diff --git a/cluster/services/ipfs/cluster-secret.age b/cluster/secrets/ipfs-clusterSecret.age
similarity index 100%
rename from cluster/services/ipfs/cluster-secret.age
rename to cluster/secrets/ipfs-clusterSecret.age
diff --git a/cluster/services/ipfs/cluster-pinsvc-credentials.age b/cluster/secrets/ipfs-pinningServiceCredentials.age
similarity index 100%
rename from cluster/services/ipfs/cluster-pinsvc-credentials.age
rename to cluster/secrets/ipfs-pinningServiceCredentials.age
diff --git a/cluster/services/ipfs/cluster.nix b/cluster/services/ipfs/cluster.nix
index 2194ec0..f8d06a7 100644
--- a/cluster/services/ipfs/cluster.nix
+++ b/cluster/services/ipfs/cluster.nix
@@ -1,8 +1,9 @@
-{ config, depot, lib, pkgs, ... }:
+{ cluster, config, depot, lib, ... }:
 
 let
   inherit (depot.lib.meta) domain;
   inherit (depot.lib.nginx) vhosts;
+  inherit (cluster.config.services.ipfs) secrets;
   cfg = config.services.ipfs-cluster;
   ipfsCfg = config.services.ipfs;
 
@@ -19,20 +20,12 @@ in {
     incantations = i: [ ];
   };
 
-  age.secrets = {
-    ipfs-cluster-secret.file = ./cluster-secret.age;
-    ipfs-cluster-pinsvc-credentials = {
-      file = ./cluster-pinsvc-credentials.age;
-      owner = cfg.user;
-    };
-  };
-
   services.ipfs-cluster = {
     enable = true;
     consensus = "crdt";
     dataDir = "/srv/storage/ipfs/cluster";
-    secretFile = config.age.secrets.ipfs-cluster-secret.path;
-    pinSvcBasicAuthFile = config.age.secrets.ipfs-cluster-pinsvc-credentials.path;
+    secretFile = secrets.clusterSecret.path;
+    pinSvcBasicAuthFile = secrets.pinningServiceCredentials.path;
     openSwarmPort = true;
     settings = {
       cluster = {
diff --git a/cluster/services/ipfs/default.nix b/cluster/services/ipfs/default.nix
index 2a9914e..c58243f 100644
--- a/cluster/services/ipfs/default.nix
+++ b/cluster/services/ipfs/default.nix
@@ -47,6 +47,17 @@
       io-tweaks = ./io-tweaks.nix;
       remote-api = ./remote-api.nix;
     };
+    secrets = let
+      inherit (config.services.ipfs) nodes;
+    in {
+      clusterSecret = {
+        nodes = nodes.clusterPeer;
+      };
+      pinningServiceCredentials = {
+        nodes = nodes.clusterPeer;
+        owner = "ipfs";
+      };
+    };
   };
 
   monitoring.blackbox.targets.ipfs-gateway = {