diff --git a/flake.lock b/flake.lock
index 858ff35..21e71d0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1716168343,
- "narHash": "sha256-82oT27w9smpItZ+PyN2C0PjIwZYbIocwXSM4u1igXuc=",
+ "lastModified": 1716383025,
+ "narHash": "sha256-kYfXAqbmbL0bu3J/AoiSkWVOCNlpJEemxivbTUaS+fU=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "6f01b9710bc4d3bf006eb8df928b4b15e0430901",
+ "rev": "d957a010f83923626609d00cf73ed1b81f5a8a4b",
 "type": "github"
 },
 "original": {
@@ -58,11 +58,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1716313798,
- "narHash": "sha256-XQnaNbpCxUo97c64IBbrbSKAA5FJb6FTyylPFRp/ZyY=",
+ "lastModified": 1716384287,
+ "narHash": "sha256-d29bda7PZxvxkkA505pea74AiuBlMEjZvrKnHog8bio=",
 "ref": "refs/heads/master",
- "rev": "6f2eb80d6a641515e205fd7df615453567ad9ffe",
- "revCount": 20,
+ "rev": "960f344fa38bcfcd439d885aa503bf54e8599bc0",
+ "revCount": 23,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
@@ -101,11 +101,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1716137900,
- "narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=",
+ "lastModified": 1716293225,
+ "narHash": "sha256-pU9ViBVE3XYb70xZx+jK6SEVphvt7xMTbm6yDIF4xPs=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1",
+ "rev": "3eaeaeb6b1e08a016380c279f8846e0bd8808916",
 "type": "github"
 },
 "original": {
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
index e8b1624..1b29121 100644
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@@ -17,7 +17,7 @@ in
 ];
 users = {
- mutableUsers = true;
+ mutableUsers = false;
 extraUsers = {
 root = {
 hashedPasswordFile = sopsHashedPasswordFile;
diff --git a/hosts/common/core/sops.nix b/hosts/common/core/sops.nix
index 5c71b95..30dc04a 100644
--- a/hosts/common/core/sops.nix
+++ b/hosts/common/core/sops.nix
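Review bot: The flip to `mutableUsers = false` carries no comment explaining its consequences, and they matter for the rest of this commit: NixOS now regenerates the user database on every activation, so `passwd`, `useradd` or any other change made by hand on the host is reverted, and every login-capable user must carry a declarative `hashedPasswordFile`/`hashedPassword`. A one-line why-comment above it would help the next maintainer, e.g. `# Fully declarative users: passwords/accounts changed by hand on the host are reverted at activation`. Note that any user still defined with a plaintext `password` option (the media user elsewhere in this diff) now keeps that value permanently and cannot rotate it on the box. The enclosing `users = { ... }` attribute set continues past the hunk.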
@@ -19,6 +19,7 @@ in
 secrets = {
 "passwords/root".neededForUsers = true;
 "passwords/sam".neededForUsers = true;
+ "passwords/media".neededForUsers = true;
 };
 };
 }
diff --git a/hosts/common/optional/openssh.nix b/hosts/common/optional/openssh.nix
index 23a0fc3..6088f56 100644
--- a/hosts/common/optional/openssh.nix
+++ b/hosts/common/optional/openssh.nix
@@ -7,16 +7,21 @@ in
 services.openssh = {
 enable = true;
 ports = [ sshPort ];
- authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/default"];
+ authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
+ hostKeys = [{
+ path = "/persist/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }];
 settings = {
- # Harden
- PasswordAuthentication = true;
+ PasswordAuthentication = false;
 PermitRootLogin = "no";
- # Automatically remove stale sockets
+ PubKeyAuthentication = "yes";
 StreamLocalBindUnlink = "yes";
+ UsePAM = true;
 };
 };
-
-
+ security.pam = {
+ sshAgentAuth.enable = true;
+ };
 networking.firewall.allowedTCPPorts = [ sshPort ];
 }
diff --git a/hosts/common/users/keys/laptop.pub b/hosts/common/users/keys/laptop@id_rsa.pub
similarity index 100%
rename from hosts/common/users/keys/laptop.pub
rename to hosts/common/users/keys/laptop@id_rsa.pub
diff --git a/hosts/common/users/keys/sam@id_ed25519.pub b/hosts/common/users/keys/sam@id_ed25519.pub
new file mode 100644
index 0000000..b07c2d8
--- /dev/null
+++ b/hosts/common/users/keys/sam@id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFc+y7KKEbutJe9u9UPP3rWqchjS7/yrpyoQRd178c7u sam
diff --git a/hosts/common/users/keys/sam@nixdev-ssh-ed25519.pub b/hosts/common/users/keys/sam@nixdev-ssh-ed25519.pub
deleted file mode 100644
index 2e5bfd1..0000000
--- a/hosts/common/users/keys/sam@nixdev-ssh-ed25519.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYioCEiSLTNr3QqWEvcs8iIS4XmQUDfRg4psHyowzwp sam@nixdev
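Review bot: `security.pam.sshAgentAuth.enable = true` lands in this shared module without a comment, so every host that imports `optional/openssh.nix` now lets a forwarded SSH agent satisfy PAM for sudo (pam_ssh_agent_auth in NixOS reads, by default, the same `/etc/ssh/authorized_keys.d/%u` path this hunk forces), while the same diff removes `sudo.u2fAuth` from sparky, leaving the agent as the only sudo factor there. Please document the trade-off next to the option, e.g. `# sudo via forwarded agent: forward the agent only to hosts you trust (per-host ForwardAgent, never globally)`, or keep it host-specific. Minor: sshd accepts `PubKeyAuthentication` because keywords are case-insensitive, but the canonical spelling is `PubkeyAuthentication`; using it avoids a duplicate keyword if another module ever sets the same option. Because `hostKeys` now names only the ed25519 key under `/persist/etc/ssh`, sshd will stop generating an RSA host key — presumably intended, but the sparky persistence list in this diff still refers to `/etc/ssh/ssh_host_rsa_key`.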
diff --git a/hosts/common/users/media/default.nix b/hosts/common/users/media/default.nix
index ebd0a86..f395418 100644
--- a/hosts/common/users/media/default.nix
+++ b/hosts/common/users/media/default.nix
@@ -2,13 +2,14 @@ let
 pubKeys = lib.filesystem.listFilesRecursive (../keys);
 hostname = config.networking.hostName;
+ sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/media".path;
 in {
 users.users.media = {
 isNormalUser = true;
- password = "nixos"; # Overridden if sops is working
 shell = pkgs.zsh; # default shell
-
+ #hashedPasswordFile = sopsHashedPasswordFile;
+ password = "nixos";
 openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
 extraGroups =
diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix
index b7ff47e..561dcad 100644
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@@ -36,12 +36,17 @@
 hideMounts = true;
 directories = [
 "/etc/nixos"
- "/etc/ssh"
 "/var/log"
 "/var/lib/nixos"
 "/var/lib/systemd/coredump"
 "/etc/NetworkManager/system-connections"
 ];
+ files = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
 users.media = {
 directories = [
 "sync"
@@ -85,12 +90,6 @@
 # };
 # };
 #
- security.pam = {
- sshAgentAuth.enable = true;
- services = {
- sudo.u2fAuth = true;
- };
- };
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 system.stateVersion = "23.11";
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index eb74392..caaef73 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
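Review bot: `password = "nixos"` is now the media user's effective credential: `hashedPasswordFile` is commented out even though this very commit adds the `passwords/media` sops secret with `neededForUsers = true`, the `users.users.<name>.password` option ends up in the world-readable Nix store, and with `mutableUsers = false` (same diff) the value can no longer be changed on the host. If the sops path is meant to win whenever sops-nix is present, gate the two options instead of commenting one out: add `hasSops = lib.hasAttr "sops-nix" inputs;` to the `let`, then `hashedPasswordFile = lib.mkIf hasSops config.sops.secrets."passwords/media".path;` and `password = lib.mkIf (!hasSops) "nixos";`. The current `lib.optionalString` binding also yields `""` when sops-nix is absent, which is an invalid path rather than an unset option. The `users.users.media` attribute set continues past the hunk.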
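Review bot: The new `files` list persists `/etc/ssh/ssh_host_{ed25519,rsa}_key{,.pub}`, but `optional/openssh.nix` in this same diff points `services.openssh.hostKeys` directly at `/persist/etc/ssh/ssh_host_ed25519_key` and lists no RSA key, so — assuming sparky imports that module — sshd neither reads nor generates anything under `/etc/ssh`: the ed25519 entries are redundant with the direct `/persist` path and the RSA entries bind files that nothing creates. Pick one mechanism: either drop the `files` block and rely on `hostKeys` living under `/persist`, or keep `hostKeys` on the default `/etc/ssh/...` paths and let impermanence persist them. If the block is kept, a comment such as `# sshd host keys live under /persist directly (see optional/openssh.nix); these binds are only for tools that expect /etc/ssh` would explain the overlap. The enclosing persistence attribute set starts and ends outside the hunk.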
@@ -13,11 +13,15 @@ read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
 [ "$confirm" != "yes" ] && echo "Exiting" && exit 0
 # Target host details
-cd ~
-read -p "Enter hostname: " hostname
-read -p "Enter username: " username
-read -p "Enter ip address: " ip
-read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
+#cd ~
+#read -p "Enter hostname: " hostname
+#read -p "Enter username: " username
+#read -p "Enter ip address: " ip
+#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
+hostname="sparky"
+username="media"
+ip="192.168.122.192"
+config="sparky"
 echo " Details entered:
@@ -57,9 +61,27 @@ echo -e "Host age key:\n$HOST_AGE_KEY\n"
 echo -e "User age key:\n$USER_AGE_KEY\n"
 echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later."
+# Create temp directory for ssh keys to be copied to host:
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+ rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create the directory where sshd expects to find the host keys
+install -d -m755 "$temp/persist/etc/ssh"
+
+cat "$HOST_KEY_DIR/ssh_host_ed25519_key" > "$temp/persist/etc/ssh/ssh_host_ed25519_key"
+cat "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" > "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
+
+chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key"
+chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
+
 # Install Nixos to target
 cd "$HOME/nixos"
-SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
+SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
 ## Delete keys from local known_hosts
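Review bot: Replacing the four prompts with hard-coded `hostname`/`username`/`ip`/`config` removes the operator's only chance to notice a wrong target before `nixos-anywhere` installs over the machine at `192.168.122.192`; a stale or reused address silently wipes whatever host currently holds it. Keep the interactive path and use these values as defaults, e.g. `read -p "Enter ip address [192.168.122.192]: " ip; ip="${ip:-192.168.122.192}"` and the same pattern for the other three, so the "Details entered" confirmation that follows still reflects a conscious choice. The commented-out `#read`/`#cd` lines are dead code and should be deleted rather than kept next to the constants.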
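Review bot: The host private key is written with `cat ... >` and only then `chmod 600`, so it briefly exists with the umask-default mode; `mktemp -d` makes `$temp` 0700, which contains the exposure, but `install -m 600 "$HOST_KEY_DIR/ssh_host_ed25519_key" "$temp/persist/etc/ssh/ssh_host_ed25519_key"` and `install -m 644 "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"` create each file with the right mode in one step and replace the four `cat`/`chmod` lines. The `trap cleanup EXIT` is a good addition; consider noting in the comment above `install -d` that sshd refuses a host key whose mode is not 0600, so `--extra-files` must preserve these bits on the target (nixos-anywhere does so as far as I know — worth confirming on first boot). Only the ed25519 pair is shipped here, which matches the `hostKeys` setting introduced in `optional/openssh.nix` but not the RSA entries sparky's persistence list adds in this same diff.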
@@ -80,21 +102,21 @@ do
 done
 echo "$ip is now online and port 22 is open!"
+## Copy host ssh keys to target
+#scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key" "root@$ip:/etc/ssh/ssh_host_ed25519_key"
+#scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"
+#
 # Authorise source public key
 echo "Copying pubkey to target host"
 ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$username@$ip"
-# Copy host ssh keys to target & delete key in known hosts (because of key change)
-scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key" "root@$ip:/etc/ssh/ssh_host_ed25519_key" && sed -i "/$ip/d" ~/.ssh/known_hosts
-scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"
-
 # Copy user ssh keys to target
-scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519_key" "$username@$ip:~/.ssh/id_ed25519"
-scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519_key.pub" "$username@$ip~/.ssh/id_ed25519.pub"
+scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519" "$username@$ip:~/.ssh/id_ed25519"
+scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519.pub" "$username@$ip:~/.ssh/id_ed25519.pub"
 # Copy deploy_key to target for personal repo authorisation
-scp -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
-scp -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
+scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
+scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
 echo "Configuring target host ssh connection to enable connection to gitea repos:"
 read -r -d '' config << EOM
@@ -144,10 +166,10 @@ do
 [ "$confirm" = "yes" ] && break
 done
-ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
-ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
-
-echo "Successfully installed Nixos on the target host!"
-echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"
+ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git ~/keep/'"
+ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git ~/keep/'"
+echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
+#echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"
+exit 0
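Review bot: The retained `ssh-copy-id` step no longer does anything useful against the new host: it appends to `~/.ssh/authorized_keys`, but `optional/openssh.nix` in this same diff forces `authorizedKeysFiles` to `/etc/ssh/authorized_keys.d/%u` only, and with `PasswordAuthentication = false` the command can only authenticate if the key is already authorised declaratively — in which case it is a no-op. Replace it with an explicit check that the declarative key works, e.g. `ssh -o BatchMode=yes -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" true || { echo "Key for $username not authorised on $ip"; exit 1; }`, and delete the commented-out `#scp` host-key block, which is dead code now that `--extra-files` ships the key. The `scp` lines that follow push a user private key and a deploy private key onto the target; that is a design choice rather than a bug, but a comment stating where the `$USER_KEY_DIR` keys come from and that they are not reused elsewhere (if that is the case) would make the trust boundary explicit.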
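Review bot: Both `git clone` calls name `~/keep/` as the destination, and `git clone URL DIR` clones into DIR itself, so the second clone fails with "destination path already exists and is not an empty directory" — and because neither ssh exit status is checked, the script still prints the success banner. Use distinct destinations and fail fast: `... 'git clone git@git.bitlab21.com:sam/nixos.git ~/keep/nixos'" || exit 1` and `... 'git clone git@git.bitlab21.com:sam/nix-secrets.git ~/keep/nix-secrets'" || exit 1`. The commented-out `#echo "Please remote into ..."` line should be removed rather than kept as a reminder.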