Test new jellyseerr version

2024-12-17 17:26:57 +01:00
62 changed files with 13191 additions and 8820 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,88 +1,88 @@
 # Public keys are combination of host + user
 keys:
-  - &laptop_root age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
-  - &laptop_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+  - &sue_root age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
+  - &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
  - &gamepc_root age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
  - &gamepc_pim age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
  - &warwick_root age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
  - &niels age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
  - &atlas_root age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf
+  - &jefke_root age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02
  - &lewis_root age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
-  - &roeland_root age15qrzsk9t7uyuuy7m0xt3qzk3cmcsegt5wfe5zew4d8najwjnm30sfjc3pk

 creation_rules:
-  - path_regex: secrets/blocktech/colmena.yaml
+  - path_regex: secrets/sue/colmena.yaml
    key_groups:
      - age:
-        - *laptop_root
-  - path_regex: secrets/blocktech/nixos.yaml
+        - *sue_root
+  - path_regex: secrets/sue/nixos.yaml
    key_groups:
      - age:
-        - *laptop_root
-  - path_regex: secrets/blocktech/pkunis.yaml
+        - *sue_root
+  - path_regex: secrets/sue/pim.yaml
    key_groups:
      - age:
-        - *laptop_pim
-        - *laptop_root
+        - *sue_pim
+        - *sue_root
  - path_regex: secrets/gamepc/colmena.yaml
    key_groups:
      - age:
-        - *laptop_pim
-        - *laptop_root
+        - *sue_pim
+        - *sue_root
  - path_regex: secrets/gamepc/pim.yaml
    key_groups:
      - age:
-        - *laptop_pim
-        - *laptop_root
+        - *sue_pim
+        - *sue_root
        - *gamepc_root
        - *gamepc_pim
  - path_regex: secrets/warwick/colmena.yaml
    key_groups:
      - age:
-        - *laptop_pim
-        - *laptop_root
+        - *sue_pim
+        - *sue_root
        - *niels
  - path_regex: secrets/servers.yaml
    key_groups:
      - age:
        - *warwick_root
        - *atlas_root
+        - *jefke_root
        - *lewis_root
-        - *roeland_root
-        - *laptop_pim
-        - *laptop_root
+        - *sue_pim
+        - *sue_root
        - *niels
  - path_regex: secrets/atlas/colmena.yaml
    key_groups:
      - age:
-        - *laptop_pim
-        - *laptop_root
+        - *sue_pim
+        - *sue_root
        - *niels
  - path_regex: secrets/kubernetes.yaml
    key_groups:
      - age:
        - *atlas_root
+        - *jefke_root
        - *lewis_root
-        - *roeland_root
-        - *laptop_pim
-        - *laptop_root
+        - *sue_pim
+        - *sue_root
+        - *niels
+  - path_regex: secrets/jefke/colmena.yaml
+    key_groups:
+      - age:
+        - *sue_pim
+        - *sue_root
        - *niels
  - path_regex: secrets/lewis/colmena.yaml
    key_groups:
      - age:
-        - *laptop_pim
-        - *laptop_root
+        - *sue_pim
+        - *sue_root
        - *niels
  - path_regex: secrets/lewis/nixos.yaml
    key_groups:
      - age:
        - *lewis_root
-        - *laptop_pim
-        - *laptop_root
-        - *niels
-  - path_regex: secrets/roeland/colmena.yaml
-    key_groups:
-      - age:
-        - *laptop_pim
-        - *laptop_root
+        - *sue_pim
+        - *sue_root
        - *niels
--- a/README.md
+++ b/README.md
@ -3,33 +3,33 @@
 NixOS configurations for the machines I manage.

 Currently managed systems:
-
- **blocktech**: My current laptop, a ThinkPad P1 running GNOME.
- **gamepc**: My gaming PC running Cosmic
+- **sue**: My current laptop, a Dell XPS 9315. It has two flavours:
+    - Default running GNOME
+    - Specialisation running Cosmic
+- **gamepc**: My gaming PC running Cinnamon
 - **warwick**: A Raspberry Pi 4 Model B, which mostly does some monitoring
 - **atlas**: A Gigabyte Brix, one of my Kubernetes nodes
- **lewis**: A Gigabyte Brix, one of my Kubernetes nodes. Additionally, contains
-  my media collection and does backups.
- **roeland**: A Minisforum UN100P, one of my Kubernetes nodes
+- **jefke**: A Gigabyte Brix, one of my Kubernetes nodes
+- **lewis**: A Gigabyte Brix, one of my Kubernetes nodes. Additionally, contains my media collection and does backups.

 ## Deployment

 I use [Colmena](https://colmena.cli.rs) for deploying my machines.

 Create garbage collection roots like so:
-
-```shell
-colmena build --keep-result
+```
+colmena build --keep-result --experimental-flake-eval
 ```

 To apply to the local machine:
-
-```shell
-sudo colmena apply-local --sudo
+```
+sudo colmena apply-local --sudo --experimental-flake-eval
 ```

 To apply to all remotely managed systems:
-
-```shell
-colmena apply
 ```
+colmena apply --experimental-flake-eval
+```
+
+> [!NOTE]
+> Currently the `--experimental-flake-eval` flag is necessary to properly use Colmena with flakes. See [this PR](https://github.com/zhaofengli/colmena/pull/228).
--- a/colmena.nix
+++ b/colmena.nix
@ -15,9 +15,9 @@ inputs @ {
      };
    };

-    blocktech = {
+    sue = {
      imports = [
-        (import ./machines).blocktech.nixosModule
+        (import ./machines).sue.nixosModule
        ./nixos
      ];
    };
@ -43,16 +43,16 @@ inputs @ {
      ];
    };

-    lewis = {
+    jefke = {
      imports = [
-        (import ./machines).lewis.nixosModule
+        (import ./machines).jefke.nixosModule
        ./nixos
      ];
    };

-    roeland = {
+    lewis = {
      imports = [
-        (import ./machines).roeland.nixosModule
+        (import ./machines).lewis.nixosModule
        ./nixos
      ];
    };
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -2,26 +2,16 @@
  description = "My NixOS configuration";

  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
-    nixpkgs-oldstable.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    nur.url = "github:nix-community/NUR";
+    stylix.url = "github:pizzapim/stylix/master";
    treefmt-nix.url = "github:numtide/treefmt-nix";
    nixos-facter-modules.url = "github:numtide/nixos-facter-modules";
    flake-utils.url = "github:numtide/flake-utils";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    colmena.url = "github:zhaofengli/colmena";

-    stylix = {
-      url = "github:nix-community/stylix/release-25.05";
-      inputs.tinted-schemes.follows = "tinted-schemes";
-    };
-
-    nvf = {
-      url = "github:notashelf/nvf";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
    git-hooks = {
      url = "github:cachix/git-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -33,7 +23,7 @@
    };

    home-manager = {
-      url = "github:nix-community/home-manager?ref=release-25.05";
+      url = "github:nix-community/home-manager?ref=release-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };

@ -53,17 +43,16 @@
      flake = false;
    };

-    tinted-schemes = {
-      type = "git";
-      url = "https://github.com/tinted-theming/schemes";
-      flake = false;
-    };
-
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    nixos-cosmic = {
+      url = "github:lilyinstarlight/nixos-cosmic";
+      inputs.nixpkgs-stable.follows = "nixpkgs-unstable";
+    };
+
    nix-snapshotter = {
      url = "github:pdtpartners/nix-snapshotter";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -73,6 +62,11 @@
      url = "github:pizzapim/kubenix";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };
+
+    nixng = {
+      url = "github:pizzapim/NixNG/dnsmasq";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = inputs @ {
--- a/formatter.nix
+++ b/formatter.nix
@ -4,5 +4,5 @@
  ...
 }:
 flake-utils.lib.eachDefaultSystem (system: {
-  inherit (self.packages.${system}) formatter;
+  formatter = self.packages.${system}.formatter;
 })
--- a/home-manager/default.nix
+++ b/home-manager/default.nix
@ -5,6 +5,7 @@
  ...
 }: {
  imports = [
+    ./neovim
    ./firefox
    ./tidal.nix
    ./gnome
@ -12,7 +13,6 @@
    ./vscode.nix
    inputs.nix-index-database.hmModules.nix-index
    inputs.sops-nix.homeManagerModules.sops
-    inputs.nvf.homeManagerModules.default
  ];

  xsession.enable = true;
--- a/home-manager/firefox/default.nix
+++ b/home-manager/firefox/default.nix
@ -30,7 +30,7 @@ in {
          id = 0;
          isDefault = true;
          settings = firefoxSettings;
-          extensions.packages = firefoxAddons;
+          extensions = firefoxAddons;
        };
      };
    };
--- a/home-manager/neovim/bufferline.lua
+++ b/home-manager/neovim/bufferline.lua
@ -0,0 +1,13 @@
+require("bufferline").setup({
+	options = {
+		diagnostics = "nvim_lsp",
+		diagnostics_indicator = function(count, level, diagnostics_dict, context)
+			local icon = level:match("error") and " " or " "
+			return " " .. icon .. count
+		end,
+		separator_style = "slant",
+		hover = { enabled = true, reveal = { "close" } },
+	},
+})
+
+vim.keymap.set("n", "<leader>ft", ":BufferLinePick<CR>", {})
--- a/home-manager/neovim/cmp.lua
+++ b/home-manager/neovim/cmp.lua
@ -0,0 +1,43 @@
+local cmp = require("cmp")
+local luasnip = require("luasnip")
+
+require("luasnip.loaders.from_vscode").lazy_load()
+luasnip.config.setup({})
+
+cmp.setup({
+	snippet = {
+		expand = function(args)
+			luasnip.lsp_expand(args.body)
+		end,
+	},
+	mapping = cmp.mapping.preset.insert({
+		["<C-n>"] = cmp.mapping.select_next_item(),
+		["<C-p>"] = cmp.mapping.select_prev_item(),
+		["<C-d>"] = cmp.mapping.scroll_docs(-4),
+		["<C-f>"] = cmp.mapping.scroll_docs(4),
+		["<C-Space>"] = cmp.mapping.complete({}),
+		["<CR>"] = cmp.mapping.confirm({
+			behavior = cmp.ConfirmBehavior.Replace,
+			select = true,
+		}),
+		["<Tab>"] = cmp.mapping(function(fallback)
+			if cmp.visible() then
+				cmp.select_next_item()
+			elseif luasnip.expand_or_locally_jumpable() then
+				luasnip.expand_or_jump()
+			else
+				fallback()
+			end
+		end, { "i", "s" }),
+		["<S-Tab>"] = cmp.mapping(function(fallback)
+			if cmp.visible() then
+				cmp.select_prev_item()
+			elseif luasnip.locally_jumpable(-1) then
+				luasnip.jump(-1)
+			else
+				fallback()
+			end
+		end, { "i", "s" }),
+	}),
+	sources = { { name = "nvim_lsp" }, { name = "luasnip" } },
+})
--- a/home-manager/neovim/commentary.lua
+++ b/home-manager/neovim/commentary.lua
@ -0,0 +1,2 @@
+vim.cmd([[autocmd FileType nix setlocal commentstring=#%s]])
+vim.cmd([[autocmd FileType terraform setlocal commentstring=#%s]])
--- a/home-manager/neovim/core.lua
+++ b/home-manager/neovim/core.lua
@ -0,0 +1,9 @@
+vim.o.background = "dark"
+vim.cmd([[colorscheme gruvbox]])
+vim.g.mapleader = ";"
+vim.o.signcolumn = "yes"
+vim.wo.number = true
+vim.wo.relativenumber = true
+vim.wo.cursorline = true
+vim.opt.termguicolors = true
+vim.o.mousemoveevent = true
--- a/home-manager/neovim/default.nix
+++ b/home-manager/neovim/default.nix
@ -0,0 +1,91 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.pim.neovim;
+in {
+  options.pim.neovim.enable = lib.mkEnableOption "neovim";
+
+  config = lib.mkIf cfg.enable {
+    programs.neovim = {
+      enable = true;
+      viAlias = true;
+      vimAlias = true;
+      vimdiffAlias = true;
+      defaultEditor = true;
+      extraLuaConfig = builtins.readFile ./core.lua;
+
+      extraPackages = with pkgs; [
+        nil
+        pyright
+        gopls
+        terraform-ls
+        nixfmt-classic
+        stylua
+        black
+        nixpkgs-fmt
+      ];
+
+      plugins = with pkgs.vimPlugins; [
+        {
+          plugin = nvim-lspconfig;
+          type = "lua";
+          config = builtins.readFile ./lspconfig.lua;
+        }
+        gruvbox-nvim
+        {
+          plugin = leap-nvim;
+          type = "lua";
+          config = builtins.readFile ./leap.lua;
+        }
+        {
+          plugin = telescope-nvim;
+          type = "lua";
+          config = builtins.readFile ./telescope.lua;
+        }
+        {
+          plugin = vim-commentary;
+          type = "lua";
+          config = builtins.readFile ./commentary.lua;
+        }
+        vim-sleuth
+        {
+          plugin = gitsigns-nvim;
+          type = "lua";
+          config = ''require("gitsigns").setup()'';
+        }
+        {
+          plugin = nvim-cmp;
+          type = "lua";
+          config = builtins.readFile ./cmp.lua;
+        }
+        cmp-nvim-lsp
+        friendly-snippets
+        neodev-nvim
+        luasnip
+        cmp_luasnip
+        {
+          plugin = nvim-treesitter.withAllGrammars;
+          type = "lua";
+          config = builtins.readFile ./treesitter.lua;
+        }
+        {
+          plugin = bufferline-nvim;
+          type = "lua";
+          config = builtins.readFile ./bufferline.lua;
+        }
+        nvim-web-devicons
+        lsp-format-nvim
+        {
+          plugin = pkgs.vimPlugins.none-ls-nvim;
+          type = "lua";
+          config = builtins.readFile ./none-ls.lua;
+        }
+      ];
+    };
+
+    programs.git.extraConfig.core.editor = "nvim";
+  };
+}
--- a/home-manager/neovim/leap.lua
+++ b/home-manager/neovim/leap.lua
@ -0,0 +1,4 @@
+require("leap").add_default_mappings()
+-- Don't remap 'x' in visual mode.
