diff --git a/secrets.nix b/secrets.nix index 3c4d143..e87fd0a 100644 --- a/secrets.nix +++ b/secrets.nix @@ -15,6 +15,8 @@ let grafana-oauth-secret = [ machines.meta01 ]; loki-environment = [ machines.meta01 ]; gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ]; + pyroscope-secrets = [ machines.meta01 ]; + buildbot-worker-password = [ machines.buildbot ]; buildbot-oauth-secret = [ machines.buildbot ]; diff --git a/secrets/pyroscope-secrets.age b/secrets/pyroscope-secrets.age new file mode 100644 index 0000000..45bfd2e Binary files /dev/null and b/secrets/pyroscope-secrets.age differ diff --git a/services/monitoring/pyroscope/default.nix b/services/monitoring/pyroscope/default.nix index 5f9ecbf..3ed665f 100644 --- a/services/monitoring/pyroscope/default.nix +++ b/services/monitoring/pyroscope/default.nix @@ -14,6 +14,40 @@ in ]; config = mkIf cfg.enable { - services.pyroscope.enable = true; + age.secrets.pyroscope-secrets.file = ../../../secrets/pyroscope-secrets.age; + services.pyroscope = { + enable = true; + secretFile = config.age.secrets.pyroscope-secrets.path; + settings = { + target = "all"; + multitenancy_enabled = false; + + api.base-url = "https://pyroscope.forkos.org"; + analytics.reporting_enabled = false; + + storage = { + backend = "s3"; + s3 = { + endpoint = "s3.delroth.net"; + region = "garage"; + bucket_name = "bagel-pyroscope"; + access_key_id = "\${S3_KEY_ID}"; + secret_access_key = "\${S3_KEY}"; + force_path_style = true; + }; + }; + server = { + grpc_listen_port = 9097; + grpc_server_max_recv_msg_size = 104857600; + grpc_server_max_send_msg_size = 104857600; + grpc_server_max_concurrent_streams = 1000; + }; + + memberlist = { + advertise_port = 7948; + bind_port = 7948; + }; + }; + }; }; } diff --git a/services/monitoring/pyroscope/module.nix b/services/monitoring/pyroscope/module.nix index 1eeb722..35a3f63 100644 --- a/services/monitoring/pyroscope/module.nix +++ b/services/monitoring/pyroscope/module.nix 
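Review bot: In the `server` and `memberlist` blocks of services/monitoring/pyroscope/default.nix only ports are set, so unless addresses are pinned elsewhere the gRPC listener on 9097 and memberlist on 7948 presumably bind to every interface. Pyroscope does not authenticate requests on its own, and `multitenancy_enabled = false` puts all traffic in a single tenant, so anything that can reach those ports can push or query profiles. If this is a single node behind a reverse proxy for `pyroscope.forkos.org`, I would pin the listeners under `server`, e.g. `http_listen_address = "127.0.0.1";` and `grpc_listen_address = "127.0.0.1";`, and leave access control to the proxy. The firewall and proxy configuration are not visible in this diff, so confirm against those. Keeping the S3 credentials as `\${S3_KEY_ID}` / `\${S3_KEY}` placeholders is the right call, since the rendered config ends up in the world-readable Nix store.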
@@ -9,6 +9,9 @@ in
 options.services.pyroscope = {
 enable = mkEnableOption "pyroscope, a continuous profiling platform";
 package = mkPackageOption pkgs "pyroscope" { };
+ secretFile = mkOption {
+ type = types.path;
+ };
 settings = mkOption {
 description = "Pyroscope settings. See <>";
@@ -22,14 +25,17 @@ in
 systemd.services.pyroscope = {
 description = "Pyroscope server - a continuous profiling platform";
 wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
 serviceConfig = {
- ExecStart = "${cfg.package}/bin/pyroscope -config.file ${configFile}";
+ ExecStart = "${cfg.package}/bin/pyroscope -config.file ${configFile} -config.expand-env";
 WorkingDirectory = "/var/lib/pyroscope";
 User = "pyroscope";
 DynamicUser = true;
 Restart = "on-failure";
 RuntimeDirectory = "pyroscope";
 StateDirectory = "pyroscope";
+ EnvironmentFile = [ cfg.secretFile ];
 };
 };
 };
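Review bot: `secretFile` in the first module.nix hunk is declared as `types.path` with no description or default, which has two consequences. A Nix path literal (for example `./pyroscope.env`) is accepted and would be copied into the world-readable Nix store once it is interpolated into the unit's `EnvironmentFile`. Every user of the module must also set the option now, even when the settings need no secrets. I would declare it as `type = types.nullOr types.str; default = null;` with a description saying it must be a runtime path outside the store (such as an agenix `.path`) in systemd EnvironmentFile format. The second hunk would then use `EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile;`.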
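Review bot: `-config.expand-env` is now passed unconditionally in `ExecStart` in the second module.nix hunk, so every `${...}` in the rendered settings is substituted from the unit's environment. As far as I know, a variable that is missing from the secret file expands to an empty string rather than failing startup, which would turn a typo in the secret file into an S3 authentication error at runtime instead of an obvious configuration error. I would record this in the `settings` option description, e.g. `Values may reference variables from secretFile as \${NAME}; unset variables expand to the empty string.`, so module users know the placeholder syntax and that a literal `$` in a setting needs care.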