diff --git a/flake.lock b/flake.lock
index cbd5186..1bad8f3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,12 +52,12 @@
 "pre-commit-hooks": "pre-commit-hooks"
 },
 "locked": {
- "dirtyRev": "8e853a2094472ac2665b453de41832f0f6cf0aa9-dirty",
- "dirtyShortRev": "8e853a2-dirty",
- "lastModified": 1695571453,
+ "lastModified": 1695572027,
 "narHash": "sha256-Qws2IEoO/L7YGzXyweL5VlgHaTWR4UY7Apkbxhihrzg=",
- "type": "git",
- "url": "file:///home/malte/projects/agenix-rekey"
+ "owner": "oddlama",
+ "repo": "agenix-rekey",
+ "rev": "0dbcb125b426050ff63e7453d051513ec063a352",
+ "type": "github"
 },
 "original": {
 "owner": "oddlama",
diff --git a/modules/config/impermanence.nix b/modules/config/impermanence.nix
index a9a9d79..6493119 100644
--- a/modules/config/impermanence.nix
+++ b/modules/config/impermanence.nix
@@ -90,32 +90,16 @@ in {
 hideMounts = true;
 directories = [
- {
- directory = "/var/lib/systemd";
- user = "root";
- group = "root";
- mode = "0755";
- }
- {
- directory = "/var/log";
- user = "root";
- group = "root";
- mode = "0755";
- }
- #{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
- #{ directory = "/var/tmp"; user = "root"; group = "root"; mode = "1777"; }
- {
- directory = "/var/spool";
- user = "root";
- group = "root";
- mode = "0755";
- }
+ "/var/tmp/agenix-rekey"
+ "/var/lib/systemd"
+ "/var/log"
+ #{ directory = "/tmp"; mode = "1777"; }
+ #{ directory = "/var/tmp"; mode = "1777"; }
+ "/var/spool"
 ]
 ++ optionals config.networking.wireless.iwd.enable [
 {
 directory = "/var/lib/iwd";
- user = "root";
- group = "root";
 mode = "0700";
 }
 ];
@@ -132,12 +116,7 @@ in {
 ];
 directories = [
- {
- directory = "/var/lib/nixos";
- user = "root";
- group = "root";
- mode = "0755";
- }
+ "/var/lib/nixos"
 ]
 ++ optionals config.security.acme.acceptTerms [
 {
@@ -150,8 +129,6 @@ in {
 ++ optionals config.services.printing.enable [
 {
 directory = "/var/lib/cups";
- user = "root";
- group = "root";
 mode = "0700";
 }
 ]
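Review bot: The new `"/var/tmp/agenix-rekey"` entry in the `directories` list is a bare string, so it takes the persistence module's default owner and mode rather than the explicit `user`/`group`/`mode` the neighbouring entries used to carry (presumably root:root 0755, matching those collapsed defaults — confirm). With secrets.nix now pointing the cache at `/var/tmp/agenix-rekey/"$UID"`, a non-root user cannot create their per-UID subdirectory under a root-owned 0755 directory, so the cache only works when rekeying runs as root; and if the mode is later opened up like the commented-out 1777 `/tmp` entries, the predictable per-UID path in a world-writable directory can be pre-created and owned by any other local user. Make the intent explicit with `{ directory = "/var/tmp/agenix-rekey"; mode = "0700"; }` if only root rekeys, and add a comment stating that assumption so the mode is not relaxed casually. The enclosing persistence attribute set starts outside the hunk.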
@@ -238,16 +215,12 @@ in {
 ++ optionals config.services.adguardhome.enable [
 {
 directory = "/var/lib/private/AdGuardHome";
- user = "root";
- group = "root";
 mode = "0700";
 }
 ]
 ++ optionals config.services.esphome.enable [
 {
 directory = "/var/lib/private/esphome";
- user = "root";
- group = "root";
 mode = "0700";
 }
 ]
diff --git a/modules/config/secrets.nix b/modules/config/secrets.nix
index 3f973aa..81bded7 100644
--- a/modules/config/secrets.nix
+++ b/modules/config/secrets.nix
@@ -26,7 +26,7 @@
 forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
 hostPubkey = config.node.secretsDir + "/host.pub";
 generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.node.name}";
- cacheDir = "\"\${XDG_CACHE_HOME:=$HOME/.cache}/agenix-rekey\"";
+ cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
 };
 age.generators.basic-auth = {
diff --git a/users/modules/config/impermanence.nix b/users/modules/config/impermanence.nix
index 6ebd3a3..47c2fcb 100644
--- a/users/modules/config/impermanence.nix
+++ b/users/modules/config/impermanence.nix
@@ -12,7 +12,6 @@ in {
 home.persistence."/state".directories = [
- ".cache/agenix-rekey" # agenix-rekey cache
 ".cache/fontconfig"
 ".cache/nix" # nix eval cache
 ".config/dconf" # some apps store their configuration using dconf
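Review bot: The new `cacheDir` relies on `$UID`, which is a bash/zsh-provided variable and not a POSIX `sh` parameter, whereas the value it replaces used only portable `${XDG_CACHE_HOME:=$HOME/.cache}` expansion. The `:=` in the old value shows this string is expanded by a shell; if agenix-rekey evaluates it with a plain `sh` (not visible here — confirm), `$UID` expands to empty and every user's cache collapses into the shared `/var/tmp/agenix-rekey/` directory. Use the portable form `cacheDir = "/var/tmp/agenix-rekey/\"$(id -u)\"";` instead. Since the cache now lives under a shared system path rather than `$HOME`, it is also worth checking that agenix-rekey creates the per-user directory with 0700 rather than the ambient umask, and recording that expectation in a comment next to the option.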