diff --git a/.gitignore b/.gitignore
index 7ad6275..b91777e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /.direnv
+/result
diff --git a/README.md b/README.md
index e0a673f..aa927d4 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,22 @@
 # NixOS & Home Manager config
 
+This repository contains all my system configurations, mostly deployed using Nix and [Clan].
+
 ## Structure
 
-- **home**: Home Manager modules
-- **hosts**: Host-specific configs
+- **home**: Dotfiles
+- **machines**: Host-specific configs
 - **infra**: Terraform/OpenTofu files
-- **secrets**: Age-encrypted secrets shared between multiple hosts.
-  Host-specific secrets are stored in their own directories.
-- **system**: Base NixOS modules shared among all hosts
+- **vars**: Encrypted secrets managed by clan
+- **modules**: NixOS modules
+- **clanServices**: Custom [Clan Services](https://docs.clan.lol/reference/clanServices)
+
+## Dotfiles
+
+### Linking with dotbotc (for windows)
+
+```sh
+dotbot -c ./dotbot/windows.yaml -d home
+```
+
+[Clan]: https//clan.lol
diff --git a/clan/flake-module.nix b/clan/flake-module.nix
new file mode 100644
index 0000000..c15a957
--- /dev/null
+++ b/clan/flake-module.nix
@@ -0,0 +1,185 @@
+{ self, lib, ... }:
+{
+  imports = [
+    ./machines.nix
+    ./monitoring.nix
+    ./network.nix
+  ];
+
+  clan.meta.name = "blossom";
+  clan.meta.domain = "val";
+
+  clan.secrets.age.plugins = [
+    "age-plugin-yubikey"
+  ];
+
+  clan.inventory.instances."rpqt-admin" = {
+    module.input = "clan-core";
+    module.name = "admin";
+    roles.default.tags.server = { };
+    roles.default.machines.haze = { };
+    roles.default.settings.allowedKeys = {
+      rpqt_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze";
+      nixbld_haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAE nixbld@haze";
+    };
+  };
+
+  clan.inventory.instances."sshd" = {
+    module.input = "clan-core";
+    module.name = "sshd";
+    roles.server.tags.all = { };
+    roles.server.extraModules = [
+      self.nixosModules.hardened-ssh-server
+    ];
+    roles.server.settings = {
+      certificate.searchDomains = [
+        "home.rpqt.fr"
+      ];
+    };
+
+    roles.client.tags.all = { };
+    roles.client.settings = {
+      certificate.searchDomains = [
+        "home.rpqt.fr"
+      ];
+    };
+  };
+
+  clan.inventory.instances.user-rpqt = {
+    module.input = "clan-core";
+    module.name = "users";
+    roles.default.machines.haze = {
+      settings = {
+        user = "rpqt";
+      };
+    };
+    roles.default.extraModules = [
+      self.nixosModules.user-rpqt
+    ];
+  };
+
+  clan.inventory.instances.common-config = {
+    module = {
+      input = "clan-core";
+      name = "importer";
+    };
+    roles.default.tags.all = { };
+    roles.default.extraModules = [ self.nixosModules.common ];
+  };
+
+  clan.inventory.instances.server-config = {
+    module = {
+      input = "clan-core";
+      name = "importer";
+    };
+    roles.default.tags.server = { };
+    roles.default.extraModules = [
+      {
+        nix.gc.automatic = lib.mkDefault true;
+        nix.gc.dates = lib.mkDefault "Mon 3:15";
+        nix.gc.randomizedDelaySec = lib.mkDefault "30min";
+        nix.gc.options = lib.mkDefault "--delete-older-than 30d";
+      }
+    ];
+  };
+
+  clan.inventory.instances."garage" = {
+    module.input = "clan-core";
+    module.name = "garage";
+    roles.default.tags.garage = { };
+  };
+
+  clan.inventory.instances."garage-config" = {
+    module.input = "clan-core";
+    module.name = "importer";
+    roles.default.tags.garage = { };
+    roles.default.extraModules = [ ../modules/garage.nix ];
+  };
+
+  clan.inventory.instances."trusted-nix-caches" = {
+    module.input = "clan-core";
+    module.name = "trusted-nix-caches";
+    roles.default.tags.all = { };
+  };
+
+  clan.inventory.instances."borgbackup-storagebox" = {
+    module.input = "clan-core";
+    module.name = "borgbackup";
+
+    roles.client.machines = lib.genAttrs [ "crocus" "genepi" "verbena" ] (
+      machine:
+      let
+        config = self.nixosConfigurations.${machine}.config;
+        user = "u422292";
+        host = "${user}.your-storagebox.de";
+      in
+      {
+        settings.destinations."storagebox-${config.networking.hostName}" = {
+          repo = "${user}@${host}:./borgbackup/${config.networking.hostName}";
+          rsh = "ssh -oPort=23 -i ${
+            config.clan.core.vars.generators.borgbackup.files."borgbackup.ssh".path
+          } -oStrictHostKeyChecking=accept-new";
+        };
+      }
+    );
+    roles.client.extraModules = [
+      ../modules/storagebox.nix
+    ];
+    roles.server.machines = { };
+  };
+
+  clan.inventory.instances.syncthing = {
+    roles.peer.tags.syncthing = { };
+    roles.peer.settings.folders = {
+      Documents = {
+        path = "~/Documents";
+      };
+      Music = {
+        path = "~/Music";
+      };
+      Pictures = {
+        path = "~/Pictures";
+      };
+      Videos = {
+        path = "~/Videos";
+      };
+    };
+    roles.peer.settings.extraDevices = {
+      pixel-7a = {
+        id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
+        name = "Pixel 7a";
+        addresses = [ "dynamic" ];
+      };
+    };
+  };
+
+  clan.inventory.instances.buildbot = {
+    module.input = "self";
+    module.name = "@rpqt/buildbot";
+
+    roles.master.machines.verbena = {
+      settings = {
+        domain = "buildbot.turifer.dev";
+        admins = [ "rpqt" ];
+        topic = "buildbot-nix";
+        gitea.instanceUrl = "https://git.turifer.dev";
+      };
+    };
+
+    roles.master.extraModules = [
+      {
+        services.nginx.virtualHosts."buildbot.turifer.dev" = {
+          enableACME = true;
+          forceSSL = true;
+        };
+
+        security.acme.certs."buildbot.turifer.dev" = {
+          email = "admin@turifer.dev";
+        };
+      }
+    ];
+
+    roles.worker.machines.verbena = { };
+  };
+
+}
diff --git a/clan/machines.nix b/clan/machines.nix
new file mode 100644
index 0000000..8910a89
--- /dev/null
+++ b/clan/machines.nix
@@ -0,0 +1,28 @@
+{
+  clan.inventory.machines = {
+    crocus = {
+      tags = [
+        "garage"
+        "server"
+      ];
+    };
+    genepi = {
+      tags = [
+        "garage"
+        "server"
+        "syncthing"
+      ];
+    };
+    haze = {
+      tags = [
+        "syncthing"
+      ];
+    };
+    verbena = {
+      tags = [
+        "garage"
+        "server"
+      ];
+    };
+  };
+}
diff --git a/clan/monitoring.nix b/clan/monitoring.nix
new file mode 100644
index 0000000..668b23e
--- /dev/null
+++ b/clan/monitoring.nix
@@ -0,0 +1,46 @@
+{ self, ... }:
+{
+  clan.inventory.instances.prometheus = {
+    module.input = "self";
+    module.name = "@rpqt/prometheus";
+
+    roles.scraper.machines.genepi = { };
+    roles.scraper.settings = {
+      extraScrapeConfigs = [
+        {
+          job_name = "garage";
+          static_configs = [
+            {
+              labels.instance = "crocus";
+              targets = [ "crocus.home.rpqt.fr:3903" ];
+            }
+            {
+              labels.instance = "genepi";
+              targets = [ "genepi.home.rpqt.fr:3903" ];
+            }
+            {
+              labels.instance = "verbena";
+              targets = [ "verbena.home.rpqt.fr:3903" ];
+            }
+          ];
+          authorization = {
+            type = "Bearer";
+            credentials_file =
+              self.nixosConfigurations.verbena.config.clan.core.vars.generators.garage.files.metrics_token.path;
+          };
+        }
+      ];
+    };
+
+    roles.target.tags.server = { };
+    roles.target.settings = {
+      exporters = {
+        node = {
+          enabledCollectors = [
+            "systemd"
+          ];
+        };
+      };
+    };
+  };
+}
diff --git a/clan/network.nix b/clan/network.nix
new file mode 100644
index 0000000..8c9e3d0
--- /dev/null
+++ b/clan/network.nix
@@ -0,0 +1,87 @@
+{ self, ... }:
+{
+  clan.inventory.instances.zerotier = {
+    roles.controller.machines.crocus = { };
+    roles.moon.machines.crocus = {
+      settings = {
+        stableEndpoints = [
+          "116.203.18.122"
+          "2a01:4f8:1c1e:e415::/64"
+        ];
+      };
+    };
+    roles.peer.tags."all" = { };
+  };
+
+  clan.inventory.instances.internet = {
+    roles.default.machines.verbena.settings.host = self.infra.machines.verbena.ipv4;
+    roles.default.machines.crocus.settings.host = self.infra.machines.crocus.ipv4;
+  };
+
+  clan.inventory.instances.wireguard = {
+    module.name = "wireguard";
+    module.input = "clan-core";
+    roles.controller = {
+      machines.verbena.settings = {
+        endpoint = "wg1.turifer.dev";
+      };
+    };
+    roles.peer.machines = {
+      haze = { };
+      crocus = { };
+      genepi = { };
+    };
+  };
+
+  clan.inventory.instances.certificates = {
+    module.name = "certificates";
+    module.input = "clan-core";
+
+    roles.ca.machines.verbena = {
+      settings.acmeEmail = "admin@rpqt.fr";
+      settings.tlds = [ "val" ];
+    };
+    roles.default.tags.all = { };
+    roles.default.settings.acmeEmail = "admin@rpqt.fr";
+  };
+
+  # Temporarily patched version of clan-core/coredns for AAAA records support
+  clan.inventory.instances.coredns = {
+    module.name = "@rpqt/coredns";
+    module.input = "self";
+
+    roles.default.tags.all = { };
+    roles.server.machines.verbena = {
+      settings.ip = "fd28:387a:90:c400::1";
+      settings.dnsPort = 53;
+    };
+    roles.server.machines.crocus = {
+      settings.ip = "fd28:387a:90:c400:6db2:dfc3:c376:9956";
+    };
+    roles.server.settings = {
+      tld = "val";
+    };
+
+    roles.default.machines.verbena.settings = {
+      ip = "fd28:387a:90:c400::1";
+      services = [
+        "ca"
+        "vaultwarden"
+      ];
+    };
+
+    roles.default.machines.genepi.settings = {
+      ip = "fd28:387a:90:c400:ab23:3d38:a148:f539"; # FIXME: IPv4 expected (A record)
+      services = [
+        "actual"
+        "assistant"
+        "glance"
+        "grafana"
+        "images"
+        "lounge"
+        "pinchflat"
+        "rss"
+      ];
+    };
+  };
+}
diff --git a/clanServices/buildbot/default.nix b/clanServices/buildbot/default.nix
new file mode 100644
index 0000000..9ccab43
--- /dev/null
+++ b/clanServices/buildbot/default.nix
@@ -0,0 +1,158 @@
+{ self, ... }:
+{ lib, ... }:
+{
+  _class = "clan.service";
+  manifest.name = "buildbot";
+
+  roles.master = {
+    interface.options = {
+      domain = lib.mkOption {
+        type = lib.types.str;
+        description = "Domain name under which the buildbot frontend is reachable";
+        example = "https://buildbot.example.com";
+      };
+      admins = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "List of usernames allowed to authenticate to the buildbot frontend";
+        example = [ "Mic92" ];
+      };
+      topic = lib.mkOption {
+        type = lib.types.str;
+        description = "Name of the topic attached to repositories that should be built";
+        example = "buildbot-nix";
+      };
+      gitea.instanceUrl = lib.mkOption {
+        type = lib.types.str;
+        description = "URL of the Gitea instance";
+        example = "https://git.example.com";
+      };
+    };
+
+    perInstance =
+      {
+        settings,
+        roles,
+        ...
+      }:
+      {
+        nixosModule =
+          {
+            config,
+            lib,
+            pkgs,
+            ...
+          }:
+          {
+            imports = [
+              self.inputs.buildbot-nix.nixosModules.buildbot-master
+            ];
+
+            services.buildbot-nix.master = {
+              enable = true;
+              workersFile = config.clan.core.vars.generators.buildbot.files.workers-file.path;
+              inherit (settings) domain admins;
+
+              authBackend = "gitea";
+              gitea = {
+                enable = true;
+                inherit (settings.gitea) instanceUrl;
+                inherit (settings) topic;
+
+                tokenFile = config.clan.core.vars.generators.buildbot.files.api-token.path;
+                webhookSecretFile = config.clan.core.vars.generators.buildbot.files.webhook-secret.path;
+
+                oauthId = config.clan.core.vars.generators.buildbot.files.oauth-id.value;
+                oauthSecretFile = config.clan.core.vars.generators.buildbot.files.oauth-secret.path;
+              };
+            };
+
+            clan.core.vars.generators.buildbot = {
+              prompts.api-token = {
+                description = "gitea API token";
+                type = "hidden";
+                persist = true;
+              };
+              prompts.webhook-secret = {
+                description = "gitea webhook secret";
+                type = "hidden";
+                persist = true;
+              };
+              prompts.oauth-id = {
+                description = "oauth client id";
+                persist = true;
+              };
+              files.oauth-id.secret = false;
+              prompts.oauth-secret = {
+                description = "oauth secret";
+                type = "hidden";
+                persist = true;
+              };
+
+              dependencies = [ "buildbot-worker" ];
+              files.workers-file.secret = true;
+              runtimeInputs = [ pkgs.python3 ];
+              script = ''
+                python3 - << EOF                
+                import os
+                import json
+
+                password_path = os.path.join(os.environ.get("in"), "buildbot-worker/worker-password")
+                password = open(password_path).read().strip()
+
+                workers = [
+                  {
+                    "name": "${config.networking.hostName}",
+                    "pass": password,
+                    "cores": 4,
+                  },
+                ];
+
+                workers_file_path = os.path.join(os.environ.get("out"), "workers-file")
+                with open(workers_file_path, "w") as workers_file:
+                  workers_file.write(json.dumps(workers))
+
+                EOF
+              '';
+            };
+          };
+      };
+  };
+
+  roles.worker = {
+    perInstance =
+      {
+        settings,
+        roles,
+        ...
+      }:
+      {
+        nixosModule =
+          {
+            config,
+            lib,
+            pkgs,
+            ...
+          }:
+          {
+            imports = [
+              self.inputs.buildbot-nix.nixosModules.buildbot-worker
+            ];
+
+            services.buildbot-nix.worker = {
+              enable = true;
+              workerPasswordFile = config.clan.core.vars.generators.buildbot-worker.files.worker-password.path;
+            };
+
+            clan.core.vars.generators.buildbot-worker = {
+              files.worker-password = { };
+              runtimeInputs = [
+                pkgs.openssl
+              ];
+              script = ''
+                openssl rand -hex 32 > "$out"/worker-password
+              '';
+            };
+          };
+      };
+  };
+}
diff --git a/clanServices/buildbot/flake-module.nix b/clanServices/buildbot/flake-module.nix
new file mode 100644
index 0000000..867a703
--- /dev/null
+++ b/clanServices/buildbot/flake-module.nix
@@ -0,0 +1,4 @@
+{ self, lib, ... }:
+{
+  clan.modules."@rpqt/buildbot" = lib.modules.importApply ./default.nix { inherit self; };
+}
diff --git a/clanServices/coredns/README.md b/clanServices/coredns/README.md
new file mode 100644
index 0000000..6283045
--- /dev/null
+++ b/clanServices/coredns/README.md
@@ -0,0 +1,73 @@
+!!! Danger "Experimental"
+    This service is experimental and will change in the future.
+
+This module enables hosting clan-internal services easily, which can be resolved
+inside your VPN. This allows defining a custom top-level domain (e.g. `.clan`)
+and exposing endpoints from a machine to others, which will be
+accessible under `http://<service>.clan` in your browser.
+
+The service consists of two roles:
+
+- A `server` role: This is the DNS-server that will be queried when trying to
+  resolve clan-internal services. It defines the top-level domain.
+- A `default` role: This does two things. First, it sets up the nameservers so
+  that clan-internal queries are resolved via the `server` machine, while
+  external queries are resolved as normal via DHCP. Second, it allows exposing
+  services (see example below).
+
+## Example Usage
+
+Here the machine `dnsserver` is designated as internal DNS-server for the TLD
+`.foo`. `server01` will host an application that shall be reachable at
+`http://one.foo` and `server02` is going to be reachable at `http://two.foo`.
+`client` is any other machine that is part of the clan but does not host any
+services.
+
+When `client` tries to resolve `http://one.foo`, the DNS query will be
+routed to `dnsserver`, which will answer with `192.168.1.3`. If it tries to
+resolve some external domain (e.g. `https://clan.lol`), the query will not be
+routed to `dnsserver` but resolved as before, via the nameservers advertised by
+DHCP.
+
+```nix
+inventory = {
+
+  machines = {
+    dnsserver = { }; # 192.168.1.2
+    server01 = { };  # 192.168.1.3
+    server02 = { };  # 192.168.1.4
+    client = { };    # 192.168.1.5
+  };
+
+  instances = {
+    coredns = {
+
+      module.name = "@clan/coredns";
+      module.input = "self";
+
+      # Add the default role to all machines, including `client`
+      roles.default.tags.all = { };
+
+      # DNS server queries to http://<name>.foo are resolved here
+      roles.server.machines."dnsserver".settings = {
+        ip = "192.168.1.2";
+        tld = "foo";
+      };
+
+      # First service
+      # Registers http://one.foo will resolve to 192.168.1.3
+      # underlying service runs on server01
+      roles.default.machines."server01".settings = {
+        ip = "192.168.1.3";
+        services = [ "one" ];
+      };
+
+      # Second service
+      roles.default.machines."server02".settings = {
+        ip = "192.168.1.4";
+        services = [ "two" ];
+      };
+    };
+  };
+};
+```
diff --git a/clanServices/coredns/default.nix b/clanServices/coredns/default.nix
new file mode 100644
index 0000000..20d4350
--- /dev/null
+++ b/clanServices/coredns/default.nix
@@ -0,0 +1,235 @@
+{ ... }:
+
+{
+  _class = "clan.service";
+  manifest.name = "coredns";
+  manifest.description = "Clan-internal DNS and service exposure";
+  manifest.categories = [ "Network" ];
+  manifest.readme = builtins.readFile ./README.md;
+
+  roles.server = {
+    description = "A DNS server that resolves services in the clan network.";
+    interface =
+      { lib, ... }:
+      {
+        options.tld = lib.mkOption {
+          type = lib.types.str;
+          default = "clan";
+          description = ''
+            Top-level domain for this instance. All services below this will be
+            resolved internally.
+          '';
+        };
+
+        options.ip = lib.mkOption {
+          type = lib.types.str;
+          # TODO: Set a default
+          description = "IP for the DNS to listen on";
+        };
+
+        options.dnsPort = lib.mkOption {
+          type = lib.types.int;
+          default = 1053;
+          description = "Port of the clan-internal DNS server";
+        };
+      };
+
+    perInstance =
+      {
+        roles,
+        settings,
+        ...
+      }:
+      {
+        nixosModule =
+          {
+            lib,
+            pkgs,
+            ...
+          }:
+
+          let
+            hostServiceEntries =
+              host:
+              lib.strings.concatStringsSep "\n" (
+                map (
+                  service:
+                  let
+                    ip = roles.default.machines.${host}.settings.ip;
+                    isIPv4 = addr: (builtins.match "\\." addr) != null;
+                    recordType = if (isIPv4 ip) then "A" else "AAAA";
+                  in
+                  "${service} IN ${recordType} ${ip}   ; ${host}"
+                ) roles.default.machines.${host}.settings.services
+              );
+
+            hostnameEntries = ''
+              crocus 10800 IN AAAA fd28:387a:90:c400:6db2:dfc3:c376:9956
+              genepi 10800 IN AAAA fd28:387a:90:c400:ab23:3d38:a148:f539
+              verbena 10800 IN AAAA fd28:387a:90:c400::1
+              haze 10800 IN AAAA fd28:387a:90:c400:840e:e9db:4c08:b920
+            '';
+
+            zonefile = builtins.toFile "${settings.tld}.zone" (
+              ''
+                $TTL 3600 ; 1 Hour
+                $ORIGIN ${settings.tld}.
+                ${settings.tld}. IN SOA ns1 admin.rpqt.fr. (
+                	2025112300 ; serial
+                	10800 ; refresh
+                	3600 ; retry
+                	604800 ; expire
+                	300 ; minimum
+                )
+
+                ${builtins.concatStringsSep "\n" (
+                  lib.lists.imap1 (i: _m: "@ 1D IN NS ns${toString i}.${settings.tld}.") (
+                    lib.attrNames roles.server.machines
+                  )
+                )}
+
+                ${builtins.concatStringsSep "\n" (
+                  lib.lists.imap1 (i: m: "ns${toString i} 10800 IN CNAME ${m}.${settings.tld}.") (
+                    lib.attrNames roles.server.machines
+                  )
+                )}
+
+              ''
+              + hostnameEntries
+              + "\n"
+              + (lib.strings.concatStringsSep "\n" (
+                map (host: hostServiceEntries host) (lib.attrNames roles.default.machines)
+              ))
+            );
+          in
+          {
+            networking.firewall.interfaces.wireguard = {
+              allowedTCPPorts = [ settings.dnsPort ];
+              allowedUDPPorts = [ settings.dnsPort ];
+            };
+
+            services.coredns = {
+              enable = true;
+              config =
+
+                let
+                  dnsPort = builtins.toString settings.dnsPort;
+                in
+
+                ''
+                  .:${dnsPort} {
+                      bind wireguard
+                      forward . 1.1.1.1
+                      cache 30
+                  }
+
+                  ${settings.tld}:${dnsPort} {
+                      bind wireguard
+                      file ${zonefile}
+                  }
+                '';
+            };
+          };
+      };
+  };
+
+  roles.default = {
+    description = "A machine that registers the 'server' role as resolver and registers services under the configured TLD in the resolver.";
+    interface =
+      { lib, ... }:
+      {
+        options.services = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+          description = ''
+            Service endpoints this host exposes (without TLD). Each entry will
+            be resolved to <entry>.<tld> using the configured top-level domain.
+          '';
+        };
+
+        options.ip = lib.mkOption {
+          type = lib.types.str;
+          # TODO: Set a default
+          description = "IP on which the services will listen";
+        };
+
+        options.dnsPort = lib.mkOption {
+          type = lib.types.int;
+          default = 1053;
+          description = "Port of the clan-internal DNS server";
+        };
+      };
+
+    perInstance =
+      { roles, settings, ... }:
+      {
+        nixosModule =
+          { config, lib, ... }:
+          {
+
+            networking.nameservers = map (
+              m:
+              let
+                port = config.services.unbound.settings.server.port or 53;
+              in
+              "127.0.0.1:${toString port}#${roles.server.machines.${m}.settings.tld}"
+            ) (lib.attrNames roles.server.machines);
+
+            services.resolved.domains = map (m: "~${roles.server.machines.${m}.settings.tld}") (
+              lib.attrNames roles.server.machines
+            );
+
+            services.unbound = {
+              enable = true;
+              # resolveLocalQueries = true;
+              checkconf = true;
+              settings = {
+                server = {
+                  port = 5353;
+                  verbosity = 2;
+                  interface = [ "127.0.0.1" ];
+                  access-control = [ "127.0.0.0/8 allow" ];
+                  do-not-query-localhost = "no";
+                  domain-insecure = map (m: "${roles.server.machines.${m}.settings.tld}.") (
+                    lib.attrNames roles.server.machines
+                  );
+                };
+
+                # Default: forward everything else to DHCP-provided resolvers
+                # forward-zone = [
+                #   {
+                #     name = ".";
+                #     forward-addr = "127.0.0.53@53"; # Forward to systemd-resolved
+                #   }
+                # ];
+                forward-zone = [
+                  {
+                    name = ".";
+                    forward-tls-upstream = true;
+                    forward-addr = [
+                      "9.9.9.9#dns.quad9.net"
+                      "149.112.112.112#dns.quad9.net"
+                      "1.1.1.1@853#cloudflare-dns.com"
+                      "1.0.0.1@853#cloudflare-dns.com"
+                      "2606:4700:4700::1111@853#cloudflare-dns.com"
+                      "2606:4700:4700::1001@853#cloudflare-dns.com"
+                      "8.8.8.8#dns.google"
+                      "8.8.4.4#dns.google"
+                      "2001:4860:4860::8888#dns.google"
+                      "2001:4860:4860::8844#dns.google"
+                    ];
+                  }
+                ];
+
+                stub-zone = {
+                  name = "${roles.server.machines.${(lib.head (lib.attrNames roles.server.machines))}.settings.tld}.";
+                  stub-addr = map (
+                    m: "${roles.server.machines.${m}.settings.ip}@${builtins.toString settings.dnsPort}"
+                  ) (lib.attrNames roles.server.machines);
+                };
+              };
+            };
+          };
+      };
+  };
+}
diff --git a/clanServices/coredns/flake-module.nix b/clanServices/coredns/flake-module.nix
new file mode 100644
index 0000000..69c8537
--- /dev/null
+++ b/clanServices/coredns/flake-module.nix
@@ -0,0 +1,18 @@
+{ ... }:
+let
+  module = ./default.nix;
+in
+{
+  clan.modules = {
+    "@rpqt/coredns" = module;
+  };
+  # perSystem =
+  #   { ... }:
+  #   {
+  #     clan.nixosTests.coredns = {
+  #       imports = [ ./tests/vm/default.nix ];
+
+  #       clan.modules."@rpqt/coredns" = module;
+  #     };
+  #   };
+}
diff --git a/clanServices/flake-module.nix b/clanServices/flake-module.nix
new file mode 100644
index 0000000..138d0f4
--- /dev/null
+++ b/clanServices/flake-module.nix
@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./buildbot/flake-module.nix
+    ./coredns/flake-module.nix
+    ./prometheus/flake-module.nix
+  ];
+}
diff --git a/clanServices/prometheus/README.md b/clanServices/prometheus/README.md
new file mode 100644
index 0000000..01c8a77
--- /dev/null
+++ b/clanServices/prometheus/README.md
@@ -0,0 +1,38 @@
+This module enables collecting metrics from machines in clan, using Prometheus.
+
+There are two roles:
+
+- A `target` role for machines on which to collect and export metrics.
+- A `scraper` roles for machines that fetch metrics from `target` machines and
+  store them in the long term.
+
+
+```nix
+inventory = {
+
+  machines = {
+    server01.tags.server = {};
+    server02.tags.server = {};
+    metrics.tags.server = {}; # metrics collector
+  };
+
+  instances = {
+    prometheus = {
+      module.name = "@rpqt/prometheus";
+      module.input = "self";
+
+      roles.scraper.machines."metrics" = {};
+
+      # Collect metrics on all servers
+      roles.target.tags.server = {
+        settings = {
+          exporters = {
+            # Enable the node-exporter metrics source
+            node.enabledCollectors = [ "systemd" ];
+          };
+        };
+      };
+    };
+  };
+};
+```
diff --git a/clanServices/prometheus/default.nix b/clanServices/prometheus/default.nix
new file mode 100644
index 0000000..58762f3
--- /dev/null
+++ b/clanServices/prometheus/default.nix
@@ -0,0 +1,114 @@
+{ self, ... }:
+{ lib, ... }:
+{
+  _class = "clan.service";
+  manifest.name = "prometheus";
+  manifest.description = "Prometheus metrics collection across the clan network.";
+  manifest.readme = builtins.readFile ./README.md;
+
+  # Only works with zerotier (until a unified network module is ready)
+
+  roles.scraper = {
+    description = "A server that scrapes metrics from exporters of machines that have the 'target' role.";
+    interface = {
+      options.extraScrapeConfigs = lib.mkOption {
+        type = lib.types.listOf lib.types.attrs;
+        description = "A list of additional scrape configurations.";
+      };
+    };
+
+    perInstance =
+      {
+        settings,
+        roles,
+        ...
+      }:
+      {
+        nixosModule =
+          { config, lib, ... }:
+          {
+            services.prometheus.enable = true;
+            services.prometheus.scrapeConfigs =
+              let
+                allExporters = lib.unique (
+                  lib.concatLists (
+                    lib.map (machine: lib.attrNames machine.settings.exporters) (lib.attrValues roles.target.machines)
+                  )
+                );
+                hasExporter =
+                  exporter: machine: lib.hasAttr exporter roles.target.machines.${machine}.settings.exporters;
+                mkScrapeConfig = (
+                  exporter:
+                  let
+                    machinesWithExporter = lib.filter (hasExporter exporter) (lib.attrNames roles.target.machines);
+                  in
+                  {
+                    job_name = exporter;
+                    static_configs = lib.map (machineName: {
+                      targets =
+                        let
+                          targetConfig = self.nixosConfigurations.${machineName}.config;
+                          targetHost = targetConfig.clan.core.vars.generators.zerotier.files.zerotier-ip.value;
+                        in
+                        [
+                          "[${targetHost}]:${toString targetConfig.services.prometheus.exporters.${exporter}.port}"
+                        ];
+                      labels.instance = machineName;
+                    }) machinesWithExporter;
+                  }
+                );
+              in
+              (lib.map mkScrapeConfig allExporters) ++ settings.extraScrapeConfigs;
+
+            clan.core.state.prometheus.folders = [ "/var/lib/${config.services.prometheus.stateDir}" ];
+          };
+      };
+  };
+
+  roles.target = {
+    description = "A machine on which to collect and export metrics.";
+    interface =
+      { lib, ... }:
+      {
+        options = {
+          exporters = lib.mkOption {
+            type = lib.types.attrs;
+            default = { };
+            example = {
+              node = {
+                enabledCollectors = [ "systemd" ];
+                port = 9002;
+              };
+            };
+            description = "Attribute set of exporters to enable";
+          };
+        };
+      };
+
+    perInstance =
+      {
+        instanceName,
+        settings,
+        machine,
+        roles,
+        ...
+      }:
+      {
+        nixosModule =
+          { config, lib, ... }:
+          {
+            services.prometheus.exporters = builtins.mapAttrs (
+              name: exporterSettings:
+              exporterSettings
+              // {
+                enable = true;
+              }
+            ) settings.exporters;
+
+            networking.firewall.interfaces."zts7mq7onf".allowedTCPPorts = lib.map (
+              exporterName: config.services.prometheus.exporters.${exporterName}.port
+            ) (lib.attrNames settings.exporters);
+          };
+      };
+  };
+}
diff --git a/clanServices/prometheus/flake-module.nix b/clanServices/prometheus/flake-module.nix
new file mode 100644
index 0000000..0c56386
--- /dev/null
+++ b/clanServices/prometheus/flake-module.nix
@@ -0,0 +1,4 @@
+{ self, lib, ... }:
+{
+  clan.modules."@rpqt/prometheus" = lib.modules.importApply ./default.nix { inherit self; };
+}
diff --git a/devShells/flake-module.nix b/devShells/flake-module.nix
new file mode 100644
index 0000000..961492c
--- /dev/null
+++ b/devShells/flake-module.nix
@@ -0,0 +1,26 @@
+{
+  perSystem =
+    {
+      inputs',
+      pkgs,
+      ...
+    }:
+    {
+      devShells.default = pkgs.mkShellNoCC {
+        packages = [
+          inputs'.clan-core.packages.clan-cli
+          pkgs.garage
+          pkgs.nil # Nix language server
+          pkgs.nixfmt
+          pkgs.opentofu
+          pkgs.terraform-ls
+          pkgs.deploy-rs
+          pkgs.zsh
+        ];
+        shellHook = ''
+          export GARAGE_RPC_SECRET=$(clan vars get crocus garage-shared/rpc_secret)
+          export GARAGE_RPC_HOST=5d8249fe49264d36bc3532bd88400498bf9497b5cd4872245eb820d5d7797ed6@crocus.val:3901
+        '';
+      };
+    };
+}
diff --git a/dotbot/windows.yaml b/dotbot/windows.yaml
new file mode 100644
index 0000000..1750fde
--- /dev/null
+++ b/dotbot/windows.yaml
@@ -0,0 +1,8 @@
+- defaults:
+    link:
+      relink: true
+
+- link:
+    ~/AppData/Roaming/helix/config.toml: .config/helix/config.toml
+    ~/AppData/Roaming/jj/config.toml: .config/jj/config.toml
+    ~/AppData/Roaming/nushell/config.nu: .config/nushell/config.nu
diff --git a/flake.lock b/flake.lock
index 547ca88..e7e5916 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,25 +1,25 @@
 {
   "nodes": {
-    "agenix": {
+    "buildbot-nix": {
       "inputs": {
-        "darwin": "darwin",
-        "home-manager": "home-manager",
+        "flake-parts": "flake-parts",
+        "hercules-ci-effects": "hercules-ci-effects",
         "nixpkgs": [
           "nixpkgs"
         ],
-        "systems": "systems"
+        "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1745630506,
-        "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "96e078c646b711aee04b82ba01aefbff87004ded",
+        "lastModified": 1768230255,
+        "narHash": "sha256-d98+nRSV2X86LcJUDZDAR9wvmmGG1uMzY5/zJdKH9pU=",
+        "owner": "nix-community",
+        "repo": "buildbot-nix",
+        "rev": "6c62d4e0e82b607638b00d6f4f4ad06646342826",
         "type": "github"
       },
       "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
+        "owner": "nix-community",
+        "repo": "buildbot-nix",
         "type": "github"
       }
     },
@@ -27,23 +27,24 @@
       "inputs": {
         "data-mesher": "data-mesher",
         "disko": "disko",
-        "flake-parts": "flake-parts",
+        "flake-parts": [
+          "flake-parts"
+        ],
         "nix-darwin": "nix-darwin",
         "nix-select": "nix-select",
-        "nixos-facter-modules": "nixos-facter-modules",
         "nixpkgs": [
           "nixpkgs"
         ],
         "sops-nix": "sops-nix",
-        "systems": "systems_2",
-        "treefmt-nix": "treefmt-nix"
+        "systems": "systems",
+        "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1747400548,
-        "narHash": "sha256-zvBGXYkd8pZKkBXlLdcw0/nxSoGJOkwGbc6dz9NS4G8=",
+        "lastModified": 1768662392,
+        "narHash": "sha256-tE6k6yaQDF1n4YkTC4aH+BgKNQM36bYdhslP0udgMyY=",
         "ref": "refs/heads/main",
-        "rev": "56f3fd0a454635d0449330e6848a98bab6da020e",
-        "revCount": 6979,
+        "rev": "1f2f93239ef3638d4b7a2187d021b8d8fe6507b8",
+        "revCount": 12169,
         "type": "git",
         "url": "https://git.clan.lol/clan/clan-core"
       },
@@ -52,28 +53,6 @@
         "url": "https://git.clan.lol/clan/clan-core"
       }
     },
-    "darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1744478979,
-        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "ref": "master",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
     "data-mesher": {
       "inputs": {
         "flake-parts": [
@@ -84,27 +63,47 @@
           "clan-core",
           "nixpkgs"
         ],
-        "systems": [
-          "clan-core",
-          "systems"
-        ],
         "treefmt-nix": [
           "clan-core",
           "treefmt-nix"
         ]
       },
       "locked": {
-        "lastModified": 1747329636,
-        "narHash": "sha256-mmyx5trq5ZQp6uShbHNfqgSxdg9OeArcZGdZKtHjhqw=",
-        "rev": "7afcd6f322b9839699f6f31d5bed884c6dd412c4",
+        "lastModified": 1768383623,
+        "narHash": "sha256-X1jD5UvgYW50wWxdxJn9b8hiOvpSoLcO3ZC1AZx7+gQ=",
+        "rev": "82c2fbf84ea0162d95b4958f02499e68c9a843a6",
         "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/7afcd6f322b9839699f6f31d5bed884c6dd412c4.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/82c2fbf84ea0162d95b4958f02499e68c9a843a6.tar.gz"
       },
       "original": {
         "type": "tarball",
         "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz"
       }
     },
+    "direnv-instant": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix_3"
+      },
+      "locked": {
+        "lastModified": 1768657403,
+        "narHash": "sha256-YkbdCu2ZInQj72rQQLgVP2x1m8il8+DtwzypBiYrrfE=",
+        "owner": "Mic92",
+        "repo": "direnv-instant",
+        "rev": "ab8c70c557f610e20008eb407d17cfd78b44ea1c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "direnv-instant",
+        "type": "github"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -113,11 +112,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747274630,
-        "narHash": "sha256-87RJwXbfOHyzTB9LYagAQ6vOZhszCvd8Gvudu+gf3qo=",
+        "lastModified": 1766150702,
+        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "ec7c109a4f794fce09aad87239eab7f66540b888",
+        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
         "type": "github"
       },
       "original": {
@@ -133,11 +132,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747274630,
-        "narHash": "sha256-87RJwXbfOHyzTB9LYagAQ6vOZhszCvd8Gvudu+gf3qo=",
+        "lastModified": 1766150702,
+        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "ec7c109a4f794fce09aad87239eab7f66540b888",
+        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
         "type": "github"
       },
       "original": {
@@ -149,16 +148,16 @@
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
-          "clan-core",
+          "buildbot-nix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "lastModified": 1767609335,
+        "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "250481aafeb741edfe23d29195671c19b36b6dca",
         "type": "github"
       },
       "original": {
@@ -167,19 +166,63 @@
         "type": "github"
       }
     },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768135262,
+        "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "hercules-ci-effects": {
+      "inputs": {
+        "flake-parts": [
+          "buildbot-nix",
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "buildbot-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765774562,
+        "narHash": "sha256-UQhfCggNGDc7eam+EittlYmeW89CZVT1KkFIHZWBH7k=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "rev": "edcbb19948b6caf1700434e369fde6ff9e6a3c93",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
-          "agenix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1745494811,
-        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "lastModified": 1768598210,
+        "narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
         "type": "github"
       },
       "original": {
@@ -188,41 +231,6 @@
         "type": "github"
       }
     },
-    "home-manager_2": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1747374689,
-        "narHash": "sha256-JT/aBZqmK1LbExzwT9cPkvxKc0IC4i6tZKOPjsSWFbI=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "d2263ce5f4c251c0f7608330e8fdb7d1f01f0667",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
-    "impermanence": {
-      "locked": {
-        "lastModified": 1737831083,
-        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
-        "owner": "nix-community",
-        "repo": "impermanence",
-        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "impermanence",
-        "type": "github"
-      }
-    },
     "nix-darwin": {
       "inputs": {
         "nixpkgs": [
@@ -231,11 +239,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747365160,
-        "narHash": "sha256-4ZVr0x+ry6ybym/VhVYACj0HlJo44YxAaPGOxiS88Hg=",
+        "lastModified": 1768561867,
+        "narHash": "sha256-prGOZ+w3pZfGTRxworKcJliCNsewF0L4HUPjgU/6eaw=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "8817b00b0011750381d0d44bb94d61087349b6ba",
+        "rev": "8b720b9662d4dd19048664b7e4216ce530591adc",
         "type": "github"
       },
       "original": {
@@ -246,11 +254,11 @@
     },
     "nix-select": {
       "locked": {
-        "lastModified": 1745005516,
-        "narHash": "sha256-IVaoOGDIvAa/8I0sdiiZuKptDldrkDWUNf/+ezIRhyc=",
-        "rev": "69d8bf596194c5c35a4e90dd02c52aa530caddf8",
+        "lastModified": 1763303120,
+        "narHash": "sha256-yxcNOha7Cfv2nhVpz9ZXSNKk0R7wt4AiBklJ8D24rVg=",
+        "rev": "3d1e3860bef36857a01a2ddecba7cdb0a14c35a9",
         "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/69d8bf596194c5c35a4e90dd02c52aa530caddf8.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/3d1e3860bef36857a01a2ddecba7cdb0a14c35a9.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -272,32 +280,17 @@
         "type": "github"
       }
     },
-    "nixos-facter-modules": {
-      "locked": {
-        "lastModified": 1743671943,
-        "narHash": "sha256-7sYig0+RcrR3sOL5M+2spbpFUHyEP7cnUvCaqFOBjyU=",
-        "owner": "nix-community",
-        "repo": "nixos-facter-modules",
-        "rev": "58ad9691670d293a15221d4a78818e0088d2e086",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixos-facter-modules",
-        "type": "github"
-      }
-    },
     "nixos-generators": {
       "inputs": {
         "nixlib": "nixlib",
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1742568034,
-        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
+        "lastModified": 1764234087,
+        "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
+        "rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
         "type": "github"
       },
       "original": {
@@ -308,11 +301,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1747129300,
-        "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=",
+        "lastModified": 1768584846,
+        "narHash": "sha256-IRPmIOV2tPwxbhP/I9M5AmwhTC0lMPtoPStC+8T6xl0=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "e81fd167b33121269149c57806599045fd33eeed",
+        "rev": "cce68f4a54fa4e3d633358364477f5cc1d782440",
         "type": "github"
       },
       "original": {
@@ -340,11 +333,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1747179050,
-        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
+        "lastModified": 1768564909,
+        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
+        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
         "type": "github"
       },
       "original": {
@@ -356,14 +349,17 @@
     },
     "root": {
       "inputs": {
-        "agenix": "agenix",
+        "buildbot-nix": "buildbot-nix",
         "clan-core": "clan-core",
+        "direnv-instant": "direnv-instant",
         "disko": "disko_2",
-        "home-manager": "home-manager_2",
-        "impermanence": "impermanence",
+        "flake-parts": "flake-parts_2",
+        "home-manager": "home-manager",
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_2",
+        "srvos": "srvos",
+        "terranix": "terranix"
       }
     },
     "sops-nix": {
@@ -374,11 +370,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746485181,
-        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
+        "lastModified": 1768481291,
+        "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
+        "rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
         "type": "github"
       },
       "original": {
@@ -387,6 +383,26 @@
         "type": "github"
       }
     },
+    "srvos": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768523683,
+        "narHash": "sha256-UbkyPXPPAbz0gHIWvHZ+jrPTruZqkpuwTFo5JXPnIgU=",
+        "owner": "nix-community",
+        "repo": "srvos",
+        "rev": "90e9331fd79d4c3bb5c1e7cd2df2e560565fe543",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "srvos",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -417,7 +433,52 @@
         "type": "github"
       }
     },
+    "terranix": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1762472226,
+        "narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=",
+        "owner": "terranix",
+        "repo": "terranix",
+        "rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "terranix",
+        "repo": "terranix",
+        "type": "github"
+      }
+    },
     "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "buildbot-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768031762,
+        "narHash": "sha256-b2gJDJfi+TbA7Hu2sKip+1mWqya0GJaWrrXQjpbOVTU=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "0c445aa21b01fd1d4bb58927f7b268568af87b20",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix_2": {
       "inputs": {
         "nixpkgs": [
           "clan-core",
@@ -425,11 +486,32 @@
         ]
       },
       "locked": {
-        "lastModified": 1747299117,
-        "narHash": "sha256-JGjCVbxS+9t3tZ2IlPQ7sdqSM4c+KmIJOXVJPfWmVOU=",
+        "lastModified": 1768158989,
+        "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "e758f27436367c23bcd63cd973fa5e39254b530e",
+        "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix_3": {
+      "inputs": {
+        "nixpkgs": [
+          "direnv-instant",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1768031762,
+        "narHash": "sha256-b2gJDJfi+TbA7Hu2sKip+1mWqya0GJaWrrXQjpbOVTU=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "0c445aa21b01fd1d4bb58927f7b268568af87b20",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 5103abf..a3b99cd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,128 +5,60 @@
     inputs@{
       nixpkgs,
       clan-core,
-      home-manager,
-      impermanence,
-      nixos-generators,
-      nixos-hardware,
-      self,
+      flake-parts,
       ...
     }:
-    let
-      clan = clan-core.lib.buildClan {
-        self = self;
-        meta.name = "blossom";
-        specialArgs = {
-          inherit inputs self;
-          inherit (import ./parts) keys;
-        };
-        inventory = {
-          instances = {
-            "rpqt-admin" = {
-              module.input = "clan-core";
-              module.name = "admin";
-              roles.default.machines = {
-                "crocus" = { };
-                "genepi" = { };
-                "haze" = { };
-              };
-              roles.default.settings.allowedKeys = {
-                rpqt_haze = (import ./parts).keys.rpqt.haze;
-              };
-            };
-          };
-          services = {
-            zerotier.default = {
-              roles.controller.machines = [
-                "crocus"
-              ];
-              roles.peer.machines = [
-                "haze"
-                "genepi"
-              ];
-            };
-            sshd.default = {
-              roles.server.machines = [ "crocus" ];
-            };
-            user-password.rpqt = {
-              roles.default.machines = [
-                "crocus"
-                "genepi"
-                "haze"
-              ];
-              config.user = "rpqt";
-            };
-          };
-        };
-      };
-    in
-    {
-      inherit (clan) clanInternals nixosConfigurations;
+    flake-parts.lib.mkFlake { inherit inputs; } ({
+      imports = [
+        clan-core.flakeModules.default
+        inputs.terranix.flakeModule
+        ./clan/flake-module.nix
+        ./clanServices/flake-module.nix
+        ./devShells/flake-module.nix
+        ./home-manager/flake-module.nix
+        ./infra/flake-module.nix
+        ./modules/flake-module.nix
+        ./packages/flake-module.nix
+      ];
 
-      devShells =
-        let
-          system = "x86_64-linux";
-          pkgs = import nixpkgs {
-            inherit system;
-          };
-        in
-        {
-          "${system}".default = pkgs.mkShell {
-            packages = [
-              inputs.agenix.packages.${system}.default
-              clan-core.packages.${system}.clan-cli
-              pkgs.nil # Nix language server
-              pkgs.nixfmt-rfc-style
-              pkgs.opentofu
-              pkgs.terraform-ls
-              pkgs.deploy-rs
-              pkgs.zsh
-            ];
-            shellhook = ''
-              exec zsh
-            '';
-          };
-        };
-    };
+      systems = [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
+    });
 
   inputs = {
-    nixpkgs = {
-      url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    };
-    disko = {
-      url = "github:nix-community/disko";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    home-manager = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    impermanence = {
-      url = "github:nix-community/impermanence";
-    };
-    nixos-hardware = {
-      url = "github:NixOS/nixos-hardware/master";
-    };
-    nixos-generators = {
-      url = "github:nix-community/nixos-generators";
-    };
-    agenix = {
-      url = "github:ryantm/agenix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    clan-core = {
-      url = "git+https://git.clan.lol/clan/clan-core";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-  };
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
 
-  nixConfig = {
-    extra-substituters = [
-      "https://cache.nixos.org"
-      "https://nix-community.cachix.org"
-    ];
-    extra-trusted-public-keys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-    ];
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
+    home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+
+    nixos-generators.url = "github:nix-community/nixos-generators";
+
+    clan-core.url = "git+https://git.clan.lol/clan/clan-core";
+    clan-core.inputs.nixpkgs.follows = "nixpkgs";
+    clan-core.inputs.flake-parts.follows = "flake-parts";
+
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+
+    srvos.url = "github:nix-community/srvos";
+    srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+    buildbot-nix.url = "github:nix-community/buildbot-nix";
+    buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+    direnv-instant.url = "github:Mic92/direnv-instant";
+    direnv-instant.inputs.nixpkgs.follows = "nixpkgs";
+    direnv-instant.inputs.flake-parts.follows = "flake-parts";
+
+    terranix.url = "github:terranix/terranix";
+    terranix.inputs.nixpkgs.follows = "nixpkgs";
+    terranix.inputs.flake-parts.follows = "flake-parts";
   };
 }
diff --git a/home/chat.nix b/home-manager/chat.nix
similarity index 56%
rename from home/chat.nix
rename to home-manager/chat.nix
index 25fcf22..0b9cd4a 100644
--- a/home/chat.nix
+++ b/home-manager/chat.nix
@@ -1,5 +1,14 @@
-{ config, pkgs, ... }:
 {
+  self,
+  config,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    self.homeManagerModules.dotfiles
+  ];
+
   home.packages = with pkgs; [ senpai ];
 
   xdg.configFile."senpai".source = "${config.dotfiles.path}/.config/senpai";
diff --git a/home-manager/cli.nix b/home-manager/cli.nix
new file mode 100644
index 0000000..89ccda3
--- /dev/null
+++ b/home-manager/cli.nix
@@ -0,0 +1,76 @@
+{
+  self,
+  config,
+  osConfig,
+  pkgs,
+  ...
+}:
+let
+  shellAliases = {
+    ls = "eza";
+    lsa = "ls -A";
+    ll = "ls -lh";
+    lla = "ls -lAh";
+    h = "hx";
+    g = "git";
+    cd = "z";
+    tree = "eza --tree";
+    ".." = "cd ..";
+    "..." = "cd ../..";
+  };
+in
+{
+  imports = [
+    self.homeManagerModules.dotfiles
+  ];
+
+  home.packages = with pkgs; [
+    age
+    age-plugin-yubikey
+    bottom
+    btop
+    comma
+    difftastic
+    doggo
+    duf
+    eza
+    fd
+    glow
+    jjui
+    lazygit
+    nh
+    passage
+    rage
+    ripgrep
+    skim
+    tealdeer
+    vivid
+    yazi
+    zoxide
+  ];
+
+  programs.zoxide.enable = true;
+  programs.starship.enable = true;
+  programs.bat.enable = true;
+
+  programs.atuin.enable = true;
+  xdg.dataFile."atuin/key".source =
+    config.lib.file.mkOutOfStoreSymlink osConfig.clan.core.vars.generators.atuin.files.key.path;
+
+  programs.zsh = {
+    enable = true;
+    syntaxHighlighting.enable = true;
+    inherit shellAliases;
+  };
+
+  programs.fish = {
+    enable = true;
+    inherit shellAliases;
+  };
+
+  xdg.configFile."git".source = "${config.dotfiles.path}/.config/git";
+  xdg.configFile."jj/config.toml".source = "${config.dotfiles.path}/.config/jj/config.toml";
+  xdg.configFile."task/taskrc".source = "${config.dotfiles.path}/.config/task/taskrc";
+
+  home.sessionPath = [ "${config.dotfiles.path}/bin" ];
+}
diff --git a/home/common.nix b/home-manager/common.nix
similarity index 100%
rename from home/common.nix
rename to home-manager/common.nix
diff --git a/home/desktop/default.nix b/home-manager/desktop/default.nix
similarity index 56%
rename from home/desktop/default.nix
rename to home-manager/desktop/default.nix
index 2c51df5..b46f155 100644
--- a/home/desktop/default.nix
+++ b/home-manager/desktop/default.nix
@@ -3,13 +3,13 @@
   imports = [
     ./fonts.nix
     ./pass.nix
+    ./terminal.nix
     ./wayland.nix
   ];
 
   home.packages = with pkgs; [
     discord
     seahorse
-    wofi-emoji
   ];
 
   home.pointerCursor = {
@@ -20,4 +20,14 @@
   };
 
   gtk.enable = true;
+  gtk.iconTheme = {
+    name = "WhiteSur";
+    package = pkgs.whitesur-icon-theme.override {
+      alternativeIcons = true;
+      boldPanelIcons = true;
+    };
+  };
+
+  qt.enable = true;
+  qt.platformTheme.name = "gtk";
 }
diff --git a/home/desktop/fonts.nix b/home-manager/desktop/fonts.nix
similarity index 56%
rename from home/desktop/fonts.nix
rename to home-manager/desktop/fonts.nix
index b19e389..b987e69 100644
--- a/home/desktop/fonts.nix
+++ b/home-manager/desktop/fonts.nix
@@ -6,4 +6,8 @@
   ];
 
   fonts.fontconfig.enable = true;
+  fonts.fontconfig.defaultFonts = {
+    sansSerif = [ "Adwaita Sans" ];
+    monospace = [ "Adwaita Mono" ];
+  };
 }
diff --git a/home-manager/desktop/gnome.nix b/home-manager/desktop/gnome.nix
new file mode 100644
index 0000000..d246e40
--- /dev/null
+++ b/home-manager/desktop/gnome.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs.gnomeExtensions; [
+    blur-my-shell
+    paperwm
+  ];
+
+  dconf.settings = {
+    "org/gnome/nautilus/preferences" = {
+      show-image-thumbnails = "always";
+    };
+  };
+}
diff --git a/home-manager/desktop/niri.nix b/home-manager/desktop/niri.nix
new file mode 100644
index 0000000..9422dda
--- /dev/null
+++ b/home-manager/desktop/niri.nix
@@ -0,0 +1,9 @@
+{ self, config, ... }:
+{
+  imports = [
+    self.homeManagerModules.dotfiles
+    ./wayland.nix
+  ];
+
+  xdg.configFile."niri".source = "${config.dotfiles.path}/.config/niri";
+}
diff --git a/home/desktop/pass.nix b/home-manager/desktop/pass.nix
similarity index 79%
rename from home/desktop/pass.nix
rename to home-manager/desktop/pass.nix
index 84cc37f..3b60fee 100644
--- a/home/desktop/pass.nix
+++ b/home-manager/desktop/pass.nix
@@ -9,6 +9,6 @@
   programs.gpg.enable = true;
   services.gpg-agent = {
     enable = true;
-    pinentryPackage = pkgs.pinentry-gnome3;
+    pinentry.package = pkgs.pinentry-gnome3;
   };
 }
diff --git a/home-manager/desktop/terminal.nix b/home-manager/desktop/terminal.nix
new file mode 100644
index 0000000..46ce790
--- /dev/null
+++ b/home-manager/desktop/terminal.nix
@@ -0,0 +1,22 @@
+{
+  config,
+  pkgs,
+  self,
+  ...
+}:
+{
+  imports = [
+    self.homeManagerModules.dotfiles
+  ];
+
+  home.packages = [
+    pkgs.alacritty
+    pkgs.ghostty
+  ];
+
+  programs.alacritty.enable = true;
+  xdg.configFile."alacritty/alacritty.toml".source =
+    "${config.dotfiles.path}/.config/alacritty/alacritty.toml";
+
+  xdg.configFile."ghostty/config".source = "${config.dotfiles.path}/.config/ghostty/config";
+}
diff --git a/home-manager/desktop/vicinae.nix b/home-manager/desktop/vicinae.nix
new file mode 100644
index 0000000..ecb446a
--- /dev/null
+++ b/home-manager/desktop/vicinae.nix
@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  ...
+}:
+{
+  programs.vicinae = {
+    enable = true;
+    systemd.enable = true;
+    systemd.autoStart = true;
+  };
+
+  xdg.configFile."vicinae/vicinae.json".source =
+    lib.mkForce "${config.dotfiles.path}/.config/vicinae/vicinae.json";
+
+  xdg.configFile."matugen/config.toml".source = "${config.dotfiles.path}/.config/matugen/config.toml";
+  xdg.configFile."matugen/templates/vicinae.toml".source =
+    "${config.dotfiles.path}/.config/matugen/templates/vicinae.toml";
+}
diff --git a/home/desktop/wayland.nix b/home-manager/desktop/wayland.nix
similarity index 84%
rename from home/desktop/wayland.nix
rename to home-manager/desktop/wayland.nix
index cdcefb0..2402cce 100644
--- a/home/desktop/wayland.nix
+++ b/home-manager/desktop/wayland.nix
@@ -1,7 +1,6 @@
 { pkgs, ... }:
 {
   home.packages = with pkgs; [
-    waypaper
     wl-clipboard
   ];
 }
diff --git a/home-manager/dev.nix b/home-manager/dev.nix
new file mode 100644
index 0000000..06c3332
--- /dev/null
+++ b/home-manager/dev.nix
@@ -0,0 +1,42 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./cli.nix
+    ./helix.nix
+    self.homeManagerModules.dotfiles
+    self.inputs.direnv-instant.homeModules.direnv-instant
+  ];
+
+  home.packages = with pkgs; [
+    delta
+    direnv
+    gh
+    hut
+    jujutsu
+    nix-output-monitor
+    python3
+    radicle-desktop
+    radicle-node
+    radicle-tui
+    typescript-language-server
+    nil # Nix language server
+    nixfmt-rfc-style
+    nixpkgs-review
+  ];
+
+  programs.direnv = {
+    enable = true;
+    enableZshIntegration = true;
+    nix-direnv.enable = true;
+  };
+
+  programs.direnv-instant.enable = true;
+
+  xdg.configFile."hut/config".source = "${config.dotfiles.path}/.config/hut/config";
+  home.file.".ssh/config".source = "${config.dotfiles.path}/.ssh/config";
+}
diff --git a/home/dotfiles.nix b/home-manager/dotfiles.nix
similarity index 90%
rename from home/dotfiles.nix
rename to home-manager/dotfiles.nix
index 818bec3..ff9c6d8 100644
--- a/home/dotfiles.nix
+++ b/home-manager/dotfiles.nix
@@ -5,7 +5,7 @@
       path = lib.mkOption {
         type = lib.types.path;
         apply = toString;
-        default = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/rep/dotfiles";
+        default = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/rep/flocon/home";
         example = "${config.home.homeDirectory}/.dotfiles";
         description = "Location of the dotfiles working copy";
       };
diff --git a/home-manager/flake-module.nix b/home-manager/flake-module.nix
new file mode 100644
index 0000000..4909227
--- /dev/null
+++ b/home-manager/flake-module.nix
@@ -0,0 +1,5 @@
+{
+  flake.homeManagerModules = {
+    dotfiles.imports = [ ./dotfiles.nix ];
+  };
+}
diff --git a/home-manager/helix.nix b/home-manager/helix.nix
new file mode 100644
index 0000000..61aa5cb
--- /dev/null
+++ b/home-manager/helix.nix
@@ -0,0 +1,24 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    self.homeManagerModules.dotfiles
+  ];
+
+  home.packages = [ pkgs.helix ];
+
+  programs.helix = {
+    enable = true;
+    defaultEditor = true;
+  };
+
+  home.sessionVariables.EDITOR = "hx";
+
+  xdg.configFile."helix/config.toml".source = "${config.dotfiles.path}/.config/helix/config.toml";
+  xdg.configFile."helix/languages.toml".source =
+    "${config.dotfiles.path}/.config/helix/languages.toml";
+}
diff --git a/home-manager/mail/default.nix b/home-manager/mail/default.nix
new file mode 100644
index 0000000..fba8674
--- /dev/null
+++ b/home-manager/mail/default.nix
@@ -0,0 +1,110 @@
+{ config, ... }:
+let
+  pass = "passage";
+in
+{
+  programs.thunderbird = {
+    enable = true;
+    profiles = {
+      main = {
+        isDefault = true;
+      };
+    };
+  };
+
+  programs.aerc = {
+    enable = true;
+    # safe since the accounts file just contains commands for retrieving passwords and is readonly in the nix store
+    extraConfig.general.unsafe-accounts-conf = true;
+  };
+
+  accounts.email.accounts = {
+    "rpqt@rpqt.fr" = rec {
+      address = "rpqt@rpqt.fr";
+      realName = "Romain Paquet";
+      primary = true;
+      flavor = "migadu.com";
+      thunderbird.enable = config.programs.thunderbird.enable;
+      aerc.enable = config.programs.aerc.enable;
+      passwordCommand = [
+        pass
+        "show"
+        "mail/${address}"
+      ];
+      folders.inbox = "INBOX";
+    };
+
+    "admin@rpqt.fr" = rec {
+      address = "admin@rpqt.fr";
+      aliases = [ "postmaster@rpqt.fr" ];
+      realName = "Postmaster";
+      flavor = "migadu.com";
+      thunderbird.enable = config.programs.thunderbird.enable;
+      aerc.enable = config.programs.aerc.enable;
+      passwordCommand = [
+        pass
+        "show"
+        "mail/${address}"
+      ];
+      folders.inbox = "INBOX";
+    };
+
+    "romain.paquet@grenoble-inp.org" = rec {
+      address = "romain.paquet@grenoble-inp.org";
+      realName = "Romain Paquet";
+      userName = "romain.paquet@grenoble-inp.org";
+      imap = {
+        host = "imap.partage.renater.fr";
+        port = 993;
+      };
+      smtp = {
+        host = "smtp.partage.renater.fr";
+        port = 465;
+      };
+      thunderbird.enable = config.programs.thunderbird.enable;
+      aerc.enable = config.programs.aerc.enable;
+      passwordCommand = [
+        pass
+        "show"
+        "mail/${address}"
+      ];
+      folders.inbox = "INBOX";
+    };
+
+    "admin@turifer.dev" = rec {
+      address = "admin@turifer.dev";
+      aliases = [ "postmaster@turifer.dev" ];
+      realName = "Postmaster";
+      flavor = "migadu.com";
+      thunderbird.enable = config.programs.thunderbird.enable;
+      aerc.enable = config.programs.aerc.enable;
+      passwordCommand = [
+        pass
+        "mail/${address}"
+      ];
+    };
+
+    "romain@student.agh.edu.pl" = {
+      address = "romain@student.agh.edu.pl";
+      aliases = [ "382799@student.agh.edu.pl" ];
+      realName = "Romain Paquet";
+      userName = "romain@student.agh.edu.pl";
+      imap = {
+        host = "poczta.agh.edu.pl";
+        port = 993;
+      };
+      smtp = {
+        host = "poczta.agh.edu.pl";
+        port = 465;
+      };
+      thunderbird.enable = config.programs.thunderbird.enable;
+    };
+
+    "romain.pqt@gmail.com" = {
+      address = "romain.pqt@gmail.com";
+      realName = "Romain Paquet";
+      flavor = "gmail.com";
+      thunderbird.enable = config.programs.thunderbird.enable;
+    };
+  };
+}
diff --git a/home/minecraft.nix b/home-manager/minecraft.nix
similarity index 100%
rename from home/minecraft.nix
rename to home-manager/minecraft.nix
diff --git a/home/.clang-format b/home/.clang-format
new file mode 100644
index 0000000..340e78a
--- /dev/null
+++ b/home/.clang-format
@@ -0,0 +1,16 @@
+BasedOnStyle: LLVM
+
+IndentWidth: 8
+TabWidth: 8
+UseTab: Always
+
+ColumnLimit: 80
+
+IndentCaseLabels: false
+IndentGotoLabels: false
+
+BreakBeforeBraces: Custom
+BraceWrapping:
+  AfterFunction: false
+
+AlwaysBreakAfterDefinitionReturnType: false
diff --git a/home/.config/alacritty/alacritty.toml b/home/.config/alacritty/alacritty.toml
new file mode 100644
index 0000000..62b95bd
--- /dev/null
+++ b/home/.config/alacritty/alacritty.toml
@@ -0,0 +1,37 @@
+[general]
+live_config_reload = false
+import = ["~/.config/alacritty/themes/kanagawa_wave.toml"]
+
+[font]
+size = 14
+
+[font.bold]
+family = "Jetbrains Mono NF"
+style = "Bold"
+
+[font.bold_italic]
+family = "Jetbrains Mono NF"
+style = "Bold Italic"
+
+[font.italic]
+family = "Jetbrains Mono NF"
+style = "Italic"
+
+[font.normal]
+family = "Jetbrains Mono NF"
+style = "Regular"
+
+[[keyboard.bindings]]
+action = "CreateNewWindow"
+key = "Return"
+mods = "Control|Shift"
+
+[mouse]
+hide_when_typing = true
+
+[window]
+opacity = 1.0
+
+[window.padding]
+x = 4
+y = 4
diff --git a/home/.config/alacritty/themes/kanagawa_lotus.toml b/home/.config/alacritty/themes/kanagawa_lotus.toml
new file mode 100644
index 0000000..7621688
--- /dev/null
+++ b/home/.config/alacritty/themes/kanagawa_lotus.toml
@@ -0,0 +1,35 @@
+[colors.primary]
+background = '#f2ecbc'
+foreground = '#545464'
+
+[colors.normal]
+black = "#1f1f28"
+red = "#c84053"
+green = "#6f894e"
+yellow = "#77713f"
+blue = "#4d699b"
+magenta = "#b35b79"
+cyan = "#597b75"
+white = "#545464"
+
+[colors.bright]
+black = "#8a8980"
+red = "#d7474b"
+green = "#6e915f"
+yellow = "#836f4a"
+blue = "#6693bf"
+magenta = "#624c83"
+cyan = "#5e857a"
+white = "#43436c"
+
+[colors.selection]
+background = '#c9cbd1'
+foreground = '#dcd7ba'
+
+[[colors.indexed_colors]]
+index = 16
+color = '#e98a00'
+
+[[colors.indexed_colors]]
+index = 17
+color = '#e82424'
diff --git a/home/.config/alacritty/themes/kanagawa_wave.toml b/home/.config/alacritty/themes/kanagawa_wave.toml
new file mode 100644
index 0000000..8585305
--- /dev/null
+++ b/home/.config/alacritty/themes/kanagawa_wave.toml
@@ -0,0 +1,35 @@
+[[colors.indexed_colors]]
+color = "0xffa066"
+index = 16
+
+[[colors.indexed_colors]]
+color = "0xff5d62"
+index = 17
+
+[colors.bright]
+black = "0x727169"
+blue = "0x7fb4ca"
+cyan = "0x7aa89f"
+green = "0x98bb6c"
+magenta = "0x938aa9"
+red = "0xe82424"
+white = "0xdcd7ba"
+yellow = "0xe6c384"
+
+[colors.normal]
+black = "0x090618"
+blue = "0x7e9cd8"
+cyan = "0x6a9589"
+green = "0x76946a"
+magenta = "0x957fb8"
+red = "0xc34043"
+white = "0xc8c093"
+yellow = "0xc0a36e"
+
+[colors.primary]
+background = "0x1f1f28"
+foreground = "0xdcd7ba"
+
+[colors.selection]
+background = "0x2d4f67"
+foreground = "0xc8c093"
diff --git a/home/.config/bat/config b/home/.config/bat/config
new file mode 100644
index 0000000..b83e6e2
--- /dev/null
+++ b/home/.config/bat/config
@@ -0,0 +1 @@
+--theme gruvbox-dark
diff --git a/home/.config/ghostty/config b/home/.config/ghostty/config
new file mode 100644
index 0000000..9483b2a
--- /dev/null
+++ b/home/.config/ghostty/config
@@ -0,0 +1,6 @@
+theme = dark:Kanagawa Wave,light:Builtin Light
+font-feature = -liga
+font-feature = -calt
+font-feature = -dlig
+font-size = 14
+window-inherit-working-directory = false
diff --git a/home/.config/git/common.gitconfig b/home/.config/git/common.gitconfig
new file mode 100644
index 0000000..e875b78
--- /dev/null
+++ b/home/.config/git/common.gitconfig
@@ -0,0 +1,54 @@
+[user]
+	email = rpqt@rpqt.fr
+	name = Romain Paquet
+[init]
+	defaultBranch = main
+[core]
+	excludesfile = ~/.config/git/ignore
+[filter "lfs"]
+	clean = git-lfs clean -- %f
+	smudge = git-lfs smudge -- %f
+	process = git-lfs filter-process
+	required = true
+[color]
+	ui = auto
+[sendemail]
+	smtpserver = smtp.migadu.com
+	smtpuser = rpqt@rpqt.fr
+	smtpencryption = ssl
+	smtpserverport = 465
+[diff]
+	colormoved = "default"
+	colormovedws = "allow-indentation-change"
+[alias]
+	a = add
+	s = status
+	c = commit
+	news = -c diff.external=difft log -p HEAD@{1}..HEAD@{0} --ext-diff
+	dlog = -c diff.external=difft log -p --ext-diff
+	dshow = -c diff.external=difft show --ext-diff
+    dft = -c diff.external=difft diff
+	lg1 = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(auto)%d%C(reset)' --all
+	lg2 = log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold cyan)%aD%C(reset) %C(bold green)(%ar)%C(reset)%C(auto)%d%C(reset)%n''          %C(white)%s%C(reset) %C(dim white)- %an%C(reset)'
+[column]
+	ui = auto
+[branch]
+	sort = -committerdate
+[tag]
+	sort = version:refname
+[push]
+	autoSetupRemote = true
+	followTags = true
+[help]
+	autocorrect = prompt
+[commit]
+	verbose = true
+[rerere]
+	enabled = true
+	autoupdate = true
+[rebase]
+	autoSquash = true
+	autoStash = true
+	updateRefs = true
+[pull]
+	rebase = true
diff --git a/home/.config/git/config b/home/.config/git/config
new file mode 100644
index 0000000..11e6825
--- /dev/null
+++ b/home/.config/git/config
@@ -0,0 +1,5 @@
+[include]
+  path = ~/.config/git/common.gitconfig
+  path = ~/.config/git/local.gitconfig
+[includeIf "gitdir:~/imag/"]
+	path = ~/.config/git/ensimag.gitconfig
diff --git a/home/.config/git/ensimag.gitconfig b/home/.config/git/ensimag.gitconfig
new file mode 100644
index 0000000..9f17d9f
--- /dev/null
+++ b/home/.config/git/ensimag.gitconfig
@@ -0,0 +1,3 @@
+[user]
+	name = "Romain Paquet"
+	email = romain.paquet@grenoble-inp.org
diff --git a/home/.config/git/ignore b/home/.config/git/ignore
new file mode 100644
index 0000000..de033e6
--- /dev/null
+++ b/home/.config/git/ignore
@@ -0,0 +1,4 @@
+/.direnv
+/.helix
+/.settings
+/.classpath
diff --git a/home/.config/helix/config.toml b/home/.config/helix/config.toml
new file mode 100644
index 0000000..5c3ec91
--- /dev/null
+++ b/home/.config/helix/config.toml
@@ -0,0 +1,21 @@
+theme = "kanagawa"
+
+[editor]
+line-number = "absolute"
+auto-completion = true
+auto-format = true
+end-of-line-diagnostics = "hint"
+
+[editor.cursor-shape]
+insert = "bar"
+normal = "block"
+
+[editor.statusline]
+left = ["mode", "spinner", "file-name"]
+right = ["diagnostics", "file-encoding", "file-type", "position"]
+mode.normal = "NORMAL"
+mode.insert = "INSERT"
+mode.select = "SELECT"
+
+[editor.inline-diagnostics]
+cursor-line = "error"
diff --git a/home/.config/helix/languages.toml b/home/.config/helix/languages.toml
new file mode 100644
index 0000000..3befed1
--- /dev/null
+++ b/home/.config/helix/languages.toml
@@ -0,0 +1,64 @@
+[[language]]
+name = "c"
+scope = "source.c"
+file-types = ["c", "h"]
+indent = { tab-width = 4, unit = "\t" }
+auto-format = true
+language-servers = [ { name = "clangd" } ]
+
+[language-server.clangd]
+command = "clangd"
+args = ["--header-insertion=never"]
+
+[[language]]
+name = "rust"
+language-servers = [ "rust-analyzer" ]
+auto-format = true
+
+[language-server.rust-analyzer.config]
+check.command = "clippy"
+
+[language-server.deno-lsp]
+command = "deno"
+args = ["lsp"]
+
+[language-server.deno-lsp.config.deno]
+enable = true
+lint = true
+suggest.imports.hosts = { "https://deno.land" = true }
+
+[[language]]
+name = "typescript"
+file-types = ["ts"]
+language-servers = ["deno-lsp"]
+
+[[language]]
+name = "djot"
+scope = "source.djot"
+file-types = ["dj"]
+
+[[grammar]]
+name = "djot"
+source = { git = "https://github.com/treeman/tree-sitter-djot", rev = "master" }
+
+[[language]]
+name = "nix"
+formatter = { command = "nixfmt" }
+
+[[language]]
+name = "java"
+formatter = { command = "google-java-format", args = ["--aosp"] }
+auto-format = true
+
+[[language]]
+name = "hcl"
+formatter = { command = "tofu", args = ["fmt", "-"] }
+auto-format = true
+
+[[language]]
+name = "vento"
+indent = { tab-width = 2, unit = "\t" }
+
+[[language]]
+name = "ocaml"
+auto-format = true
diff --git a/home/.config/hut/config b/home/.config/hut/config
new file mode 100644
index 0000000..3a644b9
--- /dev/null
+++ b/home/.config/hut/config
@@ -0,0 +1,3 @@
+instance "sr.ht" {
+	access-token-cmd pass oauth/sr.ht-hut@haze
+}
diff --git a/home/.config/i3status-rust/bottom-config.toml b/home/.config/i3status-rust/bottom-config.toml
new file mode 100644
index 0000000..bd8de83
--- /dev/null
+++ b/home/.config/i3status-rust/bottom-config.toml
@@ -0,0 +1,53 @@
+[theme]
+theme = "kanagawa"
+[theme.overrides]
+separator = "<span size='13000'></span>"
+
+[icons]
+icons = "material-nf"
+
+[[block]]
+block = "privacy"
+[[block.driver]]
+name = "pipewire"
+
+[[block]]
+block = "music"
+format = " $icon {$combo.str(max_w:70) $prev $next |}"
+[[block.click]]
+button = "left"
+action = "play_pause"
+
+[[block]]
+block = "bluetooth"
+mac = "20:74:CF:B5:B7:7A"
+format = " $icon $name{ $percentage|} "
+disconnected_format = ""
+
+[[block]]
+block = "bluetooth"
+mac = "28:11:A5:6B:44:8B"
+format = " $icon $name{ $percentage|} "
+disconnected_format = ""
+
+[[block]]
+block = "bluetooth"
+mac = "00:1E:7C:50:24:8F"
+format = " $icon $name{ $percentage|} "
+disconnected_format = ""
+
+[[block]]
+block = "toggle"
+format = " $icon ensivpn "
+command_state = 'nmcli -f general.state con show Ensimag-VPN-ETU-udp | grep -v deactivated'
+command_on = "pass show web/ensimag.fr | head -n 1 | nmcli c up Ensimag-VPN-ETU-udp --ask"
+command_off = "nmcli c down Ensimag-VPN-ETU-udp"
+
+[[block]]
+block = "net"
+interval = 10
+device = "wlan0"
+format = " $icon {$ssid|$device} "
+[[block.click]]
+button = "left"
+cmd = "iwgtk"
diff --git a/home/.config/i3status-rust/config.toml b/home/.config/i3status-rust/config.toml
new file mode 100644
index 0000000..3ea7922
--- /dev/null
+++ b/home/.config/i3status-rust/config.toml
@@ -0,0 +1,78 @@
+[theme]
+theme = "kanagawa"
+[theme.overrides]
+separator = "<span size='17000'></span>"
+
+[icons]
+icons = "material-nf"
+[icons.overrides]
+sleep = "ó°’²"
+no_sleep = "ó°’³"
+
+[[block]]
+block = "toggle"
+format = " $icon  "
+command_state = "pgrep swayidle"
+command_on = "swaymsg 'exec swayidle -w'"
+command_off = "pkill swayidle"
+icon_on = "sleep"
+icon_off = "no_sleep"
+
+[[block]]
+block = "toggle"
+format = "  $icon  "
+command_state = 'if [ "$($HOME/bin/darkmode status)" = "dark" ]; then echo y; fi'
+command_on = "$HOME/bin/darkmode toggle"
+command_off = "$HOME/bin/darkmode toggle"
+
+[[block]]
+block = "hueshift"
+format = " 󱩌 {$temperature} "
+click_temp = 4000
+
+[[block]]
+block = "backlight"
+format = " $icon $brightness.eng(width:1) "
+step_width = 1
+minimum = 1
+
+[[block]]
+block = "sound"
+driver = "pulseaudio"
+headphones_indicator = true
+show_volume_when_muted = true
+format = " $icon $volume.eng(width:1) "
+[[block.click]]
+button = "left"
+cmd = "pavucontrol"
+[block.theme_overrides]
+warning_bg = { link = "idle_bg" }
+warning_fg = { link = "idle_fg"}
+idle_bg = { link = "info_bg" }
+idle_fg = { link = "info_fg"}
+
+[[block]]
+block = "battery"
+interval = 30
+format = " $icon $percentage "
+full_format = " $icon $percentage "
+
+[[block]]
+block = "keyboard_layout"
+driver = "sway"
+sway_kb_identifier = "1267:12613:ASUE140C:00_04F3:3145_Keyboard"
+format = "  $layout "
+[[block.click]]
+button = "left"
+cmd = "swaymsg input '1267:12613:ASUE140C:00_04F3:3145_Keyboard' xkb_switch_layout next"
+[block.mappings]
+"French (N/A)" = "fr"
+"English (Colemak-DH)" = "colemak-dh"
+"English (US)" = "en"
+
+[[block]]
+block = "time"
+interval = 10
+[block.format]
+full = " $icon $timestamp.datetime(f:'%a %d/%m/%y %R', l:fr_FR) "
+short = " $icon $timestamp.datetime(f:'%R')"
diff --git a/home/.config/i3status-rust/themes/kanagawa.toml b/home/.config/i3status-rust/themes/kanagawa.toml
new file mode 100644
index 0000000..655c32d
--- /dev/null
+++ b/home/.config/i3status-rust/themes/kanagawa.toml
@@ -0,0 +1,14 @@
+idle_bg = "#151515"
+idle_fg = "#dcd7ba"
+info_bg = "#2d4f67"
+info_fg = "#dcd7ba"
+good_bg = "#151515"
+good_fg = "#98971a"
+warning_bg = "#ff9e3b"
+warning_fg = "#16161D"
+critical_bg = "#e82424"
+critical_fg = "#dcd7ba"
+separator = "\ue0b2"
+separator_bg = "auto"
+separator_fg = "auto"
+alternating_tint_bg = "#151515"
diff --git a/home/.config/jj/config.toml b/home/.config/jj/config.toml
new file mode 100644
index 0000000..fa80ef3
--- /dev/null
+++ b/home/.config/jj/config.toml
@@ -0,0 +1,54 @@
+"$schema" = "https://jj-vcs.github.io/jj/latest/config-schema.json"
+
+[ui]
+default-command = ["log", "--no-pager"]
+diff-formatter = ["difft", "--color=always", "$left", "$right"]
+diff-editor = ":builtin"
+
+[user]
+name = "Romain Paquet"
+email = "rpqt@rpqt.fr"
+
+[git]
+write-change-id-header = true
+
+[revset-aliases]
+'closest_pushable(to)' = 'heads(::to & mutable() & ~description(exact:"") & (~empty() | merges()))'
+
+[aliases]
+s = ["status", "--no-pager"]
+tug = ["bookmark", "move", "--from", "heads(::@ & bookmarks())", "--to", "closest_pushable(@)"]
+
+[[--scope]]
+--when.repositories = ["~/agh"]
+[--scope.user]
+email = "romain@student.agh.edu.pl"
+
+[[--scope]]
+--when.repositories = ["~/imag"]
+[--scope.user]
+email = "romain.paquet@grenoble-inp.org"
+
+# After this line everything is taken from https://andre.arko.net/2025/09/28/stupid-jj-tricks
+
+[templates]
+draft_commit_description = '''
+  concat(
+    coalesce(description, default_commit_description, "\n"),
+    surround(
+      "\nJJ: This commit contains the following changes:\n", "",
+      indent("JJ:     ", diff.stat(72)),
+    ),
+    "\nJJ: ignore-rest\n",
+    diff.git(),
+  )
+'''
+log_node = '''
+if(self && !current_working_copy && !immutable && !conflict && in_branch(self),
+  "â—‡",
+  builtin_log_node
+)
+'''
+
+[template-aliases]
+"in_branch(commit)" = 'commit.contained_in("immutable_heads()..bookmarks()")'
diff --git a/home/.config/kmonad/config.kbd b/home/.config/kmonad/config.kbd
new file mode 100644
index 0000000..587ec51
--- /dev/null
+++ b/home/.config/kmonad/config.kbd
@@ -0,0 +1,46 @@
+(defcfg
+  input (device-file "/dev/input/by-path/platform-i8042-serio-0-event-kbd")
+  output (uinput-sink "KMonad laptop keyboard output")
+  fallthrough true
+)
+
+(defsrc
+  esc  f1   f2   f3   f4   f5   f6   f7   f8   f9   f10  f11  f12  prnt ins  del
+  grv  1    2    3    4    5    6    7    8    9    0    -    =    bspc home
+  tab  q    w    e    r    t    y    u    i    o    p    [    ]    \    pgup
+  caps a    s    d    f    g    h    j    k    l    ;    '    ret       pgdn
+  lsft z    x    c    v    b    n    m    ,    .    /    rsft           end
+  lctl      lmet lalt         spc         ralt rctl
+)
+
+(defalias
+  maj (layer-toggle azerty-shift)
+  agr (layer-toggle azerty-altgr)
+)
+
+(deflayer azerty
+  esc  f1   f2   f3   f4   f5   f6   f7   f8   f9   f10  f11  f12  prnt ins  del
+  grv  &    é    "    '    \(   -    è    \_   ç    à    \)   =    bspc home
+  tab  a    z    e    r    t    y    u    i    o    p    ^    $    *    pgup
+  caps q    s    d    f    g    h    j    k    l    m    ù    ret       pgdn
+  @maj w    x    c    v    b    n    ,    ;    :    !    rsft           end
+  lctl      lmet lalt         spc         @agr rctl
+)
+
+(deflayer azerty-shift
+  _    _    _    _    _    _    _    _    _    _    _    _    _    _    _    _
+  _    1    2    3    4    5    6    7    8    9    0    °    +    _    _
+  _    a    _    _    _    _    _    _    _    _    _    _    £    µ    _
+  _    _    _    _    _    _    _    _    _    _    _    %    _         _
+  @maj _    _    _    _    _    _    ?    .    /    §    rsft           _
+  lctl      lmet lalt         spc         ralt rctl
+)
+
+(deflayer azerty-altgr
+  _    _    _    _    _    _    _    _    _    _    _    _    _    _    _    _
+  _    _    ~    #    {    [    |    grv  \    ^    @    ]    }    _    _
+  _    _    _    _    _    _    _    _    _    _    _    _    _    _    _
+  _    _    _    _    _    _    _    _    _    _    _    _    _         _
+  _    _    _    _    _    _    _    _    _    _    _    rsft           _
+  lctl      lmet lalt         spc         @agr rctl
+)
diff --git a/home/.config/matugen/config.toml b/home/.config/matugen/config.toml
new file mode 100644
index 0000000..e162dc3
--- /dev/null
+++ b/home/.config/matugen/config.toml
@@ -0,0 +1,6 @@
+[config]
+
+[templates.vicinae]
+input_path = '~/.config/matugen/templates/vicinae.toml'
+output_path = '~/.local/share/vicinae/themes/matugen.toml'
+post_hook = 'vicinae theme set matugen'
diff --git a/home/.config/matugen/templates/vicinae.toml b/home/.config/matugen/templates/vicinae.toml
new file mode 100644
index 0000000..b56dbfb
--- /dev/null
+++ b/home/.config/matugen/templates/vicinae.toml
@@ -0,0 +1,127 @@
+# Vicinae Matugen Theme Template
+# Used LLM for initial generation, then modified to a satisfactory level
+
+[meta]
+name = "Matugen"
+description = "Material You theme generated by Matugen - {{mode}} variant"
+variant = "{{mode}}"
+
+# ============================================================================
+# Core Colors
+# ============================================================================
+
+[colors.core]
+accent = "{{colors.primary.default.hex}}"
+accent_foreground = "{{colors.on_primary.default.hex}}"
+background = "{{colors.surface.default.hex}}"
+foreground = "{{colors.on_surface.default.hex}}"
+secondary_background = "{{colors.surface_container.default.hex}}"
+border = "{{colors.outline_variant.default.hex}}"
+
+# ============================================================================
+# Window Borders
+# ============================================================================
+
+[colors.main_window]
+border = "{{colors.outline_variant.default.hex}}"
+
+[colors.settings_window]
+border = "{{colors.outline.default.hex}}"
+
+# ============================================================================
+# Accent Palette
+# ============================================================================
+
+[colors.accents]
+blue = "{{colors.primary.default.hex}}"
+green = "{{colors.tertiary.default.hex}}"
+magenta = "{{colors.secondary.default.hex}}"
+orange = { name = "{{colors.error.default.hex}}", lighter = 40 }
+red = "{{colors.error.default.hex}}"
+yellow = { name = "{{colors.tertiary.default.hex}}", lighter = 80 }
+cyan = { name = "{{colors.primary.default.hex}}", lighter = 50 }
+purple = "{{colors.secondary.default.hex}}"
+
+# ============================================================================
+# Text System
+# ============================================================================
+
+[colors.text]
+default = "{{colors.on_surface.default.hex}}"
+muted = "{{colors.on_surface_variant.default.hex}}"
+danger = "{{colors.error.default.hex}}"
+success = "{{colors.tertiary.default.hex}}"
+placeholder = { name = "{{colors.on_surface_variant.default.hex}}", opacity = 0.6 }
+
+[colors.text.selection]
+background = "{{colors.primary.default.hex}}"
+foreground = "{{colors.on_primary.default.hex}}"
+
+[colors.text.links]
+default = "{{colors.primary.default.hex}}"
+visited = { name = "{{colors.tertiary.default.hex}}", darker = 20 }
+
+# ============================================================================
+# Input Fields
+# ============================================================================
+
+[colors.input]
+border = "{{colors.outline.default.hex}}"
+border_focus = "{{colors.primary.default.hex}}"
+border_error = "{{colors.error.default.hex}}"
+
+# ============================================================================
+# Buttons
+# ============================================================================
+
+[colors.button.primary]
+background = "{{colors.surface_container_high.default.hex}}"
+foreground = "{{colors.on_surface.default.hex}}"
+
+[colors.button.primary.hover]
+background = "{{colors.surface_container_highest.default.hex}}"  
+
+[colors.button.primary.focus]
+outline = "{{colors.primary.default.hex}}"
+
+# ============================================================================
+# Lists
+# ============================================================================
+
+[colors.list.item.hover]
+background = { name = "{{colors.primary_container.default.hex}}", opacity = 0.25 }  
+foreground = "{{colors.on_surface.default.hex}}"
+
+[colors.list.item.selection]
+background = { name = "{{colors.primary_container.default.hex}}", opacity = 0.50 }
+foreground = "{{colors.on_primary_container.default.hex}}"
+secondary_background = "{{colors.primary_container.default.hex}}"
+secondary_foreground = "{{colors.on_primary_container.default.hex}}"
+
+# ============================================================================
+# Grid Items
+# ============================================================================
+
+[colors.grid.item]
+background = "{{colors.surface_container.default.hex}}"
+
+[colors.grid.item.hover]
+outline = { name = "{{colors.secondary.default.hex}}", opacity = 0.8 }
+
+[colors.grid.item.selection]
+outline = { name = "{{colors.primary.default.hex}}" }
+
+# ============================================================================
+# Scrollbars
+# ============================================================================
+
+[colors.scrollbars]
+background = { name = "{{colors.primary.default.hex}}", opacity = 0.2 }
+
+# ============================================================================
+# Loading States
+# ============================================================================
+
+[colors.loading]
+bar = "{{colors.primary.default.hex}}"
+spinner = "{{colors.primary.default.hex}}"
diff --git a/home/.config/mpd/mpd.conf b/home/.config/mpd/mpd.conf
new file mode 100644
index 0000000..90fac39
--- /dev/null
+++ b/home/.config/mpd/mpd.conf
@@ -0,0 +1,10 @@
+music_directory "~/Music"
+playlist_directory "~/.config/mpd/playlists"
+db_file	"~/.config/mpd/database"
+restore_paused "yes"
+state_file "~/.local/state/mpd"
+
+audio_output {
+	type "pipewire"
+	name "pipewire"
+}
diff --git a/home/.config/niri/config.kdl b/home/.config/niri/config.kdl
new file mode 100644
index 0000000..41320b9
--- /dev/null
+++ b/home/.config/niri/config.kdl
@@ -0,0 +1,312 @@
+include "dms/alttab.kdl"
+include "dms/binds.kdl"
+include "dms/colors.kdl"
+include "dms/layout.kdl"
+include "dms/wpblur.kdl"
+
+input {
+    keyboard {
+        xkb {
+            layout "fr,us(colemak_dh),us"
+            options "grp:win_space_toggle"
+        }
+    }
+
+    touchpad {
+        tap
+        natural-scroll
+    }
+
+    // Make the mouse warp to the center of newly focused windows.
