diff --git a/Makefile b/Makefile
index bda63dd..5042f10 100644
--- a/Makefile
+++ b/Makefile
@@ -50,7 +50,7 @@ sops-setup: ## Copy age key to SOPS default path (~/.config/sops/age/keys.txt)
 @echo "✔ SOPS key path set (~/.config/sops/age/keys.txt). Alternatively export SOPS_AGE_KEY."
 sops-edit: ## Edit the global secrets with SOPS
- sops inventory/group_vars/secrets.sops.yaml
+ sops secrets/hetzner-token.yaml
 sops-encrypt: ## Encrypt a file in place: make sops-encrypt FILE=secrets/foo.yaml
 @[ -n "$(FILE)" ] || (echo "Usage: make sops-encrypt FILE=secrets/xxx.yaml" && exit 1)
diff --git a/scripts/hcloud_new_server.sh b/scripts/hcloud_new_server.sh
index cd10f15..29cf793 100755
--- a/scripts/hcloud_new_server.sh
+++ b/scripts/hcloud_new_server.sh
@@ -63,8 +63,8 @@ python3 scripts/new_host.py \
 ok "Inventory updated: $NAME → inventory/servers.yaml"
 # --- Decrypt Hetzner token and apply Terraform ---
-HCLOUD_TOKEN="$(sops -d --extract '["ops"]["hcloud_token"]' inventory/group_vars/secrets.sops.yaml 2>/dev/null || true)"
-[[ -n "$HCLOUD_TOKEN" ]] || fail "Could not decrypt ops.hcloud_token from inventory/group_vars/secrets.sops.yaml. Ensure SOPS_AGE_KEY or keys.txt is set and token exists."
+HCLOUD_TOKEN="$(sops -d --extract '["hetzner"]["token"]' secrets/hetzner-token.sops.yaml 2>/dev/null)"
+[[ -n "$HCLOUD_TOKEN" ]] || fail "Could not decrypt ops.hcloud_token from secrets/hetzner-token.sops.yaml. Ensure SOPS_AGE_KEY or keys.txt is set and token exists."
 pushd terraform/hetzner >/dev/null
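Review bot: The new `sops-edit` recipe opens `secrets/hetzner-token.yaml`, while `scripts/hcloud_new_server.sh` in this same commit decrypts `secrets/hetzner-token.sops.yaml`, so the target edits a different file from the one the provisioning script reads. If the `.sops.yaml` name is the intended one, the recipe should be `sops secrets/hetzner-token.sops.yaml`. The shorter name may also fall outside any SOPS creation rule or ignore pattern that keys on the `.sops.` infix (none is visible here), which is worth checking before a secret is saved under it. The `##` help text still reads "Edit the global secrets with SOPS" although the target now opens only the Hetzner token file; `## Edit the Hetzner token secret with SOPS` would match.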
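Review bot: The failure message on the added `[[ -n "$HCLOUD_TOKEN" ]]` line still names `ops.hcloud_token`, but the added `sops -d --extract` line now reads `["hetzner"]["token"]`, so an operator debugging a failed decrypt is pointed at a key that is no longer used; the message should say `hetzner.token`. Dropping `|| true` also changes the failure path: if the script runs under `set -e` (not visible in this hunk), a failing `sops` aborts at the assignment and, with `2>/dev/null` still in place, exits without printing anything, so `fail` is never reached. Letting sops report its own error (missing age key, MAC mismatch on the encrypted file) and guarding the assignment directly covers both cases, e.g. `HCLOUD_TOKEN="$(sops -d --extract '["hetzner"]["token"]' secrets/hetzner-token.sops.yaml)" || fail "Could not decrypt hetzner.token from secrets/hetzner-token.sops.yaml."`. The script continues beyond this hunk, so how the token is handed to Terraform cannot be reviewed from here.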