diff --git a/flake.lock b/flake.lock index 1209a00..a03e940 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,23 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1665870395, + "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=", + "owner": "ryantm", + "repo": "agenix", + "rev": "a630400067c6d03c9b3e0455347dc8559db14288", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "alacritty-sixel": { "flake": false, "locked": { @@ -20,7 +38,7 @@ "inputs": { "fenix": "fenix", "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1659395338, @@ -205,17 +223,18 @@ }, "nixpkgs": { "locked": { - "lastModified": 1659219666, - "narHash": "sha256-pzYr5fokQPHv7CmUXioOhhzDy/XyWOIXP4LZvv/T7Mk=", + "lastModified": 1665732960, + "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7b9be38c7250b22d829ab6effdee90d5e40c6e5c", + "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", "type": "github" }, "original": { - "id": "nixpkgs", + "owner": "NixOS", "ref": "nixos-unstable", - "type": "indirect" + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-unstable": { @@ -234,6 +253,21 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1659219666, + "narHash": "sha256-pzYr5fokQPHv7CmUXioOhhzDy/XyWOIXP4LZvv/T7Mk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7b9be38c7250b22d829ab6effdee90d5e40c6e5c", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1670543317, "narHash": "sha256-4mMR56rtxKr+Gwz399jFr4i76SQZxsLWxxyfQlPXRm0=", 
@@ -314,13 +348,14 @@ }, "root": { "inputs": { + "agenix": "agenix", "alacritty-sixel": "alacritty-sixel", "dhist": "dhist", "home-manager": "home-manager", "hyprland": "hyprland", "material-wifi-icons": "material-wifi-icons", "nil-lsp": "nil-lsp", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", "plymouth-themes": "plymouth-themes", diff --git a/flake.nix b/flake.nix index b9fdf46..eb0511d 100644 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,8 @@ plymouth-themes.url = "github:adi1090x/plymouth-themes"; plymouth-themes.flake = false; + agenix.url = "github:ryantm/agenix"; + # my stuff dhist.url = "github:lelgenio/dhist"; }; @@ -54,7 +56,9 @@ specialArgs = { inherit inputs; }; common_modules = [ ./system/configuration.nix + ./system/secrets.nix # nur.nixosModules.nur + inputs.agenix.nixosModule inputs.hyprland.nixosModules.default { programs.hyprland.enable = true; diff --git a/secrets/lelgenio-cachix.age b/secrets/lelgenio-cachix.age new file mode 100644 index 0000000..af5a250 Binary files /dev/null and b/secrets/lelgenio-cachix.age differ diff --git a/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age b/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age new file mode 100644 index 0000000..9f9e0e3 Binary files /dev/null and b/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..7febb1b --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,6 @@ +let + main_ssh_public_key = "ssh-rsa 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 lelgenio@i15"; +in { + "monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ]; + "lelgenio-cachix.age".publicKeys = [ main_ssh_public_key ]; +} diff --git a/system/cachix.nix b/system/cachix.nix index 7e6672f..404dc87 100644 --- a/system/cachix.nix 
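Review bot: The new `agenix` input does not follow the root `nixpkgs`, so agenix is built against its own nixpkgs pin (the lock now carries an `agenix` → `nixpkgs` entry at a different revision from the root's `nixpkgs_3`). That is a second nixpkgs tree to track for security updates and can give the agenix CLI different library versions from the rest of the system. Add `agenix.inputs.nixpkgs.follows = "nixpkgs";` next to `agenix.url` and re-lock, so a single audited pin covers both. The `inputs` attribute set continues outside the hunk.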
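Review bot: Both `.age` files are encrypted to a single recipient, `main_ssh_public_key`, so that one SSH key is the only way to recover the cachix token and the runner registration config; if it is lost or rotated, both secrets have to be re-issued from their upstream sources. `publicKeys` is a list, so add the deploying host's SSH host key as a second recipient, e.g. `host_monolith = "ssh-ed25519 …";` and `publicKeys = [ main_ssh_public_key host_monolith ];`, then run `agenix --rekey` — that also lets the system module decrypt with its host key instead of a key in a user's home. Keep the admin key as a recipient so the secrets remain editable from the workstation. The key material itself is not shown in this rendering, so its type and length cannot be checked here.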
+++ b/system/cachix.nix @@ -1,8 +1,8 @@ -{ pkgs, ... }: { +{ pkgs, config, ... }: { services.cachix-watch-store = { enable = true; cacheName = "lelgenio"; - cachixTokenFile = "/etc/cachix-token"; + cachixTokenFile = config.age.secrets.lelgenio-cachix.path; }; systemd.services.cachix-watch-store-agent.serviceConfig.TimeoutStopSec = 3; } diff --git a/system/configuration.nix b/system/configuration.nix index be1da41..ab97d5d 100644 --- a/system/configuration.nix +++ b/system/configuration.nix @@ -52,6 +52,12 @@ permitRootLogin = "no"; ports = [ 9022 ]; }; + # programs.ssh = { + # startAgent = true; + # extraConfig = '' + # AddKeysToAgent yes + # ''; + # }; ## Enable sound with pipewire. sound.enable = true; diff --git a/system/gitlab-runner.nix b/system/gitlab-runner.nix index 5670d19..f27eb9c 100644 --- a/system/gitlab-runner.nix +++ b/system/gitlab-runner.nix @@ -5,13 +5,13 @@ enable = true; settings.concurrent = 4; services = { - ci_test = { - registrationConfigFile = "/srv/gitlab-runner/env/ci_test"; - dockerImage = "debian"; - dockerPrivileged = true; - }; + # ci_test = { + # registrationConfigFile = "/srv/gitlab-runner/env/ci_test"; + # dockerImage = "debian"; + # dockerPrivileged = true; + # }; thoreb_builder = { - registrationConfigFile = "/srv/gitlab-runner/env/thoreb_builder"; + registrationConfigFile = config.age.secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.path; dockerImage = "debian"; dockerPrivileged = true; }; diff --git a/system/secrets.nix b/system/secrets.nix new file mode 100644 index 0000000..f984710 --- /dev/null +++ b/system/secrets.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: { + age = { + identityPaths = [ "/home/lelgenio/.ssh/id_rsa" ]; + secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age; + secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.file = + ../secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age; + }; +} 
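Review bot: The `programs.ssh` block is added entirely commented out, which is dead configuration that git history already preserves; either enable it or drop the six lines rather than landing them disabled. If it is enabled later, be aware that `AddKeysToAgent yes` gives `/home/lelgenio/.ssh/id_rsa` an everyday footprint (agent, possible forwarding) while this same commit makes that key the decryption identity for every system secret via `age.identityPaths` in `system/secrets.nix`; a dedicated agenix identity such as the host key avoids that coupling. The `services.openssh` block above and the sound settings below continue outside the hunk.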
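Review bot: The new `registrationConfigFile` value reads `config.age.secrets…path`, but the module's argument set is outside the hunk; `system/cachix.nix` had to gain `config` in this very commit, so confirm this file's header is `{ config, pkgs, ... }:` or evaluation fails on an undefined `config`. The `ci_test` service is commented out instead of deleted; remove the five lines, git keeps them. Note that `thoreb_builder` keeps `dockerPrivileged = true` (unchanged context), so the registration config in the secret effectively hands host-root-equivalent execution to any job the registered project runs — worth a comment on that line, e.g. `# privileged: jobs can escape the container; only trusted projects`. The `services.gitlab-runner.services` set continues outside the hunk.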
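Review bot: `age.identityPaths` points at `/home/lelgenio/.ssh/id_rsa`, a personal key in a user's home directory, so decrypting system secrets at activation depends on that home being present and on the key never being rotated, and the key a user carries around interactively is now also the key that unlocks the cachix token and the runner registration config. The conventional identity is the host key, readable only by root and present before any user logs in: `identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with the matching `.pub` added to the recipient lists in `secrets/secrets.nix` and the files re-keyed. Neither secret sets `owner`/`mode`, so agenix's defaults apply — confirm that the cachix-watch-store and gitlab-runner services can read a root-owned file, or set `owner` accordingly. `pkgs` is unused in the module arguments and can be dropped.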
diff --git a/user/home.nix b/user/home.nix index a4f0163..4b88ef6 100644 --- a/user/home.nix +++ b/user/home.nix @@ -86,6 +86,9 @@ in { miniupnpc deluge + ## Nix secrets management + inputs.agenix.defaultPackage.x86_64-linux + ## Programming vscode rustup
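Review bot: `inputs.agenix.defaultPackage.x86_64-linux` hard-codes the system, so this home configuration stops evaluating on any other architecture, and `defaultPackage` is the legacy flake output name. Prefer the system-agnostic form `inputs.agenix.packages.${pkgs.system}.default`, assuming `pkgs` is among the module arguments (the header is outside the hunk) and the pinned agenix revision exposes `packages.<system>.default` — otherwise `inputs.agenix.defaultPackage.${pkgs.system}` still removes the hard-coded architecture. The package list continues outside the hunk.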