+    // warp-mouse-to-focus
+
+    // Focus windows and outputs automatically when moving the mouse into them.
+    // Setting max-scroll-amount="0%" makes it work only on windows already fully on screen.
+    focus-follows-mouse max-scroll-amount="0%"
+}
+
+workspace "browser" {
+}
+
+output "eDP-1" {
+    mode "1920x1080@60.049"
+    scale 1
+    position x=360 y=1440
+}
+
+output "HDMI-A-1" {
+    mode "3840x2160@60.000"
+    scale 1.5
+    position x=0 y=0
+}
+
+layout {
+    gaps 8
+
+    center-focused-column "never"
+
+    // You can customize the widths that "switch-preset-column-width" (Mod+R) toggles between.
+    preset-column-widths {
+        // Proportion sets the width as a fraction of the output width, taking gaps into account.
+        // For example, you can perfectly fit four windows sized "proportion 0.25" on an output.
+        // The default preset widths are 1/3, 1/2 and 2/3 of the output.
+        proportion 0.33333
+        proportion 0.5
+        proportion 0.66667
+
+        // Fixed sets the width in logical pixels exactly.
+        // fixed 1920
+    }
+
+    // You can also customize the heights that "switch-preset-window-height" (Mod+Shift+R) toggles between.
+    // preset-window-heights { }
+
+    // You can change the default width of the new windows.
+    default-column-width { proportion 0.5; }
+    // If you leave the brackets empty, the windows themselves will decide their initial width.
+}
+
+prefer-no-csd
+
+cursor {
+    hide-when-typing
+}
+
+window-rule {
+    match app-id=r#"^firefox$"#
+    open-maximized true
+    open-on-workspace "browser"
+    focus-ring {
+        off
+    }
+}
+
+window-rule {
+    match app-id=r#"^thunderbird$"#
+    open-maximized true
+    focus-ring {
+        off
+    }
+}
+
+// Open the Firefox picture-in-picture player as floating by default.
+window-rule {
+    // This app-id regular expression will work for both:
+    // - host Firefox (app-id is "firefox")
+    // - Flatpak Firefox (app-id is "org.mozilla.firefox")
+    match app-id=r#"firefox$"# title="^Picture-in-Picture$"
+    open-floating true
+}
+
+binds {
+    // Keys consist of modifiers separated by + signs, followed by an XKB key name
+    // in the end. To find an XKB name for a particular key, you may use a program
+    // like wev.
+    //
+    // "Mod" is a special modifier equal to Super when running on a TTY, and to Alt
+    // when running as a winit window.
+    //
+    // Most actions that you can bind here can also be invoked programmatically with
+    // `niri msg action do-something`.
+
+    // Show a list of important hotkeys.
+    Mod+Shift+Comma { show-hotkey-overlay; }
+
+    // Suggested binds for running programs: terminal, app launcher, screen locker.
+    Mod+Return { spawn "ghostty" "+new-window"; }
+    // Mod+D { spawn "dms" "ipc" "call" "spotlight" "toggle"; }
+    Mod+D { spawn "vicinae" "toggle"; }
+    Super+Alt+L hotkey-overlay-title="Lock session" { spawn "loginctl" "lock-session"; }
+
+    XF86AudioPlay { spawn "playerctl" "play-pause"; }
+    XF86AudioNext { spawn "playerctl" "next"; }
+    XF86AudioPrev { spawn "playerctl" "previous"; }
+    XF86Search    { spawn "tofi-drun" "--drun-launch=true"; }
+
+    Mod+W { close-window; }
+
+    Mod+Left  { focus-column-left; }
+    Mod+Down  { focus-window-down; }
+    Mod+Up    { focus-window-up; }
+    Mod+Right { focus-column-right; }
+    Mod+H     { focus-column-left; }
+    Mod+J     { focus-window-down; }
+    Mod+K     { focus-window-up; }
+    Mod+L     { focus-column-right; }
+
+    Mod+Ctrl+Left  { move-column-left; }
+    Mod+Ctrl+Down  { move-window-down; }
+    Mod+Ctrl+Up    { move-window-up; }
+    Mod+Ctrl+Right { move-column-right; }
+    Mod+Ctrl+H     { move-column-left; }
+    Mod+Ctrl+J     { move-window-down; }
+    Mod+Ctrl+K     { move-window-up; }
+    Mod+Ctrl+L     { move-column-right; }
+
+    // Alternative commands that move across workspaces when reaching
+    // the first or last window in a column.
+    // Mod+J     { focus-window-or-workspace-down; }
+    // Mod+K     { focus-window-or-workspace-up; }
+    // Mod+Ctrl+J     { move-window-down-or-to-workspace-down; }
+    // Mod+Ctrl+K     { move-window-up-or-to-workspace-up; }
+
+    Mod+Home { focus-column-first; }
+    Mod+End  { focus-column-last; }
+    Mod+Ctrl+Home { move-column-to-first; }
+    Mod+Ctrl+End  { move-column-to-last; }
+
+    Mod+Shift+Left  { focus-monitor-left; }
+    Mod+Shift+Down  { focus-monitor-down; }
+    Mod+Shift+Up    { focus-monitor-up; }
+    Mod+Shift+Right { focus-monitor-right; }
+    Mod+Shift+H     { focus-monitor-left; }
+    Mod+Shift+J     { focus-monitor-down; }
+    Mod+Shift+K     { focus-monitor-up; }
+    Mod+Shift+L     { focus-monitor-right; }
+
+    Mod+Shift+Ctrl+Left  { move-column-to-monitor-left; }
+    Mod+Shift+Ctrl+Down  { move-column-to-monitor-down; }
+    Mod+Shift+Ctrl+Up    { move-column-to-monitor-up; }
+    Mod+Shift+Ctrl+Right { move-column-to-monitor-right; }
+    Mod+Shift+Ctrl+H     { move-column-to-monitor-left; }
+    Mod+Shift+Ctrl+J     { move-column-to-monitor-down; }
+    Mod+Shift+Ctrl+K     { move-column-to-monitor-up; }
+    Mod+Shift+Ctrl+L     { move-column-to-monitor-right; }
+
+    // Alternatively, there are commands to move just a single window:
+    // Mod+Shift+Ctrl+Left  { move-window-to-monitor-left; }
+    // ...
+
+    // And you can also move a whole workspace to another monitor:
+    // Mod+Shift+Ctrl+Left  { move-workspace-to-monitor-left; }
+    // ...
+
+    Mod+Page_Down      { focus-workspace-down; }
+    Mod+Page_Up        { focus-workspace-up; }
+    Mod+U              { focus-workspace-down; }
+    Mod+I              { focus-workspace-up; }
+    Mod+Ctrl+Page_Down { move-column-to-workspace-down; }
+    Mod+Ctrl+Page_Up   { move-column-to-workspace-up; }
+    Mod+Ctrl+U         { move-column-to-workspace-down; }
+    Mod+Ctrl+I         { move-column-to-workspace-up; }
+
+    // Alternatively, there are commands to move just a single window:
+    // Mod+Ctrl+Page_Down { move-window-to-workspace-down; }
+    // ...
+
+    Mod+Shift+Page_Down { move-workspace-down; }
+    Mod+Shift+Page_Up   { move-workspace-up; }
+    Mod+Shift+U         { move-workspace-down; }
+    Mod+Shift+I         { move-workspace-up; }
+
+    // You can bind mouse wheel scroll ticks using the following syntax.
+    // These binds will change direction based on the natural-scroll setting.
+    //
+    // To avoid scrolling through workspaces really fast, you can use
+    // the cooldown-ms property. The bind will be rate-limited to this value.
+    // You can set a cooldown on any bind, but it's most useful for the wheel.
+    Mod+WheelScrollDown      cooldown-ms=150 { focus-workspace-down; }
+    Mod+WheelScrollUp        cooldown-ms=150 { focus-workspace-up; }
+    Mod+Ctrl+WheelScrollDown cooldown-ms=150 { move-column-to-workspace-down; }
+    Mod+Ctrl+WheelScrollUp   cooldown-ms=150 { move-column-to-workspace-up; }
+
+    Mod+WheelScrollRight      { focus-column-right; }
+    Mod+WheelScrollLeft       { focus-column-left; }
+    Mod+Ctrl+WheelScrollRight { move-column-right; }
+    Mod+Ctrl+WheelScrollLeft  { move-column-left; }
+
+    // Usually scrolling up and down with Shift in applications results in
+    // horizontal scrolling; these binds replicate that.
+    Mod+Shift+WheelScrollDown      { focus-column-right; }
+    Mod+Shift+WheelScrollUp        { focus-column-left; }
+    Mod+Ctrl+Shift+WheelScrollDown { move-column-right; }
+    Mod+Ctrl+Shift+WheelScrollUp   { move-column-left; }
+
+    // You can refer to workspaces by index. However, keep in mind that
+    // niri is a dynamic workspace system, so these commands are kind of
+    // "best effort". Trying to refer to a workspace index bigger than
+    // the current workspace count will instead refer to the bottommost
+    // (empty) workspace.
+    //
+    // For example, with 2 workspaces + 1 empty, indices 3, 4, 5 and so on
+    // will all refer to the 3rd workspace.
+    Mod+ampersand { focus-workspace 1; }
+    Mod+2 { focus-workspace 2; }
+    Mod+quotedbl { focus-workspace 3; }
+    Mod+apostrophe { focus-workspace 4; }
+    Mod+parenleft { focus-workspace 5; }
+    Mod+minus { focus-workspace 6; }
+    Mod+7 { focus-workspace 7; }
+    Mod+underscore { focus-workspace 8; }
+    Mod+9 { focus-workspace 9; }
+    Mod+Ctrl+1 { move-column-to-workspace 1; }
+    Mod+Ctrl+2 { move-column-to-workspace 2; }
+    Mod+Ctrl+3 { move-column-to-workspace 3; }
+    Mod+Ctrl+4 { move-column-to-workspace 4; }
+    Mod+Ctrl+5 { move-column-to-workspace 5; }
+    Mod+Ctrl+6 { move-column-to-workspace 6; }
+    Mod+Ctrl+7 { move-column-to-workspace 7; }
+    Mod+Ctrl+8 { move-column-to-workspace 8; }
+    Mod+Ctrl+9 { move-column-to-workspace 9; }
+
+    // Switches focus between the current and the previous workspace.
+    Mod+Tab { focus-workspace-previous; }
+
+    // The following binds move the focused window in and out of a column.
+    // If the window is alone, they will consume it into the nearby column to the side.
+    // If the window is already in a column, they will expel it out.
+    Mod+BracketLeft  { consume-or-expel-window-left; }
+    Mod+BracketRight { consume-or-expel-window-right; }
+
+    // Consume one window from the right to the bottom of the focused column.
+    Mod+Comma  { consume-window-into-column; }
+    // Expel the bottom window from the focused column to the right.
+    Mod+Semicolon { expel-window-from-column; }
+
+    Mod+R { switch-preset-column-width; }
+    Mod+Shift+R { switch-preset-window-height; }
+    Mod+Ctrl+R { reset-window-height; }
+    Mod+F { maximize-column; }
+    Mod+Shift+F { fullscreen-window; }
+    Mod+C { center-column; }
+
+    Mod+Escape { toggle-overview; }
+
+    // Finer height adjustments when in column with other windows.
+    Mod+Shift+Minus { set-window-height "-10%"; }
+    Mod+Shift+Equal { set-window-height "+10%"; }
+
+    // Move the focused window between the floating and the tiling layout.
+    Mod+V       { toggle-window-floating; }
+    Mod+Shift+V { switch-focus-between-floating-and-tiling; }
+
+    Print { screenshot; }
+    Ctrl+Print { screenshot-screen; }
+    Alt+Print { screenshot-window; }
+
+    // The quit action will show a confirmation dialog to avoid accidental exits.
+    Mod+Shift+E { quit; }
+    Ctrl+Alt+Delete { quit; }
+
+    // Powers off the monitors. To turn them back on, do any input like
+    // moving the mouse or pressing any other key.
+    Mod+Shift+P { power-off-monitors; }
+
+    Mod+N hotkey-overlay-title="Open notes" {
+        spawn-sh "ghostty -e hx --working-dir ~/notes ~/notes/notes.dj:9999";
+    }
+}
+
+screenshot-path "~/Pictures/Screenshots/Screenshot from %Y-%m-%d %H-%M-%S.png"
+
+spawn-at-startup "kdeconnect-indicator"
+spawn-at-startup "~/rep/flocon/home/bin/monitor-dark-mode.sh"
+
+spawn-at-startup "xwayland-satellite"
+environment {
+    DISPLAY ":0"
+}
+
+hotkey-overlay {
+    skip-at-startup
+}
diff --git a/home/.config/niri/dms/alttab.kdl b/home/.config/niri/dms/alttab.kdl
new file mode 100644
index 0000000..91d8337
--- /dev/null
+++ b/home/.config/niri/dms/alttab.kdl
@@ -0,0 +1,5 @@
+recent-windows {
+    highlight {
+        corner-radius 12
+    }
+}
diff --git a/home/.config/niri/dms/binds.kdl b/home/.config/niri/dms/binds.kdl
new file mode 100644
index 0000000..5f116ed
--- /dev/null
+++ b/home/.config/niri/dms/binds.kdl
@@ -0,0 +1,55 @@
+binds {
+    Mod+Shift+D hotkey-overlay-title="Application Launcher" { 
+        spawn "dms" "ipc" "call" "spotlight" "toggle"; 
+    }
+
+    Mod+V hotkey-overlay-title="Clipboard Manager" { 
+        spawn "dms" "ipc" "call" "clipboard" "toggle"; 
+    }
+
+    Mod+M hotkey-overlay-title="Task Manager" { 
+        spawn "dms" "ipc" "call" "processlist" "toggle"; 
+    }
+
+    Mod+Comma hotkey-overlay-title="Settings" { 
+        spawn "dms" "ipc" "call" "settings" "toggle"; 
+    }
+
+    Mod+N hotkey-overlay-title="Notification Center" {
+        spawn "dms" "ipc" "call" "notifications" "toggle"; 
+    }
+
+    Mod+Shift+N hotkey-overlay-title="Notepad" {
+      spawn "dms" "ipc" "call" "notepad" "toggle";  
+    }
+    
+    Mod+Alt+L hotkey-overlay-title="Lock Screen" { 
+        spawn "dms" "ipc" "call" "lock" "lock"; 
+    }
+
+    Ctrl+Alt+Delete hotkey-overlay-title="Task Manager" { 
+        spawn "dms" "ipc" "call" "processlist" "toggle"; 
+    }    
+
+    // Audio
+    XF86AudioRaiseVolume allow-when-locked=true {
+        spawn "dms" "ipc" "call" "audio" "increment" "3";
+    }
+    XF86AudioLowerVolume allow-when-locked=true {
+        spawn "dms" "ipc" "call" "audio" "decrement" "3";
+    }
+    XF86AudioMute allow-when-locked=true {
+        spawn "dms" "ipc" "call" "audio" "mute";
+    }
+    XF86AudioMicMute allow-when-locked=true {
+        spawn "dms" "ipc" "call" "audio" "micmute";
+    }
+    
+    // BL
+    XF86MonBrightnessUp allow-when-locked=true {
+       spawn "dms" "ipc" "call" "brightness" "increment" "5" "";
+    }
+    XF86MonBrightnessDown allow-when-locked=true {
+       spawn "dms" "ipc" "call" "brightness" "decrement" "5" "";
+    }  
+}
\ No newline at end of file
diff --git a/home/.config/niri/dms/colors.kdl b/home/.config/niri/dms/colors.kdl
new file mode 100644
index 0000000..2c7487f
--- /dev/null
+++ b/home/.config/niri/dms/colors.kdl
@@ -0,0 +1,36 @@
+layout {
+    background-color "transparent"
+
+    focus-ring {
+        active-color   "#5c5891"
+        inactive-color "#787680"
+        urgent-color   "#ba1a1a"
+    }
+
+    border {
+        active-color   "#5c5891"
+        inactive-color "#787680"
+        urgent-color   "#ba1a1a"
+    }
+
+    shadow {
+        color "#00000070"
+    }
+
+    tab-indicator {
+        active-color   "#5c5891"
+        inactive-color "#787680"
+        urgent-color   "#ba1a1a"
+    }
+
+    insert-hint {
+        color "#5c589180"
+    }
+}
+
+recent-windows {
+    highlight {
+        active-color   "#444078"
+        urgent-color   "#ba1a1a"
+    }
+}
diff --git a/home/.config/niri/dms/layout.kdl b/home/.config/niri/dms/layout.kdl
new file mode 100644
index 0000000..36c08f3
--- /dev/null
+++ b/home/.config/niri/dms/layout.kdl
@@ -0,0 +1,17 @@
+layout {
+    gaps 4
+
+    border {
+        width 2
+    }
+
+    focus-ring {
+        width 2
+    }
+}
+window-rule {
+    geometry-corner-radius 12
+    clip-to-geometry true
+    tiled-state true
+    draw-border-with-background false
+}
diff --git a/home/.config/niri/dms/wpblur.kdl b/home/.config/niri/dms/wpblur.kdl
new file mode 100644
index 0000000..667042f
--- /dev/null
+++ b/home/.config/niri/dms/wpblur.kdl
@@ -0,0 +1,4 @@
+layer-rule {
+    match namespace="dms:blurwallpaper"
+    place-within-backdrop true
+}
diff --git a/home/.config/nushell/config.nu b/home/.config/nushell/config.nu
new file mode 100644
index 0000000..6ff67b6
--- /dev/null
+++ b/home/.config/nushell/config.nu
@@ -0,0 +1,9 @@
+alias ls = eza
+alias ll = eza -l
+alias lla = eza -la
+alias h = hx
+alias g = git
+
+# Load starship prompt
+mkdir ($nu.data-dir | path join "vendor/autoload")
+starship init nu | save -f ($nu.data-dir | path join "vendor/autoload/starship.nu")
diff --git a/home/.config/senpai/senpai.scfg b/home/.config/senpai/senpai.scfg
new file mode 100644
index 0000000..72cce82
--- /dev/null
+++ b/home/.config/senpai/senpai.scfg
@@ -0,0 +1,4 @@
+address chat.sr.ht
+nickname rpqt
+username rpqt
+password-cmd pass show oauth/sr.ht-senpai-irc
diff --git a/home/.config/sh/aliases.sh b/home/.config/sh/aliases.sh
new file mode 100644
index 0000000..1376f34
--- /dev/null
+++ b/home/.config/sh/aliases.sh
@@ -0,0 +1,24 @@
+alias dotfiles="/usr/bin/git --git-dir=$HOME/.dotfiles/ --work-tree=$HOME"
+alias dots=dotfiles
+if command -v helix >/dev/null; then
+  alias h='helix'
+else
+  alias h='hx'
+fi
+if command -v eza >/dev/null; then
+  alias ls='eza'
+else
+  alias ls='ls --color -h'
+fi
+alias lsa='ls -A'
+alias ll='ls -l'
+alias lla='ls -lA'
+alias ..='cd ..'
+alias ...='cd ../..'
+alias bt='bluetoothctl'
+alias go='GOPROXY=direct go'
+alias ts='tree-sitter'
+alias g='git'
+alias c='cargo'
+alias MAKE='make clean && make'
+alias n='myrtle --notebook-dir=$HOME/notes'
diff --git a/home/.config/sh/path.sh b/home/.config/sh/path.sh
new file mode 100644
index 0000000..c41beec
--- /dev/null
+++ b/home/.config/sh/path.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# Personnal scripts
+export PATH="$PATH:$HOME/bin"
diff --git a/home/.config/vicinae/vicinae.json b/home/.config/vicinae/vicinae.json
new file mode 100644
index 0000000..0d92315
--- /dev/null
+++ b/home/.config/vicinae/vicinae.json
@@ -0,0 +1,23 @@
+{
+    "closeOnFocusLoss": false,
+    "considerPreedit": false,
+    "faviconService": "twenty",
+    "font": {
+        "size": 12
+    },
+    "keybinding": "default",
+    "keybinds": {
+    },
+    "popToRootOnClose": true,
+    "rootSearch": {
+        "searchFiles": true
+    },
+    "theme": {
+        "name": "matugen"
+    },
+    "window": {
+        "csd": true,
+        "opacity": 1,
+        "rounding": 10
+    }
+}
diff --git a/home/.config/zsh/haze.zsh b/home/.config/zsh/haze.zsh
new file mode 100644
index 0000000..e7e39ec
--- /dev/null
+++ b/home/.config/zsh/haze.zsh
@@ -0,0 +1,2 @@
+# Highlight the executable in green if it is found
+source /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.plugin.zsh
diff --git a/home/.config/zsh/hooks.sh b/home/.config/zsh/hooks.sh
new file mode 100644
index 0000000..269dee6
--- /dev/null
+++ b/home/.config/zsh/hooks.sh
@@ -0,0 +1,30 @@
+# Hook direnv if present
+if command -v direnv >/dev/null; then
+  eval "$(direnv hook zsh)"
+fi
+
+# Prompt
+if command -v starship >/dev/null; then
+  source <(starship init zsh)
+fi
+
+# Load opam config if present
+if [ -r ~/.opam/opam-init/init.zsh ]; then
+  source ~/.opam/opam-init/init.zsh  > /dev/null 2> /dev/null
+fi
+
+# Launch atuin if it is installed
+if command -v atuin >/dev/null; then
+  eval "$(atuin init zsh)"
+fi
+
+# Set ls/tree/fd theme using vivid if it is installed
+if command -v vivid >/dev/null; then
+  export LS_COLORS="$(vivid generate gruvbox-dark-hard)"
+fi
+
+# Init zoxide if present and alias cd to it
+if command -v zoxide >/dev/null; then
+  eval "$(zoxide init zsh)"
+  alias cd=z
+fi
diff --git a/home/.gitignore b/home/.gitignore
new file mode 100644
index 0000000..1871e64
--- /dev/null
+++ b/home/.gitignore
@@ -0,0 +1 @@
+!/.config
diff --git a/home/.ssh/config b/home/.ssh/config
new file mode 100644
index 0000000..51534dd
--- /dev/null
+++ b/home/.ssh/config
@@ -0,0 +1,11 @@
+Host crocus
+	HostName crocus.val
+	User root
+
+Host verbena
+	HostName verbena.val
+	User root
+
+Host genepi
+	HostName genepi.val
+	User root
diff --git a/home/.zshrc b/home/.zshrc
new file mode 100644
index 0000000..3e47f5e
--- /dev/null
+++ b/home/.zshrc
@@ -0,0 +1,27 @@
+# Path
+source ~/.config/sh/path.sh
+
+# Aliases
+source ~/.config/sh/aliases.sh
+
+# Completion
+autoload -Uz compinit
+compinit
+# sudo completion
+zstyle ':completion::complete:*' gain-privileges 1
+
+# Line movement with special keys
+bindkey "^[[H" beginning-of-line
+bindkey "^[[F" end-of-line
+bindkey "^[[3~" delete-char
+
+source ~/.config/zsh/hooks.sh
+
+if [ -r ~/.profile ]; then
+  source ~/.profile
+fi
+
+# Load machine-specific config
+if [ -r ~/.config/zsh/$HOST.zsh ]; then
+  source ~/.config/zsh/$HOST.zsh
+fi
diff --git a/home/bin/monitor-dark-mode.sh b/home/bin/monitor-dark-mode.sh
new file mode 100755
index 0000000..e8cdaf4
--- /dev/null
+++ b/home/bin/monitor-dark-mode.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+gsettings monitor org.gnome.desktop.interface color-scheme \
+  | xargs -L1 "${HOME}/rep/flocon/home/bin/switch-helix-theme.sh"
diff --git a/home/bin/switch-helix-theme.sh b/home/bin/switch-helix-theme.sh
new file mode 100755
index 0000000..f11f803
--- /dev/null
+++ b/home/bin/switch-helix-theme.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euox pipefail
+
+HELIX_CONFIG_PATH=$(readlink -f "${HOME}/.config/helix/config.toml")
+HELIX_THEME_LIGHT="zed_onelight"
+HELIX_THEME_DARK="kanagawa"
+
+if [[ "$2" == "prefer-dark" ]]; then
+  sed -i "s/^theme .*/theme = \"$HELIX_THEME_DARK\"/" "$HELIX_CONFIG_PATH"
+else
+  sed -i "s/^theme .*/theme = \"$HELIX_THEME_LIGHT\"/" "$HELIX_CONFIG_PATH"
+fi
+
+pkill -USR1 hx || true
diff --git a/home/cli.nix b/home/cli.nix
deleted file mode 100644
index 4a4e746..0000000
--- a/home/cli.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, pkgs, ... }:
-{
-  home.packages = with pkgs; [
-    bottom
-    btop
-    difftastic
-    doggo
-    duf
-    eza
-    fd
-    glow
-    lazygit
-    nh
-    ripgrep
-    skim
-    taskwarrior3
-    tealdeer
-    vivid
-    zoxide
-  ];
-
-  programs.zoxide.enable = true;
-  programs.starship.enable = true;
-  programs.atuin.enable = true;
-  programs.bat.enable = true;
-
-  programs.zsh = {
-    enable = true;
-    syntaxHighlighting.enable = true;
-    shellAliases = {
-      ls = "eza";
-      lsa = "ls -A";
-      ll = "ls -lh";
-      lla = "ls -lAh";
-      h = "hx";
-      g = "git";
-      cd = "z";
-      tree = "eza --tree";
-      ".." = "cd ..";
-      "..." = "cd ../..";
-    };
-  };
-
-  xdg.configFile."git".source = "${config.dotfiles.path}/.config/git";
-  xdg.configFile."task/taskrc".source = "${config.dotfiles.path}/.config/task/taskrc";
-
-  home.sessionPath = [ "${config.dotfiles.path}/bin" ];
-}
diff --git a/home/desktop/gnome.nix b/home/desktop/gnome.nix
deleted file mode 100644
index ccaa33a..0000000
--- a/home/desktop/gnome.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
-  home.packages = with pkgs.gnomeExtensions; [
-    blur-my-shell
-    paperwm
-  ];
-}
diff --git a/home/desktop/niri.nix b/home/desktop/niri.nix
deleted file mode 100644
index 73c1ac5..0000000
--- a/home/desktop/niri.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ config, ... }:
-{
-  xdg.configFile."i3bar-river".source = "${config.dotfiles.path}/.config/i3bar-river";
-  xdg.configFile."niri".source = "${config.dotfiles.path}/.config/niri";
-}
diff --git a/home/desktop/sway.nix b/home/desktop/sway.nix
deleted file mode 100644
index d0dbc91..0000000
--- a/home/desktop/sway.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ config, pkgs, ... }:
-{
-  home.packages = with pkgs; [
-    alacritty
-    ghostty
-    tofi
-    i3status-rust
-    mako
-    wlsunset
-    kanshi
-    grim
-    slurp
-    playerctl
-    swaybg
-  ];
-
-  xdg.configFile = {
-    "sway".source = "${config.dotfiles.path}/.config/sway";
-    "swaylock".source = "${config.dotfiles.path}/.config/swaylock";
-    "swayidle".source = "${config.dotfiles.path}/.config/swayidle";
-    "kanshi".source = "${config.dotfiles.path}/.config/kanshi";
-    "i3status-rust".source = "${config.dotfiles.path}/.config/i3status-rust";
-    "tofi/config".source = "${config.dotfiles.path}/.config/tofi/config";
-  };
-
-  programs.alacritty.enable = true;
-  xdg.configFile."alacritty".source = "${config.dotfiles.path}/.config/alacritty";
-
-  xdg.configFile."ghostty/config".source = "${config.dotfiles.path}/.config/ghostty/config";
-}
diff --git a/home/dev.nix b/home/dev.nix
deleted file mode 100644
index 2862d2d..0000000
--- a/home/dev.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, pkgs, ... }:
-{
-  home.packages = with pkgs; [
-    devenv
-    direnv
-    hut
-    radicle-node
-    typescript-language-server
-    nil # Nix language server
-    nixfmt-rfc-style
-  ];
-
-  programs.direnv = {
-    enable = true;
-    enableZshIntegration = true;
-    nix-direnv.enable = true;
-  };
-
-  xdg.configFile."hut/config".source = "${config.dotfiles.path}/.config/hut/config";
-}
diff --git a/home/helix.nix b/home/helix.nix
deleted file mode 100644
index 0c6f61c..0000000
--- a/home/helix.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  home.packages = [ pkgs.helix ];
-
-  programs.helix = {
-    enable = true;
-    defaultEditor = true;
-  };
-
-  xdg.configFile."helix".source = "${config.dotfiles.path}/.config/helix";
-}
diff --git a/home/mail/default.nix b/home/mail/default.nix
deleted file mode 100644
index e03b31f..0000000
--- a/home/mail/default.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{ config, ... }:
-{
-  programs.thunderbird = {
-    enable = true;
-    profiles = {
-      main = {
-        isDefault = true;
-      };
-    };
-  };
-
-  accounts.email.accounts = {
-    "rpqt@rpqt.fr" = {
-      address = "rpqt@rpqt.fr";
-      realName = "Romain Paquet";
-      primary = true;
-      flavor = "migadu.com";
-      thunderbird.enable = true;
-    };
-
-    "admin@rpqt.fr" = {
-      address = "admin@rpqt.fr";
-      aliases = [ "postmaster@rpqt.fr" ];
-      realName = "Postmaster";
-      flavor = "migadu.com";
-      thunderbird.enable = config.programs.thunderbird.enable;
-    };
-
-    "romain.paquet@grenoble-inp.org" = {
-      address = "romain.paquet@grenoble-inp.org";
-      realName = "Romain Paquet";
-      userName = "romain.paquet@grenoble-inp.org";
-      imap = {
-        host = "imap.partage.renater.fr";
-        port = 993;
-      };
-      smtp = {
-        host = "smtp.partage.renater.fr";
-        port = 465;
-      };
-      thunderbird.enable = config.programs.thunderbird.enable;
-    };
-  };
-}
diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
index 03dfad9..89eb186 100644
--- a/infra/.terraform.lock.hcl
+++ b/infra/.terraform.lock.hcl
@@ -1,44 +1,16 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 
-provider "registry.opentofu.org/go-gandi/gandi" {
-  version     = "2.3.0"
-  constraints = "2.3.0"
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.5"
   hashes = [
-    "h1:9kqWL+eFk/ogrQSltL9zVqjMcOqbvs3EgIJEeyNPb8U=",
-    "zh:0936d011cf75bb5162c6027d00575a586807adc9008f4152def157b6ad22bae9",
-    "zh:2170e671f04d3346ea416fcc404be6d05f637eab7df77e289a6898a928885f0b",
-    "zh:250329baae3cb09cfb88dd004d45f003ba76fbe7b8daf9d18fd640b93a2b7252",
-    "zh:2ccd9f253424738ca5fbbcb2127bf3713c20e87bfb3829f8c4565569424fd0bd",
-    "zh:3607b48bc4691cd209528f9ffe16a6cc666bd284b0d0bdfe8c4e1d538559a408",
-    "zh:3bc1d2b770fe0f50027da59c405b2468d1322243235367014f75f765124f458d",
-    "zh:6c8a9092847ee2e2890825432b54424c456638d494e49b7d1845f055214714f5",
-    "zh:8e0b62a330876005d52bcd65d7b1d9a679a7ac79c626e0f86661519e8f9b5698",
-    "zh:8f44f4d52583ff249e2001ea2a8b8841010489dd43e1a01a9ec3a6813d121c28",
-    "zh:9a617927d4a3a2897ff10999a19a6d1f0ef634b8c6b8fc3be12cf53948cfd9cf",
-    "zh:cab3c82c54e38e6001eed5b80a2d16b7824921f8f8b3909049e174c48e6e8804",
-    "zh:f78cc685aa4ba5056ea53a7f8ce585f87a911f0a8a387a44a33d7dfb69db7663",
+    "h1:en/2hMK/W/2hKtsEkbxGiiYwi/pSPS/UoGDILHIHjmw=",
   ]
 }
 
 provider "registry.opentofu.org/hetznercloud/hcloud" {
-  version     = "1.49.1"
-  constraints = "~> 1.45"
+  version = "1.58.0"
   hashes = [
-    "h1:FKGRNHVbcfQJd8EWrb8Ze5QHkaGr8zI+ZKxBMjvOwPk=",
-    "zh:3d5f9773da4f8203cf625d04a5a0e4ff7e202684c010a801a945756140c61cde",
-    "zh:446305d492017cda91e5c15122ec16ff15bfe3ef4d3fd6bcea0cdf7742ab1b86",
-    "zh:44d4f9156ed8b4f0444bd4dc456825940be49048828565964a192286d28c9f20",
-    "zh:492ad893d2f89bb17c9beb877c8ceb4a16caf39db1a79030fefeada6c7aa217f",
-    "zh:68dc552c19ad9d209ec6018445df6e06fb77a637513a53cc66ddce1b024082be",
-    "zh:7492495ffda6f6c49ab38b539bd2eb965b1150a63fb6b191a27dec07d17601cb",
-    "zh:850fe92005981ea00db86c3e49ba5b49732fdf1f7bd5530a68f6e272847059fc",
-    "zh:8cb67f744c233acfb1d68a6c27686315439d944edf733b95f113b4aa63d86713",
-    "zh:8e13dac46e8c2497772ed1baee701b1d1c26bcc95a63b5c4566c83468f504868",
-    "zh:c44249c6a8ba931e208a334792686b5355ab2da465cadea03c1ea8e73c02db12",
-    "zh:d103125a28a85c89aea0cb0c534fe3f504416c4d4fc75c37364b9ec5f66dd77d",
-    "zh:ed8f64e826aa9bfca95b72892271678cb78411b40d7b404a52404141e05a4ab1",
-    "zh:f40efad816de00b279bd1e2cbf62c76b0e5b2da150a0764f259984b318e30945",
-    "zh:f5e912d0873bf4ecc43feba4ceccdf158048080c76d557e47f34749139fdd452",
+    "h1:6C2LNEvCyGPyWgALDAFTNbRp+5Iuikd4Ju1Xejh+aeg=",
   ]
 }
diff --git a/infra/README.md b/infra/README.md
index 664306c..3c9e53d 100644
--- a/infra/README.md
+++ b/infra/README.md
@@ -19,3 +19,8 @@ tofu import hcloud_firewall.hcloud_firewall YYY
 ```
 
 For Hetzner Cloud, the resource IDs can be found in the URL of the admin console.
+
+## Outputs
+
+The nix configuration reads some values from the `outputs.json` file.
+When modifying these, the file should be regenerated with `tofu output -json > outputs.json`.
diff --git a/infra/base.nix b/infra/base.nix
new file mode 100644
index 0000000..1e7f0d3
--- /dev/null
+++ b/infra/base.nix
@@ -0,0 +1,24 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  terraform.required_providers.hcloud.source = "hetznercloud/hcloud";
+
+  data.external.hcloud-token = {
+    program = [
+      (lib.getExe (
+        pkgs.writeShellApplication {
+          name = "get-clan-secret";
+          text = ''
+            jq -n --arg secret "$(clan secrets get hcloud-token)" '{"secret":$secret}'
+          '';
+        }
+      ))
+    ];
+  };
+
+  provider.hcloud.token = config.data.external.hcloud-token "result.secret";
+}
diff --git a/infra/crocus.tf b/infra/crocus.tf
deleted file mode 100644
index abd9bf8..0000000
--- a/infra/crocus.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-resource "hcloud_server" "crocus_server" {
-  name         = "crocus"
-  server_type  = "cx22"
-  image        = "ubuntu-20.04"
-  firewall_ids = [hcloud_firewall.crocus_firewall.id]
-}
-
-resource "hcloud_firewall" "crocus_firewall" {
-  name = "crocus-firewall"
-
-  rule {
-    direction  = "in"
-    protocol   = "icmp"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-
-  rule {
-    direction  = "in"
-    protocol   = "tcp"
-    port       = "22"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-
-  rule {
-    direction  = "in"
-    protocol   = "tcp"
-    port       = "22"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-
-  rule {
-    direction  = "in"
-    protocol   = "tcp"
-    port       = "80"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-
-  rule {
-    direction  = "in"
-    protocol   = "tcp"
-    port       = "443"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-
-  # radicle-node
-  rule {
-    direction  = "in"
-    protocol   = "tcp"
-    port       = "8776"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-}
diff --git a/infra/dns.nix b/infra/dns.nix
new file mode 100644
index 0000000..a6f7031
--- /dev/null
+++ b/infra/dns.nix
@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+  resource.hcloud_zone.rpqt_fr = {
+    name = "rpqt.fr";
+    mode = "primary";
+  };
+
+  resource.hcloud_zone.turifer_dev = {
+    name = "turifer.dev";
+    mode = "primary";
+  };
+
+  output.rpqt_fr_zone_name = {
+    value = config.resource.hcloud_zone.rpqt_fr "name";
+  };
+
+  output.turifer_dev_zone_name = {
+    value = config.resource.hcloud_zone.turifer_dev "name";
+  };
+}
diff --git a/infra/dns.tf b/infra/dns.tf
deleted file mode 100644
index b28e757..0000000
--- a/infra/dns.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-data "gandi_livedns_domain" "rpqt_fr" {
-  name = "rpqt.fr"
-}
-
-resource "gandi_livedns_record" "rpqt_fr_radicle_a" {
-  zone = data.gandi_livedns_domain.rpqt_fr.id
-  name = "radicle"
-  type = "A"
-  ttl  = 10800
-  values = [
-    hcloud_server.crocus_server.ipv4_address,
-  ]
-}
-
-resource "gandi_livedns_record" "rpqt_fr_radicle_aaaa" {
-  zone = data.gandi_livedns_domain.rpqt_fr.id
-  name = "radicle"
-  type = "AAAA"
-  ttl  = 10800
-  values = [
-    hcloud_server.crocus_server.ipv6_address,
-  ]
-}
diff --git a/infra/flake-module.nix b/infra/flake-module.nix
new file mode 100644
index 0000000..6b19b9b
--- /dev/null
+++ b/infra/flake-module.nix
@@ -0,0 +1,40 @@
+{ self, ... }:
+{
+  perSystem =
+    { pkgs, ... }:
+    {
+      terranix.terranixConfigurations.infra = {
+        terraformWrapper.package = pkgs.opentofu.withPlugins (p: [
+          p.hashicorp_external
+          p.hetznercloud_hcloud
+        ]);
+
+        extraArgs = { inherit (self) infra; };
+        modules = [
+          ./base.nix
+          ./dns.nix
+          ./mail.nix
+          ./radicle.nix
+          ./web.nix
+        ];
+      };
+    };
+
+  flake.infra =
+    let
+      tf_outputs = builtins.fromJSON (builtins.readFile ./outputs.json);
+    in
+    {
+      machines = {
+        verbena = {
+          ipv4 = tf_outputs.verbena_ipv4.value;
+          ipv6 = tf_outputs.verbena_ipv6.value;
+          gateway6 = tf_outputs.verbena_gateway6.value;
+        };
+        crocus = {
+          ipv4 = tf_outputs.crocus_ipv4.value;
+          ipv6 = "2a01:4f8:1c1e:e415::1";
+        };
+      };
+    };
+}
diff --git a/infra/lib.nix b/infra/lib.nix
new file mode 100644
index 0000000..cf93e1e
--- /dev/null
+++ b/infra/lib.nix
@@ -0,0 +1,88 @@
+{ lib, ... }:
+let
+  mkMigaduDkim = zone: name: {
+    inherit zone;
+    name = "${name}._domainkey";
+    type = "CNAME";
+    records = [
+      { value = "${name}.${zone}._domainkey.migadu.com."; }
+    ];
+  };
+in
+{
+  mkMigadu_hcloud_zone_rrset = zone: hostedEmailVerify: {
+    dkim_1 = mkMigaduDkim zone "key1";
+    dkim_2 = mkMigaduDkim zone "key2";
+    dkim_3 = mkMigaduDkim zone "key3";
+
+    spf = {
+      inherit zone;
+      name = "@";
+      type = "TXT";
+      records = [
+        {
+          value = lib.tf.ref ''provider::hcloud::txt_record("v=spf1 include:spf.migadu.com -all")'';
+        }
+        {
+          value = lib.tf.ref ''provider::hcloud::txt_record("hosted-email-verify=pgeaq3bp")'';
+        }
+      ];
+    };
+
+    dmarc = {
+      inherit zone;
+      name = "_dmarc";
+      type = "TXT";
+      records = [
+        {
+          value = lib.tf.ref ''provider::hcloud::txt_record("v=DMARC1; p=quarantine;")'';
+        }
+      ];
+    };
+
+    mx = {
+      inherit zone;
+      name = "@";
+      type = "MX";
+      records = [
+        { value = "10 aspmx1.migadu.com."; }
+        { value = "20 aspmx2.migadu.com."; }
+      ];
+    };
+
+    autoconfig = {
+      inherit zone;
+      name = "autoconfig";
+      type = "CNAME";
+      records = [ { value = "autoconfig.migadu.com."; } ];
+    };
+
+    autodiscover = {
+      inherit zone;
+      name = "_autodiscover._tcp";
+      type = "SRV";
+      records = [ { value = "0 1 443 autodiscover.migadu.com."; } ];
+    };
+
+    submissions = {
+      inherit zone;
+      name = "_submissions._tcp";
+      type = "SRV";
+      records = [ { value = "0 1 465 smtp.migadu.com."; } ];
+    };
+
+    imaps = {
+      inherit zone;
+      name = "_imaps._tcp";
+      type = "SRV";
+      records = [ { value = "0 1 993 imap.migadu.com."; } ];
+    };
+
+    pop3s = {
+      inherit zone;
+      name = "_pop3s._tcp";
+      type = "SRV";
+      records = [ { value = "0 1 995 pop.migadu.com."; } ];
+    };
+  };
+}
diff --git a/infra/mail.nix b/infra/mail.nix
new file mode 100644
index 0000000..255a3cc
--- /dev/null
+++ b/infra/mail.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+let
+  inherit (import ./lib.nix { inherit lib; })
+    mkMigadu_hcloud_zone_rrset
+    ;
+  rpqt_fr = mkMigadu_hcloud_zone_rrset (config.resource.hcloud_zone.rpqt_fr "name") "pgeaq3bp";
+
+  # Prefix resource names with zone name to avoid collision
+  turifer_dev = lib.mapAttrs' (name: value: lib.nameValuePair "turifer_dev_${name}" value) (
+    mkMigadu_hcloud_zone_rrset (config.resource.hcloud_zone.turifer_dev "name") "k5z4lcfc"
+  );
+in
+{
+  resource.hcloud_zone_rrset = rpqt_fr // turifer_dev;
+}
diff --git a/infra/main.tf b/infra/main.tf
deleted file mode 100644
index 15453d9..0000000
--- a/infra/main.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
-  required_providers {
-    gandi = {
-      source  = "go-gandi/gandi"
-      version = "2.3.0"
-    }
-    hcloud = {
-      source  = "hetznercloud/hcloud"
-      version = "~> 1.45"
-    }
-  }
-}
diff --git a/infra/outputs.json b/infra/outputs.json
new file mode 100644
index 0000000..925eb81
--- /dev/null
+++ b/infra/outputs.json
@@ -0,0 +1,22 @@
+{
+  "crocus_ipv4": {
+    "sensitive": false,
+    "type": "string",
+    "value": "116.203.18.122"
+  },
+  "verbena_gateway6": {
+    "sensitive": false,
+    "type": "string",
+    "value": "2001:41d0:305:2100::1"
+  },
+  "verbena_ipv4": {
+    "sensitive": false,
+    "type": "string",
+    "value": "51.68.122.153"
+  },
+  "verbena_ipv6": {
+    "sensitive": false,
+    "type": "string",
+    "value": "2001:41d0:305:2100::271e"
+  }
+}
diff --git a/infra/providers.tf b/infra/providers.tf
deleted file mode 100644
index d8d6d9b..0000000
--- a/infra/providers.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-provider "gandi" {
-  personal_access_token = var.gandi_token
-}
-
-provider "hcloud" {
-  token = var.hcloud_token
-}
diff --git a/infra/radicle.nix b/infra/radicle.nix
new file mode 100644
index 0000000..b7f239d
--- /dev/null
+++ b/infra/radicle.nix
@@ -0,0 +1,52 @@
+{
+  config,
+  infra,
+  lib,
+  ...
+}:
+{
+  resource.hcloud_zone_rrset =
+    let
+      zone = config.resource.hcloud_zone.rpqt_fr "name";
+    in
+    {
+      radicle_a = {
+        inherit zone;
+        name = "radicle";
+        type = "A";
+        records = [ { value = infra.machines.crocus.ipv4; } ];
+      };
+
+      radicle_aaaa = {
+        inherit zone;
+        name = "radicle";
+        type = "AAAA";
+        records = [ { value = infra.machines.crocus.ipv6; } ];
+      };
+
+      radicles_srv = {
+        inherit zone;
+        name = "seed._radicle-node._tcp";
+        type = "SRV";
+        records = [ { value = "32767 32767 58776 radicle.rpqt.fr."; } ];
+      };
+
+      radicles_nid = {
+        inherit zone;
+        name = "seed._radicle-node._tcp";
+        type = "TXT";
+        records = [
+          {
+            value = lib.tf.ref ''provider::hcloud::txt_record("nid=z6MkuivFHDPg6Bd25v4bEWm7T7qLUYMWk1eVTE7exvum5Rvd")'';
+          }
+        ];
+      };
+
+      radicle_ptr = {
+        inherit zone;
+        name = "_radicle-node._tcp";
+        type = "PTR";
+        records = [ { value = "seed._radicle-node._tcp.radicle.rpqt.fr."; } ];
+      };
+    };
+}
diff --git a/infra/variables.tf b/infra/variables.tf
deleted file mode 100644
index 3bc7123..0000000
--- a/infra/variables.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-variable "gandi_token" {
-  sensitive = true
-}
-
-variable "hcloud_token" {
-  sensitive = true
-}
diff --git a/infra/web.nix b/infra/web.nix
new file mode 100644
index 0000000..2513a6a
--- /dev/null
+++ b/infra/web.nix
@@ -0,0 +1,82 @@
+{ config, infra, ... }:
+{
+  resource.hcloud_zone_rrset =
+    let
+      sourcehut_pages = {
+        ipv4 = "46.23.81.157";
+        ipv6 = "2a03:6000:1813:1337::157";
+      };
+      zone = config.resource.hcloud_zone.rpqt_fr "name";
+    in
+    {
+      a = {
+        inherit zone;
+        name = "@";
+        type = "A";
+        records = [ { value = sourcehut_pages.ipv4; } ];
+      };
+
+      aaaa = {
+        inherit zone;
+        name = "@";
+        type = "AAAA";
+        records = [ { value = sourcehut_pages.ipv6; } ];
+      };
+
+      cloud_a = {
+        inherit zone;
+        name = "cloud";
+        type = "A";
+        records = [ { value = infra.machines.verbena.ipv4; } ];
+      };
+
+      cloud_aaaa = {
+        inherit zone;
+        name = "cloud";
+        type = "AAAA";
+        records = [ { value = infra.machines.verbena.ipv6; } ];
+      };
+
+      git_turifer_dev_a = {
+        zone = config.resource.hcloud_zone.turifer_dev "name";
+        name = "git";
+        type = "A";
+        records = [ { value = infra.machines.verbena.ipv4; } ];
+      };
+
+      git_turifer_dev_aaaa = {
+        zone = config.resource.hcloud_zone.turifer_dev "name";
+        name = "git";
+        type = "AAAA";
+        records = [ { value = infra.machines.verbena.ipv6; } ];
+      };
+
+      buildbot_turifer_dev_a = {
+        zone = config.resource.hcloud_zone.turifer_dev "name";
+        name = "buildbot";
+        type = "A";
+        records = [ { value = infra.machines.verbena.ipv4; } ];
+      };
+
+      buildbot_turifer_dev_aaaa = {
+        zone = config.resource.hcloud_zone.turifer_dev "name";
+        name = "buildbot";
+        type = "AAAA";
+        records = [ { value = infra.machines.verbena.ipv6; } ];
+      };
+
+      wg1_turifer_dev_a = {
+        zone = config.resource.hcloud_zone.turifer_dev "name";
+        name = "wg1";
+        type = "A";
+        records = [ { value = infra.machines.verbena.ipv4; } ];
+      };
+
+      wg1_turifer_dev_aaaa = {
+        zone = config.resource.hcloud_zone.turifer_dev "name";
+        name = "wg1";
+        type = "AAAA";
+        records = [ { value = infra.machines.verbena.ipv6; } ];
+      };
+    };
+}
diff --git a/inventory.json b/inventory.json
new file mode 100644
index 0000000..d5755f2
--- /dev/null
+++ b/inventory.json
@@ -0,0 +1,18 @@
+{
+  "machines": {
+    "verbena": {
+      "installedAt": 1757633120
+    },
+    "crocus": {
+      "installedAt": 1757633120
+    },
+    "haze": {
+      "installedAt": 1757633120,
+      "description": "Romain's laptop"
+    },
+    "genepi": {
+      "installedAt": 1757633120,
+      "description": "Raspberry Pi 4B"
+    }
+  }
+}
\ No newline at end of file
diff --git a/machines/README.md b/machines/README.md
index 996fa70..7290d44 100644
--- a/machines/README.md
+++ b/machines/README.md
@@ -3,3 +3,4 @@
 - **crocus**: Hetzner Cloud x86_64 VPS
 - **genepi**: Raspberry Pi 4B
 - **haze**: ASUS VivoBook Laptop
+- **verbena**: OVH Cloud x86_64 VPS
diff --git a/machines/crocus/configuration.nix b/machines/crocus/configuration.nix
index 39e52d0..50ca761 100644
--- a/machines/crocus/configuration.nix
+++ b/machines/crocus/configuration.nix
@@ -1,23 +1,23 @@
 {
-  inputs,
-  modulesPath,
-  config,
+  self,
   ...
 }:
 {
   imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
-    # ./radicle.nix
-    ../../system
-    inputs.clan-core.clanModules.state-version
+    self.nixosModules.radicle
+    self.nixosModules.nix-defaults
     ../../modules/remote-builder.nix
-    ../../modules/borgbackup.nix
+    self.inputs.srvos.nixosModules.server
+    self.inputs.srvos.nixosModules.hardware-hetzner-cloud
+  ];
+
+  disabledModules = [
+    self.inputs.srvos.nixosModules.mixins-cloud-init
   ];
 
   nixpkgs.hostPlatform = "x86_64-linux";
 
   networking.hostName = "crocus";
-  clan.core.networking.targetHost = "root@crocus.local";
 
   networking.useDHCP = false;
   systemd.network.enable = true;
@@ -32,38 +32,34 @@
     ];
   };
 
-  services.avahi.enable = true;
+  fileSystems."/data1" = {
+    device = "/dev/disk/by-id/scsi-0HC_Volume_103766469";
+  };
 
-  disko.devices.disk.main.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_48353082";
+  services.garage.settings.data_dir = [
+    {
+      path = "/var/lib/garage/data";
+      capacity = "20G";
+    }
+    {
+      path = "/data1/garage";
+      capacity = "20G";
+    }
+  ];
+
+  clan.core.settings.state-version.enable = true;
+
+  clan.core.networking.buildHost = "root@haze";
+
+  services.avahi.allowInterfaces = [
+    "zts7mq7onf"
+  ];
 
   boot.loader.grub = {
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
 
-  services.prometheus = {
-    enable = true;
-    port = 9001;
-    exporters = {
-      node = {
-        enable = true;
-        enabledCollectors = [ "systemd" ];
-        port = 9002;
-      };
-    };
-
-    scrapeConfigs = [
-      {
-        job_name = "crocus";
-        static_configs = [
-          {
-            targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
-          }
-        ];
-      }
-    ];
-  };
-
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
@@ -79,4 +75,6 @@
     acceptTerms = true;
     defaults.email = "admin@rpqt.fr";
   };
+
+  services.tailscale.useRoutingFeatures = "server";
 }
diff --git a/machines/crocus/disko.nix b/machines/crocus/disko.nix
index af03c18..b529126 100644
--- a/machines/crocus/disko.nix
+++ b/machines/crocus/disko.nix
@@ -1,17 +1,8 @@
 {
-  clan-core,
-  config,
-  ...
-}:
-let
-  suffix = config.clan.core.vars.generators.disk-id.files.diskId.value;
-in
-{
-  imports = [ clan-core.clanModules.disk-id ];
-
   disko.devices.disk.main = {
-    name = "main-" + suffix;
+    name = "main-dbca87cd30a5498488026c65b37eba60";
     type = "disk";
+    device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_48353082";
     content = {
       type = "gpt";
       partitions = {
diff --git a/machines/crocus/radicle.nix b/machines/crocus/radicle.nix
deleted file mode 100644
index d7f60b5..0000000
--- a/machines/crocus/radicle.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, keys, ... }:
-{
-  services.radicle = {
-    enable = true;
-    privateKeyFile = config.age.secrets.radicle-private-key.path;
-    publicKey = keys.services.radicle;
-    node = {
-      openFirewall = true;
-    };
-    httpd = {
-      enable = true;
-      nginx = {
-        serverName = "radicle.rpqt.fr";
-        enableACME = true;
-        forceSSL = true;
-      };
-    };
-  };
-
-  age.secrets.radicle-private-key.file = ../../secrets/radicle-private-key.age;
-}
diff --git a/machines/genepi/acme.nix b/machines/genepi/acme.nix
deleted file mode 100644
index d9c784d..0000000
--- a/machines/genepi/acme.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, ... }:
-{
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "admin@rpqt.fr";
-  };
-
-  age.secrets.gandi.file = ../../secrets/gandi.age;
-
-  security.acme = {
-    certs."home.rpqt.fr" = {
-      group = config.services.nginx.group;
-
-      domain = "home.rpqt.fr";
-      extraDomainNames = [ "*.home.rpqt.fr" ];
-      dnsProvider = "gandiv5";
-      dnsPropagationCheck = true;
-      environmentFile = config.age.secrets.gandi.path;
-    };
-  };
-}
diff --git a/machines/genepi/actual.nix b/machines/genepi/actual.nix
new file mode 100644
index 0000000..b455535
--- /dev/null
+++ b/machines/genepi/actual.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+let
+  domain = "actual.val";
+in
+{
+  services.actual = {
+    enable = true;
+    settings = {
+      hostname = "127.0.0.1";
+      port = 5555;
+    };
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass =
+      "http://127.0.0.1:${builtins.toString config.services.actual.settings.port}";
+  };
+
+  security.acme.certs.${domain}.server = "https://ca.val/acme/acme/directory";
+
+  clan.core.state.actual.folders = [ "/var/lib/actual" ];
+}
diff --git a/machines/genepi/boot.nix b/machines/genepi/boot.nix
index a93d860..c6c7b80 100644
--- a/machines/genepi/boot.nix
+++ b/machines/genepi/boot.nix
@@ -8,12 +8,18 @@
   ];
 
   boot.loader = {
-    grub.enable = false;
-    generic-extlinux-compatible.enable = true;
+    generic-extlinux-compatible.enable = false;
+    efi.canTouchEfiVariables = true;
+    systemd-boot.enable = true;
   };
 
+  nixpkgs.overlays = [
+    (final: super: {
+      makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
+    })
+  ];
+
   boot.supportedFilesystems = [
-    "btrfs"
     "vfat"
   ];
 }
diff --git a/machines/genepi/builder.nix b/machines/genepi/builder.nix
index eeab549..5e4a7e3 100644
--- a/machines/genepi/builder.nix
+++ b/machines/genepi/builder.nix
@@ -1,4 +1,3 @@
-{ keys, ... }:
 {
   imports = [
     ../../modules/remote-builder.nix
@@ -6,6 +5,8 @@
 
   roles.remote-builder = {
     enable = true;
-    authorizedKeys = [ keys.hosts.haze ];
+    authorizedKeys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze"
+    ];
   };
 }
diff --git a/machines/genepi/configuration.nix b/machines/genepi/configuration.nix
index e86c027..1e48016 100644
--- a/machines/genepi/configuration.nix
+++ b/machines/genepi/configuration.nix
@@ -1,47 +1,37 @@
 {
-  inputs,
+  self,
   ...
 }:
 {
   imports = [
-    inputs.agenix.nixosModules.default
-    inputs.impermanence.nixosModules.impermanence
-    ./acme.nix
+    ./actual.nix
     ./boot.nix
     ./builder.nix
-    ./dns.nix
     ./freshrss.nix
     ./glance.nix
     ./homeassistant.nix
-    # ./immich.nix
+    ./immich.nix
     ./monitoring
-    ./mpd.nix
     ./network.nix
     ./nginx.nix
-    ./persistence.nix
+    ./pinchflat.nix
     ./syncthing.nix
-    ./taskchampion.nix
 
-    ../../system
-    ../../modules/borgbackup.nix
+    ../../modules/acme-home.nix
+    ../../modules/lounge.nix
+    self.nixosModules.nix-defaults
 
-    inputs.clan-core.clanModules.state-version
-    inputs.clan-core.clanModules.trusted-nix-caches
+    self.nixosModules.user-rpqt
 
-    inputs.home-manager.nixosModules.home-manager
-    {
-      home-manager.useGlobalPkgs = true;
-      home-manager.useUserPackages = true;
-      home-manager.users.rpqt = ./home.nix;
-    }
+    self.inputs.srvos.nixosModules.mixins-terminfo
   ];
 
   networking.hostName = "genepi";
-  clan.core.networking.targetHost = "root@genepi.local";
 
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-  };
+  time.timeZone = "Europe/Paris";
+
+  services.prometheus.checkConfig = "syntax-only";
+  clan.core.vars.generators.garage.files.metrics_token.owner = "prometheus";
+
+  clan.core.settings.state-version.enable = true;
 }
diff --git a/machines/genepi/disko.nix b/machines/genepi/disko.nix
index 3fd4480..908efe6 100644
--- a/machines/genepi/disko.nix
+++ b/machines/genepi/disko.nix
@@ -1,74 +1,27 @@
 {
   disko.devices.disk.main = {
+    name = "main-72b27bb5253045f38a07b6bc368ab85c";
     type = "disk";
     device = "/dev/disk/by-id/ata-WD_Green_M.2_2280_480GB_2251E6411147";
     content = {
       type = "gpt";
       partitions = {
         ESP = {
-          priority = 1;
-          name = "ESP";
-          start = "1M";
-          end = "512M";
           type = "EF00";
+          size = "512M";
+          priority = 1;
           content = {
             type = "filesystem";
             format = "vfat";
             mountpoint = "/boot";
-            mountOptions = [ "umask=0077" ];
           };
         };
         root = {
           end = "-4G";
           content = {
-            type = "btrfs";
-            extraArgs = [
-              "-L"
-              "nixos"
-              "-f" # Override existing partition
-            ];
-            subvolumes = {
-              "/root" = {
-                mountpoint = "/";
-                mountOptions = [
-                  "subvol=root"
-                  "compress=zstd"
-                  "noatime"
-                ];
-              };
-              "/home" = {
-                mountpoint = "/home";
-                mountOptions = [
-                  "subvol=home"
-                  "compress=zstd"
-                  "noatime"
-                ];
-              };
-              "/nix" = {
-                mountpoint = "/nix";
-                mountOptions = [
-                  "subvol=nix"
-                  "compress=zstd"
-                  "noatime"
-                ];
-              };
-              "/persist" = {
-                mountpoint = "/persist";
-                mountOptions = [
-                  "subvol=persist"
-                  "compress=zstd"
-                  "noatime"
-                ];
-              };
-              "/log" = {
-                mountpoint = "/var/log";
-                mountOptions = [
-                  "subvol=log"
-                  "compress=zstd"
-                  "noatime"
-                ];
-              };
-            };
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
           };
         };
         swap = {
@@ -80,7 +33,4 @@
       };
     };
   };
-
-  fileSystems."/persist".neededForBoot = true;
-  fileSystems."/var/log".neededForBoot = true;
 }
diff --git a/machines/genepi/dns.nix b/machines/genepi/dns.nix
deleted file mode 100644
index 086bcc0..0000000
--- a/machines/genepi/dns.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ config, lib, ... }:
-let
-  domain = "home.rpqt.fr";
-  genepi = {
-    ip = "100.83.123.79";
-    subdomains = [
-      "glance"
-      "grafana"
-      "images"
-      "rss"
-      "tw"
-    ];
-  };
-in
-{
-  networking.firewall.interfaces."${config.services.tailscale.interfaceName}" = {
-    allowedTCPPorts = [ 53 ];
-    allowedUDPPorts = [ 53 ];
-  };
-
-  services.unbound = {
-    enable = true;
-    resolveLocalQueries = false;
-
-    settings = {
-      server = {
-        interface = [ "${config.services.tailscale.interfaceName}" ];
-        access-control = [ "100.0.0.0/8 allow" ];
-
-        local-zone = lib.map (subdomain: ''"${subdomain}.${domain}." redirect'') genepi.subdomains;
-        local-data = lib.map (subdomain: ''"${subdomain}.${domain}. IN A ${genepi.ip}"'') genepi.subdomains;
-      };
-    };
-  };
-}
diff --git a/machines/genepi/freshrss.nix b/machines/genepi/freshrss.nix
index 9797ece..511ee1d 100644
--- a/machines/genepi/freshrss.nix
+++ b/machines/genepi/freshrss.nix
@@ -1,26 +1,31 @@
 { config, ... }:
 let
-  domain = "home.rpqt.fr";
-  subdomain = "rss.${domain}";
+  tld = "val";
+  domain = "rss.${tld}";
 in
 {
-  age.secrets.freshrss = {
-    file = ../../secrets/freshrss.age;
-    mode = "700";
-    owner = config.services.freshrss.user;
-  };
-
   services.freshrss = {
     enable = true;
-    baseUrl = "https://${subdomain}";
-    virtualHost = "${subdomain}";
+    baseUrl = "https://${domain}";
+    virtualHost = "${domain}";
 
     defaultUser = "rpqt";
-    passwordFile = config.age.secrets.freshrss.path;
+    passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
   };
 
   services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
     forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
+  };
+
+  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
+
+  clan.core.vars.generators.freshrss = {
+    prompts.freshrss-password = {
+      description = "freshrss default user password";
+      type = "hidden";
+      persist = true;
+    };
+    files.freshrss-password.owner = config.services.freshrss.user;
   };
 }
diff --git a/machines/genepi/glance-config.nix b/machines/genepi/glance-config.nix
index 4b913e6..b8d2c17 100644
--- a/machines/genepi/glance-config.nix
+++ b/machines/genepi/glance-config.nix
@@ -1,3 +1,4 @@
+{ tld }:
 {
   theme = {
     light = true;
@@ -41,18 +42,105 @@
               sites = [
                 {
                   title = "Immich";
-                  url = "https://images.home.rpqt.fr";
-                  icon = "si:immich";
-                }
-                {
-                  title = "Grafana";
-                  url = "https://grafana.home.rpqt.fr";
-                  icon = "si:grafana";
+                  url = "https://images.${tld}";
+                  icon = "sh:immich";
                 }
                 {
                   title = "FreshRSS";
-                  url = "https://rss.home.rpqt.fr";
-                  icon = "si:rss";
+                  url = "https://rss.${tld}";
+                  icon = "sh:freshrss";
+                }
+                {
+                  title = "Syncthing";
+                  url = "https://genepi.${tld}/syncthing";
+                  icon = "sh:syncthing";
+                }
+                {
+                  title = "Actual Budget";
+                  url = "https://actual.${tld}";
+                  icon = "sh:actual-budget";
+                }
+                {
+                  title = "Gitea";
+                  url = "https://git.turifer.dev";
+                  icon = "sh:gitea";
+                }
+                {
+                  title = "Pinchflat";
+                  url = "https://pinchflat.${tld}";
+                  icon = "https://cdn.jsdelivr.net/gh/selfhst/icons/png/pinchflat.png";
+                }
+                {
+                  title = "Home Assistant";
+                  url = "https://assistant.${tld}";
+                  icon = "sh:home-assistant";
+                }
+                {
+                  title = "Nextcloud";
+                  url = "https://cloud.rpqt.fr";
+                  icon = "sh:nextcloud";
+                }
+                {
+                  title = "Buildbot";
+                  url = "https://buildbot.turifer.dev";
+                  icon = "https://buildbot.turifer.dev/icon.svg";
+                }
+                {
+                  title = "Radicle";
+                  url = "https://app.radicle.xyz/nodes/radicle.rpqt.fr";
+                  icon = "sh:radicle";
+                }
+              ];
+            }
+            {
+              type = "monitor";
+              cache = "1m";
+              title = "Monitoring";
+              sites = [
+                {
+                  title = "Grafana";
+                  url = "https://grafana.${tld}";
+                  icon = "sh:grafana";
+                }
+                {
+                  title = "Prometheus";
+                  url = "http://genepi.${tld}:9090";
+                  icon = "sh:prometheus";
+                }
+              ];
+            }
+            {
+              type = "monitor";
+              cache = "1m";
+              title = "Sites";
+              sites = [
+                {
+                  title = "Lounge";
+                  url = "https://lounge.${tld}";
+                  icon = "si:html5";
+                }
+                {
+                  title = "Web corner";
+                  url = "https://rpqt.fr";
+                  icon = "si:html5";
+                }
+              ];
+            }
+            {
+              type = "bookmarks";
+              groups = [
+                {
+                  title = "Music";
+                  links = [
+                    {
+                      title = "YouTube Music";
+                      url = "https://music.youtube.com";
+                    }
+                    {
+                      title = "Music for programming";
+                      url = "https://musicforprogramming.net/latest/";
+                    }
+                  ];
                 }
               ];
             }
@@ -60,14 +148,20 @@
         }
         {
           size = "small";
-          widgets = [
-            {
+          widgets =
+            let
+              locations = [
+                "Krakow, Poland"
+                "Grenoble, France"
+                "Saint-Michel-de-Maurienne, France"
+              ];
+            in
+            builtins.map (location: {
               type = "weather";
-              location = "Grenoble, France";
+              inherit location;
               units = "metric";
               hour-format = "24h";
-            }
-          ];
+            }) locations;
         }
       ];
     }
@@ -85,7 +179,7 @@
               cache = "12h";
               feeds = [
                 {
-                  url = "https://rss.home.rpqt.fr/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss";
+                  url = "https://rss.${tld}/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss";
                 }
               ];
             }
diff --git a/machines/genepi/glance.nix b/machines/genepi/glance.nix
index a68385e..6aa1cc2 100644
--- a/machines/genepi/glance.nix
+++ b/machines/genepi/glance.nix
@@ -1,18 +1,20 @@
 { config, ... }:
 let
-  domain = "home.rpqt.fr";
-  subdomain = "glance.${domain}";
+  tld = "val";
+  domain = "glance.${tld}";
 in
 {
   services.glance = {
     enable = true;
-    settings = ./glance-config.nix;
+    settings = (import ./glance-config.nix) { inherit tld; };
   };
 
-  services.nginx.virtualHosts.${subdomain} = {
+  services.nginx.virtualHosts.${domain} = {
     forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
     locations."/".proxyPass =
       "http://127.0.0.1:${toString config.services.glance.settings.server.port}";
   };
+
+  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/hardware-configuration.nix b/machines/genepi/hardware-configuration.nix
index efcb8ff..3cc97f1 100644
--- a/machines/genepi/hardware-configuration.nix
+++ b/machines/genepi/hardware-configuration.nix
@@ -1,20 +1,20 @@
-{ inputs, pkgs, ... }:
+{ self, pkgs, ... }:
 {
   imports = [
-    # inputs.nixos-hardware.nixosModules.raspberry-pi-4
+    self.inputs.nixos-hardware.nixosModules.raspberry-pi-4
   ];
 
   nixpkgs.hostPlatform = "aarch64-linux";
 
   hardware.enableRedistributableFirmware = true;
 
-  # hardware = {
-  #   raspberry-pi."4".apply-overlays-dtmerge.enable = true;
-  #   deviceTree = {
-  #     enable = true;
-  #     filter = "*rpi-4-*.dtb";
-  #   };
-  # };
+  hardware = {
+    raspberry-pi."4".apply-overlays-dtmerge.enable = true;
+    deviceTree = {
+      enable = true;
+      filter = "*rpi-4-*.dtb";
+    };
+  };
 
   environment.systemPackages = with pkgs; [
     libraspberrypi
diff --git a/machines/genepi/home.nix b/machines/genepi/home.nix
deleted file mode 100644
index 9662907..0000000
--- a/machines/genepi/home.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-{
-  home.username = "rpqt";
-  home.homeDirectory = lib.mkForce "/home/rpqt";
-
-  home.packages = [
-    pkgs.helix
-    pkgs.ripgrep
-    pkgs.eza
-  ];
-
-  programs.zsh.enable = true;
-  programs.starship.enable = true;
-  programs.atuin.enable = true;
-
-  # This value determines the Home Manager release that your configuration is
-  # compatible with. This helps avoid breakage when a new Home Manager release
-  # introduces backwards incompatible changes.
