2026-02-03 19:54:21 -06:00
28 changed files with 710 additions and 210 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,7 +2,7 @@ keys:
  - &devkey age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
  - &workstation age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
  - &server age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
-  - &miniserver age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
+  - &vps age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
 creation_rules:
  - path_regex: secrets/secrets.yaml$
    key_groups:
@@ -10,46 +10,46 @@ creation_rules:
          - *devkey
          - *workstation
          - *server
-          - *miniserver
+          - *vps
  - path_regex: secrets/keys.yaml$
    key_groups:
      - age:
          - *devkey
          - *workstation
          - *server
-          - *miniserver
+          - *vps
  - path_regex: secrets/env.yaml$
    key_groups:
      - age:
          - *devkey
          - *workstation
          - *server
-          - *miniserver
+          - *vps
  - path_regex: secrets/gallery.yaml$
    key_groups:
      - age:
          - *devkey
          - *workstation
          - *server
-          - *miniserver
+          - *vps
  - path_regex: secrets/wireguard.yaml$
    key_groups:
      - age:
          - *devkey
          - *workstation
          - *server
-          - *miniserver
+          - *vps
  - path_regex: secrets/homepage.yaml$
    key_groups:
      - age:
          - *devkey
          - *workstation
          - *server
-          - *miniserver
+          - *vps
  - path_regex: secrets/certs.yaml$
    key_groups:
      - age:
          - *devkey
          - *workstation
          - *server
-          - *miniserver
+          - *vps
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -5,6 +5,8 @@ Auto-generated from feature plans. Last updated: 2026-01-30
 ## Active Technologies
 - Python 3.12 + MCP server library (Python, JSON-RPC/stdin transport), click for CLI entrypoint, pytest + coverage for tests, ruff/black for lint/format (002-mcp-server)
 - None (in-memory tool definitions; filesystem access for repo interactions) (002-mcp-server)
 - Nix (flakes; nixpkgs 25.11) + nixpkgs, flake-parts, sops-nix (003-vps-image-migration)
 - N/A (configuration repo) (003-vps-image-migration)
 - Documentation set (AI-facing constitution and playbooks) in Markdown (001-ai-docs)
@@ -26,9 +28,10 @@ specs/001-ai-docs/       # Planning artifacts (plan, research, tasks, data model
 - Keep language business-level and technology-agnostic in AI-facing docs.
 ## Recent Changes
- 002-mcp-server: Added Python 3.12 + MCP server library (Python, JSON-RPC/stdin transport), click for CLI entrypoint, pytest + coverage for tests, ruff/black for lint/format
+- 003-vps-image-migration: Added Nix (flakes; nixpkgs 25.11) + nixpkgs, flake-parts, sops-nix
 - 003-vps-image-migration: Added [if applicable, e.g., PostgreSQL, CoreData, files or N/A]
 - 003-vps-image-migration: Added Nix (flakes; nixpkgs 25.11) + nixpkgs, flake-parts, sops-nix
 - 001-ai-docs: Documentation-focused stack; added docs/ for constitution/playbooks and specs/001-ai-docs/ for planning outputs.
 <!-- MANUAL ADDITIONS START -->
 <!-- MANUAL ADDITIONS END -->
--- a/docs/constitution.md
+++ b/docs/constitution.md
@@ -42,6 +42,7 @@ config.services = {
 - Secrets files: `secrets/certs.yaml`, `secrets/env.yaml`, `secrets/gallery.yaml`, `secrets/homepage.yaml`, `secrets/keys.yaml`, `secrets/wireguard.yaml`, `secrets/secrets.yaml`, plus `secrets/ssh/` for host keys.
 - Placement rules: Keep secrets aligned to their file purpose (certificates → `certs.yaml`; environment/service env vars → `env.yaml`; media/gallery creds → `gallery.yaml`; homepage widgets → `homepage.yaml`; SSH/private keys → `keys.yaml`; WireGuard peers → `wireguard.yaml`; misc defaults → `secrets.yaml`).
 - secureHost gating: Only hosts with `my.secureHost = true` load SOPS secrets and WireGuard interfaces. Hosts with `secureHost = false` must avoid secret-dependent services and skip SOPS entries.
 - VPS enrollment flow: The vps host generates its own key on first boot, then operators enroll the public key, re-encrypt secrets, and redeploy. Follow `docs/playbooks/enroll-vps.md`.
 ## Module Categories and Active Hosts
 - Module categories: apps, dev, scripts, servers, services, shell, network, users, nix, patches. Factories sit in `modules/factories/` and are imported explicitly.
--- a/docs/playbooks/enroll-vps.md
+++ b/docs/playbooks/enroll-vps.md
@@ -0,0 +1,16 @@
 # Playbook: Enroll VPS Secrets
 - Name: Enroll VPS secrets after first boot
 - Purpose: Enroll the vps host key and re-encrypt secrets so services can start.
 - Prerequisites: vps host booted and reachable; secure host; SOPS access on operator machine.
 - Inputs: vps host public key; secrets files under `secrets/`; repo checkout.
 - Steps:
  1. Retrieve the vps host public key from the running instance.
  2. Add the vps public key to SOPS recipients for the relevant secrets files.
  3. Re-encrypt secrets and commit updates as needed.
  4. Rebuild the vps host from an explicitly authorized operator machine.
 - Validation:
  - Services that require secrets start successfully after the rebuild.
  - SOPS decrypt succeeds on the vps host without manual intervention.
 - Outputs: Updated secrets files with the vps recipient; vps host with secrets available.
 - References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Hosts and Roles)
--- a/docs/playbooks/vps-rebuild.md
+++ b/docs/playbooks/vps-rebuild.md
@@ -0,0 +1,15 @@
 # Playbook: Rebuild VPS
 - Name: Remote rebuild of vps
 - Purpose: Apply configuration changes to the vps host from an explicitly authorized operator machine.
 - Prerequisites: Operator machine authorized; vps reachable via SSH; repo checkout.
 - Inputs: vps hostname or IP; flake path; target profile `vps`.
 - Steps:
  1. Ensure the operator machine is in the authorized key list for `nixremote`.
  2. Run the rebuild helper script with the target host details.
  3. Monitor the rebuild for completion and errors.
 - Validation:
  - vps reports the new configuration after rebuild.
  - Remote access remains available after the update.
 - Outputs: Updated vps host configuration.
 - References: `docs/constitution.md` (Hosts and Roles, secureHost), `docs/reference/index.md` (Hosts and Roles)
--- a/docs/reference/index.md
+++ b/docs/reference/index.md
@@ -20,13 +20,14 @@
 ## Hosts and Roles
 - Configs: `hosts/<name>/configuration.nix` with toggles in `hosts/<name>/toggles.nix`.
- Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`.
+- Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`, `vps`.
 - Roles:
  - workstation: developer desktop; provides build power for distributed builds.
  - server: primary services host (overrides `my.mainServer = "server"` and enables proxies/containers).
  - miniserver: small-footprint server; default `mainServer` in shared options.
  - galaxy: small server variant using nixpkgs-small.
  - emacs: VM profile, `my.secureHost = false` for secret-free usage.
  - vps: Linode VPS image target, secure host with enrollment-based secrets.
 - Network maps: `my.ips` and `my.interfaces` declared in `modules/modules.nix`; host toggles may override.
 ## Proxy, Firewall, and Networking
--- a/flake.lock
+++ b/flake.lock
@@ -819,42 +819,6 @@
        "type": "github"
      }
    },
    "nixlib": {
      "locked": {
        "lastModified": 1736643958,
        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixos-generators": {
      "inputs": {
        "nixlib": "nixlib",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1769813415,
        "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
        "owner": "nix-community",
        "repo": "nixos-generators",
        "rev": "8946737ff703382fda7623b9fab071d037e897d5",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nixos-generators",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1743576891,
@@ -1104,7 +1068,6 @@
