diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index a33ac23d..b2198d15 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -9,7 +9,7 @@
   i18n.defaultLocale = "en_US.UTF-8";
 
   # For nixos-rebuild
-  nixpkgs.overlays = import ../../overlays { inherit lib; };
+  nixpkgs.overlays = [ (_: _: { withSecrets = false; }) ] ++ import ../../overlays { inherit lib; };
 
   time.timeZone = "Europe/Berlin";
 
diff --git a/nixos/target.nix b/nixos/target.nix
new file mode 100644
index 00000000..d8d1edb4
--- /dev/null
+++ b/nixos/target.nix
@@ -0,0 +1,15 @@
+{ withSecrets ? false }:
+let
+  sources = import ../nix/sources.nix;
+  inherit (import sources.nixpkgs { }) lib pkgs;
+  machines = lib.attrNames (builtins.readDir ./machines);
+  getConfig = hostname:
+    args:
+    import (./machines + "/${hostname}/configuration.nix") (args // {
+      bla = "fünf";
+    });
+in lib.listToAttrs (map (hostname: {
+  name = hostname;
+  value =
+    (import <nixpkgs/nixos> { configuration = getConfig hostname; }).system;
+}) machines)
diff --git a/overlays/private.nix b/overlays/private.nix
index daf2dcf9..d33a56da 100644
--- a/overlays/private.nix
+++ b/overlays/private.nix
@@ -1,8 +1,14 @@
-final: prec: {
-  withSecrets = let val = builtins.pathExists ../private/submodule-is-checked-out;
-  in builtins.trace
-  (if val then "Building _with_ secrets!" else "Building _without_ secrets!")
-  val;
+final: prev:
+let
+#  val = if prev.withSecrets then
+#    assert builtins.pathExists ../private/submodule-is-checked-out; true
+#  else
+#    false;
+val = builtins.pathExists ../private/submodule-is-checked-out;
+in {
+  withSecrets = builtins.trace
+    (if val then "Building _with_ secrets!" else "Building _without_ secrets!")
+    val;
   privatePath = name:
     let path = "/etc/nixos/private/${name}";
     in if final.withSecrets then
@@ -12,5 +18,8 @@ final: prec: {
   privateValue = default: name:
     if final.withSecrets then import (../private + "/${name}.nix") else default;
   privateFile = name:
-    if final.withSecrets then ../private + "/${name}" else builtins.toFile "missing-secret-file-${name}" "";
+    if final.withSecrets then
+      ../private + "/${name}"
+    else
+      builtins.toFile "missing-secret-file-${name}" "";
 }