diff --git a/hosts/default.nix b/hosts/default.nix
index 3ac0ce9..efdd865 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -59,6 +59,7 @@
 "git-workspace-tokens".owner = "ccr";
 "autistici-password".owner = "ccr";
 "restic-hetzner-password" = { };
+ "nix-netrc" = { };
 };
 };
@@ -87,6 +88,7 @@
 "restic-hetzner-password" = { };
 "forgejo-runners-token".owner = "nixuser";
 "forgejo-nix-access-tokens".owner = "nixuser";
+ "nix-netrc" = { };
 };
 };
@@ -120,6 +122,7 @@
 };
 "matrix-registration-shared-secret".owner = "matrix-synapse";
 "arbi-config".owner = "arbi";
+ "nix-netrc" = { };
 };
 };
@@ -143,6 +146,7 @@
 "cachix-personal-token".owner = "ccr";
 "git-workspace-tokens".owner = "ccr";
 "autistici-password".owner = "ccr";
+ "nix-netrc" = { };
 };
 };
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index 000ede4..ef46e63 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -20,20 +20,20 @@
 "root"
 "@wheel"
 ];
- netrc-file = "/etc/nix/netrc";
+ netrc-file = config.age.secrets.nix-netrc.path;
 substituters = [
- # "s3://cache?profile=default®ion=eu-south-1&scheme=https&endpoint=cache.aciceri.dev"
 "https://cache.iog.io"
 "https://cache.lix.systems"
 "https://nix-community.cachix.org"
- "https://mlabs.cachix.org"
+ # "https://mlabs.cachix.org"
+ "http://sisko.wg.aciceri.dev:8081/nixfleet"
 ];
 trusted-public-keys = [
- # "cache.aciceri.dev~1:nJMfcBnYieY2WMbYDG0s9S5qUhU+V4RPL+X9zcxXxZY="
 "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
 "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M="
+ # "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M="
+ "nixfleet:Bud23440n6mMTmgq/7U+mk91zlLjnx2X3lQQrCBCCU4="
 ];
 deprecated-features = [ "url-literals" ];
 };
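Review bot: The `"nix-netrc" = { };` declaration is repeated in four separate host blocks of hosts/default.nix (the hunks at -59, -87, -120 and -143), while modules/nix/default.nix now reads `config.age.secrets.nix-netrc.path` unconditionally. A host that uses the nix module without this entry would presumably fail at evaluation, so declaring the secret once next to its consumer in the module would be more robust than keeping four copies in sync. The empty attribute set also leaves owner and mode at their defaults, unlike the neighbouring entries that set `.owner`; a short comment such as `# default owner on purpose: read by the nix daemon` would record that this is deliberate. The enclosing attribute sets start outside these hunks.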
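Review bot: The new substituter `"http://sisko.wg.aciceri.dev:8081/nixfleet"` in modules/nix/default.nix is the only cache reached over plain HTTP, and the same hunk points `netrc-file` at a secret, so if that netrc holds credentials for this host they travel unencrypted unless the name is reachable only through the WireGuard tunnel (the `wg` label suggests so, but the hunk does not show it). Store paths are still checked against the `nixfleet:` entry in `trusted-public-keys`, so the concern is credential confidentiality, not binary integrity. I would add a comment above the URL, e.g. `# plain HTTP on purpose: only reachable over WireGuard; paths are verified against the nixfleet key`, or serve the cache over HTTPS. The commented-out mlabs lines could be deleted outright, since version control already keeps them. The settings block starts and ends outside the hunk.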
diff --git a/secrets/nix-netrc.age b/secrets/nix-netrc.age
new file mode 100644
index 0000000..7b0438f
Binary files /dev/null and b/secrets/nix-netrc.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3ab2d98..fd1bca9 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -157,6 +157,13 @@ with keys.users;
 ccr-ssh
 sisko
 ];
+ "nix-netrc.age".publicKeys = [
+ ccr-ssh
+ sisko
+ pike
+ picard
+ kirk
+ ];
 # WireGuard
 "picard-wireguard-private-key.age".publicKeys = [
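Review bot: The recipient list added for `"nix-netrc.age"` in secrets/secrets.nix encrypts one shared credential to every host key (`sisko`, `pike`, `picard`, `kirk`) as well as `ccr-ssh`, so a compromise of any single machine discloses the cache credential used by all of them. If the token in this netrc can also push to the cache, the impact would extend beyond read access to what the other hosts substitute, depending on where signing happens; the shared file should hold a read-only pull token, with any push token kept in a separate secret limited to the builders. A comment above the entry would record that intent, e.g. `# read-only cache token, shared by all hosts`. The surrounding attribute set starts and ends outside the hunk.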