diff --git a/nixos/modules/base/nix/default.nix b/nixos/modules/base/nix/default.nix
index e4b109c..98f2d6b 100644
--- a/nixos/modules/base/nix/default.nix
+++ b/nixos/modules/base/nix/default.nix
@@ -18,6 +18,7 @@ in
 git
 deadnix
 statix
+ inputs.agenix.packages.${system}.default
 ];
 defaultPackages = [];
 etc = {
diff --git a/nixos/modules/base/secrets.nix b/nixos/modules/base/secrets.nix
new file mode 100644
index 0000000..7250e21
--- /dev/null
+++ b/nixos/modules/base/secrets.nix
@@ -0,0 +1,24 @@
+{ config, lib, self, ... }:
+
+let
+ inherit (lib) mkIf;
+
+ host = config.ooknet.host;
+ admin = host.admin;
+ tailscale = host.networking.tailscale;
+in
+
+{
+ age.identityPaths = [
+ "/home/${admin.name}/.ssh/id_ed25519"
+ ];
+
+ age.secrets = {
+ tailscale-auth = mkIf tailscale.enable {
+ file = "${self}/secrets/tailscale-auth.age";
+ owner = "${admin.name}";
+ group = "users";
+ mode = "400";
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 10c9384..cd2875f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,5 +4,5 @@ let
 in
 {
- "tailscale.age".publicKeys = [ users.ooks] ++ workstations;
+ "tailscale-auth.age".publicKeys = [ users.ooks] ++ workstations;
 }
diff --git a/secrets/tailscale-auth.age b/secrets/tailscale-auth.age
new file mode 100644
index 0000000..92ead7f
--- /dev/null
+++ b/secrets/tailscale-auth.age
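Review bot: `age.identityPaths` in nixos/modules/base/secrets.nix points agenix at the admin user's personal key, `/home/${admin.name}/.ssh/id_ed25519`, so decryption at system activation depends on a user-owned file that must be present when the secrets are installed and, as far as I know, must carry no passphrase because activation is non-interactive. If the `workstations` recipients in secrets/secrets.nix are host keys (not visible in this diff), dropping the override or using `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` keeps the personal key out of the boot path and lets it stay passphrase-protected. The secret is also handed to the admin account via `owner = "${admin.name}"; group = "users";`, which lets any process running as that user read the Tailscale auth key. Unless a user-level consumer needs it, omit `owner` and `group` so the root-owned default applies, and write `mode = "0400";` in the usual octal form. A short comment above `age.secrets` naming the service that reads `tailscale-auth` would make the intended reader explicit.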
@@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> ssh-ed25519 xeHnUA 52ff3V6p8X3hodTBDvRQRD/ZyocV58chSleKsf5w4y4 +Wr8MbvxZdd49DdwsuMXvoCYm8kpzWiEzna+NrqUICqQ +-> ssh-ed25519 6HvatA iVh9DJ3Ou3TtR96see0/U7X1zR8lZZXGi7B4ObAxDGI +5cn14n4Ct236Ft/R7ZqzJGgPpJsZL2ZTnD9LXDmKN+0 +-> ssh-ed25519 3DwG4w 97Zlb54r8xrNkjA86HdDQatvZzEmBk9KAqFT78VVgg8 +dmQggrUwGHJjM0/YjzeJ6dgw2Hu6fxspx7lioClXkLY +-> ssh-ed25519 Nn8WxA AtXU2CGgju1bW80X2lI14arexSf8WB4JAH1ryXAH21Y +EHKKwihQqg1EJ1Qr3BL2b1Kyt6bAYTitAEY9oXE5O2M +-> ssh-ed25519 Gd+9pg +PCQ96Jyut87SS18Rr/E7mk2oXfdCJmYRmreCZQDU0E +fjcBw2XHzTRY9KiZ6Iqc/0yhdP+JZHadZUZK8OQgAcY +-> ssh-ed25519 eMj+Jg qv5f3o7vz0cGuyHrs0g9ESSiQwtrE8OXSBtzl6XcHT8 +JW73t+wiglYMAtovUzze22L34eh4MNROFJTsOaMSdmc +-> ssh-ed25519 MQ/7Ew JLvkekvt9/cICI3bhllYiHWgoLYLZ7mMAPCzQkV4tXE +2OBRPv3hNVKcZF4WnM2yH1/3uXKWoOUXPGql+hu/6C4 +--- LGSxHZgBm9F4YzIESW2MsGO7ys3OJpRG32mPAOyl0yo +'۰|BnBwbR`hD; +{&Uכ5䛮$gT8Ak_glw \ No newline at end of file