diff --git a/.gitignore b/.gitignore
index 9998018..a0e8414 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
-secrets/
 dotfiles/zsh/.zcompdump
 dotfiles/nvim/lazy-lock.json
 result
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..254bd98
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "secrets"]
+ path = secrets
+ url = git@git.caem.dev:caem/secrets
diff --git a/flake.nix b/flake.nix
index 3c33eb3..58da0d1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,9 @@ inputs = inputs; user = "caem"; modules = [
+ impermanence.nixosModules.impermanence
+ disko.nixosModules.disko
+ sops-nix.nixosModules.sops
 home-manager.nixosModules.home-manager { home-manager = { useGlobalPkgs = true;
@@ -53,10 +56,6 @@ }; }; }
-
- impermanence.nixosModules.impermanence
- disko.nixosModules.disko
- sops-nix.nixosModules.sops
 ]; }; };
diff --git a/modules/nixos/user/caem.nix b/modules/nixos/user/caem.nix
index 3cb4d29..a4b07a5 100644
--- a/modules/nixos/user/caem.nix
+++ b/modules/nixos/user/caem.nix
@@ -1,9 +1,15 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
+ sops.secrets.user_password = {
+ sopsFile = ../../../secrets/user_password.yaml;
+ neededForUsers = true;
+ };
+
 users.users.caem = { isNormalUser = true; shell = pkgs.zsh;
+ hashedPasswordFile = config.sops.secrets.user_password.path;
 extraGroups = [ "wheel" ];
diff --git a/secrets b/secrets
new file mode 160000
index 0000000..7390891
--- /dev/null
+++ b/secrets
@@ -0,0 +1 @@
+Subproject commit 73908914ee288a689dede75c9e4ff1531e41159c
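Review bot: The `url = git@git.caem.dev:caem/secrets` entry turns what was an ignored, local-only `secrets/` directory into a repository that is pushed and pinned from here, so confidentiality now depends on every file in it being sops-encrypted before it is committed. Nothing in this diff shows a `.sops.yaml` with creation rules or a pre-commit check in that repository; it is worth confirming one exists so a plaintext file cannot be committed by accident. The SSH-only URL also means a clone without access to that host cannot fetch the submodule, which deserves a line in the README.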
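Review bot: `sopsFile = ../../../secrets/user_password.yaml;` points into the new git submodule, and flake evaluation leaves submodule contents out of the source tree unless they are requested, so the path can be missing at build time; a comment above the line such as `# lives in the secrets submodule; evaluate the flake with ?submodules=1` would document the requirement. Because `neededForUsers = true` decrypts the secret before users are created, the decryption key has to be readable that early in boot; with impermanence enabled in flake.nix, the key location (not visible in this diff) must be on a persisted filesystem that is mounted by then. The stored value must be a password hash rather than a plaintext password, since `hashedPasswordFile` is used as the shadow entry as-is. Whether `users.mutableUsers` is disabled is not shown here; if it is left enabled the file is only applied when the account is first created. The `users.users.caem` attribute set continues past the end of the hunk.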