diff --git a/hosts/common/programs/aerc.nix b/hosts/common/programs/aerc.nix index d8f82e94..8847c48f 100644 --- a/hosts/common/programs/aerc.nix +++ b/hosts/common/programs/aerc.nix @@ -2,5 +2,5 @@ { ... }: { - sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/universal/aerc_accounts.conf.bin; + sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin; } diff --git a/hosts/common/programs/offlineimap.nix b/hosts/common/programs/offlineimap.nix index a741c54c..ba081759 100644 --- a/hosts/common/programs/offlineimap.nix +++ b/hosts/common/programs/offlineimap.nix @@ -7,6 +7,6 @@ { ... }: { - sane.programs.offlineimap.secrets.".config/offlineimap/config" = ../../../secrets/universal/offlineimaprc.bin; + sane.programs.offlineimap.secrets.".config/offlineimap/config" = ../../../secrets/common/offlineimaprc.bin; } diff --git a/hosts/common/programs/sublime-music.nix b/hosts/common/programs/sublime-music.nix index 3e194771..de00145a 100644 --- a/hosts/common/programs/sublime-music.nix +++ b/hosts/common/programs/sublime-music.nix @@ -9,6 +9,6 @@ # possible to pass config as a CLI arg (sublime-music -c config.json) persist.plaintext = [ ".local/share/sublime-music" ]; - secrets.".config/sublime-music/config.json" = ../../../secrets/universal/sublime_music_config.json.bin; + secrets.".config/sublime-music/config.json" = ../../../secrets/common/sublime_music_config.json.bin; }; } diff --git a/hosts/common/secrets.nix b/hosts/common/secrets.nix index 10719fce..a5bc3b43 100644 --- a/hosts/common/secrets.nix +++ b/hosts/common/secrets.nix 
@@ -29,10 +29,6 @@ # $ cat /run/secrets/example_key # sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ]; - # This will add secrets.yaml to the nix store - # You can avoid this by adding a string to the full path instead, i.e. - # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; - sops.defaultSopsFile = ../../secrets/universal.yaml; sops.gnupg.sshKeyPaths = []; # disable RSA key import # This is using an age key that is expected to already be in the filesystem # sops.age.keyFile = "/home/colin/.ssh/age.pub"; 
@@ -45,105 +41,105 @@ # }; # sops.secrets."myservice/my_subdir/my_secret" = {}; - ## universal secrets + ## secrets exposed to all hosts # TODO: glob these? sops.secrets."jackett_apikey" = { - sopsFile = ../../secrets/universal/jackett_apikey.bin; + sopsFile = ../../secrets/common/jackett_apikey.bin; format = "binary"; owner = config.users.users.colin.name; }; sops.secrets."mx-sanebot-env" = { - sopsFile = ../../secrets/universal/mx-sanebot-env.bin; + sopsFile = ../../secrets/common/mx-sanebot-env.bin; format = "binary"; owner = config.users.users.colin.name; }; sops.secrets."router_passwd" = { - sopsFile = ../../secrets/universal/router_passwd.bin; + sopsFile = ../../secrets/common/router_passwd.bin; format = "binary"; }; sops.secrets."transmission_passwd" = { - sopsFile = ../../secrets/universal/transmission_passwd.bin; + sopsFile = ../../secrets/common/transmission_passwd.bin; format = "binary"; }; sops.secrets."wg_ovpnd_us_privkey" = { - sopsFile = ../../secrets/universal/wg/ovpnd_us_privkey.bin; + sopsFile = ../../secrets/common/wg/ovpnd_us_privkey.bin; format = "binary"; }; sops.secrets."wg_ovpnd_us-atl_privkey" = { - sopsFile = ../../secrets/universal/wg/ovpnd_us-atl_privkey.bin; + sopsFile = ../../secrets/common/wg/ovpnd_us-atl_privkey.bin; format = "binary"; }; sops.secrets."wg_ovpnd_us-mi_privkey" = { - sopsFile = ../../secrets/universal/wg/ovpnd_us-mi_privkey.bin; + sopsFile = ../../secrets/common/wg/ovpnd_us-mi_privkey.bin; format = "binary"; }; sops.secrets."wg_ovpnd_ukr_privkey" = { - sopsFile = ../../secrets/universal/wg/ovpnd_ukr_privkey.bin; + sopsFile = ../../secrets/common/wg/ovpnd_ukr_privkey.bin; format = "binary"; }; sops.secrets."snippets" = { - sopsFile = ../../secrets/universal/snippets.bin; + sopsFile = ../../secrets/common/snippets.bin; format = "binary"; owner = config.users.users.colin.name; }; sops.secrets."bt/car" = { - sopsFile = ../../secrets/universal/bt/car.bin; + sopsFile = ../../secrets/common/bt/car.bin; format = "binary"; }; 
sops.secrets."bt/earbuds" = { - sopsFile = ../../secrets/universal/bt/earbuds.bin; + sopsFile = ../../secrets/common/bt/earbuds.bin; format = "binary"; }; sops.secrets."bt/portable-speaker" = { - sopsFile = ../../secrets/universal/bt/portable-speaker.bin; + sopsFile = ../../secrets/common/bt/portable-speaker.bin; format = "binary"; }; sops.secrets."iwd/calyx-roomie.psk" = { - sopsFile = ../../secrets/universal/net/calyx-roomie.psk.bin; + sopsFile = ../../secrets/common/net/calyx-roomie.psk.bin; format = "binary"; }; sops.secrets."iwd/community-university.psk" = { - sopsFile = ../../secrets/universal/net/community-university.psk.bin; + sopsFile = ../../secrets/common/net/community-university.psk.bin; format = "binary"; }; sops.secrets."iwd/friend-libertarian-dod.psk" = { - sopsFile = ../../secrets/universal/net/friend-libertarian-dod.psk.bin; + sopsFile = ../../secrets/common/net/friend-libertarian-dod.psk.bin; format = "binary"; }; sops.secrets."iwd/friend-rationalist-empathist.psk" = { - sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin; + sopsFile = ../../secrets/common/net/friend-rationalist-empathist.psk.bin; format = "binary"; }; sops.secrets."iwd/home-shared.psk" = { - sopsFile = ../../secrets/universal/net/home-shared.psk.bin; + sopsFile = ../../secrets/common/net/home-shared.psk.bin; format = "binary"; }; sops.secrets."iwd/makespace-south.psk" = { - sopsFile = ../../secrets/universal/net/makespace-south.psk.bin; + sopsFile = ../../secrets/common/net/makespace-south.psk.bin; format = "binary"; }; sops.secrets."iwd/archive-2023-02-home-bedroom.psk" = { - sopsFile = ../../secrets/universal/net/archive/2023-02-home-bedroom.psk.bin; + sopsFile = ../../secrets/common/net/archive/2023-02-home-bedroom.psk.bin; format = "binary"; }; sops.secrets."iwd/archive-2023-02-home-shared-24G.psk" = { - sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin; + sopsFile = 
../../secrets/common/net/archive/2023-02-home-shared-24G.psk.bin; format = "binary"; }; sops.secrets."iwd/archive-2023-02-home-shared.psk" = { - sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared.psk.bin; + sopsFile = ../../secrets/common/net/archive/2023-02-home-shared.psk.bin; format = "binary"; }; sops.secrets."iwd/iphone" = { - sopsFile = ../../secrets/universal/net/iphone.psk.bin; + sopsFile = ../../secrets/common/net/iphone.psk.bin; format = "binary"; }; sops.secrets."iwd/parents" = { - sopsFile = ../../secrets/universal/net/parents.psk.bin; + sopsFile = ../../secrets/common/net/parents.psk.bin; format = "binary"; }; } diff --git a/secrets/universal/README.md b/secrets/common/README.md similarity index 100% rename from secrets/universal/README.md rename to secrets/common/README.md diff --git a/secrets/universal/aerc_accounts.conf.bin b/secrets/common/aerc_accounts.conf.bin similarity index 100% rename from secrets/universal/aerc_accounts.conf.bin rename to secrets/common/aerc_accounts.conf.bin diff --git a/secrets/universal/bt/car.bin b/secrets/common/bt/car.bin similarity index 100% rename from secrets/universal/bt/car.bin rename to secrets/common/bt/car.bin diff --git a/secrets/universal/bt/earbuds.bin b/secrets/common/bt/earbuds.bin similarity index 100% rename from secrets/universal/bt/earbuds.bin rename to secrets/common/bt/earbuds.bin diff --git a/secrets/universal/bt/portable-speaker.bin b/secrets/common/bt/portable-speaker.bin similarity index 100% rename from secrets/universal/bt/portable-speaker.bin rename to secrets/common/bt/portable-speaker.bin diff --git a/secrets/universal/jackett_apikey.bin b/secrets/common/jackett_apikey.bin similarity index 100% rename from secrets/universal/jackett_apikey.bin rename to secrets/common/jackett_apikey.bin 
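Review bot: The new heading `## secrets exposed to all hosts` understates what it implies for the entries below it: the WireGuard private keys (`wg_ovpnd_*_privkey`) and `router_passwd` are declared here for every host, so presumably every host's key is a sops recipient for them and compromise of any single host discloses all of them. I would extend the comment to say so, e.g. `## secrets exposed to all hosts: every host can decrypt these, so a credential only one host needs belongs in that host's own secrets`. Separately, with `sops.defaultSopsFile` removed in the previous hunk, the commented example `# sops.secrets."myservice/my_subdir/my_secret" = {};` kept as context at the top of this hunk no longer describes a working declaration unless a default is set elsewhere, so it should show an explicit `sopsFile`. The enclosing attribute set starts outside the hunk.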
diff --git a/secrets/universal/mx-sanebot-env.bin b/secrets/common/mx-sanebot-env.bin
similarity index 100%
rename from secrets/universal/mx-sanebot-env.bin
rename to secrets/common/mx-sanebot-env.bin
diff --git a/secrets/universal/net/README.md b/secrets/common/net/README.md
similarity index 100%
rename from secrets/universal/net/README.md
rename to secrets/common/net/README.md
diff --git a/secrets/universal/net/archive/2023-02-home-bedroom.psk.bin b/secrets/common/net/archive/2023-02-home-bedroom.psk.bin
similarity index 100%
rename from secrets/universal/net/archive/2023-02-home-bedroom.psk.bin
rename to secrets/common/net/archive/2023-02-home-bedroom.psk.bin
diff --git a/secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin b/secrets/common/net/archive/2023-02-home-shared-24G.psk.bin
similarity index 100%
rename from secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin
rename to secrets/common/net/archive/2023-02-home-shared-24G.psk.bin
diff --git a/secrets/universal/net/archive/2023-02-home-shared.psk.bin b/secrets/common/net/archive/2023-02-home-shared.psk.bin
similarity index 100%
rename from secrets/universal/net/archive/2023-02-home-shared.psk.bin
rename to secrets/common/net/archive/2023-02-home-shared.psk.bin
diff --git a/secrets/universal/net/calyx-roomie.psk.bin b/secrets/common/net/calyx-roomie.psk.bin
similarity index 100%
rename from secrets/universal/net/calyx-roomie.psk.bin
rename to secrets/common/net/calyx-roomie.psk.bin
diff --git a/secrets/universal/net/community-university.psk.bin b/secrets/common/net/community-university.psk.bin
similarity index 100%
rename from secrets/universal/net/community-university.psk.bin
rename to secrets/common/net/community-university.psk.bin
diff --git a/secrets/universal/net/friend-libertarian-dod.psk.bin b/secrets/common/net/friend-libertarian-dod.psk.bin
similarity index 100%
rename from secrets/universal/net/friend-libertarian-dod.psk.bin
rename to secrets/common/net/friend-libertarian-dod.psk.bin
diff --git a/secrets/universal/net/friend-rationalist-empathist.psk.bin b/secrets/common/net/friend-rationalist-empathist.psk.bin
similarity index 100%
rename from secrets/universal/net/friend-rationalist-empathist.psk.bin
rename to secrets/common/net/friend-rationalist-empathist.psk.bin
diff --git a/secrets/universal/net/home-shared.psk.bin b/secrets/common/net/home-shared.psk.bin
similarity index 100%
rename from secrets/universal/net/home-shared.psk.bin
rename to secrets/common/net/home-shared.psk.bin
diff --git a/secrets/universal/net/iphone.psk.bin b/secrets/common/net/iphone.psk.bin
similarity index 100%
rename from secrets/universal/net/iphone.psk.bin
rename to secrets/common/net/iphone.psk.bin
diff --git a/secrets/universal/net/makespace-south.psk.bin b/secrets/common/net/makespace-south.psk.bin
similarity index 100%
rename from secrets/universal/net/makespace-south.psk.bin
rename to secrets/common/net/makespace-south.psk.bin
diff --git a/secrets/universal/net/parents.psk.bin b/secrets/common/net/parents.psk.bin
similarity index 100%
rename from secrets/universal/net/parents.psk.bin
rename to secrets/common/net/parents.psk.bin
diff --git a/secrets/universal/offlineimaprc.bin b/secrets/common/offlineimaprc.bin
similarity index 100%
rename from secrets/universal/offlineimaprc.bin
rename to secrets/common/offlineimaprc.bin
diff --git a/secrets/universal/router_passwd.bin b/secrets/common/router_passwd.bin
similarity index 100%
rename from secrets/universal/router_passwd.bin
rename to secrets/common/router_passwd.bin
diff --git a/secrets/universal/snippets.bin b/secrets/common/snippets.bin
similarity index 100%
rename from secrets/universal/snippets.bin
rename to secrets/common/snippets.bin
diff --git a/secrets/universal/sublime_music_config.json.bin b/secrets/common/sublime_music_config.json.bin
similarity index 100%
rename from secrets/universal/sublime_music_config.json.bin
rename to secrets/common/sublime_music_config.json.bin
diff --git a/secrets/universal/transmission_passwd.bin b/secrets/common/transmission_passwd.bin
similarity index 100%
rename from secrets/universal/transmission_passwd.bin
rename to secrets/common/transmission_passwd.bin
diff --git a/secrets/universal/wg/README.md b/secrets/common/wg/README.md
similarity index 100%
rename from secrets/universal/wg/README.md
rename to secrets/common/wg/README.md
diff --git a/secrets/universal/wg/ovpnd_ukr_privkey.bin b/secrets/common/wg/ovpnd_ukr_privkey.bin
similarity index 100%
rename from secrets/universal/wg/ovpnd_ukr_privkey.bin
rename to secrets/common/wg/ovpnd_ukr_privkey.bin
diff --git a/secrets/universal/wg/ovpnd_us-atl_privkey.bin b/secrets/common/wg/ovpnd_us-atl_privkey.bin
similarity index 100%
rename from secrets/universal/wg/ovpnd_us-atl_privkey.bin
rename to secrets/common/wg/ovpnd_us-atl_privkey.bin
diff --git a/secrets/universal/wg/ovpnd_us-mi_privkey.bin b/secrets/common/wg/ovpnd_us-mi_privkey.bin
similarity index 100%
rename from secrets/universal/wg/ovpnd_us-mi_privkey.bin
rename to secrets/common/wg/ovpnd_us-mi_privkey.bin
diff --git a/secrets/universal/wg/ovpnd_us_privkey.bin b/secrets/common/wg/ovpnd_us_privkey.bin
similarity index 100%
rename from secrets/universal/wg/ovpnd_us_privkey.bin
rename to secrets/common/wg/ovpnd_us_privkey.bin