diff --git a/nix/system/framework/keys.nix b/nix/system/framework/keys.nix
index b74630c..f37ab68 100644
--- a/nix/system/framework/keys.nix
+++ b/nix/system/framework/keys.nix
@@ -1,22 +1,30 @@
+let
+  ifExists = path: if builtins.pathExists path then path else null;
+  readIfExists = path: if builtins.pathExists path then builtins.readFile path else null;
+in
 {
   ssh = {
     public = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd7+5+rLGrsGbg+mXjzQLqwAR2VNNFPCb7Va4FqVwd7 haak@framework";
   };
 
   syncthing = {
-    cert = if builtins.pathExists "/home/haak/dotfiles/secrets/syncthing/cert.pem" then "/home/haak/dotfiles/secrets/syncthing/cert.pem" else null;
-    key = if builtins.pathExists "/home/haak/dotfiles/secrets/syncthing/key.pem" then "/home/haak/dotfiles/secrets/syncthing/key.pem" else null;
+    cert = ifExists "/home/haak/dotfiles/secrets/syncthing/cert.pem";
+    key = ifExists "/home/haak/dotfiles/secrets/syncthing/key.pem";
   };
 
   wifi = {
     # These wifi names must match exactly the network names used for
     # wpa_supplicant configuration!
     N904 = {
-      pskRaw = if builtins.pathExists "/home/haak/dotfiles/secrets/wifi/n904/pskRaw.txt" then builtins.readFile "/home/haak/dotfiles/secrets/wifi/n904/pskRaw.txt" else null;
+      pskRaw = readIfExists "/home/haak/dotfiles/secrets/wifi/n904/pskRaw.txt";
     };
 
     "ShamblingHalfling 5Ghz-1" = {
-      pskRaw = if builtins.pathExists "/home/haak/dotfiles/secrets/wifi/ShamblingHalfling 5Ghz-1/pskRaw.txt" then builtins.readFile "/home/haak/dotfiles/secrets/wifi/ShamblingHalfling 5Ghz-1/pskRaw.txt" else null;
+      pskRaw = readIfExists "/home/haak/dotfiles/secrets/wifi/ShamblingHalfling 5Ghz-1/pskRaw.txt";
+    };
+
+    lbheim = {
+      pskRaw = readIfExists "/home/haak/dotfiles/secrets/wifi/lbheim/pskRaw.txt";
     };
   };
 }