diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 00000000..baee90a9
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,13 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+  - &skinnyv age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
+  - &bolty age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
+creation_rules:
+  - path_regex: /[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *skinnyv
+      - *bolty
diff --git a/README.md b/README.md
index 9b7c5aad..89cc8616 100644
--- a/README.md
+++ b/README.md
@@ -145,6 +145,8 @@ reboot
 cd ~/dev/dotfiles/
 nixos-install --flake '.#'
 ssh-keygen -t ed25519
+ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
+age-keygen -y ~/.config/sops/age/keys.txt #add result to .sops.yaml
 # syncthing
 # vault
 # firefox sync
diff --git a/nixos/home-manager/cli.nix b/nixos/home-manager/cli.nix
index 985e83e3..b0fc9de1 100644
--- a/nixos/home-manager/cli.nix
+++ b/nixos/home-manager/cli.nix
@@ -7,6 +7,7 @@
     ext.pass-audit
     ext.pass-update
   ]))
+  age
   aria
   bfg-repo-cleaner
   binutils
@@ -40,6 +41,8 @@
   restic
   ripgrep-all
   rustup
+  sops
+  ssh-to-age
   tmux
   topgrade
   unzip
diff --git a/nixos/home-manager/scripts/download.nix b/nixos/home-manager/scripts/download.nix
index 24e8aa71..207ec74b 100644
--- a/nixos/home-manager/scripts/download.nix
+++ b/nixos/home-manager/scripts/download.nix
@@ -1,13 +1,11 @@
 { config, pkgs, ... }:
 
 let
-  download = pkgs.writeTextFile {
-    name = "download";
-    executable = true;
-    destination = "/bin/download";
-    text = ''
-      ${pkgs.aria}/bin/aria2c -x 16 -s 16 $@
-    '';
-  };
+  download = pkgs.writeShellScriptBin "download" ''
+    ${pkgs.aria}/bin/aria2c -x 16 -s 16 $@
+  '';
 
-in { home.packages = with pkgs; [ download ]; }
+in {
+
+  home.packages = with pkgs; [ download ]; 
+}
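Review bot: The creation rule `path_regex: /[^/]+\.yaml$` matches every YAML file in the repository, not only secrets, so any `sops` invocation on an unrelated YAML (or a `sops updatekeys` over a glob) silently picks up these recipients; the encrypted file added in this commit is named `openweathermap.sops.yaml`, so `path_regex: \.sops\.yaml$` would pin the rule to that convention. The leading `/` also means the rule only matches paths with a directory component — if the installed sops matches against the path relative to `.sops.yaml` rather than the absolute path, a top-level `secrets.sops.yaml` would match no rule at all. Adding a third recipient to `keys:` later does not touch files that are already encrypted; a comment such as `# after editing keys run: sops updatekeys <file>` next to `keys:` would spare the next editor that surprise.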
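Review bot: The rewritten script still expands `$@` unquoted on the aria2c line, so a URL argument containing spaces or glob characters (`?`, `*`, `[` are all common in query strings) can be word-split and pathname-expanded by the shell before aria2c sees it; write it as `${pkgs.aria}/bin/aria2c -x 16 -s 16 "$@"`. As far as I can tell `writeShellScriptBin` only runs `bash -n` over the result, so this is not caught at build time; if the pinned nixpkgs has `pkgs.writeShellApplication { name = "download"; runtimeInputs = [ pkgs.aria ]; text = ''aria2c -x 16 -s 16 "$@"''; }`, that helper runs shellcheck and would flag it. The `with pkgs;` in `home.packages = with pkgs; [ download ]` does nothing here, since `download` is the let-bound derivation rather than a pkgs attribute.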
diff --git a/nixos/i3/default.nix b/nixos/i3/default.nix index d9c4a4a3..ec5fb159 100644 --- a/nixos/i3/default.nix +++ b/nixos/i3/default.nix @@ -1,5 +1,5 @@ { config, pkgs, ... }: { - imports = [ ./autorandr.nix ]; + imports = [ ./autorandr.nix ./openweathermap-secrets.nix ]; environment.systemPackages = with pkgs; [ dconf ]; programs.dconf.enable = true; diff --git a/nixos/i3/openweathermap-fullfeatured.sh b/nixos/i3/openweathermap-fullfeatured.sh index 216e0d49..abd8c65f 100755 --- a/nixos/i3/openweathermap-fullfeatured.sh +++ b/nixos/i3/openweathermap-fullfeatured.sh @@ -1,6 +1,6 @@ #!/bin/sh -source $HOME/.open-secrets.sh +OPENWEATHERMAP_KEY=`cat /run/secrets/openweathermap-api-key` KEY="$OPENWEATHERMAP_KEY" CITY="" diff --git a/nixos/i3/openweathermap-secrets.nix b/nixos/i3/openweathermap-secrets.nix new file mode 100644 index 00000000..2a1d1e80 --- /dev/null +++ b/nixos/i3/openweathermap-secrets.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: + +{ + sops.age.keyFile = /home/cyryl/.config/sops/age/keys.txt; + sops.secrets.openweathermap-api-key = { + mode = "0440"; + owner = config.users.users.cyryl.name; + group = config.users.users.cyryl.group; + sopsFile = ./openweathermap.sops.yaml; + }; + home-manager.users.cyryl = { home.sessionVariables = { }; }; +} diff --git a/nixos/i3/openweathermap.sops.yaml b/nixos/i3/openweathermap.sops.yaml new file mode 100644 index 00000000..70298980 --- /dev/null +++ b/nixos/i3/openweathermap.sops.yaml 
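Review bot: `OPENWEATHERMAP_KEY=\`cat /run/secrets/openweathermap-api-key\`` does not fail when the secret is missing or unreadable — for example before sops-nix has activated, or when the script runs as a user outside the owner/group that `mode = "0440"` in openweathermap-secrets.nix allows — so `cat`'s error goes to stderr, `KEY` ends up empty and the request is still sent with an empty key. Read it with POSIX `$(...)` (the file is `#!/bin/sh`) and bail on failure or an empty value: `OPENWEATHERMAP_KEY=$(cat /run/secrets/openweathermap-api-key) || exit 1` followed by `[ -n "$OPENWEATHERMAP_KEY" ] || exit 1`. The rest of the script, including where `KEY` is interpolated into the request, is outside the hunk, so I cannot see whether it is quoted there.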
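Review bot: `sops.age.keyFile = /home/cyryl/.config/sops/age/keys.txt;` is a Nix path literal rather than a string, and a path literal is copied into the Nix store at the point where it is coerced to a string inside a derivation — sops-nix serializes its options into a manifest for activation, so as I read it the *private* age identity would end up world-readable under `/nix/store` (and under pure flake evaluation, which the README's `nixos-install --flake` uses, an absolute path outside the flake is refused at eval time instead). Quote it so only the path string is recorded: `sops.age.keyFile = "/home/cyryl/.config/sops/age/keys.txt";`. Decryption runs as root during system activation, so keying it off a file in a user's home also means a wiped or compromised home directory breaks activation; the sops-nix convention is a root-owned `/var/lib/sops-nix/key.txt`, or `sops.age.sshKeyPaths` pointing at the host SSH key, with the user's key kept for editing only. `home-manager.users.cyryl = { home.sessionVariables = { }; };` assigns nothing and can be dropped.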
@@ -0,0 +1,30 @@ +openweathermap-api-key: ENC[AES256_GCM,data:NNeVpkLxM9xDxV0oskAoUPjH6b3V8K3MfnNOOAEtg0k=,iv:0uOxqjmUvslHH7yyKJuZ9h0tY20BUmqr7zsRSX2AjBc=,tag:1rJHeWtct6pph58U9Nalkw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMXQzL3JVaTBOL0U3MlFm + d0tjUE9abDVUR2dVbHlBQ1diSWRRWUVnalVvCnNQbWZUUmJ3TFFpL0x6c0lQV3hx + UW5IU28xdlp6Mi9OdU9UNmFuRWRKWmsKLS0tIG9GUFNLblphdHdmMXFQbzJmSjBN + TVZMTWJCd1lyZU1tNFZJQTBhT0lGZTgKKM0mC1k7YsEBaogB4Y7TEhGliU/lbETQ + DuZ59BaXpOy9wzQ62m3oAhubP/cQZVOp1rH094BVdQqfNnDB4+F9xg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3ekZTVjhnaUJkbS9tdm9w + cnJQYXpYbTVjOFhCMmFaQmdERCtzS1NBSlRzCnZpYUpGa01QRElhaDdaLzRtY0sy + UXQrU1hJRnlNNlJWME1NWWdPbG5rcjQKLS0tIHVmY2lHZ3NDR2FTZmRpSjhkM0FG + L0IzUmQvNS9PT2hXYUNYL1hoRVgyQTgKdJs/VaS7G076v2CPoGz71yjeQsu19GCZ + pIThhU9ppGJvgo1eD0kQFeNHwHB4Wg1jN38d/KoC5A0vWYWmk+Hhng== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-06-04T08:35:33Z" + mac: ENC[AES256_GCM,data:Rne0FsSpBMOPSdwDryFtB9ui7hSxvbJMz1+Qkq3Ih1HYBdVuIldyWsoJK7D8wvAl2E/z3MMk/vBoYQUmkhuzZorqiseuFix6sAZBps08R9ZG1t7uJbHuU9Bt2/ebX3n2ZQXgWkPX06eglmqbqzE+WS/yzUxu/KGYa3aqpv2COt4=,iv:+ginG0RSy8aacTHwKnjO17XKkBU4iY5YzAcIovBIaTU=,tag:yyTxDGqK2BI1QNv+vg2ZqQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3