-  #
-  # You should not change this value, even if you update Home Manager. If you do
-  # want to update the value, then make sure to first check the Home Manager
-  # release notes.
-  home.stateVersion = "24.11";
-
-  # Let Home Manager install and manage itself
-  programs.home-manager.enable = true;
-}
diff --git a/machines/genepi/homeassistant.nix b/machines/genepi/homeassistant.nix
index 8506960..2c61efb 100644
--- a/machines/genepi/homeassistant.nix
+++ b/machines/genepi/homeassistant.nix
@@ -1,10 +1,42 @@
+{ config, ... }:
+let
+  tld = "val";
+  domain = "assistant.${tld}";
+in
 {
-  virtualisation.oci-containers.containers.homeassistant = {
-    volumes = [ "home-assistant:/config" ];
-    environment.TZ = "Europe/Paris";
-    image = "ghcr.io/home-assistant/home-assistant:stable";
-    extraOptions = [
-      "--network=host"
+  services.home-assistant = {
+    enable = true;
+    extraComponents = [
+      # Components required to complete the onboarding
+      "analytics"
+      "google_translate"
+      "met"
+      "radio_browser"
+      "shopping_list"
+      # For fast zlib compression
+      "isal"
+      "shelly"
     ];
+    config = {
+      default_config = { };
+      http = {
+        use_x_forwarded_for = true;
+        trusted_proxies = [ "127.0.0.1" ];
+      };
+    };
   };
+
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      proxy_buffering off;
+    '';
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.home-assistant.config.http.server_port}";
+      proxyWebsockets = true;
+    };
+  };
+
+  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/immich.nix b/machines/genepi/immich.nix
index 7161f3c..76e7f65 100644
--- a/machines/genepi/immich.nix
+++ b/machines/genepi/immich.nix
@@ -1,19 +1,19 @@
 { config, ... }:
 let
-  domain = "home.rpqt.fr";
-  subdomain = "images.${domain}";
+  tld = "val";
+  domain = "images.${tld}";
 in
 {
   services.immich = {
     enable = true;
     settings = {
-      server.externalDomain = "https://${subdomain}";
+      server.externalDomain = "https://${domain}";
     };
   };
 
-  services.nginx.virtualHosts.${subdomain} = {
+  services.nginx.virtualHosts.${domain} = {
     forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
     locations."/" = {
       proxyPass = "http://${toString config.services.immich.host}:${toString config.services.immich.port}";
       proxyWebsockets = true;
@@ -26,5 +26,7 @@ in
     };
   };
 
-  clan.core.state.userdata.folders = [ "/var/lib/immich" ];
+  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
+
+  clan.core.state.immich.folders = [ "/var/lib/immich" ];
 }
diff --git a/machines/genepi/monitoring/default.nix b/machines/genepi/monitoring/default.nix
index aea5039..e5a3e88 100644
--- a/machines/genepi/monitoring/default.nix
+++ b/machines/genepi/monitoring/default.nix
@@ -1,6 +1,9 @@
 {
   imports = [
     ./grafana.nix
-    ./prometheus.nix
+  ];
+
+  networking.firewall.interfaces."zts7mq7onf".allowedTCPPorts = [
+    9090 # prometheus web interface
   ];
 }
diff --git a/machines/genepi/monitoring/grafana.nix b/machines/genepi/monitoring/grafana.nix
index 7bea765..ac96660 100644
--- a/machines/genepi/monitoring/grafana.nix
+++ b/machines/genepi/monitoring/grafana.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
-  domain = "home.rpqt.fr";
+  tld = "val";
 in
 {
   services.grafana = {
@@ -8,7 +8,7 @@ in
     settings = {
       server = {
         http_port = 3000;
-        domain = "grafana.${domain}";
+        domain = "grafana.${tld}";
       };
     };
     provision = {
@@ -31,10 +31,13 @@ in
 
   services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
     forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
     locations."/" = {
       proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
       proxyWebsockets = true;
     };
   };
+
+  security.acme.certs.${config.services.grafana.settings.server.domain}.server =
+    "https://ca.${tld}/acme/acme/directory";
 }
diff --git a/machines/genepi/monitoring/prometheus.nix b/machines/genepi/monitoring/prometheus.nix
index 401a422..fcf4d20 100644
--- a/machines/genepi/monitoring/prometheus.nix
+++ b/machines/genepi/monitoring/prometheus.nix
@@ -58,6 +58,4 @@ in
       };
     };
   };
-
-  clan.core.state.userdata.folders = [ "/var/lib/prometheus2" ];
 }
diff --git a/machines/genepi/mpd.nix b/machines/genepi/mpd.nix
deleted file mode 100644
index 3f869b5..0000000
--- a/machines/genepi/mpd.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ config, ... }:
-{
-  services.mpd = {
-    enable = true;
-    musicDirectory = "/home/rpqt/Media/Music";
-    extraConfig = ''
-      audio_output {
-        type "pulse"
-        name "Pulse Audio"
-      }
-    '';
-
-    network.listenAddress = "any";
-  };
-
-  services.pulseaudio.enable = true;
-
-  # Workaround: run PulseAudio system-wide so that the mpd user can access it
-  services.pulseaudio.systemWide = true;
-
-  # Fixes the stutter when changing volume (found this randomly)
-  services.pulseaudio.daemon.config.flat-volumes = "no";
-
-  users.users.${config.services.mpd.user}.extraGroups = [ "pulse-access" ];
-
-  users.users.rpqt.homeMode = "755";
-}
diff --git a/machines/genepi/network.nix b/machines/genepi/network.nix
index 49b5992..e6225ef 100644
--- a/machines/genepi/network.nix
+++ b/machines/genepi/network.nix
@@ -1,6 +1,6 @@
 {
   # Tailscale seems to break when not using resolved
-  services.resolved.enable = true;
+  # services.resolved.enable = true;
   networking.useDHCP = true;
   networking.interfaces.tailscale0.useDHCP = false;
 }
diff --git a/machines/genepi/nginx.nix b/machines/genepi/nginx.nix
index 410d7db..1262037 100644
--- a/machines/genepi/nginx.nix
+++ b/machines/genepi/nginx.nix
@@ -4,4 +4,10 @@
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
   };
+
+  networking.firewall.interfaces."zts7mq7onf".allowedTCPPorts = [ 443 ];
+  networking.firewall.interfaces."wireguard".allowedTCPPorts = [
+    80
+    443
+  ];
 }
diff --git a/machines/genepi/persistence.nix b/machines/genepi/persistence.nix
deleted file mode 100644
index bca3d3e..0000000
--- a/machines/genepi/persistence.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{ lib, ... }:
-{
-  environment.persistence."/persist" = {
-    enable = true;
-    directories = [
-      "/var/lib/nixos"
-      "/var/lib/acme"
-      "/var/lib/prometheus2"
-      "/var/lib/immich"
-      "/var/lib/redis-immich"
-      "/var/lib/postgresql"
-      "/var/lib/grafana"
-      "/var/lib/freshrss"
-      "/var/lib/tailscale"
-    ];
-    files = [
-      # so that systemd doesn't think each boot is the first
-      "/etc/machine-id"
-      # ssh host keys
-      "/etc/ssh/ssh_host_rsa_key"
-      "/etc/ssh/ssh_host_rsa_key.pub"
-      "/etc/ssh/ssh_host_ed25519_key"
-      "/etc/ssh/ssh_host_ed25519_key.pub"
-    ];
-    users.rpqt = {
-      directories = [ ];
-      files = [ ];
-      home = "/home/rpqt";
-    };
-  };
-
-  # Empty root and remove snapshots older than 30 days
-  # boot.initrd.postDeviceCommands = lib.mkAfter ''
-  #   mkdir /btrfs_tmp
-  #   mount /dev/disk/by-label/nixos /btrfs_tmp
-  #   if [[ -e /btrfs_tmp/root ]]; then
-  #       mkdir -p /btrfs_tmp/old_roots
-  #       timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
-  #       mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
-  #   fi
-
-  #   delete_subvolume_recursively() {
-  #       IFS=$'\n'
-  #       for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-  #           delete_subvolume_recursively "/btrfs_tmp/$i"
-  #       done
-  #       btrfs subvolume delete "$1"
-  #   }
-
-  #   for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
-  #       delete_subvolume_recursively "$i"
-  #   done
-
-  #   btrfs subvolume create /btrfs_tmp/root
-  #   umount /btrfs_tmp
-  #   rmdir /btrfs_tmp
-  # '';
-
-  # Give agenix persistent paths so it can load secrets before the mount
-  age.identityPaths = [
-    "/persist/etc/ssh/ssh_host_ed25519_key"
-    "/persist/etc/ssh/ssh_host_rsa_key"
-  ];
-}
diff --git a/machines/genepi/pinchflat.nix b/machines/genepi/pinchflat.nix
new file mode 100644
index 0000000..14fbca2
--- /dev/null
+++ b/machines/genepi/pinchflat.nix
@@ -0,0 +1,37 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  tld = "val";
+  domain = "pinchflat.${tld}";
+in
+{
+  services.pinchflat = {
+    enable = true;
+    secretsFile = config.clan.core.vars.generators.pinchflat.files.env.path;
+    mediaDir = "/home/rpqt/Music";
+  };
+
+  clan.core.vars.generators.pinchflat = {
+    files.env = { };
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    script = ''
+      echo "$SECRET_KEY_BASE=$(openssl rand -hex 64)" > "$out"/env
+    '';
+  };
+
+  clan.core.state.pinchflat.folders = [ "/var/lib/pinchflat" ];
+
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.pinchflat.port}";
+  };
+
+  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
+}
diff --git a/machines/genepi/syncthing.nix b/machines/genepi/syncthing.nix
index 3a0240f..fd3400e 100644
--- a/machines/genepi/syncthing.nix
+++ b/machines/genepi/syncthing.nix
@@ -1,57 +1,49 @@
 {
   config,
+  lib,
+  pkgs,
   ...
 }:
 let
   user = "rpqt";
   home = config.users.users.${user}.home;
+  tld = "val";
+  domain = "genepi.${tld}";
 in
 {
+
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/syncthing" = {
+      proxyPass = "http://${config.services.syncthing.guiAddress}";
+    };
+  };
+
+  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
+
   services.syncthing = {
     enable = true;
     user = user;
-    group = "users";
+    group = lib.mkForce "users";
     dataDir = home;
-    configDir = "${home}/.config/syncthing";
-    openDefaultPorts = true;
-    overrideDevices = true;
-    overrideFolders = true;
-    settings = {
-      devices = {
-        "haze" = {
-          id = "QUX6KGF-7KNFTGD-RAX5OWC-NFQGRNK-S2TC2DQ-DQRWDTK-KMBTQXT-EVNRDQG";
-        };
-        "pixel-7a" = {
-          id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
-        };
-      };
-      folders = {
-        "Documents" = {
-          path = "${home}/Documents";
-          devices = [
-            "haze"
-          ];
-        };
-        "Music" = {
-          path = "${home}/Media/Music";
-          devices = [
-            "haze"
-            "pixel-7a"
-          ];
-        };
-        "Pictures" = {
-          path = "${home}/Media/Pictures";
-          devices = [
-            "haze"
-          ];
-        };
-        "Videos" = {
-          path = "${home}/Media/Videos";
-          devices = [
-            "haze"
-          ];
-        };
-      };
+    configDir = lib.mkForce "${home}/.config/syncthing";
+    guiAddress = "0.0.0.0:8384";
+    guiPasswordFile = config.clan.core.vars.generators.syncthing-gui.files.password.path;
+  };
+
+  networking.firewall.interfaces.wireguard = {
+    allowedTCPPorts = [ 8384 ];
+  };
+
+  clan.core.vars.generators.syncthing-gui = {
+    files.password = {
+      secret = true;
+      owner = user;
     };
+    runtimeInputs = [ pkgs.xkcdpass ];
+    script = ''
+      xkcdpass -n 7 > $out/password
+    '';
   };
 }
diff --git a/machines/genepi/taskchampion.nix b/machines/genepi/taskchampion.nix
deleted file mode 100644
index b06dbc5..0000000
--- a/machines/genepi/taskchampion.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, lib, ... }:
-let
-  domain = "home.rpqt.fr";
-  subdomain = "tw.${domain}";
-  hasImpermanence = config.environment.persistence."/persist".enable;
-in
-{
-  services.taskchampion-sync-server.enable = true;
-
-  services.taskchampion-sync-server.dataDir =
-    (lib.optionalString hasImpermanence "/persist") + "/var/lib/taskchampion-sync-server";
-
-  services.nginx.virtualHosts.${subdomain} = {
-    forceSSL = true;
-    useACMEHost = "${domain}";
-    locations."/".proxyPass =
-      "http://127.0.0.1:${toString config.services.taskchampion-sync-server.port}";
-  };
-}
diff --git a/machines/haze/configuration.nix b/machines/haze/configuration.nix
index f66d604..c0e7a59 100644
--- a/machines/haze/configuration.nix
+++ b/machines/haze/configuration.nix
@@ -1,54 +1,61 @@
 {
-  inputs,
+  self,
+  pkgs,
   ...
 }:
 {
   imports = [
-    # inputs.disko.nixosModules.disko
-    inputs.agenix.nixosModules.default
     ./boot.nix
     ./chat.nix
-    ./firefox.nix
     ./gimp.nix
     ./gnome.nix
     ./hibernate.nix
     ./niri.nix
     ./ssh.nix
     ./steam.nix
-    ./thunderbird.nix
     ./network.nix
     ./syncthing.nix
-    ./video.nix
-    ../../system
 
-    inputs.clan-core.clanModules.state-version
+    self.nixosModules.desktop
+    self.nixosModules.dev
+    self.nixosModules.nix-defaults
 
-    inputs.home-manager.nixosModules.home-manager
+    self.inputs.home-manager.nixosModules.home-manager
     {
       home-manager.useGlobalPkgs = true;
       home-manager.useUserPackages = true;
       home-manager.users.rpqt = ./home.nix;
-      home-manager.extraSpecialArgs = { inherit inputs; };
+      home-manager.extraSpecialArgs = {
+        inherit (self) inputs;
+        inherit self;
+      };
     }
   ];
 
   networking.hostName = "haze";
   clan.core.networking.targetHost = "rpqt@haze.local";
 
-  specialisation = {
-    hyprland.configuration =
-      { ... }:
-      {
-        imports = [ ./hyprland.nix ];
-        disabledModules = [ ./niri.nix ];
-      };
-    sway.configuration =
-      { ... }:
-      {
-        imports = [ ./sway.nix ];
-        disabledModules = [ ./niri.nix ];
-      };
-  };
+  networking.search = [
+    "val"
+    "wireguard"
+  ];
+
+  time.timeZone = "Europe/Paris";
+
+  clan.core.deployment.requireExplicitUpdate = true;
+
+  clan.core.settings.state-version.enable = true;
+
+  environment.systemPackages = [
+    self.inputs.clan-core.packages.x86_64-linux.clan-app
+    pkgs.aseprite
+    pkgs.linux-wifi-hotspot
+    pkgs.anytype
+    pkgs.typst
+    pkgs.anki
+  ];
+
+  programs.kdeconnect.enable = true;
 
   # Remote builds
   nix = {
@@ -65,4 +72,18 @@
       builders-use-substitutes = true
     '';
   };
+
+  nixpkgs.config.allowUnfree = true;
+
+  i18n.supportedLocales = [
+    "en_US.UTF-8/UTF-8"
+    "fr_FR.UTF-8/UTF-8"
+  ];
+
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+
+  services.tailscale.useRoutingFeatures = "client";
 }
diff --git a/machines/haze/firefox.nix b/machines/haze/firefox.nix
deleted file mode 100644
index 32391e8..0000000
--- a/machines/haze/firefox.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
-  programs.firefox = {
-    enable = true;
-    nativeMessagingHosts.packages = [ pkgs.passff-host ];
-  };
-}
diff --git a/machines/haze/gnome.nix b/machines/haze/gnome.nix
index d8f1b7b..c11cd24 100644
--- a/machines/haze/gnome.nix
+++ b/machines/haze/gnome.nix
@@ -2,11 +2,12 @@
 {
   services.xserver = {
     enable = true;
-    displayManager.gdm.enable = true;
-    desktopManager.gnome.enable = true;
     xkb.layout = "fr";
   };
 
+  services.displayManager.gdm.enable = true;
+  services.desktopManager.gnome.enable = true;
+
   environment.gnome.excludePackages = (
     with pkgs;
     [
diff --git a/machines/haze/hardware-configuration.nix b/machines/haze/hardware-configuration.nix
index efeeffb..639e54b 100644
--- a/machines/haze/hardware-configuration.nix
+++ b/machines/haze/hardware-configuration.nix
@@ -4,7 +4,15 @@
 
   hardware.enableRedistributableFirmware = true;
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "thunderbolt"
+    "vmd"
+    "nvme"
+    "usb_storage"
+    "sd_mod"
+    "rtsx_usb_sdmmc"
+  ];
   boot.kernelModules = [ "kvm-intel" ];
 
   hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
diff --git a/machines/haze/home.nix b/machines/haze/home.nix
index 0814049..79bea2e 100644
--- a/machines/haze/home.nix
+++ b/machines/haze/home.nix
@@ -1,17 +1,15 @@
 {
   imports = [
-    ../../home/chat.nix
-    ../../home/cli.nix
-    ../../home/common.nix
-    ../../home/desktop
-    ../../home/dev.nix
-    ../../home/dotfiles.nix
-    ../../home/helix.nix
-    ../../home/mail
-    ../../home/minecraft.nix
-    ../../home/desktop
-    ../../home/desktop/gnome.nix
-    ../../home/desktop/niri.nix
-    ../../home/desktop/sway.nix
+    ../../home-manager/chat.nix
+    ../../home-manager/common.nix
+    ../../home-manager/desktop
+    ../../home-manager/dev.nix
+    ../../home-manager/helix.nix
+    ../../home-manager/mail
+    ../../home-manager/minecraft.nix
+    ../../home-manager/desktop
+    ../../home-manager/desktop/gnome.nix
+    ../../home-manager/desktop/niri.nix
+    ../../home-manager/desktop/vicinae.nix
   ];
 }
diff --git a/machines/haze/hyprland.nix b/machines/haze/hyprland.nix
deleted file mode 100644
index 98dfe35..0000000
--- a/machines/haze/hyprland.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  programs.hyprland.enable = true;
-}
diff --git a/machines/haze/network.nix b/machines/haze/network.nix
index d6d4675..81bb1a0 100644
--- a/machines/haze/network.nix
+++ b/machines/haze/network.nix
@@ -3,9 +3,11 @@
   networking.networkmanager = {
     enable = true;
     wifi.powersave = true;
+    plugins = [
+      pkgs.networkmanager-openconnect
+      pkgs.networkmanager-openvpn
+    ];
   };
 
   users.users."rpqt".extraGroups = [ "networkmanager" ];
-
-  environment.systemPackages = [ pkgs.networkmanager-openconnect ];
 }
diff --git a/machines/haze/niri.nix b/machines/haze/niri.nix
index 61e2cdb..e47300d 100644
--- a/machines/haze/niri.nix
+++ b/machines/haze/niri.nix
@@ -3,17 +3,14 @@
   programs.niri.enable = true;
 
   environment.systemPackages = with pkgs; [
-    brightnessctl
-    i3bar-river
-    mako
     pavucontrol
     playerctl
-    swaybg
-    swaylock
-    tofi
-    wl-gammarelay-rs
     xwayland-satellite
   ];
 
+  services.gnome.gnome-keyring.enable = true;
+
   environment.sessionVariables.NIXOS_OZONE_WL = "1";
+
+  programs.dms-shell.enable = true;
 }
diff --git a/machines/haze/secrets/secrets.nix b/machines/haze/secrets/secrets.nix
deleted file mode 100644
index 1f012b4..0000000
--- a/machines/haze/secrets/secrets.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-let
-  keys = import ../../../parts/keys.nix;
-in
-{
-  "syncthing-key.pem.age".publicKeys = [
-    keys.hosts.haze
-    keys.rpqt.haze
-  ];
-  "syncthing-cert.pem.age".publicKeys = [
-    keys.hosts.haze
-    keys.rpqt.haze
-  ];
-}
diff --git a/machines/haze/secrets/syncthing-cert.pem.age b/machines/haze/secrets/syncthing-cert.pem.age
deleted file mode 100644
index b5dabca..0000000
Binary files a/machines/haze/secrets/syncthing-cert.pem.age and /dev/null differ
diff --git a/machines/haze/secrets/syncthing-key.pem.age b/machines/haze/secrets/syncthing-key.pem.age
deleted file mode 100644
index c3349ea..0000000
--- a/machines/haze/secrets/syncthing-key.pem.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 P3fsag cm2nekzBIMCAb/yXzY4L6jIH/Sa+rSMznT88WJNkP30
-DMnRf0An69vywpHLD3RGHwE0dkaa6JIEahhQo14EEDc
---- f/kI+HBhWTQlXoWvCJaLJM70EsOkH4G8/5g9Eeu8uNc
-
-àT!Û÷�\Î’ù6˜
-·TÀƒrϵKr»9ÕÅw¹ÌžÀ8–æ¸ÇEƒ�¿´,ÜR.¢˜³’ÉiÒ ¹ßüý_'2Þ;iÒÅ„—8d¤ÏóÿÁ&DÝ«q¯²îxd
-µ3Ée„xnâg~’/)݇aƒÄWÔèžG~ºÒÈBNV·ˆi¨a�{ËæÝuÕÛ•ÜR=­ûMòO)$HS„Ýf¥f<ç›cóü?à
ï~*€Täà�)WtÊ�ñÅÀ&‚Ü8i˜óºz½è:5Ž¹[sc"ýÀì�& UýËÓ9ÂÓ'í§_»´{xkE½ïؼYÁ@åÑçƒÆÚf×Uä+†—B±u¨=ÿÌY4òe3âU
ÕÆQLSl5 U™qÚšþ!¨h�×W¼ã@}�OW¨ŠÃ
\ No newline at end of file
diff --git a/machines/haze/ssh.nix b/machines/haze/ssh.nix
index 054b746..2c63c08 100644
--- a/machines/haze/ssh.nix
+++ b/machines/haze/ssh.nix
@@ -1,3 +1,2 @@
 {
-  programs.ssh.startAgent = true;
 }
diff --git a/machines/haze/sway.nix b/machines/haze/sway.nix
deleted file mode 100644
index 9e6f1a8..0000000
--- a/machines/haze/sway.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{
-  services.gnome.gnome-keyring.enable = true;
-
-  programs.sway = {
-    enable = true;
-    wrapperFeatures.gtk = true;
-  };
-
-  users.users."rpqt".extraGroups = [ "video" ];
-  programs.light.enable = true;
-}
diff --git a/machines/haze/syncthing.nix b/machines/haze/syncthing.nix
index 00806c4..0a6cfde 100644
--- a/machines/haze/syncthing.nix
+++ b/machines/haze/syncthing.nix
@@ -1,5 +1,6 @@
 {
   config,
+  lib,
   ...
 }:
 let
@@ -7,57 +8,11 @@ let
   home = config.users.users.${user}.home;
 in
 {
-  # age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
-  # age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
-
   services.syncthing = {
-    enable = false;
+    enable = true;
     user = user;
-    group = "users";
+    group = lib.mkForce "users";
     dataDir = home;
-    configDir = "${home}/.config/syncthing";
-    key = config.age.secrets.syncthing-key.path;
-    cert = config.age.secrets.syncthing-cert.path;
-    openDefaultPorts = true;
-    overrideDevices = true;
-    overrideFolders = true;
-    settings = {
-      devices = {
-        "genepi" = {
-          id = "EA7DC7O-IHB47EQ-AWT2QBJ-AWPDF5S-W4EM66A-KQPCTHI-UX53WKM-QTSAHQ4";
-        };
-        "pixel-7a" = {
-          id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
-        };
-      };
-      folders = {
-        "Documents" = {
-          path = "${home}/Documents";
-          devices = [
-            "genepi"
-            "pixel-7a"
-          ];
-        };
-        "Music" = {
-          path = "${home}/Music";
-          devices = [
-            "genepi"
-            "pixel-7a"
-          ];
-        };
-        "Pictures" = {
-          path = "${home}/Pictures";
-          devices = [
-            "genepi"
-          ];
-        };
-        "Videos" = {
-          path = "${home}/Videos";
-          devices = [
-            "genepi"
-          ];
-        };
-      };
-    };
+    configDir = lib.mkForce "${home}/.config/syncthing";
   };
 }
diff --git a/machines/haze/thunderbird.nix b/machines/haze/thunderbird.nix
deleted file mode 100644
index c856732..0000000
--- a/machines/haze/thunderbird.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  programs.thunderbird.enable = true;
-}
diff --git a/machines/haze/video.nix b/machines/haze/video.nix
deleted file mode 100644
index fd045fb..0000000
--- a/machines/haze/video.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = with pkgs; [ mpv ];
-}
diff --git a/machines/verbena/configuration.nix b/machines/verbena/configuration.nix
new file mode 100644
index 0000000..990a3bd
--- /dev/null
+++ b/machines/verbena/configuration.nix
@@ -0,0 +1,63 @@
+{ self, lib, ... }:
+{
+  imports = [
+    self.nixosModules.nix-defaults
+    self.nixosModules.nextcloud
+    self.nixosModules.gitea
+    self.nixosModules.vaultwarden
+
+    self.inputs.srvos.nixosModules.server
+
+    {
+      # Add Pixel-7a as external device for clan wireguard network
+      networking.wireguard.interfaces.wireguard = {
+        ips = [ "100.42.42.1/32" ];
+        peers = [
+          {
+            publicKey = "BVgDQM18SfNofQsWs7m6fblaTB04Gk74VxR/zK8AKQ4=";
+            allowedIPs =
+              let
+                suffix = "cafe:cafe";
+              in
+              [ "fd28:387a:90:c400:${suffix}::/96" ];
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    }
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  networking.hostName = "verbena";
+
+  networking.useDHCP = lib.mkDefault true;
+
+  networking.defaultGateway6 = {
+    address = self.infra.machines.verbena.gateway6;
+    interface = "ens3";
+  };
+  networking.interfaces."ens3" = {
+    ipv6.addresses = [
+      {
+        address = self.infra.machines.verbena.ipv6;
+        prefixLength = 64;
+      }
+    ];
+  };
+
+  clan.core.settings.state-version.enable = true;
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  security.acme.acceptTerms = true;
+}
diff --git a/machines/verbena/disko.nix b/machines/verbena/disko.nix
new file mode 100644
index 0000000..0f74ef5
--- /dev/null
+++ b/machines/verbena/disko.nix
@@ -0,0 +1,50 @@
+# ---
+# schema = "single-disk"
+# [placeholders]
+# mainDisk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0" 
+# ---
+# This file was automatically generated!
+# CHANGING this configuration requires wiping and reinstalling the machine
+{
+
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.grub.enable = true;
+  disko.devices = {
+    disk = {
+      main = {
+        name = "main-75e31aae5e864fb39a0414ea1230ca81";
+        device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            "boot" = {
+              size = "1M";
+              type = "EF02"; # for grub MBR
+              priority = 1;
+            };
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/machines/verbena/facter.json b/machines/verbena/facter.json
new file mode 100644
index 0000000..164afc3
--- /dev/null
+++ b/machines/verbena/facter.json
@@ -0,0 +1,2227 @@
+{
+  "version": 1,
+  "system": "x86_64-linux",
+  "virtualisation": "kvm",
+  "hardware": {
+    "bios": {
+      "apm_info": {
+        "supported": false,
+        "enabled": false,
+        "version": 0,
+        "sub_version": 0,
+        "bios_flags": 0
+      },
+      "vbe_info": {
+        "version": 0,
+        "video_memory": 0
+      },
+      "pnp": true,
+      "pnp_id": 0,
+      "lba_support": false,
+      "low_memory_size": 654336,
+      "smbios_version": 520
+    },
+    "bridge": [
+      {
+        "index": 9,
+        "attached_to": 0,
+        "class_list": [
+          "pci",
+          "bridge"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 1
+        },
+        "base_class": {
+          "hex": "0006",
+          "name": "Bridge",
+          "value": 6
+        },
+        "sub_class": {
+          "hex": "0001",
+          "name": "ISA bridge",
+          "value": 1
+        },
+        "vendor": {
+          "hex": "8086",
+          "name": "Intel Corporation",
+          "value": 32902
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "7000",
+          "value": 28672
+        },
+        "sub_device": {
+          "hex": "1100",
+          "value": 4352
+        },
+        "model": "Intel ISA bridge",
+        "sysfs_id": "/devices/pci0000:00/0000:00:01.0",
+        "sysfs_bus_id": "0000:00:01.0",
+        "detail": {
+          "function": 0,
+          "command": 259,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 0,
+          "prog_if": 0
+        },
+        "module_alias": "pci:v00008086d00007000sv00001AF4sd00001100bc06sc01i00"
+      },
+      {
+        "index": 11,
+        "attached_to": 0,
+        "class_list": [
+          "pci",
+          "bridge"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 0
+        },
+        "base_class": {
+          "hex": "0006",
+          "name": "Bridge",
+          "value": 6
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "Host bridge",
+          "value": 0
+        },
+        "vendor": {
+          "hex": "8086",
+          "name": "Intel Corporation",
+          "value": 32902
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "1237",
+          "value": 4663
+        },
+        "sub_device": {
+          "hex": "1100",
+          "value": 4352
+        },
+        "revision": {
+          "hex": "0002",
+          "value": 2
+        },
+        "model": "Intel Host bridge",
+        "sysfs_id": "/devices/pci0000:00/0000:00:00.0",
+        "sysfs_bus_id": "0000:00:00.0",
+        "detail": {
+          "function": 0,
+          "command": 259,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 0,
+          "prog_if": 0
+        },
+        "module_alias": "pci:v00008086d00001237sv00001AF4sd00001100bc06sc00i00"
+      },
+      {
+        "index": 12,
+        "attached_to": 0,
+        "class_list": [
+          "pci",
+          "bridge"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 1
+        },
+        "base_class": {
+          "hex": "0006",
+          "name": "Bridge",
+          "value": 6
+        },
+        "sub_class": {
+          "hex": "0080",
+          "name": "Bridge",
+          "value": 128
+        },
+        "vendor": {
+          "hex": "8086",
+          "name": "Intel Corporation",
+          "value": 32902
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "7113",
+          "value": 28947
+        },
+        "sub_device": {
+          "hex": "1100",
+          "value": 4352
+        },
+        "revision": {
+          "hex": "0003",
+          "value": 3
+        },
+        "model": "Intel Bridge",
+        "sysfs_id": "/devices/pci0000:00/0000:00:01.3",
+        "sysfs_bus_id": "0000:00:01.3",
+        "resources": [
+          {
+            "type": "irq",
+            "base": 9,
+            "triggered": 0,
+            "enabled": true
+          }
+        ],
+        "detail": {
+          "function": 3,
+          "command": 259,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 9,
+          "prog_if": 0
+        },
+        "driver": "piix4_smbus",
+        "driver_module": "i2c_piix4",
+        "drivers": [
+          "piix4_smbus"
+        ],
+        "driver_modules": [
+          "i2c_piix4"
+        ],
+        "module_alias": "pci:v00008086d00007113sv00001AF4sd00001100bc06sc80i00"
+      }
+    ],
+    "cpu": [
+      {
+        "architecture": "x86_64",
+        "vendor_name": "GenuineIntel",
+        "family": 6,
+        "model": 60,
+        "stepping": 1,
+        "features": [
+          "fpu",
+          "vme",
+          "de",
+          "pse",
+          "tsc",
+          "msr",
+          "pae",
+          "mce",
+          "cx8",
+          "apic",
+          "sep",
+          "mtrr",
+          "pge",
+          "mca",
+          "cmov",
+          "pat",
+          "pse36",
+          "clflush",
+          "mmx",
+          "fxsr",
+          "sse",
+          "sse2",
+          "syscall",
+          "nx",
+          "rdtscp",
+          "lm",
+          "constant_tsc",
+          "rep_good",
+          "nopl",
+          "xtopology",
+          "cpuid",
+          "tsc_known_freq",
+          "pni",
+          "pclmulqdq",
+          "vmx",
+          "ssse3",
+          "fma",
+          "cx16",
+          "pcid",
+          "sse4_1",
+          "sse4_2",
+          "x2apic",
+          "movbe",
+          "popcnt",
+          "tsc_deadline_timer",
+          "aes",
+          "xsave",
+          "avx",
+          "f16c",
+          "rdrand",
+          "hypervisor",
+          "lahf_lm",
+          "abm",
+          "cpuid_fault",
+          "pti",
+          "tpr_shadow",
+          "flexpriority",
+          "ept",
+          "vpid",
+          "ept_ad",
+          "fsgsbase",
+          "bmi1",
+          "avx2",
+          "smep",
+          "bmi2",
+          "erms",
+          "invpcid",
+          "xsaveopt",
+          "arat",
+          "vnmi",
+          "md_clear"
+        ],
+        "bugs": [
+          "cpu_meltdown",
+          "spectre_v1",
+          "spectre_v2",
+          "spec_store_bypass",
+          "l1tf",
+          "mds",
+          "swapgs",
+          "itlb_multihit",
+          "srbds",
+          "mmio_unknown",
+          "bhi",
+          "its"
+        ],
+        "bogo": 5986.13,
+        "cache": 16384,
+        "physical_id": 0,
+        "siblings": 1,
+        "cores": 1,
+        "fpu": true,
+        "fpu_exception": true,
+        "cpuid_level": 13,
+        "write_protect": false,
+        "clflush_size": 64,
+        "cache_alignment": 64,
+        "address_sizes": {
+          "physical": "0x28",
+          "virtual": "0x30"
+        }
+      },
+      {
+        "architecture": "x86_64",
+        "vendor_name": "GenuineIntel",
+        "family": 6,
+        "model": 60,
+        "stepping": 1,
+        "features": [
+          "fpu",
+          "vme",
+          "de",
+          "pse",
+          "tsc",
+          "msr",
+          "pae",
+          "mce",
+          "cx8",
+          "apic",
+          "sep",
+          "mtrr",
+          "pge",
+          "mca",
+          "cmov",
+          "pat",
+          "pse36",
+          "clflush",
+          "mmx",
+          "fxsr",
+          "sse",
+          "sse2",
+          "syscall",
+          "nx",
+          "rdtscp",
+          "lm",
+          "constant_tsc",
+          "rep_good",
+          "nopl",
+          "xtopology",
+          "cpuid",
+          "tsc_known_freq",
+          "pni",
+          "pclmulqdq",
+          "vmx",
+          "ssse3",
+          "fma",
+          "cx16",
+          "pcid",
+          "sse4_1",
+          "sse4_2",
+          "x2apic",
+          "movbe",
+          "popcnt",
+          "tsc_deadline_timer",
+          "aes",
+          "xsave",
+          "avx",
+          "f16c",
+          "rdrand",
+          "hypervisor",
+          "lahf_lm",
+          "abm",
+          "cpuid_fault",
+          "pti",
+          "tpr_shadow",
+          "flexpriority",
+          "ept",
+          "vpid",
+          "ept_ad",
+          "fsgsbase",
+          "bmi1",
+          "avx2",
+          "smep",
+          "bmi2",
+          "erms",
+          "invpcid",
+          "xsaveopt",
+          "arat",
+          "vnmi",
+          "md_clear"
+        ],
+        "bugs": [
+          "cpu_meltdown",
+          "spectre_v1",
+          "spectre_v2",
+          "spec_store_bypass",
+          "l1tf",
+          "mds",
+          "swapgs",
+          "itlb_multihit",
+          "srbds",
+          "mmio_unknown",
+          "bhi",
+          "its"
+        ],
+        "bogo": 5986.13,
+        "cache": 16384,
+        "physical_id": 1,
+        "siblings": 1,
+        "cores": 1,
+        "fpu": true,
+        "fpu_exception": true,
+        "cpuid_level": 13,
+        "write_protect": false,
+        "clflush_size": 64,
+        "cache_alignment": 64,
+        "address_sizes": {
+          "physical": "0x28",
+          "virtual": "0x30"
+        }
+      },
+      {
+        "architecture": "x86_64",
+        "vendor_name": "GenuineIntel",
+        "family": 6,
+        "model": 60,
+        "stepping": 1,
+        "features": [
+          "fpu",
+          "vme",
+          "de",
+          "pse",
+          "tsc",
+          "msr",
+          "pae",
+          "mce",
+          "cx8",
+          "apic",
+          "sep",
+          "mtrr",
+          "pge",
+          "mca",
+          "cmov",
+          "pat",
+          "pse36",
+          "clflush",
+          "mmx",
+          "fxsr",
+          "sse",
+          "sse2",
+          "syscall",
+          "nx",
+          "rdtscp",
+          "lm",
+          "constant_tsc",
+          "rep_good",
+          "nopl",
+          "xtopology",
+          "cpuid",
+          "tsc_known_freq",
+          "pni",
+          "pclmulqdq",
+          "vmx",
+          "ssse3",
+          "fma",
+          "cx16",
+          "pcid",
+          "sse4_1",
+          "sse4_2",
+          "x2apic",
+          "movbe",
+          "popcnt",
+          "tsc_deadline_timer",
+          "aes",
+          "xsave",
+          "avx",
+          "f16c",
+          "rdrand",
+          "hypervisor",
+          "lahf_lm",
+          "abm",
+          "cpuid_fault",
+          "pti",
+          "tpr_shadow",
+          "flexpriority",
+          "ept",
+          "vpid",
+          "ept_ad",
+          "fsgsbase",
+          "bmi1",
+          "avx2",
+          "smep",
+          "bmi2",
+          "erms",
+          "invpcid",
+          "xsaveopt",
+          "arat",
+          "vnmi",
+          "md_clear"
+        ],
+        "bugs": [
+          "cpu_meltdown",
+          "spectre_v1",
+          "spectre_v2",
+          "spec_store_bypass",
+          "l1tf",
+          "mds",
+          "swapgs",
+          "itlb_multihit",
+          "srbds",
+          "mmio_unknown",
+          "bhi",
+          "its"
+        ],
+        "bogo": 5986.13,
+        "cache": 16384,
+        "physical_id": 2,
+        "siblings": 1,
+        "cores": 1,
+        "fpu": true,
+        "fpu_exception": true,
+        "cpuid_level": 13,
+        "write_protect": false,
+        "clflush_size": 64,
+        "cache_alignment": 64,
+        "address_sizes": {
+          "physical": "0x28",
+          "virtual": "0x30"
+        }
+      },
+      {
+        "architecture": "x86_64",
+        "vendor_name": "GenuineIntel",
+        "family": 6,
+        "model": 60,
+        "stepping": 1,
+        "features": [
+          "fpu",
+          "vme",
+          "de",
+          "pse",
+          "tsc",
+          "msr",
+          "pae",
+          "mce",
+          "cx8",
+          "apic",
+          "sep",
+          "mtrr",
+          "pge",
+          "mca",
+          "cmov",
+          "pat",
+          "pse36",
+          "clflush",
+          "mmx",
+          "fxsr",
+          "sse",
+          "sse2",
+          "syscall",
+          "nx",
+          "rdtscp",
+          "lm",
+          "constant_tsc",
+          "rep_good",
+          "nopl",
+          "xtopology",
+          "cpuid",
+          "tsc_known_freq",
+          "pni",
+          "pclmulqdq",
+          "vmx",
+          "ssse3",
+          "fma",
+          "cx16",
+          "pcid",
+          "sse4_1",
+          "sse4_2",
+          "x2apic",
+          "movbe",
+          "popcnt",
+          "tsc_deadline_timer",
+          "aes",
+          "xsave",
+          "avx",
+          "f16c",
+          "rdrand",
+          "hypervisor",
+          "lahf_lm",
+          "abm",
+          "cpuid_fault",
+          "pti",
+          "tpr_shadow",
+          "flexpriority",
+          "ept",
+          "vpid",
+          "ept_ad",
+          "fsgsbase",
+          "bmi1",
+          "avx2",
+          "smep",
+          "bmi2",
+          "erms",
+          "invpcid",
+          "xsaveopt",
+          "arat",
+          "vnmi",
+          "md_clear"
+        ],
+        "bugs": [
+          "cpu_meltdown",
+          "spectre_v1",
+          "spectre_v2",
+          "spec_store_bypass",
+          "l1tf",
+          "mds",
+          "swapgs",
+          "itlb_multihit",
+          "srbds",
+          "mmio_unknown",
+          "bhi",
+          "its"
+        ],
+        "bogo": 5986.13,
+        "cache": 16384,
+        "physical_id": 3,
+        "siblings": 1,
+        "cores": 1,
+        "fpu": true,
+        "fpu_exception": true,
+        "cpuid_level": 13,
+        "write_protect": false,
+        "clflush_size": 64,
+        "cache_alignment": 64,
+        "address_sizes": {
+          "physical": "0x28",
+          "virtual": "0x30"
+        }
+      }
+    ],
+    "disk": [
+      {
+        "index": 23,
+        "attached_to": 18,
+        "class_list": [
+          "disk",
+          "scsi",
+          "block_device"
+        ],
+        "bus_type": {
+          "hex": "0084",
+          "name": "SCSI",
+          "value": 132
+        },
+        "slot": {
+          "bus": 0,
+          "number": 0
+        },
+        "base_class": {
+          "hex": "0106",
+          "name": "Mass Storage Device",
+          "value": 262
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "Disk",
+          "value": 0
+        },
+        "vendor": {
+          "hex": "0000",
+          "name": "QEMU",
+          "value": 0
+        },
+        "device": {
+          "hex": "0000",
+          "name": "QEMU HARDDISK",
+          "value": 0
+        },
+        "revision": {
+          "hex": "0000",
+          "name": "2.5+",
+          "value": 0
+        },
+        "model": "QEMU HARDDISK",
+        "sysfs_id": "/class/block/sda",
+        "sysfs_bus_id": "0:0:0:0",
+        "sysfs_device_link": "/devices/pci0000:00/0000:00:04.0/virtio1/host0/target0:0:0/0:0:0:0",
+        "unix_device_name": "/dev/sda",
+        "unix_device_number": {
+          "type": 98,
+          "major": 8,
+          "minor": 0,
+          "range": 16
+        },
+        "unix_device_names": [
+          "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0",
+          "/dev/disk/by-path/pci-0000:00:04.0-scsi-0:0:0:0",
+          "/dev/sda"
+        ],
+        "unix_device_name2": "/dev/sg0",
+        "unix_device_number2": {
+          "type": 99,
+          "major": 21,
+          "minor": 0,
+          "range": 1
+        },
+        "rom_id": "0x80",
+        "resources": [
+          {
+            "type": "disk_geo",
+            "cylinders": 9790,
+            "heads": 255,
+            "sectors": 63,
+            "size": "0x0",
+            "geo_type": "logical"
+          },
+          {
+            "type": "size",
+            "unit": "sectors",
+            "value_1": 157286400,
+            "value_2": 512
+          }
+        ],
+        "driver": "virtio_scsi",
+        "driver_module": "virtio_scsi",
+        "drivers": [
+          "sd",
+          "virtio_scsi"
+        ],
+        "driver_modules": [
+          "sd_mod",
+          "virtio_scsi"
+        ]
+      }
+    ],
+    "graphics_card": [
+      {
+        "index": 16,
+        "attached_to": 0,
+        "class_list": [
+          "graphics_card",
+          "pci"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 2
+        },
+        "base_class": {
+          "hex": "0003",
+          "name": "Display controller",
+          "value": 3
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "VGA compatible controller",
+          "value": 0
+        },
+        "pci_interface": {
+          "hex": "0000",
+          "name": "VGA",
+          "value": 0
+        },
+        "vendor": {
+          "hex": "1013",
+          "name": "Cirrus Logic",
+          "value": 4115
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "00b8",
+          "name": "GD 5446",
+          "value": 184
+        },
+        "sub_device": {
+          "hex": "1100",
+          "value": 4352
+        },
+        "model": "Cirrus Logic GD 5446",
+        "sysfs_id": "/devices/pci0000:00/0000:00:02.0",
+        "sysfs_bus_id": "0000:00:02.0",
+        "resources": [
+          {
+            "type": "mem",
+            "base": 4227858432,
+            "range": 33554432,
+            "enabled": true,
+            "access": "read_only",
+            "prefetch": "no"
+          },
+          {
+            "type": "mem",
+            "base": 4273537024,
+            "range": 4096,
+            "enabled": true,
+            "access": "read_write",
+            "prefetch": "no"
+          },
+          {
+            "type": "mem",
+            "base": 786432,
+            "range": 131072,
+            "enabled": false,
+            "access": "read_write",
+            "prefetch": "no"
+          }
+        ],
+        "detail": {
+          "function": 0,
+          "command": 259,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 0,
+          "prog_if": 0
+        },
+        "driver": "cirrus-qemu",
+        "driver_module": "cirrus_qemu",
+        "drivers": [
+          "cirrus-qemu"
+        ],
+        "driver_modules": [
+          "cirrus_qemu"
+        ],
+        "driver_info": {
+          "type": "x11",
+          "db_entry_0": [
+            "4",
+            "cirrus"
+          ],
+          "server": "cirrus",
+          "xf86_version": "4",
+          "supports_3d": false,
+          "Colors": {
+            "all": 0,
+            "c8": 0,
+            "c15": 0,
+            "c16": 0,
+            "c24": 0,
+            "c32": 0
+          },
+          "dac_speed": 0,
+          "script": ""
+        },
+        "module_alias": "pci:v00001013d000000B8sv00001AF4sd00001100bc03sc00i00"
+      }
+    ],
+    "hub": [
+      {
+        "index": 24,
+        "attached_to": 8,
+        "class_list": [
+          "usb",
+          "hub"
+        ],
+        "bus_type": {
+          "hex": "0086",
+          "name": "USB",
+          "value": 134
+        },
+        "slot": {
+          "bus": 0,
+          "number": 0
+        },
+        "base_class": {
+          "hex": "010a",
+          "name": "Hub",
+          "value": 266
+        },
+        "vendor": {
+          "hex": "1d6b",
+          "name": "Linux 6.14.10 uhci_hcd",
+          "value": 7531
+        },
+        "device": {
+          "hex": "0001",
+          "name": "UHCI Host Controller",
+          "value": 1
+        },
+        "revision": {
+          "hex": "0000",
+          "name": "6.14",
+          "value": 0
+        },
+        "serial": "0000:00:01.2",
+        "model": "Linux 6.14.10 uhci_hcd UHCI Host Controller",
+        "sysfs_id": "/devices/pci0000:00/0000:00:01.2/usb1/1-0:1.0",
+        "sysfs_bus_id": "1-0:1.0",
+        "resources": [
+          {
+            "type": "baud",
+            "speed": 12000000,
+            "bits": 0,
+            "stop_bits": 0,
+            "parity": 0,
+            "handshake": 0
+          }
+        ],
+        "detail": {
+          "device_class": {
+            "hex": "0009",
+            "name": "hub",
+            "value": 9
+          },
+          "device_subclass": {
+            "hex": "0000",
+            "name": "per_interface",
+            "value": 0
+          },
+          "device_protocol": 0,
+          "interface_class": {
+            "hex": "0009",
+            "name": "hub",
+            "value": 9
+          },
+          "interface_subclass": {
+            "hex": "0000",
+            "name": "per_interface",
+            "value": 0
+          },
+          "interface_protocol": 0,
+          "interface_number": 0,
+          "interface_alternate_setting": 0
+        },
+        "hotplug": "usb",
+        "driver": "hub",
+        "driver_module": "usbcore",
+        "drivers": [
+          "hub"
+        ],
+        "driver_modules": [
+          "usbcore"
+        ],
+        "module_alias": "usb:v1D6Bp0001d0614dc09dsc00dp00ic09isc00ip00in00"
+      }
+    ],
+    "memory": [
+      {
+        "index": 7,
+        "attached_to": 0,
+        "class_list": [
+          "memory"
+        ],
+        "base_class": {
+          "hex": "0101",
+          "name": "Internally Used Class",
+          "value": 257
+        },
+        "sub_class": {
+          "hex": "0002",
+          "name": "Main Memory",
+          "value": 2
+        },
+        "model": "Main Memory",
+        "resources": [
+          {
+            "type": "mem",
+            "base": 0,
+            "range": 8130945024,
+            "enabled": true,
+            "access": "read_write",
+            "prefetch": "unknown"
+          },
+          {
+            "type": "phys_mem",
+            "range": 8053063680
+          }
+        ]
+      }
+    ],
+    "mouse": [
+      {
+        "index": 25,
+        "attached_to": 24,
+        "class_list": [
+          "mouse",
+          "usb"
+        ],
+        "bus_type": {
+          "hex": "0086",
+          "name": "USB",
+          "value": 134
+        },
+        "slot": {
+          "bus": 0,
+          "number": 0
+        },
+        "base_class": {
+          "hex": "0105",
+          "name": "Mouse",
+          "value": 261
+        },
+        "sub_class": {
+          "hex": "0003",
+          "name": "USB Mouse",
+          "value": 3
+        },
+        "vendor": {
+          "hex": "0627",
+          "name": "QEMU",
+          "value": 1575
+        },
+        "device": {
+          "hex": "0001",
+          "name": "QEMU USB Tablet",
+          "value": 1
+        },
+        "serial": "28754-0000:00:01.2-1",
+        "compat_vendor": "Unknown",
+        "compat_device": "Generic USB Mouse",
+        "model": "QEMU USB Tablet",
+        "sysfs_id": "/devices/pci0000:00/0000:00:01.2/usb1/1-1/1-1:1.0",
+        "sysfs_bus_id": "1-1:1.0",
+        "unix_device_name": "/dev/input/mice",
+        "unix_device_number": {
+          "type": 99,
+          "major": 13,
+          "minor": 63,
+          "range": 1
+        },
+        "unix_device_names": [
+          "/dev/input/mice"
+        ],
+        "unix_device_name2": "/dev/input/mouse0",
+        "unix_device_number2": {
+          "type": 99,
+          "major": 13,
+          "minor": 32,
+          "range": 1
+        },
+        "resources": [
+          {
+            "type": "baud",
+            "speed": 12000000,
+            "bits": 0,
+            "stop_bits": 0,
+            "parity": 0,
+            "handshake": 0
+          }
+        ],
+        "detail": {
+          "device_class": {
+            "hex": "0000",
+            "name": "per_interface",
+            "value": 0
+          },
+          "device_subclass": {
+            "hex": "0000",
+            "name": "per_interface",
+            "value": 0
+          },
+          "device_protocol": 0,
+          "interface_class": {
+            "hex": "0003",
+            "name": "hid",
+            "value": 3
+          },
+          "interface_subclass": {
+            "hex": "0000",
+            "name": "per_interface",
+            "value": 0
+          },
+          "interface_protocol": 0,
+          "interface_number": 0,
+          "interface_alternate_setting": 0
+        },
+        "hotplug": "usb",
+        "driver": "usbhid",
+        "driver_module": "usbhid",
+        "drivers": [
+          "usbhid"
+        ],
+        "driver_modules": [
+          "usbhid"
+        ],
+        "driver_info": {
+          "type": "mouse",
+          "db_entry_0": [
+            "explorerps/2",
+            "exps2"
+          ],
+          "xf86": "explorerps/2",
+          "gpm": "exps2",
+          "buttons": -1,
+          "wheels": -1
+        },
+        "module_alias": "usb:v0627p0001d0000dc00dsc00dp00ic03isc00ip00in00"
+      }
+    ],
+    "network_controller": [
+      {
+        "index": 20,
+        "attached_to": 13,
+        "class_list": [
+          "network_controller"
+        ],
+        "bus_type": {
+          "hex": "008f",
+          "name": "Virtio",
+          "value": 143
+        },
+        "slot": {
+          "bus": 0,
+          "number": 0
+        },
+        "base_class": {
+          "hex": "0002",
+          "name": "Network controller",
+          "value": 2
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "Ethernet controller",
+          "value": 0
+        },
+        "vendor": "Virtio",
+        "device": "Ethernet Card 0",
+        "model": "Virtio Ethernet Card 0",
+        "sysfs_id": "/devices/pci0000:00/0000:00:03.0/virtio0",
+        "sysfs_bus_id": "virtio0",
+        "unix_device_name": "ens3",
+        "unix_device_names": [
+          "ens3"
+        ],
+        "resources": [
+          {
+            "type": "hwaddr",
+            "address": 102
+          },
+          {
+            "type": "phwaddr",
+            "address": 102
+          }
+        ],
+        "driver": "virtio_net",
+        "driver_module": "virtio_net",
+        "drivers": [
+          "virtio_net"
+        ],
+        "driver_modules": [
+          "virtio_net"
+        ],
+        "module_alias": "virtio:d00000001v00001AF4"
+      }
+    ],
+    "network_interface": [
+      {
+        "index": 26,
+        "attached_to": 20,
+        "class_list": [
+          "network_interface"
+        ],
+        "base_class": {
+          "hex": "0107",
+          "name": "Network Interface",
+          "value": 263
+        },
+        "sub_class": {
+          "hex": "0001",
+          "name": "Ethernet",
+          "value": 1
+        },
+        "model": "Ethernet network interface",
+        "sysfs_id": "/class/net/ens3",
+        "sysfs_device_link": "/devices/pci0000:00/0000:00:03.0/virtio0",
+        "unix_device_name": "ens3",
+        "unix_device_names": [
+          "ens3"
+        ],
+        "resources": [
+          {
+            "type": "hwaddr",
+            "address": 102
+          },
+          {
+            "type": "phwaddr",
+            "address": 102
+          }
+        ],
+        "driver": "virtio_net",
+        "driver_module": "virtio_net",
+        "drivers": [
+          "virtio_net"
+        ],
+        "driver_modules": [
+          "virtio_net"
+        ]
+      },
+      {
+        "index": 27,
+        "attached_to": 0,
+        "class_list": [
+          "network_interface"
+        ],
+        "base_class": {
+          "hex": "0107",
+          "name": "Network Interface",
+          "value": 263
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "Loopback",
+          "value": 0
+        },
+        "model": "Loopback network interface",
+        "sysfs_id": "/class/net/lo",
+        "unix_device_name": "lo",
+        "unix_device_names": [
+          "lo"
+        ]
+      }
+    ],
+    "pci": [
+      {
+        "index": 13,
+        "attached_to": 0,
+        "class_list": [
+          "pci",
+          "unknown"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 3
+        },
+        "base_class": {
+          "hex": "0002",
+          "name": "Network controller",
+          "value": 2
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "Ethernet controller",
+          "value": 0
+        },
+        "vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "1000",
+          "value": 4096
+        },
+        "sub_device": {
+          "hex": "0001",
+          "value": 1
+        },
+        "model": "Ethernet controller",
+        "sysfs_id": "/devices/pci0000:00/0000:00:03.0",
+        "sysfs_bus_id": "0000:00:03.0",
+        "resources": [
+          {
+            "type": "io",
+            "base": 49152,
+            "range": 64,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "irq",
+            "base": 10,
+            "triggered": 0,
+            "enabled": true
+          },
+          {
+            "type": "mem",
+            "base": 4261412864,
+            "range": 16384,
+            "enabled": true,
+            "access": "read_only",
+            "prefetch": "no"
+          },
+          {
+            "type": "mem",
+            "base": 4272947200,
+            "range": 524288,
+            "enabled": false,
+            "access": "read_only",
+            "prefetch": "no"
+          },
+          {
+            "type": "mem",
+            "base": 4273541120,
+            "range": 4096,
+            "enabled": true,
+            "access": "read_write",
+            "prefetch": "no"
+          }
+        ],
+        "detail": {
+          "function": 0,
+          "command": 1287,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 10,
+          "prog_if": 0
+        },
+        "driver": "virtio-pci",
+        "driver_module": "virtio_pci",
+        "drivers": [
+          "virtio-pci"
+        ],
+        "driver_modules": [
+          "virtio_pci"
+        ],
+        "module_alias": "pci:v00001AF4d00001000sv00001AF4sd00000001bc02sc00i00"
+      },
+      {
+        "index": 15,
+        "attached_to": 0,
+        "class_list": [
+          "pci",
+          "unknown"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 6
+        },
+        "base_class": {
+          "hex": "0000",
+          "name": "Unclassified device",
+          "value": 0
+        },
+        "sub_class": {
+          "hex": "00ff",
+          "value": 255
+        },
+        "vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "1002",
+          "value": 4098
+        },
+        "sub_device": {
+          "hex": "0005",
+          "value": 5
+        },
+        "model": "Unclassified device",
+        "sysfs_id": "/devices/pci0000:00/0000:00:06.0",
+        "sysfs_bus_id": "0000:00:06.0",
+        "resources": [
+          {
+            "type": "io",
+            "base": 49344,
+            "range": 64,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "irq",
+            "base": 11,
+            "triggered": 0,
+            "enabled": true
+          },
+          {
+            "type": "mem",
+            "base": 4261462016,
+            "range": 16384,
+            "enabled": true,
+            "access": "read_only",
+            "prefetch": "no"
+          }
+        ],
+        "detail": {
+          "function": 0,
+          "command": 263,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 11,
+          "prog_if": 0
+        },
+        "driver": "virtio-pci",
+        "driver_module": "virtio_pci",
+        "drivers": [
+          "virtio-pci"
+        ],
+        "driver_modules": [
+          "virtio_pci"
+        ],
+        "module_alias": "pci:v00001AF4d00001002sv00001AF4sd00000005bc00scFFi00"
+      },
+      {
+        "index": 17,
+        "attached_to": 0,
+        "class_list": [
+          "pci",
+          "unknown"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 5
+        },
+        "base_class": {
+          "hex": "0007",
+          "name": "Communication controller",
+          "value": 7
+        },
+        "sub_class": {
+          "hex": "0080",
+          "name": "Communication controller",
+          "value": 128
+        },
+        "vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "1003",
+          "value": 4099
+        },
+        "sub_device": {
+          "hex": "0003",
+          "value": 3
+        },
+        "model": "Communication controller",
+        "sysfs_id": "/devices/pci0000:00/0000:00:05.0",
+        "sysfs_bus_id": "0000:00:05.0",
+        "resources": [
+          {
+            "type": "io",
+            "base": 49280,
+            "range": 64,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "irq",
+            "base": 10,
+            "triggered": 0,
+            "enabled": true
+          },
+          {
+            "type": "mem",
+            "base": 4261445632,
+            "range": 16384,
+            "enabled": true,
+            "access": "read_only",
+            "prefetch": "no"
+          },
+          {
+            "type": "mem",
+            "base": 4273549312,
+            "range": 4096,
+            "enabled": true,
+            "access": "read_write",
+            "prefetch": "no"
+          }
+        ],
+        "detail": {
+          "function": 0,
+          "command": 1287,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 10,
+          "prog_if": 0
+        },
+        "driver": "virtio-pci",
+        "driver_module": "virtio_pci",
+        "drivers": [
+          "virtio-pci"
+        ],
+        "driver_modules": [
+          "virtio_pci"
+        ],
+        "module_alias": "pci:v00001AF4d00001003sv00001AF4sd00000003bc07sc80i00"
+      }
+    ],
+    "storage_controller": [
+      {
+        "index": 10,
+        "attached_to": 0,
+        "class_list": [
+          "storage_controller",
+          "pci"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 4
+        },
+        "base_class": {
+          "hex": "0001",
+          "name": "Mass storage controller",
+          "value": 1
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "SCSI storage controller",
+          "value": 0
+        },
+        "vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "1004",
+          "value": 4100
+        },
+        "sub_device": {
+          "hex": "0008",
+          "value": 8
+        },
+        "model": "SCSI storage controller",
+        "sysfs_id": "/devices/pci0000:00/0000:00:04.0",
+        "sysfs_bus_id": "0000:00:04.0",
+        "resources": [
+          {
+            "type": "io",
+            "base": 49216,
+            "range": 64,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "irq",
+            "base": 11,
+            "triggered": 0,
+            "enabled": true
+          },
+          {
+            "type": "mem",
+            "base": 4261429248,
+            "range": 16384,
+            "enabled": true,
+            "access": "read_only",
+            "prefetch": "no"
+          },
+          {
+            "type": "mem",
+            "base": 4273545216,
+            "range": 4096,
+            "enabled": true,
+            "access": "read_write",
+            "prefetch": "no"
+          }
+        ],
+        "detail": {
+          "function": 0,
+          "command": 1287,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 11,
+          "prog_if": 0
+        },
+        "driver": "virtio-pci",
+        "driver_module": "virtio_pci",
+        "drivers": [
+          "virtio-pci"
+        ],
+        "driver_modules": [
+          "virtio_pci"
+        ],
+        "module_alias": "pci:v00001AF4d00001004sv00001AF4sd00000008bc01sc00i00"
+      },
+      {
+        "index": 14,
+        "attached_to": 0,
+        "class_list": [
+          "storage_controller",
+          "pci"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 1
+        },
+        "base_class": {
+          "hex": "0001",
+          "name": "Mass storage controller",
+          "value": 1
+        },
+        "sub_class": {
+          "hex": "0001",
+          "name": "IDE interface",
+          "value": 1
+        },
+        "pci_interface": {
+          "hex": "0080",
+          "value": 128
+        },
+        "vendor": {
+          "hex": "8086",
+          "name": "Intel Corporation",
+          "value": 32902
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "7010",
+          "value": 28688
+        },
+        "sub_device": {
+          "hex": "1100",
+          "value": 4352
+        },
+        "model": "Intel IDE interface",
+        "sysfs_id": "/devices/pci0000:00/0000:00:01.1",
+        "sysfs_bus_id": "0000:00:01.1",
+        "resources": [
+          {
+            "type": "io",
+            "base": 1014,
+            "range": 1,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "io",
+            "base": 368,
+            "range": 8,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "io",
+            "base": 49440,
+            "range": 16,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "io",
+            "base": 496,
+            "range": 8,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "io",
+            "base": 886,
+            "range": 1,
+            "enabled": true,
+            "access": "read_write"
+          }
+        ],
+        "detail": {
+          "function": 1,
+          "command": 263,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 0,
+          "prog_if": 128
+        },
+        "driver": "ata_piix",
+        "driver_module": "ata_piix",
+        "drivers": [
+          "ata_piix"
+        ],
+        "driver_modules": [
+          "ata_piix"
+        ],
+        "module_alias": "pci:v00008086d00007010sv00001AF4sd00001100bc01sc01i80"
+      }
+    ],
+    "system": {
+      "form_factor": "desktop"
+    },
+    "unknown": [
+      {
+        "index": 18,
+        "attached_to": 10,
+        "class_list": [
+          "unknown"
+        ],
+        "base_class": {
+          "hex": "0000",
+          "name": "Unclassified device",
+          "value": 0
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "Unclassified device",
+          "value": 0
+        },
+        "vendor": "Virtio",
+        "device": "",
+        "model": "Virtio Unclassified device",
+        "sysfs_id": "/devices/pci0000:00/0000:00:04.0/virtio1",
+        "sysfs_bus_id": "virtio1",
+        "driver": "virtio_scsi",
+        "driver_module": "virtio_scsi",
+        "drivers": [
+          "virtio_scsi"
+        ],
+        "driver_modules": [
+          "virtio_scsi"
+        ],
+        "module_alias": "virtio:d00000008v00001AF4"
+      },
+      {
+        "index": 19,
+        "attached_to": 17,
+        "class_list": [
+          "unknown"
+        ],
+        "base_class": {
+          "hex": "0000",
+          "name": "Unclassified device",
+          "value": 0
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "Unclassified device",
+          "value": 0
+        },
+        "vendor": "Virtio",
+        "device": "",
+        "model": "Virtio Unclassified device",
+        "sysfs_id": "/devices/pci0000:00/0000:00:05.0/virtio2",
+        "sysfs_bus_id": "virtio2",
+        "driver": "virtio_console",
+        "driver_module": "virtio_console",
+        "drivers": [
+          "virtio_console"
+        ],
+        "driver_modules": [
+          "virtio_console"
+        ],
+        "module_alias": "virtio:d00000003v00001AF4"
+      },
+      {
+        "index": 21,
+        "attached_to": 15,
+        "class_list": [
+          "unknown"
+        ],
+        "base_class": {
+          "hex": "0000",
+          "name": "Unclassified device",
+          "value": 0
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "Unclassified device",
+          "value": 0
+        },
+        "vendor": "Virtio",
+        "device": "",
+        "model": "Virtio Unclassified device",
+        "sysfs_id": "/devices/pci0000:00/0000:00:06.0/virtio3",
+        "sysfs_bus_id": "virtio3",
+        "driver": "virtio_balloon",
+        "driver_module": "virtio_balloon",
+        "drivers": [
+          "virtio_balloon"
+        ],
+        "driver_modules": [
+          "virtio_balloon"
+        ],
+        "module_alias": "virtio:d00000005v00001AF4"
+      },
+      {
+        "index": 22,
+        "attached_to": 0,
+        "class_list": [
+          "unknown"
+        ],
+        "base_class": {
+          "hex": "0007",
+          "name": "Communication controller",
+          "value": 7
+        },
+        "sub_class": {
+          "hex": "0000",
+          "name": "Serial controller",
+          "value": 0
+        },
+        "pci_interface": {
+          "hex": "0002",
+          "name": "16550",
+          "value": 2
+        },
+        "device": {
+          "hex": "0000",
+          "name": "16550A",
+          "value": 0
+        },
+        "model": "16550A",
+        "unix_device_name": "/dev/ttyS0",
+        "unix_device_names": [
+          "/dev/ttyS0"
+        ],
+        "resources": [
+          {
+            "type": "io",
+            "base": 1016,
+            "range": 0,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "irq",
+            "base": 4,
+            "triggered": 0,
+            "enabled": true
+          }
+        ]
+      }
+    ],
+    "usb_controller": [
+      {
+        "index": 8,
+        "attached_to": 0,
+        "class_list": [
+          "usb_controller",
+          "pci"
+        ],
+        "bus_type": {
+          "hex": "0004",
+          "name": "PCI",
+          "value": 4
+        },
+        "slot": {
+          "bus": 0,
+          "number": 1
+        },
+        "base_class": {
+          "hex": "000c",
+          "name": "Serial bus controller",
+          "value": 12
+        },
+        "sub_class": {
+          "hex": "0003",
+          "name": "USB Controller",
+          "value": 3
+        },
+        "pci_interface": {
+          "hex": "0000",
+          "name": "UHCI",
+          "value": 0
+        },
+        "vendor": {
+          "hex": "8086",
+          "name": "Intel Corporation",
+          "value": 32902
+        },
+        "sub_vendor": {
+          "hex": "1af4",
+          "value": 6900
+        },
+        "device": {
+          "hex": "7020",
+          "value": 28704
+        },
+        "sub_device": {
+          "hex": "1100",
+          "value": 4352
+        },
+        "revision": {
+          "hex": "0001",
+          "value": 1
+        },
+        "model": "Intel USB Controller",
+        "sysfs_id": "/devices/pci0000:00/0000:00:01.2",
+        "sysfs_bus_id": "0000:00:01.2",
+        "resources": [
+          {
+            "type": "io",
+            "base": 49408,
+            "range": 32,
+            "enabled": true,
+            "access": "read_write"
+          },
+          {
+            "type": "irq",
+            "base": 11,
+            "triggered": 0,
+            "enabled": true
+          }
+        ],
+        "detail": {
+          "function": 2,
+          "command": 263,
+          "header_type": 0,
+          "secondary_bus": 0,
+          "irq": 11,
+          "prog_if": 0
+        },
+        "driver": "uhci_hcd",
+        "driver_module": "uhci_hcd",
+        "drivers": [
+          "uhci_hcd"
+        ],
+        "driver_modules": [
+          "uhci_hcd"
+        ],
+        "driver_info": {
+          "type": "module",
+          "db_entry_0": [
+            "uhci-hcd"
+          ],
+          "active": true,
+          "modprobe": true,
+          "names": [
+            "uhci-hcd"
+          ],
+          "module_args": [
+            ""
+          ],
+          "conf": ""
+        },
+        "module_alias": "pci:v00008086d00007020sv00001AF4sd00001100bc0Csc03i00"
+      }
+    ]
+  },
+  "smbios": {
+    "bios": {
+      "handle": 0,
+      "vendor": "SeaBIOS",
+      "version": "1.16.3-debian-1.16.3-2~bpo12+1",
+      "date": "04/01/2014",
+      "features": null,
+      "start_address": "0xe8000",
+      "rom_size": 65536
+    },
+    "chassis": [
+      {
+        "handle": 768,
+        "manufacturer": "QEMU",
+        "version": "pc-i440fx-9.2",
+        "chassis_type": {
+          "hex": "0001",
+          "name": "Other",
+          "value": 1
+        },
+        "lock_present": false,
+        "bootup_state": {
+          "hex": "0003",
+          "name": "Safe",
+          "value": 3
+        },
+        "power_state": {
+          "hex": "0003",
+          "name": "Safe",
+          "value": 3
+        },
+        "thermal_state": {
+          "hex": "0003",
+          "name": "Safe",
+          "value": 3
+        },
+        "security_state": {
+          "hex": "0002",
+          "name": "Unknown",
+          "value": 2
+        },
+        "oem": "0x0"
+      }
+    ],
+    "memory_array": [
+      {
+        "handle": 4096,
+        "location": {
+          "hex": "0001",
+          "name": "Other",
+          "value": 1
+        },
+        "usage": {
+          "hex": "0003",
+          "name": "System memory",
+          "value": 3
+        },
+        "ecc": {
+          "hex": "0006",
+          "name": "Multi-bit",
+          "value": 6
+        },
+        "max_size": "0x7d0000",
+        "error_handle": 65534,
+        "slots": 1
+      }
+    ],
+    "memory_array_mapped_address": [
+      {
+        "handle": 4864,
+        "array_handle": 4096,
+        "start_address": "0x0",
+        "end_address": "0xc0000000",
+        "part_width": 1
+      },
+      {
+        "handle": 4865,
+        "array_handle": 4096,
+        "start_address": "0x100000000",
+        "end_address": "0x234000000",
+        "part_width": 1
+      }
+    ],
+    "memory_device": [
+      {
+        "handle": 4352,
+        "location": "DIMM 0",
+        "bank_location": "",
+        "manufacturer": "QEMU",
+        "part_number": "",
+        "array_handle": 4096,
+        "error_handle": 65534,
+        "width": 0,
+        "ecc_bits": 0,
+        "size": 8192000,
+        "form_factor": {
+          "hex": "0009",
+          "name": "DIMM",
+          "value": 9
+        },
+        "set": 0,
+        "memory_type": {
+          "hex": "0007",
+          "name": "RAM",
+          "value": 7
+        },
+        "memory_type_details": [
+          "Other"
+        ],
+        "speed": 0
+      }
+    ],
+    "processor": [
+      {
+        "handle": 1024,
+        "socket": "CPU 0",
+        "socket_type": {
+          "hex": "0001",
+          "name": "Other",
+          "value": 1
+        },
+        "socket_populated": true,
+        "manufacturer": "QEMU",
+        "version": "pc-i440fx-9.2",
+        "part": "",
+        "processor_type": {
+          "hex": "0003",
+          "name": "CPU",
+          "value": 3
+        },
+        "processor_family": {
+          "hex": "00fe",
+          "name": "Other",
+          "value": 254
+        },
+        "processor_status": {
+          "hex": "0001",
+          "name": "Enabled",
+          "value": 1
+        },
+        "clock_ext": 0,
+        "clock_max": 2000,
+        "cache_handle_l1": 0,
+        "cache_handle_l2": 0,
+        "cache_handle_l3": 0
+      },
+      {
+        "handle": 1025,
+        "socket": "CPU 1",
+        "socket_type": {
+          "hex": "0001",
+          "name": "Other",
+          "value": 1
+        },
+        "socket_populated": true,
+        "manufacturer": "QEMU",
+        "version": "pc-i440fx-9.2",
+        "part": "",
+        "processor_type": {
+          "hex": "0003",
+          "name": "CPU",
+          "value": 3
+        },
+        "processor_family": {
+          "hex": "00fe",
+          "name": "Other",
+          "value": 254
+        },
+        "processor_status": {
+          "hex": "0001",
+          "name": "Enabled",
+          "value": 1
+        },
+        "clock_ext": 0,
+        "clock_max": 2000,
+        "cache_handle_l1": 0,
+        "cache_handle_l2": 0,
+        "cache_handle_l3": 0
+      },
+      {
+        "handle": 1026,
+        "socket": "CPU 2",
+        "socket_type": {
+          "hex": "0001",
+          "name": "Other",
+          "value": 1
+        },
+        "socket_populated": true,
+        "manufacturer": "QEMU",
+        "version": "pc-i440fx-9.2",
+        "part": "",
+        "processor_type": {
+          "hex": "0003",
+          "name": "CPU",
+          "value": 3
+        },
+        "processor_family": {
+          "hex": "00fe",
+          "name": "Other",
+          "value": 254
+        },
+        "processor_status": {
+          "hex": "0001",
+          "name": "Enabled",
+          "value": 1
+        },
+        "clock_ext": 0,
+        "clock_max": 2000,
+        "cache_handle_l1": 0,
+        "cache_handle_l2": 0,
+        "cache_handle_l3": 0
+      },
+      {
+        "handle": 1027,
+        "socket": "CPU 3",
+        "socket_type": {
+          "hex": "0001",
+          "name": "Other",
+          "value": 1
+        },
+        "socket_populated": true,
+        "manufacturer": "QEMU",
+        "version": "pc-i440fx-9.2",
+        "part": "",
+        "processor_type": {
+          "hex": "0003",
+          "name": "CPU",
+          "value": 3
+        },
+        "processor_family": {
+          "hex": "00fe",
+          "name": "Other",
+          "value": 254
+        },
+        "processor_status": {
+          "hex": "0001",
+          "name": "Enabled",
+          "value": 1
+        },
+        "clock_ext": 0,
+        "clock_max": 2000,
+        "cache_handle_l1": 0,
+        "cache_handle_l2": 0,
+        "cache_handle_l3": 0
+      }
+    ],
+    "system": {
+      "handle": 256,
+      "manufacturer": "OpenStack Foundation",
+      "product": "OpenStack Nova",
+      "version": "19.3.2",
+      "wake_up": {
+        "hex": "0006",
+        "name": "Power Switch",
+        "value": 6
+      }
+    }
+  }
+}
diff --git a/modules/acme-home.nix b/modules/acme-home.nix
new file mode 100644
index 0000000..77de9c9
--- /dev/null
+++ b/modules/acme-home.nix
@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = lib.mkDefault "admin@rpqt.fr";
+  };
+
+  # security.acme = {
+  #   certs."home.rpqt.fr" = {
+  #     group = config.services.nginx.group;
+  #     domain = "home.rpqt.fr";
+  #     extraDomainNames = [ "*.home.rpqt.fr" ];
+  #     dnsProvider = "rfc2136";
+  #     dnsPropagationCheck = true;
+  #     credentialFiles = {
+  #       RFC2136_TSIG_SECRET_FILE = config.clan.core.vars.generators.coredns.files.tsig-key.path;
+  #     };
+  #     environmentFile = pkgs.writeFile ''
+  #       RFC2136_NAMESERVER=fd28:387a:90:c400::1
+  #     '';
+  #     email = "admin@rpqt.fr";
+  #     dnsResolver = "1.1.1.1:53";
+  #     server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # TODO: use production api
+  # };
+  # };
+
+  # clan.core.vars.generators.coredns.files.tsig-key.group = "acme";
+  # clan.core.vars.generators.coredns.files.tsig-key.mode = "0440";
+}
diff --git a/modules/borgbackup.nix b/modules/borgbackup.nix
index 63b59a7..172e76e 100644
--- a/modules/borgbackup.nix
+++ b/modules/borgbackup.nix
@@ -1,4 +1,4 @@
-{ config, inputs, ... }:
+{ config, self, ... }:
 let
   user = "u422292";
   sub-user = "${user}";
@@ -7,7 +7,7 @@ in
 {
   imports = [
     ./storagebox.nix
-    inputs.clan-core.clanModules.borgbackup
+    self.inputs.clan-core.clanModules.borgbackup
   ];
 
   clan.borgbackup.destinations."storagebox-${config.networking.hostName}" = {
diff --git a/modules/desktop.nix b/modules/desktop.nix
new file mode 100644
index 0000000..294ef56
--- /dev/null
+++ b/modules/desktop.nix
@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = [
+    pkgs.mpv # video player
+    pkgs.amberol # music player
+    pkgs.alacritty
+    pkgs.ghostty
+    pkgs.libreoffice
+    pkgs.nautilus
+  ];
+
+  programs.firefox = {
+    enable = true;
+    nativeMessagingHosts.packages = [ pkgs.passff-host ];
+  };
+
+  programs.thunderbird.enable = true;
+
+  programs.nautilus-open-any-terminal = {
+    enable = true;
+    terminal = "ghostty";
+  };
+
+  services.pcscd.enable = true;
+}
diff --git a/modules/dev.nix b/modules/dev.nix
new file mode 100644
index 0000000..294bdfa
--- /dev/null
+++ b/modules/dev.nix
@@ -0,0 +1,6 @@
+{
+  clan.core.vars.generators.atuin = {
+    prompts.key.persist = true;
+    files.key.owner = "rpqt";
+  };
+}
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
new file mode 100644
index 0000000..fba0311
--- /dev/null
+++ b/modules/flake-module.nix
@@ -0,0 +1,28 @@
+{ lib, ... }:
+{
+  flake.nixosModules =
+    (
+      (builtins.readDir ./.)
