diff --git a/flake.nix b/flake.nix
index 0a37437..ad6e717 100644
--- a/flake.nix
+++ b/flake.nix
@@ -70,8 +70,8 @@
 ./flake/dev-shell.nix
 ./flake/formatter.nix
 ./flake/hosts.nix
- ./flake/install-anywhere.nix
 ./flake/modules.nix
+ ./flake/scripts.nix
 ./flake/sops.nix
 ];
 };
diff --git a/flake/scripts.nix b/flake/scripts.nix
new file mode 100644
index 0000000..6d464ab
--- /dev/null
+++ b/flake/scripts.nix
@@ -0,0 +1,50 @@
+_: {
+ perSystem =
+ { pkgs, ... }:
+ {
+ packages.provision-keys = pkgs.writeShellApplication {
+ name = "provision-keys";
+
+ runtimeInputs = [
+ pkgs.sops
+ pkgs.ssh-to-age
+
+ pkgs.bitwarden-cli
+ pkgs.jq
+ ];
+
+ excludeShellChecks = [ "SC2155" ];
+
+ text = ''
+ if [[ $# -ne 1 ]]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+
+ host="$1"
+
+ impermanence=$(nixos-option --flake ".#$host" custom.impermanence.enable | awk '/^Value:/ {getline; print $1}')
+
+ if [ "$impermanence" = "true" ]; then
+ root="/tmp/anywhere/$host/persist"
+ else
+ root="/tmp/anywhere/$host"
+ fi
+
+ mkdir --parents "$root/etc/ssh"
+ ssh-keygen -C "root@$host" -f "$root/etc/ssh/ssh_host_ed25519_key" -N "" -q
+
+ new_age_key=$(ssh-to-age -i "$root/etc/ssh/ssh_host_ed25519_key.pub")
+
+ # Replace old age key with new age key
+ sed -i -E "s|(agePublicKey\s*=\s*\")[^\"]*(\";)|\1$new_age_key\2|" "hosts/$host/default.nix"
+
+ export BW_SESSION=$(bw login | awk -F'"' '/export BW_SESSION/ {print $2}')
+ export SOPS_AGE_KEY=$(bw get item 'admin age-key' | jq -r '.notes')
+ export SOPS_CONFIG=$(nix build .#sops-config --print-out-paths)
+
+ sops updatekeys --yes "hosts/$host/secrets.json"
+ '';
+ };
+ };
+}
diff --git a/justfile b/justfile
index 304a8c7..76c69df 100644
--- a/justfile
+++ b/justfile
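Review bot: `./flake/install-anywhere.nix` is dropped from the module list, but no deletion of that file is visible in this diff; if the file is still in the tree it becomes dead, unreferenced code and should be removed in the same commit (ignore if it is deleted in a part of the change not shown here). The enclosing attribute set this list belongs to starts outside the hunk.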
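Review bot: The target's long-term SSH host private key is generated under the predictable, shared `/tmp/anywhere/$host` tree, which `mkdir --parents` creates with the caller's default umask and silently reuses if `/tmp/anywhere` already exists and belongs to another local user, and nothing removes it after the justfile's `install` recipe has copied it with `--extra-files`. Put `umask 077` before the `mkdir` so the whole tree is created mode 0700 (the key file itself is already 0600 from ssh-keygen), and either add a cleanup step to the `install` recipe in justfile or move both the script and the recipe to a `mktemp -d` path. Separately, excluding SC2155 hides that `export BW_SESSION=$(bw login | …)` and the two exports after it mask the command's exit status, so under writeShellApplication's errexit a failed `bw login` or `bw get item` continues with an empty `SOPS_AGE_KEY` after `sed` has already rewritten `hosts/$host/default.nix`; split each into assignment plus `export` as below and drop the exclusion. Rerunning the script for the same host also runs into ssh-keygen's overwrite confirmation on the existing key file, so either remove `$root/etc/ssh/ssh_host_ed25519_key` first or guard the call. `runtimeInputs` omits the packages providing `ssh-keygen`, `nixos-option`, `awk` and `sed` (e.g. `pkgs.openssh`, `pkgs.nixos-option`), so those currently depend on the caller's PATH.
```nix
        text = ''
          # … unchanged: usage check, host, impermanence lookup, root selection …
          umask 077
          mkdir --parents "$root/etc/ssh"
          # … unchanged: ssh-keygen, ssh-to-age, sed …
          BW_SESSION=$(bw login | awk -F'"' '/export BW_SESSION/ {print $2}')
          export BW_SESSION
          SOPS_AGE_KEY=$(bw get item 'admin age-key' | jq -r '.notes')
          export SOPS_AGE_KEY
          SOPS_CONFIG=$(nix build .#sops-config --print-out-paths)
          export SOPS_CONFIG
          # … unchanged: sops updatekeys …
```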
@@ -20,7 +20,8 @@ deploy +hosts:
 deploy --skip-checks --targets $(echo {{ hosts }} | sed 's/[^ ]*/\.#&/g')
 install host destination='root@installer':
- nix run github:nix-community/nixos-anywhere -- --extra-files ~/.ssh/{{ host }} --flake .#{{ host }} --target-host {{ destination }}
+ nix run .#provision-keys -- {{ host }}
+ nix run github:nix-community/nixos-anywhere -- --extra-files /tmp/anywhere/{{ host }} --flake .#{{ host }} --target-host {{ destination }}
 repair:
 nix-store --verify --check-contents --repair