chore(cleanup): sops, opencode, etc

2026-01-11 22:19:31 -05:00
parent 1fe9396284
commit c8f5e744d0
32 changed files with 1210 additions and 676 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,22 +1,31 @@
 keys:
-  # Admin - Age Native
+  # Global Admin
  - &admin_reichard age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
-  # lin-va-mbp-personal@evanreichard - SSH Derived
+
  # User SSH Derived
  - &user_lin-va-mbp-personal age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
  # mac-va-mbp-personal@evanreichard - SSH Derived
  - &user_mac-va-mbp-personal age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
  - &user_lin-va-thinkpad age1avlhszrryt4gf4ya536jhzm7qwt9xfttm8x4sns6h9w2tahzqp8sspz9y5
  - &user_lin-va-desktop age15hdlen5dgjvdfgg2j0uzvchs5vs3xuptkhsw9xeuatcuk6uwrvcsz7hcsg
  # System SSH Derived
  - &system_lin-va-desktop age1mxjrvjxkn69kfn2np3wpd73g44fuhsgykw7l5ss9rx30em5jfp2scnrq32
  - &system_lin-va-thinkpad age13gymlygyac9z2slecl53jp8spq7e8n4zkan86n0gmnm3nrj4muxqa5ullm
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
          - *admin_reichard
-  - path_regex: secrets/lin-va-mbp-personal/evanreichard/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/common/systems.yaml
    key_groups:
      - age:
          - *admin_reichard
          - *system_lin-va-desktop
          - *system_lin-va-thinkpad
  - path_regex: secrets/common/evanreichard.yaml
    key_groups:
      - age:
          - *admin_reichard
          - *user_lin-va-mbp-personal
-  - path_regex: secrets/mac-va-mbp-personal/evanreichard/[^/]+\.(yaml|json|env|ini)$
+          - *user_lin-va-thinkpad
    key_groups:
      - age:
          - *admin_reichard
          - *user_mac-va-mbp-personal
--- a/README.md
+++ b/README.md
@@ -78,3 +78,27 @@ if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
 fi
 # End Nix
 ```
 #### SOPS
 1. Convert your SSH key to an age key
 2. Get age public key
 3. Update `.sops.yaml` with rules
 4. Edit file
 ```bash
 # Ensure Config
 mkdir -p ~/.config/sops/age
 # Convert SSH to Age
 ssh-to-age -private-key -i $HOME/.ssh/id_ed25519 -o ~/.config/sops/age/keys.txt
 # Get Public Key
 age-keygen -y ~/.config/sops/age/keys.txt
 ssh-to-age -private-key -i ~/.ssh/id_ed25519 | age-keygen -y
 SOPS_AGE_KEY_FILE=<ADMIN_KEY> sops -d --extract '["lin-va-desktop"]["host"]' ./secrets/keys.yaml | ssh-to-age -private-key | age-keygen -y
 # Edit File
 # NOTE: You can specify key with - `SOPS_AGE_KEY_FILE=~/.config/sops/age/other.txt`
 sops secrets/lin-va-thinkpad/evanreichard/default.yaml
 ```
--- a/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix
+++ b/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix
@@ -21,11 +21,7 @@ in
      ssh-agent = enabled;
      fusuma = enabled;
      swww = enabled;
-      sops = {
+      sops = enabled;
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
      };
    };
    programs = {
--- a/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix
+++ b/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix
@@ -22,11 +22,7 @@ in
      fusuma = enabled;
      swww = enabled;
      poweralertd = enabled;
-      sops = {
+      sops = enabled;
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
      };
    };
    programs = {
--- a/homes/x86_64-linux/evanreichard@lin-va-utility/default.nix
+++ b/homes/x86_64-linux/evanreichard@lin-va-utility/default.nix
@@ -21,11 +21,7 @@ in
      ssh-agent = enabled;
      fusuma = enabled;
      swww = enabled;
-      sops = {
+      sops = enabled;
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
      };
    };
    programs = {
@@ -50,10 +46,6 @@ in
    };
  };
  # home.packages = with pkgs; [
  #   catppuccin-gtk
  # ];
  dconf = {
    settings = {
      "org/gnome/desktop/interface" = {
--- a/modules/darwin/security/sops/default.nix
+++ b/modules/darwin/security/sops/default.nix
@@ -1,31 +1,35 @@
-{ config, lib, namespace, ... }:
+{ config
 , lib
 , namespace
 , ...
 }:
 let
  inherit (lib) mkIf mkEnableOption types;
  inherit (lib.${namespace}) mkOpt;
  getFile = lib.snowfall.fs.get-file;
  user = config.users.users.${config.${namespace}.user.name};
  cfg = config.${namespace}.security.sops;
 in
 {
-  options.${namespace}.security.sops = {
+  options.${namespace}.security.sops = with types; {
-    enable = lib.mkEnableOption "sops";
+    enable = mkEnableOption "Enable sops";
-    defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
+    defaultSopsFile = mkOpt str "secrets/systems/${config.system.name}.yaml" "Default sops file.";
-    sshKeyPaths = mkOpt (with lib.types; listOf path) [
+    sshKeyPaths = mkOpt (listOf path) [ ] "Additional SSH key paths to use.";
      "/etc/ssh/ssh_host_ed25519_key"
    ] "SSH Key paths to use.";
  };
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
    sops = {
-      inherit (cfg) defaultSopsFile;
+      defaultSopsFile = getFile cfg.defaultSopsFile;
      age = {
-        inherit (cfg) sshKeyPaths;
+        keyFile = "${user.home}/.config/sops/age/keys.txt";
-
+        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths;
        keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
      };
    };
    sops.secrets.builder_ssh_key = {
-      sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+      sopsFile = getFile "secrets/common/systems.yaml";
    };
  };
 }
--- a/modules/home/programs/terminal/nvim/config/lua/llm-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/llm-config.lua
@@ -3,24 +3,29 @@ local llm_assistant_model = "devstral-small-2-instruct"
 local llm_infill_model = "qwen2.5-coder-3b-instruct"
 -- Default Llama - Toggle Llama & Copilot
-- vim.g.copilot_filetypes = { ["*"] = false }
+local current_fim = "llama"
-local current_mode = "copilot"
+local function switch_llm_fim_provider(switch_to)
-local function toggle_llm_fim_provider()
+	if switch_to == "llama" then
 	if current_mode == "llama" then
 		vim.g.copilot_filetypes = { ["*"] = true }
 		vim.cmd("Copilot enable")
 		vim.cmd("LlamaDisable")
 		current_mode = "copilot"
 		vim.notify("Copilot FIM enabled", vim.log.levels.INFO)
 	else
 		vim.g.copilot_filetypes = { ["*"] = true }
 		vim.cmd("Copilot disable")
 		vim.cmd("LlamaEnable")
-		current_mode = "llama"
+		current_fim = "llama"
 		vim.notify("Llama FIM enabled", vim.log.levels.INFO)
 	else
 		vim.g.copilot_filetypes = { ["*"] = true }
 		vim.cmd("Copilot enable")
 		vim.cmd("LlamaDisable")
 		current_fim = "copilot"
 		vim.notify("Copilot FIM enabled", vim.log.levels.INFO)
 	end
 end
 vim.api.nvim_create_autocmd("VimEnter", {
 	callback = function()
 		switch_llm_fim_provider(current_fim)
 	end,
 })
 -- Copilot Configuration
 vim.g.copilot_no_tab_map = true
@@ -75,7 +80,13 @@ codecompanion.setup({
 -- Create KeyMaps for Code Companion
 vim.keymap.set("n", "<leader>aa", codecompanion.actions, { desc = "Actions" })
-vim.keymap.set("n", "<leader>af", toggle_llm_fim_provider, { desc = "Toggle FIM (Llama / Copilot)" })
+vim.keymap.set("n", "<leader>af", function()
 	if current_fim == "llama" then
 		switch_llm_fim_provider("copilot")
 	else
 		switch_llm_fim_provider("llama")
 	end
 end, { desc = "Toggle FIM (Llama / Copilot)" })
 vim.keymap.set("n", "<leader>ao", function() require("snacks.terminal").toggle("opencode") end,
 	{ desc = "Toggle OpenCode" })
 vim.keymap.set("v", "<leader>ai", ":CodeCompanion<cr>", { desc = "Inline Prompt" })
--- a/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
@@ -134,7 +134,13 @@ setup_lsp("cssls", {
 setup_lsp("ts_ls", {
 	on_attach = on_attach_no_formatting,
 	cmd = { nix_vars.tsls, "--stdio" },
-	filetypes = { "typescript", "typescriptreact" },
+	filetypes = { "typescript", "typescriptreact", "javascript" },
 })
 -- ESLint LSP
 setup_lsp("eslint", {
 	on_attach = on_attach_no_formatting,
 	cmd = { nix_vars.vscls .. "/bin/vscode-eslint-language-server", "--stdio" },
 })
 -- C LSP Configuration
@@ -149,6 +155,11 @@ setup_lsp("lua_ls", {
 	filetypes = { "lua" },
 })
 -- Lua LSP Configuration
 setup_lsp("sqls", {
 	cmd = { nix_vars.sqls },
 })
 -- Nix LSP Configuration
 setup_lsp("nil_ls", {
 	filetypes = { "nix" },
@@ -205,44 +216,19 @@ setup_lsp("golangci_lint_ls", {
 ------------------------------------------------------
 local none_ls = require("null-ls")
 local eslintFiles = {
 	".eslintrc",
 	".eslintrc.js",
 	".eslintrc.cjs",
 	".eslintrc.yaml",
 	".eslintrc.yml",
 	".eslintrc.json",
 	"eslint.config.js",
 	"eslint.config.mjs",
 	"eslint.config.cjs",
 	"eslint.config.ts",
 	"eslint.config.mts",
 	"eslint.config.cts",
 }
 local has_eslint_in_parents = function(fname)
 	local root_file = require("lspconfig").util.insert_package_json(eslintFiles, "eslintConfig", fname)
 	return require("lspconfig").util.root_pattern(unpack(root_file))(fname)
 end
 none_ls.setup({
 	sources = {
-		-- Prettier Formatting
+		-- Formatting
 		none_ls.builtins.formatting.prettier,
 		none_ls.builtins.formatting.prettier.with({ filetypes = { "template" } }),
 		require("none-ls.diagnostics.eslint_d").with({
 			condition = function(utils)
 				return has_eslint_in_parents(vim.fn.getcwd())
 			end,
 		}),
 		none_ls.builtins.completion.spell,
 		none_ls.builtins.formatting.nixpkgs_fmt, -- TODO: nixd native LSP?
 		none_ls.builtins.diagnostics.sqlfluff,
 		none_ls.builtins.formatting.sqlfluff,
 		require("none-ls.formatting.autopep8").with({
 			filetypes = { "starlark", "python" },
 			extra_args = { "--max-line-length", "100" },
 		}),
 		-- Completion
 		none_ls.builtins.completion.spell,
 	},
 	on_attach = function(client, bufnr)
 		if client:supports_method("textDocument/formatting") then
--- a/modules/home/programs/terminal/nvim/default.nix
+++ b/modules/home/programs/terminal/nvim/default.nix
@@ -1,8 +1,9 @@
-{ pkgs
+{
-, lib
+  pkgs,
-, config
+  lib,
-, namespace
+  config,
-, ...
+  namespace,
  ...
 }:
 let
  inherit (lib) mkIf;
@@ -178,6 +179,7 @@ in
          sveltels = "${pkgs.nodePackages.svelte-language-server}/bin/svelteserver",
          tsls = "${pkgs.nodePackages.typescript-language-server}/bin/typescript-language-server",
          vscls = "${pkgs.nodePackages.vscode-langservers-extracted}",
          sqls = "${pkgs.sqls}/bin/sqls",
        }
        return nix_vars
      '';
--- a/modules/home/programs/terminal/opencode/config/agents/agent-creator.md
+++ b/modules/home/programs/terminal/opencode/config/agents/agent-creator.md
@@ -0,0 +1,65 @@
 ---
 description: Creates and configures new OpenCode agents based on requirements
 mode: subagent
 temperature: 0.3
 permission:
  write: allow
 ---
 You help users create custom OpenCode agents. When asked to create an agent:
 1. **Understand the need**: Ask clarifying questions about:
   - What tasks should this agent handle?
   - Should it be primary or subagent?
   - What tools does it need access to?
   - Any special permissions or restrictions?
   - Should it use a specific model?
 2. **Generate the config**: Create a markdown file in the appropriate location:
   - Global: `~/.config/opencode/agent/`
   - Project: `.opencode/agent/`
 3. **Available config options**:
   - `description` (required): Brief description of agent purpose
   - `mode`: "primary", "subagent", or "all" (defaults to "all")
   - `temperature`: 0.0-1.0 (lower = focused, higher = creative)
   - `maxSteps`: Limit agentic iterations
   - `disable`: Set to true to disable agent
   - `tools`: Control tool access (write, edit, bash, etc.)
   - `permission`: Set to "ask", "allow", or "deny" for edit/bash/webfetch
   - Additional provider-specific options pass through to the model
 4. **Tools configuration**:
   - Set individual tools: `write: true`, `bash: false`
   - Use wildcards: `mymcp_*: false`
   - Inherits from global config, agent config overrides
 5. **Permissions** (for edit, bash, webfetch):
   - `ask`: Prompt before running
   - `allow`: Run without approval
   - `deny`: Disable completely
   - Can set per-command for bash: `"git push": "ask"`
 6. **Keep it simple**: Start minimal, users can extend later.
 7. **Explain usage**: Tell them how to invoke with `@agent-name`.
 Example structure:
 ```markdown
 ---
 description: [one-line purpose]
 mode: subagent
 model: anthropic/claude-sonnet-4-20250514
 temperature: 0.2
 tools:
  write: false
  bash: false
 permission:
  edit: deny
 ---
 [Clear instructions for the agent's behavior]
 ```
 Be conversational. Ask questions before generating.
--- a/modules/home/programs/terminal/opencode/config/agents/architect.md
+++ b/modules/home/programs/terminal/opencode/config/agents/architect.md
@@ -0,0 +1,66 @@
 ---
 description: Discovers relevant code and builds a focused implementation plan with exact file references
 mode: subagent
 temperature: 0.4
 permission:
  "*": deny
  context7_*: allow
  glob: allow
  grep: allow
  list: allow
  lsp: allow
  read: allow
  todoread: allow
  todowrite: allow
 ---
 You analyze requirements and discover the relevant code context needed for implementation.
 **Your job:**
 1. Read through the codebase to understand what exists
 2. Identify specific files and line ranges relevant to the task
 3. Create a focused plan with exact references for the @developer agent
 4. Describe what needs to change and why
 **Deliver a compressed context map:**
 For each relevant file section, use this format:
 `path/file.py:10-25` - Current behavior. Needed change.
 Keep it to ONE sentence per part (what it does, what needs changing).
 **Example:**
 `auth.py:45-67` - Login function with basic validation. Add rate limiting using existing middleware pattern.
 `middleware/rate_limit.py:10-35` - Rate limiter for API endpoints. Reference this implementation.
 `config.py:78` - Rate limit config (5 req/min). Use these values.
 **Don't include:**
 - Full code snippets (developer will read the files)
 - Detailed explanations (just pointers)
 - Implementation details (that's developer's job)
 **Do include:**
 - Exact line ranges so developer reads only what's needed
 - Key constraints or patterns to follow
 - Dependencies between files
 **Examples of good references:**
 - "`auth.py:45-67` - login function, needs error handling"
 - "`db.py:12-30` - connection logic, check timeout handling"
 - "`api/routes.py:89` - endpoint definition to modify"
 - "`tests/test_auth.py:23-45` - existing tests to update"
 **Examples of good plans:**
 "Add rate limiting to login:
 - `auth.py:45-67` - Current login function with no rate limiting
 - `middleware/rate_limit.py:10-35` - Existing rate limiter for API
 - Need: Apply same pattern to login endpoint
 - Related: `config.py:78` - Rate limit settings"
 You're the context scout - provide precise pointers so @developer doesn't waste context searching.
