refactor works on lio host

2025-03-18 11:53:54 -05:00 · 2025-03-18 11:53:54 -05:00 · f0c096edec
commit f0c096edec
parent 1d9c4beaf3
73 changed files with 2214 additions and 1091 deletions
--- a/common/_containers/affine.nix
+++ b/common/_containers/affine.nix
@ -0,0 +1,135 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.affine;
+in
+{
+  options.services.affine =
+    let
+      lib = pkgs.lib;
+    in
+    {
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 3010;
+        description = "Port number for the AFFiNE service";
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/affine";
+        description = "Directory to store AFFiNE data";
+      };
+    };
+
+  config = {
+    systemd.services.create-affine-network = {
+      description = "Create Docker network for LibreChat";
+      serviceConfig.Type = "oneshot";
+      wantedBy = [ "multi-user.target" ];
+      script = ''
+        if ! ${pkgs.docker}/bin/docker network inspect affine-network >/dev/null 2>&1; then
+          ${pkgs.docker}/bin/docker network create affine-network
+        fi
+      '';
+    };
+
+    virtualisation.oci-containers.containers = {
+      #############
+      # AFFiNE #
+      #############
+      # NOTE settings live in `/var/lib/affine` manually right now
+      # Note to remove limits from user need to mark user as subscriber in the database manually
+      # docker exec it affine_postgres psql -U affine
+      # select id, feature, configs from features;
+      # select * from users;
+      # select * from user_features;
+      # feature_id = YOUR FEATURE ID YOU WANT TO ASSIGN (get it from 'List possible feature id's')
+      # user_id = YOUR USER ID YOU WANT TO CHANGE (get it from 'List users with id's')
+      # update user_features set feature_id = 35 where user_id = 'xxxxxx-xxxx-xxxxxxx-xxxx-xxxxxxxxxxxx';
+      affine = {
+        user = "root";
+        image = "ghcr.io/toeverything/affine-graphql:stable";
+        ports = [
+          "${toString cfg.port}:${toString cfg.port}"
+        ];
+        dependsOn = [
+          "affine_redis"
+          "affine_postgres"
+          "affine_migration"
+        ];
+        environment = {
+          REDIS_SERVER_HOST = "affine_redis";
+          DATABASE_URL = "postgresql://affine:password@affine_postgres:5432/affine";
+        };
+        volumes = [
+          "${cfg.dataDir}/storage:/root/.affine/storage"
+          "${cfg.dataDir}/config:/root/.affine/config"
+        ];
+        extraOptions = [
+          "--network=affine-network"
+        ];
+      };
+
+      affine_migration = {
+        user = "root";
+        image = "ghcr.io/toeverything/affine-graphql:stable";
+        dependsOn = [
+          "affine_redis"
+          "affine_postgres"
+        ];
+        volumes = [
+          "${cfg.dataDir}/storage:/root/.affine/storage"
+          "${cfg.dataDir}/config:/root/.affine/config"
+        ];
+        environment = {
+          REDIS_SERVER_HOST = "affine_redis";
+          DATABASE_URL = "postgresql://affine:password@affine_postgres:5432/affine";
+        };
+        cmd = [
+          "sh"
+          "-c"
+          "node ./scripts/self-host-predeploy.js"
+        ];
+        extraOptions = [ "--network=affine-network" ];
+      };
+
+      affine_redis = {
+        user = "root";
+        image = "redis";
+        extraOptions = [
+          "--network=affine-network"
+          "--health-cmd=\"CMD-SHELL redis-cli ping\""
+          "--health-interval=30s"
+          "--health-timeout=10s"
+          "--health-retries=3"
+          "--health-start-period=30s"
+        ];
+      };
+
+      affine_postgres = {
+        user = "root";
+        image = "postgres:16";
+        environment = {
+          POSTGRES_USER = "affine";
+          POSTGRES_PASSWORD = "password";
+          POSTGRES_DB = "affine";
+          POSTGRES_INITDB_ARGS = "--data-checksums";
+        };
+        volumes = [
+          "${cfg.dataDir}/postgres:/var/lib/postgresql/data"
+        ];
+        extraOptions = [
+          "--network=affine-network"
+          "--health-cmd=\"CMD-SHELL pg_isready -U affine\""
+          "--health-interval=10s"
+          "--health-timeout=5s"
+          "--health-retries=5"
+          "--health-start-period=30s"
+        ];
+      };
+    };
+  };
+}
--- a/common/_containers/inventory.nix
+++ b/common/_containers/inventory.nix
@ -0,0 +1,166 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  name = "inventory";
+  app = "pg-${name}";
+
+  hostDataDir = "/var/lib/${name}";
+
+  localAddress = "192.168.100.110";
+  pg_port = 54433;
+  pg_dataDir = "/var/lib/postgres";
+  # pgadmin_port = 5050;
+  # pgadmin_dataDir = "/var/lib/pgadmin";
+
+  binds = [
+    {
+      host = "${hostDataDir}/postgres";
+      container = pg_dataDir;
+      user = "postgres";
+      uid = config.ids.uids.postgres;
+    }
+    # {
+    #   host = "${hostDataDir}/pgadmin";
+    #   container = pgadmin_dataDir;
+    #   user = "pgadmin";
+    #   uid = 1020;
+    # }
+  ];
+in
+{
+
+  users = lib.foldl (
+    acc: bind:
+    {
+      users.${bind.user} = {
+        isSystemUser = true;
+        home = bind.host;
+        createHome = true;
+        uid = bind.uid;
+        group = bind.user;
+      };
+      groups.${bind.user}.gid = bind.uid;
+    }
+    // acc
+  ) { } binds;
+
+  containers.${app} = {
+    ephemeral = true;
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.100.2";
+    localAddress = localAddress;
+    bindMounts = lib.foldl (
+      acc: bind:
+      {
+        "${bind.container}" = {
+          hostPath = bind.host;
+          isReadOnly = false;
+        };
+      }
+      // acc
+    ) { } binds;
+    config =
+      { config, pkgs, ... }:
+      {
+        system.stateVersion = "24.11";
+
+        users = lib.foldl (
+          acc: bind:
+          {
+            users.${bind.user} = {
+              isSystemUser = true;
+              home = bind.container;
+              uid = bind.uid;
+              group = bind.user;
+            };
+            groups.${bind.user}.gid = bind.uid;
+          }
+          // acc
+        ) { } binds;
+
+        services.postgresql = {
+          enable = true;
+          package = pkgs.postgresql_17.withJIT;
+          enableJIT = true;
+          extensions = with pkgs.postgresql17Packages; [
+            # NOTE add extensions here
+            pgvector
+            postgis
+          ];
+          settings.port = pg_port;
+          enableTCPIP = true;
+          authentication = ''
+            local all all trust
+            host all all 127.0.0.1/8 trust
+            host all all ::1/128 trust
+            host all all 192.168.100.0/24 trust
+          '';
+          identMap = ''
+            # ArbitraryMapName systemUser dbUser
+            superuser_map      root       ${name}
+
+            # Let other names login as themselves
+            superuser_map      /^(.*)$    \1
+          '';
+          ensureDatabases = [ name ];
+          ensureUsers = [
+            {
+              name = name;
+              ensureDBOwnership = true;
+              ensureClauses = {
+                login = true;
+                superuser = true;
+              };
+            }
+          ];
+          dataDir =
+            (lib.findFirst (bind: bind.user == "postgres") (throw "No postgres bind found") binds).container;
+        };
+
+        # services.pgadmin = {
+        #   enable = true;
+        #   port = pgadmin_port;
+        #   openFirewall = true;
+        #   initialEmail = "admin@test.com";
+        #   initialPasswordFile = (builtins.toFile "password" "password");
+        # };
+
+        # TODO set this up, had issues since it shares users with postgres service and my bind mounts relys on createhome in that exact directory.
+        # services.postgresqlBackup = {
+        #   enable = true;
+        #   compression = "gzip";
+        #   compressionLevel = 9;
+        #   databases = [ cfg.database ];
+        #   location = "${cfg.dataDir}/backup";
+        #   startAt = "02:30"; # Adjust the backup time as needed
+        # };
+
+        networking.firewall = {
+          enable = true;
+          allowedTCPPorts = [ pg_port ];
+        };
+
+        # Health check to ensure database is ready
+        systemd.services.postgresql-healthcheck = {
+          description = "PostgreSQL Health Check";
+          after = [ "postgresql.service" ];
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            ExecStart = ''
+              ${pkgs.postgresql_17}/bin/pg_isready \
+                -U ${name} \
+                -d ${name} \
+                -h localhost \
+                -p ${toString pg_port}
+            '';
+          };
+        };
+      };
+  };
+}
--- a/common/_containers/librechat.nix
+++ b/common/_containers/librechat.nix
@ -0,0 +1,148 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.librechat;
+in
+{
+  options.services.librechat =
+    let
+      lib = pkgs.lib;
+    in
+    {
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 3080;
+        description = "Port number for the LibreChat";
+      };
+      ragPort = lib.mkOption {
+        type = lib.types.port;
+        default = 8000;
+        description = "Port number for the RAG API service";
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/librechat";
+        description = "Directory to store LibreChat data";
+      };
+    };
+
+  config = {
+    systemd.services.create-librechat-network = {
+      description = "Create Docker network for LibreChat";
+      serviceConfig.Type = "oneshot";
+      wantedBy = [ "multi-user.target" ];
+      script = ''
+        if ! ${pkgs.docker}/bin/docker network inspect librechat-network >/dev/null 2>&1; then
+          ${pkgs.docker}/bin/docker network create librechat-network
+        fi
+      '';
+    };
+
+    virtualisation.oci-containers.containers = {
+      #############
+      # librechat #
+      #############
+      # NOTE settings live in `/var/lib/librechat` manually right now
+      librechat = {
+        user = "root";
+        image = "ghcr.io/danny-avila/librechat-dev:latest";
+        ports = [
+          "${toString cfg.port}:${toString cfg.port}"
+        ];
+        dependsOn = [
+          "librechat_mongodb"
+          "librechat_rag_api"
+        ];
+        environment = {
+          HOST = "0.0.0.0";
+          MONGO_URI = "mongodb://librechat_mongodb:27017/LibreChat";
+          SEARCH = "true";
+          MEILI_HOST = "http://librechat_meilisearch:7700";
+          RAG_PORT = toString cfg.ragPort;
+          RAG_API_URL = "http://librechat_rag_api:${toString cfg.ragPort}";
+          # DEBUG_CONSOLE = "true";
+          # DEBUG_LOGGING = "true";
+        };
+        environmentFiles = [ "${cfg.dataDir}/.env" ];
+        volumes = [
+          "${cfg.dataDir}/.env:/app/.env"
+          "${cfg.dataDir}/librechat.yaml:/app/librechat.yaml"
+          "${cfg.dataDir}/images:/app/client/public/images"
+          "${cfg.dataDir}/logs:/app/api/logs"
+        ];
+        extraOptions = [
+          "--network=librechat-network"
+          "--add-host=azureproxy:100.64.0.8"
+        ];
+      };
+
+      librechat_mongodb = {
+        user = "root";
+        image = "mongo";
+        volumes = [
+          "${cfg.dataDir}/data-node:/data/db"
+        ];
+        cmd = [
+          "mongod"
+          "--noauth"
+        ];
+        extraOptions = [ "--network=librechat-network" ];
+      };
+
+      librechat_meilisearch = {
+        user = "root";
+        image = "getmeili/meilisearch:v1.13";
+        environment = {
+          MEILI_HOST = "http://librechat_meilisearch:7700";
+          MEILI_NO_ANALYTICS = "true";
+        };
+        volumes = [
+          "${cfg.dataDir}/meili_data_v1.13:/meili_data"
+        ];
+        extraOptions = [ "--network=librechat-network" ];
+      };
+
+      librechat_vectordb = {
+        user = "root";
+        image = "ankane/pgvector:latest";
+        environment = {
+          POSTGRES_DB = "mydatabase";
+          POSTGRES_USER = "myuser";
+          POSTGRES_PASSWORD = "mypassword";
+        };
+        volumes = [
+          "${cfg.dataDir}/pgdata2:/var/lib/postgresql/data"
+        ];
+        extraOptions = [ "--network=librechat-network" ];
+      };
+
+      librechat_rag_api = {
+        user = "root";
+        image = "ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest";
+        environment = {
+          DB_HOST = "librechat_vectordb";
+          RAG_PORT = toString cfg.ragPort;
+          OPENAI_API_KEY = "not_using_openai";
+        };
+        dependsOn = [ "librechat_vectordb" ];
+        environmentFiles = [ "${cfg.dataDir}/.env" ];
+        extraOptions = [ "--network=librechat-network" ];
+      };
+
+      # TODO revisit local whisper, for now I am using groq free for STT
+      # librechat_whisper = {
+      # user = "root";
+      #   image = "onerahmet/openai-whisper-asr-webservice:latest";
+      #   # ports = [ "8080:8080" ];
+      #   environment = {
+      #     ASR_MODEL = "base"; # You can change to small, medium, large, etc.
+      #     ASR_ENGINE = "openai_whisper";
+      #   };
+      #   extraOptions = [ "--network=librechat-network" ];
+      # };
+    };
+  };
+}
--- a/common/_containers/mathesar.nix
+++ b/common/_containers/mathesar.nix
@ -0,0 +1,159 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.mathesar;
+in
+{
+  options.services.mathesar =
+    let
+      lib = pkgs.lib;
+    in
+    {
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 3081;
+        description = "Port number for the Mathesar";
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/mathesar";
+        description = "Directory to store Mathesar data";
+      };
+      secretKey = lib.mkOption {
+        type = lib.types.str;
+        # echo $(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | head -c 50)
+        # https://docs.djangoproject.com/en/4.2/ref/settings/#secret-key
+        description = "Secret key for Django security features";
+      };
+      domainName = lib.mkOption {
+        type = lib.types.str;
+        default = "http://10.20.40.104";
+        description = "Custom domain(s) for accessing Mathesar";
+      };
+      postgresDb = lib.mkOption {
+        type = lib.types.str;
+        default = "mathesar_django";
+        description = "Database name for Mathesar";
+      };
+      postgresUser = lib.mkOption {
+        type = lib.types.str;
+        default = "mathesar";
+        description = "Database user for Mathesar";
+      };
+      postgresPassword = lib.mkOption {
+        type = lib.types.str;
+        default = "mathesar";
+        description = "Database password for Mathesar";
+      };
+      postgresHost = lib.mkOption {
+        type = lib.types.str;
+        default = "mathesar_db";
+        description = "Host running the PostgreSQL database";
+      };
+      postgresPort = lib.mkOption {
+        type = lib.types.port;
+        default = 3082;
+        description = "Port on which PostgreSQL is running";
+      };
+      allowedHosts = lib.mkOption {
+        type = lib.types.str;
+        default = "*";
+        description = "Allowed hosts for Mathesar web service. ";
+      };
+    };
+
+  config = {
+    systemd.services.create-mathesar-network = {
+      description = "Create Docker network for Mathesar";
+      serviceConfig.Type = "oneshot";
+      wantedBy = [ "multi-user.target" ];
+      script = ''
+        if ! ${pkgs.docker}/bin/docker network inspect mathesar_network >/dev/null 2>&1; then
+          ${pkgs.docker}/bin/docker network create mathesar_network
+        fi
+      '';
+    };
+
+    virtualisation.oci-containers.containers = {
+      ################
+      # mathesar_service
+      ################
+      mathesar_service = {
+        user = "root";
+        image = "mathesar/mathesar:latest";
+        dependsOn = [ "mathesar_db" ];
+        environment = {
+          SECRET_KEY = cfg.secretKey;
+          DOMAIN_NAME = cfg.domainName;
+          POSTGRES_DB = cfg.postgresDb;
+          POSTGRES_USER = cfg.postgresUser;
+          POSTGRES_PASSWORD = cfg.postgresPassword;
+          POSTGRES_HOST = cfg.postgresHost;
+          POSTGRES_PORT = (toString cfg.postgresPort);
+          DJANGO_SETTINGS_MODULE = "config.settings.production";
+          # Allowed hosts is * to allow all traffic on service.
+          # The caddy proxy handles the rest.
