diff --git a/flake.nix b/flake.nix index aef2986..5733e4c 100644 --- a/flake.nix +++ b/flake.nix @@ -36,10 +36,12 @@ udp-over-tcp.flake = false; }; - outputs = inputs@{ flake-parts, self, ... }: - flake-parts.lib.mkFlake { inherit inputs; } ({ config, ... }: { + outputs = inputs@{ flake-parts, self, secret, ... }: + flake-parts.lib.mkFlake { inherit inputs; } ({ config, lib', ... }: { imports = [ modules/nixngConfigurations.nix + modules/lib_overlays.nix + lib/load_secrets.nix nixos/systems/omen nixos/systems/heater @@ -83,9 +85,19 @@ inputs.uterranix.flakeModule ]; + _module.args.lib' = + let + inherit (inputs.nixpkgs) lib; + inherit (inputs.nixpkgs.lib) + extend; + in + lib.foldl (acc: x: acc.extend x) lib (with config.flake.libOverlays; [ + loadSecrets + ]); + flake.hydraJobs = let - inherit (lib) + inherit (lib') mapAttrs; in { @@ -96,6 +108,7 @@ uterranix.config = [ ./terranix/default.nix { + _module.args.secret = secret; _module.args.vars = { flake_rev = self.rev or null; flake_sha = self.sha or null; @@ -137,7 +150,7 @@ { packages = let - inherit (lib) + inherit (lib') attrValues; pkgs' = pkgs.appendOverlays (attrValues config.flake.overlays); in diff --git a/lib/load_secrets.nix b/lib/load_secrets.nix new file mode 100644 index 0000000..063a4ff --- /dev/null +++ b/lib/load_secrets.nix @@ -0,0 +1,14 @@ +# SPDX-FileCopyrightText: 2022 Richard Brežák +# +# SPDX-License-Identifier: LGPL-3.0-or-later +{ lib, ... }: +{ + flake.libOverlays.loadSecrets = + final: prev: (lib.traceVal { + loadSecrets = path: + if builtins.pathExists "${path}/default.nix" then + import path { lib = final; } + else + {}; + }); +} diff --git a/modules/lib_overlays.nix b/modules/lib_overlays.nix new file mode 100644 index 0000000..889d3e1 --- /dev/null +++ b/modules/lib_overlays.nix 
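Review bot: In the new `_module.args.lib'` binding in flake.nix, `inherit (inputs.nixpkgs.lib) extend;` is never used, because the fold calls `acc.extend x` on the accumulator instead. Drop that inherit so the `let` holds only what the expression reads. A one-line comment such as `# lib' = nixpkgs lib extended with the overlays below, applied in list order` would also help, since the fold is the only place where the composition order is fixed.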
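Review bot: `_module.args.secret = secret;` in the `uterranix.config` list passes the raw `secret` flake input, whereas the NixOS systems touched by this commit receive `lib'.loadSecrets inputs.secret`, which is the imported attribute set or `{}`. If the terranix modules expect the same shape as the NixOS modules (they are outside this diff, so confirm), the line should be `_module.args.secret = lib'.loadSecrets secret;`. In either form, any value the terranix modules interpolate from it presumably ends up in the generated configuration in the Nix store, which is readable by every local user. A comment at this line should record that.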
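Review bot: The overlay body in lib/load_secrets.nix is wrapped in `lib.traceVal`, which writes to stderr on every evaluation that forces `lib'`. It looks like a debugging leftover and should be removed so that the overlay is plain `final: prev: { loadSecrets = path: …; }`. A trace call next to a secrets loader is also easy to move one level inward by accident, at which point secret values would land in evaluation and CI logs. Separately, the `else {}` branch makes an absent secrets input indistinguishable from an empty one; a comment such as `# no secrets input (e.g. public checkout): evaluate with an empty set` would make that fail-open choice explicit for whoever consumes `secret`.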
@@ -0,0 +1,38 @@ +{ lib, flake-parts-lib, ... }: +let + inherit (lib) + mkOption + types + ; + inherit (flake-parts-lib) + mkSubmoduleOptions + ; +in +{ + options = { + flake = mkSubmoduleOptions { + libOverlays = mkOption { + # uniq -> ordered: https://github.com/NixOS/nixpkgs/issues/147052 + # also update description when done + type = types.lazyAttrsOf (types.uniq (types.functionTo (types.functionTo (types.lazyAttrsOf types.unspecified)))); + # This eta expansion exists for the sole purpose of making nix flake check happy. + apply = lib.mapAttrs (_k: f: final: prev: f final prev); + default = { }; + example = lib.literalExpression or lib.literalExample '' + { + default = final: prev: {}; + } + ''; + description = '' + An attribute set of lib overlays, they're similar to normal + [overlays](https://nixos.org/manual/nixpkgs/stable/#chap-overlays). + + Note that the overlays themselves are not mergeable. While overlays + can be composed, the order of composition is significant, but the + module system does not guarantee sufficiently deterministic + definition ordering, across versions and when changing `imports`. + ''; + }; + }; + }; +} diff --git a/nixos/systems/blowhole/default.nix b/nixos/systems/blowhole/default.nix index 5f12477..bd5a705 100644 --- a/nixos/systems/blowhole/default.nix +++ b/nixos/systems/blowhole/default.nix @@ -1,9 +1,9 @@ # SPDX-FileCopyrightText: 2022 Richard Brežák # # SPDX-License-Identifier: LGPL-3.0-or-later -{ inputs, lib, config, ... }: +{ inputs, lib', config, ... }: let - inherit (lib) + inherit (lib') flip mapAttrs singleton; @@ -17,11 +17,7 @@ in specialArgs = { config' = config'; inputs' = inputs; - secret = - if builtins.pathExists "${inputs.secret}/default.nix" then - import inputs.secret { inherit lib; } - else - {}; + secret = lib'.loadSecrets inputs.secret; }; modules = singleton diff --git a/nixos/systems/heater/default.nix b/nixos/systems/heater/default.nix index 71ddba9..f8a670b 100644 
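Review bot: The `description` of `flake.libOverlays` in modules/lib_overlays.nix says only that these are similar to nixpkgs overlays. It should also state that each value is a `final: prev:` function returning attributes to add to the nixpkgs `lib`, and that flake.nix applies them with `lib.extend` in the order of an explicit list. The second paragraph warns that ordering is significant but never says where the order is decided, so a reader cannot tell whether adding an overlay here is enough. The `# also update description when done` comment could name what has to change in the text once the linked issue is resolved.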
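Review bot: The blowhole `specialArgs` change switches to `lib'.loadSecrets inputs.secret`, but unlike the heater, liveusb and omen hunks it does not add `lib = lib';` to the `nixosSystem` call. As far as this diff shows, modules of this system would still see the stock nixpkgs `lib`. The call starts above the hunk, so this needs confirming against the full file. If the extended lib is meant to be uniform across systems, add `lib = lib';` next to `system`. The toothpick hunk has the same gap.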
--- a/nixos/systems/heater/default.nix +++ b/nixos/systems/heater/default.nix @@ -1,9 +1,9 @@ # SPDX-FileCopyrightText: 2022 Richard Brežák # # SPDX-License-Identifier: LGPL-3.0-or-later -{ inputs, lib, config, secret, ... }: +{ inputs, lib', config, secret, ... }: let - inherit (lib) + inherit (lib') flip mapAttrs singleton; @@ -13,15 +13,12 @@ in { flake.nixosConfigurations.heater = inputs.nixpkgs.lib.nixosSystem { system = "x86_64-linux"; + lib = lib'; specialArgs = { config' = config'; inputs' = inputs; - secret = - if builtins.pathExists "${inputs.secret}/default.nix" then - import inputs.secret { inherit lib; } - else - {}; + secret = lib'.loadSecrets; }; modules = singleton ({ pkgs, config, ... }: diff --git a/nixos/systems/liveusb/default.nix b/nixos/systems/liveusb/default.nix index 9e3ea7b..df46738 100644 --- a/nixos/systems/liveusb/default.nix +++ b/nixos/systems/liveusb/default.nix @@ -1,9 +1,9 @@ # SPDX-FileCopyrightText: 2022 Richard Brežák # # SPDX-License-Identifier: LGPL-3.0-or-later -{ inputs, lib, config, ... }: +{ inputs, lib', config, ... }: let - inherit (lib) + inherit (lib') flip mapAttrs singleton; @@ -13,15 +13,12 @@ in { flake.nixosConfigurations.liveusb = inputs.nixpkgs.lib.nixosSystem { system = "x86_64-linux"; + lib = lib'; specialArgs = { config' = config'; inputs' = inputs; - secret = - if builtins.pathExists "${inputs.secret}/default.nix" then - import inputs.secret { inherit lib; } - else - {}; + secret = lib'.loadSecrets inputs.secrets; }; modules = singleton diff --git a/nixos/systems/omen/default.nix b/nixos/systems/omen/default.nix index 3d953fd..2ef1984 100644 --- a/nixos/systems/omen/default.nix +++ b/nixos/systems/omen/default.nix 
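Review bot: `secret = lib'.loadSecrets;` in heater's `specialArgs` passes the loader function itself instead of its result, because the path argument is missing. Modules that read `secret.<name>` would then fail at evaluation, and any lookup written as `secret.<name> or default` would presumably take the default without warning, so the host could be built without its secrets. The other systems in this commit call the loader with the input; this line should be `secret = lib'.loadSecrets inputs.secret;`.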
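Review bot: `secret = lib'.loadSecrets inputs.secrets;` in liveusb's `specialArgs` reads `inputs.secrets`, while the removed lines and every other system use `inputs.secret`, and flake.nix destructures an input named `secret`. Unless a separate input called `secrets` is declared outside this diff, evaluating liveusb fails with a missing-attribute error. The line should be `secret = lib'.loadSecrets inputs.secret;`.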
@@ -1,27 +1,25 @@ # SPDX-FileCopyrightText: 2022 Richard Brežák # # SPDX-License-Identifier: LGPL-3.0-or-later -{ inputs, lib, config, secret, ... }: +{ inputs, lib', config, secret, ... }: let - inherit (lib) + inherit (lib') flip mapAttrs - singleton; + singleton + loadSecrets; config' = config; in { flake.nixosConfigurations.omen = inputs.nixpkgs.lib.nixosSystem { system = "x86_64-linux"; + lib = lib'; specialArgs = { config' = config'; inputs' = inputs; - secret = - if builtins.pathExists "${inputs.secret}/default.nix" then - import inputs.secret { inherit lib; } - else - {}; + secret = loadSecrets inputs.secret; }; modules = singleton diff --git a/nixos/systems/toothpick/default.nix b/nixos/systems/toothpick/default.nix index adcf4aa..1eca833 100644 --- a/nixos/systems/toothpick/default.nix +++ b/nixos/systems/toothpick/default.nix @@ -1,9 +1,9 @@ # SPDX-FileCopyrightText: 2022 Richard Brežák # # SPDX-License-Identifier: LGPL-3.0-or-later -{ inputs, lib, config, ... }: +{ inputs, lib', config, ... }: let - inherit (lib) + inherit (lib') flip mapAttrs singleton; @@ -17,11 +17,7 @@ in specialArgs = { config' = config'; inputs' = inputs; - secret = - if builtins.pathExists "${inputs.secret}/default.nix" then - import inputs.secret { inherit lib; } - else - {}; + secret = lib'.loadSecrets inputs.secret; }; modules = singleton