diff --git a/flake.lock b/flake.lock index 28d29adb..0a138872 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,50 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", + "owner": "ryantm", + "repo": "agenix", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "devshell": { "inputs": { "nixpkgs": "nixpkgs" @@ -128,7 +173,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1726560853, @@ -146,7 +191,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -215,6 +260,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" 
@@ -414,7 +480,7 @@ "nixpkgs" ], "nuschtosSearch": "nuschtosSearch", - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1751492444, @@ -526,9 +592,10 @@ }, "root": { "inputs": { + "agenix": "agenix", "devshell": "devshell", "hardware": "hardware", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "nix-alien": "nix-alien", "nix-flatpak": "nix-flatpak", "nix-topology": "nix-topology", @@ -582,6 +649,21 @@ "repo": "default", "type": "github" } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index 0c07d801..29bb1659 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,10 @@
 home-manager.url = "github:nix-community/home-manager";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
+ # Agenix
+ agenix.url = "github:ryantm/agenix";
+ agenix.inputs.nixpkgs.follows = "nixpkgs";
+
 # Nix User Repository (e.g. Firefox addons)
 nur.url = "github:nix-community/NUR";
 nur.inputs.nixpkgs.follows = "nixpkgs";
@@ -134,7 +138,7 @@
 # NOTE: Keep public keys here so they're easy to rotate
- publicKeys = {
+ publicKeys.christoph = {
 ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAoJac+GdGtzblCMA0lBfMdSR6aQ4YyovrNglCFGIny christoph.urlacher@protonmail.com";
 };
 in {
@@ -172,9 +176,13 @@
 hostname = "nixinator";
 username = "christoph";
 headless = false;
+
+ # Extra NixOS system modules.
+ # HM modules are passed through home/modules/default.nix
 extraModules = [
 # TODO:
 # inputs.nix-topology.nixosModules.default
+ inputs.agenix.nixosModules.default
 ];
 };
 nixtop = mylib.nixos.mkNixosConfigWithHomeManagerModule {
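Review bot: In the flake.nix inputs hunk (`@@ -16`), only agenix's `nixpkgs` input is redirected, so the flake.lock part of this commit pins extra third-party trees on its behalf: a `darwin` node (lnl7/nix-darwin) and a second `home-manager` node locked separately from the root one, which is now `home-manager_2`. Each extra locked input is another repository revision to trust and keep updated. Consider adding `agenix.inputs.home-manager.follows = "home-manager";` and, if none of the hosts is a Darwin machine, `agenix.inputs.darwin.follows = "";` next to the existing `follows` line. The `inputs` block starts and ends outside the hunk.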
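Review bot: The comment above `publicKeys.christoph` in the `@@ -134` hunk says the keys live here so they are easy to rotate, but it does not say what rotation involves once agenix is in use. If these keys end up as agenix recipients (the recipients file is not part of this diff, so this is an assumption), changing a key here also means re-encrypting every secret with `agenix --rekey`, and a removed key can still decrypt ciphertext already present in the repository history, so the secret values themselves have to be replaced. I would extend the comment, for example `# NOTE: if used as agenix recipients, rotating a key means re-keying all secrets (agenix --rekey) and replacing the secret values`. The enclosing binding block starts outside the hunk.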
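Review bot: `inputs.agenix.nixosModules.default` is added by hand to the `extraModules` list in the `@@ -172` hunk and again in the `@@ -185`, `@@ -195` and `@@ -205` hunks, so a host added later gets the secrets module only if someone remembers to copy the line. Since every host touched by this commit receives the module, it would be more robust to add it once, for example through a shared binding such as `commonModules = [ inputs.agenix.nixosModules.default ];` that each `extraModules` list reuses, or inside `mkNixosConfigWithHomeManagerModule` itself (its definition is not shown here). The host attribute sets start outside these hunks.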
@@ -185,6 +193,7 @@
 extraModules = [
 # TODO:
 # inputs.nix-topology.nixosModules.default
+ inputs.agenix.nixosModules.default
 ];
 };
 servenix = mylib.nixos.mkNixosConfigWithHomeManagerModule {
@@ -195,6 +204,7 @@
 extraModules = [
 # TODO:
 # inputs.nix-topology.nixosModules.default
+ inputs.agenix.nixosModules.default
 ];
 };
 thinknix = mylib.nixos.mkNixosConfigWithHomeManagerModule {
@@ -205,6 +215,7 @@
 extraModules = [
 # TODO:
 # inputs.nix-topology.nixosModules.default
+ inputs.agenix.nixosModules.default
 ];
 };
diff --git a/system/default.nix b/system/default.nix
index b8920eff..847f95d4 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -248,6 +248,9 @@ with mylib.networking; {
 libimobiledevice
 ifuse
 usbmuxd
+
+ # Secrets handling
+ inputs.agenix.packages.${system}.default
 ];
 # It is preferred to use the module (if it exists) over environment.systemPackages,
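Review bot: `inputs.agenix.packages.${system}.default` in the package list of system/default.nix installs the agenix command-line tool on every host that imports this file, although decryption at activation is handled by the NixOS module and the CLI is only needed where secrets are created, edited or re-keyed. If this file is shared by servers as well as workstations (the path suggests so, but the imports are not visible), consider adding the package only on the machines used for editing secrets. A short comment such as `# agenix CLI: only for editing/re-keying secrets, not needed for decryption` would also make the intent clear. The list starts outside the hunk.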