diff --git a/.sops.yaml b/.sops.yaml
index 9034a521..84d0f4ef 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,9 +1,13 @@
 keys:
   - &user_desko_colin age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
+  - &user_lappy_colin age1ml8kkppftygu2wag57yld98jlrkh4avp54eheq7q0fa2rup843csqjajs6
+  - &user_moby_colin age1lt739n2tq7dmpglvntjr9j2r7426md7rat7x9w930gagtx4jyvnqwts2al
   - &host_desko age1s0v4fm203ap6mckcz3djw8hx30uqu87xfhfdajpmyf8rfrf5xs5swpz6m6
 creation_rules:
   - path_regex: secrets/[^/]+\.yaml$
     key_groups:
       - age:
           - *user_desko_colin
+          - *user_lappy_colin
+          - *user_moby_colin
           - *host_desko
diff --git a/configuration.nix b/configuration.nix
index 377dadc4..3c06a3e2 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -35,11 +35,12 @@
   # for each user you want to decrypt secrets:
   # $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
   # add the result to .sops.yaml
+  # since we specify ssh pubkeys in the nix config, you can just grep for `ssh-ed25519` here and use those instead
   #
   # for each machine you want to decrypt secrets:
   # $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   # add the result to .sops.yaml
-  # you may need to re-encode all the secrets (even physically deleting and recreating them).
+  # $ sops updatekeys secrets/example.yaml
   #
   # to create a new secret:
   # $ sops secrets/example.yaml
diff --git a/secrets/example.yaml b/secrets/example.yaml
index 3e6a1975..ed665de4 100644
--- a/secrets/example.yaml
+++ b/secrets/example.yaml
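Review bot: The single `key_groups` entry under `path_regex: secrets/[^/]+\.yaml$` means any one of the listed age recipients can decrypt every file under `secrets/` by itself, so the two new user keys (`user_lappy_colin`, `user_moby_colin` — which look like a laptop and a mobile device, to confirm) now each unlock the full secret set. If those devices are more likely to be lost or stolen than the desktop, a second `creation_rules` entry with a narrower regex would let them receive only the secrets they need, or `shamir_threshold` would stop a single device from sufficing. Removing a recipient from this list later does not by itself revoke access, since `sops updatekeys` re-wraps the existing data key; that is worth stating in the file, e.g. `# any single key below decrypts every secrets/*.yaml; to revoke a key, rotate with sops -r` above `key_groups:`.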
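Review bot: The new `# $ sops updatekeys secrets/example.yaml` line documents adding a recipient but drops the removal case the deleted sentence loosely covered: as I understand sops, `updatekeys` only re-wraps the current data key for the recipients in `.sops.yaml`, so a key removed after a lost laptop or re-imaged host can still decrypt the revisions already committed. I would add after it `# to revoke a key, also rotate the data key: $ sops -r -i secrets/example.yaml` and `# older ciphertext in git history stays readable by the removed key`. Since the creation rule matches every `secrets/*.yaml`, the comment should also make clear the command is per file, e.g. `# $ for f in secrets/*.yaml; do sops updatekeys -y "$f"; done`. The comment block continues outside the hunk.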
@@ -17,20 +17,38 @@ sops: - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUWdZeHhjQnU0MVpQNTNy - WTEyVVVMVlpaL3duWkNnRE55RFltcWo0SzAwCkYra2hMdk9hdGR2dXo0SDVDb0Zy - Y3lvblhzSy9aWjQzOE5nR1lvaXg5dVEKLS0tIDhlVERraFgzeVlBbmxPZit5MzAv - dEIzelZ0M1Nuektzb1lSWXl1bGVWYVEK1sbgSBu/yjtbgAMUNO/U7vX++zuUoCj5 - IZqsQ1Jofw4VGukUt+vUloWJ9W+uysRveDbqTX2x2XiRLqJXaKVIZQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZDFoUlNBS3lCTGZXT2FZ + U3pjNFVWNDF5d294S1dzS3V6ZzhNRCs1SFVJCjVxQ1BxQlczTy9vOVI1V2JKZjN2 + c2Exa2ttTHIyc21USzZYN2t1WE1sZGsKLS0tIENXamx6TXBtZElOWTRybURybWky + WHNpcmdxR2NmTDdDcUlZbC9sQkJPY0kKb7VCtdYpKmf3FlxOGdIjoCJ9Ip/0F5m1 + QT9HQcxXq4Olc9Ekd4ah9l4bphAgmH4DKkb4ba7ShJ+U4bw3279Bdw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ml8kkppftygu2wag57yld98jlrkh4avp54eheq7q0fa2rup843csqjajs6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVjd2eUlQMUM4QmExVGhT + dnpBNkpnbkdGcU0yTzJhQjNvZ2hXZTdWSm4wCjB1djdMTzZpYkhnTWV4ZmgzanN3 + cG83RlF1OGZGQlhWQTJUZUwxUlNUWU0KLS0tIGtMeFZjVldjS3VJNVB3bWxnWXNZ + cmJHbDFtZTQ5OUZ6SURVNUt6MlU5YkUKe/d1hc7x9/Cru8gse+kBgDmR32ezHv5J + j9YDUv5QJwAwgnEVhhTHoYnSpHQtDIeoSzURxhVwK/tgHpCaqFSq2w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lt739n2tq7dmpglvntjr9j2r7426md7rat7x9w930gagtx4jyvnqwts2al + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMThScUw4emh6Q3JGMTJ2 + NC9aYjlxL1liWmFqZUN0WHJsRXoxdGNIc2tVCjJmbm96NStwUnY5N0lNVEZSZkZI + Zk9Wcm1jSit6TUE0QnBHQzBzK2l0OTQKLS0tIEswRGhrSFUwbzNXeXAwYWUzejZT + TTlxRjh6QzVETE0yeGZVRFJzNTVMNEEKUNttIPaTCsyGbycDdxbZ8tYtj4fzYgjM + hb+BL0VzJpJjxB3077KAH6eryJe0ZlS0N0nrMy8/cKHUcDW52DhDRA== -----END AGE ENCRYPTED FILE----- - recipient: age1s0v4fm203ap6mckcz3djw8hx30uqu87xfhfdajpmyf8rfrf5xs5swpz6m6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNL1NKVjRRbFUzYUZzakw0 - 
S1Jhc1Y3dlJ5WWxYcHNUVytDZ25jU1ZIWkdJCkRpY3dwakk4NWw0VWVGYllNQ0x5 - ZTB1aVh1QlJBdmZld0EzVXVCZkpqZlEKLS0tIG1kcHVwNjhLaVFsVk9vWXpJZmhN - RHAyR2poZWkydUpVTEo4NXNvS1RwUE0KDWF9jDZP1cOMxE4iZzhN+eKJakEYK4g8 - RQX7A5W1chN8Qh7KYPWZiGOL6FfcWUxFt8mfrUPKrxkGnM7zcz9Xrw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZGNKRmx5UHZBYXY2dGJp + MmxESVY2MkxmaENLUzlOcFpweDMwRHJUTkdFCkVabW1kbXlIRUxMYWxTVXcrNWw0 + Z1ZlRFVXUWV5dTV1RkUvUXgvZEpCVEkKLS0tIEdobjZYNXNDVmIwQ0xZR1M5S0Q4 + dnh3NE9RSGEwZjMvRjRVVXM4V3ZTR0UKJ4Rw+NoTwunpy8ZB1wQvRxs3x/Uq+1sn + n0XzsxEViDyA1+xlmOsUmrpdESqSGHLwIuYCWbppI2KhZjnbR2iSUQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-06-06T23:21:20Z" mac: ENC[AES256_GCM,data:pU5882gcNu2hmINn/xnDriHX8PvrEqepnf8/B+WGYrkd6yqpsVPCivlhGFmPvPaRt/o0AVMuH7Wbwm3+rmOpR1LFfJUtnFcejWVpVNE6BuxuWTdF90EENUStKg3DWV4uspRlQds856GR7pkDblkmAOgWZ7zD3ILS3sF/fLuFLr0=,iv:TCsuetCjhhJc/0K4UQrCD9+zWEVssI6Yx0AQ/+eDSn0=,tag:ZsKZZB5S9bgLIRJBLO/KgQ==,type:str]