diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9cc3593
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,13 @@
+# This document uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+ - &admin_daylin age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3
+ - &host_othalan age1t4k04mjltmmhljnwugm6y4dejtu72vv4fd4anxxfsdpkapfnfauqe765gy
+creation_rules:
+ - path_regex: hosts/othalan/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_daylin
+ - *host_othalan
diff --git a/hosts/othalan/default.nix b/hosts/othalan/default.nix
index fb01bd0..3cb538e 100644
--- a/hosts/othalan/default.nix
+++ b/hosts/othalan/default.nix
@@ -25,4 +25,9 @@
 |> listify
 |> enableAttrs
 );
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ # This will automatically import SSH keys as age keys
+ sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ sops.secrets.restic-othalan = {};
 }
diff --git a/hosts/othalan/secrets.yaml b/hosts/othalan/secrets.yaml
new file mode 100644
index 0000000..3039fa3
--- /dev/null
+++ b/hosts/othalan/secrets.yaml
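Review bot: In `.sops.yaml`, nothing records where the `&host_othalan` recipient comes from or what has to happen when it changes. The `default.nix` hunk points sops-nix at `/etc/ssh/ssh_host_ed25519_key`, so this recipient is presumably derived from that host key; if the host is reinstalled and the key regenerated, the anchor must be replaced and every matching file re-encrypted. I would add a comment above the entry such as `# host_othalan: age recipient of othalan's SSH ed25519 host key; on host-key change update this and run "sops updatekeys" on each secrets file`. With a single admin recipient, losing that key together with the host key leaves the files undecryptable, so a second, offline recovery recipient in the key group is worth considering.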
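Review bot: In `hosts/othalan/default.nix`, `sops.secrets.restic-othalan = {};` declares the secret with sops-nix defaults, and nothing in the hunk consumes it. Those defaults make the decrypted file readable by root only, so if the restic job runs as another user it needs an explicit `owner`/`mode`, and the consumer should take the location from `config.sops.secrets.restic-othalan.path` rather than a hard-coded path. The comment above `sops.age.sshKeyPaths` could also state the dependency: `# decryption uses the host's ed25519 SSH key; it must match host_othalan in .sops.yaml`. The enclosing attribute set starts outside the hunk, so a consumer may already exist elsewhere in the file.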
@@ -0,0 +1,30 @@
+restic-othalan: ENC[AES256_GCM,data:HNIya1Rp,iv:8QkDewpXoy+3ahuuaCN/HfbGOgfQQ0Ud5emD7zVPE2s=,tag:bDfumEnt20lun5hnLY+eVA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age10ft5tkswydhmassqeqzr8frpx6vc07g4rwam09rs8agvgfrsn95q9ml7u3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCK3pzZ3hXdG40L1JyK281
+ NDJ4WWEyWFBPeERabXpSUXYzOWMxdWJlMGdFCmQydi8rbVZCUFBzM0NUbWJlZzZ3
+ anV6a2FCL1BRTWg2V1RBZFJXUUNRUEkKLS0tIHIwTzl5NEdoTWRaUm9LR3I1MFph
+ TFJjQndHQUJZdEZsSElmY0xDMTMvc2MKCO9BP1jccmFXqLjJQyk5a1/QC69/WPaV
+ xl8U7gFoiOf6ZIESk/fADVtnG+thEYF1vwEMI8ClUfs+8kWgwBqoGw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1t4k04mjltmmhljnwugm6y4dejtu72vv4fd4anxxfsdpkapfnfauqe765gy
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWnBYVFRKMVJPVEQ1VlAy
+ Y000L1lHM2JyN0oyeTFROXh6OTVlTkc5RlVBCkdqU20yeGtVcWo3cmRoQmFKVG91
+ d3RQazc1UTJBdWQwUEdzNkNPYXZ3SmsKLS0tIHdzd0Q0a1pPeEJqS1Rrckt6aUdt
+ UmE2Mk4yV21TNTF2NjBqZ0txYThRRzAKgyWCwmF4mhX8lmfslmBf2UrcFqzT8m11
+ AqhJsG2LRU/9/6FXOYn2rYeCIDpTkPoQ4ez7F4m/zp+RvOc2eW3g2g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-29T00:41:44Z"
+ mac: ENC[AES256_GCM,data:4+H5OmCCTrMrkz9sLHcdwu8EFc+iS3MUTfhLgH6crfE0QSmV87b4JKQTVtdoYnzB8f2hRS/DeAImaLs68NQ/c7raLKwKmX1Bx2htV92MEOhoEjnZ6IbpCzY9FhrtRFjjBrg/nAuMpK0ktYW3w9C/v/jq/YEnP+pabkPhsUav8GU=,iv:LtBd2nj21ZCOXmvfbCIz/lvYC4neRk7ZTnY/rbJnATU=,tag:o9K/TxIp/NLmcvpXHYPHoQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
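Review bot: In `hosts/othalan/secrets.yaml`, the `restic-othalan` value carries `data:HNIya1Rp`, eight base64 characters, so the encrypted plaintext is only six bytes long. SOPS encrypts each value in place without padding, which means the length of a secret stays visible to anyone who can read the repository. If this is the real restic repository password rather than a placeholder, replace it with a long randomly generated passphrase, change the repository password accordingly, and re-encrypt the file.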