diff --git a/flake.nix b/flake.nix
index 1710671..3fcfca0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,6 +2,7 @@
 description = "dnsc-server NixOS flake";
 inputs = {
+ inputs.agenix.url = "github:ryantm/agenix";
 nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 home-manager = {
 url = "github:nix-community/home-manager";
@@ -29,7 +30,10 @@
 nixosConfigurations.dnsc-vps-sm = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {inherit inputs outputs;};
- modules = [./hosts/dnsc-vps-sm];
+ modules = [
+ ./hosts/dnsc-vps-sm
+ agenix.nixosModules.default
+ ];
 };
 darwinConfigurations.dnsc-air = nix-darwin.lib.darwinSystem {
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..12dc99e
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,21 @@
+let
+ dnsc-air = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvXWZOPOJJDAoF+Sx/ZLoAVu6G/7/MAWoknBgMAzjul dennis@dnsc-mac";
+ dnsc-vps-sm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHS4Cq3G0yjoXB9qargJc/zbZdlClnJOcLxSC5ROo7h dennis@dnsc-vps-sm";
+ dnsc-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3mkEgvHrwjsEReHQHpLbMP71JLvp6XxMPyW7PTaLCd dennis@dnsc-server";
+ systems = [ dnsc-air dnsc-vps-sm dnsc-server ];
+in
+{
+ # Add like this: "secret1.age".publicKeys = systems;
+}
+
+# 1. Create a file with secret
+# nix run github:ryantm/agenix -- -e $FILE_PATH
+#
+# 2. Reference the file in NixOS config:
+# {
+# age.secrets.secret1.file = ../secrets/secret1.age;
+# }
+#
+# 3. And use it like this:
+# passwordFile = config.age.secrets.secret1.path;
+
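Review bot: The added line `inputs.agenix.url = "github:ryantm/agenix";` sits inside the `inputs = { … }` attribute set, so it declares `inputs.inputs.agenix.url` rather than an input named `agenix`. It should read `agenix.url = "github:ryantm/agenix";`, otherwise the `agenix` reference in the second flake.nix hunk has no input behind it. No flake.lock change is visible in this commit; if the lock entry is not committed alongside, the revision of the module that will decrypt secrets on the host is not pinned in the repository. Consider also adding `agenix.inputs.nixpkgs.follows = "nixpkgs";` so the module is evaluated against the same nixpkgs as the rest of the system.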
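Review bot: `agenix.nixosModules.default` in the new `modules` list only resolves if `agenix` is bound in the `outputs` function's arguments, which lie outside this hunk. If it is not destructured there, write `inputs.agenix.nixosModules.default` instead; `inputs` is already in scope, as the `specialArgs` line shows. Only `dnsc-vps-sm` receives the module in this hunk, while secrets/secrets.nix also lists `dnsc-air` and `dnsc-server` as recipients, so those machines could encrypt and edit secrets but presumably not consume them through `age.secrets` until their configurations import the matching module as well.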
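Review bot: The three recipient keys carry `dennis@…` comments, which suggests they are user keys rather than SSH host keys. The agenix NixOS module decrypts with the identities in `age.identityPaths`, which defaults to the machine's OpenSSH host keys, so a secret encrypted only to these recipients would likely fail to decrypt at activation on `dnsc-vps-sm` unless the host's `ssh_host_ed25519_key.pub` is added as a recipient or `age.identityPaths` is set explicitly. The example `"secret1.age".publicKeys = systems;` also makes every secret readable by every listed machine; I would document per-secret recipients in the comment instead, e.g. `# "secret1.age".publicKeys = [ dnsc-air dnsc-vps-sm ];  # only the hosts that need it`. Step 1 could note that the command is run from the `secrets/` directory so that this rules file is picked up.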