diff --git a/cluster/kube/cluster.jsonnet b/cluster/kube/cluster.jsonnet
index c07e5b9c..3952f66f 100644
--- a/cluster/kube/cluster.jsonnet
+++ b/cluster/kube/cluster.jsonnet
@@ -475,18 +475,7 @@ local Cluster(short, realm) = {
 },

 # Used for owncloud.hackerspace.pl, which for now lices on boston-packets.hackerspace.pl.
- nextcloudWaw2: kube._Object("ceph.rook.io/v1", "CephObjectStoreUser", "nextcloud") {
- metadata+: {
- namespace: "ceph-waw2",
- },
- spec: {
- store: "waw-hdd-redundant-2-object",
- displayName: "nextcloud",
- },
- },
-
- # Used for owncloud.hackerspace.pl, which for now lices on boston-packets.hackerspace.pl.
- nextcloudWaw3: kube._Object("ceph.rook.io/v1", "CephObjectStoreUser", "nextcloud") {
+ nextcloudWaw3: kube.CephObjectStoreUser("nextcloud") {
 metadata+: {
 namespace: "ceph-waw3",
 },
diff --git a/cluster/kube/lib/registry.libsonnet b/cluster/kube/lib/registry.libsonnet
index d457830c..e65f569a 100644
--- a/cluster/kube/lib/registry.libsonnet
+++ b/cluster/kube/lib/registry.libsonnet
@@ -312,7 +312,7 @@ local kube = import "../../../kube/kube.libsonnet";
 },
 },

- registryStorageUser: kube._Object("ceph.rook.io/v1", "CephObjectStoreUser", "registry") {
+ registryStorageUser: kue.CephObjectStoreUser("registry") {
 metadata+: {
 namespace: "ceph-waw2",
 },
diff --git a/kube/kube.libsonnet b/kube/kube.libsonnet
index c12e3db7..202b41bf 100644
--- a/kube/kube.libsonnet
+++ b/kube/kube.libsonnet
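Review bot: Dropping `nextcloudWaw2` from `cluster/kube/cluster.jsonnet` only removes the declaration; whether the CephObjectStoreUser in `ceph-waw2` and the credentials secret Rook generated for it are actually deleted depends on how these manifests are applied, which this diff does not show. If the apply step does not prune removed objects, that user and its secret remain valid on the old object store, so the commit message or a comment should record that the user was deleted, or why it is kept. The `Cluster` object starts and ends outside this hunk, and the `spec` that the new `kube.CephObjectStoreUser` helper requires for `nextcloudWaw3` is not visible here.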
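Review bot: `kue.CephObjectStoreUser("registry")` in `cluster/kube/lib/registry.libsonnet` refers to `kue`, while the import named in the hunk header is `local kube = import "../../../kube/kube.libsonnet";`. Unless a `kue` binding exists elsewhere in the file, evaluation fails on an unknown variable and the registry's object store user is never rendered. The line should read `registryStorageUser: kube.CephObjectStoreUser("registry") {`. The object body continues outside the hunk, so the `spec` the helper requires cannot be checked from here.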
@@ -12,4 +12,16 @@ kube {
 Certificate(name): kube._Object("certmanager.k8s.io/v1alpha1", "Certificate", name) {
 spec: error "spec must be defined",
 },
+
+ CephObjectStoreUser(name): kube._Object("ceph.rook.io/v1", "CephObjectStoreUser", name) {
+ local user = self,
+ spec: error "spec must be defined",
+
+ // Name of the secret that contains the login data for this user.
+ // This secret is created in the same namespace as the ceph cluster, so
+ // unfortunately you can't really refer to it directly.
+ // We should write some automation to copy these secrets over in a
+ // secure way.
+ secret_name:: "rook-ceph-object-user-%s-%s" % [user.spec.store, user.spec.displayName],
+ },
 }
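Review bot: `secret_name` in `CephObjectStoreUser` is built from `user.spec.displayName`, but as far as I know Rook names the generated secret `rook-ceph-object-user-<store>-<user>` after the resource's `metadata.name`, while displayName is a free-form label. The two match in the one definition this commit shows in full (name and displayName both `nextcloud`), but a user whose display name differs would point consumers at a secret that does not exist; `secret_name:: "rook-ceph-object-user-%s-%s" % [user.spec.store, user.metadata.name],` avoids that. The comment about copying secrets could also state that the future automation should be granted read access to this one secret name only, not to every secret in the ceph namespace. The `kube { ... }` object begins outside the hunk.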