--- a/modules/home/programs/terminal/opencode/config/agents/developer.md
+++ b/modules/home/programs/terminal/opencode/config/agents/developer.md
@@ -0,0 +1,76 @@
 ---
 description: Implements code based on plans and addresses review feedback
 mode: subagent
 temperature: 0.3
 permission:
  "*": deny
  bash: allow
  context7_*: allow
  edit: allow
  glob: allow
  grep: allow
  list: allow
  lsp: allow
  read: allow
  todoread: allow
  todowrite: allow
 ---
 You implement code. You are the only agent that modifies files.
 **DO NOT re-analyze or re-plan.** @architect already did discovery and planning. You execute.
 **When building from a plan:**
 - Start with the specific files and lines mentioned in the plan
 - Read incrementally if you need to understand:
  - Function/class definitions referenced in those lines
  - Import sources or dependencies
  - Related code that must be updated together
 - Stop reading once you understand what to change and how
 - Don't search the entire codebase or read files "just in case"
 - Trust the plan's pointers as your starting point
 **Example workflow:**
 1. Plan says: `auth.py:45-67` - Read lines 45-67
 2. See it calls `validate_user()` - Read that function definition
 3. Realize validate_user is imported from `utils.py` - Read that too
 4. Implement changes across both files
 5. Done
 **When addressing review feedback:**
 - **Critical findings** (security, logic errors): Must fix
 - **Regular findings** (quality, errors): Must fix
 - **Nits** (style, minor): Optional, use judgment
 **Your workflow:**
 1. Read the specific files mentioned in the plan
 2. Implement the changes described
 3. **When done, commit your work:**
   ```bash
   git add -A
   git commit -m "type: what you implemented"
   ```
   **Conventional commit types:**
   - `feat:` - New feature
   - `fix:` - Bug fix
   - `refactor:` - Code restructuring
   - `docs:` - Documentation only
   - `test:` - Adding/updating tests
   - `chore:` - Maintenance tasks
 4. Done
 **Do NOT:**
 - Re-read the entire codebase
 - Search for additional context
 - Second-guess the plan
 - Do your own discovery phase
 Be efficient. Trust @architect's context work. Just code.
--- a/modules/home/programs/terminal/opencode/config/agents/orchestrator.md
+++ b/modules/home/programs/terminal/opencode/config/agents/orchestrator.md
@@ -0,0 +1,46 @@
 ---
 description: Orchestrates features or bug fixes by delegating to subagents
 mode: primary
 temperature: 0.2
 maxSteps: 50
 permission:
  "*": deny
  task: allow
 ---
 You are a workflow orchestrator. You ONLY call subagents - you never analyze, plan, code, or review yourself. Your high level flow is @architect -> @developer -> @reviewer
 **Your subagents:**
 - **@architect** - Analyzes requirements and creates plans
 - **@developer** - Implements the plan from @architect
 - **@reviewer** - Reviews the implementation from @developer
 **Your workflow:**
 1. Call @architect with user requirements.
 2. Present the plan to the user for approval or changes.
 3. If the user requests changes:
   - Call @architect again with the feedback.
   - Repeat step 2.
 4. Once the plan is approved, call @developer with the full, unmodified plan.
 5. Call @reviewer with the @developer output.
 6. If the verdict is NEEDS_WORK:
   - Call @developer with the plan + review feedback.
 7. Repeat steps 5-6 until the implementation is APPROVED or APPROVED_WITH_NITS.
 8. Report completion to the user:
   - If APPROVED: "Implementation complete and approved."
   - If APPROVED_WITH_NITS: "Implementation complete. Optional improvements available: [list nits]. Address these? (yes/no)"
 9. If the user wants nits fixed:
   - Call @developer with the plan + nit list.
   - Call @reviewer one final time.
 10. Done.
 **Rules:**
 - Never do the work yourself - always delegate
 - Pass information between agents clearly, do not leave out context from the previous agent
 - On iteration 2+ of develop→review, always include both plan AND review feedback
 - Keep user informed of which agent is working
 - Nits are optional - don't require fixes
 - Stop when code is approved or only nits remain
--- a/modules/home/programs/terminal/opencode/config/agents/reviewer.md
+++ b/modules/home/programs/terminal/opencode/config/agents/reviewer.md
@@ -0,0 +1,68 @@
 ---
 description: Expert code reviewer providing structured feedback on implementations
 mode: subagent
 temperature: 0.2
 permission:
  "*": deny
  bash:
    "*": deny
    "git diff *": allow
    "git log *": allow
    "git show *": allow
    "git show": allow
    "git status *": allow
    "git status": allow
  glob: allow
  grep: allow
  list: allow
  lsp: allow
  read: allow
 ---
 You are an expert code reviewer. Review implementations and provide structured feedback.
 **Your process:**
 - Check for uncommitted changes first: `git status`
 - If there are uncommitted changes, respond:
  "ERROR: Found uncommitted changes. @developer must run `git add -A && git commit -m "type: description"` first."
 - Otherwise, review the latest commit with `git show`
 - Read full files for additional context only if needed
 - Focus on the actual changes made by @developer
 **You MUST start your response with a verdict line:**
 VERDICT: [APPROVED | NEEDS_WORK | APPROVED_WITH_NITS]
 **Then categorize all findings:**
 **Critical Findings** (must fix):
 - Security vulnerabilities
 - Logical errors
 - Data corruption risks
 - Breaking changes
 **Regular Findings** (should fix):
 - Code quality issues
 - Missing error handling
 - Performance problems
 - Maintainability concerns
 **Nits** (optional):
 - Style preferences
 - Minor optimizations
 - Documentation improvements
 - Naming suggestions
 **Verdict rules:**
 - NEEDS_WORK: Any critical or regular findings exist
 - APPROVED_WITH_NITS: Only nits remain
 - APPROVED: No findings at all
 If you list any critical or regular findings, your verdict MUST be NEEDS_WORK.
 Be thorough but fair. Don't bikeshed.
--- a/modules/home/programs/terminal/opencode/default.nix
+++ b/modules/home/programs/terminal/opencode/default.nix
@@ -14,63 +14,95 @@ in
  };
  config = mkIf cfg.enable {
    # Enable OpenCode
    programs.opencode = {
      enable = true;
      package = pkgs.reichard.opencode;
      enableMcpIntegration = true;
-      settings = {
+      agents = {
-        theme = "catppuccin";
+        orchestrator = ./config/agents/orchestrator.md;
-        model = "llama-swap/devstral-small-2-instruct";
+        architect = ./config/agents/architect.md;
-        permission = {
+        developer = ./config/agents/developer.md;
-          edit = "allow";
+        reviewer = ./config/agents/reviewer.md;
-          bash = "ask";
+        agent-creator = ./config/agents/agent-creator.md;
-          webfetch = "ask";
+      };
-          doom_loop = "ask";
+    };
-          external_directory = "ask";
+
-        };
+    # Define OpenCode Configuration
-        provider = {
+    sops = {
-          "llama-swap" = {
+      secrets.context7_apikey = {
-            npm = "@ai-sdk/openai-compatible";
+        sopsFile = lib.snowfall.fs.get-file "secrets/common/evanreichard.yaml";
-            options = {
+      };
-              baseURL = "https://llm-api.va.reichard.io/v1";
+      templates."opencode.json" = {
-            };
+        path = ".config/opencode/opencode.json";
-            models = {
+        content = builtins.toJSON {
-              nemotron-3-nano-30b-thinking = {
+          "$schema" = "https://opencode.ai/config.json";
-                name = "Nemotron 3 Nano (30B) - Thinking";
+          theme = "catppuccin";
          # model = "llama-swap/devstral-small-2-instruct";
          provider = {
            "llama-swap" = {
              npm = "@ai-sdk/openai-compatible";
              options = {
                baseURL = "https://llm-api.va.reichard.io/v1";
              };
-              gpt-oss-20b-thinking = {
+              models = {
-                name = "GPT OSS (20B)";
+                "hf:Qwen/Qwen3-Coder-480B-A35B-Instruct" = {
-              };
+                  name = "Qwen3 Coder (480B) Instruct";
-              devstral-small-2-instruct = {
+                };
-                name = "Devstral Small 2 (24B)";
+                "hf:zai-org/GLM-4.7" = {
-              };
+                  name = "GLM 4.7";
-              qwen3-coder-30b-instruct = {
+                };
-                name = "Qwen3 Coder (30B)";
+                "hf:MiniMaxAI/MiniMax-M2.1" = {
-              };
+                  name = "MiniMax M2.1";
-              qwen3-next-80b-instruct = {
+                };
-                name = "Qwen3 Next (80B) - Instruct";
+                devstral-small-2-instruct = {
-              };
+                  name = "Devstral Small 2 (24B)";
-              qwen3-30b-2507-thinking = {
+                };
-                name = "Qwen3 2507 (30B) Thinking";
+                qwen3-coder-30b-instruct = {
-              };
+                  name = "Qwen3 Coder (30B)";
-              qwen3-30b-2507-instruct = {
+                };
-                name = "Qwen3 2507 (30B) Instruct";
+                nemotron-3-nano-30b-thinking = {
-              };
+                  name = "Nemotron 3 Nano (30B) - Thinking";
-              qwen3-4b-2507-instruct = {
+                };
-                name = "Qwen3 2507 (4B) - Instruct";
+                gpt-oss-20b-thinking = {
                  name = "GPT OSS (20B)";
                };
                qwen3-next-80b-instruct = {
                  name = "Qwen3 Next (80B) - Instruct";
                };
                qwen3-30b-2507-thinking = {
                  name = "Qwen3 2507 (30B) Thinking";
                };
                qwen3-30b-2507-instruct = {
                  name = "Qwen3 2507 (30B) Instruct";
                };
                qwen3-4b-2507-instruct = {
                  name = "Qwen3 2507 (4B) - Instruct";
                };
              };
            };
          };
-        };
+          lsp = {
-        lsp = {
+            biome = {
-          starlark = {
+              disabled = true;
-            command = [
+            };
-              "${pkgs.pyright}/bin/pyright-langserver"
+            starlark = {
-              "--stdio"
+              command = [
-            ];
+                "${pkgs.pyright}/bin/pyright-langserver"
-            extensions = [
+                "--stdio"
-              ".star"
+              ];
-            ];
+              extensions = [ ".star" ];
            };
          };
          mcp = {
            context7 = {
              type = "remote";
              url = "https://mcp.context7.com/mcp";
              headers = {
                CONTEXT7_API_KEY = "${config.sops.placeholder.context7_apikey}";
              };
              enabled = true;
            };
          };
        };
      };
--- a/modules/home/services/sops/default.nix
+++ b/modules/home/services/sops/default.nix
@@ -1,15 +1,21 @@
-{ config, lib, namespace, pkgs, ... }:
+{ config
 , lib
 , namespace
 , pkgs
 , ...
 }:
 let
-  inherit (lib) mkIf types;
+  inherit (lib) mkIf mkEnableOption types;
  inherit (lib.${namespace}) mkOpt;
  getFile = lib.snowfall.fs.get-file;
  cfg = config.${namespace}.services.sops;
 in
 {
  options.${namespace}.services.sops = with types; {
-    enable = lib.mkEnableOption "sops";
+    enable = mkEnableOption "Enable sops";
-    defaultSopsFile = mkOpt path null "Default sops file.";
+    defaultSopsFile = mkOpt str "secrets/common/evanreichard.yaml" "Default sops file.";
-    sshKeyPaths = mkOpt (listOf path) [ ] "SSH Key paths to use.";
+    sshKeyPaths = mkOpt (listOf path) [ ] "Additional SSH key paths to use.";
  };
  config = mkIf cfg.enable {
@@ -20,11 +26,9 @@ in
    ];
    sops = {
-      inherit (cfg) defaultSopsFile;
+      defaultSopsFile = getFile cfg.defaultSopsFile;
      defaultSopsFormat = "yaml";
      age = {
        generateKey = true;
        keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths;
      };
--- a/modules/nixos/security/sops/default.nix
+++ b/modules/nixos/security/sops/default.nix
@@ -1,31 +1,39 @@
-{ config, lib, namespace, ... }:
+{ config
 , lib
 , namespace
 , ...
 }:
 let
  inherit (lib) mkIf mkEnableOption types;
  inherit (lib.${namespace}) mkOpt;
  getFile = lib.snowfall.fs.get-file;
  user = config.users.users.${config.${namespace}.user.name};
  cfg = config.${namespace}.security.sops;
 in
 {
-  options.${namespace}.security.sops = {
+  options.${namespace}.security.sops = with types; {
-    enable = lib.mkEnableOption "sops";
+    enable = mkEnableOption "Enable sops";
-    defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
+    defaultSopsFile = mkOpt str "secrets/systems/${config.system.name}.yaml" "Default sops file.";
-    sshKeyPaths = mkOpt (with lib.types; listOf path) [
+    sshKeyPaths = mkOpt (listOf path) [ ] "Additional SSH key paths to use.";
      # "/etc/ssh/ssh_host_ed25519_key"
    ] "SSH Key paths to use.";
  };
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
    sops = {
-      inherit (cfg) defaultSopsFile;
+      defaultSopsFile = getFile cfg.defaultSopsFile;
      age = {
-        inherit (cfg) sshKeyPaths;
+        keyFile = "${user.home}/.config/sops/age/keys.txt";
-
+        sshKeyPaths = [
-        keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
+          "/etc/ssh/ssh_host_ed25519_key"
          "${user.home}/.ssh/id_ed25519"
        ]
        ++ cfg.sshKeyPaths;
      };
    };
    sops.secrets.builder_ssh_key = {
-      sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+      sopsFile = getFile "secrets/common/systems.yaml";
    };
  };
 }
--- a/modules/nixos/services/llama-cpp/default.nix
+++ b/modules/nixos/services/llama-cpp/default.nix
@@ -1,123 +0,0 @@
 {
  config,
  pkgs,
  lib,
  namespace,
  ...
 }:
 let
  inherit (lib) types mkIf mkEnableOption;
  inherit (lib.${namespace}) mkOpt;
  cfg = config.${namespace}.services.llama-cpp;
  modelDir = "/models";
  availableModels = {
    "qwen2.5-coder-7b-q8_0.gguf" = {
      url = "https://huggingface.co/ggml-org/Qwen2.5-Coder-7B-Q8_0-GGUF/resolve/main/qwen2.5-coder-7b-q8_0.gguf?download=true";
      flag = "--fim-qwen-7b-default";
    };
    "qwen2.5-coder-3b-q8_0.gguf" = {
      url = "https://huggingface.co/ggml-org/Qwen2.5-Coder-3B-Q8_0-GGUF/resolve/main/qwen2.5-coder-3b-q8_0.gguf?download=true";
      flag = "--fim-qwen-3b-default";
    };
  };
 in
 {
  options.${namespace}.services.llama-cpp = with types; {
    enable = mkEnableOption "llama-cpp support";
    modelName = mkOpt str "qwen2.5-coder-3b-q8_0.gguf" "model to use";
  };
  config =
    let
      modelPath = "${modelDir}/${cfg.modelName}";
    in
    mkIf cfg.enable {
      assertions = [
        {
          assertion = availableModels ? ${cfg.modelName};
          message = "Invalid model '${cfg.modelName}'. Available models: ${lib.concatStringsSep ", " (lib.attrNames availableModels)}";
        }
      ];
      systemd.services = {
        # LLama Download Model
        download-model = {
          description = "Download Model";
          wantedBy = [ "multi-user.target" ];
          before = [ "llama-cpp.service" ];
          path = [
            pkgs.curl
            pkgs.coreutils
          ];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            User = "root";
            Group = "root";
          };
          script =
            let
              modelURL = availableModels.${cfg.modelName}.url;
            in
            ''
              set -euo pipefail
              if [ ! -f "${modelPath}" ]; then
                mkdir -p "${modelDir}"
                # Add -f flag to follow redirects and -L for location
                # Add --fail flag to exit with error on HTTP errors
                # Add -C - to resume interrupted downloads
                curl -f -L -C - \
                  -H "Accept: application/octet-stream" \
                  --retry 3 \
                  --retry-delay 5 \
                  --max-time 1800 \
                  "${modelURL}" \
                  -o "${modelPath}.tmp" && \
                mv "${modelPath}.tmp" "${modelPath}"
              fi
            '';
        };
        # Setup LLama API Service
        llama-cpp = {
          after = [ "download-model.service" ];
          requires = [ "download-model.service" ];
        };
      };
      services.llama-cpp = {
        enable = true;
        host = "0.0.0.0";
        port = 8012;
        openFirewall = true;
        model = "${modelPath}";
        package =
          (pkgs.llama-cpp.override {
            cudaSupport = true;
            blasSupport = true;
            rocmSupport = false;
            metalSupport = false;
          }).overrideAttrs
            (oldAttrs: {
              cmakeFlags = oldAttrs.cmakeFlags ++ [
                "-DGGML_CUDA_ENABLE_UNIFIED_MEMORY=1"
                "-DCMAKE_CUDA_ARCHITECTURES=61" # GTX-1070 / GTX-1080ti
                "-DGGML_NATIVE=ON"
                # Disable CPU Instructions - Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz
                # "-DLLAMA_FMA=OFF"
                # "-DLLAMA_AVX2=OFF"
                # "-DLLAMA_AVX512=OFF"
                # "-DGGML_FMA=OFF"
                # "-DGGML_AVX2=OFF"
                # "-DGGML_AVX512=OFF"
              ];
            });
        extraFlags = [ availableModels.${cfg.modelName}.flag ];
      };
    };
 }
--- a/modules/nixos/services/llama-swap/default.nix
+++ b/modules/nixos/services/llama-swap/default.nix
@@ -0,0 +1,507 @@
 { config
 , lib
 , pkgs
 , namespace
 , ...
