diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..dee8397
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+# Age keys (never commit these)
+*.key
+key.txt
+
+# Result symlinks
+result
+result-*
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..f834274
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ # Replace with your age public key (from age-keygen)
+ # Example: age1qyqszq...
+ - &vps age1__REPLACE_WITH_YOUR_AGE_PUBLIC_KEY__
+
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *vps
diff --git a/configuration.nix b/configuration.nix
index cc9e60f..dfb97c8 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -39,6 +39,15 @@
 # === Sudo without password for wheel group ===
 security.sudo.wheelNeedsPassword = false;
 
+ # === SOPS (Secrets Management) ===
+ sops = {
+ defaultSopsFile = ./secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.keyFile = "/var/lib/sops-nix/key.txt";
+ # Generate with: nix-shell -p age --run "age-keygen -o key.txt"
+ # Then add the public key to .sops.yaml
+ };
+
 # === Automatic Updates ===
 system.autoUpgrade = {
 enable = true;
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..b75008f
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,19 @@
+{
+ description = "NixOS VPS configuration";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = { self, nixpkgs, sops-nix, ... }@inputs: {
+ nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./configuration.nix
+ sops-nix.nixosModules.sops
+ ];
+ };
+ };
+}
diff --git a/secrets/.gitkeep b/secrets/.gitkeep
new file mode 100644
index 0000000..e69de29
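Review bot: The ignore list covers `*.key` and `key.txt` but not `keys.txt`, which is the filename sops itself uses for its default age key (`~/.config/sops/age/keys.txt`) and the one an operator following the sops docs is most likely to drop next to `.sops.yaml`. Suggest adding `keys.txt` directly under `key.txt`, with a comment that the ignore only prevents an accidental `git add`: a private key that has already been committed is compromised and has to be rotated, with `.sops.yaml` updated and every secrets file re-encrypted, not merely un-tracked.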
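Review bot: The creation rule has a single recipient, the VPS host key (`&vps`), so every edit of `secrets/*.yaml` needs the host's private age key, which in practice pushes operators to copy `/var/lib/sops-nix/key.txt` onto their workstations, the exact thing the `.gitignore` entry is trying to prevent. Add a second anchor for the operator's own age key and list it under `age:` next to `*vps`; sops encrypts the data key to every recipient in the group, so secrets stay editable locally and the host key never leaves the host. Separately, `path_regex` is unanchored, so `secrets/[^/]+\.yaml$` also matches `anything/secrets/x.yaml`; `^secrets/[^/]+\.yaml$` is what the rule appears to intend.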
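Review bot: `age.keyFile = "/var/lib/sops-nix/key.txt"` tells sops-nix where to read the host's private key at activation, but the comment only describes generating a key in the current directory, not that the key has to exist at that path on the VPS, created there or transferred out-of-band, root-owned and mode 0600, before the first secret is declared. Suggest replacing the two comment lines with `# Private key must exist on the host at /var/lib/sops-nix/key.txt (root:root, 0600):` and `#   mkdir -p /var/lib/sops-nix && age-keygen -o /var/lib/sops-nix/key.txt   # then put the printed public key in .sops.yaml`. Note also that `defaultSopsFile = ./secrets/secrets.yaml` points at a file this commit does not add (only `secrets/.gitkeep`), so presumably the first `sops.secrets.<name>` entry that relies on the default will fail until `sops secrets/secrets.yaml` has created it. The enclosing `configuration.nix` attribute set begins and ends outside the hunk.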
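Review bot: `sops-nix.url = "github:Mic92/sops-nix"` carries no branch or revision and the commit adds no `flake.lock`, so the first evaluation resolves sops-nix to whatever its default branch is that day, and `nixos-24.11` is likewise not pinned to a commit; the module that performs decryption of every host secret is precisely the input that should be locked. Commit the `flake.lock` written by the first `nix flake lock` and treat later `nix flake update` diffs as dependency bumps to be reviewed. Minor points of style: `@inputs` is bound but never used in `outputs`, and the attribute name `nixosConfigurations.nixos` presumably needs to match the machine's `networking.hostName` for `nixos-rebuild switch --flake .` to select it without an explicit `#name`.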