diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
index 1e90451a..241c881c 100644
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@@ -244,20 +244,38 @@ in
 sops = {
 defaultSopsFile = ./secrets.yaml;
- secrets."ldap/search-user-pw" = {
- mode = "440";
- owner = config.users.users.hydra-queue-runner.name;
- inherit (config.users.users.hydra-queue-runner) group;
- path = "/var/lib/hydra/ldap-password.conf";
- };
- secrets."machine-id" = {
- mode = "444";
- path = "/etc/machine-id";
- };
- secrets."nix-serve/secretKey" = {
- mode = "440";
- owner = config.users.users.hydra-queue-runner.name;
- inherit (config.users.users.hydra-queue-runner) group;
+ secrets = {
+ "ldap/search-user-pw" = {
+ mode = "440";
+ owner = config.users.users.hydra-queue-runner.name;
+ inherit (config.users.users.hydra-queue-runner) group;
+ path = "/var/lib/hydra/ldap-password.conf";
+ };
+ "machine-id" = {
+ mode = "444";
+ path = "/etc/machine-id";
+ };
+ "nix-serve/secretKey" = {
+ mode = "440";
+ owner = config.users.users.hydra-queue-runner.name;
+ inherit (config.users.users.hydra-queue-runner) group;
+ };
+ "ssh-keys/root/private" = {
+ mode = "600";
+ path = "/root/.ssh/id_ed25519";
+ };
+ "ssh-keys/root/public" = {
+ mode = "644";
+ path = "/root/.ssh/id_ed25519.pub";
+ };
+ "ssh-keys/updater/private" = {
+ mode = "600";
+ path = "/var/lib/updater/.ssh/id_ed25519";
+ };
+ "ssh-keys/updater/public" = {
+ mode = "644";
+ path = "/var/lib/updater/.ssh/id_ed25519.pub";
+ };
 };
 };
diff --git a/hosts/hydra/secrets.yaml b/hosts/hydra/secrets.yaml
index aea0290e..6d46a04b 100644
--- a/hosts/hydra/secrets.yaml
+++ b/hosts/hydra/secrets.yaml
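Review bot: The new `"ssh-keys/updater/private"` entry sets `mode = "600"` but no `owner`/`group`, so sops-nix will fall back to its default owner (root) for `/var/lib/updater/.ssh/id_ed25519`, and a service running as a dedicated `updater` user — which the `/var/lib/updater` path suggests, though no such user is visible in this hunk — will be unable to read its own key; the two root entries are fine as written. If that user exists, mirror the hydra-queue-runner entries above and add `owner = config.users.users.updater.name; inherit (config.users.users.updater) group;` to the updater private-key entry (and to its public-key entry for consistency). It is also worth confirming that the intermediate `/var/lib/updater/.ssh` directory ends up owned and traversable by that user rather than relying on whatever sops-nix creates on the fly, e.g. through the service's `StateDirectory` or a `systemd.tmpfiles` rule. The `sops = { … }` set closes inside this hunk, but the enclosing module continues outside it.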
@@ -4,6 +4,13 @@ nix-serve:
 secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
 ldap:
 search-user-pw: ENC[AES256_GCM,data:tSWin/QPIow2P5Aps/XaT42J+MXb8+a24SEri1QjF1O3bDlCxcR8RHqSX8d4Vg==,iv:P5qMaE2cdKxTaXuKO2nh+LDhKkY3psSlWf+JckmUYt4=,tag:eq8XW7P6FNlkviY5PydkZg==,type:str]
+ssh-keys:
+ root:
+ private: ENC[AES256_GCM,data:aerhMF9uwwOPsgcWLumpXuPSOI1JHUYP3fqeo+F64+n1068rmJwPTtAj9NTTmxJB0XeCsI7VwM5gYaQx3Zl6bYYRWHdgLJmQAyCZhiLKqZDPypGnBBLWR6Ctd3BpOGd253bVPXVPOw8FqYfC152KjnGNANZQVbsv26CSiS+3j0D+S3xt70mkyTQxrfUdFPP5RojmqbgvbvOJt0qj02HOmnUdrzwIILqJMBM3CycP9qSnq36mEihqJSJ0YkX+qechVxU0PktmcLUGBjri38kSLno4v4oc1eRSsljyOYRUbf/M5vyHuHgNql3ROweS+RegsJIljtN3XdH2X0SHkntaAk6+d1ssrb6UKnTbP6ipEBGAnu12jErvRZHLYehcl+rx0gk3RCPKEmH88tPIIiOlSADgLw59Ghr6E68U3d9VpqQhZe5qh1jv7ZVAr1k4XkJJvx9oCnbf6UR8jQ4DZFqCYusB56nBKZkcXtCoMlLXTFD3eLLRwXNmAqZoUu9mXzFK9TIyk+zsI+JdUbK0ZAju,iv:ZCGvaBjhG0tSRgrEANPf0fR5XnDK1gqU0WORSu75/lY=,tag:lAhZHLltfA8j2hF1IZM4qw==,type:str]
+ public: ENC[AES256_GCM,data:7skUJMhKvPVhVO3lpXOUepgExVGR6C01NUK6r0rnXnU81tCsiZoG7PF5RedSiE1USOpm/k2kz1IJUehn4xKqtLZNrVn1PPjNJIZ7Dpgm15PvVOtvyM+wSdxHFw==,iv:bz/rLsOHVapgvCPgewAHFPamKOCWYJXSp12SLeCNFSQ=,tag:vUDqPrvn/Y6Y5aLxfMYVow==,type:str]
+ updater:
+ private: ENC[AES256_GCM,data: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,iv:DMD11AUuWPHutmZOVBeL1megyvQxbJ9Tw5ApH3RWrCw=,tag:yyWpFuJua79+QCMIOOCpwQ==,type:str]
+ public: ENC[AES256_GCM,data:sphILo6Xz3eCsIC0Y8fr4+CllH2nK42aijMDp5Psc5vhnxCuBxL+Zh4yT3NkPjAHMYZyAxp35uOGOjpOUNS+ii14C86WVTpWtiX3d52/1W5MK9SUGIBQrw8oGoqJeg==,iv:SlinQ+S0QEI6pMzUm8oJqJmlW11ULne2e73974RHiYw=,tag:QkFP9D3MsXM6OSPDqnKKOw==,type:str]
 sops:
 kms: []
 gcp_kms: []
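Review bot: The `ssh-keys/root/public` and `ssh-keys/updater/public` values are committed as ciphertext next to the private keys even though a public key carries no secret; encrypting them hides which key is actually deployed from anyone reviewing the repository and makes the matching `authorized_keys` entry on the target host impossible to cross-check without decrypting the file. Consider keeping the public halves in plaintext — for example via an `encrypted_regex` or `unencrypted_suffix` rule in the project's `.sops.yaml`, which this diff does not show — so that only `private` (and the existing `secretKey` / `search-user-pw`) values are encrypted. It would also help future rotation if the commit message recorded where the two ed25519 keys were generated and that the private halves never existed unencrypted in the working tree, since a private key committed to history, encrypted or not, can only be retired by replacing it.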
@@ -28,8 +35,8 @@ sops:
 WkRmWkpEYVMrZ0tKQVgrRk5YU0grTFEK3cX9v11MK9LIw4w51hr2zyLP3biGxkdf
 dl77D0IS9m2u0HipmzUs95m+z5j47hiX4Qo1Uza/sshwDBYyia4upg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-12-28T00:46:32Z"
- mac: ENC[AES256_GCM,data:iAGu+wOfSh5kYlwonk3DTLQPHEuOfXExv54vHikIRQbk81VNN7GKferJo9uB8d3fos461zGFulsL/Zw4j0EX1X7jr7d4PGybtb1oWIqi8D81TTeBqvfsvgrHfozeQCSIF6xzmXpulTmrTtuIAzMuHRXkV+i85YmYVBKFBi0g2jE=,iv:wafAqiOzpRREVfp1D4+/kB5g9kjd8786XosnrGmtUi4=,tag:OzUBTZ5L7wK47R5axF3N+w==,type:str]
+ lastmodified: "2023-01-04T23:32:36Z"
+ mac: ENC[AES256_GCM,data:wBh2gnaGCcLPItcr7SfMV3F8dmWlpeV9H77Cc0bRovFbbrxob+9A7FKNzqNSR372MnTRCaf6pRWDu5U9nNAGohrqtP11oouehuNyieW3PlijWepAN3A+BYd0DFYqu5FtNvccFWJnKy6I4Fjsf1Fjh8ark06h7fg8mMafsudLXH0=,iv:11bCknws/idxujuLWSyn2Sa6ilCyI1IIihHguuwLuxs=,tag:PKtlEddCxmgWTiOJDQOqhA==,type:str]
 pgp:
 - created_at: "2022-12-26T19:10:03Z"
 enc: |