 }:
 let
  inherit (lib) mkIf mkEnableOption;
  cfg = config.${namespace}.services.llama-swap;
  llama-swap = pkgs.reichard.llama-swap;
  llama-cpp = pkgs.reichard.llama-cpp;
  stable-diffusion-cpp = pkgs.reichard.stable-diffusion-cpp.override {
    cudaSupport = true;
  };
 in
 {
  options.${namespace}.services.llama-swap = {
    enable = mkEnableOption "enable llama-swap service";
  };
  config = mkIf cfg.enable {
    # Create User
    users.groups.llama-swap = { };
    users.users.llama-swap = {
      isSystemUser = true;
      group = "llama-swap";
    };
    # Create Service
    systemd.services.llama-swap = {
      description = "Model swapping for LLaMA C++ Server (or any local OpenAPI compatible server)";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "exec";
        ExecStart = "${lib.getExe llama-swap} --listen :8080 --config ${
          config.sops.templates."llama-swap.json".path
        }";
        Restart = "on-failure";
        RestartSec = 3;
        # for GPU acceleration
        PrivateDevices = false;
        # hardening
        User = "llama-swap";
        Group = "llama-swap";
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        NoNewPrivileges = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        MemoryDenyWriteExecute = true;
        LimitMEMLOCK = "infinity";
        LockPersonality = true;
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        SystemCallErrorNumber = "EPERM";
        ProtectProc = "invisible";
        ProtectHostname = true;
        ProcSubset = "pid";
      };
    };
    # Create Config
    sops = {
      secrets.synthetic_apikey = {
        sopsFile = lib.snowfall.fs.get-file "secrets/common/systems.yaml";
      };
      templates."llama-swap.json" = {
        owner = "llama-swap";
        group = "llama-swap";
        mode = "0400";
        content = builtins.toJSON {
          models = {
            # https://huggingface.co/unsloth/Devstral-Small-2-24B-Instruct-2512-GGUF/tree/main
            "devstral-small-2-instruct" = {
              name = "Devstral Small 2 (24B) - Instruct";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/Devstral/Devstral-Small-2-24B-Instruct-2512-UD-Q4_K_XL.gguf \
                  --chat-template-file /mnt/ssd/Models/Devstral/Devstral-Small-2-24B-Instruct-2512-UD-Q4_K_XL_template.jinja \
                  --temp 0.15 \
                  -c 98304 \
                  -ctk q8_0 \
                  -ctv q8_0 \
                  -fit off \
                  -dev CUDA0
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/mradermacher/gpt-oss-20b-heretic-v2-i1-GGUF/tree/main
            "gpt-oss-20b-thinking" = {
              name = "GPT OSS (20B) - Thinking";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/GPT-OSS/gpt-oss-20b-heretic-v2.i1-MXFP4_MOE.gguf \
                  -c 131072 \
                  --temp 1.0 \
                  --top-p 1.0 \
                  --top-k 40 \
                  -dev CUDA0
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/mradermacher/GPT-OSS-Cybersecurity-20B-Merged-i1-GGUF/tree/main
            "gpt-oss-csec-20b-thinking" = {
              name = "GPT OSS CSEC (20B) - Thinking";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/GPT-OSS/GPT-OSS-Cybersecurity-20B-Merged.i1-MXFP4_MOE.gguf \
                  -c 131072 \
                  --temp 1.0 \
                  --top-p 1.0 \
                  --top-k 40 \
                  -dev CUDA0
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Qwen3-Next-80B-A3B-Instruct-GGUF/tree/main
            "qwen3-next-80b-instruct" = {
              name = "Qwen3 Next (80B) - Instruct";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/Qwen3/Qwen3-Next-80B-A3B-Instruct-UD-Q2_K_XL.gguf \
                  -c 262144 \
                  --temp 0.7 \
                  --min-p 0.0 \
                  --top-p 0.8 \
                  --top-k 20 \
                  --repeat-penalty 1.05 \
                  -ctk q8_0 \
                  -ctv q8_0 \
                  -fit off
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Qwen3-30B-A3B-Instruct-2507-GGUF/tree/main
            "qwen3-30b-2507-instruct" = {
              name = "Qwen3 2507 (30B) - Instruct";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/Qwen3/Qwen3-30B-A3B-Instruct-2507-Q4_K_M.gguf \
                  -c 262144 \
                  --temp 0.7 \
                  --min-p 0.0 \
                  --top-p 0.8 \
                  --top-k 20 \
                  --repeat-penalty 1.05 \
                  -ctk q8_0 \
                  -ctv q8_0 \
                  -ts 70,30 \
                  -fit off
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Qwen3-Coder-30B-A3B-Instruct-GGUF/tree/main
            "qwen3-coder-30b-instruct" = {
              name = "Qwen3 Coder (30B) - Instruct";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/Qwen3/Qwen3-Coder-30B-A3B-Instruct-UD-Q6_K_XL.gguf \
                  -c 131072 \
                  --temp 0.7 \
                  --min-p 0.0 \
                  --top-p 0.8 \
                  --top-k 20 \
                  --repeat-penalty 1.05 \
                  -ctk q8_0 \
                  -ctv q8_0 \
                  -ts 70,30 \
                  -fit off
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Qwen3-30B-A3B-Thinking-2507-GGUF/tree/main
            "qwen3-30b-2507-thinking" = {
              name = "Qwen3 2507 (30B) - Thinking";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/Qwen3/Qwen3-30B-A3B-Thinking-2507-UD-Q4_K_XL.gguf \
                  -c 262144 \
                  --temp 0.7 \
                  --min-p 0.0 \
                  --top-p 0.8 \
                  --top-k 20 \
                  --repeat-penalty 1.05 \
                  -ctk q8_0 \
                  -ctv q8_0 \
                  -ts 70,30 \
                  -fit off
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Nemotron-3-Nano-30B-A3B-GGUF/tree/main
            "nemotron-3-nano-30b-thinking" = {
              name = "Nemotron 3 Nano (30B) - Thinking";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/Nemotron/Nemotron-3-Nano-30B-A3B-UD-Q4_K_XL.gguf \
                  -c 1048576 \
                  --temp 1.1 \
                  --top-p 0.95 \
                  -fit off
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Qwen3-VL-8B-Instruct-GGUF/tree/main
            "qwen3-8b-vision" = {
              name = "Qwen3 Vision (8B) - Thinking";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/Qwen3/Qwen3-VL-8B-Instruct-UD-Q4_K_XL.gguf \
                  --mmproj /mnt/ssd/Models/Qwen3/Qwen3-VL-8B-Instruct-UD-Q4_K_XL_mmproj-F16.gguf \
                  -c 65536 \
                  --temp 0.7 \
                  --min-p 0.0 \
                  --top-p 0.8 \
                  --top-k 20 \
                  -ctk q8_0 \
                  -ctv q8_0 \
                  -fit off \
                  -dev CUDA1
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Qwen2.5-Coder-7B-Instruct-128K-GGUF/tree/main
            "qwen2.5-coder-7b-instruct" = {
              name = "Qwen2.5 Coder (7B) - Instruct";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  -m /mnt/ssd/Models/Qwen2.5/Qwen2.5-Coder-7B-Instruct-Q8_0.gguf \
                  --fim-qwen-7b-default \
                  -c 131072 \
                  --port ''${PORT} \
                  -fit off \
                  -dev CUDA1
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Qwen2.5-Coder-3B-Instruct-128K-GGUF/tree/main
            "qwen2.5-coder-3b-instruct" = {
              name = "Qwen2.5 Coder (3B) - Instruct";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  -m /mnt/ssd/Models/Qwen2.5/Qwen2.5-Coder-3B-Instruct-Q8_0.gguf \
                  --fim-qwen-3b-default \
                  --port ''${PORT} \
                  -fit off \
                  -dev CUDA1
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Qwen3-4B-Instruct-2507-GGUF/tree/main
            "qwen3-4b-2507-instruct" = {
              name = "Qwen3 2507 (4B) - Instruct";
              cmd = ''
                ${llama-cpp}/bin/llama-server \
                  --port ''${PORT} \
                  -m /mnt/ssd/Models/Qwen3/Qwen3-4B-Instruct-2507-Q4_K_M.gguf \
                  -c 98304 \
                  -fit off \
                  -ctk q8_0 \
                  -ctv q8_0 \
                  -dev CUDA1
              '';
              metadata = {
                type = [ "text-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            "z-image-turbo" = {
              name = "Z-Image-Turbo";
              checkEndpoint = "/";
              cmd = ''
                ${stable-diffusion-cpp}/bin/sd-server \
                  --listen-port ''${PORT} \
                  --diffusion-fa \
                  --diffusion-model /mnt/ssd/StableDiffusion/ZImageTurbo/z-image-turbo-Q8_0.gguf \
                  --vae /mnt/ssd/StableDiffusion/ZImageTurbo/ae.safetensors \
                  --llm /mnt/ssd/Models/Qwen3/Qwen3-4B-Instruct-2507-Q4_K_M.gguf \
                  --cfg-scale 1.0 \
                  --steps 8 \
                  --rng cuda
              '';
              metadata = {
                type = [ "image-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            # https://huggingface.co/unsloth/Qwen-Image-Edit-2511-GGUF/tree/main
            "qwen-image-edit-2511" = {
              name = "Qwen Image Edit 2511";
              checkEndpoint = "/";
              cmd = ''
                ${stable-diffusion-cpp}/bin/sd-server \
                  --listen-port ''${PORT} \
                  --diffusion-fa \
                  --qwen-image-zero-cond-t \
                  --diffusion-model /mnt/ssd/StableDiffusion/QwenImage/qwen-image-edit-2511-Q5_K_M.gguf \
                  --vae /mnt/ssd/StableDiffusion/QwenImage/qwen_image_vae.safetensors \
                  --llm /mnt/ssd/Models/Qwen2.5/Qwen2.5-VL-7B-Instruct.Q4_K_M.gguf \
                  --lora-model-dir /mnt/ssd/StableDiffusion/QwenImage/Loras \
                  --cfg-scale 2.5 \
                  --sampling-method euler \
                  --flow-shift 3 \
