diff --git a/configs/nixos/radicale.nix b/configs/nixos/radicale.nix index 7081633..a965d54 100644 --- a/configs/nixos/radicale.nix +++ b/configs/nixos/radicale.nix @@ -11,7 +11,7 @@ auth = { type = "htpasswd"; htpasswd_encryption = "md5"; - htpasswd_filename = "${inputs.nix-secrets}/radicale-users"; + htpasswd_filename = config.sops.secrets.radicale-users.path; }; }; }; diff --git a/flake.lock b/flake.lock index 89b02b3..4ed27fe 100644 --- a/flake.lock +++ b/flake.lock @@ -235,10 +235,10 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1721938549, - "narHash": "sha256-Iy3o7Q9GQybHPgDLzxCRhLVI7Q7P9U7/TCDSEMmFuFs=", + "lastModified": 1723051814, + "narHash": "sha256-JdAUqMsEqvQZAoCBwiBNM1RboE05BxVaj4fuV0YPSto=", "ref": "refs/heads/main", - "rev": "f61fd3244eab8d1406f89867b8025d5fe9385551", + "rev": "44935ad2ecb400d49ecee5e4f78f7c576c026a9a", "shallow": true, "type": "git", "url": "ssh://forgejo@git.venberg.xyz/Gabe/nix-secrets.git" diff --git a/hosts/cirrostratus/default.nix b/hosts/cirrostratus/default.nix index 9c7a1a0..5ef56f5 100644 --- a/hosts/cirrostratus/default.nix +++ b/hosts/cirrostratus/default.nix @@ -13,6 +13,7 @@ inputs.nixpkgs.lib.nixosSystem { inputs.disko.nixosModules.disko ./disk-config.nix ./hardware-configuration.nix + ./nginx.nix ../../configs/nixos/common.nix ../../configs/nixos/tailscale.nix ../../configs/nixos/sshd.nix @@ -29,6 +30,7 @@ inputs.nixpkgs.lib.nixosSystem { fullName = "Gabe Venberg"; gui.enable = false; }; + boot.zfs.extraPools = ["storage"]; networking.hostName = "cirrostratus"; # Define your hostname. networking.hostId = "1b9da0b9"; networking.useNetworkd = true; @@ -52,6 +54,11 @@ inputs.nixpkgs.lib.nixosSystem { sops = lib.mkIf (inputs ? nix-secrets) { secrets = { duckdns-token.sopsFile = "${inputs.nix-secrets}/duckdns.yaml"; + gabevenberg-draft-credentials = { + sopsFile = "${inputs.nix-secrets}/draft.gabevenberg.com"; + format = "binary"; + owner = config.services.nginx.user; + }; }; }; 
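Review bot: Pointing `htpasswd_filename` at the sops path does not remove the copies the old line already created: every generation built from `${inputs.nix-secrets}/radicale-users` still holds that file world-readable under /nix/store until those generations are deleted and garbage-collected, so the credentials in it should be rotated, not just relocated. The `htpasswd_encryption = "md5"` context line makes this more pressing, since apr1-MD5 hashes are cheap to brute-force offline; if the radicale package in use ships bcrypt support, pairing this change with `htpasswd_encryption = "bcrypt";` and regenerated entries is the sensible follow-up. The new line also assumes `config` is in this module's argument set, which is outside the hunk.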
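Review bot: The `lib.mkIf (inputs ? nix-secrets)` guard around `gabevenberg-draft-credentials` does not make this host evaluable without the nix-secrets input, because `./nginx.nix` (added to `modules` in the first hunk of this file) reads `config.sops.secrets.gabevenberg-draft-credentials.path` unconditionally, so a build without the input fails on a missing attribute rather than degrading. If an input-less evaluation is meant to work, the vhost needs the same condition; otherwise the `mkIf` only obscures the hard dependency and should go, with a comment such as `# nix-secrets is required: nginx.nix dereferences this secret's path`. `lib` is presumably bound in this module's argument list, which is outside the hunk.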
diff --git a/hosts/cirrostratus/disk-config.nix b/hosts/cirrostratus/disk-config.nix index 788b07c..cb72fd7 100644 --- a/hosts/cirrostratus/disk-config.nix +++ b/hosts/cirrostratus/disk-config.nix @@ -66,13 +66,7 @@ mode = "mirror"; rootFsOptions = { compression = "zstd"; - }; - - datasets = { - dataset = { - type = "zfs_fs"; - options.mountpoint = "/storage/dataset"; - }; + mountpoint = "/storage"; }; }; }; diff --git a/hosts/cirrus/nginx.nix b/hosts/cirrostratus/nginx.nix similarity index 51% rename from hosts/cirrus/nginx.nix rename to hosts/cirrostratus/nginx.nix index 5382ffc..1f2cda3 100644 --- a/hosts/cirrus/nginx.nix +++ b/hosts/cirrostratus/nginx.nix @@ -13,4 +13,10 @@ forceSSL = true; root = "/var/www/gabevenberg.com"; }; + services.nginx.virtualHosts."draft.gabevenberg.com" = { + enableACME = true; + forceSSL = true; + root = "/var/www/draft.gabevenberg.com"; + basicAuthFile = config.sops.secrets.gabevenberg-draft-credentials.path; + }; } diff --git a/hosts/cirrus/default.nix b/hosts/cirrus/default.nix index 82d58e7..88195c5 100644 --- a/hosts/cirrus/default.nix +++ b/hosts/cirrus/default.nix @@ -12,18 +12,18 @@ inputs.nixpkgs.lib.nixosSystem { inputs.home-manager.nixosModules.home-manager inputs.disko.nixosModules.disko ./disk-config.nix - ./nginx.nix ../../roles/nixos/vm.nix ../../configs/nixos/common.nix ../../configs/nixos/tailscale.nix ../../configs/nixos/sshd.nix - # ../../configs/nixos/secrets.nix + ../../configs/nixos/secrets.nix ../../configs/nixos/radicale.nix ../../configs/nixos/forgejo.nix ({ config, pkgs, configLib, + lib, ... }: { host = { @@ -44,6 +44,15 @@ inputs.nixpkgs.lib.nixosSystem { }; }; + sops = lib.mkIf (inputs ? nix-secrets) { + secrets = { + radicale-users = { + sopsFile = "${inputs.nix-secrets}/radicale-users"; + format = "binary"; + owner = "radicale"; + }; + }; + }; home-manager.users.${config.host.user} = { inputs, osConfig, diff --git a/modules/nixos/duckdns.nix b/modules/nixos/duckdns.nix index 1a566b1..375eb86 100644 
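Review bot: `basicAuthFile` dereferences `config.sops.secrets.gabevenberg-draft-credentials.path`, but the module's argument list is outside this hunk and the file it was renamed from (51% similarity) may not have taken `config`; if it does not, the vhost fails with an undefined-variable error at evaluation, so the header should read `{ config, ... }:`. A short comment would also help the next reader see why the secret's owner matters: `# read by the nginx workers at request time; the secret is owned by the nginx user in the host config`. The `services.nginx.virtualHosts` set this hunk extends begins before the hunk.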
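Review bot: The `lib.mkIf (inputs ? nix-secrets)` wrapper on the `radicale-users` secret is ineffective as written, because `../../configs/nixos/radicale.nix` stays in `modules` unconditionally and, elsewhere in this diff, now reads `config.sops.secrets.radicale-users.path`; without the input the host fails on a missing attribute instead of evaluating without radicale. If an input-less evaluation is meant to work, the radicale module needs the same guard, for example by appending it to the list with `++ lib.optional (inputs ? nix-secrets) ../../configs/nixos/radicale.nix`; otherwise drop the `mkIf` so the hard dependency is explicit. The `lib` binding added to the argument list is the only visible declaration of it, as the hunk cuts into the middle of the host's module body.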
--- a/modules/nixos/duckdns.nix +++ b/modules/nixos/duckdns.nix @@ -57,16 +57,21 @@ in { DynamicUser = true; RuntimeDirectory = "duckdns-update"; RuntimeDirectoryMode = "700"; + LoadCredential = + [ + "tokenFile:${cfg.tokenFile}" + ] + ++ lib.optionals (cfg.domainsFile != null) ["domainsFile:${cfg.domainsFile}"]; }; script = '' install --mode 600 ${urlFile} $RUNTIME_DIRECTORY/curlurl # replace the token - ${pkgs.replace-secret}/bin/replace-secret @token_placeholder@ ${cfg.tokenFile} $RUNTIME_DIRECTORY/curlurl + ${pkgs.replace-secret}/bin/replace-secret @token_placeholder@ $CREDENTIALS_DIRECTORY/tokenFile $RUNTIME_DIRECTORY/curlurl # initalise the replacement file for the domains from the domains file if it exists, otherwise make it empty. install --mode 600 ${ if (cfg.domainsFile != null) - then cfg.domainsFile + then "$CREDENTIALS_DIRECTORY/domainsFile" else "/dev/null" } $RUNTIME_DIRECTORY/domains # these are already in the nix store, so doesnt matter if they leak via cmdline.
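Review bot: The `LoadCredential` list deserves a comment saying why the token and domains file go through systemd credentials instead of being opened directly: with `DynamicUser = true` the service runs as a transient UID that cannot read a root-owned 0400 secret (the default for sops-nix paths such as the `duckdns-token` declared elsewhere in this diff), whereas systemd copies credentials in as root before dropping privileges. Suggested on the `LoadCredential =` line: `# systemd copies these in as root, so the DynamicUser can consume root-only secret files`. `lib` is presumably bound by the `let` that precedes `in {`, which is outside the hunk.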