diff --git a/hosts/default.nix b/hosts/default.nix
index 4c95461..3ed8924 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -81,6 +81,7 @@
         "cachix-personal-token".owner = "ccr";
         "hercules-ci-join-token".owner = "hercules-ci-agent";
         "hercules-ci-binary-caches".owner = "hercules-ci-agent";
+        "hercules-ci-secrets-json".owner = "hercules-ci-agent";
         "git-workspace-tokens".owner = "ccr";
       };
     };
diff --git a/modules/hercules-ci/default.nix b/modules/hercules-ci/default.nix
index 44b9727..1b9ec51 100644
--- a/modules/hercules-ci/default.nix
+++ b/modules/hercules-ci/default.nix
@@ -1,14 +1,11 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
+{config, ...}: {
   services.hercules-ci-agent = {
     enable = true;
     settings = {
       concurrentTasks = 32;
       clusterJoinTokenPath = config.age.secrets.hercules-ci-join-token.path;
       binaryCachesPath = config.age.secrets.hercules-ci-binary-caches.path;
+      secretsJsonPath = config.age.secrets.hercules-ci-secrets-json.path;
     };
   };
 
diff --git a/secrets/default.nix b/secrets/default.nix
index bd58f39..5b0faad 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -12,6 +12,7 @@ in
     "autistici-password.age".publicKeys = [ccr-ssh ccr-gpg thinkpad];
     "hercules-ci-join-token.age".publicKeys = [ccr-ssh ccr-gpg mothership rock5b picard];
     "hercules-ci-binary-caches.age".publicKeys = [ccr-ssh ccr-gpg mothership rock5b picard];
+    "hercules-ci-secrets-json.age".publicKeys = [ccr-ssh ccr-gpg mothership rock5b picard];
     "minio-credentials.age".publicKeys = [ccr-ssh ccr-gpg mothership];
     "aws-credentials.age".publicKeys = [ccr-ssh ccr-gpg mothership rock5b];
     "nextcloud-admin-pass.age".publicKeys = [ccr-ssh ccr-gpg rock5b];
diff --git a/secrets/hercules-ci-secrets-json.age b/secrets/hercules-ci-secrets-json.age
new file mode 100644
index 0000000..c79f58f
Binary files /dev/null and b/secrets/hercules-ci-secrets-json.age differ