diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix
index daefd36..9cdca1a 100644
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@@ -36,6 +36,12 @@
       group = "mastodon";
     };
 
+    mastodon-extra-config = {
+      file = ./mastodon/extraConfig.age;
+      owner = "mastodon";
+      group = "mastodon";
+    };
+
     freshrss-user-password = {
       file = ./freshrss/userPassword.age;
       owner = "freshrss";
diff --git a/agenix/hosts/sail/mastodon/extraConfig.age b/agenix/hosts/sail/mastodon/extraConfig.age
new file mode 100644
index 0000000..ae202a9
Binary files /dev/null and b/agenix/hosts/sail/mastodon/extraConfig.age differ
diff --git a/secret/hosts/sail.nix b/secret/hosts/sail.nix
index 2a60eaf..5e77745 100644
Binary files a/secret/hosts/sail.nix and b/secret/hosts/sail.nix differ
diff --git a/secrets.nix b/secrets.nix
index 19a7585..339484b 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -13,6 +13,7 @@ in
   "agenix/hosts/sail/mastodon/secretKeyBase.age".publicKeys = sail;
   "agenix/hosts/sail/mastodon/vapidPrivateKey.age".publicKeys = sail;
   "agenix/hosts/sail/mastodon/vapidPublicKey.age".publicKeys = sail;
+  "agenix/hosts/sail/mastodon/extraConfig.age".publicKeys = sail;
 
   "agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail;
   "agenix/hosts/sail/freshrss/databasePassword.age".publicKeys = sail;
diff --git a/system/nixos/mastodon.nix b/system/nixos/mastodon.nix
index eac13d0..eca011e 100644
--- a/system/nixos/mastodon.nix
+++ b/system/nixos/mastodon.nix
@@ -75,23 +75,9 @@ in
 
     extraConfig = {
       WEB_DOMAIN = web-domain;
-
-      ES_USER = secret.mastodon.elasticsearch.user;
-      ES_PASS = secret.mastodon.elasticsearch.password;
-
-      S3_ENABLED = "true";
-      S3_BUCKET = secret.mastodon.s3.bucket;
-      AWS_ACCESS_KEY_ID = secret.mastodon.s3.accessKeyId;
-      AWS_SECRET_ACCESS_KEY = secret.mastodon.s3.secretAccessKey;
-      S3_PROTOCOL = "https";
-      S3_REGION = secret.mastodon.s3.region;
-      S3_ENDPOINT = secret.mastodon.s3.endpoint;
-      S3_ALIAS_HOST = "mastodon-cdn.kempkens.io";
-      S3_HOSTNAME = "mastodon-cdn.kempkens.io";
-
-      DEEPL_PLAN = "free";
-      DEEPL_API_KEY = secret.mastodon.deepl.apiKey;
     };
+
+    extraEnvFiles = [ config.age.secrets.mastodon-extra-config.path ];
   };
 
   services.nginx = {