+          ALLOWED_HOSTS = "*";
+        };
+        volumes = [
+          "${cfg.dataDir}/static:/code/static"
+          "${cfg.dataDir}/media:/code/media"
+        ];
+        extraOptions = [
+          "--network=mathesar_network"
+          "--expose=8000"
+        ];
+      };
+
+      ################
+      # mathesar_db (PostgreSQL Database)
+      ################
+      mathesar_db = {
+        user = "root";
+        image = "postgres:13";
+        environment = {
+          POSTGRES_DB = cfg.postgresDb;
+          POSTGRES_USER = cfg.postgresUser;
+          POSTGRES_PASSWORD = cfg.postgresPassword;
+          PGPORT = toString cfg.postgresPort;
+        };
+        volumes = [
+          "${cfg.dataDir}/pgdata:/var/lib/postgresql/data"
+        ];
+        extraOptions = [
+          "--network=mathesar_network"
+          "--expose=${toString cfg.postgresPort}"
+        ];
+      };
+
+      ##############
+      # caddy-reverse-proxy
+      ##############
+      caddy_reverse_proxy = {
+        user = "root";
+        image = "mathesar/mathesar-caddy:latest";
+        ports = [
+          "10.20.40.104:${toString cfg.port}:80"
+        ];
+        environment = {
+          SECRET_KEY = cfg.secretKey;
+          DOMAIN_NAME = cfg.domainName;
+          POSTGRES_DB = cfg.postgresDb;
+          POSTGRES_USER = cfg.postgresUser;
+          POSTGRES_PASSWORD = cfg.postgresPassword;
+          POSTGRES_HOST = cfg.postgresHost;
+          POSTGRES_PORT = toString cfg.postgresPort;
+        };
+        volumes = [
+          "${cfg.dataDir}/media:/code/media"
+          "${cfg.dataDir}/static:/code/static"
+          "${cfg.dataDir}/caddy:/data"
+        ];
+        extraOptions = [ "--network=mathesar_network" ];
+      };
+    };
+  };
+}
--- a/common/_containers/pgadmin.nix
+++ b/common/_containers/pgadmin.nix
@ -0,0 +1,53 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.customServices.pgadmin;
+in
+{
+  options.customServices.pgadmin =
+    let
+      lib = pkgs.lib;
+    in
+    {
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 3085;
+        description = "Port number for the PGAdmin interface";
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/pgadmin";
+        description = "Directory to store PGAdmin data";
+      };
+    };
+
+  config = {
+    virtualisation.oci-containers.containers = {
+      #############
+      # pgadmin #
+      #############
+      # NOTE settings live in `/var/lib/librechat` manually right now
+      pgadmin = {
+        user = "root";
+        image = "dpage/pgadmin4:latest";
+        ports = [
+          "${toString cfg.port}:${toString cfg.port}"
+        ];
+        environment = {
+          PGADMIN_LISTEN_PORT = toString cfg.port;
+          PGADMIN_DEFAULT_EMAIL = "admin@db.joshuabell.xyz";
+          PGADMIN_DEFAULT_PASSWORD = "password";
+        };
+        volumes = [
+          "${cfg.dataDir}:/var/lib/pgadmin"
+        ];
+        extraOptions = [
+          "--network=host"
+        ];
+      };
+    };
+  };
+}
--- a/common/_containers/tests.nix
+++ b/common/_containers/tests.nix
@ -0,0 +1,39 @@
+{
+  ...
+}:
+{
+  options = { };
+
+  config = {
+    # Random test, visit http://192.168.100.11/
+    containers.wasabi = {
+      ephemeral = true;
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "192.168.100.2";
+      localAddress = "192.168.100.11";
+      config =
+        { config, pkgs, ... }:
+        {
+          system.stateVersion = "24.11";
+          services.httpd.enable = true;
+          services.httpd.adminAddr = "foo@example.org";
+          networking.firewall = {
+            enable = true;
+            allowedTCPPorts = [ 80 ];
+          };
+        };
+    };
+
+    virtualisation.oci-containers.containers = {
+      # Example of defining a container, visit http://localhost:8085/
+      "nginx_simple" = {
+        # autoStart = true; this is default true
+        image = "nginx:latest";
+        ports = [
+          "127.0.0.1:8085:80"
+        ];
+      };
+    };
+  };
+}
--- a/common/_home_manager/default.nix
+++ b/common/_home_manager/default.nix
@ -33,12 +33,6 @@ in
    home-manager.useGlobalPkgs = true;
    home-manager.backupFileExtension = "bak";

-    home-manager.sharedModules = [
-      ./programs/tmux/tmux.nix
-      ./programs/alacritty.nix
-      ./programs/atuin.nix
-    ];
-
    home-manager.users = lib.mapAttrs' (name: userConfig: {
      inherit name;
      value = userConfig // {
--- a/common/home_manager/programs/alacritty.nix
+++ b/common/home_manager/programs/alacritty.nix
@ -1,6 +1,7 @@
 { ... }:
 {
  programs.alacritty = {
+    enable = true;
    settings = {
      window = {
        decorations = "None";
--- a/common/home_manager/programs/atuin.nix
+++ b/common/home_manager/programs/atuin.nix
@ -1,13 +1,14 @@
 { ... }:
 {
  programs.atuin = {
+    enable = true;
    enableZshIntegration = true;
    flags = [ "--disable-up-arrow" ];
    settings = {
      workspaces = true;
      exit-mode = "return-query";
      enter_accept = true;
-      sync_address = "http://100.64.0.2:8888";
+      sync_address = "http://10.12.14.2:8888";
      sync = { records = true; };
    };
  };
--- a/common/home_manager/programs/direnv.nix
+++ b/common/home_manager/programs/direnv.nix
--- a/common/home_manager/programs/git.nix
+++ b/common/home_manager/programs/git.nix
--- a/common/home_manager/programs/kitty.nix
+++ b/common/home_manager/programs/kitty.nix
--- a/common/home_manager/programs/launcher_rofi.nix
+++ b/common/home_manager/programs/launcher_rofi.nix
--- a/common/home_manager/programs/nix_deprecations.nix
+++ b/common/home_manager/programs/nix_deprecations.nix
--- a/common/home_manager/programs/obs.nix
+++ b/common/home_manager/programs/obs.nix
--- a/common/home_manager/programs/postgres.nix
+++ b/common/home_manager/programs/postgres.nix
--- a/common/home_manager/programs/slicer.nix
+++ b/common/home_manager/programs/slicer.nix
--- a/common/home_manager/programs/ssh.nix
+++ b/common/home_manager/programs/ssh.nix
--- a/common/home_manager/programs/starship.nix
+++ b/common/home_manager/programs/starship.nix
--- a/common/home_manager/programs/tmux/tmux-reset.conf
+++ b/common/home_manager/programs/tmux/tmux-reset.conf
--- a/common/home_manager/programs/tmux/tmux.nix
+++ b/common/home_manager/programs/tmux/tmux.nix
@ -1,16 +1,11 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
+{ lib, pkgs, ... }:
 {
  # home manager doesn't give us an option to add tmux extra config at the top so we do it ourselves here.
-  xdg.configFile = lib.mkIf config.programs.tmux.enable {
-    "tmux/tmux.conf".text = (lib.mkBefore (builtins.readFile ./tmux-reset.conf));
-  };
+  xdg.configFile."tmux/tmux.conf".text = lib.mkBefore (builtins.readFile ./tmux-reset.conf);
+
+  programs.tmux = {
+    enable = true;

-  programs.tmux = lib.mkIf config.programs.tmux.enable {
    # Revisit this later, permission denied to make anything in `/run` as my user...
    secureSocket = false;

@ -74,7 +69,7 @@
    ];
  };

-  home.shellAliases = lib.mkIf config.programs.tmux.enable {
+  home.shellAliases = {
    t = "tmux";
    tat = "tmux attach-session";
  };
--- a/common/home_manager/programs/zoxide.nix
+++ b/common/home_manager/programs/zoxide.nix
--- a/common/home_manager/programs/zsh.nix
+++ b/common/home_manager/programs/zsh.nix
--- a/common/desktop_environment/default.nix
+++ b/common/desktop_environment/default.nix
@ -0,0 +1,30 @@
+{ config, lib, ... }:
+let
+  ccfg = import ../config.nix;
+  cfg = config.${ccfg.custom_config_key}.desktopEnvironment;
+in
+{
+  imports = [
+    ./gnome
+  ];
+  config = {
+    assertions = [
+      (
+        let
+          enabledDEs = lib.filter (x: x.enabled) [
+            {
+              name = "gnome";
+              enabled = cfg.gnome.enable;
+            }
+          ];
+        in
+        {
+          assertion = lib.length enabledDEs <= 1;
+          message =
+            "Only one desktop environment can be enabled at a time. Enabled: "
+            + lib.concatStringsSep ", " (map (x: x.name) enabledDEs);
+        }
+      )
+    ];
+  };
+}
--- a/common/desktop_environment/gnome/black.png
+++ b/common/desktop_environment/gnome/black.png
--- a/common/desktop_environment/gnome/dconf.nix
+++ b/common/desktop_environment/gnome/dconf.nix
@ -0,0 +1,206 @@
+{ cfg }:
+{
+  lib,
+  pkgs,
+  ...
+}:
+{
+  config = lib.mkIf cfg.enable {
+    home-manager.sharedModules = [
+      (
+        { lib, ... }:
+        with lib.hm.gvariant;
+        {
+          # use `dconf dump /` before and after and diff the files for easy editing of dconf below
+          #     dconf dump / > /tmp/dconf_dump_start && watch -n0.5 "dconf dump / > /tmp/dconf_dump_current && \diff --color /tmp/dconf_dump_start /tmp/dconf_dump_current -U12"
+          # To get nix specific diff:
+          #     \diff -u /tmp/dconf_dump_start /tmp/dconf_dump_current | grep '^+[^+]' | sed 's/^+//' | dconf2nix
+          # OR (Must be logged into user directly, no SU to user will work): `dconf watch /`
+          # OR get the exact converted nixConfig from `dconf dump / | dconf2nix | less` and search with forward slash
+          dconf.settings = {
+            "org/gnome/shell" = {
+              favorite-apps = [ ];
+              enabled-extensions = with pkgs.gnomeExtensions; [
+                vertical-workspaces.extensionUuid
+                compact-top-bar.extensionUuid
+                tray-icons-reloaded.extensionUuid
+                vitals.extensionUuid
+              ];
+            };
+
+            # Plugin Settings
+            "org/gnome/shell/extensions/vertical-workspaces" = {
+              animation-speed-factor = 42;
+              center-dash-to-ws = false;
+              dash-bg-color = 0;
+              dash-position = 2;
+              dash-position-adjust = 0;
+              hot-corner-action = 0;
+              startup-state = 1;
+              ws-switcher-wraparound = true;
+            };
+            "org/gnome/shell/extensions/compact-top-bar" = {
+              fade-text-on-fullscreen = true;
+            };
+            "org/gnome/shell/extensions/vitals" = {
+              position-in-panel = 1;
+            };
+
+            # Built in settings
+            "org/gnome/desktop/session" = {
+              idle-delay = mkUint32 0;
+            };
+            "org/gnome/desktop/wm/preferences" = {
+              resize-with-right-button = true;
+              button-layout = "maximize:appmenu,close";
+              audible-bell = false;
+              wrap-around = true;
+            };
+            "org/gnome/settings-daemon/plugins/media-keys" = {
+              # Disable the lock screen shortcut
+              screensaver = [ "" ];
+              custom-keybindings = [
+                "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/"
+                "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1/"
+              ];
+            };
+            "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
+              binding = "<Super>Return";
+              command = cfg.terminalCommand;
+              name = "Launch terminal";
+            };
+            "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom1" = {
+              binding = "<Super>Space";
+              command = "wofi";
+              name = "Launcher";
+            };
+            "org/gnome/desktop/wm/keybindings" = {
+              minimize = [ "" ];
+              move-to-workspace-1 = [ "" ];
+              move-to-workspace-2 = [ "" ];
+              move-to-workspace-3 = [ "" ];
+              move-to-workspace-4 = [ "" ];
+              move-to-workspace-last = [ "" ];
+              move-to-workspace-down = [ "<Control><Super>j" ];
+              move-to-workspace-up = [ "<Control><Super>k" ];
+              # move-to-workspace-left = [ "<Control><Super>h" ];
+              # move-to-workspace-right = [ "<Control><Super>l" ];
+              switch-input-source = [ ];
+              switch-input-source-backward = [ ];
+              switch-to-workspace-1 = [ "<Super>1" ];
+              switch-to-workspace-2 = [ "<Super>2" ];
+              switch-to-workspace-3 = [ "<Super>3" ];
+              switch-to-workspace-4 = [ "<Super>4" ];
+              switch-to-workspace-last = [ "" ];
+              switch-to-workspace-down = [ "<Super>j" ];
+              switch-to-workspace-up = [ "<Super>k" ];
+              # switch-to-workspace-left = [ "<Super>k" ];
+              # switch-to-workspace-right = [ "<Super>j" ];
+              # move-to-monitor-down = [ "<Control><Super><Shift>j" ];
+              # move-to-monitor-up = [ "<Control><Super><Shift>k" ];
+              move-to-monitor-left = [ "<Control><Super>h" ];
+              move-to-monitor-right = [ "<Control><Super>l" ];
+              unmaximize = [ "<Super><Shift>j" ];
+              maximize = [ "<Super><Shift>k" ];
+            };
+            "org/gnome/mutter" = {
+              dynamic-workspaces = true;
+              edge-tiling = true;
+              workspaces-only-on-primary = true;
+              center-new-windows = true;
+            };
+            "org/gnome/mutter/keybindings" = {
+              toggle-tiled-right = [ "<Super><Shift>l" ];
+              toggle-tiled-left = [ "<Super><Shift>h" ];
+            };
+            "org/gnome/settings-daemon/plugins/power" = {
+              power-button-action = "nothing";
+              sleep-inactive-ac-type = "nothing";
+              sleep-inactive-battery-type = "nothing";
+              idle-brightness = 15;
+              power-saver-profile-on-low-battery = false;
+            };
+            "org/gnome/desktop/background" = {
+              color-shading-type = "solid";
+              picture-options = "zoom";
+              picture-uri = "file://" + (./black.png);
+              picture-uri-dark = "file://" + (./black.png);
+              primary-color = "#000000000000";
+              secondary-color = "#000000000000";
+            };
+            "org/gnome/desktop/screensaver" = {
+              lock-enabled = false;
+              idle-activation-enabled = false;
+              picture-options = "zoom";
+              picture-uri = "file://" + (./black.png);
+              picture-uri-dark = "file://" + (./black.png);
+            };
+            "org/gnome/desktop/applications/terminal" = {
+              exec = "alacritty";
+            };
+            "org/gnome/settings-daemon/plugins/color" = {
+              night-light-enabled = false;
+              night-light-schedule-automatic = false;
+            };
+            "org/gnome/shell/keybindings" = {
+              shift-overview-down = [ "" ];
+              shift-overview-up = [ "" ];
+              switch-to-application-1 = [ "" ];
+              switch-to-application-2 = [ "" ];
+              switch-to-application-3 = [ "" ];
+              switch-to-application-4 = [ "" ];
+              switch-to-application-5 = [ "" ];
+              switch-to-application-6 = [ "" ];
+              switch-to-application-7 = [ "" ];
+              switch-to-application-8 = [ "" ];
+              switch-to-application-9 = [ "" ];
+              toggle-quick-settings = [ "" ];
+              toggle-application-view = [ "" ];
+            };
+            "org/gtk/gtk4/settings/file-chooser" = {
+              show-hidden = true;
+            };
+
+            "org/gnome/desktop/interface" = {
+              accent-color = "orange";
+              show-battery-percentage = true;
+              clock-show-date = true;
+              clock-show-seconds = true;
+              clock-show-weekday = true;
+              color-scheme = "prefer-dark";
+              cursor-size = 24;
+              enable-animations = true;
+              enable-hot-corners = false;
+              font-antialiasing = "grayscale";
+              font-hinting = "slight";
+              gtk-theme = "Adwaita-dark";
+              # icon-theme = "Yaru-magenta-dark";
+            };
+
+            "org/gnome/desktop/notifications" = {
+              application-children = [ "org-gnome-tweaks" ];
+            };
+
+            "org/gnome/desktop/notifications/application/org-gnome-tweaks" = {
+              application-id = "org.gnome.tweaks.desktop";
+            };
+
+            "org/gnome/desktop/peripherals/mouse" = {
+              natural-scroll = false;
+            };
+
+            "org/gnome/desktop/peripherals/touchpad" = {
+              disable-while-typing = true;
+              two-finger-scrolling-enabled = true;
+              natural-scroll = true;
+            };
+
+            "org/gnome/tweaks" = {
+              show-extensions-notice = false;
+            };
+          };
+        }
+      )
+    ];
+  };
+}
--- a/common/desktop_environment/gnome/default.nix
+++ b/common/desktop_environment/gnome/default.nix
@ -0,0 +1,84 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ccfg = import ../../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "desktopEnvironment"
+    "gnome"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+with lib;
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "gnome desktop environment";
+      terminalCommand = mkOption {
+        type = lib.types.str;
+        default = "kitty";
+        description = "The terminal command to use.";
+      };
+    };
+
+  imports = [
+    (import ./dconf.nix { inherit cfg; })
+    (import ./wofi.nix { inherit cfg; })
+  ];
+
+  config = lib.mkIf cfg.enable {
+    services.xserver = {
+      enable = true;
+      desktopManager.gnome.enable = true;
+      displayManager.gdm = {
+        enable = true;
+        autoSuspend = false;
+        wayland = true;
+      };
+    };
+    services.gnome.gnome-initial-setup.enable = false;
+
+    environment.gnome.excludePackages = with pkgs; [
+      gnome-backgrounds
+      gnome-video-effects
+      gnome-maps
+      gnome-music
+      gnome-tour
+      gnome-text-editor
+      gnome-user-docs
+    ];
+    environment.systemPackages = with pkgs; [
+      dconf-editor
+      dconf2nix
+      gnome-tweaks
+      wayland
+      wayland-utils
+      xwayland
+      wl-clipboard
+      numix-cursor-theme
+      gnomeExtensions.vertical-workspaces
+      gnomeExtensions.compact-top-bar
+      gnomeExtensions.tray-icons-reloaded
+      gnomeExtensions.vitals
+    ];
+    environment.sessionVariables = {
+      NIXOS_OZONE_WL = "1";
+      GTK_THEME = "Adwaita:dark";
+    };
+
+    qt = {
+      enable = true;
+      platformTheme = "gnome";
+      style = "adwaita-dark";
+    };
+
+    hardware.graphics = {
+      enable = true;
+    };
+  };
+}
--- a/common/desktop_environment/gnome/wofi.css
+++ b/common/desktop_environment/gnome/wofi.css
@ -0,0 +1,51 @@
+window {
+  margin: 0px;
+  border: 1px solid #171717;
+  background-color: #262626;
+}
+
+#input {
+  margin: 5px;
+  border: none;
+  color: #e0e0e0;
+  background-color: #1f1f1f;
+}
+
+#inner-box {
+  margin: 5px;
+  border: none;
+  background-color: #171717;
+}
+
+#outer-box {
+  margin: 5px;
+  border: none;
+  background-color: #191919;
+}
+
+#scroll {
+  margin: 0px;
+  border: none;
+}
+
+#text {
+  margin: 5px;
+  border: none;
+  color: #e0e0e0;
+}
+
+#entry.activatable #text {
+  color: #cccccc;
+}
+
+#entry>* {
+  color: #e0e0e0;
+}
+
+#entry:selected {
+  background-color: #4f4f4f;
+}
+
+#entry:selected #text {
+  font-weight: bold;
+}
--- a/common/desktop_environment/gnome/wofi.nix
+++ b/common/desktop_environment/gnome/wofi.nix
@ -0,0 +1,31 @@
+{ cfg }:
+{ lib, ... }:
+{
+  config = lib.mkIf cfg.enable {
+    home-manager.sharedModules = [
+      (
+        { lib, ... }:
+        {
+          programs.wofi = {
+            enable = true;
+            settings = {
+              width = "28%";
+              height = "38%";
+              show = "drun";
+              location = "center";
+              gtk_dark = true;
+              valign = "center";
+              key_backward = "Ctrl+k";
+              key_forward = "Ctrl+j";
+              insensitive = true;
+              prompt = "Run";
+              allow_images = true;
+            };
+            style = builtins.readFile ./wofi.css;
+          };
+        }
+      )
+    ];
+
+  };
+}
--- a/common/flake.nix
+++ b/common/flake.nix
@ -10,6 +10,7 @@
  outputs =
    {
      home-manager,
+      ragenix,
      ...
