diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix
index f2ac00a..20c9e2f 100644
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@@ -32,6 +32,12 @@ in {
     };
   };
 
+  age.secrets.radicale-users = {
+    rekeyFile = config.node.secretsDir + "/radicale-users.age";
+    mode = "440";
+    group = "radicale";
+  };
+
   environment.persistence."/persist".directories = [
     {
       directory = "/var/lib/radicale";
@@ -49,7 +55,7 @@ in {
       };
       auth = {
         type = "htpasswd";
-        htpasswd_filename = "/etc/radicale/users";
+        htpasswd_filename = config.age.secrets.radicale-users.path;
         htpasswd_encryption = "bcrypt";
       };
       storage = {
diff --git a/hosts/ward/secrets/radicale/radicale-users.age b/hosts/ward/secrets/radicale/radicale-users.age
new file mode 100644
index 0000000..dfb3bc7
Binary files /dev/null and b/hosts/ward/secrets/radicale/radicale-users.age differ