                  --steps 20 \
                  --rng cuda
              '';
              metadata = {
                type = [
                  "image-edit"
                  "image-generation"
                ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            "qwen-image-2512" = {
              name = "Qwen Image 2512";
              checkEndpoint = "/";
              cmd = ''
                ${stable-diffusion-cpp}/bin/sd-server \
                  --listen-port ''${PORT} \
                  --diffusion-fa \
                  --diffusion-model /mnt/ssd/StableDiffusion/QwenImage/qwen-image-2512-Q5_K_M.gguf \
                  --vae /mnt/ssd/StableDiffusion/QwenImage/qwen_image_vae.safetensors \
                  --llm /mnt/ssd/Models/Qwen2.5/Qwen2.5-VL-7B-Instruct.Q4_K_M.gguf \
                  --lora-model-dir /mnt/ssd/StableDiffusion/QwenImage/Loras \
                  --cfg-scale 2.5 \
                  --sampling-method euler \
                  --flow-shift 3 \
                  --steps 20 \
                  --rng cuda
              '';
              metadata = {
                type = [ "image-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
            "chroma-radiance" = {
              name = "Chroma Radiance";
              checkEndpoint = "/";
              cmd = ''
                ${stable-diffusion-cpp}/bin/sd-server \
                  --listen-port ''${PORT} \
                  --diffusion-fa --chroma-disable-dit-mask \
                  --diffusion-model /mnt/ssd/StableDiffusion/Chroma/chroma_radiance_x0_q8.gguf \
                  --t5xxl /mnt/ssd/StableDiffusion/Chroma/t5xxl_fp16.safetensors \
                  --cfg-scale 4.0 \
                  --sampling-method euler \
                  --rng cuda
              '';
              metadata = {
                type = [ "image-generation" ];
              };
              env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
            };
          };
          groups = {
            shared = {
              swap = true;
              exclusive = false;
              members = [
                "nemotron-3-nano-30b-thinking"
                "qwen3-30b-2507-instruct"
                "qwen3-30b-2507-thinking"
                "qwen3-coder-30b-instruct"
                "qwen3-next-80b-instruct"
              ];
            };
            cuda0 = {
              swap = true;
              exclusive = false;
              members = [
                "devstral-small-2-instruct"
                "gpt-oss-20b-thinking"
                "gpt-oss-csec-20b-thinking"
              ];
            };
            cuda1 = {
              swap = true;
              exclusive = false;
              members = [
                "qwen2.5-coder-3b-instruct"
                "qwen2.5-coder-7b-instruct"
                "qwen3-4b-2507-instruct"
                "qwen3-8b-vision"
              ];
            };
          };
          peers = {
            synthetic = {
              proxy = "https://api.synthetic.new/openai/";
              apiKey = "${config.sops.placeholder.synthetic_apikey}";
              models = [
                "hf:deepseek-ai/DeepSeek-R1-0528"
                "hf:deepseek-ai/DeepSeek-V3"
                "hf:deepseek-ai/DeepSeek-V3-0324"
                "hf:deepseek-ai/DeepSeek-V3.1"
                "hf:deepseek-ai/DeepSeek-V3.1-Terminus"
                "hf:deepseek-ai/DeepSeek-V3.2"
                "hf:meta-llama/Llama-3.3-70B-Instruct"
                "hf:meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8"
                "hf:MiniMaxAI/MiniMax-M2"
                "hf:MiniMaxAI/MiniMax-M2.1"
                "hf:moonshotai/Kimi-K2-Instruct-0905"
                "hf:moonshotai/Kimi-K2-Thinking"
                "hf:openai/gpt-oss-120b"
                "hf:Qwen/Qwen3-235B-A22B-Instruct-2507"
                "hf:Qwen/Qwen3-235B-A22B-Thinking-2507"
                "hf:Qwen/Qwen3-Coder-480B-A35B-Instruct"
                "hf:Qwen/Qwen3-VL-235B-A22B-Instruct"
                "hf:zai-org/GLM-4.5"
                "hf:zai-org/GLM-4.6"
                "hf:zai-org/GLM-4.7"
              ];
            };
          };
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 8080 ];
  };
 }
--- a/modules/nixos/services/openssh/default.nix
+++ b/modules/nixos/services/openssh/default.nix
@@ -14,16 +14,11 @@ let
  cfg = config.${namespace}.services.openssh;
  globalKeys = [
-    # evanreichard@lin-va-mbp-personal
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY evanreichard@lin-va-mbp-personal"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV evanreichard@mac-va-mbp-personal"
-    # evanreichard@mac-va-mbp-personal
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz evanreichard@lin-va-thinkpad"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5e6Cty+7rX5BjIEHBTU6GnzfOxPJiHpSqin/BnsypO evanreichard@lin-va-terminal"
-    # evanreichard@lin-va-thinkpad
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARTNbl4lgQsp7SJEng7vprL0+ChC9e6iR7o/PiC4Jme evanreichard@mobile"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz"
    # evanreichard@lin-va-terminal
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5e6Cty+7rX5BjIEHBTU6GnzfOxPJiHpSqin/BnsypO"
    # evanreichard@mobile
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARTNbl4lgQsp7SJEng7vprL0+ChC9e6iR7o/PiC4Jme"
  ];
 in
 {
--- a/packages/opencode/default.nix
+++ b/packages/opencode/default.nix
@@ -13,12 +13,12 @@
 }:
 let
  pname = "opencode";
-  version = "1.1.4";
+  version = "1.1.12";
  src = fetchFromGitHub {
    owner = "anomalyco";
    repo = "opencode";
    tag = "v${version}";
-    hash = "sha256-i9IO9FSZ2Mw0tPqFxfQfSbejx04J1eJ0IYy5fa77O2Y=";
+    hash = "sha256-k6wRBtWFwyLWJ6R0el3dY/nBlg2t+XkTpsuEseLXp+E=";
  };
  node_modules = stdenvNoCC.mkDerivation {
@@ -75,7 +75,7 @@ let
    # NOTE: Required else we get errors that our fixed-output derivation references store paths
    dontFixup = true;
-    outputHash = "sha256-tea/pSuUOELsSSMdwi0mmG5GsFZpqR5MlyQvVUno7dM=";
+    outputHash = "sha256-vRIWQt02VljcoYG3mwJy8uCihSTB/OLypyw+vt8LuL8=";
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
  };
@@ -95,8 +95,8 @@ stdenvNoCC.mkDerivation (finalAttrs: {
  ];
  patches = [
-    # NOTE: Relax Bun version check to be a warning instead of an error
+    ./relax-bun-version-check.patch # NOTE: Relax Bun version check to be a warning instead of an error
-    ./relax-bun-version-check.patch
+    ./root_fix.patch # https://github.com/anomalyco/opencode/pull/7691
  ];
  configurePhase = ''
--- a/packages/opencode/root_fix.patch
+++ b/packages/opencode/root_fix.patch
@@ -0,0 +1,31 @@
 diff --git i/packages/opencode/src/lsp/server.ts w/packages/opencode/src/lsp/server.ts
 index 24da77edc..b94285ba8 100644
 --- a/packages/opencode/src/lsp/server.ts
 +++ b/packages/opencode/src/lsp/server.ts
@@ -94,7 +94,7 @@ export namespace LSPServer {
     ),
     extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".mts", ".cts"],
     async spawn(root) {
 -      const tsserver = await Bun.resolve("typescript/lib/tsserver.js", Instance.directory).catch(() => {})
 +      const tsserver = await Bun.resolve("typescript/lib/tsserver.js", root).catch(() => {})
       log.info("typescript server", { tsserver })
       if (!tsserver) return
       const proc = spawn(BunProc.which(), ["x", "typescript-language-server", "--stdio"], {
@@ -169,7 +169,7 @@ export namespace LSPServer {
     root: NearestRoot(["package-lock.json", "bun.lockb", "bun.lock", "pnpm-lock.yaml", "yarn.lock"]),
     extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".mts", ".cts", ".vue"],
     async spawn(root) {
 -      const eslint = await Bun.resolve("eslint", Instance.directory).catch(() => {})
 +      const eslint = await Bun.resolve("eslint", root).catch(() => {})
       if (!eslint) return
       log.info("spawning eslint server")
       const serverPath = path.join(Global.Path.bin, "vscode-eslint", "server", "out", "eslintServer.js")
@@ -1081,7 +1081,7 @@ export namespace LSPServer {
     extensions: [".astro"],
     root: NearestRoot(["package-lock.json", "bun.lockb", "bun.lock", "pnpm-lock.yaml", "yarn.lock"]),
     async spawn(root) {
 -      const tsserver = await Bun.resolve("typescript/lib/tsserver.js", Instance.directory).catch(() => {})
 +      const tsserver = await Bun.resolve("typescript/lib/tsserver.js", root).catch(() => {})
       if (!tsserver) {
         log.info("typescript not found, required for Astro language server")
         return
--- a/secrets/common/evanreichard.yaml
+++ b/secrets/common/evanreichard.yaml
@@ -0,0 +1,44 @@
 context7_apikey: ENC[AES256_GCM,data:K8/OoJMWBhN3ufmTa/tAiD3iMergDZQ1OBucUtLsrg+L26DXDPAko9D41w==,iv:/IVpaaPivUTn2rbIAPIwyN5nb7TmtDh05YlMdOlBkhE=,tag:0XJfoNlDelBwMXMAAqKjtQ==,type:str]
