diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..77c8518
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,13 @@
+keys:
+  - &users:
+    - &lander 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
+  - &hosts:
+    - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
+
+creation_rules:
+  - path_regex: hosts/common/secrets.yam?l$
+    key_groups:
+    - age:
+      - *wodan
+      pgp:
+      - *lander
diff --git a/hosts/common/global/default.nix b/hosts/common/global/default.nix
index a8c4414..0830df8 100644
--- a/hosts/common/global/default.nix
+++ b/hosts/common/global/default.nix
@@ -8,12 +8,12 @@
   imports = [
     inputs.home-manager.nixosModules.home-manager
     inputs.lix-module.nixosModules.default
-    inputs.sops-nix.nixosModules.sops
     inputs.catppuccin.nixosModules.catppuccin
     ./locale.nix
     ./nh.nix
     ./openssh.nix
+    ./sops.nix
   ];
 
   home-manager.useGlobalPkgs = true;
diff --git a/hosts/common/global/sops.nix b/hosts/common/global/sops.nix
new file mode 100644
index 0000000..fff5a74
--- /dev/null
+++ b/hosts/common/global/sops.nix
@@ -0,0 +1,15 @@
+{ inputs, config, ... }:
+
+let
+  isEd25519 = k: k.type == "ed25519";
+  getKeyPath = k: k.path;
+  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+in {
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    age.sshKeyPaths = map getKeyPath keys;
+  };
+}
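Review bot: The `path_regex` `hosts/common/secrets.yam?l$` does not match `secrets.yml` — the `?` makes the `m` optional, so it accepts `secrets.yaml` and `secrets.yal`, and a `.yml` secrets file would hit no creation rule (sops refuses to encrypt with no matching rule, so this is a breakage rather than an exposure, but it is the wrong regex). The pattern is also unanchored at the start and uses an unescaped `.`, so any path ending in that string matches, e.g. `foo/hosts/common/secrets.yaml`. Suggested: `path_regex: ^hosts/common/secrets\.ya?ml$`. Since there is a single entry under `key_groups`, either the `wodan` host key or the `lander` PGP key alone decrypts every secret; that is the usual sops-nix layout, but a comment such as `# single group: any listed key decrypts; a second group would turn on Shamir thresholds` would keep a later edit from changing the trust model by accident.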
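Review bot: `age.sshKeyPaths` silently evaluates to `[]` when `config.services.openssh.hostKeys` has no `ed25519` entry (openssh disabled on a host, or `hostKeys` overridden with RSA only), and the failure then only shows up as every secret failing to decrypt at activation instead of at evaluation time. An assertion on the filtered list would catch this at build time: `assertions = [{ assertion = keys != []; message = "sops: no ed25519 key in services.openssh.hostKeys to use as age identity"; }];`. The module also deserves a header comment recording that the SSH host key doubles as the host's age identity, so regenerating or rotating it (reinstall, cloning an image) orphans the encrypted secrets until `sops updatekeys` is run with the new recipient, and that anyone who can read the host key can decrypt all of this host's secrets. As far as I recall, sops-nix already defaults `sops.age.sshKeyPaths` to exactly this ed25519 filter when openssh is enabled, so the explicit setting is mostly documentary — worth confirming against the pinned sops-nix revision and saying so in the comment.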