+      |> lib.filterAttrs (path: type: type == "regular" && (lib.hasSuffix ".nix" path))
+      |> lib.mapAttrs' (
+        path: _: {
+          name = lib.removeSuffix ".nix" path;
+          value = {
+            imports = [ ./${path} ];
+          };
+        }
+      )
+    )
+    // {
+      server.imports = [
+        ./motd.nix
+      ];
+
+      common.imports = [
+        {
+          users.mutableUsers = lib.mkDefault false;
+          services.userborn.enable = lib.mkDefault true;
+        }
+      ];
+    };
+}
diff --git a/modules/garage.nix b/modules/garage.nix
new file mode 100644
index 0000000..3740110
--- /dev/null
+++ b/modules/garage.nix
@@ -0,0 +1,60 @@
+{
+  config,
+  lib,
+  pkgs,
+  self,
+  ...
+}:
+let
+  zerotier_interface = "zts7mq7onf";
+  zerotier_ip =
+    self.nixosConfigurations.${config.networking.hostName}.config.clan.core.vars.generators.zerotier.files.zerotier-ip.value;
+  s3_port = 3900;
+  rpc_port = 3901;
+  web_port = 3902;
+  admin_port = 3903;
+in
+{
+  services.garage = {
+    package = pkgs.garage;
+    settings = {
+      metadata_dir = "/var/lib/garage/meta";
+      data_dir = lib.mkDefault "/var/lib/garage/data";
+      db_engine = "sqlite";
+
+      replication_factor = 3;
+
+      rpc_bind_addr = "[::]:${toString rpc_port}";
+      rpc_public_addr = "[::]:${toString rpc_port}";
+
+      s3_api = {
+        api_bind_addr = "[::]:${toString s3_port}";
+        s3_region = "garage";
+        root_domain = ".s3.garage.home.rpqt.fr";
+      };
+
+      s3_web = {
+        bind_addr = "127.0.0.1:${toString web_port}";
+        root_domain = ".web.garage.home.rpqt.fr";
+      };
+
+      admin = {
+        api_bind_addr = "[::]:${toString admin_port}";
+        # TODO: use metrics_token
+      };
+    };
+  };
+
+  networking.firewall.interfaces =
+    let
+      allowedTCPPorts = [
+        s3_port
+        rpc_port
+        admin_port
+      ];
+    in
+    {
+      ${zerotier_interface} = { inherit allowedTCPPorts; };
+      wireguard = { inherit allowedTCPPorts; };
+    };
+}
diff --git a/modules/gitea.nix b/modules/gitea.nix
new file mode 100644
index 0000000..034801e
--- /dev/null
+++ b/modules/gitea.nix
@@ -0,0 +1,71 @@
+{ config, ... }:
+{
+  services.gitea = {
+    enable = true;
+    lfs.enable = true;
+
+    settings = {
+      # storage = {
+      # };
+
+      server = {
+        ROOT_URL = "https://git.turifer.dev";
+        DOMAIN = "git.turifer.dev";
+      };
+
+      session.PROVIDER = "db";
+      session.COOKIE_SECURE = true;
+
+      service.DISABLE_REGISTRATION = true;
+
+      # Create a repository by pushing to it
+      repository.ENABLE_PUSH_CREATE_USER = true;
+    };
+  };
+
+  systemd.services.gitea.environment = {
+    GITEA__storage__STORAGE_TYPE = "minio";
+    GITEA__storage__MINIO_ENDPOINT = "localhost:3900";
+    GITEA__storage__MINIO_BUCKET = "gitea";
+    GITEA__storage__MINIO_LOCATION = "garage";
+    GITEA__storage__MINIO_USE_SSL = "false";
+  };
+
+  systemd.services.gitea.serviceConfig = {
+    LoadCredential = [
+      "minio_access_key_id:${config.clan.core.vars.generators.gitea-s3-storage.files.access-key-id.path}"
+      "minio_secret_access_key:${config.clan.core.vars.generators.gitea-s3-storage.files.access-key-secret.path}"
+    ];
+    Environment = [
+      "GITEA__storage__MINIO_ACCESS_KEY_ID=%d/minio_access_key_id"
+      "GITEA__storage__MINIO_SECRET_ACCESS_KEY=%d/minio_secret_access_key"
+    ];
+  };
+
+  clan.core.vars.generators.gitea-s3-storage = {
+    prompts.access-key-id = {
+      description = "s3 access key id";
+      type = "line";
+      persist = true;
+    };
+    prompts.access-key-secret = {
+      description = "s3 access key secret";
+      type = "hidden";
+      persist = true;
+    };
+  };
+
+  clan.core.state.gitea.folders = [ config.services.gitea.stateDir ];
+
+  services.nginx.virtualHosts."git.turifer.dev" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString (config.services.gitea.settings.server.HTTP_PORT)}";
+    };
+  };
+
+  security.acme.certs."git.turifer.dev" = {
+    email = "admin@turifer.dev";
+  };
+}
diff --git a/system/core/ssh-server.nix b/modules/hardened-ssh-server.nix
similarity index 100%
rename from system/core/ssh-server.nix
rename to modules/hardened-ssh-server.nix
diff --git a/modules/lounge.nix b/modules/lounge.nix
new file mode 100644
index 0000000..dd23b1c
--- /dev/null
+++ b/modules/lounge.nix
@@ -0,0 +1,13 @@
+let
+  tld = "val";
+  domain = "lounge.${tld}";
+in
+{
+  services.nginx.virtualHosts.${domain} = {
+    enableACME = true;
+    forceSSL = true;
+    root = "/var/www/lounge";
+  };
+
+  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
+}
diff --git a/modules/motd.nix b/modules/motd.nix
new file mode 100644
index 0000000..1547318
--- /dev/null
+++ b/modules/motd.nix
@@ -0,0 +1,6 @@
+{ config, ... }:
+{
+  users.motd = ''
+    Welcome to ${config.networking.hostName}!
+  '';
+}
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
new file mode 100644
index 0000000..745cd30
--- /dev/null
+++ b/modules/nextcloud.nix
@@ -0,0 +1,84 @@
+{ config, pkgs, ... }:
+let
+  fqdn = "cloud.rpqt.fr";
+in
+{
+  imports = [
+    ./acme-home.nix
+  ];
+
+  services.nextcloud = {
+    enable = true;
+    hostName = fqdn;
+    https = true;
+    package = pkgs.nextcloud32;
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      # admin user is only for the initial setup
+      adminuser = "root";
+      adminpassFile = config.clan.core.vars.generators.nextcloud.files.admin-password.path;
+      objectstore.s3 = {
+        enable = true;
+        bucket = "nextcloud";
+        key = config.clan.core.vars.generators.nextcloud-s3-storage.files.access-key-id.value;
+        secretFile = config.clan.core.vars.generators.nextcloud-s3-storage.files.access-key-secret.path;
+        hostname = "[${config.clan.core.vars.generators.zerotier.files.zerotier-ip.value}]";
+        port = 3900;
+        useSsl = false;
+        region = "garage";
+        usePathStyle = true;
+      };
+    };
+    extraAppsEnable = true;
+    extraApps = {
+      # inherit (pkgs.nextcloud32Packages.apps) tasks;
+    };
+  };
+
+  clan.core.postgresql = {
+    enable = true;
+    databases = {
+      nextcloud = {
+        create.enable = true;
+        restore.stopOnRestore = [ "nextcloud" ];
+      };
+    };
+  };
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+    forceSSL = true;
+    enableACME = true;
+  };
+
+  clan.core.vars.generators.nextcloud = {
+    prompts.admin-password = {
+      description = "nextcloud admin password";
+      type = "hidden";
+      persist = true;
+    };
+    files.admin-password.owner = "nextcloud";
+  };
+
+  clan.core.vars.generators.nextcloud-s3-storage = {
+    prompts.access-key-id = {
+      description = "s3 access key id";
+      type = "line";
+      persist = true;
+    };
+    prompts.access-key-secret = {
+      description = "s3 access key secret";
+      type = "hidden";
+      persist = true;
+    };
+    files.access-key-id.secret = false;
+    files.access-key-secret.owner = "nextcloud";
+  };
+}
diff --git a/system/nix/default.nix b/modules/nix-defaults.nix
similarity index 53%
rename from system/nix/default.nix
rename to modules/nix-defaults.nix
index 10d84fc..ac488ef 100644
--- a/system/nix/default.nix
+++ b/modules/nix-defaults.nix
@@ -1,18 +1,20 @@
 { pkgs, ... }:
 {
-  imports = [
-    ./nixpkgs.nix
-    ./substituters.nix
-  ];
-
   # for flakes
   environment.systemPackages = [ pkgs.git ];
 
   nix.settings = {
     auto-optimise-store = true;
     builders-use-substitutes = true;
-    experimental-features = ["nix-command" "flakes"];
+    experimental-features = [
+      "nix-command"
+      "flakes"
+      "pipe-operators"
+    ];
 
-    trusted-users = ["root" "@wheel"];
+    trusted-users = [
+      "root"
+      "@wheel"
+    ];
   };
 }
diff --git a/modules/radicle.nix b/modules/radicle.nix
new file mode 100644
index 0000000..ea2f2db
--- /dev/null
+++ b/modules/radicle.nix
@@ -0,0 +1,44 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+{
+  services.radicle = {
+    enable = true;
+    privateKeyFile = config.clan.core.vars.generators.radicle.files."id_ed25519".path;
+    publicKey = config.clan.core.vars.generators.radicle.files."id_ed25519.pub".value;
+    node = {
+      openFirewall = true;
+    };
+    httpd = {
+      enable = true;
+      nginx = {
+        serverName = "radicle.rpqt.fr";
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+    settings = {
+      # FIXME: activation fails with rad saying the config is invalid
+      web.avatarUrl = "https://rpqt.fr/favicon.svg";
+      web.description = "rpqt's radicle node";
+      web.pinned.repositories = [
+        "rad:z2DH9K384tPCrM5HJcpiKEoZZdftY" # lila
+        "rad:z29gVX1f6HC1XGx755RL1m1hhMp6x" # corner
+        "rad:z36HRN3Soay4wMXBSiR4aW7Hg9rT7" # flocon
+      ];
+    };
+  };
+
+  clan.core.vars.generators.radicle = {
+    files."id_ed25519".secret = true;
+    files."id_ed25519.pub".secret = false;
+    runtimeInputs = [ pkgs.openssh ];
+    script = ''
+      ssh-keygen -t ed25519 -f "$out"/id_ed25519 -N "" -C "radicle"
+    '';
+  };
+
+  clan.core.state.radicle.folders = [ "/var/lib/radicle" ];
+}
diff --git a/modules/remote-builder.nix b/modules/remote-builder.nix
index 04b32a6..6c74f92 100644
--- a/modules/remote-builder.nix
+++ b/modules/remote-builder.nix
@@ -39,7 +39,9 @@ in
       isSystemUser = true;
       group = cfg.group;
       useDefaultShell = true;
-      openssh.authorizedKeys.keys = cfg.authorizedKeys;
+      openssh.authorizedKeys.keys = map (
+        key: ''restrict,command="nix-daemon --stdio" ${key}''
+      ) cfg.authorizedKeys;
     };
 
     users.groups.${cfg.user} = { };
diff --git a/system/network/tailscale.nix b/modules/tailscale.nix
similarity index 100%
rename from system/network/tailscale.nix
rename to modules/tailscale.nix
diff --git a/modules/user-rpqt.nix b/modules/user-rpqt.nix
new file mode 100644
index 0000000..4c1d0bb
--- /dev/null
+++ b/modules/user-rpqt.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, ... }:
+{
+  users.users.rpqt = {
+    isNormalUser = true;
+
+    createHome = lib.mkDefault true;
+    home = lib.mkDefault "/home/rpqt";
+
+    description = "Romain Paquet";
+
+    shell = pkgs.fish;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze"
+    ];
+
+    extraGroups = [ "wheel" ];
+  };
+
+  programs.fish.enable = true;
+}
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
new file mode 100644
index 0000000..4ae455f
--- /dev/null
+++ b/modules/vaultwarden.nix
@@ -0,0 +1,18 @@
+{
+  config,
+  ...
+}:
+{
+  services.vaultwarden = {
+    enable = true;
+    domain = "vaultwarden.val";
+    configureNginx = true;
+  };
+
+  services.nginx.virtualHosts.${config.services.vaultwarden.domain} = {
+    enableACME = true;
+  };
+
+  security.acme.certs.${config.services.vaultwarden.domain}.server =
+    "https://ca.val/acme/acme/directory";
+}
diff --git a/packages/flake-module.nix b/packages/flake-module.nix
new file mode 100644
index 0000000..13305ce
--- /dev/null
+++ b/packages/flake-module.nix
@@ -0,0 +1,26 @@
+{ inputs, self, ... }:
+{
+  flake.packages.aarch64-linux.genepi-installer-sd-image = inputs.nixos-generators.nixosGenerate {
+    specialArgs = {
+      inherit inputs;
+    };
+    system = "aarch64-linux";
+    format = "sd-aarch64-installer";
+    modules = [
+      inputs.nixos-hardware.nixosModules.raspberry-pi-4
+      self.nixosModules.common
+      self.nixosModules.hardened-ssh-server
+      ./machines/genepi/network.nix
+      ./machines/genepi/hardware-configuration.nix
+      { networking.hostName = "genepi"; }
+      { sdImage.compressImage = false; }
+      {
+        nixpkgs.overlays = [
+          (final: super: {
+            makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
+          })
+        ];
+      }
+    ];
+  };
+}
diff --git a/parts/default.nix b/parts/default.nix
deleted file mode 100644
index 2948de5..0000000
--- a/parts/default.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  keys = import ./keys.nix;
-}
diff --git a/parts/keys.nix b/parts/keys.nix
deleted file mode 100644
index f6fce87..0000000
--- a/parts/keys.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  rpqt.haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze";
-
-  hosts = {
-    haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKga5V0H602RsBESBXf5kwRCnI1yfBPOHmjGsM4Rxf5r root@haze";
-    genepi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQUzjid5mfMYginIUCVWTF7rWvWz0mUZBZsl5EhDIDl root@genepi";
-    crocus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAiz3nzuJGO5tRka2Y/kzqKa68wF7wwHr4hAympLNb9F root@crocus";
-    storagebox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
-    storagebox-rsa = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
-  };
-
-  services = {
-    radicle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuoHC4P0h88OAL5PJmiqkbkvQR1cwfkjaevWbwdKOU7 radicle@rpqt.fr";
-  };
-}
diff --git a/secrets/freshrss.age b/secrets/freshrss.age
deleted file mode 100644
index bec4a3d..0000000
--- a/secrets/freshrss.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 ELMcHw e1XlBpnFTEjcVaiz2ogDRQlrkvEK98pJb2iDaP3fAF8
-W9li/7spMyPzwaCSFkOdPOL9ZNuaGCnJxm0uB/vLyS8
--> ssh-ed25519 8TpKTA 3HeKYAD1Y9UGfCmTWdgfVRMXy/q+R2fH/rrDdCnmBgc
-S2pjlFKodLcx06HqrkghUUQB8QgyxkhPean6EV7GsXM
---- g6mHVMs7rkgyIus4NGuw8h+Hai3ME0FbuIpvA2KOOYQ
-–=Ï2#¯–Þ¸<+ïí
-vàÙúœÂŒL¼3î@Zè,Ü…M9,C$»aèr
zuO>Ç͇°
\ No newline at end of file
diff --git a/secrets/gandi.age b/secrets/gandi.age
deleted file mode 100644
index 4a193b0..0000000
Binary files a/secrets/gandi.age and /dev/null differ
diff --git a/secrets/radicle-private-key.age b/secrets/radicle-private-key.age
deleted file mode 100644
index 7ed9647..0000000
--- a/secrets/radicle-private-key.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 M/D1Cg YfbyictbASsHxNw6wLCn39IrkNtbpVM8QZNczMArVkw
-om2OLtWnWYLvUm7L4tSDDXHtUKd1O+wqwKO78QZ/6cg
--> ssh-ed25519 8TpKTA vtuEudd4t+4kzeztRImB1QqGtH7QJiCppBzSngEzKm4
-qUgxtzght+zL/PVuBKbD3S+B4H3siZveg7n0mqJQqDQ
---- 8xbzXxMfsk2mfLI25fp+xtzTfjJr2t6nSQWa69Ua9Mw
-!™n‰�ýÙù:ùŽŸ=Ä`\iý€§ˆÛMti³ðö°ÙÄÞ:ŸA'ñp––®õ¾wwª^râ€Ûâøo¶ò
,NMC„úqÚ˜âÚ¿z–YÉ\<ÒÞ•lSÒ+�d^YŒϹ1rº}ï€ëã¾Z‘®ÇØfm¼ÉÒ@–‚äДèåc—3Ä|MÜìÎÕV÷Kåa½Ûå?EðAÃ+ès�q,…÷™ØÃ…VÄ$|N I	TÄ	¤-xÜ�k÷€µ$¬¢A~•WÈ'<k˜|¶—×Sh+hƒÞ§Ç,J¹Wùhƒ¢öE¢&K‰ù&ø@ëp”P§p¿¿‹ðAÃÄLûbðÌÆ$íJÈ2nk%|Y,!t >„ünM	¯¯þÑÀ˜<p¡{ÊDØåórßeù¦ûåRû²7PyQùì:©¸¹;9XÖ nu6Si剞x î˜FÔ5•ÍMÒ b�œŠHYÿ[æÿgþÓžmt×è£cjÛY„<DIQ˜|ÿMFá#˜+�Öè#æ+9bb±«6Ô…§D3�ˆ.‘]eŽm(ŠïoWù¤
-8˜ô
\ No newline at end of file
diff --git a/secrets/restic-genepi-storagebox-key.age b/secrets/restic-genepi-storagebox-key.age
deleted file mode 100644
index ac4e43f..0000000
Binary files a/secrets/restic-genepi-storagebox-key.age and /dev/null differ
diff --git a/secrets/restic-genepi-storagebox-password.age b/secrets/restic-genepi-storagebox-password.age
deleted file mode 100644
index 96bd068..0000000
Binary files a/secrets/restic-genepi-storagebox-password.age and /dev/null differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
deleted file mode 100644
index a97580a..0000000
--- a/secrets/secrets.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-let
-  keys = import ../parts/keys.nix;
-
-  keysForGenepi = [
-    keys.hosts.genepi
-    keys.rpqt.haze
-  ];
-
-  keysForCrocus = [
-    keys.hosts.crocus
-    keys.rpqt.haze
-  ];
-in
-{
-  "gandi.age".publicKeys = keysForGenepi;
-
-  # Storagebox sub-account password
-  "restic-genepi-storagebox-password.age".publicKeys = keysForGenepi;
-
-  # Restic repository key
-  "restic-genepi-storagebox-key.age".publicKeys = keysForGenepi;
-
-  # Password of the default user
-  "freshrss.age".publicKeys = keysForGenepi;
-
-  "radicle-private-key.age".publicKeys = keysForCrocus;
-}
diff --git a/sops/machines/verbena/key.json b/sops/machines/verbena/key.json
new file mode 100755
index 0000000..4c9d333
--- /dev/null
+++ b/sops/machines/verbena/key.json
@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+    "type": "age"
+  }
+]
\ No newline at end of file
diff --git a/sops/secrets/crocus-age.key/secret b/sops/secrets/crocus-age.key/secret
index ef04195..0fbcdd6 100644
--- a/sops/secrets/crocus-age.key/secret
+++ b/sops/secrets/crocus-age.key/secret
@@ -2,9 +2,17 @@
 	"data": "ENC[AES256_GCM,data:EGb773Q1F0hvpduV6UcOAhSy8ypN/r2ixBkazycuqY6AJmq9wGIMF40z6uWuUuy+19C4dN6pdwnJLGw4S/3qxrFGKHMFtVbKK0E=,iv:6ByZiSBUUtONGzgO8tbKzdeNlBMI0OnPLMigSeIO634=,tag:G1M64/oWQmxZydhMI9Mo/A==,type:str]",
 	"sops": {
 		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNGFLK0d4\nZ2JCdGdkYWd5TFpKNHpCODNCNGdYdzlwb1hzY1lQMzltV1cvZQpML1BJOXU0UUxo\nUnBGb0hSUG45OFovWmQwbzhjK2Y2MlpCanE1WDdiVkhvCi0tLSBGWEFRa05FM1RH\nNXdpT0hBK2JFU040UGdhWTVkcGxYV2p0SitHencrMkRVCsneAeYc6WjBDpM14O6x\n/Ru/3fh8zl908fjqcrr+UPaIXLD/2r7rgzfUGIROrWJwh8yos22atAWG4O0UGQQa\n8Pw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTU5xN05kWlJuRFViT1lC\nSmxqSlNWTGVtTXhTS2o0Tm4xS05JUUkwK0dBClI5UVhna3Z3Q0NVODZVVW9aN2lG\nb05MbEw1SnVCcWpWNnVBNlRYMVZEQzQKLS0tIExvUFNhVUFxQkl3a1JrQjdOdlBq\nRzM1NDVzY0YvNEp6WWtnYTJYTXBWWGsKJlGXl/TadohSrjH9FEKvr8JMN13GDUl7\nN7OmOuy/2MxXXr2ChTJnmt+1is9Bj/52/oRH3m+yE6lAOb6eDMBgWA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ1FwSDFQZS93UUNUVFIz\nVUNjMjVQTUpQRXRaRVNJZzVCYjV3OFBFY1Z3CnpabE1CRm8xV0VuWm9EaU5qZ2RT\nb1FBUEgvcVN4RE51di95b1hiT1A3QTAKLS0tICtOWDRqbElaajJ0NDkzS1YyanpC\nOHdnMHB3Z0pRWEtYWUpDUjJFaTdzRHMKUg9bfInt/5mSBhVOhE99yYTsCXZ6CHjd\nKeu/K56gDMa93m4nPVubZjD7p3KareDRSjMW0/aY5Mf2QnY8nlk8wg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbVFINDFx\nM3kvSEpqYkJHT2FFN2xORFYyNncrQnBZcWRIWkd3YVJwUTRuTwpQYlhtWDVCTllq\nK1NLeC9TWWtYd1VMNzZFLytiZjVNV1pIRk9VcjdhNXV3Ci0tLSBya1h5cDRncUJS\nU2NyOFpzWW1ZS3EvdkthRkxyOVBTdG44K1g3QUY3UzF3Ch8tbkMxoiee+PKYxAQu\ncdybSzHGDDhY9uEsFAycFDx5GLybVQoCxo6JxC9J59koFQz58WaXT2pKqo0mMw8r\ntCA=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-09T22:28:02Z",
diff --git a/sops/secrets/genepi-age.key/secret b/sops/secrets/genepi-age.key/secret
index 49e3964..7ee1a24 100644
--- a/sops/secrets/genepi-age.key/secret
+++ b/sops/secrets/genepi-age.key/secret
@@ -2,9 +2,17 @@
 	"data": "ENC[AES256_GCM,data:/fLnn5tEMlasoykvgvfjXJSMVFO1b7LMEDXEzw8mV2m6J8eyW0QMLIwfZFoe52ZOe7JC3RCRpEY7ei9UhZVJzLmewbVT5ziN55c=,iv:XW3LIFunMbEv1eQbLfBx7AgS6y8Pdp0/OF0juhq+boU=,tag:RVMEaWp8ilc6rTDW7N73vQ==,type:str]",
 	"sops": {
 		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcit3SDVV\nbUhnT2doYW5SK1ZrMkk4eHk1U3pKMnRQUGZnZ3NBck9LWGxzeAp3ZjRtczV2Nml5\nMDdYZGc3VUNMOU8vbXg5WTJDZUVYRVFiNDd1d1M5c2p3Ci0tLSBOeVora1R2Vms0\nSmhpTU1kM29MYlZ1Mi8zYlZxSmF5dkNLc3N1RjBselNvCvfEkfg+xXIR+M+xlK7r\nmmDG7DLm5v6v31Jthcn36ORKHBS6256j/mteMO8ftHwMwtvw55lmDWkQrtFuaX/J\nz5E=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiMnJNZ1EyeHVYa0pTdUNa\nOFlVRUo4SjY0WXlDUGVLK0V5VEdpMEQyT0ZrCldhOUpWL2x1Sjhrd3NMRUNMVy9B\nTkhFWXVaMWttQm9YWlhmdDl2MzlpODQKLS0tIE1GM0hCQjBwMGI4cVRXWUtVQUtC\nY3ZvZ256YytFbksvRE9GdHA0c0Ewb2cK9D6HssuN4aXDgg7zHdCIdlcOE9wseEkf\nswmuk6YcMbwORDIwVi8deM5MRerxGhSUo64vQup4O6ivBJdPh+jvyg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHejRPeXJoazIzd2xHZDBM\neEplanpuOFAxQ0Z2djRQRXIxcDJkZ3IxcHc0CmtlMGk2YVdUM0ZpZjdCQS9JcVFa\nTnFQV3RjbUptc2p5NnJEOGx0SVYwNmsKLS0tIFZlcXE1amliUEdBQVV3WDhobnpx\nNUIxc3ZjR3QxdlBQeXFZcDNmQlI1WmcKBKsLCbVVeyEy+9vNKOPjAruf8AlDzvat\nWjUjRy3YyjTRiRINaZz/7YOzcr0w14Jo9+GMBF/gX4exXtm4p0KPDQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdXRFSlVU\nSlZIcyswckQzMXN0Qk55K1oyZ0pnREloYUZmM2VkSFhscUdFSgp3c3FWbDV3RWhB\nUU5oQTZOWFVVaU5wSHZiVUVEd25vekNSMDdVeEp6K0NzCi0tLSBMOFVSMGF3eEF3\nNXJrQUlIeG56Vkp5a3FjeFV5WkZ1eUtvQUV5bW83VnpjChSpqwUxZqox60+TkzUk\nTuaGGABkRDyyy+rL0jkVHZvh8gfF8WAe5M+TXHsXMHBN0XDhCulLKgXDkjiPDAtO\n2uA=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:43:50Z",
diff --git a/sops/secrets/haze-age.key/secret b/sops/secrets/haze-age.key/secret
index 30fa55e..e559dd8 100644
--- a/sops/secrets/haze-age.key/secret
+++ b/sops/secrets/haze-age.key/secret
@@ -2,9 +2,17 @@
 	"data": "ENC[AES256_GCM,data:g7js1FA6umKogdeqrE6VeJeqkIza7gPGX89aB7j4l33nPSGkZ6h8qR2j1fGqggwgolRVbEfszgIJYXrZ2dzzy8HGKQ2kQmQbgaw=,iv:LHGGVVFSRkuMxvCDM4VxxMF2MaNinRJGpIqO5w5mMzA=,tag:YjHpGPPWGhDz6g8+Rm1x0w==,type:str]",
 	"sops": {
 		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBK1VnY1pu\nY0tJODhZSkg5aEdKangyT3VFb2pYZnpMNklNTmJYZzdVOGdzRgpzMUU4Rld2eWJp\nekNobGhES0VVb0tjbEVQb3k5elptR2QvMW1WdzZTVGdvCi0tLSA3ZC8zazF6cngr\nS3dzSmtGSks4WVlTRVB0NzdtcmcyTTd1UlFTcTJrdlpjChpFftWShZE5WfA4s2IJ\nYB/0ybfkJZ/PZwIaTc2LjLv93b+/XwHYqqfelbm5Xbzk2NP2zAkgHez/gAo20LCL\nQVk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbTZ3K20xWDNIWEd4TkVZ\nN1I5Ry9CWGgzYWt5Q21kWHQvM3VWK0NkalFFCnM3Um5WZVJJSldPK294ZUYvbG52\nNmk0SlRhQWNkWmNWbzB4cGtmdVNjWGsKLS0tIDI3N3V6dStMRVlobzhMbkttb0Zs\nVW56V1loaDAvNCtuT3FXeWVwNHVzb0UKr59CCWRzWWzxkjLci26NJ5SFHazdzqub\nXdD6uXvUVBDradDHzgg+jy1OXQfstHjQMapSd9rRspAotbmQjdqDeQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5QWxTdkRnZXViTTAycExQ\nUUx4Y3lRN0p4YllXLytnVjJYKzBEWjF6WjBNCkFBNVh0UEpScjJOejd2ZlNqbnhD\neUpMcW96cENuQmdRZmxFcER4WkFQSFkKLS0tIDZWaUFGYVdsbU1JSnhVTUlXK1Nz\nQy8vTU5MUU9tT0pwMEFBTlF6ZFdEdmMKCxfeNF6659103amzoWkAQrrZ23zOJtc2\nBGa6jBLsjfNIBRK0m/IJ4ixmwPXbAU/KsYkRkvM1WlUjWh6x+yyKnQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbkp1UUpO\nTTZZZG83dndrZU5UZXRUTVpFNW9mY0p1N2hzdjVSUUdaL1JVUgpmMzBKUzh2WnlX\nTHQ2RHBKS2JGcEhCcHdnL2F6YndpNDNIWmgyMzVhaEZNCi0tLSAyK05TTEZ0eXE5\nWjUrb1hiMWZZcVRCZWFDT2g5VngyMFp1bkxXT1hUQlUwCle74xvsWsyhgyvlO7GR\n9HMOZ6tOvlfptOXaJXFxxtlHsfC1oA51pNPAdbq8bR6d+cf/rO2nLEHYhgNjls4p\nyVE=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T13:19:30Z",
diff --git a/sops/secrets/hcloud-token/secret b/sops/secrets/hcloud-token/secret
new file mode 100644
index 0000000..38bdd44
--- /dev/null
+++ b/sops/secrets/hcloud-token/secret
@@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:Jw4huyAI4yZT/24rImVh//JaFvUlwuIRrzP3nzLBqts+U2bs3wcv0LVavSEhECoJveUwYyS29++ewlnw+wiSrQ==,iv:O2ISIPnIJ3677VswqMjphwV30W24SNciPwIzd/AWm/w=,tag:ORMMkAtGyvzlINQ4fbtTjQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTXMyczVuc3ZwUHJIUlUr\nSTFObW0wNjBGQXBhS1FCSDNCVFJpT05DZzM4CmdscVg4dzJJVDZ6aVpiUHNydXhK\nK0tQTy9uZmJyM3d1OHVXT1FlYnhLck0KLS0tIHJGT1IxWTdJL01XWUE5NEhtcGhs\nZWlUZkx1L2cwd3dpakNCOGY0M3BZazQKZrK9JoWAJk9BOCPWfwxthR4sdNvF4bYj\nbnw5HBmXHPuV4pObDE0RwnoMVBXSfTof41HfogvsM16GWR577+CgMg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdHhYQkMx\nb2xTUXB3dkZuajB0aHIwbllmcVJwOHY3eXphR21MRUdDdWorMApkcHVxQ1FRQ3ZQ\nSnpOYk9ZanJPZ1EvWUpoZHQ1K2VVUVBVMVphVlYweGg0Ci0tLSBiQmQ5YnJpKzJv\nY2lmOFpZSEVJeHNCb3F1SjFzNzBabHN0andFczRYTlFnCkSFxvQ47FvKcCh06tRd\nCb12wKSm12yMs5BR9Bv40YDB9C0/oqo17gDmVworyZKuK2dDfRaSLjoD4Cg2ww+A\nwS0=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaG9kZWdz\nWVloZGxVZW5lVHpkN292MVFjVC9wWkNWS2hJTWZiLzk0SkdmZwpSZTZkOTFadWxo\naHMzZlVGV3hCY3pyQ1BIczA0ekpIWXZRSFZtN1lZMzZFCi0tLSBlSkRCNkNtbjFs\nd2IvSlRISlRydVh4M1I2bVFFZ1ZJUFFNc1dtbGUrZWtvCiiFUjKkBp4eyI7YV1AY\nk3tqfqsoQyHPYhL4mxU5bDBPTwKpIwPZNzfVDxgiTwQq5s4TEoDYnl4rhEc6ONem\nx84=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-01-19T14:49:10Z",
+		"mac": "ENC[AES256_GCM,data:fWo9KS5W4A7UNM58G+KtCzAQAiM0qFVJwf42/eSQC+yAMfZJfbq17JDeow37CbnYo4GaXJuPQHbUqnrFHfqxRXAOP8GfQ02MRf3xSpmzwLQeKtZHwGG8+Ez9x+FnYUJcX8QIHpf25NKpe57h8STtC+Uz66lMp1EFXzJzgOvTY9w=,iv:Eya9bRyBUXv7ddSa7PVNYej6shnXTSdd3NvPPyRfezY=,tag:FH6YK+dfoPyQwgMNTqKQmg==,type:str]",
+		"version": "3.11.0"
+	}
+}
diff --git a/sops/secrets/hcloud-token/users/rpqt b/sops/secrets/hcloud-token/users/rpqt
new file mode 120000
index 0000000..b1a8792
--- /dev/null
+++ b/sops/secrets/hcloud-token/users/rpqt
@@ -0,0 +1 @@
+../../../users/rpqt
\ No newline at end of file
diff --git a/sops/secrets/verbena-age.key/secret b/sops/secrets/verbena-age.key/secret
new file mode 100644
index 0000000..7c1e07b
--- /dev/null
+++ b/sops/secrets/verbena-age.key/secret
@@ -0,0 +1,23 @@
+{
+	"data": "ENC[AES256_GCM,data:wxFfM1b8w0EB/o1awHD9FMaHCSTp2NSyTfBCqJ5DjjQxDiBO4VkKVIK1Re28M1pKR4e/vThlvBpdEVnZksO6853RNbtBq8a5QSE=,iv:ZiJUjZ9TsIjse3sdxK40sYBbcBPwNkD7Pdq+O5DTcUQ=,tag:6GuL5cUgLKf3UEhioxk0AQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBZ1dNS1hn\ndUNMMm9PMEEvNW1WbnBiNitJNld2ZmlBQkphYzBFa1Z0bzJwZQpIeU9nSzY4bWpk\nL210cElrQy9PVTk0ZWtSZzAveUI4dlFGSjNBazd5NU5FCi0tLSB1alFvVEgxUDh6\ncGxmOGtqejFNMUVwNzZMeG5od0lPcitaWVF6TlF2QlhvClMRj078WFepyIPQi82b\n7GZ8+Wgel3y5ZfoUKZXFmpWqfYiODCdgBCduoovYY4vbrAsbfVun6VptW+Je3j0J\nC+M=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZGhSV1pTQmx4QktYRENB\nbVZXQytaZFNlU2d3RWlraEVwSnpXNnAvVTA4CjJCdHZNN0lTZkFVOVR4SjdOUEVx\nMXRqc1o5TldOdE1pWkkwR0VzemZMTWMKLS0tIGdxNXZyaGUrMzZaQWwyMHRKZGZz\nbFRMam5ITjN4cVhXcEVQS3Q4bGlYU28K5hopN2oifM6d/9/o3aQ0jS8K2TzXokVj\ngRP0c4NB6cI9TPqOaCAs90z1jIeOVB26OR6JvFH+m7WaaxAuu8rgig==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM3JHMEN4\nTzJJeHRaUXI3elRuRFBOZDN4MmttRHcrclZxV0owWXlUUHU0bgpXZ3pIQmhRS0Rx\nVXFyOVo3YXl0RVRVM1NWNWFuU0VKTjZDZW52SXhtSFNjCi0tLSAzSXhVQVNCNDlJ\nZjNtRlJkS0VLUUhhOEtLaE5jWmY1a2t1M1Q5RHZCOWE4CoTQMd7TKqdwzo7h8s8E\nqc28aqzCDNzPodvGidySkBpm6hvp6fQfSCgIJ4kWO5G4yZMOSqZmbudymMuUau+L\n6Ns=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T22:26:58Z",
+		"mac": "ENC[AES256_GCM,data:amP1SmiUjxfsKvfom4suR+o6SIJPOa4qFOd82MY7bOs7DG/yjbN1olAUWTbER0UDxoLb+HcGYOR/zPsOwJeUnic1bJp9Mt0HXYvmXsWZlqX3Or/hp+HLBgKe1rIoAmfJ3kdEmrZpcm7UViajxLsZIPaKtX8J07k2Wn8EEm/BZnc=,iv:/3dtXEQmItPwY6Q0EE50vtEj7fiMxnyha9j3u4KwuUw=,tag:Pn6u1o7R6iwJ50HlzB7+RA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/sops/secrets/verbena-age.key/users/rpqt b/sops/secrets/verbena-age.key/users/rpqt
new file mode 120000
index 0000000..b1a8792
--- /dev/null
+++ b/sops/secrets/verbena-age.key/users/rpqt
@@ -0,0 +1 @@
+../../../users/rpqt
\ No newline at end of file
diff --git a/sops/users/rpqt/key.json b/sops/users/rpqt/key.json
index a86c346..dd61c76 100755
--- a/sops/users/rpqt/key.json
+++ b/sops/users/rpqt/key.json
@@ -2,5 +2,13 @@
   {
     "publickey": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
     "type": "age"
+  },
+  {
+    "publickey": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+    "type": "age"
+  },
+  {
+    "publickey": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+    "type": "age"
   }
 ]
\ No newline at end of file
diff --git a/system/core/default.nix b/system/core/default.nix
deleted file mode 100644
index 53ecc66..0000000
--- a/system/core/default.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ lib, ... }:
-
-{
-  imports = [
-    ./users.nix
-    ./ssh-server.nix
-  ];
-
-  i18n = {
-    defaultLocale = "en_US.UTF-8";
-    supportedLocales = [
-      "en_US.UTF-8/UTF-8"
-      "fr_FR.UTF-8/UTF-8"
-    ];
-  };
-
-  security.sudo = {
-    enable = true;
-    wheelNeedsPassword = false;
-  };
-
-  # system.stateVersion = lib.mkDefault "24.11";
-
-  time.timeZone = lib.mkDefault "Europe/Paris";
-}
diff --git a/system/core/users.nix b/system/core/users.nix
deleted file mode 100644
index 1db5cfc..0000000
--- a/system/core/users.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
-  keys,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  users.mutableUsers = lib.mkDefault false;
-
-  users.users.rpqt = {
-    isNormalUser = true;
-
-    createHome = true;
-    home = "/home/rpqt";
-
-    description = "Romain Paquet";
-
-    shell = pkgs.zsh;
-
-    openssh.authorizedKeys.keys = [ keys.rpqt.haze ];
-
-    initialHashedPassword = "$y$j9T$.y7GZIaYYgEHt1spMsOqi/$k4O3AAKBhJF0gI.G9/Ja8ssGsVTv3VPD5WC.7ErAUD1";
-
-    extraGroups = [
-      "wheel"
-    ];
-  };
-
-  programs.zsh.enable = true;
-}
diff --git a/system/default.nix b/system/default.nix
deleted file mode 100644
index 763d619..0000000
--- a/system/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-  imports = [
-    ./core
-    ./network
-    ./nix
-  ];
-}
diff --git a/system/network/default.nix b/system/network/default.nix
deleted file mode 100644
index 1f59251..0000000
--- a/system/network/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  imports = [
-    ./tailscale.nix
-  ];
-}
diff --git a/system/nix/nixpkgs.nix b/system/nix/nixpkgs.nix
deleted file mode 100644
index d793f95..0000000
--- a/system/nix/nixpkgs.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  nixpkgs = {
-    config.allowUnfree = true;
-  };
-}
diff --git a/system/nix/substituters.nix b/system/nix/substituters.nix
deleted file mode 100644
index 04660af..0000000
--- a/system/nix/substituters.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{
-  nix.settings = {
-    substituters = [
-      "https://cache.nixos.org?priority=10"
-    ];
-
-    trusted-public-keys = [
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-    ];
-  };
-}
diff --git a/vars/per-machine/crocus/borgbackup/borgbackup.repokey/secret b/vars/per-machine/crocus/borgbackup/borgbackup.repokey/secret
index a358373..d554869 100644
--- a/vars/per-machine/crocus/borgbackup/borgbackup.repokey/secret
+++ b/vars/per-machine/crocus/borgbackup/borgbackup.repokey/secret
@@ -4,11 +4,19 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5eCtVYmtlaWlmUEZKRkZP\nazB5N2NGc3JVcEs3NHRpZng3UnhjaGJwUUhnCmJKV3Y1Sm1oUndnWGZTMmxya0d1\nMG5yR0hwNkdoQWU3bE9kMUdxL0crNDAKLS0tIGI1NWhoLzZmNzY0L2xsNThNNzdw\nUmgyeGo2ejd4VU5XeFRJb0JhMy9UencKhDHBhlcAPOMdyUWzD2uMDHFoC7CW2T2D\n09vSaeL75t9uNsCbryM7SWal0HquEyAs8Pdn4YPMydpD2mQOVEAgfg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPV3RaOWZkczN5MHhvRTdk\nZjJWRUNGNzFLSUVxUGpCZjJ4cUZ3aDU2OEJrCjNYYm9yUkJPL1hGZEpSdnFIS0R0\nWlBmbVVuRS9OSitNMmtiM3JLcVZtU28KLS0tIDBDWkRpSWxVK2pvdm5xeGtRRDli\nUnRiQ2tCRGs2UndsWW9KYWdocGpYakUK1WFkf16tMEE7JJcrU67TdFfHxOo7eyr0\nBpNye/Gob3+zPuWUz9ugFiqPOMXfhMVoxRFgzXD5jd7xM7NnP4fmlQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcGxGQTE2\ncmJWcjR4V2w5Zis2WGo0aytFbU9JZ1NkZzZVWkorRVg2SHlTRQpWMEdRRlBTNUM4\nZWY1TEEzMnRrVEhWcU5NNkdWWWFkZGxPay9BakJ4ZWdjCi0tLSAxb1Jhbzd2eUw1\nR2w3MnNMSDJTc1lhbzAvY0FsL2hXaXRZMWxTQmJaL0hBCltKw9Ex0B4BGVd1E7/a\nMKHXT7wEvlLfrfv2sBo0MAucnL3uCUgiQ1f+DQ9cGXwPuTBHCimCBRwkSh9VpVGy\nVF0=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtdmJUampVUEh1cytMUVFn\nVGRMSFZZcXZ0ekRzY0VVa1ZGSFV2c2pjOUdZCmNLUmdRbFhqRUk1REVhT2VWcjRZ\nKzBjQ3phSGhKNjVrd0U1eVlDSWVvVVUKLS0tIG93U1pmRmlZK0xOV0JzTk5FZndy\nZ3JKaVJNamxqYUpMQnF0eitsVFMxdk0KxGfukNQggo93Jc14Z2WAjfZ12e0SyRtD\n+hembYN7huaWCSyQdzS55U2r9C2bW+5qap6HhZOPAJ+1L+mD76wz/w==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTm1YYjdtQkQ3aERKU3hx\ndjg0b1dacVo0N055VWM2MmFGSmlBR2tDazFrCjdKb0VwQ2ZrbmExUDJFRTdCNCtu\nQ0pGbWtDeW1lbFZ1NjJaMXNMRmhpVVkKLS0tIHJCUGFYM1ZzeGVVWmFFOEYwR2Uz\nVDZlcFB1UnZYNnhLUEdFZjFXMGpBUWMK/giok2vHTK+YvkGj858pitrHKqJbrq/g\nmsof3z0utDBH8owfHMV9hB9pcE8qtP1lqkK9r6BfMMxrx+kilnC7KQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBME1yQlF0\nS1FrZllxcWJJbEkwV2VrcU42czVsNGowSWc0MnRyVCt2Y29DYgpmaEVIbGVOMHlZ\nbG1YS01tM1Q5VktNQkYzTVhZbTRPYStyNVBiSFJwbkwwCi0tLSBzVkJ2aGdUZE10\nUlVPL2NxNzhmbUU4MVRFZ2JPd094MXA3dEpndFg5bHd3CkrExz9N7/RGV2wMfTLa\nqFuOKYJyv+/9cUEIrzutKk+fRuuptdXzlAHApFqeZ1OxM7vynJV5UbrRca67auGY\n7Gk=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-13T21:59:48Z",
diff --git a/vars/per-machine/crocus/borgbackup/borgbackup.ssh/secret b/vars/per-machine/crocus/borgbackup/borgbackup.ssh/secret
index 90b09c8..eaf7faa 100644
--- a/vars/per-machine/crocus/borgbackup/borgbackup.ssh/secret
+++ b/vars/per-machine/crocus/borgbackup/borgbackup.ssh/secret
@@ -4,11 +4,19 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bkVVclhvVGExYmxOODdt\nZS9KRlhLcm1jZGZKT21VYWJ0bkp6WkU1WVdvCkU3UHhpdUpTMVJYWThsMElMN3NR\ncEp3RUhsTmNWVEVPeFVReUIxL3Q0dVkKLS0tIFk5VWR2U2ZwSzhUQ1lldWkxUTVW\nbURvVGswZXdNK2ViS1ZTNUt0M3B4N0UKxHYLja4nPCU7ms2Omo7JcCSU8/JR69pm\n0YMfpObSpDExrm/+ln58Pw6nVd1uA/mjWN1riLeKnetVxIpTAV369Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSUw2MlRBRjBsNTI4KzQv\naE85c1ZQU1NXWnZ4d2taaklhNmJOM3BJSVM0CkFPMWt3UTUxcmFlNWpPVlgxVG1Y\nL0hxTlY0Tmg0S01pYkFaR3dwc0Jtb0kKLS0tIHltL1FNekJFUjJPbVJRdzNheVNv\nOG5SSFhUM2lzelV2aWVSMXRaSjJTUUEKCQNA7zTqd3NqeDxfaKPoBCbgOda+qnIF\nuOdNFADV7LCCpUolBUEofhEb+azGpnR87pou93QRaiXCrj9QGQqCTg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBb3B5OXUr\nMjE5K1VGM1Z0eEZxa1lUc3JpeTlXaHFhbDFzeEo3NEs0MmkwbQo3cE5TVkVmRGZz\neHFqNWFXcHdESVNPTTA2eW5RbzdyS1NaRSs1YmM2U2NFCi0tLSBkL3c0S0Y0OHB0\nT1piNGlYV0NvVjI0NkQzQTZoS0VzemJ2UmRXOGZCZTB3CgvVFBgMv+1FhBiYVPJZ\n29zfoYYIoHpjUU4pahjtgwBivSZy1Md/JV7AlWSz0zjyzWWquWyPyCbc4CRcc2U8\nTps=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SjZPNE9GRC9ud0NZT2RH\ndHR0eU4xUld3YUFIRlBYN1h5Qjg5ZU82U0JzCkZVZTA5M1pnOTBxcmVoNWh3ZGJQ\nbVpsMXowOHE4eENlV0pKdG1YbUNPejQKLS0tIHhIa3dWMkpIMm1OZ3VlM1JaQ2gx\nbXk5OHMwakQzRDFUcWdLRmVXeHFnOEUKOpS+uXVevJ96bPhnKVYiM2Rl5PNvgmNz\nyxuYC+6cX+oPTnz6fSVYKmP9LWKAypHWQCzu5uKBriaAwU3EctRIHw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOCtOSUwxbllMNkFvNVl2\nNGYwZ2x4TUVlTTBldjdJMG03VSs4TGY5L2pnCi91aWNnZ1kyUUZtK3hxd0ExdUFy\nQzZIcm1MMytzSzFyWlFnNnRKSkYvbW8KLS0tIDJBUkNRQ1duYlgyKzAxcExSZWJY\nUzcycC9Nb2pqWHZIL0NGSXFxUVBGTU0Kf4z8CV6hph0fl/te7Vvq5IGRTrraFufn\nvdt3bo/g2ph1O7TV6Yf7wUGmstPsB7ssH/byANTI5zrab0tgBqcm1w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMEdBV2tY\nQ2p0M2gwVVAvaHpneDVUVXh4dm90YXNJdWlITFlWSUdNK2ZQQQpjTVI5dDVnYndY\nTnlyNGtSZVlWaGNmOExvY2g0cnNLWTVHYUJoN2tWQkN3Ci0tLSBYVHJmODNZRlpC\nVlI2Z1pjWVpSQUZOclU0VmxZKzM4MFVwRnNkR1drdVlFCraqEY2PYM59CpfILN7d\nCXxvYvAxXSlu4Giz6crAzHvAxq5BdiITRIw3m7st0zlEsCVOjjsGKtsQ1VDhipGE\nYbo=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-13T21:59:48Z",
diff --git a/vars/per-machine/crocus/gandi/gandi-env/machines/crocus b/vars/per-machine/crocus/gandi/gandi-env/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/gandi/gandi-env/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gandi/gandi-env/secret b/vars/per-machine/crocus/gandi/gandi-env/secret
new file mode 100644
index 0000000..8ed6085
--- /dev/null
+++ b/vars/per-machine/crocus/gandi/gandi-env/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:diQ/PXOEug+tCpSPJaOqW+RY+jS7/UTHtehMJY9uu0pAr8JPTptPbc9GvHHjfIKfq2+me1Ttb2lUTDPnQuujFXIcD/Oj6Q==,iv:5Sq4geHzXrs6HKCk1Z1axEIEe1BVaH3zJXbFHirCYBg=,tag:BoZQd5hRbo6bXtl6X59lrw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQ3Y5UjJVcVhaWUUwaklS\nK241U0x1M0xyd29lRGJRcWFtOW1GN0pKeVRjClhhempRRlJwajVEZDg2YXJFcDN3\nNEVSdng3bnpFRjZWQVQzRzNkUDlSMGMKLS0tIERPeVN2Q2VnelFzSHZUdGo3Y1RM\nSTJIZjBjVGFZMlByZkxFMTZyZmwzZ2cKRXU2LooeDPC4PSJFpYsLRIuzxKl5I6DM\nXY+Wmo8ffNNXzYfc7VeVk4NVwVPZQcqVmebRypYtnvG3cTejxG2H7A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMnFKSFYz\nM1Bjc0pHd0NaSm91aTVSZmZFQTQ0MnJkVXZsUWdCQzEzd21BYQpxSW9wZlRmb3Bz\nSXRHSjRtZ0VuMWU0cFhGeDlwNUlqUVljeXJoU0lkSFdjCi0tLSB1V3Ryb0hGZ2dL\nOEN0ZTlhUTFHVzFkYXlGS3NFbkdKbXQ1MC9CWWNOZEhBCv0q2eUDHsUO50MhFTtX\nc/jv2delDYJpW7XClMWnvVZQjR0O64dETJdwX15c9hxcCCS/5zUt7xktVre3P64x\nnfo=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybGRQTHlDMHB0NnRZbVIz\nekczKzBRZk5iUDhlQlZBMkJ1S0FxMjdqVlc0CmY3Q3NQRTV6Rkl3TWx5T0RMYkhs\nYzFjVzVNMDBuc3NuZWNzK3cvdm16NkkKLS0tIDEvaWNwQVRwV0NxbEJlcWc3NjEz\nV3RyMVYwdHRnQVNXeWxBZkNYQWttSEUKAMzWjimkgPgxA9Ctp4UMMhdeWi58iAJN\nKQwwN12GeQoII5ZQ0GcfPR/5j3ehQl2mMmoqcxc5UqoeS0U1tPjczA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaU1zOXFU\nV0hqVXE1K00yUkFzUjdVN1RYNWgxYkxTNTk4Ry8vTlpMRnhyQwo4N1YxbXZHbklL\nMnFZRHBhNW9PUFlEN3dRRmxyeVlVaXBpdGZVYWg2cElrCi0tLSA1WFp0b3Y5cDVv\nZ1F2U0Y4OVNhcFlrOFRGOEpiRWlOTVV3bnFvbGNLMUJzCgUkSUQIlfXLdyFp9+YT\nvJo+BM3T0Lk9ZhcNy05PinmYorfzZdd0Eb2zZHp5amyuV3JXxjKuJhspB6wP1GYc\nfcw=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T20:41:34Z",
+		"mac": "ENC[AES256_GCM,data:JF1vnWfkno7JM4RrrJ9mSvFH6Qpm6XOnoTSpVpUjKw7b8HYRM20u8KXtoB8FI+mwJU59OWiresBuy+JMrViOO+mKO8mkIdn58VgXITk9/ISM0e+rlZklQJRvpeREDO4hWZfMNnRq74vW0JL8toQiBNAxwErOTu4Yfz2wmW8moBg=,iv:rxDxUhhE8Mn971MVT7UmxIO5Gg1lfXT9nb85HZraXZQ=,tag:3Xcd2tYOttaiCuvscY7kEw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/crocus/gandi/gandi-env/users/rpqt b/vars/per-machine/crocus/gandi/gandi-env/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/gandi/gandi-env/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/garage/admin_token/machines/crocus b/vars/per-machine/crocus/garage/admin_token/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/garage/admin_token/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/garage/admin_token/secret b/vars/per-machine/crocus/garage/admin_token/secret
new file mode 100644
index 0000000..25f1ea9
--- /dev/null
+++ b/vars/per-machine/crocus/garage/admin_token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:pjAzrkB59+DkMEnFaFvClFvRI0ayxCOHdMK8datVmtWRJdDtWZquvFYYB7kq,iv:sSICWQ0rBUwfbS1bk1CEcHOfwA1CmXE93rD1lT1EAU8=,tag:9CjwsKSfjU10xAAzAKo9ww==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eDhid0pjblhSYkcyb1p0\nUUx6QzY2SWRQVDhvNFZKNXpFYitUeHNzeWdZCjdsY09jQlpWMXV2emZOTjhQNk5v\nMmRmTVlGVDZqQ21EcUFQWGJtK1NqSTgKLS0tIFlmNTFJTHFETmpRTmE2UjJHaTVK\nbXlwODNDZ3BHK3EyNGE0UUpoOHBYcFUKNHrDq5tLe8fPIJ1C+ReWURECGqWDSU4x\nyf3m8SILjS8AEayTkgqcTxIpB/670zUWpxDGO+eYGwvTgkH4mCzS1Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN0pwNWo4\nZjB3ZldtTVN2ZnVSME1iYm9XKzZSbVVnWEpjTmhZemVBWVBpOQpNT2FoUVEzTFFz\naWJqWHpaSk4rYzI0dGdxUm9aS0VxMnZrSzVPVHcrc3J3Ci0tLSBHdkpPN1VTSllh\nZEp2NjRRVWxFTGJNNjl3aE93Nm9wSndKNUtVR0RuTzhJClJVTVUqfClk4krjSSRu\n1Yu0x0Es3UdtDXUjcNkFSuskvM98YJWtt0A4ptt5TSgaLDvsY+RnUE+XLA8aX6ku\nkbk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBleGdhSWVuMnZTRy9NSVh0\nUjlNVEVsY1NYZHo0TnFqUzZYS2FEbUNhMnhZCk5HR2RmeHRtekcza0RLN2VYUDNa\nZ3prMnRVRmJ4QzlTdC9SbVhHWHlMcGcKLS0tIGZqd2FDMUZEWWZ5eUtNRkgweThP\nVXZDNW9XWFBjNTEyemkzZ2xDZFR2R2MKCwr7sqFliDt3MGoI1LkFjo9QmlMOR3hV\n/LTrJ/4jt5BAsM2wJLgZUdBjkzFCNW4kCi5PqfV86+Nb34xTXJW9FQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBc3ozNVlD\nLzVIclF5Q2pzVVFQVHdybFFvOTNDaXJLWmltZmtEbFVsaU51Wgo5dDJsRFROa0Mw\nb1VzZ0MwSG9Bcjk5NlRUclYyanpRd3dNeXZ4QmZmbDNvCi0tLSBpRVA1Qm5sVUdh\nM0d6UHZlM21lREZUblZkRk1iQ0djZXJQaUNnT3hwN084CjJka1HD+xbkt76fw4Pd\nmk96YZwYOJmNGJGTX1ZS5oa2FXffhXuYtQj/c3uojylaP7G57XJuoJ1Nk6pSd2u9\n/Jw=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-19T21:51:47Z",
+		"mac": "ENC[AES256_GCM,data:A22tkDaTGpgo8yfqnNWkCVRV80JmJKiJoMQVFRNhezUhWLb5jV75QtBirXTBFLO3Uyd48Z2X/+s63FMta3tqYIf4LiHjimv5U4hWs8eVAtpdIi5Qxf0K5UPivlsHs/X3p1+9UWx9z1hnxp7cChpt02t4EEgWh+PNwerks6/gjZ8=,iv:mCAnLVRiXeAujn/7sVXf3ak5KOmvIYmtolOj3CdGlos=,tag:hDMjHWpk9W5ShBkLxYaH5w==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/crocus/garage/admin_token/users/rpqt b/vars/per-machine/crocus/garage/admin_token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/garage/admin_token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/garage/metrics_token/machines/crocus b/vars/per-machine/crocus/garage/metrics_token/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/garage/metrics_token/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/garage/metrics_token/secret b/vars/per-machine/crocus/garage/metrics_token/secret
new file mode 100644
index 0000000..cbfdf60
--- /dev/null
+++ b/vars/per-machine/crocus/garage/metrics_token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:FaNG0ZX6z1Q7FfauyRwYCDLYl2KaupPtT6KcKGrxQ22yPIxW7htzkZzovwaV,iv:HLxunFnpgmvpVpyet4Og86R22LQ6os1lqzSyV9/E9J8=,tag:QjKKuJcG7SzxzjDmlSCHBg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZGtqMDFHM0VLVnhjUWdn\nK0ZqYnJINUF1TmNLN0N2QkQ2S1FucWVTenhrCnh0OTg3eWRCYkVEeTcxQzNCTnBw\nbVphQm9wTk92emRlTU5waTkrY1RsR2sKLS0tIEJuNEJUNjhGMzlrYXdVcjFudDhp\nRFpVNmdFRnBteGNMQVNQaVpmWVhRZTAKj8VdXywqeN+VEc6aBEYUSwGqPNhzCdyp\nl+ZnX/1Zq5EpalnpBjeqBFVqtXsXvYeBsDg/2RfZok4jaFy+vil63A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNjRWdXlH\nT2c3ZDVkcDlySHFhWlZkeEY5ZU9xYnZpUERITGJrQ0FuaHZMcgpobVAvUHJwUTNu\nQVhrbHdvVWQwek94TlNTZlpSWGhOQUV6QmRVc21mbFEwCi0tLSBjeHNFZk5JVW1N\nRHp4ZjlkM1RGM0NFU0Z6cUtSMy95azg4TnVpaG1KSGtVCqrX1dJRA7e66Py+ifW/\nUhzHZoPD4KB9EJrmQAgn7vMnFOIRwpam/Vkewe5ILv9uFl2SC49KI95iHA1AV1XL\nUYs=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cGw1ci9NZEFxZFlVc1Qy\nM3VybDkrNFVLZjlLczlaUzFncG9lZmR1SUcwCjh3NFh1bTU3dG5HdmtKZGh0QjFn\nV3IzVVpHYjhpSDNpc1RyRUJ4cDR3TFUKLS0tIEpCTVBiWUxFS0MyRG5CM2FhRjFE\naEJBb1RlVHFySDZ3NmxWblh2MGFZQVkK7zxgSkhBrQZUTnGB13XfLSwgdwcjyyMh\nDKpMe1w4j9m45B7k2lAhbweTuDEiU4RoHvXaXeTsZ26XFIMlwpwT5g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBOExKSmtY\nYjNCcmJTZlljM1J0UUk4U3BnWDFONmc3bThxV05GUWx5alhncAorZ1J0czQxTXNl\nemhxZXpoYzJMdnNaM1BKczJXZW9RaXRVMnRKd2lHbGhRCi0tLSBjcWFhS2cwUGZO\nRTM4UnMwRjhrMXRmZnNzVkh0emdwazZvN1Q1QTlYY3UwCihSgclskDvQxfoA9Wnx\nagmLiceD3owl98ug3ZxN2x/wrjv9+44SYaNrI2kkim9Zp+4o0kE0qBYK9zeSsEHD\nMTc=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-22T13:51:53Z",
+		"mac": "ENC[AES256_GCM,data:H89aFtec/OOq7r4MS28N/5ygv5GCWU0kcZszIr4yacfvoxPDFhFy95WCk1O0mzeubJ0Kw0nnmRlDS++Xfa8O99gXOtJc3FupBtLH0s2067jH4SW4DF4B/8BDPN9erVPXC4cwjSQnLerP4+TA14JtTbkoMLSLIsfU3gVlN6S0F0k=,iv:q/DKwAs7wOJQ8oZfjPCDN6pm2yREiWk+CQd6B7TixOc=,tag:xRgjYRsv9pOoWpkofkw5dw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/crocus/garage/metrics_token/users/rpqt b/vars/per-machine/crocus/garage/metrics_token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/garage/metrics_token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-id/machines/crocus b/vars/per-machine/crocus/gitea-s3-storage/access-key-id/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/gitea-s3-storage/access-key-id/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-id/secret b/vars/per-machine/crocus/gitea-s3-storage/access-key-id/secret
new file mode 100644
index 0000000..a90e341
--- /dev/null
+++ b/vars/per-machine/crocus/gitea-s3-storage/access-key-id/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:NB7f+8tGLTJACgHqRzCmvfq84A1wY3gdsgA=,iv:2tNgNcKOpqvvd2ULSSOQwpGbU51uovLbXpIRElTVM/w=,tag:3WBlU9rN5mP2o5/N5ijCZA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSEw5L2RxNTVpK2FEU2g4\nSno2S3F1NXdRTkNVWWcvY2NkSEhGVFlBVFJFCmRObDRkelZVbzFPRElxNHJBcXkz\nSE9BaFZwOWtrZWIreXJNZU9SL2YxMXcKLS0tIFJrbFhIVHo0azdGa2NxWHFoMW1J\nUG1qSzNOc3pDbTkvNWZRM0FzMG9pMnMKhDvWGGa8TjLSuGxyuWV40gvuXbhx2iph\ntSitGvEh3UExpK4s61vblne4tv+xBsjX0h6KSX0Ip2hGIodThe8nsQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBc0RIQ0x0\nbjgwU2tRSUNveGZMbUdqNTNmN05KVEpqazVNSWZKdWo5M1IzbgpNZE9QY1hUUE1N\nc056NEY1SEdTZmNhNUp3M0xPaENzWjk2eEJPcFRhbW00Ci0tLSBxeXNRUzVIM2RM\naVVDQWt3TldJbFdBdVEvM0c5MEFDbDdyamlEOGd0cXJrChGtzCSSTwjWIwZC9/6w\nBYYpHyVrU/i5cqLvWAv9ZT40cNhNUmFWk9tg3BFoFPFJUxDcCg8FOIQaNn2Z4PR/\ncBQ=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRWRSWi9TemhlWnlWaC9n\nMUc4MWVBV0F2bkdaSWFsaVl1alYrUlhxczJ3CmRWcjE4R0hSS0R3SW1oVlFCUGFa\nczA0UzdPVHZPenVwalpwd0k5eFl4Y2sKLS0tIDRJOVNpM0ptTVIzU3p3TGxuS3Qw\nQTVWMDE5QkhCR3RiWFdFSmZITG5WTm8KUjL6xuP/yMPQTfvyhrBxEI+xE51ks1Qy\nZgXokrXGSmCIQtZoA+OVT4R5ogop5OBP3rXEZWfGxVFyFE7SqCexyw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM0FtbjBK\na2RBbmFUS0ZXTDJtZGY3TUZDc1VJK0QxOXVzVHhuZmc2UFpEVgpJU0swS2JIRk4w\nMThsYlViSm1SUnFnWFFVQ2lybGRmNlpsRHp1Qng3WFFFCi0tLSBlYXNoemZlaFgr\nNHFDVm1uSzJyT1dXSXo3eG9mYzdDd0FVdjNtZm1DZVBvCjKiC+OC5uCTJJkFbER+\n7mkox8LdCsobk24tTDTVbsuyzjxKZS/F2L1NXA4FBc1Y428ceoNiv7JcT1OWweUH\nDnw=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-07-26T17:18:51Z",
+		"mac": "ENC[AES256_GCM,data:Wm0RiWij2BZRyT9JkP265sUfn4mnGYVV5xJLxjzPnKyhVEu8Pnr6kSVQVAYP3C2SVicPghPSZONPNW0Co8zSEv/YYD91sLg43mxCPLABR4fda5ZRWaHhxZ2lQ7duCmvGxJP9wdKq/OGQ/C2ubO5W7FIJYmfi04rV7aKKwsGHaJg=,iv:oxVeIkBlWf/GHl81V84F1okGiFfXKTqJGHFHbz+Xkao=,tag:QGEJih/j9RqNr8IgtxAZOQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-id/users/rpqt b/vars/per-machine/crocus/gitea-s3-storage/access-key-id/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/gitea-s3-storage/access-key-id/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/machines/crocus b/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/secret b/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/secret
new file mode 100644
index 0000000..6199918
--- /dev/null
+++ b/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:88a57QIAqnO23iv/l3a4Gkl/7ddX3vPFZV37VAgpCsobXntzg3PAAXCXUb36rDHwMZa50Io1jQNErJqed9J6Wg==,iv:1HJ1o7pKZU9XohgKL1j+DZzBMfEUoOwpHyYlwoRapD0=,tag:8Y8+VvXpJJibRyKOBy8vWw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdUtYN3k2VUtBVkcwOUdP\nQmlodUN3dWVYKzJLUlFxMnhyRUhTWFpHbzJNCmVDK0dzditSNW5TZy9JdlZYMUdl\nQjJvSkRVVEpLY1FiSC9BTlZUMkxabWMKLS0tIEJrUmRzNVpVVHNabVpzSDkwSnZH\nRENnSUh6Y0lqMkdzOWJRQmwrc29PbW8Kli9N5DeyDuf9Ueuiw2XrvW4OD1NRSJwr\nGxWPKzft92MjF/wrr63DmMWB2PxxBynlSqCXZnL/zbU9Wy6GesAdcQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNTltS25X\naVlSS1FxRmtRcFRHaWJIVVUvK2RrSHpYZzNuRVd6OWVqRUFIRwpiZGhUWU5UNSt5\nVVd0SmJBWlo4MzBuTGN0OFU1bWQxT09sZG5xUE93MVE4Ci0tLSBMTmFlanNyOCsy\nWFoyZWo1eU9JS3RRUlU5a0xGbU9SNEVSYndueTZtZnZVCq+i8FnDLkLV1t9QeMkN\nlhaB3cN1Q0CwWSAi/iCgIqDbA4q6PBrdQryrOnWyV3h0vFwMotuEEfjct9y3/chZ\n/G8=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWFQ4dlR3aEF1RUU3bWZx\nakxHc1ZqQjc1Zm1pSm55UlFTMzhyT1hUU0VRCldSaDJINk82bEgxWVptd050emVk\nK29iVEhoclo0K0k3NjcwZ0trWjgvaTQKLS0tIHkzWWtaR3NBUTQ5cng1cll0YXdh\nQ2VsUVlWbGxhN2Y2TmpscFFoMGtoRm8KgGimtdpCLdmPxLVCVRutCKRsZIcIUisx\n0RG8J51MryaQ0aO3LgWbOwQ/rjWvgORR/M0z8L30VhT0XhJLckKRjw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBa2xqNjhr\nQzNkUzEyWFRtald0TytEVysxSE9meWFTNTY0ckZaSi9Gd3Q5RQpGL1grTXB3NkF5\nNmxCalJJU2RYR3V2b3pkMG5wUHFOaTRMQ0YyVE5pZkd3Ci0tLSB5WU9rUExsNUVL\na1BMWTJ1NGloL2taUEt1RU5qZHRrL3c0ek1CNXVKWC9BCjvh4pC8LikO8JmG+w0X\nb/DYoaeZfirlZKWm32vWMkJARiwyqB68X3FKXkN+s4hiKXl5DpsD4DuebkOgjy0n\nQuM=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-07-26T17:18:51Z",
+		"mac": "ENC[AES256_GCM,data:30DcAIuIzINrCgOZ/bRnU2ZbGzgPM3qKEV0ktIa+UOYr9BbaBFJmCxkQjAX2ZMwciQEcWJkOWjfV1jHv6HFXl+p/6D/9IN4S04RjpTUhODYUL5rAai2GzZ3gh0X+KPdrG0jyrqGyjl8fluzkrA40b3H3Bvar6Kh1+U//ACN1Iv8=,iv:cplJSehn3y0B+bi14pm5hrRWV1NQh5w4AikiUrye4I4=,tag:ReK1Mpm3ejNmSC/OuzSApw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/users/rpqt b/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/gitea-s3-storage/access-key-secret/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/gitea-env/machines/crocus b/vars/per-machine/crocus/gitea-s3-storage/gitea-env/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/gitea-s3-storage/gitea-env/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/gitea-s3-storage/gitea-env/secret b/vars/per-machine/crocus/gitea-s3-storage/gitea-env/secret
new file mode 100644
index 0000000..c84b7e5
--- /dev/null
+++ b/vars/per-machine/crocus/gitea-s3-storage/gitea-env/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:yvUPehA2IlYG/G8GIvLDElv8r4awe4kPbRtJRLonjrEl6kV6Qzps9Nw3Um3yVw38azTT9vgD0abLz7inM5Gp0QwiRxk4+06o/+aoDw7FScB+e/pZJkxpigy/061K7g60rJ26QTl36eURtFRM2nHM5F0i7rgsivF+UmYSjLGobwGABNN5rEaqLvG85YSlBHoOBNjuUFb9E1kyQe7TALW9voBb8ZDK3t4=,iv:TNio+GD8YE2hiS+oGD/pE5klOdkEuvmG4VnoiqBlZ8M=,tag:MWyjYsMvY45Qdu8opPe+7g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVzkwcHptQzZESjdoc01S\ndG54V3FBT0pDN1JzSXh5N1pwTGRiTVFyYlNNCmVTV3VWTnB2QkhacW01VFlhSW9Q\ncHA1ODZ5V0hBYWJQVDdOWlIxdmFKMUEKLS0tIGk0VGd1cmU0Mmw0SDhaM2FGb3hP\nQ1ljdmZ0MWl0ckV1TVk3REJkUm1pV1kK0D2XBrQqZS9yGtGYzJedeZLXccbzDgcV\nb8/yvr3eJkOkshzFKYJzowbbBA5dmnTAA4jFIoF3dba09dV11098BQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBME11R3Fn\nUVhWcHVxTTlLTDVUODNXQlJIb2h3MGEwbTNaT3I5RStQeFBrQQpIT2UyYmhDSW1C\nWjlJdlc4MGtEb1BRVFoxRmpQeHUrbUhSVTJwSXZNQkxVCi0tLSBla0R6VkxrVE93\nSlZZZ0lJZUdCa0hiK1R3UThTekRwbE5MeWxuTUlvc0k4Ch4uqr9lUQiy4vkrmAUw\nA/I8x/t4BOc1mnqv67DPd0w9pyBBAHIRXNf0Ymzj5F22s30yuwXstbtecnPNKFgK\nE6Q=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZDJhWFZmSVRnV3RKWGw2\ncURsTDVKa2V2QThwM0JPWHE1NS9DajY2L3hvCkJZTlBpOUNURHJndXpVSVBNZHdu\nZDFJa0YzMzdKQ0JCaWZyTktpTFB4b1UKLS0tIEZRc1NaSjlRenlhTHNsclVlNGht\nYkYxQlIrY0xnakhQSnNJdW9RVnJZZVEKLaLWFtMJE70HSZ4h4HpjqDIbRPfTu2iZ\nAW4rInouGTOoCimNO3eqxM+5fo5zMGilhY+sSYoZfj/8XtqN/N3r4A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaHRPY3lD\nNVU5VzllWXBZaEZoaDJpdktJNmZtR0NWL0IrWm93ZWtidzhvOQp1c3V2K3l6K3VY\nbXBaSm9USlVSWnZUVm90aEVCSmlSYkljb2loWkxNb1FnCi0tLSBTQ2tHSXFMZlVG\nV1ZyQk1pS01ET1l3RjQ1YUVOT20xanhuT2orOEsxK25RChCM3eviktju87V/R9HX\nohaSmh3H+OJ/HzKgFcJV9QxxqksP/nOZ4XHKsjQEk4g4YVH6oFr+shs0Vpu/zAhf\nTq0=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-07-17T19:36:54Z",
