diff --git a/hosts/cube/grafana.nix b/hosts/cube/grafana.nix
index 1c7ac92..9e624e9 100644
--- a/hosts/cube/grafana.nix
+++ b/hosts/cube/grafana.nix
@@ -5,7 +5,7 @@ let
 
   fqdn = "metrics.${domain}";
 in serverSystemConfiguration {
-  age.secrets."cube.mail.password" = {
+  age.secrets."cube.mail.password.grafana" = {
     owner = "grafana";
     group = "grafana";
   };
@@ -33,7 +33,7 @@ in serverSystemConfiguration {
 
     settings.security = {
       admin_email    = "metrics@${domain}";
-      admin_password = "$__file{${config.age.secrets."cube.mail.password".path}}";
+      admin_password = "$__file{${config.age.secrets."cube.mail.password.grafana".path}}";
     };
   };
 
diff --git a/hosts/cube/mail.nix b/hosts/cube/mail.nix
index 73271a5..7c7fc4c 100644
--- a/hosts/cube/mail.nix
+++ b/hosts/cube/mail.nix
@@ -5,10 +5,15 @@ let
 
   fqdn = "mail.${domain}";
 in serverSystemConfiguration {
+  age.secrets."cube.mail.password.dmarc" = {
+    owner = "dmarc-exporter";
+    group = "dmarc-exporter";
+  };
+
   services.prometheus.exporters = {
     dmarc = enabled {
       imap.host         = domain;
-      imap.passwordFile = config.age.secrets."cube.mail.password".path;
+      imap.passwordFile = config.age.secrets."cube.mail.password.dmarc".path;
       imap.username     = "contact@${domain}";
 
       listenAddress = "::";
diff --git a/secrets/cube.mail.password.age b/secrets/cube.mail.password.dmarc.age
similarity index 100%
rename from secrets/cube.mail.password.age
rename to secrets/cube.mail.password.dmarc.age
diff --git a/secrets/cube.mail.password.grafana.age b/secrets/cube.mail.password.grafana.age
new file mode 100644
index 0000000..8be0058
--- /dev/null
+++ b/secrets/cube.mail.password.grafana.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw 9dsCOc/hpTof2yjqGKzAJozjXnc0RPgnv3pNaccmBAQ
+s6+1D/Sn6tuIh3aIbgBHYKTATyGbQKcaKPW+6HvMNFQ
+--- pr1ZimpiaA8RO8Oayn6tHJN+rTGSLxcaddmYWpSiWLs
+"LÜàPœw5¿Û&Ž C"Â\ø¬íòŽTQD¯IZdê¤ìˆV÷Â\d
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f0d3f02..80fc98e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,11 +4,13 @@ rec {
     cube     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkCJeHcD0SIOZ4HkyF6rqUmbvlKhSha3HWMZ0hbIjp rgb@cube";
   };
 
-  "acme.age".publicKeys                     = [ keys.cube ];
-  "cube.rgb.password.hash.age".publicKeys   = [ keys.cube ];
-  "cube.mail.password.age".publicKeys       = [ keys.cube ];
-  "cube.mail.password.hash.age".publicKeys  = [ keys.cube ];
-  "cube.id.age".publicKeys                  = [ keys.rgbcube ];
-  "enka.said.password.hash.age".publicKeys  = [ keys.rgbcube ];
-  "enka.orhan.password.hash.age".publicKeys = [ keys.rgbcube ];
+  "acme.age".publicKeys                       = [ keys.cube ];
+  "cube.id.age".publicKeys                    = [ keys.rgbcube ];
+  "cube.mail.password.dmarc.age".publicKeys   = [ keys.cube ];
+  "cube.mail.password.grafana.age".publicKeys = [ keys.cube ];
+  "cube.mail.password.hash.age".publicKeys    = [ keys.cube ];
+  "cube.nextcloud.password.age".publicKeys    = [ keys.cube ];
+  "cube.rgb.password.hash.age".publicKeys     = [ keys.cube ];
+  "enka.orhan.password.hash.age".publicKeys   = [ keys.rgbcube ];
+  "enka.said.password.hash.age".publicKeys    = [ keys.rgbcube ];
 }