diff --git a/.gitignore b/.gitignore
index b91777e..7ad6275 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 /.direnv
-/result
diff --git a/README.md b/README.md
index aa927d4..e0a673f 100644
--- a/README.md
+++ b/README.md
@@ -1,22 +1,10 @@
 # NixOS & Home Manager config
 
-This repository contains all my system configurations, mostly deployed using Nix and [Clan].
-
 ## Structure
 
-- **home**: Dotfiles
-- **machines**: Host-specific configs
+- **home**: Home Manager modules
+- **hosts**: Host-specific configs
 - **infra**: Terraform/OpenTofu files
-- **vars**: Encrypted secrets managed by clan
-- **modules**: NixOS modules
-- **clanServices**: Custom [Clan Services](https://docs.clan.lol/reference/clanServices)
-
-## Dotfiles
-
-### Linking with dotbotc (for windows)
-
-```sh
-dotbot -c ./dotbot/windows.yaml -d home
-```
-
-[Clan]: https//clan.lol
+- **secrets**: Age-encrypted secrets shared between multiple hosts.
+  Host-specific secrets are stored in their own directories.
+- **system**: Base NixOS modules shared among all hosts
diff --git a/clan/flake-module.nix b/clan/flake-module.nix
deleted file mode 100644
index c15a957..0000000
--- a/clan/flake-module.nix
+++ /dev/null
@@ -1,185 +0,0 @@
-{ self, lib, ... }:
-{
-  imports = [
-    ./machines.nix
-    ./monitoring.nix
-    ./network.nix
-  ];
-
-  clan.meta.name = "blossom";
-  clan.meta.domain = "val";
-
-  clan.secrets.age.plugins = [
-    "age-plugin-yubikey"
-  ];
-
-  clan.inventory.instances."rpqt-admin" = {
-    module.input = "clan-core";
-    module.name = "admin";
-    roles.default.tags.server = { };
-    roles.default.machines.haze = { };
-    roles.default.settings.allowedKeys = {
-      rpqt_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze";
-      nixbld_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAE nixbld@haze";
-    };
-  };
-
-  clan.inventory.instances."sshd" = {
-    module.input = "clan-core";
-    module.name = "sshd";
-    roles.server.tags.all = { };
-    roles.server.extraModules = [
-      self.nixosModules.hardened-ssh-server
-    ];
-    roles.server.settings = {
-      certificate.searchDomains = [
-        "home.rpqt.fr"
-      ];
-    };
-
-    roles.client.tags.all = { };
-    roles.client.settings = {
-      certificate.searchDomains = [
-        "home.rpqt.fr"
-      ];
-    };
-  };
-
-  clan.inventory.instances.user-rpqt = {
-    module.input = "clan-core";
-    module.name = "users";
-    roles.default.machines.haze = {
-      settings = {
-        user = "rpqt";
-      };
-    };
-    roles.default.extraModules = [
-      self.nixosModules.user-rpqt
-    ];
-  };
-
-  clan.inventory.instances.common-config = {
-    module = {
-      input = "clan-core";
-      name = "importer";
-    };
-    roles.default.tags.all = { };
-    roles.default.extraModules = [ self.nixosModules.common ];
-  };
-
-  clan.inventory.instances.server-config = {
-    module = {
-      input = "clan-core";
-      name = "importer";
-    };
-    roles.default.tags.server = { };
-    roles.default.extraModules = [
-      {
-        nix.gc.automatic = lib.mkDefault true;
-        nix.gc.dates = lib.mkDefault "Mon 3:15";
-        nix.gc.randomizedDelaySec = lib.mkDefault "30min";
-        nix.gc.options = lib.mkDefault "--delete-older-than 30d";
-      }
-    ];
-  };
-
-  clan.inventory.instances."garage" = {
-    module.input = "clan-core";
-    module.name = "garage";
-    roles.default.tags.garage = { };
-  };
-
-  clan.inventory.instances."garage-config" = {
-    module.input = "clan-core";
-    module.name = "importer";
-    roles.default.tags.garage = { };
-    roles.default.extraModules = [ ../modules/garage.nix ];
-  };
-
-  clan.inventory.instances."trusted-nix-caches" = {
-    module.input = "clan-core";
-    module.name = "trusted-nix-caches";
-    roles.default.tags.all = { };
-  };
-
-  clan.inventory.instances."borgbackup-storagebox" = {
-    module.input = "clan-core";
-    module.name = "borgbackup";
-
-    roles.client.machines = lib.genAttrs [ "crocus" "genepi" "verbena" ] (
-      machine:
-      let
-        config = self.nixosConfigurations.${machine}.config;
-        user = "u422292";
-        host = "${user}.your-storagebox.de";
-      in
-      {
-        settings.destinations."storagebox-${config.networking.hostName}" = {
-          repo = "${user}@${host}:./borgbackup/${config.networking.hostName}";
-          rsh = "ssh -oPort=23 -i ${
-            config.clan.core.vars.generators.borgbackup.files."borgbackup.ssh".path
-          } -oStrictHostKeyChecking=accept-new";
-        };
-      }
-    );
-    roles.client.extraModules = [
-      ../modules/storagebox.nix
-    ];
-    roles.server.machines = { };
-  };
-
-  clan.inventory.instances.syncthing = {
-    roles.peer.tags.syncthing = { };
-    roles.peer.settings.folders = {
-      Documents = {
-        path = "~/Documents";
-      };
-      Music = {
-        path = "~/Music";
-      };
-      Pictures = {
-        path = "~/Pictures";
-      };
-      Videos = {
-        path = "~/Videos";
-      };
-    };
-    roles.peer.settings.extraDevices = {
-      pixel-7a = {
-        id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
-        name = "Pixel 7a";
-        addresses = [ "dynamic" ];
-      };
-    };
-  };
-
-  clan.inventory.instances.buildbot = {
-    module.input = "self";
-    module.name = "@rpqt/buildbot";
-
-    roles.master.machines.verbena = {
-      settings = {
-        domain = "buildbot.turifer.dev";
-        admins = [ "rpqt" ];
-        topic = "buildbot-nix";
-        gitea.instanceUrl = "https://git.turifer.dev";
-      };
-    };
-
-    roles.master.extraModules = [
-      {
-        services.nginx.virtualHosts."buildbot.turifer.dev" = {
-          enableACME = true;
-          forceSSL = true;
-        };
-
-        security.acme.certs."buildbot.turifer.dev" = {
-          email = "admin@turifer.dev";
-        };
-      }
-    ];
-
-    roles.worker.machines.verbena = { };
-  };
-
-}
diff --git a/clan/machines.nix b/clan/machines.nix
deleted file mode 100644
index 8910a89..0000000
--- a/clan/machines.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{
-  clan.inventory.machines = {
-    crocus = {
-      tags = [
-        "garage"
-        "server"
-      ];
-    };
-    genepi = {
-      tags = [
-        "garage"
-        "server"
-        "syncthing"
-      ];
-    };
-    haze = {
-      tags = [
-        "syncthing"
-      ];
-    };
-    verbena = {
-      tags = [
-        "garage"
-        "server"
-      ];
-    };
-  };
-}
diff --git a/clan/monitoring.nix b/clan/monitoring.nix
deleted file mode 100644
index 668b23e..0000000
--- a/clan/monitoring.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{ self, ... }:
-{
-  clan.inventory.instances.prometheus = {
-    module.input = "self";
-    module.name = "@rpqt/prometheus";
-
-    roles.scraper.machines.genepi = { };
-    roles.scraper.settings = {
-      extraScrapeConfigs = [
-        {
-          job_name = "garage";
-          static_configs = [
-            {
-              labels.instance = "crocus";
-              targets = [ "crocus.home.rpqt.fr:3903" ];
-            }
-            {
-              labels.instance = "genepi";
-              targets = [ "genepi.home.rpqt.fr:3903" ];
-            }
-            {
-              labels.instance = "verbena";
-              targets = [ "verbena.home.rpqt.fr:3903" ];
-            }
-          ];
-          authorization = {
-            type = "Bearer";
-            credentials_file =
-              self.nixosConfigurations.verbena.config.clan.core.vars.generators.garage.files.metrics_token.path;
-          };
-        }
-      ];
-    };
-
-    roles.target.tags.server = { };
-    roles.target.settings = {
-      exporters = {
-        node = {
-          enabledCollectors = [
-            "systemd"
-          ];
-        };
-      };
-    };
-  };
-}
diff --git a/clan/network.nix b/clan/network.nix
deleted file mode 100644
index 8c9e3d0..0000000
--- a/clan/network.nix
+++ /dev/null
@@ -1,87 +0,0 @@
-{ self, ... }:
-{
-  clan.inventory.instances.zerotier = {
-    roles.controller.machines.crocus = { };
-    roles.moon.machines.crocus = {
-      settings = {
-        stableEndpoints = [
-          "116.203.18.122"
-          "2a01:4f8:1c1e:e415::/64"
-        ];
-      };
-    };
-    roles.peer.tags."all" = { };
-  };
-
-  clan.inventory.instances.internet = {
-    roles.default.machines.verbena.settings.host = self.infra.machines.verbena.ipv4;
-    roles.default.machines.crocus.settings.host = self.infra.machines.crocus.ipv4;
-  };
-
-  clan.inventory.instances.wireguard = {
-    module.name = "wireguard";
-    module.input = "clan-core";
-    roles.controller = {
-      machines.verbena.settings = {
-        endpoint = "wg1.turifer.dev";
-      };
-    };
-    roles.peer.machines = {
-      haze = { };
-      crocus = { };
-      genepi = { };
-    };
-  };
-
-  clan.inventory.instances.certificates = {
-    module.name = "certificates";
-    module.input = "clan-core";
-
-    roles.ca.machines.verbena = {
-      settings.acmeEmail = "admin@rpqt.fr";
-      settings.tlds = [ "val" ];
-    };
-    roles.default.tags.all = { };
-    roles.default.settings.acmeEmail = "admin@rpqt.fr";
-  };
-
-  # Temporarily patched version of clan-core/coredns for AAAA records support
-  clan.inventory.instances.coredns = {
-    module.name = "@rpqt/coredns";
-    module.input = "self";
-
-    roles.default.tags.all = { };
-    roles.server.machines.verbena = {
-      settings.ip = "fd28:387a:90:c400::1";
-      settings.dnsPort = 53;
-    };
-    roles.server.machines.crocus = {
-      settings.ip = "fd28:387a:90:c400:6db2:dfc3:c376:9956";
-    };
-    roles.server.settings = {
-      tld = "val";
-    };
-
-    roles.default.machines.verbena.settings = {
-      ip = "fd28:387a:90:c400::1";
-      services = [
-        "ca"
-        "vaultwarden"
-      ];
-    };
-
-    roles.default.machines.genepi.settings = {
-      ip = "fd28:387a:90:c400:ab23:3d38:a148:f539"; # FIXME: IPv4 expected (A record)
-      services = [
-        "actual"
-        "assistant"
-        "glance"
-        "grafana"
-        "images"
-        "lounge"
-        "pinchflat"
-        "rss"
-      ];
-    };
-  };
-}
diff --git a/clanServices/buildbot/default.nix b/clanServices/buildbot/default.nix
deleted file mode 100644
index 9ccab43..0000000
--- a/clanServices/buildbot/default.nix
+++ /dev/null
@@ -1,158 +0,0 @@
-{ self, ... }:
-{ lib, ... }:
-{
-  _class = "clan.service";
-  manifest.name = "buildbot";
-
-  roles.master = {
-    interface.options = {
-      domain = lib.mkOption {
-        type = lib.types.str;
-        description = "Domain name under which the buildbot frontend is reachable";
-        example = "https://buildbot.example.com";
-      };
-      admins = lib.mkOption {
-        type = lib.types.listOf lib.types.str;
-        description = "List of usernames allowed to authenticate to the buildbot frontend";
-        example = [ "Mic92" ];
-      };
-      topic = lib.mkOption {
-        type = lib.types.str;
-        description = "Name of the topic attached to repositories that should be built";
-        example = "buildbot-nix";
-      };
-      gitea.instanceUrl = lib.mkOption {
-        type = lib.types.str;
-        description = "URL of the Gitea instance";
-        example = "https://git.example.com";
-      };
-    };
-
-    perInstance =
-      {
-        settings,
-        roles,
-        ...
-      }:
-      {
-        nixosModule =
-          {
-            config,
-            lib,
-            pkgs,
-            ...
-          }:
-          {
-            imports = [
-              self.inputs.buildbot-nix.nixosModules.buildbot-master
-            ];
-
-            services.buildbot-nix.master = {
-              enable = true;
-              workersFile = config.clan.core.vars.generators.buildbot.files.workers-file.path;
-              inherit (settings) domain admins;
-
-              authBackend = "gitea";
-              gitea = {
-                enable = true;
-                inherit (settings.gitea) instanceUrl;
-                inherit (settings) topic;
-
-                tokenFile = config.clan.core.vars.generators.buildbot.files.api-token.path;
-                webhookSecretFile = config.clan.core.vars.generators.buildbot.files.webhook-secret.path;
-
-                oauthId = config.clan.core.vars.generators.buildbot.files.oauth-id.value;
-                oauthSecretFile = config.clan.core.vars.generators.buildbot.files.oauth-secret.path;
-              };
-            };
-
-            clan.core.vars.generators.buildbot = {
-              prompts.api-token = {
-                description = "gitea API token";
-                type = "hidden";
-                persist = true;
-              };
-              prompts.webhook-secret = {
-                description = "gitea webhook secret";
-                type = "hidden";
-                persist = true;
-              };
-              prompts.oauth-id = {
-                description = "oauth client id";
-                persist = true;
-              };
-              files.oauth-id.secret = false;
-              prompts.oauth-secret = {
-                description = "oauth secret";
-                type = "hidden";
-                persist = true;
-              };
-
-              dependencies = [ "buildbot-worker" ];
-              files.workers-file.secret = true;
-              runtimeInputs = [ pkgs.python3 ];
-              script = ''
-                python3 - << EOF                
-                import os
-                import json
-
-                password_path = os.path.join(os.environ.get("in"), "buildbot-worker/worker-password")
-                password = open(password_path).read().strip()
-
-                workers = [
-                  {
-                    "name": "${config.networking.hostName}",
-                    "pass": password,
-                    "cores": 4,
-                  },
-                ];
-
-                workers_file_path = os.path.join(os.environ.get("out"), "workers-file")
-                with open(workers_file_path, "w") as workers_file:
-                  workers_file.write(json.dumps(workers))
-
-                EOF
-              '';
-            };
-          };
-      };
-  };
-
-  roles.worker = {
-    perInstance =
-      {
-        settings,
-        roles,
-        ...
-      }:
-      {
-        nixosModule =
-          {
-            config,
-            lib,
-            pkgs,
-            ...
-          }:
-          {
-            imports = [
-              self.inputs.buildbot-nix.nixosModules.buildbot-worker
-            ];
-
-            services.buildbot-nix.worker = {
-              enable = true;
-              workerPasswordFile = config.clan.core.vars.generators.buildbot-worker.files.worker-password.path;
-            };
-
-            clan.core.vars.generators.buildbot-worker = {
-              files.worker-password = { };
-              runtimeInputs = [
-                pkgs.openssl
-              ];
-              script = ''
-                openssl rand -hex 32 > "$out"/worker-password
-              '';
-            };
-          };
-      };
-  };
-}
diff --git a/clanServices/buildbot/flake-module.nix b/clanServices/buildbot/flake-module.nix
deleted file mode 100644
index 867a703..0000000
--- a/clanServices/buildbot/flake-module.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ self, lib, ... }:
-{
-  clan.modules."@rpqt/buildbot" = lib.modules.importApply ./default.nix { inherit self; };
-}
diff --git a/clanServices/coredns/README.md b/clanServices/coredns/README.md
deleted file mode 100644
index 6283045..0000000
--- a/clanServices/coredns/README.md
+++ /dev/null
@@ -1,73 +0,0 @@
-!!! Danger "Experimental"
-    This service is experimental and will change in the future.
-
-This module enables hosting clan-internal services easily, which can be resolved
-inside your VPN. This allows defining a custom top-level domain (e.g. `.clan`)
-and exposing endpoints from a machine to others, which will be
-accessible under `http://<service>.clan` in your browser.
-
-The service consists of two roles:
-
-- A `server` role: This is the DNS-server that will be queried when trying to
-  resolve clan-internal services. It defines the top-level domain.
-- A `default` role: This does two things. First, it sets up the nameservers so
-  that clan-internal queries are resolved via the `server` machine, while
-  external queries are resolved as normal via DHCP. Second, it allows exposing
-  services (see example below).
-
-## Example Usage
-
-Here the machine `dnsserver` is designated as internal DNS-server for the TLD
-`.foo`. `server01` will host an application that shall be reachable at
-`http://one.foo` and `server02` is going to be reachable at `http://two.foo`.
-`client` is any other machine that is part of the clan but does not host any
-services.
-
-When `client` tries to resolve `http://one.foo`, the DNS query will be
-routed to `dnsserver`, which will answer with `192.168.1.3`. If it tries to
-resolve some external domain (e.g. `https://clan.lol`), the query will not be
-routed to `dnsserver` but resolved as before, via the nameservers advertised by
-DHCP.
-
-```nix
-inventory = {
-
-  machines = {
-    dnsserver = { }; # 192.168.1.2
-    server01 = { };  # 192.168.1.3
-    server02 = { };  # 192.168.1.4
-    client = { };    # 192.168.1.5
-  };
-
-  instances = {
-    coredns = {
-
-      module.name = "@clan/coredns";
-      module.input = "self";
-
-      # Add the default role to all machines, including `client`
-      roles.default.tags.all = { };
-
-      # DNS server queries to http://<name>.foo are resolved here
-      roles.server.machines."dnsserver".settings = {
-        ip = "192.168.1.2";
-        tld = "foo";
-      };
-
-      # First service
-      # Registers http://one.foo will resolve to 192.168.1.3
-      # underlying service runs on server01
-      roles.default.machines."server01".settings = {
-        ip = "192.168.1.3";
-        services = [ "one" ];
-      };
-
-      # Second service
-      roles.default.machines."server02".settings = {
-        ip = "192.168.1.4";
-        services = [ "two" ];
-      };
-    };
-  };
-};
-```
diff --git a/clanServices/coredns/default.nix b/clanServices/coredns/default.nix
deleted file mode 100644
index 20d4350..0000000
--- a/clanServices/coredns/default.nix
+++ /dev/null
@@ -1,235 +0,0 @@
-{ ... }:
-
-{
-  _class = "clan.service";
-  manifest.name = "coredns";
-  manifest.description = "Clan-internal DNS and service exposure";
-  manifest.categories = [ "Network" ];
-  manifest.readme = builtins.readFile ./README.md;
-
-  roles.server = {
-    description = "A DNS server that resolves services in the clan network.";
-    interface =
-      { lib, ... }:
-      {
-        options.tld = lib.mkOption {
-          type = lib.types.str;
-          default = "clan";
-          description = ''
-            Top-level domain for this instance. All services below this will be
-            resolved internally.
-          '';
-        };
-
-        options.ip = lib.mkOption {
-          type = lib.types.str;
-          # TODO: Set a default
-          description = "IP for the DNS to listen on";
-        };
-
-        options.dnsPort = lib.mkOption {
-          type = lib.types.int;
-          default = 1053;
-          description = "Port of the clan-internal DNS server";
-        };
-      };
-
-    perInstance =
-      {
-        roles,
-        settings,
-        ...
-      }:
-      {
-        nixosModule =
-          {
-            lib,
-            pkgs,
-            ...
-          }:
-
-          let
-            hostServiceEntries =
-              host:
-              lib.strings.concatStringsSep "\n" (
-                map (
-                  service:
-                  let
-                    ip = roles.default.machines.${host}.settings.ip;
-                    isIPv4 = addr: (builtins.match "\\." addr) != null;
-                    recordType = if (isIPv4 ip) then "A" else "AAAA";
-                  in
-                  "${service} IN ${recordType} ${ip}   ; ${host}"
-                ) roles.default.machines.${host}.settings.services
-              );
-
-            hostnameEntries = ''
-              crocus 10800 IN AAAA fd28:387a:90:c400:6db2:dfc3:c376:9956
-              genepi 10800 IN AAAA fd28:387a:90:c400:ab23:3d38:a148:f539
-              verbena 10800 IN AAAA fd28:387a:90:c400::1
-              haze 10800 IN AAAA fd28:387a:90:c400:840e:e9db:4c08:b920
-            '';
-
-            zonefile = builtins.toFile "${settings.tld}.zone" (
-              ''
-                $TTL 3600 ; 1 Hour
-                $ORIGIN ${settings.tld}.
-                ${settings.tld}. IN SOA ns1 admin.rpqt.fr. (
-                	2025112300 ; serial
-                	10800 ; refresh
-                	3600 ; retry
-                	604800 ; expire
-                	300 ; minimum
-                )
-
-                ${builtins.concatStringsSep "\n" (
-                  lib.lists.imap1 (i: _m: "@ 1D IN NS ns${toString i}.${settings.tld}.") (
-                    lib.attrNames roles.server.machines
-                  )
-                )}
-
-                ${builtins.concatStringsSep "\n" (
-                  lib.lists.imap1 (i: m: "ns${toString i} 10800 IN CNAME ${m}.${settings.tld}.") (
-                    lib.attrNames roles.server.machines
-                  )
-                )}
-
-              ''
-              + hostnameEntries
-              + "\n"
-              + (lib.strings.concatStringsSep "\n" (
-                map (host: hostServiceEntries host) (lib.attrNames roles.default.machines)
-              ))
-            );
-          in
-          {
-            networking.firewall.interfaces.wireguard = {
-              allowedTCPPorts = [ settings.dnsPort ];
-              allowedUDPPorts = [ settings.dnsPort ];
-            };
-
-            services.coredns = {
-              enable = true;
-              config =
-
-                let
-                  dnsPort = builtins.toString settings.dnsPort;
-                in
-
-                ''
-                  .:${dnsPort} {
-                      bind wireguard
-                      forward . 1.1.1.1
-                      cache 30
-                  }
-
-                  ${settings.tld}:${dnsPort} {
-                      bind wireguard
-                      file ${zonefile}
-                  }
-                '';
-            };
-          };
-      };
-  };
-
-  roles.default = {
-    description = "A machine that registers the 'server' role as resolver and registers services under the configured TLD in the resolver.";
-    interface =
-      { lib, ... }:
-      {
-        options.services = lib.mkOption {
-          type = lib.types.listOf lib.types.str;
-          default = [ ];
-          description = ''
-            Service endpoints this host exposes (without TLD). Each entry will
-            be resolved to <entry>.<tld> using the configured top-level domain.
-          '';
-        };
-
-        options.ip = lib.mkOption {
-          type = lib.types.str;
-          # TODO: Set a default
-          description = "IP on which the services will listen";
-        };
-
-        options.dnsPort = lib.mkOption {
-          type = lib.types.int;
-          default = 1053;
-          description = "Port of the clan-internal DNS server";
-        };
-      };
-
-    perInstance =
-      { roles, settings, ... }:
-      {
-        nixosModule =
-          { config, lib, ... }:
-          {
-
-            networking.nameservers = map (
-              m:
-              let
-                port = config.services.unbound.settings.server.port or 53;
-              in
-              "127.0.0.1:${toString port}#${roles.server.machines.${m}.settings.tld}"
-            ) (lib.attrNames roles.server.machines);
-
-            services.resolved.domains = map (m: "~${roles.server.machines.${m}.settings.tld}") (
-              lib.attrNames roles.server.machines
-            );
-
-            services.unbound = {
-              enable = true;
-              # resolveLocalQueries = true;
-              checkconf = true;
-              settings = {
-                server = {
-                  port = 5353;
-                  verbosity = 2;
-                  interface = [ "127.0.0.1" ];
-                  access-control = [ "127.0.0.0/8 allow" ];
-                  do-not-query-localhost = "no";
-                  domain-insecure = map (m: "${roles.server.machines.${m}.settings.tld}.") (
-                    lib.attrNames roles.server.machines
-                  );
-                };
-
-                # Default: forward everything else to DHCP-provided resolvers
-                # forward-zone = [
-                #   {
-                #     name = ".";
-                #     forward-addr = "127.0.0.53@53"; # Forward to systemd-resolved
-                #   }
-                # ];
-                forward-zone = [
-                  {
-                    name = ".";
-                    forward-tls-upstream = true;
-                    forward-addr = [
-                      "9.9.9.9#dns.quad9.net"
-                      "149.112.112.112#dns.quad9.net"
-                      "1.1.1.1@853#cloudflare-dns.com"
-                      "1.0.0.1@853#cloudflare-dns.com"
-                      "2606:4700:4700::1111@853#cloudflare-dns.com"
-                      "2606:4700:4700::1001@853#cloudflare-dns.com"
-                      "8.8.8.8#dns.google"
-                      "8.8.4.4#dns.google"
-                      "2001:4860:4860::8888#dns.google"
-                      "2001:4860:4860::8844#dns.google"
-                    ];
-                  }
-                ];
-
-                stub-zone = {
-                  name = "${roles.server.machines.${(lib.head (lib.attrNames roles.server.machines))}.settings.tld}.";
-                  stub-addr = map (
-                    m: "${roles.server.machines.${m}.settings.ip}@${builtins.toString settings.dnsPort}"
-                  ) (lib.attrNames roles.server.machines);
-                };
-              };
-            };
-          };
-      };
-  };
-}
diff --git a/clanServices/coredns/flake-module.nix b/clanServices/coredns/flake-module.nix
deleted file mode 100644
index 69c8537..0000000
--- a/clanServices/coredns/flake-module.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ ... }:
-let
-  module = ./default.nix;
-in
-{
-  clan.modules = {
-    "@rpqt/coredns" = module;
-  };
-  # perSystem =
-  #   { ... }:
-  #   {
-  #     clan.nixosTests.coredns = {
-  #       imports = [ ./tests/vm/default.nix ];
-
-  #       clan.modules."@rpqt/coredns" = module;
-  #     };
-  #   };
-}
diff --git a/clanServices/flake-module.nix b/clanServices/flake-module.nix
deleted file mode 100644
index 138d0f4..0000000
--- a/clanServices/flake-module.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-  imports = [
-    ./buildbot/flake-module.nix
-    ./coredns/flake-module.nix
-    ./prometheus/flake-module.nix
-  ];
-}
diff --git a/clanServices/prometheus/README.md b/clanServices/prometheus/README.md
deleted file mode 100644
index 01c8a77..0000000
--- a/clanServices/prometheus/README.md
+++ /dev/null
@@ -1,38 +0,0 @@
-This module enables collecting metrics from machines in clan, using Prometheus.
-
-There are two roles:
-
-- A `target` role for machines on which to collect and export metrics.
-- A `scraper` roles for machines that fetch metrics from `target` machines and
-  store them in the long term.
-
-
-```nix
-inventory = {
-
-  machines = {
-    server01.tags.server = {};
-    server02.tags.server = {};
-    metrics.tags.server = {}; # metrics collector
-  };
-
-  instances = {
-    prometheus = {
-      module.name = "@rpqt/prometheus";
-      module.input = "self";
-
-      roles.scraper.machines."metrics" = {};
-
-      # Collect metrics on all servers
-      roles.target.tags.server = {
-        settings = {
-          exporters = {
-            # Enable the node-exporter metrics source
-            node.enabledCollectors = [ "systemd" ];
-          };
-        };
-      };
-    };
-  };
-};
-```
diff --git a/clanServices/prometheus/default.nix b/clanServices/prometheus/default.nix
deleted file mode 100644
index 58762f3..0000000
--- a/clanServices/prometheus/default.nix
+++ /dev/null
@@ -1,114 +0,0 @@
-{ self, ... }:
-{ lib, ... }:
-{
-  _class = "clan.service";
-  manifest.name = "prometheus";
-  manifest.description = "Prometheus metrics collection across the clan network.";
-  manifest.readme = builtins.readFile ./README.md;
-
-  # Only works with zerotier (until a unified network module is ready)
-
-  roles.scraper = {
-    description = "A server that scrapes metrics from exporters of machines that have the 'target' role.";
-    interface = {
-      options.extraScrapeConfigs = lib.mkOption {
-        type = lib.types.listOf lib.types.attrs;
-        description = "A list of additional scrape configurations.";
-      };
-    };
-
-    perInstance =
-      {
-        settings,
-        roles,
-        ...
-      }:
-      {
-        nixosModule =
-          { config, lib, ... }:
-          {
-            services.prometheus.enable = true;
-            services.prometheus.scrapeConfigs =
-              let
-                allExporters = lib.unique (
-                  lib.concatLists (
-                    lib.map (machine: lib.attrNames machine.settings.exporters) (lib.attrValues roles.target.machines)
-                  )
-                );
-                hasExporter =
-                  exporter: machine: lib.hasAttr exporter roles.target.machines.${machine}.settings.exporters;
-                mkScrapeConfig = (
-                  exporter:
-                  let
-                    machinesWithExporter = lib.filter (hasExporter exporter) (lib.attrNames roles.target.machines);
-                  in
-                  {
-                    job_name = exporter;
-                    static_configs = lib.map (machineName: {
-                      targets =
-                        let
-                          targetConfig = self.nixosConfigurations.${machineName}.config;
-                          targetHost = targetConfig.clan.core.vars.generators.zerotier.files.zerotier-ip.value;
-                        in
-                        [
-                          "[${targetHost}]:${toString targetConfig.services.prometheus.exporters.${exporter}.port}"
-                        ];
-                      labels.instance = machineName;
-                    }) machinesWithExporter;
-                  }
-                );
-              in
-              (lib.map mkScrapeConfig allExporters) ++ settings.extraScrapeConfigs;
-
-            clan.core.state.prometheus.folders = [ "/var/lib/${config.services.prometheus.stateDir}" ];
-          };
-      };
-  };
-
-  roles.target = {
-    description = "A machine on which to collect and export metrics.";
-    interface =
-      { lib, ... }:
-      {
-        options = {
-          exporters = lib.mkOption {
-            type = lib.types.attrs;
-            default = { };
-            example = {
-              node = {
-                enabledCollectors = [ "systemd" ];
-                port = 9002;
-              };
-            };
-            description = "Attribute set of exporters to enable";
-          };
-        };
-      };
-
-    perInstance =
-      {
-        instanceName,
-        settings,
-        machine,
-        roles,
-        ...
-      }:
-      {
-        nixosModule =
-          { config, lib, ... }:
-          {
-            services.prometheus.exporters = builtins.mapAttrs (
-              name: exporterSettings:
-              exporterSettings
-              // {
-                enable = true;
-              }
-            ) settings.exporters;
-
-            networking.firewall.interfaces."zts7mq7onf".allowedTCPPorts = lib.map (
-              exporterName: config.services.prometheus.exporters.${exporterName}.port
-            ) (lib.attrNames settings.exporters);
-          };
-      };
-  };
-}
diff --git a/clanServices/prometheus/flake-module.nix b/clanServices/prometheus/flake-module.nix
deleted file mode 100644
index 0c56386..0000000
--- a/clanServices/prometheus/flake-module.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ self, lib, ... }:
-{
-  clan.modules."@rpqt/prometheus" = lib.modules.importApply ./default.nix { inherit self; };
-}
diff --git a/devShells/flake-module.nix b/devShells/flake-module.nix
deleted file mode 100644
index 961492c..0000000
--- a/devShells/flake-module.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-  perSystem =
-    {
-      inputs',
-      pkgs,
-      ...
-    }:
-    {
-      devShells.default = pkgs.mkShellNoCC {
-        packages = [
-          inputs'.clan-core.packages.clan-cli
-          pkgs.garage
-          pkgs.nil # Nix language server
-          pkgs.nixfmt
-          pkgs.opentofu
-          pkgs.terraform-ls
-          pkgs.deploy-rs
-          pkgs.zsh
-        ];
-        shellHook = ''
-          export GARAGE_RPC_SECRET=$(clan vars get crocus garage-shared/rpc_secret)
-          export GARAGE_RPC_HOST=5d8249fe49264d36bc3532bd88400498bf9497b5cd4872245eb820d5d7797ed6@crocus.val:3901
-        '';
-      };
-    };
-}
diff --git a/dotbot/windows.yaml b/dotbot/windows.yaml
deleted file mode 100644
index 1750fde..0000000
--- a/dotbot/windows.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-- defaults:
-    link:
-      relink: true
-
-- link:
-    ~/AppData/Roaming/helix/config.toml: .config/helix/config.toml
-    ~/AppData/Roaming/jj/config.toml: .config/jj/config.toml
-    ~/AppData/Roaming/nushell/config.nu: .config/nushell/config.nu
diff --git a/flake.lock b/flake.lock
index e7e5916..547ca88 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,25 +1,25 @@
 {
   "nodes": {
-    "buildbot-nix": {
+    "agenix": {
       "inputs": {
-        "flake-parts": "flake-parts",
-        "hercules-ci-effects": "hercules-ci-effects",
+        "darwin": "darwin",
+        "home-manager": "home-manager",
         "nixpkgs": [
           "nixpkgs"
         ],
-        "treefmt-nix": "treefmt-nix"
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1768230255,
-        "narHash": "sha256-d98+nRSV2X86LcJUDZDAR9wvmmGG1uMzY5/zJdKH9pU=",
-        "owner": "nix-community",
-        "repo": "buildbot-nix",
-        "rev": "6c62d4e0e82b607638b00d6f4f4ad06646342826",
+        "lastModified": 1745630506,
+        "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "96e078c646b711aee04b82ba01aefbff87004ded",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
-        "repo": "buildbot-nix",
+        "owner": "ryantm",
+        "repo": "agenix",
         "type": "github"
       }
     },
@@ -27,24 +27,23 @@
       "inputs": {
         "data-mesher": "data-mesher",
         "disko": "disko",
-        "flake-parts": [
-          "flake-parts"
-        ],
+        "flake-parts": "flake-parts",
         "nix-darwin": "nix-darwin",
         "nix-select": "nix-select",
+        "nixos-facter-modules": "nixos-facter-modules",
         "nixpkgs": [
           "nixpkgs"
         ],
         "sops-nix": "sops-nix",
-        "systems": "systems",
-        "treefmt-nix": "treefmt-nix_2"
+        "systems": "systems_2",
+        "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1768662392,
-        "narHash": "sha256-tE6k6yaQDF1n4YkTC4aH+BgKNQM36bYdhslP0udgMyY=",
+        "lastModified": 1747400548,
+        "narHash": "sha256-zvBGXYkd8pZKkBXlLdcw0/nxSoGJOkwGbc6dz9NS4G8=",
         "ref": "refs/heads/main",
-        "rev": "1f2f93239ef3638d4b7a2187d021b8d8fe6507b8",
-        "revCount": 12169,
+        "rev": "56f3fd0a454635d0449330e6848a98bab6da020e",
+        "revCount": 6979,
         "type": "git",
         "url": "https://git.clan.lol/clan/clan-core"
       },
@@ -53,6 +52,28 @@
         "url": "https://git.clan.lol/clan/clan-core"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "data-mesher": {
       "inputs": {
         "flake-parts": [
@@ -63,47 +84,27 @@
           "clan-core",
           "nixpkgs"
         ],
+        "systems": [
+          "clan-core",
+          "systems"
+        ],
         "treefmt-nix": [
           "clan-core",
           "treefmt-nix"
         ]
       },
       "locked": {
-        "lastModified": 1768383623,
-        "narHash": "sha256-X1jD5UvgYW50wWxdxJn9b8hiOvpSoLcO3ZC1AZx7+gQ=",
-        "rev": "82c2fbf84ea0162d95b4958f02499e68c9a843a6",
+        "lastModified": 1747329636,
+        "narHash": "sha256-mmyx5trq5ZQp6uShbHNfqgSxdg9OeArcZGdZKtHjhqw=",
+        "rev": "7afcd6f322b9839699f6f31d5bed884c6dd412c4",
         "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/82c2fbf84ea0162d95b4958f02499e68c9a843a6.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/7afcd6f322b9839699f6f31d5bed884c6dd412c4.tar.gz"
       },
       "original": {
         "type": "tarball",
         "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz"
       }
     },
-    "direnv-instant": {
-      "inputs": {
-        "flake-parts": [
-          "flake-parts"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "treefmt-nix": "treefmt-nix_3"
-      },
-      "locked": {
-        "lastModified": 1768657403,
-        "narHash": "sha256-YkbdCu2ZInQj72rQQLgVP2x1m8il8+DtwzypBiYrrfE=",
-        "owner": "Mic92",
-        "repo": "direnv-instant",
-        "rev": "ab8c70c557f610e20008eb407d17cfd78b44ea1c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "direnv-instant",
-        "type": "github"
-      }
-    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -112,11 +113,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766150702,
-        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "lastModified": 1747274630,
+        "narHash": "sha256-87RJwXbfOHyzTB9LYagAQ6vOZhszCvd8Gvudu+gf3qo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "rev": "ec7c109a4f794fce09aad87239eab7f66540b888",
         "type": "github"
       },
       "original": {
@@ -132,11 +133,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766150702,
-        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "lastModified": 1747274630,
+        "narHash": "sha256-87RJwXbfOHyzTB9LYagAQ6vOZhszCvd8Gvudu+gf3qo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "rev": "ec7c109a4f794fce09aad87239eab7f66540b888",
         "type": "github"
       },
       "original": {
@@ -148,16 +149,16 @@
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
-          "buildbot-nix",
+          "clan-core",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1767609335,
-        "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
+        "lastModified": 1743550720,
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "250481aafeb741edfe23d29195671c19b36b6dca",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
         "type": "github"
       },
       "original": {
@@ -166,63 +167,19 @@
         "type": "github"
       }
     },
-    "flake-parts_2": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1768135262,
-        "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "hercules-ci-effects": {
-      "inputs": {
-        "flake-parts": [
-          "buildbot-nix",
-          "flake-parts"
-        ],
-        "nixpkgs": [
-          "buildbot-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1765774562,
-        "narHash": "sha256-UQhfCggNGDc7eam+EittlYmeW89CZVT1KkFIHZWBH7k=",
-        "owner": "hercules-ci",
-        "repo": "hercules-ci-effects",
-        "rev": "edcbb19948b6caf1700434e369fde6ff9e6a3c93",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "hercules-ci-effects",
-        "type": "github"
-      }
-    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
+          "agenix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1768598210,
-        "narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
         "type": "github"
       },
       "original": {
@@ -231,6 +188,41 @@
         "type": "github"
       }
     },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747374689,
+        "narHash": "sha256-JT/aBZqmK1LbExzwT9cPkvxKc0IC4i6tZKOPjsSWFbI=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "d2263ce5f4c251c0f7608330e8fdb7d1f01f0667",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1737831083,
+        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "nix-darwin": {
       "inputs": {
         "nixpkgs": [
@@ -239,11 +231,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768561867,
-        "narHash": "sha256-prGOZ+w3pZfGTRxworKcJliCNsewF0L4HUPjgU/6eaw=",
+        "lastModified": 1747365160,
+        "narHash": "sha256-4ZVr0x+ry6ybym/VhVYACj0HlJo44YxAaPGOxiS88Hg=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "8b720b9662d4dd19048664b7e4216ce530591adc",
+        "rev": "8817b00b0011750381d0d44bb94d61087349b6ba",
         "type": "github"
       },
       "original": {
@@ -254,11 +246,11 @@
     },
     "nix-select": {
       "locked": {
-        "lastModified": 1763303120,
-        "narHash": "sha256-yxcNOha7Cfv2nhVpz9ZXSNKk0R7wt4AiBklJ8D24rVg=",
-        "rev": "3d1e3860bef36857a01a2ddecba7cdb0a14c35a9",
+        "lastModified": 1745005516,
+        "narHash": "sha256-IVaoOGDIvAa/8I0sdiiZuKptDldrkDWUNf/+ezIRhyc=",
+        "rev": "69d8bf596194c5c35a4e90dd02c52aa530caddf8",
         "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/3d1e3860bef36857a01a2ddecba7cdb0a14c35a9.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/69d8bf596194c5c35a4e90dd02c52aa530caddf8.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -280,17 +272,32 @@
         "type": "github"
       }
     },
+    "nixos-facter-modules": {
+      "locked": {
+        "lastModified": 1743671943,
+        "narHash": "sha256-7sYig0+RcrR3sOL5M+2spbpFUHyEP7cnUvCaqFOBjyU=",
+        "owner": "nix-community",
+        "repo": "nixos-facter-modules",
+        "rev": "58ad9691670d293a15221d4a78818e0088d2e086",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-facter-modules",
+        "type": "github"
+      }
+    },
     "nixos-generators": {
       "inputs": {
         "nixlib": "nixlib",
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1764234087,
-        "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
+        "lastModified": 1742568034,
+        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
+        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
         "type": "github"
       },
       "original": {
@@ -301,11 +308,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1768584846,
-        "narHash": "sha256-IRPmIOV2tPwxbhP/I9M5AmwhTC0lMPtoPStC+8T6xl0=",
+        "lastModified": 1747129300,
+        "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "cce68f4a54fa4e3d633358364477f5cc1d782440",
+        "rev": "e81fd167b33121269149c57806599045fd33eeed",
         "type": "github"
       },
       "original": {
@@ -333,11 +340,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1768564909,
-        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
+        "lastModified": 1747179050,
+        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
+        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
         "type": "github"
       },
       "original": {
@@ -349,17 +356,14 @@
     },
     "root": {
       "inputs": {
-        "buildbot-nix": "buildbot-nix",
+        "agenix": "agenix",
         "clan-core": "clan-core",
-        "direnv-instant": "direnv-instant",
         "disko": "disko_2",
-        "flake-parts": "flake-parts_2",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
+        "impermanence": "impermanence",
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_2",
-        "srvos": "srvos",
-        "terranix": "terranix"
+        "nixpkgs": "nixpkgs_2"
       }
     },
     "sops-nix": {
@@ -370,11 +374,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768481291,
-        "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
+        "lastModified": 1746485181,
+        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
+        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
         "type": "github"
       },
       "original": {
@@ -383,26 +387,6 @@
         "type": "github"
       }
     },
-    "srvos": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1768523683,
-        "narHash": "sha256-UbkyPXPPAbz0gHIWvHZ+jrPTruZqkpuwTFo5JXPnIgU=",
-        "owner": "nix-community",
-        "repo": "srvos",
-        "rev": "90e9331fd79d4c3bb5c1e7cd2df2e560565fe543",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "srvos",
-        "type": "github"
-      }
-    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -433,52 +417,7 @@
         "type": "github"
       }
     },
-    "terranix": {
-      "inputs": {
-        "flake-parts": [
-          "flake-parts"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems_2"
-      },
-      "locked": {
-        "lastModified": 1762472226,
-        "narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=",
-        "owner": "terranix",
-        "repo": "terranix",
-        "rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "terranix",
-        "repo": "terranix",
-        "type": "github"
-      }
-    },
     "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "buildbot-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1768031762,
-        "narHash": "sha256-b2gJDJfi+TbA7Hu2sKip+1mWqya0GJaWrrXQjpbOVTU=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "0c445aa21b01fd1d4bb58927f7b268568af87b20",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "treefmt-nix_2": {
       "inputs": {
         "nixpkgs": [
           "clan-core",
@@ -486,32 +425,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768158989,
-        "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=",
+        "lastModified": 1747299117,
+        "narHash": "sha256-JGjCVbxS+9t3tZ2IlPQ7sdqSM4c+KmIJOXVJPfWmVOU=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "treefmt-nix_3": {
-      "inputs": {
-        "nixpkgs": [
-          "direnv-instant",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1768031762,
-        "narHash": "sha256-b2gJDJfi+TbA7Hu2sKip+1mWqya0GJaWrrXQjpbOVTU=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "0c445aa21b01fd1d4bb58927f7b268568af87b20",
+        "rev": "e758f27436367c23bcd63cd973fa5e39254b530e",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index a3b99cd..5103abf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,60 +5,128 @@
     inputs@{
       nixpkgs,
       clan-core,
-      flake-parts,
+      home-manager,
+      impermanence,
+      nixos-generators,
+      nixos-hardware,
+      self,
       ...
     }:
-    flake-parts.lib.mkFlake { inherit inputs; } ({
-      imports = [
-        clan-core.flakeModules.default
-        inputs.terranix.flakeModule
-        ./clan/flake-module.nix
-        ./clanServices/flake-module.nix
-        ./devShells/flake-module.nix
-        ./home-manager/flake-module.nix
-        ./infra/flake-module.nix
-        ./modules/flake-module.nix
-        ./packages/flake-module.nix
-      ];
+    let
+      clan = clan-core.lib.buildClan {
+        self = self;
+        meta.name = "blossom";
+        specialArgs = {
+          inherit inputs self;
+          inherit (import ./parts) keys;
+        };
+        inventory = {
+          instances = {
+            "rpqt-admin" = {
+              module.input = "clan-core";
+              module.name = "admin";
+              roles.default.machines = {
+                "crocus" = { };
+                "genepi" = { };
+                "haze" = { };
+              };
+              roles.default.settings.allowedKeys = {
+                rpqt_haze = (import ./parts).keys.rpqt.haze;
+              };
+            };
+          };
+          services = {
+            zerotier.default = {
+              roles.controller.machines = [
+                "crocus"
+              ];
+              roles.peer.machines = [
+                "haze"
+                "genepi"
+              ];
+            };
+            sshd.default = {
+              roles.server.machines = [ "crocus" ];
+            };
+            user-password.rpqt = {
+              roles.default.machines = [
+                "crocus"
+                "genepi"
+                "haze"
+              ];
+              config.user = "rpqt";
+            };
+          };
+        };
+      };
+    in
+    {
+      inherit (clan) clanInternals nixosConfigurations;
 
-      systems = [
-        "x86_64-linux"
-        "aarch64-linux"
-      ];
-    });
+      devShells =
+        let
+          system = "x86_64-linux";
+          pkgs = import nixpkgs {
+            inherit system;
+          };
+        in
+        {
+          "${system}".default = pkgs.mkShell {
+            packages = [
+              inputs.agenix.packages.${system}.default
+              clan-core.packages.${system}.clan-cli
+              pkgs.nil # Nix language server
+              pkgs.nixfmt-rfc-style
+              pkgs.opentofu
+              pkgs.terraform-ls
+              pkgs.deploy-rs
+              pkgs.zsh
+            ];
+            shellhook = ''
+              exec zsh
+            '';
+          };
+        };
+    };
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs = {
+      url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    impermanence = {
+      url = "github:nix-community/impermanence";
+    };
+    nixos-hardware = {
+      url = "github:NixOS/nixos-hardware/master";
+    };
+    nixos-generators = {
+      url = "github:nix-community/nixos-generators";
+    };
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    clan-core = {
+      url = "git+https://git.clan.lol/clan/clan-core";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
 
-    disko.url = "github:nix-community/disko";
-    disko.inputs.nixpkgs.follows = "nixpkgs";
-
-    home-manager.url = "github:nix-community/home-manager";
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
-
-    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-
-    nixos-generators.url = "github:nix-community/nixos-generators";
-
-    clan-core.url = "git+https://git.clan.lol/clan/clan-core";
-    clan-core.inputs.nixpkgs.follows = "nixpkgs";
-    clan-core.inputs.flake-parts.follows = "flake-parts";
-
-    flake-parts.url = "github:hercules-ci/flake-parts";
-    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
-
-    srvos.url = "github:nix-community/srvos";
-    srvos.inputs.nixpkgs.follows = "nixpkgs";
-
-    buildbot-nix.url = "github:nix-community/buildbot-nix";
-    buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
-
-    direnv-instant.url = "github:Mic92/direnv-instant";
-    direnv-instant.inputs.nixpkgs.follows = "nixpkgs";
-    direnv-instant.inputs.flake-parts.follows = "flake-parts";
-
-    terranix.url = "github:terranix/terranix";
-    terranix.inputs.nixpkgs.follows = "nixpkgs";
-    terranix.inputs.flake-parts.follows = "flake-parts";
+  nixConfig = {
+    extra-substituters = [
+      "https://cache.nixos.org"
+      "https://nix-community.cachix.org"
+    ];
+    extra-trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
   };
 }
diff --git a/home-manager/cli.nix b/home-manager/cli.nix
deleted file mode 100644
index 89ccda3..0000000
--- a/home-manager/cli.nix
+++ /dev/null
@@ -1,76 +0,0 @@
-{
-  self,
-  config,
-  osConfig,
-  pkgs,
-  ...
-}:
-let
-  shellAliases = {
-    ls = "eza";
-    lsa = "ls -A";
-    ll = "ls -lh";
-    lla = "ls -lAh";
-    h = "hx";
-    g = "git";
-    cd = "z";
-    tree = "eza --tree";
-    ".." = "cd ..";
-    "..." = "cd ../..";
-  };
-in
-{
-  imports = [
-    self.homeManagerModules.dotfiles
-  ];
-
-  home.packages = with pkgs; [
-    age
-    age-plugin-yubikey
-    bottom
-    btop
-    comma
-    difftastic
-    doggo
-    duf
-    eza
-    fd
-    glow
-    jjui
-    lazygit
-    nh
-    passage
-    rage
-    ripgrep
-    skim
-    tealdeer
-    vivid
-    yazi
-    zoxide
-  ];
-
-  programs.zoxide.enable = true;
-  programs.starship.enable = true;
-  programs.bat.enable = true;
-
-  programs.atuin.enable = true;
-  xdg.dataFile."atuin/key".source =
-    config.lib.file.mkOutOfStoreSymlink osConfig.clan.core.vars.generators.atuin.files.key.path;
-
-  programs.zsh = {
-    enable = true;
-    syntaxHighlighting.enable = true;
-    inherit shellAliases;
-  };
-
-  programs.fish = {
-    enable = true;
-    inherit shellAliases;
-  };
-
-  xdg.configFile."git".source = "${config.dotfiles.path}/.config/git";
-  xdg.configFile."jj/config.toml".source = "${config.dotfiles.path}/.config/jj/config.toml";
-  xdg.configFile."task/taskrc".source = "${config.dotfiles.path}/.config/task/taskrc";
-
-  home.sessionPath = [ "${config.dotfiles.path}/bin" ];
-}
diff --git a/home-manager/desktop/gnome.nix b/home-manager/desktop/gnome.nix
deleted file mode 100644
index d246e40..0000000
--- a/home-manager/desktop/gnome.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-{
-  home.packages = with pkgs.gnomeExtensions; [
-    blur-my-shell
-    paperwm
-  ];
-
-  dconf.settings = {
-    "org/gnome/nautilus/preferences" = {
-      show-image-thumbnails = "always";
-    };
-  };
-}
diff --git a/home-manager/desktop/niri.nix b/home-manager/desktop/niri.nix
deleted file mode 100644
index 9422dda..0000000
--- a/home-manager/desktop/niri.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ self, config, ... }:
-{
-  imports = [
-    self.homeManagerModules.dotfiles
-    ./wayland.nix
-  ];
-
-  xdg.configFile."niri".source = "${config.dotfiles.path}/.config/niri";
-}
diff --git a/home-manager/desktop/terminal.nix b/home-manager/desktop/terminal.nix
deleted file mode 100644
index 46ce790..0000000
--- a/home-manager/desktop/terminal.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-  config,
-  pkgs,
-  self,
-  ...
-}:
-{
-  imports = [
-    self.homeManagerModules.dotfiles
-  ];
-
-  home.packages = [
-    pkgs.alacritty
-    pkgs.ghostty
-  ];
-
-  programs.alacritty.enable = true;
-  xdg.configFile."alacritty/alacritty.toml".source =
-    "${config.dotfiles.path}/.config/alacritty/alacritty.toml";
-
-  xdg.configFile."ghostty/config".source = "${config.dotfiles.path}/.config/ghostty/config";
-}
diff --git a/home-manager/desktop/vicinae.nix b/home-manager/desktop/vicinae.nix
deleted file mode 100644
index ecb446a..0000000
--- a/home-manager/desktop/vicinae.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-{
-  programs.vicinae = {
-    enable = true;
-    systemd.enable = true;
-    systemd.autoStart = true;
-  };
-
-  xdg.configFile."vicinae/vicinae.json".source =
-    lib.mkForce "${config.dotfiles.path}/.config/vicinae/vicinae.json";
-
-  xdg.configFile."matugen/config.toml".source = "${config.dotfiles.path}/.config/matugen/config.toml";
-  xdg.configFile."matugen/templates/vicinae.toml".source =
-    "${config.dotfiles.path}/.config/matugen/templates/vicinae.toml";
-}
diff --git a/home-manager/dev.nix b/home-manager/dev.nix
deleted file mode 100644
index 06c3332..0000000
--- a/home-manager/dev.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{
-  self,
-  config,
-  pkgs,
-  ...
-}:
-{
-  imports = [
-    ./cli.nix
-    ./helix.nix
-    self.homeManagerModules.dotfiles
-    self.inputs.direnv-instant.homeModules.direnv-instant
-  ];
-
-  home.packages = with pkgs; [
-    delta
-    direnv
-    gh
-    hut
-    jujutsu
-    nix-output-monitor
-    python3
-    radicle-desktop
-    radicle-node
-    radicle-tui
-    typescript-language-server
-    nil # Nix language server
-    nixfmt-rfc-style
-    nixpkgs-review
-  ];
-
-  programs.direnv = {
-    enable = true;
-    enableZshIntegration = true;
-    nix-direnv.enable = true;
-  };
-
-  programs.direnv-instant.enable = true;
-
-  xdg.configFile."hut/config".source = "${config.dotfiles.path}/.config/hut/config";
-  home.file.".ssh/config".source = "${config.dotfiles.path}/.ssh/config";
-}
diff --git a/home-manager/flake-module.nix b/home-manager/flake-module.nix
deleted file mode 100644
index 4909227..0000000
--- a/home-manager/flake-module.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  flake.homeManagerModules = {
-    dotfiles.imports = [ ./dotfiles.nix ];
-  };
-}
diff --git a/home-manager/helix.nix b/home-manager/helix.nix
deleted file mode 100644
index 61aa5cb..0000000
--- a/home-manager/helix.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
-  self,
-  config,
-  pkgs,
-  ...
-}:
-{
-  imports = [
-    self.homeManagerModules.dotfiles
-  ];
-
-  home.packages = [ pkgs.helix ];
-
-  programs.helix = {
-    enable = true;
-    defaultEditor = true;
-  };
-
-  home.sessionVariables.EDITOR = "hx";
-
-  xdg.configFile."helix/config.toml".source = "${config.dotfiles.path}/.config/helix/config.toml";
-  xdg.configFile."helix/languages.toml".source =
-    "${config.dotfiles.path}/.config/helix/languages.toml";
-}
diff --git a/home-manager/mail/default.nix b/home-manager/mail/default.nix
deleted file mode 100644
index fba8674..0000000
--- a/home-manager/mail/default.nix
+++ /dev/null
@@ -1,110 +0,0 @@
-{ config, ... }:
-let
-  pass = "passage";
-in
-{
-  programs.thunderbird = {
-    enable = true;
-    profiles = {
-      main = {
-        isDefault = true;
-      };
-    };
-  };
-
-  programs.aerc = {
-    enable = true;
-    # safe since the accounts file just contains commands for retrieving passwords and is readonly in the nix store
-    extraConfig.general.unsafe-accounts-conf = true;
-  };
-
-  accounts.email.accounts = {
-    "rpqt@rpqt.fr" = rec {
-      address = "rpqt@rpqt.fr";
-      realName = "Romain Paquet";
-      primary = true;
-      flavor = "migadu.com";
-      thunderbird.enable = config.programs.thunderbird.enable;
-      aerc.enable = config.programs.aerc.enable;
-      passwordCommand = [
-        pass
-        "show"
-        "mail/${address}"
-      ];
-      folders.inbox = "INBOX";
-    };
-
-    "admin@rpqt.fr" = rec {
-      address = "admin@rpqt.fr";
-      aliases = [ "postmaster@rpqt.fr" ];
-      realName = "Postmaster";
-      flavor = "migadu.com";
-      thunderbird.enable = config.programs.thunderbird.enable;
-      aerc.enable = config.programs.aerc.enable;
-      passwordCommand = [
-        pass
-        "show"
-        "mail/${address}"
-      ];
-      folders.inbox = "INBOX";
-    };
-
-    "romain.paquet@grenoble-inp.org" = rec {
-      address = "romain.paquet@grenoble-inp.org";
-      realName = "Romain Paquet";
-      userName = "romain.paquet@grenoble-inp.org";
-      imap = {
-        host = "imap.partage.renater.fr";
-        port = 993;
-      };
-      smtp = {
-        host = "smtp.partage.renater.fr";
-        port = 465;
-      };
-      thunderbird.enable = config.programs.thunderbird.enable;
-      aerc.enable = config.programs.aerc.enable;
-      passwordCommand = [
-        pass
-        "show"
-        "mail/${address}"
-      ];
-      folders.inbox = "INBOX";
-    };
-
-    "admin@turifer.dev" = rec {
-      address = "admin@turifer.dev";
-      aliases = [ "postmaster@turifer.dev" ];
-      realName = "Postmaster";
-      flavor = "migadu.com";
-      thunderbird.enable = config.programs.thunderbird.enable;
-      aerc.enable = config.programs.aerc.enable;
-      passwordCommand = [
-        pass
-        "mail/${address}"
-      ];
-    };
-
-    "romain@student.agh.edu.pl" = {
-      address = "romain@student.agh.edu.pl";
-      aliases = [ "382799@student.agh.edu.pl" ];
-      realName = "Romain Paquet";
-      userName = "romain@student.agh.edu.pl";
-      imap = {
-        host = "poczta.agh.edu.pl";
-        port = 993;
-      };
-      smtp = {
-        host = "poczta.agh.edu.pl";
-        port = 465;
-      };
-      thunderbird.enable = config.programs.thunderbird.enable;
-    };
-
-    "romain.pqt@gmail.com" = {
-      address = "romain.pqt@gmail.com";
-      realName = "Romain Paquet";
-      flavor = "gmail.com";
-      thunderbird.enable = config.programs.thunderbird.enable;
-    };
-  };
-}
diff --git a/home/.clang-format b/home/.clang-format
deleted file mode 100644
index 340e78a..0000000
--- a/home/.clang-format
+++ /dev/null
@@ -1,16 +0,0 @@
-BasedOnStyle: LLVM
-
-IndentWidth: 8
-TabWidth: 8
-UseTab: Always
-
-ColumnLimit: 80
-
-IndentCaseLabels: false
-IndentGotoLabels: false
-
-BreakBeforeBraces: Custom
-BraceWrapping:
-  AfterFunction: false
-
-AlwaysBreakAfterDefinitionReturnType: false
diff --git a/home/.config/alacritty/alacritty.toml b/home/.config/alacritty/alacritty.toml
deleted file mode 100644
index 62b95bd..0000000
--- a/home/.config/alacritty/alacritty.toml
+++ /dev/null
@@ -1,37 +0,0 @@
-[general]
-live_config_reload = false
-import = ["~/.config/alacritty/themes/kanagawa_wave.toml"]
-
-[font]
-size = 14
-
-[font.bold]
-family = "Jetbrains Mono NF"
-style = "Bold"
-
-[font.bold_italic]
-family = "Jetbrains Mono NF"
-style = "Bold Italic"
-
-[font.italic]
-family = "Jetbrains Mono NF"
-style = "Italic"
-
-[font.normal]
-family = "Jetbrains Mono NF"
-style = "Regular"
-
-[[keyboard.bindings]]
-action = "CreateNewWindow"
-key = "Return"
-mods = "Control|Shift"
-
-[mouse]
-hide_when_typing = true
-
-[window]
-opacity = 1.0
-
-[window.padding]
-x = 4
-y = 4
diff --git a/home/.config/alacritty/themes/kanagawa_lotus.toml b/home/.config/alacritty/themes/kanagawa_lotus.toml
deleted file mode 100644
index 7621688..0000000
--- a/home/.config/alacritty/themes/kanagawa_lotus.toml
+++ /dev/null
@@ -1,35 +0,0 @@
-[colors.primary]
-background = '#f2ecbc'
-foreground = '#545464'
-
-[colors.normal]
-black = "#1f1f28"
-red = "#c84053"
-green = "#6f894e"
-yellow = "#77713f"
-blue = "#4d699b"
-magenta = "#b35b79"
-cyan = "#597b75"
-white = "#545464"
-
-[colors.bright]
-black = "#8a8980"
-red = "#d7474b"
-green = "#6e915f"
-yellow = "#836f4a"
-blue = "#6693bf"
-magenta = "#624c83"
-cyan = "#5e857a"
-white = "#43436c"
-
-[colors.selection]
-background = '#c9cbd1'
-foreground = '#dcd7ba'
-
-[[colors.indexed_colors]]
-index = 16
-color = '#e98a00'
-
-[[colors.indexed_colors]]
-index = 17
-color = '#e82424'
diff --git a/home/.config/alacritty/themes/kanagawa_wave.toml b/home/.config/alacritty/themes/kanagawa_wave.toml
deleted file mode 100644
index 8585305..0000000
--- a/home/.config/alacritty/themes/kanagawa_wave.toml
+++ /dev/null
@@ -1,35 +0,0 @@
-[[colors.indexed_colors]]
-color = "0xffa066"
-index = 16
-
-[[colors.indexed_colors]]
-color = "0xff5d62"
-index = 17
-
-[colors.bright]
-black = "0x727169"
-blue = "0x7fb4ca"
-cyan = "0x7aa89f"
-green = "0x98bb6c"
-magenta = "0x938aa9"
-red = "0xe82424"
-white = "0xdcd7ba"
-yellow = "0xe6c384"
-
-[colors.normal]
-black = "0x090618"
-blue = "0x7e9cd8"
-cyan = "0x6a9589"
-green = "0x76946a"
-magenta = "0x957fb8"
-red = "0xc34043"
-white = "0xc8c093"
-yellow = "0xc0a36e"
-
-[colors.primary]
-background = "0x1f1f28"
-foreground = "0xdcd7ba"
-
-[colors.selection]
-background = "0x2d4f67"
-foreground = "0xc8c093"
diff --git a/home/.config/bat/config b/home/.config/bat/config
deleted file mode 100644
index b83e6e2..0000000
--- a/home/.config/bat/config
+++ /dev/null
@@ -1 +0,0 @@
---theme gruvbox-dark
diff --git a/home/.config/ghostty/config b/home/.config/ghostty/config
deleted file mode 100644
index 9483b2a..0000000
--- a/home/.config/ghostty/config
+++ /dev/null
@@ -1,6 +0,0 @@
-theme = dark:Kanagawa Wave,light:Builtin Light
-font-feature = -liga
-font-feature = -calt
-font-feature = -dlig
-font-size = 14
-window-inherit-working-directory = false
diff --git a/home/.config/git/common.gitconfig b/home/.config/git/common.gitconfig
deleted file mode 100644
index e875b78..0000000
--- a/home/.config/git/common.gitconfig
+++ /dev/null
@@ -1,54 +0,0 @@
-[user]
-	email = rpqt@rpqt.fr
-	name = Romain Paquet
-[init]
-	defaultBranch = main
-[core]
-	excludesfile = ~/.config/git/ignore
-[filter "lfs"]
-	clean = git-lfs clean -- %f
-	smudge = git-lfs smudge -- %f
-	process = git-lfs filter-process
-	required = true
-[color]
-	ui = auto
-[sendemail]
-	smtpserver = smtp.migadu.com
-	smtpuser = rpqt@rpqt.fr
-	smtpencryption = ssl
-	smtpserverport = 465
-[diff]
-	colormoved = "default"
-	colormovedws = "allow-indentation-change"
-[alias]
-	a = add
-	s = status
-	c = commit
-	news = -c diff.external=difft log -p HEAD@{1}..HEAD@{0} --ext-diff
-	dlog = -c diff.external=difft log -p --ext-diff
-	dshow = -c diff.external=difft show --ext-diff
-    dft = -c diff.external=difft diff
-	lg1 = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(auto)%d%C(reset)' --all
-	lg2 = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold cyan)%aD%C(reset) %C(bold green)(%ar)%C(reset)%C(auto)%d%C(reset)%n''          %C(white)%s%C(reset) %C(dim white)- %an%C(reset)'
-[column]
-	ui = auto
-[branch]
-	sort = -committerdate
-[tag]
-	sort = version:refname
-[push]
-	autoSetupRemote = true
-	followTags = true
-[help]
-	autocorrect = prompt
-[commit]
-	verbose = true
-[rerere]
-	enabled = true
-	autoupdate = true
-[rebase]
-	autoSquash = true
-	autoStash = true
-	updateRefs = true
-[pull]
-	rebase = true
diff --git a/home/.config/git/config b/home/.config/git/config
deleted file mode 100644
index 11e6825..0000000
--- a/home/.config/git/config
+++ /dev/null
@@ -1,5 +0,0 @@
-[include]
-  path = ~/.config/git/common.gitconfig
-  path = ~/.config/git/local.gitconfig
-[includeIf "gitdir:~/imag/"]
-	path = ~/.config/git/ensimag.gitconfig
diff --git a/home/.config/git/ensimag.gitconfig b/home/.config/git/ensimag.gitconfig
deleted file mode 100644
index 9f17d9f..0000000
--- a/home/.config/git/ensimag.gitconfig
+++ /dev/null
@@ -1,3 +0,0 @@
-[user]
-	name = "Romain Paquet"
-	email = romain.paquet@grenoble-inp.org
diff --git a/home/.config/git/ignore b/home/.config/git/ignore
deleted file mode 100644
index de033e6..0000000
--- a/home/.config/git/ignore
+++ /dev/null
@@ -1,4 +0,0 @@
-/.direnv
-/.helix
-/.settings
-/.classpath
diff --git a/home/.config/helix/config.toml b/home/.config/helix/config.toml
deleted file mode 100644
index 5c3ec91..0000000
--- a/home/.config/helix/config.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-theme = "kanagawa"
-
-[editor]
-line-number = "absolute"
-auto-completion = true
-auto-format = true
-end-of-line-diagnostics = "hint"
-
-[editor.cursor-shape]
-insert = "bar"
-normal = "block"
-
-[editor.statusline]
-left = ["mode", "spinner", "file-name"]
-right = ["diagnostics", "file-encoding", "file-type", "position"]
-mode.normal = "NORMAL"
-mode.insert = "INSERT"
-mode.select = "SELECT"
-
-[editor.inline-diagnostics]
-cursor-line = "error"
diff --git a/home/.config/helix/languages.toml b/home/.config/helix/languages.toml
deleted file mode 100644
index 3befed1..0000000
--- a/home/.config/helix/languages.toml
+++ /dev/null
@@ -1,64 +0,0 @@
-[[language]]
-name = "c"
-scope = "source.c"
-file-types = ["c", "h"]
-indent = { tab-width = 4, unit = "\t" }
-auto-format = true
-language-servers = [ { name = "clangd" } ]
-
-[language-server.clangd]
-command = "clangd"
-args = ["--header-insertion=never"]
-
-[[language]]
-name = "rust"
-language-servers = [ "rust-analyzer" ]
-auto-format = true
-
-[language-server.rust-analyzer.config]
-check.command = "clippy"
-
-[language-server.deno-lsp]
-command = "deno"
-args = ["lsp"]
-
-[language-server.deno-lsp.config.deno]
-enable = true
-lint = true
-suggest.imports.hosts = { "https://deno.land" = true }
-
-[[language]]
-name = "typescript"
-file-types = ["ts"]
-language-servers = ["deno-lsp"]
-
-[[language]]
-name = "djot"
-scope = "source.djot"
-file-types = ["dj"]
-
-[[grammar]]
-name = "djot"
-source = { git = "https://github.com/treeman/tree-sitter-djot", rev = "master" }
-
-[[language]]
-name = "nix"
-formatter = { command = "nixfmt" }
-
-[[language]]
-name = "java"
-formatter = { command = "google-java-format", args = ["--aosp"] }
-auto-format = true
-
-[[language]]
-name = "hcl"
-formatter = { command = "tofu", args = ["fmt", "-"] }
-auto-format = true
-
-[[language]]
-name = "vento"
-indent = { tab-width = 2, unit = "\t" }
-
-[[language]]
-name = "ocaml"
-auto-format = true
diff --git a/home/.config/hut/config b/home/.config/hut/config
deleted file mode 100644
index 3a644b9..0000000
--- a/home/.config/hut/config
+++ /dev/null
@@ -1,3 +0,0 @@
-instance "sr.ht" {
-	access-token-cmd pass oauth/sr.ht-hut@haze
-}
diff --git a/home/.config/i3status-rust/bottom-config.toml b/home/.config/i3status-rust/bottom-config.toml
deleted file mode 100644
index bd8de83..0000000
--- a/home/.config/i3status-rust/bottom-config.toml
+++ /dev/null
@@ -1,53 +0,0 @@
-[theme]
-theme = "kanagawa"
-[theme.overrides]
-separator = "<span size='13000'></span>"
-
-[icons]
-icons = "material-nf"
-
-[[block]]
-block = "privacy"
-[[block.driver]]
-name = "pipewire"
-
-[[block]]
-block = "music"
-format = " $icon {$combo.str(max_w:70) $prev $next |}"
-[[block.click]]
-button = "left"
-action = "play_pause"
-
-[[block]]
-block = "bluetooth"
-mac = "20:74:CF:B5:B7:7A"
-format = " $icon $name{ $percentage|} "
-disconnected_format = ""
-
-[[block]]
-block = "bluetooth"
-mac = "28:11:A5:6B:44:8B"
-format = " $icon $name{ $percentage|} "
-disconnected_format = ""
-
-[[block]]
-block = "bluetooth"
-mac = "00:1E:7C:50:24:8F"
-format = " $icon $name{ $percentage|} "
-disconnected_format = ""
-
-[[block]]
-block = "toggle"
-format = " $icon ensivpn "
-command_state = 'nmcli -f general.state con show Ensimag-VPN-ETU-udp | grep -v deactivated'
-command_on = "pass show web/ensimag.fr | head -n 1 | nmcli c up Ensimag-VPN-ETU-udp --ask"
-command_off = "nmcli c down Ensimag-VPN-ETU-udp"
-
-[[block]]
-block = "net"
-interval = 10
-device = "wlan0"
-format = " $icon {$ssid|$device} "
-[[block.click]]
-button = "left"
-cmd = "iwgtk"
diff --git a/home/.config/i3status-rust/config.toml b/home/.config/i3status-rust/config.toml
deleted file mode 100644
index 3ea7922..0000000
--- a/home/.config/i3status-rust/config.toml
+++ /dev/null
@@ -1,78 +0,0 @@
-[theme]
-theme = "kanagawa"
-[theme.overrides]
-separator = "<span size='17000'></span>"
-
-[icons]
-icons = "material-nf"
-[icons.overrides]
-sleep = "ó°’²"
-no_sleep = "ó°’³"
-
-[[block]]
-block = "toggle"
-format = " $icon  "
-command_state = "pgrep swayidle"
-command_on = "swaymsg 'exec swayidle -w'"
-command_off = "pkill swayidle"
-icon_on = "sleep"
-icon_off = "no_sleep"
-
-[[block]]
-block = "toggle"
-format = "  $icon  "
-command_state = 'if [ "$($HOME/bin/darkmode status)" = "dark" ]; then echo y; fi'
-command_on = "$HOME/bin/darkmode toggle"
-command_off = "$HOME/bin/darkmode toggle"
-
-[[block]]
-block = "hueshift"
-format = " 󱩌 {$temperature} "
-click_temp = 4000
-
-[[block]]
-block = "backlight"
-format = " $icon $brightness.eng(width:1) "
-step_width = 1
-minimum = 1
-
-[[block]]
-block = "sound"
-driver = "pulseaudio"
-headphones_indicator = true
-show_volume_when_muted = true
-format = " $icon $volume.eng(width:1) "
-[[block.click]]
-button = "left"
-cmd = "pavucontrol"
-[block.theme_overrides]
-warning_bg = { link = "idle_bg" }
-warning_fg = { link = "idle_fg"}
-idle_bg = { link = "info_bg" }
-idle_fg = { link = "info_fg"}
-
-[[block]]
-block = "battery"
-interval = 30
-format = " $icon $percentage "
-full_format = " $icon $percentage "
-
-[[block]]
-block = "keyboard_layout"
-driver = "sway"
-sway_kb_identifier = "1267:12613:ASUE140C:00_04F3:3145_Keyboard"
-format = "  $layout "
-[[block.click]]
-button = "left"
-cmd = "swaymsg input '1267:12613:ASUE140C:00_04F3:3145_Keyboard' xkb_switch_layout next"
-[block.mappings]
-"French (N/A)" = "fr"
-"English (Colemak-DH)" = "colemak-dh"
-"English (US)" = "en"
-
-[[block]]
-block = "time"
-interval = 10
-[block.format]
-full = " $icon $timestamp.datetime(f:'%a %d/%m/%y %R', l:fr_FR) "
-short = " $icon $timestamp.datetime(f:'%R')"
diff --git a/home/.config/i3status-rust/themes/kanagawa.toml b/home/.config/i3status-rust/themes/kanagawa.toml
deleted file mode 100644
index 655c32d..0000000
--- a/home/.config/i3status-rust/themes/kanagawa.toml
+++ /dev/null
@@ -1,14 +0,0 @@
-idle_bg = "#151515"
-idle_fg = "#dcd7ba"
-info_bg = "#2d4f67"
-info_fg = "#dcd7ba"
-good_bg = "#151515"
-good_fg = "#98971a"
-warning_bg = "#ff9e3b"
-warning_fg = "#16161D"
-critical_bg = "#e82424"
-critical_fg = "#dcd7ba"
-separator = "\ue0b2"
-separator_bg = "auto"
-separator_fg = "auto"
-alternating_tint_bg = "#151515"
diff --git a/home/.config/jj/config.toml b/home/.config/jj/config.toml
deleted file mode 100644
index fa80ef3..0000000
--- a/home/.config/jj/config.toml
+++ /dev/null
@@ -1,54 +0,0 @@
-"$schema" = "https://jj-vcs.github.io/jj/latest/config-schema.json"
-
-[ui]
-default-command = ["log", "--no-pager"]
-diff-formatter = ["difft", "--color=always", "$left", "$right"]
-diff-editor = ":builtin"
-
-[user]
-name = "Romain Paquet"
-email = "rpqt@rpqt.fr"
-
-[git]
-write-change-id-header = true
-
-[revset-aliases]
-'closest_pushable(to)' = 'heads(::to & mutable() & ~description(exact:"") & (~empty() | merges()))'
-
-[aliases]
-s = ["status", "--no-pager"]
-tug = ["bookmark", "move", "--from", "heads(::@ & bookmarks())", "--to", "closest_pushable(@)"]
-
-[[--scope]]
---when.repositories = ["~/agh"]
-[--scope.user]
-email = "romain@student.agh.edu.pl"
-
-[[--scope]]
---when.repositories = ["~/imag"]
-[--scope.user]
-email = "romain.paquet@grenoble-inp.org"
-
-# After this line everything is taken from https://andre.arko.net/2025/09/28/stupid-jj-tricks
-
-[templates]
-draft_commit_description = '''
-  concat(
-    coalesce(description, default_commit_description, "\n"),
-    surround(
-      "\nJJ: This commit contains the following changes:\n", "",
-      indent("JJ:     ", diff.stat(72)),
-    ),
-    "\nJJ: ignore-rest\n",
-    diff.git(),
-  )
-'''
-log_node = '''
-if(self && !current_working_copy && !immutable && !conflict && in_branch(self),
-  "â—‡",
-  builtin_log_node
-)
-'''
-
-[template-aliases]
-"in_branch(commit)" = 'commit.contained_in("immutable_heads()..bookmarks()")'
diff --git a/home/.config/kmonad/config.kbd b/home/.config/kmonad/config.kbd
deleted file mode 100644
index 587ec51..0000000
--- a/home/.config/kmonad/config.kbd
+++ /dev/null
@@ -1,46 +0,0 @@
-(defcfg
-  input (device-file "/dev/input/by-path/platform-i8042-serio-0-event-kbd")
-  output (uinput-sink "KMonad laptop keyboard output")
-  fallthrough true
-)
-
-(defsrc
-  esc  f1   f2   f3   f4   f5   f6   f7   f8   f9   f10  f11  f12  prnt ins  del
-  grv  1    2    3    4    5    6    7    8    9    0    -    =    bspc home
-  tab  q    w    e    r    t    y    u    i    o    p    [    ]    \    pgup
-  caps a    s    d    f    g    h    j    k    l    ;    '    ret       pgdn
-  lsft z    x    c    v    b    n    m    ,    .    /    rsft           end
-  lctl      lmet lalt         spc         ralt rctl
-)
-
-(defalias
-  maj (layer-toggle azerty-shift)
-  agr (layer-toggle azerty-altgr)
-)
-
-(deflayer azerty
-  esc  f1   f2   f3   f4   f5   f6   f7   f8   f9   f10  f11  f12  prnt ins  del
-  grv  &    é    "    '    \(   -    è    \_   ç    à    \)   =    bspc home
-  tab  a    z    e    r    t    y    u    i    o    p    ^    $    *    pgup
-  caps q    s    d    f    g    h    j    k    l    m    ù    ret       pgdn
-  @maj w    x    c    v    b    n    ,    ;    :    !    rsft           end
-  lctl      lmet lalt         spc         @agr rctl
-)
-
-(deflayer azerty-shift
-  _    _    _    _    _    _    _    _    _    _    _    _    _    _    _    _
-  _    1    2    3    4    5    6    7    8    9    0    °    +    _    _
-  _    a    _    _    _    _    _    _    _    _    _    _    £    µ    _
-  _    _    _    _    _    _    _    _    _    _    _    %    _         _
-  @maj _    _    _    _    _    _    ?    .    /    §    rsft           _
-  lctl      lmet lalt         spc         ralt rctl
-)
-
-(deflayer azerty-altgr
-  _    _    _    _    _    _    _    _    _    _    _    _    _    _    _    _
-  _    _    ~    #    {    [    |    grv  \    ^    @    ]    }    _    _
-  _    _    _    _    _    _    _    _    _    _    _    _    _    _    _
-  _    _    _    _    _    _    _    _    _    _    _    _    _         _
-  _    _    _    _    _    _    _    _    _    _    _    rsft           _
-  lctl      lmet lalt         spc         @agr rctl
-)
diff --git a/home/.config/matugen/config.toml b/home/.config/matugen/config.toml
deleted file mode 100644
index e162dc3..0000000
--- a/home/.config/matugen/config.toml
+++ /dev/null
@@ -1,6 +0,0 @@
-[config]
-
-[templates.vicinae]
-input_path = '~/.config/matugen/templates/vicinae.toml'
-output_path = '~/.local/share/vicinae/themes/matugen.toml'
-post_hook = 'vicinae theme set matugen'
diff --git a/home/.config/matugen/templates/vicinae.toml b/home/.config/matugen/templates/vicinae.toml
deleted file mode 100644
index b56dbfb..0000000
--- a/home/.config/matugen/templates/vicinae.toml
+++ /dev/null
@@ -1,127 +0,0 @@
-# Vicinae Matugen Theme Template
-# Used LLM for initial generation, then modified to a satisfactory level
-
-[meta]
-name = "Matugen"
-description = "Material You theme generated by Matugen - {{mode}} variant"
-variant = "{{mode}}"
-
-# ============================================================================
-# Core Colors
-# ============================================================================
-
-[colors.core]
-accent = "{{colors.primary.default.hex}}"
-accent_foreground = "{{colors.on_primary.default.hex}}"
-background = "{{colors.surface.default.hex}}"
-foreground = "{{colors.on_surface.default.hex}}"
-secondary_background = "{{colors.surface_container.default.hex}}"
-border = "{{colors.outline_variant.default.hex}}"
-
-# ============================================================================
-# Window Borders
-# ============================================================================
-
-[colors.main_window]
-border = "{{colors.outline_variant.default.hex}}"
-
-[colors.settings_window]
-border = "{{colors.outline.default.hex}}"
-
-# ============================================================================
-# Accent Palette
-# ============================================================================
-
-[colors.accents]
-blue = "{{colors.primary.default.hex}}"
-green = "{{colors.tertiary.default.hex}}"
-magenta = "{{colors.secondary.default.hex}}"
-orange = { name = "{{colors.error.default.hex}}", lighter = 40 }
-red = "{{colors.error.default.hex}}"
-yellow = { name = "{{colors.tertiary.default.hex}}", lighter = 80 }
-cyan = { name = "{{colors.primary.default.hex}}", lighter = 50 }
-purple = "{{colors.secondary.default.hex}}"
-
-# ============================================================================
-# Text System
-# ============================================================================
-
-[colors.text]
-default = "{{colors.on_surface.default.hex}}"
-muted = "{{colors.on_surface_variant.default.hex}}"
-danger = "{{colors.error.default.hex}}"
-success = "{{colors.tertiary.default.hex}}"
-placeholder = { name = "{{colors.on_surface_variant.default.hex}}", opacity = 0.6 }
-
-[colors.text.selection]
-background = "{{colors.primary.default.hex}}"
-foreground = "{{colors.on_primary.default.hex}}"
-
-[colors.text.links]
-default = "{{colors.primary.default.hex}}"
-visited = { name = "{{colors.tertiary.default.hex}}", darker = 20 }
-
-# ============================================================================
-# Input Fields
-# ============================================================================
-
-[colors.input]
-border = "{{colors.outline.default.hex}}"
-border_focus = "{{colors.primary.default.hex}}"
-border_error = "{{colors.error.default.hex}}"
-
-# ============================================================================
-# Buttons
-# ============================================================================
-
-[colors.button.primary]
-background = "{{colors.surface_container_high.default.hex}}"
-foreground = "{{colors.on_surface.default.hex}}"
-
-[colors.button.primary.hover]
-background = "{{colors.surface_container_highest.default.hex}}"  
-
-[colors.button.primary.focus]
-outline = "{{colors.primary.default.hex}}"
-
-# ============================================================================
-# Lists
-# ============================================================================
-
-[colors.list.item.hover]
-background = { name = "{{colors.primary_container.default.hex}}", opacity = 0.25 }  
-foreground = "{{colors.on_surface.default.hex}}"
-
-[colors.list.item.selection]
-background = { name = "{{colors.primary_container.default.hex}}", opacity = 0.50 }
-foreground = "{{colors.on_primary_container.default.hex}}"
-secondary_background = "{{colors.primary_container.default.hex}}"
-secondary_foreground = "{{colors.on_primary_container.default.hex}}"
-
-# ============================================================================
-# Grid Items
-# ============================================================================
-
-[colors.grid.item]
-background = "{{colors.surface_container.default.hex}}"
-
-[colors.grid.item.hover]
-outline = { name = "{{colors.secondary.default.hex}}", opacity = 0.8 }
-
-[colors.grid.item.selection]
-outline = { name = "{{colors.primary.default.hex}}" }
-
-# ============================================================================
-# Scrollbars
-# ============================================================================
-
-[colors.scrollbars]
-background = { name = "{{colors.primary.default.hex}}", opacity = 0.2 }
-
-# ============================================================================
-# Loading States
-# ============================================================================
-
-[colors.loading]
-bar = "{{colors.primary.default.hex}}"
-spinner = "{{colors.primary.default.hex}}"
diff --git a/home/.config/mpd/mpd.conf b/home/.config/mpd/mpd.conf
deleted file mode 100644
index 90fac39..0000000
--- a/home/.config/mpd/mpd.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-music_directory "~/Music"
-playlist_directory "~/.config/mpd/playlists"
-db_file	"~/.config/mpd/database"
-restore_paused "yes"
-state_file "~/.local/state/mpd"
-
-audio_output {
-	type "pipewire"
-	name "pipewire"
-}
diff --git a/home/.config/niri/config.kdl b/home/.config/niri/config.kdl
deleted file mode 100644
index 41320b9..0000000
--- a/home/.config/niri/config.kdl
+++ /dev/null
@@ -1,312 +0,0 @@
-include "dms/alttab.kdl"
-include "dms/binds.kdl"
-include "dms/colors.kdl"
-include "dms/layout.kdl"
-include "dms/wpblur.kdl"
-
-input {
-    keyboard {
-        xkb {
-            layout "fr,us(colemak_dh),us"
-            options "grp:win_space_toggle"
-        }
-    }
-
-    touchpad {
-        tap
-        natural-scroll
-    }
-
-    // Make the mouse warp to the center of newly focused windows.
