diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..1417f26
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &host_key age15x4h66uk6ct3436e6r4l0tkpf86e7jzl3lqd2acndq2jjvq5za3stqg2fy
+creation_rules:
+ - path_regex: secrets\.yaml$
+ key_groups:
+ - age:
+ - *host_key
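Review bot: The only recipient under `key_groups` is the single `host_key` from line 8, so the host's age identity is the sole key that can decrypt or re-encrypt `secrets.yaml`; if that private key is lost or the host is rebuilt, the file becomes unrecoverable and every secret in it must be regenerated, and editing secrets from a workstation requires copying the host key off the machine. Add the operator's own age public key as a second recipient, e.g. `- &admin_key <operator age public key>` under `keys` and `- *admin_key` under the same `age:` group, then run `sops updatekeys secrets.yaml` whenever recipients change. A one-line comment next to `host_key` saying where its private half lives on the host would also help the next maintainer, since sops-nix only works if that file is present at the expected location.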
diff --git a/flake.nix b/flake.nix
index a781f46..1ac0cb7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,6 +9,8 @@
# Home manager
home-manager.url = "github:nix-community/home-manager/release-24.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
+ # Add sops for secret management
+ sops-nix.url = "github:Mic92/sops-nix";
# add phinger hyprcursor flake
hyprcursor-phinger.url = "github:jappie3/hyprcursor-phinger";
# add zen browser flake
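Review bot: `sops-nix.url` on line 23 is added without a matching `sops-nix.inputs.nixpkgs.follows = "nixpkgs";`, unlike `home-manager` two lines above it, so the lock file will carry a second, independently-pinned nixpkgs pulled in by sops-nix. Add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` directly after line 23 to keep a single nixpkgs (and a single set of security updates) in the closure. The URL tracks the repository's default branch rather than a tag; that matches the other non-home-manager inputs here, but it means `nix flake update` can move to any upstream commit, so review the lock diff when bumping it.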
@@ -122,6 +124,16 @@
};
};
modules = [
+ inputs.sops-nix.homeManagerModules.sops
+ {
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ # Define your secrets here
+ vikunja_jwtsecret = {};
+ };
+ };
+ }
./home-manager/homeserver.nix
];
};
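Review bot: The secret declared on line 37 is named `vikunja_jwtsecret`, but `home-manager/homeserver/containers/work_tools.nix` in this same change reads `config.sops.secrets.vikunja_jwt_secret.path`, so evaluation will fail with a missing attribute; rename one side so they agree, e.g. `vikunja_jwt_secret = {};` here. `defaultSopsFile = ./secrets.yaml` on line 34 points at an encrypted file that is not part of this diff, so confirm it is committed, and note that with an empty `{}` attribute set sops-nix looks up a top-level key in that file with the same name as the secret. The enclosing homeConfigurations attribute starts before this hunk.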
diff --git a/home-manager/homeserver/containers/work_tools.nix b/home-manager/homeserver/containers/work_tools.nix
index 2826188..401d9ba 100644
--- a/home-manager/homeserver/containers/work_tools.nix
+++ b/home-manager/homeserver/containers/work_tools.nix
@@ -10,29 +10,20 @@
services.podman.containers = {
vikunja = {
image = "docker.io/vikunja/vikunja:latest";
+ autoUpdate = "registry";
environment = {
- VIKUNJA_SERVICE_JWTSECRET = "";
+ VIKUNJA_SERVICE_JWTSECRET = config.sops.secrets.vikunja_jwt_secret.path;
VIKUNJA_SERVICE_PUBLICURL = "http://bulba.space/";
- # Note the default path is /app/vikunja/vikunja.db.
- # This config variable moves it to a different folder so you can use a volume and
- # store the database file outside the container so state is persisted even if the container is destroyed.
VIKUNJA_DATABASE_PATH = "/db/vikunja.db";
};
+ environmentFiles = [
+ config.sops.secrets.vikunja_jwt_secret.path
+ ];
+ volumes = [
+ "/home/cianh/vikunja/files:/app/vikunja/files"
+ "/home/cianh/vikunja/db:/db"
+ ];
+ ports = ["3456:3456"];
};
};
- # vikunja:
- # image: vikunja/vikunja
- # environment:
- # VIKUNJA_SERVICE_JWTSECRET:
- # VIKUNJA_SERVICE_PUBLICURL: http:///
- # # Note the default path is /app/vikunja/vikunja.db.
- # # This config variable moves it to a different folder so you can use a volume and
- # # store the database file outside the container so state is persisted even if the container is destroyed.
- # VIKUNJA_DATABASE_PATH: /db/vikunja.db
- # ports:
- # - 3456:3456
- # volumes:
- # - ./files:/app/vikunja/files
- # - ./db:/db
- # restart: unless-stopped
}
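Review bot: Line 55 assigns the decrypted secret's host filesystem *path* to `VIKUNJA_SERVICE_JWTSECRET`, so Vikunja would sign its JWTs with a predictable path string rather than the secret itself, and that path does not exist inside the container anyway. Line 63 then passes the same file as an env file, which only works if its contents are `KEY=VALUE` lines; with the secret declared as `{}` in flake.nix the file holds just the raw value unless `secrets.yaml` stores it as `VIKUNJA_SERVICE_JWTSECRET=<value>`. Drop line 55, keep `environmentFiles`, and store the secret in that `KEY=VALUE` form (the attribute name also has to match the one declared in flake.nix, which currently spells it `vikunja_jwtsecret`). Separately, `autoUpdate = "registry"` on line 52 combined with `:latest` on line 51 pulls whatever upstream publishes next without review; pin a version tag or digest if unattended updates are not intended.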
diff --git a/home-manager/homeserver/packages.nix b/home-manager/homeserver/packages.nix
index ba31a80..656b7aa 100644
--- a/home-manager/homeserver/packages.nix
+++ b/home-manager/homeserver/packages.nix
@@ -20,6 +20,7 @@
lua54Packages.lua
luajitPackages.luarocks
nodejs-slim
+ sops
stylua
])
++ (with unstablePkgs; [