diff --git a/system/hosts/nixserver/home.nix b/system/hosts/nixserver/home.nix
index 39c4944..6a35e42 100644
--- a/system/hosts/nixserver/home.nix
+++ b/system/hosts/nixserver/home.nix
@@ -84,12 +84,15 @@ in {
   nix.settings.allowed-users = [ "nix-serve" "hydra" ];
   # only hydra has access to this file anyway
   nix.settings.extra-builtins-file = "/etc/nixos/private/extra-builtins.nix";
+  impermanence.directories = [
+    { directory = /etc/nixos/private; user = "hydra"; group = "hydra"; mode = "0700"; }
+  ];
   nix.settings.allowed-uris = [
     # required for home-manager
     "https://git.sr.ht/~rycee/nmd/"
     # required for server (I suppose since nvfetcher uses fetchTarball here...)
     "https://github.com/searxng/searxng/"
-    # required for home config (nvfetcher)
+    # required for home config (nvfetcher again)
     "https://api.github.com/repos/FAForever/"
   ];
   services.nginx.virtualHosts."binarycache.${cfg.domainName}" = {