+vim.keymap.del({ "x", "o" }, "x")
+vim.keymap.del({ "x", "o" }, "X")
--- a/home-manager/neovim/lspconfig.lua
+++ b/home-manager/neovim/lspconfig.lua
@ -0,0 +1,65 @@
+require("lsp-format").setup({})
+
+local on_attach = function(client, bufnr)
+	local bufmap = function(keys, func)
+		vim.keymap.set("n", keys, func, { buffer = bufnr })
+	end
+
+	bufmap("<leader>r", vim.lsp.buf.rename)
+	bufmap("<leader>a", vim.lsp.buf.code_action)
+
+	bufmap("gd", vim.lsp.buf.definition)
+	bufmap("gD", vim.lsp.buf.declaration)
+	bufmap("gI", vim.lsp.buf.implementation)
+	bufmap("<leader>D", vim.lsp.buf.type_definition)
+
+	bufmap("gr", require("telescope.builtin").lsp_references)
+	bufmap("<leader>s", require("telescope.builtin").lsp_document_symbols)
+	bufmap("<leader>S", require("telescope.builtin").lsp_dynamic_workspace_symbols)
+
+	bufmap("K", vim.lsp.buf.hover)
+
+	vim.api.nvim_buf_create_user_command(bufnr, "Format", function(_)
+		vim.lsp.buf.format()
+	end, {})
+end
+
+local capabilities = vim.lsp.protocol.make_client_capabilities()
+capabilities = require("cmp_nvim_lsp").default_capabilities(capabilities)
+
+require("neodev").setup()
+require("lspconfig").nil_ls.setup({
+	on_attach = on_attach,
+	capabilities = capabilities,
+})
+require("lspconfig").pyright.setup({
+	on_attach = on_attach,
+	capabilities = capabilities,
+})
+require("lspconfig").gopls.setup({
+	on_attach = on_attach,
+	capabilities = capabilities,
+})
+require("lspconfig").terraformls.setup({
+	on_attach = on_attach,
+	capabilities = capabilities,
+})
+
+local function has_treefmt()
+    local git_root = vim.fn.systemlist("git rev-parse --show-toplevel")[1]
+    if vim.v.shell_error ~= 0 then
+        return false
+    end
+    local treefmt_path = git_root .. "/treefmt.nix"
+    return vim.fn.filereadable(treefmt_path) == 1
+end
+
+vim.api.nvim_create_autocmd("BufWritePost", {
+    pattern = "*",
+    callback = function()
+	if vim.fn.expand("%:p") ~= vim.fn.getcwd() .. "/.git/COMMIT_EDITMSG" and has_treefmt() then
+		vim.cmd("silent !treefmt > /dev/null 2>&1")
+        end
+    end,
+    group = vim.api.nvim_create_augroup("TreefmtAutoformat", { clear = true }),
+})
--- a/home-manager/neovim/none-ls.lua
+++ b/home-manager/neovim/none-ls.lua
@ -0,0 +1,53 @@
+-- renamed to none-ls
+local null_ls_status_ok, null_ls = pcall(require, "null-ls")
+if not null_ls_status_ok then
+	return
+end
+
+local formatting = null_ls.builtins.formatting
+local diagnostics = null_ls.builtins.diagnostics
+local code_actions = null_ls.builtins.code_actions
+
+-- to setup format on save
+local augroup = vim.api.nvim_create_augroup("LspFormatting", {})
+
+require("null-ls").setup({
+	sources = {
+		formatting.stylua,
+		formatting.black,
+		formatting.nixpkgs_fmt,
+		formatting.mix,
+	},
+
+	-- configure format on save
+	-- on_attach = function(current_client, bufnr)
+	-- 	if current_client.supports_method("textDocument/formatting") then
+	-- 		vim.api.nvim_clear_autocmds({ group = augroup, buffer = bufnr })
+	-- 		vim.api.nvim_create_autocmd("BufWritePre", {
+	-- 			group = augroup,
+	-- 			buffer = bufnr,
+	-- 			callback = function()
+	-- 				vim.lsp.buf.format({
+	-- 					filter = function(client)
+	-- 						--  only use null-ls for formatting instead of lsp server
+	-- 						return client.name == "null-ls"
+	-- 					end,
+	-- 					bufnr = bufnr,
+	-- 				})
+	-- 			end,
+	-- 		})
+	-- 	end
+	-- end,
+})
+
+-- formatting command
+vim.api.nvim_create_user_command("Format", function()
+	vim.lsp.buf.format(nil, 10000)
+end, {})
+
+vim.keymap.set(
+	"n",
+	"<leader>fm",
+	":Format<CR>",
+	{ desc = "Format current buffer (also done on save)", noremap = true, silent = true }
+)
--- a/home-manager/neovim/telescope.lua
+++ b/home-manager/neovim/telescope.lua
@ -0,0 +1,17 @@
+local builtin = require("telescope.builtin")
+
+vim.keymap.set("n", "<leader>ff", builtin.find_files, {})
+vim.keymap.set("n", "<leader>fg", builtin.live_grep, {})
+vim.keymap.set("n", "<leader>fb", builtin.buffers, {})
+vim.keymap.set("n", "<leader>fr", builtin.lsp_references, {})
+vim.keymap.set("n", "<leader>fs", builtin.lsp_document_symbols, {})
+
+require("telescope").setup({
+	pickers = {
+		find_files = { theme = "dropdown" },
+		live_grep = { theme = "dropdown" },
+		buffers = { theme = "dropdown" },
+		lsp_references = { theme = "dropdown" },
+		lsp_document_symbols = { theme = "dropdown" },
+	},
+})
--- a/home-manager/neovim/treesitter.lua
+++ b/home-manager/neovim/treesitter.lua
@ -0,0 +1,9 @@
+require("nvim-treesitter.configs").setup({
+	ensure_installed = {},
+
+	auto_install = false,
+
+	highlight = { enable = true },
+
+	indent = { enable = true },
+})
--- a/home-manager/vscode.nix
+++ b/home-manager/vscode.nix
@ -12,22 +12,20 @@ in {
    programs.vscode = {
      enable = true;
      package = pkgs.vscodium;
-      profiles.default = {
-        extensions = with pkgs.vscode-extensions; [
-          vscodevim.vim
-          marp-team.marp-vscode
-          jnoortheen.nix-ide
-          mkhl.direnv
-        ];
+      extensions = with pkgs.vscode-extensions; [
+        vscodevim.vim
+        marp-team.marp-vscode
+        jnoortheen.nix-ide
+        mkhl.direnv
+      ];

-        userSettings = {
-          "nix.enableLanguageServer" = true;
-          "nix.serverPath" = lib.getExe pkgs.nil;
-          "terminal.integrated.defaultProfile.linux" = "fish";
-          "explorer.confirmDragAndDrop" = false;
-          "explorer.confirmPasteNative" = false;
-          "explorer.confirmDelete" = false;
-        };
+      userSettings = {
+        "nix.enableLanguageServer" = true;
+        "nix.serverPath" = lib.getExe pkgs.nil;
+        "terminal.integrated.defaultProfile.linux" = "fish";
+        "explorer.confirmDragAndDrop" = false;
+        "explorer.confirmPasteNative" = false;
+        "explorer.confirmDelete" = false;
      };
    };
  };
--- a/machines/atlas/configuration.nix
+++ b/machines/atlas/configuration.nix
@ -1,129 +1,27 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [./jellyseerr-module.nix];
+
+  disabledModules = ["services/misc/jellyseerr.nix"];
+
  config = {
    facter.reportPath = ./facter.json;
    system.stateVersion = "23.05";
    users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
-    pim.k3s.serverAddr = "https://lewis.dmz:6443";
-
-    pim.backups.borgBackups = {
-      freshrss = {
-        paths = ["/mnt/longhorn/persistent/volumes/freshrss"];
-        deploymentName = "server";
-        deploymentNamespace = "freshrss";
-      };
-
-      nextcloud = {
-        paths = ["/mnt/longhorn/persistent/volumes/nextcloud"];
-        deploymentName = "server";
-        deploymentNamespace = "nextcloud";
-      };
-
-      nextcloud-db = {
-        paths = ["/mnt/longhorn/persistent/volumes/nextcloud-db"];
-        deploymentName = "database";
-        deploymentNamespace = "nextcloud";
-      };
-
-      authentik = {
-        paths = ["/mnt/longhorn/persistent/volumes/authentik-db" "/mnt/longhorn/persistent/volumes/authentik-redis"];
-        scaleDeployments = false;
-      };
-
-      radicale = {
-        paths = ["/mnt/longhorn/persistent/volumes/radicale"];
-        deploymentName = "server";
-        deploymentNamespace = "radicale";
-      };
-
-      forgejo = {
-        paths = ["/mnt/longhorn/persistent/volumes/forgejo"];
-        deploymentName = "server";
-        deploymentNamespace = "forgejo";
-      };
-
-      syncthing = {
-        paths = ["/mnt/longhorn/persistent/volumes/syncthing" "/mnt/longhorn/persistent/volumes/keepassxc"];
-        deploymentName = "syncthing";
-        deploymentNamespace = "syncthing";
-      };
-
-      ntfy = {
-        paths = ["/mnt/longhorn/persistent/volumes/ntfy"];
-        deploymentName = "ntfy";
-        deploymentNamespace = "ntfy";
-      };
-
-      hedgedoc-uploads = {
-        paths = ["/mnt/longhorn/persistent/volumes/hedgedoc-uploads"];
-        deploymentName = "server";
-        deploymentNamespace = "hedgedoc";
-      };
-
-      hedgedoc-db = {
-        paths = ["/mnt/longhorn/persistent/volumes/hedgedoc-db"];
-        deploymentName = "database";
-        deploymentNamespace = "hedgedoc";
-      };
-
-      atuin-db = {
-        paths = ["/mnt/longhorn/persistent/volumes/atuin-db"];
-        deploymentName = "server";
-        deploymentNamespace = "atuin";
-      };
-
-      paperless-data = {
-        paths = ["/mnt/longhorn/persistent/volumes/paperless-data"];
-        deploymentName = "server";
-        deploymentNamespace = "paperless";
-      };
-
-      paperless-redisdata = {
-        paths = ["/mnt/longhorn/persistent/volumes/paperless-redisdata"];
-        deploymentName = "redis";
-        deploymentNamespace = "paperless";
-      };
-
-      paperless-db = {
-        paths = ["/mnt/longhorn/persistent/volumes/paperless-db"];
-        deploymentName = "database";
-        deploymentNamespace = "paperless";
-      };
-
-      immich = {
-        paths = ["/mnt/longhorn/persistent/volumes/immich"];
-        deploymentName = "immich";
-        deploymentNamespace = "immich";
-      };
-
-      immich-db = {
-        paths = ["/mnt/longhorn/persistent/volumes/immich-db"];
-        deploymentName = "database";
-        deploymentNamespace = "immich";
-      };
-
-      attic = {
-        paths = ["/mnt/longhorn/persistent/volumes/attic"];
-        deploymentName = "attic";
-        deploymentNamespace = "attic";
-      };
-
-      attic-db = {
-        paths = ["/mnt/longhorn/persistent/volumes/attic-db"];
-        deploymentName = "attic-db";
-        deploymentNamespace = "attic";
-      };
-
-      kitchenowl = {
-        paths = ["/mnt/longhorn/persistent/volumes/kitchenowl"];
-        deploymentName = "server";
-        deploymentNamespace = "kitchenowl";
-      };
-    };
+    pim.k3s.serverAddr = "https://jefke.dmz:6443";

    deployment = {
      targetHost = "atlas";
      targetUser = "root";
      tags = ["server" "kubernetes"];
    };
+
+    services.jellyseerr = {
+      enable = true;
+      package = pkgs.callPackage ./jellyseerr.nix {};
+    };
  };
 }
--- a/machines/atlas/facter.json
+++ b/machines/atlas/facter.json
--- a/machines/atlas/jellyseerr-module.nix
+++ b/machines/atlas/jellyseerr-module.nix
@ -0,0 +1,76 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  cfg = config.services.jellyseerr;
+in {
+  meta.maintainers = with lib.maintainers; [camillemndn pizzapim];
+
+  options.services.jellyseerr = {
+    enable = lib.mkEnableOption ''Jellyseerr, a requests manager for Jellyfin'';
+    package = lib.mkPackageOption pkgs "jellyseerr" {};
+
+    openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''Open port in the firewall for the Jellyseerr web interface.'';
+    };
+
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 5055;
+      description = ''The port which the Jellyseerr web UI should listen to.'';
+    };
+
+    config_directory = lib.mkOption {
+      description = ''
+        The directory to save run-time configuration.
+      '';
+      type = lib.types.str;
+      example = "/jellyseerr";
+      default = "/var/lib/jellyseerr";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.jellyseerr = {
+      description = "Jellyseerr, a requests manager for Jellyfin";
+      after = ["network.target"];
+      wantedBy = ["multi-user.target"];
+      environment = {
+        PORT = toString cfg.port;
+        CONFIG_DIRECTORY = cfg.config_directory;
+      };
+      serviceConfig = {
+        Type = "exec";
+        StateDirectory = "jellyseerr";
+        # WorkingDirectory = "${cfg.package}/libexec/jellyseerr/deps/jellyseerr";
+        DynamicUser = true;
+        ExecStart = lib.getExe cfg.package;
+        # BindPaths = ["/var/lib/jellyseerr/:${cfg.package}/libexec/jellyseerr/deps/jellyseerr/config/"];
+        Restart = "on-failure";
+        ProtectHome = true;
+        ProtectSystem = "strict";
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        NoNewPrivileges = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        PrivateMounts = true;
+      };
+    };
+
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedTCPPorts = [cfg.port];
+    };
+  };
+}
--- a/machines/atlas/jellyseerr.nix
+++ b/machines/atlas/jellyseerr.nix
@ -0,0 +1,89 @@
+{
+  lib,
+  fetchFromGitHub,
+  makeWrapper,
+  node-pre-gyp,
+  nodejs,
+  pnpm_9,
+  python3,
+  stdenv,
+}:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "jellyseerr";
+  version = "2.1.0";
+
+  src = with finalAttrs;
+    fetchFromGitHub {
+      owner = "Fallenbagel";
+      repo = "jellyseerr";
+      rev = "v${version}";
+      hash = "sha256-5kaeqhjUy9Lgx4/uFcGRlAo+ROEOdTWc2m49rq8R8Hs=";
+    };
+
+  nativeBuildInputs = [
+    nodejs
+    makeWrapper
+    pnpm_9.configHook
+
+    # Needed for compiling sqlite3 and bcrypt from source
+    node-pre-gyp
+    python3
+  ];
+
+  pnpmDeps = pnpm_9.fetchDeps {
+    inherit (finalAttrs) pname version src;
+    hash = "sha256-xu6DeaBArQmnqEnIgjc1DTZujQebSkjuai9tMHeQWCk=";
+  };
+
+  buildPhase = ''
+    runHook preBuild
+    pnpm build
+
+    # Fixes "SQLite package has not been found installed" at launch
+    pushd node_modules/sqlite3
+    export CPPFLAGS="-I${nodejs}/include/node"
+    npm run install --build-from-source --nodedir=${nodejs}/include/node
+    popd
+
+    pushd node_modules/bcrypt
+    export CPPFLAGS="-I${nodejs}/include/node"
+    npm run install --build-from-source --nodedir=${nodejs}/include/node
+    popd
+
+    runHook postBuild
+  '';
+
+  preInstall = ''
+    mkdir $out
+    cp ./package.json $out
+    rm -r .next/cache
+    cp -R ./.next $out
+    cp -R ./dist $out
+    cp ./overseerr-api.yml $out
+    cp -R ./node_modules $out
+  '';
+
+  postInstall = ''
+    makeWrapper '${nodejs}/bin/node' "$out/bin/jellyseerr" \
+      --chdir $out \
+      --add-flags "$out/dist/index.js" \
+      --set NODE_ENV production
+  '';
+
+  meta = with lib; {
+    description = "Fork of overseerr for jellyfin support";
+    homepage = "https://github.com/Fallenbagel/jellyseerr";
+    longDescription = ''
+      Jellyseerr is a free and open source software application for managing
+      requests for your media library. It is a a fork of Overseerr built to
+      bring support for Jellyfin & Emby media servers!
