diff --git a/.sops.yaml b/.sops.yaml
index 825333b..6d555cf 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,16 +1,26 @@
 keys:
   - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+  - &gonne age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
 
   - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
+  - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
 
 creation_rules:
-  - path_regex nixos/machines/nyarlathotep/.*
+  - path_regex: nixos/machines/nyarlathotep/.*
     key_groups:
       - age:
-          *nerf
-          *nyarlathotep
+        - *nerf
+        - *gonne
+        - *nyarlathotep
+  - path_regex: nixos/machines/bragi/.*
+    key_groups:
+      - age:
+        - *nerf
+        - *gonne
+        - *bragi
   # this is the catchall clause if nothing above machtes. Encrypt to users but not
   # to machines
   - key_groups:
       - age:
-          *nerf
+        - *nerf
+        - *gonne