diff --git a/.gitignore b/.gitignore
index 29ae37f..9143aca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+*/hm
 */system
 */vm
 */vmWithBootLoader
diff --git a/build_hm.sh b/build_hm.sh
new file mode 100755
index 0000000..b675d9d
--- /dev/null
+++ b/build_hm.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash
+#! nix-shell -p bash nix-output-monitor
+
+set -euo pipefail
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+# Parse arguments
+function help {
+    echo "Usage: $0 [-h|-v|-b] profile"
+    echo "Build Home Manager configuration on the local machine."
+    echo
+    echo "Arguments:"
+    echo "  profile: Home Manager profile to use"
+    echo
+    echo "Options:"
+    echo "  -h: Display this help message."
+}
+
+while getopts "hvb" OPTION
+do
+    case "$OPTION" in
+        h)
+            help
+            exit 0
+            ;;
+        ?)
+            help
+            exit 2
+            ;;
+    esac
+done
+shift "$(($OPTIND -1))"
+
+if [ "$#" -ne 1 ]
+then
+    help
+    exit 2
+fi
+profile="$1"
+
+profile_dir="${SCRIPT_DIR}/${profile}"
+if [ ! -d "$profile_dir" ]
+then
+    echo "Profile not found."
+fi
+
+home_manager_config="${profile_dir}/hm.nix"
+if [ ! -f "$home_manager_config" ]
+then
+    echo "Home Manager configuration not found."
+fi
+
+set -x
+
+nom-build '<home-manager/home-manager/home-manager.nix>' --argstr confPath "${home_manager_config}" -o "${profile_dir}/hm"
+
+set +x
+
+echo 
+
+path="$(readlink -f "${profile_dir}/hm")"
+
+echo "Manual installation instructions:"
+echo "- Transfer $path and dependencies to the destination machine (somehow)"
+echo "- Run $path/activate as the destination user"
+echo "- Log into the user again to make sure everything is sourced"
+echo "- Transfer necessary private keys (or use ssh -A for testing)"
+echo "- Run git-sync-init"
+echo "- Check that the system can build itself"
diff --git a/hm/common.nix b/hm/common.nix
index 746ac95..85276af 100644
--- a/hm/common.nix
+++ b/hm/common.nix
@@ -330,6 +330,7 @@ in
           extraConfig = builtins.readFile ./tmux.conf + "source-file ${themepack}/share/tmux-plugins/tmux-themepack/powerline/default/green.tmuxtheme\n";
         };
       translate-shell.enable = true; # TODO Cool config?
+      password-store.enable = true;
     };
   services = {
     gpg-agent = {
@@ -338,6 +339,16 @@ in
       enableZshIntegration = true;
       pinentryFlavor = "gtk2"; # Falls back to curses when needed
     };
+    # TODO Doesn't activate units by default. For now, we'll consider this as a safety feature.
+    git-sync = {
+      enable = true;
+      repositories = {
+        dotfiles = {
+          path = "${config.xdg.configHome}/dotfiles";
+          uri = lib.mkDefault "https://git.frogeye.fr/geoffrey/dotfiles.git";
+        };
+      };
+    };
   };
   xdg = {
     configFile = {
@@ -428,8 +439,16 @@ in
       imagemagick
 
       # password
-      pass
       pwgen
+      (pkgs.writeShellApplication {
+        name = "git-sync-init";
+        # runtimeInputs = with pkgs; [ coreutils libnotify ];
+        text = (lib.strings.concatLines
+          (map (r: ''[ -d "${r.path}" ] || ${pkgs.git}/bin/git clone "${r.uri}" "${r.path}"'')
+            (lib.attrsets.attrValues config.services.git-sync.repositories)
+          )
+        );
+      })
 
