diff --git a/clanModules/borgbackup/default.nix b/clanModules/borgbackup/default.nix
index fbc05db23..760e1afe8 100644
--- a/clanModules/borgbackup/default.nix
+++ b/clanModules/borgbackup/default.nix
@@ -106,6 +106,16 @@ in
     '';
   };
 
+  options.clan.borgbackup.exclude = lib.mkOption {
+    type = lib.types.listOf lib.types.str;
+    example = [ "*.pyc" ];
+    default = [ ];
+    description = ''
+      Directories/Files to exclude from the backup.
+      Use * as a wildcard.
+    '';
+  };
+
   imports = [
     (lib.mkRemovedOptionModule [
       "clan"
@@ -129,7 +139,7 @@ in
       paths = lib.unique (
         lib.flatten (map (state: state.folders) (lib.attrValues config.clan.core.state))
       );
-      exclude = [ "*.pyc" ];
+      exclude = cfg.exclude;
       repo = dest.repo;
       environment.BORG_RSH = dest.rsh;
       compression = "auto,zstd";
diff --git a/clanModules/root-password/default.nix b/clanModules/root-password/default.nix
index 9c901f30e..a340730e3 100644
--- a/clanModules/root-password/default.nix
+++ b/clanModules/root-password/default.nix
@@ -9,9 +9,9 @@
   users.users.root.hashedPasswordFile =
     config.clan.core.facts.services.root-password.secret.password-hash.path;
 
-  sops.secrets."${config.clan.core.machineName}-password-hash".neededForUsers = lib.mkIf (
-    config.clan.core.facts.secretStore == "sops"
-  ) true;
+  sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
+    "${config.clan.core.machineName}-password-hash".neededForUsers = true;
+  };
 
   clan.core.facts.services.root-password = {
     secret.password = { };
diff --git a/clanModules/user-password/default.nix b/clanModules/user-password/default.nix
index f76c7f397..14b1f0177 100644
--- a/clanModules/user-password/default.nix
+++ b/clanModules/user-password/default.nix
@@ -23,7 +23,11 @@
     users.mutableUsers = false;
     users.users.${config.clan.user-password.user}.hashedPasswordFile =
       config.clan.core.facts.services.user-password.secret.user-password-hash.path;
-    sops.secrets."${config.clan.core.machineName}-user-password-hash".neededForUsers = true;
+
+    sops.secrets = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
+      "${config.clan.core.machineName}-user-password-hash".neededForUsers = true;
+    };
+
     clan.core.facts.services.user-password = {
       secret.user-password = { };
       secret.user-password-hash = { };
diff --git a/pkgs/clan-cli/clan_cli/inventory/classes.py b/pkgs/clan-cli/clan_cli/inventory/classes.py
index 7712932a3..41d116831 100644
--- a/pkgs/clan-cli/clan_cli/inventory/classes.py
+++ b/pkgs/clan-cli/clan_cli/inventory/classes.py
@@ -39,6 +39,7 @@ class BorgbackupConfigDestination:
 @dataclass
 class BorgbackupConfig:
     destinations: dict[str, BorgbackupConfigDestination] = field(default_factory = dict)
+    exclude: list[str] = field(default_factory = list)
 
 
 @dataclass