diff --git a/.woodpecker.yml b/.woodpecker.yml
index cd1703a..739cd0c 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -170,6 +170,66 @@ steps:
 branch: main
 event: [push, cron]
+ # Create Docker Secrets
+ create-docker-secrets:
+ name: create-docker-secrets
+ image: woodpeckerci/plugin-docker-buildx
+ environment:
+ REGISTRY_USER:
+ from_secret: REGISTRY_USER
+ REGISTRY_PASSWORD:
+ from_secret: REGISTRY_PASSWORD
+ # Authelia Core Secrets
+ AUTHENTICATION_BACKEND_LDAP_PASSWORD:
+ from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD
+ IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
+ from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
+ STORAGE_ENCRYPTION_KEY:
+ from_secret: STORAGE_ENCRYPTION_KEY
+ SESSION_SECRET:
+ from_secret: SESSION_SECRET
+ NOTIFIER_SMTP_PASSWORD:
+ from_secret: NOTIFIER_SMTP_PASSWORD
+ # OIDC Secrets
+ IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
+ from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
+ IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
+ from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
+ IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
+ from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
+ # Client Secrets
+ CLIENT_SECRET_HEADSCALE:
+ from_secret: CLIENT_SECRET_HEADSCALE
+ CLIENT_SECRET_HEADADMIN:
+ from_secret: CLIENT_SECRET_HEADADMIN
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ commands:
+ - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
+ - docker secret rm AUTHENTICATION_BACKEND_LDAP_PASSWORD || true
+ - docker secret rm IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET || true
+ - docker secret rm STORAGE_ENCRYPTION_KEY || true
+ - docker secret rm SESSION_SECRET || true
+ - docker secret rm NOTIFIER_SMTP_PASSWORD || true
+ - docker secret rm IDENTITY_PROVIDERS_OIDC_HMAC_SECRET || true
+ - docker secret rm IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY || true
+ - docker secret rm IDENTITY_PROVIDERS_OIDC_JWKS_KEY || true
+ - docker secret rm CLIENT_SECRET_HEADSCALE || true
+ - docker secret rm CLIENT_SECRET_HEADADMIN || true
+ - echo "$${AUTHENTICATION_BACKEND_LDAP_PASSWORD}" | docker secret create 
AUTHENTICATION_BACKEND_LDAP_PASSWORD -
+ - echo "$${IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET}" | docker secret create IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET -
+ - echo "$${STORAGE_ENCRYPTION_KEY}" | docker secret create STORAGE_ENCRYPTION_KEY -
+ - echo "$${SESSION_SECRET}" | docker secret create SESSION_SECRET -
+ - echo "$${NOTIFIER_SMTP_PASSWORD}" | docker secret create NOTIFIER_SMTP_PASSWORD -
+ - echo "$${IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}" | docker secret create IDENTITY_PROVIDERS_OIDC_HMAC_SECRET -
+ - echo "$${IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY}" | docker secret create IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY -
+ - echo "$${IDENTITY_PROVIDERS_OIDC_JWKS_KEY}" | docker secret create IDENTITY_PROVIDERS_OIDC_JWKS_KEY -
+ - echo "$${CLIENT_SECRET_HEADSCALE}" | docker secret create CLIENT_SECRET_HEADSCALE -
+ - echo "$${CLIENT_SECRET_HEADADMIN}" | docker secret create CLIENT_SECRET_HEADADMIN -
+ when:
+ branch: main
+ event: [push, cron]
+
 # Deploy Production
 deploy-production:
 name: deploy-production
diff --git a/stack.production.yml b/stack.production.yml
index 7f8161f..10eda7d 100644
--- a/stack.production.yml
+++ b/stack.production.yml
@@ -8,6 +8,8 @@ x-authelia-env: &authelia-env
 secrets:
 AUTHENTICATION_BACKEND_LDAP_PASSWORD:
 external: true
+ IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
+ external: true
 IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
 external: true
 IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
@@ -20,6 +22,10 @@ secrets:
 external: true
 STORAGE_ENCRYPTION_KEY:
 external: true
+ CLIENT_SECRET_HEADSCALE:
+ external: true
+ CLIENT_SECRET_HEADADMIN:
+ external: true
 networks:
 default:
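Review bot: The `docker secret rm NAME || true` followed by `docker secret create NAME -` pairs in the create-docker-secrets commands are not repeatable once the stack is up: Docker refuses to remove a secret that a running service still references, the `|| true` hides that refusal, and the following `create` then aborts because the name already exists, so every push/cron run after the first deploy would likely fail at this step (inferred from the deploy-production step that follows, whose body is outside this hunk). Creating each secret under a versioned name and pointing the stack at that name is the usual way to make rotation idempotent. The `echo "$${NAME}" | docker secret create NAME -` form also stores the value with a trailing newline and, under a dash or busybox `sh`, may process backslash escapes in values such as the PEM private key; `printf '%s' "$${NAME}" | docker secret create NAME -` stores the bytes verbatim. Because this step mounts `/var/run/docker.sock` and receives every production secret, `image: woodpeckerci/plugin-docker-buildx` should be pinned to a specific tag or digest rather than an implicit latest, and `REGISTRY_USER`/`REGISTRY_PASSWORD` together with the `docker login` line look unused by the secret commands and could be removed to keep the step's credential exposure to what it needs.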
@@ -49,12 +55,15 @@ services:
 - --config=/config/configuration.oidc.clients.yml
 secrets:
 - AUTHENTICATION_BACKEND_LDAP_PASSWORD
+ - IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
 - IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
 - IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
 - IDENTITY_PROVIDERS_OIDC_JWKS_KEY
 - NOTIFIER_SMTP_PASSWORD
 - SESSION_SECRET
 - STORAGE_ENCRYPTION_KEY
+ - CLIENT_SECRET_HEADSCALE
+ - CLIENT_SECRET_HEADADMIN
 environment: *authelia-env
 dns:
 - 1.1.1.1 # Cloudflare
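Review bot: The new `CLIENT_SECRET_HEADSCALE` and `CLIENT_SECRET_HEADADMIN` entries mount client secrets into the authelia container as files, but nothing in this hunk shows how `configuration.oidc.clients.yml` consumes them; if they are used as OIDC `client_secret` values, recent Authelia releases expect a hashed digest (pbkdf2 or argon2id) rather than the plaintext shared with the relying party, so the value the CI step stores should be the digest — worth confirming against the clients config. All of these secrets are declared `external: true` in the earlier hunks of this file, so `docker stack deploy` depends on the create-docker-secrets step having succeeded first, and because Docker will not remove a secret that a running service references, the fixed names mean rotation needs either a new secret name or the service removed beforehand. A comment on the top-level `secrets:` block such as `# created by the create-docker-secrets CI step; fixed names, so rotation needs a new name or the service removed first` would record that dependency for whoever next touches the stack. The services mapping continues outside the hunk.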