+		"mac": "ENC[AES256_GCM,data:MkpTvxi2uVvRurWYZvDhsMm7fOJjO7mAqKQLwd3uxexg/4n41RiiknB9M8vDp4/oVIiXuQAvd870vFamf8hFvGW3ynSqJ6JntqDjsmyoZ9nFmo57YgqmEjFXjmsAcwcDpcndwahkdZJNluXCAWIk811R3ahMc8KWQxqkc0f7a6c=,iv:jjyBxliNvAQj5wWBAKuCK0zNjN6vpe4t10vdlrEdqo0=,tag:y/Xm861aTReLBG/Bz7YJCA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/crocus/gitea-s3-storage/gitea-env/users/rpqt b/vars/per-machine/crocus/gitea-s3-storage/gitea-env/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/gitea-s3-storage/gitea-env/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/value b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/value
new file mode 100644
index 0000000..33bebdc
--- /dev/null
+++ b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-id/value
@@ -0,0 +1 @@
+GK0380f708a7baab9385e45ae9
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/machines/crocus b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/secret b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/secret
new file mode 100644
index 0000000..c546b50
--- /dev/null
+++ b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:5kOuRuLqQuUJPBWtrCzdDzdGWBdYN+GFGLn5LAbezcQcYuDyOZvpI4zJiBCUfEACXGEhlr0Vxid8M18A2g6j9A==,iv:QzOzJTnuG6Bo5zeDQMfDUdh+Qr27rxPq+G/kWj98fwY=,tag:m0KGHs/BqKE2sSj2s8p4DA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJV2gwandKcXg2N1l0a0N3\nRkx6ZDJ6UEFQbkxKa1ZOUStsaFlGSXk1SmtBCks0cnN4WWZCRFBNYlZuQlI3aTJR\nOEdxQ3lGVE9wSnFOblowbWFlTmhDV00KLS0tIGtNRDloOXB1dzJsVVVIYXlkb1V2\nZzNhL3kxbFFwNzBNdGp1OHhTYUo0elUK90tA5xN7SASZ6Xes/6Z5DMKGkSrxu6xK\nhzzId2/C8U0+lbeTQQkprGpTDrG6XlTFRSvaIwq2vwM3ohGVXOyP9A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbzY1MCtM\nZzV2MkFEMXVPdjFObU9jS3UwS0I5aFdnMUhvSFJLTEM4dHhQbApEbUVlMHVOQlgr\neEErQy9laTdKcis3bDRpSkNtWjFweVBnR3pIeVlTVjE0Ci0tLSBXNDVtQkpaOTJM\ndkcvdHY1TE1pR1dmRnFoWVhpYUxtbzAvV1dMNURmZDBzCv2yCsrI9e9GsPk31lRT\nVSsgpycRE74jTPCV9ALDQzW1tZ7CV+UH4zapgTguuCmqJF9QlNYEFZFSbsAb+ex5\nEtc=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqc3kwUHlhRUtUakkwRWY3\nNTM2aFF1ejhPY1lRSDZmeUJTQjBmaUNtYTBjCk1HY0ZkSkthTVpLTkMwb2o4djNO\ndWhDSjhJRmlia010Y3lEZE9SMzZqWE0KLS0tIHRrSTZNMzRCZnRUeGtYdzJhTGk1\nYUd6MFZKU0ZFL3pjTm1ITnJMcGxWT28KgtKtewS+9nt9X0nBNSxOnGtS1WWViKwi\neKmKorFPykcpe0iloq3Pa6Z0cdreafHHQcAewOjY4nrsHcQOlD6T+g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNzdaRmMr\naWxSczdYMWc0TEZzZ0Rya2ZUcjVXalBRUURLeEF5QU80VDBmdAo1OHBQT0JmRmRl\ncUFqMkpVMWRHcVpaMlRMdWtYL3lYcHo0aXJYQVo0Y1hnCi0tLSA3SmNOeWpGWldk\nVDYxTk5EN1M1bHlKYkloZ3ZRT3N5ZlNzRHAwVElqNFdRCsJkvpTfuqsI3L38JImj\nsEq4VT8t47dcIQJApMv0yIphCeX2bBPrPN0/6VMc/Th7kOWb9qhRzG/bR5bx6Oaa\n3Og=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T20:52:22Z",
+		"mac": "ENC[AES256_GCM,data:FM1/AiycM5mDnluBJv2MBHVdS/S0w7+xbAp64jEAiBeSnpY3sKefdYAIB33YXUs5LViGO8lloUxlBQ5LGnHjTQVd4b7N7Mh7FWkFtgzrnisOBmv21JLP3wa//Y0N3eZhgm+ZMJE1SZyeWGlCwDSsjLk+k8Tn2MmMqy7MfZE9bhM=,iv:WZVumq0jhPzZ5/w1xFHn9YO04ycI/IdgiTvVQsb0qcw=,tag:IsXow7BjeZMgxVhpBsMmrA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/users/rpqt b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/nextcloud-s3-storage/access-key-secret/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud/admin-password/machines/crocus b/vars/per-machine/crocus/nextcloud/admin-password/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/nextcloud/admin-password/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/nextcloud/admin-password/secret b/vars/per-machine/crocus/nextcloud/admin-password/secret
new file mode 100644
index 0000000..49aa6be
--- /dev/null
+++ b/vars/per-machine/crocus/nextcloud/admin-password/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:VPf7HCaqRatP7bK7podFQsSxAXH+jSblyg==,iv:GhOmIssF3fmTTgX95tihr0KfSZozK/ZuJxMIACl8C1E=,tag:Hb0BaSS/dGe4WiPR7WftlA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzakVXTzVvVFVXdWxNS1VB\nUURrMktBTzdXcGIyY05aczV0akhLTUt4T1U0ClJER1JSalpna2RmaUlCMnJnV05p\nUlp6STVDeUQrYWRQWDVTWWxYL3BmRDAKLS0tIHB4K2RqTlFTdG8xaG9SZXVpdEFm\nT1pDaWlWSDVtcWpZTFZBSnZHVlFhOWsKok+32pQrxSx0TlffrXZ2YVDuZ7WgAfH0\njdsTtSMmuE4MXruiSpws9Qv6wCtWaXcK8anjHG/yup6snZnKaCpgyA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcWNsOWVY\nRDMxZTZIRlpONVpvaFpOeWNzSmFLanliUWk4ampGUkdrcEt1dwpsVzdCWnREazZt\nR09VV3k3Qll5MjIxMThmdEJDSDJia25UTnBTVFloWFlnCi0tLSBzcXNySVNWOUts\naTRlYjZodFBBSmd4TEJKNzJJOTJJV3dHd2kvMXJHZmxRCnYIepxXIkKjp2erEpgo\nDOAg5JEmbvd69QDcPWq9+xR9pSPe5QIE1PWH87fPTN7mRE7S0fkbJlThMuuHmqHK\nqso=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeVV0UDFPaE85RU91aEJq\nT04vM1N5ckt2dXpCVGNKZTV5WUtwWElKcEhVCldLTVlkU2Zodnd2THFWWFB4L3k1\nSFg3ekRQZUlyR3ppdzRvRUhJNVlmK2MKLS0tIFJwOFROQ0hJek5NSlBPcUM3aHlW\nNEhnejEvQUhyMmdrTTRBN1c3YmY3U1kKEp3VtKkfxhKBEfYO0fjcyUOjILg3jpDb\n0a/LEFMzGUa6oMxQQYkmi2XFZnvmTey/1mR5sOOvGz4fDlouwfxrBA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBc25NdE1S\nVjUzWDlvKzArRUN6SXJYcldmVW50NjhFSGxYYmVsY3BSN1ZtVwptRGN2dXphcm15\nUXdOM3BKdHp2ekVjSHA3eUZNKzdEMktRa2Yxcys4VmxNCi0tLSAydXJmVGlJQkRl\nb0h3UTBWK1VQWmlSWVFpT2x4T0hDMVREeUtzd0hqZWVRCoZz2my0mTi3dcAINk4p\nZhXoo/eCCSUGIhLVSLFyxFSd7slsb0EioZzecBt7kC1peba3OF9ZL455WKE0KCDj\n2VE=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T20:22:27Z",
+		"mac": "ENC[AES256_GCM,data:w7gpQ0q38O6h8/VO5bc6v0pS78Jq8zY3jIlUC1kSF8I6q2U7J75+2TJlT4CFmwspJdNnyszHvermE5K/2uMCEi+f4Zx9FFpB9IcZ0zNEa2vl+3ksqiaRQjgcGXYBQY4eowHHsqBPFZ8w896e3seAM1o3Ah8RAEsVLPH1BB0quWE=,iv:CZ4ypoZhG/MgKJP2tk4tE/CC65ULB6VR+QYmMltFGJ4=,tag:XDL8mWdPpEqiZ6OLKclPJA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/crocus/nextcloud/admin-password/users/rpqt b/vars/per-machine/crocus/nextcloud/admin-password/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/nextcloud/admin-password/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/openssh-cert/.validation-hash b/vars/per-machine/crocus/openssh-cert/.validation-hash
new file mode 100644
index 0000000..e971f15
--- /dev/null
+++ b/vars/per-machine/crocus/openssh-cert/.validation-hash
@@ -0,0 +1 @@
+243132bdc5136706ee224d98a96529e443dfb8fd086cc6202f30d95f6911060f
\ No newline at end of file
diff --git a/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value
new file mode 100644
index 0000000..4e8e3b5
--- /dev/null
+++ b/vars/per-machine/crocus/openssh-cert/ssh.id_ed25519-cert.pub/value
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIBKcszb0YlcYG5GLTntOGpMyse+FxISKTdn3pVoJAzC5AAAAIOtUFcEICj2NcZZPcfl+JCCaDfmCxQtLytGH0eoFNL4UAAAAAAAAAAAAAAACAAAABmNyb2N1cwAAABcAAAATY3JvY3VzLmhvbWUucnBxdC5mcgAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7AAAAUwAAAAtzc2gtZWQyNTUxOQAAAECy8llQ6XQHRjjOTz/Le+Af6bW/lCq8ruJHPW8vh6tc2e9HFM7pWePxVeF0bCwWZ5IRNkvwjgfdbKMZG599racJ nixbld@haze
diff --git a/vars/per-machine/crocus/openssh/ssh.id_ed25519.pub/value b/vars/per-machine/crocus/openssh/ssh.id_ed25519.pub/value
index 3b7b89f..a9f39b7 100644
--- a/vars/per-machine/crocus/openssh/ssh.id_ed25519.pub/value
+++ b/vars/per-machine/crocus/openssh/ssh.id_ed25519.pub/value
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQxsrjjueq/+CdyNgzpy7PKiJS3OREWjdA/BqjpUBVX nixbld@haze
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtUFcEICj2NcZZPcfl+JCCaDfmCxQtLytGH0eoFNL4U nixbld@haze
diff --git a/vars/per-machine/crocus/openssh/ssh.id_ed25519/secret b/vars/per-machine/crocus/openssh/ssh.id_ed25519/secret
index 1bd1ef2..bf72d4b 100644
--- a/vars/per-machine/crocus/openssh/ssh.id_ed25519/secret
+++ b/vars/per-machine/crocus/openssh/ssh.id_ed25519/secret
@@ -1,18 +1,26 @@
 {
-	"data": "ENC[AES256_GCM,data:NuuwsBJ5E33VfWQwHnCujrU44VN9YUi4QD3ZJBaBMgfmjMA=,iv:f/8P5xs/0DWvaashUP9pYbigU4EyQsHoTh/hj8tP/sc=,tag:afZMpL4jyLWiNIUnDo5nzQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:NiLXfIfhT+FUGFfrUGc2SBYFrmDIIx60IzuEIm+8AjxrJjgXmjp6PR4EJcvT19kk54mCrDx2devMYsbTCVE7hALqC6GD1DZCEEh7uSFobbgHv/nPrEG49FzQjw/4q4YXjiMc2J3jyVmbZf1lM39sajfpdlozxoS/YLGopYHKCPvPcYALWuTS3+GocBTmWCUu6/newtc2niPDmrBItXzKa54b+0xjD8pRhgfhgDL919lxH+fugh7QWPSx0c+LqdAgroUr9GkX0ofoUPeBdb9mMGcgYjX/EM81ZZzalnAkgsx4v7IEGEpeYxqw3gOm4T//8bkVXnrroqb7KY6c6os7M4NddMxLGJYJoTgAYMr71MX78NOIQiI2HLRaNudeMQ8PP9h+f8PyvyeJXMm4WiljGk+ojwZrh4+CnV+o5W+K7nsL4+gO6Zje3iEhEDW7Pr0VI4KtIho0UcMtbV++PHLIUowwD+YMftd/3wHmcUfGg9DwhDTCy4nSJOcaIUUZGkEGWkrsVxmu2/Gr6Zm19Iz9,iv:7GePCFLRrFOkD/QjDP+XrveU80YsT8O6CyuS770YbSs=,tag:HhN1SssO+dZ1vyBdjUrUYg==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQkF0MEo2UlN6bFhualpV\nL1NteXpYdUhpZmlqWWY4eGNpTFdKeVRkTUQwCnVVWnpkbUNxTjlhRTU0eXJZRytt\ncDJJN2JmWkJrbnhPU09SSzBaM2VGWVkKLS0tIGVMZHpSNFY4WFBoczc2N3VnMHVB\nZWEvRHBSZUN2dk9nYmVPbjViV1hUbFEKjJ3fWv7LdCwuS4VpdZR7wbvtdUYkCZQK\neQuZ0SG9zF87kL4BpdpXlX2f6yuN4ZdgSPZ5IXc1SFwPJZz3v3Vg5Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Smk0ZnlQZlljV25weWhC\nUkUrdElqSmVEMlowRWp4MzRyK0tuNi8zeHhVCk9pbEJBV1dLL29LQ2l4a3RvVVJl\nYW9LR3ZqQndiU1FqeklKcUx5YlRaVFEKLS0tIC9LWjdBTUdGRWc2YUQ2YVVzclVO\ndnF4TU5TNHdKMWpBVERDNGZkYUxuSFkKElI/4w5sPPwkPgb2lr2ck7HdiKXaYHQf\nJFbdfN9uZ+ORwDEfJPriEV3FeXbUI6+dD42n1tdB1rPs8GrcoAlwFA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBOXBIQ2FR\nVTh2bG9JWWFra0VZaXE1MVBIdERWdFQxekIxU3VYUHN3YWswRgpvWVAyWDJwblgx\nM05jWFhqUFA0eERXZVZRTUxiUHRPRVhyZXZJMFMxRzZNCi0tLSBRbEM4clpHbmMx\neUJlUDlVaDZuOVZqMkI2YmxkOXEreWNSRytESlBjbXd3Cuz6FSIgtQJpmPjmIeL+\nsgG3eWaClcRgr0YXKaokHoBn+8NEiFw5RSTrpgDcsZySBe2RPZqMbDsNJlGmJ1Ij\nfaU=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaStpMDR4ejlwZzJzWnlS\ndkZDam1qZWpQbzVWc25aem1QcldZMHZmeGdJCnE1andLY2JWKzF1Wlh2Q09rWkw5\nc2psZEdFbWFtRi9ic0VDTi9hQVREYTAKLS0tIDB0ajhRNW9wZ055dkFRZGgxcDFk\nYWsreVBwOUxiejNoMVhGMVNET1JydXMK7wH41osgGbCHOWTYpRnw58RvT+vEJTeO\nspdyEnP4hqYl/+CGzYkZ0crJuVvo8oULAAfbXbWtOkVglqHJ2LxGCw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2R3d6WU5mK1p1dEdHVzNG\nSmZWRU5qdTJaRGFZTVZqRGtFcXY5aldaWlQ4CmJmWlJ1WlZlbDgrUDcrVWd6V0Ur\nUEphY0xHc04vdm1VMnJwajN3WHQ2UHcKLS0tIDNod0ZvZlZQalNKQmRhUFlOSUEy\nN1dmWnJLemVOQnhlMFAxWWl1bzk1RTAKu9wb50yH5MH25lb7Bztfr174nQMp9QLc\nUPXKQ3lgCOSltyQNtMOFvGYcFRVRfsSwp9unD0BEw9byhcGyTzchlw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBL1hUNnhl\nRnFVUVl5WUpwRjZGQUtXcmNVZzVDNUk2dXRjMmpNVmhKdHliNQpmYmZ1VXJoZjVB\ncUlIQTlvZ0ViTzJVbm04Zzh4b05FSDNzSDhWcjZVdmhzCi0tLSBZM01meGxyYnRu\nV2p3cDhFdFZUalRnOWZqOUZZSmgzTUxEZDRTNndpRHZFCnEuUAsLmtVIUuPEDqg+\nWvVb8mkHx47sgyK6HbJwV5obItuVzlbIZrrEVL30CDa7WzPUC/FxP1H7YPqCWYWl\nWU0=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-05-14T20:56:58Z",
-		"mac": "ENC[AES256_GCM,data:EyS804VI4ogWs0SELwfV6de1Yt8PU2qckwBBKuWws7W9EfHdDNWqYA15tUwn4hLjPrW8mgm7FF2/uf0KN9vi43tXUPH9eGnp9NW+BVQL6NObabaYRO/5jwPpxz05qy+HVDw0XF/trGeOwGImmbeSGtKzrLzBmh+vr7/ElzthCyQ=,iv:NRAiTCxS/zBNhGF5l4mGPuEJzWZk/V5BJoOeLtGyqK0=,tag:bCJYDt6xFzoTDG6AUsM0tw==,type:str]",
+		"lastmodified": "2025-06-17T19:07:35Z",
+		"mac": "ENC[AES256_GCM,data:Lr2/cMKdHIr+7orHw8XS1hvBngbRCybzIC29EBoREIEsb8PbTyHVJaN1Zf2Tov36h3XImarwG7tWEGqK/9KU35N20qJPlxfHzEzJjWo12oSxnLvMzN7sd7QygJwkwfOygeex4heZGUL8EDmqfp2DfINPVUShTNBmPtbb9q55ZzI=,iv:u3qEtkY2kGAVPm2D+DUwqIm5A/6hRqpgbu550m1G7jI=,tag:HBXdFlO5L2NHM/DfBpz0XQ==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
diff --git a/vars/per-machine/crocus/radicle/id_ed25519.pub/value b/vars/per-machine/crocus/radicle/id_ed25519.pub/value
new file mode 100644
index 0000000..bdb78c4
--- /dev/null
+++ b/vars/per-machine/crocus/radicle/id_ed25519.pub/value
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLiNezoLFhE7umeN7Epcv4ZWymiztb6Go9FX/kyHEUm nixbld@haze
diff --git a/vars/per-machine/crocus/radicle/id_ed25519/machines/crocus b/vars/per-machine/crocus/radicle/id_ed25519/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/radicle/id_ed25519/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/radicle/id_ed25519/secret b/vars/per-machine/crocus/radicle/id_ed25519/secret
new file mode 100644
index 0000000..7de939d
--- /dev/null
+++ b/vars/per-machine/crocus/radicle/id_ed25519/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:hhgdJTDAFrEaFcYZbD9OPj4HVYRJBPDYWUfNsNj65hoowlrsRYHF9FAJSQUNmznhQ3kmrZjElGxZxS0rP0LhTvbwrRAS8luP7gwuDRPsloaAli8rVbWoZNvutILmC547WEUU3gnHuwCpSfzbNRz73BqF3oGF5tUcsHQYor5Vzs5U7LuP0Psg8q17YAggnaFxWlHIQYT5H9aVWcass8z+FIixnE0Ss62m9lior5GEXAYuoIccEJsisfDjBCdk5sMKnhgJKyUxXLuBA56VSte748/JNx9p8ugbY6jbJxXEQcBVlCNklAzMlIrwcMpJs7GgO4aUm3A2eDM6P5ZM7LMhNxsLfOYLZkWAdVfaRY3TSym6oED5GvKoCXjmzGvqBaR/z825/wAfxw2L1E7CmzOFpTHE8BWC6cwZolZGFQmjUmw8hQ3qesRmI++gM73P5Sopjyq+qfl26VB5ncJ6nTictQVQeepOOOLiby67m0JjTErvEbWm5gTx3t4b0IkOTLl9Ci878+3JKfuUkUBWEgPO,iv:B/TsygWiYqC4wePXJqlw9GS0blzwuGMNBkh/W8FTUTE=,tag:vZh/8vCwWKnzHbdQqmdwJg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dVdIMVBQanlvRWprZ0Er\nd2RPSnRyUXhmNDFtb0FKUEF5MGJpTm94TkVrCjMvTWpicmhSTkNzU3Ria2dzTHNq\nZVhwRkl3MUdDNXJiSlhqa0hYRHNsY3cKLS0tIE0rQUE0cGdkbVFVc3JHWDdIS24v\nUlQ4LzdveUxzYThvMzFHditQcncvOFkKYAOMDXdTR0HLwOv5OsXQvGUY5QK4LQYA\ncUTyHL5HqnUn1+tnrUPWFkAGcxxv/gwLtta+u3qkK0HppXAU+4tiig==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBaGp1VEt1\nU0NJdnlqYm12T3UwZ3JmbFNrYzJlUUY3ZXZSdHNudDFOaHRZTwpqVXE2VXNnQTZW\nTWFTMDMrU2E5Q0lKOGVPZVZoSW90akhycitzcjlwUzdrCi0tLSBKMzFiK0hqSXdY\nN01lQWE0NFppcFo5QVhzTEozU2lZazVQWHhwVXFhWVd3CsfFbHYhIiwJj4uzGFN2\nmSWXahNJYj3vawrWEr7RppS7zw3EHNLmBbxXXSpXQzPspGqZbwApokdj3kcCaRfi\nIWE=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQlVGQitkYmd3VWd5cjlO\nMWNVL0F1TmJ6VjZPQ3RmTXJOU2JMejRCcDNVCmtHdGF6V0RDTnAycUNwRGU2TlBR\nUHNpNSs5UWx6OTA0bUltWElENkhIZkUKLS0tIDc0Q0tsTG01c0E3SjB6TDVaV2tH\nN1FsK3E1NVRIT0dBL1ZDQVlzaVJsOXcKWsL4BAzrfy7fQfTlJVRlDm1VgxcHRXhT\nJk2bgyJhgyZv8dejfZbgJDJDohEN6PpRp1qdVUxhMrUDuL6joiB6FA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdXZsUFdI\nWGtmY2pUYnlJenVXRDNCN2tQbVpDb1o3UG1hRzhVTE05TTZRUgpmVlRMYXJnOGFS\naHp5R0pxaXgxY3c3czJYemFtUlhETTA1TnM4VS9uU0RnCi0tLSArMVhlbWg4Q3cw\nSEdmWGxoTjJaVTVtZDArYU1xRmJiUGZNbVlpSDNuSGgwCsWB83ZKUTcN20C0ZuF8\n97ds5e5BOBfYzRFe4mjfIkqRqn+/bD51XZJAuX2/NNfn0QZP3CCw7NsOEG7IYPbG\nXoo=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-01T11:37:19Z",
+		"mac": "ENC[AES256_GCM,data:lw2Hc0N63uIcUImTLmVYV8iTXwbqL5NDf86edBwb71XjuXKYeGzKWQu/PgU9YSByw026egzT3oT7HBk90Z5aiVBzCy2ih6QoZsXkeWCpx2PrLUP1BeTMR/3P9GZnm+d/D24Hc4fJ4mpvy8vTNkjQEYjfLHbrSsqBabeugz5Gvi0=,iv:cUVPNTD46mRgWaU7ukUvj6wuZHOVvd2VjYo/eqJqBPc=,tag:zjlEN6q5j8895tkBTB4JvA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/crocus/radicle/id_ed25519/users/rpqt b/vars/per-machine/crocus/radicle/id_ed25519/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/radicle/id_ed25519/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/root-password/password-hash/secret b/vars/per-machine/crocus/root-password/password-hash/secret
index 17598a1..9156edd 100644
--- a/vars/per-machine/crocus/root-password/password-hash/secret
+++ b/vars/per-machine/crocus/root-password/password-hash/secret
@@ -4,11 +4,19 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRR0JaTVdRTEJsOExkOC9D\nZGR6WXpYRTFLdXhDckZFb2w0RFk5cTFHZFRRCkVrM0l4QjN1bnlJaTU0eVY2bTNZ\ndDFGeXBkV2E1TEt4NmlMOHAvem42QUEKLS0tIGtuY29McVYzVUl0d2FPRmRadEdM\nWUwzWktjaHdvOHVvWXFKWVRzSEZKNlkKeeCozhNzrt1gI1QlBVACd0ytDaJ+VCG+\n3Fx420ScVSVq0SxpPNv1LOrYW/JyTEeFNCmuPvCSpMCRKmSOF2eoRw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRW1xa2w4UWUrVzV1ZDdS\nc1B5MUh4RHlkdGVjQVZ2cDJQRGovcjZYbmtrCjV2SUV2WFExVXcxNW5JNEVBc0hr\nYVkyL2xwVmVwVFhmWW4zSWgzbHRjQ00KLS0tIFd3azZRamhmOFlVWWM2dFo4YjFC\nU2RtRURmZEt0Q1dHeUhBZ3hoc1dVQTgKVGesd5Y2FoLaiuojOMevkXXV2K5wXFs6\n9G2JTx8lPBBt0J6tvnr0zKBXxnMJq7TcRgZ9fsnBC6/36IpJ+dZ2Tg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeU5jL2Ry\nNDZDOGVtYUVLRlJkczYrblRzTHFMZDNLdGRmT1VkWGxSbEcrbwplVC8rMmI2aWJp\nRVA4bWc2cjVZc2FyWE91WEJZQkNUeFR6MmdoaXdEbDdJCi0tLSAyV0kwL3JxZG11\neGNLNDRXUmlLUkp1SjRDTlJEZ09OWUNEVEtBZURCWm1JCv/h0VPNHV03gJiE5HO+\nXEScLRDtZ8g4eRoY58hoz7lHIG08BRYRYUEUEvcSTUnnXOVGbLEKq8vu71kiiubk\nTLA=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZ240c1hrSmQxUndwSHdy\nMUJDQWJiNExvT0EwRitmcDd6VjFrQUJZNHg0Ckg3TkNOSFVQRUhGcFRZTXFmZDY1\nVnZibHFBVUdDNm9TNm00NTZMVHFWR0kKLS0tIHRxeGkwTnlNejdqeUswSGgwSmNH\nM0RMR2NPOUtFNjlGYityR1BUVnE1dlEK3Y3Qw+2+0XDwOmf323BPuZjhAn1BTYT4\nkEStKcrrVPsua4kQoK7rrdS8euTxmdDixXn7GXOEsfRBzmfaRSf0HA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUlZ6ZmhZWGVJTkNXTE1H\nR1M2RmlXNnZLYnhIWk9KRDFieEF5eDVvNkNvCnhsT3piakkrby9sQUZMSzlXU1p0\nQ0tsWGdsRGQ5VzVmVkM5UE1sU2xzYkUKLS0tIG1ab3EvclIwOFlPdEVaM2taaFdp\nVWV0RC9JQlFVUk9uemR0T0oxVUFmdjQKWwaqMcu47K59PBam7+5IDFzZYzLEdXNp\nNKqzOY7yNyMFv/QoFcpccgGIeVz5PBXYqKKJQdnSPQIHoCybVUvK5w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbStkMVRy\nNjJYYllSdGFwRzBtemNTN2FMZ2pWVkVjTDl1R2ZVZUhtSldiWApRaU9MNk1MaDMz\nVTNZRVI0Tnc3Sm16NTJZTEJ5SmVEcGEydmR5RC9PM3ZRCi0tLSAwNmlnd0ovTFoz\nUjR1a0ZqMllXSlZ3NjZGUmY4L01JMElzVkFKUFBPTzhnCg19RCFy9FkH51Z1jxu3\nrtZF0A3u3P50CVIChMtS2cwE+YiDj1C6Dl5urkzA+nmg9h4/XfblT2RcTEXCbeDB\nR0Q=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T17:21:00Z",
diff --git a/vars/per-machine/crocus/root-password/password/secret b/vars/per-machine/crocus/root-password/password/secret
index 8bd5aef..9265ddf 100644
--- a/vars/per-machine/crocus/root-password/password/secret
+++ b/vars/per-machine/crocus/root-password/password/secret
@@ -2,9 +2,17 @@
 	"data": "ENC[AES256_GCM,data:R7GQt7/DDTtX6XUSydCuodA1QeW2,iv:VROiFMVtL20iDecEDVyFko5OvgYEA0Wcz8j/IglmH8k=,tag:HCfQ0oWVXrhvcV/QjSrFNw==,type:str]",
 	"sops": {
 		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMmUrZ2tZ\nNjN5dC9IQkRVSG9UdUVWSHJCV3FDeDFHM1RVVm94cW9EMTU5RwpOQnM3RGdLZ1Na\nK0UvekNqVDB3SlE5R01JRWs2VUcrMWpzYm9HbmJzbkN3Ci0tLSBYb0MrSzJON1ZM\nSFMwZGo2MnVtenVFQ2NEbzg1ZlpHMUFwYWtiZ3R5N1hNCnkqV9O2Ecb1fHGRjnCx\nXtAWFvN7IYB1ZV0SagRq7jdQ2g5FCRzcFV796rtND7E4YGrKH+Urf6ENxaCRqsrw\nEcI=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwc1F5ajZGVGlqbEdyUG9X\nNk9NakJMNWR4NWN6d2lFUnRNWmxZcTdQYmhRCmZySFFsL2lsZGpYakFuZnJ1czNH\nMGxlQUYxUDZwbU5aTlZaVVBDb05VdDQKLS0tIHZYMlhGejJMWitVOVNRdzcvWEhU\nQVo1eFNGRUdMUHhpeFl3RThNNkZMdFkKW2OpI5QDTFkCVQ5HMYLxPvSN381OS/mr\nRfrulaRXYpcKRS5xE+Kp4OboHIezcYCndLNxsI1If6twP+SqakeVSA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUXFiWWhyZ3BJR2s4bWd6\nbVQ3UjByWG9VRlVXSzgzSm5MSlpOYi9nQnhBCmxyLzlKc2ZLMnpqeHRtM2prNnJG\nZjZ2d294YThXcTVNaUt0U21pOFVhY1kKLS0tIDVDL1ZMdG1tUmhLRDdiSi9ZQ2Nl\nWjZCR3pSV1ViTndVWndobFlHQ0RFbTgKp24nhr+x1t4vbZECFTHVdctNZ28DePfo\nJcEvncKyzCI7DYQ02/xddgCrnwzquSZclwKcg6DT1zHeume55eGlCg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbWJiakVo\nRElSUUNCV1J6NElyQjRINlFJa2xzV2k1VWdUTHd1Z1Q5K0dmWgo4MmlpeElSd21Q\nd3RWVityMXRKZ2lxUDFGVWcwMmE1MmhwWFVaSFFHN0pFCi0tLSBXekQvNnJjbmNX\nTnA5dzM2QkdrWEZYYnhGUWZHZnhXM09tdTRhU0Z1ZjNnCtVoFcT/GdtN3Qursajh\n1zydqRjhglBB9thPLEwCjytTUhveOY23QWTl+2MJXJzU1TapnE2IPpHlXykAcf9g\n9Eg=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T17:21:00Z",
diff --git a/vars/per-machine/crocus/user-password/user-password-hash/secret b/vars/per-machine/crocus/user-password/user-password-hash/secret
index 9cf5690..43ced92 100644
--- a/vars/per-machine/crocus/user-password/user-password-hash/secret
+++ b/vars/per-machine/crocus/user-password/user-password-hash/secret
@@ -4,11 +4,19 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvR0cwMk1MejFwdXpQR3pF\nRUFuaGRlN01qV2k3U3FjQnJuVVRLdjBoNEY4CmdKcXJTeWpqazJIOFdiMDg2UEhv\nNnl0WEg5b25wbkZsc1lodUUxZkxLd2cKLS0tIHJkbHJtZnhwc1YrNVVCdDgweVVY\nakZYWlBKNlM3YlBiZnB5OWdwYWkrancKTMMFgAdfefUBtuihCuGlDHgBNXK9ppM6\nM6YliifuwsJLiXJrBdJCeOT4E8DjS1tG48VVUOeCAUImWbjL63c67A==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNFB6cHVvQUVCaGs5enlK\nQkpYd2o4WlFOL0FjRkpsSUxydG1tMmxVL0dvCmsvVDY3cnBWWXRnd2cxandHZlEr\nS3JKbHp5dUx6SHpyUnNIN0tGZkpKSlEKLS0tICtaMElCY0UrQTFRMTlqRysrcnFB\nVmg0ZndpN08wa09ldGRoWXBSTEZWOFUK57r+xqIX4uPMhco8I6B+q9OhYfNGInlG\nFB3LTCBGGItStWYqgNmbKDWpMJk/Mrm/c6mUrkhgCppaw4ssOCZ4YA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbTJ0cVJU\ncjlQaDNLc2twQmptY0RMbHhsYWhCa0MvR3lWcEl4L2hOSEIyNApaWkdTbkk2RytQ\nSDB3MERja1BDS2dDeU43N0E3S1RtS0R4Mk15NitXZmZZCi0tLSB0RjJEbHl1R3VL\nYkhRV2YyWUlXbWJpS29tVnhLVnFHNXpjRmJmNWdYVTJVCgTtdW8ko9undu70Aipy\nwYS8Vjl5lYXdCjYMpuaBDW7VngO8wHgGaZvcFZBWZW4qjoaLTYHPX2lKYEYJtQ6J\nhYo=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcTh3dWE2ZzdkaEJ2Tmls\nYjRuWDVWS254TUY1RWt0bFpyTjFnYTQ5OTFzCkNmT3g5N2wrRTRJWlQ4NnovNzRp\nZ0IwVEgvZDhUUit6dFI0czdnL0JyTkEKLS0tIHlWcFVoS3pzendja1orQXNad0VF\nSmw0ZWpya0NtdlJHa3o0TDlGaGtTZTgKuvbeiKjcT+Km3zMeyey7damZfg/GH2Ft\nJSb4I7QUEW6xPR/Wzl+cmk9OoGk94tQ8SsPr11nYOGrUl6bOqaN72g==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbUh3ZGNTNHdZSHNiM1Rl\nK0ZzSkcwSUhGWEQ1dndRTXZaQWl6QW5qMEVRCm9XaS85S0dtUDR1REtpaG1RbmNF\nVXpwOGgvdGE5bFhIekpUTEk0ZHdKUUUKLS0tIEpnN1J6SldyNytGSFlzOVQzZ3RT\nZ2ZBbGpZcEhCTEtpVldnVXZkNVZUblEKrToM96r+LkKiWg+1Kf7PEAqdTjUapp1d\nBCrWUuNBL/0mFs0C0RMGupnuXsHPKN+LdvgwzeUUf54sezOSM73H4w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcHpNRmF4\nQTdrM0xCRnFWQ2FJSUZUSkp6VWIxb29sMSs5eEh6amdVVTVlbApzcXFjUndXelUy\nSU1VTFlYcW9lbTZBNm5uVXRKMmFKZzIzZTdzTlg5V1E0Ci0tLSBCSkpBd0FpNkly\nQXpFMm5RbHE1eXZ6STNEQitFbkVSUUVoUGlVdFc1M09BCr641phqc1xBkM7mmSoA\n6PNXs7DDNmM4zgceGf0uB6WgBc/leJysYf8Af5DexxgJMLZpS97dVeyukR4uVoE1\nmhA=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T20:20:53Z",
diff --git a/vars/per-machine/crocus/user-password/user-password/secret b/vars/per-machine/crocus/user-password/user-password/secret
index 72d6e59..dba3584 100644
--- a/vars/per-machine/crocus/user-password/user-password/secret
+++ b/vars/per-machine/crocus/user-password/user-password/secret
@@ -2,9 +2,17 @@
 	"data": "ENC[AES256_GCM,data:Fo/Vp01uPR8nkb6H,iv:GlrAKIHbhGoL21Kxn3aXTJQ0U6hqothX/LO9kczOgpY=,tag:A2MznPnK90+Wx2S/9sIWtQ==,type:str]",
 	"sops": {
 		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBb3Z4RlhM\nU0hVSmhqU3dSbnRMSlFORG5ZYXZlU05SQW9WbmtXVHpoL3ZTSgpjOGtHem5QbitV\nWDdmTFE1M2RaQkJ1TEFSWUVaV3ZXVVordkRhMG5KRjJFCi0tLSBVekpETXp4TDc4\nLy96a0VyWTlCWUpsQnp4MjU0MGx0RUk4NFVwTzNsa3F3CqcuAGQ1oYySnC6BBV6Z\nUh5o+u2vB7VskUcTFGwfFC0eckYvSmj6EfQsTpVrHPfr8w3yD+Qh09mWCi3EdUjp\nlno=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsWHFvdWJub0UrTkIvM3Nm\nZHROcCtkZWduMjIxcmdSUjk2ZHFNTkZsWFY4CnlHMUM3L3I3N0tvc0FZall0VU5Y\ncCswR081ejBXaHhpMFZBTWdYZFRUdFkKLS0tIEZneWowOXZsQW1GR3d4c1J1OTdo\nQ1pVM0NTdktNVU1pb05kU1Z3dVZjcWsKwuj49f46Ty+JAHMV6+iN0puMa46Pn90q\n5GTUb4eZ61YFVfeJswJDwIyE5e6uiibUMdNnlLCN/JBRTFJvoMhpkg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNUNlRS9Gdy9nb0lkOXlp\nZnNFMXdEQlZTNUhZN2VIMU5ER0xmVERtTEc4ClNkdGF5Z2dmUjJtU0MzaUloREp3\nangwRVg1U3dPRDVtZ05jMXBxNDVHb0kKLS0tIHZnRFNrb29pT3hyc2NrWmZ0bVIy\nclU4WG9hNWVaVlVHUTFOajlrNzRrUUEKxWJkz0U7D4TE/cfKjEmh60mWlIGllfPN\nNmtXc0JsTSztqS6NFtAdqhBi9ATeb6qpdu3wNP4OEbHe9uVFP7nUFg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBK1BHWXh0\nQXdIVWV2djRua0dNQmJjNVdkNlgzRWVoMVZBV2I5RGZJakZBYwpLV0Y5Wkp1R1BP\nKzBsTisvc0ZRWHg5TTJPazhnUkVzTDBxSG5FOHo0ZTlzCi0tLSBUbUdkeVNQN2Fw\nb3Nwc2xoa0pGYzEyMEFJRWtDZ09jRmpCSnQ3VVltb3RvCu39Z3AzMxM4Eq3kSm7x\nH7tbm6Qbx22vzguLIOhltjqkRqChknMhwMlwzV5IHVWghtIp55xloW1HvuAzCEq/\nVBU=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T20:20:53Z",
diff --git a/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/machines/crocus b/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/machines/crocus
new file mode 120000
index 0000000..efe6fd0
--- /dev/null
+++ b/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/machines/crocus
@@ -0,0 +1 @@
+../../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/secret b/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/secret
new file mode 100644
index 0000000..3f4fae0
--- /dev/null
+++ b/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:9b2ag6EGvzC6t2cyXizkfrJKObu9JOUUUU9gytBHnxZJ0msP+3smDvWYz6o9,iv:HMNem8T09zQfa7Jyg6eLjCpIIYaRbPjqXtquUH4K9wk=,tag:Mp6cmcPm+/IgeuXmgdFy9A==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvY1BkUm16UkE2eDhuSzdF\neXIrOXhhdWUxaE01Zk5LclpnazBuTEJQMlJ3CmZSM3ZWUVdOUWFCQTdyc3p5L0hn\nS3g4ZUlFdTFVTzUrZTJhaVF6bmdQdUkKLS0tIHRHaE5vUDJrQ0RPaC94STB4ZDl5\nb0NzYTNGZXFyZGI3V09vQi9SNXFNdzQKxWe1zDaRVvpcejQEB1tEFsc3zwfzCIXx\n+EQm9t9fjlU7rwpB2X1dpWyx6OZKRzK4ErvUhXgDWWBGp5Jz8DoXeQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBemY3K2c0\nM3ZYZHBQd2xPMXQ2Syt6RWxUaWloSmxna2FFVzFzZENtL2hhNwpkdkF1aHBWblVa\ndE1TOHJ3Ulk2TEJwZHNWSEcxRTV3bjlqMjVXVVo3TFE4Ci0tLSB4UXZnK0x2VlY2\nL0ZrVnFaMlVVa21lY1g2UVFiRkVFOTVJbHA3QzFVS2VvCpvONFyHigqWBYgx0YPs\nLCYroDHxwcbnRMVhO2LEj+eLwknJBvBLlZviN19pGjIpvuFFXt8Pu26OsWtAbCLZ\nvnw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSVh3bTRLaXl4bmFobWQ0\ndmgvT0Y1UzdkUmlCaVF5aWlPUnYyRXRTdmxnCldhNVlpTGZJSHBRVk9sU2l0VjRT\nWjFicWRmUXQ0TDA1dEF5b2hxdnJmU2cKLS0tIEY0OGh5Mk5jdzlpcFdkQVF5bDN4\nakFEUXpXQmVCT09wR1didGJMaGwrUWsKqOCiookFanh8GRtWjR42orvkk7HEVlwX\npdiVVb4KOvZXUmZxUTNnOlPkYE4k/kfZsM+B/Rl1QHG6kBtCwIknjw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBZ3M4dkQw\naThMbGVveHVaV0lNT3dPUjN2SWtXaVZ1NGEvR2ZKN0dncTJMNQpxMkpXM1lJNzVw\nRytxTEJwYVhjSTFYZ2NDTUZtQmJNeDFCQXN0QkRKa2t3Ci0tLSBJNnM0WDRyWjFv\nZDU3clZPcWJERHNuR1NlNU9wVktnNHUvbmF0UDhoMjljCmZR0QtAvt98ZZHZnrOO\nvwQQXpuItsMGoWWT3URwjENfQkU6VVgWJ1GfaNXXr8tst45PGqy4jmdrNoFREhfy\nA8c=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-21T16:53:25Z",
+		"mac": "ENC[AES256_GCM,data:gks9AYHofKUmYa9i7+8kpM3cEMWEfQmibjY7dLUqi4TDfLyxlUIoKmbptrwJgWTWBs+Tnb3YrU8RRTFGFXPyyiwForX0/mDHf1pK0+1NmxKWd8X/7hZmARaWXQGe3rwOLdlvgXyZ0qpTOYXa8vNCp14m8HHIvq12tY+RY7/l7dY=,iv:fz0Vsw0bmNr8wgVmRltk4xzNEGU9xGb0f/RilEyIBu8=,tag:AfYTEAUBoUw7sLd9NcMPgQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/users/rpqt b/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/crocus/wireguard-keys-wireguard/privatekey/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/crocus/wireguard-keys-wireguard/publickey/value b/vars/per-machine/crocus/wireguard-keys-wireguard/publickey/value
new file mode 100644
index 0000000..254badb
--- /dev/null
+++ b/vars/per-machine/crocus/wireguard-keys-wireguard/publickey/value
@@ -0,0 +1 @@
+aeI0Lu8Qr1r/qtMmSJzvg5Z5gJAWwSIhSmna3Pk9Rys=
diff --git a/vars/per-machine/crocus/wireguard-network-wireguard/.validation-hash b/vars/per-machine/crocus/wireguard-network-wireguard/.validation-hash
new file mode 100644
index 0000000..6357e77
--- /dev/null
+++ b/vars/per-machine/crocus/wireguard-network-wireguard/.validation-hash
@@ -0,0 +1 @@
+c22fbb033348a79707ce950ed15bf06b539bbd4d374b95dace7a3057f2d06c3e
\ No newline at end of file
diff --git a/vars/per-machine/crocus/wireguard-network-wireguard/suffix/value b/vars/per-machine/crocus/wireguard-network-wireguard/suffix/value
new file mode 100644
index 0000000..115c020
--- /dev/null
+++ b/vars/per-machine/crocus/wireguard-network-wireguard/suffix/value
@@ -0,0 +1 @@
+6db2:dfc3:c376:9956
\ No newline at end of file
diff --git a/vars/per-machine/crocus/zerotier/zerotier-identity-secret/secret b/vars/per-machine/crocus/zerotier/zerotier-identity-secret/secret
index 547a15a..0f982cd 100644
--- a/vars/per-machine/crocus/zerotier/zerotier-identity-secret/secret
+++ b/vars/per-machine/crocus/zerotier/zerotier-identity-secret/secret
@@ -4,11 +4,19 @@
 		"age": [
 			{
 				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb1RZUmQrQk1INllDeWhK\nNkZpY2xhc1BuSHYvK2EyNzdkVFlsaGlTRWt3CmFjUmxLOFg3YXViU1FRZFNINE1H\najVXSDNTSHJLY00zcitVQitMU3RkcUEKLS0tICtxSThJbGhQZEpTT2kvSTErb0Ny\nTHlZaStTSjQ3eklzQzNDbHZHQkxITWsK7uxGqGNRU82fZltqYoam76jtcnD6CMay\no4UfTOj5XOSmV+KVGH+e8rEIkUFQItU7GDh51+rmmeM0jzq2iinEcw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NXlNbFB4bWdrdDZsS0lB\nTUc2MFRnWStvRW93UXRkcWxZZ3dPMXRleW1rCmdRUXhtazQ5b014dFJhK3NhSDJq\nTk1LVzNyOGo1RlZFMjhvVFJ6UnRadDgKLS0tIHZzOW42T1dmR3Z0R09CZFRQcXgw\nWG80MXJweDUrTHdDY085RW1TQXNSSkUK6LkvPYRfBiFJLrq+UXOkIxxRBinyIVA4\nOv+9F6+qTAsVF36zNLaSC+y1lSGH1QfLGrIqKWdHwPqeRzJ0fmnWEw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbXhUV2xs\nL3VNaUNlZmUwNmhZYjNhWGZYbGZ3RkJjdTJpVnFHNjZrd2pzcQppVTBwZ0hOa0l5\nTSs0ajIyTUxZblRWV1FTd0orcFJ3VG1VM0tDaVlIN1pvCi0tLSBqZys2b25VS3pS\nVDZXd2UrcDZDZDBBbTRSUjlQS0RCaXk3WEt4UVlqanZrCtiDuhJzNM8PEvEbknz8\n6BynCKPUVu5U/8b47w+kpMPLX90hzhLesvcMjsHRc8k9lTOdDPeP9v6nI/M1jtm7\n0Gk=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZWF1MHUxOWRPYXE1Mzcw\nekt1UWZ4S3ZEQndDRjdTRHppUnVNVzNRVkJvClBQZGRMenY4bEovR2JUTXIxSXVW\ncHVrWHM3OWFuS2dIOTZGU1ptNEl2aTQKLS0tIC81cEFsR016dzB6QnVZdklRd2dG\nUjEyMnAzcXRtRExXU0R2akZGclk3dDgKLeZeDfzv5BfNmYt5FxZ1num/g/grZ7Xp\naLfufRxsEMrOhKZxTmY/x7ZxfOP6HfKgyH3j2tRAjBNwnPSst9QpPw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMjJBUktGZkxqSytKMFBw\nbTFpTkZ2aGVhNG5PT2t4SkhMQ0tzUUlqQlU4Cmlla0lQNkpJWFJIb3JYWFVxQVE0\nNVNjQlllb0Vra2lKQXBxaU5BR055eTgKLS0tIFNqR1pSa3oyVDdvMzlJUnE3QS9O\ndFozQUtZeXI2blpmUEJRRlJkNjNlQTgKuXcMlm5EuJCjsoeUPTBZRPdKzvBLba0q\nJoaBjrX6qKjmMs9WgbEnoL7nz7i7DXOJTPTUULbhfKHM17MIkK4ZOg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcnlRLzJo\nVkhaT1AvUWYyc2IyRTFyakdJZVMwWjlGbllQL3A0ZVhvQVBWQQp0eGhiZy9ZbktS\nSHlvVVFJVVg2NnFYZEFDcjc5VWlYckhxRmdLSmVyMWVzCi0tLSBpSkZLNjh1RWcw\nai9LOGRyc2JjQjEybVIwT0RmdW1zNGFLZXBHZVNWMk5VCgfiwtplC9rd1LhEBjEy\nzeyzxShIuKIQ2IdgDMnfmFEmyMSJh9LsqE62nbzxCXC6QIaIYLIczKggz4aiCVK9\nihs=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T12:16:13Z",
diff --git a/vars/per-machine/genepi/borgbackup/borgbackup.repokey/secret b/vars/per-machine/genepi/borgbackup/borgbackup.repokey/secret
index 69b5354..eb7e72b 100644
--- a/vars/per-machine/genepi/borgbackup/borgbackup.repokey/secret
+++ b/vars/per-machine/genepi/borgbackup/borgbackup.repokey/secret
@@ -3,12 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SGREV21wekNCeTh2Q2FC\nRUY3NFJNbkFiaGVEaCsyZEt4MnZGdVNMbEE4Ck5OQ1pUN2puSHFBQjdnTTNVZGxK\naDVBV2N4OEJpd1YydDAxRSt3NEo3emMKLS0tIHArRzhTdThBSHNZRDNrbU80WmJh\nenpJUVllRURhZzRzbmtLdEJVMEtLaWMKWIuT+Asla9W7eZcIeBqz6jvnp8JCb2a2\nHaMn8TucGJrSuGbCTACTBDv6/CZUGpD/pVolwROVXalighoAN5ryIA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNkVsV2hP\nVDNiWFloMWVLMTNLR2hURTl5cGF4Tk8zMzhuSmx1NHdMSDFQbwo2SnFBQStTU0pK\ndkVtUGk5RGRvaEFTSWVLQXA1UXNxUzVSbDZ0OEZOZVpvCi0tLSB1b292aUZlaDBx\nYVYvZCs3WS9oWmt0N0tZSWNnd1EwTXlNeDRQTGlnQW40Chia0ihnLnSTMyIfijLt\nqbEsQ4nhoB37vAZN1goV5YSmp0RubZoLJLcGTQVWqdmhJ7FE3KjRcf1wDq3irDqa\ndZw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMjBxeGt5\nOFFnMzlsaEh3WFlyMnFrQk16MjRJNk9RWkNWemdDSWdXSjVXSwp1aHkrSDBUZHE3\ncDIrd2JjVEV3cy90RUFXMXJNQWpwMXh0aG1lNUZnSWI4Ci0tLSB1Y2krK0VmNkFS\nZEdiOG5PNHF4UzFTZ1ZuT3krQUoyMS9XMFNJTE1MeW1JCgR4TqauuGY6LRimxyTb\nNN6ifGjJftAE44bAhHMg9fvO3dMt9Ql0SPZaetkaPeuVCjJ59yJQW7AFS4IPYD0W\nTug=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ0xnWjdGYzZIcnhreStp\nU2dJeXo4YkphWmhzaEFGcmtqTXk5N2xZY1ZFCjlVdWpycmNNYVNta0VSbjlrcnRo\nYkppdFRWME4zdkdnZFA0MCs0elBoSUEKLS0tIHdkUlJVeS9WQmF4ckVJa1BkTjJJ\naXVRLzVLQmM5d2xKSDRJZEtabWpCOGsKr2Q7ME0iGCeo1+uvMdAkbGWujQtzT0rP\nvYTSUdIllvB4zCkj4vK1h2/tl7dp3dwg6QI/qA1NZf6vrHQhakIRfw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZlJ2dHJveWdmYUJpS1JK\nNEx4b2UycTV1VGNoRXR3ZkZMZWQ1aU81OUYwCm9UcG4xMVdabThCbHNPT2xyWm5x\naXEvV3dZWkoxbExvL25VUzdTUGlpQ2sKLS0tIE5ZcG5MSFNVemtIZk9ZUVNPNUM5\nOGlJaGNnQ2RVeUZmcVdySGRvRmhaY1EKRl29NkOdifFk5ZHNGL2WS/TjsQ7x4dKa\ncwyWwWb+2n5gyAwKPeV6oxQBVuebqvUAWeNLh7NBgqN8spXSqVr1rg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWHRVN0JSY3lobnQrUFFq\nOE9KamVXWkhhZ0s3S3pnK1RkZ1dWa2hhTmljCkxJZVVnQjhGV1pNS3l1Vzd2TmNH\ndHpNKzN5NStUN0lSY3hJcFBSa0VUekEKLS0tIGFHbDFnQTN1L2JOd3YwZmw1QXEw\ncEw4NlBsRHFkS2hpSEF3VitCU0VHK0kKBl8wvRWi/pEcnF7UomWkrxOc92iPcdm8\nfg35vdLclvbMf5vDJUfmoarxTruFY6+Gnns3B7Ai8ulFZGjFoYBjhg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:43:54Z",
diff --git a/vars/per-machine/genepi/borgbackup/borgbackup.ssh/secret b/vars/per-machine/genepi/borgbackup/borgbackup.ssh/secret
index 2053662..654bcdb 100644
--- a/vars/per-machine/genepi/borgbackup/borgbackup.ssh/secret
+++ b/vars/per-machine/genepi/borgbackup/borgbackup.ssh/secret
@@ -3,12 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdG5qZzNZMTQ3NEtFVVFE\nNDdySUVOeFFLM0RncHFlbVlZcTFva0lpdWs0ClczL0JjRG5JeWp5MjZYWm1tTWxD\nQVdXdGtBbXorQ0JvbTRkUkh2OEFoQzgKLS0tIGpia2ZCYVhUbW52cnNjOERIWE5L\nVjM4R2xUZVhuNjIxc0xGdmV3WmpacVEKIjRzZa6fyQris6kbq9vXgCQrpr81Ol75\n8ELRx3Na/IyJnhNYZKv4nDjkKCMCL713i3gh1VZDM26b2N2/mWGZHg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBK2ZnejVp\nY0l1dHFuZHU0ay9uaFBXSTVlaHkzWVN3eGx1Nkd3OU1RVHE0OQpKek5pc0JhMUt6\nVjBRaXNZZ3NVQkZ0czhOQ1JhdlpoUFlFKzBZS3NseDhBCi0tLSB2OTg2MUdKRXFZ\nS202TlREdVhRWEM3NTF4UEdCeXpjbGhZZlM1V0lsbWg4CoqUV2oAUfSNBMl7SaGu\nPQxxTCal5cgi0Iig7WfqC6862yW59TU6SY6AmiuayaeDd7FkxjUuOEz5btXFNJea\naeM=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbitSWklP\nTFdRc0daNmdzUE9iRjloRTBaL1REakFtclpRS3VBWFBNZXJnNwpkTHd3d0JmRWhP\nZkhNWVdVaVRtVC9ibU9MdTRTc210RkM2NlhuWjVLMkFFCi0tLSBFY25OanZhVTFo\ndkttVEhCWDRFNFZXSlEvYWJFUUxWemQzbytiWGRldkJVCg8fbhQb0BWSbii7tVtp\nXBoLGXdEJc/e31xaEm1DKLJq4Y79U930NaZjNR7ho/TZSYNbL4MgKiHC0+fRiUlC\nlq4=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWlJMdzNpQnpLbmQ1T2dl\nbk9tdXlSZ0wyZDBDVmU3ZS9YWUdMMS8xZXhJCmFlN05GUXUzRTRpSFgxdUhLTHdp\nR1V0U04zd2NvMG5VVitVVEJkYmsrdnMKLS0tIGR4RnNaRkVocVJEb3dYeDIvbUhj\nZ0JCelpwek5QYUNWS1ZBb2pXRnJ3eG8Kd7PmxIG70scR09REGZgsHlDcxsbjjG3D\nHBmj7MfSK2Liqh9iuoWXmrfbHBrmpIpETRfnJTnyuy4w44vSn39baw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eDBEaEE3WXBqeTVSVi8v\nYW02Uy8rRjJaWGxORWtEWkJOUy9NaUlkc3k0CjMrVlcwWjNDMjFoWXgramZZcnRu\nM25ZektQaU5ZQzdXeVQvek0rR0VFNEUKLS0tIHBEM0lQYXNQZ01mZkszNkl0amhM\nYjc0SXR4TG9uZ1Nzek5zUXlYZTZNNk0Kob3L1tVy8EW8urt6h2Ah0dOtfqs8f1vV\nBuOg1+V/NWX14YRrJFXuI3MAP3CNkgBc0NNNZRsB30u3c12DM8aZpQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVG9TSjlQZnFrNFFJSlRB\nVnFZbDlPSkRkU2tkYmN0dnhtYjFQYlcvUmxvCmtLNTJZbEliTU9Kb2RzQnZ2OGs4\neUxlZlNLb1dwV2tZL3dYRDlvZXlhSnMKLS0tIEI4L2NsU1FXS2t2Y0ZQaHF5L2da\naXVxSnd4Rm13Kzg1UFBRQ25Lb2J6TFUKKX4VKjIPL4v5AopIDbIFVFWGgEo7xiH1\nYKFioWEXetcSD41mUQ8xKyokBAhqmbvrVN1B2HzcH7T+sQJzeaP49Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:43:55Z",
diff --git a/vars/per-machine/genepi/disk-id/diskId/value b/vars/per-machine/genepi/disk-id/diskId/value
new file mode 100644
index 0000000..3007ad8
--- /dev/null
+++ b/vars/per-machine/genepi/disk-id/diskId/value
@@ -0,0 +1 @@
+72b27bb5253045f38a07b6bc368ab85c
\ No newline at end of file
diff --git a/vars/per-machine/genepi/freshrss/freshrss-password/machines/genepi b/vars/per-machine/genepi/freshrss/freshrss-password/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/freshrss/freshrss-password/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/freshrss/freshrss-password/secret b/vars/per-machine/genepi/freshrss/freshrss-password/secret
new file mode 100644
index 0000000..717fd48
--- /dev/null
+++ b/vars/per-machine/genepi/freshrss/freshrss-password/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:onsK2gKcLjQq9o6af4+MOHSLrsbtAnRfOA==,iv:d8Ux7K8x9axBL5a7EljVyDuAXgmRRSKpzD/cPU4si9g=,tag:W9YgQ4843uhfS+h+qKry6g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcEo1djg3\nVE11ZDZ4T1RzaWhKTGsvaXBJSEE0ZVB1MmlkY2FDaXdjNUlzSApsTjNKOW1nQWRn\neTNvTEZoRUpvZlc5NjVLTXVPSDdnZmxPTFh3QW4rOG5BCi0tLSBxUmpkN3NGTEZC\ndStTTU9DVmxKWmVCazNIUHIxUlZvYlZXbzJwOVFoa2ZVCl9cxR6AlmRRFtFDtNwu\naNLTAqZjFUEVQaSCPQgfUHbMhHFJ5QGM2ySWoxGkwThGHUrFzin6hNDEHF3CuzvX\n6GY=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNWFuY3FI\nTE9FM1p6Zyt1b3ZaR29Uc3dQdVJlWHlFbldkNytlUUMxREdQKwphY0JVVDVxTzly\nUDRFY3hzeXRBNlE5NW1pWjkyRDN0SkwvazBuVDZ0eWc4Ci0tLSB1K3RIVzgwUzkr\nczVpTGZheHN3UXk0c1hvcTVFZTd3cS9nU2Z3QllxSWhFCr5HcEf35VN8NTRp5b7L\n+674JlDthUMKT/7gaQ98f9aV1CBAiqjym4DfFMZtRpWrzU7NHc4sPwn/EjsC9bAn\nmzQ=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBd2pIVmtHVFBJek4rOVhR\nVkpTVjJ2TjM0RmJHS0xCWUxUL3pRNy9jVWxvClUvZ0JzcjF6aUxQSEVWSmwyaVNk\nenBpblEyS2xSc0pic0Q1OGpINmRDcncKLS0tIDVaSk5LOVhZYXZRd0U1bTFOL3BT\nS0VWZjh6MlZBejNFcGp5ekVTRm5BUjgKCPFWPtgLCg4jYo6lMnfyfnVwzzaSW8ur\n6+4gKUcXCUNXjUO5He1SJ5iKGZ/QW8RwQnQr3oC16gqRanMR6U+lkw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFT1ROa24rdno5OExiWW9E\nbzAxUm15S2dsQS83TE5FdWdkVU43d0trTEFrCmluOFpObWFScEVuUXJYSlUrL09m\naDFGQ2hLSFZidHRkd3lJSFdOWWwzVFkKLS0tIHREaTl1UXFYR0NSempMSUFGYzh0\nRzJ0b1lrWkhsdjZnVnBJZmdCcTFNSjQKOnhp0DvgcoKBu2y9dRfk40JNqFX+D8hg\nJZQ64wwiNZ3fvfRSKOY/TKdlqsHxxYnW343xkLy9aRJRyr9bGNrepw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-26T21:37:15Z",
+		"mac": "ENC[AES256_GCM,data:eSt9+O86EVGQtvU2sSB0GBs+shBxYcyYI2QeEViuXsqRUSCz0KvnzODFySp1Qn+oaJPEGgvjhACrYHba6UekErFFRQ4C7Ji6zEkM+PhwJYLTgZU7uVQuqgcMrqPWMCJbZy2VFcQEr65FeCz1IYy8rvLpepWhURuGErz/fSJAl6M=,iv:FaWxJBJrDA2pp54R2G2TDRAC9hiSROw0WnxEUCFZI/Y=,tag:vQu01Rk4EV68MWm2tudVyw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/genepi/freshrss/freshrss-password/users/rpqt b/vars/per-machine/genepi/freshrss/freshrss-password/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/freshrss/freshrss-password/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/gandi/gandi-env/machines/genepi b/vars/per-machine/genepi/gandi/gandi-env/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/gandi/gandi-env/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/gandi/gandi-env/secret b/vars/per-machine/genepi/gandi/gandi-env/secret
new file mode 100644
index 0000000..edae2ac
--- /dev/null
+++ b/vars/per-machine/genepi/gandi/gandi-env/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:/rRF/mvM/FGW7evaY0C+HpGnb7yho2UobKzVIAkGu7PFQjzu4iw4oYniSIgSTB+Yf6V+rNKsRSANJer8gVhmh7CVfUw5JQ==,iv:B2Rrde1/rBnFowFk7KY1bppnOl/q1ZMgDNNXLJ6xjlU=,tag:yN3dL3RXy7z15KaWVqlepQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbVJaNzNl\nU2d3aU51YjlpczA0Vm9ncCtYQXRlekhrWEFsSFJMRXZhQkZVYgowdC9USTFibStp\nTGhsOU0zdnlTTk9rNUxnaWdHb3FWQkhydVhnYmZEUE9ZCi0tLSA1LzFUbTV5Tk5X\nSU8vWVpaWWVFVk5hc1R1Vzd5eUtsc29tRkRCa2lyMXI0Co6z3VepScVVjuf83DgQ\nvi334xaSGpFjoqdNk1wtIbinX5DV9XRPTzD823vzcwE8ruPmeVpRXkgDhMwLnZXe\nveE=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdGJNUmtv\nR004VUNGb1hRZkxFVzVXQ2JIUlJ6TjFzOXRLalh0M3lYalErdwpoN3VKU0N2NllT\nczVjSEhsVkVoNHEwcGQ5VlJHSW8ra25lYlJxVi9mSWVVCi0tLSBmUE55Y2RSNm12\ncml3a24xTlVQa0Y5SnhreWFjd3pSSEJYR01TWEFLWUNvCrGCYNpo88gpVnA+4pAl\nlVe5xlvm9jahtO4KGkSJBMO8cwRwzzJvTSIc4g1Fup5TsBNzDK1TpbvK/f1oahc7\nfZM=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3VHhXeGpnbUc2ZjlLWjhl\neFNTTUZUZ0cxcys5dHh6TjgrUDZycUh3akZzCmFkQ3pMeldrYWorTDQ3UVkxbFFT\nRGwzM1hiWjFMUDh0bFFKN3MvVkg5SGsKLS0tIDVZQkNTVTFqRkNoV1dBMitLWE9r\nQjBmMGlrV1lxTzl1dkJ3YVJGVmE0V00KEaTRu6ocD4Vqnet6+UkvMUIM1wMF0oGh\nhspAFCPExJJclFFxYgcWv4eRTsDO6PdAHnYaz+/l/O9epLA/epHnvQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5dWg1MGl3Z1ArL1RNTDZs\nS09mZEJjdWR1WU8rSS9YdmpCT2ZLQU1hcFFNClZRelkyWFVrMmZuRzc3MjF6TkJP\nellaMzgzTXJCcXJxS3Y0OHdwNEhadEEKLS0tIFBuRzV0WHR2WGt1c0hDTzhRd1dl\nd1lUMnZYaHYzN2t5cHN2S3ZQS1VQbm8KKITvkz74RYiwE1LtD/R8l6DIxsBl37Al\nCsfOALY727kG7RgcE62shU43GYo6zsvnVJaZ52gvRT8oK11D8/EoKw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-29T11:45:14Z",
+		"mac": "ENC[AES256_GCM,data:zb2U7OhXBWJmhZPf2/9G/BTAcaqNXS7zaGd4WppKf2fsHtbZZCswd9DfaI/0NzfknQgKlhmqr/qN/nG1UPFhosQGQTcl7Z4od57EyN6WDaXu4fjJYQHZ1VB6HvKD0c0bvb+yBX8WPxF/EW655YQvdV/x8VU1b+rxhGPCX4U1iPY=,iv:wt5RTsnv2hkF5PUo5ah2NM8HwEEBXrE44krI4Pgbbtw=,tag:7nS69I7ZG+kkIU/cmthq6w==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/genepi/gandi/gandi-env/users/rpqt b/vars/per-machine/genepi/gandi/gandi-env/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/gandi/gandi-env/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/gandi/gandi-token/machines/genepi b/vars/per-machine/genepi/gandi/gandi-token/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/gandi/gandi-token/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/gandi/gandi-token/secret b/vars/per-machine/genepi/gandi/gandi-token/secret
new file mode 100644
index 0000000..637b09e
--- /dev/null
+++ b/vars/per-machine/genepi/gandi/gandi-token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:PW0hHJALRXaoXPSeqnxPzwepz/u+J4QJKd388CdrLJ3TUzm7IKqstA==,iv:VF/0ZudBmzdZX/VWd/L5ic86LQlOfSUgBmwckvw9G/g=,tag:FXFU3FlewhRbZei28vP4Jg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdytKNDFU\nWkxTZ1VIQWs5L3FPVEx5WUJyWFZDaWN3RFIzUGN6Q1A4cmdROAo3TWZ3RU1WVXlS\nK1RoSHhsdU5STjhVWUovZktQOFFtUlJjdGR1WXdFd1MwCi0tLSBhVGhoY0kybWhu\nYW95dHFUOWtjelg5c2Q1cWpXM3I3dkxsMmFwQXdPZy84CgmAR4Ifa8IuUsEflLu8\nZKgFMWDo4akFoPHeWJ7m7TGl1br3SikeL36GBMYNymyCmEQJSZBsXbDrGItj+Uve\nM8Q=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeHZsbmNV\nbDRBdENUcXAwZjd1Vi9KN0lTNzIvMTBkSzgwazdYMHZMTnhyagpXRDJmWHhRY3VQ\nd2JBY2xGRm0xM1NneUNnMHhkdzFxeHkzd2cvQS9sUFdzCi0tLSBZcEZuT2QzNHBQ\nK29LZVN2UHdNRzUrRU51Y1c0cnhaS3dkeDk0bERrdDVZCqm9AhmUZJytrcIl+6rP\nsXwqFfgEQRwy/WUtWAFxqjnF38YjGomqbyMC1E/vwGDyug82uYdu0VCYK0uOBg4r\nOkw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WnFUSTVVZjhvRk1NaUJI\nZWhwRTgzZWFGR2JXdDNNS2pPTEF4WkdkYUM4Cm1lWUFCdm9CcGxyQTRuaSs5eWZB\nNXNBRlNqZ2l5UWNuNS9ISnZ2MmJvWmMKLS0tIDdwdzk3R0FkSm9jSEcxbWlsdEow\nN0p1a0xIbWowemlvb3dTUmZmWEowM3MKNPkXMqvgCnWPIUhyPBhqq21EcNnQJDHo\nCUghB99hnhlJPcH3Kjhmq3d3Gj0HDgNrEiPbDVsfnaF/44uNbbCPUg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZkF3c1Rsb2J2ZHZZQi84\nRjlUU09kN1hNVUE0ODVLVE53bUJGK2FaTENNCkd0aUR4YXQ0ank0S24raXZMdDdN\nNmxobE5MRXdISFZTR3dFM2Uzd1p6enMKLS0tIDRFV3hhR3pBSzAwb0JUSWVMNGdj\nRkJPekxLcW5DanpmRmkrVnc2NmVIRncKB7OrdWNq72I//Tgxtw+6fQ/6nheg2t/k\ngYlEJiZUBl/RTCfSMD2N6NGF0jpd19iQbJh+kwZqM5W3JfNcfV0fpA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-26T21:22:22Z",
+		"mac": "ENC[AES256_GCM,data:vZchrJpNviCfUYarQG6rZXB6pFAwZga5yGIZZEYCoqWBjTQqnUj5egOmRcjrIDH8YpW51Jo2iXLUg1qkGWfl7rEm7rZIOe6mueh/OSceftgUKtp20oC0YwWclo3Fm/XZAhk7TuzelCFT96gInmii2A9of5J1913g2h1lizs0nKU=,iv:nTVefHS/NZ+sQoPl6YI8YDQyZ7f+tv/B0VBzBt+4VaM=,tag:AdGB1xQa47DbwRu8WbauPg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/genepi/gandi/gandi-token/users/rpqt b/vars/per-machine/genepi/gandi/gandi-token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/gandi/gandi-token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/garage/admin_token/machines/genepi b/vars/per-machine/genepi/garage/admin_token/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/garage/admin_token/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/garage/admin_token/secret b/vars/per-machine/genepi/garage/admin_token/secret
new file mode 100644
index 0000000..1336ae9
--- /dev/null
+++ b/vars/per-machine/genepi/garage/admin_token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:QOgo0cEpMfRuOfXs0LKvCsn4nQiCu1QsFPCZ3q2DT8mHka9i/h2UPwEMRero,iv:kJvgRalM/j0NCKlETcc+1u26WNctK7dsKp9caw+LJBY=,tag:s0yYUV3U9agn76ZbuGbQFA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMmoxYk5X\nL2RON0tpUU5xTkU1cmFxQ1krOGRCeGhhZWd2amRSWlNMVTdYTwpWU3VibE1XUVZ5\nQUtDUXF0SWE1djhvMlpHanZITXNIYkhCUkdkWnBpenU0Ci0tLSBWNndlZ0NmNTdR\nQ25sTSt2L1FQL2Nkc0pqRlRuSmFIQlRMYlhZdmFDWkM0CorSl9wuw6Z/c4k5bNaA\n3n/JA49y2J3TAWwzt2qCPZrE0cIA5JuEqXQmbq/nXk9Aom0YU1dlkrrgEZLO1bQj\nvY4=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbUJmeXVK\nOVNQdWl2ZWxNMGNsTUJHN1JwelV3SWhJSDVaNms4b09yOGhCaQpPUGFNMHhPS1Nq\nODFUb05xTTZhbWs2anE4VFF2SmU5U0VjeW8zUU5QYWZNCi0tLSBUOWtJcWZpT0NI\nOVd5bTBQVFEwYzlVTXpSVFJYcmdTTWVtY1ZvOUNGUVR3Cp1tW8f1Pv6x0YlDALZF\nT+rG1THjnZIT/y4FgSBnkHB2AuDnZsSI9RFCz7HJ0JeylDozCUOIMHGqIWSEawVL\nhyc=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRUw3UGpUdUNFOENlakRp\ndzFTMlVmRFlwSUpoMis3VzZ0K01rODMwQTI4CmxMdHNSL2NNaFNnRkVlMy9UeCtT\ncGEyWUpROGlsQlRoK01wREROK21WSjQKLS0tIDQwanBPWUNpNWhkNStrSWxncjdS\nYVVxcDFpS2plWGJjSnRydjJYM2hDSmMK4V7yFek3HIE4wYQxp2GpefoivID6vnVp\n+/2cuferwusjdBgHrbL3XPUn8bbHwg/VOBHXTXeauj43d0ogr+zoUg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcHI5Ty9Tc3JhYzJCMUVK\nREp3WVFQY0ZoRkRkako4bzIxUEM5STVVZEIwCkdoWWhKd1lSSXl3WkRMTWJoMWdF\nSUM4MnhoMXl3bzRDRFFXYW1Wd2dlNU0KLS0tIEdKN3hHRVRmRFNGdXZsc01QVE54\nc1BuRngxZWpsRXEvNnp2dllGeGFXV1UK1KQsYV5i1h4e/dWdYvQ+OYp2KaAZ+8vA\n9/IsuPmoeuaAU9DyTpG6d88sst6tE0gYsJXLUR++p2B+UPYD4rDJPA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-19T21:51:49Z",
+		"mac": "ENC[AES256_GCM,data:zaXINmQBZVN4dvvm9+O3T5nSm6q41J9fNUZ3Ye7/RcnQYS2XwiItL2PJ+Y75SS+2w40JGGrmkqaeUcEr49KGF0fU8ZxwuNelUoL7PuALA6lRsdTLE6plTyXABDFbl7yNWOvZH4P4xMJcYiJrNK2TW+7Kmd7mKtytpAKMUI/dNKw=,iv:MM/M9DwFkDaiqARfdWnEsROnFpT/diw5pQXLOHMFgZ0=,tag:ZzA54TFLYziKo4A/TL6CNg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/genepi/garage/admin_token/users/rpqt b/vars/per-machine/genepi/garage/admin_token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/garage/admin_token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/garage/metrics_token/machines/genepi b/vars/per-machine/genepi/garage/metrics_token/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/garage/metrics_token/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/garage/metrics_token/secret b/vars/per-machine/genepi/garage/metrics_token/secret
new file mode 100644
index 0000000..094e5f4
--- /dev/null
+++ b/vars/per-machine/genepi/garage/metrics_token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:dqsm3odV1kIx3sbHrpGoxMmaBp7oscTfb42mKSQXkSZA3r0SUyiox/faKRid,iv:TiU/MHNOOs18afosr9te3UI487Of6NR/5bZEU1X/Rz0=,tag:tulweBmCracNztaP0YYFvg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeStGL2My\nM3E3S0ZzUlBPWTVSaVJPUElVQm1TT3h5ZDVzbWJ5Vkl4cFFOQQorUGxSZWtQRG8z\nN2U3OXhyTE1xUmk1Y0JrL0pwUlg0U0tCQzRjSEl0L3pZCi0tLSA3VWJrMkRNVmxw\nQyt1c2ZJY0RqYVNycTVOb0lpSlVPOTV2UmVUMUZNUHRBChw8V3zf+qA+EnjjvuPC\nCbv2veIZDSWlGvq9BcF450CMSUk9F/9hAUjJHQFyA2HPW2uLxXdvnOjpcuHeKtzD\nRMM=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcDV2dCtV\nVmU2cEhoSnJEbTVwbEJGRG1reEtEVkNjeE5LRXJFd2JaQkpTVwprdkVSakF5T1pz\nbEhUQUZ3VVF4SzVGZGk0MlhZbmE3cmNFdFRvYmRGOGdjCi0tLSBkOXpuZjdxZjRP\nL2hxRWNqZDM0aVRzODhidFUra0hFaDYxNTJwUVl3RkpzCqpFWeGwBFd/tFm2T61d\nLyxjqpAyvfmRC72DF5633PyNRcx/ZG5QqUC9YaYBI5owfJBwjPI6UqZ2Ym8r76qs\n4tk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4d3pBcDZBS040L1p4YkxO\nVzZnd1NPTVdsREhKQi96bm9hTnRIT0hIZFQ0Ci9OWWRCQjNIUzF1MTI3L3Vla3Jh\nR3hEUldQMk9PNjdQeVprYW0vcXAwYTAKLS0tIEZwN1d1V3g1WGQ4WGxiUzI3VVdV\nUlRubUMrcUo0SGtxTkM1N2YzK1FnM2sKuy/7GpLG8uUa3b7ddbTh8vw9fhemyTgk\n91u+c9u4DGkoKbxlXGwYGL9Bl9ZaciDxgX95XK9oYDmkvzDhSN/rEg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MjdxTDJPa1dHdHdyN1o2\neE1kTU5QK2kxVklielhKRXowQnNrMFh4aVRRCmVHWDFISkhsOGFLMUdVSzh0K2xR\nT2srVlZYUXlQc1psWmMzNkg2bHpEZ2MKLS0tIHRTVHJndjdqYTMwQ0ttWEcvWUNw\nRUEyUGFZOThGWFE3V1pQU0x4Z0F4cHcKYR5FU0kwoZHe32skIWuuyXDPAmsZhRVP\nW+VAuwCLQ/AtaKEyzUS0d5oxQLplfJZoaAF8vQhuWSx9m/dHOqc88w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-22T13:52:11Z",
+		"mac": "ENC[AES256_GCM,data:JCmuUh0D+vWL8D9ogsWX70JBSSoUNxGN+R7kHFprK4ZCcAs1+zCzW/dg7qGcCrQXD6QkNx+nfM05kYiQKNeHXVavqKuOGhqgamPKrHnu6To1y2fNKPk9GbioZTSVpRiICUDGTUhsdQW0f77ekCMNcU7ElzyE0t9BhiwEmwexpbs=,iv:uUyppaoNVCmXkFY+ZrI5enRlEOAZ4+w30awlh86KpaA=,tag:R3fviJdYM+4SQfo3hLOhwg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/genepi/garage/metrics_token/users/rpqt b/vars/per-machine/genepi/garage/metrics_token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/garage/metrics_token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/openssh-cert/.validation-hash b/vars/per-machine/genepi/openssh-cert/.validation-hash
new file mode 100644
index 0000000..02779a2
--- /dev/null
+++ b/vars/per-machine/genepi/openssh-cert/.validation-hash
@@ -0,0 +1 @@
+03d96c6ed6a59594bf0faa06dfcb7d7959628eba37fb4c35f6c95803edc23b90
\ No newline at end of file
diff --git a/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value
new file mode 100644
index 0000000..9219ad7
--- /dev/null
+++ b/vars/per-machine/genepi/openssh-cert/ssh.id_ed25519-cert.pub/value
