diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..683de10
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1ft5dg4lna25ceg40mvvq5sa53zm7rhqdsnsxxe7qyaa34u2gsp8qkgere4
+creation_rules:
+ - path_regex: shared/secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/flake.lock b/flake.lock
index f8007d0..3bf2f12 100644
--- a/flake.lock
+++ b/flake.lock
@@ -61,9 +61,30 @@
 "inputs": {
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix",
 "zen-browser": "zen-browser"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1760240450,
+ "narHash": "sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U=",
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "rev": "41fd1f7570c89f645ee0ada0be4e2d3c4b169549",
+ "type": "github"
+ },
+ "original": {
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "zen-browser": {
 "inputs": {
 "home-manager": "home-manager_2",
diff --git a/flake.nix b/flake.nix
index 01ffac6..cb78d30 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,11 @@
 url = "github:0xc000022070/zen-browser-flake";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ sops-nix = {
+ url = "github:mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = { self, nixpkgs, ... }@inputs: {
diff --git a/hosts/arabasta/configuration.nix b/hosts/arabasta/configuration.nix
index 967ebed..4c57a04 100644
--- a/hosts/arabasta/configuration.nix
+++ b/hosts/arabasta/configuration.nix
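Review bot: The creation rule for `shared/secrets/secrets.yaml` names a single recipient, the `&primary` age key, and nothing else in this diff gives the host that consumes the Forgejo values (`hosts/arabasta`) a key that can open the file, so the secrets can only ever be decrypted on the machine holding `~/.config/sops/age/keys.txt`. sops-nix on a NixOS host decrypts at activation with the host's SSH host key converted by ssh-to-age, so that public key should be added as a second anchor under `keys:` (e.g. `- &arabasta <ssh-to-age output for arabasta's host key>`) and listed as `- *arabasta` in the age group, then the file re-encrypted with `sops updatekeys`. A single recipient is also a single point of failure: losing that key file loses every secret, so a second offline recipient is worth keeping. Minor: the regex is unanchored on the left, so `path_regex: ^shared/secrets/secrets\.yaml$` is the tighter match.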
@@ -78,8 +78,62 @@
 tailscale
 ];
- services.tailscale.enable = true;
-
+ services = {
+ tailscale.enable = true;
+ forgejo = {
+ enable = true;
+ database.type = "postgres";
+ lfs.enable = true;
+ settings = {
+ server = {
+ APP_NAME = "forgejo";
+ APP_SLOGAN = "Ah well, it's just my programming.";
+ RUN_MODE = "prod";
+ SSH_DOMAIN = "code.kjelsrud.dev";
+ DOMAIN = "code.kjelsrud.dev";
+ HTTP_PORT = 3000;
+ HTTP_ADDR = "0.0.0.0";
+ ROOT_URL = "https://code.kjelsrud.dev";
+ DISABLE_SSH = true;
+ LFS_START_SERVER = true;
+ LFS_JWT_SECRET = "CHANGEME";
+ OFFLINE_MODE = true;
+ };
+ session = {
+ COOKIE_SECURE = true;
+ PROVIDER = "file";
+ };
+ security = {
+ INSTALL_LOCK = true;
+ PASSWORD_HASH_ALGO = "pbkdf2_hi";
+ INTERNAL_TOKEN = "CHANGEME";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ REQUIRE_SIGNIN_VIEW = false;
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_NOTIFY_MAIL = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ ENABLE_CAPTCHA = false;
+ DEFAULT_KEEP_EMAIL_PRIVATE = false;
+ DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
+ DEFAULT_ENABLE_TIMETRACKING = true;
+ NO_REPLY_ADDRESS = "noreply.localhost";
+ };
+ mailer.ENABLED = false;
+ openid = {
+ ENABLE_OPENID_SIGNIN = false;
+ ENABLE_OPENID_SIGNUP = false;
+ };
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
+ };
+ oauth2.JWT_SECRET = "CHANGEME";
+ };
+ };
+ };
+
 fileSystems."/mnt/media" = {
 device = "/dev/disk/by-uuid/956ec2bb-357c-4959-917f-ece881c4615c";
 fsType = "ext4";
diff --git a/hosts/water7/configuration.nix b/hosts/water7/configuration.nix
index d9fa25f..70738a8 100644
--- a/hosts/water7/configuration.nix
+++ b/hosts/water7/configuration.nix
@@ -7,7 +7,8 @@
 {
 imports = [
 ./hardware-configuration.nix
- inputs.home-manager.nixosModules.default
+ inputs.home-manager.nixosModules.default
+ inputs.sops-nix.nixosModules.sops
 ];
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
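Review bot: `LFS_JWT_SECRET`, `INTERNAL_TOKEN` and `oauth2.JWT_SECRET` are set to the literal `"CHANGEME"` inside `services.forgejo.settings`, so Forgejo on arabasta would sign LFS and OAuth2 tokens with a publicly known string, and values placed in `settings` end up in the generated app.ini in the Nix store, which is world-readable. The encrypted values for exactly these three keys are added to `shared/secrets/secrets.yaml` in this same commit, but this host neither imports `inputs.sops-nix.nixosModules.sops` (only water7 does, per this diff) nor declares any `sops.secrets`, so they are never wired in; Forgejo's NixOS module exposes `services.forgejo.secrets.<section>.<key> = <path>` for splicing secret files into app.ini at start-up, which is the place to reference the sops-managed paths, with the placeholders removed from `settings` (the module also generates these tokens itself when they are left unset, as far as I recall — confirm before relying on it). `HTTP_ADDR = "0.0.0.0"` additionally exposes plain-HTTP port 3000 on every interface while `ROOT_URL` is HTTPS; if a reverse proxy or Tailscale fronts this, binding to `127.0.0.1` or the tailnet address avoids an unauthenticated listener. The enclosing module attribute set continues outside the hunk, and the sketch below assumes `config` is among the module arguments and that the sops module import is added to this host's `imports`.
```nix
  sops.defaultSopsFile = ../../shared/secrets/secrets.yaml;
  sops.secrets."forgejo/LFS_JWT_SECRET".owner = "forgejo";
  sops.secrets."forgejo/INTERNAL_TOKEN".owner = "forgejo";
  sops.secrets."forgejo/oauth2.JWT_SECRET".owner = "forgejo";

  services = {
    tailscale.enable = true;
    forgejo = {
      enable = true;
      # … unchanged: database.type, lfs.enable …
      secrets = {
        server.LFS_JWT_SECRET = config.sops.secrets."forgejo/LFS_JWT_SECRET".path;
        security.INTERNAL_TOKEN = config.sops.secrets."forgejo/INTERNAL_TOKEN".path;
        oauth2.JWT_SECRET = config.sops.secrets."forgejo/oauth2.JWT_SECRET".path;
      };
      settings = {
        server = {
          # … unchanged: APP_NAME … LFS_START_SERVER, with the LFS_JWT_SECRET line dropped …
          HTTP_ADDR = "127.0.0.1";
        };
        # … unchanged: session, service, mailer, openid, actions; security without INTERNAL_TOKEN; oauth2.JWT_SECRET line dropped …
      };
    };
  };
```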
@@ -95,7 +96,12 @@
 home-manager = {
 extraSpecialArgs = { inherit inputs; };
 users = {
- "sid" = import ./home.nix;
+ sid = {
+ imports = [
+ ./home.nix
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+ };
 };
 };
@@ -121,6 +127,7 @@
 libreoffice-qt6-fresh
 komikku
 joplin
+ obs-studio
 # Only related to this laptop - above to be moved to a more common config when ive added more hosts
 kdePackages.dolphin
 prismlauncher
diff --git a/hosts/water7/home.nix b/hosts/water7/home.nix
index 3f04c9a..172ef67 100644
--- a/hosts/water7/home.nix
+++ b/hosts/water7/home.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, ... }:
+{ config, pkgs, inputs, lib, ... }:
 {
 # Home Manager needs a bit of information about you and the paths it should
@@ -22,8 +22,16 @@
 pinentry-curses
 hyprpaper
 inputs.zen-browser.packages."x86_64-linux".default
+ sops
+ age
 ];
+
+ sops = {
+ defaultSopsFile = "../../.sops.yaml";
+ defaultSopsFormat = "yaml";
+ age.keyFile = "/home/sid/.config/sops/age/keys.txt";
+ };
+
 # Home Manager is pretty good at managing dotfiles. The primary way to manage
 # plain files is through 'home.file'.
 home.file = {
diff --git a/shared/secrets/secrets.yaml b/shared/secrets/secrets.yaml
new file mode 100644
index 0000000..a9f8a5b
--- /dev/null
+++ b/shared/secrets/secrets.yaml
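Review bot: `defaultSopsFile = "../../.sops.yaml"` in the new `sops` block points at the sops *configuration* file rather than at the encrypted store this commit adds under `shared/secrets/`, and it is a relative string rather than a Nix path, so it is not resolved relative to `home.nix` or copied into the closure — it will most likely fail sops-nix's `path` type check at evaluation or, failing that, be resolved against whatever working directory the activation runs from. Use a path literal to the actual secrets file: `defaultSopsFile = ../../shared/secrets/secrets.yaml;`. `age.keyFile` hard-codes `/home/sid/...`; `"${config.home.homeDirectory}/.config/sops/age/keys.txt"` keeps it correct if the user or home directory changes, and since that file is the only recipient key in this diff it should stay at mode 0600 and be backed up. No `sops.secrets` are declared in the hunk yet, so the misconfiguration is silent until the first secret is added.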
@@ -0,0 +1,19 @@
+forgejo:
+ LFS_JWT_SECRET: ENC[AES256_GCM,data:qdYhKX+SRnpy5ur5XkBmQ9gN6dNCOw3q2dliUssWaNHP7RWATwsTcdsApQ==,iv:EazZrHXvDUM1z2UcqbH6tHmTs7+COv4CFNo04fDgAWw=,tag:ZJZn8d1yuHnB/1CHyuuTyg==,type:str]
+ INTERNAL_TOKEN: ENC[AES256_GCM,data:Wg+VeKKZK/EIjREIWQuWKCUB7CoL4SlPwBC3ldyul3EWu+YAzc6nouWqp1Q4eH9ib9nNztnOQ66cru8u513TMJfNA7F9BuCGf3b2MjIRwcf12aXJR7yHc15nPD0/LwJ6PXQQBAXZNnfh,iv:STOtNKSxF5LzexsYVvWUQDa/ZXkWV2CJRFD0nYr9U+g=,tag:yKfUIkKVZXWJ5zDOCseLNw==,type:str]
+ oauth2.JWT_SECRET: ENC[AES256_GCM,data:lypGzbbbXhXc75Gi1I6LVQIDAgsQseuvz60Um+YglkMkDMuMfpEAX1AkhQ==,iv:uMzIu0+O8f98074BP8V8tkNQKhCc+jAGPCf3ZSVuUS4=,tag:GFIIZYiKqgfZ/C+9iiVxvQ==,type:str]
+sops:
+ age:
+ - recipient: age1ft5dg4lna25ceg40mvvq5sa53zm7rhqdsnsxxe7qyaa34u2gsp8qkgere4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraGdMYXBEZGMvbGVqSkJE
+ aWJRRUtBN3Q1cVR3S0xHTU00akhOL0hhSlc0Clh5SVlycit2b3pPMVMzV3BPdTNM
+ S3lNRFVCZFZwaWwzc1QxdSthYTdsNlEKLS0tICtJem9UaXp4cFJWMWU2cmRXL2pV
+ Yk9ETmxVV3Ezb0ZUQXViNkNxaHk1bmcKwBkyJN6IFH59THyuhYydP7lqfki26rNX
+ Eb0/GmRLhx9P9EfA+eMwL5rox4nksoqktOxDB8MATASOAH3EM/+e5A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-10-12T07:11:43Z"
+ mac: ENC[AES256_GCM,data:Ox0JQ/90f5uey1+CEXBexVkTDd0PsLDqRdKZNi3OHoUJG9B3Oty5NRqsOdowlGQdGJ7Hn0gxprwO4/QQ/SS45rZFX1bNWywSxTtNuKK9HeOG5DFFaLaJTGUa2UHxjb3Owu2ScHUUOzEWxZt2h1mBpnxEKvdxajq5X8ww+hgXd7s=,iv:SMY3PANRZq33KNn8JwnBdqRFMOWwfxTz7l7ZKA/suFg=,tag:JVGqCRkUw12k7wwqc1vI8g==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2