diff --git a/config/services/hydra/default.nix b/config/services/hydra/default.nix
index fa982ad..229d15c 100644
--- a/config/services/hydra/default.nix
+++ b/config/services/hydra/default.nix
@@ -7,7 +7,10 @@
     sopsFile = ../../../secrets/services/hydra.yaml;
   };
   sops.secrets."services/hydra/id_ed25519_hydra" = {
+    path = "/var/lib/hydra/.ssh/id_ed25519";
     owner = "hydra-queue-runner";
+    group = "hydra";
+    mode = "0440";
     sopsFile = ../../../secrets/services/hydra.yaml;
   };
   kyouma.deployment.auto-upgrade.cache = "daemon";