diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/.gitignore b/.gitignore
index 153dfbb..d7d21f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
 # nixos-rebuild buildvm --flake .#
 result
 *.qcow2
+
+# direnv
+.direnv
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..8044652
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+keys:
+ - &muon age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
+
+creation_rules:
+ - path_regex: modules/nixos/sops/secrets.ya?ml$
+ key_groups:
+ - age:
+ - *muon
diff --git a/flake.lock b/flake.lock
index 35518ff..7232929 100644
--- a/flake.lock
+++ b/flake.lock
@@ -133,24 +133,6 @@ "inputs": { "systems": "systems" }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, "locked": { "lastModified": 1731533236, "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", @@ -165,9 +147,9 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1681202837, @@ -183,7 +165,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_3": { "inputs": { "systems": [ "stylix",
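Review bot: The only recipient under `creation_rules` in `.sops.yaml` is the personal `muon` age key, so any machine that decrypts `secrets.yaml` at activation has to hold that same private key, and losing it leaves the file unrecoverable. Consider adding a per-host recipient as a second anchor under `keys:` and listing it under `age:`, so a host can be added or rotated out without sharing the user's key. Separately, `path_regex` is unanchored at the start and its `.` is unescaped; `^modules/nixos/sops/secrets\.ya?ml$` matches only the intended file.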
@@ -204,21 +186,6 @@ "type": "github" } }, - "flakey-profile": { - "locked": { - "lastModified": 1712898590, - "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", - "owner": "lf-", - "repo": "flakey-profile", - "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", - "type": "github" - }, - "original": { - "owner": "lf-", - "repo": "flakey-profile", - "type": "github" - } - }, "fromYaml": { "flake": false, "locked": { @@ -346,45 +313,10 @@ "type": "github" } }, - "lix": { - "flake": false, - "locked": { - "lastModified": 1729298361, - "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=", - "rev": "ad9d06f7838a25beec425ff406fe68721fef73be", - "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be" - }, - "original": { - "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz" - } - }, - "lix-module": { - "inputs": { - "flake-utils": "flake-utils", - "flakey-profile": "flakey-profile", - "lix": "lix", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1732605668, - "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=", - "rev": "f19bd752910bbe3a861c9cad269bd078689d50fe", - "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/f19bd752910bbe3a861c9cad269bd078689d50fe.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz" - } - }, "nix-alien": { "inputs": { "flake-compat": "flake-compat", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", "nix-filter": "nix-filter", "nix-index-database": "nix-index-database", "nixpkgs": "nixpkgs" @@ -442,7 +374,7 @@ "nix-minecraft": { "inputs": { "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs_2" }, "locked": { 
@@ -526,13 +458,33 @@ "root": { "inputs": { "home-manager": "home-manager", - "lix-module": "lix-module", "nix-alien": "nix-alien", "nix-minecraft": "nix-minecraft", "nixpkgs": "nixpkgs_3", + "sops-nix": "sops-nix", "stylix": "stylix" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736808430, + "narHash": "sha256-wlgdf/n7bJMLBheqt1jmPoxJFrUP6FByKQFXuM9YvIk=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "553c7cb22fed19fd60eb310423fdc93045c51ba8", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stylix": { "inputs": { "base16": "base16", @@ -541,12 +493,12 @@ "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_3", "git-hooks": "git-hooks", "gnome-shell": "gnome-shell", "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_4", - "systems": "systems_4", + "systems": "systems_3", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-tmux": "tinted-tmux", @@ -611,21 +563,6 @@ "type": "github" } }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "tinted-foot": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 16e3fad..2830dce 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,6 +5,9 @@ home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + stylix.url = "github:danth/stylix"; nix-minecraft.url = "git+https://codeberg.org/nix-astral/nix-minecraft.git"; nix-alien.url = "github:thiagokokada/nix-alien"; diff --git a/modules/nixos/core/user.nix b/modules/nixos/core/user.nix index 800f01c..1d53af0 100644 --- a/modules/nixos/core/user.nix +++ b/modules/nixos/core/user.nix @@ -9,9 +9,8 @@ isNormalUser = true; extraGroups = [ "wheel" ]; initialPassword = "changeme"; - shell = if config.programs.zsh.enable - then pkgs.zsh - else pkgs.bash; + hashedPasswordFile = config.sops.secrets.muon-password.path; + shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash; }; }; } diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index e86db4e..bd18466 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -5,6 +5,7 @@ ./desktop ./theme ./server + ./sops # { }, ... }: { + default = pkgs.mkShell { + NIX_CONFIG = + "extra-experimental-features = nix-command flakes ca-derivations"; + nativeBuildInputs = with pkgs; [ + nix + git + + sops + age + ]; + }; +}
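Review bot: In `modules/nixos/core/user.nix`, `initialPassword = "changeme";` is left in place next to the new `hashedPasswordFile`, so a known plaintext password is still part of the evaluated configuration and, depending on `users.mutableUsers` and NixOS's precedence between the password options, may be the one applied instead of the sops secret. Drop the `initialPassword` line in this change. The `./sops` module that declares `muon-password` is not visible here; confirm it sets `sops.secrets.muon-password.neededForUsers = true;`, since sops-nix otherwise decrypts secrets after users are created and the file would not exist yet when the password is read. The enclosing user attribute set starts outside the hunk.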