diff --git a/hosts/common/configs/system/nix-install/install.sh b/hosts/common/configs/system/nix-install/install.sh
index 1990e94..5463e73 100644
--- a/hosts/common/configs/system/nix-install/install.sh
+++ b/hosts/common/configs/system/nix-install/install.sh
@@ -43,17 +43,17 @@ check_host() {
 }
 
 check_key() {
-  if [[ -n "$key" ]] && [[ ! -f "$flake/secrets/$key/key.txt" ]]; then
+  if [[ -n "$key" ]] && [[ ! -f "$flake/submodules/secrets/domains/$key/key.txt" ]]; then
     echo "Key '$key' not found."
     exit 1
   fi
 }
 
 set_password_file() {
-  SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
+  SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
   export SOPS_AGE_KEY_FILE
   install -m 600 /dev/null /tmp/keyfile
-  sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
+  sops --decrypt --extract "['luks']" "$flake/submodules/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
   unset SOPS_AGE_KEY_FILE
 }
 
@@ -66,7 +66,7 @@ prepare_disk() {
 
 copy_sops_keys() {
   mkdir -p "$root/persist/state/etc/ssh"
-  cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
+  cp -f "$flake/submodules/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
 
   for path in "$flake/hosts/$host/users"/*; do
     if [[ -z "$key" ]]; then
@@ -77,7 +77,7 @@ copy_sops_keys() {
     user=$(basename "$path")
 
     mkdir -p "$root/persist/state/home/$user/.config/sops-nix"
-    cp -f "$flake/secrets/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
+    cp -f "$flake/submodules/secrets/domains/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
 
     owner=$(cat "$flake/hosts/$host/users/$user/uid")
     group=100
@@ -92,16 +92,16 @@ copy_sops_keys() {
 copy_secure_boot_keys() {
   mkdir -p "$root/persist/state/var/lib/sbctl/keys"/{db,KEK,PK}
 
-  SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
+  SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
   export SOPS_AGE_KEY_FILE
 
-  sops --decrypt --extract "['guid']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
-  sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
-  sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
-  sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
-  sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
-  sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
-  sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
+  sops --decrypt --extract "['guid']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
+  sops --decrypt --extract "['keys']['kek']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
+  sops --decrypt --extract "['keys']['kek']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
+  sops --decrypt --extract "['keys']['pk']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
+  sops --decrypt --extract "['keys']['pk']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
+  sops --decrypt --extract "['keys']['db']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
+  sops --decrypt --extract "['keys']['db']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
 
   chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*