diff --git a/hosts/pluto/services/gitlab.nix b/hosts/pluto/services/gitlab.nix
index f9aa997..c63bc14 100644
--- a/hosts/pluto/services/gitlab.nix
+++ b/hosts/pluto/services/gitlab.nix
@@ -1,4 +1,35 @@
 {
- services.gitlab = {
+ config,
+ pkgs,
+ ...
+}: let
+ sec = config.age.secrets;
+in {
+ age.secrets = {
+ gitlab_db.file = ../../../sec/gitlab_db.age;
+ gitlab_initpw.file = ../../../src/gitlab_initpw.age;
+ gitlab_otp.file = ../../../sec/gitlab_otp.age;
+ gitlab_pw.file = ../../../sec/gitlab_pw.age;
+ gitlab_sec.file = ../../../sec/gitlab_sec.age;
 };
+
+ services.gitlab = {
+ enable = true;
+ databasePasswordFile = sec.gitlab_db.path;
+ initialRootPasswordFile = sec.gitlab_initpw.path;
+ secrets = {
+ secretFile = sec.gitlab_sec.path;
+ otpFile = sec.gitlab_otp.path;
+ dbFile = sec.gitlab_db.path;
+ jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+ };
+ };
+
+ services.nginx.virtualHosts."git.zackmyers.io" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+
+ systemd.services.gitlab-backup.environment.BACKUP = "dump";
 }
diff --git a/sec/gitlab_db.age b/sec/gitlab_db.age
new file mode 100644
index 0000000..c020cc5
Binary files /dev/null and b/sec/gitlab_db.age differ
diff --git a/sec/gitlab_initpw.age b/sec/gitlab_initpw.age
new file mode 100644
index 0000000..56271af
Binary files /dev/null and b/sec/gitlab_initpw.age differ
diff --git a/sec/gitlab_otp.age b/sec/gitlab_otp.age
new file mode 100644
index 0000000..aaa119c
--- /dev/null
+++ b/sec/gitlab_otp.age
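Review bot: `gitlab_initpw.file = ../../../src/gitlab_initpw.age;` points at `src/` while every other secret in the same attribute set, and the file this commit adds (`b/sec/gitlab_initpw.age`), live under `sec/`, so evaluation will fail or pick up the wrong file; it should read `gitlab_initpw.file = ../../../sec/gitlab_initpw.age;`. The `jwsFile` line generates the OIDC signing key with `pkgs.runCommand`, which writes the private key into the world-readable Nix store (and into any binary cache the host pushes to); generating it out of band and referencing it through `age.secrets` like the other secrets, e.g. `jwsFile = sec.gitlab_jws.path;`, keeps it under the same access controls. `databasePasswordFile` and `secrets.dbFile` both resolve to `sec.gitlab_db.path`; if `dbFile` is the column-encryption secret rather than the database password, sharing one value means a database-password rotation also invalidates encrypted data, so a separate secret is presumably intended.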
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 gWMdNg QLS11Q5VVV+CSO3ABvuAjoKrn9Ngr9SfQgUavXcJ2Cc +mpaNeqlJCwq0ZTUwgS6ikaZXAnKPtusRH7UxIGbaZR8 +-> ssh-ed25519 s+NXzQ 5m2L4IfDL86NwPio8QaU7tKUpeyzpn4KKILjSz5aSDU +eVRvK2SnHO3x9hrYQ+8HDbB0EQWf3oKyY+XuLP97dYI +-> ssh-ed25519 yEtzbQ Wehlo8c0ggz4Lo7Rnsb/Forlr1bD2OXXaaffI4BLwnw +UeX3lmyvW/eBBbbDqBR1CSyBSJLnqlCmPyikIPu1bSA +-> ssh-ed25519 RMNffg 0+nJtxu6ZQ/08gHe/BMz5kcr+xtuGKOakqUt8G+vxzM +2Lee87QLUGG3tEqS9Dv7RYJ1rkD1JKs4aHWf23VmzPw +--- UBfkhnuhW71Do8qc1Qi/MiUbHopvnqcDkm9rNOlndIw +K +'Q XJd:}(4zu63 آ۟IG]„B@NP&7< \ No newline at end of file diff --git a/sec/gitlab_pw.age b/sec/gitlab_pw.age new file mode 100644 index 0000000..8bc3ac6 --- /dev/null +++ b/sec/gitlab_pw.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 gWMdNg RnK0NTHFFLDVr3Tprxjxyqmwysj2FQDY90eb4XeKGDc +cjsHyNmm3jl2rE/vrSHj11z99NWKQr74pyE+dDnvwkM +-> ssh-ed25519 s+NXzQ vEo6fgYpEBK7awnuhhCCotp/ZJIXP0Oe+Ubclk3R8Hw +J1OVdLdB9mL/kqbRvyI7I9pA8v3pOa9h4zf01Ex3ahE +-> ssh-ed25519 yEtzbQ 6hueq9fdq0eqzw0DwpnzEnumpqhuFZr3X34cpjMi0RM +8yciNrgnth5jSgzNDQKVcuWwU7FfTaWIUUlYnWq0TRk +-> ssh-ed25519 RMNffg gz+19esQsg57A/CPRwf6zPlzZ2mgoEmc2SwFf1tywn0 +OoMengIceY3hXg77OADBWEVfblVfR6LLQH+65+8YFyU +--- MYfJC2tPFoeGW7r+FykP0ZFDVj+ATtkNKKDmqF7JcCg +.4 Rbj=t"/q+~u, ssh-ed25519 gWMdNg AABvJQahR0CWvdNngKHyV58DtGh3VWKJDIulZpMh8FY +02oHHyrI79V2XPa18KFd3PBqilcfPXFKWcWRIGhAh5E +-> ssh-ed25519 s+NXzQ ChzQaM2slin1U4YuqPxWzERc6f7KlAlUzi+mctCEbgo +LnX9est+vDxHj8RLOeY5OK9MeYntkTE49Ar6Pnw1l1Q +-> ssh-ed25519 yEtzbQ 1hVV52NlaFBTLACj8ZKh3vazmaS7fJWs3rtO7HK9NgM +y2EDkxijP/eVRGRaZjzIB4G9FFJQ8O/XFiKrPZDF7bM +-> ssh-ed25519 RMNffg 8mZ6sxNfhxNalYjkT8mDT1PZKTvp/7p3BUs+lUS2S2o +5E1n+dV04+ZwaJZ/VeUOHKrrL3lBdtlQFiAx/ttwAD0 +--- Sgm5iMT1Uqmb4U4ZTxWyvX40tuivnfDHO/jTPS37i68 +8u>2]}DYBqDFiU