    }:
    {
@ -23,14 +24,44 @@
          {
            imports = [
              home-manager.nixosModules.home-manager
+              ragenix.nixosModules.age
+              ./_home_manager
              ./options.nix
              ./general
-              ./home_manager
              ./boot
+              ./desktop_environment
              ./users
              ./programs
+              ./secrets
            ];
+            config = {
+              _module.args = {
+                inherit ragenix;
+              };
+            };
          };
+        containers = {
+          librechat = import ./_containers/librechat.nix;
+        };
+      };
+      homeManagerModules = {
+        zsh = import ./_home_manager/mods/zsh.nix;
+        tmux = import ./_home_manager/mods/tmux/tmux.nix;
+        atuin = import ./_home_manager/mods/atuin.nix;
+        zoxide = import ./_home_manager/mods/zoxide.nix;
+        starship = import ./_home_manager/mods/starship.nix;
+        direnv = import ./_home_manager/mods/direnv.nix;
+        ssh = import ./_home_manager/mods/ssh.nix;
+        git = import ./_home_manager/mods/git.nix;
+        nix_deprecations = import ./_home_manager/mods/nix_deprecations.nix;
+
+        launcher_rofi = import ./_home_manager/mods/launcher_rofi.nix;
+
+        alacritty = import ./_home_manager/mods/alacritty.nix;
+        kitty = import ./_home_manager/mods/kitty.nix;
+        obs = import ./_home_manager/mods/obs.nix;
+        postgres = import ./_home_manager/mods/postgres.nix;
+        slicer = import ./_home_manager/mods/slicer.nix;
      };
    };
 }
--- a/common/general/default.nix
+++ b/common/general/default.nix
@ -53,10 +53,17 @@ in
      };
      enableSleep = lib.mkEnableOption (lib.mdDoc "Enable auto sleeping");
    };
+  imports = [
+    ./shell/common.nix
+    ./fonts.nix
+    ./tty_caps_esc.nix
+  ];
  config = {
    # name this computer
    networking = {
      hostName = top_cfg.systemName;
+      nftables.enable = true;
+      firewall.enable = true;
    };

    # Enable flakes
@ -115,6 +122,10 @@ in
      ) "!include ${config.age.secrets.github_read_token.path}"}
    '';

+    # Enable zsh
+    programs.zsh.enable = true;
+    environment.pathsToLink = [ "/share/zsh" ];
+
    # nix helper
    programs.nh = {
      enable = true;
--- a/common/general/fonts.nix
+++ b/common/general/fonts.nix
@ -0,0 +1,22 @@
+{
+  pkgs,
+  ...
+}:
+let
+  hasNewJetbrainsMono =
+    if builtins.hasAttr "nerd-fonts" pkgs then
+      builtins.hasAttr "jetbrains-mono" pkgs."nerd-fonts"
+    else
+      false;
+
+  jetbrainsMonoFont =
+    if hasNewJetbrainsMono then
+      pkgs.nerd-fonts.jetbrains-mono
+    else
+      (pkgs.nerdfonts.override { fonts = [ "JetBrainsMono" ]; });
+in
+{
+  config = {
+    fonts.packages = [ jetbrainsMonoFont ];
+  };
+}
--- a/common/general/shell/common.nix
+++ b/common/general/shell/common.nix
@ -0,0 +1,66 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+{
+  config = {
+    environment.systemPackages = with pkgs; [
+      # Basics
+      vim
+      nano
+      wget
+      curl
+      fastfetch
+      bat
+      htop
+      unzip
+      git
+      fzf
+      ripgrep
+      lsof
+      killall
+      hdparm
+      speedtest-cli
+      ffmpeg-full
+      appimage-run
+    ];
+
+    environment.shellAliases = {
+      n = "nvim";
+      nn = "nvim --headless '+SessionDelete' +qa > /dev/null 2>&1 && nvim";
+      bat = "bat --theme Coldark-Dark";
+      cat = "bat --pager=never -p";
+      # TODO this may not be needed now that I am using `nh` clean mode (see /hosts/_common/configuration.nix#programs.nh)
+      nix-boot-clean = "find '/boot/loader/entries' -type f ! -name 'windows.conf' | head -n -4 | xargs -I {} rm {}; nix store gc; nixos-rebuild boot; echo; df";
+
+      # general unix
+      date_compact = "date +'%Y%m%d'";
+      date_short = "date +'%Y-%m-%d'";
+      ls = "ls --color -Gah";
+      ll = "ls --color -Galh";
+      lss = "du --max-depth=0 -h * 2>/dev/null | sort -hr";
+      psg = "ps aux | head -n 1 && ps aux | grep -v 'grep' | grep";
+      cl = "clear";
+
+      # git
+      stash = "git stash";
+      pop = "git stash pop";
+      branch = "git checkout -b";
+      status = "git status";
+      diff = "git diff";
+      branches = "git branch -a";
+      gcam = "git commit -a -m";
+      gcm = "git commit -m";
+      stashes = "git stash list";
+
+      # ripgrep
+      rg = "rg --no-ignore";
+      rgf = "rg --files 2>/dev/null | rg";
+    };
+
+    environment.shellInit = builtins.readFile ./common.sh;
+  };
+}
--- a/common/general/shell/common.sh
+++ b/common/general/shell/common.sh
@ -0,0 +1,176 @@
+# Check if ~/.config/environment exists and source all files within it
+if [ -d "$HOME/.config/environment" ]; then
+  for file in "$HOME/.config/environment/"*; do
+    if [ -r "$file" ]; then
+      if ! . "$file"; then
+        echo "Failed to source $file"
+      fi
+    fi
+  done
+fi
+
+# Basics
+htop_psg () {
+  htop -p $(psg $1 | awk '{r=r s $2;s=","} END{print r}')
+}
+
+htop_pid () {
+  htop -p $(ps -ef | awk -v proc=$1 '$3 == proc { cnt++;if (cnt == 1) { printf "%s",$2 } else { printf ",%s",$2 } }')
+}
+
+psg_kill() {
+  ps aux | grep -v "grep" | grep "${1}" | awk '{print $2}' | while read -r pid; do
+    if [ -n "${pid}" ]; then
+      echo "killing ${pid}"
+      kill -9 "${pid}" &> /dev/null
+    fi
+  done
+}
+
+psg_terminate() {
+  ps aux | grep -v "grep" | grep "${1}" | awk '{print $2}' | while read -r pid; do
+    if [ -n "${pid}" ]; then
+      echo "Terminating ${pid}"
+      kill -15 "${pid}" &> /dev/null
+    fi
+  done
+}
+
+psg_skill() {
+  ps aux | grep -v "grep" | grep "${1}" | awk '{print $2}' | while read -r pid; do
+    if [ -n "${pid}" ]; then
+      echo "Killing ${pid}"
+      sudo kill -9 "${pid}" &> /dev/null
+    fi
+  done
+}
+
+mail_clear() {
+  : > /var/mail/$USER
+}
+
+speedtest_fs () {
+  dir=$(pwd)
+  drive=$(df -h ${dir} | awk 'NR==2 {print $1}')
+  echo Testing read speeds on drive ${drive}
+  sudo hdparm -Tt ${drive}
+  test_file=$(date +%u%m%d)
+  test_file="${dir}/speedtest_fs_${test_file}"
+  echo
+  echo Testing write speeds into test file: ${test_file}
+  dd if=/dev/zero of=${test_file} bs=8k count=10k; rm -f ${test_file}
+}
+
+speedtest_internet () {
+  speedtest-cli
+}
+
+# git
+getdefault () {
+  git remote show origin | grep "HEAD branch" | sed 's/.*: //'
+}
+
+master () {
+  git stash
+  git checkout $(getdefault)
+  pull
+}
+
+mp () {
+  master
+  prunel
+}
+
+pullmaster () {
+  git pull origin $(getdefault)
+}
+
+push () {
+  B=$(git branch | sed -n -e 's/^\* \(.*\)/\1/p')
+  git pull origin $B
+  git push origin $B --no-verify
+}
+
+pull () {
+  git fetch
+  B=$(git branch | sed -n -e 's/^\* \(.*\)/\1/p')
+  git pull origin $B
+}
+
+forcepush () {
+  B=$(git branch | sed -n -e 's/^\* \(.*\)/\1/p')
+  git push origin $B --force
+}
+
+remote_branches () {
+  git branch -a | grep 'remotes' | grep -v -E '.*(HEAD|${DEFAULT})' | cut -d'/' -f 3-
+}
+
+local_branches () {
+  git branch -a | grep -v 'remotes' | grep -v -E '.*(HEAD|${DEFAULT})' | grep -v '^*' |  cut -d' ' -f 3-
+}
+
+prunel () {
+  git fetch
+  git remote prune origin
+
+  for local in $(local_branches); do
+    in=false
+    for remote in $(remote_branches); do
+      if [[ ${local} = ${remote} ]]; then
+        in=true
+      fi
+    done;
+    if [[ $in = 'false' ]]; then
+      git branch -D ${local}
+    else
+      echo 'Skipping branch '${local}
+    fi
+  done;
+}
+
+checkout () {
+  git fetch
+  git checkout $1
+  pull
+}
+
+from_master () {
+  git checkout $(getdefault) $@
+}
+
+
+# nix
+alias nixpkgs=nixpkg
+nixpkg () {
+  if [ $# -eq 0 ]; then
+    echo "Error: No arguments provided. Please specify at least one package."
+    return 1
+  fi
+  cmd="nix shell"
+  for pkg in "$@"; do
+    cmd="$cmd \"nixpkgs#$pkg\""
+  done
+  eval $cmd
+}
+
+# Marks some files as in "git" but they won't actually get pushed up to the git repo
+# Usefull for `gintent .envrc flake.lock flake.nix` to add nix items required by flakes in a git repo that won't want flakes added
+gintent() {
+    for file in "$@"; do
+        if [ -f "$file" ]; then
+            git add --intent-to-add "$file"
+            git update-index --assume-unchanged "$file"
+            echo "Intent added for $file"
+        else
+            echo "File not found: $file"
+        fi
+    done
+}
+alias gintentnix="gintent .envrc flake.lock flake.nix"
+
+
+# Aider
+aider () {
+  http_proxy="" all_proxy="" https_proxy="" AZURE_API_BASE=http://100.64.0.8 AZURE_API_VERSION=2024-02-15-preview AZURE_API_KEY=1 nix run "nixpkgs#aider-chat" -- aider --dark-mode --no-gitignore --no-check-update --no-auto-commits --model azure/gpt-4o-2024-05-13 $@
+}
--- a/common/general/tty_caps_esc.nix
+++ b/common/general/tty_caps_esc.nix
@ -0,0 +1,16 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+{
+  config = {
+    services.xserver.xkb.options = "caps:escape";
+    console = {
+      earlySetup = true;
+      packages = with pkgs; [ terminus_font ];
+      useXkbConfig = true; # use xkb.options in tty. (caps -> escape)
+    };
+  };
+}
--- a/common/programs/docker.nix
+++ b/common/programs/docker.nix
@ -1,7 +1,6 @@
 {
  config,
  lib,
-  pkgs,
  ...
 }:
 let
@ -12,7 +11,6 @@ let
    "docker"
  ];
  cfg = lib.attrsets.getAttrFromPath cfg_path config;
-
  users_cfg = config.${ccfg.custom_config_key}.users;
 in
 {
--- a/common/programs/ssh.nix
+++ b/common/programs/ssh.nix
@ -12,6 +12,7 @@ let
    "ssh"
  ];
  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+  users_cfg = config.${ccfg.custom_config_key}.users;
 in
 {
  options =
@ -87,8 +88,6 @@ in
          fi
        '';
      };
-    }) config.mods.common.users;
-
+    }) users_cfg.users;
  };
-
 }
--- a/common/secrets/default.nix
+++ b/common/secrets/default.nix
@ -0,0 +1,91 @@
+{
+  config,
+  ragenix,
+  pkgs,
+  ...
