diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..92b2793
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.direnv
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..cd7ad2f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+ - &laptop age1thulhunl9qf552rnlvhrdjrfy3udhfy43389thm5ehr09ycrwcsqdjd25q
+ - &vpn age1emavxf6jydt0f8nt7y5xyagthhh0hcc3f0kthtt2yx0am7df3vdqw7uwk6
+ - &vpn_ssh age1gqtj74kr2yumd7wkaf83j2ctlmltv6ykvkwna4thjjmr0v0tts6qnt5dc0
+ - &builder age1emavxf6jydt0f8nt7y5xyagthhh0hcc3f0kthtt2yx0am7df3vdqw7uwk6
+creation_rules:
+ - path_regex: secrets/*
+ key_groups:
+ - age:
+ - *laptop
+ - *vpn
+ - *vpn_ssh
+ - *builder
+
diff --git a/flake.lock b/flake.lock
index d85450d..f8f4082 100644
--- a/flake.lock
+++ b/flake.lock
@@ -204,7 +204,28 @@
 "lix-module": "lix-module",
 "nixgl": "nixgl",
 "nixpkgs": "nixpkgs",
- "nur": "nur"
+ "nur": "nur",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1751606940,
+ "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index bae5e50..f041db4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,9 +15,13 @@
 url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { nixpkgs, home-manager, nur, nixgl, lix-module, ... }:
+ outputs = { nixpkgs, home-manager, nur, nixgl, lix-module, sops-nix, ... }:
 let
 system = "aarch64-linux";
 pkgs = import nixpkgs {
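Review bot: In the `keys:` block of `.sops.yaml`, `&builder` carries the same age recipient as `&vpn` (`age1emavxf6…uwk6`), so the builder host has no key of its own in this rule set; if it is a separate machine it cannot decrypt `secrets/secrets.yaml`, and if sharing one identity is intentional a single anchor would say so. `path_regex: secrets/*` is an unanchored regex rather than a glob: it matches any path containing `secrets`, including `secrets/secrets.yaml.example`, so `path_regex: ^secrets/.*\.yaml$` would scope the rule to the encrypted file alone.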
@@ -37,11 +41,19 @@
 modules = [
 ./home.nix
 lix-module.nixosModules.default
+ sops-nix.homeManagerModules.sops
 ({ ... }: {
 nixpkgs.overlays = [ nur.overlays.default ];
 })
 ];
 };
 };
+ devShells.${system}.default = pkgs.mkShell {
+ buildInputs = [
+ pkgs.age
+ pkgs.sops
+ pkgs.just
+ ];
+ };
 };
 }
diff --git a/secrets/Justfile b/secrets/Justfile
new file mode 100644
index 0000000..be83c5e
--- /dev/null
+++ b/secrets/Justfile
@@ -0,0 +1,14 @@
+default:
+
+generate-key:
+ mkdir -p ~/.config/sops/age
+ age-keygen -o ~/.config/sops/age/keys.txt
+ cat ~/.config/sops/age/keys.txt
+
+# use `sops edit` instead
+# encrypt:
+# sops --encrypt --in-place secrets.yaml
+
+# decrypt:
+# sops --decrypt --in-place secrets.yaml
+
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..9dfa5c7
--- /dev/null
+++ b/secrets/secrets.yaml
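Review bot: `sops-nix.homeManagerModules.sops` is added to `modules`, but nothing in this commit sets the module's options and home.nix is not part of the diff; unless home.nix already sets `sops.defaultSopsFile` (pointing at `./secrets/secrets.yaml`) and `sops.age.keyFile` (the `~/.config/sops/age/keys.txt` the Justfile creates), the module is imported but inert and no secret is decrypted at activation. Worth confirming against home.nix, or setting those two options next to the module import. The `outputs` function this hunk belongs to starts outside the hunk.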
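Review bot: The `generate-key` recipe ends with `cat ~/.config/sops/age/keys.txt`, which prints the private identity line to the terminal, where it lands in scrollback and any session recording, while only the public key is needed to fill in `.sops.yaml`. `age-keygen -o` already reports the public key when it writes the file, so the `cat` line can be dropped, or replaced with `age-keygen -y ~/.config/sops/age/keys.txt` to show just the recipient. Re-running the recipe on a machine that already has a key is also worth guarding (for example `test ! -e ~/.config/sops/age/keys.txt` before `age-keygen`), since a replaced identity can no longer decrypt the committed `secrets.yaml`; I have not verified whether the installed `age-keygen` refuses to overwrite on its own.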
@@ -0,0 +1,34 @@
+openrouter_api_key: ENC[AES256_GCM,data:V/JK4bZb6ps22fseIz01AuXqHG+jGy1un3GzJNR5JL2y7WynHdVp9xsK01D4HoYApxYhbKG87VM2/40MSdfu46Rd7e6BwGCaiw==,iv:BMHPFzpu99911v3tBNvuZSzRiXpi+hJ+o/aGL3O/xPc=,tag:iXNV+chWGbUKUaghv6Rytw==,type:str]
+sops:
+ age:
+ - recipient: age1thulhunl9qf552rnlvhrdjrfy3udhfy43389thm5ehr09ycrwcsqdjd25q
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbkV1UUo0b0FzSVZ6ZTUw
+ cjdFNkpVOXFRanNuQkZWTlo4MjNVUTlyS1d3Ck9LVW9aemRTaFdLV0xnRGFuZUhT
+ QW5ab29kWmFjOWpvOEdXWjRMUkZWYUUKLS0tIHcxbWVjMlFMR2p4eWFrL1o5U3RR
+ akhEeWtRRHN5OG9ndzRVRS8rcm45RFEKa3Blj75nqr/tlzsHR4TIuGmUZiQvC2xI
+ cS1Zaja1WlcdRw6S8YapYF3jpP9fCPLun4vDQTPfuqMTt2R38TrO1w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1emavxf6jydt0f8nt7y5xyagthhh0hcc3f0kthtt2yx0am7df3vdqw7uwk6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MmphS0kwMkh5eVAveGFy
+ eVVqb3dITFRQQWx4cUdybXlNMGNEbUlDcVNRCkVkQlh5eGo0SkNVQ3k5c25LQUxU
+ ZHlMdEEvRXBMQVFVVjZtK2U1cU9KRTQKLS0tIGtlMHJRbThhZHBvSHlFQlFIdEtT
+ d25YNzhHekQrSUtyNklBcVIwalY3ek0KVYnN1qvmmcVPWZ1u+HwM8Ua+BbMOky7B
+ qXLuKB7yz2/utw9ACm6kzd28CB5kBIELdsv0GvmexV73cYe7h/w71w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1gqtj74kr2yumd7wkaf83j2ctlmltv6ykvkwna4thjjmr0v0tts6qnt5dc0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QmJsOEJGM2JOV2FRQ0Y2
+ Ui9uRGNmTkRneUpLR3ZRb0VqYWJvTlRzOHlJCkgwa0R6em1ndWMvVDZ6cW5idElz
+ UG8zaVNNdWJiRStocHkzc1Z2T0dVVWMKLS0tIHhSTEgwRXpPdXR2b1BqQnF2RVp4
+ bUZvN0pwdHBuYkN5M2JaOVExcXVFcmcKGPvIgMyzqBI2fUCU/83rPjnRHVKm0G43
+ nCbcF+TwcvNzgS8rGD3of8OeyK3D03jIJla9zVFBSWZ/zA5YHIHkgg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-08T06:03:47Z"
+ mac: ENC[AES256_GCM,data:QDbGVibN23+BYfPfpw49qPVKF2k76ANaaMaxcWDIaPHvNdIcT+CdNl6Y+HJgayZjBA8W03djnm7Sts+4ijt8+SWuw5pHBmSqs4h5cZ7Vb2SAKjTYz2vPKb3aBHChWLpeIeL9Ihcn2GKqAl8D7PUP7i+YvC8Owr+U5xND/zaHCJ8=,iv:5ERCUXnjVpiOBLeswkEYT/R3sHqBF6kyDZ78L8/pyTo=,tag:Dki4cKMF66MxqBLbjuItZg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/secrets/secrets.yaml.example b/secrets/secrets.yaml.example
new file mode 100644
index 0000000..8285da3
--- /dev/null
+++ b/secrets/secrets.yaml.example
@@ -0,0 +1 @@
+openrouter_api_key: d4d...