diff --git a/hosts/nixos/porthos/secrets/monitoring/secret-key.age b/hosts/nixos/porthos/secrets/monitoring/secret-key.age
new file mode 100644
index 0000000..4cef94f
Binary files /dev/null and b/hosts/nixos/porthos/secrets/monitoring/secret-key.age differ
diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix
index 821cc25..498aebf 100644
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@@ -42,6 +42,10 @@ in
 owner = "grafana";
 publicKeys = all;
 };
+ "monitoring/secret-key.age" = {
+ owner = "grafana";
+ publicKeys = all;
+ };
 "nextcloud/password.age" = {
 owner = "nextcloud";
diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix
index 76ea1ee..e4cae5e 100644
--- a/hosts/nixos/porthos/services.nix
+++ b/hosts/nixos/porthos/services.nix
@@ -80,6 +80,7 @@ in
 enable = true;
 grafana = {
 passwordFile = secrets."monitoring/password".path;
+ secretKeyFile = secrets."monitoring/secret-key".path;
 };
 };
 # FLOSS music streaming server
diff --git a/modules/services/monitoring/default.nix b/modules/services/monitoring/default.nix
index ece6cc1..829bfe0 100644
--- a/modules/services/monitoring/default.nix
+++ b/modules/services/monitoring/default.nix
@@ -27,6 +27,12 @@ in
 example = "/var/lib/grafana/password.txt";
 description = "Admin password stored in a file";
 };
+
+ secretKeyFile = mkOption {
+ type = types.str;
+ example = "/var/lib/grafana/secret_key.txt";
+ description = "Secret key stored in a file";
+ };
 };
 prometheus = {
@@ -61,6 +67,7 @@ in
 security = {
 admin_user = cfg.grafana.username;
 admin_password = "$__file{${cfg.grafana.passwordFile}}";
+ secret_key = "$__file{${cfg.grafana.secretKeyFile}}";
 };
 };
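Review bot: The description on the new `secretKeyFile` option does not say what the key protects or where the file may live. The path is handed to Grafana through `$__file{...}` and read at runtime, so it has to point outside the Nix store and be readable by the grafana user; a store path would leave the key world-readable. I would reword it to something like `description = "Path to a file holding Grafana's secret_key (used to sign and encrypt stored data source secrets); keep it outside the Nix store and readable by the grafana user";`. The option also has no `default`, so every configuration that enables this module must now set it; the surrounding option set starts outside the hunk, so I cannot tell whether that matches how `passwordFile` is declared.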
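Review bot: Setting `secret_key` in the `security` block changes the key Grafana uses to encrypt values it stores in its database (data source passwords and similar), and nothing in the change records that for hosts that already ran with the previous key. Values encrypted under the old key will not decrypt after this deploys and have to be re-entered or re-encoded. I would add a comment above the new line, `# Rotating this key invalidates secrets already encrypted in Grafana's database; re-enter data source credentials afterwards`, and note the same in the commit message. The `security` attribute set is opened and closed inside the hunk, but its enclosing settings block starts outside it.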