diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json
index 32869f2..c117ce6 100644
--- a/roles/mas/tasks/main.json
+++ b/roles/mas/tasks/main.json
@@ -15,6 +15,7 @@
 "{{var_mas_directory}}/conf.d",
 "{{var_mas_directory}}/conf.d/providers",
 "{{var_mas_directory}}/conf.d/clients",
+ "{{var_mas_directory}}/secrets",
 "{{var_mas_directory}}/scripts"
 ],
 "ansible.builtin.file": {
@@ -52,6 +53,15 @@
 "mode": "0555"
 }
 },
+ {
+ "name": "configuration | private key",
+ "become": true,
+ "become_user": "{{var_mas_user}}",
+ "community.crypto.openssl_privatekey": {
+ "curve": "secp384r1",
+ "path": "{{var_mas_directory}}/secrets/private_key.pem"
+ }
+ },
 {
 "name": "configuration | base",
 "become": true,
diff --git a/roles/mas/templates/config-base.json.j2 b/roles/mas/templates/config-base.json.j2
index 7a6f488..0c727a1 100644
--- a/roles/mas/templates/config-base.json.j2
+++ b/roles/mas/templates/config-base.json.j2
@@ -1,7 +1,7 @@
 {
 "database": {
 "host": "{{var_mas_database_host}}",
- "port": "{{var_mas_database_port | string}}",
+ "port": {{var_mas_database_port | string}},
 "username": "{{var_mas_database_username}}",
 "password": "{{var_mas_database_password}}",
 "database": "{{var_mas_database_schema}}"
@@ -61,8 +61,8 @@
 "fd00::/8",
 "::1/128"
 ],
- "public_base": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/",
- "issuer": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/"
+ "public_base": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/",
+ "issuer": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/"
 },
 "matrix": {
 "homeserver": "{{var_mas_matrix_server}}",
@@ -72,7 +72,10 @@
 "secrets": {
 "encryption": "{{var_mas_encryption_key}}",
 "keys": [
- "__TODO__"
+ {
+ "kid": "x1",
+ "key_file": "{{var_mas_directory}}/secrets/private_key.pem"
+ }
 ]
 },
 "passwords": {
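Review bot: The new `{{var_mas_directory}}/secrets` entry in the first hunk of roles/mas/tasks/main.json is created by the same looped `ansible.builtin.file` task as `conf.d` and `scripts`, so it gets whatever owner and mode that task applies to every directory in the list. Those parameters lie outside the hunk, so I cannot confirm them, but a directory that holds the signing key should be readable by the service account only. If the shared mode is broader than owner-only, create this directory in its own task with `"mode": "0700"` and `"owner": "{{var_mas_user}}"`.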
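Review bot: The `configuration | private key` task in the second hunk of roles/mas/tasks/main.json sets `"curve": "secp384r1"` but no `type`, and `community.crypto.openssl_privatekey` defaults to an RSA key. As far as the module documents it, the curve is only honoured for ECC keys, so this task would write an RSA key rather than the P-384 key it appears to intend. Add `"type": "ECC"` beside the curve. I would also state `"mode": "0600"` explicitly, so that the permission on `private_key.pem` is visible in the role instead of depending on the module default.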
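Review bot: In the first hunk of roles/mas/templates/config-base.json.j2 the port is now rendered unquoted as `{{var_mas_database_port | string}}`, so the `string` filter no longer serves a purpose and an empty or non-numeric variable produces invalid JSON. `"port": {{var_mas_database_port | int}},` states the intent and always renders a number. Separately, on the context lines and not part of this change, the password and other string values are interpolated between quotes without escaping; a `"` or `\` in the value would break or alter the document, which `{{var_mas_database_password | to_json}}` (without the surrounding quotes) avoids.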
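Review bot: The corrected `public_base` and `issuer` lines in the second hunk of config-base.json.j2 still hard-code the `http://` scheme. If clients reach the service through a TLS-terminating proxy, the advertised issuer will not match the URL they actually use; if they reach it directly, credentials and tokens cross the network unencrypted. Which case applies is not visible from this hunk. Consider taking the scheme, or the whole public URL, from a role variable rather than composing it from address and port. An IPv6 literal in `var_mas_server_address` would also need enclosing brackets in these URLs.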
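Review bot: The key entry added under `secrets.keys` in the third hunk of config-base.json.j2 uses the fixed identifier `"kid": "x1"`. Verifiers select the public key by that identifier, so if `private_key.pem` is regenerated or rotated while the kid stays `x1`, parties holding a cached key set would match the ID but fail signature verification. Take the kid from a role variable that is changed together with the key file. Note also that `secrets.encryption` stays inline in the rendered config on the context line above, so the config file itself needs the same restrictive permissions as the new `secrets` directory.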