diff --git a/.gitattributes b/.gitattributes deleted file mode 100755 index e155600..0000000 --- a/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -secrets.json filter=git-crypt diff=git-crypt diff --git a/backup.nix b/backup.nix index a358e2a..be777d8 100755 --- a/backup.nix +++ b/backup.nix @@ -1,4 +1,4 @@ -{ pkgs, config, secrets, ... }: { +{ pkgs, config, ... }: { systemd.services = { notify-backup-b2-failed = { description = "Notify on failed backup to B2"; @@ -16,27 +16,25 @@ restic-backups-b2 = { onFailure = [ "notify-backup-b2-failed.service" ]; }; }; - environment.etc = { - "restic-env".text = '' - B2_ACCOUNT_ID="${secrets.b2.accountId}" - B2_ACCOUNT_KEY="${secrets.b2.accountKey}" - ''; - "restic-password".text = secrets.restic.password; + age.secrets = { + restic-env.file = ./secrets/restic-env.age; + restic-password.file = ./secrets/restic-password.age; }; services.restic.backups = { b2 = { initialize = true; - environmentFile = "/etc/restic-env"; + environmentFile = config.age.secrets.restic-env.path; + passwordFile = config.age.secrets.restic-password.path; repository = "b2:marauder-backup"; - passwordFile = "/etc/restic-password"; - paths = [ - "${config.users.users.nettika.home}/Artwork" - "${config.users.users.nettika.home}/Documents" - "${config.users.users.nettika.home}/Music" - "${config.users.users.nettika.home}/Pictures" - "${config.users.users.nettika.home}/Projects" - "${config.users.users.nettika.home}/Videos" + paths = let home = config.users.users.nettika.home; + in [ + "${home}/Artwork" + "${home}/Documents" + "${home}/Music" + "${home}/Pictures" + "${home}/Projects" + "${home}/Videos" ]; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" ]; }; diff --git a/configuration.nix b/configuration.nix index 9134aad..2a5baa2 100755 --- a/configuration.nix +++ b/configuration.nix @@ -1,4 +1,4 @@ -{ pkgs, secrets, phps, ... }: +{ pkgs, phps, agenix, ... }: let fortune = pkgs.writeShellScript "cgi" '' echo "Content-type: text/html" 
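Review bot: The git-crypt-encrypted `secrets.json` deleted in this span (together with the `.gitattributes` filter line) stays in the repository history, so the B2 account id/key and the restic password it held remain readable to anyone who has the old git-crypt key. Moving the values into `secrets/*.age` does not retire those copies; rotating the B2 application key and the restic repository password after this commit would, and is worth a sentence in the commit message. In the backup.nix hunk, the two `age.secrets` entries rely on agenix's defaults (root-owned, mode 0400), which fits a restic-backups unit that presumably runs as root, but a comment such as `# decrypted as root:root 0400; restic-backups-b2 runs as root` would make the absence of `owner`/`mode` read as intentional. The backup.nix attribute set continues past the end of this hunk.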
@@ -31,6 +31,8 @@ in { environment.variables.VISUAL = "code --wait"; + age.identityPaths = [ "/home/nettika/.ssh/id_ed25519" ]; + networking = { hostName = "marauder"; firewall.enable = false; @@ -127,7 +129,6 @@ in { php # Command line - git-crypt htop jq @@ -139,6 +140,7 @@ in { mullvad-vpn qbittorrent system-config-printer + agenix.packages.${system}.default ]; programs.steam = { @@ -205,7 +207,7 @@ in { services.zerotierone = { enable = true; - joinNetworks = secrets.zerotier.networks; + joinNetworks = [ "8056c2e21c0b1a53" ]; }; services.mullvad-vpn = { diff --git a/flake.lock b/flake.lock index 3972ea6..2ef6b7d 100755 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,28 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", + "owner": "ryantm", + "repo": "agenix", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "common": { "locked": { "lastModified": 1750666369, @@ -15,6 +38,28 @@ "url": "https://git.uninsane.org/nettika/nettika-common" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { 
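Review bot: `age.identityPaths = [ "/home/nettika/.ssh/id_ed25519" ];` ties secret decryption at activation to a personal key inside a user's home directory instead of the host SSH key, which is agenix's default identity, is root-owned and exists before any user session; if that home directory is moved or encrypted, or the key is rotated, every `age.secrets` entry stops decrypting at boot. Prefer `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` and list the host's public key as a recipient in secrets/secrets.nix, keeping the user key for editing. Separately, `agenix.packages.${system}.default` in the package list depends on a `system` binding that is not visible in these hunks and is not passed through specialArgs in flake.nix; if it is not defined in configuration.nix's `let`, `agenix.packages.${pkgs.system}.default` removes that dependency. The enclosing `in { ... }` attribute set begins and ends outside these hunks.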
@@ -31,6 +76,27 @@
 "type": "github"
 }
 },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1748437600,
@@ -71,6 +137,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "common": "common",
 "nixpkgs": "nixpkgs",
 "phps": "phps"
@@ -91,9 +158,24 @@
 "type": "github"
 }
 },
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "utils": {
 "inputs": {
- "systems": "systems"
+ "systems": "systems_2"
 },
 "locked": {
 "lastModified": 1731533236,
diff --git a/flake.nix b/flake.nix
index 2aa7c0f..2c97c1d 100755
--- a/flake.nix
+++ b/flake.nix
@@ -7,17 +7,19 @@ url = "github:fossar/nix-phps"; inputs.nixpkgs.follows = "nixpkgs"; }; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; common.url = "git+https://git.uninsane.org/nettika/nettika-common"; }; - outputs = { nixpkgs, phps, common, ... }: { - nixosConfigurations.marauder = nixpkgs.lib.nixosSystem { + outputs = { nixpkgs, phps, common, agenix, ... }: { + nixosConfigurations.marauder = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; - modules = [ ./configuration.nix common.nixosModule ]; - specialArgs = { - inherit phps; - secrets = builtins.fromJSON (builtins.readFile ./secrets.json); - }; + modules = + [ ./configuration.nix common.nixosModule agenix.nixosModules.default ]; + specialArgs = { inherit phps agenix; }; }; }; } diff --git a/secrets.json b/secrets.json deleted file mode 100755 index 6e240ec..0000000 Binary files a/secrets.json and /dev/null differ diff --git a/secrets/restic-env.age b/secrets/restic-env.age new file mode 100644 index 0000000..1d93a5d --- /dev/null +++ b/secrets/restic-env.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 f+PJrQ qccE2xAzfBZ3DCRQtQDgwS1UzjlZx44oUrYjcDfMfDk +I2l6xRJsdQLYB2cMo0Kfi6mVyhZsuSPFG574P8pl12Y +--- WoBlo7fqYRkiBYPoLpa3wHB8ZPCVy32a4aL5UswCHJc +L£æÎšÈ[¤Nî<#Õ]ˆ ŸüBÄ}–×fË%P„ôxK±Û¨þkI½©”<§VŸ…¶YÄ5#å±ð÷û”qE³4’­®¶l—ËøF¾“8ukȨûÂ%À´U53yìû"g\ªZæÙC®õW¥²g­z \ No newline at end of file diff --git a/secrets/restic-password.age b/secrets/restic-password.age new file mode 100644 index 0000000..58bbd5c Binary files /dev/null and b/secrets/restic-password.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..5e3f402 --- /dev/null +++ b/secrets/secrets.nix 
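Review bot: `rec` on the `nixosSystem` argument set does nothing as written: neither `modules` nor `specialArgs` refers to `system`, so the recursive scope is unused. If the intent was to make `system` available to configuration.nix, which references `${system}` in its package list, it has to be passed explicitly, e.g. `specialArgs = { inherit phps agenix system; };`; otherwise drop `rec`. Removing `secrets` from specialArgs also affects any other module in `modules` that still takes a `secrets` argument (common.nixosModule is not visible here), so it is worth confirming that nothing else read it. The outputs attribute set closes inside the hunk; its `inputs` block starts above it.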
@@ -0,0 +1,8 @@
+let
+ nettika =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHopty1QG8P+OfGxQ9CV0BI1IRB/q6yITzMZaZ6Zspid";
+in {
+ "restic-env.age".publicKeys = [ nettika ];
+ "restic-password.age".publicKeys = [ nettika ];
+ "zerotier-networks.age".publicKeys = [ nettika ];
+}
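Review bot: `"zerotier-networks.age".publicKeys = [ nettika ];` declares a secret that this commit neither adds under secrets/ nor references: configuration.nix instead hardcodes the ZeroTier network id in cleartext with `joinNetworks = [ ... ];`, where it previously came from `secrets.zerotier.networks`. Either add the encrypted file and read it through `age.secrets`, or drop the entry, so that secrets.nix and the configuration agree on what is treated as secret. All three entries also have a single recipient, the user key; adding the host's SSH public key (so the machine can decrypt with `/etc/ssh/ssh_host_ed25519_key`) means losing the user key does not make the secrets unrecoverable and lets activation run without a user's private key on disk.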