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIHcv5O9kZ5PjMVSVvmRNK1FQIQ3fsx5I/bq/nVHEbdg7AAAAIFwq0inZe4DX4DuJx/vbfjG5XLZ46MnBXjipdHgD9LBgAAAAAAAAAAAAAAACAAAABmdlbmVwaQAAABcAAAATZ2VuZXBpLmhvbWUucnBxdC5mcgAAAAAAAAAA//////////8AAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEBUtVWziAfc5PzYezSlbAXfFXLP1KoPYHPUtFaon0Fu14j3+RhKC7nylUgvGCOm46dTq+S9YoDZ3SqlwxwyD4cL nixbld@haze
diff --git a/vars/per-machine/genepi/openssh/ssh.id_ed25519/secret b/vars/per-machine/genepi/openssh/ssh.id_ed25519/secret
index 859b019..b608edd 100644
--- a/vars/per-machine/genepi/openssh/ssh.id_ed25519/secret
+++ b/vars/per-machine/genepi/openssh/ssh.id_ed25519/secret
@@ -3,12 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZXRNYmdsUW5KdUNqWTZa\nOE1jWFhpdDBvakFBRE1KUUVVY2p2Q2xsdzFRCjlINWpKSTQ5aU54b3E2WGNPdEY2\nUkJhTy9YZUlGeW5ianV6dEhuN09nUUUKLS0tIHJKK2NNdGNkZ1o2N1dIK0VyYkcw\nazdycjlpTnlKU29ncGg4bVA3UEIxM00K9rtN48IvvY250zbM7WkQMGQ0rZmznrHH\nlaOS+l4WcX3VouIvKHIwNSNhh//psnOblMWjv5fBtGw3Sst0rzyL8A==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdmlvV0hI\nYWt4MDhnTGQyUHdxUGJPVWdieDBYNmF4YlNpc3hWNUxHZUhmTApINFRVMzA4SWlm\ncnA4WFBwUmhXRkxubThWZXQ2YWZzR05YbVlYMTNIV00wCi0tLSBwRnVXeGdhS3NH\ndVNtbGxJWFNhVWFHaTR3bU1KUi85OUpublNERzNSTUxRCjL7jh33v1evcpv8eGiD\nPGffAHKUGd6NoszFIffaLH4AAp7jvVtRXGEOosyxZjkl8T14BRVvBygNtCzPuXA7\nYWw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBa2graE1J\nTXpVMGxYOU52UHBsYW1SVDdsYTFuNXVUK3RUZTN6Q0lNcGM0KwpLL3pGTHkvL2xz\nM2o2d290QjVhc2NmemhEcEVmY2FWTHJyK3JIOVRxbHVzCi0tLSBIdkgyZjdzK1kw\nbGR5bUtVRDJnUExML2V3cFVMa3JzV3U3cU1TbmlsZFBnCvpCfNadbvEWZgOYX+wP\nx+jHCQkiP38aHL6rKmGQkO4yocMvv/eANNhHJe46tT6Vy678Ho1CdPiPS70q9Uh9\nDfo=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWEpFbzQvY0FSQ2hRaE5R\nL3VvNDE2SklhK1N4ZEZrRmpqcElBV01oWkJBCjVTVnVDSmc3aFJmd0dzNmc3ZFI5\nOW16Rm5NSXJ6N0hYdENQV2tTdXZuem8KLS0tIGlUVTVhQm5qend0REJMMmVnUGY1\nTGlVNWJ3UUN3MmhGS043cHg0Y1FBWW8KL3No5ItaAFdbcEF0v/q5yZdYATKxO2UX\nyDwLVPS8hdLYTk8XzzEEMQVBtzrDqahHp/uZ5LNXePJrlNQEtj0/Nw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdUZtbDJScXRXQ0kxQzFy\nT29jTWhPbks0NzhNdnBvbFN2azRKbHdJTmprCnU4clVqZnA1QUxCTS9jZGIyR0xm\nZU9qVkdVUG80QXN5blBiemtXekJ2ZlUKLS0tIHZaS0JMeGJNckJ3RmdhbEdvQnNs\nYXkvUmwxNHZDOEhWWHJ1YnJhazB4a28KtMVaNZB/AKP3ZatPzsSCq4TUfkPxg+Ir\n5Vmxg1Kv/zA4aeIA1En2EL+oHsnPMBcVWBpn7uBfMX6Xo8xZ2RzmfA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RUhUaCtwaGZzeWNnLzU5\nSVpUMS80cGN6MEZ0Zy9oQkdmU2IyUHU4RVhBCjhvb2lqT0c3aWJYWkRQWWJpa2kx\naDFtN1ZxRXZEOVlUTFQxUHlHNjJBSUEKLS0tIGhzWW1JR1JYb3NCc3FNTUFoRnda\nQ0VUb1VEOHJBcHlQeHo3V1hxeG9Wb3cKW6l6aWLF2FQlgQspORpdn1u1Cmr2zF7w\nMGmywIz7VMnWhcMDHXelqXAWXXqkKcEW3TFKor0SnUmqPOj4fFSCPQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:53:03Z",
diff --git a/vars/per-machine/genepi/pinchflat/env/machines/genepi b/vars/per-machine/genepi/pinchflat/env/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/pinchflat/env/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/pinchflat/env/secret b/vars/per-machine/genepi/pinchflat/env/secret
new file mode 100644
index 0000000..5150265
--- /dev/null
+++ b/vars/per-machine/genepi/pinchflat/env/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:Sfpe4CSU6+923CWT4BGzizP3fNIkCfYJGDvIEFRVDAgnVCAtGl27+q4936CNeIlmzrOjatpIUgTFK/XKB4euNK9C9/baS/C7rB2oDyaebFSiYEGpIpEMjI2V4kK+TwTfrtwrgOl0gjAVKlRJ9+1fmTrPADHn0Oqn7cPMDg2tNh7Lrb3ivyYxxq/RnPGf201/pQ==,iv:Jh11D+YQv3QnnWuc1jcpmifSY8kujxOKK6e79oQdm4c=,tag:AcyVHWHLtIPQwCChbG4ukg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdjVaUE5H\nZ3Y3cHVBSUdqdnQyYVluOWVXcGJIMUZ5SWZ2RHU3dFI5VndmRgo0WE43K1BNazdj\nV3dRRWVldk9UaW1ySDBWd1RHSXdvcDJxZ1A0UlhINm9BCi0tLSB1bFJ4ZkVSaEYx\nNTl3UDA3ZXZaMTNVY2dlU1BEM1pXVEZ2MDh4YmVnci9JCn15VWtzWcvDBdKbPmpp\naTz7xeSwub6IBj7m7hrlS04tsDAbAsPjoyn0L1/xn5q2vic/Yx6f2pytJdUniMie\n/ls=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN3NNbWNM\nMEdWbThneFhtcHFsczJNcUFRbzBFL3MrWm4yTU4vM1hSbFJjbQp4RDJqMTUrSUpa\nSHJDU1lVc21DN0wzdlVVRm9JZm5oRTRoTDIrSWx0Z2xFCi0tLSBpUWlhZFhpU3Fz\ndWdDQVVXVWNGTXVwN0NyckhpdGJNUjJwUys5K1dtRm9NCtSFfaT9Ej+kIJzRY5Rh\nLbHzCAgv2snFNXg7/TtifW7sptUt8TMhLpBqaA6LH1v/H4WDDv/8j3pTSF7Fi5nd\njzo=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVN2YwN1ZDV095dTdlK3Vy\nWmd0cVozTjNQdFRISDMydUNCQ3RXRlE4c24wCnRpa0NJNFBDNGdPYmRFNTN5N0FL\nUW1ndmZZTmlRNENVTGFFbFpKbENaNlkKLS0tIEpmR2lhVDRDbGhRZ2JWamgzN3k5\nU0xkMklOaVZrY0dVeXN6VXc2VEpLakUKhMtArYZWo2946QdB/eB6WdVEBWSw5ge7\nBokzx8q3eafxHKn+1/npjU3VN7HhqVqQRZ4Pojj3U0DZ6PKsdSDglA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2eWIwZ3V1VkdkQ1QxYU95\ncU5pRVZoT003Zk5oOXlnNElYMDFSMitIR1MwCkhFR3ZiRkszT051ZkdyM2ZkRnhL\nV1ZiczFMTzkza2xQaEl2aGJnT296VlEKLS0tIEZyRklVZE5oODVDVVhBRW5Bb01I\nZi9nQXVOM1BZNGpTaDg2NzdVWDV5SkEKB7dHbGNLW0LspjbI2VW0fGUppRpZr40J\nj5H9D0g3Oct70yJtH2/k/mPxxvS7tKAT/H11gdH/1dD+kyYGMzaq0g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-16T15:14:34Z",
+		"mac": "ENC[AES256_GCM,data:HneZmFLyVWdGmQGgMY5NObs1AxBGTyfsKPfStNhglWjxAXxXzccfxL1vRHnAs49WGUhUupGp+Xw9u59LuDmCgcWEynlHRHz/Z2cVcNS+0CChDp/U63+ave9R1U6DAxMTtDof/DEcdE8LbsvjHWvSxSV9IhYMg3N1e1bUaLKFsFs=,iv:MViUd7Y5sPzjf74gXFSegvcxetnVFp1eNujFbNdwB5w=,tag:jt2T4y0+PlT85EvWc9kN5g==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/genepi/pinchflat/env/users/rpqt b/vars/per-machine/genepi/pinchflat/env/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/pinchflat/env/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/root-password/password-hash/secret b/vars/per-machine/genepi/root-password/password-hash/secret
index 743f5d5..5fa17d4 100644
--- a/vars/per-machine/genepi/root-password/password-hash/secret
+++ b/vars/per-machine/genepi/root-password/password-hash/secret
@@ -3,12 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWEtuWDRxdFFSQS9ORitC\nRTY2dURyM3l4SVk5MmdhVld0U2RaRTRuUmo0Ck8rOFVBQS84RGFkWW9kUVdwdFAy\nRE5CS3hmZlExeVF2YmM0a2VOM25qTEkKLS0tIEFxeG1saGt2MjB2dnpRMVpJV0Fw\nb3RKMGsybjUrU3hUamxCSElOeDQxNVkKJ3dh85JmWa8yL6lsxKvR2oyQoBxQXatj\nGB005lbwBf+6pxtARiBmx9a4raiI055/y5YWjyxbNOiT/UnxAQHwgw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbzMwT3Iz\nNk5MTU5mMHhzZ25NdXMvV09McmxNckJFRWllTm9mZ0Y1eXNlMwp2cFphSjMrYWUw\nRHAvMFlzcFUrTVlYeS9haE15bWZKKzR0ZnM0bWpmUmI4Ci0tLSA4cnBkb21zWmRY\ndmUvZlNXNTgvaXJRbEJXUWF0Rzl4SGdnN3IwY24ydXkwCgBIVg3907+mmnG6AX2+\nBTpZg9HEbq5XdSYHJvLEDl+Xi9WCS9+O6Pwo8HAlhKIMtRyEpr11ZphUKfbZ2Rm/\nJnk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBc1ZEMzUr\nSkpUSTNOTm5SUEhmUmFQUXFNUldPUWhmVk9VUk85M0RMa2tJUQpNZFhXRGJINzZH\nZHRSTjdHbURyV3Vmb0djS2FnczgrZkI3ekNqdkVZZjlVCi0tLSBsUmViU2xYSCtn\nTHY2YkZrelF0WGpwR0dQajJhS2l5MFBJOXB5cm1JQlFZCpk+HhAXVQ8WhmvXx6bP\npIBixAePhS52QdA3u3pAJI0zJ2OC5OZU5v6etbJg2LVk6s6de6Dejo4DGUm0Xr43\n3xc=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNnhTUGZFMFoyQm9PNHg3\nY3dIWlp3QTR3blZGbHViaDNkZlB4OUY5bDMwClN2YXZ1TzEzcnVCM0k4Z3ZQMkhY\nbDA4dWgzaE92cU5uNUFJUnFVMmQ5cDgKLS0tIGYrcEJkaHBEa3pjYjlnbml4ZWRU\ndE50bFA0YUsveFg1QmJ1N25tWnB0ejAKd8JVc6AlQ6V9YcTldHv0iHv76O7Skfjq\nImI+mA8cAglbDQl/aY3kVqupdHEGVy69Wfj2cZxdFiH1q+ehL/zwbg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiczVHQktNMXc1R2JmV1dI\nT3Rab1pydWtoWFRQbGxqeDlvYlo2Z0ltMXhjCkRJQ0hpV1BnZml6OHVDcVhZckpV\nVGNqV1NZOHgzUy9Ha3AwTFJ0cjU1M1kKLS0tIGp0TGN2WHhBZzhWY01ZcmtneFNT\namlySDdDeXArWGFqZWlCVTMzS2YyVk0KqlHRbqCe3E26eWGZVHzOBdZ9RnSASCpb\nQjokNJ3DsnJ41zr4cHjMfJYUrKbQR3P+Qvw7MiAYuZaE/hra97dn8g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTHUxYmFMcWF6czJpZFpT\nOE81cnF6OTRjc3NUSkJ2T3lNRGY0b3lqQTB3CmcyZklPYzU2WGRPdnY3R3JHTFNx\nVVhPU1p3M3dORFlEeFNDOWpvcWJmeFkKLS0tIE1zWldBWllzRHRKL2NUQ09GUWRj\nUGY4TzUwS0hhTEFmQ0dWdEt0ZGVTTmMKGs61n42+HioKNh/z1kDUcAuUjrswVCyt\nOp8tSuM21fZYxm7mDttMmcvE/cN+hNbnrp+r0f0m2/2ihYbE+BAuyA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:53:06Z",
diff --git a/vars/per-machine/genepi/root-password/password/secret b/vars/per-machine/genepi/root-password/password/secret
index d78dc7b..2d6c857 100644
--- a/vars/per-machine/genepi/root-password/password/secret
+++ b/vars/per-machine/genepi/root-password/password/secret
@@ -2,9 +2,17 @@
 	"data": "ENC[AES256_GCM,data:wnGJxis0TIEqPVWTl7KIwd5Zt5CQRC0lzA==,iv:vXKN/TAha6LMpMAMWMZlG1IBp9hJqOim7ZQiVzgDPuc=,tag:rPi5YlFiiFZoGD/5T9SYbA==,type:str]",
 	"sops": {
 		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbFRsN0Ev\nS3Y1eVoxRlFrMW8yTEJPcUdzYjNUTUh0SUFjU0NYcDR5YkxMSQp4NEdrUDBtRDU5\ndC9yTDJZamcrWlgva1RhMStsYVhRT1MwZERuakU5Q0RvCi0tLSA3b0prRmVrcVli\ncWUra2pPL1JGaVRNZ3BhMC9UeURrY2duSVNVdkJkTlpRCunbM75dHg80w5sV3/JH\n17FumAcBA6mjj/3SxtfZnTAwdIHnO2sij7ltFH3gDXbGDG6V89ZXA7IvuoY/KHsy\nRtw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0d2lGNkFjYTg0NmhaY0hy\nZEhwdkpzbUFHT0dmVHZBSUNXczkvVlJKN1RZCjlhWUNmcmhvQkFKamp5RGJ5NVlm\nZWxZekhlYXg5TytseU5NVGU0VkIrOWMKLS0tIFFlWk1qcmVSYUVjYSthMys4aVF0\nQ0ZWRXVYMTMxSEJ0OEVjbDRvaUJYZXcKPQML2AfmGnXW1COjgIil2yabXflE/wGA\nOlSKADjlhc9cXfCI658n2WuXFQ1ysrS9Rtsy7Ezw5B7sY+m1DQkDYw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY0hKcmlUUXlBYlQya29P\ndG00N3JreWJ3ajFUZUlWTDJyRHRxTzRsQW1zClFIM01VMDhoenJ0UWw1MEF2Y0RT\nVXlCVU5QbC9yeXg4bU1wRWtEWENFREUKLS0tIE4vOVNpazFqbVVJMjg5S3FJa1ht\nckZBSFdRWEtHZXQwang0TXBTZWhsVXcKygn8wYzAZKa4geRWNNl9gmEybWmlvRzn\ncL1CDUVWKg2mY/KCYfxGrgVyqFGBFk52xYlNn69PppBy1XgBD9DINw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeXVZdGZr\nUUVkUi9oSnluQ2EyVWlSVWlkeHh6VzZXRlZaUVRRTHNIL2xFSApGV05sQ2ZKcXIr\nWEJwUHhtcVdBYTc3Wk9TcTlaNThFZG8yL3BaaGJqTTdNCi0tLSB3ZzVtSlRPQk5K\nYTJFTTc0bi9VRVhBT0dRY2x0cm8zajZxRXZyYWx6MGVBCtMuXTdg/q0mMSMl89lK\nBqKAuLU/5SqDyySy+Vl+/B1OIv+79a2QN2S2nd5fXjP8C3Cp1QJ1vkblvsZWJ2rU\ne0I=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T13:53:06Z",
diff --git a/vars/per-machine/genepi/syncthing-gui/password/machines/genepi b/vars/per-machine/genepi/syncthing-gui/password/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing-gui/password/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing-gui/password/secret b/vars/per-machine/genepi/syncthing-gui/password/secret
new file mode 100644
index 0000000..a0cf518
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing-gui/password/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:HWmd0ZCo4gD0g+dZrbkX7XNvfsWQaPHN1VOpzNGVbwZFQm1QCxGV1AxKkXbjH2pbsO6i6kikyyNH,iv:CX8Q5o/7SGM33rfQG5lFvc7iSBxR3sTf8Q4bPk4iv5k=,tag:gtEmFaZh6I2Q1d1IeSRDKQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNThCVkVR\nWG1sSDNsTnpqdVEvTGw3UVU4VnlLdDVBY3dvZ2tMT3ZEZjZQMwp0MXBDTWlPQWxD\nVXpobHd3UHRMV2RiV0J1NlR5UXlLRjZTTFVUYkR2R1FRCi0tLSBoN2xqUnZzb1lC\nNVRCbVFtT1lEc01Jc243bS9TRndhMnZ2bTZ2K1d0d3pFCgCoZDFGYDnwFw7A+Dyj\nFBY4N1oPSvJFFycDc/yB/6OWg13mxmEGAjsITTnzCfz/3p4OZwOxq419owTlxa4w\n/U8=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBemRMMWNE\nZk1SdDNCeU1NdDNDaisreVVBSVJSWEt2eis1bG5sd3VRME5FOQpGaDRRdUZsQ2hG\neWdYNzN5c1NkVUpTaVpwUE1nN1NSYUhoRXRkc0gzOURNCi0tLSBhYTNiQXFCNDAx\nc05STTlwdm10MDhzeTRCWDR4NFNrVktGcHRnZlFGR1M4CruhBBaooAQHER5by04i\nYViPPL8oRcEijqh+K1eoAI7b/e/OZdC53LTdzU+MGT/kpXka0TUfCcQvkxJQJ/vb\nEBM=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNlNYNjA4THFFL3poc1R4\nVjdNdXpUMVFtSWVGT1ZXeEtLOEZuQjVlLzJRCk0xZ3VMU3MxTEt4L2V4K25lTW9i\ndVU3TTZvYkQ4STJPVUlsRHc2dnNYUFkKLS0tIElDaCtmUll4YWZUMW1UWm5PQUlM\ndW9mVG0zZGJQUEVsRHRGWklwTzJBN3cKQ6mNYTjYypTuEqvycrLnhGgmfYp639Wg\nbOO7KJK7ek1dU+O4OvI6qxMwpfVPQr3q88LAmnXcpkxhST6gUeIDfg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2L2d4RDFETWtlM0dwTkE3\nWEgxUlQ2UUtJWlFFeWVIQ0VLMHJBQWZKSGhNCmszbGkxdi8ycWFEU2xZaGJ0MzVu\naVczUDEyaVh6N1V6V3cxZ1BqTnlJbTgKLS0tIFpGeFhXQkVqVVZPQXZ4RUZLekVM\nWDZrRkF4TmpBOWxKRlBxRmU4cjFzMVUKcnY23qO+bFRT5aYFSmmuuTwBK7pPQwVm\nm7KW6bfWarLj56Rkgs9xvaPCtA5BMEVcMIgc6ovbun/J5tQUC5U/Cg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-29T13:06:57Z",
+		"mac": "ENC[AES256_GCM,data:6PybvwdIi19um8zXFJ3N1kEG611JSVor7fa7cwf4nOR/UCYfhgUc7Rp6YaXpnxACOrMoA8aLQznSKUY19Rrux1EnPFUUlUPRonS64CchoC/Ix941UffZA+HjHTIONOz7uFOBr5qIcWmcWR2EucyMQoWYd501u+chetJMWXErJ9k=,iv:HT5YivDqqkZdVQ/ELdmBBP5KY47VD2IKgpeGGB6pAnM=,tag:a/bUdqqh0TqT5MZrREL1gg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/genepi/syncthing-gui/password/users/rpqt b/vars/per-machine/genepi/syncthing-gui/password/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing-gui/password/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/api/machines/genepi b/vars/per-machine/genepi/syncthing/api/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/api/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/api/secret b/vars/per-machine/genepi/syncthing/api/secret
new file mode 100644
index 0000000..b6451db
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/api/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:u8kuySQoFLShwjIXFfy48R3QCQv1cHlNgBoPirbnq6q1,iv:xpy4QLhZEd5ra7kYJciXk0GRkRd7Z0bPL3jcrKnQdEI=,tag:whUDDBmeuZqnhkLJB9yGDg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeDNSakFl\nNmV1Z0dvWWE0SGVZekRMVnpxeENkcG5hd2toNExwZkxabDFQRAorbUl3K01NMmpD\nbm1hNi8zWXQwMmVIZXk4SEFrSVlhbExVenVqaW4zemc0Ci0tLSBMNXpjcE51K0JE\nY1Vrd0xDUzJ0dlhXMTFVR1hyUjI4Ymx5Wnh0YzVBY0djCjH2/CjBreDFojlV3Uq3\ngX04zSv938Dk7LJ2dg2KXzRJpXVZPq4DtOQO7zsgph6TsuGtG3STrYa8xjiZCtYh\n8fs=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN3hEUnNL\nWlF0cEIyZnYvdU84anRZSHlRWkdadHZnWFhmd3A0YWYrZnM3RApXYndSYlk3RlpR\nZGhNK1pqVVlld25QQ3JHQ1ZFYkdlZ0ZFcTVYeWQ3aDA4Ci0tLSBsV1B5Mmh5dFZZ\nTHBVMS9LZzdYdzU3MEEyWDZvcEpxWG4wbklndWxjS3RZCvEVpJ1/0fMslm+KeRm0\nY9bWP2VkRJZRzNKzyoBab3NHy0L5mEK5oAhY05LHrZDVdHXrEFAmqsc/TAXw8bad\nSAs=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZlc2UEMwazFsd2daUld4\nZDAxeEpwZkRIc3JaaFNIcnBLYnd4Y2MyOGcwCkJaRUVnaFExNk5FT015SWtiQ2xZ\neFViTHNBZm1xUFQzNzRNTUt2WjhXRWMKLS0tIENxM1NFV2FCanErNXNZbWdtREZV\nZHU0K3ZvSWZJTnNnT092MHYwWnl4V1UKgoEQy7lTiOelJN+VAQUuNMmG5C3F9O2t\nYChspH7ejw+hysBG/F841hpQPQodWIU26/rMD7gSTzYBtF7cQ2SXXA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWXg3ZDBkWDJ3UzZ1dHYw\neS85ZCtVTmI2bU1sMGEwYzNaZWxrQnBjQTBvCkFqdDZRRkdzUWRXVHJEc0Jud1hr\nR3NuV2tOaDdOQnF0NTNQcXo3SWgyYWsKLS0tIGNLc2Z5cVVlTmRJUVFiRUxqbjZO\nN0FmNGFzUG1KVW5wSHpaOEszSkVoQk0KxOGCSaQSN08ZrEAwpK2gvoOPY79xYSmJ\niJ0S67g6Ltx+ktJb7oR9AbMhiMg0vpXD+i7y/XzKmvHMOJOOGtVFEw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-21T18:39:02Z",
+		"mac": "ENC[AES256_GCM,data:zOFGghGKXE25I72GYPapzpJTBjh7Xv6m9sFMVtskWWqjiX3/Dnfs649E4FUIVoRbHElwc/vmNN7B5ZWaf6JJSlSpM+VzI9i5qkWgbWBqSZfh0QrtevtJ4keRxEyE4iFwoXXV0jk4p2EmL6gHdHxAKxIwarXDB0HVCuO5AwdbYLU=,iv:F7rfPEBUfTLNK00WVZyJNIa8HdvRoSK2p5IvRIOzoCY=,tag:joxrVGKTD5eGFhj32fXnvw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/genepi/syncthing/api/users/rpqt b/vars/per-machine/genepi/syncthing/api/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/api/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/cert/machines/genepi b/vars/per-machine/genepi/syncthing/cert/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/cert/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/cert/secret b/vars/per-machine/genepi/syncthing/cert/secret
new file mode 100644
index 0000000..1fa2ae0
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/cert/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:cfoGK/Ap+Iq5TVEjRcExmrgxx6sFN9oyQssiAK1Zn6FlNt1+W2mYTtNikrlaDl4neX2N5T6oIVwKqY9XjQKRcBDAXnwoXE0Jkvmlf3hD15lgMCLzi9TXh6YMAWXOz9VkxWokihpw0CyXqZ5j8pLRPbR7OuMryzLiGBwHKBB/5P8BmvDYAGU7fDRX4pHVbsXH9lXaYvrqz/+VFAvkUm+X48RtonLJLNIrN0XaGYRHya9CaqNDmOM9VbHEuJWSzHe8NB5wNhI1PkL8mrXWfwA9oN+ojnyrHDBTAHs8gOJKELqUix/6dNfVbNgop+8Pd8qsjPRo4TEmXZxizj04Jc9klQo61qWiXUg/6eP2EhLIOgAjBE9q11uFLax4rb9FsvJmXYpM7m7hlQC27js4ZiUzy+yqtev8HlRmXIQkN33YS1qkA/F832GAnXX5rAqZn+IgVn5s7pMAu4p/TEFgH0uFy+D2Wm80vJoXgCs59N33p+b+qZgr7t1nqJDyiy8znpJAUtpsucyW47jLXhhmj1ByHmofNOllJfruOXmLfVpTFxfDtDz/H4nHIU8MNNbNL56hijjJrMf7Iyv8ojsqWemt45d2PDHO7mae3riwpt/OS/Mt+tXoEIKlLLEtNiKRYIqG0GFl+CFVvCRUNWliK52TaFUTxGT9EptvW0Th3iKqcVUtlK40Z4QvAGNQ2Dsw4L5GUfCJ/M0LETRxhsn24nlRZq3llMBBrfxmOxtC/o93+psgh77Blt3Su30NsH0HYVUZXjOym1xvpr0DgGQ8wdjekh7sjM0XTtdr/N4WF8+Eigur63t3zg3TiV07k8sHT9l3ZEN4mtUizI8RTRUG9tN9QioU0VjEFIMzTewAhRNQ7HqyOx6LtfFzZs3KqNBiaGCxjg2d3yldlZJ8nEzMmFgZQXmwH8eVVbPm0L3Puy//FRax+rBhSDUCTNc6rzS29mBeMH0wTn1bzztBAOYSWCkspVFxVzjSlZ13jnP0aFbG+HE1dXv26UvkPlinQNPZvpS42Gm913cYg35SpphstZA7+eKZOi8IUkLMITw=,iv:BkAURRGq5AzRG5e+krVpu2DhXbTj5187N6LhHmEKUjQ=,tag:izmZtEQPOgotlDMoV0CGDg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMGxZZnlG\nWlZVNkFkcWZTczVKb1FvY29rSmJhVlR4d2I5Q1VveTFRRmxWLwpjV3ptclc1TFll\nbkJjaWI2S1dQdEY4YkVlNitpRjBmL0hQSnowOHFZdnVRCi0tLSBpejY2UHVzVDlz\nRXcyRWhlYUR1T3gwZlU1WUR1NHJ5aDZ3V3ZVV0F4V3JrChgY/fvjTe9l6CyJuJrb\nSlLt/SRDAZxIoxmWalMMbg5mrHPdvyWsmDvh6mf3qhtNM+i/SB27CvHTyQSCStQ7\ndGo=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMS9lNGxG\ncFdzQlhJK2ZjaHNReXBydDdYb3pMWFFQU0QyckJPaGd0aFZCeApvWXBNSVQ1N2w3\nK0NsekJ5aGpKODQ0OWdVdzRUN0xvM3pSNnBwZmpNZEdFCi0tLSBsNVBFQUlmSlZZ\nclNEVjA5YUxBQ3hHWGY0Z21Bd2k2MHpMWHA0SUFTajg4CjN+uBaYGnshQEf7fMtH\n+zzisEGgreT17r7nuG796CZg4yItPBgEw1FORGaqgwsQ4ckymyRME1N7nHjh8v16\noPM=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTXZycEpnZkU4YzZyMHll\nc3FHc1RtUlZwQnRyYVgzY045STJvSnhzWUdvCmQ4QkpyMWxpQWNoc3RTYVBPVjhh\nQnIzN1ZaMmFDc3FaYk1PaDkyVmhJNkEKLS0tIGRoYnVJL1FVZnJ2VFR2ZGlINGZl\nR0cyZEx1a045ZUNpb0Q3dWYzU3VTSDAKIjE/zGEeymPvj5rHuEauY65iwbdcf4ZR\nsFitmyWuHaeUHOWE8SL80D1sbpAnJvwULselkaUwyaW5NtwLzGgu3Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMWFZUXIzOFo5NEF3c3E5\nQ0MvQ2RtTUdvSVhPT3FZelZsdk5nMXFIRHdJClFDQURpTXhrTkdaZThValBLRHZj\nVGJVN083ZXlzVTZtZUtRdldXTXl1bHMKLS0tIHpqbmkrcHdJamdRM0QwTmFUMHJG\nTWFoV0dqRGRKUUNwY2xlWkFVUnV2SUUK/T5z/k8nxc2qj9HaBeJdLaRLXTh+2ywk\nQVcBVOFNWuGdUZPFEDGzRL6sMCbxUH4as3D1WI13En6aWX5eiUKULQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-21T18:39:02Z",
+		"mac": "ENC[AES256_GCM,data:5G7dqmzDZRk0g2wrmU+i16krW8YqZIozeaqaVoOxiCfRpM4JPT2wT8lXT0gsjRfGXOmuET5o+6r3KtOcn/3L02+yeTeaOxMwWkYg/kF+HJ+uP9DuuELVh4U0NN3EnVYo0JoTtDSYno5ihtx5xdfEkIASQqDAU3Zn0iatIuR9byY=,iv:ljx/17RfbR6J3EdEkdH4S8hQcSl4+JFS3ETK1291pz0=,tag:Q7myt4Y/RA8vhG4H1Y+PEQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/genepi/syncthing/cert/users/rpqt b/vars/per-machine/genepi/syncthing/cert/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/cert/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/id/value b/vars/per-machine/genepi/syncthing/id/value
new file mode 100644
index 0000000..dfe1fe5
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/id/value
@@ -0,0 +1 @@
+E6JDGDV-3V3MYCN-TGBDHSO-TJEXRCM-3IJBVOB-F4Q6FFE-FAYIH4S-HNVBYAJ
diff --git a/vars/per-machine/genepi/syncthing/key/machines/genepi b/vars/per-machine/genepi/syncthing/key/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/key/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/syncthing/key/secret b/vars/per-machine/genepi/syncthing/key/secret
new file mode 100644
index 0000000..b98b614
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/key/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:xlS4AxF6bGWkn//F90xFoqScovc5UCPisx38EGQSUk4uPUxA0LGlBYpajPkWN/05cfpqirNzGnKd2fxOE/97vNusFf71aEn7QcqBW3dxIbNeN1b9DgOd3kCsbn1KHnTUDpE+ucx0im87KvWrLop6GiaGkREElP/hpxJnaZCZB6ae78HN1L31yANo39Ts+YJIfJ18lVFT+AKbvicUfleLKOgyHzv7eO0eohTfJ4UZAvkiW3bODL9QxiLP64pQvVkHFp9HllsWkbjd/28j3dN6ZAiZ5Fg+j2Uhjk/8m+7VkXIbPoTPu2KxXIputM/iN9fQIOaBJs3GfZ9Gj9C+oZeR3Rk5MYz/WS44bExlKd7fHB9xmKnrvTe7JTyHgPjDEvgD,iv:vAxFuqWVe3PSnqZXbFAwqVsajHrhj8ZA/3yJKVKCIrI=,tag:7ERgXif9/mb/Xbk6nsZz5Q==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdXhTb0xa\nRGxkRVdYaDhVaTIxdWxiYk9zQ1c5S2JmaGRTQUQ0RVd0UG56NgpHdmhOcmlJc0RF\nSGNaZUt6UmxxYnh4SUVjR2kyRWVPOWt0YUFhV2Y1c3J3Ci0tLSB2bm1WangvVitD\nRHRVMk9Eb21IdkNLNlhNdDNIb2Q4V0xkQnhycFhRZGhvCtHtxgYg2NTTQZ7ijwh1\neG5eFDUR790uHpXO0IDVm9n4ewxALylMmnbTtoKLXzbhqEtwKFteiWzEo17LNIWp\n5yE=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcTZ3WjVN\nbHlNUGRDTFN3c09reTlrUEF5TzBQL3hNU1FJSTVDUGxQQXBnMApNc2w2TGk0dzI1\nUjBDeURVVDZMUElsWlVkWjFRNnU3WVYyUHhEN1lLRXJZCi0tLSB5ZjBNKzVqSE8x\nMlE4cytVbzB6RldkNkpzNmVoR2MvdHEvUHpCNGdEUGZjCg+YUTaAJI9GstcAR/83\nxx1OqmexxHPxmd3FPP883P/sLerL8vZLOSLQ2R91b4fBCMDYZ2FnZhykk8Ys8kau\nq78=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeUp5NU9OcWYyUmlXQWJm\nNXNIQ1ZDcFpidjlIdjl0WTUxTjlNUlJSK0JjClRyMHpmRkk5SXpwOWVHd3d1TmxV\nS3RZVGhBeW5yT2poNC9KczNyN2pZbTgKLS0tIEpHOXhPc2RYWURGaW5SeGhKMStE\nU09OZm9jdTU0K0o4U3B1bXA0Zyt4S28KND1NurbdKkzNu4WIUHbmjKczKmgzJ2Re\n8o8wCqR/yGBxgz8kMz4QCqS0BbfuVlfgdBORlTDopSDLXVzLEuiotQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5VGxLM2V2dmJyR0haQnd2\nR2FBci9Xd2FHVnlJRnN5NmQrTEhHMXNLZ2h3CnVXUFY4MUs2WkltczY5cGVRUHI4\nMnVNdzlTUWZ6aE81U21YRmVsZ0VQeGsKLS0tIEF2Mm5pemRvZ0U1YkRYaVhuZnNY\nOUwzb3lHQlMxd0RHWXA2TmE4S3JuWkEKLXcbml9PhFcxoOyo4YbQVKkezSha4mEA\nCkPqB5APjxo03//KaZ48qQIzewGclmKaWaXSOeoxuZ0li7oPF67uzQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-21T18:39:02Z",
+		"mac": "ENC[AES256_GCM,data:7f/wdkK2/haEHCpvVk4QeClmMG76rUBrCFqD86HoKgbnkK4u4FaRreySdt+yZvUq+AZKSQkxkoWTLk7ndyGlEF8bFZzsi0eZtgz8wkJCTwGs4l2zF6giLqs6iPvbSEiWMPJvlKKhhvyh3NfjRP+qVrZuyjL2H73plYZ/7ltSYiw=,iv:eBTEocLzBEna4iL/ynjYpp9Iq9EyTeSmafBHhP+JVUY=,tag:JHteT/rVf0LcFUsUJiOeoA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/genepi/syncthing/key/users/rpqt b/vars/per-machine/genepi/syncthing/key/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/syncthing/key/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/user-password/user-password-hash/secret b/vars/per-machine/genepi/user-password/user-password-hash/secret
index 3c38fe7..be96ed9 100644
--- a/vars/per-machine/genepi/user-password/user-password-hash/secret
+++ b/vars/per-machine/genepi/user-password/user-password-hash/secret
@@ -3,12 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyM09FMUZvLzV1cWpBNnBs\naXgzNXlRcW1FWkdJWjZzS3B5YjdQRWhuYzFFCmRDRTdRUjlaREIwTUNCTFMrbGJG\neFArVS9VUFlCek1Edjc4RGIzeVJOQzAKLS0tIHF0RnRocWhLelJOV3haWVErSXdz\nb2VBZ2ZVTzN5SUNzNENwWFNiT2R2WmcKipvqGOBuh53wU+91w9QFUGQpdVSuQjCR\nUfojMypTMbNWlo2+0jmUJUWbzEP8jzM8LRGNnHyTFjx6qQwDK9fJjw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNnRxRjBI\nUlF2WFkvc3ZpY01jMzJNK002a2JERUM0d2ZHT3ViY1lEQjVjZApyb0grdU9lbU5G\ndDR1SnE4Q0pEUUwvcDJUNzZlTHFObnZXeVJicGJKS0F3Ci0tLSAwMHJHVEpmd3p4\nVHdzNE14Q3hiY0NIUFRFVHN4QUIxNUdjNDZkYnkrN0ZjCpmiS2iTiN0XSc14csEv\nO46lEMxXVymhtT2vtNMydaw0qZ8R/ufHx4WB4nTyLCQO6DW0UaA8+GligVRRk5FI\n+Kk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbkxqajRX\nckUwRGxEdmN6RFhBUGlLWmp4QkxGQkFKQlp6WU1sd0JwbUgzdgpISXRNVFdjME9p\neTFhSmlOZjlYU1VUalkvNldzZlkyaFQyODczZkYyNFdZCi0tLSAvUjB6TDBjTVFH\nK2tobncvR0RTTU9BY0tUREVCSnZNUFB2SjEwemRqMjg4CuTRXD8jqwrTQyPMr5Q6\nuuJ634To5MbWxXhNFcPGj99wM5xkyIhBbGso7ozhpcvCP/npt19omiwpmYPDtVGy\niHY=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRjR3OXNpeTV2MWxGQVFx\nWXM1dmdPcEF4Mys1NkNWTkY2ZGhIS1lZTDBjClJVZXQ3bHh1ZXlJRkNNV3dsSzI5\na0ZtTW1DTFdBV3J6T2ZLaWs0dUY3T2sKLS0tIG13ZktUVnpuV0kvU09rNmk5amdr\nU3hzSnZWUjE4SXNOeXlHdzFYaXhUS2sKbXpU58n1qmUGpzPz9keex7mQEKYc/PnB\np3gM+nIFuWOqg2EwHd2pNjNT3Jf76Jt/uBzsTPPJzwKJD0xW9CEKWg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5VytkcWVTM3NUY0hSMTAx\nUGM5ZDVJTVJCRnNpd0RIVjY1TGVKREtQV0ZVCnNxOUFJalBDTFVUdUpGLzZzd0Jz\nMjJ4YldNRzNGMjNjYks5bml5TWhVeG8KLS0tIHdodDdsYWhuTWdmNXlpS1QxOERk\nYzcwMkZ6OWVvRVgrWFloZ0tGU1lPYXcKUPGMbQLCZ4M++zerdhfQqzlcO4YHNIMt\nSOTdzgqFiIFa4VpQA/W6pOfOK6Xc9ZZasNcqc6NbutaAxfVSYDTCrA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmK3BzSzlwTVM3bXFuY0Qy\nVjUvaUZJV2VQSUhYUmU3TDRrbkZPWEE4UGlRCkcwVHFCc0JvNjdDSHFCTXkwclVE\nVGZ5OXpTNzBuQVptNjAzMFk2Y3NvNWcKLS0tIEdpZ0t4ZFhTdTVwaEh0YzUzbC96\nQk5VcGg5bjY2UG43UU5sNHUydFFXMEUKC1K1XDvwKG+OWZ01swnc8pJqQZ8jdcYI\nvyVyX0i++6bKEEwiG8FXxpgr6jnjzsq6UIWq8SNPM1GeLJir5hDPtw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T16:16:45Z",
diff --git a/vars/per-machine/genepi/user-password/user-password/secret b/vars/per-machine/genepi/user-password/user-password/secret
index 71bf9ce..e6505f3 100644
--- a/vars/per-machine/genepi/user-password/user-password/secret
+++ b/vars/per-machine/genepi/user-password/user-password/secret
@@ -2,9 +2,17 @@
 	"data": "ENC[AES256_GCM,data:s4vxCXqkVpimQHeT0f6tn5bdUM8N,iv:8keq2DwfeoaOqtZkxSw5SAQ9OwSUnbUWcVDYRdP7s2I=,tag:0tBgLvWkYqkH1RwX1VJSpg==,type:str]",
 	"sops": {
 		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN0dOWCtK\nMEtYRElOTTVvV2QzbmtCbFRidmluTDFNNldFVFNLdFpVN3B2ZQpZS1k1MERzNnhC\nSllHZmlybHpCb2M0aUthV2l6RjVFUjcyb0NIV085R2tvCi0tLSBWOUU3VFI5ZDRZ\nckdsR2lRTDdpeExPczR2L0FyanYyRis1RTFSMW5tMW00CmDWQSteogGg3bdqZhP7\nIvuPgvFOZ9Z0BiYjhVaZ6ufudErOQA2sxVug0xt/7lbnUKD4a4X/vTKTKF2swnf7\nIiQ=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTXRMNnpocFZVSXJxWDJB\nNG5NcmU1N05CMU95Q2FuelRDZmNxVjZ6T1FBCkhpZVJUMElPaW9TTnRGTDdza1Z1\naWdSTzRuSU1Zc3c3Mk9PQiszZmZBKzgKLS0tIC9zMVBkRXFnZUI3NWxRMWRGSG9I\nZ2dhdUJ1eTJoTkxtV0VhaW5DK2I5SEUKiulI8V8jMPrD0x1HUrZSo93wGMz+e8BB\nX6r2NVqjihxoHyfyeP1gTg9jpsh44UbeD8a8i50YXn0oc7+kADH4MQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmUVlhL1hWK1ZZRCsvN3Vw\nbE0ydFNzOU4vck96UTJ4TEV5L29hVVprWlFNCnNSenNDMjlCeDRCT2NkOHg2VWZn\ndnV0NFVOSUpDZHE4c2tYQ3pnOWFYczgKLS0tIFZQQktOTzgrb2VLbUlENkdoZmRT\nbXB6bFZlOUNZbi9oTGhoL3pyTXpTMjAK48AqcEGIViyaQrdjeEmtwPTFL7cfysFl\neX/KGigWG2ZpdUkyxqHvOqIkMI7/61epEpxCOY4ryIX5mZzax3geSw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdVZxMElt\nMUdud1UwTjgrVVZ2cVRuUmhLSGJHOGltWElucUcrQnA4cXd1RwpuYW85YTc2eG5T\nNUVIRUwzVGNocHg0ZElmQ2Z2bXkxQXAveHp4Q1pOU1E4Ci0tLSBsTTlxbHlFbnJa\nS2l3NjZlOFRGU3pJN2g1M2cxMGhNTmVmWEI0Q2hEdE5rCgnKaKy4tZzSu7RBTxT1\ngneaq3mtXjdqLbDdKiA2HJbIs2pbGTGOi+BxqV8jFMXx/z1XzImcdsu3CPYqV+OC\nPpI=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-15T16:16:45Z",
diff --git a/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/machines/genepi b/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/machines/genepi
new file mode 120000
index 0000000..342fa08
--- /dev/null
+++ b/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/machines/genepi
@@ -0,0 +1 @@
+../../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/secret b/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/secret
new file mode 100644
index 0000000..fc1de2e
--- /dev/null
+++ b/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:U0tjahIz+X9nKrUH6urXjx8rfWIdPeF+0wMQtB2/JsCZ35E6w74wvz6xWACK,iv:CoD0FgB7gW22UjH44jhaatXrPt2qX0I+ZVDGyCCZ1oU=,tag:HZg5CnIr8ZRKwoXakilCPA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNkVTUyta\neWp5YVNWOW5iNUc3ZytoY2h2Y01NeUdpbDlvRzRMV2x5WmlrZQplYkJEaUhzWlBO\nRzFYZ2h4QUVjLzZmRlM3TnYzYm5Ua0ordWhYRDVmVVpZCi0tLSA5ZGdRQ012UmRh\nN1dGcllqb3N0SmlsTWdzem56bHJzb09rajQzYzNLTXFrCsE42Jp4HGtYspJ4bSKp\nN4LyDSsV297OeCNsQ+ztRiPCGE8SPdgrce4mivnpI/jpmZONU1uY+7TthBCzfpyL\nMgE=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdmxMdzJH\nSjdTaGJFZEJyQVFmejNCV1FIRGlVOUxnbjE1dGNQQ1FnTkdqMgprRzYzU2t4QjVT\nUXlhUitDVEJnOWZyR1JWelVQRHlIdnFrSTFnbWVVZTljCi0tLSBkN2t3VldyYldJ\nVDNId2RjVmZhZTJUeHEvNzE3ZUppN0Z5ZGRLSUh3cHNVCmbusPriHhV+VgZXN5dr\nntHg4mU8X0vIvcY/V1goQLburmxrgLB/HYr2mL5s2gdldiTh1n2xM/7phD0uKWbD\nN5Q=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZU9UUFdwRlk0NENUQXZi\nQUttQ3FrakdpT3hZcmJJaHNNaFU0WVU0QXpRCm5GdDNMSFZZT2RQT0FlNG4xemhs\naTE5K0dVa2I4Z25MUmVkcnp3ZEpUWVUKLS0tIG0wUEhwblcydTc0c1lzVGw4bkM3\nZW5vWFFsVi9tNklmMWYwSU5ZSllRYkkKg3fCVYwi7v8PpdHkGu6EOaVWubkHBV4b\nXYjb/zAeVfae33qZYQWdxXX8O4ufkFC3+lECERwfL9M6cK29Dc7WzA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZWU1SE13T3Z4b29NOEl5\nRTIxelRnTUxUL2gvMHJPQ2hjT3RuMm5oYUJBCldVa0V3U0J2M1NRWi9odERFWUVS\nRkVRcnlJUnp6b2J4NXY3dFJhVzhUZ0kKLS0tIDFNQ29yVG9Dc1IySEVuN1o5SHhY\nWHFyY1lJaHZwbE1zbW9jbW5VTjVVdGcKjP2huy/43iHqt87pG6Yvg52DEe8eOMcY\nqHxP9IvuTL/bwWibYTW3tusnH95Yny1P9whoayVPA8yzCUpWOuGuiA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-21T16:53:26Z",
+		"mac": "ENC[AES256_GCM,data:UmzngDkTSBiZxhCTWqgzvZIAY2EqsrCcKGeBHRiwErqsC2jFyfUJNC11m9byh6mtYB81vrAFbsQq/kFN0ZAVUfVKqbYSI3ibEFXBbFbKX5oMhFgNs51Rvab61DVFyfn/36u6VXFdkq1FW58j7p8kQXXd/OarC02r7LJzQY0BdNs=,iv:ZJbEM7o1+rsG5/3Hxu+PQ8hARhmoC1QCqH2ElRxfJTo=,tag:HLfgcwexzIoe74Ym5KPE1Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/users/rpqt b/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/genepi/wireguard-keys-wireguard/privatekey/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/genepi/wireguard-keys-wireguard/publickey/value b/vars/per-machine/genepi/wireguard-keys-wireguard/publickey/value
new file mode 100644
index 0000000..9260852
--- /dev/null
+++ b/vars/per-machine/genepi/wireguard-keys-wireguard/publickey/value
@@ -0,0 +1 @@
+zBRJ8D6d3IiZ8HzwDq8FM0g/C+fxn2Ef0HGY5QgsiUc=
diff --git a/vars/per-machine/genepi/wireguard-network-wireguard/.validation-hash b/vars/per-machine/genepi/wireguard-network-wireguard/.validation-hash
new file mode 100644
index 0000000..9557718
--- /dev/null
+++ b/vars/per-machine/genepi/wireguard-network-wireguard/.validation-hash
@@ -0,0 +1 @@
+59769e148d924871d37bfb9d1d73953f1e7681d568eb584be88ffe6d9323af6a
\ No newline at end of file
diff --git a/vars/per-machine/genepi/wireguard-network-wireguard/suffix/value b/vars/per-machine/genepi/wireguard-network-wireguard/suffix/value
new file mode 100644
index 0000000..98c5cc6
--- /dev/null
+++ b/vars/per-machine/genepi/wireguard-network-wireguard/suffix/value
@@ -0,0 +1 @@
+ab23:3d38:a148:f539
\ No newline at end of file
diff --git a/vars/per-machine/genepi/zerotier/zerotier-identity-secret/secret b/vars/per-machine/genepi/zerotier/zerotier-identity-secret/secret
index 515e514..85d6030 100644
--- a/vars/per-machine/genepi/zerotier/zerotier-identity-secret/secret
+++ b/vars/per-machine/genepi/zerotier/zerotier-identity-secret/secret
@@ -1,18 +1,26 @@
 {
-	"data": "ENC[AES256_GCM,data:qiV0iFWH0Bo9hX0k8cusHIShcvuIJ2QqXDF0ea0WZrOLgXTlUzqkRk5PB1sKA1JElGN/2sEmFZJXZMEPlUCNVTQSQxkInHF8UTMjChLRPmq0rRAWSjMzPRhS9slscQAudRhxe6baPxztVlhjqCDFH8JnM9zeWRqZfmgTjLjcKF987ZK7fPuBptY/k/QYlCF4ydnjM1wqgNgnhLxal63ItRwBiwHRkxTgBWu+iW5Ewu4p2/n+VgOI96auy9vzb4q2zmegf8FBfH5ltHppc0bwLCS/VwkYYxyN2pK6y0xOQMTfrDaqNcIPaTNPR/PwxHR0xbf+mHpFUu307LF5iew3K0A4JrDRWo7fF3FYCigK,iv:Ab23CcA2KZAsdKcTPGd8b4VSdL8YO8vJzZ8BqA8m/EQ=,tag:opYwCSueDzok0KDjAS2ZVQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:3lcGW28SKHbpHq/g0xpmNqlemZ1W5DTfjbsIwufl34tYZIlAEITBVRAf2M66k0hUAvl/e5My82zVhxKGW2FcLUghxRBWXM0HIUDssKtPJhSjuDeQ5kBqTLDCGDDuyW+nFi16C8tzp4arszeaS3yENn65iWax9hlssQQiAYodRZoLvFoO3fPVkeDlII8qL5sjCqTdVBX318c4XKt1hi3PcgVCsevV7gD8kQKKPBePMD/hzwhoVcjDBcTigLRTVio+JmYMOQOV3sl65q7j4yB1j09C0IX7glq6s80+YWTvNkAwyeC/N2UvDntgGIC7/+1VvawViOC/2W6rZpkF5orsIJhW95xM6uIaOhAPQHot,iv:a+PeVag/u0K9NP8bg7Cz9sqhTqAf5SmucFbIHlYcWmE=,tag:GyF2gl+zVSQ7MkatjHSbrA==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUaUZ4V0J4WDVycjNvNlRt\nRzVSN2p5RFRkU1NYbEZ4K0xyLzdzQ0U2dGpnCkJUdW9icWd0K2RpQTQvWC9vaXNm\nMERpbVYvVW1VTXkvNUxyTnlqUjgycm8KLS0tIFp1TTIzaVZuSU5QUUZrd0VacVJt\nemE0R2FidnlISlQrWUllZ1oyRmd1SncKeFLYq44Bx9h4PNo44OOLSk83dwJNYuii\ncguM+LjkwHhgMXBDAEf5w0REbkC397yMZ8w9WNaznWhua18kdTIc0w==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcVVyb3Nm\nZXlSQlFxUEdOd2Y3ZWpERm03M2Z0c0RMTFM5djIzTDVldkM1Ygo4RkNPZkZ4OTMr\nVldBL1hYSkZZME44dXZKcHdoUk5nc1JuYytuN29KL01jCi0tLSBzZUw4dlBranh5\nZG51V1hqbTZYSER1NHdNbHpUNmNuTHZ5Q3NUaFV5R3Q0CnwBTtadLTcqhQ2Fi8IC\nYeKNG7DxU2NaAjJ/rwRbVqElFwD8DZJB63U8T5ovXzS0u350EVJ+E5ulSZGUNNdf\nT38=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeU1LM2ho\nNjFuOXZmbWpsQ2VjZGhsTlVvVDYzNEhOUzFIVk1nb0EwR1hBTAp1bEpGQ1FwVjRh\nZi9QTmd5cjFlMVU5ZFluNk5yS2hBZUJHT3pmWlFYdTVrCi0tLSBxdkRIMDVYbDBZ\ncVU1MjlNUUlHcy83dlNkYWkwcEFxRXY5RWtSY2xLM0U0Cj8fxaBr0oJ+nEx6/kNe\nnz4PNXi3veyt1F+VrCBgu2jH+rcb67qreK/8y4Ev8tAOwXshoAKg4V0KoX7z+i5H\nPRE=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMW40RUVtQjByVm93aGJ3\naG5XWG15MkhFUTY5WTFTQkJtTHZmMk9JQWpNCnVvcE85SFRlbGZxUWRud2Y5TFVE\nTkk4TVdoYlJ0VlpaRXByekxFK2xHVkUKLS0tIE9OM2N3dUpnZHROeEwzc3lmNERU\neHFYcFloRm8yV0R1TFAra29qYWhpaVkKrIdKo8C3upVLvFtXRUxc8RNwGOuUdeGV\nZMO/ClmtXvi8WHRa0CMUOSLYBlemC4yrHjK4FKru3BqYqLVtqjydaA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaY3BuWGFNL3B3WkxZZlJP\na05IMDVLNDR3THpDNmExQ0MxVUpKVjNyc0FRCm1JRUw4eHMram1KY0Y3ZE1HK2Ew\nL1RsOE1Ma2FrWE9SL29YbkdLTDcvMW8KLS0tIGFqZW1nbUZSUkVMWnBNVVZlM05Z\nalEzUitBZmMwelRQOTBGVEN2V2h4Um8KlREiGF8kzhA7CGujppwzACGsK+5atVfz\nS6BTPGw8ZJnDHZsux01ePQ1Pyrz99qwfDTubzk4tywayTA8/LZirQw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVWFWMWRkOGh3QXpiaHkx\nbDM5d1FraVJ1eTMzclFxOGNHREpWL0xYQkcwClNRNFYyUzQ0aHdjZ2M3ZTk1QzBr\nWURGcVRocncwTnlZUUFVZVVyeFhRUTgKLS0tIExVZ3Y5TE5pY2hzWVBJNWRhTmQw\ndVJ4VFlVSWE0dGI5YWExeXpCSEdHZncK5METCsDcyAef/spwZ6MXRSqaXWW/RaoK\nZrbKxBn5ibGwOfwCVvtKz1sPy9SyLNUyBw/S0CzTm3wTD/3KwXvuyA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-05-15T16:16:51Z",
-		"mac": "ENC[AES256_GCM,data:mU+46/g2nd8mUPtg64LriMHS5c04QdG+vbGFD2iLxkwpNurp+bEb//Bfuj5txStp9RA+2Y3sjvzz4YALwZkAtgiX9JPH7j5kBoweI7NYeD/CqfnRPGqhA8M9THe/qpeluaNpTKqLOjkDu9eqn9LzFre9DfsmV7MP4NU5dxjRigk=,iv:LMSxSDww17SmmA06L652/kws87IUBthqrBwhGbMe3c0=,tag:bSKDEdURgwt/30x9Qs8JrA==,type:str]",
+		"lastmodified": "2025-07-01T18:02:24Z",
+		"mac": "ENC[AES256_GCM,data:JsFXULP0hM39nNW4xNQjbsTnOJSNS8n0kNiknCEhRHjE3aIfxrnTdP27DOGTotMWrIvk9lWBknHPW2HZQg5IBVQpglYJwCpNzXyP4ipUYAnATpplPFe36Oa/EciExS0Z2l17UKpGIEcxnrWijAsPAuCyQOD7Z44KtXSR6VeCtTU=,iv:LY3umqELBIMSjBb69EW4+LeJ5lXmREZxJlHYIPcrtOo=,tag:nWfh3bBvxtwgTeGH76NpOw==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
diff --git a/vars/per-machine/genepi/zerotier/zerotier-ip/value b/vars/per-machine/genepi/zerotier/zerotier-ip/value
index 69e3a90..ad42803 100644
--- a/vars/per-machine/genepi/zerotier/zerotier-ip/value
+++ b/vars/per-machine/genepi/zerotier/zerotier-ip/value
@@ -1 +1 @@
-fde5:947a:3cec:e1c5:1999:93e5:947a:3cec
\ No newline at end of file
+fd80:150d:17cc:2ae:6999:9358:3e0e:d738
\ No newline at end of file
diff --git a/vars/per-machine/haze/atuin/key/machines/haze b/vars/per-machine/haze/atuin/key/machines/haze
new file mode 120000
index 0000000..db9551a
--- /dev/null
+++ b/vars/per-machine/haze/atuin/key/machines/haze
@@ -0,0 +1 @@
+../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/atuin/key/secret b/vars/per-machine/haze/atuin/key/secret
new file mode 100644
index 0000000..66cd82d
--- /dev/null
+++ b/vars/per-machine/haze/atuin/key/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:fF1De3CumRtONLJXCxgV/DDy0DbWdEDcgTEf9PB8nI/czxsoe+iQ1nbbHrNkG9ZqJQl72nXL3+y6g4OssZ44aQ==,iv:0oCUhhAJNj7fQLxqLlSiF+rWpDrk/C/WX9+fwWnNeM8=,tag:FzXudt/aGN93XSfaLRMHwQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdEVKWW1Q\nbUNBdVA4cjdPUWNIeDdnRnFaVUJOWjA2WTYwb1Z2ckFvdEw3aQpvMy9Ic3k2WUxk\na043azJNaXFXbThwTmdmRStnNndFdmdkMHpUbHlVa0NrCi0tLSAwNmp0NitzeWx0\nTmtaa3NKOUJVZFI3R1Rid2tLUnYvTk1ZRXRJVUx6Vzh3Cj7g2RXgUtHC8qL2UkbC\n8DXqgbbJUVlqzhnoNbiIZyt4oHYNayV9j8TsBcMwL0ZipHdqvcfIp6ppW5qw3kn4\ntNE=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Y0QzZTRsME9LUFR3Rmcw\nbXUvUDdkQzQxVmtBaTVWNnNadDJTYUR6bGpZCjV1QjZDOEFjRUVycUV4bDBBMUor\nMVphN1FOZ0phNFRIa2dIKzRVc1RmYTQKLS0tIGNYclc1SHovS1dka3VRU2N1VFp1\na1VreE04UTRwUGRTUE85Rnd3dmVuVW8Kdp0IZDe+Vfa9U0i6t1GBJNndldrXF5Eh\nVPn8TEtAC73hVRDtMKxhqOKlIAoYBGoVxdeCJ/rQV6zI+Paci2+4SA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVDBVWFUwQXd3Z0NjUXB2\nRmlEOEtLSForYjl4dHp1cFd3SHp2dlYrWjFrCnVPVDA5ekxCMU9lb0d1c2VEWXF2\nN3JVME55cVVCbktYek1MSXoyR0tydnMKLS0tIC9uZmhhaTFjMEJTczIxQUt4SzBH\nbFpnNE1TUXN1L3BQL0w5UzFhTGR2dWcKykTdCd9RsebnSCgUSAguWLKVdd3XkQ0G\nhL+yAQD9hff235UVlmJ4eFt0pIGyHrGwvNCCErh4Ng0lY3pHxDsNFw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNnVETlB5\nejlHd0lKMlFFVENkdnhzUDh0Vmxqc2xDQTNKQStncFZZUmpoNQoxbEZSbnQ1ZzB4\nczRVS1JncVdNTm5XQWRESVdtQmF5bE1MT1lGcVVGU0VzCi0tLSBhR1ZHaCsvQjBQ\ncmtjdDVYaVc2NzBNenZMOVhMdFNSR21wbHdYVHlURFRvCpaDO4P9LKhxVpCJW5qp\ndbEA+voDUPM1EAlFWVOesJOf9VHrDgwjq18pMhZg/yUawYIoFtDqj3WlPmShHrPJ\ngu0=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-27T14:56:54Z",
+		"mac": "ENC[AES256_GCM,data:T9Z5jMebdm0UuRsnrFXYxg0Yylvn5So0ZqaEo+3axRMfjq5MS/sikz/nRGhgD5h9OTRk3tWndBB8aUO9u8QE+s+L4jM+wHSD1cI0+mc4/UuQgcs09tVxtCSFED0ETp8Iay0lhl7+yKpImPys0RpGNd4Wjn1qqExXqQ4M5aYcBWQ=,iv:85NKSnnrOGUtrriky0twzhLstnkjFkL11YxXjsgF+Js=,tag:VXb0q5eZFLxW7yE+SLZlYQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/haze/atuin/key/users/rpqt b/vars/per-machine/haze/atuin/key/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/haze/atuin/key/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/garage/admin_token/machines/haze b/vars/per-machine/haze/garage/admin_token/machines/haze
new file mode 120000
index 0000000..db9551a
--- /dev/null
+++ b/vars/per-machine/haze/garage/admin_token/machines/haze
@@ -0,0 +1 @@
+../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/garage/admin_token/secret b/vars/per-machine/haze/garage/admin_token/secret
new file mode 100644
index 0000000..8ae40b3
--- /dev/null
+++ b/vars/per-machine/haze/garage/admin_token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:5jy8TnyZC5pnZjVHfu2UG5WP0EqiYIAzkxNsfXi49SQM0Jj0YcDGnJK5rhQI,iv:QdixTsOqXAdK28eggOekBsAiecwoW5IIOQLaGJ8TQ6I=,tag:whNmkf7n3HwtfXo4mqsODg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcDFEeXRW\nNFRKQ0FZZnZrTlNuZ1BlSCtoRGZGMU95SDB3T2trL3kyWmtobgpTb096SWJyY0c2\nL290WS9nWi93WTgxd2dnZGNab3JGc3VlbVBqa3dXN2VrCi0tLSAydWJiS1E0R1RY\nRTBsNXJEZVZXbnJVYWwwTEJMdXE2cXF6NVljYW1QTFljCtG5o/LUk1Hmu13aOvf0\nikkI4f4ipg+WpPpWENn2MS2jZ2ZQgP+tauNFwvlJjNxDXB+fSK5RtnAUn6CAzjfR\ngyI=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNem5wNFEwVjRRU0NzREQr\nSmFZTHU5Y1ZTaktGSXZ5alh1UFIzd05LcFZZCjFUMDJqUkwxYis2V1pheEV4Mnlv\nTE5UWE9qYnUxRkpQSjhKa1FsUnQyeUEKLS0tIHJ0TXczY1Rqa0V0RVJtNm9RdW9v\ndTVaSVV0dFc1c092SHNoUDZUSzcrZnMKLDoWd+qdFT/9/83jIxWIcQ8BBed2rn3r\nRugPtd3BWsUK6DF/7Oxofcw2ocz8DY/SjieYARiuAjK57IlZQxYEvA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUFB1a3ZNalJ4L1NYd3hj\nZzFCWFN1M2JDeWlDQ0U3aTA5S2FMRmhGcGl3CjN2ZzJMWDlqN2lhRzcxcjcyTVYv\nckdJRU5BMzhCNVdKRzJDalhKdDZieWsKLS0tIHpOTDdleU45c3hwSmp2dlNLVkhS\nQ0lweGkwWlF4ZWRsZXlja29xK1ZXeTAKddB/O8Ed35cNcjXN2zC+/khnOP6Qim81\n9jS6slVfX/5B9QJ3FZ46TWj2vhmHEDo5vSvdgjOmNRbppTlu9XAiFg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBL2pycUNG\nNkh6bXRTSGxDNDhVZ0pTc3V6VHp6cHFmMkdCUzVITnZvdkNLVwoxeDFMT09iai83\nTmoydTQ5TWsydUZrdVVzLzBvWWNmWENjYzNvQ0R0aHVFCi0tLSAxUDEwWk56dlF0\ndzN6STR4NEdYa0NkYW50WEtCcWhXN1dWVlA4bjRkSDhBCnUZ2Je2hXHMRJuGyRDQ\nJTMRUi013wD3DTgmLE0a40HuLIQud1+fw0AqjCcJpRvz6kQMBMImiwDhm57+LVqo\nn1I=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-20T19:06:32Z",
+		"mac": "ENC[AES256_GCM,data:uSwnPaV5+fi2czQoOhb7aVlYHejjXDeXkUZ1JZbH9m2//OxczfOvue66kVQiiq+m9QdgDnAHKy4LK3JpjuxI5QG/6wPx1aC0CisrjQx+tY4Cw2+mTfgiWWzCrM9q5URVFuxZ+TfFapeHMCL2CQZnLPvesbDwv4wNjLYsvJghVjA=,iv:AnVTpfgULC0bdw802optkPQjk7tDCBpzv3EiQEEfWeI=,tag:eGUZWCmjMl9m1PC1QTVWsw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/haze/garage/admin_token/users/rpqt b/vars/per-machine/haze/garage/admin_token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/haze/garage/admin_token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/garage/metrics_token/machines/haze b/vars/per-machine/haze/garage/metrics_token/machines/haze
new file mode 120000
index 0000000..db9551a
--- /dev/null
+++ b/vars/per-machine/haze/garage/metrics_token/machines/haze
@@ -0,0 +1 @@
+../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/garage/metrics_token/secret b/vars/per-machine/haze/garage/metrics_token/secret
new file mode 100644
index 0000000..538e535
--- /dev/null
+++ b/vars/per-machine/haze/garage/metrics_token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:2sVVTEcBqn7eIZFpKfEWJ4kU1tS4o78cv8VosjG8s3JmXcTxqHczEdbs+gVA,iv:T1eDOxyWNiwDl7+kZKDb78J+A3t/E+0okj1s3OjyyxI=,tag:wDmMUJp1I/vTm4XsK5gHPw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcW8xZDBl\nMkp6Ym9vM3BZWDVGa2JaR0ZEL3VjRER4Tk5Yc0RQc2VWNlUrTwpXckluTHFPOXBk\nNlRiUzNOWHlCeWNLdnV5b3hmUkVSSHVCS2psdkdVUWpNCi0tLSBFZ1RIdExZUkNl\nZTZ5alc3eDR2QTNRNjhNdEFWeE5MNVVHT3FjSkdWR0FrCpWlbh80ZcDR2Pbh43L8\nGtTLxW3muuAqMUy9wtykc77FTPkzT86rz9BUb+EOvWJlH1HQ2mr6qCDsRPH+OhQb\nGOI=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dmNhOWZhZ05FRDZ2cW01\nZkZKZkUzZ3pIZjA4SzRzb0FYQUE1SE0rR1NVCmdiK1ZsMTRJc1ZRelNkNFhQeGlz\nYVI0S2RjS0pOTis2dldHUzQxUVJXb00KLS0tIEMwSXZvM1NySzZ5TzlRSklCSEVj\nUWUwekRkcWFHNkczU0loaTdtVVRFYTgKGVgbrHrBl/wNMR7/zeENghs1jv+Cghh9\nuDBCh6RwYV+vWP7bf/hqZUw/e0bXnbIVgcraunQkUwYpgSS5+B0GXg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS3ZGWG1sQVo5MnlVYXNI\nbHQvVU1reXpzcngxZ3dPbEZFdFlhemdHOHo4CnRFMlUzd2hqdDU4SW1kNW9wUnRn\nbWpuTnhDYmVnVHRrN1dpaWJBMldHRTQKLS0tICt0M1JwcFlDQVJkem80Rmx6TTg3\nS3JrQmFTZGVqdGVlYTI0ZktWaDJvTW8Kq9yjcHnAeGA8qduq/d11awVM8uE82jHo\n0bzID7kjWXiDNKrCb0LXkUthkTt+21kr/qkdG0zmn93eomIbaTm+Wg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNENKaERF\nS2owNUhGdVpWVGcyZVZWcG9BZFRKZnRMc1JtbUIvMGYxNHQ1bgpZM0tBTmJDc2w1\nVEFlMkpDd0E0SDhDSjcwOHV4WHRZc1NGRERuQmZQNG5nCi0tLSB4RUUzcFp2WlJB\nejFTeTNCMlBDMjY1cEx2YkdtUXBJL25ZZFlEL1ExUDFZCptl1mCTAVpTY4lB2Aqm\nYUVVNezPrM15OA6GglDxm+u/gxxtC6yBUFHtsThLypyBMJ+r+4BHF/UOp4OqLxGH\nzt4=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-20T19:06:32Z",
+		"mac": "ENC[AES256_GCM,data:UmVIfwKSX+qHb0nkTA6Bm0pK+j2p2zw1iZLxM1469bICjdyWJCa908kjEzDb/aozx+KGi6LyoIUFHVyBoJKhTfgyiHg8iaEhhWCXNwmNswdainswtN5pXE94dgx7ycGs1jLd1R0bOI6RdziIv1vfm3DGMhw0dszVp44HF4UM4iU=,iv:71/Plcqcemhnn7y7DvffsVXmF2pNmpt5UwHsY0eVEls=,tag:zAn8d1IXZ/5GL4g+F8whlA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/haze/garage/metrics_token/users/rpqt b/vars/per-machine/haze/garage/metrics_token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/haze/garage/metrics_token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/openssh-cert/.validation-hash b/vars/per-machine/haze/openssh-cert/.validation-hash
new file mode 100644
index 0000000..15f8ff2
--- /dev/null
+++ b/vars/per-machine/haze/openssh-cert/.validation-hash
@@ -0,0 +1 @@
+5c9d0944c4f6abc9765b12a4c4eebca296ec914fd8ee4e4691b9c40fbdef57b7
\ No newline at end of file
diff --git a/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value
new file mode 100644
index 0000000..ddf64bf
--- /dev/null
+++ b/vars/per-machine/haze/openssh-cert/ssh.id_ed25519-cert.pub/value
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAICBUNOo7T8sn7F094li17lssJOCdixjDhLO6eGlO72ZwAAAAIIyNC2sn5m7m52r4kVZqg0T7abqdz5xh/blU3cYtHKAEAAAAAAAAAAAAAAACAAAABGhhemUAAAAVAAAAEWhhemUuaG9tZS5ycHF0LmZyAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQHVWtdcrv4w8xc/YSAJmGkulkMfr3QOdEEGBZLeARu15To31xtScc4U5WhMstZRu9rWBoVENaUIuo0poRvHT/Ak= nixbld@haze
diff --git a/vars/per-machine/haze/openssh/ssh.id_ed25519/secret b/vars/per-machine/haze/openssh/ssh.id_ed25519/secret
index 8f048ef..adb8199 100644
--- a/vars/per-machine/haze/openssh/ssh.id_ed25519/secret
+++ b/vars/per-machine/haze/openssh/ssh.id_ed25519/secret
@@ -3,12 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dVVLWVdobjJEL1JQNlFW\nbnFlWXNuK3Q2d01kU1hoQXBWaXBFNXVkVEU4CkFlbzZTMnpwUE1ORU9zM2l4TE5O\nc3lsUjRaVGdtdndldEQ1UTBONEZvejAKLS0tIGU3RmEvYnN0UmYyL0tPUld4cStD\nUVNaSitqZU90TzF1enlBZ3E2bXdXUkkK3WjZzeEbbI/IzC2iyMUtIahzuojJafVY\nhPYUfahwfdt8GDPp7dIsed2IoeS3xnPaHZ9+EhihH/xPZtz2oAIKvA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNng5Ly9J\nczRTSEFMOHlmbEVkV09sVE45SjdLLzFDd3g5d3ZYb2M2N0kxSApkUUM5QXB1Mm1F\nYXJ2eGhCU2s1eHRqVnBMRm44RWl1YTdBdUFYZXJSMjFjCi0tLSBuTEM4RkY3K29m\nbWp2SDJ1S0poWFRrSVZhQ2UxQ1dtODNCazlydEt4MiswCt85xFy0xUKnjxTdea4w\nxSaCvi4ABykBbSZx9nAnZ+PVxlM7CYSkmpYkQUlrwQN7URlfXVuMjhyQF5qr3lzx\nIfY=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUFJqaDNIY1UweElXV2J1\nQ3JWY0pOTW00WG9pT0tJWHNFb0hoc0cxNUE0Ck91ZnJLc2lIWlY4bFArazZwSy92\nQW0wRURrdFNwUHc2ZU1QQVJIeVp3NVEKLS0tIEY2bGJMblRMUjExWm11M3puUE9x\nUlRwY2RSN01taDdXbko0M0s5OTlVWVEKPv1/4E0G0tpwXPpRQrodugA+v9vIhRD+\ntGwTvCJ8z63CQo24Tcb7WNEZ/bDKfS2p8VH6QV8CAJvWWFyF+x/6NQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVUYzOCtQTkJNdWJjYkdi\nQjM4VFhDQnRoeXVUZXBjNFRhemhsSS9haHh3CnR3OHNLV05PTFVMNTE0dUxnbVVR\nWlJlNFJ4QzVvVTk1bnMrd2hzWHRsWFEKLS0tIE9ORnNzT0I3UzhVbExndHBUU0ll\nNjF2VkJKWFh3WDdzdGZ2enRrMlZWQk0K/33zWJ0B0i5Y2W1zqNRKik2iC3GoJXFU\n9jmPH0BmIU/C32bYgZkDAGPkZbqON6OdhYQ4LwY2GTNpQYcQwd0+Lw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdjBsVTZwUkdNRmN5ay9h\na2hoUUYyZkVieW1Ia2oybEFZa3pBZUpJMlNRClBFenB2NXFNVUJIWERibEgxZGlz\ncDFMaHRMMEM5M052YnJmcnhkeEtvajgKLS0tIG9Hc1BUUVdVYTdESVRrK2VUcHpD\nOG4xT05MbWF5aExjNmRWQW1VYVVldlUKr6FPttKwPIeH+lrbcxVq4yNymRj2Oa7Q\nfWs599WWjw3aSdlHVafgABcqKrxqSo7/gEGy0rtaskzWCQ0pGVe7mA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBL093UVk5\nR2F6NDFBSzBLWkxEdXM4NUNYMmdWQmRBQTNyQ2F4QWxjNlhNZgplOTlMMTVDNEkv\ncytvaHZNU0kyL1dwVlhmWlY0SURQQUpPemNMc1lERDVjCi0tLSBKZ1lOekMwM2Zk\nZEN4cm9TRFJENjUrZmwzQXovMmhPeUV4S0tCRnFlS2dNCrBsWrp9sW0DBMKrEUHI\njWn3DwDsa0E8A72Mbtm1urdE4zyIU7VBONOe7LUzHBNe6Lq07CyJ7mWXHzORQ8Mg\n9Ik=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T21:17:44Z",
diff --git a/vars/per-machine/haze/root-password/password-hash/secret b/vars/per-machine/haze/root-password/password-hash/secret
index 4a4d249..4c9c96c 100644
--- a/vars/per-machine/haze/root-password/password-hash/secret
+++ b/vars/per-machine/haze/root-password/password-hash/secret
@@ -3,12 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MzFlb0tWcVAvdExzSWk4\ndjdycmNsbG5xOVFXYkZzN1ZpT1huQ05jSlJFCm9qMDFybjV1Mk9qbHFvU0VCNHlM\nOUpqeVoybTV0c3NjZjlzcTNFSlpQelkKLS0tIHcyY3BGWXNIa0I4NFFHWDFqMFBa\nZG9sZkxMMjRSRUF1ejU5eFZVZWRHbTgK/ZExg03rN+OA/PX/qomcB2nJqQk55haA\n6Ok/1mzgtd4qeDp3tQDn2GqxHj0+Glua4wA55uLeBN7uRgT82IfNLg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNUtxV0lO\nR2M1N3BJd2FRdE1xSFJhbUpJU2ZVL05mNG9NSGtkL0ovRlV1RwpVRFdSQUNyQ2Y3\nL3A3YUpCMTJBb0N4ckczQ01BbTFCOVozUnpFVTNEallZCi0tLSBHdG8yL2tPOHZT\nb3MxdG5QQTRieUtUck1OdkFadStmc1U1UkI4Q04zRiswCuQu31tdmdxlaKHRE+cP\nd3TPJgOMhcbjQqr60JNw4i9pCktiAvGd52gcIYCCKUGYM5QvSAt8JqYJ9F/ZcRVV\nTZk=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5SS9iVncrQVRkYkM0L2hH\nWW1oRWlKT0FmNDk0QndYNTllOTZyS2Jsc2hJCjVKRkR4QW1UcmU4bWpFVm9VVU11\nU3VQbG41UndSWG5wV09DeWVIczE1blkKLS0tIDdwN0FpQ3A4bWtLa0k4YmsyRzVR\nMGpVNUxyM2VZaVpjNm5wbkF0SHludnMK5RxjTcybp5XObn31DC27rU9TDy4ca6oy\n6rn6hX/9AHCq7qAqhjvb4fF+7cwW1WYWZcAdWuWKa8EO/Xtc2MeMXQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbGN4UHJCRkFOclRlL1d6\nVmFzV0FabWkvcTAyUkhYVnFNTHcra3gwZkVFCjF2V01uZ0lyUzZIcEFqVEsxc1Br\nZVZIcGhOOHF2SWlVRU1aK2oxQjNISDgKLS0tIFlQdHhacDFpUGkxaE5lb0JjZlRR\nNDRkWWthZC82SEs2ZU5pWFlRYjhuU00Kv6ht3pXNcgaG4zNbMuhu7B+7lZcZdk3s\nxLLW9W5/M/s6NpwxcxGSkpK7tk6D0etUnuDvZNmmZptEKmrmsnwj9w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQzVKdXpNaklXOWlEdWNa\naW9ZdVRncTRxcE9KZXlZZU1OdFd0QlpvV1JzCjJTQ2p4MEtQUDVqU3lYN1RZcUh2\nSVNQTzlsVlR5dXlVc2xuU3YyVlh5bTQKLS0tIFd1UWpTemxjTCt1MytoSkhHNVZM\nbGc0L0NPTUNPODd6K2JMMmNQRnprbW8KyNnslioY4vi4w0mzyIstqsIlKT8EJ0r2\nBIaduiQkhdVlMbNRtAIN/TlcL1jUZUilx0VjaFaIiQaq8DlJxZ21/g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeGx0aVR1\nUERLVDdFeUVIMHFSYkhITTBmM05BcStTeis2WkdQa1J0NnZ1dApUZUkzUWFLWkRt\nZ09ONk9LNFI5Z3RYeVRNQmQ1eEtDMDNIZG5DdDd4VjBRCi0tLSA2UGJ2UE1CN25n\nYkZzUUk4ZVBoT2Fkc2JWYUFaYjR6WS9xZlRsT2ZhYjdBCnV1S7LqTPRu4RFTtgiJ\nlGnNMOeyQat3FDFzt3ziheFHC7KQsvSHmLL3bdaV9GghS/L/Gtrk+ZJbDXVKhNJ/\nML0=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T20:58:38Z",
diff --git a/vars/per-machine/haze/root-password/password/secret b/vars/per-machine/haze/root-password/password/secret
index 7b8b6a8..c9fe3cd 100644
--- a/vars/per-machine/haze/root-password/password/secret
+++ b/vars/per-machine/haze/root-password/password/secret
@@ -2,9 +2,17 @@
 	"data": "ENC[AES256_GCM,data:ZubfHil6U+zDmAFhVuNKPwpxv02As6JZNVRm,iv:7/UnzVA0yJ5nWC0m9eW6ZQ8N/gZIvxldT6jONbEbcUI=,tag:OZxm7fkGRkxJahq5/79Ctg==,type:str]",
 	"sops": {
