diff --git a/.gitattributes b/.gitattributes
index 690a2a8..f0bd4f3 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1 @@
 secrets.nix filter=git-crypt diff=git-crypt
-*.key filter=git-crypt diff=git-crypt
-deploy_key filter=git-crypt diff=git-crypt
-keys/** filter=git-crypt diff=git-crypt
diff --git a/flake.lock b/flake.lock
index 23fefbb..4f332e7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1652712410,
+ "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "blobs": {
 "flake": false,
 "locked": {
@@ -259,6 +279,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "emacs-overlay": "emacs-overlay",
 "home-manager": "home-manager",
 "nixos-hardware": "nixos-hardware",
diff --git a/flake.nix b/flake.nix
index 128bc9a..b893753 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,14 +10,17 @@
 nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-21.05";
 nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
 nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
+ agenix.url = "github:ryantm/agenix";
+ agenix.inputs.nixpkgs.follows = "nixpkgs";
 };
 
 outputs = inputs@{ nixpkgs, home-manager, nixpkgs-mozilla, emacs-overlay
- , nixpkgs-wayland, nixpkgs-stable, nixos-hardware, self, ... }: {
+ , nixpkgs-wayland, nixpkgs-stable, nixos-hardware, agenix, self, ... }: {
 overlay = nixpkgs.lib.composeManyExtensions [
 nixpkgs-wayland.overlay
 #nixpkgs-mozilla.overlay
 emacs-overlay.overlay
+ agenix.overlay
 (import ./fixups.nix)
 (import ./pkgs)
 (import ./pkgs/mdr.nix)
diff --git a/nixos/conf b/nixos/conf
index 940c162..fc9dd22 100755
--- a/nixos/conf
+++ b/nixos/conf
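Review bot: Removing the `*.key`, `deploy_key` and `keys/**` filters means any key file committed from now on is stored in plaintext, where before the filter would have encrypted it transparently; since this commit deletes every `nixos/keys/*.key`, adding the same patterns to `.gitignore` (`*.key`, `keys/`) would make an accidental re-add fail instead of leak. The surviving `secrets.nix filter=git-crypt` pattern has no slash, so it also matches the new `secrets/secrets.nix`, which the diff indeed shows as a binary file — agenix's recipient list holds only public keys, so encrypting it protects nothing while keeping a git-crypt unlock a prerequisite for `agenix -e`; anchoring it as `/secrets.nix` or dropping the line would complete the migration. The git-crypt ciphertext of the deleted keys also remains in history, so if the git-crypt symmetric key was ever shared more widely than the age recipients now are, rotating the migrated WireGuard and SSH keys is the safe follow-up.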
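Review bot: `agenix.overlay` is added to the overlay list, but no hunk in this diff imports `agenix.nixosModules.age`, the module that defines the `age.secrets.*` options the host configurations now set; if that import already lives in a file outside this diff this is fine, otherwise evaluation fails with an undefined-option error on the first `age.secrets` line. A one-line comment next to `agenix.overlay`, e.g. `# agenix CLI via overlay; the NixOS module is imported in <path>`, would make both halves of the wiring traceable. The input is unpinned in flake.nix but locked to a specific rev with a narHash in flake.lock, which is the expected supply-chain control here.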
@@ -4,12 +4,6 @@ cd "$( dirname "${BASH_SOURCE[0]}" )"
 export NIX_PATH=
 host=$1
 COPY_USER=yorick
-decrypt() {
- if ! [ -e secrets.nix ]
- then
- git crypt unlock
- fi
-}
 get_target_host() {
 TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
 TARGET_HOST=$(ssh $TARGET_HOST ip --json r get 1.1.1.1 | jq -r '.[0].prefsrc')
@@ -19,20 +13,12 @@ peek() {
 command "$@"
 }
 nix() {
- decrypt
- peek nix --extra-experimental-features nix-command "$@"
+ peek nix --extra-experimental-features "nix-command flakes" "$@"
 }
 nix-build() {
- decrypt
 peek nix-build "$@"
 }
 case $2 in
- copy-keys)
- nix build -f ../. yorick.machine."$host".config.deployment.keys-copy --out-link copy-keys
- get_target_host
- peek ./copy-keys/bin/copy-keys "$TARGET_HOST"
- # rm ./copy-keys
- ;;
 ssh)
 get_target_host
 peek ssh root@"$TARGET_HOST"
diff --git a/nixos/deploy/keys.nix b/nixos/deploy/keys.nix
deleted file mode 100644
index e295f13..0000000
--- a/nixos/deploy/keys.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ pkgs, lib, config, ... }:
-with lib;
-let cfg = config.deployment.keyys;
-in {
- options.deployment.keyys = mkOption {
- type = types.listOf types.path;
- default = [ ];
- };
- options.deployment.keys-copy = mkOption { type = types.package; };
- config = {
- deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys"
- (if cfg != [ ] then ''
- set -e
- ssh root@$1 "mkdir -p /root/keys"
- scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
- echo "uploaded keys"
- '' else ''
- echo "no keys to upload"
- '');
-
- };
-
-}
diff --git a/nixos/keys/backup.pennyworth.key b/nixos/keys/backup.pennyworth.key
deleted file mode 100644
index e58f7fe..0000000
Binary files a/nixos/keys/backup.pennyworth.key and /dev/null differ
diff --git a/nixos/keys/grafana.env b/nixos/keys/grafana.env
deleted file mode 100644
index 334758e..0000000
Binary files a/nixos/keys/grafana.env and /dev/null differ
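Review bot: With the `copy-keys` subcommand removed, the script has no step left that provisions a host for secrets, yet agenix decrypts at activation with the target's own SSH host key: a freshly installed machine whose `/etc/ssh/ssh_host_ed25519_key.pub` is not yet a recipient in `secrets/secrets.nix` (with the secrets rekeyed via `agenix -r`) will be unable to decrypt exactly the secrets this commit migrates. A comment above `case $2 in` recording the replacement procedure — `# new host: add its ssh_host_ed25519_key.pub to secrets/secrets.nix, run agenix -r, then deploy` — or a small `rekey)` case would keep that knowledge in the deploy tool. Dropping `decrypt` from the `nix`/`nix-build` wrappers is otherwise consistent, since builds only read the committed `.age` ciphertext. The `case` statement continues past the end of the hunk.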
diff --git a/nixos/keys/http.muflax.key b/nixos/keys/http.muflax.key
deleted file mode 100644
index 982c489..0000000
Binary files a/nixos/keys/http.muflax.key and /dev/null differ
diff --git a/nixos/keys/pennyworth_borg_repo.key b/nixos/keys/pennyworth_borg_repo.key
deleted file mode 100644
index 3f320f0..0000000
Binary files a/nixos/keys/pennyworth_borg_repo.key and /dev/null differ
diff --git a/nixos/keys/pennyworth_borg_ssh.key b/nixos/keys/pennyworth_borg_ssh.key
deleted file mode 100644
index c830363..0000000
Binary files a/nixos/keys/pennyworth_borg_ssh.key and /dev/null differ
diff --git a/nixos/keys/pennyworth_borg_ssh.key.pub b/nixos/keys/pennyworth_borg_ssh.key.pub
deleted file mode 100644
index 3274dc5..0000000
Binary files a/nixos/keys/pennyworth_borg_ssh.key.pub and /dev/null differ
diff --git a/nixos/keys/ssh.frumar.key b/nixos/keys/ssh.frumar.key
deleted file mode 100644
index 60c90ad..0000000
Binary files a/nixos/keys/ssh.frumar.key and /dev/null differ
diff --git a/nixos/keys/ssh.jarvis.key b/nixos/keys/ssh.jarvis.key
deleted file mode 100644
index 32c7090..0000000
Binary files a/nixos/keys/ssh.jarvis.key and /dev/null differ
diff --git a/nixos/keys/ssh.pennyworth.key b/nixos/keys/ssh.pennyworth.key
deleted file mode 100644
index 30df22f..0000000
Binary files a/nixos/keys/ssh.pennyworth.key and /dev/null differ
diff --git a/nixos/keys/ssh.woodhouse.key b/nixos/keys/ssh.woodhouse.key
deleted file mode 100644
index f30c841..0000000
Binary files a/nixos/keys/ssh.woodhouse.key and /dev/null differ
diff --git a/nixos/keys/wg.blackadder.key b/nixos/keys/wg.blackadder.key
deleted file mode 100644
index 7465562..0000000
Binary files a/nixos/keys/wg.blackadder.key and /dev/null differ
diff --git a/nixos/keys/wg.frumar.key b/nixos/keys/wg.frumar.key
deleted file mode 100644
index bd8f954..0000000
Binary files a/nixos/keys/wg.frumar.key and /dev/null differ
diff --git a/nixos/keys/wg.jarvis.key b/nixos/keys/wg.jarvis.key deleted file mode 100644 index 6d13817..0000000 Binary files a/nixos/keys/wg.jarvis.key and /dev/null differ diff --git a/nixos/keys/wg.mullvad-nl3.key b/nixos/keys/wg.mullvad-nl3.key deleted file mode 100644 index 91584a6..0000000 Binary files a/nixos/keys/wg.mullvad-nl3.key and /dev/null differ diff --git a/nixos/keys/wg.mullvad-nl4.key b/nixos/keys/wg.mullvad-nl4.key deleted file mode 100644 index 6ff1d02..0000000 Binary files a/nixos/keys/wg.mullvad-nl4.key and /dev/null differ diff --git a/nixos/keys/wg.pennyworth.key b/nixos/keys/wg.pennyworth.key deleted file mode 100644 index 9eb68a8..0000000 Binary files a/nixos/keys/wg.pennyworth.key and /dev/null differ diff --git a/nixos/keys/wg.smithers.key b/nixos/keys/wg.smithers.key deleted file mode 100644 index 73d1bab..0000000 Binary files a/nixos/keys/wg.smithers.key and /dev/null differ diff --git a/nixos/keys/wg.woodhouse.key b/nixos/keys/wg.woodhouse.key deleted file mode 100644 index 91b24e0..0000000 Binary files a/nixos/keys/wg.woodhouse.key and /dev/null differ diff --git a/nixos/keys/wg.zazu.key b/nixos/keys/wg.zazu.key deleted file mode 100644 index ea44d6a..0000000 Binary files a/nixos/keys/wg.zazu.key and /dev/null differ diff --git a/nixos/keys/yori-nix.key b/nixos/keys/yori-nix.key deleted file mode 100644 index f080c82..0000000 Binary files a/nixos/keys/yori-nix.key and /dev/null differ diff --git a/nixos/logical/frumar.nix b/nixos/logical/frumar.nix index d0fbc4e..798fd6e 100644 --- a/nixos/logical/frumar.nix +++ b/nixos/logical/frumar.nix @@ -6,8 +6,6 @@ ../services/torrent-wg.nix ]; - deployment.keyys = [ ../keys/grafana.env ]; - system.stateVersion = "15.09"; networking.hostId = "0702dbe9"; 
@@ -88,8 +86,8 @@ AUTH_GOOGLE_ALLOW_SIGN_UP = "false"; }; }; - systemd.services.grafana.serviceConfig.EnvironmentFile = - "/root/keys/grafana.env"; + age.secrets.grafana.file = ../../secrets/grafana.env.age; + systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path; services.zfs = { trim.enable = false; # no ssd's autoScrub = { diff --git a/nixos/logical/jarvis.nix b/nixos/logical/jarvis.nix index db2c300..8875329 100644 --- a/nixos/logical/jarvis.nix +++ b/nixos/logical/jarvis.nix @@ -4,4 +4,5 @@ system.stateVersion = "17.09"; yorick.lumi-vpn.name = "yorick"; + yorick.lumi-vpn.ip = "10.109.0.10"; } diff --git a/nixos/logical/pennyworth.nix b/nixos/logical/pennyworth.nix index 1538ef6..ac007de 100644 --- a/nixos/logical/pennyworth.nix +++ b/nixos/logical/pennyworth.nix @@ -44,12 +44,13 @@ in { }; }; + age.secrets.muflax.file = ../../secrets/http.muflax.age; services.muflax-blog = { enable = true; web-server = { port = 9001; }; hidden-service = { hostname = "muflax65ngodyewp.onion"; - private_key = "/root/keys/http.muflax.key"; + private_key = config.age.secrets.muflax.path; }; }; services.nginx.commonHttpConfig = '' @@ -89,7 +90,6 @@ in { }; "media.yori.cc" = sslforward "http://${vpn.ips.frumar}:32001"; }; - deployment.keyys = [ ../keys/http.muflax.key ]; networking.firewall.allowedUDPPorts = [ 31790 ]; # wg networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList (machine: publicKey: { diff --git a/nixos/logical/zazu.nix b/nixos/logical/zazu.nix index 42df95a..1e5b77d 100644 --- a/nixos/logical/zazu.nix +++ b/nixos/logical/zazu.nix @@ -1,5 +1,5 @@ # Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, lib, pkgs, inputs, ... }: +{ config, lib, pkgs, inputs, modulesPath, ... }: { imports = [ # Include the results of the hardware scan. 
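Review bot: The new `EnvironmentFile = config.age.secrets.grafana.path` relies on agenix's defaults (root-owned, mode 0400 under /run/agenix), which works only because systemd reads `EnvironmentFile=` itself before switching to the unit's `User=`; that reasoning is invisible from the two lines and is easy to break if the same path is later handed to grafana directly. A comment on the `age.secrets.grafana.file` line would pin it: `# read by systemd as root before User= takes effect, so the agenix default root:0400 is sufficient`. `config` must also be in this module's argument set for `config.age.secrets.grafana.path` to resolve; the file header is outside the hunk, so that cannot be confirmed here.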
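Review bot: `private_key = config.age.secrets.muflax.path` inherits agenix's default ownership (root, mode 0400), so the key is only readable if whatever opens `hidden-service.private_key` runs as root; the replaced `/root/keys/http.muflax.key` had the same constraint, so nothing regresses, but if `services.muflax-blog` passes the path to a tor instance running under its own user, set `age.secrets.muflax.owner` (and `group`) to that user next to the `.file` line. A short comment there, e.g. `# onion-service identity key; readable only by root unless owner/group are set`, would record the assumption. The `services.muflax-blog` module that consumes the path is not in this diff, so the effective reader cannot be confirmed from the hunk.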
@@ -7,7 +7,7 @@ # ../roles inputs.nixos-hardware.nixosModules.pcengines-apu - + "${modulesPath}/profiles/minimal.nix" ]; boot.loader.grub.enable = true; diff --git a/nixos/modules/lumi-cache.nix b/nixos/modules/lumi-cache.nix index 71aaaf5..1804a50 100644 --- a/nixos/modules/lumi-cache.nix +++ b/nixos/modules/lumi-cache.nix @@ -1,27 +1,15 @@ { config, lib, pkgs, ... }: let cfg = config.yorick.lumi-cache; - nixNetrcFile = pkgs.runCommand "nix-netrc-file" { - hostname = "cache.lumi.guide"; - username = "lumi"; - } '' - cat > $out <= 1.0 BORG_REMOTE_PATH = "borg1"; # SSH key is specific to the subaccount defined in the repo username - BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key"; + BORG_RSH = "ssh -i ${config.age.secrets.backup_ssh.path}"; }; # Define schedule diff --git a/nixos/services/torrent-wg.nix b/nixos/services/torrent-wg.nix index e8001e8..e5d9dd6 100644 --- a/nixos/services/torrent-wg.nix +++ b/nixos/services/torrent-wg.nix @@ -7,11 +7,11 @@ in { namespace = mkOption { type = types.str; }; }; config = { - deployment.keyys = [ (../keys + "/wg.${cfg.name}.key") ]; + age.secrets.wg-torrent.file = ../../secrets/wg.${cfg.name}.age; networking.wireguard.interfaces.${cfg.name} = { # curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")' ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ]; - privateKeyFile = "/root/keys/wg.${cfg.name}.key"; + privateKeyFile = config.age.secrets.wg-torrent.path; peers = [{ publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ="; allowedIPs = [ "0.0.0.0/0" "::0/0" ]; diff --git a/secrets/grafana.env.age b/secrets/grafana.env.age new file mode 100644 index 0000000..18f3fcf Binary files /dev/null and b/secrets/grafana.env.age differ diff --git a/secrets/http.muflax.age b/secrets/http.muflax.age new file mode 100644 index 0000000..6e6dff1 Binary files /dev/null and b/secrets/http.muflax.age differ 
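Review bot: `age.secrets.wg-torrent.file = ../../secrets/wg.${cfg.name}.age` makes evaluation depend on a committed ciphertext per `cfg.name`, and this commit adds `wg.{blackadder,frumar,pennyworth,smithers,zazu}.age` while deleting `wg.jarvis.key` and `wg.woodhouse.key` with no `.age` counterpart; a host importing this module under one of those names would fail at evaluation with a missing path, which is the right failure mode but deserves a comment on that line: `# requires secrets/wg.<name>.age for every host that imports this module`. The fixed secret name `wg-torrent` is fine while `cfg.name` is a single option, but `"wg-${cfg.name}"` would keep /run/agenix self-describing if the module ever becomes multi-instance. The WireGuard module reads `privateKeyFile` as root during interface setup, so the agenix default permissions suffice here.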
diff --git a/secrets/nix-netrc.age b/secrets/nix-netrc.age new file mode 100644 index 0000000..626a1d6 Binary files /dev/null and b/secrets/nix-netrc.age differ diff --git a/secrets/pennyworth_borg_repo.age b/secrets/pennyworth_borg_repo.age new file mode 100644 index 0000000..942b06a --- /dev/null +++ b/secrets/pennyworth_borg_repo.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 lYFcsw HsqJA3brEYXwaJT7VjTassnpzZSBsa+968Oe6BC7FFA +rwqKJVSh2BkXpUbnkegEOKMWV68CXZnOg5HJlFhGWmY +-> ssh-ed25519 ZzuO9Q SbeT6ExvwzTog2HXThI8OOgJQoMqWOOtU6gmU+v/x28 +pgEYyg6EuRsIW1shMlvQfTGxwyq0/uFHQumDmB0QzZM +-> P*s7TnXP-grease C O$ +KXqmSEK5b3oWErBT6A5w5A +--- 7XjRgeS86xeERnenf8zSZPb47lV2GiSa55ZPKEvjJBc +x6 +KO+SUaHr-ACMnfs;bBd;L92 LSR͞t nnN \ No newline at end of file diff --git a/secrets/pennyworth_borg_ssh.age b/secrets/pennyworth_borg_ssh.age new file mode 100644 index 0000000..77380f7 Binary files /dev/null and b/secrets/pennyworth_borg_ssh.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..d861b3a Binary files /dev/null and b/secrets/secrets.nix differ diff --git a/secrets/wg.blackadder.age b/secrets/wg.blackadder.age new file mode 100644 index 0000000..92eb358 --- /dev/null +++ b/secrets/wg.blackadder.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 lYFcsw v6eGXaE307KPZGNPiZizSUSiJ4om5/igqveCtyXJpVA +7tJ+o/YBYrHF+DeLaHeBdV6ZVPEV7w9Dxq/4HcpGdDc +-> ssh-ed25519 4Ui0LA 2gDiPTnSkhgMySIeIITAUmTRzCDHwFH73BKayFzIBmE +mc8SgUhs7WSR9sl+Y1ZkQahwJ2zXdbkEekZkGXiL7ss +-> !ff-grease BK qoe krs&bJ +pKON54F5tCt2T9YGQM920TxaK+l08X/1xCSIpSLy0WwpzJYeFu6XRT6VoPTga/hG +tDqS6PvXw12729k5JH7qMS2XzDEuh+6NIRnDuwGC/ttfk+2HJe25FifbZhE+1YNC +9A +--- BxJEHO4W1sUHQ2pk8CZViEDCy+WhyzVdWlZUZHIHlBE +-fV7O9_B?Z /TQ+3B*wv/ ^@X!/uҪ \ No newline at end of file diff --git a/secrets/wg.frumar.age b/secrets/wg.frumar.age new file mode 100644 index 0000000..6de9114 --- /dev/null +++ b/secrets/wg.frumar.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 lYFcsw vv0M0zAhNZ8dsIuOI6p1Y++WusqBwdYJqzXuK4IXflo +MERLtcazm/pWBSvyISDLoil5eiNDDwAYDY+H1pTrYN4 +-> ssh-ed25519 n7yA6g dV0UCZeAfZIxaoNYM5OZnbLRHiad1XJdYcidUCa6qj8 +7PJAgRS4r+oQiQAM4Lt+yvQXRZzrOEMp0RwlwTge6Ic +-> D-grease 9p~L6^ #_8k_6RW ssh-ed25519 lYFcsw TtNKEpF1PW3hFdAR6yvwlppBsb4aS8G7GxpBhtpwvVQ +p4VgueR9Evc7lxckk9psbD/i0su9XSzfns8/YnroKVY +-> ssh-ed25519 n7yA6g YRrCJZMq/Rz3VRlOXSM6QFsRLK+S7H/ThVigcin21Gk +S4X0SNQUtxLpsDei6PkzQm+cFxL9cyLubTlVXrdZmHE +-> 6LOV|>L-grease ;6R Kod}I/ bmRbO| +SPzo5pVPaREotXuB0w +--- UfqolORCJHBYP9FQU/cxuRbPuQBWAX8bqUWrrUx3GTQ +߆C=%݋ ukʘsx.C5~d c4 $ yV)q \ No newline at end of file diff --git a/secrets/wg.pennyworth.age b/secrets/wg.pennyworth.age new file mode 100644 index 0000000..67b02b4 Binary files /dev/null and b/secrets/wg.pennyworth.age differ diff --git a/secrets/wg.smithers.age b/secrets/wg.smithers.age new file mode 100644 index 0000000..db82635 Binary files /dev/null and b/secrets/wg.smithers.age differ diff --git a/secrets/wg.zazu.age b/secrets/wg.zazu.age new file mode 100644 index 0000000..829ec68 Binary files /dev/null and b/secrets/wg.zazu.age differ