diff --git a/flake.nix b/flake.nix index 328aad5..ded0b74 100644 --- a/flake.nix +++ b/flake.nix @@ -35,11 +35,11 @@ noshell, nur, nvf, + self, stylix, ... }: let machines = import ./machines.nix; - _173-249-5-230 = machines._173-249-5-230; configuration = machine: modules: nixpkgs.lib.nixosSystem { system = machine.system; @@ -48,11 +48,13 @@ modules ++ [ ./machines/${machine.hostname}/configuration.nix + ./users.nix + ./secrets.nix + agenix.nixosModules.default ]; }; configurationWithHomeManager = machine: (configuration machine [ - agenix.nixosModules.default home-manager.nixosModules.home-manager { nixpkgs.overlays = [ diff --git a/machines.nix b/machines.nix index b9d1c76..bc41ee0 100644 --- a/machines.nix +++ b/machines.nix @@ -13,6 +13,5 @@ users = [ "mtgmonkey" ]; - pub-keys.ssh = []; }; } diff --git a/machines/_173-249-5-230/configuration.nix b/machines/_173-249-5-230/configuration.nix index 0fe1e9e..d079fb6 100644 --- a/machines/_173-249-5-230/configuration.nix +++ b/machines/_173-249-5-230/configuration.nix @@ -71,13 +71,6 @@ }; system.stateVersion = "26.05"; time.timeZone = "Europe/Berlin"; - users.users."mtgmonkey" = { - isNormalUser = true; - description = "mtgmonkey"; - hashedPasswordFile = builtins.toString config.age.secrets.secret2.path; - extraGroups = ["wheel"]; - openssh.authorizedKeys.keys = [(import ../../pub-keys.nix).ssh.andromeda]; - }; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; diff --git a/machines/lenovo/configuration.nix b/machines/lenovo/configuration.nix index 1b42b9d..adf0814 100644 --- a/machines/lenovo/configuration.nix +++ b/machines/lenovo/configuration.nix @@ -1,11 +1,14 @@ { config, lib, - pkgs, modulesPath, machine, ... }: { + imports = [ + ./impermanence.nix + (modulesPath + "/installer/scan/not-detected.nix") + ]; age.secrets = { secret0.file = ../../secrets/secret0.age; secret1.file = ../../secrets/secret1.age; 
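Review bot: machines/lenovo/configuration.nix still declares `age.secrets.secret0.file` and `secret1.file` (the context lines right after the new `imports`), while the new root `secrets.nix` module declares the same two secrets for every host, so each `file` option now has two definitions. They merge only because `../../secrets/secret0.age` from this directory and `./secrets/secret0.age` from the root resolve to the same path; if either side is ever moved, evaluation fails with a conflicting-definition error. Drop the `age.secrets` block from this file now that `configuration` in flake.nix imports `./secrets.nix` unconditionally. The attribute set this hunk opens continues past the hunk.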
@@ -14,48 +17,6 @@ efi.canTouchEfiVariables = true; systemd-boot.enable = true; }; - environment.persistence."/nix/persist" = { - enable = true; - hideMounts = true; - directories = [ - "/var/log" - "/var/lib/bluetooth" - "/var/lib/nixos" - "/var/lib/systemd/coredump" - "/etc/NetworkManager/system-connections" - "/etc/ssh" - ]; - files = [ - "/etc/machine-id" - "/etc/ly/save.txt" - ]; - users."andromeda" = { - directories = [ - ".backups" - ".local/share/Anki2" - ".local/share/chat.fluffy.fluffychat" - ".local/share/zoxide" - ".ssh" - "conf" - "Downloads" - "pp" - ]; - files = [ - ".bash_history" - ".brush_history" - ]; - }; - users."mtgmonkey" = { - directories = [ - ".local/share/zoxide" - ".ssh" - ]; - files = [ - ".bash_history" - ".brush_history" - ]; - }; - }; hardware.bluetooth = { enable = true; powerOnBoot = true; @@ -95,28 +56,6 @@ }; system.stateVersion = "26.05"; time.timeZone = "Europe/Berlin"; - users.users."andromeda" = { - isNormalUser = true; - description = "andromeda"; - hashedPasswordFile = builtins.toString config.age.secrets.secret0.path; - extraGroups = [ - "networkmanager" - "wheel" - ]; - }; - users.users."mtgmonkey" = { - isNormalUser = true; - description = "mtgmonkey"; - hashedPasswordFile = builtins.toString config.age.secrets.secret1.path; - extraGroups = [ - "networkmanager" - "wheel" - ]; - }; - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"]; boot.initrd.kernelModules = []; boot.kernelModules = ["kvm-intel"]; diff --git a/machines/lenovo/impermanence.nix b/machines/lenovo/impermanence.nix new file mode 100644 index 0000000..1bb98f5 --- /dev/null +++ b/machines/lenovo/impermanence.nix 
@@ -0,0 +1,44 @@
+{
+ environment.persistence."/nix/persist" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ "/etc/ssh"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ly/save.txt"
+ ];
+ users."andromeda" = {
+ directories = [
+ ".backups"
+ ".local/share/Anki2"
+ ".local/share/chat.fluffy.fluffychat"
+ ".local/share/zoxide"
+ ".ssh"
+ "conf"
+ "Downloads"
+ "pp"
+ ];
+ files = [
+ ".bash_history"
+ ".brush_history"
+ ];
+ };
+ users."mtgmonkey" = {
+ directories = [
+ ".local/share/zoxide"
+ ".ssh"
+ ];
+ files = [
+ ".bash_history"
+ ".brush_history"
+ ];
+ };
+ };
+}
diff --git a/pub-keys.nix b/pub-keys.nix
deleted file mode 100644
index 482d454..0000000
--- a/pub-keys.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- ssh = {
- andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
- lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
- };
-}
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..2e435a5
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,22 @@
+{lib, ...}: {
+ config = {
+ age.secrets = {
+ secret0.file = ./secrets/secret0.age;
+ secret1.file = ./secrets/secret1.age;
+ secret2.file = ./secrets/secret2.age;
+ };
+ pub-keys = {
+ ssh = {
+ andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
+ lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
+ };
+ };
+ };
+ options = {
+ pub-keys.ssh = lib.mkOption {
+ type = lib.types.attrsOf lib.types.str;
+ default = {};
+ description = "set of public keys as `name = key`";
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 19c9b7b..e6859f1 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
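Review bot: `secrets.nix` declares `age.secrets.secret2` for every host, yet after this commit nothing references it (`users.nix` now points mtgmonkey at `secret1` everywhere, including the host that used `secret2` before), and because `configuration` in flake.nix imports this module unconditionally, every host now declares all three secrets rather than only the ones its users need. Each host's identity therefore has to decrypt all three `.age` files, or activation will at least report a failure for the ones it cannot, so the recipient lists in `secrets/secrets.nix` (not shown here) must cover every host key. Either drop `secret2`, or gate the declarations on `machine.users` the way `users.nix` gates accounts. The repository now also has two files called `secrets.nix` — this NixOS module at the root and the agenix rules file in `secrets/` — which a name such as `secrets-module.nix` would keep apart.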
@@ -1,5 +1,5 @@
 let
- pub-keys = import ../pub-keys.nix;
+ pub-keys = (import ../secrets.nix).pub-keys;
 andromeda = pub-keys.ssh.andromeda;
 lenovo = pub-keys.ssh.lenovo;
 in {
diff --git a/users.nix b/users.nix
new file mode 100644
index 0000000..7902ca4
--- /dev/null
+++ b/users.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ machine,
+ ...
+}: let
+ machines = import ./machines.nix;
+in {
+ users.users =
+ builtins.mapAttrs
+ (name: value: lib.mkIf (builtins.elem name machine.users) value)
+ {
+ "andromeda" = {
+ isNormalUser = true;
+ description = "andromeda";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
+ };
+ "mtgmonkey" = {
+ isNormalUser = true;
+ description = "mtgmonkey";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
+ extraGroups = [
+ (lib.mkIf
+ (machine == machines.lenovo)
+ "networkmanager")
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ (lib.mkIf
+ (machine == machines._173-249-5-230)
+ config.pub-keys.ssh.andromeda)
+ ];
+ };
+ };
+}
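Review bot: `(import ../secrets.nix).pub-keys` cannot evaluate: `../secrets.nix` is now a NixOS module, i.e. a function `{lib, ...}: {...}`, so selecting `.pub-keys` from it fails with a "value is a function while a set was expected" error, and even once the function is applied the keys live under `.config.pub-keys`. Since `lib` is only used inside `options`, which is never forced here, the smallest fix is `pub-keys = (import ../secrets.nix {lib = null;}).config.pub-keys;`; the cleaner one is to keep the key literals in a plain attribute-set file that both this rules file and the module import. Presumably only the agenix CLI reads this file, so `nixos-rebuild` keeps working while editing or rekeying any secret breaks.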
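Review bot: `users.nix` gives mtgmonkey `hashedPasswordFile = builtins.toString config.age.secrets.secret1.path` on every host, but the block it replaces in `machines/_173-249-5-230/configuration.nix` used `secret2`, so that host's mtgmonkey password silently switches to the hash in secret1 (the one the laptop account uses) and secret2 is left declared but unreferenced. If the two hosts are meant to keep distinct hashes, pick the secret per host, e.g. `hashedPasswordFile = builtins.toString config.age.secrets.${if machine == machines.lenovo then "secret1" else "secret2"}.path;`. Separately, `machine == machines.lenovo` compares whole attribute sets structurally; `machine.hostname == "lenovo"` (the field flake.nix already keys on) states the intent directly and keeps working if a machine entry later gains a value Nix cannot compare, such as a function.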