diff --git a/.justfile b/.justfile
index 252a267..8d0afb9 100644
--- a/.justfile
+++ b/.justfile
@@ -19,8 +19,8 @@ update-input input:
     nix flake lock --update-input {{input}}
 
 @edit-secrets:
-    git clone http://git.everest.sable-pancake.ts.net/Toast/nix-secrets.git /tmp/secrets
-    sed -i 's\git+http://git.everest.sable-pancake.ts.net/Toast/nix-secrets\/tmp/secrets\g' flake.nix
+    git clone ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets.git /tmp/secrets
+    sed -i 's\git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix
     just -q update-input secrets
     echo "{{bold}}All done!"
     echo "{{normal}}Remember to restore flake.nix"
diff --git a/flake.lock b/flake.lock
index 7691036..6482a8d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -377,11 +377,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1710238597,
-        "narHash": "sha256-N0CVdpIyAkofXIHS9SUuDS27gS5HiYue+i4CBtk9IqE=",
+        "lastModified": 1713107869,
+        "narHash": "sha256-TniJoCQfJ3OXrcqhH/8xcV6o4Sa5C/4KSRtk0c0/RK4=",
         "ref": "refs/heads/main",
-        "rev": "e05ec0b3a77ea7c2aecf699894cdabac1b377bab",
-        "revCount": 9,
+        "rev": "a00a07cd931b6eab722727a0606837cb895997f0",
+        "revCount": 11,
         "type": "git",
         "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
       },
diff --git a/roles/desktop/services/networkmanager.nix b/roles/desktop/services/networkmanager.nix
index d56c81b..acf5834 100644
--- a/roles/desktop/services/networkmanager.nix
+++ b/roles/desktop/services/networkmanager.nix
@@ -1,11 +1,55 @@
-{config, ...}: let
+{
+  config,
+  flakeSelf,
+  ...
+}: let
   tailscaleName = config.services.tailscale.interfaceName;
 in {
+  age.secrets = {
+    wifiPasswords.file = "${flakeSelf.inputs.secrets}/wifi-passwords.age";
+  };
   networking.networkmanager = {
     enable = true;
     unmanaged = [
       "interface-name:${tailscaleName}"
     ];
     wifi.macAddress = "random";
+    ensureProfiles = {
+      environmentFiles = [config.age.secrets.wifiPasswords.path];
+      profiles = {
+        "4g-modem" = {
+          connection = {
+            id = "4G Modem";
+            type = "wifi";
+          };
+          ipv4.method = "auto";
+          wifi = {
+            mode = "infrastructure";
+            ssid = "TP-Link_CCB4";
+          };
+          wifi-security = {
+            auth-alg = "open";
+            key-mgmt = "wpa-psk";
+            psk = "$MODEM";
+          };
+        };
+        phone = {
+          connection = {
+            id = "Phone";
+            type = "wifi";
+          };
+          ipv4.method = "auto";
+          wifi = {
+            mode = "infrastructure";
+            ssid = "Redmi Note 10 Pro_5197";
+          };
+          wifi-security = {
+            auth-alg = "open";
+            key-mgmt = "sae";
+            psk = "$PHONE";
+          };
+        };
+      };
+    };
   };
 }