-    // warp-mouse-to-focus
-
-    // Focus windows and outputs automatically when moving the mouse into them.
-    // Setting max-scroll-amount="0%" makes it work only on windows already fully on screen.
-    focus-follows-mouse max-scroll-amount="0%"
-}
-
-workspace "browser" {
-}
-
-output "eDP-1" {
-    mode "1920x1080@60.049"
-    scale 1
-    position x=360 y=1440
-}
-
-output "HDMI-A-1" {
-    mode "3840x2160@60.000"
-    scale 1.5
-    position x=0 y=0
-}
-
-layout {
-    gaps 8
-
-    center-focused-column "never"
-
-    // You can customize the widths that "switch-preset-column-width" (Mod+R) toggles between.
-    preset-column-widths {
-        // Proportion sets the width as a fraction of the output width, taking gaps into account.
-        // For example, you can perfectly fit four windows sized "proportion 0.25" on an output.
-        // The default preset widths are 1/3, 1/2 and 2/3 of the output.
-        proportion 0.33333
-        proportion 0.5
-        proportion 0.66667
-
-        // Fixed sets the width in logical pixels exactly.
-        // fixed 1920
-    }
-
-    // You can also customize the heights that "switch-preset-window-height" (Mod+Shift+R) toggles between.
-    // preset-window-heights { }
-
-    // You can change the default width of the new windows.
-    default-column-width { proportion 0.5; }
-    // If you leave the brackets empty, the windows themselves will decide their initial width.
-}
-
-prefer-no-csd
-
-cursor {
-    hide-when-typing
-}
-
-window-rule {
-    match app-id=r#"^firefox$"#
-    open-maximized true
-    open-on-workspace "browser"
-    focus-ring {
-        off
-    }
-}
-
-window-rule {
-    match app-id=r#"^thunderbird$"#
-    open-maximized true
-    focus-ring {
-        off
-    }
-}
-
-// Open the Firefox picture-in-picture player as floating by default.
-window-rule {
-    // This app-id regular expression will work for both:
-    // - host Firefox (app-id is "firefox")
-    // - Flatpak Firefox (app-id is "org.mozilla.firefox")
-    match app-id=r#"firefox$"# title="^Picture-in-Picture$"
-    open-floating true
-}
-
-binds {
-    // Keys consist of modifiers separated by + signs, followed by an XKB key name
-    // in the end. To find an XKB name for a particular key, you may use a program
-    // like wev.
-    //
-    // "Mod" is a special modifier equal to Super when running on a TTY, and to Alt
-    // when running as a winit window.
-    //
-    // Most actions that you can bind here can also be invoked programmatically with
-    // `niri msg action do-something`.
-
-    // Show a list of important hotkeys.
-    Mod+Shift+Comma { show-hotkey-overlay; }
-
-    // Suggested binds for running programs: terminal, app launcher, screen locker.
-    Mod+Return { spawn "ghostty" "+new-window"; }
-    // Mod+D { spawn "dms" "ipc" "call" "spotlight" "toggle"; }
-    Mod+D { spawn "vicinae" "toggle"; }
-    Super+Alt+L hotkey-overlay-title="Lock session" { spawn "loginctl" "lock-session"; }
-
-    XF86AudioPlay { spawn "playerctl" "play-pause"; }
-    XF86AudioNext { spawn "playerctl" "next"; }
-    XF86AudioPrev { spawn "playerctl" "previous"; }
-    XF86Search    { spawn "tofi-drun" "--drun-launch=true"; }
-
-    Mod+W { close-window; }
-
-    Mod+Left  { focus-column-left; }
-    Mod+Down  { focus-window-down; }
-    Mod+Up    { focus-window-up; }
-    Mod+Right { focus-column-right; }
-    Mod+H     { focus-column-left; }
-    Mod+J     { focus-window-down; }
-    Mod+K     { focus-window-up; }
-    Mod+L     { focus-column-right; }
-
-    Mod+Ctrl+Left  { move-column-left; }
-    Mod+Ctrl+Down  { move-window-down; }
-    Mod+Ctrl+Up    { move-window-up; }
-    Mod+Ctrl+Right { move-column-right; }
-    Mod+Ctrl+H     { move-column-left; }
-    Mod+Ctrl+J     { move-window-down; }
-    Mod+Ctrl+K     { move-window-up; }
-    Mod+Ctrl+L     { move-column-right; }
-
-    // Alternative commands that move across workspaces when reaching
-    // the first or last window in a column.
-    // Mod+J     { focus-window-or-workspace-down; }
-    // Mod+K     { focus-window-or-workspace-up; }
-    // Mod+Ctrl+J     { move-window-down-or-to-workspace-down; }
-    // Mod+Ctrl+K     { move-window-up-or-to-workspace-up; }
-
-    Mod+Home { focus-column-first; }
-    Mod+End  { focus-column-last; }
-    Mod+Ctrl+Home { move-column-to-first; }
-    Mod+Ctrl+End  { move-column-to-last; }
-
-    Mod+Shift+Left  { focus-monitor-left; }
-    Mod+Shift+Down  { focus-monitor-down; }
-    Mod+Shift+Up    { focus-monitor-up; }
-    Mod+Shift+Right { focus-monitor-right; }
-    Mod+Shift+H     { focus-monitor-left; }
-    Mod+Shift+J     { focus-monitor-down; }
-    Mod+Shift+K     { focus-monitor-up; }
-    Mod+Shift+L     { focus-monitor-right; }
-
-    Mod+Shift+Ctrl+Left  { move-column-to-monitor-left; }
-    Mod+Shift+Ctrl+Down  { move-column-to-monitor-down; }
-    Mod+Shift+Ctrl+Up    { move-column-to-monitor-up; }
-    Mod+Shift+Ctrl+Right { move-column-to-monitor-right; }
-    Mod+Shift+Ctrl+H     { move-column-to-monitor-left; }
-    Mod+Shift+Ctrl+J     { move-column-to-monitor-down; }
-    Mod+Shift+Ctrl+K     { move-column-to-monitor-up; }
-    Mod+Shift+Ctrl+L     { move-column-to-monitor-right; }
-
-    // Alternatively, there are commands to move just a single window:
-    // Mod+Shift+Ctrl+Left  { move-window-to-monitor-left; }
-    // ...
-
-    // And you can also move a whole workspace to another monitor:
-    // Mod+Shift+Ctrl+Left  { move-workspace-to-monitor-left; }
-    // ...
-
-    Mod+Page_Down      { focus-workspace-down; }
-    Mod+Page_Up        { focus-workspace-up; }
-    Mod+U              { focus-workspace-down; }
-    Mod+I              { focus-workspace-up; }
-    Mod+Ctrl+Page_Down { move-column-to-workspace-down; }
-    Mod+Ctrl+Page_Up   { move-column-to-workspace-up; }
-    Mod+Ctrl+U         { move-column-to-workspace-down; }
-    Mod+Ctrl+I         { move-column-to-workspace-up; }
-
-    // Alternatively, there are commands to move just a single window:
-    // Mod+Ctrl+Page_Down { move-window-to-workspace-down; }
-    // ...
-
-    Mod+Shift+Page_Down { move-workspace-down; }
-    Mod+Shift+Page_Up   { move-workspace-up; }
-    Mod+Shift+U         { move-workspace-down; }
-    Mod+Shift+I         { move-workspace-up; }
-
-    // You can bind mouse wheel scroll ticks using the following syntax.
-    // These binds will change direction based on the natural-scroll setting.
-    //
-    // To avoid scrolling through workspaces really fast, you can use
-    // the cooldown-ms property. The bind will be rate-limited to this value.
-    // You can set a cooldown on any bind, but it's most useful for the wheel.
-    Mod+WheelScrollDown      cooldown-ms=150 { focus-workspace-down; }
-    Mod+WheelScrollUp        cooldown-ms=150 { focus-workspace-up; }
-    Mod+Ctrl+WheelScrollDown cooldown-ms=150 { move-column-to-workspace-down; }
-    Mod+Ctrl+WheelScrollUp   cooldown-ms=150 { move-column-to-workspace-up; }
-
-    Mod+WheelScrollRight      { focus-column-right; }
-    Mod+WheelScrollLeft       { focus-column-left; }
-    Mod+Ctrl+WheelScrollRight { move-column-right; }
-    Mod+Ctrl+WheelScrollLeft  { move-column-left; }
-
-    // Usually scrolling up and down with Shift in applications results in
-    // horizontal scrolling; these binds replicate that.
-    Mod+Shift+WheelScrollDown      { focus-column-right; }
-    Mod+Shift+WheelScrollUp        { focus-column-left; }
-    Mod+Ctrl+Shift+WheelScrollDown { move-column-right; }
-    Mod+Ctrl+Shift+WheelScrollUp   { move-column-left; }
-
-    // You can refer to workspaces by index. However, keep in mind that
-    // niri is a dynamic workspace system, so these commands are kind of
-    // "best effort". Trying to refer to a workspace index bigger than
-    // the current workspace count will instead refer to the bottommost
-    // (empty) workspace.
-    //
-    // For example, with 2 workspaces + 1 empty, indices 3, 4, 5 and so on
-    // will all refer to the 3rd workspace.
-    Mod+ampersand { focus-workspace 1; }
-    Mod+2 { focus-workspace 2; }
-    Mod+quotedbl { focus-workspace 3; }
-    Mod+apostrophe { focus-workspace 4; }
-    Mod+parenleft { focus-workspace 5; }
-    Mod+minus { focus-workspace 6; }
-    Mod+7 { focus-workspace 7; }
-    Mod+underscore { focus-workspace 8; }
-    Mod+9 { focus-workspace 9; }
-    Mod+Ctrl+1 { move-column-to-workspace 1; }
-    Mod+Ctrl+2 { move-column-to-workspace 2; }
-    Mod+Ctrl+3 { move-column-to-workspace 3; }
-    Mod+Ctrl+4 { move-column-to-workspace 4; }
-    Mod+Ctrl+5 { move-column-to-workspace 5; }
-    Mod+Ctrl+6 { move-column-to-workspace 6; }
-    Mod+Ctrl+7 { move-column-to-workspace 7; }
-    Mod+Ctrl+8 { move-column-to-workspace 8; }
-    Mod+Ctrl+9 { move-column-to-workspace 9; }
-
-    // Switches focus between the current and the previous workspace.
-    Mod+Tab { focus-workspace-previous; }
-
-    // The following binds move the focused window in and out of a column.
-    // If the window is alone, they will consume it into the nearby column to the side.
-    // If the window is already in a column, they will expel it out.
-    Mod+BracketLeft  { consume-or-expel-window-left; }
-    Mod+BracketRight { consume-or-expel-window-right; }
-
-    // Consume one window from the right to the bottom of the focused column.
-    Mod+Comma  { consume-window-into-column; }
-    // Expel the bottom window from the focused column to the right.
-    Mod+Semicolon { expel-window-from-column; }
-
-    Mod+R { switch-preset-column-width; }
-    Mod+Shift+R { switch-preset-window-height; }
-    Mod+Ctrl+R { reset-window-height; }
-    Mod+F { maximize-column; }
-    Mod+Shift+F { fullscreen-window; }
-    Mod+C { center-column; }
-
-    Mod+Escape { toggle-overview; }
-
-    // Finer height adjustments when in column with other windows.
-    Mod+Shift+Minus { set-window-height "-10%"; }
-    Mod+Shift+Equal { set-window-height "+10%"; }
-
-    // Move the focused window between the floating and the tiling layout.
-    Mod+V       { toggle-window-floating; }
-    Mod+Shift+V { switch-focus-between-floating-and-tiling; }
-
-    Print { screenshot; }
-    Ctrl+Print { screenshot-screen; }
-    Alt+Print { screenshot-window; }
-
-    // The quit action will show a confirmation dialog to avoid accidental exits.
-    Mod+Shift+E { quit; }
-    Ctrl+Alt+Delete { quit; }
-
-    // Powers off the monitors. To turn them back on, do any input like
-    // moving the mouse or pressing any other key.
-    Mod+Shift+P { power-off-monitors; }
-
-    Mod+N hotkey-overlay-title="Open notes" {
-        spawn-sh "ghostty -e hx --working-dir ~/notes ~/notes/notes.dj:9999";
-    }
-}
-
-screenshot-path "~/Pictures/Screenshots/Screenshot from %Y-%m-%d %H-%M-%S.png"
-
-spawn-at-startup "kdeconnect-indicator"
-spawn-at-startup "~/rep/flocon/home/bin/monitor-dark-mode.sh"
-
-spawn-at-startup "xwayland-satellite"
-environment {
-    DISPLAY ":0"
-}
-
-hotkey-overlay {
-    skip-at-startup
-}
diff --git a/home/.config/niri/dms/alttab.kdl b/home/.config/niri/dms/alttab.kdl
deleted file mode 100644
index 91d8337..0000000
--- a/home/.config/niri/dms/alttab.kdl
+++ /dev/null
@@ -1,5 +0,0 @@
-recent-windows {
-    highlight {
-        corner-radius 12
-    }
-}
diff --git a/home/.config/niri/dms/binds.kdl b/home/.config/niri/dms/binds.kdl
deleted file mode 100644
index 5f116ed..0000000
--- a/home/.config/niri/dms/binds.kdl
+++ /dev/null
@@ -1,55 +0,0 @@
-binds {
-    Mod+Shift+D hotkey-overlay-title="Application Launcher" { 
-        spawn "dms" "ipc" "call" "spotlight" "toggle"; 
-    }
-
-    Mod+V hotkey-overlay-title="Clipboard Manager" { 
-        spawn "dms" "ipc" "call" "clipboard" "toggle"; 
-    }
-
-    Mod+M hotkey-overlay-title="Task Manager" { 
-        spawn "dms" "ipc" "call" "processlist" "toggle"; 
-    }
-
-    Mod+Comma hotkey-overlay-title="Settings" { 
-        spawn "dms" "ipc" "call" "settings" "toggle"; 
-    }
-
-    Mod+N hotkey-overlay-title="Notification Center" {
-        spawn "dms" "ipc" "call" "notifications" "toggle"; 
-    }
-
-    Mod+Shift+N hotkey-overlay-title="Notepad" {
-      spawn "dms" "ipc" "call" "notepad" "toggle";  
-    }
-    
-    Mod+Alt+L hotkey-overlay-title="Lock Screen" { 
-        spawn "dms" "ipc" "call" "lock" "lock"; 
-    }
-
-    Ctrl+Alt+Delete hotkey-overlay-title="Task Manager" { 
-        spawn "dms" "ipc" "call" "processlist" "toggle"; 
-    }    
-
-    // Audio
-    XF86AudioRaiseVolume allow-when-locked=true {
-        spawn "dms" "ipc" "call" "audio" "increment" "3";
-    }
-    XF86AudioLowerVolume allow-when-locked=true {
-        spawn "dms" "ipc" "call" "audio" "decrement" "3";
-    }
-    XF86AudioMute allow-when-locked=true {
-        spawn "dms" "ipc" "call" "audio" "mute";
-    }
-    XF86AudioMicMute allow-when-locked=true {
-        spawn "dms" "ipc" "call" "audio" "micmute";
-    }
-    
-    // BL
-    XF86MonBrightnessUp allow-when-locked=true {
-       spawn "dms" "ipc" "call" "brightness" "increment" "5" "";
-    }
-    XF86MonBrightnessDown allow-when-locked=true {
-       spawn "dms" "ipc" "call" "brightness" "decrement" "5" "";
-    }  
-}
\ No newline at end of file
diff --git a/home/.config/niri/dms/colors.kdl b/home/.config/niri/dms/colors.kdl
deleted file mode 100644
index 2c7487f..0000000
--- a/home/.config/niri/dms/colors.kdl
+++ /dev/null
@@ -1,36 +0,0 @@
-layout {
-    background-color "transparent"
-
-    focus-ring {
-        active-color   "#5c5891"
-        inactive-color "#787680"
-        urgent-color   "#ba1a1a"
-    }
-
-    border {
-        active-color   "#5c5891"
-        inactive-color "#787680"
-        urgent-color   "#ba1a1a"
-    }
-
-    shadow {
-        color "#00000070"
-    }
-
-    tab-indicator {
-        active-color   "#5c5891"
-        inactive-color "#787680"
-        urgent-color   "#ba1a1a"
-    }
-
-    insert-hint {
-        color "#5c589180"
-    }
-}
-
-recent-windows {
-    highlight {
-        active-color   "#444078"
-        urgent-color   "#ba1a1a"
-    }
-}
diff --git a/home/.config/niri/dms/layout.kdl b/home/.config/niri/dms/layout.kdl
deleted file mode 100644
index 36c08f3..0000000
--- a/home/.config/niri/dms/layout.kdl
+++ /dev/null
@@ -1,17 +0,0 @@
-layout {
-    gaps 4
-
-    border {
-        width 2
-    }
-
-    focus-ring {
-        width 2
-    }
-}
-window-rule {
-    geometry-corner-radius 12
-    clip-to-geometry true
-    tiled-state true
-    draw-border-with-background false
-}
diff --git a/home/.config/niri/dms/wpblur.kdl b/home/.config/niri/dms/wpblur.kdl
deleted file mode 100644
index 667042f..0000000
--- a/home/.config/niri/dms/wpblur.kdl
+++ /dev/null
@@ -1,4 +0,0 @@
-layer-rule {
-    match namespace="dms:blurwallpaper"
-    place-within-backdrop true
-}
diff --git a/home/.config/nushell/config.nu b/home/.config/nushell/config.nu
deleted file mode 100644
index 6ff67b6..0000000
--- a/home/.config/nushell/config.nu
+++ /dev/null
@@ -1,9 +0,0 @@
-alias ls = eza
-alias ll = eza -l
-alias lla = eza -la
-alias h = hx
-alias g = git
-
-# Load starship prompt
-mkdir ($nu.data-dir | path join "vendor/autoload")
-starship init nu | save -f ($nu.data-dir | path join "vendor/autoload/starship.nu")
diff --git a/home/.config/senpai/senpai.scfg b/home/.config/senpai/senpai.scfg
deleted file mode 100644
index 72cce82..0000000
--- a/home/.config/senpai/senpai.scfg
+++ /dev/null
@@ -1,4 +0,0 @@
-address chat.sr.ht
-nickname rpqt
-username rpqt
-password-cmd pass show oauth/sr.ht-senpai-irc
diff --git a/home/.config/sh/aliases.sh b/home/.config/sh/aliases.sh
deleted file mode 100644
index 1376f34..0000000
--- a/home/.config/sh/aliases.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-alias dotfiles="/usr/bin/git --git-dir=$HOME/.dotfiles/ --work-tree=$HOME"
-alias dots=dotfiles
-if command -v helix >/dev/null; then
-  alias h='helix'
-else
-  alias h='hx'
-fi
-if command -v eza >/dev/null; then
-  alias ls='eza'
-else
-  alias ls='ls --color -h'
-fi
-alias lsa='ls -A'
-alias ll='ls -l'
-alias lla='ls -lA'
-alias ..='cd ..'
-alias ...='cd ../..'
-alias bt='bluetoothctl'
-alias go='GOPROXY=direct go'
-alias ts='tree-sitter'
-alias g='git'
-alias c='cargo'
-alias MAKE='make clean && make'
-alias n='myrtle --notebook-dir=$HOME/notes'
diff --git a/home/.config/sh/path.sh b/home/.config/sh/path.sh
deleted file mode 100644
index c41beec..0000000
--- a/home/.config/sh/path.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-# Personnal scripts
-export PATH="$PATH:$HOME/bin"
diff --git a/home/.config/vicinae/vicinae.json b/home/.config/vicinae/vicinae.json
deleted file mode 100644
index 0d92315..0000000
--- a/home/.config/vicinae/vicinae.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-    "closeOnFocusLoss": false,
-    "considerPreedit": false,
-    "faviconService": "twenty",
-    "font": {
-        "size": 12
-    },
-    "keybinding": "default",
-    "keybinds": {
-    },
-    "popToRootOnClose": true,
-    "rootSearch": {
-        "searchFiles": true
-    },
-    "theme": {
-        "name": "matugen"
-    },
-    "window": {
-        "csd": true,
-        "opacity": 1,
-        "rounding": 10
-    }
-}
diff --git a/home/.config/zsh/haze.zsh b/home/.config/zsh/haze.zsh
deleted file mode 100644
index e7e39ec..0000000
--- a/home/.config/zsh/haze.zsh
+++ /dev/null
@@ -1,2 +0,0 @@
-# Highlight the executable in green if it is found
-source /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.plugin.zsh
diff --git a/home/.config/zsh/hooks.sh b/home/.config/zsh/hooks.sh
deleted file mode 100644
index 269dee6..0000000
--- a/home/.config/zsh/hooks.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-# Hook direnv if present
-if command -v direnv >/dev/null; then
-  eval "$(direnv hook zsh)"
-fi
-
-# Prompt
-if command -v starship >/dev/null; then
-  source <(starship init zsh)
-fi
-
-# Load opam config if present
-if [ -r ~/.opam/opam-init/init.zsh ]; then
-  source ~/.opam/opam-init/init.zsh  > /dev/null 2> /dev/null
-fi
-
-# Launch atuin if it is installed
-if command -v atuin >/dev/null; then
-  eval "$(atuin init zsh)"
-fi
-
-# Set ls/tree/fd theme using vivid if it is installed
-if command -v vivid >/dev/null; then
-  export LS_COLORS="$(vivid generate gruvbox-dark-hard)"
-fi
-
-# Init zoxide if present and alias cd to it
-if command -v zoxide >/dev/null; then
-  eval "$(zoxide init zsh)"
-  alias cd=z
-fi
diff --git a/home/.gitignore b/home/.gitignore
deleted file mode 100644
index 1871e64..0000000
--- a/home/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-!/.config
diff --git a/home/.ssh/config b/home/.ssh/config
deleted file mode 100644
index 51534dd..0000000
--- a/home/.ssh/config
+++ /dev/null
@@ -1,11 +0,0 @@
-Host crocus
-	HostName crocus.val
-	User root
-
-Host verbena
-	HostName verbena.val
-	User root
-
-Host genepi
-	HostName genepi.val
-	User root
diff --git a/home/.zshrc b/home/.zshrc
deleted file mode 100644
index 3e47f5e..0000000
--- a/home/.zshrc
+++ /dev/null
@@ -1,27 +0,0 @@
-# Path
-source ~/.config/sh/path.sh
-
-# Aliases
-source ~/.config/sh/aliases.sh
-
-# Completion
-autoload -Uz compinit
-compinit
-# sudo completion
-zstyle ':completion::complete:*' gain-privileges 1
-
-# Line movement with special keys
-bindkey "^[[H" beginning-of-line
-bindkey "^[[F" end-of-line
-bindkey "^[[3~" delete-char
-
-source ~/.config/zsh/hooks.sh
-
-if [ -r ~/.profile ]; then
-  source ~/.profile
-fi
-
-# Load machine-specific config
-if [ -r ~/.config/zsh/$HOST.zsh ]; then
-  source ~/.config/zsh/$HOST.zsh
-fi
diff --git a/home/bin/monitor-dark-mode.sh b/home/bin/monitor-dark-mode.sh
deleted file mode 100755
index e8cdaf4..0000000
--- a/home/bin/monitor-dark-mode.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env sh
-
-gsettings monitor org.gnome.desktop.interface color-scheme \
-  | xargs -L1 "${HOME}/rep/flocon/home/bin/switch-helix-theme.sh"
diff --git a/home/bin/switch-helix-theme.sh b/home/bin/switch-helix-theme.sh
deleted file mode 100755
index f11f803..0000000
--- a/home/bin/switch-helix-theme.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -euox pipefail
-
-HELIX_CONFIG_PATH=$(readlink -f "${HOME}/.config/helix/config.toml")
-HELIX_THEME_LIGHT="zed_onelight"
-HELIX_THEME_DARK="kanagawa"
-
-if [[ "$2" == "prefer-dark" ]]; then
-  sed -i "s/^theme .*/theme = \"$HELIX_THEME_DARK\"/" "$HELIX_CONFIG_PATH"
-else
-  sed -i "s/^theme .*/theme = \"$HELIX_THEME_LIGHT\"/" "$HELIX_CONFIG_PATH"
-fi
-
-pkill -USR1 hx || true
diff --git a/home-manager/chat.nix b/home/chat.nix
similarity index 56%
rename from home-manager/chat.nix
rename to home/chat.nix
index 0b9cd4a..25fcf22 100644
--- a/home-manager/chat.nix
+++ b/home/chat.nix
@@ -1,14 +1,5 @@
+{ config, pkgs, ... }:
 {
-  self,
-  config,
-  pkgs,
-  ...
-}:
-{
-  imports = [
-    self.homeManagerModules.dotfiles
-  ];
-
   home.packages = with pkgs; [ senpai ];
 
   xdg.configFile."senpai".source = "${config.dotfiles.path}/.config/senpai";
diff --git a/home/cli.nix b/home/cli.nix
new file mode 100644
index 0000000..4a4e746
--- /dev/null
+++ b/home/cli.nix
@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    bottom
+    btop
+    difftastic
+    doggo
+    duf
+    eza
+    fd
+    glow
+    lazygit
+    nh
+    ripgrep
+    skim
+    taskwarrior3
+    tealdeer
+    vivid
+    zoxide
+  ];
+
+  programs.zoxide.enable = true;
+  programs.starship.enable = true;
+  programs.atuin.enable = true;
+  programs.bat.enable = true;
+
+  programs.zsh = {
+    enable = true;
+    syntaxHighlighting.enable = true;
+    shellAliases = {
+      ls = "eza";
+      lsa = "ls -A";
+      ll = "ls -lh";
+      lla = "ls -lAh";
+      h = "hx";
+      g = "git";
+      cd = "z";
+      tree = "eza --tree";
+      ".." = "cd ..";
+      "..." = "cd ../..";
+    };
+  };
+
+  xdg.configFile."git".source = "${config.dotfiles.path}/.config/git";
+  xdg.configFile."task/taskrc".source = "${config.dotfiles.path}/.config/task/taskrc";
+
+  home.sessionPath = [ "${config.dotfiles.path}/bin" ];
+}
diff --git a/home-manager/common.nix b/home/common.nix
similarity index 100%
rename from home-manager/common.nix
rename to home/common.nix
diff --git a/home-manager/desktop/default.nix b/home/desktop/default.nix
similarity index 56%
rename from home-manager/desktop/default.nix
rename to home/desktop/default.nix
index b46f155..2c51df5 100644
--- a/home-manager/desktop/default.nix
+++ b/home/desktop/default.nix
@@ -3,13 +3,13 @@
   imports = [
     ./fonts.nix
     ./pass.nix
-    ./terminal.nix
     ./wayland.nix
   ];
 
   home.packages = with pkgs; [
     discord
     seahorse
+    wofi-emoji
   ];
 
   home.pointerCursor = {
@@ -20,14 +20,4 @@
   };
 
   gtk.enable = true;
-  gtk.iconTheme = {
-    name = "WhiteSur";
-    package = pkgs.whitesur-icon-theme.override {
-      alternativeIcons = true;
-      boldPanelIcons = true;
-    };
-  };
-
-  qt.enable = true;
-  qt.platformTheme.name = "gtk";
 }
diff --git a/home-manager/desktop/fonts.nix b/home/desktop/fonts.nix
similarity index 56%
rename from home-manager/desktop/fonts.nix
rename to home/desktop/fonts.nix
index b987e69..b19e389 100644
--- a/home-manager/desktop/fonts.nix
+++ b/home/desktop/fonts.nix
@@ -6,8 +6,4 @@
   ];
 
   fonts.fontconfig.enable = true;
-  fonts.fontconfig.defaultFonts = {
-    sansSerif = [ "Adwaita Sans" ];
-    monospace = [ "Adwaita Mono" ];
-  };
 }
diff --git a/home/desktop/gnome.nix b/home/desktop/gnome.nix
new file mode 100644
index 0000000..ccaa33a
--- /dev/null
+++ b/home/desktop/gnome.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs.gnomeExtensions; [
+    blur-my-shell
+    paperwm
+  ];
+}
diff --git a/home/desktop/niri.nix b/home/desktop/niri.nix
new file mode 100644
index 0000000..73c1ac5
--- /dev/null
+++ b/home/desktop/niri.nix
@@ -0,0 +1,5 @@
+{ config, ... }:
+{
+  xdg.configFile."i3bar-river".source = "${config.dotfiles.path}/.config/i3bar-river";
+  xdg.configFile."niri".source = "${config.dotfiles.path}/.config/niri";
+}
diff --git a/home-manager/desktop/pass.nix b/home/desktop/pass.nix
similarity index 79%
rename from home-manager/desktop/pass.nix
rename to home/desktop/pass.nix
index 3b60fee..84cc37f 100644
--- a/home-manager/desktop/pass.nix
+++ b/home/desktop/pass.nix
@@ -9,6 +9,6 @@
   programs.gpg.enable = true;
   services.gpg-agent = {
     enable = true;
-    pinentry.package = pkgs.pinentry-gnome3;
+    pinentryPackage = pkgs.pinentry-gnome3;
   };
 }
diff --git a/home/desktop/sway.nix b/home/desktop/sway.nix
new file mode 100644
index 0000000..d0dbc91
--- /dev/null
+++ b/home/desktop/sway.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    alacritty
+    ghostty
+    tofi
+    i3status-rust
+    mako
+    wlsunset
+    kanshi
+    grim
+    slurp
+    playerctl
+    swaybg
+  ];
+
+  xdg.configFile = {
+    "sway".source = "${config.dotfiles.path}/.config/sway";
+    "swaylock".source = "${config.dotfiles.path}/.config/swaylock";
+    "swayidle".source = "${config.dotfiles.path}/.config/swayidle";
+    "kanshi".source = "${config.dotfiles.path}/.config/kanshi";
+    "i3status-rust".source = "${config.dotfiles.path}/.config/i3status-rust";
+    "tofi/config".source = "${config.dotfiles.path}/.config/tofi/config";
+  };
+
+  programs.alacritty.enable = true;
+  xdg.configFile."alacritty".source = "${config.dotfiles.path}/.config/alacritty";
+
+  xdg.configFile."ghostty/config".source = "${config.dotfiles.path}/.config/ghostty/config";
+}
diff --git a/home-manager/desktop/wayland.nix b/home/desktop/wayland.nix
similarity index 84%
rename from home-manager/desktop/wayland.nix
rename to home/desktop/wayland.nix
index 2402cce..cdcefb0 100644
--- a/home-manager/desktop/wayland.nix
+++ b/home/desktop/wayland.nix
@@ -1,6 +1,7 @@
 { pkgs, ... }:
 {
   home.packages = with pkgs; [
+    waypaper
     wl-clipboard
   ];
 }
diff --git a/home/dev.nix b/home/dev.nix
new file mode 100644
index 0000000..2862d2d
--- /dev/null
+++ b/home/dev.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    devenv
+    direnv
+    hut
+    radicle-node
+    typescript-language-server
+    nil # Nix language server
+    nixfmt-rfc-style
+  ];
+
+  programs.direnv = {
+    enable = true;
+    enableZshIntegration = true;
+    nix-direnv.enable = true;
+  };
+
+  xdg.configFile."hut/config".source = "${config.dotfiles.path}/.config/hut/config";
+}
diff --git a/home-manager/dotfiles.nix b/home/dotfiles.nix
similarity index 90%
rename from home-manager/dotfiles.nix
rename to home/dotfiles.nix
index ff9c6d8..818bec3 100644
--- a/home-manager/dotfiles.nix
+++ b/home/dotfiles.nix
@@ -5,7 +5,7 @@
       path = lib.mkOption {
         type = lib.types.path;
         apply = toString;
-        default = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/rep/flocon/home";
+        default = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/rep/dotfiles";
         example = "${config.home.homeDirectory}/.dotfiles";
         description = "Location of the dotfiles working copy";
       };
diff --git a/home/helix.nix b/home/helix.nix
new file mode 100644
index 0000000..0c6f61c
--- /dev/null
+++ b/home/helix.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+  home.packages = [ pkgs.helix ];
+
+  programs.helix = {
+    enable = true;
+    defaultEditor = true;
+  };
+
+  xdg.configFile."helix".source = "${config.dotfiles.path}/.config/helix";
+}
diff --git a/home/mail/default.nix b/home/mail/default.nix
new file mode 100644
index 0000000..e03b31f
--- /dev/null
+++ b/home/mail/default.nix
@@ -0,0 +1,44 @@
+{ config, ... }:
+{
+  programs.thunderbird = {
+    enable = true;
+    profiles = {
+      main = {
+        isDefault = true;
+      };
+    };
+  };
+
+  accounts.email.accounts = {
+    "rpqt@rpqt.fr" = {
+      address = "rpqt@rpqt.fr";
+      realName = "Romain Paquet";
+      primary = true;
+      flavor = "migadu.com";
+      thunderbird.enable = true;
+    };
+
+    "admin@rpqt.fr" = {
+      address = "admin@rpqt.fr";
+      aliases = [ "postmaster@rpqt.fr" ];
+      realName = "Postmaster";
+      flavor = "migadu.com";
+      thunderbird.enable = config.programs.thunderbird.enable;
+    };
+
+    "romain.paquet@grenoble-inp.org" = {
+      address = "romain.paquet@grenoble-inp.org";
+      realName = "Romain Paquet";
+      userName = "romain.paquet@grenoble-inp.org";
+      imap = {
+        host = "imap.partage.renater.fr";
+        port = 993;
+      };
+      smtp = {
+        host = "smtp.partage.renater.fr";
+        port = 465;
+      };
+      thunderbird.enable = config.programs.thunderbird.enable;
+    };
+  };
+}
diff --git a/home-manager/minecraft.nix b/home/minecraft.nix
similarity index 100%
rename from home-manager/minecraft.nix
rename to home/minecraft.nix
diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
index 89eb186..03dfad9 100644
--- a/infra/.terraform.lock.hcl
+++ b/infra/.terraform.lock.hcl
@@ -1,16 +1,44 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 
-provider "registry.opentofu.org/hashicorp/external" {
-  version = "2.3.5"
+provider "registry.opentofu.org/go-gandi/gandi" {
+  version     = "2.3.0"
+  constraints = "2.3.0"
   hashes = [
-    "h1:en/2hMK/W/2hKtsEkbxGiiYwi/pSPS/UoGDILHIHjmw=",
+    "h1:9kqWL+eFk/ogrQSltL9zVqjMcOqbvs3EgIJEeyNPb8U=",
+    "zh:0936d011cf75bb5162c6027d00575a586807adc9008f4152def157b6ad22bae9",
+    "zh:2170e671f04d3346ea416fcc404be6d05f637eab7df77e289a6898a928885f0b",
+    "zh:250329baae3cb09cfb88dd004d45f003ba76fbe7b8daf9d18fd640b93a2b7252",
+    "zh:2ccd9f253424738ca5fbbcb2127bf3713c20e87bfb3829f8c4565569424fd0bd",
+    "zh:3607b48bc4691cd209528f9ffe16a6cc666bd284b0d0bdfe8c4e1d538559a408",
+    "zh:3bc1d2b770fe0f50027da59c405b2468d1322243235367014f75f765124f458d",
+    "zh:6c8a9092847ee2e2890825432b54424c456638d494e49b7d1845f055214714f5",
+    "zh:8e0b62a330876005d52bcd65d7b1d9a679a7ac79c626e0f86661519e8f9b5698",
+    "zh:8f44f4d52583ff249e2001ea2a8b8841010489dd43e1a01a9ec3a6813d121c28",
+    "zh:9a617927d4a3a2897ff10999a19a6d1f0ef634b8c6b8fc3be12cf53948cfd9cf",
+    "zh:cab3c82c54e38e6001eed5b80a2d16b7824921f8f8b3909049e174c48e6e8804",
+    "zh:f78cc685aa4ba5056ea53a7f8ce585f87a911f0a8a387a44a33d7dfb69db7663",
   ]
 }
 
 provider "registry.opentofu.org/hetznercloud/hcloud" {
-  version = "1.58.0"
+  version     = "1.49.1"
+  constraints = "~> 1.45"
   hashes = [
-    "h1:6C2LNEvCyGPyWgALDAFTNbRp+5Iuikd4Ju1Xejh+aeg=",
+    "h1:FKGRNHVbcfQJd8EWrb8Ze5QHkaGr8zI+ZKxBMjvOwPk=",
+    "zh:3d5f9773da4f8203cf625d04a5a0e4ff7e202684c010a801a945756140c61cde",
+    "zh:446305d492017cda91e5c15122ec16ff15bfe3ef4d3fd6bcea0cdf7742ab1b86",
+    "zh:44d4f9156ed8b4f0444bd4dc456825940be49048828565964a192286d28c9f20",
+    "zh:492ad893d2f89bb17c9beb877c8ceb4a16caf39db1a79030fefeada6c7aa217f",
+    "zh:68dc552c19ad9d209ec6018445df6e06fb77a637513a53cc66ddce1b024082be",
+    "zh:7492495ffda6f6c49ab38b539bd2eb965b1150a63fb6b191a27dec07d17601cb",
+    "zh:850fe92005981ea00db86c3e49ba5b49732fdf1f7bd5530a68f6e272847059fc",
+    "zh:8cb67f744c233acfb1d68a6c27686315439d944edf733b95f113b4aa63d86713",
+    "zh:8e13dac46e8c2497772ed1baee701b1d1c26bcc95a63b5c4566c83468f504868",
+    "zh:c44249c6a8ba931e208a334792686b5355ab2da465cadea03c1ea8e73c02db12",
+    "zh:d103125a28a85c89aea0cb0c534fe3f504416c4d4fc75c37364b9ec5f66dd77d",
+    "zh:ed8f64e826aa9bfca95b72892271678cb78411b40d7b404a52404141e05a4ab1",
+    "zh:f40efad816de00b279bd1e2cbf62c76b0e5b2da150a0764f259984b318e30945",
+    "zh:f5e912d0873bf4ecc43feba4ceccdf158048080c76d557e47f34749139fdd452",
   ]
 }
diff --git a/infra/README.md b/infra/README.md
index 3c9e53d..664306c 100644
--- a/infra/README.md
+++ b/infra/README.md
@@ -19,8 +19,3 @@ tofu import hcloud_firewall.hcloud_firewall YYY
 ```
 
 For Hetzner Cloud, the resource IDs can be found in the URL of the admin console.
-
-## Outputs
-
-The nix configuration reads some values from the `outputs.json` file.
-When modifying these, the file should be regenerated with `tofu output -json > outputs.json`.
diff --git a/infra/base.nix b/infra/base.nix
deleted file mode 100644
index 1e7f0d3..0000000
--- a/infra/base.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  terraform.required_providers.hcloud.source = "hetznercloud/hcloud";
-
-  data.external.hcloud-token = {
-    program = [
-      (lib.getExe (
-        pkgs.writeShellApplication {
-          name = "get-clan-secret";
-          text = ''
-            jq -n --arg secret "$(clan secrets get hcloud-token)" '{"secret":$secret}'
-          '';
-        }
-      ))
-    ];
-  };
-
-  provider.hcloud.token = config.data.external.hcloud-token "result.secret";
-}
diff --git a/infra/crocus.tf b/infra/crocus.tf
new file mode 100644
index 0000000..abd9bf8
--- /dev/null
+++ b/infra/crocus.tf
@@ -0,0 +1,52 @@
+resource "hcloud_server" "crocus_server" {
+  name         = "crocus"
+  server_type  = "cx22"
+  image        = "ubuntu-20.04"
+  firewall_ids = [hcloud_firewall.crocus_firewall.id]
+}
+
+resource "hcloud_firewall" "crocus_firewall" {
+  name = "crocus-firewall"
+
+  rule {
+    direction  = "in"
+    protocol   = "icmp"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "22"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "22"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "80"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "443"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  # radicle-node
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "8776"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+}
diff --git a/infra/dns.nix b/infra/dns.nix
deleted file mode 100644
index a6f7031..0000000
--- a/infra/dns.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, ... }:
-{
-  resource.hcloud_zone.rpqt_fr = {
-    name = "rpqt.fr";
-    mode = "primary";
-  };
-
-  resource.hcloud_zone.turifer_dev = {
-    name = "turifer.dev";
-    mode = "primary";
-  };
-
-  output.rpqt_fr_zone_name = {
-    value = config.resource.hcloud_zone.rpqt_fr "name";
-  };
-
-  output.turifer_dev_zone_name = {
-    value = config.resource.hcloud_zone.turifer_dev "name";
-  };
-}
diff --git a/infra/dns.tf b/infra/dns.tf
new file mode 100644
index 0000000..b28e757
--- /dev/null
+++ b/infra/dns.tf
@@ -0,0 +1,23 @@
+data "gandi_livedns_domain" "rpqt_fr" {
+  name = "rpqt.fr"
+}
+
+resource "gandi_livedns_record" "rpqt_fr_radicle_a" {
+  zone = data.gandi_livedns_domain.rpqt_fr.id
+  name = "radicle"
+  type = "A"
+  ttl  = 10800
+  values = [
+    hcloud_server.crocus_server.ipv4_address,
+  ]
+}
+
+resource "gandi_livedns_record" "rpqt_fr_radicle_aaaa" {
+  zone = data.gandi_livedns_domain.rpqt_fr.id
+  name = "radicle"
+  type = "AAAA"
+  ttl  = 10800
+  values = [
+    hcloud_server.crocus_server.ipv6_address,
+  ]
+}
diff --git a/infra/flake-module.nix b/infra/flake-module.nix
deleted file mode 100644
index 6b19b9b..0000000
--- a/infra/flake-module.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ self, ... }:
-{
-  perSystem =
-    { pkgs, ... }:
-    {
-      terranix.terranixConfigurations.infra = {
-        terraformWrapper.package = pkgs.opentofu.withPlugins (p: [
-          p.hashicorp_external
-          p.hetznercloud_hcloud
-        ]);
-
-        extraArgs = { inherit (self) infra; };
-        modules = [
-          ./base.nix
-          ./dns.nix
-          ./mail.nix
-          ./radicle.nix
-          ./web.nix
-        ];
-      };
-    };
-
-  flake.infra =
-    let
-      tf_outputs = builtins.fromJSON (builtins.readFile ./outputs.json);
-    in
-    {
-      machines = {
-        verbena = {
-          ipv4 = tf_outputs.verbena_ipv4.value;
-          ipv6 = tf_outputs.verbena_ipv6.value;
-          gateway6 = tf_outputs.verbena_gateway6.value;
-        };
-        crocus = {
-          ipv4 = tf_outputs.crocus_ipv4.value;
-          ipv6 = "2a01:4f8:1c1e:e415::1";
-        };
-      };
-    };
-}
diff --git a/infra/lib.nix b/infra/lib.nix
deleted file mode 100644
index cf93e1e..0000000
--- a/infra/lib.nix
+++ /dev/null
@@ -1,88 +0,0 @@
-{ lib, ... }:
-let
-  mkMigaduDkim = zone: name: {
-    inherit zone;
-    name = "${name}._domainkey";
-    type = "CNAME";
-    records = [
-      { value = "${name}.${zone}._domainkey.migadu.com."; }
-    ];
-  };
-in
-{
-  mkMigadu_hcloud_zone_rrset = zone: hostedEmailVerify: {
-    dkim_1 = mkMigaduDkim zone "key1";
-    dkim_2 = mkMigaduDkim zone "key2";
-    dkim_3 = mkMigaduDkim zone "key3";
-
-    spf = {
-      inherit zone;
-      name = "@";
-      type = "TXT";
-      records = [
-        {
-          value = lib.tf.ref ''provider::hcloud::txt_record("v=spf1 include:spf.migadu.com -all")'';
-        }
-        {
-          value = lib.tf.ref ''provider::hcloud::txt_record("hosted-email-verify=pgeaq3bp")'';
-        }
-      ];
-    };
-
-    dmarc = {
-      inherit zone;
-      name = "_dmarc";
-      type = "TXT";
-      records = [
-        {
-          value = lib.tf.ref ''provider::hcloud::txt_record("v=DMARC1; p=quarantine;")'';
-        }
-      ];
-    };
-
-    mx = {
-      inherit zone;
-      name = "@";
-      type = "MX";
-      records = [
-        { value = "10 aspmx1.migadu.com."; }
-        { value = "20 aspmx2.migadu.com."; }
-      ];
-    };
-
-    autoconfig = {
-      inherit zone;
-      name = "autoconfig";
-      type = "CNAME";
-      records = [ { value = "autoconfig.migadu.com."; } ];
-    };
-
-    autodiscover = {
-      inherit zone;
-      name = "_autodiscover._tcp";
-      type = "SRV";
-      records = [ { value = "0 1 443 autodiscover.migadu.com."; } ];
-    };
-
-    submissions = {
-      inherit zone;
-      name = "_submissions._tcp";
-      type = "SRV";
-      records = [ { value = "0 1 465 smtp.migadu.com."; } ];
-    };
-
-    imaps = {
-      inherit zone;
-      name = "_imaps._tcp";
-      type = "SRV";
-      records = [ { value = "0 1 993 imap.migadu.com."; } ];
-    };
-
-    pop3s = {
-      inherit zone;
-      name = "_pop3s._tcp";
-      type = "SRV";
-      records = [ { value = "0 1 995 pop.migadu.com."; } ];
-    };
-  };
-}
diff --git a/infra/mail.nix b/infra/mail.nix
deleted file mode 100644
index 255a3cc..0000000
--- a/infra/mail.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (import ./lib.nix { inherit lib; })
-    mkMigadu_hcloud_zone_rrset
-    ;
-  rpqt_fr = mkMigadu_hcloud_zone_rrset (config.resource.hcloud_zone.rpqt_fr "name") "pgeaq3bp";
-
-  # Prefix resource names with zone name to avoid collision
-  turifer_dev = lib.mapAttrs' (name: value: lib.nameValuePair "turifer_dev_${name}" value) (
-    mkMigadu_hcloud_zone_rrset (config.resource.hcloud_zone.turifer_dev "name") "k5z4lcfc"
-  );
-in
-{
-  resource.hcloud_zone_rrset = rpqt_fr // turifer_dev;
-}
diff --git a/infra/main.tf b/infra/main.tf
new file mode 100644
index 0000000..15453d9
--- /dev/null
+++ b/infra/main.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    gandi = {
+      source  = "go-gandi/gandi"
+      version = "2.3.0"
+    }
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "~> 1.45"
+    }
+  }
+}
diff --git a/infra/outputs.json b/infra/outputs.json
deleted file mode 100644
index 925eb81..0000000
--- a/infra/outputs.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-  "crocus_ipv4": {
-    "sensitive": false,
-    "type": "string",
-    "value": "116.203.18.122"
-  },
-  "verbena_gateway6": {
-    "sensitive": false,
-    "type": "string",
-    "value": "2001:41d0:305:2100::1"
-  },
-  "verbena_ipv4": {
-    "sensitive": false,
-    "type": "string",
-    "value": "51.68.122.153"
-  },
-  "verbena_ipv6": {
-    "sensitive": false,
-    "type": "string",
-    "value": "2001:41d0:305:2100::271e"
-  }
-}
diff --git a/infra/providers.tf b/infra/providers.tf
new file mode 100644
index 0000000..d8d6d9b
--- /dev/null
+++ b/infra/providers.tf
@@ -0,0 +1,7 @@
+provider "gandi" {
+  personal_access_token = var.gandi_token
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
diff --git a/infra/radicle.nix b/infra/radicle.nix
deleted file mode 100644
index b7f239d..0000000
--- a/infra/radicle.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{
-  config,
-  infra,
-  lib,
-  ...
-}:
-{
-  resource.hcloud_zone_rrset =
-    let
-      zone = config.resource.hcloud_zone.rpqt_fr "name";
-    in
-    {
-      radicle_a = {
-        inherit zone;
-        name = "radicle";
-        type = "A";
-        records = [ { value = infra.machines.crocus.ipv4; } ];
-      };
-
-      radicle_aaaa = {
-        inherit zone;
-        name = "radicle";
-        type = "AAAA";
-        records = [ { value = infra.machines.crocus.ipv6; } ];
-      };
-
-      radicles_srv = {
-        inherit zone;
-        name = "seed._radicle-node._tcp";
-        type = "SRV";
-        records = [ { value = "32767 32767 58776 radicle.rpqt.fr."; } ];
-      };
-
-      radicles_nid = {
-        inherit zone;
-        name = "seed._radicle-node._tcp";
-        type = "TXT";
-        records = [
-          {
-            value = lib.tf.ref ''provider::hcloud::txt_record("nid=z6MkuivFHDPg6Bd25v4bEWm7T7qLUYMWk1eVTE7exvum5Rvd")'';
-          }
-        ];
-      };
-
-      radicle_ptr = {
-        inherit zone;
-        name = "_radicle-node._tcp";
-        type = "PTR";
-        records = [ { value = "seed._radicle-node._tcp.radicle.rpqt.fr."; } ];
-      };
-    };
-}
diff --git a/infra/variables.tf b/infra/variables.tf
new file mode 100644
index 0000000..3bc7123
--- /dev/null
+++ b/infra/variables.tf
@@ -0,0 +1,7 @@
+variable "gandi_token" {
+  sensitive = true
+}
+
+variable "hcloud_token" {
+  sensitive = true
+}
diff --git a/infra/web.nix b/infra/web.nix
deleted file mode 100644
index 2513a6a..0000000
--- a/infra/web.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ config, infra, ... }:
-{
-  resource.hcloud_zone_rrset =
-    let
-      sourcehut_pages = {
-        ipv4 = "46.23.81.157";
-        ipv6 = "2a03:6000:1813:1337::157";
-      };
-      zone = config.resource.hcloud_zone.rpqt_fr "name";
-    in
-    {
-      a = {
-        inherit zone;
-        name = "@";
-        type = "A";
-        records = [ { value = sourcehut_pages.ipv4; } ];
-      };
-
-      aaaa = {
-        inherit zone;
-        name = "@";
-        type = "AAAA";
-        records = [ { value = sourcehut_pages.ipv6; } ];
-      };
-
-      cloud_a = {
-        inherit zone;
-        name = "cloud";
-        type = "A";
-        records = [ { value = infra.machines.verbena.ipv4; } ];
-      };
-
-      cloud_aaaa = {
-        inherit zone;
-        name = "cloud";
-        type = "AAAA";
-        records = [ { value = infra.machines.verbena.ipv6; } ];
-      };
-
-      git_turifer_dev_a = {
-        zone = config.resource.hcloud_zone.turifer_dev "name";
-        name = "git";
-        type = "A";
-        records = [ { value = infra.machines.verbena.ipv4; } ];
-      };
-
-      git_turifer_dev_aaaa = {
-        zone = config.resource.hcloud_zone.turifer_dev "name";
-        name = "git";
-        type = "AAAA";
-        records = [ { value = infra.machines.verbena.ipv6; } ];
-      };
-
-      buildbot_turifer_dev_a = {
-        zone = config.resource.hcloud_zone.turifer_dev "name";
-        name = "buildbot";
-        type = "A";
-        records = [ { value = infra.machines.verbena.ipv4; } ];
-      };
-
-      buildbot_turifer_dev_aaaa = {
-        zone = config.resource.hcloud_zone.turifer_dev "name";
-        name = "buildbot";
-        type = "AAAA";
-        records = [ { value = infra.machines.verbena.ipv6; } ];
-      };
-
-      wg1_turifer_dev_a = {
-        zone = config.resource.hcloud_zone.turifer_dev "name";
-        name = "wg1";
-        type = "A";
-        records = [ { value = infra.machines.verbena.ipv4; } ];
-      };
-
-      wg1_turifer_dev_aaaa = {
-        zone = config.resource.hcloud_zone.turifer_dev "name";
-        name = "wg1";
-        type = "AAAA";
-        records = [ { value = infra.machines.verbena.ipv6; } ];
-      };
-    };
-}
diff --git a/inventory.json b/inventory.json
deleted file mode 100644
index d5755f2..0000000
--- a/inventory.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-  "machines": {
-    "verbena": {
-      "installedAt": 1757633120
-    },
-    "crocus": {
-      "installedAt": 1757633120
-    },
-    "haze": {
-      "installedAt": 1757633120,
-      "description": "Romain's laptop"
-    },
-    "genepi": {
-      "installedAt": 1757633120,
-      "description": "Raspberry Pi 4B"
-    }
-  }
-}
\ No newline at end of file
diff --git a/machines/README.md b/machines/README.md
index 7290d44..996fa70 100644
--- a/machines/README.md
+++ b/machines/README.md
@@ -3,4 +3,3 @@
 - **crocus**: Hetzner Cloud x86_64 VPS
 - **genepi**: Raspberry Pi 4B
 - **haze**: ASUS VivoBook Laptop
-- **verbena**: OVH Cloud x86_64 VPS
diff --git a/machines/crocus/configuration.nix b/machines/crocus/configuration.nix
index 50ca761..39e52d0 100644
--- a/machines/crocus/configuration.nix
+++ b/machines/crocus/configuration.nix
@@ -1,23 +1,23 @@
 {
-  self,
+  inputs,
+  modulesPath,
+  config,
   ...
 }:
 {
   imports = [
-    self.nixosModules.radicle
-    self.nixosModules.nix-defaults
+    (modulesPath + "/profiles/qemu-guest.nix")
+    # ./radicle.nix
+    ../../system
+    inputs.clan-core.clanModules.state-version
     ../../modules/remote-builder.nix
-    self.inputs.srvos.nixosModules.server
-    self.inputs.srvos.nixosModules.hardware-hetzner-cloud
-  ];
-
-  disabledModules = [
-    self.inputs.srvos.nixosModules.mixins-cloud-init
+    ../../modules/borgbackup.nix
   ];
 
   nixpkgs.hostPlatform = "x86_64-linux";
 
   networking.hostName = "crocus";
+  clan.core.networking.targetHost = "root@crocus.local";
 
   networking.useDHCP = false;
   systemd.network.enable = true;
@@ -32,34 +32,38 @@
     ];
   };
 
-  fileSystems."/data1" = {
-    device = "/dev/disk/by-id/scsi-0HC_Volume_103766469";
-  };
+  services.avahi.enable = true;
 
-  services.garage.settings.data_dir = [
-    {
-      path = "/var/lib/garage/data";
-      capacity = "20G";
-    }
-    {
-      path = "/data1/garage";
-      capacity = "20G";
-    }
-  ];
-
-  clan.core.settings.state-version.enable = true;
-
-  clan.core.networking.buildHost = "root@haze";
-
-  services.avahi.allowInterfaces = [
-    "zts7mq7onf"
-  ];
+  disko.devices.disk.main.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_48353082";
 
   boot.loader.grub = {
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
 
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 9002;
+      };
+    };
+
+    scrapeConfigs = [
+      {
+        job_name = "crocus";
+        static_configs = [
+          {
+            targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+          }
+        ];
+      }
+    ];
+  };
+
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
@@ -75,6 +79,4 @@
     acceptTerms = true;
     defaults.email = "admin@rpqt.fr";
   };
-
-  services.tailscale.useRoutingFeatures = "server";
 }
diff --git a/machines/crocus/disko.nix b/machines/crocus/disko.nix
index b529126..af03c18 100644
--- a/machines/crocus/disko.nix
+++ b/machines/crocus/disko.nix
@@ -1,8 +1,17 @@
 {
+  clan-core,
+  config,
+  ...
+}:
+let
+  suffix = config.clan.core.vars.generators.disk-id.files.diskId.value;
+in
+{
+  imports = [ clan-core.clanModules.disk-id ];
+
   disko.devices.disk.main = {
-    name = "main-dbca87cd30a5498488026c65b37eba60";
+    name = "main-" + suffix;
     type = "disk";
-    device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_48353082";
     content = {
       type = "gpt";
       partitions = {
diff --git a/machines/crocus/radicle.nix b/machines/crocus/radicle.nix
new file mode 100644
index 0000000..d7f60b5
--- /dev/null
+++ b/machines/crocus/radicle.nix
@@ -0,0 +1,21 @@
+{ config, keys, ... }:
+{
+  services.radicle = {
+    enable = true;
+    privateKeyFile = config.age.secrets.radicle-private-key.path;
+    publicKey = keys.services.radicle;
+    node = {
+      openFirewall = true;
+    };
+    httpd = {
+      enable = true;
+      nginx = {
+        serverName = "radicle.rpqt.fr";
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+  };
+
+  age.secrets.radicle-private-key.file = ../../secrets/radicle-private-key.age;
+}
diff --git a/machines/genepi/acme.nix b/machines/genepi/acme.nix
new file mode 100644
index 0000000..d9c784d
--- /dev/null
+++ b/machines/genepi/acme.nix
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@rpqt.fr";
+  };
+
+  age.secrets.gandi.file = ../../secrets/gandi.age;
+
+  security.acme = {
+    certs."home.rpqt.fr" = {
+      group = config.services.nginx.group;
+
+      domain = "home.rpqt.fr";
+      extraDomainNames = [ "*.home.rpqt.fr" ];
+      dnsProvider = "gandiv5";
+      dnsPropagationCheck = true;
+      environmentFile = config.age.secrets.gandi.path;
+    };
+  };
+}
diff --git a/machines/genepi/actual.nix b/machines/genepi/actual.nix
deleted file mode 100644
index b455535..0000000
--- a/machines/genepi/actual.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, ... }:
-let
-  domain = "actual.val";
-in
-{
-  services.actual = {
-    enable = true;
-    settings = {
-      hostname = "127.0.0.1";
-      port = 5555;
-    };
-  };
-
-  services.nginx.virtualHosts.${domain} = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/".proxyPass =
-      "http://127.0.0.1:${builtins.toString config.services.actual.settings.port}";
-  };
-
-  security.acme.certs.${domain}.server = "https://ca.val/acme/acme/directory";
-
-  clan.core.state.actual.folders = [ "/var/lib/actual" ];
-}
diff --git a/machines/genepi/boot.nix b/machines/genepi/boot.nix
index c6c7b80..a93d860 100644
--- a/machines/genepi/boot.nix
+++ b/machines/genepi/boot.nix
@@ -8,18 +8,12 @@
   ];
 
   boot.loader = {
-    generic-extlinux-compatible.enable = false;
-    efi.canTouchEfiVariables = true;
-    systemd-boot.enable = true;
+    grub.enable = false;
+    generic-extlinux-compatible.enable = true;
   };
 
-  nixpkgs.overlays = [
-    (final: super: {
-      makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
-    })
-  ];
-
   boot.supportedFilesystems = [
+    "btrfs"
     "vfat"
   ];
 }
diff --git a/machines/genepi/builder.nix b/machines/genepi/builder.nix
index 5e4a7e3..eeab549 100644
--- a/machines/genepi/builder.nix
+++ b/machines/genepi/builder.nix
@@ -1,3 +1,4 @@
+{ keys, ... }:
 {
   imports = [
     ../../modules/remote-builder.nix
@@ -5,8 +6,6 @@
 
   roles.remote-builder = {
     enable = true;
-    authorizedKeys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze"
-    ];
+    authorizedKeys = [ keys.hosts.haze ];
   };
 }
diff --git a/machines/genepi/configuration.nix b/machines/genepi/configuration.nix
index 1e48016..e86c027 100644
--- a/machines/genepi/configuration.nix
+++ b/machines/genepi/configuration.nix
@@ -1,37 +1,47 @@
 {
-  self,
+  inputs,
   ...
 }:
 {
   imports = [
-    ./actual.nix
+    inputs.agenix.nixosModules.default
+    inputs.impermanence.nixosModules.impermanence
+    ./acme.nix
     ./boot.nix
     ./builder.nix
+    ./dns.nix
     ./freshrss.nix
     ./glance.nix
     ./homeassistant.nix
-    ./immich.nix
+    # ./immich.nix
     ./monitoring
+    ./mpd.nix
     ./network.nix
     ./nginx.nix
-    ./pinchflat.nix
+    ./persistence.nix
     ./syncthing.nix
+    ./taskchampion.nix
 
-    ../../modules/acme-home.nix
-    ../../modules/lounge.nix
-    self.nixosModules.nix-defaults
+    ../../system
+    ../../modules/borgbackup.nix
 
-    self.nixosModules.user-rpqt
+    inputs.clan-core.clanModules.state-version
+    inputs.clan-core.clanModules.trusted-nix-caches
 
-    self.inputs.srvos.nixosModules.mixins-terminfo
+    inputs.home-manager.nixosModules.home-manager
+    {
+      home-manager.useGlobalPkgs = true;
+      home-manager.useUserPackages = true;
+      home-manager.users.rpqt = ./home.nix;
+    }
   ];
 
   networking.hostName = "genepi";
+  clan.core.networking.targetHost = "root@genepi.local";
 
-  time.timeZone = "Europe/Paris";
-
-  services.prometheus.checkConfig = "syntax-only";
-  clan.core.vars.generators.garage.files.metrics_token.owner = "prometheus";
-
-  clan.core.settings.state-version.enable = true;
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
 }
diff --git a/machines/genepi/disko.nix b/machines/genepi/disko.nix
index 908efe6..3fd4480 100644
--- a/machines/genepi/disko.nix
+++ b/machines/genepi/disko.nix
@@ -1,27 +1,74 @@
 {
   disko.devices.disk.main = {
-    name = "main-72b27bb5253045f38a07b6bc368ab85c";
     type = "disk";
     device = "/dev/disk/by-id/ata-WD_Green_M.2_2280_480GB_2251E6411147";
     content = {
       type = "gpt";
       partitions = {
         ESP = {
-          type = "EF00";
-          size = "512M";
           priority = 1;
+          name = "ESP";
+          start = "1M";
+          end = "512M";
+          type = "EF00";
           content = {
             type = "filesystem";
             format = "vfat";
             mountpoint = "/boot";
+            mountOptions = [ "umask=0077" ];
           };
         };
         root = {
           end = "-4G";
           content = {
-            type = "filesystem";
-            format = "ext4";
-            mountpoint = "/";
+            type = "btrfs";
+            extraArgs = [
+              "-L"
+              "nixos"
+              "-f" # Override existing partition
+            ];
+            subvolumes = {
+              "/root" = {
+                mountpoint = "/";
+                mountOptions = [
+                  "subvol=root"
+                  "compress=zstd"
+                  "noatime"
+                ];
+              };
+              "/home" = {
+                mountpoint = "/home";
+                mountOptions = [
+                  "subvol=home"
+                  "compress=zstd"
+                  "noatime"
+                ];
+              };
+              "/nix" = {
+                mountpoint = "/nix";
+                mountOptions = [
+                  "subvol=nix"
+                  "compress=zstd"
+                  "noatime"
+                ];
+              };
+              "/persist" = {
+                mountpoint = "/persist";
+                mountOptions = [
+                  "subvol=persist"
+                  "compress=zstd"
+                  "noatime"
+                ];
+              };
+              "/log" = {
+                mountpoint = "/var/log";
+                mountOptions = [
+                  "subvol=log"
+                  "compress=zstd"
+                  "noatime"
+                ];
+              };
+            };
           };
         };
         swap = {
@@ -33,4 +80,7 @@
       };
     };
   };
+
+  fileSystems."/persist".neededForBoot = true;
+  fileSystems."/var/log".neededForBoot = true;
 }
diff --git a/machines/genepi/dns.nix b/machines/genepi/dns.nix
new file mode 100644
index 0000000..086bcc0
--- /dev/null
+++ b/machines/genepi/dns.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+  domain = "home.rpqt.fr";
+  genepi = {
+    ip = "100.83.123.79";
+    subdomains = [
+      "glance"
+      "grafana"
+      "images"
+      "rss"
+      "tw"
+    ];
+  };
+in
+{
+  networking.firewall.interfaces."${config.services.tailscale.interfaceName}" = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+
+  services.unbound = {
+    enable = true;
+    resolveLocalQueries = false;
+
+    settings = {
+      server = {
+        interface = [ "${config.services.tailscale.interfaceName}" ];
+        access-control = [ "100.0.0.0/8 allow" ];
+
+        local-zone = lib.map (subdomain: ''"${subdomain}.${domain}." redirect'') genepi.subdomains;
+        local-data = lib.map (subdomain: ''"${subdomain}.${domain}. IN A ${genepi.ip}"'') genepi.subdomains;
+      };
+    };
+  };
+}
diff --git a/machines/genepi/freshrss.nix b/machines/genepi/freshrss.nix
index 511ee1d..9797ece 100644
--- a/machines/genepi/freshrss.nix
+++ b/machines/genepi/freshrss.nix
@@ -1,31 +1,26 @@
 { config, ... }:
 let
-  tld = "val";
-  domain = "rss.${tld}";
+  domain = "home.rpqt.fr";
+  subdomain = "rss.${domain}";
 in
 {
+  age.secrets.freshrss = {
+    file = ../../secrets/freshrss.age;
+    mode = "700";
+    owner = config.services.freshrss.user;
+  };
+
   services.freshrss = {
     enable = true;
-    baseUrl = "https://${domain}";
-    virtualHost = "${domain}";
+    baseUrl = "https://${subdomain}";
+    virtualHost = "${subdomain}";
 
     defaultUser = "rpqt";
-    passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
+    passwordFile = config.age.secrets.freshrss.path;
   };
 
   services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
     forceSSL = true;
-    enableACME = true;
-  };
-
-  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
-
-  clan.core.vars.generators.freshrss = {
-    prompts.freshrss-password = {
-      description = "freshrss default user password";
-      type = "hidden";
-      persist = true;
-    };
-    files.freshrss-password.owner = config.services.freshrss.user;
+    useACMEHost = "${domain}";
   };
 }
diff --git a/machines/genepi/glance-config.nix b/machines/genepi/glance-config.nix
index b8d2c17..4b913e6 100644
--- a/machines/genepi/glance-config.nix
+++ b/machines/genepi/glance-config.nix
@@ -1,4 +1,3 @@
-{ tld }:
 {
   theme = {
     light = true;
@@ -42,105 +41,18 @@
               sites = [
                 {
                   title = "Immich";
-                  url = "https://images.${tld}";
-                  icon = "sh:immich";
+                  url = "https://images.home.rpqt.fr";
+                  icon = "si:immich";
+                }
+                {
+                  title = "Grafana";
+                  url = "https://grafana.home.rpqt.fr";
+                  icon = "si:grafana";
                 }
                 {
                   title = "FreshRSS";
-                  url = "https://rss.${tld}";
-                  icon = "sh:freshrss";
-                }
-                {
-                  title = "Syncthing";
-                  url = "https://genepi.${tld}/syncthing";
-                  icon = "sh:syncthing";
-                }
-                {
-                  title = "Actual Budget";
-                  url = "https://actual.${tld}";
-                  icon = "sh:actual-budget";
-                }
-                {
-                  title = "Gitea";
-                  url = "https://git.turifer.dev";
-                  icon = "sh:gitea";
-                }
-                {
-                  title = "Pinchflat";
-                  url = "https://pinchflat.${tld}";
-                  icon = "https://cdn.jsdelivr.net/gh/selfhst/icons/png/pinchflat.png";
-                }
-                {
-                  title = "Home Assistant";
-                  url = "https://assistant.${tld}";
-                  icon = "sh:home-assistant";
-                }
-                {
-                  title = "Nextcloud";
-                  url = "https://cloud.rpqt.fr";
-                  icon = "sh:nextcloud";
-                }
-                {
-                  title = "Buildbot";
-                  url = "https://buildbot.turifer.dev";
-                  icon = "https://buildbot.turifer.dev/icon.svg";
-                }
-                {
-                  title = "Radicle";
-                  url = "https://app.radicle.xyz/nodes/radicle.rpqt.fr";
-                  icon = "sh:radicle";
-                }
-              ];
-            }
-            {
-              type = "monitor";
-              cache = "1m";
-              title = "Monitoring";
-              sites = [
-                {
-                  title = "Grafana";
-                  url = "https://grafana.${tld}";
-                  icon = "sh:grafana";
-                }
-                {
-                  title = "Prometheus";
-                  url = "http://genepi.${tld}:9090";
-                  icon = "sh:prometheus";
-                }
-              ];
-            }
-            {
-              type = "monitor";
-              cache = "1m";
-              title = "Sites";
-              sites = [
-                {
-                  title = "Lounge";
-                  url = "https://lounge.${tld}";
-                  icon = "si:html5";
-                }
-                {
-                  title = "Web corner";
-                  url = "https://rpqt.fr";
-                  icon = "si:html5";
-                }
-              ];
-            }
-            {
-              type = "bookmarks";
-              groups = [
-                {
-                  title = "Music";
-                  links = [
-                    {
-                      title = "YouTube Music";
-                      url = "https://music.youtube.com";
-                    }
-                    {
-                      title = "Music for programming";
-                      url = "https://musicforprogramming.net/latest/";
-                    }
-                  ];
+                  url = "https://rss.home.rpqt.fr";
+                  icon = "si:rss";
                 }
               ];
             }
@@ -148,20 +60,14 @@
         }
         {
           size = "small";
-          widgets =
-            let
-              locations = [
-                "Krakow, Poland"
-                "Grenoble, France"
-                "Saint-Michel-de-Maurienne, France"
-              ];
-            in
-            builtins.map (location: {
+          widgets = [
+            {
               type = "weather";
-              inherit location;
+              location = "Grenoble, France";
               units = "metric";
               hour-format = "24h";
-            }) locations;
+            }
+          ];
         }
       ];
     }
@@ -179,7 +85,7 @@
               cache = "12h";
               feeds = [
                 {
-                  url = "https://rss.${tld}/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss";
+                  url = "https://rss.home.rpqt.fr/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss";
                 }
               ];
             }
diff --git a/machines/genepi/glance.nix b/machines/genepi/glance.nix
index 6aa1cc2..a68385e 100644
--- a/machines/genepi/glance.nix
+++ b/machines/genepi/glance.nix
@@ -1,20 +1,18 @@
 { config, ... }:
 let
-  tld = "val";
-  domain = "glance.${tld}";
+  domain = "home.rpqt.fr";
+  subdomain = "glance.${domain}";
 in
 {
   services.glance = {
     enable = true;
-    settings = (import ./glance-config.nix) { inherit tld; };
+    settings = ./glance-config.nix;
   };
 
-  services.nginx.virtualHosts.${domain} = {
+  services.nginx.virtualHosts.${subdomain} = {
     forceSSL = true;
-    enableACME = true;
+    useACMEHost = "${domain}";
     locations."/".proxyPass =
       "http://127.0.0.1:${toString config.services.glance.settings.server.port}";
   };
-
-  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/hardware-configuration.nix b/machines/genepi/hardware-configuration.nix
index 3cc97f1..efcb8ff 100644
--- a/machines/genepi/hardware-configuration.nix
+++ b/machines/genepi/hardware-configuration.nix
@@ -1,20 +1,20 @@
-{ self, pkgs, ... }:
+{ inputs, pkgs, ... }:
 {
   imports = [
-    self.inputs.nixos-hardware.nixosModules.raspberry-pi-4
+    # inputs.nixos-hardware.nixosModules.raspberry-pi-4
   ];
 
   nixpkgs.hostPlatform = "aarch64-linux";
 
   hardware.enableRedistributableFirmware = true;
 
-  hardware = {
-    raspberry-pi."4".apply-overlays-dtmerge.enable = true;
-    deviceTree = {
-      enable = true;
-      filter = "*rpi-4-*.dtb";
-    };
-  };
+  # hardware = {
+  #   raspberry-pi."4".apply-overlays-dtmerge.enable = true;
+  #   deviceTree = {
+  #     enable = true;
+  #     filter = "*rpi-4-*.dtb";
+  #   };
+  # };
 
   environment.systemPackages = with pkgs; [
     libraspberrypi
diff --git a/machines/genepi/home.nix b/machines/genepi/home.nix
new file mode 100644
index 0000000..9662907
--- /dev/null
+++ b/machines/genepi/home.nix
@@ -0,0 +1,32 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  home.username = "rpqt";
+  home.homeDirectory = lib.mkForce "/home/rpqt";
+
+  home.packages = [
+    pkgs.helix
+    pkgs.ripgrep
+    pkgs.eza
+  ];
+
+  programs.zsh.enable = true;
+  programs.starship.enable = true;
+  programs.atuin.enable = true;
+
+  # This value determines the Home Manager release that your configuration is
+  # compatible with. This helps avoid breakage when a new Home Manager release
+  # introduces backwards incompatible changes.
