diff --git a/.gitignore b/.gitignore
index f8d8cdd0..81411916 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
 result
-/secrets/*
-!/secrets/readme.md
+/secrets/local.nix
diff --git a/flake.nix b/flake.nix
index e68788df..6f57e148 100644
--- a/flake.nix
+++ b/flake.nix
@@ -48,7 +48,7 @@
 
     decl-machine = { name, system, extraModules ? [], basePkgs ? nixpkgs }: (basePkgs.lib.nixosSystem {
         inherit system;
-        specialArgs = { inherit home-manager; inherit nurpkgs; secrets = import ./secrets.nix ;};
+        specialArgs = { inherit home-manager; inherit nurpkgs; secrets = import ./secrets/default.nix; };
         modules = [
           ./configuration.nix
           ./modules
diff --git a/secrets.nix b/secrets/default.nix
similarity index 97%
rename from secrets.nix
rename to secrets/default.nix
index d5435876..892b3317 100644
--- a/secrets.nix
+++ b/secrets/default.nix
@@ -19,4 +19,4 @@
   pleroma.vapid_public_key = "<REPLACEME>";
   pleroma.vapid_private_key = "<REPLACEME>";
   pleroma.joken_default_signer = "<REPLACEME>";
-}
+} // import ./local.nix
diff --git a/secrets/local.nix b/secrets/local.nix
new file mode 100644
index 00000000..44170155
--- /dev/null
+++ b/secrets/local.nix
@@ -0,0 +1,3 @@
+{
+  # populate secrets on a per-machine basis below (and don't push changes to this file to git)
+}