diff --git a/modules/services/matrix.nix b/modules/services/matrix.nix
index 8d46c6d370fdbeb008c04f52713fabea71baea81..5a88360917881e6e5aced8ab7e22bca0295a256b 100644
--- a/modules/services/matrix.nix
+++ b/modules/services/matrix.nix
@@ -19,6 +19,11 @@
       owner = "matrix-synapse";
     };
 
+    note_oidc_extra_config = {
+      file = ../../secrets/neo/note_oidc_extra_config.age;
+      owner = "matrix-synapse";
+    };
+
     appservice_irc_db_env = {
       file = ../../secrets/neo/appservice_irc_db_env.age;
     };
@@ -119,6 +124,7 @@
 
     extraConfigFiles = [
       config.age.secrets.database_extra_config.path
+      config.age.secrets.note_oidc_extra_config.path
     ];
   };
 
diff --git a/secrets.nix b/secrets.nix
index bc0326796a3e19266d9faac709e99f22a7de3867..230e4328d96c04dc9e44acd0df92ee2139931ea4 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -94,10 +94,12 @@ in
     let
       key = hosts.${name};
     in
-    genAttrs [
-      "restic/${name}/base-repo"
-      "restic/${name}/base-password"
-    ] [ key ]
+    genAttrs
+      [
+        "restic/${name}/base-repo"
+        "restic/${name}/base-password"
+      ]
+      [ key ]
   )
 ) { } (remove "thot" hostnames)
 // builtins.mapAttrs (name: value: { publicKeys = value.publicKeys ++ nounous; }) {
@@ -106,5 +108,6 @@ in
   "secrets/neo/appservice_irc_db_env.age".publicKeys = [ neo ];
   "secrets/neo/coturn_auth_secret.age".publicKeys = [ neo ];
   "secrets/neo/database_extra_config.age".publicKeys = [ neo ];
+  "secrets/neo/note_oidc_extra_config.age".publicKeys = [ neo ];
   "secrets/neo/ldap_synapse_password.age".publicKeys = [ neo ];
 }
diff --git a/secrets/neo/note_oidc_extra_config.age b/secrets/neo/note_oidc_extra_config.age
new file mode 100644
index 0000000000000000000000000000000000000000..e593a11cedb89b9d2045957c4fb32c35b06df861
Binary files /dev/null and b/secrets/neo/note_oidc_extra_config.age differ