diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..fa3febb
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+ - users:
+ - &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+ - hosts:
+ - &telperion age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
+
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *jahanson
+ - *telperion
\ No newline at end of file
diff --git a/nixos/common.nix b/nixos/common.nix
index 9ef544c..44c77af 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -1,7 +1,28 @@
-{ pkgs, ... }:
+{ inputs, pkgs, ... }:
 {
- imports = [ ../cachix.nix ];
+ imports = [
+ ../cachix.nix
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ defaultSopsFile = ../secrets.yaml;
+ validateSopsFiles = false;
+
+ age = {
+ # Derives sops private key from host ssh private key and places it at /var/lib/sops-nix/key.txt.
+ sshKeyPath = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+
+ # # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
+ # secrets = {
+ # rndc_keys = {};
+ # };
+ };
+
 # Bootloader.
 boot = {
 loader = {
@@ -161,6 +182,7 @@
 # nix tools
 nvd
+ nix-inspect
 ];
 # my traceroute
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..cbc4518
--- /dev/null
+++ b/secrets.yaml
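Review bot: `path_regex: secrets.yaml$` is anchored only at the end and its dot is unescaped, so the rule also selects any path ending in those characters (for example a future `host-secrets.yaml` or a nested `foo/secrets.yaml`), which would silently be encrypted to exactly this user/host recipient set rather than failing for lack of a rule. If the file is always the repo-root `secrets.yaml` that the common.nix hunk points at, anchoring both ends makes the intent explicit: `path_regex: ^secrets\.yaml$`. Minor style point: the file is committed without a trailing newline (`\ No newline at end of file`), which will show up as noise in the next diff that touches it.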
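Review bot: `validateSopsFiles = false;` switches off sops-nix's evaluation-time check of the sops file, so a malformed `secrets.yaml` or a value that was never encrypted is only noticed when the host activates the configuration, and the hunk gives no reason for the override. Since `defaultSopsFile = ../secrets.yaml;` is a path inside the flake (which is what that check needs, as far as I can tell), the line looks unnecessary; either drop it to keep the default, or document why it is needed, e.g. `validateSopsFiles = false; # TODO(<reason the check cannot run here>)`. The `age` sub-block's comment already explains the key derivation well; a similar one-liner on `defaultSopsFile` naming the rule in `.sops.yaml` that encrypts it would help the next reader. The enclosing module attrset opened by the `{` context line closes outside this hunk.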
@@ -0,0 +1,32 @@
+rndc_keys:
+ main: ENC[AES256_GCM,data:ohxkgif+L3sinvm8lJXrcFIdabkO/VgH8i/Ewca5XAI9QP+2LQudDQ5V2xwEQAjy0MCDzqNdwhQwKGGotr8KshxBJZZZ4sy7ZF57FJzIM+ySUb6n5faKz9PpGFFxu8pNhQkthjEF,iv:SpUGmPT2mBOIDWzBZTAk7Mr86OakbW4CPP7hY3DLJUw=,tag:3xaQxRSZrXSgg3x/hu+Y/Q==,type:str]
+ externaldns: ENC[AES256_GCM,data:eMLZ9+vfkdtH2nxgZMB0FyCHc7+94lXLLfsyTvRVRCMKA+SKnzHQ1ep2pTGHRe8z9qdE9fzXNQAx8VyqxvQroadqFx8OA8yyfP5+A/a3GMQ3o+/dF9Nh8ysoLEZYvLk/qQYRSA0o/K39,iv:9wv4ySiQKWu4j7528aKdsX5XM/U+3BC05d/EgzK3gws=,tag:5XhYhSGETKP/exE2Zd6raA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNzRsKytjQ25NN2xsU0hI
+ MWZuRTZjRWNibnhnWkJsYklScmt5UFl2T2pBCnU4L2ZWVnRMclJaN2QyWHQwMVF2
+ Z1hTZUEwMXAwamxRWXgyQ0VQMUY3UVkKLS0tIHVVUXljMzh1MEExTURPSkFoV09u
+ MFB0VDhVUmxCc2JBaTlLV1BVTGJhVkEK2DtRNL6KBkBS23ywub66hpUcRn/Jea6k
+ +oXXU8kcQ30WqSupI6kUUK0Dd+at0vrV1tV/IkvfW0Qs5OzjgtPo5w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoT3RINjA2SUVsT21EWFpm
+ a2V2YytIMktRbSsrNkhlOGI4c2dRS2ZpakFZCmFTNGs5aXA4SW1PQnhSSHlQM0hL
+ cFZvZzlXdGtXbjg2WDNDYytqQkpwYmsKLS0tIFAyUEkrVXJEYkhSNktQR2pQOWFz
+ SHZmN3JDL1ExVHZ5K2txM2h6MzRKWE0KbS3kO9teIcRDY4hnb54LgWzcRQu7aGGf
+ TjnTJzqKqmRRMLOs5be6wbrxBiRe9p5nCN/WJ9nqhr7rfNNMUiZePw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-29T13:34:02Z"
+ mac: ENC[AES256_GCM,data:mrsov4+aHrhdtbZAwGoSSYpRNzzOHlSasGerHmS3tkY3CNskFCpgKNsdGMRsPJdO5JQmccFIRM5FOjdhxA2df+o64HJBWqVR41GzSAczz6m8jcRonsezC/53z684sLttRozR2mLVqU13dnUTNi+IfynJU8FsdwqgUhT6Kb7IvSI=,iv:bTgYT5nczrVmpF6cSLFipvr+5vu00yAi0JkJkBLYQdQ=,tag:qQcqON806EmFy4rpla0NOA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1