diff --git a/hosts/juni/flake.lock b/hosts/juni/flake.lock
index 23107290..94f33120 100644
--- a/hosts/juni/flake.lock
+++ b/hosts/juni/flake.lock
@@ -31,11 +31,11 @@
       },
       "locked": {
         "dir": "flakes/beszel",
-        "lastModified": 1767107690,
-        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
+        "lastModified": 1767112386,
+        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
         "ref": "refs/heads/master",
-        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
-        "revCount": 1005,
+        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
+        "revCount": 1009,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -64,11 +64,11 @@
     "common": {
       "locked": {
         "dir": "flakes/common",
-        "lastModified": 1767107690,
-        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
+        "lastModified": 1767112386,
+        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
         "ref": "refs/heads/master",
-        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
-        "revCount": 1005,
+        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
+        "revCount": 1009,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -123,11 +123,11 @@
       },
       "locked": {
         "dir": "flakes/de_plasma",
-        "lastModified": 1767107690,
-        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
+        "lastModified": 1767112386,
+        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
         "ref": "refs/heads/master",
-        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
-        "revCount": 1005,
+        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
+        "revCount": 1009,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -161,11 +161,11 @@
       },
       "locked": {
         "dir": "flakes/flatpaks",
-        "lastModified": 1767107690,
-        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
+        "lastModified": 1767112386,
+        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
         "ref": "refs/heads/master",
-        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
-        "revCount": 1005,
+        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
+        "revCount": 1009,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -1268,11 +1268,11 @@
       },
       "locked": {
         "dir": "flakes/opencode",
-        "lastModified": 1767107690,
-        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
+        "lastModified": 1767112386,
+        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
         "ref": "refs/heads/master",
-        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
-        "revCount": 1005,
+        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
+        "revCount": 1009,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -1478,20 +1478,14 @@
         "ragenix": "ragenix"
       },
       "locked": {
-        "dir": "flakes/secrets",
-        "lastModified": 1767107690,
-        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
-        "ref": "refs/heads/master",
-        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
-        "revCount": 1005,
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+        "path": "../../flakes/secrets",
+        "type": "path"
       },
       "original": {
-        "dir": "flakes/secrets",
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
-      }
+        "path": "../../flakes/secrets",
+        "type": "path"
+      },
+      "parent": []
     },
     "systems": {
       "locked": {
diff --git a/hosts/juni/hardware-mounts.nix b/hosts/juni/hardware-mounts.nix
index da7a3428..1c74368d 100644
--- a/hosts/juni/hardware-mounts.nix
+++ b/hosts/juni/hardware-mounts.nix
@@ -98,12 +98,16 @@ lib.mkMerge [
     # Impermanence fix for working with custom unlock and reset with root bcache
     boot.initrd.systemd.services.create-needed-for-boot-dirs = lib.mkIf ENCRYPTED {
       after = [
-        "unlock-bcachefs-custom.service"
         "bcachefs-reset-root.service"
+      ]
+      ++ lib.optionals (USB_KEY != null) [
+        "unlock-bcachefs-custom.service"
       ];
       requires = [
-        "unlock-bcachefs-custom.service"
         "bcachefs-reset-root.service"
+      ]
+      ++ lib.optionals (USB_KEY != null) [
+        "unlock-bcachefs-custom.service"
       ];
       serviceConfig.KeyringMode = "shared";
     };
@@ -114,10 +118,15 @@ lib.mkMerge [
       after = [
         "initrd-root-device.target"
         "cryptsetup.target"
+      ]
+      ++ lib.optionals (USB_KEY != null) [
         "unlock-bcachefs-custom.service"
       ];
+
       requires = [
         primaryDeviceUnit
+      ]
+      ++ lib.optionals (USB_KEY != null) [
         "unlock-bcachefs-custom.service"
       ];
 
@@ -126,8 +135,6 @@ lib.mkMerge [
       ];
       wantedBy = [
         "initrd-root-fs.target"
-        "sysroot.mount"
-        "initrd.target"
       ];
 
       serviceConfig = {
@@ -172,7 +179,6 @@ lib.mkMerge [
       '';
     };
   })
-
   # If you mess up decruption password this reboots for retry instead of getting stuck
   (lib.mkIf ENCRYPTED {
     boot.kernelParams = [
@@ -258,5 +264,4 @@ lib.mkMerge [
       '';
     };
   })
-
 ]
diff --git a/hosts/juni/impermanence.nix b/hosts/juni/impermanence.nix
index d30d8473..23b2b22d 100644
--- a/hosts/juni/impermanence.nix
+++ b/hosts/juni/impermanence.nix
@@ -12,6 +12,7 @@
 
       "/etc/nixos"
       "/etc/ssh"
+      "/etc/shadow" # keep passwords
 
       "/etc/NetworkManager/system-connections"
       "/var/lib/bluetooth"