diff --git a/hosts/juni/flake.lock b/hosts/juni/flake.lock
index 94f33120..23107290 100644
--- a/hosts/juni/flake.lock
+++ b/hosts/juni/flake.lock
@@ -31,11 +31,11 @@
       },
       "locked": {
         "dir": "flakes/beszel",
-        "lastModified": 1767112386,
-        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
+        "lastModified": 1767107690,
+        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
         "ref": "refs/heads/master",
-        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
-        "revCount": 1009,
+        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
+        "revCount": 1005,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -64,11 +64,11 @@
     "common": {
       "locked": {
         "dir": "flakes/common",
-        "lastModified": 1767112386,
-        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
+        "lastModified": 1767107690,
+        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
         "ref": "refs/heads/master",
-        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
-        "revCount": 1009,
+        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
+        "revCount": 1005,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -123,11 +123,11 @@
       },
       "locked": {
         "dir": "flakes/de_plasma",
-        "lastModified": 1767112386,
-        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
+        "lastModified": 1767107690,
+        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
         "ref": "refs/heads/master",
-        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
-        "revCount": 1009,
+        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
+        "revCount": 1005,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -161,11 +161,11 @@
       },
       "locked": {
         "dir": "flakes/flatpaks",
-        "lastModified": 1767112386,
-        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
+        "lastModified": 1767107690,
+        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
         "ref": "refs/heads/master",
-        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
-        "revCount": 1009,
+        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
+        "revCount": 1005,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -1268,11 +1268,11 @@
       },
       "locked": {
         "dir": "flakes/opencode",
-        "lastModified": 1767112386,
-        "narHash": "sha256-83/88MzCPe2ukEcPHpH/sLgUDeKBcYIt0BWmn4afQQ4=",
+        "lastModified": 1767107690,
+        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
         "ref": "refs/heads/master",
-        "rev": "76758fb24a9a0e30e5ffe1a1b940c94b6f8f0f3c",
-        "revCount": 1009,
+        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
+        "revCount": 1005,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -1478,14 +1478,20 @@
         "ragenix": "ragenix"
       },
       "locked": {
-        "path": "../../flakes/secrets",
-        "type": "path"
+        "dir": "flakes/secrets",
+        "lastModified": 1767107690,
+        "narHash": "sha256-Y1VmRMaPXgEVusn2e9uOeVe40i5+uUdNMZTOnB7CQsU=",
+        "ref": "refs/heads/master",
+        "rev": "b51768f26b9e9fa7858f3f373f27fe5f87a24bfb",
+        "revCount": 1005,
+        "type": "git",
+        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
       "original": {
-        "path": "../../flakes/secrets",
-        "type": "path"
-      },
-      "parent": []
+        "dir": "flakes/secrets",
+        "type": "git",
+        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+      }
     },
     "systems": {
       "locked": {
diff --git a/hosts/juni/hardware-mounts.nix b/hosts/juni/hardware-mounts.nix
index 1c74368d..da7a3428 100644
--- a/hosts/juni/hardware-mounts.nix
+++ b/hosts/juni/hardware-mounts.nix
@@ -98,16 +98,12 @@ lib.mkMerge [
     # Impermanence fix for working with custom unlock and reset with root bcache
     boot.initrd.systemd.services.create-needed-for-boot-dirs = lib.mkIf ENCRYPTED {
       after = [
-        "bcachefs-reset-root.service"
-      ]
-      ++ lib.optionals (USB_KEY != null) [
         "unlock-bcachefs-custom.service"
+        "bcachefs-reset-root.service"
       ];
       requires = [
-        "bcachefs-reset-root.service"
-      ]
-      ++ lib.optionals (USB_KEY != null) [
         "unlock-bcachefs-custom.service"
+        "bcachefs-reset-root.service"
       ];
       serviceConfig.KeyringMode = "shared";
     };
@@ -118,15 +114,10 @@ lib.mkMerge [
       after = [
         "initrd-root-device.target"
         "cryptsetup.target"
-      ]
-      ++ lib.optionals (USB_KEY != null) [
         "unlock-bcachefs-custom.service"
       ];
-
       requires = [
         primaryDeviceUnit
-      ]
-      ++ lib.optionals (USB_KEY != null) [
         "unlock-bcachefs-custom.service"
       ];
 
@@ -135,6 +126,8 @@ lib.mkMerge [
       ];
       wantedBy = [
         "initrd-root-fs.target"
+        "sysroot.mount"
+        "initrd.target"
       ];
 
       serviceConfig = {
@@ -179,6 +172,7 @@ lib.mkMerge [
       '';
     };
   })
+
   # If you mess up decruption password this reboots for retry instead of getting stuck
   (lib.mkIf ENCRYPTED {
     boot.kernelParams = [
@@ -264,4 +258,5 @@ lib.mkMerge [
       '';
     };
   })
+
 ]
diff --git a/hosts/juni/impermanence.nix b/hosts/juni/impermanence.nix
index 23b2b22d..d30d8473 100644
--- a/hosts/juni/impermanence.nix
+++ b/hosts/juni/impermanence.nix
@@ -12,7 +12,6 @@
 
       "/etc/nixos"
       "/etc/ssh"
-      "/etc/shadow" # keep passwords
 
       "/etc/NetworkManager/system-connections"
       "/var/lib/bluetooth"