diff --git a/config/hosts/to-do/ostara/home/default.nix b/config/hosts/to-do/ostara/home/default.nix
deleted file mode 100644
index c915eb0a..00000000
--- a/config/hosts/to-do/ostara/home/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: { }
diff --git a/config/hosts/to-do/ostara/meta.nix b/config/hosts/to-do/ostara/meta.nix
deleted file mode 100644
index 14abe350..00000000
--- a/config/hosts/to-do/ostara/meta.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ lib, config, ... }: with lib; {
-  config = {
-    deploy.targets.ostara = {
-      nodeNames = singleton "ostara";
-      tf = {
-        resources.ostara = {
-          provider = "null";
-          type = "resource";
-          connection = {
-            port = 62954;
-            host = "192.168.1.245";
-          };
-        };
-      };
-    };
-    network.nodes.ostara = {
-      imports = lib.hostImport "ostara";
-      networking = {
-        hostName = "ostara";
-      };
-    };
-  };
-}
diff --git a/config/hosts/to-do/ostara/nixos/default.nix b/config/hosts/to-do/ostara/nixos/default.nix
deleted file mode 100644
index c5706d15..00000000
--- a/config/hosts/to-do/ostara/nixos/default.nix
+++ /dev/null
@@ -1,58 +0,0 @@
-{ lib, config, users, pkgs, profiles, ... }:
-
-with lib;
-
-{
-  imports = [ ./hw.nix profiles.laptop ];
-
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  boot.loader.grub.device = "/dev/sda";
-
-  networking.hostId = "9f89b327";
-  networking.hostName = "ostara";
-
-  networking.useDHCP = false;
-  networking.interfaces.enp1s0.useDHCP = true;
-  networking.interfaces.wlp2s0.useDHCP = true;
-
-  kw.fw.public.interfaces = singleton "wlp2s0";
-
-  kw.fw.public.tcp.ports = [ 9981 9982 ];
-
-  hardware.firmware = [ pkgs.libreelec-dvb-firmware ];
-
-  services.tvheadend.enable = true;
-
-  systemd.services.tvheadend.enable = lib.mkForce false;
-  
-  systemd.services.tvheadend-kat = {
-      description = "Tvheadend TV streaming server";
-      wantedBy    = [ "multi-user.target" ];
-      after       = [ "network.target" ];
-      script   = ''
-                      ${pkgs.tvheadend}/bin/tvheadend \
-                      --http_root /tvheadend \
-                      --http_port 9981 \
-                      --htsp_port 9982 \
-                      -f \
-                      -C \
-                      -p ${config.users.users.tvheadend.home}/tvheadend.pid \
-                      -u tvheadend \
-                      -g video
-                      '';
-      serviceConfig = {
-        Type         = "forking";
-        PIDFile      = "${config.users.users.tvheadend.home}/tvheadend.pid"; 
-        Restart      = "always";
-        RestartSec   = 5;
-        User         = "tvheadend";
-        Group        = "video";
-       
-        ExecStop     = "${pkgs.coreutils}/bin/rm ${config.users.users.tvheadend.home}/tvheadend.pid";
-      };
-    };
-
-
-  system.stateVersion = "20.09";
-}
diff --git a/config/hosts/to-do/ostara/nixos/hw.nix b/config/hosts/to-do/ostara/nixos/hw.nix
deleted file mode 100644
index 0d1f7e61..00000000
--- a/config/hosts/to-do/ostara/nixos/hw.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  boot.initrd.availableKernelModules =
-    [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/469a684b-eb8f-48a8-8f98-be58528312c4";
-    fsType = "ext4";
-  };
-
-  swapDevices =
-    [{ device = "/dev/disk/by-uuid/2223e305-79c9-45b3-90d7-560dcc45775a"; }];
-
-}
diff --git a/config/services/asterisk.nix b/config/services/asterisk/default.nix
similarity index 100%
rename from config/services/asterisk.nix
rename to config/services/asterisk/default.nix
diff --git a/config/services/fail2ban.nix b/config/services/fail2ban/default.nix
similarity index 100%
rename from config/services/fail2ban.nix
rename to config/services/fail2ban/default.nix
diff --git a/config/services/grafana.nix b/config/services/grafana/default.nix
similarity index 100%
rename from config/services/grafana.nix
rename to config/services/grafana/default.nix
diff --git a/config/services/logrotate.nix b/config/services/logrotate/default.nix
similarity index 100%
rename from config/services/logrotate.nix
rename to config/services/logrotate/default.nix
diff --git a/config/services/loki.nix b/config/services/loki/default.nix
similarity index 100%
rename from config/services/loki.nix
rename to config/services/loki/default.nix
diff --git a/config/services/mail.nix b/config/services/mail/default.nix
similarity index 100%
rename from config/services/mail.nix
rename to config/services/mail/default.nix
diff --git a/config/services/matrix.nix b/config/services/matrix/default.nix
similarity index 100%
rename from config/services/matrix.nix
rename to config/services/matrix/default.nix
