diff --git a/.sops.yaml b/.sops.yaml
index 40c5b6e..be740da 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,11 +4,13 @@ keys:
 # Servers
 - &wireguard age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
+ - &mcserver age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h
 creation_rules:
 - path_regex: secrets\/all\/*
 key_groups:
 - pgp: [*clara]
+ age: [*wireguard, *mcserver]
 - path_regex: secrets\/wireguard\/*
 key_groups:
 - pgp: [*clara]
diff --git a/configs/container_config.nix b/configs/container_config.nix
index ceb8281..dfcffd0 100644
--- a/configs/container_config.nix
+++ b/configs/container_config.nix
@@ -1,9 +1,18 @@
-{ modulesPath, pkgs, lib, inputs, ... }: {
+{ modulesPath, pkgs, lib, inputs, config, ... }: {
 imports = [
 (modulesPath + "/virtualisation/proxmox-lxc.nix")
 inputs.sops-nix.nixosModules.sops
 ];
+ # set up secret key
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../secrets/all/secrets.yaml;
+ secrets.initial_password_clara = {
+ neededForUsers = true;
+ };
+ };
+
 time.timeZone = "Europe/Berlin";
 # we want at least a possibility to download stuff, monitor activity and sudo
@@ -25,7 +34,7 @@
 # default user with sudo
 users.users.clara = {
 isNormalUser = true;
- initialPassword = "123456";
+ hashedPasswordFile = config.sops.secrets.initial_password_clara.path;
 extraGroups = [ "sudo" "wheel" ];
 shell = pkgs.zsh;
 };
diff --git a/configs/services/wireguard.nix b/configs/services/wireguard.nix
index 42b2af9..13e3be0 100644
--- a/configs/services/wireguard.nix
+++ b/configs/services/wireguard.nix
@@ -9,8 +9,9 @@ in {
 # set up secret key
 sops = {
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- defaultSopsFile = ../../secrets/wireguard/secrets.yaml;
- secrets.wg_private_key = { };
+ secrets.wg_private_key = {
+ sopsFile = ../../secrets/wireguard/secrets.yaml;
+ };
 };
 networking = {
diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml
new file mode 100644
index 0000000..c1acf30
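Review bot: The new `age: [*wireguard, *mcserver]` line is placed in the same key_group as `pgp: [*clara]`, and inside one sops key_group any single listed key decrypts the data key, so each host's `/etc/ssh/ssh_host_ed25519_key` now unlocks everything under secrets/all/, not only the secret that host needs (the recipient list in the new secrets.yaml confirms the data key is wrapped for each of the three keys separately). That is a reasonable trade for a shared bootstrap password, but every secret added to this file later inherits the same audience, and a compromise of either container exposes the other's share of it. A comment on the rule would make the scope explicit, e.g. `# one key_group: any listed key decrypts, so both servers can read every secret in secrets/all/`. Host-specific material belongs under its own rule, as secrets/wireguard/ already is.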
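Review bot: `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` is now declared here and still declared in the wireguard.nix hunk below; if, as the shared-base layout suggests, the wireguard host imports both modules, the list option is merged and the same key path appears twice — presumably harmless to sops-nix, but it hides which module owns the decryption identity. Since this file is the common container config, it is the natural single home for that line, and the copy in wireguard.nix can go once this lands. The added comment `# set up secret key` also undersells the block: it configures the decryption identity, the default encrypted file and the user-stage secret, so something like `# sops-nix: decrypt with this host's SSH host key; secrets/all/secrets.yaml is the default file; the password hash is staged before user creation` reads better. The enclosing module attribute set continues outside the hunk.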
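Review bot: `hashedPasswordFile = config.sops.secrets.initial_password_clara.path;` requires the decrypted file to hold a crypt-style password hash (the kind `mkpasswd` emits), yet the secret is named `initial_password_clara`, which reads like a plaintext value; if plaintext was encrypted, clara ends up with no working password login and sudo becomes unusable. Separately, with NixOS's default `users.mutableUsers = true` a configured password is, as far as I recall, only applied when the user is created, so on containers where clara already exists with the removed `initialPassword = "123456"` that weak password presumably stays in place until rotated by hand — worth confirming and noting for the deploy. Either rename the secret to say what it holds, or add `# file must contain a password hash (mkpasswd output), never the plaintext` above the line.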
--- /dev/null
+++ b/secrets/all/secrets.yaml
@@ -0,0 +1,46 @@ +initial_password_clara: ENC[AES256_GCM,data:9qq2u05PsDWBOSAKY/DslqyXxTpuy4OyRD8zJ2EmbvBFnafVuEVgn/U8QXkXIGrMWqXiDhee9hdKuai4VcQRxGkJFAC7HgteLw==,iv:WSgs0m60C7sSezKFFRq7O/LDWKl2zf4OMT3mEx+eX2Y=,tag:LAxjKNND3Ah0qMNKzmTfmQ==,type:str] +sops: + age: + - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSHg4SmxHTGFVbm82VDFY + TG0ybDRWc1FRR3VLL1A1dk5jcWJzSmFRbFVZCk5lK2NjOTd5UGovVFZPNmwzZld0 + cEIzTXRBbE5TRUxWbk5NZFZZbkwvazgKLS0tIFN6aHpTZlM4N1Z0dkFZWVBERHEw + bjhTUXlFYS92aFpyc2E5NVF3T3JJZ0EK/212uZn6pEmHyIAxef/RZF2XeYbQk0W+ + PDdnOxO4hizczMjxkI7soMQJm+rn8E+yvv1RqXPCn2iMoZ6XMs7lxw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySkhJeTdyV0UzbEphV28x + aGRWNHAwalN5dEhuTy9NZUIyVGtFOHNpeFNnCm1rZTdrSHcwWGdwVU91WTVwUlIr + Z2JWSmtSVGp5akY4a0orWWt4ZkptNGcKLS0tIE9YSzVHS05HbjM0VUI3aGNyVDlo + MEc3TmdYd3dUTThIcG5nZmRWQ2RRVzAKWI/c5xcj0bNLUmYFIMuY+gOtmPCpd3Be + 5tFaJ+Dv6q4sT4OS4YxDUyVqoXXrPh3ZBjgVxuiXDSMq884BpJXx/Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-15T16:44:33Z" + mac: ENC[AES256_GCM,data:T8IyZVfFNwapxymfsdaZoyeGq4cmk4otIuCfbZiRqF6NTJgRw3aIDmNmsT7ZMiyEzCrtpKue92HBA/yLdV+bkZqM+yBWKYM9Wu04nMhJgt5AmpXt0KfS9ISJlsLxuNMZBgSIxoMfndKakz+MW+wGomN7Of8UwQnNNqxH08O3Bh0=,iv:Vj+nlKh/lNxpJdI7WEYENqz4jVbtBErtRs3hutc4DZg=,tag:HRvnPQMyZS/cioj9b1IICw==,type:str] + pgp: + - created_at: "2025-04-15T16:29:51Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzwtBoBqH5ZOARAAkltkqMBtbtRrttiKUfZVRy/JxzND/LeAVtbB+NsHrIA0 + CRW4MizreJgAGiuRgkUMWq5QhYbADIrH4UpUJQb0fCfsc0rYcsY40rY1XsGokL/e + ABipOkXTt78oMzp7LsAsG+jf2WI+n/BJUmjvvEeyS6x0Z7xXYQ7iYx6ZJYg5W265 + fW6nxqH3L98GYDlGZ9TQUe2WfGZGtzthVtSx0fTr3z9QC8xsSMsyhLwwOsXjskOJ + S6JTAaHyqKGqkECBcV0jGVGH639CHj2QAjJyPjqCmyD9SD2H7oYXVHqsGIUwWyDC + 
p+Ya1YEEdt6twaAb9nw2i53+5fv5Cpok3auk27U8M/S/KOxtH5jbZuUFToHTqMDh + P7fXEi4AjuiQF2DuiDL5/4HiUcvKiT86MgdJDwpIbdHqdUrGrT8WYvlApYXBg1EH + adN4brPX0BJ/mWFvQl8eGGHnohxuQo9cf7UzWlxAb3jo+pAZHkjAxy8WpCbmdDKQ + +2lPXbyXQ0zu0tOdAtUjOVXCOrkPWro+bABw9Q27/Y+apkO4dW2ssGGm/qrm6l6X + qzAlzqrG98A66OuuKfaAy99qZflZ1oz+lpeCMaHG5AaLt0XZbE3XPUA/qHOD7WzT + 1MWvtisUUg3StCkHSbiOv6JZ9Ta2Ng2mlfdCqs7iHCNU05Fgtuj0BVgW/UxFqDTS + XgEeus2+EyHN5NVZWPD2zuAM3QJFQ/fpFRx3msP2cr7kueOa6e2Lt+EzkgMsEHm5 + 5OhzLsM+pCWIuZc7+fgGU64BKtFneBMO74TE4fgX204/lEFT3fuQfXFDv4TbK2s= + =etKI + -----END PGP MESSAGE----- + fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 + unencrypted_suffix: _unencrypted + version: 3.10.1