diff --git a/hosts/Infini-SERVER/default.nix b/hosts/Infini-SERVER/default.nix index 8848a16..b8b30d9 100644 --- a/hosts/Infini-SERVER/default.nix +++ b/hosts/Infini-SERVER/default.nix @@ -59,13 +59,6 @@ ]; }; - age.secrets."inx.moe.pem".owner = "nginx"; - age.secrets."inx.moe.pem".group = "nginx"; - age.secrets."inx.moe.key".owner = "nginx"; - age.secrets."inx.moe.key".group = "nginx"; - age.secrets."vaultwarden".owner = "vaultwarden"; - age.secrets."vaultwarden".group = "vaultwarden"; - services = { nginx = let diff --git a/modules/global/options.nix b/modules/global/options.nix index 2f17a49..46bc893 100644 --- a/modules/global/options.nix +++ b/modules/global/options.nix @@ -35,8 +35,6 @@ in }; }; - secrets = mkOpt (attrsOf path) { }; - universe = { packages = mkOpt (listOf package) [ ]; }; @@ -57,7 +55,5 @@ in environment.variables = mkAliasDefinitions options.env; environment.persistence."/persist" = mkAliasDefinitions options.persist; - - secrets = mapAttrs (n: v: v.path) config.age.secrets; }; } diff --git a/secrets/default.nix b/secrets/default.nix index 07e3455..96228c9 100644 --- a/secrets/default.nix +++ b/secrets/default.nix 
@@ -1,13 +1,36 @@
 { lib, self, config, ... }:
 let
+ inherit (lib) filterAttrs nameValuePair hasSuffix removeSuffix mapAttrs mapAttrs' hasAttr mkIf mkMerge optionalAttrs;
+ inherit (lib.our) mkOpt;
+ inherit (lib.types) bool attrsOf path;
+
 folder = ./.;
 toFile = name: "${folder}/${name}";
- filterSecrets = key: value: value == "regular" && lib.hasSuffix ".age" key;
- filtered = (lib.filterAttrs filterSecrets (builtins.readDir folder));
- secrets = lib.mapAttrs' (n: v: lib.nameValuePair (lib.removeSuffix ".age" n) { file = toFile n; }) filtered;
+ filterSecrets = key: value: value == "regular" && hasSuffix ".age" key;
+ filtered = (filterAttrs filterSecrets (builtins.readDir folder));
+ secrets = mapAttrs' (n: v: nameValuePair (removeSuffix ".age" n) { file = toFile n; }) filtered;
+
+ setOwner = name: { owner = name; group = name; };
 in
 {
- options.modules.secrets.enable = lib.our.mkOpt lib.types.bool true;
+ options = {
+ modules.secrets.enable = mkOpt bool true;
+ secrets = mkOpt (attrsOf path) { };
+ };
 
- config.age.secrets = lib.mkIf config.modules.secrets.enable secrets;
+ config = mkMerge [
+ {
+ age.secrets = mkIf config.modules.secrets.enable secrets;
+ secrets = mapAttrs (n: v: v.path) config.age.secrets;
+ }
+
+ # Set ownership of keys
+ (mkIf config.services.nginx.enable {
+ age.secrets."inx.moe.pem" = setOwner "nginx";
+ age.secrets."inx.moe.key" = setOwner "nginx";
+ })
+ (mkIf config.services.vaultwarden.enable {
+ age.secrets."vaultwarden" = setOwner "vaultwarden";
+ })
+ ];
 }
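Review bot: The two ownership blocks at the end of the added `config = mkMerge [ ... ]` list are gated only on the service's `enable` flag and not on `modules.secrets.enable`, so a host that disables the secrets module but still runs nginx or vaultwarden ends up with `age.secrets."inx.moe.pem"` (and the other two) declared with only `owner`/`group` and no `file` — if agenix treats `file` as required, which I believe it does, that host no longer evaluates. Gating both blocks on the module flag as well keeps every `age.secrets` entry complete: `(mkIf (config.modules.secrets.enable && config.services.nginx.enable) {` and `(mkIf (config.modules.secrets.enable && config.services.vaultwarden.enable) {`. Separately, `hasAttr` and `optionalAttrs` are pulled in by the first added `inherit (lib)` line but are not used anywhere in the hunk; drop them unless a part of the file outside this hunk needs them.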