diff --git a/hosts/h001/flake.nix b/hosts/h001/flake.nix
index 47daae2d..109b5e96 100644
--- a/hosts/h001/flake.nix
+++ b/hosts/h001/flake.nix
@@ -21,7 +21,6 @@
 secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
 # beszel.url = "path:../../flakes/beszel";
 beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel";
- secrets-bao.url = "path:../../flakes/secrets-bao";
 ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
@@ -81,42 +80,6 @@
 };
 })
- inputs.secrets-bao.nixosModules.default
- (
- { inputs, lib, ... }:
- let
- secrets = {
- litellm-env = {
- owner = "root";
- group = "root";
- mode = "0400";
- path = "/run/secrets/litellm.env";
- softDepend = [ "litellm" ];
- template = ''
- {{- with secret "kv/data/machines/home/openrouter" -}}OPENROUTER_API_KEY={{ .Data.data.api-key }}{{ end }}
- {{- with secret "kv/data/machines/home/anthropic-claude" -}}
- ANTHROPIC_API_KEY={{ .Data.data.api-key }}{{ end -}}
- '';
- };
- };
- in
- lib.mkMerge [
- {
- ringofstorms.secretsBao = {
- enable = true;
- zitadelKeyPath = "/machine-key.json";
- openBaoAddr = "https://sec.joshuabell.xyz";
- jwtAuthMountPath = "auth/zitadel-jwt";
- openBaoRole = "machines";
- zitadelIssuer = "https://sso.joshuabell.xyz";
- zitadelProjectId = "344379162166820867";
- inherit secrets;
- };
- }
- (inputs.secrets-bao.lib.applyConfigChanges secrets)
- ]
- )
- nixarr.nixosModules.default
 ./hardware-configuration.nix
 ./mods
diff --git a/hosts/h001/mods/litellm.nix b/hosts/h001/mods/litellm.nix
index 33b87159..ce0db09b 100644
--- a/hosts/h001/mods/litellm.nix
+++ b/hosts/h001/mods/litellm.nix
@@ -27,7 +27,6 @@ in
 host = "0.0.0.0";
 openFirewall = false;
 package = pkgsLitellm.litellm;
- environmentFile = "/run/secrets/litellm.env";
 environment = {
 SCARF_NO_ANALYTICS = "True";
 DO_NOT_TRACK = "True";
@@ -38,6 +37,10 @@ in
 settings = {
 environment_variables = {
 LITELLM_PROXY_API_KEY = "na";
+
+ # TODO get from openbao secrets somehow
+ OPENROUTER_API_KEY = "kv/data/machines/home/openrouter api-key";
+ ANTHROPIC_API_KEY = "kv/data/machines/home/anthropic-claude api-key";
 };
 litellm_settings = {
 check_provider_endpoints = true;
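Review bot: The two added `environment_variables` entries give LiteLLM the OpenBao path string (`"kv/data/machines/home/openrouter api-key"`) in place of the key itself, so provider calls will presumably fail authentication until the TODO is resolved, and the KV path layout is now embedded in the service config. Whoever resolves the TODO should not paste a real key here: values under `settings` are plain Nix strings and most likely end up in a generated config file in the world-readable Nix store. The `environmentFile = "/run/secrets/litellm.env";` line removed in the previous hunk is the right shape for these secrets, since the file is rendered at runtime with a restrictive mode. I would drop the two placeholder lines and reword the comment to `# TODO: restore environmentFile from a runtime-rendered secret; never put provider keys in settings (Nix store is world-readable)`. The `settings` attrset continues past the end of this hunk.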