diff --git a/flake.nix b/flake.nix
index 45902cb..9cc3399 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,11 +3,10 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs";
- zentralwerk-network-key.url = "https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key";
- zentralwerk-network-key.flake = false;
+ zentralwerk-network-key.url = "git+https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key&ref=nix";
 };
- outputs = { self, nixpkgs }:
+ outputs = { self, nixpkgs, zentralwerk-network-key }:
 let system = "x86_64-linux"; systems = [ system ];
@@ -15,7 +14,10 @@ in rec { lib =
- import ./nix/lib { inherit nixpkgs; };
+ import ./nix/lib {
+ inherit nixpkgs;
+ inherit (zentralwerk-network-key.lib) gpgKey;
+ };
 packages = forAllSystems (system: import ./nix/pkgs { inherit self nixpkgs system; }
diff --git a/nix/key/default.nix b/nix/key/default.nix
deleted file mode 100644
index 19765bd..000000000
--- a/nix/key/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-null
diff --git a/nix/key/flake.nix b/nix/key/flake.nix
new file mode 100644
index 000000000..3405fe7
--- /dev/null
+++ b/nix/key/flake.nix
@@ -0,0 +1,7 @@
+{
+ description = "Zentralwerk network secret GPG key";
+
+ outputs = { ... }: {
+ lib.gpgKey = null;
+ };
+}
diff --git a/nix/lib/config/default.nix b/nix/lib/config/default.nix
index 07f5a27..94f661b 100644
--- a/nix/lib/config/default.nix
+++ b/nix/lib/config/default.nix
@@ -1,4 +1,6 @@
-{ pkgs ? import {} }:
+{ pkgs ? import {}
+, gpgKey
+}:
 let result = pkgs.lib.evalModules {
@@ -6,6 +8,18 @@ let modules = [ ./options.nix ./legacy.nix
+ (
+ { lib, ... }:
+ with lib;
+ {
+ options.gpgKey = mkOption {
+ type = types.path;
+ };
+ config = {
+ inherit gpgKey;
+ };
+ }
+ )
 ]; }; in
diff --git a/nix/lib/config/legacy.nix b/nix/lib/config/legacy.nix
index 6f8cb85..7085485 100644
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
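Review bot: The new `zentralwerk-network-key` input is pinned only to a branch (`ref=nix`), so which placeholder or key flake gets evaluated depends entirely on flake.lock, and no flake.lock change is part of this diff. If the lock is not updated in the same commit, the next `nix flake` command will resolve the input against whatever the `nix` branch holds at that moment; either include the lock update or add an explicit `rev=` to the URL. Because the input now points back into this same repository (`dir=nix/key`, whose flake only exports `lib.gpgKey = null`), a comment on the input line would help readers, for example `# Placeholder key flake; presumably the real one is supplied with --override-input zentralwerk-network-key …` (confirm the intended mechanism before wording it as fact).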
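Review bot: The new `gpgKey` option is declared with `type = types.path;`, but the value wired in from flake.nix is `null` in the default case (nix/key/flake.nix sets `lib.gpgKey = null;`), and the `types.path` check rejects `null` (it requires a value coercible to an absolute path string), so `config.gpgKey` fails type checking as soon as it is forced and the `if gpgKey == null then "encrypted"` fallback in salt-pillar.nix can never be reached. Declaring it as `type = types.nullOr types.path;` together with `default = null;` and a `description` makes the no-key build path reachable, which appears to be the intent of that fallback. The same dead-branch consequence applies to the salt-pillar.nix hunk on the next line; the fix belongs here. The enclosing `evalModules` call starts and ends outside this hunk.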
@@ -1,7 +1,10 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 let
- pillar = import ./salt-support/salt-pillar.nix { inherit pkgs; };
+ pillar = import ./salt-support/salt-pillar.nix {
+ inherit pkgs;
+ inherit (config) gpgKey;
+ };
 in { options.salt-pillar = lib.mkOption {};
diff --git a/nix/lib/config/salt-support/salt-pillar.nix b/nix/lib/config/salt-support/salt-pillar.nix
index 29cb560..da68b87 100644
--- a/nix/lib/config/salt-support/salt-pillar.nix
+++ b/nix/lib/config/salt-support/salt-pillar.nix
@@ -1,34 +1,27 @@
-{ pkgs ? import {} }:
+{ pkgs ? import {}
+, gpgKey
+}:
 with pkgs.lib; let loadYaml = import ./load-yaml.nix { inherit pkgs; };
- # Swap with the real one if you don't have the key:
- decryptMessage = _: "encrypted";
-
- _decryptMessage = x:
- let
- keyFile = requireFile {
- name = "salt-gpg.asc";
- sha256 = "";
- message = ''
- GPG private key not found.
-
- If you still want to build the scripts, search "#decryptMessage" in salt-pillar.nix.
- '';
- };
- cleartextFile = pkgs.runCommandLocal "decrypted-salt-value" {
- nativeBuildInputs = [ pkgs.gpg ];
- } ''
- export GNUPGHOME=$(mktemp -d)
- gpg --import ${keyFile}
- gpg -d > $out << EOF
- ${x}
- EOF
- '';
- in
- builtins.readFile cleartextFile;
+ decryptMessage = builtins.trace gpgKey
+ (x:
+ if gpgKey == null
+ then "encrypted"
+ else
+ builtins.readFile (
+ pkgs.runCommandLocal "decrypted-salt-value" {
+ nativeBuildInputs = [ pkgs.gnupg ];
+ } ''
+ export GNUPGHOME=$(mktemp -d)
+ gpg --import ${gpgKey}
+ gpg -d > $out << EOF
+ ${x}
+ EOF
+ ''
+ ));
 decrypt = x: if builtins.isString x
diff --git a/nix/lib/default.nix b/nix/lib/default.nix
index 8f16450..d43b0e1 100644
--- a/nix/lib/default.nix
+++ b/nix/lib/default.nix
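Review bot: `decryptMessage = builtins.trace gpgKey (x: …)` in the salt-pillar.nix hunk leaves a debugging trace in the committed code: every evaluation that forces `decryptMessage` prints the key path to stderr, including in CI logs, so drop the wrapper and let the binding read `decryptMessage = x:` with the body dedented. Interpolating `${gpgKey}` into the builder script copies the private key file into the Nix store, where it is readable by every local user of the build machine and is part of the derivation's input closure; the previous `requireFile` route had the same property, so this is not a regression, but a comment on the `gpg --import` line such as `# NOTE: this interpolation copies the key file into the world-readable store` would make the trade-off explicit. The `<< EOF … EOF` heredoc also misbehaves if a ciphertext block ever contains a line that is exactly `EOF`; passing the message via `passAsFile = [ "ciphertext" ]; ciphertext = x;` in the derivation attributes and reading it with `gpg -d < "$ciphertextPath" > $out` avoids that and keeps the message out of shell interpolation. The `let` this binding belongs to continues past the end of the hunk.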
@@ -1,10 +1,10 @@
-{ nixpkgs }:
+{ nixpkgs, gpgKey }:
 let pkgs = nixpkgs.legacyPackages.x86_64-linux; in {
- config = import ./config { inherit pkgs; };
+ config = import ./config { inherit pkgs gpgKey; };
 expandSaltTemplate = import ./config/salt-support/expand-template.nix { inherit pkgs; };