diff --git a/configurations/nixos/graylog-tofu/default.nix b/configurations/nixos/graylog-tofu/default.nix
index 559091f..825a790 100644
--- a/configurations/nixos/graylog-tofu/default.nix
+++ b/configurations/nixos/graylog-tofu/default.nix
@@ -25,10 +25,18 @@ in
     ];
 
   sops.secrets.graylog = {
+    mode = "0400";
     owner = "graylog";
     group = "graylog";
   };
-  systemd.services.graylog.serviceConfig.EnvironmentFile = config.sops.secrets.graylog.path;
+
+  systemd.services.graylog = {
+    after = [ "sops-nix.service" ];
+    requires = [ "sops-nix.service" ];
+    serviceConfig = {
+      EnvironmentFile = config.sops.secrets.graylog.path;
+    };
+  };
   services = {
     graylog = {
       enable = true;
diff --git a/hosts.json b/hosts.json
index 9f8ab32..221b778 100644
--- a/hosts.json
+++ b/hosts.json
@@ -3,7 +3,7 @@
   "base-tofu": "200:b7fe:dd60:91d:4e18:5182:a112:2bb0",
   "caddy-tofu": "200:32d5:56e6:9387:841:c7d7:4d04:b2e4",
   "forgejo-runner-tofu": "201:ea26:66c7:657b:3599:63a6:c66c:d388",
-  "graylog-tofu": "201:3ea9:b1f4:fa2a:b627:440c:376e:60b6",
+  "graylog-tofu": "201:ecfa:f0d8:d1ea:5146:d43c:172b:195e",
   "link-warden-tofu": "200:7e25:554c:6df3:2c5:2de:6f9f:a96d",
   "medchart-tofu": "200:67d4:8493:35c9:ac0f:ec86:c3ea:9b11",
   "observer-tofu": "200:b938:d405:92df:a6e:1ffd:5213:26b",