+    '';
+    license = licenses.mit;
+    maintainers = with maintainers; [
+      camillemndn
+      pizzapim
+    ];
+    platforms = platforms.linux;
+    mainProgram = "jellyseerr";
+  };
+})
--- a/machines/blocktech/configuration.nix
+++ b/machines/blocktech/configuration.nix
@ -1,80 +0,0 @@
-{
-  self,
-  pkgs,
-  lib,
-  inputs,
-  config,
-  ...
-}: {
-  config = {
-    pim = {
-      lanzaboote.enable = false;
-      tidal.enable = false;
-      gnome.enable = true;
-      stylix.enable = true;
-      wireguard.enable = true;
-      sops-nix.usersWithSopsKeys = ["pkunis"];
-    };
-
-    users.users.pkunis = {
-      isNormalUser = true;
-      extraGroups = ["wheel" "docker" "input" "wireshark" "dialout"];
-    };
-
-    deployment = {
-      allowLocalDeployment = true;
-      targetHost = null;
-      tags = ["desktop"];
-    };
-
-    facter.reportPath = ./facter.json;
-    home-manager.users.pkunis.imports = [./pkunis.home.nix];
-    nix.settings.trusted-users = ["pkunis"];
-    system.stateVersion = "23.05";
-    sops.defaultSopsFile = "${self}/secrets/blocktech/nixos.yaml";
-
-    environment.systemPackages = with pkgs; [
-      borgbackup
-      kubectl
-      nmap
-      poppler_utils # For pdfunite
-      silicon
-      units
-    ];
-
-    virtualisation = {
-      libvirtd.enable = true;
-
-      docker = {
-        enable = true;
-
-        rootless = {
-          enable = true;
-          setSocketVariable = true;
-        };
-      };
-    };
-
-    swapDevices = [
-      {device = "/dev/disk/by-uuid/949815d4-cfc4-4cf3-bbbe-22516f91119c";}
-    ];
-
-    fileSystems."/" = {
-      device = "/dev/disk/by-uuid/06710546-327b-402a-b221-8d88b75301d2";
-      fsType = "ext4";
-    };
-    fileSystems."/boot" = {
-      device = "/dev/disk/by-uuid/E547-7E6C";
-      fsType = "vfat";
-      options = ["fmask=0077" "dmask=0077"];
-    };
-
-    boot = {
-      initrd.luks.devices."luks-4cc1ad7c-a794-4c54-adc8-c9f666c9b781".device = "/dev/disk/by-uuid/4cc1ad7c-a794-4c54-adc8-c9f666c9b781";
-      initrd.luks.devices."luks-161f5109-c2d7-4307-91f6-27c655d6ab3e".device = "/dev/disk/by-uuid/161f5109-c2d7-4307-91f6-27c655d6ab3e";
-
-      loader.systemd-boot.enable = true;
-      loader.efi.canTouchEfiVariables = true;
-    };
-  };
-}
--- a/machines/default.nix
+++ b/machines/default.nix
@ -1,7 +1,7 @@
 {
-  blocktech = {
+  sue = {
    system = "x86_64-linux";
-    nixosModule = import ./blocktech/configuration.nix;
+    nixosModule = import ./sue/configuration.nix;
  };

  gamepc = {
@ -19,13 +19,13 @@
    nixosModule = import ./atlas/configuration.nix;
  };

+  jefke = {
+    system = "x86_64-linux";
+    nixosModule = import ./jefke/configuration.nix;
+  };
+
  lewis = {
    system = "x86_64-linux";
    nixosModule = import ./lewis/configuration.nix;
  };
-
-  roeland = {
-    system = "x86_64-linux";
-    nixosModule = import ./roeland/configuration.nix;
-  };
 }
--- a/machines/gamepc/configuration.nix
+++ b/machines/gamepc/configuration.nix
@ -5,6 +5,7 @@
 }: {
  config = {
    pim = {
+      cinnamon.enable = true;
      sops-nix.usersWithSopsKeys = ["pim"];
    };

@ -31,24 +32,27 @@

    services = {
      openssh.enable = true;
-      displayManager.cosmic-greeter.enable = true;
-      desktopManager.cosmic.enable = true;

      xserver.displayManager.lightdm.extraSeatDefaults = ''
        autologin-user=pim
      '';
+
+      sunshine = {
+        enable = true;
+        openFirewall = true;
+
+        settings = {
+          sunshine_name = config.networking.hostName;
+          origin_web_ui_allowed = "wan";
+          credentials_file = "/home/pim/.config/sunshine/sunshine_credentials.json";
+        };
+      };
    };

-    boot = {
-      loader.grub = {
-        enable = true;
-        efiSupport = true;
-        efiInstallAsRemovable = true;
-      };
-
-      swraid.mdadmConf = ''
-        MAILADDR pim@kunis.nl
-      '';
+    boot.loader.grub = {
+      enable = true;
+      efiSupport = true;
+      efiInstallAsRemovable = true;
    };

    disko.devices.disk = lib.genAttrs ["0" "1"] (name: {
--- a/machines/gamepc/pim.home.nix
+++ b/machines/gamepc/pim.home.nix
@ -14,7 +14,6 @@
      vlc
      handbrake
      lutris
-      chromium
    ];
  };

@ -22,5 +21,6 @@
    defaultSopsFile = "${self}/secrets/gamepc/pim.yaml";
    # TODO: should be set automatically?
    age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+    secrets."sunshine_credentials".path = "${config.xdg.configHome}/sunshine/sunshine_credentials.json";
  };
 }
--- a/machines/jefke/configuration.nix
+++ b/machines/jefke/configuration.nix
@ -0,0 +1,14 @@
+{config, ...}: {
+  config = {
+    pim.k3s.clusterInit = true;
+    facter.reportPath = ./facter.json;
+    system.stateVersion = "23.05";
+    users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
+
+    deployment = {
+      targetHost = "jefke";
+      targetUser = "root";
+      tags = ["server" "kubernetes"];
+    };
+  };
+}
--- a/machines/jefke/facter.json
+++ b/machines/jefke/facter.json
--- a/machines/lewis/configuration.nix
+++ b/machines/lewis/configuration.nix
@ -2,7 +2,6 @@
  self,
  config,
  pkgs,
-  lib,
  ...
 }: {
  config = {
@ -19,100 +18,9 @@
    };

    pim = {
-      k3s.serverAddr = "https://atlas.dmz:6443";
-
-      backups.borgBackups = {
-        bazarr = {
-          paths = ["/mnt/longhorn/persistent/volumes/bazarr"];
-          deploymentName = "bazarr";
-          deploymentNamespace = "media";
-        };
-
-        deluge = {
-          paths = ["/mnt/longhorn/persistent/volumes/deluge"];
-          deploymentName = "deluge";
-          deploymentNamespace = "media";
-        };
-
-        jellyfin = {
-          paths = ["/mnt/longhorn/persistent/volumes/jellyfin"];
-          deploymentName = "jellyfin";
-          deploymentNamespace = "media";
-        };
-
-        jellyseerr = {
-          paths = ["/mnt/longhorn/persistent/volumes/jellyseerr"];
-          deploymentName = "jellyseerr";
-          deploymentNamespace = "media";
-        };
-
-        prowlarr = {
-          paths = ["/mnt/longhorn/persistent/volumes/prowlarr"];
-          deploymentName = "prowlarr";
-          deploymentNamespace = "media";
-        };
-
-        radarr = {
-          paths = ["/mnt/longhorn/persistent/volumes/radarr"];
-          deploymentName = "radarr";
-          deploymentNamespace = "media";
-        };
-
-        sonarr = {
-          paths = ["/mnt/longhorn/persistent/volumes/sonarr"];
-          deploymentName = "sonarr";
-          deploymentNamespace = "media";
-        };
-      };
+      k3s.serverAddr = "https://jefke.dmz:6443";
+      data-sharing.enable = true;
+      backups.enable = true;
    };
-
-    systemd = {
-      timers.read-dir-sizes = {
-        wantedBy = ["timers.target"];
-        timerConfig = {
-          OnBootSec = "5m";
-          OnUnitActiveSec = "5m";
-          Unit = "read-dir-sizes.service";
-        };
-      };
-
-      services."read-dir-sizes" = {
-        script = let
-          script = pkgs.writeShellScriptBin "read-dir-sizes.sh" ''
-            DIRS=(
-              "/mnt/longhorn/persistent/media/movies"
-              "/mnt/longhorn/persistent/media/shows"
-            )
-
-            temp_file=$(mktemp)
-            trap 'rm -f "$temp_file"' EXIT
-
-            for DIR_PATH in "''${DIRS[@]}"; do
-                # Find all top-level subdirectories and calculate their size
-                find "$DIR_PATH" -mindepth 1 -maxdepth 1 -type d | while read -r subdir; do
-                    # Calculate the size of the top-level subdirectory
-                    du --block-size=1 -s "$subdir" | while read -r size path; do
-                        # Print size in Prometheus format
-                        echo "directory_size_bytes{dir=\"$path\"} $size" >> $temp_file
-                    done
-                done
-            done
-            mkdir -p /var/lib/node_exporter/textfile_collector
-            cp $temp_file /var/lib/node_exporter/textfile_collector/dir_sizes.prom
-            chmod o=r /var/lib/node_exporter/textfile_collector/dir_sizes.prom
-          '';
-        in "${lib.getExe script}";
-        serviceConfig = {
-          Type = "oneshot";
-          User = "root";
-        };
-      };
-
-      tmpfiles.rules = [
-        "d /mnt/longhorn/persistent/media/torrents 775 414 51 8d"
-      ];
-    };
-
-    services.prometheus.exporters.node.extraFlags = ["--collector.textfile.directory=/var/lib/node_exporter/textfile_collector"];
  };
 }
--- a/machines/lewis/facter.json
+++ b/machines/lewis/facter.json
--- a/machines/roeland/configuration.nix
+++ b/machines/roeland/configuration.nix
@ -1,72 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}: {
-  config = {
-    facter.reportPath = ./facter.json;
-    system.stateVersion = "25.05";
-    users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
-    pim.k3s.serverAddr = "https://atlas.dmz:6443";
-    pim.hasK8sStorageSetup = lib.mkForce false;
-
-    deployment = {
-      targetHost = "roeland";
-      targetUser = "root";
-      tags = ["server" "kubernetes"];
-    };
-
-    disko.devices = {
-      disk.disk1 = {
-        device = lib.mkDefault "/dev/nvme0n1";
-        type = "disk";
-        content = {
-          type = "gpt";
-          partitions = {
-            boot = {
-              name = "boot";
-              size = "1M";
-              type = "EF02";
-            };
-            esp = {
-              name = "ESP";
-              size = "500M";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-              };
-            };
-            root = {
-              name = "root";
-              size = "100%";
-              content = {
-                type = "lvm_pv";
-                vg = "pool";
-              };
-            };
-          };
-        };
-      };
-      lvm_vg = {
-        pool = {
-          type = "lvm_vg";
-          lvs = {
-            root = {
-              size = "100%FREE";
-              content = {
-                type = "filesystem";
-                format = "ext4";
-                mountpoint = "/";
-                mountOptions = [
-                  "defaults"
-                ];
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}
--- a/machines/roeland/facter.json
+++ b/machines/roeland/facter.json
--- a/machines/sue/configuration.nix
+++ b/machines/sue/configuration.nix
@ -0,0 +1,97 @@
+{
+  self,
+  pkgs,
+  lib,
+  inputs,
+  config,
+  ...
