diff --git a/hosts/nixos/aramis/default.nix b/hosts/nixos/aramis/default.nix
index c49c2b5..c72fb11 100644
--- a/hosts/nixos/aramis/default.nix
+++ b/hosts/nixos/aramis/default.nix
@@ -12,6 +12,7 @@
 ./networking.nix
 ./profiles.nix
 ./programs.nix
+ ./secrets
 ./services.nix
 ./sound.nix
 ];
diff --git a/hosts/nixos/aramis/secrets/default.nix b/hosts/nixos/aramis/secrets/default.nix
new file mode 100644
index 0000000..83af695
--- /dev/null
+++ b/hosts/nixos/aramis/secrets/default.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+{
+ config.age = {
+ secrets =
+ let
+ toName = lib.removeSuffix ".age";
+ userExists = u: builtins.hasAttr u config.users.users;
+ # Only set the user if it exists, to avoid warnings
+ userIfExists = u: if userExists u then u else "root";
+ toSecret = name: { owner ? "root", ... }: {
+ file = ./. + "/${name}";
+ owner = lib.mkDefault (userIfExists owner);
+ };
+ convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+ secrets = import ./secrets.nix;
+ in
+ lib.mapAttrs' convertSecrets secrets;
+ };
+}
diff --git a/hosts/nixos/aramis/secrets/secrets.nix b/hosts/nixos/aramis/secrets/secrets.nix
new file mode 100644
index 0000000..55e64a9
--- /dev/null
+++ b/hosts/nixos/aramis/secrets/secrets.nix
@@ -0,0 +1,13 @@
+# Host-specific secrets
+let
+ keys = import ../../../../keys;
+
+ all = [
+ # This host is a laptop, it does not have a host key
+ # Allow me to modify the secrets anywhere
+ keys.users.ambroisie
+ ];
+in
+{
+ # Add secrets here
+}
diff --git a/hosts/nixos/porthos/default.nix b/hosts/nixos/porthos/default.nix
index 6d7df29..326d1cd 100644
--- a/hosts/nixos/porthos/default.nix
+++ b/hosts/nixos/porthos/default.nix
@@ -7,6 +7,7 @@
 ./hardware.nix
 ./home.nix
 ./networking.nix
+ ./secrets
 ./services.nix
 ./users.nix
 ];
diff --git a/hosts/nixos/porthos/secrets/default.nix b/hosts/nixos/porthos/secrets/default.nix
new file mode 100644
index 0000000..83af695
--- /dev/null
+++ b/hosts/nixos/porthos/secrets/default.nix
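Review bot: `userIfExists` in hosts/nixos/aramis/secrets/default.nix turns any unknown `owner` into `root` without a trace, so a misspelled owner in secrets.nix yields a root-only secret file and the service meant to read it only fails at runtime; keep the fallback but make it visible, e.g. `userIfExists = u: if userExists u then u else lib.warn "secret owner '${u}' is not a defined user, falling back to root" "root";`. `toSecret` forwards only `owner`, and the `...` pattern silently drops anything else declared per secret (a `mode` or `group`, say), so such settings would be ignored without notice — either pass them through or document that only `owner` is honoured. The hunk for hosts/nixos/porthos/secrets/default.nix is the same blob (83af695) byte for byte; since a shared module under modules/secrets appears to exist already, this converter could live there with the per-host secrets.nix as its only varying input.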
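Review bot: With only `keys.users.ambroisie` listed in `all`, any secret later added to hosts/nixos/aramis/secrets/secrets.nix will be encrypted to that user key alone, and since the host has no key of its own (as the comment says), activation can only decrypt it if `age.identityPaths` on this machine points at that user's private key — assuming agenix's default identity paths (the host SSH keys), decryption would fail. It is worth stating that requirement beside the laptop comment, e.g. `# Secrets here are encrypted only to the user key; age.identityPaths must reference it on this host`. `all` is unused until the empty attrset below gains an entry, which is harmless but easy to overlook.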
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+{
+ config.age = {
+ secrets =
+ let
+ toName = lib.removeSuffix ".age";
+ userExists = u: builtins.hasAttr u config.users.users;
+ # Only set the user if it exists, to avoid warnings
+ userIfExists = u: if userExists u then u else "root";
+ toSecret = name: { owner ? "root", ... }: {
+ file = ./. + "/${name}";
+ owner = lib.mkDefault (userIfExists owner);
+ };
+ convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+ secrets = import ./secrets.nix;
+ in
+ lib.mapAttrs' convertSecrets secrets;
+ };
+}
diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix
new file mode 100644
index 0000000..31af365
--- /dev/null
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@@ -0,0 +1,14 @@
+# Host-specific secrets
+let
+ keys = import ../../../../keys;
+
+ all = [
+ # Host key
+ keys.hosts.porthos
+ # Allow me to modify the secrets anywhere
+ keys.users.ambroisie
+ ];
+in
+{
+ # Add secrets here
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 4ccb886..cd1210b 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -1,3 +1,4 @@
+# Common secrets
 let
 keys = import ../../keys;