diff --git a/hosts/architect/teslamate.nix b/hosts/architect/teslamate.nix
index ac83bec..b054ea7 100644
--- a/hosts/architect/teslamate.nix
+++ b/hosts/architect/teslamate.nix
@@ -8,6 +8,11 @@ let
   allowWAN = false;
 in
 {
+  age.secrets.teslamate = {
+    file = ../../secrets/teslamate.age;
+    owner = "teslamate";
+  };
+
   architect.vhost.${domain} = with config.architect.networks; {
     dnsInterfaces = [ "lan" "tailscale" ];
     locations = {
@@ -43,7 +48,7 @@ in
     port = teslamatePort;
 
     listenAddress = "127.0.0.1";
-    secretsFile = "/secrets/teslamate/teslamate.env";
+    secretsFile = config.age.secrets.teslamate.path;
     virtualHost = domain;
     postgres.enable_server = true;
     grafana = { enable = true; port = grafanaPort; listenAddress = "127.0.0.1"; urlPath = "/grafana"; };
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7f2a253..3b9ecfc 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,5 +4,6 @@ let
   ];
 in
 {
-  "secrets/matrix-synapse.age".publicKeys = pubkeys;
+  "matrix-synapse.age".publicKeys = pubkeys;
+  "teslamate.age".publicKeys = pubkeys;
 }
diff --git a/secrets/teslamate.age b/secrets/teslamate.age
new file mode 100644
index 0000000..7bc5eaa
Binary files /dev/null and b/secrets/teslamate.age differ