diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix
index f58c9f5..8b02073 100644
--- a/hosts/snowbelle/configuration.nix
+++ b/hosts/snowbelle/configuration.nix
@@ -30,7 +30,7 @@
 };
 # age
- age.keyFile = ../../.keyring/age/keys.txt;
+ #config.age.keyFile = "/home/blake/.nix/.keyring/age/keys.txt";
 # passwordless rebuild
 security.sudo.extraRules = [
diff --git a/modules/system/age.nix b/modules/system/age.nix
new file mode 100644
index 0000000..36b3f12
--- /dev/null
+++ b/modules/system/age.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+let
+ # Central list of secrets
+ secret_names = [
+ "tailscale_authkey"
+ ];
+
+ # Map the list into age.secrets definitions
+ secrets = builtins.listToAttrs (map
+ (name: {
+ name = name;
+ value.file = ../../secrets/${name}.age;
+ })
+ secret_names);
+in {
+ options.secrets.enable = lib.mkEnableOption "Enable system secrets";
+
+ config = lib.mkIf config.modules.secrets.enable {
+ age.keyFile = "/home/blake/.keyring/age/keys.txt";
+ age.secrets = secrets;
+ };
+}
diff --git a/modules/system/system.nix b/modules/system/system.nix
index eee3112..d94cb25 100644
--- a/modules/system/system.nix
+++ b/modules/system/system.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ./ssh.nix
+ ./age.nix
 ./docker.nix
 ./tailscale.nix
 ./syncthing.nix
@@ -10,6 +11,7 @@
 ];
 modules.system.ssh.enable = lib.mkDefault true;
+ modules.secrets.enable = lib.mkDefault true;
 modules.system.docker.enable = lib.mkDefault true;
 modules.system.tailscale.enable = lib.mkDefault true;
 modules.system.syncthing.enable = lib.mkDefault true;
diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
index 17a49ee..7631d26 100644
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
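Review bot: The replacement line `#config.age.keyFile = "/home/blake/.nix/.keyring/age/keys.txt";` is commented-out config whose path differs from the one the new age.nix actually sets (`/home/blake/.keyring/age/keys.txt`), so it is a stale hint that will send the next reader to the wrong file; delete the comment rather than keep it. If `/home/blake/.nix` is the checkout of this repository, confirm `.keyring/` is git-ignored and was never committed, since the old `../../.keyring/age/keys.txt` path literal already pointed the age identity into the tree. The enclosing attribute set starts and ends outside the hunk.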
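Review bot: The option declared on the `options.secrets.enable` line is `secrets.enable`, but the `config = lib.mkIf config.modules.secrets.enable {` line reads `modules.secrets.enable`, which nothing declares, so evaluation fails with an undeclared-option error as soon as system.nix sets it; declare what is read, e.g. `options.modules.secrets.enable = lib.mkEnableOption "system secrets";` (the current string also renders as "Whether to enable Enable system secrets."). The generated `value.file = ../../secrets/${name}.age` resolves to `secrets/tailscale_authkey.age`, while tailscale.nix in this same commit points the same `age.secrets.tailscale_authkey` at `secrets/tailscale_authkey.txt.age`; two different `file` values for one secret conflict when both modules are enabled, so pick one file name and define the secret in one place. On `age.keyFile = "/home/blake/.keyring/age/keys.txt";`: if this is the upstream agenix NixOS module the identity option is `age.identityPaths` (a list) and `age.keyFile` would itself be undeclared unless the repo defines it elsewhere, which I cannot see from here. Keeping the host's age identity under an interactive user's home also means that user's compromise exposes every system secret; a root-owned identity (the host SSH key agenix uses by default, or a file under `/etc`) is the narrower choice.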
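Review bot: The added `modules.secrets.enable = lib.mkDefault true;` sets an option that age.nix, as added in this commit, declares as `secrets.enable` rather than `modules.secrets.enable`, so this line fails evaluation with an undeclared-option error until the declaration is corrected. It also breaks the pattern of its neighbours, which all live under `modules.system.<name>.enable`; either declare `modules.secrets.enable` in age.nix or rename both sides to `modules.system.secrets.enable = lib.mkDefault true;` so the namespace stays uniform. The enclosing attribute set starts and ends outside the hunk.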
@@ -1,24 +1,23 @@ { pkgs, config, lib, ... }: { - age.secrets."tailscale_authkey" = { - file = ../../secrets/tailscale_authkey.txt.age; - owner = "blake"; - group = "blake"; - mode = "0400"; - }; - + #imports = [ agenix.nixosModules.default ]; options = { modules.system.tailscale.enable = lib.mkEnableOption "enables tailscale"; }; config = lib.mkIf config.modules.system.tailscale.enable { + age.secrets."tailscale_authkey" = { + file = ../../secrets/tailscale_authkey.txt.age; + owner = "blake"; + group = "blake"; + mode = "0400"; + }; services.tailscale = { enable = true; - + }; useRoutingFeatures = "both"; authKeyFile = "/run/agenix/tailscale_authkey"; }; - }; }
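Review bot: The added `};` directly after `enable = true;` closes `services.tailscale` early, so `useRoutingFeatures = "both";` and `authKeyFile = "/run/agenix/tailscale_authkey";` are no longer inside it; with indentation lost in this view the new side either has an unbalanced brace or sets those two names at `config` level, and in both cases evaluation fails rather than starting tailscaled with its auth key. Move that `};` back to after the `authKeyFile` line (restoring the old nesting) and prefer `authKeyFile = config.age.secrets.tailscale_authkey.path;` over the hard-coded `/run/agenix` path. The secret definition moved into the `config` block keeps `file = ../../secrets/tailscale_authkey.txt.age`, while the new age.nix defines the same `age.secrets."tailscale_authkey"` from `secrets/tailscale_authkey.age`; the two `file` values conflict when both modules are enabled, so keep a single definition. `owner = "blake"` with `mode = "0400"` lets an interactive user read the Tailscale auth key even though the stock NixOS tailscaled unit runs as root; the agenix default of root ownership is sufficient and narrower, so drop `owner`/`group` unless something non-root genuinely reads the key.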