diff --git a/hosts/phantom/invidious.nix b/hosts/phantom/invidious.nix index 60c1dca..d4486d7 100644 --- a/hosts/phantom/invidious.nix +++ b/hosts/phantom/invidious.nix @@ -23,7 +23,7 @@ # "visitor_data": "...", # "po_token": "..." # } - extraSettingsFile = config.age.secrets.phantom-invidious-settings.path; + extraSettingsFile = config.sops.secrets."invidious/settings.json".path; settings = { force_resolve = "ipv6"; db = { @@ -33,8 +33,7 @@ }; }; - age.secrets.phantom-invidious-settings = { - file = ../../secrets/phantom-invidious-settings.age; + sops.secrets."invidious/settings.json" = { mode = "666"; }; } diff --git a/hosts/phantom/mastodon.nix b/hosts/phantom/mastodon.nix index d0dd5d3..e21e874 100644 --- a/hosts/phantom/mastodon.nix +++ b/hosts/phantom/mastodon.nix @@ -14,15 +14,14 @@ host = "lelgenio.com"; fromAddress = "noreply@social.lelgenio.com"; user = "noreply@social.lelgenio.com"; - passwordFile = config.age.secrets.phantom-mastodon-mailer-password.path; + passwordFile = config.sops.secrets."mastodon/smtp-password".path; }; streamingProcesses = 2; extraConfig.SINGLE_USER_MODE = "true"; mediaAutoRemove.olderThanDays = 5; }; - age.secrets.phantom-mastodon-mailer-password = { - file = ../../secrets/phantom-mastodon-mailer-password.age; + sops.secrets."mastodon/smtp-password" = { mode = "400"; owner = "mastodon"; }; diff --git a/hosts/phantom/nextcloud.nix b/hosts/phantom/nextcloud.nix index d95e598..6b8a020 100644 --- a/hosts/phantom/nextcloud.nix +++ b/hosts/phantom/nextcloud.nix @@ -11,7 +11,7 @@ https = true; config = { dbtype = "sqlite"; # TODO: move to single postgres db - adminpassFile = config.age.secrets.phantom-nextcloud.path; + adminpassFile = config.sops.secrets."nextcloud/default-password".path; }; }; 
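Review bot: In the second hunk of hosts/phantom/invidious.nix the migrated `sops.secrets."invidious/settings.json"` keeps `mode = "666"` and sets no `owner`, so the decrypted file is readable and writable by every local account on the host. The comment in the first hunk shows this file carries `visitor_data` and `po_token`, and because it is passed as `extraSettingsFile`, write access presumably also lets any local user alter the settings Invidious loads, not only read them. The mastodon and nextcloud secrets moved in this same commit use `mode = "400"` with an explicit `owner`; the same shape fits here, e.g. `mode = "400"; owner = "<invidious-service-user>";`, once you have confirmed which user the unit reads the file as (not visible in this diff). The enclosing attribute set begins outside the hunk.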
@@ -20,12 +20,9 @@ enableACME = true; }; - age = { - secrets.phantom-nextcloud = { - file = ../../secrets/phantom-nextcloud.age; - mode = "400"; - owner = "nextcloud"; - group = "nextcloud"; - }; + sops.secrets."nextcloud/default-password" = { + mode = "400"; + owner = "nextcloud"; + group = "nextcloud"; }; } diff --git a/hosts/phantom/writefreely.nix b/hosts/phantom/writefreely.nix index 5608c0f..2358981 100644 --- a/hosts/phantom/writefreely.nix +++ b/hosts/phantom/writefreely.nix @@ -12,19 +12,16 @@ nginx.forceSSL = true; host = "blog.lelgenio.com"; admin.name = "lelgenio"; - admin.initialPasswordFile = config.age.secrets.phantom-writefreely.path; + admin.initialPasswordFile = config.sops.secrets."writefreely/password".path; settings.app = { site_name = "Leo's blog"; single_user = true; }; }; - age = { - secrets.phantom-writefreely = { - file = ../../secrets/phantom-writefreely.age; - mode = "400"; - owner = "writefreely"; - group = "writefreely"; - }; + sops.secrets."writefreely/password" = { + mode = "400"; + owner = "writefreely"; + group = "writefreely"; }; } diff --git a/secrets/phantom-invidious-settings.age b/secrets/phantom-invidious-settings.age deleted file mode 100644 index 6ca9077..0000000 --- a/secrets/phantom-invidious-settings.age +++ /dev/null 
@@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -iTcgtxF1IxopbtF+aw7V8IQfH7tWiMk9lE/eWlVHVjeaRvER5W6Y3xZNOFCjtbqY -VwEyV6ibfZ4GJt1jRu2icEH/AnLUJFFGQnxu/K/rtoZ3tqSIk9WCBv3aPo4oZRiU -uaaxi2gD8qo1RLyl/Ij7Djw4i/isUOO1EON5sgx1d39k6qUD4Mak0DSU4EtGdTsr -OaxDAc0kAxhxZQOUH/QlKa0HLonaFcy1LHqvttOcw3UZuZnaYfZiPlcqe3USS9cm -96aIC5cS9pHr4JFrqRYvfpla2TY5jlCB/xBGw3KjGEIQoBPXSsJZA6BCMZyp00++ -tdfS2aomt9HFmb1wZDS0jWAxkVF6nXXBbolFVih+58h0nYLljtHIQ3SizRoXY459 -x3JE9NReHp2OO3SlIeO03Kv8YMBvj7nSSd1C1PMpu+hJ/eCXi1WQxD6QY+40muk6 -KhqE3PZ8BCY2b+VpywUF5gVH28mo3jscqAzhf2dZ3SQlzldI+hFyKPxTdAqkfUOH - ---- cinb+wzjVfTkpfm1CtFIFaepwoQVCj1MquB5rAC45Ew - -6 -ZCHS0 7 EX* qb=OwuP ǖѳ/mv2Vī -xv[̂A~evd0ni1қQ"@ٹ{Kp:ϵusB(Xr[QVgT@*B .hE鲟뒭zlz|k`l88McchZ` ?yeo+M-:/**cZD2&Ǣ e*Hn"~+|ua(6J \ No newline at end of file diff --git a/secrets/phantom-mastodon-mailer-password.age b/secrets/phantom-mastodon-mailer-password.age deleted file mode 100644 index 37232fb..0000000 --- a/secrets/phantom-mastodon-mailer-password.age +++ /dev/null 
@@ -1,13 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -Mnc+/tJ0QqxHkg2nl9gEkz5Oj1RgxtOZnD5gRv66ISUOqZhNm1+F+xVEdKn843/q -/WzH0f1cTF9NXP8vIaEo//bMmp50obJAd+JNovJxV+0gb9L55Nu7ayvK+eyk6j5n -eb8TxUnwh5BPkEyc6akDh/O49GXzLlVoFD6Ik/0f3YCqUDNAYOl2bsssXtevCeK/ -WEPoCFGhZfNUrOo/0eAhiujZZ5zVb0CWNqXi8VTe2eWOE20VJULcN13TEyO3ZePx -bAPBmDfS5GgGlV4INWxVLaIMDrzlm0tYozbBNNUbdLFFOhIOrgvay9RWxdk0u2hJ -MPKoKsJ96EFxrbZJdS0W7a+aZk/Q3A3Civ2rtPx+5UANhmlY8e1lUHa26e1vA4K7 -ApoMtDyCbuZ9FbLurwl9zO64wWP68aKzuyKOIw+wpy41NQ/PcViSY8KNG9Pt7A2N -CcOkByx+rwz+JdNHbOF8O4FFG4fNSWn7SvVtu5ymGgVi1bOd8PdJpjDR+6Is0SX7 - ---- DHNyITb7ZseEV58MOD/zHeH5vff0hhlbKg27rlYECGk -J ssh-rsa BwwxHg -bpGCgyaAPDutva1Gp/YPuek6IZTXJHKb7+oIAV/x+7Ry4Oci9zM2VWvPVE/rPE/d -0AzBX1NvsWBB005w42RfiErk4FQYRCouwNR1FNjUWNdQOmku++RPfxBXspAFIDkQ -yM7mqbhwf5by5rZY+2kl20QxkErkVtZolus1am9RV4uyXfdPaRcKjWOuPiEim42d -YdeCXq4nJGxlL3tRunIqLIZGhV08wHBl7Dubhn9hdD6/ekDk0RloVTBDZUY5tUPL -dJk+bfFPI0DimytzCwyQbWEHOkdiWYSNzbx2JhTSvuqefHP1UzB2LukaQc2gOJFV -mVKvQuGpOWknytMUhM6zCTvRw4OQutAZd96OniQYTas/vnmfT2l2n9aMEzQK157A -U9DmsvhBypILiQSPpA7QrGB1QVuRjAFJA86ASY1FAT6MdBBK4vZ8fK7mpT06JO/n -gwv+UlvFBziWHzA/1GOLrfD+ExjmbeucRZr5XGszrAaK/7GPZt4LF69hRmKegL94 - --> 9I3~SC,<-grease M$2 RibFL]C -uR6MirHtTc4Tyrcw3T2my+BN2Q ---- 56zk9BqgwQqNymga1mUDgpvtfIpMy5i/JnaSXbjx6jk -Qޗ)Nڦߑ-Dz-I-]p$X5TPU=u;k8}wVm= \ No newline at end of file diff --git a/secrets/phantom-renawiki.age b/secrets/phantom-renawiki.age deleted file mode 100644 index cdc2801..0000000 --- a/secrets/phantom-renawiki.age +++ /dev/null 
@@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -BUJ9L1bwZ0RWj3FmMghmZDkY4iuc0gujS3Rfat+hj/pg+MALZ69Tovc5RnqmOZT/ -pTGPTzWj3WO70YU+wCUHKZ74JcKdL3wSD1FWOWYRvyDV3gxZjDTjw4Grs+sH9M4Z -MrhdoyY95fhmGZHJ7Qkx/aKCAK/OaFSu5Vhh37ykmLd1gQ9NJYQ+G3lLr1Mrqjd/ -1QaBqJtJpAFTA0eCd3+oBtQ/qgHD2ZBJcOmkS9sRC6S4YKNoyoDifTbL29aJC4f/ -08myI0WH/ApbtN1hWuiVWibmy/9/76IAvgUqi8fULNY5w7Otz3nKGV+mDA5+oD11 -jCHZJdcec9JFyZ/V2mh/PoHpNawksNPy85eJ0MpM1avM25Qib8kWJM6fnZb7uJzt -DsYCl2q4ILnTaieuTSJUfgacKbrwSv7MQfgdh1SkXAShyZ7aSCoDhsgSdOVwYoAX -Mspm0NtodeV7493qZwYspO6H0xbfh20vXa1DOeMt98T1iP0aYYhfRXkb0wACx1QF - --> \z/RLj3S-grease cmv( uCkG*= .cX3S 9r^& -OVTVTnB3PjD4COiRCtQ ---- EhfDqxfjLIHF9Sa7V4ytO1xsRK8p23WDsWcB9/B9fRw -.=))/͹ҋ#LӉ|p -7 K7@CJf:w6P@@/N7 \ No newline at end of file diff --git a/secrets/phantom/default.yaml b/secrets/phantom/default.yaml index aa133a2..b953bfe 100644 --- a/secrets/phantom/default.yaml +++ b/secrets/phantom/default.yaml 
@@ -10,6 +10,14 @@ example_booleans: - ENC[AES256_GCM,data:lFEC/S8=,iv:cJWbnmseP/AqJzyORM+VI5y7rK8axVeh7EXoLP7mT/Q=,tag:BaS5HyecokdLCq+LzQxGkg==,type:bool] forgejo: smtp_password: ENC[AES256_GCM,data:g/Uqmtp8A9pas5WcslwnGCKSXv7dYSRMA8wKm7DWpvssVRZJ,iv:vNBqdTlZ5mg0AhjMNr8rUts1rDBYmq03tdiceVN3xjs=,tag:M3qfiZEWvJN/XUjjmnAXqA==,type:str] +invidious: + settings.json: ENC[AES256_GCM,data:wzbBnj3qrhw+clHpetEm/FYs+zkMM0kG0JO97E2wPEPaoBZDuOy3BRAbzmwkn4RUEt2hWVN89/A1qweXuuScXt5LSgaQXFXmGQQ2RzXY7K7Pr3uBNol53pnNQI5M6Mi1bif26rdiwznE0QgZCuptadhPcHbCaWB2QrXyYDdTdvQ6Wd+ZueSXPXCjpRnXaqZzTFc5VJf09wqTFahUvVkgjkhgiLVUu218b8xghekJLwJ3bKwmXuXsnmGSQjFry6ttbFPQJawVXWqsiNY7iaE0k1K3NKcTu5Fm2XiriPTKuGM51EXrqaw97ywWN8JEBGxZTk7kcWg2tAf9ddOewYMG,iv:2oDgPdFihZ9O8IkAydL2DtlUtCBUw70u2F2Rn+eW9rs=,tag:zvdZbEdQzbtWgft+i00ufQ==,type:str] +mastodon: + smtp-password: ENC[AES256_GCM,data:ciRTgcCKueSiYerBjWHOD4c9wlpMlcV9jiFaEWFh92vgA6J9,iv:TAaPiMIL8Yfd9k4j9dN40dWqQWAPb+24ngvPC7GTrlE=,tag:+7fGAN7FKiPIWvdsQXGqxg==,type:str] +nextcloud: + default-password: ENC[AES256_GCM,data:mR0KRCheXh6NBVn+odK9Kx0e4njJDuZ6OS37Iw==,iv:PAb/sCt7hq5WKZwr4FMfiMqf7mGvpXQEnZcbzmDz9oI=,tag:ukBDHbFKrStXckzuE1TwJA==,type:str] +writefreely: + password: ENC[AES256_GCM,data:5hzvM8Aitvj4Hb/RgViV1QjsnpQqln0k1nZvEz8Y7vdZvcHo,iv:Wi+pKcGqi09050sitgxt/+hYGF2mlmYC0SDjmqSWPr4=,tag:V0KSBgIV4fgMbxuADVTxrA==,type:str] sops: age: - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h 
@@ -30,8 +38,8 @@ sops: RU1HSUhldHpzeURaUWQvcjBCQ3pMY2cKYL87Njs4e68zu5AXKNF/hxiB3HduS8wz o0kmGI58DZx17+Cdipw0ab9a9wiu9C9Fn+LaiCcdM/ESXtS79RzdbQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-15T06:20:05Z" - mac: ENC[AES256_GCM,data:3S52Sd3qaqHWy5TL8MAq9yOpH7ZYMDUHprJH3JtW1Vs2rNJIm9li7x3RT0mRnct4NYgikyFi9PBghDJsDN/QKxxKfEDm6KWET+okL41/h/KnzJRFqHoG8sxZYnr4NWc1R60A6WdD+xIa6njCwCNLP4hDjHeQuLjhDsvhqSG4dO8=,iv:xsqZB0GaFYN7QhP24Ik602JoBjVnPGEtgKRbIp9a7Pc=,tag:ZfrKyzRn2bd9lY1bvFjZrQ==,type:str] + lastmodified: "2026-02-15T06:46:07Z" + mac: ENC[AES256_GCM,data:lnvq80oOH2pO6AxBbnjNxvz0xcukTFowcxKf24RKFf/ZouRL6uCJEWJwNCoAKCGOHibrztsGHLDL/cgOffv9CTivIYmzbB+9q2MCQNGxrSL7CkWr/mK9xb5Yz1ASvvZxcGB7WmZNVZXvjIr6mdZy50UweHJoit+oDvE03cmG9Bw=,iv:CikhhcnCE9SXpRasZEImUR6vU5cauD4YIplxPYsPo4A=,tag:+QaBv8Nrk40UCYhUskepyw==,type:str] pgp: - created_at: "2025-03-07T22:49:19Z" enc: |- diff --git a/secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age b/secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age deleted file mode 100644 index 03118e3..0000000 --- a/secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age +++ /dev/null @@ -1,13 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -KCVF4Sy49stOeQs2uunYKkvadqeimmWlJ4ucEJxfXy2z+OkkZpixUnWgJEH2nCa4 -NL/F0Wezbqvh+Texl4FlHN8PT2w/d5gdg/L+fI4jBYCvbbiHA4sdUgmXWigY8zrU -5H7Y9mgb1Y174fA6zfTCk2fHmk+KARoV27YrS2fzGoVQiPhnvv8ZT51eF1E+Zs4I -+YtXehxEOqYljJKYJJnF9ElzfNa8nypACGtcjTE8eEq0DlZu2U7qV+QWwQudHbcs -MbFR2VtkHWQaNdK1vVBGND1CMlfshSCqbUzGcexownMiCVSal1RKA2uAWnYdOEc/ -QSR8cKn8QQ5dyPFCqZ8RnlCMUegCVLg5cC0/rlTUD0C/Ti2SRBYTH3HvJjmSNk8k -3LdcNwK4YtG4d1gkqLVjwCM1Yg8I/UICb5nQYclvBz5VQ2drvL/gU/+Vc7Z5KUFI -0G/7uNmeJ16Eky+X9c73ZZxVqm0TzDENE2GzkPhBHEfXBR+4j6m8KKEWxQmA2ZSg - ---- Oq9wU0h90iU/8g1XTNI+LuAg7t09hngj9DCK91V1+pg -χvP}N,Wl ?y0)eVwAiŐSm>DQC-B0V|=X6 W>~-qI% \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0a7abf8..448c1f4 100644 
--- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,9 +2,4 @@ let main_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15"; in { - "phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ]; - "phantom-writefreely.age".publicKeys = [ main_ssh_public_key ]; - "phantom-renawiki.age".publicKeys = [ main_ssh_public_key ]; - "phantom-mastodon-mailer-password.age".publicKeys = [ main_ssh_public_key ]; - "phantom-invidious-settings.age".publicKeys = [ main_ssh_public_key ]; }