diff --git a/.gitignore b/.gitignore index e61812f..f19976d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ notes/ +secrets/* +!secrets/*.sample diff --git a/app/csi-s3/deploy/csi-s3.hcl b/app/bad.csi-s3/deploy/csi-s3.hcl similarity index 100% rename from app/csi-s3/deploy/csi-s3.hcl rename to app/bad.csi-s3/deploy/csi-s3.hcl diff --git a/app/im/deploy/im.hcl b/app/im/deploy/im.hcl index 734669a..3cf4e95 100644 --- a/app/im/deploy/im.hcl +++ b/app/im/deploy/im.hcl @@ -29,7 +29,7 @@ job "im" { driver = "docker" config { - image = "litestream/litestream" + image = "litestream/litestream:0.3.7" args = [ "restore", "-config", "/etc/litestream.yml", "/ephemeral/homeserver.db" ] @@ -109,7 +109,7 @@ job "im" { task "replicate-db" { driver = "docker" config { - image = "litestream/litestream" + image = "litestream/litestream:0.3.7" args = [ "replicate", "-config", "/etc/litestream.yml" ] diff --git a/configuration.nix b/configuration.nix index c9fecd0..bb44c40 100644 --- a/configuration.nix +++ b/configuration.nix @@ -176,6 +176,7 @@ in htop links git + rclone docker docker-compose ]; @@ -243,6 +244,24 @@ in ]; }; + # Mount Garage using Rclone + systemd.services.mountgarage = { + enable = true; + description = "Mount the Garage data store"; + path = [ + pkgs.fuse + pkgs.rclone + ]; + unitConfig = { + Type = "simple"; + }; + serviceConfig = { + ExecStartPre = "${pkgs.bash}/bin/sh -c \"mkdir -p /mnt/garage-staging; fusermount -u /mnt/garage-staging || exit 0\""; + ExecStart = "${pkgs.rclone}/bin/rclone --config /root/rclone.conf mount --vfs-cache-mode full --vfs-cache-max-size 1G --cache-dir /root/mountgarage-cache staging: /mnt/garage-staging"; + }; + wantedBy = [ "multi-user.target" ]; + }; + # Open ports in the firewall. networking.firewall = { enable = true; diff --git a/deploy.sh b/deploy.sh index 989e4dd..e4470c0 100755 --- a/deploy.sh +++ b/deploy.sh 
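Review bot: The new `image = "litestream/litestream:0.3.7"` line in the task that runs `restore` pins a tag, and a registry tag can later be pointed at different content, so the job can still pull an image other than the one that was tested. Appending the digest, `image = "litestream/litestream:0.3.7@sha256:<digest-of-tested-image>"` (placeholder value), makes the pull content-addressed. The same applies to the `replicate-db` task in the second hunk of this file. Both task bodies continue outside their hunks.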
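Review bot: `Type = "simple"` is set under `unitConfig`, which NixOS renders into the `[Unit]` section, where systemd does not recognise `Type` and ignores it with a warning; the setting belongs in `serviceConfig`. It is harmless today only because `simple` is the default, and since rclone mount can signal readiness to systemd, `serviceConfig.Type = "notify";` would let dependent units wait for the mount. The service also runs as root with no `Restart=` or unmount on stop. It reads `/root/rclone.conf`, which holds the S3 secret and is only pushed by deploy.sh when `secrets/rclone.conf` exists locally, so a comment above the unit such as `# Requires /root/rclone.conf (installed by deploy.sh from secrets/rclone.conf)` would record that dependency.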
@@ -19,10 +19,15 @@ for NIXHOST in $NIXHOSTLIST; do echo "==== DOING $NIXHOST ====" - echo "generating NixOS config" + echo "Sending NixOS config files" + cat configuration.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/configuration.nix > /dev/null cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/node.nix > /dev/null cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/site.nix > /dev/null - echo "rebuilding NixOS" + + echo "Sending secret files" + test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST sudo tee /root/rclone.conf > /dev/null) + + echo "Rebuilding NixOS" ssh -F ssh_config $SSH_DEST sudo nixos-rebuild switch done diff --git a/secrets/rclone.conf.sample b/secrets/rclone.conf.sample new file mode 100644 index 0000000..048bdba --- /dev/null +++ b/secrets/rclone.conf.sample @@ -0,0 +1,8 @@ +[staging] +type = s3 +provider = Other +env_auth = false +access_key_id = GK... +secret_access_key = ... +endpoint = http://127.0.0.1:3990 +region = garage-staging
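Review bot: The added `sudo tee /root/rclone.conf` line creates the credentials file with whatever mode root's umask gives (commonly 0644), and nothing in the hunk tightens it afterwards; the file carries the S3 secret key and should be written owner-only. Inside the existing `test -f` guard, something like `ssh -F ssh_config $SSH_DEST sudo install -m 600 /dev/stdin /root/rclone.conf < secrets/rclone.conf` sets the mode in the same step. When `secrets/rclone.conf` is missing, the copy is skipped silently although "Sending secret files" is still printed, and the rebuild then starts the mount service without a config, so a warning on that path would make the failure easier to trace. The `for` loop this body belongs to starts above the hunk.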
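Review bot: The sample has no header saying where the real file goes or what else in the repository depends on it. Two comment lines would cover the couplings visible in this commit: `# Copy to secrets/rclone.conf (git-ignored); deploy.sh installs it as /root/rclone.conf` and `# The section name must match the "staging:" remote used in configuration.nix`. If comments in the rclone config turn out not to survive, the same text fits in a README next to the sample.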