diff --git a/hosts/nixos/lapetus/filesystems/zfs.nix b/hosts/nixos/lapetus/filesystems/zfs.nix
index 1c39ca9..1e07ee7 100644
--- a/hosts/nixos/lapetus/filesystems/zfs.nix
+++ b/hosts/nixos/lapetus/filesystems/zfs.nix
@@ -1,87 +1,41 @@
-{ config, pkgs, ... }: {
+{ config, pkgs, ... }:
+let secretMountpoint = "/hermes";
+in
+{
   # Configure ZFS
   boot.supportedFilesystems = [ "zfs" ];
   boot.zfs.extraPools = [ "zroot" ];
   boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
   boot.kernelParams = [ "nohibernate" ];
 
-  boot.initrd.systemd.services =
-    let secretMountpoint = "/hermes";
-    in
-    {
-      # {{{ Mount usb 
-      mountSecrets = {
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-        };
-        unitConfig.DefaultDependencies = "no";
-        wantedBy = [ "zfs-import.target" ];
-        before = [ "zfs-import.target" ];
-        script = ''
-          MOUNTPOINT="${secretMountpoint}"
-          USB="/dev/sdb"
+  # {{{ Mount usb for zfs secrets
+  boot.initrd.systemd.systemd.mounts.hermes = {
+    where = "/hermes";
+    what = "/dev/sdb";
+    type = "exfat";
 
-          echo "Waiting for $USB"
-          for I in {1..20}; do
-              if [ -e "$USB" ]; then break; fi
-              echo -n .
-              sleep 1
-          done
+    # The usb contains sensitive data that should only be readable to root
+    mountConfig.DirectoryMode = "0750";
 
-          echo "Found $USB"
-          sleep 1
+    wantedBy = [ "zfs-import.target" ];
+    before = [ "zfs-import.target" ];
+  };
+  # }}}
 
-          if [ -e "$USB" ]; then
-              echo "Mounting $USB"
-              mkdir -p $MOUNTPOINT
-              mount -o ro "$USB" $MOUNTPOINT
-              if [ $? -eq 0 ]; then
-                  exit 0
-              else
-                  echo "Error mounting $USB" >&2
-              fi
-          else
-              echo "Cannot find $USB" >&2
-          fi
-        '';
-      };
-      # }}}
-      # {{{ Unmount usb 
-      unmountSecrets = {
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-        };
-        unitConfig.DefaultDependencies = "no";
-        wantedBy = [ "initrd.target" ];
-        after = [ "zfs-mount.service" ];
-        script = ''
-          MOUNTPOINT="${secretMountpoint}"
-          if [ -e "$MOUNTPOINT" ]; then
-              echo "Clearing $MOUNTPOINT"
-              umount $MOUNTPOINT
-              rmdir $MOUNTPOINT
-              echo "Unmounted $MOUNTPOINT"
-          else
-              echo "Nothing to unmount"
-          fi
-        '';
-      };
-      # }}}
-      # # {{{ Rollback 
-      # rollback = {
-      #   path = [ pkgs.zfs ];
-      #   serviceConfig = {
-      #     Type = "oneshot";
-      #     RemainAfterExit = true;
-      #   };
-      #   unitConfig.DefaultDependencies = "no";
-      #   wantedBy = [ "initrd.target" ];
-      #   after = [ "zfs-import.target" ];
-      #   before = [ "sysroot.mount" ];
-      #   script = "zfs rollback -r zroot@blank";
-      # };
-      # # }}}
-    };
+  boot.initrd.systemd.services = {
+    # # {{{ Rollback 
+    # rollback = {
+    #   path = [ pkgs.zfs ];
+    #   serviceConfig = {
+    #     Type = "oneshot";
+    #     RemainAfterExit = true;
+    #   };
+    #   unitConfig.DefaultDependencies = "no";
+    #   wantedBy = [ "initrd.target" ];
+    #   after = [ "zfs-import.target" ];
+    #   before = [ "sysroot.mount" ];
+    #   script = "zfs rollback -r zroot@blank";
+    # };
+    # # }}}
+  };
 }