diff --git a/nix/secrets/README.md b/nix/secrets/README.md
new file mode 100644
index 0000000..e8c9086
--- /dev/null
+++ b/nix/secrets/README.md
@@ -0,0 +1,11 @@
+# secrets
+
+> Nix configuration secrets managed with [agenix](https://github.com/ryantm/agenix#tutorial).
+
+Use `nix develop` in the repository root to drop into a shell with `agenix`.
+
+## Editing files
+
+```
+agenix -e <thingamajig.age>
+```
diff --git a/nix/secrets/ionos-prefix.age b/nix/secrets/ionos-prefix.age
new file mode 100644
index 0000000..f0218f2
--- /dev/null
+++ b/nix/secrets/ionos-prefix.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 9V3MUQ 7+lohnPlQALVPEGo2LwS2fj5r2RCKaVeEFmi6EYEyCE
+9U6eAthRVd5ry0ej79FEy3oRG3okJTwY6zSN1u68H1o
+-> ssh-ed25519 CcM6/g QQX9SsgKkk8YdUPRKj9Tda8mf6qRJ7ywtP6IIpN9fxo
+3Ml2+1+AQMwr5Lnv84pYOee/s5mzfVdsHRLaUIAKNFk
+-> i)!b3gaJ-grease 7|bwS ?k2JgF E-G 2HI
+0mFbZ22lqvLd
+--- 0+CwYGJlJC7bRbokHSlv+V4JKppBo+/ocfjp2NQBD3Q
+JDvˆ8ì ëƒ¶ÚÄ÷8é V/Ã'O”M¸x×é!È¸TÉA7ÍK5#É8©&•Ø-VqÈ&}ù]ráÂ
\ No newline at end of file
diff --git a/nix/secrets/ionos-secret.age b/nix/secrets/ionos-secret.age
new file mode 100644
index 0000000..745ae45
Binary files /dev/null and b/nix/secrets/ionos-secret.age differ
diff --git a/nix/secrets/secrets.nix b/nix/secrets/secrets.nix
new file mode 100644
index 0000000..f8326b1
--- /dev/null
+++ b/nix/secrets/secrets.nix
@@ -0,0 +1,10 @@
+let
+  # Users
+  paul = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMFqREiw3EareYXntIrm1/numKDo113zx1WMOFO69LJ";
+
+  # Systems
+  gilgamesh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDmLWYK6/4/Fh+wsoiz9+PCHvNcP2/wu2GvfzrqXCGA";
+in {
+  "ionos-prefix.age".publicKeys = [ paul gilgamesh ];
+  "ionos-secret.age".publicKeys = [ paul gilgamesh ];
+}