diff --git a/modules/server/database/default.nix b/modules/server/database/default.nix index f993f3c..375d6c0 100644 --- a/modules/server/database/default.nix +++ b/modules/server/database/default.nix @@ -5,6 +5,23 @@ let listNames = config.syscfg.server.db; containerNames = lib.concatMap (app: app.requires.databases) (builtins.attrValues config.syscfg.server.loadedContainers); allApps = lib.unique (listNames ++ containerNames); + influxAdminTokenJson = pkgs.writeShellScript "influxdb3-admin-token-json" '' + set -eu + + token="''${INFLUXDB_TOKEN-''${INFLUXDB_TOKEN-}}" + if [ -z "$token" ]; then + echo "Missing INFLUXDB_TOKEN or INFLUXDB_TOKEN in ${config.sops.secrets."INFLUX".path}" >&2 + exit 1 + fi + + cat > "$RUNTIME_DIRECTORY/admin-token.json" < 0) { services.postgresql = { @@ -53,7 +70,10 @@ in { }; serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.influxdb3}/bin/influxdb3 serve"; #--admin-token-file=/run/secrets/admin-token + EnvironmentFile = config.sops.secrets."INFLUX".path; + RuntimeDirectory = "influxdb3"; + ExecStartPre = influxAdminTokenJson; + ExecStart = "${pkgs.influxdb3}/bin/influxdb3 serve --admin-token-file=%t/influxdb3/admin-token.json"; Restart = "on-failure"; StateDirectory = "influxdb3"; PrivateTmp = true; @@ -61,12 +81,6 @@ in { }; }; -# admin-token.json= { -# "token": "$INFLUXDB_TOKEN", -# "name": "admin", -# "description": "Admin token for automated deployment" -# } - systemd.services.postgresql-init = { description = "Custom Postgres Setup (Ownership & Passwords)";
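Review bot: In the new `influxAdminTokenJson` script, the fallback `''${INFLUXDB_TOKEN-''${INFLUXDB_TOKEN-}}` names the same variable twice, so the inner default can never contribute and the error text reads "Missing INFLUXDB_TOKEN or INFLUXDB_TOKEN". If a second variable name was intended, use it in both places; otherwise simplify to `token="''${INFLUXDB_TOKEN-}"` and fix the message. The script also writes the admin token with `cat >` under whatever umask the unit inherits, so add `umask 077` right after `set -eu` to make the file owner-only from the moment it is created. The heredoc body is not fully visible on this page; if it interpolates `$token` straight into the JSON, a token containing `"` or `\` would produce an invalid file, so the accepted character set is worth checking or documenting in a comment.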
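Review bot: `RuntimeDirectory = "influxdb3";` is added without a `RuntimeDirectoryMode`, and systemd's default for that directory is 0755, so other local users can traverse the directory that holds `admin-token.json`. Adding `RuntimeDirectoryMode = "0700";` next to it keeps the token path private to the service user. `EnvironmentFile` also places the secret in the environment of the long-running `influxdb3 serve` process, although only the `ExecStartPre` step appears to need it. A short comment saying why that is acceptable, or a move to a credential mechanism scoped to the pre-start step, would help the next reader. The `serviceConfig` block continues outside this hunk, so whether a `User=` is set cannot be confirmed from here.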