diff --git a/README.md b/README.md
index f448a4f..8cd6ca7 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,6 @@ make
 ## Directory layout
-- `nixos`: nixos config (includes nix-darwin)
 - `home`: home-manager config
+- `nixos`: nixos config (includes nix-darwin)
 - `systems`: top-level configuration.nix('ish) for various kinds of system
diff --git a/scripts/priv b/scripts/priv
deleted file mode 100755
index a81bcbf..0000000
--- a/scripts/priv
+++ /dev/null
@@ -1,4 +0,0 @@
-set -x
-
-sudo cryptsetup luksOpen /dev/nvme0n1p3 crypted0
-sudo mount /dev/mapper/crypted0 /extra0
\ No newline at end of file
diff --git a/systems/hetzner/ax101.nix b/systems/hetzner/ax101.nix
index b4df2db..d814812 100644
--- a/systems/hetzner/ax101.nix
+++ b/systems/hetzner/ax101.nix
@@ -104,9 +104,21 @@
 services.netdata.enable = true;
 environment.systemPackages = with pkgs; [
- cryptsetup
 lsof
 inputs.nixos-shell.defaultPackage.${system}
+
+ # Encrypted private directory stuff
+ # See https://srid.ca/vf.enc
+ cryptsetup
+ (pkgs.writeShellApplication {
+ name = "now-mount-priv";
+ runtimeInputs = [ cryptsetup ];
+ text = ''
+ set -x
+ sudo cryptsetup luksOpen /dev/nvme0n1p3 crypted0
+ sudo mount /dev/mapper/crypted0 /extra0
+ '';
+ })
 ];
 services.openssh.permitRootLogin = "prohibit-password";
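Review bot: The `luksOpen` line in `now-mount-priv` addresses the LUKS container by kernel name, `/dev/nvme0n1p3`, which is not guaranteed to stay stable across reboots or disk changes, so the command can fail or be pointed at a different partition; a persistent path is safer, e.g. `sudo cryptsetup luksOpen /dev/disk/by-uuid/<LUKS-UUID-PLACEHOLDER> crypted0`. The mount uses default options; for a data-only private volume I would add `nosuid,nodev` so that files on it cannot act as setuid binaries or device nodes: `sudo mount -o nosuid,nodev /dev/mapper/crypted0 /extra0`. There is no counterpart that unmounts and runs `cryptsetup close crypted0`, so once opened the volume stays unlocked until reboot; if that is intended, a comment next to `# Encrypted private directory stuff` should say so. The rest of the module lies outside the hunk, so whether `/extra0` is declared or created elsewhere cannot be seen from here.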