+  #
+  # You should not change this value, even if you update Home Manager. If you do
+  # want to update the value, then make sure to first check the Home Manager
+  # release notes.
+  home.stateVersion = "24.11";
+
+  # Let Home Manager install and manage itself
+  programs.home-manager.enable = true;
+}
diff --git a/machines/genepi/homeassistant.nix b/machines/genepi/homeassistant.nix
index 2c61efb..8506960 100644
--- a/machines/genepi/homeassistant.nix
+++ b/machines/genepi/homeassistant.nix
@@ -1,42 +1,10 @@
-{ config, ... }:
-let
-  tld = "val";
-  domain = "assistant.${tld}";
-in
 {
-  services.home-assistant = {
-    enable = true;
-    extraComponents = [
-      # Components required to complete the onboarding
-      "analytics"
-      "google_translate"
-      "met"
-      "radio_browser"
-      "shopping_list"
-      # For fast zlib compression
-      "isal"
-      "shelly"
+  virtualisation.oci-containers.containers.homeassistant = {
+    volumes = [ "home-assistant:/config" ];
+    environment.TZ = "Europe/Paris";
+    image = "ghcr.io/home-assistant/home-assistant:stable";
+    extraOptions = [
+      "--network=host"
     ];
-    config = {
-      default_config = { };
-      http = {
-        use_x_forwarded_for = true;
-        trusted_proxies = [ "127.0.0.1" ];
-      };
-    };
   };
-
-  services.nginx.virtualHosts.${domain} = {
-    forceSSL = true;
-    enableACME = true;
-    extraConfig = ''
-      proxy_buffering off;
-    '';
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${toString config.services.home-assistant.config.http.server_port}";
-      proxyWebsockets = true;
-    };
-  };
-
-  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/immich.nix b/machines/genepi/immich.nix
index 76e7f65..7161f3c 100644
--- a/machines/genepi/immich.nix
+++ b/machines/genepi/immich.nix
@@ -1,19 +1,19 @@
 { config, ... }:
 let
-  tld = "val";
-  domain = "images.${tld}";
+  domain = "home.rpqt.fr";
+  subdomain = "images.${domain}";
 in
 {
   services.immich = {
     enable = true;
     settings = {
-      server.externalDomain = "https://${domain}";
+      server.externalDomain = "https://${subdomain}";
     };
   };
 
-  services.nginx.virtualHosts.${domain} = {
+  services.nginx.virtualHosts.${subdomain} = {
     forceSSL = true;
-    enableACME = true;
+    useACMEHost = "${domain}";
     locations."/" = {
       proxyPass = "http://${toString config.services.immich.host}:${toString config.services.immich.port}";
       proxyWebsockets = true;
@@ -26,7 +26,5 @@ in
     };
   };
 
-  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
-
-  clan.core.state.immich.folders = [ "/var/lib/immich" ];
+  clan.core.state.userdata.folders = [ "/var/lib/immich" ];
 }
diff --git a/machines/genepi/monitoring/default.nix b/machines/genepi/monitoring/default.nix
index e5a3e88..aea5039 100644
--- a/machines/genepi/monitoring/default.nix
+++ b/machines/genepi/monitoring/default.nix
@@ -1,9 +1,6 @@
 {
   imports = [
     ./grafana.nix
-  ];
-
-  networking.firewall.interfaces."zts7mq7onf".allowedTCPPorts = [
-    9090 # prometheus web interface
+    ./prometheus.nix
   ];
 }
diff --git a/machines/genepi/monitoring/grafana.nix b/machines/genepi/monitoring/grafana.nix
index ac96660..7bea765 100644
--- a/machines/genepi/monitoring/grafana.nix
+++ b/machines/genepi/monitoring/grafana.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
-  tld = "val";
+  domain = "home.rpqt.fr";
 in
 {
   services.grafana = {
@@ -8,7 +8,7 @@ in
     settings = {
       server = {
         http_port = 3000;
-        domain = "grafana.${tld}";
+        domain = "grafana.${domain}";
       };
     };
     provision = {
@@ -31,13 +31,10 @@ in
 
   services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
     forceSSL = true;
-    enableACME = true;
+    useACMEHost = "${domain}";
     locations."/" = {
       proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
       proxyWebsockets = true;
     };
   };
-
-  security.acme.certs.${config.services.grafana.settings.server.domain}.server =
-    "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/monitoring/prometheus.nix b/machines/genepi/monitoring/prometheus.nix
index fcf4d20..401a422 100644
--- a/machines/genepi/monitoring/prometheus.nix
+++ b/machines/genepi/monitoring/prometheus.nix
@@ -58,4 +58,6 @@ in
       };
     };
   };
+
+  clan.core.state.userdata.folders = [ "/var/lib/prometheus2" ];
 }
diff --git a/machines/genepi/mpd.nix b/machines/genepi/mpd.nix
new file mode 100644
index 0000000..3f869b5
--- /dev/null
+++ b/machines/genepi/mpd.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+{
+  services.mpd = {
+    enable = true;
+    musicDirectory = "/home/rpqt/Media/Music";
+    extraConfig = ''
+      audio_output {
+        type "pulse"
+        name "Pulse Audio"
+      }
+    '';
+
+    network.listenAddress = "any";
+  };
+
+  services.pulseaudio.enable = true;
+
+  # Workaround: run PulseAudio system-wide so that the mpd user can access it
+  services.pulseaudio.systemWide = true;
+
+  # Fixes the stutter when changing volume (found this randomly)
+  services.pulseaudio.daemon.config.flat-volumes = "no";
+
+  users.users.${config.services.mpd.user}.extraGroups = [ "pulse-access" ];
+
+  users.users.rpqt.homeMode = "755";
+}
diff --git a/machines/genepi/network.nix b/machines/genepi/network.nix
index e6225ef..49b5992 100644
--- a/machines/genepi/network.nix
+++ b/machines/genepi/network.nix
@@ -1,6 +1,6 @@
 {
   # Tailscale seems to break when not using resolved
-  # services.resolved.enable = true;
+  services.resolved.enable = true;
   networking.useDHCP = true;
   networking.interfaces.tailscale0.useDHCP = false;
 }
diff --git a/machines/genepi/nginx.nix b/machines/genepi/nginx.nix
index 1262037..410d7db 100644
--- a/machines/genepi/nginx.nix
+++ b/machines/genepi/nginx.nix
@@ -4,10 +4,4 @@
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
   };
-
-  networking.firewall.interfaces."zts7mq7onf".allowedTCPPorts = [ 443 ];
-  networking.firewall.interfaces."wireguard".allowedTCPPorts = [
-    80
-    443
-  ];
 }
diff --git a/machines/genepi/persistence.nix b/machines/genepi/persistence.nix
new file mode 100644
index 0000000..bca3d3e
--- /dev/null
+++ b/machines/genepi/persistence.nix
@@ -0,0 +1,64 @@
+{ lib, ... }:
+{
+  environment.persistence."/persist" = {
+    enable = true;
+    directories = [
+      "/var/lib/nixos"
+      "/var/lib/acme"
+      "/var/lib/prometheus2"
+      "/var/lib/immich"
+      "/var/lib/redis-immich"
+      "/var/lib/postgresql"
+      "/var/lib/grafana"
+      "/var/lib/freshrss"
+      "/var/lib/tailscale"
+    ];
+    files = [
+      # so that systemd doesn't think each boot is the first
+      "/etc/machine-id"
+      # ssh host keys
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+    ];
+    users.rpqt = {
+      directories = [ ];
+      files = [ ];
+      home = "/home/rpqt";
+    };
+  };
+
+  # Empty root and remove snapshots older than 30 days
+  # boot.initrd.postDeviceCommands = lib.mkAfter ''
+  #   mkdir /btrfs_tmp
+  #   mount /dev/disk/by-label/nixos /btrfs_tmp
+  #   if [[ -e /btrfs_tmp/root ]]; then
+  #       mkdir -p /btrfs_tmp/old_roots
+  #       timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+  #       mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+  #   fi
+
+  #   delete_subvolume_recursively() {
+  #       IFS=$'\n'
+  #       for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+  #           delete_subvolume_recursively "/btrfs_tmp/$i"
+  #       done
+  #       btrfs subvolume delete "$1"
+  #   }
+
+  #   for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+  #       delete_subvolume_recursively "$i"
+  #   done
+
+  #   btrfs subvolume create /btrfs_tmp/root
+  #   umount /btrfs_tmp
+  #   rmdir /btrfs_tmp
+  # '';
+
+  # Give agenix persistent paths so it can load secrets before the mount
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+    "/persist/etc/ssh/ssh_host_rsa_key"
+  ];
+}
diff --git a/machines/genepi/pinchflat.nix b/machines/genepi/pinchflat.nix
deleted file mode 100644
index 14fbca2..0000000
--- a/machines/genepi/pinchflat.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}:
-let
-  tld = "val";
-  domain = "pinchflat.${tld}";
-in
-{
-  services.pinchflat = {
-    enable = true;
-    secretsFile = config.clan.core.vars.generators.pinchflat.files.env.path;
-    mediaDir = "/home/rpqt/Music";
-  };
-
-  clan.core.vars.generators.pinchflat = {
-    files.env = { };
-    runtimeInputs = [
-      pkgs.coreutils
-      pkgs.openssl
-    ];
-    script = ''
-      echo "$SECRET_KEY_BASE=$(openssl rand -hex 64)" > "$out"/env
-    '';
-  };
-
-  clan.core.state.pinchflat.folders = [ "/var/lib/pinchflat" ];
-
-  services.nginx.virtualHosts.${domain} = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.pinchflat.port}";
-  };
-
-  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
-}
diff --git a/machines/genepi/syncthing.nix b/machines/genepi/syncthing.nix
index fd3400e..3a0240f 100644
--- a/machines/genepi/syncthing.nix
+++ b/machines/genepi/syncthing.nix
@@ -1,49 +1,57 @@
 {
   config,
-  lib,
-  pkgs,
   ...
 }:
 let
   user = "rpqt";
   home = config.users.users.${user}.home;
-  tld = "val";
-  domain = "genepi.${tld}";
 in
 {
-
-  services.nginx.virtualHosts.${domain} = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/syncthing" = {
-      proxyPass = "http://${config.services.syncthing.guiAddress}";
-    };
-  };
-
-  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
-
   services.syncthing = {
     enable = true;
     user = user;
-    group = lib.mkForce "users";
+    group = "users";
     dataDir = home;
-    configDir = lib.mkForce "${home}/.config/syncthing";
-    guiAddress = "0.0.0.0:8384";
-    guiPasswordFile = config.clan.core.vars.generators.syncthing-gui.files.password.path;
-  };
-
-  networking.firewall.interfaces.wireguard = {
-    allowedTCPPorts = [ 8384 ];
-  };
-
-  clan.core.vars.generators.syncthing-gui = {
-    files.password = {
-      secret = true;
-      owner = user;
+    configDir = "${home}/.config/syncthing";
+    openDefaultPorts = true;
+    overrideDevices = true;
+    overrideFolders = true;
+    settings = {
+      devices = {
+        "haze" = {
+          id = "QUX6KGF-7KNFTGD-RAX5OWC-NFQGRNK-S2TC2DQ-DQRWDTK-KMBTQXT-EVNRDQG";
+        };
+        "pixel-7a" = {
+          id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
+        };
+      };
+      folders = {
+        "Documents" = {
+          path = "${home}/Documents";
+          devices = [
+            "haze"
+          ];
+        };
+        "Music" = {
+          path = "${home}/Media/Music";
+          devices = [
+            "haze"
+            "pixel-7a"
+          ];
+        };
+        "Pictures" = {
+          path = "${home}/Media/Pictures";
+          devices = [
+            "haze"
+          ];
+        };
+        "Videos" = {
+          path = "${home}/Media/Videos";
+          devices = [
+            "haze"
+          ];
+        };
+      };
     };
-    runtimeInputs = [ pkgs.xkcdpass ];
-    script = ''
-      xkcdpass -n 7 > $out/password
-    '';
   };
 }
diff --git a/machines/genepi/taskchampion.nix b/machines/genepi/taskchampion.nix
new file mode 100644
index 0000000..b06dbc5
--- /dev/null
+++ b/machines/genepi/taskchampion.nix
@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+  domain = "home.rpqt.fr";
+  subdomain = "tw.${domain}";
+  hasImpermanence = config.environment.persistence."/persist".enable;
+in
+{
+  services.taskchampion-sync-server.enable = true;
+
+  services.taskchampion-sync-server.dataDir =
+    (lib.optionalString hasImpermanence "/persist") + "/var/lib/taskchampion-sync-server";
+
+  services.nginx.virtualHosts.${subdomain} = {
+    forceSSL = true;
+    useACMEHost = "${domain}";
+    locations."/".proxyPass =
+      "http://127.0.0.1:${toString config.services.taskchampion-sync-server.port}";
+  };
+}
diff --git a/machines/haze/configuration.nix b/machines/haze/configuration.nix
index c0e7a59..f66d604 100644
--- a/machines/haze/configuration.nix
+++ b/machines/haze/configuration.nix
@@ -1,61 +1,54 @@
 {
-  self,
-  pkgs,
+  inputs,
   ...
 }:
 {
   imports = [
+    # inputs.disko.nixosModules.disko
+    inputs.agenix.nixosModules.default
     ./boot.nix
     ./chat.nix
+    ./firefox.nix
     ./gimp.nix
     ./gnome.nix
     ./hibernate.nix
     ./niri.nix
     ./ssh.nix
     ./steam.nix
+    ./thunderbird.nix
     ./network.nix
     ./syncthing.nix
+    ./video.nix
+    ../../system
 
-    self.nixosModules.desktop
-    self.nixosModules.dev
-    self.nixosModules.nix-defaults
+    inputs.clan-core.clanModules.state-version
 
-    self.inputs.home-manager.nixosModules.home-manager
+    inputs.home-manager.nixosModules.home-manager
     {
       home-manager.useGlobalPkgs = true;
       home-manager.useUserPackages = true;
       home-manager.users.rpqt = ./home.nix;
-      home-manager.extraSpecialArgs = {
-        inherit (self) inputs;
-        inherit self;
-      };
+      home-manager.extraSpecialArgs = { inherit inputs; };
     }
   ];
 
   networking.hostName = "haze";
   clan.core.networking.targetHost = "rpqt@haze.local";
 
-  networking.search = [
-    "val"
-    "wireguard"
-  ];
-
-  time.timeZone = "Europe/Paris";
-
-  clan.core.deployment.requireExplicitUpdate = true;
-
-  clan.core.settings.state-version.enable = true;
-
-  environment.systemPackages = [
-    self.inputs.clan-core.packages.x86_64-linux.clan-app
-    pkgs.aseprite
-    pkgs.linux-wifi-hotspot
-    pkgs.anytype
-    pkgs.typst
-    pkgs.anki
-  ];
-
-  programs.kdeconnect.enable = true;
+  specialisation = {
+    hyprland.configuration =
+      { ... }:
+      {
+        imports = [ ./hyprland.nix ];
+        disabledModules = [ ./niri.nix ];
+      };
+    sway.configuration =
+      { ... }:
+      {
+        imports = [ ./sway.nix ];
+        disabledModules = [ ./niri.nix ];
+      };
+  };
 
   # Remote builds
   nix = {
@@ -72,18 +65,4 @@
       builders-use-substitutes = true
     '';
   };
-
-  nixpkgs.config.allowUnfree = true;
-
-  i18n.supportedLocales = [
-    "en_US.UTF-8/UTF-8"
-    "fr_FR.UTF-8/UTF-8"
-  ];
-
-  security.sudo = {
-    enable = true;
-    wheelNeedsPassword = false;
-  };
-
-  services.tailscale.useRoutingFeatures = "client";
 }
diff --git a/machines/haze/firefox.nix b/machines/haze/firefox.nix
new file mode 100644
index 0000000..32391e8
--- /dev/null
+++ b/machines/haze/firefox.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  programs.firefox = {
+    enable = true;
+    nativeMessagingHosts.packages = [ pkgs.passff-host ];
+  };
+}
diff --git a/machines/haze/gnome.nix b/machines/haze/gnome.nix
index c11cd24..d8f1b7b 100644
--- a/machines/haze/gnome.nix
+++ b/machines/haze/gnome.nix
@@ -2,12 +2,11 @@
 {
   services.xserver = {
     enable = true;
+    displayManager.gdm.enable = true;
+    desktopManager.gnome.enable = true;
     xkb.layout = "fr";
   };
 
-  services.displayManager.gdm.enable = true;
-  services.desktopManager.gnome.enable = true;
-
   environment.gnome.excludePackages = (
     with pkgs;
     [
diff --git a/machines/haze/hardware-configuration.nix b/machines/haze/hardware-configuration.nix
index 639e54b..efeeffb 100644
--- a/machines/haze/hardware-configuration.nix
+++ b/machines/haze/hardware-configuration.nix
@@ -4,15 +4,7 @@
 
   hardware.enableRedistributableFirmware = true;
 
-  boot.initrd.availableKernelModules = [
-    "xhci_pci"
-    "thunderbolt"
-    "vmd"
-    "nvme"
-    "usb_storage"
-    "sd_mod"
-    "rtsx_usb_sdmmc"
-  ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
   boot.kernelModules = [ "kvm-intel" ];
 
   hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
diff --git a/machines/haze/home.nix b/machines/haze/home.nix
index 79bea2e..0814049 100644
--- a/machines/haze/home.nix
+++ b/machines/haze/home.nix
@@ -1,15 +1,17 @@
 {
   imports = [
-    ../../home-manager/chat.nix
-    ../../home-manager/common.nix
-    ../../home-manager/desktop
-    ../../home-manager/dev.nix
-    ../../home-manager/helix.nix
-    ../../home-manager/mail
-    ../../home-manager/minecraft.nix
-    ../../home-manager/desktop
-    ../../home-manager/desktop/gnome.nix
-    ../../home-manager/desktop/niri.nix
-    ../../home-manager/desktop/vicinae.nix
+    ../../home/chat.nix
+    ../../home/cli.nix
+    ../../home/common.nix
+    ../../home/desktop
+    ../../home/dev.nix
+    ../../home/dotfiles.nix
+    ../../home/helix.nix
+    ../../home/mail
+    ../../home/minecraft.nix
+    ../../home/desktop
+    ../../home/desktop/gnome.nix
+    ../../home/desktop/niri.nix
+    ../../home/desktop/sway.nix
   ];
 }
diff --git a/machines/haze/hyprland.nix b/machines/haze/hyprland.nix
new file mode 100644
index 0000000..98dfe35
--- /dev/null
+++ b/machines/haze/hyprland.nix
@@ -0,0 +1,3 @@
+{
+  programs.hyprland.enable = true;
+}
diff --git a/machines/haze/network.nix b/machines/haze/network.nix
index 81bb1a0..d6d4675 100644
--- a/machines/haze/network.nix
+++ b/machines/haze/network.nix
@@ -3,11 +3,9 @@
   networking.networkmanager = {
     enable = true;
     wifi.powersave = true;
-    plugins = [
-      pkgs.networkmanager-openconnect
-      pkgs.networkmanager-openvpn
-    ];
   };
 
   users.users."rpqt".extraGroups = [ "networkmanager" ];
+
+  environment.systemPackages = [ pkgs.networkmanager-openconnect ];
 }
diff --git a/machines/haze/niri.nix b/machines/haze/niri.nix
index e47300d..61e2cdb 100644
--- a/machines/haze/niri.nix
+++ b/machines/haze/niri.nix
@@ -3,14 +3,17 @@
   programs.niri.enable = true;
 
   environment.systemPackages = with pkgs; [
+    brightnessctl
+    i3bar-river
+    mako
     pavucontrol
     playerctl
+    swaybg
+    swaylock
+    tofi
+    wl-gammarelay-rs
     xwayland-satellite
   ];
 
-  services.gnome.gnome-keyring.enable = true;
-
   environment.sessionVariables.NIXOS_OZONE_WL = "1";
-
-  programs.dms-shell.enable = true;
 }
diff --git a/machines/haze/secrets/secrets.nix b/machines/haze/secrets/secrets.nix
new file mode 100644
index 0000000..1f012b4
--- /dev/null
+++ b/machines/haze/secrets/secrets.nix
@@ -0,0 +1,13 @@
+let
+  keys = import ../../../parts/keys.nix;
+in
+{
+  "syncthing-key.pem.age".publicKeys = [
+    keys.hosts.haze
+    keys.rpqt.haze
+  ];
+  "syncthing-cert.pem.age".publicKeys = [
+    keys.hosts.haze
+    keys.rpqt.haze
+  ];
+}
diff --git a/machines/haze/secrets/syncthing-cert.pem.age b/machines/haze/secrets/syncthing-cert.pem.age
new file mode 100644
index 0000000..b5dabca
Binary files /dev/null and b/machines/haze/secrets/syncthing-cert.pem.age differ
diff --git a/machines/haze/secrets/syncthing-key.pem.age b/machines/haze/secrets/syncthing-key.pem.age
new file mode 100644
index 0000000..c3349ea
--- /dev/null
+++ b/machines/haze/secrets/syncthing-key.pem.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 P3fsag cm2nekzBIMCAb/yXzY4L6jIH/Sa+rSMznT88WJNkP30
+DMnRf0An69vywpHLD3RGHwE0dkaa6JIEahhQo14EEDc
+--- f/kI+HBhWTQlXoWvCJaLJM70EsOkH4G8/5g9Eeu8uNc
+
+àT!Û÷�\Î’ù6˜
+·TÀƒrϵKr»9ÕÅw¹ÌžÀ8–æ¸ÇEƒ�¿´,ÜR.¢˜³’ÉiÒ ¹ßüý_'2Þ;iÒÅ„—8d¤ÏóÿÁ&DÝ«q¯²îxd
+µ3Ée„xnâg~’/)݇aƒÄWÔèžG~ºÒÈBNV·ˆi¨a�{ËæÝuÕÛ•ÜR=­ûMòO)$HS„Ýf¥f<ç›cóü?à
ï~*€Täà�)WtÊ�ñÅÀ&‚Ü8i˜óºz½è:5Ž¹[sc"ýÀì�& UýËÓ9ÂÓ'í§_»´{xkE½ïؼYÁ@åÑçƒÆÚf×Uä+†—B±u¨=ÿÌY4òe3âU
ÕÆQLSl5 U™qÚšþ!¨h�×W¼ã@}�OW¨ŠÃ
\ No newline at end of file
diff --git a/machines/haze/ssh.nix b/machines/haze/ssh.nix
index 2c63c08..054b746 100644
--- a/machines/haze/ssh.nix
+++ b/machines/haze/ssh.nix
@@ -1,2 +1,3 @@
 {
+  programs.ssh.startAgent = true;
 }
diff --git a/machines/haze/sway.nix b/machines/haze/sway.nix
new file mode 100644
index 0000000..9e6f1a8
--- /dev/null
+++ b/machines/haze/sway.nix
@@ -0,0 +1,11 @@
+{
+  services.gnome.gnome-keyring.enable = true;
+
+  programs.sway = {
+    enable = true;
+    wrapperFeatures.gtk = true;
+  };
+
+  users.users."rpqt".extraGroups = [ "video" ];
+  programs.light.enable = true;
+}
diff --git a/machines/haze/syncthing.nix b/machines/haze/syncthing.nix
index 0a6cfde..00806c4 100644
--- a/machines/haze/syncthing.nix
+++ b/machines/haze/syncthing.nix
@@ -1,6 +1,5 @@
 {
   config,
-  lib,
   ...
 }:
 let
@@ -8,11 +7,57 @@ let
   home = config.users.users.${user}.home;
 in
 {
+  # age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
+  # age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
+
   services.syncthing = {
-    enable = true;
+    enable = false;
     user = user;
-    group = lib.mkForce "users";
+    group = "users";
     dataDir = home;
-    configDir = lib.mkForce "${home}/.config/syncthing";
+    configDir = "${home}/.config/syncthing";
+    key = config.age.secrets.syncthing-key.path;
+    cert = config.age.secrets.syncthing-cert.path;
+    openDefaultPorts = true;
+    overrideDevices = true;
+    overrideFolders = true;
+    settings = {
+      devices = {
+        "genepi" = {
+          id = "EA7DC7O-IHB47EQ-AWT2QBJ-AWPDF5S-W4EM66A-KQPCTHI-UX53WKM-QTSAHQ4";
+        };
+        "pixel-7a" = {
+          id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
+        };
+      };
+      folders = {
+        "Documents" = {
+          path = "${home}/Documents";
+          devices = [
+            "genepi"
+            "pixel-7a"
+          ];
+        };
+        "Music" = {
+          path = "${home}/Music";
+          devices = [
+            "genepi"
+            "pixel-7a"
+          ];
+        };
+        "Pictures" = {
+          path = "${home}/Pictures";
+          devices = [
+            "genepi"
+          ];
+        };
+        "Videos" = {
+          path = "${home}/Videos";
+          devices = [
+            "genepi"
+          ];
+        };
+      };
+    };
   };
 }
diff --git a/machines/haze/thunderbird.nix b/machines/haze/thunderbird.nix
new file mode 100644
index 0000000..c856732
--- /dev/null
+++ b/machines/haze/thunderbird.nix
@@ -0,0 +1,3 @@
+{
+  programs.thunderbird.enable = true;
+}
diff --git a/machines/haze/video.nix b/machines/haze/video.nix
new file mode 100644
index 0000000..fd045fb
--- /dev/null
+++ b/machines/haze/video.nix
@@ -0,0 +1,4 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [ mpv ];
+}
diff --git a/machines/verbena/configuration.nix b/machines/verbena/configuration.nix
deleted file mode 100644
index 990a3bd..0000000
--- a/machines/verbena/configuration.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ self, lib, ... }:
-{
-  imports = [
-    self.nixosModules.nix-defaults
-    self.nixosModules.nextcloud
-    self.nixosModules.gitea
-    self.nixosModules.vaultwarden
-
-    self.inputs.srvos.nixosModules.server
-
-    {
-      # Add Pixel-7a as external device for clan wireguard network
-      networking.wireguard.interfaces.wireguard = {
-        ips = [ "100.42.42.1/32" ];
-        peers = [
-          {
-            publicKey = "BVgDQM18SfNofQsWs7m6fblaTB04Gk74VxR/zK8AKQ4=";
-            allowedIPs =
-              let
-                suffix = "cafe:cafe";
-              in
-              [ "fd28:387a:90:c400:${suffix}::/96" ];
-            persistentKeepalive = 25;
-          }
-        ];
-      };
-    }
-  ];
-
-  nixpkgs.hostPlatform = "x86_64-linux";
-
-  networking.hostName = "verbena";
-
-  networking.useDHCP = lib.mkDefault true;
-
-  networking.defaultGateway6 = {
-    address = self.infra.machines.verbena.gateway6;
-    interface = "ens3";
-  };
-  networking.interfaces."ens3" = {
-    ipv6.addresses = [
-      {
-        address = self.infra.machines.verbena.ipv6;
-        prefixLength = 64;
-      }
-    ];
-  };
-
-  clan.core.settings.state-version.enable = true;
-
-  services.nginx = {
-    enable = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
-  security.acme.acceptTerms = true;
-}
diff --git a/machines/verbena/disko.nix b/machines/verbena/disko.nix
deleted file mode 100644
index 0f74ef5..0000000
--- a/machines/verbena/disko.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-# ---
-# schema = "single-disk"
-# [placeholders]
-# mainDisk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0" 
-# ---
-# This file was automatically generated!
-# CHANGING this configuration requires wiping and reinstalling the machine
-{
-
-  boot.loader.grub.efiSupport = true;
-  boot.loader.grub.efiInstallAsRemovable = true;
-  boot.loader.grub.enable = true;
-  disko.devices = {
-    disk = {
-      main = {
-        name = "main-75e31aae5e864fb39a0414ea1230ca81";
-        device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0";
-        type = "disk";
-        content = {
-          type = "gpt";
-          partitions = {
-            "boot" = {
-              size = "1M";
-              type = "EF02"; # for grub MBR
-              priority = 1;
-            };
-            ESP = {
-              type = "EF00";
-              size = "500M";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-                mountOptions = [ "umask=0077" ];
-              };
-            };
-            root = {
-              size = "100%";
-              content = {
-                type = "filesystem";
-                format = "ext4";
-                mountpoint = "/";
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}
diff --git a/machines/verbena/facter.json b/machines/verbena/facter.json
deleted file mode 100644
index 164afc3..0000000
--- a/machines/verbena/facter.json
+++ /dev/null
@@ -1,2227 +0,0 @@
-{
-  "version": 1,
-  "system": "x86_64-linux",
-  "virtualisation": "kvm",
-  "hardware": {
-    "bios": {
-      "apm_info": {
-        "supported": false,
-        "enabled": false,
-        "version": 0,
-        "sub_version": 0,
-        "bios_flags": 0
-      },
-      "vbe_info": {
-        "version": 0,
-        "video_memory": 0
-      },
-      "pnp": true,
-      "pnp_id": 0,
-      "lba_support": false,
-      "low_memory_size": 654336,
-      "smbios_version": 520
-    },
-    "bridge": [
-      {
-        "index": 9,
-        "attached_to": 0,
-        "class_list": [
-          "pci",
-          "bridge"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 1
-        },
-        "base_class": {
-          "hex": "0006",
-          "name": "Bridge",
-          "value": 6
-        },
-        "sub_class": {
-          "hex": "0001",
-          "name": "ISA bridge",
-          "value": 1
-        },
-        "vendor": {
-          "hex": "8086",
-          "name": "Intel Corporation",
-          "value": 32902
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "7000",
-          "value": 28672
-        },
-        "sub_device": {
-          "hex": "1100",
-          "value": 4352
-        },
-        "model": "Intel ISA bridge",
-        "sysfs_id": "/devices/pci0000:00/0000:00:01.0",
-        "sysfs_bus_id": "0000:00:01.0",
-        "detail": {
-          "function": 0,
-          "command": 259,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 0,
-          "prog_if": 0
-        },
-        "module_alias": "pci:v00008086d00007000sv00001AF4sd00001100bc06sc01i00"
-      },
-      {
-        "index": 11,
-        "attached_to": 0,
-        "class_list": [
-          "pci",
-          "bridge"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 0
-        },
-        "base_class": {
-          "hex": "0006",
-          "name": "Bridge",
-          "value": 6
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "Host bridge",
-          "value": 0
-        },
-        "vendor": {
-          "hex": "8086",
-          "name": "Intel Corporation",
-          "value": 32902
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "1237",
-          "value": 4663
-        },
-        "sub_device": {
-          "hex": "1100",
-          "value": 4352
-        },
-        "revision": {
-          "hex": "0002",
-          "value": 2
-        },
-        "model": "Intel Host bridge",
-        "sysfs_id": "/devices/pci0000:00/0000:00:00.0",
-        "sysfs_bus_id": "0000:00:00.0",
-        "detail": {
-          "function": 0,
-          "command": 259,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 0,
-          "prog_if": 0
-        },
-        "module_alias": "pci:v00008086d00001237sv00001AF4sd00001100bc06sc00i00"
-      },
-      {
-        "index": 12,
-        "attached_to": 0,
-        "class_list": [
-          "pci",
-          "bridge"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 1
-        },
-        "base_class": {
-          "hex": "0006",
-          "name": "Bridge",
-          "value": 6
-        },
-        "sub_class": {
-          "hex": "0080",
-          "name": "Bridge",
-          "value": 128
-        },
-        "vendor": {
-          "hex": "8086",
-          "name": "Intel Corporation",
-          "value": 32902
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "7113",
-          "value": 28947
-        },
-        "sub_device": {
-          "hex": "1100",
-          "value": 4352
-        },
-        "revision": {
-          "hex": "0003",
-          "value": 3
-        },
-        "model": "Intel Bridge",
-        "sysfs_id": "/devices/pci0000:00/0000:00:01.3",
-        "sysfs_bus_id": "0000:00:01.3",
-        "resources": [
-          {
-            "type": "irq",
-            "base": 9,
-            "triggered": 0,
-            "enabled": true
-          }
-        ],
-        "detail": {
-          "function": 3,
-          "command": 259,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 9,
-          "prog_if": 0
-        },
-        "driver": "piix4_smbus",
-        "driver_module": "i2c_piix4",
-        "drivers": [
-          "piix4_smbus"
-        ],
-        "driver_modules": [
-          "i2c_piix4"
-        ],
-        "module_alias": "pci:v00008086d00007113sv00001AF4sd00001100bc06sc80i00"
-      }
-    ],
-    "cpu": [
-      {
-        "architecture": "x86_64",
-        "vendor_name": "GenuineIntel",
-        "family": 6,
-        "model": 60,
-        "stepping": 1,
-        "features": [
-          "fpu",
-          "vme",
-          "de",
-          "pse",
-          "tsc",
-          "msr",
-          "pae",
-          "mce",
-          "cx8",
-          "apic",
-          "sep",
-          "mtrr",
-          "pge",
-          "mca",
-          "cmov",
-          "pat",
-          "pse36",
-          "clflush",
-          "mmx",
-          "fxsr",
-          "sse",
-          "sse2",
-          "syscall",
-          "nx",
-          "rdtscp",
-          "lm",
-          "constant_tsc",
-          "rep_good",
-          "nopl",
-          "xtopology",
-          "cpuid",
-          "tsc_known_freq",
-          "pni",
-          "pclmulqdq",
-          "vmx",
-          "ssse3",
-          "fma",
-          "cx16",
-          "pcid",
-          "sse4_1",
-          "sse4_2",
-          "x2apic",
-          "movbe",
-          "popcnt",
-          "tsc_deadline_timer",
-          "aes",
-          "xsave",
-          "avx",
-          "f16c",
-          "rdrand",
-          "hypervisor",
-          "lahf_lm",
-          "abm",
-          "cpuid_fault",
-          "pti",
-          "tpr_shadow",
-          "flexpriority",
-          "ept",
-          "vpid",
-          "ept_ad",
-          "fsgsbase",
-          "bmi1",
-          "avx2",
-          "smep",
-          "bmi2",
-          "erms",
-          "invpcid",
-          "xsaveopt",
-          "arat",
-          "vnmi",
-          "md_clear"
-        ],
-        "bugs": [
-          "cpu_meltdown",
-          "spectre_v1",
-          "spectre_v2",
-          "spec_store_bypass",
-          "l1tf",
-          "mds",
-          "swapgs",
-          "itlb_multihit",
-          "srbds",
-          "mmio_unknown",
-          "bhi",
-          "its"
-        ],
-        "bogo": 5986.13,
-        "cache": 16384,
-        "physical_id": 0,
-        "siblings": 1,
-        "cores": 1,
-        "fpu": true,
-        "fpu_exception": true,
-        "cpuid_level": 13,
-        "write_protect": false,
-        "clflush_size": 64,
-        "cache_alignment": 64,
-        "address_sizes": {
-          "physical": "0x28",
-          "virtual": "0x30"
-        }
-      },
-      {
-        "architecture": "x86_64",
-        "vendor_name": "GenuineIntel",
-        "family": 6,
-        "model": 60,
-        "stepping": 1,
-        "features": [
-          "fpu",
-          "vme",
-          "de",
-          "pse",
-          "tsc",
-          "msr",
-          "pae",
-          "mce",
-          "cx8",
-          "apic",
-          "sep",
-          "mtrr",
-          "pge",
-          "mca",
-          "cmov",
-          "pat",
-          "pse36",
-          "clflush",
-          "mmx",
-          "fxsr",
-          "sse",
-          "sse2",
-          "syscall",
-          "nx",
-          "rdtscp",
-          "lm",
-          "constant_tsc",
-          "rep_good",
-          "nopl",
-          "xtopology",
-          "cpuid",
-          "tsc_known_freq",
-          "pni",
-          "pclmulqdq",
-          "vmx",
-          "ssse3",
-          "fma",
-          "cx16",
-          "pcid",
-          "sse4_1",
-          "sse4_2",
-          "x2apic",
-          "movbe",
-          "popcnt",
-          "tsc_deadline_timer",
-          "aes",
-          "xsave",
-          "avx",
-          "f16c",
-          "rdrand",
-          "hypervisor",
-          "lahf_lm",
-          "abm",
-          "cpuid_fault",
-          "pti",
-          "tpr_shadow",
-          "flexpriority",
-          "ept",
-          "vpid",
-          "ept_ad",
-          "fsgsbase",
-          "bmi1",
-          "avx2",
-          "smep",
-          "bmi2",
-          "erms",
-          "invpcid",
-          "xsaveopt",
-          "arat",
-          "vnmi",
-          "md_clear"
-        ],
-        "bugs": [
-          "cpu_meltdown",
-          "spectre_v1",
-          "spectre_v2",
-          "spec_store_bypass",
-          "l1tf",
-          "mds",
-          "swapgs",
-          "itlb_multihit",
-          "srbds",
-          "mmio_unknown",
-          "bhi",
-          "its"
-        ],
-        "bogo": 5986.13,
-        "cache": 16384,
-        "physical_id": 1,
-        "siblings": 1,
-        "cores": 1,
-        "fpu": true,
-        "fpu_exception": true,
-        "cpuid_level": 13,
-        "write_protect": false,
-        "clflush_size": 64,
-        "cache_alignment": 64,
-        "address_sizes": {
-          "physical": "0x28",
-          "virtual": "0x30"
-        }
-      },
-      {
-        "architecture": "x86_64",
-        "vendor_name": "GenuineIntel",
-        "family": 6,
-        "model": 60,
-        "stepping": 1,
-        "features": [
-          "fpu",
-          "vme",
-          "de",
-          "pse",
-          "tsc",
-          "msr",
-          "pae",
-          "mce",
-          "cx8",
-          "apic",
-          "sep",
-          "mtrr",
-          "pge",
-          "mca",
-          "cmov",
-          "pat",
-          "pse36",
-          "clflush",
-          "mmx",
-          "fxsr",
-          "sse",
-          "sse2",
-          "syscall",
-          "nx",
-          "rdtscp",
-          "lm",
-          "constant_tsc",
-          "rep_good",
-          "nopl",
-          "xtopology",
-          "cpuid",
-          "tsc_known_freq",
-          "pni",
-          "pclmulqdq",
-          "vmx",
-          "ssse3",
-          "fma",
-          "cx16",
-          "pcid",
-          "sse4_1",
-          "sse4_2",
-          "x2apic",
-          "movbe",
-          "popcnt",
-          "tsc_deadline_timer",
-          "aes",
-          "xsave",
-          "avx",
-          "f16c",
-          "rdrand",
-          "hypervisor",
-          "lahf_lm",
-          "abm",
-          "cpuid_fault",
-          "pti",
-          "tpr_shadow",
-          "flexpriority",
-          "ept",
-          "vpid",
-          "ept_ad",
-          "fsgsbase",
-          "bmi1",
-          "avx2",
-          "smep",
-          "bmi2",
-          "erms",
-          "invpcid",
-          "xsaveopt",
-          "arat",
-          "vnmi",
-          "md_clear"
-        ],
-        "bugs": [
-          "cpu_meltdown",
-          "spectre_v1",
-          "spectre_v2",
-          "spec_store_bypass",
-          "l1tf",
-          "mds",
-          "swapgs",
-          "itlb_multihit",
-          "srbds",
-          "mmio_unknown",
-          "bhi",
-          "its"
-        ],
-        "bogo": 5986.13,
-        "cache": 16384,
-        "physical_id": 2,
-        "siblings": 1,
-        "cores": 1,
-        "fpu": true,
-        "fpu_exception": true,
-        "cpuid_level": 13,
-        "write_protect": false,
-        "clflush_size": 64,
-        "cache_alignment": 64,
-        "address_sizes": {
-          "physical": "0x28",
-          "virtual": "0x30"
-        }
-      },
-      {
-        "architecture": "x86_64",
-        "vendor_name": "GenuineIntel",
-        "family": 6,
-        "model": 60,
-        "stepping": 1,
-        "features": [
-          "fpu",
-          "vme",
-          "de",
-          "pse",
-          "tsc",
-          "msr",
-          "pae",
-          "mce",
-          "cx8",
-          "apic",
-          "sep",
-          "mtrr",
-          "pge",
-          "mca",
-          "cmov",
-          "pat",
-          "pse36",
-          "clflush",
-          "mmx",
-          "fxsr",
-          "sse",
-          "sse2",
-          "syscall",
-          "nx",
-          "rdtscp",
-          "lm",
-          "constant_tsc",
-          "rep_good",
-          "nopl",
-          "xtopology",
-          "cpuid",
-          "tsc_known_freq",
-          "pni",
-          "pclmulqdq",
-          "vmx",
-          "ssse3",
-          "fma",
-          "cx16",
-          "pcid",
-          "sse4_1",
-          "sse4_2",
-          "x2apic",
-          "movbe",
-          "popcnt",
-          "tsc_deadline_timer",
-          "aes",
-          "xsave",
-          "avx",
-          "f16c",
-          "rdrand",
-          "hypervisor",
-          "lahf_lm",
-          "abm",
-          "cpuid_fault",
-          "pti",
-          "tpr_shadow",
-          "flexpriority",
-          "ept",
-          "vpid",
-          "ept_ad",
-          "fsgsbase",
-          "bmi1",
-          "avx2",
-          "smep",
-          "bmi2",
-          "erms",
-          "invpcid",
-          "xsaveopt",
-          "arat",
-          "vnmi",
-          "md_clear"
-        ],
-        "bugs": [
-          "cpu_meltdown",
-          "spectre_v1",
-          "spectre_v2",
-          "spec_store_bypass",
-          "l1tf",
-          "mds",
-          "swapgs",
-          "itlb_multihit",
-          "srbds",
-          "mmio_unknown",
-          "bhi",
-          "its"
-        ],
-        "bogo": 5986.13,
-        "cache": 16384,
-        "physical_id": 3,
-        "siblings": 1,
-        "cores": 1,
-        "fpu": true,
-        "fpu_exception": true,
-        "cpuid_level": 13,
-        "write_protect": false,
-        "clflush_size": 64,
-        "cache_alignment": 64,
-        "address_sizes": {
-          "physical": "0x28",
-          "virtual": "0x30"
-        }
-      }
-    ],
-    "disk": [
-      {
-        "index": 23,
-        "attached_to": 18,
-        "class_list": [
-          "disk",
-          "scsi",
-          "block_device"
-        ],
-        "bus_type": {
-          "hex": "0084",
-          "name": "SCSI",
-          "value": 132
-        },
-        "slot": {
-          "bus": 0,
-          "number": 0
-        },
-        "base_class": {
-          "hex": "0106",
-          "name": "Mass Storage Device",
-          "value": 262
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "Disk",
-          "value": 0
-        },
-        "vendor": {
-          "hex": "0000",
-          "name": "QEMU",
-          "value": 0
-        },
-        "device": {
-          "hex": "0000",
-          "name": "QEMU HARDDISK",
-          "value": 0
-        },
-        "revision": {
-          "hex": "0000",
-          "name": "2.5+",
-          "value": 0
-        },
-        "model": "QEMU HARDDISK",
-        "sysfs_id": "/class/block/sda",
-        "sysfs_bus_id": "0:0:0:0",
-        "sysfs_device_link": "/devices/pci0000:00/0000:00:04.0/virtio1/host0/target0:0:0/0:0:0:0",
-        "unix_device_name": "/dev/sda",
-        "unix_device_number": {
-          "type": 98,
-          "major": 8,
-          "minor": 0,
-          "range": 16
-        },
-        "unix_device_names": [
-          "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0",
-          "/dev/disk/by-path/pci-0000:00:04.0-scsi-0:0:0:0",
-          "/dev/sda"
-        ],
-        "unix_device_name2": "/dev/sg0",
-        "unix_device_number2": {
-          "type": 99,
-          "major": 21,
-          "minor": 0,
-          "range": 1
-        },
-        "rom_id": "0x80",
-        "resources": [
-          {
-            "type": "disk_geo",
-            "cylinders": 9790,
-            "heads": 255,
-            "sectors": 63,
-            "size": "0x0",
-            "geo_type": "logical"
-          },
-          {
-            "type": "size",
-            "unit": "sectors",
-            "value_1": 157286400,
-            "value_2": 512
-          }
-        ],
-        "driver": "virtio_scsi",
-        "driver_module": "virtio_scsi",
-        "drivers": [
-          "sd",
-          "virtio_scsi"
-        ],
-        "driver_modules": [
-          "sd_mod",
-          "virtio_scsi"
-        ]
-      }
-    ],
-    "graphics_card": [
-      {
-        "index": 16,
-        "attached_to": 0,
-        "class_list": [
-          "graphics_card",
-          "pci"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 2
-        },
-        "base_class": {
-          "hex": "0003",
-          "name": "Display controller",
-          "value": 3
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "VGA compatible controller",
-          "value": 0
-        },
-        "pci_interface": {
-          "hex": "0000",
-          "name": "VGA",
-          "value": 0
-        },
-        "vendor": {
-          "hex": "1013",
-          "name": "Cirrus Logic",
-          "value": 4115
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "00b8",
-          "name": "GD 5446",
-          "value": 184
-        },
-        "sub_device": {
-          "hex": "1100",
-          "value": 4352
-        },
-        "model": "Cirrus Logic GD 5446",
-        "sysfs_id": "/devices/pci0000:00/0000:00:02.0",
-        "sysfs_bus_id": "0000:00:02.0",
-        "resources": [
-          {
-            "type": "mem",
-            "base": 4227858432,
-            "range": 33554432,
-            "enabled": true,
-            "access": "read_only",
-            "prefetch": "no"
-          },
-          {
-            "type": "mem",
-            "base": 4273537024,
-            "range": 4096,
-            "enabled": true,
-            "access": "read_write",
-            "prefetch": "no"
-          },
-          {
-            "type": "mem",
-            "base": 786432,
-            "range": 131072,
-            "enabled": false,
-            "access": "read_write",
-            "prefetch": "no"
-          }
-        ],
-        "detail": {
-          "function": 0,
-          "command": 259,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 0,
-          "prog_if": 0
-        },
-        "driver": "cirrus-qemu",
-        "driver_module": "cirrus_qemu",
-        "drivers": [
-          "cirrus-qemu"
-        ],
-        "driver_modules": [
-          "cirrus_qemu"
-        ],
-        "driver_info": {
-          "type": "x11",
-          "db_entry_0": [
-            "4",
-            "cirrus"
-          ],
-          "server": "cirrus",
-          "xf86_version": "4",
-          "supports_3d": false,
-          "Colors": {
-            "all": 0,
-            "c8": 0,
-            "c15": 0,
-            "c16": 0,
-            "c24": 0,
-            "c32": 0
-          },
-          "dac_speed": 0,
-          "script": ""
-        },
-        "module_alias": "pci:v00001013d000000B8sv00001AF4sd00001100bc03sc00i00"
-      }
-    ],
-    "hub": [
-      {
-        "index": 24,
-        "attached_to": 8,
-        "class_list": [
-          "usb",
-          "hub"
-        ],
-        "bus_type": {
-          "hex": "0086",
-          "name": "USB",
-          "value": 134
-        },
-        "slot": {
-          "bus": 0,
-          "number": 0
-        },
-        "base_class": {
-          "hex": "010a",
-          "name": "Hub",
-          "value": 266
-        },
-        "vendor": {
-          "hex": "1d6b",
-          "name": "Linux 6.14.10 uhci_hcd",
-          "value": 7531
-        },
-        "device": {
-          "hex": "0001",
-          "name": "UHCI Host Controller",
-          "value": 1
-        },
-        "revision": {
-          "hex": "0000",
-          "name": "6.14",
-          "value": 0
-        },
-        "serial": "0000:00:01.2",
-        "model": "Linux 6.14.10 uhci_hcd UHCI Host Controller",
-        "sysfs_id": "/devices/pci0000:00/0000:00:01.2/usb1/1-0:1.0",
-        "sysfs_bus_id": "1-0:1.0",
-        "resources": [
-          {
-            "type": "baud",
-            "speed": 12000000,
-            "bits": 0,
-            "stop_bits": 0,
-            "parity": 0,
-            "handshake": 0
-          }
-        ],
-        "detail": {
-          "device_class": {
-            "hex": "0009",
-            "name": "hub",
-            "value": 9
-          },
-          "device_subclass": {
-            "hex": "0000",
-            "name": "per_interface",
-            "value": 0
-          },
-          "device_protocol": 0,
-          "interface_class": {
-            "hex": "0009",
-            "name": "hub",
-            "value": 9
-          },
-          "interface_subclass": {
-            "hex": "0000",
-            "name": "per_interface",
-            "value": 0
-          },
-          "interface_protocol": 0,
-          "interface_number": 0,
-          "interface_alternate_setting": 0
-        },
-        "hotplug": "usb",
-        "driver": "hub",
-        "driver_module": "usbcore",
-        "drivers": [
-          "hub"
-        ],
-        "driver_modules": [
-          "usbcore"
-        ],
-        "module_alias": "usb:v1D6Bp0001d0614dc09dsc00dp00ic09isc00ip00in00"
-      }
-    ],
-    "memory": [
-      {
-        "index": 7,
-        "attached_to": 0,
-        "class_list": [
-          "memory"
-        ],
-        "base_class": {
-          "hex": "0101",
-          "name": "Internally Used Class",
-          "value": 257
-        },
-        "sub_class": {
-          "hex": "0002",
-          "name": "Main Memory",
-          "value": 2
-        },
-        "model": "Main Memory",
-        "resources": [
-          {
-            "type": "mem",
-            "base": 0,
-            "range": 8130945024,
-            "enabled": true,
-            "access": "read_write",
-            "prefetch": "unknown"
-          },
-          {
-            "type": "phys_mem",
-            "range": 8053063680
-          }
-        ]
-      }
-    ],
-    "mouse": [
-      {
-        "index": 25,
-        "attached_to": 24,
-        "class_list": [
-          "mouse",
-          "usb"
-        ],
-        "bus_type": {
-          "hex": "0086",
-          "name": "USB",
-          "value": 134
-        },
-        "slot": {
-          "bus": 0,
-          "number": 0
-        },
-        "base_class": {
-          "hex": "0105",
-          "name": "Mouse",
-          "value": 261
-        },
-        "sub_class": {
-          "hex": "0003",
-          "name": "USB Mouse",
-          "value": 3
-        },
-        "vendor": {
-          "hex": "0627",
-          "name": "QEMU",
-          "value": 1575
-        },
-        "device": {
-          "hex": "0001",
-          "name": "QEMU USB Tablet",
-          "value": 1
-        },
-        "serial": "28754-0000:00:01.2-1",
-        "compat_vendor": "Unknown",
-        "compat_device": "Generic USB Mouse",
-        "model": "QEMU USB Tablet",
-        "sysfs_id": "/devices/pci0000:00/0000:00:01.2/usb1/1-1/1-1:1.0",
-        "sysfs_bus_id": "1-1:1.0",
-        "unix_device_name": "/dev/input/mice",
-        "unix_device_number": {
-          "type": 99,
-          "major": 13,
-          "minor": 63,
-          "range": 1
-        },
-        "unix_device_names": [
-          "/dev/input/mice"
-        ],
-        "unix_device_name2": "/dev/input/mouse0",
-        "unix_device_number2": {
-          "type": 99,
-          "major": 13,
-          "minor": 32,
-          "range": 1
-        },
-        "resources": [
-          {
-            "type": "baud",
-            "speed": 12000000,
-            "bits": 0,
-            "stop_bits": 0,
-            "parity": 0,
-            "handshake": 0
-          }
-        ],
-        "detail": {
-          "device_class": {
-            "hex": "0000",
-            "name": "per_interface",
-            "value": 0
-          },
-          "device_subclass": {
-            "hex": "0000",
-            "name": "per_interface",
-            "value": 0
-          },
-          "device_protocol": 0,
-          "interface_class": {
-            "hex": "0003",
-            "name": "hid",
-            "value": 3
-          },
-          "interface_subclass": {
-            "hex": "0000",
-            "name": "per_interface",
-            "value": 0
-          },
-          "interface_protocol": 0,
-          "interface_number": 0,
-          "interface_alternate_setting": 0
-        },
-        "hotplug": "usb",
-        "driver": "usbhid",
-        "driver_module": "usbhid",
-        "drivers": [
-          "usbhid"
-        ],
-        "driver_modules": [
-          "usbhid"
-        ],
-        "driver_info": {
-          "type": "mouse",
-          "db_entry_0": [
-            "explorerps/2",
-            "exps2"
-          ],
-          "xf86": "explorerps/2",
-          "gpm": "exps2",
-          "buttons": -1,
-          "wheels": -1
-        },
-        "module_alias": "usb:v0627p0001d0000dc00dsc00dp00ic03isc00ip00in00"
-      }
-    ],
-    "network_controller": [
-      {
-        "index": 20,
-        "attached_to": 13,
-        "class_list": [
-          "network_controller"
-        ],
-        "bus_type": {
-          "hex": "008f",
-          "name": "Virtio",
-          "value": 143
-        },
-        "slot": {
-          "bus": 0,
-          "number": 0
-        },
-        "base_class": {
-          "hex": "0002",
-          "name": "Network controller",
-          "value": 2
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "Ethernet controller",
-          "value": 0
-        },
-        "vendor": "Virtio",
-        "device": "Ethernet Card 0",
-        "model": "Virtio Ethernet Card 0",
-        "sysfs_id": "/devices/pci0000:00/0000:00:03.0/virtio0",
-        "sysfs_bus_id": "virtio0",
-        "unix_device_name": "ens3",
-        "unix_device_names": [
-          "ens3"
-        ],
-        "resources": [
-          {
-            "type": "hwaddr",
-            "address": 102
-          },
-          {
-            "type": "phwaddr",
-            "address": 102
-          }
-        ],
-        "driver": "virtio_net",
-        "driver_module": "virtio_net",
-        "drivers": [
-          "virtio_net"
-        ],
-        "driver_modules": [
-          "virtio_net"
-        ],
-        "module_alias": "virtio:d00000001v00001AF4"
-      }
-    ],
-    "network_interface": [
-      {
-        "index": 26,
-        "attached_to": 20,
-        "class_list": [
-          "network_interface"
-        ],
-        "base_class": {
-          "hex": "0107",
-          "name": "Network Interface",
-          "value": 263
-        },
-        "sub_class": {
-          "hex": "0001",
-          "name": "Ethernet",
-          "value": 1
-        },
-        "model": "Ethernet network interface",
-        "sysfs_id": "/class/net/ens3",
-        "sysfs_device_link": "/devices/pci0000:00/0000:00:03.0/virtio0",
-        "unix_device_name": "ens3",
-        "unix_device_names": [
-          "ens3"
-        ],
-        "resources": [
-          {
-            "type": "hwaddr",
-            "address": 102
-          },
-          {
-            "type": "phwaddr",
-            "address": 102
-          }
-        ],
-        "driver": "virtio_net",
-        "driver_module": "virtio_net",
-        "drivers": [
-          "virtio_net"
-        ],
-        "driver_modules": [
-          "virtio_net"
-        ]
-      },
-      {
-        "index": 27,
-        "attached_to": 0,
-        "class_list": [
-          "network_interface"
-        ],
-        "base_class": {
-          "hex": "0107",
-          "name": "Network Interface",
-          "value": 263
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "Loopback",
-          "value": 0
-        },
-        "model": "Loopback network interface",
-        "sysfs_id": "/class/net/lo",
-        "unix_device_name": "lo",
-        "unix_device_names": [
-          "lo"
-        ]
-      }
-    ],
-    "pci": [
-      {
-        "index": 13,
-        "attached_to": 0,
-        "class_list": [
-          "pci",
-          "unknown"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 3
-        },
-        "base_class": {
-          "hex": "0002",
-          "name": "Network controller",
-          "value": 2
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "Ethernet controller",
-          "value": 0
-        },
-        "vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "1000",
-          "value": 4096
-        },
-        "sub_device": {
-          "hex": "0001",
-          "value": 1
-        },
-        "model": "Ethernet controller",
-        "sysfs_id": "/devices/pci0000:00/0000:00:03.0",
-        "sysfs_bus_id": "0000:00:03.0",
-        "resources": [
-          {
-            "type": "io",
-            "base": 49152,
-            "range": 64,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "irq",
-            "base": 10,
-            "triggered": 0,
-            "enabled": true
-          },
-          {
-            "type": "mem",
-            "base": 4261412864,
-            "range": 16384,
-            "enabled": true,
-            "access": "read_only",
-            "prefetch": "no"
-          },
-          {
-            "type": "mem",
-            "base": 4272947200,
-            "range": 524288,
-            "enabled": false,
-            "access": "read_only",
-            "prefetch": "no"
-          },
-          {
-            "type": "mem",
-            "base": 4273541120,
-            "range": 4096,
-            "enabled": true,
-            "access": "read_write",
-            "prefetch": "no"
-          }
-        ],
-        "detail": {
-          "function": 0,
-          "command": 1287,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 10,
-          "prog_if": 0
-        },
-        "driver": "virtio-pci",
-        "driver_module": "virtio_pci",
-        "drivers": [
-          "virtio-pci"
-        ],
-        "driver_modules": [
-          "virtio_pci"
-        ],
-        "module_alias": "pci:v00001AF4d00001000sv00001AF4sd00000001bc02sc00i00"
-      },
-      {
-        "index": 15,
-        "attached_to": 0,
-        "class_list": [
-          "pci",
-          "unknown"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 6
-        },
-        "base_class": {
-          "hex": "0000",
-          "name": "Unclassified device",
-          "value": 0
-        },
-        "sub_class": {
-          "hex": "00ff",
-          "value": 255
-        },
-        "vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "1002",
-          "value": 4098
-        },
-        "sub_device": {
-          "hex": "0005",
-          "value": 5
-        },
-        "model": "Unclassified device",
-        "sysfs_id": "/devices/pci0000:00/0000:00:06.0",
-        "sysfs_bus_id": "0000:00:06.0",
-        "resources": [
-          {
-            "type": "io",
-            "base": 49344,
-            "range": 64,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "irq",
-            "base": 11,
-            "triggered": 0,
-            "enabled": true
-          },
-          {
-            "type": "mem",
-            "base": 4261462016,
-            "range": 16384,
-            "enabled": true,
-            "access": "read_only",
-            "prefetch": "no"
-          }
-        ],
-        "detail": {
-          "function": 0,
-          "command": 263,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 11,
-          "prog_if": 0
-        },
-        "driver": "virtio-pci",
-        "driver_module": "virtio_pci",
-        "drivers": [
-          "virtio-pci"
-        ],
-        "driver_modules": [
-          "virtio_pci"
-        ],
-        "module_alias": "pci:v00001AF4d00001002sv00001AF4sd00000005bc00scFFi00"
-      },
-      {
-        "index": 17,
-        "attached_to": 0,
-        "class_list": [
-          "pci",
-          "unknown"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 5
-        },
-        "base_class": {
-          "hex": "0007",
-          "name": "Communication controller",
-          "value": 7
-        },
-        "sub_class": {
-          "hex": "0080",
-          "name": "Communication controller",
-          "value": 128
-        },
-        "vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "1003",
-          "value": 4099
-        },
-        "sub_device": {
-          "hex": "0003",
-          "value": 3
-        },
-        "model": "Communication controller",
-        "sysfs_id": "/devices/pci0000:00/0000:00:05.0",
-        "sysfs_bus_id": "0000:00:05.0",
-        "resources": [
-          {
-            "type": "io",
-            "base": 49280,
-            "range": 64,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "irq",
-            "base": 10,
-            "triggered": 0,
-            "enabled": true
-          },
-          {
-            "type": "mem",
-            "base": 4261445632,
-            "range": 16384,
-            "enabled": true,
-            "access": "read_only",
-            "prefetch": "no"
-          },
-          {
-            "type": "mem",
-            "base": 4273549312,
-            "range": 4096,
-            "enabled": true,
-            "access": "read_write",
-            "prefetch": "no"
-          }
-        ],
-        "detail": {
-          "function": 0,
-          "command": 1287,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 10,
-          "prog_if": 0
-        },
-        "driver": "virtio-pci",
-        "driver_module": "virtio_pci",
-        "drivers": [
-          "virtio-pci"
-        ],
-        "driver_modules": [
-          "virtio_pci"
-        ],
-        "module_alias": "pci:v00001AF4d00001003sv00001AF4sd00000003bc07sc80i00"
-      }
-    ],
-    "storage_controller": [
-      {
-        "index": 10,
-        "attached_to": 0,
-        "class_list": [
-          "storage_controller",
-          "pci"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 4
-        },
-        "base_class": {
-          "hex": "0001",
-          "name": "Mass storage controller",
-          "value": 1
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "SCSI storage controller",
-          "value": 0
-        },
-        "vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "1004",
-          "value": 4100
-        },
-        "sub_device": {
-          "hex": "0008",
-          "value": 8
-        },
-        "model": "SCSI storage controller",
-        "sysfs_id": "/devices/pci0000:00/0000:00:04.0",
-        "sysfs_bus_id": "0000:00:04.0",
-        "resources": [
-          {
-            "type": "io",
-            "base": 49216,
-            "range": 64,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "irq",
-            "base": 11,
-            "triggered": 0,
-            "enabled": true
-          },
-          {
-            "type": "mem",
-            "base": 4261429248,
-            "range": 16384,
-            "enabled": true,
-            "access": "read_only",
-            "prefetch": "no"
-          },
-          {
-            "type": "mem",
-            "base": 4273545216,
-            "range": 4096,
-            "enabled": true,
-            "access": "read_write",
-            "prefetch": "no"
-          }
-        ],
-        "detail": {
-          "function": 0,
-          "command": 1287,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 11,
-          "prog_if": 0
-        },
-        "driver": "virtio-pci",
-        "driver_module": "virtio_pci",
-        "drivers": [
-          "virtio-pci"
-        ],
-        "driver_modules": [
-          "virtio_pci"
-        ],
-        "module_alias": "pci:v00001AF4d00001004sv00001AF4sd00000008bc01sc00i00"
-      },
-      {
-        "index": 14,
-        "attached_to": 0,
-        "class_list": [
-          "storage_controller",
-          "pci"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 1
-        },
-        "base_class": {
-          "hex": "0001",
-          "name": "Mass storage controller",
-          "value": 1
-        },
-        "sub_class": {
-          "hex": "0001",
-          "name": "IDE interface",
-          "value": 1
-        },
-        "pci_interface": {
-          "hex": "0080",
-          "value": 128
-        },
-        "vendor": {
-          "hex": "8086",
-          "name": "Intel Corporation",
-          "value": 32902
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "7010",
-          "value": 28688
-        },
-        "sub_device": {
-          "hex": "1100",
-          "value": 4352
-        },
-        "model": "Intel IDE interface",
-        "sysfs_id": "/devices/pci0000:00/0000:00:01.1",
-        "sysfs_bus_id": "0000:00:01.1",
-        "resources": [
-          {
-            "type": "io",
-            "base": 1014,
-            "range": 1,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "io",
-            "base": 368,
-            "range": 8,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "io",
-            "base": 49440,
-            "range": 16,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "io",
-            "base": 496,
-            "range": 8,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "io",
-            "base": 886,
-            "range": 1,
-            "enabled": true,
-            "access": "read_write"
-          }
-        ],
-        "detail": {
-          "function": 1,
-          "command": 263,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 0,
-          "prog_if": 128
-        },
-        "driver": "ata_piix",
-        "driver_module": "ata_piix",
-        "drivers": [
-          "ata_piix"
-        ],
-        "driver_modules": [
-          "ata_piix"
-        ],
-        "module_alias": "pci:v00008086d00007010sv00001AF4sd00001100bc01sc01i80"
-      }
-    ],
-    "system": {
-      "form_factor": "desktop"
-    },
-    "unknown": [
-      {
-        "index": 18,
-        "attached_to": 10,
-        "class_list": [
-          "unknown"
-        ],
-        "base_class": {
-          "hex": "0000",
-          "name": "Unclassified device",
-          "value": 0
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "Unclassified device",
-          "value": 0
-        },
-        "vendor": "Virtio",
-        "device": "",
-        "model": "Virtio Unclassified device",
-        "sysfs_id": "/devices/pci0000:00/0000:00:04.0/virtio1",
-        "sysfs_bus_id": "virtio1",
-        "driver": "virtio_scsi",
-        "driver_module": "virtio_scsi",
-        "drivers": [
-          "virtio_scsi"
-        ],
-        "driver_modules": [
-          "virtio_scsi"
-        ],
-        "module_alias": "virtio:d00000008v00001AF4"
-      },
-      {
-        "index": 19,
-        "attached_to": 17,
-        "class_list": [
-          "unknown"
-        ],
-        "base_class": {
-          "hex": "0000",
-          "name": "Unclassified device",
-          "value": 0
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "Unclassified device",
-          "value": 0
-        },
-        "vendor": "Virtio",
-        "device": "",
-        "model": "Virtio Unclassified device",
-        "sysfs_id": "/devices/pci0000:00/0000:00:05.0/virtio2",
-        "sysfs_bus_id": "virtio2",
-        "driver": "virtio_console",
-        "driver_module": "virtio_console",
-        "drivers": [
-          "virtio_console"
-        ],
-        "driver_modules": [
-          "virtio_console"
-        ],
-        "module_alias": "virtio:d00000003v00001AF4"
-      },
-      {
-        "index": 21,
-        "attached_to": 15,
-        "class_list": [
-          "unknown"
-        ],
-        "base_class": {
-          "hex": "0000",
-          "name": "Unclassified device",
-          "value": 0
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "Unclassified device",
-          "value": 0
-        },
-        "vendor": "Virtio",
-        "device": "",
-        "model": "Virtio Unclassified device",
-        "sysfs_id": "/devices/pci0000:00/0000:00:06.0/virtio3",
-        "sysfs_bus_id": "virtio3",
-        "driver": "virtio_balloon",
-        "driver_module": "virtio_balloon",
-        "drivers": [
-          "virtio_balloon"
-        ],
-        "driver_modules": [
-          "virtio_balloon"
-        ],
-        "module_alias": "virtio:d00000005v00001AF4"
-      },
-      {
-        "index": 22,
-        "attached_to": 0,
-        "class_list": [
-          "unknown"
-        ],
-        "base_class": {
-          "hex": "0007",
-          "name": "Communication controller",
-          "value": 7
-        },
-        "sub_class": {
-          "hex": "0000",
-          "name": "Serial controller",
-          "value": 0
-        },
-        "pci_interface": {
-          "hex": "0002",
-          "name": "16550",
-          "value": 2
-        },
-        "device": {
-          "hex": "0000",
-          "name": "16550A",
-          "value": 0
-        },
-        "model": "16550A",
-        "unix_device_name": "/dev/ttyS0",
-        "unix_device_names": [
-          "/dev/ttyS0"
-        ],
-        "resources": [
-          {
-            "type": "io",
-            "base": 1016,
-            "range": 0,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "irq",
-            "base": 4,
-            "triggered": 0,
-            "enabled": true
-          }
-        ]
-      }
-    ],
-    "usb_controller": [
-      {
-        "index": 8,
-        "attached_to": 0,
-        "class_list": [
-          "usb_controller",
-          "pci"
-        ],
-        "bus_type": {
-          "hex": "0004",
-          "name": "PCI",
-          "value": 4
-        },
-        "slot": {
-          "bus": 0,
-          "number": 1
-        },
-        "base_class": {
-          "hex": "000c",
-          "name": "Serial bus controller",
-          "value": 12
-        },
-        "sub_class": {
-          "hex": "0003",
-          "name": "USB Controller",
-          "value": 3
-        },
-        "pci_interface": {
-          "hex": "0000",
-          "name": "UHCI",
-          "value": 0
-        },
-        "vendor": {
-          "hex": "8086",
-          "name": "Intel Corporation",
-          "value": 32902
-        },
-        "sub_vendor": {
-          "hex": "1af4",
-          "value": 6900
-        },
-        "device": {
-          "hex": "7020",
-          "value": 28704
-        },
-        "sub_device": {
-          "hex": "1100",
-          "value": 4352
-        },
-        "revision": {
-          "hex": "0001",
-          "value": 1
-        },
-        "model": "Intel USB Controller",
-        "sysfs_id": "/devices/pci0000:00/0000:00:01.2",
-        "sysfs_bus_id": "0000:00:01.2",
-        "resources": [
-          {
-            "type": "io",
-            "base": 49408,
-            "range": 32,
-            "enabled": true,
-            "access": "read_write"
-          },
-          {
-            "type": "irq",
-            "base": 11,
-            "triggered": 0,
-            "enabled": true
-          }
-        ],
-        "detail": {
-          "function": 2,
-          "command": 263,
-          "header_type": 0,
-          "secondary_bus": 0,
-          "irq": 11,
-          "prog_if": 0
-        },
-        "driver": "uhci_hcd",
-        "driver_module": "uhci_hcd",
-        "drivers": [
-          "uhci_hcd"
-        ],
-        "driver_modules": [
-          "uhci_hcd"
-        ],
-        "driver_info": {
-          "type": "module",
-          "db_entry_0": [
-            "uhci-hcd"
-          ],
-          "active": true,
-          "modprobe": true,
-          "names": [
-            "uhci-hcd"
-          ],
-          "module_args": [
-            ""
-          ],
-          "conf": ""
-        },
-        "module_alias": "pci:v00008086d00007020sv00001AF4sd00001100bc0Csc03i00"
-      }
-    ]
-  },
-  "smbios": {
-    "bios": {
-      "handle": 0,
-      "vendor": "SeaBIOS",
-      "version": "1.16.3-debian-1.16.3-2~bpo12+1",
-      "date": "04/01/2014",
-      "features": null,
-      "start_address": "0xe8000",
-      "rom_size": 65536
-    },
-    "chassis": [
-      {
-        "handle": 768,
-        "manufacturer": "QEMU",
-        "version": "pc-i440fx-9.2",
-        "chassis_type": {
-          "hex": "0001",
-          "name": "Other",
-          "value": 1
-        },
-        "lock_present": false,
-        "bootup_state": {
-          "hex": "0003",
-          "name": "Safe",
-          "value": 3
-        },
-        "power_state": {
-          "hex": "0003",
-          "name": "Safe",
-          "value": 3
-        },
-        "thermal_state": {
-          "hex": "0003",
-          "name": "Safe",
-          "value": 3
-        },
-        "security_state": {
-          "hex": "0002",
-          "name": "Unknown",
-          "value": 2
-        },
-        "oem": "0x0"
-      }
-    ],
-    "memory_array": [
-      {
-        "handle": 4096,
-        "location": {
-          "hex": "0001",
-          "name": "Other",
-          "value": 1
-        },
-        "usage": {
-          "hex": "0003",
-          "name": "System memory",
-          "value": 3
-        },
-        "ecc": {
-          "hex": "0006",
-          "name": "Multi-bit",
-          "value": 6
-        },
-        "max_size": "0x7d0000",
-        "error_handle": 65534,
-        "slots": 1
-      }
-    ],
-    "memory_array_mapped_address": [
-      {
-        "handle": 4864,
-        "array_handle": 4096,
-        "start_address": "0x0",
-        "end_address": "0xc0000000",
-        "part_width": 1
-      },
-      {
-        "handle": 4865,
-        "array_handle": 4096,
-        "start_address": "0x100000000",
-        "end_address": "0x234000000",
-        "part_width": 1
-      }
-    ],
-    "memory_device": [
-      {
-        "handle": 4352,
-        "location": "DIMM 0",
-        "bank_location": "",
-        "manufacturer": "QEMU",
-        "part_number": "",
-        "array_handle": 4096,
-        "error_handle": 65534,
-        "width": 0,
-        "ecc_bits": 0,
-        "size": 8192000,
-        "form_factor": {
-          "hex": "0009",
-          "name": "DIMM",
-          "value": 9
-        },
-        "set": 0,
-        "memory_type": {
-          "hex": "0007",
-          "name": "RAM",
-          "value": 7
-        },
-        "memory_type_details": [
-          "Other"
-        ],
-        "speed": 0
-      }
-    ],
-    "processor": [
-      {
-        "handle": 1024,
-        "socket": "CPU 0",
-        "socket_type": {
-          "hex": "0001",
-          "name": "Other",
-          "value": 1
-        },
-        "socket_populated": true,
-        "manufacturer": "QEMU",
-        "version": "pc-i440fx-9.2",
-        "part": "",
-        "processor_type": {
-          "hex": "0003",
-          "name": "CPU",
-          "value": 3
-        },
-        "processor_family": {
-          "hex": "00fe",
-          "name": "Other",
-          "value": 254
-        },
-        "processor_status": {
-          "hex": "0001",
-          "name": "Enabled",
-          "value": 1
-        },
-        "clock_ext": 0,
-        "clock_max": 2000,
-        "cache_handle_l1": 0,
-        "cache_handle_l2": 0,
-        "cache_handle_l3": 0
-      },
-      {
-        "handle": 1025,
-        "socket": "CPU 1",
-        "socket_type": {
-          "hex": "0001",
-          "name": "Other",
-          "value": 1
-        },
-        "socket_populated": true,
-        "manufacturer": "QEMU",
-        "version": "pc-i440fx-9.2",
-        "part": "",
-        "processor_type": {
-          "hex": "0003",
-          "name": "CPU",
-          "value": 3
-        },
-        "processor_family": {
-          "hex": "00fe",
-          "name": "Other",
-          "value": 254
-        },
-        "processor_status": {
-          "hex": "0001",
-          "name": "Enabled",
-          "value": 1
-        },
-        "clock_ext": 0,
-        "clock_max": 2000,
-        "cache_handle_l1": 0,
-        "cache_handle_l2": 0,
-        "cache_handle_l3": 0
-      },
-      {
-        "handle": 1026,
-        "socket": "CPU 2",
-        "socket_type": {
-          "hex": "0001",
-          "name": "Other",
-          "value": 1
-        },
-        "socket_populated": true,
-        "manufacturer": "QEMU",
-        "version": "pc-i440fx-9.2",
-        "part": "",
-        "processor_type": {
-          "hex": "0003",
-          "name": "CPU",
-          "value": 3
-        },
-        "processor_family": {
-          "hex": "00fe",
-          "name": "Other",
-          "value": 254
-        },
-        "processor_status": {
-          "hex": "0001",
-          "name": "Enabled",
-          "value": 1
-        },
-        "clock_ext": 0,
-        "clock_max": 2000,
-        "cache_handle_l1": 0,
-        "cache_handle_l2": 0,
-        "cache_handle_l3": 0
-      },
-      {
-        "handle": 1027,
-        "socket": "CPU 3",
-        "socket_type": {
-          "hex": "0001",
-          "name": "Other",
-          "value": 1
-        },
-        "socket_populated": true,
-        "manufacturer": "QEMU",
-        "version": "pc-i440fx-9.2",
-        "part": "",
-        "processor_type": {
-          "hex": "0003",
-          "name": "CPU",
-          "value": 3
-        },
-        "processor_family": {
-          "hex": "00fe",
-          "name": "Other",
-          "value": 254
-        },
-        "processor_status": {
-          "hex": "0001",
-          "name": "Enabled",
-          "value": 1
-        },
-        "clock_ext": 0,
-        "clock_max": 2000,
-        "cache_handle_l1": 0,
-        "cache_handle_l2": 0,
-        "cache_handle_l3": 0
-      }
-    ],
-    "system": {
-      "handle": 256,
-      "manufacturer": "OpenStack Foundation",
-      "product": "OpenStack Nova",
-      "version": "19.3.2",
-      "wake_up": {
-        "hex": "0006",
-        "name": "Power Switch",
-        "value": 6
-      }
-    }
-  }
-}
diff --git a/modules/acme-home.nix b/modules/acme-home.nix
deleted file mode 100644
index 77de9c9..0000000
--- a/modules/acme-home.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = lib.mkDefault "admin@rpqt.fr";
-  };
-
-  # security.acme = {
-  #   certs."home.rpqt.fr" = {
-  #     group = config.services.nginx.group;
-  #     domain = "home.rpqt.fr";
-  #     extraDomainNames = [ "*.home.rpqt.fr" ];
-  #     dnsProvider = "rfc2136";
-  #     dnsPropagationCheck = true;
-  #     credentialFiles = {
-  #       RFC2136_TSIG_SECRET_FILE = config.clan.core.vars.generators.coredns.files.tsig-key.path;
-  #     };
-  #     environmentFile = pkgs.writeFile ''
-  #       RFC2136_NAMESERVER=fd28:387a:90:c400::1
-  #     '';
-  #     email = "admin@rpqt.fr";
-  #     dnsResolver = "1.1.1.1:53";
-  #     server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # TODO: use production api
-  # };
-  # };
-
-  # clan.core.vars.generators.coredns.files.tsig-key.group = "acme";
-  # clan.core.vars.generators.coredns.files.tsig-key.mode = "0440";
-}
diff --git a/modules/borgbackup.nix b/modules/borgbackup.nix
index 172e76e..63b59a7 100644
--- a/modules/borgbackup.nix
+++ b/modules/borgbackup.nix
@@ -1,4 +1,4 @@
-{ config, self, ... }:
+{ config, inputs, ... }:
 let
   user = "u422292";
   sub-user = "${user}";
@@ -7,7 +7,7 @@ in
 {
   imports = [
     ./storagebox.nix
-    self.inputs.clan-core.clanModules.borgbackup
+    inputs.clan-core.clanModules.borgbackup
   ];
 
   clan.borgbackup.destinations."storagebox-${config.networking.hostName}" = {
diff --git a/modules/desktop.nix b/modules/desktop.nix
deleted file mode 100644
index 294ef56..0000000
--- a/modules/desktop.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = [
-    pkgs.mpv # video player
-    pkgs.amberol # music player
-    pkgs.alacritty
-    pkgs.ghostty
-    pkgs.libreoffice
-    pkgs.nautilus
-  ];
-
-  programs.firefox = {
-    enable = true;
-    nativeMessagingHosts.packages = [ pkgs.passff-host ];
-  };
-
-  programs.thunderbird.enable = true;
-
-  programs.nautilus-open-any-terminal = {
-    enable = true;
-    terminal = "ghostty";
-  };
-
-  services.pcscd.enable = true;
-}
diff --git a/modules/dev.nix b/modules/dev.nix
deleted file mode 100644
index 294bdfa..0000000
--- a/modules/dev.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-  clan.core.vars.generators.atuin = {
-    prompts.key.persist = true;
-    files.key.owner = "rpqt";
-  };
-}
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
deleted file mode 100644
index fba0311..0000000
--- a/modules/flake-module.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ lib, ... }:
-{
-  flake.nixosModules =
-    (
-      (builtins.readDir ./.)
