diff --git a/.sops.yaml b/.sops.yaml
index b24ce7e..cbdec1d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,12 +1,16 @@
 # See https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
 keys:
 - &matt age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
+ - &matt_pi4 age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u
 - &desktop age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf
 - &jallen-nas age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
+ - &pi4 age1llgz23hxtcmfmmfgaffyfr4rcvwv39ntxlj57frdp7t5ct68e9ssn2jhvy
 creation_rules:
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
 - *matt
+ - *matt_pi4
 - *desktop
- - *jallen-nas
\ No newline at end of file
+ - *jallen-nas
+ - *pi4
\ No newline at end of file
diff --git a/hosts/pi4/adguard.nix b/hosts/pi4/adguard.nix
new file mode 100644
index 0000000..cbb7ed6
--- /dev/null
+++ b/hosts/pi4/adguard.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ services.adguard = {
+ enable = true;
+ allowDHCP = true;
+ port = 3000;
+ openFirewall = true;
+ mutableSettings = true;
+ };
+}
\ No newline at end of file
diff --git a/hosts/pi4/boot.nix b/hosts/pi4/boot.nix
new file mode 100644
index 0000000..f372135
--- /dev/null
+++ b/hosts/pi4/boot.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, ... }:
+{
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ initrd.availableKernelModules = [
+ "xhci_pci"
+ "usbhid"
+ "usb_storage"
+ ];
+ # We're using EFI so enable systemd-boot
+ loader = {
+ systemd-boot.enable = true;
+ generic-extlinux-compatible.enable = lib.mkForce false;
+ };
+ # kernelParams = [
+ # "snd_bcm2835.enable_hdmi=1"
+ # ];
+ };
+}
\ No newline at end of file
diff --git a/hosts/pi4/configuration.nix b/hosts/pi4/configuration.nix
index bf5dd3d..18d5b7d 100644
--- a/hosts/pi4/configuration.nix
+++ b/hosts/pi4/configuration.nix
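Review bot: In `.sops.yaml`, the single `creation_rules` entry now lists `*pi4` and `*matt_pi4` next to the existing recipients, so the Pi's host key can decrypt every file matching `secrets/[^/]+\.(yaml|json|env|ini)$`, including secrets that only `desktop` or `jallen-nas` need. A per-host rule would limit what a compromised pi4 exposes, for example a second entry with `path_regex: secrets/pi4/[^/]+\.(yaml|json|env|ini)$` whose `age` list holds only `*matt`, `*matt_pi4` and `*pi4`. Changing the recipient list also does not re-encrypt anything: the existing files under `secrets/` need `sops updatekeys` before the new keys can read them, and no secrets file appears in the part of the diff visible here.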
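Review bot: In `hosts/pi4/adguard.nix`, `openFirewall = true` with `port = 3000` presumably opens the AdGuard admin interface on the host firewall, and with `mutableSettings = true` the admin account lives only in mutable state written through that interface. Until first-run setup is completed, that page is configured by whoever reaches it first. This host also imports `./impermanence.nix`, so unless the service's state directory is persisted the host may return to the unconfigured page after each reboot; please confirm it is listed there. Consider `openFirewall = false` with an explicit firewall rule limited to the management network, or declaring the admin user through the module's settings if it exposes them. `./adguard.nix` is also not added to the `imports` list in the visible part of `configuration.nix`, so check that it is actually loaded.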
@@ -8,7 +8,7 @@ let
 user = "matt";
 password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
 SSID = "Joey's Jungle 5G";
- SSIDpassword = "kR8v&3Qd";#config.sops.templates."wifi-password".content;
+ SSIDpassword = config.sops.templates."wifi-password".content;
 interface = "wlan0";
 timezone = "America/Chicago";
 hostname = "pi4";
@@ -16,6 +16,7 @@ in
 {
 imports = [
 # Include the results of the hardware scan.
+ ./boot.nix
 ./hardware-configuration.nix
 ./impermanence.nix
 ./sops.nix
@@ -31,34 +32,18 @@ in
 nix.settings.trusted-users = [ "@wheel" ];
- boot = {
- kernelPackages = pkgs.linuxPackages_latest;
- initrd.availableKernelModules = [
- "xhci_pci"
- "usbhid"
- "usb_storage"
- ];
- loader = {
- systemd-boot.enable = true;
- generic-extlinux-compatible.enable = lib.mkForce false;
- };
- # kernelParams = [
- # "snd_bcm2835.enable_hdmi=1"
- # ];
- };
-
 services.xserver = {
- enable = true;
+ enable = false;
 desktopManager = {
- budgie.enable = true;
+ budgie.enable = false;
 };
 displayManager = {
- lightdm.enable = true;
+ lightdm.enable = false;
 };
 };
 services.ups-monitor = {
- enable = true;
+ enable = false;
 };
 # hardware = {
diff --git a/hosts/pi4/impermanence.nix b/hosts/pi4/impermanence.nix
index e2cedc5..63df79f 100644
--- a/hosts/pi4/impermanence.nix
+++ b/hosts/pi4/impermanence.nix
@@ -20,6 +20,7 @@
 ];
 files = [
 "/etc/machine-id"
+ { file = "/etc/nix/id_rsa"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
 ];
 };
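Review bot: In the first hunk of `hosts/pi4/configuration.nix`, `SSIDpassword = config.sops.templates."wifi-password".content;` is read at evaluation time, and in sops-nix `.content` is the unrendered template text in which secrets appear only as placeholders; the real value exists only in the file at `.path` after activation. Depending on how `SSIDpassword` is consumed further down (outside this hunk), the Wi-Fi configuration would receive the placeholder string, and whatever literal text the template holds ends up in the world-readable Nix store. Point the wireless configuration at the rendered file instead, e.g. `networking.wireless.secretsFile = config.sops.templates."wifi-password".path;` with `pskRaw = "ext:<name>"` on the network, if this host uses `networking.wireless`. The passphrase on the removed line stays in git history, so it should be rotated on the access point. `config` must also be among the module arguments, which this hunk does not show.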
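Review bot: In `hosts/pi4/impermanence.nix`, the new `files` entry sets `parentDirectory` to mode `u=rwx,g=,o=`, and the parent of `/etc/nix/id_rsa` is `/etc/nix`, which normally also holds `nix.conf`. If impermanence applies that mode to `/etc/nix` itself, non-root users may lose read access to the Nix configuration. Keeping the key in a dedicated directory (a constructed example: `/etc/nix/keys/id_rsa`) or checking the mode of `/etc/nix` after activation would rule that out. The entry sets no mode for the key file, so confirm that `id_rsa` ends up root-owned and `0600` on the persistent volume, and add a comment such as `# private key used for <purpose>; must stay root-only`. The enclosing attribute set starts and ends outside this hunk.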