diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix
index dc0ce153f..03990ad1f 100644
--- a/ops/secrets/mkSecrets.nix
+++ b/ops/secrets/mkSecrets.nix
@@ -3,10 +3,25 @@
 # Note that encrypted secrets end up in the Nix store, but this is
 # fine since they're publicly available anyways.
 { depot, lib, ... }:
+let
+ types = depot.third_party.korora;
+ inherit (lib) hasPrefix isString;
+ sshPubkey = types.typedef "SSH pubkey" (s: isString s && hasPrefix "ssh-" s);
+
+ agePubkey = types.typedef "age pubkey" (s: isString s && hasPrefix "age" s);
+
+ agenixSecret = types.struct "agenixSecret" {
+ publicKeys = types.listOf (types.union [
+ sshPubkey
+ agePubkey
+ ]);
+ };
+
+in
 (
 path: secrets:
 depot.nix.readTree.drvTargets
 # Import each secret into the Nix store
- (builtins.mapAttrs (name: _: "${path}/${name}") secrets)
+ (builtins.mapAttrs (name: secret: agenixSecret.check secret "${path}/${name}") secrets)
 )
diff --git a/third_party/korora/default.nix b/third_party/korora/default.nix
new file mode 100644
index 000000000..5a0413b84
--- /dev/null
+++ b/third_party/korora/default.nix
@@ -0,0 +1,3 @@
+{ depot, ... }:
+
+import depot.third_party.sources.korora { }
diff --git a/third_party/sources/sources.json b/third_party/sources/sources.json
index b3ec3d460..5d5be9acc 100644
--- a/third_party/sources/sources.json
+++ b/third_party/sources/sources.json
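Review bot: The `sshPubkey` predicate in the new `let` block of mkSecrets.nix rejects valid OpenSSH public keys whose type token does not start with `ssh-`, such as `ecdsa-sha2-nistp256` and the FIDO `sk-ssh-ed25519@openssh.com` / `sk-ecdsa-sha2-nistp256@openssh.com` variants, so a recipient key of one of those types that the old `name: _:` mapping accepted would now fail `agenixSecret.check`. Unless the repo only ever uses `ssh-ed25519`/`ssh-rsa` recipients, widen it to the known type prefixes, e.g. `sshPubkey = types.typedef "SSH pubkey" (s: isString s && any (p: hasPrefix p s) [ "ssh-" "ecdsa-sha2-" "sk-ssh-" "sk-ecdsa-" ]);` with `any` added to the `inherit (lib)` line. The `agePubkey` check can conversely be tightened: age recipients are bech32 strings that begin with `age1`, so `hasPrefix "age1" s` is the precise test and excludes unrelated strings that merely start with `age`. Note also that the struct only validates element types, so an empty `publicKeys` list still passes; whether that should be rejected here depends on how the agenix tooling handles a secret with no recipients.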
@@ -48,6 +48,18 @@
 "url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
+ "korora": {
+ "branch": "master",
+ "description": "A tiny & fast type system for Nix in Nix",
+ "homepage": "",
+ "owner": "adisbladis",
+ "repo": "korora",
+ "rev": "f7d8f17c4f20b69bc77189d4202c59c680400623",
+ "sha256": "15im7sm7z36n128g38fz3dcy26qml7vzj986x0nfpzwgyd7499pb",
+ "type": "tarball",
+ "url": "https://github.com/adisbladis/korora/archive/f7d8f17c4f20b69bc77189d4202c59c680400623.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
 "naersk": {
 "branch": "master",
 "description": "Build rust crates in Nix. No configuration, no code generation, no IFD. Sandbox friendly. [maintainer: @Patryk27]",