diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..6d52deb
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,5 @@
+keys:
+ - &pipeline age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ age: *pipeline
\ No newline at end of file
diff --git a/dev_system.nix b/dev_system.nix
index 4748cec..c970b07 100644
--- a/dev_system.nix
+++ b/dev_system.nix
@@ -25,6 +25,15 @@ in
./dummy-hardware.nix
];

+ sops = {
+ defaultSopsFile = "./secrets/example.yaml";
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25510_key" ];
+ keyFile = "/root/.config/sops/age/keys.txt";
+ generateKey = true;
+ };
+ };
+
users.users = {
# connection only via ssh key
pipeline = {
@@ -32,7 +41,7 @@ in
home = "/home/pipeline";
description = "User used by forgejo runners to connect to this system";
extraGroups = [ "docker" ];
- openssh.authorizedKeys.keys = [ "TODO" ];
+ openssh.authorizedKeys.keyFiles = [ config.sops.secrets."foo".path ];
};
};
}
diff --git a/flake.nix b/flake.nix
index fe67172..e058abc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,14 +1,15 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ sops-nix.url = "github:Mic92/sops-nix";
};
outputs =
- { nixpkgs, ... }:
+ inputs:
{
colmena = {
meta = {
- nixpkgs = import nixpkgs {
+ nixpkgs = import inputs.nixpkgs {
system = "x86_64-linux";
overlays = [ ];
};
@@ -47,7 +48,7 @@
...
}:
{
- imports = [ ./dev_system.nix ];
+ imports = [ ./dev_system.nix inputs.sops-nix.nixosModules.sops ];
};
};
};
diff --git a/secrets/example.yaml b/secrets/example.yaml
new file mode 100644
index 0000000..67899d3
--- /dev/null
+++ b/secrets/example.yaml
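Review bot: The creation rule names a single age recipient, `&pipeline age1554…`, so only the holder of that one private key can decrypt or re-encrypt anything under `secrets/`. If that recipient is the identity sops-nix derives or generates on the dev host (see the `sops.age` block in `dev_system.nix`), nobody can edit the secrets from a workstation without copying the host's private key off the machine. Listing the maintainers' own age public keys alongside `*pipeline` in the same rule keeps editing and key rotation possible, and a short comment above `keys:` saying which key belongs to whom would make that intent clear.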
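Review bot: `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25510_key" ]` looks like a typo for the standard host-key path `/etc/ssh/ssh_host_ed25519_key`; sops-nix cannot derive an age identity from a file that does not exist, so decryption on the target would fall back to whatever is at `keyFile` alone. With `generateKey = true` that file is created fresh on first activation and its public half is not the recipient listed in `.sops.yaml`, so `secrets/example.yaml` would presumably stay undecryptable unless the recipient was derived from the real host key. `defaultSopsFile = "./secrets/example.yaml"` is also a quoted string rather than a Nix path literal: the option takes a path so the file is copied into the store, whereas a relative string is not copied and will not resolve on the target at activation time — change it to `defaultSopsFile = ./secrets/example.yaml;`.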
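Review bot: `openssh.authorizedKeys.keyFiles` is read at build time — NixOS concatenates the listed files into the user's authorized-keys file while building the system closure — but `config.sops.secrets."foo".path` only exists on the target after activation, so this line cannot work as written. None of the visible hunks declare `sops.secrets.foo` either, and looking it up under `config.sops.secrets` without a declaration fails evaluation. An SSH public key is not a secret, so the simplest fix is to put the literal key back into `openssh.authorizedKeys.keys = [ "ssh-ed25519 <placeholder-public-key> pipeline" ];`; if it really must come from sops, declare the secret and have sshd read it at runtime through `services.openssh.authorizedKeysFiles` instead of the build-time option. The encrypted `foo` value in `secrets/example.yaml` (`data:rNll`, a few bytes of ciphertext) also looks like a placeholder rather than a key, so the secret should be re-encrypted with real content before this is relied on.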
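Review bot: `sops-nix.url = "github:Mic92/sops-nix"` tracks the repository's default branch and no `flake.lock` hunk is part of this change, so the input is only as pinned as a lock file that is either untracked or committed separately; make sure the lock update lands with this change, and consider `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` so the module does not pull in a second nixpkgs tree. Switching `outputs` from `{ nixpkgs, ... }:` to `inputs:` drops the pattern that documented which inputs are used; `{ nixpkgs, sops-nix, ... }@inputs:` keeps that while still providing `inputs` for the `import inputs.nixpkgs` and `inputs.sops-nix.nixosModules.sops` references in this file.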
@@ -0,0 +1,16 @@
+foo: ENC[AES256_GCM,data:rNll,iv:HkPwTkUQQoCFg249wvtM6426GzU/qbbrlcGsUOy2R4o=,tag:lKuHh4IlNeL6KeG3TrNbwg==,type:str]
+sops:
+ age:
+ - recipient: age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaThvKzVmQ2dtS3FKQjg4
+ Y3RrS1BlcTBONzNpbStVUXVkSjYwZG5acGtrCm9DT2N4U0MzWnBzUDZNZmI1SnIy
+ QStmWFRnM0JhWmhKQmxYSW9Veit0Zk0KLS0tIDJQYzh0Y0szdldtZWdQYm9IWUQ0
+ R1UyWWhBOFJkeFltNkt3bUVMRzhjNWcKekxxKb80omoydKORZzauX3qIup0/7aAw
+ h8yFK6qDh3on/GOHbVpJ0S9O6H/Zkgh0aRDFjUGNZDHcevubBphfyg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-05-05T15:32:10Z"
+ mac: ENC[AES256_GCM,data:qvmntOMwDU1YZ14gaAHoqBJASrhcQ0UkX+tjb7PYAX366vEj90fszEgRSuqIKKQZrZ2OG6BjOlMudy8A6/XFmGiFQXq6Lx7rhddNQ/q8l6jmDPUB6YGgNmOjldpoeYlw8nEymnnnQv2V3Xh2Vt9YsnPxFvRdW9uhmSaNf1qhf88=,iv:d5E+VWy0MCmLjROiB60CYvGjcj1y0KK7/Esk8n+M0Vc=,tag:h+9iGJzHbbdt5Ct0/o6L2w==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.1