diff --git a/configuration.nix b/configuration.nix index 4296cb8..4eea77d 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, inputs, pkgs, lib, ... }: with pkgs; @@ -30,7 +30,13 @@ with pkgs; ''; }; - environment.systemPackages = [ libraspberrypi htop vim ]; + environment.systemPackages = [ + libraspberrypi + htop + neovim + git + inputs.agenix.defaultPackage.aarch64-linux + ]; # Load PWM hardware timers boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ]; @@ -103,7 +109,7 @@ with pkgs; allowReboot = true; }; - # Run Nix garbage collector, while avoiding recompilation + # Run Nix garbage collector, while avoiding recompilation and enable flakes nix = { settings.auto-optimise-store = true; gc = { @@ -114,9 +120,15 @@ with pkgs; keep-outputs = true keep-derivations = true gc-keep-outputs = true + experimental-features = nix-command flakes ''; + package = nixFlakes; }; + # Use same version of nixpkgs for nix-shell + nix.nixPath = let path = toString ./.; + in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ]; + # Configure fish shell programs.fish.enable = true; users.users.root = { @@ -138,6 +150,25 @@ with pkgs; # NixOS version system.stateVersion = "22.05"; + # Specify secrets + age = { + secrets.wireguard.file = secrets/wireguard.age; + secrets.syncthing.file = secrets/syncthing.age; + secrets.msmtp.file = secrets/msmtp.age; + secrets.gitea = { + file = secrets/gitea.age; + owner = "gitea"; + group = "gitea"; + }; + secrets.ddclient.file = secrets/ddclient.age; + secrets.miniflux = { + file = secrets/miniflux.age; + owner = "miniflux"; + group = "miniflux"; + }; + identityPaths = [ "/etc/ssh/id_ed25519" ]; + }; + # Import other configuration modules imports = [ ./modules/hardware-configuration.nix diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..8c6880e --- /dev/null +++ b/flake.nix 
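Review bot: `inputs.agenix.defaultPackage.aarch64-linux` in the new systemPackages list hard-codes the platform string while flake.nix already defines `system` and hands it to `nixosSystem`, so the two can silently drift. Selecting the package by the host's own platform keeps them in step: `inputs.agenix.defaultPackage.${pkgs.system}`. This is a style point only; on the aarch64 host this configuration targets the value is identical.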
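Review bot: The new `age` block pins `identityPaths` to `/etc/ssh/id_ed25519`, which is not the sshd host-key path agenix appears to fall back to by default, so that file has to be the private half of the `zion` recipient in secrets/secrets.nix and has to exist before the agenix activation step runs, otherwise every secret fails to decrypt on switch. A comment stating that coupling would help the next maintainer: `# private key for the "zion" recipient in secrets/secrets.nix; not the sshd host key`. Only the gitea and miniflux entries set an owner and group, so the other four are root-owned with agenix's restrictive default mode; that seems right for wireguard and ddclient, and the syncthing module appears to install the key as root, but the consumer of `msmtp` is not in this diff, so confirm it can read a root-only file.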
@@ -0,0 +1,28 @@ +{ + description = "System configuration for zion"; + + inputs = { + nixpkgs.url = "nixpkgs/nixos-unstable"; + agenix.url = "github:ryantm/agenix"; + agenix.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = { self, nixpkgs, agenix, ... }@inputs: + let + system = "aarch64-linux"; + + pkgs = import pkgs { + inherit system; + }; + + lib = nixpkgs.lib; + + in { + nixosConfigurations.zion = lib.nixosSystem { + inherit system; + modules = [ (import ./configuration.nix) agenix.nixosModules.age ]; + specialArgs = { inherit inputs; }; + }; + + }; +} diff --git a/modules/datasync.nix b/modules/datasync.nix index 835b166..a76e688 100644 --- a/modules/datasync.nix +++ b/modules/datasync.nix @@ -6,6 +6,7 @@ openDefaultPorts = true; guiAddress = "0.0.0.0:8384"; dataDir = "/vault/syncthing"; + key = config.age.secrets.syncthing.path; devices = { panacea.id = "NF4SYEJ-RSGPDEF-CDEYC3A-JWZMKNC-KG4FVQP-CZ5HRFY-XM22BZD-N7B6VAH"; diff --git a/modules/devops.nix b/modules/devops.nix index f0922b0..ebfdfc8 100644 --- a/modules/devops.nix +++ b/modules/devops.nix @@ -7,7 +7,7 @@ rootUrl = "https://git.coolneng.duckdns.org"; database = { type = "postgres"; - passwordFile = "/var/keys/gitea"; + passwordFile = config.age.secrets.gitea.path; }; cookieSecure = true; disableRegistration = true; diff --git a/modules/information.nix b/modules/information.nix index 4f2e8ff..f16de9e 100644 --- a/modules/information.nix +++ b/modules/information.nix @@ -4,7 +4,7 @@ # Miniflux configuration services.miniflux = { enable = true; - adminCredentialsFile = "/var/keys/miniflux"; + adminCredentialsFile = config.age.secrets.miniflux.path; config = { BASE_URL = "https://rss.coolneng.duckdns.org"; RUN_MIGRATIONS = "1"; diff --git a/modules/networking.nix b/modules/networking.nix index bdcb24e..6224dfa 100644 --- a/modules/networking.nix +++ b/modules/networking.nix 
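Review bot: `pkgs = import pkgs { inherit system; };` in the `let` of `outputs` refers to itself instead of the `nixpkgs` input, so forcing it is an infinite recursion; it only goes unnoticed because nothing below the `in` uses `pkgs`. Either drop the binding or write `pkgs = import nixpkgs { inherit system; };`. Since configuration.nix now relies on receiving `inputs`, a one-line comment on `specialArgs = { inherit inputs; };` would make that contract visible: `# configuration.nix reads inputs.agenix and inputs.nixpkgs`.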
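Review bot: The added `key = config.age.secrets.syncthing.path;` manages only the private key, while the certificate that pairs with it is left unmanaged; the syncthing module installs key.pem from this option, and if the cert.pem already present in the config dir under `/vault/syncthing` does not correspond to it, the device ID that the `panacea` peer trusts will not match and the node will need re-pairing. The certificate is not secret, so it can be set next to the key with the module's `cert` option, or the expectation that the existing pair stays in place should be stated in a comment: `# key.pem must match the cert.pem already in the syncthing config dir`. This is inferred from the module's behaviour rather than visible here, so confirm against the running host.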
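Review bot: Replacing `passwordFile = "/var/keys/gitea";` with the agenix path is the right direction, but nothing in the commit retires the plaintext copies the old paths refer to, here and in the information.nix (`/var/keys/miniflux`) and networking.nix (`/var/keys/ddclient`, `/home/coolneng/.wg/keys/privatekey`) hunks. Once the agenix-managed paths are confirmed working those files should be deleted and, because they were stored in the clear, rotating the credentials is worth considering, particularly the WireGuard private key that lived under a user home directory. A short comment at each site would make the new dependency explicit: `# decrypted at activation by agenix; recipients in secrets/secrets.nix`.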
@@ -41,7 +41,7 @@ in { quiet = true; protocol = "duckdns"; domains = [ "coolneng.duckdns.org" ]; - passwordFile = "/var/keys/ddclient"; + passwordFile = config.age.secrets.ddclient.path; }; # Firewall configuration @@ -73,7 +73,7 @@ in { wg0 = { ips = [ "10.8.0.1/24" ]; listenPort = wireguard_port; - privateKeyFile = "/home/coolneng/.wg/keys/privatekey"; + privateKeyFile = config.age.secrets.wireguard.path; peers = [ # panacea { diff --git a/secrets/ddclient.age b/secrets/ddclient.age new file mode 100644 index 0000000..75908aa --- /dev/null +++ b/secrets/ddclient.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY +jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw +-> vH/-grease []_Tx" cZfV JHS /x/ +SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE +--- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k +iy݌1k{OJ3HN%y JA8 +'N%L@6 & \ No newline at end of file diff --git a/secrets/gitea.age b/secrets/gitea.age new file mode 100644 index 0000000..0cac196 --- /dev/null +++ b/secrets/gitea.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iUaRGg qr3AoWBF4bx+2bK0STPQtBRDjU6HW5SfXIIUE8GJfxE +mr9m+Le1RrMFumNjSEXpkqbqK9e6jbT4ltWvx/hRplE +-> !W;iA-grease 343tk +f2Fn5fkaYHB/X9wKx/Fa5pJN +--- RynMspwxpbATQ4tCuRoyB9d62IhnADztJu58ohN7mkw +eE'+(Ϙ.0O+$%@YWw|v2Ri -ոiffivO܆w!Q7HOi0d9!G-CY+ẖyOB?)Ю1뒚i Kz-~M_|#aZ4I(go \ No newline at end of file diff --git a/secrets/miniflux.age b/secrets/miniflux.age new file mode 100644 index 0000000..662e38e Binary files /dev/null and b/secrets/miniflux.age differ diff --git a/secrets/msmtp.age b/secrets/msmtp.age new file mode 100644 index 0000000..f2e7210 --- /dev/null +++ b/secrets/msmtp.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iUaRGg +E0/YCwuUtJNFQHtniQyN+xU/1s0phXNMd5YYbOGGFA +Xfht0XPm+oflQLicH5MWGF2nLzu44p/DgahpZa2K70k +-> NlBVK_)-grease SRaB^ jo >B#rtU zoC-H] +lAQL9zTNvGOmJv7FhQaYKd9Ac+MdQSKAhN8hgOTzyh4 +--- 0ox9Q/KOAhuHxkDHIwj6ab6rzie4T/mU9GIT8p4x+0g +UC8^UKxU^=)dlQҫpQH1x;KU;lbK9*`:I:tSFfyGU \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..ef0c37a --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,11 @@ +let + zion = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW"; +in { + "wireguard.age".publicKeys = [ zion ]; + "syncthing.age".publicKeys = [ zion ]; + "msmtp.age".publicKeys = [ zion ]; + "gitea.age".publicKeys = [ zion ]; + "ddclient.age".publicKeys = [ zion ]; + "miniflux.age".publicKeys = [ zion ]; +} diff --git a/secrets/syncthing.age b/secrets/syncthing.age new file mode 100644 index 0000000..d831fbc Binary files /dev/null and b/secrets/syncthing.age differ diff --git a/secrets/wireguard.age b/secrets/wireguard.age new file mode 100644 index 0000000..1f31c7e Binary files /dev/null and b/secrets/wireguard.age differ
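Review bot: Every secret is encrypted to a single recipient, the host key `zion`, so the only identity able to decrypt or re-key these files is the one on that machine; a reinstall or regenerated host key leaves the repository's secrets unrecoverable, and editing them with agenix requires that same private key. Adding an operator's own public key to each list, e.g. `"wireguard.age".publicKeys = [ zion admin ];` with `admin` bound in the `let` to that key, keeps the secrets recoverable and editable off-host without weakening anything on the host side. A comment on the `zion` binding tying it to `age.identityPaths` in configuration.nix would also document which private key must be present there.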