diff --git a/.sops.yaml b/.sops.yaml
index 9db3e5aa..c3481431 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -372,6 +372,13 @@ creation_rules:
 - *radiobert
 - *polygon-snowflake
+ - path_regex: hosts/scrape/secrets\.yaml$
+ key_groups:
+ - pgp: *admins
+ age:
+ - *scrape
+ - *polygon-snowflake
+
 - path_regex: hosts/server8/secrets\.yaml$
 key_groups:
 - pgp: *admins
diff --git a/flake.lock b/flake.lock
index 81694277..0cfd8595 100644
--- a/flake.lock
+++ b/flake.lock
@@ -543,7 +543,6 @@
 "openwrt-imagebuilder": "openwrt-imagebuilder",
 "rust-overlay": "rust-overlay",
 "scrapers": "scrapers",
- "secrets": "secrets",
 "simple-nixos-mailserver": "simple-nixos-mailserver",
 "skyflake": "skyflake",
 "sops-nix": "sops-nix",
@@ -613,21 +612,6 @@
 "url": "https://gitea.c3d2.de/astro/scrapers.git"
 }
 },
- "secrets": {
- "locked": {
- "lastModified": 1713190267,
- "narHash": "sha256-JuK9t9ax6iNJka99MuEHBigggURtuOldIuO3wRIqrJI=",
- "ref": "refs/heads/master",
- "rev": "3ebb2eed7868e62215a5d620ca903286850a8229",
- "revCount": 167,
- "type": "git",
- "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
- },
- "original": {
- "type": "git",
- "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
- }
- },
 "simple-nixos-mailserver": {
 "inputs": {
 "blobs": "blobs",
diff --git a/flake.nix b/flake.nix
index 917b28aa..6ae1fcb9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -165,8 +165,6 @@
 fenix.follows = "fenix";
 };
 };
- # deprecated
- secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
 simple-nixos-mailserver = {
 # url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
 url = "gitlab:SuperSandro2000/nixos-mailserver/quote-ldap-password";
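Review bot: The new creation rule for `hosts/scrape/secrets\.yaml$` is only half of the change: the encrypted `hosts/scrape/secrets.yaml` it governs does not appear in this diff, nor does the definition of the `*scrape` age anchor it references, so both presumably live in another commit or an earlier hunk. Confirm the file exists and was actually encrypted to this key set (re-run `sops updatekeys hosts/scrape/secrets.yaml` if it was created before the rule), and that `*scrape` resolves to the scrape host's current age key rather than a stale one. The key set itself (admins PGP plus the host key and `*polygon-snowflake`) mirrors the server8 rule directly below, so it is consistent with the rest of the file.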
@@ -221,7 +219,7 @@
 };
 };
- outputs = inputs@{ self, alert2muc, c3d2-user-module, deployment, disko, fenix, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-modules, buzzrelay, caveman, oparl-scraper, simple-nixos-mailserver, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
+ outputs = inputs@{ self, alert2muc, c3d2-user-module, deployment, disko, fenix, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-modules, buzzrelay, caveman, oparl-scraper, simple-nixos-mailserver, scrapers, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
 let
 inherit (nixos) lib;
@@ -630,9 +628,6 @@
 ./hosts/scrape
 {
 _module.args = { inherit scrapers; };
-
- # TODO: migrate to sops
- nixpkgs.overlays = [ secrets.overlays.scrape ];
 }
 ];
 };
diff --git a/hosts/scrape/default.nix b/hosts/scrape/default.nix
index 62293eba..cff1f937 100644
--- a/hosts/scrape/default.nix
+++ b/hosts/scrape/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, scrapers, ... }:
+{ lib, config, pkgs, scrapers, ... }:
 let
 freifunkNodes = {
@@ -37,14 +37,29 @@ in {
 };
 };
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ "scrape/matemat/user".owner = config.users.users.scrape.name;
+ "scrape/matemat/password".owner = config.users.users.scrape.name;
+ "scrape/xeri/user".owner = config.users.users.scrape.name;
+ "scrape/xeri/password".owner = config.users.users.scrape.name;
+ };
+ };
+
 systemd.services = let
 serviceConfig = {
 User = config.users.users.scrape.name;
 Group = config.users.users.scrape.group;
 };
 scraperPkgs = import scrapers { inherit pkgs; };
- makeService = { script, host ? "", user ? "", password ? "" }: {
- script = "${scraperPkgs."${script}"}/bin/${script} ${host} ${user} ${password}";
+ makeService = {
+ script,
+ host ? "",
+ userFile ? "",
+ passwordFile ? ""
+ }: {
+ script = "${lib.getExe scraperPkgs."${script}"} ${host} ${lib.optionalString (userFile != "") ''"$(cat ${userFile})"''} ${lib.optionalString (passwordFile != "") ''"$(cat ${passwordFile})"''}";
 inherit serviceConfig;
 };
 makeNodeScraper = nodeId: {
@@ -67,7 +82,8 @@ in {
 scrape-xeri = makeService {
 script = "xerox";
 host = "xeri.hq.c3d2.de";
- inherit (pkgs.scrape-xeri-login) user password;
+ userFile = config.sops.secrets."scrape/xeri/user".path;
+ passwordFile = config.sops.secrets."scrape/xeri/user".path;
 };
 scrape-roxi = makeService {
 script = "xerox";
@@ -76,7 +92,8 @@ in {
 scrape-matemat = makeService {
 script = "matemat";
 host = "matemat.hq.c3d2.de";
- inherit (pkgs.scrape-matemat-login) user password;
+ userFile = config.sops.secrets."scrape/matemat/user".path;
+ passwordFile = config.sops.secrets."scrape/matemat/user".path;
 };
 scrape-impfee = makeService {
 script = "impfee";
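Review bot: The new `makeService` still hands the user and password to the scraper as positional command-line arguments — `"$(cat ${userFile})"` is expanded by the service's shell before exec — so both values are readable in `/proc/<pid>/cmdline` (`ps`) by every local user for the lifetime of the scraper process. That is a clear improvement over the removed overlay, which baked the login into the world-readable Nix store, but it is not the same as keeping the values confined to the root-owned sops files, and nothing in the hunk says so. If the scrapers can read credentials from a file or the environment, prefer passing `userFile`/`passwordFile` through (or `serviceConfig.LoadCredential` plus `$CREDENTIALS_DIRECTORY`); if they only accept positional args, add a comment above the `script` attribute such as `# NOTE: user/password are expanded into argv and are visible via ps; the scrapers only take positional args` so the residual exposure is explicit. `lib.getExe` also relies on `meta.mainProgram` (falling back to the package name with a warning) where the old `/bin/${script}` path did not, which is worth confirming for the `scrapers` packages since they are defined outside this file; the enclosing `systemd.services` let-block continues past the hunk.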
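Review bot: `passwordFile` for `scrape-xeri` points at the user secret instead of the password: `passwordFile = config.sops.secrets."scrape/xeri/user".path;` should read `passwordFile = config.sops.secrets."scrape/xeri/password".path;`. As written the xerox scraper is invoked with the username in both the user and password positions, and the `scrape/xeri/password` secret declared in the `sops.secrets` block is never consumed, so this evaluates cleanly but presumably fails to log in at runtime.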
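Review bot: `scrape-matemat` has the same copy-paste slip as `scrape-xeri`: `passwordFile = config.sops.secrets."scrape/matemat/user".path;` should be `passwordFile = config.sops.secrets."scrape/matemat/password".path;`. The `scrape/matemat/password` secret is declared above but unused, and since the sops-nix path is a valid file either way, nothing at evaluation or activation time will catch this — only the scraper's login failing. A quick `grep -c '/password".path' hosts/scrape/default.nix` after the fix should return 2.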