+}: {
+  options = {
+    pim.cosmic.enable = lib.mkEnableOption "cosmic";
+  };
+
+  config = {
+    pim = {
+      lanzaboote.enable = true;
+      tidal.enable = true;
+      gnome.enable = true;
+      stylix.enable = true;
+      wireguard.enable = true;
+      compliance.enable = true;
+      sops-nix.usersWithSopsKeys = ["pim"];
+    };
+
+    users.users.pim = {
+      isNormalUser = true;
+      extraGroups = ["wheel" "docker" "input" "wireshark" "dialout"];
+    };
+
+    deployment = {
+      allowLocalDeployment = true;
+      targetHost = null;
+      tags = ["desktop"];
+    };
+
+    facter.reportPath = ./facter.json;
+    home-manager.users.pim.imports = [./pim.home.nix];
+    nix.settings.trusted-users = ["pim"];
+    system.stateVersion = "23.05";
+    sops.defaultSopsFile = "${self}/secrets/sue/nixos.yaml";
+
+    environment.systemPackages = with pkgs; [
+      borgbackup
+      kubectl
+      nmap
+      poppler_utils # For pdfunite
+      silicon
+      units
+    ];
+
+    virtualisation = {
+      libvirtd.enable = true;
+
+      docker = {
+        enable = true;
+
+        rootless = {
+          enable = true;
+          setSocketVariable = true;
+        };
+      };
+    };
+
+    swapDevices = [{device = "/dev/disk/by-uuid/96a43c35-0174-4e92-81f0-168a5f601f0b";}];
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-uuid/31638735-5cc4-4013-8037-17e30edcbb0a";
+        fsType = "ext4";
+      };
+
+      "/boot" = {
+        device = "/dev/disk/by-uuid/560E-F8A2";
+        fsType = "vfat";
+        options = ["fmask=0022" "dmask=0022"];
+      };
+    };
+
+    nix.settings = {
+      substituters = ["https://cosmic.cachix.org/"];
+      trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
+    };
+
+    boot.initrd.luks.devices."luks-8ffd3129-4908-4209-98c4-4eb68a35c494".device = "/dev/disk/by-uuid/8ffd3129-4908-4209-98c4-4eb68a35c494";
+
+    specialisation.cosmic = lib.mkIf config.pim.cosmic.enable {
+      configuration = {
+        imports = [
+          inputs.nixos-cosmic.nixosModules.default
+        ];
+
+        services = {
+          desktopManager.cosmic.enable = true;
+          displayManager.cosmic-greeter.enable = true;
+        };
+      };
+    };
+  };
+}
--- a/machines/blocktech/facter.json
+++ b/machines/blocktech/facter.json
--- a/machines/blocktech/pkunis.home.nix
+++ b/machines/blocktech/pkunis.home.nix
@ -1,54 +1,43 @@
 {
-  lib,
  self,
  pkgs,
  config,
  ...
-}: let
-  inherit (self.packages.${pkgs.system}) neovim;
-in {
+}: {
  config = {
    pim = {
-      tidal.enable = false;
+      tidal.enable = true;
      gnome.enable = true;
      vscode.enable = true;
      syncthing.enable = true;
+      neovim.enable = true;
      firefox.enable = true;
    };

-    programs = {
-      chromium.enable = true;
-      git.extraConfig.core.editor = lib.getExe neovim;
-    };
+    programs.chromium.enable = true;

    home = {
-      username = "pkunis";
-      homeDirectory = "/home/pkunis";
+      username = "pim";
+      homeDirectory = "/home/pim";
      stateVersion = "23.05";
-      sessionVariables = {
-        MANPAGER = "${lib.getExe neovim} +Man!";
-        EDITOR = lib.getExe neovim;
-      };
    };

    sops = {
-      defaultSopsFile = "${self}/secrets/blocktech/pkunis.yaml";
+      defaultSopsFile = "${self}/secrets/sue/pim.yaml";
      age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
      secrets."keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
    };

    home.packages =
-      [self.packages.${pkgs.system}.neovim]
-      ++ (with pkgs; [
+      (with pkgs; [
        jellyfin-media-player
        virt-manager
-        bottles-unwrapped
-        feishin
      ])
      ++ (with pkgs.unstable; [
        attic-client
        dbeaver-bin
        devenv
+        bottles-unwrapped
        gimp
        hexchat
        impression
@ -57,6 +46,7 @@ in {
        krita
        libreoffice
        # logseq # Has insecure electron dependency
+        moonlight-qt
        nicotine-plus
        qFlipper
        signal-desktop
@ -67,6 +57,7 @@ in {
        wireshark
        # nheko # Has insecure olm dependency
        handbrake
+        feishin
        redfishtool
      ]);
  };
--- a/machines/warwick/configuration.nix
+++ b/machines/warwick/configuration.nix
@ -3,9 +3,7 @@
  config,
  inputs,
  ...
-}: let
-  gatusPort = 8080;
-in {
+}: {
  imports = [inputs.nixos-hardware.nixosModules.raspberry-pi-4];

  config = {
@ -37,289 +35,5 @@ in {
      fsType = "ext4";
      options = ["noatime"];
    };
-
-    networking.firewall.allowedTCPPorts = [gatusPort];
-
-    services.gatus = {
-      enable = true;
-      environmentFile = config.sops.secrets."gatus/env".path;
-
-      settings = {
-        maintenance = {
-          start = "00:00";
-          duration = "5h";
-          timezone = "Europe/Amsterdam";
-        };
-
-        alerting = let
-          default-alert = {
-            enabled = true;
-            failure-threshold = 2;
-            success-threshold = 1;
-            send-on-resolved = true;
-          };
-        in {
-          email = {
-            from = "gatus@kun.is";
-            host = "mail.smtp2go.com";
-            port = 2525;
-            to = "pim@kunis.nl";
-            client.insecure = true;
-            username = "$SMTP_USERNAME";
-            password = "$SMTP_PASSWORD";
-            click = "http://warwick:${toString gatusPort}";
-            inherit default-alert;
-          };
-
-          ntfy = {
-            url = "https://ntfy.kun.is";
-            token = "$NTFY_ACCESS_TOKEN";
-            topic = "gatus";
-            inherit default-alert;
-          };
-        };
-
-        web.port = gatusPort;
-        endpoints = let
-          status = code: "[STATUS] == ${toString code}";
-          bodyContains = text: "[BODY] == pat(*${text}*)";
-          maxResponseTime = ms: "[RESPONSE_TIME] < ${toString ms}";
-          serviceEndpoints = [
-            {
-              name = "Blog";
-              url = "https://pim.kun.is";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Cyberchef";
-              url = "https://cyberchef.kun.is";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                (bodyContains "CyberChef - The Cyber Swiss Army Knife")
-              ];
-            }
-            {
-              name = "HedgeDoc";
-              url = "https://md.kun.is/status";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                "[BODY].notesCount > 0"
-              ];
-            }
-            {
-              name = "Forgejo";
-              url = "https://git.kun.is";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                (bodyContains "Forgejo: Beyond coding. We forge.")
-              ];
-            }
-            {
-              name = "Authentik";
-              url = "https://authentik.kun.is/-/health/live/";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Ntfy";
-              url = "https://ntfy.kun.is";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Jellyfin";
-              url = "https://media.kun.is/health";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Attic";
-              url = "https://attic.kun.is";
-              conditions = [
-                (status 200)
-                (bodyContains "attic push")
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Esrom";
-              url = "https://esrom.kun.is/seinlamp";
-              conditions = [
-                (status 200)
-                (bodyContains "Welcome to")
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Atuin";
-              url = "https://atuin.kun.is";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                "[BODY].total_history > 0"
-              ];
-            }
-            {
-              name = "KitchenOwl";
-              url = "https://boodschappen.kun.is";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                (bodyContains "<title>KitchenOwl</title>")
-              ];
-            }
-            {
-              name = "Inbucket";
-              url = "https://inbucket.griffin-mermaid.ts.net/status";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "FreshRSS";
-              url = "https://freshrss.griffin-mermaid.ts.net/i";
-              conditions = [
-                (status 401)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Paperless-ngx";
-              url = "https://paperless.griffin-mermaid.ts.net/accounts/login/";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                (bodyContains "Please sign in.")
-              ];
-            }
-            {
-              name = "Jellyseerr";
-              url = "https://jellyseerr.griffin-mermaid.ts.net/login";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Radarr";
-              url = "https://radarr.griffin-mermaid.ts.net";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Sonarr";
-              url = "https://sonarr.griffin-mermaid.ts.net/login";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Bazarr";
-              url = "https://bazarr.griffin-mermaid.ts.net/system/status";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                (bodyContains "<title>Bazarr</title>")
-              ];
-            }
-            {
-              name = "Prowlarr";
-              url = "https://prowlarr.griffin-mermaid.ts.net/login";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Deluge";
-              url = "https://deluge.griffin-mermaid.ts.net";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "SyncThing";
-              url = "https://syncthing.griffin-mermaid.ts.net/";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-              ];
-            }
-            {
-              name = "Radicale";
-              url = "https://radicale.griffin-mermaid.ts.net/.web/";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                (bodyContains "Sign in")
-              ];
-            }
-            {
-              name = "Nextcloud";
-              url = "https://nextcloud.griffin-mermaid.ts.net/status.php";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                "[BODY].installed == true"
-                "[BODY].maintenance == false"
-                "[BODY].needsDbUpgrade == false"
-              ];
-            }
-            {
-              name = "kms";
-              url = "tcp://kms.kun.is:1688";
-              conditions = [
-                "[CONNECTED] == true"
-              ];
-            }
-            {
-              name = "BIND";
-              url = "192.168.30.134";
-              dns = {
-                query-type = "SOA";
-                query-name = "kun.is";
-              };
-              conditions = [
-                "[DNS_RCODE] == NOERROR"
-              ];
-            }
-            {
-              name = "Immich";
-              url = "https://immich.griffin-mermaid.ts.net";
-              conditions = [
-                (status 200)
-                (maxResponseTime 300)
-                (bodyContains "To use Immich, you must enable JavaScript or use a JavaScript compatible browser.")
-              ];
-            }
-          ];
-        in
-          map
-          (endpoint:
-            endpoint
-            // {
-              interval = "5m";
-              alerts = [{type = "email";} {type = "ntfy";}];
-            })
-          serviceEndpoints;
-      };
-    };
  };
 }
--- a/machines/warwick/facter.json
+++ b/machines/warwick/facter.json
--- a/nixos-configurations.nix
+++ b/nixos-configurations.nix
@ -3,7 +3,7 @@ inputs @ {
  self,
  ...
 }: {
-  nixosConfigurations = nixpkgs.lib.mapAttrs (_: {
+  nixosConfigurations = nixpkgs.lib.mapAttrs (name: {
    system,
    nixosModule,
  }:
--- a/nixos/backups-ng.nix
+++ b/nixos/backups-ng.nix
@ -1,75 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}: let
-  borgBackupOpts = {
-    options = {
-      paths = lib.mkOption {
-        type = with lib.types; listOf str;
-      };
-      scaleDeployments = lib.mkOption {
-        type = lib.types.bool;
-        default = true;
-      };
-      deploymentName = lib.mkOption {
-        type = lib.types.str;
-      };
-      deploymentNamespace = lib.mkOption {
-        type = lib.types.str;
-      };
-      replicaCount = lib.mkOption {
-        type = lib.types.int;
-        default = 1;
-      };
-    };
-  };
-in {
-  options.pim.backups = {
-    borgBackups = lib.mkOption {
-      type = with lib.types; attrsOf (submodule borgBackupOpts);
-      default = {};
-    };
-  };
-
-  # TODO: should have some timeout and alerting?
-  config = {
-    services.borgbackup.jobs =
-      lib.mapAttrs (name: c: let
-        preHook = ''
-          ${pkgs.k3s}/bin/kubectl scale deployment -n ${c.deploymentNamespace} ${c.deploymentName} --replicas=0
-
-          while [ -n "$(${pkgs.k3s}/bin/kubectl get deployment -n ${c.deploymentNamespace} ${c.deploymentName} -o jsonpath='{.status.replicas}')" ]; do
-            echo "Waiting for replicas to scale down to 0..."
-            sleep 2
-          done
-        '';
-        postHook = "${pkgs.k3s}/bin/kubectl scale deployment -n ${c.deploymentNamespace} ${c.deploymentName} --replicas=${toString c.replicaCount}";
-      in {
-        inherit (c) paths;
-        repo = "ssh://w553a7cb@w553a7cb.repo.borgbase.com/./repo";
-        startAt = "*-*-* 00:00:00";
-        # TODO: low benefit, but we could set borgbase's host keys here as they are published online.
-        environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
-        postHook = lib.mkIf c.scaleDeployments postHook;
-        archiveBaseName = name;
-
-        prune.keep = {
-          within = "7d";
-          weekly = 4;
-          monthly = 6;
-        };
-
-        preHook = lib.mkIf c.scaleDeployments preHook;
-
-        encryption = {
-          passCommand = "cat ${config.sops.secrets."borg/borgPassphrase".path}";
-          mode = "repokey-blake2";
-        };
-      })
-      config.pim.backups.borgBackups;
-
-    systemd.timers = lib.mapAttrs' (name: _c: lib.nameValuePair "borgbackup-job-${name}" {timerConfig.RandomizedDelaySec = "5h";}) config.pim.backups.borgBackups;
-  };
-}
--- a/nixos/backups.nix
+++ b/nixos/backups.nix
@ -0,0 +1,94 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.pim.backups;
+
+  borgmaticConfig = pkgs.writeTextFile {
+    name = "borgmatic-config.yaml";
+
+    text = lib.generators.toYAML {} {
+      source_directories = ["/mnt/longhorn/persistent/longhorn-backup"];
+
+      repositories = [
+        {
+          path = cfg.repoLocation;
+          label = "nfs";
+        }
+        {
+          path = "ssh://s6969ym3@s6969ym3.repo.borgbase.com/./repo";
+          label = "borgbase";
+        }
+      ];
+
+      ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
+      keep_daily = 7;
+      keep_weekly = 4;
+      keep_monthly = 12;
+      keep_yearly = -1;
+      encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/borgPassphrase".path}";
+    };
+  };
+in {
+  options.pim.backups = {
+    enable = lib.mkOption {
+      default = false;
+      type = lib.types.bool;
+      description = ''
+        Whether to enable backups of persistent data on this machine.
