diff --git a/config/hosts/jellyfin/hardware-configuration.nix b/config/hosts/jellyfin/hardware-configuration.nix
index 764a903..f89a9e5 100644
--- a/config/hosts/jellyfin/hardware-configuration.nix
+++ b/config/hosts/jellyfin/hardware-configuration.nix
@@ -5,7 +5,7 @@
     fsType = "cifs";
     options = [ 
       "username=jellyfin" 
-      "credentials=/secrets/samba-credentials.secret"
+      "credentials=/run/secrets/samba-credentials"
       "iocharset=utf8"
       "vers=3.1.1"
       "uid=jellyfin"
@@ -13,4 +13,10 @@
       "_netdev"
     ];
   };
+
+  sops.secrets."samba-credentials" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+  };
 }
diff --git a/config/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix
deleted file mode 100644
index 922d4c4..0000000
--- a/config/hosts/jellyfin/secrets.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ keyCommandEnv, ... }:
-{
-  deployment.keys."samba-credentials.secret" = {
-    keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ];
-    destDir = "/secrets";
-    user = "root";
-    group = "root";
-    permissions = "0640";
-    uploadAt = "pre-activation";
-  };
-}
diff --git a/config/hosts/jellyfin/secrets.yaml b/config/hosts/jellyfin/secrets.yaml
new file mode 100644
index 0000000..c4653bc
--- /dev/null
+++ b/config/hosts/jellyfin/secrets.yaml
@@ -0,0 +1,25 @@
+samba-credentials: ENC[AES256_GCM,data:9txZMLLwlyAMzI3Naag3tUD1zSXLAf/zoJFoJZYTChhmkPpuhuuaIANFcYmH2sUYSsvZLXlbBuLXRryjTix0zK9ZfkZW8/R1vg==,iv:cF3S9S2+Vk+VAb8gyFyxZ12fqmohHSD3GG0fTILrxRM=,tag:m4BqpUlKmUoPbXTEjFmjaA==,type:str]
+sops:
+  age:
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb3dQYWM4SHVraHFPZEx6
+        aGpDcTEyVjZ6Y0h6YzM4aVliRXpqZFpLcnprCmNEOHFrby9IdEE1MTZIYWxrS3BS
+        ZHZTSmYxUW9pek5XblIyZ2FDVlV0TEkKLS0tIEN6NnErRXI3ejc3cVBiSVR6NlpC
+        a2tnWWxDaXgwQ3hmc0dreTNIRnl0cTAKCSaj/epLw16tVDX4OMCzutxlnARL8MDf
+        pUVDonkZ7sB7d1+mnyG+gMQuFDhiDcV9WS2h3M83xoSKoHnCkca9Ew==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbUdFMlZvVXlzc3FPSmE4
+        Rk1jeUpDVUJMeUlJZDlYeHhwK2l6UkJNRVFVCjNUVS9ZMjI2ME9qTFM0Umc3dXZC
+        Z0todzhYSXZ5Yk5odUdOZGg3VnE3QW8KLS0tIGd1emhUMFVHT3JiZ1JhY0FWOU1i
+        cW9PWk9oRHZGeFlSdlVLSlJ6TVg4WnMKikUhDJNyuKdiazCUcKBo834NO3U6ZfjB
+        GbDn3wUKb465CDYw7GPcvZtM2mNufsoInZh+Oq/07Hi+seAXfX2y7A==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt
+  lastmodified: "2026-05-17T00:58:22Z"
+  mac: ENC[AES256_GCM,data:0WF8JU4d+5nHHB5iBmqdS6TkZem2AHrYNx6zDm4yoIKip7ZVTfCPCyhZ4c3QseEBn1G2IXsTMEtIk6RVI2JigSJPLjyXOTJOeWjVtPD5+1I+mrU7z+YWN+sK5i4F1hQX7/E4JbTDh/h+NbqZ6I9pBq7Nm12QUtZdp/7R5qChXs4=,iv:DBdSDx/X8fh7SXiC073AtDMPDB9idKItzEz2fl7xe+g=,tag:0O1pZp6+Y2Uf2DlijwZLeg==,type:str]
+  unencrypted_suffix: _unencrypted
+  version: 3.13.0