diff --git a/modules/services/matrix.mod.nix b/modules/services/matrix.mod.nix
index 1836900..94cd961 100644
--- a/modules/services/matrix.mod.nix
+++ b/modules/services/matrix.mod.nix
@@ -11,6 +11,8 @@ let
 
   cfg = config.modules.system.services.matrix;
 
+  registrationToken = config.sops.secrets.tuwunel_token_file.path;
+
   port = 4926;
   domain = "matrix.faukah.com";
 in
@@ -43,6 +45,7 @@ in
             allow_registration = true;
             allow_federation = true;
             allow_encryption = true;
+            registration_token_file = registrationToken;
           };
         };
       };
diff --git a/modules/system/secrets/server_secrets.json b/modules/system/secrets/server_secrets.json
new file mode 100644
index 0000000..b37f778
--- /dev/null
+++ b/modules/system/secrets/server_secrets.json
@@ -0,0 +1,23 @@
+{
+	"tuwunel_token_file": "ENC[AES256_GCM,data:U4zCJdLb2k9Lz4blu0PJnEThODSMr4q8CfxJfV3MnRHzTMBTnUrsoIGe9OLdXKUClbwh,iv:RLJNK2onDbjndnV1dxZP4kDi/4uG+vpJXJEwFfXgX0k=,tag:LnYm++1RRyA6pOgwt3uKnQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2QjdYTzlYemlkSXBTaS9S\nVk1OTVRsdlVIZ0pHTnFJZVFXQ1dvVExzajFJCnZ4L2hGWUg0UGhpdEZOeFpxV0U1\nM0o3NTEwU1lOb2RreDM0ajFvSGl1eG8KLS0tIHA4MFp2QW0rYW9YZ2N6KzNkL0Ur\ndHdpNllLb1JQbVU1TzhBUVlUMkVHUFkKWqWa7kW3yt1L9cwX+VUZE/bW11DgqSpP\nfxy8mO8OKaRyASFA0MNDHgIxdtjk0UMSW81yjU40nDZiZUGLsyxqsg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlakU2aXArRmNPVjdqeWEv\nRHovZGJZeUMzaU51djRZK0JIZGxuek85ZUNjCkJrUHBKcXo4c3M2dnFYN1JuczVt\nN2FGdk1XMWJqemZHK1VTRGxKeU9WeTAKLS0tIFUzdGRHL0I2QTUxb3NEU1g1OTds\nUU8vcGRlWFMwMFV0MnVmNzFzTDJVUjAKEm1yzQ3tpGdegwZpouwnB6t35TVomTFV\nAgmGbrHt00uOseeqSUJXwVmw5XfzEa31wJyEskMS8h6j5i4IoYNCgQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbHhEWDZrYnZTZE5obHpR\nMFJhbTlmYnZSOHFIRWgwRTNtM1pLc0pqK0dvClVHcmxZTEs0NWxTSFYyQmpORDRk\nK2hLTFFjcmhxRXBaVzBKQ3NNYVBOUzgKLS0tIEFhcm9iVy9sMWFzNnJkUUhYaENG\nYW11T2F0VDZNZkZlbm05WjRmYy8rQ1UKbVTEiAj+q0vReW0Ry/oV4F1WNKkFNxxi\nYNrbilQaOrFUWfRLhzzbkz57qUUIJRorlY6iW8IJQHeTRYdl13woQQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-05T14:59:59Z",
+		"mac": "ENC[AES256_GCM,data:rJpbVc3WQSW9KzxX6fPZoKXf0Gg/nyS5UPRL505tBkzXWvL29K/Q+of5+139Y2vcvLPbWCF8FoOd+BQ0dAh7R3QCUuObjkt6eBqNZN1gxqG1me0NttZxmu3K4doI1uHrN8wSL4frgpMSFS2pAtxivd8Uqs/a32HieQcf1eshqEw=,iv:5vzhK2CucHXrTeux52+8tjaLbL2fvsB1StLHRLDpYuk=,tag:XFSVY6GbCwxxqljYAM8l8Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}