diff --git a/flake.lock b/flake.lock index 900955b..4de797e 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,48 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -37,6 +80,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" 
@@ -58,15 +122,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1711703276, - "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", - "owner": "nixos", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" @@ -88,14 +152,46 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1711703276, + "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { + "agenix": "agenix", "disko": "disko", "dotfiles": "dotfiles", - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", + "home-manager": "home-manager_2", + "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index 7da18c5..dd602fe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,6 +18,8 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
+ agenix.url = "github:ryantm/agenix";
+
 disko = {
 url = "github:nix-community/disko";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -31,6 +33,7 @@
 outputs = {
 self,
+ agenix,
 disko,
 dotfiles,
 home-manager,
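Review bot: `agenix.url = "github:ryantm/agenix";` is added without an `inputs.nixpkgs.follows = "nixpkgs";`, unlike the `disko` input a few lines below it, and the flake.lock in this same commit shows the effect: agenix drags in its own pinned `nixpkgs` (lastModified 1703013332), `darwin`, `home-manager` and `systems`, and the root's nixpkgs is renamed to `nixpkgs_2`. That is a second, older nixpkgs evaluation and four extra pinned inputs that `nix flake update` has to keep current for no benefit. Declare it in the same shape as disko, `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };`, and consider `inputs.home-manager.follows = "home-manager";` too since the lock shows agenix carries that input as well.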
@@ -56,6 +59,7 @@
 modules = [
 ./hosts/m3-kratos
 inputs.disko.nixosModules.disko
+ agenix.nixosModules.default
 ];
 };
 };
diff --git a/home/features/cli/fish.nix b/home/features/cli/fish.nix
index e0d6e99..4dcdc20 100644
--- a/home/features/cli/fish.nix
+++ b/home/features/cli/fish.nix
@@ -15,6 +15,7 @@ in {
 set -x NIX_PATH nixpkgs=channel:nixos-unstable
 set -x NIX_LOG info
 set -x TERMINAL kitty
+ source /run/agenix/${config.home.username}-secrets
 if test (tty) = "/dev/tty1"
 exec Hyprland &> /dev/null
diff --git a/hosts/common/extraServices/extraServices/default.nix b/hosts/common/extraServices/extraServices/default.nix new file mode 100644
index 0000000..db6f8b1
--- /dev/null
+++ b/hosts/common/extraServices/extraServices/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./podman.nix
+ ];
+}
diff --git a/hosts/common/extraServices/extraServices/extraServices/extraServices/podman.nix b/hosts/common/extraServices/extraServices/extraServices/extraServices/podman.nix new file mode 100644
index 0000000..d3fc4f0
--- /dev/null
+++ b/hosts/common/extraServices/extraServices/extraServices/extraServices/podman.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.extraServices.podman;
+in {
+ options.extraServices.podman.enable = mkEnableOption "enable podman";
+
+ config = mkIf cfg.enable {
+ virtualisation = {
+ podman = {
+ enable = true;
+ dockerCompat = true;
+ autoPrune = {
+ enable = true;
+ dates = "weekly";
+ flags = [
+ "--filter=until=24h"
+ "--filter=label!=important"
+ ];
+ };
+ defaultNetwork.settings.dns_enabled = true;
+ };
+ };
+ environment.systemPackages = with pkgs; [
+ podman-compose
+ ];
+ };
+}
diff --git a/hosts/common/extraServices/extraServices/extraServices/podman.nix b/hosts/common/extraServices/extraServices/extraServices/podman.nix new file mode 100644
index 0000000..d3fc4f0
--- /dev/null
+++ b/hosts/common/extraServices/extraServices/extraServices/podman.nix
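Review bot: `source /run/agenix/${config.home.username}-secrets` runs unconditionally at every interactive shell start, but the only user-owned secret this commit declares is `m3tam3re-secrets` (owner `m3tam3re` in hosts/m3-kratos/secrets.nix), so for any other username, on a host without the agenix module, or before the secret has been decrypted, the path is absent and fish prints an error at each new shell. Guard it: `if test -r /run/agenix/${config.home.username}-secrets` / `source /run/agenix/${config.home.username}-secrets` / `end`. Note also that sourcing executes the decrypted file as fish code and any variables it exports become part of the environment of every process started from the shell, which is a wider exposure than one service reading the file; a comment on the line saying what the file is expected to contain would make that trade-off explicit. The shell-init string this line belongs to starts outside the hunk.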
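Review bot: This file lands at `hosts/common/extraServices/extraServices/default.nix`, and the identical `podman.nix` (blob d3fc4f0) is added three times below it, at `extraServices/extraServices/podman.nix`, `extraServices/extraServices/extraServices/podman.nix` and one level deeper still, which looks like a repeated copy into a nested directory rather than intent. `./podman.nix` resolves only the copy sitting next to this default.nix; the two deeper copies are never imported, and nothing in this diff imports this default.nix from `hosts/common` either, so `extraServices.podman.enable` may not be reachable from `hosts/m3-kratos` at all. Keep a single `hosts/common/extraServices/default.nix` plus one `podman.nix`, delete the other copies, and check that `hosts/common` actually imports the directory.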
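Review bot: `mkEnableOption "enable podman"` yields the option description "Whether to enable enable podman." because mkEnableOption already prepends "Whether to enable"; use `options.extraServices.podman.enable = lib.mkEnableOption "podman (rootful, with docker CLI alias)";` or similar. The file-scope `with lib;` hides where `mkIf` and `mkEnableOption` come from and can shadow names silently; qualifying them as `lib.mkIf`/`lib.mkEnableOption` and dropping the `with` is the usual NixOS module style. A short header comment stating that `dockerCompat` only aliases the `docker` command to podman and that no Docker-compatible socket is exposed by this module would save the next reader from assuming otherwise (hedged: that is my understanding of the option, confirm against the NixOS module). The identical copies at `hosts/common/extraServices/extraServices/extraServices/podman.nix` and `hosts/common/extraServices/extraServices/podman.nix` carry the same points.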
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.extraServices.podman;
+in {
+ options.extraServices.podman.enable = mkEnableOption "enable podman";
+
+ config = mkIf cfg.enable {
+ virtualisation = {
+ podman = {
+ enable = true;
+ dockerCompat = true;
+ autoPrune = {
+ enable = true;
+ dates = "weekly";
+ flags = [
+ "--filter=until=24h"
+ "--filter=label!=important"
+ ];
+ };
+ defaultNetwork.settings.dns_enabled = true;
+ };
+ };
+ environment.systemPackages = with pkgs; [
+ podman-compose
+ ];
+ };
+}
diff --git a/hosts/common/extraServices/extraServices/podman.nix b/hosts/common/extraServices/extraServices/podman.nix new file mode 100644
index 0000000..d3fc4f0
--- /dev/null
+++ b/hosts/common/extraServices/extraServices/podman.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.extraServices.podman;
+in {
+ options.extraServices.podman.enable = mkEnableOption "enable podman";
+
+ config = mkIf cfg.enable {
+ virtualisation = {
+ podman = {
+ enable = true;
+ dockerCompat = true;
+ autoPrune = {
+ enable = true;
+ dates = "weekly";
+ flags = [
+ "--filter=until=24h"
+ "--filter=label!=important"
+ ];
+ };
+ defaultNetwork.settings.dns_enabled = true;
+ };
+ };
+ environment.systemPackages = with pkgs; [
+ podman-compose
+ ];
+ };
+}
diff --git a/hosts/m3-kratos/default.nix b/hosts/m3-kratos/default.nix
index 3747fec..e8cbd19 100644
--- a/hosts/m3-kratos/default.nix
+++ b/hosts/m3-kratos/default.nix
@@ -36,6 +36,7 @@
 imports = [
 ../common
 ./configuration.nix
+ ./secrets.nix
 ./services
 ];
diff --git a/hosts/m3-kratos/secrets.nix b/hosts/m3-kratos/secrets.nix new file mode 100644
index 0000000..1bca2de
--- /dev/null
+++ b/hosts/m3-kratos/secrets.nix
@@ -0,0 +1,13 @@
+{
+ age = {
+ secrets = {
+ secret1 = {
+ file = ../../secrets/secret1.age;
+ };
+ m3tam3re-secrets = {
+ file = ../../secrets/m3tam3re-secrets.age;
+ owner = "m3tam3re";
+ };
+ };
+ };
+}
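Review bot: `file = ../../secrets/secret1.age;` points at a file this commit does not add; the only new ciphertext here is `secrets/m3tam3re-secrets.age`, while `secrets/secrets.nix` lists recipients for both `secret1.age` and `m3tam3re-secrets.age`. If `secrets/secret1.age` is not already in the tree, evaluating the m3-kratos configuration fails on the missing path, so either commit it or drop the entry until it exists. The name `secret1` also says nothing about what it holds or who consumes it; a comment such as `# env file for services/containers/nginx.nix (root-only, no owner set)` next to the entry would make the coupling and the intended permissions visible.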
diff --git a/hosts/m3-kratos/services/containers/default.nix b/hosts/m3-kratos/services/containers/default.nix
index a4b9d99..9352d16 100644
--- a/hosts/m3-kratos/services/containers/default.nix
+++ b/hosts/m3-kratos/services/containers/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./echo.nix
+ ./nginx.nix
 ];
 }
diff --git a/hosts/m3-kratos/services/containers/nginx.nix b/hosts/m3-kratos/services/containers/nginx.nix new file mode 100644
index 0000000..4750e0d
--- /dev/null
+++ b/hosts/m3-kratos/services/containers/nginx.nix
@@ -0,0 +1,8 @@
+{config, ...}: {
+ virtualisation.oci-containers.containers."nginx" = {
+ image = "docker.io/nginx:alpine";
+ environmentFiles = [
+ config.age.secrets.secret1.path
+ ];
+ };
+}
diff --git a/secrets/m3tam3re-secrets.age b/secrets/m3tam3re-secrets.age new file mode 100644
index 0000000..bef671f
--- /dev/null
+++ b/secrets/m3tam3re-secrets.age
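Review bot: `image = "docker.io/nginx:alpine";` pulls by a mutable tag, so the container's content can change between two deployments of the same flake revision without any change in this repository, which undercuts the pinning the flake does for all its other inputs. Pin by digest, `image = "docker.io/nginx:alpine@sha256:<IMAGE_DIGEST>";` (placeholder; record the digest of the image you actually tested), and bump it deliberately. The `environmentFiles` entry reads `config.age.secrets.secret1.path`, a secret declared without `owner` in hosts/m3-kratos/secrets.nix; that presumably leaves it readable by root only, which works because the oci-containers unit runs as root, but a one-line comment stating that assumption would keep someone from later setting `user`/rootless options and wondering why the file cannot be read.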
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 l/KTwg +8dkEwTxSxpSykhcm+qqMU5c9FxuL0VURTO+Et3Hqjg +IPzfKtktyMQdv5SceryhZrYhCeB/TVLgXAlu78ihMTw +-> ssh-rsa DQlE7w +j4z7/+j+OxQn5pyhuzYdhUYKVhsU7VndBt62wHkt/3akh4a31GbXDmhhFasO/0LX +vj0MnsoNQSyWxSE16oP3abFL3dnv8u5nUNsTUUKnd7gv58RglfGzUI3vZ5iIQVZx +ryAiRhmZbzb+oXN4Kzi3Mj1yNExnmDK5JXwKMZpWRPlgmnEAvoRnBGK9povIk+Av +vACdqLC0jZPsw3B2zw1L35iVSeb2HbbqYdUab3ElClPu6HVQBa7JGSSNfyVJY3c4 +zbz9H9gwDvspu0jexK6D7cZjDalh3UCYly7JvPGoUd6bWHUCNhHOyAhZFIZlNIhj +pD1BqBis9Mh5xtCElml+PQkfKQKqGJz7KZ6v6bs6EGq/0nXaEiMmn3HRYnPEL98O +u63SVH5vevAcUewVw6/iENN+0vUTK19C3vkEFDaEwuPTituAMReicx+9vZZvz7ZE +nTUDblgl+8MngAQBaRjH4HrsXb3mx/4vFhSMO7gBYwYq8xpPXLqlwqgyBS54fBSU + +--- T7qcXQKB/ktQb5Epx0/k+EDOdpbJV1x7VaZKEGEfaOE + qQ?N˯:a1)\&Ezl['`%QQ9/{& ssh-ed25519 l/KTwg rtb9YLrncvwCrLgxUrpsyWQKh5EpORg+M3V2jWFEI0Q ++QaPHNxR+5GcIKt9+0EbP/9UbZPe1ET6OS+NOByeZ90 +-> ssh-rsa DQlE7w +k2jNaCjCwamanfwOn2U+mxjo1n4445GvfEk2U8OG75AGox4UxlvCBqbzecx9jx+t +w3CBDstgVvJgEMjZ70g4fhok6gISiyMKc/KQxU9TLRYlTU3ulvX3nf+/4pX05YVv +Xj+7amLZtEPSMNgNDbRnverPToVTCEgzpG7XELzhrhV+cbLvI702f2ws2puySvkR +rMkAyyHNA3UfYv42FX4ZitIiOKHALdAVw89oxVFLj4qcYIuo6GdmDoMiRQCLdDvs +CkRyPm7qtrcc6Kmeyl0xLZnTWi90IOF8tHmwbOhSxbhRpWPn05Gzdw27hbX41gkZ +qqerT71oFVJhueK8gCJPtePQQXIXLsOc4gjI78WXaRB/BlpwWK4GlKEeaIHP9f35 +HVN8PAjWmgA9MR2/p9azmwYjVduaZoRrINmSVMwtS31h6eZD1m5XAuO3orBZHKqX +8Z9gkpaeIOvGhdP0ye861l3PSduI01CNe9dT0T+iIWhXbMkJ3woVaQTOl8h/IVb6 + +--- Q6mzi+/lp1nHSpHoVZqH4RXzNh0Jei8FRhBgU4IjHCQ +aCk l !\H>܃HJ{C:Dѣ&ŲPEW \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..ca3d46a --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,7 @@
+let
+ m3-kratos-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+8dfimMlWKZOlpjEGI6/2hVFDhytJVTi/P92Jf9mTz";
+ m3tam3re = "ssh-rsa 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";
+in {
+ "secret1.age".publicKeys = [m3-kratos-vm m3tam3re];
+ "m3tam3re-secrets.age".publicKeys = [m3-kratos-vm m3tam3re];
+}
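Review bot: Both entries carry the identical recipient list `[m3-kratos-vm m3tam3re]`, so every new secret repeats it and a key rotation has to be edited in each line; bind it once in the `let`, `allKeys = [m3-kratos-vm m3tam3re];`, and write `publicKeys = allKeys;` in both entries. A comment above each key saying which identity it is, `# m3-kratos host key (presumably the identity that decrypts at activation)` and `# admin key used to edit secrets`, helps whoever rotates them later, since replacing `m3-kratos-vm` means re-encrypting every secret listed in this file.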