diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix
index a265bd0..daefd36 100644
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@@ -1,5 +1,41 @@
 {
   age.secrets = {
+    mastodon-database-password = {
+      file = ./mastodon/databasePassword.age;
+      owner = "mastodon";
+      group = "mastodon";
+    };
+
+    mastodon-smtp-password = {
+      file = ./mastodon/smtpPassword.age;
+      owner = "mastodon";
+      group = "mastodon";
+    };
+
+    mastodon-otp-secret = {
+      file = ./mastodon/otpSecret.age;
+      owner = "mastodon";
+      group = "mastodon";
+    };
+
+    mastodon-secret-key-base = {
+      file = ./mastodon/secretKeyBase.age;
+      owner = "mastodon";
+      group = "mastodon";
+    };
+
+    mastodon-vapid-private-key = {
+      file = ./mastodon/vapidPrivateKey.age;
+      owner = "mastodon";
+      group = "mastodon";
+    };
+
+    mastodon-vapid-public-key = {
+      file = ./mastodon/vapidPublicKey.age;
+      owner = "mastodon";
+      group = "mastodon";
+    };
+
     freshrss-user-password = {
       file = ./freshrss/userPassword.age;
       owner = "freshrss";
diff --git a/secret/hosts/sail.nix b/secret/hosts/sail.nix
index 8e80453..2a60eaf 100644
Binary files a/secret/hosts/sail.nix and b/secret/hosts/sail.nix differ
diff --git a/secrets.nix b/secrets.nix
index 765fcc9..19a7585 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -7,6 +7,13 @@ let
 in
 {
   # sail
+  "agenix/hosts/sail/mastodon/databasePassword.age".publicKeys = sail;
+  "agenix/hosts/sail/mastodon/smtpPassword.age".publicKeys = sail;
+  "agenix/hosts/sail/mastodon/otpSecret.age".publicKeys = sail;
+  "agenix/hosts/sail/mastodon/secretKeyBase.age".publicKeys = sail;
+  "agenix/hosts/sail/mastodon/vapidPrivateKey.age".publicKeys = sail;
+  "agenix/hosts/sail/mastodon/vapidPublicKey.age".publicKeys = sail;
+
   "agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail;
   "agenix/hosts/sail/freshrss/databasePassword.age".publicKeys = sail;
 }
diff --git a/system/nixos/mastodon.nix b/system/nixos/mastodon.nix
index 0de165a..eac13d0 100644
--- a/system/nixos/mastodon.nix
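Review bot: The six `.age` files this hunk points at under `./mastodon/` (and which the `secrets.nix` hunk below registers) do not appear anywhere in this diff, so unless they are committed separately the new `age.secrets` entries reference files that do not exist in the repository and the host build will fail at activation. Each entry sets `owner`/`group` but leaves `mode` at the module default; a one-line comment on the first entry such as `# mode left at the agenix default (owner-readable only); all six are consumed by the mastodon units` would make the intended access scope explicit for the next reader. `vapidPublicKey.age` holds a non-secret value, which is harmless but worth a note so nobody later treats its exposure as an incident.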
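Review bot: Every new rule in `secrets.nix` encrypts only to `sail`, whose definition sits in the `let` block above the hunk and outside this view; if that list contains just the host's key, the secrets can only be decrypted, re-encrypted or edited from the host itself and are unrecoverable from the repository alone if that key is ever lost or rotated. It is usually worth including an operator key in the recipient list for these files, or documenting on the `# sail` comment why host-only is intended. The hunk itself is consistent with the existing freshrss rules.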
+++ b/system/nixos/mastodon.nix
@@ -30,10 +30,10 @@ in
     trustedProxy = "127.0.0.1";
-    vapidPublicKeyFile = "/var/lib/mastodon/secrets/vapid-public-key";
-    secretKeyBaseFile = "/var/lib/mastodon/secrets/secret-key-base";
-    otpSecretFile = "/var/lib/mastodon/secrets/otp-secret";
-    vapidPrivateKeyFile = "/var/lib/mastodon/secrets/vapid-private-key";
+    vapidPublicKeyFile = config.age.secrets.mastodon-vapid-public-key.path;
+    secretKeyBaseFile = config.age.secrets.mastodon-secret-key-base.path;
+    otpSecretFile = config.age.secrets.mastodon-otp-secret.path;
+    vapidPrivateKeyFile = config.age.secrets.mastodon-vapid-private-key.path;
     database = {
       createLocally = false;
@@ -41,7 +41,7 @@ in
       port = 5432;
       name = "mastodon";
       inherit (secret.mastodon.database) user;
-      inherit (secret.mastodon.database) passwordFile;
+      passwordFile = config.age.secrets.mastodon-database-password.path;
     };
     redis = {
@@ -62,7 +62,7 @@ in
      port = 587;
       fromAddress = "mastodon@mg.kempkens.io";
       inherit (secret.mastodon.smtp) user;
-      inherit (secret.mastodon.smtp) passwordFile;
+      passwordFile = config.age.secrets.mastodon-smtp-password.path;
     };
     automaticMigrations = true;
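Review bot: The hunk at `@@ -30` repoints `secretKeyBaseFile`, `otpSecretFile` and the two VAPID paths at agenix-managed files, but nothing in the change removes or checks the old plaintext copies under `/var/lib/mastodon/secrets/`, so those remain readable on disk after the switch and should be cleared by a deployment step once the new paths are confirmed working. It also matters that the encrypted values match the old ones: a different `secretKeyBase` or `otpSecret` would very likely invalidate existing sessions and 2FA enrolments, and a new VAPID pair breaks existing push subscriptions, so a comment above `secretKeyBaseFile` such as `# values migrated from /var/lib/mastodon/secrets; rotating any of these invalidates existing sessions, 2FA and push subscriptions` would record that constraint. The hunks at `@@ -41` and `@@ -62` replace `inherit (secret.mastodon.database) passwordFile` and `inherit (secret.mastodon.smtp) passwordFile` the same way, which leaves those `passwordFile` attributes in the binary `secret/hosts/sail.nix` unreferenced and presumably their target files still present too. The enclosing `services.mastodon` attribute set begins before the first hunk and continues after the last.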