diff --git a/config/services/murmur.nix b/config/services/murmur/default.nix
similarity index 100%
rename from config/services/murmur.nix
rename to config/services/murmur/default.nix
diff --git a/config/services/netdata.nix b/config/services/netdata/default.nix
similarity index 100%
rename from config/services/netdata.nix
rename to config/services/netdata/default.nix
diff --git a/config/services/nginx.nix b/config/services/nginx/default.nix
similarity index 100%
rename from config/services/nginx.nix
rename to config/services/nginx/default.nix
diff --git a/config/services/node-exporter.nix b/config/services/node-exporter/default.nix
similarity index 100%
rename from config/services/node-exporter.nix
rename to config/services/node-exporter/default.nix
diff --git a/config/services/postgres.nix b/config/services/postgres/default.nix
similarity index 100%
rename from config/services/postgres.nix
rename to config/services/postgres/default.nix
diff --git a/config/services/prometheus.nix b/config/services/prometheus/default.nix
similarity index 100%
rename from config/services/prometheus.nix
rename to config/services/prometheus/default.nix
diff --git a/config/services/promtail.nix b/config/services/promtail/default.nix
similarity index 100%
rename from config/services/promtail.nix
rename to config/services/promtail/default.nix
diff --git a/config/services/radicale.nix b/config/services/radicale/default.nix
similarity index 100%
rename from config/services/radicale.nix
rename to config/services/radicale/default.nix
diff --git a/config/services/restic.nix b/config/services/restic/default.nix
similarity index 100%
rename from config/services/restic.nix
rename to config/services/restic/default.nix
diff --git a/config/services/syncplay.nix b/config/services/syncplay/default.nix
similarity index 100%
rename from config/services/syncplay.nix
rename to config/services/syncplay/default.nix
diff --git a/config/services/taskserver.nix b/config/services/taskserver/default.nix
similarity index 100%
rename from config/services/taskserver.nix
rename to config/services/taskserver/default.nix
diff --git a/config/services/vaultwarden.nix b/config/services/vaultwarden/default.nix
similarity index 100%
rename from config/services/vaultwarden.nix
rename to config/services/vaultwarden/default.nix
diff --git a/config/services/weechat.nix b/config/services/weechat/default.nix
similarity index 100%
rename from config/services/weechat.nix
rename to config/services/weechat/default.nix
diff --git a/config/services/xmpp.nix b/config/services/xmpp/default.nix
similarity index 100%
rename from config/services/xmpp.nix
rename to config/services/xmpp/default.nix
diff --git a/config/services/zfs.nix b/config/services/zfs/default.nix
similarity index 100%
rename from config/services/zfs.nix
rename to config/services/zfs/default.nix
diff --git a/config/services/znc.nix b/config/services/znc/default.nix
similarity index 100%
rename from config/services/znc.nix
rename to config/services/znc/default.nix
diff --git a/default.nix b/default.nix
index 6270c63b..99a285ae 100644
--- a/default.nix
+++ b/default.nix
@@ -5,6 +5,14 @@ let
   sourceCache = import ./cache.nix {
     inherit sources lib;
   };
+  publicServices = lib.modList {
+    modulesDir = ./config/services;
+  };
+  privateServices-base = lib.mkIf (builtins.pathExists ./config/trusted/services) (lib.modList {
+    modulesDir = ./config/trusted/services;
+  });
+  privateServices = privateServices-base.content;
+  services = lib.modListMerge publicServices privateServices;
   profiles = lib.modList {
     modulesDir = ./config/profiles;
   };
@@ -34,7 +42,7 @@ let
       ./config/modules/meta/default.nix
     ] ++ map (hostName: ./config/hosts + "/${hostName}/meta.nix") hostNames;
     specialArgs = {
-      inherit sources profiles users;
+      inherit sources profiles users services;
     };
   };
   inherit (eval) config;
diff --git a/pkgs/lib/default.nix b/pkgs/lib/default.nix
index 497daaf6..de1f21b7 100644
--- a/pkgs/lib/default.nix
+++ b/pkgs/lib/default.nix
@@ -12,5 +12,6 @@
 {
   inherit (colorHelpers) hextorgba;
   hostImport = import ./host-import.nix { inherit lib; };
+  modListMerge = import ./intersect-merge.nix { inherit lib; };
   modList = import ./module-list.nix { inherit lib; };
 }; in katlib
diff --git a/pkgs/lib/intersect-merge.nix b/pkgs/lib/intersect-merge.nix
new file mode 100644
index 00000000..15a385bd
--- /dev/null
+++ b/pkgs/lib/intersect-merge.nix
@@ -0,0 +1,4 @@
+{ lib }: pathsA: pathsB: with lib; let
+  pathIntersection = intersectLists (attrNames pathsA) (attrNames pathsB);
+  pathMerger = pathA: pathB: { imports = [ pathA pathB ]; };
+in pathsA // pathsB // genAttrs pathIntersection (key: (pathMerger pathsA.${key} pathsB.${key}))