 		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBb2g3SkVF\ncUREL3NZZmVNSEpySkpGRU5kNmdxQ3pJZnpvT3JpaDJ4QStzTwo3QU9ueC9ObjNv\naUYxd3lIbTk4L3JHZHZGeU0vb3FQc3dqYjBmNEczbmNJCi0tLSBoalFlMXNLSTVU\naGhWRDZORWY1ZVJEY0JCNUtGMmhuTDR1WFZoYi9NY0w4Cpf7AdOaDFR+Mt4VGota\nA60hpYJzEFitYD5Ky66j+R+z3j9o2mLCE+1UH/Lw0k6cBPECAPBGUR1l27Dl07OR\nLcw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZGdja09nbFdOSEpRd2po\neHNCdm1NTmh5bEpjZURDZmFKT3NsWitzaWowCkgrSGpTKyt5MzFPZTJoODZBb0tl\nYUxueTgzLy9RWjhXdWEySzlIS2hEMkEKLS0tIEQvMjZTcldjdVRBekxySUc0Q1h4\nbTR6Tkp1Q2JnVU9nRUdHbURHUFRtaWsK3Zq/MNzRV+oViZIn36RMmG7St49I++QQ\n2s+DNrzT2CkGdpXwSegwrxDZdnk6LJ5bJbl8K2POQnDFtvQqipxTaw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSHE0ZlBud2Rjd0taSkhx\nUlczSGIzK0hmMEVzeDFrQVlqdWtBSFlQTHdjClBUK3B4cUV2SEZIb09DWjBNR2o2\nbXZPS3dXNllrUzRmczhiODAyQS9nRmMKLS0tIFhZS2JpTTNNYW5xSTA2TVN0Q2lK\nZ1BSOHVsdy9RS1BONzlzK0Y0emtQUGsK56puPRo0YfMDYtWtK0JvxPOH9HyoNeeK\ndeGwe/S1AjtrgnmJ/1h9UxPPHF5c2h7v1XgstiFfSIAvLCRMvk1sIA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNGlTZ2o0\ncFFvSDdHVmxzVVRFUGt5Y1FqTGlGbmZ0SFpsR0FIM1cxRTFVcwowUWNFLzh0Rk94\nOEN2Z2pxRE5WUW5lMkZKTjE0VTZuQ3ZFdzh0YUg4ZE1ZCi0tLSBHdXpvcjJkeDA3\nbHJDOHIyTkViQ1JlNWVOeER2YWJHb3g3YkZ2Q1ZnVEVnCpcxFzHlO0q2vCsym6gF\ngV0P0sJOorI56UcRUR1aJhhpTuqskQcf08CVOcmOVBQm/l9NQX9mdpp1obyQl94B\n4+g=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T20:58:38Z",
diff --git a/vars/per-machine/haze/syncthing/api/machines/haze b/vars/per-machine/haze/syncthing/api/machines/haze
new file mode 120000
index 0000000..db9551a
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/api/machines/haze
@@ -0,0 +1 @@
+../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/api/secret b/vars/per-machine/haze/syncthing/api/secret
new file mode 100644
index 0000000..6b2ae4d
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/api/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:wdyPBmRCVrcFH66X01F1VzFfGkKA5hhIEa10WUMfnoM0,iv:QJBi16RI0VvHtEiwrtk76oad/LNqG+xOTPWHS8R7Kys=,tag:AnaCwhmtbCZ6MaJvrRNesw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBd3pvVzFV\neGpzOUhjZ0NTQXBQZG1yZUVsWHRGZW51OENVOGI2MS9ZWlFXcgp6c05jR3hkam9n\nWjZpT05vc3h2cjQvczlkWTVQTVh5MjhXak4xMGNhdzZJCi0tLSB3SkNUOUE5TWVZ\neUxQc25FQVI3UGhSMU1hQ09RaFZVNlg4SllyMEprbWlRCgYJ3cLXwmIw0jcgeiCT\nWE5xJAyX5ckFsaz4m/Wy3agRyuEZBn5xU6CXVFxhnLKPZZFvKoHxm98MIC2MqTXx\ne7E=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeDdYOE56Qy9yNFJWQllu\nenFPRkdiNmxPUW9yMFh0eUc5UEhiUERqSkJNCnRGSkI3MjRlTHRVRWVRTUhxY3RE\nZGx4NUQ3TWxxT0h4RDR3elBON1E5M1EKLS0tIDhBUkFwMVEvWkRPWUlBdVdITGEr\nYzIraktjbFl6bThoQzFxbnVJaG5UT2sKVXn37flCFIRANh+wWVB4LSXcO8W14G0I\nqsPYPqB6bCHZGkCJiCPoxfPwJkmED659xsQ3FXAOA4+/Deu4IjlaGA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycktKNDhnd2l0cGNCYWRp\nVXhzNlFRcDRNWmRyRDZVV3RyUFBTa2lOd1g4CkxwOFhzYllGZTRKaXpBRU1zTStG\najNXU3lJRnBhei84dWNHTXhhaFJPT2cKLS0tIGhtOGlYVjZoRHpaQ1RhTG1SRlM1\nOUZYMkdPTXN2UkFOYVhabUFLVDNuRFkKvRy0nRWKvMSAh+oOO7w+d8DdTbWOKp+g\nMnhTJxDIDtZ0BuEoF+ekPLmBO9OCnZhOOTamVx9Ip6KEdI6IzwOPcw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM3RTaUR4\nRHVvSE50cDNSNStCU1FmV2ZJK3NzeGsrd0VGeW5zK0tXWjJlNAovRGZCZldBUXhD\nU1BnT2RxdG1qZWd0UEtLMUt5UTRabkVBaHRqQThKMi8wCi0tLSBTYVlQemRVeEF4\nSVlBa0tnd2MraGlJd1pmTlNvR00vS3RWbGtBV1JCcDY0CmPlEEkFY+7Zvq8pPeWN\nWernuH3s1x8f/35HLpvHlFqLKfgeFtafgH6DlvuhRPdwP7ElxQzvK1iQx+LWu8QA\nUgg=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-21T19:57:39Z",
+		"mac": "ENC[AES256_GCM,data:6B5CrRGH5vjVJ40DUoBo3y7g3Dc+YrsQ1QCwJjUeob85HYY69EF4QEh60TyAW02jcX0AF6m/qprG+66huqqnKcjlI3nlda+WFSQlL3wa2KoT6DcEwgi0p6GjQMT83WYOJBmKfAkd7vCbAnR+IJDiPW4fNpfe0eMsUBUs+EX2+9o=,iv:zrJWdjKABkpGy+F45zCfJtTNcfpGtF9RNsmH0ylsatM=,tag:QTi2ln4Uhq9gppxtA6/IYQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/haze/syncthing/api/users/rpqt b/vars/per-machine/haze/syncthing/api/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/api/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/cert/machines/haze b/vars/per-machine/haze/syncthing/cert/machines/haze
new file mode 120000
index 0000000..db9551a
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/cert/machines/haze
@@ -0,0 +1 @@
+../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/cert/secret b/vars/per-machine/haze/syncthing/cert/secret
new file mode 100644
index 0000000..c99828c
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/cert/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:SKGdJPqhv+RHwVkLjxdeWKfWwR4Oiyi+ftWJ3SmGsqLEQvuXzXjsivIRwYPw7EWwMDpgh8GD28iV5TaUmthcptLucKuWk6no+AXhc6diEeRm6YEh2BAN/L2leNN0l8Dte6wG1O/1FwBQ89qHlfuJZpxCsPZHz/+Xr734F1+mbkrgat+ItET2wvqT56UkSkct0CGMqttY0IlxEVCfxZF3R/I2aQI0TOyTciikBy5yJxvffVReJhfwwJvE9PedZwjiauIxvKbvuev3+WKzLYXEr4jPqFaTI+t/xYVlWXSlXQNot/FlOFy3cfw9kKb5R/l9Xst05xA/5wMDDVEBdx1lbRxTWlS7ZYJDyZbNRtTkB6jYe1H95IupVKrnt9nqLzEaXnxzjonHrJNwopW0sF84XL9HZ8g1u+ZTgCz7CuRzB8WGacBd/nt8NIefgpeS3Coj0XZQx9cMIQM38P5eJuiM22ardknZ8PxCBCFeqXxwrddyTfrZY+FPRrIP6QK+aVMRn7998qqaKlPA0itgvyTYIMHIy3KT4Rv9U8VEfItauDsUCzhJ2TDOIuDpzCTq2pu628WRJA3jbJns0l+XSo5WUEdjK1IXTUOLsaDm+Mph2vty0IRAqoc/JV16WOqn+SeCFxdvy2eOJuosj/6hknKrSP01ptaEhrbZWFsfAVrhc2iv/9u/KpEqzn4f4XAlFkwSevBePnUnYYMrOAuI8OmmLUsWHv1flOTJmbsWLNT4/VYf4z6C9knIiz8Usqpg3BgYIt7XcntU1VWBhpwnzaIA0V4aGtoT9VyCuLP8eafkncaUkFXvYJDge9GJs+JXbrIa6WL2lRXltq7iIcu3F2FCu+sQa5pBuLTZa+dsTFKYoU55zXWRS+kXMe+M4soZ3HwxWUxN//n7KmJWN5Lw+qyNMQwBuraYCuFQR+LL2gus/Plaq8pEmi3u/sl+deU5nKW0pvyjJsCRmLW0Bj1XgJhuNGxqRhdQzHhVfs4TB5U/Na4FLsQRB+kXShz8hb4N99YklGbQ8+aNGJkgg8PnfJTy6kGCTcZnig==,iv:pOJFhXC2+945P31AI3XaGogeDJiLreZXDcBu8OCziEA=,tag:q0/fTUGO06uwq+c7CRf6EQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcmZDT2V3\nK2FudForOWpGU0FuMEg4N3NhbklSRHJVZXNUR21jaHFoOHlkZwpzSVkyQks1MmUr\nRlFUbThvRVR2ZTEySnM0bDNWcE13UHloalNQbnI5cEZJCi0tLSA1WDhmZnY2NGpY\nWThpVkpPUVFZOEMxQ0JlY2ZycjhYNUk2SFgxTEI4OElFCu3r0ynvoeGJ+5y02o1Z\nyStTO2PpxgqNAqB/DVjH75xpQIPb1gqNFaR91xeww7lK8F5hngiKrut1I5Uu/aK9\nscs=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbW1EUUVuR3dObVc5YVlI\na2dRUGNrTnBrSzU3NmRWVGdreEdDVTRuSlFVCnJyRHVJK0tmVDUxdHFSRlpxUWY2\ncCtZeTZPOFpnWG9WMWoxcUd3Z1I4S2cKLS0tIFJ0Y1dBT3NqdWM4aUVvZk9GM0Qr\nOGFqV1pZcXJnNWpSY3VER29jSzhpbmcKlgd/ahLtBvAGRzu2w4ddn0wXz6LwoDzw\neD6HO/TSjdN+tJe1fKcdnywi1XMjLC4qkJiYz64TcE/7vEmVt1YPnw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKeXlpVzgzRC9SNGQ3QjlD\nMjk1SXMvSjNtcFRJMTZhK3JHb3pjMGR2b1NZCmpTVTZCUWJXRmtDY0o5TkV4cUVZ\nWHRseVloUHhWN3kvcTV5TjFNMUdWWjgKLS0tIGYyUHpjWjhwZTAzWTU4dFZabXBG\nMkNMbyt4NlJOM0FxLys5dnh1THZ4bTgKynU4/ygzPLu9u/ye9qLRh8tq6Ajohxjy\nskz0FgGkX7EPRWYuh+v6/vuyKuqke1peZERCLb7WwLlKfYJLeKl9Kw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdGVPVVFV\nSmIrSE0yTmxYT2FpakhBaDkxelVGRzk1dTdWcXZqMHoweTFnbwpNbHFyUnBwUXph\ndWw4N0xONysxRFd3U28wb0d5aG1mZFZmZ0RoY244WTQwCi0tLSB4R3cyV1ZIbzd0\ndEZmUDNRb3FYMFdKcmlkcU1PWFRJMld4SDNBRDRkMExFCna+auo98pjbmBEm212P\nM9HFzbUmW/nQNzFmCmtBPZ12TLYghJIMWciiCz8piN4745Ff5HwKHZHq8AC5l078\nGAk=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-21T19:57:39Z",
+		"mac": "ENC[AES256_GCM,data:QfsTZ8clnaM49i9v/vOGNXC5MQWVeTlSQRe01+TaTSoQCbe9weCgpS0RuIFMMDYfrgjPo+uywsQqtU9h2TIcaciZECm2IlQlBV3E0KXu8YhIZfKdEVw8WubBDaoJ12EoxYLzWH6NO2T4fe1W9oWiPkvXtH2F87JshFQHxU5bjSc=,iv:xs7pXaDTRTfzQH50/ofCox+Nf04q7HaYOhG9YEI9p14=,tag:iu2ZQRZG/YX/4RhJtDq4mQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/haze/syncthing/cert/users/rpqt b/vars/per-machine/haze/syncthing/cert/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/cert/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/id/value b/vars/per-machine/haze/syncthing/id/value
new file mode 100644
index 0000000..c533a73
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/id/value
@@ -0,0 +1 @@
+OAHRNIM-ZGCKX6L-TT6H7CU-PN37K5R-NSYD73B-MXNMCC6-X7V4ZVX-PXDWHAC
diff --git a/vars/per-machine/haze/syncthing/key/machines/haze b/vars/per-machine/haze/syncthing/key/machines/haze
new file mode 120000
index 0000000..db9551a
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/key/machines/haze
@@ -0,0 +1 @@
+../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/syncthing/key/secret b/vars/per-machine/haze/syncthing/key/secret
new file mode 100644
index 0000000..f14471c
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/key/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:VTGonbJui6BXQSPh6IgxYqh4bJuNNplBzYr9XmddQuVgUheuXOWiIZdWIKQh+/6xGX7J3XRv7hsrmE5XJjUwR79mSgVGwa2K4ZASv8aRZ1JVuephtd9OvJaazCjeA5Y466XJtw6NEmbRiu3SCxItj8Rqk8NeLnX/QzfqTA2ICRBWDq8tBY5gYgDxZNLksDchVF5VziHjENQ0EqW5inRczWoTRf/TnnwHeGj/FY4MNgDbV3brhlHb1ksVLxxZAIJkRvPVUn8O3Q1lAQZsUNBqMcHeFGDXVP6GYyarq0oi6yirajKU+e9240SSpFfF8kkN0Bu60cKaY9ITfp349vi86hgi4t69jF7sUqvJ7q8VXtKQkWyRaiA3iMnWZBBhmVQM,iv:XYXEsPw53CSM6qGVOUx9Wo4uirtGGVqcXAs5F9oNHjQ=,tag:e2lmKXl+Zj5Kz5wv1LTk/w==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNzZyWEpN\ndkVmNFlZNjh3TW1LSk93OVZud0hpa0IyQ3p6eW9Tb3RzdlI4TwpmRnhlT1R5eExI\nTkFMYzhJTWlrMW8yME1aQW9ZWkx2NWZ3WitoamlFcnNRCi0tLSAvUEZ1VTlkRno0\nOXRia1l2NGd3VkMwK0tCcStSeGFUVGtQOHp2U1Z6L3hFCtB/ZCZKsq8AQBW3Y9fY\n5DqikjzAoGIV4/0aduLIFag0B3NpWKgMFTkxbwBdsQPSVc68RtGD9HYHJ2uSZj7J\n9N8=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVFd6MzlYbXVEZTh3M3M1\nMzRYY05UWkkrYWdaN2tra0lNUTJRdVhzUUdnCnhWT1RPbUowSlo4dDBUcC9Ud1BR\nN1REYnY0OFJTejB5dzVSOHpwc0dLSkkKLS0tIG9GVDJTRDVIWER3TE9INnIvd0Fp\nd1NNZUhOMCtDb3FJRzRSZlV4eGVMcmcKdx7nYm4lTQgYIsumiB6dI2Gv42Y2+yV+\n90GYWy+B1XIMMAgiaGbWfmigV0dqS/XugnDwmXpu9QcLpAkUjfwdBg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwa0hKNTNQZFJmYk9FQTRs\nVVliNUhuYng2UFpJTS9zSHVwYmJOZ1VjTEFjCnFoVWU4eEttb0cxMmI4cmVKbm9T\nak9jVHUvV04rRktVQUE4RmRzdnBxemMKLS0tIGNQbWw0YzRYMzMxdUlMRTNHV0R3\nTmhTWThOVlpuRFRvNnVSaUs1UFRaVnMKjeWq4LTCM2uGfpg5ULat+jKMXmo/wfSV\nELSqAyuLOuxlCeAakXDcv1rcRo/wBgIQZEqv6YkbXtZn5M3Qi8nSww==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBa0dsTnVJ\nemZQWTNJTTcyWmtEVzVDYnVWeEdKUmpMbG1NSVNZeDh2OWdDeQpsV1hTeE1HVW9I\nNnc4MFJkUC9HVDljQjZIb2RWVXQ1dmFpR1FnSXBrbXVvCi0tLSBqaFZyZVNIeEEy\neHkrZld2L1drK0xPVkhUWkdsajNRVzZiVXlXNE0wR2VnCsIb3oF4WVCjIlH1KRdI\nYuzIVbZUkv56xRQfC/2JRgSVCSJobOm9h8JRn9eZuewqzD+4kiLOx27LAXcMvX+Y\nqUI=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-21T19:57:40Z",
+		"mac": "ENC[AES256_GCM,data:sDAMQsdy5og2e7Ch0npphfgMzeLcI2Lh40ZNgXG8JgDzoGLCeuNjcWwPTJDmdXzIpngAs+FuIAAMyjk1u27SY9RyVhIg+/OnAjK03UGr7sYdNNhnP5lQqKJy8PuPUaVclAuR3uavGxNGdXYX3GCFri0qCI6tB+Oqa6feZNxvEn8=,iv:EAAZc3BfqJsv/ax9Rf7uCG/D+NKLLZI6uzFzo5qb4p4=,tag:ZDb8PwLsMIDpMu5zGLNKlg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/haze/syncthing/key/users/rpqt b/vars/per-machine/haze/syncthing/key/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/haze/syncthing/key/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password-hash/machines/haze b/vars/per-machine/haze/user-password-rpqt/user-password-hash/machines/haze
new file mode 120000
index 0000000..db9551a
--- /dev/null
+++ b/vars/per-machine/haze/user-password-rpqt/user-password-hash/machines/haze
@@ -0,0 +1 @@
+../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password-hash/secret b/vars/per-machine/haze/user-password-rpqt/user-password-hash/secret
new file mode 100644
index 0000000..2b0ee92
--- /dev/null
+++ b/vars/per-machine/haze/user-password-rpqt/user-password-hash/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:FPfiUzjYns9F9qYuJCuKQ2gQOtiRM5p9wUM4vTB+itXKiQHNRWaT0Row/wyMLkjMd8roBYgpUpUOpOnI2MZQfUAB3dlvVKoXW+lE4LrC2G8qTleQ3FYfM9FelpWuw+yCq4IJaZu8PVRY0g==,iv:K9B46wJW17JoOU4fKl6o5kYMnXJG8l+0C0UNSq6W5fU=,tag:pfG9rSTlv8HVKs8orUosTg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeEdjcEVh\nR1F4MzZad083RFRZQUh4WUhMUC95bUZaa1dFSXFkRCtaelpQVApRWHJ3a3ZaOW5U\nMUxDVGJOTWV5dHNlWlgvQnBoWHhGNURWOU4vUlBnd293Ci0tLSBUTytzdDhBMzF6\naC84bm5pRm1QNUptZUwwcmFxWXp3TUtpSEF1ejNlSDFFCtjcNkkFY1qMEpy1moJT\n5XpOU++83gy/MXRzBYFcL8WowMte2IwczfdZcc+RN96plAqejRVBZE4Fx6OZIHJr\nLPc=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eGp6c0Evc3RpY01JajZH\nTjcrNm9xN1N1MkYzZ3dldUFZeDFtU1BQOVRNCk1MWmpsN25wUEdtamN5b0dFYmpL\ndEdJaHpUcWR0NVdOWTAyVjBBTGZHRUkKLS0tIGx3U0srVmJMVU13UXZRRTlhWVp3\nTm52TERSbm5odVB1aU0zYTVDVnQ4ZFkK5nDBFPv/S4j/8FShOaMsWXZMQPJO9vCx\nEi9OU2vZ66tlbgHwTq6QdPcEA5/ptAJnYLrzihs9vMFhKpLbn6ElpA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdzEvTnV2cDVSZWM2eEJn\nVlBUbUUxQzV3RGJhN3RtWHZNcXFNaEVSQkhrClQ1dEl3YmcvMTlnWHMzN1JwZFJu\nc090TC9wdjlRSHd2QStvZ3plNmY3UEUKLS0tIFgxZzVPRURUUUhwYVg5UEZrREVq\nNk9VcituMktZb25ub25RTTllTnhVeTAKFHF0ZFU0/nxI8OTvvsiJv/vUJjU7nkH3\nRyn7Sl6yQL0aYwPBRyazS5eo3TesPKU0uO868bUui8LZM9z0687zDA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBd2E0Z1hv\ndENyQnA3UThZZTRQNmwxZFZMREVUWDR0SHFPVTJlbmw1UG5abwpMME9DS0w4WWFn\nUGJ5QVR2cnZndU5Bc3g1Y0J2eWRqbWlnWEpZS3pqNUR3Ci0tLSBSTG5zQUhjaWh4\nRDBzSGhZM2I1ajZ4VjJHbVVhRmlsUWRCZEdnVkVVaXRJCpt1R1StL8pXG62WTts1\nL36IuP3cflSegYmz3bLdcnbMmejldl2EYflNmLlhQMOoa70vSJyFjqEZ7i7+ly20\n6M0=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-24T17:11:23Z",
+		"mac": "ENC[AES256_GCM,data:BS/+1cyvgY3nCjmbDNHDtPbA/1bvnWWl2Je2XpjfsytRTMAZ0QEwkwQ4cJJnpZDwkscOtJOTR/0FY9+sRrSEMQbC5r1TFL3gFYF8PzskFBL21kovKgQD4y07tARlyLzL1Y8EuA9jVGQjIuqi36mXIxrAcCaP+ESDArWSh5IoQfw=,iv:4BZNHlHKgGe08f8tVZXUtaCZhLZZ8Bwl1oQ/S7S1qdM=,tag:Lusfyr8U2G0UpBLkEitLGw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password-hash/users/rpqt b/vars/per-machine/haze/user-password-rpqt/user-password-hash/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/haze/user-password-rpqt/user-password-hash/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password/secret b/vars/per-machine/haze/user-password-rpqt/user-password/secret
new file mode 100644
index 0000000..7ce933a
--- /dev/null
+++ b/vars/per-machine/haze/user-password-rpqt/user-password/secret
@@ -0,0 +1,23 @@
+{
+	"data": "ENC[AES256_GCM,data:bYZDSHz0u+O0UJ3P,iv:7L/ziYffgAM+bYgmlonPyRlA/Sa/x5bXMeJsIjMRORA=,tag:FPk0ggKa6cRTDMiVNWSj3A==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNXMzeVV6\nZG5Xd3Ztbms5YzY5dlAzSHhJWm0xRkdMMjhFUzAyZ3A3V1o4VgpRdWtJMDYvMTlh\nei9oQzRsemloVUE0ai9LRTF0VFZuM2VoR1Z4bXluMVhrCi0tLSBWUW5MODE0THpo\nVWxIMHBON2EwejJneVpPTVlEaTFKSkN4ZHVqSXppRTNNCjqu9qygzCclKZaAZLhc\nnNjXZxhbSTqSXr3KlY6O+1FD26UXUDfEsX9pRibZg7Djx8/mUPxJIrOb96CunFmJ\nADc=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWGNYM3hSMkdsRmRVR1h6\nNjhKNTltRXVvNkhXK0RrbUllN1RVclE2UlNJCk11RUFkbm4zOWxKcFZyK2h5N3BP\nUXE5TkVuc0RuQ283YVIzVGtkNHUwTG8KLS0tIC9lbkNJWk9KMUFwcU9zS0VrVklq\nTjByOWZkaXhTdmUxSW5sODBPSXFPTWsK68XVfgber32/0uwmE7ozcVJQkx59hqGj\n4sV/9pbdJltzMjsZtlRYLRlR8ajdxvf5dv11tIPaZvl9tJMc1tH61g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMW1CZzR6\nRm1DcW1uU3BYMzlRNTNMTTV5Z0h1VlFqbHBFdUZCWlVxTUMreQpjV3ZlYVdOcnJT\nQXRpZkYyRjNnT2dFZ2J6Mmt3bEkvbm5TM0VudlVIUTVVCi0tLSBpYURCbEY1MzJt\nQnVXWm16TGl4Y0QyUGM4L3dGeTBvNXQ2MTNBRThMRWxFCgeixfvazqFYMj6hZEKn\npsW/I62Uqx3TuRvqseqvyTRC4lSYV+KzOMGJAFnUTVU8fH+tk5tyCpgeUvIEBWJj\nvoI=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-24T17:11:23Z",
+		"mac": "ENC[AES256_GCM,data:WW+UXihwEX5Z29my0bRXEcTFzH6YaUBo2nbkLeXcvkj1bePbZeVB5AJFh6OXQHe1mr4k8/iXNUTmwh2ZxrvAkTuhYn9V83GYVC1aTEHesmoQ+cVlTGpqu6tqpSl6HDJcWUIiC0eAktQbQEK03rIaE8bjJzoQp6Qzj1OZ6DR9nwE=,iv:cnqDZIIxpg1qFRbpZjrXUi4abjydJ6aYfLX3RxGFpMs=,tag:XNmbxi7ZnBdZb0ekU+e6jw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/haze/user-password-rpqt/user-password/users/rpqt b/vars/per-machine/haze/user-password-rpqt/user-password/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/haze/user-password-rpqt/user-password/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/user-password/user-password-hash/secret b/vars/per-machine/haze/user-password/user-password-hash/secret
index a007c47..067ed24 100644
--- a/vars/per-machine/haze/user-password/user-password-hash/secret
+++ b/vars/per-machine/haze/user-password/user-password-hash/secret
@@ -3,12 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd3NhRHdETTUyZGJ1Wkg4\nZ0swODcwTTdCVXhkQllWUkdaTjlpTzMzQWtjClJ1TWJCbmx6d21xb2FlSVRiVlhy\nS3NwWFB4NWQ2SGFrNTNlWklqeVBCbHcKLS0tIGFpV3l3dUFjMSt1MXdwcUpiL2tF\nczNtQXpGK21OUGJacy9ML0dQM1RIQmcK2cbCWsIJfCbKIx28sAioak3ykzp/vG2y\n/k34N1bMLNo8Z5v7OteHdcYXp1jMwV2/gRnbHWoxHwBGtuJWa1JZNg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNlBuWjlQ\nVkhib2FaTDdJYVIwbTE5QUFwY3BlSTA3S291TkVhVHhXVEZHaQpGaFVVM3NIZmhP\nS1hzanRoVzUxWW5YNy80SFYwZklTYStrN09jaDc3U1BJCi0tLSBvZXhCWFJCZXE1\namZONmVQbWNaYWZkQ3FsTVV2M252aHhTdWhmTm9kUFlzChB7LeXc/qhdydGuN7u7\n3RC5X2Wz+0vOrsF48qJ9/689p76HYW6exINfCqahLcIQN5A+HyODLBItr53XmHWE\n0ow=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRGFIeTUwK2RkNzhZUzJH\nUjhLRWl4anlqK3NIbURiYU8rN01laUtLVUJJCkF5NFZiOTByQlBIb0k5R2ZWWm5S\nUkZmc1g3Z05ycXhoYWozSy9zN1JHZG8KLS0tIGswcVRZbHI3L2tUTDZEMjVOMzdI\nL2xkU0JhTzVVSlRmbnZpamd1VW1IZzgKO6nOLxHYT7ebNh2sJou0k+PRuoGewdXA\nGDZd4AF5F/6Xhswa3d1ETIDynQp2EmmvetDVd97u/ezj9h+MDFESag==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNkV5WWN2MzQ0OVpoOFZU\nU0pEVTVQM3BocGtDY0Q1bHFCVko5RjJWNFJjCnljQ0phUloyWEJ5bVl6Sy9HYUkz\nN0l4a3l0d1hCcis2VVlDY3hYVFpJMGsKLS0tIFc3UjhwRU9GY2lpS3VvQUhWeVBl\nT0hLZktwV0ZvZmxnbUZIZEVqbGxVUG8Kt3wAZM7zlNvx2lAW49TvJvVnh0F2E9CF\nWhy4alo1SpbPLGENdoVJNghRGF4MkhUnC1Yhy8u6rZ1DPkW35Rq82g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubjBaTEdkZmxjQUFycTNo\neFRZRFNxelVUSmR4OEUwZzV6TCtpTEc0T21ZCmRnZG5JV0Z1QitDQWUycTJ2SjRS\nSmF3YTFtY2dsZ2dWQjJ6Z3FXZnBHcjgKLS0tIHQ2QldhSXo5dXA0RlI0NGpxSGJz\nR1hXc0VlRFNyNEtKSU5NSHhEbEZzeHcKSk7Tf9wbo8OwJMxv89nh5Me9dAvAxEGc\nvDKywtaOXuC3eD/RaSTKN1FsF/tDEST0cpUJcWn9zAgE8lbaw6NGhA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBMEMvUW5Q\nM29ocE1oajR0am9FUFdldkVEdlZKakJFbW0xOVI4bUF3R3VsZwpCc1NCdHdWZXJN\nOHV5ZHFKNWVKUHFlaWROTm1vcU9aYU52MVFKWldLM2lFCi0tLSA4aVBLR0FzUldC\naWdUZlNxRTF2VXZHUTZRRjg5U0lxbm5vWCtWNEc2dUlJCrCjadfT+XQv8D7ySGpr\nDWd6qtkVMrUjZEBzon+UD7E+LEsB+4iwhvsHHT0y4mP2BYbFgJySgTYrMa3MoyNz\nPsA=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T20:58:41Z",
diff --git a/vars/per-machine/haze/user-password/user-password/secret b/vars/per-machine/haze/user-password/user-password/secret
index df25ae5..fe12598 100644
--- a/vars/per-machine/haze/user-password/user-password/secret
+++ b/vars/per-machine/haze/user-password/user-password/secret
@@ -2,9 +2,17 @@
 	"data": "ENC[AES256_GCM,data:Lkjm0xRgzB84sHTW,iv:JP+9dWfDR4VbU5QXq7lVvxDYZc16R4lRcRZDBJ+ybKw=,tag:brqhJSuZuLLoxFlyGWPIBw==,type:str]",
 	"sops": {
 		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBenNLV1hV\nb0srQkRSZElxSmEvZEFNZHVJOXZsMVU3d2pJNlNtWFFtZmM4bgpjTGpBanJySmJ0\nMXNYTURWUkNVQ0ZJYzRaUWJrN0cyTmYyZkVCNGQrTUg4Ci0tLSBVOEFIbXdwMVpv\neGM4RTBpM0tQRXBUOStRMEhzRmpTNGt3dWVNaDFNaHNRCnxB+7dTBcKoA9fMy/tF\n/weiA3Dh8j5VCxMDyWOvCVKPMA70rLCh5Rc7/pZU/vCmktQFLGgnXVamHncU5w8r\nlNI=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbFdyU0w5Y1FoQUd6bEls\nRGtkTjNVaGZIUDdHZFhRUGQxQ3FMOC92c200CkM0bUJiemRqd1NpMVNPNEo5a2ts\ncldTNWdVbHVzS3Z5N0VueWZwajJRajgKLS0tIFBDOVltbjdmSEF0bWhkeCt0OFpy\naGJ1REp2eFRKaDJ2VVFPUVhnb0o0TWMKYTiKcLQefKDhDRq9XFNM9rtOHcQHk5CW\n/6lwOKhpTTE26L8O7VyeYSf5xhECZcjImJIbTmfBY+OxOAndwGZ3Xg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQUJOditCdTM5dkF3RXE1\ncGs3cTJQNnpvRzl2Y1pHcmhTY2VMTEtTbERZCnRzT3Q5Sks5VlhQMWNsZG9FR21y\nbDhMRHRLUlUzNi9oM1dBaUM4QjdMaEkKLS0tIFBVVGxBTm1OVG9xWERBbU1sYTVO\nb0NkMVdJR1d4UGtXOWdNTE5xRE9ONDQKP1iVgCXH6HCELkNXsrQCnCkCuubnxFtB\n2fKNNzio1qBr+tYgxAXF2W41z3hWhsSSKKC7LyRDT8ozvfIpPWL1iQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdE10eDk3\nLzFMaE05bDNsTHFvRGE4dC95dDZKd2JYZTNpSzNnWlQxQnhFRApRZm9TNEhIQ2VE\nck1XTkJ6Y2xwNU93M2ZNcFR0UFNiQWl4T1F1WW8xMWlrCi0tLSBvY1dBeGllTGxB\nVDRsalFSTVBXOC9wbGplRmlTdWJYOE5PQTlhVGZySW1nCqNn/hWXd00ypG4DjsSh\nZrs8ZstW4n6d6leph/WHBT5p64rN/U+CD2aHqulW0vTUGZLHrP0RNmOQ0nlnENjh\nl6E=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-14T20:58:41Z",
diff --git a/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/machines/haze b/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/machines/haze
new file mode 120000
index 0000000..db9551a
--- /dev/null
+++ b/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/machines/haze
@@ -0,0 +1 @@
+../../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/secret b/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/secret
new file mode 100644
index 0000000..5dfe94f
--- /dev/null
+++ b/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:qEKpqsrZN2K5tvq3uUeQm1EGJFwF6Y/Gt/xI4PPRfCtqQujkFOtDcHfjGclX,iv:Qfv6vMwHfFp3Ao3rKsed4WIyj4qY68v18HoATl9GtYU=,tag:AvWpclBxN8cVvUswz57tTQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBOU0zNlBk\nbHV0OUIzY3NkQktTNUl5cGtPcWFyWHdNM0NicEd6aGlobXJ1VgpUOW5SUUtEUGV2\ncUtlVFI5eE5GZklaYjIyWk02TE8rdHZ5cHVPdXd5OWw4Ci0tLSBROWZ2WXliN3pi\nUzZzYVZxenpZc0U2QjNiN1lmYStSb0lLQzhGZzg3OEVNCpGnC0PHvxMFKSjjeb3O\n6r22kqZr/jflNAkIRMfK9r0yycIJtir1iO/R6FADk1W0GGgHHLa+dS/TfHThJy/F\n0yw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYaGNJR1MyZUFnL3d0bHRy\nVFBta2xHdGxoeTZodGlGQkhLdDBSNUlRSDJZCjk2ZjFnWTlDT2tIOFNiNGRvbG01\nYytOcnJGM0N3dUlaME1PMmhyUnNkVEUKLS0tIHVBUU03Q0c2WmZmUjN5WXJzQk9W\nQ2owaDBXa3htWDBmbk8rUEN5a3ZaWWsKmavt7FoM3IvvnXt3jUeSXmuA8h4nhaf8\nRk8dOIZxoWVjWi5cIImV2Bu+zDl9TtWjiRRDxzSux6mtDDUkhyk+dQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcEMzWFVQN1YxZjBKQkd2\nSGFjYjlTWHppMVhpZlpHSVFqWHRjYUlIVlgwCi83YmZKYytsVXVJZEVibTdEMkc3\nelh3aU94K1BsU2lYakMrbXVXQ015NDQKLS0tIFlIMTJQMFp5THhGUS9RTmIyaXox\ndjBqR3hkdmh0cldVeE9kWWVESldlSU0KcCTg1vasovQBFBXJQJ/CDqBgjPMz7Kdd\njHW2TRJ3Z2a+/Cdqa4Asdi2eYc89Rw44FbMDRwSWAPg7azoneA3NLQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNkdBcjQy\nRXFiOVZLS0g1bnVXYStkOTlZaDB1MzQrQWMxM0ovNXhOa1ZuQgorOG5GQkRKTTh0\nY3ZKYVJ0ZktlQVN3MTFvV1lQSzhVMUlESER0Z2xkYkZ3Ci0tLSBPYndLcnpwZEts\neFBKQzdudXdoaDYvRStGZ0ZORmphMnZoR0VQMUhaZHdnCgi15NaACFCcLpGLGoKk\n/wmhvFIdNm9/6crVhdrnb/qzQUWUF2HYJdMeI22iEaPCughhJfXX7L4uBDlBOcni\n8JI=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-21T16:24:47Z",
+		"mac": "ENC[AES256_GCM,data:uW7rkOZGqrhOZr16MJZNiYD6niGqFdzbhC4sOmdY4l2K/Q+esAycgSakPrVGLi/h0QFGlo8/xBPu1wvCFWiklPDaoPLwyHpZefAr3szmJ751Zo8gJPUPvYFOkGgBNIDYDxg/gyCxAu63M1v+rY2YD2tsegMw0xEAAyusC9rxocM=,iv:fN1537itb9ohJ2dNuQaPRLxKmV7mWJSs15jkEBNjS6U=,tag:q62fQfBBzJ2GjybhbRCViQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/users/rpqt b/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/haze/wireguard-keys-wireguard/privatekey/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/haze/wireguard-keys-wireguard/publickey/value b/vars/per-machine/haze/wireguard-keys-wireguard/publickey/value
new file mode 100644
index 0000000..cf95443
--- /dev/null
+++ b/vars/per-machine/haze/wireguard-keys-wireguard/publickey/value
@@ -0,0 +1 @@
+DX/Oxm7ESVkJlq8gkwGeLG8gpTP15URo4IBTAWcypi4=
diff --git a/vars/per-machine/haze/wireguard-network-wireguard/.validation-hash b/vars/per-machine/haze/wireguard-network-wireguard/.validation-hash
new file mode 100644
index 0000000..3a66342
--- /dev/null
+++ b/vars/per-machine/haze/wireguard-network-wireguard/.validation-hash
@@ -0,0 +1 @@
+8bdf8580329052d98be05520e25f51bc9be58da446951f95962e9924ca336235
\ No newline at end of file
diff --git a/vars/per-machine/haze/wireguard-network-wireguard/suffix/value b/vars/per-machine/haze/wireguard-network-wireguard/suffix/value
new file mode 100644
index 0000000..c042739
--- /dev/null
+++ b/vars/per-machine/haze/wireguard-network-wireguard/suffix/value
@@ -0,0 +1 @@
+840e:e9db:4c08:b920
\ No newline at end of file
diff --git a/vars/per-machine/haze/zerotier/zerotier-identity-secret/secret b/vars/per-machine/haze/zerotier/zerotier-identity-secret/secret
index d893f17..80357a0 100644
--- a/vars/per-machine/haze/zerotier/zerotier-identity-secret/secret
+++ b/vars/per-machine/haze/zerotier/zerotier-identity-secret/secret
@@ -3,12 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMG55a2YzOGlXRXVXa1pK\nRFNsWXMxTUcrMDhJVXhVNXRnNmhpbGFXL1FVClZmSjFQUkh2SjJlTTQ0V2hPNUNn\neDR6bFB6SFJ6NktGUU5ZMmxteDM2UkEKLS0tIEhsQm8xa3hvM1d3TENxK0ROdG9p\nYm1Ya1I5L1QxTU9wb2pwUWFzL2d4dTQK1oDJeC1PqrSYsmKneedZWpjdz0Q+HC4a\nLiM/0O3no2rDO0Ze9ATSY2+NbwhRNr4i98K0h9uoZoh4SVGwusCPPw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBazJPeGFk\nTEl3QzB1SE9xUDIyT0tKaHcxdk1RZXdXbHU4SFp1WkpmWVhsaAo4U2JSbXZLU0tt\nU0lrWFRhajJjN2ltSTk5VnJXS21uRmNMd0c0b3lkN2lvCi0tLSBkb1l0UVFSWWdJ\nb3JaOVo5aTl2dU9yalNtRTk0R0x4UUQ1MXkxUXk4UjNJCvMpWIDWmCj0t6H9GF7y\nVWns9YzQ1P5tEEeZArACMxG5z3Is+hNOOrDZyaLlo23RfrnoKHT2ZIy3kYSbNQzl\nYfI=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcnVRR04yY2h4NzI1ZEoz\nL291SENNdEh1YUdqM1NMaDJNakJBaWc1bXljCmhsdy9EekxGMlc4aEppYTIwR2VX\nQk8zaDRIU3FnUFNYaUl1clBuenlRQzgKLS0tIG1xWGJmTk5pL2sxTUt4M1hEakhE\nUHhWSGYrRHQvcUIvL25qdXI4eUxyc2MK6uGYMbAzXhX4W3ejPOJAmIwHAR47888b\nTrfiPXBivPjel8Nja9mH/NmI2KQjshJl+7kxa3eH5LRlPJm4JfuYeA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbEsvc1MyMDRDUWp3di85\nZmc0eTVQUFZCRFo5N3RsSm91L2VTWGdWRVJzClBwUzJjNjNMVW4yT2M0eFJDb0xw\nQ0NXUGtiUkllbGhOTVVheVlwbUNpYzgKLS0tIGw4OHF3c3Z3K0NKNCt0akhGbWVL\nR2RWRjlDYW9QOHVYRUJxMmVHL1cxb1EKTcDfODorOcvn8D8Z5hNCv4HuzOxHoVcV\n+J+2lwZt1leSlKw4q5HpOGPJclGguXW4P3yZhomqOp5nnAfNXGHuCA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbGF2Tm1YaElZZXVYM0NH\nZXNiS05seEF2NXI0akpYOW9EU1VOZ1lLa1VnClJZQWlMczVKcE1iVmNHaHlpL21s\nQU1Bd3U3NnMrQjV5SjBqUW44ZjFzcnMKLS0tIC9jenFDemNrNWdxRWltUmYwS3Zz\nMFUvVmVsSW5RcCt2UEE5SFRVWTZScjAKT5pk/uhf3deBCO3dA/XMFQEltotkvxtI\ngqt9Db21ZE+d7svhpLWP20YzhNbKBNyC/qzd3Q2ERbmmHb6X5/gakQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBK2xpM3VT\nbUphdFpITXhDTmkxYkM1ZVNjYTlOdTZYa082L1FEK0xNeGRIYgovUWdqeEZqcjdG\nQXhvWUlmMVVHTGppVS94T2kzdWt2dWFNL3JOckl0M3NvCi0tLSBabkx4ZE1iOGZF\naE9RZVZ4Yy9ZL0dneGdLU3NnMGNaVk5HcEhlNXcyRW1vCtgwH7vs9aLr0rP30h5D\npV9hBiMtQOfZxjsMP0RDF0XC08/v9bLxRnjKWESZr7CZioZ8mUI7kXH14jR7yml1\nSIg=\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-05-10T13:20:42Z",
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.repokey/machines/verbena b/vars/per-machine/verbena/borgbackup/borgbackup.repokey/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/borgbackup/borgbackup.repokey/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.repokey/secret b/vars/per-machine/verbena/borgbackup/borgbackup.repokey/secret
new file mode 100644
index 0000000..9e18a83
--- /dev/null
+++ b/vars/per-machine/verbena/borgbackup/borgbackup.repokey/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:OA19EoSW2Qlea6yBU721FABKZ4Ay3gzR1Q1XbI0K35K8GCo=,iv:Iwm6YD4bEiPK4MDORZz36O8DzSJD2Z0vsqhB+TOePZc=,tag:9fEB0Vai6oQrETo8GlO+Kw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbGJrcWFm\nWEV4WTFUcVhLcXVwVmZWMDJGK0xvQzIyNmJ4cFJsS0pMMlBtcQphdDNlRmtlLzVW\nTEdLdkNpV3ErdEpxWHJjcDRmZkU4VnFpU2hKbW8xMVRFCi0tLSBHTjNCWExuaFB0\ncXcvSWhFVHh2Wjc3LytsSlQrdThmcFJVZDJ1dVl5Q0tRCi+gnK2wd583n+w9rNH6\nYIl8KwduCI9WkNx5Vw2/e99ruhkXi90b9CEawbi5HjgPzisLh0atTYqL1U8NhBNO\nvrA=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBcVRBOWtD\nTGF4elBabkRyTU9rYVk4aldmbVdNalFEZU82cVVuN1g4WEIxdQpkMDBVQkI2RGto\nSUhZWGxyYjZ6eHNpY1piTGFzZUpWMzhxQ1lheHI0MFZZCi0tLSBMd1J2clo4NnRW\nNkU4eW1oVVpsQzFBaFIvMEZuK21OSkcxVFFtQjVYZkt3CtP7JU+W6GtniH2f265N\nzyNJhsTiVPZ+Cm1ao/OpuRyQe9VgaCbBOoEECAFhTlB+GQx8fWQmV5tczjO3j5q3\nCHs=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUHJZRFloZnZoUjdpS3or\nYkxRcjFNNm1qWFJJTzVDZmRVWU84eFdWeWpNCnhxUFZMZkdSY2FoaWlJSmoxemVp\nSDhoTnJISTRwUm5VMXo3TkYrTUhpZUUKLS0tIEVOcWhCU014QmRCNUtHVFFMYTNt\nbWhYWjdZd2F3enp0MEprL2dTcUQxUjQKdvEU7183HcB7ejQX0STb1WiOzt5VTwAM\n2KZSmB8T7l7zK5QCebVv78bWbseQ0ls3tRqFizxT/dgH3fXwyHbsvA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cEVSNEhyQUd5RmxZZFA5\nQ1hDcEtFZWdLZnYxRjdKWDhQSmFXK2tIS21BCmFoS3gzQUlpTlhTaWQ1OEJRTUpJ\nZ3dTengvdFBhOVZzOWxlRloxN3RvSTQKLS0tIDJCSjZJcGgrNnBmWnBEQVE4RGJX\nMWdoSDJ2Tm5FZE9Va0VJSjE5N0E2L2sK9oW8SqMwnvuTYr24PwjLsi/u1sTJcRZq\nG9gcbsngY3f5tmvoweNseVNEMqLvIfMDJ5nCLf+37IVsMjlsIJsSoQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-24T23:04:28Z",
+		"mac": "ENC[AES256_GCM,data:Ly28RVEWr6EQv8W+YzrnUki26SEhDe/MIqJ2t7pCSmqvwScMZJ4hWIs6Kq/zMlRabFK0bAM2wWDCZdxOV2yt8mBm/+2BCTGpGL4m216EadBO4Oox00VZsqlkCegrHQufTuNkfTxvym4uMcSTHdUG3QtN5iFzm1R7UV7rMtlLAq0=,iv:wCj7nQmSvx7Bhph6cNempqChvCjfjexg/m+Zr2+1XTQ=,tag:ZTm7knn5pOdXOC0mQOnXtQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.repokey/users/rpqt b/vars/per-machine/verbena/borgbackup/borgbackup.repokey/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/borgbackup/borgbackup.repokey/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.ssh.pub/value b/vars/per-machine/verbena/borgbackup/borgbackup.ssh.pub/value
new file mode 100644
index 0000000..5907ffd
--- /dev/null
+++ b/vars/per-machine/verbena/borgbackup/borgbackup.ssh.pub/value
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGziB5tTi71e1pQddR3R+GgON3PK+IwJXeuvi7xtAAtp 
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.ssh/machines/verbena b/vars/per-machine/verbena/borgbackup/borgbackup.ssh/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/borgbackup/borgbackup.ssh/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.ssh/secret b/vars/per-machine/verbena/borgbackup/borgbackup.ssh/secret
new file mode 100644
index 0000000..228c81a
--- /dev/null
+++ b/vars/per-machine/verbena/borgbackup/borgbackup.ssh/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:vUrRWsUzWhWf+vdoU2PL8TIIdAf2aa3Zlp8jLoZcriw6yWE5cmVW7vHYBiDIYfiusple97nptPm+h5mS70jGpRkRpHq3d/Gq6LLEhYnoekihSjxCYEnpZo9ItdUYCN/RzvQ2vPtOQn0sbiore/uc/0GmrVA5nX6AL3u7F4AY/yUWDKV3HshHBjzQB7uSAm169s/UfroevrMD6q5ghYjtOT7cNEhykhD6kiNFOY/YsCISuYSGR+YBmwH6UfdoPX331IrizraNDhVXdnb3bWWK4sYt5NzUq4yKwzX3EcsY+Te8irGsB1FLoENkRN9ITlaf64O2ZXan76AF0z8GNYsv0k2t+W3sGGR/crV0L2e0Oi3hcLq8+st07/0DmrtzRstsMZDFkYyj+qb496kMSWvyciSeOC7stVGM+5vpZQQYJic7ofeT5rL47rv6heQqTssRO8VAaVhte3Wlf41WOXXCx65Ypl87KXfLh7JdAb1jveZhG4rNOgihrWWFT5A8sJCPgnU1,iv:hD7qjliIBiHZ79YGchL+njgKdaY+O4ek7MJ5eRF5Ivg=,tag:QOxjOqdiN5BFe4Nr4W0MyQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBOGhGQkJ6\nYjM3QW1HeGpIajdTaHV2T084YWdLVlNCekVtbFRwYmFDSXVPagpsTXJyelFVNXdY\nZ2IzcVZJMVFsQkJKbHB3eWV5SGFDK2JJbkVUbTAvUEJNCi0tLSBlVkVNditWdjRh\nRWhyQUUwa29ZU1VnOGF3UFpGS2hvQTk0TE9rM1Z6U0JjCpgokN57F7ElrHAEiRy6\n6DwDTq9A7pCDkqRSQ5rB/VM7eMNMJGrti1oVmp1xQEYl95cuPfI0ZniQjGJRcqBo\nYRk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBOWhIWWpo\nOEpoK0ZVQWJ4Ti9BKzd1cU5IUFk1TW9GL2o2eXBtRytPU1lxOApCNEcrUHBtTkh1\nME05aVNkOEFmdE9IOXVDM2NUTVBiMGFmeDRpQ2RIY0ZRCi0tLSBqaXhic0hpU0hV\nZmY4RXJGUXBpMlhmdUhQUXVrT2xVQUdPWm9mb29MY0NVCtNOvwH7Hzlrr7U+xT2W\na8clXsg8FiGugnb9b2Cci3PuSPr2ULiH7SIJN3/TB38G5xS871EatgVXfdFEn/OI\nbtc=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRng2VGhPcnBGQWNmWVBw\nUE9LbVd5eTQzQTZqa09PcUtvRlU4bWdLY3k4Cjl1NFhMQURHcUt5M24zUnVha0tj\nSlRHSW5vbklXTjVLWTR5MXRXenc5SnMKLS0tIDlRUC9KTTdKZ3FXSEFUSVR0NUsx\nd3NqaFl5N0JWdGxOcjZFVUJyRkJmSjQK2phuifCZvZU+JjqUeGc9u/tj+E+ksa4f\nbNFVZamjtB5jhxbVPQ1iyQ1Hoi1kkqT9R+43NTzUnJHv921bIeI6cA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaGNVS1JTaVozcklucXJ5\nbERzbllrOUNqSHJTUG44QTNwMkVpQXQyOUcwCmx2MjNZaXpBaHNjSnV1cE5aYnAw\nQUNQWDVJZHZmTS9mRkNyd3ZRM1doVWMKLS0tIGNERXdnL05vRGU1R290MFlQOWlu\nSE5PQnhEOE5hdTRjU3NYcFgwVUxwQzgK5RAMppjBJDe+Z1WUS+y8p3NfAD86vBQH\nRCHlWmry7sLLuKG+80ntFObKr8JmC3/ykg0+8pjmXGl17I2U/fBqIQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-24T23:04:29Z",
+		"mac": "ENC[AES256_GCM,data:9O9q6P/dorPcVCKJz5Yc3OYLaalbD5fXEwyrMfFtvF/AruIE6FEUghpyynTGCNJxY6JC1JI0Q0iQG+uo6ceq05Fa+Yv0yUAOsN/YUP4Yuwi3gSm39VIBglcoDkUi87zU6vFsJDylWb3asTUX5MshZWoXFtH4lzuwTCd3fGBd9ps=,iv:U9Plt0cgLMyi54xI8Nq0G7/1ASR/BE6qnZBsyTdbEDA=,tag:EVKjccREZDvhetsLYnRrdA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/borgbackup/borgbackup.ssh/users/rpqt b/vars/per-machine/verbena/borgbackup/borgbackup.ssh/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/borgbackup/borgbackup.ssh/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot-worker/worker-password/machines/verbena b/vars/per-machine/verbena/buildbot-worker/worker-password/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot-worker/worker-password/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot-worker/worker-password/secret b/vars/per-machine/verbena/buildbot-worker/worker-password/secret
new file mode 100644
index 0000000..e964c93
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot-worker/worker-password/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:96CnBRKaFXT6y+uLnltdrQEktrpNkRzFhXTD0TszN0KDOYYsRSVStsOPicHoDj1I0lcSqJQwic2/IW885ZDZdII=,iv:qO5NhgplS79EKDFT+1cbRfL3fhm0ZVQbIU67w3lf2+Q=,tag:YDYcajCgWT40tS4uYLyoLQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM2psQmdL\nZ0ZmTzg3U2hnNS9HcWRoWmdkWG95UlV4b3BKN2ROTHpLZjZHKwoxSUQxcEh2Q0o2\nKzg1dThQaWJOMERoajA2VUtpTjZKMHFYaDRLWlJMWXJ3Ci0tLSBiS3pCZVc4b3Y4\nTEdXNDJYQ1hjZXBDV0xGdVI3d2NnQmROdVpQclZoRzZrCnNCjThvWRxwiVlqI8ID\n/628uDwjoOuI6M06eOCxxe65avnoMd9ViuJyRwJBVtdSphsYKrLWrInvE/bQKkm9\nYW8=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeTJVZ2Jn\nUDByM29GQnd2Z3AyQ1lxZ1NZSG9RMmsrM0Y3eEpRV2wzSFNwOApmU3M5QWFPSEcv\neW1TVm1xS25XVnh2UUg0ZUFpTVd6N1dCVUh1Q2FJdkhZCi0tLSBSdDNJUE9vWEp2\nRU8vMSt0Nm9EdE5XdVF6UXVud1N6REd2Nk93Q21XdnRFCl1Tk0SMTqvop15O6+Lv\neAxdd/p5w4QTLCl4a1Q/wPyxIAbymYs3EX37TnrpyrW7Nf1VmBucJlpjMV/doz6K\nh7M=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFajUwTEpjUUpXVFdNYzZ4\nMXlxZkxsaXJqL28reHBCL3FwWGJ5NXIxNUJzCjNvRmRSR3hiRFBmVkJ1ZlVsQ3ky\nNXIzNmxLNTNMaGlZWVNQdElQcms3dmsKLS0tIHFnUzV1WXlCUkFZQ2pFM3ltV1ps\nV0xULzlDOUY2T3BYNzUvaHlldnBJY0UKh08SR4vFOYyu0qquO5bxtqXoUd7mG9JK\nITMwEvzQtcv+oVIWz6pZjTNsm5A+eER2FLJtJlOzunZgwySPj5Q6XA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UU4vVS9BV3NCaEpQU3Z1\ncDd6bVJoY0xUM3MyVXF0bzJzRExTeEtTWlQ0Cko4MmxYcG91UkFGYlR5eFJQd1da\nRGpLYTc2U1BWVDNQZDVCdnRvTkRKSk0KLS0tIHQ1dWxyUHcxUmJkSU1QaWIvd1Bq\nQnArbVorK0w0VlRMQUR0U3d4d2IvZjQK+8u7NehL+GAUJe74oArXRa7dietE8rlC\nobo6oTN3YYFPAchbsqPpk9g2XF7lQ0CbXq+XPUBXvcVWepXlHZ7/zw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-30T19:23:50Z",
+		"mac": "ENC[AES256_GCM,data:iUkKW49fo6GDb9gQhzeOgs61tWuoMR1LNQ1hQIze5lAqQOMEqZTHI7oq4SDM4wSaoFgTsEdWl+d7rAUC7Iomm4NsYYs5BCIuQq8omUVNxU9qABA+HYIuUI/RSu8W9/Fko7j85E/dOAqmuQz+RKsQjzIyKSORNenwXezkj0p+ADw=,iv:30VfZbHOU6RMN72LqEApDtXXd78pdQKGGmWDQQa7oig=,tag:rFjmDzi86DOmpv/F8CLL7A==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/buildbot-worker/worker-password/users/rpqt b/vars/per-machine/verbena/buildbot-worker/worker-password/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot-worker/worker-password/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/api-token/machines/verbena b/vars/per-machine/verbena/buildbot/api-token/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/api-token/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/api-token/secret b/vars/per-machine/verbena/buildbot/api-token/secret
new file mode 100644
index 0000000..85e2b69
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/api-token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:TBkW6fgVu4nOFNI9mQjrnkW++jc7fchjJBDwTjaNkEh9E19MMTlQnw==,iv:jvX3gKJ1I7bRcsihqVOYBv6p0KJhQXT1oAG+wlThRU0=,tag:uYGupsYDsJFFTY/eAC73pg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBOTJEK3Ax\nRVlXaG44NHpzT3NTTXJYTXhlRHpnbXZ2QnR6VXFRWnlHSk91WQprb2FFa0x3SSt0\nRlVBMlJkdE1jMkVxT0cwMm41V2JMUDhsclRhanY3cVBjCi0tLSB3TFp6aTg0anZL\nZERNUEtwK0F3NEVMMzUxMjJieDVQQ1FSWCtnWncxTG9RCnX4zS4JBzof8zEKGfxc\nEvz2y+MCTe1CV31rVXKX8ToRg3ZO6vTp+ChxVD2Euo2q8GGGA/8CG7ejfBPOJJQw\n14E=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBOHpOU053\nalpCQ3ErYzg1ekFIclZqOGdtUFFkQ1JzY1hzSW5rY3JIZ1g3YwozaWNjYTAzVXZJ\naVhwd2dIK2Rpc1U1ZDg1U2UxanlpSzE0LzB1MExYMWtBCi0tLSA3Rnl4YVpNVlVQ\nRWxYSkl6ZWNQbkJZZXlwdkkxOEo2YW95bTJ1QlgvWDJZCq2pDBZJP+8ZHlvR+OaN\nuA9VrVqGoG852JhTDYuy11wJsK/v/f+irLhKB1tBubqCTW0nPT6MqElA6geksp9g\nbbk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTVVnTEdoSmxqazN3S3FT\ncCsxZ2NKNnhEdHR6enI0dCt4eStoSjY5ZFI0CmdBbkRFWEJncmpsQ2RNM3pZMnpk\nd2w4c1VrQzdhQWJVSjcvblJhd0x4ZlkKLS0tIDVXZFVkdUQ2V3g3c3hOV01oTDFM\nb3MxRjYzSEd3d242WHA4Rlo5QzEyc0EKzAyUGH0whYrqKL6RD887V7OknyrSoCVX\nP8kc6uOopXCsNM3RoOoNZVuq//c1KPB2ilfKddm9CtnQtO14SLzoog==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZUhVRVlqU2xERTJGVjFD\nZU1icVdYUHlSakZxbTJiajBMSlI0MTdDMEhFClcvWk80YTNKRE9Pbmg3aC9mQ1R1\nb0lTOGNUdm9yanVMcld2di9kZ214TFUKLS0tIGxiek1rRVBFVHlpaTVQQzErRmhi\nM3NEWlFUemlNSDVZNTlIMTA3WnhpOE0K8nuTWNETbyeqA8Rr0XTGnGmTG3Lhsyzr\nF+wIspVSEAPPI+qGZ9v76x5FcJ/kp+AV2oKwYrbdmRY4s7fKRvUR7w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-30T20:24:05Z",
+		"mac": "ENC[AES256_GCM,data:/1u+xf4gfv+/8m45UwGeutMrOKfxDOC/vlF+JY/GS+B4xW+bBIVHtBFg6cqKZ6jvAqMjx5w1j2x+St7xI/S9rVhf7mG8p4sdO5/EnM2Ib+I94dNKLx90h67jAJir7N4sQ6qsT8K5B4CDwBC4ugOBtBVBW3eoRxMFjGNNGoG+mUw=,iv:RUatCLMYYUT9fUluykcaJH+uKOPQGizzGjPnsmROtLw=,tag:K/6z9CHx7kBJtOTgfiXyQA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/buildbot/api-token/users/rpqt b/vars/per-machine/verbena/buildbot/api-token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/api-token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/oauth-id/value b/vars/per-machine/verbena/buildbot/oauth-id/value
new file mode 100644
index 0000000..cc499f4
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/oauth-id/value
@@ -0,0 +1 @@
+23299be5-92d4-4635-b023-099d39b2d056
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/oauth-secret/machines/verbena b/vars/per-machine/verbena/buildbot/oauth-secret/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/oauth-secret/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/oauth-secret/secret b/vars/per-machine/verbena/buildbot/oauth-secret/secret
new file mode 100644
index 0000000..ef6818e
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/oauth-secret/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:BNaSFieGNC+TbU5S8NFYitdQiO51vdAh1q7UMfS5UPHqnASBYAumgrrNotm2Rma2s2QijJJFsyw=,iv:ns6hkNgOVaAJMq4AkZeX2DOXLNqzv/2iD83wWwNeocA=,tag:vmh9crLrJ+2V9FOfVr3Fog==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBZ3YxTFFT\nY0ZRQkRXOVFrVzhiWjM0NmpIVWZFNUF0ck9mYkZEWFVkT1dobgpzSXNBY2dzY2V0\nMmxDOTJrTG1RR2NYTFVhVnhNbng4OVVNeENudm9Ld2FnCi0tLSB2L1pLaWNWZDlx\nZzRhRzRKNG10bnQrLzBpTWV4MWo0RzMxQmxRckU5bjQwChJz3wx9gIcBgq07bRYJ\nXwRznuLU03evUDr9M7TiMrTo88a2IJuSBzLKEseoQfUj0t3eOEvQRgTcgEJL9gwR\nVOs=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN2orZUpR\nVUlMajdUN3BqamU5bmlxMkdHc3VIR3NkaTh6eit4dFJtWG0wYwpwSnFrZW15Y0Nx\nZzFzbUMzdTA4SWZvb1A3Z1BCWUtIVXdSV1pFem55dU44Ci0tLSBmaW1aeExGa25Y\nR01PbEI5SlEwMWxWdVh5aDlXam0vK3VvbmhkNVg5QzlzCiKUvFiNfNlHZB6g0tB4\nmXKH52wB4d43OLXAPFKFaq4i68CXN1lYOlWiFYUMNjbNFNs/zeBg/+i/mvcMoVMl\nUs4=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUTJpWUFxdkR0V3htN000\naWZacExiYjhHV3FKWFNYQ0R0M0pWczZHUFRNClIva1FJandISzdIMlNFemR1eVpl\neUZpbTVsMkVDYmh0MUNveHhzQWhIY0kKLS0tIFVZcDNXOHQxMUtMb1NqMGxkZmpV\naHZGN1J1bjVzMGVPVEVhczB2Vys5TTQKW2QzPrOGKTXBwqxCgyfaNv78kyhW8IDD\nFEgo4K+3zs+YN2480OCvUf6xfIsk/ynDSJIimOeZ4eZkBGzzmFiESA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyNU9jQ0NoalpZOHhPMG1S\nRnZrK2IwWmpEQ0kxMnB3ckdscnpORkVFZHdFCkdZclNmb0dmVEJzS0RMc1R6SWRw\ndHVmRW9acTZUYVFoZnNFQnU3ckdwZmsKLS0tIFpleWVFUlRERkJqNlFySmkxZjIr\nSU53ZFJCSi9mRVZpYTN1Nk9SRHNBQmsKQcFH9A0Giob4sf/T0GvdLr8dwZVE38xC\nC1BfkCzx+m75trIgfVwDk5/Xdysil/XDlUtx3t5xGjs/6BQpmqPWcA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-30T20:24:05Z",
+		"mac": "ENC[AES256_GCM,data:5uaRAQ4li9OwcIyGqa6r94rHp0HnoS7kh23N/hBNxRmj8kAdDL3YY3JaHdat3na8Le934MtKQ6doAMAZ+HBYn5Kjn8nhJZpE1gNK/BK8zn+mdqRZ6CEIeADbEDVp4B1OO0kWsRBl5h/ndyBzoFcZb5O9mFT2OPg24zOK5D/+h+I=,iv:+C+l/U/mDyGEiZSXP9szlj39BYq/0zEM7UhzIeHbnZk=,tag:6GvdwYKE5N2l1vqq5FllSw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/buildbot/oauth-secret/users/rpqt b/vars/per-machine/verbena/buildbot/oauth-secret/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/oauth-secret/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/webhook-secret/machines/verbena b/vars/per-machine/verbena/buildbot/webhook-secret/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/webhook-secret/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/webhook-secret/secret b/vars/per-machine/verbena/buildbot/webhook-secret/secret
new file mode 100644
index 0000000..f9cb3b1
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/webhook-secret/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:zT9TZJquGohxc7Q7PpV/H6Bq0BSW/QHTZAUivjP/pk9Pwva563GvDeZavMPk8j5bZEzfMnwaiUl3b9Drcd2fkQ==,iv:8kyv4A1VhS64uiar5I8AJg8ufrMNXvvQVd27UYywgHE=,tag:jNPOp6JT/AMkvueDKmpWrA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBL0syK0pB\neTUvd0dlaStaTkIzeXgvSGpybTY3VVgrYWdiUGpUT3ZkRGtDRwpVdXQ4ZW9xc0xr\nOE9OTWlVTlc2QlErOG5ta1RFTnFoSUMvUFpWZStLUG00Ci0tLSA0NkZZMGhieTFJ\nVS9nSWtwY0Z4MzE2UFhDTjJvMGtIenlBcGFpYm9OaXpVCnfbiEdrm0RcqdbwiRQW\nhasK4g5w4/6qN7AUEX9xFlukEy1PEeeWA3vOISeSI6aPujT+ThRm8oEI7WeZdvL2\nIVk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBLzVwVEEw\nQnBsMk82ZmtIT1hvWnlRSkhPVVZpVFl5bjlaUysxNStuRWpGKwoxTnFKVURJaGRs\nSGRPRDFQUlJncytucVlNalhxVTRHb0t6cjFmNWNSSFNJCi0tLSBBcDV5QndCTnJy\naVZ4WU4rM29aYTUxWHEzdHQ0NWd1ZmtiWUsyaWllV1V3Cuv876IfeYAoQM8s7eaz\nYuDLeOEBGUoutWHuBQlPrLATp/qhtdJXBoTkXQoPdxjijQGZCfCgGxfLmzT25xNG\nrZQ=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqb1VLOU5Qejd3NCtTSFZ3\nTmppWXRSYnhIeHpoZnJrcURMWnlvQ091Skg0CllwVFJMcndoc1NLN3RoYXlyS2Uw\nOGFGK1BNVUtUVVBBaVFjUU1vU1hscmcKLS0tIDVWL3dBVFJkcG5XNUI3N3hmMSt4\nUTB4cVBZWmk5VkNEaWlTNnFyc3gzTDAKNZDf4n1EZmaLfv6DEQToxMk4C3bX+5kE\nHMeZkkqLL4Buyz/725lAuXUelKWG9Evk0y3T51YXbMaUQGgRb8JXPw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKa1V5NnZtWjV6UHg3K0Y4\ndkRsOXJJaHJDVTBETXA3dUNuR1hSL2ZJYXh3CittNDl3bW1odG1pQkhFZFFMVS90\nRVQ4U0w2ZDB3dFFiM1NhNUVFUG9OQ2sKLS0tIEsyU2tIbTVIanN6VWtLdnZQazdS\nTVN6a09rZllRS292Y3ZJckd5RHJGV1kK3eIIJOCsEsrK7gUvAX1n3acXGKjkQ8b7\n6BZ9nglbtNby9BRnl7Ow+RDTskK5VAnKGUlBWM6UHIBCM0vSKO5NkA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-01T17:32:26Z",
+		"mac": "ENC[AES256_GCM,data:+pSRI6tBtON+7RQHS597E6c9Ov9gbv9X8xTNJf2/wqVvn1iUiUtNgfVAsRhz+TDYrSDukxbJUVBQGAFgzCXJRVibLehI/UqJdtHvN+T69foXfLp46nO5F6zkjh7ZldDzSS5rPlOz/dW/u5l/4Xq+ED9U2beWN94V7flygHxtxz8=,iv:MVFTsbDwe7vwzz39QIPjEJkRFaaNXmyEciF2wAz92sI=,tag:4a0Ef7yO6++44+vTI3nHWg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/buildbot/webhook-secret/users/rpqt b/vars/per-machine/verbena/buildbot/webhook-secret/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/webhook-secret/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/worker-password/machines/verbena b/vars/per-machine/verbena/buildbot/worker-password/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/worker-password/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/worker-password/secret b/vars/per-machine/verbena/buildbot/worker-password/secret
new file mode 100644
index 0000000..cda6331
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/worker-password/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:nzU7Iem9NU21DOrbFiaT5LL+msF1zxdECowiqeV0A5nYok2PrjT4VVryqjoz4jjwawtXJigflMO0lUjKbQSLdfg=,iv:Al1ZQzAG6gbyvoCBakHQt3hKAV4tjNS38Ij2XSMKkQI=,tag:BS3BZWYCn0Osqvb4ZidGLA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaEhiUnA2\nTDlYRzVic2dhaEJHT1hDZEdKTGFOL214L0Q1WjdoaXpvV0VuQwp0SVZXbG41clBp\nMDJ4SmV1M3hyRWhLNkhKbTR0ZEoxSDF5U2dNb25rM2hZCi0tLSBEZ28rTjJJeWJK\nMktmR2tKQWVEa2V4YjF2bmttY1JHZXQydWNDQjBYNEprCiHwtMZ/oh5e5GsUD44A\nYg7F/nBl1vVJKbyioZHI47rFjSke6DAL7R8qmTjGclJposH9zoomPZ/DAi9qosg/\nWrU=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBN29xZENH\neUFZcUs2OGl6eitpc0VKWFBobXg4TVplTHV1dGpvdHI3WUhWMgppQ0p2bEFtWTh6\nOEVGcDl6YkRVVWl1L3hOVzRmclgrQ09UUTI3aWZ5cktVCi0tLSB5TlRrQUFEV2Nz\nTzhhNTN1REMvREJ6eFZ1dmRCWTNITGZ1V0hDU1lyeTNFCuHGzKwJd8Fd+lpu06HT\np+6E1W3Rbb8BgRiKqGVNgYF3uSOTkoKbLgMVn14MteqeCfs/MpdtI1U2ffKQ0Cz1\nUhc=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UUIwa0hWOFlKVU13eEt2\nRmtHS3R1SVUwUHRtNmhUV05Vc3dZTG03WEZNClJvS3VVSXA3UGVrS3F6MHpyZVp0\nVlUyd2dOcDFyc0VTaUxhd0E1a1htVjgKLS0tIHdRUGhJRWJzVXlUMVptbSt1RjZZ\na3NLbVQ4R2VXUnk4MWVENTZDa0YvTWcKVXXEhbUaojv8+u8IPwpeIjSBhPDLOqXy\n1yZz5BpoEf4z5WXzlfm8FfGAaLXCMzHA5DwkG43360puyd9rK+D/Tw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUU9ScHJEVytkdllYS0RR\nclFlaEphYWFhejNnU3NtSVFIUVloaE83QUVzCmI0NUlwT0JMTVlFcnlCYVNPZGhm\nRzlJcU4zZ2o5cnBpcHgzRklVcW5CTlUKLS0tIE5pYU9uTkdwejE3ZjVFSEFTdHJP\nVVdZd1I2R0tiOWttaU0xalAxWGY2TkUKPbwWTstdkM2fUYW3/lt5OMeF1KsEtiZx\nppxTSphkVFDYfZt28GUUTGCnM0zHdHs0mINTg4UEYZWJXhgEA+49lA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-30T18:24:07Z",
+		"mac": "ENC[AES256_GCM,data:3u3GKO4v3hckZDRU6qzGdbfboEZ2oRpvkJGukUL3PtphiHKcxSUSofHzJQUP4Du+eLJ1nyTmZst8rrfQt38u3CGnaXu/cgQMD9Xgj2UPzvamY0Yc0/gAH/NAHLOx3u2TVOeqYcm7MSIoMmd3ieN4GPUDO/tkMhjh/Rn577T7978=,iv:oWuZNe+i0nLQpr5fYgI9yvRf67GuPXVE+OmiGqXIvkk=,tag:Cbhn91/j0IihNF3SynhocQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/buildbot/worker-password/users/rpqt b/vars/per-machine/verbena/buildbot/worker-password/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/worker-password/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/workers-file/machines/verbena b/vars/per-machine/verbena/buildbot/workers-file/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/workers-file/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/buildbot/workers-file/secret b/vars/per-machine/verbena/buildbot/workers-file/secret
new file mode 100644
index 0000000..e3e79c0
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/workers-file/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:nAasbZt+rynccMfq4+eUELpdFsO0SQhTTOXDCz9Y2jK0+6KdIdimoH72HU+6YTWrdWjURv7ql7TlakXAYCgCwoIGdLdl6cZLs0hZXAzthxI13OrPUJRyBbYmmUCu5qQ9mCcy1cLkHhe0KQGxBA==,iv:0/kTk36AQTw/mFKvYhUcyfzdkODEq5ZyeXWERpf08vs=,tag:v4uXqzJlzv+kdVaUjzwEEg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBakZKU2xE\nbnl6cE9mQ28rekhQMS9HRENveVJEbXVzODNnb3FoRkNrZGFnRQpsa2dHd2d5NmFP\nZEd2YTB6TkNQUTU3a2xsQjQ0Z0huTk00Mk96ZFloUHpjCi0tLSBNbTFzWmxJWDFY\neUxBQXUxVkVVZ25rL0puL2p1OVh4bTlGT2JiREJtT0lZCuLy/3/BphFvEY2K8zSO\nuJ6f1MWWP/JDw2WNQXmbh2YPj9gXb6QZdAAKf7zLs9pnEUtZWlCCjZBKFdMDDadd\nAic=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBZzRBSE5B\neUVoZ29VQ0VUYVNjVU4zZ1gxZERHaHYyN3dGTWlaWXFoWVRNZwp5cmJsUTQ3Y3Ew\nWGV2YnlHbXgydmlydjdNR2Zmcy91WXh2d1B6N3ZYYWdZCi0tLSBRVi9vbGdES3Ex\nTVI3cHFJaFhkV3FDNkRxd013aGkxYUJSM1F5WVVqaDFJClQait3PGeiKSDkKZhuj\nm2UuEV1GGwAKl+pluNF8hh+XpHMsLtBm/hORnyriqDoH201eGfksXCEO6F0i+Byt\n+eM=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWGlFejVGTGtyQmg1aDly\nNVB6ODBOcXI0NVFybHNCZFFHd1diZlVPS0U4CnZXR09NV3ZaNGVMOUFaRll5OVhp\nN05SaFFPUVhEYVpRbDFQNUlxV09wbzAKLS0tIGwyT1orLzVHeFhmWjdNbU5rVUpk\neDNxaEZ3SkF2OG1LQWUyTlcrQ3orSDgKy0acbjlImm/rT65X054BAEMhJhSLRzvU\nUrIvfV/Z//frzDMp2NNt7YZSPNswJJr0EXJr1z3Fc5xRHhkWKD8kjA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSHA0T1JTdElFMHVvTU1F\ndGFoa2JaWDdQTEZFRXZHUHlYZ1BjNjlHQURBCnZMbWNIMUFtR28za1ZGclYxU1Bp\naThwUFdRd1BLNWd5SGFTTGgxSG90aEkKLS0tIENOcndRL0hRMklTazJMTkNiTE5V\nMTZaaU1kV2JWTTVxNFpTQVVETzJKaVEK6DLpP2HJk+1LIeicHU+NcqjIMkTk8e96\nONnf1BZANmkLEEDw8Z7q4HFGSgDJQOOTDYoyl6bYMLuF7yJfkYU5yw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-30T20:24:05Z",
+		"mac": "ENC[AES256_GCM,data:COlUjsuwrIQz0TX2yUHLfsR+Yv3kcX9PwqfTEfGNJ28xtxLPcuSXQ3k+BGxiM9XDZTUCBOmYcHeozlupdoLU8AryQbGvX6se5rae735DfLIrQ10xbpF0lxIoAf1V3CEj0prdp8wb4xLVtjqJ35BmGQsW89h8f9Pe/SgQCazpl60=,iv:ei8y9IlI9f0HMFuCQr95OuVXQv1ck4t8Sy9OBeO+SeA=,tag:3qSsuhnZPo8PpUTeu2uAXw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/buildbot/workers-file/users/rpqt b/vars/per-machine/verbena/buildbot/workers-file/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/buildbot/workers-file/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gandi/gandi-env/machines/verbena b/vars/per-machine/verbena/gandi/gandi-env/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/gandi/gandi-env/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gandi/gandi-env/secret b/vars/per-machine/verbena/gandi/gandi-env/secret
new file mode 100644
index 0000000..b6014b7
--- /dev/null
