diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..665b10e
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
diff --git a/.git-crypt/keys/default/0/91FF02AD4EEBB9C7E08FF04D6BD29B53D3847632.gpg b/.git-crypt/keys/default/0/91FF02AD4EEBB9C7E08FF04D6BD29B53D3847632.gpg
new file mode 100644
index 0000000..4a4cc59
Binary files /dev/null and b/.git-crypt/keys/default/0/91FF02AD4EEBB9C7E08FF04D6BD29B53D3847632.gpg differ
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..dca0b4c
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+secrets/**/*.secret filter=git-crypt diff=git-crypt
+secrets/matrix-email-config.nix filter=git-crypt diff=git-crypt
+home/secrets/*.secret filter=git-crypt diff=git-crypt
diff --git a/boreal.nix b/boreal.nix
index 448fcfb..63b89d5 100644
--- a/boreal.nix
+++ b/boreal.nix
@@ -10,6 +10,9 @@ # Service definitions ./services + # Configuration secrets + ./secrets + # Host-specific config ./hosts/boreal ];
diff --git a/poseidon.nix b/poseidon.nix
index 2739352..6e02ba3 100644
--- a/poseidon.nix
+++ b/poseidon.nix
@@ -11,6 +11,9 @@ # Service definitions ./services + # Configuration secrets + ./secrets + # Host-specific config ./hosts/poseidon ];
diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 0000000..5b4ab4a
--- /dev/null
+++ b/secrets/default.nix
@@ -0,0 +1,14 @@
+{ pkgs, lib, config, ... }:
+let
+ inherit (lib)
+ fileContents
+ mkOption
+ ;
+in {
+ options.my.secrets = let inherit (lib) types; in mkOption {
+ type = types.attrs;
+ };
+
+ config.my.secrets = {
+ };
+}
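Review bot: In the top-level `.gitattributes`, `home/secrets/*.secret` matches only files directly inside `home/secrets/`, whereas the `secrets/**/*.secret` rule recurses into subdirectories. A `.secret` file placed one level deeper under `home/secrets/`, or any secret whose name does not end in `.secret`, would be committed in plaintext with no warning, because git-crypt encrypts only paths that carry the filter attribute. I would write the third rule as `home/secrets/**/*.secret filter=git-crypt diff=git-crypt` to match the first, and add a comment above the rules such as `# Every secret must match one of these patterns BEFORE it is first committed; verify with "git-crypt status".`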
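Review bot: In `secrets/default.nix`, `options.my.secrets` has no `description`, and nothing records that git-crypt protects these values only inside the repository. `fileContents` is inherited but not used yet; if it is later used to read the `.secret` files into `config.my.secrets`, any value interpolated into a generated config file or derivation will presumably land in the world-readable Nix store on the host. I would add `description = "Decrypted secrets; values used in generated files end up in the world-readable Nix store.";` to the `mkOption` call so consumers of the option see the caveat. Separately, `types.attrs` does not merge nested definitions and silently drops earlier ones, so `type = types.attrsOf types.anything;` is the safer free-form type. The `pkgs` and `config` arguments are unused in this hunk and could be dropped.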