diff --git a/nix-os/services/nix-binary-cache.nix b/nix-os/services/nix-binary-cache.nix
index 923b0bc..3dd7ad6 100644
--- a/nix-os/services/nix-binary-cache.nix
+++ b/nix-os/services/nix-binary-cache.nix
@@ -1,11 +1,54 @@
-{ pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 {
+  options = {
+    services.nix-serve = {
+      keyName = lib.mkOption {
+        type = lib.types.str;
+        default = config.networking.fqdnOrHostName;
+        defaultText = "config.networking.fqdnOrHostName";
+        description = "Name of the key when generating (usually domain name)";
+      };
+      publicKeyFile = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/cache-pub-key.pem";
+        description = "Path to the public key file";
+      };
+    };
+  };
   config = {
     services.nix-serve = {
       enable = true;
       package = pkgs.nix-serve-ng;
       secretKeyFile = "/var/cache-priv-key.pem";
     };
+    systemd.services.nix-serve-generate-key = let
+      inherit (config.services.nix-serve) keyName secretKeyFile publicKeyFile;
+    in {
+      description = "Ensure existence of nix binary cache signing key";
+      wantedBy = [ config.systemd.services.nix-serve.name ];
+      script = ''
+        if [ -f ${secretKeyFile} ]; then
+          echo "File ${secretKeyFile} already exists, nothing to do" >&2
+          exit 0
+        fi
+        if [ -a ${secretKeyFile} ]; then
+          echo "File ${secretKeyFile} is not a regular file" >&2
+          exit 1
+        fi
+        echo "Generating nix binary cache signing key" >&2
+        touch ${secretKeyFile}
+        chmod 600 ${secretKeyFile}
+        mkdir -p $(dirname ${secretKeyFile})
+        ${lib.getExe' pkgs.nix "nix-store"} --generate-binary-cache-key \
+          ${keyName} ${secretKeyFile} ${publicKeyFile}
+      '';
+      restartIfChanged = true;
+    };
   };
 }