diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..823cfcb
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+# Yaml anchor for key
+keys:
+ - &nathan age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+ - &levitation age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *nathan
+ - *levitation
diff --git a/flake.lock b/flake.lock
index f0c44c9..0b0edbd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -98,13 +98,30 @@
 "type": "github"
 }
 },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1638097282,
+ "narHash": "sha256-EXCzj9b8X/lqDPJapxZThIOKL5ASbpsJZ+8L1LnY1ig=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "78cb77b29d37a9663e05b61abb4fa09465da4b70",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "emacs": "emacs",
 "fenix": "fenix",
 "mozilla": "mozilla",
 "nixpkgs": "nixpkgs_2",
- "nixpkgs-unstable": "nixpkgs-unstable"
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix"
 }
 }
 },
 "rust-analyzer-src": {
@@ -123,6 +140,24 @@
 "repo": "rust-analyzer",
 "type": "github"
 }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3"
+ },
+ "locked": {
+ "lastModified": 1643003126,
+ "narHash": "sha256-JO5WrnP6+5qN3isdmm9VmjzvCM64UElgGnql7vEGjKU=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c86068ac9a317f235be24a468206f874ba00f8d0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 0f8881a..d8e8d18 100644
--- a/flake.nix
+++ b/flake.nix
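Review bot: The creation rule's `path_regex: secrets/[^/]+\.yaml$` is anchored only at the end, so sops applies it to any file whose path ends that way anywhere in the tree (for example a nested `other/secrets/foo.yaml`), not just the directory flake.nix reads from; anchoring the start, `path_regex: ^secrets/[^/]+\.yaml$`, limits the rule to the intended directory. The comment `# Yaml anchor for key` would be more useful if it said what the two recipients are: flake.nix decrypts with the host's `/etc/ssh/ssh_host_ed25519_key`, so one of these recipients presumably has to be the age key derived from that host key and the other a person's key, and whoever edits the list needs to know which is which and that the existing secrets files must be re-keyed afterwards. Something like `# age recipients: nathan = personal key, levitation = host key derived from ssh_host_ed25519_key (confirm); re-key secrets/*.yaml after changing this list` would capture that.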
@@ -14,15 +14,17 @@
 url = "github:mozilla/nixpkgs-mozilla";
 flake = false;
 };
+ sops-nix.url = "github:Mic92/sops-nix";
 };
- outputs = { self, nixpkgs, nixpkgs-unstable, fenix, emacs, mozilla }:
+ outputs = { self, nixpkgs, nixpkgs-unstable, fenix, emacs, mozilla, sops-nix }:
 let
 coreModules = [
 ./modules/user.nix
 ./modules/common.nix
 ./modules/ssh.nix
 ./applications/utils-core.nix
+ sops-nix.nixosModules.sops
 ({ pkgs, ... }: {
 ## Setup binary caches
 # First install cachix, so we can discover new ones
@@ -37,6 +39,13 @@
 ];
 };
 })
+ ## Setup sops
+ ({ pkgs, config, ... }: {
+ sops.defaultSopsFile = ./secrets/nathan.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.secrets.lastfm-username.owner = "nathan";
+ sops.secrets.lastfm-password.owner = "nathan";
+ })
 ];
 desktopModules = coreModules ++ [
 ./modules/audio.nix
diff --git a/secrets/nathan.yaml b/secrets/nathan.yaml
new file mode 100644
index 0000000..4f3e10c
--- /dev/null
+++ b/secrets/nathan.yaml
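Review bot: `sops-nix.url = "github:Mic92/sops-nix";` is added without a matching `sops-nix.inputs.nixpkgs.follows = "nixpkgs";`, and the flake.lock hunks in this same commit show the consequence: a separate `nixpkgs_3` is pinned for sops-nix alongside the flake's own nixpkgs. Adding the follows line keeps a single nixpkgs tree to track and audit and avoids evaluating a second copy of it. The `outputs` function continues past the end of this hunk.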
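Review bot: The new sops module binds `pkgs` and `config` in `({ pkgs, config, ... }: {` but uses neither, so `({ ... }: {` would do and makes clear the module depends on nothing from the system. The block would also benefit from a comment stating the decryption path it relies on, since `sops.age.sshKeyPaths` means the secrets are decrypted at activation with the host's ed25519 key and the corresponding age recipient therefore has to be present in `.sops.yaml` and the secrets file re-keyed if that host key is ever regenerated, e.g. `# Decrypted at activation with the host's ssh ed25519 key (as an age identity); its recipient must be listed in .sops.yaml`. Both `lastfm-*` secrets are handed to user `nathan`; a short comment naming the program that reads them as that user would justify the ownership choice.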
@@ -0,0 +1,31 @@
+lastfm-username: ENC[AES256_GCM,data:mVx3ycAJj6hS9lO+DQ==,iv:9JSXwl+X5eKIoJFjOt7LntlK6iQcy/Fm1ViG/J3I1d8=,tag:f8Q2F0Op/YCPq0qYeJzcFg==,type:str]
+lastfm-password: ENC[AES256_GCM,data:4jOnCDKn4fSD5mCIgoZqxOJP7E9TKP3r,iv:olko3/QHnNPoNpEMUeGL77qxphYLGhHSnn+ru5ANd2U=,tag:XAKVjDpS1Vc0NWKaS4OtHQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWV2hlQW1PV1hnTTZSWWtt
+ cmsxTTBvMHJLREtqZWFON1RQU0M5bVhDN1ZrClh0S2d0L0dDU1pkV25TRW5HWnNl
+ Rm9iV0QxS3ozLytRWjVqQ3pkR0lsc2cKLS0tIFJZcGlZWkM4dEI4cmJYOFhrNXZT
+ Um50R0dvK0E3M21qSDBaRkwrOXRvTHMKfDJZYDxrhS5QJzVbkdDI6JgqGI/C10e1
+ lW4ZDC6HVOao5KPCPQbPcxcQE3JT15FKfKEDqxGvdD3zLVT0BA5fTg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidjBqaWRvOXI1SzZuRm1D
+ YW1WVUNJS3VHRlU3NXpDYi9pd3ordWJGSUFNCkNZNXFaMHFSV0VLVEdnWDdPejZL
+ RUZqNHBRMkEyMnZwcWVBeDY2ZzlJSVUKLS0tIDBEQ05TRDhVUjVsU2tTbHNMcmNW
+ cU0yNmUwZkRLQXFjQTRUT3EwUWFRcjgKw/mW2oZs32C25oxLBaHy1B8m1ADL/37X
+ 0azQK3sxKUFesTM/p2zJ1ZLVm9uvCnKWA/eg1uJlJ0PmQ5YvBpuvpQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-02-03T11:57:24Z"
+ mac: ENC[AES256_GCM,data:V7C2AJwresf/td55Z7aww2Grjp9Om90u3v8ScusjfKnjxgVQUcY1oFdByt2TIAI2DYBrVXQOKoN6LGacGfC+K8/DrpsbVdP4g2Fcl/FZOQvyWuoW9SQVIbzrBi5fAZ9ztHodSbeg5OnhTgrPnEV6v6Rgr78e/LMiUniV/harltY=,iv:v2Nle+yZdNMEwfvH8IgXB7TyHuXIZOvufQ2L7DuRKK8=,tag:Ui74J+d4jRjTn157gHdADw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1