diff --git a/platforms/nixos/modules/nmasur/presets/services/grafana/grafana-secret-key.age b/platforms/nixos/modules/nmasur/presets/services/grafana/grafana-secret-key.age
new file mode 100644
index 0000000..5c44ddd
--- /dev/null
+++ b/platforms/nixos/modules/nmasur/presets/services/grafana/grafana-secret-key.age
@@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBxUDhh
+SkpvdDNNS04yNk0yNGtqRlRXT2V2QVVScUpVd3RrMWUvYnVyRlJFCktoZUw1VnJI
+SnJ4dDBZK1ROUDRhWm1EaExKZUJmM1NrcUZ0elRtZXZFSTQKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RICtHZGEyUm1lelBEWVFIaCsxSmx0S2V3Yk5qREVRaDdtSkp6ckcz
+UDB5aWcKUFNoeU1YQjhaTG1zTEZBZElkUUpUcXVXdzgrUENUajNqRytMMFZVTzNm
+NAotPiBzc2gtZWQyNTUxOSBuanZYNUEgNjNoM0U0ZnE5dzNCenRWZmVkRVdXOGFa
+cmFjSWtFOUVXSUdzTFNlWGhUSQpvNnk3NXdGZkhtaGRJRmd3czFNUHh3OUlTSGpG
+YUJjT1Baa3dRdzF4V2EwCi0+IHNzaC1lZDI1NTE5IENxSU9VQSBXcnNQcnY5MnJ3
+b3hLM01PYXNwa2tPTFVRMC96QmZZTkdDNktWZFRHOVE4Ck1PZUlLcXN6Rnh3UnlS
+dVkwODJ2QjBXWUZOUTdBU01DYjFSemJxY1haVVUKLT4gc3NoLWVkMjU1MTkgejFP
+Y1p3IEQwZTA3WFkwMWJjbXhMRDlFaEJjMVhuZFpTVTFsaktqWHFXN0J1ajJHMmMK
+bXRTdTI2N1o4ZXhYcG9kWCtMNjJCMG0zeUpqMS95SC9VdTRNdUY3ZFVVSQotLS0g
+OXJFMUkvOXkvdStrU1dBSEhhNnE0NU56SHE0UkUvbXhwcWRCdkdxdXN3SQpXUnGQ
+XJT+KXvM80eW2z/je+0kq9Yh+DkgcWtUpq2k2WyzIue9AifKco9CQ4AsBtKKoxO9
+SxjY/7b0HRwoXS578gwTxJD0j9sBRsz4s64IeiepKn01KcMTgo1TxYzB7JgM
+-----END AGE ENCRYPTED FILE-----
diff --git a/platforms/nixos/modules/nmasur/presets/services/grafana/grafana.nix b/platforms/nixos/modules/nmasur/presets/services/grafana/grafana.nix
index 63d9740..e66d10d 100644
--- a/platforms/nixos/modules/nmasur/presets/services/grafana/grafana.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/grafana/grafana.nix
@@ -28,9 +28,22 @@ in before = [ "grafana.service" ]; }; + secrets.grafana-secret-key = { + source = ./grafana-secret-key.age; + dest = "${config.secretsDirectory}/grafana-secret-key"; + owner = "grafana"; + group = "grafana"; + permissions = "0440"; + }; + systemd.services.grafana-secret-key = { + requiredBy = [ "grafana.service" ]; + before = [ "grafana.service" ]; + }; + services.grafana = { enable = true; settings = { + security.secret_key = "$__file{${config.secrets.grafana-secret-key.dest}}"; server = { domain = hostnames.metrics; http_addr = "127.0.0.1";
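Review bot: The added `security.secret_key` line changes the key Grafana uses to encrypt secrets stored in its database (data source passwords and similar), and nothing in the hunk records that consequence. If this instance already ran with a different key, those stored values will presumably stop decrypting until they are re-saved. A comment above the setting would cover it, e.g. `# Changing this key invalidates secrets already encrypted in Grafana's database; re-save data source credentials after rotating it.` Separately, `permissions = "0440"` grants group read although owner and group are both `grafana`; `permissions = "0400";` is sufficient if no other member of that group needs the file. The enclosing module body starts and ends outside the hunk.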