diff --git a/dot_bin/executable_with_gpg_mount b/dot_bin/executable_with_gpg_mount
index d864304..03b8bf8 100644
--- a/dot_bin/executable_with_gpg_mount
+++ b/dot_bin/executable_with_gpg_mount
@@ -7,7 +7,7 @@ shift
 
 alias="gnupg"
 
-if rofi-dev -c "$XDG_CONFIG_HOME/rofi/devices.yml" -m "$alias"; then
+if rofi-dev -c "$XDG_CONFIG_HOME/rofi/devices.dhall" -m "$alias"; then
     "$bin" "$@"
 else
     echo "Could not mount $alias"
diff --git a/dot_config/rofi/devices.dhall.tmpl b/dot_config/rofi/devices.dhall.tmpl
new file mode 100644
index 0000000..a897069
--- /dev/null
+++ b/dot_config/rofi/devices.dhall.tmpl
@@ -0,0 +1,97 @@
+let cryptdir = 
+{{ if eq .features.rofi_alias "laptop" -}}
+    "/mnt/data/Documents/.crypt"
+{{- else if eq .features.rofi_alias "workstation" -}}
+    "/mnt/data/.crypt"
+{{- else -}}
+    "~/.crypt"
+{{- end }}
+
+let sshKey = "ssh"
+
+let gpgKey = "gpg"
+
+let bwConfig =
+      \(k : Text) ->
+        PasswordConfig.PwdBW ({ bwKey = k, bwTries = +2 } : BitwardenConfig)
+
+let sshData =
+      \(r : Text) ->
+        DataConfig.SSHFSConfig
+          ({ sshfsRemote = r, sshfsPassword = None PasswordConfig } : SSHFSData)
+
+let sshfsTree =
+      \(m : Text) ->
+      \(l : Text) ->
+      \(r : Text) ->
+          { tcParent =
+                { deviceMount = { mpPath = m, mpLabel = Some l } : MountConfig
+                , deviceData = sshData r
+                }
+              : DeviceConfig
+          , tcChildren = [ "ssh" ]
+          }
+        : TreeConfig
+
+let crypt = \(b : Text) -> "${cryptdir}/${b}"
+
+let vcName = \(n : Text) -> "Veracrypt (${n})"
+
+let vcryptTree =
+      \(m : Text) ->
+      \(l : Optional Text) ->
+      \(v : Text) ->
+      \(k : Text) ->
+          { tcParent =
+                { deviceMount = { mpPath = m, mpLabel = l } : MountConfig
+                , deviceData =
+                    DataConfig.VeracryptConfig
+                      (   { vcVolume = crypt v
+                          , vcPassword = Some (bwConfig (vcName k))
+                          }
+                        : VeracryptData
+                      )
+                }
+              : DeviceConfig
+          , tcChildren = [] : List Text
+          }
+        : TreeConfig
+
+let defaultDevs =
+      { ssh =
+          vcryptTree "${env:HOME as Text}/.ssh" (Some "ssh") "ssh-config" sshKey
+      , gnupg =
+          vcryptTree "${env:GNUPGHOME as Text}" (None Text) "gpg-config" gpgKey
+      }
+
+let otherDevs =
+{{- if eq .features.rofi_alias "laptop" -}}
+      { accounts = vcryptTree "accounts" (None Text) "accounts" "accounts"
+      , ansible-pki =
+          vcryptTree "ansible-pki" (None Text) "ansible" "Ansible PKI"
+      , call_logs = vcryptTree "call-logs" (None Text) "call_logs" "ACR"
+      , ebm_snakemake =
+          sshfsTree "ebm_snakemake" "EBM" "nisaba:/aigenomics/EBM_dev/snakemake"
+      , music =
+          sshfsTree
+            "/mnt/data/Music"
+            "Music"
+            "portnoy4prez:/mnt/data/home/Music"
+      , videos =
+          sshfsTree
+            "/mnt/data/Videos"
+            "Videos"
+            "portnoy4prez:/mnt/data/home/Videos"
+      }
+{{- else if eq .features.rofi_alias "workstation" -}}
+      { ebm_snakemake =
+          sshfsTree "ebm_snakemake" "EBM" "nisaba:/aigenomics/EBM_dev/snakemake"
+      }
+{{- else -}}
+      {=}
+{{- end }}
+
+in  { scTmpPath = Some "/tmp/media/${env:LOGNAME as Text}"
+    , scVerbose = Some False
+    , scDevices = toMap (defaultDevs /\ otherDevs)
+    }
diff --git a/dot_config/rofi/devices.yml.tmpl b/dot_config/rofi/devices.yml.tmpl
deleted file mode 100644
index c1e2343..0000000
--- a/dot_config/rofi/devices.yml.tmpl
+++ /dev/null
@@ -1,72 +0,0 @@
-# directory for all relative, transitive mountpoints
-mountdir: /tmp/media/{{ .chezmoi.username }}
-verbose: false
-
-devices:
-{{- if eq .features.rofi_alias "laptop" -}}
-{{- $mntdata := "/mnt/data" -}}
-{{- $crypt := $mntdata | printf "%s/Documents/.crypt" }}
-  gnupg:
-    type: veracrypt
-    mount:
-      mountpoint: {{ .paths.config }}/gnupg
-    volume: {{ $crypt }}/gnupg
-    password:
-      bitwarden:
-        key: Veracrypt (gpg)
-  ssh:
-    type: veracrypt
-    mount:
-      mountpoint: {{ .chezmoi.homeDir }}/.ssh
-      label: ssh
-    volume: {{ $crypt }}/ssh-config
-    password:
-      bitwarden:
-        key: Veracrypt (ssh)
-  ebm_snakemake:
-    type: sshfs
-    mount:
-      mountpoint: ebm_snakemake
-      label: EBM
-    remote: nisaba:/aigenomics/EBM_dev/snakemake
-    depends:
-      - ssh
-  accounts:
-    type: veracrypt
-    mount:
-      mountpoint: accounts
-    volume: {{ $crypt }}/accounts
-    password:
-      bitwarden:
-        key: Veracrypt (accounts)
-  ansible_pki:
-    type: veracrypt
-    mount:
-      mountpoint: ansible-pki
-    volume: {{ $crypt }}/ansible
-    password:
-      bitwarden:
-        key: Veracrypt (Ansible PKI)
-  call_logs:
-    type: veracrypt
-    mount:
-      mountpoint: call-logs
-    volume: {{ $crypt }}/call_logs
-    password:
-      bitwarden:
-        key: Veracrypt (ACR)
-  music:
-    type: sshfs
-    mount:
-      mountpoint: {{ $mntdata }}/Music
-    remote: portnoy4prez:/mnt/data/home/Music
-    depends:
-      - ssh
-  videos:
-    type: sshfs
-    mount:
-      mountpoint: {{ $mntdata }}/Videos
-    remote: portnoy4prez:/mnt/data/home/Videos
-    depends:
-      - ssh
-{{ end -}}
\ No newline at end of file