diff --git a/hosts/cuallaidh/default.nix b/hosts/cuallaidh/default.nix index 42d6b27..9efb72a 100644 --- a/hosts/cuallaidh/default.nix +++ b/hosts/cuallaidh/default.nix @@ -19,7 +19,6 @@ ../../profiles/nixpkgs-dev.nix ../../profiles/taskserver.nix ../../profiles/tt-rss.nix - ../../secrets/tt-rss.nix ]; deployment.targetHost = "172.105.171.16"; diff --git a/profiles/tt-rss.nix b/profiles/tt-rss.nix index 5d5b624..e846c6f 100644 --- a/profiles/tt-rss.nix +++ b/profiles/tt-rss.nix @@ -5,12 +5,20 @@ lib, ... }: { + age.secrets = { + tt-rss-dbpass = { + file = ../secrets/tt-rss-dbpass.age; + owner = "tt_rss"; + group = "tt_rss"; + mode = "0640"; + }; + }; services.tt-rss = { enable = true; # Enable TT-RSS database = { # Configure the database type = "pgsql"; # Database type - passwordFile = "/run/keys/tt-rss-dbpass"; # Where to find the password + passwordFile = config.age.secrets.tt-rss-dbpass; # Where to find the password }; email = { fromAddress = "news@mcwhirter.io"; # Address for outgoing email @@ -39,16 +47,6 @@ ]; }; - systemd = { - services = { - tt-rss = { - # Ensure tt-rss starts after nixops keys are loaded - after = ["tt-rss-dbpass-key.service"]; - wants = ["tt-rss-dbpass-key.service"]; - }; - }; - }; - services.postgresqlBackup.databases = ["tt_rss"]; services.nginx = { @@ -65,6 +63,4 @@ }; security.acme.certs = {"news.mcwhirter.io".email = "craige@mcwhirter.io";}; - - users.groups.keys.members = ["tt_rss"]; # Required due to NixOps issue #1204 } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 14ece9d..3c17252 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -45,4 +45,5 @@ in { "xander.age".publicKeys = ops ++ systems; "nextcloud-dbpass.age".publicKeys = ops ++ systems; "nextcloud-adminpass.age".publicKeys = ops ++ systems; + "tt-rss-dbpass.age".publicKeys = ops ++ systems; } diff --git a/secrets/tt-rss-dbpass.age b/secrets/tt-rss-dbpass.age new file mode 100644 index 0000000..b478308 --- /dev/null +++ b/secrets/tt-rss-dbpass.age 
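Review bot: `passwordFile = config.age.secrets.tt-rss-dbpass;` in the first hunk of profiles/tt-rss.nix hands the option the whole agenix secret attribute set instead of the location of the decrypted file. agenix exposes that location as the `path` attribute, so the line should read `passwordFile = config.age.secrets.tt-rss-dbpass.path;`. As written it will most likely be rejected at evaluation, because the tt-rss module expects a string path there. In the added `age.secrets` block, owner and group are both `tt_rss` and the service presumably only reads the file, so `mode = "0400";` would be tighter than `"0640"`. The module's argument list and the attribute set opened at `}: {` both extend outside the hunk, so this assumes `config` is among the arguments.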
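Review bot: `"tt-rss-dbpass.age".publicKeys = ops ++ systems;` in secrets/secrets.nix makes every host key in `systems` a recipient of the tt-rss database password, although in this diff only hosts/cuallaidh imports the tt-rss profile. Narrowing the recipients to the operators plus that one host, for example `"tt-rss-dbpass.age".publicKeys = ops ++ [ <cuallaidh-host-key> ];` (a placeholder, since the key bindings are defined above the hunk), would keep a compromise of an unrelated machine from exposing this credential. The encrypted file would have to be re-keyed after the recipient list changes. A comment such as `# tt-rss runs on cuallaidh only` would record why this entry differs from its neighbours.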
@@ -0,0 +1,35 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEZCOVgxUSBsTzdO +clFOUVMzRGlUTkF6eGo2djFOWHhpWkpacG5GbEFXZHNKSHBBREZvCnRvSEVqSUpF +Yk5zNDNkY21jejM1OFNxUTNGMEVtRnliNzZvZndyZnliWFkKLT4gc3NoLWVkMjU1 +MTkgSk00dDZBIFBVV1doL1JrVEY5L1JXRExSQ1o3ZHYvaFF5eFcxcHVERjNHWExW +VGc2Z0kKaitHRHZ0U0hOeUpJTHJaUStKTk9qbHo4aU9nOEJBMytrVUhDM1FNSTZz +dwotPiBzc2gtZWQyNTUxOSA5aEV5RFEgeDB1TmpjTmtzU1F6VjFBNUMxQWcxcFFV +MTA3d0huYlJ0Nk44Ym5Kd2JWMApDcE1GM1pKaW9TWW1Nd1QzclVlNHVDeGowVjhZ +T2F1NXZaUnQ4WWVHbVhZCi0+IHNzaC1lZDI1NTE5IHU3WjNqdyBNVXhYMW1DTXl1 +QmJ0dGN6UDRzb0cxeXdMN21VdzJuekZmOGZwQmIxb1dBCi81ZC9TM3ZOcEdrMVpG +NzFKWlFOeVFkVHk0MVBBNS9ZMlVkK1RML3poZG8KLT4gc3NoLWVkMjU1MTkgV2c5 +M3J3IFRvS0FUUStKdmRXbkRhemdwM2NKSUw3dmtKZkZ3Vk1VbllEZGpVOVVKUjAK +b1dnLzBEZGdSY0V4a05xVzJSYXdCTUdvVm9TL2ZjdGJwQ3lmc01hdEVQcwotPiBz +c2gtZWQyNTUxOSBQeEt3alEgb1ptc1J5ZWFsTEFETFdDbVVvZGhoRzZDaW9JYlE0 +MnFoWHh1bG5aVGxrUQpvWVcwWDBvenZJYjMzUFNBV2kxWjAwa0xjT1gzYWx2K0pq +SlpzYnVqYytjCi0+IHNzaC1lZDI1NTE5IEIzZFhTQSA0K09ISzNlVVY1RzlyMWJU +ZHVRZWV5QmV6WmNmeVMrUnA1MlNjWU83OUhnClI2Z1U0cG1udC9JUGQ2Tk9YZ3Z4 +azB3Mk02U0tPVUZaajJya1F4Q2twdjgKLT4gc3NoLWVkMjU1MTkgUWZwS1ZnIHJF +dDU4RUxiYlNJMUtLdFJDbU1JUzE5R1U0dkIwRE9TdFNwRDh6TWRiMWcKY1pqdFlK +WC9EMFZJUkJxdit0cUJvMU5kNldmQlk2N3BmMnJWbGpGYThsWQotPiBzc2gtZWQy +NTUxOSAwZHBkZ1Ega0ppUFQvLytEQnZ6VEJ0QWZFc1J3R1RUNS9jQ3FSODhhazhn +N3NHUThuQQptYWtKdk9pd00zMkk0VWRXbUZGN0ZnNjBWMUorZkdOaWRjeVFGa3NX +RXdJCi0+IHNzaC1lZDI1NTE5IHVsMGt4USBkWkFXN25SeU1sMWJTVS9Bc0JJdzkw +MVRkekIwaVFCOTB0cVREc2dWSFVFCkNxMmF4Vk01L2N5R0haQ2Z6cjdQdHRzTHEx +VHZKbGpGQ2pZUmRhdVpGTmsKLT4gc3NoLWVkMjU1MTkgWnc1SGt3IEZZV0plaWpJ +bnFqVStFK2dNV25ZYUtRa0Q5RDQwckZQQXlYbEFEaUQ1RWMKekFjNDZRaC9TTHpQ +OEJ6bU5tYXhXTktmMUJsMXRlZ0dUSEthcWVteDU5bwotPiBzc2gtZWQyNTUxOSB6 +RzMrMXcgZ3liVlF5M0pKMVExTzVjWVBjWUFIQjZaUE9ISmJXQUo0ay9HSjEydXdS +Zwo1cFEyMFBCWGd3NnR1Q1ZORnhnMmJWQXkzcDlRQVRnRjJWZUFjd2x4WFVZCi0+ +IDFfTGpoM20tZ3JlYXNlIHFDUzF4Un4KZ0RKV29ZY2UxQ0dFTERGdU1TQk9pWEF2 
+aHVtUUwzd2p6c1dKRzFKekNyTno4Z202Z2RkS2JhdnF2N0tHUWZJWgowalNzN3pE +NzdtQ09zWDRwYzU5b0VaemFUUGljUncKLS0tIHdXNWhtWi83QnQ5bXFNZXp0MFR3 +UkI2TTlMd1lSS0toRnFwYWg1UHUyVmcK4yZHPD4ymOHd8MKfXFnyndhFbZrMdIIl ++nmCeTJWL6oVaf2fXnE39io5AuRD8TkQGpg5VvkJwvPZ +-----END AGE ENCRYPTED FILE-----