+}:
+
+let
+  ccfg = import ../config.nix;
+  users_cfg = config.${ccfg.custom_config_key}.users;
+in
+# TODO auto import secret files here
+# secretsFile = (settings.secretsDir + /secrets.nix);
+{
+  environment.systemPackages = [
+    ragenix.packages.${pkgs.system}.default
+    pkgs.rage
+  ];
+
+  age = {
+    secrets =
+      # builtins.mapAttrs
+      #   (name: _value: lib.nameValuePair (lib.removeSuffix ".age" name) {
+      #     file = (settings.secretsDir + "/${name}");
+      #     owner = lib.mkDefault users_cfg.primary;
+      #   })
+      #   (import secretsFile);
+      {
+        nix2github = {
+          file = ./secrets/nix2github.age;
+          owner = users_cfg.primary;
+        };
+        nix2bitbucket = {
+          file = ./secrets/nix2bitbucket.age;
+          owner = users_cfg.primary;
+        };
+        nix2gitjosh = {
+          file = ./secrets/nix2gitjosh.age;
+          owner = users_cfg.primary;
+        };
+        nix2h001 = {
+          file = ./secrets/nix2h001.age;
+          owner = users_cfg.primary;
+        };
+        nix2h002 = {
+          file = ./secrets/nix2h002.age;
+          owner = users_cfg.primary;
+        };
+        nix2joe = {
+          file = ./secrets/nix2joe.age;
+          owner = users_cfg.primary;
+        };
+        nix2gpdPocket3 = {
+          file = ./secrets/nix2gpdPocket3.age;
+          owner = users_cfg.primary;
+        };
+        nix2t = {
+          file = ./secrets/nix2t.age;
+          owner = users_cfg.primary;
+        };
+        nix2linode = {
+          file = ./secrets/nix2linode.age;
+          owner = users_cfg.primary;
+        };
+        nix2oracle = {
+          file = ./secrets/nix2oracle.age;
+          owner = users_cfg.primary;
+        };
+        nix2l002 = {
+          file = ./secrets/nix2l002.age;
+          owner = users_cfg.primary;
+        };
+        nix2lio = {
+          file = ./secrets/nix2lio.age;
+          owner = users_cfg.primary;
+        };
+        nix2oren = {
+          file = ./secrets/nix2oren.age;
+          owner = users_cfg.primary;
+        };
+        github_read_token = {
+          file = ./secrets/github_read_token.age;
+          owner = users_cfg.primary;
+        };
+        headscale_auth = {
+          file = ./secrets/headscale_auth.age;
+          owner = users_cfg.primary;
+        };
+      };
+  };
+}
--- a/common/secrets/secrets/github_read_token.age
+++ b/common/secrets/secrets/github_read_token.age
@ -0,0 +1,35 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBvUXpV
+T1BVTDlKcUxjNmwzVWpPM3VtcUVrRWZJVXk3Vm81UHJMSGpMNlJ3Cld5NlV2Z25M
+cmZvZWNrRjJOU2dkVmVCRDQzMWowZnhyTHZrT1dhbDdnOU0KLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIDRicG5Pa2FXVERYdGVyVTZoYkcyWkJjbGRNSHJDeUJjRjVjUlI0
+RjdOMTAKdVN4SWI0L2dibVpxVy9hOGJTSEpxcEoxbSthTEZiQjB2WDUyT2VNdGI1
+WQotPiBzc2gtZWQyNTUxOSBTcENqQlEgdFFzK055WkFPYXIxbzZxT3YwZDdWd3hN
+eU9XRXN1L2NKL2hTL0RVbnJTWQpveUcwanNRaHU2ZTVOQzBvcHY5NXhVZEU1a0Vr
+K2hnOFU3RnJSWEZvWElnCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBqb1YzcnQrQlhS
+eklJTlgrVmRuc0JCTDBZK2VKdGRUTW90djNVeCtya0FRCkc2VStHa1AxRTd0M3c2
+dHR4NXZJWXp3MVNqai96Z21pT09OT3dqZ09BSFkKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIGhneFBKSlNhN1V6NFpRaDlOd2hmWnNjWUkrTDEzSVRsTkxCT1FadDdCVE0K
+dU40YlFjR0cyWjdBQXJDbGJYY0xsSmw0VGM3ZlZwVlpyT3hNeG1YL0IrcwotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgQ0FkQzl5T2J0UHBFaXpuc0xuaXdndmcrNDJKNGFV
+NHFqcy9Uay9GdUNIdwp4WTBrUkN0SkFuKzZxRUt5aVJ4VTQxUmthQjFEL2NQcTVx
+STg3SkdlK0hFCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSBTcjRsUi9xb3g0TjRuUEQ1
+WVVrVEZsMlRHeklKdG1wVVgvR3pwS0JwWFJNCjF3RTF0WHB2cUxJc2FvM3g2ZG1H
+Um0wRHBNaWdpaEhPZ3dIMnBsbURGd3MKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIG1a
+T0loVjRjTGF3S0NzZm5LUC9UZG9pMmhQQ2kzV2E2SFdTM2hXMUtCZzgKMCtDeUk5
+Tk1RZjhMc2dBZ0IydmZSWm5kcFFIQXAyUHI5MHFCSzZKM0RkUQotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgZlAvRWJUaDRQQW44QkM0Q1BjTWNuOVJ1MEU3K1VkeDZRanB4
+RlR6Sk9nbwpkOWlPS1J4SE81M0dwS0Q5RHZ6cURSOWFBcEFUQWo5a3ZFekJZWXA2
+eDlrCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyBrbGNsWWRyL2dzMzJucHJia0JzTWl4
+TkhIWjF6N2tIcit3eUpMWjMvYW00CmxZNFo4NG9Tb2dDOE1yNTFsSVd3TFlCMTB1
+bEUzOUM2M0c4VlhRbG9JRzQKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIGlQUWlrbjZn
+NGF2QUsybU9WckJNZ05xTnVMZ25aM3RBYmViMW1hVE5UekUKY1Q2VGF6WUVacW4v
+SXY5NjAwaUFkLzhYSktzdmV4SHRjMGY3WVhMckthTQotPiBpQDZ7azFMKC1ncmVh
+c2UgO3sgdwphUEphdmhoTVRTSGJubjBOdmlLQ2JITUoxTTdUMlBEMVJXQTAvaGlI
+U1IvdUFsZ3hVQlZ4RTYzZGNGTE10KytwCnVybzhzeUxRVmNuQW9RCi0tLSBLU3hj
+ck90ZnVRTlViOW9MSStaOXk1S3VQblFjZTUrU1cyVnMxYjBmeDRFCsP4KaZlgIzG
+0xW6BPaEq//3Yi31/ZUZP1ebdyomMaR9SY6ejwG0xLKAGdE12M+g0+YaVJnvHr46
+R4f4rdxeexGMqs+8X2LE4jb4Z1MMKb4mRFlUWSg8g3ejFld59ZDP8MXCNf16Fvek
+Sz1fbg5fycapU5WBfpKkNq3d3j7YCWd4oSe/pgfZQZv7lBeEmyLeFmdmUZ9yLPgs
+Tw==
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/headscale_auth.age
+++ b/common/secrets/secrets/headscale_auth.age
@ -0,0 +1,34 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USA4bmJO
+dWh4c2xlK3NzU09YSXBkaE9YN1h6Tm4wUGJYRnV0bkJYczZCbUdnCkZVQUl0L21w
+S0F3OVE1WnFuRjRkaHNOOHFXdjZURE8xVjh6RWxmY0htNkEKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIGRjRHZlUVBjbyt1OWtpUkJuZENXRzlVa1c2dTNLSktQZEFjdVFn
+UmVkREkKL2VOMk9lajBMRG1wUnNqVW5RdWw4aFpITTFwQ2dta0VYRkhpSGJYWTd5
+RQotPiBzc2gtZWQyNTUxOSBTcENqQlEgU1dTd25VYmtQWllLSmsrT2VOY3pPckcx
+VFd3ZGNnQXZqTGdDWmJFdE94cwp1YmhnVkJrY3R3ZVg1R2NleXFWVW4wY0R6NnVh
+ZnB4WE1JVUx2eFIvRCtNCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBERDhRWjNJTEV5
+QzJLYU1FajBCMkhNQTRocHQ2L3J2OGJIanhPVm5tREJFCk5YNmRtYlZBT2tYVFhQ
+enBRclNsbjFKUTZ0TTlGWU1lL3J6UllkVTVkZkEKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIEc5OGc0eGJyTkhuTlR0Tjl1b3gzak80amNSQ2daMkVyQmdtQm9BQ0QwRk0K
+dktDeDVaU1EzVWxMNjdrZFZiTWpFbTRzRHdXV3VXSUtldDRCM3hoR1llUQotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgTTF6R2M0bE1jaEhsUWpCNS9hMk9iTGpvSk5Cc0N1
+RVFlSGVCbzNZOGdBdwo2TjAvblNzTFA5bXduRGF2eXJkcUlTalBqTkw5L3pmcW9v
+Rk94RkNndld3Ci0+IHNzaC1lZDI1NTE5IFJvWDVQUSAybWw1YVdmdXdLaXkwd0g2
+MHNSeDZRVHNoVW5sbzZxRnVJaDgzWlBVckVrCml6TldTSTNZMGk5V1E2cyttRGo4
+WXI3RUhFc2g2enNyb0xzaEY0aHE4YVkKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIEl1
+MXJoanFhZWxISzlycS9lZExpUjdJVnZKNlF0SDQ5NjBOVTJzUnhlVVkKS1Vla1U0
+MFNsSXVOSkhlTmdhdks0WW9kUkVDZ3RvbzNBNExjRmMrTVF6VQotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgS3VqejY5QmczdzBWUGJ0eWVRaTZtRGZZOGJDWlhPV3NkRnlN
+MlBRK3NYQQpaZlVHTjEwM0UvM2tJRytmNldVenlmV2hsY1pvcFI1Zm84cmlkTWdU
+YzVnCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyA2T2pnbjl2eXhiQXdzSVVFa0dJZkMr
+T1drclJaa3MvYlJta05vTW9Jb0JNCmV5cHdCYXJxYVlNZEhiVXpxbHJMM2VyNXhr
+aDVERzJTMzMwcjdJZ0Nlc1UKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIEZIbkx1WnpW
+Y0lFRHNsc05Sd0l1T1FNb1FjOTA4cHNjTVV4cjMyYUg1MXcKZXJWaEJNMzRuY3Nj
+VWZXbEZuUlVsNTU0UjdJUktFN2Y4SnZjVW9nV3RETQotPiBhWC1ncmVhc2UgVjlc
+SSAiIjVVZyBEcmhBTyA4X216CmtaUkxGRWJvSEhWUit1b2RxUHpLOENpN0RxeEVE
+NnJqeDQxeUk1enlmSEk0cjVicGZianV1dHl0T1NYWGFjUHAKaEJ5ek5DUThzQWhl
+ZjJLUUYydC9WbmNmTXZkS2V4YwotLS0gQytLV0dGMGJTVSt0dndhQnVHYXA0SnlR
+eElSOGJJZ0xJczNvczRqMGhRdwrVisqYWHfJRTEfdkpjjJxfRdEXBU9cQpCAm4vg
+Z/ys+RbW6dWBgz1PFAsf9F97z+LRBUE/A+aWViiFHXwFFV+PIRi5wtgR3xYRwjPU
+Qw11Ik=
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2bitbucket.age
+++ b/common/secrets/secrets/nix2bitbucket.age
@ -0,0 +1,41 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USB1VGtY
+MEdOWlZaSC9LMU82aWU4RkVQUEtmNXNtRE5jakhJOXRYelNNN3d3CnBBb1FQZ1Bm
+ZU9WWSszT1FUL0F1RDZ2anZRUU56d0lMeEhWN3Y3VjJjTWcKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIEI4dzI2U1FkM0I5a3FjbWc5MEs5aEFPVWhCODcwaFpNZ1RYZnZQ
+bm15aVkKSUNYNjJjOHoreUJ0WUZEVjU0MTd3WXJ6VnNRM2ZlTE5UczdJQXRZN3p2
+OAotPiBzc2gtZWQyNTUxOSBTcENqQlEgNzFnd0JvbWxjSjJRYTR5REQweThRNjcy
+NldVeWVsTHRkempzRHJnRWczZwpHTENSd01zejhkdWFIVlNvVTc0UWVwY3ROMFR0
+VktXSDRCOG54R0d6WE9vCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBWZmdhZmpSaEVR
+d2tFbzhlOEVBdEIvM3pYWDczR1dRMWZrY2ZDVGx4bnlvCnk2Q0JGcUl6bnl5VlMy
+RjBIODI3dXdtb2JtSjJkT2huaFAvM20vM3VJOVUKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIFdleE1tMHNKVWVvTzMzTzV1R1lUeDB6VW9LTE43SEVLelJENXUvZHp0VkEK
+a1ZUTnQ5dEZHZGFuWnlJeHpKNHZ4SlFoaGgzakcvU24xNzZoRW5Xbk9DNAotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgUGhOV0dwNnl2SjdSb3RiZnNRYnFTa1lVN21XMEhV
+RU95QUkxZWRhajNWNApFZFd6OUpXREE2cnlGNmpLMlMzbVZYWFYwVzBBUlduOVcw
+OXpoZ3g0L2x3Ci0+IHNzaC1lZDI1NTE5IFJvWDVQUSBDcmQ2bVhhTkQ5OUIxMTZZ
+OUQzMG5senZoUWo0Yll2enpVcU1LVS9mRFhnClE4K3RLUVlQbk9lMkh4R1B6U2w4
+ajVFODBKUUhqdjlOdENubzNLNmg3RUEKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIEgw
+dVViclNkMEhibHlQOE4waGdjdE9TaTByOE1jTkdlZ05Jc0FvWUUxaWcKVnd5WVY2
+RzBGZ3RMY2xUWlFsMVdVTnYrQXBlbHVmMXpOaVlCU3JkQm5FMAotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgcWRmSndkbm5VUXZhanZ2ZTZpU1NIT1cxbE9LcjVJOEh4Ymhy
+aU5TYjN5dwpWNXRJQnEzOXdEOTQvM0U1WDhtMmY0NlArYzcvNTIyS1FRa3dOSGQ4
+Nmc4Ci0+IHNzaC1lZDI1NTE5IDVhZHFNZyBsV09IOGc2QWEyUm9ZL2tMTkRvTVdj
+NEhIeVptanRYNlV6WC9kTzh1aERnClN3cHFiTnlQOU15QUNkTWwwdGUwTDR1V29J
+VnNUV29MblRMUVNYaG1oYW8KLT4gc3NoLWVkMjU1MTkgWmUxTXdRIE5OSmxxWnd0
+Q25LdnBIa00yQ0twTmRUVnJDdUxnWGJNS2xYYUQyeDByZ2sKTEhlbEpaVEVsaUlW
+L3NSdXRwZkVHQVE3a1VZYU5pbi9TN1VSUGRGU0hFSQotPiAmLWdyZWFzZSA2dmVb
+T2I7WiBpIFYvIEBSTgpkTFNQUmxZMUFlcDRBUm9EaDhXU0V6emRtN1ljelZLUnVj
