diff --git a/hosts/h001/flake.nix b/hosts/h001/flake.nix
index 109b5e96..47daae2d 100644
--- a/hosts/h001/flake.nix
+++ b/hosts/h001/flake.nix
@@ -21,6 +21,7 @@
 secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
 # beszel.url = "path:../../flakes/beszel";
 beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel";
+ secrets-bao.url = "path:../../flakes/secrets-bao";
 ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
@@ -80,6 +81,42 @@
 };
 })
+ inputs.secrets-bao.nixosModules.default
+ (
+ { inputs, lib, ... }:
+ let
+ secrets = {
+ litellm-env = {
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ path = "/run/secrets/litellm.env";
+ softDepend = [ "litellm" ];
+ template = ''
+ {{- with secret "kv/data/machines/home/openrouter" -}}OPENROUTER_API_KEY={{ .Data.data.api-key }}{{ end }}
+ {{- with secret "kv/data/machines/home/anthropic-claude" -}}
+ ANTHROPIC_API_KEY={{ .Data.data.api-key }}{{ end -}}
+ '';
+ };
+ };
+ in
+ lib.mkMerge [
+ {
+ ringofstorms.secretsBao = {
+ enable = true;
+ zitadelKeyPath = "/machine-key.json";
+ openBaoAddr = "https://sec.joshuabell.xyz";
+ jwtAuthMountPath = "auth/zitadel-jwt";
+ openBaoRole = "machines";
+ zitadelIssuer = "https://sso.joshuabell.xyz";
+ zitadelProjectId = "344379162166820867";
+ inherit secrets;
+ };
+ }
+ (inputs.secrets-bao.lib.applyConfigChanges secrets)
+ ]
+ )
+
 nixarr.nixosModules.default
 ./hardware-configuration.nix
 ./mods
diff --git a/hosts/h001/mods/litellm.nix b/hosts/h001/mods/litellm.nix
index ce0db09b..33b87159 100644
--- a/hosts/h001/mods/litellm.nix
+++ b/hosts/h001/mods/litellm.nix
@@ -27,6 +27,7 @@ in
 host = "0.0.0.0";
 openFirewall = false;
 package = pkgsLitellm.litellm;
+ environmentFile = "/run/secrets/litellm.env";
 environment = {
 SCARF_NO_ANALYTICS = "True";
 DO_NOT_TRACK = "True";
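Review bot: The new `secrets-bao` input is a relative `path:` URL while the neighbouring `secrets` and `beszel` inputs use `git+https://...?dir=flakes/<name>`, and the commented-out `# beszel.url = "path:../../flakes/beszel";` just above shows that input was deliberately moved off `path:`. For the module that provisions the machine's credentials this inconsistency should be a conscious choice: a `path:` input is presumably locked by directory content hash rather than by a reviewable commit, so consider `secrets-bao.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets-bao";` once the module is pushed, or a one-line comment saying why this one stays local. The enclosing `inputs` set starts and ends outside the hunk.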
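Review bot: The `litellm-env` template most likely renders both keys onto one line: the first line ends in `{{ end }}`, the next line opens with `{{-`, which under Go text/template rules (the `secret "kv/data/..."`/`.Data.data` syntax suggests a consul-template/Vault-agent style engine, so hedge on the exact engine) trims the newline before it, and that action's `-}}` trims the newline after it, giving `OPENROUTER_API_KEY=<k1>ANTHROPIC_API_KEY=<k2>` so litellm would see a corrupted OpenRouter key and no Anthropic key at all. In the same engine a hyphenated field such as `.Data.data.api-key` is not a valid field reference and needs `index`; both problems go away with two plain lines, `{{ with secret "kv/data/machines/home/openrouter" }}OPENROUTER_API_KEY={{ index .Data.data "api-key" }}{{ end }}` and `{{ with secret "kv/data/machines/home/anthropic-claude" }}ANTHROPIC_API_KEY={{ index .Data.data "api-key" }}{{ end }}`, with no trim markers. Note that `with` renders nothing when a lookup fails, so a missing or unauthorised secret yields an empty env file rather than a render error; whether `softDepend = [ "litellm" ]` surfaces that cannot be told from this hunk, so it is worth a test of the failure path. The `owner = "root"`/`mode = "0400"` choice only works if the consumer is systemd's `EnvironmentFile=`, which PID 1 reads before dropping privileges; a comment stating that assumption next to `path` would help the next reader. The enclosing module list starts and ends outside the hunk.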
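Review bot: The `/run/secrets/litellm.env` literal is now duplicated between this line and the `path` of the `litellm-env` secret in `hosts/h001/flake.nix`, so the two can drift and the unit would then fail to start or read a stale file. If the `ringofstorms.secretsBao.secrets` option exposes the rendered path, prefer `environmentFile = config.ringofstorms.secretsBao.secrets.litellm-env.path;` (this module's argument set is outside the hunk, so check that `config` is available), otherwise add a comment pointing at the flake.nix definition. Since the file is root-owned with mode 0400, this also relies on the litellm module wiring `environmentFile` through to systemd `EnvironmentFile=` rather than reading it as the service user; that is plausible but not visible here and worth confirming once.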
@@ -37,10 +38,6 @@ in
 settings = {
 environment_variables = {
 LITELLM_PROXY_API_KEY = "na";
-
- # TODO get from openbao secrets somehow
- OPENROUTER_API_KEY = "kv/data/machines/home/openrouter api-key";
- ANTHROPIC_API_KEY = "kv/data/machines/home/anthropic-claude api-key";
 };
 litellm_settings = {
 check_provider_endpoints = true;