diff --git a/.sops.yaml b/.sops.yaml index 784972b..ab3fd30 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,6 +7,7 @@ keys: - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn - &nyarlathotep age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + - &nodens age1vzhru3nsv5ttx3scmxvdep7z29qtsacft48wj2pk2rtkrdywdyuswc3lqn creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -33,6 +34,14 @@ creation_rules: - *daniel - *totallynotadolphin - *lobon + - path_regex: nixos/machines/nodens/.* + key_groups: + - age: + - *nerf + - *gonne + - *daniel + - *totallynotadolphin + - *nodens # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/nixos/machines/nodens/configuration.nix b/nixos/machines/nodens/configuration.nix index a9ae8a2..282d813 100644 --- a/nixos/machines/nodens/configuration.nix +++ b/nixos/machines/nodens/configuration.nix @@ -11,4 +11,11 @@ networking.hostName = "nodens"; system.stateVersion = "24.11"; + + sops.secrets."nodens-deploy.key" = { + sopsFile = ./deploy.secrets.yaml; + owner = "root"; + group = "root"; + mode = "0400"; + }; } diff --git a/nixos/machines/nodens/deploy.secrets.yaml b/nixos/machines/nodens/deploy.secrets.yaml new file mode 100644 index 0000000..bc44289 --- /dev/null +++ b/nixos/machines/nodens/deploy.secrets.yaml 
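Review bot: The new `&nodens` entry is added to a flat `keys:` list that does not distinguish user keys from machine keys, even though the catchall rule below relies on that distinction ("Encrypt to users but not to machines"). If, as `sops.age.sshKeyPaths` elsewhere in this diff suggests, this recipient is derived from the host's `/etc/ssh/ssh_host_ed25519_key`, it silently becomes stale whenever nodens is reinstalled or its host key rotates, and every file encrypted to it must then be re-keyed with `sops updatekeys`. I would mark this on the line itself, e.g. `- &nodens age1vzhru3nsv5ttx3scmxvdep7z29qtsacft48wj2pk2rtkrdywdyuswc3lqn # machine key: nodens ssh host key (ssh-to-age); re-key secrets if the host key changes`, so the origin and rotation obligation are visible to whoever edits this list next.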
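Review bot: The new rule's `path_regex: nixos/machines/nodens/.*` is unanchored, and sops matches `path_regex` as a search rather than a full match, so any path that merely contains `nixos/machines/nodens/` (a copy under another directory, for instance) would also be encrypted to the nodens machine key. The existing rules follow the same convention, so this is a consistency choice rather than a regression, but for a rule that adds a machine recipient I would anchor it: `- path_regex: ^nixos/machines/nodens/`. Note also that all five recipients sit in one `age:` key group, meaning any single one of them can decrypt the deploy key on its own; that matches the nyarlathotep rule above and is fine if intended, but a one-line comment stating it would avoid the assumption that multiple keys are required.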
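Review bot: `sops.secrets."nodens-deploy.key"` is declared but nothing in this hunk consumes the decrypted file, so as written the private signing key is rendered on nodens without Nix ever being told to sign with it; if the intent is for nodens to sign the store paths it builds, the key path has to be wired in, e.g. `nix.settings.secret-key-files = [ config.sops.secrets."nodens-deploy.key".path ];`, which presumes `config` is among the module arguments declared above this hunk. Because this diff also trusts the matching public key on other machines, this secret is effectively a signing authority for every host that accepts substitutes from nodens, so `owner = "root"`, `mode = "0400"` is the right choice (nix-daemon runs as root); I would say so in a comment above the attribute, e.g. `# Nix store signing key; its public half is in trusted-public-keys on every machine, so keep it root-only`. The enclosing module attribute set begins outside this hunk.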
@@ -0,0 +1,52 @@ +nodens-deploy.key: ENC[AES256_GCM,data:78egSKIl+ecnCoIsw30ytx9wYwtnAHppMObpn4tPBuqSNN20ILWK4IdZUTE7H/QkOAbhi+R565efg/Cxt85OghXZ9jwBNXX+EwTwS7LAiGwp2Kxm7kYGX4jWvrmAnvmd/nqM3Rw+DgfGAA==,iv:+5Hz/Vmluk9icv68rmb1Dyi0g6PkW2JyaOnqluC/TKo=,tag:c7DQRCcKsS+9zJ9agCb0VA==,type:str] +sops: + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MWdKbDBpaHoycmdWdlc3 + MGltTU1rbUhPQ2VtbERWUXQzdWpvd2ZGdzFjCmV0aW5oTkdGMExUUkV1UFV3UkpZ + dE5kUktrYUlEQ1hNWEIzdlFxeUFKRXcKLS0tIGN6NStxdTl0VkYvcS82QjJCT0xu + eDRtM1BjN0tMVnkwZHF4ajRKUW94aVEKklPazc/5C/g0cTe0xzdwxi+G4vZ3LSbI + utp7vfDLIddT4mKVyt4bD/VffDlB5Afvu91mDMEr/WrQGQsmczqdYg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4S1RZVVB2ancrMERNSUZ1 + Nlg4Q3FZNFl1WUN5b2FVM0pYUDA2cXVtendrCm1TWkZNanZqYnM2eEt3eFZpdS9M + SzlpQnZQQzE5OFM1ME5xaXQxOWdGbzQKLS0tIEdXUGFGL3ZOZlZMWTgwY1lNdE5o + MS9WYWtuWkpKdDFnb0huelcyVEgvK2sKzRQ6oxBmOrE+OnCF19Nuaf9SZus4CtHD + l+q/0xqkSnxz+/Vl3ooq0bPUPXiGrHWkSXb/LFH6crRJHxRAuiga3w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVlNZZ05TK3c1TitESEYx + dkpaMjhKaWNTTElld21yTXcyeVorTHBZYlFBCjF3R3BVNFcvZFZFK0xScmJTUEda + TmNySERXVk9jT01JWlFHNGd4MFlwUFkKLS0tIHJQV2dSd1pRbCtqKys3YW1JNVpq + QU5wdlBQODh4WmxrY1Z3aHl3WTE0eUUKTJPqJFelo6bQLfFNVa6K8UnUxCM8N15A + v8FWo1C71bIbMEtMTOq/TotJwxElUk8Oc10ECd3ST0bWZfyKFtkwHQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7l4x2zdgn7akgg5mkm9quen3u9sm0785tzm7vl000anuqrwwg6s5urenn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUdtYzJMWk1YSitjNnhi + 
VVdpU0R4eHJIejZmSTNycWxheTZjcjBJdGlZCmxHdWxpaGdhQnFCT0tMRTVTS29X + Yks5UEw1MG5OMlZyWHVaZHpLb01vTFEKLS0tIHBTcjZrOHE4S2lZVllGNWpBdzV1 + ci8xcGo2dzU0NDh2M3RCVEU3VjNDRkUKWZuklDoyHN83M0sfO9lnHP8cfj5ECqbx + 3/JbV4wOalQ4+LiSSFmgxYXfADtWe4QpRUDCoVEHPc+sBvA09aCh+g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vzhru3nsv5ttx3scmxvdep7z29qtsacft48wj2pk2rtkrdywdyuswc3lqn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRa09heTBzZ0xtSHlqR092 + R3BNQWk3ZXhnd0wwMmI0SVBOSG00cTY2czI4ClZoMHJwdDh0b08xR2lXNStEbVkz + RGFnNkJrRkUrU0hIaTJsNzBOdENpdFEKLS0tIHhlazVXeTgzakpTYW1qUzZSMXNJ + V3JSeDNsdVNOQ2ZLL2MvSDBZdk1wTzgKPzrGAY1xqJ679iTqe+gUXB3UoTuA71Rj + KUTxgml2J6R+3mI61VFL1C5mDApFPoI6FaG/dXk5zgXSO1auVxHlAA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-20T16:36:28Z" + mac: ENC[AES256_GCM,data:2UKbVUVB0WYZBAti4QN6gqsl9bsYjjjy6JOwwHYpLXywsXZOkpj1wptwdAXyjR3s9KT0fpywxZgCPtIqYb6wd8QqXkNzrTcVc6I7OJtDizcHh/tNvNsVvlC4I1+VpbTlIkmw3OxbIf88MrsVUxCFcyin7spIFHLtgIVQVO1xAHI=,iv:v7c/Wa81EE43hnWi6xISlxuzgfDxdpABkfQb/0zF+Kc=,tag:2fDl4Hy59d5QiXF3KZG+EQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 851db7c..9ce47d6 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix 
@@ -30,6 +30,16 @@ sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + # additional trusted keys for substituters for every machine + # right now it is only nodens so nodens can build system configs + # and we can deploy them from nodens. + # For security reasons we might want to move this to the vm part, as + # someone who can get control of nodens and get hold of the build process + # can gain control of the other machines. While this is very handy + # and a step towards CI, we might not want this for backups. + # (This is a tradeof between security and convenience) + nix.settings.trusted-public-keys = ["nodens-deploy.key:VHJmEr17pdoEEnWlSfC03TIf4GBbClxGRiInHuWaUvU="]; + environment = { systemPackages = builtins.attrValues { inherit