diff --git a/installations/applications/helmfile.yaml b/installations/applications/helmfile.yaml
index 373333e..c8a97aa 100644
--- a/installations/applications/helmfile.yaml
+++ b/installations/applications/helmfile.yaml
@@ -84,6 +84,7 @@ releases:
     namespace: applications
     inherit:
       - template: default-env-values
+      - template: default-env-secrets
       - template: ext-tcp-routes
   - name: shadowsocks-libev
     #- name: vaultwardentest
diff --git a/values/badhouseplants/secrets.stalwart.yaml b/values/badhouseplants/secrets.stalwart.yaml
new file mode 100644
index 0000000..21a5046
--- /dev/null
+++ b/values/badhouseplants/secrets.stalwart.yaml
@@ -0,0 +1,24 @@
+env:
+  secrets:
+    data:
+      SW_ADMIN_SECRET: ENC[AES256_GCM,data:Cbeqg1J5J4oSmXhiWRX0jiEgflrI7MVRiLmFlM5dQAqAfO/IoruZsqfYtKZjxsPGhKA=,iv:+IKV2jW69cnZo1gCGWyf8hZDh2wvBAkcOJ1xEm6pBM4=,tag:So7bqtKscDOnKhCz+AOsCw==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUHVRdFA0UTZCVitsYzFq
+        a2JhaUR2ODkydmN3ck1wc1h0UTRXMmI2eVUwCkd2bk9TWVFlUEdhcGk4RUFmVHZp
+        djJsOU1vanEySkpVMVN6SWF4OWd6MzQKLS0tIDJZcWxVeWJtOE1LNFZDZk5ZSEl5
+        eUhLTUwvUysyYnhSMzRhanMyT3BPam8KkK4cWHKEGGSnva0t6XjmVY9uoc8gHX+Y
+        CdixG+aPhhimSx64DsZiE01ZGnT7iL1OC/W3umGWZv3OO0IAEXo3NQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-13T03:42:42Z"
+  mac: ENC[AES256_GCM,data:R8Uq4puFFIG5/snx/pgFLbYX+uqFZoVQOyn3Iw1Vh7vRX1QkG0njFMp3sbHTMfXqvoRPuXNJNK88jA+e0P04BzfbKqj9O+biP+AksRsS+5uGIeNtZXWzFOwFl5+Fv/RLvPY08+stE09ChUVZzJSe+l2ed7OSs8FXtJrJAXrSSh8=,iv:elp8yKU2AUjIIa4b2sZm0VJbO+qg//+SjGMvm9dMNbc=,tag:k79lBuL4Pa6+P35kLeeoQA==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0
diff --git a/values/badhouseplants/values.stalwart.yaml b/values/badhouseplants/values.stalwart.yaml
index a831d2e..46234f7 100644
--- a/values/badhouseplants/values.stalwart.yaml
+++ b/values/badhouseplants/values.stalwart.yaml
@@ -21,7 +21,6 @@ workload:
       args:
         - -c
         - cp /app/config/config.toml /app/etc/config.toml
-         
   containers:
     stalwart:
       args:
@@ -38,15 +37,15 @@ workload:
             path: /app/logs
           etc:
             path: /app/etc
-
+      envFrom:
+        - secrets
 storage:
   data:
     enabled: true
-    storageClassName: default
+    storageClassName: ceph-filesystem
     size: 1Gi
     accessModes:
       - ReadWriteMany
-
 extraVolumes:
   certs:
     secret:
@@ -64,7 +63,6 @@ ingress:
       kubernetes.io/ingress.global-static-ip-name: ""
       kubernetes.io/tls-acme: "true"
       traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
-
 traefik:
   enabled: true
   tcpRoutes:
@@ -98,11 +96,6 @@ traefik:
       service: stalwart-pop3s
       entrypoint: pop3s
       port: 995
-
-storage:
-  data:
-    storageClassName: ceph-filesystem
-
 files:
   config:
     enabled: true
@@ -115,38 +108,38 @@ files:
           [server.listener."smtp"]
           bind = ["[::]:25"]
           protocol = "smtp"
-          
+
           [server.listener."submission"]
           bind = ["[::]:587"]
           protocol = "smtp"
-          
+
           [server.listener."submissions"]
           bind = ["[::]:465"]
           protocol = "smtp"
           tls.implicit = true
-          
+
           [server.listener."imap"]
           bind = ["[::]:143"]
           protocol = "imap"
-          
+
           [server.listener."imaptls"]
           bind = ["[::]:993"]
           protocol = "imap"
           tls.implicit = true
-          
+
           [server.listener.pop3]
           bind = "[::]:110"
           protocol = "pop3"
-          
+
           [server.listener.pop3s]
           bind = "[::]:995"
           protocol = "pop3"
           tls.implicit = true
-          
+
           [server.listener."sieve"]
           bind = ["[::]:4190"]
           protocol = "managesieve"
-          
+
           [server.listener."https"]
           protocol = "https"
           bind = ["[::]:443"]
@@ -155,43 +148,43 @@ files:
           [server.listener."http"]
           bind = "[::]:8080"
           protocol = "http"
-          
+
           [storage]
           data = "rocksdb"
           fts = "rocksdb"
           blob = "rocksdb"
           lookup = "rocksdb"
           directory = "internal"
-          
+
           [store."rocksdb"]
           type = "rocksdb"
           path = "/app/data"
           compression = "lz4"
-          
+
           [directory."internal"]
           type = "internal"
           store = "rocksdb"
-          
+
           [tracer."stdout"]
           type = "stdout"
           level = "info"
           ansi = false
           enable = true
-          
-          #[server.run-as]
-          #user = "stalwart-mail"
-          #group = "stalwart-mail"
-          
+
           [authentication.fallback-admin]
-          user = "admin"
-          secret = 'R@ndomToken$tring'
-          
+          user = "overlord"
+          secret = "%{env:SW_ADMIN_SECRET}%"
+
           [tracer.console]
           type = "console"
           level = "info"
           ansi = true
           enable = true
-          
+
           [certificate."default"]
           cert = "%{file:/app/certs/tls.crt}%"
           private-key = "%{file:/app/certs/tls.key}%"
+env:
+  secrets:
+    enabled: true
+    sensitive: true