diff --git a/common/secrets/default.nix b/common/secrets/default.nix
index a01d60a..6a4707b 100644
--- a/common/secrets/default.nix
+++ b/common/secrets/default.nix
@@ -4,7 +4,7 @@
   lib,
   pkgs,
   ...
-}:
+}@args:
 let
   ccfg = import ../config.nix;
@@ -14,9 +14,35 @@ let
   ];
   cfg = lib.attrsets.getAttrFromPath cfg_path config;
   users_cfg = config.${ccfg.custom_config_key}.users;
+
+  secretsRaw = import ./secrets/secrets.nix;
+  systemName = lib.attrsets.getAttrFromPath [
+    ccfg.custom_config_key
+    "systemName"
+  ] config;
+  authorityMarker = "authority";
+
+  # Key matches this host if its trailing comment contains "@"
+  matchesThisSystem = key: lib.strings.hasInfix "@${systemName}" key;
+  # Key is the authority key if its comment contains the marker string
+  matchesAuthority = key: lib.strings.hasInfix authorityMarker key;
+
+  keepSecret =
+    attrs:
+    let
+      keys = attrs.publicKeys or [ ];
+    in
+    lib.any (k: matchesThisSystem k) keys;
+
+  # Any secrets that should be world-readable even after auto-import
+  worldReadable = [
+    "zitadel_master_key"
+    "vaultwarden_env"
+  ];
+
+  # Keep only secrets intended for this host (or that include the authority key)
+  filteredSecrets = lib.attrsets.filterAttrs (_name: attrs: keepSecret attrs) secretsRaw;
 in
-# TODO auto import secret files here
-# secretsFile = (settings.secretsDir + /secrets.nix);
 {
   options = {
   }
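Review bot: The new `}@args:` binding is not referenced by any line in the hunks shown, so as far as this diff goes it is a dead name. If nothing outside these hunks uses `args`, revert to `}:`; if something does, a one-word comment on that use (e.g. `# args: forwarded to …`) would save the next reader the search.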
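Review bot: `matchesThisSystem` selects a secret by substring, so a host whose name is a prefix of another host's (the removed list hints at short names such as `t` next to `h001`-style ones) would match `@t…` comments on other hosts' keys and declare secrets it cannot decrypt; compare the comment exactly instead, e.g. `matchesThisSystem = key: lib.strings.hasSuffix "@${systemName}" key;` if the host name is always the last token of the comment. `matchesAuthority` is defined but never consulted by `keepSecret`, while the comment on `filteredSecrets` claims authority-keyed secrets are kept — either delete the helper and fix the comment, or add `|| matchesAuthority k` on purpose, bearing in mind that `hasInfix "authority"` would also accept any key comment that merely contains that word. As far as this hunk shows, the filter only decides which secrets are declared on a host; the age recipients on each `.age` file remain the actual access control, so a wrong match fails activation rather than exposing anything — worth saying in the comment so nobody later treats this filter as a security boundary.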
@@ -30,105 +56,21 @@ in
   ];
   age = {
-    secrets =
-      # builtins.mapAttrs
-      # (name: _value: lib.nameValuePair (lib.removeSuffix ".age" name) {
-      # file = (settings.secretsDir + "/${name}");
-      # owner = lib.mkDefault users_cfg.primary;
-      # })
-      # (import secretsFile);
-      {
-        # nix2github = {
-        # file = ./secrets/nix2github.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2bitbucket = {
-        # file = ./secrets/nix2bitbucket.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2gitjosh = {
-        # file = ./secrets/nix2gitjosh.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2gitforgejo = {
-        # file = ./secrets/nix2gitforgejo.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2nix = {
-        # file = ./secrets/nix2nix.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2h001 = {
-        # file = ./secrets/nix2h001.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2h002 = {
-        # file = ./secrets/nix2h002.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2h003 = {
-        # file = ./secrets/nix2h003.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2joe = {
-        # file = ./secrets/nix2joe.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2gpdPocket3 = {
-        # file = ./secrets/nix2gpdPocket3.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2t = {
-        # file = ./secrets/nix2t.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2linode = {
-        # file = ./secrets/nix2linode.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2oracle = {
-        # file = ./secrets/nix2oracle.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2l002 = {
-        # file = ./secrets/nix2l002.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2lio = {
-        # file = ./secrets/nix2lio.age;
-        # owner = users_cfg.primary;
-        # };
-        # nix2oren = {
-        # file = ./secrets/nix2oren.age;
-        # owner = users_cfg.primary;
-        # };
-        # github_read_token = {
-        # file = ./secrets/github_read_token.age;
-        # owner = users_cfg.primary;
-        # };
-        # headscale_auth = {
-        # file = ./secrets/headscale_auth.age;
-        # owner = users_cfg.primary;
-        # };
-        # obsidian_sync_env = {
-        # file = ./secrets/obsidian_sync_env.age;
-        # owner = users_cfg.primary;
-        # };
-        # us_chi_wg = {
-        # file = ./secrets/us_chi_wg.age;
-        # owner = users_cfg.primary;
-        # };
-        # zitadel_master_key = {
-        # file = ./secrets/zitadel_master_key.age;
-        # owner = users_cfg.primary;
-        # mode = "444"; # World readable!
-        # };
-        vaultwarden_env = {
-          file = ./secrets/vaultwarden_env.age;
+    secrets = lib.attrsets.mapAttrs' (
+      name: _attrs:
+      let
+        base = lib.removeSuffix ".age" name;
+      in
+      lib.nameValuePair base (
+        {
+          file = ./. + "/secrets/${name}";
           owner = users_cfg.primary;
-          mode = "444"; # World readable!
-        };
-      };
+        }
+        // lib.optionalAttrs (lib.elem base worldReadable) {
+          mode = "444";
+        }
+      )
+    ) filteredSecrets;
   };
 };
 }
diff --git a/common/secrets/secrets/secrets.nix b/common/secrets/secrets/secrets.nix
index e30b958..c551bb5 100644
--- a/common/secrets/secrets/secrets.nix
+++ b/common/secrets/secrets/secrets.nix
@@ -8,7 +8,7 @@ let
   authorityKey = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF authority"
   ];
   gpdPocket3 = [
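Review bot: The `lib.optionalAttrs (lib.elem base worldReadable)` branch keeps `zitadel_master_key` and `vaultwarden_env` at `mode = "444"` but drops the old `# World readable!` warning, so the fact that every local user and process can read a master key and an env file that presumably carries credentials is no longer visible where the mode is set. If the consuming services run as their own users, `owner = "<service user>"` or `group = "<service group>"` with `mode = "440"` restricts this to the reader that needs it; if 0444 is genuinely required, put the reason on that line, e.g. `mode = "444"; # 0444: every local user can read this — <service> cannot run as users_cfg.primary`. Note also that membership in `worldReadable` is matched on `base` after `.age` is stripped, so a misspelled entry would silently fall back to the module's default mode instead of failing evaluation; an `assert lib.all (n: secretsRaw ? "${n}.age") worldReadable` near the list would catch that.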