diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 00000000..ea056782
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+ - &servius age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *servius
diff --git a/nixos/mirai/configuration.nix b/nixos/mirai/configuration.nix
index bc8d3f35..43f2525b 100644
--- a/nixos/mirai/configuration.nix
+++ b/nixos/mirai/configuration.nix
@@ -11,6 +11,13 @@
 ];
 security.sudo.wheelNeedsPassword = false;
 
+ sops.defaultSopsFile = ../../secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+ sops.age.keyFile = "/home/fs0c131y/.config/sops/age/keys.txt";
+ sops.secrets."nextcloud/adminpass" = {
+ owner = config.users.users.nextcloud.name;
+ };
+
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
diff --git a/nixos/mirai/services.nix b/nixos/mirai/services.nix
index 03317534..b0eed254 100644
--- a/nixos/mirai/services.nix
+++ b/nixos/mirai/services.nix
@@ -17,7 +17,17 @@
 enable = true;
 package = pkgs.nextcloud30;
 hostName = "cloud.darksailor.dev";
+ config.adminuser = "servius";
+ config.adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+ configureRedis = true;
 };
+ services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [
+ {
+ addr = "127.0.0.1";
+ port = 8080; # NOT an exposed port
+ }
+ ];
+
 services.caddy = {
 enable = true;
 virtualHosts."music.darksailor.dev".extraConfig = ''
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 00000000..db1a8898
--- /dev/null
+++ b/secrets/secrets.yaml
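Review bot: `sops.age.keyFile` points into an interactive user's home directory (`/home/fs0c131y/.config/sops/age/keys.txt`), so the age private key that unlocks every secret on this host is protected only by that account's permissions, and it must already be readable when sops-nix decrypts during system activation — if `/home` is a separate or late-mounted filesystem, activation would fail to find it. A root-owned location outside any home (for example under `/var/lib/`), or deriving the key from the host SSH key with `sops.age.sshKeyPaths`, keeps the decryption key out of reach of a compromised user session. Setting `owner` to the nextcloud user on the `nextcloud/adminpass` secret is the right restriction; sops-nix's default mode should leave it readable only by that owner, but a short comment stating the intent, `# readable by the nextcloud service user only`, would document that. The enclosing attribute set starts before this hunk.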
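Review bot: `config.adminpassFile` is read only when Nextcloud performs its initial installation, so later edits to the `nextcloud/adminpass` secret will not rotate the admin password; a comment on that line would prevent a false sense of rotation, e.g. `# consumed once at initial install; changing the secret later does not change the admin password`. Binding the nginx listener to `127.0.0.1:8080` is correct for a Caddy-fronted deployment, but it also means Nextcloud will see every client as 127.0.0.1 unless the proxy address is listed in Nextcloud's `trusted_proxies` (under `services.nextcloud.settings`) and Caddy forwards `X-Forwarded-For`; Nextcloud's brute-force protection and access logs key on the client address, so without this every user shares one throttling bucket. Whether the Caddy vhost for `cloud.darksailor.dev` sets those headers cannot be confirmed from this hunk, whose `services.caddy` block continues past its last line.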
@@ -0,0 +1,22 @@
+nextcloud:
+ adminpass: ENC[AES256_GCM,data:v9WXJ3Ig5NcWd+02P8VnaNkMy2yfEQ==,iv:LfS0avmRZfjdqjNE69h7L90ePzzdmtP57X+0U1vAMvs=,tag:Dq90tfGAUyqzTW3oM96IRg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaQi9GRXpvUmVtdXJ3aitF
+ M2tLc1ZwS21yRlZnMlN4cjNuRWZWK2dWWFNBCmRVdGk3US91VUlQL0t0TEFPNU03
+ RVYwYUd3bkw3WmcxMHFUSWxqME0vMmMKLS0tIGFINWlBZDV3cWhEN2JOTXZweWZI
+ VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
+ ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-20T14:43:08Z"
+ mac: ENC[AES256_GCM,data:j7sIw6/cKbNSRXSjAxZsDvIe5ZPnZ5YioGno33E0WWNYPohj9YtEwzi8ik59aynzSIQf3Usj76c2QMqwgjAFuaVIK5E3ASPGF2Tq4CAczNPPu3q1Kl1ZfEOGNd2nb0t3Zi0EKNE68BRCTAHJw5+UzDEDhPct1QrVlq8MfZSO494=,iv:bLNaaxnZlx8Ffvf9ohcMPDhe1jqGofL91DX1dwUHi2c=,tag:gb0aDWJFC3LX9HkaLoUgZg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1