diff --git a/system/default.nix b/system/default.nix
index 9fda37ce..352a3282 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -248,9 +248,6 @@ with mylib.networking; {
 libimobiledevice
 ifuse
 usbmuxd
-
- # Secrets handling
- # inputs.agenix.packages.${system}.default
 ];
 # It is preferred to use the module (if it exists) over environment.systemPackages,
diff --git a/system/modules/default.nix b/system/modules/default.nix
index 45c26ddc..69ccf370 100644
--- a/system/modules/default.nix
+++ b/system/modules/default.nix
@@ -5,7 +5,8 @@
 ./docker
 ./fonts
 ./mime
- ./polkit
 ./network
+ ./polkit
+ ./sops
 ];
 }
diff --git a/system/modules/sops/default.nix b/system/modules/sops/default.nix
new file mode 100644
index 00000000..5842e80d
--- /dev/null
+++ b/system/modules/sops/default.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ mylib,
+ pkgs,
+ ...
+}: let
+ inherit (config.modules) sops;
+in {
+ options.modules.sops = import ./options.nix {inherit lib mylib;};
+
+ config = {
+ environment.systemPackages = [pkgs.sops];
+ };
+}
diff --git a/system/modules/sops/options.nix b/system/modules/sops/options.nix
new file mode 100644
index 00000000..d2d37dc3
--- /dev/null
+++ b/system/modules/sops/options.nix
@@ -0,0 +1,6 @@
+{
+ lib,
+ mylib,
+ ...
+}: {
+}
diff --git a/system/modules/sops/sops.yaml b/system/modules/sops/sops.yaml
new file mode 100644
index 00000000..aa9be99f
--- /dev/null
+++ b/system/modules/sops/sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &christoph 2D77520CF698928A855E0B9A2AB59FDA7728388B
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - pgp:
+ - *christoph
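Review bot: In system/modules/sops/default.nix the `inherit (config.modules) sops;` binding is never read, and the `config` block adds `pkgs.sops` unconditionally, so every host that imports system/modules gets the package with no way to opt out. Since options.nix is added empty, it could declare `enable = lib.mkEnableOption "sops";`, with the body here becoming `config = lib.mkIf sops.enable { environment.systemPackages = [pkgs.sops]; };`; each host would then need to set the option to keep the package. The module as written only installs the sops CLI, and nothing visible in this commit decrypts secrets at activation. A one-line comment saying that secret provisioning is handled elsewhere (or is still to do) would stop readers from assuming the module already protects anything.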
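Review bot: The new config is named `sops.yaml` and sits under system/modules/sops/, but sops only auto-discovers a file called `.sops.yaml`, searching from the working directory upwards. Unless every invocation passes `--config`, these creation rules are likely never applied. Renaming it to `.sops.yaml` at a directory above the secrets files would make the rule take effect. The `path_regex: secrets.yaml$` pattern has an unescaped dot and no left anchor, so it also matches names such as `notsecrets_yaml`; `path_regex: (^|/)secrets\.yaml$` is tighter. The only recipient is one personal PGP fingerprint, so losing that key makes every secret unrecoverable, and a machine without it cannot decrypt; a second recovery or host recipient in the key group is worth considering.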