diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
index 2a918d9..a454669 100644
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
@@ -1,13 +1,14 @@
-{ ... }:
+{ config, ... }:
 {
 services.openssh = {
 enable = true;
 permitRootLogin = "no";
 passwordAuthentication = false;
 challengeResponseAuthentication = false;
- hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+ hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
 kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
 macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ };
 programs.ssh.knownHosts = {
diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix
index 2b87a11..1feacfc 100644
Binary files a/config/hosts/grondahl/data/secrets/secrets.nix and b/config/hosts/grondahl/data/secrets/secrets.nix differ
diff --git a/config/hosts/grondahl/data/secrets/ssh_host_ed25519_key b/config/hosts/grondahl/data/secrets/ssh_host_ed25519_key
new file mode 100644
index 0000000..8e34820
Binary files /dev/null and b/config/hosts/grondahl/data/secrets/ssh_host_ed25519_key differ
diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix
index f8b5aaa..4b3c0c9 100644
--- a/config/hosts/rudiger/configuration.nix
+++ b/config/hosts/rudiger/configuration.nix
@@ -50,6 +50,7 @@
 nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
 };
+
 nix = {
 autoOptimiseStore = true;
 trustedUsers = [
diff --git a/config/hosts/rudiger/data/secrets/secrets.nix b/config/hosts/rudiger/data/secrets/secrets.nix
index a8fc39f..3b435f6 100644
Binary files a/config/hosts/rudiger/data/secrets/secrets.nix and b/config/hosts/rudiger/data/secrets/secrets.nix differ
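Review bot: The `hostKeys` path now comes from `config.secrets.files.ssh_host_ed25519_key.file`, and the matching private keys are added to the repository as `config/hosts/*/data/secrets/ssh_host_ed25519_key`; unless that directory is encrypted at rest (the binary `secrets.nix` files suggest a layer such as git-crypt, but the patch does not show it), everyone with read access to the repository can now impersonate these hosts and the keys should be rotated. Also confirm that `.file` evaluates to the deployed runtime location rather than the repo source path: if the option is a Nix `path` value, interpolating it into `sshd_config` copies the private key into the world-readable Nix store. As I read the NixOS sshd module, its pre-start script runs `ssh-keygen` whenever the file at `path` is missing or empty, so the secret must be in place (root-owned, mode 0600) before `sshd.service` starts or the host will come up with an unmanaged key that presumably no longer matches the `programs.ssh.knownHosts` entries; a comment such as `# Host key is provisioned by the secrets module; sshd must start after it is deployed` on the `hostKeys` line would make that ordering dependency explicit. The `programs.ssh.knownHosts` block begins on the last line of the hunk and continues outside it.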
diff --git a/config/hosts/rudiger/data/secrets/ssh_host_ed25519_key b/config/hosts/rudiger/data/secrets/ssh_host_ed25519_key
new file mode 100644
index 0000000..ed3dbe5
Binary files /dev/null and b/config/hosts/rudiger/data/secrets/ssh_host_ed25519_key differ
diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix
index 2e4c450..b909657 100644
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
@@ -1,75 +1,74 @@
 { config, pkgs, lib, ... }:
 {
- imports = [
- ./hardware-configuration.nix
- ../../common/services/ssh.nix
+ imports = [
+ ./hardware-configuration.nix
+ ../../common/services/ssh.nix
 ../../common/users.nix
- ./services/acme.nix
- ./services/coturn.nix
- ./services/nginx.nix
- ./services/postgres.nix
- ./services/synapse.nix
- ./services/ttrss.nix
- ./services/gitea.nix
- ./services/restic.nix
- ./services/vaultwarden.nix
+ ./services/acme.nix
+ ./services/coturn.nix
+ ./services/nginx.nix
+ ./services/postgres.nix
+ ./services/synapse.nix
+ ./services/ttrss.nix
+ ./services/gitea.nix
+ ./services/restic.nix
+ ./services/vaultwarden.nix
 ./services/wireguard.nix
- ./data/secrets/secrets.nix
- ];
+ ./data/secrets/secrets.nix
+ ];
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/sda";
- boot.kernelPackages = pkgs.linuxPackages_5_10;
- boot.supportedFilesystems = ["zfs"];
- services.zfs.autoSnapshot.enable = true;
- services.zfs.autoScrub.enable = true;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+ boot.kernelPackages = pkgs.linuxPackages_5_10;
+ boot.supportedFilesystems = ["zfs"];
+ services.zfs.autoSnapshot.enable = true;
+ services.zfs.autoScrub.enable = true;
- networking.hostName = "wind";
- networking.hostId = "929e7fb7";
- time.timeZone = "Europe/Copenhagen";
- networking.useDHCP = false;
- networking.interfaces.ens3.useDHCP = true;
- networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; } ];
- networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+ networking.hostName = "wind";
+ networking.hostId = "929e7fb7";
+ time.timeZone = "Europe/Copenhagen";
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+ networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; } ];
+ networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+ users.users.deploy-web = {
+ isNormalUser = true;
+ extraGroups = [ "nginx" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
+ ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ htop
+ iotop
+ dig
+ ];
+
+ nix = {
+ autoOptimiseStore = true;
+ trustedUsers = [
+ "root"
+ "@wheel"
+ ];
+ };
- users.users.deploy-web = {
- isNormalUser = true;
- extraGroups = [ "nginx" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
- ];
- };
+ # Use hetzner firewall instead
+ networking.firewall.enable = false;
+ # networking.firewall.allowedTCPPorts = [ 22 80 443 3478 5349 ];
+ # networking.firewall.allowedUDPPorts = [ 3478 5349 ]
+ # networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
- security.sudo.wheelNeedsPassword = false;
+ users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
+ users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
- environment.systemPackages = with pkgs; [
- vim
- htop
- iotop
- dig
- ];
-
- nix = {
- autoOptimiseStore = true;
- trustedUsers = [
- "root"
- "@wheel"
- ];
- };
-
-
- # Use hetzner firewall instead
- networking.firewall.enable = false;
- # networking.firewall.allowedTCPPorts = [ 22 80 443 3478 5349 ];
- # networking.firewall.allowedUDPPorts = [ 3478 5349 ]
- # networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
-
- users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
- users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
-
- system.stateVersion = "21.05";
+ system.stateVersion = "21.05";
 }
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix
index 75790f5..5592aaf 100644
Binary files a/config/hosts/wind/data/secrets/secrets.nix and b/config/hosts/wind/data/secrets/secrets.nix differ
diff --git a/config/hosts/wind/data/secrets/ssh_host_ed25519_key b/config/hosts/wind/data/secrets/ssh_host_ed25519_key
new file mode 100644
index 0000000..bdb47e8
Binary files /dev/null and b/config/hosts/wind/data/secrets/ssh_host_ed25519_key differ
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
index e00fe14..32b4231 100644
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
@@ -5,10 +5,10 @@
 "homepage": "https://github.com/nmattia/niv",
 "owner": "nmattia",
 "repo": "niv",
- "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c",
- "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm",
+ "rev": "9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a",
+ "sha256": "1ajyqr8zka1zlb25jx1v4xys3zqmdy3prbm1vxlid6ah27a8qnzh",
 "type": "tarball",
- "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz",
+ "url": "https://github.com/nmattia/niv/archive/9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixos-hardware": {
@@ -17,10 +17,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "46df95ca81e7e4cf3458cdb4b7d1714b5fce9da5",
- "sha256": "0rxff15a2z9hcs4xkaymdwgqlkjxvyyylcg66qhi23lia995f2ga",
+ "rev": "c361b954759195c2ac085fbbed5ad7d513e1585b",
+ "sha256": "0grx60c7qhidnna8d5i6mq4mymwpq8rlkrl275dgchv5yfy451js",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixos-hardware/archive/46df95ca81e7e4cf3458cdb4b7d1714b5fce9da5.tar.gz",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/c361b954759195c2ac085fbbed5ad7d513e1585b.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
@@ -29,10 +29,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c6019d8efb5530dcf7ce98086b8e091be5ff900a",
- "sha256": "1havpwch8wkbhw0y2q3rnx4z0dz66msxb1agynrgvkw4qmm2hbpj",
+ "rev": "c28fb0a4671ff2715c1922719797615945e5b6a0",
+ "sha256": "1qzvhxcsxb6s410xlfs4ggcvm1xbbd4jrazy6cpxc1rkrxbyz0kk",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/c6019d8efb5530dcf7ce98086b8e091be5ff900a.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/c28fb0a4671ff2715c1922719797615945e5b6a0.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
@@ -41,10 +41,10 @@
 "homepage": "",
 "owner": "Infinisil",
 "repo": "nixus",
- "rev": "817ef8a9a9e37e9fbf414507daaf8e477640e1c7",
- "sha256": "1lrns4lm7kskg7vcdw3m3kpwn669q7qbrmj8n24399ghr699v70h",
+ "rev": "60ea7eb5e18d58ac7742234855b7192112fd4049",
+ "sha256": "0c9jkhd6xmgaw2gzbcsf7k1p42sn8dyhla71x1bp902mnfdgjsxx",
 "type": "tarball",
- "url": "https://github.com/Infinisil/nixus/archive/817ef8a9a9e37e9fbf414507daaf8e477640e1c7.tar.gz",
+ "url": "https://github.com/Infinisil/nixus/archive/60ea7eb5e18d58ac7742234855b7192112fd4049.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }