diff --git a/hosts/gerrit01/default.nix b/hosts/gerrit01/default.nix
index fed45ab..004f0e5 100755
--- a/hosts/gerrit01/default.nix
+++ b/hosts/gerrit01/default.nix
@@ -121,7 +121,7 @@
     };
   };
 
-  age.secrets.s3-channel-staging-keys.file = ../../secrets/s3-channel-staging-keys.age;
+  age.secrets.s3-channel-staging-keys.file = ../../secrets/floral/s3-channel-staging-keys.age;
   bagel.nixpkgs.channel-scripts = {
     enable = true;
     otlp.enable = true;
diff --git a/services/gerrit/default.nix b/services/gerrit/default.nix
index d450566..1be0e22 100644
--- a/services/gerrit/default.nix
+++ b/services/gerrit/default.nix
@@ -326,7 +326,7 @@ in
       };
     };
 
-    age.secrets.gerrit-prometheus-bearer-token.file = ../../secrets/gerrit-prometheus-bearer-token.age;
+    age.secrets.gerrit-prometheus-bearer-token.file = ../../secrets/floral/gerrit-prometheus-bearer-token.age;
     bagel.monitoring.grafana-agent.exporters.gerrit = {
       port = 4778;  # grrt
       bearerTokenFile = config.age.secrets.gerrit-prometheus-bearer-token.path;
diff --git a/services/monitoring/lgtm/grafana.nix b/services/monitoring/lgtm/grafana.nix
index 9688a5e..bcd2e90 100644
--- a/services/monitoring/lgtm/grafana.nix
+++ b/services/monitoring/lgtm/grafana.nix
@@ -17,7 +17,7 @@ in
 
   config = mkIf cfg.enable {
     age.secrets.grafana-oauth-secret = {
-      file = ../../../secrets/grafana-oauth-secret.age;
+      file = ../../../secrets/floral/grafana-oauth-secret.age;
       owner = "grafana";
     };
 
diff --git a/services/monitoring/lgtm/loki.nix b/services/monitoring/lgtm/loki.nix
index dfe6931..8232263 100644
--- a/services/monitoring/lgtm/loki.nix
+++ b/services/monitoring/lgtm/loki.nix
@@ -13,10 +13,10 @@ in
   config = mkIf cfg.enable {
     age.secrets = {
       metrics-push-htpasswd = {
-        file = ../../../secrets/metrics-push-htpasswd.age;
+        file = ../../../secrets/floral/metrics-push-htpasswd.age;
         owner = "nginx";
       };
-      loki-environment.file = ../../../secrets/loki-environment.age;
+      loki-environment.file = ../../../secrets/floral/loki-environment.age;
     };
 
     services.loki = {
diff --git a/services/monitoring/lgtm/mimir.nix b/services/monitoring/lgtm/mimir.nix
index 8f571da..3c771c5 100644
--- a/services/monitoring/lgtm/mimir.nix
+++ b/services/monitoring/lgtm/mimir.nix
@@ -16,11 +16,11 @@ in
   config = mkIf cfg.enable {
     age.secrets = {
       metrics-push-htpasswd = {
-        file = ../../../secrets/metrics-push-htpasswd.age;
+        file = ../../../secrets/floral/metrics-push-htpasswd.age;
         owner = "nginx";
       };
-      mimir-environment.file = ../../../secrets/mimir-environment.age;
-      mimir-webhook-url.file = ../../../secrets/mimir-webhook-url.age;
+      mimir-environment.file = ../../../secrets/floral/mimir-environment.age;
+      mimir-webhook-url.file = ../../../secrets/floral/mimir-webhook-url.age;
     };
 
     services.mimir = {
diff --git a/services/monitoring/lgtm/tempo.nix b/services/monitoring/lgtm/tempo.nix
index 3f7da98..afe8d25 100644
--- a/services/monitoring/lgtm/tempo.nix
+++ b/services/monitoring/lgtm/tempo.nix
@@ -13,10 +13,10 @@ in
   config = mkIf cfg.enable {
     age.secrets = {
       metrics-push-htpasswd = {
-        file = ../../../secrets/metrics-push-htpasswd.age;
+        file = ../../../secrets/floral/metrics-push-htpasswd.age;
         owner = "nginx";
       };
-      tempo-environment.file = ../../../secrets/tempo-environment.age;
+      tempo-environment.file = ../../../secrets/floral/tempo-environment.age;
     };
 
     services.tempo = {
diff --git a/services/netbox/default.nix b/services/netbox/default.nix
index 2ba6c67..24bb99c 100644
--- a/services/netbox/default.nix
+++ b/services/netbox/default.nix
@@ -20,7 +20,7 @@ in
   };
 
   config = mkIf cfg.enable {
-    age.secrets.netbox-environment.file = ../../secrets/netbox-environment.age;
+    age.secrets.netbox-environment.file = ../../secrets/floral/netbox-environment.age;
     services = {
       netbox = {
         enable = true;
diff --git a/services/s3-revproxy/default.nix b/services/s3-revproxy/default.nix
index cbc8345..aea9967 100644
--- a/services/s3-revproxy/default.nix
+++ b/services/s3-revproxy/default.nix
@@ -70,7 +70,7 @@ in
   ];
 
   config = mkIf cfg.enable {
-    age.secrets.s3-revproxy-api-keys.file = ../../secrets/s3-revproxy-api-keys.age;
+    age.secrets.s3-revproxy-api-keys.file = ../../secrets/floral/s3-revproxy-api-keys.age;
     # For each target, generate an entry that passes it to the s3-revproxy.
     services.nginx.virtualHosts = mapAttrs' (subdomain: _: nameValuePair "${subdomain}.${cfg.domain}" (mkProxiedSubdomain subdomain)) cfg.targets;
     # this solves garage supporting neither anonymous access nor automatic
diff --git a/services/uptime-kuma/default.nix b/services/uptime-kuma/default.nix
index 79a7735..2b5b043 100644
--- a/services/uptime-kuma/default.nix
+++ b/services/uptime-kuma/default.nix
@@ -59,7 +59,7 @@ in
       443
     ];
 
-    age.secrets.stateless-uptime-kuma-password.file = ../../secrets/stateless-uptime-kuma-password.age;
+    age.secrets.stateless-uptime-kuma-password.file = ../../secrets/floral/stateless-uptime-kuma-password.age;
     statelessUptimeKuma = {
       probesConfig = {
         monitors = lib.genAttrs subdomains (name: {