diff --git a/flakes/secrets-bao/flake.nix b/flakes/secrets-bao/flake.nix
new file mode 100644
index 00000000..895353e4
--- /dev/null
+++ b/flakes/secrets-bao/flake.nix
@@ -0,0 +1,12 @@
+{
+ description = "Runtime secrets via OpenBao + Zitadel machine key";
+
+ inputs = { };
+
+ outputs = { ... }:
+ {
+ nixosModules = {
+ default = import ./nixos-module.nix;
+ };
+ };
+}
diff --git a/flakes/secrets-bao/nixos-module.nix b/flakes/secrets-bao/nixos-module.nix
new file mode 100644
index 00000000..083af989
--- /dev/null
+++ b/flakes/secrets-bao/nixos-module.nix
@@ -0,0 +1,322 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.ringofstorms.secretsBao;
+
+ mkJwtMintScript = pkgs.writeShellScript "zitadel-mint-jwt" ''
+ #!/usr/bin/env bash
+ set -euo pipefail
+
+ key_json="${cfg.zitadelKeyPath}"
+
+ kid="$(${pkgs.jq}/bin/jq -r .keyId "$key_json")"
+ sub="$(${pkgs.jq}/bin/jq -r .userId "$key_json")"
+
+ pem_file="$(${pkgs.coreutils}/bin/mktemp)"
+ trap '${pkgs.coreutils}/bin/rm -f "$pem_file"' EXIT
+
+ ${pkgs.jq}/bin/jq -r .key "$key_json" >"$pem_file"
+ ${pkgs.coreutils}/bin/chmod 600 "$pem_file"
+
+ now="$(${pkgs.coreutils}/bin/date +%s)"
+ exp="$(( now + ${toString cfg.jwtLifetimeSeconds} ))"
+ jti="$(${pkgs.openssl}/bin/openssl rand -hex 16)"
+
+ header="$(${pkgs.jq}/bin/jq -cn --arg kid "$kid" '{alg:"RS256",typ:"JWT",kid:$kid}')"
+ payload="$(${pkgs.jq}/bin/jq -cn \
+ --arg iss "$sub" \
+ --arg sub "$sub" \
+ --arg aud "${cfg.zitadelTokenEndpoint}" \
+ --arg jti "$jti" \
+ --argjson iat "$now" \
+ --argjson exp "$exp" \
+ '{iss:$iss,sub:$sub,aud:$aud,iat:$iat,exp:$exp,jti:$jti}'
+ )"
+
+ b64url() {
+ ${pkgs.openssl}/bin/openssl base64 -A | ${pkgs.gnused}/bin/sed -e 's/+/-/g' -e 's/\//_/g' -e 's/=*$//'
+ }
+
+ h64="$(${pkgs.coreutils}/bin/printf '%s' "$header" | b64url)"
+ p64="$(${pkgs.coreutils}/bin/printf '%s' "$payload" | b64url)"
+ sig="$(${pkgs.coreutils}/bin/printf '%s' "$h64.$p64" | ${pkgs.openssl}/bin/openssl dgst -sha256 -sign "$pem_file" | b64url)"
+ assertion="$h64.$p64.$sig"
+
+ ${pkgs.curl}/bin/curl -sS -X POST "${cfg.zitadelTokenEndpoint}" \
+ -H 'content-type: application/x-www-form-urlencoded' \
+ --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
+ --data-urlencode "assertion=$assertion" \
+ --data-urlencode "scope=${cfg.zitadelScopes}" \
+ | ${pkgs.jq}/bin/jq -r .access_token
+ '';
+
+ mkAgentConfig = pkgs.writeText "vault-agent.hcl" ''
+ vault {
+ address = "${cfg.openBaoAddr}"
+ }
+
+ auto_auth {
+ method "jwt" {
+ mount_path = "${cfg.jwtAuthMountPath}"
+ config = {
+ role = "${cfg.openBaoRole}"
+ jwt_file = "${cfg.zitadelJwtPath}"
+ }
+ }
+
+ sink "file" {
+ config = {
+ path = "${cfg.vaultAgentTokenPath}"
+ mode = 0400
+ }
+ }
+ }
+
+ ${lib.concatStringsSep "\n\n" (
+ lib.mapAttrsToList (
+ name: secret:
+ let
+ renderedTemplate =
+ if secret.template != null then
+ secret.template
+ else
+ ''{{- with secret "${secret.kvPath}" -}}{{- .Data.data.${secret.field} -}}{{- end -}}'';
+ in
+ ''
+ template {
+ destination = "${secret.path}"
+ perms = "${secret.mode}"
+ contents = <&2
+ exit 1
+ fi
+
+ jwt="$(${mkJwtMintScript})"
+ ${pkgs.coreutils}/bin/printf '%s' "$jwt" > "${cfg.zitadelJwtPath}"
+ '';
+ };
+ };
+
+ vault-agent = {
+ description = "OpenBao agent for rendering secrets";
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network-online.target"
+ "zitadel-mint-jwt.service"
+ ];
+ wants = [ "network-online.target" ];
+ requires = [ "zitadel-mint-jwt.service" ];
+
+ serviceConfig = {
+ Type = "simple";
+ User = "root";
+ Group = "root";
+ Restart = "on-failure";
+ RestartSec = "2s";
+
+ UMask = "0077";
+ ExecStart = "${pkgs.openbao}/bin/bao agent -config=${mkAgentConfig}";
+ };
+ };
+ }
+
+ (lib.mapAttrs' (
+ name: secret:
+ lib.nameValuePair "openbao-secret-${name}" {
+ description = "Wait for OpenBao secret ${name}";
+ after = [ "vault-agent.service" ];
+ requires = [ "vault-agent.service" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ Group = "root";
+ UMask = "0077";
+ ExecStart = pkgs.writeShellScript "openbao-wait-secret-${name}" ''
+ #!/usr/bin/env bash
+ set -euo pipefail
+
+ p=${lib.escapeShellArg secret.path}
+
+ for i in {1..60}; do
+ if [ -s "$p" ]; then
+ exit 0
+ fi
+ sleep 1
+ done
+
+ echo "Secret file not rendered: $p" >&2
+ exit 1
+ '';
+ };
+ }
+ ) cfg.secrets)
+ ];
+
+ age.secrets = lib.mapAttrs' (
+ name: secret:
+ lib.nameValuePair name {
+ file = null;
+ path = secret.path;
+ }
+ ) cfg.secrets;
+ };
+}
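Review bot: In mkJwtMintScript the token request is `curl -sS` without `--fail`, so an error response from the token endpoint still exits 0 and `jq -r .access_token` prints the literal `null`, which zitadel-mint-jwt then writes to `cfg.zitadelJwtPath` and vault-agent only fails later with an unrelated auth error. I would change the request line to `${pkgs.curl}/bin/curl -sSf -X POST "${cfg.zitadelTokenEndpoint}" \` and guard the write in zitadel-mint-jwt with `if [ -z "$jwt" ] || [ "$jwt" = null ]; then echo "token endpoint returned no access_token" >&2; exit 1; fi`. The text between `contents = <` and `>&2` is not legible in this rendering, so the option declarations and the zitadel-mint-jwt serviceConfig (including the UMask that decides the mode of the written JWT file) could not be reviewed here. Also worth confirming: the agent's jwt auto-auth method, if OpenBao keeps Vault's default, removes `jwt_file` after reading it, and the minted assertion is only valid for jwtLifetimeSeconds, so a re-authentication after the agent token expires presumably has nothing to read unless the oneshot is re-run or `remove_jwt_after_reading = false` is set together with a refresh timer.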
diff --git a/hosts/juni/flake.lock b/hosts/juni/flake.lock index 94f33120..0f4d6da0 100644 --- a/hosts/juni/flake.lock +++ b/hosts/juni/flake.lock @@ -1,41 +1,16 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager_3", - "nixpkgs": [ - "secrets", - "ragenix", - "nixpkgs" - ], - "systems": "systems" - }, - "locked": { - "lastModified": 1761656077, - "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=", - "owner": "ryantm", - "repo": "agenix", - "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "beszel": { "inputs": { "beszel-nixpkgs": "beszel-nixpkgs" }, "locked": { "dir": "flakes/beszel", - "lastModified": 1767112386, - "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", + "lastModified": 1767293741, + "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=", "ref": "refs/heads/master", - "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", - "revCount": 1009, + "rev": "8fff3be0425341a048167db5385d9639f6355133", + "revCount": 1031, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -64,11 +39,11 @@ "common": { "locked": { "dir": "flakes/common", - "lastModified": 1767112386, - "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", + "lastModified": 1767293741, + "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=", "ref": "refs/heads/master", - "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", - "revCount": 1009, + "rev": "8fff3be0425341a048167db5385d9639f6355133", + "revCount": 1031, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, 
@@ -78,56 +53,17 @@ "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" } }, - "crane": { - "locked": { - "lastModified": 1760924934, - "narHash": "sha256-tuuqY5aU7cUkR71sO2TraVKK2boYrdW3gCSXUkF4i44=", - "owner": "ipetkov", - "repo": "crane", - "rev": "c6b4d5308293d0d04fcfeee92705017537cad02f", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "darwin": { - "inputs": { - "nixpkgs": [ - "secrets", - "ragenix", - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "de_plasma": { "inputs": { "plasma-manager": "plasma-manager" }, "locked": { "dir": "flakes/de_plasma", - "lastModified": 1767112386, - "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", + "lastModified": 1767293741, + "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=", "ref": "refs/heads/master", - "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", - "revCount": 1009, + "rev": "8fff3be0425341a048167db5385d9639f6355133", + "revCount": 1031, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, 
@@ -137,35 +73,17 @@ "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" } }, - "flake-utils": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flatpaks": { "inputs": { "nix-flatpak": "nix-flatpak" }, "locked": { "dir": "flakes/flatpaks", - "lastModified": 1767112386, - "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", + "lastModified": 1767293741, + "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=", "ref": "refs/heads/master", - "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", - "revCount": 1009, + "rev": "8fff3be0425341a048167db5385d9639f6355133", + "revCount": 1031, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -202,11 +120,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1767024057, - "narHash": "sha256-B1aycRjMRvb6QOGbnqDhiDzZwMebj5jxZ5qyJzaKvpI=", + "lastModified": 1767280655, + "narHash": "sha256-YmaYMduV5ko8zURUT1VLGDbVC1L/bxHS0NsiPoZ6bBM=", "owner": "rycee", "repo": "home-manager", - "rev": "34578a2fdfce4257ce5f5baf6e7efbd4e4e252b1", + "rev": "d49d2543f02dbd789ed032188c84570d929223cb", "type": "github" }, "original": { 
@@ -216,29 +134,6 @@ "type": "github" } }, - "home-manager_3": { - "inputs": { - "nixpkgs": [ - "secrets", - "ragenix", - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745494811, - "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, "impermanence": { "locked": { "lastModified": 1737831083, @@ -272,11 +167,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1767070591, - "narHash": "sha256-b0aM3221Pw6vbACFqZrVzZjMNqXVPi1dvgLr8QTbajc=", + "lastModified": 1767185284, + "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9b3c38bf6c260d0e88154ef07fa833fa845bfd14", + "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe", "type": "github" }, "original": { @@ -304,11 +199,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1766902085, - "narHash": "sha256-coBu0ONtFzlwwVBzmjacUQwj3G+lybcZ1oeNSQkgC0M=", + "lastModified": 1767116409, + "narHash": "sha256-5vKw92l1GyTnjoLzEagJy5V5mDFck72LiQWZSOnSicw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c0b0e0fddf73fd517c3471e546c0df87a42d53f4", + "rev": "cad22e7d996aea55ecab064e84834289143e44a0", "type": "github" }, "original": { @@ -320,11 +215,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1766736597, - "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=", + "lastModified": 1767047869, + "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", + "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a", "type": "github" }, "original": { 
@@ -336,11 +231,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1766885793, - "narHash": "sha256-P6RVkrM9JLCW6xBjSwHfgTOQ1JwBUma5xe5LI8xAPC0=", + "lastModified": 1767047869, + "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9ef261221d1e72399f2036786498d78c38185c46", + "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a", "type": "github" }, "original": { @@ -352,11 +247,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1766870016, - "narHash": "sha256-fHmxAesa6XNqnIkcS6+nIHuEmgd/iZSP/VXxweiEuQw=", + "lastModified": 1767026758, + "narHash": "sha256-7fsac/f7nh/VaKJ/qm3I338+wAJa/3J57cOGpXi0Sbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5c2bc52fb9f8c264ed6c93bd20afa2ff5e763dce", + "rev": "346dd96ad74dc4457a9db9de4f4f57dab2e5731d", "type": "github" }, "original": { @@ -382,22 +277,6 @@ "type": "github" } }, - "nixpkgs_6": { - "locked": { - "lastModified": 1761672384, - "narHash": "sha256-o9KF3DJL7g7iYMZq9SWgfS1BFlNbsm6xplRjVlOCkXI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "08dacfca559e1d7da38f3cf05f1f45ee9bfd213c", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nvim_plugin-Almo7aya/openingh.nvim": { "flake": false, "locked": { @@ -1268,11 +1147,11 @@ }, "locked": { "dir": "flakes/opencode", - "lastModified": 1767112386, - "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=", + "lastModified": 1767293741, + "narHash": "sha256-mqcZB2uthea2TMcFmEgfPYGDC+O2px5hc/XPrlqsYMs=", "ref": "refs/heads/master", - "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c", - "revCount": 1009, + "rev": "8fff3be0425341a048167db5385d9639f6355133", + "revCount": 1031, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, 
@@ -1287,11 +1166,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1767028968, - "narHash": "sha256-Z6Jk9Ee3+KHaQf7V/zbHHgotZ0gQA5Mtqpzs8PAQmBY=", + "lastModified": 1767126722, + "narHash": "sha256-bXBpPQ9altAzsuFKhIS83LKwuLIxKJ4gWMAG5xzk+fM=", "owner": "sst", "repo": "opencode", - "rev": "b7ce46f7a12e68283d6588c33aaf972426ddd65e", + "rev": "3fe5d91372fdf859e09ed5a2aefe359e0648ed10", "type": "github" }, "original": { @@ -1319,28 +1198,6 @@ "type": "github" } }, - "ragenix": { - "inputs": { - "agenix": "agenix", - "crane": "crane", - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_6", - "rust-overlay": "rust-overlay_2" - }, - "locked": { - "lastModified": 1761832913, - "narHash": "sha256-VCNVjjuRvrKPiYYwqhE3BAKIaReiKXGpxGp27lZ0MFM=", - "owner": "yaxitech", - "repo": "ragenix", - "rev": "83bccfdea758241999f32869fb6b36f7ac72f1ac", - "type": "github" - }, - "original": { - "owner": "yaxitech", - "repo": "ragenix", - "type": "github" - } - }, "root": { "inputs": { "beszel": "beszel", @@ -1354,7 +1211,7 @@ "nixpkgs-unstable": "nixpkgs-unstable", "opencode": "opencode", "ros_neovim": "ros_neovim", - "secrets": "secrets" + "secrets-bao": "secrets-bao" } }, "ros_neovim": { @@ -1417,11 +1274,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1766468664, - "narHash": "sha256-QfAZCWfwIDiOvikyMb9Tsg2X0n659zd6DxDT88ILE4I=", + "lastModified": 1767195473, + "narHash": "sha256-xL3DZSWiNSvW58LsJwFIpQ9i3Vs5uaYUjbL60rpFxPk=", "ref": "refs/heads/master", - "rev": "99a57f25b959d7226d68f1b53ff60f0c4cc5b210", - "revCount": 326, + "rev": "88e86b5a7d40697ade905f534dcd5372a67b8102", + "revCount": 328, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/nvim" }, 
@@ -1451,70 +1308,16 @@ "type": "github" } }, - "rust-overlay_2": { - "inputs": { - "nixpkgs": [ - "secrets", - "ragenix", - "nixpkgs" - ] - }, + "secrets-bao": { "locked": { - "lastModified": 1761791894, - "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "59c45eb69d9222a4362673141e00ff77842cd219", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "secrets": { - "inputs": { - "ragenix": "ragenix" - }, - "locked": { - "path": "../../flakes/secrets", + "lastModified": 1767294512, + "narHash": "sha256-VJsOr6MRAskbLVRHtLplIHBvi6K45yj0H2TSP0V2SKI=", + "path": "/home/josh/.config/nixos-config/flakes/secrets-bao", "type": "path" }, "original": { - "path": "../../flakes/secrets", + "path": "/home/josh/.config/nixos-config/flakes/secrets-bao", "type": "path" - }, - "parent": [] - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" } } }, diff --git a/hosts/juni/flake.nix b/hosts/juni/flake.nix index a4981c9d..8bac7468 100644 --- a/hosts/juni/flake.nix +++ b/hosts/juni/flake.nix 
@@ -11,8 +11,10 @@
 # Use relative to get current version for testin
 # common.url = "path:../../flakes/common";
 common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
- # secrets.url = "path:../../flakes/secrets";
- secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
+ # secrets-bao.url = "path:../../flakes/secrets-bao";
+ # NOTE: using an absolute path so this works before you commit/push.
+ # After you add `flakes/secrets-bao` to the repo, switch to a git URL like your other flakes.
+ secrets-bao.url = "path:/home/josh/.config/nixos-config/flakes/secrets-bao";
 # flatpaks.url = "path:../../flakes/flatpaks";
 flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks";
 # beszel.url = "path:../../flakes/beszel";
@@ -66,7 +68,7 @@
 })
 inputs.common.nixosModules.jetbrains_font
- inputs.secrets.nixosModules.default
+ inputs.secrets-bao.nixosModules.default
 inputs.ros_neovim.nixosModules.default
 ({
 ringofstorms-nvim.includeAllRuntimeDependencies = true;
@@ -84,15 +86,66 @@
 inputs.common.nixosModules.timezone_auto
 inputs.common.nixosModules.tty_caps_esc
 inputs.common.nixosModules.zsh
- inputs.common.nixosModules.tailnet
+ # inputs.common.nixosModules.tailnet
- inputs.beszel.nixosModules.agent
 ({
- beszelAgent = {
- token = "2fb5f0a0-24aa-4044-a893-6d0f916cd063";
+ ringofstorms.secretsBao = {
+ enable = true;
+ zitadelKeyPath = "/machine-key.json";
+ openBaoAddr = "https://sec.joshuabell.xyz";
+ jwtAuthMountPath = "auth/zitadel-jwt";
+ openBaoRole = "machines";
+ secrets = {
+ headscale_auth = {
+ path = "/run/secrets/headscale_auth";
+ kvPath = "kv/data/machines/home_roaming/headscale_auth";
+ field = "value";
+ };
+
+ nix2github = {
+ path = "/run/secrets/nix2github";
+ owner = "josh";
+ group = "users";
+ kvPath = "kv/data/machines/home_roaming/nix2github";
+ field = "private_key";
+ };
+ nix2bitbucket = {
+ path = "/run/secrets/nix2bitbucket";
+ owner = "josh";
+ group = "users";
+ kvPath = "kv/data/machines/home_roaming/nix2bitbucket";
+ field = "private_key";
+ };
+ nix2gitforgejo = {
+ path = "/run/secrets/nix2gitforgejo";
+ owner = "josh";
+ group = "users";
+ kvPath = "kv/data/machines/home_roaming/nix2gitforgejo";
+ field = "private_key";
+ };
+ nix2lio = {
+ path = "/run/secrets/nix2lio";
+ owner = "josh";
+ group = "users";
+ kvPath = "kv/data/machines/home_roaming/nix2lio";
+ field = "private_key";
+ };
+ };
- }
- )
+ };
+
+ systemd.services.tailscaled = {
+ after = [ "openbao-secret-headscale_auth.service" ];
+ requires = [ "openbao-secret-headscale_auth.service" ];
+ };
+ })
+
+ # inputs.beszel.nixosModules.agent
+ # ({
+ # beszelAgent = {
+ # token = "2fb5f0a0-24aa-4044-a893-6d0f916cd063";
+ # };
+ # }
+ # )
 ./hardware-configuration.nix
 ./hardware-mounts.nix
@@ -122,7 +175,7 @@
 inputs.common.homeManagerModules.starship
 inputs.common.homeManagerModules.zoxide
 inputs.common.homeManagerModules.zsh
- inputs.common.homeManagerModules.ssh
+ # inputs.common.homeManagerModules.ssh
 (
 { ... }: {
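Review bot: The beszel agent token `2fb5f0a0-24aa-4044-a893-6d0f916cd063` is only commented out, so it remains in the committed file (and in history) as a live-looking credential; since this change moves secrets into OpenBao, it should be rotated on the beszel side and, if the agent is re-enabled, sourced from a `secrets` entry rather than restored as a literal. `zitadelKeyPath = "/machine-key.json"` is the long-lived bootstrap credential for everything else in this block, and nothing in this hunk constrains its owner or mode, so that is worth checking on the host. The `systemd.services.tailscaled` override is added in the same hunk that comments out `inputs.common.nixosModules.tailnet`; if nothing else defines tailscaled, this presumably produces a stub unit with no ExecStart, so the two should probably be toggled together.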