        "jawz-scripts": "jawz-scripts",
        "lidarr-mb-gap": "lidarr-mb-gap",
        "nix-gaming": "nix-gaming",
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-small": "nixpkgs-small",
        "nixpkgs-unstable": "nixpkgs-unstable",
--- a/flake.nix
+++ b/flake.nix
@@ -50,10 +50,6 @@
      url = "github:nyawox/nixtendo-switch";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    wallpapers = {
      url = "git+https://git.lebubu.org/jawz/wallpapers.git";
      flake = false;
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -0,0 +1,36 @@
 {
  lib,
  inputs,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../config/base.nix
  ];
  my = {
    secureHost = true;
    users.nixremote = {
      enable = true;
      authorizedKeys = inputs.self.lib.getSshKeys [
        "nixworkstation"
        "nixserver"
        "nixminiserver"
      ];
    };
    services.network.enable = true;
    interfaces = lib.mkMerge [
      {
        vps = "eth0";
      }
    ];
  };
  image.modules.linode = { };
  networking.hostName = "vps";
  sops.age = {
    generateKey = true;
    keyFile = "/var/lib/sops-nix/key.txt";
    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
  environment.systemPackages = [ ];
 }
--- a/hosts/vps/hardware-configuration.nix
+++ b/hosts/vps/hardware-configuration.nix
@@ -0,0 +1,41 @@
 {
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot = {
    kernelModules = [ ];
    extraModulePackages = [ ];
    kernelParams = [ "console=ttyS0,19200n8" ];
    initrd.availableKernelModules = [
      "virtio_pci"
      "virtio_scsi"
      "ahci"
      "sd_mod"
    ];
    loader = {
      timeout = 10;
      grub = {
        device = "nodev";
        forceInstall = true;
        extraConfig = ''
          serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
          terminal_input serial;
          terminal_output serial
        '';
      };
    };
  };
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/f222513b-ded1-49fa-b591-20ce86a2fe7f";
    fsType = "ext4";
  };
  swapDevices = [
    {
      device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001";
    }
  ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/parts/hosts.nix
+++ b/parts/hosts.nix
@@ -6,5 +6,6 @@
    server = inputs.self.lib.createConfig "server" inputs.nixpkgs-small;
    galaxy = inputs.self.lib.createConfig "galaxy" inputs.nixpkgs-small;
    emacs = inputs.self.lib.createConfig "emacs" inputs.nixpkgs;
    vps = inputs.self.lib.createConfig "vps" inputs.nixpkgs-small;
  };
 }
--- a/parts/packages.nix
+++ b/parts/packages.nix
@@ -29,15 +29,8 @@
    in
    {
      packages = (inputs.jawz-scripts.packages.${system} or { }) // {
-        emacs-vm = inputs.nixos-generators.nixosGenerate {
+        emacs-vm = inputs.self.nixosConfigurations.emacs.config.system.build.vm;
-          inherit system;
+        vps-linode = inputs.self.nixosConfigurations.vps.config.system.build.images.linode;
          modules = inputs.self.lib.commonModules "emacs";
          format = "vm";
          specialArgs = {
            inherit inputs;
            outputs = inputs.self;
          };
        };
        nixos-mcp = nixosMcp;
        nixos-mcp-server = mcpServerPkg;
      };
--- a/scripts/rebuild-vps.sh
+++ b/scripts/rebuild-vps.sh
@@ -0,0 +1,15 @@
 #!/usr/bin/env bash
 set -euo pipefail
 if [ "${1:-}" = "" ] || [ "${2:-}" = "" ]; then
  echo "Usage: scripts/rebuild-vps.sh <host> <flake-path>" >&2
  exit 1
 fi
 host="$1"
 flake_path="$2"
 nixos-rebuild switch \
  --flake "${flake_path}#vps" \
  --target-host "${host}" \
  --use-remote-sudo
--- a/secrets/certs.yaml
+++ b/secrets/certs.yaml
@@ -22,38 +22,38 @@ sops:
        - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbWtvSXZ2MVdpdldmNUhx
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VUMzYjZ5WlZtQ05LdnVt
-            OXlXSkxQUEdrY2wyMXZFdDNoR0VXU3hhODFzCldQOXFpamRsSmJrMXpDSU45aE55
+            b3V3RmFyM0VZWmh4dC9YZFpsZkRIdC9TRzFrCnBuYnhSaUgwb3JuSUNFSWlwSmVq
-            QzVESG9mdWN2Z2JvdEJzbElud2hWQTAKLS0tIHQvWkxRdXJlRGp0NGhoZWFaRHE5
+            bEoyQ09XSjNBMks3M2ZYdlh0eDFNYjAKLS0tIERpaGhISDFYd3RCYUV6Y0lmdGNQ
-            N1NHa25pT1FscmJ0WUowcXluaDg2WGMKigU7SPfaPWuW0gNF6yQIVWMDkddYWK+/
+            VTNibTBMN2RuN3doU3lYK1drNjVTVkkKMmRW0NtiYKBcUQ8kKjXcS6KjoPdVfN5d
-            BETBlD1+yyFk8pF4IfR9iU2JgWLSCzMK5JDZXjm095eoDS5xTQHj3g==
+            6vczsKTTbUwI0n6T5xrwRdbVIFsP4HisjceQWxJIVBthR0u9dLfXGw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweGpWcDczZFFoTXNDc2xV
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvb1ZtMjV5TjlhMVRwdWNU
-            b01BYVJiYjlvQy80NlF6K0lRTWN1Y0pYcUZrCklsbzAyMFFqNXVRK0x4NU1zc2JL
+            ME93Y0xhVGlxdGxmeWtXQ09EN3lORlJpV3k0CkJxdE14YXpwcytjbnZuMWpHVzZ3
-            WXA1OUhPQzZMNDhxMkU5K2pvc1lCOUEKLS0tIGo1aHA0b2lSdW9HM3ZPTU92Q3VU
+            dVVBYVE0RW1naWVVQ0JRY0NoWG9LZTQKLS0tIG1udE1GbEtTQ2o3bGl0SW9NZmtF
-            dVgyamc5bzJ2T1M3TXh3dEg1d2xlbVEKvEWuB9hPQXkI8AQ5oKs0AU8v9bE4PpLu
+            OFNqTncyaHFUSzBNRzZiSTVBdkhFWVkK2v81N8c8cU1Ig9fQZOn0fltqO+Ej8Wtk
-            x35YD4Wvfva9l21o1d1474bk9+nQnksj1ofgQKYilvKSetH11KkuQA==
+            D0nMQv2fbWp6YlyE17VYPgmhdEY6+Zstve6PlBG86iQE3LTAfjG3Uw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmem1iZmRqSXhVcVA3djBo
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSVdUWXRUa2tHVGczelhu
-            SFVQemRuS211Q3kvZEZzVkIxSmIrbGdtcDE0ClFwN0NydUNYU0Vpaml5bmhXSDJN
+            UWk5RFl6azRJTkdxZGxvbWlnSDc3K3NlNlgwCjBRZEVta3RuNW1DZmo4RXJyTTNk
-            QlNMWExNRFNUMEYwa0QrbWUyUGFtNjQKLS0tIDcwYzVHYXBOejhHN0Z4Njk3OHNL
+            cnpxTDRGL0kwQXJmc29LNE0wV01hUGsKLS0tIGgyTWZrOHVNTGExRWtYMzJ1aXhp
-            SzJoUVArZ2xkOGpYZG5pWEpGejVyUlEK5VRrn6jp40iXOdoDDLxk4DhcprKBZd8v
+            cURNZXBtbnp2OUZDZDZKeEMrZlN0TEEKznlmLKFHYDm/hv3EPcHjT0A8r06GL7if
-            yHp6GBf7mFWxkvw77fl2/q7J6krlwix2sC5TLlk26zfgSaISz/mR1w==
+            tbuJei8aWWg+uuvCBTZjHqmPUyNR1ixt84vxy1HlwXVu3dYHcG0Wug==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
+        - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOXRFVjBENnJqY21ZNkw1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZYnlaTkd3LzFRbldWL3RZ
-            WXIvRURMSGRJUU9WMkRtOVAycHVGQkZnZkZRCnZlYUhYLzYwaEF1UTBCck9lV2c2
+            N2ZneVIzMnRpVVNHVWRMdXJLdjQwSWFKS2pFCmlQZUZMbG03VFVuUXcxZ3NRWjVH
-            Q2pmS1hVR2xkeitGSEpGNXptdDk2cEEKLS0tIDJURXNKUjV4S2VXbXdyNVRJWVhj
+            SHVPYzk5NGpkeUVSU1BmQnNuaWZnZFUKLS0tIFdQZEU1YnhHZWRIajNYWTYxMEwr
-            Y2FnZXZYZzNrZkZubCtneGNHVlVKUHMKTasbVdxTpuK3UYmeAXWt4Gs+M9NnodWF
+            UVBjaDFtSWs1b29DR0R2WS9pSGh3OEkKmG34ldBy4s9nj3ng/HQr+gN0LHJCOPJ8
-            fGuCUVkGNrXHiLBYUjomvmtYIul22xiGzes0xHzSBE9jiZuVnu4qlA==
+            EWhh7cTLSF9AmZKP0sBsj7I4hHhZlOn85bvTM9RDiRVOSz8VrObXHA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-09-21T20:28:29Z"
    mac: ENC[AES256_GCM,data:e267Kxv1Pyun/VOcLepBDBEKN6uSf8/iuY8KQ8u4xK58wsWkMdSDVcDKvO/iKF/Tj9hj+lZapkaKmp5SdeX+gjpyWiZi6QmUuKsCs0jlkV2NydLtZZt9vkmY/LCguIBRMmhDgidrNcfoghTxDDK5lng5H+2MBs0r2zLID65pHUQ=,iv:tr4YFdBltnsD4uTt+0NCam7r1QzhOmdoEbfz5/+JGPI=,tag:R2dDWTC1qrwPI9ghaf1FEw==,type:str]
--- a/secrets/env.yaml
+++ b/secrets/env.yaml
@@ -21,38 +21,38 @@ sops:
        - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDclRxNVVzaC9lazNQSEdp
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWpKQ3RqSVdxcDllajc2
-            UzNBaTRnNzhzM0dLaVk1QlBaK2ZUelhoWmcwCjAzcnNsakxONSs2UThpNjhMMGpr
+            UzVtdmxBWmJ2QkI3SGhYRlRadGJYaDU3UVN3CkpQYkxhVm5ZQ2djbldYL2VmQWsv
-            TGtnY21OTnd5NXdvdlpKamNCdXNjbzAKLS0tIFVxbGNLNWhudFRoRjBOblNrdW9k
+            SEJmam0zMzlJSFpHS3JZWVorUmh5ZDgKLS0tIFdWdU44VlRDZllCYXRTQzNyajRy
-            VkhOV1BScVQ0RkF2bDBabUs1a2toMTQKDAeEu3+vuVKcpm27igmQuBvFfsMd7o9H
+            cDJqNzA3ektRWll6SkFsVnFMd1FBUEEK0j9X4lYcFaj4MnVh4jnNwrTg2Sl5TTdZ
-            Wbinft1NiaQhc+7KtDEx51+tS+cgaGzObkWabyQutDqWEa/2PZLZLA==
+            uFvTdE4ZNtZsh3nKmj+v2J3JM8dDUtw2NSooqpoqEvCYdDqwK1kDXQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RC9Ea2VSZy95Q3JJWlhB
