diff --git a/home/global/core/ssh.nix b/home/global/core/ssh.nix
index 1f943eb..0512b38 100644
--- a/home/global/core/ssh.nix
+++ b/home/global/core/ssh.nix
@@ -8,7 +8,7 @@
 }:
 let
 ## Get the current user's SSH config ##
- userSsh = secretsSpec.users.${hostSpec.user}.ssh;
+ userSsh = secretsSpec.users.${hostSpec.username}.ssh;
 ## Generate local key paths for the config ##
 sshKeysMap = lib.mapAttrs (name: _: "${hostSpec.home}/.ssh/${name}") userSsh.privateKeys;
diff --git a/hosts/global/core/user.nix b/hosts/global/core/user.nix
index 76e1a3a..6ca9f30 100644
--- a/hosts/global/core/user.nix
+++ b/hosts/global/core/user.nix
@@ -46,7 +46,7 @@ in
 "video"
 ])
 ];
- openssh.authorizedKeys.keys = builtins.attrValues config.secretsSpec.ssh.publicKeys or [ ];
+ openssh.authorizedKeys.keys = user.ssh.publicKeys or [ ];
 };
 # Special sudo config for user
@@ -69,7 +69,7 @@ in
 users.users.root = {
 shell = pkgs.bash;
 hashedPassword = lib.mkForce hostSpec.hashedPassword;
- openssh.authorizedKeys.keys = builtins.attrValues config.secretsSpec.ssh.publicKeys or [ ];
+ openssh.authorizedKeys.keys = user.ssh.publicKeys or [ ];
 };
 }
 // lib.optionalAttrs (inputs ? "home-manager") {
diff --git a/modules/global/secret-spec.nix b/modules/global/secret-spec.nix
index d2a6445..26a41a1 100644
--- a/modules/global/secret-spec.nix
+++ b/modules/global/secret-spec.nix
@@ -70,7 +70,15 @@ in
 privateKeys = lib.mkOption {
 type = lib.types.attrsOf lib.types.path;
 description = "SSH private key file paths keyed by name";
- readOnly = true;
+ default = { };
+ apply =
+ _:
+ let
+ userName = config.hostSpec.username;
+ userConfig = config.secretsSpec.users.${userName} or { };
+ privateKeyContents = userConfig.ssh.privateKeyContents or { };
+ in
+ lib.mapAttrs (name: content: mkSshKeyFile "${userName}-${name}" content) privateKeyContents;
 };
 config = lib.mkOption {
 type = lib.types.path;
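Review bot: `secretsSpec.users.${hostSpec.username}` on the added line has no fallback, so a host whose username has no entry in secretsSpec.users fails evaluation with a missing-attribute error, while the `apply` added to secret-spec.nix in the same commit defaults the very same lookup to `{ }`. Failing loudly here is arguably the better behaviour (it is what catches a mistyped username before a host deploys without keys), but the two sites should agree on one policy and the `## Get the current user's SSH config ##` comment should say which it is. If a fallback is intended, note that `userSsh.privateKeys` on the following context line would also need one. The enclosing `let` continues outside the hunk.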
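Review bot: `openssh.authorizedKeys.keys = user.ssh.publicKeys or [ ];` drops the `builtins.attrValues` the old line had, yet `authorizedKeys.keys` is a list of strings; this only type-checks if the per-user `publicKeys` is already a list, and if it is an attrset keyed by name like `privateKeys` in secret-spec.nix the conversion is still needed: `openssh.authorizedKeys.keys = builtins.attrValues (user.ssh.publicKeys or { });`. The same line is repeated in the `users.users.root` hunk at -69, so both need the same form. The `or [ ]` fallback also means a missing or misspelled user entry silently leaves both the user account and root with no authorized keys rather than failing the build; an assertion or `lib.warnIf` when the resulting list is empty would surface that. `user` is bound outside both hunks, so I cannot confirm its shape from here.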
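Review bot: `apply = _:` discards whatever value the option is given, and since `readOnly = true;` was removed in the same hunk, a definition such as `secretsSpec.users.<name>.ssh.privateKeys = ...` is now accepted and silently ignored; either keep `readOnly = true;` next to the new `default`, or honour the value with `apply = v: if v != { } then v else ...`. The apply also keys off `config.hostSpec.username` rather than the submodule's own attribute name, so (if `config` here is the outer module config, as the `config.secretsSpec.users` lookup suggests) every entry under `secretsSpec.users` resolves to the host user's key files, whereas the removed `lib.mapAttrs (userName: userConfig: ...)` at -247 used each user's own name. The description should also state that the paths are derived from `privateKeyContents` and where `mkSshKeyFile` places them; `mkSshKeyFile` is defined outside the hunk, and if it writes via a store-path helper the private key material is world-readable, which is pre-existing but worth documenting on the option.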
@@ -104,7 +112,15 @@ in
 privateKey = lib.mkOption {
 type = lib.types.path;
 description = "GPG private key file path";
- readOnly = true;
+ default = null;
+ apply =
+ _:
+ let
+ userName = config.hostSpec.username;
+ userConfig = config.secretsSpec.users.${userName} or { };
+ privateKeyContent = userConfig.gpg.privateKeyContents or "";
+ in
+ if privateKeyContent != "" then mkGpgKeyFile userName privateKeyContent else null;
 };
 trust = lib.mkOption {
 type = lib.types.str;
@@ -247,26 +263,4 @@ in
 default = { };
 };
 };
-
- config.secretsSpec.users = lib.mapAttrs (
- userName: userConfig:
- userConfig
- // {
- ## Auto-generate SSH private key files ##
- ssh = userConfig.ssh // {
- privateKeys = lib.mapAttrs (
- name: content: mkSshKeyFile "${userName}-${name}" content
- ) userConfig.ssh.privateKeyContents;
- };
-
- ## Auto-generate GPG private key file ##
- gpg = userConfig.gpg // {
- privateKey =
- if userConfig.gpg.privateKeyContents != "" then
- mkGpgKeyFile "${userName}-gpg" userConfig.gpg.privateKeyContents
- else
- null;
- };
- }
- ) config.secretsSpec.users;
 }
diff --git a/secrets.nix b/secrets.nix
index f1808e6..3c8d14d 100644
Binary files a/secrets.nix and b/secrets.nix differ
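Review bot: `default = null;` and the `else null` branch of the new apply do not fit `type = lib.types.path;`, which does not admit null; the option should be declared `type = lib.types.nullOr lib.types.path;` so the absent-key case is representable rather than relying on the default escaping the type check. The generated file name also changed from `"${userName}-gpg"` (see the removed mapAttrs in the -247 hunk) to bare `userName`; if `mkGpgKeyFile`, defined outside the hunk, derives its output path from that argument this silently renames the file and may collide with whatever `mkSshKeyFile` names after the user, so restoring `mkGpgKeyFile "${userName}-gpg" privateKeyContent` is the safer choice. As with the SSH `privateKeys` option at +70, `apply = _:` discards any explicitly set value now that `readOnly` is gone.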