diff --git a/flake.lock b/flake.lock
index b2a19cff..a6c61b07 100644
--- a/flake.lock
+++ b/flake.lock
@@ -814,10 +814,10 @@
 "mysecrets": {
 "flake": false,
 "locked": {
- "lastModified": 1737955933,
- "narHash": "sha256-ZFEmdm1T2F7kc1hHHKcg/+iaYmNJ+b5jMbvQ6aUuTis=",
+ "lastModified": 1740667506,
+ "narHash": "sha256-0cfi0sHvU23SDZqykO0+PrSTnxz0Lslo4z52L/H2VUE=",
 "ref": "refs/heads/main",
- "rev": "f6aeb3fa21216c63f33a637d3f874a4bbddd5989",
+ "rev": "2ed1bd37e3bbc553f5efe3b212333652fa5f3eab",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
diff --git a/outputs/x86_64-linux/src/kubevirt-shoryu.nix b/outputs/x86_64-linux/src/kubevirt-shoryu.nix
index a584bf77..99356c83 100644
--- a/outputs/x86_64-linux/src/kubevirt-shoryu.nix
+++ b/outputs/x86_64-linux/src/kubevirt-shoryu.nix
@@ -24,7 +24,10 @@
 "hosts/k8s/${name}"
 ])
 ++ [
- # {modules.secrets.server.kubernetes.enable = true;}
+ {
+ modules.secrets.server.kubernetes.enable = true;
+ modules.secrets.impermanence.enable = true;
+ }
 ];
 # home-modules = map mylib.relativeToRoot [
 # "home/linux/tui.nix"
diff --git a/outputs/x86_64-linux/src/kubevirt-shushou.nix b/outputs/x86_64-linux/src/kubevirt-shushou.nix
index e3bd151d..ef7186f9 100644
--- a/outputs/x86_64-linux/src/kubevirt-shushou.nix
+++ b/outputs/x86_64-linux/src/kubevirt-shushou.nix
@@ -24,7 +24,10 @@
 "hosts/k8s/${name}"
 ])
 ++ [
- # {modules.secrets.server.kubernetes.enable = true;}
+ {
+ modules.secrets.server.kubernetes.enable = true;
+ modules.secrets.impermanence.enable = true;
+ }
 ];
 };
diff --git a/outputs/x86_64-linux/src/kubevirt-youko.nix b/outputs/x86_64-linux/src/kubevirt-youko.nix
index 07e1c904..c7eebaf1 100644
--- a/outputs/x86_64-linux/src/kubevirt-youko.nix
+++ b/outputs/x86_64-linux/src/kubevirt-youko.nix
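Review bot: The added attrset `{ modules.secrets.server.kubernetes.enable = true; modules.secrets.impermanence.enable = true; }` is pasted verbatim into kubevirt-shoryu.nix, kubevirt-shushou.nix and kubevirt-youko.nix, whose hunks differ only by `name`; a single shared module under `hosts/k8s` (or one common list these wrappers concatenate) would keep the three k8s nodes from drifting apart the next time a flag is toggled. Turning on impermanence for hosts that decrypt age secrets with their SSH host key — secrets/nixos.nix in this same commit appears to list `/etc/ssh/ssh_host_ed25519_key` among the identities — only works if that key is on persistent storage; presumably the impermanence module persists it, but it is worth confirming, since otherwise every secret fails to decrypt at the next boot. The enclosing `modules = … ++ [` expression starts before the hunk.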
@@ -24,7 +24,10 @@
 "hosts/k8s/${name}"
 ])
 ++ [
- # {modules.secrets.server.kubernetes.enable = true;}
+ {
+ modules.secrets.server.kubernetes.enable = true;
+ modules.secrets.impermanence.enable = true;
+ }
 ];
 };
diff --git a/secrets/nixos.nix b/secrets/nixos.nix
index 79529dca..5bc5983d 100644
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -66,6 +66,16 @@ in {
 "/etc/ssh/ssh_host_ed25519_key"
 ];
+ # secrets that are used by all nixos hosts
+ age.secrets = {
+ "nix-access-tokens" =
+ {
+ file = "${mysecrets}/nix-access-tokens.age";
+ }
+ # access-token needs to be readable by the user running the `nix` command
+ // user_readable;
+ };
+
 assertions = [
 {
 # This expression should be true to pass the assertion
@@ -112,13 +122,6 @@ in {
 }
 // high_security;
- "nix-access-tokens" =
- {
- file = "${mysecrets}/nix-access-tokens.age";
- }
- # access-token needs to be readable by the user running the `nix` command
- // user_readable;
-
 # ---------------------------------------------
 # user can read this file.
 # ---------------------------------------------
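Review bot: Moving `nix-access-tokens` into the unconditional `age.secrets` block at the top of the `in {` set (the new comment says it is "used by all nixos hosts") means the token is now decrypted on every host this module reaches, including the three kubevirt k8s VMs enabled in this same commit, and `// user_readable` makes it readable by the unprivileged user rather than root only, so a compromised user session or VM on any of those hosts can read it; keeping the secret scoped to the hosts that actually run `nix` with it limits that exposure. The added comment would be more useful if it said why every host needs it, e.g. `# deployed to every host: presumably the nix CLI needs it to fetch private flake inputs as the normal user`. I cannot see whether the `age.secrets` block the second hunk removes from (ending in `// high_security;`) sits in the same attribute set; if it does, a second `age.secrets` definition is a Nix evaluation error unless one of them is wrapped in `mkIf`/`mkMerge`, which the existing file presumably already arranges. Both hunks are inside the `in {` set that begins before them.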