diff --git a/os/linux/nix/.sops.yaml b/os/linux/nix/.sops.yaml
new file mode 100644
index 0000000..e2cfbbf
--- /dev/null
+++ b/os/linux/nix/.sops.yaml
@@ -0,0 +1,13 @@
+keys:
+ - &daniel age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45 # pass age-key | rg '# pub'
+ - &sshd-at-beefcake age1k8s590x34ghz7yrjyrgzkd24j252srf0mhfy34halp4frwr065csrlt2ev # ssh beefcake "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *daniel
+ - path_regex: secrets/beefcake/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *daniel
+ - *sshd-at-beefcake
diff --git a/os/linux/nix/flake.nix b/os/linux/nix/flake.nix
index 86547af..bf40bf2 100644
--- a/os/linux/nix/flake.nix
+++ b/os/linux/nix/flake.nix
@@ -17,6 +17,11 @@
 # use the version of nixpkgs we specified above rather than the one HM would ordinarily use
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ }
 };
 
 outputs = inputs: {
@@ -26,6 +31,7 @@
 modules = [
 ./machines/beefcake.nix
 inputs.home-manager.nixosModules.home-manager
+ sops-nix.nixosModules.sops
 {
 home-manager.useGlobalPkgs = true;
 }
diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix
index ebc18ba..684dcb6 100644
--- a/os/linux/nix/machines/beefcake.nix
+++ b/os/linux/nix/machines/beefcake.nix
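Review bot: The first creation rule (`path_regex: secrets/[^/]+\.(yaml|json|env|ini)$`) grants only `*daniel`, yet `secrets/example.yaml` is exactly the file beefcake.nix selects as `defaultSopsFile` and decrypts with the host key behind `*sshd-at-beefcake` (the beefcake.nix hunk), and the example.yaml hunk confirms the file carries a single age recipient, daniel's. As written, decryption on the host at activation cannot succeed; either add `- *sshd-at-beefcake` to the first rule or move the file under `secrets/beefcake/` so the second rule applies, then re-encrypt it with `sops updatekeys`. Note also that sops applies the first rule whose `path_regex` matches and the patterns are unanchored at the start, so prefixing them with `^` would make the intended scoping explicit.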
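Review bot: The new `sops-nix` binding closes with a bare `}` on the last added line, which is a Nix syntax error because attribute bindings must end with `;`, as the `home-manager` binding just above it does (context line `};`); change that line to `};`. The enclosing `inputs` attrset starts outside the hunk.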
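Review bot: `sops-nix.nixosModules.sops` references an unbound name: inside `outputs = inputs: { … }` the flake inputs are only reachable through the `inputs` argument, as the context line `inputs.home-manager.nixosModules.home-manager` directly above shows, so evaluation will fail on an undefined variable. It should read `inputs.sops-nix.nixosModules.sops`. The `modules` list and the surrounding `nixosSystem` call extend outside the hunk.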
@@ -10,9 +10,49 @@ in
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 imports = [
+ ./hardware-configuration.nix
 ];
+ sops = {
+ defaultSopsFile = ../secrets/example.yaml;
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ secrets = {
+ example-key = {
+ # see these and other options' documentation here:
+ # https://github.com/Mic92/sops-nix#set-secret-permissionowner-and-allow-services-to-access-it
+
+ # set permissions:
+ # mode = "0440";
+ # owner = config.users.users.nobody.name;
+ # group = config.users.users.nobody.group;
+
+ # restart service when a secret changes or is newly initialized
+ # restartUnits = [ "home-assistant.service" ];
+
+ # symlink to certain directories
+ path = "/var/lib/my-example-key/secrets.yaml";
+
+ # for use as a user password
+ # neededForUsers = true;
+ };
+ "myservice/my_subdir/my_secret" = {};
+ };
+ };
+
+ # TODO: non-root processes and services that access secrets need to be part of
+ # the 'keys' group
+
+ # systemd.services.some-service = {
+ # serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
+ # };
+ # or
+ # users.users.example-user.extraGroups = [ config.users.groups.keys.name ];
+ # TODO: directory attributes for /storage subdirectories?
 # example: user daniel should be able to write to /storage/files.lyte.dev and
 # caddy should be able to serve it
diff --git a/os/linux/nix/secrets/example.yaml b/os/linux/nix/secrets/example.yaml
new file mode 100644
index 0000000..e647a98
--- /dev/null
+++ b/os/linux/nix/secrets/example.yaml
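Review bot: `keyFile = "/var/lib/sops-nix/key.txt"` with `generateKey = true` adds a second age private key on the host that no creation rule in `.sops.yaml` lists as a recipient, so it can decrypt nothing while `sshKeyPaths` already supplies the key the rules are written for; unless the generated key's public half is added to `.sops.yaml`, dropping the two lines keeps one decryption key on disk instead of two. Separately, `imports = [ ./hardware-configuration.nix ];` references a file this diff does not add; if it is not already tracked in git, flake evaluation will fail to find it. The attrset these bindings live in opens and closes outside the hunk.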
@@ -0,0 +1,25 @@
+example-key: ENC[AES256_GCM,data:8/LalMfi+YsJaF1P+A==,iv:/Kkul1a1gBiAd447/A/yVzfUJi7rb8nAoBWXiokQZEs=,tag:gN5VnfNFyiKplMpip54YEw==,type:str]
+#ENC[AES256_GCM,data:zF3Eji+GV/e/lxQ8IFpu2Q==,iv:wTfGJmuJ08HXstXGofLbUcl3vSKOsSv1Ai0kQM57sF4=,tag:U94wjTY7mTpafjkA4hOh0g==,type:comment]
+myservice:
+ my_subdir:
+ my_secret: ENC[AES256_GCM,data:0oxmwRaS6wYg,iv:7fn84cOkL9F1yhbGOOJZLgkIphI4ZjA0pdzFFNFDh50=,tag:mwbFqGbLa+H47jOyfiNQBQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UUdpZU8zMloweWhZbmxI
+ aFZNL1M3eWNpMjBKMGxRMDYwUnZpd2k0NG1RCnVvcjJsU1dJQTVIcFlmMmFKeEI2
+ bEJVdldxektybGtLYmprRG9OenFnRjgKLS0tIGtBOWFrWXgvc2l0QThQczlWMkxW
+ bjM4enBEbUlkYlZFOHIvQW80VktsTDgKZMYE95nKgmU+whtU2xrJnuNlwZqrjpfN
+ e5LKNQ6lLqIzsmCdAlyPcKVW5hCbtaT/Ac1TvZWq7+cF6SbPa/51Ew==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-07-27T17:08:21Z"
+ mac: ENC[AES256_GCM,data:HO9P7Z3edo5FyaTenyKjphxnKcke4dqXiUyBveAPd2KP489Hh+fXrugx7+w47UiYsfgBCgFM/ED9xzRKLV7IMIYFtdtL5LwTizPF9H/VUnvRM420VUy/OMPiuludSSoL3WNpTM0UBQi4l7FSjKGpz5AdzLJE65Px05lPJQ/KGFY=,iv:TNtp3/A5lDanNQ0Ghi1Q1yyQc6glcYyYYeDkeEXNkVw=,tag:L5lmerkR3SarF/NLXYMURQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3