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSXlITkpxcHZqR0kzMlFY
-            VFVBVGxnQit0WC9Vc29Ic0g1aDNBNWFySmxzCngyTDg3R292c3VNUkhvUWNXaThE
+            TStOVitPSm0zTURZcE92NkM2ak8xcVF6OVZBCkRRbkpBNW9yek9rWFlOa1pLSk0r
-            NjVjTVlEZHhVODlFeklKNU9peWdad2MKLS0tIFhVTHZoeHV4eVVGOWNHeml0b2JE
+            ViszS3pMNFhLQlcwdW83R1hhTUJLT0UKLS0tIG9NTm5tNzlidlJmejdoOUkvUE9X
-            ZVZiemVkYmZxMFVEQmVvVkZnaU81OUUKPHdwj8s0Ju2Y0Vh31jnR83nQ3jpqjkhr
+            RzV2MUFEMnlHVmp3UmgvNmJKSDFrWHcKQ7y2W0PFLs/I6Tb0J/M91+toDP8XmgWh
-            4z5OxYJk2d0uO9f1jNaiIVLRxCdbj3h84f4fQqoQv5csrc5H9mg7Rg==
+            LYuNc9lkjTs+ylIWuMTwtXdceI+kK8hJlELT47FyKl755DzuB1ufAg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNkNLTzcxa3d0M0pJbXlp
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYXRodjgzR1hoR2VDNHd6
-            b2V1alhBUFY1VVZIZUY3ZHYyVmFKQW5tbGdjCnJXSHpmeDdTWWtHTWt3TVlCR3BU
+            NGJ3SXpqRmJKVlY5aTI0R0hBLzFGQ0VSYmpVCi9BakFwRGlXd1ZPbWpHY2h6RUo0
-            TXFXZDVabjF3d0JYUk5Mb1c1dkVjMTgKLS0tIDFFbHBCSXlPVlM5YUk4MUNiNWdx
+            VGl0T0d1LzdaZGNOZ0pDekZxVVBWUlEKLS0tIEdtVDZlN2FrcFhEU2pTMUdiZ3NH
-            bjg3aWdMbkNDMVd1cTU3NGxPU3cwVjQK4zDOWDUHhK0JVjiYTMTSmGej7yXb5X6G
+            d3ZSMGdkNzNaczBYOHFuZWJmcEM4MXMK6ayh37HUhOYPryv2Y2WlE1U0CX7qZF89
-            SLPWPbrB8WLGyK/gdxDrZAxucxe/n/O0CsR5DQubmetfUSowk9RIIw==
+            PzvHQZYcbZ2gsRW2f1uU2VoJp/6XnSipD7fCjma3iNovoPlu2+A0yw==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
+        - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WlF0WkxIRkpnR1RhcVJX
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4aUk0WVhTUTZXOVRqam9O
-            b05ZYzk3YU84TDI0cUpBdnRpNGxEQmFIMEVNCkxrTkdkUzBnUDdDQ1RqV3hnamYy
+            WkVNd1FKdDA1SWpwWndHbmVBRlNaSWI4aEVnCnJTTDNYTkRtNkR5cUl0SURVQWxh
-            c0owbnVHbjFPY3JsOGIzN0xIZHp5dmsKLS0tIFJwZ1ZFbG5SSmNoMVFYYlNXNWx1
+            d0c5cEhJVTZ2YXdLdHFQRk9KN04vcW8KLS0tIGF3Rmp2Z0pwM0x1WnpKaVBiUE5x
-            QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb
+            MVBONDBmQjI2enNIVFFQT1hyYm45YXMK2NXWvm8G+Yrvw1NAC6AiDaxA9UftuqYe
-            9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q==
+            ZB7QpfkdCT3vS52lBgcEJrM1TbaVX2868trk5kB4gjqVMPVPYxcGHg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-02-02T03:55:24Z"
    mac: ENC[AES256_GCM,data:+NN+RgkHAIox1IgUuC2ACHneRBzgn5FzsujpbPtmw1IecxeKMMXM7Wa1ZziSkWJSjjDCcBoanox57e+BoNWN5WhWuMdCed04AKcknfKlHAtHrKhoLCsi1sZnsQX7xBmTsA5qHD8788EWfIgPk4gToXkq5KkEfvEWLvalClRK7tY=,iv:kGyw9hk6vp5iu0iMHaCLgVqdcv1gNUBqBhZbRSCa4Ks=,tag:FdKL/5ZraejphDIE2ig8GQ==,type:str]
--- a/secrets/gallery.yaml
+++ b/secrets/gallery.yaml
@@ -5,38 +5,38 @@ sops:
        - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIY05VY1FPOU5FTFFnazlQ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4R05sUnl0UFd3T3pzRm1y
-            RStQVExNdWIySE5qSVMxMFd3NFM0L2VCRWxzClhleTEzNTVOaVl1cGovM1hmWEoy
+            U3piNzlpTmpZeEhkeWJxRkMzRzBWRW9LQmtBCjRHTVg5ZlozUnpsVjhIK05xYjlz
-            eGNxZ2E4U1pRNlBaTDZ0ZW4wbVZjT0EKLS0tIEJ0ZXR5blBlckIxSVlmT0hxY1Bz
+            c2dwbWVKWVNXWFhTWEtlUUFjVUw2RkkKLS0tIElaNXN2ZmROdHd4bWljM3FyMEh6
-            TGVGRFgzaHI5VW5GdjJvcmswUWFvaWMKQCK47p7OQUXq45aYo9BkkcGrzmPKCJOI
+            Szg3WTdrVlFmSUJ1S05xNXY5RlM1V1UK7YETep9hn49UqRUjbRv6oGFUT/8lRgXx
-            OKu/+W4xYOnfIo03GGL6f4LrbCaKr1mdtsRnuHmaFXiXdaKbZFDEhw==
+            5O5eGB1X8kPCY8zXiGWSzfo6X8O5659vWIvqjoY8nZxekgvsISS/WA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJb0MzQVZvY0ZCNlAwT2Qw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpT1oraHpJb0NUQndMZW9l
-            RnJOUXJISFg1Smt4VWdoYy9PT2hQNG1MNm5ZCmVhUFI5UGpQUkR4MTA4VktuVyt1
+            YWZrOVBqOG1KME5PYS9YVE4zd2VQb0hRN1dJCmVqSzhkbU5DVmc4MFVnSnVYTi9V
-            TXlVZ3haNjd4OHNYNE4rVzd2MkNGTkEKLS0tICtkZDRvODBZaGRCTmdlUkRESjMv
+            RUR2UDNEK3JGOEFUWVoraGtqQVFFWkUKLS0tIDVRdU8rV3diVXNUQSsrKzlBdmFN
-            bElZc21OSXJsZnZaSHF5ZTBDSlNXaHcKixDNfM98AqYagtidcYE3lgkFM9XTIrVg
+            Q0x5QXdaOXRMc211TUhqTndQOXR6ODAKtJYiAeVTYPOpS+GykBDOLx1g3VloFo2P
-            gbYoSOk5rL9Hi2rvP+BCEgsrRSuExGKVvdqODYltD+nNfTI1zcnTFg==
+            fDIkOCrINnAU4y07KPhGBxCV3/2cvOPhIgsd02XqxfZPCEU/cYdCgQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZncwdllnQjYyc284RXVm
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dTIzeCttSGNVNmhPejdW
-            VVVJTHI1Z25FWXBhY3o1SmgyVW01alRlcVVVCklDNDYvMktDU1U4L0RTMVgvaU0v
+            ZFkySng2T2ZYdkRrRGRXQVpER1NJMW5XN2xVCkc0VTdsbXdLUkg5d29zZ3VmY0hH
-            d0NlK3pqYzZ4NFRUd3V1WHZTTkVpK00KLS0tIHVQSmRDekcrK093QUJQVHNZcUg3
+            U1cybHNob3VkdzRWbGt1bFhNeW9XN0EKLS0tIDdoc2cyaEIybjBHOU5tdVRsTWFZ
-            WGVJQm5MdGhMbzd5RkNPU1VuNTZVeFkKQq/WyqLOOde86NNYnVq0Lw31YB2OcLY/
+            TmdZTGNDOFovMDVPakF0WTdHaUpHeFUKl0ub1OOylE2JGJNpeReebiOaVdxbd0wv
-            h/HtFN4GynmBOYcTuqIvBJ/TksXs30kWFKW2XSY0jP0JSY7Yo0BxhA==
+            nvJD7tYYXI666Pi31OHttWhsHR+xkL8TU9Dd6uDs4QxIRQfwy/VxcA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
+        - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZU0zK3V6M2IyMkFOdm5U
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUldWbldqTTEwMGF5RVFV
-            UG1oVi9IMzM0SllUQUMwMlh4NkF2V2pCcWtvCk1kR0QxVWRPM1pyWmdVOE1UdWxs
+            ZkZ0Y24ycU1hVDlaTnpGQW1SeFlzaXc2a1FrCmtrUkxLcjNsVHNXemd1cWJJdXI5
-            NldjZXBOZU1uK1JELzF1blhTQy83Zm8KLS0tIFFVRjVScVVGa09sbEdBdjNXNTZR
+            bDFxUThzSFptNWtXMlNqM09aeklUMTgKLS0tIHR5KzE3dStMTXlhUWhtUWUwSkY0
-            d0YvYk8vNitDbzNCQ1VqS20xUWx6ZDgK+kIRATTtC0Vd7/uPf8E4pIans79Ksh6J
+            ZldyVmtRVGppQ0d0SnN5Tld4cEtmQ28K1Yij+7OxQUpEsPt/GTnP+dhEErBH1HuL
-            Y77+owFFw1AvQ3KvaI7QVfKW61MzxI+S1bWqI3ZNOJ19Qv4ZoVhnVg==
+            pBFXqHLAwpqiEiiNhYnb0KVWeQnIqDo9WUnrbPavcWSrSkmCsszgxQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-10-10T05:09:54Z"
    mac: ENC[AES256_GCM,data:N/BwfrwWcnot36Kn6RFZjjpUIluzq5Upy5iVVV4XSs+/0PYdlZGytjoAB+E3gXyPsLZ93UqI0A9/5KbfXBuR2oY2F7iKsu5puzgyYWa0Gl2z9YcPnyDnk1dj7Ne77xJlqR9YquGzFKF8QdqFXFA9cdE3b/1usTFhP26oxofMXs0=,iv:Iz/LzS8yeKQgDiGchYdKNymBeekhopJtBWaQGOwRZlE=,tag:hMRwxJlKR21W7otW01GmGw==,type:str]
--- a/secrets/homepage.yaml
+++ b/secrets/homepage.yaml
@@ -4,38 +4,38 @@ sops:
        - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdnhZNkx1S1IyWmwvdkVh
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDa3NpNG5tenhqWVQ5RFAv
-            VGxNM1lUczd4Z0JKaHVlM3N6RWRWS1dBN0IwCmcvcHJnQ2h4WVV0S01OelA3eldE
+            bjhhRWJWK0NFQVk0cGVpcVJGS3BFeWlSQWc0Ci9IT05mQTVWbmk3SFFpWE9KUnh6
-            Q0lNR0w2Z0owWnNjR3hXWGF6UzhyOTgKLS0tIFMvbW1rd1A1VDRJWW9TemJzQUl5
+            bHhCSktlbzVUQm1lOHp3cVpiSHU3MDgKLS0tIGg1UU4vVVo0SXRwMjJsVUZEZkFC
-            d2hISHVLUnpBVlAydEd1eHo4WGxLSG8K4uAVlEvgrohFbpvLexcfom5HRXMwTYrv
+            TC9Eb2JaVUFDSWRMYm5jR1BBa2lEamMK4V77WUVbMXcsw83FFdL2Rk30oR4cAkqQ
-            ftuFhDAyNHlTNABiPH/dmjy/A86Veb1LKXF0Y1r/RPWRHaxyw5f23g==
+            kc8Z0+5kNJFUFilFb54dnWTOh27K7KZvU1qIdhG3X9fuMIHSuPnyTw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQkFPN3owRjRuZjJ5M3JX
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRVdYVTY3QzR2MFJPVW9j
-            U3FaMk5XL2xoUmo3eFFGRXc3Q0Nwd2gyV1FjCjFjL2pUaWJyVXZIUHI2OWhPYnlt
+            SUtmTldMRCs0dTlJcGFoMDVnaWMyNlF4OHlnCjg0OFFrOERKRFZVMm9NREhBOGRs
-            ODdFVjVvMDhGSnRGejNTWFRUdXdleHMKLS0tIHpCZlc0TTVxYk1UUUk2NkVpcm1M
+            dTEwc0NZUk9hOEtvNVJDRXl0TDhCaTQKLS0tIE5OWm5CNzc5SW9IdGFud1N6Vm1D
-            NjFnY2JqNkh0NFJkcU40NEFsNjRuTW8KMRIBZVBnxe+Drs5VqGzBLI6AsVJj2Vka
+            djhzM29HK0FIdXIvaGIrRXlOMisxaTgKVCAiniAmfqJuwwiUpcGAvoyqnUEZ9gOS
-            bmPFMl5ZJ97HxpdqQ1xkUqjoebp9KT5osOSglSK3CTkMRTEtyWQ11A==
+            SyhXMzv2cbomuOb0NiALRkd2up/uX0TVuz9wuBQvYYjJhqpFuSnbRg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQkxwV2lQRzNPRUtvclVE
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UlM2MC90SEM5elBtNmpm
-            Tkl5MVQyUUtxUVJpbnZmVTVNRThBd1JYZUVjCk9GSklFWUJBU2owVDVxTjdncEtI
+            cnpTQVF0VEpLUDJPZkEyeGNuYnl0cEY4M0U0CjhOY25BcERjOThkbkVhNnJtaVpv