+SDVUM2ttU0l3UFh0VnJrdnlkVmRCKzJJV2ExalZOCjhDMWFkUEVjcmRSV0xRemdJ
+Y2xFUTJMaWZhTkYwSlhuMURlSGorZnBDMndWRGZqZG1xS3NSeDAKLS0tIFJScFFC
+OXRBK3NZbFRiZ2RmVTlhWTBaRWh0Q210VjdpZmlvY25VKzl5eWMK0R3SnMZjeShA
+rJ3mEOEIdaz5zvTnRkVvRaMOeSVBERJjm2pP3onTdwWPtr3hYUXWOBiaGJm3UVgt
+XV5rymdIWgDFPJQimxlsOQYWS2DAP08fa70OHNake1DGcnAShZbndv5XO+cM1WKS
+Fjy+/chkTJQAg7Il2NwheMV1m4zST3J0M2b2lTrIPqo/y1zH08OJAEWYRZrGmpDh
+4cqLt3B5aF7hmgFwS1EHg0gygjtg2GbL33XgjONPmL02TbLYMH+lCTTGfrH7NTQx
+06ixXsd+dkMu0SmUX3mKit5/ghNFpCNBOL/ptMJ/T10ryvjeZWHmYe+HlJhC9ncY
+rjjRwFXGGbU6RnzHoZ2I8C70/h3Tu0KXOHhxHG37EJ7PX7MnAWISAugNwGof/0kB
+DbAEw8FRCerrNdcCcTKXIIKCn5xNe3lCDZMtz1axUnN/POQ3uoynGy5LOtG6mwZr
+dIKFY0DLW6Vo2cdr4g/+fCcTXWAhE///kNaL6kUDJemf+L8hH7ZOmGW+udkvl6vq
+2Hc09/FWczLSfEaM+idz5D53gx7ehd/98EPs95AQiraBiB0aaDw=
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2github.age
+++ b/common/secrets/secrets/nix2github.age
@ -0,0 +1,42 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USA3Sjdp
+bmxNOUlJbU14cWc1eU53dGQxQjhjbElZVEhKQVUwYVhXVy9QckJnCldnV2tiVnZx
+UUdRQ1FsN1FuOVRHRDB2WUpvRUM2ZHRWbGtGeXJRdUZ4cDQKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIDBLc0ZZR3RvczVHUzY2bklhWnhqWnJVbkp2bFVLM2hQQXg5V3I3
+Z2Vpd0kKYlNMcnNweVlIYjk1U3lBelo1WmxWaFRRMVlRNkswcEZBQTVlTzVFaFVK
+WQotPiBzc2gtZWQyNTUxOSBTcENqQlEgRDNzeGsrTU1FckJJeFFja1hTbFU3cVVt
+Z29ydW1tOVAxVGlCUVluMW1FTQpzRGU3eDYvMGdUdi9ERDRTNWI0aHdkR0gxL21Y
+R1J1cTliVTRZYXdIM0p3Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBmWTVGc2I0ZnJN
+UDAxbHp5c0xJelhrTTMrdnQyR3FtUDZNVFhYY05PMDJJCjFHVU4yVWkrNm9KZ3pC
+Tll6R3FiQUVCTndYRlBzeUNmMTlDU0NHRVYzZ3cKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIEltakJ0Qlo3cXdCb01lYUNXQ3VyTkJwd2cwT3BpNXhOR2Yvd0ltSThRQ0UK
+enp5cW9nMDhRQmNFWjNjb1NTMTVhejliODZCSWcwcmlpb3lQYnRIbCthQQotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgSXhwL01Ca2xpZkVkNVp2ODVidWlhU0FISy9tQ3dO
+YWRMWkdlc1JjVVBtdwpsZGV3dmZteFVvR0tZeWhDM3kwb1dua3JzYWVNRGxpTmRW
+RzdZdnZpMU1NCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSBMTFAwQWIvdE5YTVJiSWJ1
+aVZBREdXeSthaFBJeUJhbFNrTXFlYzMrVEdZCnRjNjVZY1p4OGZqcHcwWDgvZHFq
+eE51YVd5cVdUWTIzQUJXbXRDNDZHQW8KLT4gc3NoLWVkMjU1MTkgRjRiYjhnIGZ0
+Q2toWnJWd2FZVDFRUEVnOVlZbkxoQlFzUDNHZFFJZU9EZGM4OWhZVjAKL3ovMC9h
+Yk5RdzlRM2QxWmJqNVVEZ3RrOGl0cXlvK2pjdjhKbksyQ0UyQQotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgU3kxUWEyUUdPbmxaM1ZzUUlNOCtYQlo1dWhhS29hWEkvK2g5
+ZkVGeWN4cwpPSDFEeEE3TERGM084VzZjUFpiMEJZSkIyWkY0SzhsUGZoQWVTWEo1
+Mk9VCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyBHNXlYbTQxNXJINTVkR2pBOFB0MWV1
+Q1UycEFqQ2RUcThObjg4QkFSZVZZCmNpNFc0Wmx0RzQrYXczZ3hTU2lOWGI5VUlj
+Y2FPNFpKL2NiKzBEVjErSzgKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIElkUWhucnVz
+MEJjd3dLUlhSalZVNWlXZHNoRzU1TWMyS1pWaU5Lbk5nQzAKc2orbmhhWW1yc0J3
+SDIweWI3WEVBeGJJMmEyQTVFcjk4eTl5Rm1aTllrbwotPiBfOmR9SFh+LWdyZWFz
+ZSA3dV4ocWU0WCBbbFAgZDReCmpRTm5ianZlc1RKcTNwTHNlaXFFNmZ2K1VpRTRN
+RGlUUUJhaGpTekJzY1ZZMFM4QmFpZFlBTDJmczhhWHRwZkUKU0RueU1sMlZENi9M
+RnVjbzgzTDN5UHQ3Y0R3Q0YyS0FYcGtQLzhvZndPZjBibGM0K2pVRVpjSTNURmQ5
+dzh1VQpXZwotLS0gNDVMb2tqN0dSU053NXpYZSs1WVQvaHhKYXN4dExTZjZwcGxB
+ZlYwaDBRQQoRn3fGi5O2d7yMfThg58mtf57eNTiUtUyD2Iq6ToRr2KQviWZChhWW
+2S/eOIkFCk6q0Srdo2pP0yIChT6KbmfLkP2H0TxqmwrxJsKrqEBloZlN7hQmD34D
+ZGatzk5TwPKIoZTdPis+tP/7RNtHhDlAQdpRnpfKT6NtW89asQK44XBh80G25DyC
+kD5oSNi2sHXMDj8b3mpUkhqzYh1xlUAuR5KxPtSXSp+d2xQwnmi3Cs0xi5oyYQQA
+VvWVyNkKRJSkSm1+KLej1urqGU+z6KHjv4obF9rtxv0NGUL6Ii4RDFWqxWLHC3JM
+81v3lf65Fb3f9F9L7AfN42tPHogRZz31HlvXfUoRiddMrB4rasaTXjZaciZdf5IK
+WQC6bmI0FYhtCh1o+75QHke3lpaBbi5xuxq+nv4roFeyd4Uqx4i/wDQ6cS7vb40J
+CULCnkHTydNXJODhNlFisprS/b/tR05/Ds+Xr+J3OAdyjK/nKbe525IZKuY6N03q
+tuAyRLxjZQQpOcGSzWxP/hIFFJAGxf/8t1BqYInQ4ikUtnmgHXp2Lumkxti7HSDz
+oUl23nL69A==
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2gitjosh.age
+++ b/common/secrets/secrets/nix2gitjosh.age
@ -0,0 +1,39 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USB6TGVm
+TkdpelRGS2gvcEJxQ01XLzE5SHd0OTc3ajNMNWlwckR6YlViQmdVCkYwYmFIZE1s
+bWtoUDlHSFl4enhOcVlCbjVYbHhUdE9DRXJOUldCcnA0R1kKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIEdUT0lBcjFVVUVrWXY1SGprTmJKR29hWDZ3Q2ZycmV4bCtQcXZO
+RWlrUmcKYlNCZ1MwOHI2VXZjNWxWekk1MjYwc05wcGxEaWJBVzNPeG0rRDBGcmxi
+VQotPiBzc2gtZWQyNTUxOSBTcENqQlEgZzZwR0E4d1JMM3RFUGFvQ2Ivd3hvV25J
+TTQya3pHYkNGTHRkbDE3eVdnSQo2OXBMR1FiZktXOENrODBvUmlrQy9MLzdGU2xT
+QUhEMEd2dlUzSnB1SFkwCi0+IHNzaC1lZDI1NTE5IEJZS0crdyA4OVF1S29teEd4
+UlFkWUVkblFnRlBYWWZWWUw5N3l3cHM5dTdnTGdLcXhZCm1jZnM1NGZkbkVnY0k4
+UEZyS09NSlExRzFFcDJlRDJNTVQwZUlPM0lsUTQKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIDBWOTNjZUhjcGIwTXg0S3MrL1J5OVJqQ3VPMmtVdDlsSXBuK3B6RmFURUUK
+aVVqWk02R2pUNTE0WDBZV1FqNlpnbk5ja1JUcjNZcGQvU3Z4dm5ZTWtVQQotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgSTlaTkxGNVpaVnpsblhSOVNtdGpqaUNhQ01zbFRG
+QzI1ZDNkTTAxeXF6awo0VmMxeEJXNnA2MUJza2o2MUNISVV6b1hMdFB1M1p2alJ1
+T3J4Y3RXMDNVCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSBxb2t2ZjlSditxa0lnRmJZ
+c01wM000Unh2dVB3OFhwZzV0cklrU2VpZG40ClZuWTg3STlPVXZkZjlkVHZPWVEz
+RjFvTVdFTFdaa2puRGh3WTZvTlRvMkkKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIHFY
+NmxrMnBIYThVTXFaK21hOVFjeGxLWEJRc0VwMGdFZktuemNQbDZ4eW8KWEFPNEpl
+elg2UnY1OFJFcTBHUldOM3UzdktaaVB4dUNoc0hVQ0phcC9mMAotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgRHFkb0lTcXZ4cGFlZzkrWFRIcmVVOStyUmpyZzBhb0xES2h6
+WTRXRHdRRQpWYThoZEhYMGxMTUJEd0hQODFMTUJZT3RGM0E1UFRua1NKd3JxRmU3
+T3hNCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyBlenJkbWdVd0VkYWVUdWx2blhpYnNt
+RlRDeTdUdGY2UFB6eVRkK1lLRHpvClRQTGxLYzlMZFo1aENxS2pEL2lEYU9NTS9I
+RWh0cGlWTW11UVgwekRXb1EKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIDRXL2xUZ21F
+a1FQUWJ0VjVLUkRHZU1SRkV2b0RrbXB1MmlSQjdtcXF6enMKZW5oTFBybGo4clNs
+dnQrZWdpMDl0ZWdYU3Z4bDd2cTU0dGtseEFIcTVGUQotPiBpWEAtZ3JlYXNlCjFG
+VlBBbVdmYlVRYzRtd2Ivb2NjODkxV25KY0lIU21XS1J4T2N5VQotLS0gNDNWMDh2
+bGlMR3I2KzhNN3pWTC9NQmw0NEJ1RXFrRzE3bUVHTCtIUlZVUQqotvqxr8ikzOqN
+qGr5OKLvK21Pi6LR8mF/2ol/n7XKiJEzhNRXwqPN62TOMkd8ODKn0diHwbEvehcT
+jW4F448glda6phmnke29f2Uq8Ls0mivd752Z0mV50pIEKHc0Y6ogUARiMKfBKmoy
+Lebc2XY4Y/lFUVunGWaJoufQLMI4swKbwed7rujdq3sxinDSwzUAw4ltID8IMG4Q
+ql4Q54e7Qu730NcXucmNuryWW0DKopWTobsnDVCfMN7ZXC4u+IsuL1xqdd+yC65u
+6H+5x8EoTaH2EQDaGVa1B9BdTut9E+0VKZRW7OopwGFTuX94PmWrfaaWlfO3BeKx
+JcCMUvWgSbv0PVqHC++mbxrC4/JNC/fr/KIFmG9TEVh1RCVqJTug/MNyY4qwrzEX
+lLEbs6TDPMq77/wij1kbeNArynvzhDBVjPQD/V3xZi8XkaE/quOW9ajnb5P4W9Sy
+yJnqL0WvKER69gOkkouRWlEzS4LWVWCLHwuskpBlJYbmpAmmfSnXRlE9MFzZOwYK
++yH9wViG0crNiic+NCCILFG2JjR1i0bNFgksNaswo374ActWw==
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2gpdPocket3.age
+++ b/common/secrets/secrets/nix2gpdPocket3.age
@ -0,0 +1,40 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBPa21J
+b0Y3OXlUYmduTCtDVVc2TWZCY0RVZUxObW9OR0xmaEZpUjF1aUM0ClpDNzJRaVVk
+ZE0wU1BEYmM4MEw4czluSldHYnhZQldZVktieTdqMWM5NGMKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIFM0WkR2ZHplUW04UTRkenNqV3o2SUxzZWFic0p5WW16Sit1Rk9I
+cU9RaVUKWjhTS3d5Zy9BRVExaCs3Yi8vYi9UVXhSSmtRTEJxK1h4dHlydDhLZjBU
+VQotPiBzc2gtZWQyNTUxOSBTcENqQlEgc1F3QWFqQjdXaTJkQ2hKSi9Bc3pSQTli
+amY5am4wdlFZVnJWNGp2VGZoWQpNV0FSMWJ3c0twYk9wSG1PUjRkR0FYS3JZZVpH
+SGRoQ2RaWjJnUDJvVk5jCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBSR0FnNnF1bjR4
+bk05bWdYaFQrZkRFeGVIUzBCMFZKeW54ZHI0Mk9zYVRFClhEL3phVUFNUkc5amdX
+UWZ5cUtUWHZ0eE9ZbnpobElMS2RoT3NESzhrdEkKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIFJ2SGJYbG5FNmgyeW8xY0J1ZTRrcEZEYnhLS3dUL1VhMVI1endFb2d2M2cK
+cGF0Q2pKMklMTUJmdjhlVGlHc3pzTFdwdDZ1b0daQTI2bHhtNk1URWtNbwotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgMjZGczJrQ0pWdGIrbTcxMElpZ0FSczc5WGVrN09G
+am5DUVhrVWZZRE5WdworaGozUWRCQmY5dWVOVnJ5YUI0OEJ1NENCbS9YeUI1YXF4
+eGxESVBEeW9JCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSBVRU40YXpBdVZNYXBFVU4z
+ZTUrZHVxWi9KUW0zOHJMbkRFRlFEbGdUUmdzCmcxSndnbG9QSFE3LzFFTUdzUTVD
+c3RsOTdmRzByckFxZ0dHUmxJcUF4dzgKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIGNJ
+YnJpNE13M0FNSmxFaDVoc2lEcGgrOGhydVBVeS9Jc1hnckhqWGE0aU0KOEYzdEpS
+ZnRLLzVXZGYxeG8raUUyVDdQdEE1L3F4NGxJOFB5V2VNTlNTMAotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgYTZybWdSVll2YTNPN3AwRzBVQTNqeHF3SjVFUG1OcFh4RXNK
+UTNwOVF6cwpxZUcrL0gwbHlmODBvMUF6ZEQ2V3VjcTdvNzZadU9mWjA1M2IvVEdS
+R1RNCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyB0VTFXaGwrNUdPNGdhZW83Z0dOdzNK
+RTdlSDFXS2IrYVlzZ2dudnJUbVg4ClNkMHQ2SGIvckViemw2dWhoeEVxSlZhMEk2
+MURjTUNQdGcxYTFUeVN2OWcKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIEZZQ1dPamFv
+cjd1cXVacWI1MFNDY2tiN0NrbU9Jb1ZraFg4d3VIc0RzaXMKVnhEWXNxUkNJbVli
+Vk5NUjBoL1RXN3JpOElzWGRhdXpVemtCTUJWWE5aOAotPiAqUmI0SzxcdS1ncmVh
+c2UgTj5AWUkwVGggQCBCCnNEU2lEaTc4M0hEa2hQb3dmOWdUKy9VV3dKWnVjWnVT
+NW8rTGpGRzBpSXRUCi0tLSBPVzFxckF2NTJBQVkydUNwVVFETmgrcHZLcmhIVTM3
+a3lXTy9oWHAxOE9zCmz8lA4HcXxPG9PDsZrG/bRyYR9uXiGBQ3aPzYgovO7VALuN
+Vj3er0hkDRQOD5r0IiwUsJenqUd/BNPgT69916BOW1e+sugjIXUIjWlkDPuRI78j
+gueTRUnl4OQGEnOesN+qJZPUovyk2br3uKskCuZCAoYEvhgA3u/lMPb4nOj7oGT1
+pvwlJg6v5p7yJ3uBkBpXZEZJoHInF3PRwh8irZ0gJNSp1vJYIW805RGZ8tQ453/y
+a6VKBTk9nT2nOtrM2Fgm4IEqMOJ0aLcGRzLKMCHuALt6akqtuXpIWrc9mvHHZT6Z
+geoNhvFVOCREbksAQT9OqC2sWY77cwLl8GqFGtKOI7a+PSKbBxsZuqD8AgmIoNMq
+JKA1OviYfCc2+MhJ6woavcJp9jYC+uIRQWNeMv/pCBfUMI5GsP5NxocV0rq22n5+
+QXi1GW20cujqVgQjtMqyAun5u9xc6xeKJIKwxjK2xVbQ1Ritqn+Pj2jnUCh5KXBc
+ZCQwCInPO7z06wD5x0mEP+nQbFqe6BzyTtFD6u52gaGhELlBw6RvP7ptEG/GCAvd
+3L4AtcHj4melBlCC5XgW4BbEyvxOhCfY
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2h001.age
