diff --git a/hosts/x86_64-linux/icarus.nix b/hosts/x86_64-linux/icarus.nix
index 0c3e1399..2c0204f5 100644
--- a/hosts/x86_64-linux/icarus.nix
+++ b/hosts/x86_64-linux/icarus.nix
@@ -108,6 +108,11 @@
       nixos = "true";
       queue = "default-queue";
     };
+    hooks = {
+      environment = ''
+        CACHIX_SIGNING_KEY="$(head -1 ${config.age.secrets.cachix-signing-key.path})"
+      '';
+    };
   };
 
   services.tailscale.auth = {
@@ -285,6 +290,10 @@
       file = ../../secrets/buildkite-ssh-key.age;
       owner = "buildkite-agent-nix-build";
     };
+    cachix-signing-key = {
+      file = ../../secrets/cachix-signing-key.age;
+      owner = "buildkite-agent-nix-build";
+    };
   };
 
   security.acme.certs = {
diff --git a/secrets/cachix-signing-key.age b/secrets/cachix-signing-key.age
new file mode 100644
index 00000000..153d7036
Binary files /dev/null and b/secrets/cachix-signing-key.age differ