diff --git a/m/common/slurm.nix b/m/common/slurm.nix
index 5404d0c..22ffae6 100644
--- a/m/common/slurm.nix
+++ b/m/common/slurm.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 let
 suspendProgram = pkgs.writeScript "suspend.sh" ''
@@ -85,4 +85,15 @@ in {
 SrunPortRange=60000-61000
 '';
 };
+
+ age.secrets.mungeKey = {
+ file = ../../secrets/munge-key.age;
+ owner = "munge";
+ group = "munge";
+ };
+
+ services.munge = {
+ enable = true;
+ password = config.age.secrets.mungeKey.path;
+ };
 }
diff --git a/secrets/munge-key.age b/secrets/munge-key.age
new file mode 100644
index 0000000..ead42c8
Binary files /dev/null and b/secrets/munge-key.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 34fb177..9dce058 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,11 +3,12 @@ let
 adminsKeys = builtins.attrValues keys.admins;
 hut = [ keys.hosts.hut ] ++ adminsKeys;
 # Only expose ceph keys to safe nodes and admins
- ceph = keys.hostGroup.safe ++ adminsKeys;
+ safe = keys.hostGroup.safe ++ adminsKeys;
 in {
 "ovni-token.age".publicKeys = hut;
 "nosv-token.age".publicKeys = hut;
- "ceph-user.age".publicKeys = ceph;
+ "ceph-user.age".publicKeys = safe;
+ "munge-key.age".publicKeys = safe;
 }
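Review bot: The new `age.secrets.mungeKey` block in `m/common/slurm.nix` sets `owner` and `group` but leaves the file mode to the agenix default, and nothing in it says which hosts are expected to be able to decrypt the key. munged rejects a key file that is readable by group or others, so adding `mode = "0400";` next to `owner`/`group` would make that requirement explicit instead of implicit. The same commit encrypts `munge-key.age` only to the `safe` host group and admins, so a host that imports this module from outside that group would presumably fail to decrypt it and start without a key; a comment such as `# decryptable only on hosts in keys.hostGroup.safe (see secrets/secrets.nix)` would record the constraint. The enclosing attribute set begins outside the hunk, so which hosts import the module cannot be checked from here.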
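Review bot: The comment above the renamed binding in `secrets/secrets.nix` still reads `# Only expose ceph keys to safe nodes and admins`, although `safe` now also lists the recipients of `munge-key.age`. I would update it to something like `# Only expose ceph and munge keys to safe nodes and admins`. It is also worth stating there that every recipient of the munge key can authenticate as a cluster member, so membership of `keys.hostGroup.safe` now gates Slurm/MUNGE trust as well as Ceph access and should be reviewed with that in mind whenever a host is added.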