+      '';
+    };
+
+    repoLocation = lib.mkOption {
+      default = "/mnt/longhorn/persistent/nfs.borg";
+      type = lib.types.str;
+      description = ''
+        Location of the Borg repository to back up to.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [borgbackup];
+    # Converted from:
+    # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
+    systemd.services.borgmatic = {
+      description = "borgmatic backup";
+      wants = ["network-online.target"];
+      after = ["network-online.target"];
+      unitConfig.ConditionACPower = true;
+      preStart = "${pkgs.coreutils}/bin/sleep 10s";
+
+      serviceConfig = {
+        Type = "oneshot";
+        Nice = 19;
+        CPUSchedulingPolicy = "batch";
+        IOSchedulingClass = "best-effort";
+        IOSchedulingPriority = 7;
+        IOWeight = 100;
+        Restart = "no";
+        LogRateLimitIntervalSec = 0;
+        Environment = "BORG_PASSPHRASE_FILE=${config.sops.secrets."borg/borgPassphrase".path}";
+      };
+
+      script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
+    };
+
+    systemd.timers.borgmatic = {
+      description = "Run borgmatic backup";
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnCalendar = "*-*-* 3:00:00";
+        Persistent = true;
+        RandomizedDelaySec = "1h";
+      };
+    };
+
+    sops.secrets = {
+      "borg/borgPassphrase" = {};
+      "borg/borgbasePrivateKey" = {};
+    };
+  };
+}
--- a/nixos/cinnamon.nix
+++ b/nixos/cinnamon.nix
@ -0,0 +1,24 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.pim.cinnamon;
+in {
+  options.pim.cinnamon.enable = lib.mkEnableOption "cinnamon";
+  config = lib.mkIf cfg.enable {
+    services = {
+      displayManager.defaultSession = "cinnamon";
+      libinput.enable = true;
+      xserver = {
+        desktopManager.cinnamon.enable = true;
+        displayManager.lightdm.enable = true;
+      };
+    };
+
+    environment.cinnamon.excludePackages = [
+      pkgs.gnome-terminal
+    ];
+  };
+}
--- a/nixos/compliance.nix
+++ b/nixos/compliance.nix
@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.pim.compliance;
+in {
+  options.pim.compliance.enable = lib.mkEnableOption "compliance";
+  config = lib.mkIf cfg.enable {
+    services.clamav = {
+      daemon.enable = true;
+    };
+  };
+}
--- a/nixos/data-sharing.nix
+++ b/nixos/data-sharing.nix
@ -0,0 +1,47 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.pim.data-sharing;
+
+  nfsShares = [
+    "/mnt/longhorn/persistent/media"
+    "/mnt/longhorn/persistent/media/books"
+    "/mnt/longhorn/persistent/media/movies"
+    "/mnt/longhorn/persistent/media/music"
+    "/mnt/longhorn/persistent/media/shows"
+    "/mnt/longhorn/persistent/longhorn-backup"
+  ];
+
+  nfsExports = lib.strings.concatLines (
+    builtins.map
+    (
+      share: "${share} 192.168.30.0/16(rw,sync,no_subtree_check,no_root_squash) 127.0.0.1/8(rw,sync,no_subtree_check,no_root_squash) 10.0.0.0/8(rw,sync,no_subtree_check,no_root_squash)"
+    )
+    nfsShares
+  );
+in {
+  options.pim.data-sharing = {
+    enable = lib.mkOption {
+      default = false;
+      type = lib.types.bool;
+      description = ''
+        Configure this server to serve our data using NFS.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      2049 # NFS
+      111 # NFS
+      20048 # NFS
+    ];
+
+    services.nfs.server = {
+      enable = true;
+      exports = nfsExports;
+    };
+  };
+}
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -18,12 +18,15 @@
    ./stylix.nix
    ./wireguard.nix
    ./gnome.nix
+    ./compliance.nix
+    ./cinnamon.nix
    ./ssh.nix
    ./desktop.nix
    ./server.nix
    ./prometheus.nix
    ./kubernetes
-    ./backups-ng.nix
+    ./data-sharing.nix
+    ./backups.nix
  ];

  options = {
@ -42,6 +45,7 @@

  config = {
    time.timeZone = "Europe/Amsterdam";
+    hardware.pulseaudio.enable = false;
    sops.age.keyFile = "/root/.config/sops/age/keys.txt";

    i18n = {
@ -93,7 +97,6 @@
      xserver.excludePackages = [pkgs.xterm];
      printing.drivers = [pkgs.hplip pkgs.gutenprint];
      tailscale.enable = true;
-      pulseaudio.enable = false;

      pipewire = {
        alsa.enable = true;
@ -125,8 +128,6 @@
        ncdu
        lshw
        sops
-        nix-tree
-        fd
      ];
    };

@ -145,8 +146,7 @@
    };

    nix = {
-      package = lib.mkDefault pkgs.nixVersions.stable;
-      channel.enable = false;
+      package = pkgs.nixVersions.stable;

      extraOptions = ''
        experimental-features = nix-command flakes
@ -170,6 +170,8 @@
    };

    nixpkgs = {
+      # hostPlatform = lib.mkDefault "x86_64-linux";
+
      config = {
        allowUnfreePredicate = pkg:
          builtins.elem (lib.getName pkg) [
@ -179,16 +181,11 @@
            "steam-run"
            "steam-unwrapped"
          ];
-
-        permittedInsecurePackages = [
-          "electron-33.4.11"
-        ];
      };

      overlays = [
-        inputs.nur.overlays.default
-        (_final: _prev: {
-          inherit (inputs.nixpkgs-oldstable.legacyPackages.x86_64-linux) containerd;
+        inputs.nur.overlay
+        (final: _prev: {
          unstable = import inputs.nixpkgs-unstable {
            inherit (pkgs) system;
            config.allowUnfree = true;
@ -197,13 +194,9 @@
      ];
    };

-    boot = {
-      kernelPackages = pkgs.linuxKernel.packages.linux_6_14;
-
-      kernel.sysctl = {
-        "net.core.default_qdisc" = "fq";
-        "net.ipv4.tcp_congestion_control" = "bbr";
-      };
+    boot.kernel.sysctl = {
+      "net.core.default_qdisc" = "fq";
+      "net.ipv4.tcp_congestion_control" = "bbr";
    };

    home-manager = {
--- a/nixos/desktop.nix
+++ b/nixos/desktop.nix
@ -6,11 +6,6 @@
  config = lib.mkIf (builtins.elem "desktop" config.deployment.tags) {
    programs.ssh.startAgent = true;

-    hardware.graphics = {
-      enable = true;
-      enable32Bit = true;
-    };
-
    services = {
      xserver.enable = true;
      printing.enable = true;
--- a/nixos/kubernetes/k3s/default.nix
+++ b/nixos/kubernetes/k3s/default.nix
@ -46,6 +46,8 @@ in {
  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      k3s
+      openiscsi # Required for Longhorn
+      nfs-utils # Required for Longhorn
    ];

    # TODO!!!!!
@ -119,13 +121,27 @@ in {
        serverFlags = builtins.concatStringsSep " " serverFlagList;
      in {
        enable = true;
-        inherit (cfg) role clusterInit;
+        role = cfg.role;
        tokenFile = config.sops.secrets."k3s/serverToken".path;
        extraFlags = lib.mkIf (cfg.role == "server") (lib.mkForce serverFlags);
+        clusterInit = cfg.clusterInit;
        serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr;
      };
+
+      # Required for Longhorn
+      openiscsi = {
+        enable = true;
+        name = "iqn.2016-04.com.open-iscsi:${config.networking.fqdn}";
+      };
    };

+    # HACK: Symlink binaries to /usr/local/bin such that Longhorn can find them
+    # when they use nsenter.
+    # https://github.com/longhorn/longhorn/issues/2166#issuecomment-1740179416
+    systemd.tmpfiles.rules = [
+      "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
+    ];
+
    system.activationScripts = {
      k3s-bootstrap = lib.mkIf (cfg.role == "server") {
        text = (
--- a/nixos/prometheus.nix
+++ b/nixos/prometheus.nix
@ -12,39 +12,42 @@
    services.prometheus = {
      enable = true;

-      scrapeConfigs = let
-        node = {
-          job_name = "node";
-          static_configs = [
-            {
-              targets = lib.pipe nodes [
-                (lib.filterAttrs (_name: node: node.config.services.prometheus.exporters.node.enable))
-                (lib.attrsets.mapAttrsToList
-                  (_name: node: "${node.config.networking.fqdn}:${toString node.config.services.prometheus.exporters.node.port}"))
-              ];
-            }
+      scrapeConfigs = (
+        let
+          generated = lib.pipe nodes [
+            (lib.filterAttrs (name: node: node.config.services.prometheus.exporters.node.enable))
+            (lib.attrsets.mapAttrsToList
+              (name: node: {
+                job_name = name;
+                static_configs = [
+                  {
+                    targets = ["${node.config.networking.fqdn}:${toString node.config.services.prometheus.exporters.node.port}"];
+                  }
+                ];
+              }))
          ];
-        };

-        pikvm = {
-          job_name = "pikvm";
-          metrics_path = "/api/export/prometheus/metrics";
-          scheme = "https";
-          tls_config.insecure_skip_verify = true;
+          pikvm = {
+            job_name = "pikvm";
+            metrics_path = "/api/export/prometheus/metrics";
+            scheme = "https";
+            tls_config.insecure_skip_verify = true;

-          # We don't care about security here, it's behind a VPN.
-          basic_auth = {
-            username = "admin";
-            password = "admin";
+            # We don't care about security here, it's behind a VPN.
+            basic_auth = {
+              username = "admin";
+              password = "admin";
+            };
+
+            static_configs = [
+              {
+                targets = ["pikvm.dmz"];
+              }
+            ];
          };
-
-          static_configs = [
-            {
-              targets = ["pikvm.dmz"];
-            }
-          ];
-        };
-      in [node pikvm];
+        in
+          generated ++ [pikvm]
+      );
    };

    services.nginx = {
--- a/nixos/server.nix
+++ b/nixos/server.nix
@ -2,7 +2,6 @@
  lib,
  config,
  self,
-  pkgs,
  ...
 }: {
  options.pim.tailscale.advertiseExitNode = lib.mkOption {
@ -11,8 +10,6 @@
  };

  config = lib.mkIf (builtins.elem "server" config.deployment.tags) {
-    environment.systemPackages = [pkgs.unar];
-
    networking = {
      firewall.allowedTCPPorts = [config.services.prometheus.exporters.node.port];
      domain = "dmz";
@ -55,11 +52,7 @@

        extraUpFlags =
          [
-            (
-              if builtins.elem "kubernetes" config.deployment.tags
-              then "--accept-dns=false"
-              else "--accept-dns=true"
-            )
+            "--accept-dns=false"
            "--hostname=${config.networking.hostName}"
          ]
          ++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-exit-node"
@ -67,11 +60,8 @@
      };
    };

-    sops.secrets = {
-      "tailscale/authKey".sopsFile = "${self}/secrets/servers.yaml";
-      "borg/borgPassphrase".sopsFile = "${self}/secrets/servers.yaml";
-      "borg/borgbasePrivateKey".sopsFile = "${self}/secrets/servers.yaml";
-      "gatus/env".sopsFile = "${self}/secrets/servers.yaml";
+    sops.secrets."tailscale/authKey" = {
+      sopsFile = "${self}/secrets/servers.yaml";
    };
  };
 }
--- a/nixos/stylix.nix
+++ b/nixos/stylix.nix
@ -19,11 +19,6 @@ in {
        enable = true;
        base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-dark-medium.yaml";

-        # targets = {
-        #   firefox.profileNames = ["default"];
-        #   librewolf.profileNames = ["default"];
-        # };
-
        cursor = {
          package = pkgs.bibata-cursors;
          name = "Bibata-Modern-Classic";
@ -31,7 +26,10 @@ in {
        };

        fonts = {
-          monospace.package = pkgs.nerd-fonts.jetbrains-mono;
+          monospace = {
+            package = pkgs.nerdfonts.override {fonts = ["JetBrainsMono"];};
+            name = "JetBrainsMono Nerd Font Mono";
+          };

          sansSerif = {
            package = pkgs.dejavu_fonts;
--- a/nixos/tidal.nix
+++ b/nixos/tidal.nix
@ -5,7 +5,6 @@
 }: let
  cfg = config.pim.tidal;
 in {
-  # TODO: this is bad and broken
  options.pim.tidal.enable = lib.mkEnableOption "tidal";

  config = lib.mkIf cfg.enable {
--- a/nixos/wireguard.nix
+++ b/nixos/wireguard.nix
@ -15,16 +15,32 @@ in {
      wg-quick.interfaces = {
        home = {
          privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
-          address = ["10.225.191.7/24" "5ee:bad:c0de::7/128"];
-          dns = ["10.225.191.1"];
+          address = ["10.225.191.4/24"];
+          dns = ["192.168.30.131"];
          autostart = false;
          mtu = 1412;
          peers = [
            {
              presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
              endpoint = "wg.kun.is:51820";
-              publicKey = "1+gTBx8ghAt/BJICtgUKMKu52rufxuM6e46MN2g0Dlc=";
-              allowedIPs = ["0.0.0.0/0" "::/0"];
+              publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
+              allowedIPs = ["0.0.0.0/0"];
+            }
+          ];
+        };
+
+        home-no-pihole = {
+          privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
+          address = ["10.225.191.4/24"];
+          dns = ["192.168.10.1"];
+          autostart = false;
+          mtu = 1412;
+          peers = [
+            {
+              presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
+              endpoint = "wg.kun.is:51820";
+              publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
+              allowedIPs = ["0.0.0.0/0"];
            }
          ];
        };
--- a/packages.nix
+++ b/packages.nix
@ -2,129 +2,12 @@
  nixpkgs,
  flake-utils,
  treefmt-nix,
-  nvf,
  ...
