diff --git a/.sops.yaml b/.sops.yaml
index e1d781a..cb717ff 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -28,3 +28,7 @@ creation_rules:
 key_groups:
 - pgp: [*clara]
 age: [*vikunja]
+ - path_regex: secrets\/mastodon\/*
+ key_groups:
+ - pgp: [*clara]
+ age: [*mastodon]
diff --git a/configs/services/mastodon.nix b/configs/services/mastodon.nix
index b41e0e0..ce6fe9d 100644
--- a/configs/services/mastodon.nix
+++ b/configs/services/mastodon.nix
@@ -1,44 +1,36 @@
 { lib, pkgs, config, ... }:
-let
- http_port = 3000;
- dbuname = "misskey";
- dbport = 5432;
-in
 {
- services = {
- misskey = {
- enable = true;
- settings = {
- url = "https://puppyplaypissparty.de";
- port = http_port;
- };
- settings = {
- db = {
- user = dbuname;
- port = dbport;
- };
- setupPassword = "VMoV33ov$C6JxVVXHffuVxHaqf^Cbmr9V1GSNgkyF6pq939Wr@c1hgfN7iD9%$De";
- };
- };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "fedi@cdaut.de";
+ };
 
- postgresql = {
- enable = true;
- ensureUsers = [
- {
- name = dbuname;
- ensureDBOwnership = true;
- }
- ];
- ensureDatabases = [
- dbuname
- ];
- settings.port = dbport;
- };
- redis = {
- servers."" = {
- enable = true;
- };
+ # set up smtp pass
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets.smtp_pass = {
+ sopsFile = ../../secrets/mastodon/secrets.yaml;
 };
 };
- networking.firewall.allowedTCPPorts = [ http_port ];
+
+ services.mastodon = {
+ enable = true;
+ streamingProcesses = 1;
+ localDomain = "puppyplaypissparty.de";
+ configureNginx = true;
+
+ smtp = {
+ fromAddress = "fedi@cdaut.de";
+ host = "mail.cdaut.de";
+ user = "fedi@cdaut.de";
+ port = 587;
+ authenticate = true;
+ passwordFile = config.sops.secrets.smtp_pass.path;
+ };
+
+ database = {
+ createLocally = true;
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/configs/services/misskey.nix b/configs/services/misskey.nix
new file mode 100644
index 0000000..b41e0e0
--- /dev/null
+++ b/configs/services/misskey.nix
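Review bot: The new `path_regex: secrets\/mastodon\/*` is a regular expression, not a glob: the `*` applies only to the preceding escaped slash and the pattern is unanchored, so it effectively matches any path that merely contains `secrets/mastodon` (a future `secrets/mastodon-staging/...` included) rather than the files under that directory. Since sops evaluates creation rules in order and the first match wins, a loose pattern like this can also shadow later, more specific rules. Anchor it to the directory: `- path_regex: ^secrets/mastodon/`. The `*mastodon` alias is presumably defined in the keys block above the hunk; it is worth confirming it resolves to the `age1...` recipient recorded in the new secrets file, otherwise the host key cannot decrypt it.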
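Review bot: `secrets.smtp_pass` sets no `owner`, so the decrypted file keeps sops-nix's default root-only ownership and mode, yet its path is handed to the mastodon service via `passwordFile`; I believe the NixOS mastodon module reads that file as the `mastodon` user during its init step (confirm against the module), in which case startup fails with a permission error on the secret rather than on SMTP. Add `owner = config.services.mastodon.user;` next to `sopsFile` (plus a matching `group` if the module's units run with the mastodon group) so the file is readable by exactly that account and nothing else. The `# set up smtp pass` comment would be more useful if it explained the trust chain, e.g. `# decrypt with the age identity derived from this host's ssh ed25519 key; the matching age recipient is listed in .sops.yaml`, since that is what ties `age.sshKeyPaths` to the creation rule. The rest of the block is consistent: `configureNginx = true` is what makes the `security.acme` defaults and the 80/443 firewall rule necessary.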
@@ -0,0 +1,44 @@
+{ lib, pkgs, config, ... }:
+let
+ http_port = 3000;
+ dbuname = "misskey";
+ dbport = 5432;
+in
+{
+ services = {
+ misskey = {
+ enable = true;
+ settings = {
+ url = "https://puppyplaypissparty.de";
+ port = http_port;
+ };
+ settings = {
+ db = {
+ user = dbuname;
+ port = dbport;
+ };
+ setupPassword = "VMoV33ov$C6JxVVXHffuVxHaqf^Cbmr9V1GSNgkyF6pq939Wr@c1hgfN7iD9%$De";
+ };
+ };
+
+ postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = dbuname;
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = [
+ dbuname
+ ];
+ settings.port = dbport;
+ };
+ redis = {
+ servers."" = {
+ enable = true;
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ http_port ];
+}
diff --git a/secrets/mastodon/secrets.yaml b/secrets/mastodon/secrets.yaml
new file mode 100644
index 0000000..09c28b9
--- /dev/null
+++ b/secrets/mastodon/secrets.yaml
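Review bot: The `misskey` attrset defines `settings` twice (once with `url`/`port`, once with `db`/`setupPassword`); Nix rejects a repeated attribute in a single attrset with "attribute 'settings' already defined", so this file fails to evaluate as soon as it is imported. Merge the two by dropping the `};` and the second `settings = {` between `port = http_port;` and `db = {`. Separately, `setupPassword` is a plaintext credential committed to the repository, while this same commit moves the mastodon SMTP password into sops; because the value is now in git history it should be rotated, and the replacement kept out of tracked config the same way (how it is fed into `services.misskey.settings` depends on the module's options, which are not visible here). Note the file is byte-for-byte the content removed from mastodon.nix, so git shows it as a new file rather than a move, and both defects were carried over unchanged.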
@@ -0,0 +1,37 @@ +smtp_pass: ENC[AES256_GCM,data:S1vB0GIb9c0Yov/wkGiqpt6goN/XmIWPFx0TYMvqhJUXtGgjKNtkmijYBsT0,iv:xnKh4edcHRDjxHRo84KxQKx6OrZlErla3yvLIZyqeUo=,tag:ftVNoc0qnRru+Z8TF3E0wQ==,type:str] +sops: + age: + - recipient: age19efecaur72d92g452zpe4uxjtwev2ktjtaezascxg9l2p8544s8s05d93r + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bkMvTUZKbkpCeFg2Z3I4 + L095TkFhVUNSWmNxWERicGdrZXF3dFFTcTFBCnhNTGxYSitrcGlYY2ZpTXNlQUhW + MmVocHFENmNGWXZ1QWxabG8xSTNWSmcKLS0tIFBkY1JXd3JuTVE4NEVFL2lLeUZT + YUdTMTk2V3QvN2NXWXlqbDh1SkNBZVUKI7aHgopbId8rjAKVXYstsXa36mLm1j4f + nknPOngq++hMoY/v3P2ipV+Ml0lgJt+Nk0BlA9RTBQ2FYg4cJhiOuA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-12T11:36:49Z" + mac: ENC[AES256_GCM,data:VWTDVy7Eoe71XNfKPcNUTZbfxH6BBkS+hHOCRImnZZnu8bEvdmrbvDFtKgvsmolijg870G4YVgdKiZc9REJAD2Egcq4rX6XXZi4F5AQISlU/vkQ5amUdvHAjbW9U+O67c1qxDsSOP489x3zDlR4LeoWALCXpnFNFCjBQwIIjKzM=,iv:uedmYsLS5TIMPprREzn5aRGXXJj8xKtr1mEocugiokA=,tag:jqXp8DCzqywu18gvfm5Qtw==,type:str] + pgp: + - created_at: "2025-09-12T10:53:07Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzwtBoBqH5ZOAQ//ePQhgxIhAoV0FXav0+Z8i9I+hri/OAvN0Isrjohss1uj + TRruFq0fxVQuvlbA1qXixPL/7bxE5dV2YGQbw+SmzD+joAo0VMvKzQzxd2cM4XUy + +S4T97lH8MlziGOTTi82Uw31PCvMy7HfgTS5ftIVPbsJ7VegDcs2OtWyqXDmNR/q + 96gSGGGb0sIirVrv1mtSlmd2vKqN7pO72DNUsnJ8wTQ3h4ntH4LB3i859q1mwLSz + OSc7BQYY2GmtdFfhHrLT0b8abF19lD/JZEGRLgfOngPlR3aDJgtoh06x3zBcQ0Hp + aqLWr1HttJNEAET80zO38cdHUPe11G+3Vw7+7EgbRjOMKKORVpby0GSjZLWJJI3M + fR3er4CgVXSeCKkNuIQx/prwEMm5iHouKMN0fruy5R4eg07mZhIuGg7RsZs1T4Sr + ekPXHtK6HCD2XmXHM2dteWbO+DMOMKsF/lihM/ct5KAGHd+cLyHk98n3extmworv + PVzOTLE5xzGmAK87OtGL7DOlpxOfhgHYf1x9idLJorJMbg5MyAK/b8fjYtibN+nJ + sSQruHhBoc0ekyeyqIWY5vgd+oRf5Rma3CcJSMTEk09SlVYSN9n7ys+lSaD4DL3z + rck2N2FG+/L5cv3FfON3yJ+c4NUydehUzihWVGTE5LLSrwCMi8Lhp87Kse3vFmTS + XAFkdKenVseFcCGk271PCSThphSKdZYGJIuoRuyrVSFbhL/L7dTAHXRu6VHuXBTP + TfeUEyRqY6zaCOAEbS4K5NhcGbhVdXATWOgTSdLYGYVXPCtTYKrwEQPtzxyN + =cTu+ + -----END 
PGP MESSAGE----- + fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 + unencrypted_suffix: _unencrypted + version: 3.10.2