-      |> lib.filterAttrs (path: type: type == "regular" && (lib.hasSuffix ".nix" path))
-      |> lib.mapAttrs' (
-        path: _: {
-          name = lib.removeSuffix ".nix" path;
-          value = {
-            imports = [ ./${path} ];
-          };
-        }
-      )
-    )
-    // {
-      server.imports = [
-        ./motd.nix
-      ];
-
-      common.imports = [
-        {
-          users.mutableUsers = lib.mkDefault false;
-          services.userborn.enable = lib.mkDefault true;
-        }
-      ];
-    };
-}
diff --git a/modules/garage.nix b/modules/garage.nix
deleted file mode 100644
index 3740110..0000000
--- a/modules/garage.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  self,
-  ...
-}:
-let
-  zerotier_interface = "zts7mq7onf";
-  zerotier_ip =
-    self.nixosConfigurations.${config.networking.hostName}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value;
-  s3_port = 3900;
-  rpc_port = 3901;
-  web_port = 3902;
-  admin_port = 3903;
-in
-{
-  services.garage = {
-    package = pkgs.garage;
-    settings = {
-      metadata_dir = "/var/lib/garage/meta";
-      data_dir = lib.mkDefault "/var/lib/garage/data";
-      db_engine = "sqlite";
-
-      replication_factor = 3;
-
-      rpc_bind_addr = "[::]:${toString rpc_port}";
-      rpc_public_addr = "[::]:${toString rpc_port}";
-
-      s3_api = {
-        api_bind_addr = "[::]:${toString s3_port}";
-        s3_region = "garage";
-        root_domain = ".s3.garage.home.rpqt.fr";
-      };
-
-      s3_web = {
-        bind_addr = "127.0.0.1:${toString web_port}";
-        root_domain = ".web.garage.home.rpqt.fr";
-      };
-
-      admin = {
-        api_bind_addr = "[::]:${toString admin_port}";
-        # TODO: use metrics_token
-      };
-    };
-  };
-
-  networking.firewall.interfaces =
-    let
-      allowedTCPPorts = [
-        s3_port
-        rpc_port
-        admin_port
-      ];
-    in
-    {
-      ${zerotier_interface} = { inherit allowedTCPPorts; };
-      wireguard = { inherit allowedTCPPorts; };
-    };
-}
diff --git a/modules/gitea.nix b/modules/gitea.nix
deleted file mode 100644
index 034801e..0000000
--- a/modules/gitea.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{ config, ... }:
-{
-  services.gitea = {
-    enable = true;
-    lfs.enable = true;
-
-    settings = {
-      # storage = {
-      # };
-
-      server = {
-        ROOT_URL = "https://git.turifer.dev";
-        DOMAIN = "git.turifer.dev";
-      };
-
-      session.PROVIDER = "db";
-      session.COOKIE_SECURE = true;
-
-      service.DISABLE_REGISTRATION = true;
-
-      # Create a repository by pushing to it
-      repository.ENABLE_PUSH_CREATE_USER = true;
-    };
-  };
-
-  systemd.services.gitea.environment = {
-    GITEA__storage__STORAGE_TYPE = "minio";
-    GITEA__storage__MINIO_ENDPOINT = "localhost:3900";
-    GITEA__storage__MINIO_BUCKET = "gitea";
-    GITEA__storage__MINIO_LOCATION = "garage";
-    GITEA__storage__MINIO_USE_SSL = "false";
-  };
-
-  systemd.services.gitea.serviceConfig = {
-    LoadCredential = [
-      "minio_access_key_id:${config.clan.core.vars.generators.gitea-s3-storage.files.access-key-id.path}"
-      "minio_secret_access_key:${config.clan.core.vars.generators.gitea-s3-storage.files.access-key-secret.path}"
-    ];
-    Environment = [
-      "GITEA__storage__MINIO_ACCESS_KEY_ID=%d/minio_access_key_id"
-      "GITEA__storage__MINIO_SECRET_ACCESS_KEY=%d/minio_secret_access_key"
-    ];
-  };
-
-  clan.core.vars.generators.gitea-s3-storage = {
-    prompts.access-key-id = {
-      description = "s3 access key id";
-      type = "line";
-      persist = true;
-    };
-    prompts.access-key-secret = {
-      description = "s3 access key secret";
-      type = "hidden";
-      persist = true;
-    };
-  };
-
-  clan.core.state.gitea.folders = [ config.services.gitea.stateDir ];
-
-  services.nginx.virtualHosts."git.turifer.dev" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://localhost:${builtins.toString (config.services.gitea.settings.server.HTTP_PORT)}";
-    };
-  };
-
-  security.acme.certs."git.turifer.dev" = {
-    email = "admin@turifer.dev";
-  };
-}
diff --git a/modules/lounge.nix b/modules/lounge.nix
deleted file mode 100644
index dd23b1c..0000000
--- a/modules/lounge.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-let
-  tld = "val";
-  domain = "lounge.${tld}";
-in
-{
-  services.nginx.virtualHosts.${domain} = {
-    enableACME = true;
-    forceSSL = true;
-    root = "/var/www/lounge";
-  };
-
-  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
-}
diff --git a/modules/motd.nix b/modules/motd.nix
deleted file mode 100644
index 1547318..0000000
--- a/modules/motd.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ config, ... }:
-{
-  users.motd = ''
-    Welcome to ${config.networking.hostName}!
-  '';
-}
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
deleted file mode 100644
index 745cd30..0000000
--- a/modules/nextcloud.nix
+++ /dev/null
@@ -1,84 +0,0 @@
-{ config, pkgs, ... }:
-let
-  fqdn = "cloud.rpqt.fr";
-in
-{
-  imports = [
-    ./acme-home.nix
-  ];
-
-  services.nextcloud = {
-    enable = true;
-    hostName = fqdn;
-    https = true;
-    package = pkgs.nextcloud32;
-    config = {
-      dbtype = "pgsql";
-      dbuser = "nextcloud";
-      dbhost = "/run/postgresql";
-      dbname = "nextcloud";
-      # admin user is only for the initial setup
-      adminuser = "root";
-      adminpassFile = config.clan.core.vars.generators.nextcloud.files.admin-password.path;
-      objectstore.s3 = {
-        enable = true;
-        bucket = "nextcloud";
-        key = config.clan.core.vars.generators.nextcloud-s3-storage.files.access-key-id.value;
-        secretFile = config.clan.core.vars.generators.nextcloud-s3-storage.files.access-key-secret.path;
-        hostname = "[${config.clan.core.vars.generators.zerotier.files.zerotier-ip.value}]";
-        port = 3900;
-        useSsl = false;
-        region = "garage";
-        usePathStyle = true;
-      };
-    };
-    extraAppsEnable = true;
-    extraApps = {
-      # inherit (pkgs.nextcloud32Packages.apps) tasks;
-    };
-  };
-
-  clan.core.postgresql = {
-    enable = true;
-    databases = {
-      nextcloud = {
-        create.enable = true;
-        restore.stopOnRestore = [ "nextcloud" ];
-      };
-    };
-  };
-
-  systemd.services."nextcloud-setup" = {
-    requires = [ "postgresql.service" ];
-    after = [ "postgresql.service" ];
-  };
-
-  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
-    forceSSL = true;
-    enableACME = true;
-  };
-
-  clan.core.vars.generators.nextcloud = {
-    prompts.admin-password = {
-      description = "nextcloud admin password";
-      type = "hidden";
-      persist = true;
-    };
-    files.admin-password.owner = "nextcloud";
-  };
-
-  clan.core.vars.generators.nextcloud-s3-storage = {
-    prompts.access-key-id = {
-      description = "s3 access key id";
-      type = "line";
-      persist = true;
-    };
-    prompts.access-key-secret = {
-      description = "s3 access key secret";
-      type = "hidden";
-      persist = true;
-    };
-    files.access-key-id.secret = false;
-    files.access-key-secret.owner = "nextcloud";
-  };
-}
diff --git a/modules/radicle.nix b/modules/radicle.nix
deleted file mode 100644
index ea2f2db..0000000
--- a/modules/radicle.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}:
-{
-  services.radicle = {
-    enable = true;
-    privateKeyFile = config.clan.core.vars.generators.radicle.files."id_ed25519".path;
-    publicKey = config.clan.core.vars.generators.radicle.files."id_ed25519.pub".value;
-    node = {
-      openFirewall = true;
-    };
-    httpd = {
-      enable = true;
-      nginx = {
-        serverName = "radicle.rpqt.fr";
-        enableACME = true;
-        forceSSL = true;
-      };
-    };
-    settings = {
-      # FIXME: activation fails with rad saying the config is invalid
-      web.avatarUrl = "https://rpqt.fr/favicon.svg";
-      web.description = "rpqt's radicle node";
-      web.pinned.repositories = [
-        "rad:z2DH9K384tPCrM5HJcpiKEoZZdftY" # lila
-        "rad:z29gVX1f6HC1XGx755RL1m1hhMp6x" # corner
-        "rad:z36HRN3Soay4wMXBSiR4aW7Hg9rT7" # flocon
-      ];
-    };
-  };
-
-  clan.core.vars.generators.radicle = {
-    files."id_ed25519".secret = true;
-    files."id_ed25519.pub".secret = false;
-    runtimeInputs = [ pkgs.openssh ];
-    script = ''
-      ssh-keygen -t ed25519 -f "$out"/id_ed25519 -N "" -C "radicle"
-    '';
-  };
-
-  clan.core.state.radicle.folders = [ "/var/lib/radicle" ];
-}
diff --git a/modules/remote-builder.nix b/modules/remote-builder.nix
index 6c74f92..04b32a6 100644
--- a/modules/remote-builder.nix
+++ b/modules/remote-builder.nix
@@ -39,9 +39,7 @@ in
       isSystemUser = true;
       group = cfg.group;
       useDefaultShell = true;
-      openssh.authorizedKeys.keys = map (
-        key: ''restrict,command="nix-daemon --stdio" ${key}''
-      ) cfg.authorizedKeys;
+      openssh.authorizedKeys.keys = cfg.authorizedKeys;
     };
 
     users.groups.${cfg.user} = { };
diff --git a/modules/user-rpqt.nix b/modules/user-rpqt.nix
deleted file mode 100644
index 4c1d0bb..0000000
--- a/modules/user-rpqt.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, pkgs, ... }:
-{
-  users.users.rpqt = {
-    isNormalUser = true;
-
-    createHome = lib.mkDefault true;
-    home = lib.mkDefault "/home/rpqt";
-
-    description = "Romain Paquet";
-
-    shell = pkgs.fish;
-
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze"
-    ];
-
-    extraGroups = [ "wheel" ];
-  };
-
-  programs.fish.enable = true;
-}
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
deleted file mode 100644
index 4ae455f..0000000
--- a/modules/vaultwarden.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-  config,
-  ...
-}:
-{
-  services.vaultwarden = {
-    enable = true;
-    domain = "vaultwarden.val";
-    configureNginx = true;
-  };
-
-  services.nginx.virtualHosts.${config.services.vaultwarden.domain} = {
-    enableACME = true;
-  };
-
-  security.acme.certs.${config.services.vaultwarden.domain}.server =
-    "https://ca.val/acme/acme/directory";
-}
diff --git a/packages/flake-module.nix b/packages/flake-module.nix
deleted file mode 100644
index 13305ce..0000000
--- a/packages/flake-module.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ inputs, self, ... }:
-{
-  flake.packages.aarch64-linux.genepi-installer-sd-image = inputs.nixos-generators.nixosGenerate {
-    specialArgs = {
-      inherit inputs;
-    };
-    system = "aarch64-linux";
-    format = "sd-aarch64-installer";
-    modules = [
-      inputs.nixos-hardware.nixosModules.raspberry-pi-4
-      self.nixosModules.common
-      self.nixosModules.hardened-ssh-server
-      ./machines/genepi/network.nix
-      ./machines/genepi/hardware-configuration.nix
-      { networking.hostName = "genepi"; }
-      { sdImage.compressImage = false; }
-      {
-        nixpkgs.overlays = [
-          (final: super: {
-            makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
-          })
-        ];
-      }
-    ];
-  };
-}
diff --git a/parts/default.nix b/parts/default.nix
new file mode 100644
index 0000000..2948de5
--- /dev/null
+++ b/parts/default.nix
@@ -0,0 +1,3 @@
+{
+  keys = import ./keys.nix;
+}
diff --git a/parts/keys.nix b/parts/keys.nix
new file mode 100644
index 0000000..f6fce87
--- /dev/null
+++ b/parts/keys.nix
@@ -0,0 +1,15 @@
+{
+  rpqt.haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze";
+
+  hosts = {
+    haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKga5V0H602RsBESBXf5kwRCnI1yfBPOHmjGsM4Rxf5r root@haze";
+    genepi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQUzjid5mfMYginIUCVWTF7rWvWz0mUZBZsl5EhDIDl root@genepi";
+    crocus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAiz3nzuJGO5tRka2Y/kzqKa68wF7wwHr4hAympLNb9F root@crocus";
+    storagebox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+    storagebox-rsa = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
+  };
+
+  services = {
+    radicle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuoHC4P0h88OAL5PJmiqkbkvQR1cwfkjaevWbwdKOU7 radicle@rpqt.fr";
+  };
+}
diff --git a/secrets/freshrss.age b/secrets/freshrss.age
new file mode 100644
index 0000000..bec4a3d
--- /dev/null
+++ b/secrets/freshrss.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 ELMcHw e1XlBpnFTEjcVaiz2ogDRQlrkvEK98pJb2iDaP3fAF8
+W9li/7spMyPzwaCSFkOdPOL9ZNuaGCnJxm0uB/vLyS8
+-> ssh-ed25519 8TpKTA 3HeKYAD1Y9UGfCmTWdgfVRMXy/q+R2fH/rrDdCnmBgc
+S2pjlFKodLcx06HqrkghUUQB8QgyxkhPean6EV7GsXM
+--- g6mHVMs7rkgyIus4NGuw8h+Hai3ME0FbuIpvA2KOOYQ
+–=Ï2#¯–Þ¸<+ïí
+vàÙúœÂŒL¼3î@Zè,Ü…M9,C$»aèr
zuO>Ç͇°
\ No newline at end of file
diff --git a/secrets/gandi.age b/secrets/gandi.age
new file mode 100644
index 0000000..4a193b0
Binary files /dev/null and b/secrets/gandi.age differ
diff --git a/secrets/radicle-private-key.age b/secrets/radicle-private-key.age
new file mode 100644
index 0000000..7ed9647
--- /dev/null
+++ b/secrets/radicle-private-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 M/D1Cg YfbyictbASsHxNw6wLCn39IrkNtbpVM8QZNczMArVkw
+om2OLtWnWYLvUm7L4tSDDXHtUKd1O+wqwKO78QZ/6cg
+-> ssh-ed25519 8TpKTA vtuEudd4t+4kzeztRImB1QqGtH7QJiCppBzSngEzKm4
+qUgxtzght+zL/PVuBKbD3S+B4H3siZveg7n0mqJQqDQ
+--- 8xbzXxMfsk2mfLI25fp+xtzTfjJr2t6nSQWa69Ua9Mw
+!™n‰�ýÙù:ùŽŸ=Ä`\iý€§ˆÛMti³ðö°ÙÄÞ:ŸA'ñp––®õ¾wwª^râ€Ûâøo¶ò
,NMC„úqÚ˜âÚ¿z–YÉ\<ÒÞ•lSÒ+�d^YŒϹ1rº}ï€ëã¾Z‘®ÇØfm¼ÉÒ@–‚äДèåc—3Ä|MÜìÎÕV÷Kåa½Ûå?EðAÃ+ès�q,…÷™ØÃ…VÄ$|N I	TÄ	¤-xÜ�k÷€µ$¬¢A~•WÈ'<k˜|¶—×Sh+hƒÞ§Ç,J¹Wùhƒ¢öE¢&K‰ù&ø@ëp”P§p¿¿‹ðAÃÄLûbðÌÆ$íJÈ2nk%|Y,!t >„ünM	¯¯þÑÀ˜<p¡{ÊDØåórßeù¦ûåRû²7PyQùì:©¸¹;9XÖ nu6Si剞x î˜FÔ5•ÍMÒ b�œŠHYÿ[æÿgþÓžmt×è£cjÛY„<DIQ˜|ÿMFá#˜+�Öè#æ+9bb±«6Ô…§D3�ˆ.‘]eŽm(ŠïoWù¤
+8˜ô
\ No newline at end of file
diff --git a/secrets/restic-genepi-storagebox-key.age b/secrets/restic-genepi-storagebox-key.age
new file mode 100644
index 0000000..ac4e43f
Binary files /dev/null and b/secrets/restic-genepi-storagebox-key.age differ
diff --git a/secrets/restic-genepi-storagebox-password.age b/secrets/restic-genepi-storagebox-password.age
new file mode 100644
index 0000000..96bd068
Binary files /dev/null and b/secrets/restic-genepi-storagebox-password.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..a97580a
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,27 @@
+let
+  keys = import ../parts/keys.nix;
+
+  keysForGenepi = [
+    keys.hosts.genepi
+    keys.rpqt.haze
+  ];
+
+  keysForCrocus = [
+    keys.hosts.crocus
+    keys.rpqt.haze
+  ];
+in
+{
+  "gandi.age".publicKeys = keysForGenepi;
+
+  # Storagebox sub-account password
+  "restic-genepi-storagebox-password.age".publicKeys = keysForGenepi;
+
+  # Restic repository key
+  "restic-genepi-storagebox-key.age".publicKeys = keysForGenepi;
+
+  # Password of the default user
+  "freshrss.age".publicKeys = keysForGenepi;
+
+  "radicle-private-key.age".publicKeys = keysForCrocus;
+}
diff --git a/sops/machines/verbena/key.json b/sops/machines/verbena/key.json
deleted file mode 100755
index 4c9d333..0000000
--- a/sops/machines/verbena/key.json
+++ /dev/null
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-    "type": "age"
-  }
-]
\ No newline at end of file
diff --git a/sops/secrets/crocus-age.key/secret b/sops/secrets/crocus-age.key/secret
index 0fbcdd6..ef04195 100644
--- a/sops/secrets/crocus-age.key/secret
+++ b/sops/secrets/crocus-age.key/secret
@@ -2,17 +2,9 @@
 	"data": "ENC[AES256_GCM,data:EGb773Q1F0hvpduV6UcOAhSy8ypN/r2ixBkazycuqY6AJmq9wGIMF40z6uWuUuy+19C4dN6pdwnJLGw4S/3qxrFGKHMFtVbKK0E=,iv:6ByZiSBUUtONGzgO8tbKzdeNlBMI0OnPLMigSeIO634=,tag:G1M64/oWQmxZydhMI9Mo/A==,type:str]",
 	"sops": {
 		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNGFLK0d4\nZ2JCdGdkYWd5TFpKNHpCODNCNGdYdzlwb1hzY1lQMzltV1cvZQpML1BJOXU0UUxo\nUnBGb0hSUG45OFovWmQwbzhjK2Y2MlpCanE1WDdiVkhvCi0tLSBGWEFRa05FM1RH\nNXdpT0hBK2JFU040UGdhWTVkcGxYV2p0SitHencrMkRVCsneAeYc6WjBDpM14O6x\n/Ru/3fh8zl908fjqcrr+UPaIXLD/2r7rgzfUGIROrWJwh8yos22atAWG4O0UGQQa\n8Pw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ1FwSDFQZS93UUNUVFIz\nVUNjMjVQTUpQRXRaRVNJZzVCYjV3OFBFY1Z3CnpabE1CRm8xV0VuWm9EaU5qZ2RT\nb1FBUEgvcVN4RE51di95b1hiT1A3QTAKLS0tICtOWDRqbElaajJ0NDkzS1YyanpC\nOHdnMHB3Z0pRWEtYWUpDUjJFaTdzRHMKUg9bfInt/5mSBhVOhE99yYTsCXZ6CHjd\nKeu/K56gDMa93m4nPVubZjD7p3KareDRSjMW0/aY5Mf2QnY8nlk8wg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbVFINDFx\nM3kvSEpqYkJHT2FFN2xORFYyNncrQnBZcWRIWkd3YVJwUTRuTwpQYlhtWDVCTllq\nK1NLeC9TWWtYd1VMNzZFLytiZjVNV1pIRk9VcjdhNXV3Ci0tLSBya1h5cDRncUJS\nU2NyOFpzWW1ZS3EvdkthRkxyOVBTdG44K1g3QUY3UzF3Ch8tbkMxoiee+PKYxAQu\ncdybSzHGDDhY9uEsFAycFDx5GLybVQoCxo6JxC9J59koFQz58WaXT2pKqo0mMw8r\ntCA=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTU5xN05kWlJuRFViT1lC\nSmxqSlNWTGVtTXhTS2o0Tm4xS05JUUkwK0dBClI5UVhna3Z3Q0NVODZVVW9aN2lG\nb05MbEw1SnVCcWpWNnVBNlRYMVZEQzQKLS0tIExvUFNhVUFxQkl3a1JrQjdOdlBq\nRzM1NDVzY0YvNEp6WWtnYTJYTXBWWGsKJlGXl/TadohSrjH9FEKvr8JMN13GDUl7\nN7OmOuy/2MxXXr2ChTJnmt+1is9Bj/52/oRH3m+yE6lAOb6eDMBgWA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-09T22:28:02Z",
diff --git a/sops/secrets/genepi-age.key/secret b/sops/secrets/genepi-age.key/secret
index 7ee1a24..49e3964 100644
--- a/sops/secrets/genepi-age.key/secret
+++ b/sops/secrets/genepi-age.key/secret
@@ -2,17 +2,9 @@
 	"data": "ENC[AES256_GCM,data:/fLnn5tEMlasoykvgvfjXJSMVFO1b7LMEDXEzw8mV2m6J8eyW0QMLIwfZFoe52ZOe7JC3RCRpEY7ei9UhZVJzLmewbVT5ziN55c=,iv:XW3LIFunMbEv1eQbLfBx7AgS6y8Pdp0/OF0juhq+boU=,tag:RVMEaWp8ilc6rTDW7N73vQ==,type:str]",
 	"sops": {
 		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcit3SDVV\nbUhnT2doYW5SK1ZrMkk4eHk1U3pKMnRQUGZnZ3NBck9LWGxzeAp3ZjRtczV2Nml5\nMDdYZGc3VUNMOU8vbXg5WTJDZUVYRVFiNDd1d1M5c2p3Ci0tLSBOeVora1R2Vms0\nSmhpTU1kM29MYlZ1Mi8zYlZxSmF5dkNLc3N1RjBselNvCvfEkfg+xXIR+M+xlK7r\nmmDG7DLm5v6v31Jthcn36ORKHBS6256j/mteMO8ftHwMwtvw55lmDWkQrtFuaX/J\nz5E=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHejRPeXJoazIzd2xHZDBM\neEplanpuOFAxQ0Z2djRQRXIxcDJkZ3IxcHc0CmtlMGk2YVdUM0ZpZjdCQS9JcVFa\nTnFQV3RjbUptc2p5NnJEOGx0SVYwNmsKLS0tIFZlcXE1amliUEdBQVV3WDhobnpx\nNUIxc3ZjR3QxdlBQeXFZcDNmQlI1WmcKBKsLCbVVeyEy+9vNKOPjAruf8AlDzvat\nWjUjRy3YyjTRiRINaZz/7YOzcr0w14Jo9+GMBF/gX4exXtm4p0KPDQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdXRFSlVU\nSlZIcyswckQzMXN0Qk55K1oyZ0pnREloYUZmM2VkSFhscUdFSgp3c3FWbDV3RWhB\nUU5oQTZOWFVVaU5wSHZiVUVEd25vekNSMDdVeEp6K0NzCi0tLSBMOFVSMGF3eEF3\nNXJrQUlIeG56Vkp5a3FjeFV5WkZ1eUtvQUV5bW83VnpjChSpqwUxZqox60+TkzUk\nTuaGGABkRDyyy+rL0jkVHZvh8gfF8WAe5M+TXHsXMHBN0XDhCulLKgXDkjiPDAtO\n2uA=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiMnJNZ1EyeHVYa0pTdUNa\nOFlVRUo4SjY0WXlDUGVLK0V5VEdpMEQyT0ZrCldhOUpWL2x1Sjhrd3NMRUNMVy9B\nTkhFWXVaMWttQm9YWlhmdDl2MzlpODQKLS0tIE1GM0hCQjBwMGI4cVRXWUtVQUtC\nY3ZvZ256YytFbksvRE9GdHA0c0Ewb2cK9D6HssuN4aXDgg7zHdCIdlcOE9wseEkf\nswmuk6YcMbwORDIwVi8deM5MRerxGhSUo64vQup4O6ivBJdPh+jvyg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:43:50Z",
diff --git a/sops/secrets/haze-age.key/secret b/sops/secrets/haze-age.key/secret
index e559dd8..30fa55e 100644
--- a/sops/secrets/haze-age.key/secret
+++ b/sops/secrets/haze-age.key/secret
@@ -2,17 +2,9 @@
 	"data": "ENC[AES256_GCM,data:g7js1FA6umKogdeqrE6VeJeqkIza7gPGX89aB7j4l33nPSGkZ6h8qR2j1fGqggwgolRVbEfszgIJYXrZ2dzzy8HGKQ2kQmQbgaw=,iv:LHGGVVFSRkuMxvCDM4VxxMF2MaNinRJGpIqO5w5mMzA=,tag:YjHpGPPWGhDz6g8+Rm1x0w==,type:str]",
 	"sops": {
 		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBK1VnY1pu\nY0tJODhZSkg5aEdKangyT3VFb2pYZnpMNklNTmJYZzdVOGdzRgpzMUU4Rld2eWJp\nekNobGhES0VVb0tjbEVQb3k5elptR2QvMW1WdzZTVGdvCi0tLSA3ZC8zazF6cngr\nS3dzSmtGSks4WVlTRVB0NzdtcmcyTTd1UlFTcTJrdlpjChpFftWShZE5WfA4s2IJ\nYB/0ybfkJZ/PZwIaTc2LjLv93b+/XwHYqqfelbm5Xbzk2NP2zAkgHez/gAo20LCL\nQVk=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5QWxTdkRnZXViTTAycExQ\nUUx4Y3lRN0p4YllXLytnVjJYKzBEWjF6WjBNCkFBNVh0UEpScjJOejd2ZlNqbnhD\neUpMcW96cENuQmdRZmxFcER4WkFQSFkKLS0tIDZWaUFGYVdsbU1JSnhVTUlXK1Nz\nQy8vTU5MUU9tT0pwMEFBTlF6ZFdEdmMKCxfeNF6659103amzoWkAQrrZ23zOJtc2\nBGa6jBLsjfNIBRK0m/IJ4ixmwPXbAU/KsYkRkvM1WlUjWh6x+yyKnQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbkp1UUpO\nTTZZZG83dndrZU5UZXRUTVpFNW9mY0p1N2hzdjVSUUdaL1JVUgpmMzBKUzh2WnlX\nTHQ2RHBKS2JGcEhCcHdnL2F6YndpNDNIWmgyMzVhaEZNCi0tLSAyK05TTEZ0eXE5\nWjUrb1hiMWZZcVRCZWFDT2g5VngyMFp1bkxXT1hUQlUwCle74xvsWsyhgyvlO7GR\n9HMOZ6tOvlfptOXaJXFxxtlHsfC1oA51pNPAdbq8bR6d+cf/rO2nLEHYhgNjls4p\nyVE=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbTZ3K20xWDNIWEd4TkVZ\nN1I5Ry9CWGgzYWt5Q21kWHQvM3VWK0NkalFFCnM3Um5WZVJJSldPK294ZUYvbG52\nNmk0SlRhQWNkWmNWbzB4cGtmdVNjWGsKLS0tIDI3N3V6dStMRVlobzhMbkttb0Zs\nVW56V1loaDAvNCtuT3FXeWVwNHVzb0UKr59CCWRzWWzxkjLci26NJ5SFHazdzqub\nXdD6uXvUVBDradDHzgg+jy1OXQfstHjQMapSd9rRspAotbmQjdqDeQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T13:19:30Z",
diff --git a/sops/secrets/hcloud-token/secret b/sops/secrets/hcloud-token/secret
deleted file mode 100644
index 38bdd44..0000000
--- a/sops/secrets/hcloud-token/secret
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:Jw4huyAI4yZT/24rImVh//JaFvUlwuIRrzP3nzLBqts+U2bs3wcv0LVavSEhECoJveUwYyS29++ewlnw+wiSrQ==,iv:O2ISIPnIJ3677VswqMjphwV30W24SNciPwIzd/AWm/w=,tag:ORMMkAtGyvzlINQ4fbtTjQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTXMyczVuc3ZwUHJIUlUr\nSTFObW0wNjBGQXBhS1FCSDNCVFJpT05DZzM4CmdscVg4dzJJVDZ6aVpiUHNydXhK\nK0tQTy9uZmJyM3d1OHVXT1FlYnhLck0KLS0tIHJGT1IxWTdJL01XWUE5NEhtcGhs\nZWlUZkx1L2cwd3dpakNCOGY0M3BZazQKZrK9JoWAJk9BOCPWfwxthR4sdNvF4bYj\nbnw5HBmXHPuV4pObDE0RwnoMVBXSfTof41HfogvsM16GWR577+CgMg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdHhYQkMx\nb2xTUXB3dkZuajB0aHIwbllmcVJwOHY3eXphR21MRUdDdWorMApkcHVxQ1FRQ3ZQ\nSnpOYk9ZanJPZ1EvWUpoZHQ1K2VVUVBVMVphVlYweGg0Ci0tLSBiQmQ5YnJpKzJv\nY2lmOFpZSEVJeHNCb3F1SjFzNzBabHN0andFczRYTlFnCkSFxvQ47FvKcCh06tRd\nCb12wKSm12yMs5BR9Bv40YDB9C0/oqo17gDmVworyZKuK2dDfRaSLjoD4Cg2ww+A\nwS0=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaG9kZWdz\nWVloZGxVZW5lVHpkN292MVFjVC9wWkNWS2hJTWZiLzk0SkdmZwpSZTZkOTFadWxo\naHMzZlVGV3hCY3pyQ1BIczA0ekpIWXZRSFZtN1lZMzZFCi0tLSBlSkRCNkNtbjFs\nd2IvSlRISlRydVh4M1I2bVFFZ1ZJUFFNc1dtbGUrZWtvCiiFUjKkBp4eyI7YV1AY\nk3tqfqsoQyHPYhL4mxU5bDBPTwKpIwPZNzfVDxgiTwQq5s4TEoDYnl4rhEc6ONem\nx84=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2026-01-19T14:49:10Z",
-		"mac": "ENC[AES256_GCM,data:fWo9KS5W4A7UNM58G+KtCzAQAiM0qFVJwf42/eSQC+yAMfZJfbq17JDeow37CbnYo4GaXJuPQHbUqnrFHfqxRXAOP8GfQ02MRf3xSpmzwLQeKtZHwGG8+Ez9x+FnYUJcX8QIHpf25NKpe57h8STtC+Uz66lMp1EFXzJzgOvTY9w=,iv:Eya9bRyBUXv7ddSa7PVNYej6shnXTSdd3NvPPyRfezY=,tag:FH6YK+dfoPyQwgMNTqKQmg==,type:str]",
-		"version": "3.11.0"
-	}
-}
diff --git a/sops/secrets/hcloud-token/users/rpqt b/sops/secrets/hcloud-token/users/rpqt
deleted file mode 120000
index b1a8792..0000000
--- a/sops/secrets/hcloud-token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../users/rpqt
\ No newline at end of file
diff --git a/sops/secrets/verbena-age.key/secret b/sops/secrets/verbena-age.key/secret
deleted file mode 100644
index 7c1e07b..0000000
--- a/sops/secrets/verbena-age.key/secret
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:wxFfM1b8w0EB/o1awHD9FMaHCSTp2NSyTfBCqJ5DjjQxDiBO4VkKVIK1Re28M1pKR4e/vThlvBpdEVnZksO6853RNbtBq8a5QSE=,iv:ZiJUjZ9TsIjse3sdxK40sYBbcBPwNkD7Pdq+O5DTcUQ=,tag:6GuL5cUgLKf3UEhioxk0AQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBZ1dNS1hn\ndUNMMm9PMEEvNW1WbnBiNitJNld2ZmlBQkphYzBFa1Z0bzJwZQpIeU9nSzY4bWpk\nL210cElrQy9PVTk0ZWtSZzAveUI4dlFGSjNBazd5NU5FCi0tLSB1alFvVEgxUDh6\ncGxmOGtqejFNMUVwNzZMeG5od0lPcitaWVF6TlF2QlhvClMRj078WFepyIPQi82b\n7GZ8+Wgel3y5ZfoUKZXFmpWqfYiODCdgBCduoovYY4vbrAsbfVun6VptW+Je3j0J\nC+M=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZGhSV1pTQmx4QktYRENB\nbVZXQytaZFNlU2d3RWlraEVwSnpXNnAvVTA4CjJCdHZNN0lTZkFVOVR4SjdOUEVx\nMXRqc1o5TldOdE1pWkkwR0VzemZMTWMKLS0tIGdxNXZyaGUrMzZaQWwyMHRKZGZz\nbFRMam5ITjN4cVhXcEVQS3Q4bGlYU28K5hopN2oifM6d/9/o3aQ0jS8K2TzXokVj\ngRP0c4NB6cI9TPqOaCAs90z1jIeOVB26OR6JvFH+m7WaaxAuu8rgig==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM3JHMEN4\nTzJJeHRaUXI3elRuRFBOZDN4MmttRHcrclZxV0owWXlUUHU0bgpXZ3pIQmhRS0Rx\nVXFyOVo3YXl0RVRVM1NWNWFuU0VKTjZDZW52SXhtSFNjCi0tLSAzSXhVQVNCNDlJ\nZjNtRlJkS0VLUUhhOEtLaE5jWmY1a2t1M1Q5RHZCOWE4CoTQMd7TKqdwzo7h8s8E\nqc28aqzCDNzPodvGidySkBpm6hvp6fQfSCgIJ4kWO5G4yZMOSqZmbudymMuUau+L\n6Ns=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T22:26:58Z",
-		"mac": "ENC[AES256_GCM,data:amP1SmiUjxfsKvfom4suR+o6SIJPOa4qFOd82MY7bOs7DG/yjbN1olAUWTbER0UDxoLb+HcGYOR/zPsOwJeUnic1bJp9Mt0HXYvmXsWZlqX3Or/hp+HLBgKe1rIoAmfJ3kdEmrZpcm7UViajxLsZIPaKtX8J07k2Wn8EEm/BZnc=,iv:/3dtXEQmItPwY6Q0EE50vtEj7fiMxnyha9j3u4KwuUw=,tag:Pn6u1o7R6iwJ50HlzB7+RA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/sops/secrets/verbena-age.key/users/rpqt b/sops/secrets/verbena-age.key/users/rpqt
deleted file mode 120000
index b1a8792..0000000
--- a/sops/secrets/verbena-age.key/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../users/rpqt
\ No newline at end of file
diff --git a/sops/users/rpqt/key.json b/sops/users/rpqt/key.json
index dd61c76..a86c346 100755
--- a/sops/users/rpqt/key.json
+++ b/sops/users/rpqt/key.json
@@ -2,13 +2,5 @@
   {
     "publickey": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
     "type": "age"
-  },
-  {
-    "publickey": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-    "type": "age"
-  },
-  {
-    "publickey": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-    "type": "age"
   }
 ]
\ No newline at end of file
diff --git a/system/core/default.nix b/system/core/default.nix
new file mode 100644
index 0000000..53ecc66
--- /dev/null
+++ b/system/core/default.nix
@@ -0,0 +1,25 @@
+{ lib, ... }:
+
+{
+  imports = [
+    ./users.nix
+    ./ssh-server.nix
+  ];
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    supportedLocales = [
+      "en_US.UTF-8/UTF-8"
+      "fr_FR.UTF-8/UTF-8"
+    ];
+  };
+
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+
+  # system.stateVersion = lib.mkDefault "24.11";
+
+  time.timeZone = lib.mkDefault "Europe/Paris";
+}
diff --git a/modules/hardened-ssh-server.nix b/system/core/ssh-server.nix
similarity index 100%
rename from modules/hardened-ssh-server.nix
rename to system/core/ssh-server.nix
diff --git a/system/core/users.nix b/system/core/users.nix
new file mode 100644
index 0000000..1db5cfc
--- /dev/null
+++ b/system/core/users.nix
@@ -0,0 +1,30 @@
+{
+  keys,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  users.mutableUsers = lib.mkDefault false;
+
+  users.users.rpqt = {
+    isNormalUser = true;
+
+    createHome = true;
+    home = "/home/rpqt";
+
+    description = "Romain Paquet";
+
+    shell = pkgs.zsh;
+
+    openssh.authorizedKeys.keys = [ keys.rpqt.haze ];
+
+    initialHashedPassword = "$y$j9T$.y7GZIaYYgEHt1spMsOqi/$k4O3AAKBhJF0gI.G9/Ja8ssGsVTv3VPD5WC.7ErAUD1";
+
+    extraGroups = [
+      "wheel"
+    ];
+  };
+
+  programs.zsh.enable = true;
+}
diff --git a/system/default.nix b/system/default.nix
new file mode 100644
index 0000000..763d619
--- /dev/null
+++ b/system/default.nix
@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./core
+    ./network
+    ./nix
+  ];
+}
diff --git a/system/network/default.nix b/system/network/default.nix
new file mode 100644
index 0000000..1f59251
--- /dev/null
+++ b/system/network/default.nix
@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./tailscale.nix
+  ];
+}
diff --git a/modules/tailscale.nix b/system/network/tailscale.nix
similarity index 100%
rename from modules/tailscale.nix
rename to system/network/tailscale.nix
diff --git a/modules/nix-defaults.nix b/system/nix/default.nix
similarity index 53%
rename from modules/nix-defaults.nix
rename to system/nix/default.nix
index ac488ef..10d84fc 100644
--- a/modules/nix-defaults.nix
+++ b/system/nix/default.nix
@@ -1,20 +1,18 @@
 { pkgs, ... }:
 {
+  imports = [
+    ./nixpkgs.nix
+    ./substituters.nix
+  ];
+
   # for flakes
   environment.systemPackages = [ pkgs.git ];
 
   nix.settings = {
     auto-optimise-store = true;
     builders-use-substitutes = true;
-    experimental-features = [
-      "nix-command"
-      "flakes"
-      "pipe-operators"
-    ];
+    experimental-features = ["nix-command" "flakes"];
 
-    trusted-users = [
-      "root"
-      "@wheel"
-    ];
+    trusted-users = ["root" "@wheel"];
   };
 }
diff --git a/system/nix/nixpkgs.nix b/system/nix/nixpkgs.nix
new file mode 100644
index 0000000..d793f95
--- /dev/null
+++ b/system/nix/nixpkgs.nix
@@ -0,0 +1,5 @@
+{
+  nixpkgs = {
+    config.allowUnfree = true;
+  };
+}
diff --git a/system/nix/substituters.nix b/system/nix/substituters.nix
new file mode 100644
index 0000000..04660af
--- /dev/null
+++ b/system/nix/substituters.nix
@@ -0,0 +1,11 @@
+{
+  nix.settings = {
+    substituters = [
+      "https://cache.nixos.org?priority=10"
+    ];
+
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    ];
+  };
+}
diff --git a/vars/per-machine/crocus/borgbackup/borgbackup.repokey/secret b/vars/per-machine/crocus/borgbackup/borgbackup.repokey/secret
index d554869..a358373 100644
--- a/vars/per-machine/crocus/borgbackup/borgbackup.repokey/secret
+++ b/vars/per-machine/crocus/borgbackup/borgbackup.repokey/secret
@@ -4,19 +4,11 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPV3RaOWZkczN5MHhvRTdk\nZjJWRUNGNzFLSUVxUGpCZjJ4cUZ3aDU2OEJrCjNYYm9yUkJPL1hGZEpSdnFIS0R0\nWlBmbVVuRS9OSitNMmtiM3JLcVZtU28KLS0tIDBDWkRpSWxVK2pvdm5xeGtRRDli\nUnRiQ2tCRGs2UndsWW9KYWdocGpYakUK1WFkf16tMEE7JJcrU67TdFfHxOo7eyr0\nBpNye/Gob3+zPuWUz9ugFiqPOMXfhMVoxRFgzXD5jd7xM7NnP4fmlQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcGxGQTE2\ncmJWcjR4V2w5Zis2WGo0aytFbU9JZ1NkZzZVWkorRVg2SHlTRQpWMEdRRlBTNUM4\nZWY1TEEzMnRrVEhWcU5NNkdWWWFkZGxPay9BakJ4ZWdjCi0tLSAxb1Jhbzd2eUw1\nR2w3MnNMSDJTc1lhbzAvY0FsL2hXaXRZMWxTQmJaL0hBCltKw9Ex0B4BGVd1E7/a\nMKHXT7wEvlLfrfv2sBo0MAucnL3uCUgiQ1f+DQ9cGXwPuTBHCimCBRwkSh9VpVGy\nVF0=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5eCtVYmtlaWlmUEZKRkZP\nazB5N2NGc3JVcEs3NHRpZng3UnhjaGJwUUhnCmJKV3Y1Sm1oUndnWGZTMmxya0d1\nMG5yR0hwNkdoQWU3bE9kMUdxL0crNDAKLS0tIGI1NWhoLzZmNzY0L2xsNThNNzdw\nUmgyeGo2ejd4VU5XeFRJb0JhMy9UencKhDHBhlcAPOMdyUWzD2uMDHFoC7CW2T2D\n09vSaeL75t9uNsCbryM7SWal0HquEyAs8Pdn4YPMydpD2mQOVEAgfg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTm1YYjdtQkQ3aERKU3hx\ndjg0b1dacVo0N055VWM2MmFGSmlBR2tDazFrCjdKb0VwQ2ZrbmExUDJFRTdCNCtu\nQ0pGbWtDeW1lbFZ1NjJaMXNMRmhpVVkKLS0tIHJCUGFYM1ZzeGVVWmFFOEYwR2Uz\nVDZlcFB1UnZYNnhLUEdFZjFXMGpBUWMK/giok2vHTK+YvkGj858pitrHKqJbrq/g\nmsof3z0utDBH8owfHMV9hB9pcE8qtP1lqkK9r6BfMMxrx+kilnC7KQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBME1yQlF0\nS1FrZllxcWJJbEkwV2VrcU42czVsNGowSWc0MnRyVCt2Y29DYgpmaEVIbGVOMHlZ\nbG1YS01tM1Q5VktNQkYzTVhZbTRPYStyNVBiSFJwbkwwCi0tLSBzVkJ2aGdUZE10\nUlVPL2NxNzhmbUU4MVRFZ2JPd094MXA3dEpndFg5bHd3CkrExz9N7/RGV2wMfTLa\nqFuOKYJyv+/9cUEIrzutKk+fRuuptdXzlAHApFqeZ1OxM7vynJV5UbrRca67auGY\n7Gk=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtdmJUampVUEh1cytMUVFn\nVGRMSFZZcXZ0ekRzY0VVa1ZGSFV2c2pjOUdZCmNLUmdRbFhqRUk1REVhT2VWcjRZ\nKzBjQ3phSGhKNjVrd0U1eVlDSWVvVVUKLS0tIG93U1pmRmlZK0xOV0JzTk5FZndy\nZ3JKaVJNamxqYUpMQnF0eitsVFMxdk0KxGfukNQggo93Jc14Z2WAjfZ12e0SyRtD\n+hembYN7huaWCSyQdzS55U2r9C2bW+5qap6HhZOPAJ+1L+mD76wz/w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-13T21:59:48Z",
diff --git a/vars/per-machine/crocus/borgbackup/borgbackup.ssh/secret b/vars/per-machine/crocus/borgbackup/borgbackup.ssh/secret
index eaf7faa..90b09c8 100644
--- a/vars/per-machine/crocus/borgbackup/borgbackup.ssh/secret
+++ b/vars/per-machine/crocus/borgbackup/borgbackup.ssh/secret
@@ -4,19 +4,11 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSUw2MlRBRjBsNTI4KzQv\naE85c1ZQU1NXWnZ4d2taaklhNmJOM3BJSVM0CkFPMWt3UTUxcmFlNWpPVlgxVG1Y\nL0hxTlY0Tmg0S01pYkFaR3dwc0Jtb0kKLS0tIHltL1FNekJFUjJPbVJRdzNheVNv\nOG5SSFhUM2lzelV2aWVSMXRaSjJTUUEKCQNA7zTqd3NqeDxfaKPoBCbgOda+qnIF\nuOdNFADV7LCCpUolBUEofhEb+azGpnR87pou93QRaiXCrj9QGQqCTg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBb3B5OXUr\nMjE5K1VGM1Z0eEZxa1lUc3JpeTlXaHFhbDFzeEo3NEs0MmkwbQo3cE5TVkVmRGZz\neHFqNWFXcHdESVNPTTA2eW5RbzdyS1NaRSs1YmM2U2NFCi0tLSBkL3c0S0Y0OHB0\nT1piNGlYV0NvVjI0NkQzQTZoS0VzemJ2UmRXOGZCZTB3CgvVFBgMv+1FhBiYVPJZ\n29zfoYYIoHpjUU4pahjtgwBivSZy1Md/JV7AlWSz0zjyzWWquWyPyCbc4CRcc2U8\nTps=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bkVVclhvVGExYmxOODdt\nZS9KRlhLcm1jZGZKT21VYWJ0bkp6WkU1WVdvCkU3UHhpdUpTMVJYWThsMElMN3NR\ncEp3RUhsTmNWVEVPeFVReUIxL3Q0dVkKLS0tIFk5VWR2U2ZwSzhUQ1lldWkxUTVW\nbURvVGswZXdNK2ViS1ZTNUt0M3B4N0UKxHYLja4nPCU7ms2Omo7JcCSU8/JR69pm\n0YMfpObSpDExrm/+ln58Pw6nVd1uA/mjWN1riLeKnetVxIpTAV369Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOCtOSUwxbllMNkFvNVl2\nNGYwZ2x4TUVlTTBldjdJMG03VSs4TGY5L2pnCi91aWNnZ1kyUUZtK3hxd0ExdUFy\nQzZIcm1MMytzSzFyWlFnNnRKSkYvbW8KLS0tIDJBUkNRQ1duYlgyKzAxcExSZWJY\nUzcycC9Nb2pqWHZIL0NGSXFxUVBGTU0Kf4z8CV6hph0fl/te7Vvq5IGRTrraFufn\nvdt3bo/g2ph1O7TV6Yf7wUGmstPsB7ssH/byANTI5zrab0tgBqcm1w==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMEdBV2tY\nQ2p0M2gwVVAvaHpneDVUVXh4dm90YXNJdWlITFlWSUdNK2ZQQQpjTVI5dDVnYndY\nTnlyNGtSZVlWaGNmOExvY2g0cnNLWTVHYUJoN2tWQkN3Ci0tLSBYVHJmODNZRlpC\nVlI2Z1pjWVpSQUZOclU0VmxZKzM4MFVwRnNkR1drdVlFCraqEY2PYM59CpfILN7d\nCXxvYvAxXSlu4Giz6crAzHvAxq5BdiITRIw3m7st0zlEsCVOjjsGKtsQ1VDhipGE\nYbo=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SjZPNE9GRC9ud0NZT2RH\ndHR0eU4xUld3YUFIRlBYN1h5Qjg5ZU82U0JzCkZVZTA5M1pnOTBxcmVoNWh3ZGJQ\nbVpsMXowOHE4eENlV0pKdG1YbUNPejQKLS0tIHhIa3dWMkpIMm1OZ3VlM1JaQ2gx\nbXk5OHMwakQzRDFUcWdLRmVXeHFnOEUKOpS+uXVevJ96bPhnKVYiM2Rl5PNvgmNz\nyxuYC+6cX+oPTnz6fSVYKmP9LWKAypHWQCzu5uKBriaAwU3EctRIHw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-13T21:59:48Z",
diff --git a/vars/per-machine/crocus/gandi/gandi-env/machines/crocus b/vars/per-machine/crocus/gandi/gandi-env/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/gandi/gandi-env/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gandi/gandi-env/secret b/vars/per-machine/crocus/gandi/gandi-env/secret
deleted file mode 100644
index 8ed6085..0000000
--- a/vars/per-machine/crocus/gandi/gandi-env/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:diQ/PXOEug+tCpSPJaOqW+RY+jS7/UTHtehMJY9uu0pAr8JPTptPbc9GvHHjfIKfq2+me1Ttb2lUTDPnQuujFXIcD/Oj6Q==,iv:5Sq4geHzXrs6HKCk1Z1axEIEe1BVaH3zJXbFHirCYBg=,tag:BoZQd5hRbo6bXtl6X59lrw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQ3Y5UjJVcVhaWUUwaklS\nK241U0x1M0xyd29lRGJRcWFtOW1GN0pKeVRjClhhempRRlJwajVEZDg2YXJFcDN3\nNEVSdng3bnpFRjZWQVQzRzNkUDlSMGMKLS0tIERPeVN2Q2VnelFzSHZUdGo3Y1RM\nSTJIZjBjVGFZMlByZkxFMTZyZmwzZ2cKRXU2LooeDPC4PSJFpYsLRIuzxKl5I6DM\nXY+Wmo8ffNNXzYfc7VeVk4NVwVPZQcqVmebRypYtnvG3cTejxG2H7A==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMnFKSFYz\nM1Bjc0pHd0NaSm91aTVSZmZFQTQ0MnJkVXZsUWdCQzEzd21BYQpxSW9wZlRmb3Bz\nSXRHSjRtZ0VuMWU0cFhGeDlwNUlqUVljeXJoU0lkSFdjCi0tLSB1V3Ryb0hGZ2dL\nOEN0ZTlhUTFHVzFkYXlGS3NFbkdKbXQ1MC9CWWNOZEhBCv0q2eUDHsUO50MhFTtX\nc/jv2delDYJpW7XClMWnvVZQjR0O64dETJdwX15c9hxcCCS/5zUt7xktVre3P64x\nnfo=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybGRQTHlDMHB0NnRZbVIz\nekczKzBRZk5iUDhlQlZBMkJ1S0FxMjdqVlc0CmY3Q3NQRTV6Rkl3TWx5T0RMYkhs\nYzFjVzVNMDBuc3NuZWNzK3cvdm16NkkKLS0tIDEvaWNwQVRwV0NxbEJlcWc3NjEz\nV3RyMVYwdHRnQVNXeWxBZkNYQWttSEUKAMzWjimkgPgxA9Ctp4UMMhdeWi58iAJN\nKQwwN12GeQoII5ZQ0GcfPR/5j3ehQl2mMmoqcxc5UqoeS0U1tPjczA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaU1zOXFU\nV0hqVXE1K00yUkFzUjdVN1RYNWgxYkxTNTk4Ry8vTlpMRnhyQwo4N1YxbXZHbklL\nMnFZRHBhNW9PUFlEN3dRRmxyeVlVaXBpdGZVYWg2cElrCi0tLSA1WFp0b3Y5cDVv\nZ1F2U0Y4OVNhcFlrOFRGOEpiRWlOTVV3bnFvbGNLMUJzCgUkSUQIlfXLdyFp9+YT\nvJo+BM3T0Lk9ZhcNy05PinmYorfzZdd0Eb2zZHp5amyuV3JXxjKuJhspB6wP1GYc\nfcw=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T20:41:34Z",
-		"mac": "ENC[AES256_GCM,data:JF1vnWfkno7JM4RrrJ9mSvFH6Qpm6XOnoTSpVpUjKw7b8HYRM20u8KXtoB8FI+mwJU59OWiresBuy+JMrViOO+mKO8mkIdn58VgXITk9/ISM0e+rlZklQJRvpeREDO4hWZfMNnRq74vW0JL8toQiBNAxwErOTu4Yfz2wmW8moBg=,iv:rxDxUhhE8Mn971MVT7UmxIO5Gg1lfXT9nb85HZraXZQ=,tag:3Xcd2tYOttaiCuvscY7kEw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/crocus/gandi/gandi-env/users/rpqt b/vars/per-machine/crocus/gandi/gandi-env/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/gandi/gandi-env/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/garage/admin_token/machines/crocus b/vars/per-machine/crocus/garage/admin_token/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/garage/admin_token/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/garage/admin_token/secret b/vars/per-machine/crocus/garage/admin_token/secret
deleted file mode 100644
index 25f1ea9..0000000
--- a/vars/per-machine/crocus/garage/admin_token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:pjAzrkB59+DkMEnFaFvClFvRI0ayxCOHdMK8datVmtWRJdDtWZquvFYYB7kq,iv:sSICWQ0rBUwfbS1bk1CEcHOfwA1CmXE93rD1lT1EAU8=,tag:9CjwsKSfjU10xAAzAKo9ww==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eDhid0pjblhSYkcyb1p0\nUUx6QzY2SWRQVDhvNFZKNXpFYitUeHNzeWdZCjdsY09jQlpWMXV2emZOTjhQNk5v\nMmRmTVlGVDZqQ21EcUFQWGJtK1NqSTgKLS0tIFlmNTFJTHFETmpRTmE2UjJHaTVK\nbXlwODNDZ3BHK3EyNGE0UUpoOHBYcFUKNHrDq5tLe8fPIJ1C+ReWURECGqWDSU4x\nyf3m8SILjS8AEayTkgqcTxIpB/670zUWpxDGO+eYGwvTgkH4mCzS1Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN0pwNWo4\nZjB3ZldtTVN2ZnVSME1iYm9XKzZSbVVnWEpjTmhZemVBWVBpOQpNT2FoUVEzTFFz\naWJqWHpaSk4rYzI0dGdxUm9aS0VxMnZrSzVPVHcrc3J3Ci0tLSBHdkpPN1VTSllh\nZEp2NjRRVWxFTGJNNjl3aE93Nm9wSndKNUtVR0RuTzhJClJVTVUqfClk4krjSSRu\n1Yu0x0Es3UdtDXUjcNkFSuskvM98YJWtt0A4ptt5TSgaLDvsY+RnUE+XLA8aX6ku\nkbk=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBleGdhSWVuMnZTRy9NSVh0\nUjlNVEVsY1NYZHo0TnFqUzZYS2FEbUNhMnhZCk5HR2RmeHRtekcza0RLN2VYUDNa\nZ3prMnRVRmJ4QzlTdC9SbVhHWHlMcGcKLS0tIGZqd2FDMUZEWWZ5eUtNRkgweThP\nVXZDNW9XWFBjNTEyemkzZ2xDZFR2R2MKCwr7sqFliDt3MGoI1LkFjo9QmlMOR3hV\n/LTrJ/4jt5BAsM2wJLgZUdBjkzFCNW4kCi5PqfV86+Nb34xTXJW9FQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBc3ozNVlD\nLzVIclF5Q2pzVVFQVHdybFFvOTNDaXJLWmltZmtEbFVsaU51Wgo5dDJsRFROa0Mw\nb1VzZ0MwSG9Bcjk5NlRUclYyanpRd3dNeXZ4QmZmbDNvCi0tLSBpRVA1Qm5sVUdh\nM0d6UHZlM21lREZUblZkRk1iQ0djZXJQaUNnT3hwN084CjJka1HD+xbkt76fw4Pd\nmk96YZwYOJmNGJGTX1ZS5oa2FXffhXuYtQj/c3uojylaP7G57XJuoJ1Nk6pSd2u9\n/Jw=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-19T21:51:47Z",
-		"mac": "ENC[AES256_GCM,data:A22tkDaTGpgo8yfqnNWkCVRV80JmJKiJoMQVFRNhezUhWLb5jV75QtBirXTBFLO3Uyd48Z2X/+s63FMta3tqYIf4LiHjimv5U4hWs8eVAtpdIi5Qxf0K5UPivlsHs/X3p1+9UWx9z1hnxp7cChpt02t4EEgWh+PNwerks6/gjZ8=,iv:mCAnLVRiXeAujn/7sVXf3ak5KOmvIYmtolOj3CdGlos=,tag:hDMjHWpk9W5ShBkLxYaH5w==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/crocus/garage/admin_token/users/rpqt b/vars/per-machine/crocus/garage/admin_token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/garage/admin_token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/garage/metrics_token/machines/crocus b/vars/per-machine/crocus/garage/metrics_token/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/garage/metrics_token/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/garage/metrics_token/secret b/vars/per-machine/crocus/garage/metrics_token/secret
deleted file mode 100644
index cbfdf60..0000000
--- a/vars/per-machine/crocus/garage/metrics_token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:FaNG0ZX6z1Q7FfauyRwYCDLYl2KaupPtT6KcKGrxQ22yPIxW7htzkZzovwaV,iv:HLxunFnpgmvpVpyet4Og86R22LQ6os1lqzSyV9/E9J8=,tag:QjKKuJcG7SzxzjDmlSCHBg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZGtqMDFHM0VLVnhjUWdn\nK0ZqYnJINUF1TmNLN0N2QkQ2S1FucWVTenhrCnh0OTg3eWRCYkVEeTcxQzNCTnBw\nbVphQm9wTk92emRlTU5waTkrY1RsR2sKLS0tIEJuNEJUNjhGMzlrYXdVcjFudDhp\nRFpVNmdFRnBteGNMQVNQaVpmWVhRZTAKj8VdXywqeN+VEc6aBEYUSwGqPNhzCdyp\nl+ZnX/1Zq5EpalnpBjeqBFVqtXsXvYeBsDg/2RfZok4jaFy+vil63A==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNjRWdXlH\nT2c3ZDVkcDlySHFhWlZkeEY5ZU9xYnZpUERITGJrQ0FuaHZMcgpobVAvUHJwUTNu\nQVhrbHdvVWQwek94TlNTZlpSWGhOQUV6QmRVc21mbFEwCi0tLSBjeHNFZk5JVW1N\nRHp4ZjlkM1RGM0NFU0Z6cUtSMy95azg4TnVpaG1KSGtVCqrX1dJRA7e66Py+ifW/\nUhzHZoPD4KB9EJrmQAgn7vMnFOIRwpam/Vkewe5ILv9uFl2SC49KI95iHA1AV1XL\nUYs=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cGw1ci9NZEFxZFlVc1Qy\nM3VybDkrNFVLZjlLczlaUzFncG9lZmR1SUcwCjh3NFh1bTU3dG5HdmtKZGh0QjFn\nV3IzVVpHYjhpSDNpc1RyRUJ4cDR3TFUKLS0tIEpCTVBiWUxFS0MyRG5CM2FhRjFE\naEJBb1RlVHFySDZ3NmxWblh2MGFZQVkK7zxgSkhBrQZUTnGB13XfLSwgdwcjyyMh\nDKpMe1w4j9m45B7k2lAhbweTuDEiU4RoHvXaXeTsZ26XFIMlwpwT5g==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBOExKSmtY\nYjNCcmJTZlljM1J0UUk4U3BnWDFONmc3bThxV05GUWx5alhncAorZ1J0czQxTXNl\nemhxZXpoYzJMdnNaM1BKczJXZW9RaXRVMnRKd2lHbGhRCi0tLSBjcWFhS2cwUGZO\nRTM4UnMwRjhrMXRmZnNzVkh0emdwazZvN1Q1QTlYY3UwCihSgclskDvQxfoA9Wnx\nagmLiceD3owl98ug3ZxN2x/wrjv9+44SYaNrI2kkim9Zp+4o0kE0qBYK9zeSsEHD\nMTc=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-22T13:51:53Z",
-		"mac": "ENC[AES256_GCM,data:H89aFtec/OOq7r4MS28N/5ygv5GCWU0kcZszIr4yacfvoxPDFhFy95WCk1O0mzeubJ0Kw0nnmRlDS++Xfa8O99gXOtJc3FupBtLH0s2067jH4SW4DF4B/8BDPN9erVPXC4cwjSQnLerP4+TA14JtTbkoMLSLIsfU3gVlN6S0F0k=,iv:q/DKwAs7wOJQ8oZfjPCDN6pm2yREiWk+CQd6B7TixOc=,tag:xRgjYRsv9pOoWpkofkw5dw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/crocus/garage/metrics_token/users/rpqt b/vars/per-machine/crocus/garage/metrics_token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/garage/metrics_token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-id/machines/crocus b/vars/per-machine/crocus/gitea-s3-storage/access-key-id/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/gitea-s3-storage/access-key-id/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-id/secret b/vars/per-machine/crocus/gitea-s3-storage/access-key-id/secret
deleted file mode 100644
index a90e341..0000000
--- a/vars/per-machine/crocus/gitea-s3-storage/access-key-id/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:NB7f+8tGLTJACgHqRzCmvfq84A1wY3gdsgA=,iv:2tNgNcKOpqvvd2ULSSOQwpGbU51uovLbXpIRElTVM/w=,tag:3WBlU9rN5mP2o5/N5ijCZA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSEw5L2RxNTVpK2FEU2g4\nSno2S3F1NXdRTkNVWWcvY2NkSEhGVFlBVFJFCmRObDRkelZVbzFPRElxNHJBcXkz\nSE9BaFZwOWtrZWIreXJNZU9SL2YxMXcKLS0tIFJrbFhIVHo0azdGa2NxWHFoMW1J\nUG1qSzNOc3pDbTkvNWZRM0FzMG9pMnMKhDvWGGa8TjLSuGxyuWV40gvuXbhx2iph\ntSitGvEh3UExpK4s61vblne4tv+xBsjX0h6KSX0Ip2hGIodThe8nsQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBc0RIQ0x0\nbjgwU2tRSUNveGZMbUdqNTNmN05KVEpqazVNSWZKdWo5M1IzbgpNZE9QY1hUUE1N\nc056NEY1SEdTZmNhNUp3M0xPaENzWjk2eEJPcFRhbW00Ci0tLSBxeXNRUzVIM2RM\naVVDQWt3TldJbFdBdVEvM0c5MEFDbDdyamlEOGd0cXJrChGtzCSSTwjWIwZC9/6w\nBYYpHyVrU/i5cqLvWAv9ZT40cNhNUmFWk9tg3BFoFPFJUxDcCg8FOIQaNn2Z4PR/\ncBQ=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRWRSWi9TemhlWnlWaC9n\nMUc4MWVBV0F2bkdaSWFsaVl1alYrUlhxczJ3CmRWcjE4R0hSS0R3SW1oVlFCUGFa\nczA0UzdPVHZPenVwalpwd0k5eFl4Y2sKLS0tIDRJOVNpM0ptTVIzU3p3TGxuS3Qw\nQTVWMDE5QkhCR3RiWFdFSmZITG5WTm8KUjL6xuP/yMPQTfvyhrBxEI+xE51ks1Qy\nZgXokrXGSmCIQtZoA+OVT4R5ogop5OBP3rXEZWfGxVFyFE7SqCexyw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM0FtbjBK\na2RBbmFUS0ZXTDJtZGY3TUZDc1VJK0QxOXVzVHhuZmc2UFpEVgpJU0swS2JIRk4w\nMThsYlViSm1SUnFnWFFVQ2lybGRmNlpsRHp1Qng3WFFFCi0tLSBlYXNoemZlaFgr\nNHFDVm1uSzJyT1dXSXo3eG9mYzdDd0FVdjNtZm1DZVBvCjKiC+OC5uCTJJkFbER+\n7mkox8LdCsobk24tTDTVbsuyzjxKZS/F2L1NXA4FBc1Y428ceoNiv7JcT1OWweUH\nDnw=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-07-26T17:18:51Z",
-		"mac": "ENC[AES256_GCM,data:Wm0RiWij2BZRyT9JkP265sUfn4mnGYVV5xJLxjzPnKyhVEu8Pnr6kSVQVAYP3C2SVicPghPSZONPNW0Co8zSEv/YYD91sLg43mxCPLABR4fda5ZRWaHhxZ2lQ7duCmvGxJP9wdKq/OGQ/C2ubO5W7FIJYmfi04rV7aKKwsGHaJg=,iv:oxVeIkBlWf/GHl81V84F1okGiFfXKTqJGHFHbz+Xkao=,tag:QGEJih/j9RqNr8IgtxAZOQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-id/users/rpqt b/vars/per-machine/crocus/gitea-s3-storage/access-key-id/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/gitea-s3-storage/access-key-id/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/machines/crocus b/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/secret b/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/secret
deleted file mode 100644
index 6199918..0000000
--- a/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:88a57QIAqnO23iv/l3a4Gkl/7ddX3vPFZV37VAgpCsobXntzg3PAAXCXUb36rDHwMZa50Io1jQNErJqed9J6Wg==,iv:1HJ1o7pKZU9XohgKL1j+DZzBMfEUoOwpHyYlwoRapD0=,tag:8Y8+VvXpJJibRyKOBy8vWw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdUtYN3k2VUtBVkcwOUdP\nQmlodUN3dWVYKzJLUlFxMnhyRUhTWFpHbzJNCmVDK0dzditSNW5TZy9JdlZYMUdl\nQjJvSkRVVEpLY1FiSC9BTlZUMkxabWMKLS0tIEJrUmRzNVpVVHNabVpzSDkwSnZH\nRENnSUh6Y0lqMkdzOWJRQmwrc29PbW8Kli9N5DeyDuf9Ueuiw2XrvW4OD1NRSJwr\nGxWPKzft92MjF/wrr63DmMWB2PxxBynlSqCXZnL/zbU9Wy6GesAdcQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNTltS25X\naVlSS1FxRmtRcFRHaWJIVVUvK2RrSHpYZzNuRVd6OWVqRUFIRwpiZGhUWU5UNSt5\nVVd0SmJBWlo4MzBuTGN0OFU1bWQxT09sZG5xUE93MVE4Ci0tLSBMTmFlanNyOCsy\nWFoyZWo1eU9JS3RRUlU5a0xGbU9SNEVSYndueTZtZnZVCq+i8FnDLkLV1t9QeMkN\nlhaB3cN1Q0CwWSAi/iCgIqDbA4q6PBrdQryrOnWyV3h0vFwMotuEEfjct9y3/chZ\n/G8=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWFQ4dlR3aEF1RUU3bWZx\nakxHc1ZqQjc1Zm1pSm55UlFTMzhyT1hUU0VRCldSaDJINk82bEgxWVptd050emVk\nK29iVEhoclo0K0k3NjcwZ0trWjgvaTQKLS0tIHkzWWtaR3NBUTQ5cng1cll0YXdh\nQ2VsUVlWbGxhN2Y2TmpscFFoMGtoRm8KgGimtdpCLdmPxLVCVRutCKRsZIcIUisx\n0RG8J51MryaQ0aO3LgWbOwQ/rjWvgORR/M0z8L30VhT0XhJLckKRjw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBa2xqNjhr\nQzNkUzEyWFRtald0TytEVysxSE9meWFTNTY0ckZaSi9Gd3Q5RQpGL1grTXB3NkF5\nNmxCalJJU2RYR3V2b3pkMG5wUHFOaTRMQ0YyVE5pZkd3Ci0tLSB5WU9rUExsNUVL\na1BMWTJ1NGloL2taUEt1RU5qZHRrL3c0ek1CNXVKWC9BCjvh4pC8LikO8JmG+w0X\nb/DYoaeZfirlZKWm32vWMkJARiwyqB68X3FKXkN+s4hiKXl5DpsD4DuebkOgjy0n\nQuM=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-07-26T17:18:51Z",
-		"mac": "ENC[AES256_GCM,data:30DcAIuIzINrCgOZ/bRnU2ZbGzgPM3qKEV0ktIa+UOYr9BbaBFJmCxkQjAX2ZMwciQEcWJkOWjfV1jHv6HFXl+p/6D/9IN4S04RjpTUhODYUL5rAai2GzZ3gh0X+KPdrG0jyrqGyjl8fluzkrA40b3H3Bvar6Kh1+U//ACN1Iv8=,iv:cplJSehn3y0B+bi14pm5hrRWV1NQh5w4AikiUrye4I4=,tag:ReK1Mpm3ejNmSC/OuzSApw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/users/rpqt b/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/gitea-env/machines/crocus b/vars/per-machine/crocus/gitea-s3-storage/gitea-env/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/gitea-s3-storage/gitea-env/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/gitea-env/secret b/vars/per-machine/crocus/gitea-s3-storage/gitea-env/secret
deleted file mode 100644
index c84b7e5..0000000
--- a/vars/per-machine/crocus/gitea-s3-storage/gitea-env/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:yvUPehA2IlYG/G8GIvLDElv8r4awe4kPbRtJRLonjrEl6kV6Qzps9Nw3Um3yVw38azTT9vgD0abLz7inM5Gp0QwiRxk4+06o/+aoDw7FScB+e/pZJkxpigy/061K7g60rJ26QTl36eURtFRM2nHM5F0i7rgsivF+UmYSjLGobwGABNN5rEaqLvG85YSlBHoOBNjuUFb9E1kyQe7TALW9voBb8ZDK3t4=,iv:TNio+GD8YE2hiS+oGD/pE5klOdkEuvmG4VnoiqBlZ8M=,tag:MWyjYsMvY45Qdu8opPe+7g==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVzkwcHptQzZESjdoc01S\ndG54V3FBT0pDN1JzSXh5N1pwTGRiTVFyYlNNCmVTV3VWTnB2QkhacW01VFlhSW9Q\ncHA1ODZ5V0hBYWJQVDdOWlIxdmFKMUEKLS0tIGk0VGd1cmU0Mmw0SDhaM2FGb3hP\nQ1ljdmZ0MWl0ckV1TVk3REJkUm1pV1kK0D2XBrQqZS9yGtGYzJedeZLXccbzDgcV\nb8/yvr3eJkOkshzFKYJzowbbBA5dmnTAA4jFIoF3dba09dV11098BQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBME11R3Fn\nUVhWcHVxTTlLTDVUODNXQlJIb2h3MGEwbTNaT3I5RStQeFBrQQpIT2UyYmhDSW1C\nWjlJdlc4MGtEb1BRVFoxRmpQeHUrbUhSVTJwSXZNQkxVCi0tLSBla0R6VkxrVE93\nSlZZZ0lJZUdCa0hiK1R3UThTekRwbE5MeWxuTUlvc0k4Ch4uqr9lUQiy4vkrmAUw\nA/I8x/t4BOc1mnqv67DPd0w9pyBBAHIRXNf0Ymzj5F22s30yuwXstbtecnPNKFgK\nE6Q=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZDJhWFZmSVRnV3RKWGw2\ncURsTDVKa2V2QThwM0JPWHE1NS9DajY2L3hvCkJZTlBpOUNURHJndXpVSVBNZHdu\nZDFJa0YzMzdKQ0JCaWZyTktpTFB4b1UKLS0tIEZRc1NaSjlRenlhTHNsclVlNGht\nYkYxQlIrY0xnakhQSnNJdW9RVnJZZVEKLaLWFtMJE70HSZ4h4HpjqDIbRPfTu2iZ\nAW4rInouGTOoCimNO3eqxM+5fo5zMGilhY+sSYoZfj/8XtqN/N3r4A==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaHRPY3lD\nNVU5VzllWXBZaEZoaDJpdktJNmZtR0NWL0IrWm93ZWtidzhvOQp1c3V2K3l6K3VY\nbXBaSm9USlVSWnZUVm90aEVCSmlSYkljb2loWkxNb1FnCi0tLSBTQ2tHSXFMZlVG\nV1ZyQk1pS01ET1l3RjQ1YUVOT20xanhuT2orOEsxK25RChCM3eviktju87V/R9HX\nohaSmh3H+OJ/HzKgFcJV9QxxqksP/nOZ4XHKsjQEk4g4YVH6oFr+shs0Vpu/zAhf\nTq0=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-07-17T19:36:54Z",
-		"mac": "ENC[AES256_GCM,data:MkpTvxi2uVvRurWYZvDhsMm7fOJjO7mAqKQLwd3uxexg/4n41RiiknB9M8vDp4/oVIiXuQAvd870vFamf8hFvGW3ynSqJ6JntqDjsmyoZ9nFmo57YgqmEjFXjmsAcwcDpcndwahkdZJNluXCAWIk811R3ahMc8KWQxqkc0f7a6c=,iv:jjyBxliNvAQj5wWBAKuCK0zNjN6vpe4t10vdlrEdqo0=,tag:y/Xm861aTReLBG/Bz7YJCA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/crocus/gitea-s3-storage/gitea-env/users/rpqt b/vars/per-machine/crocus/gitea-s3-storage/gitea-env/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/gitea-s3-storage/gitea-env/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/value b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/value
deleted file mode 100644
index 33bebdc..0000000
--- a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/value
+++ /dev/null
@@ -1 +0,0 @@
-GK0380f708a7baab9385e45ae9
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/machines/crocus b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/secret b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/secret
deleted file mode 100644
index c546b50..0000000
--- a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:5kOuRuLqQuUJPBWtrCzdDzdGWBdYN+GFGLn5LAbezcQcYuDyOZvpI4zJiBCUfEACXGEhlr0Vxid8M18A2g6j9A==,iv:QzOzJTnuG6Bo5zeDQMfDUdh+Qr27rxPq+G/kWj98fwY=,tag:m0KGHs/BqKE2sSj2s8p4DA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJV2gwandKcXg2N1l0a0N3\nRkx6ZDJ6UEFQbkxKa1ZOUStsaFlGSXk1SmtBCks0cnN4WWZCRFBNYlZuQlI3aTJR\nOEdxQ3lGVE9wSnFOblowbWFlTmhDV00KLS0tIGtNRDloOXB1dzJsVVVIYXlkb1V2\nZzNhL3kxbFFwNzBNdGp1OHhTYUo0elUK90tA5xN7SASZ6Xes/6Z5DMKGkSrxu6xK\nhzzId2/C8U0+lbeTQQkprGpTDrG6XlTFRSvaIwq2vwM3ohGVXOyP9A==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbzY1MCtM\nZzV2MkFEMXVPdjFObU9jS3UwS0I5aFdnMUhvSFJLTEM4dHhQbApEbUVlMHVOQlgr\neEErQy9laTdKcis3bDRpSkNtWjFweVBnR3pIeVlTVjE0Ci0tLSBXNDVtQkpaOTJM\ndkcvdHY1TE1pR1dmRnFoWVhpYUxtbzAvV1dMNURmZDBzCv2yCsrI9e9GsPk31lRT\nVSsgpycRE74jTPCV9ALDQzW1tZ7CV+UH4zapgTguuCmqJF9QlNYEFZFSbsAb+ex5\nEtc=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqc3kwUHlhRUtUakkwRWY3\nNTM2aFF1ejhPY1lRSDZmeUJTQjBmaUNtYTBjCk1HY0ZkSkthTVpLTkMwb2o4djNO\ndWhDSjhJRmlia010Y3lEZE9SMzZqWE0KLS0tIHRrSTZNMzRCZnRUeGtYdzJhTGk1\nYUd6MFZKU0ZFL3pjTm1ITnJMcGxWT28KgtKtewS+9nt9X0nBNSxOnGtS1WWViKwi\neKmKorFPykcpe0iloq3Pa6Z0cdreafHHQcAewOjY4nrsHcQOlD6T+g==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNzdaRmMr\naWxSczdYMWc0TEZzZ0Rya2ZUcjVXalBRUURLeEF5QU80VDBmdAo1OHBQT0JmRmRl\ncUFqMkpVMWRHcVpaMlRMdWtYL3lYcHo0aXJYQVo0Y1hnCi0tLSA3SmNOeWpGWldk\nVDYxTk5EN1M1bHlKYkloZ3ZRT3N5ZlNzRHAwVElqNFdRCsJkvpTfuqsI3L38JImj\nsEq4VT8t47dcIQJApMv0yIphCeX2bBPrPN0/6VMc/Th7kOWb9qhRzG/bR5bx6Oaa\n3Og=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T20:52:22Z",
-		"mac": "ENC[AES256_GCM,data:FM1/AiycM5mDnluBJv2MBHVdS/S0w7+xbAp64jEAiBeSnpY3sKefdYAIB33YXUs5LViGO8lloUxlBQ5LGnHjTQVd4b7N7Mh7FWkFtgzrnisOBmv21JLP3wa//Y0N3eZhgm+ZMJE1SZyeWGlCwDSsjLk+k8Tn2MmMqy7MfZE9bhM=,iv:WZVumq0jhPzZ5/w1xFHn9YO04ycI/IdgiTvVQsb0qcw=,tag:IsXow7BjeZMgxVhpBsMmrA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/users/rpqt b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud/admin-password/machines/crocus b/vars/per-machine/crocus/nextcloud/admin-password/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/nextcloud/admin-password/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud/admin-password/secret b/vars/per-machine/crocus/nextcloud/admin-password/secret
deleted file mode 100644
index 49aa6be..0000000
--- a/vars/per-machine/crocus/nextcloud/admin-password/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:VPf7HCaqRatP7bK7podFQsSxAXH+jSblyg==,iv:GhOmIssF3fmTTgX95tihr0KfSZozK/ZuJxMIACl8C1E=,tag:Hb0BaSS/dGe4WiPR7WftlA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzakVXTzVvVFVXdWxNS1VB\nUURrMktBTzdXcGIyY05aczV0akhLTUt4T1U0ClJER1JSalpna2RmaUlCMnJnV05p\nUlp6STVDeUQrYWRQWDVTWWxYL3BmRDAKLS0tIHB4K2RqTlFTdG8xaG9SZXVpdEFm\nT1pDaWlWSDVtcWpZTFZBSnZHVlFhOWsKok+32pQrxSx0TlffrXZ2YVDuZ7WgAfH0\njdsTtSMmuE4MXruiSpws9Qv6wCtWaXcK8anjHG/yup6snZnKaCpgyA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcWNsOWVY\nRDMxZTZIRlpONVpvaFpOeWNzSmFLanliUWk4ampGUkdrcEt1dwpsVzdCWnREazZt\nR09VV3k3Qll5MjIxMThmdEJDSDJia25UTnBTVFloWFlnCi0tLSBzcXNySVNWOUts\naTRlYjZodFBBSmd4TEJKNzJJOTJJV3dHd2kvMXJHZmxRCnYIepxXIkKjp2erEpgo\nDOAg5JEmbvd69QDcPWq9+xR9pSPe5QIE1PWH87fPTN7mRE7S0fkbJlThMuuHmqHK\nqso=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeVV0UDFPaE85RU91aEJq\nT04vM1N5ckt2dXpCVGNKZTV5WUtwWElKcEhVCldLTVlkU2Zodnd2THFWWFB4L3k1\nSFg3ekRQZUlyR3ppdzRvRUhJNVlmK2MKLS0tIFJwOFROQ0hJek5NSlBPcUM3aHlW\nNEhnejEvQUhyMmdrTTRBN1c3YmY3U1kKEp3VtKkfxhKBEfYO0fjcyUOjILg3jpDb\n0a/LEFMzGUa6oMxQQYkmi2XFZnvmTey/1mR5sOOvGz4fDlouwfxrBA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBc25NdE1S\nVjUzWDlvKzArRUN6SXJYcldmVW50NjhFSGxYYmVsY3BSN1ZtVwptRGN2dXphcm15\nUXdOM3BKdHp2ekVjSHA3eUZNKzdEMktRa2Yxcys4VmxNCi0tLSAydXJmVGlJQkRl\nb0h3UTBWK1VQWmlSWVFpT2x4T0hDMVREeUtzd0hqZWVRCoZz2my0mTi3dcAINk4p\nZhXoo/eCCSUGIhLVSLFyxFSd7slsb0EioZzecBt7kC1peba3OF9ZL455WKE0KCDj\n2VE=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T20:22:27Z",
-		"mac": "ENC[AES256_GCM,data:w7gpQ0q38O6h8/VO5bc6v0pS78Jq8zY3jIlUC1kSF8I6q2U7J75+2TJlT4CFmwspJdNnyszHvermE5K/2uMCEi+f4Zx9FFpB9IcZ0zNEa2vl+3ksqiaRQjgcGXYBQY4eowHHsqBPFZ8w896e3seAM1o3Ah8RAEsVLPH1BB0quWE=,iv:CZ4ypoZhG/MgKJP2tk4tE/CC65ULB6VR+QYmMltFGJ4=,tag:XDL8mWdPpEqiZ6OLKclPJA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/crocus/nextcloud/admin-password/users/rpqt b/vars/per-machine/crocus/nextcloud/admin-password/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/nextcloud/admin-password/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/openssh-cert/.validation-hash b/vars/per-machine/crocus/openssh-cert/.validation-hash
deleted file mode 100644
index e971f15..0000000
--- a/vars/per-machine/crocus/openssh-cert/.validation-hash
+++ /dev/null
@@ -1 +0,0 @@
-243132bdc5136706ee224d98a96529e443dfb8fd086cc6202f30d95f6911060f
\ No newline at end of file
diff --git a/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value
deleted file mode 100644
index 4e8e3b5..0000000
--- a/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIBKcszb0YlcYG5GLTntOGpMyse+FxISKTdn3pVoJAzC5AAAAIOtUFcEICj2NcZZPcfl+JCCaDfmCxQtLytGH0eoFNL4UAAAAAAAAAAAAAAACAAAABmNyb2N1cwAAABcAAAATY3JvY3VzLmhvbWUucnBxdC5mcgAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7AAAAUwAAAAtzc2gtZWQyNTUxOQAAAECy8llQ6XQHRjjOTz/Le+Af6bW/lCq8ruJHPW8vh6tc2e9HFM7pWePxVeF0bCwWZ5IRNkvwjgfdbKMZG599racJ nixbld@haze
diff --git a/vars/per-machine/crocus/openssh/ssh.id_ed25519.pub/value b/vars/per-machine/crocus/openssh/ssh.id_ed25519.pub/value
index a9f39b7..3b7b89f 100644
--- a/vars/per-machine/crocus/openssh/ssh.id_ed25519.pub/value
+++ b/vars/per-machine/crocus/openssh/ssh.id_ed25519.pub/value
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtUFcEICj2NcZZPcfl+JCCaDfmCxQtLytGH0eoFNL4U nixbld@haze
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQxsrjjueq/+CdyNgzpy7PKiJS3OREWjdA/BqjpUBVX nixbld@haze
diff --git a/vars/per-machine/crocus/openssh/ssh.id_ed25519/secret b/vars/per-machine/crocus/openssh/ssh.id_ed25519/secret
index bf72d4b..1bd1ef2 100644
--- a/vars/per-machine/crocus/openssh/ssh.id_ed25519/secret
+++ b/vars/per-machine/crocus/openssh/ssh.id_ed25519/secret
@@ -1,26 +1,18 @@
 {
-	"data": "ENC[AES256_GCM,data:NiLXfIfhT+FUGFfrUGc2SBYFrmDIIx60IzuEIm+8AjxrJjgXmjp6PR4EJcvT19kk54mCrDx2devMYsbTCVE7hALqC6GD1DZCEEh7uSFobbgHv/nPrEG49FzQjw/4q4YXjiMc2J3jyVmbZf1lM39sajfpdlozxoS/YLGopYHKCPvPcYALWuTS3+GocBTmWCUu6/newtc2niPDmrBItXzKa54b+0xjD8pRhgfhgDL919lxH+fugh7QWPSx0c+LqdAgroUr9GkX0ofoUPeBdb9mMGcgYjX/EM81ZZzalnAkgsx4v7IEGEpeYxqw3gOm4T//8bkVXnrroqb7KY6c6os7M4NddMxLGJYJoTgAYMr71MX78NOIQiI2HLRaNudeMQ8PP9h+f8PyvyeJXMm4WiljGk+ojwZrh4+CnV+o5W+K7nsL4+gO6Zje3iEhEDW7Pr0VI4KtIho0UcMtbV++PHLIUowwD+YMftd/3wHmcUfGg9DwhDTCy4nSJOcaIUUZGkEGWkrsVxmu2/Gr6Zm19Iz9,iv:7GePCFLRrFOkD/QjDP+XrveU80YsT8O6CyuS770YbSs=,tag:HhN1SssO+dZ1vyBdjUrUYg==,type:str]",
+	"data": "ENC[AES256_GCM,data:NuuwsBJ5E33VfWQwHnCujrU44VN9YUi4QD3ZJBaBMgfmjMA=,iv:f/8P5xs/0DWvaashUP9pYbigU4EyQsHoTh/hj8tP/sc=,tag:afZMpL4jyLWiNIUnDo5nzQ==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Smk0ZnlQZlljV25weWhC\nUkUrdElqSmVEMlowRWp4MzRyK0tuNi8zeHhVCk9pbEJBV1dLL29LQ2l4a3RvVVJl\nYW9LR3ZqQndiU1FqeklKcUx5YlRaVFEKLS0tIC9LWjdBTUdGRWc2YUQ2YVVzclVO\ndnF4TU5TNHdKMWpBVERDNGZkYUxuSFkKElI/4w5sPPwkPgb2lr2ck7HdiKXaYHQf\nJFbdfN9uZ+ORwDEfJPriEV3FeXbUI6+dD42n1tdB1rPs8GrcoAlwFA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBOXBIQ2FR\nVTh2bG9JWWFra0VZaXE1MVBIdERWdFQxekIxU3VYUHN3YWswRgpvWVAyWDJwblgx\nM05jWFhqUFA0eERXZVZRTUxiUHRPRVhyZXZJMFMxRzZNCi0tLSBRbEM4clpHbmMx\neUJlUDlVaDZuOVZqMkI2YmxkOXEreWNSRytESlBjbXd3Cuz6FSIgtQJpmPjmIeL+\nsgG3eWaClcRgr0YXKaokHoBn+8NEiFw5RSTrpgDcsZySBe2RPZqMbDsNJlGmJ1Ij\nfaU=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQkF0MEo2UlN6bFhualpV\nL1NteXpYdUhpZmlqWWY4eGNpTFdKeVRkTUQwCnVVWnpkbUNxTjlhRTU0eXJZRytt\ncDJJN2JmWkJrbnhPU09SSzBaM2VGWVkKLS0tIGVMZHpSNFY4WFBoczc2N3VnMHVB\nZWEvRHBSZUN2dk9nYmVPbjViV1hUbFEKjJ3fWv7LdCwuS4VpdZR7wbvtdUYkCZQK\neQuZ0SG9zF87kL4BpdpXlX2f6yuN4ZdgSPZ5IXc1SFwPJZz3v3Vg5Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2R3d6WU5mK1p1dEdHVzNG\nSmZWRU5qdTJaRGFZTVZqRGtFcXY5aldaWlQ4CmJmWlJ1WlZlbDgrUDcrVWd6V0Ur\nUEphY0xHc04vdm1VMnJwajN3WHQ2UHcKLS0tIDNod0ZvZlZQalNKQmRhUFlOSUEy\nN1dmWnJLemVOQnhlMFAxWWl1bzk1RTAKu9wb50yH5MH25lb7Bztfr174nQMp9QLc\nUPXKQ3lgCOSltyQNtMOFvGYcFRVRfsSwp9unD0BEw9byhcGyTzchlw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBL1hUNnhl\nRnFVUVl5WUpwRjZGQUtXcmNVZzVDNUk2dXRjMmpNVmhKdHliNQpmYmZ1VXJoZjVB\ncUlIQTlvZ0ViTzJVbm04Zzh4b05FSDNzSDhWcjZVdmhzCi0tLSBZM01meGxyYnRu\nV2p3cDhFdFZUalRnOWZqOUZZSmgzTUxEZDRTNndpRHZFCnEuUAsLmtVIUuPEDqg+\nWvVb8mkHx47sgyK6HbJwV5obItuVzlbIZrrEVL30CDa7WzPUC/FxP1H7YPqCWYWl\nWU0=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaStpMDR4ejlwZzJzWnlS\ndkZDam1qZWpQbzVWc25aem1QcldZMHZmeGdJCnE1andLY2JWKzF1Wlh2Q09rWkw5\nc2psZEdFbWFtRi9ic0VDTi9hQVREYTAKLS0tIDB0ajhRNW9wZ055dkFRZGgxcDFk\nYWsreVBwOUxiejNoMVhGMVNET1JydXMK7wH41osgGbCHOWTYpRnw58RvT+vEJTeO\nspdyEnP4hqYl/+CGzYkZ0crJuVvo8oULAAfbXbWtOkVglqHJ2LxGCw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-06-17T19:07:35Z",
-		"mac": "ENC[AES256_GCM,data:Lr2/cMKdHIr+7orHw8XS1hvBngbRCybzIC29EBoREIEsb8PbTyHVJaN1Zf2Tov36h3XImarwG7tWEGqK/9KU35N20qJPlxfHzEzJjWo12oSxnLvMzN7sd7QygJwkwfOygeex4heZGUL8EDmqfp2DfINPVUShTNBmPtbb9q55ZzI=,iv:u3qEtkY2kGAVPm2D+DUwqIm5A/6hRqpgbu550m1G7jI=,tag:HBXdFlO5L2NHM/DfBpz0XQ==,type:str]",
+		"lastmodified": "2025-05-14T20:56:58Z",
+		"mac": "ENC[AES256_GCM,data:EyS804VI4ogWs0SELwfV6de1Yt8PU2qckwBBKuWws7W9EfHdDNWqYA15tUwn4hLjPrW8mgm7FF2/uf0KN9vi43tXUPH9eGnp9NW+BVQL6NObabaYRO/5jwPpxz05qy+HVDw0XF/trGeOwGImmbeSGtKzrLzBmh+vr7/ElzthCyQ=,iv:NRAiTCxS/zBNhGF5l4mGPuEJzWZk/V5BJoOeLtGyqK0=,tag:bCJYDt6xFzoTDG6AUsM0tw==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
diff --git a/vars/per-machine/crocus/radicle/id_ed25519.pub/value b/vars/per-machine/crocus/radicle/id_ed25519.pub/value
deleted file mode 100644
index bdb78c4..0000000
--- a/vars/per-machine/crocus/radicle/id_ed25519.pub/value
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLiNezoLFhE7umeN7Epcv4ZWymiztb6Go9FX/kyHEUm nixbld@haze
diff --git a/vars/per-machine/crocus/radicle/id_ed25519/machines/crocus b/vars/per-machine/crocus/radicle/id_ed25519/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/radicle/id_ed25519/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/radicle/id_ed25519/secret b/vars/per-machine/crocus/radicle/id_ed25519/secret
deleted file mode 100644
index 7de939d..0000000
--- a/vars/per-machine/crocus/radicle/id_ed25519/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:hhgdJTDAFrEaFcYZbD9OPj4HVYRJBPDYWUfNsNj65hoowlrsRYHF9FAJSQUNmznhQ3kmrZjElGxZxS0rP0LhTvbwrRAS8luP7gwuDRPsloaAli8rVbWoZNvutILmC547WEUU3gnHuwCpSfzbNRz73BqF3oGF5tUcsHQYor5Vzs5U7LuP0Psg8q17YAggnaFxWlHIQYT5H9aVWcass8z+FIixnE0Ss62m9lior5GEXAYuoIccEJsisfDjBCdk5sMKnhgJKyUxXLuBA56VSte748/JNx9p8ugbY6jbJxXEQcBVlCNklAzMlIrwcMpJs7GgO4aUm3A2eDM6P5ZM7LMhNxsLfOYLZkWAdVfaRY3TSym6oED5GvKoCXjmzGvqBaR/z825/wAfxw2L1E7CmzOFpTHE8BWC6cwZolZGFQmjUmw8hQ3qesRmI++gM73P5Sopjyq+qfl26VB5ncJ6nTictQVQeepOOOLiby67m0JjTErvEbWm5gTx3t4b0IkOTLl9Ci878+3JKfuUkUBWEgPO,iv:B/TsygWiYqC4wePXJqlw9GS0blzwuGMNBkh/W8FTUTE=,tag:vZh/8vCwWKnzHbdQqmdwJg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dVdIMVBQanlvRWprZ0Er\nd2RPSnRyUXhmNDFtb0FKUEF5MGJpTm94TkVrCjMvTWpicmhSTkNzU3Ria2dzTHNq\nZVhwRkl3MUdDNXJiSlhqa0hYRHNsY3cKLS0tIE0rQUE0cGdkbVFVc3JHWDdIS24v\nUlQ4LzdveUxzYThvMzFHditQcncvOFkKYAOMDXdTR0HLwOv5OsXQvGUY5QK4LQYA\ncUTyHL5HqnUn1+tnrUPWFkAGcxxv/gwLtta+u3qkK0HppXAU+4tiig==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBaGp1VEt1\nU0NJdnlqYm12T3UwZ3JmbFNrYzJlUUY3ZXZSdHNudDFOaHRZTwpqVXE2VXNnQTZW\nTWFTMDMrU2E5Q0lKOGVPZVZoSW90akhycitzcjlwUzdrCi0tLSBKMzFiK0hqSXdY\nN01lQWE0NFppcFo5QVhzTEozU2lZazVQWHhwVXFhWVd3CsfFbHYhIiwJj4uzGFN2\nmSWXahNJYj3vawrWEr7RppS7zw3EHNLmBbxXXSpXQzPspGqZbwApokdj3kcCaRfi\nIWE=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQlVGQitkYmd3VWd5cjlO\nMWNVL0F1TmJ6VjZPQ3RmTXJOU2JMejRCcDNVCmtHdGF6V0RDTnAycUNwRGU2TlBR\nUHNpNSs5UWx6OTA0bUltWElENkhIZkUKLS0tIDc0Q0tsTG01c0E3SjB6TDVaV2tH\nN1FsK3E1NVRIT0dBL1ZDQVlzaVJsOXcKWsL4BAzrfy7fQfTlJVRlDm1VgxcHRXhT\nJk2bgyJhgyZv8dejfZbgJDJDohEN6PpRp1qdVUxhMrUDuL6joiB6FA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdXZsUFdI\nWGtmY2pUYnlJenVXRDNCN2tQbVpDb1o3UG1hRzhVTE05TTZRUgpmVlRMYXJnOGFS\naHp5R0pxaXgxY3c3czJYemFtUlhETTA1TnM4VS9uU0RnCi0tLSArMVhlbWg4Q3cw\nSEdmWGxoTjJaVTVtZDArYU1xRmJiUGZNbVlpSDNuSGgwCsWB83ZKUTcN20C0ZuF8\n97ds5e5BOBfYzRFe4mjfIkqRqn+/bD51XZJAuX2/NNfn0QZP3CCw7NsOEG7IYPbG\nXoo=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-01T11:37:19Z",
-		"mac": "ENC[AES256_GCM,data:lw2Hc0N63uIcUImTLmVYV8iTXwbqL5NDf86edBwb71XjuXKYeGzKWQu/PgU9YSByw026egzT3oT7HBk90Z5aiVBzCy2ih6QoZsXkeWCpx2PrLUP1BeTMR/3P9GZnm+d/D24Hc4fJ4mpvy8vTNkjQEYjfLHbrSsqBabeugz5Gvi0=,iv:cUVPNTD46mRgWaU7ukUvj6wuZHOVvd2VjYo/eqJqBPc=,tag:zjlEN6q5j8895tkBTB4JvA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/crocus/radicle/id_ed25519/users/rpqt b/vars/per-machine/crocus/radicle/id_ed25519/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/radicle/id_ed25519/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/root-password/password-hash/secret b/vars/per-machine/crocus/root-password/password-hash/secret
index 9156edd..17598a1 100644
--- a/vars/per-machine/crocus/root-password/password-hash/secret
+++ b/vars/per-machine/crocus/root-password/password-hash/secret
@@ -4,19 +4,11 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRW1xa2w4UWUrVzV1ZDdS\nc1B5MUh4RHlkdGVjQVZ2cDJQRGovcjZYbmtrCjV2SUV2WFExVXcxNW5JNEVBc0hr\nYVkyL2xwVmVwVFhmWW4zSWgzbHRjQ00KLS0tIFd3azZRamhmOFlVWWM2dFo4YjFC\nU2RtRURmZEt0Q1dHeUhBZ3hoc1dVQTgKVGesd5Y2FoLaiuojOMevkXXV2K5wXFs6\n9G2JTx8lPBBt0J6tvnr0zKBXxnMJq7TcRgZ9fsnBC6/36IpJ+dZ2Tg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeU5jL2Ry\nNDZDOGVtYUVLRlJkczYrblRzTHFMZDNLdGRmT1VkWGxSbEcrbwplVC8rMmI2aWJp\nRVA4bWc2cjVZc2FyWE91WEJZQkNUeFR6MmdoaXdEbDdJCi0tLSAyV0kwL3JxZG11\neGNLNDRXUmlLUkp1SjRDTlJEZ09OWUNEVEtBZURCWm1JCv/h0VPNHV03gJiE5HO+\nXEScLRDtZ8g4eRoY58hoz7lHIG08BRYRYUEUEvcSTUnnXOVGbLEKq8vu71kiiubk\nTLA=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRR0JaTVdRTEJsOExkOC9D\nZGR6WXpYRTFLdXhDckZFb2w0RFk5cTFHZFRRCkVrM0l4QjN1bnlJaTU0eVY2bTNZ\ndDFGeXBkV2E1TEt4NmlMOHAvem42QUEKLS0tIGtuY29McVYzVUl0d2FPRmRadEdM\nWUwzWktjaHdvOHVvWXFKWVRzSEZKNlkKeeCozhNzrt1gI1QlBVACd0ytDaJ+VCG+\n3Fx420ScVSVq0SxpPNv1LOrYW/JyTEeFNCmuPvCSpMCRKmSOF2eoRw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUlZ6ZmhZWGVJTkNXTE1H\nR1M2RmlXNnZLYnhIWk9KRDFieEF5eDVvNkNvCnhsT3piakkrby9sQUZMSzlXU1p0\nQ0tsWGdsRGQ5VzVmVkM5UE1sU2xzYkUKLS0tIG1ab3EvclIwOFlPdEVaM2taaFdp\nVWV0RC9JQlFVUk9uemR0T0oxVUFmdjQKWwaqMcu47K59PBam7+5IDFzZYzLEdXNp\nNKqzOY7yNyMFv/QoFcpccgGIeVz5PBXYqKKJQdnSPQIHoCybVUvK5w==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbStkMVRy\nNjJYYllSdGFwRzBtemNTN2FMZ2pWVkVjTDl1R2ZVZUhtSldiWApRaU9MNk1MaDMz\nVTNZRVI0Tnc3Sm16NTJZTEJ5SmVEcGEydmR5RC9PM3ZRCi0tLSAwNmlnd0ovTFoz\nUjR1a0ZqMllXSlZ3NjZGUmY4L01JMElzVkFKUFBPTzhnCg19RCFy9FkH51Z1jxu3\nrtZF0A3u3P50CVIChMtS2cwE+YiDj1C6Dl5urkzA+nmg9h4/XfblT2RcTEXCbeDB\nR0Q=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZ240c1hrSmQxUndwSHdy\nMUJDQWJiNExvT0EwRitmcDd6VjFrQUJZNHg0Ckg3TkNOSFVQRUhGcFRZTXFmZDY1\nVnZibHFBVUdDNm9TNm00NTZMVHFWR0kKLS0tIHRxeGkwTnlNejdqeUswSGgwSmNH\nM0RMR2NPOUtFNjlGYityR1BUVnE1dlEK3Y3Qw+2+0XDwOmf323BPuZjhAn1BTYT4\nkEStKcrrVPsua4kQoK7rrdS8euTxmdDixXn7GXOEsfRBzmfaRSf0HA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T17:21:00Z",
diff --git a/vars/per-machine/crocus/root-password/password/secret b/vars/per-machine/crocus/root-password/password/secret
index 9265ddf..8bd5aef 100644
--- a/vars/per-machine/crocus/root-password/password/secret
+++ b/vars/per-machine/crocus/root-password/password/secret
@@ -2,17 +2,9 @@
 	"data": "ENC[AES256_GCM,data:R7GQt7/DDTtX6XUSydCuodA1QeW2,iv:VROiFMVtL20iDecEDVyFko5OvgYEA0Wcz8j/IglmH8k=,tag:HCfQ0oWVXrhvcV/QjSrFNw==,type:str]",
 	"sops": {
 		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMmUrZ2tZ\nNjN5dC9IQkRVSG9UdUVWSHJCV3FDeDFHM1RVVm94cW9EMTU5RwpOQnM3RGdLZ1Na\nK0UvekNqVDB3SlE5R01JRWs2VUcrMWpzYm9HbmJzbkN3Ci0tLSBYb0MrSzJON1ZM\nSFMwZGo2MnVtenVFQ2NEbzg1ZlpHMUFwYWtiZ3R5N1hNCnkqV9O2Ecb1fHGRjnCx\nXtAWFvN7IYB1ZV0SagRq7jdQ2g5FCRzcFV796rtND7E4YGrKH+Urf6ENxaCRqsrw\nEcI=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUXFiWWhyZ3BJR2s4bWd6\nbVQ3UjByWG9VRlVXSzgzSm5MSlpOYi9nQnhBCmxyLzlKc2ZLMnpqeHRtM2prNnJG\nZjZ2d294YThXcTVNaUt0U21pOFVhY1kKLS0tIDVDL1ZMdG1tUmhLRDdiSi9ZQ2Nl\nWjZCR3pSV1ViTndVWndobFlHQ0RFbTgKp24nhr+x1t4vbZECFTHVdctNZ28DePfo\nJcEvncKyzCI7DYQ02/xddgCrnwzquSZclwKcg6DT1zHeume55eGlCg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbWJiakVo\nRElSUUNCV1J6NElyQjRINlFJa2xzV2k1VWdUTHd1Z1Q5K0dmWgo4MmlpeElSd21Q\nd3RWVityMXRKZ2lxUDFGVWcwMmE1MmhwWFVaSFFHN0pFCi0tLSBXekQvNnJjbmNX\nTnA5dzM2QkdrWEZYYnhGUWZHZnhXM09tdTRhU0Z1ZjNnCtVoFcT/GdtN3Qursajh\n1zydqRjhglBB9thPLEwCjytTUhveOY23QWTl+2MJXJzU1TapnE2IPpHlXykAcf9g\n9Eg=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwc1F5ajZGVGlqbEdyUG9X\nNk9NakJMNWR4NWN6d2lFUnRNWmxZcTdQYmhRCmZySFFsL2lsZGpYakFuZnJ1czNH\nMGxlQUYxUDZwbU5aTlZaVVBDb05VdDQKLS0tIHZYMlhGejJMWitVOVNRdzcvWEhU\nQVo1eFNGRUdMUHhpeFl3RThNNkZMdFkKW2OpI5QDTFkCVQ5HMYLxPvSN381OS/mr\nRfrulaRXYpcKRS5xE+Kp4OboHIezcYCndLNxsI1If6twP+SqakeVSA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T17:21:00Z",
diff --git a/vars/per-machine/crocus/user-password/user-password-hash/secret b/vars/per-machine/crocus/user-password/user-password-hash/secret
index 43ced92..9cf5690 100644
--- a/vars/per-machine/crocus/user-password/user-password-hash/secret
+++ b/vars/per-machine/crocus/user-password/user-password-hash/secret
@@ -4,19 +4,11 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNFB6cHVvQUVCaGs5enlK\nQkpYd2o4WlFOL0FjRkpsSUxydG1tMmxVL0dvCmsvVDY3cnBWWXRnd2cxandHZlEr\nS3JKbHp5dUx6SHpyUnNIN0tGZkpKSlEKLS0tICtaMElCY0UrQTFRMTlqRysrcnFB\nVmg0ZndpN08wa09ldGRoWXBSTEZWOFUK57r+xqIX4uPMhco8I6B+q9OhYfNGInlG\nFB3LTCBGGItStWYqgNmbKDWpMJk/Mrm/c6mUrkhgCppaw4ssOCZ4YA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbTJ0cVJU\ncjlQaDNLc2twQmptY0RMbHhsYWhCa0MvR3lWcEl4L2hOSEIyNApaWkdTbkk2RytQ\nSDB3MERja1BDS2dDeU43N0E3S1RtS0R4Mk15NitXZmZZCi0tLSB0RjJEbHl1R3VL\nYkhRV2YyWUlXbWJpS29tVnhLVnFHNXpjRmJmNWdYVTJVCgTtdW8ko9undu70Aipy\nwYS8Vjl5lYXdCjYMpuaBDW7VngO8wHgGaZvcFZBWZW4qjoaLTYHPX2lKYEYJtQ6J\nhYo=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvR0cwMk1MejFwdXpQR3pF\nRUFuaGRlN01qV2k3U3FjQnJuVVRLdjBoNEY4CmdKcXJTeWpqazJIOFdiMDg2UEhv\nNnl0WEg5b25wbkZsc1lodUUxZkxLd2cKLS0tIHJkbHJtZnhwc1YrNVVCdDgweVVY\nakZYWlBKNlM3YlBiZnB5OWdwYWkrancKTMMFgAdfefUBtuihCuGlDHgBNXK9ppM6\nM6YliifuwsJLiXJrBdJCeOT4E8DjS1tG48VVUOeCAUImWbjL63c67A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbUh3ZGNTNHdZSHNiM1Rl\nK0ZzSkcwSUhGWEQ1dndRTXZaQWl6QW5qMEVRCm9XaS85S0dtUDR1REtpaG1RbmNF\nVXpwOGgvdGE5bFhIekpUTEk0ZHdKUUUKLS0tIEpnN1J6SldyNytGSFlzOVQzZ3RT\nZ2ZBbGpZcEhCTEtpVldnVXZkNVZUblEKrToM96r+LkKiWg+1Kf7PEAqdTjUapp1d\nBCrWUuNBL/0mFs0C0RMGupnuXsHPKN+LdvgwzeUUf54sezOSM73H4w==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcHpNRmF4\nQTdrM0xCRnFWQ2FJSUZUSkp6VWIxb29sMSs5eEh6amdVVTVlbApzcXFjUndXelUy\nSU1VTFlYcW9lbTZBNm5uVXRKMmFKZzIzZTdzTlg5V1E0Ci0tLSBCSkpBd0FpNkly\nQXpFMm5RbHE1eXZ6STNEQitFbkVSUUVoUGlVdFc1M09BCr641phqc1xBkM7mmSoA\n6PNXs7DDNmM4zgceGf0uB6WgBc/leJysYf8Af5DexxgJMLZpS97dVeyukR4uVoE1\nmhA=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcTh3dWE2ZzdkaEJ2Tmls\nYjRuWDVWS254TUY1RWt0bFpyTjFnYTQ5OTFzCkNmT3g5N2wrRTRJWlQ4NnovNzRp\nZ0IwVEgvZDhUUit6dFI0czdnL0JyTkEKLS0tIHlWcFVoS3pzendja1orQXNad0VF\nSmw0ZWpya0NtdlJHa3o0TDlGaGtTZTgKuvbeiKjcT+Km3zMeyey7damZfg/GH2Ft\nJSb4I7QUEW6xPR/Wzl+cmk9OoGk94tQ8SsPr11nYOGrUl6bOqaN72g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T20:20:53Z",
diff --git a/vars/per-machine/crocus/user-password/user-password/secret b/vars/per-machine/crocus/user-password/user-password/secret
index dba3584..72d6e59 100644
--- a/vars/per-machine/crocus/user-password/user-password/secret
+++ b/vars/per-machine/crocus/user-password/user-password/secret
@@ -2,17 +2,9 @@
 	"data": "ENC[AES256_GCM,data:Fo/Vp01uPR8nkb6H,iv:GlrAKIHbhGoL21Kxn3aXTJQ0U6hqothX/LO9kczOgpY=,tag:A2MznPnK90+Wx2S/9sIWtQ==,type:str]",
 	"sops": {
 		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBb3Z4RlhM\nU0hVSmhqU3dSbnRMSlFORG5ZYXZlU05SQW9WbmtXVHpoL3ZTSgpjOGtHem5QbitV\nWDdmTFE1M2RaQkJ1TEFSWUVaV3ZXVVordkRhMG5KRjJFCi0tLSBVekpETXp4TDc4\nLy96a0VyWTlCWUpsQnp4MjU0MGx0RUk4NFVwTzNsa3F3CqcuAGQ1oYySnC6BBV6Z\nUh5o+u2vB7VskUcTFGwfFC0eckYvSmj6EfQsTpVrHPfr8w3yD+Qh09mWCi3EdUjp\nlno=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNUNlRS9Gdy9nb0lkOXlp\nZnNFMXdEQlZTNUhZN2VIMU5ER0xmVERtTEc4ClNkdGF5Z2dmUjJtU0MzaUloREp3\nangwRVg1U3dPRDVtZ05jMXBxNDVHb0kKLS0tIHZnRFNrb29pT3hyc2NrWmZ0bVIy\nclU4WG9hNWVaVlVHUTFOajlrNzRrUUEKxWJkz0U7D4TE/cfKjEmh60mWlIGllfPN\nNmtXc0JsTSztqS6NFtAdqhBi9ATeb6qpdu3wNP4OEbHe9uVFP7nUFg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBK1BHWXh0\nQXdIVWV2djRua0dNQmJjNVdkNlgzRWVoMVZBV2I5RGZJakZBYwpLV0Y5Wkp1R1BP\nKzBsTisvc0ZRWHg5TTJPazhnUkVzTDBxSG5FOHo0ZTlzCi0tLSBUbUdkeVNQN2Fw\nb3Nwc2xoa0pGYzEyMEFJRWtDZ09jRmpCSnQ3VVltb3RvCu39Z3AzMxM4Eq3kSm7x\nH7tbm6Qbx22vzguLIOhltjqkRqChknMhwMlwzV5IHVWghtIp55xloW1HvuAzCEq/\nVBU=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsWHFvdWJub0UrTkIvM3Nm\nZHROcCtkZWduMjIxcmdSUjk2ZHFNTkZsWFY4CnlHMUM3L3I3N0tvc0FZall0VU5Y\ncCswR081ejBXaHhpMFZBTWdYZFRUdFkKLS0tIEZneWowOXZsQW1GR3d4c1J1OTdo\nQ1pVM0NTdktNVU1pb05kU1Z3dVZjcWsKwuj49f46Ty+JAHMV6+iN0puMa46Pn90q\n5GTUb4eZ61YFVfeJswJDwIyE5e6uiibUMdNnlLCN/JBRTFJvoMhpkg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T20:20:53Z",
diff --git a/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/machines/crocus b/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/machines/crocus
deleted file mode 120000
index efe6fd0..0000000
--- a/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/secret b/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/secret
deleted file mode 100644
index 3f4fae0..0000000
--- a/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:9b2ag6EGvzC6t2cyXizkfrJKObu9JOUUUU9gytBHnxZJ0msP+3smDvWYz6o9,iv:HMNem8T09zQfa7Jyg6eLjCpIIYaRbPjqXtquUH4K9wk=,tag:Mp6cmcPm+/IgeuXmgdFy9A==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvY1BkUm16UkE2eDhuSzdF\neXIrOXhhdWUxaE01Zk5LclpnazBuTEJQMlJ3CmZSM3ZWUVdOUWFCQTdyc3p5L0hn\nS3g4ZUlFdTFVTzUrZTJhaVF6bmdQdUkKLS0tIHRHaE5vUDJrQ0RPaC94STB4ZDl5\nb0NzYTNGZXFyZGI3V09vQi9SNXFNdzQKxWe1zDaRVvpcejQEB1tEFsc3zwfzCIXx\n+EQm9t9fjlU7rwpB2X1dpWyx6OZKRzK4ErvUhXgDWWBGp5Jz8DoXeQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBemY3K2c0\nM3ZYZHBQd2xPMXQ2Syt6RWxUaWloSmxna2FFVzFzZENtL2hhNwpkdkF1aHBWblVa\ndE1TOHJ3Ulk2TEJwZHNWSEcxRTV3bjlqMjVXVVo3TFE4Ci0tLSB4UXZnK0x2VlY2\nL0ZrVnFaMlVVa21lY1g2UVFiRkVFOTVJbHA3QzFVS2VvCpvONFyHigqWBYgx0YPs\nLCYroDHxwcbnRMVhO2LEj+eLwknJBvBLlZviN19pGjIpvuFFXt8Pu26OsWtAbCLZ\nvnw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSVh3bTRLaXl4bmFobWQ0\ndmgvT0Y1UzdkUmlCaVF5aWlPUnYyRXRTdmxnCldhNVlpTGZJSHBRVk9sU2l0VjRT\nWjFicWRmUXQ0TDA1dEF5b2hxdnJmU2cKLS0tIEY0OGh5Mk5jdzlpcFdkQVF5bDN4\nakFEUXpXQmVCT09wR1didGJMaGwrUWsKqOCiookFanh8GRtWjR42orvkk7HEVlwX\npdiVVb4KOvZXUmZxUTNnOlPkYE4k/kfZsM+B/Rl1QHG6kBtCwIknjw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBZ3M4dkQw\naThMbGVveHVaV0lNT3dPUjN2SWtXaVZ1NGEvR2ZKN0dncTJMNQpxMkpXM1lJNzVw\nRytxTEJwYVhjSTFYZ2NDTUZtQmJNeDFCQXN0QkRKa2t3Ci0tLSBJNnM0WDRyWjFv\nZDU3clZPcWJERHNuR1NlNU9wVktnNHUvbmF0UDhoMjljCmZR0QtAvt98ZZHZnrOO\nvwQQXpuItsMGoWWT3URwjENfQkU6VVgWJ1GfaNXXr8tst45PGqy4jmdrNoFREhfy\nA8c=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-11-21T16:53:25Z",
-		"mac": "ENC[AES256_GCM,data:gks9AYHofKUmYa9i7+8kpM3cEMWEfQmibjY7dLUqi4TDfLyxlUIoKmbptrwJgWTWBs+Tnb3YrU8RRTFGFXPyyiwForX0/mDHf1pK0+1NmxKWd8X/7hZmARaWXQGe3rwOLdlvgXyZ0qpTOYXa8vNCp14m8HHIvq12tY+RY7/l7dY=,iv:fz0Vsw0bmNr8wgVmRltk4xzNEGU9xGb0f/RilEyIBu8=,tag:AfYTEAUBoUw7sLd9NcMPgQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/users/rpqt b/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/wireguard-keys-wireguard/publickey/value b/vars/per-machine/crocus/wireguard-keys-wireguard/publickey/value
deleted file mode 100644
index 254badb..0000000
--- a/vars/per-machine/crocus/wireguard-keys-wireguard/publickey/value
+++ /dev/null
@@ -1 +0,0 @@
-aeI0Lu8Qr1r/qtMmSJzvg5Z5gJAWwSIhSmna3Pk9Rys=
diff --git a/vars/per-machine/crocus/wireguard-network-wireguard/.validation-hash b/vars/per-machine/crocus/wireguard-network-wireguard/.validation-hash
deleted file mode 100644
index 6357e77..0000000
--- a/vars/per-machine/crocus/wireguard-network-wireguard/.validation-hash
+++ /dev/null
@@ -1 +0,0 @@
-c22fbb033348a79707ce950ed15bf06b539bbd4d374b95dace7a3057f2d06c3e
\ No newline at end of file
diff --git a/vars/per-machine/crocus/wireguard-network-wireguard/suffix/value b/vars/per-machine/crocus/wireguard-network-wireguard/suffix/value
deleted file mode 100644
index 115c020..0000000
--- a/vars/per-machine/crocus/wireguard-network-wireguard/suffix/value
+++ /dev/null
@@ -1 +0,0 @@
-6db2:dfc3:c376:9956
\ No newline at end of file
diff --git a/vars/per-machine/crocus/zerotier/zerotier-identity-secret/secret b/vars/per-machine/crocus/zerotier/zerotier-identity-secret/secret
index 0f982cd..547a15a 100644
--- a/vars/per-machine/crocus/zerotier/zerotier-identity-secret/secret
+++ b/vars/per-machine/crocus/zerotier/zerotier-identity-secret/secret
@@ -4,19 +4,11 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NXlNbFB4bWdrdDZsS0lB\nTUc2MFRnWStvRW93UXRkcWxZZ3dPMXRleW1rCmdRUXhtazQ5b014dFJhK3NhSDJq\nTk1LVzNyOGo1RlZFMjhvVFJ6UnRadDgKLS0tIHZzOW42T1dmR3Z0R09CZFRQcXgw\nWG80MXJweDUrTHdDY085RW1TQXNSSkUK6LkvPYRfBiFJLrq+UXOkIxxRBinyIVA4\nOv+9F6+qTAsVF36zNLaSC+y1lSGH1QfLGrIqKWdHwPqeRzJ0fmnWEw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbXhUV2xs\nL3VNaUNlZmUwNmhZYjNhWGZYbGZ3RkJjdTJpVnFHNjZrd2pzcQppVTBwZ0hOa0l5\nTSs0ajIyTUxZblRWV1FTd0orcFJ3VG1VM0tDaVlIN1pvCi0tLSBqZys2b25VS3pS\nVDZXd2UrcDZDZDBBbTRSUjlQS0RCaXk3WEt4UVlqanZrCtiDuhJzNM8PEvEbknz8\n6BynCKPUVu5U/8b47w+kpMPLX90hzhLesvcMjsHRc8k9lTOdDPeP9v6nI/M1jtm7\n0Gk=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb1RZUmQrQk1INllDeWhK\nNkZpY2xhc1BuSHYvK2EyNzdkVFlsaGlTRWt3CmFjUmxLOFg3YXViU1FRZFNINE1H\najVXSDNTSHJLY00zcitVQitMU3RkcUEKLS0tICtxSThJbGhQZEpTT2kvSTErb0Ny\nTHlZaStTSjQ3eklzQzNDbHZHQkxITWsK7uxGqGNRU82fZltqYoam76jtcnD6CMay\no4UfTOj5XOSmV+KVGH+e8rEIkUFQItU7GDh51+rmmeM0jzq2iinEcw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMjJBUktGZkxqSytKMFBw\nbTFpTkZ2aGVhNG5PT2t4SkhMQ0tzUUlqQlU4Cmlla0lQNkpJWFJIb3JYWFVxQVE0\nNVNjQlllb0Vra2lKQXBxaU5BR055eTgKLS0tIFNqR1pSa3oyVDdvMzlJUnE3QS9O\ndFozQUtZeXI2blpmUEJRRlJkNjNlQTgKuXcMlm5EuJCjsoeUPTBZRPdKzvBLba0q\nJoaBjrX6qKjmMs9WgbEnoL7nz7i7DXOJTPTUULbhfKHM17MIkK4ZOg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcnlRLzJo\nVkhaT1AvUWYyc2IyRTFyakdJZVMwWjlGbllQL3A0ZVhvQVBWQQp0eGhiZy9ZbktS\nSHlvVVFJVVg2NnFYZEFDcjc5VWlYckhxRmdLSmVyMWVzCi0tLSBpSkZLNjh1RWcw\nai9LOGRyc2JjQjEybVIwT0RmdW1zNGFLZXBHZVNWMk5VCgfiwtplC9rd1LhEBjEy\nzeyzxShIuKIQ2IdgDMnfmFEmyMSJh9LsqE62nbzxCXC6QIaIYLIczKggz4aiCVK9\nihs=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZWF1MHUxOWRPYXE1Mzcw\nekt1UWZ4S3ZEQndDRjdTRHppUnVNVzNRVkJvClBQZGRMenY4bEovR2JUTXIxSXVW\ncHVrWHM3OWFuS2dIOTZGU1ptNEl2aTQKLS0tIC81cEFsR016dzB6QnVZdklRd2dG\nUjEyMnAzcXRtRExXU0R2akZGclk3dDgKLeZeDfzv5BfNmYt5FxZ1num/g/grZ7Xp\naLfufRxsEMrOhKZxTmY/x7ZxfOP6HfKgyH3j2tRAjBNwnPSst9QpPw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T12:16:13Z",
diff --git a/vars/per-machine/genepi/borgbackup/borgbackup.repokey/secret b/vars/per-machine/genepi/borgbackup/borgbackup.repokey/secret
index eb7e72b..69b5354 100644
--- a/vars/per-machine/genepi/borgbackup/borgbackup.repokey/secret
+++ b/vars/per-machine/genepi/borgbackup/borgbackup.repokey/secret
@@ -3,20 +3,12 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNkVsV2hP\nVDNiWFloMWVLMTNLR2hURTl5cGF4Tk8zMzhuSmx1NHdMSDFQbwo2SnFBQStTU0pK\ndkVtUGk5RGRvaEFTSWVLQXA1UXNxUzVSbDZ0OEZOZVpvCi0tLSB1b292aUZlaDBx\nYVYvZCs3WS9oWmt0N0tZSWNnd1EwTXlNeDRQTGlnQW40Chia0ihnLnSTMyIfijLt\nqbEsQ4nhoB37vAZN1goV5YSmp0RubZoLJLcGTQVWqdmhJ7FE3KjRcf1wDq3irDqa\ndZw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMjBxeGt5\nOFFnMzlsaEh3WFlyMnFrQk16MjRJNk9RWkNWemdDSWdXSjVXSwp1aHkrSDBUZHE3\ncDIrd2JjVEV3cy90RUFXMXJNQWpwMXh0aG1lNUZnSWI4Ci0tLSB1Y2krK0VmNkFS\nZEdiOG5PNHF4UzFTZ1ZuT3krQUoyMS9XMFNJTE1MeW1JCgR4TqauuGY6LRimxyTb\nNN6ifGjJftAE44bAhHMg9fvO3dMt9Ql0SPZaetkaPeuVCjJ59yJQW7AFS4IPYD0W\nTug=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SGREV21wekNCeTh2Q2FC\nRUY3NFJNbkFiaGVEaCsyZEt4MnZGdVNMbEE4Ck5OQ1pUN2puSHFBQjdnTTNVZGxK\naDVBV2N4OEJpd1YydDAxRSt3NEo3emMKLS0tIHArRzhTdThBSHNZRDNrbU80WmJh\nenpJUVllRURhZzRzbmtLdEJVMEtLaWMKWIuT+Asla9W7eZcIeBqz6jvnp8JCb2a2\nHaMn8TucGJrSuGbCTACTBDv6/CZUGpD/pVolwROVXalighoAN5ryIA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZlJ2dHJveWdmYUJpS1JK\nNEx4b2UycTV1VGNoRXR3ZkZMZWQ1aU81OUYwCm9UcG4xMVdabThCbHNPT2xyWm5x\naXEvV3dZWkoxbExvL25VUzdTUGlpQ2sKLS0tIE5ZcG5MSFNVemtIZk9ZUVNPNUM5\nOGlJaGNnQ2RVeUZmcVdySGRvRmhaY1EKRl29NkOdifFk5ZHNGL2WS/TjsQ7x4dKa\ncwyWwWb+2n5gyAwKPeV6oxQBVuebqvUAWeNLh7NBgqN8spXSqVr1rg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWHRVN0JSY3lobnQrUFFq\nOE9KamVXWkhhZ0s3S3pnK1RkZ1dWa2hhTmljCkxJZVVnQjhGV1pNS3l1Vzd2TmNH\ndHpNKzN5NStUN0lSY3hJcFBSa0VUekEKLS0tIGFHbDFnQTN1L2JOd3YwZmw1QXEw\ncEw4NlBsRHFkS2hpSEF3VitCU0VHK0kKBl8wvRWi/pEcnF7UomWkrxOc92iPcdm8\nfg35vdLclvbMf5vDJUfmoarxTruFY6+Gnns3B7Ai8ulFZGjFoYBjhg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ0xnWjdGYzZIcnhreStp\nU2dJeXo4YkphWmhzaEFGcmtqTXk5N2xZY1ZFCjlVdWpycmNNYVNta0VSbjlrcnRo\nYkppdFRWME4zdkdnZFA0MCs0elBoSUEKLS0tIHdkUlJVeS9WQmF4ckVJa1BkTjJJ\naXVRLzVLQmM5d2xKSDRJZEtabWpCOGsKr2Q7ME0iGCeo1+uvMdAkbGWujQtzT0rP\nvYTSUdIllvB4zCkj4vK1h2/tl7dp3dwg6QI/qA1NZf6vrHQhakIRfw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:43:54Z",
diff --git a/vars/per-machine/genepi/borgbackup/borgbackup.ssh/secret b/vars/per-machine/genepi/borgbackup/borgbackup.ssh/secret
index 654bcdb..2053662 100644
--- a/vars/per-machine/genepi/borgbackup/borgbackup.ssh/secret
+++ b/vars/per-machine/genepi/borgbackup/borgbackup.ssh/secret
@@ -3,20 +3,12 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBK2ZnejVp\nY0l1dHFuZHU0ay9uaFBXSTVlaHkzWVN3eGx1Nkd3OU1RVHE0OQpKek5pc0JhMUt6\nVjBRaXNZZ3NVQkZ0czhOQ1JhdlpoUFlFKzBZS3NseDhBCi0tLSB2OTg2MUdKRXFZ\nS202TlREdVhRWEM3NTF4UEdCeXpjbGhZZlM1V0lsbWg4CoqUV2oAUfSNBMl7SaGu\nPQxxTCal5cgi0Iig7WfqC6862yW59TU6SY6AmiuayaeDd7FkxjUuOEz5btXFNJea\naeM=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbitSWklP\nTFdRc0daNmdzUE9iRjloRTBaL1REakFtclpRS3VBWFBNZXJnNwpkTHd3d0JmRWhP\nZkhNWVdVaVRtVC9ibU9MdTRTc210RkM2NlhuWjVLMkFFCi0tLSBFY25OanZhVTFo\ndkttVEhCWDRFNFZXSlEvYWJFUUxWemQzbytiWGRldkJVCg8fbhQb0BWSbii7tVtp\nXBoLGXdEJc/e31xaEm1DKLJq4Y79U930NaZjNR7ho/TZSYNbL4MgKiHC0+fRiUlC\nlq4=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdG5qZzNZMTQ3NEtFVVFE\nNDdySUVOeFFLM0RncHFlbVlZcTFva0lpdWs0ClczL0JjRG5JeWp5MjZYWm1tTWxD\nQVdXdGtBbXorQ0JvbTRkUkh2OEFoQzgKLS0tIGpia2ZCYVhUbW52cnNjOERIWE5L\nVjM4R2xUZVhuNjIxc0xGdmV3WmpacVEKIjRzZa6fyQris6kbq9vXgCQrpr81Ol75\n8ELRx3Na/IyJnhNYZKv4nDjkKCMCL713i3gh1VZDM26b2N2/mWGZHg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eDBEaEE3WXBqeTVSVi8v\nYW02Uy8rRjJaWGxORWtEWkJOUy9NaUlkc3k0CjMrVlcwWjNDMjFoWXgramZZcnRu\nM25ZektQaU5ZQzdXeVQvek0rR0VFNEUKLS0tIHBEM0lQYXNQZ01mZkszNkl0amhM\nYjc0SXR4TG9uZ1Nzek5zUXlYZTZNNk0Kob3L1tVy8EW8urt6h2Ah0dOtfqs8f1vV\nBuOg1+V/NWX14YRrJFXuI3MAP3CNkgBc0NNNZRsB30u3c12DM8aZpQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVG9TSjlQZnFrNFFJSlRB\nVnFZbDlPSkRkU2tkYmN0dnhtYjFQYlcvUmxvCmtLNTJZbEliTU9Kb2RzQnZ2OGs4\neUxlZlNLb1dwV2tZL3dYRDlvZXlhSnMKLS0tIEI4L2NsU1FXS2t2Y0ZQaHF5L2da\naXVxSnd4Rm13Kzg1UFBRQ25Lb2J6TFUKKX4VKjIPL4v5AopIDbIFVFWGgEo7xiH1\nYKFioWEXetcSD41mUQ8xKyokBAhqmbvrVN1B2HzcH7T+sQJzeaP49Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWlJMdzNpQnpLbmQ1T2dl\nbk9tdXlSZ0wyZDBDVmU3ZS9YWUdMMS8xZXhJCmFlN05GUXUzRTRpSFgxdUhLTHdp\nR1V0U04zd2NvMG5VVitVVEJkYmsrdnMKLS0tIGR4RnNaRkVocVJEb3dYeDIvbUhj\nZ0JCelpwek5QYUNWS1ZBb2pXRnJ3eG8Kd7PmxIG70scR09REGZgsHlDcxsbjjG3D\nHBmj7MfSK2Liqh9iuoWXmrfbHBrmpIpETRfnJTnyuy4w44vSn39baw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:43:55Z",
diff --git a/vars/per-machine/genepi/disk-id/diskId/value b/vars/per-machine/genepi/disk-id/diskId/value
deleted file mode 100644
index 3007ad8..0000000
--- a/vars/per-machine/genepi/disk-id/diskId/value
+++ /dev/null
@@ -1 +0,0 @@
-72b27bb5253045f38a07b6bc368ab85c
\ No newline at end of file
diff --git a/vars/per-machine/genepi/freshrss/freshrss-password/machines/genepi b/vars/per-machine/genepi/freshrss/freshrss-password/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/freshrss/freshrss-password/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/freshrss/freshrss-password/secret b/vars/per-machine/genepi/freshrss/freshrss-password/secret
deleted file mode 100644
index 717fd48..0000000
--- a/vars/per-machine/genepi/freshrss/freshrss-password/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:onsK2gKcLjQq9o6af4+MOHSLrsbtAnRfOA==,iv:d8Ux7K8x9axBL5a7EljVyDuAXgmRRSKpzD/cPU4si9g=,tag:W9YgQ4843uhfS+h+qKry6g==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcEo1djg3\nVE11ZDZ4T1RzaWhKTGsvaXBJSEE0ZVB1MmlkY2FDaXdjNUlzSApsTjNKOW1nQWRn\neTNvTEZoRUpvZlc5NjVLTXVPSDdnZmxPTFh3QW4rOG5BCi0tLSBxUmpkN3NGTEZC\ndStTTU9DVmxKWmVCazNIUHIxUlZvYlZXbzJwOVFoa2ZVCl9cxR6AlmRRFtFDtNwu\naNLTAqZjFUEVQaSCPQgfUHbMhHFJ5QGM2ySWoxGkwThGHUrFzin6hNDEHF3CuzvX\n6GY=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNWFuY3FI\nTE9FM1p6Zyt1b3ZaR29Uc3dQdVJlWHlFbldkNytlUUMxREdQKwphY0JVVDVxTzly\nUDRFY3hzeXRBNlE5NW1pWjkyRDN0SkwvazBuVDZ0eWc4Ci0tLSB1K3RIVzgwUzkr\nczVpTGZheHN3UXk0c1hvcTVFZTd3cS9nU2Z3QllxSWhFCr5HcEf35VN8NTRp5b7L\n+674JlDthUMKT/7gaQ98f9aV1CBAiqjym4DfFMZtRpWrzU7NHc4sPwn/EjsC9bAn\nmzQ=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBd2pIVmtHVFBJek4rOVhR\nVkpTVjJ2TjM0RmJHS0xCWUxUL3pRNy9jVWxvClUvZ0JzcjF6aUxQSEVWSmwyaVNk\nenBpblEyS2xSc0pic0Q1OGpINmRDcncKLS0tIDVaSk5LOVhZYXZRd0U1bTFOL3BT\nS0VWZjh6MlZBejNFcGp5ekVTRm5BUjgKCPFWPtgLCg4jYo6lMnfyfnVwzzaSW8ur\n6+4gKUcXCUNXjUO5He1SJ5iKGZ/QW8RwQnQr3oC16gqRanMR6U+lkw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFT1ROa24rdno5OExiWW9E\nbzAxUm15S2dsQS83TE5FdWdkVU43d0trTEFrCmluOFpObWFScEVuUXJYSlUrL09m\naDFGQ2hLSFZidHRkd3lJSFdOWWwzVFkKLS0tIHREaTl1UXFYR0NSempMSUFGYzh0\nRzJ0b1lrWkhsdjZnVnBJZmdCcTFNSjQKOnhp0DvgcoKBu2y9dRfk40JNqFX+D8hg\nJZQ64wwiNZ3fvfRSKOY/TKdlqsHxxYnW343xkLy9aRJRyr9bGNrepw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-26T21:37:15Z",
-		"mac": "ENC[AES256_GCM,data:eSt9+O86EVGQtvU2sSB0GBs+shBxYcyYI2QeEViuXsqRUSCz0KvnzODFySp1Qn+oaJPEGgvjhACrYHba6UekErFFRQ4C7Ji6zEkM+PhwJYLTgZU7uVQuqgcMrqPWMCJbZy2VFcQEr65FeCz1IYy8rvLpepWhURuGErz/fSJAl6M=,iv:FaWxJBJrDA2pp54R2G2TDRAC9hiSROw0WnxEUCFZI/Y=,tag:vQu01Rk4EV68MWm2tudVyw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/genepi/freshrss/freshrss-password/users/rpqt b/vars/per-machine/genepi/freshrss/freshrss-password/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/freshrss/freshrss-password/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/gandi/gandi-env/machines/genepi b/vars/per-machine/genepi/gandi/gandi-env/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/gandi/gandi-env/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/gandi/gandi-env/secret b/vars/per-machine/genepi/gandi/gandi-env/secret
deleted file mode 100644
index edae2ac..0000000
--- a/vars/per-machine/genepi/gandi/gandi-env/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:/rRF/mvM/FGW7evaY0C+HpGnb7yho2UobKzVIAkGu7PFQjzu4iw4oYniSIgSTB+Yf6V+rNKsRSANJer8gVhmh7CVfUw5JQ==,iv:B2Rrde1/rBnFowFk7KY1bppnOl/q1ZMgDNNXLJ6xjlU=,tag:yN3dL3RXy7z15KaWVqlepQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbVJaNzNl\nU2d3aU51YjlpczA0Vm9ncCtYQXRlekhrWEFsSFJMRXZhQkZVYgowdC9USTFibStp\nTGhsOU0zdnlTTk9rNUxnaWdHb3FWQkhydVhnYmZEUE9ZCi0tLSA1LzFUbTV5Tk5X\nSU8vWVpaWWVFVk5hc1R1Vzd5eUtsc29tRkRCa2lyMXI0Co6z3VepScVVjuf83DgQ\nvi334xaSGpFjoqdNk1wtIbinX5DV9XRPTzD823vzcwE8ruPmeVpRXkgDhMwLnZXe\nveE=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdGJNUmtv\nR004VUNGb1hRZkxFVzVXQ2JIUlJ6TjFzOXRLalh0M3lYalErdwpoN3VKU0N2NllT\nczVjSEhsVkVoNHEwcGQ5VlJHSW8ra25lYlJxVi9mSWVVCi0tLSBmUE55Y2RSNm12\ncml3a24xTlVQa0Y5SnhreWFjd3pSSEJYR01TWEFLWUNvCrGCYNpo88gpVnA+4pAl\nlVe5xlvm9jahtO4KGkSJBMO8cwRwzzJvTSIc4g1Fup5TsBNzDK1TpbvK/f1oahc7\nfZM=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3VHhXeGpnbUc2ZjlLWjhl\neFNTTUZUZ0cxcys5dHh6TjgrUDZycUh3akZzCmFkQ3pMeldrYWorTDQ3UVkxbFFT\nRGwzM1hiWjFMUDh0bFFKN3MvVkg5SGsKLS0tIDVZQkNTVTFqRkNoV1dBMitLWE9r\nQjBmMGlrV1lxTzl1dkJ3YVJGVmE0V00KEaTRu6ocD4Vqnet6+UkvMUIM1wMF0oGh\nhspAFCPExJJclFFxYgcWv4eRTsDO6PdAHnYaz+/l/O9epLA/epHnvQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5dWg1MGl3Z1ArL1RNTDZs\nS09mZEJjdWR1WU8rSS9YdmpCT2ZLQU1hcFFNClZRelkyWFVrMmZuRzc3MjF6TkJP\nellaMzgzTXJCcXJxS3Y0OHdwNEhadEEKLS0tIFBuRzV0WHR2WGt1c0hDTzhRd1dl\nd1lUMnZYaHYzN2t5cHN2S3ZQS1VQbm8KKITvkz74RYiwE1LtD/R8l6DIxsBl37Al\nCsfOALY727kG7RgcE62shU43GYo6zsvnVJaZ52gvRT8oK11D8/EoKw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-29T11:45:14Z",
-		"mac": "ENC[AES256_GCM,data:zb2U7OhXBWJmhZPf2/9G/BTAcaqNXS7zaGd4WppKf2fsHtbZZCswd9DfaI/0NzfknQgKlhmqr/qN/nG1UPFhosQGQTcl7Z4od57EyN6WDaXu4fjJYQHZ1VB6HvKD0c0bvb+yBX8WPxF/EW655YQvdV/x8VU1b+rxhGPCX4U1iPY=,iv:wt5RTsnv2hkF5PUo5ah2NM8HwEEBXrE44krI4Pgbbtw=,tag:7nS69I7ZG+kkIU/cmthq6w==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/genepi/gandi/gandi-env/users/rpqt b/vars/per-machine/genepi/gandi/gandi-env/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/gandi/gandi-env/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/gandi/gandi-token/machines/genepi b/vars/per-machine/genepi/gandi/gandi-token/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/gandi/gandi-token/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/gandi/gandi-token/secret b/vars/per-machine/genepi/gandi/gandi-token/secret
deleted file mode 100644
index 637b09e..0000000
--- a/vars/per-machine/genepi/gandi/gandi-token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:PW0hHJALRXaoXPSeqnxPzwepz/u+J4QJKd388CdrLJ3TUzm7IKqstA==,iv:VF/0ZudBmzdZX/VWd/L5ic86LQlOfSUgBmwckvw9G/g=,tag:FXFU3FlewhRbZei28vP4Jg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdytKNDFU\nWkxTZ1VIQWs5L3FPVEx5WUJyWFZDaWN3RFIzUGN6Q1A4cmdROAo3TWZ3RU1WVXlS\nK1RoSHhsdU5STjhVWUovZktQOFFtUlJjdGR1WXdFd1MwCi0tLSBhVGhoY0kybWhu\nYW95dHFUOWtjelg5c2Q1cWpXM3I3dkxsMmFwQXdPZy84CgmAR4Ifa8IuUsEflLu8\nZKgFMWDo4akFoPHeWJ7m7TGl1br3SikeL36GBMYNymyCmEQJSZBsXbDrGItj+Uve\nM8Q=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeHZsbmNV\nbDRBdENUcXAwZjd1Vi9KN0lTNzIvMTBkSzgwazdYMHZMTnhyagpXRDJmWHhRY3VQ\nd2JBY2xGRm0xM1NneUNnMHhkdzFxeHkzd2cvQS9sUFdzCi0tLSBZcEZuT2QzNHBQ\nK29LZVN2UHdNRzUrRU51Y1c0cnhaS3dkeDk0bERrdDVZCqm9AhmUZJytrcIl+6rP\nsXwqFfgEQRwy/WUtWAFxqjnF38YjGomqbyMC1E/vwGDyug82uYdu0VCYK0uOBg4r\nOkw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WnFUSTVVZjhvRk1NaUJI\nZWhwRTgzZWFGR2JXdDNNS2pPTEF4WkdkYUM4Cm1lWUFCdm9CcGxyQTRuaSs5eWZB\nNXNBRlNqZ2l5UWNuNS9ISnZ2MmJvWmMKLS0tIDdwdzk3R0FkSm9jSEcxbWlsdEow\nN0p1a0xIbWowemlvb3dTUmZmWEowM3MKNPkXMqvgCnWPIUhyPBhqq21EcNnQJDHo\nCUghB99hnhlJPcH3Kjhmq3d3Gj0HDgNrEiPbDVsfnaF/44uNbbCPUg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZkF3c1Rsb2J2ZHZZQi84\nRjlUU09kN1hNVUE0ODVLVE53bUJGK2FaTENNCkd0aUR4YXQ0ank0S24raXZMdDdN\nNmxobE5MRXdISFZTR3dFM2Uzd1p6enMKLS0tIDRFV3hhR3pBSzAwb0JUSWVMNGdj\nRkJPekxLcW5DanpmRmkrVnc2NmVIRncKB7OrdWNq72I//Tgxtw+6fQ/6nheg2t/k\ngYlEJiZUBl/RTCfSMD2N6NGF0jpd19iQbJh+kwZqM5W3JfNcfV0fpA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-26T21:22:22Z",
-		"mac": "ENC[AES256_GCM,data:vZchrJpNviCfUYarQG6rZXB6pFAwZga5yGIZZEYCoqWBjTQqnUj5egOmRcjrIDH8YpW51Jo2iXLUg1qkGWfl7rEm7rZIOe6mueh/OSceftgUKtp20oC0YwWclo3Fm/XZAhk7TuzelCFT96gInmii2A9of5J1913g2h1lizs0nKU=,iv:nTVefHS/NZ+sQoPl6YI8YDQyZ7f+tv/B0VBzBt+4VaM=,tag:AdGB1xQa47DbwRu8WbauPg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/genepi/gandi/gandi-token/users/rpqt b/vars/per-machine/genepi/gandi/gandi-token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/gandi/gandi-token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/garage/admin_token/machines/genepi b/vars/per-machine/genepi/garage/admin_token/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/garage/admin_token/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/garage/admin_token/secret b/vars/per-machine/genepi/garage/admin_token/secret
deleted file mode 100644
index 1336ae9..0000000
--- a/vars/per-machine/genepi/garage/admin_token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:QOgo0cEpMfRuOfXs0LKvCsn4nQiCu1QsFPCZ3q2DT8mHka9i/h2UPwEMRero,iv:kJvgRalM/j0NCKlETcc+1u26WNctK7dsKp9caw+LJBY=,tag:s0yYUV3U9agn76ZbuGbQFA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMmoxYk5X\nL2RON0tpUU5xTkU1cmFxQ1krOGRCeGhhZWd2amRSWlNMVTdYTwpWU3VibE1XUVZ5\nQUtDUXF0SWE1djhvMlpHanZITXNIYkhCUkdkWnBpenU0Ci0tLSBWNndlZ0NmNTdR\nQ25sTSt2L1FQL2Nkc0pqRlRuSmFIQlRMYlhZdmFDWkM0CorSl9wuw6Z/c4k5bNaA\n3n/JA49y2J3TAWwzt2qCPZrE0cIA5JuEqXQmbq/nXk9Aom0YU1dlkrrgEZLO1bQj\nvY4=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbUJmeXVK\nOVNQdWl2ZWxNMGNsTUJHN1JwelV3SWhJSDVaNms4b09yOGhCaQpPUGFNMHhPS1Nq\nODFUb05xTTZhbWs2anE4VFF2SmU5U0VjeW8zUU5QYWZNCi0tLSBUOWtJcWZpT0NI\nOVd5bTBQVFEwYzlVTXpSVFJYcmdTTWVtY1ZvOUNGUVR3Cp1tW8f1Pv6x0YlDALZF\nT+rG1THjnZIT/y4FgSBnkHB2AuDnZsSI9RFCz7HJ0JeylDozCUOIMHGqIWSEawVL\nhyc=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRUw3UGpUdUNFOENlakRp\ndzFTMlVmRFlwSUpoMis3VzZ0K01rODMwQTI4CmxMdHNSL2NNaFNnRkVlMy9UeCtT\ncGEyWUpROGlsQlRoK01wREROK21WSjQKLS0tIDQwanBPWUNpNWhkNStrSWxncjdS\nYVVxcDFpS2plWGJjSnRydjJYM2hDSmMK4V7yFek3HIE4wYQxp2GpefoivID6vnVp\n+/2cuferwusjdBgHrbL3XPUn8bbHwg/VOBHXTXeauj43d0ogr+zoUg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcHI5Ty9Tc3JhYzJCMUVK\nREp3WVFQY0ZoRkRkako4bzIxUEM5STVVZEIwCkdoWWhKd1lSSXl3WkRMTWJoMWdF\nSUM4MnhoMXl3bzRDRFFXYW1Wd2dlNU0KLS0tIEdKN3hHRVRmRFNGdXZsc01QVE54\nc1BuRngxZWpsRXEvNnp2dllGeGFXV1UK1KQsYV5i1h4e/dWdYvQ+OYp2KaAZ+8vA\n9/IsuPmoeuaAU9DyTpG6d88sst6tE0gYsJXLUR++p2B+UPYD4rDJPA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-19T21:51:49Z",
-		"mac": "ENC[AES256_GCM,data:zaXINmQBZVN4dvvm9+O3T5nSm6q41J9fNUZ3Ye7/RcnQYS2XwiItL2PJ+Y75SS+2w40JGGrmkqaeUcEr49KGF0fU8ZxwuNelUoL7PuALA6lRsdTLE6plTyXABDFbl7yNWOvZH4P4xMJcYiJrNK2TW+7Kmd7mKtytpAKMUI/dNKw=,iv:MM/M9DwFkDaiqARfdWnEsROnFpT/diw5pQXLOHMFgZ0=,tag:ZzA54TFLYziKo4A/TL6CNg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/genepi/garage/admin_token/users/rpqt b/vars/per-machine/genepi/garage/admin_token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/garage/admin_token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/garage/metrics_token/machines/genepi b/vars/per-machine/genepi/garage/metrics_token/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/garage/metrics_token/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/garage/metrics_token/secret b/vars/per-machine/genepi/garage/metrics_token/secret
deleted file mode 100644
index 094e5f4..0000000
--- a/vars/per-machine/genepi/garage/metrics_token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:dqsm3odV1kIx3sbHrpGoxMmaBp7oscTfb42mKSQXkSZA3r0SUyiox/faKRid,iv:TiU/MHNOOs18afosr9te3UI487Of6NR/5bZEU1X/Rz0=,tag:tulweBmCracNztaP0YYFvg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeStGL2My\nM3E3S0ZzUlBPWTVSaVJPUElVQm1TT3h5ZDVzbWJ5Vkl4cFFOQQorUGxSZWtQRG8z\nN2U3OXhyTE1xUmk1Y0JrL0pwUlg0U0tCQzRjSEl0L3pZCi0tLSA3VWJrMkRNVmxw\nQyt1c2ZJY0RqYVNycTVOb0lpSlVPOTV2UmVUMUZNUHRBChw8V3zf+qA+EnjjvuPC\nCbv2veIZDSWlGvq9BcF450CMSUk9F/9hAUjJHQFyA2HPW2uLxXdvnOjpcuHeKtzD\nRMM=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcDV2dCtV\nVmU2cEhoSnJEbTVwbEJGRG1reEtEVkNjeE5LRXJFd2JaQkpTVwprdkVSakF5T1pz\nbEhUQUZ3VVF4SzVGZGk0MlhZbmE3cmNFdFRvYmRGOGdjCi0tLSBkOXpuZjdxZjRP\nL2hxRWNqZDM0aVRzODhidFUra0hFaDYxNTJwUVl3RkpzCqpFWeGwBFd/tFm2T61d\nLyxjqpAyvfmRC72DF5633PyNRcx/ZG5QqUC9YaYBI5owfJBwjPI6UqZ2Ym8r76qs\n4tk=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4d3pBcDZBS040L1p4YkxO\nVzZnd1NPTVdsREhKQi96bm9hTnRIT0hIZFQ0Ci9OWWRCQjNIUzF1MTI3L3Vla3Jh\nR3hEUldQMk9PNjdQeVprYW0vcXAwYTAKLS0tIEZwN1d1V3g1WGQ4WGxiUzI3VVdV\nUlRubUMrcUo0SGtxTkM1N2YzK1FnM2sKuy/7GpLG8uUa3b7ddbTh8vw9fhemyTgk\n91u+c9u4DGkoKbxlXGwYGL9Bl9ZaciDxgX95XK9oYDmkvzDhSN/rEg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MjdxTDJPa1dHdHdyN1o2\neE1kTU5QK2kxVklielhKRXowQnNrMFh4aVRRCmVHWDFISkhsOGFLMUdVSzh0K2xR\nT2srVlZYUXlQc1psWmMzNkg2bHpEZ2MKLS0tIHRTVHJndjdqYTMwQ0ttWEcvWUNw\nRUEyUGFZOThGWFE3V1pQU0x4Z0F4cHcKYR5FU0kwoZHe32skIWuuyXDPAmsZhRVP\nW+VAuwCLQ/AtaKEyzUS0d5oxQLplfJZoaAF8vQhuWSx9m/dHOqc88w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-22T13:52:11Z",
-		"mac": "ENC[AES256_GCM,data:JCmuUh0D+vWL8D9ogsWX70JBSSoUNxGN+R7kHFprK4ZCcAs1+zCzW/dg7qGcCrQXD6QkNx+nfM05kYiQKNeHXVavqKuOGhqgamPKrHnu6To1y2fNKPk9GbioZTSVpRiICUDGTUhsdQW0f77ekCMNcU7ElzyE0t9BhiwEmwexpbs=,iv:uUyppaoNVCmXkFY+ZrI5enRlEOAZ4+w30awlh86KpaA=,tag:R3fviJdYM+4SQfo3hLOhwg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/genepi/garage/metrics_token/users/rpqt b/vars/per-machine/genepi/garage/metrics_token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/garage/metrics_token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/openssh-cert/.validation-hash b/vars/per-machine/genepi/openssh-cert/.validation-hash
