diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..b9340d2 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,13 @@ +keys: + - &users: + - &irl age1uhp600xemepn27l0vxnt7hmuvk53wmw5peh9d3wy4ma2apsympmqxm8jxq + - &hosts: + - &homeserver age1y9v37jc3kxuygw042qrsvseac5krhh3skp88ewlqlja00uslpyss62e4nd +creation_rules: + - path_regex: secrets.yaml$ + key_groups: + - age: + - *irl + - *homeserver + + diff --git a/flake.lock b/flake.lock index 042f8d1..6331e3b 100644 --- a/flake.lock +++ b/flake.lock @@ -110,6 +110,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1744868846, + "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "inputs": { "flake-parts": "flake-parts", @@ -138,7 +154,26 @@ "flake-utils": "flake-utils", "home-manager": "home-manager", "nixpkgs": "nixpkgs", - "nur": "nur" + "nur": "nur", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1749592509, + "narHash": "sha256-VunQzfZFA+Y6x3wYi2UE4DEQ8qKoAZZCnZPUlSoqC+A=", + "owner": "mic92", + "repo": "sops-nix", + "rev": "50754dfaa0e24e313c626900d44ef431f3210138", + "type": "github" + }, + "original": { + "owner": "mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { diff --git a/flake.nix b/flake.nix index 9caea5f..aa859b4 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,10 @@ url = "github:nix-community/NUR"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix = { + url = "github:mic92/sops-nix"; + inputs.nix.follows = "nixpkgs"; + }; }; outputs = { @@ -24,6 +28,7 @@ flake-utils, home-manager, nur, + sops-nix, ... }@inputs: let diff --git a/nixos/common.nix b/nixos/common.nix index d3cae09..f670c0e 100644 --- a/nixos/common.nix 
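Review bot: `path_regex: secrets.yaml$` leaves the dot unescaped, so as a regular expression it also matches paths such as `oldsecrets.yaml` or `secretsXyaml`, not only the `secrets.yaml` this commit adds; `path_regex: secrets\.yaml$` (or `^secrets\.yaml$`, if sops matches paths relative to this file) narrows it to the intended file. Both recipients sit in one key group, so either the user key or the host key alone can decrypt the file; that is a normal layout for a single personal host, but a one-line comment such as `# single group: user key or host key alone decrypts` keeps the intent visible when more hosts or users are added. The two empty lines at the end of the file can be dropped.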
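Review bot: `inputs.nix.follows = "nixpkgs";` in the new `sops-nix` input names an input that sops-nix does not declare, so the override is a no-op; the NUR entry directly above uses `inputs.nixpkgs.follows = "nixpkgs";` and the new block should read the same. The flake.lock hunk in this commit shows the effect: `sops-nix` lists only a `nixpkgs` input and it is bound to a new `nixpkgs_2` node pinned to a separate nixpkgs revision rather than following the flake's own `nixpkgs`. After correcting the key, re-lock so that `nixpkgs_2` disappears and the system is not evaluating two nixpkgs trees.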
+++ b/nixos/common.nix @@ -1,8 +1,30 @@ -{ pkgs, ... }: +{ + pkgs, + config, + sops-nix, + ... +}: { + imports = [ + sops-nix.nixosModules.sops + ]; + nix.settings.experimental-features = "nix-command flakes"; + sops = { + defaultSopsFile = ../secrets.yaml; + validateSopsFiles = false; + + age = { + sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + keyFile = "/var/lib/sops-nix/key.txt"; + generateKey = true; + }; + + secrets.irl-password.neededForUsers = true; + }; + time.timeZone = "Europe/London"; i18n.defaultLocale = "en_GB.UTF-8"; @@ -19,9 +41,12 @@ LC_TIME = "en_GB.UTF-8"; }; + users.mutableUsers = false; + users.users.irl = { isNormalUser = true; description = "irl"; + hashedPasswordFile = config.sops.secrets.irl-password.path; extraGroups = [ "networkmanager" "wheel" diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..57d61a2 --- /dev/null +++ b/secrets.yaml 
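Review bot: `validateSopsFiles = false;` in the new `sops` block disables the evaluation-time check of `../secrets.yaml`, while the second hunk of this file makes that file the only credential source for `irl` (`users.mutableUsers = false;` together with `hashedPasswordFile = config.sops.secrets.irl-password.path;`), so a secrets file the host cannot decrypt at activation leaves the only `wheel` user without a usable password. Because `defaultSopsFile` is a path inside the flake it is copied to the store anyway, so the usual reason for turning validation off does not appear to apply; either drop that line or keep it with a comment stating why, e.g. `# validateSopsFiles off: <reason>`. It is also worth confirming that `sops-nix` reaches this module via `specialArgs` — the flake.nix hunks in this commit add the input and the output parameter but do not show it being forwarded, so the `{ pkgs, config, sops-nix, ... }:` argument would otherwise be undefined at evaluation.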
@@ -0,0 +1,25 @@
+irl-password: ENC[AES256_GCM,data:8DcPiZ9Ui40MaOaPJ5XmZI3M7XDqLtBqJKLEUnolMYuNoa6dDBF/IicokQO6zvNVw0G2DPVQwbKzgEaWtvnj+5rXm+QbyEVIKw==,iv:+qsf6VzsMzAj6A5B6TCQ/ZaYDt0EiZYwQ7gZg0sw2TM=,tag:3Xi5bSJ7rYEUUVIDuynHag==,type:str]
+sops:
+ age:
+ - recipient: age1uhp600xemepn27l0vxnt7hmuvk53wmw5peh9d3wy4ma2apsympmqxm8jxq
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZmJkMlpoN2RRUEVVUCtS
+ cVl4T0grTit5TGtGUEM2MTlBRnQ2OWlWaEVrClErVm5uRzQySzNDM3J6dDFQY2U0
+ cjlVS1NpTzdBQzgvSHJndmlxMWRmbUkKLS0tIHBtTkhSU1BTZHhMaXdZT0xiWWZD
+ ZXlLNjAzSVkxZWtDRjlUMHV5bnJXK3MKNGKAW7iq/Qfo1dAt3Zxjzu+PsjdtaYPG
+ a5Zvnazkm2dmuajldII/+xk4r/JewBZmeWdd37n2lUpbSisgcw0X5A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y9v37jc3kxuygw042qrsvseac5krhh3skp88ewlqlja00uslpyss62e4nd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQTcxWkphbngrK3RMaEZF
+ UHU4ZURiVmNZdDhoR1l5YWVDZ1YvdlZWbndJCnRZd0tmR2lXcnA0V0dRaDZzZkg5
+ YitPd01mbFc1VHVyTDl3Sk9UTGptclEKLS0tIEtWb0VNZWFLUmNZRDh3S0N4WmN0
+ SlVKUDZWVEp2YmR4V3ArRW1GR1lXeTAKRJoawuTKrgrz6qeOSTmYLXO6n66QNPLA
+ C5UI4yB0WLeRxdqxU84a3rS2ZjgTh22RR0WwRe6siOaKOdS1G96DXw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-06-13T17:56:08Z"
+ mac: ENC[AES256_GCM,data:YjTPJ69gNE3MOxUq8X1H4ucqiJxIwRFBBLz0pu6nJgx64XDKe96qeiy7NLAnyJuzOgXpZxb6bm+ecf4E288Bq5NyqpWyrICXC37mSMMXTIoi+HZMHk/GYOAezfCHCBzJBKlJjTZhmslF1zu/4jGtUf/VTOCm+WTPDTUjVkzvwJ8=,iv:vsiDWLir7b/DmOgJFs9iuNxJxJAipdriP/XSPbm4MKU=,tag:aBXeQdetTepLNj/kl45McQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2