diff --git a/hosts/x86_64-linux/icarus.nix b/hosts/x86_64-linux/icarus.nix
index 436e6be6..e231ba22 100644
--- a/hosts/x86_64-linux/icarus.nix
+++ b/hosts/x86_64-linux/icarus.nix
@@ -100,6 +100,16 @@
     };
   };
 
+  services.buildkite-agents.nix-build = {
+    tokenPath = config.age.secrets.buildkite-token.path;
+    privateSshKeyPath = config.age.secrets.buildkite-ssh-key.path;
+    tags = {
+      nix = "true";
+      nixos = "true";
+      queue = "default";
+    };
+  };
+
   services.tailscale.auth = {
     enable = true;
     args.advertise-tags = ["tag:server"];
@@ -107,7 +117,7 @@
     args.accept-routes = false;
     args.accept-dns = false;
     args.advertise-exit-node = true;
-    args.auth-key = "file:/var/run/agenix/ts-google-9k";
+    args.auth-key = config.age.secrets.ts-google-9k.path;
   };
 
   # microvm.autostart = [
@@ -267,6 +277,12 @@
       path = "/var/lib/microvm-secrets/ssh_host_ed25519_key";
       symlink = false;
     };
+    buildkite-token = {
+      file = ../../secrets/buildkite-token.age;
+    };
+    buildkite-ssh-key = {
+      file = ../../secrets/buildkite-ssh-key.age;
+    };
   };
 
   security.acme.certs = {
@@ -329,8 +345,8 @@
     user = "${adminUser.name}";
     group = "users";
     openDefaultPorts = true;
-    cert = "/run/agenix/syncthing-cert";
-    key = "/run/agenix/syncthing-key";
+    cert = config.age.secrets.syncthing-cert.path;
+    key = config.age.secrets.syncthing-key.path;
     dataDir = "/home/${adminUser.name}/.local/share/syncthing-data";
 
     settings = {
diff --git a/secrets/buildkite-ssh-key.age b/secrets/buildkite-ssh-key.age
new file mode 100644
index 00000000..e76bd849
Binary files /dev/null and b/secrets/buildkite-ssh-key.age differ
diff --git a/secrets/buildkite-token.age b/secrets/buildkite-token.age
new file mode 100644
index 00000000..2f3ee44c
Binary files /dev/null and b/secrets/buildkite-token.age differ
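Review bot: The two agenix secrets that `tokenPath` and `privateSshKeyPath` point at are declared in the `age.secrets` hunk further down with only `file`, so they get agenix's default owner and mode (root-only), while the NixOS buildkite-agents module, as far as I recall, reads the token and installs the SSH key from the agent's own unprivileged service user in its preStart; if that is right the agent will fail at startup because it cannot read either file. The declarations should name the agent user, e.g. `buildkite-token = { file = ../../secrets/buildkite-token.age; owner = "buildkite-agent-nix-build"; };` and the same for `buildkite-ssh-key`, where the user name is the one the module derives from the agent name (confirm against the module rather than the guess here). Granting the secret to that single user keeps the token and key narrower than a group-readable mode would. The same fix applies to the third hunk of this file, which is where the declarations live.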
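Review bot: Dropping the `file:` prefix in the second hunk changes what tailscale is handed: `tailscale up --auth-key` reads the key from a file only when the value has the form `file:PATH`, and a bare path is treated as the key string itself, so if the `services.tailscale.auth` module passes `args.auth-key` through verbatim the node will stop authenticating (the removed value already pointed at the same agenix secret, only under `/var/run`). The intent is presumably just to stop hard-coding the path, which still works as `args.auth-key = "file:${config.age.secrets.ts-google-9k.path}";`. This hinges on how the custom `services.tailscale.auth` module consumes `args`, which is outside the diff, so confirm there before merging.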