diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..ff1eaee
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,2 @@
+creation_rules:
+  - age: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
diff --git a/kubenix-modules/forgejo.nix b/kubenix-modules/forgejo.nix
index d1d146a..029c833 100644
--- a/kubenix-modules/forgejo.nix
+++ b/kubenix-modules/forgejo.nix
@@ -29,7 +29,7 @@
 SSH_PORT = 56287
 SSH_LISTEN_PORT = 22
 LFS_START_SERVER = true
-LFS_JWT_SECRET = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/lfsJwtSecret
+LFS_JWT_SECRET = ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret
 OFFLINE_MODE = false
 
 [database]
@@ -72,7 +72,7 @@
 SECRET_KEY =
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/internalToken
+INTERNAL_TOKEN = ref+sops://secrets/sops.yaml#/forgejo/internalToken
 PASSWORD_HASH_ALGO = pbkdf2
 
 [service]
diff --git a/kubenix-modules/freshrss.nix b/kubenix-modules/freshrss.nix
index 975c0d1..a832c41 100644
--- a/kubenix-modules/freshrss.nix
+++ b/kubenix-modules/freshrss.nix
@@ -7,8 +7,7 @@
 PUBLISHED_PORT = "443";
 };
 
-# TODO: encrypt this with sops and commit to git repo.
-secrets.freshrss.stringData.adminPassword = "ref+file:///home/pim/.config/home/vals.yaml#/freshrss/password";
+secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/sops.yaml#/freshrss/password";
 
 deployments.freshrss = {
 metadata.labels.app = "freshrss";
diff --git a/kubenix-modules/hedgedoc.nix b/kubenix-modules/hedgedoc.nix
index b834fd0..bcb4a58 100644
--- a/kubenix-modules/hedgedoc.nix
+++ b/kubenix-modules/hedgedoc.nix
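Review bot: The new creation rule names a single age recipient and carries no `path_regex`, so every file sops creates anywhere in the repository is encrypted to that one key only, and secrets/sops.yaml (added in this commit) becomes undecryptable if the private half of that key is lost or has to be retired. A second recipient — a backup key kept offline, or a second operator's key — should be listed in the same `age:` value (recipients are comma-separated). Scoping the rule, e.g. `path_regex: ^secrets/.*\.yaml$`, keeps sops from being applied to unrelated YAML by accident and leaves room for a later rule with different recipients for other paths.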
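Review bot: `ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret` is a relative path, and vals appears to open the sops file relative to the working directory of the process that expands the refs rather than relative to forgejo.nix, so evaluating from anywhere but the repository root would presumably fail to resolve the secret; the same applies to the `INTERNAL_TOKEN` hunk below and to freshrss.nix, hedgedoc.nix, kitchenowl.nix, nextcloud.nix, paperless-ngx.nix and pihole.nix. If the deploy always runs from the root that is fine, but it deserves a short comment next to the first ref, e.g. `# vals resolves this path from the repository root, not from this file`. Separately, `SECRET_KEY =` two lines above INTERNAL_TOKEN is left empty while the other Forgejo secrets move into sops; if Forgejo falls back to a built-in default or generates a key on start when it is blank, a config rendered from Nix will not persist it and values encrypted with it in the database (such as 2FA secrets) could become unreadable after a restart — it likely belongs in secrets/sops.yaml next to `internalToken`. Both hunks sit inside a configuration string that starts and ends outside the hunk.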
@@ -20,8 +20,8 @@
 };
 
 secrets.hedgedoc.stringData = {
-databaseURL = "ref+file:///home/pim/.config/home/vals.yaml#/hedgedoc/databaseURL";
-sessionSecret = "ref+file:///home/pim/.config/home/vals.yaml#/hedgedoc/sessionSecret";
+databaseURL = "ref+sops://secrets/sops.yaml#/hedgedoc/databaseURL";
+sessionSecret = "ref+sops://secrets/sops.yaml#/hedgedoc/sessionSecret";
 };
 
 deployments.hedgedoc = {
diff --git a/kubenix-modules/kitchenowl.nix b/kubenix-modules/kitchenowl.nix
index c32fa3c..6c3fd83 100644
--- a/kubenix-modules/kitchenowl.nix
+++ b/kubenix-modules/kitchenowl.nix
@@ -4,7 +4,7 @@
 BACK_URL = "kitchenowl-backend.default.svc.cluster.local:5000";
 };
 
-secrets.kitchenowl.stringData.jwtSecretKey = "ref+file:///home/pim/.config/home/vals.yaml#/kitchenowl/jwtSecretKey";
+secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/sops.yaml#/kitchenowl/jwtSecretKey";
 
 deployments = {
 # TODO: this is quite a lot of boilerplate to create these deployments
diff --git a/kubenix-modules/nextcloud.nix b/kubenix-modules/nextcloud.nix
index 9d82fe6..ddfe05b 100644
--- a/kubenix-modules/nextcloud.nix
+++ b/kubenix-modules/nextcloud.nix
@@ -6,7 +6,7 @@
 POSTGRES_HOST = "lewis.dmz";
 };
 
-secrets.nextcloud.stringData.databasePassword = "ref+file:///home/pim/.config/home/vals.yaml#/nextcloud/databasePassword";
+secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword";
 
 deployments.nextcloud = {
 metadata.labels.app = "nextcloud";
diff --git a/kubenix-modules/paperless-ngx.nix b/kubenix-modules/paperless-ngx.nix
index ea4ffba..7afcca1 100644
--- a/kubenix-modules/paperless-ngx.nix
+++ b/kubenix-modules/paperless-ngx.nix
@@ -17,8 +17,8 @@
 };
 
 secrets.paperless-ngx.stringData = {
-databasePassword = "ref+file:///home/pim/.config/home/vals.yaml#/paperless-ngx/databasePassword";
-secretKey = "ref+file:///home/pim/.config/home/vals.yaml#/paperless-ngx/secretKey";
+databasePassword = "ref+sops://secrets/sops.yaml#/paperless-ngx/databasePassword";
+secretKey = "ref+sops://secrets/sops.yaml#/paperless-ngx/secretKey";
 };
 
 deployments = {
diff --git a/kubenix-modules/pihole.nix b/kubenix-modules/pihole.nix
index 7bf6ded..c6ef7fe 100644
--- a/kubenix-modules/pihole.nix
+++ b/kubenix-modules/pihole.nix
@@ -5,7 +5,7 @@
 PIHOLE_DNS_ = "192.168.30.1";
 };
 
-secrets.pihole.stringData.webPassword = "ref+file:///home/pim/.config/home/vals.yaml#/pihole/password";
+secrets.pihole.stringData.webPassword = "ref+sops://secrets/sops.yaml#/pihole/password";
 
 deployments.pihole = {
 metadata.labels.app = "pihole";
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
new file mode 100644
index 0000000..cb61d98
--- /dev/null
+++ b/secrets/sops.yaml
@@ -0,0 +1,37 @@
+freshrss:
+  password: ENC[AES256_GCM,data:o1TcbxuSULbatxbBSBt7VZKpT8SlRKfF2UQSnj7eo0nVhgWnXPcJlQ==,iv:qd/asB7gVpLijV3E89Vy7WNG9b531/Tn57uf0mgTMZA=,tag:eQ69xVcYBA931e2bxMp1fA==,type:str]
+pihole:
+  password: ENC[AES256_GCM,data:RkKI/R+mdN0vJRMVKjBJF4y5PKj2J2keg0CsjCiXgZPvFl6jnPqTnQ==,iv:5waAzXb42SHEKAHmEVoIBCkhIJDCunrvaUNg4YI+1xw=,tag:FjGeyZ5G5Cp0imoIbkoBVw==,type:str]
+hedgedoc:
+  databaseURL: ENC[AES256_GCM,data:8VS1+EWCWAA3uQ8MVloSD57o3QKPmhvww8utnE2JJGDFMKb6irCNVwkwjRxr8fSnV+wjUvTONfAv+Wm/VBI2PfYgyaSgQD66BdjnQDicTPR9UHqB,iv:d2VHutdOkeyM1Sqwn3khHPOdZkV43RyDb0jQQUe5AxE=,tag:L3EFLzFW6KJNuWqK8IZ3yw==,type:str]
+  sessionSecret: ENC[AES256_GCM,data:Qq2FzcIXWbf7FWm0/K1yMl8tmVdNtv3+DGVST3NM2t9N3IJ+Vbz2PKRy3UX2oPJGthIoXChAaWTNU7WGV2zEBA==,iv:aQvXrbUX3ZCpY2OkFDpbl2XHwCDwLwXjiV2Ny4bjoyE=,tag:wPmROgRmWcvilj/W0RANVQ==,type:str]
+nextcloud:
+  databasePassword: ENC[AES256_GCM,data:9mkwB4uKUlt1E20n7Wxr9PnKc1bxkYVO5Ph/dFfcuGA=,iv:U3IUz+7izoaeQi03xghDM1dZK01ICi3+r6r3mvNh8u0=,tag:aGKQyzZX210SNTRlvoHUig==,type:str]
+paperless-ngx:
+  databasePassword: ENC[AES256_GCM,data:tQcxQbp5WT3AmR6qqdSmfeIGu40=,iv:xSq5kXp8RqOUXR9kK3hr38YjATWoAxmKqPO59B1sdlg=,tag:pft3KrmLgIbSebAY2DBtPQ==,type:str]
+  secretKey: ENC[AES256_GCM,data:Ue409vICe/ULoEM15mh9hOdIFl4=,iv:QU3NmPknqeNxUqJi44mGVtL0yiyNOu9pVW08jHYuVec=,tag:zjUO2s4BoMMJrEttq7Cd/w==,type:str]
+kitchenowl:
+  jwtSecretKey: ENC[AES256_GCM,data:XAfrvGbfVA1AZJyT0Nq0V0Om+1U=,iv:3kuWHfx5/Wk08z4/rou49s1wSxzisZUP0HLefYk9vXs=,tag:kormdXTJ7u5ar4+VY/IfvQ==,type:str]
+forgejo:
+  lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str]
+  internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsM0xTM1pFNDMwYW1FSDRB
+        SGk3dXl6RzVPVXF5N2NYSWxYVXpTYm1UUUZNCkkwOEJZbnVTanRRSXFWWXpJQ0lK
+        T0Z6QnMyZUl1WGEwaEsrbitUUFNoa2MKLS0tIHArQkIrRWlWcU9yUFVaa3pJMDlo
+        dVBPbkRib1M1cmVKZzl4TWpoSml2WDQK45jJDXpPXIBoaANhjZSWYVZ8mI51LAin
+        EqgBj7VKY+CQbw1gMd1Fdh8iDYraowwcLyd/ZhZ/M0kIdkCc5E1a5g==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-04-14T12:05:53Z"
+  mac: ENC[AES256_GCM,data:T4Uvkt28ACuLZv7FkJt9Nlhes1fVxasOnGgXpdhvMyf8DS4SFHBUQ0o6UsDcmjHixs/GFEkHNLa22V1PomNlPbpZ+ysNeYN0M/q8fguhpINMoJQlXQ6HXTEy7JQ9IBRfx010/1imjiNJ8QXkTYnDqDKk9sMhpJxubX8rBnGccJ4=,iv:rACUx2Nn8R8KgTF+OSP9MaW7yfNH8fOhlEEAynsdHsE=,tag:K2+iK/i0mDt7eNJlcE96NA==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.8.1
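Review bot: The `sops.age` metadata lists exactly one recipient (`age189…`), so this file has the same single point of failure as the matching rule in `.sops.yaml`: nobody can decrypt it if that private key is lost, and no second key exists to fall back on while the first is being rotated. Once a second recipient is added to `.sops.yaml`, `sops updatekeys secrets/sops.yaml` re-wraps the data key without touching the encrypted values. Because the ciphertext is now permanent in git history, a future compromise of the age key cannot be undone by re-encrypting — every value here (database passwords, JWT and session secrets, the Forgejo internal token) would have to be regenerated — so the README or the module that consumes this file should state that rule and name the key's owner. Key names such as `forgejo.internalToken` remain plaintext by design, which is acceptable here but does reveal which services and credential types exist.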