diff --git a/base/programs.nix b/base/programs.nix
index 86a0668..ab3abc7 100644
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -53,6 +53,8 @@
 # nix pkgs lookup
 nix-index
+
+ agenix
 ;
 inherit (pkgs.llvmPackages_11)
diff --git a/flake.lock b/flake.lock
index 2c990e4..a7dafe2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,23 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1641576265,
+ "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "08b9c96878b2f9974fc8bde048273265ad632357",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "emacs-overlay": {
 "locked": {
 "lastModified": 1642358862,
@@ -71,18 +89,15 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1642104392,
- "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5",
- "type": "github"
+ "lastModified": 1618628710,
+ "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
+ "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
+ "rev": "7919518f0235106d050c77837df5e338fb94de5d",
+ "type": "path"
 },
 "original": {
- "owner": "NixOS",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
+ "id": "nixpkgs",
+ "type": "indirect"
 }
 },
 "nixpkgs-unstable-small": {
@@ -101,13 +116,30 @@
 "type": "github"
 }
 },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1642104392,
+ "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "emacs-overlay": "emacs-overlay",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
 "nixpkgs-unstable-small": "nixpkgs-unstable-small"
 }
 }
diff --git a/flake.nix b/flake.nix
index 9bc927c..16e9b08 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,6 +15,12 @@
 ref = "nixos-unstable-small";
 };
+ agenix = {
+ type = "github";
+ owner = "ryantm";
+ repo = "agenix";
+ };
+
 emacs-overlay = {
 type = "github";
 owner = "nix-community";
@@ -45,7 +51,7 @@
 };
 };
- outputs = { self, nixpkgs, home-manager, ... } @inputs: {
+ outputs = { self, nixpkgs, home-manager, agenix, ... } @inputs: {
 nixosModules = {
 home = {
 home-manager.useGlobalPkgs = true;
@@ -74,9 +80,13 @@
 inherit system;
 config.allowUnfree = true;
 };
+ })
+
+ agenix.overlay
 ] ++ builtins.attrValues self.overlays;
 sharedModules = [
+ agenix.nixosModules.age
 home-manager.nixosModule
 { nixpkgs.overlays = shared_overlays; }
 ] ++ (nixpkgs.lib.attrValues self.nixosModules);
diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
index 231692f..8302757 100644
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@@ -53,6 +53,11 @@ in
 };
 };
 fwupd.enable = true;
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ };
 };
 my.gui.enable = true;
diff --git a/modules/default.nix b/modules/default.nix
index 761f84e..dd987a9 100644
--- a/modules/default.nix
+++ b/modules/default.nix
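Review bot: The `agenix = { ... };` block in the first flake.nix hunk does not make agenix follow the flake's own `nixpkgs`, which is why the flake.lock hunks now carry two nixpkgs nodes (`nixpkgs_2` for root, and a `nixpkgs` node for agenix locked as `"type": "path"` under `/nix/store/...`); a store-path lock entry cannot be fetched on another machine, and the extra node is evaluated separately. Add `inputs.nixpkgs.follows = "nixpkgs";` after `repo = "agenix";` and re-lock, which collapses the lock back to a single nixpkgs node. The `outputs` and overlay hunks need no change for this.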
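Review bot: The new `openssh` block sets `passwordAuthentication = false;` but leaves keyboard-interactive authentication at its default, and with NixOS's PAM integration sshd can still prompt for a password through the `keyboard-interactive` method, so this does not yet enforce key-only logins. Add `challengeResponseAuthentication = false;` beside it (later nixpkgs renamed the option `kbdInteractiveAuthentication`, so the name follows the pinned revision). The enclosing attribute set, presumably `services`, begins outside the hunk.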
@@ -2,6 +2,7 @@
 {
 imports = [
 ./sddm.nix
+ ./secrets
 ./wakeonwlan.nix
 ];
 }
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
new file mode 100644
index 0000000..06636db
--- /dev/null
+++ b/modules/secrets/default.nix
@@ -0,0 +1,24 @@
+{ config, lib, options, ... }:
+
+{
+ config.age = {
+ secrets =
+ let
+ toName = lib.removeSuffix ".age";
+ userExists = u: builtins.hasAttr u config.users.users;
+ # Only set the user if it exists, to avoid warnings
+ userIfExists = u: if userExists u then u else "root";
+ toSecret = name: { owner ? "root", ... }: {
+ file = ./. + "/${name}";
+ owner = lib.mkDefault (userIfExists owner);
+ };
+ convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+ secrets = import ./secrets.nix;
+ in
+ lib.mapAttrs' convertSecrets secrets;
+
+ identityPaths = options.age.identityPaths.default ++ [
+ "/home/alarsyo/.ssh/id_ed25519"
+ ];
+ };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
new file mode 100644
index 0000000..53ef8d1
--- /dev/null
+++ b/modules/secrets/secrets.nix
@@ -0,0 +1,14 @@
+let
+ alarsyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad";
+ users = [ alarsyo ];
+
+ boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
+ poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
+ zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
+
+ machines = [ boreal poseidon zephyrus ];
+
+ all = users ++ machines;
+in
+{
+}
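Review bot: `identityPaths` appends the user key `/home/alarsyo/.ssh/id_ed25519` to the decryption identities on every host that imports `modules/default.nix`, so one workstation key decrypts every host's secrets, and the root-run activation then depends on a user-owned file that may be passphrase-protected or not mounted yet; the option default already supplies the SSH host keys when sshd is enabled, per agenix. If the key is only needed by the `agenix` CLI when editing, drop the line; otherwise scope it to the one host that needs it and record why with a comment such as `# <host> has no host-key recipient yet; decrypt with <user>'s key - TODO remove once the host key is added`. `toSecret` also forwards only `owner` and silently drops any other field of a secrets.nix entry; a one-line comment on it, `# publicKeys is consumed by the agenix CLI, not the module; only owner is forwarded`, would make that deliberate.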
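Review bot: `users`, `machines` and `all` are defined but the file returns `{ }`, so `lib.mapAttrs' convertSecrets` in default.nix produces no secrets and every binding here is dead until an entry exists. A header comment giving the expected shape, e.g. `# "<name>.age" = { publicKeys = all; owner = "<user>"; };` (default.nix reads only `owner`; `publicKeys` is read by the agenix CLI), would make the scaffold self-describing.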