 rke2_kubeconfig: ENC[AES256_GCM,data:DLH4BNrQgkANalwz05S+zs7ak6G6hxJx/VqNyVxlBeVY3tvwVc5jxwva/WWEvy3Aoncf8V12XD6Tir8ste4j9OlFLYkb+yhHRTB+EavrmKWyZ/w7d2EKIMr/535DoZgfhFhlUqxLw6QR5lMFv6Md/vLDj/nj47cIGx302m5Lk10N/7Ltngvjx6GG1AZs8pQAKMhFuKJLzWL4xT5DcxcgfX5j50f8hOJ7DWIbLZfiFAi/ipUFo6GGjFgNpoLfpGJvw6LGw1t+Wr6f0NuWHwCNhR4Aj/Dff13XX6TW7o8sOXgN8RejNTnN4ntMBwA+eH3i9aQ3E2U3K3zgAGgERFrjg+c5p/y/sCWxNx+3v0Hkqj5WqF4k7PvGhG4S5eAJ85UpAlxtFBVO5LU0B7M9OH8K+ie+N/ZitJWBM0F2Pq2g8VKDcsJoEUotc3yoWCicjPH9Ohu55balf9L/xDrn+EfmmIGuHRT1GMwLiOVBolOO4tJF26sNuTONGJ5abrE6divNN3DPjZgPNNfX04wn4j5icT/omArwszpvw8zgtL+k2pA1aHRFoVqmT4sIgIJJrhXDCoG5f9/9q7gddVCfbXXhHV/GO0NKZnXRzIMF7ya2ntnLIBCBy3pIvhau1JJkMkKkEZT/pcExOMqAJzLoRc+oZz5TDhB5tE8H+AZD6tZJ2CsaIfRcKqo6QODcstpP+pSjg49t5DqJ/BkdlsQDBQyuSWz5JmGNMzp1jkwOajoS8qGu9jhQIQO/pj8RK859uRkm4fr4DmhPya13T+tILUf8+RN2ZyTn2+rdsDFD72CUm5WsOGg9plFAvWPArn0RLgMHMRb37Ggt3dCF7GESyQ1Owz3NBmrWVrCXB75FcIdCmCZG2OXP3yrYvihV4iLykq+myUZW+a5SnfLeZoB/gGCC2whcw+J3srQrFLlTfQ9eRYxSxsDCExTb6RmvZ6xYP22kSqtlQGrqmyBsHzpfVxZKL6h+kxZ16IMhXvkwjPUIsa8YysKXtrDLWW7U/sCbrYpfJU+cQ2zILtBBGLaaoeLAG/g2GNleEcLrUz9CS3ttf33GU3d2b1d83sAKMrB6fgma+wBsq1TC56m5G2aQs/Y5opqNIvWKWSSENXRRWmeLYJLBqvHiGtfL7kjGLli5cgcF0NuhK36AXrvoyAv+mfcgiNbWjLXOwlerHR1ByxKpYPO2CMmvVGlX4rQI74/UHfWX3MaagwXQLK/jQP7YjYHl1VivLy9ljfO1WOG0ruGmb6WJZhpuhTHB1cchiKSbxdZFP17mN+UxwuPtHAbQSxq0hL986bH1Jju4Dt4KkuAEqpHSrdHmRaT1Geovt7P3YsXh6eEAC7PHc0GhiaDCsacGMSzcqVYCFCbTg6PWx951jX7eLmh8KCBYObs0c7Wt4dLXaIYgH1nZgHt3CPkJ84O2O2UgssNjpeGz9HBXo20DwnUz/snKwKbUaMppRCPhag+zhkbBtH9SGq3GO0sXtAv4Imdm6nCfi+oBIvXw/91B82WuNUbAboU5kizOLGR4+vDAF6px5C7yfwVBaEQohkaKsQNDumpMDUFOO7gMNBHw3x5GD9+pG27bOIGcNTiaBhpFqbaaWcwyNMCmlSHqCEuOHEIeDJeRAgJXmVKp2bggTSoICIbY6Ar7ELNQ7IjRNJNxQKuoG42g1Wc054ScU+ClVkA5HYWfyrN8KSQaqUsucmqeAldR9PX7k1x8E4pi0C0fgtVumLam8uLx7d2s72ALh7EZ6uPC4Vuws/xtLlCrKtmIz37iXZQjOJ4pfHZCXzqJLrFW9vaYelK1RGt/dERvJqagjmVwQGSvP4o20KcqkCJlEtNvH4yKUKf9NbcGcaFvwhOdxew0BJDh8BN2VK7LBZcFquA5cYVOYLohBLPTw+RyWXCL7V2O6XThECOnOC+O1eKV8OAkTtSl6ywSDh9CxtWf43rmSz1SXEZlMIiGjG2YRVLaGf2gPpP9fbaNKH3GuXlfQAuplOyENWhIm5uIxg7ty2SFEHqHozjrOBPYgFN+Db96StcU6z9VDdNoEUEj/jyRlWBS+g60xze1Xu7vJ+cawvqBC5bXoK2Qx/b8JKQmlWt9A4W1dbUc+2Tqze1nsmG759o4r91aZllvDqN0IWmNQzNEYNi30pEqvrqWdRVno6r0Iwriwo9LfA1s84WU9RRpODBJLXZBPJ3iju0ejye1LqejgPn1fbgCvwLdJM/rFXTQQmup8ud6dHnVmGPcs1y+qIM47dev4g0KbeCbWLUAPhBjJk2WR2XYUSZOls3ZH4ITMkf+8cSap7JQC/j/aTiIkF4vTsh2aVJbyZWe1tdIz1IYcgQmcP50+DW/Lnx/YeBHBOPwrAMZlIiH7O017h74VBDLzIVNbamvVffZtO5NepWlwUz6zvU0Qvpqo37GFxs+EzgwkGAcyzOXU249bzGuD5K8GR4Tg+fAk+Hvvj5z6m93dmROC4HPX8Tr6qnCtlDX9LoKHPbF1V/KNLZ5fTgM3d2uqas2/EJfpRUKIHlP2jUAmHsj7j+KIYaItPkSe2lm+IBKSoIBmRE94ZSgQwdd6iqH630DBOvGcIGwmLGqRNLRT1+NwwIq9R3vdM/nh1Bk4oEKKkEFRtqldyEsqHa+21wNyUfDlb8B8VsE45Gn4tWaxBEAJf97iF+Csu6kK1h3GtBhkrK5aiH9gn5xnjWbXaqf9nYPZBC+WTVzPPDP3Q9yMAWoxqnbOKCHMjN0+it2ze66w2Hn6WWlt2SLvOKQkS4mp0Jb6AJy/8lxQN0m5ZpLALHOONBB5DLycjZ++4rGhex+ttDeb4R88AS8IlbirGWxge4Pkoxy58nLVRKbOPn6wtW5754bfUvwQco6igqgDrjsSWcQdCT+4g3hPJZJ3CXZ/XIR4MBr3kVgndnBBt6BgkdkB3UYifadG+E3WQhEkTP5tXzeqdVz9fqf0y+/AnAe3gJD7pJRAtulGEHMkhT5HpSHiBDaeVzIJiXL9J849AG/nCZHA5BaTx0xVq/K/WLMSJ9163AF6HgIpb6fF6BFD3eE/vV/xOJonUsvDebYButBPUHqKguNpjnNzoL4xN2Hp56qmo9RymxZrGOesOG4f8k6mvu+0+8C/lqn2kJpFYPlpRFrUuDdS5WBhUG9h/UG3HzY5IRqxPnRXNESbQJdKcSIpX73dTxg5y3vJTBIsZlSG3VpR0vRYfFvY4p+x4i27fE1d74BZcwNMKPsyeZC2YEGzgu3kdB42IGVyZcq6TkpjERLgt9YVAQDinmWSQsstQO+scOfzNY8o8iQdGspkwYFwW/AslZGwf4coxD4INNIAekfPk/utIcz/AOr1PEsz6gIS/U4Wg88ANaAp89ESNemjV4h3Op5pvmIna0KFX19QW777mSnkYWhT/Berm/FmQwziCAy0kUGIcjtjNhNQO7t0UjeHueZdiop25KoLkxBRQUp5vMCS2GSlvth5kkqeRUzawnU8dYyELJX+IbvNvjxx/1KkPbc/a5gIq5rSRTx1VPiPNBnwhqp++BRV1+vfeFVBV0+REY2jhsnbckAbeiLxaGo9V4s1dfS4i4u6A3iB/mbz6Lz4CL8fXFfik6233moOyB2NXsUGAzO8uXkjMgbrjK52ySrb/JZ4Dw5sJjoa0qCIR+a2ckD3ASFrrJVHafbkHTvJbG1uyP+rLqn4nz43UUfHDiKzYDkFT0VN8PPjnWYP5p3v/DYfbQYK2QBJyQVr33ssSlwEgH5HJIm7rAtf5nYA+Trsox+HU7/+/UwgVm1sF0hwEGxeeFaOirWEGdWpeq3MacvskjPyqtWZ+sPlYndo5setvFdCEIoeEv0QfLJzI30zTr8pcopwZLZS+TNrHqZWziDHPy+ssszghPANKWmziOKah+UJSU+xoQ2Z9Y4PTCZJFR9TCIhWYE4eXB+GJ5cH6b/mpI2THNN28cM,iv:rAkcmlrQuax2Khog8KOtoYcPC63Pv2X/NgM6aVGEmyQ=,tag:9wUJYjTF277eqrrvxOFS3w==,type:str]
 sops:
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQTZkSS9RVXdEOW8zeFdh
            UWVUS2Zac2FwTm5wd2tNbVp3RGpPT3ltWTNRCkduTzZ4bzI2ekI3b2JOam0rMmpF
            RWFsTW4xZWw4MnBsZFdMTWVXK1MrVjgKLS0tIHFDblJTbnJoeGhLNFRhZ1MrQWMx
            RjE2c2hGbWtubUlTUUZNenBOMUpaQUUKJuuITY+LTX5c4BIxJfHcJqDKRyEdwk4P
            yFvFB7WnxdJBODk3m+by6Y4HDUkd0GjvUDegazT2e7/jX9kGMlMAog==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRlB1UFhRWDNPVWZ5U05J
            aENEdXA2em4vV2ZPUDVJMTU1cU8yd3VxcmcwCmVPT0JDcE9jc1ZsQzdoeE0xQVUx
            SXBydmFPT3BOYXVMYmVVQzFkZUVacDAKLS0tIGZXZGZEaElJZ2NpTGdYR0o5ek5z
            UTIxQ2tiaUVDKzU0YVRqelVsb1NqcjAKoTULI81692/CS8kiIdnwDaNu6XBBchkS
            niK4hBgwTC7F8BtyoYbzdjTdP5DDMOTQYaQbcJRWlHv71e/Np75UVQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ejdFVHVabDlpdzl5cUw2
            N2UzSUV5VkVXdUZNRzkxQWRmWTZJLzVRM1JJCks5WVdVMEt6enp1a0xWajZUUi9G
            amFvckVueCs4ZFczTUZuRjlReHlkUmcKLS0tIGpvVE9ET0M3N0lyamc5bWxJZis2
            cGhQN3B4OUFGbXhMb2VwMFBBT0F4amcKlbWZbECEZFd5SOUemw7uCj9qSuYSPNTP
            kb8RyUTVSNOpfdVckBOfgjZq9G4CLH+Ypl+buwqyO/jrSEGjQjpDrg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1avlhszrryt4gf4ya536jhzm7qwt9xfttm8x4sns6h9w2tahzqp8sspz9y5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhWGhFWVFCcGZKQ2FRbDkz
            MVZTKzJZblcwM2ZBanJTOE4zNXpnWkx4RVNNCjNaQW9IcHJjaVdXK1Yrdm9zNUM0
            RVAwa0VGd3FkYkNCck1Ham5EZG9MTUkKLS0tIFF5WEJFS1VqTytFTGkxUEs5MUdW
            TmgrVUFoUFJsMFNTbE4rQmtKelhCWHcKsFxYaS2QABbyTplVAsACUveK2Q640tei
            YYR2d56OLzZQqfnqE+lpR29zVvT1Q6yq2LJmj1GamhJPBIdeclvMIg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-12T02:52:28Z"
    mac: ENC[AES256_GCM,data:CYI9KKsr2zCnuw0wqrQk2yuJ91t818Ww0iqGP5j7mWATCNmg7V+gPivRVry3riqH+yVQm+v4J6coUFQyyngqPfLfHT1XybKtHbCP+vBxyU9YJc5DjZb1gatiJHHSNSUKDgU5bHn1/0ND+yK5o2iE16spCqXkBnSkxjtG7IkqXpA=,iv:vA3tIMvWe94/6npAmSi1AGn6gltPjkkxhbQZPFyTvec=,tag:+7eXnqA/EuaFsQvoWOqTMg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/common/systems.yaml
+++ b/secrets/common/systems.yaml
@@ -0,0 +1,35 @@
 synthetic_apikey: ENC[AES256_GCM,data:hs/50QG6DHyoSc306NX8lo7Y26QkdgMsFRKcMRKMD7OmPIF5,iv:uYRgiqPZ30IECqYLH/4v1FwAX0ZzU32jUj5GO3R4Hxc=,tag:pvip34Jvg6Cma7nbksBZZQ==,type:str]
 builder_ssh_key: ENC[AES256_GCM,data:JFky9teEUjj1GqVt/wKMH+YD6CMj7AQZ/J4JzCvvm5NgMWkCHJ6ipryq5nwklRkfUcUo3SzMutORxDytLeugyZ1Z8UlBBp/S+BwWHrzr8BcAnvFDxiIYtpf6n1hlpTixKiP5Z6HM/JMIbfnHlzyN7Ggk21oVCv8m7MTH8U6MShEOm+SuVM65Ibf8yBWcOkb7IHNodMvJfhUnU67ymWqVeujzosqTAvEf8cWFzl+E1lRcjM+zJ25WlhEd98jBDaL5gFfgDpbMiW+/oT2Ibq2FZzgwM+0Ye4OMMQUVxfPhh64DZrnmfSYZlYjfsA84DdaFko//zvslz+qFTv95f6SVxk1JQoX666J7naASfwf+Vv3foplsFBJvi0SDhlLC/92m/w/El777wrKZuBxjXSB7M0WqSobb9QHP+/03ktetGbckyNj+jotEylR2vx6kwPtQyf+VcmIU0RrX/EUJxVL9HPF3va3Ot0v2dzYkGHDeVbH+5QbjTt40wSjO1RH5rXR6liOGNt+5LsDBXfkF1TxKJcxnuwtjWknCS4w9BqhzqZ4bV44=,iv:HVtYNFnMe9WPdcbYjfEhmU7Zqd23j7amv/HA+hO6Rao=,tag:ZA0YdBPy9m4r8JSUrY37PA==,type:str]
 sops:
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNzNQMlF1MGI2TkQxZFl1
            WGV2d3lVTVFRSmQwamx5eG9NRi92WWF4U0JrClF2SWdaNStwK1UraUF5Z2RpQ0dQ
            TGs4angrM1lrWkZzVm9EU2xoV1hieWcKLS0tIFVHN3hlVFFnSElpcTJvUDRwdVlU
            OVNDc0VpbDVmUmlwS3lHTlFBaGZ0UEkKMhxvuNH2lw2rn31G26u9ur8ShHRCZQHg
            PXPPBxMmbuoU4t5g1ongWqERG85YgOAOMO3werVw0Iw49AtQQzGE8w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mxjrvjxkn69kfn2np3wpd73g44fuhsgykw7l5ss9rx30em5jfp2scnrq32
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YTZUMUNUeElqbmFKanc2
            TklFbk8yTU93YUFTUW4vM3BwREgzditnSFMwCk1nNW1XWnBBWXBTb3k4enpwZlVQ
            bFVwNkNWOHZ3MTZUSjN4SWZYaDFzak0KLS0tIEtLYUhvNFVkOUp0QzVOei9XTm9C
            ZVNmVktSNDYxdGFvRUpmYnlJbGFHQTgKf7ovzPU3Vo84gwGTKU/SNCy+76WY88ve
            ZPkJ29D8BeaEwFCbNcDOygwiKGSFYV31a+2zYnTP4j5pf01d2it2eQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13gymlygyac9z2slecl53jp8spq7e8n4zkan86n0gmnm3nrj4muxqa5ullm
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c2dEWVRDbzYxeWkyRmdo
            RzdBcm9UbXE5Q01zeHRxMisxajlDMnMvZW5vCm9pMEVlU3pEUGpoNmFlRlV4OXJ4
            QXg5ZTZSVkMzcTlFc2cvNzVQR2ZwelEKLS0tIDhhQmtGYTZjcEZwMXJoMjdMNVFt
            aHc4a3UvZUFRNzRtQTc2NTloWE0zdkUKL5FRH7D8MlR8ofvIieFqIStwEXQUvu2w
            +/SHKsi3lt9/1Vkk/Jlm1aymglp3ZdGVzTS/cxpM43VDDx+E3HYOQQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-12T02:56:42Z"
    mac: ENC[AES256_GCM,data:R6s3ErVrw2nvRhkCdiaa6FCmIxBKZGQggQX5bYe1xmhIXuujsl9NZ9aqlzlS1XvVDICJEIbryfoEnOqSCrY/vAmdlKNfzakZqLZRrkfOZed6PWFWjk3SX6HmuMR9dQSQgLRlDZINZcKMNE0kuLL+mx4bo8lV84VoqMHGHtkwAJI=,iv:NCh3zDMEiYcrYxPxP5lfGWYwWLl1/yylq7+gTEHyWF4=,tag:t7MOwGHejUFotIBi7kfecw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@@ -1,22 +0,0 @@
 builder_ssh_key: ENC[AES256_GCM,data:7WoeR4Fc9FQrTHsujqlIm/b0ASJuLQcWUwIeMqQ4wk9WEFrwycnMyoxzPyZ2oxRqmUp0LY2DFWaByOAABhKRN6oQFFse8ol4KOr4EZkFR131bFy8WhJaJWq6VZo8gLv+1hHo1etLeoNl/fwBVixqrqBibEWWBtTSlvEE6PYFPV/BcW/LfFaabnhmRjIEL5hCqcQTlBqPq9jMt6ALWcj42mdzsbamRWbaN0/W5QkcKDPTIfALMdJ36VR38+slOkkmxPGJFUMhgL08SgOcnitSevvo+hq6xkGhXY8hnV1lk9nC9o8MXYURacPobqW88fx145ez8a+o2xSjm3E/+KoGfGsWSatqrKqTMfm6pJndvf5JeCTCMER2sCZCF620OJ2fZM6VS/XwMzQjLQICFGMCKZm8RQEKhPjyPVVbu5voa9KNxdWp7l40Ya86dty2oUR56CB8lHB32uWiZAMR9v8LytUkoOy/8LZpfbRVIHm7nnywNirnve+81egixUz9t+vgZ2u7vL2LzzApWUjcLa/1pFVTPwspYJDohMSGtpHtmAInN80=,iv:emhMHi7Htuy7quNbKPNb/TdqkuDeHbYym1ubEeDOfls=,tag:pJGBVr69QbT1FerG153gUA==,type:str]
 rke2_kubeconfig: ENC[AES256_GCM,data:ZfqWAsIcx2h/cyrfkcyQXrO+dzYF7JRkplj3Y9mm4oEiQKeG7xeYdtNAE112PdFfLcI00HQRaKbzrcNBbG1M+kUQZROUk47sr7AqpeRxJIob1ZoTgwN98gQ1W0ikPFYBUw4HIVxmY9wuNyqDk54LNwu47A3hMUmCLEv8sPkk8r7lhA9Vf3HTtTbQBK8VBa5059YJyEIpZjMMaXPZReIR6Gka9qsZ4d1F1B8VYu+fBH2ZIKtG1HMCXzl/RvjaCqtlrk5AptooSQ/upOMq6omHWfBf8oty/0o6yasxYldMawetUW55TOm12QlgdmbDkXqeMAai03N3tj8zMESOVEHVxRzjosVTq4u5DzPAMmLFAk5NYaPpd5c6jlM2Gk7pT9v+X+n+GGYW9xfYLURe1sSy/yWmLXhEhOzLXkyc1T3M1bHWqnXDXfU1bhXWVLKwNDmuS96YWHb1o+Qr+3HTUCPQa70M9Va18O+pERD0Yj/Jz1HxwyAHKClRs06Lo73gl3eY7lOGhnafRSyxR91oMXs+ijSfFk8CNEA/PxKPaXUoKpDLpM6+iPnEmnsAT/kV9IrqnevsIABtzWMR6XHQbRodPowsx2zlSgzJfLkVZ37dsZawALv1FN/XOtrW53Zt8BGK3dIwIM1tRy6nR+UKoN8mQ4KI43MNZ7A7CagCAkWbs3AserDqU+4VYIF/biLVA9q+tZZory7lLraLpByVa2Mi1/JFUW23PyW6fa9nVvBDonzs5M4N7p4/Yw9rdWBWC/1ZQIvSKbTIla+mtDKX6GTlEAsaoJOFc+F8fX8FxGEZtxoXENshoyAvsQSihUbdsKkjDQAIcZ0lHAUKLJyJZSWFRkQsl64MkvBJwGedsMq/zzU8K96iBojYLQspPq8Yp612nxQahRyxAXWFvYAfMmxMqhSbEYuJA62DSUA1KwILZx7yPfKZWXLQzGDnpGyFRuORP+ZjANGXo1eqAED4cHqwZCHTo6q6Zh9zN4Y4jrO/z4G16PwheAi/WTJswzdI83J9FAR3TrKAGyf3a5hR03BNVHBbO+I6dX/Rhwp0eIdR0MPVXJE+CshcTixQNKWK7SRmpDQemAQq3g6c4i5DWB9PUlipkry+pcQzsz1omPLGjf/2Mz2CAdvPnjCYfeTeFxz42s6VJHBBd5Sgg/7ONQTj6QpvFhpP2u8aWmgbPnV3n0phejq9Bpj1lEEEN5JZlU2Swj6t6rtFD5fAZUu3L5FRPg5xZhCV0zu4VXuaEflPdidK35b0jIiz22qpAkw+/0vh36u+kkUOabgpnt+I3CqeCilRuq6tIvtIx2AHFZ4Y9WdfXpjd/BEl2GY8VrxSWzpXS0YYWiNwypJx/J1zzmZZO6G7QcKSpIuoULM4uneBlaZurjXdVT8QzupUmX+CVyXHZUTXX3tM0rFnuDG3uGjOUM+67kS/zd3LJk8fnY1awU08gTOrs7qIDIzqEaEVxvK60XcBqc4dDYG+FTKEOEOi88WGIZH12gFy49epciPaTQMxcKbRftE9R1fZNdze1PwX2lrm891KTBD7YwFJkUin88Ype7bQNI4Djyca0TumZjYKok1AoSzjLTJGYOmiZg9wYyN+6m/FrdM0krgUQzvErtfSFryX4XaLbpPJnpRcdzoiNzwwuVYMLn5mBhj4m08gjiiHQlVlSMSJxpXi6GdXqrMCDudDHyPX5LHh21e2wajZ59p1Y42Gew1dOOP+M/5/0PrwDvqKhUWgAp2q8PzQuQ+ZyCq63jVpTI0/BskiD1iQBwQFDN2A32V9xymnkuS1pKn9xnosNMWVR3R9l6sLQDxH6vJcCEqWvCmxg8n5nfPtgx0E+clmmFFHVQ/xmXbe1lKS1o/M5dLHDG3CdrUpSEf8IC7/qkhaG8d3EmKGFskwJcbpPSzCJfMLS1JuYGJL/m7jqSI5JJ+KzTlPQCjubW74