diff --git a/nixos/homes/tina/stylix.nix b/nixos/homes/tina/stylix.nix
index fe45fe5..d78070b 100644
--- a/nixos/homes/tina/stylix.nix
+++ b/nixos/homes/tina/stylix.nix
@@ -5,7 +5,6 @@ stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-light-medium.yaml";
-
 stylix.fonts = {
 serif = {
 package = pkgs.ubuntu_font_family;
diff --git a/nixos/machines/chungus/network-wireguard.nix b/nixos/machines/chungus/network-wireguard.nix
index 37ec6a6..5af48fe 100644
--- a/nixos/machines/chungus/network-wireguard.nix
+++ b/nixos/machines/chungus/network-wireguard.nix
@@ -1,9 +1,8 @@
 { pkgs, config, ... }: {
- # networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.firewall.allowedUDPPorts = [ 51820 ];
- sops.secrets.wireguard_private = { };
- #boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+
+ clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
 # Enable WireGuard
 networking.wg-quick.interfaces = {
@@ -12,7 +11,7 @@
 wg0 = {
 address = [ "10.100.0.2/32" ];
 listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
- privateKeyFile = config.sops.secrets.wireguard_private.path;
+ privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
 mtu = 1280;
 # server
diff --git a/nixos/machines/cream/wireguard.nix b/nixos/machines/cream/wireguard.nix
index 899ab62..92a22f4 100644
--- a/nixos/machines/cream/wireguard.nix
+++ b/nixos/machines/cream/wireguard.nix
@@ -1,7 +1,7 @@
 { config, ... }: {
 networking.firewall.allowedUDPPorts = [ 51820 ];
- sops.secrets.wireguard_private = { };
+ clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
 # Enable WireGuard
 networking.wg-quick.interfaces = {
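Review bot: The new `clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };` line uses `factsGenerator`, which is not in this module's argument set `{ pkgs, config, ... }`, so it only evaluates if the flake injects it through specialArgs or `_module.args`; naming it explicitly, `{ pkgs, config, factsGenerator, ... }: {`, makes that dependency visible and gives a clear error when it is missing. The same line is repeated verbatim in the cream and orbi hunks, which suggests it belongs in a shared module rather than three copies. Dropping `sops.secrets.wireguard_private = { };` stops deploying the old key but does not remove the private key from the sops store; the stale key material should be deleted there once the generated key is in use.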
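Review bot: `privateKeyFile` now points at a key produced by the facts generator rather than the sops-managed `wireguard_private`, so unless the generator was seeded with the old key this is a key rotation, and every peer's `publicKey` for this host (the `peers` list sits below the hunk, outside view, and the same applies to the cream and orbi hunks) must be updated or handshakes will fail silently. With sops-nix's defaults the old declaration produced a root-owned 0400 file; confirm the fact's secret path is deployed with equally restrictive ownership and mode, since wg-quick reads it as root and nothing else needs to. The `"wireguard.wg0.key"` attribute duplicates the `name = "wg0"` passed to the generator; a local `let wgName = "wg0";` used in both places would keep them from drifting. The `wg0 = {` block continues past the end of the hunk.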
@@ -10,7 +10,7 @@
 wg0 = {
 address = [ "10.100.0.6/32" ];
 listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
- privateKeyFile = config.sops.secrets.wireguard_private.path;
+ privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
 mtu = 1280;
 peers = [
diff --git a/nixos/machines/orbi/network-wireguard.nix b/nixos/machines/orbi/network-wireguard.nix
index 8fdc9c9..c814ef2 100644
--- a/nixos/machines/orbi/network-wireguard.nix
+++ b/nixos/machines/orbi/network-wireguard.nix
@@ -1,7 +1,7 @@
 { pkgs, config, ... }: {
 networking.firewall.allowedUDPPorts = [ 51820 ];
- sops.secrets.wireguard_private = { };
+ clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
 boot.kernel.sysctl."net.ipv4.ip_forward" = true;
 # Enable WireGuard
@@ -11,7 +11,7 @@
 wg0 = {
 address = [ "10.100.0.1/32" ];
 listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
- privateKeyFile = config.sops.secrets.wireguard_private.path;
+ privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
 mtu = 1280;
 postUp = ''
diff --git a/nixos/machines/orbi/social-matrix-terranix.nix b/nixos/machines/orbi/social-matrix-terranix.nix
index 8a1ccd9..5ab0820 100644
--- a/nixos/machines/orbi/social-matrix-terranix.nix
+++ b/nixos/machines/orbi/social-matrix-terranix.nix
@@ -11,13 +11,16 @@ let
 synapse_port = 8008;
 federation_port = 8448;
+
+ shared_secret = config.clanCore.facts.services.matrix_terranix.secret."matrix-synapse.terranix.registration_shared_secret.yml";
+
 matrix_create_user = pkgs.writers.writeBashBin "matrix-create-user-${name}" ''
 ${pkgs.matrix-synapse}/bin/register_new_matrix_user \
 -k $( ${pkgs.gojq}/bin/gojq \
 --yaml-input \
 --raw-output \
 '.registration_shared_secret' \
- ${config.sops.secrets.matrix_shared_secret.path} ) \
+ ${shared_secret.path} ) \
 http://localhost:${toString synapse_port}
 '';
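Review bot: The `-k $( ${pkgs.gojq}/bin/gojq … ${shared_secret.path} )` substitution, which this hunk only repoints at the new secret file, hands the registration shared secret to `register_new_matrix_user` as a command-line argument, where every local user can read it from `/proc/<pid>/cmdline` for the duration of the call. `register_new_matrix_user` can read `registration_shared_secret` from a YAML config file itself, so if the fact file is a YAML document with that top-level key, as the gojq filter implies, the whole gojq call can be replaced by `-c ${shared_secret.path} \`. Whoever runs the script also needs read access to `shared_secret.path`, which with a root-only secret means running it as root; a comment such as `# must run as root: reads the registration secret file` above the `writeBashBin` would save a confusing permission error. The `let` block continues outside the hunk.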
@@ -46,9 +49,10 @@ in
 networking.firewall.allowedTCPPorts = [ 80 443 federation_port ];
 networking.firewall.allowedUDPPorts = [ 80 443 federation_port ];
+ clanCore.facts.services.matrix_terranix = factsGenerator.matrix-synapse { name = "terranix"; };
+ environment.systemPackages = [ matrix_create_user ];
- sops.secrets.matrix_shared_secret.owner = "matrix-synapse";
 users.users.matrix-synapse = {
 isSystemUser = true;
 uid = config.ids.uids.matrix-synapse;
@@ -62,7 +66,7 @@ in
 bindMounts = {
 rootpassword = {
- hostPath = config.sops.secrets.matrix_shared_secret.path;
+ hostPath = shared_secret.path;
 mountPoint = "/run/secrets/matrix-shared-secret";
 isReadOnly = true;
 };
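Review bot: Removing `sops.secrets.matrix_shared_secret.owner = "matrix-synapse";` drops the only statement that made the secret readable by the `matrix-synapse` user, and the replacement `clanCore.facts.services.matrix_terranix = factsGenerator.matrix-synapse { name = "terranix"; };` sets no owner; the `users.users.matrix-synapse` block with its fixed `uid = config.ids.uids.matrix-synapse`, still in the hunk, appears to exist so that uid matches the one reading the file inside the container through the bind mount in the next hunk. Unless the generator itself assigns an owner, the file presumably comes up root-only and synapse in the container will fail to read `/run/secrets/matrix-shared-secret`; either pass the owner through the generator if it accepts one, or set ownership on the secret where it is declared, and add a comment next to the `users.users.matrix-synapse` block such as `# fixed uid: must match the container's matrix-synapse user, which reads the bind-mounted secret`. The attribute set holding these options starts and ends outside the hunk.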