diff --git a/flake.lock b/flake.lock index 70d274b..865fe2c 100644 --- a/flake.lock +++ b/flake.lock @@ -28,11 +28,11 @@ ] }, "locked": { - "lastModified": 1678494029, - "narHash": "sha256-2DV9aeUsFuczk4olt4WtlRVuQwIjF8OFK4EzfJ5JFJA=", + "lastModified": 1678898163, + "narHash": "sha256-Cn35A08nzi+S9+RfFyAD4yMBGFerlk9ESMhAm/CJqRE=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "7eaf151db39f62c9fbde5c19778e3cce3be243ad", + "rev": "653dcdbeba427b0c88137683055b8033c987b137", "type": "github" }, "original": { @@ -166,11 +166,11 @@ ] }, "locked": { - "lastModified": 1678464939, - "narHash": "sha256-pRMlwOUkO1OwSi7qF6XR/zcocWy/ZYxXgbYWvnZQO9k=", + "lastModified": 1678886248, + "narHash": "sha256-ff81NJtc+AgQhUlTCkx8t8hda0o72vSxDeHVGrfxH70=", "owner": "nix-community", "repo": "home-manager", - "rev": "7224d7c54c5fc74cdf60b208af6148ed3295aa32", + "rev": "2bd74d92bc7345f323ebcbfeb631d5cf4067ed8e", "type": "github" }, "original": { @@ -211,11 +211,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1678380223, - "narHash": "sha256-HUxnK38iqrX84QdQxbFcosRKV3/koj1Zzp5b5aP4lIo=", + "lastModified": 1678819893, + "narHash": "sha256-lfA6WGdxPsPkBK5Y19ltr5Sn7v7MlT+jpZ4nUgco0Xs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1e2590679d0ed2cee2736e8b80373178d085d263", + "rev": "7067edc68c035e21780259ed2d26e1f164addaa2", "type": "github" }, "original": { @@ -299,11 +299,11 @@ }, "templates": { "locked": { - "lastModified": 1676551231, - "narHash": "sha256-JS1o31ew90UiccpoQHxP84Wn0n7ClgyVpAsJV20Ep5E=", + "lastModified": 1678524284, + "narHash": "sha256-3tk4RHKrIbz2tNVyW2WOrgZBe26jhfBiz7bzb7b8p5I=", "owner": "NixOS", "repo": "templates", - "rev": "3ac7e8ba52feb2b89e943a6ce0f7a30d6faf81c6", + "rev": "0edaa0637331e9d8acca5c8ec67936a2c8b8749b", "type": "github" }, "original": { diff --git a/hosts/nom/net.nix b/hosts/nom/net.nix index 0b13f0e..18c51eb 100644 --- a/hosts/nom/net.nix +++ b/hosts/nom/net.nix 
@@ -1,4 +1,4 @@
-{
+{ nodeSecrets, ... }: {
 networking = {
 hostId = "4313abca";
 wireless.iwd.enable = true;
@@ -7,14 +7,14 @@
 systemd.network.networks = {
 "10-lan1" = {
 DHCP = "yes";
- matchConfig.MACAddress = "00:00:00:00:00:00";
+ matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan1.mac;
 networkConfig.IPv6PrivacyExtensions = "kernel";
 dhcpV4Config.RouteMetric = 10;
 dhcpV6Config.RouteMetric = 10;
 };
 "10-wlan1" = {
 DHCP = "yes";
- matchConfig.MACAddress = "00:00:00:00:00:00";
+ matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
 networkConfig.IPv6PrivacyExtensions = "kernel";
 dhcpV4Config.RouteMetric = 40;
 dhcpV6Config.RouteMetric = 40;
diff --git a/hosts/nom/initrd_host_ed25519_key.age b/hosts/nom/secrets/initrd_host_ed25519_key.age
similarity index 100%
rename from hosts/nom/initrd_host_ed25519_key.age
rename to hosts/nom/secrets/initrd_host_ed25519_key.age
diff --git a/hosts/nom/secrets/secrets.nix.age b/hosts/nom/secrets/secrets.nix.age
new file mode 100644
index 0000000..60cfac9
Binary files /dev/null and b/hosts/nom/secrets/secrets.nix.age differ
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 03c7a3d..d422661 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -1,19 +1,17 @@
-{
- networking = {
- hostId = "49ce3b71";
- };
+{ nodeSecrets, ... }: {
+ networking.hostId = "49ce3b71";
 systemd.network.networks = {
 "10-lan1" = {
 DHCP = "yes";
- matchConfig.MACAddress = "00:00:00:00:00:00";
+ matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan1.mac;
 networkConfig.IPv6PrivacyExtensions = "kernel";
 dhcpV4Config.RouteMetric = 10;
 dhcpV6Config.RouteMetric = 10;
 };
 "10-lan2" = {
 DHCP = "yes";
- matchConfig.MACAddress = "00:00:00:00:00:00";
+ matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan2.mac;
 networkConfig.IPv6PrivacyExtensions = "kernel";
 dhcpV4Config.RouteMetric = 20;
 dhcpV6Config.RouteMetric = 20;
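Review bot: `nodeSecrets.networking.interfaces.lan1.mac` in hosts/nom/net.nix (and the wlan1/lan2 lookups here, in hosts/ward/net.nix and in hosts/zackbiene/net.nix) is read at evaluation time, so the value presumably ends up in the generated networkd unit inside the world-readable Nix store. That keeps the MAC out of the git history but not away from local users, builders or a binary cache that receives the closure; how nodeSecrets is decrypted is not visible in this diff. I would state that boundary next to the first use, e.g. `# nodeSecrets is eval-time data and ends up in /nix/store: repo-private values only, never credentials`. Evaluating these hosts now also seems to require the ability to decrypt secrets.nix.age, which is worth documenting for CI or remote builders.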
diff --git a/hosts/ward/initrd_host_ed25519_key.age b/hosts/ward/secrets/initrd_host_ed25519_key.age similarity index 100% rename from hosts/ward/initrd_host_ed25519_key.age rename to hosts/ward/secrets/initrd_host_ed25519_key.age diff --git a/hosts/ward/secrets/secrets.nix.age b/hosts/ward/secrets/secrets.nix.age new file mode 100644 index 0000000..b9c83b3 --- /dev/null +++ b/hosts/ward/secrets/secrets.nix.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 fJutn5YCebczN3xQLTDNPKQlNj4p47h1sUgkyVfRARw +V61YLy8oXTJZUFhpxYCM7glt1u3LKtVgkp0XDdYwlaE +-> piv-p256 xqSe8Q AzOVI4DKP7g7Rzr7NbH6olY/T57R9BbO5gNpeXrCn+xZ +cmD4KdE3CIbKp36azm7fuL5V1EVvgcuaLE8/cEzE7x0 +-> @Zm-grease )8>fIDi YH{ Qp_) VJs.7 +jkMFKrAANRssnB6n0Cr6cxVc5g +--- eNSoD5B33WIgF5M26POfs5rUjqVNb6BqiMedIMS7/H8 +&^Ӕ3 s $m"ek٦~Bade^9/aI/yJF'I^ÍWP/0u;bn +TXr/,ۑ%SɃ}娵`ɃϞ {$O \ No newline at end of file diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix index 3b5555f..603ed84 100644 --- a/hosts/zackbiene/default.nix +++ b/hosts/zackbiene/default.nix @@ -21,6 +21,7 @@ ./zigbee2mqtt.nix ./esphome.nix ./nginx.nix + ./hostapd.nix ]; boot.loader.grub.enable = false; diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix new file mode 100644 index 0000000..b0615f8 --- /dev/null +++ b/hosts/zackbiene/hostapd.nix @@ -0,0 +1,6 @@ +{ + lib, + config, + ... +}: { +} diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix index 0c8d422..f53a314 100644 --- a/hosts/zackbiene/net.nix +++ b/hosts/zackbiene/net.nix 
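Review bot: hosts/zackbiene/hostapd.nix is imported from default.nix but its body is empty, and `lib` and `config` are bound without being used. A one-line header such as `# Placeholder: access-point configuration for zackbiene, not enabled yet` would tell a reader that the stub is intentional. When the access-point settings are filled in, the passphrase should come from a runtime-decrypted secret file rather than an eval-time value, since the latter would be copied into the Nix store.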
@@ -1,15 +1,20 @@
-{
- networking = {
- hostId = "f7e6acdc";
- };
+{ nodeSecrets, ... }: {
+ networking.hostId = "f7e6acdc";
 systemd.network.networks = {
 "10-lan1" = {
 DHCP = "yes";
- matchConfig.MACAddress = "00:00:00:00:00:00";
+ matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan1.mac;
 networkConfig.IPv6PrivacyExtensions = "kernel";
 dhcpV4Config.RouteMetric = 10;
 dhcpV6Config.RouteMetric = 10;
 };
+ #"10-wlan1" = {
+ # DHCP = "yes";
+ # matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
+ # networkConfig.IPv6PrivacyExtensions = "kernel";
+ # dhcpV4Config.RouteMetric = 40;
+ # dhcpV6Config.RouteMetric = 40;
+ #};
 };
 }
diff --git a/hosts/zackbiene/secrets/secrets.nix.age b/hosts/zackbiene/secrets/secrets.nix.age
index 25625ad..f966809 100644
Binary files a/hosts/zackbiene/secrets/secrets.nix.age and b/hosts/zackbiene/secrets/secrets.nix.age differ
diff --git a/modules/initrd-ssh.nix b/modules/initrd-ssh.nix
index e03efe9..278ce3c 100644
--- a/modules/initrd-ssh.nix
+++ b/modules/initrd-ssh.nix
@@ -3,7 +3,7 @@
 name,
 ...
 }: {
- rekey.secrets.initrd_host_ed25519_key.file = ../hosts/${name}/initrd_host_ed25519_key.age;
+ rekey.secrets.initrd_host_ed25519_key.file = ../hosts/${name}/secrets/initrd_host_ed25519_key.age;
 boot.initrd.network.enable = true;
 boot.initrd.network.ssh = {
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index 5b02c71..9cce0ec 100644
Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ
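Review bot: The `#"10-wlan1"` block added to hosts/zackbiene/net.nix is committed as commented-out configuration with no reason given, and it refers to `nodeSecrets.networking.interfaces.wlan1.mac`, which may not be defined for this host. If it is disabled because wlan1 is meant for the new hostapd module (an inference from this commit adding ./hostapd.nix), say so above the block, e.g. `# wlan1 is not managed by networkd yet; see ./hostapd.nix`. Otherwise I would drop the block until it is needed.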