diff --git a/flake.lock b/flake.lock index fdc8896..f3cc7eb 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1631896269, + "narHash": "sha256-DAyCxJ8JacayOzGgGSfzrn7ghtsfL/EsCyk1NEUaAR8=", + "owner": "ryantm", + "repo": "agenix", + "rev": "daf1d773989ac5d949aeef03fce0fe27e583dbca", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "better-status-indicators": { "flake": false, "locked": { @@ -426,6 +446,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "better-status-indicators": "better-status-indicators", "channel-typing": "channel-typing", "discord-tokyonight": "discord-tokyonight", @@ -443,7 +464,6 @@ "pure": "pure", "radialstatus": "radialstatus", "rolecolor-everywhere": "rolecolor-everywhere", - "secrets": "secrets", "spotify-adblock": "spotify-adblock", "theme-toggler": "theme-toggler", "tokyonight": "tokyonight", @@ -457,21 +477,6 @@ "zsh-history-substring-search": "zsh-history-substring-search" } }, - "secrets": { - "locked": { - "lastModified": 1626423937, - "narHash": "sha256-ar4JcAS4q6PL2YiTXcFAsiLpvVZLc7/2r4TS6pI3Aww=", - "owner": "LavaDesu", - "repo": "flakes-secrets", - "rev": "73ec1e3c23216c1a42fb9a00dbf443d90af68f45", - "type": "github" - }, - "original": { - "owner": "LavaDesu", - "repo": "flakes-secrets", - "type": "github" - } - }, "spotify-adblock": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 014b57c..ea3077f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,8 +3,9 @@ nixpkgs.url = "github:NixOS/nixpkgs"; home-manager.url = "github:nix-community/home-manager"; neovim-nightly.url = "github:nix-community/neovim-nightly-overlay"; - secrets.url = "github:LavaDesu/flakes-secrets"; + agenix.url = "github:ryantm/agenix"; + agenix.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; neovim-nightly.inputs.nixpkgs.follows = "nixpkgs"; @@ -43,7 +44,7 @@ zelk = { url = "github:schnensch0/zelk"; flake = false; }; }; - outputs = { self, nixpkgs, home-manager, secrets, ... } @ inputs: + outputs = { self, agenix, nixpkgs, home-manager, ... } @ inputs: let lib = nixpkgs.lib; @@ -100,7 +101,7 @@ system = arch; modules = [ home-manager.nixosModules.home-manager - secrets.nixosModules.${name} + agenix.nixosModules.age (./hosts + "/${name}") ]; specialArgs = { inherit inputs modules overlays enableGUI; }; diff --git a/hosts/apricot/default.nix b/hosts/apricot/default.nix index 23cb160..e99741c 100644 --- a/hosts/apricot/default.nix +++ b/hosts/apricot/default.nix @@ -1,7 +1,12 @@ { config, modules, overlays, pkgs, ... }: { networking.hostName = "apricot"; system.stateVersion = "21.05"; + time.timeZone = "Asia/Phnom_Penh"; + age.secrets = { + passwd.file = ../../secrets/passwd.age; + wpa_conf.file = ../../secrets/wpa_conf.age; + }; imports = with modules.system; [ base input diff --git a/hosts/apricot/networking.nix b/hosts/apricot/networking.nix index b9065f5..f52ec91 100644 --- a/hosts/apricot/networking.nix +++ b/hosts/apricot/networking.nix @@ -1,4 +1,5 @@ { config, ... }: { + environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path; networking = { wireless = { enable = true; diff --git a/hosts/winter/default.nix b/hosts/winter/default.nix index c7dd297..3db4582 100644 --- a/hosts/winter/default.nix +++ b/hosts/winter/default.nix 
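Review bot: `agenix.url = "github:ryantm/agenix";` in the first flake.nix hunk follows the default branch, so the only thing fixing the code is the `rev`/`narHash` pair in flake.lock. The module this input provides (`agenix.nixosModules.age`, added in the third hunk) handles the decrypted secrets on every host, so a routine `nix flake update` changes secret-handling code without any edit to flake.nix. I would either pin it, e.g. `agenix.url = "github:ryantm/agenix/<REV_OR_TAG>";` (placeholder), or add a comment such as `# handles decrypted secrets; review the upstream diff when bumping flake.lock`.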
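Review bot: The `age.secrets = { passwd.file = …; wpa_conf.file = …; };` block added to hosts/apricot/default.nix is repeated verbatim in hosts/winter/default.nix (as is `time.timeZone`), so the two hosts can drift apart; a single shared module imported by both would hold it once. Nothing visible here says which private key decrypts these files. As far as I know agenix falls back to the machine's OpenSSH host keys, so each host needs the private half of its secrets.nix entry in place before activation. A comment like `# decrypted at activation with this host's SSH host key; recipients live in secrets.nix` would record that dependency. Owner and mode are left at the agenix defaults, which I believe are root-only; confirm that suits every consumer.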
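Review bot: `environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;` in hosts/apricot/networking.nix (and the identical line in hosts/winter/networking.nix) keeps the PSK out of the Nix store only because `.path` is a plain string naming the runtime location, so /etc ends up with a symlink. That deserves a comment, e.g. `# symlink to the agenix runtime path; never read the decrypted content at eval time, it would land in the world-readable /nix/store`. Separately, to my knowledge the NixOS wireless module reads /etc/wpa_supplicant.conf only when no `networking.wireless.networks` (or extra config) is declared, and otherwise generates its own file. The `wireless` block continues past the end of this hunk, so please confirm nothing there makes this secret silently unused.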
@@ -1,7 +1,12 @@ { config, modules, overlays, pkgs, ... }: { networking.hostName = "winter"; system.stateVersion = "20.09"; + time.timeZone = "Asia/Phnom_Penh"; + age.secrets = { + passwd.file = ../../secrets/passwd.age; + wpa_conf.file = ../../secrets/wpa_conf.age; + }; imports = with modules.system; [ audio base diff --git a/hosts/winter/networking.nix b/hosts/winter/networking.nix index f0e3fd5..8bab14c 100644 --- a/hosts/winter/networking.nix +++ b/hosts/winter/networking.nix @@ -1,4 +1,5 @@ { config, ... }: { + environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path; networking = { wireless = { enable = true; diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..cfa0b78 --- /dev/null +++ b/secrets.nix @@ -0,0 +1,12 @@ +let + apricot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGS0M4BOLiVUM/qdUpcg9Y4aTeyDfyQl89uhXwFORjn"; + fondue = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkKZYsYWnI+MgecBjOwf7aL5jtiT0ymCDme3pzucTei"; + winter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wfPCcpkNR3ubr7cBV0UwVCDo/sMmV0aI/JOJTIxQj"; + + rin-apricot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxzygMMJ/hmPRUeQu/eMmEhAKfFSFIEVstDIerPzxgZ"; + rin-fondue = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbPamP5bovUsrBNYnjOk4SN2TaQZAVlJ+4JldK2cL5M"; + rin-winter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15"; +in { + "secrets/passwd.age".publicKeys = [ apricot fondue winter rin-apricot rin-fondue rin-winter ]; + "secrets/wpa_conf.age".publicKeys = [ apricot winter rin-apricot rin-winter ]; +} diff --git a/secrets/passwd.age b/secrets/passwd.age new file mode 100644 index 0000000..9a53299 --- /dev/null +++ b/secrets/passwd.age 
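Review bot: The recipient lists in secrets.nix put machine keys (`apricot`, `fondue`, `winter`) and per-user keys (`rin-*`) side by side with no comment saying which is which or why each needs access, so the decryption surface is hard to audit: `secrets/passwd.age` opens with any one of six private keys. I would add a header such as `# host keys: each machine's SSH host public key, used to decrypt at activation` and `# user keys: rin's personal keys, used to edit and rekey`, assuming that is the intended split. `fondue` and `rin-fondue` are recipients of passwd.age although this diff touches no fondue host configuration; if that host does not consume the secret yet, leave them out until it does. Because the ciphertext is committed, removing a recipient later revokes nothing: the old blob stays in history, so the password and the PSK themselves have to be rotated whenever one of these keys is retired or exposed.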
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 U9FXlg pyO5bXIo3QmlwLGThUQOJpxkNHMWRw7zCN7MZRHT2XI ++t6CvDsUoxDK7VieD1JGGoPIAdgNy88gHQTElEbq+Aw +-> ssh-ed25519 W08TTA JGyCrmpEH/04XqVK3cZjZQxW8FdgTHGdeSjDRHBFTy8 +DO352HTh9LhjLROJt4Ezx5tCEjuA8O7Y2yOtSnzqJFY +-> ssh-ed25519 pumkzw bwVqGKi9z0tZU//9eETsW3QtU1eKw1fUGueGpPPwEE0 +MPa3afK3Imz5DQ0OC+VRoN7NTkTfxW4PdYtUQpZKYFU +-> ssh-ed25519 CUCjXQ imjGGo/eW0k/5Nqx54GSdxyPUd/rrKiCSbe5IVBqpGY +kbznCkFsJ1cQtaSOpcO87XymQVUh0trjf+hnPrZn4wM +-> ssh-ed25519 1f0c9Q gs51wLCgicapbWMXe762vHXzKZEL4uBEwyoMMgjYEDo +jQcqFfXZdNyUXKdQYd6NGpB2UG6kspSqES0U7YVl8bs +-> ssh-ed25519 l9dSQg jFs43ABxAmfFnbHXaDf7cI5LSZl7eG45vRvmDRcGn2I +xi0ssuW/X+GbhEAjTlMqsRZuF860ClW5OW7em8q4gCU +-> ddi&.U1,-grease l-[{g`4' 8[A; E*S _#Pt +f6BrJn0 +--- 94Qsnx1vfwhCQBcX1UBinqiQkcTHwAsoaT8Fc0g6bxw +*h)u-4(uIm5Iͼ7s?;r :a v{F JbstPl?aqՂN7AsزI;+c(O*3Lr.G:f| \ No newline at end of file diff --git a/secrets/wpa_conf.age b/secrets/wpa_conf.age new file mode 100644 index 0000000..1253113 --- /dev/null +++ b/secrets/wpa_conf.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 U9FXlg E0hhgFA/zsRWQJlrPEcoa3EB5+PsCAqCR1zCnezkFjU +C17s+kvncsFSdYG4MPG/mBuBwyjQihI0psdBG5TZRkU +-> ssh-ed25519 pumkzw 6lB6ssEW3qI/urBGKNiVvwn2mwNlqjAoteHjzWhSdic +5H9O9ogZSo5MZxvotcVpH2iTsSl82RoA1mEOqfPJhs8 +-> ssh-ed25519 CUCjXQ M1pJrjSYKt79yozkZg5QnWoVXm/Ycux2CjK9KZ2c3Gg +kIZU/NI0lZK7VqP6LXeBCm1I1QvwPUcrrqRhouE1qXY +-> ssh-ed25519 l9dSQg kdr5ycMPLZHm3gnQXlRGePkmnWMAtQCVL/eeqQNZW3M +so1UTAIF4xYYC8BGseA+cY7yz49xeqROBoCrnyaa5fQ +-> at-grease pZp\ \ +wFowXoNmbvDQFM/9r4Ju5rPlrj4nP8k4NEtKbUOZovebox75dWododrjol14pk7x +2YgYznE9r6HsyqN/6wXroQ +--- m1BL/gjAKZlbd2fLwT46xse7I9SzL5hgBIxnoIZmMu4 +oLZ80œ";㫇g("5FNja6`GSf.hY笪K9J=0܆.]qGonp˕3o> SyRpͦz.KFFep \ No newline at end of file diff --git a/users/rin.nix b/users/rin.nix index a7217fa..560eb34 100644 --- a/users/rin.nix +++ b/users/rin.nix 
@@ -4,6 +4,7 @@ extraGroups = [ "adbusers" "audio" "video" "wheel" ]; shell = pkgs.zsh; uid = 1001; + passwordFile = config.age.secrets.passwd.path; }; home-manager.users.rin = { config, enableGUI, lib, pkgs, ... }: { home = {
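Review bot: `passwordFile = config.age.secrets.passwd.path;` only works if the file is already decrypted when the user-setup step of activation reads it, and that ordering lives in the pinned agenix revision rather than in this diff; please confirm it on a fresh boot, since a missing file would presumably leave the account without the intended password. The decrypted content must be a hashed password (for example the output of `mkpasswd -m sha-512`), not the plain text, and if `users.mutableUsers` is left at its default the file is, to my knowledge, applied only when the account is first created. A comment such as `# crypt(3) hash, decrypted by agenix to a runtime path at activation` would capture this. The enclosing module starts above the hunk, so I cannot see whether `config` is among its arguments.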