diff --git a/systems/etna/default.nix b/systems/etna/default.nix index 27252fb..01debe9 100644 --- a/systems/etna/default.nix +++ b/systems/etna/default.nix @@ -10,7 +10,7 @@ mkSecrets = builtins.mapAttrs (name: value: value // {file = "${secretsPath}/${name}.age";}); mkSecret = name: other: mkSecrets {${name} = other;}; - fudgeMyShitIn = builtins.map (file: import file (args // {inherit mkSecret;})); + fudgeMyShitIn = builtins.map (file: import file (args // {inherit mkSecret mkSecrets;})); in { imports = [ @@ -21,12 +21,12 @@ in { ./attic.nix ./dendrite.nix ./nextcloud.nix + ./reposilite.nix + ./uku.nix + ./vaultwarden.nix ]; age.secrets = mkSecrets { - apiRsEnv = {}; - ukubotRsEnv = {}; - tunnelCreds = { owner = "cloudflared"; group = "cloudflared"; @@ -36,42 +36,12 @@ in { boot.loader.systemd-boot.enable = true; services = { - api-rs = { - enable = true; - environmentFile = config.age.secrets.apiRsEnv.path; - }; - - ukubot-rs = { - enable = true; - environmentFile = config.age.secrets.ukubotRsEnv.path; - }; - - reposilite.enable = true; - tailscale.extraUpFlags = ["--advertise-exit-node"]; - vaultwarden = { - enable = true; - config = { - DOMAIN = "https://bw.uku3lig.net"; - SIGNUPS_ALLOWED = false; - - ROCKET_ADDRESS = "::1"; - ROCKET_PORT = 8222; - }; - }; - cloudflared = { enable = true; tunnels.${tunnelId} = { credentialsFile = config.age.secrets.tunnelCreds.path; - - ingress = { - "api.uku3lig.net" = "http://localhost:5000"; - "bw.uku3lig.net" = "http://localhost:8222"; - "maven.uku3lig.net" = "http://localhost:8080"; - }; - default = "http_status:404"; }; }; diff --git a/systems/etna/reposilite.nix b/systems/etna/reposilite.nix new file mode 100644 index 0000000..dbe37ae --- /dev/null +++ b/systems/etna/reposilite.nix @@ -0,0 +1,6 @@ +{...}: { + cfTunnels."maven.uku3lig.net" = "http://localhost:8080"; + + # see exprs/reposilite/module.nix + services.reposilite.enable = true; +} 
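Review bot: With the `ingress` attrset removed from `tunnels.${tunnelId}` in the last hunk of default.nix, this file no longer shows which hostnames the tunnel publishes; they are now spread over the `cfTunnels` assignments in reposilite.nix, uku.nix and vaultwarden.nix. The `cfTunnels` option is not declared anywhere in this diff, so presumably a module elsewhere folds it into this tunnel's ingress, which is worth confirming against `tunnelId`. I would add a comment above `credentialsFile`, e.g. `# ingress rules are contributed via cfTunnels.* by the imported service modules`, so an audit of what is publicly reachable starts in the right place. The `services` block begins and ends outside the hunk.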
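Review bot: `cfTunnels."maven.uku3lig.net"` in reposilite.nix publishes port 8080, but nothing in the file pins the address or port Reposilite actually listens on. Both presumably come from the custom module named in the comment (exprs/reposilite/module.nix), which is not part of this diff. If that module exposes a port or bind-address option, derive the tunnel URL from it so the two cannot drift. Also confirm the service binds to loopback only, so the tunnel is its sole public path, as vaultwarden.nix does explicitly with `ROCKET_ADDRESS = "::1"`. The same applies to `api-rs` and port 5000 in uku.nix; in both files a one-line comment saying where the port number comes from would be enough if no option exists.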
diff --git a/systems/etna/uku.nix b/systems/etna/uku.nix
new file mode 100644
index 0000000..6bba494
--- /dev/null
+++ b/systems/etna/uku.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ mkSecrets,
+ ...
+}: {
+ age.secrets = mkSecrets {
+ apiRsEnv = {};
+ ukubotRsEnv = {};
+ };
+
+ cfTunnels."api.uku3lig.net" = "http://localhost:5000";
+
+ services = {
+ api-rs = {
+ enable = true;
+ environmentFile = config.age.secrets.apiRsEnv.path;
+ };
+
+ ukubot-rs = {
+ enable = true;
+ environmentFile = config.age.secrets.ukubotRsEnv.path;
+ };
+ };
+}
diff --git a/systems/etna/vaultwarden.nix b/systems/etna/vaultwarden.nix
new file mode 100644
index 0000000..88d6cdd
--- /dev/null
+++ b/systems/etna/vaultwarden.nix
@@ -0,0 +1,14 @@
+{...}: {
+ cfTunnels."bw.uku3lig.net" = "http://localhost:8222";
+
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ DOMAIN = "https://bw.uku3lig.net";
+ SIGNUPS_ALLOWED = false;
+
+ ROCKET_ADDRESS = "::1";
+ ROCKET_PORT = 8222;
+ };
+ };
+}
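Review bot: In vaultwarden.nix the tunnel target `http://localhost:8222` and the listener (`ROCKET_ADDRESS = "::1"`, `ROCKET_PORT = 8222`) are stated independently. The route therefore only works while `localhost` resolves to `::1` on this host and the port literal is kept in sync by hand. Now that both live in one file, I would change the argument set to `{config, ...}:` and write `cfTunnels."bw.uku3lig.net" = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}";`. That keeps the password manager's only exposed path tied to the loopback listener it is meant to reach.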