diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix
index bb2cf518..b0a4ac67 100644
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@@ -16,6 +16,10 @@ in {
       type = str;
       default = config.networking.domain;
     };
+    secretsFile = mkOption {
+      type = nullOr path;
+      default = null;
+    };
     homekit = {
       enable =
         mkEnableOption "homekit"
@@ -97,9 +101,14 @@ in {
 
     systemd.services.home-assistant = mkIf (cfg.enable && cfg.mutableUiConfig) {
       # UI-editable config files
-      preStart = mkBefore ''
-        touch ${cfg.configDir}/{automations,scenes,scripts,manual,homekit_entity_config,homekit_include_entities}.yaml
-      '';
+      preStart = mkMerge [
+        (mkBefore ''
+          touch "${cfg.configDir}/"{automations,scenes,scripts,manual,homekit_entity_config,homekit_include_entities}.yaml
+        '')
+        (mkIf (cfg.secretsFile != null) (mkBefore ''
+          ln -sf ${cfg.secretsFile} "${cfg.configDir}/secrets.yaml"
+        ''))
+      ];
     };
   };
 
diff --git a/nixos/home-assistant.nix b/nixos/home-assistant.nix
index 80e4988b..97b176f3 100644
--- a/nixos/home-assistant.nix
+++ b/nixos/home-assistant.nix
@@ -7,16 +7,14 @@
   inherit (lib.modules) mkIf mkDefault;
   sopsFile = mkDefault ./secrets/home-assistant.yaml;
 in {
-  sops.secrets = {
+  sops.secrets = mkIf cfg.enable {
     ha-integration = {
       inherit sopsFile;
       owner = "hass";
-      path = "${cfg.configDir}/integration.yaml";
     };
     ha-secrets = {
       inherit sopsFile;
       owner = "hass";
-      path = "${cfg.configDir}/secrets.yaml";
     };
   };
 
@@ -24,6 +22,7 @@ in {
     enable = mkDefault true;
     mutableUiConfig = mkDefault true;
     domain = mkDefault "home.${config.networking.domain}";
+    secretsFile = mkDefault config.sops.secrets.ha-secrets.path;
     config = {
       homeassistant = {
         name = "Gensokyo";
@@ -75,7 +74,7 @@ in {
       };
       google_assistant = {
         project_id = "gensokyo-5cfaf";
-        service_account = "!include integration.yaml";
+        service_account = "!include ${config.sops.secrets.ha-integration.path}";
         report_state = true;
         exposed_domains = [
           "scene"
@@ -132,4 +131,7 @@ in {
       "wled"
     ];
   };
+  systemd.services.home-assistant = mkIf cfg.enable {
+    gensokyo-zone.sharedMounts.hass.path = mkDefault cfg.configDir;
+  };
 }