diff --git a/configuration.nix b/configuration.nix index 7c70fe6..8f97cbb 100644 --- a/configuration.nix +++ b/configuration.nix @@ -9,6 +9,7 @@ ./modules/matrix.nix ./modules/minecraft.nix ./modules/monitoring.nix + ./modules/secrets-scheme.nix # Impure Secrets ./secrets.nix ]; @@ -56,5 +57,7 @@ zramSwap.enable = true; zramSwap.memoryPercent = 50; - # Secrets handled via ./secrets/secrets.nix import + # Secrets handled via ./secrets.nix importing to config.mySecrets + environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey; + services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth"; } diff --git a/modules/forgejo.nix b/modules/forgejo.nix index 209a804..7ba72a4 100644 --- a/modules/forgejo.nix +++ b/modules/forgejo.nix @@ -14,7 +14,8 @@ }; # You can configure SMTP here using secrets if needed }; - # Secret for DB password set in secrets.nix + # Secret for DB password + settings.database.PASSWORD = config.mySecrets.forgejoDb; }; services.postgresql = { diff --git a/modules/mail.nix b/modules/mail.nix index 124cdfb..874ff35 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -11,7 +11,12 @@ implicit = false; # StartTLS usually on 587 }; }; - # authentication.fallback-admin set in secrets.nix + + authentication.fallback-admin = { + user = "admin"; + secret = config.mySecrets.stalwartAdmin; + }; + # Stalwart configuration is quite extensive. # By default it listens on standard ports (25, 465, 587, 993, 4190) # and provides a web admin UI on 8080. diff --git a/modules/minecraft.nix b/modules/minecraft.nix index 7c1fde1..f4170b9 100644 --- a/modules/minecraft.nix +++ b/modules/minecraft.nix 
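Review bot: `environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey;` writes the auth key into the Nix store, so /etc/secrets/tailscale-auth becomes a symlink to a world-readable store path and the key travels with the system closure (binary caches, remote builders, `nixos-rebuild --target-host`). Since `services.tailscale.authKeyFile` already takes a path, the cleaner shape is to point it at a file placed on the host out-of-band with mode 0600 (by hand or via a secrets tool such as sops-nix or agenix) and drop the `environment.etc` line, e.g. `services.tailscale.authKeyFile = "/var/lib/tailscale/auth-key";`. If the store path is kept deliberately (the commit labels this scheme "Impure Secrets"), the comment above these two lines should say so, e.g. `# NOTE: this key lands in /nix/store (world-readable); rotate it once the node has joined the tailnet`.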
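Review bot: `settings.database.PASSWORD = config.mySecrets.forgejoDb;` renders the database password into the app.ini the NixOS forgejo module generates as a store path, so it is readable by every local account and carried in the system closure. The module's file-based `services.forgejo.secrets.<section>.<key>` option exists for this case (the file is read at service start, not at eval time); if it is available in the nixpkgs release in use, `secrets.database.PASSWD = "/run/secrets/forgejo-db";` with the settings line removed keeps the value out of the store. Separately, please confirm the key name: Forgejo's `[database]` section spells it `PASSWD`, and an unrecognised `PASSWORD` key would presumably be ignored, leaving the DB password unset. The enclosing `services.forgejo` block begins outside the hunk.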
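Review bot: `secret = config.mySecrets.stalwartAdmin;` puts the fallback admin password in clear text into the rendered Stalwart configuration, which the NixOS module writes to the Nix store, so the credential for the admin UI mentioned in the comment below it is world-readable on the host and shipped with the closure. Two mitigations combine well here: store a password hash rather than the plaintext (Stalwart accepts hashed secrets for fallback-admin, if the version in use does), and load it from a root-only file at runtime via the config macro form, e.g. `secret = "%{file:/run/secrets/stalwart-admin}%";`, which keeps the value out of the store entirely — confirm the macro syntax against the deployed Stalwart version. If neither is possible, at minimum add `# NOTE: plaintext admin secret; ends up in /nix/store` above the block. The enclosing settings block begins and ends outside the hunk.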
@@ -24,7 +24,7 @@
 simulation-distance = 10;
 max-players = 5;
 enable-rcon = true;
- # "rcon.password" set in secrets.nix
+ "rcon.password" = config.mySecrets.minecraftRcon;
 };
 jvmOpts = "-Xms2G -Xmx2500M -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
 };
diff --git a/modules/searx.nix b/modules/searx.nix
index 41f0761..695ecee 100644
--- a/modules/searx.nix
+++ b/modules/searx.nix
@@ -3,12 +3,11 @@
 {
 services.searx = {
 enable = true;
- # settings.server.secret_key set in secrets.nix
 settings = {
 server = {
 port = 8082;
 bind_address = "127.0.0.1";
- # secret_key = ...; # Set via env var in file
+ secret_key = config.mySecrets.searxKey;
 };
 };
 };
diff --git a/modules/secrets-scheme.nix b/modules/secrets-scheme.nix
new file mode 100644
index 0000000..c5e5b76
--- /dev/null
+++ b/modules/secrets-scheme.nix
@@ -0,0 +1,28 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ options.mySecrets = {
+ forgejoDb = mkOption {
+ type = types.str;
+ description = "Forgejo Database Password";
+ };
+ stalwartAdmin = mkOption {
+ type = types.str;
+ description = "Stalwart Mail Admin Password";
+ };
+ searxKey = mkOption {
+ type = types.str;
+ description = "Searx Secret Key";
+ };
+ minecraftRcon = mkOption {
+ type = types.str;
+ description = "Minecraft RCON Password";
+ };
+ tailscaleKey = mkOption {
+ type = types.str;
+ description = "Tailscale Auth Key";
+ };
+ };
+}
diff --git a/secrets.nix.example b/secrets.nix.example
index 9721f96..24856c8 100644
--- a/secrets.nix.example
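Review bot: `"rcon.password" = config.mySecrets.minecraftRcon;` makes the RCON password part of the evaluated server properties, and any string interpolated into a Nix derivation lands in the world-readable /nix/store and in the system closure. Together with `enable-rcon = true;` that means anyone who can read the store and reach the RCON port gets console access; the bind address and rcon.port are not set in this hunk, so presumably the Minecraft defaults (all interfaces, 25575) apply — please confirm. If the minecraft module offers no file-based option for this property, consider generating server.properties from a 0600 file in a preStart step, or at least restrict RCON to localhost/the firewall and record the exposure, e.g. `# NOTE: value lands in /nix/store; keep RCON bound to localhost`. The enclosing serverProperties block starts outside the hunk.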
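Review bot: `secret_key = config.mySecrets.searxKey;` is rendered into the settings.yml the NixOS searx module generates, so the application's signing key is stored world-readable in /nix/store. The module's `environmentFile` mechanism exists for exactly this: set `secret_key = "@SEARX_SECRET_KEY@";` here and `services.searx.environmentFile = "/run/secrets/searx.env";` (a root-only file containing `SEARX_SECRET_KEY=...`), and the placeholder is substituted at service start instead of at eval time — confirm the placeholder convention against the module version in use. The removed comment already pointed at the env-var route; the new line drops that hint without replacing the mechanism.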
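Review bot: Every option under `options.mySecrets` is `types.str`, so an assigned value is an ordinary Nix string that is interpolated into store paths wherever it is consumed; the option descriptions should say so, so that nobody assumes the indirection adds protection, e.g. `description = "Forgejo database password. NOTE: plain string; it is written into the world-readable Nix store.";`. For `tailscaleKey`, which this diff only consumes to feed `services.tailscale.authKeyFile`, `types.path` pointing at an out-of-band file would match the consumer and keep the key out of the store. Minor style: file-level `with lib;` is discouraged in nixpkgs modules in favour of `inherit (lib) mkOption types;` so that names stay traceable. Leaving out `default` is good — a missing secrets.nix fails evaluation loudly.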
+++ b/secrets.nix.example @@ -1,25 +1,12 @@ { pkgs, config, lib, ... }: { - # Forgejo - services.forgejo.settings.database.PASSWORD = "changeme_forgejo_db"; - - # Stalwart Mail - services.stalwart.settings.authentication.fallback-admin.secret = "changeme_stalwart_admin"; - - # Searx - services.searx.settings.server.secret_key = "changeme_searx_secret"; - - # Minecraft RCON - services.minecraft-servers.servers.fabric.serverProperties."rcon.password" = "changeme_rcon"; - - # Tailscale Auth Key (needs to be a file for the service usually, or use pre-auth) - # For Tailscale, standard module uses 'authKeyFile'. - # We can create a file in the store for it since this is an impure secrets file anyway. - - # For Tailscale, let's just write valid one-liner to a file via environment.etc if needed, - # or use the 'authKey' option if available (it is not, usually). - # We will stick to environment.etc JUST for Tailscale or file-based secrets. - environment.etc."secrets/tailscale-auth".text = "tskey-auth-PLACEHOLDER"; - services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth"; + # Copy this file to secrets.nix and fill in real values + mySecrets = { + forgejoDb = "changeme_forgejo_db"; + stalwartAdmin = "changeme_stalwart_admin"; + searxKey = "changeme_searx_secret"; + minecraftRcon = "changeme_rcon"; + tailscaleKey = "tskey-auth-PLACEHOLDER"; + }; }
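Review bot: The example's only guidance is `# Copy this file to secrets.nix and fill in real values`, and the old file's comments about the scheme being impure were removed, so a new user has no hint about what happens to these values. Suggested header: `# Copy to secrets.nix (keep it out of git) and fill in real values.` / `# WARNING: these are plain Nix strings; they end up in the world-readable /nix/store and in the system closure.` / `# Prefer file-based options (authKeyFile, environmentFile, forgejo.secrets) for anything sensitive.`. Also confirm `secrets.nix` is listed in .gitignore, which this diff does not show.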