+EEvScTIaQP7e+RtE60LbgkwLprIEfCao3I+P0W4YgqLfE/xF4NQ3qVy3vrXOVGJSR4e0R3rI9RiuHmYoduldqtLr8rhqVqbU33q9s1ifL/62Rh2ZnXcnP4w75eH1EtunucZ2ml9QwHbpG0liKrthvPlmUNVsOhWdwlUfHrCUs8sgLNwW98mgG+7Kva4edejNmaEq/43TtN/RBmrNanB0Dp2SIeEbYRFfLqWGCtIRJpeJF227ggJXxt3fZnCW1eiEihDLKfc3hz+7zo/QlkBkbbj9D1BRURieH7DCr8cvymKa1QL9nRl0aJzWvMg//Q8/nMA23qBays34s4EUrcDin6AnUZIu63eAvxtcesPDTVq31+NatLmty21VG3mk7s7yw1dDwJncCXQ6zYp+SOC90xMFUR++FYcpX6qFiRGk7qNln9hnllwu1SqQYgV/w9MmD6GYLk+/xCUWK3kbCjWZ0Nhxkk+A3snUealYeeK75fZfL8TlAkgKqpRL1KlY3jrDe2rgzQyrHb7AoLukf2RJcXwu3GBP9PLQjJSSJw3vEHltCDnt7YR2KRA5NvJw429brs/4RvkBlX2a593swY63YthWinhCs6I3kgiDVaycpiQit4HCwMATAnhkzD590QLgf/am+7vcQlxl1MCtG6V+mBSIDQw17kxfrq/P18MyKixtREI/TW2lT127JvMlH3Te3f5KDQNyWc5oUP8bsfvxpZ6nO6xrUY1pZ+1eCsapkNalLH5x4yk3viGHiWS7ow44jjaCDraL/YCvGN+7SHjDBIWRpt+/ncrjezxWJa2yN29y+JrJgRxHYmfmZVMHxPGZ9aexCRHxnTVgwlT577VTDltqYi9CC0kQmTPt3CZzSiOP8ht4gwHNuNjNus8qGT9w7nYd81ViCYV/VpMRKmq9cR3rY75U6BU8QO74hFTfDigmGBPxXwGuhWZEWMbmK1Xl867xybVj9UTHhdbgnhta0J9RXm29A9YL3RMdL/DDZNQGq2eMK4CDq2l9X7UdPqbJphXfCv1AmCdufdvzEAq8kVEw5+RQxEOVV0g84G8bH5dOKfOwr7b9Bogtg37+j5pLPJzcoRKl3NynlWMGZVcnkEgRqmzFreXAYIyScE16rIzeEHdL5ngvm9EcPQfAWz6CvylrK7Bl91pJonNYprSqHUO0F4K4/kscm4j90kD5wpGOcrwke2+OI3oqez7QPmfzKnYoSrtcXqbt9lnluqobdYsCHY6mUjn4utROUD+g7gW5yYkxC7R1ySvvt5t63rOX6QH4UP9Uz7dCpo831vMHQ8Am+VFNbLXirq6/2P4TKTnScSQh/OnJ8Sx0/zxbPAb3jwzmx/eFAd+eazL0hCGTnh/D0WxcqfxTItOllsKUGX+md2VAoJQLra07gMJlh1tuDk2+ZXjvOsoGOMAzswpKPLf6TVe5Yi4eEosDM8ZFkVSngF3qx4TB2NcuKl739qUvLf0eL461y7+doJcdC+sl19scJjlEBFmEU9YNoJ8T0m9nT5UIi7l0tuek2i9SpzQRjHym1Y12JsiYoTR83mTBMR33hChE9aMc0FBkNesVJ9SBWOtLsd1i/UxUyZIk/C8shVGPmYplT9QOO/RqwJtvTeOkhrEWQq9zRoGqKQJs+j6VatHOdqVweX4/0icBN5QamXwgH61c7RbT79MDCZHvHSKkAe+eNVw7y6+0ZgCxtiIbo3RJwdRGqy6XHGnRfzRbzjO9H26gBmWX+Z7ZfeHLghen/tOW/qEh+uT1TR+O71GnhOgd1QQh84vyE2U+lAzneHI2gVG8EzA8Ho/UGiXJALQPElkJzR3GXDXVAHAw8Q6wCjLnxpmpkJZEJiJ9uDktKkNdF5uM6oEfQbxpP8uWJQnK4sCaZOTBsqEzyBm+KUXOpt0PbGFmb+gfPHIpO6rNGdWJ/C9F63ZbWhMXfONuLCjMis86lLJimwYH9G0PQWrmh7ENuZB3/giYbVqUjD3yP44axfw,iv:zfbeDFKb3hHQFi9wEuDj8XRqTLhc+2AnJU1roGJVZkU=,tag:mwNz9UCO6lCDK5hMWNLfNw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SnA3M2F0cXZjOGlFSTJw
            aE9BNGJsQ1JzelFoQk4yMGlpN2dkVUR4ZUNvCmljSDhsVU4rUnowV2dIdlhZYnMy
            aXo2OGZRd21PYk81ZE9pV05XSmpVOEEKLS0tIGhGNkVmTnVYRENEYlBxZXJTaExt
            SC91WFNocEN2K1NFK2dBUHYwZTQrVFkKKb3AlaRX96vJwEmxNNAThTlO9ZwtD1tv
            c6aBELEbmJFdHOcIJITzmS3YOssDOgTL2TbcSFu8mdAQYsRvxC96HA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-09T00:53:28Z"
    mac: ENC[AES256_GCM,data:NKv91i8Ms4TfbU0t9td4QoGD+9d9KYGQ9Mu1QlFdCc4AjMfRCcUCrvb9SVMF5JbYa8oZAH4Qp9FEJ5fFmgoTNrewspLUMpyjUYRgARYQWiHYhZjE/uTNhFo2FxXYLWsAlQjEJ8abbwUyr2y6NsK2tcQcOBDIWUssb4XqajNcylE=,iv:gvwQZB20JR4bKfMMR6sYjTnf3CNiOjcd8T30s2drKwY=,tag:mF9etyVyPVw5YblI8VdtTw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/secrets/keys.yaml
+++ b/secrets/keys.yaml
@@ -0,0 +1,27 @@
 lin-va-mbp-personal:
    user: ENC[AES256_GCM,data:sdEzYZW5HYS7gLM13JeJfBqdQR3+ITPwYWT0KNaqxmtv8uSwMFWrL2LFCOxvH+5aVcy2prc65uhb5i7tSR1awM/OnHfuW348MGft8m1FKzW4fC0J4gZLyX8v9jG7kTQCap6XnWhL6ebimW7z6omFlGZgWvVZlA76rXXYx1B1Q5YBrHg8Dy227bIpUGDSAMuHE2KDaORGcUi2TK7k9JZKeY+9EMtVZqGYZqfIlG55Ov65GYETjGotvUx59si9fNgQ3e1ENl1PyqPOqQiz5kFZcloBarzt6u0MkJtIunCbia/PXabsL/C8M0F3iycVT8O2Y3nHCk0WyCeb6WEhguwO0ODA/JxfAlOihgeAp1DCzs79JE+kquXvO0UtnFdlnuJqDXQwenUVIsOx7rUmqMRMGl0kwoLZ0T6sW0iXPkixBa2sRJIRtS09HFPuo/azFskeGJ8NQcE1s8CAYI4LhOiXldCrVfPqFNrKlS0l26gMBAeACkGtGCYo/Sw7QXEYSs/Wc+h9Hf0RLjWTpb4mkCKHBgZYVTnqMdY03rZZ,iv:F5n/cfEyq9MHJ9BHznPYh1edgIG8z2iXtZAfwrqlEBc=,tag:iX7iczPwdV8vku7ODze5pQ==,type:str]
 mac-va-mbp-personal:
    user: ENC[AES256_GCM,data:SqN4GK3UYe2EqBtW8pckko3Z5pB+J9yKUiV5EUpB9DTnk0qpufUMM5xdcUPXu5kLLRfrpOHVLU3iKNfXuNrbvgAD/Ex59fvIFMyFcvMOCW7DxAv20GouDsYsm4r/IJ3a5kooo4UolA8O8gPH8ABRdfiBc8qSoUiyNZuCB1s2ap7GVklHzUqsfpAvknhjZJdgNnBKyZd93qkj0sdHLqzrzde462OnTj9r5qPX0wmC51rrUBO9XyWEXcvXhXJf6vStHhVUSayGGn9XxD3opmHeUjdurnV4GtnJQS786oSagcbl0LaqgfLB1xvCc3M0jx5Z8TtHR48TztEXGBXyBfV+qv/hDe+FAydAL7ZITjpYjj1C00CHkMfQdSYyjj8ux9xCfWAq4oeKS+JNlEYiNKE0Q5lQeDrhOT5df9j9tUK3H0I65EEMkV9BMvK+CLnM7Rn5CXhz02wqEryJOmv/LkmU9aUUtmMZdSpKGdd/XSBiD5RpEISkxHipmlXwusha1uLjn6boDCIAQBlfopGqZRkEBJP5/yVJsyHwqlHLnaoWeoM4HENsOD+YUiColHnnSK8x,iv:+OQ0qKDIypVw/gVZW6RqqA76dq95R75ugN+PtTgq+T0=,tag:FmIIl2HHqYAdmfoXizKfXA==,type:str]
 lin-va-thinkpad:
    host: ENC[AES256_GCM,data:4gZHNXP+rzezfL8UATeAJRyFZsoE24BJ4cWzhYBbgm7VCpQn4tLwFNAtOyLNhOa/zwbbQaysLWbRNt34dw0VKoUiYkZ/YOD1w6j8lZl9U0Yl2O16iw1+uXrCqxax7skDgeF3vKJCQQa3KM/sX13TQ57MKcjEVwGapm/5rQ9h43fhWp3+923fcX6TWtLzJL0sxxnplPkqIPTJVn72VQDOsm1R4+UkY+AxczvsQzuvOpbKWNRjeTc9k0QEe0PsN7SijR8MsT1urrAKPaRJj2DQ0LGpO+6lBLSJN06o6lkOw/k3U7+vRZ4PSX+VexTnsPAis2Zy2JJktO7sZ5bc6kfOu3/hcHAbGFxbB3zueBMmW+LBd7sBdNDBfbFcieCpHpVUmeZNvmHCLhJjUkA/Ob8G6iHstSOMFenGQPb2IT64XwUSFF5RKHZ3JdDhv942Ha6l+ZRCW3rWd+u1WVo40uLSJmGqXCPUyYPi5Jzm0aZy2o0eDi6uCfDPSNhQgRa7+YLXJqXPnft/TJx/tc9Rb628t9oI5C1AOLGCBO6T,iv:eMAeHReoTLXkRbermeZ+2zOh/9dv1F0mqXU703+w/8g=,tag:oN0JjnkY3bt82LPBfdoYBQ==,type:str]
    user: ENC[AES256_GCM,data:qaRODwwBXyeCLv3CaCwK7M4n6OSakAqV6/sHnZJLUEhVjrY5R1omjQqHbG2VgBt+McCgvXElGhTZVxnadbGxv+0vhMcnmT1A8VdAovsD7SkLdUY5sPwAkzJCzD1XMA8e1EN/cvJBd48xFmQAHJReKV9SFNugj+Az3ZLqlyRa27BFet5uyOzBokMiYL34nbI+voP0xWNqVOmhexbz77UfGDr/JArdXEJNw5ITxlEpuKMDDcB3xPdoU3aRuZgg0HMH2q1ppeSPPE6PWpgmult6a90Fm320RnCTbSK3eASXh0ciqS6HGc4ej1W0Fy+ZeXhJlqoeash5GH6IMJgAfkW2i79gdd64BIWSKp7XtONFWKIzTSateMwLWYzPPuKSyaqRK0bsdsDCqE7LLyO5C/LCKog2Qnkb+7czYQRGMhnRQDfN/lK1xrbUaLbZPqHLDVG51IjI5c1k6DedjLiCaUrsGxFmqAtytFUQH08fTdT1iJr3cGzJzukXyi9MDQk/Y8mVLbpoVuyyNXPFGNoHSla5l5Ru1ijGuaQ2IuFfjRSaMQ/848g=,iv:1HjULpLbqPUefFiFd7TNT6VFv0pu43RDFC/cD4u+ZBU=,tag:mqiW2GEjDiwnT6bMUosQpg==,type:str]
 lin-va-terminal:
    user: ENC[AES256_GCM,data:CkE7Kef23kJpWdZMVlMuFM7FPSm/OGU/ye+BHP1kuRnaEFFPWCPeK8wxAqiXg5MyL7cpq2gGHj9OrvqLeceG76PZk2EmrUy+bx6FtETYwINxr7dhXIbqLdloFjmrqWF2SPbn3SyQBb2PSMl5vzg1zdKAHwoo+jyb2AE3plkAiPi7U/RTh9nTBgdzM8jAOpvQJ1+ezaLK+t4YcS9uZ017jacXjVsqZnUYaYvov3UWJDd8fGmIurb1LKo7sTgoZX0PVA6GsAwpzNJmSLZTCMRDEP5AQKe/Sz5HyKSeXDNykMLw5oG1pC9uWDbdMa9k4NW/PonZ/PwkbSStunbT9HSFlCq1ZheZQvI6IQ9irE5nZYGvjHDnibJv3+x7pfpayJFqdjG+fFwdjXP+Knn163MXdx9SqWtOjFhgULomS7fCLkx64EzjNPRqG84O67PP/YUFu7D58uTJ4GGndeM/e2rRZZ5t+6RxTlSATCGLyMvRLQCuuLMBDwlCo5VI8mWGWi91WDVNWjsHqmMpk0ASCwY6zDhLQPxdbkzcLBlG4LxGS124/Sw=,iv:mpkVnd/w1vAj/LpxppzgVOVNgq851bXqaSKz7wff1Q4=,tag:43OhgDHYAlrRO29fecMrrQ==,type:str]
 lin-va-desktop:
    host: ENC[AES256_GCM,data:4/t4s27KqqYGqogZVcGVjOSujiIzR9UUFz6b9FGfFFFCjz/tE69QvcMiDMde2zXLdjr85mClzRkhj5/RYb+QrdJFIcp+KnvjNuu8khdUVqRJwahyBc4XpKpRcKZX6qr9lKHQHnZjD/sbgn+Wx7Sm+dCxpnlArwGcxYTWOBCJ6KDoIYBd7AwyOZY9zsLJUm2AJyytcnE7cjeca0uXFO8CckRxlkKhBo+Q36kLwvchXne6idDRiqNep1J+4+NsiHW4Z/P1pOqm0YT96Qxd16k7OkonY7gt+ujjZLMvYVb5u0HDd6bc9uNEy+oxRTuxLNS9+1Gyz8bWgvDY2+E6MUZmefSJ6DM6USIJ3hS2oaiUF7MiDRzmSi5bolnFK2pfhRyQuozgPy5D684cvQrVzVZSuP5vwg+0HRmqsYxY+bMWoWwVqFWR9kRTxhzTCuOOLaoY9vPejTJLUlea1o/+NQZoo27Sb/kSRAc2cQDwBoFzqprhvE7sygkUYORd3utSH9B+EogLrBh85BXQmVv03x+6EQxuHKKxYB8LlpcM,iv:LtKNN1cRXap9LJvBMD9fHHXrScfmMOklCBQBbPEzs64=,tag:WsqCUGlyTlHOMvwfOGxAhw==,type:str]
    user: ENC[AES256_GCM,data:PqCBjNQ6ACH6qKXhjjzP0QKDXdk7jR8DnvCFrz1RH7+jRMSq30lFSPB62j/TgDx3PXevkNItuT9smyWHjB0eOVS0Ms4R6y3FYITIoY5PaNfGwYIxawpLr3BtFmkS+TLxTKf3WAikejwFTGeR8pl/clDsOlJuSDwGwR+1GghDhanxD+v+J9AizaK0/F88DknA694W+T3Ty2e8tqShV5e6VT2So9tJl78Q+duH458rL9WVMz8NhUW9KlBNYCYXZfRQbkZZojbPK0W70ne1BqNvbGPZXnWNfQQQodd9sQ7uCnyIL1o92uZoAQKAQTmD/fV6PWkLD2JgQD51MxZPBr4KziXgBiqE2xqg6Wtsi8FZMFMWgp+MnmWuNSMhFK5UOwb3894lbltAq0nX5OiYkZVBLKxQeU23fASxbJipzNKtaeP10Nf029GkWIq/zq5sThqmg/O97qse8YJJclMPvOqnO2mQsjktZk7PeJVi3ONnCkxACwk6CQsuzAu3ce+Jddz+lb57q4WFzzj1752vjDY5keacNhSyaalE4YXF7oY6xjy/T6A=,iv:KnZ+3H7tbz47eGZ/R5AFmk9zYHng7ghUozyd/p3Wl8k=,tag:BMXlLI04JAhaLMkmuEC7pQ==,type:str]
 sops:
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcXhLbmU0czdSbDJUR3My
            engxSCtaL2Q3TUtwK1gvWlVPN2d2bVg5QlJjCmpjMWo5cEU0ZWpWTVlNczF3alFL
            U3QwdXFUTnM1Z3oxSkVEK2JmdUNqQ0UKLS0tIGF3U09rMmRPdmdRZ0dwdDVtZGZS
            bFIvV0QxbjZaSTZEVHhWVm9aaFQzZkEKCpWTU3EB4/eeW0X1U8e0XvZqCRri2LOX
            yEhVxm3WUF2eQvuEonkso9I/A1fV5OjE2RgldCnqzwW0U7kBtbrc8w==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-12T03:17:42Z"
    mac: ENC[AES256_GCM,data:Ld7+F9dIQTfFuJt7wc3XWXqw4hcojCz8xeKpNoBXrsLfQSjMR+JpHfzWUHgVtnGUTLIpx2d7MQEq5gs+OtYysxuFacX3HrcPVWbDVxDPgG6XryvFAJ/VOUpKC8zoHQcD9uTzd4oibT0rCMUHjmuO6Hz7fGFIjX/devKhRCzRmYk=,iv:HGeyk/EcC2DIb27w/8hBsbGsJ3GueENYg1kokPsGWq4=,tag:Z9orAdD3tiTAzO3WLS7DeQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/secrets/lin-va-mbp-personal/evanreichard/default.yaml
+++ b/secrets/lin-va-mbp-personal/evanreichard/default.yaml
@@ -1,21 +0,0 @@
