diff --git a/config/modules/meta/secrets.nix b/config/modules/meta/secrets.nix
new file mode 100644
index 00000000..16cb85fc
--- /dev/null
+++ b/config/modules/meta/secrets.nix
@@ -0,0 +1,5 @@
+{ config, lib, ... }: with lib; {
+ options.kw.secrets.command = mkOption {
+ type = types.str;
+ };
+}
diff --git a/config/modules/nixos/secrets.nix b/config/modules/nixos/secrets.nix
index 6b92ace6..cc35f80b 100644
--- a/config/modules/nixos/secrets.nix
+++ b/config/modules/nixos/secrets.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, meta, ... }:
 with lib;
@@ -22,14 +22,12 @@ let
 };
 };
 });
+ mcfg = meta.kw.secrets;
 cfg = config.kw.secrets;
 in
 {
 options.kw = {
 secrets = {
- command = mkOption {
- type = types.str;
- };
 variables = mkOption {
 type = types.attrsOf secretType;
 default = { };
@@ -48,7 +46,7 @@ in
 deploy.tf.variables = mapAttrs' (name: content: nameValuePair name ({
- value.shellCommand = "${cfg.command} ${content.path}" + optionalString (content.field != "") " -f ${content.field}";
+ value.shellCommand = "${mcfg.command} ${content.path}" + optionalString (content.field != "") " -f ${content.field}";
 type = "string";
 sensitive = true;
 })
diff --git a/config/profiles/base/secrets.nix b/config/profiles/base/secrets.nix
index 99372c3a..f468bebc 100644
--- a/config/profiles/base/secrets.nix
+++ b/config/profiles/base/secrets.nix
@@ -8,10 +8,4 @@
 persistentRoot = "/var/lib/kat/secrets";
 external = true;
 };
-
- kw.secrets.command =
- let
- bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.kw.secrets.repo.bitw.source} "$@"'';
- in
- "${bitw}/bin/bitw get";
 }
diff --git a/default.nix b/default.nix
index 2f0823c4..09fcb121 100644
--- a/default.nix
+++ b/default.nix
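Review bot: The new `kw.secrets.command` option in config/modules/meta/secrets.nix has no `description` and no `example`, so a reader of this module cannot tell what the value must look like; the only consumer, config/modules/nixos/secrets.nix, builds `"${mcfg.command} ${content.path}"` plus an optional `" -f ${content.field}"`, so the contract is a command prefix that prints one secret for a path. Add inside the `mkOption`: `description = "Command prefix that prints the secret stored at a given path; deploy.tf.variables invokes it as '<command> <path> [-f <field>]' through a shell.";`. Because there is no `default`, evaluation fails with an undefined-option error whenever no meta module sets it, which is worth stating in the same description.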
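Review bot: On the changed `value.shellCommand` line in config/modules/nixos/secrets.nix, `content.path` and `content.field` are still spliced into the command unquoted, so a secret path or field name containing whitespace or shell metacharacters is word-split by the shell that runs it; the commit only swaps `cfg` for `mcfg`. The file already has `with lib;` in scope, so both can be quoted in place: `value.shellCommand = "${mcfg.command} ${escapeShellArg content.path}" + optionalString (content.field != "") " -f ${escapeShellArg content.field}";`. The values are marked `sensitive = true`, so a quoting failure would presumably surface only as a redacted error at deploy time. The `mapAttrs'` call continues past the end of the hunk.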
@@ -22,40 +22,14 @@ let
 all = attrValues local ++ attrValues hexchen;
 allStr = toString all;
 };
- # This is used for the base path for nodeImport.
+
 root = ./.;
-
- /*
- This is used to generate specialArgs + the like. It works as such:
- * A can exist at config/.
- * A can exist at config/trusted/.
- If only one exists, the path for that one is returned.
- Otherwise a module is generated which contains both import paths.
- */
 xarg = lib.recursiveMod { folder = ./config; inherit sources lib; };
- /*
- We provide the runners with this file this way. We also provide our nix args here.
- This is also where pkgs are passed through to the meta config.
- */
- metaConfig = {
- config = {
- runners = {
- lazy = {
- file = root;
- args = [ "--show-trace" ];
- };
- };
- _module.args = {
- pkgs = lib.mkDefault pkgs;
- };
- deploy.targets.dummy.enable = false;
- };
- };
+ metaBase = import ./meta.nix { inherit config lib pkgs root; };
- # This is where the meta config is evaluated.
 eval = lib.evalModules {
- modules = lib.singleton metaConfig
+ modules = lib.singleton metaBase
 ++ lib.singleton xarg.modules.meta
 ++ lib.attrValues (removeAttrs xarg.targets [ "common" ])
 ++ (map
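Review bot: This hunk deletes the comments explaining `root`, `xarg` and the meta config without carrying any of that into the new lines, and the second default.nix hunk drops the comment describing what `self` exposes, so the file now says nothing about what `metaBase` or `xarg` are. One line each would preserve that: `# Base meta module (runners, secrets command, pkgs); see ./meta.nix` above `metaBase`, and `# Builds specialArgs/modules from config/ and, when present, config/trusted/` above `xarg`, which is what the removed block stated. Note also that `metaBase` calls `./meta.nix` with the outer `config` (the `inherit (eval) config` later in the same `let`) instead of letting `evalModules` supply it, so the module is tied to the `eval` fixpoint from outside; passing only `root` via `specialArgs` and listing the file path as a module would be the more conventional shape, if nothing else depends on the explicit call. The `let` block continues past the end of the hunk.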
@@ -75,22 +49,8 @@ let
 } // xarg;
 };
- # The evaluated meta config.
 inherit (eval) config;
- /*
- Please note all specialArg generated specifications use the folder common to both import paths.
- Those import paths are as mentioned above next to `xargNames`.
-
- This provides us with a ./. that contains (most relevantly):
- * deploy.targets -> a mapping of target name to host names
- * network.nodes -> host names to host NixOS + home-manager configs
- * profiles -> the specialArg generated from profiles/
- * users -> the specialArg generated from users/
- * targets -> the specialArg generated from targets/
- * do not use common, it is tf-nix specific config ingested at line 66 of config/modules/meta/deploy.nix for every target.
- * services -> the specialArg generated from services/
- */
 self = config // { inherit pkgs lib sourceCache sources; } // xarg;
 in self
diff --git a/meta.nix b/meta.nix
new file mode 100644
index 00000000..5de884e0
--- /dev/null
+++ b/meta.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, lib, root, ... }: {
+ runners = {
+ lazy = {
+ file = root;
+ args = [ "--show-trace" ];
+ };
+ };
+
+ kw.secrets.command =
+ let
+ bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.network.nodes.${builtins.getEnv "HOME_HOSTNAME"}.kw.secrets.repo.bitw.source} "$@"'';
+ in
+ "${bitw}/bin/bitw get";
+
+ deploy.targets.dummy.enable = false;
+ _module.args.pkgs = lib.mkDefault pkgs;
+}
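Review bot: `builtins.getEnv "HOME_HOSTNAME"` on the `bitw` line of meta.nix yields `""` when the variable is unset (and under pure evaluation), so the lookup becomes `config.network.nodes.""` and fails with an attribute-missing error that never mentions the variable; the per-profile definition this replaces read `config.kw.secrets.repo.bitw.source` directly and had no environment dependency. Bind the host first and fail clearly: `host = builtins.getEnv "HOME_HOSTNAME";` and `node = config.network.nodes.${host} or (throw "HOME_HOSTNAME must name a node in network.nodes (got '${host}')");`, then use `node.kw.secrets.repo.bitw.source` in the script. The source is also spliced unquoted after `gpg://`; `${lib.escapeShellArg "gpg://${node.kw.secrets.repo.bitw.source}"}` keeps a path containing spaces intact. Since this command is what deploy.tf.variables runs to fetch every sensitive value, the fact that the caller's environment now decides whose vault is used deserves a comment above `kw.secrets.command`.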