diff --git a/config/nix.nix b/config/nix.nix
index 52b9979..a8d854a 100644
--- a/config/nix.nix
+++ b/config/nix.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 {
 nix = {
@@ -9,7 +9,7 @@
 extraOptions = ''
 build-timeout = 86400 # 24 hours
 '';
- binaryCachePublicKeys = [ (lib.fileContents /secret/hydra_cache.pub) ];
+ binaryCachePublicKeys = [ (lib.fileContents "${config.machine.secretPath}/hydra_cache.pub") ];
 trustedBinaryCaches = [
 "https://cache.nixos.org"
 "https://cache.ophanim.de"
diff --git a/config/users.nix b/config/users.nix
index 4faf542..b13341b 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -18,8 +18,8 @@ let
 ++ (if config.services.printing.enable then [ "cups" "lp" ] else [])
 ++ (if config.virtualisation.docker.enable then [ "docker"] else []);
 shell = "${pkgs.zsh}/bin/zsh";
- passwordFile = "/secret/${user.name}";
- openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/${user.name}.pub" ] else [];
+ passwordFile = "${config.machine.secretPath}/${user.name}";
+ openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "${config.machine.secretPath}/${user.name}.pub" ] else [];
 };
 };
 
diff --git a/options/machine.nix b/options/machine.nix
index 481b2da..c78e1f0 100644
--- a/options/machine.nix
+++ b/options/machine.nix
@@ -34,6 +34,13 @@ with lib;
 The Machines HostName
 '';
 };
+ secretPath = mkOption {
+ type = types.string;
+ default = "/secret";
+ description = ''
+ Path to you systems secret folder containing files with sensitive information.
+ '';
+ };
 administrators = mkOption {
 type = types.listOf types.attrs;
 description = ''
diff --git a/services/gitea.nix b/services/gitea.nix
index 97ccab8..1340a1d 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
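Review bot: The new `secretPath` option in the `options/machine.nix` hunk is declared as `type = types.string;`, the string type NixOS reports as deprecated because it merges several definitions by concatenating them, so two modules setting the option would yield a mangled path instead of a conflict error; declare it as `type = types.str;`. Keep it a string type rather than `types.path`: a literal path value interpolated into the `"${config.machine.secretPath}/…"` strings used across this commit would copy the entire secrets directory into the world-readable Nix store. The description also has a typo ("you systems") and says nothing about how the directory must be protected; suggest `Absolute path to the directory holding this system's secret files (password files, keys). It must be readable by root only; note that any file in it read with fileContents at evaluation time has its contents copied into store-resident configuration.`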
@@ -13,7 +13,7 @@ mkIf (elem "gitea" config.machine.services) {
 type = "mysql";
 user = "git";
 name = "gitea";
- passwordFile = "/secret/gitea_db";
+ passwordFile = "${config.machine.secretPath}/gitea_db";
 };
 extraConfig = ''
 [repository]
diff --git a/services/hydra.nix b/services/hydra.nix
index 9c27df3..e457afd 100644
--- a/services/hydra.nix
+++ b/services/hydra.nix
@@ -36,7 +36,7 @@ mkIf (elem "hydra" config.machine.services) {
 # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
 extraConfig = ''
 max_output_size = 4294967296
- store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
+ store_uri = file:///var/cache/hydra?secret-key=${config.machine.secretPath}/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
 # add ?local-nar-cache= to set nar cache location
 server_store_uri = https://cache.${config.machine.domain}
 binary_cache_public_uri https://cache.${config.machine.domain}
@@ -48,7 +48,7 @@ mkIf (elem "hydra" config.machine.services) {
 enable = true;
 bindAddress = "0.0.0.0";
 port = 5000;
- secretKeyFile = "/secret/hydra_cache";
+ secretKeyFile = "${config.machine.secretPath}/hydra_cache";
 extraParams = ''
 # Dont know how to change the store root yet...
 # --user hydra-queue-runner
diff --git a/services/mailserver.nix b/services/mailserver.nix
index 2ac6577..e4d2db7 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -9,7 +9,7 @@ mkIf (elem "mailserver" config.machine.services) {
 mkUser = user: rec {
 name = "${user.name}@${domain}";
 value = {
- hashedPassword = (fileContents "/secret/${user.name}.mail");
+ hashedPassword = (fileContents "${config.machine.secretPath}/${user.name}.mail");
 aliases = [ "${user.name}@mail.${domain}" ] ++ (flatten (map mkFqdnAlias user.aliases));
 };
 };
diff --git a/services/mariaDB.nix b/services/mariaDB.nix
index cfed27c..abbc49b 100644
--- a/services/mariaDB.nix
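Review bot: In the `services/mailserver.nix` hunk, `hashedPassword = (fileContents "${config.machine.secretPath}/${user.name}.mail")` still reads the hash at evaluation time, so relocating the directory does not keep it out of the evaluated configuration, and presumably not out of whatever passdb file the mailserver module writes into the Nix store, where any local user can read it. A hash is weaker material than a plaintext secret but is still offline-crackable. If the mailserver module in use offers a file-backed option, prefer `hashedPasswordFile = "${config.machine.secretPath}/${user.name}.mail";` so the service reads the file itself at runtime, consistent with how the gitea and hydra hunks above pass `passwordFile` and `secretKeyFile` as plain paths. `mkUser` is complete within the hunk.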
+++ b/services/mariaDB.nix
@@ -6,7 +6,7 @@ let cfg = config.services; mkInitialDatabases = servicename: if (cfg."${servicename}".enable && (cfg."${servicename}".database.type == "mysql")) then let
- password = (fileContents "/secret/${servicename}_db");
+ password = (fileContents "${config.machine.secretPath}/${servicename}_db");
 cfg = config.services."${servicename}".database;
 in {
 name = cfg.name;
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index baa07f5..29e9c6c 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -11,12 +11,12 @@ mkIf (elem "nextcloud" config.machine.services) {
 maxUploadSize = "1024M";
 config = {
 adminuser = "derped";
- adminpassFile = "/secret/nextcloud_admin";
+ adminpassFile = "${config.machine.secretPath}/nextcloud_admin";
 dbtype = "mysql";
 dbhost = "localhost";
 dbport = "3306";
 dbuser = "nextcloud";
- dbpassFile = "/secret/nextcloud_db";
+ dbpassFile = "${config.machine.secretPath}/nextcloud_db";
 dbname = "nextcloud";
 dbtableprefix = "oc_";
 };
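Review bot: In the `services/mariaDB.nix` hunk, `password = (fileContents "${config.machine.secretPath}/${servicename}_db")` reads a plaintext database password at evaluation time, so the secret becomes part of the evaluated configuration, and wherever `password` is consumed further down (the `let … in` body continues past the hunk) it will presumably land in a store-resident initial-database script readable by every local user; moving the directory behind the new option does not change that. Prefer keeping the secret out of evaluation: pass only the path through and let a post-start step of the database service read the file and issue the `ALTER USER … IDENTIFIED BY` statement at runtime, or use socket authentication where no password is needed at all. As a style point, the inner `cfg = config.services."${servicename}".database;` shadows the outer `cfg` used in the `if` condition; a distinct name such as `dbCfg` would make the two scopes obvious.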