 rke2_kubeconfig: ENC[AES256_GCM,data:ZfqWAsIcx2h/cyrfkcyQXrO+dzYF7JRkplj3Y9mm4oEiQKeG7xeYdtNAE112PdFfLcI00HQRaKbzrcNBbG1M+kUQZROUk47sr7AqpeRxJIob1ZoTgwN98gQ1W0ikPFYBUw4HIVxmY9wuNyqDk54LNwu47A3hMUmCLEv8sPkk8r7lhA9Vf3HTtTbQBK8VBa5059YJyEIpZjMMaXPZReIR6Gka9qsZ4d1F1B8VYu+fBH2ZIKtG1HMCXzl/RvjaCqtlrk5AptooSQ/upOMq6omHWfBf8oty/0o6yasxYldMawetUW55TOm12QlgdmbDkXqeMAai03N3tj8zMESOVEHVxRzjosVTq4u5DzPAMmLFAk5NYaPpd5c6jlM2Gk7pT9v+X+n+GGYW9xfYLURe1sSy/yWmLXhEhOzLXkyc1T3M1bHWqnXDXfU1bhXWVLKwNDmuS96YWHb1o+Qr+3HTUCPQa70M9Va18O+pERD0Yj/Jz1HxwyAHKClRs06Lo73gl3eY7lOGhnafRSyxR91oMXs+ijSfFk8CNEA/PxKPaXUoKpDLpM6+iPnEmnsAT/kV9IrqnevsIABtzWMR6XHQbRodPowsx2zlSgzJfLkVZ37dsZawALv1FN/XOtrW53Zt8BGK3dIwIM1tRy6nR+UKoN8mQ4KI43MNZ7A7CagCAkWbs3AserDqU+4VYIF/biLVA9q+tZZory7lLraLpByVa2Mi1/JFUW23PyW6fa9nVvBDonzs5M4N7p4/Yw9rdWBWC/1ZQIvSKbTIla+mtDKX6GTlEAsaoJOFc+F8fX8FxGEZtxoXENshoyAvsQSihUbdsKkjDQAIcZ0lHAUKLJyJZSWFRkQsl64MkvBJwGedsMq/zzU8K96iBojYLQspPq8Yp612nxQahRyxAXWFvYAfMmxMqhSbEYuJA62DSUA1KwILZx7yPfKZWXLQzGDnpGyFRuORP+ZjANGXo1eqAED4cHqwZCHTo6q6Zh9zN4Y4jrO/z4G16PwheAi/WTJswzdI83J9FAR3TrKAGyf3a5hR03BNVHBbO+I6dX/Rhwp0eIdR0MPVXJE+CshcTixQNKWK7SRmpDQemAQq3g6c4i5DWB9PUlipkry+pcQzsz1omPLGjf/2Mz2CAdvPnjCYfeTeFxz42s6VJHBBd5Sgg/7ONQTj6QpvFhpP2u8aWmgbPnV3n0phejq9Bpj1lEEEN5JZlU2Swj6t6rtFD5fAZUu3L5FRPg5xZhCV0zu4VXuaEflPdidK35b0jIiz22qpAkw+/0vh36u+kkUOabgpnt+I3CqeCilRuq6tIvtIx2AHFZ4Y9WdfXpjd/BEl2GY8VrxSWzpXS0YYWiNwypJx/J1zzmZZO6G7QcKSpIuoULM4uneBlaZurjXdVT8QzupUmX+CVyXHZUTXX3tM0rFnuDG3uGjOUM+67kS/zd3LJk8fnY1awU08gTOrs7qIDIzqEaEVxvK60XcBqc4dDYG+FTKEOEOi88WGIZH12gFy49epciPaTQMxcKbRftE9R1fZNdze1PwX2lrm891KTBD7YwFJkUin88Ype7bQNI4Djyca0TumZjYKok1AoSzjLTJGYOmiZg9wYyN+6m/FrdM0krgUQzvErtfSFryX4XaLbpPJnpRcdzoiNzwwuVYMLn5mBhj4m08gjiiHQlVlSMSJxpXi6GdXqrMCDudDHyPX5LHh21e2wajZ59p1Y42Gew1dOOP+M/5/0PrwDvqKhUWgAp2q8PzQuQ+ZyCq63jVpTI0/BskiD1iQBwQFDN2A32V9xymnkuS1pKn9xnosNMWVR3R9l6sLQDxH6vJcCEqWvCmxg8n5nfPtgx0E+clmmFFHVQ/xmXbe1lKS1o/M5dLHDG3CdrUpSEf8IC7/qkhaG8d3EmKGFskwJcbpPSzCJfMLS1JuYGJL/m7jqSI5JJ+KzTlPQCjubW74+EEvScTIaQP7e+RtE60LbgkwLprIEfCao3I+P0W4YgqLfE/xF4NQ3qVy3vrXOVGJSR4e0R3rI9RiuHmYoduldqtLr8rhqVqbU33q9s1ifL/62Rh2ZnXcnP4w75eH1EtunucZ2ml9QwHbpG0liKrthvPlmUNVsOhWdwlUfHrCUs8sgLNwW98mgG+7Kva4edejNmaEq/43TtN/RBmrNanB0Dp2SIeEbYRFfLqWGCtIRJpeJF227ggJXxt3fZnCW1eiEihDLKfc3hz+7zo/QlkBkbbj9D1BRURieH7DCr8cvymKa1QL9nRl0aJzWvMg//Q8/nMA23qBays34s4EUrcDin6AnUZIu63eAvxtcesPDTVq31+NatLmty21VG3mk7s7yw1dDwJncCXQ6zYp+SOC90xMFUR++FYcpX6qFiRGk7qNln9hnllwu1SqQYgV/w9MmD6GYLk+/xCUWK3kbCjWZ0Nhxkk+A3snUealYeeK75fZfL8TlAkgKqpRL1KlY3jrDe2rgzQyrHb7AoLukf2RJcXwu3GBP9PLQjJSSJw3vEHltCDnt7YR2KRA5NvJw429brs/4RvkBlX2a593swY63YthWinhCs6I3kgiDVaycpiQit4HCwMATAnhkzD590QLgf/am+7vcQlxl1MCtG6V+mBSIDQw17kxfrq/P18MyKixtREI/TW2lT127JvMlH3Te3f5KDQNyWc5oUP8bsfvxpZ6nO6xrUY1pZ+1eCsapkNalLH5x4yk3viGHiWS7ow44jjaCDraL/YCvGN+7SHjDBIWRpt+/ncrjezxWJa2yN29y+JrJgRxHYmfmZVMHxPGZ9aexCRHxnTVgwlT577VTDltqYi9CC0kQmTPt3CZzSiOP8ht4gwHNuNjNus8qGT9w7nYd81ViCYV/VpMRKmq9cR3rY75U6BU8QO74hFTfDigmGBPxXwGuhWZEWMbmK1Xl867xybVj9UTHhdbgnhta0J9RXm29A9YL3RMdL/DDZNQGq2eMK4CDq2l9X7UdPqbJphXfCv1AmCdufdvzEAq8kVEw5+RQxEOVV0g84G8bH5dOKfOwr7b9Bogtg37+j5pLPJzcoRKl3NynlWMGZVcnkEgRqmzFreXAYIyScE16rIzeEHdL5ngvm9EcPQfAWz6CvylrK7Bl91pJonNYprSqHUO0F4K4/kscm4j90kD5wpGOcrwke2+OI3oqez7QPmfzKnYoSrtcXqbt9lnluqobdYsCHY6mUjn4utROUD+g7gW5yYkxC7R1ySvvt5t63rOX6QH4UP9Uz7dCpo831vMHQ8Am+VFNbLXirq6/2P4TKTnScSQh/OnJ8Sx0/zxbPAb3jwzmx/eFAd+eazL0hCGTnh/D0WxcqfxTItOllsKUGX+md2VAoJQLra07gMJlh1tuDk2+ZXjvOsoGOMAzswpKPLf6TVe5Yi4eEosDM8ZFkVSngF3qx4TB2NcuKl739qUvLf0eL461y7+doJcdC+sl19scJjlEBFmEU9YNoJ8T0m9nT5UIi7l0tuek2i9SpzQRjHym1Y12JsiYoTR83mTBMR33hChE9aMc0FBkNesVJ9SBWOtLsd1i/UxUyZIk/C8shVGPmYplT9QOO/RqwJtvTeOkhrEWQq9zRoGqKQJs+j6VatHOdqVweX4/0icBN5QamXwgH61c7RbT79MDCZHvHSKkAe+eNVw7y6+0ZgCxtiIbo3RJwdRGqy6XHGnRfzRbzjO9H26gBmWX+Z7ZfeHLghen/tOW/qEh+uT1TR+O71GnhOgd1QQh84vyE2U+lAzneHI2gVG8EzA8Ho/UGiXJALQPElkJzR3GXDXVAHAw8Q6wCjLnxpmpkJZEJiJ9uDktKkNdF5uM6oEfQbxpP8uWJQnK4sCaZOTBsqEzyBm+KUXOpt0PbGFmb+gfPHIpO6rNGdWJ/C9F63ZbWhMXfONuLCjMis86lLJimwYH9G0PQWrmh7ENuZB3/giYbVqUjD3yP44axfw,iv:zfbeDFKb3hHQFi9wEuDj8XRqTLhc+2AnJU1roGJVZkU=,tag:mwNz9UCO6lCDK5hMWNLfNw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SnA3M2F0cXZjOGlFSTJw
            aE9BNGJsQ1JzelFoQk4yMGlpN2dkVUR4ZUNvCmljSDhsVU4rUnowV2dIdlhZYnMy
            aXo2OGZRd21PYk81ZE9pV05XSmpVOEEKLS0tIGhGNkVmTnVYRENEYlBxZXJTaExt
            SC91WFNocEN2K1NFK2dBUHYwZTQrVFkKKb3AlaRX96vJwEmxNNAThTlO9ZwtD1tv
            c6aBELEbmJFdHOcIJITzmS3YOssDOgTL2TbcSFu8mdAQYsRvxC96HA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-07T18:09:21Z"
    mac: ENC[AES256_GCM,data:RxVXYkx4JD2l6zIcx051DSyw4yYMWdK23ssaw94jkxlICvDyeZy9aO9kC0bAYqn0iB2BDEdh/0rzNZeJHlkjKQx9+et82iwFdwC9GSTVl/FV39fr9YbsqFQGqMAEo/JqElul9Sjd5vgdC1xQOF+Jceo11F9LhDteOiFn2a3Sv5I=,iv:sb9ah+Tk39FUIDpq4g5YGScIku3w5tVlDDNyxuHS4OY=,tag:nC+yLdj/moS2+nMIzNAOdw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/secrets/mac-va-mbp-personal/evanreichard/default.yaml
+++ b/secrets/mac-va-mbp-personal/evanreichard/default.yaml
@@ -1,26 +0,0 @@
 builder_ssh_key: ENC[AES256_GCM,data:1cYuaFJke/8GyqxPKp2zH/uARvW6Bqx6AsB16U8f3WkDpnxO6kym19MpDyQUBEjJ9Bj3RiBkSSL96jBv4YZfq+1cN8D6E14faKoYF5FZy5o1C+aTl+4L9zbrQIl/QDFh42qcJ6cYsOSjbEJv8kvZQBV7l+LNo8ZX07f76Kld3boouJJMMZWa9oaZgEifTxN4yDOPXTXNjCO3blGnsm+V3FPkba+EUASL9WH6+XLU2oW1Bc/sydOTiKGRJcs5eyqYvKi3evtxUUyqgdPVtUHNTsh6/B5kDLWFavfEfchPHT0LHIuqGJwGBglTp/NJThAoo5vNFAFIAUw9QWlY4alHhsi2L5g49r3s6i+3fGeyGCTP61uffY9HgF7nOdkTVMsRXacKh9fwgdsZAepcU+kJ3LJSdOaa4hUtCsZpFHUe4jA0kTHI1/V+7ak+iw92gNZTLKsCjIOzWFvEBVSXLctPdxQ8ezvF9ekvw5mkAwO7QYonlrQ3MUY/8b1DDOdjmfSwEyrLruew2KajFhm8/NM/2BOwcO/y+DbX2MSe5x0sx4HN79E=,iv:V25Tc7bOxc4wl5lf6gZOstN1InaCb3sfpCHMl65iwn8=,tag:mBFZcX2G3vpAOMw7V12d6w==,type:str]
 rke2_kubeconfig: ENC[AES256_GCM,data:oTOBktUE71QNJXqy8l5hhYKF3mSQlLxXE7rjsctyJi4nIk4bhKACGdYkB8B37Ws9QHm5h9tAn9J/ehbWyBwsOFQIhX7S0kov8/HPlatbY3aJ+PiHO5GWRkJjbq+GZrJgdGeOCSRlA5C4lOy9cYbCqbsgfp42cNxOPhOQUyqFNCmsWJvBiJDuQX3Sqk2QoDtfTayho/v5IiJ9Xjms6m1ng98uXmANHK2wFAv4IZ2+7j14jy5RRKylTtjooJxTalSzdODV4wufHOLqFRCeGs9U4A/SEbRWacssdTWOp/wkaumruEpbuRaX33EwFzAxnawD0T/PBA1w9MfrXoz7bYaQ8S0fpWQHTr7xj79yrlJslBvTp/SzC+7LlpdsOtJr/2LpbzwFowMFPOGg0XJUWlkevIIObBuEYyAnlytxlys+2UNx+szOuUsUDTdZlEtTyJT+Xp8WjFlXkHsi66s+rDxDvUcMG6oLy3IYiYA4D7Q65aDgiy87kDmdfItf5koEEpHU2wV20EtAP2mRZ8UNYnDHd3ZV1L2gLXHGMA/sa0Tn0l4fhfr+6K0niQ9RaZxrVfqyChCw4bSCyZZFajZXcEDXsQB5UKsnMmZ3p5ZtRe/mqKydAz/xQc8mZPYFWwXN3uWgOWLRraRib0thg/PQzsbGNrKxoqc0sY3JbUSBcyhtz2x7b0Sj+g8ibtySmSEM1DrcYFdLG/QHbg8MaSOIIlZDDan2SJ0vAd432hI9BBIxj3L0EOfVBkbzEdtuuW7SSCG650X2u4Rd0Kkjc7HoB6pafJTWx2QZ/CMKIZFiHfMJ1zRyxco7SwZzsTRZ1Y0W7qgnssKpqtRNwCfRTdDM/6aZ1HorNP2NombuyGmfvD/EZSt4xxsOZIgioqfghbcsTCFZQPUvfBSZvJ5KBXS8qacBmsUxMLRMyzSbq0mM/S9Rz8oUxN587K7pLTNNiwFsQ9mXlGgh//rzhdAfzQZF/uuMrjqYgxt3iOAT3Nd34RbZ8YK31SRf6lFy7b+hafS1FFVUnW8jnC57eo2wNpHFBNA1y60dokx9P1dzZUVVYK5iCK+QFkUweD9WSo0al09E3By2pQxZ1OS9UOcTxFbpP/WakD57/tkOvmGIirqrexVecDcODelGXhCVeXb8zJQDz2PdXz3M4G0zIV2JcgJDjJy91Rx56vxRQv0/mvPfjexm9gQcTWOpIeUOBGRCfMXMh0g0AANHxDheRa9WzYQ10uDE3DsyMT53+FGW73PyPBk5MzRY/RQXjTEVbhO/e8Km7KOuhRxpohcLHCugEFMqjsW/c5b6GU24s3n69XPxMWtdtMmnf1FaGGufuOXyYd2s1vQqi+542x41HYnXiT6OQwsFttnlbwfrosl9qgSSgsfwXNv7qHQUBDg1KczwlPBZ3cMA/rQUqHL2N4vEp00JoJFjBTbWrin2FCOBafQmpKPv9j/nqiJROr3I93bSaodk0rFOUDWV3Sp/YepeuYb6wY+lMgysg4jDuJxEYQytFfNI2SBd7g4Xh6vBW/GS1/JdaHhh/Ub5/Cqa0Pxl5fBjV1HQIaM8mXi+V90zRVqzKm9vl9wXjXzAk8QvWRiW5ruP3IsMl5myL1KBuFIgZNPkbv8Nap3XDgmO2IvM6gWI3LHW81cgS6dDcsuC2C9zr291MAlYQiaotqQ33u0ga/y8DTXB3mcLTPLpkWWRY+Cc+qVAuD3LwCvd2StUhxUNwDbwVaxtuSk+uWMx1PCPPwHDVB3sm93wbnKrvj0TMHdkh0im+KzSplaMAsCgKJj1YO3Yhjg+E9CwIaYEDKcCE8FNqioSzzaXABQgpa4zUWkWC+D4iD/kSS3Z+BgB0VCytB705SMbmHmAlWnNayFgQLx3xo/TkgF51jEghj2w2gPyTM8gLqq8kvpXnDx95nhfStRu3KZCuCZKadrv0V5mSCCSzw0STDKZjfwYHHMWOnf41UDG7M9+vWHdtZdnJjLvw8gIqmLl0fkw75jFXYXQaNj4vh6MNSp7ABA8wY5Ala/EckHjx9R88czgyvHTLfVOiFgIiOLvldSYmDlaMcyPTVH7JSTiSoZ7aUwNROQE0/C9GyvZH8MGN9Iy6YQAUQYf5jjesoe3dPJf66GmeCKKlAcO1aK91XXow+pWrYJBZilhXJgPNTKltP2ObDLeJ/30KYF7Gee9GvtJaKzBGjYFZZz9nj8ixIBymS+M7N65U8Sw+/37qCnkSDe6VgkMoXXijaPgfToR4yb6FdZOqRlvynbyC+lSO44l2S1CkKbUxrqzZX2pQ6iB1eJdaHmIBYawVg7tJOO3snPXYMiMAgmojrH1BUUpbQRRvG4BTrUOES4N+2etytiZ7N4GEDzshosVaf9NeFBWRGC58siec/BtKwo7HGcsc0zDvcq8MFJ6rEUDbuZuWn3+CvxC9fi4+CzDP3j3K9lOUiXJ6vxv+1eImFMVgQUiV4g2M/JMTv6+Ix8U9dHoaNVjQlnL1NZRo92C/T2WRx42V97hJOe81CXqRLY8mW30MXat7KK+n92bNsWTKZrNsKnzVb+i1YwMAiwG1bw0OCcmfVojozZ4wjUNkFJI2K0v0CCvwVIl9yUKMkCvo+I1m2ZInOXRme2HK82YFg6JxitlQvovdlUndN1Lo4PhaxbW3BNwJSn81FxJ4yh+d34eawZlsQ4l+er2CyWrXSOvQnK1F8UwDB5xgPb8TBj5FD4IZM+op2LPQiaPQZ7bShzpN20W413lBvauirbD8EaZqt2QExmDnYHs1EMcj10bvu7IyKwZTlBqOa/LpyUH/imY4DTB0aYHby+xnLX7760S0sJfKuJ7omQ4QBgz+NSZ/aFfPicugkPsCZI0lS9WCcczvHgbFRzB6YQ5uJEoK5o5SdVTpYWUBvuLbJ6IOKNKWxlBcrsj4aPm+AAsxRc9cHPbrCns6y01K2wCYCL5nzK7jnneQiR4edtfnwMlUoo3c6/vzwiof4EVVrN29QxVsIA/9yqk375mKlI/l7/eOf083Kbad215wvZ+0U7cgI0oaaVvapj3Ni3e3Es8XUIQCua5HRE6d4M6A7P+Ye1Wkt+8oTpKJzd9Hn/ITwCYVssdpMSwF2ARHgmTtq+sacvkR9gojG/LAJMUwA48Sc4M5rn+5vTCRTvuKXDFphLSUwNzqd58YENC/HJjZS8+co+BN7AaafrybfA0QQrXkY7f+elsAFmNfho+taMpkfQZCmmgfoHPVPYR0pxkV1czCymm5lTjgkC7e4ydngcyJSrUzrXrWREkEcEdXoSRt1/JHABKRbvRuTbuUlah1xS1pvffosnA7KJL+aTLErkWwww3WUPMRrvmhVlWZqHGqE8lCRyMUPny7li3I2IB+aHFXepYwZSMMQPIOIiE19Oz7MsaIrMknqfTtdc58McEPGUPKiVO8x+nfRQPY45jFF60XtiK+yemYDicUGMSkWdtVLXgDCD+KAJz5YzBl5YbnPD9L1X9pB8P0vEpnKC6X+GGiaPflVGiNAKRTUyVv8CJ+Yh+KEfJw8og/P6d/7dSKheBeAdaliigZ9qG8xfyY0jE++xedaxIcOBObBu6j70j+Tpp5bUPN25FyVR2GqG4xz5YbuhnrRjhA6lAh0nppPlP+Oz/j9pPvPaDGESLZ/WM6MWru7R8DrHePBtulRvhvwUsmrjosPXuCNGU4sd1MFh6kNyyJH3W1quy3IopUij0Amu40mmd8XEzsN2nmT2Eh3NCd/r/2yj/t+xwxNcQZ+bfxeMFOiEfX5RU2paKNrRIDUEbgR1rS8A3PEUPTxwTP10IuY+IMToCSgZkVIq7UjXg0Bx9QdwvXcN74ADwkD0Un5+jLf4mo43QacwnBLpm24XqDzO09vKOzA9XU5fdC6AJ4mqAJ5J/XU8bC1RWiSCul6NekoJAPVgMlpWTPCAdSrWeYoE0d7lVkl+g+nEIS4sb,iv:mC5XSWReVzjwheF1IzCzp34JRvL/vJipyaKhptkH+cU=,tag:SDoNiaWaPKzruj+HPv5jbw==,type:str]
 sops:
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVWFObG51K2lTYlZidXBU
            aW55RnpkVDExbVBkNDl4NkV3MFNkNThjbWdZCklhWkVSaWpPSE1VY09iWGlPVE9Q
            bW1SY05jK3BwcDIwSHdMZjJHdWQyQkkKLS0tIHZYS2c2U2xtQ1QxajlKeWpmNXZW
            bmdpcTl2NjRWM3F3Q2RHbk1rTEFvZEkKWag1nmqFZMRjwFtIo6oqs+9UI/Mer5bK
            Ax7P7uwoZdiMN2g84W1pNTjj6GktFn3jrBaE+MxY6NUBr02apkRYZw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cURST1FTbVk4RGZTaitF
            MEt3Z2U0a004Zmo0VG1BN29DUnBLNGxPMEJFCkcyL1JrMkZsSTM5WCtZSldSeGZw
            SmdpV3AxRDJyVW1WMXBuclhBSDkvTXcKLS0tIDZsU2pBbEFHNkdqWW1CZW1hdVN3
            eW9OdlJmS21IVDNVNk9OMjZBT21PUTAK+lpsdEp2uvg8nFWu/hPtK0+Ahi5J//5d
            NB6JJ7lwRWKy2NppFf9sy20Y1Z0Z5Ui40nbnURRzYgtsqbKBveUDcA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-07-29T23:30:28Z"
    mac: ENC[AES256_GCM,data:x3dnanNbIX0fippbbFqOSR9ptZGdAwWuyn7hf3z6i43rk8Nk9p9EVqmE4/Guz2QY2tG/cph/5/nwX4UCO4ixAdB7pAWZa6lI1JdFzMBfW1IGeXOLyprDt6xdFnCVXjy64HgNWiVOPUS4+olxNZ0LPmCof7odqn+Axj+icFK3N34=,iv:OyFac4TxnKXwJ0l7LcJTqVyl11gIpw8fvEAEQTrEBc0=,tag:zMOGwIwAZmel+4EIqy9/tQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/systems/aarch64-darwin/mac-va-mbp-personal/default.nix
+++ b/systems/aarch64-darwin/mac-va-mbp-personal/default.nix
@@ -1,4 +1,7 @@
-{ lib, ... }:
+{ lib, namespace, ... }:
 let
  inherit (lib.${namespace}) enabled;
 in
 {
  system.stateVersion = 6;
  nix.enable = false;
@@ -11,11 +14,7 @@
    };
    security = {
-      sops = {
+      sops = enabled;
        enable = true;
        sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/mac-va-mbp-personal/default.yaml";
      };
    };
  };
 }
--- a/systems/aarch64-linux/lin-va-mbp-personal/default.nix
+++ b/systems/aarch64-linux/lin-va-mbp-personal/default.nix
@@ -41,10 +41,7 @@ in
    };
    security = {
-      sops = {
+      sops = enabled;
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/lin-va-mbp-personal/default.yaml";
