diff --git a/hosts/biolimo/.gitattributes b/hosts/biolimo/.gitattributes deleted file mode 100644 index 793fb472..00000000 --- a/hosts/biolimo/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C diff --git a/hosts/biolimo/base.nix b/hosts/biolimo/base.nix deleted file mode 100644 index 51f2e763..00000000 --- a/hosts/biolimo/base.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, pkgs, lib, ... }: -with lib; -let - psCfg = config.pub-solar; - xdg = config.home-manager.users."${psCfg.user.name}".xdg; -in -{ - imports = [ - ./configuration.nix - ]; - - config = { - pub-solar.x-os.keyfile = "/etc/nixos/hosts/biolimo/secrets/keyfile.bin"; - - hardware.cpu.intel.updateMicrocode = true; - - networking.firewall.allowedTCPPorts = [ - 5000 - ]; - - home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable { - "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf; - "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf; - "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf; - "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf; - }; - }; -} diff --git a/hosts/biolimo/biolimo.nix b/hosts/biolimo/biolimo.nix index 25e247c4..820225ea 100644 --- a/hosts/biolimo/biolimo.nix +++ b/hosts/biolimo/biolimo.nix @@ -10,8 +10,6 @@ in ]; config = { - pub-solar.x-os.keyfile = "/etc/nixos/hosts/biolimo/secrets/keyfile.bin"; - hardware.cpu.intel.updateMicrocode = true; networking.firewall.allowedTCPPorts = [ 5000 ]; diff --git a/hosts/biolimo/secrets/keyfile.bin b/hosts/biolimo/secrets/keyfile.bin deleted file mode 100644 index 143d8bcd..00000000 Binary files a/hosts/biolimo/secrets/keyfile.bin and /dev/null differ diff --git a/hosts/chocolatebar/.gitattributes b/hosts/chocolatebar/.gitattributes deleted file mode 100644 index 793fb472..00000000 
--- a/hosts/chocolatebar/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C diff --git a/hosts/chocolatebar/base.nix b/hosts/chocolatebar/base.nix deleted file mode 100644 index 10de4abb..00000000 --- a/hosts/chocolatebar/base.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config, pkgs, lib, ... }: -with lib; -let - psCfg = config.pub-solar; - xdg = config.home-manager.users."${psCfg.user.name}".xdg; -in -{ - imports = [ - ./configuration.nix - ./virtualisation - ]; - - config = { - pub-solar.x-os.keyfile = "keyfile-chocolatebar.bin"; - - pub-solar.virtualisation.isolateGPU = "rx550x"; - - hardware.cpu.amd.updateMicrocode = true; - - hardware.opengl.extraPackages = with pkgs; [ - rocm-opencl-icd - rocm-opencl-runtime - ]; - - home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable { - "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf; - "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf; - "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf; - }; - }; -} diff --git a/hosts/chocolatebar/chocolatebar.nix b/hosts/chocolatebar/chocolatebar.nix index 76175878..0e635619 100644 --- a/hosts/chocolatebar/chocolatebar.nix +++ b/hosts/chocolatebar/chocolatebar.nix @@ -11,8 +11,6 @@ in ]; config = { - pub-solar.x-os.keyfile = "/etc/nixos/hosts/chocolatebar/secrets/keyfile.bin"; - pub-solar.virtualisation.isolateGPU = "rx550x"; hardware.cpu.amd.updateMicrocode = true; diff --git a/hosts/chocolatebar/hardware-configuration.nix b/hosts/chocolatebar/hardware-configuration.nix index 0c623c23..a87bda5c 100644 --- a/hosts/chocolatebar/hardware-configuration.nix +++ b/hosts/chocolatebar/hardware-configuration.nix 
@@ -22,7 +22,7 @@ boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/afcde41f-9811-4ac8-bb7b-a683844acc5c"; - fileSystems."/boot/efi" = + fileSystems."/boot" = { device = "/dev/disk/by-uuid/12FD-62A8"; fsType = "vfat"; diff --git a/hosts/chocolatebar/secrets/.gitkeep b/hosts/chocolatebar/secrets/.gitkeep deleted file mode 100644 index 43bd4fb3..00000000 Binary files a/hosts/chocolatebar/secrets/.gitkeep and /dev/null differ diff --git a/hosts/chocolatebar/secrets/crypto_keyfile.bin b/hosts/chocolatebar/secrets/crypto_keyfile.bin deleted file mode 100644 index ca34df9d..00000000 Binary files a/hosts/chocolatebar/secrets/crypto_keyfile.bin and /dev/null differ diff --git a/hosts/chocolatebar/secrets/hdd_keyfile.bin b/hosts/chocolatebar/secrets/hdd_keyfile.bin deleted file mode 100644 index 2c6b25fe..00000000 Binary files a/hosts/chocolatebar/secrets/hdd_keyfile.bin and /dev/null differ diff --git a/hosts/chocolatebar/secrets/keyfile.bin b/hosts/chocolatebar/secrets/keyfile.bin deleted file mode 100644 index 38577a09..00000000 Binary files a/hosts/chocolatebar/secrets/keyfile.bin and /dev/null differ diff --git a/modules/x-os/boot.nix b/modules/x-os/boot.nix index 176d9d4f..7b24cf17 100644 --- a/modules/x-os/boot.nix +++ b/modules/x-os/boot.nix 
@@ -3,41 +3,19 @@
 let
 cfg = config.pub-solar.x-os;
 in
-with lib; {
- options = {
- pub-solar.x-os.keyfile = mkOption {
- type = types.str;
- description = "Keyfile location";
- };
- };
-
+{
 config = {
 # Enable plymouth for better experience of booting
 boot.plymouth.enable = true;
 
- # Use Keyfile to unlock the root partition to avoid keying in twice.
+ # Mount / luks device in initrd
 # Allow fstrim to work on it.
- age.secrets.luksKeyFile.file = "${self}/secrets/${cfg.keyfile}";
 boot.initrd = {
- secrets = { "/keyfile.bin" = "/run/secrets/${cfg.keyfile}"; };
 luks.devices."cryptroot" = {
- keyFile = "/keyfile.bin";
 allowDiscards = true;
- fallbackToPassword = true;
 };
 };
 
- # Use GRUB with encrypted /boot under EFI env.
- boot.loader = {
- efi.efiSysMountPoint = "/boot/efi";
-
- grub = {
- enable = true;
- version = 2;
- device = "nodev";
- efiSupport = true;
- enableCryptodisk = true;
- };
- };
+ boot.loader.systemd-boot.enable = true;
 };
 }
diff --git a/secrets/.gitattributes b/secrets/.gitattributes
deleted file mode 100644
index 901863e3..00000000
--- a/secrets/.gitattributes
+++ /dev/null
@@ -1,4 +0,0 @@
-* filter=git-crypt diff=git-crypt
-.gitattributes !filter !diff
-secrets.nix !filter !diff
-README.md !filter !diff
diff --git a/secrets/crypto_keyfile-chocolatebar.bin b/secrets/crypto_keyfile-chocolatebar.bin
new file mode 100644
index 00000000..98fb3f9b
Binary files /dev/null and b/secrets/crypto_keyfile-chocolatebar.bin differ
diff --git a/secrets/hdd_keyfile-chocolatebar.bin b/secrets/hdd_keyfile-chocolatebar.bin
new file mode 100644
index 00000000..f48b953a
Binary files /dev/null and b/secrets/hdd_keyfile-chocolatebar.bin differ
diff --git a/secrets/keyfile-biolimo.bin b/secrets/keyfile-biolimo.bin
index 02937d66..4fb69723 100644
Binary files a/secrets/keyfile-biolimo.bin and b/secrets/keyfile-biolimo.bin differ
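Review bot: Replacing the GRUB stanza with `boot.loader.systemd-boot.enable = true;` and dropping `enableCryptodisk` moves the kernel and initrd onto the plain vfat ESP, which the hardware-configuration.nix hunk now mounts at `/boot` instead of `/boot/efi`; the deleted comment `# Use GRUB with encrypted /boot under EFI env.` was the only record of that trade-off, so the new line deserves a replacement such as `# systemd-boot: /boot is the unencrypted ESP, kernel and initrd are outside cryptroot`. The option `pub-solar.x-os.keyfile` is removed from the module here while biolimo.nix and chocolatebar.nix lose their assignments in the same commit; any other host that still sets it will fail evaluation, which is worth checking before merging. With `keyFile` and `fallbackToPassword` gone, cryptroot is passphrase-only in initrd, so the LUKS key slot that held the old keyfile is now dead weight on those hosts and should be removed rather than left enrolled. The surviving `# Allow fstrim to work on it.` now reads as a continuation of the new `# Mount / luks device in initrd` comment although it describes `allowDiscards = true;` further down; moving it next to that line would keep the comments accurate.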
diff --git a/secrets/keyfile-chocolatebar.bin b/secrets/keyfile-chocolatebar.bin
index da78610d..dec7a831 100644
Binary files a/secrets/keyfile-chocolatebar.bin and b/secrets/keyfile-chocolatebar.bin differ
diff --git a/secrets/mopidy.conf b/secrets/mopidy.conf
new file mode 100644
index 00000000..2edbacf9
--- /dev/null
+++ b/secrets/mopidy.conf
@@ -0,0 +1,44 @@
+age-encryption.org/v1
+-> ssh-rsa kFDS0A
+pgJUXnYT0UgB7h8dWOBCIO6OuXwpjmBuQpJBXnI2Zh5X2fiGQVyrrcrm8VSWLHOd
+za9SME+PxcGXDGgwaGpCl8tOh93WRUC0RtNTBmoiyzrfkbQtm9gfnt51JpHscuTc
+wzZ9cxMvtKSNGsCuK5oeX9ZxVgXH5QFomwvADXoy14HacgEOzLTPU6vrPrOonGAG
+kDqYDzf87V2BfPttzONoScsVsFV26EQntxDx5/8Hja4ceOvgBwm2GczUzpgfIRCA
+To+az2B1Y0h/BWMqzRAhobuN/UIQcZAKro4uf8SbpKqPQrON+k1tAE+lrMUFLx1A
+2ZayulT/Partcm6L8Yb0JAn24eXFla52XQ6JyukSbtoqZxEQIcjbM34+KFKMftIA
+M8taZIG2JWyFdHBPO4RAMyGbNpQN5hsDvJWGIJePj4bAxW7GX9JJiT7gg1iCKce3
+SINdaBt4O3RJ49wTGqJtMSJSlfzLf7s4zHx5oaozAEt84h97A2Yt/8Lg1Wmc2Aji
+Q4XG6w8OQ/Fk8E/EeSZ27udMHF94TfQ9mzbKdMJRclLDlKKlxeYA6gea4QYb6GLi
+8tY6qnDpF9jwV7ehehM9KYhJcCLw7MYNwGI6oPmTagZCRhXDYULbmK5gfkspcrZ1
+zZn5yOCwt+MA3U2NfpxNOMs0LvaGU7HOruzyD9DLp+4
+-> ssh-ed25519 TnSWKQ SWZZJeUCYeSkYwIKmrsMa/MUkNK7xIn+213hy6X51Uk
+FDzM+HzDh+5+9RI+gjTPKNT74DPSvxA+CKJpHXSMX5c
+-> ssh-rsa 8daibg
+XthUstyN7tDd/vAw3y6knQWNI1M2GEKGDzvmOXFMgwxUcBUNPZmPnZvTfmUXY81Z
+iF13Lruwid0/4Pb9dcYyyifzoqnNb6SvnzczoUSpqQc6m+6BLX4kSTIN1Pulwt8A
+kWrOekvKy9J7Z2QsW6QKfxB4xaAc+BA9kHOgWWpLTyx2GOm0ksLjUnsd3Zo/xXsc
+JpjuSNcsUM9mCP00RjamX1SwrAc/tRnoOSOD6jmED5M0Xfb7bE2AORUQ3Em8B4iG
+CgaTEXFppZN96+BHOumOP1wAbH7uI0EdQP/SvR+qelCH35C0pSWZ4AuyvT5kvoYL
+CyK6GQ8rVnDrBaWQIj4TPhpB1xVxKd01AZX9ITdhPdTATJFwCcVxoWgCTtjNGaIc
+4GldFh0+nXUUV9spzxFbAhiJwy+PHfNfuJ1gyYMrgLY4mQPhA6ntPeWqZOb20cYZ
+ABl7eHN9AAQnibw6EufkgH/U9v81HlWjbLWedAHNPGAldDF5uNrY+FRiqXWT2Ivb
+9CkU/pUFAAcZs7GwEHTVz2dWsuxthS/P/DhN1YshDmY17gTBEf+40SUATsD1wBV0
+tdmbU3i79djbfXXvazR+hi7qDtKo+zJKCDORSq66J70njl0pwN/QIKGQnKt5sYCm
+3kPTZHrR6ys82MhTFk/C1G4aJjQScTz4buA5UH+0hsE
+-> ssh-ed25519 2Ca8Kg eqyr8Yr3rrWlhCd+TmKsnywFdp1mwt3jZwuJzO0TwzM
+mcfYZGTAebrZY9Ool8sPn25wPiwe6StBUzdVAyEErAE
+-> ssh-rsa 2ggJWw
+h00c7evck2bHux9EhMjLQa1f3O3tReLd65LDJB28jH7SbpT6t8Gxfk9tamGFHg4Z
+lGxkzZjK9xnroBpZv5ikuP+tD7A6A2saDXDnnAw+wHUGv0UO5yzr0HPIvwE1bVR5
+GOW1iqPMHKB2v6NeTaBG1g5TohSYEDDINkQv+Q4NyPhdpX9bGd3biWiBAa1gy3Xp
+XmDwtUfBg9IN+EeQTpC/tc4C1pLd3k7E+5pZDQebfTlvXZ83SH05BpBnpakPWNty
+Pf3s/iMwWBiJ+8GiwQ7c6FjTrr9ImJe8nD6mknWGpsMEQ9wB4Bd9l5RTjpTW9wCo +DNtN8Mo0SGgFXjj/5XO0kMDhDike/GLr6wfD0HVgRP9MtcatvEaezp4RY6NIknjy +F49KFsZWhzqwU2c4VX3ayFGJHcn/TT6o2QL3qZoI6x23ZFHQlXtQjXfhTkXk2qJt +565cgrWzLYV7y+DB5fwaG/+Twlnr8rMQOPwyEnrWylh+AY3H/2/M1qQz2b2UQapl + +-> }L0d&,o-grease QVMP gPkF4&,` +YaavYxfymQIl4xRnz1AZxLAY7+r2R9Mftt9AIk11bEymVtCWhsWtSbnhsq9q+fjm +yYwVUyIh4eeH4oOdz3ssnmB3gg +--- 5VOiRneXGtTtik3m0OJY8zV8Sboh18DIB4eM07M+1Lo +:I{z)-tȫjT0rEYg4wFAS9RQ5c{zjlRAHL yW6l>ߪ}mݿbѱ6*g"}X>WǁTޭ# mi@i:z愲jbc(Ʀ{w(θyԧ`i_C-`PeCȻtS5eZp%QBh4yCdYL. }ɑ^h֮͝.˿G~݌dEoZ=|CO x7,NP %*I%k[|-Te~36!C"ai/kDmì]J>n^OڗMS71P\ ?x\;B#uB$hѵ: \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 38042bb2..bbdc4961 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -5,8 +5,8 @@ let biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo"; biolimo-user = "ssh-rsa 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 ben@biolimo"; - chocolatebar-host = ""; - chocolatebar-user = ""; + chocolatebar-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZT3QrKugNTWNOwYziQnxrT5zFqWQDafWjScDuIpMhN root@chocolatebar"; + chocolatebar-user = "ssh-rsa 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 ben@chocolatebar"; allKeys = [ bbcom @@ -34,5 +34,10 @@ let in { "keyfile-biolimo.bin".publicKeys = biolimoKeys; - "keyfile-chocolatebar.bin".publicKeys = biolimoKeys; + + "keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys; + "crypto_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys; + "hdd_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys; + + "mopidy.conf".publicKeys = allKeys; } diff --git a/users/ben/.gitattributes b/users/ben/.gitattributes deleted file mode 100644 index 793fb472..00000000 --- a/users/ben/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C 
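Review bot: `"mopidy.conf".publicKeys = allKeys;` encrypts a service configuration that only users/ben/home.nix consumes to every key in the list, so each host's root key can decrypt it whether or not that host runs mopidy; restricting it to the keys of the hosts that need it plus the admin user key would follow the per-host pattern used for the keyfiles just above. Re-keying `keyfile-chocolatebar.bin` from `biolimoKeys` to `chocolatebarKeys` only changes the new ciphertext: the earlier blob readable by biolimo's host key remains in git history, so if the intent is to withdraw that access the keyfile contents and the matching LUKS slot need rotating rather than re-encrypting, and the binary change to `secrets/keyfile-chocolatebar.bin` does not show which of the two happened. `chocolatebarKeys` is not defined in this hunk; presumably it is added to the `let` block between the two hunks, which is outside the shown context and should be confirmed.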
diff --git a/users/ben/home.nix b/users/ben/home.nix index 54f0d3e8..8bf73006 100644 --- a/users/ben/home.nix +++ b/users/ben/home.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, self, ... }: with lib; let psCfg = config.pub-solar; @@ -50,5 +50,6 @@ in # xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg; }; - services.mopidy.configuration = mkIf config.pub-solar.audio.enable (builtins.readFile ./secrets/mopidy.conf); + age.secrets.mopidyConf.file = "${self}/secrets/mopidy.conf"; + services.mopidy.extraConfigFiles = [ "/run/secrets/mopidy.conf" ]; } diff --git a/users/ben/secrets/mopidy.conf b/users/ben/secrets/mopidy.conf deleted file mode 100644 index 7aeff482..00000000 Binary files a/users/ben/secrets/mopidy.conf and /dev/null differ
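Review bot: `services.mopidy.extraConfigFiles = [ "/run/secrets/mopidy.conf" ];` hard-codes a path that does not follow from `age.secrets.mopidyConf`: agenix derives the default location from the attribute name (`mopidyConf`, not `mopidy.conf`) under its secrets directory, so unless `age.secrets.mopidyConf.path` is set elsewhere the file will not be where mopidy looks; `services.mopidy.extraConfigFiles = [ config.age.secrets.mopidyConf.path ];` removes the guess. agenix decrypts as root with a restrictive mode by default while the mopidy service runs as its own user, so `owner` and `mode` on the secret probably need setting for the config to be readable; worth verifying on a host. The removed line was guarded by `mkIf config.pub-solar.audio.enable`, whereas the two added lines are unconditional, so the secret is now decrypted and mopidy configured on hosts without audio.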