+++ b/common/secrets/secrets/nix2h001.age
@ -0,0 +1,39 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBoNVpS
+UWlLTzNmZm9ZVTZXaTVmeEpXSW1ZdWl0d3E5UE11eFJtT1BKZnpnCk1jREVVdUNp
+WkhNSyt4S3Q1MUNtMVVSZnUxbzN5b29LQk5lTWZoZTR2cmMKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIDA3NWl3dVVqbnB1TFRrVGJXb05Ec3QyOXYrdDVxblUrbE50TitT
+ME1lSEkKRWVOSnJ2SWE1OVIrMWdKU2g0YTJjaE5XUTF4a0ovdktsSmZydldXT3NG
+ZwotPiBzc2gtZWQyNTUxOSBTcENqQlEgdWVjQmxaQ2tieTdVeWgyUFNlak1HVVRQ
+Zi9EYVpBekxURURvcitiK3hDRQp3YVIyaWFTS3Y4RnJxUDBua2YvVXUwZjk2dkpv
+Q3pnU0NXNFg4K3FlNG04Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBtWjBxZXNEZjZF
+aU5Cdkg1ekZ5b2E3REpCQkZOTk1TL25ibUJrbjZBQ1RvCjdGNEVhUGhRNDNxVnpD
+blUvQ0hsYUhkYVE2T0VFb0JBZ1BNUGtNTmlCcXcKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIGJXMno3NDR0OXM5ZkZFOUozSFN3L1RZMU4zY1J0RVNYVHI4REtNbnRVVlkK
+NjV0NkNkdU9Qb2k3Q0RiN0FtaVJ3dWUzdXJOeHVIUG5RUVc3aW5MUTFGSQotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgYWlYMjkrZmxFckJ3dVBtdVFpd3lPT1ZPL1U1bGl6
+eW5pK2g5NmNVVHJUZwpEQzhKUWVtYUxYTVNPbEp6U1Z3Z01GTC9PMEZQdFREL1Rq
+WGxrRlhicVdjCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSBmemdzeFo1T1dzcERtNU1m
+V01RMVE4Q3QzLzMzb01pOU82bEdUSGRTWkY4CmxsZUhFQzlUcXp2dHdIMW91SFFM
+REtZUDRQdU5sVUQ1UVJYdDIwdUJPMkEKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIGFM
+YlpuTHRLKzVFd1JiT0wyVmo5WWUwaW1kd0VEYWVGQ09rM1JrU1V6QlEKN2NqRk92
+aWZxNlU0TVRvd3E2akY1UytQY2s0bE5PaCtNdFR2SEhqYlF6cwotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgRVZNZUNHOVFIanplMGZuOUtqM3l1Ly9tcHI5MkRwYnVMeG11
+UUxhSmRWZwpsZHVkc2l2RVZCZGxJM1gxeFNVN1k2Rm1mbnRaY1lzcE9GSWVYdzN4
+OURVCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyArc0VlME93TExrQ3JvWlJudzZ6TGJq
+UUZZeW5LUVdjQ1pCSlMzUnkySUJZCjJVSDRTVHY1UlhXdkh2NEhJajhQTGU0ZVlz
+NDV3Yis4UzZGQlBJZkt5dkkKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIG16aVJoODBp
+Snc4ckpaVmRSamd6OTZTQUh3dTZsMW53NzY2ZjMvMkx3aGMKUzFBSDkzRlBvN2Vl
+dkM0RXIzNks5MFcvb1c3cjZBV3piVDFSd3dKZlFydwotPiBsaE1yX3AtZ3JlYXNl
+CmxwTHFySDBzOVBRckgvNThGNk0zTktHbTY0b2llVXJYZ1EKLS0tIEpLN2wxclVK
+MEcxdjUvUnFtem1XQW1UYmVzUGhRVkUyUWN2czM1RlQrSTAKZB2uCnpt9Xqz1w7+
+jwRVePaF2c2mWxgJUdpKpAZVgEUWkGSO6NEh3iTdLpsI9mDfh9KYRSPFqC9P1cf9
+5KId2A/oki3PNUtcuoaLn+xLPV06Zs3QsOds1ghO2AcCsVW4hC+Sgr02JelS5eCt
+Q69nBpQSw3ePEaASSFMCU8Z4F+n0WpkAq5ERACZiHIwWDes4+PR3BRVDvjyUlFG0
+3mtSpotzlTtBJldJTado+oOS8eKBCMgoXmP9t8zFBLe+Aj48humYnNT6rPv2xj+C
+Y+7FK8441uWdbu4PyNJEknF1k5YHYIg5pyrrDRGRtoomShZyqhufEAYpMIlCABpp
+vPYj3iqqyV1T980Od94qlYJgpHEX6650gMSAtqpQdLmhnOwF2LW+g1Gpw7lfk4P2
+kzZCflwDGtXXXXPIyUiAB30zKCufjPXEl1x8oTXzbBKEE6lvHDgixtrNt6iMjVbN
+n+Gon4PcolTdwkiEEst2POOV9Ll7KfOidMl1VfJxXKyt5jBA61xv54IQiCouUan8
+EhD4uiVHoPjWQ5E+h3YvedT7hrGWOzkxNbw8NUf9LDIk7EA=
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2h002.age
+++ b/common/secrets/secrets/nix2h002.age
@ -0,0 +1,39 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBsNVNo
+Z2ZuYkQ5TDhZNEt5VDFDVUlETFc5TDRpcVoyZVJqZjcrK3VTRkY4ClBJd3cyaTd2
+c0dVZXBBSGpQZEhiamEwSGJCZTY5K3VKVU4zSnpmUi8yeEkKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIHd4MnFBWmJiZXdVd2FEQ2ZoS2FjSmVmaCt4Y1J1dFpuVndDTHlr
+UVhpbW8KT2lyc3dxbTNacnprUDBmV3dPMGNoeXR4OWhCKzRLd050bjhOdmxmdlhT
+WQotPiBzc2gtZWQyNTUxOSBTcENqQlEgS2dYbEdxMlZaQmhOSUtkcjg5YU02Yjkw
+Y1RINWVUSVBZRE5MSEd2MWkwawpTZzhPTUlLU24vQkdkSDhsSUNta1h1T1FFUEww
+R3RyaUVFZFpaN1I0ako0Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBsN1JhTDE3VFNt
+T2xLMmFLUlJBSzVudU4zRXNUM0pWajQ3Ujg2eGhDV1V3CmMwRm9wRTRmeFUzUDNo
+cERtZVhkMy9wYW81OUFMSnFDOWRWc3Z3QlBUWXcKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIHlLS1lieWoxRGlqYUVoRW9zY2Ftd2RyeWNmbktvd2s5SkFKOVF4UDJnbmcK
+ZlRqZEUvN3JXRTM1ZUZoMkRlMUhyUWMzNjgyenROaUNzSU5SRFdGdFJXbwotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgTWJjbGRkOWMyTGN0RzYwdzd1eEtsc2xuT0tlNDdQ
+NlJYVll6UVhBWkdXcwpVYnNZSDhQeDlhYUVOUk5xb3JlNEVJME0yY0FRcFY0V3A1
+ZDArVXp1bkVzCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSBXaktIV1dQdDdsMkVxOU1z
+YjRFWVVPR0E1VWVmVGxFOW90S2w5ZEMwanpJCkw4ejV5M3RSZ0lYYjI4ekp5VDFO
+Qk1ObzNZRDZtL0NFRWJMN0dUMU5NeGsKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIFBK
+UmhSM3JMRCt3QVVVOUFyVzJ2MHVVRno4NHE2OWM4WU9rTnJQbFB2MTAKVXJySC92
+WldVV1FoL24zeHhiUEpmNDYvZ1NraUZwQmRrMGVXb1ViaUcvTQotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgVCtUb09INWxCVmNQYVVPaXRHS3gzallUS0xjd1hCVUE4TytV
+RFJlLzFscwpvOEdTZEJiTVY1QmE0OTRRMEZlYjRrM21oRzAvbGdMZVVjOUtma1Vs
+Vm93Ci0+IHNzaC1lZDI1NTE5IDVhZHFNZyBPZEsvbjF6NlZpTmlsVkFpbUd3VTFu
+TEN4bGIzSGlZN0tSZ2hrQnhjYzBnCjNzOGhoQmtQRzQ0bXBSLytid3JaVi9pZnlP
+NHpiOUR1b0ZCTVFPUGFTSzAKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIGlGa1dKMzhy
+dHl4NW4xS1BBS3lqdUQxMmJOWnZkaGlkMk5Hd0Q3RjBsaTgKeWFYQzVCVVhGMXZ4
+eHlUSko3dUhVcG5UVGUrdm9lY2FpYjNickJ5WjNjZwotPiBJd35rdy1ncmVhc2Ug
+X0hMXlxLQgpIZkFlCi0tLSBKU1BvTGN6a2JEL043czlmeHdFNWo0amZkelczRW9X
+RVVGdmt4OFg3cTJVCoQXkEX485m5lMpu3aosZI0Smyp+CLo9V0kTfnYGfgcf5tXl
+Foip7PquFErhYrKTumAY0p5VWqdhmTYu57yJW7UeuAMxyBgpVabcf28aFL3ricK0
+CgBSr3JqC2Am9C8Kt4aXm6/m6ylOHFKKyBFcDJlXrgn4c3WpJakAZc9056K+ndMi
+5uGbKZxBYm7TCPvJtt1/78iiBOfrkPRcEaIwwhzSizPC/W0i/QdiWTbzPHoF0vr5
+NBfrIDuCX4ZNfV27nS1vDFfWEynF15vZkszmBSgVz91b0DLarTKKeTGVt/LNimQP
+veUSBa2TAOmf+3OXGPicG/r1hewJtybs7pGMbxFItmjKObgZ/oH3Oa3ITrnVbjCo
+IjCnaFBA/LdoFATLNx1zQh8eNVD1TROzFrgnoyGCEgXTg+FfOAIplFEScq9f3mYT
+ZOWjkqNWWGIHfwOCFW+Isu21EIU+gZQ3kScVbuNSfSBD19cZCsTinR5TjWYgv59q
+N669N7vjX/d+wbcZMllx3ZfBT8CQSf1JCC3a0pzFOEMQdLMmT0HOn9s4zp65kgao
+x8J5Uh5avL1qPTMc
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2joe.age
+++ b/common/secrets/secrets/nix2joe.age
@ -0,0 +1,40 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USB5em1S
+Vkcyd0NFT2EyVlBuSmI5MmEzVmZ4TmNCdXhWMTFBREd6TDhySFJRCm4weWZjdlF0
+QXIwSURHWDZ2RWl2UEFSSlltdHRNTG02SERPUCtrUW45SzAKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIGpWckxUL0t1a3kvMGFSSVNCN281djlYdDNwTncrMHMwYmIvOTJK
+Y28rMGsKTFMvdzNqNS9EL0w4eVpWQlRpS1Mwdk1HRnZVM0c1L2h0Zndybm5ra2hP
+dwotPiBzc2gtZWQyNTUxOSBTcENqQlEgKzFna1FLSHZxbWI5OVlpM3ZSOHp6QlZX
+L1dyNnBtUThUR0VjYTdpaHNqQQpVeEJ1RnZzTnU4Vk9sajQvNGd1azZKUUZ2dG16
+TXUrYnI1UTdkclRCdnVZCi0+IHNzaC1lZDI1NTE5IEJZS0crdyArbmdIS0ZaSHpr
+RC92QzM3WjlYYTRYcTFOUGhPNDYvSDkvMm5RMXJISmdrCmUxb3hvVG4rek9SMHhI
+dlp6VUkwMG1JamNGOTBueVNVU0hsWVZTd2owRkEKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIHBDWFN3dmlxL2R2dGp3SWhJYUovOFZoUGRlQ2w0VkplenlCVUpwaTk1VWMK
+QlFlbnQ1aDJ0QzBMQU53anpNUTBxbUZDY1ljOTZ4TTcyRzFjQldkZTFmMAotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgbDNFcTdJR0ZJVkNJRkUyR29CK0t2V2w1Yy92UzRh
+WHJUSHdqSlFnbFEzRQpLN2R3dldoNUFTQ3VndVphbDhUWWJtdmhkVkI4alFkdG1N
+WUJWUm81SmZBCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSBKTzgyckMzMklZM2RhZC81
+cnBMY0N3U05XUDNZSTdWYldRcEx1eWFNUXdrCnhlU2FyNDZ0Skt0VDBzWkJMUGNq
+YUxxK1YwTDZTV3cvalRsamdHV2phY00KLT4gc3NoLWVkMjU1MTkgRjRiYjhnIFY3
+cDYxanZRWHFlTDZPT2Jod3pNLzRIWjFnMGdHaHVROGlwVlZWaGZpeDgKT0M0YWZ3
+NGhPdlcxQjdrTms3UUp0TStUazFHUWtGVDFUbnZZU3hpVW5yWQotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgZlpaUFhnT0xXQzRuMHJmeStCTU8yQ05FRmo1RmJ2MDlnRGdE
+ZS9BNmd3UQpiMkpTTmJIZUM1NHlQN2twdkZvUzlWSVhzU3l6WVNVcVcyRTBsMDlh
+TmEwCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyBIN01sZnFrUk12MnJ6NFMzelpJYnlC
+UGlBbDluYlN1ektSZkxBTUlINGhJCjFnQWFyM0hVajBHblR6U0hJNjhuK3psM3dj
+cXNPY2tIMTFLQmsyL3c0aEUKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIDFIc25oVkZX
+Rms4a2V0NHF4L0ovbmlDb05hckJkZUNIbkdGVzF4LytkbjgKUGFMOE45VXBtUlZl
+NlJCeml0ZGNlQktWWFlzRnp6Tkwra0RjWThIT0VUYwotPiBjLHIkLWdyZWFzZSBw
+ClZwdHVUVlNLNVZteEtOVUhoUXo0bnNFOHIvTzJYNEwzRjJOZDYwUysvQmdpY0Fu
+REhicEljN2RoK2VldG9BCi0tLSB5Q2h5dGdZQURpT2pzYkF2QVBnWStpNTl0Wm8w
+OXEvSWxxUFBJNGhRK0VvCnEE9IZkJlvovun4LAyNFKRfn5f3vC6/+Q3QTrL5AOuS
+6UsEYBDc0gaXl8fy/7B8tW2slsWuGnXE8qtXZS4l6jrg/UZiNGkXFyOjv8YhezDr
+QvkBNtgTdjzObO7g0QYoH9cgANZguIZgRKrkmZnKMjqhm+etXFG1v8LYUABpbfRt
+LECIKGLDLgoRnZFaQbgZuVjDZlbKa8bCH0Nz5R5RiJWVlc+Qv37Jau35Qo3dsQgW
+pHlbp/JAIYJc208scmeLz2DqM+1WY01DlGbvcsVnpYn/AkjAN25ymHaZRqj/wAqW
+Zf2GzfpF9B2PeqWpELw6Ag0hWWbsaIfm+NVGYmkMaJf3GnRcozwi4WwPmLle24+r
+bsPBlmIFa/GLSZa3o/EMwZ+uJ7fxMPZGFcLr3s84fSd/7DKhLt6HeJWJfSE+5Tv9
+HWzEy7XU1wz6esaGAMn1KB7lt1o22qoyChEfjTpJUBwAmICnNb3n6l+SDFze7k/w
+IytdbHOcwrbIJScuxXMT1KYuB50MFbZpxGFsjBUfqfoM0vBdxC20NO+T2sCH/NiS
+Oe+f4VrEWDnWkSLTKJoR
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2l002.age
+++ b/common/secrets/secrets/nix2l002.age
@ -0,0 +1,39 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBUQjk4
+R0k5aTVtbDdJbXNvV01Qelo5dEhHMGdCQ09PK2k1K0h1WSsrSlNRCjNuSlZYN3BJ
+MHpxZHRyNkx6U214TTJmTk1vM2dCalp5Y1padFdaK0dUSEkKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIEI0amEvS01qRTE4VWNCOVlFQWpwZVVOQXpwclBnN0JKaUppdXA0
+c0RYUUUKOFpKNG9Ud0FHam83V2NCK1UvYmN5YUJDdjM1Q2luRnJ3SVd0elcydlVh
+MAotPiBzc2gtZWQyNTUxOSBTcENqQlEgZ0VJMHBXcklrZ1RmTFZ4NU45V1IzRldH
+clV2a0RPT0tkaVR5UlozbnNDcwo2b25DZy9iN055VHJsNUp5S0krS1ZzTzhKa3lt
+aFR6elpHT0ZzYVNEYVlRCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBMQ3I3ZG43WkdC
+ZjlTMENVY3UwOVh4VE5GNnE3NW9ILzJDRmRkVHV6a1VBCkJ0V0FwSXQ0QmM0SG5i
+ejZ4SDlBWTlvbmZtSHJTcUdISDFQWUQxTVJicDgKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIDUyNTBTOGlKcUttYzNZL0RGL08zdmdwL0hKbTBwZ1FtU0xOcEt3am9LeXMK
+L21ndXRvSGQ2R0VNNlFsaUhaTnZsV0xsRGRPQU5PTEZCSUlBYVpkRTR4VQotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgNmIrMlAvS0dRc3p2VGFUV2NDcVBVZTg3N2diM3ow
+djJ5cE5ZMUJ2UGRUMAp1N0ZhVEFsQ1piOUVYN2tRYW16WjBPNjIvNDl2bDdIZ0sx
