diff --git a/modules/nixos/navidrome.nix b/modules/nixos/navidrome.nix index add8538..1dd9f2c 100644 --- a/modules/nixos/navidrome.nix +++ b/modules/nixos/navidrome.nix @@ -1,3 +1,4 @@ +{ inputs, ... }: { containers.music = { autoStart = true; @@ -8,24 +9,38 @@ }; }; - config = { - services = { - navidrome = { - enable = true; - settings = { - MusicFolder = "/Music"; - port = 4533; + config = + { config, ... }: + { + imports = [ inputs.agenix.nixosModules.default ]; + + age = { + identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets."tailscale" = { + file = ../secrets/tailscale.age; + mode = "400"; + owner = "tailscale"; }; }; - tailscale = { - enable = true; - useRoutingFeatures = "server"; - interfaceName = "userspace-networking"; - }; - }; + services = { + navidrome = { + enable = true; + settings = { + MusicFolder = "/Music"; + port = 4533; + }; + }; - system.stateVersion = "24.05"; - }; + tailscale = { + enable = true; + useRoutingFeatures = "server"; + interfaceName = "userspace-networking"; + authKeyFile = config.age.secrets.tailscale.path; + }; + }; + + system.stateVersion = "24.05"; + }; }; } diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index b6beef9..c78a80c 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -9,4 +9,5 @@ in { "nextcloud.age".publicKeys = all; "forgejo-runner-token.age".publicKeys = all; + "tailscale.age".publicKeys = all; } diff --git a/modules/secrets/tailscale.age b/modules/secrets/tailscale.age new file mode 100644 index 0000000..ec8e0e9 Binary files /dev/null and b/modules/secrets/tailscale.age differ
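Review bot: The `identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` line sits inside the container's own `config`, so agenix will look for that key in the container's filesystem rather than the host's. Nothing visible in this hunk enables sshd in the container or binds a key into it, so decryption would presumably fail at activation unless the container lines outside the hunk take care of that. If a key is bind-mounted, a dedicated container identity is preferable to the host's SSH host key, so that a compromised container does not hold the identity every host secret is encrypted to. Separately, `owner = "tailscale";` names a user that, as far as I know, the NixOS tailscale module does not create (tailscaled and its autoconnect unit run as root). Dropping that line keeps the default root owner, and with `mode = "400";` the auth key stays readable only by the process that needs it.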
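Review bot: `"tailscale.age".publicKeys = all;` encrypts the Tailscale auth key to every recipient in `all`, although the only consumer visible in this commit is the `music` container in navidrome.nix. `all` is defined outside this hunk, so its membership cannot be checked here, but if it includes other hosts, each of them can decrypt a key that enrols devices in the tailnet. Consider a narrower list such as `"tailscale.age".publicKeys = [ <music-container-key> ] ++ <admin-keys>;` (placeholders), and confirm that the public half of the key named in the container's `identityPaths` is among the recipients. Because the ciphertext is committed to the repository, a tagged, non-reusable or short-lived auth key limits what a leaked recipient key can do.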