diff --git a/config/hosts/yukari.nix b/config/hosts/yukari.nix index 80369ab7..d40f7a86 100644 --- a/config/hosts/yukari.nix +++ b/config/hosts/yukari.nix @@ -31,23 +31,23 @@ fileSystems = { "/" = { - device = "zroot/safe/root"; + device = "rpool/safe/root"; fsType = "zfs"; }; "/nix" = { - device = "zroot/local/nix"; + device = "rpool/local/nix"; fsType = "zfs"; }; "/home" = { - device = "zroot/safe/home"; + device = "rpool/safe/home"; fsType = "zfs"; }; "/boot" = { - device = "/dev/disk/by-uuid/44CC-7137"; + device = "/dev/disk/by-id/ata-Samsung_SSD_860_EVO_250GB_S3YJNX0K780441Z-part3"; fsType = "vfat"; }; "/boot-fallback" = { - device = "/dev/disk/by-uuid/4520-4E5F"; + device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S3R0NF1J841629N-part3"; fsType = "vfat"; }; "/mnt/zraw" = { @@ -61,8 +61,8 @@ }; swapDevices = [ - { device = "/dev/disk/by-uuid/682df001-bad8-4d94-a86b-9068ce5eee4c"; } - { device = "/dev/disk/by-uuid/1ee2d322-235c-41de-b272-7ceded4e2624"; } + { device = "/dev/disk/by-id/ata-Samsung_SSD_860_EVO_250GB_S3YJNX0K780441Z-part2"; } + { device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S3R0NF1J841629N-part2"; } ]; boot.loader = { @@ -73,7 +73,7 @@ device = "nodev"; mirroredBoots = [ { - devices = [ "/dev/disk/by-uuid/4520-4E5F" ]; + devices = [ "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S3R0NF1J841629N-part3" ]; path = "/boot-fallback"; } ]; diff --git a/config/services/ha.nix b/config/services/ha.nix index 2c206765..8cb401f1 100644 --- a/config/services/ha.nix +++ b/config/services/ha.nix @@ -1,4 +1,4 @@ -{ config, ... }: { +{ config, lib, tf, ... }: { services = { home-assistant = { enable = true; @@ -34,8 +34,12 @@ zigbee2mqtt = { enable = true; settings = { + advanced = { + log_level = "info"; + network_key = "!secret network_key"; + }; homeassistant = true; - permit_join = true; + permit_join = false; frontend = { port = 8072; }; 
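Review bot: The `network_key = "!secret network_key";` line in the new `advanced` block is missing a comment saying where the value is resolved from. It is only a reference; the key lives in the `secret.yaml` that the `preStart` override later in this file copies into the data directory. A short comment above it would do, for example `# resolved by zigbee2mqtt from secret.yaml in dataDir, written by systemd.services.zigbee2mqtt.preStart`. Without it, someone who later drops the `preStart` override would leave a config that points at a missing secret.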
@@ -43,10 +47,33 @@ port = "tcp://192.168.1.149:8888"; adapter = "ezsp"; }; + }; }; }; - network.firewall.public.tcp.ports = [ 8123 ]; + kw.secrets.variables.z2m-network-key = { + path = "secrets/zigbee2mqtt"; + field = "password"; + }; + + secrets.files.zigbee2mqtt-config = { + text = builtins.toJSON config.services.zigbee2mqtt.settings; + owner = "zigbee2mqtt"; + group = "zigbee2mqtt"; + }; + + secrets.files.zigbee2mqtt-secret = { + text = "network_key: ${tf.variables.z2m-network-key.ref}"; + owner = "zigbee2mqtt"; + group = "zigbee2mqtt"; + }; + + systemd.services.zigbee2mqtt.preStart = let cfg = config.services.zigbee2mqtt; in lib.mkForce '' + cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-config.path} "${cfg.dataDir}/configuration.yaml" + cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-secret.path} "${cfg.dataDir}/secret.yaml" + ''; + + network.firewall.public.tcp.ports = [ 8123 8072 ]; network.firewall.private.tcp.ports = [ 8123 ]; } diff --git a/config/tf b/config/tf index b4d44f3e..84b1742d 160000 --- a/config/tf +++ b/config/tf @@ -1 +1 @@ -Subproject commit b4d44f3e882b132b88165a6620c47e2b8d699d99 +Subproject commit 84b1742d36714279de336e2bee37848d0b3b6de8
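Review bot: Adding 8072 to `network.firewall.public.tcp.ports` opens the zigbee2mqtt frontend on the public side (assuming `public` is the externally reachable zone in this repo's firewall module), and the `frontend` block shown in the previous hunk sets only `port`, with no `auth_token`. Anyone who can reach that port could then manage the Zigbee network from the UI, including turning joining back on after this commit set `permit_join = false`. If outside access is not needed, list 8072 under `network.firewall.private.tcp.ports` instead (it still reads `[ 8123 ]`), or set `frontend.auth_token` through the same `!secret` mechanism. Separately, `cp --no-preserve=mode` in `preStart` gives `secret.yaml` whatever mode the service umask produces rather than the mode of the secrets file. Unless `dataDir` or the unit's `UMask` already restricts it (not visible here), `install -m 0600 ${config.secrets.files.zigbee2mqtt-secret.path} "${cfg.dataDir}/secret.yaml"` would keep the network key owner-only.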