diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 1b98981..9c40c7b 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -9,5 +9,10 @@
     ./networking.nix
     ./wireguard.nix
     ./backups.nix
-  ];
+   "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
+    ];
+
+    disabledModules = [
+      "services/web-apps/mastodon.nix"
+    ];
 }
diff --git a/modules/mastodon/default.nix b/modules/mastodon/default.nix
index 47d93f4..01acf7a 100644
--- a/modules/mastodon/default.nix
+++ b/modules/mastodon/default.nix
@@ -7,6 +7,21 @@
 }:
 
 {
+  age.secrets."mastodon-active-record-encryption-deterministic-key" = {
+    file = "${flake.self}/secrets//mastodon-active-record-encryption-deterministic-key.age";
+    mode = "400";
+    owner = config.services.mastodon.user;
+  };
+  age.secrets."mastodon-active-record-encryption-key-derivation-salt" = {
+    file = "${flake.self}/secrets//mastodon-active-record-encryption-key-derivation-salt.age";
+    mode = "400";
+    owner = config.services.mastodon.user;
+  };
+  age.secrets."mastodon-active-record-encryption-primary-key" = {
+    file = "${flake.self}/secrets//mastodon-active-record-encryption-primary-key.age";
+    mode = "400";
+    owner = config.services.mastodon.user;
+  };
   age.secrets."mastodon-secret-key-base" = {
     file = "${flake.self}/secrets/mastodon-secret-key-base.age";
     mode = "400";
@@ -54,6 +69,9 @@
     webProcesses = 2;
     # Threads per process used by the mastodon-web service
     webThreads = 5;
+    activeRecordEncryptionDeterministicKeyFile = "/run/agenix/mastodon-active-record-encryption-deterministic-key";
+    activeRecordEncryptionKeyDerivationSaltFile = "/run/agenix/mastodon-active-record-encryption-key-derivation-salt";
+    activeRecordEncryptionPrimaryKeyFile = "/run/agenix/mastodon-active-record-encryption-primary-key";
     secretKeyBaseFile = "/run/agenix/mastodon-secret-key-base";
     otpSecretFile = "/run/agenix/mastodon-otp-secret";
     vapidPrivateKeyFile = "/run/agenix/mastodon-vapid-private-key";
diff --git a/overlays/default.nix b/overlays/default.nix
index af9faa9..50ede5d 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -16,6 +16,7 @@
                 element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
                   inherit (inputs) element-stickers maunium-stickerpicker;
                 };
+                mastodon = unstable.mastodon;
               }
             )
           ];
diff --git a/secrets/mastodon-active-record-encryption-deterministic-key.age b/secrets/mastodon-active-record-encryption-deterministic-key.age
new file mode 100644
index 0000000..3fa0863
--- /dev/null
+++ b/secrets/mastodon-active-record-encryption-deterministic-key.age
@@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg 1hTwlkE1sBAeCz0gf7XU6o0iMX9NXcqs4dFKrmerV1Y
+QTRSr5Ab6redaWHmSkGv3QBDOTCoN+0bqZnWTkUXw+k
+-> ssh-ed25519 uYcDNw FJ3Jxz2Y1uz7cZwYw+IfO3MQjoXkO4OU+CIeMDa9Mk0
+MgTZesZpxk788OBPM1forUuxIYFKkpsnp7NsEzmx9M4
+-> ssh-rsa f5THog
+JH7iLrQWeElqdYWVwQJIVh7KjBx2TmfqUekwkI0FA9ikqaWM9byewNkT+juu7egY
+eZol4fyx9WLVVNI0P+Gc64mi1K3DzW6IzJT5PN24TSOeVggj0buKRLBPZeSroCL8
+mfIRPJF5esA0j2ohGOzZLA1cpeHCkAVU6tGq5iXI7w883AOhZDZHtEJWJHE+QMZG
+9ZaSnGPLeAiC9xFjxxUQRuxUAE7nOjqoflcEPcm1/OkZoauqsJGzvNl2L+b1D1Oz
+wgSTTSVxsNH6MDKmuxZgjPLUpU9rbi1/ylfI+caW8SJ1ygu2yYhTh+KyXiDjtj03
++ZZYBjOw9bR12qiQx1it0OaxJU8YPGAlBIN+PZQIQrV7j1KwGUfsYXFmHGdRehK9
+7bVcDMeIEPYorQWiOL59zolwQ1u0Y5oFPJBiXxDwpVKEwen/VzYCtJwCDb4eIfsS
+AWLARmnRR2KIOJn6SgcoqBl8OfPntPjWr3KjvfXXrH1wo56Ba/5c4her1S/wQNh1
+MuMLE61WgCcR5Pn14gtuzMh4cqt2UN4kHLQi2KluRSa9v02WhWOCyf8AJFInANo5
+tdvM0asCAAE0vTPqk1/gwrsIAdATjC50lCyJsmUZQs6iMuL1voihWfZ154CtRS48
+ji8wKDlOuIalbzq9/kQUa6vM1kaHqq8LoLtw5wHFLJQ
+-> ssh-rsa kFDS0A
+QkIAoXUvfop74tdybgxTC6l4RSJD+QcSnCMadA4fQhfgvxftXXAMERPVmWS8L8Rr
+fnkb7WOsLKe5uFwDBAi/stjNugtjxPE6j4Hbv0LxyMh2KzsczRKQjdcEN4IVjHMi
+EZoePsshDJ1ND/SBhfSqQ/Y3N7g9sEU3K3oTE70hGX+0MOxQYz/vhw5VfjwwfihL
+n4Btjn/kmUALlWtox599tvNfy+Tjq583UdZNQMHakI4bust1FOatIdJEz4qHVb7C
+XJ0QnqlJPqY/V8KF5IOh5at37U2raAp/54RDAAziXjLnbeiCIFGFpPNNH4c1XMRe
+MNcDJQo9VxfDreVAWUEjaQSv0xK3bv64A/RelDCvgQA9+4MBDZO9i9PRkC/dUf1C
+0UzNT0pQPR/8TmAo2S/XcPYGaQif6g+OL0dvNivKNjhpx5AUxR+nImuIRL5c4H/P
+x37O6iZbg38B2g6l4oS9kOEALr3zithv7k/J9tC/5kOtXDcnDo5nuLDV1+maASnk
+a1mKGF+NnJNj9HfN9Tf5v1HYSgOHjH1RXZWaSUqQEaaIJ7jKg/hZroXUDGEZxU0E
+0u9rzeoQNXNLvTJtZjO79EWLlp8C+CryfVgJLBELe6yY4FcLR6TbB9t1bWT3VOnf
+s62sU5fpsgQgQ1Wv4JyEPt1Vy93JNPQGrbnI0euFQhc
+-> piv-p256 vRzPNw AmLneGaB8PWxhNVQakxubRiTfQI8ztGWXsZv+eirFURz
+N5bR+P/vKP0hgnejhIBEMG3c3fbnpTeZOsL4FTQdIiA
+-> piv-p256 zqq/iw AzQcsc5Tdm4R+yYGO0TDiDyEkXlsdqhZm5hp4mAj1CPG
+Nxc2z1uW63Cl3N4cQ2T3g1/fju/bVHc2BwA8VGtL/Z0
