diff --git a/.secrets/x1/files.yaml b/.secrets/x1/files.yaml
new file mode 100644
index 0000000..a20919b
--- /dev/null
+++ b/.secrets/x1/files.yaml
@@ -0,0 +1,41 @@
+hello: ENC[AES256_GCM,data:fXNDiacuFhmqmbo9FiGmoBKeOk7KvuVw3ytzcEzj/VxkqoDCGtJ2YX/TaVQfsQ==,iv:bHP2CYXZth3DX6OIeqdzv3zmFVWdRaNBvLuZx0FSyf8=,tag:bn1w5QcyyQ5EcXyoFnc1Zw==,type:str]
+example_key: ENC[AES256_GCM,data:lumROh5JwNpCJrNzxg==,iv:FLmpmVtzMUzPV9Y0nLTKXzisUqCZKonv44LviQTMsfU=,tag:Hp2N7AG7lGNQstt27Ty8pw==,type:str]
+#ENC[AES256_GCM,data:KrggG2yc0mFi3zoZ+WLd7w==,iv:GQZPZZH4xGxFcP5BLiwUIVQkCi7Bsmalsz/myNBbdoI=,tag:fzmEQLnWjfVc+iywEFwp9Q==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:7go3euwMIP7BDuq96vo=,iv:P8hx+DSSbkhrw0SOKLMtcc4/TZBODnQnQFRUxv49oio=,tag:Xi5JbLc+xvcOOv10pY1ydw==,type:str]
+    - ENC[AES256_GCM,data:WVgP3/Hak8ha5yaPmTU=,iv:2DwnOLze1a0vXfOey2xv4qOVE1PhOMq3e+GR/3RiOPU=,tag:TftAtYcHRQctTV5sBHPKFw==,type:str]
+example_number: ENC[AES256_GCM,data:fOprnAAZ/267JQ==,iv:5jvsM3i5iHcpSJWqcryqQJQZCrEP72jcAkyc7qVVirk=,tag:nxecWgcSZOyzuwvOlFawyw==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:iCUmxA==,iv:On6DiKbzithmRq+smOW4pEq3tod0zWWT7dyW9ArolLY=,tag:yoD9ODLYSZkuP0qkUrkR3w==,type:bool]
+    - ENC[AES256_GCM,data:dAYxptk=,iv:JAm9mvA5EH581cZkaNK8yYkV8U8o2gWR2jAh+mUMxt0=,tag:W5sHPszsOzUDZ6mQgIcq+w==,type:bool]
+hosts: ENC[AES256_GCM,data:/28ojxFukz4ThwSjQGURtf+h5Ic5WJN6P8nC75zQWan6LANOVc1zk5tVh7qmSLXcGvGW/2IE0dpz2ysY+z7ujYdKSDA2neFy8+NoBXc3REG60nF/QdNiHMg2rlLfq9n7eQAqXGBSpED/41Y/YO2nuV8ehL4GtsDOuFZnxujnLbu+Q6u30yf+/IVqlk3VnWm5C+Fy6bdX2bYOUyM5ce313i4u5slBEBs0l1lQjX1vE4KK5F6t3d410NdGHShB+RXkOhaBujKX/hKEXWQku/nnjgOiP+JURB/qA/SZzxO/yoV7htNvCE/JcfmTk85SVPAmp7uy4egyK4FveKRXtT5Gla1Vnrg1v9NAVCuYgQECqhE3IYEjtUlxul0h+OI4JmnP6y90nLz8RozxGw4qIc8yJgOZmVORqr2PqbFbtdj8MKid9Df0ciU=,iv:YhMTYHV3kc3LQrAGaPgkek5ZrEYYcZxNOPyKUSbgsC8=,tag:Axx5CIPWdDb8hukM7H4sxg==,type:str]
+wg: ENC[AES256_GCM,data:HjvSsKAkH2yIpuPPteNz/7guP46OrRvH2eKIQPxMSf/kiWXHTRUZDUmGakbOryirkakkgQF1fwxRXehiFULvfaPb9WNx6kR7X7orNWmSR5CRmNWBCB5y7CRsSlO3frL8iKR1JLFjew7omktHiXBew63q38YvsvOeXI2zoLumuGuXl6JH5D9hK2AvEBUehMSkBzrLFgZNeNjsxnFatQEic9e6namjJ2TqcT4F1z4u/5yptkmUCpn4isLjV23zFOALOXcjjyy/9ztcKMGiGE+ULQM3fm+7c3ryux/PmREr2Aj0IDQMDXgJCPvdiHhXvC7K/oGwJPDJeP0v,iv:Lnz5RyUi9D3dClgzFmm4EeD6SZGuFFbs6JBIZevUIdo=,tag:EjheBu/a392lcAgQVVtIuw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1z87u2na6vts0sqg6sc73p9ym6e5g9a0gf3hp9e7ha47e83zy4efqcjhk0y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRXJtL2lpZlR1TDBRalZr
+            dmdpdmRrVGF0TnJFZHExQ3BuSS96Z0E5aENNCjNHbmJCRzdUVG9GOEdMaERRNzY2
+            aStWNTR2UHkwL3MvNGJnZGFhTXFaencKLS0tIFNlTDZWQVRpbWxJb2JlenRFRDJY
+            SFVUUHE0emZ6MS9VR0FWcytyQy90elUK3g0fuPB45+JnrRxgD+7Iijz6yUVVXct2
+            w5T1UPZElKZQM6VL0QMozD8/piu5sk15cubMnmLjxESztpMRxrgPnw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYTdLcm9yTmRRaU5Qdlpy
+            M2dsalNReWhpZTZtNW9xL3pNbVUzOEZuMkJRCmpXcHpCZkt3NEZJYXBNMXc0Q3BY
+            ZlVBZ2hCenViSW5jRTc1cXFWVEJRZ2cKLS0tIGVROVBxaUFMNXVjdkcwNEE2VzJl
+            blhTd3BhbmgvZHQ4dkF3TTJMcERRN2sKoPKAYvJzRm72V5WEee+vNqjw+mRL66ir
+            DQRas5WfwqOIxHcPHpXHLu9zhmwlNKS+vt4GcG81l4eQLFDFmBol5w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-04T11:23:03Z"
+    mac: ENC[AES256_GCM,data:l/WirVeSYQLuaZEjAPyX+5DJu3hfqiw1ZzPUNAbNKFQ1vUQf5Zxo3tfM7ROO+x95T9jGE271TIchTJAVu0C2XFTSPv7fJ9+WWyUr3JeFN1kFXt/k8Q5aLGdffAInhN2exsw/KKP0IXta5t4g2QfFsBZTDKCqLaj+WUeGBEJfjoc=,iv:J+6OIcE6i0Nt1Nb4m+aBBYeCj1iLNFigrRWYyYbY5GU=,tag:XTBvtWFNgRzuVyT7sWkGlg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
