diff --git a/assets/ssh/borg_access.pub b/assets/ssh/borg_access.pub new file mode 100644 index 0000000..dec17a2 --- /dev/null +++ b/assets/ssh/borg_access.pub @@ -0,0 +1 @@ +ssh-rsa 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 diff --git a/configs/pepe/borg.nix b/configs/pepe/borg.nix index a7b8855..692cd1f 100644 --- a/configs/pepe/borg.nix +++ b/configs/pepe/borg.nix @@ -7,8 +7,8 @@ allowSubRepos = true; authorizedKeys = [ # todo rename - (lib.fileContents ) - (lib.fileContents ) + (lib.fileContents ../../assets/ssh/borg_access.pub) + (lib.fileContents ../../assets/ssh/card_rsa.pub) ]; }; }; diff --git a/configs/pepe/home-assistant.nix b/configs/pepe/home-assistant.nix index 7d76f67..404217f 100644 --- a/configs/pepe/home-assistant.nix +++ b/configs/pepe/home-assistant.nix @@ -1,6 +1,4 @@ -{ pkgs, config, lib, ... }: -let unstablePkgs = import { }; -in { +{ pkgs, config, lib, ... }: { imports = [ #./home-assistant/mpd.nix @@ -243,9 +241,9 @@ in { services.home-assistant = { enable = true; - package = unstablePkgs.home-assistant; - #package = unstablePkgs.home-assistant.override { - # python3 = unstablePkgs.python37; + package = pkgs.unstable.home-assistant; + #package = pkgs.unstable.home-assistant.override { + # python3 = pkgs.unstable.python37; # extraPackages = python: [ # # todo : check which is still needed # python.netdisco diff --git a/configs/pepe/home-assistant/zigbee2mqtt.nix b/configs/pepe/home-assistant/zigbee2mqtt.nix index e96b528..019093e 100644 --- a/configs/pepe/home-assistant/zigbee2mqtt.nix +++ b/configs/pepe/home-assistant/zigbee2mqtt.nix @@ -2,8 +2,7 @@ # no need to set ZIGBEE2MQTT_DATA anymore assert lib.versionOlder lib.version "21.03"; -let unstable = import { }; -in { +{ imports = [ ./mqtt.nix ./zigbee2mqtt/service.nix 
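Review bot: `package = pkgs.unstable.home-assistant;` in configs/pepe/home-assistant.nix relies on an overlay attribute `pkgs.unstable` that nothing in this commit visibly defines: the pkgs/default.nix hunk later on this page removes the `unstablePkgs = import <...> { }` binding and the rest of that file is outside its hunk. If `import ../../pkgs` (re-enabled in system/all/default.nix) does not expose `unstable`, every `pkgs.unstable.*` reference introduced here (zigbee2mqtt.nix, espeak.nix, taskwarrior.nix) fails to evaluate. A one-line comment at the first use, `# pkgs.unstable comes from the overlay in pkgs/default.nix (nixpkgs-unstable input)` adjusted to where it really lives, would save the next reader the search. The `services.home-assistant` block continues outside the hunk.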
@@ -23,7 +22,7 @@ in { enable = true; #package = pkgs.own_zigbee2mqtt; #package = unstable.zigbee2mqtt; - package = unstable.zigbee2mqtt.overrideAttrs (old: rec { + package = pkgs.unstable.zigbee2mqtt.overrideAttrs (old: rec { version = "1.18.1"; src = pkgs.fetchFromGitHub { owner = "Koenkk"; diff --git a/configs/sternchen/packages.nix b/configs/sternchen/packages.nix index 66e07f7..0b5938d 100644 --- a/configs/sternchen/packages.nix +++ b/configs/sternchen/packages.nix @@ -1,6 +1,4 @@ -{ config, lib, pkgs, ... }: -let unstable = import { }; -in { +{ config, lib, pkgs, ... }: { # overlay included #nixpkgs.overlays = [ (import ) ]; diff --git a/configs/sterni/syncthing.nix b/configs/sterni/syncthing.nix index 23cf351..0e8582d 100644 --- a/configs/sterni/syncthing.nix +++ b/configs/sterni/syncthing.nix @@ -1,5 +1,8 @@ { config, pkgs, lib, ... }: { + sops.secrets.syncthing_cert = { }; + sops.secrets.syncthing_key = { }; + services.syncthing = { enable = true; openDefaultPorts = false; @@ -7,8 +10,8 @@ dataDir = "/home/palo/.syncthing"; configDir = "/home/palo/.syncthing"; declarative = { - cert = toString ; - key = toString ; + cert = toString config.sops.secrets.syncthing_cert.path; + key = toString config.sops.secrets.syncthing_key.path; overrideFolders = true; folders = { diff --git a/configs/workhorse/bepasty.nix b/configs/workhorse/bepasty.nix deleted file mode 100644 index 81227e5..0000000 --- a/configs/workhorse/bepasty.nix +++ /dev/null 
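Review bot: `sops.secrets.syncthing_cert = { };` and `sops.secrets.syncthing_key = { };` in configs/sterni/syncthing.nix take the sops-nix defaults (root-owned, mode 0400), while the `dataDir`/`configDir` under /home/palo suggest the service runs as `palo`. Unless the NixOS module copies the declarative cert and key into configDir as root before dropping privileges, syncthing will not be able to read them; either confirm that copy step or declare `sops.secrets.syncthing_key = { owner = "palo"; };` (and the same for the cert). Keep the mode at 0400 rather than widening it, since the key is the device identity. The `services.syncthing` attribute set continues outside both hunks.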
@@ -1,50 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; -let port = 8000; -in { - - # configure nginx - services.nginx = { - enable = true; - virtualHosts = { - "paste.workhorse.private" = { - locations."/" = { - proxyPass = "http://localhost:${toString port}"; - extraConfig = '' - proxy_set_header Host $host:$server_port; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 90; - proxy_redirect http://localhost:${ - toString port - } https://paste.workhorse.private/; - ''; - }; - }; - }; - }; - - krops.userKeys."bepasty" = { - user = "bepasty"; - source = toString ; - requiredBy = [ "bepasty-server-ingolf-wagner.de-gunicorn.service" ]; - }; - - services.bepasty = { - enable = true; - servers."ingolf-wagner.de" = { - bind = "0.0.0.0:${toString port}"; - secretKeyFile = config.krops.userKeys."bepasty".target; - extraConfig = '' - PERMISSIONS = { - '${ - lib.fileContents - }': 'admin,list,create,read,delete', - } - ''; - }; - }; - -} diff --git a/configs/workhorse/borg.nix b/configs/workhorse/borg.nix index 9de4c76..7e5bda0 100644 --- a/configs/workhorse/borg.nix +++ b/configs/workhorse/borg.nix @@ -5,8 +5,8 @@ quota = "100G"; allowSubRepos = true; authorizedKeys = [ - (lib.fileContents ) - (lib.fileContents ) + (lib.fileContents ../../assets/ssh/borg_access.pub) + (lib.fileContents ../../assets/ssh/card_rsa.pub) ]; }; }; diff --git a/configs/workhorse/configuration.nix b/configs/workhorse/configuration.nix index 1d09de8..f56f504 100644 --- a/configs/workhorse/configuration.nix +++ b/configs/workhorse/configuration.nix @@ -4,7 +4,6 @@ ./hardware-configuration.nix - #./bepasty.nix not working https://github.com/NixOS/nixpkgs/issues/116326 ./gogs.nix ./grafana.nix ./graylog.nix diff --git a/configs/workhorse/jenkins.nix b/configs/workhorse/jenkins.nix index 637b3c5..bdcfab1 100644 --- a/configs/workhorse/jenkins.nix 
+++ b/configs/workhorse/jenkins.nix @@ -4,7 +4,7 @@ with lib; let - library = import { inherit pkgs lib; }; + library = import ../../library { inherit pkgs lib; }; sync-repo = library.jenkins.syncJob; job = library.jenkins.job; diff --git a/configs/workhorse/packages.nix b/configs/workhorse/packages.nix index 9726dcf..b70f348 100644 --- a/configs/workhorse/packages.nix +++ b/configs/workhorse/packages.nix @@ -1,3 +1 @@ -{ config, pkgs, ... }: -let unstable = import { }; -in { environment.systemPackages = with pkgs; [ ]; } +{ config, pkgs, ... }: { environment.systemPackages = with pkgs; [ ]; } diff --git a/configs/workhorse/transmission.nix b/configs/workhorse/transmission.nix index 0283836..60426df 100644 --- a/configs/workhorse/transmission.nix +++ b/configs/workhorse/transmission.nix @@ -131,17 +131,17 @@ in { # notify me when download finished script-torrent-done-enabled = true; - script-torrent-done-filename = - (pkgs.writers.writeBash "torrent-finished" '' - JSON_STRING=$( ${pkgs.jq}/bin/jq -n --arg torrent_name "$TR_TORRENT_NAME" \ - '{text: ":tada: finished : \($torrent_name)", channel: "torrent"}' ) - ${pkgs.curl}/bin/curl \ - --include \ - --request POST \ - --data-urlencode \ - "payload=$JSON_STRING" \ - ${lib.fileContents } - ''); + #script-torrent-done-filename = + # (pkgs.writers.writeBash "torrent-finished" '' + # JSON_STRING=$( ${pkgs.jq}/bin/jq -n --arg torrent_name "$TR_TORRENT_NAME" \ + # '{text: ":tada: finished : \($torrent_name)", channel: "torrent"}' ) + # ${pkgs.curl}/bin/curl \ + # --include \ + # --request POST \ + # --data-urlencode \ + # "payload=$JSON_STRING" \ + # + # ''); }; }; diff --git a/configs/workout/packages.nix b/configs/workout/packages.nix index c0b535b..91dad23 100644 --- a/configs/workout/packages.nix +++ b/configs/workout/packages.nix @@ -1,6 +1,4 @@ -{ config, pkgs, ... }: -let unstable = import { }; -in { +{ config, pkgs, ... }: { # overlay included nixpkgs.overlays = [ (import ) ]; 
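Review bot: Commenting out `script-torrent-done-filename` in configs/workhorse/transmission.nix disables the finished-download notification instead of migrating it, and the same happens to the alerting in system/all/on-failure.nix further down this commit, where `url = lib.fileContents <...>` is dropped and the whole block is commented. Both previously copied a webhook URL into the world-readable Nix store via `lib.fileContents`, so moving the URL out of evaluation is the right direction; reading it at run time in the script, `$(cat ${config.sops.secrets.<webhook-secret>.path})` with a real secret name and a matching `owner`, restores the feature without the store copy. If the features are meant to stay off, a one-line `# disabled: webhook URL moved out of the repo, pending sops secret` says more than the dead block. The `settings` attribute set this sits in continues outside the hunk.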
@@ -24,7 +22,6 @@ in { python3Full jetbrains.pycharm-professional jetbrains.datagrip - #unstable.pypi2nix #nur.repos.mic92.nixos-shell jetbrains.idea-ultimate diff --git a/configurations.nix b/configurations.nix index 94484f5..65dcbb8 100644 --- a/configurations.nix +++ b/configurations.nix @@ -1,4 +1,6 @@ -{ nixosSystem, home-manager, nixpkgs-unstable, ... }: { +{ nixpkgs, home-manager, nixpkgs-unstable, sops-nix, doom-emacs-nix }: +let nixosSystem = nixpkgs.lib.nixosSystem; +in { sterni = nixosSystem { system = "x86_64-linux"; @@ -6,9 +8,14 @@ ./configs/sterni/configuration.nix home-manager.nixosModules.home-manager { + home-manager.users.mainUser = { + imports = [ doom-emacs-nix.hmModule ]; + }; home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; } + sops-nix.nixosModules.sops + { sops.defaultSopsFile = ./secrets/sterni.yaml; } ({ pkgs, ... }: { # defined overlays injected by the nixflake nixpkgs.overlays = [ diff --git a/flake.lock b/flake.lock index b56e24c..7d22ffe 100644 --- a/flake.lock +++ b/flake.lock 
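Review bot: `sops-nix.nixosModules.sops` and `sops.defaultSopsFile = ./secrets/sterni.yaml;` are added only to the `sterni` entry of configurations.nix, yet this commit declares `sops.secrets.*` in system/all/borg-jobs.nix and system/all/tinc.nix, which by their path look shared by every host. A host built without the sops module fails on an undefined `sops` option, and a host with the module but no `tinc_ed25519_key`/`backup_ssh_rsa_private` entry in its sops file fails at activation; the remaining host entries are outside the hunk, so this may already be handled there. Importing the module and setting `defaultSopsFile` per host in one visible place would make the requirement obvious.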
@@ -17,6 +17,44 @@ "type": "github" } }, + "doom-emacs-nix": { + "inputs": { + "doom-emacs": "doom-emacs", + "doom-snippets": "doom-snippets", + "emacs-overlay": "emacs-overlay", + "emacs-so-long": "emacs-so-long", + "evil-markdown": "evil-markdown", + "evil-org-mode": "evil-org-mode", + "evil-quick-diff": "evil-quick-diff", + "explain-pause-mode": "explain-pause-mode", + "flake-utils": "flake-utils", + "nix-straight": "nix-straight", + "nixpkgs": [ + "nixpkgs" + ], + "nose": "nose", + "ob-racket": "ob-racket", + "org": "org", + "org-contrib": "org-contrib", + "org-yt": "org-yt", + "php-extras": "php-extras", + "revealjs": "revealjs", + "rotate-text": "rotate-text" + }, + "locked": { + "lastModified": 1627398156, + "narHash": "sha256-Ru1aV3NuIFXAsvUE3de8KR7xDZOo1GCBJdsWKJn+Ebw=", + "owner": "vlaci", + "repo": "nix-doom-emacs", + "rev": "fee14d217b7a911aad507679dafbeaa8c1ebf5ff", + "type": "github" + }, + "original": { + "owner": "vlaci", + "repo": "nix-doom-emacs", + "type": "github" + } + }, "doom-snippets": { "flake": false, "locked": { @@ -131,11 +169,11 @@ }, "flake-utils": { "locked": { - "lastModified": 1631561581, - "narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=", + "lastModified": 1623875721, + "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=", "owner": "numtide", "repo": "flake-utils", - "rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19", + "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772", "type": "github" }, "original": { @@ -146,11 +184,11 @@ }, "flake-utils_2": { "locked": { - "lastModified": 1623875721, - "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=", + "lastModified": 1631561581, + "narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=", "owner": "numtide", "repo": "flake-utils", - "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772", + "rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19", "type": "github" }, "original": { 
@@ -203,44 +241,6 @@ "type": "github" } }, - "nix-doom-emacs": { - "inputs": { - "doom-emacs": "doom-emacs", - "doom-snippets": "doom-snippets", - "emacs-overlay": "emacs-overlay", - "emacs-so-long": "emacs-so-long", - "evil-markdown": "evil-markdown", - "evil-org-mode": "evil-org-mode", - "evil-quick-diff": "evil-quick-diff", - "explain-pause-mode": "explain-pause-mode", - "flake-utils": "flake-utils_2", - "nix-straight": "nix-straight", - "nixpkgs": [ - "nixpkgs" - ], - "nose": "nose", - "ob-racket": "ob-racket", - "org": "org", - "org-contrib": "org-contrib", - "org-yt": "org-yt", - "php-extras": "php-extras", - "revealjs": "revealjs", - "rotate-text": "rotate-text" - }, - "locked": { - "lastModified": 1627398156, - "narHash": "sha256-Ru1aV3NuIFXAsvUE3de8KR7xDZOo1GCBJdsWKJn+Ebw=", - "owner": "vlaci", - "repo": "nix-doom-emacs", - "rev": "fee14d217b7a911aad507679dafbeaa8c1ebf5ff", - "type": "github" - }, - "original": { - "owner": "vlaci", - "repo": "nix-doom-emacs", - "type": "github" - } - }, "nix-straight": { "flake": false, "locked": { @@ -260,11 +260,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1632291606, - "narHash": "sha256-oEN24XJYAFK9tsD13TzLEizpgQigEfgC6i9x1b/1pVU=", + "lastModified": 1632418649, + "narHash": "sha256-4rZspkiQU7zbsuciRRMgoEPkAF/+FSv2jx/VIPxPVx4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "83413f47809790e4ca012e314e7782adeae36cf2", + "rev": "056a3c1fae30d06d14b171b9023743c21a23ec1a", "type": "github" }, "original": { @@ -276,11 +276,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1632325095, - "narHash": "sha256-KHVVIxhVHq4Wwj4oQPem8/eVkukVKhSPqFKI1o5NrTw=", + "lastModified": 1632411313, + "narHash": "sha256-lekODc44lVo9/0EwGiX6LoEt2KhiPdcfNopealMJ7n4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a930f7da84786807bb105df40e76b541604c3e72", + "rev": "51bcdc4cdaac48535dabf0ad4642a66774c609ed", "type": "github" }, "original": { 
@@ -420,10 +420,10 @@ }, "root": { "inputs": { - "flake-utils": "flake-utils", + "doom-emacs-nix": "doom-emacs-nix", + "flake-utils": "flake-utils_2", "home-manager": "home-manager", "krops": "krops", - "nix-doom-emacs": "nix-doom-emacs", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "secrets": "secrets", @@ -449,7 +449,7 @@ "secrets": { "flake": false, "locked": { - "narHash": "sha256-R8u4x1+HiTKm2j3ytycGiV4UqCKiih+qGd2Pr9icvQY=", + "narHash": "sha256-8e+AsdSyD971rHFL2j2VFxCATO9Oj16Ix8YZIrffd68=", "path": "/home/palo/dev/secrets", "type": "path" }, diff --git a/flake.nix b/flake.nix index 80dbf4f..1dcceac 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,7 @@ flake-utils.url = "github:numtide/flake-utils"; nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - nix-doom-emacs = { + doom-emacs-nix = { url = "github:vlaci/nix-doom-emacs"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -27,7 +27,7 @@ }; outputs = { self, sops-nix, nixpkgs, home-manager, krops, flake-utils - , nix-doom-emacs, nixpkgs-unstable, secrets, ... }: + , doom-emacs-nix, nixpkgs-unstable, secrets, ... }: (flake-utils.lib.eachSystem [ "x86_64-linux" ] (system: let @@ -45,8 +45,7 @@ })) // { nixosConfigurations = import ./configurations.nix { - nixosSystem = nixpkgs.lib.nixosSystem; - inherit home-manager nixpkgs-unstable; + inherit nixpkgs home-manager nixpkgs-unstable sops-nix doom-emacs-nix; }; }; diff --git a/krops.nix b/krops.nix index 72d4580..69fb0e7 100644 --- a/krops.nix +++ b/krops.nix 
@@ -1,13 +1,17 @@ -{ writeCommand, lib, secrets }: +{ pkgs, writeCommand, lib, secrets }: let # command that ensures we use flake.nix during switch - command = targetPath: '' - echo 'nixos-rebuild build --flake ${targetPath} -L --keep-going' - nix-shell \ - -E "with import {}; mkShell { buildInputs = [ git (nixos { nix.package = nixFlakes; }).nixos-rebuild ]; }" \ - --run 'nixos-rebuild build --flake ${targetPath} -L --keep-going' - ''; + command = targetPath: + let + commandLine = + "TMPDIR=/tmp nixos-rebuild build --flake ${targetPath} -L --keep-going"; + in '' + echo '${commandLine}' + nix-shell \ + -E "with import {}; mkShell { buildInputs = [ git (nixos { nix.package = nixFlakes; }).nixos-rebuild ]; }" \ + --run '${commandLine}' + ''; #secrets = name: { # secrets.pass = { @@ -28,9 +32,12 @@ let #}; source = { - secrets.file = "${secrets}/secrets"; assets.file = toString ./assets; + private_assets.pass = { + dir = toString ~/.password-store; + name = "krops/private_assets"; + }; configs.file = toString ./configs; library.file = toString ./library; modules.file = toString ./modules; 
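Review bot: `secrets` remains in the argument set `{ pkgs, writeCommand, lib, secrets }:` of krops.nix although its only visible use, `secrets.file = "${secrets}/secrets";`, is removed in the second hunk; unless it is used further down the file, drop it from the signature and from the call in flake.nix so the `/home/palo/dev/secrets` path input can go too. The added `TMPDIR=/tmp` in `commandLine` has no explanation; a comment such as `# TMPDIR=/tmp: <reason>` records why the default temp dir is not usable for the build. The new `private_assets.pass` source is only materialised on the target at deploy time, which is worth stating next to it since files elsewhere in this commit (system/all/sshd-known-hosts-bootup.nix) now read `../../private_assets/...` at evaluation time. The `let` block continues outside both hunks.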
@@ -62,10 +69,28 @@ let }; in { - sterni = writeCommand "/bin/sterni" { - #source = lib.evalSource [ source (secrets "sterni") desktopSecrets ]; - source = lib.evalSource [ source ]; - target = lib.mkTarget "root@sterni.private"; - inherit command; - }; + sterni = let + system = writeCommand "/bin/system" { + source = lib.evalSource [ source ]; + force = true; + target = lib.mkTarget "root@sterni.private/var/krops"; + inherit command; + }; + network = writeCommand "/bin/secrets" { + source = lib.evalSource [{ + system-connections.pass = { + dir = toString ~/.password-store; + name = "krops/desktop_secrets/network-manager/system-connections"; + }; + }]; + force = true; + target = lib.mkTarget "root@sterni.private/etc/NetworkManager"; + }; + in pkgs.writers.writeBash "/bin/sterni" '' + #echo "deploy network secerts" + #${network}/bin/secrets + + echo "deploy system" + ${system}/bin/system + ''; } diff --git a/modules/programs/browser.nix b/modules/programs/browser.nix index 3f1e0d9..ae2776b 100644 --- a/modules/programs/browser.nix +++ b/modules/programs/browser.nix @@ -7,7 +7,7 @@ with lib; let cfg = config.programs.custom.browser; - library = import { inherit pkgs lib; }; + library = import ../../library { inherit pkgs lib; }; chromiumBin = "${pkgs.chromium}/bin/chromium"; chromeBin = "${pkgs.google-chrome}/bin/google-chrome-stable"; diff --git a/modules/programs/citate.nix b/modules/programs/citate.nix index 91d2264..eed2e49 100644 --- a/modules/programs/citate.nix +++ b/modules/programs/citate.nix @@ -6,7 +6,7 @@ let cfg = config.programs.custom.citate; - library = import { inherit pkgs lib; }; + library = import ../../library { inherit pkgs lib; }; xdotool = "${pkgs.xdotool}/bin/xdotool"; dmenu = "${pkgs.dmenu}/bin/dmenu"; 
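Review bot: `force = true` is set on both `writeCommand` calls in krops.nix; if it bypasses krops' check that the target was previously populated, as it appears to, it is needed for `/etc/NetworkManager` but on `/var/krops` it permanently removes the guard against deploying into an unintended directory — confirm and drop it there once the target exists. The line `#${network}/bin/secrets` is a bash comment but still a Nix interpolation, so the `network` deploy command is built and becomes a runtime dependency of `/bin/sterni` even though it is never executed; remove the interpolation (or the `network` binding) until the network-secret deploy is wanted. Minor: `secerts` in the echo text is a typo.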
@@ -16,8 +16,8 @@ let ${xdotool} - <<<"type -- $( cat ${file} | ${dmenu} -l 10 -i | sed -e "s/\(.*\)/'\1'/" )" ''; - scriptAxel = citateScript (toString ) "axel"; - scriptSiw = citateScript (toString ) "siw"; + scriptAxel = citateScript (toString ../../assets/sprueche-axel) "axel"; + scriptSiw = citateScript (toString ../../assets/sprueche-siw) "siw"; in { diff --git a/modules/programs/espeak.nix b/modules/programs/espeak.nix index 67362ec..dfe3460 100644 --- a/modules/programs/espeak.nix +++ b/modules/programs/espeak.nix @@ -4,9 +4,7 @@ with lib; let - unstable = import { }; - - espeak = unstable.espeak; + espeak = pkgs.unstable.espeak; # can't use bash aliases because programms will not pic it up en_espeak = pkgs.writeShellScriptBin "en-speak" '' diff --git a/modules/programs/taskwarrior.nix b/modules/programs/taskwarrior.nix index e53b228..554bc8f 100644 --- a/modules/programs/taskwarrior.nix +++ b/modules/programs/taskwarrior.nix @@ -5,7 +5,6 @@ with lib; let cfg = config.programs.custom.taskwarrior; - unstable = import { }; taskNextWeek = pkgs.writeShellScriptBin "taskweek" # sh '' @@ -20,9 +19,9 @@ let '' ${pkgs.taskwarrior}/bin/task "$@" ''; - taskwarrior-tui = unstable.taskwarrior-tui; + taskwarrior-tui = pkgs.unstable.taskwarrior-tui; - vit = unstable.vit.overrideAttrs (old: rec { + vit = pkgs.unstable.vit.overrideAttrs (old: rec { name = "vit-${version}"; version = "master"; src = pkgs.fetchgit { diff --git a/modules/programs/vim.nix b/modules/programs/vim.nix index 6bf88bd..c698f38 100644 --- a/modules/programs/vim.nix +++ b/modules/programs/vim.nix 
@@ -128,180 +128,6 @@ let ''; }; - vim-tv-plugin = with lib; - ((rtp: rtp // { inherit rtp; }) (pkgs.write "vim-tv" { - "/syntax/haskell.vim".text = # vim - '' - syn region String start=+\[[[:alnum:]]*|+ end=+|]+ - - hi link ConId Identifier - hi link VarId Identifier - hi link hsDelimiter Delimiter - ''; - "/syntax/nix.vim".text = # vim - '' - "" Quit when a (custom) syntax file was already loaded - "if exists("b:current_syntax") - " finish - "endif - - "setf nix - - " Ref - syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/ - syn match NixINT /\<[0-9]\+\>/ - syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ - syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ - syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/ - syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/ - syn region NixSTRING - \ matchgroup=NixSTRING - \ start='"' - \ skip='\\"' - \ end='"' - syn region NixIND_STRING - \ matchgroup=NixIND_STRING - \ start="'''" - \ skip="'''\('\|[$]\|\\[nrt]\)" - \ end="'''" - - syn match NixOther /[-!+&<>|():/;=.,?\[\]*@]/ - - syn match NixCommentMatch /\(^\|\s\)#.*/ - syn region NixCommentRegion start="/\*" end="\*/" - - hi link NixCode Statement - hi link NixData Constant - hi link NixComment Comment - - hi link NixCommentMatch NixComment - hi link NixCommentRegion NixComment - hi link NixID NixCode - hi link NixINT NixData - hi link NixPATH NixData - hi link NixHPATH NixData - hi link NixSPATH NixData - hi link NixURI NixData - hi link NixSTRING NixData - hi link NixIND_STRING NixData - - hi link NixEnter NixCode - hi link NixOther NixCode - hi link NixQuote NixData - - syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings - syn cluster nix_ind_strings contains=NixIND_STRING - syn cluster nix_strings contains=NixSTRING - - ${concatStringsSep "\n" (mapAttrsToList (name: - { extraStart ? null, lang ? 
name }: - let - startAlts = filter isString [ "/\\* ${name} \\*/" extraStart ]; - sigil = "\\(${concatStringsSep "\\|" startAlts}\\)[ \\t\\r\\n]*"; - # vim - in '' - syn include @nix_${lang}_syntax syntax/${lang}.vim - if exists("b:current_syntax") - unlet b:current_syntax - endif - - syn match nix_${lang}_sigil - \ X${replaceStrings [ "X" ] [ "\\X" ] sigil}\ze\('''\|"\)X - \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING - \ transparent - - syn region nix_${lang}_region_STRING - \ matchgroup=NixSTRING - \ start='"' - \ skip='\\"' - \ end='"' - \ contained - \ contains=@nix_${lang}_syntax - \ transparent - - syn region nix_${lang}_region_IND_STRING - \ matchgroup=NixIND_STRING - \ start="'''" - \ skip="'''\('\|[$]\|\\[nrt]\)" - \ end="'''" - \ contained - \ contains=@nix_${lang}_syntax - \ transparent - - syn cluster nix_ind_strings - \ add=nix_${lang}_region_IND_STRING - - syn cluster nix_strings - \ add=nix_${lang}_region_STRING - - " This is required because containedin isn't transitive. - syn cluster nix_has_dollar_curly - \ add=@nix_${lang}_syntax - '') { - c = { }; - cabal = { }; - diff = { }; - haskell = { }; - python = { }; - lua = { }; - sed.extraStart = ''writeSed[^ \t\r\n]*[ \t\r\n]*"[^"]*"''; - sh.extraStart = concatStringsSep "\\|" [ - '' - write\(A\|Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)'' - "[a-z]*Phase[ \\t\\r\\n]*=" - ]; - yaml = { }; - vim.extraStart = '' - write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"''; - xdefaults = { }; - })} - - " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY. 
- syn clear shVarAssign - - syn region nixINSIDE_DOLLAR_CURLY - \ matchgroup=NixEnter - \ start="[$]{" - \ end="}" - \ contains=TOP - \ containedin=@nix_has_dollar_curly - \ transparent - - syn region nix_inside_curly - \ matchgroup=NixEnter - \ start="{" - \ end="}" - \ contains=TOP - \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly - \ transparent - - syn match NixQuote /'''\($\|\\.\)/he=s+2 - \ containedin=@nix_ind_strings - \ contained - - syn match NixQuote /'''\('\|\\.\)/he=s+1 - \ containedin=@nix_ind_strings - \ contained - - syn match NixQuote /\\./he=s+1 - \ containedin=@nix_strings - \ contained - - syn sync fromstart - - let b:current_syntax = "nix" - - set isk=@,48-57,_,192-255,-,' - ''; - "/syntax/sed.vim".text = # vim - '' - syn region sedBranch - \ matchgroup=sedFunction start="T" - \ matchgroup=sedSemicolon end=";\|$" - \ contains=sedWhitespace - ''; - })); - # active plugins # -------------- extra-runtimepath = with pkgs; @@ -311,7 +137,6 @@ let vimPlugins.airline vimPlugins.vim-nix vimPlugins.xptemplate - vim-tv-plugin ]; # the vimrc diff --git a/modules/system/audio.nix b/modules/system/audio.nix index c8c8190..97d4f3b 100644 --- a/modules/system/audio.nix +++ b/modules/system/audio.nix @@ -7,7 +7,7 @@ let ladspaPath = "${pkgs.ladspaPlugins}/lib/ladspa"; jackScript = - pkgs.writeShellScriptBin "jack" (lib.fileContents ); + pkgs.writeShellScriptBin "jack" (lib.fileContents ../../assets/jack.sh); queueElement = { options = { diff --git a/modules/system/on-failure.nix b/modules/system/on-failure.nix index 91800da..d45c4e7 100644 --- a/modules/system/on-failure.nix +++ b/modules/system/on-failure.nix @@ -46,7 +46,7 @@ let # todo this output must be better mattermostStart = plan: - pkgs.writeDash "on-failure.${plan.name}" '' + pkgs.writers.writeDash "on-failure.${plan.name}" '' ${pkgs.curl}/bin/curl \ --include \ --request POST \ diff --git a/nixos/flake.nix b/nixos/flake.nix deleted file mode 100644 index 865d469..0000000 
--- a/nixos/flake.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - -} diff --git a/pkgs/bitwig-studio/bitwig-studio-environment.nix b/pkgs/bitwig-studio/bitwig-studio-environment.nix index b944523..7805bc5 100644 --- a/pkgs/bitwig-studio/bitwig-studio-environment.nix +++ b/pkgs/bitwig-studio/bitwig-studio-environment.nix @@ -10,8 +10,6 @@ let - unstable = import { }; - # function call # ------------- in (pkgs.buildFHSUserEnv { @@ -74,11 +72,6 @@ in (pkgs.buildFHSUserEnv { wolf-spectrum lsp-plugins - #calf - #carla - #unstable.bshapr - #lv2vst - ]; # multilib packages diff --git a/pkgs/default.nix b/pkgs/default.nix index 30ef974..fd65ea4 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -2,9 +2,7 @@ self: super: -let - callPackage = super.lib.callPackageWith super; - unstablePkgs = import { }; +let callPackage = super.lib.callPackageWith super; in { diff --git a/system/all/borg-jobs.nix b/system/all/borg-jobs.nix index 374e709..fb7f4af 100644 --- a/system/all/borg-jobs.nix +++ b/system/all/borg-jobs.nix @@ -21,6 +21,7 @@ }; config = let + servers = [ { name = "workhorse"; @@ -44,9 +45,12 @@ encryption = { mode = "repokey-blake2"; # todo rename - passCommand = "cat ${toString }"; + # passCommand = "cat ${toString }"; + passCommand = + "cat ${config.sops.secrets.backup_repository_passphrase.path}"; }; - environment.BORG_RSH = "ssh -i ${toString }"; + environment.BORG_RSH = + "ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}"; compression = "auto,lzma"; startAt = "daily"; prune.keep = { @@ -59,6 +63,9 @@ in { + sops.secrets.backup_repository_passphrase = { }; + sops.secrets.backup_ssh_rsa_private = { }; + services.borgbackup.jobs = let setups = map ({ name, host }: { "${name}" = setup host; }) servers; setupAttrs = lib.zipAttrsWith (_: vals: lib.head vals) setups; diff --git a/system/all/default.nix b/system/all/default.nix index c9e0895..ebc0e85 100644 --- a/system/all/default.nix +++ b/system/all/default.nix 
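Review bot: `environment.BORG_RSH = "ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}";` and the new `passCommand` in system/all/borg-jobs.nix read the secrets at run time from the sops path instead of `lib.fileContents`/`toString <...>`, which keeps the passphrase and private key out of the world-readable Nix store. Both secrets are declared with sops-nix defaults (root-owned, 0400), which matches borg jobs running as root; if a job sets `user` elsewhere in the file (outside the hunk) the secrets' `owner` must match. The commented `# passCommand = "cat ${toString }";` line and the `# todo rename` above it are dead now and can be removed.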
@@ -36,7 +36,7 @@ # provide overlays # ----------------- - #nixpkgs.overlays = [ (import ) (import ) ]; + nixpkgs.overlays = [ (import ../../pkgs) ]; # allow un-free # ------------- diff --git a/system/all/on-failure.nix b/system/all/on-failure.nix index bdc0082..1abdc3b 100644 --- a/system/all/on-failure.nix +++ b/system/all/on-failure.nix @@ -1,17 +1,17 @@ -{ lib, ... }: { - on-failure = { - url = lib.fileContents ; - enable = true; - plans = { - tinc_private.name = "tinc.private"; - tinc_retiolum.name = "tinc.retiolum"; - sshd.name = "sshd"; - tor.name = "tor"; - dnsmasq.name = "dnsmasq"; - #backup_on_workhorse.name = "backup.on-workhorse.private"; - #backup_on_workout.name = "backup.on-workout.private"; - #backup_on_porani.name = "backup.on-porani.private"; - syncthing.name = "syncthing"; - }; - }; +{ lib, ... }: +{ + #on-failure = { + # enable = true; + # plans = { + # tinc_private.name = "tinc.private"; + # tinc_retiolum.name = "tinc.retiolum"; + # sshd.name = "sshd"; + # tor.name = "tor"; + # dnsmasq.name = "dnsmasq"; + # #backup_on_workhorse.name = "backup.on-workhorse.private"; + # #backup_on_workout.name = "backup.on-workout.private"; + # #backup_on_porani.name = "backup.on-porani.private"; + # syncthing.name = "syncthing"; + # }; + #}; } diff --git a/system/all/packages.nix b/system/all/packages.nix index f857b09..5f2ee52 100644 --- a/system/all/packages.nix +++ b/system/all/packages.nix @@ -2,14 +2,6 @@ let - pastebin = pkgs.writers.writeDashBin "pastebin" '' - exec ${pkgs.bepasty-client-cli}/bin/bepasty-cli \ - --lifetime 1m \ - --url http://workhorse.private:8000 \ - --pass ${lib.fileContents } \ - "$@" | sed -e s/workhorse.private:8000/paste.ingolf-wagner.de/ - ''; - memoryUsage = pkgs.writers.writeDashBin "memory-total-usage" '' echo " %CPU %MEM MEM : PROCESS" echo "------- ------- ------------- -------" @@ -82,8 +74,6 @@ in { zip unzip - #pastebin # no need - jq miller 
diff --git a/system/all/sshd-known-hosts-bootup.nix b/system/all/sshd-known-hosts-bootup.nix index 3801aba..3ba3693 100644 --- a/system/all/sshd-known-hosts-bootup.nix +++ b/system/all/sshd-known-hosts-bootup.nix @@ -1,15 +1,15 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: with lib; let computers = { workhorse = { - onionId = fileContents ; + onionId = fileContents ../../private_assets/onion_id_workhorse; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/I4JBA1HHTH2xsrEM7xtxkhRDE42lZcBrdBvN46WTx"; }; porani = { - onionId = fileContents ; + onionId = fileContents ../../private_assets/onion_id_porani; publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGFaTRGqMd/rKpyMUP6wVbgiWFOUvUV2qS/B5Xe02UUch/wxR4fTCY+vnzku5K0V/qqJpjYLgHotwZFqO/8lFu4="; }; diff --git a/system/all/sshd.nix b/system/all/sshd.nix index 53e41d3..fc5b615 100644 --- a/system/all/sshd.nix +++ b/system/all/sshd.nix @@ -11,7 +11,7 @@ with lib; tools.enable = true; sshd = { enable = true; - rootKeyFiles = [ (toString ) ]; + rootKeyFiles = [ (toString ../../assets/ssh/card_rsa.pub) ]; }; }; diff --git a/system/all/tinc.nix b/system/all/tinc.nix index 5116385..af20dfe 100644 --- a/system/all/tinc.nix +++ b/system/all/tinc.nix 
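Review bot: `onionId = fileContents ../../private_assets/onion_id_workhorse;` in system/all/sshd-known-hosts-bootup.nix reads the file at evaluation time, so the onion address ends up in the built configuration in the Nix store, unlike the other secrets in this commit that were moved to `config.sops.secrets.<name>.path`. Whether that matters depends on whether the onion ids are meant to stay private, which the `private_assets` name suggests; if so, a sops secret read at activation or a runtime `cat` in the known-hosts script avoids the store copy. `config` is added to the module arguments but no use is visible in the hunk — fine if it is used further down, otherwise drop it. Since `private_assets/` is populated by krops from the password store (krops.nix), evaluating this file on a fresh checkout fails on the missing path; a comment saying so would save confusion.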
@@ -22,24 +22,25 @@ in { LocalDiscovery = yes AutoConnect = yes ''; - privateEd25519KeyFile = toString ; - privateRsaKeyFile = toString ; + privateEd25519KeyFile = + toString config.sops.secrets.tinc_ed25519_key.path; + privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path; hosts = { pepe = { tincIp = "10.243.23.1"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file; }; sterni = { tincIp = "10.243.23.3"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file; }; workhorse = { tincIp = "10.243.23.5"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file; }; workout = { tincIp = "10.243.23.4"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file; }; }; }; 
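Review bot: all four hosts in this hunk of system/all/tinc.nix (pepe, sterni, workhorse, workout) are given the same `publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file;`, whereas the other networks in the file use one `<host>_host_file` per host. Tinc authenticates peers by the key in the host file, so four hosts sharing one either means this path is a placeholder still to be split per host, or a deliberately shared identity; if the latter, a comment such as `# retiolum: all hosts share one host file by design` stops it reading as a copy-paste slip. The private key paths now come from `config.sops.secrets.tinc_*_key.path`; the module arguments are outside the hunk, so make sure `config` is among them.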
@@ -51,31 +52,32 @@ in { LocalDiscovery = yes AutoConnect = yes ''; - privateEd25519KeyFile = toString ; - privateRsaKeyFile = toString ; + privateEd25519KeyFile = + toString config.sops.secrets.tinc_ed25519_key.path; + privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path; hosts = { sternchen = { tincIp = "10.123.42.25"; - # publicKey = lib.fileContents ; - publicKey = lib.fileContents ; + # publicKey = lib.fileContents ../../assets/tinc/sterni_host_file; + publicKey = lib.fileContents ../../assets/tinc/sternchen_host_file; }; sterni = { tincIp = "10.123.42.24"; - # publicKey = lib.fileContents ; - publicKey = lib.fileContents ; + # publicKey = lib.fileContents ../../assets/tinc/sterni_host_file; + publicKey = lib.fileContents ../../assets/tinc/workout_host_file; }; porani = { tincIp = "10.123.42.31"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/porani_host_file; }; workhorse = { tincIp = "10.123.42.21"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/workhorse_host_file; }; sputnik = { realAddress = [ "static.247.134.201.195.clients.your-server.de:721" ]; tincIp = "10.123.42.122"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/sputnik_host_file; }; }; }; 
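Review bot: the `sterni` host in this hunk of system/all/tinc.nix gets `publicKey = lib.fileContents ../../assets/tinc/workout_host_file;` while the `sterni_host_file` line stays commented out, and the same substitution appears in the next hunk for the third network. If sterni really uses workout's tinc key (for example because the machine replaced workout), a one-line comment such as `# sterni reuses the former workout key` documents it; if not, two hosts end up with the same identity on the network and this should be fixed before it reaches the tinc config.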
@@ -85,33 +87,34 @@ in { extraConfig = '' LocalDiscovery = yes ''; - privateEd25519KeyFile = toString ; - privateRsaKeyFile = toString ; + privateEd25519KeyFile = + toString config.sops.secrets.tinc_ed25519_key.path; + privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path; hosts = { workout = { tincIp = "10.23.42.27"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/workout_host_file; }; pepe = { tincIp = "10.23.42.26"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/pepe_host_file; }; sterni = { tincIp = "10.23.42.24"; - # publicKey = lib.fileContents ; - publicKey = lib.fileContents ; + # publicKey = lib.fileContents ../../assets/tinc/sterni_host_file; + publicKey = lib.fileContents ../../assets/tinc/workout_host_file; }; mobi = { tincIp = "10.23.42.23"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/mobi_host_file; }; #porani = { # tincIp = "10.23.42.31"; - # publicKey = lib.fileContents ; + # publicKey = lib.fileContents ../../assets/tinc/porani_host_file; #}; workhorse = { tincIp = "10.23.42.21"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/workhorse_host_file; }; sputnik = { realAddress = [ @@ -121,12 +124,15 @@ in { "static.247.134.201.195.clients.your-server.de:443" ]; tincIp = "10.23.42.122"; - publicKey = lib.fileContents ; + publicKey = lib.fileContents ../../assets/tinc/sputnik_host_file; }; }; }; }; + sops.secrets.tinc_ed25519_key = { }; + sops.secrets.tinc_rsa_key = { }; + # retiolum stuff networking.extraHosts = builtins.readFile (toString "${retiolum}/etc.hosts"); systemd.services."tinc.retiolum" = { diff --git a/system/desktop/audio.nix b/system/desktop/audio.nix index e906680..bdcd85f 100644 --- a/system/desktop/audio.nix +++ b/system/desktop/audio.nix 
@@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - library = import { inherit pkgs lib; }; + library = import ../../library { inherit pkgs lib; }; mixxxBin = pkgs.writeShellScriptBin "mixxx" "${pkgs.mixxx}/bin/mixxx --settingsPath ${config.users.users.mainUser.home}/music-library/mixxx"; diff --git a/system/desktop/default.nix b/system/desktop/default.nix index 1c3a517..f6dcc05 100644 --- a/system/desktop/default.nix +++ b/system/desktop/default.nix @@ -12,7 +12,7 @@ ./dnsmasq.nix ./home-manager.nix ./mail-stuff.nix - ./mc.nix + #./mc.nix ./network.nix ./packages.nix ./pass.nix diff --git a/system/desktop/home-manager.nix b/system/desktop/home-manager.nix index bb68e79..02b74bb 100644 --- a/system/desktop/home-manager.nix +++ b/system/desktop/home-manager.nix @@ -99,8 +99,8 @@ in { programs.htop = { enable = true; - highlightBaseName = true; - treeView = true; + settings.highlight_base_name = true; + settings.tree_view = true; }; xdg.configFile."albert/albert.conf".text = '' @@ -223,7 +223,7 @@ in { }; environment.systemPackages = let - library = import { inherit pkgs lib; }; + library = import ../../library { inherit pkgs lib; }; fixKeyboard = pkgs.writeScriptBin "fix-Keyboard" # sh '' diff --git a/system/desktop/home-manager/doom-emacs.nix b/system/desktop/home-manager/doom-emacs.nix index ed5c81b..c50ee36 100644 --- a/system/desktop/home-manager/doom-emacs.nix +++ b/system/desktop/home-manager/doom-emacs.nix @@ -1,15 +1,5 @@ -{ pkgs, ... }: -let - doom-emacs = pkgs.callPackage (builtins.fetchTarball { - url = "https://github.com/vlaci/nix-doom-emacs/archive/master.tar.gz"; - }) { - doomPrivateDir = ./doom.d; - # Directory containing your config.el init.el - # and packages.el files - }; -in { +{ pkgs, ... }: { home-manager.users.mainUser = { - home.packages = [ doom-emacs ]; home.file.".emacs.d/init.el".text = '' (load "default.el") ''; diff --git a/system/desktop/home-manager/spacemacs.nix b/system/desktop/home-manager/spacemacs.nix index bc90705..229a094 100644 
--- a/system/desktop/home-manager/spacemacs.nix +++ b/system/desktop/home-manager/spacemacs.nix @@ -14,15 +14,12 @@ let ticks = "\"''\""; - unstable = import { }; - in { environment.systemPackages = [ # needed for the SPC p g pkgs.universal-ctags pkgs.nodePackages.tern - #unstable.emacs pkgs.emacs ]; diff --git a/system/desktop/mc.nix b/system/desktop/mc.nix index 141f8c5..413af09 100644 --- a/system/desktop/mc.nix +++ b/system/desktop/mc.nix @@ -327,7 +327,7 @@ in { paths = [ (pkgs.writers.writeDashBin "mc" '' export MC_DATADIR=${ - pkgs.write "mc-ext" { + pkgs.writers.write "mc-ext" { "/mc.ext".link = mcExt; "/sfs.ini".text = ""; } diff --git a/system/desktop/network.nix b/system/desktop/network.nix index 323c57f..6d99911 100644 --- a/system/desktop/network.nix +++ b/system/desktop/network.nix @@ -1,12 +1,6 @@ { config, pkgs, lib, ... }: { - system.custom.wifi = { enable = true; - configurationFile = toString ; system = "networkmanager"; }; - - environment.etc."NetworkManager/system-connections".source = - toString ; - } diff --git a/system/desktop/packages.nix b/system/desktop/packages.nix index a951f6f..3f52f9d 100644 --- a/system/desktop/packages.nix +++ b/system/desktop/packages.nix @@ -4,9 +4,7 @@ with lib; let - unstablePkgs = import { }; - - library = import { inherit pkgs lib; }; + library = import ../../library { inherit pkgs lib; }; allLicenses = let licenses = builtins.map @@ -36,7 +34,7 @@ let ''; #zettlr = unstablePkgs.zettlr; - parseUrl = pkgs.writeBashBin "parseUrl" '' + parseUrl = pkgs.writers.writeBashBin "parseUrl" '' echo "$@" | \ ${pkgs.jq}/bin/jq --raw-input --raw-output ' def parseURL: capture( "^((?[^:/?#]+):)?(//(?(?[^/?#:]*)(:(?[0-9]*))?))?((?[^?#]*)\\?)?((?([^#]*)))?(#(?(.*)))?"); 
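Review bot: `parseUrl` feeds its input through `echo "$@"`, so an argument beginning with `-n` or `-e` is consumed as an option by bash's builtin echo and never reaches jq; `printf '%s\n' "$*"` passes the same line through without that hazard. Separately, the named groups in the `capture(...)` pattern appear here as `(?[^:/?#]+)`, which looks like the `<name>` tokens were stripped by this rendering rather than missing from the file — worth a glance at the checked-in text to confirm. The `parseUrl` definition continues past the end of the hunk.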
@@ -44,7 +42,7 @@ let ' ''; - parseAndCopyLink = pkgs.writeBashBin "parseAndCopyLink" '' + parseAndCopyLink = pkgs.writers.writeBashBin "parseAndCopyLink" '' ${parseUrl}/bin/parseUrl "$@" | \ ${pkgs.jq}/bin/jq --raw-output '"\(.scheme)://\(.domain)\(.path)"' | \ ${pkgs.xclip}/bin/xclip @@ -344,9 +342,9 @@ in { ffmpeg (writeShellScriptBin "shrink-exports" - (fileContents )) + (fileContents ../../assets/shrink_exports)) (writeShellScriptBin "music-making" - (fileContents )) + (fileContents ../../assets/music-making.sh)) replaceLinks youtube-dl diff --git a/system/desktop/wtf.nix b/system/desktop/wtf.nix index 0e94819..eca8dad 100644 --- a/system/desktop/wtf.nix +++ b/system/desktop/wtf.nix @@ -1,8 +1,6 @@ { pkgs, lib, config, ... }: let - unstable = import { }; - networkStatus = let q-online = '' @@ -385,7 +383,7 @@ let createDashboard = { json, name }: let configuration = pkgs.writeText "config.yml" (builtins.toJSON json); in pkgs.writers.writeBashBin name '' - ${unstable.wtf}/bin/wtfutil --config=${toString configuration} + ${pkgs.unstable.wtf}/bin/wtfutil --config=${toString configuration} ''; in { @@ -393,7 +391,7 @@ in { services.upower.enable = true; environment.systemPackages = [ - unstable.wtf + pkgs.unstable.wtf (createDashboard { json = qJson; name = "q"; diff --git a/system/desktop/yubikey.nix b/system/desktop/yubikey.nix index 259d7a5..25542da 100644 --- a/system/desktop/yubikey.nix +++ b/system/desktop/yubikey.nix @@ -1,7 +1,7 @@ # References: # * https://github.com/drduh/YubiKey-Guide # * https://nixos.wiki/wiki/Yubikey -{ pkgs, ... }: { +{ config, pkgs, ... }: { services.pcscd.enable = true; services.udev.packages = [ @@ -50,5 +50,8 @@ # use for pam (sudo) # -------------------------- security.pam.u2f.enable = true; - security.pam.u2f.authFile = toString ; + security.pam.u2f.authFile = + toString config.sops.secrets.yubikey_u2fAuthFile.path; + sops.secrets.yubikey_u2fAuthFile = { }; + } 
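Review bot: `security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;` together with `sops.secrets.yubikey_u2fAuthFile = { };` leaves the mapping file at sops-nix's defaults, presumably root-only; pam_u2f opens the authfile inside the authenticating process, which is root for the `sudo` case the comment above names, so that works, but a PAM service running as the unprivileged user would not be able to read it. A comment beside the declaration such as `# root-only is fine: pam_u2f reads this as root for sudo; other PAM services need owner/mode set` would record that assumption for the next reader. The added blank line before the closing `}` could be dropped.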
diff --git a/system/server/packages.nix b/system/server/packages.nix index f75b3ca..cbdc5f9 100644 --- a/system/server/packages.nix +++ b/system/server/packages.nix @@ -5,7 +5,7 @@ nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config" { flakeIgnore = [ "E265" "E225" "W292" ]; - } (lib.fileContents ); + } (lib.fileContents ../../assets/nginx-show-config.sh); in [ pkgs.mosh