diff --git a/secrets/common.yaml b/secrets/common.yaml
index e2fb49a..a9a57e6 100644
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -19,6 +19,8 @@ matrix:
 signingKey: ENC[AES256_GCM,data:DdTsNPxrma6o/1BgsZlk/E6hDewNnU8AbukKR65U1b4WvS+YF3ffCRqYU7i1AMpbgUgf43H5bhlUTw==,iv:uTdZ5Rqf1/XCusoICInGp25CFDIanUzbl23K22ASDmI=,tag:vO7KGumD5slZrDCx134oCQ==,type:str]
 turn:
 authSecret: ENC[AES256_GCM,data:MjeCwd8CTugY5SccIOPMhGPwSurPiWnqlxmAVlMxSAWDMtngFwmyCl97ixW8BRMYTZy2iaml2AGlWrDyV42JgsFhvohYx/H3bsWFgKC2pO+PxHtC0syYKiuRWj2V8+mIb8wcsr//2L7O9gCTKBnyrwYbv8hG8J3SLfHqFDCBhX5dyzKCht6wjnhJOU3ZXN+foZHCyapOEqoY75K4oeVJxsWRCI9T/VPhuiH3QyosjTiyNBXYhz8UWYG+tpuh4AY7IPmHYeof04BqiuojjjTjaSuy+2v2QHVR2RSDJ6kCb4QkqwwsoGaDujm3el4xnduzRwLh60yZeNPFscKIylHi6A==,iv:Hq6yM3iurnj2TVjyvQb6iaUD+MRjas3bTFkht/mZ2Iw=,tag:YeR2fdglcdRKNgMZizGgOg==,type:str]
+searxng:
+ secretKey: ENC[AES256_GCM,data:GTp13sKrjVndBm5L8sT6Yio+a3j5s5odH7xkuku9sXj0N7Nlju1k3rXsljZ8jpZSWOxGqJ+4xl6zilmKl5B7ib20E5tAGie2Fwmxr2UUJiM4w9w/hpM0p81AZxc8qrKQe98jxwlrYIaS0E3aXmQgq5JeAQ7NaGvLaSTCGbctgtU=,iv:nFSF6jmjFyRTrxH90fS7nPl1z0E57AvCgo5dbpHnPPk=,tag:fk5KPqGanjRAdH+54PsK+w==,type:str]
 remote-build:
 publicKey: ENC[AES256_GCM,data:NxHuASqi56IftFCJKLjw1mbTedT87T05frAdM8HEEHPDcxC5pkcf+KTiNFTZHlfaI4/ZHI86LowK1PsHaS9CDOflwY4R8x6nT+Ysz0ff0udXzfrWR9qknHBWbvUEowunCU+/,iv:3j5TrIi0Rej6VYb7lRsPTxL+jHCqvvPMKptQ9r+vm2Q=,tag:84n/Sc5KOiZ49EZW8Ya9nA==,type:str]
 privateKey: ENC[AES256_GCM,data:bLE+T+s0b/+TqNUpDZ2kTYQwDlflCGeFhqsuq6Mc/og7TFn4JRfFxCR0B0glvbuMJs4GM/v+IERIRUNolVmg3u1Sqc6mmWXM5pKlba3NXsZW/MxzOeLgsiUQFnhEyo1rEmAqNr0CQH1fTbiOiBYLxEpnAvz2Swggd7wXUDhM5NrlQeVUSnsyET12Nc/WH7K5YRyIEa/KjIvjo3DWPzUuWcqwQ39f7j17uutjwdfirAsojakmW/jfd/SI7/9oqC5MI5Uwnk4DqmNGviO1SHRHQQ9cGlA5WYVw3kIzW8faEaygbKxbzJYTpoO3jljZKEn/Xakj6rpmCeKKGbKB7JoZbMI2ye3GSj/W77kYLj6QaMuDBy7BqLo6CytFKTUl+QxmXkOWngzLDA8VhKzZVIRIjIQTB5d+82f77ztXLvPkq7AOEOhd9ySRZHC23yPPjLpzl+BcmxLSDzNrTah2LcfaNAUptN3VvgHcl3uNjKRdTj9aJ4ERXeExVjDqsIKRczg0mklYwGbjQNtqCfu68Z61oX3C57LiIwa2ByTp,iv:HuCYE3EwVJbc6a6VB9liWMAKZvk6Wbs6S2hrNj2SseQ=,tag:KPP3KWtF6jZ7D18Bx3PXrA==,type:str]
@@ -81,7 +83,7 @@ sops:
 eXNxVEZzUW5lR0dqaUhMTWJmcWJNUHMKXZuzo97FE43+c+KcxibO9bcFA+4omTjB
 LQUFFMxenelJ1MWawmUhCeJ13rKjk3EEeTbEav14EF1WzYd4bZgbZQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-01T15:24:24Z"
- mac: ENC[AES256_GCM,data:oeeZ+KgndGH/hIcUQcdgN6JEFXmXh5BggWgTRhnlmFS3C3IN5so5y2bg7IgOGz8BE9TZbi5/y20EQGTXjuvG0zDA8eDktgps5rzap/ZzVCVUsNthG6X6YKAtzpSEZY+xKUf0ubCSEz3LtcWkGJkFJjZDor3GSfSkEax9+ml2V0w=,iv:5GpY2egRT2zxzaR5ywAhegcCJdk8gDTOXQF2+aj2X+I=,tag:EIBtEQ3SoSnikuP2SjGCgA==,type:str]
+ lastmodified: "2026-04-12T15:41:05Z"
+ mac: ENC[AES256_GCM,data:SSUVwVduh7Kk0SlGPTFivwfonFkRB2pfGr7D45wFHpTuViRvc4pD5lbAjsytEY26IMJE8N8hZCHuUQpdEzAVDx0j71rX7ak6bhxCu6gTMntmUzvW+J3BSTtr5/FU/X7AbQxAiotv4Th3dH6oChraTrE0LQ1QXlpRpH5Y8pedLfQ=,iv:6GIo40HYxfRMxSc5upcDQCOfH/eHTOk+gfYstQEPTpU=,tag:QwEOOMzJLOt5TuSAAzQtJA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.2
diff --git a/services/searxng/default.nix b/services/searxng/default.nix
index 16b18a3..630c5da 100644
--- a/services/searxng/default.nix
+++ b/services/searxng/default.nix
@@ -3,5 +3,6 @@
 ./network.nix
 ./options.nix
 ./service.nix
+ ./secrets.nix
 ];
 }
diff --git a/services/searxng/secrets.nix b/services/searxng/secrets.nix
new file mode 100644
index 0000000..93e1e6e
--- /dev/null
+++ b/services/searxng/secrets.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.machine.searxng;
+in
+with lib;
+mkIf cfg.enable {
+ sops.secrets = {
+ "searxng/secretKey" = {
+ sopsFile = ./../../secrets/common.yaml;
+ owner = config.users.users.matrix-synapse.name;
+ inherit (config.users.users.matrix-synapse) group;
+ };
+ };
+ sops.templates.searxng-env = {
+ owner = config.users.users.matrix-synapse.name;
+ inherit (config.users.users.matrix-synapse) group;
+ restartUnits = [ "matrix-synapse.service" ];
+ content = ''
+ SEARXNG_SECRET_KEY=${config.sops.placeholder."searxng/secretKey"};
+ '';
+ };
+}
diff --git a/services/searxng/service.nix b/services/searxng/service.nix
index 2dd2178..0ab8fe9 100644
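Review bot: In the new services/searxng/secrets.nix, both `sops.secrets."searxng/secretKey"` and `sops.templates.searxng-env` are owned by `config.users.users.matrix-synapse` and the template's `restartUnits = [ "matrix-synapse.service" ];`, although nothing here is Matrix-related; this reads like a copy from the Synapse secrets module. The effect is that the Synapse service account is granted read access to a key it has no use for, while the unit that actually consumes the environment file (presumably the searx unit created by `services.searx`) is not restarted when the key rotates. The owner/group lines should name the searx account instead, e.g. `owner = config.users.users.searx.name;` with `inherit (config.users.users.searx) group;` in both attribute sets, and `restartUnits = [ "searx.service" ];`. The template line `SEARXNG_SECRET_KEY=${config.sops.placeholder."searxng/secretKey"};` also ends in `;` inside the environment-file text, so the semicolon will most likely become part of the key's value; drop it.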
--- a/services/searxng/service.nix
+++ b/services/searxng/service.nix
@@ -12,6 +12,8 @@ mkIf cfg.enable { services.searx = { enable = true; redisCreateLocally = true; + domain = cfg.domain; + environmentFile = config.sops.secrets.searx.path; # Rate limiting limiterSettings = {
@@ -65,7 +67,8 @@ mkIf cfg.enable {
 # Server configuration
 server = {
 base_url = if cfg.domain != null then "https://${cfg.domain}" else null end;
- port = cfg.port;
+ secret_key = "@SEARXNG_SECRET_KEY@";
+ inherit (cfg) port;
 bind_address = "127.0.0.1";
 limiter = true;
 public_instance = true;
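Review bot: `environmentFile = config.sops.secrets.searx.path;` in the first hunk references a sops secret named `searx` that this commit never declares; the secret added in secrets.nix is `sops.secrets."searxng/secretKey"` and the rendered `SEARXNG_SECRET_KEY=...` file is `sops.templates.searxng-env`, so evaluation should fail on the missing attribute, and even if a `searx` secret existed elsewhere it would presumably hold a bare key rather than the variable line that `secret_key = "@SEARXNG_SECRET_KEY@";` in the second hunk relies on. The line should be `environmentFile = config.sops.templates.searxng-env.path;`. Separately, the unchanged context line `base_url = if cfg.domain != null then "https://${cfg.domain}" else null end;` ends in `end`, which is not Nix syntax; it predates this commit, but it is worth confirming the file evaluates as shown. Both hunks lie inside the `mkIf cfg.enable { ... }` attribute set, whose start and end are outside the hunks.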