diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix
index 6b2f04a..114dcf6 100644
--- a/hosts/nachtigall/configuration.nix
+++ b/hosts/nachtigall/configuration.nix
@@ -38,6 +38,14 @@
   # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
   systemd.services.zfs-mount.enable = false;
 
+  # Declarative SSH private key
+  age.secrets."nachtigall-root-ssh-key" = {
+    file = "${flake.self}/secrets/nachtigall-root-ssh-key.age";
+    path = "/root/.ssh/id_ed25519";
+    mode = "400";
+    owner = "root";
+  };
+
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
diff --git a/modules/users.nix b/modules/users.nix
index 0b9a08c..5f8b43c 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -25,12 +25,6 @@
   users.groups.hakkonaut = {};
 
   users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
-  age.secrets."nachtigall-root-ssh-key" = {
-    file = "${flake.self}/secrets/nachtigall-root-ssh-key.age";
-    path = "/root/.ssh/id_ed25519";
-    mode = "400";
-    owner = "root";
-  };
 
   security.sudo.wheelNeedsPassword = false;
 }