diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..101c2cb
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+#  see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+keys:
+  - &user_homefree 06321D7F20335A7E08595BA905D137EE114BA2C2
+  - &host_homefree 0BC4F8FF51F3167F06683FFB19008821C072983E
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *user_homefree
+      - *host_homefree
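Review bot: The two fingerprints on the `&user_homefree` and `&host_homefree` lines are committed without any indication that they are sample values a reader must replace, and the only hint is the external link on the first line. A comment above `keys:` such as `# sample fingerprints — replaced for this machine by ./generate-gpg-keys.sh (run it before creating secrets)` would make the intent explicit. Note that the anchor names here have to match exactly what the `sed` expressions in generate-gpg-keys.sh (this commit) search for, so any rename must be done in both files; see the note on that hunk.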
diff --git a/README.md b/README.md
index f0137d0..ef4dec8 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,42 @@
 HomeFree Sample Config
 ======================
 
-Clone this repo and modify configuration.nix as needed, then deploy with:
+## Edit config
+
+Clone this repo and modify configuration.nix as needed onto a freshly installed NixOS machine.
+
+## Create secrets
+
+- Generate appropriate GPG keys. You will need a private SSH key at ~/.ssh/id_rsa
 
 ```
-./install.sh
+./generate-gpg-keys.sh
 ```
 
-Make sure to create secrets files in the secrets folder, as described by the README file in that folder.
+- Create secrets file in this folder. Use the following commands.
+
+```
+sops secrets/authentik.yaml
+sops secrets/backup.yaml
+sops secrets/ddclient.yaml
+sops secrets/linkwarden.yaml
+sops secrets/nextcloud.yaml
+sops secrets/tailscale.yaml
+```
+
+And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
+the values as required.
+
+## Build
+
+```
+./build.sh
+```
+
+## You can also deploy remotely to a machine running the Live CD
+
+```
+./deploy.sh
+```
+
+BUT, you'll have to check out the source onto the server and run the `./generate-gpg-keys.sh` script again after deployment.
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..5c89c88
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+sudo nixos-rebuild switch --flake .#${HOSTNAME} -L
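Review bot: `${HOSTNAME}` on the rebuild line is unquoted and unchecked, so if the variable is unset the flake reference degrades to `.#` and nixos-rebuild fails with an unrelated-looking error rather than a clear message. Adding `set -euo pipefail` after the shebang and writing the reference as `".#${HOSTNAME:?HOSTNAME is not set}"` fails early with a readable reason and keeps the argument intact if the host name ever contains unusual characters.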
diff --git a/install.sh b/deploy.sh
similarity index 100%
rename from install.sh
rename to deploy.sh
diff --git a/generate-gpg-keys.sh b/generate-gpg-keys.sh
new file mode 100755
index 0000000..376005e
--- /dev/null
+++ b/generate-gpg-keys.sh
@@ -0,0 +1,36 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p gnupg ssh-to-pgp
+
+## Import user SSH key into GPG
+
+cp ~/.ssh/id_rsa /tmp/id_rsa
+ssh-keygen -p -N "" -f /tmp/id_rsa
+{
+    IFS=$'\n' read -r -d '' CAPTURED_STDERR;
+    IFS=$'\n' read -r -d '' CAPTURED_STDOUT;
+} < <((printf '\0%s\0' "$(ssh-to-pgp -private-key -i /tmp/id_rsa | gpg --import --allow-non-selfsigned-uid --quiet)" 1>&2) 2>&1)
+USER_GPG_FINGERPRINT=$(echo $CAPTURED_STDERR | awk '{print $1;}')
+echo "FINGERPRINT: ${USER_GPG_FINGERPRINT}"
+rm /tmp/id_rsa
+# set ultimate trust level
+echo "${USER_GPG_FINGERPRINT}:6:" | gpg --import-ownertrust
+echo -e "adduid\n\n${USER}@localhost\n\nsave\nexit\n" | gpg --command-fd=0 --status-fd=1 --edit-key ${USER_GPG_FINGERPRINT}
+
+sed -i -e "s/\&user .\+$/\&user $USER_GPG_FINGERPRINT/g" .sops.yaml
+
+## Import host SSH key into GPG
+
+# Get GPG fingerprint of server RSA key
+# HOST_GPG_FINGERPRINT=$(sudo cat /etc/ssh/ssh_host_rsa_key | ssh-to-pgp -private-key | gpg --import --allow-non-selfsigned-uid --quiet 2> /dev/null | head -n 1)
+{
+    IFS=$'\n' read -r -d '' CAPTURED_STDERR;
+    IFS=$'\n' read -r -d '' CAPTURED_STDOUT;
+} < <((printf '\0%s\0' "$(sudo cat /etc/ssh/ssh_host_rsa_key | ssh-to-pgp -private-key | gpg --import --allow-non-selfsigned-uid --quiet)" 1>&2) 2>&1)
+HOST_GPG_FINGERPRINT=$(echo $CAPTURED_STDERR | awk '{print $1;}')
+echo "FINGERPRINT: ${HOST_GPG_FINGERPRINT}"
+# set ultimate trust level
+echo "${HOST_GPG_FINGERPRINT}:6:" | gpg --import-ownertrust
+echo -e "adduid\n\n${USER}@localhost\n\nsave\nexit\n" | gpg --command-fd=0 --status-fd=1 --edit-key ${HOST_GPG_FINGERPRINT}
+
+sed -i -e "s/\&host_$HOST .\+$/\&host_$HOST $HOST_GPG_FINGERPRINT/g" .sops.yaml
+
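Review bot: The `sed` on the last line of each section cannot match the anchors that this commit writes into .sops.yaml: `\&user .\+$` requires a space after `user` but the anchor is `&user_homefree`, and `\&host_$HOST` expands `$HOST`, which bash does not set by default (build.sh in this commit uses `HOSTNAME`), so both substitutions are silent no-ops and the committed sample fingerprints stay in place. Matching the anchors as written would be `sed -i -e "s/\&user_homefree .\+$/\&user_homefree $USER_GPG_FINGERPRINT/" .sops.yaml` and `sed -i -e "s/\&host_homefree .\+$/\&host_homefree $HOST_GPG_FINGERPRINT/" .sops.yaml`, each preceded by `: "${USER_GPG_FINGERPRINT:?no fingerprint captured}"` (and the host equivalent) so that an empty capture — the script has no `set -euo pipefail` — cannot write an empty value into .sops.yaml or feed a bare `:6:` to `gpg --import-ownertrust`. The passphrase-stripped copy of the user's private key is written to the fixed path `/tmp/id_rsa` and is only removed when every earlier step succeeds; creating it with `mktemp` and registering `trap 'rm -f "$tmp"' EXIT` avoids both the predictable path and leaving the key behind on failure. For the host key, only its public half is needed to encrypt secrets to that host, so importing the private key (`sudo cat … | ssh-to-pgp -private-key`) into the user's keyring and then granting it ultimate trust looks unnecessary — confirm against ssh-to-pgp's documented usage before dropping `-private-key` there.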
diff --git a/secrets/.gitignore b/secrets/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/README.md b/secrets/README.md
deleted file mode 100644
index 27812c0..0000000
--- a/secrets/README.md
+++ /dev/null
@@ -1,16 +0,0 @@
-Secrets config
---------------
-
-Create secrets file in this folder. Use the following commands:
-
-```
-sops authentik.yaml
-sops backup.yaml
-sops ddclient.yaml
-sops linkwarden.yaml
-sops nextcloud.yaml
-sops tailscale.yaml
-```
-
-And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
-the values as required.