diff --git a/hosts/ward/microvms/grafana.nix b/hosts/ward/microvms/grafana.nix
index 374d5b0..0f50b95 100644
--- a/hosts/ward/microvms/grafana.nix
+++ b/hosts/ward/microvms/grafana.nix
@@ -11,20 +11,20 @@ in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];

 age.secrets.grafana-secret-key = {
- rekeyFile = ./secrets/grafana-secret-key.age;
+ rekeyFile = config.node.secretsDir + "/grafana-secret-key.age";
 mode = "440";
 group = "grafana";
 };

 age.secrets.grafana-loki-basic-auth-password = {
- rekeyFile = ./secrets/grafana-loki-basic-auth-password.age;
+ rekeyFile = config.node.secretsDir + "/grafana-loki-basic-auth-password.age";
 generator = "alnum";
 mode = "440";
 group = "grafana";
 };

 age.secrets.grafana-influxdb-token = {
- rekeyFile = ./secrets/grafana-influxdb-token.age;
+ rekeyFile = config.node.secretsDir + "/grafana-influxdb-token.age";
 mode = "440";
 group = "grafana";
 };
diff --git a/hosts/ward/microvms/kanidm.nix b/hosts/ward/microvms/kanidm.nix
index 2b7d57c..dfb9621 100644
--- a/hosts/ward/microvms/kanidm.nix
+++ b/hosts/ward/microvms/kanidm.nix
@@ -13,13 +13,13 @@ in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];

 age.secrets."kanidm-self-signed.crt" = {
- rekeyFile = ./secrets/kanidm-self-signed.crt.age;
+ rekeyFile = config.node.secretsDir + "/kanidm-self-signed.crt.age";
 mode = "440";
 group = "kanidm";
 };

 age.secrets."kanidm-self-signed.key" = {
- rekeyFile = ./secrets/kanidm-self-signed.key.age;
+ rekeyFile = config.node.secretsDir + "/kanidm-self-signed.key.age";
 mode = "440";
 group = "kanidm";
 };
diff --git a/hosts/ward/microvms/loki.nix b/hosts/ward/microvms/loki.nix
index 3b866ae..e94af50 100644
--- a/hosts/ward/microvms/loki.nix
+++ b/hosts/ward/microvms/loki.nix
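Review bot: Nothing in this diff shows that the encrypted `.age` files were moved to match the new `rekeyFile` values in grafana.nix, or that `config.node.secretsDir` (declared elsewhere) is a path rather than a string. For `grafana-loki-basic-auth-password`, which sets `generator = "alnum"`, a file missing at the new location would presumably be regenerated rather than reported, silently rotating the password; the secrets without a generator should fail loudly instead. The same applies to the kanidm.nix hunk and to the loki.nix and vaultwarden.nix hunks, and `loki-basic-auth-hashes` also carries a generator script. I would add a comment above the first secret, e.g. `# .age files live in config.node.secretsDir, not next to this module`, and confirm the option is declared as `types.path`.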
@@ -14,7 +14,7 @@ in {
 networking.providedDomains.loki = lokiDomain;

 age.secrets.loki-basic-auth-hashes = {
- rekeyFile = ./secrets/loki-basic-auth-hashes.age;
+ rekeyFile = config.node.secretsDir + "/loki-basic-auth-hashes.age";
 # Copy only the script so the dependencies can be added by the nodes
 # that define passwords (using distributed-config).
 generator.script = config.age.generators.basic-auth.script;
diff --git a/hosts/ward/microvms/vaultwarden.nix b/hosts/ward/microvms/vaultwarden.nix
index 62e8ec6..7265b6d 100644
--- a/hosts/ward/microvms/vaultwarden.nix
+++ b/hosts/ward/microvms/vaultwarden.nix
@@ -14,7 +14,7 @@ in {
 ];

 age.secrets.vaultwarden-env = {
- rekeyFile = ./secrets/vaultwarden-env.age;
+ rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";
 mode = "440";
 group = "vaultwarden";
 };