diff --git a/clanServices/zitadel/default.nix b/clanServices/zitadel/default.nix
index 97b2be6..bb91302 100644
--- a/clanServices/zitadel/default.nix
+++ b/clanServices/zitadel/default.nix
@@ -41,9 +41,23 @@ in
 perMachine = { instances, machine, ... }: {
 nixosModule = { config, ... }: {
 config = {
+ clan.core.vars.generators.zitadel = {
+ shared = false;
+
+ files.masterKey = { deploy = true; secret = true; };
+
+ # https://zitadel.com/docs/self-hosting/manage/configure#masterkey
+ # The master key has to be 32 bytes
+ script = ''
+ head -c 32 /dev/urandom > $out/masterKey
+ '';
+ };
+
 services.zitadel = {
 enable = true;
 
+ masterKeyFile = config.clan.core.vars.generators.zitadel.masterKey.path;
+
 settings = {
 Port = 9092;
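Review bot: The `masterKeyFile` line reads `config.clan.core.vars.generators.zitadel.masterKey.path`, but the generator above declares the file under `files.masterKey`, so the reference most likely needs to be `config.clan.core.vars.generators.zitadel.files.masterKey.path`; as written, evaluation would probably fail on a missing attribute. The secret is deployed with default ownership, so if the zitadel unit reads the key as its own service user, set `files.masterKey.owner = "zitadel";` (confirm the user name against the module) rather than widening the file mode. `head -c 32 /dev/urandom` has the right length but writes raw bytes that may include NUL or newline; a printable key such as `tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32 > "$out"/masterKey` is safer for secret backends and readers that treat the value as text. The `services.zitadel` block continues outside the hunk, so whether anything else references the key is not visible here.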