diff --git a/flake.lock b/flake.lock
index 02d2d91..2d9724a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -29,6 +29,38 @@
 "type": "github"
 }
 },
+ "agenix-rekey": {
+ "inputs": {
+ "devshell": [
+ "devshell"
+ ],
+ "flake-parts": [
+ "flake-parts"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks": [
+ "git-hooks"
+ ],
+ "treefmt-nix": [
+ "treefmt-nix"
+ ]
+ },
+ "locked": {
+ "lastModified": 1739816852,
+ "narHash": "sha256-QG8aA6hWsi6pqaidaz5a5SL+dM1mT9LMWMrmc1hrOrU=",
+ "owner": "oddlama",
+ "repo": "agenix-rekey",
+ "rev": "5f56d711ffe2aca62cfeeada9ec56692a13b9061",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oddlama",
+ "repo": "agenix-rekey",
+ "type": "github"
+ }
+ },
 "authentik-nix": {
 "inputs": {
 "authentik-src": "authentik-src",
@@ -954,6 +986,7 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
+ "agenix-rekey": "agenix-rekey",
 "authentik-nix": "authentik-nix",
 "blank": "blank",
 "conduwuit": "conduwuit",
diff --git a/flake.nix b/flake.nix
index dd1e558..d676c13 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,6 +26,7 @@
 ### Nix Libraries
 agenix.url = "github:ryantm/agenix";
+ agenix-rekey.url = "github:oddlama/agenix-rekey";
 devshell.url = "github:numtide/devshell";
 disko.url = "github:nix-community/disko/latest";
 flake-parts.url = "github:hercules-ci/flake-parts";
@@ -78,6 +79,11 @@
 systems.url = "github:nix-systems/default";
 ## Follow common
+ agenix-rekey.inputs.devshell.follows = "devshell";
+ agenix-rekey.inputs.flake-parts.follows = "flake-parts";
+ agenix-rekey.inputs.nixpkgs.follows = "nixpkgs";
+ agenix-rekey.inputs.pre-commit-hooks.follows = "git-hooks";
+ agenix-rekey.inputs.treefmt-nix.follows = "treefmt-nix";
 agenix.inputs.darwin.follows = "blank";
 agenix.inputs.home-manager.follows = "home-manager";
 agenix.inputs.nixpkgs.follows = "nixpkgs";
@@ -222,13 +228,28 @@
 ] ++ (self.lib.leaves ./users/modules);
 };
 }
+ (
+ { config, pkgs, ... }:
+ {
+ age.rekey = {
+ storageMode = "local";
+ generatedSecretsDir = ./secrets/generated;
+ localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
+ agePlugins = with pkgs; [
+ age-plugin-fido2-hmac
+ age-plugin-yubikey
+ ];
+ };
+ }
+ )
 # --- Universe Modules ---
 ./secrets
 private.nixosModules.secrets
 # --- Library Modules ---
- inputs.agenix.nixosModules.age
+ inputs.agenix.nixosModules.default
+ inputs.agenix-rekey.nixosModules.default
 inputs.disko.nixosModules.disko
 inputs.home-manager.nixosModules.home-manager
 inputs.impermanence.nixosModules.impermanence
@@ -273,6 +294,7 @@
 ./pkgs
 ./shell.nix
 ./templates
+ inputs.agenix-rekey.flakeModule
 inputs.devshell.flakeModule
 inputs.treefmt-nix.flakeModule
 ];
diff --git a/hosts/Infini-DESKTOP/default.nix b/hosts/Infini-DESKTOP/default.nix
index f82a1e3..58d06a4 100644
--- a/hosts/Infini-DESKTOP/default.nix
+++ b/hosts/Infini-DESKTOP/default.nix
@@ -14,6 +14,8 @@
 info.loc.home = true;
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7uX1myj9ghv7wMoL038oGDCdScdyLd7RvYdnoioSBh root@Infini-DESKTOP";
+
 persist = {
 directories = [
 "/srv"
diff --git a/hosts/Infini-DL360/default.nix b/hosts/Infini-DL360/default.nix
index 11c5439..bc6dd7b 100644
--- a/hosts/Infini-DL360/default.nix
+++ b/hosts/Infini-DL360/default.nix
@@ -10,6 +10,8 @@
 ./hardware-configuration.nix
 ./disks.nix
+ ./secrets
+ ./web.nix
 private.nixosModules.minecraft-servers
@@ -37,6 +39,8 @@
 info.loc.purdue = true;
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjmvE76BcPwZSjeNGzlguDQC67Yxa3uyOf5ZmVDWNys root@Infini-DL360";
+
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 boot.binfmt.addEmulatedSystemsToNixSandbox = true;
diff --git a/hosts/Infini-DL360/forgejo.nix b/hosts/Infini-DL360/forgejo.nix
index b0979e4..f900003 100644
--- a/hosts/Infini-DL360/forgejo.nix
+++ b/hosts/Infini-DL360/forgejo.nix
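Review bot: The inline `age.rekey` module added to the NixOS module list carries no comment, and its three settings decide where re-encrypted secrets end up in the repository, which a reader of flake.nix cannot tell from the option names alone. Presumably `storageMode = "local"` with `localStorageDir` means the per-host ciphertexts are written into the tree under `secrets/rekeyed/<hostName>` and committed; I would state that above `age.rekey = {`, e.g. `# Per-host rekeyed ciphertexts live in-repo under secrets/rekeyed/<hostName>; each is encrypted to that host's age.rekey.hostPubkey only, generated secrets under secrets/generated.` The enclosing module list starts and ends outside the hunk.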
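Review bot: The hosts/Infini-DL360/default.nix hunk imports `./web.nix`, but no hosts/Infini-DL360/web.nix is added anywhere in this diff, unlike `./secrets` whose default.nix is. If the file does not already exist in the tree, evaluation of this host fails on the import; if it does, the import is unrelated to the rekey migration and would be clearer as its own change. Either way a one-line comment or a commit-message mention would save the next reader the search.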
@@ -27,7 +27,7 @@ in lfs.enable = true; - secrets.mailer.PASSWD = secrets.smtp-password; + secrets.mailer.PASSWD = secrets.smtp-noreply; settings = { server = { ROOT_URL = "https://${domain}/"; diff --git a/hosts/Infini-DL360/secrets/authentik-ldap.age b/hosts/Infini-DL360/secrets/authentik-ldap.age new file mode 100644 index 0000000..03da50f --- /dev/null +++ b/hosts/Infini-DL360/secrets/authentik-ldap.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q AmrcqFPgfqImIMZx45MXeqD5XP2MCpnIIXTjfVZXFOtv +IgBH5MFAJJ5vP82Jtvmr/NcaCK1F/qSWQHM1PbtKu5Q +-> piv-p256 5utyxg A80LKCGYw597lm0Oo8kBKLIWcwnOCjDr3FiyIDrAmkSZ +R9tdgHAfuVNs2nXD+ml7l/jjXvf0cD2b5wALOVzEH9o +-> BLl-grease d)6dWO5 2P +/fvI/IO/OJV/4sF+ENnj1AQx9fRf0cLMy90ASBvl9Cdwtdnrx4ly8ZOS57rSNSO1 +JJFsEd9M3lKRElvYsXADC0cOBsK5hg +--- BNRWm9qA1JnQ71Yf9vAeVa7B5qzUf00mjVHJeFCKjQQ +4r( &@ O ֛SA?,{ɚPD(m|`7 8mf2p; 9n}DUbć(u?A V(4"h֓R;,6?8 +ȉ \ No newline at end of file diff --git a/hosts/Infini-DL360/secrets/authentik.age b/hosts/Infini-DL360/secrets/authentik.age new file mode 100644 index 0000000..e2bd084 --- /dev/null +++ b/hosts/Infini-DL360/secrets/authentik.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q AwjgvoXQnw3dGl+3NzZwbtobCzYQqSEwu3o68itzJXk3 +9J7aPKsJ/dZOoCKNGZWnxOH8a2TNX5D9hBStFgqDOH4 +-> piv-p256 5utyxg AyFGfXw60hWpTNvCXaVNTk0UN8WX8dEwIOMYkwtHLXJF +Zy5cd5saG4jfF5ZXkZ9TJpvscxfgDV2xGALY1yyY66w +-> m(-grease [FxH /SCRkN 2\> +HvqiMVBno3sBsl9eg4Lkr7F/f/dB8pxihcekBG0ntbQApRwxawj37/wjXKOYAX43 +OL4wHohhU91u+4eOv8E1K3OOpXy3aVn7WTjk/6ftA2oxLCy1QzQKpg +--- fpnPuiVpzrB09e3CvSUY/Y7tQyCc6v6FuRkml07bqD4 +D\LUxZ5Em}"&&&* TwV2pZYsştW;ZBO, Yů|mM$`t:ja}1)Yxt*IŜZC|-~quO]V^Ivk:R%ߊI'YXZ1iV=bɂI*Yeq \ No newline at end of file diff --git a/hosts/Infini-DL360/secrets/default.nix b/hosts/Infini-DL360/secrets/default.nix new file mode 100644 index 0000000..7310880 --- /dev/null +++ b/hosts/Infini-DL360/secrets/default.nix 
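Review bot: `secrets.mailer.PASSWD = secrets.smtp-noreply;` references an `smtp-noreply` secret that is nowhere declared in this diff; `secrets/smtp-noreply.age` is added as a binary, but the matching `age.secrets.smtp-noreply` entry is presumably in the root `./secrets` module, which the commit does not touch. The same applies to `secrets.smtp-noreply` in modules/global/general.nix and to `config.secrets.dns-cloudflare` in modules/global/security.nix, where the situation is weaker still: no `dns-cloudflare.age` appears anywhere while `secrets/cloudflare.age` is moved to `secrets/old/`. Since an undeclared secret only surfaces as an evaluation error (or a missing environment file for ACME), every host that uses these should be evaluated before merge. The enclosing `services.forgejo` block starts and ends outside the hunk.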
@@ -0,0 +1,17 @@ +{ lib, ... }: +let + inherit (lib.our.secrets) withGroup withOwnerGroup; +in +{ + age.secrets = { + authentik-ldap.rekeyFile = ./authentik-ldap.age; + authentik.rekeyFile = ./authentik.age; + freshrss = withOwnerGroup "freshrss" ./freshrss.age; + hedgedoc = withOwnerGroup "hedgedoc" ./hedgedoc.age; + hydra = withGroup "hydra" ./hydra.age; + ovpn.rekeyFile = ./ovpn.age; + radicale-ldap = withOwnerGroup "radicale" ./radicale-ldap.age; + searx.rekeyFile = ./searx.age; + vaultwarden.rekeyFile = ./vaultwarden.age; + }; +} diff --git a/hosts/Infini-DL360/secrets/freshrss.age b/hosts/Infini-DL360/secrets/freshrss.age new file mode 100644 index 0000000..abc5413 --- /dev/null +++ b/hosts/Infini-DL360/secrets/freshrss.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q AzMC4XpUhKiVaI2xhQRTQoyV+RjMz5Aoj3gZsgc8PBK3 +CGLI4lL+4xWaMviHW7FofruIZVFES0H/WFSzsbXDjcY +-> piv-p256 5utyxg AieYOjyIS2APXJfkY/qJ0UmoIuHwO3oIH8MSHh5o2M37 +GCEG5cxBQ5k/3UGm76bNtsPsHzv5yGSJ7iEn3h3wops +-> -W-grease Gh{uU +RobG9ho0acfDe+0qEBmtRyejJy7E272b3vzuegQ2twAl2xTYinWOx286sVpRPc7W +vJNCu9BCDGlIFnQoP2R1gm2eQrI6InNOOh3Q/IZ736ieAhbDvJbm/3BWqRmRRylY +dfEg +--- 3XHaD7Zc6JTUxZl/ouKGxmCVvkbjLw2E+TDAf6PwLLo +u,MρHS3JkY5`5;m piv-p256 CT7K2Q Ai6/RXPumKBsTij/p4Yzze3wuc+lCeCjrficqXR6a+cX +gGZZ+9hfSefCPpgkEyxiGLBw6HeIRlihlHpRW0flyHs +-> piv-p256 5utyxg AmJA1H1XKyJf8SH9aGgJGwgBCsW5c0VbYOih82p73tS7 +MclhdvYabgDkKl+K+rFxiRvbLLudscVAENFacJraIvA +-> ^4f5%t8(-grease ? G +aNFXQBBqAcfPE5+Wpw +--- Rvpkl3gKIXx96JuQEJZYvKm/ZkXDMl/7TCDECeTBa+o +@nUej tHbu撻K̝(չr_lmDZ(6㚓hƘm;k `Ru:[x['*iij ysʶ~`wk}28 \ No newline at end of file diff --git a/hosts/Infini-DL360/secrets/ovpn.age b/hosts/Infini-DL360/secrets/ovpn.age new file mode 100644 index 0000000..546f54e --- /dev/null +++ b/hosts/Infini-DL360/secrets/ovpn.age 
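Review bot: `authentik-ldap`, `authentik`, `ovpn`, `searx` and `vaultwarden` set only `rekeyFile`, so they take agenix's defaults (root-owned, mode 0400), whereas `freshrss`, `hedgedoc`, `hydra` and `radicale-ldap` are given an owner or group. That asymmetry may be deliberate (a service that receives the file via root-run activation or a credential mechanism does not need to read it as its own user), but the consumers are outside this diff, so it is worth confirming that each of those five services does not open the path as an unprivileged user. A short header comment would make the intent explicit, e.g. `# Host-local secrets for Infini-DL360; entries without owner/group stay root:root 0400 and are read by root-side consumers only.`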
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q A0NnbNjIggIuH4ZTAs8YyN3zn3V6OAsKrC04WaTveFAD +fiS6e/cndp7XPg6N9FoFDYJVHzQA1R64QNWyDjrmVJs +-> piv-p256 5utyxg A1EojHMF4AIcObYpGSRE/8Z2gOmtf9l5d9ZV36RC9jHy +WbYaIRWeSUbeaZDqQK4rqOTXy0kWQsG3gbC4dWsUNa4 +-> LJP-grease ,) +qNMbqpxba5Q8KRzrglBoMGsTZdWFTc6wTIFeX74MIDVqE2yPVUVNXcCzM6U3b+/y +XqtVvPgkILD6 +--- 66jeuKk3OHoA9g4muxmythBRKRc/zq4937NDiLC0cM0 + l1a*:I҃%gUcbp r5,"Dn%H|ߐ \ No newline at end of file diff --git a/hosts/Infini-DL360/secrets/radicale-ldap.age b/hosts/Infini-DL360/secrets/radicale-ldap.age new file mode 100644 index 0000000..d78aa2c --- /dev/null +++ b/hosts/Infini-DL360/secrets/radicale-ldap.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q ApL+8SFBLjq2WTsInFVio8n4RN/U7Cy1I2hvFxNBA2Vu +IUk5Vd0iqcqPVG8JKmEoTmPePeRpO/+e/mA2MWWatVI +-> piv-p256 5utyxg A2ndIHeH3WUg1D6Og35thBxlL8Oji+vc2Ru7B6aSZwMd +loQZbjmAoS1hhiRKkr6wgGmE9Olzstw4zfGCkd0IK7Y +-> AQvw>-grease `Pf +PpONBRKybtkIwA3qrv0X0WaHlHcTd3VeDNOF0MUu4M+qrO1bI71sDL1+sPz/Hm/2 +bkOFCT1xxYFwBQYaRrWY5/3qSKWi +--- zp9aNIrYy+Z55Fp+bQ4D0BhLkOAwx5gb5vH4+qkXJmY +ވ7=1uF`d b򑏩 dgNMq^bEhIO{:!FW܌jycDzk )cpݶd \ No newline at end of file diff --git a/hosts/Infini-DL360/secrets/searx.age b/hosts/Infini-DL360/secrets/searx.age new file mode 100644 index 0000000..5ff279a Binary files /dev/null and b/hosts/Infini-DL360/secrets/searx.age differ diff --git a/hosts/Infini-DL360/secrets/vaultwarden.age b/hosts/Infini-DL360/secrets/vaultwarden.age new file mode 100644 index 0000000..db3ff8e Binary files /dev/null and b/hosts/Infini-DL360/secrets/vaultwarden.age differ diff --git a/hosts/Infini-FRAMEWORK/default.nix b/hosts/Infini-FRAMEWORK/default.nix index e8e1940..9636d12 100644 --- a/hosts/Infini-FRAMEWORK/default.nix +++ b/hosts/Infini-FRAMEWORK/default.nix 
@@ -16,6 +16,8 @@
 info.loc.purdue = true;
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7PmPq/7e+YIVAvIcs6EOJ3pZVJhinwus6ZauJ3aVp0 root@Infini-FRAMEWORK";
+
 persist = {
 directories = [
 {
diff --git a/hosts/Infini-OPTIPLEX/default.nix b/hosts/Infini-OPTIPLEX/default.nix
index 45f6c6c..c786bb1 100644
--- a/hosts/Infini-OPTIPLEX/default.nix
+++ b/hosts/Infini-OPTIPLEX/default.nix
@@ -9,6 +9,8 @@
 info.loc.purdue = true;
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG8fY684SPKeOUsJqaV6LJwwztWxztaU9nAHPBxBtyU root@Infini-OPTIPLEX";
+
 boot.loader.timeout = 1;
 modules = {
diff --git a/hosts/Infini-RASPBERRY/default.nix b/hosts/Infini-RASPBERRY/default.nix
index 57366d5..1a6bedb 100644
--- a/hosts/Infini-RASPBERRY/default.nix
+++ b/hosts/Infini-RASPBERRY/default.nix
@@ -13,6 +13,9 @@ with lib;
 ];
 system.stateVersion = "23.11";
+
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwPqTFCztLbYFFUej42hRzzCBzG6BCZIb7zXi2cxeJp root@Infini-RASPBERRY";
+
 modules = {
 hardware.form.raspi = true;
 };
diff --git a/hosts/Infini-SD/default.nix b/hosts/Infini-SD/default.nix
index 06441ed..ab446eb 100644
--- a/hosts/Infini-SD/default.nix
+++ b/hosts/Infini-SD/default.nix
@@ -7,6 +7,8 @@
 networking.hostId = "3275c7d3";
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8oViHNz64NG51uyll/q/hrSGwoHRgvYI3luD/IWTUT root@Infini-SD";
+
 boot.kernelPackages = pkgs.linuxPackages;
 hardware.infiniband = {
diff --git a/hosts/Infini-SERVER/default.nix b/hosts/Infini-SERVER/default.nix
index 8d870ef..154a69b 100644
--- a/hosts/Infini-SERVER/default.nix
+++ b/hosts/Infini-SERVER/default.nix
@@ -9,6 +9,8 @@
 info.loc.home = true;
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8ptHWTesaUzglq01O8OVqeAGxFhXutUZpkgPpBFqzY root@Infini-SERVER";
+
 modules = {
 hardware = {
 # gpu.nvidia = true;
diff --git a/hosts/hermes/default.nix b/hosts/hermes/default.nix
index 8a640a4..c42051b 100644
--- a/hosts/hermes/default.nix
+++ b/hosts/hermes/default.nix
@@ -8,6 +8,8 @@
 system.stateVersion = "24.11";
 networking.hostId = "deadbeef";
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0fWuozCHyPrkFKPcnqX1MyUAgnn2fJEpDSoD7bhDA4 root@Infini-STICK";
+
 boot.kernelPackages = pkgs.linuxPackages;
 modules = {
diff --git a/hosts/hestia/default.nix b/hosts/hestia/default.nix
index e0aecf3..630bfe8 100644
--- a/hosts/hestia/default.nix
+++ b/hosts/hestia/default.nix
@@ -8,6 +8,8 @@
 system.stateVersion = "25.05";
 networking.hostId = "85eb2d89"; # "hestia" in base64->hex
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBanlhzmtBf5stg2yYdxqb9FzFZmum/rlWod/akWQI3c root@hestia";
+
 modules.hardware.form.server = true;
 modules.backups.enable = false; # hestia is a backup target
 boot.loader.timeout = 1;
diff --git a/hosts/iris/default.nix b/hosts/iris/default.nix
index 87cb452..0a3e051 100644
--- a/hosts/iris/default.nix
+++ b/hosts/iris/default.nix
@@ -1,13 +1,15 @@
 { ... }:
 {
 imports = [
- ./hardware-configuration.nix
+ #./hardware-configuration.nix
 ./disks.nix
 ];
 system.stateVersion = "25.05";
 networking.hostId = "8ab8acd3"; # "iris00" in base64->hex
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsdARqD3MibvnpcUxOZVtstIu9djk+umwFR5tzqKATH root@iris";
+
 modules.hardware.form.server = true;
 modules.backups.enable = false; # testing server
 boot.loader.timeout = 1;
diff --git a/lib/default.nix b/lib/default.nix
index a13185c..55ace2d 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -126,6 +126,7 @@ lib.makeExtensible (
 disko = import ./disko.nix { inherit lib; };
 filesystems = import ./filesystems.nix { inherit lib self; };
+ secrets = import ./secrets.nix;
 }
 // (import ./digga.nix { inherit lib; })
 // (import ./hosts.nix { inherit lib; })
diff --git a/lib/secrets.nix b/lib/secrets.nix
new file mode 100644
index 0000000..246254d
--- /dev/null
+++ b/lib/secrets.nix
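Review bot: The `age.rekey.hostPubkey` added to hosts/hermes/default.nix carries the comment `root@Infini-STICK`, and the deleted secrets/secrets.nix listed that exact key under `Infini-STICK`, not hermes; every other host in this commit gets a key whose comment matches its directory. If hermes is simply the renamed Infini-STICK machine with the same host key this is fine and deserves a comment such as `# hermes was formerly Infini-STICK; same host key`, but if hermes has its own host key, everything rekeyed for it will be encrypted to a key it does not hold and will fail to decrypt at activation. Verify against the host's `/etc/ssh/ssh_host_ed25519_key.pub` before merging.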
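Review bot: In hosts/iris/default.nix the change from `./hardware-configuration.nix` to `#./hardware-configuration.nix` has nothing to do with the rekey migration and looks like a local debugging edit that was committed by accident. Depending on what that file declared (filesystems, kernel modules, initrd settings) the resulting iris configuration may no longer boot or even evaluate. If dropping it is intentional, delete the line and say why in the commit message rather than leaving a commented-out import; otherwise restore it.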
@@ -0,0 +1,13 @@
+{
+ withOwnerGroup = name: rekeyFile: {
+ owner = name;
+ group = name;
+ mode = "440";
+ inherit rekeyFile;
+ };
+ withOwner = owner: rekeyFile: { inherit owner rekeyFile; };
+ withGroup = group: rekeyFile: {
+ inherit group rekeyFile;
+ mode = "440";
+ };
+}
diff --git a/modules/global/general.nix b/modules/global/general.nix
index 55b850e..f3035c1 100644
--- a/modules/global/general.nix
+++ b/modules/global/general.nix
@@ -57,7 +57,7 @@
 accounts = rec {
 noreply = {
 user = outgoing;
- passwordeval = "cat ${secrets.smtp-password}";
+ passwordeval = "cat ${secrets.smtp-noreply}";
 };
 default = noreply // {
 from = withSubaddress "%U-%H";
diff --git a/modules/global/packages.nix b/modules/global/packages.nix
index 7484612..80d3388 100644
--- a/modules/global/packages.nix
+++ b/modules/global/packages.nix
@@ -17,7 +17,6 @@
 [
 universe-cli
- agenix
 bat
 cloc
 cryptsetup
diff --git a/modules/global/security.nix b/modules/global/security.nix
index d4461b1..fea807f 100644
--- a/modules/global/security.nix
+++ b/modules/global/security.nix
@@ -19,7 +19,7 @@ in
 defaults = {
 email = "infinidoge@inx.moe";
 dnsProvider = "cloudflare";
- environmentFile = config.secrets.cloudflare;
+ environmentFile = config.secrets.dns-cloudflare;
 };
 };
 pki.certificateFiles = [
diff --git a/secrets/binary-cache-private-key.age b/secrets/binary-cache-private-key.age
index bdf033d..aae9746 100644
Binary files a/secrets/binary-cache-private-key.age and b/secrets/binary-cache-private-key.age differ
diff --git a/secrets/binary-cache-public-key b/secrets/binary-cache-public-key
deleted file mode 100644
index e223bde..0000000
--- a/secrets/binary-cache-public-key
+++ /dev/null
@@ -1 +0,0 @@
-infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk=
\ No newline at end of file
diff --git a/secrets/borg-password.age b/secrets/borg-password.age
index 10ef521..b82be6b 100644
--- a/secrets/borg-password.age
+++ b/secrets/borg-password.age
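Review bot: lib/secrets.nix has no documentation, and the three helpers are not symmetric: `withOwnerGroup` and `withGroup` set `mode = "440"`, while `withOwner` sets no mode and so inherits agenix's default (0400, readable by the owner only). That may well be intended, since a dedicated owner needs nothing more, but a reader comparing the three will assume an omission. I would add a header comment, e.g. `# Builders for age.secrets entries. withOwnerGroup NAME: owned by NAME:NAME, mode 440. withGroup GROUP: root-owned, group GROUP, mode 440. withOwner OWNER: owned by OWNER, mode left at the agenix default (0400).`, and, if the default is relied on deliberately, also say so on the `withOwner` line.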
@@ -1,56 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 sQ/0YA 5/8hTMh6CloNFOxL7nqpRWx6EHXfJ22s5Qm+lkFStwU -5Virolfv5xEn9d2We37ciIrIT6hLSZF78iAwkHl16KI --> ssh-ed25519 aYlTiQ JSJJ4EC6v8VcSS13n6h0+K+sApNulYBphu7Ny+dYZhU -PAIeYvIlsPbBSUs5t2KUxXu9sk1Yb/rSIKPlEZHj3Ls --> ssh-ed25519 i9xGKA YhZ3NCliAzg62D4LrfCNpcSwoJ+wKe+avbdUCQXMj1M -pVOnIU43mqtFY0pRiSQBUigdoxq532p7wv0nS2MWPYs --> ssh-ed25519 ydxrGg OYE8RmU2XB3Vi5yxW2TExllNbUBzo6fFUWRUrfAl6Xc -j1vTMqWvAu894eZzGA5wEk+3EvyQUBk/m3Xho5bDgAE --> ssh-ed25519 oqB+OQ bWopOtx5LLDGCQ2/TgxM4tpKWYjH9QODfDpxx9in01E -4NT1npZomt0mSQSpLtTvFxLvV5NPMphG8J8LKcL5Wjw --> ssh-ed25519 gIJNbA QnW3sLf5LcofKLuAZz2f5y7qZMMVfmgNDXM6wBY57CQ -l9Dl5+IJ7CswosXwijyOepxS5P6g+bA8wUfNQVF01fA --> ssh-ed25519 hjL/yw IqwsP6XXOoVgTdGMcgm+Ev0pvAHgRIEwaWcTaB6hNVQ -olJ4WbQW58vI0TjkHww+iCTUgio7kZmPlcvJEc4IQGE --> ssh-ed25519 Ig0rsg 3ZiWNnm9DFiAKnwpyYQiSP5kZgNwLArraC32lqKtITQ -1e74EWfTnOS7UdSJfMxTlzbr58fIn+rw/qeN6TxAKWk --> ssh-ed25519 U4Pefg yXsLnpVhhud1LAp+rgMqa4UH7mHsEbgrEb7SZzvyGDA -UjF3i1PLn/jqMeStZmRcV/hA8SGkQkAOJ4E04W0d2Mg --> ssh-ed25519 SqmlZQ 44N/cMPg4R/6ntv/ZleB3tpjdyIi4F8HSJy03zyj1DA -3SyM8OnvcbT2/PGiBj1EcTUr4q2T6H0+s+9UP4cpZps --> ssh-ed25519 GT2Stg 9vBE4i87f287MpgTama/5g6wQseDfng/fj6fKLKP1QY -d7JvhmUrIOxxKEr3trtv4NRJKdLlf+LBbECpxnIpTxk --> ssh-ed25519 oAMyvg fjJmTln1QI4uw4TE4YMq0E8b0q/sZ2TLIgEP0zYlLyE -7VHmeg6zpnzKWL5AC8qx6wAvYcdxulAMh/zPKt4eS1w --> ssh-ed25519 VIHjXg XdmRVbvEvARws7bCPn529MTPT1p/cb0U62hOtAfW33A -8c0OrrMRip7KjeE2+VtbU/QDWl7KiVTvbv+lSIs7UNg --> ssh-ed25519 VEv3zg Umgx52XORKFXYdEsGzvKfvUy6SHJoJbvAKX3NHrVxko -o3Phua7fSn5alLQDdU2PJBFvJBDqF+H+F3V/s4v4EgE --> ssh-ed25519 m7J79g CkPOHoXFHcMMk/xlmCAMd2ikZWJCqPhW7UvtymJ9FiE -p+agR0jOtshNZjF0Gox3Njr7qwMzsk2nsstSUaScOH4 --> ssh-ed25519 2S7Wcg XqhSc/NbSCGTMU8kZCk2Xu7fAFg+hQ4W4wSwzx9e9jA -rNepa1tbXPRCfTSaAKgs+aLvCyRloAb340Ufw8DVi9w --> ssh-ed25519 EMoPew bK7hR3fKibZb47MyOR5n3gfyh7HzpDqC3ZlcaSigNQM -NsYE8aU/wic0N1tVFbWykRfghsGmws4Xg8kdrJLisps --> ssh-ed25519 izZ3FQ 
7UWEjg98xHo/9s9+onUSbrMh0uPLTDQVEbPgPAWVu3k -GrBRLSIBdCHIHZNQIORZGFk93/l01CgOhfDx1eJqgvo --> ssh-ed25519 zNb8DQ XuvULuWzBe3DRVrEHM6fShYGh5MexG6XNxNpznJr1Fk -MBOeY+DZ4HQ69ifOKr+2gv5Bkpg5WQa7zKm+NeC8Wec --> ssh-ed25519 GB2MZQ C6bFo1mneQHotAZLSn6sClt35+uUwPJLuHOYoE3aRkw -DeDM1yv2FZo0dUXttP0d62fRgU/A8MJ99oHpGhr0Y/M --> ssh-ed25519 FelIjw E7fL8omx+HGv75MUsC/IZAXQNw4G1vb7LLT6FdTdkU0 -I7ix1MlBnH+wT9PxL64b5EYex3yjk3+U1EO0WLhzPjU --> ssh-ed25519 TRpHkw LHWFmWM6uKa7+MLlxKsdhBA5HmjsCnBz81MR2hIJCDQ -IJOsuUtXmp91t226YrW+5lvAGiLygv598b0zCVBNHTc --> ssh-ed25519 rKpRzQ Qk96yw6dOkE7zIcBo/6SXpO9o6OrPykkT4knw8fj/0k -SCa84kZ/e/vs4caIklF2LqwkVHgxbLoyWQIdXYsKC8I --> ssh-ed25519 8/Dzqw blUGZhhmVedopPKAbFNPfSxc58OoS5o5oW5plYltTiI -WPFPl6bXvewmISOp8/S1ronk9jT8O57qNPZUCFvTxxE --> ssh-ed25519 tJyugw UUi6VCLSfg3oyutzwg+xskDCtE1mFQTvHrGBkXuIT1Q -+rk2mBJRrYrUfsv4o0keEAKsXahjEIintcoA+38RL/o --> ssh-ed25519 lpPUYw TFf9vRCAv2005EC1giIkVfy/AwpU/t5WPX3bSLDDHgw -vbLC5pesZRyuw/vMAv2X1ZYVNwrYUx+P/ZV8BLrpELo ---- EpxlXztYxi3N6dCswIYXZxAxmFv3XYSkU34LmUIM0fE -3%"xR@(qOEL^S%#48mEe(J -AN>DE+&@8b5~l- M#8 2=vP 4|[}Oy \ No newline at end of file +-> piv-p256 CT7K2Q Atat1p1wMEaZVi0DxSmUYN3H79RO1XK26pmJFnrMUW+N +4IUFdkcSJnVthch8NgWV/mRsPqs5/NbxRgTP1DTq6Js +-> piv-p256 5utyxg AhOyUzfDfgFTgoSZ/Ram2/AKwXT0RoJ/g4cGvQoCHwMR +7W5e76JbGDvEiUwbJrOK2/9pSzEKUk+4LAtnJd6Au9A +-> A(v,}OT8-grease iv$<6^ +qJk7RvKMoJ/OCb1L15x8ur6Q5MxpDcXkwA +--- FrURRINPBWKnkfeCAsUecvz0nSlH8cUmpuxzgpUc9sA +wm 56#x&g@ nM2]-9``$86Eܐto0 zED> piv-p256 CT7K2Q A0qTlw/zQp903Xk08cjrAX7zoPL2xc6KCBD1ZQhpDP9H +kCuhwrAe91AXCEcXw7xGfb4ypYpAhCm/MCFv7cQJcXY +-> piv-p256 5utyxg A+dmEbRvkJuqaMp2ZaamaLTdRLWTlkBxwJDE0e4cP7jG +ai+6s1mDIsxx5bHcnZQscjjTQnV8/C146n2YJy4gF+w +-> kQ'0sT4p-grease kVUsHd] ^ 3z#4aLz zmwIUo\ +m88fb8byPiryipImWibRNuzZ/mXFVYe0bDeM +--- uRfolk520znGni9GMw2SxyYUqYsK0Mxw6WnTd23T9zY +/vjh겳7e*vkˠ~MQKKOJ0ύE分g[%mN\ ׮iьȻ95〈h°*. +*j5jZ? 
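Review bot: Re-encrypting secrets/borg-password.age to the two `piv-p256` YubiKey recipients only narrows who can decrypt this file from now on; it does not take the plaintext away from the twenty-odd `ssh-ed25519` recipients (mostly host keys) the old header lists. The previous ciphertext stays in git history, and the run of `+` `ssh-ed25519` lines that follows (its file header is garbled here, but the content matches the removed borg-password.age byte for byte, so presumably `secrets/old/borg-password.age`) re-adds it verbatim, alongside the other files moved to `secrets/old/`. Any of those host or user keys can therefore still recover the current borg passphrase, and the same holds for every secret migrated in this commit. The follow-up to plan is rotating the underlying values after the rekey and removing `secrets/old/` once nothing references it, not merely re-encrypting.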
^O}ZbkB|Y惃g@_C mJ,z ssh-ed25519 sQ/0YA 5/8hTMh6CloNFOxL7nqpRWx6EHXfJ22s5Qm+lkFStwU +5Virolfv5xEn9d2We37ciIrIT6hLSZF78iAwkHl16KI +-> ssh-ed25519 aYlTiQ JSJJ4EC6v8VcSS13n6h0+K+sApNulYBphu7Ny+dYZhU +PAIeYvIlsPbBSUs5t2KUxXu9sk1Yb/rSIKPlEZHj3Ls +-> ssh-ed25519 i9xGKA YhZ3NCliAzg62D4LrfCNpcSwoJ+wKe+avbdUCQXMj1M +pVOnIU43mqtFY0pRiSQBUigdoxq532p7wv0nS2MWPYs +-> ssh-ed25519 ydxrGg OYE8RmU2XB3Vi5yxW2TExllNbUBzo6fFUWRUrfAl6Xc +j1vTMqWvAu894eZzGA5wEk+3EvyQUBk/m3Xho5bDgAE +-> ssh-ed25519 oqB+OQ bWopOtx5LLDGCQ2/TgxM4tpKWYjH9QODfDpxx9in01E +4NT1npZomt0mSQSpLtTvFxLvV5NPMphG8J8LKcL5Wjw +-> ssh-ed25519 gIJNbA QnW3sLf5LcofKLuAZz2f5y7qZMMVfmgNDXM6wBY57CQ +l9Dl5+IJ7CswosXwijyOepxS5P6g+bA8wUfNQVF01fA +-> ssh-ed25519 hjL/yw IqwsP6XXOoVgTdGMcgm+Ev0pvAHgRIEwaWcTaB6hNVQ +olJ4WbQW58vI0TjkHww+iCTUgio7kZmPlcvJEc4IQGE +-> ssh-ed25519 Ig0rsg 3ZiWNnm9DFiAKnwpyYQiSP5kZgNwLArraC32lqKtITQ +1e74EWfTnOS7UdSJfMxTlzbr58fIn+rw/qeN6TxAKWk +-> ssh-ed25519 U4Pefg yXsLnpVhhud1LAp+rgMqa4UH7mHsEbgrEb7SZzvyGDA +UjF3i1PLn/jqMeStZmRcV/hA8SGkQkAOJ4E04W0d2Mg +-> ssh-ed25519 SqmlZQ 44N/cMPg4R/6ntv/ZleB3tpjdyIi4F8HSJy03zyj1DA +3SyM8OnvcbT2/PGiBj1EcTUr4q2T6H0+s+9UP4cpZps +-> ssh-ed25519 GT2Stg 9vBE4i87f287MpgTama/5g6wQseDfng/fj6fKLKP1QY +d7JvhmUrIOxxKEr3trtv4NRJKdLlf+LBbECpxnIpTxk +-> ssh-ed25519 oAMyvg fjJmTln1QI4uw4TE4YMq0E8b0q/sZ2TLIgEP0zYlLyE +7VHmeg6zpnzKWL5AC8qx6wAvYcdxulAMh/zPKt4eS1w +-> ssh-ed25519 VIHjXg XdmRVbvEvARws7bCPn529MTPT1p/cb0U62hOtAfW33A +8c0OrrMRip7KjeE2+VtbU/QDWl7KiVTvbv+lSIs7UNg +-> ssh-ed25519 VEv3zg Umgx52XORKFXYdEsGzvKfvUy6SHJoJbvAKX3NHrVxko +o3Phua7fSn5alLQDdU2PJBFvJBDqF+H+F3V/s4v4EgE +-> ssh-ed25519 m7J79g CkPOHoXFHcMMk/xlmCAMd2ikZWJCqPhW7UvtymJ9FiE +p+agR0jOtshNZjF0Gox3Njr7qwMzsk2nsstSUaScOH4 +-> ssh-ed25519 2S7Wcg XqhSc/NbSCGTMU8kZCk2Xu7fAFg+hQ4W4wSwzx9e9jA +rNepa1tbXPRCfTSaAKgs+aLvCyRloAb340Ufw8DVi9w +-> ssh-ed25519 EMoPew bK7hR3fKibZb47MyOR5n3gfyh7HzpDqC3ZlcaSigNQM +NsYE8aU/wic0N1tVFbWykRfghsGmws4Xg8kdrJLisps +-> ssh-ed25519 izZ3FQ 7UWEjg98xHo/9s9+onUSbrMh0uPLTDQVEbPgPAWVu3k 
+GrBRLSIBdCHIHZNQIORZGFk93/l01CgOhfDx1eJqgvo +-> ssh-ed25519 zNb8DQ XuvULuWzBe3DRVrEHM6fShYGh5MexG6XNxNpznJr1Fk +MBOeY+DZ4HQ69ifOKr+2gv5Bkpg5WQa7zKm+NeC8Wec +-> ssh-ed25519 GB2MZQ C6bFo1mneQHotAZLSn6sClt35+uUwPJLuHOYoE3aRkw +DeDM1yv2FZo0dUXttP0d62fRgU/A8MJ99oHpGhr0Y/M +-> ssh-ed25519 FelIjw E7fL8omx+HGv75MUsC/IZAXQNw4G1vb7LLT6FdTdkU0 +I7ix1MlBnH+wT9PxL64b5EYex3yjk3+U1EO0WLhzPjU +-> ssh-ed25519 TRpHkw LHWFmWM6uKa7+MLlxKsdhBA5HmjsCnBz81MR2hIJCDQ +IJOsuUtXmp91t226YrW+5lvAGiLygv598b0zCVBNHTc +-> ssh-ed25519 rKpRzQ Qk96yw6dOkE7zIcBo/6SXpO9o6OrPykkT4knw8fj/0k +SCa84kZ/e/vs4caIklF2LqwkVHgxbLoyWQIdXYsKC8I +-> ssh-ed25519 8/Dzqw blUGZhhmVedopPKAbFNPfSxc58OoS5o5oW5plYltTiI +WPFPl6bXvewmISOp8/S1ronk9jT8O57qNPZUCFvTxxE +-> ssh-ed25519 tJyugw UUi6VCLSfg3oyutzwg+xskDCtE1mFQTvHrGBkXuIT1Q ++rk2mBJRrYrUfsv4o0keEAKsXahjEIintcoA+38RL/o +-> ssh-ed25519 lpPUYw TFf9vRCAv2005EC1giIkVfy/AwpU/t5WPX3bSLDDHgw +vbLC5pesZRyuw/vMAv2X1ZYVNwrYUx+P/ZV8BLrpELo +--- EpxlXztYxi3N6dCswIYXZxAxmFv3XYSkU34LmUIM0fE +3%"xR@(qOEL^S%#48mEe(J +AN>DE+&@8b5~l- M#8 2=vP 4|[}Oy \ No newline at end of file diff --git a/secrets/old/borg-ssh-key.age b/secrets/old/borg-ssh-key.age new file mode 100644 index 0000000..68eeafb Binary files /dev/null and b/secrets/old/borg-ssh-key.age differ diff --git a/secrets/cloudflare.age b/secrets/old/cloudflare.age similarity index 100% rename from secrets/cloudflare.age rename to secrets/old/cloudflare.age diff --git a/secrets/freshrss.age b/secrets/old/freshrss.age similarity index 100% rename from secrets/freshrss.age rename to secrets/old/freshrss.age diff --git a/secrets/hedgedoc.age b/secrets/old/hedgedoc.age similarity index 100% rename from secrets/hedgedoc.age rename to secrets/old/hedgedoc.age diff --git a/secrets/hydra.age b/secrets/old/hydra.age similarity index 100% rename from secrets/hydra.age rename to secrets/old/hydra.age 
diff --git a/secrets/infinidoge-password.age b/secrets/old/infinidoge-password.age
similarity index 100%
rename from secrets/infinidoge-password.age
rename to secrets/old/infinidoge-password.age
diff --git a/secrets/ovpn.age b/secrets/old/ovpn.age
similarity index 100%
rename from secrets/ovpn.age
rename to secrets/old/ovpn.age
diff --git a/secrets/personal-smtp-password.age b/secrets/old/personal-smtp-password.age
similarity index 100%
rename from secrets/personal-smtp-password.age
rename to secrets/old/personal-smtp-password.age
diff --git a/secrets/radicale-ldap.age b/secrets/old/radicale-ldap.age
similarity index 100%
rename from secrets/radicale-ldap.age
rename to secrets/old/radicale-ldap.age
diff --git a/secrets/root-password.age b/secrets/old/root-password.age
similarity index 100%
rename from secrets/root-password.age
rename to secrets/old/root-password.age
diff --git a/secrets/searx.age b/secrets/old/searx.age
similarity index 100%
rename from secrets/searx.age
rename to secrets/old/searx.age
diff --git a/secrets/smtp-password.age b/secrets/old/smtp-password.age
similarity index 100%
rename from secrets/smtp-password.age
rename to secrets/old/smtp-password.age
diff --git a/secrets/vaultwarden.age b/secrets/old/vaultwarden.age
similarity index 100%
rename from secrets/vaultwarden.age
rename to secrets/old/vaultwarden.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
deleted file mode 100644
index 07e6967..0000000
--- a/secrets/secrets.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-with builtins;
-let
- flatten = x: if isList x then concatMap (y: flatten y) x else [ x ];
- hasPrefix = pref: str: (substring 0 (stringLength pref) str == pref);
- isValidKey =
- key:
- all (keyPrefix: !(hasPrefix keyPrefix key)) [
- "sk-ssh-ed25519"
- ];
-
- systems = {
- Infini-DESKTOP = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7uX1myj9ghv7wMoL038oGDCdScdyLd7RvYdnoioSBh root@Infini-DESKTOP";
- Infini-FRAMEWORK = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7PmPq/7e+YIVAvIcs6EOJ3pZVJhinwus6ZauJ3aVp0 root@Infini-FRAMEWORK";
- Infini-SERVER = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8ptHWTesaUzglq01O8OVqeAGxFhXutUZpkgPpBFqzY root@Infini-SERVER";
- Infini-OPTIPLEX = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG8fY684SPKeOUsJqaV6LJwwztWxztaU9nAHPBxBtyU root@Infini-OPTIPLEX";
- Infini-STICK = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0fWuozCHyPrkFKPcnqX1MyUAgnn2fJEpDSoD7bhDA4 root@Infini-STICK";
- Infini-SD = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8oViHNz64NG51uyll/q/hrSGwoHRgvYI3luD/IWTUT root@Infini-SD";
- Infini-DL360 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjmvE76BcPwZSjeNGzlguDQC67Yxa3uyOf5ZmVDWNys root@Infini-DL360";
- Infini-RASPBERRY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwPqTFCztLbYFFUej42hRzzCBzG6BCZIb7zXi2cxeJp root@Infini-RASPBERRY";
- hestia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBanlhzmtBf5stg2yYdxqb9FzFZmum/rlWod/akWQI3c root@hestia";
- iris = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsdARqD3MibvnpcUxOZVtstIu9djk+umwFR5tzqKATH root@iris";
- };
- users = {
- infinidoge = import ../users/infinidoge/ssh-keys.nix;
- root = import ../users/root/ssh-keys.nix;
- };
- allKeys = filter isValidKey (flatten [
- (attrValues systems)
- (attrValues users)
- ]);
-
- generate = secrets: foldl' (a: b: a // b) { } (map (n: { ${n}.publicKeys = allKeys; }) secrets);
-in
-generate [
- "infinidoge-password.age"
- "root-password.age"
- "binary-cache-private-key.age"
- "vaultwarden.age"
- "freshrss.age"
- "borg-password.age"
- "borg-ssh-key.age"
- "cloudflare.age"
- "smtp-password.age"
- "hydra.age"
- "hedgedoc.age"
- "searx.age"
- "ovpn.age"
- "authentik.age"
- "authentik-ldap.age"
- "radicale-ldap.age"
- "personal-smtp-password.age"
-]
diff --git a/secrets/smtp-noreply.age b/secrets/smtp-noreply.age
new file mode 100644
index 0000000..8d9ca3f
Binary files /dev/null and b/secrets/smtp-noreply.age differ
diff --git a/shell.nix b/shell.nix
index 2aabb81..6accab5 100644
--- a/shell.nix
+++ b/shell.nix
@@ -24,9 +24,12 @@
 devshell.name = "universe";
 devshell.motd = "";
- devshell.packages = [
+ devshell.packages = with pkgs; [
 pythonEnv
 inputs'.disko.packages.disko
+ config.agenix-rekey.package
+ age-plugin-fido2-hmac
+ age-plugin-yubikey
 ];
 env = [
diff --git a/users/infinidoge/default.nix b/users/infinidoge/default.nix
index cd96e92..49ed655 100644
--- a/users/infinidoge/default.nix
+++ b/users/infinidoge/default.nix
@@ -43,7 +43,7 @@ in
 POP_SMTP_HOST = common.email.smtp.address;
 POP_SMTP_PORT = common.email.smtp.STARTTLS;
 POP_SMTP_USERNAME = common.email.withUser "infinidoge";
- POP_SMTP_PASSWORD = "$(cat ${secrets.personal-smtp-password})";
+ POP_SMTP_PASSWORD = "$(cat ${secrets.smtp-personal})";
 };
 home.packages =
@@ -110,10 +110,22 @@ in
 adb.enable = config.info.graphical;
 };
+ age.rekey.masterIdentities = [
+ ./keys/primary_age.pub
+ ./keys/backup_age.pub
+ ];
+
+ age.secrets = {
+ password-infinidoge.rekeyFile = ./password.age;
+ smtp-personal.rekeyFile = ./smtp-personal.age;
+ smtp-personal.owner = "infinidoge";
+ };
+
+ user.hashedPasswordFile = mkIf config.modules.secrets.enable secrets.password-infinidoge;
+
 user = {
 name = "infinidoge";
 uid = 1000;
- hashedPasswordFile = mkIf config.modules.secrets.enable config.secrets.infinidoge-password;
 description = "Infinidoge, primary user of the system";
 group = "users";
 isNormalUser = true;
diff --git a/users/infinidoge/keys/backup_age.pub b/users/infinidoge/keys/backup_age.pub
new file mode 100644
index 0000000..3c6f399
--- /dev/null
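Review bot: In the users/infinidoge/default.nix hunk at `@@ -110,10 +110,22 @@`, `smtp-personal` is assembled from two separate attribute paths (`smtp-personal.rekeyFile = ...;` then `smtp-personal.owner = "infinidoge";`), while this same commit introduces `lib.our.secrets.withOwner` for exactly that shape and already uses the sibling helpers in hosts/Infini-DL360/secrets/default.nix. For consistency I would write `smtp-personal = lib.our.secrets.withOwner "infinidoge" ./smtp-personal.age;` (assuming `lib` is in scope here; the module's argument list is outside the hunk). Moving `user.hashedPasswordFile` out of the `user = { ... }` block that follows also splits one user definition across two places for no visible reason; keeping `hashedPasswordFile = mkIf config.modules.secrets.enable secrets.password-infinidoge;` inside the block reads more naturally.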
+++ b/users/infinidoge/keys/backup_age.pub
@@ -0,0 +1,7 @@
+# Serial: 26969244, Slot: 1
+# Name: BACKUP_AGE
+# Created: Wed, 19 Feb 2025 01:58:28 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+# Recipient: age1yubikey1q2dxqlvpp0jpjumgmm3rk952dqexy6r2ff4ul62luman3uga6s0l5llfumw
+AGE-PLUGIN-YUBIKEY-1NJZFKQVZUM4H93SSLXN5A
diff --git a/users/infinidoge/keys/primary_age.pub b/users/infinidoge/keys/primary_age.pub
new file mode 100644
index 0000000..2eff10a
--- /dev/null
+++ b/users/infinidoge/keys/primary_age.pub
@@ -0,0 +1,7 @@
+# Serial: 24623451, Slot: 1
+# Name: PRIMARY_AGE
+# Created: Wed, 19 Feb 2025 00:53:27 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+# Recipient: age1yubikey1q2mfklp6cectpmkefv6edr9elreeypdzwhpzsnwry9nzjq3epnswstkyq5w
+AGE-PLUGIN-YUBIKEY-1TWUHWQVZPYLV4KGFG23L9
diff --git a/users/infinidoge/password.age b/users/infinidoge/password.age
new file mode 100644
index 0000000..25a8e84
Binary files /dev/null and b/users/infinidoge/password.age differ
diff --git a/users/infinidoge/smtp-personal.age b/users/infinidoge/smtp-personal.age
new file mode 100644
index 0000000..0023e8f
Binary files /dev/null and b/users/infinidoge/smtp-personal.age differ
diff --git a/users/root/default.nix b/users/root/default.nix
index 1d400ba..3ecaf16 100644
--- a/users/root/default.nix
+++ b/users/root/default.nix
@@ -2,14 +2,15 @@ config, lib, pkgs, + secrets, ... }: { users.users.root = { shell = pkgs.zsh; - hashedPasswordFile = lib.mkIf config.modules.secrets.enable config.secrets.root-password; + hashedPasswordFile = lib.mkIf config.modules.secrets.enable secrets.password-root; openssh.authorizedKeys.keys = import ./ssh-keys.nix; }; - home-manager.users.root = { ... }: { }; + age.secrets.password-root.rekeyFile = ./password.age; } diff --git a/users/root/password.age b/users/root/password.age new file mode 100644 index 0000000..d91fb60 --- /dev/null +++ b/users/root/password.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q AooiXHg+vA2jBkxQ00aC81gCRIuo9Xe4c4uOaWCMU4X6 +4Aaaywj9vKAj/cv+yb6gFeiV+ROTeTxnPDrgAO29ODM +-> piv-p256 5utyxg Apti8vz8VE2kLk8pvWIYk0f+AnuHItXpH3x2MDs3iv+0 ++OhtPhXmsLZXimQuAIdB54OD1Qde18ZDVBUsGNafRR8 +-> M_nrH-grease hj"xH( *8 dX] +Ld3SIuXFJqz/gbDEnDxroU188XFJjoRkqHnYWpRLauCpcSbG2kHuKdYKDQ +--- Wp70IAXPdmf99j5ccFzGM8FDfcTl05nz01d5cc0tVgI +4,DXUڛ +Gx( E'(gK&hͽ$E/g{BJQaN,j'3(4jQھ) +[CAJf&Ͱaf ͸~Ր*ݥx9*I \ No newline at end of file
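Review bot: The users/root/default.nix hunk drops `home-manager.users.root = { ... }: { };` while adding the `age.secrets.password-root` entry, and the removal is unrelated to the rekey migration. If a shared home-manager module is applied to every configured user, root no longer receives it, and any evaluation that reads `config.home-manager.users.root` will now fail; I cannot see from the diff whether anything does. Either keep the line or call the removal out in the commit message as its own intentional change.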