diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..665b10e
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
diff --git a/.git-crypt/keys/default/0/A476C39610E53A689A57BD0D0B89BC45007EE9CC.gpg b/.git-crypt/keys/default/0/A476C39610E53A689A57BD0D0B89BC45007EE9CC.gpg
new file mode 100644
index 0000000..f922554
Binary files /dev/null and b/.git-crypt/keys/default/0/A476C39610E53A689A57BD0D0B89BC45007EE9CC.gpg differ
diff --git a/.gitattributes b/.gitattributes
index b2244e2..afb59d5 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,12 @@
+# noisy diffs
 flake.lock -diff
-home/secrets/**/*.json -diff
 lazy-lock.json -diff
+
+# git lfs
 *.png filter=lfs diff=lfs merge=lfs -text
+
+# git crypt
+home/secrets/fonts/*      filter=git-crypt diff=git-crypt
+home/secrets/*.nix        filter=git-crypt diff=git-crypt
+home/secrets/fallback.nix !filter !diff
+home/secrets/sops.nix     !filter !diff
diff --git a/.gitignore b/.gitignore
index 7a4c3bc..3e8d5fa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +1,4 @@
-# secrets
-.gitsecret/keys/random_seed
-!*.secret
-home/secrets/default.nix
-home/secrets/fonts.tgz
-
 # Generated by nix-pre-commit-hooks
 /.pre-commit-config.yaml
-
 # generated nix files
 /result
diff --git a/.gitsecret/keys/pubring.kbx b/.gitsecret/keys/pubring.kbx
deleted file mode 100644
index 0c72308..0000000
Binary files a/.gitsecret/keys/pubring.kbx and /dev/null differ
diff --git a/.gitsecret/keys/pubring.kbx~ b/.gitsecret/keys/pubring.kbx~
deleted file mode 100644
index 60660eb..0000000
Binary files a/.gitsecret/keys/pubring.kbx~ and /dev/null differ
diff --git a/.gitsecret/keys/trustdb.gpg b/.gitsecret/keys/trustdb.gpg
deleted file mode 100644
index 6e1c048..0000000
Binary files a/.gitsecret/keys/trustdb.gpg and /dev/null differ
diff --git a/.gitsecret/paths/mapping.cfg b/.gitsecret/paths/mapping.cfg
deleted file mode 100644
index 8bdbf5b..0000000
--- a/.gitsecret/paths/mapping.cfg
+++ /dev/null
@@ -1 +0,0 @@
-home/secrets/default.nix:0e6b6e9c57743af34dd280dbafc83d5c27ca599e60c267f9eb63201ab7510856
diff --git a/home/secrets/default.nix b/home/secrets/default.nix
new file mode 100644
index 0000000..f551170
Binary files /dev/null and b/home/secrets/default.nix differ
diff --git a/home/secrets/fonts.tgz.gpg b/home/secrets/fonts.tgz.gpg
deleted file mode 100644
index e2bd7c9..0000000
Binary files a/home/secrets/fonts.tgz.gpg and /dev/null differ
diff --git a/home/secrets/fonts/Berkeley_Bold.otf b/home/secrets/fonts/Berkeley_Bold.otf
new file mode 100644
index 0000000..6c3cf64
Binary files /dev/null and b/home/secrets/fonts/Berkeley_Bold.otf differ
diff --git a/home/secrets/fonts/Berkeley_Bold_Italic.otf b/home/secrets/fonts/Berkeley_Bold_Italic.otf
new file mode 100644
index 0000000..c9d0159
Binary files /dev/null and b/home/secrets/fonts/Berkeley_Bold_Italic.otf differ
diff --git a/home/secrets/fonts/Berkeley_Italic.otf b/home/secrets/fonts/Berkeley_Italic.otf
new file mode 100644
index 0000000..e4555b9
Binary files /dev/null and b/home/secrets/fonts/Berkeley_Italic.otf differ
diff --git a/home/secrets/fonts/Berkeley_Regular.otf b/home/secrets/fonts/Berkeley_Regular.otf
new file mode 100644
index 0000000..2a58765
Binary files /dev/null and b/home/secrets/fonts/Berkeley_Regular.otf differ
diff --git a/home/secrets/fonts/Comic_Code_Bold.otf b/home/secrets/fonts/Comic_Code_Bold.otf
new file mode 100644
index 0000000..d6be066
Binary files /dev/null and b/home/secrets/fonts/Comic_Code_Bold.otf differ
diff --git a/home/secrets/fonts/Comic_Code_Bold_Italic.otf b/home/secrets/fonts/Comic_Code_Bold_Italic.otf
new file mode 100644
index 0000000..5468da0
Binary files /dev/null and b/home/secrets/fonts/Comic_Code_Bold_Italic.otf differ
diff --git a/home/secrets/fonts/Comic_Code_Italic.otf b/home/secrets/fonts/Comic_Code_Italic.otf
new file mode 100644
index 0000000..6277796
Binary files /dev/null and b/home/secrets/fonts/Comic_Code_Italic.otf differ
diff --git a/home/secrets/fonts/Comic_Code_Medium.otf b/home/secrets/fonts/Comic_Code_Medium.otf
new file mode 100644
index 0000000..25f9e65
Binary files /dev/null and b/home/secrets/fonts/Comic_Code_Medium.otf differ
diff --git a/home/secrets/fonts/Comic_Code_Medium_Italic.otf b/home/secrets/fonts/Comic_Code_Medium_Italic.otf
new file mode 100644
index 0000000..17293c1
Binary files /dev/null and b/home/secrets/fonts/Comic_Code_Medium_Italic.otf differ
diff --git a/home/secrets/fonts/Comic_Code_Regular.otf b/home/secrets/fonts/Comic_Code_Regular.otf
new file mode 100644
index 0000000..04bfc6a
Binary files /dev/null and b/home/secrets/fonts/Comic_Code_Regular.otf differ
diff --git a/justfile b/justfile
index c361fe4..eba111b 100644
--- a/justfile
+++ b/justfile
@@ -22,7 +22,7 @@ check:
 
 # build {{{
 [macos]
-switch: secret-stage && secret-unstage
+switch:
   #!/usr/bin/env bash
   set -euxo pipefail
   if [[ -x "./result/sw/bin/darwin-rebuild" ]]; then
@@ -33,29 +33,18 @@ switch: secret-stage && secret-unstage
   fi
 
 [linux]
-switch: secret-stage && secret-unstage
+switch:
   sudo nixos-rebuild switch --flake .
 [linux]
-boot: secret-stage && secret-unstage
+boot:
   sudo nixos-rebuild boot --flake .
 # }}}
 
-# secrets {{{
 secretExists := path_exists("./home/secrets/default.nix")
 
-secret-stage:
-  {{secretExists}} && git add -f home/secrets/default.nix || exit 0
-secret-unstage:
-  {{secretExists}} && git restore --staged home/secrets/default.nix || exit 0
-
 fontdir := if os() == "macos" {"$HOME/Library/Fonts"} else {"${XDG_DATA_HOME:-$HOME/.local/share}/fonts"}
-
 install-fonts:
-  #!/usr/bin/env bash
-  set -euxo pipefail
-  mkdir -p "{{fontdir}}"
-  gpg --decrypt home/secrets/fonts.tgz.gpg | tar -xz -C "{{fontdir}}" --strip-components=1
-# }}}
+  install -Dm644 home/secrets/fonts/* "{{fontdir}}"
 
 fetch:
   @nix run nixpkgs\#onefetch -- --true-color never --no-bots -d lines-of-code