diff --git a/flake.lock b/flake.lock index 8eaa5e6..6ba24c5 100644 --- a/flake.lock +++ b/flake.lock @@ -16,31 +16,6 @@ "type": "github" } }, - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": [ - "home-manager" - ], - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems" - }, - "locked": { - "lastModified": 1770165109, - "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", - "owner": "ryantm", - "repo": "agenix", - "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "blobs": { "flake": false, "locked": { @@ -155,28 +130,6 @@ "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "demoji": { "inputs": { "advisory-db": "advisory-db", @@ -312,7 +265,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1681202837, @@ -330,7 +283,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1681202837, @@ -363,7 +316,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1681202837, @@ -381,7 +334,7 @@ }, "flake-utils_5": { "inputs": { - "systems": "systems_5" + "systems": "systems_4" }, "locked": { "lastModified": 1681202837, @@ -399,7 +352,7 @@ }, "flake-utils_6": { "inputs": { - "systems": "systems_6" + "systems": "systems_5" }, "locked": { "lastModified": 1681202837, 
@@ -417,7 +370,7 @@ }, "flake-utils_7": { "inputs": { - "systems": "systems_7" + "systems": "systems_6" }, "locked": { "lastModified": 1710146030, @@ -791,7 +744,6 @@ }, "root": { "inputs": { - "agenix": "agenix", "catboy-spinner": "catboy-spinner", "contador-da-viagem": "contador-da-viagem", "demoji": "demoji", @@ -973,21 +925,6 @@ "type": "github" } }, - "systems_7": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "tlauncher": { "inputs": { "flake-utils": "flake-utils_5", diff --git a/flake.nix b/flake.nix index 97c7a6e..f3d6e23 100644 --- a/flake.nix +++ b/flake.nix @@ -22,12 +22,6 @@ plymouth-themes.url = "github:adi1090x/plymouth-themes"; plymouth-themes.flake = false; - agenix = { - url = "github:ryantm/agenix"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.home-manager.follows = "home-manager"; - }; - sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -111,12 +105,10 @@ common_modules = [ { nixpkgs.pkgs = pkgs; } ./system/configuration.nix - ./system/secrets.nix ./system/sops.nix ./system/greetd.nix { login-manager.greetd.enable = desktop == "sway"; } - inputs.agenix.nixosModules.default inputs.sops-nix.nixosModules.default inputs.home-manager.nixosModules.home-manager inputs.disko.nixosModules.disko diff --git a/hosts/monolith/default.nix b/hosts/monolith/default.nix index bf0e98e..0ce3b79 100644 --- a/hosts/monolith/default.nix +++ b/hosts/monolith/default.nix @@ -43,6 +43,8 @@ in package = pkgs.unstable.opentabletdriver; }; + sops.defaultSopsFile = lib.mkForce ../../secrets/monolith/default.yaml; + my.gaming.enable = true; my.nix-ld.enable = true; 
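Review bot: The `lib.mkForce` on `sops.defaultSopsFile` in hosts/monolith/default.nix carries no comment, so a reader cannot tell which definition it overrides or why a plain assignment was not enough. Presumably the shared `./system/sops.nix` listed in `common_modules` sets a repo-wide default; if so, every `sops.secrets.*` declared in shared modules without an explicit `sopsFile` now resolves against `secrets/monolith/default.yaml` on this host, which is worth confirming. I would either add a comment such as `# overrides the default from system/sops.nix; monolith keeps its secrets in its own file`, or have the shared module use `lib.mkDefault` so this override needs no force.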
diff --git a/hosts/monolith/factorio-server.nix b/hosts/monolith/factorio-server.nix index debbc1e..0db1e3a 100644 --- a/hosts/monolith/factorio-server.nix +++ b/hosts/monolith/factorio-server.nix @@ -12,7 +12,7 @@ lan = true; openFirewall = true; admins = [ "lelgenio" ]; - extraSettingsFile = config.age.secrets.factorio-settings.path; + extraSettingsFile = config.sops.secrets."factorio/server-config.json".path; }; systemd.services.factorio = { @@ -43,8 +43,7 @@ wantedBy = [ "timers.target" ]; }; - age.secrets.factorio-settings = { - file = ../../secrets/factorio-settings.age; + sops.secrets."factorio/server-config.json" = { mode = "777"; }; } diff --git a/hosts/phantom/default.nix b/hosts/phantom/default.nix index 1b0d3cb..e32fa95 100644 --- a/hosts/phantom/default.nix +++ b/hosts/phantom/default.nix @@ -8,7 +8,6 @@ { imports = [ inputs.vpsadminos.nixosConfigurations.container - inputs.agenix.nixosModules.default inputs.sops-nix.nixosModules.default ../../system/sops.nix diff --git a/hosts/phantom/forgejo.nix b/hosts/phantom/forgejo.nix index dbb63d3..c7a224b 100644 --- a/hosts/phantom/forgejo.nix +++ b/hosts/phantom/forgejo.nix @@ -42,11 +42,10 @@ in USER = "noreply@git.lelgenio.com"; }; }; - mailerPasswordFile = config.age.secrets.phantom-forgejo-mailer-password.path; + secrets.mailer.PASSWD = config.sops.secrets."forgejo/smtp_password".path; }; - age.secrets.phantom-forgejo-mailer-password = { - file = ../../secrets/phantom-forgejo-mailer-password.age; + sops.secrets."forgejo/smtp_password" = { mode = "400"; owner = "forgejo"; }; diff --git a/hosts/phantom/invidious.nix b/hosts/phantom/invidious.nix index 60c1dca..d4486d7 100644 --- a/hosts/phantom/invidious.nix +++ b/hosts/phantom/invidious.nix @@ -23,7 +23,7 @@ # "visitor_data": "...", # "po_token": "..." # } - extraSettingsFile = config.age.secrets.phantom-invidious-settings.path; + extraSettingsFile = config.sops.secrets."invidious/settings.json".path; settings = { force_resolve = "ipv6"; db = { 
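Review bot: The secret `factorio/server-config.json` is still declared with `mode = "777"` in the second hunk of hosts/monolith/factorio-server.nix, so every local account and service on the host can read and overwrite the decrypted server settings. The migration carries the mode over from the agenix declaration unchanged, and the same applies to `mode = "666"` on `invidious/settings.json` in hosts/phantom/invidious.nix. If the unit runs under a fixed account, `owner = "<service-user>"; mode = "400";` as the forgejo and mastodon declarations use would be enough; if it runs under a systemd dynamic user (not visible here), passing the file through `LoadCredential=` lets it stay root-owned. At minimum, a comment should record why a world-writable secret is required.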
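Review bot: The new key `forgejo/smtp_password` in hosts/phantom/forgejo.nix uses an underscore while the sibling keys introduced by this commit use hyphens (`mastodon/smtp-password`, `nextcloud/default-password`), so the two SMTP passwords are named differently for no visible reason. Renaming later means editing the encrypted file and every reference, so it is cheaper to settle on one form now, e.g. `sops.secrets."forgejo/smtp-password"`. The same hunk also swaps `mailerPasswordFile` for `secrets.mailer.PASSWD`, a module-option change that is independent of the agenix removal and would be easier to bisect as its own commit.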
@@ -33,8 +33,7 @@ }; }; - age.secrets.phantom-invidious-settings = { - file = ../../secrets/phantom-invidious-settings.age; + sops.secrets."invidious/settings.json" = { mode = "666"; }; } diff --git a/hosts/phantom/mastodon.nix b/hosts/phantom/mastodon.nix index d0dd5d3..e21e874 100644 --- a/hosts/phantom/mastodon.nix +++ b/hosts/phantom/mastodon.nix @@ -14,15 +14,14 @@ host = "lelgenio.com"; fromAddress = "noreply@social.lelgenio.com"; user = "noreply@social.lelgenio.com"; - passwordFile = config.age.secrets.phantom-mastodon-mailer-password.path; + passwordFile = config.sops.secrets."mastodon/smtp-password".path; }; streamingProcesses = 2; extraConfig.SINGLE_USER_MODE = "true"; mediaAutoRemove.olderThanDays = 5; }; - age.secrets.phantom-mastodon-mailer-password = { - file = ../../secrets/phantom-mastodon-mailer-password.age; + sops.secrets."mastodon/smtp-password" = { mode = "400"; owner = "mastodon"; }; diff --git a/hosts/phantom/nextcloud.nix b/hosts/phantom/nextcloud.nix index d95e598..6b8a020 100644 --- a/hosts/phantom/nextcloud.nix +++ b/hosts/phantom/nextcloud.nix @@ -11,7 +11,7 @@ https = true; config = { dbtype = "sqlite"; # TODO: move to single postgres db - adminpassFile = config.age.secrets.phantom-nextcloud.path; + adminpassFile = config.sops.secrets."nextcloud/default-password".path; }; }; @@ -20,12 +20,9 @@ enableACME = true; }; - age = { - secrets.phantom-nextcloud = { - file = ../../secrets/phantom-nextcloud.age; - mode = "400"; - owner = "nextcloud"; - group = "nextcloud"; - }; + sops.secrets."nextcloud/default-password" = { + mode = "400"; + owner = "nextcloud"; + group = "nextcloud"; }; } diff --git a/hosts/phantom/writefreely.nix b/hosts/phantom/writefreely.nix index 5608c0f..2358981 100644 --- a/hosts/phantom/writefreely.nix +++ b/hosts/phantom/writefreely.nix 
@@ -12,19 +12,16 @@ nginx.forceSSL = true; host = "blog.lelgenio.com"; admin.name = "lelgenio"; - admin.initialPasswordFile = config.age.secrets.phantom-writefreely.path; + admin.initialPasswordFile = config.sops.secrets."writefreely/password".path; settings.app = { site_name = "Leo's blog"; single_user = true; }; }; - age = { - secrets.phantom-writefreely = { - file = ../../secrets/phantom-writefreely.age; - mode = "400"; - owner = "writefreely"; - group = "writefreely"; - }; + sops.secrets."writefreely/password" = { + mode = "400"; + owner = "writefreely"; + group = "writefreely"; }; } diff --git a/secrets/factorio-settings.age b/secrets/factorio-settings.age deleted file mode 100644 index 77eb8bd..0000000 Binary files a/secrets/factorio-settings.age and /dev/null differ diff --git a/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age b/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age deleted file mode 100644 index 1d7d3ff..0000000 --- a/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age +++ /dev/null @@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -KuJIQzvERsM1zAF4iikbaIMsi4e/vnyx1yq6h9Mzxf6FnXyFRcUgLPVe05krQhJX -0wjv18bI0jxRb8742Ww9i2nU5Tlrok9ol458iye5CPl63fAlVih4/Rkl3IkUIiIz -q/VayGVaIHmpRD2xiEa4L+NXS9N69vVXoubX0oZrB0nPdYJ83gFU9u+CBqqG2EWr -PBjyIvT5i5MDBnPZGOudadIoyeWGfjXEPsQWhQhL9ssi5QOzLXBnTDlxT53bNvHX -2yOFprLDZ+ZONedkxy8OXZpPDYNcgPAIHiqx1E87ftqPIucdeU49AqlPh46wrPC3 -79E2hgSoPvn4poTlJtAD0tIADRGkcEV6wLCylN2lTOUJenUfhLNQ7ok4ITx8MOv3 -IkbWiD9yTMExVBlhc+us+XfBHM8mlWs/zu+18YTy21RM03gzY6lHVZCQPxay2Rof -A505SeZ4Tyhoy0+oLaYv9b+7DJdlhUo/XMaKSibtgJ/2MCtRqmV5ZsnuUIWn1Qsc - --> Vg-grease `tLg-(2z -4EPuRnZmXpoB32r/0GCtskU3HU3h5ic ---- QmKr+zAXnMpWBBBqNm2u954fOu2Zt8Y/kPPdq4UHgZc -{u|uӀ]OmXP34__ -q46mm
\ No newline at end of file
diff --git a/secrets/lelgenio-cachix.age b/secrets/lelgenio-cachix.age
deleted file mode 100644
index af5a250..0000000
Binary files a/secrets/lelgenio-cachix.age and /dev/null differ
diff --git a/secrets/monolith-forgejo-runner-token.age b/secrets/monolith-forgejo-runner-token.age
deleted file mode 100644
index fff63ca..0000000
Binary files a/secrets/monolith-forgejo-runner-token.age and /dev/null differ
diff --git a/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age b/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age
deleted file mode 100644
index 60c5c70..0000000
--- a/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age
+++ /dev/null
@@ -1,13 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa BwwxHg
-YvABDqm9pSLhyLaKLDStuDisPJnaDpHnpTdTU4/xWgD3F4g2WkMymilhabqM+R5S
-hqcSVDxYE2mpPDPIDIMPRlZyw5EBKS6zQYFr7u3fdSMzzhL6pBLUvFtfq40Y3o6C
-LkkkYyWnJisWuTYeBY95H+fbDhqOylbjHP1fhRVwXO85pa4CcRMAWU2pKOIZRb3T
-IuQyE3LOT/vts56q0mgdItJK0gX0NJzXxi+8YdXb2VU5ny6IOBzDL4jUHhi4nfpS
-AmzEZE3ezq4Nxg+txMDQ6ZO+JUhqjCS4XDf5b2Lq6fDenVhFaNYf4HK/fMZHKhKE
-Ac+K5U3CKB7B2Ur+sEdB7AYWOc346bvxZhP16nwCI0ocaquo6WzEa6XA7zfRVC86
-wlTIUVdYKW3e/4AIHFnSXhFNss52kkhOjxcdQpdBb5RgSc/gWel7XFJ3bV17bCmV
-ccCYejBvW+Arpgr9Tl3UfyEbRbGTe7Jbxydsrx5h7gcXOuBYE3x8RGhegiL28wVl
-
---- E11l59lvUhPNzXAYTgVUIIUCgJsEsSDMdnLV6r+qSiA
-ˋ-&I:ڹSa_ztJ!H'C`'u@s':ζ~[0nY-uFe܋`x7D0/×%VޑU
\ No newline at end of file
diff --git a/secrets/monolith-nix-serve-privkey.age b/secrets/monolith-nix-serve-privkey.age
deleted file mode 100644
index 843b433..0000000
Binary files a/secrets/monolith-nix-serve-privkey.age and /dev/null differ
diff --git a/secrets/monolith/default.yaml b/secrets/monolith/default.yaml
index 6b3c1ff..afa1c8f 100644
--- a/secrets/monolith/default.yaml
+++ b/secrets/monolith/default.yaml
@@ -13,6 +13,10 @@ nebula-wopus-vpn:
monolith-key: ENC[AES256_GCM,data:Y8KVQk66dewyeRIF+6HJeufD9EYO55m73LxrtZi4KQU0RbUpsV0eiRMX62rYtw6+uP87f5Tx6kC3fX4+mqNb2ZgDtVvm3/Qnz5Ly112c/h33krNqRpv6pEHRkrS9j01tLkJnxwiyIvq3b03GTAIoCKWgqaaagCXYHArgzRrDIw==,iv:lp3zuD8XWaiJvyxzXHrgpF4qbrCv/uf9l9qyWXVrkkM=,tag:eSlTCa2TrIuga7UUxoloBQ==,type:str]
minio:
root-credentials: ENC[AES256_GCM,data:izDiis6BgAubbe91EUcuwMKrSrYEDQFQbaEGzpdjj3Wlt8Z8gzgvGmYCryAK8GBUMbzQvy0do26xMGMl3LxLWz9bgixixPVFTTg5GhfUJw==,iv:hkrkGz+EpVwkWEMQWBrm2u4Jti7azsDtsTmyouDREug=,tag:mDnOKKBwgKOmsxegKcRhpQ==,type:str]
+nix-serve:
+ private-key: ENC[AES256_GCM,data:xSHNHiLKs5QG92cSR0gNlusRhGjRUcelSvBt/f3+LdLjTtPaYMmiEiUsl43FyaigGkGq4nGDWAgPVJ+bFNpman0F4KwYqoSp5zH07IC9KaXouvudRLMZc8MkpwKKptKebKDlxKfsLt44n3qnV7OPYzSgzA==,iv:yUM/4yCIJqTt04HyXBVe+EMN4NnFkVnVhsUvUlKv2QM=,tag:qAr0UIjWzXH1eEzGCrK5Vg==,type:str]
+factorio:
+ server-config.json: ENC[AES256_GCM,data:qpLNcNjKrlH5IjGsq7ukCPR7G5dfOfN9joM2KZUdKZetZ/mA8ikBSbuBtRxwBQUSB6PcFxDftus704vlOkLcDcc4PT9rnpEiedLng9NkJPZZo2exfozut3N7dhij28c6Jy2uvad1pzAfW78iHI0kJNkDQDD2oW9xoFAZrPDRh5oNLpNn1/iIFoIflyYFctUbcpsDvs+8xHGGM5PQQo0QnZcxfSPY2iT4At1i5WP/Uedonvlw9fNcoOtzP7BhOECuMWUC5W2v2hP2/vcp7M8=,iv:Ln+/4AudJfdJYdkq0xLVF8dyrObzLwhANpTo3WgjUF4=,tag:Rgw4/J016Geiv6FwF5ZaMQ==,type:str]
sops:
age:
- recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
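Review bot: The values added under `nix-serve` and `factorio` are presumably the same plaintexts that lived in the deleted `.age` files, and those files remain in the repository history after this commit. The armoured `.age` files deleted here show an `ssh-rsa` recipient stanza (the binary ones were presumably encrypted to the same recipient), so whoever holds that key and a clone can still decrypt the old copies regardless of the sops recipients listed in this file. If retiring or distrusting that key is part of the reason for the migration, the nix-serve signing key and the Factorio credentials should be rotated rather than only re-encrypted.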
@@ -33,8 +37,8 @@ sops:
aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h
jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-27T15:58:01Z"
- mac: ENC[AES256_GCM,data:8JemHyxdcDjkg++kgBAGpvGZAyGnQhcAOzs58D8EqjJzTWWf4HgF3uD8od5EGu5i1f7IzUBNio57H/0DC7fWZk/vIRM/Xn7DREuXClBGmBsc32H+K0tOKg8hMb11PDGqviw0qj0qwl1Gs0+j8C4OY9qLupTDzsECUgRXBtsD4cU=,iv:vOV25BV/C3hK/D4bKb26Xi0PaiSlJ5t9bN18ZJQnCRs=,tag:1AZyn4Zj1/e/2dhNzcfPqg==,type:str]
+ lastmodified: "2026-02-15T06:33:37Z"
+ mac: ENC[AES256_GCM,data:lYnwpoQuDSRpcPdIoSX3aGssc34UPqj6aZaliXl9XKMu1FMEgKwYXvNGOgs4tV2hBUQvTB4ZhiPT62awEHxzO1CmVdi6eiR9LTP2KetVubvKp8Ps/xoWKl51pG9ubJj+H3rfwAhfbGVZmAb6PKQgY6mnpyutlt/ojCMoKJ4BVwM=,iv:O0MoP+Nb1+nrowX3yfhIY/pjtSbLPV6qHOhDiEfdpzw=,tag:qSA02qKepxJ8p1qpZYN+UQ==,type:str]
pgp:
- created_at: "2025-03-07T22:49:16Z"
enc: |-
diff --git a/secrets/phantom-forgejo-mailer-password.age b/secrets/phantom-forgejo-mailer-password.age
deleted file mode 100644
index 90fbe73..0000000
Binary files a/secrets/phantom-forgejo-mailer-password.age and /dev/null differ
diff --git a/secrets/phantom-invidious-settings.age b/secrets/phantom-invidious-settings.age
deleted file mode 100644
index 6ca9077..0000000
--- a/secrets/phantom-invidious-settings.age
+++ /dev/null
@@ -1,16 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa BwwxHg
-iTcgtxF1IxopbtF+aw7V8IQfH7tWiMk9lE/eWlVHVjeaRvER5W6Y3xZNOFCjtbqY
-VwEyV6ibfZ4GJt1jRu2icEH/AnLUJFFGQnxu/K/rtoZ3tqSIk9WCBv3aPo4oZRiU
-uaaxi2gD8qo1RLyl/Ij7Djw4i/isUOO1EON5sgx1d39k6qUD4Mak0DSU4EtGdTsr
-OaxDAc0kAxhxZQOUH/QlKa0HLonaFcy1LHqvttOcw3UZuZnaYfZiPlcqe3USS9cm
-96aIC5cS9pHr4JFrqRYvfpla2TY5jlCB/xBGw3KjGEIQoBPXSsJZA6BCMZyp00++
-tdfS2aomt9HFmb1wZDS0jWAxkVF6nXXBbolFVih+58h0nYLljtHIQ3SizRoXY459
-x3JE9NReHp2OO3SlIeO03Kv8YMBvj7nSSd1C1PMpu+hJ/eCXi1WQxD6QY+40muk6
-KhqE3PZ8BCY2b+VpywUF5gVH28mo3jscqAzhf2dZ3SQlzldI+hFyKPxTdAqkfUOH
-
---- cinb+wzjVfTkpfm1CtFIFaepwoQVCj1MquB5rAC45Ew
-
-6
-ZCHS07EX*qb=OwuPǖѳ/mv2Vī
-xv[̂A~evd0ni1қQ"@ٹ{Kp:ϵusB(Xr[QVgT@*B.hE鲟뒭zlz|k`l88McchZ` ?yeo+M-:/**cZD2&Ǣe*Hn"~+|ua(6J
\ No newline at end of file
diff --git a/secrets/phantom-mastodon-mailer-password.age b/secrets/phantom-mastodon-mailer-password.age
deleted file mode 100644
index 37232fb..0000000
--- a/secrets/phantom-mastodon-mailer-password.age
+++ /dev/null
@@ -1,13 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa BwwxHg
-Mnc+/tJ0QqxHkg2nl9gEkz5Oj1RgxtOZnD5gRv66ISUOqZhNm1+F+xVEdKn843/q
-/WzH0f1cTF9NXP8vIaEo//bMmp50obJAd+JNovJxV+0gb9L55Nu7ayvK+eyk6j5n
-eb8TxUnwh5BPkEyc6akDh/O49GXzLlVoFD6Ik/0f3YCqUDNAYOl2bsssXtevCeK/
-WEPoCFGhZfNUrOo/0eAhiujZZ5zVb0CWNqXi8VTe2eWOE20VJULcN13TEyO3ZePx
-bAPBmDfS5GgGlV4INWxVLaIMDrzlm0tYozbBNNUbdLFFOhIOrgvay9RWxdk0u2hJ
-MPKoKsJ96EFxrbZJdS0W7a+aZk/Q3A3Civ2rtPx+5UANhmlY8e1lUHa26e1vA4K7
-ApoMtDyCbuZ9FbLurwl9zO64wWP68aKzuyKOIw+wpy41NQ/PcViSY8KNG9Pt7A2N
-CcOkByx+rwz+JdNHbOF8O4FFG4fNSWn7SvVtu5ymGgVi1bOd8PdJpjDR+6Is0SX7
-
---- DHNyITb7ZseEV58MOD/zHeH5vff0hhlbKg27rlYECGk
-J