diff --git a/profiles/sops.nix b/profiles/sops.nix
index 65f4381..da0aad5 100644
--- a/profiles/sops.nix
+++ b/profiles/sops.nix
@@ -25,7 +25,5 @@
 # This is the actual specification of the secrets.
 #sops.secrets."myservice/my_subdir/my_secret" = {};
- sops.secrets."acme/certs" = { };
- sops.secrets."nginx/defaultpass" = { };
 }
diff --git a/services/nginx.nix b/services/nginx.nix
index 318be26..b59c923 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -19,6 +19,13 @@
 users.users.nginx.extraGroups = [ "acme" ];
 users.users.root.extraGroups = [ "acme" ];
+ #declare secrets
+ sops.secrets."acme/certs" = { };
+ sops.secrets."nginx/defaultpass" = {
+ restartUnits = [ "nginx.service" ];
+ owner = "nginx";
+ };
+
 #TODO add oauth2 proxy to auth
 # services.oauth2_proxy = {
 # enable = true;
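Review bot: In the services/nginx.nix hunk, `sops.secrets."acme/certs"` is declared with an empty attribute set, so it gets the sops-nix defaults (owner root, mode 0400) and, unlike `nginx/defaultpass` just below it, no `restartUnits`. The context lines above add nginx and root to the acme group, which suggests a consumer that relies on that group; if so, it cannot read the decrypted file, and a rotated value is not picked up until the consuming unit is restarted by hand. If a non-root reader is intended, state the access explicitly, e.g. `sops.secrets."acme/certs" = { group = "acme"; mode = "0440"; };`, and list the consuming unit in `restartUnits`; otherwise replace `#declare secrets` with a comment naming the unit that reads each secret. The enclosing attribute set starts and ends outside the hunk, so the consumers of both secrets are not visible here.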