+OEFFQWZuWjR3Ci0+IHNzaC1lZDI1NTE5IFJvWDVQUSBSV3EyNS9LaFpkdGNWeUVF
+cUVqd0ZSclhLVy9vTjVpSURsVFJ0SDFiaWpnCllUdjAxMG5rOWRWSGwxMXJCbk9r
+NUlZTzFYNHBXdDd6Skd1Ui9EVjY0K00KLT4gc3NoLWVkMjU1MTkgRjRiYjhnIExu
+WkI5aHV5THZEbEZZWldZb0U5eDl4R2d3OVRGUFh4K1ZXMUpBZTlVRFkKNTFZN2d4
+MjlLUk50Y0FaaFRnZHFQVGtWN0V6Ym9kb3J1ZTFkMWhxS09kTQotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgbEtUaGlPSFJNUTlCaTNTZjBVS0gxbjFKYjNFcHVxRldVZUda
+ajh3OGJnWQo1dGlNRmlRZU9IL2F1a0xWemh0Y2hBZ1A1b1NORVV4STY4Q01Tbkpa
+SE5ZCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyBKOUtiOFljK3NRdE40MXNLQWtnK2h1
+d2xIMnJYc2hib1hDTnA5elhGWG0wCm1LaXptdUxaTHkrRWxBY2Vjc0tUQmIyWmF4
+cnFubC9NY3MxMmJLRm5Ra1kKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIHU4OWNxajBL
+dlRwSHNxUUREZ2tVcUpkUWpINmVTY3h5U0Rza2Z6UFpuM2cKMndKSklhOVhEeWt4
+WDRFeHVaSTh3VHcyU1hhKzJyV2lwMHVpWHBwM0ZpMAotPiB9ODdBMj5PLWdyZWFz
+ZSBxLkkKUXBzVlFKawotLS0gSmczS1lET3BHODZIb1kzdVlxVmJyTnhnZ1B1dHU4
+VWJyNzdhWi9sbUJkZwoixf1N43xLWsnwn59HIDqvZaZJ4DZQLMwZV35Q8JQ5Rox5
+ZGyvsR8YCnuXeN4PuycqCYeDZrCPpauY58Ga4A2M+Ix+BalNNtDCV6HEFPsfeWtu
+7tp/rvWMEGKJqulYysuC8uXaWgdc/FMcOhr37b5ErH004RKz/+Mr7Cm9h81KCwhb
+MX4uGWYuhIEATgLaY30djh/eZasKpLN2Fk/zCsEm8wQc0BAF4b0VNMlJsRSEWY8h
+kDDplK++qfp1J0fpCiPXCO2DmgKCrG2D9g5/ahh0W4mQFM0MRDOkmL2VLnHUS4Z1
+CfE5j5/7Xk+eCP44WqOFS/cBOduty89oYbjfwio9Ep2kfBpM1jGSOHyNMMv/oUOr
+LjwLCUVcMX/N1lsQD8Q4Az98QpNmStDfIbcjYLO/c6eAkRNmYDiS2/Zv6gd5NS+S
+jkULCWsHDhUssh24Z5yvwLW9lsgkdTF8Oi7crGaJsy8UJBY+3Dx6qV7UeXXLa/sT
+DEi0CvB3iZiqmyctLDMUI0F3BibasRnCYYsNM36vU5NviMj9wh3DXiAVaN9/QerP
+vLVf8sjTlRFO85bZyw==
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2linode.age
+++ b/common/secrets/secrets/nix2linode.age
@ -0,0 +1,40 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBQQ1VG
+cnB0WEtRSTB6eDNZYXcwNmZwL1lTVUlaT2lvaCtHQzJKM3VRUWdBCm9WV3ErWm1L
+MlJOMG9abnZjUkRrbi91d2o1emp1YTRYVkhZSDVIbWdzZXcKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIGRmT0ltdFJYaHhGeE1oNlRsNEFrUlVhUDZUSzM0YUNvRktGM0pM
+cmxqaFkKOWZXeGJDQTUrZXlmRE81MURDL2o2SkpjZ1NiRWRFVUNlTFlsZzJTUjJq
+cwotPiBzc2gtZWQyNTUxOSBTcENqQlEgaTFWdG1LOGVGUVlrN1RnaU11aENxWXlh
+enl1YnB4MjBMSHkwQit1ZkQycwpNQWNFNkxQUmdWVUxQOUFSU3VORVpTdEFnNitu
+YStFWG9ZaDNwb0NNYWdnCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBMM1dEYnBmL1Bl
+RUhURW44WDdDVWVNSDF6aEVxRnlqbW1qQmsxQ0g5b1FNCmhWcjZIQ1l5QndIRE5D
+dE44aDBzTHVGWTdEbDMrbUo3bDMzUlhrdkM5SjgKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIFF2Q2VJT1orUzhHZFRLb1NRNlRaMlVyK29NVGQ5NjZZU015K1R6cHVwVVUK
+WkM2WVJtWUk3OHNZb1pXeU9KZG9GQkJvcXFCd3BCL3VOcUIrWS9iQkJXQQotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgRkFtblVwZGtndlJUYkNjYmIzdEh5am1IYXFUNFBj
+OExLUi9NckVxS2JoZwpHMTJ3cUU5VCtrUDBlakNxanJaWU5zSHB4bW9EKzhjUlZu
+R0U4c3hOdHBBCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSByTGkyZmY4aTYzQTBxV056
+OWNzdHNrMUhqSGNvTU9VajE1eWwxNmo3a24wCkNGc2w5cEhEcVBoZllOM2ZjSS9w
+WEJBcTRSQVUvVTh1L3RJRUpKUVNNRDAKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIFYz
+WGh5NGEvZ0EvSkVFamVpeU1wRWVjaE5QcGl5d3FpaTgwZFo1WFhla2MKeWNlNDdP
+anF2K21peEVBakcraDkxV1htU0VXdVlKUHQ5Q0h5eDBqSlltVQotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgUXlmSXliZFBzamlST3lkTFFscktYbi9QTm5pelVrY0Z1c2J4
+WTNDc1BsVQpxeHZwdXI0UFNMSER0WmZ1Z1lrSDBibGd2cEJGQjQ3VnZmRWZFMkw5
+RklvCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyA2bjNlY0dvT2JjMFp6cTlXT2M5WjUz
+eURzaHNKN1h6SC92Q0xsOWdOSXhNCjJ2dDdGNWp2ZmwyemplRFk2SUxVMVdFblFn
+eHNkREVhZ0k5aFZKTnY5TEUKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIHEwVGYwTExB
+V01YT3dUZlNWV3Zwem0ydXFtQjlnVWl4NW9FRVJEUDNEaGsKWW5Cb21mZ0FFZ1h6
+YUJucVc2amJYeFdHWnM2Y1FqMjdkZTQ3SkIzVEFlTQotPiBJKHtyey1ncmVhc2Ug
+OF0tP1UlXyggKCcnXU5FIHwwNlZtMyBsVSckS1xSCkVUNmlxLzVvZG1QVXhacjdF
+c0l6YzJFTlQ2VVZEeGFoRzlVCi0tLSA2UTFTQlh2bG9WS1l3T0J1ZjdhSzcxOUd6
+VXA5Snloc1F5bTMvSi82QWVBCrpftJGo7RMOlfmxiUgnwuKVjo97b6fbgNgJaBBb
+6nXQfGOxsfWDv38CXuIA0QVuarawk6MZUdeflEoH8SlTihZ/YGm3m66ddUGSQANB
+QLl2q3iFpmrAgyYMYh+3htHhxeQ1XqUGGYgQUFqaD+mevmGSRozH+3lJMi9x377/
+qI+hSy3WZTg4A3czLk5xu3cwr3jTyINBz+yWKudtGmSmPZEoWYOtv9+jWmEsZ4rh
+9dkhqdas89zYBnAaJ6T8aS9O5QnVPqpx/5AzK1YCY/aRM6TJMAq39fttbmAg8P4I
+ueiHAEdmeNpdHpPy3fbw4uPjlr0u0olBawE+XzpziwA+R1+p8pb7BTrbvNL7tT+U
+kUojuHBVsS0f1/FD+LnHXIUU9BEq1Ld3+BOewyhdte0C+FzQcwBID3qMrapOwcRC
+SK8xwNFwmxUuwFuA2uKEmnVyDGFIkOUymSrMlfzc6GzSHWMIhXnhi7mMknYCgSNQ
+WzfLPoZevuxRZ4jXi9/O6/35eYjK5tapCuELRnzTHf27xaYSWThv4fBEg1JntNOd
+rz/5PBvnlsccjJU73UrB7A1r
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2lio.age
+++ b/common/secrets/secrets/nix2lio.age
@ -0,0 +1,41 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USA5REFK
+SXBXcVIyVjZlKzA4UUVQbHhJNjcwc1JXQ2RPTUhPVERWWUZCdzJRCi9CWndhK0RD
+dHZHYzgrR1hIZzU5R2s0Q1N1Q29pSXU0QWNqazE3RHZEcFUKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIGYyVGZwMWhNVTJHVTduNURBM29WL3ZHVkJJTVZzTFRJNUVTdm1R
+SEJVUjAKR1RVR2FvY2NSVVBaaUR5eU5Pbm9BRXR4QzFJeENxWmFxS0FjVFN1UGxL
+UQotPiBzc2gtZWQyNTUxOSBTcENqQlEgTE9IaWduejVsM01rTnUyVEJucm1wS2ty
+VjZmcE4yenY0YnVvdDI3TXB6YwpyRnN2U3FoS0lwYmtzNTVXSFBYZm4rOG9sNWJX
+d01jcVdmbVFLK0tiUW5nCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBCSHQxV3o2MkVh
+SGlnMTNOWXNYMkc5YVVtV2hEbFdrdjIzRmFkOEJOd3dzCjhaRjMwV09IYjQyRnVa
+MUs4TS9zdnBVQis3OTEwZVpWOVFvWVNNSnZwVWMKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIDFVby9DNGRqbE12ZVc1OUpxUEVLRkRDcmkwK2ZjTExQZTUyemNacjFyQVEK
+V0M5ZXVHd2JibCtFdm01YnRRU3Jwa1VDQTZxRG9oZE40bFJKMzJ3ZXJmcwotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgcTMzTmp4QXVGaDZ1akVIWktmZkJBZnpPTitwL3dq
+NnI1MXU3ZDd0Ym5ubwoyTllzNDNFWlVYK1pNSzFISHlBYmwyNHRBVHpxUy9LUjZw
+L0RNemwyTEhNCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSBhblRMZUhTTi9nTWJGZHRk
+MUhCN3lsUW1QSWZKTWxzVUk1ZmdqMmN2SW1JCk9pd1F0elpucE54bWExZmVUbHFB
+aXVEMFB3dnB2bEtoWDJ4bFkrdDFYZTgKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIG5S
+UFZyc3ZyRW1LMnFBQStUa2VkV3U1aWVSbEt4UVYwTXdmaGZMeEFvajQKeHM5b2Ru
+bDZNb2N1MHk3Q0Yxc1BodnJZaU03alFXeDVCYnJzdXRRajc2ZwotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgd2hVa3VkbzBDbjlLcWJsSGxtSmhHMWJNUUNkSnlwSVlLcFhM
+b1cvM0RWYwpBRjc2UmplVDBzek5CVkZKUzEzQXMzc2F5cytaRzc2SVhpdnNhQWFX
+bmh3Ci0+IHNzaC1lZDI1NTE5IDVhZHFNZyBBN0pnSm55czgralJJK0I5SHJKeTh0
+dWZoYXEzVzJ0TDY4Zno4MDQyMlJrClE3b2NTWW4yUEFMaFhEOE9DVG1IZTR4dFBo
+UGxTZEYxcTlUK0Y3UGJraG8KLT4gc3NoLWVkMjU1MTkgWmUxTXdRIDV6YTJjUW1Q
+aTZvTjYyQ2lKUWlNNC9UT3I2T0RpTUllcG5Od1BUNG51RncKZVYzbEd6VjZKVEla
+d0lPTk5iTzNPTURrNGVjdzJYaEhoa0lEM3piaktwTQotPiB4SDZfTT0tZ3JlYXNl
+IF5za3tQaSB3XylqLC5lRyA+XW5AMF1qOyBsdDhiCkZpNFJPaXJJSG14QTZDS3pz
+ZzRBSFV3V1BnS3d0N2JLK1Bia09JUDRWZVNxamdMdU0zbmdEekQ4MURnL292dkUK
+c2cKLS0tIG5QTm9IR3FyUGVGWVM5bjNPYk5vdnVpaGswSWlCWUxab0FaZ25WZHNG
+YW8Krvkb3AjClvfTUHThubvKKHjLuIBiQc8NlW6PClnGoh1J7pTnIObysgYRGemR
+gt6ilnB8NGS/iUgMvGNlJbqt49JIejCajmLyFLzlOsn6TPe2GvhWNtf3DA0JtcW6
+7GHBrHE9c9fvfqCGoW6ywFxXeOhcCYsBsXMuUu8dB3nME70TaA8lAUSI0Gvx2u8U
+qcH6Oqh0lG4/98s1dCe2TCqjqa/0xQ07PE/7rbC2+YpuX58UYDDwRFDzPtiUihNI
+hhp1Gco3DVrJwpNmXBe2TuE70oKRzlvmwbiuK1lQ4B7OWyFds97RP4h9OGq3Tn3E
+qENrcRTd4MdHcj3/TqriLuHZwJCNxmG614JhlSrzjZtlUuyCa4Q+UfB/9FBq+lkZ
+jNttM+gJzt7HY/5VSl2EY6GtbpbIpJU3W5D+fMneB0no2jOc00YVLMjsY9uDF6nY
+xeVBOMJpYHZrlou54xeKmaXbjrdEwYGqt6syz2MW8YV0VtJc1piVsoeHtO5ajDMt
+7WeyklfOSx5ZDUCKLlXP3u3en3fXsAtKNa/JT/hBWf6JvCdYlI6SZLsGGSz/wD6g
+w8c=
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2oracle.age
+++ b/common/secrets/secrets/nix2oracle.age
@ -0,0 +1,40 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBuQnNX
+UUtpejU2Ym5ZZGg5dUt1b1VNZGZMZzJiSHBKRVk2OEN3V3dWdVg0Ck00UHlIcW4w
+cGp5YjJDNERFUnlPQURucUt1NWNydjhwL09DNG5NdmsrNjgKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIG5sdjZzckpIaW1LUHRJelNjYlNET2RhcEsrZXhGR3hLZGdvVi80
+YU9qbEUKSExvTTZKZXlDRWVDcXVqVFhlT0NkZzhmT25iNkJVU1N3SXZib0FlODBJ
+OAotPiBzc2gtZWQyNTUxOSBTcENqQlEgNGIzWE1LcDNrN1RlTTQrQ1oyME90c2Fr
+NEFjblpHcStlM1RkbTZHd0tsawpxcFQvR0dRcDV3Q1pmV2JFSk1sV0x6Qlh5cXZL
+eFpWdVovU2RGTnRWcUZRCi0+IHNzaC1lZDI1NTE5IEJZS0crdyAyZGl4WnMvRG5V
+Q0YzRDd6dXdtNTlTbVlFRTFWRkRzdnI2NmkrUm10MmlZCkk1Snk5eERvcXo2WDRE
+c0l6L292aFVERHUwNDBPL3cxbXBydEZsQ2lhcU0KLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIGdVQUhDZ0FVTG5COW95K3VPNnVNY3JZbGVnNDhWTzRubkFlTUMyeTlaZ2cK
+M2Z1MFZna29sMGF6MG45RVVZVnhVOWY1alpxQW52d1E4bmNLSUtnVjNvdwotPiBz
+c2gtZWQyNTUxOSBSNSt4Zncgbnk1ZzRDbzZBczliWFVGVWU3K2RrQk4zZEFNOWxS
+SXUzTjJnd3U1MjFqOAo3L0JCSDh3MmlPSzVZTnBwYUxSYXNtKzIzY3hMTmIyS1cr
+WGthcm02WS80Ci0+IHNzaC1lZDI1NTE5IFJvWDVQUSAwUTlzVEVsT2JaWnU0bnhi
+V1ZBV3NKU3RVTEcxR2N1NHFtTDlXMWxKZERvCjN2VE9CSzZVRzVDN3I5WFFKVm9v
+aXF5cVh2aXJ0L2IvcFFqcndjc0F2dDQKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIDhr
+MXFrLzlWZWNvdFZZWndNYzhzeHFzMXAxdGx1d1ZnVjFiUmZlY2xSMzAKOVJEM0hO
+Tm1KZHQwbVNLcmkxQndjQ2M1dS9YWlRZUG9wdGplV05PQkhkQQotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgdVlMN052Mk9YT29BUTBKc1JSZ2JQK2FCalR0RTVWU0tzMlFa
+MU9GZXdocwpUVHR3a2RHSHZwSXE3WVZ4dEdQTTNNblZBVDNaMFcrWEJVa0ZrY1VS
+eUhNCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyBEUHlnaUkxbnJRYWQ0UDVmbUhzcXBa
+VE1FeE5YbWZFR0p3anUxN0krNnlnCnFCNXZBSnhzZ3FPS0V4OGs3YlF6RVU1M2Rk
+bGNiSGl4VEV2UlZHMkI5QkkKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIE5raFFWOVhO
+Q1RQVjBqNEIxMGFtczE2STRJN1JqNW1MaTNNOWs4bktGWEEKMkRyVC9XSVdFVGVF
+NE1jWmxWSzdPdmZWV2haY3ZjN1FIaXZzVS9yQXkydwotPiB9SlBFNS1ncmVhc2UK
+RE1xM1MrQzZXVUFQbTNhSlpwaG9WZ1NVcHRnNEl2RlNUUmtTaXdhbDA5M1JyUVU2
+cDl2MTJVbkgKLS0tIG5ZV0dhcVYzL0hBTWpqUWtNbS9nUDhJSGplU29CcGU2UGtI