 }:
 flake-utils.lib.eachDefaultSystem (system: let
  pkgs = nixpkgs.legacyPackages.${system};
  treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
  treefmtWrapper = treefmtEval.config.build.wrapper;
-  neovimConfigured = nvf.lib.neovimConfiguration {
-    inherit pkgs;
-    modules = [
-      {
-        config.vim = {
-          preventJunkFiles = true;
-          telescope.enable = true;
-          autopairs.nvim-autopairs.enable = true;
-          autocomplete.nvim-cmp.enable = true;
-          snippets.luasnip.enable = true;
-          filetree.neo-tree.enable = true;
-          tabline.nvimBufferline.enable = true;
-          dashboard.alpha.enable = true;
-          notify.nvim-notify.enable = true;
-          projects.project-nvim.enable = true;
-          comments.comment-nvim.enable = true;
-          extraPlugins.vim-sleuth.package = pkgs.vimPlugins.vim-sleuth;
-
-          keymaps = [
-            {
-              key = "<C-e>";
-              mode = ["n"];
-              action = ":Neotree toggle<CR>";
-              silent = true;
-              desc = "Toggle Neotree";
-            }
-          ];
-
-          lsp = {
-            enable = true;
-            formatOnSave = true;
-            lightbulb.enable = true;
-            trouble.enable = true;
-            lspSignature.enable = true;
-            otter-nvim.enable = true;
-          };
-
-          languages = {
-            enableFormat = true;
-            enableTreesitter = true;
-            enableExtraDiagnostics = true;
-            nix.enable = true;
-            markdown.enable = true;
-            bash.enable = true;
-            clang.enable = true;
-            css.enable = true;
-            html.enable = true;
-            sql.enable = true;
-            go.enable = true;
-            python.enable = true;
-
-            rust = {
-              enable = true;
-              crates.enable = true;
-            };
-          };
-
-          visuals = {
-            nvim-web-devicons.enable = true;
-            cinnamon-nvim.enable = true;
-            fidget-nvim.enable = true;
-            highlight-undo.enable = true;
-            cellular-automaton.enable = true;
-          };
-
-          statusline.lualine = {
-            enable = true;
-            theme = "gruvbox";
-          };
-
-          theme = {
-            enable = true;
-            name = "gruvbox";
-            style = "dark";
-            transparent = false;
-          };
-
-          binds = {
-            whichKey.enable = true;
-            cheatsheet.enable = true;
-          };
-
-          git = {
-            enable = true;
-            gitsigns.enable = true;
-          };
-
-          utility = {
-            surround.enable = true;
-            diffview-nvim.enable = true;
-
-            motion = {
-              hop.enable = true;
-              leap.enable = true;
-            };
-          };
-
-          terminal.toggleterm = {
-            enable = true;
-            lazygit.enable = true;
-          };
-
-          ui = {
-            borders.enable = true;
-            noice.enable = true;
-            colorizer.enable = true;
-            smartcolumn.enable = true;
-            fastaction.enable = true;
-          };
-        };
-      }
-    ];
-  };
 in {
-  packages = {
-    formatter = treefmtWrapper;
-    inherit (neovimConfigured) neovim;
-  };
+  packages.formatter = treefmtWrapper;
 })
--- a/secrets/blocktech/nixos.yaml
+++ b/secrets/blocktech/nixos.yaml
@ -1,19 +0,0 @@
-wireguard:
-    home:
-        presharedKey: ENC[AES256_GCM,data:ayLbDjTDMnLNr5v7hDVtV2iCQ4/VMXk6qWpp2CjJI+NCIMxUOb2Ozd+6hMs=,iv:jkfYVgJebkbRFXfUMefn6A1+rkQW/md13rpoaJKCdik=,tag:itsm94ieGagpoiPqfyNGcQ==,type:str]
-        privateKey: ENC[AES256_GCM,data:DkVLF6YZsNYEMS7pKK5BWPxgcar2Bv8U/Nk9Wssktbfvt60vqa4YBCnO314=,iv:PZ6adaCeEXhodO2k5O2E1GRLLajyE3aMzUtWYPfsDZM=,tag:d4EMsDlPiOvTHOMIktVV5A==,type:str]
-sops:
-    age:
-        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWEc5K3p3QytpZ1pxeEJy
-            TUtENXdnT3ZJUGNXaHo0ZktwK21OMVJmNzA4CjdlMUtWY2hBc3U1UVZQZEllK2xC
-            NGZSK2VyQVdBRmZYejBWM0FIeFE5K2MKLS0tIEQ3MHhOcW92dlo4NUdBdFlKdEM0
-            N1Rab3RNZ00vd0xPOVBYRHphaldWU1EKNKnKPWO1l8NwWXG2e15Y3td9I0rN9Wwn
-            QdoeVf2+cPJOO5g9stZpl2DBF3QxJojt+dQhwjuEbP9nQtlVQPAlMQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-02T19:43:11Z"
-    mac: ENC[AES256_GCM,data:GtaZa2Ce0rr6c5rB+u2q8R8y0zDfNRbFesEnbSaQlxGjXF/6tzEfARbMhVjpjrUn7HCvNK3dbtm5QtCOFqtjyUkbS5NoelH9fdNj1SqzITuhLynxwldfkWpo0TpDf0MA3OjzxPhQz9FiIN58d94wCEhS4ma3yyPq0kvNmYopQN0=,iv:nmtkdSnSwKGNlantq6aWBQMySpkRMJ+cxdEji46DL5I=,tag:Ix0EnzWJXZzyNR4FQx5Rag==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
--- a/secrets/gamepc/pim.yaml
+++ b/secrets/gamepc/pim.yaml
@ -1,3 +1,4 @@
+sunshine_credentials: ENC[AES256_GCM,data:P1sttD3H65DQje+Cs5CVLqvhtXWtoBgu/TBZ3WFIWqErRKtKa31V2lLrgixrty4TVM5qq06zE5z3lQ78ZAHLNh80jMPvoAcCqTXXoWwIYwdHJT0iG09f0ZfpiVTZU4MuCn0uuaJ6873AYe60siZW8uFntu3v230izoAqY9Ex+BzIOOliuqrnIRzdw06TCrrBTJUr,iv:WZqkSZOsiCWx7VPuTDA1Js1DcHZLK9YLDxTQ2nVlFQ8=,tag:iJ6bSofnPWWm7B+VPm+MyQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
--- a/secrets/jefke/colmena.yaml
+++ b/secrets/jefke/colmena.yaml
@ -0,0 +1,40 @@
+sops_nix_keys:
+    root: ENC[AES256_GCM,data:BvaIcGQhrYyq+2OA4r1n8Jg5NS6RZXFarzcOGAlRMpYZSJkP3x4difJgorSGEqufRxKtm2aboLWmyTSso1EXxcICb0B+RRLXIJc=,iv:eLPkpCnS7qr8/nu/xKU1qPx9BIMrWUNtqbeDeeNohJw=,tag:4EljW04w9qM4xx2xHzVzxA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIenFvSVdyZ3kxSXMwdnha
+            MTNyT2RUTTh3OHkrSFpzYkhmSW81aEx6MURJClpoQVNWTXI3d0F0aEgwSjJJZTVK
+            aEZFSFJ1OXRsUjVvM0dWZFlwcEYyYlEKLS0tIEgyUHU5RkdldUUrNnhZTHFQaG0w
+            TkFXcGNURFo0d1U1UXZ5a2pwMHRtMmsKODDUjZ+PdbmTMYKfmHNqG2t7FG6ItdRA
+            A+usHM6Y/fwwN1j4+Uszcy69874XhVMOFXkcODmf/12RRpHNuI2W/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSjY1WXMwcHhmY0xFMVFx
+            WFhiUmN1VGh1NGIyQ0ViRDh1ME1nVStTYVJzCm1wMHhHcWhNdXlENGlNVnJnbmND
+            MlB4T3NvRDJhRzFTU28wUDdKY3c5NkUKLS0tIHh6VUxqRUxWYlZ4eWtQby9DRVZp
+            UjdxZGF6dEIzQXR0eGNiQUh4bjZjSVkKZfMdF9BuvVQQbKloZ57WJXYzpUFfwB/5
+            Hsdr5DySNaObp/gkddAIB6y79ogx/pl8jV58/ptYKEVk4rq+ga5NJg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYMHRrejBrcU55bHAvd0tL
+            ajNkT0N3SmcyaVZEbXB5ZXpRbHk5cVF2Y0N3CitBa2x5N1FRNDg2SzlJKzhjeXBF
+            SXh3cWxiZnlINmtnY2hrb2lVOG5LSEkKLS0tIGhEREZnWHRnSUF5bjlmNHB1ZDZt
+            SW1jaG02MEZzTVV6OHQrWDNkcG1Oc3MK63Z6TyYvNus/+25GaSVDCNFajfdKDCtb
+            zgMKIpx9BsJH1NHfx711MwQVD1r5Vx0Tuwg7j6A6UdGOf2GdIhNiaA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-01T14:09:02Z"
+    mac: ENC[AES256_GCM,data:gO7uviWsVA28EmhJuc7M8/lrRdZPfsXsyCWHJEt6m5EofIk96Il0GAbcI5VNmbIPCjt5Ihlm6MFp7MHo0+6AnOseW53wgZy4jMdQ9JmdgL6Mw8kuqrxublOZD56TqmRDYdMZo5IYxgBZcRFQm7UfjEgAjp4cradcAv/vhbQNN7k=,iv:hcCJLD8zdLPQ2qcvknsJ7eENcjR0RNZbI9iIAqaMFZ0=,tag:AYROyHfhcE0dqfIMVkFM3w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/secrets/kubernetes.yaml
+++ b/secrets/kubernetes.yaml
@ -9,71 +9,67 @@ k3s:
            peerCAKey: ENC[AES256_GCM,data:guzHtQx+rn778FE3omR7h5VrFvMcR1pVeIRT19b6i1ZyfR1YLAEyzZU/gAiokb3XDNF+UcR2D0zR7ra9k7WcNtyHlskU7vctT2iURssexMS9XbbS3nlklx0utsqO1KKeuLI+bU+/cuf4zAYxoSKpO8NcqBhfTRlNu53IBF+mHZtSQ5BbWlOjvHiBXMxRMNiTRvzC0XlkSFOF7ERslWPkOWDkIuKv6Jd+LuQ3tnxIpjp4g9HSsmLlARf9IdVp9qpeZMXrnjfyLmbNABVYPL6XJHyMudYtzG+tpwW08Q6qKZy2KEw=,iv:tnGOwMyDQOXzguTh4pBJumpaV5ObgAT50qtPIu5u9O4=,tag:agUs9H7i7Mm5rAFj3eligw==,type:str]
            serverCAKey: ENC[AES256_GCM,data:S79OqkFK+z7+YecsH8Mdlel8+T50rhBnixfB9047uCZIIZ6LsxknGs1wkCAFPnymUVEzIIGW3lCog9xIvIWJSfV4wh2TMOetPGj95OBV0zQy4vdMhHHt2OV5+R6e262n0FwaQkn+kndPlVvnlPnFbkiQys0vO8GashWWddyBGQf6P/5TvYuJtz+qjW1FsrtjDTu77Vn85y7bYRENQ1o6sZxevftTHnEjSmvWHgcYey0TytkIYZpMHm1G1Up3+HtgiFAFDy1VtSv913El5W4EfLeRhV3B51ktG+SR0bxfMv/P+qU=,iv:UkWTAXYiaRqptN4PyCfMDot20Ln+/QkPIBSGabJSj+c=,tag:I056m8hcwNyOkoxsNRjYXw==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
    age:
        - recipient: age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBNUQwMFR5cTQ2UmFkQUdp
-            WEZGNHZnMWlLRVBhdEdzeERMc0JQL25ORzFRCnZqQTFiak9UTTlyVnZrOTVFbDJv
-            VUdCUXcwazhZelB6VDRCRWd1KzhjT1UKLS0tIEpyeGNHcjRNQWVBYS9YNzVEY3Vr
-            S1JMakx0VURKMFcyMXdheVhJeVJ3WG8KTRcEpMxIXVlVmh2u1+GIEWWPgR4ETK3W
-            t0ISYfu/7+SsVtkWDSydWlrXLjn6yiWG3qXBI7xVLszO56a6/dRklw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2anAraGp2YlNWZnNENWMw
+            WVFqMW4zQUl6UWNRK0lSVnNZMVl0SjJGdFJFCndyVnQwejFFWUxTQ0pmRnNDbUJK
+            VjM1ajl5cHhHN1A1cjdhdFhtcnVEcWMKLS0tIHNUQWx2endUUFNMUENUNjhvdDZl
+            Qk9yY0N5N05UZG4rcG5iS3NkR2hVaVUKxRS9Mf17cG8WyDdCLwpqPiMObbKCTz/4
+            iejyULwJNOBcl3Tvzgc9FANNZpC4UrO51HTCzQvmw9tBboVkEkLA0Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYL2xkV2FhTUp2ekFSOHpW
