diff --git a/nixos/k3s.nix b/nixos/k3s.nix
index 7c79aabc..64dbf1da 100644
--- a/nixos/k3s.nix
+++ b/nixos/k3s.nix
@@ -13,6 +13,8 @@ in {
   };
   config = mkIf cfg.enable {
     age.secrets."1896Folsom-k3s-token.age".file = ./secrets/1896Folsom-k3s-token.age;
+    age.secrets."k3s-registry.yaml.age".file = ./secrets/k3s-registry.yaml.age;
+    environment.etc."rancher/k3s/registry.yaml".source = config.age.secrets."k3s-registry.yaml.age".path;
     services.dockerRegistry = {
       enable = true;
       listenAddress = "0.0.0.0";
diff --git a/nixos/secrets/k3s-registry.yaml.age b/nixos/secrets/k3s-registry.yaml.age
new file mode 100644
index 00000000..93903499
Binary files /dev/null and b/nixos/secrets/k3s-registry.yaml.age differ
diff --git a/nixos/secrets/secrets.nix b/nixos/secrets/secrets.nix
index 9c03edd1..7c22bbd8 100644
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
@@ -15,4 +15,5 @@ in
   "ryzen-shine-kubernetes-token.age".publicKeys = keys.agenixKeys;
   "1896Folsom-k3s-token.age".publicKeys = keys.agenixKeys ++ keys.railbird-sf;
   "api_service_account_key.json.age".publicKeys = keys.agenixKeys;
+  "k3s-registry.yaml.age".publicKeys = keys.agenixKeys ++ keys.railbird-sf;
 }