diff --git a/module.nix b/module.nix
index ef5d108..fad860f 100644
--- a/module.nix
+++ b/module.nix
@@ -11,6 +11,27 @@ let
 package = cfg.package;
 qaApi = cfg.apiPackage;
 apiListen = "${cfg.apiListenAddress}:${toString cfg.apiListenPort}";
+ usingDefaultWebhookSecret = cfg.webhookSecretFile == null;
+ webhookSecretPath =
+ if usingDefaultWebhookSecret then config.age.secrets.webhook-secret.path else cfg.webhookSecretFile;
+ usingDefaultTorSecretKey = cfg.tor.onionSecretKeyFile == null;
+ usingDefaultTorPublicKey = cfg.tor.onionPublicKeyFile == null;
+ usingDefaultTorHostname = cfg.tor.onionHostnameFile == null;
+ torOnionSecretKeyPath =
+ if usingDefaultTorSecretKey then
+ config.age.secrets.tor-onion-secret-key.path
+ else
+ cfg.tor.onionSecretKeyFile;
+ torOnionPublicKeyPath =
+ if usingDefaultTorPublicKey then
+ config.age.secrets.tor-onion-public-key.path
+ else
+ cfg.tor.onionPublicKeyFile;
+ torOnionHostnamePath =
+ if usingDefaultTorHostname then
+ config.age.secrets.tor-onion-hostname.path
+ else
+ cfg.tor.onionHostnameFile;
 caddyCommonConfig = ''
 header Cross-Origin-Opener-Policy "same-origin"
 header Cross-Origin-Embedder-Policy "require-corp"
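Review bot: The fallback bindings (`webhookSecretPath` and the three `torOnion*Path` values) reach into `config.age.secrets.*` whenever the matching `*File` option is unset, so a consumer that imports this module without the agenix module gets a bare "attribute 'age' missing" evaluation error instead of a message naming the option to set. A short comment above `usingDefaultWebhookSecret`, e.g. `# Unset *File options fall back to the agenix secrets this module declares; the agenix module must be imported.`, would make that contract visible where it is encoded, and an assertion that the agenix options exist (presumably an `options ? age` check, if `options` is among the module arguments) would turn the failure into a readable one. The `let` block continues past the hunk.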
@@ -133,21 +154,44 @@ in
 };
 webhookSecretFile = lib.mkOption {
- type = lib.types.path;
- description = "File containing the WEBHOOK_SECRET for MTA Hook authentication.";
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ description = "File containing the WEBHOOK_SECRET for MTA Hook authentication. Defaults to the module-managed agenix secret when left unset.";
 };
 };
 config = lib.mkIf cfg.enable {
+ age.secrets.webhook-secret = lib.mkIf usingDefaultWebhookSecret {
+ file = "${self}/secrets/webhook-secret.age";
+ mode = "0400";
+ };
+
+ age.secrets.tor-onion-secret-key = lib.mkIf (cfg.tor.enable && usingDefaultTorSecretKey) {
+ file = "${self}/secrets/tor-onion-secret-key.age";
+ owner = "tor";
+ group = "tor";
+ mode = "0400";
+ };
+
+ age.secrets.tor-onion-public-key = lib.mkIf (cfg.tor.enable && usingDefaultTorPublicKey) {
+ file = "${self}/secrets/tor-onion-public-key.age";
+ owner = "tor";
+ group = "tor";
+ mode = "0444";
+ };
+
+ age.secrets.tor-onion-hostname = lib.mkIf (cfg.tor.enable && usingDefaultTorHostname) {
+ file = "${self}/secrets/tor-onion-hostname.age";
+ owner = "tor";
+ group = "tor";
+ mode = "0444";
+ };
+
 assertions = [
 {
 assertion = !cfg.tor.enable
- || (
- cfg.tor.onionSecretKeyFile != null
- && cfg.tor.onionPublicKeyFile != null
- && cfg.tor.onionHostnameFile != null
- );
+ || (torOnionSecretKeyPath != null && torOnionPublicKeyPath != null && torOnionHostnamePath != null);
 message = "services.jetpham-website.tor requires onionSecretKeyFile, onionPublicKeyFile, and onionHostnameFile.";
 }
 ];
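Review bot: The rewritten assertion at the end of the hunk can no longer fail: each `torOnion*Path` binding falls back to `config.age.secrets.*.path` whenever its option is null, so the three `!= null` checks are always true once `cfg.tor.enable` is set, and the unchanged message still tells the user that the `*File` options are required. Either remove the assertion together with its message, or point it at something that can still go wrong, such as the agenix options being absent, which is what the fallback actually depends on. Separately, `mode = "0444"` on the `tor-onion-public-key` and `tor-onion-hostname` secrets exposes the onion address to every local user, while the only reader visible in this diff is the `tor-onion-keys` oneshot (root-run as far as the diff shows) that re-applies ownership and modes itself, so `mode = "0400"` with the existing `owner = "tor"` would suffice. The `config` attribute set continues past the hunk.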
@@ -176,15 +220,18 @@ in
 systemd.services.tor-onion-keys = lib.mkIf cfg.tor.enable {
 description = "Copy Tor onion keys into place";
+ after = lib.optional (
+ usingDefaultTorSecretKey || usingDefaultTorPublicKey || usingDefaultTorHostname
+ ) "agenix.service";
 before = [ "tor.service" ];
 wantedBy = [ "tor.service" ];
 serviceConfig.Type = "oneshot";
 script = ''
 dir="/var/lib/tor/onion/jetpham-website"
 mkdir -p "$dir"
- cp ${cfg.tor.onionSecretKeyFile} "$dir/hs_ed25519_secret_key"
- cp ${cfg.tor.onionPublicKeyFile} "$dir/hs_ed25519_public_key"
- cp ${cfg.tor.onionHostnameFile} "$dir/hostname"
+ cp ${torOnionSecretKeyPath} "$dir/hs_ed25519_secret_key"
+ cp ${torOnionPublicKeyPath} "$dir/hs_ed25519_public_key"
+ cp ${torOnionHostnamePath} "$dir/hostname"
 chown -R tor:tor "$dir"
 chmod 700 "$dir"
 chmod 400 "$dir/hs_ed25519_secret_key"
@@ -194,8 +241,8 @@ in
 systemd.services.jetpham-qa-api = {
 description = "Jet Pham Q&A API";
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
+ after = [ "network-online.target" ] ++ lib.optional usingDefaultWebhookSecret "agenix.service";
+ wants = [ "network-online.target" ] ++ lib.optional usingDefaultWebhookSecret "agenix.service";
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 DynamicUser = true;
@@ -214,7 +261,7 @@ in
 ReadWritePaths = [ "/var/lib/jetpham-qa" ];
 Restart = "on-failure";
 RestartSec = 5;
- LoadCredential = "webhook-secret:${cfg.webhookSecretFile}";
+ LoadCredential = "webhook-secret:${webhookSecretPath}";
 };
 script = ''
 if [ ! -s "$CREDENTIALS_DIRECTORY/webhook-secret" ]; then
@@ -223,7 +270,7 @@ in
 fi
 export WEBHOOK_SECRET="$(cat "$CREDENTIALS_DIRECTORY/webhook-secret")"
- exec ${lib.getExe qaApi}
+ exec ${qaApi}/bin/jetpham-qa-api
 '';
 };
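Review bot: The new `after = lib.optional (...) "agenix.service"` in `tor-onion-keys` only orders the copy after agenix but does not pull the unit in, whereas the `jetpham-qa-api` hunk further down adds the same entry to both `after` and `wants`; add `wants = lib.optional (usingDefaultTorSecretKey || usingDefaultTorPublicKey || usingDefaultTorHostname) "agenix.service";` beside it so both units behave the same should `agenix.service` not be started by anything else. The three new `cp ${torOnion*Path} ...` lines also interpolate the source paths unquoted, as the removed lines did; quoting them, e.g. `cp "${torOnionSecretKeyPath}" "$dir/hs_ed25519_secret_key"`, costs nothing and keeps a user-supplied path containing whitespace from word-splitting inside the script. The `tor-onion-keys` definition continues past the hunk.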
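Review bot: `exec ${qaApi}/bin/jetpham-qa-api` in the last hunk hard-codes the executable name into a unit whose package comes from the user-settable `cfg.apiPackage`, so an alternative package whose binary is named differently, or one that ships it in a separate `bin` output, now fails at start time where `lib.getExe` would have resolved it from the package's `meta.mainProgram`. If the motivation is a package that lacks `meta.mainProgram`, set that attribute on the package and keep `lib.getExe`; if an explicit name is wanted, `exec ${lib.getExe' qaApi "jetpham-qa-api"}` at least resolves the `bin` output and validates the name. The `jetpham-qa-api` service definition starts outside the hunk.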