diff --git a/apps/renc.nix b/apps/renc.nix
index e9bb708..78096fc 100644
--- a/apps/renc.nix
+++ b/apps/renc.nix
@@ -7,7 +7,7 @@
 }:
 let
 inherit (pkgs) writeShellScriptBin;
- inherit (pkgs.lib) concatStringsSep traceVal;
+ inherit (pkgs.lib) concatStringsSep;
 inherit (builtins) attrValues;
 
 vaultixs = map (n: n.config.vaultix) (attrValues nodes);
@@ -19,9 +19,9 @@ writeShellScriptBin "renc" (
 map (
 n:
 let
- a = (pkgs.formats.toml { }).generate "secretsMetadata" n;
+ profile = (pkgs.formats.toml { }).generate "secretsMetadata" n;
 in
- "${bin} ${a} renc"
+ "${bin} ${profile} renc"
 ) vaultixs
 )
 )
diff --git a/module/default.nix b/module/default.nix
index dd768b3..a827169 100644
--- a/module/default.nix
+++ b/module/default.nix
@@ -13,6 +13,7 @@ let
 isAttrs
 isPath
 readFile
+ mkPackageOption
 literalExpression
 mkEnableOption
 mkIf
@@ -310,6 +311,8 @@ in
 
 {
 options.vaultix = {
+ package = mkPackageOption pkgs "vaultix" { };
+
 settings = mkOption {
 type = settingsType;
 default = { };
@@ -330,9 +333,21 @@ in
 
 config =
 let
- secretsMetadata = (pkgs.formats.toml { }).generate "secretsMetadata" (cfg);
+ profile = (pkgs.formats.toml { }).generate "secretsMetadata" (cfg);
 in
 mkIf (sysusers && storageExist) {
- test = secretsMetadata;
+ test = profile;
+
+ systemd.services.agenix-install-secrets = {
+ wantedBy = [ "sysinit.target" ];
+ after = [ "systemd-sysusers.service" ];
+ unitConfig.DefaultDependencies = "no";
+
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${lib.getExe cfg.package} ${profile} deploy";
+ RemainAfterExit = true;
+ };
+ };
 };
 }
diff --git a/src/cmd/deploy.rs b/src/cmd/deploy.rs
index d79d822..56e79f7 100644
--- a/src/cmd/deploy.rs
+++ b/src/cmd/deploy.rs
@@ -164,7 +164,6 @@ impl Profile {
 file
 };
 
- // TODO: permission and so on
 the_file
 .write_all(&decrypted)
 .expect("write decrypted file error")
diff --git a/test/default.nix b/test/default.nix
index cc283df..3d28476 100644
--- a/test/default.nix
+++ b/test/default.nix
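Review bot: `package = mkPackageOption pkgs "vaultix" { };` in the module/default.nix options hunk defaults to `pkgs.vaultix`, which exists only when the flake's overlay is applied (the test/default.nix hunk adds `self.overlays.default` for exactly that reason), so a consumer that imports this module without the overlay fails at evaluation as soon as `cfg.package` is read in the config block. That requirement is stated nowhere in the module. A comment on the option such as `# Default resolves pkgs.vaultix; consumers must apply self.overlays.default` would make it visible, or the same sentence could go into the option description through mkPackageOption's `extraDescription` attribute if the pinned nixpkgs provides it.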
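Review bot: `systemd.services.agenix-install-secrets` in the last module/default.nix hunk declares `after = [ "systemd-sysusers.service" ]` but no `before`, and with `unitConfig.DefaultDependencies = "no"` it also gives up the implicit `local-fs.target` ordering, so nothing guarantees that secrets are deployed before the units that consume them or that the storage checked by `storageExist` is mounted when `deploy` runs. `before = [ "sysinit.target" ]` together with `after = [ "systemd-sysusers.service" "local-fs.target" ]` would restore that guarantee, on the assumption (to confirm) that every consumer is ordered after sysinit.target. The unit name refers to agenix rather than vaultix and will collide with or mislead about an agenix module on the same host; `vaultix-install-secrets` is clearer. `${profile}` is a world-readable /nix/store path rendered from `cfg`, so the generated TOML must carry only metadata and never key material; a one-line comment at the `profile` binding stating that invariant would help reviewers. The deploy step this unit runs writes decrypted files, and the src/cmd/deploy.rs hunk removes `// TODO: permission and so on` without any mode handling visible in that hunk, so confirm the file is created with a restrictive mode before relying on this unit.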
@@ -22,6 +22,11 @@
 specialArgs = {
 inherit self;
 };
+ pkgs = import inputs.nixpkgs {
+ inherit system;
+ config = { };
+ overlays = [ self.overlays.default ];
+ };
 modules = [
 ./configuration.nix
 ./UEFI
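Review bot: the explicit `pkgs = import inputs.nixpkgs { ... }` bypasses the NixOS `nixpkgs.*` options, so any module listed under `modules` that sets `nixpkgs.overlays` or `nixpkgs.config` will not affect this package set, and NixOS may warn or error when both are supplied — worth confirming against the pinned nixpkgs. That is acceptable for a test harness but deserves a one-line comment, e.g. `# explicit pkgs so that pkgs.vaultix resolves via self.overlays.default`. `inputs` and `system` are used without being bound in the hunk; the enclosing expression starts outside it.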