diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index af4557be18..5e3056e25e 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -330,7 +330,7 @@ zabbix_url_path: "" # If Zabbix WebUI runs on non-default (zabbix) path ,e.g. h
 # Zabbix agent vars
 zabbix_host: "zabbix01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
 zabbix_tls_psk_identity: "Fedora"
-zabbix_tls_psk_file: "/etc/zabbix/fedora.psk" # `openssl rand -hex 32` - values in ansible private repo
+zabbix_tls_psk: "{{ zabbix_tls_prod_psk }}" # in ansible-private repo
 notes: |
 Unspecified.
diff --git a/inventory/group_vars/pagure_stg b/inventory/group_vars/pagure_stg
index f4877e128a..a63e991bc9 100644
--- a/inventory/group_vars/pagure_stg
+++ b/inventory/group_vars/pagure_stg
@@ -40,6 +40,7 @@ vpn: true
 zabbix_host: zabbix01.vpn.fedoraproject.org
 zabbix_server: "{{ zabbix_hostname }}"
 zabbix_auth_key: "{{ zabbix_apikey }}" # ansible-private repo
+zabbix_tls_psk: "{{ zabbix_tls_prod_psk }}" # in ansible-private repo, pagure-stg is weird...
 notes: |
 Run the pagure instances for fedora
diff --git a/inventory/group_vars/staging b/inventory/group_vars/staging
index 196c8891e9..0d2e33812f 100644
--- a/inventory/group_vars/staging
+++ b/inventory/group_vars/staging
@@ -68,3 +68,4 @@ wildcard_key_file: wildcard-2025.stg.fedoraproject.org.key
 # Zabbix connection vars - overrides on production values
 zabbix_server: zabbix.stg.fedoraproject.org
 zabbix_auth_key: "{{ zabbix_stg_apikey }}" # in ansible-private repo
+zabbix_tls_psk: "{{ zabbix_tls_stg_psk }}" # in ansible-private repo
diff --git a/roles/zabbix/zabbix_agent/defaults/main.yml b/roles/zabbix/zabbix_agent/defaults/main.yml
index 45dd3bde07..ad8ee86baf 100644
--- a/roles/zabbix/zabbix_agent/defaults/main.yml
+++ b/roles/zabbix/zabbix_agent/defaults/main.yml
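Review bot: The added `zabbix_tls_psk: "{{ zabbix_tls_prod_psk }}"` in inventory/group_vars/pagure_stg hands the production key to a staging group, and the only explanation is "pagure-stg is weird...", which gives the next maintainer no way to tell whether that is intended. From `zabbix_host: zabbix01.vpn.fedoraproject.org` three lines above it looks like this group reports to the production Zabbix server, which would explain the choice, but that is inferred. A staging host holding the production PSK means a compromise of that host exposes a key that is valid for every production agent using the shared identity, so the reason deserves to be recorded and the pairing revisited if a staging server becomes usable for it. Suggested comment in place of the current one: `# pagure-stg reports to the production Zabbix server (zabbix_host above), so it needs the production PSK rather than zabbix_tls_stg_psk`.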
@@ -12,7 +12,9 @@ zabbix_base_hostgroups:
 zabbix_tls_connect: "psk"
 zabbix_tls_accept: "psk"
 zabbix_tls_psk_identity: "Test"
-zabbix_tls_psk_file: "/etc/zabbix/test.psk" # `openssl rand -hex 32` - values in ansible private repo
+# Generate this with `openssl rand -hex 32`
+# and put value in ansible-private repo
+zabbix_tls_psk: abababababababababababababababababababababababababababababababab
 # Zabbix Connection params
 # these are set in the inventory, see group_vars/all:zabbix_* for starters
diff --git a/roles/zabbix/zabbix_agent/tasks/hosts.yml b/roles/zabbix/zabbix_agent/tasks/hosts.yml
index 236f211f4a..a986d7bf99 100644
--- a/roles/zabbix/zabbix_agent/tasks/hosts.yml
+++ b/roles/zabbix/zabbix_agent/tasks/hosts.yml
@@ -31,13 +31,13 @@
 force: false
 # Zabbix API for PSK is write-only, so Ansible will always mark as "changed". Ignore "changed" state for PSK.
- - name: "API | PSK keys"
+ - name: Set PSK key in Zabbix
 community.zabbix.zabbix_host:
 host_name: "{{ inventory_hostname }}"
 tls_accept: 2 # PSK
 tls_connect: 2 # PSK
 tls_psk_identity: "{{ zabbix_tls_psk_identity }}"
- tls_psk: "{{ lookup('ansible.builtin.file', private + '/files/zabbix/fedora' + env_suffix + '.psk') }}"
+ tls_psk: "{{ zabbix_tls_psk }}"
 changed_when: false
 ignore_errors: '{{ ansible_check_mode }}' # in check mode, the host might not be created yet
diff --git a/roles/zabbix/zabbix_agent/tasks/main.yml b/roles/zabbix/zabbix_agent/tasks/main.yml
index 729b557117..771fd82ee9 100644
--- a/roles/zabbix/zabbix_agent/tasks/main.yml
+++ b/roles/zabbix/zabbix_agent/tasks/main.yml
@@ -87,13 +87,13 @@
 - name: Copy zabbix-agend.conf psk config
 ansible.builtin.copy:
- src: "{{ item }}"
+ # value set in group_vars from ansibe-private
+ content: "{{ zabbix_tls_psk }}\n"
 dest: /etc/zabbix/fedora.psk
 owner: zabbix
 group: zabbix
 mode: "0600"
- with_fileglob:
- - "{{ private }}/files/zabbix/fedora{{ env_suffix }}.psk"
+
 notify: Restart zabbix agent
 tags:
 - zabbix_agent
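Review bot: The new role default `zabbix_tls_psk: abab…` in roles/zabbix/zabbix_agent/defaults/main.yml is a fixed, publicly visible value that is also a usable PSK (hex digits only, and it appears to be the 64-digit length that `openssl rand -hex 32` produces), so a host whose inventory forgets to override it gets a working agent with a guessable key instead of a failed run; the removed `zabbix_tls_psk_file` default only pointed at a file that had to exist. Since tasks/hosts.yml and tasks/main.yml in this same commit push the value straight to the Zabbix API and to /etc/zabbix/fedora.psk, an `ansible.builtin.assert` before those tasks that fails when `zabbix_tls_psk` equals the placeholder would turn a missing override into a visible error. Independently of that, the default should be quoted, `zabbix_tls_psk: "abababab…"` (full placeholder as on the line), so that a YAML parser never has a chance to retype it; the comment above it should also say that the default is a placeholder and must not be deployed.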
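Review bot: `tls_psk: "{{ zabbix_tls_psk }}"` in roles/zabbix/zabbix_agent/tasks/hosts.yml passes the shared secret as an ordinary module argument, and the task has no `no_log: true`, so the key appears in module arguments on a verbose run and in failure output; the previous file lookup had the same exposure, but this commit is the natural place to close it. The same applies to `content: "{{ zabbix_tls_psk }}\n"` in the copy task of roles/zabbix/zabbix_agent/tasks/main.yml, where a `--diff` run additionally prints the file content. Add `no_log: true` next to `changed_when: false` here, and next to `notify: Restart zabbix agent` in main.yml. The block these tasks sit under starts above the hunk.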
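Review bot: The added comment `# value set in group_vars from ansibe-private` in roles/zabbix/zabbix_agent/tasks/main.yml has a typo, and removing `with_fileglob` leaves a bare added blank line between `mode: "0600"` and `notify:`, inside the task, which reads as a leftover rather than a deliberate separator. Suggested comment: `# value comes from inventory group_vars, sourced from the ansible-private repo`, and drop the blank line. The task name on the context line, `Copy zabbix-agend.conf psk config`, also still says "agend", which this change could have fixed while touching the task.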
diff --git a/roles/zabbix/zabbix_server/defaults/main.yml b/roles/zabbix/zabbix_server/defaults/main.yml
index a441dec5d4..eff90aa789 100644
--- a/roles/zabbix/zabbix_server/defaults/main.yml
+++ b/roles/zabbix/zabbix_server/defaults/main.yml
@@ -8,9 +8,6 @@ zabbix_db_name: zabbix # OVERRIDE
 zabbix_db_user: zabbix # OVERRIDE
 zabbix_db_pass: zabbix # OVERRIDE
-# This is to configure matching PSK identity to the agents
-zabbix_tls_psk_identity: "Fedora" # OVERRIDE
-
 zabbix_server_pkgs:
 - zabbix-server-pgsql
 - zabbix-web-pgsql