diff --git a/configuration/services/battery-manager.nix b/configuration/services/battery-manager.nix
index 0c58c7b..9da7e32 100644
--- a/configuration/services/battery-manager.nix
+++ b/configuration/services/battery-manager.nix
@@ -13,9 +13,4 @@
 log_level = "DEBUG";
 };
 };
-
- sops.secrets = {
- "battery-manager/email" = { };
- "battery-manager/password" = { };
- };
 }
diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix
index 6e01e81..4ba5271 100644
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@@ -179,11 +179,4 @@ in
 systemd.services.coturn.serviceConfig.SupplementaryGroups = [
 config.security.acme.certs."tlater.net".group
 ];
-
- sops.secrets = {
- "turn/env" = { };
- "turn/secret" = {
- owner = "turnserver";
- };
- };
 }
diff --git a/configuration/services/conduit/heisenbridge.nix b/configuration/services/conduit/heisenbridge.nix
index 5441639..f0f7e49 100644
--- a/configuration/services/conduit/heisenbridge.nix
+++ b/configuration/services/conduit/heisenbridge.nix
@@ -75,10 +75,4 @@ in
 # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
 };
 };
-
- sops.secrets = {
- # Accessed via systemd cred through /run/secrets/heisebridge
- "heisenbridge/as-token" = { };
- "heisenbridge/hs-token" = { };
- };
 }
diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix
index c1fec82..6b788b2 100644
--- a/configuration/services/conduit/matrix-hookshot.nix
+++ b/configuration/services/conduit/matrix-hookshot.nix
@@ -163,10 +163,4 @@ in
 metrics.enabled = true;
 };
 };
-
- sops.secrets = {
- # Accessed via systemd cred through /run/secrets/matrix-hookshot
- "matrix-hookshot/as-token" = { };
- "matrix-hookshot/hs-token" = { };
- };
 }
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix
index f4b6956..b30806c 100644
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@@ -67,15 +67,4 @@ in
 };
 };
 };
-
- sops.secrets = {
- "grafana/adminPassword" = {
- owner = "grafana";
- group = "grafana";
- };
- "grafana/secretKey" = {
- owner = "grafana";
- group = "grafana";
- };
- };
 }
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index d02b3a7..f37b8b0 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -96,10 +96,4 @@ in
 victorialogs.targets = [ config.services.victorialogs.bindAddress ];
 };
 };
-
- sops.secrets."forgejo/metrics-token" = {
- owner = "forgejo";
- group = "metrics";
- mode = "0440";
- };
 }
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index ef2a6ac..4af77a9 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -100,9 +100,4 @@ in
 # Ensure that this service doesn't start before postgres is ready
 systemd.services.nextcloud-setup.after = [ "postgresql.service" ];
-
- sops.secrets."nextcloud/tlater" = {
- owner = "nextcloud";
- group = "nextcloud";
- };
 }
diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix
index 609d4c0..f5b23c3 100644
--- a/configuration/services/starbound.nix
+++ b/configuration/services/starbound.nix
@@ -114,7 +114,4 @@ in
 paths = [ "/var/lib/private/starbound/storage/universe/" ];
 pauseServices = [ "starbound.service" ];
 };
-
- # Accessed via systemd cred through /run/secrets/steam
- sops.secrets."steam/tlater" = { };
 }
diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix
index d4ab090..a6b7763 100644
--- a/configuration/services/wireguard.nix
+++ b/configuration/services/wireguard.nix
@@ -62,10 +62,4 @@
 };
 };
 };
-
- sops.secrets."wireguard/server-key" = {
- owner = "root";
- group = "systemd-network";
- mode = "0440";
- };
 }
diff --git a/configuration/sops.nix b/configuration/sops.nix
index ff84452..a5b19f6 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -3,6 +3,41 @@
 defaultSopsFile = ../keys/production.yaml;
 secrets = {
+ "battery-manager/email" = { };
+
+ "battery-manager/password" = { };
+
+ # Gitea
+ "forgejo/metrics-token" = {
+ owner = "forgejo";
+ group = "metrics";
+ mode = "0440";
+ };
+
+ # Grafana
+ "grafana/adminPassword" = {
+ owner = "grafana";
+ group = "grafana";
+ };
+ "grafana/secretKey" = {
+ owner = "grafana";
+ group = "grafana";
+ };
+
+ # Heisenbridge
+ "heisenbridge/as-token" = { };
+ "heisenbridge/hs-token" = { };
+
+ # Matrix-hookshot
+ "matrix-hookshot/as-token" = { };
+ "matrix-hookshot/hs-token" = { };
+
+ # Nextcloud
+ "nextcloud/tlater" = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
 # Restic
 "restic/local-backups" = {
 owner = "root";
@@ -10,13 +45,27 @@
 mode = "0440";
 };
+ # Steam
+ "steam/tlater" = { };
+ # Turn
+ "turn/env" = { };
+ "turn/secret" = {
+ owner = "turnserver";
+ };
 "turn/ssl-key" = {
 owner = "turnserver";
 };
 "turn/ssl-cert" = {
 owner = "turnserver";
 };
+
+ # Wireguard
+ "wireguard/server-key" = {
+ owner = "root";
+ group = "systemd-network";
+ mode = "0440";
+ };
 };
 };
 }
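Review bot: The per-secret consumption notes were dropped in the move rather than carried into this block — the removed heisenbridge, matrix-hookshot and starbound entries each had an `# Accessed via systemd cred through /run/secrets/<name>` line, while here `"heisenbridge/as-token"`, `"matrix-hookshot/as-token"` and `"steam/tlater"` sit under a bare service heading, so a reader checking why these entries set no owner/group (presumably relying on the module's defaults) no longer sees how they reach the service. The `# Gitea` heading above `"forgejo/metrics-token"` also disagrees with the key and its `owner = "forgejo"`; `# Forgejo` would match. With every declaration now living here instead of next to its consumer, a secret keeps being deployed after its service module is removed or disabled; a one-line comment stating that each entry is to be deleted together with its service, or conditioning the entry on that service's enable option where one exists, would keep the two in step. The first hunk of this file ends inside the `secrets` set and the second closes it.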