diff --git a/home/modules/neovim/default.nix b/home/modules/neovim/default.nix
index c7f4e94b..710de5a4 100644
--- a/home/modules/neovim/default.nix
+++ b/home/modules/neovim/default.nix
@@ -1475,6 +1475,7 @@ in {
                 };
               };
 
+              # TODO: Replace with neo-tree (or figure out how to multiselect and cut/paste)
               explorer = {
                 enabled = true;
                 replace_netrw = false; # Use yazi for that
diff --git a/system/services/heidi.nix b/system/services/heidi.nix
index 35ade07e..b3b6bfa9 100644
--- a/system/services/heidi.nix
+++ b/system/services/heidi.nix
@@ -19,7 +19,9 @@
     ];
 
     environment = {
-      DISCORD_TOKEN = (builtins.readFile ./heidi.discord_token);
+      # TODO: I can't do this because readFile obviously doesn't
+      #       read at runtime but at buildtime, duh...
+      DISCORD_TOKEN = builtins.readFile config.age.secrets.heidi-discord-token.path;
       DOCKER = "True";
     };
 
diff --git a/system/services/kopia.nix b/system/services/kopia.nix
index 04bd413f..86d2a1a9 100644
--- a/system/services/kopia.nix
+++ b/system/services/kopia.nix
@@ -56,7 +56,7 @@
     environment = {
       TZ = "Europe/Berlin";
       USER = "christoph";
-      KOPIA_PASSWORD = (builtins.readFile ./kopia.password);
+      KOPIA_PASSWORD = builtins.readFile config.age.secrets.kopia-user-password.path;
     };
 
     entrypoint = "/bin/kopia";
@@ -67,8 +67,8 @@
       "--disable-csrf-token-checks"
       "--insecure"
       "--address=0.0.0.0:51515"
-      "--server-username=christoph"
-      "--server-password=kopia"
+      "--server-username=${builtins.readFile config.age.secrets.kopia-server-username.path}"
+      "--server-password=${builtins.readFile config.age.secrets.kopia-server-password.path}"
     ];
 
     extraOptions = [