-            WXp3bkRtS2NEazd1KzZTZmlMZ3Q5U1kKLS0tIFhGby9NV0tidU9MdWRnY0JNNTZ2
+            N00zOUZPWnNYaEtYMzlXZk56dGVPeGsKLS0tIDVDcGY5cG1ETHk4eXRFN1hVOXhV
-            enphU0dnNE84Qkc2V2hxZWRqOUg5QmcKk3qdK28b9072s7bPj+TgqeYVS2lnR8uf
+            Y2xncFJuNUs5ZkhLSjJyc2pzdDZxbEkKn/8BtUXPQ0OdR35ZwiHWFB0AqaDtAlG7
-            R9BUS6c72aJjxPm11JqNW8UPu0ODhZrVMyyv+p+KY1J2iaCNGNdvXw==
+            N4Z7iztqiscuxn8G8VVVFdkQLBY3JcrXhxPYWK4xtJeEtpIMhegxeQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
+        - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTEZFalVYbUdNb2YvOW95
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1VYanVSZTd5elNlZ2NC
-            M1doTEp1ZHRjUFJSNm14V1VWNE5hTWRpemdZCk1GMTdrck04N2Zydm5aYmQvTzdH
+            bnd0V0VZVmtrVDhBbW5KUHJDMUkrekVZeldRCjBNY3g1SkVKUzhRL2xsbjloUERi
-            TEhrK2dES1lWVGJaOU5CUUY3a0ZtSTAKLS0tIHJXdzRGY1laZnJ2em02ejB4RUpQ
+            UXM4T1A0a1V2eEFlQWlTQ2tDdFdaZ1kKLS0tIFFtNDZzbzYyaE5UT3R4eDJzNnU1
-            N3BtMkE1Y3d6Tk50ald2clJ5VVZaVG8K6BDcM8UAtBf0eBYosTvrRmi0Fcw05q4a
+            RG9UbWM4YTVHcFpKblQwemNScDVteVEKA6fibq6Ozwrz/tg9Hrx4bH9LCadmW5fR
-            FOltP/mH09OQBHYJ466s8eaPj0TwqMl3524Byr4vTPYTy0keRN9EWQ==
+            IkFalgD7nqew8KwS0keyKFk93i2p6sTDZPy2/t+WryMXBIc/y0iQ5Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-02-01T22:31:04Z"
    mac: ENC[AES256_GCM,data:gtTuLmgVd5t1Eic+ld6x3pmAlv2+SVf4OgUICu78DJ9L1YCtmJ+LsqIoHFueMdQAmubPA8c4xYsHWCDu2dbrUDUs/79BF2u4P9lbNkJx5cco8bnPdy2tmkhcLwb0HwRduVIbgcm0wzYKUMd76Y0ChxdCddkrkk+PjXkUE7OBNg8=,iv:Eqhoc6GjB1NOnIIeRIdVoQNQm51DguH3vEX4zRUgeBE=,tag:V25oIemZpdJDMRFcZkH4bA==,type:str]
--- a/secrets/keys.yaml
+++ b/secrets/keys.yaml
@@ -9,6 +9,7 @@ public_keys:
    phone: ENC[AES256_GCM,data:PvSqRnz2qGQU5kdZZpeqb3Eg2psLYrMoV/168CKMWpc1h5TZi7TeWkCQa6ktPR556NT4Ny2m6rBzADtYZkjFIKtDLXdhTYCeL2eFWB3VbSGFHsHgvxXHbae+zg==,iv:XGO9d0QZXbP7vuNDY4/Z/YhRCPKwj3RoQBx5daQO/xI=,tag:zayb0RYQj6UOi6FKJbhhRg==,type:str]
    emacs: ENC[AES256_GCM,data:JBdqrtYy/1oVzea3WfvAX077R/8KECe+nziqHM7sZSMSq8nVxMeTIqXuowYsp15Dr9I1hezgedC+IfvkKyu9pCfS3Smzs91o+HEPB5T+nx5Kgn4pwNzw/4ahiA==,iv:OQfL/6UmhWcX2nbyWHZnN1+a5EP0AYAqTIdxn5KLvRE=,tag:JDL3IVYy2jAsDWOObTBFLw==,type:str]
    lidarr-mb-gap: ENC[AES256_GCM,data:KuaF98xCy4fK+mrWZQXPpZ0BMyZ/zblJzkZRFVlSF+G948Rql8+NmhlxpBxJ3A/SvFNIvfjzE+UZUnex4gbgxrtvP/ylWuScjYaKdAa0iWfCOxmIAK4gOR6svBMZxIJ1UA==,iv:4Op/XfSbpNxlaGWUMMYR1pa2GkGK77iF2jUmF07CYck=,tag:hS0d6kJxCrOfvGJ4A3BiHg==,type:str]
    vps: ENC[AES256_GCM,data:irYKlykCixl0kTvE34+OHhzH4FUor079Mjjn8cdfqnEYUT9jT/5Y6P+q5PKNu61ggaddcPkRjjFwmVaFz0LaVJoJa7D5S/UG4wFnw8D7nfcUPNV32vmuLomgFEhgvNYbf9AdURM81Y6pSwhWl5OM,iv:b9C0SLW4S7IUXfJFLxLHmyws8tAs3LJ+Yy0mvOBA7d0=,tag:BnafiWiTJz3CnFrdPtH6kQ==,type:str]
 private_keys:
    age: ENC[AES256_GCM,data:YZtCasGFuxj4mVnhDtNzXgrzvdjwvHVtaBj2gDJf3dzA7dCe+n7MC5mYowHnS+oZpGFt9P0ImKw30yAYRGZgvxJqL32ACbob4oqcnwmJgswx2ZCwboz/I1PKkAb5uo1Bhc3tyhEshiA9wk99CoI7ug+TGOC5eyFw8RM145uJdxaYJjFmYdSorbjYd5JpijYi3u7p5buIVtr8VRt3tuWNUzarW18d+ZjxtCAF68W9jqICtuODdFakt3pZ9/2byKR5KG1sBKdc38DvJFkRq3wlDE0U2PwPyc/RDdlLAnYGYlZD/GsC1YSWEW/ygxO5lpkoJlxF+/02Qs+lyZVEJd7buYCMU3xkR3kGOQB2dZXa7T6F+Jrr6Ek7svTOQRaId68KhQW33piNUXN8d6YnqIRj537exrcmVCNrRwJmlJ1M8pcYN4IGj6OFICw/lwiTcN51OL4UZOOQZZ60jbgdwWj5gM9OFmxLm0PkIRt6KMQVx58jIzmXqh8SF0+mkymbQdVaoDD5JJ+ltTQgIEBaPe7sGVEK4lGH6qbgtm4F,iv:coRTCK6BSI8QFtfjTg8IAdwumSt6fuQryTxF5g+GF9k=,tag:K06p6t3Gso30DTY/Nk5EDA==,type:str]
    workstation: ENC[AES256_GCM,data:QrM6MwsStFeOH9bFaAuNPtxVWB7rlXXV0PD2Em5Nswf7PIPuzYagQaqBF5nV/AteeJjwsz6KLuBceMZ3O/WlccxvyfY6i00DuRvzJBi+5gZl2rfM4OR5sHC93bzcGmyU1dQUA0nEeGFYUfd4+ZM4BFRgD5OyhpjrqaNYw5kES6WZMCYiR8NAPE2Ca8MqCX3KVQp1AAzgFq/nN0cvuWIflYVIngR4PzAqDGXjgWaPT58rmcWk/3KS2nOKRX5tQ/CgJl4FLdrjuR4VLvoupeUqv1yNeSPSljX+gEK8Sn9vONFd5k0bifLzQd+zCLWyEdJgNvSPf7bnXcuqU8RLSmjckMRAP8YVBlyqsNY++JidXuXukV23aB63dUp44yhIYEkt49/ISJb2qerj3U/Sy97VTw/1WNwY1evzHPlobrUjt3ilxWoxAdzjrqJXWultYYBEk0crmKRRvnABMzaHrZaqaSrHsSfvE4E27m+L9HNwMyq7KywlwrB0KAog52iCi17Gbnrva9aEGrn8Mne2VCvwcrKSEciV1soKpQgy,iv:2+xsS/4+vfQ0UBsHgLVCeV6GOU8giclqNpPXoi43shE=,tag:YVSiY79mHJ2LE9Ab05VE1g==,type:str]
@@ -16,16 +17,19 @@ private_keys:
    miniserver: ENC[AES256_GCM,data:OdKoGmxZYBp/XTQIviGXcRrz8sY/Ea1KwqtwmYnDmejGZFQuotyr9IHDBy7nyC38Rq18jtRGK0DvQTs+0z/jaBrtAbnk3/aodRpy0q/82XOpUDJ+oRPIbuC1KEyN+vzzTe3jd5Auwg7dy/W7gKgAoR7vhkNeAY4TPbE2ybqsbPDIhDWmCMK43DIxKcWO8LrtYJ9/h+XR1XthGjICRXygOeMA80Ip4BWGMvXnfGcayKTIlotIWNasYGZNn5E/bfb6uH58zPvCAWavleRm113zOeMjlgbtAyl4IyM1StGvZtJq0ud9Txza4AkWmTvYLcAB0xaiph/Vm01GBlaGSWZmOqo8ybGEEQgh6JBlYzHwJ0swqg3uCW59jxeQcGOnaW0YrYPix8twd/2GQafxx2denWFgvoNk5itIdOr07BF+JYKd5FU/Kajo9P5mpV2uFR8sok8/Q68thYvfOEK4wOysWM46lHS/H/P1qeJvCbO6w0hGt+VN/1lbqm+pcVTDMVsfWOkA1Rmm0aWozoYOAPRXH/PjG1NTiqJnecsyw+vZLlnvaDNHKHWhxnWVJw51hSH2fTg7nVz+WqwC24eOmGpOG7UUCdQ4V8L3wb8qDPTmLmo=,iv:FxxpTqtde+v9c/+xDfWimYlgkhJSI5GFIOAwoSrjNsg=,tag:LcLxjKaQ/5JT3hJnBgzmqQ==,type:str]
    emacs: ENC[AES256_GCM,data:jBLy+gemP+4b15WGaYBMV3fdlPJpZeZfgPSWbj6nnsN0J4b7RIOZQXl2NoDsNS6yi7aO2J6LoQ6WSJX7si05OlCXJESCu3ghmNAdOQq3lWs2taQMISBV3g0S1OlLXFdDCohBC62y55nMp0/yenL7WzfhmtTmBoFxkp1VcSjI5B+MlcEW/0BzVb7YESCXB5GVSlThecGQ9BEEMBxfhKsSwmLQXIrxdtl6nmyZh8lTselwDwRZ5E8LFXLVwccujAI1zYM5H4qYjBnaizs7f4h7fHh2qs1DeZwFaELFtjgU207IDUQ2CKfVBKDL3XES5gjUnHix4l8lj62ZCWniexGQtVUFAxRerRGS5AQRGDtovC6xPZaylF3JoXEeKgMusPygIz9nzyeB1mXq7FqT+Tv9OG0biCqVEphcQ0GEc2RVPq2ftID0iWyoony9T061nWSkY7QCGlPTmp0PVGLbLpTcd3ulVbuoXKsTLrUXJrAA+5xQe62bS22P2FdKlMP93SvRkM5JoSBI/KBEzmWssuLdxyDopNGpoHgL5thc,iv:qDLbsIvW3pBPXTvPGRDzqeXEoWhhcwgNtHBVe9/NeLA=,tag:GejDD6cBIGYhHY+ixLbVWQ==,type:str]
    lidarr-mb-gap: ENC[AES256_GCM,data:53XIXJGZA8ss3dZ4EkNibl6SCo0NRGedRz0Vm6icxSXpDGz9+m8lC0gXlB2bw1/x+pv8pp97r6CTt4vmpfHipCoyUpAPo22EzYHuqr1DxKO9lX5IJ/etzS6igoGklyTZ5P2bKQ9PxdusrT7hLiif0zZEVwakorTHckuryuUr7B/2687RGsrsOFU+4Fo7wfw+JT5nkjzQh4i1nMToL+7JF/2ZCFzPQUHbP5QEcMceogv0fl4CyVaKB2ZRwy1LuUA1vlQnMQnP5UJHQh1/iFCHDG8uzj3G5oL+U2nco9aJYiucGKRsIWe0DIlK+EZscMMXUby3vU1VqYd60FTj9T6e3aI3KX15V6QHaflLmFX1G7IewTJPE6nQZFyZ6HwDavsPBpdY94X2sp8bGCIO0UYM8QfS9Z5x+VRs9+sUq9gHzEL5/++viMaa/0DKgo4zsJOmDVj3n7W4GdtWWN2ZAkEHsz0AUcdkSqbCZN5c5LyAom1BiUIoVEkfPL4VPryA4g1NHQsoH6lVUHV7o65E27GfkB27up+w2dig/YyG,iv:fzUD4VHr/g5l/GzP/7ote2tNtjvZlmgrwbAGMoaGpjg=,tag:ZxVQWTHZkQuUP9UAdR9Mzw==,type:str]
    vps: ENC[AES256_GCM,data:TwWwU1h1ALYjCv2UpXDW8Lq2CI+GUWUEWlaUPBT8llvhRcH57MzdqqjfYxqTmERKywsiekngUEeWER6EsO/t9P9+lMPZCBwvZG+lDdY3ion2MfJOLFcWJnIe1lvHvAWf4Fju7LgEEvEyG5Tn8/hLsJwbH/y37AkfLoSWiKVRrKRcWpSb1/2Aycu3Yn5YeFXeELeaG9ZUeGP+fqUfDSvOfFphEEG1cGWqAXRh41azB+/t8yN7J1HSjjx86jzTCRxlr0b4YA3wu4YgZowSy5fETSxCnAk/gHcTgl6XHDsseFT95CJyOeLBLAz88TfTu7hqXswSdA6InSIPh9uLVuA5yiCYBemUXw/bMR8nESi/OCgzM4jF9ZvkYHngAJWPFJqwnGEGUen0qwmp6wdI+cVsqALsrG79rivtGHZbkJUMzh9ta2yA9LkOurqXi8ciSQqGVWqf01H/lhjPyfqzgASMMD85NdiYVc2dEk04YXzt0oOcgpex/VEhWx2DJfIR7mtAyaIQUei8gS6y6htg0b6jHYJtfYAG8WqE3wZ1XaTzUUavVewziAz2OFj9xbn4FFRjxKm0ONMWbVQ/AhWptY2N45CFFk3HaUMZdxGrOVEuEC7c/G8YAWswjBzcQG733SyVLi76Cg==,iv:gEbyoSt8l6vexUcovwGGt2J3YntkMEeSMf2nYsx5Fpk=,tag:N9woepMdByGZR4JD+2Ep7Q==,type:str]
 git_public_keys:
    workstation: ENC[AES256_GCM,data:VqyW8OFJ4450Okf/CVa8peYPVLjkfW8M+ykpiteTpXhlgXLPRfHdW2QrGXTMOIfRYDZD33Fx3JqGJZ17Sn7/wToLO+uY8i8JPYyYXWrQMqI0Xf/NR9JvMCycVoAT/oWG9w==,iv:VM5cBPHe3CPpiOozy+hsQcwGokQIVB97oFbVr5o6+Vo=,tag:0w4r5zrdNdpVDNcvbJ8bdA==,type:str]
    server: ENC[AES256_GCM,data:WMnUqMgIQ0j4F7G/LppKsN1C+Uoq12DRcYWIEQecTzq9v9+xxe8mAusGenV7SWqz50wrkkjGThmSiXzrdao7Ri4v/BKBX6d+Cql0Us0OOKNplSy1GQ98ML+LfHU=,iv:F/SPXw/BC5JE2u1m9x26qYWrSu/b10QzNPelQN6NBvc=,tag:0YU6dba8y349UvrpeqpbOA==,type:str]
    miniserver: ENC[AES256_GCM,data:M5p2My3d4rOZMj1j4CFMUdHoM2f3BK9y0ikg3NwMs36A2PUzbN39dWzvfhdqoq6stypHbEzmaI4VtUZySPFWaGclBKPea5ujZTxkkZOdt9V6/lvDMdl9O5MUrPBmXYyc,iv:PyVj4OT6ZEqyQDH/K0OtOflGoomUarF25hx95loOgJU=,tag:xZs6wd34LqqqWvRMfUgJbg==,type:str]
    emacs: ENC[AES256_GCM,data:jnCEEpEB5tZAs7Y5LT3zQeFZYRqsBcQY5ZASU6p23jRzr9F4wv9ksqezTdZEYGnY7cv8w9gC7Lc0819OTHJyWP0+A45SRZPb16Ii88Omu/Erp0f69wXQCk2rvm2QnZXzGg==,iv:zlglY4hcSdw24O+aM/0BR1/1MRXNYwTcSVZJEItQgMg=,tag:PWrT0LCzs7GBcj+CFFqfNQ==,type:str]
