diff --git a/configs/mail/client.nix b/configs/mail/client.nix
index 92ea78a..7c8110c 100644
--- a/configs/mail/client.nix
+++ b/configs/mail/client.nix
@@ -1,5 +1,6 @@
 { config, pkgs, lib, ... }:
 let
+  inherit (import <niveum/lib>) email-sshKey;
   much =
     let
       nixpkgs-much = import (pkgs.fetchFromGitHub {
@@ -17,6 +18,8 @@ let
 in {
   environment.variables.NOTMUCH_CONFIG = config.home-manager.users.me.home.sessionVariables.NOTMUCH_CONFIG;
 
+  users.users.me.openssh.authorizedKeys.keys = [ email-sshKey ];
+
   environment.systemPackages = [
     pkgs.notmuch-addrlookup
 
@@ -37,16 +40,9 @@ in {
   ];
 
   home-manager.users.me = {
-    services.muchsync.remotes.zaatar = {
-      frequency = "*:0/10";
-      remote.host = "email@zaatar";
-      remote.importNew = false;
-    };
-
     programs.notmuch = {
       enable = true;
       search.excludeTags = [ "deleted" "spam" ];
-      # extraConfig.muchsync.and_tags = "inbox;unread";
     };
 
     programs.msmtp.enable = true;
diff --git a/configs/mail/fetcher.nix b/configs/mail/fetcher.nix
index a6ac82d..f976490 100644
--- a/configs/mail/fetcher.nix
+++ b/configs/mail/fetcher.nix
@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
-  inherit (import <niveum/lib>) kieran;
+  inherit (import <niveum/lib>) kieran sshPort;
 
   tagRules = [
     {
@@ -32,25 +32,37 @@ let
     in lib.concatStringsSep "\n" (map template filters);
 in
 {
+  imports = [ <stockholm/krebs/3modules/secret.nix> ];
+
+  krebs.secret.files.email-ssh = {
+    path = "${config.users.users.email.home}/.ssh/id_ed25519";
+    owner.name = config.users.users.email.name;
+    source-path = toString <system-secrets> + "/email/ssh.key";
+  };
+
   users.users.email = {
     isNormalUser = true;
     description = "fetching mails since 2021";
-    openssh.authorizedKeys.keys = kieran.sshKeys pkgs;
-    packages = [ pkgs.muchsync ];
   };
 
-  environment.variables.NOTMUCH_CONFIG = config.home-manager.users.email.home.sessionVariables.NOTMUCH_CONFIG;
-
-  systemd.services.mail-sync = {
+  systemd.services.mail-sync =
+  let
+    hosts = [ "manakish.r" "wilde.r" ];
+  in {
     enable = true;
-    wants = [ "network-online.target" ];
-    startAt = "*:0/15";
+    wants = [ "network-online.target" config.krebs.secret.files.email-ssh.service ];
+    startAt = "*:0/3";
     serviceConfig.User = config.users.users.email.name;
     serviceConfig.Type = "oneshot";
     environment.NOTMUCH_CONFIG = config.home-manager.users.email.home.sessionVariables.NOTMUCH_CONFIG;
+    path = [ pkgs.notmuch pkgs.openssh ];
     script = ''
       ${pkgs.isync}/bin/mbsync --all
-      ${pkgs.notmuch}/bin/notmuch new
+
+      ${lib.concatMapStringsSep "\n" (host: ''
+        echo === syncing ${host}
+        ${pkgs.muchsync}/bin/muchsync -s 'ssh -CTaxq -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ConnectTimeout=4 -p ${toString sshPort}' kfm@${host} || :
+      '') hosts}
     '';
   };
 
diff --git a/lib/default.nix b/lib/default.nix
index 7796b1a..bc03860 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -28,6 +28,8 @@ rec {
 
   localAddresses = import ./local-network.nix;
 
+  email-sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKz33wHtPuIfgXEb0+hybxFGV9ZuPsDTLUZo/+hlcdA";
+
   kieran = {
     github = "kmein";
     email = "kmein@posteo.de";