diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..a955967
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1sqssntfzzlhcgp0wuf9wmeavg0hmwmq349npsq8vaxj9sxey5s9ssc82sw
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/flake.nix b/flake.nix
index ac87abe..cffad20 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,6 +9,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 disko = {
 url = "github:nix-community/disko/latest";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -19,6 +24,7 @@
 {
 nixpkgs,
 home-manager,
+ sops-nix,
 disko,
 ...
 }:
@@ -34,6 +40,7 @@
 home-manager.useUserPackages = true;
 home-manager.users.wekuz = import ./hosts/plexy/home.nix;
 }
+ sops-nix.nixosModules.sops
 disko.nixosModules.disko
 ];
 };
diff --git a/hosts/plexy/default.nix b/hosts/plexy/default.nix
index 0a04d19..b6b91bf 100644
--- a/hosts/plexy/default.nix
+++ b/hosts/plexy/default.nix
@@ -59,6 +59,16 @@
 ];
 };
 
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.keyFile = /var/lib/sops-nix/key.txt;
+
+ secrets = {
+ super_secret_api = { };
+ };
+ };
+
 services = {
 openssh = {
 enable = true;
@@ -67,21 +77,6 @@
 };
 };
 
- virtualisation = {
- docker = {
- enable = true;
- autoPrune = {
- enable = true;
- dates = "weekly";
- randomizedDelaySec = "30min";
- flags = [
- "--all"
- "--volumes"
- ];
- };
- };
- };
-
 environment.variables.EDITOR = "nvim";
 
 users.users.wekuz = {
diff --git a/hosts/plexy/secrets.yaml b/hosts/plexy/secrets.yaml
new file mode 100644
index 0000000..04753a0
--- /dev/null
+++ b/hosts/plexy/secrets.yaml
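Review bot: The creation rule's `path_regex: secrets/secrets.yaml$` does not match the secrets file this commit adds at hosts/plexy/secrets.yaml (that path has no `secrets/` directory component), so sops will not apply the `*primary` recipient to any new secrets file created under hosts/. Editing the existing file appears to still work because the recipient is already recorded in its sops metadata, but `sops updatekeys` and any additional per-host secrets file would get no matching rule. Widening the pattern to the host layout, e.g. `path_regex: hosts/.*/secrets\.yaml$`, fixes this; escaping the dot also stops the rule from matching unrelated names.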
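Review bot: `age.keyFile = /var/lib/sops-nix/key.txt;` in the hosts/plexy/default.nix hunk is a Nix path literal rather than a string; when a path literal is coerced to a string during evaluation (which the module's option handling is likely to do), Nix copies the referenced file into the Nix store, so if the private age key exists on the machine that evaluates this configuration it can end up world-readable under /nix/store. sops-nix's own examples give this option as a quoted string for that reason, so the line should read `age.keyFile = "/var/lib/sops-nix/key.txt";`. The `defaultSopsFile = ./secrets.yaml;` path literal is fine, since that file is ciphertext and is meant to be in the store. The enclosing attribute set starts and ends outside the hunk.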
@@ -0,0 +1,16 @@
+super_secret_api: ENC[AES256_GCM,data:k0iECBf6Q0eJ,iv:aZ9nNh7IMK4Ge/xgZblaO86ZEABBW/f8PJV+Kgj2Y0g=,tag:p9x7IsZYIfaa6hlzRPceQw==,type:str]
+sops:
+ age:
+ - recipient: age1sqssntfzzlhcgp0wuf9wmeavg0hmwmq349npsq8vaxj9sxey5s9ssc82sw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXSERvcGNXdDlUb3NBUm40
+ WW1mVlY5YlpxclBxT3htQ1orbHpxTnBUTEJNCkZaZnUzZUZNQmk0RmU2U2RkOUVI
+ ZElUbVZEMjBNd0hKZkU0WjMzajgySVEKLS0tIE9rNkdoeWJzU1h5U0ZVa2YveGE0
+ eDUxR1V0ZEFSYnZTYnYzakFydEliaFUKoa/gHecAy01vTk7I02KMGGPHZBql5K48
+ hkLDjoWK9dkGRX8kqRd028cuMCQRenLpULEECWp6oV+evUdMf7wRtg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-30T13:57:31Z"
+ mac: ENC[AES256_GCM,data:OAa6W+v/eeuzSFKbiSzyUoFA40SHYDdhzMzTw35ytBGhfNJRPLNBKnQBnPE1fqkrcc+pQgjrOdhsz+V5EV+ze/7G69HADYxd/G4/zqK3+FyU7CBsNKpoCjXYTcEkBco8t76LEFefmE/BJcUm5JEBZ2Hudnkm50fdyQDIWlips+w=,iv:amKno6v2RUAKOM4Rh126T1RHomxU31MJwmbLkkHc7JU=,tag:/ddTFf1vp7THLK5kh57EzQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0