diff --git a/flake.nix b/flake.nix
index 8be72e6..ebab468 100644
--- a/flake.nix
+++ b/flake.nix
@@ -50,7 +50,10 @@
 home-manager.useGlobalPkgs = true;
 home-manager.extraSpecialArgs = {inherit inputs;};
 home-manager.users.tacocat = {
- imports = [toplevel];
+ imports = [
+ toplevel
+ agenix.homeManagerModules.default
+ ];
 _module.args.theme = import ./modules/themes;
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..aafbb91
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,12 @@
+let
+ aria = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFy/qHGXBgAYhhk2hy0HIEvZxgmLF6bN3aQ7rZTf4Lxf";
+ users = [aria];
+
+ bicep = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrnQd4xYIg24VjBBEikC+dt1pNmo9pcD69TMCzRYiZn";
+ jwst = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME17TyJvo5MBNRVFTuXW23arQnI9f3OnAEv/3M6RM1g";
+ systems = [bicep jwst];
+in {
+ "taskd-ca-cert.age".publicKeys = users ++ systems;
+ "taskd-aria-cert.age".publicKeys = users ++ systems;
+ "taskd-aria-key.age".publicKeys = users ++ systems;
+}
diff --git a/secrets/taskd-aria-cert.age b/secrets/taskd-aria-cert.age
new file mode 100644
index 0000000..978dfe5
Binary files /dev/null and b/secrets/taskd-aria-cert.age differ
diff --git a/secrets/taskd-aria-key.age b/secrets/taskd-aria-key.age
new file mode 100644
index 0000000..59fadff
Binary files /dev/null and b/secrets/taskd-aria-key.age differ
diff --git a/secrets/taskd-ca-cert.age b/secrets/taskd-ca-cert.age
new file mode 100644
index 0000000..caf54fe
Binary files /dev/null and b/secrets/taskd-ca-cert.age differ
diff --git a/users/tacocat/home.nix b/users/tacocat/home.nix
index fca8957..6fa9929 100644
--- a/users/tacocat/home.nix
+++ b/users/tacocat/home.nix
@@ -1,4 +1,14 @@
 {pkgs, ...}: {
+ imports = [
+ ./programs
+ ./services
+ ./shell
+ ./helix
+ ./wayland
+ ./email.nix
+ ./lf
+ ];
+
 home = {
 username = "tacocat";
 homeDirectory = "/home/tacocat";
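Review bot: In secrets/secrets.nix the private key `taskd-aria-key.age` is encrypted to the same `users ++ systems` list as the two certificates, so whoever holds the `bicep` or `jwst` key can decrypt the taskd client key as well. If those two are host keys (the `systems` name suggests it, but the file does not say), they are probably not what decrypts these files anyway: the secrets are consumed through `agenix.homeManagerModules.default`, which by default looks for the user's own SSH identity rather than a host key. Provided the `aria` key is the identity available on every machine that needs the secret, I would narrow the recipients to `"taskd-aria-key.age".publicKeys = users;`. A one-line comment above each key saying whether it is a user or host key and which machine it belongs to would make later rekeying and revocation easier to audit.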
@@ -69,16 +79,6 @@ news.display = "silent"; - imports = [ - ./programs - ./services - ./shell - ./helix - ./wayland - ./email.nix - ./lf - ]; - xdg = { enable = true; mimeApps = { diff --git a/users/tacocat/programs/taskwarrior.nix b/users/tacocat/programs/taskwarrior.nix index ffd975d..b421af2 100644 --- a/users/tacocat/programs/taskwarrior.nix +++ b/users/tacocat/programs/taskwarrior.nix @@ -1,13 +1,19 @@ {config, ...}: { + age.secrets = { + taskd-ca-cert.file = ../../../secrets/taskd-ca-cert.age; + taskd-aria-cert.file = ../../../secrets/taskd-aria-cert.age; + taskd-aria-key.file = ../../../secrets/taskd-aria-key.age; + }; + programs.taskwarrior = { enable = true; config = { taskd = { server = "aria.cat:53589"; credentials = "myself/aria/e67e2e9f-78af-42c2-9c55-3c59054246c6"; - certificate = "${config.xdg.dataHome}/task/aria.cert.pem"; - key = "${config.xdg.dataHome}/task/aria.key.pem"; - ca = "${config.xdg.dataHome}/task/ca.cert.pem"; + certificate = config.age.secrets.taskd-aria-cert.path; + key = config.age.secrets.taskd-aria-key.path; + ca = config.age.secrets.taskd-ca-cert.path; }; dateformat = "Y-M-D H:N"; report.list.columns = [
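Review bot: In users/tacocat/programs/taskwarrior.nix the `credentials` string two lines above the new `certificate`/`key`/`ca` assignments stays in plain text, so it remains in the repository and, presumably, in the generated taskrc in the Nix store while the certificates next to it are now age-encrypted. If that value is treated as a secret on the taskd side, it could go into an age-encrypted taskrc fragment that is pulled in with taskwarrior's `include` directive instead of being set under `config.taskd`. Separately, it is worth confirming what `config.age.secrets.taskd-aria-key.path` evaluates to under the home-manager module: as far as I recall the default location is built from `$XDG_RUNTIME_DIR`, which only a shell expands, so an explicit `path` on each secret may be needed for taskwarrior to find the files. The `programs.taskwarrior.config` attribute set continues past the end of this hunk.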