diff --git a/hosts/ni/default.nix b/hosts/ni/default.nix index 9e143e4b..4c2e4cee 100644 --- a/hosts/ni/default.nix +++ b/hosts/ni/default.nix @@ -17,6 +17,13 @@ }) ]; + services.openssh.hostKeys = [{ + path = config.sops.secrets.ssh-key.path; + type = "ed25519"; + }]; + sops.secrets.ssh-key.sopsFile = ./secrets/secrets.yaml; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" @@ -67,7 +74,9 @@ ]; # This is needed for shell integration and applying semantic zones. - environment.profiles = [ pkgs.wezterm ]; + environment.extraInit = '' + source ${pkgs.wezterm}/etc/profiles.d/wezterm.sh + ''; # Enable Guix service. services.guix-binary.enable = true; @@ -85,13 +94,6 @@ longitude = 121.0; }; - # The global useDHCP flag is deprecated, therefore explicitly set to false here. - # Per-interface useDHCP will be mandatory in the future, so this generated config - # replicates the default behaviour. - networking.useDHCP = false; - networking.interfaces.enp1s0.useDHCP = true; - networking.interfaces.wlp2s0.useDHCP = true; - # Some programs need SUID wrappers, can be configured further or are # started in user sessions. programs.mtr.enable = true; @@ -109,12 +111,6 @@ }]; }; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.11"; # Did you read the comment? + system.stateVersion = "22.11"; # Yes! I read the comment! } diff --git a/hosts/ni/hardware-configuration.nix b/hosts/ni/hardware-configuration.nix index d05eb609..17732b18 100644 --- a/hosts/ni/hardware-configuration.nix 
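Review bot: In the first hunk of hosts/ni/default.nix, the only ed25519 entry in `services.openssh.hostKeys` is now the decrypted secret's own path. As far as I know, sops-nix by default derives age identities from those entries, so the default and the secret would point at each other. Adding `sops.age.sshKeyPaths = [ ];` and `sops.gnupg.sshKeyPaths = [ ];` next to `sops.age.keyFile` would make it explicit that decryption depends only on the key file. Nothing in this diff creates `/var/lib/sops-nix/key.txt`, so a comment such as `# age identity is provisioned out of band (root-only) and must exist before the first activation` would document the bootstrap step. Without that file the host key secret presumably cannot be decrypted.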
+++ b/hosts/ni/hardware-configuration.nix @@ -7,7 +7,7 @@ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = - [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; @@ -24,6 +24,10 @@ swapDevices = [{ label = "swap"; }]; + networking.useDHCP = false; + networking.interfaces.enp1s0.useDHCP = true; + networking.interfaces.wlp2s0.useDHCP = true; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; hardware.cpu.intel.updateMicrocode = lib.mkDefault true; } diff --git a/hosts/ni/host-key.pub b/hosts/ni/host-key.pub new file mode 100644 index 00000000..34be10c5 --- /dev/null +++ b/hosts/ni/host-key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ4X7YXsEmMW3jP2dfU9l/KrF9jUZqN0sVXSvkag8VFH root@ni diff --git a/hosts/ni/secrets/secrets.yaml b/hosts/ni/secrets/secrets.yaml new file mode 100644 index 00000000..e3e30c54 --- /dev/null +++ b/hosts/ni/secrets/secrets.yaml 
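Review bot: In the `@@ -7,7 +7,7 @@` hunk of hardware-configuration.nix, `usbhid` is dropped from `boot.initrd.availableKernelModules` while `uas` is added, so a USB keyboard may no longer work in stage 1. That matters if the machine ever needs a disk passphrase or an emergency shell typed in the initrd; the visible lines do not show whether it does. Unless the removal is deliberate, keeping both is the safer list: `[ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "uas" "sd_mod" ]`. If it is deliberate, a one-line comment saying why would help the next reader.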
@@ -0,0 +1,21 @@
+ssh-key: ENC[AES256_GCM,data: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,iv:UaWomy2e/WE0jYAkblGoZDOEEPtQpaIiGawMh8q4Emk=,tag:kS1rafdiqkyMEbdPj+TdqA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1dm9xugju4q5gx0zty8ckw655ea904c64gv9qw9fn3lu507ck8uzsag59y8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RTRLNUNQTHZkQTMzaTgv
+ b2VHQ0JqSDJ3M1VDd0tQaGtmSXZ0VnNSckJNCkNMOStmSW4rM1JhSElJUHN2dklj
+ S0ZRaC9XTmFtRWZvTndpT3BEM0U0NkkKLS0tIEVUYkIrbEhNblNWUnE2K2piSVI2
+ eEV0YWkyWHlIRmxhZjNYU3kzNlN3alkKDbMlrB1MkJ8145OcXyOhQLjLkKhrI/Vm
+ ba7etZO7hqWwajWgEhFGNexI6QuQwgUU3zIOc//zPp8P7nNySfWOww==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-07-18T13:08:34Z"
+ mac: ENC[AES256_GCM,data:Q3vlqrnYzjhdrqy6zWBTAU6IHM4rCmS+qdUrlyYezy5j3Sdw+y0EX9w4KCEiJ7c86QrxB+gfxgxYvyLBuXPEEoRqvf7xKIiwGXEs/vxif1W9nri3n14PAP/PdgjQqNCI1BVHAX276Mbkec8ipaFEClboV6d9904/18t9tqlFkx0=,iv:NlLzwp/pJ7X80A+EupaxNwrEP7iO4oFtOlhTQLjAies=,tag:Z3bgc2DhunF7iKF0GOoq2g==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
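Review bot: The `age:` list in secrets.yaml holds a single recipient, so exactly one identity can decrypt or re-encrypt the SSH host key. The diff does not say whether that recipient is the host's own key at `/var/lib/sops-nix/key.txt` or an administrator's key copied there. In the first case, losing the host disk leaves the secret unrecoverable and uneditable. In the second, the host stores a key that may also protect other secrets. Encrypting to a dedicated per-host recipient plus a separate admin recipient, declared in a `.sops.yaml` creation rule, keeps those two roles apart and lets the host key be rotated without touching the admin identity.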