diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..e393ddc
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "private"]
+ path = private
+ url = ssh://forgejo@git.luj.fr/luj/snowfield-private.git
diff --git a/home-manager-modules/mails/default.nix b/home-manager-modules/mails/default.nix
index 0a1a8e0..51adb38 100644
--- a/home-manager-modules/mails/default.nix
+++ b/home-manager-modules/mails/default.nix
@@ -16,19 +16,19 @@ with lib;
 config = mkIf cfg.enable {
 age.secrets.work-mail-pw = {
- file = ../../secrets/work-mail-pw.age;
+ file = ../../private/secrets/work-mail-pw.age;
 };
 age.secrets.dgnum-mail-pw = {
- file = ../../secrets/dgnum-mail-pw.age;
+ file = ../../private/secrets/dgnum-mail-pw.age;
 };
 age.secrets.telecom-mail-pw = {
- file = ../../secrets/telecom-mail-pw.age;
+ file = ../../private/secrets/telecom-mail-pw.age;
 };
 age.secrets.ens-mail-pw = {
- file = ../../secrets/ens-mail-pw.age;
+ file = ../../private/secrets/ens-mail-pw.age;
 };
 programs.mbsync = {
diff --git a/machines/akhaten/stalwart.nix b/machines/akhaten/stalwart.nix
index 11db346..298cc84 100644
--- a/machines/akhaten/stalwart.nix
+++ b/machines/akhaten/stalwart.nix
@@ -64,7 +64,7 @@
 services.backup.includes = [ "/var/lib/stalwart-mail/db" ];
 age.secrets.stalwart-admin-hash = {
- file = ../../secrets/stalwart-admin.age;
+ file = ../../private/secrets/stalwart-admin.age;
 path = "/var/lib/stalwart-mail/admin-hash";
 owner = "stalwart-mail";
 group = "stalwart-mail";
diff --git a/machines/biblios/garage.nix b/machines/biblios/garage.nix
index afe2feb..221a386 100644
--- a/machines/biblios/garage.nix
+++ b/machines/biblios/garage.nix
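Review bot: The new `private` submodule is reachable only over SSH (`url = ssh://forgejo@git.luj.fr/luj/snowfield-private.git`) and `.gitmodules` records no `branch`, so the only pin is the gitlink commit added in this same commit; every host that evaluates this configuration — including the buildbot and forgejo-runner machines whose token secrets also move under `private/` in this diff — now needs read credentials for that remote and a checkout fetched with submodules, otherwise each `age.secrets.*.file` resolves to a missing path at evaluation time. I would document that next to the entry, e.g. `# private secrets live in a separate repo: clone with --recurse-submodules (for flakes, ?submodules=1) and give deploy/CI hosts read access to this remote`. Moving the `.age` files out of this repository also does not remove them from its history: the ciphertext remains in earlier commits, which is harmless while the age recipient keys are sound, but if the intent was to hide the secrets' names or existence, the history needs rewriting and/or the secrets rotating.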
@@ -36,17 +36,17 @@ in
 environmentFile = config.age.secrets."garage-env-file".path;
 };
- age.secrets."garage-env-file".file = ../../secrets/garage-env-file.age;
+ age.secrets."garage-env-file".file = ../../private/secrets/garage-env-file.age;
 age.secrets."book-auth" = {
- file = ../../secrets/book-auth.age;
+ file = ../../private/secrets/book-auth.age;
 owner = "nginx";
 };
 age.secrets."notes-phd-auth" = {
- file = ../../secrets/notes-phd-auth.age;
+ file = ../../private/secrets/notes-phd-auth.age;
 owner = "nginx";
 };
 age.secrets."notes-perso-auth" = {
- file = ../../secrets/notes-perso-auth.age;
+ file = ../../private/secrets/notes-perso-auth.age;
 owner = "nginx";
 };
diff --git a/machines/core-security/default.nix b/machines/core-security/default.nix
index 11d956b..01184a6 100644
--- a/machines/core-security/default.nix
+++ b/machines/core-security/default.nix
@@ -90,7 +90,7 @@
 };
 };
- age.secrets.keycloak-db.file = ../../secrets/keycloak-db.age;
+ age.secrets.keycloak-db.file = ../../private/secrets/keycloak-db.age;
 services.openssh.extraConfig = ''
 HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
diff --git a/machines/gustave/artiflakery.nix b/machines/gustave/artiflakery.nix
index 1a8790c..afb8f19 100644
--- a/machines/gustave/artiflakery.nix
+++ b/machines/gustave/artiflakery.nix
@@ -2,7 +2,7 @@
 {
 age.secrets."artiflakery-auth" = {
- file = ../../secrets/artiflakery-auth.age;
+ file = ../../private/secrets/artiflakery-auth.age;
 owner = "artiflakery";
 };
diff --git a/machines/gustave/nextcloud.nix b/machines/gustave/nextcloud.nix
index 1e62a66..06ceb88 100644
--- a/machines/gustave/nextcloud.nix
+++ b/machines/gustave/nextcloud.nix
@@ -5,13 +5,13 @@
 environment.systemPackages = [ config.services.nextcloud.occ ];
 age.secrets."nextcloud-admin-password" = {
- file = ../../secrets/nextcloud-admin-password.age;
+ file = ../../private/secrets/nextcloud-admin-password.age;
 owner = "nextcloud";
 group = "nextcloud";
 };
 age.secrets."nextcloud-s3-token" = {
- file = ../../secrets/nextcloud-s3-token.age;
+ file = ../../private/secrets/nextcloud-s3-token.age;
 owner = "nextcloud";
 group = "nextcloud";
 };
diff --git a/machines/gustave/pages.nix b/machines/gustave/pages.nix
index 7c99d37..1f63104 100644
--- a/machines/gustave/pages.nix
+++ b/machines/gustave/pages.nix
@@ -8,7 +8,7 @@ let
 allowedUpstream = "2a01:e0a:de4:a0e1:4bb5:9275:6010:e9b5/128";
 in
 {
- age.secrets."pages-settings-file".file = ../../secrets/pages-settings-file.age;
+ age.secrets."pages-settings-file".file = ../../private/secrets/pages-settings-file.age;
 services.codeberg-pages = {
 enable = true;
@@ -97,7 +97,7 @@ in
 ];
 # Listen to ipv6 packets coming from the internet, check the SNI
- # If they are one of the declared virtualHosts, forward them to the proxy protocol listener
+ # If they are one of the declared virtualHosts, forward them to the proxy protocol listener
 # for that virtualHost, else forward them to the page server
 streamConfig = ''
 map $ssl_preread_server_name $sni_upstream {
diff --git a/machines/gustave/plausible.nix b/machines/gustave/plausible.nix
index c5911f3..308b6b1 100644
--- a/machines/gustave/plausible.nix
+++ b/machines/gustave/plausible.nix
@@ -21,7 +21,7 @@
 };
 age.secrets = {
- plausible-admin-password.file = ../../secrets/plausible-password.age;
- plausible-secret-key-base.file = ../../secrets/plausible-keybase-secret.age;
+ plausible-admin-password.file = ../../private/secrets/plausible-password.age;
+ plausible-secret-key-base.file = ../../private/secrets/plausible-keybase-secret.age;
 };
 }
diff --git a/machines/gustave/readeck.nix b/machines/gustave/readeck.nix
index 8bac7a0..cc30d8c 100644
--- a/machines/gustave/readeck.nix
+++ b/machines/gustave/readeck.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 {
- age.secrets."readeck-config".file = ../../secrets/readeck-config.age;
+ age.secrets."readeck-config".file = ../../private/secrets/readeck-config.age;
 services.nginx.virtualHosts."read.luj" = {
 forceSSL = true;
diff --git a/machines/lambda/uptime-kuma.nix b/machines/lambda/uptime-kuma.nix
index 745dec4..e82da2a 100644
--- a/machines/lambda/uptime-kuma.nix
+++ b/machines/lambda/uptime-kuma.nix
@@ -37,7 +37,7 @@ in
 };
 age.secrets."stateless-uptime-kuma-password".file =
- ../../secrets/stateless-uptime-kuma-password.age;
+ ../../private/secrets/stateless-uptime-kuma-password.age;
 nixpkgs.overlays = [ (import "${inputs.stateless-uptime-kuma}/overlay.nix") ];
diff --git a/machines/tower/forgejo-runner.nix b/machines/tower/forgejo-runner.nix
index f30cd01..9723288 100644
--- a/machines/tower/forgejo-runner.nix
+++ b/machines/tower/forgejo-runner.nix
@@ -1,6 +1,6 @@
 { pkgs, config, ... }:
 {
- age.secrets.forgejo_runners-token_file.file = ../../secrets/forgejo_runners-token_file.age;
+ age.secrets.forgejo_runners-token_file.file = ../../private/secrets/forgejo_runners-token_file.age;
 nix.settings.allowed-users = [ "gitea-runner" ];
 nix.settings.trusted-users = [ "gitea-runner" ];
diff --git a/modules/backup/default.nix b/modules/backup/default.nix
index 8b2a6a5..7417be0 100644
--- a/modules/backup/default.nix
+++ b/modules/backup/default.nix
@@ -72,12 +72,12 @@ in
 config = lib.mkIf (cfg.includes != [ ]) {
 age.secrets."borg-ssh-key" = {
- file = ../../secrets/borg-ssh-priv.age;
+ file = ../../private/secrets/borg-ssh-priv.age;
 owner = "root";
 mode = "0600";
 };
- age.secrets."borg-encryption-secret".file = ../../secrets/borg-encryption-secret.age;
+ age.secrets."borg-encryption-secret".file = ../../private/secrets/borg-encryption-secret.age;
 programs.ssh.knownHosts."${if port != 22 then "[${host}]:${port}" else host}" = {
 publicKey = "${hostPublicKey}";
diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix
index 4746ca0..c9e1503 100644
--- a/modules/buildbot/default.nix
+++ b/modules/buildbot/default.nix
@@ -55,12 +55,12 @@ in
 };
 age.secrets = {
- github-token.file = ../../secrets/github-token-secret.age;
- github-webhook-secret.file = ../../secrets/github-webhook-secret.age;
- github-oauth-secret.file = ../../secrets/github-oauth-secret.age;
- buildbot-nix-workers.file = ../../secrets/buildbot-nix-workers.age;
+ github-token.file = ../../private/secrets/github-token-secret.age;
+ github-webhook-secret.file = ../../private/secrets/github-webhook-secret.age;
+ github-oauth-secret.file = ../../private/secrets/github-oauth-secret.age;
+ buildbot-nix-workers.file = ../../private/secrets/buildbot-nix-workers.age;
 buildbot-nix-worker-password = {
- file = ../../secrets/buildbot-nix-worker-password.age;
+ file = ../../private/secrets/buildbot-nix-worker-password.age;
 owner = "buildbot-worker";
 };
 };
diff --git a/modules/deluge/default.nix b/modules/deluge/default.nix
index d8208c3..0d24bcc 100644
--- a/modules/deluge/default.nix
+++ b/modules/deluge/default.nix
@@ -35,7 +35,7 @@ in
 age.secrets.deluge-webui-password = {
 owner = cfg.user;
- file = ../../secrets/deluge-webui-password.age;
+ file = ../../private/secrets/deluge-webui-password.age;
 };
 services.deluge = {
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index afafcbf..1f320d3 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@@ -147,7 +147,7 @@ in
 security.acme.acceptTerms = true;
 age.secrets.nginx-cert = {
- file = ../../secrets/404-ssl-certificate-cert.age;
+ file = ../../private/secrets/404-ssl-certificate-cert.age;
 path = "/var/lib/acme/default/cert.pem";
 owner = "acme";
 group = "nginx";
@@ -156,7 +156,7 @@ in
 };
 age.secrets.nginx-key = {
- file = ../../secrets/404-ssl-certificate-key.age;
+ file = ../../private/secrets/404-ssl-certificate-key.age;
 path = "/var/lib/acme/default/key.pem";
 owner = "acme";
 group = "nginx";
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index cb7a316..c713a12 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -11,7 +11,7 @@ with lib;
 config = mkIf cfg.enable {
 age.secrets.git-gpg-private-key = {
- file = ../../secrets/git-gpg-private-key.age;
+ file = ../../private/secrets/git-gpg-private-key.age;
 owner = "julien";
 mode = "0440";
 group = config.users.groups.keys.name;
diff --git a/private b/private
new file mode 160000
index 0000000..8dca9c5
--- /dev/null
+++ b/private
@@ -0,0 +1 @@
+Subproject commit 8dca9c5539ce520591101b9e5f0a2ec131b8ec4c
diff --git a/users/default.nix b/users/default.nix
index 0319dce..583cbd1 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -11,7 +11,7 @@
 programs.fish.enable = true;
- age.secrets.user-root-password.file = ../secrets/user-root-password.age;
+ age.secrets.user-root-password.file = ../private/secrets/user-root-password.age;
 users.users.root = {
 uid = config.ids.uids.root;
diff --git a/users/julien.nix b/users/julien.nix
index 89d7195..b37966a 100644
--- a/users/julien.nix
+++ b/users/julien.nix
@@ -29,5 +29,5 @@
 nix.settings.allowed-users = [ "julien" ];
 nix.settings.trusted-users = [ "julien" ];
- age.secrets.julien-password.file = ../secrets/user-julien-password.age;
+ age.secrets.julien-password.file = ../private/secrets/user-julien-password.age;
 }