diff --git a/hosts/default.nix b/hosts/default.nix
index 4924419..f78bf54 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -41,6 +41,7 @@ with lib; let
         inputs.dankMaterialShell.nixosModules.dankMaterialShell
         inputs.niri.nixosModules.niri
         ../modules/base
+        ../modules/system
         ../modules/programs
         ../modules/desktop
         (mkSystemImports hostname)
diff --git a/modules/base/default.nix b/modules/base/default.nix
index f0dfdab..7450d0f 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -2,22 +2,10 @@ _: {
   options.fireproof.base = {};
 
   imports = [
-    ./boot.nix
     ./defaults.nix
     ./gc.nix
     ./home-manager.nix
-    ./hosts.nix
-    ./keyd.nix
-    ./ld.nix
-    ./networking.nix
     ./nix.nix
     ./secrets.nix
-    ./security.nix
-    ./ssh.nix
-    ./time.nix
-    ./usb.nix
-    ./user.nix
-    ./yubikey.nix
-    ./tailscale.nix
   ];
 }
diff --git a/modules/base/nix.nix b/modules/base/nix.nix
index 04467e3..0a2ccd6 100644
--- a/modules/base/nix.nix
+++ b/modules/base/nix.nix
@@ -1,5 +1,11 @@
-_: {
+{username, ...}: {
   nix.settings = {
+    trusted-users = [
+      "root"
+      "@wheel"
+      username
+    ];
+
     experimental-features = "nix-command flakes";
     substituters = [
       "https://hyprland.cachix.org"
diff --git a/modules/base/security.nix b/modules/base/security.nix
deleted file mode 100644
index 2392ec8..0000000
--- a/modules/base/security.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{username, ...}: {
-  security.sudo.wheelNeedsPassword = false;
-  nix.settings.trusted-users = [
-    "root"
-    "@wheel"
-    username
-  ];
-  services.gnome.gnome-keyring.enable = true;
-}
diff --git a/modules/base/boot.nix b/modules/system/boot.nix
similarity index 100%
rename from modules/base/boot.nix
rename to modules/system/boot.nix
diff --git a/modules/system/default.nix b/modules/system/default.nix
new file mode 100644
index 0000000..6a1f055
--- /dev/null
+++ b/modules/system/default.nix
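Review bot: The `trusted-users` list placed under `nix.settings` in the nix.nix hunk grants root-equivalent control of the Nix daemon to every wheel member and to `username`, because Nix lets trusted users override daemon-enforced settings such as substituters, trusted public keys and sandbox paths; nothing at the declaration says so, and a comment would stop a later reader from treating it as a harmless convenience, e.g. `# trusted-users is root-equivalent: these users can override daemon settings (substituters, keys, sandbox)`. If `username` is also a member of wheel (user.nix is not in this diff) the explicit entry is redundant with `@wheel`; if it is kept for hosts where that user is not in wheel, a short line saying so would make the intent clear. The setting is moved here from security.nix rather than introduced, so this is about documenting an existing decision, not changing it.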
@@ -0,0 +1,18 @@
+_: {
+  options.fireproof.base = {};
+
+  imports = [
+    ./boot.nix
+    ./hosts.nix
+    ./keyd.nix
+    ./ld.nix
+    ./networking.nix
+    ./security.nix
+    ./ssh.nix
+    ./time.nix
+    ./usb.nix
+    ./user.nix
+    ./yubikey.nix
+    ./tailscale.nix
+  ];
+}
diff --git a/modules/base/hosts.nix b/modules/system/hosts.nix
similarity index 100%
rename from modules/base/hosts.nix
rename to modules/system/hosts.nix
diff --git a/modules/base/keyd.nix b/modules/system/keyd.nix
similarity index 100%
rename from modules/base/keyd.nix
rename to modules/system/keyd.nix
diff --git a/modules/base/ld.nix b/modules/system/ld.nix
similarity index 100%
rename from modules/base/ld.nix
rename to modules/system/ld.nix
diff --git a/modules/base/networking.nix b/modules/system/networking.nix
similarity index 100%
rename from modules/base/networking.nix
rename to modules/system/networking.nix
diff --git a/modules/system/security.nix b/modules/system/security.nix
new file mode 100644
index 0000000..1514e3e
--- /dev/null
+++ b/modules/system/security.nix
@@ -0,0 +1,4 @@
+_: {
+  security.sudo.wheelNeedsPassword = false;
+  services.gnome.gnome-keyring.enable = true;
+}
diff --git a/modules/base/ssh.nix b/modules/system/ssh.nix
similarity index 93%
rename from modules/base/ssh.nix
rename to modules/system/ssh.nix
index 2031415..2355b68 100644
--- a/modules/base/ssh.nix
+++ b/modules/system/ssh.nix
@@ -9,6 +9,7 @@
   # Load all public keys from ../../secrets/hosts/*/id_ed25519.pub
   allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../secrets/hosts));
   publicKeys = map (x: builtins.readFile (../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
+  workEnabled = config.fireproof.work.enable;
 in {
   age.secrets.ssh-key = {
     rekeyFile = ../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
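Review bot: `options.fireproof.base = {};` in the new modules/system/default.nix appears to be copied from modules/base/default.nix, which still declares the same path in this diff, so the new module does not get its own namespace; `options.fireproof.system = {};` is presumably what was meant. Declaring the same empty option set in two modules evaluates without error, so this is a consistency point rather than a breakage, but it leaves it unclear which of the two modules owns `fireproof.base` once either one grows a real `mkOption`.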
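Review bot: `security.sudo.wheelNeedsPassword = false;` in the new security.nix lets any process running as a wheel user become root with no re-authentication, and because nix.nix in this same diff also puts `@wheel` in `trusted-users`, membership of wheel is the root boundary on every host that imports modules/system; the file records neither that this is intended nor where that membership is controlled. A one-line comment would help, e.g. `# Deliberate trade-off: wheel == root with no prompt; keep wheel membership minimal (see user.nix)`, with the reference adjusted to wherever wheel membership is actually set, which is not visible here. `services.gnome.gnome-keyring.enable = true;` is a desktop credential-store service and sits oddly next to a privilege setting in a file called security.nix; either a comment on why it lives here or moving it to the desktop module would make the file's purpose clearer. Both settings are moved rather than introduced, so the point is documentation, not reverting them.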
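Review bot: `workEnabled = config.fireproof.work.enable;` reads an option that nothing in this diff declares, and the module's argument pattern is outside the hunk, so evaluation will fail with a missing-attribute error on any host unless `fireproof.work.enable` is declared elsewhere and `config` is among this file's function arguments; both are worth confirming before merge. If the option does not yet exist, declaring it with `mkEnableOption "work profile"` in the module that owns it is preferable to an `or false` fallback, which would silently hide a typo in the option path. The enclosing `let` block starts before this hunk.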
@@ -16,7 +17,7 @@ in {
     mode = "0600";
     owner = username;
   };
-  age.secrets.ssh-key-ao = {
+  age.secrets.ssh-key-ao = lib.mkIf workEnabled {
     rekeyFile = ../../secrets/ssh-key-ao.age;
     mode = "0600";
     owner = username;
@@ -37,6 +38,7 @@ in {
       hostname = "x.nickolaj.com";
       user = "nickolaj";
     };
+  } // lib.optionalAttrs workEnabled {
     # Work hostnames definded in ./networking.nix
     "bastion.ao" = {
       user = "nij";
@@ -84,7 +86,7 @@ in {
     settings.KbdInteractiveAuthentication = false;
   };
 
-  systemd.user.services."add-ssh-keys" = {
+  systemd.user.services."add-ssh-keys" = lib.mkIf workEnabled {
     description = "Add SSH keys to ssh-agent";
     after = ["network.target" "ssh-agent.service"];
     requires = ["ssh-agent.service"];
diff --git a/modules/base/tailscale.nix b/modules/system/tailscale.nix
similarity index 100%
rename from modules/base/tailscale.nix
rename to modules/system/tailscale.nix
diff --git a/modules/base/time.nix b/modules/system/time.nix
similarity index 100%
rename from modules/base/time.nix
rename to modules/system/time.nix
diff --git a/modules/base/usb.nix b/modules/system/usb.nix
similarity index 100%
rename from modules/base/usb.nix
rename to modules/system/usb.nix
diff --git a/modules/base/user.nix b/modules/system/user.nix
similarity index 100%
rename from modules/base/user.nix
rename to modules/system/user.nix
diff --git a/modules/base/yubikey.nix b/modules/system/yubikey.nix
similarity index 100%
rename from modules/base/yubikey.nix
rename to modules/system/yubikey.nix
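Review bot: Wrapping the whole `add-ssh-keys` user service in `lib.mkIf workEnabled` also switches it off for the per-host key, even though `age.secrets.ssh-key` in the earlier hunk of this file stays unconditional; if the service's script (outside this hunk) loads both `ssh-key` and `ssh-key-ao`, non-work hosts will no longer get their own key into ssh-agent, whereas if it only loads `ssh-key-ao` the gate is correct. Confirm which it is, and if it is both, keep the service unconditional and make only the work-key step conditional inside the script, e.g. with `lib.optionalString workEnabled` around the `ssh-key-ao` line. The service definition continues past the end of the hunk, so the script itself is not visible here.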