diff --git a/secrets/miniflux.age b/secrets/miniflux/admin.age
similarity index 100%
rename from secrets/miniflux.age
rename to secrets/miniflux/admin.age
diff --git a/secrets/authelia/oidc-miniflux.age b/secrets/miniflux/oidc.age
similarity index 100%
rename from secrets/authelia/oidc-miniflux.age
rename to secrets/miniflux/oidc.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4bd3fd1..731713f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,6 +22,7 @@ in {
 "etebase-server.age".publicKeys = [ felschr home-pc home-server ];
 "calibre-web/htpasswd.age".publicKeys = [ felschr home-pc home-server ];
 "miniflux.age".publicKeys = [ felschr home-pc home-server ];
+ "miniflux-oidc.age".publicKeys = [ felschr home-pc home-server ];
 "paperless.age".publicKeys = [ felschr home-pc home-server ];
 "nextcloud/admin.age".publicKeys = [ felschr home-pc home-server ];
 "immich/.env.age".publicKeys = [ felschr home-pc home-server ];
@@ -38,7 +39,6 @@ in {
 "authelia/storage.age".publicKeys = [ felschr home-server ];
 "authelia/oidc-hmac.age".publicKeys = [ felschr home-server ];
 "authelia/oidc-issuer.age".publicKeys = [ felschr home-server ];
- "authelia/oidc-miniflux.age".publicKeys = [ felschr home-server ];
 "hass/secrets.age".publicKeys = [ felschr home-server ];
 "esphome/password.age".publicKeys = [ felschr home-server ];
 "focalboard/.env.age".publicKeys = [ felschr home-server ];
diff --git a/services/authelia.nix b/services/authelia.nix
index f5d8000..4dde322 100644
--- a/services/authelia.nix
+++ b/services/authelia.nix
@@ -29,11 +29,6 @@ in {
 owner = cfg.user;
 };
 
- age.secrets.authelia-oidc-miniflux = {
- file = ../secrets/authelia/oidc-miniflux.age;
- owner = cfg.user;
- };
-
 services.authelia.instances.main = {
 enable = true;
 secrets = {
diff --git a/services/miniflux.nix b/services/miniflux.nix
index a2d6d21..2e6d6e6 100644
--- a/services/miniflux.nix
+++ b/services/miniflux.nix
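Review bot: The added rule `"miniflux-oidc.age".publicKeys = [ felschr home-pc home-server ];` widens the recipients of the OIDC client secret to include `home-pc`, whereas the removed `authelia/oidc-miniflux.age` rule limited it to `felschr home-server`; unless home-pc also runs miniflux, it has no need to decrypt this secret, and keeping the recipient set minimal is what bounds the damage if one host key leaks. The rule names also do not match the files this same commit renames to `secrets/miniflux/admin.age` and `secrets/miniflux/oidc.age` — the neighbouring entries (`calibre-web/htpasswd.age`, `nextcloud/admin.age`) use subdirectory paths, so presumably these should read `"miniflux/admin.age".publicKeys = [ felschr home-pc home-server ];` and `"miniflux/oidc.age".publicKeys = [ felschr home-server ];`, otherwise agenix has no rule for the renamed files and the retained `miniflux.age` rule points at a file that no longer exists. The enclosing attribute set starts and ends outside the hunk.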
@@ -4,7 +4,12 @@ let
 domain = "news.felschr.com";
 port = 8002;
 in {
- age.secrets.miniflux.file = ../secrets/miniflux.age;
+ age.secrets.miniflux.file = ../secrets/miniflux/admin.age;
+ age.secrets.miniflux-oidc = {
+ file = ../secrets/miniflux/oidc.age;
+ group = "miniflux-secrets";
+ mode = "440";
+ };
 
 services.miniflux = {
 enable = true;
@@ -14,14 +19,16 @@ in {
 BASE_URL = "https://${domain}";
 OAUTH2_PROVIDER = "oidc";
 OAUTH2_CLIENT_ID = "miniflux";
- OAUTH2_CLIENT_SECRET_FILE =
- config.age.secrets.authelia-oidc-miniflux.path;
+ OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux-oidc.path;
 OAUTH2_REDIRECT_URL = "https://news.felschr.com/oauth2/oidc/callback";
 OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.felschr.com";
 OAUTH2_USER_CREATION = "1";
 };
 };
 
+ systemd.services.miniflux.serviceConfig.SupplementaryGroups =
+ [ "miniflux-secrets" ];
+
 services.nginx = {
 virtualHosts."news.felschr.com" = {
 enableACME = true;
@@ -29,4 +36,6 @@ in {
 locations."/".proxyPass = "http://localhost:${toString port}";
 };
 };
+
+ users.groups.miniflux-secrets = { };
 }
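Review bot: `age.secrets.miniflux-oidc` sets `group` and `mode = "440"` but no `owner`, so the decrypted file is presumably root-owned (agenix default) and group-readable by `miniflux-secrets` only — a sound least-privilege shape, but it silently differs from `age.secrets.miniflux`, which keeps the root-only defaults, and nothing in the hunk says why. A why-comment above the block would stop a later "cleanup" from making both secrets world- or service-owned: `# Read by the miniflux process itself (OAUTH2_CLIENT_SECRET_FILE), hence group-readable; admin.age is only read at service start and keeps the 0400 default — TODO confirm against the miniflux module`. Separately, the removed Authelia-side `age.secrets.authelia-oidc-miniflux` (which had `owner = cfg.user`) gets no replacement in this diff; if the Authelia client definition still references that secret path, this commit breaks it, so confirm Authelia holds only the hashed client secret. The enclosing `in { … }` attribute set continues outside the hunk.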