diff --git a/configuration.nix b/configuration.nix
index a4c38c9..e1d7de5 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -41,14 +41,10 @@
 defaultSopsFile = ./secrets.yaml;
 age.sshKeyPaths = [ "/root/id_ed25519" ];
 secrets.github-access-token = { };
- secrets.namecheap-api-user = { };
- secrets.namecheap-api-key = { };
+ secrets.namecheap-api-user = { mode = "0440"; group = "acme"; };
+ secrets.namecheap-api-key = { mode = "0440"; group = "acme"; };
 };
- nix.extraOptions = ''
- !include /run/secrets/github-access-token
- !include /run/secrets/namecheap-api-user
- !include /run/secrets/namecheap-api-key
- '';
+ nix.extraOptions = "!include /run/secrets/github-access-token";
 system.autoUpgrade = {
 enable = true;
diff --git a/nginx.nix b/nginx.nix
index 8a42df4..caaac97 100644
--- a/nginx.nix
+++ b/nginx.nix
@@ -29,8 +29,8 @@
 extraDomainNames = [ "*.kyren.codes" ];
 dnsProvider = "namecheap";
 environmentFile = "${pkgs.writeText "namecheap-creds" ''
- NAMECHEAP_API_USER=${builtins.readFile "/run/secrets/namecheap-api-user"}
- NAMECHEAP_API_KEY=${builtins.readFile "/run/secrets/namecheap-api-key"}
+ NAMECHEAP_API_USER_FILE=/run/secrets/namecheap-api-user
+ NAMECHEAP_API_KEY_FILE=/run/secrets/namecheap-api-key
 ''}";
 };
 };
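Review bot: In configuration.nix, `mode = "0440"; group = "acme";` on both namecheap secrets makes the DNS API credentials readable by every member of the `acme` group, not only by the certificate renewal service. Group membership is not visible in this diff, but on NixOS the web server user is often added to `acme` so it can read certificates, and in that case an nginx worker could read credentials that control DNS for the domain. If the renewal unit runs as user `acme` (worth confirming), `{ owner = "acme"; mode = "0400"; }` grants the same access without widening it to the group. The enclosing attribute set opens above the hunk.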
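Review bot: In nginx.nix, nothing records why `environmentFile` may only hold paths, so a later edit could put values back into a `pkgs.writeText` output, which lands in the world-readable Nix store. A comment above the option, such as `# This file is written to /nix/store (world-readable): reference secret paths via *_FILE, never values`, would make that explicit. The `namecheap-creds` store paths built before this change still contain the API user and key until those generations are garbage-collected, so the key should be treated as exposed and rotated. If the nixpkgs release in use provides the `credentialFiles` option on ACME certs, passing the two `_FILE` entries there would likely let the secrets stay root-only; check that against the module documentation. The enclosing cert definition starts outside the hunk.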