+++ b/vars/per-machine/verbena/gandi/gandi-env/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:xLZ3utyBPOOwQ9UZVIjZee5hRUfR1WrzZqXTdPN02vb396Z6L7Ti7B2bXbBxxkxWBJi7uipyD7eC7Uo8iZtp2amncDWeBA==,iv:QtN+VN/fexTQjBtZjoiLgM0DZxEvFbPNUa/sAtgDJ6g=,tag:QCOerJQkXRRzRVez7XKung==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM01XWmRB\nZEhFRG1YT3BoNlpoSnlqSi9mMTZydXJUMU8rTDcwTWFFekx1YQorc0svbHBCYnFv\naVZlY0Q4OXczN09qb3RNVVNOYnBXeDNXR29YWjJFV1NFCi0tLSBBTkpZbnZZRXB3\ncEZvL20ra0NtM1NtL2paNnRieERQOW9WMS9vTlIrRUxvCnrvGNJEgRsEuxE+mC9P\nKODfgT9bOEmOiRifmHr9e61AsKnBy58hjrcr+h78pYA9jAuX+XbtzXjcVl39CCku\nev0=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBK2R0TjJU\nQ0pLVjNwZlVRSkRPOWRMbTNEanhDRGxrRUE4Q2RJdHpQOFZIMQphWU9SZ29kWE5C\nbjd2VHVWaVdvMWl4Q1FnMTA2YVQyb0I1NEFyNDdranI0Ci0tLSBZcUFUQkJNZkRO\nM21YRHRqMUNaNVdiUWR1S1VmR2pCcXNoQmg3MUJQd3VFCqOqw6zdkK9Jez4p2zVj\ndrqBjKid3DC5/mUwzVhtRjaAk6I1hTmVBgmbnjsZGCdhdPSiUcw6RyFuaevGjvJ9\n8w8=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNCtDd29zdDAzRDN6ZExO\nSC9CZng0dlNNOHpsblRRSDUydUN5Q042ckY0Ck4zdC9URDQ0STBlbmo3SHQ4Ykpw\naVlmOEZEUXFMd3d1TjRwbCtZRGdJaU0KLS0tIE90RHVWNEdrWVEwdWlxQkZoTUJk\nb2ZwZXVBWHFyUk1xRG9Nb2Via0VBVDAKoEpZvao+F3s+b3JHIRbzrp28PHvzG8Mh\nZyBx+Ro8NxfP8nLIGi5Xl1plxsVOOuSLn7q1KTQF17nmeOERR2mWng==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWjRGeThidDRUczNoNWJG\neGNkMDBhZ0x1VFFZcGdTdnFodFVMUWl6cVV3CkN3TS9YbEluZFdyWG93M0xzQmNB\nc0tXYy9ULytjUzFDclpTT0ZXRjJzcGMKLS0tIE5Ib3VzOVB2TTZDR0tPNlhzc3Zs\nTzRSdVg3amk0SHBDMlFQKzFKNlVtaVUKT6RiWdXqQdHN9PsthvHXeiXZZBl5nBMD\ndcKhGoSnQPGKkSx2wzPVPf041TywLf0nsYkOXhaqFgPevLqmJSsmmQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-29T11:44:19Z",
+		"mac": "ENC[AES256_GCM,data:2pGn0COv50V6zL/P2TnWawiRxCoMf4jaNE4MPcOQW88edw8NUGC/KIKq4numi4NoNfxM6CyGbpyBpC3NhQujQo25bxqXrlHqZhhmAxTgyVgQrmbQZ2QbYKHsG8NGOi4nhTXezI9u/eDXyVyC5DX6sitynvH/tizordn5AN6hpog=,iv:N14abfZJxqroJo2l2D5KJSXT1wJtY2DTf7pkJu8XKnY=,tag:Xn5UMlVW7v6GkQqgUVY4qA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/verbena/gandi/gandi-env/users/rpqt b/vars/per-machine/verbena/gandi/gandi-env/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/gandi/gandi-env/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/garage/admin_token/machines/verbena b/vars/per-machine/verbena/garage/admin_token/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/garage/admin_token/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/garage/admin_token/secret b/vars/per-machine/verbena/garage/admin_token/secret
new file mode 100644
index 0000000..d09b997
--- /dev/null
+++ b/vars/per-machine/verbena/garage/admin_token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:d7ch6OypkqLBvYkVCDpFVxH0EPJ3m50L4hWQoDPJiXRbKBGyT9P+4iI4voOe,iv:IBU3q9gxwKulFMJa0vbfQnkEc2SnLfSnDaoz4yO2zkE=,tag:RL7+GfFl9oOONRZ599RKUg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeE5XTmpD\nOW80L2hmU3hsQnFyWEZvUnhiSVUydGNVMTZkaEltbGJwREZlWQpyRjQ4d2UzT1U4\nb0gvSE91SVEzVm9HS0hKNHlLNzNUckQvVnVXWFJLMER3Ci0tLSA2NGtiWmdSQ1JP\nRTBFZGpJbEhUSmlZRW13eGNFOXU3N25uVXRwTUVrMVRJCjq7QsG7ewi/rzVfDEdR\neyX6D6U7mcEvSDXpOmu90oWU8+y7WdXbuSGYsbNEdR3d6Y7/AcM62gNqzjFJ4ufr\ns0s=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBK1VLczZo\nTlR5YWd0OE9raDNYRXllTTZna0dGUkpqWUR5Q1ZabWtDODBlbgoxQ25KWGF4RnBC\nTUxwUkUvRU9KLzk5UHg2QkpONWEyZmNVcHhBOVhiZjJZCi0tLSB6TnI2UTV4Y2ZN\nSFpmeDV1ZUNoUUxBWmdxUlpLSm5WUnFKSDhiZ3NqUnRnCt/EvZGXnIFMvHR5xOrD\nZTHHwsFTTYuaA4ghShDtK/+iR53Y92rq6BDJ15bB+EuU3xNqCx8+q1vV89DIi2yx\nK5E=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva1pYeHlKemFXc2ZCSW1n\nZXhDYVlseU5jamhMVXJaK2x6aFNpblI5c1hVCi91UG5rL3ZsTTNQbjR0S3VnbWdM\nWE1QZTk2L3BZNGlKeEljMlU0NmlNT0kKLS0tIFpBNDV4RlJYZ1lMand2N3o5QkR0\nRDdPWC85c1NkeWlUNVc1QVJEZlpiV3MKnZynnSUdrLAL5ygYse1+DqU8okQ5xToX\nmG9/UmUMhEspeDrXZnjlsq+JkbaCxGouRwQECVsb0ImDlLP63xhDJg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVUZPU2VFdnhKc003SklF\naitpa25SKzU2cDBRRklUQ09JT0ZQVmpnZXlVCnVMRWRVUm5XRWxrTWxNM3Yzd0dJ\nS1VNdFVpSUk2TUlmVVVvNGNCSldnMjgKLS0tIHhpakoxTHMreXdTYndRaWRxbVc2\nQUFpM1RSN1k4UnY0Zk5NbXVrMEtXQWsK1XOUALji+vmTHFo4t2smOOfdnkBC3BK4\npC4PrDrUO0nThNu8ASBtVqJELly32dJYLKRIpOTTqWxNFCQZ9Vz0RQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T22:27:00Z",
+		"mac": "ENC[AES256_GCM,data:tzrsM/GRxEOeZwksc0MjNzG6hNqrVbg0gwctd5LQLRtMLCOokYQO6pS5gjEQ/zS6+SUbauKyifO8xMfkrc5SQ2Iqqgj2tIZIf2xXntQ/152X1IpQKEQN9zO1LQhI6g/w4jtgnNOT4bw6XW5yKW6CN4NfKNCbEzisWjyiQFRxmR4=,iv:LIclgDzRbSYuTbYzONaqaso8TZUBg8r6pG6ZtRLQyXY=,tag:JpnzzVGmNdpRx2jiR4V7oA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/garage/admin_token/users/rpqt b/vars/per-machine/verbena/garage/admin_token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/garage/admin_token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/garage/metrics_token/machines/verbena b/vars/per-machine/verbena/garage/metrics_token/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/garage/metrics_token/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/garage/metrics_token/secret b/vars/per-machine/verbena/garage/metrics_token/secret
new file mode 100644
index 0000000..5da7fd5
--- /dev/null
+++ b/vars/per-machine/verbena/garage/metrics_token/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:ExSv+ji6femtNG+/+JgGpjBNbcMQJeHIOjsrL7arFbWPPJlhV5Bqs6QuVeIT,iv:l43EjooL912qou3fJ5iFObQdHWtSCI+13xQZvnhS+v4=,tag:kqAOc2YYNDks1upXd3aSDQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBcFFSalpW\ndEhCd2pWaWdrT2I4R2tJeDdFczBNSy9xSGlNNUFWa0toSGlRRwo5bkd4ZU1XRm95\nejBEZ2U3eVpUL1k3UW81TGZuTGFhckhkZHJwdkQ1SWdVCi0tLSBkYU5SK3dOdFBw\naXJvQU02N0VZRzhXN3FIUWw1Vjh2a2NDekIyVGVNVUswCvqnFEq+1llQE153aJ6O\nED4X/JS6fGoze0onqdQ/HQUM3UXGRRkmqdGVww71Z1UTMSYt3SRjhiIeFMe0lwXT\nyq4=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBM2FkK01x\nZi9JMHdUZncyNGxoM2dXZDFEd1lOVHVJdXNhVXIybC91V0hOWQo2UGJnSHVjYTZB\nR3F6cVJUKzdJRjAwemlqVDk2RUxLVjJvd0hhemxrc3M0Ci0tLSBjdmx4b1gvblVp\nWTdFVGF6STVCcmEwUC9iSFZTZkpMMkV0Q200a3JwdlVjCpGamkfpSZv9wT1TKBqh\nI57/rmmu66gCC7NMB0Iq/HHbUINo42Vl2TXrj8i26q/oxCVzmCVVpcsRj4tYJ4NK\nqS4=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OWNYVUZWTUltM1ZzUUpZ\nNi9tV1ZSbUdRVThzeEZSMFd4SVk3VVpVMW1VCnRYYnhrWUc4azRrdFF5MDFraDJ2\naXdUUEJKYlJLSEsrTmhFaStsQ2RRK2MKLS0tIFNlWHp0VDh1OWU0TkNiUGgwWjI4\nMTRkQ3BkVHZ5b0Z1bXlZekV1VFdDWEEK3+5bHw30Uf9pNtzVKTwIGlSOJaPzztuD\nKvz5dUJrXX6qF4iGVoZgoEQJsdAvTJ8bCTeEYcEzwIM+fhbuKu9Pxg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYjJaK2xJY2p2QVNTVEJn\ncHhsZ2tXVGsrUHlFRzVheDR5SXNnaTFWbjMwCnkvUzA2ek9taUhUT1J3TDJWQjNy\nTW1BVDVMWjRCeUJkRFZjT3lRbTNXcU0KLS0tIEE3YzBCcWlVVUNFallmdkczYUxt\nSkN0TjRrT1NLTTJ5MmpVanpyckI0RzAK2T/13fItOBvh43/7Xa2gSmnJcfE7TB8q\nuYCfu80wXTVOPJwvU75A/ao7Wpv95sV80HNY2KaiDM+3QimUe9t8Ng==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T22:27:00Z",
+		"mac": "ENC[AES256_GCM,data:o4ehewq1VRocELO4C2wcXAjlJTGCqEgenYXRCS3Yws0G2QQOw767ZSev8EFs7z5H9p/5iS3YWMRBzwcNsAbpcJyc4kDZFkRqOs9GOlkzZLuHlkBLWkkuZSK8N9vvTyon2Lw4veuxVVn0S/2RFXPvkyAHSMxlb1PsRRiu6k7Vn5s=,iv:h+AsVY/+BTTYzRCGT8KcETrZOMuUKQWv5aO1oND85JI=,tag:aOWfgcXEzSgeiUBBP+x5ew==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/garage/metrics_token/users/rpqt b/vars/per-machine/verbena/garage/metrics_token/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/garage/metrics_token/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-id/machines/verbena b/vars/per-machine/verbena/gitea-s3-storage/access-key-id/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/gitea-s3-storage/access-key-id/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-id/secret b/vars/per-machine/verbena/gitea-s3-storage/access-key-id/secret
new file mode 100644
index 0000000..eefec14
--- /dev/null
+++ b/vars/per-machine/verbena/gitea-s3-storage/access-key-id/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:VQjMQfKH1lw3nLnccac1p0rwVKQWYpSs7TU=,iv:UQbB/5v9G2wiX5WWMEAOn6KcWywBAoEi1aX6Zjtv33w=,tag:1lOSmj7UbCB9g73jgbRunQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNnRXSFFZ\nUTA4NE5mTXFZWTA3eERuV2M1M1FZWjV4ck91ZFRZOUN5bDlyTgozOVhBV0NlL0di\naUlKNlQ4M1VSMHJtenlaM0t3MVVNa0tDUEc3dXhPeFJRCi0tLSBjNHBZZDZxbWNR\nY0VnNTVxYWhFVThGS28zMFBBQmppQkxzeEoxNGN5Y2FrCqSDhieve+7eqz3voiNb\nZZizAuH+w5Y96s/U8tpGoRztQoYDFFsco6e4GAFo9mYQF45xXB8WBKR2IAMWhw6q\nRM0=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeGlOZFVE\nZkdtNWw2MFBHS3pGWWZlMkUxVEV0VkkyN2ljZGMyQitwYzZEVQo0R3VnN2c5cDRh\nNmZDR25ZcFJCZmV6QW9tcG5qYWx6ZUxLMTJDM3JETWswCi0tLSBzeHJqbEIyZ2VR\nQTdGMUl5MDBFN3NNSndqdExXWjRGc3RRbTlEUk8xaU1FCniYYcxriIA5b2sPaUqS\nDo6QLVIV9XagG1sf1A/rTiarIN+vW7Cz4fU0ghbreDuvzT8PocB/PHPeCUg/ppZK\nwdg=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYUpxNXlJUDNTKzAvNmZq\ndEdvQWFBYXltQmZ5MHp6ZVJJU3ppd2ZSOUN3CnFsTEo3UHAwWDlmKytSZVErT203\nNkcvMFB3SXMyME8rQ0dOaFJlOGFrajgKLS0tIE1XYkQ4dE51UTRNZXNBUktpbE9M\nN0tjandSUG1PL1Qwb01uVVdvY055cmMKteqB3tp59hK3P1C6SUwusQOdDFZx+0ZS\n2kAYb1kOMbQvd5UvHrUnircB2dZAOs1Ccy6WoFpCjoeONODw0O3hSA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUaGtsa3hHM3E5YVM5SDZC\ncUw5aTVHMlVJRGJPYUR4eE5pRzBXeTczSGtRCi9PaEY4TVJCalBhTUcyRVBGc2lT\nREJrZ25FMG5rVlN4cVg2L3E0OVZ3bFEKLS0tIGswWktrZnIvb2tiNm1WZE52M2NO\nV2htcG9MSnVhSzIveTdpNmR5MHFIMlkK3QC6C7UGvVZbO89DONJWuFLF7bNnr4gm\n8hDvpTwurL8GpdbXRBwjp7ZhzlTkXR3QmOetgPPvDdyYhb/YcnQocA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-17T15:13:14Z",
+		"mac": "ENC[AES256_GCM,data:W2GFjGzFNbA7rcJDDqN4xWModtAe1IOlpsqR4VSg0TJNtLcQOSpzKHM/jd/wGu7yEA+5qRIPw5b8zBhTIqjTHEZv/OgGW1VU9xACNnYIbZj2E6dR5XkMo7Kk4pcClfUrn+mcoFb3qDRUmot4hIoOGwxYlzZCd1AWIoA0LsMwl7E=,iv:N03rEnwGDnnhfQTSr+ustojxUvuAzBRm62W+FPURuKM=,tag:bwYrwKAwi56KAy2iL/QVMQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-id/users/rpqt b/vars/per-machine/verbena/gitea-s3-storage/access-key-id/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/gitea-s3-storage/access-key-id/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/machines/verbena b/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/secret b/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/secret
new file mode 100644
index 0000000..ece12ff
--- /dev/null
+++ b/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:Qw4KdJ8oqtZisPqpgrh7n069YPGjO7t3GE2XLEfFnnvU5UcbIoV77lx8A5d6K0F9OGtR3b2Oo4ka5bPPNI9pCA==,iv:hXORx3mNALVMk2i9MxVebWE/+PY9OZ3Sbu3+enBY3To=,tag:0MPUB3JWDnetR54MSfZt8Q==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNWZjdFp6\nREY1ZlkyRHBLQWptQ3NhazRqaWNWWlhtM002emRzdW0za3FUQgovV1FsRnZkaGcv\ncjNQVXdrV3pBYitsKzBvQU1oL0RmQ1Z2VXFwc1JoNHlrCi0tLSA2L29oK24rbXU3\nWnZ0cE9WYnAxL3UrTzh2L2JZYnZqRGVTL2cyVkszRG9JChpjCgxxGP32VP0yLPmt\n/ocT8e7KkZwAXj2+AJIL74Pb1cUyNZXIOs52bLAnx0scLH0ytx/Jyvf4ePLVDX3v\nu6Q=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMktuQXY5\nS3dMOFNJb3lzRWlSSVB0bDBvQ1JLL3doQlF2YVE5bGErVHlpSApqQnBVS2JoTGR5\nVUFuTnd3VTlhRWJldGQ0cndIdEpwMnN6VkRIWEovSjdBCi0tLSBOczljN3JyeDdS\nd3hyaHBPS3gwSjNzVlZRSTVSNlRhTUUvVEhIMkMyRXIwCje0iEVypMLnwLbTBYM5\nJmHJ1ChPp95TfxviEcKUiNXXx9uY3uIQ38G33FwI3qN+Bd3dGSkHHqZjyelqcJaO\ngPs=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTk91SlRGZWlRa0Q5OURZ\nNDAvREExZkQzeExXL1pJTzA1dWxEQU1LZ3p3CkxQWUxxWk5aQTBkdFBrU0daZlI4\nWW1tdGVQODFWU2JZYldabWVYNVJwdkUKLS0tIGRmSzl2eVdPUXBEWW80QnlzdTgx\ncFdqZzMya0Y0K1lFcnYwd0lnWUhpcGsKSpu0myQpuVRO9eOyO543sKf/Z+YZeo75\nDqdsI6deQZnW+0NPy9zI0CXTFkjv7KNG//2G8LbscjV9PziO5ArvXQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoL3pmWUJwYTFqSjRJaGZ6\nMmJwQ21EU240NlJLa3JpUW9QSy9FNno1VERzClhjaWxOVXVPT2piM3pSL3d6QlFm\nMmp1VWExQnV5c2tNMnlNNDlWWTU2U2cKLS0tIC84S2JEUzJXNWVzemRLR2Y5OEhk\nNFFUQTk0b1Mzc3dWSXFra0tJb0gyQXcK7Iw2Oy2dNzazO7Ok8cEwT0lhfL9l9JdS\n9vrk71zRCCNe6UdDQoOYqAukTbT4YKAS2W7AmHH/g0Y9xIJGHpYB/Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-17T15:13:14Z",
+		"mac": "ENC[AES256_GCM,data:WH9GzcZM9ii4CHvtqCoqoKHCFK0S3OQM9x1cO/gkgRftFsO85jSnBUCtiPhRahvTffZT42sN4ZqDBq/LSKYEXB2iJWcN9StpTLs196wPzLyJhSrhY9jEy0JuxoTAhvcAC1MKPW+TsfC4SO9xazvEqShnP2z/BTYhzrgE5lsDDEE=,iv:eD7iBUopEKc5X/l8DowrBthYNPB805+AhuCCZq+fYeY=,tag:fTRAPEH0WXIW8SNso5FmdQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/users/rpqt b/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/gitea-s3-storage/access-key-secret/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-id/value b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-id/value
new file mode 100644
index 0000000..33bebdc
--- /dev/null
+++ b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-id/value
@@ -0,0 +1 @@
+GK0380f708a7baab9385e45ae9
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/machines/verbena b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/secret b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/secret
new file mode 100644
index 0000000..493a6c2
--- /dev/null
+++ b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:ekQgkyM4yo8LHVmN2ixGaIaz4quZiMFVhpD7d4K+s4fXKrL/Tc+so+bIxHQj3UlGgYAOvIqWHRZ/aqDZzFGGjw==,iv:bnYpVa1Ug6mhUsGSHPonVBT6g6Bhu+f8O+i8ieRtDik=,tag:jGScke0h1OHKj1DL31JhjA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaTg0OStI\ndDZzSGtucnplSmpnUndxZnNZMGF1NTRiZkluNy9tTFk2U0xTYQo2elhYbHlkZTlX\nVlZ6SjJtQTJXUzQ3Q25QaGFVdnZYS1Flc1dycG1RREdNCi0tLSBPTFBydDlpMW5l\nR1FKNlNLdE91eFBJcDZrcERiTGEzRjBkUXRIYTVTTTFBCrehdm6kPGFqTr2AbQ0f\nLBNGf3/lPIca/KW7NQS3IKMFh1xsx1EFEbxkUm37/LvQzlpzDCyyfEaKEBjBei1b\nczk=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdmF4QkVw\naEpWaGlsUVVJZjBKd3BpaFZMbVZtNVFTWFBlVXFxdnhBNlJ1cQpUY0pPV0pmWWln\najdYajArNythcm94d0x6L29PSHlFT204dW96RjBpNlNZCi0tLSB6TXVPRGhkdVRH\nb0lNMllpazZlbFNsNVFGdEt5Sk9aNmZ3ZFhWajkxZTFFCpdwi6IV1i5UnYSgg830\n4L8vS9E/KyKCKzJzgrYVYxJ2Jn4nQsHotBxJgHpy+EhGyX9U61oPUCpCttodfi6a\nlMU=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwSUQxNDlTTVhIZ0l4SlRu\nb05JSzJVQTkxeEhDQ2lwbUk4SFdaV2I5UGc4CmtkM2J4bWRlZ0JqT2Z6VGlqQjcv\ndmNQbVF6STBTWGdjWXVWZ1gvME1UWmMKLS0tIHlGbWI0T1lQbnA0Z0NyN3lhUU82\ndUJTdjdwTTZ2N2lhMk1VL1l6bzFtWUEK3QaPsEpTMuemfvLvmOisEBN6JATMEJOA\nq3UCMhsYu37XLitAyrE6QydiYo4JhvZYoMX+Vrsq+qWCtm7+7KiVTA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5V1hpa3NldGNJU09XaFI4\nTEVWSWNuQ2wzd0FWdUdtQWhsY0hUNkttUDEwCkpBMVJLcHV0NUFBeEVyTUhCbXhu\nOVFvT3A0NUNiRmsraExPWmoxOTVXbWsKLS0tIEJ4WjBXZlkzRU11M3RkYzZld0tL\nS0FXcXhrOEZNZVBxbUhTODhtN2IrK00Kx22WHcIkC/IQmBBVtT41g/KHpnqyCSL0\n1XN0O6glllp4VQG/QqFljjGSqGp7x9DoC1/7RKRRJFh9PLAPK5W0FA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-17T15:13:14Z",
+		"mac": "ENC[AES256_GCM,data:cRSryYYPPVbdkodd63xa7h8DWHH5x5S8IforRB0pYLvbYEcCU88XHOZzJlnw6C42WB/wfYNeE09pG4uEcq8dTxRxseE3vzz+h46EBXQvjhPM/YKvNY5NMPkpda7NVmkABGCydB/MCWpRZBqR2DEyrc0V20/RNIYd7uHfYNi5dWg=,iv:3kLDivvmwa/4C4Nlq5dmaueDSaqxJT+7W21j93yUdKk=,tag:9TZkivjH9C2UtiCDDFohkQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/users/rpqt b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/nextcloud-s3-storage/access-key-secret/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud/admin-password/machines/verbena b/vars/per-machine/verbena/nextcloud/admin-password/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/nextcloud/admin-password/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/nextcloud/admin-password/secret b/vars/per-machine/verbena/nextcloud/admin-password/secret
new file mode 100644
index 0000000..7157997
--- /dev/null
+++ b/vars/per-machine/verbena/nextcloud/admin-password/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:1MidunOjhcm7MZSfQSor8xrGR3KSM6CAPw==,iv:/QIxqzJ+115R0C8eH1T6gHeJ5HdDAWcLZzEvhpu9SnU=,tag:PvoxKpIz3nTPlHgMD/MQ2w==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBb3BKOGZw\ndC9oQTJKMDZqZUxZdzJMRjV6MFF3eEV3TEtHZnZQcjVSN2dJVwp2MlFseGdMUWgz\nenpONktML1B0aVFxNFNWVWZoc2I1NUI3cDBIUk0xY0ZnCi0tLSBrM0hzV3h5Ylh6\naHhxcWZLaVNqZWtueUFTdGpOUnRNNm5GSmd0YXoxanBvCtuxwSc3CToGHVflPDm5\nS33vbLLfD7+y9ZtYCyAmfZ9fSu6Go0vZxbGoIe3vdg9vvIOQoO7IWRdr805VQjc8\n+1w=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBNXBpcjNN\nY3BSSC9lakJUR1BOV0RqNEdEL3lPL3V4bHdaUHhBVlhleFVDMQo0ZWxyb2ZUTHV1\nQnYxUWw5cnAyTEQ0K2R5dGlXMUJwaGpRZmMxVGJ5SUpJCi0tLSAxZUxMcTlKL1dZ\nVzBMZm1XY2pVbEljQnlFR0VmbDNGVUE3U2N0dEVscmY0ConyoftT5dCvCP5iHF7S\n10DI9LZsyafIrCjhKjUxvwZ35sk52tZFxBs30WMZpDipctPXO5grmXtydYxDjjOI\n08Y=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3RlRMb01rOHJqTVRZY1Bq\ncGNTVlJXZGI4bU5tbHdKTXN0bUttTlZaQ3lJCnJjTitiZjNPQXIxdWJzeGtteWN4\nNFRrUVdsT0RDTVIydTN0OWRtS2pmZkEKLS0tIDVyN01CenVVSE55OE1xZ2dNUnE4\nWEhLeEhEbnlyaUVYS01XcU1rV3FmT00KLGcgKGhhWgf12XbPy8VEqeoObyfEoPXF\ngofpkwyQ8havZnGsbwqJDaD9KSxtLb16vyam82Nr2wlNAxoQdMnDSg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZlJYa0wybHdRUVBaK2ph\nTWJ4L3pCa2gyRTdMQjNQMTNDY3JPZ01UbVVjCk1RSkdlNGxib05BV014Qm1FdHFG\nNEdiWkM1dlhINXdWT09jK1Nub3dVYmsKLS0tIENacE4ydFNUSHdseDFnKy9qVk9a\nUlE4VkQxUUVGYUZNQWtXVjFQMmhVTjAKeXpKLW/n5f24iudXBG9tAptzKfDD0QMR\nWf2PazgiqOpBpBBRAoxV1nXseUMI6Q9ORsddyfa0BTGlX8BJknizFw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-17T15:13:14Z",
+		"mac": "ENC[AES256_GCM,data:3ljtqcuR64WFghGRQT5sSQtnHE8XhaaYZTZljGVmb9LHpY2p0GVCzyEBTFj4t3RoOfaRh4NGxR5FGGn03WTghN604zXAZZokdq3jDZANXtu5F46dmtaN3JZPPpQof6tq+lNfuYQZBGFxSHd1Aq3iuIOTXLFyox7Pw5ECDHsw690=,iv:b/uFAqMc4KCMscztPxUQ7VTBq0IT9+iIb6U2+xCKlg4=,tag:1Zu11VuTry0fcsXq/Fx6jw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/verbena/nextcloud/admin-password/users/rpqt b/vars/per-machine/verbena/nextcloud/admin-password/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/nextcloud/admin-password/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/openssh-cert/.validation-hash b/vars/per-machine/verbena/openssh-cert/.validation-hash
new file mode 100644
index 0000000..e0bfa42
--- /dev/null
+++ b/vars/per-machine/verbena/openssh-cert/.validation-hash
@@ -0,0 +1 @@
+ac6a5c1a1f92820a01374e2f28f5e230bc28104313a3c01c5bfa91ee112805e5
\ No newline at end of file
diff --git a/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value b/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value
new file mode 100644
index 0000000..8b9264c
--- /dev/null
+++ b/vars/per-machine/verbena/openssh-cert/ssh.id_ed25519-cert.pub/value
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIERlRW05oWOKBoc6WXhIbkMsu/GGjZ7GtsDWGbilP6FQAAAAIOFmER+Rjwzfr/GLrD3kItVEEdhPTIjUFgSbhNOJtNJVAAAAAAAAAAAAAAACAAAAB3ZlcmJlbmEAAAAYAAAAFHZlcmJlbmEuaG9tZS5ycHF0LmZyAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgYTtHXal+9FJexLwzAySnnt+5z43bBzhVxcBjCj94knsAAABTAAAAC3NzaC1lZDI1NTE5AAAAQN93JKKLUpCkdj2D2wHbhn8MK3JH0PMUuQqBLUqK29+YlRlPZI9ZesKK0JsAnraDLyn7UEg7cyt0cXRkCPfcqwc= /tmp/vars-ifid6s0y/in/openssh/ssh.id_ed25519.pub
diff --git a/vars/per-machine/verbena/openssh/ssh.id_ed25519.pub/value b/vars/per-machine/verbena/openssh/ssh.id_ed25519.pub/value
new file mode 100644
index 0000000..a9778c7
--- /dev/null
+++ b/vars/per-machine/verbena/openssh/ssh.id_ed25519.pub/value
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFmER+Rjwzfr/GLrD3kItVEEdhPTIjUFgSbhNOJtNJV 
diff --git a/vars/per-machine/verbena/openssh/ssh.id_ed25519/machines/verbena b/vars/per-machine/verbena/openssh/ssh.id_ed25519/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/openssh/ssh.id_ed25519/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/openssh/ssh.id_ed25519/secret b/vars/per-machine/verbena/openssh/ssh.id_ed25519/secret
new file mode 100644
index 0000000..96f6b6f
--- /dev/null
+++ b/vars/per-machine/verbena/openssh/ssh.id_ed25519/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:rhT/tKlqv0mjlvVCExyYssF9gO2R145z+R4XT6vFYnmVwl8gparg2CGZjnFf7ukS/7Uh/yhG7lMIstd5kaLnmeop9EEclzXoIa4XP1s4FAsb6oD/7PJtxuWF8cvDq+whwYtau8ci8HhkxazVu445rQYzmVOtttxDCwpol+3r+OP6Ey+dSITQ4n03X61bffQoBjnh4gT5wpaMaOEh6B6D1Tzp4NuitdUIBqKgBUi/LSeejePIamkGdhxRJ8ZNua4y9NcrDDxYhwzPkNirQB/Bc6urbaNRKVqdMKhNG4gT0tXkuestfiHwHpjrq0Ymuy7d/RF1M5cLXIY4Hjix8qXh8GfpyxPYBSXilRy9nmgc1k9MkPQvmxdGNis71XxI1oF3rA+wa3VRjJS+Kc+Hu+9aBUr2YY9FrUO3kQg977ttUOyJO9ihrNvlsgDmm/y7cOpQ5Fx7TkSd32ugOG2TtHJTk8+L0j56Xb1kPuoQ3P92gB5I+X0bflYDf1IftgFD/M2lHIRd,iv:9UymekNxnAfYblC3/9sYvenWS2370oD/fG4LHHsXz0k=,tag:Ywl9wF7w/QvYVIIjQ3mrdQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdi9ZNmVL\nYXhySkgyOE42U1Z2TStlUkcrRGQzRmg5eTRYOUN3bmYzeVVxaQpQckNvT200WVdr\nZ2FnM3ZXbmpFdGlMUU9hYlhQeUJJL3FkMG5rZFVnSCtvCi0tLSB6RTZOSFRtdm50\nazRTOVlxdzd1alNoRDhwYlVmTnI2SmlOUjExdVBHTGJVCtznop8akfkY5A/XO8OY\n+eB6YgNQaF8Tijoq3tM3ynifvLQGbQYMh/92N9wsFZs7K4ObsbdHbtNks6nMAWXd\neic=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBam1HMSt3\nTElLOGNsQmZwVmNMcm9CSWc5QUc4RkxjUEl0RURkeUZKZk1ZNQpzNDhVV0dlbnN4\naWZZY24xbDBiMVFRbmpOcDlhbGtGTjVqSnh3VjFIZUpNCi0tLSBCaFg3RWZWU2ZM\nclVBeUI2ZXJZMFpNd2NvOEJwTlFESVlqaG03UC8vZDJBCpqzxKfjr8oLfhXpEH/k\nP+m4pUdpFxWbSN79OjauXMsaCLiyNcRRh/stzgUVZSY06p8BjY54dXLxnFIwXGje\n5b4=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VWhMK2hwcUxhUURqc0ZN\nZkxHazFpL2VXbzYyN1AzeTBETVZRKzc5ckZnCmNvcXJOdGo5Uk10OHhYVVczd3BU\nNStPdlVHeks5c0xMUm5ITWJ6QkNROUkKLS0tIE1OT0ZXd0trL0VITzNvakhGNkxY\nVUtZZ3EweEZaNy9YMDdWS21xamp3SmsKdRWrBH3Urx8Ws8ND6kB7ZvKCNM4R9NQd\nMDfPhLWxm3QPAYUX+VOsqz7A+0/ppIF72WTEPDxcu9HF5X7a+dW7qg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuN1hPek1xQWIvazRXenZ0\nRk1OVFFtMUswalhxVU5tY0ZHUGFKbWV5bEcwCjJ1T1dXbng1VHVnWmdoUGNCZGtx\naGU0bnZnTWpETVIvTzM2T0g3SXE4MEkKLS0tIG9ZL3A4MTRsM2hqZU9IaE1tbkkv\nOGQwekJMWnFZWms4ekl0T3RjUCtiZ00KvEufhdEDX7wJKFY4qKgOEN0qNGEWrzeC\n7buI+inOG+40IGPQKDNEobhTthdvC/QOlcBrYb6YyMonXd5mzvs4Rg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T22:27:04Z",
+		"mac": "ENC[AES256_GCM,data:G1jAZtxL8+nZRrB9E2dU/huAH92eHl2ir7tuabZK9f3RnlqPXZRKvahESp4VuFSAEWhO0dCbgmvoG6qwDjmvb4oZsA5quouWs0JVJA9a/Z09KyqslLgKZA3zO8t/wMRYUX6uu+2NmvGZDCPt4WiWtMIJ+sFsIza0DyrsdmVJGYw=,iv:KveqtGOpq4vlqQYA9/rMJWLXJ74j3VZuu3MRc8s54Gs=,tag:E4ZUcAdv0ZRJ+Y0/xg80VQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/openssh/ssh.id_ed25519/users/rpqt b/vars/per-machine/verbena/openssh/ssh.id_ed25519/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/openssh/ssh.id_ed25519/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/root-password/password-hash/machines/verbena b/vars/per-machine/verbena/root-password/password-hash/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/root-password/password-hash/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/root-password/password-hash/secret b/vars/per-machine/verbena/root-password/password-hash/secret
new file mode 100644
index 0000000..60b11a1
--- /dev/null
+++ b/vars/per-machine/verbena/root-password/password-hash/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:trmjf2lKYlYKajTS2t2pSDVQB3X4NYFNdnapx+xAyGJGgQtGV/TCJDDP+9JsWgbv89+SARrQ1qNhl/tw/HZpaOE66kYhZSEtVpVzsGWAoSdKxQVvvNbySBo2Y1TOfg2JS+f+/O5MLiRoQw==,iv:a/4JT2zmH/uyMYEq7YNR7CoONowtQjRCEUGYTgKj2rU=,tag:2nqHveDnULuXnUWmaW7Rng==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNmgwNzVQ\nTWg2dHo5ek5McVNPcWV3ZXRlc0VSaCtxSlduYUtNejlEME1EdgpBalZXN1FBN2k2\nY3EwOGZkVFVFTjJ5RUZSUHIwNm1UN1ZJOGViSmZsRWU0Ci0tLSB5RnA4cmZPb3hC\nK0RlRWJvZ1RaTC9sQ05yQysxbUZvaVY5cHNLQlhqN1V3CtyWHyYRJFWh2HKUvYSe\nMezFaFiuAy+raN3I/okVQzP8oDHkOYL8EjFSH0YsYZOjeEH4nWuVFRWSD9s1OsAt\nZS0=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBKzRTWWt4\nVk9OQ3Qya2FzUEhjSUJDZXRMemdoWXp3WDVQaXRqN01CWE0zRQpQeVh5TXYxS0JO\neGo2ekRDZmtIaDRFUEt3bHpNcDNEYVpOQk5WNytBdU00Ci0tLSBUM1RnNmJ5Mjdi\nSUlxUVltVXFGMTNWa1Z5c3pGWkVhTGhFTG8vZzkwQUQwCnqSvJ32XEp0CAAcyzq7\nLSQJlNV90YiS1nQVcrJmK/vAtKYnWksrwEF/q2HryBl9t6UEWKrWccPdE0t9sKJV\n8Hw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISGlPNzlZVWY0WDQ3WGNa\nVmpWcXI0TEMzcEd1SElNZVBKancxdUh4U1FFClJOSFVoQmVLSDVXZldEbHJ5SWdS\nbjFDZUEvQnh0ZG1Vc1FmWGdONHlXNEUKLS0tIDFlMlAvblRlSkxIQUdDY0o0ZzU2\nWC8xdlE3RThTa0tjQWl3SWoraG01dXMKg3N3lY9Nq2MEwDPI68/x5SmQItOrrFw0\neq3ejjoarreaQY0gC4Q32fbTjvumhmEYbMObMUgs7tfET26TWSQ15Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSndOZ1Zka0FvdkY2YTlB\nT255WFFQUzR1bXNuakRYRjQzWTMwQWVDZUZnCjZhRldDYVgxcDVCS2NpZnY2bWQ2\nZWlXMFh5NG1HeG1ENEJRYnRZb0hobFEKLS0tIFdQLzQ0b2Q2bTFZbmxIYy9nTUwv\nN1ZUcUpHM0VFdVhSZkFEWlZrVnlGVEEKxDF/S1N8H+y5z5Ef9PeL3TNG17HnDMtM\nZXdf279bpDCP7NZXMXdSPS7CYsxEs6/O4oezTA0RfiCIVsRGPrJYfA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T22:27:07Z",
+		"mac": "ENC[AES256_GCM,data:tsDk5m3xnjQgLJcJ/Z8GRu0es1Y13vWUwmxQoZm7CkW8B1SWj4tb0JxBEpmulq5cBAsgIxa1U68N3ooWgV10tjmvy+789RCINi6SPwTzXNPFVuzGwWmfSxIIZqMEvoqAOAQ3CT95lHd5+Gti5XtoRDDniGi5gq/fTQjAXn5mCIc=,iv:JtrQjj3MxoY/GU7DKG7vOCZuIKOsM/ITdjfDuH0/UrQ=,tag:FZl+mjv1krHTqWeBR7pA1Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/root-password/password-hash/users/rpqt b/vars/per-machine/verbena/root-password/password-hash/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/root-password/password-hash/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/root-password/password/secret b/vars/per-machine/verbena/root-password/password/secret
new file mode 100644
index 0000000..4aa7bf2
--- /dev/null
+++ b/vars/per-machine/verbena/root-password/password/secret
@@ -0,0 +1,23 @@
+{
+	"data": "ENC[AES256_GCM,data:8KysUmawUtddgXWrH52syDDHO89TngtD3vVX6BWUJUuMfD2YaNCfQQ==,iv:d37zoPVJlRCsaQRJOqc08OoiwjclHu6yIwqHCGg0Nsg=,tag:YxwhlS32hvP0h2yo2BhCSg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeWV2YTNa\nTFhYYkxUcmtjV2Y2RC9xN21mM1BrbGZ0cjVlUWJGNmt1em5rbwpGR2IrbEI4OUF2\ndVIrSmVVNXF3dk1INmtIY2NpYnNpYjZYWmt0cmwzMEtNCi0tLSBVVkxpOTZESjAy\nd1dVVjBlbDRwZ2dlbm56ZTZMOC9EcDhDVTNqVE9YdzZFCrBb7pbTKjMh/MQBqmNe\nGhoktFc9quC6WpEJngRJ7lqRjXgIHxGlMUvhhebaQ1vwfMN5zQRa6DhwV+tb0R4V\npCE=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMFhKcGdkNkU5OUR1bENR\nRHkyOXZINCtNSmpMR1NUaU5YM3dlVGdLSGowCkRwWEtISHk1QW53WW53djNINmlu\neWxLOTk3QmRkYkhDb1BEMjAybmlmUkkKLS0tIGxZakVlaDZtOFJ5eWR2aFBFMTBY\nUDltU0IwMnZpL1VubENTeHhBbklDQVUKkma8t35fQqvZ7/RpCwfyPpndvzngehK9\npLcJXr64/eYlOrHBNWbnCodiRrBAVmc2nLgBZlG/rK2tjRvMWOEMuw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBbjNaRWt6\nd01IeXBHM0huQk4rRlJ4c00zd1h0WktLYzdHOWJoWGhQWnRrTQpyblZCYm02cDMz\nRjdwVkZscldieENsWmw1WXREQ2xPY2N3RzVyYUpnTDVRCi0tLSBSSEo1aXdXcTdy\nT1JLcFJaQWptNmhpZGx4QUNUZVl3V01ZU2ZjQkhVK1k0CrQtWlYxBIoB2+8BRf6M\nbQEStAJfuIOIOmP97xbMCpfo0O2kJttsWu0p9BmSMtyuOJQtqMu0edVqCEA0qf9v\nwkE=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T22:27:07Z",
+		"mac": "ENC[AES256_GCM,data:4rOTlVEL3hIzF52chd57/9lYPLpZCZDPzl73j9V0wtkT6/heVZgq0HjoHEMj2WY7kqRluPeUFpfwgD/t1ITKMPCwobDUH0qkkfStBGErKBxmFMQVM+iexqtwEEyDX61tERbB4tnwaLodMXs9QqiT0IZSfboIaXi2W8kcgzsk0J8=,iv:eaZCpx4td8tPk1dHO6GUe3UvKh8AXFKv+ABP+Jpzx+c=,tag:CAccNNNfOv6NfMtfBNWmMQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/root-password/password/users/rpqt b/vars/per-machine/verbena/root-password/password/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/root-password/password/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/state-version/version/value b/vars/per-machine/verbena/state-version/version/value
new file mode 100644
index 0000000..115ab7a
--- /dev/null
+++ b/vars/per-machine/verbena/state-version/version/value
@@ -0,0 +1 @@
+25.11
\ No newline at end of file
diff --git a/vars/per-machine/verbena/step-intermediate-cert/intermediate.crt/value b/vars/per-machine/verbena/step-intermediate-cert/intermediate.crt/value
new file mode 100644
index 0000000..3f7ba1c
--- /dev/null
+++ b/vars/per-machine/verbena/step-intermediate-cert/intermediate.crt/value
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAUGgAwIBAgIRALMIUcjKX/BUO1h5k+5GU7MwCgYIKoZIzj0EAwIwFzEV
+MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MTEyMjAyMDI0NVoXDTI2MTEyMjE0
+MDI0NVowHzEdMBsGA1UEAxMUQ2xhbiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATzv2ktJtY0x2czkJDKaTucQ9xuFdgKMRXRbcdHRW5e
+abKOEJ8BCWdaYQa9SKztMu5V9TTInqYo9+MqDLyyM9/To2YwZDAOBgNVHQ8BAf8E
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUkB4ETjcnhqUlXSQ1
+TvLMMrFK1hwwHwYDVR0jBBgwFoAUWdZmxk+2XBZzgVucaLlY3rD0p3owCgYIKoZI
+zj0EAwIDSAAwRQIhANpFk+c7h1VqH2x/zyyL82uZti6zbbYiteQ9RJ2jtqkbAiAv
+vKAz5q2poLKocrMBz4N2ABBr3Y6IO7kPCIvoXBrEMA==
+-----END CERTIFICATE-----
diff --git a/vars/per-machine/verbena/step-intermediate-key/intermediate.key/machines/verbena b/vars/per-machine/verbena/step-intermediate-key/intermediate.key/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/step-intermediate-key/intermediate.key/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/step-intermediate-key/intermediate.key/secret b/vars/per-machine/verbena/step-intermediate-key/intermediate.key/secret
new file mode 100644
index 0000000..5823b0b
--- /dev/null
+++ b/vars/per-machine/verbena/step-intermediate-key/intermediate.key/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:QviBFbMDWAFaeuBSOCTA+qnQZlOIK1KZVK/6GzlsmouLxh1rytk6EGeSQycHAhQwuddinTfU3VKGT2PZUmUhOinHrcf3RBlD+QMRUSf4Ikj4Q5dCwW3agSe7fzRutRVTA5cjBQaKnWPllYmy4+l3Am9UfOPwz8nETzvMK2IfttaQf4w6KJOvg/mxT2OM96pzRIcITLBeNpZI6Jxjds9LQVcisEwpQyxbJ7qi5QnICq5wTtlhh6fGaYM38FTLcSi7NIspP3BN8teX8oOdY01JjnXpIuMSKVQSya6RPUWTEQ36hlY=,iv:E/SCmZoEGVu1ou3Co+kEXDm6cJFrLrvSTbfdkeHrkIU=,tag:+4ACjvUtTT22r4uepTfWjg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBOFA4L3Zr\nZUdYZDBSUCs0RitKajdveGlJbUE2ZFhiV3lsNGFrOUdHenZoOQpxQVZKVTdrYzRp\nVGVPSGpjQTBGYkFYWFplL3dON2dCNDgycFpmYW9QZU93Ci0tLSBnZjVOc1RON0x1\nWGxRS3I0UTJqVXEvTlpINS84OFRJcmZVdnNUTmNkSlZjCmOjq4Dj8c2iGswQvHU6\nyT5DIFwIWhsKb26z2zpcVajp2kdYpdunoCJfYt8FeIRg1cl/zL/HeH5NcO6XxGhM\niS8=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBb0ZHNUx4\nT0NOcTJxR1BLRFQvdFc0U3l2eTlrNFZQTU9Ua1RrNXJrY1ZlawplTk1sNE1Yd2dt\nQzJOZGYwdVRVV0JkR0pPaGFzdzI4TEtxWEFYdmoxcmtnCi0tLSBIckk3ZXp2Z1RN\nN3g1VFV1UjRxYmUya1IrOXRZK09HZmZqdFl4VWUxc0MwCn530MbLBtgL3bkNwVP2\n3udSFE3EnObtaOnqrlEbggrpLPWMR23plqGV2t9mC4a+xyDXESgnrRlSYbwwVw1T\nE84=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNW1WSXZISk13Z3JRTUFC\nT291cnpsb29WMG4yYTh3eWlrK0k5ZmpTV0JvClZpMk01aUREWHgzbGZhZjJHM1BQ\nSDkrMkdQOW83UWRQbFZvUUlHWHU3YkkKLS0tIDZTaFhqeVpYODNReUU0ay9GMWd2\neDZ5bUlXZXRiVlY1Nm1UQktxK0FmWTgKwUw3iHRnF1rAEFCyWTCCbtVWoWIPSVR9\nuCY+sPNHqZZlJ8AotgXl6ogcolx7ztbcgU4L0wuqfPeLZkE5t5sB5Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQmlFaUxWS3BZTjRqMFVm\nZVVRcXA3NzNQNGpzVGZVNzB5QUVvTFZnNG1vCmtUUk9jdy9GQ2YydjErUENYU0cv\nb0RXTEROSXREQ3hFM0k3TFpXUDV3TDAKLS0tIDZCbitTNTRaL2I5SlZ1SUhvQWQ3\nTXJSazBOSFh6cHg4UlpwaXo4ZFliamcK6E//G58skkbC50OTFgxNIShCdMY7BoMz\nK2NJidEtpExXA1fo+/D6xA9kuh5poCOxinfTS25ONP+xhWIpchs0cg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-22T14:02:44Z",
+		"mac": "ENC[AES256_GCM,data:9MuR8Na+/sEhfuTBrgHk2ydsUgo3UIQYzS4PMWIwCcqKTzZ4rqB2Xynq0PCsqq+3l/ZadtzDwB8gRP6m0f+wL3ZUY8lMG74lek6mBLLAaIUZSflgg24V2o0naKWCZVXWld2GKWDOxupUM5bWYE6SLwhOuepSZ4JMH59mD925v9Q=,iv:aKzJFPgfVqqpETySdFIM0+MVGr8IFcy0M2lzbWVPjAM=,tag:vZyPNmwcF5l1PgyMBjtp4g==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/verbena/step-intermediate-key/intermediate.key/users/rpqt b/vars/per-machine/verbena/step-intermediate-key/intermediate.key/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/step-intermediate-key/intermediate.key/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/machines/verbena b/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/secret b/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/secret
new file mode 100644
index 0000000..bd161fb
--- /dev/null
+++ b/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:Le4PZ5jFQXxJYGb8LgjrK4xWbjGvVgRziD1IYove4qmoIYfxNmbb8zZxctZA,iv:PqFFN7WM9oMXk1w8S3Gcqv5nIpaB7KrcqCIsX0L2ONg=,tag:SpVwb//AdQUmMhFf0RzMWQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBdzdLbjBX\nTEw5eWhaK2h0MTE2bDBGczQwZXpQZUx3bGZ5THdqNVRpaCtQNApnMEdybTNFMmJY\nanZ6M1J5bTltT2N2dGRDRldvVjJNc1dva2RNSDF2azVrCi0tLSBEWTBvUERwdVlz\nRE55UkdLSHNGREN3TTFZdVFkbW1pOFJuU2cxRTJpQXhRCiPuchb1k8uEctJJH7+/\nMRpRSYQoX1SVcSXGLhbVimVelCPddjIBmdqmnayJl91dBU6UKP2nTGJWOOunFFQj\nGLc=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMW1jMHY1\nNnhUU3R2bkRmbCtzQ1ErWEVLdmY4amhob1MxNG1CTWhhREFoMgpMSDV2LzdlZXQ1\ndzdDS0tjQmFNRHVxb1dDS2psS1lFdklqMlM1dTIrbWh3Ci0tLSBOVlZXLytmUGs4\nRytFNllOVzBmUlNGV0NZUXBDUTYyU2UxWXFuUmw4d1ZJCkaqdnvc0xNwNDvMjVyO\nx+Y5MOXIrjOnOu1IgGo1NKsrfOW315sP2fuVxgVBF2UW+3pGYu+3FE/z8Yqbk3BE\nJWw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvV1NHaFRLTUNtWXhkNjgz\nd0dyaThweVIzc2M5VjZrUHFmcER6cWJna25nCm5iL1JTdDFwRlhJSTRWYlBmaTh4\nOGpULzZGZFZiMlpvNHU3enhTd3hUdWcKLS0tIEJjbjBET0RISXBFZjRGTC9OMWJY\nekloMmVhRzhSQzhhcHZhNzh6NEhnUEkKeFExfpKJ7VbHjKVDB/HAptqg/flCkeOy\nSZ0IlXrQtCiYXVq2uebrLxxkcNKp3exd60YOUZLBHTUjuUspqwV4cA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3OVY2MmRZWVJqeHJiclho\nbTFXSzExM1kvTi9CdEMxakZ1aWtxMGJXMGxrCnlSUSs2RmROTG1WaXprbVpnYzZr\naytWSXFOdDFhSHBTQm9xVXh4Y1hiTGsKLS0tIFcydlZ6NWJ2VVBFbm5meEMwalRT\ndDBXb1UzN3dCMUkyK2Exa1lsTDNpKzAKQLQKn4NwQwSnPauRTWytIX6FxzUzF17S\nTw8HQV0BZ6z6Dv0wbzGMwTRudGRM6f26RWXvgYHny1nBahSOvnzUxg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-21T15:59:22Z",
+		"mac": "ENC[AES256_GCM,data:5b0R/lLXv2WL5WJ1p+lzzvU11VshSrs20eND7sROcvZ+9bIC0sX8wAozyTPMsPvXEMpgDk2HWkULaJH//zZ6jjC8i+b9c4vOvj+qF02uea6+KwhC/ZvAhZzNkHe53zyLcfI+N8/p2tPkZwEZfpNln36GKRtyxHQrzlCmSrRWrpI=,iv:gSN7EpfGZexA1pEIKel3Q6V2SPWXbfUXtHF2LqTm14E=,tag:JWkTFLOxsRP/phNLKBQONA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/users/rpqt b/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/wireguard-keys-wireguard/privatekey/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/wireguard-keys-wireguard/publickey/value b/vars/per-machine/verbena/wireguard-keys-wireguard/publickey/value
new file mode 100644
index 0000000..3ecfd22
--- /dev/null
+++ b/vars/per-machine/verbena/wireguard-keys-wireguard/publickey/value
@@ -0,0 +1 @@
+KiRDNfRjn9Y8HmHuFdK4CgJyY5p9QLjgMAwhYJB+qzY=
diff --git a/vars/per-machine/verbena/wireguard-network-wireguard/.validation-hash b/vars/per-machine/verbena/wireguard-network-wireguard/.validation-hash
new file mode 100644
index 0000000..0a8e2fa
--- /dev/null
+++ b/vars/per-machine/verbena/wireguard-network-wireguard/.validation-hash
@@ -0,0 +1 @@
+bb4d45d8f4c57db556ce4fb89236761a1fce2b7815628b103932b895230c3acf
\ No newline at end of file
diff --git a/vars/per-machine/verbena/wireguard-network-wireguard/prefix/value b/vars/per-machine/verbena/wireguard-network-wireguard/prefix/value
new file mode 100644
index 0000000..de23f70
--- /dev/null
+++ b/vars/per-machine/verbena/wireguard-network-wireguard/prefix/value
@@ -0,0 +1 @@
+fd28:387a:90:c400
\ No newline at end of file
diff --git a/vars/per-machine/verbena/zerotier/zerotier-identity-secret/machines/verbena b/vars/per-machine/verbena/zerotier/zerotier-identity-secret/machines/verbena
new file mode 120000
index 0000000..e061a4c
--- /dev/null
+++ b/vars/per-machine/verbena/zerotier/zerotier-identity-secret/machines/verbena
@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/per-machine/verbena/zerotier/zerotier-identity-secret/secret b/vars/per-machine/verbena/zerotier/zerotier-identity-secret/secret
new file mode 100644
index 0000000..61b5991
--- /dev/null
+++ b/vars/per-machine/verbena/zerotier/zerotier-identity-secret/secret
@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:msrulcai/A5C7SmFzRsIgpAWFft6fHURoVQCPLYjEIQcWOm9K8mPpeX8Wy6tLp5Sz1Ts9WC5RCq4G4baXWYi4YZ/sP0shJVHQnSjJbqNTw40NN07snlpSiwyGK8zU/RGyS9jxA6SHAiw5kCFZwdLbkVVHwgGIzxq1a6fztMr1gEjfPHILZ7hkEoNGIA/Z9/ry5b7gFdFLdjW3EfjBGdDJX8+Vk+QPqHJEYM9vR5kb86XkH1ZSaKtKaG/vIvYm932iZUP+J/MGee7RC5epvYKUgdKj3Py3w4YQNO0IY7gyzgio3Qr/qQaclN9kPY9rwG6WPbPT46SxJAzzqzzhkx9wJJyLSiFwm8nW+Nfy1km,iv:8F/sYFTc0fiIgTFmssM1nVeG1OZnqS0nXU5ap7QyK88=,tag:BvWwqQPX1QSTyzavUvIhVQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBaVZUeFlj\na0JnRTN0K0JwUGszck1xMS96ckdjUEtpRjJkUjFyT2Vqd2lJYgpuR0JsVStGLzBu\nYWhUVmxDM05teXdnTytJU2ZsMmJuRmlMTWRmUDJBL0Z3Ci0tLSBFYjVLeGVuMUFV\ndDkycmVpSWZIRnMvWVFoKzJXVHBqZ1ZsU1BLMEhTS0NzCuhvoZEAlqVtFfdy9j1i\nz+ZAkIBvFd35D/lXxr2oTcYbEjYziPNUA5Iy+sSQ7/La+yZ4CVAEIRCgp8tWSi/A\ncOo=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBMnAzdkUz\nY3lmRS9BVkdrbkxFb3FPblJHRGhzdWptMlRkWVVrQU9wd1pvUApTaTNWSTdnQVRV\nblFzeFNCRDRxbzI3SyttVk10bFFvWVpDZzUveHlScXpjCi0tLSBPbzNsZzFBZVkx\nQnduMmM4alFRTXNvMllmM284Wi8xdm8wbnZ1RDN3UTRNCmeiu77z9pFT9jjcdSkS\n99Wc8y+JdrhfBlpso9zfFD7IbI+pTC2DDmy5hKTLMet7MKebB5LtmT5Cll/Xqhbz\nun0=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbFIyTVJxdEpnQzNDeGZ2\nOUt0WG04THZNbDBORDNGTWljZ25kVGpMY1NvCmhnUmp4UFJZWHl0b1ErZWJpTkpa\nenVWcnRyeS9hQjlrRkxNQ2VLc3dpMzQKLS0tIElFNkpPZHZ5ekhhMitJdWQ1Ti83\nVHVyQnAxblFLK1hrbG9qNXdyQm1GR0UKEVtE1Rpt5Yn0b4S/YGksLslk4O1E+F6i\nSEzI8QD6JOpFBBoGxjWiihzGyyalqcnaLP9E6fW6yAkI5GC1GogkUg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwa0hKZlZyb1QrQmlSZkFM\nZzNTeVNraTVWWDJFeWEyM2RaUVZET0swUVh3CnpGNDA1cGFhYnIzWS95Y0M5U1BK\nckdrM240MWtyZDJjL1FlRHdweFFWWEEKLS0tIGpLbkZwcGJtRmdHNEpCaXZNU0FR\nTHdpOUh6c1dVNUtpbWE2SHV5MTVSblUKClOTFz/FzLlK1U2WsfUdQ3m9t49vzDtf\n6c7vIHOlBr6C/N3CufIozyohjfFP3DabtzaA4cVI85kU9Alx86y+QQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T22:30:18Z",
+		"mac": "ENC[AES256_GCM,data:cTWCHpWFF7uWtJd6xlCeKdbkr3yv2yD635NGxKzkMgCJRy5SGsyMD6KtaPE3IH62JPZ7ssWzJmHfC+aqlFUaqLQeEoExkz+SCpxDHHQtRjsB7zvSB2Hemkp4E3Tg9KpC9Y2Hhmhn+yYjoDPEJiol9XI0n+Yf5B5ojKyVA8mqC/o=,iv:4D+P3In6v4TzEsZ+xXMzUGDA0smK7BnDsvu09jNLmok=,tag:X3UumaiLPCTl+xmIcXUFcg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/per-machine/verbena/zerotier/zerotier-identity-secret/users/rpqt b/vars/per-machine/verbena/zerotier/zerotier-identity-secret/users/rpqt
new file mode 120000
index 0000000..c6af5c7
--- /dev/null
+++ b/vars/per-machine/verbena/zerotier/zerotier-identity-secret/users/rpqt
@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/per-machine/verbena/zerotier/zerotier-ip/value b/vars/per-machine/verbena/zerotier/zerotier-ip/value
new file mode 100644
index 0000000..ecb2750
--- /dev/null
+++ b/vars/per-machine/verbena/zerotier/zerotier-ip/value
@@ -0,0 +1 @@
+fd80:150d:17cc:2ae:6999:9306:9a0e:c197
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/machines/crocus b/vars/shared/garage-shared/rpc_secret/machines/crocus
new file mode 120000
index 0000000..1ca5db3
--- /dev/null
+++ b/vars/shared/garage-shared/rpc_secret/machines/crocus
@@ -0,0 +1 @@
+../../../../../sops/machines/crocus
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/machines/genepi b/vars/shared/garage-shared/rpc_secret/machines/genepi
new file mode 120000
index 0000000..be44d39
--- /dev/null
+++ b/vars/shared/garage-shared/rpc_secret/machines/genepi
@@ -0,0 +1 @@
+../../../../../sops/machines/genepi
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/machines/haze b/vars/shared/garage-shared/rpc_secret/machines/haze
new file mode 120000
index 0000000..0bcd94e
--- /dev/null
+++ b/vars/shared/garage-shared/rpc_secret/machines/haze
@@ -0,0 +1 @@
+../../../../../sops/machines/haze
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/machines/verbena b/vars/shared/garage-shared/rpc_secret/machines/verbena
new file mode 120000
index 0000000..de62703
--- /dev/null
+++ b/vars/shared/garage-shared/rpc_secret/machines/verbena
@@ -0,0 +1 @@
+../../../../../sops/machines/verbena
\ No newline at end of file
diff --git a/vars/shared/garage-shared/rpc_secret/secret b/vars/shared/garage-shared/rpc_secret/secret
new file mode 100644
index 0000000..c92b38a
--- /dev/null
+++ b/vars/shared/garage-shared/rpc_secret/secret
@@ -0,0 +1,39 @@
+{
+	"data": "ENC[AES256_GCM,data:/lXB/mx52rLK4TzJgkyHYleiKQLX/FYVRdgSPrg1+cLzpMxHFRUfedoovKC4ibFHNhnLO3p54TAd353xiINvrX8=,iv:kbcqCEC6/i58u78HQRTXaozOrrdNS3PEMrGfHJqxuKY=,tag:2s/7ZGLok5BRbn25h2wetg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeTZmMjE0ME9mZU1UTXNu\nNFdtbFFZT2YwODJtTkwrUlRzNDNZTWdQVFNNCkZ3YWpLWmxJMXRnNmkyYnIzU1Jv\nc2dyRUZSblM5b1hFazlUMVZmU1BpVUEKLS0tIDRKTTJPeFJiOGtjQjRuQ0xqd2lE\nNkFBblRKT1dPR3FmbmVlWVlVWkFyUGcKloraZGC3O2nMPx/4Zoy8yqGZiSP4ocyM\nsxWW6IYOrvKL6P6cP5OXV3fnHTQ2jjbeurrWNDJ+V4YMIVI1ZkEqig==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBL2p0cTVj\nOUxvb2ttREpka0ExQmxYRHczVi9RWElJemFOMWJFQ2tVQkR3cQpmdjdXM3o1NFZa\nVkZ4Ukgra3FQNjV3Yk16d0ZXb0lMdXdrRTV2OXo3T0pjCi0tLSByK2ZiTS9SV2JM\neTM5VE1jRVhPTUpwTnhBMU4xU1k2MWVHdE5iTVA2N0JNCi9wVqdMPBoo/RTrgWAt\nfBnxtMedy5+uSWjX6KV0OiydeOERCawIkaZPx9KWFoPQc74SCw1PQv4IeG5gk0ge\na6k=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBZ24vZXZl\nSDM0Sk1HeUh5V2VoZjhyekZ5alg0MlFsNXAvT1FlbUhya3JFNQpjZHZXSTVSZXlH\nUlF1RGdNSWFNSlV4V2phcnBrWENEQWxnSk5kTEVocERRCi0tLSBTZGhVZVA4bW5M\nZlpzYzZPMzQyQytpM0RRcldJcTJrUmwzVWZzSkxjTTFNCmTG9lZ5yzS0k11DV672\nbBb+wMpqsSgq05ObCs7EVcnYDLMOQ6L2yMJ8UH7V/tUiT0+kAq36Wfc2O0CafXYW\n+yY=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbmJZSGllbUNiellkWGlO\nQ2VINUZYQnoycnRYZDVnMmxxaW5EdHJqTlc0Ck84ZjVKRnp2cG9HSkRnWnpWZmRX\nUXhtVmF0bWp0WmVVdXBEU0s5ZmtIbk0KLS0tIE5sOW1ES3V5T2JCUmhKcnBQNFB2\nL3g5L015NFk1T0p3U0xTZWRNRVNlNzAKo1V3RVUwP9wCRCbFeOYEE5gAoWglUmAW\nLSUWSJSLU6L/BwHfp1iakKof9Y9sKdYsVWjelftLGEJp6QbkohjQbA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtOE90L3BUZFBsQ1hoemdx\nYTFTdTVmRUJFSVU1R0pZTmNQOGxGTmtsTFFzClhHYi9iN1BvSmc0aGpnNHczYUdS\nKzRYbGMrRWQvaWpyR001YTV1MEErOW8KLS0tIFR4M21SZGNucDN4N1Y0K3RERzJZ\nQ3E2MENzUWxwOVpDUnlzMko0bWRvVVEKoaMGCVivMJHUZriTgCkSDEaeCh45BcHG\nb5jgClScpwqqq/P5Smr+SL+OgaX28ibG+kPRSp0yIfOdfsd/ox6kPA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xkp0rmm5xwxurdxq3a0lxc77pjh5z4dylddvnf6ktrghyfhcxq4sdk3ysn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OTVuUlphY2FiVHlpbGp6\nQlFiRWczTEkxUVcvb2V2R1E1TUFZM0pYSnhjCitaL2VSa04veU5vN0o0RWNneDdu\nNmIwMk4ycDJkSXIzV0xwaElPbEZhb1EKLS0tIDltVWErU2t1U0FoVHlhSW9DRFg1\nYmFRM0NWQlpNeGxjTzJHYXN3dzNZeUEKs/Jsj6iDHGIDHYN57MUYaYG5oKHFU6ZY\nug4YR9rOh889PF4xq3w51wJJiSEnQKfVrtNTaj67gxBXXC/EHI7fOQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZUN4ekNyMjdRNW10ZUVU\nSDZOcVVraStneVl3eEJCVzdhWWIrQ0phRXlVCk5Ob2NwRHhqWnJtQ3RFUXlvRjgx\nanpuL25ST2Zva0JQVlJ5Z1FEbHo5QzgKLS0tIGJSV3pYcVU1WXcwUmdqa3dYam1M\nalpmbUVqSkZabXpCM25JZGp3cnRxWHcKNCXjj8zvR+cqXq2XkEsYkMSI+b1NLwh6\n1pkRibsoyhQwzC0vkMdYQV4Kt9SzheFqKTuNhthW9J5I0Jf4R9lR6A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-19T21:51:53Z",
+		"mac": "ENC[AES256_GCM,data:wJObpbZ91sGruEO043TWY1UdqMjBxEKMHUQOkw8xfMCmqgsRp12fqJKqK/jFZD4FZyJSw8WKrVKEklx7+9v4GGH4udS1KSrypm0UVmhIMV1/X1FANL0ZZ80Yqt9mnSOcRcLPaAHjqeD6NfB/rss5wCRwqeqdwjlfGyMr1bUHPOc=,iv:fFYsziILeWLVSyOZ48AcmGZEtdEOOi3FBTGpATbsP7U=,tag:uT4nj2WuELKRLitZeuRElQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
diff --git a/vars/shared/garage-shared/rpc_secret/users/rpqt b/vars/shared/garage-shared/rpc_secret/users/rpqt
new file mode 120000
index 0000000..825a187
--- /dev/null
+++ b/vars/shared/garage-shared/rpc_secret/users/rpqt
@@ -0,0 +1 @@
+../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/shared/openssh-ca/id_ed25519.pub/value b/vars/shared/openssh-ca/id_ed25519.pub/value
new file mode 100644
index 0000000..2613f81
--- /dev/null
+++ b/vars/shared/openssh-ca/id_ed25519.pub/value
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGE7R12pfvRSXsS8MwMkp57fuc+N2wc4VcXAYwo/eJJ7 
diff --git a/vars/shared/openssh-ca/id_ed25519/secret b/vars/shared/openssh-ca/id_ed25519/secret
new file mode 100644
index 0000000..b8904d2
--- /dev/null
+++ b/vars/shared/openssh-ca/id_ed25519/secret
@@ -0,0 +1,23 @@
+{
+	"data": "ENC[AES256_GCM,data:sPSi5gWzieSktKNwVzD+c0WhCFt2u/FtsiKfwkpFceKbzyLLqBWQwyF9/CrAfExMky230YxA9atQxilpZLTZ0zmuk0D7Mi4xLsF+G9sFdyKz2DFuBHZ1hQZNiVAsQlHLvqcDtdixgo0gHfjHJ9t0eH+q4tgVJe0QhhzmcDSj0EjrE3SUnxzTszS0ZHL4X+Wfx+lrJtL8Do5eSXKXcoQHS8d6bOW/psLA8AHNJypOMlplXd4vASXPJmj9RQ1GFdzSFz5TZoyxShBuImukcLO6EoTc2TXtAclbN5JLHEbvx9I5K4S74WR7amtYV/8g1tquZ5nHVxVHr4sFY3pHDUuMvGdiVgVbrBwK4iJ5GtAUU81jCQzZ1MwtT74cldFXfwJIUAHbV0s4cSNQpH+f2bYO2uyVhykpIuLmI23Vb1ezRJqW1cGcg0VRoBRoduxQzOAeI1LE4EuniH/w1xtdKmn2XTMwwl6YetT1KbPBRMVScqcEF2ZadJV3X7hJFh0awn1cSWsG,iv:Kjm+58JsE/FCEYEpYIEVwjRuWYWaLP8VrysgsZGDs6g=,tag:xdlA9tvtw9cm8YFW64a+pw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeDczWEw4\ndGQydE1DN3RRRFpDQm1RWUcrOExaY0w3dEtLN2wzL0RDU0NkRQoydVBFOFY2eHpD\nUWk0T2V6cUNxZFZBZ1U4NS9adzc2ZXlUcWVRZGNscURzCi0tLSBpZ3VoYXhGdldS\nMVFralNzaTRQMEhVT0xRdEJDcUxPNHFOY29NUnh2K2ZvCjflIFoO8/97HXz0893D\nnNc5EVMRMNhJbDb/Nj4MCafNrf3JeN3jWmCX1IA5AZqMt2Nq2SB1Itx8iaIcRq0t\nlTY=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBaURsSGZ3\neFRLVCtjYW90bytBcG1MUHpXdVpYZHVZK01tcVpJOWRBYitsUgp3RTE1UUFOUjVV\nRGcvbFJ0MUpFdnVUYmVuN2pUVkdEdDdjSFlwRGZPWVhJCi0tLSB4WWNRMEM3ZDVX\nMUVXUklPbkFVcjBGcU14WjZpTTY0RlFvYXB2STRtSEpZCmTYPzBXojpndrIeuMi+\nj4oGZRPWKkx0EMORJFBIR1YQJhjjVrnrv7BbWYRGPkcS1mJZH2x4IgmUz7ZTfN5F\njuw=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByY1pvaWhUSnZqeFl4blo1\nNGtRN2g2Tit1OFFxTnVvV1VSVFFjVlpjUVNvClRBTldvb2NEaHA3Vi80L3pnTzly\nOFBYMUUyLzhtdmNraXJCQmJ5bGxIWlEKLS0tIGVRcFJ6MmdjL2VuVUdVbCtnM1Bi\nbW9Bdm5OdWJRSUwwYWdaSXFEbzhsOW8K5dda6d6wkUvMYU3PpTLG65RWxdH/3ewB\n+yakGuatvZP1nJo7THhHXyZ9dQ2CMOnnOFi0W8W4hVcgBNWc8HR2xg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-15T14:18:28Z",
+		"mac": "ENC[AES256_GCM,data:mOSflPXxdKtJH6dfmR41msVSp1Bcc7M4eBpFQFsTe5edUa8qWKjOeBnIN0U7Sqm7fQngOmfxIzqViaPCqSFg4TX01F4Trv6gcMUErF9OqIl+HbkZKHQxPIktXnb0OX95V85GsRvwUrLKX5l6PwQrPK+ovCHr9NjcUos2T4vlJkc=,iv:HSWHk5J+lPuiNBppKuJHRLwjcvm+H4DqBTlvR+mHUTk=,tag:PkKNbxHu61iuidj0MhkiaQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/shared/openssh-ca/id_ed25519/users/rpqt b/vars/shared/openssh-ca/id_ed25519/users/rpqt
new file mode 120000
index 0000000..825a187
--- /dev/null
+++ b/vars/shared/openssh-ca/id_ed25519/users/rpqt
@@ -0,0 +1 @@
+../../../../../sops/users/rpqt
\ No newline at end of file
diff --git a/vars/shared/step-ca/ca.crt/value b/vars/shared/step-ca/ca.crt/value
new file mode 100644
index 0000000..02fc004
--- /dev/null
+++ b/vars/shared/step-ca/ca.crt/value
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBcjCCARegAwIBAgIQBATaX7P9gLOPdEvyU6ulFDAKBggqhkjOPQQDAjAXMRUw
+EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUxMTIyMDIwMjQ0WhcNMjYxMTIyMTQw
+MjQ0WjAXMRUwEwYDVQQDEwxDbGFuIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQ3PdFudbQHMrKLU59IeUqw1kUOwTAWco5d4fLUrz5JpaSDsq0UJT1j
+wayaUeFstMGEQqOZ5nqle7UC64G7Wn1Lo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYD
+VR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUWdZmxk+2XBZzgVucaLlY3rD0p3ow
+CgYIKoZIzj0EAwIDSQAwRgIhANS0Pn0MmVx3w6+h0686NBrvobqt6Tue9/WlkAW6
+mJTlAiEA5j8DHm66BnmlYlCqQaz9wuAQ4q+g26XqWvvlEFkpYuo=
+-----END CERTIFICATE-----
diff --git a/vars/shared/step-ca/ca.key/secret b/vars/shared/step-ca/ca.key/secret
new file mode 100644
index 0000000..318a2ba
--- /dev/null
+++ b/vars/shared/step-ca/ca.key/secret
@@ -0,0 +1,23 @@
+{
+	"data": "ENC[AES256_GCM,data:eJ0fq3tBFpJmKad1zQoY/2EczN1tnER8Mxo8erioOUBi0caiH3BRUdHQzLU9gbfbmr2CX6X0PzX1G5TknROF4d0n7pK4lLzlH+/zXX9niLkZKf4sNibUcAa6xwaUu+bQZPdrbMsxz0hFjztTHfhhcEkqTwImYcJxtmKNQTc0qJSq7C4j82QVJzN+rvAnuEBp3pXMnqbbpmmUG4D6oIvdR8f5e5E8qe/fO13s8EglU583/sTV5Jm/dMPvyQVhL2U18GiRAXCTcJ8abHU1yczMU4aZKqpQwinG1pLg267IRxvrSaM=,iv:+NWxLy+HEtZ2m8eJGk6Y6t0B96QhdLa7zBtLEMz1KRM=,tag:7ccHbUUEW+GX/TsfBHzdXw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeFJhbU82\nY1d0TUlsdW5paksvZG5ZNXBIUERCQ0F6dnhFdmFyK2krK09vMQozcmxVTEJEdWYr\nRjkyWFJucmJpSVg0YWRWdHczdnE4c0V3cHVmcVpzTHowCi0tLSB5ajZvb2xsbUQw\nM1RKdElsaEZzREFLUjBSYndwbTNtNzJWNXpMQ29QeGtzCrUf6JJLxT4HMiMoyKEw\nJfY8r6arxomgg3cexPcjJhU/efRMKwkDwr8ophyui/1aNAo6sBrcww+XLWNhBG91\nkws=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUGFTWTdrdlVuS0pnV1dL\nVXg4c2hOYVlaVko0ZkdRbnVYYlovZ3FlZ0JFCjA5Y2F5am96eno0KzYvWkgwKytB\nYWhPTGRrSzZNaFIzek9JSlpQdmd5TVEKLS0tIFAwRWpOOGcrVER3YVBaekxXenZV\nd2dBU1VaT0szWWtOenpHWFJ0WmdwV0UKaDmXZwd4ZNrFcGGadq/M6Vf409UgPtO+\nyJ4KSMLJtTMhKN2PfP8BdprIDyS6zVDQoHAv+rmGdyOlIjrXzTT6xQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBN2plcTcx\nekErR2hFOTdZeGxEQ254NnNOZGpYZ0dVOVZlbTE1R1QvRmtJLwpEOVJnZlBKTjB1\nWmNTckU4NFpPL2FlTVJrMk5CYURoeG90cTlxbkU2VFJRCi0tLSBjcnZmK25EUGYz\ncWwvbFBzZmNIcEJGUmZ5T080aUQ5cUFiZi9UMy9oTldvChJ4z5z6qo9wbQyGzW3s\nTwLC/spurP0EetY9UWOFDeyCcIdkl2xYC7SvM+hrl/LmPxfyDpQwPBNBvgUsfQHe\nopU=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-22T14:02:44Z",
+		"mac": "ENC[AES256_GCM,data:Zua39bnqFiyDcf5aWMo/PcbjN8/EAecI/nOuQ7WwSE7KHhQ+wnYMDaeQFROYSjvlJdzn4upCeQCpid+k09ZSYE3upUdCVSiPqo+IFziE9kifs5if5LS1V39QKvHP5h2rXPrwS+bYPk8Z198HyX3SUu0yoU7DVZ+zrt4s9hbzuAA=,iv:NxsrTAhEYPvWGjG64n7mK7ABDXaLKHxYazqYfuP4giY=,tag:AbpEDuNkC3kBOtonVzdBdA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/shared/step-ca/ca.key/users/rpqt b/vars/shared/step-ca/ca.key/users/rpqt
new file mode 120000
index 0000000..825a187
--- /dev/null
+++ b/vars/shared/step-ca/ca.key/users/rpqt
@@ -0,0 +1 @@
+../../../../../sops/users/rpqt
\ No newline at end of file