diff --git a/flake.nix b/flake.nix
index 6563945..51e4c5e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,33 +3,37 @@
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-
-    nur.url = "github:nix-community/nur";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-22.11";
 
     home-manager = {
       url = "github:nix-community/home-manager/master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    kmonad = {
-      url = "github:kmonad/kmonad?dir=nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-22.11";
-
     home-manager-stable = {
       url = "github:nix-community/home-manager/release-22.11";
       inputs.nixpkgs.follows = "nixpkgs-stable";
     };
 
+    nur.url = "github:nix-community/nur";
+
+    kmonad = {
+      url = "github:kmonad/kmonad?dir=nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     deploy-rs = {
       url = "github:serokell/deploy-rs";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = inputs @ { self, nixpkgs, home-manager, nur, kmonad, nixpkgs-stable, home-manager-stable, deploy-rs, ... }: {
+  outputs = inputs @ { self, nixpkgs, home-manager, nur, kmonad, nixpkgs-stable, home-manager-stable, deploy-rs, agenix, ... }: {
     nixosConfigurations = {
       io = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
@@ -37,6 +41,7 @@
         modules = [
           ./hosts/desktops/io.nix
           kmonad.nixosModules.default
+          agenix.nixosModule
           home-manager.nixosModules.home-manager
           {
             nixpkgs.overlays = [ nur.overlay ];
diff --git a/hosts/desktops/io.nix b/hosts/desktops/io.nix
index 3dea7b1..f51e2d5 100644
--- a/hosts/desktops/io.nix
+++ b/hosts/desktops/io.nix
@@ -10,6 +10,8 @@
     ./io
   ];
 
+  age.secrets.secret1.file = ../secrets/secret1.age;
+
   networking.hostName = "io";
 
   zramSwap = {
diff --git a/secrets/secret1.age b/secrets/secret1.age
new file mode 100644
index 0000000..cf6213e
Binary files /dev/null and b/secrets/secret1.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..cee744e
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,10 @@
+let
+  io = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCIrKJk5zWzWEHvLMPMK8T3PyeBjsCsqzxPN+OrXfhA";
+  desktops = [ io ];
+  
+  alexandria = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA";
+  servers = [ alexandria ];
+in
+{
+  "secret1.age".publicKeys = desktops;
+}