diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..47ede6d
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &admin age13flq29rfu03np26ujargsjml3wdhlruvhqyjnfhlq87s56lrxy2sgl8z6h
+ - &server_netbox: age1y5y2k2zn9w3ss2drqw3d295ny0t0xww5855dkuh4g2f934gt74eqxgmhvh
+creation_rules:
+ - path_regex: boxes/netbox/secrets.yaml
+ key_groups:
+ - age:
+ - *admin
+ - *server_netbox
diff --git a/boxes/netbox/default.nix b/boxes/netbox/default.nix
index cd2635a..4b8ecaf 100644
--- a/boxes/netbox/default.nix
+++ b/boxes/netbox/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
 ../../lib/bootstrap.nix
+ ./sops.nix
 ./franklincce.nix
 ./gitea.nix
diff --git a/boxes/netbox/gitea.nix b/boxes/netbox/gitea.nix
index 990526e..164af4b 100644
--- a/boxes/netbox/gitea.nix
+++ b/boxes/netbox/gitea.nix
@@ -1,11 +1,11 @@
-{ lib, config, pkgs, ... }:
+{ config, ... }:
 {
 services.gitea = {
 enable = true;
 appName = "beepboop.systems"; # Give the site a name
 database = {
 type = "postgres";
- passwordFile = "/etc/gittea-pass";
+ passwordFile = config.sops.secrets."gitea/postgres-password".path;
 };
 settings.security.INSTALL_LOCK = true;
 settings.service = {
diff --git a/boxes/netbox/secrets.yaml b/boxes/netbox/secrets.yaml
new file mode 100644
index 0000000..be9eb2f
--- /dev/null
+++ b/boxes/netbox/secrets.yaml
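Review bot: The second entry under `keys` has a stray colon in its anchor, `&server_netbox:`, so depending on the YAML parser the anchor is either named `server_netbox:` or attaches to an empty mapping key rather than to the age1y5… string; either way the alias `*server_netbox` in the creation rule does not resolve to that recipient. The line should read ` - &server_netbox age1y5y2k2zn9w3ss2drqw3d295ny0t0xww5855dkuh4g2f934gt74eqxgmhvh`. This matches boxes/netbox/secrets.yaml in the same commit, whose `sops.age` block lists only the age13flq… recipient, so the host key named in sops.nix cannot decrypt the file and the gitea secret will not be provisioned at activation. After fixing the anchor, re-encrypt with `sops updatekeys boxes/netbox/secrets.yaml` and check that both recipients appear in the file's `sops.age` list. Also, `path_regex` is a regular expression rather than a path, so `^boxes/netbox/secrets\.yaml$` would avoid an unanchored match.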
@@ -0,0 +1,22 @@
+gitea:
+ postgres-password: ENC[AES256_GCM,data:lcF+qOUo3PuCM/ymuIsxrZ/Ui5lwWuto8FMAQNY2nGWEvtf/yjcRzFwWIyqfszb19Wl3Z70a3i5fyurCdQ+izwAL83TOMA==,iv:+ValvmW5P4geg/2LdvrR28mp1lbB2a/Lu1zpHsxg6Uo=,tag:fayiaAf3MTSJE6Fnic9RPw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age13flq29rfu03np26ujargsjml3wdhlruvhqyjnfhlq87s56lrxy2sgl8z6h
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UkFWVm5GanMvQXdUZUc1
+ TFhxVDhWSDZwb3BMUHNnZHg5c2sxbmY0Y2lVCjF1T3FFdUE0bVJ1T3BaNnpjeThH
+ Sld6K2gydVN0YmJvUHdlTmd3VkV0ZTgKLS0tIE1VSElDbXdDUkd6aWFGSW02VTRP
+ MGwzY3dySzJHQzJWUTArVDU4MSszakUK3u5xVX+Oey1Ax6I4PH8IuJ/eQAWMgFyK
+ SaEgS7z/pHSEKQZeGmZwrk5+1ahI+qkjX4XPiTxiM4rxjiluxhyqQg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-27T03:59:29Z"
+ mac: ENC[AES256_GCM,data:BJQOgkeU71G9Cy9tRxSCNJce4NDlc73ZKoWfpMkYcIbBIkpQotmnEzmWvjmDjcR9hEayDoDHVXZA4DWtpPPSYCuls5tkHV0wFg3usLRAFWWhMOWLL4D9ZJl9C8uuW21c8mlhDf+5n+sWY5UGaRSD5SBqYdqn68E62bunLm6kHrM=,iv:Z7A686d5B7oG1GODtUDdMG9zsf2tSyqWLrofdBC9PLo=,tag:U5sf23+BRBDuqXkdb/LYGw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/boxes/netbox/sops.nix b/boxes/netbox/sops.nix
new file mode 100644
index 0000000..ed91957
--- /dev/null
+++ b/boxes/netbox/sops.nix
@@ -0,0 +1,14 @@
+{ inputs, config, ... }:
+{
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets = {
+ "gitea/postgres-password" = {};
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index 8353937..51f4bf2 100644
--- a/flake.nix
+++ b/flake.nix
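Review bot: `"gitea/postgres-password" = {}` keeps sops-nix's defaults of owner root and mode 0400, but the gitea module's pre-start step that substitutes `database.passwordFile` into app.ini runs, as far as I can tell, as the gitea service user, so reading the secret will fail with a permission error on first start. Set the owner explicitly, `"gitea/postgres-password".owner = config.services.gitea.user;`, and leave the mode at 0400 so only that user can read it. `age.sshKeyPaths` makes the host's ed25519 key the sole decryption key for `defaultSopsFile`, so secrets.yaml has to be encrypted for the matching age recipient before this configuration is deployed.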
@@ -2,11 +2,9 @@
 description = "stupidcomputer's nixos flake";
 inputs = {
- # regular nixos stuff
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
- simple-nixos-mailserver = {
- url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
- };
+ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
+ sops-nix.url = "github:Mic92/sops-nix";
 };
 outputs = {
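Review bot: `sops-nix.url = "github:Mic92/sops-nix";` is added without `sops-nix.inputs.nixpkgs.follows = "nixpkgs";`, so the lock file will carry a second, independently pinned nixpkgs for sops-nix alongside the nixos-24.05 pin the rest of the flake uses. Adding the `follows` line keeps a single nixpkgs and evaluates the sops-nix module against the same package set as the hosts. The same applies to the pre-existing simple-nixos-mailserver input, which this hunk only reformats. The enclosing `inputs` attrset is fully inside the hunk; `outputs` continues outside it.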