    vps: ENC[AES256_GCM,data:ljr2eG76JFVBGTSQZ67ViEJRd+q4ocCY9BIOF+Xs4PiqRF9XtmNxIkQZGXYBWcPIRgKouf259frGPAIqyRHS2pJglAYOAbOWxLb1CgfGxWl6jhZXSBINBu8=,iv:XAixV3SwBIGhhaN/AdTjnT2TB/pD6+oxY+nhd+NDM0M=,tag:FfXBde5TURpWpsEaPMev5g==,type:str]
 git_private_keys:
    workstation: ENC[AES256_GCM,data:LZQq96EGcEQsu1hIq0GiPKyfbBXULCXI3umT2NgNJc8YAgYjmfedNZm985GQG+YJeGKYdwlsWnQ59BNc97jQalXGIjvPCI5RAc1bd28VqlUTXZ2ipaHz0nxprgctqMUUSyst18qhumcAdiWT7euInaZiqBhp4xBvIBjK0nMutKfHER/pNV8SYwYPeiKPxB43f6jhKVEYVjItWDsM/C4JvTmwsOvvLUoNMnXtyIKaGDsRhhGSwWcOEj13LWOML6zwB5IUgavvRjKBvnlWy83vH/hFxp1IZNXU4eiePyTAj3Ydne9bmGN1EpF3FyTWZAiWC2uGiML6ZEZUoK94B8mvc8oNwcQPGMzBf0oEBrslWMFOzwItmbNUh5qiVXGUD9a4GiBQzuhPrYX3O0OgFTjveftNcaml4s/qc9MQsiUnYJEIsBVu1959HUS1kEu49LwQzzAIVZQn1dirVaNlq/nbvCv2TYQmgz6v6c/yI7FUDcasjx6hHBUnayGP/xkb0hge6hqGD/T8cZQ8ORKQyj/+R5DvyiHqEtUDNitq,iv:zZOowKGPi7l45djp4IqGdTSf/XDOJACcwpsFGHc8hzQ=,tag:8UQAwcGf3qpDpNoQCVV61A==,type:str]
    server: ENC[AES256_GCM,data:88xWCYNz+gaCUw6EV/i1PTCaPUTU+6qGme5O3r2zz+ebCfR/QXIG80W7rehZgQ0I7YfD9eFydOgq8+I21L8LjF+AalREWOUZVxjERtVyjVpABcNspogBUgJCD/7s7A8DwDk92V4fiUQF8C2Sp2adfs8V7ef4IhfLC2xhFOQA3z5YZl7y2CNhYPhl0k+tpUW6yYTSTvccJLlpqzzZCPdBSnkI5pJJ2ftpoh+PG0GIzBeta+Pq3I4YMpprzxogaVwlLGn8AtTWkwwWvJpzeELfE7WLgJ9f/X9N5o4zojjvVelxHDMQayo9oeqpIUrCE+RStdLNrYrvLmq2dGTDc7DgLBon0h3led5hqBOBoY11XqaKiGKL9xwZjWM0cDhzOBgFOY9GC3el68Zri+alSIVNccybmXoM78ZFc0rbo2zYKX3r8wO1umTi1/KvGr6q35GY7AXCkLh/qVpvDc8/4NUdiVnNwPxukZMiNTWHPaaUd71zA+sphaykhzs7ex5UMQPsiF6/unUtP3bIZ4taf0mO,iv:1nx2USITQFqiYcva2f1WOjxwK7iYVsWRpAmgU87Iqqw=,tag:GbnajMHjuZNkGjYZapaOTw==,type:str]
    miniserver: ENC[AES256_GCM,data:uhnZ/QmMMT+EmtaRgWDvZEvkf8TewV99zYR639e8K16xII3FM6FfrTF4rr1XwnXrh4xmT6Cr0kgHcPFEel8tUEMWqqlaqD2Vzn7VT/NyveEzCbyZ9GdAP2iMAb/xVdg4TjKxUXKZ8l9k7cDNVKKVkNcEfFQF9eTr84YAs0ZLyX5n+NiYlOcVKq0s3EDEOD5+/x7MdnUtdxOrGG3Ob9fRMfQfTVFwVQ/eMeAQXMAzU9MEcE2xFLaoK2POfu233gMf8E4X9ctt18q7S8DB97K1uhJhEsKiAriNJEyxXsQ+LO4mg1lsKDWr85qa2WoXWnq16kHdVdi1Fw/C3dkHW8NZQ7Eem8nBb9yoNNeYP1/GKFUAv9NA2uZQRGYNdiIA63Vp6Yts3rbJ5reUGrrm+NUMwIy5rC4EoCAYL9tIbYvSlk9QNEpELZniW8wf00uCkdpREMJobgQeTBZII5R4oXNqq28AWEGbEfL8nOspiKdoG6LUKMa5mJTBpmuTBo1EvrYnptf1egjQSvy7aH2WDcQOvuxxUzFmx8bLZ+wq,iv:l7raR36S6EHsuw620ch0q8HuWiyJzJaByyWZUrCLXx8=,tag:xDdJ+LVV3KVIaEjWX1YnjQ==,type:str]
    emacs: ENC[AES256_GCM,data:FgJUD7p9MxQVvsz+To0Dx2kJ1WZqyNsX/zqOLAtw7pGCAZRh/FiltTOq6t4/2qJsMuVevaNkri4hUMDMhRReZ1BrPuJZHphdSb9U9JLAywTpDWrfyHdvCwNehWiccoANMz+Hjr3xBh1z7fd9apojMVnF3pAbZj/v3EaPsJzzzyY9I32yHDERXn4yUfuwHWfV/TeodFTV2MMz9Bs2mC5UH9mJhktv6xIn9NhITKWKkKzK4/JNICF9GQfjuDteBfIHmXPNeVfsD4nTle74zBsC2eXfC2Ax1wvvpQzNfrh+B121dWgZzBh0XDOtV7ejjxsN/48HMQCJC2A4XQJXK2IJeEeCz1lZK2dyqT0SMmOaxBHSjamzj9fyo2L0r1iz1vopA7zMRwFTq32x47D7TXWwN1yTSrWhXyT/6/YHqNFWDfuvTHYHF0h51W8zl/KKIjKlJEV2rKIoMjnWzfhPmuB4GRFc967ViKV0LjngpX5ummKIM8MnGY6u4VP4MDRJ/JKh1H3XzWlFBERa4xeNjArmd5cka9eL2tZIzwmh,iv:K7z+vxjyj6IOI/mv31Ngj6iufAHY0EoQPwv9jJyWaC4=,tag:jWSFvIFBGOZfDuqYIhMgFw==,type:str]
    vps: ENC[AES256_GCM,data:JByRbAuQqu4Ciw1kCMDgUrqwUIGWM1QbAlDAJZAUfx57I74FcSEuQSz7iAGYFZi1DWy5hdzi4CjJU6X9GWBkgUq757OqiF0p7pZxJOQdc4EviO9mXLSLI1oVTnt9vcOfKqUVIrEFlz8n9AQSd878bNoisJtCp0qztdowzLPPPswpAvb8hBvxcSfGwGYpsXUngpdaBbs30UuXVtGF0YxPnO9rYqGwYh5kn00T7Ut1Q1h8NGCLhlwHVsxZZMcNxdlL7PjJlAVTH4Gfxphgc4jLdPz+UlPiyxCnG78BTDiWH30eskwm7RUagb6RNAMFMrZekusnu0tInaAe0OYPluYoIe4g9cD4zhhfio5y/8l0b8r3fBf2CeFEkXtXXs8fxCXB5s2BKnW4VXBYBmnT1dZMXuMHBCgEHip3uAr754lUDFu7lKjfmhnST4BRKNt1EXDAQ8jOOA2WGlWi1hqkfxzqyhS5lEv45y9c88sXtc9LbUXg0a97VZiIA+173TtrJ6O9/fghmNycD+7L7tLE+SCx0jUmGFWcy6TtwCjC,iv:PhWCv+qGXljm3I1u5FMKNheaZmIfcUb1OZ2bmgHpyXI=,tag:FyH/bZ68QPL/iZQzLbpv6w==,type:str]
 certificates:
    qbit_cert: ENC[AES256_GCM,data:RQNgCoh/kC/Bi+pamonNaAhniBLD7d5Ilc7YDe02jLnGYWgvtgQCcWflSbnxuLNgIDX1tBEmR7J8hjRyetNF6mQj7z8SmvfG+Mn53qRhiqa+RoSrhL18xtHKjWkNbgwXJtrSFa4g2dMLsqkrp8mK3Xzap2Ge+bCfi8iE17NOd7U/8NwH3ApdjFFz3nmic/gsMZwJE2CvefF4OXLiLl4COeuf+yj6k7C8/e4rP3C418lF3C2HZWwOoTU57LRmfiG3GaTg5mD3Ir1OFC28G4R2MDXh/anSuJEnGQdTgXxQMUa9R8Ec2eCANEwtK7UFvnuLtUEErlJDMuW5h7E3pMXP0iWsqwP5IJrkSDxMwm6TQHlmSx62WhP0wZVGXiIeOdIQgWTgkBPk/3EpkGML9/WH+FAtZ1mhi6YLaRPlSLcKnLd2/YM2JEgq/A52No09BHw15PEMWPrEld2HLdG03MroCazci3shqeVMLk/G/CrXQ7EKUlmvfrR7/6T8/VolyCzezAtmk8LjtWQw3bes/xg+ON+MjHEGAj7H0EkDsZcgbEJZVYEyUI1y75x4TVP+LQpOd7QynlUoj0qkw7QvvMj4j94qAMbAFkTrqk0LwYytcha5A0nwfurMFkTfPGkaAF9TktVtpMCQ/ghCfhWSKAbpuFR0Gpl9Atofs6RfOWXJ4oh0vh3mQNJc4oOQxN+2vlLPjRxVUULNhCTUpffZTaBvbU/gTAKK2XOI54od09YzNwV4oBMS0opg2fi3JA1LFzDDSyCeoA91mq2iWR1NtSwB/T5zRlsnt8dujcNfGPIoyNkjzxaK9hzDdm0Sh80ZGGt6pcibyOCCCuKNt60kgbDGXP58+//Kj0bKp5PTjZz4q1fUVssMQP8cnPte4CZCTgRCrpAlYiPxz58iGo3D0MZrTIcrj/SGaV61m+7W52OXnMPDXHZ2kJ27kdCVK/hDVeBTWqSHg3qYG8AdFG1QSkDS0HkmJ+bQJtXksh36asbDfVBo4I372mI7oYC7o+U/xUDTo3wf3TsP6fzq3jTymripJfcXdNn+3Y7ZfYJTX24eh9oCMTTnlc/HdX3IiYGugcTBpQwSIu0Vx7L1Jz6GpB6hCRzTdvutnH6u+nWOgp5r5s7E3/PTTFFKwY+wxhAauSlhWYoBQcnjnkoW0saLldTpF2rAozCPQuHai/zYvWI0YHmetUJNmYOjxMHcmy/DNohN51ecg6782p4wk5E01LT2+22thAxfAe8jA7Gt87Jxx6fVNb7/r+cPhpciWfOlpbkmLjmLX909HXSekLJa1cq4VIgjJhbGbSty9ooetY4kZSoBosSizxQx5VeNZkjPOvJ/K6QOlDfJAmC5QzJVcgOF7XHSSeeaMdcPWK/TyEGCFBkutsIrYMHefyqH+/InqOco3wUdpvGEWWB8j3DfV89HgKT+Nt95rF+tpOsvt2v2QkzPzULTJ/ZRxJ6i86qJBJZrriKx8t+ns99lmao+aoBa25he6xBAyGVuBwK3eS5fJznGBF2lDg83FOac0KxrcJgOiYNyDwucFMfeY4i1p5X+zALBfVk16XICRRiYjub2+3V2kTQOLaNdPqkQ0DZPaPwwhg2v0WGdOIuAf2iB4bm1T00f1sMPKZ6MtuoXjnYP3E4gTRP9vZAyfB35xOlXmd42fw==,iv:5xKwtvNM1MOwk24m9yl7kEQaTAmFZqHWcE6TkKhmsJI=,tag:ikVouFR7x9cMFoSy/A9c4A==,type:str]
    qbit_key: ENC[AES256_GCM,data:OE+GagWBxtqvnS0kVrbswpBDYWBNLOqEOFxWIIjwvU0WNjBuQNm2kh65WqaYu60rztyu0SFzhRBIARD17EGN0bYQFxIW48Y4sglKbv1WRuimU7YIO2dv0lqjkSlAkgdVWh8TB2AyZkoB/I9tea7nVwoyIUZkM+C8oRG92Wtad/T+oKplpOoe3GtFDc7/XeTacWP142iEGlkMXEIBIHlrZ8V5kDnMxugxkc6zv82dXyXEMLEO7yjcJK51ZmbBnb+HlWcDJkSW62HOuzurKt9qWbqCsfmhjjZXXJ0G7BVVTRosg38ld2dX+SkxkYCWi4xPbO4NGf6M7K8oY+mNMCzbrduyzz95YuverozqLR/f7wrozSN42mtB3XTQgA2Kg3LVhxu486Ox5aHjp9+acpC0YJCEZCwYQw9IK1As3bjUxRhhxSa8Jt+JKXtfUjYtpfC8dOblX69pwdVaQACJospRcqISq8h2+KbwwJPZadUddgQJ4BhIfZWQAFdZzJrD8PmqXjrKqdclBHxYjNYOin/xuHvxLuU06fOby/kKsQP2vs0Eep0uIFd2BVALGwPakEt8+2PpujPXGAPJD3owc3XPObjkTjI9SAP1tYQbQE9wpcMJLtRPOUWTNfbJzmSK1Uh3j+Z3dl+dI967PD9KkdkApiVeu8JKCiFudGksR8n2mzT0i6NVmiy9zTG0jBvI1RUPPp5VXJofWgyVDDobvEn+yn1gLv+cBlrm5RhwZXdtNKuNktNZ8aSYRUi5JXO1JPiPT8oBAqlBJR5GOp85IWVwzA8UQdttaVnTKTrmHULnajZPsrOwZLfTT6ogj4msQbMO+HKq88h4gdXjLmU3wPtgyao2CGRej1cUsnnh3gZvLwcj9p/Gl/OSozoCj0SD66jOYtG7I/oq0nyslcNAaH+HeGU54eCtj5RwM54B0o0JDjVtjo4JP3CRL/YwiJBFpmDdSVDFuQXB8qtYRw7afKE8uS5s6Xm7gJvarrG+LspBQ6zCzN8TqDaJtZ0tx4thevBJL7iEbDhyzcqrwCf7YShSPSvXtV+VtDwrth5SjRj9jh7i+sHJQGGDlC0gUruYosXKO13CDVD2MTYxKxTTo5+E3MMPtcSlr6qoeaEedzrC2c9la0L14xiQw7tOEv8lcY7XqFEjv6e+ATE30+96rbuJkQVUj0U0seeG42LDMHQaanan/asg30QgfPNns25fkTLxXE6Ps2KA7QBfwz0IqVfRGuxySYyqFdOptwxCFkmdT7uxRK86NNWbmAFLku6795GKVIxbFXwSNoK12uUcd8nXqAsnVQf+M1tC5hIqOCywMPHKMbHu1NsiST055L4xbcWv4bDkfkmKOxpsS9z1zfLQ/DpRQeAidc8XTWcvcfnHcFAMJTHxseLHgtnnopf/RRAp3nhygzmaHuWCE1YPK23/gWRh+Cj8ke8TnE7lzfKIE5GOu12ojLe0unzHNOnGvsv1vF5JJbSxT4119LX7SmfTXvOGqzywxoK7ejLuP1DfZR7GejJ2P5IC54FHR0xwrP9W9Y4TfxriA13l0LMKgRsARmM1zXwTwkioFiy0hCNmX0+yERs/5aLg+pvNgFRAtZnFoRVU9lKU+lpQuQd57BSa4hX1jFZ++8kSRWoHi49cp5LBTKD5+Z0HddbPJdaVumkLPs0CXSxMGzSok2VkVfc9tcTIyv4g6biB+7lNmXCBh+RSdnbdXvFe6fYzAXhT8ZWaRmAJ/btkfN4CCRHPN7gFX6ShF56K93nTLBzn4PA50pNToHc4bmF8SYokHNvzdP9oGc1TjSn1UttcBSoWSIO6KunAbZwaL6CH1vk0YLiUOSQOQQg2er/nR8aNd358ym4AX3399+TWL6oy4RrAzha/KcS6JrvtHTI0wH4W2qBeogfcyhwkVuOU4vr63xvoygI+33tkY2j2DkR+h1i2DVvm6NXAt0gZiCQLIe5j8dsfwOZUzXG5glktAl/w0sBrQy6h6MUpZGHzAoCxPQVfZrR/10JN9joEGmbsSc1syqkIVNIh3DhyucVof3cQ6hy0kOZ4zl7q9IlnY0K85C2Pm/NKrAWx18pp8E2Fk6QnUcG+/0f/ls5wUfFsUDFGPFuaUN0WLeMZjWIN4Nzt1THGjdYVbpMymQ0d9YtM+y7iisb0HKguU5KMo7m0gJW/BGkSzfr62VkvFro3ZlZ+r4C2oDK2NO+PsD0yc0NeN45alcgTFeQDtEuNLErp+a7hBae86YhR6UWgmKpuwzqIvHjb32VVKMWcbCnfQIN3,iv:jTER/Q2JKTeMs33IF65J9/OufVMdMsTtBWNY+CwgigI=,tag:CTB5rasvOtpey21jXtxx3Q==,type:str]
@@ -47,40 +51,40 @@ sops:
        - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRcXFhSU03M0U4azM5VnJV
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRGVscDJsU0ErZ1VBRzVq
-            UExReVBmRnpNaUx3WDViU2hLalpnbE4wTVFjCkkzQzhlVjcrVndaUmVRNUhmSWZT
