diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..2b99e88
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,6 @@
+{ pkgs ? import {} }:
+rec {
+ age-nix = pkgs.writeScriptBin "age-nix" ''
+ exit 0
+ '';
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..b25719a
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,18 @@
+{
+ description = "Secret management with age";
+ outputs = { self, nixpkgs }: let
+ systems = [
+ "x86_64-linux"
+ "i686-linux"
+ "x86_64-darwin"
+ "aarch64-linux"
+ "armv6l-linux"
+ "armv7l-linux"
+ ];
+ forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
+ in {
+ nixosModules.age = import ./modules/age.nix;
+ # packages = forAllSystems (system: nixpkgs.legacyPackages.${system}.callPackage ./default.nix {});
+# defaultPackage = forAllSystems (system: self.packages.${system}.age-nix); #
+ };
+}
diff --git a/modules/age.nix b/modules/age.nix
index c03c227..c9b5afb 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -8,13 +8,14 @@ let
 identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
 installSecret = secretType: ''
- TMP_DIR=$(mktemp -d)
- TMP_FILE="$TMP_DIR/file"
+ TMP_FILE="${secretType.path}.tmp"
 (umask 0400; ${pkgs.age}/bin/age --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
- install -o '${secretType.owner}' -g '${secretType.group}' -m '${secretType.mode}' "$TMP_FILE" '${secretType.path}'
- rm -rf "$TMP_DIR"
+ chmod ${secretType.mode} "$TMP_FILE"
+ chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
+ mv -f "$TMP_FILE" '${secretType.path}'
+
 '';
- installAllSecrets = builtins.concatStringsSep (map installSecret (builtins.attrValues cfg.secrets));
+ installAllSecrets = builtins.concatStringsSep "\n" (map installSecret (builtins.attrValues cfg.secrets));
 secretType = types.submodule ({ config, ... }: {
 options = {
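Review bot: `{ pkgs ? import {} }:` passes no path to `import`, which is not valid Nix as rendered here; if a `<nixpkgs>` lookup path was present in the original and lost in rendering, disregard this sentence. The `age-nix` stub is built with `pkgs.writeScriptBin`, which writes the text verbatim, so the resulting file has no interpreter line above `exit 0`; `pkgs.writeShellScriptBin "age-nix" ''exit 0''` would prepend the shell shebang and also run the script through a syntax check at build time. The `rec { … }` wrapper is unnecessary while the set has a single attribute that nothing else references.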
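Review bot: `outputs = { self, nixpkgs }:` names a `nixpkgs` input that the flake never declares, so it is resolved from whatever flake registry the evaluating machine has rather than being pinned by this file; adding `inputs.nixpkgs.url = "github:NixOS/nixpkgs/<branch-of-your-choice>";` above `outputs` makes the dependency explicit and lets `flake.lock` record it. `systems` and `forAllSystems` are consumed only by the two commented-out `packages`/`defaultPackage` lines, so as committed the flake exposes `nixosModules.age` and nothing else, and `default.nix` is unreachable from it. The second commented line also differs from the first in that it starts at the `+#` column with a stray trailing `#`, which reads as a leftover from editing rather than a deliberate comment.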
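Review bot: `TMP_FILE="${secretType.path}.tmp"` replaces the private mktemp directory with a predictable name beside the destination, so a stale or pre-existing entry at that path (a symlink in particular) is opened by `age -o`, then followed by `chmod` and `chown`, before `mv -f` ever runs. Creating the file atomically instead, `TMP_FILE=$(mktemp "${secretType.path}.XXXXXX")`, keeps the same-directory rename while guaranteeing a fresh 0600 regular file that no earlier path can alias. The unchanged `umask 0400` on the next line also deserves a look now that the temp file lives in the target directory: a umask clears the bits it names, so if age requests the usual 0666 the file is created as 0266 — group- and world-writable until the `chmod` — whereas `umask 077` is almost certainly the intent. The `let` block this hunk edits begins above the hunk.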