diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index 2b26512..7cfef54 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -7,6 +7,7 @@
 package = pkgs.nixFlakes;
 extraOptions = ''
 experimental-features = nix-command flakes
+ secret-key-files = "/etc/nix/cache-priv-key.pem"
 '';
 optimise.automatic = true;
 gc = {
@@ -23,6 +24,24 @@
 config.allowUnfree = true;
 };
+ age.identityPaths = [
+ "/mnt/persist/etc/ssh/ssh_host_ed25519_key"
+ # "/mnt/persist/home/rilla/configs/age/identities/yk_nano"
+ # "/mnt/persist/home/rilla/configs/age/identities/yk_nfc"
+ ];
+
+ age.secrets = with outputs.secrets; {
+ root-passwordfile.file = user-passwordfiles.root;
+ rilla-passwordfile.file = user-passwordfiles.rilla;
+ cache-priv-key = {
+ file = cache-priv-key;
+ mode = "400";
+ owner = "root";
+ group = "root";
+ path = "/etc/nix/cache-priv-key.pem";
+ };
+ };
+
 time.timeZone = "Europe/Madrid";
 # Select internationalisation properties.
@@ -86,15 +105,13 @@
 };
 users.users = {
- root = {
- initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
- };
+ root.passwordFile = config.age.secrets.root-passwordfile.path;
 rilla = {
 uid = 1000;
 isNormalUser = true;
- extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
- initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
+ extraGroups = [ "wheel" ];
+ passwordFile = config.age.secrets.rilla-passwordfile.path;
 };
 dags = {
diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix
index 95e1528..744a7f9 100644
--- a/modules/nixos/desktop/default.nix
+++ b/modules/nixos/desktop/default.nix
@@ -189,7 +189,6 @@
 "/mnt/persist" = {
 directories = [
 "/etc/NetworkManager/system-connections"
- "/etc/nixos"
 "/etc/wireguard"
 "/var/lib/bluetooth"
 "/var/lib/docker"
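Review bot: The key path in the added `secret-key-files = "/etc/nix/cache-priv-key.pem"` line is quoted, and nix.conf values are taken literally (no shell or Nix parsing), so the quotes will most likely end up as part of the filename and signing will not find the key; write `secret-key-files = /etc/nix/cache-priv-key.pem`. The same path is then typed a second time by hand as `age.secrets.cache-priv-key.path` in the next hunk; reading it from the option keeps the two from drifting, e.g. `secret-key-files = ${config.age.secrets.cache-priv-key.path}`, which is the style the `users.users` hunk already uses for the password files. The attribute set holding `package` and `extraOptions` (presumably `nix = { ... }`) starts before this hunk.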
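Review bot: The `age.identityPaths` entry makes activation-time decryption of every secret depend on `/mnt/persist` already being mounted when the agenix activation script runs, and the two YubiKey identities are left commented out so the host key is the only identity; neither fact is explained in the hunk. A short comment above the list, such as `# only the persisted host key is used at activation; /mnt/persist must be mounted before agenix runs`, would save the next reader a failed rebuild. Likewise the `mode = "400"` / `owner = "root"` block for `cache-priv-key` deserves a one-liner noting that the key is read by nix-daemon, which runs as root, so nothing else on the host needs access to it.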
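Review bot: The SHA-512-crypt hash removed from both `root` and `rilla` (`$6$tzMk5I1KZlx7byaO$…`) remains readable in the repository history, so moving it into age-encrypted files only helps if the password behind it is rotated and the new `root.age`/`rilla.age` contain a fresh hash rather than this one; the commit does not say whether that was done. Both users previously shared one hash, so both need rotating. Separately, newer NixOS releases renamed `users.users.<name>.passwordFile` to `hashedPasswordFile` (the old name survives as a warned alias as far as I recall); if the flake input is recent, prefer the new name. The `users.users = { ... }` set continues past the hunk (`dags = {` is still open).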
diff --git a/secrets/cache-priv-key.age b/secrets/cache-priv-key.age
new file mode 100644
index 0000000..a4cda54
Binary files /dev/null and b/secrets/cache-priv-key.age differ
diff --git a/secrets/capibara/ssh_host_ed25519_key.age b/secrets/capibara/ssh_host_ed25519_key.age
index 70fac9e..ddd14ad 100644
Binary files a/secrets/capibara/ssh_host_ed25519_key.age and b/secrets/capibara/ssh_host_ed25519_key.age differ
diff --git a/secrets/default.nix b/secrets/default.nix
index 2093508..464ad0d 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,3 +1,8 @@
 {
 capibara.ssh_host_ed25519_key = ./capibara/ssh_host_ed25519_key.age;
+ user-passwordfiles = {
+ root = ./user-passwordfiles/root.age;
+ rilla = ./user-passwordfiles/rilla.age;
+ };
+ cache-priv-key = ./cache-priv-key.age;
 }
diff --git a/secrets/justfile b/secrets/justfile
new file mode 100644
index 0000000..11d8a4f
--- /dev/null
+++ b/secrets/justfile
@@ -0,0 +1,7 @@
+AGENIX := "agenix --identity /home/rilla/configs/age/identities/yk_nfc"
+
+edit FILE:
+ {{ AGENIX }} --edit {{FILE}}
+
+rekey:
+ {{ AGENIX }} --rekey
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8db351b..154472b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -5,4 +5,7 @@ let
 in {
 "capibara/ssh_host_ed25519_key.age".publicKeys = [ yk_nano yk_nfc capibara ];
+ "user-passwordfiles/root.age".publicKeys = [ yk_nano yk_nfc capibara ];
+ "user-passwordfiles/rilla.age".publicKeys = [ yk_nano yk_nfc capibara ];
+ "cache-priv-key.age".publicKeys = [ yk_nano yk_nfc capibara ];
 }
diff --git a/secrets/user-passwordfiles/rilla.age b/secrets/user-passwordfiles/rilla.age
new file mode 100644
index 0000000..3e41b29
Binary files /dev/null and b/secrets/user-passwordfiles/rilla.age differ
diff --git a/secrets/user-passwordfiles/root.age b/secrets/user-passwordfiles/root.age
new file mode 100644
index 0000000..24a51b7
--- /dev/null
+++ b/secrets/user-passwordfiles/root.age
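Review bot: `AGENIX` hard-codes one user's home directory and one particular YubiKey identity, so the `edit` and `rekey` recipes only work on that machine with that key, although `secrets.nix` lists `yk_nano` as an equally valid recipient. Let the identity come from the environment with the current value as fallback: `AGENIX := "agenix --identity " + env_var_or_default("AGE_IDENTITY", "/home/rilla/configs/age/identities/yk_nfc")`. The recipe line also splices `FILE` into the shell command unquoted, so a path with spaces would split; `{{ AGENIX }} --edit "{{ FILE }}"` is safer and also makes the `{{ }}` spacing consistent within the line.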
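Review bot: The recipient list `[ yk_nano yk_nfc capibara ]` is now copied verbatim for all four secrets, so adding a host or key later means editing every line, and a missed line leaves that secret undecryptable on the host at activation after the next `agenix --rekey`. Bind the list once in the surrounding `let` (which starts before this hunk), e.g. `all = [ yk_nano yk_nfc capibara ];`, and use `.publicKeys = all;` on each entry. A brief comment that `capibara` is the host key and must stay a recipient of every secret it decrypts at activation, including the cache signing key, would document why the host is on the list.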
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 z6g2wA GY/RwkGDxHuwZxYxJ3+eqL4reN2qDrrs9j4E1cP3PWI +67yW3hf+Hweh4r3MZ4IOleuR50Mf3yN+36TIFGMYVS4 +-> piv-p256 dHhT5w A1xwcg+p8VJLMQuRUfJ7xlibmBohxhQbNlGSOL+MvTpX +FdS4SoIb75Iq0fwtWW97wIbbSocfv6jjCz+uwDOu1AI +-> piv-p256 QnOxig Aw18aj0jXnC41YhwUsoXvkOx+dO23jaZN1MRaS1L+vdg +KQL0EqNrrUxqri5IbPer1ca1oExKXRos6fhsTaGoDUE +-> Rn-i,~>t-grease q@@z]Ln O wm ; +7PwT +--- Y13vfwZeRxDaItKvEIfPIUpVTQLXgkE9ZLKVzpG+qds + Úº´jХȭÑ(v±ûȘò^i¿á­?Pž#çp3˜Î=ÝZV„\¦>=W>˜È¼W´kúînº;Âjˆò*Ûáv`F¶0,û:§u¡2öß w³û§rÁ˜5l(ÙÑ+Îþbœ¾În C¡ž¤¨p/dírÙ²¸?Ùä‘g>8e4¿Qnáâ \ No newline at end of file