diff --git a/secrets/etna/cobaltTokens.age b/secrets/etna/cobaltTokens.age
new file mode 100644
index 0000000..df836b4
--- /dev/null
+++ b/secrets/etna/cobaltTokens.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTXVmYUVDZC90NzIxdUZk
+aE5Vb2FsZXJadk5YY2tuV2lvNW5uWGJSUXcwCkUxQkRQU3BGN0JkVVVEdEdMQXcy
+aFh4emtxSjFjK0M1TmQ2OW1EcXBlNE0KLT4gWDI1NTE5IEd4OHVhcmtVMitaRUVs
+SHVDN0dpbzM5Skt4cmtnT1Z2L1gxalpJck9KR1kKNkx0dVc3RHhIZERPTE5oVzFV
+NzhFSXBmbEt0cWh0OTNQNE85VVpnVnFNawotPiBYMjU1MTkgOGpKWFg3ck1ENzB4
+SHBkeURkaE9jcGFJSWN2QjJSQTlod01aUHl6UUxHSQpJUWJ4cjJ0OTdQdUw3TGls
+RmtNSEw3UGhiOWRXZnFYQytCK3QwcmZFaFBBCi0+IFgyNTUxOSBzd3F5dU5TVkZN
+NmRyWWVNeU1LRFdnL0NiUGJPOHZyWXZCODhUK201d3hNClR3TTAzSHZ4REdLZkxo
+SVZZeTBnQS9tNjlhQzAzRGcyVndzMEU1dHpHNGMKLS0tIEJPQjRvYU5HckhieTFy
+ZWw0MENGV0dUSDZ6b2F5MEFxYzV5S3ExM1hycTQKHWh2QjrHIxM6QCq9vIiXw/KX
+Td1VG2OTZvAD/vYo5EwDGs6w4vM82hlIc1FYbW2nrp+YkhT+47Kxzoq5bGCb96U0
+t867urC9eoJLV9d9Kt1g9PKCMJVh/9/BBaMsTMFqGquIZMfRHlmD+ZquJUw=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d92b862..32c3e24 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -40,4 +40,5 @@ in
   "etna/vaultwardenEnv.age".publicKeys = main ++ [ etna ];
   "etna/vmauthEnv.age".publicKeys = main ++ [ etna ];
   "etna/upsdUserPass.age".publicKeys = main ++ [ etna ];
+  "etna/cobaltTokens.age".publicKeys = main ++ [ etna ];
 }
diff --git a/systems/etna/cobalt.nix b/systems/etna/cobalt.nix
new file mode 100644
index 0000000..94d1619
--- /dev/null
+++ b/systems/etna/cobalt.nix
@@ -0,0 +1,21 @@
+{ config, _utils, ... }:
+let
+  tokens = _utils.setupSingleSecret config "cobaltTokens" { };
+in
+{
+  imports = [ tokens.generate ];
+
+  cfTunnels."cobalt.uku3lig.net" = "http://localhost:9000";
+
+  virtualisation.oci-containers.containers.cobalt = {
+    image = "ghcr.io/imputnet/cobalt:10";
+    user = "root:root";
+    ports = [ "9000:9000/tcp" ];
+    volumes = [ "${tokens.path}:/keys.json:ro" ];
+    environment = {
+      API_URL = "https://cobalt.uku3lig.net";
+      API_AUTH_REQUIRED = "1";
+      API_KEY_URL = "file:///keys.json";
+    };
+  };
+}
diff --git a/systems/etna/default.nix b/systems/etna/default.nix
index db583cc..2a51dbd 100644
--- a/systems/etna/default.nix
+++ b/systems/etna/default.nix
@@ -28,6 +28,7 @@ in
     secrets.generate
     cfTunnelSecret.generate
 
+    ./cobalt.nix
     ./dendrite.nix
     ./forgejo.nix
     ./immich.nix