-            QnF6Y0xoRXFqd2R2Q1ZNYTE5Y1ptYTVHZG1zCjhwQk5pMXZDWVlVZitUSExvb3Vj
-            VEw3dVUxbmFJN1NrYU83bzhmL3UyZDQKLS0tIDQ4MUdQb2Y1Q2l6UHpXdWNFUUJs
-            WG5qdkVNWHBSN2lZd1UxY3o0NWdSYW8KtGdyCOGNnCsuDW+H2E6HBxwGUh6ZjkY2
-            Kc2W8kzxfsRLLzll2n61G2dG0Rg/oRwj2CKJR3PfCsrmK4RAdy2ogQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY1lJQ3BKSFhia0RUZFdV
+            dldKbmoxN1pwY2Z4V1VXNlY3cWE4cnJOYm5BCkNMc3hZbzF3RHlUMmdSRndMWDBy
+            eUFjOCtMaXZQY2R6N2RsRDNDNDhOZkkKLS0tIFVSRzFySG00VktGa1ZmYkx6Um1W
+            V25mbkcxQjhqb1cxa0hkTWlFNkVsS2sKbP1bqNh0DRiZtK3fXaZ4J1d2b+nYwFqQ
+            knwond7pkN9YBRsU4/HHtFCp1XPxRiNQCXXfzWy0X365VzON32huqQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTzIxSXJjRFExS1JocFNt
-            cm5TVWdYS2RsR3FVOWtyblJvOTgxSUlGdnpjClhhM2poSHZrK1QyMENqaTgrdlo4
-            bmw0ODlJWnByclZEZ3pmTE91QXRmcXMKLS0tIFJFbXJoZkM2Y2d1SERJeDFoVitm
-            Z3JySC9zRGl0MUQwZXdVajkwamxHVXMKoxxZjUpYyG3XqHNmDXv3SwMqdST74gK7
-            KvdWf65QRCX1M0bgg+5CKmd69fS6KkBqUvy/i/jNO57QHuGIL4/4Dg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age15qrzsk9t7uyuuy7m0xt3qzk3cmcsegt5wfe5zew4d8najwjnm30sfjc3pk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxS3d1YzVyRmZ1N042Vllw
-            VmFxUzBEeS9lTHoxSUpFVlRzWUxuaS9DRW1ZCmpCMEVxbGpvL2hueW16UlJuR0xw
-            MEF2RExSYWdIUDFtV3dBVnVsWGZ6VWcKLS0tIDNNV1V1UGVMNEc2SUtXMkZtQzcx
-            dURxSVdiMWdEOVpldUloRmhzUFVXeWMKaaOOD9i6HrhvqPICJRqSR454zFr0NAgP
-            5eYj00O9TVZwVzmjxd/tqecLKVDKeCelyHjKerQvAUy1TPVhRCxqCQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLL0xwbXNENzQ2N1BIZGZC
+            YzhMdFdyREpMQlRHaTZmRTllUnhEUm1lcm40Cmc3MzRheDYrQjgvaWVaZE1tNUp5
+            RTFZbXltV05lRDNBdVJ3VFEyeFlxQTgKLS0tIEx1ZG1IMHF5a25LZGlzWjNrZTJ1
+            c3VCWjRmKytyVzE1SzBlMXQvblptNmsKNnl6VQIBn2Gfkrlatf23kOMWW+1Ej2wv
+            O9Q8twttjPoTPx/9pWHOCNHmbnkabwi94lRujbXgIAQXUAL00n3M7Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTFlUSG0yNkZRRDlZMTZz
-            WUVTNEJTZkcwbURWY1NMcktNZDhHMFhyWlVNCnY2OEpzamxzNGR2OEY0a0NKRkQ0
-            NmgySjJIWUIxeGpRbUQ3c0JvcU5CSGMKLS0tIGZBcEl6dVRBNFh2c05QeW1ROWhl
-            MWdUS3lmREJGMFI3bUZzSzlsZ1loNjQKET1S0K1Rq8VeK1DfD0CFUI7Mewp+dDVQ
-            +TzooK5oDHD3RsUqN1zDILxH7Iz/+IZps/HigdpBVtEU6jmxANtCVA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTGdrWlE2SER5OUNjQWEw
+            MUdEZ3VJbCtwTytZU3ZWM3lNclJBUXhBdm5VCmRpQXNxVVV1cGxlMUJNa1lEcUdx
+            Qkt4clg1cVpOV0FhdEd6aEQ2ZkdlUTgKLS0tIGl3YWxjRlM0MHFncm5wdlpSeEdj
+            TkRSZmJyQmg2QnpYanZLVFRlWnowY3MKvM9kUm/F0vtQcwdnIKff3HWUtGbR2vmH
+            eOKnbOE5WMAWIi8oSR/uBMzE9lK2kyisby19XZUf5JcG4wS4YRlC1Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0OWxRVGdqYnc4YXF2UGI2
-            cERlbFJlUkloSkI1RFZuTlZyZnVVRmJCWDFzCnBqNDR5NWo4bGFGQ3Y1WkNTSFlh
-            WWU3dmZOVE4xcGpmZk1wSGxYVHYyNk0KLS0tIFAzaFI1T1djMDBCS0p5SE5UR1dK
-            eVZweUhBOXVoN21QQzNvbWFDU0VpTEkKpvI0Fy+ybDcasrT/IvIecMnr8kTKTFmV
-            +RC9+6+oSHCHScl3nVloA8ewAO3U4ChTvNKiHy0QAr5iT4BNtklxxQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZDhSMEw3RVcyQ2NmZkpD
+            bVp6SFpMckZmNGdoeCtzQVo0VDFEWkZ0dVUwClA2WVd5NG90MkVRZEUyeW9JaW1r
+            YVpJbEpDV0VCREFVMy9taFJBODlGWkUKLS0tIHN0eCtrNUM2K3VTaHNMWTRXUFA4
+            WEhTSHNtdE9qSVJVay93R2ZxeXI5SEkK7ZjIfQevnd1yyz8Ra9kBJb2DvlajgNEn
+            88JXgtSrxtiVfrCFUKEIsEV6v/fT7BECOGCYaoxskwgLgCZ9mL6sTA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SURHU2laa3k0TXhlMkZq
-            eXZOVWRxWVdsc0FKWFRUbUhmZDh2QVkxMVhzCklvTU5ReTA5MGNLcUsvTUlCWE90
-            S3l6dDJ5ajhSY0RGRnFCTldkeFhKOVEKLS0tIG9lUzJxRFNKUTRTcnd3cTlUbnNC
-            aFRKNlRXZTZEWllHeWNlTEJ3NUNXc00KHDPf+CN63UqMslALi8g5bjryE8TtTF5f
-            XPjlIt0jUm1EDIyFWTjeHwgmRaC6VBfO1qCNiELEUVWOHrpycqGQBg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyR2xBS291Q1lHc3UrT293
+            TlUvVnRxcUFHT01iNWJ5NFJtcVYyd3dLVFdnCjVqQlVLVzBEMlRFbjdDZkV2VWJa
+            c1RyKzh0S25VTk1wQ04xdEFCOHVySkEKLS0tIHkxMXJUbWxZNDU2VmFuRVpobUpF
+            djd1d01oTzh3WGNVaml1RWJ6alllQ3MKfiUTGCuQ0+6CbkRPFAKnIh2icOScNSVq
+            qbhQZVbF1zkTAACtJYRsw9LYhjK0QlT52fcLVuyWL9GRI5ZL6n3GRg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-01T11:24:36Z"
    mac: ENC[AES256_GCM,data:aQQPjSLHgvBPU0eZA95qFoRsklw3Jaj2N42DpKSheDoSJ5SwWV1GK0IJqkis71eBpMG9Mjn2wWj/1IdU1upRqfZU5dwNPdVXFb2+qPZyTkz1jhvBVTRGUNedd/L3t2a2nsaj5frZyzUPBELMs7n335pB9I36e+xOgTmA8OW3XAE=,iv:UI82ZmzcXtjO9fv2bSBZVVzNs7uvlopyxKXW+wBmNf8=,tag:HySaRX4Ihpnx+a8lASHicw==,type:str]
+    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/secrets/roeland/colmena.yaml
+++ b/secrets/roeland/colmena.yaml
@ -1,35 +0,0 @@
-sops_nix_keys:
-    root: ENC[AES256_GCM,data:+V4RZsyfGlaZokQ0LFxfbUuWuNnOGxdAkxerIgA+fnwdsz+3msXWPwAVcCsGM5PLRSGtJ5NhDPT2J7yVmB6RxVqaVHBsxHp5kPs=,iv:ooHX2MQfddREDyWanVtkBzJhf78s9gb6P73Qgn+db7M=,tag:+Ky7upH2Lph9IcnjAiSbJQ==,type:str]
-sops:
-    age:
-        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByc3JPZmlzeUFqU252bXAw
-            UFhEWk53V1VLVE5PMC9EeHlhZkdZcHhRbVJZClFObnhYVDBxS21HWWNoUWxrdXVj
-            RGY4T0djdmVSMXdrdG1iWTlDVTRkTDQKLS0tIFRNVTdJYmZjMkNLdUoyWXZFZkNn
-            ckdSTUdyWUtacDVMc3FPMTFQbGpSa0kKlo3KBNj4OIn4BepD7PTebBQVBjR+agxv
-            h0SE/t+0TTYcVe6Aq6l1w/IDFumpSmoNMYOyzkA4ABbqQy0WHkNfOA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVRE1OWUN5OTg4TTJaY0dy
-            eXJTVmpuTWVEQ2tGb1RKMlU5ZGlRMXo2enh3CnpTdTkyVG1wcGt6bkhoM3YwdTZG
-            K1llQVM4ajZXT1ZMU2dPSUI1NEQ2Tk0KLS0tIC83aVZQZFNsa3VnT2FlbGEya1Ir
-            WmJGeEh4QUg4bDk5U3dRNG1VaUthVjAKNiD5srj8mCy9QO4PwjdKR/Y4qyie04dQ
-            NOSpfDnVNKUF65oR4xr4B6eyQahctFt4yrk4IoYQBlG4N0zqE1bu2w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VFB6WDcwOVhqZWs5RDJ6
-            L0J4TXY2bWZDTmEwL3d1bGZLdzVuQi96Nm1BClc3WlBENkhwTW9PT1J1MHdtZ3pz
-            a2s2S3ZLS204MGZ2Tms1TGpPYnFOK0kKLS0tIFhFWFJDblBWQngwMTZDbWlIdGhJ
-            OFIwVUxQTlFsSldFRG5qdkJ3NWxEUGsKzUNf6dUX8CA6sD2P0blrvAyso4dnDcwi
-            4mE7veq3arjyd0qcvoNIifs8omM4jgE97zjQfY1AOTEgAlFykgqhzA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-05T14:18:20Z"
-    mac: ENC[AES256_GCM,data:5K+tBj8JFF2wY1bdzOc8nYThH39sYAmDGp/8gylINV6s87ROUy4XPdQhRGkd5y5BknGfIh8XnxrUmRvsf9t1FYSJwgPed0V/nU+Bl8cnMlzN87V5qgjbRKV8Aqd7fKm9SJKejdx3S7WoT2VLg6avc8PSOlqSaBVBjLp3F816XiA=,iv:GBLL+7MhfiGo4Alt6ffwlud4+ugeHAH8Yq5wXW9Book=,tag:xrQwBHTKMtWtycV279zxDg==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
--- a/secrets/servers.yaml
+++ b/secrets/servers.yaml
@ -1,85 +1,76 @@
 tailscale:
    authKey: ENC[AES256_GCM,data:3eXxQBY6AVqU4R1NlsyhGCfXW5wL58ODRH/f+zo5YFRad/ys1vB9JeKagq0SJSj/w4zxRAEpCf1o47Ypww==,iv:QklyIFuXlbH6cM/I0gqDH/Xeay9gqxqeyulQ7W/dbig=,tag:E/3UqtsfSVOi6otSlReO0Q==,type:str]
-borg:
-    borgPassphrase: ENC[AES256_GCM,data:UWA2sBLPi63MRVOPTYPWYLujF2M=,iv:FQq/IsZK7LWo30gZc7oT2E9feCLn7Oeg6wDGuezkhu8=,tag:fWYaZUwJrM8x6cemXzz6xg==,type:str]
-    borgbasePrivateKey: ENC[AES256_GCM,data:O7eIY1yvbnBTS96tt5a8vcOEOzit4tEbIHmxnSbNsowC7YNk2g6MShQ6ll86GDiunLY33/Px0bqq9+4z/dk4N3FWQ1v5KQjr/gh+CS8VpIrv9zLv+Ru9UzeWQusbYxqnCu/IAQ1aB8UGV2LSCesQ0r/B6XEe51Phi65uWkbUYa/8voSiws3T3hnNrUDqiHdzfBgWZIQszz7zD92Q+aXu/kGNSxVKbXjWVfqBiyDEtuLEWoC1eENeEs41Ov5YT0Lm6+CUWadPqEwkDSvZWnBhoPwPLTZ/+ftZ/nizXUujsTdRwjcbOwJER+ObhgWDxbJE2WifxFOmHt3ggfSmAN842u5PjfT5gqpXMlTdCwYAYEJvDMqGsADe4p7+vPWJbetaahFrFGN8uBw7rs7W2wIiUKB5bAbAG0o6hdTpWfysuzMOFK/fROvCJsNhhKbbdiQbI0+SogtCkwv69+3uaRTFi33uqKCO6PQ6rMIahjo1lutm9iWq2nX4oI40W1KPC6EU/wF2,iv:rzkjjSnyrs58ZEO8XLsCSFsPHbtnL39SF6NJ6lUg3Ww=,tag:q0sunVc+9bLFoSdeykuT6g==,type:str]
-gatus:
-    env: ENC[AES256_GCM,data:HKZFD9yKUxUl42ucUvV/i6gzzIkQ9zlUQ1p06ImRwW0T/DIOHp6G2QHlWr60Q5Xc9HWfVCSNby5Su5DLAso3pX/a+b4CoG7q4pRhekVNQwcDYVWzfek33onDLtAhL/AUVLfT1m3LXFR1xBJc87lbP/KWG4IEYI5+ZVgQXKC47HVADXE=,iv:EbiHksIFeG6j90fdAACnD5ukalI58So5DV9ztytR5p8=,tag:OLDa4NOpYs+UWLMlndEqow==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
    age:
        - recipient: age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnazB6cTFiNHVrWXBuQjk2
-            NmYxT0FldVE5Qk8rMkRrdHlFeUFPYlJKUkNRCmpGMVpyVmgrVDZ5R0pZQVNraFht
-            enRUSU81eG5ZOGQ5TVVKUkp0NGs4cWcKLS0tIDBJczllVVRJQ3UyVEs2UlRyalJa
-            RTZKdTU4QjNxWFpYYzBmZ2o4QWhuY1UKR2L8Og8LIXlAyiseRbexCn2S67y549Lx
-            Fi78+c5Kn+FDep6GDpaO/cGzFyJ1cG3OX3nT9KdRiGiNg54dOH31DQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBielJoNjNXQW9SRDY1dE9y
+            akw5M2hTSkgvbWJxaGZqZnNsdGVhVWFlRnkwCmN6bDRYclJNY2d5NVJvcllCdjhu
+            UkJxMDRyMmFMc3hQVUp3Q2RKRDJaN3cKLS0tIHlFV21zZ3RNYW10UTQ0SmdBbVpG
+            TFI2eVorL3BCYUZpcGNCU21mcHpBNXMK0JBvnhT2fNNWfLcXFYbelee5OlkCrRyv
+            ZHKawtyH60g1nUB+AQqneUJhiYH0UJ40Ttz06rVyzOYUCV8M6tghsQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1unkshctcpucc298kmw9a0qzvtjzgdnjytrxr5p750dv0z95feymqpn68qf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5U0IvTnJwUEdqM0tXV3h4
