diff --git a/nixos/machines/orbi/media-nextcloud.nix b/nixos/machines/orbi/media-nextcloud.nix
index 578aae5..8c838c2 100644
--- a/nixos/machines/orbi/media-nextcloud.nix
+++ b/nixos/machines/orbi/media-nextcloud.nix
@@ -50,12 +50,10 @@ in
 };
 };
 
- #sops.secrets.nextcloud_database_password.owner = "nextcloud";
- #sops.secrets.nextcloud_root_password.owner = "nextcloud";
-
 clanCore.facts.services.nextcloud_root = factsGenerator.password { service = "nextcloud"; name = "root"; };
 clanCore.facts.services.nextcloud_database = factsGenerator.password { service = "nextcloud"; name = "database"; };
 
+ # todo : remove
 users.users.nextcloud = {
 isSystemUser = true;
 uid = nextcloudUid;
@@ -72,18 +70,15 @@ in
 
 # * mysql
 containers.nextcloud = {
- # mount host folders
 bindMounts = {
 rootpassword = {
- #hostPath = "/run/secrets/nextcloud_root_password";
 hostPath = config.clanCore.facts.services.nextcloud_root.secret."nextcloud.root".path;
- mountPoint = "/run/secrets/nextcloud_root_password";
+ mountPoint = "/run/secrets/nextcloud.root.intput";
 isReadOnly = true;
 };
 databasepassword = {
- #hostPath = "/run/secrets/nextcloud_database_password";
 hostPath = config.clanCore.facts.services.nextcloud_database.secret."nextcloud.database".path;
- mountPoint = "/run/secrets/nextcloud_database_password";
+ mountPoint = "/run/secrets/nextcloud.database.input";
 isReadOnly = true;
 };
 };
@@ -102,6 +97,23 @@ in
 # A temporary workaround is to manually write the /etc/nixos/resolv.conf file like this:
 #environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
 
+ systemd.tmpfiles.settings.nextcloud = {
+ "/run/secrets/nextcloud.root".C = {
+ type = "C";
+ user = "nextcloud";
+ group = "nextcloud";
+ mode = "400";
+ argument = "/run/secrets/nextcloud.root.input";
+ };
+ "/run/secrets/nextcloud.database".C = {
+ type = "C";
+ user = "nextcloud";
+ group = "nextcloud";
+ mode = "400";
+ argument = "/run/secrets/nextcloud.database.input";
+ };
+ };
+
 users.users.nextcloud.uid = nextcloudUid;
 
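Review bot: The added `# todo : remove` above `users.users.nextcloud = {` names no condition, so a later reader cannot tell what has to be true before this host-side user can go, or whether removing it breaks the uid alignment the bind-mounted secrets appear to rely on. State the condition in the comment, e.g. `# TODO: remove this host-side nextcloud user once nothing on the host depends on uid nextcloudUid (the container config sets users.users.nextcloud.uid = nextcloudUid itself)`. That the later `users.users.nextcloud.uid = nextcloudUid;` line sits inside the container config is inferred from its position, so confirm before wording it that way. The `users.users.nextcloud` attribute set opened here is closed outside the hunk.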
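Review bot: The new root-password mount point is spelled `/run/secrets/nextcloud.root.intput`, while the tmpfiles rule added later in this same commit copies from `/run/secrets/nextcloud.root.input`, so the `C` rule for `/run/secrets/nextcloud.root` has no source file and `adminpassFile` will point at a path that is never created. Change the line to `mountPoint = "/run/secrets/nextcloud.root.input";`. The database mount already uses the `.input` spelling, so the two entries are inconsistent as written. `containers.nextcloud = {` is opened in this hunk but closed outside it.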
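Review bot: A tmpfiles `C` rule copies only when the destination does not exist, so once `/run/secrets/nextcloud.root` and `/run/secrets/nextcloud.database` have been written, a regenerated secret in the bind-mounted `.input` file is not picked up until the container's `/run` is recreated; that is worth stating next to the rules, e.g. `# C copies the bind-mounted secret once per container boot; a rotated secret needs a container restart, not a reload`. If the deployed systemd supports the `C+` overwrite variant that would remove the restart requirement, but check the version before relying on it. The `type = "C";` lines restate the attribute name and, if I recall the NixOS option correctly, `type` defaults to that name, so they can be dropped. The `mode = "400"` with `user`/`group` set to `nextcloud` keeps the copies readable only by the service account, which is the right scope for these files.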
@@ -187,10 +199,10 @@ in
 loglevel = 2;
 };
 config = {
- adminpassFile = "/run/secrets/nextcloud_root_password";
+ adminpassFile = "/run/secrets/nextcloud.root";
 #overwriteProtocol = "https";
 dbtype = "mysql";
- dbpassFile = "/run/secrets/nextcloud_database_password";
+ dbpassFile = "/run/secrets/nextcloud.database";
 dbhost = "localhost:3306";
 };
 };
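Review bot: `adminpassFile` and `dbpassFile` are the third place in this commit where the `/run/secrets/nextcloud.root` and `/run/secrets/nextcloud.database` literals (and their `.input` sources) are typed by hand, after the bind mounts and the tmpfiles rules, which is how the `.intput` spelling slipped into the mount point. The hunk headers show the file already has a `let ... in`, so hoist the paths there, e.g. `rootPassFile = "/run/secrets/nextcloud.root";` and `dbPassFile = "/run/secrets/nextcloud.database";`, and reference them here as `adminpassFile = rootPassFile;` and `dbpassFile = dbPassFile;`, with the same treatment for the `.input` paths in the mounts and rules. One definition per path makes a mismatch between the copy destination and the consumer impossible.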