diff --git a/extra-builtins.nix b/extra-builtins.nix
index 6a8b067..7238f6e 100644
--- a/extra-builtins.nix
+++ b/extra-builtins.nix
@@ -1,11 +1,11 @@
 { exec, ... }: {
- secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
+ secrets = exec [ "cat" "/secrets/nixos/default.nix" ] {
 # compress and base64 the file to make it representable in nix,
 # then decompress it back in a derivation (shouldn't there be a better way...)
 copyToStore = pkgs: name: path:
 let archive = exec [ "${pkgs.bash}/bin/bash" "-c" ''
- cd /etc/nixos/private
+ cd /secrets/nixos
 echo '"'"$(
 ${pkgs.gnutar}/bin/tar -I ${pkgs.zstd}/bin/zstd --exclude-vcs \
 --transform='s#'${pkgs.lib.escapeShellArg path}'#!#' \
diff --git a/flake.nix b/flake.nix
index 538ae4f..5878f84 100644
--- a/flake.nix
+++ b/flake.nix
@@ -81,7 +81,7 @@
 # workaround for git flakes not having access to non-checked out files
 else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
 # yes, this is impure, this is a last ditch effort at getting access to secrets
- else import /etc/nixos/private { };
+ else import /secrets/nixos { };
 devPath = priv.devPath or ../.;
 inputs = builtins.mapAttrs (name: input:
diff --git a/system/hardware/bpi-r3/image.sh b/system/hardware/bpi-r3/image.sh
index 8850127..1183e8b 100755
--- a/system/hardware/bpi-r3/image.sh
+++ b/system/hardware/bpi-r3/image.sh
@@ -86,7 +86,7 @@ run mkdir -p "$tmp/out/@/var/log"
 # secrets, we don't want to pass them via the store
 run mkdir -p "$tmp/out/@/secrets"
-run cp -v /etc/nixos/private/wireguard-key "$tmp/out/@/secrets/"
+run cp -v /secrets/nixos/wireguard-key "$tmp/out/@/secrets/"
 run chmod -R 000 "$tmp/out/@/secrets"
 cpr "$rootfs/nix" "$tmp/out/@nix"
diff --git a/system/hosts/nixmsi.nix b/system/hosts/nixmsi.nix
index 5475742..b524d43 100644
--- a/system/hosts/nixmsi.nix
+++ b/system/hosts/nixmsi.nix
@@ -181,6 +181,5 @@
 impermanence.directories = [
 /secrets
- /etc/nixos
 ];
 }
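Review bot: The new `cd /secrets/nixos` inside the `bash -c` script in copyToStore is unchecked, so if the directory is missing or unreadable the tar that follows runs against whatever the current directory happens to be and the archive silently captures the wrong files; change it to `cd /secrets/nixos || exit 1` (or open the script with `set -euo pipefail`). The enclosing copyToStore definition continues past the hunk, and the same unchecked cd existed before the path rename, so this is pre-existing rather than introduced here. The comment above says copyToStore makes the file representable in nix and decompresses it back in a derivation, so the new location is handled by the same mechanism as the old one; the rename in flake.nix and image.sh is the same mechanical path change and needs no separate note.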
diff --git a/system/hosts/server/home.nix b/system/hosts/server/home.nix
index 4bc4c97..eea1204 100644
--- a/system/hosts/server/home.nix
+++ b/system/hosts/server/home.nix
@@ -106,10 +106,7 @@ in {
 nix.settings.allowed-users = [ "nix-serve" "harmonia" ] ++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" ];
 # make sure only hydra has access to this file
 # so normal nix evals don't have access to builtins
- nix.settings.extra-builtins-file = "/etc/nixos/extra-builtins.nix";
- impermanence.directories = lib.mkIf config.services.hydra.enable [
- { directory = /etc/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }
- ];
+ nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";
 nix.settings.allowed-uris = [
 # required for home-manager
 "https://git.sr.ht/~rycee/nmd/"
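Review bot: The removed impermanence entry was the only thing in this hunk giving the extra-builtins file hydra ownership with mode 0700, which is what the retained comment `# make sure only hydra has access to this file` relies on; the new `/secrets/nixos/extra-builtins.nix` location gets no equivalent ownership or mode declaration here. If `/secrets/nixos` is not already restricted elsewhere, that file and the `/secrets/nixos/default.nix` it reads via exec in extra-builtins.nix become reachable by the other `allowed-users` listed on the line above, which is exactly what the comment says must not happen. Consider re-adding a persistence/permission entry such as `{ directory = /secrets/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }`, or extending the comment to state where that restriction now lives.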