+-> ssh-ed25519 YFSOsg iKhgZjb+wldSbt6GK6RXHVOmmHIy/q1kvwR/sirvQ3w
+0IIhK9FhVl6CsdDS6e1oqlha2DfeUZ/Bs9MNooPFTpY
+-> ssh-ed25519 iHV63A u5F2ywZTiWhB19r3ey9JTzho7za06Cq8UISh4G1ApGQ
+NpuI82VTuaZdqGKyftNIrYhr5KAkh56sf84J9aw51+s
+-> ssh-ed25519 BVsyTA kDelsR5/FRuItCOMX6m6H7vyLlZRYyMrb32Eve3lMEY
+sNGS7R6zqSLT7xNJAJWmzWfWL0uj5QnJ+Gbh49YfpKQ
+-> ssh-ed25519 +3V2lQ idYZrubfci3W4Yn+3pEblXOQCf1UoyA7cxKnFmfh3Bc
+OMI1yg67nxUBH1xj9NikqFVeCTqAWa+69DYvB4T4uiQ
+--- 7HlnH19UqRCTjysYSSUJGrdsK4ZduF8+k4nSK/3JDq8
+}sˆðDéµYá–ÀMÔŽzS’Å~ºùÂ…«.Qc¯¶d("û)#š¾þý*HdºÓ…Œ%/s¬g—hé]½m}
\ No newline at end of file
diff --git a/secrets/mastodon-active-record-encryption-key-derivation-salt.age b/secrets/mastodon-active-record-encryption-key-derivation-salt.age
new file mode 100644
index 0000000..01bb53a
--- /dev/null
+++ b/secrets/mastodon-active-record-encryption-key-derivation-salt.age
@@ -0,0 +1,44 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg dNFZ+e+a0AjH6Gs5POmZVl9bSXREvkqx1lSdmOq5IRI
+ZPEuKmVDwWgPL0qfDsMtslNJ7RG55MPTQjlBL2iEJdk
+-> ssh-ed25519 uYcDNw qDCVM6EndKJxZUXOUg0d4ElU9vlMGS9mJxELjezs8H0
+clZ8JJ24IPAd74jKyOcUvKeeanxm/Cy4b3B5mrvg9ds
+-> ssh-rsa f5THog
+rjdgXMdt8KqI1qJA0hWkF3SyjsaDz0f7AwUzcTY7hk5ULa98mCRe26tmWbTiil5D
+gchbehmLRy1JTzahUw+1xLH/iZzo3RqXCvzjrBoPCM/iucHJZPHpLNoOTtL//zXR
+0lZusQaUZ/lQrjCwyMwACJ9DKv4QiCIUfgYBzZGq6oLMYiWpEHfZQ7tWiROAO4/T
+cCCvLtM2LQ5Q5vZ5cCdBQLxrAZz+OnPgXQRAoLqH5WLMIqleUhkoVh8JoIzww+UG
+c2OKazF2dL4djnujrTQfS1uWirfmkpNW+TKrKKq6q0+cLOMjc/eLjOfBvgD+yZuO
+TxnkRRbOGNuc8hA+9FL3A/yfYk/TH78eQ27aiiV6yaX3qK9KcPp1/vUe+m4XguXE
+8LRemmCVazYuYKXzh4jr+ecppVokKep3tzb/eKSjw55xx/PIcG3AV4UjuN3Vvtdx
+BkP4/S/jn7tEBlNc1DmkrgmuUF5iwPR0CTMG1I6gxUkjyxWyPKntq6wegPT4QMRE
+eePq6SjKOOH06u4W1z4HM1ipMOK1VJrozQabnmZnhbE2+Gfy76N+Fe0sjG2iK/pg
+J8v/KT6BrhR0PYvGJirnZD0MvIlSZA+xI/FpKav/Y2195Bb+LEJY+nJoxepdj8ev
+d7N+J6g5Yt6SN9BJS0QTmtatFlTnfsU8nAYCEVB1Uxc
+-> ssh-rsa kFDS0A
+PnAXBG7IsVdWs3TEthQFSDglnQdZlmBzhYWq5er7Q32i06BGw0OJp5c7VNi6zLFd
+EOSYtdZ8SaK/CL7m3LROmv8NraVst2ml7zKeYPZ5/xHLVBb57SWkFYZIalMpZDr3
+IVRxHifZVS6hgdCa5MWUotOsdzbStUSSh6G7TCrP/LnCeh/abOXLkvqLj9NrHeAH
+UOb+Sxay3y5jUc3OBPGWw0LzGFa8S0vKhqGYIIMUcFBoenQ68/WYMMt9Lc5nD9yA
+fiH0ytkhZVkPd1+0MQ99dpCgUOcK7SOG/jUDIOhVJ8OQMoqovaML0Kmz6+Csj8l3
+l+iMd19D8CCK16dLGDi3LdvDaanIHq7H8vOW5ihWgV313aLYWdYJDIKhyn90XO0b
+SjF7dFuPxsIb+8r8/hk8xPdGu1cB3ryfEUaccQF1f0q3jBaM1RZ5Jfu/0fVHDnOj
