diff --git a/hosts/default.nix b/hosts/default.nix
index f78bf54..1ed31b1 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -44,6 +44,7 @@ with lib; let
 ../modules/system
 ../modules/programs
 ../modules/desktop
+ ../modules/homelab
 (mkSystemImports hostname)
 {nixpkgs.config.allowUnfree = true;}
 ]
diff --git a/hosts/homelab/configuration.nix b/hosts/homelab/configuration.nix
index 730d1d0..8ff34bb 100644
--- a/hosts/homelab/configuration.nix
+++ b/hosts/homelab/configuration.nix
@@ -4,6 +4,7 @@
 ...
 }: {
 fireproof.dev.enable = true;
+ fireproof.homelab.enable = true;
 boot = {
 # Use grub as bootloader as it works better with mdadm
diff --git a/hosts/homelab/arr.nix b/modules/homelab/arr.nix
similarity index 97%
rename from hosts/homelab/arr.nix
rename to modules/homelab/arr.nix
index b93fc89..80d64eb 100644
--- a/hosts/homelab/arr.nix
+++ b/modules/homelab/arr.nix
@@ -1,8 +1,10 @@
 {
 config,
+ lib,
 username,
 ...
-}: let
+}:
+lib.mkIf config.fireproof.homelab.enable (let
 user = "media";
 group = "media";
@@ -80,4 +82,4 @@ in {
 };
 prowlarr.enable = true;
 };
-}
+})
diff --git a/modules/homelab/default.nix b/modules/homelab/default.nix
new file mode 100644
index 0000000..e3cb769
--- /dev/null
+++ b/modules/homelab/default.nix
@@ -0,0 +1,19 @@
+{lib, ...}: {
+ options.fireproof.homelab = {
+ enable = lib.mkEnableOption "Enable homelab services (arr, nginx, postgres, prometheus, etc.)";
+ };
+
+ imports = [
+ ./arr.nix
+ ./flame.nix
+ ./home-assistant.nix
+ ./nextcloud.nix
+ ./nginx.nix
+ ./plex.nix
+ ./postgres.nix
+ ./prometheus.nix
+ ./restic.nix
+ ./sso.nix
+ ./vaultwarden.nix
+ ];
+}
diff --git a/hosts/homelab/flame.nix b/modules/homelab/flame.nix
similarity index 89%
rename from hosts/homelab/flame.nix
rename to modules/homelab/flame.nix
index 3739109..6c4f398 100644
--- a/hosts/homelab/flame.nix
+++ b/modules/homelab/flame.nix
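Review bot: In modules/homelab/default.nix, `lib.mkEnableOption` already prefixes its argument with "Whether to enable", so the description of `options.fireproof.homelab.enable` will render as "Whether to enable Enable homelab services …"; pass the noun phrase instead, `enable = lib.mkEnableOption "homelab services (arr, nginx, postgres, prometheus, etc.)";`. Because hosts/default.nix now appears to import `../modules/homelab` for every host, this single boolean switches on the whole import list at once, including the nginx module that opens TCP 80 and 443 and the nextcloud module whose `rekeyFile` points into `secrets/hosts/homelab/`. A short comment above the option stating that, or per-service sub-options that default to this flag, would make it harder to expose these services on another host by accident.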
@@ -1,4 +1,9 @@
-_: let
+{
+ config,
+ lib,
+ ...
+}:
+lib.mkIf config.fireproof.homelab.enable (let
 dataDir = "/var/lib/flame";
 domain = "flame.nickolaj.com";
 in {
@@ -29,4 +34,4 @@ in {
 };
 };
 };
-}
+})
diff --git a/hosts/homelab/home-assistant.nix b/modules/homelab/home-assistant.nix
similarity index 98%
rename from hosts/homelab/home-assistant.nix
rename to modules/homelab/home-assistant.nix
index 853bd86..0fea1ab 100644
--- a/hosts/homelab/home-assistant.nix
+++ b/modules/homelab/home-assistant.nix
@@ -1,8 +1,10 @@
 {
 pkgs,
 config,
+ lib,
 ...
-}: let
+}:
+lib.mkIf config.fireproof.homelab.enable (let
 mosquittoPort = 1883;
 zigbee2mqttPort = 8180;
 homeAssistantPort = 8123;
@@ -65,7 +67,7 @@ in {
 package = pkgs.home-assistant;
 customComponents = with pkgs.home-assistant-custom-components; [
 adaptive_lighting
- sleep_as_android
+ sleep_as_android_mqtt
 (pkgs.buildHomeAssistantComponent rec {
 owner = "Sian-Lee-SA";
 domain = "switch_manager";
@@ -183,4 +185,4 @@ in {
 };
 };
 };
-}
+})
diff --git a/hosts/homelab/nextcloud.nix b/modules/homelab/nextcloud.nix
similarity index 93%
rename from hosts/homelab/nextcloud.nix
rename to modules/homelab/nextcloud.nix
index 6f6be6d..77a12d6 100644
--- a/hosts/homelab/nextcloud.nix
+++ b/modules/homelab/nextcloud.nix
@@ -1,8 +1,10 @@
 {
 config,
 pkgs,
+ lib,
 ...
-}: {
+}:
+lib.mkIf config.fireproof.homelab.enable {
 age.secrets.nextcloud-admin-pass = {
 rekeyFile = ../../secrets/hosts/homelab/nextcloud-admin-pass.age;
 owner = "nextcloud";
diff --git a/hosts/homelab/nginx.nix b/modules/homelab/nginx.nix
similarity index 84%
rename from hosts/homelab/nginx.nix
rename to modules/homelab/nginx.nix
index 7e02436..e930b27 100644
--- a/hosts/homelab/nginx.nix
+++ b/modules/homelab/nginx.nix
@@ -1,4 +1,9 @@
-_: {
+{
+ config,
+ lib,
+ ...
+}:
+lib.mkIf config.fireproof.homelab.enable {
 networking.firewall.allowedTCPPorts = [80 443];
 services.nginx = {
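Review bot: The swap from `sleep_as_android` to `sleep_as_android_mqtt` in the `customComponents` list of modules/homelab/home-assistant.nix is a functional change riding along in an otherwise mechanical move and `mkIf` wrap, and nothing in the hunk says why. Since the file is recorded as a 98% rename, this line is easy to miss when auditing what actually changed on the host. Either split it into its own commit or add a one-line comment above it, for example `# replaces sleep_as_android: <reason>`, so the component change stays traceable.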
diff --git a/hosts/homelab/plex.nix b/modules/homelab/plex.nix
similarity index 81%
rename from hosts/homelab/plex.nix
rename to modules/homelab/plex.nix
index b001acf..9a6b2e3 100644
--- a/hosts/homelab/plex.nix
+++ b/modules/homelab/plex.nix
@@ -1,4 +1,10 @@
-{pkgsUnstable, ...}: let
+{
+ config,
+ pkgsUnstable,
+ lib,
+ ...
+}:
+lib.mkIf config.fireproof.homelab.enable (let
 domain = "plex.nickolaj.com";
 in {
 services.nginx.virtualHosts."${domain}" = {
@@ -18,4 +24,4 @@ in {
 user = "media";
 group = "media";
 };
-}
+})
diff --git a/hosts/homelab/postgres.nix b/modules/homelab/postgres.nix
similarity index 70%
rename from hosts/homelab/postgres.nix
rename to modules/homelab/postgres.nix
index 95e7d69..446f427 100644
--- a/hosts/homelab/postgres.nix
+++ b/modules/homelab/postgres.nix
@@ -1,4 +1,9 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ ...
+}:
+lib.mkIf config.fireproof.homelab.enable {
 services = {
 restic.backups.homelab.paths = [config.services.postgresqlBackup.location];
diff --git a/hosts/homelab/prometheus.nix b/modules/homelab/prometheus.nix
similarity index 94%
rename from hosts/homelab/prometheus.nix
rename to modules/homelab/prometheus.nix
index 48bb919..7e3617a 100644
--- a/hosts/homelab/prometheus.nix
+++ b/modules/homelab/prometheus.nix
@@ -1,8 +1,10 @@
 {
 config,
 hostname,
+ lib,
 ...
-}: let
+}:
+lib.mkIf config.fireproof.homelab.enable (let
 mkScrapeConfig = name: {
 job_name = name;
 static_configs = [
@@ -49,4 +51,4 @@ in {
 ];
 };
 };
-}
+})
diff --git a/hosts/homelab/restic.nix b/modules/homelab/restic.nix
similarity index 92%
rename from hosts/homelab/restic.nix
rename to modules/homelab/restic.nix
index 97e1cff..2539818 100644
--- a/hosts/homelab/restic.nix
+++ b/modules/homelab/restic.nix
@@ -1,8 +1,10 @@
 {
 pkgs,
 config,
+ lib,
 ...
-}: {
+}:
+lib.mkIf config.fireproof.homelab.enable {
 environment.systemPackages = with pkgs; [
 restic
 ];
diff --git a/hosts/homelab/sso.nix b/modules/homelab/sso.nix
similarity index 97%
rename from hosts/homelab/sso.nix
rename to modules/homelab/sso.nix
index de20882..676013b 100644
--- a/hosts/homelab/sso.nix
+++ b/modules/homelab/sso.nix
@@ -1,8 +1,10 @@
 {
 config,
 pkgsUnstable,
+ lib,
 ...
-}: let
+}:
+lib.mkIf config.fireproof.homelab.enable (let
 port = 9190;
 rootDomain = "nickolaj.com";
 zitadelDomain = "sso.${rootDomain}";
@@ -105,4 +107,4 @@ in {
 cookie-domain = ".${rootDomain}";
 };
 };
-}
+})
diff --git a/hosts/homelab/vaultwarden.nix b/modules/homelab/vaultwarden.nix
similarity index 90%
rename from hosts/homelab/vaultwarden.nix
rename to modules/homelab/vaultwarden.nix
index c1d915b..1127b97 100644
--- a/hosts/homelab/vaultwarden.nix
+++ b/modules/homelab/vaultwarden.nix
@@ -1,4 +1,9 @@
-{config, ...}: let
+{
+ config,
+ lib,
+ ...
+}:
+lib.mkIf config.fireproof.homelab.enable (let
 domain = "bitwarden.nickolaj.com";
 in {
 services = {
@@ -27,4 +32,4 @@ in {
 };
 };
 };
-}
+})
diff --git a/modules/system/ssh.nix b/modules/system/ssh.nix
index 2355b68..4e2f9e4 100644
--- a/modules/system/ssh.nix
+++ b/modules/system/ssh.nix
@@ -30,50 +30,52 @@ in {
 forwardAgent = true;
 serverAliveInterval = 60;
 serverAliveCountMax = 10;
- matchBlocks = {
- "*" = {
- identityFile = "${config.age.secrets.ssh-key.path}";
+ matchBlocks =
+ {
+ "*" = {
+ identityFile = "${config.age.secrets.ssh-key.path}";
+ };
+ homelab = {
+ hostname = "x.nickolaj.com";
+ user = "nickolaj";
+ };
+ }
+ // lib.optionalAttrs workEnabled {
+ # Work hostnames definded in ./networking.nix
+ "bastion.ao" = {
+ user = "nij";
+ identityFile = "${config.age.secrets.ssh-key-ao.path}";
+ };
+ "clickhouse.ao" = {
+ user = "ubuntu";
+ hostname = "51.158.205.48";
+ identityFile = "${config.age.secrets.ssh-key-ao.path}";
+ };
+ "flex.ao" = {
+ user = "nij";
+ hostname = "192.168.2.5";
+ proxyJump = "bastion.ao";
+ identityFile = "${config.age.secrets.ssh-key-ao.path}";
+ };
+ "scw.ao" = {
+ user = "nij";
+ hostname = "51.15.81.1";
+ proxyJump = lib.mkDefault "dev.ao";
+ identityFile = "${config.age.secrets.ssh-key-ao.path}";
+ };
+ "dev.ao" = {
+ user = "nij";
+ hostname = "192.168.2.28";
+ proxyJump = lib.mkDefault "bastion.ao";
+ identityFile = "${config.age.secrets.ssh-key-ao.path}";
+ };
+ "staging.ao" = {
+ user = "staging";
+ hostname = "172.16.2.102";
+ proxyJump = lib.mkDefault "bastion.ao";
+ identityFile = "${config.age.secrets.ssh-key-ao.path}";
+ };
 };
- homelab = {
- hostname = "x.nickolaj.com";
- user = "nickolaj";
- };
- } // lib.optionalAttrs workEnabled {
- # Work hostnames definded in ./networking.nix
- "bastion.ao" = {
- user = "nij";
- identityFile = "${config.age.secrets.ssh-key-ao.path}";
- };
- "clickhouse.ao" = {
- user = "ubuntu";
- hostname = "51.158.205.48";
- identityFile = "${config.age.secrets.ssh-key-ao.path}";
- };
- "flex.ao" = {
- user = "nij";
- hostname = "192.168.2.5";
- proxyJump = "bastion.ao";
- identityFile = "${config.age.secrets.ssh-key-ao.path}";
- };
- "scw.ao" = {
- user = "nij";
- hostname = "51.15.81.1";
- proxyJump = lib.mkDefault "dev.ao";
- identityFile = "${config.age.secrets.ssh-key-ao.path}";
- };
- "dev.ao" = {
- user = "nij";
- hostname = "192.168.2.28";
- proxyJump = lib.mkDefault "bastion.ao";
- identityFile = "${config.age.secrets.ssh-key-ao.path}";
- };
- "staging.ao" = {
- user = "staging";
- hostname = "172.16.2.102";
- proxyJump = lib.mkDefault "bastion.ao";
- identityFile = "${config.age.secrets.ssh-key-ao.path}";
- };
- };
 };
 };
diff --git a/secrets/hosts/bootstrap/.rekey/6cf125b0ff06b3abca21a3a0c1535d1f-ssh-key-ao.age b/secrets/hosts/bootstrap/.rekey/6cf125b0ff06b3abca21a3a0c1535d1f-ssh-key-ao.age
deleted file mode 100644
index 5b69725..0000000
Binary files a/secrets/hosts/bootstrap/.rekey/6cf125b0ff06b3abca21a3a0c1535d1f-ssh-key-ao.age and /dev/null differ
diff --git a/secrets/hosts/homelab/.rekey/0caf919251bb18b1001dc9edd0b65e8f-ssh-key-ao.age b/secrets/hosts/homelab/.rekey/0caf919251bb18b1001dc9edd0b65e8f-ssh-key-ao.age
deleted file mode 100644
index 3928fe3..0000000
Binary files a/secrets/hosts/homelab/.rekey/0caf919251bb18b1001dc9edd0b65e8f-ssh-key-ao.age and /dev/null differ
diff --git a/secrets/hosts/homelab/.rekey/2065d9b9ea4ca971c2fc9d12218c1ea7-k8s-ao-dev.age b/secrets/hosts/homelab/.rekey/2065d9b9ea4ca971c2fc9d12218c1ea7-k8s-ao-dev.age
new file mode 100644
index 0000000..eeab804
Binary files /dev/null and b/secrets/hosts/homelab/.rekey/2065d9b9ea4ca971c2fc9d12218c1ea7-k8s-ao-dev.age differ
diff --git a/secrets/hosts/homelab/.rekey/456a05a5f283a7e7fcd797b29f5e5de0-k8s-ao-prod.age b/secrets/hosts/homelab/.rekey/456a05a5f283a7e7fcd797b29f5e5de0-k8s-ao-prod.age
new file mode 100644
index 0000000..2a86113
Binary files /dev/null and b/secrets/hosts/homelab/.rekey/456a05a5f283a7e7fcd797b29f5e5de0-k8s-ao-prod.age differ
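Review bot: In the modules/system/ssh.nix hunk, `forwardAgent = true;` sits beside `matchBlocks` rather than inside one of its blocks, so (assuming this is the home-manager `programs.ssh` module; the enclosing attribute set starts outside the hunk) agent forwarding is on for every destination, including `clickhouse.ao`, the hosts reached through `bastion.ao`, and anything matched by `"*"`. The work hosts already hop through `proxyJump`, which does not need a forwarded agent, while any host that receives the agent socket can use the loaded keys for as long as the session lasts. Consider `forwardAgent = false;` at this level and a per-block `forwardAgent = true;` only where a remote really has to authenticate onward. Separately, the re-added comment still reads `definded`; `# Work hostnames defined in ./networking.nix` fixes it.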