diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix index 1669820..3eb637a 100644 --- a/newinfra/nix/hive.nix +++ b/newinfra/nix/hive.nix @@ -27,6 +27,10 @@ dnsutils ]; + imports = [ + "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz"}/modules/age.nix" # main 2024-07-26 + ]; + time.timeZone = "Europe/Zurich"; users.users.root.openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0n1ikUG9rYqobh7WpAyXrqZqxQoQ2zNJrFPj12gTpP nilsh@PC-Nils'' ]; @@ -113,8 +117,11 @@ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ./modules/ingress + ./modules/widetom ]; + age.secrets.docker_registry_password.file = ./secrets/docker_registry_password.age; + # The name and nodes parameters are supported in Colmena, # allowing you to reference configurations in other nodes. networking.hostName = name; diff --git a/newinfra/nix/modules/widetom/default.nix b/newinfra/nix/modules/widetom/default.nix new file mode 100644 index 0000000..0cabaf3 --- /dev/null +++ b/newinfra/nix/modules/widetom/default.nix 
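Review bot: The agenix module is pulled in with `builtins.fetchTarball` given only a URL, so nothing verifies the tarball's content: the commit id in the URL pins what GitHub is asked for, not what the evaluator actually receives, and the result is then imported as a NixOS module with full rights over every node's configuration. Pass the expected hash as well, e.g. `"${builtins.fetchTarball { url = "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz"; sha256 = "<sha256 recorded from a trusted first fetch>"; }}/modules/age.nix"`, or add agenix as a pinned input (niv/npins/flake) so the hash lives in one place. The same unhashed fetch of the same URL is repeated in the shell.nix hunk below; keeping the pin in a single file avoids the two drifting apart.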
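Review bot: `age.secrets.docker_registry_password.file` is declared here at node level, but the only consumer visible in this commit is `modules/widetom`, which already declares the two other widetom secrets itself, so the module silently depends on the host having declared this one and fails to evaluate on any node that imports it without this line. If the registry login is widetom-specific, move the declaration next to the others in the module, `age.secrets.docker_registry_password.file = ../../secrets/docker_registry_password.age;`; if it is meant to be shared by other containers on this node, a one-line comment saying so would make the split intentional. The enclosing node attribute set starts and ends outside the hunk.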
@@ -0,0 +1,33 @@
+{ config, ... }: {
+ age.secrets.widetom_bot_token.file = ../../secrets/widetom_bot_token.age;
+ age.secrets.widetom_config_toml.file = ../../secrets/widetom_config_toml.age;
+
+ virtualisation.oci-containers.containers = {
+ /*
+ container_name: widetom
+ image: "docker.nilstrieb.dev/widetom:33d17387"
+ restart: always
+ volumes:
+ - "/apps/widetom:/app/config"
+ environment:
+ CONFIG_PATH: /app/config/config.toml
+ BOT_TOKEN_PATH: /app/config/bot_token
+ */
+ widetom = {
+ image = "docker.nilstrieb.dev/widetom:33d17387";
+ volumes = [
+ "${config.age.secrets.widetom_config_toml.path}:/config.toml"
+ "${config.age.secrets.widetom_bot_token.path}:/token"
+ ];
+ environment = {
+ CONFIG_PATH = "/config.toml";
+ BOT_TOKEN_PATH = "/token";
+ };
+ login = {
+ registry = "docker.nilstrieb.dev";
+ username = "nils";
+ passwordFile = config.age.secrets.docker_registry_password.path;
+ };
+ };
+ };
+}
diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age
new file mode 100644
index 0000000..9c0736b
--- /dev/null
+++ b/newinfra/nix/secrets/docker_registry_password.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 cVCt6g AAbb0ErTvg38WthfQ3l812GEevHWHclMOyFaPj4+GT0
+Rd83XSOPBQQVfCur8qOpMAxl0G25Obg/d4sLWW86Qb4
+--- fRS0N8vuoOh7BdE2mcDZrQJDwN+MgTwmYWfYDDvwFnY
+Ni:l÷"½03Ç4‚²}zØV „òàžÖÁXÜ-†z—Ø­ð(k'Åæf[”÷>ôÐþáî¢ý®
\ No newline at end of file
diff --git a/newinfra/nix/secrets/secrets.nix b/newinfra/nix/secrets/secrets.nix
new file mode 100644
index 0000000..8501dac
--- /dev/null
+++ b/newinfra/nix/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+ vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOixcV3SGAWRCMYYn+ybioFSBhpfkYzSU1nX+g6e5jI5";
+in
+{
+ "widetom_bot_token.age".publicKeys = [ vps1 ];
+ "widetom_config_toml.age".publicKeys = [ vps1 ];
+ "docker_registry_password.age".publicKeys = [ vps1 ];
+}
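Review bot: The image is pinned by tag (`docker.nilstrieb.dev/widetom:33d17387`) and registry tags are mutable, so the host will run whatever that tag resolves to at pull time; pinning by digest, `image = "docker.nilstrieb.dev/widetom@sha256:<digest of the intended build>";`, makes the deployment reproducible and tamper-evident. The docker-compose block kept inside the `/* … */` comment is commented-out code that the `widetom` attribute set directly below already replaces and can be dropped. The two secrets are bind-mounted straight from their agenix paths, which agenix creates root-owned and not world-readable unless told otherwise; if the image runs its process as a non-root user, that user cannot read `/config.toml` or `/token`, so either confirm the container runs as root or set `owner`/`mode` on the two `age.secrets` entries to match.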
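Review bot: Every secret lists only `vps1`, the host's own ssh-ed25519 key, as recipient, and the committed `docker_registry_password.age` header above shows a single recipient stanza accordingly, so editing or re-keying any of these files requires the host's private key: `agenix -e` from a workstation cannot decrypt them, and losing the host means losing the ability to rotate the secrets without re-entering them from scratch. Add at least one operator key alongside the host, e.g. `admins = [ "<operator ssh public key>" ];` in the `let` and `"widetom_bot_token.age".publicKeys = [ vps1 ] ++ admins;` for each entry, then run `agenix -r` so the existing files are re-encrypted to the new recipient set.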
diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age
new file mode 100644
index 0000000..a801ee8
Binary files /dev/null and b/newinfra/nix/secrets/widetom_bot_token.age differ
diff --git a/newinfra/nix/secrets/widetom_config_toml.age b/newinfra/nix/secrets/widetom_config_toml.age
new file mode 100644
index 0000000..00ae96e
Binary files /dev/null and b/newinfra/nix/secrets/widetom_config_toml.age differ
diff --git a/playbooks/vps2.yml b/playbooks/vps2.yml
index ef71895..7c78958 100644
--- a/playbooks/vps2.yml
+++ b/playbooks/vps2.yml
@@ -63,24 +63,6 @@
 src: "../secrets/registry/htpasswd"
 mode: "u=r,g=r,o=r"
 #####
- # APP: widetom, /apps/widetom
- #####
- - name: Create /apps/widetom
- ansible.builtin.file:
- path: "/apps/widetom"
- state: directory
- mode: u=rwx,g=rx,o=rx
- - name: Copy widetom config.toml
- ansible.builtin.copy:
- dest: "/apps/widetom/config.toml"
- src: "../secrets/widetom/config.toml"
- mode: "u=r,g=r,o=r"
- - name: Copy widetom bot_token
- ansible.builtin.copy:
- dest: "/apps/widetom/bot_token"
- src: "../secrets/widetom/bot_token"
- mode: "u=r,g=r,o=r"
- #####
 # APP: killua bot, /apps/killua
 #####
 - name: Create /apps/killua
diff --git a/shell.nix b/shell.nix
index a665039..dde9947 100644
--- a/shell.nix
+++ b/shell.nix
@@ -11,5 +11,6 @@
 shellcheck
 git-crypt
 opentofu
+ (import (builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz") { }).agenix
 ];
 }
diff --git a/vps2/docker-compose.yml b/vps2/docker-compose.yml
index c9bee86..c72cbaa 100644
--- a/vps2/docker-compose.yml
+++ b/vps2/docker-compose.yml
@@ -19,15 +19,6 @@ services:
 - "/apps/prometheus/data:/opt/bitnami/prometheus/data"
 networks:
 - prometheus
- widetom:
- container_name: widetom
- image: "docker.nilstrieb.dev/widetom:33d17387"
- restart: always
- volumes:
- - "/apps/widetom:/app/config"
- environment:
- CONFIG_PATH: /app/config/config.toml
- BOT_TOKEN_PATH: /app/config/bot_token
 killua:
 container_name: killua
 image: "docker.nilstrieb.dev/killua-bot:ac8203d2"