diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 26068ee..a139453 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -17,15 +17,6 @@
 neovim
 ];

- programs.git = {
- enable = true;
- config = {
- credential = {
- helper = "store";
- };
- };
- };
-
 services.openssh.enable = true;
 services.openssh.passwordAuthentication = false;

@@ -34,5 +25,12 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7P9K9D5RkBk+JCRRS6AtHuTAc6cRpXfRfRMg/Kyren"
 ];

+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age.sshKeyPaths = [ "/var/lib/id_ed25519" ];
+ secrets.github-access-token = { };
+ };
+ nix.extraOptions = "!include /run/secrets/github-access-token";
+
 system.stateVersion = "24.05";
 }
diff --git a/nixos/flake.nix b/nixos/flake.nix
index 3745d51..3bcf5a9 100644
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@@ -1,13 +1,17 @@
 {
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
- inputs.disko.url = "github:nix-community/disko";
- inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.url = "github:Mic92/sops-nix/bd695cc4d0a5e1bead703cc1bec5fa3094820a81";
+ };

 outputs = { nixpkgs, disko, ... }: {
 nixosConfigurations.default = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
 disko.nixosModules.disko
+ sops-nix.nixosModules.sops
 ./configuration.nix
 ./hardware-configuration.nix
 ];
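Review bot: The `nix.extraOptions` line in the second configuration.nix hunk hard-codes `/run/secrets/github-access-token` rather than taking the path from the secret's declaration, so the two can drift apart if the secret is renamed or given a custom `path`. Using `nix.extraOptions = "!include ${config.sops.secrets.github-access-token.path}";` keeps them tied; the module's argument list is outside this hunk, so `config` may need to be added there. Because `!include` skips a missing or unreadable file without an error, a failed decryption would only show up as unauthenticated GitHub requests. sops-nix installs secrets root-owned with mode 0400 by default, so non-root `nix` invocations will likely not see the token, which deserves a comment saying whether that is intended. The key listed in `age.sshKeyPaths` decrypts everything in `secrets.yaml`, and the commit does not show how `/var/lib/id_ed25519` is provisioned, so confirm it is root-owned and not group- or world-readable.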
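Review bot: `sops-nix` is referenced in the `modules` list of flake.nix, but the unchanged line `outputs = { nixpkgs, disko, ... }: {` does not bind it, so evaluation should fail with an undefined variable. Change that line to `outputs = { nixpkgs, disko, sops-nix, ... }: {`. Pinning the input to a full commit hash is a sound supply-chain choice, but unlike disko the new input does not follow the flake's nixpkgs. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` would avoid locking a second, separately tracked nixpkgs. The `outputs` block continues past the end of the hunk.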