diff --git a/hosts/patricknix/default.nix b/hosts/patricknix/default.nix
index 2354537..962b44d 100644
--- a/hosts/patricknix/default.nix
+++ b/hosts/patricknix/default.nix
@@ -11,6 +11,7 @@
 ../../modules/optional/xserver.nix
 ../../modules/optional/wayland.nix
+ ../../modules/optional/secureboot.nix
 ../../modules/hardware/bluetooth.nix
 ../../modules/hardware/laptop.nix
diff --git a/hosts/patricknix/secrets/secureboot.tar.age b/hosts/patricknix/secrets/secureboot.tar.age
new file mode 100644
index 0000000..f0b9ac0
Binary files /dev/null and b/hosts/patricknix/secrets/secureboot.tar.age differ
diff --git a/modules/impermanence/default.nix b/modules/impermanence/default.nix
index 600e2ad..89274db 100644
--- a/modules/impermanence/default.nix
+++ b/modules/impermanence/default.nix
@@ -18,10 +18,13 @@
 ];
 directories = [
- "/var/tmp/agenix-rekey"
 "/var/log"
 "/var/lib/systemd"
 "/var/lib/nixos"
+ {
+ directory = "/var/tmp/agenix-rekey";
+ mode = "0777";
+ }
 ] ++ lib.lists.optionals config.hardware.bluetooth.enable [
 "/var/lib/bluetooth"
diff --git a/modules/optional/secureboot.nix b/modules/optional/secureboot.nix
index 6136158..b60f42d 100644
--- a/modules/optional/secureboot.nix
+++ b/modules/optional/secureboot.nix
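Review bot: `mode = "0777"` on the new persisted `/var/tmp/agenix-rekey` entry makes the directory world-writable without the sticky bit, so any local user can delete or rename entries placed there by root or by other users, not only their own. If the directory is meant as shared scratch in the style of /tmp, `mode = "1777";` keeps it world-writable while limiting removal to the entry's owner; if only root or a single service writes there, a narrower mode together with `user`/`group` on the same attribute set would be tighter still. Whichever is chosen, a one-line comment above the entry stating why the default directory permissions are not enough would help, since the plain string form it replaces gave no hint that wider access is needed. The `directories` list continues past the hunk (`] ++ lib.lists.optionals …`).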
@@ -4,6 +4,30 @@
 config,
 ...
 }: {
+ # HOW TO: Add secureboot to new systems
+ # generate keys with `sbct create-keys'
+ # tar the resulting folder using
+ # `tar cvf secureboot.tar -C /etc/secureboot .
+ # Copy the tar to local using scp
+ # and encrypt it using rage
+ # safe the encrypted archive to hosts//secrets/secureboot.tar.age
+ # DO NOT forget to delete the unecrypted archives
+ # link /run/secureboot to /etc/secureboot
+ # This is necesarry since for the first
+ # apply the rekeyed keys are not yet available but needed for
+ # signing the boot files
+ # ensure the boot files are signed using
+ # `sbctl verify'
+ # Now reboot the computer into BIOS and
+ # enable secureboot, this may include
+ # removing old keys
+ # bootctl should now read
+ # `Secure Boot: disabled (setup)'
+ # you can now enroll your secureboot keys using
+ # `sbctl enroll-keys`
+ # If you want to be able to boot microsoft signed images append
+ # `--microsoft`
+ # Time to reboot and pray
 environment.systemPackages = [
 # For debugging and troubleshooting Secure Boot.
 (pkgs.sbctl.override
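Review bot: The second line of the new HOW-TO comment names the tool as `sbct` while every later step uses `sbctl`, so a reader following it verbatim will hit a command-not-found on the very first step; it should read `sbctl create-keys`. The destination path `hosts//secrets/secureboot.tar.age` on the seventh comment line has an empty path component, which looks like a lost host-name placeholder (possibly stripped as markup) and is better written as `hosts/<hostname>/secrets/secureboot.tar.age`. The command quoting mixes a backtick-plus-apostrophe pair with a backtick pair; picking one form throughout, and fixing "safe" to "save", "unecrypted" to "unencrypted" and "necesarry" to "necessary", would make the procedure easier to follow. The "encrypt it using rage" step does not say which recipient key the archive must be encrypted to; given the `.age` file committed alongside this change it is presumably the host's agenix-rekey recipient, and naming that explicitly would prevent a new host being encrypted to the wrong key. Since the keys are private signing material, the deletion step might also mention removing the scp'd copy on the local machine, not just the archive on the host.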