diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index 71c61a1753..b79c00195f 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -133,6 +133,7 @@ in
     iftop
     htop
     jq
     depot.nix.pkgs.mercurial
     switch-prebuilt
+    depot.ops.vault.provision-secret-id
   ];
   networking.useDHCP = false;
diff --git a/ops/vault/default.nix b/ops/vault/default.nix
index a13b0bc28c..6ec9f21681 100644
--- a/ops/vault/default.nix
+++ b/ops/vault/default.nix
@@ -2,6 +2,31 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-args: {
+{ pkgs, ... }@args: {
   cfg = import ./cfg args;
+
+  provision-secret-id = pkgs.writeShellApplication {
+    name = "provision-secret-id";
+    runtimeInputs = with pkgs; [ vault ];
+    text = ''
+      set -euo pipefail
+
+      export VAULT_ADDR=https://vault.int.lukegb.com/
+
+      if [[ "$(id -u)" != 0 ]]; then
+        echo Must be run as root >&2
+        exit 1
+      fi
+
+      echo -n "Secret wrapping token: "
+      read -r secret_id
+
+      SECRET_ID="$(vault unwrap -field=secret_id "''${secret_id}")"
+      RET="$?"
+      if [[ "$RET" != 0 ]]; then
+        exit $RET
+      fi
+      echo "$SECRET_ID" > /var/lib/vault-agent/secret-id
+    '';
+  };
 }
diff --git a/ops/vault/reissue-secret-id.sh b/ops/vault/reissue-secret-id.sh
index 6ba9ff76bf..0a144e2b38 100755
--- a/ops/vault/reissue-secret-id.sh
+++ b/ops/vault/reissue-secret-id.sh
@@ -11,4 +11,4 @@ echo Checking login credentials... >&2
 vault token lookup >/dev/null || vault login -method=oidc role=admin >&2
 echo Creating new secret... >&2
-vault write -f -format=json auth/approle/role/${server_name}/secret-id | jq -r '.data.secret_id'
+vault write -f -format=json -wrap-ttl=3m auth/approle/role/${server_name}/secret-id | jq -r '.wrap_info.token'
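Review bot: The closing `echo "$SECRET_ID" > /var/lib/vault-agent/secret-id` in the `text` block creates the file under root's current umask, so with the usual 022 the AppRole secret-id lands world-readable on the host; add `umask 077` at the top of the script (or `install -m 0600 /dev/null /var/lib/vault-agent/secret-id` before the redirect), and adjust the owner to whichever user vault-agent runs as, which is not visible here. The `RET="$?"` check after `SECRET_ID="$(vault unwrap …)"` is dead code: errexit is already on (explicitly via `set -euo pipefail`, and writeShellApplication normally prepends the same options itself), and a failing command substitution in a plain assignment aborts the script before `RET` is ever read, so the four lines from `RET="$?"` through `fi` can be dropped. `read -r secret_id` echoes the wrapping token to the terminal; `read -rs secret_id` keeps it out of scrollback, which is cheap even though the token is single-use with a short TTL. Writing to a temp file in the same directory followed by `mv` onto `/var/lib/vault-agent/secret-id` would also keep a vault-agent that starts mid-write from reading an empty or truncated secret-id.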
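Review bot: `${server_name}` in the rewritten `vault write` line is still unquoted, so a value containing whitespace or glob characters is word-split before it reaches vault; write it as `"auth/approle/role/${server_name}/secret-id"` (the variable is assigned before this hunk, so any validation it gets is not visible here). The `-format=json … | jq -r '.wrap_info.token'` pipeline can become `vault write -f -field=wrapping_token -wrap-ttl=3m "auth/approle/role/${server_name}/secret-id"`, which drops the jq dependency and returns vault's own non-zero status instead of printing `null` when the write fails but jq still runs (unless `pipefail` is set earlier in the script, outside the hunk). Switching to response wrapping is the right move; a one-line comment above the call recording the contract, e.g. `# Prints a single-use wrapping token valid for 3m; unwrap it on the target host with provision-secret-id.`, would help the next operator understand why the script no longer prints the secret-id itself. The script begins before this hunk.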