deleted file mode 100644
index 02779a2..0000000
--- a/vars/per-machine/genepi/openssh-cert/.validation-hash
+++ /dev/null
@@ -1 +0,0 @@
-03d96c6ed6a59594bf0faa06dfcb7d7959628eba37fb4c35f6c95803edc23b90
\ No newline at end of file
diff --git a/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value
deleted file mode 100644
index 9219ad7..0000000
--- a/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIHcv5O9kZ5PjMVSVvmRNK1FQIQ3fsx5I/bq/nVHEbdg7AAAAIFwq0inZe4DX4DuJx/vbfjG5XLZ46MnBXjipdHgD9LBgAAAAAAAAAAAAAAACAAAABmdlbmVwaQAAABcAAAATZ2VuZXBpLmhvbWUucnBxdC5mcgAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEBUtVWziAfc5PzYezSlbAXfFXLP1KoPYHPUtFaon0Fu14j3+RhKC7nylUgvGCOm46dTq+S9YoDZ3SqlwxwyD4cL nixbld@haze
diff --git a/vars/per-machine/genepi/openssh/ssh.id_ed25519/secret b/vars/per-machine/genepi/openssh/ssh.id_ed25519/secret
index b608edd..859b019 100644
--- a/vars/per-machine/genepi/openssh/ssh.id_ed25519/secret
+++ b/vars/per-machine/genepi/openssh/ssh.id_ed25519/secret
@@ -3,20 +3,12 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdmlvV0hI\nYWt4MDhnTGQyUHdxUGJPVWdieDBYNmF4YlNpc3hWNUxHZUhmTApINFRVMzA4SWlm\ncnA4WFBwUmhXRkxubThWZXQ2YWZzR05YbVlYMTNIV00wCi0tLSBwRnVXeGdhS3NH\ndVNtbGxJWFNhVWFHaTR3bU1KUi85OUpublNERzNSTUxRCjL7jh33v1evcpv8eGiD\nPGffAHKUGd6NoszFIffaLH4AAp7jvVtRXGEOosyxZjkl8T14BRVvBygNtCzPuXA7\nYWw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBa2graE1J\nTXpVMGxYOU52UHBsYW1SVDdsYTFuNXVUK3RUZTN6Q0lNcGM0KwpLL3pGTHkvL2xz\nM2o2d290QjVhc2NmemhEcEVmY2FWTHJyK3JIOVRxbHVzCi0tLSBIdkgyZjdzK1kw\nbGR5bUtVRDJnUExML2V3cFVMa3JzV3U3cU1TbmlsZFBnCvpCfNadbvEWZgOYX+wP\nx+jHCQkiP38aHL6rKmGQkO4yocMvv/eANNhHJe46tT6Vy678Ho1CdPiPS70q9Uh9\nDfo=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZXRNYmdsUW5KdUNqWTZa\nOE1jWFhpdDBvakFBRE1KUUVVY2p2Q2xsdzFRCjlINWpKSTQ5aU54b3E2WGNPdEY2\nUkJhTy9YZUlGeW5ianV6dEhuN09nUUUKLS0tIHJKK2NNdGNkZ1o2N1dIK0VyYkcw\nazdycjlpTnlKU29ncGg4bVA3UEIxM00K9rtN48IvvY250zbM7WkQMGQ0rZmznrHH\nlaOS+l4WcX3VouIvKHIwNSNhh//psnOblMWjv5fBtGw3Sst0rzyL8A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdUZtbDJScXRXQ0kxQzFy\nT29jTWhPbks0NzhNdnBvbFN2azRKbHdJTmprCnU4clVqZnA1QUxCTS9jZGIyR0xm\nZU9qVkdVUG80QXN5blBiemtXekJ2ZlUKLS0tIHZaS0JMeGJNckJ3RmdhbEdvQnNs\nYXkvUmwxNHZDOEhWWHJ1YnJhazB4a28KtMVaNZB/AKP3ZatPzsSCq4TUfkPxg+Ir\n5Vmxg1Kv/zA4aeIA1En2EL+oHsnPMBcVWBpn7uBfMX6Xo8xZ2RzmfA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RUhUaCtwaGZzeWNnLzU5\nSVpUMS80cGN6MEZ0Zy9oQkdmU2IyUHU4RVhBCjhvb2lqT0c3aWJYWkRQWWJpa2kx\naDFtN1ZxRXZEOVlUTFQxUHlHNjJBSUEKLS0tIGhzWW1JR1JYb3NCc3FNTUFoRnda\nQ0VUb1VEOHJBcHlQeHo3V1hxeG9Wb3cKW6l6aWLF2FQlgQspORpdn1u1Cmr2zF7w\nMGmywIz7VMnWhcMDHXelqXAWXXqkKcEW3TFKor0SnUmqPOj4fFSCPQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWEpFbzQvY0FSQ2hRaE5R\nL3VvNDE2SklhK1N4ZEZrRmpqcElBV01oWkJBCjVTVnVDSmc3aFJmd0dzNmc3ZFI5\nOW16Rm5NSXJ6N0hYdENQV2tTdXZuem8KLS0tIGlUVTVhQm5qend0REJMMmVnUGY1\nTGlVNWJ3UUN3MmhGS043cHg0Y1FBWW8KL3No5ItaAFdbcEF0v/q5yZdYATKxO2UX\nyDwLVPS8hdLYTk8XzzEEMQVBtzrDqahHp/uZ5LNXePJrlNQEtj0/Nw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:53:03Z",
diff --git a/vars/per-machine/genepi/pinchflat/env/machines/genepi b/vars/per-machine/genepi/pinchflat/env/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/pinchflat/env/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/pinchflat/env/secret b/vars/per-machine/genepi/pinchflat/env/secret
deleted file mode 100644
index 5150265..0000000
--- a/vars/per-machine/genepi/pinchflat/env/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:Sfpe4CSU6+923CWT4BGzizP3fNIkCfYJGDvIEFRVDAgnVCAtGl27+q4936CNeIlmzrOjatpIUgTFK/XKB4euNK9C9/baS/C7rB2oDyaebFSiYEGpIpEMjI2V4kK+TwTfrtwrgOl0gjAVKlRJ9+1fmTrPADHn0Oqn7cPMDg2tNh7Lrb3ivyYxxq/RnPGf201/pQ==,iv:Jh11D+YQv3QnnWuc1jcpmifSY8kujxOKK6e79oQdm4c=,tag:AcyVHWHLtIPQwCChbG4ukg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdjVaUE5H\nZ3Y3cHVBSUdqdnQyYVluOWVXcGJIMUZ5SWZ2RHU3dFI5VndmRgo0WE43K1BNazdj\nV3dRRWVldk9UaW1ySDBWd1RHSXdvcDJxZ1A0UlhINm9BCi0tLSB1bFJ4ZkVSaEYx\nNTl3UDA3ZXZaMTNVY2dlU1BEM1pXVEZ2MDh4YmVnci9JCn15VWtzWcvDBdKbPmpp\naTz7xeSwub6IBj7m7hrlS04tsDAbAsPjoyn0L1/xn5q2vic/Yx6f2pytJdUniMie\n/ls=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN3NNbWNM\nMEdWbThneFhtcHFsczJNcUFRbzBFL3MrWm4yTU4vM1hSbFJjbQp4RDJqMTUrSUpa\nSHJDU1lVc21DN0wzdlVVRm9JZm5oRTRoTDIrSWx0Z2xFCi0tLSBpUWlhZFhpU3Fz\ndWdDQVVXVWNGTXVwN0NyckhpdGJNUjJwUys5K1dtRm9NCtSFfaT9Ej+kIJzRY5Rh\nLbHzCAgv2snFNXg7/TtifW7sptUt8TMhLpBqaA6LH1v/H4WDDv/8j3pTSF7Fi5nd\njzo=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVN2YwN1ZDV095dTdlK3Vy\nWmd0cVozTjNQdFRISDMydUNCQ3RXRlE4c24wCnRpa0NJNFBDNGdPYmRFNTN5N0FL\nUW1ndmZZTmlRNENVTGFFbFpKbENaNlkKLS0tIEpmR2lhVDRDbGhRZ2JWamgzN3k5\nU0xkMklOaVZrY0dVeXN6VXc2VEpLakUKhMtArYZWo2946QdB/eB6WdVEBWSw5ge7\nBokzx8q3eafxHKn+1/npjU3VN7HhqVqQRZ4Pojj3U0DZ6PKsdSDglA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2eWIwZ3V1VkdkQ1QxYU95\ncU5pRVZoT003Zk5oOXlnNElYMDFSMitIR1MwCkhFR3ZiRkszT051ZkdyM2ZkRnhL\nV1ZiczFMTzkza2xQaEl2aGJnT296VlEKLS0tIEZyRklVZE5oODVDVVhBRW5Bb01I\nZi9nQXVOM1BZNGpTaDg2NzdVWDV5SkEKB7dHbGNLW0LspjbI2VW0fGUppRpZr40J\nj5H9D0g3Oct70yJtH2/k/mPxxvS7tKAT/H11gdH/1dD+kyYGMzaq0g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-16T15:14:34Z",
-		"mac": "ENC[AES256_GCM,data:HneZmFLyVWdGmQGgMY5NObs1AxBGTyfsKPfStNhglWjxAXxXzccfxL1vRHnAs49WGUhUupGp+Xw9u59LuDmCgcWEynlHRHz/Z2cVcNS+0CChDp/U63+ave9R1U6DAxMTtDof/DEcdE8LbsvjHWvSxSV9IhYMg3N1e1bUaLKFsFs=,iv:MViUd7Y5sPzjf74gXFSegvcxetnVFp1eNujFbNdwB5w=,tag:jt2T4y0+PlT85EvWc9kN5g==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/genepi/pinchflat/env/users/rpqt b/vars/per-machine/genepi/pinchflat/env/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/pinchflat/env/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/root-password/password-hash/secret b/vars/per-machine/genepi/root-password/password-hash/secret
index 5fa17d4..743f5d5 100644
--- a/vars/per-machine/genepi/root-password/password-hash/secret
+++ b/vars/per-machine/genepi/root-password/password-hash/secret
@@ -3,20 +3,12 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbzMwT3Iz\nNk5MTU5mMHhzZ25NdXMvV09McmxNckJFRWllTm9mZ0Y1eXNlMwp2cFphSjMrYWUw\nRHAvMFlzcFUrTVlYeS9haE15bWZKKzR0ZnM0bWpmUmI4Ci0tLSA4cnBkb21zWmRY\ndmUvZlNXNTgvaXJRbEJXUWF0Rzl4SGdnN3IwY24ydXkwCgBIVg3907+mmnG6AX2+\nBTpZg9HEbq5XdSYHJvLEDl+Xi9WCS9+O6Pwo8HAlhKIMtRyEpr11ZphUKfbZ2Rm/\nJnk=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBc1ZEMzUr\nSkpUSTNOTm5SUEhmUmFQUXFNUldPUWhmVk9VUk85M0RMa2tJUQpNZFhXRGJINzZH\nZHRSTjdHbURyV3Vmb0djS2FnczgrZkI3ekNqdkVZZjlVCi0tLSBsUmViU2xYSCtn\nTHY2YkZrelF0WGpwR0dQajJhS2l5MFBJOXB5cm1JQlFZCpk+HhAXVQ8WhmvXx6bP\npIBixAePhS52QdA3u3pAJI0zJ2OC5OZU5v6etbJg2LVk6s6de6Dejo4DGUm0Xr43\n3xc=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWEtuWDRxdFFSQS9ORitC\nRTY2dURyM3l4SVk5MmdhVld0U2RaRTRuUmo0Ck8rOFVBQS84RGFkWW9kUVdwdFAy\nRE5CS3hmZlExeVF2YmM0a2VOM25qTEkKLS0tIEFxeG1saGt2MjB2dnpRMVpJV0Fw\nb3RKMGsybjUrU3hUamxCSElOeDQxNVkKJ3dh85JmWa8yL6lsxKvR2oyQoBxQXatj\nGB005lbwBf+6pxtARiBmx9a4raiI055/y5YWjyxbNOiT/UnxAQHwgw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiczVHQktNMXc1R2JmV1dI\nT3Rab1pydWtoWFRQbGxqeDlvYlo2Z0ltMXhjCkRJQ0hpV1BnZml6OHVDcVhZckpV\nVGNqV1NZOHgzUy9Ha3AwTFJ0cjU1M1kKLS0tIGp0TGN2WHhBZzhWY01ZcmtneFNT\namlySDdDeXArWGFqZWlCVTMzS2YyVk0KqlHRbqCe3E26eWGZVHzOBdZ9RnSASCpb\nQjokNJ3DsnJ41zr4cHjMfJYUrKbQR3P+Qvw7MiAYuZaE/hra97dn8g==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTHUxYmFMcWF6czJpZFpT\nOE81cnF6OTRjc3NUSkJ2T3lNRGY0b3lqQTB3CmcyZklPYzU2WGRPdnY3R3JHTFNx\nVVhPU1p3M3dORFlEeFNDOWpvcWJmeFkKLS0tIE1zWldBWllzRHRKL2NUQ09GUWRj\nUGY4TzUwS0hhTEFmQ0dWdEt0ZGVTTmMKGs61n42+HioKNh/z1kDUcAuUjrswVCyt\nOp8tSuM21fZYxm7mDttMmcvE/cN+hNbnrp+r0f0m2/2ihYbE+BAuyA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNnhTUGZFMFoyQm9PNHg3\nY3dIWlp3QTR3blZGbHViaDNkZlB4OUY5bDMwClN2YXZ1TzEzcnVCM0k4Z3ZQMkhY\nbDA4dWgzaE92cU5uNUFJUnFVMmQ5cDgKLS0tIGYrcEJkaHBEa3pjYjlnbml4ZWRU\ndE50bFA0YUsveFg1QmJ1N25tWnB0ejAKd8JVc6AlQ6V9YcTldHv0iHv76O7Skfjq\nImI+mA8cAglbDQl/aY3kVqupdHEGVy69Wfj2cZxdFiH1q+ehL/zwbg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:53:06Z",
diff --git a/vars/per-machine/genepi/root-password/password/secret b/vars/per-machine/genepi/root-password/password/secret
index 2d6c857..d78dc7b 100644
--- a/vars/per-machine/genepi/root-password/password/secret
+++ b/vars/per-machine/genepi/root-password/password/secret
@@ -2,17 +2,9 @@
 	"data": "ENC[AES256_GCM,data:wnGJxis0TIEqPVWTl7KIwd5Zt5CQRC0lzA==,iv:vXKN/TAha6LMpMAMWMZlG1IBp9hJqOim7ZQiVzgDPuc=,tag:rPi5YlFiiFZoGD/5T9SYbA==,type:str]",
 	"sops": {
 		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbFRsN0Ev\nS3Y1eVoxRlFrMW8yTEJPcUdzYjNUTUh0SUFjU0NYcDR5YkxMSQp4NEdrUDBtRDU5\ndC9yTDJZamcrWlgva1RhMStsYVhRT1MwZERuakU5Q0RvCi0tLSA3b0prRmVrcVli\ncWUra2pPL1JGaVRNZ3BhMC9UeURrY2duSVNVdkJkTlpRCunbM75dHg80w5sV3/JH\n17FumAcBA6mjj/3SxtfZnTAwdIHnO2sij7ltFH3gDXbGDG6V89ZXA7IvuoY/KHsy\nRtw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY0hKcmlUUXlBYlQya29P\ndG00N3JreWJ3ajFUZUlWTDJyRHRxTzRsQW1zClFIM01VMDhoenJ0UWw1MEF2Y0RT\nVXlCVU5QbC9yeXg4bU1wRWtEWENFREUKLS0tIE4vOVNpazFqbVVJMjg5S3FJa1ht\nckZBSFdRWEtHZXQwang0TXBTZWhsVXcKygn8wYzAZKa4geRWNNl9gmEybWmlvRzn\ncL1CDUVWKg2mY/KCYfxGrgVyqFGBFk52xYlNn69PppBy1XgBD9DINw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeXVZdGZr\nUUVkUi9oSnluQ2EyVWlSVWlkeHh6VzZXRlZaUVRRTHNIL2xFSApGV05sQ2ZKcXIr\nWEJwUHhtcVdBYTc3Wk9TcTlaNThFZG8yL3BaaGJqTTdNCi0tLSB3ZzVtSlRPQk5K\nYTJFTTc0bi9VRVhBT0dRY2x0cm8zajZxRXZyYWx6MGVBCtMuXTdg/q0mMSMl89lK\nBqKAuLU/5SqDyySy+Vl+/B1OIv+79a2QN2S2nd5fXjP8C3Cp1QJ1vkblvsZWJ2rU\ne0I=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0d2lGNkFjYTg0NmhaY0hy\nZEhwdkpzbUFHT0dmVHZBSUNXczkvVlJKN1RZCjlhWUNmcmhvQkFKamp5RGJ5NVlm\nZWxZekhlYXg5TytseU5NVGU0VkIrOWMKLS0tIFFlWk1qcmVSYUVjYSthMys4aVF0\nQ0ZWRXVYMTMxSEJ0OEVjbDRvaUJYZXcKPQML2AfmGnXW1COjgIil2yabXflE/wGA\nOlSKADjlhc9cXfCI658n2WuXFQ1ysrS9Rtsy7Ezw5B7sY+m1DQkDYw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:53:06Z",
diff --git a/vars/per-machine/genepi/syncthing-gui/password/machines/genepi b/vars/per-machine/genepi/syncthing-gui/password/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/syncthing-gui/password/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing-gui/password/secret b/vars/per-machine/genepi/syncthing-gui/password/secret
deleted file mode 100644
index a0cf518..0000000
--- a/vars/per-machine/genepi/syncthing-gui/password/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:HWmd0ZCo4gD0g+dZrbkX7XNvfsWQaPHN1VOpzNGVbwZFQm1QCxGV1AxKkXbjH2pbsO6i6kikyyNH,iv:CX8Q5o/7SGM33rfQG5lFvc7iSBxR3sTf8Q4bPk4iv5k=,tag:gtEmFaZh6I2Q1d1IeSRDKQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNThCVkVR\nWG1sSDNsTnpqdVEvTGw3UVU4VnlLdDVBY3dvZ2tMT3ZEZjZQMwp0MXBDTWlPQWxD\nVXpobHd3UHRMV2RiV0J1NlR5UXlLRjZTTFVUYkR2R1FRCi0tLSBoN2xqUnZzb1lC\nNVRCbVFtT1lEc01Jc243bS9TRndhMnZ2bTZ2K1d0d3pFCgCoZDFGYDnwFw7A+Dyj\nFBY4N1oPSvJFFycDc/yB/6OWg13mxmEGAjsITTnzCfz/3p4OZwOxq419owTlxa4w\n/U8=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBemRMMWNE\nZk1SdDNCeU1NdDNDaisreVVBSVJSWEt2eis1bG5sd3VRME5FOQpGaDRRdUZsQ2hG\neWdYNzN5c1NkVUpTaVpwUE1nN1NSYUhoRXRkc0gzOURNCi0tLSBhYTNiQXFCNDAx\nc05STTlwdm10MDhzeTRCWDR4NFNrVktGcHRnZlFGR1M4CruhBBaooAQHER5by04i\nYViPPL8oRcEijqh+K1eoAI7b/e/OZdC53LTdzU+MGT/kpXka0TUfCcQvkxJQJ/vb\nEBM=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNlNYNjA4THFFL3poc1R4\nVjdNdXpUMVFtSWVGT1ZXeEtLOEZuQjVlLzJRCk0xZ3VMU3MxTEt4L2V4K25lTW9i\ndVU3TTZvYkQ4STJPVUlsRHc2dnNYUFkKLS0tIElDaCtmUll4YWZUMW1UWm5PQUlM\ndW9mVG0zZGJQUEVsRHRGWklwTzJBN3cKQ6mNYTjYypTuEqvycrLnhGgmfYp639Wg\nbOO7KJK7ek1dU+O4OvI6qxMwpfVPQr3q88LAmnXcpkxhST6gUeIDfg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2L2d4RDFETWtlM0dwTkE3\nWEgxUlQ2UUtJWlFFeWVIQ0VLMHJBQWZKSGhNCmszbGkxdi8ycWFEU2xZaGJ0MzVu\naVczUDEyaVh6N1V6V3cxZ1BqTnlJbTgKLS0tIFpGeFhXQkVqVVZPQXZ4RUZLekVM\nWDZrRkF4TmpBOWxKRlBxRmU4cjFzMVUKcnY23qO+bFRT5aYFSmmuuTwBK7pPQwVm\nm7KW6bfWarLj56Rkgs9xvaPCtA5BMEVcMIgc6ovbun/J5tQUC5U/Cg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-11-29T13:06:57Z",
-		"mac": "ENC[AES256_GCM,data:6PybvwdIi19um8zXFJ3N1kEG611JSVor7fa7cwf4nOR/UCYfhgUc7Rp6YaXpnxACOrMoA8aLQznSKUY19Rrux1EnPFUUlUPRonS64CchoC/Ix941UffZA+HjHTIONOz7uFOBr5qIcWmcWR2EucyMQoWYd501u+chetJMWXErJ9k=,iv:HT5YivDqqkZdVQ/ELdmBBP5KY47VD2IKgpeGGB6pAnM=,tag:a/bUdqqh0TqT5MZrREL1gg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/genepi/syncthing-gui/password/users/rpqt b/vars/per-machine/genepi/syncthing-gui/password/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/syncthing-gui/password/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/api/machines/genepi b/vars/per-machine/genepi/syncthing/api/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/syncthing/api/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/api/secret b/vars/per-machine/genepi/syncthing/api/secret
deleted file mode 100644
index b6451db..0000000
--- a/vars/per-machine/genepi/syncthing/api/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:u8kuySQoFLShwjIXFfy48R3QCQv1cHlNgBoPirbnq6q1,iv:xpy4QLhZEd5ra7kYJciXk0GRkRd7Z0bPL3jcrKnQdEI=,tag:whUDDBmeuZqnhkLJB9yGDg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeDNSakFl\nNmV1Z0dvWWE0SGVZekRMVnpxeENkcG5hd2toNExwZkxabDFQRAorbUl3K01NMmpD\nbm1hNi8zWXQwMmVIZXk4SEFrSVlhbExVenVqaW4zemc0Ci0tLSBMNXpjcE51K0JE\nY1Vrd0xDUzJ0dlhXMTFVR1hyUjI4Ymx5Wnh0YzVBY0djCjH2/CjBreDFojlV3Uq3\ngX04zSv938Dk7LJ2dg2KXzRJpXVZPq4DtOQO7zsgph6TsuGtG3STrYa8xjiZCtYh\n8fs=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN3hEUnNL\nWlF0cEIyZnYvdU84anRZSHlRWkdadHZnWFhmd3A0YWYrZnM3RApXYndSYlk3RlpR\nZGhNK1pqVVlld25QQ3JHQ1ZFYkdlZ0ZFcTVYeWQ3aDA4Ci0tLSBsV1B5Mmh5dFZZ\nTHBVMS9LZzdYdzU3MEEyWDZvcEpxWG4wbklndWxjS3RZCvEVpJ1/0fMslm+KeRm0\nY9bWP2VkRJZRzNKzyoBab3NHy0L5mEK5oAhY05LHrZDVdHXrEFAmqsc/TAXw8bad\nSAs=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZlc2UEMwazFsd2daUld4\nZDAxeEpwZkRIc3JaaFNIcnBLYnd4Y2MyOGcwCkJaRUVnaFExNk5FT015SWtiQ2xZ\neFViTHNBZm1xUFQzNzRNTUt2WjhXRWMKLS0tIENxM1NFV2FCanErNXNZbWdtREZV\nZHU0K3ZvSWZJTnNnT092MHYwWnl4V1UKgoEQy7lTiOelJN+VAQUuNMmG5C3F9O2t\nYChspH7ejw+hysBG/F841hpQPQodWIU26/rMD7gSTzYBtF7cQ2SXXA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWXg3ZDBkWDJ3UzZ1dHYw\neS85ZCtVTmI2bU1sMGEwYzNaZWxrQnBjQTBvCkFqdDZRRkdzUWRXVHJEc0Jud1hr\nR3NuV2tOaDdOQnF0NTNQcXo3SWgyYWsKLS0tIGNLc2Z5cVVlTmRJUVFiRUxqbjZO\nN0FmNGFzUG1KVW5wSHpaOEszSkVoQk0KxOGCSaQSN08ZrEAwpK2gvoOPY79xYSmJ\niJ0S67g6Ltx+ktJb7oR9AbMhiMg0vpXD+i7y/XzKmvHMOJOOGtVFEw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-08-21T18:39:02Z",
-		"mac": "ENC[AES256_GCM,data:zOFGghGKXE25I72GYPapzpJTBjh7Xv6m9sFMVtskWWqjiX3/Dnfs649E4FUIVoRbHElwc/vmNN7B5ZWaf6JJSlSpM+VzI9i5qkWgbWBqSZfh0QrtevtJ4keRxEyE4iFwoXXV0jk4p2EmL6gHdHxAKxIwarXDB0HVCuO5AwdbYLU=,iv:F7rfPEBUfTLNK00WVZyJNIa8HdvRoSK2p5IvRIOzoCY=,tag:joxrVGKTD5eGFhj32fXnvw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/genepi/syncthing/api/users/rpqt b/vars/per-machine/genepi/syncthing/api/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/syncthing/api/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/cert/machines/genepi b/vars/per-machine/genepi/syncthing/cert/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/syncthing/cert/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/cert/secret b/vars/per-machine/genepi/syncthing/cert/secret
deleted file mode 100644
index 1fa2ae0..0000000
--- a/vars/per-machine/genepi/syncthing/cert/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:cfoGK/Ap+Iq5TVEjRcExmrgxx6sFN9oyQssiAK1Zn6FlNt1+W2mYTtNikrlaDl4neX2N5T6oIVwKqY9XjQKRcBDAXnwoXE0Jkvmlf3hD15lgMCLzi9TXh6YMAWXOz9VkxWokihpw0CyXqZ5j8pLRPbR7OuMryzLiGBwHKBB/5P8BmvDYAGU7fDRX4pHVbsXH9lXaYvrqz/+VFAvkUm+X48RtonLJLNIrN0XaGYRHya9CaqNDmOM9VbHEuJWSzHe8NB5wNhI1PkL8mrXWfwA9oN+ojnyrHDBTAHs8gOJKELqUix/6dNfVbNgop+8Pd8qsjPRo4TEmXZxizj04Jc9klQo61qWiXUg/6eP2EhLIOgAjBE9q11uFLax4rb9FsvJmXYpM7m7hlQC27js4ZiUzy+yqtev8HlRmXIQkN33YS1qkA/F832GAnXX5rAqZn+IgVn5s7pMAu4p/TEFgH0uFy+D2Wm80vJoXgCs59N33p+b+qZgr7t1nqJDyiy8znpJAUtpsucyW47jLXhhmj1ByHmofNOllJfruOXmLfVpTFxfDtDz/H4nHIU8MNNbNL56hijjJrMf7Iyv8ojsqWemt45d2PDHO7mae3riwpt/OS/Mt+tXoEIKlLLEtNiKRYIqG0GFl+CFVvCRUNWliK52TaFUTxGT9EptvW0Th3iKqcVUtlK40Z4QvAGNQ2Dsw4L5GUfCJ/M0LETRxhsn24nlRZq3llMBBrfxmOxtC/o93+psgh77Blt3Su30NsH0HYVUZXjOym1xvpr0DgGQ8wdjekh7sjM0XTtdr/N4WF8+Eigur63t3zg3TiV07k8sHT9l3ZEN4mtUizI8RTRUG9tN9QioU0VjEFIMzTewAhRNQ7HqyOx6LtfFzZs3KqNBiaGCxjg2d3yldlZJ8nEzMmFgZQXmwH8eVVbPm0L3Puy//FRax+rBhSDUCTNc6rzS29mBeMH0wTn1bzztBAOYSWCkspVFxVzjSlZ13jnP0aFbG+HE1dXv26UvkPlinQNPZvpS42Gm913cYg35SpphstZA7+eKZOi8IUkLMITw=,iv:BkAURRGq5AzRG5e+krVpu2DhXbTj5187N6LhHmEKUjQ=,tag:izmZtEQPOgotlDMoV0CGDg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMGxZZnlG\nWlZVNkFkcWZTczVKb1FvY29rSmJhVlR4d2I5Q1VveTFRRmxWLwpjV3ptclc1TFll\nbkJjaWI2S1dQdEY4YkVlNitpRjBmL0hQSnowOHFZdnVRCi0tLSBpejY2UHVzVDlz\nRXcyRWhlYUR1T3gwZlU1WUR1NHJ5aDZ3V3ZVV0F4V3JrChgY/fvjTe9l6CyJuJrb\nSlLt/SRDAZxIoxmWalMMbg5mrHPdvyWsmDvh6mf3qhtNM+i/SB27CvHTyQSCStQ7\ndGo=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMS9lNGxG\ncFdzQlhJK2ZjaHNReXBydDdYb3pMWFFQU0QyckJPaGd0aFZCeApvWXBNSVQ1N2w3\nK0NsekJ5aGpKODQ0OWdVdzRUN0xvM3pSNnBwZmpNZEdFCi0tLSBsNVBFQUlmSlZZ\nclNEVjA5YUxBQ3hHWGY0Z21Bd2k2MHpMWHA0SUFTajg4CjN+uBaYGnshQEf7fMtH\n+zzisEGgreT17r7nuG796CZg4yItPBgEw1FORGaqgwsQ4ckymyRME1N7nHjh8v16\noPM=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTXZycEpnZkU4YzZyMHll\nc3FHc1RtUlZwQnRyYVgzY045STJvSnhzWUdvCmQ4QkpyMWxpQWNoc3RTYVBPVjhh\nQnIzN1ZaMmFDc3FaYk1PaDkyVmhJNkEKLS0tIGRoYnVJL1FVZnJ2VFR2ZGlINGZl\nR0cyZEx1a045ZUNpb0Q3dWYzU3VTSDAKIjE/zGEeymPvj5rHuEauY65iwbdcf4ZR\nsFitmyWuHaeUHOWE8SL80D1sbpAnJvwULselkaUwyaW5NtwLzGgu3Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMWFZUXIzOFo5NEF3c3E5\nQ0MvQ2RtTUdvSVhPT3FZelZsdk5nMXFIRHdJClFDQURpTXhrTkdaZThValBLRHZj\nVGJVN083ZXlzVTZtZUtRdldXTXl1bHMKLS0tIHpqbmkrcHdJamdRM0QwTmFUMHJG\nTWFoV0dqRGRKUUNwY2xlWkFVUnV2SUUK/T5z/k8nxc2qj9HaBeJdLaRLXTh+2ywk\nQVcBVOFNWuGdUZPFEDGzRL6sMCbxUH4as3D1WI13En6aWX5eiUKULQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-08-21T18:39:02Z",
-		"mac": "ENC[AES256_GCM,data:5G7dqmzDZRk0g2wrmU+i16krW8YqZIozeaqaVoOxiCfRpM4JPT2wT8lXT0gsjRfGXOmuET5o+6r3KtOcn/3L02+yeTeaOxMwWkYg/kF+HJ+uP9DuuELVh4U0NN3EnVYo0JoTtDSYno5ihtx5xdfEkIASQqDAU3Zn0iatIuR9byY=,iv:ljx/17RfbR6J3EdEkdH4S8hQcSl4+JFS3ETK1291pz0=,tag:Q7myt4Y/RA8vhG4H1Y+PEQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/genepi/syncthing/cert/users/rpqt b/vars/per-machine/genepi/syncthing/cert/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/syncthing/cert/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/id/value b/vars/per-machine/genepi/syncthing/id/value
deleted file mode 100644
index dfe1fe5..0000000
--- a/vars/per-machine/genepi/syncthing/id/value
+++ /dev/null
@@ -1 +0,0 @@
-E6JDGDV-3V3MYCN-TGBDHSO-TJEXRCM-3IJBVOB-F4Q6FFE-FAYIH4S-HNVBYAJ
diff --git a/vars/per-machine/genepi/syncthing/key/machines/genepi b/vars/per-machine/genepi/syncthing/key/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/syncthing/key/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/key/secret b/vars/per-machine/genepi/syncthing/key/secret
deleted file mode 100644
index b98b614..0000000
--- a/vars/per-machine/genepi/syncthing/key/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:xlS4AxF6bGWkn//F90xFoqScovc5UCPisx38EGQSUk4uPUxA0LGlBYpajPkWN/05cfpqirNzGnKd2fxOE/97vNusFf71aEn7QcqBW3dxIbNeN1b9DgOd3kCsbn1KHnTUDpE+ucx0im87KvWrLop6GiaGkREElP/hpxJnaZCZB6ae78HN1L31yANo39Ts+YJIfJ18lVFT+AKbvicUfleLKOgyHzv7eO0eohTfJ4UZAvkiW3bODL9QxiLP64pQvVkHFp9HllsWkbjd/28j3dN6ZAiZ5Fg+j2Uhjk/8m+7VkXIbPoTPu2KxXIputM/iN9fQIOaBJs3GfZ9Gj9C+oZeR3Rk5MYz/WS44bExlKd7fHB9xmKnrvTe7JTyHgPjDEvgD,iv:vAxFuqWVe3PSnqZXbFAwqVsajHrhj8ZA/3yJKVKCIrI=,tag:7ERgXif9/mb/Xbk6nsZz5Q==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdXhTb0xa\nRGxkRVdYaDhVaTIxdWxiYk9zQ1c5S2JmaGRTQUQ0RVd0UG56NgpHdmhOcmlJc0RF\nSGNaZUt6UmxxYnh4SUVjR2kyRWVPOWt0YUFhV2Y1c3J3Ci0tLSB2bm1WangvVitD\nRHRVMk9Eb21IdkNLNlhNdDNIb2Q4V0xkQnhycFhRZGhvCtHtxgYg2NTTQZ7ijwh1\neG5eFDUR790uHpXO0IDVm9n4ewxALylMmnbTtoKLXzbhqEtwKFteiWzEo17LNIWp\n5yE=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcTZ3WjVN\nbHlNUGRDTFN3c09reTlrUEF5TzBQL3hNU1FJSTVDUGxQQXBnMApNc2w2TGk0dzI1\nUjBDeURVVDZMUElsWlVkWjFRNnU3WVYyUHhEN1lLRXJZCi0tLSB5ZjBNKzVqSE8x\nMlE4cytVbzB6RldkNkpzNmVoR2MvdHEvUHpCNGdEUGZjCg+YUTaAJI9GstcAR/83\nxx1OqmexxHPxmd3FPP883P/sLerL8vZLOSLQ2R91b4fBCMDYZ2FnZhykk8Ys8kau\nq78=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeUp5NU9OcWYyUmlXQWJm\nNXNIQ1ZDcFpidjlIdjl0WTUxTjlNUlJSK0JjClRyMHpmRkk5SXpwOWVHd3d1TmxV\nS3RZVGhBeW5yT2poNC9KczNyN2pZbTgKLS0tIEpHOXhPc2RYWURGaW5SeGhKMStE\nU09OZm9jdTU0K0o4U3B1bXA0Zyt4S28KND1NurbdKkzNu4WIUHbmjKczKmgzJ2Re\n8o8wCqR/yGBxgz8kMz4QCqS0BbfuVlfgdBORlTDopSDLXVzLEuiotQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5VGxLM2V2dmJyR0haQnd2\nR2FBci9Xd2FHVnlJRnN5NmQrTEhHMXNLZ2h3CnVXUFY4MUs2WkltczY5cGVRUHI4\nMnVNdzlTUWZ6aE81U21YRmVsZ0VQeGsKLS0tIEF2Mm5pemRvZ0U1YkRYaVhuZnNY\nOUwzb3lHQlMxd0RHWXA2TmE4S3JuWkEKLXcbml9PhFcxoOyo4YbQVKkezSha4mEA\nCkPqB5APjxo03//KaZ48qQIzewGclmKaWaXSOeoxuZ0li7oPF67uzQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-08-21T18:39:02Z",
-		"mac": "ENC[AES256_GCM,data:7f/wdkK2/haEHCpvVk4QeClmMG76rUBrCFqD86HoKgbnkK4u4FaRreySdt+yZvUq+AZKSQkxkoWTLk7ndyGlEF8bFZzsi0eZtgz8wkJCTwGs4l2zF6giLqs6iPvbSEiWMPJvlKKhhvyh3NfjRP+qVrZuyjL2H73plYZ/7ltSYiw=,iv:eBTEocLzBEna4iL/ynjYpp9Iq9EyTeSmafBHhP+JVUY=,tag:JHteT/rVf0LcFUsUJiOeoA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/genepi/syncthing/key/users/rpqt b/vars/per-machine/genepi/syncthing/key/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/syncthing/key/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/user-password/user-password-hash/secret b/vars/per-machine/genepi/user-password/user-password-hash/secret
index be96ed9..3c38fe7 100644
--- a/vars/per-machine/genepi/user-password/user-password-hash/secret
+++ b/vars/per-machine/genepi/user-password/user-password-hash/secret
@@ -3,20 +3,12 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNnRxRjBI\nUlF2WFkvc3ZpY01jMzJNK002a2JERUM0d2ZHT3ViY1lEQjVjZApyb0grdU9lbU5G\ndDR1SnE4Q0pEUUwvcDJUNzZlTHFObnZXeVJicGJKS0F3Ci0tLSAwMHJHVEpmd3p4\nVHdzNE14Q3hiY0NIUFRFVHN4QUIxNUdjNDZkYnkrN0ZjCpmiS2iTiN0XSc14csEv\nO46lEMxXVymhtT2vtNMydaw0qZ8R/ufHx4WB4nTyLCQO6DW0UaA8+GligVRRk5FI\n+Kk=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbkxqajRX\nckUwRGxEdmN6RFhBUGlLWmp4QkxGQkFKQlp6WU1sd0JwbUgzdgpISXRNVFdjME9p\neTFhSmlOZjlYU1VUalkvNldzZlkyaFQyODczZkYyNFdZCi0tLSAvUjB6TDBjTVFH\nK2tobncvR0RTTU9BY0tUREVCSnZNUFB2SjEwemRqMjg4CuTRXD8jqwrTQyPMr5Q6\nuuJ634To5MbWxXhNFcPGj99wM5xkyIhBbGso7ozhpcvCP/npt19omiwpmYPDtVGy\niHY=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyM09FMUZvLzV1cWpBNnBs\naXgzNXlRcW1FWkdJWjZzS3B5YjdQRWhuYzFFCmRDRTdRUjlaREIwTUNCTFMrbGJG\neFArVS9VUFlCek1Edjc4RGIzeVJOQzAKLS0tIHF0RnRocWhLelJOV3haWVErSXdz\nb2VBZ2ZVTzN5SUNzNENwWFNiT2R2WmcKipvqGOBuh53wU+91w9QFUGQpdVSuQjCR\nUfojMypTMbNWlo2+0jmUJUWbzEP8jzM8LRGNnHyTFjx6qQwDK9fJjw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5VytkcWVTM3NUY0hSMTAx\nUGM5ZDVJTVJCRnNpd0RIVjY1TGVKREtQV0ZVCnNxOUFJalBDTFVUdUpGLzZzd0Jz\nMjJ4YldNRzNGMjNjYks5bml5TWhVeG8KLS0tIHdodDdsYWhuTWdmNXlpS1QxOERk\nYzcwMkZ6OWVvRVgrWFloZ0tGU1lPYXcKUPGMbQLCZ4M++zerdhfQqzlcO4YHNIMt\nSOTdzgqFiIFa4VpQA/W6pOfOK6Xc9ZZasNcqc6NbutaAxfVSYDTCrA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmK3BzSzlwTVM3bXFuY0Qy\nVjUvaUZJV2VQSUhYUmU3TDRrbkZPWEE4UGlRCkcwVHFCc0JvNjdDSHFCTXkwclVE\nVGZ5OXpTNzBuQVptNjAzMFk2Y3NvNWcKLS0tIEdpZ0t4ZFhTdTVwaEh0YzUzbC96\nQk5VcGg5bjY2UG43UU5sNHUydFFXMEUKC1K1XDvwKG+OWZ01swnc8pJqQZ8jdcYI\nvyVyX0i++6bKEEwiG8FXxpgr6jnjzsq6UIWq8SNPM1GeLJir5hDPtw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRjR3OXNpeTV2MWxGQVFx\nWXM1dmdPcEF4Mys1NkNWTkY2ZGhIS1lZTDBjClJVZXQ3bHh1ZXlJRkNNV3dsSzI5\na0ZtTW1DTFdBV3J6T2ZLaWs0dUY3T2sKLS0tIG13ZktUVnpuV0kvU09rNmk5amdr\nU3hzSnZWUjE4SXNOeXlHdzFYaXhUS2sKbXpU58n1qmUGpzPz9keex7mQEKYc/PnB\np3gM+nIFuWOqg2EwHd2pNjNT3Jf76Jt/uBzsTPPJzwKJD0xW9CEKWg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T16:16:45Z",
diff --git a/vars/per-machine/genepi/user-password/user-password/secret b/vars/per-machine/genepi/user-password/user-password/secret
index e6505f3..71bf9ce 100644
--- a/vars/per-machine/genepi/user-password/user-password/secret
+++ b/vars/per-machine/genepi/user-password/user-password/secret
@@ -2,17 +2,9 @@
 	"data": "ENC[AES256_GCM,data:s4vxCXqkVpimQHeT0f6tn5bdUM8N,iv:8keq2DwfeoaOqtZkxSw5SAQ9OwSUnbUWcVDYRdP7s2I=,tag:0tBgLvWkYqkH1RwX1VJSpg==,type:str]",
 	"sops": {
 		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN0dOWCtK\nMEtYRElOTTVvV2QzbmtCbFRidmluTDFNNldFVFNLdFpVN3B2ZQpZS1k1MERzNnhC\nSllHZmlybHpCb2M0aUthV2l6RjVFUjcyb0NIV085R2tvCi0tLSBWOUU3VFI5ZDRZ\nckdsR2lRTDdpeExPczR2L0FyanYyRis1RTFSMW5tMW00CmDWQSteogGg3bdqZhP7\nIvuPgvFOZ9Z0BiYjhVaZ6ufudErOQA2sxVug0xt/7lbnUKD4a4X/vTKTKF2swnf7\nIiQ=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmUVlhL1hWK1ZZRCsvN3Vw\nbE0ydFNzOU4vck96UTJ4TEV5L29hVVprWlFNCnNSenNDMjlCeDRCT2NkOHg2VWZn\ndnV0NFVOSUpDZHE4c2tYQ3pnOWFYczgKLS0tIFZQQktOTzgrb2VLbUlENkdoZmRT\nbXB6bFZlOUNZbi9oTGhoL3pyTXpTMjAK48AqcEGIViyaQrdjeEmtwPTFL7cfysFl\neX/KGigWG2ZpdUkyxqHvOqIkMI7/61epEpxCOY4ryIX5mZzax3geSw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdVZxMElt\nMUdud1UwTjgrVVZ2cVRuUmhLSGJHOGltWElucUcrQnA4cXd1RwpuYW85YTc2eG5T\nNUVIRUwzVGNocHg0ZElmQ2Z2bXkxQXAveHp4Q1pOU1E4Ci0tLSBsTTlxbHlFbnJa\nS2l3NjZlOFRGU3pJN2g1M2cxMGhNTmVmWEI0Q2hEdE5rCgnKaKy4tZzSu7RBTxT1\ngneaq3mtXjdqLbDdKiA2HJbIs2pbGTGOi+BxqV8jFMXx/z1XzImcdsu3CPYqV+OC\nPpI=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTXRMNnpocFZVSXJxWDJB\nNG5NcmU1N05CMU95Q2FuelRDZmNxVjZ6T1FBCkhpZVJUMElPaW9TTnRGTDdza1Z1\naWdSTzRuSU1Zc3c3Mk9PQiszZmZBKzgKLS0tIC9zMVBkRXFnZUI3NWxRMWRGSG9I\nZ2dhdUJ1eTJoTkxtV0VhaW5DK2I5SEUKiulI8V8jMPrD0x1HUrZSo93wGMz+e8BB\nX6r2NVqjihxoHyfyeP1gTg9jpsh44UbeD8a8i50YXn0oc7+kADH4MQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T16:16:45Z",
diff --git a/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/machines/genepi b/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/machines/genepi
deleted file mode 120000
index 342fa08..0000000
--- a/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/secret b/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/secret
deleted file mode 100644
index fc1de2e..0000000
--- a/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:U0tjahIz+X9nKrUH6urXjx8rfWIdPeF+0wMQtB2/JsCZ35E6w74wvz6xWACK,iv:CoD0FgB7gW22UjH44jhaatXrPt2qX0I+ZVDGyCCZ1oU=,tag:HZg5CnIr8ZRKwoXakilCPA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNkVTUyta\neWp5YVNWOW5iNUc3ZytoY2h2Y01NeUdpbDlvRzRMV2x5WmlrZQplYkJEaUhzWlBO\nRzFYZ2h4QUVjLzZmRlM3TnYzYm5Ua0ordWhYRDVmVVpZCi0tLSA5ZGdRQ012UmRh\nN1dGcllqb3N0SmlsTWdzem56bHJzb09rajQzYzNLTXFrCsE42Jp4HGtYspJ4bSKp\nN4LyDSsV297OeCNsQ+ztRiPCGE8SPdgrce4mivnpI/jpmZONU1uY+7TthBCzfpyL\nMgE=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdmxMdzJH\nSjdTaGJFZEJyQVFmejNCV1FIRGlVOUxnbjE1dGNQQ1FnTkdqMgprRzYzU2t4QjVT\nUXlhUitDVEJnOWZyR1JWelVQRHlIdnFrSTFnbWVVZTljCi0tLSBkN2t3VldyYldJ\nVDNId2RjVmZhZTJUeHEvNzE3ZUppN0Z5ZGRLSUh3cHNVCmbusPriHhV+VgZXN5dr\nntHg4mU8X0vIvcY/V1goQLburmxrgLB/HYr2mL5s2gdldiTh1n2xM/7phD0uKWbD\nN5Q=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZU9UUFdwRlk0NENUQXZi\nQUttQ3FrakdpT3hZcmJJaHNNaFU0WVU0QXpRCm5GdDNMSFZZT2RQT0FlNG4xemhs\naTE5K0dVa2I4Z25MUmVkcnp3ZEpUWVUKLS0tIG0wUEhwblcydTc0c1lzVGw4bkM3\nZW5vWFFsVi9tNklmMWYwSU5ZSllRYkkKg3fCVYwi7v8PpdHkGu6EOaVWubkHBV4b\nXYjb/zAeVfae33qZYQWdxXX8O4ufkFC3+lECERwfL9M6cK29Dc7WzA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZWU1SE13T3Z4b29NOEl5\nRTIxelRnTUxUL2gvMHJPQ2hjT3RuMm5oYUJBCldVa0V3U0J2M1NRWi9odERFWUVS\nRkVRcnlJUnp6b2J4NXY3dFJhVzhUZ0kKLS0tIDFNQ29yVG9Dc1IySEVuN1o5SHhY\nWHFyY1lJaHZwbE1zbW9jbW5VTjVVdGcKjP2huy/43iHqt87pG6Yvg52DEe8eOMcY\nqHxP9IvuTL/bwWibYTW3tusnH95Yny1P9whoayVPA8yzCUpWOuGuiA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-11-21T16:53:26Z",
-		"mac": "ENC[AES256_GCM,data:UmzngDkTSBiZxhCTWqgzvZIAY2EqsrCcKGeBHRiwErqsC2jFyfUJNC11m9byh6mtYB81vrAFbsQq/kFN0ZAVUfVKqbYSI3ibEFXBbFbKX5oMhFgNs51Rvab61DVFyfn/36u6VXFdkq1FW58j7p8kQXXd/OarC02r7LJzQY0BdNs=,iv:ZJbEM7o1+rsG5/3Hxu+PQ8hARhmoC1QCqH2ElRxfJTo=,tag:HLfgcwexzIoe74Ym5KPE1Q==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/users/rpqt b/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/wireguard-keys-wireguard/publickey/value b/vars/per-machine/genepi/wireguard-keys-wireguard/publickey/value
deleted file mode 100644
index 9260852..0000000
--- a/vars/per-machine/genepi/wireguard-keys-wireguard/publickey/value
+++ /dev/null
@@ -1 +0,0 @@
-zBRJ8D6d3IiZ8HzwDq8FM0g/C+fxn2Ef0HGY5QgsiUc=
diff --git a/vars/per-machine/genepi/wireguard-network-wireguard/.validation-hash b/vars/per-machine/genepi/wireguard-network-wireguard/.validation-hash
deleted file mode 100644
index 9557718..0000000
--- a/vars/per-machine/genepi/wireguard-network-wireguard/.validation-hash
+++ /dev/null
@@ -1 +0,0 @@
-59769e148d924871d37bfb9d1d73953f1e7681d568eb584be88ffe6d9323af6a
\ No newline at end of file
diff --git a/vars/per-machine/genepi/wireguard-network-wireguard/suffix/value b/vars/per-machine/genepi/wireguard-network-wireguard/suffix/value
deleted file mode 100644
index 98c5cc6..0000000
--- a/vars/per-machine/genepi/wireguard-network-wireguard/suffix/value
+++ /dev/null
@@ -1 +0,0 @@
-ab23:3d38:a148:f539
\ No newline at end of file
diff --git a/vars/per-machine/genepi/zerotier/zerotier-identity-secret/secret b/vars/per-machine/genepi/zerotier/zerotier-identity-secret/secret
index 85d6030..515e514 100644
--- a/vars/per-machine/genepi/zerotier/zerotier-identity-secret/secret
+++ b/vars/per-machine/genepi/zerotier/zerotier-identity-secret/secret
@@ -1,26 +1,18 @@
 {
-	"data": "ENC[AES256_GCM,data:3lcGW28SKHbpHq/g0xpmNqlemZ1W5DTfjbsIwufl34tYZIlAEITBVRAf2M66k0hUAvl/e5My82zVhxKGW2FcLUghxRBWXM0HIUDssKtPJhSjuDeQ5kBqTLDCGDDuyW+nFi16C8tzp4arszeaS3yENn65iWax9hlssQQiAYodRZoLvFoO3fPVkeDlII8qL5sjCqTdVBX318c4XKt1hi3PcgVCsevV7gD8kQKKPBePMD/hzwhoVcjDBcTigLRTVio+JmYMOQOV3sl65q7j4yB1j09C0IX7glq6s80+YWTvNkAwyeC/N2UvDntgGIC7/+1VvawViOC/2W6rZpkF5orsIJhW95xM6uIaOhAPQHot,iv:a+PeVag/u0K9NP8bg7Cz9sqhTqAf5SmucFbIHlYcWmE=,tag:GyF2gl+zVSQ7MkatjHSbrA==,type:str]",
+	"data": "ENC[AES256_GCM,data:qiV0iFWH0Bo9hX0k8cusHIShcvuIJ2QqXDF0ea0WZrOLgXTlUzqkRk5PB1sKA1JElGN/2sEmFZJXZMEPlUCNVTQSQxkInHF8UTMjChLRPmq0rRAWSjMzPRhS9slscQAudRhxe6baPxztVlhjqCDFH8JnM9zeWRqZfmgTjLjcKF987ZK7fPuBptY/k/QYlCF4ydnjM1wqgNgnhLxal63ItRwBiwHRkxTgBWu+iW5Ewu4p2/n+VgOI96auy9vzb4q2zmegf8FBfH5ltHppc0bwLCS/VwkYYxyN2pK6y0xOQMTfrDaqNcIPaTNPR/PwxHR0xbf+mHpFUu307LF5iew3K0A4JrDRWo7fF3FYCigK,iv:Ab23CcA2KZAsdKcTPGd8b4VSdL8YO8vJzZ8BqA8m/EQ=,tag:opYwCSueDzok0KDjAS2ZVQ==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcVVyb3Nm\nZXlSQlFxUEdOd2Y3ZWpERm03M2Z0c0RMTFM5djIzTDVldkM1Ygo4RkNPZkZ4OTMr\nVldBL1hYSkZZME44dXZKcHdoUk5nc1JuYytuN29KL01jCi0tLSBzZUw4dlBranh5\nZG51V1hqbTZYSER1NHdNbHpUNmNuTHZ5Q3NUaFV5R3Q0CnwBTtadLTcqhQ2Fi8IC\nYeKNG7DxU2NaAjJ/rwRbVqElFwD8DZJB63U8T5ovXzS0u350EVJ+E5ulSZGUNNdf\nT38=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeU1LM2ho\nNjFuOXZmbWpsQ2VjZGhsTlVvVDYzNEhOUzFIVk1nb0EwR1hBTAp1bEpGQ1FwVjRh\nZi9QTmd5cjFlMVU5ZFluNk5yS2hBZUJHT3pmWlFYdTVrCi0tLSBxdkRIMDVYbDBZ\ncVU1MjlNUUlHcy83dlNkYWkwcEFxRXY5RWtSY2xLM0U0Cj8fxaBr0oJ+nEx6/kNe\nnz4PNXi3veyt1F+VrCBgu2jH+rcb67qreK/8y4Ev8tAOwXshoAKg4V0KoX7z+i5H\nPRE=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUaUZ4V0J4WDVycjNvNlRt\nRzVSN2p5RFRkU1NYbEZ4K0xyLzdzQ0U2dGpnCkJUdW9icWd0K2RpQTQvWC9vaXNm\nMERpbVYvVW1VTXkvNUxyTnlqUjgycm8KLS0tIFp1TTIzaVZuSU5QUUZrd0VacVJt\nemE0R2FidnlISlQrWUllZ1oyRmd1SncKeFLYq44Bx9h4PNo44OOLSk83dwJNYuii\ncguM+LjkwHhgMXBDAEf5w0REbkC397yMZ8w9WNaznWhua18kdTIc0w==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaY3BuWGFNL3B3WkxZZlJP\na05IMDVLNDR3THpDNmExQ0MxVUpKVjNyc0FRCm1JRUw4eHMram1KY0Y3ZE1HK2Ew\nL1RsOE1Ma2FrWE9SL29YbkdLTDcvMW8KLS0tIGFqZW1nbUZSUkVMWnBNVVZlM05Z\nalEzUitBZmMwelRQOTBGVEN2V2h4Um8KlREiGF8kzhA7CGujppwzACGsK+5atVfz\nS6BTPGw8ZJnDHZsux01ePQ1Pyrz99qwfDTubzk4tywayTA8/LZirQw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVWFWMWRkOGh3QXpiaHkx\nbDM5d1FraVJ1eTMzclFxOGNHREpWL0xYQkcwClNRNFYyUzQ0aHdjZ2M3ZTk1QzBr\nWURGcVRocncwTnlZUUFVZVVyeFhRUTgKLS0tIExVZ3Y5TE5pY2hzWVBJNWRhTmQw\ndVJ4VFlVSWE0dGI5YWExeXpCSEdHZncK5METCsDcyAef/spwZ6MXRSqaXWW/RaoK\nZrbKxBn5ibGwOfwCVvtKz1sPy9SyLNUyBw/S0CzTm3wTD/3KwXvuyA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMW40RUVtQjByVm93aGJ3\naG5XWG15MkhFUTY5WTFTQkJtTHZmMk9JQWpNCnVvcE85SFRlbGZxUWRud2Y5TFVE\nTkk4TVdoYlJ0VlpaRXByekxFK2xHVkUKLS0tIE9OM2N3dUpnZHROeEwzc3lmNERU\neHFYcFloRm8yV0R1TFAra29qYWhpaVkKrIdKo8C3upVLvFtXRUxc8RNwGOuUdeGV\nZMO/ClmtXvi8WHRa0CMUOSLYBlemC4yrHjK4FKru3BqYqLVtqjydaA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-07-01T18:02:24Z",
-		"mac": "ENC[AES256_GCM,data:JsFXULP0hM39nNW4xNQjbsTnOJSNS8n0kNiknCEhRHjE3aIfxrnTdP27DOGTotMWrIvk9lWBknHPW2HZQg5IBVQpglYJwCpNzXyP4ipUYAnATpplPFe36Oa/EciExS0Z2l17UKpGIEcxnrWijAsPAuCyQOD7Z44KtXSR6VeCtTU=,iv:LY3umqELBIMSjBb69EW4+LeJ5lXmREZxJlHYIPcrtOo=,tag:nWfh3bBvxtwgTeGH76NpOw==,type:str]",
+		"lastmodified": "2025-05-15T16:16:51Z",
+		"mac": "ENC[AES256_GCM,data:mU+46/g2nd8mUPtg64LriMHS5c04QdG+vbGFD2iLxkwpNurp+bEb//Bfuj5txStp9RA+2Y3sjvzz4YALwZkAtgiX9JPH7j5kBoweI7NYeD/CqfnRPGqhA8M9THe/qpeluaNpTKqLOjkDu9eqn9LzFre9DfsmV7MP4NU5dxjRigk=,iv:LMSxSDww17SmmA06L652/kws87IUBthqrBwhGbMe3c0=,tag:bSKDEdURgwt/30x9Qs8JrA==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
diff --git a/vars/per-machine/genepi/zerotier/zerotier-ip/value b/vars/per-machine/genepi/zerotier/zerotier-ip/value
index ad42803..69e3a90 100644
--- a/vars/per-machine/genepi/zerotier/zerotier-ip/value
+++ b/vars/per-machine/genepi/zerotier/zerotier-ip/value
@@ -1 +1 @@
-fd80:150d:17cc:2ae:6999:9358:3e0e:d738
\ No newline at end of file
+fde5:947a:3cec:e1c5:1999:93e5:947a:3cec
\ No newline at end of file
diff --git a/vars/per-machine/haze/atuin/key/machines/haze b/vars/per-machine/haze/atuin/key/machines/haze
deleted file mode 120000
index db9551a..0000000
--- a/vars/per-machine/haze/atuin/key/machines/haze
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/atuin/key/secret b/vars/per-machine/haze/atuin/key/secret
deleted file mode 100644
index 66cd82d..0000000
--- a/vars/per-machine/haze/atuin/key/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:fF1De3CumRtONLJXCxgV/DDy0DbWdEDcgTEf9PB8nI/czxsoe+iQ1nbbHrNkG9ZqJQl72nXL3+y6g4OssZ44aQ==,iv:0oCUhhAJNj7fQLxqLlSiF+rWpDrk/C/WX9+fwWnNeM8=,tag:FzXudt/aGN93XSfaLRMHwQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdEVKWW1Q\nbUNBdVA4cjdPUWNIeDdnRnFaVUJOWjA2WTYwb1Z2ckFvdEw3aQpvMy9Ic3k2WUxk\na043azJNaXFXbThwTmdmRStnNndFdmdkMHpUbHlVa0NrCi0tLSAwNmp0NitzeWx0\nTmtaa3NKOUJVZFI3R1Rid2tLUnYvTk1ZRXRJVUx6Vzh3Cj7g2RXgUtHC8qL2UkbC\n8DXqgbbJUVlqzhnoNbiIZyt4oHYNayV9j8TsBcMwL0ZipHdqvcfIp6ppW5qw3kn4\ntNE=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Y0QzZTRsME9LUFR3Rmcw\nbXUvUDdkQzQxVmtBaTVWNnNadDJTYUR6bGpZCjV1QjZDOEFjRUVycUV4bDBBMUor\nMVphN1FOZ0phNFRIa2dIKzRVc1RmYTQKLS0tIGNYclc1SHovS1dka3VRU2N1VFp1\na1VreE04UTRwUGRTUE85Rnd3dmVuVW8Kdp0IZDe+Vfa9U0i6t1GBJNndldrXF5Eh\nVPn8TEtAC73hVRDtMKxhqOKlIAoYBGoVxdeCJ/rQV6zI+Paci2+4SA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVDBVWFUwQXd3Z0NjUXB2\nRmlEOEtLSForYjl4dHp1cFd3SHp2dlYrWjFrCnVPVDA5ekxCMU9lb0d1c2VEWXF2\nN3JVME55cVVCbktYek1MSXoyR0tydnMKLS0tIC9uZmhhaTFjMEJTczIxQUt4SzBH\nbFpnNE1TUXN1L3BQL0w5UzFhTGR2dWcKykTdCd9RsebnSCgUSAguWLKVdd3XkQ0G\nhL+yAQD9hff235UVlmJ4eFt0pIGyHrGwvNCCErh4Ng0lY3pHxDsNFw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNnVETlB5\nejlHd0lKMlFFVENkdnhzUDh0Vmxqc2xDQTNKQStncFZZUmpoNQoxbEZSbnQ1ZzB4\nczRVS1JncVdNTm5XQWRESVdtQmF5bE1MT1lGcVVGU0VzCi0tLSBhR1ZHaCsvQjBQ\ncmtjdDVYaVc2NzBNenZMOVhMdFNSR21wbHdYVHlURFRvCpaDO4P9LKhxVpCJW5qp\ndbEA+voDUPM1EAlFWVOesJOf9VHrDgwjq18pMhZg/yUawYIoFtDqj3WlPmShHrPJ\ngu0=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-11-27T14:56:54Z",
-		"mac": "ENC[AES256_GCM,data:T9Z5jMebdm0UuRsnrFXYxg0Yylvn5So0ZqaEo+3axRMfjq5MS/sikz/nRGhgD5h9OTRk3tWndBB8aUO9u8QE+s+L4jM+wHSD1cI0+mc4/UuQgcs09tVxtCSFED0ETp8Iay0lhl7+yKpImPys0RpGNd4Wjn1qqExXqQ4M5aYcBWQ=,iv:85NKSnnrOGUtrriky0twzhLstnkjFkL11YxXjsgF+Js=,tag:VXb0q5eZFLxW7yE+SLZlYQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/haze/atuin/key/users/rpqt b/vars/per-machine/haze/atuin/key/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/haze/atuin/key/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/garage/admin_token/machines/haze b/vars/per-machine/haze/garage/admin_token/machines/haze
deleted file mode 120000
index db9551a..0000000
--- a/vars/per-machine/haze/garage/admin_token/machines/haze
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/garage/admin_token/secret b/vars/per-machine/haze/garage/admin_token/secret
deleted file mode 100644
index 8ae40b3..0000000
--- a/vars/per-machine/haze/garage/admin_token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:5jy8TnyZC5pnZjVHfu2UG5WP0EqiYIAzkxNsfXi49SQM0Jj0YcDGnJK5rhQI,iv:QdixTsOqXAdK28eggOekBsAiecwoW5IIOQLaGJ8TQ6I=,tag:whNmkf7n3HwtfXo4mqsODg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcDFEeXRW\nNFRKQ0FZZnZrTlNuZ1BlSCtoRGZGMU95SDB3T2trL3kyWmtobgpTb096SWJyY0c2\nL290WS9nWi93WTgxd2dnZGNab3JGc3VlbVBqa3dXN2VrCi0tLSAydWJiS1E0R1RY\nRTBsNXJEZVZXbnJVYWwwTEJMdXE2cXF6NVljYW1QTFljCtG5o/LUk1Hmu13aOvf0\nikkI4f4ipg+WpPpWENn2MS2jZ2ZQgP+tauNFwvlJjNxDXB+fSK5RtnAUn6CAzjfR\ngyI=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNem5wNFEwVjRRU0NzREQr\nSmFZTHU5Y1ZTaktGSXZ5alh1UFIzd05LcFZZCjFUMDJqUkwxYis2V1pheEV4Mnlv\nTE5UWE9qYnUxRkpQSjhKa1FsUnQyeUEKLS0tIHJ0TXczY1Rqa0V0RVJtNm9RdW9v\ndTVaSVV0dFc1c092SHNoUDZUSzcrZnMKLDoWd+qdFT/9/83jIxWIcQ8BBed2rn3r\nRugPtd3BWsUK6DF/7Oxofcw2ocz8DY/SjieYARiuAjK57IlZQxYEvA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUFB1a3ZNalJ4L1NYd3hj\nZzFCWFN1M2JDeWlDQ0U3aTA5S2FMRmhGcGl3CjN2ZzJMWDlqN2lhRzcxcjcyTVYv\nckdJRU5BMzhCNVdKRzJDalhKdDZieWsKLS0tIHpOTDdleU45c3hwSmp2dlNLVkhS\nQ0lweGkwWlF4ZWRsZXlja29xK1ZXeTAKddB/O8Ed35cNcjXN2zC+/khnOP6Qim81\n9jS6slVfX/5B9QJ3FZ46TWj2vhmHEDo5vSvdgjOmNRbppTlu9XAiFg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBL2pycUNG\nNkh6bXRTSGxDNDhVZ0pTc3V6VHp6cHFmMkdCUzVITnZvdkNLVwoxeDFMT09iai83\nTmoydTQ5TWsydUZrdVVzLzBvWWNmWENjYzNvQ0R0aHVFCi0tLSAxUDEwWk56dlF0\ndzN6STR4NEdYa0NkYW50WEtCcWhXN1dWVlA4bjRkSDhBCnUZ2Je2hXHMRJuGyRDQ\nJTMRUi013wD3DTgmLE0a40HuLIQud1+fw0AqjCcJpRvz6kQMBMImiwDhm57+LVqo\nn1I=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-08-20T19:06:32Z",
-		"mac": "ENC[AES256_GCM,data:uSwnPaV5+fi2czQoOhb7aVlYHejjXDeXkUZ1JZbH9m2//OxczfOvue66kVQiiq+m9QdgDnAHKy4LK3JpjuxI5QG/6wPx1aC0CisrjQx+tY4Cw2+mTfgiWWzCrM9q5URVFuxZ+TfFapeHMCL2CQZnLPvesbDwv4wNjLYsvJghVjA=,iv:AnVTpfgULC0bdw802optkPQjk7tDCBpzv3EiQEEfWeI=,tag:eGUZWCmjMl9m1PC1QTVWsw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/haze/garage/admin_token/users/rpqt b/vars/per-machine/haze/garage/admin_token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/haze/garage/admin_token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/garage/metrics_token/machines/haze b/vars/per-machine/haze/garage/metrics_token/machines/haze
deleted file mode 120000
index db9551a..0000000
--- a/vars/per-machine/haze/garage/metrics_token/machines/haze
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/garage/metrics_token/secret b/vars/per-machine/haze/garage/metrics_token/secret
deleted file mode 100644
index 538e535..0000000
--- a/vars/per-machine/haze/garage/metrics_token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:2sVVTEcBqn7eIZFpKfEWJ4kU1tS4o78cv8VosjG8s3JmXcTxqHczEdbs+gVA,iv:T1eDOxyWNiwDl7+kZKDb78J+A3t/E+0okj1s3OjyyxI=,tag:wDmMUJp1I/vTm4XsK5gHPw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcW8xZDBl\nMkp6Ym9vM3BZWDVGa2JaR0ZEL3VjRER4Tk5Yc0RQc2VWNlUrTwpXckluTHFPOXBk\nNlRiUzNOWHlCeWNLdnV5b3hmUkVSSHVCS2psdkdVUWpNCi0tLSBFZ1RIdExZUkNl\nZTZ5alc3eDR2QTNRNjhNdEFWeE5MNVVHT3FjSkdWR0FrCpWlbh80ZcDR2Pbh43L8\nGtTLxW3muuAqMUy9wtykc77FTPkzT86rz9BUb+EOvWJlH1HQ2mr6qCDsRPH+OhQb\nGOI=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dmNhOWZhZ05FRDZ2cW01\nZkZKZkUzZ3pIZjA4SzRzb0FYQUE1SE0rR1NVCmdiK1ZsMTRJc1ZRelNkNFhQeGlz\nYVI0S2RjS0pOTis2dldHUzQxUVJXb00KLS0tIEMwSXZvM1NySzZ5TzlRSklCSEVj\nUWUwekRkcWFHNkczU0loaTdtVVRFYTgKGVgbrHrBl/wNMR7/zeENghs1jv+Cghh9\nuDBCh6RwYV+vWP7bf/hqZUw/e0bXnbIVgcraunQkUwYpgSS5+B0GXg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS3ZGWG1sQVo5MnlVYXNI\nbHQvVU1reXpzcngxZ3dPbEZFdFlhemdHOHo4CnRFMlUzd2hqdDU4SW1kNW9wUnRn\nbWpuTnhDYmVnVHRrN1dpaWJBMldHRTQKLS0tICt0M1JwcFlDQVJkem80Rmx6TTg3\nS3JrQmFTZGVqdGVlYTI0ZktWaDJvTW8Kq9yjcHnAeGA8qduq/d11awVM8uE82jHo\n0bzID7kjWXiDNKrCb0LXkUthkTt+21kr/qkdG0zmn93eomIbaTm+Wg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNENKaERF\nS2owNUhGdVpWVGcyZVZWcG9BZFRKZnRMc1JtbUIvMGYxNHQ1bgpZM0tBTmJDc2w1\nVEFlMkpDd0E0SDhDSjcwOHV4WHRZc1NGRERuQmZQNG5nCi0tLSB4RUUzcFp2WlJB\nejFTeTNCMlBDMjY1cEx2YkdtUXBJL25ZZFlEL1ExUDFZCptl1mCTAVpTY4lB2Aqm\nYUVVNezPrM15OA6GglDxm+u/gxxtC6yBUFHtsThLypyBMJ+r+4BHF/UOp4OqLxGH\nzt4=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-08-20T19:06:32Z",
-		"mac": "ENC[AES256_GCM,data:UmVIfwKSX+qHb0nkTA6Bm0pK+j2p2zw1iZLxM1469bICjdyWJCa908kjEzDb/aozx+KGi6LyoIUFHVyBoJKhTfgyiHg8iaEhhWCXNwmNswdainswtN5pXE94dgx7ycGs1jLd1R0bOI6RdziIv1vfm3DGMhw0dszVp44HF4UM4iU=,iv:71/Plcqcemhnn7y7DvffsVXmF2pNmpt5UwHsY0eVEls=,tag:zAn8d1IXZ/5GL4g+F8whlA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/haze/garage/metrics_token/users/rpqt b/vars/per-machine/haze/garage/metrics_token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/haze/garage/metrics_token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/openssh-cert/.validation-hash b/vars/per-machine/haze/openssh-cert/.validation-hash
deleted file mode 100644
index 15f8ff2..0000000
--- a/vars/per-machine/haze/openssh-cert/.validation-hash
+++ /dev/null
@@ -1 +0,0 @@
-5c9d0944c4f6abc9765b12a4c4eebca296ec914fd8ee4e4691b9c40fbdef57b7
\ No newline at end of file
diff --git a/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value
deleted file mode 100644
index ddf64bf..0000000
--- a/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAICBUNOo7T8sn7F094li17lssJOCdixjDhLO6eGlO72ZwAAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAEAAAAAAAAAAAAAAACAAAABGhhemUAAAAVAAAAEWhhemUuaG9tZS5ycHF0LmZyAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQHVWtdcrv4w8xc/YSAJmGkulkMfr3QOdEEGBZLeARu15To31xtScc4U5WhMstZRu9rWBoVENaUIuo0poRvHT/Ak= nixbld@haze
diff --git a/vars/per-machine/haze/openssh/ssh.id_ed25519/secret b/vars/per-machine/haze/openssh/ssh.id_ed25519/secret
index adb8199..8f048ef 100644
--- a/vars/per-machine/haze/openssh/ssh.id_ed25519/secret
+++ b/vars/per-machine/haze/openssh/ssh.id_ed25519/secret
@@ -3,20 +3,12 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNng5Ly9J\nczRTSEFMOHlmbEVkV09sVE45SjdLLzFDd3g5d3ZYb2M2N0kxSApkUUM5QXB1Mm1F\nYXJ2eGhCU2s1eHRqVnBMRm44RWl1YTdBdUFYZXJSMjFjCi0tLSBuTEM4RkY3K29m\nbWp2SDJ1S0poWFRrSVZhQ2UxQ1dtODNCazlydEt4MiswCt85xFy0xUKnjxTdea4w\nxSaCvi4ABykBbSZx9nAnZ+PVxlM7CYSkmpYkQUlrwQN7URlfXVuMjhyQF5qr3lzx\nIfY=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dVVLWVdobjJEL1JQNlFW\nbnFlWXNuK3Q2d01kU1hoQXBWaXBFNXVkVEU4CkFlbzZTMnpwUE1ORU9zM2l4TE5O\nc3lsUjRaVGdtdndldEQ1UTBONEZvejAKLS0tIGU3RmEvYnN0UmYyL0tPUld4cStD\nUVNaSitqZU90TzF1enlBZ3E2bXdXUkkK3WjZzeEbbI/IzC2iyMUtIahzuojJafVY\nhPYUfahwfdt8GDPp7dIsed2IoeS3xnPaHZ9+EhihH/xPZtz2oAIKvA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVUYzOCtQTkJNdWJjYkdi\nQjM4VFhDQnRoeXVUZXBjNFRhemhsSS9haHh3CnR3OHNLV05PTFVMNTE0dUxnbVVR\nWlJlNFJ4QzVvVTk1bnMrd2hzWHRsWFEKLS0tIE9ORnNzT0I3UzhVbExndHBUU0ll\nNjF2VkJKWFh3WDdzdGZ2enRrMlZWQk0K/33zWJ0B0i5Y2W1zqNRKik2iC3GoJXFU\n9jmPH0BmIU/C32bYgZkDAGPkZbqON6OdhYQ4LwY2GTNpQYcQwd0+Lw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdjBsVTZwUkdNRmN5ay9h\na2hoUUYyZkVieW1Ia2oybEFZa3pBZUpJMlNRClBFenB2NXFNVUJIWERibEgxZGlz\ncDFMaHRMMEM5M052YnJmcnhkeEtvajgKLS0tIG9Hc1BUUVdVYTdESVRrK2VUcHpD\nOG4xT05MbWF5aExjNmRWQW1VYVVldlUKr6FPttKwPIeH+lrbcxVq4yNymRj2Oa7Q\nfWs599WWjw3aSdlHVafgABcqKrxqSo7/gEGy0rtaskzWCQ0pGVe7mA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBL093UVk5\nR2F6NDFBSzBLWkxEdXM4NUNYMmdWQmRBQTNyQ2F4QWxjNlhNZgplOTlMMTVDNEkv\ncytvaHZNU0kyL1dwVlhmWlY0SURQQUpPemNMc1lERDVjCi0tLSBKZ1lOekMwM2Zk\nZEN4cm9TRFJENjUrZmwzQXovMmhPeUV4S0tCRnFlS2dNCrBsWrp9sW0DBMKrEUHI\njWn3DwDsa0E8A72Mbtm1urdE4zyIU7VBONOe7LUzHBNe6Lq07CyJ7mWXHzORQ8Mg\n9Ik=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUFJqaDNIY1UweElXV2J1\nQ3JWY0pOTW00WG9pT0tJWHNFb0hoc0cxNUE0Ck91ZnJLc2lIWlY4bFArazZwSy92\nQW0wRURrdFNwUHc2ZU1QQVJIeVp3NVEKLS0tIEY2bGJMblRMUjExWm11M3puUE9x\nUlRwY2RSN01taDdXbko0M0s5OTlVWVEKPv1/4E0G0tpwXPpRQrodugA+v9vIhRD+\ntGwTvCJ8z63CQo24Tcb7WNEZ/bDKfS2p8VH6QV8CAJvWWFyF+x/6NQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T21:17:44Z",
diff --git a/vars/per-machine/haze/root-password/password-hash/secret b/vars/per-machine/haze/root-password/password-hash/secret
index 4c9c96c..4a4d249 100644
--- a/vars/per-machine/haze/root-password/password-hash/secret
+++ b/vars/per-machine/haze/root-password/password-hash/secret
@@ -3,20 +3,12 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNUtxV0lO\nR2M1N3BJd2FRdE1xSFJhbUpJU2ZVL05mNG9NSGtkL0ovRlV1RwpVRFdSQUNyQ2Y3\nL3A3YUpCMTJBb0N4ckczQ01BbTFCOVozUnpFVTNEallZCi0tLSBHdG8yL2tPOHZT\nb3MxdG5QQTRieUtUck1OdkFadStmc1U1UkI4Q04zRiswCuQu31tdmdxlaKHRE+cP\nd3TPJgOMhcbjQqr60JNw4i9pCktiAvGd52gcIYCCKUGYM5QvSAt8JqYJ9F/ZcRVV\nTZk=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MzFlb0tWcVAvdExzSWk4\ndjdycmNsbG5xOVFXYkZzN1ZpT1huQ05jSlJFCm9qMDFybjV1Mk9qbHFvU0VCNHlM\nOUpqeVoybTV0c3NjZjlzcTNFSlpQelkKLS0tIHcyY3BGWXNIa0I4NFFHWDFqMFBa\nZG9sZkxMMjRSRUF1ejU5eFZVZWRHbTgK/ZExg03rN+OA/PX/qomcB2nJqQk55haA\n6Ok/1mzgtd4qeDp3tQDn2GqxHj0+Glua4wA55uLeBN7uRgT82IfNLg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbGN4UHJCRkFOclRlL1d6\nVmFzV0FabWkvcTAyUkhYVnFNTHcra3gwZkVFCjF2V01uZ0lyUzZIcEFqVEsxc1Br\nZVZIcGhOOHF2SWlVRU1aK2oxQjNISDgKLS0tIFlQdHhacDFpUGkxaE5lb0JjZlRR\nNDRkWWthZC82SEs2ZU5pWFlRYjhuU00Kv6ht3pXNcgaG4zNbMuhu7B+7lZcZdk3s\nxLLW9W5/M/s6NpwxcxGSkpK7tk6D0etUnuDvZNmmZptEKmrmsnwj9w==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQzVKdXpNaklXOWlEdWNa\naW9ZdVRncTRxcE9KZXlZZU1OdFd0QlpvV1JzCjJTQ2p4MEtQUDVqU3lYN1RZcUh2\nSVNQTzlsVlR5dXlVc2xuU3YyVlh5bTQKLS0tIFd1UWpTemxjTCt1MytoSkhHNVZM\nbGc0L0NPTUNPODd6K2JMMmNQRnprbW8KyNnslioY4vi4w0mzyIstqsIlKT8EJ0r2\nBIaduiQkhdVlMbNRtAIN/TlcL1jUZUilx0VjaFaIiQaq8DlJxZ21/g==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeGx0aVR1\nUERLVDdFeUVIMHFSYkhITTBmM05BcStTeis2WkdQa1J0NnZ1dApUZUkzUWFLWkRt\nZ09ONk9LNFI5Z3RYeVRNQmQ1eEtDMDNIZG5DdDd4VjBRCi0tLSA2UGJ2UE1CN25n\nYkZzUUk4ZVBoT2Fkc2JWYUFaYjR6WS9xZlRsT2ZhYjdBCnV1S7LqTPRu4RFTtgiJ\nlGnNMOeyQat3FDFzt3ziheFHC7KQsvSHmLL3bdaV9GghS/L/Gtrk+ZJbDXVKhNJ/\nML0=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5SS9iVncrQVRkYkM0L2hH\nWW1oRWlKT0FmNDk0QndYNTllOTZyS2Jsc2hJCjVKRkR4QW1UcmU4bWpFVm9VVU11\nU3VQbG41UndSWG5wV09DeWVIczE1blkKLS0tIDdwN0FpQ3A4bWtLa0k4YmsyRzVR\nMGpVNUxyM2VZaVpjNm5wbkF0SHludnMK5RxjTcybp5XObn31DC27rU9TDy4ca6oy\n6rn6hX/9AHCq7qAqhjvb4fF+7cwW1WYWZcAdWuWKa8EO/Xtc2MeMXQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T20:58:38Z",
diff --git a/vars/per-machine/haze/root-password/password/secret b/vars/per-machine/haze/root-password/password/secret
index c9fe3cd..7b8b6a8 100644
--- a/vars/per-machine/haze/root-password/password/secret
+++ b/vars/per-machine/haze/root-password/password/secret
@@ -2,17 +2,9 @@
 	"data": "ENC[AES256_GCM,data:ZubfHil6U+zDmAFhVuNKPwpxv02As6JZNVRm,iv:7/UnzVA0yJ5nWC0m9eW6ZQ8N/gZIvxldT6jONbEbcUI=,tag:OZxm7fkGRkxJahq5/79Ctg==,type:str]",
