diff --git a/flake.lock b/flake.lock index 3e6db45..7d0fd74 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680281360, + "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=", + "owner": "ryantm", + "repo": "agenix", + "rev": "e64961977f60388dd0b49572bb0fc453b871f896", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", @@ -208,6 +229,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "colmena": "colmena", "hakyll-skeleton": "hakyll-skeleton", "jfdic-web": "jfdic-web", diff --git a/flake.nix b/flake.nix index fa8cd8a..b3e3744 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,11 @@ description = "jfdic-ops deployment"; inputs = { + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.darwin.follows = ""; # skip Darwin dependencies + }; hakyll-skeleton = { flake = false; url = git+https://source.jfdic.org/jfdic/hakyll-skeleton/?ref=consensus; diff --git a/outputs.nix b/outputs.nix index d4ab031..1419a3e 100644 --- a/outputs.nix +++ b/outputs.nix @@ -2,6 +2,7 @@ self, hakyll-skeleton, jfdic-web, + agenix, colmena, nix, nixpkgs, @@ -17,6 +18,7 @@ in { devShell = pkgs.callPackage ./shell.nix { + inherit (agenix.packages."${pkgs.system}") agenix; inherit (colmena.packages."${pkgs.system}") colmena; inherit (nix.packages."${pkgs.system}") nix; inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra; @@ -33,9 +35,10 @@ in { }; }; toscano = import ./nixos/hosts/toscano/configuration.nix; - nixosConfigurations = import ./nixos/configurations.nix (inputs - // { - inherit inputs; - }); + # The below lines are in the wrong place + #nixosConfigurations = import ./nixos/configurations.nix (inputs + # // { + # inherit inputs; + # }); }; } 
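Review bot: The new `agenix` input in the `flake.nix` hunk names no ref, so it follows the default branch of `ryantm/agenix`, and the `rev`/`narHash` pair in `flake.lock` is the only thing fixing which code is used. Because this input handles secret encryption for the deployment, consider naming a release in the URL, for example `url = "github:ryantm/agenix/<RELEASE_TAG>";` (placeholder tag). A routine `nix flake update` would then not move it to unreviewed upstream code. Lock bumps for this input are also worth reviewing on their own rather than inside a bulk update. The `inputs` block continues outside the hunk.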
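Review bot: In the last `outputs.nix` hunk, `nixosConfigurations` is commented out rather than moved, so the attribute is no longer defined where it was; that is a behaviour change unrelated to adding agenix. The comment `# The below lines are in the wrong place` does not say where the right place is. The attribute appears to sit inside a nested attrset, but the enclosing block starts outside the hunk, so this is inferred. If it belongs at the top level of the outputs, move it there in this commit; otherwise delete the dead lines and track the move separately. Separately, these hunks add only the agenix CLI to `devShell`, and no NixOS module import is visible, so nothing here decrypts secrets on a host yet, which the commit description should say if intended.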
diff --git a/shell.nix b/shell.nix index 0ba0b4e..c1e274f 100644 --- a/shell.nix +++ b/shell.nix @@ -1,5 +1,6 @@ { pkgs ? import {}, + agenix, alejandra, mkShell, colmena, @@ -8,6 +9,7 @@ with pkgs; mkShell { buildInputs = [ + agenix # CLI management of secrets encrypted via existing SSH keys alejandra # The Uncompromising Nix Code Formatter colmena # simple, stateless NixOS deployment tool nix # Powerful package manager, makes packaging reliable & reproducible
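Review bot: The inline comment on the new `agenix` entry in `buildInputs` (second `shell.nix` hunk) is imprecise about the key model, which matters for whoever manages secrets from this shell. Files are encrypted to SSH public keys listed in a rules file and can only be decrypted with a matching private key, so I would word it as `agenix # edit/rekey age-encrypted secrets; recipients are the SSH public keys in the rules file`. No rules file is added in the visible hunks, so the CLI may have nothing to operate on until one is committed. That is inferred from this diff only.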