From 0fc00e2d29446e95b540d0732b7af2f2b150bd56 Mon Sep 17 00:00:00 2001
From: mjallen18
Date: Wed, 7 Aug 2024 18:41:09 -0500
Subject: [PATCH] nix-sops
---
.sops.yaml | 15 +
flake.lock | 434 +++++++++++++++++++++++++----
flake.nix | 16 ++
hosts/default.nix | 4 +
hosts/desktop/configuration.nix | 6 +-
hosts/desktop/home.nix | 9 +-
hosts/nas/apps.nix | 19 +-
hosts/nas/configuration.nix | 63 +++--
hosts/nas/impermanence.nix | 38 +++
hosts/nas/networking.nix | 5 +-
hosts/nas/services.nix | 36 ++-
hosts/nas/sops.nix | 23 ++
hosts/pi4/configuration.nix | 2 -
modules/apps/collabora/default.nix | 3 +-
modules/apps/collabora/options.nix | 6 +-
modules/apps/deluge/default.nix | 56 ++--
modules/apps/deluge/options.nix | 20 ++
modules/apps/mariadb/default.nix | 5 +-
modules/apps/mariadb/options.nix | 11 +-
modules/apps/nextcloud/default.nix | 4 +-
modules/apps/nextcloud/options.nix | 5 +
modules/apps/redis/default.nix | 26 --
modules/apps/redis/options.nix | 27 --
modules/default.nix | 1 -
secrets/secrets.yaml | 49 ++++
share/nvidia/default.nix | 2 -
26 files changed, 683 insertions(+), 202 deletions(-)
create mode 100644 .sops.yaml
create mode 100644 hosts/nas/impermanence.nix
create mode 100644 hosts/nas/sops.nix
delete mode 100644 modules/apps/redis/default.nix
delete mode 100644 modules/apps/redis/options.nix
create mode 100644 secrets/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..0c9b9f8
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,15 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+ - &matt age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
+ - &desktop age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf
+ - &jallen-nas age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *matt
+ - *desktop
+ - *jallen-nas
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index 3282aba..31f3607 100644
--- a/flake.lock
+++ b/flake.lock
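Review bot: The single creation rule encrypts every file under `secrets/` to all three recipients, so the `desktop` host key can decrypt the NAS secrets too; nothing in this hunk limits a host to its own secrets. Consider one rule per host, for example a rule whose `path_regex` matches a NAS-only file (placeholder: `secrets/<nas-file>\.yaml$`) and lists only `*matt` and `*jallen-nas`. The header comment is still the upstream example text ("This example uses YAML anchors…") and could be replaced with `# age recipients: one admin key plus one key per host`.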
@@ -1,21 +1,62 @@ { "nodes": { + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": "nixpkgs", + "poetry2nix": "poetry2nix" + }, + "locked": { + "lastModified": 1722673481, + "narHash": "sha256-IWNFRDPVo1mDd0TzHsrweTVkcC0vZblkO3eo5h3lthQ=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "9067dd09db38130c400bc7a392339f757fa5ff45", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1722437664, + "narHash": "sha256-MtnBndHJmrp7NLIUO2/8SMy/9RKXyoTmh3X19P6KOtI=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "d6904b6aa1440f98f8061c3d12f7358c21b5ae2d", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2024.6.2", + "repo": "authentik", + "type": "github" + } + }, "chaotic": { "inputs": { "compare-to": "compare-to", "flake-schemas": "flake-schemas", "home-manager": "home-manager", "jovian": "jovian", - "nixpkgs": "nixpkgs", - "systems": "systems", + "nixpkgs": "nixpkgs_2", + "systems": "systems_3", "yafas": "yafas" }, "locked": { - "lastModified": 1722269440, - "narHash": "sha256-eUzqnxgHIfxGcXk0SwXwP011uQ41WOEHX+gg1uPSkcE=", + "lastModified": 1722771754, + "narHash": "sha256-NXE43sBXHB5kto5dSH9afFUxug7W8bBZg75UHbydX5E=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "a383380ec33f66ef92c4e815260271f6ad7cf286", + "rev": "69263a943d93c7af4429924ef66f3f64e5555089", "type": "github" }, "original": { 
@@ -41,16 +82,17 @@ }, "cosmic": { "inputs": { - "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_2", - "nixpkgs-stable": "nixpkgs-stable" + "flake-compat": "flake-compat_2", + "nixpkgs": "nixpkgs_3", + "nixpkgs-stable": "nixpkgs-stable", + "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1722449994, - "narHash": "sha256-xcpJE83RMrMPcfmoSScTs8yxGGIexOaHCt2lb3rKzzU=", + "lastModified": 1722811556, + "narHash": "sha256-tqmK+5gBOBogsoFY/0t8y+7VQGfoIddsWtb5brM7tyI=", "owner": "lilyinstarlight", "repo": "nixos-cosmic", - "rev": "7bccbcaafaf1e1e8077c0440c9e2defc8f5a2a75", + "rev": "c0a1d2525807a87ea27cb5ff8d2026e1792d2da0", "type": "github" }, "original": { @@ -122,6 +164,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1717312683, @@ -137,7 +195,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -153,7 +211,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "locked": { "lastModified": 1688025799, "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", @@ -169,6 +227,24 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1719745305, + "narHash": "sha256-xwgjVUpqSviudEkpQnioeez1Uo2wzrsMaJKJClh+Bls=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "lanzaboote", 
@@ -205,7 +281,25 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_4" }, "locked": { "lastModified": 1710146030, @@ -251,11 +345,11 @@ ] }, "locked": { - "lastModified": 1722119539, - "narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=", + "lastModified": 1722462338, + "narHash": "sha256-ss0G8t8RJVDewA3MyqgAlV951cWRK6EtVhVKEZ7J5LU=", "owner": "nix-community", "repo": "home-manager", - "rev": "d0240a064db3987eb4d5204cf2400bc4452d9922", + "rev": "6e090576c4824b16e8759ebca3958c5b09659ee8", "type": "github" }, "original": { @@ -292,11 +386,11 @@ ] }, "locked": { - "lastModified": 1722407237, - "narHash": "sha256-wcpVHUc2nBSSgOM7UJSpcRbyus4duREF31xlzHV5T+A=", + "lastModified": 1722630065, + "narHash": "sha256-QfM/9BMRkCmgWzrPDK+KbgJOUlSJnfX4OvsUupEUZvA=", "owner": "nix-community", "repo": "home-manager", - "rev": "58cef3796271aaeabaed98884d4abaab5d9d162d", + "rev": "afc892db74d65042031a093adb6010c4c3378422", "type": "github" }, "original": { @@ -322,7 +416,7 @@ }, "jovian": { "inputs": { - "nix-github-actions": "nix-github-actions", + "nix-github-actions": "nix-github-actions_2", "nixpkgs": [ "chaotic", "nixpkgs" 
@@ -345,14 +439,14 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat_2", - "flake-parts": "flake-parts", - "flake-utils": "flake-utils", + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts_2", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs-unstable" ], "pre-commit-hooks-nix": "pre-commit-hooks-nix", - "rust-overlay": "rust-overlay" + "rust-overlay": "rust-overlay_2" }, "locked": { "lastModified": 1718178907, @@ -385,6 +479,31 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717929455, + "narHash": "sha256-BiI5xWygriOJuNISnGAeL0KYxrEMnjgpg+7wDskVBhI=", + "owner": "nix-community", + "repo": "napalm", + "rev": "e1babff744cd278b56abe8478008b4a9e23036cf", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "napalm", + "type": "github" + } + }, "nci": { "inputs": { "crane": "crane_2", @@ -395,7 +514,7 @@ "nixpkgs" ], "parts": "parts", - "rust-overlay": "rust-overlay_2", + "rust-overlay": "rust-overlay_3", "treefmt": "treefmt" }, "locked": { @@ -414,14 +533,14 @@ }, "nix-darwin": { "inputs": { - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1722445220, - "narHash": "sha256-PW5FRqLhqg0xGpPjY2Poa464tyBQiyKd0tQGZ0HnMiU=", + "lastModified": 1722609272, + "narHash": "sha256-Kkb+ULEHVmk07AX+OhwyofFxBDpw+2WvsXguUS2m6e4=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "7e08a9dd34314fb8051c28b231a68726c54daa7b", + "rev": "f7142b8024d6b70c66fd646e1d099d3aa5bfec49", "type": "github" }, "original": { 
@@ -431,6 +550,28 @@ } }, "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703863825, + "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_2": { "inputs": { "nixpkgs": [ "chaotic", @@ -456,7 +597,7 @@ "nix-inspect": { "inputs": { "nci": "nci", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "parts": "parts_2" }, "locked": { @@ -475,9 +616,9 @@ }, "nixos-apple-silicon": { "inputs": { - "flake-compat": "flake-compat_3", - "nixpkgs": "nixpkgs_5", - "rust-overlay": "rust-overlay_3" + "flake-compat": "flake-compat_4", + "nixpkgs": "nixpkgs_6", + "rust-overlay": "rust-overlay_4" }, "locked": { "lastModified": 1717784003, @@ -511,11 +652,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722062969, - "narHash": "sha256-QOS0ykELUmPbrrUGmegAUlpmUFznDQeR4q7rFhl8eQg=", + "lastModified": 1720542800, + "narHash": "sha256-ZgnNHuKV6h2+fQ5LuqnUaqZey1Lqqt5dTUAiAnqH0QQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b73c2221a46c13557b1b3be9c2070cc42cf01eb3", + "rev": "feb2849fdeb70028c70d73b848214b00d324a497", "type": "github" }, "original": { 
@@ -525,13 +666,25 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1717284937, + "narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz" + } + }, "nixpkgs-stable": { "locked": { - "lastModified": 1722221733, - "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", + "lastModified": 1722519197, + "narHash": "sha256-VEdJmVU2eLFtLqCjTYJd1J7+Go8idAcZoT11IewFiRg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "12bf09802d77264e441f48e25459c10c93eada2e", + "rev": "05405724efa137a0b899cce5ab4dde463b4fd30b", "type": "github" }, "original": { @@ -559,11 +712,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1722221733, - "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", + "lastModified": 1722651103, + "narHash": "sha256-IRiJA0NVAoyaZeKZluwfb2DoTpBAj+FLI0KfybBeDU0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "12bf09802d77264e441f48e25459c10c93eada2e", + "rev": "a633d89c6dc9a2a8aae11813a62d7c58b2c0cc51", "type": "github" }, "original": { 
@@ -573,13 +726,29 @@ "type": "github" } }, - "nixpkgs-unstable": { + "nixpkgs-stable_4": { "locked": { - "lastModified": 1722185531, - "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=", + "lastModified": 1721524707, + "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d", + "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1722630782, + "narHash": "sha256-hMyG9/WlUi0Ho9VkRrrez7SeNlDzLxalm9FwY7n/Noo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d04953086551086b44b6f3c6b7eeb26294f207da", "type": "github" }, "original": { @@ -591,11 +760,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1722185531, - "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=", + "lastModified": 1722630782, + "narHash": "sha256-hMyG9/WlUi0Ho9VkRrrez7SeNlDzLxalm9FwY7n/Noo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d", + "rev": "d04953086551086b44b6f3c6b7eeb26294f207da", "type": "github" }, "original": { @@ -606,6 +775,22 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1722421184, + "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1718149104, "narHash": "sha256-Ds1QpobBX2yoUDx9ZruqVGJ/uQPgcXoYuobBguyKEh8=", @@ -619,7 +804,7 @@ "type": "indirect" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1709961763, "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=", 
@@ -635,7 +820,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1716293225, "narHash": "sha256-pU9ViBVE3XYb70xZx+jK6SEVphvt7xMTbm6yDIF4xPs=", @@ -651,6 +836,22 @@ "type": "github" } }, + "nixpkgs_7": { + "locked": { + "lastModified": 1721466660, + "narHash": "sha256-pFSxgSZqZ3h+5Du0KvEL1ccDZBwu4zvOil1zzrPNb3c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6e14bbce7bea6c4efd7adfa88a40dac750d80100", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "parts": { "inputs": { "nixpkgs-lib": [ @@ -694,6 +895,34 @@ "type": "github" } }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "systems": "systems_2", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1719549552, + "narHash": "sha256-efvBV+45uQA6r7aov48H6MhvKp1QUIyIX5gh9oueUzs=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "4fd045cdb85f2a0173021a4717dc01d92d7ab2b2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -764,6 +993,7 @@ }, "root": { "inputs": { + "authentik-nix": "authentik-nix", "chaotic": "chaotic", "cosmic": "cosmic", "home-manager": "home-manager_2", 
@@ -775,10 +1005,32 @@ "nixos-apple-silicon": "nixos-apple-silicon", "nixos-hardware": "nixos-hardware", "nixpkgs-stable": "nixpkgs-stable_3", - "nixpkgs-unstable": "nixpkgs-unstable" + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" } }, "rust-overlay": { + "inputs": { + "nixpkgs": [ + "cosmic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722738111, + "narHash": "sha256-cWD5pCs9AYb+512/yCx9D0Pl5KcmyuXHeJpsDw/D1vs=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "27ec296d93cb4b2d03e8cbd019b1b4cde8c34280", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_2": { "inputs": { "flake-utils": [ "lanzaboote", @@ -803,7 +1055,7 @@ "type": "github" } }, - "rust-overlay_2": { + "rust-overlay_3": { "flake": false, "locked": { "lastModified": 1710123130, @@ -819,7 +1071,7 @@ "type": "github" } }, - "rust-overlay_3": { + "rust-overlay_4": { "flake": false, "locked": { "lastModified": 1686795910, 
@@ -859,7 +1111,55 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_7", + "nixpkgs-stable": "nixpkgs-stable_4" + }, + "locked": { + "lastModified": 1722114803, + "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "systems_3": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -874,7 +1174,7 @@ "type": "github" } }, - "systems_2": { + "systems_4": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -911,6 +1211,28 @@ "type": "github" } }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718522839, + "narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "yafas": { "inputs": { "flake-schemas": [ 
diff --git a/flake.nix b/flake.nix index ef1b27c..c297adf 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,9 @@ # Nix Inspect nix-inspect.url = "github:bluskript/nix-inspect"; + # Authentik + authentik-nix.url = "github:nix-community/authentik-nix"; + # Chaotic-nix chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable"; @@ -31,6 +34,9 @@ # Nix hardware nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + # Sops-nix + sops-nix.url = "github:Mic92/sops-nix"; + #Apple nixos-apple-silicon.url = "github:mjallen18/nixos-apple-silicon"; nix-darwin.url = "github:LnL7/nix-darwin"; @@ -53,6 +59,8 @@ home-manager-stable, nix-inspect, cosmic, + authentik-nix, + sops-nix, }@inputs: let inherit (self) outputs; @@ -85,6 +93,8 @@ nixos-hardware.nixosModules.common-hidpi nixos-hardware.nixosModules.common-pc + sops-nix.nixosModules.sops + cosmic.nixosModules.default ]; }; @@ -96,7 +106,9 @@ inherit inputs outputs; }; modules = [ + impermanence.nixosModules.impermanence ./hosts/nas/configuration.nix + ./hosts/nas/impermanence.nix home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; @@ -104,6 +116,10 @@ home-manager.users.admin = import ./hosts/nas/home.nix; } + authentik-nix.nixosModules.default + + sops-nix.nixosModules.sops + nixos-hardware.nixosModules.common-pc nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-hidpi diff --git a/hosts/default.nix b/hosts/default.nix index ad043e2..61b475a 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -2,6 +2,8 @@ config, lib, pkgs, + inputs, + globals, ... }: let @@ -96,6 +98,8 @@ in environment.systemPackages = with pkgs; [ pinentry-curses ]; + # users.mutableUsers = lib.mkDefault false; + # Security config security = { diff --git a/hosts/desktop/configuration.nix b/hosts/desktop/configuration.nix index 8691a2e..338c95c 100644 --- a/hosts/desktop/configuration.nix +++ b/hosts/desktop/configuration.nix 
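Review bot: `sops-nix.url` is added in the second flake.nix hunk without a `follows`, and the flake.lock part of this commit gains `nixpkgs_7` and `nixpkgs-stable_4` nodes for it, so the secrets tooling is built from a separately pinned nixpkgs. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";` keeps it on the revision the rest of the system is updated with. The inputs block starts and ends outside the hunk, so the input name should be checked against it.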
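Review bot: `# users.mutableUsers = lib.mkDefault false;` is added commented out in the second hosts/default.nix hunk, so `users.mutableUsers` keeps its default of `true`. With that default NixOS applies the password options only when an account is first created, so the `hashedPasswordFile` values this commit introduces in hosts/nas/configuration.nix would presumably not change accounts that already exist, and rotating the sops secret later would not reach them either. Either enable the line or replace it with a comment such as `# mutableUsers stays true: after rotating a password secret, also run passwd on the host`.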
@@ -54,7 +54,7 @@ in displayManager.defaultSession = "gnome"; # Enable Flatpak - flatpak.enable = false; + flatpak.enable = true; # disable plasma displayManager.sddm.enable = false; @@ -149,6 +149,8 @@ in apps.discover-wrapped.enable = false; + nix.settings.trusted-users = [ "root" "matt" ]; + services = { # Enable Desktop Environment. displayManager = { @@ -161,7 +163,7 @@ in desktopManager.plasma6.enable = lib.mkDefault true; # Enable Flatpak - flatpak.enable = lib.mkDefault false; + flatpak.enable = lib.mkDefault true; }; # xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-kde ]; diff --git a/hosts/desktop/home.nix b/hosts/desktop/home.nix index 944873b..05c62ed 100644 --- a/hosts/desktop/home.nix +++ b/hosts/desktop/home.nix @@ -19,9 +19,9 @@ shellAliases = { ll = "ls -alh"; - update = "sudo nixos-rebuild switch"; + update = "sudo nixos-rebuild switch --max-jobs 10"; update-flake = "sudo nix flake update ~/nix-config"; - update-specialisation = "sudo nixos-rebuild switch --specialisation"; + update-specialisation = "sudo nixos-rebuild switch --specialisation --max-jobs 10"; nas-update = "nixos-rebuild switch --use-remote-sudo --target-host admin@jallen-nas.local --build-host localhost --flake ~/nix-config#jallen-nas"; nas-ssh = "ssh admin@jallen-nas.local"; }; @@ -55,6 +55,7 @@ home.packages = with pkgs; [ # gamescope # using chaotic git version # gamescope-wsi # using chaotic git version + age bottles chromium deadnix @@ -67,6 +68,7 @@ goverlay heroic home-manager + jq libreoffice-qt6-fresh lm_sensors lutris @@ -88,8 +90,11 @@ python312Packages.pytest python312Packages.pytest-cov python312Packages.pyaml + sops spotify + ssh-to-pgp tree + vesktop virt-manager vmware-horizon-client vorta diff --git a/hosts/nas/apps.nix b/hosts/nas/apps.nix index 9bbc5c0..7bb5984 100644 --- a/hosts/nas/apps.nix +++ b/hosts/nas/apps.nix 
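Review bot: `nix.settings.trusted-users = [ "root" "matt" ];` in the second desktop/configuration.nix hunk makes `matt` root-equivalent as far as the Nix daemon is concerned, because a trusted user can override daemon settings and import unsigned store paths without a password prompt. If the goal is only to use an extra binary cache, declare it with `nix.settings.trusted-substituters` and leave `trusted-users` at its default. If the line stays, a comment such as `# matt is root-equivalent for the nix daemon; needed for <reason>` would record why.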
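Review bot: In the `update-specialisation` alias of the first home.nix hunk, `--max-jobs 10` is appended after `--specialisation`, which takes the specialisation name as its next argument; the alias used to end with that flag so the name typed after the alias was consumed by it. As written, `--max-jobs` is likely to be taken as the name. Reordering keeps the old behaviour: `update-specialisation = "sudo nixos-rebuild switch --max-jobs 10 --specialisation";`.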
@@ -12,7 +12,10 @@ beszel-agent.enable = true; - collabora.enable = true; + collabora = { + enable = true; + environmentFiles = [ config.sops.secrets."jallen-nas/collabora".path ]; + }; deluge.enable = true; @@ -22,11 +25,18 @@ jellyseerr.enable = true; - mariadb.enable = true; + mariadb = { + enable = true; + environmentFiles = [ + config.sops.secrets."jallen-nas/mariadb/db_pass".path + config.sops.secrets."jallen-nas/mariadb/root_pass".path + ]; + }; mealie = { enable = true; baseUrl = "https://mealie.mjallen.dev"; + port = "9001"; maxConcurrency = "4"; maxWorkers = "4"; allowSignup = "false"; @@ -35,7 +45,8 @@ nextcloud = { enable = true; httpPort = "9981"; - httpsPort = "9443"; + httpsPort = "9943"; + redisSock = "/var/run/redis-nextcloud/redis.sock"; }; ollama.enable = true; @@ -46,8 +57,6 @@ radarr.enable = true; - redis.enable = true; - sabnzbd.enable = true; sonarr.enable = true; diff --git a/hosts/nas/configuration.nix b/hosts/nas/configuration.nix index 88fd1b2..9558014 100755 --- a/hosts/nas/configuration.nix +++ b/hosts/nas/configuration.nix @@ -12,7 +12,7 @@ }: let user = "admin"; - password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06"; + passwordFile = config.sops.secrets."jallen-nas/admin_password".path; in { imports = [ @@ -25,9 +25,15 @@ in ./ups.nix ./samba.nix ./services.nix + ./sops.nix ../default.nix ]; + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; + # Cockpit services.cockpit = { enable = true; 
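Review bot: The password hash deleted from the `let` block in the first hosts/nas/configuration.nix hunk stays readable in the repository history, and the same holds for the Wi-Fi PSK deleted in hosts/nas/networking.nix and the shared password deleted from the collabora, mariadb, nextcloud and redis modules. Moving them to sops therefore protects them only if the values were changed at the same time. The page does not show whether `secrets/secrets.yaml` holds new values, so this should be confirmed and each credential rotated if not. A comment next to `passwordFile`, e.g. `# value rotated when moved to sops`, would document that it was done.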
@@ -78,42 +84,39 @@ in }; systemPackages = with pkgs; [ - vim - wget - nano - efibootmgr - sbctl - pciutils - vulkan-tools - clinfo - glances - python3 - nix-ld + authentik binutils - gcc + cryptsetup + clinfo cmake + duperemove + efibootmgr ffmpeg + gcc + glances + htop + lm_sensors + nano ninja + nix-inspect + nix-ld + nmon nodejs-18_x nut - nmon - pass - protonvpn-cli - protonmail-bridge - pass - cockpit packagekit - # gnome.gnome-packagekit - unstable.nix-inspect - unstable.gpt4all - lm_sensors - htop + pass + pciutils + protonmail-bridge + protonvpn-cli + python3 + sbctl + speedtest-cli tailscale tpm2-tools tpm2-tss - cryptsetup - duperemove - speedtest-cli + vim + vulkan-tools + wget ]; }; @@ -158,7 +161,7 @@ in "nix-apps" "jallen-nas" ]; # Enable ‘sudo’ for the user. - initialHashedPassword = password; + hashedPasswordFile = passwordFile; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ # macBook @@ -192,7 +195,7 @@ in "docker" "podman" ]; # Enable ‘sudo’ for the user. - hashedPassword = password; + hashedPasswordFile = passwordFile; }; groups.nut.name = "nut"; @@ -202,7 +205,7 @@ in isSystemUser = true; createHome = true; home = "/var/lib/nut"; - hashedPassword = password; + hashedPasswordFile = passwordFile; }; }; diff --git a/hosts/nas/impermanence.nix b/hosts/nas/impermanence.nix new file mode 100644 index 0000000..f56bf20 --- /dev/null +++ b/hosts/nas/impermanence.nix 
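Review bot: The `nut` system user in the last hunk gets `hashedPasswordFile = passwordFile;`, the same hash as the `admin` account, and the user in the `@@ -192,7` hunk does as well. A service account normally needs no login password, and sharing the admin credential means it cannot be rotated or revoked per account. Consider dropping the line for `nut`, which leaves the account without a usable password, or pointing it at its own sops secret. The user definitions start outside these hunks.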
@@ -0,0 +1,38 @@ +{ + pkgs, + lib, + LT, + config, + utils, + inputs, + ... +}@args: +{ + # Set up impernance configuration for things like bluetooth + # In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints. + + environment.persistence."/nix/persist/system" = { + hideMounts = true; + directories = [ + "/var/lib/bluetooth" + "/var/lib/nixos" + "/var/lib/systemd/coredump" + "/etc/NetworkManager/system-connections" + "/etc/secureboot" + { + directory = "/var/lib/colord"; + user = "colord"; + group = "colord"; + mode = "u=rwx,g=rx,o="; + } + ]; + files = [ + { + file = "/etc/nix/id_rsa"; + parentDirectory = { + mode = "u=rwx,g=,o="; + }; + } + ]; + }; +} diff --git a/hosts/nas/networking.nix b/hosts/nas/networking.nix index 977de40..f5a1f4c 100644 --- a/hosts/nas/networking.nix +++ b/hosts/nas/networking.nix @@ -10,12 +10,12 @@ let hostname = "jallen-nas"; ipAddress = "10.0.1.18"; gateway = "10.0.1.1"; - password = "kR8v&3Qd"; allowedPorts = [ 2342 3493 61208 9090 + 9000 # config.services.tailscale.port # 22 ]; @@ -44,9 +44,10 @@ in wireless = { enable = true; + environmentFile = config.sops.secrets."wifi".path; networks = { "Joey's Jungle 5G" = { - psk = password; + psk = "@PSK@"; }; }; }; diff --git a/hosts/nas/services.nix b/hosts/nas/services.nix index 1df9837..3fb2c69 100644 --- a/hosts/nas/services.nix +++ b/hosts/nas/services.nix @@ -127,10 +127,11 @@ in }; tailscale = { - enable = false; + enable = true; openFirewall = true; useRoutingFeatures = "client"; extraUpFlags = [ "--advertise-exit-node" ]; + authKeyFile = "/media/nas/ssd/nix-app-data/tailscale/auth"; }; btrfs = { 
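Review bot: The module header of hosts/nas/impermanence.nix binds `pkgs`, `lib`, `LT`, `config`, `utils`, `inputs` and `@args`, but the body uses none of them; `LT` is not a standard NixOS module argument and looks carried over from another configuration, so the header can shrink to `{ ... }:`. The comment says `/etc` is persistent, yet three `/etc/...` paths are listed for persistence below it, so one of the two is out of date, and it has a typo (`impernance`). Since `/etc/nix/id_rsa` is a private key, a comment on what uses it, e.g. `# SSH key for <purpose>; root-only`, would help the next reader judge whether it should instead be a sops secret.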
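Review bot: Port `9000` is added to `allowedPorts` in the first networking.nix hunk with no comment saying which service it is for; it is presumably the authentik HTTP listener enabled in hosts/nas/services.nix. If authentik is meant to be reached through a TLS-terminating reverse proxy on this host, the port does not need to be open, and leaving it open exposes the login page over plain HTTP on the LAN. Either drop the entry or annotate it, e.g. `9000 # authentik (HTTP), LAN only`. The `allowedPorts` list is consumed outside the hunk, so how it reaches the firewall is not visible here.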
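Review bot: `authKeyFile` in the tailscale hunk points at a plain file under `/media/nas/ssd/nix-app-data/`, and the `authentik.environmentFile` added in the next services.nix hunk does the same, so these two credentials stay outside the sops setup this commit introduces. Declaring them in hosts/nas/sops.nix and referencing `config.sops.secrets."<secret-name>".path` (placeholder name) would give them the same encryption at rest and root-only permissions as the other secrets. Separately, `extraUpFlags = [ "--advertise-exit-node" ]` sits next to `useRoutingFeatures = "client"`; an exit node needs forwarding, which the `"server"` or `"both"` value enables, so now that the service is switched on one of the two lines probably needs to change.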
@@ -153,6 +154,39 @@ in "/media/nas/main/isos" ]; }; + + authentik = { + enable = true; + environmentFile = "/media/nas/ssd/nix-app-data/authentik/.env"; + + }; + + postgresql = { + enable = true; + package = pkgs.postgresql_16; + dataDir = "/media/nas/ssd/nix-app-data/postgresql"; + ensureDatabases = [ "authentik" ]; + ensureUsers = [ + { + name = "authentik"; + ensureDBOwnership = true; + } + ]; + }; + + redis = { + servers = { + authentik = { + enable = true; + port = 6379; + }; + + nextcloud = { + enable = true; + port = 6380; + }; + }; + }; }; systemd.user.services = { diff --git a/hosts/nas/sops.nix b/hosts/nas/sops.nix new file mode 100644 index 0000000..d16b302 --- /dev/null +++ b/hosts/nas/sops.nix @@ -0,0 +1,23 @@ +{ + ... +}: +{ + sops.defaultSopsFile = ../../secrets/secrets.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + + sops.secrets."jallen-nas/admin_password" = {}; + sops.secrets."jallen-nas/admin_password".neededForUsers = true; + + sops.secrets."wifi" = {}; + + sops.secrets."jallen-nas/collabora" = { + restartUnits = [ "podman-collabora.service" ]; + }; + + sops.secrets."jallen-nas/mariadb/db_pass" = { + restartUnits = [ "podman-mariadb.service" ]; + }; + sops.secrets."jallen-nas/mariadb/root_pass" = { + restartUnits = [ "podman-mariadb.service" ]; + }; +} \ No newline at end of file diff --git a/hosts/pi4/configuration.nix b/hosts/pi4/configuration.nix index 96ac31d..0996eb1 100644 --- a/hosts/pi4/configuration.nix +++ b/hosts/pi4/configuration.nix @@ -106,8 +106,6 @@ in }; }; - virtualisation.docker.enable = true; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # diff --git a/modules/apps/collabora/default.nix b/modules/apps/collabora/default.nix index 7e84419..d8497be 100755 --- a/modules/apps/collabora/default.nix +++ b/modules/apps/collabora/default.nix 
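Review bot: Neither redis server in this hunk sets `requirePassFile`, whereas the redis container this commit deletes was started with `--requirepass`; with the module's default bind address, any local process or container that can reach the loopback ports can read and write both caches, including authentik's. The `nextcloud` instance is consumed through its unix socket (`redisSock` in hosts/nas/apps.nix), so its TCP listener can be turned off with `port = 0;`. The `authentik` instance can take a `requirePassFile` backed by a sops secret, provided authentik is given the matching password. The container user also has to be able to open the socket, which `unixSocketPerm` and the instance's group control; the hunk does not show that being arranged.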
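Review bot: The secrets declared in hosts/nas/sops.nix are consumed in two different ways and nothing in the file says which is which. `jallen-nas/collabora`, `jallen-nas/mariadb/*` and `wifi` are passed as environment files, so their decrypted content has to be `KEY=value` lines (for example a `PSK=` line to match `psk = "@PSK@"`), while `jallen-nas/admin_password` must hold a password hash. A comment above each group, such as `# env-file format: one KEY=value per line`, would prevent a bare value being stored by mistake, which would leave a container without its password rather than fail loudly. The two `admin_password` lines can also be merged into `sops.secrets."jallen-nas/admin_password".neededForUsers = true;`.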
@@ -23,12 +23,13 @@ in volumes = [ # ... ]; + environmentFiles = cfg.environmentFiles; environment = { PUID = cfg.puid; PGID = cfg.pgid; TZ = cfg.timeZone; username = cfg.username; - password = cfg.password; + # password = cfg.password; # get from env file domain = "office.mjallen.dev"; aliasgroup1 = "https://cloud\.mjallen\.dev:443"; aliasgroup2 = "https://cloud\.mjallen\.dev:443"; diff --git a/modules/apps/collabora/options.nix b/modules/apps/collabora/options.nix index 1ce4d7e..2cdf88b 100755 --- a/modules/apps/collabora/options.nix +++ b/modules/apps/collabora/options.nix @@ -44,9 +44,9 @@ with lib; default = "mjallen"; }; - password = mkOption { - type = types.str; - default = "BogieDudie1"; + environmentFiles = mkOption { + type = with types; listOf path; + default = []; }; dontGenSslCert = mkOption { diff --git a/modules/apps/deluge/default.nix b/modules/apps/deluge/default.nix index e7edc37..1bcfb77 100644 --- a/modules/apps/deluge/default.nix +++ b/modules/apps/deluge/default.nix 
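Review bot: With the `password` option removed, the collabora container only receives a password if the caller sets `environmentFiles`, and that option defaults to `[]`, so enabling the module without it starts the container with no `password` variable at all; modules/apps/mariadb/default.nix has the same gap for `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD`. An assertion makes the misconfiguration fail at evaluation time: `assertions = [ { assertion = cfg.environmentFiles != [ ]; message = "collabora: environmentFiles must supply the password"; } ];`. The commented-out `# password = cfg.password;` line refers to an option that no longer exists and can be deleted.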
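Review bot: `with types; listOf path` in collabora/options.nix also accepts a Nix path literal, and a literal such as `./collabora.env` is copied into the world-readable Nix store when the configuration is built; the same type is used for `environmentFiles` in modules/apps/mariadb/options.nix. The sops `.path` values passed in hosts/nas/apps.nix are strings and are safe, but the option gives no hint of the difference. Add a `description` stating that entries must be runtime paths given as strings (for example a sops-nix secret path), or declare the option as `types.listOf types.str`.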
@@ -13,36 +13,34 @@ in config = mkIf cfg.enable { - systemd.services.deluge-docker = { - path = [ - pkgs.bash - pkgs.docker + virtualisation.oci-containers.containers."${cfg.name}" = { + autoStart = cfg.autoStart; + image = cfg.image; + ports = [ + "${toString cfg.port1}:8112" + "${toString cfg.port2}:8118" + "${toString cfg.port3}:58846" + "${toString cfg.port4}:58966" ]; - script = '' - set -e - exec docker run \ - --rm \ - --cap-add=NET_ADMIN \ - --name=${cfg.name} \ - -e PUID=${cfg.puid} \ - -e PGID=${cfg.pgid} \ - -e TZ=${cfg.timeZone} \ - -p 8112:8112 \ - -p 8118:8118 \ - -p 58846:58846 \ - -p 58946:58966 \ - -v '${cfg.configPath}:/config' \ - -v '${cfg.moviesPath}:/data/downloads' \ - -v '${cfg.tvPath}:/data/downloads-icomplete' \ - -v /etc/localtime:/etc/localtime:ro \ - -e VPN_ENABLED=yes \ - -e VPN_PROV=custom \ - -e VPN_CLIENT=openvpn \ - -e LAN_NETWORK=10.0.1.0/24 \ - -e NAME_SERVERS=1.1.1.1 \ - ${cfg.image}:latest - ''; - wantedBy = [ "multi-user.target" ]; + extraOptions = [ + "--cap-add=NET_ADMIN" + ]; + volumes = [ + "${cfg.configPath}:/config" + "${cfg.moviesPath}:/data/downloads" + "${cfg.tvPath}:/data/downloads-icomplete" + "/etc/localtime:/etc/localtime:ro" + ]; + environment = { + PUID = cfg.puid; + PGID = cfg.pgid; + TZ = cfg.timeZone; + VPN_ENABLED = "yes"; + VPN_PROV = "custom"; + VPN_CLIENT = "openvpn"; + LAN_NETWORK = "10.0.1.0/24"; + NAME_SERVERS = "1.1.1.1"; + }; }; }; } diff --git a/modules/apps/deluge/options.nix b/modules/apps/deluge/options.nix index cf493eb..6d6af1c 100644 --- a/modules/apps/deluge/options.nix +++ b/modules/apps/deluge/options.nix 
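Review bot: The old script ran `${cfg.image}:latest` and the new `image = cfg.image;` passes the option through untagged, so with the default from options.nix the container still floats on whatever the registry serves, and it runs with `--cap-add=NET_ADMIN`. Pinning the option to a version tag or digest, e.g. `default = "binhex/arch-delugevpn@sha256:<digest>";` (placeholder digest), makes image updates deliberate and reviewable. The host side of the last port mapping also changes from `58946` to the `port4` default `58966`; if that is intended it deserves a line in the commit message.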
@@ -14,6 +14,26 @@ with lib; default = "deluge"; }; + port1 = mkOption { + type = types.str; + default = "8112"; + }; + + port2 = mkOption { + type = types.str; + default = "8118"; + }; + + port3 = mkOption { + type = types.str; + default = "58846"; + }; + + port4 = mkOption { + type = types.str; + default = "58966"; + }; + image = mkOption { type = types.str; default = "binhex/arch-delugevpn"; diff --git a/modules/apps/mariadb/default.nix b/modules/apps/mariadb/default.nix index 7a69ed1..116a26b 100644 --- a/modules/apps/mariadb/default.nix +++ b/modules/apps/mariadb/default.nix @@ -17,14 +17,15 @@ in image = cfg.image; ports = [ "${cfg.port}:3306" ]; volumes = [ "${cfg.configPath}:/config" ]; + environmentFiles = cfg.environmentFiles; environment = { PUID = cfg.puid; PGID = cfg.pgid; TZ = cfg.timeZone; - MYSQL_ROOT_PASSWORD = cfg.rootPassword; + # MYSQL_ROOT_PASSWORD = cfg.rootPassword; # get from env file MYSQL_DATABASE = cfg.databaseName; MYSQL_USER = cfg.databaseUser; - MYSQL_PASSWORD = cfg.databasePassword; + # MYSQL_PASSWORD = cfg.databasePassword; # get from env file }; }; }; diff --git a/modules/apps/mariadb/options.nix b/modules/apps/mariadb/options.nix index 9bdba18..b71b305 100644 --- a/modules/apps/mariadb/options.nix +++ b/modules/apps/mariadb/options.nix @@ -44,11 +44,6 @@ with lib; default = "America/Chicago"; }; - rootPassword = mkOption { - type = types.str; - default = "BogieDudie1"; - }; - databaseName = mkOption { type = types.str; default = "jallen_nextcloud"; @@ -59,9 +54,9 @@ with lib; default = "nextcloud"; }; - databasePassword = mkOption { - type = types.str; - default = "BogieDudie1"; + environmentFiles = mkOption { + type = with types; listOf path; + default = []; }; }; } diff --git a/modules/apps/nextcloud/default.nix b/modules/apps/nextcloud/default.nix index daca4c9..24d4e55 100644 --- a/modules/apps/nextcloud/default.nix +++ b/modules/apps/nextcloud/default.nix 
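Review bot: `port1` to `port4` in deluge/options.nix are declared as `types.str` with no `description`, so a caller cannot tell which listener each one publishes and a non-numeric value is only caught when the container fails to start. `types.port` with integer defaults validates the range at evaluation time, and the `toString` calls already present in default.nix would then be needed rather than redundant. A one-line `description` per option naming the container port it maps to (8112, 8118, 58846, 58966) would be enough documentation.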
@@ -22,14 +22,12 @@ in
 volumes = [
 "${cfg.configPath}:/config"
 "${cfg.dataPath}:/data"
+ "${cfg.redisSock}:/var/redis/redis.sock"
 ];
 environment = {
 PUID = cfg.puid;
 PGID = cfg.pgid;
 TZ = cfg.timeZone;
- REDIS_HOST = "10.0.1.18";
- REDIS_PORT = "6379";
- REDIS_HOST_PASSWORD = "BogieDudie1";
 };
 };
 };
diff --git a/modules/apps/nextcloud/options.nix b/modules/apps/nextcloud/options.nix
index e03ba6a..4417b2c 100644
--- a/modules/apps/nextcloud/options.nix
+++ b/modules/apps/nextcloud/options.nix
@@ -39,6 +39,11 @@ with lib;
 default = "/media/nas/main/nextcloud";
 };
+ redisSock = mkOption {
+ type = types.str;
+ default = "";
+ };
+
 puid = mkOption {
 type = types.str;
 default = "911";
diff --git a/modules/apps/redis/default.nix b/modules/apps/redis/default.nix
deleted file mode 100644
index 8396f6e..0000000
--- a/modules/apps/redis/default.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- lib,
- pkgs,
- config,
- ...
-}:
-with lib;
-let
- cfg = config.nas-apps.redis;
-in
-{
- imports = [ ./options.nix ];
-
- config = mkIf cfg.enable {
- virtualisation.oci-containers.containers."${cfg.name}" = {
- autoStart = cfg.autoStart;
- image = cfg.image;
- cmd = [
- "redis-server"
- "--requirepass"
- "BogieDudie1"
- ];
- ports = [ "6379:6379" ];
- };
- };
-}
diff --git a/modules/apps/redis/options.nix b/modules/apps/redis/options.nix
deleted file mode 100644
index c584558..0000000
--- a/modules/apps/redis/options.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ lib, ... }:
-with lib;
-{
- options.nas-apps.redis = {
- enable = mkEnableOption "redis docker service";
-
- autoStart = mkOption {
- type = types.bool;
- default = true;
- };
-
- name = mkOption {
- type = types.str;
- default = "redis";
- };
-
- image = mkOption {
- type = types.str;
- default = "redis";
- };
-
- cmd = mkOption {
- type = types.str;
- default = "redis-server --requirepass BogieDudie1";
- };
- };
-}
diff --git a/modules/default.nix b/modules/default.nix
index 40fe37f..8f5d858 100644
--- a/modules/default.nix
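Review bot: The new volume entry in nextcloud/default.nix is added unconditionally, but the `redisSock` option introduced in the options.nix hunk that follows defaults to `""`, which turns the mapping into `":/var/redis/redis.sock"`, an empty bind source that the container runtime is likely to reject at start-up. Either declare the option without a default so evaluation fails while it is unset, or append the entry only when it is set, e.g. `] ++ lib.optional (cfg.redisSock != "") "${cfg.redisSock}:/var/redis/redis.sock";` (assuming `lib` is in scope as in the other modules). Bind-mounting the socket file itself can also go stale when the Redis server recreates it on restart, so mounting the containing directory is the more robust form. With the password variables gone, access to Redis presumably rests on the socket's file permissions, which deserves a `description` on `redisSock`; the container definition starts above this hunk.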
+++ b/modules/default.nix
@@ -17,7 +17,6 @@
 ./apps/open-webui
 ./apps/orca-slicer
 ./apps/radarr
- ./apps/redis
 ./apps/sabnzbd
 ./apps/sonarr
 ./apps/swag
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..1792935
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,49 @@ +#ENC[AES256_GCM,data:HkOno2ohMSLs46g=,iv:7KHzoElBP/GMIVubcIBya42SoFKVyt/+YRIxkgRE3Cw=,tag:U87dYHrKu/qqbLf5r7XEiA==,type:comment] +wifi: ENC[AES256_GCM,data:Rs+4Km4DogO7XatA,iv:JUv9HkNWsv/l4Fli5sFeUeYuWG1Yju95G59FJ/Q5W50=,tag:gRFCG4d5OBMRx1QayRV8Zg==,type:str] +jallen-nas: + admin_password: ENC[AES256_GCM,data:RGb0UQkLhqfBWflIc5r8yWgYvc0EZuM49uhnXH1r6o9d7Ya7eAoTn2DHdWmYnd9/LpTXPmLF07Nf8s1+/odYx8RBmaji56yWbQ==,iv:dGlvZtZFB8jsI33Qkmmb3iHTXqpVWfbd0EfNK0uX3i4=,tag:z6THeY0UmG64VwOdwnL/AA==,type:str] + collabora: ENC[AES256_GCM,data:A01H7FzgSplAEn0dsENgllyWza4=,iv:L9bPHKdeIHn7caYn78XOkdmuSk1RIuSVcIW5HFQL8PY=,tag:h0kiClGAwGB6iP327flWew==,type:str] + mariadb: + root_pass: ENC[AES256_GCM,data:YLPfEG4/6FeCnrKdfXv9z4hHwtpM/KtBCYqlm4IUvA==,iv:pc9Ljasy76bfkmFRJ4M+wfEtjXBUD7Kb0S0WQZhCmOs=,tag:Wk/7gpKidirhRqw4+Pu96g==,type:str] + db_pass: ENC[AES256_GCM,data:zC+BPQ5EvQAyK/ZSReBmuOtluYg4ZePKA7U=,iv:WarwZCPlpcLMjZLCs1SjKE9vZ1udZ13aNuziX2ReHJo=,tag:oT8slCgO8w8Iam2Of4HyfA==,type:str] + redis_nextcloud: ENC[AES256_GCM,data:BIQOGBdYh5KefMk=,iv:jeVj1PZG0RsCwal0zMg4zT16r23tCWcfRVGg4kdqdQo=,tag:VfPR6ygR1CeT0RU+DVM0pA==,type:str] +desktop: + matt_password: ENC[AES256_GCM,data:z/Jjzr+/PREpNEQsAVl4soeKAwW3sdteIqjhZT2txQDiR0FvGvEBoE/aYCM9NS7XSCgTeTuOqgBGfq4xDLc5/ZBAl7KoGHmKIQ==,iv:qVONkw8PDI2ydqybqGIU2XFq4+qC1BeXnfwxbxbWBww=,tag:eYOD2EoBn9XMiYOaBDFlRw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVUNkY2tOS2NBWk9ZdExr + VHIvVDRYN2l2Smxzb1pYY1VGdisrZnpsUWhNCjhQdGg4OGo0dDJhTzh2LzcxTThh + NHRvRHVscE96VXpjQTM5U3lndys1WUEKLS0tICtOVDdEV0hUTldHRktBNURIOTRa + eU80cmFjTnlQZnhqVk0zQjZ0blhoY0EKnrNm0BY1ePJjeKGcXqir02+DB1VfqQxh + 7ZXHouXdzv/K11tun59BuBy6VEgwGX2GmVDVpAs1r/d/GEZ4IyFccA== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWC91OXMwRmY0V0I1cTlN + K2RSKytQaEdSN1plUElaMDc0MU9FY2ZNTVg4CkFReVJVeW40dUU0NVpiMXpmWGJZ + M2RGSWNWSnBFWlJ2SWNLa0Jtd0tPYzAKLS0tIGpZd2ZlU2NUOVdBUE1oaHZmdHky + ZjhvZWE3N2xIOUoyaXhtTGRpaHhEN2MKAvMYbkWVVM4oXxrZfUUOnmb2pU1eO8Ia + HGMNfpo/LDcGbk4BJKWbFPOJnJeCzMH5/IL2Z+ZhxnnK11j57y/88g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbUEyMVYvZ3VtUndST01p + dHIvMklKVkRFZGZXR2ozZTI5aVJlbUJobFN3CktoWHc3M0phN0tiMm9WbXVPajcz + c3VqRkRFSWpycVNyalFOaWpISnp4a2cKLS0tIGlCQXBaaVhiSDdvdEJtMzkzd1BX + UGhsN2N0Mjl3UEJvUVlGRlJiN05WaUkKW37lU4G4CLTo6JoHC2OyhKsG/FuO+BiN + pzlVJwzRnmAqwklRbc6RMbQLl2EQrp6KQcgYsUxCMH9OQ/9WJ98dxQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-07T21:24:21Z" + mac: ENC[AES256_GCM,data:79381C9vRsWWD5MNmsqjm86/KqvXmOvCzcpN0bvBtu3jHr1EOPmWwmstfnsZiRLo1r9SxJECyuYsrRilpPY1yorURipp3vGtHRVKLb1YZmN1LtoA0yVAPD49YACGTWU4ogdiRkrfAqDfI9sRshHK98axHv72Q7FZJFnsJ6QpPak=,iv:hFtp5t+m9Hsh5zUsA3RA7uTPJ5fEZ7PD04gBfAq0dYA=,tag:tK3zCY3YWEurDIkegH+U2g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/share/nvidia/default.nix b/share/nvidia/default.nix index 43d0035..defacda 100644 --- a/share/nvidia/default.nix +++ b/share/nvidia/default.nix @@ -59,8 +59,6 @@ in }; # Virtualisation - virtualisation.docker.enableNvidia = cfg.enableNvidiaDocker; - hardware.nvidia-container-toolkit.enable = cfg.enableNvidiaDocker; }; }