diff --git a/.gitattributes b/.gitattributes
index 3d0f92e..8e672fe 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 nix/home-manager/secrets/factorio.nix filter=git-agecrypt diff=git-agecrypt
 nix/etcnixos/secrets/wifi-passwords.nix filter=git-agecrypt diff=git-agecrypt
+nix/etcnixos/secrets/secureboot.tar filter=git-agecrypt diff=git-agecrypt
diff --git a/git-agecrypt.toml b/git-agecrypt.toml
index f2810c7..368d47d 100644
--- a/git-agecrypt.toml
+++ b/git-agecrypt.toml
@@ -1,9 +1,13 @@
 [config]
-"nix/etcnixos/secrets/wifi-passwords.nix" = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH",
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi",
-]
 "nix/home-manager/secrets/factorio.nix" = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH",
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi",
 ]
+"nix/etcnixos/secrets/secureboot.tar" = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH",
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi",
+]
+"nix/etcnixos/secrets/wifi-passwords.nix" = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH",
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi",
+]
diff --git a/justfile b/justfile
index 91782c2..1aa8b6a 100644
--- a/justfile
+++ b/justfile
@@ -7,11 +7,11 @@ format_system:
 run0 nixfmt /etc/nixos
 system_update:
- run0 nix flake update --flake /etc/nixos
+ run0 nix flake update /etc/nixos
 run0 nixos-rebuild boot --impure
 home_update:
- nix flake update --flake ~/.config/home-manager
+ nix flake update ~/.config/home-manager
 rm -fr ~/.gtkrc-2.0
 home-manager switch --impure
diff --git a/nix/etcnixos/flake.lock b/nix/etcnixos/flake.lock
index 9c17495..6b801fe 100644
--- a/nix/etcnixos/flake.lock
+++ b/nix/etcnixos/flake.lock
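Review bot: The new `.gitattributes` entry only encrypts `secureboot.tar` in a clone where the `git-agecrypt` filter driver is actually configured; with no driver defined, git stages the file unchanged. The page shows the blob only as "Binary files /dev/null and b/nix/etcnixos/secrets/secureboot.tar differ", so it cannot confirm that what was committed is age ciphertext rather than the plain tarball. Before this is pushed, check that the stored blob begins with an age header (binary age files start with `age-encryption.org/v1`). The matching entry in `git-agecrypt.toml` would also benefit from a comment such as `# either recipient key can decrypt the Secure Boot bundle; keep this list minimal`, since the archive presumably holds signing keys.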
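Review bot: In the `justfile`, dropping `--flake` from both `nix flake update` calls changes their meaning on newer Nix. Since Nix 2.19, positional arguments to `nix flake update` name the inputs to update, and the flake location is given with `--flake`. On such a version `nix flake update /etc/nixos` would act on the flake in the current directory and treat the path as an input name. If these recipes are meant for a machine pinned to an older Nix, say so above `system_update`, e.g. `# positional flake path: needs Nix older than 2.19`.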
@@ -332,11 +332,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726759964, - "narHash": "sha256-d7ej4YWIxJs81uxlQSeiAUTqRLHJFhEtmbqIltKN1SI=", + "lastModified": 1726766095, + "narHash": "sha256-QapPXaSkDmiaJ3WcCIvF8vnyzCfuxd0xgUO+H7ShJ5E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6886cfd66b1a58135d1e262d76834f77b2235f35", + "rev": "223f611353f687cc301b0285f4fabe015d100754", "type": "github" }, "original": {
diff --git a/nix/etcnixos/secrets/secureboot.tar b/nix/etcnixos/secrets/secureboot.tar
new file mode 100644
index 0000000..e6901c0
Binary files /dev/null and b/nix/etcnixos/secrets/secureboot.tar differ
diff --git a/nix/etcnixos/system-mreow.nix b/nix/etcnixos/system-mreow.nix
index d103419..b1ef9cb 100644
--- a/nix/etcnixos/system-mreow.nix
+++ b/nix/etcnixos/system-mreow.nix
@@ -109,4 +109,19 @@
 #weird hack to get swaylock working? idk, if you don't put this here, password entry doesnt work
 #if I move to another lock screen program, i will have to replace `swaylock`
 security.pam.services.swaylock = { };
+
+ system.activationScripts = {
+
+ "secureboot-keys".text =
+ let
+ secureboot_path = "/etc/secureboot";
+ in
+ ''
+ #!/bin/sh
+ rm -fr ${secureboot_path}
+ mkdir -p ${secureboot_path}
+ ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${secureboot_path}
+ '';
+
+ };
 }
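Review bot: In the `secureboot-keys` activation script of `system-mreow.nix`, the existing `/etc/secureboot` is deleted before the archive is known to be readable, and the directory is recreated with the default mode. If `secureboot.tar` is missing or still age ciphertext (a checkout without the decrypt filter), `tar` fails after the previous keys are already gone. On success, other local users may be able to read the key material, depending on the activation umask and the modes stored in the archive. Unpacking into a `mktemp -d` directory (created 0700) and swapping it into place only when `tar` succeeds addresses both. The `#!/bin/sh` line can also go, since this text is embedded in the larger activation script rather than run as its own file; the enclosing attribute set starts outside the hunk.

```nix
"secureboot-keys".text =
  # … unchanged: let-binding of secureboot_path …
  ''
    tmp="$(mktemp -d ${secureboot_path}.XXXXXX)"
    if ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C "$tmp"; then
      rm -fr ${secureboot_path}
      mv "$tmp" ${secureboot_path}
    else
      rm -fr "$tmp"
      echo "secureboot-keys: unpacking secureboot.tar failed, keeping existing keys" >&2
    fi
  '';
```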