diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..825333b
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,16 @@
+keys:
+ - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+
+ - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
+
+creation_rules:
+ - path_regex nixos/machines/nyarlathotep/.*
+ key_groups:
+ - age:
+ *nerf
+ *nyarlathotep
+ # this is the catchall clause if nothing above machtes. Encrypt to users but not
+ # to machines
+ - key_groups:
+ - age:
+ *nerf
diff --git a/README.md b/README.md
index a09d76c..26734c0 100644
--- a/README.md
+++ b/README.md
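Review bot: The machine rule at `- path_regex nixos/machines/nyarlathotep/.*` has no colon after `path_regex`, so as written it is a plain scalar list item rather than a `path_regex:` key, and sops will either reject the file or never match the machine directory and fall through to the catch-all, which encrypts to `*nerf` only; the recipients of that same rule appear as bare `*nerf` / `*nyarlathotep` lines under `age:` where sops expects a sequence, though indentation is lost in this rendering so confirm against the committed file. The fix is `- path_regex: nixos/machines/nyarlathotep/.*` plus `- *nerf` and `- *nyarlathotep` as list items under `age:`. Rules are matched top to bottom and only applied at encryption time, so any secret encrypted while the rule was broken stays readable only by the user key until it is re-encrypted with `sops updatekeys`.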
@@ -109,3 +109,25 @@ is imported as (`../../roles`) in every machine. Notable are the files `nixos/ro
 common admin accounts for these machines and `nixos/roles/nix_keys.nix` which contains the additional trusted keys for the nix store.
+## sops
+
+We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix)
+As of right now we use only `age` keys.
+The machine keys are derived from their server ssh keys, that they generate at first boot.
+User keys are generated by the users.
+New keys and machines need entries into the `.sops.yaml` file within the root directory of this repo.
+
+To make a secret available on a given machine you need to do the following. Configure the following keys
+
+ ```
+sops.secrets.example-key = {
+ sopsFile = "relative path to file in the repo containing the secrets (optional else the sops.defaultSopsFile is used)
+ path = "optinal path where the secret gets symlinked to, practical if some programm expects a specific path"
+ owner = user that owns the secret file: config.users.users.nerf.name (for example)
+ group = same as user just with groups: config.users.users.nerf.group
+ mode = "premission in usual octet: 0400 (for example)"
+ ```
+afterwards the secret should be available in `/run/secrets/example-key`.
+If the accessing process is not root it must be member of the group `config.users.groups.keys`
+for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
+it the service config.
diff --git a/flake.lock b/flake.lock
index 64650eb..2ad8261 100644
--- a/flake.lock
+++ b/flake.lock
@@ -120,11 +120,49 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1694908564,
+ "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "596611941a74be176b98aeba9328aa9d01b8b322",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "flake-parts": "flake-parts",
 "nixos-mailserver": "nixos-mailserver",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1695284550,
+ "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "utils": {
diff --git a/flake.nix b/flake.nix
index d2c7384..727dd91 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,6 +10,10 @@
 nixpkgs.follows = "";
 };
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = inputs@{ flake-parts, ... }:
diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix
index cca5849..d82fbd4 100644
--- a/nixos/flake-module.nix
+++ b/nixos/flake-module.nix
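Review bot: The new `sops-nix` input only pins `inputs.nixpkgs.follows = "nixpkgs";`, while the lock in the same commit shows sops-nix also carrying its own `nixpkgs-stable` input (a second nixpkgs checkout on `release-23.05`), so the flake now evaluates against two nixpkgs trees and the second one only moves when sops-nix's own lock is updated. If that input is not needed by this deployment, the hunk's own context already shows the pattern used for the mailserver input, `nixpkgs.follows = "";`, so adding `inputs.nixpkgs-stable.follows = "nixpkgs";` (or `= "";`) next to the existing follows line keeps a single pinned package set to audit and update. Confirm that sops-nix still evaluates with that override before relying on it.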
@@ -2,6 +2,15 @@
 # This automatically searches for nixos configs in ./machines/${name}/configuration.nix
 # and exposes them as outputs.nixosConfigurations.${name}
+#
+
+# a comment regarding pkgs.nixos vs lib.nixosSystem
+# while lib.nixosSystem is the usual enduser way to evaluate nixos configurations
+# in flakes, pkgs.nixos sets the package set to the packages it comes from.
+# This spares us tracking our potentiell overlays and own package additions, but just
+# using the right package set to begin with. Using lib.nixosSystem from the flake we would
+# need to specify that again.
+
+
 { withSystem, lib, inputs, ... }: {
 flake = {
 nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }:
@@ -11,7 +20,7 @@
 pkgs.nixos {
 imports = [
 (import (./. + "/machines/${name}/configuration.nix") inputs)
- # inputs.secrets.nixosModules.default
+ inputs.sops-nix.nixosModules.sops
 ];
 };
 in lib.genAttrs machines makeSystem);
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index dcfab4f..de4eb17 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -25,6 +25,8 @@ users = {
 mutableUsers = false;
 };
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
 environment = {
 systemPackages = builtins.attrValues {
 inherit (pkgs)
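Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` makes the host's SSH key the sole decryption identity for every sops secret on every machine that imports this role, so the key must exist before sops-nix's activation step runs; the README in this commit says the key is generated at first boot, which means the first activation of a fresh install has no identity to decrypt with, and a host whose key is regenerated (reinstall, key rotation) cannot decrypt again until `.sops.yaml` is updated and the files are re-encrypted with `sops updatekeys`. Worth a comment above the line that records this bootstrap order and the consequence that a host-key compromise is also a secrets compromise, e.g. `# age identity is derived from the host key: it must exist before secrets are set up, and rotating or reinstalling the host invalidates it until updatekeys is run`. Note also that the role sets no `sops.defaultSopsFile`, which the README's `sopsFile` example treats as the fallback, so unless each machine config sets one every secret must name its file explicitly. The enclosing module attribute set starts before this hunk.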