diff --git a/secrets/ntfy.yaml b/secrets/ntfy.yaml
new file mode 100644
index 0000000..a54d147
--- /dev/null
+++ b/secrets/ntfy.yaml
@@ -0,0 +1,24 @@
+ntfy:
+ default:
+ user: ENC[AES256_GCM,data:M9XiXH3/Nr3/3A==,iv:Ealcewpj/GCWU+U6F+7onCfVaraE+f5Wkt63tlitnlQ=,tag:ARwnlFs1VfwcQKlIkeQQeg==,type:str]
+ password: ENC[AES256_GCM,data:56el7+jh6TcI9UzeXZW5aa7cUG9ycd8a2mw=,iv:iYpkWG37dpZ4dEN5zjg4P8On969hWqWcumJ7h5hLmjk=,tag:tlGDQmJ0+xl9yO42FTp19w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOQXV1QXNCZmFFWGJzUXM2
+ TWNvd1ppeUNFMitFK0dUd1UvYmpOeS9xK0RNClAydkMvQm1ZbEJTbUZnVmN1TDJ2
+ NEI3L25FWlExaSt2bWg2ekRxNVZGcGMKLS0tIFVzMXdDMXZWdXZkZ1lrZE5obmMw
+ VW9lVkh5eTkyLzdtK0RScHlhMTBaR28KHyMRxCQe65ZM1v4iB6mgiQxZ84/sEdr0
+ k0tBwcBlgGK/SF6P9GdCVopFHN8os25YEYMNg8kjAh/qs4N2gTXMEQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-05T02:52:58Z"
+ mac: ENC[AES256_GCM,data:CCLd4p+6V4P2ioE2lKoPctbQ9/d/DcS7m895l3+ty48JT0iZMx32gBubn0TGvdjp6x705uSYZySkM2YACFMhkifuLMxeGLGJu1rBfrXO2bYuHDAhni5fLP/XIsC+FlPbHEOXAnYpAO0y1TLBw7xKz8Tjl3yAC0L00LzIS6URir0=,iv:akFHjwnO9gtZ73NMI8pj0J87q5D6U9SiNLzfRfJUE90=,tag:CMNqOnREytCrEo+bh2l1BA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/system/services/ntfy-sh.nix b/system/services/ntfy-sh.nix
index 4c4182a..83961d4 100644
--- a/system/services/ntfy-sh.nix
+++ b/system/services/ntfy-sh.nix
@@ -14,6 +14,31 @@ in ntfy-sh ]; + sops = { + secrets = + let + opts = { sopsFile = ../../secrets/ntfy.yaml; }; + in + { + "ntfy/default/user" = opts; + "ntfy/default/password" = opts; + }; + + templates = + let filename = "ntfy-client.yaml"; in + { + ${filename} = { + content = builtins.readFile ((pkgs.formats.yaml { }).generate filename { + default-host = "https://${domain}"; + default-user = config.sops.placeholder."ntfy/default/user"; + default-password = config.sops.placeholder."ntfy/default/password"; + }); + path = "/etc/ntfy/client.yml"; + owner = config.profile.user.name; + }; + }; + }; + services.ntfy-sh = { enable = true; settings =
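Review bot: The two `config.sops.placeholder` values in the template's `content` are replaced with the real secrets only after the YAML has been serialized, so the user name and password land in `/etc/ntfy/client.yml` as raw text that is not YAML-escaped; a password containing characters such as `#`, `: ` or quotes could produce a file that fails to parse or parses to a different value. A comment beside the template, e.g. `# secrets are substituted textually after YAML generation; keep them free of YAML metacharacters`, would record that constraint for whoever rotates the credentials. Separately, `builtins.readFile` on the output of `(pkgs.formats.yaml { }).generate` forces a build during evaluation (import-from-derivation); if the sops-nix revision in use supports the template `file` option, passing the generated file there would avoid it. Since this file holds credentials and sits under `/etc`, stating `mode` explicitly next to `owner` would also make the intended access visible rather than relying on the module default.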