diff --git a/aspects/hosts/_alexandria/nextcloud.nix b/aspects/hosts/_alexandria/nextcloud.nix
index cb9f2ac..c4a9669 100644
--- a/aspects/hosts/_alexandria/nextcloud.nix
+++ b/aspects/hosts/_alexandria/nextcloud.nix
@@ -1,7 +1,8 @@
 {
+  lib,
   config,
-  inputs,
   pkgs,
+  inputs,
   ...
 }:
 
@@ -82,12 +83,12 @@ in
 
   age.secrets = {
     "nextcloud-secrets.json" = {
-      file = "${inputs.self}/secrets/nextcloud-secrets.json.age";
+      file = ../../../secrets/nextcloud-secrets.json.age;
       owner = "nextcloud";
       group = "nextcloud";
     };
     nextcloud-adminpass = {
-      file = "${inputs.self}/secrets/nextcloud-adminpass.age";
+      file = ../../../secrets/nextcloud-adminpass.age;
       owner = "nextcloud";
       group = "nextcloud";
     };
diff --git a/aspects/hosts/_alexandria/nginx.nix b/aspects/hosts/_alexandria/nginx.nix
index 087faf4..26a7ba1 100644
--- a/aspects/hosts/_alexandria/nginx.nix
+++ b/aspects/hosts/_alexandria/nginx.nix
@@ -51,7 +51,7 @@ in
   ];
 
   age.secrets.cloudflare = {
-    file = "${inputs.self}/secrets/cloudflare.age";
+    file = ../../../secrets/cloudflare.age;
     owner = "nginx";
     group = "nginx";
   };
diff --git a/aspects/hosts/_trantor/forgejo.nix b/aspects/hosts/_trantor/forgejo.nix
index 8421adb..1112622 100644
--- a/aspects/hosts/_trantor/forgejo.nix
+++ b/aspects/hosts/_trantor/forgejo.nix
@@ -67,8 +67,5 @@ in
   };
 
   # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
-  systemd.services.forgejo.serviceConfig = {
-    PrivateMounts = lib.mkForce false;
-    ProtectSystem = lib.mkForce false;
-  };
+  systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
 }
diff --git a/aspects/hosts/_trantor/nginx.nix b/aspects/hosts/_trantor/nginx.nix
index 24f96c3..899666e 100644
--- a/aspects/hosts/_trantor/nginx.nix
+++ b/aspects/hosts/_trantor/nginx.nix
@@ -8,8 +8,10 @@
 let
   services = inputs.self.services;
 
+  # Get all unique domains from shared services on trantor (host = "trantor")
   localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "trantor") services));
 
+  # Generate ACME cert configs for all local domains
   acmeCerts = lib.genAttrs localDomains (domain: {
     group = "nginx";
   });
@@ -49,7 +51,7 @@ in
   ];
 
   age.secrets.cloudflare = {
-    file = "${inputs.self}/secrets/cloudflare.age";
+    file = ../../../secrets/cloudflare.age;
     owner = "nginx";
     group = "nginx";
   };
diff --git a/aspects/hosts/alexandria.nix b/aspects/hosts/alexandria.nix
index f10dfe7..57fdf5f 100644
--- a/aspects/hosts/alexandria.nix
+++ b/aspects/hosts/alexandria.nix
@@ -27,7 +27,6 @@
 
       # other aspects
       fwupd
-      podman
     ]);
   };
 }
diff --git a/aspects/lxc.nix b/aspects/lxc.nix
deleted file mode 100644
index 15da310..0000000
--- a/aspects/lxc.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ ... }:
-
-{
-  flake.modules.nixos.lxc =
-    {
-      config,
-      lib,
-      pkgs,
-      ...
-    }:
-    {
-      virtualisation.lxc = {
-        enable = true;
-        unprivilegedContainers = true;
-      };
-    };
-}