+Ni9ScHNHbEEK+33ZrBrxJELcVu6ZdYmZOQyJr4/CwlQwPAzbMqjhyTGqxbOlAyvf
+hZVVfv+HIVZdj911jjKY/EMOv1z3uAzFFMEdMQCBhjuC5dk/MEtQipJexgdupRfN
+y6DK9ns1TyMXWCvm+EsSsOSYfV69l3uee9lsXDGG05EmJJ+nLNkeODD3kr2uwQbl
+b4CI/Eul1Z1Bzi9Fc10yp5daJt+8yEWhQp4sPKlSdYOjFV3+EIK9ZUOE+r9gG904
+FIqeNLv0Sed01TEeDcFhSzLCrbMsMzesBh/uxSOpAjqJsoJGTqF/Qjlq1YMQCBrV
+JSC3tP+XOUokK/yEBeFuE2EmnF+dh3HcSWXOGoh/kViqoWYdpt/V4Mdtzu4wppgv
+V3ri2C4CUfP4zwUm90wVU7fW6NmfGdRg97w7IIrRdTNknN1O5g5L+zoXiA9RF7ac
+qZkrv6caEgiGtrLIVVkcHujWApvcYHYhxRi0KRLFwjUYNrOaMY9k/DgP6eY6pFLt
+jPcxGEalMxgIwORJ7rG7+u7Fjbaw9Aa8klsEVnjVWJBDwa0Lbaiaz7ggPzQq5lKB
+/zg8ixczAUY=
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2oren.age
+++ b/common/secrets/secrets/nix2oren.age
@ -0,0 +1,38 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USA4ejJq
+VHBFbVAxNWhPZnlNY1BZNkJqUXdhdGdHamFYVkVLNlpPQnFOakZZClNObTc2YU5Z
+KzJpMDF3TTVrWmJWdkVsMkJpVkRlOVJleVRoTXoraUY3dTAKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIFBwT2tDdFVjMWxhYlB6QmQvdGRjTDhZSzlUNUFvbG0wYytLcitS
+Vk9ha2MKVVRFQ1hMS0Yzd3oxbEZFWHY3ODJSRGhpbS9iVVZsWStZYzZmQmF1Ym5T
+bwotPiBzc2gtZWQyNTUxOSBTcENqQlEgd0g2SmlwQ0RCSnpnaWNOTmx0SmRESUpz
+Q1ZPTis5NHVicFAwRVZlR3F5WQo1eC9xQTNEelJKbUtFMWxSOThQUnpteVY0QmNl
+TzhKVi9NZ1N0eVFQVVFvCi0+IHNzaC1lZDI1NTE5IEJZS0crdyAzYUVNakZzeldL
+MzhoQzY0T09CWnBNYjZQYXVDTFFPS1hqRG9QcFJPQm00ClFJdGtnUkwzbHhQQnJD
+U1pvZUJ6Mjl4cDNyNm9uczdSZG5CKy8vb3czc2MKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIHZlT0k3YXhXT012SVBMUEtRYXpaMmh3c3kxbUluNkNGeDBRRkdRcmRnQzgK
+UEhWNGZPSlhXcHB1MnArcUp0Z3Y0amtKV284YU1aZWNUZE1zaDBkVm9wSQotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgN0YvQlFNUFBheUJURzhoQkg5bEZCUGM3VUVFSDk0
+bDUyMW1RdjRzQklnTQpXTktUOTdvWE5FWEwzNFBKSjZWbTZIcUpIL2dYQkJOVEUr
+YlFudE5PYmlnCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSB5WGtlUURGZ2thMkdOMmdX
+d2drUklkeW1xVlk1eDVSNGc5ZkJEZjVwWEhBCmRiazcrVzRGbktGNnl5c1ZudC90
+b0swK0cwdUQ4S2V0RGV4enFZWFh3WVUKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIGFB
+THloYVM5eE9zSnQ4ejd5T0pSK1UzTmY5T0F5ejFUcWUySHdsaG1BMk0KUGd1Smov
+ZlFkdDhQT1FCNkNaQzU5RmpYSHlFMzNzRGJMeHNRVzZscCs5NAotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgSVh5aVFlOFZHb0YxclRUZjJjWnAvMEdGU25zTkNYcUc3djRh
+VFdBZ1RCdwpDTFFYbUtlQ3ZrdXR1d1Q4L0p5ckhvNGlwYzgrRndraHdFMXRlRkIy
+OXdNCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyBpNVNOTC9Id3JTMUEyNDM2OEcxcGNu
+NVlJTWQzSVl0U2o5YUl0TjZYa2xNCjd1WDFPbXNuQmo1anM3eFRpU3NJc0NMeFJX
+L2Rsc2xTbXBqSXdaTk50cUUKLT4gc3NoLWVkMjU1MTkgWmUxTXdRICtJbURKL2da
+eEsycSt6TzBvWUIrS1R2L2VKbUJvZVA1ZmtjQXplaWIvd1kKWm5vbzVkQ0dMOW5r
+T1QvOFpoSW5MY21EN3gzRzJDRjRTYVJhVkJjeGt2dwotPiAjTkx0LWdyZWFzZQpq
+d0kKLS0tIFpoamdUTXpvNkQ3N3ZkUlMwQUY3am03UUVLNVNXRmZsUUhlOTZ2MExD
+bWcKi208SBEsgIk4hDTvAT/5xB2pd/vfQVwS/tRT4lOAMwZV5wNb7412LVDek5Ym
+jdwoGkItzbmBYyXgWQn55dTApcDqGTJYK4qy4BT6w9yMsKcm0weF4suO/W8o+38D
+Q0A/N+m9NbTEjTUM2uppr2T0dkpSqyK3ordVvbjOq/B7eBQNCRVm1ShcbyLekfiU
+iwfh98Vlw8uQiCbCPA14IjBN25SvT1kvchkAgGtzozGrNRLVW8kYKv9KgRlVEU1r
+kkS0Rhm9uRe6Kppo4K5+bHCKo8g8q7dcbya9a6Edlx36zdJwGWZ0EXkQtijCBcz1
+Ipgfktovy/yfhiBv9eYPjxJe+njyZUpUJNpydScnHJejGg0OJMkA0tRULNbxs1Uy
+x5bCPl7SvZZlgsIktMwhekxJ9kIUsYgwtHbSEP9xIFFyRxSeaJSVFBx4jKFeFJlf
+4pzuFOHp4RVyylYuhkKvWtuJ/PXYXm5wUptDc72vGeA7NDo5p/6u7KO6CfhVTpQ9
+cRKIdLxFFhqfV6m+BxoJY/TCyA/MONXxabETpQ3skPu9sCZXR4rpEKY=
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/nix2t.age
+++ b/common/secrets/secrets/nix2t.age
@ -0,0 +1,41 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBWaXVx
+enVoekp2ZG9nd0ZQZ2UySnViS1hPRmpINFRYbndxajVRRFBEU25zCnJOU3JXa2o0
+anNkVStiY1lEYVppSHNFdjRPLzNobTVCZlVzTjY0V0dWQzAKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIEF1KzhtYlh1Y3k1bFZYQSt3OE1PYzAzQ1lITEQ3Y0Vlc1ZIMnZ1
+NHZiREUKSW9tZ1FxdXAzMHkrbHgva3ZROTFjTzFvb2JVeUllZ2IrUkJKWUo5dmpl
+ZwotPiBzc2gtZWQyNTUxOSBTcENqQlEgeDdrRDUyTTBySUhMZ0pzdnBHbmJQWXh1
+SkdrTjBRTG5PaVh6L0cxZ1drdwpVZUtDN29wQ0tWNjFMOWlSSE9KUVNQRzF6ckto
+SS9EbzJ0ODFsNTJlcW5FCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBPMk03MGQ3UWdy
+M0VaTnE2Q0pVdFM2TytsS1g0WGhkckVzdEE3L2xjWXlRCmJCVncwZjFUUGJzaHR5
+QmtPU0F5K0duQkRhRkMzb2FBdGErRWQvb1poS3MKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIHNqa1dkYTdKbjBHTG1OYTlONlNTcXpCSGxQdWllZE9pOXVDWjJFSkY2VjAK
+VjRnZ1JyOFI3cnEydG9uM1hhbVVKeXFkWU5DQ1lPdWU1ZHVMTUpCNXRpbwotPiBz
+c2gtZWQyNTUxOSBSNSt4ZncgWFBuWFBjSGFhdEVGSlFsalh4aXRqZDROdWpZK0Yr
+bCtwdWpxRm1SS0NGMAo1bVc1Nkc3T1AvNFV6MlQvK3dLZzdSRkZyVTM1b2VnQlkz
+elRwc0JqOVJvCi0+IHNzaC1lZDI1NTE5IFJvWDVQUSAzSDBXb29lT2dRR1F2d25L
+VjhQVjY4L2ZqT2N2ZVF1UVBSQTlqUVJlU2p3CklqUnVyM2V2U1IwWURVUDZGbGZY
+aXZWYitMTmtlRUprZnBreWI0UTZjY1kKLT4gc3NoLWVkMjU1MTkgRjRiYjhnIHpC
+TVZzZHV0UFJlODc0RHY4OHJJNTd4VEdnK29vUkRwMWV1Qktza0k5aG8KbXJtTnVX
+MEN3MjN0d1pSOTlpazN2Y2R3R2JrVi91eTFIdFRwNGFTZmJOcwotPiBzc2gtZWQy
+NTUxOSB3ZHJaSkEgdkpiUlFWcVJKNlBYanMzVUZ0K2pKc2hiSGwwTi9lSkJPUW1r
+M0NWOGxDcwpZQlVWNkRIeFNvV3ZHUlFBSTN2RDZaUGhobUdQQzNlNitpZ1h0VmR3
+T0tRCi0+IHNzaC1lZDI1NTE5IDVhZHFNZyB3YVdDOTRoemdjVHFLMUNEV0RXcVF3
+am9sNkY2eG9vRGZ1Qkd5aTUyVmlJCmw0ZHpqMzBWRnU1RUkraExTVDhEdnQxQU9t
+STl6ckJsUFhWMmI4enVxYWcKLT4gc3NoLWVkMjU1MTkgWmUxTXdRIG5SNEhGb3FQ
+QkYxcnJBam9GazhXNE8wZW1OZlZVMnhUZnRPT0t2UkVHaG8KQmRlUkVkRk1QYlJp
+Sko2OWNSb3ZLbXVGOU85dGt5ZjF4cWsrK3ZZYjJ4cwotPiBaPykzYTw6YC1ncmVh
+c2UKRkhKVER5M1FWdzNScEd0STRDdit0Lzl6Vmh0RE9kQjNPWFFEWkhla2JaZlZx
+QzVRMVBiSVIxbDdGaWlrZC8rcgo0Z2lRbGJwKytCRWRvRUhMSGFoclg1UjFwYTUw
+VUN4UlNHaEtxZTJmQTN5MVNKcG1naDFRTncKLS0tIGNaRG5CQjNWMEozNDVQNFda
+M1hoK3MyUWk4b20zN2NCa2w0NkRTM3hMdVEKVkLTC4doxAz7FnAkZfezL3XxVl48
+12l/ReMfiBHh1Fv5U2Z+/QjewTiBm+liq2zdvpAZZpiSLCPXEIAZDI8g1mC5eEgp
+7jVhi78v8qPQexx3DV4t5CqWaP2tpJWXNmxQlTp0zykgxSZuMtNF4B3UefCTQK7c
+RV3awDpKDj5ApyC54BhkL+OmSxlvaCwbeGL9tgNKhFV0WEwFjWHrMTI++Nu0K5mG
+X8Hj0aqDKO8k5Bku+hK/LHNDT+/aCAfRfKMfwyo6ABBCej7YfTZKn/gyp+dDr6o2
+B2MBB4Dkuk7ioVgH5Iw4yxm97RHk4Ts+8Ntvhc7hOwDAnOl2bkDWBxPsqkXzHuFc
+nTBTSh5Fl+/o2O+it2A5I05f9TN3ZucKtI5dkG/HSy4sDMJZ6hsFA5dXvJ1RQtfZ
+qjoqjv70+zJ3fCQ939IxMBDEZhkD/WlxMnkNB3GNKZsOGd/YxyGcqVjmZ/SePMjv
+qpYhdPzfoqUp5IpsaAwHexUKa5S8UaMEEfXhDbq8UlmnA+b8E6UcRlbpq3b9j8B6
+1rcXbEyHOAw5+HJDZv4=
+-----END AGE ENCRYPTED FILE-----
--- a/common/secrets/secrets/secrets.nix
+++ b/common/secrets/secrets/secrets.nix
@ -0,0 +1,82 @@
+## To onboard a new machine, you must use a machine that is already onboarded, or the backup authority key saved in a secure location
+## Once the new machine is setup at least once, then we can generate/fetch ssh keys from it and add to this list. Then rekey the secrets and commit the changes and pull down from the nix repo
+
+# System key: `cat /etc/ssh/ssh_host_ed25519_key.pub`
+#
+# from authority
+# `nix run github:yaxitech/ragenix -- -i ~/.ssh/ragenix_authority --rules ~/.config/nixos-config/secrets/secrets.nix` <-r(eykey)|-e(edit) <File>>
+
+let
+  publicKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzAQ2Dzl8EvQtYLjEZS5K0bQeNop8QRkwrfxMkBagW2 root@gpdPocket3"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIr/aS0qyn5hCLR6wH1P2GhH3hGOqniewMkIseGZ23HB josh@gpdPocket3"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4PwrrOuZJWRjlc2dKBUKKE4ybqifJeVOn7x9J5IxIS josh@joe"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+GYfPPKxR/18RdD736G7IQhImX/CYU3A+Gifud3CHg root@joe"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9GW9W3DT9AqTonG5rDta3ziZdYOEEdukh2ErJfHxoP root@h002"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC60tzOVF0mcyfnYK2V/omzikuyE8Ol0K+yAjGxBV7q4 luser@h002"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFGp6oInUcGVnDl5axV1EHflMfZUiHxtqNa4eAuye/av root@lio"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKxNhtJNx/y4W54kAGmm2pF80l437z1RLWl/GTVKy0Pd josh@lio"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7bNX7R9ApoX/cHdXIhQdpA2sHrC9ii6VAulboAIJM2 root@oren"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICauUtSa71+oQAiLxp3GMMbmNXcbr9Mc7eK8b/lqZbbS josh@oren"
+  ];
+in
+{
+  ## To make a new secret:
+  # - FIRST add file below that you want to create
+  # - cd to the secrets directory here
+  # - `ragenix --editor=vi -v -e FILE.age` add file below and in the ragenix.nix file
+  #
+  # TODO come up with a rotate method/encrypt the device keys better. This isn't very secure feeling to me the way I am doing this now. If anyone gains access to any one of my devices, then my secrets are no longer secret. This is not a good model.
+
+  # Git keys
+  "nix2github.age" = {
+    inherit publicKeys;
+  };
+  "nix2bitbucket.age" = {
+    inherit publicKeys;
+  };
+  "nix2gitjosh.age" = {
+    inherit publicKeys;
+  };
+  # Server keys
+  "nix2h001.age" = {
+    inherit publicKeys;
+  };
+  "nix2h002.age" = {
+    inherit publicKeys;
+  };
+  "nix2joe.age" = {
+    inherit publicKeys;
+  };
+  "nix2gpdPocket3.age" = {
+    inherit publicKeys;
+  };
+  "nix2t.age" = {
+    inherit publicKeys;
+  };
+  "nix2l002.age" = {
+    inherit publicKeys;
+  };
+  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode
+  "nix2linode.age" = {
+    inherit publicKeys;
+  };
+  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90Gg6dV3yhZ5+X40vICbeBwV9rfD39/8l9QSqluTw8 nix2oracle
+  "nix2oracle.age" = {
+    inherit publicKeys;
+  };
+  "nix2lio.age" = {
+    inherit publicKeys;
+  };
+  "nix2oren.age" = {
+    inherit publicKeys;
+  };
+  # Others
+  "github_read_token.age" = {
+    inherit publicKeys;
+  };
+  "headscale_auth.age" = {
+    inherit publicKeys;
+  };
+}