diff --git a/hosts/nachtigall/apps/nextcloud.nix b/hosts/nachtigall/apps/nextcloud.nix
index 2689597..1cb6b91 100644
--- a/hosts/nachtigall/apps/nextcloud.nix
+++ b/hosts/nachtigall/apps/nextcloud.nix
@@ -1,12 +1,18 @@
 { config, pkgs, ... }:
 {
+  age.secrets."nextcloud-secrets" = {
+    file = "${flake.self}/secrets/nextcloud-secrets.age";
+    mode = "400";
+    owner = config.services.mastodon.user;
+  };
+
   services.nextcloud = {
     hostName = "cloud.pub.solar";
     home = "/var/lib/nextcloud";
 
     enable = true;
     https = true;
-    secretFile = ""; # secret
+    secretFile = config.age.secrets."nextcloud-secrets".path; # secret
 
     configureRedis = true;
 
diff --git a/secrets/nextcloud-secrets.age b/secrets/nextcloud-secrets.age
new file mode 100644
index 0000000..937ccec
--- /dev/null
+++ b/secrets/nextcloud-secrets.age
@@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg GHVh1GUADEN6UVTUYntCaYfEqH+LX+gvaICkBHJ5OUY
+rfoD++gVdnZ5HSlXbCOy8Pn7if6QM2WRaShpk0dCJ48
+-> ssh-ed25519 uYcDNw kKeYQIaKjVDKMDBkluuxarRfv2wR9W5TKHzbu1DR2hQ
+bfFYcbcQ7De5hwkCng/CIZXWLHgr/cum0+OfRs5ESvI
+-> ssh-rsa kFDS0A
+pAZ0JEVyYZk3U1vFH/STAuHucNECpbhDdnJR7asfMt2bgTs1dvI9ZA5XBpJs3U4a
+PntBwgYebJyHhgeZ0L7q5NYE6eLVThkxnWvm5OP2NjPyTgGUxjp+NA7WNw+Fc/gA
+mz//NLMmKVHuknKBVEaZn+2lBWaIXyTkD3KetqxChDcXSnKswesLa6LdHLfE97jP
+gHX5Y+JVNeGOlHPn0Ds40I/aFGJJ56p3cD3nTsgoQyGpoQGVIVHO6ghRmVjhSkW4
+7ZfPluq9G0u3NbSD3YjnLrAmUzdJsLPmYme2vvu0YKJr40TG6i5m196DSDuvAtM4
+XhiClq7a2KJfmEF+epVdoXo/7GrPs/F9Bb+NV1S7bVJX7Q87gQ3bbFq2LISu8QvD
+HUlx2hJh0fZXpBv6yHIqXutEL1g6XCtpkli15wrHBfEQHOxP6mB/pNeM3gCYwOLX
+ZdVqpR46OzOErNDwXTniwQecuKrRB9ecTjmmRZycEZErgEcASEZgAlfu2Q8EIW30
+65byX4EWskm6qlhLxp6SfRXlVcA9XcwIg6q2E2UIoEukZQ5zJNKcFAYec7/xTXs0
+DrLyGkOO+8C0lmCDY8Escd4cge2hIbIcsnQdkfh3NQT1ZqXEXkef/XB6yMEzvysg
+3Z13W4dcxwc0ylRFwm2VKcBQD9jDwCyeV4iKohFIyJk
+-> ssh-ed25519 YFSOsg X4DtlP1y5JXKyaYXJ/l18S7cOGIDlwk3vhrO0Vk6t3U
+OXzEp3tRncra6pBvDoeiLkF4SlaHZ6E6j+UV0q1WB80
+-> ssh-ed25519 iHV63A AYUNvys+v75VarEdcZ1g9r9bnW76Tfq91gWnyED7kB0
+zloI/t4Dfa4re850ldwdFEjbF1OR/5G8VBAl9n7umEs
+-> ssh-ed25519 BVsyTA glhHHYg1w7qntg8J3y+6zKJHBaC6PZWFQJnmiQR6axw
+WiIDKiuzouGyiyANmEp25T1Dv2IRyRx+lovSpdFP/Dc
+-> wcj`iUv7-grease <d5F W
+dXdOZ0LN94OwYEvaS4paokqfZm7hqw
+--- oEfnrJu0i9DSupMbQS0hKyVuI9mguqQXDcvXjXUIFS0
+‡—ãaãW(?ÍRÏêþ­v¥Ô9S$« :Ê‰{Içñ½ô< ¾|&Øy$Ø¼9UÑC>}ˆSs¶Q!½ê·/ª4ªöY)þV\Q\y_»Ûg+ÅHÚ„Ho‚Nþ@™w§d†à@ ¯‹ª<:NO¼Òí»X±°–„!Ëâ£/Ì¬Y7“Þ_³«Ë‚Ê ³¤¹’¢Ñ¦A}^»q
+«ØƒàïÄúÉ`:/"i²ÀqjÙÃG³½c›[ó„§>Yõäè‚tT­Æ:ƒh$ŽšO¡hù#,¢ÜûR‘£[×¥F–€žŽ3a]©ù€¯{JÑ·×‘þ÷"Æ¢æ¤Þªã
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index cb06356..5b060b5 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -35,4 +35,6 @@ in {
   "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys;
   "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys;
   "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+  "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
 }
