diff --git a/README.md b/README.md
index 9250e87..63bf1af 100644
--- a/README.md
+++ b/README.md
@@ -1,14 +1,9 @@
 Config
 ------
-This is an attempt to configure my NixOS servers with [krops][1]. Usage:
+Flakes:
- $ direnv allow .
- $ nix-build ./krops.nix -A hel1a && ./result
-
-There is probably nothing to look at here.
-
-Upcoming flakes:
+ $ deploy --interactive '#vno1-oh2'
 $ nix build .#deploy.nodes.hel1-a.profiles.system.path
@@ -26,14 +21,3 @@ Encode a secret on host:
 Decode a secret on host (to test things out):
 rage -d -i /etc/ssh/ssh_host_ed25519_key secret.age
-
-Bootstrapping
--------------
-
-Prereqs:
-
- mkdir -p /etc/secrets/initrd
- ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519
-
-[1]: https://cgit.krebsco.de/krops/about/
-
diff --git a/secrets.nix b/secrets.nix
index 48dba86..f3a3cd8 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -15,6 +15,9 @@ in {
 "secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
 "secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus;
+ "secrets/hel1-a/zfs-passphrase.age".publicKeys = [vno1-oh2] ++ motiejus;
+ "secrets/vno1-oh2/zfs-passphrase.age".publicKeys = [hel1-a] ++ motiejus;
+
 "secrets/motiejus_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
 "secrets/root_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
 }
diff --git a/secrets/hel1-a.zfs-passphrase.gpg b/secrets/hel1-a.zfs-passphrase.gpg
deleted file mode 100644
index fecd648..0000000
Binary files a/secrets/hel1-a.zfs-passphrase.gpg and /dev/null differ
diff --git a/secrets/hel1-a/zfs-passphrase.age b/secrets/hel1-a/zfs-passphrase.age
new file mode 100644
index 0000000..a12f1f7
--- /dev/null
+++ b/secrets/hel1-a/zfs-passphrase.age
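Review bot: In the secrets.nix hunk the two new recipient lists are crossed relative to their paths: `secrets/hel1-a/zfs-passphrase.age` is encrypted to `[vno1-oh2]` and `secrets/vno1-oh2/zfs-passphrase.age` to `[hel1-a]`, while the other visible `secrets/hel1-a/...` entries use `[hel1-a]`. If this is deliberate (presumably so each host can unlock the other's pool), say so with a comment above the pair, e.g. `# each host holds the peer's ZFS passphrase for remote unlock, not its own`; without it the lines read as a copy-paste slip. The design also means that compromise of either host's SSH host key exposes the other host's disk passphrase, which is worth stating in the same comment. The deleted `secrets/hel1-a.zfs-passphrase.gpg` remains in git history, so if the passphrase was carried over unchanged, its confidentiality still depends on the old GPG key as well.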
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 gJrHQg DsQM1OiPx2mZ5zCIoWhswaXAruIyjeYvDT/NpCfQang +ExnIjettDSsT1BhtrOiuKTHmkuG1UH2oJVFvtaxcskI +-> X25519 cOjSCW3bPvgvXwZ+OGhYqmuuzTyBG5D0EUA9aSPIABE +7dzr3eQjQcF3buVLfn66yiv4Oo8gVATjngSn3JtYiEA +-> piv-p256 +y2G/w A9mCDRKigSM1Bjz5UfNn6pCge9Ifip1qEuSi8oXrqxFR +v7VYoxTUZhVwjvo6HwGuLwppz808rVadQV+uSTisKc4 +-> piv-p256 jNqd3A A+IpWq0hEn3lvkXGhdA4HwzOf7qMUfP8h2Ulyw6RJWr2 +VKT5WZBnNscxcu2Bv3JyvRzzs9C1PwrrdHOW4mwJbg4 +-> c[,kV-grease +V6pw1EYTT8KqLcGIVKZWTAGr5gjj1J3O6+jElQ +--- rU4We/c5iA84jdP6PP46PtDHPv2hFUnKIQd7d8C2AR8 +F;D`A ΁cHѝV oJ9y_ZNڌo/+ijF ssh-ed25519 vDjOfg yX0zrlNsaJBSf3PqD4ccm/9z5tQhv5d7vbGQbITKNGQ +1adV8hkhSTQPSlPuKQypvWPAcker/kjObBxDfos6x2I +-> X25519 TASHTwnBupJ72eFuJs4Oph68Js31AyjtpXcHDR8xKl8 +/181mos15wmANSJwo5QPZRUAx3vFoZ4wPpimbIfvC4o +-> piv-p256 +y2G/w A09p8H96e0/FfHSTajYQZTvSYXwT7EvzFf1qVZtdwsax +Mgkl6t5uDGN8cYVoDXjEYB+RxeXyyLsZrWvGP7KMCNc +-> piv-p256 jNqd3A A3Rh+tYvU/vfS6+2GXyOOM3auOu4KfXWFhyvyXgojBbf +l0whgIauEX31OqPyDMTZ2OLUBOzPVFSVnjxbYu7JeSE +-> cD-grease u8 9nH (N(2JYW 'd +mAo1sjuzyaHtnQhYLApV9g +--- QcxzgeZhzogykC09MKj4VMVOZdq6i8N1OOcFf0nkABc +k{n/c8 gQ~1vq{sōO \ No newline at end of file