 	"sops": {
 		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBb2g3SkVF\ncUREL3NZZmVNSEpySkpGRU5kNmdxQ3pJZnpvT3JpaDJ4QStzTwo3QU9ueC9ObjNv\naUYxd3lIbTk4L3JHZHZGeU0vb3FQc3dqYjBmNEczbmNJCi0tLSBoalFlMXNLSTVU\naGhWRDZORWY1ZVJEY0JCNUtGMmhuTDR1WFZoYi9NY0w4Cpf7AdOaDFR+Mt4VGota\nA60hpYJzEFitYD5Ky66j+R+z3j9o2mLCE+1UH/Lw0k6cBPECAPBGUR1l27Dl07OR\nLcw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSHE0ZlBud2Rjd0taSkhx\nUlczSGIzK0hmMEVzeDFrQVlqdWtBSFlQTHdjClBUK3B4cUV2SEZIb09DWjBNR2o2\nbXZPS3dXNllrUzRmczhiODAyQS9nRmMKLS0tIFhZS2JpTTNNYW5xSTA2TVN0Q2lK\nZ1BSOHVsdy9RS1BONzlzK0Y0emtQUGsK56puPRo0YfMDYtWtK0JvxPOH9HyoNeeK\ndeGwe/S1AjtrgnmJ/1h9UxPPHF5c2h7v1XgstiFfSIAvLCRMvk1sIA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNGlTZ2o0\ncFFvSDdHVmxzVVRFUGt5Y1FqTGlGbmZ0SFpsR0FIM1cxRTFVcwowUWNFLzh0Rk94\nOEN2Z2pxRE5WUW5lMkZKTjE0VTZuQ3ZFdzh0YUg4ZE1ZCi0tLSBHdXpvcjJkeDA3\nbHJDOHIyTkViQ1JlNWVOeER2YWJHb3g3YkZ2Q1ZnVEVnCpcxFzHlO0q2vCsym6gF\ngV0P0sJOorI56UcRUR1aJhhpTuqskQcf08CVOcmOVBQm/l9NQX9mdpp1obyQl94B\n4+g=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZGdja09nbFdOSEpRd2po\neHNCdm1NTmh5bEpjZURDZmFKT3NsWitzaWowCkgrSGpTKyt5MzFPZTJoODZBb0tl\nYUxueTgzLy9RWjhXdWEySzlIS2hEMkEKLS0tIEQvMjZTcldjdVRBekxySUc0Q1h4\nbTR6Tkp1Q2JnVU9nRUdHbURHUFRtaWsK3Zq/MNzRV+oViZIn36RMmG7St49I++QQ\n2s+DNrzT2CkGdpXwSegwrxDZdnk6LJ5bJbl8K2POQnDFtvQqipxTaw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T20:58:38Z",
diff --git a/vars/per-machine/haze/syncthing/api/machines/haze b/vars/per-machine/haze/syncthing/api/machines/haze
deleted file mode 120000
index db9551a..0000000
--- a/vars/per-machine/haze/syncthing/api/machines/haze
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/api/secret b/vars/per-machine/haze/syncthing/api/secret
deleted file mode 100644
index 6b2ae4d..0000000
--- a/vars/per-machine/haze/syncthing/api/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:wdyPBmRCVrcFH66X01F1VzFfGkKA5hhIEa10WUMfnoM0,iv:QJBi16RI0VvHtEiwrtk76oad/LNqG+xOTPWHS8R7Kys=,tag:AnaCwhmtbCZ6MaJvrRNesw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBd3pvVzFV\neGpzOUhjZ0NTQXBQZG1yZUVsWHRGZW51OENVOGI2MS9ZWlFXcgp6c05jR3hkam9n\nWjZpT05vc3h2cjQvczlkWTVQTVh5MjhXak4xMGNhdzZJCi0tLSB3SkNUOUE5TWVZ\neUxQc25FQVI3UGhSMU1hQ09RaFZVNlg4SllyMEprbWlRCgYJ3cLXwmIw0jcgeiCT\nWE5xJAyX5ckFsaz4m/Wy3agRyuEZBn5xU6CXVFxhnLKPZZFvKoHxm98MIC2MqTXx\ne7E=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeDdYOE56Qy9yNFJWQllu\nenFPRkdiNmxPUW9yMFh0eUc5UEhiUERqSkJNCnRGSkI3MjRlTHRVRWVRTUhxY3RE\nZGx4NUQ3TWxxT0h4RDR3elBON1E5M1EKLS0tIDhBUkFwMVEvWkRPWUlBdVdITGEr\nYzIraktjbFl6bThoQzFxbnVJaG5UT2sKVXn37flCFIRANh+wWVB4LSXcO8W14G0I\nqsPYPqB6bCHZGkCJiCPoxfPwJkmED659xsQ3FXAOA4+/Deu4IjlaGA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycktKNDhnd2l0cGNCYWRp\nVXhzNlFRcDRNWmRyRDZVV3RyUFBTa2lOd1g4CkxwOFhzYllGZTRKaXpBRU1zTStG\najNXU3lJRnBhei84dWNHTXhhaFJPT2cKLS0tIGhtOGlYVjZoRHpaQ1RhTG1SRlM1\nOUZYMkdPTXN2UkFOYVhabUFLVDNuRFkKvRy0nRWKvMSAh+oOO7w+d8DdTbWOKp+g\nMnhTJxDIDtZ0BuEoF+ekPLmBO9OCnZhOOTamVx9Ip6KEdI6IzwOPcw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM3RTaUR4\nRHVvSE50cDNSNStCU1FmV2ZJK3NzeGsrd0VGeW5zK0tXWjJlNAovRGZCZldBUXhD\nU1BnT2RxdG1qZWd0UEtLMUt5UTRabkVBaHRqQThKMi8wCi0tLSBTYVlQemRVeEF4\nSVlBa0tnd2MraGlJd1pmTlNvR00vS3RWbGtBV1JCcDY0CmPlEEkFY+7Zvq8pPeWN\nWernuH3s1x8f/35HLpvHlFqLKfgeFtafgH6DlvuhRPdwP7ElxQzvK1iQx+LWu8QA\nUgg=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-08-21T19:57:39Z",
-		"mac": "ENC[AES256_GCM,data:6B5CrRGH5vjVJ40DUoBo3y7g3Dc+YrsQ1QCwJjUeob85HYY69EF4QEh60TyAW02jcX0AF6m/qprG+66huqqnKcjlI3nlda+WFSQlL3wa2KoT6DcEwgi0p6GjQMT83WYOJBmKfAkd7vCbAnR+IJDiPW4fNpfe0eMsUBUs+EX2+9o=,iv:zrJWdjKABkpGy+F45zCfJtTNcfpGtF9RNsmH0ylsatM=,tag:QTi2ln4Uhq9gppxtA6/IYQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/haze/syncthing/api/users/rpqt b/vars/per-machine/haze/syncthing/api/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/haze/syncthing/api/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/cert/machines/haze b/vars/per-machine/haze/syncthing/cert/machines/haze
deleted file mode 120000
index db9551a..0000000
--- a/vars/per-machine/haze/syncthing/cert/machines/haze
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/cert/secret b/vars/per-machine/haze/syncthing/cert/secret
deleted file mode 100644
index c99828c..0000000
--- a/vars/per-machine/haze/syncthing/cert/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:SKGdJPqhv+RHwVkLjxdeWKfWwR4Oiyi+ftWJ3SmGsqLEQvuXzXjsivIRwYPw7EWwMDpgh8GD28iV5TaUmthcptLucKuWk6no+AXhc6diEeRm6YEh2BAN/L2leNN0l8Dte6wG1O/1FwBQ89qHlfuJZpxCsPZHz/+Xr734F1+mbkrgat+ItET2wvqT56UkSkct0CGMqttY0IlxEVCfxZF3R/I2aQI0TOyTciikBy5yJxvffVReJhfwwJvE9PedZwjiauIxvKbvuev3+WKzLYXEr4jPqFaTI+t/xYVlWXSlXQNot/FlOFy3cfw9kKb5R/l9Xst05xA/5wMDDVEBdx1lbRxTWlS7ZYJDyZbNRtTkB6jYe1H95IupVKrnt9nqLzEaXnxzjonHrJNwopW0sF84XL9HZ8g1u+ZTgCz7CuRzB8WGacBd/nt8NIefgpeS3Coj0XZQx9cMIQM38P5eJuiM22ardknZ8PxCBCFeqXxwrddyTfrZY+FPRrIP6QK+aVMRn7998qqaKlPA0itgvyTYIMHIy3KT4Rv9U8VEfItauDsUCzhJ2TDOIuDpzCTq2pu628WRJA3jbJns0l+XSo5WUEdjK1IXTUOLsaDm+Mph2vty0IRAqoc/JV16WOqn+SeCFxdvy2eOJuosj/6hknKrSP01ptaEhrbZWFsfAVrhc2iv/9u/KpEqzn4f4XAlFkwSevBePnUnYYMrOAuI8OmmLUsWHv1flOTJmbsWLNT4/VYf4z6C9knIiz8Usqpg3BgYIt7XcntU1VWBhpwnzaIA0V4aGtoT9VyCuLP8eafkncaUkFXvYJDge9GJs+JXbrIa6WL2lRXltq7iIcu3F2FCu+sQa5pBuLTZa+dsTFKYoU55zXWRS+kXMe+M4soZ3HwxWUxN//n7KmJWN5Lw+qyNMQwBuraYCuFQR+LL2gus/Plaq8pEmi3u/sl+deU5nKW0pvyjJsCRmLW0Bj1XgJhuNGxqRhdQzHhVfs4TB5U/Na4FLsQRB+kXShz8hb4N99YklGbQ8+aNGJkgg8PnfJTy6kGCTcZnig==,iv:pOJFhXC2+945P31AI3XaGogeDJiLreZXDcBu8OCziEA=,tag:q0/fTUGO06uwq+c7CRf6EQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcmZDT2V3\nK2FudForOWpGU0FuMEg4N3NhbklSRHJVZXNUR21jaHFoOHlkZwpzSVkyQks1MmUr\nRlFUbThvRVR2ZTEySnM0bDNWcE13UHloalNQbnI5cEZJCi0tLSA1WDhmZnY2NGpY\nWThpVkpPUVFZOEMxQ0JlY2ZycjhYNUk2SFgxTEI4OElFCu3r0ynvoeGJ+5y02o1Z\nyStTO2PpxgqNAqB/DVjH75xpQIPb1gqNFaR91xeww7lK8F5hngiKrut1I5Uu/aK9\nscs=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbW1EUUVuR3dObVc5YVlI\na2dRUGNrTnBrSzU3NmRWVGdreEdDVTRuSlFVCnJyRHVJK0tmVDUxdHFSRlpxUWY2\ncCtZeTZPOFpnWG9WMWoxcUd3Z1I4S2cKLS0tIFJ0Y1dBT3NqdWM4aUVvZk9GM0Qr\nOGFqV1pZcXJnNWpSY3VER29jSzhpbmcKlgd/ahLtBvAGRzu2w4ddn0wXz6LwoDzw\neD6HO/TSjdN+tJe1fKcdnywi1XMjLC4qkJiYz64TcE/7vEmVt1YPnw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKeXlpVzgzRC9SNGQ3QjlD\nMjk1SXMvSjNtcFRJMTZhK3JHb3pjMGR2b1NZCmpTVTZCUWJXRmtDY0o5TkV4cUVZ\nWHRseVloUHhWN3kvcTV5TjFNMUdWWjgKLS0tIGYyUHpjWjhwZTAzWTU4dFZabXBG\nMkNMbyt4NlJOM0FxLys5dnh1THZ4bTgKynU4/ygzPLu9u/ye9qLRh8tq6Ajohxjy\nskz0FgGkX7EPRWYuh+v6/vuyKuqke1peZERCLb7WwLlKfYJLeKl9Kw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdGVPVVFV\nSmIrSE0yTmxYT2FpakhBaDkxelVGRzk1dTdWcXZqMHoweTFnbwpNbHFyUnBwUXph\ndWw4N0xONysxRFd3U28wb0d5aG1mZFZmZ0RoY244WTQwCi0tLSB4R3cyV1ZIbzd0\ndEZmUDNRb3FYMFdKcmlkcU1PWFRJMld4SDNBRDRkMExFCna+auo98pjbmBEm212P\nM9HFzbUmW/nQNzFmCmtBPZ12TLYghJIMWciiCz8piN4745Ff5HwKHZHq8AC5l078\nGAk=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-08-21T19:57:39Z",
-		"mac": "ENC[AES256_GCM,data:QfsTZ8clnaM49i9v/vOGNXC5MQWVeTlSQRe01+TaTSoQCbe9weCgpS0RuIFMMDYfrgjPo+uywsQqtU9h2TIcaciZECm2IlQlBV3E0KXu8YhIZfKdEVw8WubBDaoJ12EoxYLzWH6NO2T4fe1W9oWiPkvXtH2F87JshFQHxU5bjSc=,iv:xs7pXaDTRTfzQH50/ofCox+Nf04q7HaYOhG9YEI9p14=,tag:iu2ZQRZG/YX/4RhJtDq4mQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/haze/syncthing/cert/users/rpqt b/vars/per-machine/haze/syncthing/cert/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/haze/syncthing/cert/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/id/value b/vars/per-machine/haze/syncthing/id/value
deleted file mode 100644
index c533a73..0000000
--- a/vars/per-machine/haze/syncthing/id/value
+++ /dev/null
@@ -1 +0,0 @@
-OAHRNIM-ZGCKX6L-TT6H7CU-PN37K5R-NSYD73B-MXNMCC6-X7V4ZVX-PXDWHAC
diff --git a/vars/per-machine/haze/syncthing/key/machines/haze b/vars/per-machine/haze/syncthing/key/machines/haze
deleted file mode 120000
index db9551a..0000000
--- a/vars/per-machine/haze/syncthing/key/machines/haze
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/key/secret b/vars/per-machine/haze/syncthing/key/secret
deleted file mode 100644
index f14471c..0000000
--- a/vars/per-machine/haze/syncthing/key/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:VTGonbJui6BXQSPh6IgxYqh4bJuNNplBzYr9XmddQuVgUheuXOWiIZdWIKQh+/6xGX7J3XRv7hsrmE5XJjUwR79mSgVGwa2K4ZASv8aRZ1JVuephtd9OvJaazCjeA5Y466XJtw6NEmbRiu3SCxItj8Rqk8NeLnX/QzfqTA2ICRBWDq8tBY5gYgDxZNLksDchVF5VziHjENQ0EqW5inRczWoTRf/TnnwHeGj/FY4MNgDbV3brhlHb1ksVLxxZAIJkRvPVUn8O3Q1lAQZsUNBqMcHeFGDXVP6GYyarq0oi6yirajKU+e9240SSpFfF8kkN0Bu60cKaY9ITfp349vi86hgi4t69jF7sUqvJ7q8VXtKQkWyRaiA3iMnWZBBhmVQM,iv:XYXEsPw53CSM6qGVOUx9Wo4uirtGGVqcXAs5F9oNHjQ=,tag:e2lmKXl+Zj5Kz5wv1LTk/w==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNzZyWEpN\ndkVmNFlZNjh3TW1LSk93OVZud0hpa0IyQ3p6eW9Tb3RzdlI4TwpmRnhlT1R5eExI\nTkFMYzhJTWlrMW8yME1aQW9ZWkx2NWZ3WitoamlFcnNRCi0tLSAvUEZ1VTlkRno0\nOXRia1l2NGd3VkMwK0tCcStSeGFUVGtQOHp2U1Z6L3hFCtB/ZCZKsq8AQBW3Y9fY\n5DqikjzAoGIV4/0aduLIFag0B3NpWKgMFTkxbwBdsQPSVc68RtGD9HYHJ2uSZj7J\n9N8=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVFd6MzlYbXVEZTh3M3M1\nMzRYY05UWkkrYWdaN2tra0lNUTJRdVhzUUdnCnhWT1RPbUowSlo4dDBUcC9Ud1BR\nN1REYnY0OFJTejB5dzVSOHpwc0dLSkkKLS0tIG9GVDJTRDVIWER3TE9INnIvd0Fp\nd1NNZUhOMCtDb3FJRzRSZlV4eGVMcmcKdx7nYm4lTQgYIsumiB6dI2Gv42Y2+yV+\n90GYWy+B1XIMMAgiaGbWfmigV0dqS/XugnDwmXpu9QcLpAkUjfwdBg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwa0hKNTNQZFJmYk9FQTRs\nVVliNUhuYng2UFpJTS9zSHVwYmJOZ1VjTEFjCnFoVWU4eEttb0cxMmI4cmVKbm9T\nak9jVHUvV04rRktVQUE4RmRzdnBxemMKLS0tIGNQbWw0YzRYMzMxdUlMRTNHV0R3\nTmhTWThOVlpuRFRvNnVSaUs1UFRaVnMKjeWq4LTCM2uGfpg5ULat+jKMXmo/wfSV\nELSqAyuLOuxlCeAakXDcv1rcRo/wBgIQZEqv6YkbXtZn5M3Qi8nSww==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBa0dsTnVJ\nemZQWTNJTTcyWmtEVzVDYnVWeEdKUmpMbG1NSVNZeDh2OWdDeQpsV1hTeE1HVW9I\nNnc4MFJkUC9HVDljQjZIb2RWVXQ1dmFpR1FnSXBrbXVvCi0tLSBqaFZyZVNIeEEy\neHkrZld2L1drK0xPVkhUWkdsajNRVzZiVXlXNE0wR2VnCsIb3oF4WVCjIlH1KRdI\nYuzIVbZUkv56xRQfC/2JRgSVCSJobOm9h8JRn9eZuewqzD+4kiLOx27LAXcMvX+Y\nqUI=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-08-21T19:57:40Z",
-		"mac": "ENC[AES256_GCM,data:sDAMQsdy5og2e7Ch0npphfgMzeLcI2Lh40ZNgXG8JgDzoGLCeuNjcWwPTJDmdXzIpngAs+FuIAAMyjk1u27SY9RyVhIg+/OnAjK03UGr7sYdNNhnP5lQqKJy8PuPUaVclAuR3uavGxNGdXYX3GCFri0qCI6tB+Oqa6feZNxvEn8=,iv:EAAZc3BfqJsv/ax9Rf7uCG/D+NKLLZI6uzFzo5qb4p4=,tag:ZDb8PwLsMIDpMu5zGLNKlg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/haze/syncthing/key/users/rpqt b/vars/per-machine/haze/syncthing/key/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/haze/syncthing/key/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password-hash/machines/haze b/vars/per-machine/haze/user-password-rpqt/user-password-hash/machines/haze
deleted file mode 120000
index db9551a..0000000
--- a/vars/per-machine/haze/user-password-rpqt/user-password-hash/machines/haze
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password-hash/secret b/vars/per-machine/haze/user-password-rpqt/user-password-hash/secret
deleted file mode 100644
index 2b0ee92..0000000
--- a/vars/per-machine/haze/user-password-rpqt/user-password-hash/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:FPfiUzjYns9F9qYuJCuKQ2gQOtiRM5p9wUM4vTB+itXKiQHNRWaT0Row/wyMLkjMd8roBYgpUpUOpOnI2MZQfUAB3dlvVKoXW+lE4LrC2G8qTleQ3FYfM9FelpWuw+yCq4IJaZu8PVRY0g==,iv:K9B46wJW17JoOU4fKl6o5kYMnXJG8l+0C0UNSq6W5fU=,tag:pfG9rSTlv8HVKs8orUosTg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeEdjcEVh\nR1F4MzZad083RFRZQUh4WUhMUC95bUZaa1dFSXFkRCtaelpQVApRWHJ3a3ZaOW5U\nMUxDVGJOTWV5dHNlWlgvQnBoWHhGNURWOU4vUlBnd293Ci0tLSBUTytzdDhBMzF6\naC84bm5pRm1QNUptZUwwcmFxWXp3TUtpSEF1ejNlSDFFCtjcNkkFY1qMEpy1moJT\n5XpOU++83gy/MXRzBYFcL8WowMte2IwczfdZcc+RN96plAqejRVBZE4Fx6OZIHJr\nLPc=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eGp6c0Evc3RpY01JajZH\nTjcrNm9xN1N1MkYzZ3dldUFZeDFtU1BQOVRNCk1MWmpsN25wUEdtamN5b0dFYmpL\ndEdJaHpUcWR0NVdOWTAyVjBBTGZHRUkKLS0tIGx3U0srVmJMVU13UXZRRTlhWVp3\nTm52TERSbm5odVB1aU0zYTVDVnQ4ZFkK5nDBFPv/S4j/8FShOaMsWXZMQPJO9vCx\nEi9OU2vZ66tlbgHwTq6QdPcEA5/ptAJnYLrzihs9vMFhKpLbn6ElpA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdzEvTnV2cDVSZWM2eEJn\nVlBUbUUxQzV3RGJhN3RtWHZNcXFNaEVSQkhrClQ1dEl3YmcvMTlnWHMzN1JwZFJu\nc090TC9wdjlRSHd2QStvZ3plNmY3UEUKLS0tIFgxZzVPRURUUUhwYVg5UEZrREVq\nNk9VcituMktZb25ub25RTTllTnhVeTAKFHF0ZFU0/nxI8OTvvsiJv/vUJjU7nkH3\nRyn7Sl6yQL0aYwPBRyazS5eo3TesPKU0uO868bUui8LZM9z0687zDA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBd2E0Z1hv\ndENyQnA3UThZZTRQNmwxZFZMREVUWDR0SHFPVTJlbmw1UG5abwpMME9DS0w4WWFn\nUGJ5QVR2cnZndU5Bc3g1Y0J2eWRqbWlnWEpZS3pqNUR3Ci0tLSBSTG5zQUhjaWh4\nRDBzSGhZM2I1ajZ4VjJHbVVhRmlsUWRCZEdnVkVVaXRJCpt1R1StL8pXG62WTts1\nL36IuP3cflSegYmz3bLdcnbMmejldl2EYflNmLlhQMOoa70vSJyFjqEZ7i7+ly20\n6M0=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-24T17:11:23Z",
-		"mac": "ENC[AES256_GCM,data:BS/+1cyvgY3nCjmbDNHDtPbA/1bvnWWl2Je2XpjfsytRTMAZ0QEwkwQ4cJJnpZDwkscOtJOTR/0FY9+sRrSEMQbC5r1TFL3gFYF8PzskFBL21kovKgQD4y07tARlyLzL1Y8EuA9jVGQjIuqi36mXIxrAcCaP+ESDArWSh5IoQfw=,iv:4BZNHlHKgGe08f8tVZXUtaCZhLZZ8Bwl1oQ/S7S1qdM=,tag:Lusfyr8U2G0UpBLkEitLGw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password-hash/users/rpqt b/vars/per-machine/haze/user-password-rpqt/user-password-hash/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/haze/user-password-rpqt/user-password-hash/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password/secret b/vars/per-machine/haze/user-password-rpqt/user-password/secret
deleted file mode 100644
index 7ce933a..0000000
--- a/vars/per-machine/haze/user-password-rpqt/user-password/secret
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:bYZDSHz0u+O0UJ3P,iv:7L/ziYffgAM+bYgmlonPyRlA/Sa/x5bXMeJsIjMRORA=,tag:FPk0ggKa6cRTDMiVNWSj3A==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNXMzeVV6\nZG5Xd3Ztbms5YzY5dlAzSHhJWm0xRkdMMjhFUzAyZ3A3V1o4VgpRdWtJMDYvMTlh\nei9oQzRsemloVUE0ai9LRTF0VFZuM2VoR1Z4bXluMVhrCi0tLSBWUW5MODE0THpo\nVWxIMHBON2EwejJneVpPTVlEaTFKSkN4ZHVqSXppRTNNCjqu9qygzCclKZaAZLhc\nnNjXZxhbSTqSXr3KlY6O+1FD26UXUDfEsX9pRibZg7Djx8/mUPxJIrOb96CunFmJ\nADc=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWGNYM3hSMkdsRmRVR1h6\nNjhKNTltRXVvNkhXK0RrbUllN1RVclE2UlNJCk11RUFkbm4zOWxKcFZyK2h5N3BP\nUXE5TkVuc0RuQ283YVIzVGtkNHUwTG8KLS0tIC9lbkNJWk9KMUFwcU9zS0VrVklq\nTjByOWZkaXhTdmUxSW5sODBPSXFPTWsK68XVfgber32/0uwmE7ozcVJQkx59hqGj\n4sV/9pbdJltzMjsZtlRYLRlR8ajdxvf5dv11tIPaZvl9tJMc1tH61g==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMW1CZzR6\nRm1DcW1uU3BYMzlRNTNMTTV5Z0h1VlFqbHBFdUZCWlVxTUMreQpjV3ZlYVdOcnJT\nQXRpZkYyRjNnT2dFZ2J6Mmt3bEkvbm5TM0VudlVIUTVVCi0tLSBpYURCbEY1MzJt\nQnVXWm16TGl4Y0QyUGM4L3dGeTBvNXQ2MTNBRThMRWxFCgeixfvazqFYMj6hZEKn\npsW/I62Uqx3TuRvqseqvyTRC4lSYV+KzOMGJAFnUTVU8fH+tk5tyCpgeUvIEBWJj\nvoI=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-24T17:11:23Z",
-		"mac": "ENC[AES256_GCM,data:WW+UXihwEX5Z29my0bRXEcTFzH6YaUBo2nbkLeXcvkj1bePbZeVB5AJFh6OXQHe1mr4k8/iXNUTmwh2ZxrvAkTuhYn9V83GYVC1aTEHesmoQ+cVlTGpqu6tqpSl6HDJcWUIiC0eAktQbQEK03rIaE8bjJzoQp6Qzj1OZ6DR9nwE=,iv:cnqDZIIxpg1qFRbpZjrXUi4abjydJ6aYfLX3RxGFpMs=,tag:XNmbxi7ZnBdZb0ekU+e6jw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password/users/rpqt b/vars/per-machine/haze/user-password-rpqt/user-password/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/haze/user-password-rpqt/user-password/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/user-password/user-password-hash/secret b/vars/per-machine/haze/user-password/user-password-hash/secret
index 067ed24..a007c47 100644
--- a/vars/per-machine/haze/user-password/user-password-hash/secret
+++ b/vars/per-machine/haze/user-password/user-password-hash/secret
@@ -3,20 +3,12 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNlBuWjlQ\nVkhib2FaTDdJYVIwbTE5QUFwY3BlSTA3S291TkVhVHhXVEZHaQpGaFVVM3NIZmhP\nS1hzanRoVzUxWW5YNy80SFYwZklTYStrN09jaDc3U1BJCi0tLSBvZXhCWFJCZXE1\namZONmVQbWNaYWZkQ3FsTVV2M252aHhTdWhmTm9kUFlzChB7LeXc/qhdydGuN7u7\n3RC5X2Wz+0vOrsF48qJ9/689p76HYW6exINfCqahLcIQN5A+HyODLBItr53XmHWE\n0ow=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd3NhRHdETTUyZGJ1Wkg4\nZ0swODcwTTdCVXhkQllWUkdaTjlpTzMzQWtjClJ1TWJCbmx6d21xb2FlSVRiVlhy\nS3NwWFB4NWQ2SGFrNTNlWklqeVBCbHcKLS0tIGFpV3l3dUFjMSt1MXdwcUpiL2tF\nczNtQXpGK21OUGJacy9ML0dQM1RIQmcK2cbCWsIJfCbKIx28sAioak3ykzp/vG2y\n/k34N1bMLNo8Z5v7OteHdcYXp1jMwV2/gRnbHWoxHwBGtuJWa1JZNg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNkV5WWN2MzQ0OVpoOFZU\nU0pEVTVQM3BocGtDY0Q1bHFCVko5RjJWNFJjCnljQ0phUloyWEJ5bVl6Sy9HYUkz\nN0l4a3l0d1hCcis2VVlDY3hYVFpJMGsKLS0tIFc3UjhwRU9GY2lpS3VvQUhWeVBl\nT0hLZktwV0ZvZmxnbUZIZEVqbGxVUG8Kt3wAZM7zlNvx2lAW49TvJvVnh0F2E9CF\nWhy4alo1SpbPLGENdoVJNghRGF4MkhUnC1Yhy8u6rZ1DPkW35Rq82g==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubjBaTEdkZmxjQUFycTNo\neFRZRFNxelVUSmR4OEUwZzV6TCtpTEc0T21ZCmRnZG5JV0Z1QitDQWUycTJ2SjRS\nSmF3YTFtY2dsZ2dWQjJ6Z3FXZnBHcjgKLS0tIHQ2QldhSXo5dXA0RlI0NGpxSGJz\nR1hXc0VlRFNyNEtKSU5NSHhEbEZzeHcKSk7Tf9wbo8OwJMxv89nh5Me9dAvAxEGc\nvDKywtaOXuC3eD/RaSTKN1FsF/tDEST0cpUJcWn9zAgE8lbaw6NGhA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMEMvUW5Q\nM29ocE1oajR0am9FUFdldkVEdlZKakJFbW0xOVI4bUF3R3VsZwpCc1NCdHdWZXJN\nOHV5ZHFKNWVKUHFlaWROTm1vcU9aYU52MVFKWldLM2lFCi0tLSA4aVBLR0FzUldC\naWdUZlNxRTF2VXZHUTZRRjg5U0lxbm5vWCtWNEc2dUlJCrCjadfT+XQv8D7ySGpr\nDWd6qtkVMrUjZEBzon+UD7E+LEsB+4iwhvsHHT0y4mP2BYbFgJySgTYrMa3MoyNz\nPsA=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRGFIeTUwK2RkNzhZUzJH\nUjhLRWl4anlqK3NIbURiYU8rN01laUtLVUJJCkF5NFZiOTByQlBIb0k5R2ZWWm5S\nUkZmc1g3Z05ycXhoYWozSy9zN1JHZG8KLS0tIGswcVRZbHI3L2tUTDZEMjVOMzdI\nL2xkU0JhTzVVSlRmbnZpamd1VW1IZzgKO6nOLxHYT7ebNh2sJou0k+PRuoGewdXA\nGDZd4AF5F/6Xhswa3d1ETIDynQp2EmmvetDVd97u/ezj9h+MDFESag==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T20:58:41Z",
diff --git a/vars/per-machine/haze/user-password/user-password/secret b/vars/per-machine/haze/user-password/user-password/secret
index fe12598..df25ae5 100644
--- a/vars/per-machine/haze/user-password/user-password/secret
+++ b/vars/per-machine/haze/user-password/user-password/secret
@@ -2,17 +2,9 @@
 	"data": "ENC[AES256_GCM,data:Lkjm0xRgzB84sHTW,iv:JP+9dWfDR4VbU5QXq7lVvxDYZc16R4lRcRZDBJ+ybKw=,tag:brqhJSuZuLLoxFlyGWPIBw==,type:str]",
 	"sops": {
 		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBenNLV1hV\nb0srQkRSZElxSmEvZEFNZHVJOXZsMVU3d2pJNlNtWFFtZmM4bgpjTGpBanJySmJ0\nMXNYTURWUkNVQ0ZJYzRaUWJrN0cyTmYyZkVCNGQrTUg4Ci0tLSBVOEFIbXdwMVpv\neGM4RTBpM0tQRXBUOStRMEhzRmpTNGt3dWVNaDFNaHNRCnxB+7dTBcKoA9fMy/tF\n/weiA3Dh8j5VCxMDyWOvCVKPMA70rLCh5Rc7/pZU/vCmktQFLGgnXVamHncU5w8r\nlNI=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQUJOditCdTM5dkF3RXE1\ncGs3cTJQNnpvRzl2Y1pHcmhTY2VMTEtTbERZCnRzT3Q5Sks5VlhQMWNsZG9FR21y\nbDhMRHRLUlUzNi9oM1dBaUM4QjdMaEkKLS0tIFBVVGxBTm1OVG9xWERBbU1sYTVO\nb0NkMVdJR1d4UGtXOWdNTE5xRE9ONDQKP1iVgCXH6HCELkNXsrQCnCkCuubnxFtB\n2fKNNzio1qBr+tYgxAXF2W41z3hWhsSSKKC7LyRDT8ozvfIpPWL1iQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdE10eDk3\nLzFMaE05bDNsTHFvRGE4dC95dDZKd2JYZTNpSzNnWlQxQnhFRApRZm9TNEhIQ2VE\nck1XTkJ6Y2xwNU93M2ZNcFR0UFNiQWl4T1F1WW8xMWlrCi0tLSBvY1dBeGllTGxB\nVDRsalFSTVBXOC9wbGplRmlTdWJYOE5PQTlhVGZySW1nCqNn/hWXd00ypG4DjsSh\nZrs8ZstW4n6d6leph/WHBT5p64rN/U+CD2aHqulW0vTUGZLHrP0RNmOQ0nlnENjh\nl6E=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbFdyU0w5Y1FoQUd6bEls\nRGtkTjNVaGZIUDdHZFhRUGQxQ3FMOC92c200CkM0bUJiemRqd1NpMVNPNEo5a2ts\ncldTNWdVbHVzS3Z5N0VueWZwajJRajgKLS0tIFBDOVltbjdmSEF0bWhkeCt0OFpy\naGJ1REp2eFRKaDJ2VVFPUVhnb0o0TWMKYTiKcLQefKDhDRq9XFNM9rtOHcQHk5CW\n/6lwOKhpTTE26L8O7VyeYSf5xhECZcjImJIbTmfBY+OxOAndwGZ3Xg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T20:58:41Z",
diff --git a/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/machines/haze b/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/machines/haze
deleted file mode 120000
index db9551a..0000000
--- a/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/machines/haze
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/secret b/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/secret
deleted file mode 100644
index 5dfe94f..0000000
--- a/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:qEKpqsrZN2K5tvq3uUeQm1EGJFwF6Y/Gt/xI4PPRfCtqQujkFOtDcHfjGclX,iv:Qfv6vMwHfFp3Ao3rKsed4WIyj4qY68v18HoATl9GtYU=,tag:AvWpclBxN8cVvUswz57tTQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBOU0zNlBk\nbHV0OUIzY3NkQktTNUl5cGtPcWFyWHdNM0NicEd6aGlobXJ1VgpUOW5SUUtEUGV2\ncUtlVFI5eE5GZklaYjIyWk02TE8rdHZ5cHVPdXd5OWw4Ci0tLSBROWZ2WXliN3pi\nUzZzYVZxenpZc0U2QjNiN1lmYStSb0lLQzhGZzg3OEVNCpGnC0PHvxMFKSjjeb3O\n6r22kqZr/jflNAkIRMfK9r0yycIJtir1iO/R6FADk1W0GGgHHLa+dS/TfHThJy/F\n0yw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYaGNJR1MyZUFnL3d0bHRy\nVFBta2xHdGxoeTZodGlGQkhLdDBSNUlRSDJZCjk2ZjFnWTlDT2tIOFNiNGRvbG01\nYytOcnJGM0N3dUlaME1PMmhyUnNkVEUKLS0tIHVBUU03Q0c2WmZmUjN5WXJzQk9W\nQ2owaDBXa3htWDBmbk8rUEN5a3ZaWWsKmavt7FoM3IvvnXt3jUeSXmuA8h4nhaf8\nRk8dOIZxoWVjWi5cIImV2Bu+zDl9TtWjiRRDxzSux6mtDDUkhyk+dQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcEMzWFVQN1YxZjBKQkd2\nSGFjYjlTWHppMVhpZlpHSVFqWHRjYUlIVlgwCi83YmZKYytsVXVJZEVibTdEMkc3\nelh3aU94K1BsU2lYakMrbXVXQ015NDQKLS0tIFlIMTJQMFp5THhGUS9RTmIyaXox\ndjBqR3hkdmh0cldVeE9kWWVESldlSU0KcCTg1vasovQBFBXJQJ/CDqBgjPMz7Kdd\njHW2TRJ3Z2a+/Cdqa4Asdi2eYc89Rw44FbMDRwSWAPg7azoneA3NLQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNkdBcjQy\nRXFiOVZLS0g1bnVXYStkOTlZaDB1MzQrQWMxM0ovNXhOa1ZuQgorOG5GQkRKTTh0\nY3ZKYVJ0ZktlQVN3MTFvV1lQSzhVMUlESER0Z2xkYkZ3Ci0tLSBPYndLcnpwZEts\neFBKQzdudXdoaDYvRStGZ0ZORmphMnZoR0VQMUhaZHdnCgi15NaACFCcLpGLGoKk\n/wmhvFIdNm9/6crVhdrnb/qzQUWUF2HYJdMeI22iEaPCughhJfXX7L4uBDlBOcni\n8JI=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-11-21T16:24:47Z",
-		"mac": "ENC[AES256_GCM,data:uW7rkOZGqrhOZr16MJZNiYD6niGqFdzbhC4sOmdY4l2K/Q+esAycgSakPrVGLi/h0QFGlo8/xBPu1wvCFWiklPDaoPLwyHpZefAr3szmJ751Zo8gJPUPvYFOkGgBNIDYDxg/gyCxAu63M1v+rY2YD2tsegMw0xEAAyusC9rxocM=,iv:fN1537itb9ohJ2dNuQaPRLxKmV7mWJSs15jkEBNjS6U=,tag:q62fQfBBzJ2GjybhbRCViQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/users/rpqt b/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/wireguard-keys-wireguard/publickey/value b/vars/per-machine/haze/wireguard-keys-wireguard/publickey/value
deleted file mode 100644
index cf95443..0000000
--- a/vars/per-machine/haze/wireguard-keys-wireguard/publickey/value
+++ /dev/null
@@ -1 +0,0 @@
-DX/Oxm7ESVkJlq8gkwGeLG8gpTP15URo4IBTAWcypi4=
diff --git a/vars/per-machine/haze/wireguard-network-wireguard/.validation-hash b/vars/per-machine/haze/wireguard-network-wireguard/.validation-hash
deleted file mode 100644
index 3a66342..0000000
--- a/vars/per-machine/haze/wireguard-network-wireguard/.validation-hash
+++ /dev/null
@@ -1 +0,0 @@
-8bdf8580329052d98be05520e25f51bc9be58da446951f95962e9924ca336235
\ No newline at end of file
diff --git a/vars/per-machine/haze/wireguard-network-wireguard/suffix/value b/vars/per-machine/haze/wireguard-network-wireguard/suffix/value
deleted file mode 100644
index c042739..0000000
--- a/vars/per-machine/haze/wireguard-network-wireguard/suffix/value
+++ /dev/null
@@ -1 +0,0 @@
-840e:e9db:4c08:b920
\ No newline at end of file
diff --git a/vars/per-machine/haze/zerotier/zerotier-identity-secret/secret b/vars/per-machine/haze/zerotier/zerotier-identity-secret/secret
index 80357a0..d893f17 100644
--- a/vars/per-machine/haze/zerotier/zerotier-identity-secret/secret
+++ b/vars/per-machine/haze/zerotier/zerotier-identity-secret/secret
@@ -3,20 +3,12 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBazJPeGFk\nTEl3QzB1SE9xUDIyT0tKaHcxdk1RZXdXbHU4SFp1WkpmWVhsaAo4U2JSbXZLU0tt\nU0lrWFRhajJjN2ltSTk5VnJXS21uRmNMd0c0b3lkN2lvCi0tLSBkb1l0UVFSWWdJ\nb3JaOVo5aTl2dU9yalNtRTk0R0x4UUQ1MXkxUXk4UjNJCvMpWIDWmCj0t6H9GF7y\nVWns9YzQ1P5tEEeZArACMxG5z3Is+hNOOrDZyaLlo23RfrnoKHT2ZIy3kYSbNQzl\nYfI=\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMG55a2YzOGlXRXVXa1pK\nRFNsWXMxTUcrMDhJVXhVNXRnNmhpbGFXL1FVClZmSjFQUkh2SjJlTTQ0V2hPNUNn\neDR6bFB6SFJ6NktGUU5ZMmxteDM2UkEKLS0tIEhsQm8xa3hvM1d3TENxK0ROdG9p\nYm1Ya1I5L1QxTU9wb2pwUWFzL2d4dTQK1oDJeC1PqrSYsmKneedZWpjdz0Q+HC4a\nLiM/0O3no2rDO0Ze9ATSY2+NbwhRNr4i98K0h9uoZoh4SVGwusCPPw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbEsvc1MyMDRDUWp3di85\nZmc0eTVQUFZCRFo5N3RsSm91L2VTWGdWRVJzClBwUzJjNjNMVW4yT2M0eFJDb0xw\nQ0NXUGtiUkllbGhOTVVheVlwbUNpYzgKLS0tIGw4OHF3c3Z3K0NKNCt0akhGbWVL\nR2RWRjlDYW9QOHVYRUJxMmVHL1cxb1EKTcDfODorOcvn8D8Z5hNCv4HuzOxHoVcV\n+J+2lwZt1leSlKw4q5HpOGPJclGguXW4P3yZhomqOp5nnAfNXGHuCA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbGF2Tm1YaElZZXVYM0NH\nZXNiS05seEF2NXI0akpYOW9EU1VOZ1lLa1VnClJZQWlMczVKcE1iVmNHaHlpL21s\nQU1Bd3U3NnMrQjV5SjBqUW44ZjFzcnMKLS0tIC9jenFDemNrNWdxRWltUmYwS3Zz\nMFUvVmVsSW5RcCt2UEE5SFRVWTZScjAKT5pk/uhf3deBCO3dA/XMFQEltotkvxtI\ngqt9Db21ZE+d7svhpLWP20YzhNbKBNyC/qzd3Q2ERbmmHb6X5/gakQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBK2xpM3VT\nbUphdFpITXhDTmkxYkM1ZVNjYTlOdTZYa082L1FEK0xNeGRIYgovUWdqeEZqcjdG\nQXhvWUlmMVVHTGppVS94T2kzdWt2dWFNL3JOckl0M3NvCi0tLSBabkx4ZE1iOGZF\naE9RZVZ4Yy9ZL0dneGdLU3NnMGNaVk5HcEhlNXcyRW1vCtgwH7vs9aLr0rP30h5D\npV9hBiMtQOfZxjsMP0RDF0XC08/v9bLxRnjKWESZr7CZioZ8mUI7kXH14jR7yml1\nSIg=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcnVRR04yY2h4NzI1ZEoz\nL291SENNdEh1YUdqM1NMaDJNakJBaWc1bXljCmhsdy9EekxGMlc4aEppYTIwR2VX\nQk8zaDRIU3FnUFNYaUl1clBuenlRQzgKLS0tIG1xWGJmTk5pL2sxTUt4M1hEakhE\nUHhWSGYrRHQvcUIvL25qdXI4eUxyc2MK6uGYMbAzXhX4W3ejPOJAmIwHAR47888b\nTrfiPXBivPjel8Nja9mH/NmI2KQjshJl+7kxa3eH5LRlPJm4JfuYeA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T13:20:42Z",
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.repokey/machines/verbena b/vars/per-machine/verbena/borgbackup/borgbackup.repokey/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/borgbackup/borgbackup.repokey/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.repokey/secret b/vars/per-machine/verbena/borgbackup/borgbackup.repokey/secret
deleted file mode 100644
index 9e18a83..0000000
--- a/vars/per-machine/verbena/borgbackup/borgbackup.repokey/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:OA19EoSW2Qlea6yBU721FABKZ4Ay3gzR1Q1XbI0K35K8GCo=,iv:Iwm6YD4bEiPK4MDORZz36O8DzSJD2Z0vsqhB+TOePZc=,tag:9fEB0Vai6oQrETo8GlO+Kw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbGJrcWFm\nWEV4WTFUcVhLcXVwVmZWMDJGK0xvQzIyNmJ4cFJsS0pMMlBtcQphdDNlRmtlLzVW\nTEdLdkNpV3ErdEpxWHJjcDRmZkU4VnFpU2hKbW8xMVRFCi0tLSBHTjNCWExuaFB0\ncXcvSWhFVHh2Wjc3LytsSlQrdThmcFJVZDJ1dVl5Q0tRCi+gnK2wd583n+w9rNH6\nYIl8KwduCI9WkNx5Vw2/e99ruhkXi90b9CEawbi5HjgPzisLh0atTYqL1U8NhBNO\nvrA=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcVRBOWtD\nTGF4elBabkRyTU9rYVk4aldmbVdNalFEZU82cVVuN1g4WEIxdQpkMDBVQkI2RGto\nSUhZWGxyYjZ6eHNpY1piTGFzZUpWMzhxQ1lheHI0MFZZCi0tLSBMd1J2clo4NnRW\nNkU4eW1oVVpsQzFBaFIvMEZuK21OSkcxVFFtQjVYZkt3CtP7JU+W6GtniH2f265N\nzyNJhsTiVPZ+Cm1ao/OpuRyQe9VgaCbBOoEECAFhTlB+GQx8fWQmV5tczjO3j5q3\nCHs=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUHJZRFloZnZoUjdpS3or\nYkxRcjFNNm1qWFJJTzVDZmRVWU84eFdWeWpNCnhxUFZMZkdSY2FoaWlJSmoxemVp\nSDhoTnJISTRwUm5VMXo3TkYrTUhpZUUKLS0tIEVOcWhCU014QmRCNUtHVFFMYTNt\nbWhYWjdZd2F3enp0MEprL2dTcUQxUjQKdvEU7183HcB7ejQX0STb1WiOzt5VTwAM\n2KZSmB8T7l7zK5QCebVv78bWbseQ0ls3tRqFizxT/dgH3fXwyHbsvA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cEVSNEhyQUd5RmxZZFA5\nQ1hDcEtFZWdLZnYxRjdKWDhQSmFXK2tIS21BCmFoS3gzQUlpTlhTaWQ1OEJRTUpJ\nZ3dTengvdFBhOVZzOWxlRloxN3RvSTQKLS0tIDJCSjZJcGgrNnBmWnBEQVE4RGJX\nMWdoSDJ2Tm5FZE9Va0VJSjE5N0E2L2sK9oW8SqMwnvuTYr24PwjLsi/u1sTJcRZq\nG9gcbsngY3f5tmvoweNseVNEMqLvIfMDJ5nCLf+37IVsMjlsIJsSoQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-24T23:04:28Z",
-		"mac": "ENC[AES256_GCM,data:Ly28RVEWr6EQv8W+YzrnUki26SEhDe/MIqJ2t7pCSmqvwScMZJ4hWIs6Kq/zMlRabFK0bAM2wWDCZdxOV2yt8mBm/+2BCTGpGL4m216EadBO4Oox00VZsqlkCegrHQufTuNkfTxvym4uMcSTHdUG3QtN5iFzm1R7UV7rMtlLAq0=,iv:wCj7nQmSvx7Bhph6cNempqChvCjfjexg/m+Zr2+1XTQ=,tag:ZTm7knn5pOdXOC0mQOnXtQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.repokey/users/rpqt b/vars/per-machine/verbena/borgbackup/borgbackup.repokey/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/borgbackup/borgbackup.repokey/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.ssh.pub/value b/vars/per-machine/verbena/borgbackup/borgbackup.ssh.pub/value
deleted file mode 100644
index 5907ffd..0000000
--- a/vars/per-machine/verbena/borgbackup/borgbackup.ssh.pub/value
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGziB5tTi71e1pQddR3R+GgON3PK+IwJXeuvi7xtAAtp 
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.ssh/machines/verbena b/vars/per-machine/verbena/borgbackup/borgbackup.ssh/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/borgbackup/borgbackup.ssh/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.ssh/secret b/vars/per-machine/verbena/borgbackup/borgbackup.ssh/secret
deleted file mode 100644
index 228c81a..0000000
--- a/vars/per-machine/verbena/borgbackup/borgbackup.ssh/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:vUrRWsUzWhWf+vdoU2PL8TIIdAf2aa3Zlp8jLoZcriw6yWE5cmVW7vHYBiDIYfiusple97nptPm+h5mS70jGpRkRpHq3d/Gq6LLEhYnoekihSjxCYEnpZo9ItdUYCN/RzvQ2vPtOQn0sbiore/uc/0GmrVA5nX6AL3u7F4AY/yUWDKV3HshHBjzQB7uSAm169s/UfroevrMD6q5ghYjtOT7cNEhykhD6kiNFOY/YsCISuYSGR+YBmwH6UfdoPX331IrizraNDhVXdnb3bWWK4sYt5NzUq4yKwzX3EcsY+Te8irGsB1FLoENkRN9ITlaf64O2ZXan76AF0z8GNYsv0k2t+W3sGGR/crV0L2e0Oi3hcLq8+st07/0DmrtzRstsMZDFkYyj+qb496kMSWvyciSeOC7stVGM+5vpZQQYJic7ofeT5rL47rv6heQqTssRO8VAaVhte3Wlf41WOXXCx65Ypl87KXfLh7JdAb1jveZhG4rNOgihrWWFT5A8sJCPgnU1,iv:hD7qjliIBiHZ79YGchL+njgKdaY+O4ek7MJ5eRF5Ivg=,tag:QOxjOqdiN5BFe4Nr4W0MyQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBOGhGQkJ6\nYjM3QW1HeGpIajdTaHV2T084YWdLVlNCekVtbFRwYmFDSXVPagpsTXJyelFVNXdY\nZ2IzcVZJMVFsQkJKbHB3eWV5SGFDK2JJbkVUbTAvUEJNCi0tLSBlVkVNditWdjRh\nRWhyQUUwa29ZU1VnOGF3UFpGS2hvQTk0TE9rM1Z6U0JjCpgokN57F7ElrHAEiRy6\n6DwDTq9A7pCDkqRSQ5rB/VM7eMNMJGrti1oVmp1xQEYl95cuPfI0ZniQjGJRcqBo\nYRk=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBOWhIWWpo\nOEpoK0ZVQWJ4Ti9BKzd1cU5IUFk1TW9GL2o2eXBtRytPU1lxOApCNEcrUHBtTkh1\nME05aVNkOEFmdE9IOXVDM2NUTVBiMGFmeDRpQ2RIY0ZRCi0tLSBqaXhic0hpU0hV\nZmY4RXJGUXBpMlhmdUhQUXVrT2xVQUdPWm9mb29MY0NVCtNOvwH7Hzlrr7U+xT2W\na8clXsg8FiGugnb9b2Cci3PuSPr2ULiH7SIJN3/TB38G5xS871EatgVXfdFEn/OI\nbtc=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRng2VGhPcnBGQWNmWVBw\nUE9LbVd5eTQzQTZqa09PcUtvRlU4bWdLY3k4Cjl1NFhMQURHcUt5M24zUnVha0tj\nSlRHSW5vbklXTjVLWTR5MXRXenc5SnMKLS0tIDlRUC9KTTdKZ3FXSEFUSVR0NUsx\nd3NqaFl5N0JWdGxOcjZFVUJyRkJmSjQK2phuifCZvZU+JjqUeGc9u/tj+E+ksa4f\nbNFVZamjtB5jhxbVPQ1iyQ1Hoi1kkqT9R+43NTzUnJHv921bIeI6cA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaGNVS1JTaVozcklucXJ5\nbERzbllrOUNqSHJTUG44QTNwMkVpQXQyOUcwCmx2MjNZaXpBaHNjSnV1cE5aYnAw\nQUNQWDVJZHZmTS9mRkNyd3ZRM1doVWMKLS0tIGNERXdnL05vRGU1R290MFlQOWlu\nSE5PQnhEOE5hdTRjU3NYcFgwVUxwQzgK5RAMppjBJDe+Z1WUS+y8p3NfAD86vBQH\nRCHlWmry7sLLuKG+80ntFObKr8JmC3/ykg0+8pjmXGl17I2U/fBqIQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-24T23:04:29Z",
-		"mac": "ENC[AES256_GCM,data:9O9q6P/dorPcVCKJz5Yc3OYLaalbD5fXEwyrMfFtvF/AruIE6FEUghpyynTGCNJxY6JC1JI0Q0iQG+uo6ceq05Fa+Yv0yUAOsN/YUP4Yuwi3gSm39VIBglcoDkUi87zU6vFsJDylWb3asTUX5MshZWoXFtH4lzuwTCd3fGBd9ps=,iv:U9Plt0cgLMyi54xI8Nq0G7/1ASR/BE6qnZBsyTdbEDA=,tag:EVKjccREZDvhetsLYnRrdA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.ssh/users/rpqt b/vars/per-machine/verbena/borgbackup/borgbackup.ssh/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/borgbackup/borgbackup.ssh/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot-worker/worker-password/machines/verbena b/vars/per-machine/verbena/buildbot-worker/worker-password/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/buildbot-worker/worker-password/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot-worker/worker-password/secret b/vars/per-machine/verbena/buildbot-worker/worker-password/secret
deleted file mode 100644
index e964c93..0000000
--- a/vars/per-machine/verbena/buildbot-worker/worker-password/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:96CnBRKaFXT6y+uLnltdrQEktrpNkRzFhXTD0TszN0KDOYYsRSVStsOPicHoDj1I0lcSqJQwic2/IW885ZDZdII=,iv:qO5NhgplS79EKDFT+1cbRfL3fhm0ZVQbIU67w3lf2+Q=,tag:YDYcajCgWT40tS4uYLyoLQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM2psQmdL\nZ0ZmTzg3U2hnNS9HcWRoWmdkWG95UlV4b3BKN2ROTHpLZjZHKwoxSUQxcEh2Q0o2\nKzg1dThQaWJOMERoajA2VUtpTjZKMHFYaDRLWlJMWXJ3Ci0tLSBiS3pCZVc4b3Y4\nTEdXNDJYQ1hjZXBDV0xGdVI3d2NnQmROdVpQclZoRzZrCnNCjThvWRxwiVlqI8ID\n/628uDwjoOuI6M06eOCxxe65avnoMd9ViuJyRwJBVtdSphsYKrLWrInvE/bQKkm9\nYW8=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeTJVZ2Jn\nUDByM29GQnd2Z3AyQ1lxZ1NZSG9RMmsrM0Y3eEpRV2wzSFNwOApmU3M5QWFPSEcv\neW1TVm1xS25XVnh2UUg0ZUFpTVd6N1dCVUh1Q2FJdkhZCi0tLSBSdDNJUE9vWEp2\nRU8vMSt0Nm9EdE5XdVF6UXVud1N6REd2Nk93Q21XdnRFCl1Tk0SMTqvop15O6+Lv\neAxdd/p5w4QTLCl4a1Q/wPyxIAbymYs3EX37TnrpyrW7Nf1VmBucJlpjMV/doz6K\nh7M=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFajUwTEpjUUpXVFdNYzZ4\nMXlxZkxsaXJqL28reHBCL3FwWGJ5NXIxNUJzCjNvRmRSR3hiRFBmVkJ1ZlVsQ3ky\nNXIzNmxLNTNMaGlZWVNQdElQcms3dmsKLS0tIHFnUzV1WXlCUkFZQ2pFM3ltV1ps\nV0xULzlDOUY2T3BYNzUvaHlldnBJY0UKh08SR4vFOYyu0qquO5bxtqXoUd7mG9JK\nITMwEvzQtcv+oVIWz6pZjTNsm5A+eER2FLJtJlOzunZgwySPj5Q6XA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UU4vVS9BV3NCaEpQU3Z1\ncDd6bVJoY0xUM3MyVXF0bzJzRExTeEtTWlQ0Cko4MmxYcG91UkFGYlR5eFJQd1da\nRGpLYTc2U1BWVDNQZDVCdnRvTkRKSk0KLS0tIHQ1dWxyUHcxUmJkSU1QaWIvd1Bq\nQnArbVorK0w0VlRMQUR0U3d4d2IvZjQK+8u7NehL+GAUJe74oArXRa7dietE8rlC\nobo6oTN3YYFPAchbsqPpk9g2XF7lQ0CbXq+XPUBXvcVWepXlHZ7/zw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-30T19:23:50Z",
-		"mac": "ENC[AES256_GCM,data:iUkKW49fo6GDb9gQhzeOgs61tWuoMR1LNQ1hQIze5lAqQOMEqZTHI7oq4SDM4wSaoFgTsEdWl+d7rAUC7Iomm4NsYYs5BCIuQq8omUVNxU9qABA+HYIuUI/RSu8W9/Fko7j85E/dOAqmuQz+RKsQjzIyKSORNenwXezkj0p+ADw=,iv:30VfZbHOU6RMN72LqEApDtXXd78pdQKGGmWDQQa7oig=,tag:rFjmDzi86DOmpv/F8CLL7A==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/buildbot-worker/worker-password/users/rpqt b/vars/per-machine/verbena/buildbot-worker/worker-password/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/buildbot-worker/worker-password/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/api-token/machines/verbena b/vars/per-machine/verbena/buildbot/api-token/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/buildbot/api-token/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/api-token/secret b/vars/per-machine/verbena/buildbot/api-token/secret
deleted file mode 100644
index 85e2b69..0000000
--- a/vars/per-machine/verbena/buildbot/api-token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:TBkW6fgVu4nOFNI9mQjrnkW++jc7fchjJBDwTjaNkEh9E19MMTlQnw==,iv:jvX3gKJ1I7bRcsihqVOYBv6p0KJhQXT1oAG+wlThRU0=,tag:uYGupsYDsJFFTY/eAC73pg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBOTJEK3Ax\nRVlXaG44NHpzT3NTTXJYTXhlRHpnbXZ2QnR6VXFRWnlHSk91WQprb2FFa0x3SSt0\nRlVBMlJkdE1jMkVxT0cwMm41V2JMUDhsclRhanY3cVBjCi0tLSB3TFp6aTg0anZL\nZERNUEtwK0F3NEVMMzUxMjJieDVQQ1FSWCtnWncxTG9RCnX4zS4JBzof8zEKGfxc\nEvz2y+MCTe1CV31rVXKX8ToRg3ZO6vTp+ChxVD2Euo2q8GGGA/8CG7ejfBPOJJQw\n14E=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBOHpOU053\nalpCQ3ErYzg1ekFIclZqOGdtUFFkQ1JzY1hzSW5rY3JIZ1g3YwozaWNjYTAzVXZJ\naVhwd2dIK2Rpc1U1ZDg1U2UxanlpSzE0LzB1MExYMWtBCi0tLSA3Rnl4YVpNVlVQ\nRWxYSkl6ZWNQbkJZZXlwdkkxOEo2YW95bTJ1QlgvWDJZCq2pDBZJP+8ZHlvR+OaN\nuA9VrVqGoG852JhTDYuy11wJsK/v/f+irLhKB1tBubqCTW0nPT6MqElA6geksp9g\nbbk=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTVVnTEdoSmxqazN3S3FT\ncCsxZ2NKNnhEdHR6enI0dCt4eStoSjY5ZFI0CmdBbkRFWEJncmpsQ2RNM3pZMnpk\nd2w4c1VrQzdhQWJVSjcvblJhd0x4ZlkKLS0tIDVXZFVkdUQ2V3g3c3hOV01oTDFM\nb3MxRjYzSEd3d242WHA4Rlo5QzEyc0EKzAyUGH0whYrqKL6RD887V7OknyrSoCVX\nP8kc6uOopXCsNM3RoOoNZVuq//c1KPB2ilfKddm9CtnQtO14SLzoog==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZUhVRVlqU2xERTJGVjFD\nZU1icVdYUHlSakZxbTJiajBMSlI0MTdDMEhFClcvWk80YTNKRE9Pbmg3aC9mQ1R1\nb0lTOGNUdm9yanVMcld2di9kZ214TFUKLS0tIGxiek1rRVBFVHlpaTVQQzErRmhi\nM3NEWlFUemlNSDVZNTlIMTA3WnhpOE0K8nuTWNETbyeqA8Rr0XTGnGmTG3Lhsyzr\nF+wIspVSEAPPI+qGZ9v76x5FcJ/kp+AV2oKwYrbdmRY4s7fKRvUR7w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-30T20:24:05Z",
-		"mac": "ENC[AES256_GCM,data:/1u+xf4gfv+/8m45UwGeutMrOKfxDOC/vlF+JY/GS+B4xW+bBIVHtBFg6cqKZ6jvAqMjx5w1j2x+St7xI/S9rVhf7mG8p4sdO5/EnM2Ib+I94dNKLx90h67jAJir7N4sQ6qsT8K5B4CDwBC4ugOBtBVBW3eoRxMFjGNNGoG+mUw=,iv:RUatCLMYYUT9fUluykcaJH+uKOPQGizzGjPnsmROtLw=,tag:K/6z9CHx7kBJtOTgfiXyQA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/buildbot/api-token/users/rpqt b/vars/per-machine/verbena/buildbot/api-token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/buildbot/api-token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/oauth-id/value b/vars/per-machine/verbena/buildbot/oauth-id/value
deleted file mode 100644
index cc499f4..0000000
--- a/vars/per-machine/verbena/buildbot/oauth-id/value
+++ /dev/null
@@ -1 +0,0 @@
-23299be5-92d4-4635-b023-099d39b2d056
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/oauth-secret/machines/verbena b/vars/per-machine/verbena/buildbot/oauth-secret/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/buildbot/oauth-secret/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/oauth-secret/secret b/vars/per-machine/verbena/buildbot/oauth-secret/secret
deleted file mode 100644
index ef6818e..0000000
--- a/vars/per-machine/verbena/buildbot/oauth-secret/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:BNaSFieGNC+TbU5S8NFYitdQiO51vdAh1q7UMfS5UPHqnASBYAumgrrNotm2Rma2s2QijJJFsyw=,iv:ns6hkNgOVaAJMq4AkZeX2DOXLNqzv/2iD83wWwNeocA=,tag:vmh9crLrJ+2V9FOfVr3Fog==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBZ3YxTFFT\nY0ZRQkRXOVFrVzhiWjM0NmpIVWZFNUF0ck9mYkZEWFVkT1dobgpzSXNBY2dzY2V0\nMmxDOTJrTG1RR2NYTFVhVnhNbng4OVVNeENudm9Ld2FnCi0tLSB2L1pLaWNWZDlx\nZzRhRzRKNG10bnQrLzBpTWV4MWo0RzMxQmxRckU5bjQwChJz3wx9gIcBgq07bRYJ\nXwRznuLU03evUDr9M7TiMrTo88a2IJuSBzLKEseoQfUj0t3eOEvQRgTcgEJL9gwR\nVOs=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN2orZUpR\nVUlMajdUN3BqamU5bmlxMkdHc3VIR3NkaTh6eit4dFJtWG0wYwpwSnFrZW15Y0Nx\nZzFzbUMzdTA4SWZvb1A3Z1BCWUtIVXdSV1pFem55dU44Ci0tLSBmaW1aeExGa25Y\nR01PbEI5SlEwMWxWdVh5aDlXam0vK3VvbmhkNVg5QzlzCiKUvFiNfNlHZB6g0tB4\nmXKH52wB4d43OLXAPFKFaq4i68CXN1lYOlWiFYUMNjbNFNs/zeBg/+i/mvcMoVMl\nUs4=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUTJpWUFxdkR0V3htN000\naWZacExiYjhHV3FKWFNYQ0R0M0pWczZHUFRNClIva1FJandISzdIMlNFemR1eVpl\neUZpbTVsMkVDYmh0MUNveHhzQWhIY0kKLS0tIFVZcDNXOHQxMUtMb1NqMGxkZmpV\naHZGN1J1bjVzMGVPVEVhczB2Vys5TTQKW2QzPrOGKTXBwqxCgyfaNv78kyhW8IDD\nFEgo4K+3zs+YN2480OCvUf6xfIsk/ynDSJIimOeZ4eZkBGzzmFiESA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyNU9jQ0NoalpZOHhPMG1S\nRnZrK2IwWmpEQ0kxMnB3ckdscnpORkVFZHdFCkdZclNmb0dmVEJzS0RMc1R6SWRw\ndHVmRW9acTZUYVFoZnNFQnU3ckdwZmsKLS0tIFpleWVFUlRERkJqNlFySmkxZjIr\nSU53ZFJCSi9mRVZpYTN1Nk9SRHNBQmsKQcFH9A0Giob4sf/T0GvdLr8dwZVE38xC\nC1BfkCzx+m75trIgfVwDk5/Xdysil/XDlUtx3t5xGjs/6BQpmqPWcA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-30T20:24:05Z",
-		"mac": "ENC[AES256_GCM,data:5uaRAQ4li9OwcIyGqa6r94rHp0HnoS7kh23N/hBNxRmj8kAdDL3YY3JaHdat3na8Le934MtKQ6doAMAZ+HBYn5Kjn8nhJZpE1gNK/BK8zn+mdqRZ6CEIeADbEDVp4B1OO0kWsRBl5h/ndyBzoFcZb5O9mFT2OPg24zOK5D/+h+I=,iv:+C+l/U/mDyGEiZSXP9szlj39BYq/0zEM7UhzIeHbnZk=,tag:6GvdwYKE5N2l1vqq5FllSw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/buildbot/oauth-secret/users/rpqt b/vars/per-machine/verbena/buildbot/oauth-secret/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/buildbot/oauth-secret/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/webhook-secret/machines/verbena b/vars/per-machine/verbena/buildbot/webhook-secret/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/buildbot/webhook-secret/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/webhook-secret/secret b/vars/per-machine/verbena/buildbot/webhook-secret/secret
deleted file mode 100644
index f9cb3b1..0000000
--- a/vars/per-machine/verbena/buildbot/webhook-secret/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:zT9TZJquGohxc7Q7PpV/H6Bq0BSW/QHTZAUivjP/pk9Pwva563GvDeZavMPk8j5bZEzfMnwaiUl3b9Drcd2fkQ==,iv:8kyv4A1VhS64uiar5I8AJg8ufrMNXvvQVd27UYywgHE=,tag:jNPOp6JT/AMkvueDKmpWrA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBL0syK0pB\neTUvd0dlaStaTkIzeXgvSGpybTY3VVgrYWdiUGpUT3ZkRGtDRwpVdXQ4ZW9xc0xr\nOE9OTWlVTlc2QlErOG5ta1RFTnFoSUMvUFpWZStLUG00Ci0tLSA0NkZZMGhieTFJ\nVS9nSWtwY0Z4MzE2UFhDTjJvMGtIenlBcGFpYm9OaXpVCnfbiEdrm0RcqdbwiRQW\nhasK4g5w4/6qN7AUEX9xFlukEy1PEeeWA3vOISeSI6aPujT+ThRm8oEI7WeZdvL2\nIVk=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBLzVwVEEw\nQnBsMk82ZmtIT1hvWnlRSkhPVVZpVFl5bjlaUysxNStuRWpGKwoxTnFKVURJaGRs\nSGRPRDFQUlJncytucVlNalhxVTRHb0t6cjFmNWNSSFNJCi0tLSBBcDV5QndCTnJy\naVZ4WU4rM29aYTUxWHEzdHQ0NWd1ZmtiWUsyaWllV1V3Cuv876IfeYAoQM8s7eaz\nYuDLeOEBGUoutWHuBQlPrLATp/qhtdJXBoTkXQoPdxjijQGZCfCgGxfLmzT25xNG\nrZQ=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqb1VLOU5Qejd3NCtTSFZ3\nTmppWXRSYnhIeHpoZnJrcURMWnlvQ091Skg0CllwVFJMcndoc1NLN3RoYXlyS2Uw\nOGFGK1BNVUtUVVBBaVFjUU1vU1hscmcKLS0tIDVWL3dBVFJkcG5XNUI3N3hmMSt4\nUTB4cVBZWmk5VkNEaWlTNnFyc3gzTDAKNZDf4n1EZmaLfv6DEQToxMk4C3bX+5kE\nHMeZkkqLL4Buyz/725lAuXUelKWG9Evk0y3T51YXbMaUQGgRb8JXPw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKa1V5NnZtWjV6UHg3K0Y4\ndkRsOXJJaHJDVTBETXA3dUNuR1hSL2ZJYXh3CittNDl3bW1odG1pQkhFZFFMVS90\nRVQ4U0w2ZDB3dFFiM1NhNUVFUG9OQ2sKLS0tIEsyU2tIbTVIanN6VWtLdnZQazdS\nTVN6a09rZllRS292Y3ZJckd5RHJGV1kK3eIIJOCsEsrK7gUvAX1n3acXGKjkQ8b7\n6BZ9nglbtNby9BRnl7Ow+RDTskK5VAnKGUlBWM6UHIBCM0vSKO5NkA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-01T17:32:26Z",
-		"mac": "ENC[AES256_GCM,data:+pSRI6tBtON+7RQHS597E6c9Ov9gbv9X8xTNJf2/wqVvn1iUiUtNgfVAsRhz+TDYrSDukxbJUVBQGAFgzCXJRVibLehI/UqJdtHvN+T69foXfLp46nO5F6zkjh7ZldDzSS5rPlOz/dW/u5l/4Xq+ED9U2beWN94V7flygHxtxz8=,iv:MVFTsbDwe7vwzz39QIPjEJkRFaaNXmyEciF2wAz92sI=,tag:4a0Ef7yO6++44+vTI3nHWg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/buildbot/webhook-secret/users/rpqt b/vars/per-machine/verbena/buildbot/webhook-secret/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/buildbot/webhook-secret/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/worker-password/machines/verbena b/vars/per-machine/verbena/buildbot/worker-password/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/buildbot/worker-password/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/worker-password/secret b/vars/per-machine/verbena/buildbot/worker-password/secret
deleted file mode 100644
index cda6331..0000000
--- a/vars/per-machine/verbena/buildbot/worker-password/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:nzU7Iem9NU21DOrbFiaT5LL+msF1zxdECowiqeV0A5nYok2PrjT4VVryqjoz4jjwawtXJigflMO0lUjKbQSLdfg=,iv:Al1ZQzAG6gbyvoCBakHQt3hKAV4tjNS38Ij2XSMKkQI=,tag:BS3BZWYCn0Osqvb4ZidGLA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaEhiUnA2\nTDlYRzVic2dhaEJHT1hDZEdKTGFOL214L0Q1WjdoaXpvV0VuQwp0SVZXbG41clBp\nMDJ4SmV1M3hyRWhLNkhKbTR0ZEoxSDF5U2dNb25rM2hZCi0tLSBEZ28rTjJJeWJK\nMktmR2tKQWVEa2V4YjF2bmttY1JHZXQydWNDQjBYNEprCiHwtMZ/oh5e5GsUD44A\nYg7F/nBl1vVJKbyioZHI47rFjSke6DAL7R8qmTjGclJposH9zoomPZ/DAi9qosg/\nWrU=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN29xZENH\neUFZcUs2OGl6eitpc0VKWFBobXg4TVplTHV1dGpvdHI3WUhWMgppQ0p2bEFtWTh6\nOEVGcDl6YkRVVWl1L3hOVzRmclgrQ09UUTI3aWZ5cktVCi0tLSB5TlRrQUFEV2Nz\nTzhhNTN1REMvREJ6eFZ1dmRCWTNITGZ1V0hDU1lyeTNFCuHGzKwJd8Fd+lpu06HT\np+6E1W3Rbb8BgRiKqGVNgYF3uSOTkoKbLgMVn14MteqeCfs/MpdtI1U2ffKQ0Cz1\nUhc=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UUIwa0hWOFlKVU13eEt2\nRmtHS3R1SVUwUHRtNmhUV05Vc3dZTG03WEZNClJvS3VVSXA3UGVrS3F6MHpyZVp0\nVlUyd2dOcDFyc0VTaUxhd0E1a1htVjgKLS0tIHdRUGhJRWJzVXlUMVptbSt1RjZZ\na3NLbVQ4R2VXUnk4MWVENTZDa0YvTWcKVXXEhbUaojv8+u8IPwpeIjSBhPDLOqXy\n1yZz5BpoEf4z5WXzlfm8FfGAaLXCMzHA5DwkG43360puyd9rK+D/Tw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUU9ScHJEVytkdllYS0RR\nclFlaEphYWFhejNnU3NtSVFIUVloaE83QUVzCmI0NUlwT0JMTVlFcnlCYVNPZGhm\nRzlJcU4zZ2o5cnBpcHgzRklVcW5CTlUKLS0tIE5pYU9uTkdwejE3ZjVFSEFTdHJP\nVVdZd1I2R0tiOWttaU0xalAxWGY2TkUKPbwWTstdkM2fUYW3/lt5OMeF1KsEtiZx\nppxTSphkVFDYfZt28GUUTGCnM0zHdHs0mINTg4UEYZWJXhgEA+49lA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-30T18:24:07Z",
-		"mac": "ENC[AES256_GCM,data:3u3GKO4v3hckZDRU6qzGdbfboEZ2oRpvkJGukUL3PtphiHKcxSUSofHzJQUP4Du+eLJ1nyTmZst8rrfQt38u3CGnaXu/cgQMD9Xgj2UPzvamY0Yc0/gAH/NAHLOx3u2TVOeqYcm7MSIoMmd3ieN4GPUDO/tkMhjh/Rn577T7978=,iv:oWuZNe+i0nLQpr5fYgI9yvRf67GuPXVE+OmiGqXIvkk=,tag:Cbhn91/j0IihNF3SynhocQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/buildbot/worker-password/users/rpqt b/vars/per-machine/verbena/buildbot/worker-password/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/buildbot/worker-password/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/workers-file/machines/verbena b/vars/per-machine/verbena/buildbot/workers-file/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/buildbot/workers-file/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/workers-file/secret b/vars/per-machine/verbena/buildbot/workers-file/secret
deleted file mode 100644
index e3e79c0..0000000
--- a/vars/per-machine/verbena/buildbot/workers-file/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:nAasbZt+rynccMfq4+eUELpdFsO0SQhTTOXDCz9Y2jK0+6KdIdimoH72HU+6YTWrdWjURv7ql7TlakXAYCgCwoIGdLdl6cZLs0hZXAzthxI13OrPUJRyBbYmmUCu5qQ9mCcy1cLkHhe0KQGxBA==,iv:0/kTk36AQTw/mFKvYhUcyfzdkODEq5ZyeXWERpf08vs=,tag:v4uXqzJlzv+kdVaUjzwEEg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBakZKU2xE\nbnl6cE9mQ28rekhQMS9HRENveVJEbXVzODNnb3FoRkNrZGFnRQpsa2dHd2d5NmFP\nZEd2YTB6TkNQUTU3a2xsQjQ0Z0huTk00Mk96ZFloUHpjCi0tLSBNbTFzWmxJWDFY\neUxBQXUxVkVVZ25rL0puL2p1OVh4bTlGT2JiREJtT0lZCuLy/3/BphFvEY2K8zSO\nuJ6f1MWWP/JDw2WNQXmbh2YPj9gXb6QZdAAKf7zLs9pnEUtZWlCCjZBKFdMDDadd\nAic=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBZzRBSE5B\neUVoZ29VQ0VUYVNjVU4zZ1gxZERHaHYyN3dGTWlaWXFoWVRNZwp5cmJsUTQ3Y3Ew\nWGV2YnlHbXgydmlydjdNR2Zmcy91WXh2d1B6N3ZYYWdZCi0tLSBRVi9vbGdES3Ex\nTVI3cHFJaFhkV3FDNkRxd013aGkxYUJSM1F5WVVqaDFJClQait3PGeiKSDkKZhuj\nm2UuEV1GGwAKl+pluNF8hh+XpHMsLtBm/hORnyriqDoH201eGfksXCEO6F0i+Byt\n+eM=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWGlFejVGTGtyQmg1aDly\nNVB6ODBOcXI0NVFybHNCZFFHd1diZlVPS0U4CnZXR09NV3ZaNGVMOUFaRll5OVhp\nN05SaFFPUVhEYVpRbDFQNUlxV09wbzAKLS0tIGwyT1orLzVHeFhmWjdNbU5rVUpk\neDNxaEZ3SkF2OG1LQWUyTlcrQ3orSDgKy0acbjlImm/rT65X054BAEMhJhSLRzvU\nUrIvfV/Z//frzDMp2NNt7YZSPNswJJr0EXJr1z3Fc5xRHhkWKD8kjA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSHA0T1JTdElFMHVvTU1F\ndGFoa2JaWDdQTEZFRXZHUHlYZ1BjNjlHQURBCnZMbWNIMUFtR28za1ZGclYxU1Bp\naThwUFdRd1BLNWd5SGFTTGgxSG90aEkKLS0tIENOcndRL0hRMklTazJMTkNiTE5V\nMTZaaU1kV2JWTTVxNFpTQVVETzJKaVEK6DLpP2HJk+1LIeicHU+NcqjIMkTk8e96\nONnf1BZANmkLEEDw8Z7q4HFGSgDJQOOTDYoyl6bYMLuF7yJfkYU5yw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-30T20:24:05Z",
-		"mac": "ENC[AES256_GCM,data:COlUjsuwrIQz0TX2yUHLfsR+Yv3kcX9PwqfTEfGNJ28xtxLPcuSXQ3k+BGxiM9XDZTUCBOmYcHeozlupdoLU8AryQbGvX6se5rae735DfLIrQ10xbpF0lxIoAf1V3CEj0prdp8wb4xLVtjqJ35BmGQsW89h8f9Pe/SgQCazpl60=,iv:ei8y9IlI9f0HMFuCQr95OuVXQv1ck4t8Sy9OBeO+SeA=,tag:3qSsuhnZPo8PpUTeu2uAXw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/buildbot/workers-file/users/rpqt b/vars/per-machine/verbena/buildbot/workers-file/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/buildbot/workers-file/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gandi/gandi-env/machines/verbena b/vars/per-machine/verbena/gandi/gandi-env/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/gandi/gandi-env/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gandi/gandi-env/secret b/vars/per-machine/verbena/gandi/gandi-env/secret
