diff --git a/.gitignore b/.gitignore
index 90d9e6f..be4fabf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
-borg-backup-repo
-miniflux-admin-credentials
+/secrets/borg-backup-repo
+/secrets/miniflux-admin-credentials
+/secrets/matrix-registration-shared-secret
diff --git a/configuration.nix b/configuration.nix
index bd0fe36..4ece4be 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -88,7 +88,13 @@
 privatePort = 8080;
 };
- matrix.enable = true;
+ matrix = {
+ enable = true;
+ registration_shared_secret =
+ (lib.removeSuffix "\n" (
+ builtins.readFile ./secrets/matrix-registration-shared-secret
+ ));
+ };
 monitoring = {
 enable = true;
diff --git a/secrets/matrix-registration-shared-secret.example b/secrets/matrix-registration-shared-secret.example
new file mode 100644
index 0000000..cd09bbf
--- /dev/null
+++ b/secrets/matrix-registration-shared-secret.example
@@ -0,0 +1 @@
+0000000000000000000000000000000000000000000000000000000000000000
diff --git a/services/matrix.nix b/services/matrix.nix
index cd757ad..f36d701 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -21,6 +21,13 @@ let
 in {
 options.my.services.matrix = {
 enable = lib.mkEnableOption "Matrix Synapse";
+
+ registration_shared_secret = lib.mkOption {
+ type = types.str;
+ default = null;
+ example = "deadbeef";
+ description = "Shared secret to register users";
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -38,6 +45,8 @@ in {
 server_name = domain;
 public_baseurl = "https://matrix.${domain}";
+ registration_shared_secret = cfg.registration_shared_secret;
+
 listeners = [
 # Federation
 {
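Review bot: The ignore list in `.gitignore` names each secret file individually, so a secret added under `secrets/` later stays committable until someone remembers to list it. Ignoring the directory contents and re-including the samples closes that gap: `/secrets/*` followed by `!/secrets/*.example`. That still keeps `secrets/matrix-registration-shared-secret.example`, added in this commit, tracked.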
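Review bot: `builtins.readFile ./secrets/matrix-registration-shared-secret` in the new `matrix` block of `configuration.nix` reads the secret at evaluation time, so the value becomes part of the evaluated configuration. The added `registration_shared_secret = cfg.registration_shared_secret;` line in the second `services/matrix.nix` hunk then hands it to the Synapse settings, which are presumably rendered into a config file under `/nix/store` that every local user can read. Whoever holds this secret can register accounts on the homeserver even when open registration is off. Prefer keeping only a path in the Nix expression and letting the service read a root-owned file outside the store at runtime, for example through the Synapse module's `extraConfigFiles`. If the evaluation-time read stays, a comment such as `# NOTE: this value is copied into the world-readable Nix store` above it would document the exposure.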
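Review bot: The new option in the first `services/matrix.nix` hunk declares `type = types.str;` with `default = null;`, and `null` is not a string, so leaving the option unset will presumably fail with a type error rather than a clear message once `cfg.enable` is true. Either drop the default so the option is plainly required, or use `type = types.nullOr types.str;` and only set Synapse's `registration_shared_secret` when the value is non-null. The description could also state that the value is a credential, e.g. `description = "Shared secret to register users; treat as a credential";`. The `config` block that consumes the option continues outside this hunk.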