diff --git a/modules/base.nix b/modules/base.nix
index 96e55c33..18fd454e 100644
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -1,4 +1,5 @@
 {
+ config,
 pkgs,
 myvars,
 nuenv,
@@ -115,4 +116,8 @@
 ];
 builders-use-substitutes = true;
 };
+
+ nix.extraOptions = ''
+ !include ${config.age.secrets.nix-access-tokens.path}
+ '';
 }
diff --git a/modules/nixos/desktop/security.nix b/modules/nixos/desktop/security.nix
index 3e376276..ef3abe59 100644
--- a/modules/nixos/desktop/security.nix
+++ b/modules/nixos/desktop/security.nix
@@ -3,10 +3,6 @@
 pkgs,
 ...
 }: {
- nix.extraOptions = ''
- !include ${config.age.secrets.nix-access-tokens.path}
- '';
-
 # security with polkit
 security.polkit.enable = true;
 # security with gnome-kering
diff --git a/secrets/darwin.nix b/secrets/darwin.nix
index ea67df81..2d8b0f27 100644
--- a/secrets/darwin.nix
+++ b/secrets/darwin.nix
@@ -71,7 +71,8 @@
 {
 file = "${mysecrets}/nix-access-tokens.age";
 }
- // high_security;
+ # access-token needs to be readable by the user running the `nix` command
+ // user_readable;
 # ---------------------------------------------
 # user can read this file.
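Review bot: In the second hunk of modules/base.nix, the new `nix.extraOptions` block references `config.age.secrets.nix-access-tokens.path` unconditionally, so every configuration that imports base.nix must now declare that agenix secret or evaluation fails. Only secrets/darwin.nix is touched in this diff, so the secret's definition and permissions on the NixOS side cannot be confirmed from here. Because `!include` skips a file that is missing, a host where the secret is not decrypted would presumably run without the token and without any error. I would add a comment above the option, `# the token file must be readable by the user invoking nix; see the secret's owner/mode`, and check the secret definition for each platform that imports this module.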
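Review bot: In secrets/darwin.nix, replacing `// high_security` with `// user_readable` widens who can read the decrypted access token, and the definition of `user_readable` lies outside this hunk. Its owner and mode should be checked to be owner-only for the one account that runs `nix`, not group- or world-readable. Any process running as that user can now read the file, so the token itself should carry only the scope the fetches require. I would extend the added comment with `# keep this token minimally scoped: every process running as the user can read it`.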