diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 7510b6b82e8b298387394e5ff8082445a2fe18e7..9f37d640fd7cfacc67eed7074f03292849d8597f 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -8,7 +8,7 @@
 , stateVersion
 , publicIPv4
 , ...
-}: {
+}: rec {
   deployment = {
     targetHost = publicIPv4;
 
@@ -41,8 +41,8 @@
   services.private-storage-issuer = {
     enable = true;
     tls = true;
-    ristrettoSigningKeyPath = "/var/secrets/ristretto.signing-key";
-    stripeSecretKeyPath = "/var/secrets/stripe.secret-key";
+    ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
+    stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
     database = "SQLite3";
     databasePath = "/var/db/vouchers.sqlite3";
     inherit letsEncryptAdminEmail;