      };
    };
    virtualisation = {
--- a/systems/x86_64-linux/lin-va-desktop/default.nix
+++ b/systems/x86_64-linux/lin-va-desktop/default.nix
@@ -6,7 +6,6 @@
 let
  inherit (lib.${namespace}) enabled;
  llama-swap = pkgs.reichard.llama-swap;
  llama-cpp = pkgs.reichard.llama-cpp;
  stable-diffusion-cpp = pkgs.reichard.stable-diffusion-cpp.override {
    cudaSupport = true;
@@ -15,7 +14,10 @@ in
 {
  system.stateVersion = "25.11";
  time.timeZone = "America/New_York";
  boot.supportedFilesystems = [ "nfs" ];
  nixpkgs.config.allowUnfree = true;
  hardware.nvidia-container-toolkit.enable = true;
  security.pam.loginLimits = [
    {
      domain = "*";
@@ -31,8 +33,6 @@ in
    }
  ];
  nixpkgs.config.allowUnfree = true;
  fileSystems."/mnt/ssd" = {
    device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_1TB_S6PTNZ0R620739L-part1";
    fsType = "exfat";
@@ -82,308 +82,16 @@ in
    services = {
      openssh = enabled;
      llama-swap = enabled;
      mosh = enabled;
    };
    virtualisation = {
      podman = enabled;
    };
  };
-  systemd.services.llama-swap.serviceConfig.LimitMEMLOCK = "infinity";
+    security = {
-  services.llama-swap = {
+      sops = enabled;
    enable = true;
    openFirewall = true;
    package = llama-swap;
    settings = {
      models = {
        # https://huggingface.co/unsloth/Devstral-Small-2-24B-Instruct-2512-GGUF/tree/main
        "devstral-small-2-instruct" = {
          name = "Devstral Small 2 (24B) - Instruct";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Devstral/Devstral-Small-2-24B-Instruct-2512-UD-Q4_K_XL.gguf \
              --chat-template-file /mnt/ssd/Models/Devstral/Devstral-Small-2-24B-Instruct-2512-UD-Q4_K_XL_template.jinja \
              --temp 0.15 \
              -c 98304 \
              -ctk q8_0 \
              -ctv q8_0 \
              -fit off \
              -dev CUDA0
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/mradermacher/gpt-oss-20b-heretic-v2-i1-GGUF/tree/main
        #  --chat-template-kwargs '{\"reasoning_effort\":\"low\"}'
        "gpt-oss-20b-thinking" = {
          name = "GPT OSS (20B) - Thinking";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/GPT-OSS/gpt-oss-20b-F16.gguf \
              -c 131072 \
              --temp 1.0 \
              --top-p 1.0 \
              --top-k 40 \
              -dev CUDA0
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/mradermacher/GPT-OSS-Cybersecurity-20B-Merged-i1-GGUF/tree/main
        "gpt-oss-csec-20b-thinking" = {
          name = "GPT OSS CSEC (20B) - Thinking";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/GPT-OSS/GPT-OSS-Cybersecurity-20B-Merged.i1-MXFP4_MOE.gguf \
              -c 131072 \
              --temp 1.0 \
              --top-p 1.0 \
              --top-k 40 \
              -dev CUDA0
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/shb777/Llama-3.3-8B-Instruct-GGUF/tree/main
        # llama-server --host 0.0.0.0 --port 8081 -m /mnt/ssd/Models/Llama/llama-3.3-8b-instruct-q6_k.gguf -c 131072 -dev CUDA0 -fit off
        # https://huggingface.co/unsloth/Qwen3-Next-80B-A3B-Instruct-GGUF/tree/main
        "qwen3-next-80b-instruct" = {
          name = "Qwen3 Next (80B) - Instruct";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-Next-80B-A3B-Instruct-UD-Q2_K_XL.gguf \
              -c 262144 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              --repeat-penalty 1.05 \
              -ctk q8_0 \
              -ctv q8_0 \
              -fit off
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/unsloth/Qwen3-30B-A3B-Instruct-2507-GGUF/tree/main
        "qwen3-30b-2507-instruct" = {
          name = "Qwen3 2507 (30B) - Instruct";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-30B-A3B-Instruct-2507-Q4_K_M.gguf \
              -c 262144 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              --repeat-penalty 1.05 \
              -ctk q8_0 \
              -ctv q8_0 \
              -ts 70,30
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/unsloth/Qwen3-Coder-30B-A3B-Instruct-GGUF/tree/main
        "qwen3-coder-30b-instruct" = {
          name = "Qwen3 Coder (30B) - Instruct";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-Coder-30B-A3B-Instruct-UD-Q6_K_XL.gguf \
              -c 131072 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              --repeat-penalty 1.05 \
              -ctk q8_0 \
              -ctv q8_0 \
              -ts 70,30
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/unsloth/Qwen3-30B-A3B-Thinking-2507-GGUF/tree/main
        "qwen3-30b-2507-thinking" = {
          name = "Qwen3 2507 (30B) - Thinking";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-30B-A3B-Thinking-2507-UD-Q4_K_XL.gguf \
              -c 262144 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              --repeat-penalty 1.05 \
              -ctk q8_0 \
              -ctv q8_0 \
              -ts 70,30
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/unsloth/Nemotron-3-Nano-30B-A3B-GGUF/tree/main
        "nemotron-3-nano-30b-thinking" = {
          name = "Nemotron 3 Nano (30B) - Thinking";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Nemotron/Nemotron-3-Nano-30B-A3B-UD-Q4_K_XL.gguf \
              -c 1048576 \
              --temp 1.1 \
              --top-p 0.95 \
              -fit off
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/unsloth/Qwen3-VL-8B-Instruct-GGUF/tree/main
        "qwen3-8b-vision" = {
          name = "Qwen3 Vision (8B) - Thinking";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-VL-8B-Instruct-UD-Q4_K_XL.gguf \
              --mmproj /mnt/ssd/Models/Qwen3/Qwen3-VL-8B-Instruct-UD-Q4_K_XL_mmproj-F16.gguf \
              -c 65536 \
              --temp 0.7 \
              --min-p 0.0 \
              --top-p 0.8 \
              --top-k 20 \
              -ctk q8_0 \
              -ctv q8_0 \
              -fit off \
              -dev CUDA1
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/unsloth/Qwen2.5-Coder-7B-Instruct-128K-GGUF/tree/main
        "qwen2.5-coder-7b-instruct" = {
          name = "Qwen2.5 Coder (7B) - Instruct";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              -m /mnt/ssd/Models/Qwen2.5/Qwen2.5-Coder-7B-Instruct-Q8_0.gguf \
              --fim-qwen-7b-default \
              -c 131072 \
              --port ''${PORT} \
              -fit off \
              -dev CUDA1
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/unsloth/Qwen2.5-Coder-3B-Instruct-128K-GGUF/tree/main
        "qwen2.5-coder-3b-instruct" = {
          name = "Qwen2.5 Coder (3B) - Instruct";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              -m /mnt/ssd/Models/Qwen2.5/Qwen2.5-Coder-3B-Instruct-Q8_0.gguf \
              --fim-qwen-3b-default \
              --port ''${PORT} \
              -fit off \
              -dev CUDA1
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        # https://huggingface.co/unsloth/Qwen3-4B-Instruct-2507-GGUF/tree/main
        "qwen3-4b-2507-instruct" = {
          name = "Qwen3 2507 (4B) - Instruct";
          cmd = ''
            ${llama-cpp}/bin/llama-server \
              --port ''${PORT} \
              -m /mnt/ssd/Models/Qwen3/Qwen3-4B-Instruct-2507-Q4_K_M.gguf \
              -c 98304 \
              -fit off \
              -ctk q8_0 \
              -ctv q8_0 \
              -dev CUDA1
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        "z-image-turbo" = {
          name = "Z-Image-Turbo";
          checkEndpoint = "/";
          cmd = ''
            ${stable-diffusion-cpp}/bin/sd-server \
              --listen-port ''${PORT} \
              --diffusion-fa \
              --diffusion-model /mnt/ssd/StableDiffusion/ZImageTurbo/z-image-turbo-Q8_0.gguf \
              --vae /mnt/ssd/StableDiffusion/ZImageTurbo/ae.safetensors \
              --llm /mnt/ssd/Models/Qwen3/Qwen3-4B-Instruct-2507-Q4_K_M.gguf \
              --cfg-scale 1.0 \
              --steps 9 \
              --rng cuda
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
        "qwen-image-edit" = {
          name = "Qwen Image Edit";
          checkEndpoint = "/";
          cmd = ''
            ${stable-diffusion-cpp}/bin/sd-server \
              --listen-port ''${PORT} \
              --diffusion-fa \
              --diffusion-model /mnt/ssd/StableDiffusion/QwenImageEdit/Qwen-Rapid-v18_Q5_K.gguf \
              --vae /mnt/ssd/StableDiffusion/QwenImageEdit/qwen_image_vae.safetensors \
              --llm /mnt/ssd/Models/Qwen2.5/Qwen2.5-VL-7B-Instruct.Q4_K_M.gguf \
              --cfg-scale 2.5 \
              --sampling-method euler \
              --flow-shift 3 \
              --steps 9 \
              --rng cuda
          '';
          env = [ "GGML_CUDA_ENABLE_UNIFIED_MEMORY=1" ];
        };
      };
      groups = {
        shared = {
          swap = true;
          exclusive = false;
          members = [
            "nemotron-3-nano-30b-thinking"
            "qwen3-30b-2507-instruct"
            "qwen3-30b-2507-thinking"
            "qwen3-coder-30b-instruct"
            "qwen3-next-80b-instruct"
          ];
        };
        cuda0 = {
          swap = true;
          exclusive = false;
          members = [
            "devstral-small-2-instruct"
            "gpt-oss-20b-thinking"
            "gpt-oss-csec-20b-thinking"
          ];
        };
        cuda1 = {
          swap = true;
          exclusive = false;
          members = [
            "qwen2.5-coder-3b-instruct"
            "qwen2.5-coder-7b-instruct"
            "qwen3-4b-2507-instruct"
            "qwen3-8b-vision"
          ];
        };
      };
    };
  };
--- a/systems/x86_64-linux/lin-va-thinkpad/default.nix
+++ b/systems/x86_64-linux/lin-va-thinkpad/default.nix
@@ -58,6 +58,7 @@ in
    };
    services = {
      openssh = enabled;
      tailscale = enabled;
      avahi = enabled;
      ydotool = enabled;
@@ -79,10 +80,7 @@ in
    };
    security = {
-      sops = {
+      sops = enabled;
        enable = true;
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/lin-va-thinkpad/default.yaml";
      };
    };
  };