diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4bd922a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+secrets/
diff --git a/configuration.nix b/configuration.nix
index 84afa82..274bed5 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -24,7 +24,6 @@ in {
 environment.systemPackages = with pkgs; [ vim tmux clightning bitcoin nodeinfo
- jq
 ]; nixpkgs.config.packageOverrides = pkgs: { inherit nodeinfo;
@@ -48,8 +47,6 @@ in {
 #services.bitcoin.proxy = services.tor.client.socksListenAddress; services.nixbitcoin.enable = true;
-
-
 # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
diff --git a/generate_secrets.sh b/generate_secrets.sh
new file mode 100755
index 0000000..dce6e40
--- /dev/null
+++ b/generate_secrets.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+SECRETSFILE=secrets/secrets.nix
+
+if [ -e "$SECRETSFILE" ]; then
+ echo $SECRETSFILE already exists
+ exit 1
+fi
+
+echo Installing apg through nix-env
+nix-env -i apg
+echo Creating bitcoin RPC password
+echo \{ >> $SECRETSFILE
+echo " bitcoinrpcpassword = \"$(apg -m 20 -x 20 -M Ncl -n 1)\";" >> $SECRETSFILE
+echo \} >> $SECRETSFILE
+echo Done
diff --git a/load-secrets.nix b/load-secrets.nix
new file mode 100644
index 0000000..8fe236f
--- /dev/null
+++ b/load-secrets.nix
@@ -0,0 +1,13 @@
+if builtins.pathExists ./secrets/secrets.nix then import ./secrets/secrets.nix else {
+ prophet-openvpn-config = "";
+ prophet-guest-openvpn-config = "";
+ centrallake-openvpn-config = "";
+ bower-openvpn-config = "";
+ unifi_password_ro = "";
+ alertmanager_smtp_pw = "";
+ alertmanager_pushover_user = "";
+ alertmanager_pushover_token = "";
+ mpd_pw = "";
+ mpd_icecast_pw = "";
+ github_token = "";
+}
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 5dcb24a..0bb4ee4 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
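Review bot: In generate_secrets.sh the secrets file is created under the caller's default umask, so on a typical system `secrets/secrets.nix` — and the RPC password inside it — ends up group- and world-readable; `umask 077` should be set before the first `>>` redirection. The `secrets/` directory is also never created, so every `>>` fails when it is missing, and without `set -e` the script still prints `Done`; adding `set -euo pipefail` at the top and `mkdir -p "$(dirname "$SECRETSFILE")"` after the existence check fixes both, and additionally makes a failed `nix-env -i apg` abort the run instead of continuing to write the file. The unquoted `$SECRETSFILE` in the `echo` and in the redirections should be quoted, as it already is in the `-e` test.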
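Review bot: The fallback attrset in load-secrets.nix, returned when `secrets/secrets.nix` is absent, does not define `bitcoinrpcpassword`, the one attribute this change actually reads (in `modules/nixbitcoin.nix`), so a missing secrets file fails with an unhelpful attribute-missing error; the eleven keys it does define (OpenVPN configs, alertmanager, mpd, github) are referenced nowhere on this page and look carried over from another configuration. Unless evaluating without secrets is intended, a clear failure is safer than defaulting credentials to empty strings: `else throw "secrets/secrets.nix not found; run ./generate_secrets.sh first"`. If the empty-string fallback is kept on purpose, it should at least include `bitcoinrpcpassword` and carry a comment stating that the values are placeholders for evaluation only, not usable credentials.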
@@ -14,7 +14,7 @@ let
 discover=0 ${optionalString (cfg.port != null) "port=${toString cfg.port}"} ${optionalString (cfg.rpcuser != null) "rpcuser=${cfg.rpcuser}"}
- ${optionalString (cfg.rpcpassword != null) "rpcuser=${cfg.rpcpassword}"}
+ ${optionalString (cfg.rpcpassword != null) "rpcpassword=${cfg.rpcpassword}"}
 ''; in { options.services.bitcoin = {
diff --git a/modules/nixbitcoin.nix b/modules/nixbitcoin.nix
index accff1d..f69aa72 100644
--- a/modules/nixbitcoin.nix
+++ b/modules/nixbitcoin.nix
@@ -4,6 +4,7 @@ with lib;
 let cfg = config.services.nixbitcoin;
+ secrets = import ../load-secrets.nix;
 in { imports = [
@@ -39,7 +40,7 @@ in {
 services.bitcoin.proxy = config.services.tor.client.socksListenAddress; services.bitcoin.port = 8333; services.bitcoin.rpcuser = "bitcoinrpc";
- services.bitcoin.rpcpassword = "bitcoinrpc";
+ services.bitcoin.rpcpassword = secrets.bitcoinrpcpassword;
 # clightning services.clightning.enable = true;
diff --git a/network.nix b/network.nix
index 2f44385..70c13e7 100644
--- a/network.nix
+++ b/network.nix
@@ -1,4 +1,6 @@
-{
+let
+ secrets = import ./load-secrets.nix;
+in {
 network.description = "Bitcoin Core node"; bitcoin-node = import ./configuration.nix;
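Review bot: Even with the key name corrected to `rpcpassword=`, the password is still interpolated in cleartext into this configuration string; if that string is materialised with `pkgs.writeText` or similar (not visible in the hunk), the secret lands in a world-readable path under `/nix/store`, which the new `secrets/` gitignore entry does nothing to prevent. Bitcoin Core's `rpcauth=<user>:<salt>$<hmac>` option accepts a salted hash in place of the cleartext password, so emitting only that into the generated config and keeping the password itself out of the store would limit the exposure; how the string is consumed is outside this hunk, so this is worth confirming before relying on it. The `''` string and the `let` binding this line belongs to begin before the hunk.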