diff --git a/flake.lock b/flake.lock
index f6980b8d..297b5c6b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -327,11 +327,11 @@
 ]
 },
 "locked": {
-"lastModified": 1637279330,
-"narHash": "sha256-KVpmVahyEZCv+FBMGTnLr58mLEdaY5TskgXBLcGEmTk=",
+"lastModified": 1640393547,
+"narHash": "sha256-UCCzxswpYTBW5Iv56rhtydsgrpvul0cAfxysCWmVgYk=",
 "ref": "master",
-"rev": "3b8e8c32965dde461833513580ab1bed7becf2fc",
-"revCount": 111,
+"rev": "9a1eef32664986af8797eab1b14b273d90faf6e6",
+"revCount": 114,
 "type": "git",
 "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index 16e1ba1a..31e7dfbb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -522,7 +522,11 @@
 self.nixosModules.plume
 ./lib/lxc-container.nix
 ./hosts/containers/blogs
+sops-nix.nixosModules.sops
 ];
+extraArgs = {
+secretsFile = "${secrets}/hosts/blogs/secrets.yaml";
+};
 system = "x86_64-linux";
 };
 
diff --git a/hosts/containers/blogs/default.nix b/hosts/containers/blogs/default.nix
index ba10031f..302ea5d3 100644
--- a/hosts/containers/blogs/default.nix
+++ b/hosts/containers/blogs/default.nix
@@ -1,4 +1,4 @@
-{ hostRegistry, zentralwerk, config, ... }:
+{ hostRegistry, zentralwerk, secretsFile, config, ... }:
 {
 networking = {
 hostName = "blogs";
@@ -13,11 +13,14 @@
 ];
 };
 
-services.plume = {
-enable = true;
-config.BASE_URL = "blogs.c3d2.de";
-config.ROCKET_SECRET_KEY = "OIZiemtQLDG2wcVnKgHAJ2kMB0UJpa5Uuoei7C57N5o=";
+# See secrets/hosts/blogs for the .env file with all settings
+services.plume.enable = true;
+
+sops.defaultSopsFile = secretsFile;
+sops.secrets = {
+"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
 };
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
 services.nginx.enable = true;
 services.nginx.virtualHosts."blogs.c3d2.de" = {
diff --git a/lib/plume.nix b/lib/plume.nix
index a0587653..3fed7fa0 100644
--- a/lib/plume.nix
+++ b/lib/plume.nix
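Review bot: The removed `config.ROCKET_SECRET_KEY = "…";` line in hosts/containers/blogs/default.nix was a plaintext secret committed to this repository, and deleting it from the tree does not remove it from git history, so the value stored under `plume/env` in the sops file should be a freshly generated key rather than the same string; the hunk cannot show whether it was rotated. If it was, a comment next to `services.plume.enable = true;` such as `# ROCKET_SECRET_KEY was rotated when it moved into sops; the value in git history is no longer valid` records that for the next reader. Separately, `"plume/env".owner = config.systemd.services.plume.serviceConfig.User;` depends on lib/plume.nix setting `serviceConfig.User`, which this diff does not show; the module does expose `services.plume.user` (lib/plume.nix reads `cfg.user`), so `config.services.plume.user` is the more direct reference and does not depend on how the unit is assembled.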
@@ -2,17 +2,6 @@
 { config, lib, pkgs, ... }:
 
 let
-defaultConfig = {
-DATABASE_URL = "postgres://plume:plume@localhost/plume";
-MIGRATION_DIRECTORY = "migrations/postgres";
-};
-mergedConfig = defaultConfig // cfg.config;
-configFile = builtins.toFile "plume-env" (
-lib.concatMapStrings (key: ''
-${key}=${mergedConfig.${key}}
-'') (builtins.attrNames mergedConfig)
-);
-
 plume = self.packages.${pkgs.system}.plume;
 cfg = config.services.plume;
 in
@@ -30,18 +19,12 @@ in
 default = "plume";
 description = "System group to run Plume";
 };
-
-config = mkOption {
-type = with types; attrsOf str;
-default = {};
-description = "Configuration for Plume";
-};
 };
 
 config = lib.mkIf cfg.enable {
 systemd.tmpfiles.rules = [
 "d ${config.users.users.${cfg.user}.home} 0700 ${cfg.user} ${cfg.group} -"
-"L ${config.users.users.${cfg.user}.home}/.env - - - - ${configFile}"
+"L ${config.users.users.${cfg.user}.home}/.env - - - - /run/secrets/plume/env"
 "L ${config.users.users.${cfg.user}.home}/static - - - - ${plume}/share/plume/static"
 ];
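Review bot: The new tmpfiles rule hard-codes `/run/secrets/plume/env`, which ties this reusable module to a `sops.secrets."plume/env"` declaration that lives in hosts/containers/blogs/default.nix; any other host that enables `services.plume` gets a dangling `.env` symlink with no evaluation-time error. Making the path an option keeps the module self-describing and lets the host pass `config.sops.secrets."plume/env".path` instead of a literal, and the option's description is the right place to state that, since the defaults were dropped in the first hunk, the file must now also provide `DATABASE_URL` and `MIGRATION_DIRECTORY`. `mkOption` and `types` are already in scope here, as the removed `config` option shows. Both the `options` attrset and the `config = lib.mkIf cfg.enable { … }` attrset begin and end outside the hunk.
```nix
    envFile = mkOption {
      type = types.path;
      description = "Path to the .env file read by Plume; it must now also set DATABASE_URL and MIGRATION_DIRECTORY";
    };
  # … unchanged: end of options, start of config = lib.mkIf cfg.enable, the "d" rule …
      "L ${config.users.users.${cfg.user}.home}/.env - - - - ${cfg.envFile}"
```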