diff --git a/.gitmodules b/.gitmodules
index 7cbb245..e0b2a55 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,3 +2,6 @@
 	path = misc/nixos-infect
 	url = ../nixos-infect
 	branch = sammy
+[submodule "secrets"]
+	path = secrets
+	url = git@git.cherrykitten.dev:sammy/secret-store
diff --git a/flake.nix b/flake.nix
index 259ed96..6efbf40 100644
--- a/flake.nix
+++ b/flake.nix
@@ -47,11 +47,14 @@
           {
             default = pkgs.mkShell {
               nativeBuildInputs = packages;
-              shellHook = "exec $SHELL";
+              shellHook = ''
+                export PASSWORD_STORE_DIR=./secrets
+                exec $SHELL'';
             };
             hcloud = pkgs.mkShell {
               nativeBuildInputs = packages ++ [ pkgs.hcloud ];
               shellHook = ''
+                export PASSWORD_STORE_DIR=./secrets
                 export HCLOUD_TOKEN=$(pass services/hcloud/api_token)
                 exec $SHELL
               '';
diff --git a/secrets b/secrets
new file mode 160000
index 0000000..6c55eef
--- /dev/null
+++ b/secrets
@@ -0,0 +1 @@
+Subproject commit 6c55eef247c404c243b51a4230f2d29fc8d55862