       # Mail
       isync
diff --git a/hm/desktop.nix b/hm/desktop.nix
index e6a720e..926e14c 100644
--- a/hm/desktop.nix
+++ b/hm/desktop.nix
@@ -111,7 +111,7 @@ in
                   "${mod}+z" = "kill";
                   button2 = "kill";
                   # Rofi
-                  "${mod}+c" = "exec --no-startup-id ${pkgs.rofi-pass}/bin/rofi-pass --last-used";
+                  "${mod}+c" = "exec --no-startup-id ${config.programs.rofi.pass.package}/bin/rofi-pass --last-used";
                   # TODO Try autopass.cr
                   # 23.11 config.programs.rofi.pass.package
                   "${mod}+i" = "exec --no-startup-id ${pkgs.rofimoji}/bin/rofimoji";
diff --git a/install_os.sh b/install_os.sh
index eb41b84..577e688 100755
--- a/install_os.sh
+++ b/install_os.sh
@@ -103,5 +103,13 @@ sudo nixos-install --no-root-password --root "$mountpoint"
 # sudo cp -a ../dotfiles $mountpoint/home/geoffrey/.config/
 # sudo chown geoffrey:geoffrey $mountpoint/home/geoffrey -R
 
+set +x
+
 # Signal the installation is done!
 echo 
+
+echo "Manual post-installation instructions:"
+echo "- Boot into the system"
+echo "- Transfer necessary private keys (or use ssh -A for testing)"
+echo "- Run git-sync-init"
+echo "- Check that the system can build itself"
diff --git a/unprocessed/config/automatrop/playbooks/default.yml b/unprocessed/config/automatrop/playbooks/default.yml
index b02d58a..f4950ff 100644
--- a/unprocessed/config/automatrop/playbooks/default.yml
+++ b/unprocessed/config/automatrop/playbooks/default.yml
@@ -5,11 +5,6 @@
     - role: system
       tags: system
       when: root_access
-    - role: dotfiles
-      tags: dotfiles
     - role: termux
       tags: termux
       when: termux
-    - role: extensions
-      tags: extensions
-# TODO Dependencies
diff --git a/unprocessed/config/automatrop/roles/dotfiles/handlers/main.yml b/unprocessed/config/automatrop/roles/dotfiles/handlers/main.yml
deleted file mode 100644
index 871fdcc..0000000
--- a/unprocessed/config/automatrop/roles/dotfiles/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: Install dotfiles
-  ansible.builtin.command: "{{ ansible_user_dir }}/.dotfiles/config/scripts/dotfiles install"
diff --git a/unprocessed/config/automatrop/roles/dotfiles/tasks/main.yml b/unprocessed/config/automatrop/roles/dotfiles/tasks/main.yml
deleted file mode 100644
index ced1daf..0000000
--- a/unprocessed/config/automatrop/roles/dotfiles/tasks/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Install dotfiles repository
-  ansible.builtin.git:
-    repo: "{% if has_forge_access %}git@git.frogeye.fr:{% else %}https://git.frogeye.fr/{% endif %}geoffrey/dotfiles.git"
-    dest: "{{ ansible_user_dir }}/.dotfiles"
-    update: true
-  notify: install dotfiles
-  tags: dotfiles_repo
-# TODO Put actual dotfiles in a subdirectory of the repo, so we don't have to put everything in config
diff --git a/unprocessed/config/automatrop/roles/extensions/tasks/main.yml b/unprocessed/config/automatrop/roles/extensions/tasks/main.yml
deleted file mode 100644
index d14feb9..0000000
--- a/unprocessed/config/automatrop/roles/extensions/tasks/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: Load extensions
-  ansible.builtin.include_role:
-    name: geoffreyfrogeye.{{ extension }}automatrop.entry
-  loop: "{{ extensions }}"
-  loop_control:
-    loop_var: extension
-  tags: always
-
-- name: Configure extensions rc sourcing
-  ansible.builtin.template:
-    src: extrc.sh.j2
-    dest: "{{ ansible_user_dir }}/.config/shell/extrc"
-    mode: u=rw,g=r,o=r
diff --git a/unprocessed/config/automatrop/roles/extensions/templates/extrc.sh.j2 b/unprocessed/config/automatrop/roles/extensions/templates/extrc.sh.j2
deleted file mode 100644
index 64c45b3..0000000
--- a/unprocessed/config/automatrop/roles/extensions/templates/extrc.sh.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-
-{% for extension in extensions %}
-trysource ~/.config/{{ extension }}scripts/{{ extension }}profile
-{% endfor %}
-{# TODO Rename profile as rc, and add env #}
-{# TODO Put in non-linked path #}