+9c1lMC2MvwBOFFrNo9GzKjq6ezLBb58i8fV5+LZTVOgMa25BusCpnHW+KerjpGb1
+/2RK8WoXoviGAAaPuIp0ttD21oj7Ba7ZjalzO328cTlK/J6wp6qxoJOC9FuXBZCf
+M91kGWavS8Y941kRZJBD14VhLQeIjzRphnR64r03kv8HyIDSAmNc2sDOoqji1G4Q
+Fxs1oKVnSxmnGWazjmxtOtbDMhJjJlLyVEJOxgHXmz0
+-> piv-p256 vRzPNw A8qqho2hbHfodtF8D4JFu039UlMDhXhIy1lzqOBkIpIB
+CY5cHkLTHhhNIq1s6iFVGyKyIMemO/my/GmnWS2we08
+-> piv-p256 zqq/iw A23triY0bM1tpn20GXCvGCcWny9dkQDY6tP7du/HmJty
+vXVsqP2j6Kf0mwb29jSY/qn1FFnmQLWVEcL002MT6U0
+-> ssh-ed25519 YFSOsg KZ5TnAoRXHKCIEg1eoMO28saKhKmG08lCoCKNnWaOTM
+FOOqg8s2cVDPAiIVmYI2UkmpXWimQE4Sy+gCwH7oYEw
+-> ssh-ed25519 iHV63A mlcNQxplVIGOPIte0u+vibNIQtV1FCzC5IUmz7183SY
+5IlGvhYYU510PkdyzdNGgFfS9f2rkU1dMJ2Spt3RGls
+-> ssh-ed25519 BVsyTA s5BCUQJfI9Oo8XclNEp9ZJxklF/OwVECb7vFReVQ+SA
+0U2S5Y2den/c/5wNt3RI69AaURAZoEIxjoL1cBtomxM
+-> ssh-ed25519 +3V2lQ ot8xMJdVEzGv0W17UMaOvDp5ltMV1t8zrXhkpRjwrEo
+M8ky+nhQo/rgBZ2gzD1rf++MIJXzrkh9RmGOvL4cqV8
+--- 5RnhwI3yXutsCzaH+lUK221P8Drag4a4LWW0vMJKyis
+P£v ^V÷ä]zù;>Ev»-äŠ½Uª¨}üpb€ð2žÆ3W?Ôo¬!m»ç¶×
+ËNÌ	7™—"•Ÿ'•â}qk
\ No newline at end of file
diff --git a/secrets/mastodon-active-record-encryption-primary-key.age b/secrets/mastodon-active-record-encryption-primary-key.age
new file mode 100644
index 0000000..dc28734
Binary files /dev/null and b/secrets/mastodon-active-record-encryption-primary-key.age differ
diff --git a/secrets/mastodon-extra-env-secrets.age b/secrets/mastodon-extra-env-secrets.age
index dba14bb..14ad427 100644
Binary files a/secrets/mastodon-extra-env-secrets.age and b/secrets/mastodon-extra-env-secrets.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index da61f63..1bf6251 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -43,6 +43,9 @@ in
   "delite-wg-private-key.age".publicKeys = deliteKeys ++ adminKeys;
   "blue-shell-wg-private-key.age".publicKeys = blueshellKeys ++ adminKeys;
 
+  "mastodon-active-record-encryption-deterministic-key.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "mastodon-active-record-encryption-key-derivation-salt.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "mastodon-active-record-encryption-primary-key.age".publicKeys = nachtigallKeys ++ adminKeys;
   "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;
   "mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
   "mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;