diff --git a/base/users.nix b/base/users.nix index 2af640f..263163f 100644 --- a/base/users.nix +++ b/base/users.nix @@ -5,10 +5,10 @@ in { users.mutableUsers = false; users.users.root = { - passwordFile = config.age.secrets."users/root-hashed-password".path; + hashedPassword = secrets.shadow-hashed-password-root; }; users.users.alarsyo = { - passwordFile = config.age.secrets."users/alarsyo-hashed-password".path; + hashedPassword = secrets.shadow-hashed-password-alarsyo; isNormalUser = true; extraGroups = [ "media" diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix index ef8f38a..0236f1d 100644 --- a/hosts/zephyrus/default.nix +++ b/hosts/zephyrus/default.nix @@ -3,6 +3,9 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, lib, pkgs, ... }: +let + secrets = config.my.secrets; +in { imports = [ # Include the results of the hardware scan. diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 0a0d1cd..5998d31 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -13,7 +13,4 @@ in { "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ]; "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ]; - - "users/root-hashed-password.age".publicKeys = machines; - "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ]; } diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age deleted file mode 100644 index 9d80aa7..0000000 Binary files a/modules/secrets/users/alarsyo-hashed-password.age and /dev/null differ diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age deleted file mode 100644 index b0ef183..0000000 Binary files a/modules/secrets/users/root-hashed-password.age and /dev/null differ diff --git a/services/restic-backup.nix b/services/restic-backup.nix index 66e531c..8d57f5c 100644 --- a/services/restic-backup.nix 
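Review bot: Switching `users.users.root` and `users.users.alarsyo` from `passwordFile` to `hashedPassword` moves both hashes out of the age-encrypted files and into the evaluated system configuration, which NixOS writes to the world-readable Nix store. Any local account, or anyone who obtains a copy of the system closure, can then read the hashes and attack them offline, regardless of how `config.my.secrets` is protected in the repository. Keeping the file-based form, e.g. `passwordFile = config.age.secrets."users/root-hashed-password".path;`, avoids that; if the inline form is intended, a comment such as `# hash is readable in /nix/store; accepted trade-off` would record the decision. The `let` that has to bind `secrets` in base/users.nix lies above the hunk and is not visible here.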
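Review bot: The new `secrets = config.my.secrets;` binding in hosts/zephyrus/default.nix is not used anywhere in the visible hunk, and the same binding added to the `let` in services/restic-backup.nix is not referenced in its hunk either. If nothing further down uses it, it can be dropped. If something does, any value read from it into an ordinary option is embedded in the store-backed configuration at evaluation time, unlike a `config.age.secrets.<name>.path` reference, which only names a file decrypted at activation. A one-line comment such as `# my.secrets values are embedded at eval time, not decrypted at activation` would make that explicit; both module bodies continue outside the hunks.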
+++ b/services/restic-backup.nix @@ -11,6 +11,7 @@ let ; cfg = config.my.services.restic-backup; + secrets = config.my.secrets; excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude)); makePruneOpts = pruneOpts: attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts; diff --git a/zephyrus.nix b/zephyrus.nix index ed011ae..e355eb3 100644 --- a/zephyrus.nix +++ b/zephyrus.nix @@ -10,6 +10,9 @@ # Service definitions ./services + # Configuration secrets + ./secrets + # Host-specific config ./hosts/zephyrus ];
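Review bot: The `./secrets` import added to zephyrus.nix points at a module this commit neither adds nor changes, so the diff does not show how `config.my.secrets` is declared or how its values are protected at rest. The new comment `# Configuration secrets` could carry that information, for example `# Configuration secrets (my.secrets; see <how the directory is protected>)`, filled in with the mechanism actually used. The imports list starts above the hunk.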