diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 31ad358..c1abaff 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -225,8 +225,8 @@ in {
 environment.systemPackages = [ cfg.package ];
 systemd.services.bitcoind = {
 description = "Bitcoin daemon";
- requires = [ "bitcoin-rpcpassword-key.service" ];
- after = [ "network.target" "bitcoin-rpcpassword-key.service" ];
+ requires = [ "nix-bitcoin-secrets.target" ];
+ after = [ "network.target" "nix-bitcoin-secrets.target" ];
 wantedBy = [ "multi-user.target" ];
 preStart = ''
 if ! test -e ${cfg.dataDir}; then
@@ -296,7 +296,6 @@ in {
 users.users.${cfg.user} = {
 group = cfg.group;
- extraGroups = [ "keys" ];
 description = "Bitcoin daemon user";
 home = cfg.dataDir;
 };
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 4fc1e89..a01ff7c 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -64,7 +64,7 @@ in {
 users.users.clightning = {
 description = "clightning User";
 group = "clightning";
- extraGroups = [ "bitcoinrpc" "keys" ];
+ extraGroups = [ "bitcoinrpc" ];
 home = cfg.dataDir;
 };
 users.groups.clightning = {};
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 2d6ee20..77d8944 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -60,7 +60,7 @@ in {
 users.users.${cfg.user} = {
 description = "electrs User";
 group = cfg.group;
- extraGroups = [ "bitcoinrpc" "keys" "bitcoin"];
+ extraGroups = [ "bitcoinrpc" "bitcoin"];
 home = cfg.dataDir;
 };
 users.groups.${cfg.group} = {};
@@ -113,5 +113,9 @@ in {
 }
 '';
 };
+ systemd.services.nginx = {
+ requires = [ "nix-bitcoin-secrets.target" ];
+ after = [ "nix-bitcoin-secrets.target" ];
+ };
 };
 }
diff --git a/modules/liquid.nix b/modules/liquid.nix
index c558a6a..5ce72e2 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
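Review bot: `requires = [ "nix-bitcoin-secrets.target" ]` in systemd.services.bitcoind points at a target that this change defines only in network/network.nix, the nixops deployment, so modules/bitcoind.nix is no longer self-contained: a deployment that imports the module without that file has no such unit, and bitcoind.service would presumably fail to start because its requirement cannot be loaded. The same cross-file reference is added in modules/electrs.nix (systemd.services.nginx) and, indirectly through bitcoind.service, in modules/liquid.nix. Declare `systemd.targets.nix-bitcoin-secrets = {};` in a module every deployment imports, and let the network file only attach allowSecretsDirAccess.service to it via requires/after, so the target exists wherever the modules are used. The systemd.services.bitcoind block continues past the hunk.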
@@ -183,8 +183,8 @@ in {
 environment.systemPackages = [ pkgs.elementsd ];
 systemd.services.liquidd = {
 description = "Elements daemon providing access to the Liquid sidechain";
- requires = [ "liquid-rpcpassword-key.service" ];
- after = [ "network.target" "liquid-rpcpassword-key.service" ];
+ requires = [ "bitcoind.service" ];
+ after = [ "bitcoind.service" ];
 wantedBy = [ "multi-user.target" ];
 preStart = ''
 if ! test -e ${cfg.dataDir}; then
@@ -215,7 +215,6 @@ in {
 };
 users.users.${cfg.user} = {
 group = cfg.group;
- extraGroups = [ "keys" ];
 description = "Liquid sidechain user";
 home = cfg.dataDir;
 };
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 496eb11..3806477 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -95,7 +95,7 @@ in {
 users.users.lnd = {
 description = "LND User";
 group = "lnd";
- extraGroups = [ "bitcoinrpc" "keys" ];
+ extraGroups = [ "bitcoinrpc" ];
 home = cfg.dataDir;
 };
 users.groups.lnd = {};
diff --git a/modules/nanopos.nix b/modules/nanopos.nix
index 2dc7364..9fb5337 100644
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@@ -55,7 +55,6 @@ in {
 users.users.nanopos = {
 description = "nanopos User";
 group = "nanopos";
- extraGroups = [ "keys" ];
 };
 users.groups.nanopos = {};
diff --git a/network/network.nix b/network/network.nix
index 9a35e9d..f8ae92b 100644
--- a/network/network.nix
+++ b/network/network.nix
@@ -75,7 +75,7 @@ in {
 network.description = "Bitcoin Core node";
 bitcoin-node =
- { config, pkgs, ... }: {
+ { config, pkgs, lib, ... }: {
 imports = [ ../configuration.nix ];
 deployment.keys = {
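Review bot: `after = [ "bitcoind.service" ]` in systemd.services.liquidd drops `network.target` and names no secrets unit, although the removed lines show liquidd previously waited for liquid-rpcpassword to be in place; its ordering against the secrets directory now rests solely on bitcoind.service itself being ordered after nix-bitcoin-secrets.target, which a later edit to bitcoind.nix could silently undo. State the dependency where it is consumed: `requires = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];` and `after = [ "network.target" "bitcoind.service" "nix-bitcoin-secrets.target" ];`. Whether liquidd reads the secret in preStart is outside the hunk; the systemd.services.liquidd block continues past it.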
@@ -87,5 +87,22 @@ in {
 // (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
 // (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
 // (if (config.services.electrs.enable) then { inherit nginx_key nginx_cert; } else { });
+
+ # nixops makes the secrets directory accessible only for users with group 'key'.
+ # For compatibility with other deployment methods besides nixops, we forego the
+ # use of the 'key' group and make the secrets dir world-readable instead.
+ # This is safe because all containing files have their specific private
+ # permissions set.
+ systemd.services.allowSecretsDirAccess = {
+ requires = [ "keys.target" ];
+ after = [ "keys.target" ];
+ script = "chmod o+x /secrets";
+ serviceConfig.Type = "oneshot";
+ };
+
+ systemd.targets.nix-bitcoin-secrets = {
+ requires = [ "allowSecretsDirAccess.service" ];
+ after = [ "allowSecretsDirAccess.service" ];
+ };
 };
 }
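Review bot: `script = "chmod o+x /secrets"` makes the per-file modes inside /secrets the only barrier against other local users, yet allowSecretsDirAccess never checks that those modes are what the comment assumes; one secret deployed with an others-readable mode becomes reachable by any local account once the directory is traversable. Have the oneshot verify the invariant before widening access, e.g. exit non-zero if any entry under /secrets is readable or writable by others, and have the comment say explicitly that per-file modes are the remaining protection rather than that the change "is safe". The comment names the group `'key'` while the membership removed elsewhere in this change is in `keys`; use the real name. `serviceConfig.Type = "oneshot"` without `serviceConfig.RemainAfterExit = true;` leaves the service inactive after it runs, so each later start of nix-bitcoin-secrets.target re-executes the chmod; harmless as written, but RemainAfterExit is the usual shape for a one-time setup step a target depends on.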