diff --git a/configuration.nix b/configuration.nix index ff19c31..6e9ea91 100644 --- a/configuration.nix +++ b/configuration.nix @@ -4,11 +4,16 @@ { config, lib, pkgs, ... }: +let + my = config.my; +in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + # Include my secrets + ./secrets # Include my services ./services ]; @@ -57,9 +62,9 @@ users.mutableUsers = false; # I want it to be declarative. # Define user accounts and passwords. - users.users.root.hashedPassword = lib.fileContents ./secrets/users/root/password.txt; + users.users.root.hashedPassword = my.secrets.users.root.hashedPassword; users.users.ambroisie = { - hashedPassword = lib.fileContents ./secrets/users/ambroisie/password.txt; + hashedPassword = my.secrets.users.ambroisie.hashedPassword; description = "Bruno BELANYI"; isNormalUser = true; extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. @@ -96,12 +101,12 @@ # Matrix backend and Element chat front-end matrix = { enable = true; - secret = lib.fileContents ./secrets/matrix/secret.txt; + secret = my.secrets.matrix.secret; }; # Nextcloud self-hosted cloud nextcloud = { enable = true; - password = lib.fileContents ./secrets/nextcloud/password.txt; + password = my.secrets.nextcloud.password; }; # The whole *arr software suite pirate.enable = true; @@ -117,7 +122,7 @@ transmission = { enable = true; username = "Ambroisie"; - password = lib.fileContents ./secrets/transmission/password.txt; + password = my.secrets.transmission.password; }; }; diff --git a/secrets/canary b/secrets/canary new file mode 100644 index 0000000..e910ea3 Binary files /dev/null and b/secrets/canary differ diff --git a/secrets/default.nix b/secrets/default.nix new file mode 100644 index 0000000..7104fc0 Binary files /dev/null and b/secrets/default.nix differ diff --git a/services/nginx.nix b/services/nginx.nix index 48ca7ec..ab90760 100644 --- a/services/nginx.nix +++ b/services/nginx.nix 
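Review bot: Reading the hashes through `my.secrets.users.*.hashedPassword` still embeds them in the system closure — NixOS renders `users.users.<name>.hashedPassword` into a world-readable file in `/nix/store` — and the same likely holds for the plaintext `matrix.secret`, `nextcloud.password` and `transmission.password` strings if the `my.services.*` modules interpolate them into generated config files (those modules are outside this diff, so I cannot confirm). Switching from `lib.fileContents` to a Nix attribute set changes where the values are read, not where they end up. For the accounts, prefer the file-based option with the file delivered outside the store, e.g. `users.users.root.hashedPasswordFile = "/run/secrets/root-password";` (the option is named `passwordFile` on releases before 23.11), and give the service modules the same path-based treatment. The binary `secrets/default.nix` and `secrets/canary` look like a git-crypt style encrypted blob, which protects the repository but not the evaluated system; the `# Include my secrets` comment should say so, e.g. `# Include my secrets (encrypted in the repo; values still land in /nix/store once evaluated)`.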
@@ -1,7 +1,7 @@ # Configuration shamelessly stolen from [1] # # [1]: https://github.com/delroth/infra.delroth.net/blob/master/common/nginx.nix -{ config, lib, ... }: +{ config, pkgs, lib, ... }: { # Whenever something defines an nginx vhost, ensure that nginx defaults are @@ -29,12 +29,14 @@ certs = let domain = config.networking.domain; + key = config.my.secrets.acme.key; in + with pkgs; { "${domain}" = { extraDomainNames = [ "*.${domain}" ]; dnsProvider = "gandiv5"; - credentialsFile = ../secrets/acme/key.env; + credentialsFile = writeText "key.env" key; # Unsecure, I don't care. }; }; };
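Review bot: `credentialsFile = writeText "key.env" key;` writes the Gandi DNS API key into `/nix/store`, where it is readable by every local user and travels with the system closure (`nix copy`, binary-cache pushes, `nixos-rebuild --target-host`), and the trailing `# Unsecure, I don't care.` only records that this is known, not what the exposure is. The option takes a path, so the key can stay out of the store by pointing at a file provisioned out-of-band, e.g. `credentialsFile = "/var/lib/acme/gandi.env"; # mode 0600, root-owned, deployed outside the Nix store` (or a secrets tool such as agenix/sops-nix that delivers to `/run/secrets`), which also makes the `with pkgs;` and the `key` binding unnecessary. If the trade-off is intentional, replace the comment with one that states it: `# NOTE: writeText stores the API key world-readable in /nix/store.` The `with pkgs;` scope import is also a style point — `pkgs.writeText` is clearer than pulling the whole package set into scope for one call.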