deleted file mode 100644
index b6014b7..0000000
--- a/vars/per-machine/verbena/gandi/gandi-env/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:xLZ3utyBPOOwQ9UZVIjZee5hRUfR1WrzZqXTdPN02vb396Z6L7Ti7B2bXbBxxkxWBJi7uipyD7eC7Uo8iZtp2amncDWeBA==,iv:QtN+VN/fexTQjBtZjoiLgM0DZxEvFbPNUa/sAtgDJ6g=,tag:QCOerJQkXRRzRVez7XKung==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM01XWmRB\nZEhFRG1YT3BoNlpoSnlqSi9mMTZydXJUMU8rTDcwTWFFekx1YQorc0svbHBCYnFv\naVZlY0Q4OXczN09qb3RNVVNOYnBXeDNXR29YWjJFV1NFCi0tLSBBTkpZbnZZRXB3\ncEZvL20ra0NtM1NtL2paNnRieERQOW9WMS9vTlIrRUxvCnrvGNJEgRsEuxE+mC9P\nKODfgT9bOEmOiRifmHr9e61AsKnBy58hjrcr+h78pYA9jAuX+XbtzXjcVl39CCku\nev0=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBK2R0TjJU\nQ0pLVjNwZlVRSkRPOWRMbTNEanhDRGxrRUE4Q2RJdHpQOFZIMQphWU9SZ29kWE5C\nbjd2VHVWaVdvMWl4Q1FnMTA2YVQyb0I1NEFyNDdranI0Ci0tLSBZcUFUQkJNZkRO\nM21YRHRqMUNaNVdiUWR1S1VmR2pCcXNoQmg3MUJQd3VFCqOqw6zdkK9Jez4p2zVj\ndrqBjKid3DC5/mUwzVhtRjaAk6I1hTmVBgmbnjsZGCdhdPSiUcw6RyFuaevGjvJ9\n8w8=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNCtDd29zdDAzRDN6ZExO\nSC9CZng0dlNNOHpsblRRSDUydUN5Q042ckY0Ck4zdC9URDQ0STBlbmo3SHQ4Ykpw\naVlmOEZEUXFMd3d1TjRwbCtZRGdJaU0KLS0tIE90RHVWNEdrWVEwdWlxQkZoTUJk\nb2ZwZXVBWHFyUk1xRG9Nb2Via0VBVDAKoEpZvao+F3s+b3JHIRbzrp28PHvzG8Mh\nZyBx+Ro8NxfP8nLIGi5Xl1plxsVOOuSLn7q1KTQF17nmeOERR2mWng==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWjRGeThidDRUczNoNWJG\neGNkMDBhZ0x1VFFZcGdTdnFodFVMUWl6cVV3CkN3TS9YbEluZFdyWG93M0xzQmNB\nc0tXYy9ULytjUzFDclpTT0ZXRjJzcGMKLS0tIE5Ib3VzOVB2TTZDR0tPNlhzc3Zs\nTzRSdVg3amk0SHBDMlFQKzFKNlVtaVUKT6RiWdXqQdHN9PsthvHXeiXZZBl5nBMD\ndcKhGoSnQPGKkSx2wzPVPf041TywLf0nsYkOXhaqFgPevLqmJSsmmQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-29T11:44:19Z",
-		"mac": "ENC[AES256_GCM,data:2pGn0COv50V6zL/P2TnWawiRxCoMf4jaNE4MPcOQW88edw8NUGC/KIKq4numi4NoNfxM6CyGbpyBpC3NhQujQo25bxqXrlHqZhhmAxTgyVgQrmbQZ2QbYKHsG8NGOi4nhTXezI9u/eDXyVyC5DX6sitynvH/tizordn5AN6hpog=,iv:N14abfZJxqroJo2l2D5KJSXT1wJtY2DTf7pkJu8XKnY=,tag:Xn5UMlVW7v6GkQqgUVY4qA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/verbena/gandi/gandi-env/users/rpqt b/vars/per-machine/verbena/gandi/gandi-env/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/gandi/gandi-env/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/garage/admin_token/machines/verbena b/vars/per-machine/verbena/garage/admin_token/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/garage/admin_token/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/garage/admin_token/secret b/vars/per-machine/verbena/garage/admin_token/secret
deleted file mode 100644
index d09b997..0000000
--- a/vars/per-machine/verbena/garage/admin_token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:d7ch6OypkqLBvYkVCDpFVxH0EPJ3m50L4hWQoDPJiXRbKBGyT9P+4iI4voOe,iv:IBU3q9gxwKulFMJa0vbfQnkEc2SnLfSnDaoz4yO2zkE=,tag:RL7+GfFl9oOONRZ599RKUg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeE5XTmpD\nOW80L2hmU3hsQnFyWEZvUnhiSVUydGNVMTZkaEltbGJwREZlWQpyRjQ4d2UzT1U4\nb0gvSE91SVEzVm9HS0hKNHlLNzNUckQvVnVXWFJLMER3Ci0tLSA2NGtiWmdSQ1JP\nRTBFZGpJbEhUSmlZRW13eGNFOXU3N25uVXRwTUVrMVRJCjq7QsG7ewi/rzVfDEdR\neyX6D6U7mcEvSDXpOmu90oWU8+y7WdXbuSGYsbNEdR3d6Y7/AcM62gNqzjFJ4ufr\ns0s=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBK1VLczZo\nTlR5YWd0OE9raDNYRXllTTZna0dGUkpqWUR5Q1ZabWtDODBlbgoxQ25KWGF4RnBC\nTUxwUkUvRU9KLzk5UHg2QkpONWEyZmNVcHhBOVhiZjJZCi0tLSB6TnI2UTV4Y2ZN\nSFpmeDV1ZUNoUUxBWmdxUlpLSm5WUnFKSDhiZ3NqUnRnCt/EvZGXnIFMvHR5xOrD\nZTHHwsFTTYuaA4ghShDtK/+iR53Y92rq6BDJ15bB+EuU3xNqCx8+q1vV89DIi2yx\nK5E=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva1pYeHlKemFXc2ZCSW1n\nZXhDYVlseU5jamhMVXJaK2x6aFNpblI5c1hVCi91UG5rL3ZsTTNQbjR0S3VnbWdM\nWE1QZTk2L3BZNGlKeEljMlU0NmlNT0kKLS0tIFpBNDV4RlJYZ1lMand2N3o5QkR0\nRDdPWC85c1NkeWlUNVc1QVJEZlpiV3MKnZynnSUdrLAL5ygYse1+DqU8okQ5xToX\nmG9/UmUMhEspeDrXZnjlsq+JkbaCxGouRwQECVsb0ImDlLP63xhDJg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVUZPU2VFdnhKc003SklF\naitpa25SKzU2cDBRRklUQ09JT0ZQVmpnZXlVCnVMRWRVUm5XRWxrTWxNM3Yzd0dJ\nS1VNdFVpSUk2TUlmVVVvNGNCSldnMjgKLS0tIHhpakoxTHMreXdTYndRaWRxbVc2\nQUFpM1RSN1k4UnY0Zk5NbXVrMEtXQWsK1XOUALji+vmTHFo4t2smOOfdnkBC3BK4\npC4PrDrUO0nThNu8ASBtVqJELly32dJYLKRIpOTTqWxNFCQZ9Vz0RQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T22:27:00Z",
-		"mac": "ENC[AES256_GCM,data:tzrsM/GRxEOeZwksc0MjNzG6hNqrVbg0gwctd5LQLRtMLCOokYQO6pS5gjEQ/zS6+SUbauKyifO8xMfkrc5SQ2Iqqgj2tIZIf2xXntQ/152X1IpQKEQN9zO1LQhI6g/w4jtgnNOT4bw6XW5yKW6CN4NfKNCbEzisWjyiQFRxmR4=,iv:LIclgDzRbSYuTbYzONaqaso8TZUBg8r6pG6ZtRLQyXY=,tag:JpnzzVGmNdpRx2jiR4V7oA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/garage/admin_token/users/rpqt b/vars/per-machine/verbena/garage/admin_token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/garage/admin_token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/garage/metrics_token/machines/verbena b/vars/per-machine/verbena/garage/metrics_token/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/garage/metrics_token/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/garage/metrics_token/secret b/vars/per-machine/verbena/garage/metrics_token/secret
deleted file mode 100644
index 5da7fd5..0000000
--- a/vars/per-machine/verbena/garage/metrics_token/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:ExSv+ji6femtNG+/+JgGpjBNbcMQJeHIOjsrL7arFbWPPJlhV5Bqs6QuVeIT,iv:l43EjooL912qou3fJ5iFObQdHWtSCI+13xQZvnhS+v4=,tag:kqAOc2YYNDks1upXd3aSDQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcFFSalpW\ndEhCd2pWaWdrT2I4R2tJeDdFczBNSy9xSGlNNUFWa0toSGlRRwo5bkd4ZU1XRm95\nejBEZ2U3eVpUL1k3UW81TGZuTGFhckhkZHJwdkQ1SWdVCi0tLSBkYU5SK3dOdFBw\naXJvQU02N0VZRzhXN3FIUWw1Vjh2a2NDekIyVGVNVUswCvqnFEq+1llQE153aJ6O\nED4X/JS6fGoze0onqdQ/HQUM3UXGRRkmqdGVww71Z1UTMSYt3SRjhiIeFMe0lwXT\nyq4=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBM2FkK01x\nZi9JMHdUZncyNGxoM2dXZDFEd1lOVHVJdXNhVXIybC91V0hOWQo2UGJnSHVjYTZB\nR3F6cVJUKzdJRjAwemlqVDk2RUxLVjJvd0hhemxrc3M0Ci0tLSBjdmx4b1gvblVp\nWTdFVGF6STVCcmEwUC9iSFZTZkpMMkV0Q200a3JwdlVjCpGamkfpSZv9wT1TKBqh\nI57/rmmu66gCC7NMB0Iq/HHbUINo42Vl2TXrj8i26q/oxCVzmCVVpcsRj4tYJ4NK\nqS4=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OWNYVUZWTUltM1ZzUUpZ\nNi9tV1ZSbUdRVThzeEZSMFd4SVk3VVpVMW1VCnRYYnhrWUc4azRrdFF5MDFraDJ2\naXdUUEJKYlJLSEsrTmhFaStsQ2RRK2MKLS0tIFNlWHp0VDh1OWU0TkNiUGgwWjI4\nMTRkQ3BkVHZ5b0Z1bXlZekV1VFdDWEEK3+5bHw30Uf9pNtzVKTwIGlSOJaPzztuD\nKvz5dUJrXX6qF4iGVoZgoEQJsdAvTJ8bCTeEYcEzwIM+fhbuKu9Pxg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYjJaK2xJY2p2QVNTVEJn\ncHhsZ2tXVGsrUHlFRzVheDR5SXNnaTFWbjMwCnkvUzA2ek9taUhUT1J3TDJWQjNy\nTW1BVDVMWjRCeUJkRFZjT3lRbTNXcU0KLS0tIEE3YzBCcWlVVUNFallmdkczYUxt\nSkN0TjRrT1NLTTJ5MmpVanpyckI0RzAK2T/13fItOBvh43/7Xa2gSmnJcfE7TB8q\nuYCfu80wXTVOPJwvU75A/ao7Wpv95sV80HNY2KaiDM+3QimUe9t8Ng==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T22:27:00Z",
-		"mac": "ENC[AES256_GCM,data:o4ehewq1VRocELO4C2wcXAjlJTGCqEgenYXRCS3Yws0G2QQOw767ZSev8EFs7z5H9p/5iS3YWMRBzwcNsAbpcJyc4kDZFkRqOs9GOlkzZLuHlkBLWkkuZSK8N9vvTyon2Lw4veuxVVn0S/2RFXPvkyAHSMxlb1PsRRiu6k7Vn5s=,iv:h+AsVY/+BTTYzRCGT8KcETrZOMuUKQWv5aO1oND85JI=,tag:aOWfgcXEzSgeiUBBP+x5ew==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/garage/metrics_token/users/rpqt b/vars/per-machine/verbena/garage/metrics_token/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/garage/metrics_token/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-id/machines/verbena b/vars/per-machine/verbena/gitea-s3-storage/access-key-id/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/gitea-s3-storage/access-key-id/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-id/secret b/vars/per-machine/verbena/gitea-s3-storage/access-key-id/secret
deleted file mode 100644
index eefec14..0000000
--- a/vars/per-machine/verbena/gitea-s3-storage/access-key-id/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:VQjMQfKH1lw3nLnccac1p0rwVKQWYpSs7TU=,iv:UQbB/5v9G2wiX5WWMEAOn6KcWywBAoEi1aX6Zjtv33w=,tag:1lOSmj7UbCB9g73jgbRunQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNnRXSFFZ\nUTA4NE5mTXFZWTA3eERuV2M1M1FZWjV4ck91ZFRZOUN5bDlyTgozOVhBV0NlL0di\naUlKNlQ4M1VSMHJtenlaM0t3MVVNa0tDUEc3dXhPeFJRCi0tLSBjNHBZZDZxbWNR\nY0VnNTVxYWhFVThGS28zMFBBQmppQkxzeEoxNGN5Y2FrCqSDhieve+7eqz3voiNb\nZZizAuH+w5Y96s/U8tpGoRztQoYDFFsco6e4GAFo9mYQF45xXB8WBKR2IAMWhw6q\nRM0=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeGlOZFVE\nZkdtNWw2MFBHS3pGWWZlMkUxVEV0VkkyN2ljZGMyQitwYzZEVQo0R3VnN2c5cDRh\nNmZDR25ZcFJCZmV6QW9tcG5qYWx6ZUxLMTJDM3JETWswCi0tLSBzeHJqbEIyZ2VR\nQTdGMUl5MDBFN3NNSndqdExXWjRGc3RRbTlEUk8xaU1FCniYYcxriIA5b2sPaUqS\nDo6QLVIV9XagG1sf1A/rTiarIN+vW7Cz4fU0ghbreDuvzT8PocB/PHPeCUg/ppZK\nwdg=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYUpxNXlJUDNTKzAvNmZq\ndEdvQWFBYXltQmZ5MHp6ZVJJU3ppd2ZSOUN3CnFsTEo3UHAwWDlmKytSZVErT203\nNkcvMFB3SXMyME8rQ0dOaFJlOGFrajgKLS0tIE1XYkQ4dE51UTRNZXNBUktpbE9M\nN0tjandSUG1PL1Qwb01uVVdvY055cmMKteqB3tp59hK3P1C6SUwusQOdDFZx+0ZS\n2kAYb1kOMbQvd5UvHrUnircB2dZAOs1Ccy6WoFpCjoeONODw0O3hSA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUaGtsa3hHM3E5YVM5SDZC\ncUw5aTVHMlVJRGJPYUR4eE5pRzBXeTczSGtRCi9PaEY4TVJCalBhTUcyRVBGc2lT\nREJrZ25FMG5rVlN4cVg2L3E0OVZ3bFEKLS0tIGswWktrZnIvb2tiNm1WZE52M2NO\nV2htcG9MSnVhSzIveTdpNmR5MHFIMlkK3QC6C7UGvVZbO89DONJWuFLF7bNnr4gm\n8hDvpTwurL8GpdbXRBwjp7ZhzlTkXR3QmOetgPPvDdyYhb/YcnQocA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-17T15:13:14Z",
-		"mac": "ENC[AES256_GCM,data:W2GFjGzFNbA7rcJDDqN4xWModtAe1IOlpsqR4VSg0TJNtLcQOSpzKHM/jd/wGu7yEA+5qRIPw5b8zBhTIqjTHEZv/OgGW1VU9xACNnYIbZj2E6dR5XkMo7Kk4pcClfUrn+mcoFb3qDRUmot4hIoOGwxYlzZCd1AWIoA0LsMwl7E=,iv:N03rEnwGDnnhfQTSr+ustojxUvuAzBRm62W+FPURuKM=,tag:bwYrwKAwi56KAy2iL/QVMQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-id/users/rpqt b/vars/per-machine/verbena/gitea-s3-storage/access-key-id/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/gitea-s3-storage/access-key-id/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/machines/verbena b/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/secret b/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/secret
deleted file mode 100644
index ece12ff..0000000
--- a/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:Qw4KdJ8oqtZisPqpgrh7n069YPGjO7t3GE2XLEfFnnvU5UcbIoV77lx8A5d6K0F9OGtR3b2Oo4ka5bPPNI9pCA==,iv:hXORx3mNALVMk2i9MxVebWE/+PY9OZ3Sbu3+enBY3To=,tag:0MPUB3JWDnetR54MSfZt8Q==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNWZjdFp6\nREY1ZlkyRHBLQWptQ3NhazRqaWNWWlhtM002emRzdW0za3FUQgovV1FsRnZkaGcv\ncjNQVXdrV3pBYitsKzBvQU1oL0RmQ1Z2VXFwc1JoNHlrCi0tLSA2L29oK24rbXU3\nWnZ0cE9WYnAxL3UrTzh2L2JZYnZqRGVTL2cyVkszRG9JChpjCgxxGP32VP0yLPmt\n/ocT8e7KkZwAXj2+AJIL74Pb1cUyNZXIOs52bLAnx0scLH0ytx/Jyvf4ePLVDX3v\nu6Q=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMktuQXY5\nS3dMOFNJb3lzRWlSSVB0bDBvQ1JLL3doQlF2YVE5bGErVHlpSApqQnBVS2JoTGR5\nVUFuTnd3VTlhRWJldGQ0cndIdEpwMnN6VkRIWEovSjdBCi0tLSBOczljN3JyeDdS\nd3hyaHBPS3gwSjNzVlZRSTVSNlRhTUUvVEhIMkMyRXIwCje0iEVypMLnwLbTBYM5\nJmHJ1ChPp95TfxviEcKUiNXXx9uY3uIQ38G33FwI3qN+Bd3dGSkHHqZjyelqcJaO\ngPs=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTk91SlRGZWlRa0Q5OURZ\nNDAvREExZkQzeExXL1pJTzA1dWxEQU1LZ3p3CkxQWUxxWk5aQTBkdFBrU0daZlI4\nWW1tdGVQODFWU2JZYldabWVYNVJwdkUKLS0tIGRmSzl2eVdPUXBEWW80QnlzdTgx\ncFdqZzMya0Y0K1lFcnYwd0lnWUhpcGsKSpu0myQpuVRO9eOyO543sKf/Z+YZeo75\nDqdsI6deQZnW+0NPy9zI0CXTFkjv7KNG//2G8LbscjV9PziO5ArvXQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoL3pmWUJwYTFqSjRJaGZ6\nMmJwQ21EU240NlJLa3JpUW9QSy9FNno1VERzClhjaWxOVXVPT2piM3pSL3d6QlFm\nMmp1VWExQnV5c2tNMnlNNDlWWTU2U2cKLS0tIC84S2JEUzJXNWVzemRLR2Y5OEhk\nNFFUQTk0b1Mzc3dWSXFra0tJb0gyQXcK7Iw2Oy2dNzazO7Ok8cEwT0lhfL9l9JdS\n9vrk71zRCCNe6UdDQoOYqAukTbT4YKAS2W7AmHH/g0Y9xIJGHpYB/Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-17T15:13:14Z",
-		"mac": "ENC[AES256_GCM,data:WH9GzcZM9ii4CHvtqCoqoKHCFK0S3OQM9x1cO/gkgRftFsO85jSnBUCtiPhRahvTffZT42sN4ZqDBq/LSKYEXB2iJWcN9StpTLs196wPzLyJhSrhY9jEy0JuxoTAhvcAC1MKPW+TsfC4SO9xazvEqShnP2z/BTYhzrgE5lsDDEE=,iv:eD7iBUopEKc5X/l8DowrBthYNPB805+AhuCCZq+fYeY=,tag:fTRAPEH0WXIW8SNso5FmdQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/users/rpqt b/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-id/value b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-id/value
deleted file mode 100644
index 33bebdc..0000000
--- a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-id/value
+++ /dev/null
@@ -1 +0,0 @@
-GK0380f708a7baab9385e45ae9
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/machines/verbena b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/secret b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/secret
deleted file mode 100644
index 493a6c2..0000000
--- a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:ekQgkyM4yo8LHVmN2ixGaIaz4quZiMFVhpD7d4K+s4fXKrL/Tc+so+bIxHQj3UlGgYAOvIqWHRZ/aqDZzFGGjw==,iv:bnYpVa1Ug6mhUsGSHPonVBT6g6Bhu+f8O+i8ieRtDik=,tag:jGScke0h1OHKj1DL31JhjA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaTg0OStI\ndDZzSGtucnplSmpnUndxZnNZMGF1NTRiZkluNy9tTFk2U0xTYQo2elhYbHlkZTlX\nVlZ6SjJtQTJXUzQ3Q25QaGFVdnZYS1Flc1dycG1RREdNCi0tLSBPTFBydDlpMW5l\nR1FKNlNLdE91eFBJcDZrcERiTGEzRjBkUXRIYTVTTTFBCrehdm6kPGFqTr2AbQ0f\nLBNGf3/lPIca/KW7NQS3IKMFh1xsx1EFEbxkUm37/LvQzlpzDCyyfEaKEBjBei1b\nczk=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdmF4QkVw\naEpWaGlsUVVJZjBKd3BpaFZMbVZtNVFTWFBlVXFxdnhBNlJ1cQpUY0pPV0pmWWln\najdYajArNythcm94d0x6L29PSHlFT204dW96RjBpNlNZCi0tLSB6TXVPRGhkdVRH\nb0lNMllpazZlbFNsNVFGdEt5Sk9aNmZ3ZFhWajkxZTFFCpdwi6IV1i5UnYSgg830\n4L8vS9E/KyKCKzJzgrYVYxJ2Jn4nQsHotBxJgHpy+EhGyX9U61oPUCpCttodfi6a\nlMU=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwSUQxNDlTTVhIZ0l4SlRu\nb05JSzJVQTkxeEhDQ2lwbUk4SFdaV2I5UGc4CmtkM2J4bWRlZ0JqT2Z6VGlqQjcv\ndmNQbVF6STBTWGdjWXVWZ1gvME1UWmMKLS0tIHlGbWI0T1lQbnA0Z0NyN3lhUU82\ndUJTdjdwTTZ2N2lhMk1VL1l6bzFtWUEK3QaPsEpTMuemfvLvmOisEBN6JATMEJOA\nq3UCMhsYu37XLitAyrE6QydiYo4JhvZYoMX+Vrsq+qWCtm7+7KiVTA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5V1hpa3NldGNJU09XaFI4\nTEVWSWNuQ2wzd0FWdUdtQWhsY0hUNkttUDEwCkpBMVJLcHV0NUFBeEVyTUhCbXhu\nOVFvT3A0NUNiRmsraExPWmoxOTVXbWsKLS0tIEJ4WjBXZlkzRU11M3RkYzZld0tL\nS0FXcXhrOEZNZVBxbUhTODhtN2IrK00Kx22WHcIkC/IQmBBVtT41g/KHpnqyCSL0\n1XN0O6glllp4VQG/QqFljjGSqGp7x9DoC1/7RKRRJFh9PLAPK5W0FA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-17T15:13:14Z",
-		"mac": "ENC[AES256_GCM,data:cRSryYYPPVbdkodd63xa7h8DWHH5x5S8IforRB0pYLvbYEcCU88XHOZzJlnw6C42WB/wfYNeE09pG4uEcq8dTxRxseE3vzz+h46EBXQvjhPM/YKvNY5NMPkpda7NVmkABGCydB/MCWpRZBqR2DEyrc0V20/RNIYd7uHfYNi5dWg=,iv:3kLDivvmwa/4C4Nlq5dmaueDSaqxJT+7W21j93yUdKk=,tag:9TZkivjH9C2UtiCDDFohkQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/users/rpqt b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud/admin-password/machines/verbena b/vars/per-machine/verbena/nextcloud/admin-password/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/nextcloud/admin-password/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud/admin-password/secret b/vars/per-machine/verbena/nextcloud/admin-password/secret
deleted file mode 100644
index 7157997..0000000
--- a/vars/per-machine/verbena/nextcloud/admin-password/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:1MidunOjhcm7MZSfQSor8xrGR3KSM6CAPw==,iv:/QIxqzJ+115R0C8eH1T6gHeJ5HdDAWcLZzEvhpu9SnU=,tag:PvoxKpIz3nTPlHgMD/MQ2w==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBb3BKOGZw\ndC9oQTJKMDZqZUxZdzJMRjV6MFF3eEV3TEtHZnZQcjVSN2dJVwp2MlFseGdMUWgz\nenpONktML1B0aVFxNFNWVWZoc2I1NUI3cDBIUk0xY0ZnCi0tLSBrM0hzV3h5Ylh6\naHhxcWZLaVNqZWtueUFTdGpOUnRNNm5GSmd0YXoxanBvCtuxwSc3CToGHVflPDm5\nS33vbLLfD7+y9ZtYCyAmfZ9fSu6Go0vZxbGoIe3vdg9vvIOQoO7IWRdr805VQjc8\n+1w=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNXBpcjNN\nY3BSSC9lakJUR1BOV0RqNEdEL3lPL3V4bHdaUHhBVlhleFVDMQo0ZWxyb2ZUTHV1\nQnYxUWw5cnAyTEQ0K2R5dGlXMUJwaGpRZmMxVGJ5SUpJCi0tLSAxZUxMcTlKL1dZ\nVzBMZm1XY2pVbEljQnlFR0VmbDNGVUE3U2N0dEVscmY0ConyoftT5dCvCP5iHF7S\n10DI9LZsyafIrCjhKjUxvwZ35sk52tZFxBs30WMZpDipctPXO5grmXtydYxDjjOI\n08Y=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3RlRMb01rOHJqTVRZY1Bq\ncGNTVlJXZGI4bU5tbHdKTXN0bUttTlZaQ3lJCnJjTitiZjNPQXIxdWJzeGtteWN4\nNFRrUVdsT0RDTVIydTN0OWRtS2pmZkEKLS0tIDVyN01CenVVSE55OE1xZ2dNUnE4\nWEhLeEhEbnlyaUVYS01XcU1rV3FmT00KLGcgKGhhWgf12XbPy8VEqeoObyfEoPXF\ngofpkwyQ8havZnGsbwqJDaD9KSxtLb16vyam82Nr2wlNAxoQdMnDSg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZlJYa0wybHdRUVBaK2ph\nTWJ4L3pCa2gyRTdMQjNQMTNDY3JPZ01UbVVjCk1RSkdlNGxib05BV014Qm1FdHFG\nNEdiWkM1dlhINXdWT09jK1Nub3dVYmsKLS0tIENacE4ydFNUSHdseDFnKy9qVk9a\nUlE4VkQxUUVGYUZNQWtXVjFQMmhVTjAKeXpKLW/n5f24iudXBG9tAptzKfDD0QMR\nWf2PazgiqOpBpBBRAoxV1nXseUMI6Q9ORsddyfa0BTGlX8BJknizFw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-17T15:13:14Z",
-		"mac": "ENC[AES256_GCM,data:3ljtqcuR64WFghGRQT5sSQtnHE8XhaaYZTZljGVmb9LHpY2p0GVCzyEBTFj4t3RoOfaRh4NGxR5FGGn03WTghN604zXAZZokdq3jDZANXtu5F46dmtaN3JZPPpQof6tq+lNfuYQZBGFxSHd1Aq3iuIOTXLFyox7Pw5ECDHsw690=,iv:b/uFAqMc4KCMscztPxUQ7VTBq0IT9+iIb6U2+xCKlg4=,tag:1Zu11VuTry0fcsXq/Fx6jw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/verbena/nextcloud/admin-password/users/rpqt b/vars/per-machine/verbena/nextcloud/admin-password/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/nextcloud/admin-password/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/openssh-cert/.validation-hash b/vars/per-machine/verbena/openssh-cert/.validation-hash
deleted file mode 100644
index e0bfa42..0000000
--- a/vars/per-machine/verbena/openssh-cert/.validation-hash
+++ /dev/null
@@ -1 +0,0 @@
-ac6a5c1a1f92820a01374e2f28f5e230bc28104313a3c01c5bfa91ee112805e5
\ No newline at end of file
diff --git a/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value
deleted file mode 100644
index 8b9264c..0000000
--- a/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIERlRW05oWOKBoc6WXhIbkMsu/GGjZ7GtsDWGbilP6FQAAAAIOFmER+Rjwzfr/GLrD3kItVEEdhPTIjUFgSbhNOJtNJVAAAAAAAAAAAAAAACAAAAB3ZlcmJlbmEAAAAYAAAAFHZlcmJlbmEuaG9tZS5ycHF0LmZyAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQN93JKKLUpCkdj2D2wHbhn8MK3JH0PMUuQqBLUqK29+YlRlPZI9ZesKK0JsAnraDLyn7UEg7cyt0cXRkCPfcqwc= /tmp/vars-ifid6s0y/in/openssh/ssh.id_ed25519.pub
diff --git a/vars/per-machine/verbena/openssh/ssh.id_ed25519.pub/value b/vars/per-machine/verbena/openssh/ssh.id_ed25519.pub/value
deleted file mode 100644
index a9778c7..0000000
--- a/vars/per-machine/verbena/openssh/ssh.id_ed25519.pub/value
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFmER+Rjwzfr/GLrD3kItVEEdhPTIjUFgSbhNOJtNJV 
diff --git a/vars/per-machine/verbena/openssh/ssh.id_ed25519/machines/verbena b/vars/per-machine/verbena/openssh/ssh.id_ed25519/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/openssh/ssh.id_ed25519/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/openssh/ssh.id_ed25519/secret b/vars/per-machine/verbena/openssh/ssh.id_ed25519/secret
deleted file mode 100644
index 96f6b6f..0000000
--- a/vars/per-machine/verbena/openssh/ssh.id_ed25519/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:rhT/tKlqv0mjlvVCExyYssF9gO2R145z+R4XT6vFYnmVwl8gparg2CGZjnFf7ukS/7Uh/yhG7lMIstd5kaLnmeop9EEclzXoIa4XP1s4FAsb6oD/7PJtxuWF8cvDq+whwYtau8ci8HhkxazVu445rQYzmVOtttxDCwpol+3r+OP6Ey+dSITQ4n03X61bffQoBjnh4gT5wpaMaOEh6B6D1Tzp4NuitdUIBqKgBUi/LSeejePIamkGdhxRJ8ZNua4y9NcrDDxYhwzPkNirQB/Bc6urbaNRKVqdMKhNG4gT0tXkuestfiHwHpjrq0Ymuy7d/RF1M5cLXIY4Hjix8qXh8GfpyxPYBSXilRy9nmgc1k9MkPQvmxdGNis71XxI1oF3rA+wa3VRjJS+Kc+Hu+9aBUr2YY9FrUO3kQg977ttUOyJO9ihrNvlsgDmm/y7cOpQ5Fx7TkSd32ugOG2TtHJTk8+L0j56Xb1kPuoQ3P92gB5I+X0bflYDf1IftgFD/M2lHIRd,iv:9UymekNxnAfYblC3/9sYvenWS2370oD/fG4LHHsXz0k=,tag:Ywl9wF7w/QvYVIIjQ3mrdQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdi9ZNmVL\nYXhySkgyOE42U1Z2TStlUkcrRGQzRmg5eTRYOUN3bmYzeVVxaQpQckNvT200WVdr\nZ2FnM3ZXbmpFdGlMUU9hYlhQeUJJL3FkMG5rZFVnSCtvCi0tLSB6RTZOSFRtdm50\nazRTOVlxdzd1alNoRDhwYlVmTnI2SmlOUjExdVBHTGJVCtznop8akfkY5A/XO8OY\n+eB6YgNQaF8Tijoq3tM3ynifvLQGbQYMh/92N9wsFZs7K4ObsbdHbtNks6nMAWXd\neic=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBam1HMSt3\nTElLOGNsQmZwVmNMcm9CSWc5QUc4RkxjUEl0RURkeUZKZk1ZNQpzNDhVV0dlbnN4\naWZZY24xbDBiMVFRbmpOcDlhbGtGTjVqSnh3VjFIZUpNCi0tLSBCaFg3RWZWU2ZM\nclVBeUI2ZXJZMFpNd2NvOEJwTlFESVlqaG03UC8vZDJBCpqzxKfjr8oLfhXpEH/k\nP+m4pUdpFxWbSN79OjauXMsaCLiyNcRRh/stzgUVZSY06p8BjY54dXLxnFIwXGje\n5b4=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VWhMK2hwcUxhUURqc0ZN\nZkxHazFpL2VXbzYyN1AzeTBETVZRKzc5ckZnCmNvcXJOdGo5Uk10OHhYVVczd3BU\nNStPdlVHeks5c0xMUm5ITWJ6QkNROUkKLS0tIE1OT0ZXd0trL0VITzNvakhGNkxY\nVUtZZ3EweEZaNy9YMDdWS21xamp3SmsKdRWrBH3Urx8Ws8ND6kB7ZvKCNM4R9NQd\nMDfPhLWxm3QPAYUX+VOsqz7A+0/ppIF72WTEPDxcu9HF5X7a+dW7qg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuN1hPek1xQWIvazRXenZ0\nRk1OVFFtMUswalhxVU5tY0ZHUGFKbWV5bEcwCjJ1T1dXbng1VHVnWmdoUGNCZGtx\naGU0bnZnTWpETVIvTzM2T0g3SXE4MEkKLS0tIG9ZL3A4MTRsM2hqZU9IaE1tbkkv\nOGQwekJMWnFZWms4ekl0T3RjUCtiZ00KvEufhdEDX7wJKFY4qKgOEN0qNGEWrzeC\n7buI+inOG+40IGPQKDNEobhTthdvC/QOlcBrYb6YyMonXd5mzvs4Rg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T22:27:04Z",
-		"mac": "ENC[AES256_GCM,data:G1jAZtxL8+nZRrB9E2dU/huAH92eHl2ir7tuabZK9f3RnlqPXZRKvahESp4VuFSAEWhO0dCbgmvoG6qwDjmvb4oZsA5quouWs0JVJA9a/Z09KyqslLgKZA3zO8t/wMRYUX6uu+2NmvGZDCPt4WiWtMIJ+sFsIza0DyrsdmVJGYw=,iv:KveqtGOpq4vlqQYA9/rMJWLXJ74j3VZuu3MRc8s54Gs=,tag:E4ZUcAdv0ZRJ+Y0/xg80VQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/openssh/ssh.id_ed25519/users/rpqt b/vars/per-machine/verbena/openssh/ssh.id_ed25519/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/openssh/ssh.id_ed25519/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/root-password/password-hash/machines/verbena b/vars/per-machine/verbena/root-password/password-hash/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/root-password/password-hash/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/root-password/password-hash/secret b/vars/per-machine/verbena/root-password/password-hash/secret
deleted file mode 100644
index 60b11a1..0000000
--- a/vars/per-machine/verbena/root-password/password-hash/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:trmjf2lKYlYKajTS2t2pSDVQB3X4NYFNdnapx+xAyGJGgQtGV/TCJDDP+9JsWgbv89+SARrQ1qNhl/tw/HZpaOE66kYhZSEtVpVzsGWAoSdKxQVvvNbySBo2Y1TOfg2JS+f+/O5MLiRoQw==,iv:a/4JT2zmH/uyMYEq7YNR7CoONowtQjRCEUGYTgKj2rU=,tag:2nqHveDnULuXnUWmaW7Rng==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNmgwNzVQ\nTWg2dHo5ek5McVNPcWV3ZXRlc0VSaCtxSlduYUtNejlEME1EdgpBalZXN1FBN2k2\nY3EwOGZkVFVFTjJ5RUZSUHIwNm1UN1ZJOGViSmZsRWU0Ci0tLSB5RnA4cmZPb3hC\nK0RlRWJvZ1RaTC9sQ05yQysxbUZvaVY5cHNLQlhqN1V3CtyWHyYRJFWh2HKUvYSe\nMezFaFiuAy+raN3I/okVQzP8oDHkOYL8EjFSH0YsYZOjeEH4nWuVFRWSD9s1OsAt\nZS0=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBKzRTWWt4\nVk9OQ3Qya2FzUEhjSUJDZXRMemdoWXp3WDVQaXRqN01CWE0zRQpQeVh5TXYxS0JO\neGo2ekRDZmtIaDRFUEt3bHpNcDNEYVpOQk5WNytBdU00Ci0tLSBUM1RnNmJ5Mjdi\nSUlxUVltVXFGMTNWa1Z5c3pGWkVhTGhFTG8vZzkwQUQwCnqSvJ32XEp0CAAcyzq7\nLSQJlNV90YiS1nQVcrJmK/vAtKYnWksrwEF/q2HryBl9t6UEWKrWccPdE0t9sKJV\n8Hw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISGlPNzlZVWY0WDQ3WGNa\nVmpWcXI0TEMzcEd1SElNZVBKancxdUh4U1FFClJOSFVoQmVLSDVXZldEbHJ5SWdS\nbjFDZUEvQnh0ZG1Vc1FmWGdONHlXNEUKLS0tIDFlMlAvblRlSkxIQUdDY0o0ZzU2\nWC8xdlE3RThTa0tjQWl3SWoraG01dXMKg3N3lY9Nq2MEwDPI68/x5SmQItOrrFw0\neq3ejjoarreaQY0gC4Q32fbTjvumhmEYbMObMUgs7tfET26TWSQ15Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSndOZ1Zka0FvdkY2YTlB\nT255WFFQUzR1bXNuakRYRjQzWTMwQWVDZUZnCjZhRldDYVgxcDVCS2NpZnY2bWQ2\nZWlXMFh5NG1HeG1ENEJRYnRZb0hobFEKLS0tIFdQLzQ0b2Q2bTFZbmxIYy9nTUwv\nN1ZUcUpHM0VFdVhSZkFEWlZrVnlGVEEKxDF/S1N8H+y5z5Ef9PeL3TNG17HnDMtM\nZXdf279bpDCP7NZXMXdSPS7CYsxEs6/O4oezTA0RfiCIVsRGPrJYfA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T22:27:07Z",
-		"mac": "ENC[AES256_GCM,data:tsDk5m3xnjQgLJcJ/Z8GRu0es1Y13vWUwmxQoZm7CkW8B1SWj4tb0JxBEpmulq5cBAsgIxa1U68N3ooWgV10tjmvy+789RCINi6SPwTzXNPFVuzGwWmfSxIIZqMEvoqAOAQ3CT95lHd5+Gti5XtoRDDniGi5gq/fTQjAXn5mCIc=,iv:JtrQjj3MxoY/GU7DKG7vOCZuIKOsM/ITdjfDuH0/UrQ=,tag:FZl+mjv1krHTqWeBR7pA1Q==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/root-password/password-hash/users/rpqt b/vars/per-machine/verbena/root-password/password-hash/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/root-password/password-hash/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/root-password/password/secret b/vars/per-machine/verbena/root-password/password/secret
deleted file mode 100644
index 4aa7bf2..0000000
--- a/vars/per-machine/verbena/root-password/password/secret
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:8KysUmawUtddgXWrH52syDDHO89TngtD3vVX6BWUJUuMfD2YaNCfQQ==,iv:d37zoPVJlRCsaQRJOqc08OoiwjclHu6yIwqHCGg0Nsg=,tag:YxwhlS32hvP0h2yo2BhCSg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeWV2YTNa\nTFhYYkxUcmtjV2Y2RC9xN21mM1BrbGZ0cjVlUWJGNmt1em5rbwpGR2IrbEI4OUF2\ndVIrSmVVNXF3dk1INmtIY2NpYnNpYjZYWmt0cmwzMEtNCi0tLSBVVkxpOTZESjAy\nd1dVVjBlbDRwZ2dlbm56ZTZMOC9EcDhDVTNqVE9YdzZFCrBb7pbTKjMh/MQBqmNe\nGhoktFc9quC6WpEJngRJ7lqRjXgIHxGlMUvhhebaQ1vwfMN5zQRa6DhwV+tb0R4V\npCE=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMFhKcGdkNkU5OUR1bENR\nRHkyOXZINCtNSmpMR1NUaU5YM3dlVGdLSGowCkRwWEtISHk1QW53WW53djNINmlu\neWxLOTk3QmRkYkhDb1BEMjAybmlmUkkKLS0tIGxZakVlaDZtOFJ5eWR2aFBFMTBY\nUDltU0IwMnZpL1VubENTeHhBbklDQVUKkma8t35fQqvZ7/RpCwfyPpndvzngehK9\npLcJXr64/eYlOrHBNWbnCodiRrBAVmc2nLgBZlG/rK2tjRvMWOEMuw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbjNaRWt6\nd01IeXBHM0huQk4rRlJ4c00zd1h0WktLYzdHOWJoWGhQWnRrTQpyblZCYm02cDMz\nRjdwVkZscldieENsWmw1WXREQ2xPY2N3RzVyYUpnTDVRCi0tLSBSSEo1aXdXcTdy\nT1JLcFJaQWptNmhpZGx4QUNUZVl3V01ZU2ZjQkhVK1k0CrQtWlYxBIoB2+8BRf6M\nbQEStAJfuIOIOmP97xbMCpfo0O2kJttsWu0p9BmSMtyuOJQtqMu0edVqCEA0qf9v\nwkE=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T22:27:07Z",
-		"mac": "ENC[AES256_GCM,data:4rOTlVEL3hIzF52chd57/9lYPLpZCZDPzl73j9V0wtkT6/heVZgq0HjoHEMj2WY7kqRluPeUFpfwgD/t1ITKMPCwobDUH0qkkfStBGErKBxmFMQVM+iexqtwEEyDX61tERbB4tnwaLodMXs9QqiT0IZSfboIaXi2W8kcgzsk0J8=,iv:eaZCpx4td8tPk1dHO6GUe3UvKh8AXFKv+ABP+Jpzx+c=,tag:CAccNNNfOv6NfMtfBNWmMQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/root-password/password/users/rpqt b/vars/per-machine/verbena/root-password/password/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/root-password/password/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/state-version/version/value b/vars/per-machine/verbena/state-version/version/value
deleted file mode 100644
index 115ab7a..0000000
--- a/vars/per-machine/verbena/state-version/version/value
+++ /dev/null
@@ -1 +0,0 @@
-25.11
\ No newline at end of file
diff --git a/vars/per-machine/verbena/step-intermediate-cert/intermediate.crt/value b/vars/per-machine/verbena/step-intermediate-cert/intermediate.crt/value
deleted file mode 100644
index 3f7ba1c..0000000
--- a/vars/per-machine/verbena/step-intermediate-cert/intermediate.crt/value
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBmzCCAUGgAwIBAgIRALMIUcjKX/BUO1h5k+5GU7MwCgYIKoZIzj0EAwIwFzEV
-MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MTEyMjAyMDI0NVoXDTI2MTEyMjE0
-MDI0NVowHzEdMBsGA1UEAxMUQ2xhbiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAATzv2ktJtY0x2czkJDKaTucQ9xuFdgKMRXRbcdHRW5e
-abKOEJ8BCWdaYQa9SKztMu5V9TTInqYo9+MqDLyyM9/To2YwZDAOBgNVHQ8BAf8E
-BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUkB4ETjcnhqUlXSQ1
-TvLMMrFK1hwwHwYDVR0jBBgwFoAUWdZmxk+2XBZzgVucaLlY3rD0p3owCgYIKoZI
-zj0EAwIDSAAwRQIhANpFk+c7h1VqH2x/zyyL82uZti6zbbYiteQ9RJ2jtqkbAiAv
-vKAz5q2poLKocrMBz4N2ABBr3Y6IO7kPCIvoXBrEMA==
------END CERTIFICATE-----
diff --git a/vars/per-machine/verbena/step-intermediate-key/intermediate.key/machines/verbena b/vars/per-machine/verbena/step-intermediate-key/intermediate.key/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/step-intermediate-key/intermediate.key/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/step-intermediate-key/intermediate.key/secret b/vars/per-machine/verbena/step-intermediate-key/intermediate.key/secret
deleted file mode 100644
index 5823b0b..0000000
--- a/vars/per-machine/verbena/step-intermediate-key/intermediate.key/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:QviBFbMDWAFaeuBSOCTA+qnQZlOIK1KZVK/6GzlsmouLxh1rytk6EGeSQycHAhQwuddinTfU3VKGT2PZUmUhOinHrcf3RBlD+QMRUSf4Ikj4Q5dCwW3agSe7fzRutRVTA5cjBQaKnWPllYmy4+l3Am9UfOPwz8nETzvMK2IfttaQf4w6KJOvg/mxT2OM96pzRIcITLBeNpZI6Jxjds9LQVcisEwpQyxbJ7qi5QnICq5wTtlhh6fGaYM38FTLcSi7NIspP3BN8teX8oOdY01JjnXpIuMSKVQSya6RPUWTEQ36hlY=,iv:E/SCmZoEGVu1ou3Co+kEXDm6cJFrLrvSTbfdkeHrkIU=,tag:+4ACjvUtTT22r4uepTfWjg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBOFA4L3Zr\nZUdYZDBSUCs0RitKajdveGlJbUE2ZFhiV3lsNGFrOUdHenZoOQpxQVZKVTdrYzRp\nVGVPSGpjQTBGYkFYWFplL3dON2dCNDgycFpmYW9QZU93Ci0tLSBnZjVOc1RON0x1\nWGxRS3I0UTJqVXEvTlpINS84OFRJcmZVdnNUTmNkSlZjCmOjq4Dj8c2iGswQvHU6\nyT5DIFwIWhsKb26z2zpcVajp2kdYpdunoCJfYt8FeIRg1cl/zL/HeH5NcO6XxGhM\niS8=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBb0ZHNUx4\nT0NOcTJxR1BLRFQvdFc0U3l2eTlrNFZQTU9Ua1RrNXJrY1ZlawplTk1sNE1Yd2dt\nQzJOZGYwdVRVV0JkR0pPaGFzdzI4TEtxWEFYdmoxcmtnCi0tLSBIckk3ZXp2Z1RN\nN3g1VFV1UjRxYmUya1IrOXRZK09HZmZqdFl4VWUxc0MwCn530MbLBtgL3bkNwVP2\n3udSFE3EnObtaOnqrlEbggrpLPWMR23plqGV2t9mC4a+xyDXESgnrRlSYbwwVw1T\nE84=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNW1WSXZISk13Z3JRTUFC\nT291cnpsb29WMG4yYTh3eWlrK0k5ZmpTV0JvClZpMk01aUREWHgzbGZhZjJHM1BQ\nSDkrMkdQOW83UWRQbFZvUUlHWHU3YkkKLS0tIDZTaFhqeVpYODNReUU0ay9GMWd2\neDZ5bUlXZXRiVlY1Nm1UQktxK0FmWTgKwUw3iHRnF1rAEFCyWTCCbtVWoWIPSVR9\nuCY+sPNHqZZlJ8AotgXl6ogcolx7ztbcgU4L0wuqfPeLZkE5t5sB5Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQmlFaUxWS3BZTjRqMFVm\nZVVRcXA3NzNQNGpzVGZVNzB5QUVvTFZnNG1vCmtUUk9jdy9GQ2YydjErUENYU0cv\nb0RXTEROSXREQ3hFM0k3TFpXUDV3TDAKLS0tIDZCbitTNTRaL2I5SlZ1SUhvQWQ3\nTXJSazBOSFh6cHg4UlpwaXo4ZFliamcK6E//G58skkbC50OTFgxNIShCdMY7BoMz\nK2NJidEtpExXA1fo+/D6xA9kuh5poCOxinfTS25ONP+xhWIpchs0cg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-11-22T14:02:44Z",
-		"mac": "ENC[AES256_GCM,data:9MuR8Na+/sEhfuTBrgHk2ydsUgo3UIQYzS4PMWIwCcqKTzZ4rqB2Xynq0PCsqq+3l/ZadtzDwB8gRP6m0f+wL3ZUY8lMG74lek6mBLLAaIUZSflgg24V2o0naKWCZVXWld2GKWDOxupUM5bWYE6SLwhOuepSZ4JMH59mD925v9Q=,iv:aKzJFPgfVqqpETySdFIM0+MVGr8IFcy0M2lzbWVPjAM=,tag:vZyPNmwcF5l1PgyMBjtp4g==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/verbena/step-intermediate-key/intermediate.key/users/rpqt b/vars/per-machine/verbena/step-intermediate-key/intermediate.key/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/step-intermediate-key/intermediate.key/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/machines/verbena b/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/secret b/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/secret
deleted file mode 100644
index bd161fb..0000000
--- a/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:Le4PZ5jFQXxJYGb8LgjrK4xWbjGvVgRziD1IYove4qmoIYfxNmbb8zZxctZA,iv:PqFFN7WM9oMXk1w8S3Gcqv5nIpaB7KrcqCIsX0L2ONg=,tag:SpVwb//AdQUmMhFf0RzMWQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdzdLbjBX\nTEw5eWhaK2h0MTE2bDBGczQwZXpQZUx3bGZ5THdqNVRpaCtQNApnMEdybTNFMmJY\nanZ6M1J5bTltT2N2dGRDRldvVjJNc1dva2RNSDF2azVrCi0tLSBEWTBvUERwdVlz\nRE55UkdLSHNGREN3TTFZdVFkbW1pOFJuU2cxRTJpQXhRCiPuchb1k8uEctJJH7+/\nMRpRSYQoX1SVcSXGLhbVimVelCPddjIBmdqmnayJl91dBU6UKP2nTGJWOOunFFQj\nGLc=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMW1jMHY1\nNnhUU3R2bkRmbCtzQ1ErWEVLdmY4amhob1MxNG1CTWhhREFoMgpMSDV2LzdlZXQ1\ndzdDS0tjQmFNRHVxb1dDS2psS1lFdklqMlM1dTIrbWh3Ci0tLSBOVlZXLytmUGs4\nRytFNllOVzBmUlNGV0NZUXBDUTYyU2UxWXFuUmw4d1ZJCkaqdnvc0xNwNDvMjVyO\nx+Y5MOXIrjOnOu1IgGo1NKsrfOW315sP2fuVxgVBF2UW+3pGYu+3FE/z8Yqbk3BE\nJWw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvV1NHaFRLTUNtWXhkNjgz\nd0dyaThweVIzc2M5VjZrUHFmcER6cWJna25nCm5iL1JTdDFwRlhJSTRWYlBmaTh4\nOGpULzZGZFZiMlpvNHU3enhTd3hUdWcKLS0tIEJjbjBET0RISXBFZjRGTC9OMWJY\nekloMmVhRzhSQzhhcHZhNzh6NEhnUEkKeFExfpKJ7VbHjKVDB/HAptqg/flCkeOy\nSZ0IlXrQtCiYXVq2uebrLxxkcNKp3exd60YOUZLBHTUjuUspqwV4cA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3OVY2MmRZWVJqeHJiclho\nbTFXSzExM1kvTi9CdEMxakZ1aWtxMGJXMGxrCnlSUSs2RmROTG1WaXprbVpnYzZr\naytWSXFOdDFhSHBTQm9xVXh4Y1hiTGsKLS0tIFcydlZ6NWJ2VVBFbm5meEMwalRT\ndDBXb1UzN3dCMUkyK2Exa1lsTDNpKzAKQLQKn4NwQwSnPauRTWytIX6FxzUzF17S\nTw8HQV0BZ6z6Dv0wbzGMwTRudGRM6f26RWXvgYHny1nBahSOvnzUxg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-11-21T15:59:22Z",
-		"mac": "ENC[AES256_GCM,data:5b0R/lLXv2WL5WJ1p+lzzvU11VshSrs20eND7sROcvZ+9bIC0sX8wAozyTPMsPvXEMpgDk2HWkULaJH//zZ6jjC8i+b9c4vOvj+qF02uea6+KwhC/ZvAhZzNkHe53zyLcfI+N8/p2tPkZwEZfpNln36GKRtyxHQrzlCmSrRWrpI=,iv:gSN7EpfGZexA1pEIKel3Q6V2SPWXbfUXtHF2LqTm14E=,tag:JWkTFLOxsRP/phNLKBQONA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/users/rpqt b/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/wireguard-keys-wireguard/publickey/value b/vars/per-machine/verbena/wireguard-keys-wireguard/publickey/value
deleted file mode 100644
index 3ecfd22..0000000
--- a/vars/per-machine/verbena/wireguard-keys-wireguard/publickey/value
+++ /dev/null
@@ -1 +0,0 @@
-KiRDNfRjn9Y8HmHuFdK4CgJyY5p9QLjgMAwhYJB+qzY=
diff --git a/vars/per-machine/verbena/wireguard-network-wireguard/.validation-hash b/vars/per-machine/verbena/wireguard-network-wireguard/.validation-hash
deleted file mode 100644
index 0a8e2fa..0000000
--- a/vars/per-machine/verbena/wireguard-network-wireguard/.validation-hash
+++ /dev/null
@@ -1 +0,0 @@
-bb4d45d8f4c57db556ce4fb89236761a1fce2b7815628b103932b895230c3acf
\ No newline at end of file
diff --git a/vars/per-machine/verbena/wireguard-network-wireguard/prefix/value b/vars/per-machine/verbena/wireguard-network-wireguard/prefix/value
deleted file mode 100644
index de23f70..0000000
--- a/vars/per-machine/verbena/wireguard-network-wireguard/prefix/value
+++ /dev/null
@@ -1 +0,0 @@
-fd28:387a:90:c400
\ No newline at end of file
diff --git a/vars/per-machine/verbena/zerotier/zerotier-identity-secret/machines/verbena b/vars/per-machine/verbena/zerotier/zerotier-identity-secret/machines/verbena
deleted file mode 120000
index e061a4c..0000000
--- a/vars/per-machine/verbena/zerotier/zerotier-identity-secret/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/zerotier/zerotier-identity-secret/secret b/vars/per-machine/verbena/zerotier/zerotier-identity-secret/secret
deleted file mode 100644
index 61b5991..0000000
--- a/vars/per-machine/verbena/zerotier/zerotier-identity-secret/secret
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:msrulcai/A5C7SmFzRsIgpAWFft6fHURoVQCPLYjEIQcWOm9K8mPpeX8Wy6tLp5Sz1Ts9WC5RCq4G4baXWYi4YZ/sP0shJVHQnSjJbqNTw40NN07snlpSiwyGK8zU/RGyS9jxA6SHAiw5kCFZwdLbkVVHwgGIzxq1a6fztMr1gEjfPHILZ7hkEoNGIA/Z9/ry5b7gFdFLdjW3EfjBGdDJX8+Vk+QPqHJEYM9vR5kb86XkH1ZSaKtKaG/vIvYm932iZUP+J/MGee7RC5epvYKUgdKj3Py3w4YQNO0IY7gyzgio3Qr/qQaclN9kPY9rwG6WPbPT46SxJAzzqzzhkx9wJJyLSiFwm8nW+Nfy1km,iv:8F/sYFTc0fiIgTFmssM1nVeG1OZnqS0nXU5ap7QyK88=,tag:BvWwqQPX1QSTyzavUvIhVQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaVZUeFlj\na0JnRTN0K0JwUGszck1xMS96ckdjUEtpRjJkUjFyT2Vqd2lJYgpuR0JsVStGLzBu\nYWhUVmxDM05teXdnTytJU2ZsMmJuRmlMTWRmUDJBL0Z3Ci0tLSBFYjVLeGVuMUFV\ndDkycmVpSWZIRnMvWVFoKzJXVHBqZ1ZsU1BLMEhTS0NzCuhvoZEAlqVtFfdy9j1i\nz+ZAkIBvFd35D/lXxr2oTcYbEjYziPNUA5Iy+sSQ7/La+yZ4CVAEIRCgp8tWSi/A\ncOo=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMnAzdkUz\nY3lmRS9BVkdrbkxFb3FPblJHRGhzdWptMlRkWVVrQU9wd1pvUApTaTNWSTdnQVRV\nblFzeFNCRDRxbzI3SyttVk10bFFvWVpDZzUveHlScXpjCi0tLSBPbzNsZzFBZVkx\nQnduMmM4alFRTXNvMllmM284Wi8xdm8wbnZ1RDN3UTRNCmeiu77z9pFT9jjcdSkS\n99Wc8y+JdrhfBlpso9zfFD7IbI+pTC2DDmy5hKTLMet7MKebB5LtmT5Cll/Xqhbz\nun0=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbFIyTVJxdEpnQzNDeGZ2\nOUt0WG04THZNbDBORDNGTWljZ25kVGpMY1NvCmhnUmp4UFJZWHl0b1ErZWJpTkpa\nenVWcnRyeS9hQjlrRkxNQ2VLc3dpMzQKLS0tIElFNkpPZHZ5ekhhMitJdWQ1Ti83\nVHVyQnAxblFLK1hrbG9qNXdyQm1GR0UKEVtE1Rpt5Yn0b4S/YGksLslk4O1E+F6i\nSEzI8QD6JOpFBBoGxjWiihzGyyalqcnaLP9E6fW6yAkI5GC1GogkUg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwa0hKZlZyb1QrQmlSZkFM\nZzNTeVNraTVWWDJFeWEyM2RaUVZET0swUVh3CnpGNDA1cGFhYnIzWS95Y0M5U1BK\nckdrM240MWtyZDJjL1FlRHdweFFWWEEKLS0tIGpLbkZwcGJtRmdHNEpCaXZNU0FR\nTHdpOUh6c1dVNUtpbWE2SHV5MTVSblUKClOTFz/FzLlK1U2WsfUdQ3m9t49vzDtf\n6c7vIHOlBr6C/N3CufIozyohjfFP3DabtzaA4cVI85kU9Alx86y+QQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-11T22:30:18Z",
-		"mac": "ENC[AES256_GCM,data:cTWCHpWFF7uWtJd6xlCeKdbkr3yv2yD635NGxKzkMgCJRy5SGsyMD6KtaPE3IH62JPZ7ssWzJmHfC+aqlFUaqLQeEoExkz+SCpxDHHQtRjsB7zvSB2Hemkp4E3Tg9KpC9Y2Hhmhn+yYjoDPEJiol9XI0n+Yf5B5ojKyVA8mqC/o=,iv:4D+P3In6v4TzEsZ+xXMzUGDA0smK7BnDsvu09jNLmok=,tag:X3UumaiLPCTl+xmIcXUFcg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/per-machine/verbena/zerotier/zerotier-identity-secret/users/rpqt b/vars/per-machine/verbena/zerotier/zerotier-identity-secret/users/rpqt
deleted file mode 120000
index c6af5c7..0000000
--- a/vars/per-machine/verbena/zerotier/zerotier-identity-secret/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/zerotier/zerotier-ip/value b/vars/per-machine/verbena/zerotier/zerotier-ip/value
deleted file mode 100644
index ecb2750..0000000
--- a/vars/per-machine/verbena/zerotier/zerotier-ip/value
+++ /dev/null
@@ -1 +0,0 @@
-fd80:150d:17cc:2ae:6999:9306:9a0e:c197
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/machines/crocus b/vars/shared/garage-shared/rpc_secret/machines/crocus
deleted file mode 120000
index 1ca5db3..0000000
--- a/vars/shared/garage-shared/rpc_secret/machines/crocus
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/machines/genepi b/vars/shared/garage-shared/rpc_secret/machines/genepi
deleted file mode 120000
index be44d39..0000000
--- a/vars/shared/garage-shared/rpc_secret/machines/genepi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/machines/haze b/vars/shared/garage-shared/rpc_secret/machines/haze
deleted file mode 120000
index 0bcd94e..0000000
--- a/vars/shared/garage-shared/rpc_secret/machines/haze
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/machines/verbena b/vars/shared/garage-shared/rpc_secret/machines/verbena
deleted file mode 120000
index de62703..0000000
--- a/vars/shared/garage-shared/rpc_secret/machines/verbena
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/secret b/vars/shared/garage-shared/rpc_secret/secret
deleted file mode 100644
index c92b38a..0000000
--- a/vars/shared/garage-shared/rpc_secret/secret
+++ /dev/null
@@ -1,39 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:/lXB/mx52rLK4TzJgkyHYleiKQLX/FYVRdgSPrg1+cLzpMxHFRUfedoovKC4ibFHNhnLO3p54TAd353xiINvrX8=,iv:kbcqCEC6/i58u78HQRTXaozOrrdNS3PEMrGfHJqxuKY=,tag:2s/7ZGLok5BRbn25h2wetg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeTZmMjE0ME9mZU1UTXNu\nNFdtbFFZT2YwODJtTkwrUlRzNDNZTWdQVFNNCkZ3YWpLWmxJMXRnNmkyYnIzU1Jv\nc2dyRUZSblM5b1hFazlUMVZmU1BpVUEKLS0tIDRKTTJPeFJiOGtjQjRuQ0xqd2lE\nNkFBblRKT1dPR3FmbmVlWVlVWkFyUGcKloraZGC3O2nMPx/4Zoy8yqGZiSP4ocyM\nsxWW6IYOrvKL6P6cP5OXV3fnHTQ2jjbeurrWNDJ+V4YMIVI1ZkEqig==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBL2p0cTVj\nOUxvb2ttREpka0ExQmxYRHczVi9RWElJemFOMWJFQ2tVQkR3cQpmdjdXM3o1NFZa\nVkZ4Ukgra3FQNjV3Yk16d0ZXb0lMdXdrRTV2OXo3T0pjCi0tLSByK2ZiTS9SV2JM\neTM5VE1jRVhPTUpwTnhBMU4xU1k2MWVHdE5iTVA2N0JNCi9wVqdMPBoo/RTrgWAt\nfBnxtMedy5+uSWjX6KV0OiydeOERCawIkaZPx9KWFoPQc74SCw1PQv4IeG5gk0ge\na6k=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBZ24vZXZl\nSDM0Sk1HeUh5V2VoZjhyekZ5alg0MlFsNXAvT1FlbUhya3JFNQpjZHZXSTVSZXlH\nUlF1RGdNSWFNSlV4V2phcnBrWENEQWxnSk5kTEVocERRCi0tLSBTZGhVZVA4bW5M\nZlpzYzZPMzQyQytpM0RRcldJcTJrUmwzVWZzSkxjTTFNCmTG9lZ5yzS0k11DV672\nbBb+wMpqsSgq05ObCs7EVcnYDLMOQ6L2yMJ8UH7V/tUiT0+kAq36Wfc2O0CafXYW\n+yY=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbmJZSGllbUNiellkWGlO\nQ2VINUZYQnoycnRYZDVnMmxxaW5EdHJqTlc0Ck84ZjVKRnp2cG9HSkRnWnpWZmRX\nUXhtVmF0bWp0WmVVdXBEU0s5ZmtIbk0KLS0tIE5sOW1ES3V5T2JCUmhKcnBQNFB2\nL3g5L015NFk1T0p3U0xTZWRNRVNlNzAKo1V3RVUwP9wCRCbFeOYEE5gAoWglUmAW\nLSUWSJSLU6L/BwHfp1iakKof9Y9sKdYsVWjelftLGEJp6QbkohjQbA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtOE90L3BUZFBsQ1hoemdx\nYTFTdTVmRUJFSVU1R0pZTmNQOGxGTmtsTFFzClhHYi9iN1BvSmc0aGpnNHczYUdS\nKzRYbGMrRWQvaWpyR001YTV1MEErOW8KLS0tIFR4M21SZGNucDN4N1Y0K3RERzJZ\nQ3E2MENzUWxwOVpDUnlzMko0bWRvVVEKoaMGCVivMJHUZriTgCkSDEaeCh45BcHG\nb5jgClScpwqqq/P5Smr+SL+OgaX28ibG+kPRSp0yIfOdfsd/ox6kPA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OTVuUlphY2FiVHlpbGp6\nQlFiRWczTEkxUVcvb2V2R1E1TUFZM0pYSnhjCitaL2VSa04veU5vN0o0RWNneDdu\nNmIwMk4ycDJkSXIzV0xwaElPbEZhb1EKLS0tIDltVWErU2t1U0FoVHlhSW9DRFg1\nYmFRM0NWQlpNeGxjTzJHYXN3dzNZeUEKs/Jsj6iDHGIDHYN57MUYaYG5oKHFU6ZY\nug4YR9rOh889PF4xq3w51wJJiSEnQKfVrtNTaj67gxBXXC/EHI7fOQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZUN4ekNyMjdRNW10ZUVU\nSDZOcVVraStneVl3eEJCVzdhWWIrQ0phRXlVCk5Ob2NwRHhqWnJtQ3RFUXlvRjgx\nanpuL25ST2Zva0JQVlJ5Z1FEbHo5QzgKLS0tIGJSV3pYcVU1WXcwUmdqa3dYam1M\nalpmbUVqSkZabXpCM25JZGp3cnRxWHcKNCXjj8zvR+cqXq2XkEsYkMSI+b1NLwh6\n1pkRibsoyhQwzC0vkMdYQV4Kt9SzheFqKTuNhthW9J5I0Jf4R9lR6A==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-19T21:51:53Z",
-		"mac": "ENC[AES256_GCM,data:wJObpbZ91sGruEO043TWY1UdqMjBxEKMHUQOkw8xfMCmqgsRp12fqJKqK/jFZD4FZyJSw8WKrVKEklx7+9v4GGH4udS1KSrypm0UVmhIMV1/X1FANL0ZZ80Yqt9mnSOcRcLPaAHjqeD6NfB/rss5wCRwqeqdwjlfGyMr1bUHPOc=,iv:fFYsziILeWLVSyOZ48AcmGZEtdEOOi3FBTGpATbsP7U=,tag:uT4nj2WuELKRLitZeuRElQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
diff --git a/vars/shared/garage-shared/rpc_secret/users/rpqt b/vars/shared/garage-shared/rpc_secret/users/rpqt
deleted file mode 120000
index 825a187..0000000
--- a/vars/shared/garage-shared/rpc_secret/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/shared/openssh-ca/id_ed25519.pub/value b/vars/shared/openssh-ca/id_ed25519.pub/value
deleted file mode 100644
index 2613f81..0000000
--- a/vars/shared/openssh-ca/id_ed25519.pub/value
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7 
diff --git a/vars/shared/openssh-ca/id_ed25519/secret b/vars/shared/openssh-ca/id_ed25519/secret
deleted file mode 100644
index b8904d2..0000000
--- a/vars/shared/openssh-ca/id_ed25519/secret
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:sPSi5gWzieSktKNwVzD+c0WhCFt2u/FtsiKfwkpFceKbzyLLqBWQwyF9/CrAfExMky230YxA9atQxilpZLTZ0zmuk0D7Mi4xLsF+G9sFdyKz2DFuBHZ1hQZNiVAsQlHLvqcDtdixgo0gHfjHJ9t0eH+q4tgVJe0QhhzmcDSj0EjrE3SUnxzTszS0ZHL4X+Wfx+lrJtL8Do5eSXKXcoQHS8d6bOW/psLA8AHNJypOMlplXd4vASXPJmj9RQ1GFdzSFz5TZoyxShBuImukcLO6EoTc2TXtAclbN5JLHEbvx9I5K4S74WR7amtYV/8g1tquZ5nHVxVHr4sFY3pHDUuMvGdiVgVbrBwK4iJ5GtAUU81jCQzZ1MwtT74cldFXfwJIUAHbV0s4cSNQpH+f2bYO2uyVhykpIuLmI23Vb1ezRJqW1cGcg0VRoBRoduxQzOAeI1LE4EuniH/w1xtdKmn2XTMwwl6YetT1KbPBRMVScqcEF2ZadJV3X7hJFh0awn1cSWsG,iv:Kjm+58JsE/FCEYEpYIEVwjRuWYWaLP8VrysgsZGDs6g=,tag:xdlA9tvtw9cm8YFW64a+pw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeDczWEw4\ndGQydE1DN3RRRFpDQm1RWUcrOExaY0w3dEtLN2wzL0RDU0NkRQoydVBFOFY2eHpD\nUWk0T2V6cUNxZFZBZ1U4NS9adzc2ZXlUcWVRZGNscURzCi0tLSBpZ3VoYXhGdldS\nMVFralNzaTRQMEhVT0xRdEJDcUxPNHFOY29NUnh2K2ZvCjflIFoO8/97HXz0893D\nnNc5EVMRMNhJbDb/Nj4MCafNrf3JeN3jWmCX1IA5AZqMt2Nq2SB1Itx8iaIcRq0t\nlTY=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBaURsSGZ3\neFRLVCtjYW90bytBcG1MUHpXdVpYZHVZK01tcVpJOWRBYitsUgp3RTE1UUFOUjVV\nRGcvbFJ0MUpFdnVUYmVuN2pUVkdEdDdjSFlwRGZPWVhJCi0tLSB4WWNRMEM3ZDVX\nMUVXUklPbkFVcjBGcU14WjZpTTY0RlFvYXB2STRtSEpZCmTYPzBXojpndrIeuMi+\nj4oGZRPWKkx0EMORJFBIR1YQJhjjVrnrv7BbWYRGPkcS1mJZH2x4IgmUz7ZTfN5F\njuw=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByY1pvaWhUSnZqeFl4blo1\nNGtRN2g2Tit1OFFxTnVvV1VSVFFjVlpjUVNvClRBTldvb2NEaHA3Vi80L3pnTzly\nOFBYMUUyLzhtdmNraXJCQmJ5bGxIWlEKLS0tIGVRcFJ6MmdjL2VuVUdVbCtnM1Bi\nbW9Bdm5OdWJRSUwwYWdaSXFEbzhsOW8K5dda6d6wkUvMYU3PpTLG65RWxdH/3ewB\n+yakGuatvZP1nJo7THhHXyZ9dQ2CMOnnOFi0W8W4hVcgBNWc8HR2xg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-15T14:18:28Z",
-		"mac": "ENC[AES256_GCM,data:mOSflPXxdKtJH6dfmR41msVSp1Bcc7M4eBpFQFsTe5edUa8qWKjOeBnIN0U7Sqm7fQngOmfxIzqViaPCqSFg4TX01F4Trv6gcMUErF9OqIl+HbkZKHQxPIktXnb0OX95V85GsRvwUrLKX5l6PwQrPK+ovCHr9NjcUos2T4vlJkc=,iv:HSWHk5J+lPuiNBppKuJHRLwjcvm+H4DqBTlvR+mHUTk=,tag:PkKNbxHu61iuidj0MhkiaQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/shared/openssh-ca/id_ed25519/users/rpqt b/vars/shared/openssh-ca/id_ed25519/users/rpqt
deleted file mode 120000
index 825a187..0000000
--- a/vars/shared/openssh-ca/id_ed25519/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/shared/step-ca/ca.crt/value b/vars/shared/step-ca/ca.crt/value
deleted file mode 100644
index 02fc004..0000000
--- a/vars/shared/step-ca/ca.crt/value
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBcjCCARegAwIBAgIQBATaX7P9gLOPdEvyU6ulFDAKBggqhkjOPQQDAjAXMRUw
-EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUxMTIyMDIwMjQ0WhcNMjYxMTIyMTQw
-MjQ0WjAXMRUwEwYDVQQDEwxDbGFuIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjO
-PQMBBwNCAAQ3PdFudbQHMrKLU59IeUqw1kUOwTAWco5d4fLUrz5JpaSDsq0UJT1j
-wayaUeFstMGEQqOZ5nqle7UC64G7Wn1Lo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYD
-VR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUWdZmxk+2XBZzgVucaLlY3rD0p3ow
-CgYIKoZIzj0EAwIDSQAwRgIhANS0Pn0MmVx3w6+h0686NBrvobqt6Tue9/WlkAW6
-mJTlAiEA5j8DHm66BnmlYlCqQaz9wuAQ4q+g26XqWvvlEFkpYuo=
------END CERTIFICATE-----
diff --git a/vars/shared/step-ca/ca.key/secret b/vars/shared/step-ca/ca.key/secret
deleted file mode 100644
index 318a2ba..0000000
--- a/vars/shared/step-ca/ca.key/secret
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:eJ0fq3tBFpJmKad1zQoY/2EczN1tnER8Mxo8erioOUBi0caiH3BRUdHQzLU9gbfbmr2CX6X0PzX1G5TknROF4d0n7pK4lLzlH+/zXX9niLkZKf4sNibUcAa6xwaUu+bQZPdrbMsxz0hFjztTHfhhcEkqTwImYcJxtmKNQTc0qJSq7C4j82QVJzN+rvAnuEBp3pXMnqbbpmmUG4D6oIvdR8f5e5E8qe/fO13s8EglU583/sTV5Jm/dMPvyQVhL2U18GiRAXCTcJ8abHU1yczMU4aZKqpQwinG1pLg267IRxvrSaM=,iv:+NWxLy+HEtZ2m8eJGk6Y6t0B96QhdLa7zBtLEMz1KRM=,tag:7ccHbUUEW+GX/TsfBHzdXw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeFJhbU82\nY1d0TUlsdW5paksvZG5ZNXBIUERCQ0F6dnhFdmFyK2krK09vMQozcmxVTEJEdWYr\nRjkyWFJucmJpSVg0YWRWdHczdnE4c0V3cHVmcVpzTHowCi0tLSB5ajZvb2xsbUQw\nM1RKdElsaEZzREFLUjBSYndwbTNtNzJWNXpMQ29QeGtzCrUf6JJLxT4HMiMoyKEw\nJfY8r6arxomgg3cexPcjJhU/efRMKwkDwr8ophyui/1aNAo6sBrcww+XLWNhBG91\nkws=\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUGFTWTdrdlVuS0pnV1dL\nVXg4c2hOYVlaVko0ZkdRbnVYYlovZ3FlZ0JFCjA5Y2F5am96eno0KzYvWkgwKytB\nYWhPTGRrSzZNaFIzek9JSlpQdmd5TVEKLS0tIFAwRWpOOGcrVER3YVBaekxXenZV\nd2dBU1VaT0szWWtOenpHWFJ0WmdwV0UKaDmXZwd4ZNrFcGGadq/M6Vf409UgPtO+\nyJ4KSMLJtTMhKN2PfP8BdprIDyS6zVDQoHAv+rmGdyOlIjrXzTT6xQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBN2plcTcx\nekErR2hFOTdZeGxEQ254NnNOZGpYZ0dVOVZlbTE1R1QvRmtJLwpEOVJnZlBKTjB1\nWmNTckU4NFpPL2FlTVJrMk5CYURoeG90cTlxbkU2VFJRCi0tLSBjcnZmK25EUGYz\ncWwvbFBzZmNIcEJGUmZ5T080aUQ5cUFiZi9UMy9oTldvChJ4z5z6qo9wbQyGzW3s\nTwLC/spurP0EetY9UWOFDeyCcIdkl2xYC7SvM+hrl/LmPxfyDpQwPBNBvgUsfQHe\nopU=\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-11-22T14:02:44Z",
-		"mac": "ENC[AES256_GCM,data:Zua39bnqFiyDcf5aWMo/PcbjN8/EAecI/nOuQ7WwSE7KHhQ+wnYMDaeQFROYSjvlJdzn4upCeQCpid+k09ZSYE3upUdCVSiPqo+IFziE9kifs5if5LS1V39QKvHP5h2rXPrwS+bYPk8Z198HyX3SUu0yoU7DVZ+zrt4s9hbzuAA=,iv:NxsrTAhEYPvWGjG64n7mK7ABDXaLKHxYazqYfuP4giY=,tag:AbpEDuNkC3kBOtonVzdBdA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/vars/shared/step-ca/ca.key/users/rpqt b/vars/shared/step-ca/ca.key/users/rpqt
deleted file mode 120000
index 825a187..0000000
--- a/vars/shared/step-ca/ca.key/users/rpqt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../sops/users/rpqt
\ No newline at end of file