+            dE5aNUZvcmhVRHVjYUJFT09hdDd0UzhIS3hNCkRFRlphRXBTd3VFTE81RjJRaE5w
-            RlByQUxSSWtNeDJiTEJMR2JhWG1MM2sKLS0tIC9mUDVhNUtQei9VN3dJdmVBK0Y2
+            bzJSaCtsT0QwMkx2WDVyZ0FzeFphWk0KLS0tIGN5M0QyWmQ4Y3lCU0FXaU9vL0hv
-            NDM5SFhNbWp0WWdMYVc4NC9HdHhSR2cKGj8ur7g1F5OTv+XKg5pmFiSMgAcNL3b8
+            MEp1ekxTdWp2b2g4dFd3OVNkUlZBMGMKzNGSzYgQsNW6HEvzTWmo73GShAAv/g8+
-            PjhyPcZqxCB4J8utMf8yxmZkVqbyd3UjZRBUUXSgzg/i1nx0GTGcDA==
+            h3/6n/ObqlKsjDyVFgiOYop3LWfwPMzmOhx4S0wsOHit0UxdyoJwWA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1V0JUSk9FOUkrSzBmZFNY
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUGFaaHFtVWl1cG1XdlRT
-            M1JlZEMxSFVEV0d3NGttZFFrK0U3MWtlb1RBCjJQbmRGSVQ0M0p0NHdGK1ZHSlNo
+            TUh0MHZTa0JhdDFSTVJZOWJBd0F0SWI0N2tNCkdnaG5DcXdDT3dqRVJDcjlsZ3Fz
-            TkVHS3lnN3VOUUNjTVI2V1B6bzlDb1EKLS0tIFRtdko2cjkzMlZyV1hRcWFnWFlv
+            ZFFaeTB4UTBQRVYzcldndm1RSjhCTzQKLS0tIDJySFIvbGpBd0l4RzYwVUd1MWpF
-            TWVXMlpVUWJIZEhLOVVpblhwZjJDOGsKwgqjQZ1XzQNkFPItT+/gjBNnvxiYHbQ/
+            ZHhxdERrd3VNUGpTTlZUM25RYzJwSjAKG2DZUyomWm8Nxn6mPDKbBh1YsEUr642a
-            JP/cse3TR7VsC5dq0SGCFY8zPBPiZPvuU+f9Bq9wfJWDG79CintBnQ==
+            nGYxmuRVBVINbOB3gBPwgLeD+S2Vlm4vrC/u2761fTgm8KFLC+txpQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuaFFlM2M5ZHZIM3FNSEYv
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTnc0N3JWUGk3cWV0QXNK
-            bnlnbG01YWRPcFR1Z2tUNTdvSmdGZ0QrMjNZCkJPemFBYktBWldPWFdyVS9ZOVBv
+            L0ZWM0I0NVlVbTdsZmdRall2V3FUTllidlJnCjQwbFJ1TjVNQjl3NURQenBDZVhy
-            ZU5zRWpqYXJ4MVVQdFdWcmQ4am5DSkkKLS0tIDNudUpUNnNJUHQyYTM3Y3pwb0FT
+            QXEybkIvc0RnV1dNL1Rhem9GajhzY2cKLS0tIFk0Nm9JK2ZvenJsYVF2RUJLVzVL
-            VUY1c0ZtWDA0THZ3ekVmUFl4ZjgvaHcKuyh3cIwboc2wxectPk0La0CLRX7VvaBR
+            bzFWRnFjd01wbDVrQnhlb3NYampEVEkKWl3/oymEX/TdMHyxE8mOopIwu4Kots27
-            XoBMk4PbfQLS1PuaavH+NLNAp3N7LmF9IlZBS3zFW26Dy1viqWbhFw==
+            teyBmo6aVTAQ1zSxGDszI6kgK6PC3Z/WqaMaoJilGI6k8vCkOT3oMw==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
+        - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4T3krdSthSnhkVGk5RHg3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaG1Ea0ZyZ1IrRGxEaUdw
-            MUVWdXVqM0o3LzZtSzFsZURiSGlLTEd6SlhNCllyaW5BcHZueDRGNlMwWTNaQTNC
+            TzlMRE84ZDBXRTNFWHcwNE81MDZlYStTZWdFCmxLbUxORFNVVHRGYXV4bDRvV1Ra
-            bTBMRWFRSG42WVg0cU9CR1F5ZmpTQ1kKLS0tIFdDaGloemJNWUJWcCtOeUhnMmlQ
+            Rzg0YnpkaDJ3alhxalFFck10MjF4MG8KLS0tIDgwSEhReERtZHZ3U2RWcnFaaHlI
-            dklwODNxYVo4a2FaWDJFM0FnV1l3SlUKMnq/MAJRwR7iEri2KomPrMj0gTkMyhzH
+            UmQzNEJVVTVPRHFqVlAraTR2bHNOdmsKKCVCzZ10sEA7rGRCUxbpYlaR6Y2jZvho
-            P5E4zheU7chJTAz5jf6iecyOvKAt6q5g9Q1MU0D6dkOcv2gzWSNAAw==
+            THbZe5MHY1a44L2XQSZe3I+1qOVBWVSL10KYTjJIBTxoeBtjlQJAVQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-11T21:11:25Z"
+    lastmodified: "2026-02-03T21:56:09Z"
-    mac: ENC[AES256_GCM,data:zhPKEB/u8x6mABVzrKlfSQdW/eCailqqb/JIyTzC21bF503ESfjrJIiTIb889rAjcGXQFfA0BJ398Y+8XLJ3WL25Imc1vF5/HIkeG1u7FZQx7XNVg2A8NxzG42F8Zei28Cf9PBqz/zsu8OyVgFdGWR5oAimli45PJcozcnKaWsU=,iv:G0zYmh9k5aayGY7szw5uf7bp9ss/Kg2UeALpIGIkByA=,tag:0pDYK8Wa7etc1wxDlMiddw==,type:str]
+    mac: ENC[AES256_GCM,data:Bnjo3TFYoGbtB8HF1i+ZQLlfeBMOjq14lu8oLRqcZ6Fx5Am0uuh+/PHClWZ/JX5suC0Kb81+aBHg2QTsLoB6zdUrRpaqa0CUxTDoGw8tpo8m6zLWvSggpYLAuRgTYqBZ0lVK1QxAi9+qVJQ5AIhYwSPrf2oq/Mpq4tFGUoG/tzM=,iv:8JqAeBVYnZM8A+CPAlKN+6SDty0XQ4AKEBJLGV8Q738=,tag:CQXE5QsfJMiI7UQoCfE3dQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -19,38 +19,38 @@ sops:
        - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSTFDNHN2cm5UMDkvb3h3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTUEycms3ZkdMd3hpcXJz
-            RUs3aEIrZmlhQ3JvcCtKa09WUkRpZ1o4b3pnCmtiaUJnYUVWcFdpRk9vdmNQRjJT
+            R2pZZEc5STZ3dUdYbUdsSGJaRWI5TWNMK1RRCjVxR1pzY0ZVUmcwSjJFYktteWoz
-            R1NlMUJnRHQwdGRmQWJrc1NySmhPZW8KLS0tIFhnNmE4bGFUYW5GdVprc09PTTBt
+            YmlaVkFPRnZha3h5ckV1TVQyVWZKdGMKLS0tIFgvdWF5VEJwTTcwdXZ6SDRMU3BL
-            N2VpQU5aeUJuRThyQVFwaEs3QnUwSDgKdgsuwN4/dfAVzXnJ7LPwhUpD8kuh3VxO
+            V2x6NlhyY0pmUVBsYmZITjArdjJRbEkKvzsJxs5EHR0uumwhZ36MhKuMS+WkogXU
-            vB9iva29YN85E+CKZ7CryGdrnCy1a1fUC0YiAakbzQejon62fK2d5Q==
+            nSVRQoc5TClzYwShY1ltHK+LCl0DlB4xFoMiO4GWwH1TySKe/ywpUQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRnEvNzlxT0dWMDNZOEhS
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQytNaUs1M0hiYi8vdDUx
-            TVpRSHpGM1JvZ0JQRW4zMXpXL3Rza3NiRVVNClovaGF0Z1hPdXltY3pTaGRKUTY2
+            V1NtZ3VGNFVjRHRWUzliR3M3Q2Z6K3RWSHo4ClQ1RE1PeHJ4REpubVJHb0lJcGJ2
-            MGJtYmFqaDQ4THRRTE1rUURhR0N1Y1UKLS0tIGtOOUxVNTdFZGZ3TS8zdUJFWWxO
+            SEFvT2YvNWhMc2lneWR5NmRYc2pzVE0KLS0tIGxkRWRRRTNtVDUzVXh2L0lEa3RK
-            MG1yLzNRaTdmVEJaSnBlbGR0SjR0TlUK7iNC+uyUN3s5T7b1PD+BZ+LvlsKdOpbM
+            YjFSUDJHUjFUeVBFbUlKOS8ya1ZhMW8KssRH3/XT1iCVgV+6Sh25Axp0c96aHtVX
-            pA2P4ZaUcBXCOEonmG4LnflEyUDXrxBoTkswkpBpG/SowF+yXe0Fwg==
+            /HXN3AwTm0GJZCQnZsVIIPtoCzhUZSza+bzGZIZODYtgtCIxtdzVSw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcU05d2R4a3k4Z2VGVlcr
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbkZpZFJCY21IRkJjNkRB
-            VXJWeUZtWjZuY0lDM2dBNWFxbUxyaUdPVm1RCkxkNjFNbmh6L2ZMeitlY3ZwTEw4
+            UEdEVlZhRWhRb1ZDMjJtMmpkUmpnY3ZvMGlFCnBLcHlkMWNyMy8wenYwT2pmRTZL
-            MUhTVnBLdmRVblFOa09nWTlXVHNIWHcKLS0tIC91aHR5d3JlRDlBWFJtWDNsNFUw
+            dWtiWFlaR1FrL21HQTFZM2N3a3BHYW8KLS0tIFlYZWVHb0VEeDU5NnRjbDk5M2po
-            QjhiSVNRMlgwTTAvNmE4SDdQOS8rNVUKIYVulp/SpDmewQkotisfUsSZFh0r1eNB
+            K0xRRFhua09DRE04WUd6NlZuQldFbEEK2OgiawCbCtbrk8l45QdjVu8+VNWbrl4i
-            59ysWy09dse8Oed9lwMVMLI7B4DBT6CRWuefOU//urI/pB9itV6jvw==
+            3U9iwek30JkQSZaWBXaCZlWLvbKNjIMpwTtxDOhxmu4DUh3Hx6In/g==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
+        - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyazBBS0xKakE0Z0hHRnZo
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySjBmaC9rREpUQ3BvWWNU
-            R0VZUk5qSVF3L2NTb2p6Z29QMnp1MkIrVHowClJVZ3VzUTc4aDVha2tBUE93R2Nw
+            MWEvM3ZGb2RXZ0dMdWxLRTJCR2VSdyt5VUhBCjBvL3MxZ3pTaFQ4aGdZVnAxUmd3
-            T29nakxRQkpidzlrdFZQTFlxMXFwOEkKLS0tIGJWRkdJaVpLWXBVNnZUQ2l3dm9Q
+            YUtoZkhEV01TU0drRUdDaFZ5M2tZLzAKLS0tIHpBL3NwV2NhN0QwcHdwbFpQWlZn
-            RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM
+            eUNjc2RPOUxLTGowTlRqN3lEdjRLU2cKTTEXmHyhnL/hZGDr8ONrmzdU6Or5xkKY
-            QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw==
+            GHADDt+LCg8njcZom39Aj4kpCx+f7HlV65glKwr37vZ0sL9KE+O9+w==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-16T15:38:39Z"
    mac: ENC[AES256_GCM,data:4xaoGvLq1UIdozNqQ7v+pORVPDCk+FZRsCRvZ3C5AZOwSaM+UfDYZcI32AI0K80yFyhVIrrjqylykvXghbpQGAju3mv7+7Tbn5p2gqXrB/m1FuyVe/ftw7SSn8FTGL14cdHuPPkQTvV/u7z1IfX4YAOEGqtWiEfOe4YoWT3xc3A=,iv:dygbKjQ0ljgBPyk2aEIa/Mpbs/At+UzuhYy8Sndx/nk=,tag:jYbROlRxeDxqF1YqrBGL8A==,type:str]
--- a/secrets/ssh/ed25519_nixvps.pub
+++ b/secrets/ssh/ed25519_nixvps.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDY0RAhoIM9q5xQCqLWJQimk3JAkfYAcabxGFnxmNBq jawz@workstation
--- a/secrets/wireguard.yaml
+++ b/secrets/wireguard.yaml
@@ -13,38 +13,38 @@ sops:
        - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTXplR3BHYzl1bmxuSzlW
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemJmbnAwUHZHT3ozdWxH
-            ZVQvTlg2amFnMCtTKzRoZXNYaXBNcmRyWGhZCmpLT1NqbGRtUFpxUzlTMFdYemRJ
+            Njh1ZFUvVW8zcVV6SGxrVW1IWW9ZUFBaTEh3CnJsMnFnM0d5YnBKWE5CT2Flang0
-            ZXF6c2dhOG9LbXVkczU0N1RVK1lqajAKLS0tIHFmQ0FrbVQ2QldiUS9oT2J2RkU0
+            TkNZb0xCY2c4Qk1kdXRkRXcvOU1TSW8KLS0tIE1VdGEraW03bnV4VEc5c0ZheFJ0
-            N0pFQ095Uzdid2NmZXRVZ2l6N285bFUKG52XE8nf9GfESCfNfoP6L8GxLfvrihs4
+            MFJpVTlvTGJ0YXBKSnFFbXhEUEwwSmMKxOtHLbRw5e6dRW4jvqFLsl6UzKZ+mvfR
-            CaZSkRzkuZUsfBND0B2BX/UlrjVHWPQCYMqqTtMpLXoRSmRsvWYCTA==