diff --git a/.sops.yaml b/.sops.yaml
index 7449b04..178f37d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,7 @@ keys:
   - &server_hetzner age1qur4kh3gay9ryk3jh2snvjp6x9eq94zdrmgkrfcv4fzsu7l6lumq4tr3uy
   - &server_sgx age149fqcw5jze00vd7jauylrp4j5xyv7amlu57jjfuzghkqtzlnxajs704uz3
   - &server_t15 age1f2yu0cc826ej7hs4g865y29zy9uqfy0yp32f2m80typpk2pxqp7sfcffj4
+  - &server_x1 age1z87u2na6vts0sqg6sc73p9ym6e5g9a0gf3hp9e7ha47e83zy4efqcjhk0y
   - &harald age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
 creation_rules:
   - path_regex: .secrets/hetzner/[^/]+\.(yaml|json|env|ini)$
@@ -19,3 +20,8 @@ creation_rules:
       - age:
           - *server_t15
           - *harald
+  - path_regex: .secrets/x1/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *server_x1
+          - *harald
diff --git a/flake.lock b/flake.lock
index 1cc38d5..3d8d015 100644
--- a/flake.lock
+++ b/flake.lock
@@ -388,11 +388,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742655702,
-        "narHash": "sha256-jbqlw4sPArFtNtA1s3kLg7/A4fzP4GLk9bGbtUJg0JQ=",
+        "lastModified": 1743387206,
+        "narHash": "sha256-24N3NAuZZbYqZ39NgToZgHUw6M7xHrtrAm18kv0+2Wo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0948aeedc296f964140d9429223c7e4a0702a1ff",
+        "rev": "15c5f9d04fabd176f30286c8f52bbdb2c853a146",
         "type": "github"
       },
       "original": {
@@ -799,11 +799,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1742751704,
-        "narHash": "sha256-rBfc+H1dDBUQ2mgVITMGBPI1PGuCznf9rcWX/XIULyE=",
+        "lastModified": 1743576891,
+        "narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f0946fa5f1fb876a9dc2e1850d9d3a4e3f914092",
+        "rev": "44a69ed688786e98a101f02b712c313f1ade37ab",
         "type": "github"
       },
       "original": {
@@ -2818,11 +2818,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1742669843,
-        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
+        "lastModified": 1743583204,
+        "narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
+        "rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434",
         "type": "github"
       },
       "original": {
diff --git a/systems/x86_64-linux/x1/default.nix b/systems/x86_64-linux/x1/default.nix
index 2f5d4d5..8811e56 100644
--- a/systems/x86_64-linux/x1/default.nix
+++ b/systems/x86_64-linux/x1/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
 with lib;
 with lib.metacfg;
 {
@@ -7,6 +7,30 @@ with lib.metacfg;
     # ./ipu.nix
   ];
 
+  sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
+  sops.secrets."wg".sopsFile = ../../../.secrets/x1/files.yaml;
+  sops.secrets."wg".mode = "0444";
+  sops.secrets."hosts".sopsFile = ../../../.secrets/x1/files.yaml;
+  sops.secrets."hosts".mode = "0444";
+
+  environment.etc."wg0.backup.conf".source = config.sops.secrets."wg".path;
+  environment.etc."hosts.backup".source = config.sops.secrets."hosts".path;
+
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      {
+        path = "/var/lib/secrets/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/var/lib/secrets/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+    ];
+  };
+
   hardware.bluetooth.input.General.ClassicBondedOnly = false;
   services.udev.extraRules = ''
     KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"