diff --git a/home-manager/roles/default.nix b/home-manager/roles/default.nix index d1097853..7343a67b 100644 --- a/home-manager/roles/default.nix +++ b/home-manager/roles/default.nix @@ -62,11 +62,6 @@ set -g allow-rename on ''; }; - password-store = { - package = pkgs.pass-wayland.withExtensions (exts: [exts.pass-update exts.pass-otp]); - enable = true; - settings.PASSWORD_STORE_DIR = "${config.home.homeDirectory}/git/password-store"; - }; git = { aliases = { sync = "!git pull -r && git push"; @@ -173,7 +168,7 @@ ) ( pkgs.writeShellScriptBin "print-ssh-pw" - "pass show eu/m-0/${config.m-0.hostName}.m-0.eu/ssh-key" + "rbw ${config.m-0.hostName}.m-0.eu ssh-key" ) ( pkgs.writeShellScriptBin "dingdingding" (builtins.readFile ./signal.sh) diff --git a/home-manager/roles/desktop.nix b/home-manager/roles/desktop.nix index c66a8414..00054e85 100644 --- a/home-manager/roles/desktop.nix +++ b/home-manager/roles/desktop.nix @@ -1,4 +1,8 @@ -{pkgs, ...}: { +{ + pkgs, + config, + ... +}: { home = { packages = builtins.attrValues { zoom = pkgs.zoom-us.overrideAttrs (old: { @@ -84,6 +88,11 @@ file.".zprofile".text = ". $HOME/.nix-profile/etc/profile.d/hm-session-vars.sh"; }; + programs.password-store = { + package = pkgs.pass-wayland.withExtensions (exts: [exts.pass-otp]); + enable = true; + settings.PASSWORD_STORE_DIR = "${config.home.homeDirectory}/git/password-store"; + }; gtk = { enable = true; iconTheme = { diff --git a/home-manager/roles/firefox.nix b/home-manager/roles/firefox.nix index 3b4537db..8fc04401 100644 --- a/home-manager/roles/firefox.nix +++ b/home-manager/roles/firefox.nix @@ -1,8 +1,4 @@ {pkgs, ...}: { - programs.browserpass = { - browsers = ["firefox"]; - enable = true; - }; home.packages = [pkgs.firefox]; home.sessionVariables = { # So that electron can open firefox links. See diff --git a/home-manager/roles/kassandra/config.dhall b/home-manager/roles/kassandra/config.dhall index b5283c26..81d5ffc9 100644 --- a/home-manager/roles/kassandra/config.dhall 
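Review bot: The new `print-ssh-pw` body runs `rbw ${config.m-0.hostName}.m-0.eu ssh-key` without the `get` subcommand, while tinkering.nix and unlock.nix in this same commit use `rbw get NAME USER`; if rbw insists on the subcommand, this wrapper prints usage text instead of the key. It also calls a bare `rbw` from PATH, whereas unlock.nix resolves `${config.programs.rbw.package}/bin/rbw`, so the wrapper depends on whatever environment invokes it. I would write `"${config.programs.rbw.package}/bin/rbw get ${config.m-0.hostName}.m-0.eu ssh-key"` — assuming `programs.rbw` is enabled for this profile, which the diff does not show. The package list this entry belongs to starts and ends outside the hunk.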
+++ b/home-manager/roles/kassandra/config.dhall @@ -22,19 +22,6 @@ in { backends = } } } - , { name = "tasks.maralorn.de" - , backend = - types.StandaloneAccount.RemoteAccount - { backend = Some - { url = "https://tasks.maralorn.de" - , user = "maralorn" - , password = - types.PasswordConfig.PasswordCommand - { command = "pass de/maralorn/tasks.maralorn.de/maralorn" - } - } - } - } , { name = "Dynamic Backend" , backend = types.StandaloneAccount.RemoteAccount diff --git a/home-manager/roles/leisure.nix b/home-manager/roles/leisure.nix index 11043792..30ccc51e 100644 --- a/home-manager/roles/leisure.nix +++ b/home-manager/roles/leisure.nix @@ -63,14 +63,6 @@ "exec:${serien}" ]; }; - news = { - config = '' - urls-source "ocnews" - ocnews-url "https://cloud.maralorn.de" - ocnews-login "maralorn" - ocnews-password "${(pkgs.privateValue {adminpass = "";} "nextcloud-admin").adminpass}" - ''; - }; software-updates = { feeds = [ diff --git a/home-manager/roles/mail.nix b/home-manager/roles/mail.nix index db3e5937..4c99aa9f 100644 --- a/home-manager/roles/mail.nix +++ b/home-manager/roles/mail.nix @@ -54,7 +54,7 @@ in { lib.mapAttrs' mkWatchService (lib.filterAttrs hasImapHost config.accounts.email.accounts) // { mbsync.Service = { - Environment = "PATH=${lib.makeBinPath [pkgs.pass pkgs.gnupg pkgs.coreutils]}"; + Environment = "PATH=${lib.makeBinPath [pkgs.rbw pkgs.gnupg pkgs.coreutils]}"; Restart = "on-failure"; RestartSec = "30s"; }; 
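Review bot: The mbsync unit's PATH now names `pkgs.rbw` directly, while mail2rss.nix, unlock.nix and vdirsyncer.nix in this commit go through `config.programs.rbw.package`; if the Home Manager rbw module is ever pointed at a different package, this unit would diverge from the rest, so `config.programs.rbw.package` keeps them aligned. `pkgs.gnupg` stays in the PATH although pass was the gpg consumer; if nothing else in the mbsync configuration needs it, it can be dropped. Presumably the unit's credential commands now call `rbw get`, which needs a reachable and unlocked rbw-agent — a timer-driven user service may fire while the vault is locked, which deserves a comment on the unit. The `mkWatchService` helper and the rest of the services attrset lie outside the hunk.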
@@ -127,7 +127,7 @@ in { ${move-message-macro "l" "Move/readlater" "readlater list"} macro attach 'V' "iconv -c --to-code=UTF8 > ~/.cache/mutt/mail.htmlfirefox ~/.cache/mutt/mail.html" - macro index,pager "${pkgs.zsh}/bin/zsh -c '${pkgs.sieve-connect}/bin/sieve-connect -s ${config.accounts.email.accounts.hera.imap.host or ""} -u ${config.accounts.email.accounts.hera.userName or ""} --passwordfd 3 --edit --remotesieve filter 3<<(pass eu/m-0/hera/mail.hera.m-0.eu/maralorn)'\n" + macro index,pager "${pkgs.zsh}/bin/zsh -c '${pkgs.sieve-connect}/bin/sieve-connect -s ${config.accounts.email.accounts.hera.imap.host or ""} -u ${config.accounts.email.accounts.hera.userName or ""} --passwordfd 3 --edit --remotesieve filter 3<<(cat /run/agenix/mail-password)'\n" macro index,pager A "${pkgs.khard}/bin/khard add-email" "add sender to to khard" set query_format="%4c %t %-70.70a %-70.70n %?e?(%e)?" diff --git a/home-manager/roles/mail2rss.nix b/home-manager/roles/mail2rss.nix index 7cb92100..3524801c 100644 --- a/home-manager/roles/mail2rss.nix +++ b/home-manager/roles/mail2rss.nix @@ -33,7 +33,7 @@ in { mail2rss = { Unit.Description = "Mail to rss exporter"; Service = { - Environment = "PATH=${lib.makeBinPath [pkgs.coreutils pkgs.pass]}"; + Environment = "PATH=${lib.makeBinPath [pkgs.coreutils config.programs.rbw.packages]}"; ExecStart = "${mail2rss}/bin/mail2rss"; Type = "oneshot"; }; diff --git a/home-manager/roles/pass-fzf.sh b/home-manager/roles/pass-fzf.sh deleted file mode 100644 index d2735d1a..00000000 --- a/home-manager/roles/pass-fzf.sh +++ /dev/null 
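Review bot: The sieve-connect macro now reads `/run/agenix/mail-password` directly as the logged-in user, so the agenix secret must be declared with an owner or mode that account can read, which this commit does not show; otherwise the macro hands sieve-connect an empty password. For a plain file, the `cat` inside a process substitution is more than needed — `3< /run/agenix/mail-password` should deliver the same bytes on fd 3 with fewer moving parts. The line is one entry in a mutt configuration string whose definition starts and ends outside the hunk.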
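Review bot: `config.programs.rbw.packages` on the new Environment line looks like a typo for `config.programs.rbw.package`, the spelling used by unlock.nix and vdirsyncer.nix in this commit and by the Home Manager rbw module; with the plural, evaluation should fail on a missing attribute. The corrected line is `Environment = "PATH=${lib.makeBinPath [pkgs.coreutils config.programs.rbw.package]}";`. `config` must also be among this module's arguments, which the hunk does not show.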
@@ -1,28 +0,0 @@ -#!/usr/bin/env bash - -## Adapted from https://gist.github.com/heywoodlh/4c1e27f477a896bc3b0f6d55e2748d26 - -## Assumes that the user is using otp plugin -## Install fzf and make sure pass is configured beforehand - -## If you want to grab the otp code, use like so: `pass-fzf.sh otp`, otherwise script will assume you want password - -cd ~/.password-store || exit - -if [[ $1 == 'otp' ]] -then - type="otp" -else - type="password" -fi - -selection="$(find -L . -name '*.gpg' | sed -e 's/.\///' -e 's/.gpg//' | fzf)" - -if [ ${type} == "otp" ] -then - pass otp "${selection}" -c - -else - pass "${selection}" -c -fi - diff --git a/home-manager/roles/tinkering.nix b/home-manager/roles/tinkering.nix index 10bdd3c7..d8ae0c7b 100644 --- a/home-manager/roles/tinkering.nix +++ b/home-manager/roles/tinkering.nix @@ -30,7 +30,7 @@ url: http://hackage.haskell.org/ username: maralorn - password-command: pass org/haskell/hackage.haskell.org/maralorn + password-command: rbw get hackage.haskell.org ''; }; } diff --git a/home-manager/roles/unlock.nix b/home-manager/roles/unlock.nix index f2d64ffd..d082252c 100644 --- a/home-manager/roles/unlock.nix +++ b/home-manager/roles/unlock.nix @@ -1,9 +1,13 @@ -{pkgs, ...}: let +{ + pkgs, + config, + ... +}: let makeUnlocker = { name, hostName, pubKey, - passPath, + passwordName, }: let knownHosts = pkgs.writeText "KnownBootHosts" "${hostName} ${pubKey}"; in 
@@ -16,14 +20,14 @@ done; echo echo "Ping successful; Entering disk encryption password" - ${pkgs.pass}/bin/pass ${passPath} | ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed" + ${config.programs.rbw.package}/bin/rbw get ${passwordName} | (ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed") ''; unlocker = [ { name = "hera"; hostName = "hera-v4"; pubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCHkqWlFLtmIlTSKahr2PcL++K75YgfsSU6jwVYW5df3JCkowu/M16SIBxABxYSQrKej5uIz/OFCjqSxHJQ8D5wSYBvn2gYr/BbBcz4rfIJmZ55Od2jckaqlj/M8TtkuPPhsQG7S730vXxK5hbMT8iW5WWv8sIKY/WtaRbZOFMX/53WCLEHtnMu5zFJFWf92+mjIHSLyW8ggl1m525RUiaAfCge2vnuzIFq4kUqJxaWzxIvEWIncKWN10K/HMvdI+yOtbSen41uKedwSFhUFs3xHy1mJddYOrlcJQPt5zuuffZ/nTDVXMZoh5QNwg8ZlkkueVChaS1Y5STjb7cem1Mt"; - passPath = "eu/m-0/hera.m-0.eu/disk"; + passwordName = "hera.m-0.eu disk"; } ]; in {config = {home.packages = map makeUnlocker unlocker;};} diff --git a/home-manager/roles/vdirsyncer.nix b/home-manager/roles/vdirsyncer.nix index b65b117d..69423c7f 100644 --- a/home-manager/roles/vdirsyncer.nix +++ b/home-manager/roles/vdirsyncer.nix @@ -48,7 +48,7 @@ if (type == "caldav") then { inherit username; - "password.fetch" = ["command" "${pkgs.pass}/bin/pass" passwordPath]; + "password.fetch" = ["command" (lib.getExe config.programs.rbw.package) passwordPath]; read_only = readOnly; } else {} diff --git a/home-manager/roles/zsh/zshrc b/home-manager/roles/zsh/zshrc index bb5d45f2..8f42fb02 100644 --- a/home-manager/roles/zsh/zshrc +++ b/home-manager/roles/zsh/zshrc 
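Review bot: The rewritten pipeline hides a failed `rbw get`: when the vault is locked or the entry is missing, rbw's status vanishes behind the subshell's `&& … || …`, cryptsetup-askpass receives empty input, and the script reports an unlocking failure that conceals the real cause. Fetching first, `pw=$(${config.programs.rbw.package}/bin/rbw get ${passwordName}) || exit 1`, and then piping `printf '%s\n' "$pw"` into ssh keeps the error visible; `set -o pipefail` at the top of the script is the lighter alternative. Note also that `passwordName = "hera.m-0.eu disk"` only reaches rbw as name plus user because the interpolation is unquoted and word-split by the shell — two attributes such as `entry` and `user` would make that explicit instead of relying on the space. The script body begins before this hunk.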
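Review bot: The new `password.fetch` command invokes the rbw binary with `passwordPath` as its only argument and no `get` subcommand, unlike tinkering.nix and unlock.nix in this commit, so vdirsyncer would run `rbw <passwordPath>` rather than `rbw get <passwordPath>`; `["command" (lib.getExe config.programs.rbw.package) "get" passwordPath]` matches the other call sites. The `passwordPath` values are assigned outside this hunk and, judging by the name, still follow pass-store paths, so they need to match rbw entry names after the migration. `lib` and `config` must both be module arguments here, which the hunk does not show.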
@@ -41,7 +41,8 @@ alias nixpkgs-review-pr-remote='nixpkgs-review pr --build-args "--builders @$(bu alias nixpkgs-review-rev-remote='nixpkgs-review rev --build-args "--builders @$(builders-configurator --force)"' alias accounting='f() { if [[ "$1" == "" ]]; then year="buchhaltung" else year="$1" fi; hledger -f ~/git/buchhaltung/$year.journal ui -- --watch --theme=terminal -X€ -t -E}; f' alias o=xdg-open -alias s='sudo systemctl' +alias sudo='sudo -A' +alias s='sudo -A systemctl' alias g='lazygit' alias u='systemctl --user' alias m=man diff --git a/nixos/machines/fluffy/configuration.nix b/nixos/machines/fluffy/configuration.nix index f83bb4fb..7665e45e 100644 --- a/nixos/machines/fluffy/configuration.nix +++ b/nixos/machines/fluffy/configuration.nix @@ -15,6 +15,7 @@ in { ../../roles/fonts.nix ../../roles/metal.nix ../../roles/standalone + ../../roles/server ./hardware-configuration.nix ]; diff --git a/nixos/machines/hera/configuration.nix b/nixos/machines/hera/configuration.nix index ac3362fd..c523bee6 100644 --- a/nixos/machines/hera/configuration.nix +++ b/nixos/machines/hera/configuration.nix @@ -28,6 +28,7 @@ in { ../../roles/miniflux.nix ../../roles/monitoring ../../roles/nixpkgs-bot.nix + ../../roles/server ../../roles/server/init_ssh.nix ../../roles/standalone ../../roles/unbound.nix diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 28e67d4c..d73345b6 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -19,8 +19,6 @@ in { time.timeZone = "Europe/Berlin"; - security.sudo.wheelNeedsPassword = false; # If my user account is pwned all is lost anyway. - networking = { resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots firewall = { diff --git a/nixos/roles/server/default.nix b/nixos/roles/server/default.nix new file mode 100644 index 00000000..af947a8f --- /dev/null +++ b/nixos/roles/server/default.nix @@ -0,0 +1,3 @@ +{ + security.sudo.wheelNeedsPassword = false; +} 
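Review bot: `alias sudo='sudo -A'` makes every interactive sudo depend on an askpass helper: with `-A`, sudo exits with an error unless `SUDO_ASKPASS` is set or an askpass path is configured, and this commit removes `wheelNeedsPassword = false` from the shared NixOS role without showing where that helper is set. Either export `SUDO_ASKPASS` in the same environment that sources this zshrc or record the assumption next to the alias, e.g. `# -A: prompt through the askpass helper configured via SUDO_ASKPASS`. Since zsh rescans an alias's expansion for further aliases, `alias s='sudo systemctl'` should already pick up `-A` from the sudo alias, so the repeated flag on the following line is a matter of taste.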
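Review bot: The `wheelNeedsPassword = false` line lost the rationale comment it carried in nixos/roles/default.nix (`# If my user account is pwned all is lost anyway.`) when it moved into the new server role, and the new file has no comment explaining why servers keep passwordless wheel while the shared role now requires a password. Restoring the comment, adjusted for its narrower scope, e.g. `security.sudo.wheelNeedsPassword = false; # servers only: the admin account owns the box anyway; desktops prompt via sudo -A`, keeps the decision reviewable. Both fluffy and hera import this role in the same commit, so the relaxation applies to both hosts.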
diff --git a/overlays/update-system.nix b/overlays/update-system.nix index 89f9e0a1..e3c55f99 100644 --- a/overlays/update-system.nix +++ b/overlays/update-system.nix @@ -86,7 +86,7 @@ final: _: let output=$(nom build --builders @$(builders-configurator) $HOME/git/config#nixosConfigurations.$host.config.system.build.toplevel --no-link --print-out-paths) if [[ -z "$remote_host" ]]; then on_target() { - /run/wrappers/bin/sudo $@ + /run/wrappers/bin/sudo -A $@ } else on_target() {
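Review bot: The local `on_target` still passes `$@` unquoted to `/run/wrappers/bin/sudo -A`, so arguments containing spaces are re-split before sudo sees them; `"$@"` preserves them as given. `-A` also makes the local branch of this updater require an askpass helper (`SUDO_ASKPASS` or a configured askpass path), which nothing in the commit sets up and which deserves a one-line comment such as `# -A: use the askpass helper; wheel needs a password outside the server role`. The remote `on_target` body and the rest of this script lie outside the hunk.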