+            hwKJ4KEbXuCqwtPQEWk/pF0i4vzrgUP1Cp1Y7BxGGyK9ufyV/CCQIg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdWpKeU90cTV6blNZckt0
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cnE5VENCMUxxOVZUdC9X
-            a2hpWms2b1ZuKzEwZUZFbEp0bFlPellVaHdVCkF5RENObjMvalJNc2FNYXk1UUxR
+            QWFMRytGamhaWENZY1Q4STR5L0Jsdk90SlUwCis4ekFWYmMwN2dESXMrVFNIamFG
-            anE0SUI5ZWY5ZUlteVArSVN4T01DS2MKLS0tIEpDWDkzWm1mampQZDkwRCt5STVk
+            RzhET2ZGdGN6b1V1ZHkyOCtDNzBWVjQKLS0tIEF1NGdoU2lqYVdIN3hwRk13SFpP
-            RHg4UklFQUp1KzFWRnpDOEIzRVJWZ2sKyS6bXtqJ3J7FrCyTa16Ithy2JS4HdkOg
+            RHNOeDBlSHFpays2VkRuR2RxaGpYZ1EKwxZfRZthZHVuJe3D5pamCSxYo3hyaaVc
-            NzTn/6RL+F61PLDGvEEa7Ypk/OGIjfJYxDQ5Sd9LODja47jIK5T6Aw==
+            I0UvMDMgcDRZuEzV9g1ZEYnaVXg5InyOO0dDZuCYX/HZqTLPiaOIxg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueWZlTThKV1d5UEpJUVBE
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaUhOcHV2TkYrZWxnOCtI
-            SlFDMmFYSVREWXVvaDZYWk5TYXFRdTlpeVFZCnM4K3FYNk9hZ3R1K3c3Y0lURzZx
+            TzF1RVpFY3pSa1Y2MmJjVlpKcWZnWGtOOTJ3CmRnTUpyRms2aUtvS1ZvVXFsb0ZQ
-            ZXdsWFNNSSt1VUtZdmRUUFdEK3BEdUkKLS0tIHB6ckZPMUkyM0ljK0RScWJSQlIz
+            U0RiYXM3S0RKQjVwL2hqYllhZENUdmsKLS0tIDNTRHR2ZU1VTzdNNXRDU0xkcTRM
-            UzVRQ3JzS1Q3N3EzTkhpNDZwZEtPbm8K0BzKOk9ljAnc5eydHfNha/QPfq9Eltfb
+            ckowd2p5bitGYVhMNU9Qc0NUeFFJV3MKPKT1/06/fKpWPOMsRaU/fpyVUf7onWGB
-            X/pNFkeW/b6FgLwo+3pc+NfgOFvpOuq7/bRWUCxGSJP/4w9+9q1a6A==
+            0P22NBzP1i5caqSrFnVVeyuhgYxabC4oUKVmjU5QIj1R8Rqh7gworw==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
+        - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkV1Fsb3FMZGxGZ1A5dk9y
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SHdHTDhKQzFUQVdqM0hW
-            SllKMjZRby9KNzhVSUVpODh0MW1Ya1JzdzBjCjZmQUFoaCtTSS9ybE1hVjExaFVR
+            Tm9QdVozaHViQVRuTExhV1BpdWYvY012enk0CmhjODlUN0FkNldGRG94bVFSTVBv
-            bWlKcFdlQmRIdEJrUE5jKzRlNFdQTVEKLS0tIEtMOW8xb2hLOGluMnVDaWxFMXQw
+            QUNWZmszRStZN24vZWhnajhIcWdXVDgKLS0tIG9ueVZsT29KRE1iM2oreWtGWGVC
-            KzZFSWprL0l0MDdVdEVKbEV5eklZdTAK/1ZyGvElfp+LVloSR6aJUtvrgU0CrzaJ
+            SG40OS8wMHlKNmxQa0VScHQrU2NmT2sKt9xw/8jsgnV1cZndqYNiHvIf8VdEJYCl
-            SQtO7vc4oDedkiTz6LKySta+uyn3e17Jzdyy9nU2D/Q5X+CpKGP3cg==
+            UUJ1KPz9mvUx3ny+rK50FSD61U8PHEZm2UC0w+/qkZwRtCx21Ku6dw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-09-08T00:14:52Z"
    mac: ENC[AES256_GCM,data:O2herKRy4k9ZMuPzzPF5QlBC2isXdRoIsbYLJ/6X7esxtxxgNuAljx4SCR6UMT7pl3G2E33cnnBEkuAIy6SMXOaZNfOuAEJXaCwpRwCXu26lrcTf6n7UdP36GWfIRsR4utD5/vv66ch6MqmQWkW7E5zydy5dOv+BJ4XS/50OUQs=,iv:TscYNQaeI+mBxyobxI1O4wUzRtA27pvjXz27kqMJhA0=,tag:zx/xrYAWJCxYz5HRTKzYfQ==,type:str]
--- a/specs/003-vps-image-migration/checklists/requirements.md
+++ b/specs/003-vps-image-migration/checklists/requirements.md
@@ -0,0 +1,34 @@
 # Specification Quality Checklist: VPS Image Migration
 **Purpose**: Validate specification completeness and quality before proceeding to planning
 **Created**: February 3, 2026
 **Feature**: /home/jawz/Development/NixOS/specs/003-vps-image-migration/spec.md
 ## Content Quality
 - [x] No implementation details (languages, frameworks, APIs)
 - [x] Focused on user value and business needs
 - [x] Written for non-technical stakeholders
 - [x] All mandatory sections completed
 ## Requirement Completeness
 - [x] No [NEEDS CLARIFICATION] markers remain
 - [x] Requirements are testable and unambiguous
 - [x] Success criteria are measurable
 - [x] Success criteria are technology-agnostic (no implementation details)
 - [x] All acceptance scenarios are defined
 - [x] Edge cases are identified
 - [x] Scope is clearly bounded
 - [x] Dependencies and assumptions identified
 ## Feature Readiness
 - [x] All functional requirements have clear acceptance criteria
 - [x] User scenarios cover primary flows
 - [x] Feature meets measurable outcomes defined in Success Criteria
 - [x] No implementation details leak into specification
 ## Notes
 - All checklist items pass based on the current spec.
--- a/specs/003-vps-image-migration/contracts/README.md
+++ b/specs/003-vps-image-migration/contracts/README.md
@@ -0,0 +1,3 @@
 # API Contracts
 This feature does not introduce or modify any external HTTP or RPC APIs. Operator actions (image build, provisioning, secrets enrollment, rebuild trigger) are performed via existing infrastructure workflows, so no API schema is required.
--- a/specs/003-vps-image-migration/data-model.md
+++ b/specs/003-vps-image-migration/data-model.md
@@ -0,0 +1,49 @@
 # Data Model: VPS Image Migration
 ## Host Profile
 - **Purpose**: Defines a named system configuration (e.g., vps).
 - **Key fields**:
  - `name` (string, unique)
  - `target_environment` (string, e.g., Linode)
  - `services_required` (list of service identifiers)
  - `secrets_required` (list of secret identifiers)
 ## Image Artifact
 - **Purpose**: Represents a build output used to provision a VPS.
 - **Key fields**:
  - `image_type` (string, Linode-compatible)
  - `build_reference` (string, build timestamp or revision)
  - `host_profile` (reference to Host Profile)
 ## Bootstrap Secret Material
 - **Purpose**: Material required to unlock secrets on the host.
 - **Key fields**:
  - `bootstrap_method` (enum: generated-on-host)
  - `recipient_public_key` (string)
  - `enrollment_status` (enum: pending, enrolled)
 ## Deployment Target
 - **Purpose**: The environment where the image is launched.
 - **Key fields**:
  - `provider` (string)
  - `region` (string)
  - `instance_id` (string)
 ## Rebuild Trigger
 - **Purpose**: Represents an authorized rebuild action for the VPS.
 - **Key fields**:
  - `actor` (string)
  - `requested_at` (datetime)
  - `status` (enum: queued, running, succeeded, failed)
 ## Relationships
 - Host Profile 1..* Image Artifact
 - Host Profile 1..* Bootstrap Secret Material
 - Deployment Target 1..1 Image Artifact
 - Rebuild Trigger *..1 Host Profile
--- a/specs/003-vps-image-migration/plan.md
+++ b/specs/003-vps-image-migration/plan.md
@@ -0,0 +1,58 @@
 # Implementation Plan: VPS Image Migration
 **Branch**: `003-vps-image-migration` | **Date**: February 3, 2026 | **Spec**: /home/jawz/Development/NixOS/specs/003-vps-image-migration/spec.md
 **Input**: Feature specification from `/specs/003-vps-image-migration/spec.md`
 ## Summary
 Migrate image building away from the deprecated generator to the upstream NixOS image workflow, add a new vps host that produces a Linode-compatible image, and implement a secure two-phase secrets bootstrap that requires re-encryption after the host generates its own key. Provide a repeatable remote rebuild workflow limited to explicitly authorized operator machines.
 ## Technical Context
 **Language/Version**: Nix (flakes; nixpkgs 25.11)  
 **Primary Dependencies**: nixpkgs, flake-parts, sops-nix  
 **Storage**: N/A (configuration repo)  
 **Testing**: Manual validation (image build, boot, network, secret availability, rebuild)  
 **Target Platform**: NixOS image for Linode VPS  
 **Project Type**: Infrastructure configuration (single repo)  
 **Performance Goals**: N/A  
 **Constraints**: No regressions for existing hosts; secrets must remain secure; first boot must be reachable for enrollment; rebuilds restricted to authorized operator machines  
 **Scale/Scope**: Small number of hosts, single vps target
 ## Constitution Check
 No enforceable principles are defined in the current constitution file (placeholders only). Gate passes by default.
 Post-design re-check: no changes; still pass.
 ## Project Structure
 ### Documentation (this feature)
 ```text
 specs/003-vps-image-migration/
 ├── plan.md
 ├── research.md
 ├── data-model.md
 ├── quickstart.md
 ├── contracts/
 └── tasks.md
 ```
 ### Source Code (repository root)
 ```text
 flake.nix
 parts/
 hosts/
 modules/
 secrets/
 scripts/
 config/
 environments/
 ```
 **Structure Decision**: Use the existing Nix flake layout with host definitions in `hosts/`, shared logic in `modules/`, and flake assembly in `parts/`.
