diff --git a/secrets/etna/reposiliteDbPass.age b/secrets/etna/reposiliteDbPass.age
new file mode 100644
index 0000000..3445fb2
--- /dev/null
+++ b/secrets/etna/reposiliteDbPass.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUenluTmJ0VkdTYUZUT2s5
+bjAvQjhWQUFDTWZDL0c1NWNqZERxSVlhSGxJCmR4ZXdiVDQ4MVdTNThXWXN0QTd5
+UFl5RTMyc21oQmZ5cUkxVXhxT056QzAKLT4gWDI1NTE5IDI4M3VBeTFLaHZLcTZ1
+VWtDOUdCY1ZwUk5XR3czUFZZYnpYcmRiSUhBd1EKUWkxY1hPU0VRRCs3ZG9mWkE4
+UnAzMzNTZkJKaDRSQmNEMXdTQjNGY1NLSQotPiBYMjU1MTkgVmhOUHZyRE5EczdF
+bVRtbE0wVERVeGVGNGRaU1dSUkh5aVJVRVlTY01YSQpoL2s2eEpPR1lUM0FpaDRo
+OUtiSUNtcEtVOXE5QVNsc1BndkUwbUJjWE1FCi0+IFgyNTUxOSBHeFJDMXo2Y2g5
+VWtaMnJpb3Y4YmRxTVFVdm0xNU5VTjlDWlRXcndpU1hzClBtcWZZbllCbW9EUU1v
+N09aTnFPeTIzR0J0aXE3YWFZakZ6Y2NUQjVoNWcKLS0tIEQvR2Vzakd6NGFibjlI
+VmVtVTBPU0l4MzBDSGxSbWg0N3kraXl6cnNieWsKOy2KVj5C71fPafzkkWi0mi9C
+VzcpLOocxgfp9/gDxppG870fm9V9i+IVpmxsQeM50rvTrFDF5WrmUNf4hYIUOQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 1a8f944..2b398e0 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -43,6 +43,7 @@ in
   "etna/upsdUserPass.age".publicKeys = main ++ [ etna ];
   "etna/cobaltTokens.age".publicKeys = main ++ [ etna ];
   "etna/slskdEnv.age".publicKeys = main ++ [ etna ];
+  "etna/reposiliteDbPass.age".publicKeys = main ++ [ etna ];
 
   "vesuvio/gatusEnv.age".publicKeys = main ++ [ vesuvio ];
   "vesuvio/maddyEnv.age".publicKeys = main ++ [ vesuvio ];
diff --git a/systems/etna/reposilite.nix b/systems/etna/reposilite.nix
index 72aa2c9..13dbd75 100644
--- a/systems/etna/reposilite.nix
+++ b/systems/etna/reposilite.nix
@@ -1,12 +1,29 @@
-{ camasca, ... }:
 {
-  imports = [ camasca.nixosModules.reposilite ];
+  config,
+  camasca,
+  _utils,
+  ...
+}:
+let
+  dbPass = _utils.setupSingleSecret config "reposiliteDbPass" {
+    owner = "reposilite";
+    group = "reposilite";
+  };
+in
+{
+  imports = [
+    camasca.nixosModules.reposilite
+    dbPass.generate
+  ];
 
   cfTunnels."maven.uku3lig.net" = "http://localhost:8080";
 
   services.reposilite = {
     enable = true;
-    database.type = "sqlite";
     settings.port = 8080;
+    database = {
+      type = "postgresql";
+      passwordFile = dbPass.path;
+    };
   };
 }