diff --git a/flake.lock b/flake.lock
index a20f7ead..3e446cd5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -212,6 +212,22 @@
       }
     },
     "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_4": {
       "flake": false,
       "locked": {
         "lastModified": 1747046372,
@@ -358,6 +374,28 @@
         "type": "github"
       }
     },
+    "git-hooks-nix": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765911976,
+        "narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "b68b780b69702a090c8bb1b973bab13756cc7a27",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
@@ -381,6 +419,27 @@
       }
     },
     "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "gitignore_3": {
       "inputs": {
         "nixpkgs": [
           "lanzaboote",
@@ -550,7 +609,7 @@
     "lanzaboote": {
       "inputs": {
         "crane": "crane_2",
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
         "flake-parts": "flake-parts_2",
         "nixpkgs": [
           "nixpkgs"
@@ -977,7 +1036,7 @@
           "lanzaboote",
           "flake-compat"
         ],
-        "gitignore": "gitignore_2",
+        "gitignore": "gitignore_3",
         "nixpkgs": [
           "lanzaboote",
           "nixpkgs"
@@ -1005,6 +1064,7 @@
         "disko": "disko",
         "flake-parts": "flake-parts",
         "flox": "flox",
+        "git-hooks-nix": "git-hooks-nix",
         "hardware": "hardware",
         "home-manager": "home-manager_2",
         "homebrew-bundle": "homebrew-bundle",
diff --git a/flake.nix b/flake.nix
index 9c0804f4..f5021fa1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -73,6 +73,10 @@
     # treefmt-nix
     treefmt-nix.url = "github:numtide/treefmt-nix";
 
+    # git-hooks
+    git-hooks-nix.url = "github:cachix/git-hooks.nix";
+    git-hooks-nix.inputs.nixpkgs.follows = "nixpkgs";
+
     # nixos-vfio
     nixos-vfio.url = "github:j-brn/nixos-vfio";
     nixos-vfio.inputs.nixpkgs.follows = "nixpkgs";
@@ -105,6 +109,7 @@
       {
         imports = [
           treefmt-nix.flakeModule
+          inputs.git-hooks-nix.flakeModule
         ];
         perSystem =
           {
@@ -148,6 +153,15 @@
                 "secrets/*"
                 ".sops.yaml"
               ];
+              flakeCheck = false;
+            };
+
+            pre-commit = {
+              check.enable = true;
+              settings.hooks = {
+                ripsecrets.enable = true;
+                treefmt.enable = true;
+              };
             };
 
             checks =