diff --git a/home/hosts/packages.nix b/home/hosts/packages.nix
index 81951fc..5460f92 100644
--- a/home/hosts/packages.nix
+++ b/home/hosts/packages.nix
@@ -21,6 +21,7 @@ with pkgs;
   parallel
   pass
   pnpm
+  python3
   ripgrep
   signal-desktop
   silver-searcher
diff --git a/home/hosts/work/default.nix b/home/hosts/work/default.nix
index ea9f79e..2dc010c 100644
--- a/home/hosts/work/default.nix
+++ b/home/hosts/work/default.nix
@@ -10,13 +10,36 @@ let
 in
 {
   imports = [
+    inputs.sops-nix.homeManagerModules.sops
     ../../modules/dconf.nix
     ../../modules/git.nix
     ../../modules/k9s.nix
     ../../modules/keepassxc.nix
     ../../modules/browser
+    ../../modules/taskwarrior.nix
   ];
 
+  sops = {
+    age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+    defaultSopsFile = "${inputs.nix-secrets}/secrets.yaml";
+
+    secrets = {
+      taskwarrior_sync_server_url = {};
+      taskwarrior_sync_server_client_id = {};
+      taskwarrior_sync_encryption_secret = {};
+      anki_sync_user = {};
+      anki_sync_key = {};
+    };
+
+    templates."taskrc.d/sync" = {
+      content = ''
+        sync.server.url=${config.sops.placeholder.taskwarrior_sync_server_url}
+        sync.server.client_id=${config.sops.placeholder.taskwarrior_sync_server_client_id}
+        sync.encryption_secret=${config.sops.placeholder.taskwarrior_sync_encryption_secret}
+      '';
+    };
+  };
+
   nixpkgs.config.allowUnfree = true;
 
   home.stateVersion = "25.05";
diff --git a/home/modules/taskwarrior.nix b/home/modules/taskwarrior.nix
index 6349059..b7fbc57 100644
--- a/home/modules/taskwarrior.nix
+++ b/home/modules/taskwarrior.nix
@@ -1,12 +1,24 @@
 {
   config,
+  lib,
   pkgs,
+  osConfig ? null,
   ...
 }:
 
+let
+  hmSopsAvailable = config ? sops && config.sops ? templates;
+  osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? templates;
+  sopsAvailable = hmSopsAvailable || osSopsAvailable;
+
+  sopsTemplates = if hmSopsAvailable then config.sops.templates else osConfig.sops.templates;
+in
 {
+  warnings =
+    lib.optional (!sopsAvailable && config.programs.taskwarrior.enable)
+      "taskwarrior is enabled, but sops templates are not available. taskwarrior sync will not be configured.";
+
   home.packages = with pkgs; [
-    python314
     libnotify
   ];
 
@@ -35,17 +47,10 @@
     package = taskwarrior3;
     colorTheme = "dark-256";
     config = {
-      # sync = {
-      #   server.url = "${builtins.readFile config.sops.secrets."taskwarrior_sync_server_url".path}";
-      #   server.client_id = "${builtins.readFile
-      #     config.sops.secrets."taskwarrior_sync_server_client_id".path
-      #   }";
-      #   encryption_secret = "${builtins.readFile
-      #     config.sops.secrets."taskwarrior_sync_encryption_secret".path
-      #   }";
-      # };
       recurrence = "off";
     };
-    extraConfig = "include ${config.sops.templates."taskrc.d/sync".path}";
+    extraConfig = lib.optionalString sopsAvailable ''
+      include ${sopsTemplates."taskrc.d/sync".path}
+    '';
   };
 }
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 959797a..9395c70 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -16,7 +16,6 @@ in
   };
   config = {
     sops = {
-      validateSopsFiles = false;
       defaultSopsFile = "${builtins.toString inputs.nix-secrets}/secrets.yaml";
       defaultSopsFormat = "yaml";
       age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";