diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index a41d232..7dfb5cc 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -38,8 +38,13 @@
       supportedFeatures = config.my.nix.features;
     }
   ];
-  sops.secrets."vps/home/private" = lib.mkIf config.my.secureHost {
-    sopsFile = ../../secrets/wireguard.yaml;
+  sops.secrets = {
+    "vps/home/private" = lib.mkIf config.my.secureHost {
+      sopsFile = ../../secrets/wireguard.yaml;
+    };
+    lidarr-mb-gap = lib.mkIf config.my.secureHost {
+      sopsFile = ../../secrets/env.yaml;
+    };
   };
   networking = {
     hostName = "server";
@@ -78,7 +83,7 @@
       enable = true;
       package = inputs.lidarr-mb-gap.packages.${pkgs.system}.lidarr-mb-gap;
       reportDir = "/var/lib/lidarr-mb-gap/reports";
-      envFile = "/var/lib/lidarr-mb-gap/.env";
+      envFile = config.sops.secrets.lidarr-mb-gap.path;
       runInterval = "weekly";
       syncToVPS = false;
       # vpsHost = "user@vps";
diff --git a/secrets/env.yaml b/secrets/env.yaml
index 120911c..a796f70 100644
--- a/secrets/env.yaml
+++ b/secrets/env.yaml
@@ -10,6 +10,7 @@ dns: ENC[AES256_GCM,data:fQN3SOm0HzOjSjTohRAD4KlXdEu5PbQc3DvK3rLC1S4G0G4HUPkgucN
 cloudflare-api: ENC[AES256_GCM,data:iNUMlY8rz5yHVitpK4HGaFSK7j+c8Pm7rOQMOQGmSJ3a8ASyrtouPgLbcnoPY/jalsJYAj991dSiui+Vwqs=,iv:qWONG/KLd9/F4tqrWF5T25Zxst3bk+kOYaOFBFSBAAY=,tag:gRFxar8KS8gnX8oaCD156Q==,type:str]
 synapse: ENC[AES256_GCM,data:IR0pFwQBEM4O8mzzYXrPe2FjulSUGuitzLDLms2uovr6gEU82mCkRO/UCQOybNm03iOQeXX0Whz739kpYSGSInEyx69BNG/etH+bMu+GbYeMdrTEyXHSa7kcH4Ug,iv:Vn2ILYXnCj+Op/E2kWoxV+2ZtlxYJxO6XK3Ql41KW6w=,tag:9wogJFLlmfM5PRgPdwFlcw==,type:str]
 readeck: ENC[AES256_GCM,data:TsIkHLji37dDHQRt78SquBhoSREHDgvgbc6+M1k2MLrgMGJ/Ejfy5AZXCIp/Qj5sXDzKP4j6Y6xFvGLswCqe02XjqGCpX13gZVCFPuKr8Nq051Xg,iv:Rc/pjYP+Vd/DvLCYsfJjDrnAlAiUlZOcNeeYzE6O3UY=,tag:OvR+CXMmrUFbsrHvduhnjA==,type:str]
+lidarr-mb-gap: ENC[AES256_GCM,data:zMr1UJUxqu3BJ2YRZKeIUzcEQRsHM6xeZ9kJ7ElynTD7ay0je+L0i+pyWe3OGwVN/8UUIQnKf42Pr6C4hJSxqwetjG6jQYTUGwTWzvxr/TDr6uhZwG59wLh8e02ymLw0GMJYfkQdZqEWyicHESHNdPmBFx3kByU01/QvOQlFO82/FPTvwpY=,iv:sk57rOrV/lj5f47sF4agZYPScLRiMgtM7iwzmubnZ2Q=,tag:LNl8TK3MswXj6lqBNA9Vqw==,type:str]
 sops:
     age:
         - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
@@ -48,7 +49,7 @@ sops:
             QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb
             9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-02T19:58:54Z"
-    mac: ENC[AES256_GCM,data:xplk6z63m35V1IL/PpvnjNU1+bUrrplGg60SufnGV6307V520Ajo63dKkQ5yMuiGq/JQETc+sdm9GLQrmOflwhl92YwK2+/11MlMp0vMkC91mAJsobLUmNt3WXVml54CiCbvH+c8fH0T0pIaLGK3MxSRFX//hrfLjSCAvwQagsE=,iv:oE6g0WPM4Rf3YrdgkIdE8qWfiWQxbZ62Axa56ZQYWSA=,tag:QMaWvCD3sbHTv1NFctIBZA==,type:str]
+    lastmodified: "2025-11-11T17:47:23Z"
+    mac: ENC[AES256_GCM,data:9wWhkUbU/bNV6erUpQhwza47XLbdC7RIfw1J+bFdKW1DLjokeYr1HacZVw+O3bGDFZqKs9JomfnYLxeZay0VXKLb/e61yETi2lx3/BV3Ghp3Tsglf3Eoy4QokvErqDi3GoT7Hvc2bArq4hlYuZI5yjUU+8xvwMopU9MS1C1Muuw=,iv:WfnngiGiY8pnvZHiGueCkZtnGbF42L7ut+tCs8BMskA=,tag:x81EkcXBIk1bylD/QqXzPg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0