diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index 4ee8c2b..0cbeb6c 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -51,8 +51,6 @@ in
       credentialsFile = config.sops.templates.hetzner-dns-api-key.path;
     };
   };
-  sops.secrets.hetzner-dns-api-key = { };
-  sops.templates.hetzner-dns-api-key.content = "HETZNER_API_TOKEN=${config.sops.placeholder.hetzner-dns-api-key}";
 
   services.nginx = {
     enable = true;
@@ -114,4 +112,18 @@ in
     #   };
     # };
   };
+
+  sops =
+    let
+      owner = "acme";
+      group = "acme";
+      mode = "0400";
+    in
+    {
+      secrets.hetzner-dns-api-key = { inherit owner group mode; };
+      templates.hetzner-dns-api-key = {
+        inherit owner group mode;
+        content = "HETZNER_API_TOKEN=${config.sops.placeholder.hetzner-dns-api-key}";
+      };
+    };
 }