-            WllxZHBEblNoMmRub1FCaldJTlgwMDBUYVhrCm1iSmVFK2NTU2tjazdwdnIxT2xT
-            ZWJ0cm9qZURrUnZaWnJVRkIvZ3pJbFkKLS0tIEFsbDJaT3piUENuVHJPNkFuSVhO
-            VDFQcnBiMjNyQUFjdTJGZk92R1cydTQKlodgshGR87gz+qhrBFzmFZ2iKy4yPVWk
-            1YYfPkN6PvJr3JZ2grcVLbjFF+/gQnIGcSrluv8WikvBb3TqVuDGyg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyc29QQ1FoT1RIbE9neG56
+            T1MrQzdHWEFORnF3ZlRBMUVvdVRtWjRxYUFzCjd5aDBISHlVdUFSQ3dySmFRZ284
+            SHNjdjlBeVFjbW5kSmVKM2doTHczS2cKLS0tIDkrOVpHUVIwSUl4Zno3cENoTDJu
+            V3krQU1VUjFaY0pFbVJkQ0E2STF1N00KrqqxZo8CzJLwiE/uibJMA6V/g4vlRFhB
+            mj/lWkEAek7MhncNKFPgoNON+5rU1bqmEHufhpLaBV8NYEWMTM5/XQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1upnqu4rpxppdw9zmqu8x3rnaqq2r6m82y25zvry5cec63vjsd9gqtl9e02
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VjZzME9VMFlLR0Z3L2VH
-            amFncUlka3BVbEdVSlB0S09seGZWd0lpblJvCmFJcmJZM0RUL0xkR0psSEp2U1dz
-            eEYvenl6NEZyb0FnK0Z3SFhNK1BhazQKLS0tIDU3djVua256ak5JdDFKbGlQbXVk
-            Z0FybjFQakJPQmtLM3djRElpYnlPK0kKl48acrM96svviQh3wGNFW1cTnX9l/8L2
-            IzHpGGg47lEsEaefm1wQuR89AzToWECLKgz3uFrl1vtXFzmQ/qGJag==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZVJCblJHZGo3bFA3NitQ
+            OXMvakVVOUdISUlCYW9SL0xIZEluUzZENEVNCmNqMGg0azVac3pRVW9obzVOUEpz
+            RFZTYnhIU0E3c2h5aS9mL3NvK1lGMkkKLS0tIGdZOUlhbjMxTUcrdHN0VTFqK0lj
+            bzFiakFNNUE4RllrdkR4WW4rN1hJTE0KnIrPDg9U2eXrQU20hpFBULFv4AQZn18J
+            TGrgn5CzRHEjWrDBxQfN5u0tNu/07KJN5xRvd3MroH1KVe2Z0pQn4g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbXgveXJxc1BlYXlxRjNQ
-            aXEyUVRvS3ZqTTNXVmdtaytsT2Y0YWgwR3hFCkZpd1VGQ1NVVC9FaVNOc2c4K2ZX
-            aWVjd2FXU1BzS3MyWVorRzJJRnRpWG8KLS0tIDNsZjhwOXZhTjN1c1Z2SXV2Q0Ey
-            MzFCRFFLR1dqVUlMOEJhdVNoR2hZaHcKY6bNAv9EnGQg83wC0cvm3Sd+WXCGb1bW
-            WSGMbrEWULo1kTbtzal9LbM3uiEytp1Ei7WDtEy9knfhuV+RggwVyg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age15qrzsk9t7uyuuy7m0xt3qzk3cmcsegt5wfe5zew4d8najwjnm30sfjc3pk
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQWlhclFKRTgvdmU5aWwr
-            VlhxVGk3cmkrTGo0RjlXSVlPZ3ZJMVhIa1U4Ci9MT3ZQZUNVZ0VuZ0t3eFZRVkN0
-            bUEwQThSSmJ0OUhRc1F0RVZ6aHcwODAKLS0tIHgrM3NxaWhpaHA5QVlYL014aWlB
-            dlNQS3UwdEVQVEV1TGE4ai9RU0xzaHMKA0NpL+bikvjJFd4UJOOqaRINXVX64uZA
-            3cOqv0PbUfsp2ON3Nm8SX5g74hraDaKGRtTA2XWJBHfXv0C+WDbbiA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiS2lpSWQ4R3U4QVhRcU8y
+            OXVKcVNWTzJ1L3k1a2lIUE1FeE50VzcwOXlnCm1na1JiSmVPUHlVVFdGVzkwZzNB
+            b3ZlN2R5NExBeU9YZlhBRHY5VThrb1kKLS0tIC93bEFLdWxZaDRpanJDV3V5VXVM
+            ZGExZXl1ZWtTMExLalhMUlJqWk01MUkKhCweI+hyY3qCf+XA5XP/QiMG57LQ98/i
+            msKrrNp6yX5FX32n0mPiVehb/6xY2/mTAtGtIt17MxdMY6QwXjQmEg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTklFei8xcUYyKys3WFN4
-            UXlubmpWdC9WdUlOVm9nTlVGdUdTaE12SXlBCkZkNVN4aGUxTkJNb1dxLzVMczE1
-            ZzdjdWR0SE10Qkx2eXJ3TFltV1pRb0EKLS0tIHJNNmZhV3BCQUtoRjFNM2lLRlh1
-            VTA1K0luREtnMU9kSVUrMTBLNEo2WlkK23HeYnA/NIsdXqhqTQIOGSNGmWcgp8KV
-            yXdyozkRxnBm0xFgGJ+qjCDlOIIBQbgzT66SX+arGEY3g8UGDFEsrA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyU1Nnc2taYWIyVVhEZXVE
+            MTJLSjhNcG13S2Nqa0E4YnU2ZklZUS9QVUNJCkVUdWRWMGNnRTNSYjNvMjA1YTIx
+            UXZhTkNwY0Z6VXI1b09yRHl4aUVpYmsKLS0tIE5CZ0VmVHFZTlZJSzB3OTRKeUlz
+            L2gzMDdySit6VWd4RzBMcENobTJLVGcKMYhRprFglCN5gUpcZ2ZKV8YgwdcRNuOs
+            h+rEUaHuMlPSGe/t29hU6FfRGJ3vbPAKJpYDWANC6QTF+/TnFokzew==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2aFQrVjcrUFBTVkhkNlhx
-            cnR6WFdJNW43bDhxWWNLcUtqTENGUkFHVkVZCjBNbHQrNWMzWk9zdE95Wm9CR3hU
-            RDhBMHdVUXgzditLMTJaM2tJU3ZBVDAKLS0tIGc4MEgwUXBaT2gyNGhnUytjMld5
-            OVQzNFJJT0VQT1ZOZ3YwaTUzV09ZbUUK6ZX7XonLQGVQKawwyFAJSlZq9jwKyR+l
-            MJYtGMFAZv+qGTe/TN2Lhxkfo5VIXQUknt/ud94ceOW8A87WJ5RFIw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQktCL0QrRGNpVkI5UXQx
+            bUNQZnc0ZUI0Q3lHQkNnbTk2VGZ1ZDYwY0NnCi9OZkhUc3hSTWhiejZPWVhhdHc1
+            d2llWjBKNTVNS21LODIwTlVLNTFUVFEKLS0tIGJLWEZaUGR5YXYvVHIvQUpBU2Jr
+            QjF6SDZhWktHR1BwdVdBRWIvVTFpT1kK4id9BOXza/HPySMgGi+kjLuQvokUZNlf
+            0+vleCcyAIT/9sv/RHm7ctAxsGp/NkdUBr//ED0hhYVd2zszejXHFw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age159whjxeyw94xmkkephmtlur8e85xd9d5vnvkwkcayfv7el0neqfq863yga
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwYlVTci8wU0Q3aWhMKzY0
-            UmxIMWRxaHVORS90Tm5rQjJPRERVNSs5VURrCmNCWGN0MEtBMWxGTUsrYlcvWG5s
-            RTNwc3pFV0J4MERqWENESFFDKzEyYzAKLS0tIGwvM3Y0QU9SM1F6dk9STHJmYnhO
-            OXptbEVubTdZdHhKc01sdmJ2bTh4L1kKusHQnya/o0TzGK3y084bKrWD67tdQ/aW
-            6va2HjLoCBu/dO6yPl9XU+Ocub9AY8p+Rs8XcQS+ypi2sSNi4i2Syw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGd2tSVmR5SjhmR3BSTCtH
+            NzJLNEYvSVVvaytZOEM0NnJsRjdoL3d2VDJJCi9nbVZzdlJZS2plUjlKWEt3SWxm
+            WEVrVlpqRUIzYjJTOGFveWR4UjIyWTAKLS0tIEFFajNrLzdXT1JXSXN3eXhGd1Vr
+            Y2cwK05uWXFhbndyRlhrSFNjYUlmZ1UKZ1vFRu1QhGGf7BIP8TxK2BIlMZlP3muA
+            R3qLr1lEQmob4O0ilwn65nSCEd1/9W6dUWqeSlJ6CavjG59AvSHfIA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-07T16:08:34Z"
-    mac: ENC[AES256_GCM,data:uMpavfH72TyTc+tRTw+hyv5N+NHdTvO7J4TThOTqV1ACOl9DOIBimUsREDONEgUn4cOdDOZzSR6LDlva60+B30xoJUL8fsRzNXtHkZ/aR0WJmkFcKu5rkVvRQjJt378ICid/et0R4SEojxeIvhI3MzGxyF25NdhIswGKgDh2lMU=,iv:gUbAdaxBJFBXxJHJXeRXTynC4cwaP8vL9Z61TN2pIEw=,tag:lUFk/ydWRO/ZjA4V89IdHw==,type:str]
+    lastmodified: "2024-11-30T18:44:29Z"
+    mac: ENC[AES256_GCM,data:SG6a5pWa3gMaSz9d9fOchUXtXbRTpMOXmbOjZo5Fdx8Es1MEDwezwscQaj9p1dzmGa+7U8UUUzMYxlg2SmGgGdPgCs0a5RQVYvQFNdgpRiuknflFMcdgXLv7XFsTqsqSmbN0O662YDvCcz4DWRKjNCZAimlLym8pwDihj1D8dcU=,iv:JmCbcazDK2KPyYsoVy39sr4IbfiGfmGoopit5ojVADk=,tag:6tKYfMkJBjsThaa4qLqobw==,type:str]
+    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.9.1
--- a/secrets/blocktech/colmena.yaml
+++ b/secrets/blocktech/colmena.yaml
@ -1,6 +1,6 @@
 sops_nix_keys:
    root: ENC[AES256_GCM,data:CxF2wjcQ2OFuS7Pgjnc8zc7sqGEz3dcHt4NXkL+V6w7kGPP+b4wBhOlT7b+bEESNslpK2htLY7x+IZWIA8JQpeRKHAKymAUK86I=,iv:5qNFDb86/Vr9Iqzx1eES4wUVY5XTq3iOR4VQliuP1lg=,tag:gx/Q7t52l9kMhPRXdpsB6A==,type:str]
-    pkunis: ENC[AES256_GCM,data:192vkgOdMoDEhPU6yilatIfaFS/1LJFvteEMYI1/3SBP773lN62pWoDiJDiBtjBCisA/3yHriL3Dpvs1PwbV0BChmbL+svwKrFE=,iv:/YyZ+NSyZwyGp4NJYUSeYOOUfGaH5jOiVUH8QeWnFUA=,tag:sWN0bQvm8Ejw5+XST0pAEQ==,type:str]
+    pim: ENC[AES256_GCM,data:PWFlRBaqImbCpj3IXU+BtNIRvwru+GRwxDQO4QwINRvxRqC36LE6JpMqaJNrTdCPy+aQ01brTN8y99qXTDlrul32cZnopc37r78=,iv:1tG7rDB5D7D2myes6Ro8hXC140ugjXpiwNpivWFw/xw=,tag:BNm/Ep55tt7xBWZFyzTR5g==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -16,8 +16,8 @@ sops:
            NkJzL3JSN2sxbnF6NGNhQlJqTHpHRTAKK+3FqqBAGxdlMtnbsySEcZT1lkQwJWvK
            GFB+6CtH9UtyIGrdK8Pm/0ahsolYGAim2OjeiKBbs3Q8kLm5WAsgRg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-25T13:53:06Z"
-    mac: ENC[AES256_GCM,data:lLojNOq2QtdeqiCHOg6+Kssfa+Ey6JefPQulFkgnr1Onrt60ds2qWg5TTMHMlUaa6vB1S78WqyquTRBLv9Ek/alOae+CgdDi+vVX8hG5Mc2Edcfl+z8rRNFB+2mOEl1gJwKntyxySx6YBiDhZsH0p+Xflw9WGm/lL/FyRCJCwq0=,iv:8PqXupgwdfgdfIzsymVSrjQACoMODR+XYPgLMvASjos=,tag:rLGJlL3alm/qy+3qeS637g==,type:str]
+    lastmodified: "2024-11-30T23:42:51Z"
+    mac: ENC[AES256_GCM,data:fo856uaz54nxHDJVDpMOPc6GHAzMdVJTfqBiMtJkEwm3AVICtRcI8ucceBnmfKZf9DM2MC2DffU1tvJd5iqpqFZMXCElRnBxWVZGhvrZqIZtmoAin5zBgwOudf1o6msmdNGmZk1ECq/HpHNO/QMQ3rnFdBvOZwL0zu6iZm9XwC0=,iv:T6Tv1ukk0CWbTRVWYdfn/bWQoETk8DRVMOzpJE9mCWE=,tag:eICIYTBvAJLUTpRcMYqc5Q==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/secrets/sue/nixos.yaml
+++ b/secrets/sue/nixos.yaml
@ -0,0 +1,24 @@
+wireguard:
+    home:
+        presharedKey: ENC[AES256_GCM,data:nFOqWcdo8zG83v1ceod8Uy4wX3w2LHmDPp2PaAAJ/lUexU4DhY9RZ4wtgC8=,iv:UvzQSZZ62I+QVFHMkHczC2KPeqX8z+DodS7nxLmXr4U=,tag:otwdNc2636DJdkzg22puqQ==,type:str]
+        privateKey: ENC[AES256_GCM,data:RCQ3hvrnxCerTmKYfZFV7c9smMj5tbP+iFWouo1oxfhbec5K3uXipkL+KSg=,iv:zKSPvtDH3WcuxVpQydGScX6m0isZzLKk/F+/Wlpt/YQ=,tag:BDag2DSoHQDzg8xTS3SX3A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWEc5K3p3QytpZ1pxeEJy
+            TUtENXdnT3ZJUGNXaHo0ZktwK21OMVJmNzA4CjdlMUtWY2hBc3U1UVZQZEllK2xC
+            NGZSK2VyQVdBRmZYejBWM0FIeFE5K2MKLS0tIEQ3MHhOcW92dlo4NUdBdFlKdEM0
+            N1Rab3RNZ00vd0xPOVBYRHphaldWU1EKNKnKPWO1l8NwWXG2e15Y3td9I0rN9Wwn
+            QdoeVf2+cPJOO5g9stZpl2DBF3QxJojt+dQhwjuEbP9nQtlVQPAlMQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-30T23:42:09Z"
+    mac: ENC[AES256_GCM,data:nHLeqi4DAoyIi0CfARfx9b753BFdMmIR/fkOrhV5yehl7rUWvSh0+H7sb/ncgW6Blrc5g6Ek8BxXAt8a2SXfCEQaFU6tI1wJ/3mPtEPSvWQnZ75wAQLRgaBE3oxdL2FxSu3sjXMRjipPa/ACbau60FpNFzVbGuwNYfQAquwWtFg=,iv:LYn+36pfIw8zCnhQE4nCyt9yhetoHZRVNrBXL8N12Jo=,tag:aZsxtfEdK99+aBQS6OEwWg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/secrets/blocktech/pkunis.yaml
+++ b/secrets/blocktech/pkunis.yaml