 ## Complexity Tracking
 No constitution violations to track.
--- a/specs/003-vps-image-migration/research.md
+++ b/specs/003-vps-image-migration/research.md
@@ -0,0 +1,16 @@
 # Research: VPS Image Migration
 ## Decision 1: Replace deprecated image generator usage
 - **Decision**: Use NixOS's built-in image building workflow (`nixos-rebuild build-image`) for Linode-compatible images.
 - **Rationale**: The NixOS manual documents `nixos-rebuild build-image` and lists Linode as a supported image target via `image.modules`, indicating the upstream path for image generation.
 - **Alternatives considered**:
  - Keep using nixos-generators (rejected due to deprecation and upstream migration).
 ## Decision 2: Secure-first secrets bootstrap for vps
 - **Decision**: Use a two-phase bootstrap where the vps generates its own age key on first boot, then the host public key is added as a recipient and secrets are re-encrypted before the second deploy.
 - **Rationale**: sops-nix supports generating an age key when missing and can use SSH host keys to derive age identities; this avoids embedding private keys in the image or repository.
 - **Alternatives considered**:
  - Bake a static age key into the image (rejected for security risk).
  - Ship a fixed SSH host key in the image (rejected for key reuse across hosts).
--- a/specs/003-vps-image-migration/spec.md
+++ b/specs/003-vps-image-migration/spec.md
@@ -0,0 +1,103 @@
 # Feature Specification: VPS Image Migration
 **Feature Branch**: `003-vps-image-migration`  
 **Created**: February 3, 2026  
 **Status**: Draft  
 **Input**: User description: "Remove deprecated image generator usage, add a new vps host that builds a Linode image, ensure first-boot secrets are available, and support remote rebuilds for ongoing changes."
 ## Clarifications
 ### Session 2026-02-03
 - Q: Who is allowed to trigger remote rebuilds? → A: Only explicitly authorized operator machines.
 ## User Scenarios & Testing *(mandatory)*
 ### User Story 1 - Provision a VPS Image (Priority: P1)
 As an operator, I want to build a Linode-compatible image for the new vps host so I can provision a replacement VPS that boots with network connectivity and remote access.
 **Why this priority**: This is the core migration outcome; without a working image, the VPS replacement cannot proceed.
 **Independent Test**: Can be fully tested by building the image, launching a Linode instance from it, and confirming network and remote access.
 **Acceptance Scenarios**:
 1. **Given** a clean repository state, **When** I build the vps image, **Then** the build completes and produces a Linode-compatible image artifact.
 2. **Given** a Linode instance created from the vps image, **When** it boots, **Then** it has working network connectivity and remote access is available.
 ---
 ### User Story 2 - Secrets Available After Enrollment (Priority: P2)
 As an operator, I want the vps to generate its own secrets key on first boot and then make required secrets available after enrollment so core services can start securely.
 **Why this priority**: The VPS must remain secure; services should start only after the host is enrolled and secrets are re-encrypted for it.
 **Independent Test**: Can be fully tested by provisioning from the image, enrolling the host key, and verifying required secrets become available after the follow-up deployment.
 **Acceptance Scenarios**:
 1. **Given** a freshly provisioned vps instance, **When** the system completes its first boot, **Then** it generates host-specific bootstrap key material and remains reachable for enrollment.
 2. **Given** the host key is enrolled and secrets are re-encrypted, **When** a follow-up deployment runs, **Then** required secrets become available to services.
 ---
 ### User Story 3 - Remote Rebuild Workflow (Priority: P3)
 As an operator, I want to trigger rebuilds of the vps host from any authorized system so updates (such as firewall changes) can be applied consistently.
 **Why this priority**: Ongoing updates are essential for operations and security, and should not depend on a single workstation.
 **Independent Test**: Can be fully tested by triggering a rebuild from a separate authorized system and verifying the changes apply on the VPS.
 **Acceptance Scenarios**:
 1. **Given** an explicitly authorized operator machine, **When** a rebuild is triggered, **Then** the vps host updates successfully and reflects the new configuration.
 ---
 ### Edge Cases
 - What happens when the vps image build completes but the artifact is not compatible with the target environment?
 - How does the system handle first-boot secret access when bootstrap material is missing or corrupted?
 - What happens when a remote rebuild is triggered but the VPS is unreachable?
 ## Requirements *(mandatory)*
 ### Functional Requirements
 - **FR-001**: The system MUST stop using any deprecated image-generation dependency currently used for host images.
 - **FR-002**: The system MUST define a new vps host configuration that produces a Linode-compatible image artifact.
 - **FR-003**: A VPS provisioned from the image MUST boot with working network connectivity and remote access enabled.
 - **FR-004**: The system MUST support a secure, two-phase bootstrap where the host generates key material on first boot and secrets become available after enrollment and re-deploy.
 - **FR-005**: The system MUST provide a documented, repeatable way for explicitly authorized operator machines to trigger remote rebuilds of the vps host.
 - **FR-006**: Existing hosts and images MUST continue to build and operate without regression after the migration.
 ### Key Entities *(include if feature involves data)*
 - **Host Profile**: A named system configuration (e.g., vps) that defines the target environment behavior.
 - **Image Artifact**: A deployable disk image produced from the host profile.
 - **Bootstrap Secret Material**: Data required to unlock or access secrets on first boot.
 - **Deployment Target**: The infrastructure environment where the image is launched.
 - **Rebuild Trigger**: An authorized action that initiates a configuration update on the VPS.
 ## Assumptions
 - The vps host can generate bootstrap key material on first boot and is reachable for enrollment.
 - Operators already have a secure, authorized path for remote access to the VPS.
 - The Linode environment can accept and boot the produced image artifact.
 ## Dependencies
 - Access to the target environment needed to validate image compatibility and boot behavior.
 - Existing secrets management process and data required for the vps host.
 ## Success Criteria *(mandatory)*
 ### Measurable Outcomes
 - **SC-001**: A Linode instance provisioned from the vps image is reachable via remote access within 10 minutes of first boot in at least 95% of test provisions.
 - **SC-002**: Required secrets for core services are available after enrollment and follow-up deployment in 100% of test provisions.
 - **SC-003**: Existing host builds complete without new failures after the deprecated dependency is removed.
 - **SC-004**: Remote rebuilds apply a configuration change to the vps host within 15 minutes in at least 90% of test runs.
--- a/specs/003-vps-image-migration/tasks.md
+++ b/specs/003-vps-image-migration/tasks.md
@@ -0,0 +1,151 @@
 ---
 description: "Task list for VPS Image Migration"
 ---
 # Tasks: VPS Image Migration
 **Input**: Design documents from `/specs/003-vps-image-migration/`
 **Prerequisites**: plan.md (required), spec.md (required for user stories), research.md, data-model.md, contracts/
 **Tests**: Not requested.
 **Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
 ## Format: `[ID] [P?] [Story] Description`
 - **[P]**: Can run in parallel (different files, no dependencies)
 - **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3)
 - Include exact file paths in descriptions
 ## Phase 1: Setup (Shared Infrastructure)
 **Purpose**: Project initialization and validation setup
 - [X] T001 Review current image generation usage in `flake.nix` and `parts/packages.nix` and note all nixos-generators references
 - [X] T002 [P] Review host structure in `hosts/` to mirror patterns for the new `hosts/vps/configuration.nix`
 ---
 ## Phase 2: Foundational (Blocking Prerequisites)
 **Purpose**: Remove deprecated generator and ensure existing outputs are preserved
 - [X] T003 Update `parts/packages.nix` to build `emacs-vm` from nixpkgs/NixOS outputs (remove nixos-generators usage)
 - [X] T004 Remove nixos-generators input from `flake.nix`
 - [X] T005 Update `flake.lock` to drop nixos-generators entries
 - [X] T006 STOP: Ask user to validate `emacs-vm` build works without nixos-generators (confirm before proceeding) (reference `parts/packages.nix`)
 **Checkpoint**: Foundation ready after user confirmation
 ---
 ## Phase 3: User Story 1 - Provision a VPS Image (Priority: P1) 🎯 MVP
 **Goal**: Define a new vps host and produce a Linode-compatible image artifact
 **Independent Test**: Build the vps image, launch a Linode instance from it, verify network connectivity and remote access
 ### Implementation for User Story 1
 - [X] T007 [US1] Create `hosts/vps/configuration.nix` with base imports and minimal networking/remote access enablement
 - [X] T008 [US1] Register vps host in `parts/hosts.nix` using existing `createConfig` pattern
 - [X] T009 [US1] Add a Linode image build output for vps in `parts/packages.nix` using the upstream NixOS image workflow
 - [X] T010 [US1] Document the vps host entry and image artifact location in `docs/reference/index.md`
 - [X] T011 [US1] Add a manual validation checklist entry for vps boot connectivity and remote access in `specs/003-vps-image-migration/quickstart.md`
 **Checkpoint**: vps image builds and can boot with connectivity
 ---
 ## Phase 4: User Story 2 - Secrets Available After Enrollment (Priority: P2)
 **Goal**: Secure two-phase secrets bootstrap and enrollment workflow
 **Independent Test**: Boot vps, generate host key, enroll key, re-encrypt secrets, redeploy, verify secrets available
 ### Implementation for User Story 2
 - [X] T012 [US2] Set secure host posture for vps in `hosts/vps/configuration.nix` (secureHost enabled, secrets gated)
 - [X] T013 [US2] Add vps-specific sops-nix bootstrap settings in `hosts/vps/configuration.nix` (generate key on first boot; no baked key)
 - [X] T014 [US2] Document the enrollment and re-encryption steps in `docs/playbooks/enroll-vps.md`
 - [X] T015 [US2] Update secrets guidance to reference the vps enrollment flow in `docs/constitution.md`
 **Checkpoint**: vps can boot without secrets, then unlocks secrets after enrollment and redeploy
 ---
 ## Phase 5: User Story 3 - Remote Rebuild Workflow (Priority: P3)
 **Goal**: Provide a documented, repeatable remote rebuild process
 **Independent Test**: Trigger a rebuild from an explicitly authorized operator machine and verify applied config changes
 ### Implementation for User Story 3
 - [X] T016 [US3] Add a rebuild helper script in `scripts/rebuild-vps.sh` with clear inputs and safety checks
 - [X] T017 [US3] Document remote rebuild usage and prerequisites (explicitly authorized operator machines only) in `docs/playbooks/vps-rebuild.md`
 **Checkpoint**: remote rebuild flow is repeatable and documented
 ---
 ## Phase 6: Polish & Cross-Cutting Concerns
 **Purpose**: Final consistency checks and documentation polish
 - [X] T018 [P] Ensure vps host is referenced in any host inventories or indexes in `docs/reference/index.md`
 - [X] T019 Validate quickstart steps still match implementation in `specs/003-vps-image-migration/quickstart.md`
 - [X] T020 Validate existing host/image builds after migration (document results in `specs/003-vps-image-migration/quickstart.md`)
 ---
 ## Dependencies & Execution Order
 ### Phase Dependencies
 - **Setup (Phase 1)**: No dependencies - can start immediately
 - **Foundational (Phase 2)**: Depends on Setup completion - BLOCKS all user stories
 - **User Stories (Phase 3+)**: Depend on Foundational completion and user validation at T006
 - **Polish (Final Phase)**: Depends on desired user stories being complete
 ### User Story Dependencies
 - **User Story 1 (P1)**: Starts after Phase 2 and user validation at T006
 - **User Story 2 (P2)**: Starts after Phase 2 and user validation at T006; depends on vps host existing (T007/T008)
 - **User Story 3 (P3)**: Starts after Phase 2 and user validation at T006; can be done in parallel with US2
 ### Parallel Opportunities
 - T002 can run in parallel with T001
 - T018 and T019 can run in parallel in the Polish phase
 - After T006, US2 and US3 can proceed in parallel once US1 host scaffolding exists
 ---
 ## Parallel Example: User Story 2
 ```bash
 Task: "Set secure host posture for vps in hosts/vps/configuration.nix"
 Task: "Document the enrollment and re-encryption steps in docs/playbooks/enroll-vps.md"
 ```
 ---
 ## Implementation Strategy
 ### MVP First (User Story 1 Only)
 1. Complete Phase 1: Setup
 2. Complete Phase 2: Foundational
 3. Pause at T006 for user validation of emacs-vm
 4. Complete Phase 3: User Story 1
 5. Stop and validate the image boot and connectivity
 ### Incremental Delivery
 1. Complete Setup + Foundational → user validates emacs-vm
 2. Add User Story 1 → validate image build/boot
 3. Add User Story 2 → validate secrets enrollment flow
 4. Add User Story 3 → validate remote rebuild workflow
 5. Polish and doc consistency checks
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDY0RAhoIM9q5xQCqLWJQimk3JAkfYAcabxGFnxmNBq jawz@workstation`
		`@@ -0,0 +1,3 @@`
							`# API Contracts`

							`This feature does not introduce or modify any external HTTP or RPC APIs. Operator actions (image build, provisioning, secrets enrollment, rebuild trigger) are performed via existing infrastructure workflows, so no API schema is required.`