diff --git a/tide.nix b/tide.nix
index fac2eba..da5fd4e 100644
--- a/tide.nix
+++ b/tide.nix
@@ -20,6 +20,14 @@
 # the file is absent, which is the right place for that failure.
 sops.validateSopsFiles = false;
+ # Use the host's age key generated with age-keygen, not the
+ # SSH-host-key-derived identity sops-nix falls back to by default.
+ # The encrypted file's recipient is the public key paired with
+ # this private key.
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.sshKeyPaths = [ ];
+ sops.gnupg.sshKeyPaths = [ ];
+
 sops.secrets."tide-env" = {
 sopsFile = ./secrets/tide.yaml;
 # phpfpm reads this via EnvironmentFile, which runs as root
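Review bot: The new comment above `sops.age.keyFile` explains which identity decrypts the file but not that, with both `sops.age.sshKeyPaths` and `sops.gnupg.sshKeyPaths` emptied, `/var/lib/sops-nix/key.txt` is — as far as this hunk shows — the only decryption identity left, so it has to be provisioned out-of-band (root-owned, mode 0600) before the first activation. The hunk also leaves `sops.age.generateKey` at its default, which presumably means a missing key fails activation rather than silently minting a fresh identity that `tide.yaml` is not encrypted to; if that is deliberate it is worth stating, since it matches the "right place for that failure" reasoning on the `validateSopsFiles` line above. I would extend the comment with `# This key is the sole decryption identity: provision it out-of-band (root, 0600) before first activation, and leave sops.age.generateKey off so a missing key fails loudly instead of creating a key tide.yaml is not encrypted to.` The attribute set these options belong to starts before this hunk.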