diff --git a/.drone.yml b/.drone.yml
index 94cb083..2b95a7d 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -130,6 +130,14 @@ steps:
   - echo "newton:" && nix store diff-closures $(readlink -f newton-old) $(readlink -f newton-new)
   - echo "macintosh:" && nix store diff-closures $(readlink -f macintosh-old) $(readlink -f macintosh-new)
 
+
+- name: Push update
+  commands:
+  - git checkout -b flake-update
+  - git add flake.lock
+  - git commit -m "Updated flake lock"
+  - git push --force 
+
 trigger:
   branch:
   - main
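Review bot: The new `Push update` step has no `when:` filter, while the pipeline trigger shown in the following hunk still lists `pull_request` and `push`, so the force-push runs on every build, including builds of pull-request code, with whatever git credentials the runner holds. Restricting it, e.g. `when: {event: [cron]}`, keeps the push to scheduled updates. `git push --force` also names no remote or branch; the freshly created `flake-update` branch has no upstream, so under git's default push settings this likely fails, and `git push --force origin flake-update` (assuming the remote is `origin`) makes the target explicit. `git commit` also exits non-zero when `flake.lock` is unchanged, which would fail the build on a no-op update.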
@@ -137,61 +145,3 @@ trigger:
   - pull_request
   - cron
   - push
-
-
-  
----
-kind: pipeline
-name: Push flake update
-type: docker
-
-steps:
-- name: Update flake.lock
-  image: nixpkgs/nix-flakes
-  commands:
-  - nix flake update --inputs-from nixpkgs
-  - nix flake show
-  - nix flake metadata
-  - nix flake check
-  - nix flake check --show-trace
-  environment:
-    NIX_PATH: nixpkgs=channel:nixos-unstable
-
-- name: Push updated flake.lock
-  image: appleboy/drone-git-push
-  settings:
-    branch: update-flake
-    remote: git@github.com:JulienMalka/nix-config.git
-    force: true
-    commit: true
-    force: true
-    commit_message: "Updated flake.lock"
-    ssh_key:
-      from_secret: deploy_key
-
-- name: notify on failure
-  image: drillster/drone-email
-  settings:
-    username: "julien.malka@me.com"
-    from:
-      from_secret: email_from
-    host:
-      from_secret: email_host
-    password:
-      from_secret: email_password
-  when:
-    status:
-    - failure
-
-
-depends_on:
-- Update flake
-
-trigger:
-  branch:
-  - main
-  event:
-  - cron
-  - push
-
-
diff --git a/modules/drone/default.nix b/modules/drone/default.nix
index b2be557..b606f4a 100644
--- a/modules/drone/default.nix
+++ b/modules/drone/default.nix
@@ -19,8 +19,10 @@ in
     mkMerge [{
 
 
+      luj.hmgr.droneserver.luj.programs.git.enable = true;
       users.groups.docker = {};
       sops.secrets.drone = { };
+      nix.allowedUsers = [ "droneserver"];
 
       virtualisation.docker.enable = true;
 
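Review bot: `nix.allowedUsers = [ "droneserver"];` defines the whole list rather than extending the option's default, so unless another module contributes entries, the nix daemon would presumably accept only droneserver besides root and trusted users once this module is enabled. If that restriction is intended, a comment such as `# only the CI runner may use the nix daemon on this host` would record it; if not, the other users need listing here as well. The enclosing `mkMerge` block starts and ends outside the hunk, so other definitions may exist that are not visible here.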
@@ -54,7 +56,9 @@ in
       users.users.droneserver = {
         isSystemUser = true;
         createHome = true;
+        home = "/home/droneserver";
         group = droneserver;
+        extraGroups = [ config.users.groups.keys.name ];
       };
       users.groups.droneserver = { };
 
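Review bot: Adding droneserver to the `keys` group, together with the `mode = "0440"` and `group = config.users.groups.keys.name` lines added to `sops.secrets.git-gpg-private-key` in modules/secrets/default.nix, makes the GPG private key readable by the account that executes pipeline commands. Those commands come from `.drone.yml` in the repository and the pipeline still triggers on `pull_request`, so any build step can read the key, along with any other secret shared with `keys`. A signing key dedicated to CI, declared as its own sops secret with `owner = "droneserver";`, would keep julien's key out of the runner's reach; if the sharing is deliberate, a comment above `extraGroups` should say so. The `users.users.droneserver` block is fully visible in this hunk, but the surrounding module is not.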
@@ -63,6 +67,8 @@ in
         description = "Drone Exec Runner";
         startLimitIntervalSec = 5;
         serviceConfig = {
+          User = droneserver;
+          Group = droneserver;
           EnvironmentFile = [ config.sops.secrets.drone.path ];
           Environment = [
             "DRONE_SERVER_HOST=${cfg.nginx.subdomain}.julienmalka.me"
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 6d7ebc5..d8f649d 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -18,6 +18,8 @@ with lib;
       sops.secrets.sendinblue-mail-passwd = {};
       sops.secrets.git-gpg-private-key = {
         owner = "julien";
+        mode = "0440";
+        group = config.users.groups.keys.name;
       };
       
       };