diff --git a/modules/base.nix b/modules/base.nix
index 97a3420..a8cc6bc 100644
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, sops-nix, ... }:
 {
   boot.default = lib.mkDefault true;
 
@@ -18,5 +18,6 @@
   home-manager = {
     useGlobalPkgs = true;
     useUserPackages = true;
+    sharedModules = [ sops-nix.homeManagerModules.sops ];
   };
 }
diff --git a/users/alice/home.nix b/users/alice/home.nix
index ad7aae6..5ddcd7d 100644
--- a/users/alice/home.nix
+++ b/users/alice/home.nix
@@ -166,5 +166,11 @@
     };
   };
 
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ./secrets.yaml;
+    secrets."alice/wakatime-api-key".path = "/home/alice/.config/doom/wakatime";
+  };
+
   home.stateVersion = "23.11";
 }
diff --git a/users/alice/home/doom/custom.el b/users/alice/home/doom/custom.el
index 8c9db8c..d6ee722 100644
--- a/users/alice/home/doom/custom.el
+++ b/users/alice/home/doom/custom.el
@@ -11,3 +11,7 @@
  ;; If there is more than one, they won't work right.
  '(font-lock-comment-face ((t (:slant italic))))
  '(font-lock-keyword-face ((t (:slant italic)))))
+
+ ;; insert wakatime-api-key from sops file
+(setq! wakatime-api-key
+   (shell-command-to-string "cat /home/alice/.config/doom/wakatime"))
diff --git a/users/alice/secrets.yaml b/users/alice/secrets.yaml
index e7ec33e..64f4c99 100644
--- a/users/alice/secrets.yaml
+++ b/users/alice/secrets.yaml
@@ -2,6 +2,7 @@ alice:
     user-password: ENC[AES256_GCM,data:ew2R77T02LYby9fclYYqYXQBgDtKf7miFYMeS70/hj30fFw580qRCPeVicILB5UTnZCIoPf24ZCr2DGJ3UBrk8cvYQ285i0FWD/OfLAqZ/Tosi36MJKv6Nob/Z/vAltHIVqBJA5UiAU58UohbBos1lfZMWGFsg==,iv:mpIf9n4MgbbjD2jFkVGAL/lGNh5VW81FIzvmb1x/H1I=,tag:MVZRrHxxyDwu2mbRQMz9VA==,type:str]
     #ENC[AES256_GCM,data:vUMcowHjlQA0RWflfaQhZKkalO39epYi6N9PPW8=,iv:6DFqHlQR+mi+ZkfMUhlhwvpMwnxXNfQV6+sYgPzSj4I=,tag:Pz1zJayscGckPO8Q2ZVb4g==,type:comment]
     gha-hydra-token: ENC[AES256_GCM,data:sF3jFcXMIMqIgDs5EKK4KRZDNL5CayG06LNCCIMquwAHv//1fxmDtZpsW9H6FnRUMbkDRs8wfoRrCD7NqKZ+sJrprcid0j5mWlyCvyXfVZiUKOLpE9F1uC1pJBWi9/sYUdc/fR0WQnkAchzV6KGFf4oCX32Gq3Mm21tSzKD6sik7ewjfFYj4h6tFMxGe/Z+B0sgEX9gl/qiyOSikdjaKMGzpMabPWu/uPU/g1oIoQ+dSFWit1LZnd7ON75VpFFCKV7ndqtEULQYkbh60kQlCb79PvafR6tITFWq9vgx64NkXbEikEgNr/nEauyZP/XSh1otBoyf5DWQbFffx/TRlnov7c5CIF5QUCyfCAG54AgyLUurHfOHK/jgreB28Jvg/4csnYONlcfHwMRLWJTRzA/XDnEQ21knJ0ZujZG7hr4fKBmAx9fmmylmSDV1PDgKA00yJOaKLfSFcNoJxnZ7WWomLOikwTQJyoWD5PagOBQ8lgGdl6e8fvBY7q/x0GSimyjraJsSm5WVHVGIxjIihFCp5n/hMGwkuReqlLmWZ9bj3e2V/c4KgNz5SuiQXOoTvgrAE/9ViRmLcewV5GDyEWCieyU7umiwCLEZtmXauMCOQk7IehuGSewULk6IbYj+Et0qFqUdNQQM5qgH6Itbp0OBNR021dQ5M/aEJ+YGRgxB/,iv:EJqsm3Dc1YnfCzj4g0HPhSYrE0hhhMaSlKSDnKUcJUs=,tag:UQFQsh/+AHM9YXkQhQ525g==,type:str]
+    wakatime-api-key: ENC[AES256_GCM,data:ITu5pRySYGCJ6q9IQ35NfpGX2FyIJRYHGDeBiq0btzIrqitxcFox1Vc=,iv:HsXpyFHV7dG5qORk26BtD+kFo4Jdq2c4fozMpoqyDfU=,tag:uaQoXvvYqNfmRXVDVH8AoQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -44,8 +45,8 @@ sops:
             MDJhN29xZk81NG91aHFZNmpLdGRTN0EKc2pqjllcRWl3QH4BVNyylB7CMMHAH0mr
             EsxyKrZEph7eKJYYy/9eaR1e/FvomB/1+hQXZAZVtG4bpuEG/mY14w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-11T15:38:58Z"
-    mac: ENC[AES256_GCM,data:r/H+1zy7B2WwkFavbaK+j779RQdzcMSx46TnnDwpKzm5liSENbAb4OYDxYMJmqA4pKwCSKZKbbkQ4n8IG+fwkrTcLDj+g7hiU2G2fhxU0sel1HN93wqotObDqLhUk0DN/QKHCdS2mqdBnQyMGzmqCelTPCeWXM06ixf8QAP47o4=,iv:5qGYqa8NXQcRUq8SeBh/fYlTmcu90QmQkrTx+HLedW8=,tag:0/Muq1rIROR8wHNJwKf7/w==,type:str]
+    lastmodified: "2024-05-21T04:42:46Z"
+    mac: ENC[AES256_GCM,data:WyWlfPqrAizjFnN/5rEgGeJN2vaAc13dWY1+xP7lDrfIH6x+S1L2PNuuO3bxAjHqYFK/79usXxExAtaeildmo8YO49sAsx4T9M7rKv9wgdqDxSrtj8M7P1uSyM68VSOGNGurE1YT10Cx1siUvI6+ymUb2hTzxVyGR5iDdn45+Eg=,iv:O8kwNNnDJZ+24LC6ahSR3x/eOuF6oXfXM6daaFfBVDg=,tag:AfxCdFYU9cIQM9PzjatZ7w==,type:str]
     pgp:
         - created_at: "2024-04-03T02:40:01Z"
           enc: |-