diff --git a/examples/router-with-l2tp.nix b/examples/router-with-l2tp.nix
index e9c53c71..6c54dc70 100644
--- a/examples/router-with-l2tp.nix
+++ b/examples/router-with-l2tp.nix
@@ -68,6 +68,8 @@ in rec {
   services.secrets = svc.secrets.outboard.build {
     name = "secret-service";
     url = "http://10.0.0.1/liminix/examples/real-secrets.json";
+    username = "demo";
+    password = "demo";
     interval = 5;
     dependencies = [ services.wan-address-for-secrets ];
   };
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 5106ff07..154f0b51 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -26,6 +26,15 @@ in {
         description = "source url";
         type = types.strMatching "https?://.*";
       };
+      username = mkOption {
+        description = "username for HTTP basic auth";
+        type = types.nullOr types.str;
+      };
+      password = mkOption {
+        description = "password for HTTP basic auth";
+        type = types.nullOr types.str;
+      };
+
       name = mkOption {
         description = "service name";
         type = types.str;
diff --git a/modules/secrets/outboard.nix b/modules/secrets/outboard.nix
index 7e61e39f..ac78ca0a 100644
--- a/modules/secrets/outboard.nix
+++ b/modules/secrets/outboard.nix
@@ -1,14 +1,19 @@
 {
   liminix, lib, json-to-fstree, serviceFns
 }:
-{ name, url, interval } :
+{ name, url, interval, username, password  } :
 let
   inherit (liminix.services) oneshot longrun;
+  inherit (lib) optionalString;
 in longrun {
   inherit name;
   buildInputs = [ json-to-fstree ];
   run = ''
     . ${serviceFns}
+    ${optionalString (username != null) ''
+      export NETRC=$(mkstate ${name})/netrc
+      (echo default ; echo login ${username} ; echo password ${password} ) > $NETRC
+    ''}
     ( in_outputs ${name}
       while : ; do
         ${json-to-fstree}/bin/json-to-fstree ${url} .