From 12736a97de055e1078fcb44c2c0c8d09548e59f8 Mon Sep 17 00:00:00 2001 
From: auricom <27022259+auricom@users.noreply.github.com> Date: Sun, 3 Jul 2022 15:45:26 +0200 Subject: [PATCH] feat: rework ansible & secrets --- .sops.yaml | 14 +- README.md | 19 +- ansible/.envrc | 2 + ansible/ansible.cfg | 35 +++ ansible/inventory/group_vars/all/all.sops.yml | 24 ++ ansible/inventory/group_vars/all/k3s.yml | 34 +++ ansible/inventory/group_vars/master/k3s.yml | 71 +++++ .../inventory/group_vars/worker/k3s.yml | 9 +- .../inventory/host_vars/k3s-master.sops.yaml | 23 ++ .../inventory/host_vars/k3s-worker1.sops.yaml | 23 ++ .../inventory/host_vars/k3s-worker2.sops.yaml | 23 ++ .../inventory/host_vars/k3s-worker3.sops.yaml | 23 ++ .../host_vars/truenas-remote.sops.yaml | 23 ++ .../inventory/host_vars/truenas-remote.yaml | 3 + ansible/inventory/host_vars/truenas.sops.yaml | 22 ++ ansible/inventory/host_vars/truenas.yaml | 4 + ansible/inventory/hosts.yml | 40 +++ ansible/playbooks/bootstrap_ansible.yml | 17 ++ .../playbooks/cluster-installation.yml | 10 +- ansible/playbooks/cluster-nuke.yml | 29 ++ ansible/playbooks/cluster-prepare.yml | 167 +++++++++++ ansible/playbooks/coreelec.yml | 7 + ansible/playbooks/rook-nuke.yml | 33 +++ ansible/playbooks/truenas.yml | 7 + ansible/playbooks/workstation.yml | 7 + ansible/requirements.yml | 13 + ansible/roles/coreelec/defaults/main.yml | 6 + ansible/roles/coreelec/files/backup.bash | 16 ++ ansible/roles/coreelec/tasks/backup.yml | 13 + ansible/roles/coreelec/tasks/main.yml | 8 + ansible/roles/coreelec/tasks/nfs.yml | 19 ++ .../coreelec/templates/storage-nfs.mount | 16 ++ .../roles/installation.k3s/defaults/main.yml | 2 + ansible/roles/installation.k3s/tasks/k3s.yml | 50 ++++ ansible/roles/installation.k3s/tasks/main.yml | 4 + .../calico}/calico-bgpconfiguration.yaml.j2 | 3 +- .../templates/calico}/calico-bgppeer.yaml.j2 | 4 +- .../calico/calico-installation.yaml.j2 | 18 ++ .../installation.k3s/vars/main/calico.yml | 14 + .../roles/installation.k3s/vars/main/k3s.yml | 53 ++++ 
ansible/roles/truenas/defaults/main.yml | 9 + .../files/scripts/certificates_deploy.py | 240 ++++++++++++++++ .../files/scripts/snapshots_clearempty.py | 107 +++++++ .../truenas/files/scripts/snapshots_prune.py | 262 +++++++++++++++++ .../files/scripts/telegraf_hddtemp.bash | 28 ++ ansible/roles/truenas/tasks/directories.yml | 19 ++ ansible/roles/truenas/tasks/main.yml | 9 + ansible/roles/truenas/tasks/scripts.yml | 25 ++ ansible/roles/truenas/tasks/telegraf.yml | 10 + ansible/roles/truenas/tasks/wireguard.yml | 17 ++ .../scripts/backupconfig_cloudsync_pre.bash | 20 ++ .../scripts/certificates_deploy.bash | 22 ++ .../scripts/certificates_deploy.conf | 48 ++++ .../truenas/templates/scripts/report_pools.sh | 162 +++++++++++ .../truenas/templates/scripts/report_smart.sh | 267 ++++++++++++++++++ .../truenas/templates/scripts/report_ups.sh | 93 ++++++ .../templates/scripts/snapshots_prune.sh | 17 ++ .../truenas/templates/telegraf/telegraf.conf | 49 ++++ .../truenas/templates/wireguard/ip-check.bash | 24 ++ .../wireguard/truenas-remote.xpander.ovh.conf | 11 + ansible/roles/workstation/defaults/main.yml | 42 +++ .../scripts/backup-local-usb-disk-one.bash | 11 + .../scripts/backup-local-usb-disk-two.bash | 9 + .../workstation/files/scripts/update-pip.bash | 3 + .../files/throttled/throttled.conf | 53 ++++ .../wireguard/claude-thinkpad-fedora.conf | 10 + .../roles/workstation/files/yum/vscodium.repo | 7 + ansible/roles/workstation/files/yum/yum.conf | 2 + ansible/roles/workstation/tasks/chezmoi.yml | 15 + ansible/roles/workstation/tasks/gnome.yml | 16 ++ ansible/roles/workstation/tasks/gpg.yml | 13 + ansible/roles/workstation/tasks/main.yml | 56 ++++ ansible/roles/workstation/tasks/nfs.yml | 63 +++++ .../tasks/packages-claude-fixe-fedora.yml | 27 ++ .../tasks/packages-claude-thinkpad-fedora.yml | 14 + .../workstation/tasks/packages-common.yml | 99 +++++++ .../roles/workstation/tasks/packages-post.yml | 14 + .../tasks/packages-prerequisites.yml | 18 ++ 
.../roles/workstation/tasks/repositories.yml | 65 +++++ ansible/roles/workstation/tasks/scripts.yml | 14 + ansible/roles/workstation/tasks/shell.yml | 6 + ansible/roles/workstation/tasks/system.yml | 27 ++ ansible/roles/workstation/tasks/wireguard.yml | 6 + .../workstation/templates/chezmoi.toml.j2 | 11 + .../workstation/vars/claude-fixe-fedora.yml | 7 + .../vars/claude-thinkpad-fedora.yml | 7 + .../apps/data/bookstack/kustomization.yaml | 2 +- cluster/apps/data/bookstack/secrets.sops.yaml | 27 ++ cluster/apps/data/bookstack/secrets.yaml | 58 ---- .../apps/development/gitea/helm-release.yaml | 2 +- .../apps/development/gitea/kustomization.yaml | 2 +- .../apps/development/gitea/secrets.sops.yaml | 27 ++ cluster/apps/development/gitea/secrets.yaml | 58 ---- .../home-assistant/kustomization.yaml | 2 +- .../home-assistant/token.sops.yaml | 27 ++ .../home-automation/home-assistant/token.yaml | 58 ---- .../apps/media/music_transcode/cronjob.yaml | 4 +- .../monitoring/terra-exporter/deployment.yaml | 50 ---- .../terra-exporter/kustomization.yaml | 5 - .../monitoring/terra-exporter/podmonitor.yaml | 16 -- .../networking/external-dns/secret.sops.yaml | 61 +--- cluster/base/apps.yaml | 2 +- cluster/base/configuration.yaml | 2 +- cluster/base/core.yaml | 2 +- .../secrets/cluster-secrets.sops.yaml | 111 ++++++++ .../secrets/cluster-secrets.yaml | 142 ---------- .../secrets/drone-pipelines.yaml | 66 ----- .../configuration/secrets/kustomization.yaml | 4 +- cluster/configuration/secrets/regcred.yaml | 59 ---- cluster/core/cert-manager/kustomization.yaml | 2 +- cluster/core/cert-manager/secret.enc.yaml | 59 ---- cluster/core/cert-manager/secret.sops.yaml | 28 ++ .../notifications/discord/kustomization.yaml | 2 +- .../notifications/discord/secret.enc.yaml | 59 ---- .../notifications/discord/secret.sops.yaml | 28 ++ .../transcode_music/transcode.bash | 0 .../transcode_music/transcode_exclude.cfg | 0 server/ansible/ansible.cfg | 53 ---- .../group_vars/all/calico-settings.yml | 15 - 
.../inventory/group_vars/all/k3s-settings.yml | 24 -- .../group_vars/all/rsyslog-settings.yml | 7 - .../group_vars/all/ubuntu-settings.yml | 24 -- .../group_vars/server-nodes/k3s-settings.yml | 27 -- .../inventory/host_vars/k3s-server.yml | 9 - .../inventory/host_vars/k3s-worker1.yml | 15 - .../inventory/host_vars/k3s-worker2.yml | 15 - .../inventory/host_vars/k3s-worker3.yml | 15 - server/ansible/inventory/hosts.yml | 17 -- server/ansible/playbooks/k3s/install.yml | 14 - server/ansible/playbooks/k3s/nuke.yml | 32 --- server/ansible/playbooks/k3s/prune.yml | 13 - server/ansible/playbooks/k3s/upgrade.yml | 13 - .../playbooks/power-outage/shutdown.yml | 36 --- server/ansible/playbooks/rook-ceph/nuke.yaml | 48 ---- server/ansible/playbooks/ubuntu/upgrade.yml | 22 -- server/ansible/requirements.txt | 1 - server/ansible/requirements.yml | 4 - server/ansible/roles/.gitignore | 1 - server/ansible/roles/k3s/tasks/calico.yml | 38 --- server/ansible/roles/k3s/tasks/kubeconfig.yml | 20 -- server/ansible/roles/k3s/tasks/main.yml | 21 -- server/ansible/roles/k3s/tasks/registry.yml | 21 -- .../k3s/templates/calico-installation.yaml.j2 | 19 -- .../roles/k3s/templates/registries.yaml.j2 | 20 -- server/ansible/roles/ubuntu/tasks/boot.yml | 43 --- server/ansible/roles/ubuntu/tasks/disks.yml | 9 - .../ansible/roles/ubuntu/tasks/filesystem.yml | 27 -- server/ansible/roles/ubuntu/tasks/host.yml | 6 - server/ansible/roles/ubuntu/tasks/kernel.yml | 25 -- server/ansible/roles/ubuntu/tasks/locale.yml | 44 --- server/ansible/roles/ubuntu/tasks/main.yml | 51 ---- server/ansible/roles/ubuntu/tasks/network.yml | 45 --- .../ansible/roles/ubuntu/tasks/packages.yml | 94 ------ .../roles/ubuntu/tasks/power-button.yml | 15 - server/ansible/roles/ubuntu/tasks/rsyslog.yml | 19 -- .../ubuntu/tasks/unattended-upgrades.yml | 37 --- server/ansible/roles/ubuntu/tasks/user.yml | 35 --- .../roles/ubuntu/templates/resolv.conf | 1 - .../templates/rsyslog-50-promtail.conf.j2 | 4 - 
server/ansible/roles/ubuntu/vars/main.yml | 69 ----- 160 files changed, 3210 insertions(+), 1785 deletions(-) create mode 100644 ansible/.envrc create mode 100644 ansible/ansible.cfg create mode 100644 ansible/inventory/group_vars/all/all.sops.yml create mode 100644 ansible/inventory/group_vars/all/k3s.yml create mode 100644 ansible/inventory/group_vars/master/k3s.yml rename server/ansible/inventory/group_vars/worker-nodes/k3s-settings.yml => ansible/inventory/group_vars/worker/k3s.yml (50%) create mode 100644 ansible/inventory/host_vars/k3s-master.sops.yaml create mode 100644 ansible/inventory/host_vars/k3s-worker1.sops.yaml create mode 100644 ansible/inventory/host_vars/k3s-worker2.sops.yaml create mode 100644 ansible/inventory/host_vars/k3s-worker3.sops.yaml create mode 100644 ansible/inventory/host_vars/truenas-remote.sops.yaml create mode 100644 ansible/inventory/host_vars/truenas-remote.yaml create mode 100644 ansible/inventory/host_vars/truenas.sops.yaml create mode 100644 ansible/inventory/host_vars/truenas.yaml create mode 100644 ansible/inventory/hosts.yml create mode 100644 ansible/playbooks/bootstrap_ansible.yml rename server/ansible/playbooks/ubuntu/prepare.yml => ansible/playbooks/cluster-installation.yml (50%) create mode 100644 ansible/playbooks/cluster-nuke.yml create mode 100644 ansible/playbooks/cluster-prepare.yml create mode 100644 ansible/playbooks/coreelec.yml create mode 100644 ansible/playbooks/rook-nuke.yml create mode 100644 ansible/playbooks/truenas.yml create mode 100644 ansible/playbooks/workstation.yml create mode 100644 ansible/requirements.yml create mode 100644 ansible/roles/coreelec/defaults/main.yml create mode 100644 ansible/roles/coreelec/files/backup.bash create mode 100644 ansible/roles/coreelec/tasks/backup.yml create mode 100644 ansible/roles/coreelec/tasks/main.yml create mode 100644 ansible/roles/coreelec/tasks/nfs.yml create mode 100644 ansible/roles/coreelec/templates/storage-nfs.mount create mode 100644 
ansible/roles/installation.k3s/defaults/main.yml create mode 100644 ansible/roles/installation.k3s/tasks/k3s.yml create mode 100644 ansible/roles/installation.k3s/tasks/main.yml rename {server/ansible/roles/k3s/templates => ansible/roles/installation.k3s/templates/calico}/calico-bgpconfiguration.yaml.j2 (58%) rename {server/ansible/roles/k3s/templates => ansible/roles/installation.k3s/templates/calico}/calico-bgppeer.yaml.j2 (53%) create mode 100644 ansible/roles/installation.k3s/templates/calico/calico-installation.yaml.j2 create mode 100644 ansible/roles/installation.k3s/vars/main/calico.yml create mode 100644 ansible/roles/installation.k3s/vars/main/k3s.yml create mode 100644 ansible/roles/truenas/defaults/main.yml create mode 100644 ansible/roles/truenas/files/scripts/certificates_deploy.py create mode 100644 ansible/roles/truenas/files/scripts/snapshots_clearempty.py create mode 100644 ansible/roles/truenas/files/scripts/snapshots_prune.py create mode 100644 ansible/roles/truenas/files/scripts/telegraf_hddtemp.bash create mode 100644 ansible/roles/truenas/tasks/directories.yml create mode 100644 ansible/roles/truenas/tasks/main.yml create mode 100644 ansible/roles/truenas/tasks/scripts.yml create mode 100644 ansible/roles/truenas/tasks/telegraf.yml create mode 100644 ansible/roles/truenas/tasks/wireguard.yml create mode 100644 ansible/roles/truenas/templates/scripts/backupconfig_cloudsync_pre.bash create mode 100644 ansible/roles/truenas/templates/scripts/certificates_deploy.bash create mode 100644 ansible/roles/truenas/templates/scripts/certificates_deploy.conf create mode 100644 ansible/roles/truenas/templates/scripts/report_pools.sh create mode 100644 ansible/roles/truenas/templates/scripts/report_smart.sh create mode 100644 ansible/roles/truenas/templates/scripts/report_ups.sh create mode 100644 ansible/roles/truenas/templates/scripts/snapshots_prune.sh create mode 100644 ansible/roles/truenas/templates/telegraf/telegraf.conf create mode 100644 
ansible/roles/truenas/templates/wireguard/ip-check.bash create mode 100644 ansible/roles/truenas/templates/wireguard/truenas-remote.xpander.ovh.conf create mode 100644 ansible/roles/workstation/defaults/main.yml create mode 100755 ansible/roles/workstation/files/scripts/backup-local-usb-disk-one.bash create mode 100755 ansible/roles/workstation/files/scripts/backup-local-usb-disk-two.bash create mode 100644 ansible/roles/workstation/files/scripts/update-pip.bash create mode 100644 ansible/roles/workstation/files/throttled/throttled.conf create mode 100644 ansible/roles/workstation/files/wireguard/claude-thinkpad-fedora.conf create mode 100644 ansible/roles/workstation/files/yum/vscodium.repo create mode 100644 ansible/roles/workstation/files/yum/yum.conf create mode 100644 ansible/roles/workstation/tasks/chezmoi.yml create mode 100644 ansible/roles/workstation/tasks/gnome.yml create mode 100644 ansible/roles/workstation/tasks/gpg.yml create mode 100644 ansible/roles/workstation/tasks/main.yml create mode 100644 ansible/roles/workstation/tasks/nfs.yml create mode 100644 ansible/roles/workstation/tasks/packages-claude-fixe-fedora.yml create mode 100644 ansible/roles/workstation/tasks/packages-claude-thinkpad-fedora.yml create mode 100644 ansible/roles/workstation/tasks/packages-common.yml create mode 100644 ansible/roles/workstation/tasks/packages-post.yml create mode 100644 ansible/roles/workstation/tasks/packages-prerequisites.yml create mode 100644 ansible/roles/workstation/tasks/repositories.yml create mode 100644 ansible/roles/workstation/tasks/scripts.yml create mode 100644 ansible/roles/workstation/tasks/shell.yml create mode 100644 ansible/roles/workstation/tasks/system.yml create mode 100644 ansible/roles/workstation/tasks/wireguard.yml create mode 100644 ansible/roles/workstation/templates/chezmoi.toml.j2 create mode 100755 ansible/roles/workstation/vars/claude-fixe-fedora.yml create mode 100755 ansible/roles/workstation/vars/claude-thinkpad-fedora.yml 
create mode 100644 cluster/apps/data/bookstack/secrets.sops.yaml delete mode 100644 cluster/apps/data/bookstack/secrets.yaml create mode 100644 cluster/apps/development/gitea/secrets.sops.yaml delete mode 100644 cluster/apps/development/gitea/secrets.yaml create mode 100644 cluster/apps/home-automation/home-assistant/token.sops.yaml delete mode 100644 cluster/apps/home-automation/home-assistant/token.yaml delete mode 100644 cluster/apps/monitoring/terra-exporter/deployment.yaml delete mode 100644 cluster/apps/monitoring/terra-exporter/kustomization.yaml delete mode 100644 cluster/apps/monitoring/terra-exporter/podmonitor.yaml create mode 100644 cluster/configuration/secrets/cluster-secrets.sops.yaml delete mode 100644 cluster/configuration/secrets/cluster-secrets.yaml delete mode 100644 cluster/configuration/secrets/drone-pipelines.yaml delete mode 100644 cluster/configuration/secrets/regcred.yaml delete mode 100644 cluster/core/cert-manager/secret.enc.yaml create mode 100644 cluster/core/cert-manager/secret.sops.yaml delete mode 100644 cluster/core/flux-system/notifications/discord/secret.enc.yaml create mode 100644 cluster/core/flux-system/notifications/discord/secret.sops.yaml rename {server/scripts => scripts}/transcode_music/transcode.bash (100%) rename {server/scripts => scripts}/transcode_music/transcode_exclude.cfg (100%) delete mode 100644 server/ansible/ansible.cfg delete mode 100644 server/ansible/inventory/group_vars/all/calico-settings.yml delete mode 100644 server/ansible/inventory/group_vars/all/k3s-settings.yml delete mode 100644 server/ansible/inventory/group_vars/all/rsyslog-settings.yml delete mode 100644 server/ansible/inventory/group_vars/all/ubuntu-settings.yml delete mode 100644 server/ansible/inventory/group_vars/server-nodes/k3s-settings.yml delete mode 100644 server/ansible/inventory/host_vars/k3s-server.yml delete mode 100644 server/ansible/inventory/host_vars/k3s-worker1.yml delete mode 100644 
server/ansible/inventory/host_vars/k3s-worker2.yml delete mode 100644 server/ansible/inventory/host_vars/k3s-worker3.yml delete mode 100644 server/ansible/inventory/hosts.yml delete mode 100644 server/ansible/playbooks/k3s/install.yml delete mode 100644 server/ansible/playbooks/k3s/nuke.yml delete mode 100644 server/ansible/playbooks/k3s/prune.yml delete mode 100644 server/ansible/playbooks/k3s/upgrade.yml delete mode 100644 server/ansible/playbooks/power-outage/shutdown.yml delete mode 100644 server/ansible/playbooks/rook-ceph/nuke.yaml delete mode 100644 server/ansible/playbooks/ubuntu/upgrade.yml delete mode 100644 server/ansible/requirements.txt delete mode 100644 server/ansible/requirements.yml delete mode 100644 server/ansible/roles/.gitignore delete mode 100644 server/ansible/roles/k3s/tasks/calico.yml delete mode 100644 server/ansible/roles/k3s/tasks/kubeconfig.yml delete mode 100644 server/ansible/roles/k3s/tasks/main.yml delete mode 100644 server/ansible/roles/k3s/tasks/registry.yml delete mode 100644 server/ansible/roles/k3s/templates/calico-installation.yaml.j2 delete mode 100644 server/ansible/roles/k3s/templates/registries.yaml.j2 delete mode 100644 server/ansible/roles/ubuntu/tasks/boot.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/disks.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/filesystem.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/host.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/kernel.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/locale.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/main.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/network.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/packages.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/power-button.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/rsyslog.yml delete mode 100644 server/ansible/roles/ubuntu/tasks/unattended-upgrades.yml delete mode 100644 
server/ansible/roles/ubuntu/tasks/user.yml delete mode 100644 server/ansible/roles/ubuntu/templates/resolv.conf delete mode 100644 server/ansible/roles/ubuntu/templates/rsyslog-50-promtail.conf.j2 delete mode 100644 server/ansible/roles/ubuntu/vars/main.yml diff --git a/.sops.yaml b/.sops.yaml index 820752ea7..58bcf0450 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,5 +1,11 @@ creation_rules: - - encrypted_regex: "^(data|stringData)$" - pgp: >- - 19B850FBA7685A526CF11E5F9BBE834259976EE8, - 5749D0AE39445C1CCA6006DF8913091C690BDD69 + - path_regex: cluster/.*\.sops\.ya?ml + encrypted_regex: "^(data|stringData)$" + key_groups: + - age: + - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + - path_regex: ansible/.*\.sops\.ya?ml + unencrypted_regex: "^(kind)$" + key_groups: + - age: + - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg diff --git a/README.md b/README.md index 2c3d42168..9dd499b4b 100644 --- a/README.md +++ b/README.md @@ -27,25 +27,20 @@ flux bootstrap github \ --network-policy=false ``` -## SOPS secret from GPG key +## SOPS secret from age key ```bash -gpg \ - --export-secret-keys \ - --armor | \ - kubectl create secret generic sops-gpg \ - --namespace=flux-system \ - --from-file=sops.asc=/dev/stdin +age-keygen -o $HOME/sops/age/key.txt +cat $HOME/sops/age/key.txt | +kubectl create secret generic sops-age \ +--namespace=flux-system \ +--from-file=$HOME/sops/age/key.txt=/dev/stdin ``` ## Encrypt kubernetes resources with sops binary ```bash -sops \ - --encrypt \ - --pgp= \ - --encrypted-regex '^(data|stringData)$' \ - --in-place +sops --encrypt --in-place ``` ## Install pre-commit hooks diff --git a/ansible/.envrc b/ansible/.envrc new file mode 100644 index 000000000..a978e813c --- /dev/null +++ b/ansible/.envrc @@ -0,0 +1,2 @@ +#shellcheck disable=SC2148,SC2155 +export ANSIBLE_CONFIG=$(expand_path ./ansible.cfg) diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg new file mode 100644 index 000000000..5869cbfc4 --- /dev/null 
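Review bot: Both new creation rules in .sops.yaml list exactly one age recipient, so every Ansible and cluster secret in the repository now depends on a single key file; if that file is lost nothing can be decrypted, and if it leaks every file must be re-encrypted to a fresh key. A second recipient per rule (an offline backup key, `- <BACKUP_AGE_RECIPIENT>` as a placeholder) under each `key_groups: - age:` list lets `sops updatekeys` rotate without a window where files are unreadable. The two rules also differ in shape (cluster: `encrypted_regex`, ansible: `unencrypted_regex`), which is intentional but worth a one-line comment above each rule so the next editor does not "harmonise" them.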
+++ b/ansible/ansible.cfg
@@ -0,0 +1,35 @@
+[defaults]
+# General settings
+nocows = True
+executable = /bin/bash
+stdout_callback = yaml
+force_valid_group_names = ignore
+# File/Directory settings
+log_path = ~/.ansible/ansible.log
+inventory = ./inventory
+roles_path = ~/.ansible/roles:./roles
+collections_path = ~/.ansible/collections
+remote_tmp = ~/.ansible/tmp
+local_tmp = ~/.ansible/tmp
+# Fact Caching settings
+fact_caching = jsonfile
+fact_caching_connection = ~/.ansible/facts_cache
+# SSH settings
+remote_port = 22
+timeout = 60
+host_key_checking = False
+# Plugin settings
+vars_plugins_enabled = host_group_vars,community.sops.sops
+
+[inventory]
+unparsed_is_failed = true
+
+[privilege_escalation]
+become = True
+
+[ssh_connection]
+scp_if_ssh = smart
+retries = 3
+ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o Compression=yes -o ServerAliveInterval=15s
+pipelining = True
+control_path = %(directory)s/%%h-%%r
diff --git a/ansible/inventory/group_vars/all/all.sops.yml b/ansible/inventory/group_vars/all/all.sops.yml
new file mode 100644
index 000000000..467756a20
--- /dev/null
+++ b/ansible/inventory/group_vars/all/all.sops.yml
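Review bot: `host_key_checking = False` under `[defaults]` turns off SSH host-key verification for every connection, and the new host_vars files authenticate with `ansible_password`, so a credential is sent to whichever host answers at the inventory address without any identity check. Prefer dropping the line (the default is True) and seeding `~/.ssh/known_hosts` once, e.g. with a comment in its place: `# host_key_checking left at the default (True); populate known_hosts before the first run`. If the first bootstrap genuinely needs it, set `ANSIBLE_HOST_KEY_CHECKING=False` for that one invocation instead of baking it into the config.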
@@ -0,0 +1,24 @@
+kind: Secret
+SECRET_DOMAIN: ENC[AES256_GCM,data:n+Lk4Mw+/akb1XA=,iv:5kXTjxflpwZM3vlkZde4S8O9RM8V0Ij5zHhmt67IKXg=,tag:AXQguN0ZVM89qpNQDXDKXA==,type:str]
+SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:nzhB4YHDYvQwTjRdTUGj,iv:emxp70PPzGPJP2x3LlCRRzh0gTNohnvI9Nr+f+PFZwo=,tag:m44ScVH/9hNxiYRdVx2xrA==,type:str]
+SECRET_EMAIL_DOMAIN: ENC[AES256_GCM,data:Xu0RNCdH+AUHpoq2c9Q=,iv:RxBNXZU2tXqv78Orkf/aWTrKVTHVDurnX/YldvNRl/o=,tag:DJZk/5QAnUUzeEwsRidUCQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dGgya0lVNUtvMEhmWFpm
+ dE8wdkppSEZiMjVteS9pZkxFaUltQ0VlUzNFCk1oVzVHTVIxVnIvL21YemtZVmJz
+ a3lmMnJaNGI2NXlUKzduS1ZVa1o5amcKLS0tICtLS2pRZjk4U285TzJnV0J3MUkw
+ c3JkOFZzYnpINjQ5QnNkaE9IYUdXL3MKsBelDv/z5nTYC6/1Zm8kmzqEoLBVPnhy
+ v0v/6n1GksmzslbNdKhy+xtxHYrqouhc2P4hNi0R8p8u76RXERN5fg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-07-03T14:39:29Z"
+ mac: ENC[AES256_GCM,data:Ny+6wcVbhfKt3lrB8mJTH29VS0ikuTBvU4Rf7dSXVWx/8y/RB+NlhY8Ul9frxH9J0QxCB3sKw0ur3OLg5FS+cuDa8QjO0MLgSDLcleHDwF7t2uiKX1RPMR1uvAlJzD/c9Meord+xfHv1XSjs80mPXuApr03o+pV1pSpf/0XgntY=,iv:Uq3+LEvQAoH1O0EYFX/gxuaIEjycPbik/Etdhpz8h2k=,tag:Btvd9va/CmOY6ruYXvdPVQ==,type:str]
+ pgp: []
+ unencrypted_regex: ^(kind)$
+ version: 3.7.3
diff --git a/ansible/inventory/group_vars/all/k3s.yml b/ansible/inventory/group_vars/all/k3s.yml
new file mode 100644
index 000000000..2681f0858
--- /dev/null
+++ b/ansible/inventory/group_vars/all/k3s.yml
@@ -0,0 +1,34 @@
+---
+timezone: Europe/Paris
+
+public_ssh_keys:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+GMHgvbtf6f7xUMAQR+vZFfD/mIIfIDNX5iP8tDRXZ claude@claude-thinkpad-fedora"
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo7E0oAOzaq0XvUHkWvZSC8u1XxX8dDCq3bSyK2BCen claude@claude-fixe-fedora"
+
+packages:
+ - "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm"
+ - "https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm"
+ - dnf-automatic
+ - dnf-utils
+ - fish
+ - hdparm
+ - htop
+ - intel-gpu-tools
+ - ipvsadm
+ # TODO(ansible): Might be required for newer Intel CPU generations
+ # https://ask.fedoraproject.org/t/intel-graphics-best-practices-and-settings-for-hardware-acceleration/21119
+ # - intel-media-driver
+ # - mesa-dri-drivers
+ # - libva-intel-driver
+ # - libva-intel-hybrid-driver
+ # - libva-utils
+ # - libva-vdpau-driver
+ # - libvdpau-va-gl
+ - lm_sensors
+ - nano
+ - nvme-cli
+ - socat
+ - cockpit-pcp
+
+k3s_registration_address: 192.168.9.100
+k3s_become: true
diff --git a/ansible/inventory/group_vars/master/k3s.yml b/ansible/inventory/group_vars/master/k3s.yml
new file mode 100644
index 000000000..f88054679
--- /dev/null
+++ b/ansible/inventory/group_vars/master/k3s.yml
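Review bot: The two RPM Fusion release packages at the top of `packages` are installed straight from a URL; dnf's signature check covers packages that come from a configured repository, whereas a package given as a file or URL is only verified when `localpkg_gpgcheck` is enabled, which it is not by default, so the integrity of these two downloads rests on TLS alone. The task that consumes this list is outside the hunk, so whether the dnf module's `disable_gpg_check` setting or a pre-imported key changes that cannot be confirmed here. Consider importing the RPM Fusion signing key with an `rpm_key` task before this list is installed and adding a comment next to the two entries, e.g. `# release RPMs fetched by URL: signature is only checked when localpkg_gpgcheck is on`. Separately, the file is named k3s.yml but carries the timezone, SSH keys and package list for every host; a name that matches its content (e.g. `all.yml`) would make the inventory easier to navigate.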
@@ -0,0 +1,71 @@
+---
+# https://rancher.com/docs/k3s/latest/en/installation/install-options/server-config/
+# https://github.com/PyratLabs/ansible-role-k3s#server-control-plane-configuration
+
+# Define the host as control plane nodes
+k3s_control_node: true
+
+k3s_etcd_datastore: false
+
+# k3s settings for all control-plane nodes
+k3s_server:
+ node-ip: "{{ ansible_host }}"
+ tls-san:
+ # # kube-vip
+ # - "{{ kubevip_address }}"
+ # haproxy
+ - "{{ k3s_registration_address }}"
+ docker: false
+ flannel-backend: "none" # This needs to be in quotes
+ disable:
+ - flannel
+ - traefik
+ - servicelb
+ - metrics-server
+ - local-storage
+ disable-network-policy: true
+ disable-cloud-controller: true
+ # Network CIDR to use for pod IPs
+ cluster-cidr: "10.95.0.0/16"
+ # Network CIDR to use for service IPs
+ service-cidr: "10.96.0.0/16"
+ # Required to monitor component with kube-prometheus-stack
+ #etcd-expose-metrics: true
+ kubelet-arg:
+ # Enable Alpha/Beta features
+ - "feature-gates=EphemeralContainers=true,MixedProtocolLBService=true,ReadWriteOncePod=true"
+ # Allow pods to be rescheduled quicker in the case of a node failure
+ # https://github.com/k3s-io/k3s/issues/1264
+ - "node-status-update-frequency=4s"
+ kube-controller-manager-arg:
+ # Enable Alpha/Beta features
+ - "feature-gates=EphemeralContainers=true,MixedProtocolLBService=true,ReadWriteOncePod=true"
+ # Required to monitor component with kube-prometheus-stack
+ - "bind-address=0.0.0.0"
+ # Allow pods to be rescheduled quicker in the case of a node failure
+ # https://github.com/k3s-io/k3s/issues/1264
+ - "node-monitor-period=4s"
+ - "node-monitor-grace-period=16s"
+ - "pod-eviction-timeout=20s"
+ kube-proxy-arg:
+ # Enable Alpha/Beta features
+ - "feature-gates=EphemeralContainers=true,MixedProtocolLBService=true,ReadWriteOncePod=true"
+ # Required to monitor component with kube-prometheus-stack
+ - "metrics-bind-address=0.0.0.0"
+ kube-scheduler-arg:
+ # Enable Alpha/Beta features
+ - 
"feature-gates=EphemeralContainers=true,MixedProtocolLBService=true,ReadWriteOncePod=true"
+ # Required to monitor component with kube-prometheus-stack
+ - "bind-address=0.0.0.0"
+ kube-apiserver-arg:
+ # Enable Alpha/Beta features
+ - "feature-gates=EphemeralContainers=true,MixedProtocolLBService=true,ReadWriteOncePod=true"
+ # Required for HAProxy health-checks
+ - "anonymous-auth=true"
+ # Allow pods to be rescheduled quicker in the case of a node failure
+ # https://github.com/k3s-io/k3s/issues/1264
+ - "default-not-ready-toleration-seconds=20"
+ - "default-unreachable-toleration-seconds=20"
+ # Stop k3s control plane having workloads scheduled on them
+ node-taint:
+ - "node-role.kubernetes.io/control-plane:NoSchedule"
diff --git a/server/ansible/inventory/group_vars/worker-nodes/k3s-settings.yml b/ansible/inventory/group_vars/worker/k3s.yml
similarity index 50%
rename from server/ansible/inventory/group_vars/worker-nodes/k3s-settings.yml
rename to ansible/inventory/group_vars/worker/k3s.yml
index 35ae1b9ff..8c7e94c80 100644
--- a/server/ansible/inventory/group_vars/worker-nodes/k3s-settings.yml
+++ b/ansible/inventory/group_vars/worker/k3s.yml
@@ -8,6 +8,9 @@ k3s_control_node: false
 # k3s settings for all worker nodes
 k3s_agent:
 node-ip: "{{ ansible_host }}"
- node-label:
- #- "kubernetes.io/role=worker"
- - "k3s-upgrade=true"
+ kubelet-arg:
+ # Enable Alpha/Beta features
+ - "feature-gates=EphemeralContainers=true,MixedProtocolLBService=true,ReadWriteOncePod=true"
+ # Allow pods to be rescheduled quicker in the case of a node failure
+ # https://github.com/k3s-io/k3s/issues/1264
+ - "node-status-update-frequency=4s"
diff --git a/ansible/inventory/host_vars/k3s-master.sops.yaml b/ansible/inventory/host_vars/k3s-master.sops.yaml
new file mode 100644
index 000000000..4a22c00b2
--- /dev/null
+++ b/ansible/inventory/host_vars/k3s-master.sops.yaml
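Review bot: `anonymous-auth=true` under `kube-apiserver-arg` re-enables unauthenticated requests to the API server, which k3s turns off by default, and the only justification recorded is the HAProxy health-check. With the default RBAC bindings an anonymous caller only reaches the public endpoints (`/healthz`, `/livez`, `/readyz`, `/version`), so the exposure is bounded, but any later ClusterRoleBinding that names `system:unauthenticated` or `system:anonymous` would widen it without anything in this file flagging it. Expand the comment to record that contract, e.g. `# Required for HAProxy health-checks on /healthz; anonymous callers get only the default public-info-viewer endpoints — never bind extra roles to system:unauthenticated`, and if the HAProxy check only needs to see a live TLS listener, `ssl-hello-chk` or a `tcp-check` would let this stay at the k3s default of false. The enclosing `k3s_server` mapping starts in the previous physical line.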
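Review bot: The `feature-gates=...` string added under `kubelet-arg` in worker/k3s.yml is a verbatim copy of the one that now appears five times in master/k3s.yml, so a typo in any one copy leaves the components disagreeing on which gates are on, with nothing to catch it. Define it once in group_vars/all, e.g. `k3s_feature_gates: "EphemeralContainers=true,MixedProtocolLBService=true,ReadWriteOncePod=true"`, and reference it as `- "feature-gates={{ k3s_feature_gates }}"` in every `*-arg` list. The hunk also drops the `k3s-upgrade=true` node-label; if a system-upgrade-controller Plan selects agents by that label (not visible in this diff) the workers would silently stop being upgraded, so that removal deserves a line in the commit message or a comment.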
@@ -0,0 +1,23 @@
+kind: Secret
+ansible_password: ENC[AES256_GCM,data:NTaCi8mqE7kAQA==,iv:yfHBgrBCf2CqWPyuVTKSwH/WUy6bkgiSoyL4hWQHG7s=,tag:e3311IReXe0RHGgttNg3pg==,type:str]
+ansible_become_pass: ENC[AES256_GCM,data:ChsZxKZ1qvICFA==,iv:vuc4eZG4Ls2CiSP/vLazCy/sZkiPjjpGPZr97CvIoX4=,tag:onYhcvFkmAMN6PTFSp0Ikg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5azdoWUV2SWdxaDl1NXVF
+ U1pvRjBncEpzM2E4TEs1MGlRbTRseG1zS0dNCnF6QmRmNU1iZ0J5K28rSlB4emFF
+ ODlnU1lXVFZrTHlyTEg5VlFXUERJNGcKLS0tIGhMQUhsa0xaUVU0RTRpbkx0Vk5r
+ NjJBcHVOSmUvNkt3b3I3dmJwTlJWS3MKw/hRA/oh1fiWts2aqbzTV3TTTcnSk3mi
+ fsw9jQF3QRL5PGbdT6iz7j58IokV32ilJubQHtfrxus29hd/qAn0yQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-07-03T14:40:36Z"
+ mac: ENC[AES256_GCM,data:c5yyBdFVs1wqDe8nsQOLeSzFv4QJ2n+VbrSf0dP5oW8593WBcdI8fXn9Q8fdY+wN2BOLn5vRdXBx7btlw0OrEIOOZ/Wz9tUxqIEUFZU6tT4TIB9g5jEqMgs2eKJmgLUoW/fcPC6QJ8ATApF6y8lI4RIV2LOItqK4AUpiVy4E2SU=,iv:kfrYGRaKY37OEl8ilrFFkRkItHpz/1VuAgWimjhujGA=,tag:STGaUOdwNlOAMcbU3Po1HQ==,type:str]
+ pgp: []
+ unencrypted_regex: ^(kind)$
+ version: 3.7.3
diff --git a/ansible/inventory/host_vars/k3s-worker1.sops.yaml b/ansible/inventory/host_vars/k3s-worker1.sops.yaml
new file mode 100644
index 000000000..7c5c64e08
--- /dev/null
+++ b/ansible/inventory/host_vars/k3s-worker1.sops.yaml
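Review bot: This host_vars file, and the identical ones for k3s-worker1, k3s-worker2 and k3s-worker3, carry `ansible_password` next to `ansible_become_pass`, so the SSH login to every cluster node is password-based even though group_vars/all/k3s.yml distributes `public_ssh_keys` to the same hosts. Once the keys are in place, drop `ansible_password` and keep only `ansible_become_pass` (or a passwordless sudo rule for the Ansible user) so the nodes' sshd can run with `PasswordAuthentication no`; whether sshd is configured that way is not visible in this diff. A comment in the file, e.g. `# ansible_password is only needed for the initial bootstrap before public_ssh_keys are deployed`, would make the intended lifetime of the value explicit.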
@@ -0,0 +1,23 @@
+kind: Secret
+ansible_password: ENC[AES256_GCM,data:AihMvIUjgEpCjg==,iv:Bk9uFrbhOvlQvoYaJz+JhtMJTAiQ0u9TcaS8eKO0+fE=,tag:R2sLCjH/my9kcsu4Ddg9jg==,type:str]
+ansible_become_pass: ENC[AES256_GCM,data:nR/Wkn8NqM3vaA==,iv:iV8c6Qg59qKtHoaQReUTX+KDB+iSboxpSM/K8+gcZvQ=,tag://89MQ4jmQPib/D595YTbA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZSs4aVZ5VGdyVllEMXl3
+ c2NGS2d0dkd4NVZlSVlBd2V3RVEzQ2FiaHlrCld0SkNKUjcvRHNEQ1dZZFUzM014
+ ejd5QW5uUzJmMERLR2h4R2M3UmdKWU0KLS0tIFdYOStkVG40TXIzVjRkK0RzZStj
+ UmhGcmVidTVKbWQ5VVpHSklYN2NyWGMKsfv/KG02qk3EJoNJQ9HNl1iyfyic6Puf
+ 5owrc62PfohWnLVQby9SaVK80PJVaMRU/kcHIJvbt1Iv2f47qpKczg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-07-03T14:40:40Z"
+ mac: ENC[AES256_GCM,data:6BqgWJTOzQKwu6Mr7/2WemzOmFNnIilSLH9LPG01UtvaO7FnOQXV1ezgYntKdSXGJWza/pvvqDURaBT7O7Rwv5kR25B6Fo3XWdVSuTLf+N4fGnWKiINaa6UjZhosm5KLs7VB0I3eiBTcHrxqb9jupgPkUErwy0H0LT8yLYRGpe8=,iv:kXeAB7zUoZoZPgEntWV80DNKSEiFiH4xQtbYpStO36U=,tag:gWusG9MGl+bYcjYfQGMbWA==,type:str]
+ pgp: []
+ unencrypted_regex: ^(kind)$
+ version: 3.7.3
diff --git a/ansible/inventory/host_vars/k3s-worker2.sops.yaml b/ansible/inventory/host_vars/k3s-worker2.sops.yaml
new file mode 100644
index 000000000..79d6996e4
--- /dev/null
+++ b/ansible/inventory/host_vars/k3s-worker2.sops.yaml
@@ -0,0 +1,23 @@
+kind: Secret
+ansible_password: ENC[AES256_GCM,data:495JSVNY5Rn0hg==,iv:ZvJb1M4Ys8FkQpekm5jnGWKE5q63Z44OUhhtYWsJUvQ=,tag:KxgvJbsEMsdYu59yCOCjMg==,type:str]
+ansible_become_pass: ENC[AES256_GCM,data:O8lTma7A2n6+5g==,iv:ggmSecFPtTI9vy81of5I6AHnRX2YWOw0VtVldv4PZmo=,tag:IfIuN8xcKHBF6Ojlmki5Tw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0d21nNHZQRkloNnd1M2xF
+ RlJCUzBZK04rQ1RSa0hFSXUrVTlzK0V1dEdjCkg0ZnVJNGJOZjN3RlZ2RGRmRFdV
+ akRPQzhwN3NqNHJlK0o1VVFncDVnd1kKLS0tIDhhRGlhNXJmanM5amR6eHZERElj
+ RndiYkJFaWZuUmVIU3JwSWYzTFZlS3cKHFe4yce/091eEvtrSBYggNgyO88eHA4s
+ 3TvjHmS7tLv7BnBAT9LLcQVSIW0UOszzF3PvVWIqFqzB/wn0j370kw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-07-03T14:40:42Z"
+ mac: ENC[AES256_GCM,data:qFIsrbqI+c3fe88H40KkWhwOnZ2aePoorpfxeTjhBtPviT4jBMvIGYZKULCehcdULNMxe7QWuPWsdYY/o5ruqZC49/OrV9qI0XVU6gdiCsM1jcXXiyFkVFfMoMhj5c5yAIMoUKRWbZe2kFtJxaG7ng8VusMgCc9f7LofWiFToVo=,iv:BI2hEL/AsaZoZ4RL7QNy4vins877XgZwxCdJ0ciFEUo=,tag:7tOEfmkFEApTy5wIgJLEBA==,type:str]
+ pgp: []
+ unencrypted_regex: ^(kind)$
+ version: 3.7.3
diff --git a/ansible/inventory/host_vars/k3s-worker3.sops.yaml b/ansible/inventory/host_vars/k3s-worker3.sops.yaml
new file mode 100644
index 000000000..800eee362
--- /dev/null
+++ b/ansible/inventory/host_vars/k3s-worker3.sops.yaml
@@ -0,0 +1,23 @@ +kind: Secret +ansible_password: ENC[AES256_GCM,data:n0ASYgah4hAFvw==,iv:P0OPjAGh4AWkw0HUpBNEom6twa3sAXsh0Ei+2UDj/qo=,tag:GNcmaw2BQr5TV755NL/0vw==,type:str] +ansible_become_pass: ENC[AES256_GCM,data:a2wZnzPgf91HvQ==,iv:8wIjFmwSkYZIZmLLhvZTG1EnMmNffuSoPkpao6Kk9wI=,tag:gta1yPH1tRzBdViIO9WOAg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQL2pJWVRDU0lBVVgxNkd6 + MStqdFRFNGdwTEpUWUxEaVVMUVBkY2RXWFUwCmJmbGZnMzVPZjhQMWh0eWhybXdi + K1FIa1YrNDZjMnhONDBiSEFtTW80WlkKLS0tIHJJTFpINUowclNUZXVsa2I1Vjdw + NkhyZm5SVnlBYWxlajh6NjV0OVBCSE0Kl6ovgsGkzq4XetwG5b77mvztpa3bD5ej + mWlPbSV66yw4eENVuDtZRX5/lrnbW7EqkwjfGoEJ9YGA7ya0G6IVQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-03T14:40:44Z" + mac: ENC[AES256_GCM,data:/AA8sbAxsYhGAad8/ymYq0YgzwmNvnnwK+p9J7+NUpFC9YGWwuR/dV8oxKzqOs/zEzFTwyBTvOrGeQ59xyJ/Id/xSt5Av0FTmrOXQxFwIOsMUsH5RP8khQpp9yO1c2cvxwNLi1oWGzLLE63Zl2JwutQdTVH0KgibPhtdL0sV8eQ=,iv:rTpWgrMAZrCymFqKGcEGOyQJdPAw/SmeW8vdVNX/Ptg=,tag:rlg3dcQhVwcXUKkEc4Jdww==,type:str] + pgp: [] + unencrypted_regex: ^(kind)$ + version: 3.7.3 diff --git a/ansible/inventory/host_vars/truenas-remote.sops.yaml b/ansible/inventory/host_vars/truenas-remote.sops.yaml new file mode 100644 index 000000000..5965e79fb --- /dev/null +++ b/ansible/inventory/host_vars/truenas-remote.sops.yaml 
@@ -0,0 +1,23 @@ +kind: Secret +root_api_key: ENC[AES256_GCM,data:e+g6jvxD9kBSYVbzGXR0QZZMAnxndPu04Dhs3UjNsjHyq+GQRlapPJDQmnTWFa11KaEK3lOiSmU4yxcRjbgG2t3a,iv:mLG+dFHrmndRm5fT4KU+TIOMiAg/urQ4Zv3YaRaoVlg=,tag:DXTWollNdF4o2Pe2qdyufw==,type:str] +ansible_host: ENC[AES256_GCM,data:ldsDTnydWPMnAnOiSlVrkiiL6w==,iv:luNgXdV3uBRaGzBIlw4E5UrZqKBaakgwc+9YC9xXInM=,tag:MldHmJpsOqe7oJMA83Xm9g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVy9DRjhqOW05Wm4rNXZo + bFJxem9UZjNSQW5UaTRZaWQ1clZQSHJrNHpVCmo3Y0RPd1BRRC9ZZHJ0SndSUXJv + UkpPWTNOUWFPL1hCUGJrTFBPZml5QncKLS0tIGI5UUJKMXR0d1d3ZzRDSURuWVFl + ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2 + R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-04T18:20:37Z" + mac: ENC[AES256_GCM,data:IzuN61G8NkZwqNDkIQQPNVODoxgPQieRlSTcInajbBUdHHdVkFRlyLI2INoGd1RDDV06NsmJPM3Yj6fRlWlF4iRCO60cEHgnSyq3FRcFa6oKe9f5p5hmIBin8KMIAQOinNf8/4kqUpkZOFeY/fViBayin1cYgJ2MlMYtZRFVt0A=,iv:2DNQdjHRbtTlTgSVOrS/UTeSaVOhldbf+ek2e1gNv5s=,tag:ef/4Xtbf/021Z5NHv8Up9A==,type:str] + pgp: [] + unencrypted_regex: ^(kind)$ + version: 3.7.3 diff --git a/ansible/inventory/host_vars/truenas-remote.yaml b/ansible/inventory/host_vars/truenas-remote.yaml new file mode 100644 index 000000000..40302316b --- /dev/null +++ b/ansible/inventory/host_vars/truenas-remote.yaml @@ -0,0 +1,3 @@ +main_nas: false +pool_name: vol1 +snapshots_interval: "daily:14,weekly:12,monthly:12,yearly:3" diff --git a/ansible/inventory/host_vars/truenas.sops.yaml b/ansible/inventory/host_vars/truenas.sops.yaml new file mode 100644 index 000000000..2f9a8f054 --- /dev/null +++ b/ansible/inventory/host_vars/truenas.sops.yaml 
@@ -0,0 +1,22 @@ +kind: Secret +root_api_key: ENC[AES256_GCM,data:Fhj1MGeHxe/A6O7uVjMrCEu7J4rsiWrhbXgbAenb5CunoRPu0XLV/227WAFc4wFkboFNnt3bjzugvdvM5w/0JSry,iv:7uuHkrSKGShhIso8RgIJsOSYOxBiyyM/D5Dg+IGDh1Y=,tag:dP4gfIIUAEBUm91h5IHSug==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtVllLOFcwWXVoNXZobFF1 + VGJmczlkL1V3blhvcnFzN2V6S1B1Ui81alRNClVEUWFmSWxKbENBRVZJN01PSWM5 + d2M3OHFhOGpadEdrWUIxZGpMNTR2aVkKLS0tIE84ZkxzTlBpZVlqR2xQRmM0V0ZR + aG5zWW1XclBOS2cxMkwzZ3c1R1psNGsKzeSHHV7AYXCUNiiXJlBRFVWMZtfK3naj + VRtF22+DYfjumQuwam2ZzhdLQ//1ciHnkJc58dKeTbYUHzC+fWpaZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-03T14:40:48Z" + mac: ENC[AES256_GCM,data:ple3qtcoOwSBg0AbkZSFAwySlvBYvk5/6jx3rsj1lptNDNGQyGd+X9oYqtAN+f58Q8y2Wbn+KwVWpKTvFzX6lEedv6iR0rFpPW6mMTX8Py8vboD2hCp96hpBMtNqf4JLIzPQoc5WG5kK88KDc17/M2HaQFPX56YSCHn0ABnH8Vg=,iv:o5WZqE3doTnpbFmBP77U6yKRvmCPgXVCjYQ0Z2VaR0I=,tag:e72lHlzwLX90pz36RJXsuw==,type:str] + pgp: [] + unencrypted_regex: ^(kind)$ + version: 3.7.3 diff --git a/ansible/inventory/host_vars/truenas.yaml b/ansible/inventory/host_vars/truenas.yaml new file mode 100644 index 000000000..120c07c29 --- /dev/null +++ b/ansible/inventory/host_vars/truenas.yaml @@ -0,0 +1,4 @@ +main_nas: true +pool_name: storage +service_s3: true +snapshots_interval: "daily:14,weekly:12,monthly:3" diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml new file mode 100644 index 000000000..c40d8b02e --- /dev/null +++ b/ansible/inventory/hosts.yml 
@@ -0,0 +1,40 @@ +--- +all: + hosts: + localhost: + ansible_connection: local + ansible_python_interpreter: /usr/bin/python3 + coreelec: + ansible_user: root + children: + truenas-instances: + hosts: + truenas: + truenas-remote: + ansible_port: 35875 + vars: + ansible_user: homelab +kubernetes: + children: + master: + hosts: + k3s-master: + ansible_host: 192.168.9.100 + ansible_user: fedora + ansible_ssh_port: 22 + worker: + hosts: + k3s-worker1: + ansible_host: 192.168.9.105 + rook_devices: + - /dev/nvme0n1 + k3s-worker2: + ansible_host: 192.168.9.106 + rook_devices: + - /dev/nvme0n1 + k3s-worker3: + ansible_host: 192.168.9.107 + rook_devices: + - /dev/nvme0n1 + vars: + ansible_user: fedora diff --git a/ansible/playbooks/bootstrap_ansible.yml b/ansible/playbooks/bootstrap_ansible.yml new file mode 100644 index 000000000..da906004d --- /dev/null +++ b/ansible/playbooks/bootstrap_ansible.yml @@ -0,0 +1,17 @@ +--- +- name: Boostrap host to enable Ansible playbooks + hosts: all + become: true + become_user: root + vars: + python_pwd: /usr/bin/python + python_package: python3 + tasks: + - name: Check for Python + raw: test -e {{ python_pwd }} + changed_when: false + failed_when: false + register: check_python + - name: Install Python + raw: pkg install -y {{ python_package }} + when: check_python.rc != 0 diff --git a/server/ansible/playbooks/ubuntu/prepare.yml b/ansible/playbooks/cluster-installation.yml similarity index 50% rename from server/ansible/playbooks/ubuntu/prepare.yml rename to ansible/playbooks/cluster-installation.yml index b98be53e2..4922f3c0a 100644 --- a/server/ansible/playbooks/ubuntu/prepare.yml +++ b/ansible/playbooks/cluster-installation.yml @@ -1,13 +1,13 @@ --- - hosts: - - server-nodes - - worker-nodes + - master + - worker become: true gather_facts: true any_errors_fatal: true pre_tasks: - - name: Pausing for 5 seconds... + - name: Pausing for 2 seconds... pause: - seconds: 5 + seconds: 2 roles: - - ubuntu + - installation.k3s 
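Review bot: `k3s-master` sets its connection port as `ansible_ssh_port: 22` while `truenas-remote` uses `ansible_port: 35875`; `ansible_ssh_port` is the legacy alias of `ansible_port`, and mixing the two in one inventory makes it easy to set one later and wonder why the other wins. Use `ansible_port` in both places, or simply drop the master's entry since 22 is the default.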
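Review bot: `Install Python` runs `pkg install -y python3` through `raw` on `hosts: all`, but `pkg` is the FreeBSD package manager, while the `kubernetes` hosts in `hosts.yml` are Fedora (`ansible_user: fedora`, managed with `ansible.builtin.dnf` in `cluster-prepare.yml`), so on any Fedora host that lacks `/usr/bin/python` the task simply fails. Scope the play to the hosts it was written for, e.g. `hosts: truenas-instances` (presumably the FreeBSD-based targets), or make the install command a per-group variable next to `python_package`. The probe `test -e /usr/bin/python` also only proves that an unversioned `python` exists; on a python3-only host it reports missing even though the interpreter Ansible would actually use is `/usr/bin/python3`, so test the path you intend to set as `ansible_python_interpreter`.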
diff --git a/ansible/playbooks/cluster-nuke.yml b/ansible/playbooks/cluster-nuke.yml
new file mode 100644
index 000000000..7e7aea084
--- /dev/null
+++ b/ansible/playbooks/cluster-nuke.yml
@@ -0,0 +1,29 @@
+---
+- hosts:
+ - master
+ - worker
+ become: true
+ gather_facts: true
+ any_errors_fatal: true
+ pre_tasks:
+ - name: Pausing for 2 seconds...
+ pause:
+ seconds: 2
+ - name: Uninstall k3s
+ include_role:
+ name: xanmanning.k3s
+ public: true
+ vars:
+ k3s_state: uninstalled
+ tasks:
+ - name: Gather list of CNI files
+ ansible.builtin.find:
+ paths: /etc/cni/net.d
+ patterns: "*"
+ hidden: true
+ register: directory_contents
+ - name: Delete CNI files
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ directory_contents.files }}"
diff --git a/ansible/playbooks/cluster-prepare.yml b/ansible/playbooks/cluster-prepare.yml
new file mode 100644
index 000000000..ee4615ae5
--- /dev/null
+++ b/ansible/playbooks/cluster-prepare.yml
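Review bot: The play uninstalls k3s and deletes everything under `/etc/cni/net.d` on every master and worker after only a 2-second non-interactive `pause`, so a mistyped `ansible-playbook cluster-nuke.yml` (or a wrong `-l` limit) is unrecoverable. Gate it on an explicit opt-in as the first `pre_tasks` entry, e.g. `ansible.builtin.assert:` with `that: nuke_confirm | default(false) | bool` and `fail_msg: "re-run with -e nuke_confirm=true"`, or an interactive `pause: prompt:` the operator has to acknowledge; `any_errors_fatal: true` then stops all hosts on the first refusal. The same guard fits `rook-nuke.yml`, which wipes the Ceph OSD devices.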
@@ -0,0 +1,167 @@ +--- +- hosts: + - master + - worker + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 2 seconds... + pause: + seconds: 2 + tasks: + - name: Locale + block: + - name: Locale | Set timezone + community.general.timezone: + name: "{{ timezone | default('America/New_York') }}" + - name: Networking + block: + - name: Networking | Set hostname to inventory hostname + ansible.builtin.hostname: + name: "{{ inventory_hostname }}" + when: + - ansible_hostname != inventory_hostname + - name: Networking | Update /etc/hosts to include inventory hostname + ansible.builtin.blockinfile: + path: /etc/hosts + block: | + 127.0.1.1 {{ inventory_hostname }} + - name: Packages + block: + - name: Packages | Improve dnf performance + ansible.builtin.blockinfile: + path: /etc/dnf/dnf.conf + block: | + defaultyes=True + deltarpm=True + install_weak_deps=False + max_parallel_downloads={{ ansible_processor_vcpus | default('8') }} + - name: Packages | Import rpmfusion keys + ansible.builtin.rpm_key: + state: present + key: "{{ item }}" + loop: + - https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-2020 + - https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020 + - name: Packages | Install required packages + ansible.builtin.dnf: + name: "{{ packages | default([]) }}" + state: present + update_cache: true + - name: Packages | Remove leaf packages + ansible.builtin.dnf: + autoremove: true + - name: Packages | Enable automatic downloads of updates + ansible.builtin.systemd: + service: dnf-automatic-download.timer + enabled: true + state: started + - name: User Configuration + block: + - name: User Configuration | Change shell to fish + ansible.builtin.user: + name: "{{ item }}" + shell: /usr/bin/fish + loop: + - root + - fedora + - name: User Configuration | Disable password sudo + ansible.builtin.lineinfile: + dest: /etc/sudoers + state: present 
+ regexp: "^%wheel" + line: "%wheel ALL=(ALL) NOPASSWD: ALL" + validate: visudo -cf %s + become: true + - name: User Configuration | Add additional SSH public keys + ansible.posix.authorized_key: + user: "{{ ansible_user }}" + key: "{{ item }}" + loop: "{{ public_ssh_keys | default([]) }}" + - name: System Configuration (1) + block: + - name: System Configuration (1) | Configure smartd + ansible.builtin.copy: + dest: /etc/smartd.conf + mode: 0644 + content: DEVICESCAN -a -o on -S on -n standby,q -s (S/../.././02|L/../../6/03) -W 4,35,40 + notify: Restart smartd + - name: System Configuration (1) | Disable firewalld + ansible.builtin.systemd: + service: firewalld.service + enabled: false + masked: true + state: stopped + - name: System Configuration (1) | Enable fstrim + ansible.builtin.systemd: + service: fstrim.timer + enabled: true + - name: System Configuration (1) | Enable chronyd + ansible.builtin.systemd: + service: chronyd + enabled: true + - name: System Configuration (2) + block: + - name: System Configuration (2) | Enable kernel modules now + community.general.modprobe: + name: "{{ item }}" + state: present + loop: [br_netfilter, overlay, rbd] + - name: System Configuration (2) | Enable kernel modules on boot + ansible.builtin.copy: + mode: 0644 + content: "{{ item }}" + dest: "/etc/modules-load.d/{{ item }}.conf" + loop: [br_netfilter, overlay, rbd] + - name: System Configuration (2) | Set sysctls + ansible.posix.sysctl: + name: "{{ item.key }}" + value: "{{ item.value }}" + sysctl_file: /etc/sysctl.d/99-kubernetes.conf + reload: true + with_dict: "{{ sysctl_config }}" + vars: + sysctl_config: + net.ipv4.ip_forward: 1 + net.ipv4.conf.all.forwarding: 1 + net.ipv4.conf.all.rp_filter: 0 + net.ipv4.conf.default.rp_filter: 0 + net.ipv6.conf.all.forwarding: 1 + net.bridge.bridge-nf-call-iptables: 1 + net.bridge.bridge-nf-call-ip6tables: 1 + fs.inotify.max_user_watches: 524288 + fs.inotify.max_user_instances: 512 + - name: System Configuration (2) | Disable 
swap + ansible.builtin.dnf: + name: zram-generator-defaults + state: absent + - name: System Configuration (2) | Disable SELinux + ansible.posix.selinux: + state: disabled + - name: System Configuration (2) | Disable mitigations + ansible.builtin.replace: + path: /etc/default/grub + regexp: '^(GRUB_CMDLINE_LINUX=(?:(?![" ]{{ item.key | regex_escape }}=).)*)(?:[" ]{{ item.key | regex_escape }}=\S+)?(.*")$' + replace: '\1 {{ item.key }}={{ item.value }}\2' + with_dict: "{{ grub_config }}" + vars: + grub_config: + mitigations: "off" + register: grub_status + - name: System Configuration (2) | Reconfigure grub and initramfs + ansible.builtin.command: "{{ item }}" + loop: + - grub2-mkconfig -o /boot/grub2/grub.cfg + - dracut --force --regenerate-all -v + when: grub_status.changed + notify: Reboot + + handlers: + - name: Reboot + ansible.builtin.reboot: + - name: Restart smartd + ansible.builtin.service: + name: smartd.service + enabled: true + state: restarted diff --git a/ansible/playbooks/coreelec.yml b/ansible/playbooks/coreelec.yml new file mode 100644 index 000000000..f6679330b --- /dev/null +++ b/ansible/playbooks/coreelec.yml @@ -0,0 +1,7 @@ +--- +- hosts: coreelec + become: true + gather_facts: true + any_errors_fatal: true + roles: + - role: coreelec diff --git a/ansible/playbooks/rook-nuke.yml b/ansible/playbooks/rook-nuke.yml new file mode 100644 index 000000000..e3a1ed600 --- /dev/null +++ b/ansible/playbooks/rook-nuke.yml 
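Review bot: `System Configuration (2) | Disable mitigations` appends `mitigations=off` to `GRUB_CMDLINE_LINUX`, which switches off the kernel's CPU side-channel mitigations (the Spectre/Meltdown/MDS family) on nodes that will run container workloads, and it runs unconditionally next to `Disable SELinux` (`state: disabled`) and the masked `firewalld`; three hardening layers are removed with no comment recording the trade-off. Make each an explicit opt-in, e.g. `when: disable_mitigations | default(false) | bool` on the grub task and a matching flag for SELinux (k3s ships a `k3s-selinux` policy, so enforcing mode is an option worth keeping), and add a one-line comment on each task saying why the homelab accepts the exposure. `Packages | Import rpmfusion keys` fetches two GPG keys from `rpmfusion.org` URLs with no `fingerprint:` argument, so whatever those URLs serve becomes a trusted package signer; `ansible.builtin.rpm_key` accepts `fingerprint:`, so pin the expected fingerprints there. Lastly, `Disable password sudo` writes `%wheel ALL=(ALL) NOPASSWD: ALL`, which together with the `public_ssh_keys` loop makes every listed key root-equivalent; that is a common homelab choice but deserves the same explanatory comment.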
@@ -0,0 +1,33 @@ +--- +- hosts: + - worker + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + pause: + seconds: 5 + tasks: + - name: Reset disks + block: + - name: Remove /var/lib/rook + ansible.builtin.file: + state: absent + path: "/var/lib/rook" + - name: Zap the drives + ansible.builtin.shell: > + sgdisk --zap-all {{ item }} || true + loop: + - "{{ rook_devices | default([]) }}" + - name: Remove lvm partitions + ansible.builtin.shell: "{{ item }}" + loop: + - ls /dev/mapper/ceph--* | xargs -I% -- fuser --kill % + - ls /dev/mapper/ceph--* | xargs -I% -- dmsetup clear % + - ls /dev/mapper/ceph--* | xargs -I% -- dmsetup remove -f % + - ls /dev/mapper/ceph--* | xargs -I% -- rm -rf % + - name: Wipe the block device + ansible.builtin.command: "wipefs -af {{ item }}" + with_items: + - "{{ rook_devices | default([]) }}" diff --git a/ansible/playbooks/truenas.yml b/ansible/playbooks/truenas.yml new file mode 100644 index 000000000..fcfce95e6 --- /dev/null +++ b/ansible/playbooks/truenas.yml @@ -0,0 +1,7 @@ +--- +- hosts: truenas-instances + become: false + gather_facts: true + any_errors_fatal: true + roles: + - role: truenas diff --git a/ansible/playbooks/workstation.yml b/ansible/playbooks/workstation.yml new file mode 100644 index 000000000..61d5d49c3 --- /dev/null +++ b/ansible/playbooks/workstation.yml @@ -0,0 +1,7 @@ +--- +- hosts: localhost + become: false + gather_facts: true + any_errors_fatal: true + roles: + - role: workstation diff --git a/ansible/requirements.yml b/ansible/requirements.yml new file mode 100644 index 000000000..6f4077d09 --- /dev/null +++ b/ansible/requirements.yml @@ -0,0 +1,13 @@ +--- +collections: + - name: ansible.posix + version: 1.4.0 + - name: community.general + version: 5.2.0 + - name: kubernetes.core + version: 2.3.2 + - name: community.sops + version: 1.2.3 +roles: + - src: xanmanning.k3s + version: v3.2.0 
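Review bot: In `Zap the drives`, `loop:` is given a one-item list whose single element is the templated `rook_devices` list, and `loop` does not flatten, so `item` should render as the whole list and the shell line becomes `sgdisk --zap-all ['/dev/nvme0n1'] || true`; the `|| true` then hides the error and the GPT is never zapped, while the later `wipefs` task uses `with_items`, which does flatten, and so works. Change it to `loop: "{{ rook_devices | default([]) }}"` (and use the same form for `wipefs` for consistency), and drop the `|| true` in favour of `failed_when` so a genuine zap failure is visible. The device paths come from inventory rather than untrusted input, so the shell interpolation is acceptable, but `ansible.builtin.command` would avoid the shell entirely for the `sgdisk` and `wipefs` calls.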
diff --git a/ansible/roles/coreelec/defaults/main.yml b/ansible/roles/coreelec/defaults/main.yml new file mode 100644 index 000000000..7b943df7f --- /dev/null +++ b/ansible/roles/coreelec/defaults/main.yml @@ -0,0 +1,6 @@ +--- +root_path: /storage +nfs_shares: + - music + - photo + - video diff --git a/ansible/roles/coreelec/files/backup.bash b/ansible/roles/coreelec/files/backup.bash new file mode 100644 index 000000000..2f1579f26 --- /dev/null +++ b/ansible/roles/coreelec/files/backup.bash @@ -0,0 +1,16 @@ +#!/bin/bash + +# Variables +FLAG_NOTIF=false + +DATE=`date +%Y%m%d%H%M` +BACKUP_PATH="/storage/backup" + +cd / + +tar cvf ${BACKUP_PATH}/${DATE}.tar \ + storage/.kodi storage/.config storage/.cache storage/.ssh \ + --exclude=storage/.kodi/userdata/Thumbnails + +# Keep the last 5 backups on disk +find ${BACKUP_PATH}/*.tar -mtime +5 -type f -delete diff --git a/ansible/roles/coreelec/tasks/backup.yml b/ansible/roles/coreelec/tasks/backup.yml new file mode 100644 index 000000000..8bc0c3756 --- /dev/null +++ b/ansible/roles/coreelec/tasks/backup.yml @@ -0,0 +1,13 @@ +--- +- name: backup | copy script + ansible.builtin.copy: + src: backup.bash + dest: /storage/backup.bash + mode: 0755 + +- name: backup | crontab + ansible.builtin.cron: + name: "daily backup" + minute: "14" + hour: "4" + job: "/storage/backup.bash && curl -fsS -m 10 --retry 5 -o /dev/null https://healthchecks.{{ SECRET_CLUSTER_DOMAIN }}/ping/aae30879-cfdf-4b90-889f-d4ff69dd8aad" diff --git a/ansible/roles/coreelec/tasks/main.yml b/ansible/roles/coreelec/tasks/main.yml new file mode 100644 index 000000000..445ef9052 --- /dev/null +++ b/ansible/roles/coreelec/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- ansible.builtin.include_tasks: backup.yml + tags: + - backup + +- ansible.builtin.include_tasks: nfs.yml + tags: + - nfs diff --git a/ansible/roles/coreelec/tasks/nfs.yml b/ansible/roles/coreelec/tasks/nfs.yml new file mode 100644 index 000000000..22dbff6bb --- /dev/null 
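Review bot: `backup.bash` archives `storage/.ssh` and `storage/.kodi` (which typically hold SSH keys and Kodi's stored credentials) into `${BACKUP_PATH}/${DATE}.tar` with whatever the default umask gives, so the tarball can be more readable than the files it contains; add `umask 077` before the `tar` call (or `chmod 600` the archive afterwards). The comment `Keep the last 5 backups on disk` does not match the code: `find ... -mtime +5 -type f -delete` removes archives older than five days, not all but the newest five, and the unquoted `${BACKUP_PATH}/*.tar` glob makes `find` error out when the directory is empty. `set -euo pipefail` is also missing, so the script's exit status is that of the final `find`, and a failed `tar` still lets the cron line in `backup.yml` ping healthchecks as a success.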
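Review bot: The cron `job:` embeds the healthchecks ping UUID `aae30879-cfdf-4b90-889f-d4ff69dd8aad` in the clear, although everything else in this patch that acts as a credential lives in a `*.sops.yaml`; anyone who can read the repository can spoof successful pings and silence the backup-failure alert. Move it to a SOPS-managed variable (e.g. `SECRET_HEALTHCHECKS_COREELEC_BACKUP`) referenced the same way as `SECRET_CLUSTER_DOMAIN`, then rotate the check's UUID since it is already in history. The `copy` task installs the script with `mode: 0755`; `0700` is enough because the play runs as root (`ansible_user: root` in `hosts.yml`) and the crontab entry is root's.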
+++ b/ansible/roles/coreelec/tasks/nfs.yml @@ -0,0 +1,19 @@ +--- +- name: nfs | create directories + ansible.builtin.file: + path: "{{ root_path }}/mnt/{{ item }}" + state: directory + loop: "{{ nfs_shares }}" + +- name: nfs | create system.d services + ansible.builtin.template: + src: "storage-nfs.mount" + dest: "/storage/.config/system.d/storage-mnt-{{ item }}.mount" + loop: "{{ nfs_shares }}" + +- name: nfs | activate system.d services + ansible.builtin.systemd: + name: storage-mnt-{{ item }}.mount + state: started + enabled: yes + loop: "{{ nfs_shares }}" diff --git a/ansible/roles/coreelec/templates/storage-nfs.mount b/ansible/roles/coreelec/templates/storage-nfs.mount new file mode 100644 index 000000000..acd929898 --- /dev/null +++ b/ansible/roles/coreelec/templates/storage-nfs.mount @@ -0,0 +1,16 @@ + #==================================================== +[Unit] +Description=TrueNAS nfs share {{ item }} +Requires=network-online.service +After=network-online.service +Before=kodi.service + +[Mount] +What=truenas:/mnt/storage/{{ item }} +Where=/storage/mnt/{{ item }} +Options= +Type=nfs + +[Install] +WantedBy=multi-user.target +#==================================================== \ No newline at end of file diff --git a/ansible/roles/installation.k3s/defaults/main.yml b/ansible/roles/installation.k3s/defaults/main.yml new file mode 100644 index 000000000..7229bf1f7 --- /dev/null +++ b/ansible/roles/installation.k3s/defaults/main.yml @@ -0,0 +1,2 @@ +--- +k3s_etcd_s3: false diff --git a/ansible/roles/installation.k3s/tasks/k3s.yml b/ansible/roles/installation.k3s/tasks/k3s.yml new file mode 100644 index 000000000..fc5d892d8 --- /dev/null +++ b/ansible/roles/installation.k3s/tasks/k3s.yml 
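Review bot: `Options=` in `storage-nfs.mount` is empty, so each share is mounted read-write with `suid` and `dev` honoured, meaning a setuid binary or device node placed on the NAS export becomes usable on the media box; if Kodi only reads `music`/`photo`/`video`, `Options=ro,nosuid,nodev,noexec` (or at least `nosuid,nodev`) limits the blast radius of a compromised NAS. The unit also declares `Requires=network-online.service` / `After=network-online.service`; on most systemd systems the readiness unit is `network-online.target`, so confirm CoreELEC really provides a service of that name, since an unresolvable `Requires=` can keep the mount from starting at all.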
@@ -0,0 +1,50 @@ +--- +- name: Check if cluster is installed + ansible.builtin.stat: + path: /etc/rancher/k3s/config.yaml + register: k3s_check_installed + check_mode: false + +- name: Set manifest facts + ansible.builtin.set_fact: + k3s_server_manifests_templates: [] + k3s_server_manifests_urls: [] + when: k3s_check_installed.stat.exists + +- name: Install Kubernetes + include_role: + name: xanmanning.k3s + public: true + vars: + k3s_state: installed + +- name: Copy kubeconfig to provision folder + run_once: true + ansible.builtin.fetch: + src: "/etc/rancher/k3s/k3s.yaml" + dest: "{{ playbook_dir }}/../../../cluster/kubeconfig" + flat: true + when: + - k3s_control_node is defined + - k3s_control_node + +- name: Update kubeconfig with the right IPv4 address + delegate_to: localhost + become: false + run_once: true + ansible.builtin.replace: + path: "{{ playbook_dir }}/../../../cluster/kubeconfig" + regexp: "https://127.0.0.1:6443" + replace: "https://{{ k3s_registration_address }}:6443" + +- name: Remove deployed manifest templates + ansible.builtin.file: + path: "{{ k3s_server_manifests_dir }}/{{ item | basename | regex_replace('\\.j2$', '') }}" + state: absent + loop: "{{ k3s_server_manifests_templates | default([]) }}" + +- name: Remove deployed manifest urls + ansible.builtin.file: + path: "{{ k3s_server_manifests_dir }}/{{ item.filename }}" + state: absent + loop: "{{ k3s_server_manifests_urls | default([]) }}" diff --git a/ansible/roles/installation.k3s/tasks/main.yml b/ansible/roles/installation.k3s/tasks/main.yml new file mode 100644 index 000000000..f046f4222 --- /dev/null +++ b/ansible/roles/installation.k3s/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- import_tasks: k3s.yml + tags: + - k3s 
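Review bot: `Copy kubeconfig to provision folder` fetches the cluster-admin `k3s.yaml` to `{{ playbook_dir }}/../../../cluster/kubeconfig`; with the playbooks now under `ansible/playbooks/` (this patch moves them up from `server/ansible/playbooks/ubuntu/`), three `..` resolve to the directory above the repository, so the credential lands at an unexpected path outside the tree where no `.gitignore` rule covers it. Re-check the relative path (probably `../../cluster/kubeconfig` now), and because `ansible.builtin.fetch` has no `mode:` option, follow the `replace` task with a `delegate_to: localhost` `ansible.builtin.file` task setting `mode: "0600"` so the fetched copy does not inherit a 0644 umask. `run_once: true` combined with `when: k3s_control_node` presumably only works because `master` precedes `worker` in the play's `hosts:`; delegating explicitly to `groups['master'][0]` would make that robust.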
diff --git a/server/ansible/roles/k3s/templates/calico-bgpconfiguration.yaml.j2 b/ansible/roles/installation.k3s/templates/calico/calico-bgpconfiguration.yaml.j2 similarity index 58% rename from server/ansible/roles/k3s/templates/calico-bgpconfiguration.yaml.j2 rename to ansible/roles/installation.k3s/templates/calico/calico-bgpconfiguration.yaml.j2 index 89cd115a8..538bcff55 100644 --- a/server/ansible/roles/k3s/templates/calico-bgpconfiguration.yaml.j2 +++ b/ansible/roles/installation.k3s/templates/calico/calico-bgpconfiguration.yaml.j2 @@ -4,5 +4,6 @@ kind: BGPConfiguration metadata: name: default spec: + asNumber: {{ calico_bgp_as_number }} serviceExternalIPs: - - cidr: {{ calico.bgp.externalIPs }} + - cidr: "{{ calico_bgp_external_ips }}" diff --git a/server/ansible/roles/k3s/templates/calico-bgppeer.yaml.j2 b/ansible/roles/installation.k3s/templates/calico/calico-bgppeer.yaml.j2 similarity index 53% rename from server/ansible/roles/k3s/templates/calico-bgppeer.yaml.j2 rename to ansible/roles/installation.k3s/templates/calico/calico-bgppeer.yaml.j2 index 818ffb8ea..bfa7cb01e 100644 --- a/server/ansible/roles/k3s/templates/calico-bgppeer.yaml.j2 +++ b/ansible/roles/installation.k3s/templates/calico/calico-bgppeer.yaml.j2 @@ -4,5 +4,5 @@ kind: BGPPeer metadata: name: global spec: - peerIP: {{ calico.bgp.peer }} - asNumber: {{ calico.bgp.as }} + peerIP: {{ calico_bgp_peer_ip }} + asNumber: {{ calico_bgp_as_number }} diff --git a/ansible/roles/installation.k3s/templates/calico/calico-installation.yaml.j2 b/ansible/roles/installation.k3s/templates/calico/calico-installation.yaml.j2 new file mode 100644 index 000000000..386a54dfc --- /dev/null +++ b/ansible/roles/installation.k3s/templates/calico/calico-installation.yaml.j2 
@@ -0,0 +1,18 @@ +--- +apiVersion: operator.tigera.io/v1 +kind: Installation +metadata: + name: default +spec: + registry: quay.io + imagePath: calico + calicoNetwork: + # Note: The ipPools section cannot be modified post-install. + ipPools: + - blockSize: 26 + cidr: "{{ k3s_server['cluster-cidr'] }}" + encapsulation: "{{ calico_encapsulation }}" + natOutgoing: Enabled + nodeSelector: all() + nodeMetricsPort: 9091 + typhaMetricsPort: 9093 diff --git a/ansible/roles/installation.k3s/vars/main/calico.yml b/ansible/roles/installation.k3s/vars/main/calico.yml new file mode 100644 index 000000000..32d1a7e75 --- /dev/null +++ b/ansible/roles/installation.k3s/vars/main/calico.yml @@ -0,0 +1,14 @@ +--- +# -- Encapsulation type +calico_encapsulation: "None" +# -- BGP Peer IP +# -- (usually your router IP address) +calico_bgp_peer_ip: 192.168.8.1 +# -- BGP Autonomous System Number +# -- (must be the same across all BGP peers) +calico_bgp_as_number: 64512 +# -- BGP Network you want services to consume +# -- (this network should not exist or be defined anywhere in your network) +calico_bgp_external_ips: 192.168.169.0/24 +# -- CIDR of the host node interface Calico should use +calico_node_cidr: 10.69.0.0/16 diff --git a/ansible/roles/installation.k3s/vars/main/k3s.yml b/ansible/roles/installation.k3s/vars/main/k3s.yml new file mode 100644 index 000000000..6a541d6e0 --- /dev/null +++ b/ansible/roles/installation.k3s/vars/main/k3s.yml 
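Review bot: `calico_node_cidr` (`10.69.0.0/16`, described in `calico.yml` as the host interface CIDR Calico should use) is defined but nothing in this patch references it: `calico-installation.yaml.j2` never sets `calicoNetwork.nodeAddressAutodetectionV4`, so Calico's default address autodetection applies, which on a multi-homed node can choose the wrong interface for BGP peering. Either wire it in under `calicoNetwork` — `nodeAddressAutodetectionV4:` / `  cidrs: ["{{ calico_node_cidr }}"]` — or delete the variable so it does not suggest a setting that is not applied. The `ipPools` comment notes the section cannot change post-install; `tasks/k3s.yml` already empties the manifest lists on re-runs, which is consistent with that.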
@@ -0,0 +1,53 @@ +--- +# +# Below vars are for the xanmanning.k3s role +# ...see https://github.com/PyratLabs/ansible-role-k3s#globalcluster-variables +# + +# Use a specific version of k3s +# renovate: datasource=github-releases depName=k3s-io/k3s +k3s_release_version: "v1.24.2+k3s1" + +# -- Install using hard links rather than symbolic links. +# ...if you are using the system-upgrade-controller you will need to +# use hard links rather than symbolic links as the controller will +# not be able to follow symbolic links. +k3s_install_hard_links: true + +# -- Escalate user privileges for all tasks. +k3s_become: true + +# -- Enable debugging +k3s_debug: false + +# -- Enabled embedded etcd +# k3s_etcd_datastore: false + +# -- Enable for single or even number of masters +k3s_use_unsupported_config: false + +# -- /var/lib/rancher/k3s/server/manifests +k3s_server_manifests_templates: + - "calico/calico-installation.yaml.j2" + - "calico/calico-bgpconfiguration.yaml.j2" + - "calico/calico-bgppeer.yaml.j2" + +# -- /var/lib/rancher/k3s/server/manifests +k3s_server_manifests_urls: + - url: https://docs.projectcalico.org/archive/v3.23/manifests/tigera-operator.yaml + filename: tigera-operator.yaml + +# -- /etc/rancher/k3s/registries.yaml +# k3s_registries: +# mirrors: +# "docker.io": +# endpoint: +# - "https://mirror.{{ SECRET_PRIVATE_DOMAIN }}" +# "*": +# endpoint: +# - "https://mirror.{{ SECRET_PRIVATE_DOMAIN }}" +# config: +# "https://registry.{{ SECRET_PRIVATE_DOMAIN }}": +# auth: +# username: "{{ SECRET_NEXUS_USERNAME }}" +# password: "{{ SECRET_NEXUS_PASSWORD }}" diff --git a/ansible/roles/truenas/defaults/main.yml b/ansible/roles/truenas/defaults/main.yml new file mode 100644 index 000000000..256199d83 --- /dev/null +++ b/ansible/roles/truenas/defaults/main.yml 
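Review bot: `k3s_server_manifests_urls` fetches `tigera-operator.yaml` from `docs.projectcalico.org/archive/v3.23/...` at install time with no checksum, so the cluster's CNI operator — which runs with cluster-wide privileges — is whatever that URL serves on the day of install, whereas the three Calico CRs in `k3s_server_manifests_templates` are vendored. Pin it: vendor the manifest next to the other templates (renovate can still track the version through a comment like the one on `k3s_release_version`), or, if the `xanmanning.k3s` role accepts a checksum for manifest URLs, add one there.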
@@ -0,0 +1,9 @@ +homelab_homedir: "/mnt/{{ pool_name }}/home/homelab" +backups_dir: "/mnt/{{ pool_name }}/backups/" +telegraf_dir: "{{ homelab_homedir }}/telegraf" +scripts_dir: "{{ homelab_homedir }}/scripts" +certificates_dir: "{{ homelab_homedir }}/letsencrypt/{{ SECRET_DOMAIN }}" + +ping_ip: 192.168.8.1 +wg_interface: wg0-client +dns_hostname: services.{{ SECRET_DOMAIN }} diff --git a/ansible/roles/truenas/files/scripts/certificates_deploy.py b/ansible/roles/truenas/files/scripts/certificates_deploy.py new file mode 100644 index 000000000..1fab27e11 --- /dev/null +++ b/ansible/roles/truenas/files/scripts/certificates_deploy.py 
@@ -0,0 +1,240 @@ +#!/usr/bin/env python3 + +""" +Import and activate a SSL/TLS certificate into FreeNAS 11.1 or later +Uses the FreeNAS API to make the change, so everything's properly saved in the config +database and captured in a backup. + +Requires paths to the cert (including the any intermediate CA certs) and private key, +and username, password, and FQDN of your FreeNAS system. + +Your private key should only be readable by root, so this script must run with root +privileges. And, since it contains your root password, this script itself should +only be readable by root. + +Source: https://github.com/danb35/deploy-freenas +""" + +import argparse +import os +import sys +import json +import requests +import time +import configparser +import socket +from datetime import datetime, timedelta +from urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + +parser = argparse.ArgumentParser(description='Import and activate a SSL/TLS certificate into FreeNAS.') +parser.add_argument('-c', '--config', default=(os.path.join(os.path.dirname(os.path.realpath(__file__)), + 'deploy_config')), help='Path to config file, defaults to deploy_config.') +args = parser.parse_args() + +if os.path.isfile(args.config): + config = configparser.ConfigParser() + config.read(args.config) + deploy = config['deploy'] +else: + print("Config file", args.config, "does not exist!") + exit(1) + +# We'll use the API key if provided +API_KEY = deploy.get('api_key') +# Otherwise fallback to basic password authentication +USER = "root" +PASSWORD = deploy.get('password') + +DOMAIN_NAME = deploy.get('cert_fqdn',socket.gethostname()) +FREENAS_ADDRESS = deploy.get('connect_host','localhost') +VERIFY = deploy.getboolean('verify',fallback=False) +PRIVATEKEY_PATH = deploy.get('privkey_path',"/root/.acme.sh/" + DOMAIN_NAME + "/" + DOMAIN_NAME + ".key") +FULLCHAIN_PATH = deploy.get('fullchain_path',"/root/.acme.sh/" + DOMAIN_NAME + 
"/fullchain.cer") +PROTOCOL = deploy.get('protocol','http://') +PORT = deploy.get('port','80') +FTP_ENABLED = deploy.getboolean('ftp_enabled',fallback=False) +S3_ENABLED = deploy.getboolean('s3_enabled',fallback=False) +now = datetime.now() +cert = "letsencrypt-%s-%s-%s-%s" %(now.year, now.strftime('%m'), now.strftime('%d'), ''.join(c for c in now.strftime('%X') if +c.isdigit())) + + +# Set some general request params +session = requests.Session() +session.headers.update({ + 'Content-Type': 'application/json' +}) +if API_KEY: + session.headers.update({ + 'Authorization': f'Bearer {API_KEY}' + }) +elif PASSWORD: + session.auth = (USER, PASSWORD) +else: + print ("Unable to authenticate. Specify 'api_key' or 'password' in the config.") + exit(1) + +# Load cert/key +with open(PRIVATEKEY_PATH, 'r') as file: + priv_key = file.read() +with open(FULLCHAIN_PATH, 'r') as file: + full_chain = file.read() + +# Update or create certificate +r = session.post( + PROTOCOL + FREENAS_ADDRESS + ':' + PORT + '/api/v2.0/certificate/', + verify=VERIFY, + data=json.dumps({ + "create_type": "CERTIFICATE_CREATE_IMPORTED", + "name": cert, + "certificate": full_chain, + "privatekey": priv_key, + }) +) + +if r.status_code == 200: + print ("Certificate import successful") +else: + print ("Error importing certificate!") + print (r.text) + sys.exit(1) + +# Sleep for a few seconds to let the cert propagate +time.sleep(5) + +# Download certificate list +limit = {'limit': 0} # set limit to 0 to disable paging in the event of many certificates +r = session.get( + PROTOCOL + FREENAS_ADDRESS + ':' + PORT + '/api/v2.0/certificate/', + verify=VERIFY, + params=limit +) + +if r.status_code == 200: + print ("Certificate list successful") +else: + print ("Error listing certificates!") + print (r.text) + sys.exit(1) + +# Parse certificate list to find the id that matches our cert name +cert_list = r.json() + +new_cert_data = None +for cert_data in cert_list: + if cert_data['name'] == cert: + new_cert_data = 
cert_data + cert_id = new_cert_data['id'] + break + +if not new_cert_data: + print ("Error searching for newly imported certificate in certificate list.") + sys.exit(1) + +# Set our cert as active +r = session.put( + PROTOCOL + FREENAS_ADDRESS + ':' + PORT + '/api/v2.0/system/general/', + verify=VERIFY, + data=json.dumps({ + "ui_certificate": cert_id, + }) +) + +if r.status_code == 200: + print ("Setting active certificate successful") +else: + print ("Error setting active certificate!") + print (r.text) + sys.exit(1) + +if FTP_ENABLED: + # Set our cert as active for FTP plugin + r = session.put( + PROTOCOL + FREENAS_ADDRESS + ':' + PORT + '/api/v2.0/ftp/', + verify=VERIFY, + data=json.dumps({ + "ssltls_certfile": cert, + }), + ) + + if r.status_code == 200: + print ("Setting active FTP certificate successful") + else: + print ("Error setting active FTP certificate!") + print (r.text) + sys.exit(1) + +if S3_ENABLED: + # Set our cert as active for S3 plugin + r = session.put( + PROTOCOL + FREENAS_ADDRESS + ':' + PORT + '/api/v2.0/s3/', + verify=VERIFY, + data=json.dumps({ + "certificate": cert_id, + }), + ) + + if r.status_code == 200: + print ("Setting active S3 certificate successful") + else: + print ("Error setting active S3 certificate!") + print (r) + sys.exit(1) + +# Get expired and old certs with same SAN +cert_ids_same_san = set() +cert_ids_expired = set() +for cert_data in cert_list: + if set(cert_data['san']) == set(new_cert_data['san']): + cert_ids_same_san.add(cert_data['id']) + + issued_date = datetime.strptime(cert_data['from'], "%c") + lifetime = timedelta(days=cert_data['lifetime']) + expiration_date = issued_date + lifetime + if expiration_date < now: + cert_ids_expired.add(cert_data['id']) + +# Remove new cert_id from lists +if cert_id in cert_ids_expired: + cert_ids_expired.remove(cert_id) + +if cert_id in cert_ids_same_san: + cert_ids_same_san.remove(cert_id) + +# Delete expired and old certificates with same SAN from freenas +for cid in 
(cert_ids_same_san | cert_ids_expired): + r = session.delete( + PROTOCOL + FREENAS_ADDRESS + ':' + PORT + '/api/v2.0/certificate/id/' + str(cid), + verify=VERIFY + ) + + for c in cert_list: + if c['id'] == cid: + cert_name = c['name'] + + if r.status_code == 200: + print ("Deleting certificate " + cert_name + " successful") + else: + print ("Error deleting certificate " + cert_name + "!") + print (r.text) + sys.exit(1) + +# Reload nginx with new cert +# If everything goes right, the request fails with a ConnectionError +try: + r = session.post( + PROTOCOL + FREENAS_ADDRESS + ':' + PORT + '/api/v2.0/system/general/ui_restart', + verify=VERIFY + ) + + if r.status_code == 200: + print ("Reloading WebUI successful") + print ("deploy_freenas.py executed successfully") + else: + print ("Error reloading WebUI!") + print ("{}: {}".format(r.status_code, r.text)) + sys.exit(1) +except requests.exceptions.ConnectionError: + print ("Error reloading WebUI!") + sys.exit(1) diff --git a/ansible/roles/truenas/files/scripts/snapshots_clearempty.py b/ansible/roles/truenas/files/scripts/snapshots_clearempty.py new file mode 100644 index 000000000..5ef65c6ad --- /dev/null +++ b/ansible/roles/truenas/files/scripts/snapshots_clearempty.py 
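Review bot: The config file read by `config.read(args.config)` carries the TrueNAS root `password` or `api_key`, but the script never checks who can read it; the docstring's warning that the script itself "should only be readable by root" predates the config-file design and no longer covers the actual secret. Add a permission check right after the `os.path.isfile` test, e.g. `if os.stat(args.config).st_mode & 0o077:` / `print("Config file", args.config, "must not be group/world readable")` / `sys.exit(1)`. Second, `VERIFY` defaults to `False` and `InsecureRequestWarning` is silenced at import, so when `connect_host` is anything other than the default `localhost` the root credential and the freshly read private key go over an unverified channel with no warning; at minimum print a warning when `not VERIFY and FREENAS_ADDRESS != 'localhost'`, or default `verify` to `True` and let the self-signed bootstrap case opt out explicitly. Also `datetime.strptime(cert_data['from'], "%c")` is locale-dependent and any `ValueError` there is uncaught, so the script can die after importing the new certificate but before `ui_restart`, leaving the old certificate active.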
@@ -0,0 +1,107 @@ +#!/usr/bin/env python3 + +# clearempty.py - Koen Vermeer +# Inspired by rollup.py by Arno Hautala +# modifications by Arno Hautala +# This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. +# (CC BY-SA-3.0) http://creativecommons.org/licenses/by-sa/3.0/ + +# This script removes empty snapshots, based on their 'used' property. +# Note that one snapshot's 'used' value may change when another snapshot is +# destroyed. This script iteratively destroys the oldest empty snapshot. It +# does not remove the latest snapshot of each dataset or manual snapshots + +import subprocess +import argparse +import sys +from collections import defaultdict + +parser = argparse.ArgumentParser(description='Removes empty auto snapshots.') +parser.add_argument('datasets', nargs='+', help='the root dataset(s) from which to remove snapshots') +parser.add_argument('--test', '-t', action="store_true", default=False, help='only display the snapshots that would be deleted, without actually deleting them. 
Note that due to dependencies between snapshots, this may not match what would really happen.')
+parser.add_argument('--recursive', '-r', action="store_true", default=False, help='recursively removes snapshots from nested datasets')
+parser.add_argument('--prefix', '-p', action='append', help='list of snapshot name prefixes that will be considered')
+
+args = parser.parse_args()
+
+if not args.prefix:
+ args.prefix = ['auto']
+
+args.prefix = [prefix+"-" for prefix in set(args.prefix)]
+
+deleted = defaultdict(lambda : defaultdict(lambda : defaultdict(int)))
+
+snapshot_was_deleted = True
+
+while snapshot_was_deleted:
+ snapshot_was_deleted = False
+ snapshots = defaultdict(lambda : defaultdict(lambda : defaultdict(int)))
+
+ # Get properties of all snapshots of the selected datasets
+ for dataset in args.datasets:
+ subp = subprocess.Popen(["zfs", "get", "-Hrpo", "name,property,value", "type,creation,used,freenas:state", dataset], stdout=subprocess.PIPE)
+ zfs_snapshots = subp.communicate()[0]
+ if subp.returncode:
+ print("zfs get failed with RC=%s" % subp.returncode)
+ sys.exit(1)
+
+ for snapshot in zfs_snapshots.splitlines():
+ name,property,value = snapshot.decode().split('\t',3)
+
+ # if the rollup isn't recursive, skip any snapshots from child datasets
+ if not args.recursive and not name.startswith(dataset+"@"):
+ continue
+
+ try:
+ dataset,snapshot = name.split('@',2)
+ except ValueError:
+ continue
+
+ snapshots[dataset][snapshot][property] = value
+
+ # Ignore non-snapshots and not-auto-snapshots
+ # Remove already destroyed snapshots
+ for dataset in list(snapshots.keys()):
+ latest = None
+ latestNEW = None
+ for snapshot in sorted(snapshots[dataset], key=lambda snapshot: snapshots[dataset][snapshot]['creation'], reverse=True):
+ if not any(map(snapshot.startswith, args.prefix)) \
+ or snapshots[dataset][snapshot]['type'] != "snapshot":
+ del snapshots[dataset][snapshot]
+ continue
+ if not latest:
+ latest = snapshot
+ del 
snapshots[dataset][snapshot]
+ continue
+ if not latestNEW and snapshots[dataset][snapshot]['freenas:state'] == 'NEW':
+ latestNEW = snapshot
+ del snapshots[dataset][snapshot]
+ continue
+ if snapshots[dataset][snapshot]['freenas:state'] == 'LATEST':
+ del snapshots[dataset][snapshot]
+ continue
+ if snapshots[dataset][snapshot]['used'] != '0' \
+ or snapshot in list(deleted[dataset].keys()):
+ del snapshots[dataset][snapshot]
+ continue
+
+ # Stop if no snapshots are in the list
+ if not snapshots[dataset]:
+ del snapshots[dataset]
+ continue
+
+ # destroy the most recent empty snapshot
+ snapshot = max(snapshots[dataset], key=lambda snapshot: snapshots[dataset][snapshot]['creation'])
+ if not args.test:
+ # destroy the snapshot
+ subprocess.call(["zfs", "destroy", dataset+"@"+snapshot])
+
+ deleted[dataset][snapshot] = snapshots[dataset][snapshot]
+ snapshot_was_deleted = True
+
+for dataset in sorted(deleted.keys()):
+ if not deleted[dataset]:
+ continue
+ print(dataset)
+ for snapshot in sorted(deleted[dataset].keys()):
+ print("\t", snapshot, deleted[dataset][snapshot]['used'])
diff --git a/ansible/roles/truenas/files/scripts/snapshots_prune.py b/ansible/roles/truenas/files/scripts/snapshots_prune.py
new file mode 100644
index 000000000..86cb9a173
--- /dev/null
+++ b/ansible/roles/truenas/files/scripts/snapshots_prune.py
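Review bot: The exit status of `subprocess.call(["zfs", "destroy", dataset+"@"+snapshot])` is discarded, so a destroy that fails is still recorded in `deleted`, listed as removed in the final summary, never retried, and the script exits 0. Checking it the way the `zfs get` call earlier in this file already does keeps both paths consistent: `rc = subprocess.call(["zfs", "destroy", dataset+"@"+snapshot])` / `if rc:` / `print("zfs destroy failed with RC=%s" % rc); sys.exit(1)`. The final `subprocess.call(['zfs', 'destroy', to_delete])` in snapshots_prune.py in this patch has the same gap. Separately, the header comment says the script "iteratively destroys the oldest empty snapshot" while the loop selects `max(..., key=...['creation'])`, i.e. the most recent one; the header should read `# This script iteratively destroys the most recent empty snapshot.` (or the selection should use `min`).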
@@ -0,0 +1,262 @@ +#!/usr/bin/env python3 + +# rollup.py - Arno Hautala +# This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. +# (CC BY-SA-3.0) http://creativecommons.org/licenses/by-sa/3.0/ + +# For the latest version, visit: +# https://github.com/fracai/zfs-rollup +# https://bitbucket.org/fracai/zfs-rollup + +# A snapshot pruning script, similar in behavior to Apple's TimeMachine +# Keep hourly snapshots for the last day, daily for the last week, and weekly thereafter. + +# TODO: +# rollup based on local time, not UTC +# requires pytz, or manually determining and converting time offsets +# improve documentation + +# TEST: + +import datetime +import calendar +import time +import subprocess +import argparse +import sys +from collections import defaultdict + +intervals = {} +intervals['hourly'] = { 'max':24, 'abbreviation':'h', 'reference':'%Y-%m-%d %H' } +intervals['daily'] = { 'max': 7, 'abbreviation':'d', 'reference':'%Y-%m-%d' } +intervals['weekly'] = { 'max': 0, 'abbreviation':'w', 'reference':'%Y-%W' } +intervals['monthly'] = { 'max':12, 'abbreviation':'m', 'reference':'%Y-%m' } +intervals['yearly'] = { 'max':10, 'abbreviation':'y', 'reference':'%Y' } + +modifiers = { + 'M' : 1, + 'H' : 60, + 'h' : 60, + 'd' : 60*24, + 'w' : 60*24*7, + 'm' : 60*24*28, + 'y' : 60*24*365, +} + +used_intervals = { + 'hourly': intervals['hourly'], + 'daily' : intervals['daily'], + 'weekly': intervals['weekly'] +} + +parser = argparse.ArgumentParser(description='Prune excess snapshots, keeping hourly for the last day, daily for the last week, and weekly thereafter.') +parser.add_argument('datasets', nargs='+', help='The root dataset(s) from which to prune snapshots') +parser.add_argument('-t', '--test', action="store_true", default=False, help='Only display the snapshots that would be deleted, without actually deleting them') +parser.add_argument('-v', '--verbose', action="store_true", default=False, help='Display verbose information about 
which snapshots are kept, pruned, and why') +parser.add_argument('-r', '--recursive', action="store_true", default=False, help='Recursively prune snapshots from nested datasets') +parser.add_argument('--prefix', '-p', action='append', help='list of snapshot name prefixes that will be considered') +parser.add_argument('-c', '--clear', action="store_true", default=False, help='remove all snapshots') +parser.add_argument('-i', '--intervals', + help="Modify and define intervals with which to keep and prune snapshots. Either name existing intervals ("+ + ", ".join(sorted(intervals, key=lambda interval: modifiers[intervals[interval]['abbreviation']]))+"), "+ + "modify the number of those to store (hourly:12), or define new intervals according to interval:count (2h:12). "+ + "Multiple intervals may be specified if comma seperated (hourly,daily:30,2h:12). Available modifier abbreviations are: "+ + ", ".join(sorted(modifiers, key=modifiers.get)) +) + +args = parser.parse_args() + +if not args.prefix: + args.prefix = ['auto'] + +args.prefix = [prefix+"-" for prefix in set(args.prefix)] + +if args.test: + args.verbose = True + +if args.intervals: + used_intervals = {} + + for interval in args.intervals.split(','): + if interval.count(':') == 1: + period,count = interval.split(':') + + try: + int(count) + except ValueError: + print("invalid count: "+count) + sys.exit(1) + + if period in intervals: + used_intervals[period] = intervals[period] + used_intervals[period]['max'] = count + + else: + try: + if period[-1] in modifiers: + used_intervals[interval] = { 'max' : count, 'interval' : int(period[:-1]) * modifiers[period[-1]] } + else: + used_intervals[interval] = { 'max' : count, 'interval' : int(period) } + + except ValueError: + print("invalid period: "+period) + sys.exit(1) + + elif interval.count(':') == 0 and interval in intervals: + used_intervals[interval] = intervals[interval] + + else: + print("invalid interval: "+interval) + sys.exit(1) + +for interval in 
used_intervals: + if 'abbreviation' not in used_intervals[interval]: + used_intervals[interval]['abbreviation'] = interval + +snapshots = defaultdict(lambda : defaultdict(lambda : defaultdict(int))) + +for dataset in args.datasets: + subp = subprocess.Popen(["zfs", "get", "-Hrpo", "name,property,value", "creation,type,used,freenas:state", dataset], stdout=subprocess.PIPE) + zfs_snapshots = subp.communicate()[0] + if subp.returncode: + print("zfs get failed with RC=%s" % subp.returncode) + sys.exit(1) + + for snapshot in zfs_snapshots.splitlines(): + name,property,value = snapshot.decode().split('\t',3) + + # if the rollup isn't recursive, skip any snapshots from child datasets + if not args.recursive and not name.startswith(dataset+"@"): + continue + + try: + dataset,snapshot = name.split('@',2) + except ValueError: + continue + + # enforce that this is a snapshot starting with one of the requested prefixes + if not any(map(snapshot.startswith, args.prefix)): + if property == 'creation': + print("will ignore:\t", dataset+"@"+snapshot) + + snapshots[dataset][snapshot][property] = value + +for dataset in list(snapshots.keys()): + latestNEW = None + latest = None + for snapshot in sorted(snapshots[dataset], key=lambda snapshot: snapshots[dataset][snapshot]['creation'], reverse=True): + if not latest: + latest = snapshot + snapshots[dataset][snapshot]['keep'] = 'RECENT' + continue + if not any(map(snapshot.startswith, args.prefix)) \ + or snapshots[dataset][snapshot]['type'] != "snapshot": + snapshots[dataset][snapshot]['keep'] = '!PREFIX' + continue + if not latestNEW and snapshots[dataset][snapshot]['freenas:state'] == 'NEW': + latestNEW = snapshot + snapshots[dataset][snapshot]['keep'] = 'NEW' + continue + if snapshots[dataset][snapshot]['freenas:state'] == 'LATEST': + snapshots[dataset][snapshot]['keep'] = 'LATEST' + continue + + if not len(list(snapshots[dataset].keys())): + del snapshots[dataset] + +for dataset in sorted(snapshots.keys()): + print(dataset) + + 
sorted_snapshots = sorted(snapshots[dataset], key=lambda snapshot: snapshots[dataset][snapshot]['creation']) + most_recent = sorted_snapshots[-1] + + rollup_intervals = defaultdict(lambda : defaultdict(int)) + + for snapshot in sorted_snapshots: + prune = True + + if args.clear: + continue + + epoch = snapshots[dataset][snapshot]['creation'] + + for interval in list(used_intervals.keys()): + if 'reference' in used_intervals[interval]: + reference = time.strftime(used_intervals[interval]['reference'], time.gmtime(float(epoch))) + + if reference not in rollup_intervals[interval]: + if int(used_intervals[interval]['max']) != 0 and len(rollup_intervals[interval]) >= int(used_intervals[interval]['max']): + rollup_intervals[interval].pop(sorted(rollup_intervals[interval].keys())[0]) + rollup_intervals[interval][reference] = epoch + + elif 'interval' in used_intervals[interval]: + if int(used_intervals[interval]['max']) != 0 and len(rollup_intervals[interval]) >= int(used_intervals[interval]['max']): + rollup_intervals[interval].pop(sorted(rollup_intervals[interval].keys())[0]) + + if (not rollup_intervals[interval]) or int(sorted(rollup_intervals[interval].keys())[-1]) + (used_intervals[interval]['interval']*60*.9) < int(epoch): + rollup_intervals[interval][epoch] = epoch + + ranges = list() + ranges.append(list()) + for snapshot in sorted_snapshots: + prune = True + + epoch = snapshots[dataset][snapshot]['creation'] + + if 'keep' in snapshots[dataset][snapshot]: + prune = False + ranges.append(list()) + + + for interval in list(used_intervals.keys()): + if 'reference' in used_intervals[interval]: + reference = time.strftime(used_intervals[interval]['reference'], time.gmtime(float(epoch))) + if reference in rollup_intervals[interval] and rollup_intervals[interval][reference] == epoch: + prune = False + ranges.append(list()) + + elif 'interval' in used_intervals[interval]: + if epoch in rollup_intervals[interval]: + prune = False + ranges.append(list()) + + if prune or 
args.verbose: + print("\t","pruning\t" if prune else " \t", "@"+snapshot, end=' ') + if args.verbose: + for interval in list(used_intervals.keys()): + if 'reference' in used_intervals[interval]: + reference = time.strftime(used_intervals[interval]['reference'], time.gmtime(float(epoch))) + if reference in rollup_intervals[interval] and rollup_intervals[interval][reference] == epoch: + print(used_intervals[interval]['abbreviation'], end=' ') + else: + print('-', end=' ') + if 'interval' in used_intervals[interval]: + if epoch in rollup_intervals[interval]: + print(used_intervals[interval]['abbreviation'], end=' ') + else: + print('-', end=' ') + if 'keep' in snapshots[dataset][snapshot]: + print(snapshots[dataset][snapshot]['keep'][0], end=' ') + else: + print('-', end=' ') + print(snapshots[dataset][snapshot]['used']) + else: + print() + + if prune: + ranges[-1].append(snapshot) + + for range in ranges: + if not range: + continue + to_delete = dataset+'@'+range[0] + if len(range) > 1: + to_delete += '%' + range[-1] + to_delete = to_delete.replace(' ', '') + if not to_delete: + continue + if args.verbose: + print('zfs destroy ' + to_delete) + if not args.test: + # destroy the snapshot + subprocess.call(['zfs', 'destroy', to_delete]) diff --git a/ansible/roles/truenas/files/scripts/telegraf_hddtemp.bash b/ansible/roles/truenas/files/scripts/telegraf_hddtemp.bash new file mode 100644 index 000000000..ba5e24212 --- /dev/null +++ b/ansible/roles/truenas/files/scripts/telegraf_hddtemp.bash 
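Review bot: `to_delete += '%' + range[-1]` hands `zfs destroy` a `first%last` range, which removes every snapshot whose creation time lies between the two endpoints, not only the names collected in the list; that is only safe because `ranges` is split at every snapshot carrying a `keep` reason, and the invariant deserves a comment at the point of use, e.g. `# '%' ranges destroy everything between the endpoints; a new list is started at each kept snapshot, so no kept snapshot falls inside a range`. The loop variable `range` shadows the builtin in module scope; `for snap_range in ranges:` with the matching uses avoids surprises in later edits. The `args.clear` branch only skips the interval bookkeeping, so with `-c` everything without a keep reason (RECENT, NEW, LATEST, !PREFIX) is pruned while those are retained — the `-c` help text currently says "remove all snapshots" and should say `remove all snapshots except the most recent and the NEW/LATEST ones`.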
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Runs smartctl to report current temperature of all disks.
+
+JSON="["
+
+DISKS=$(/sbin/sysctl -n kern.disks | cut -d= -f2)
+
+for i in ${DISKS}
+do
+ # Get temperature from smartctl (requires root).
+ [[ "${i}" = *"ada"* ]] && TEMP=$(/usr/local/sbin/smartctl -l scttemp /dev/$i | grep '^Current Temperature:' | awk '{print $3}')
+ [[ "${i}" = *"nvd"* ]] && DEVICE_NUMBER=$(echo ${i} | cut -c 4) && TEMP=$(smartctl -a /dev/nvme${DEVICE_NUMBER} | grep Temperature: | head -1 | awk '{print $2}')
+
+ if [ ${TEMP:-0} -gt 0 ]
+ then
+ JSON=$(echo "${JSON}{")
+ JSON=$(echo "${JSON}\"temperature\":${TEMP},")
+ JSON=$(echo "${JSON}\"disk\":\"${i}\"")
+ JSON=$(echo "${JSON}},")
+ fi
+
+done
+
+# Remove trailing "," on last field.
+JSON=$(echo ${JSON} | sed 's/,$//')
+
+echo -e "${JSON}]"
\ No newline at end of file
diff --git a/ansible/roles/truenas/tasks/directories.yml b/ansible/roles/truenas/tasks/directories.yml
new file mode 100644
index 000000000..9f9c18536
--- /dev/null
+++ b/ansible/roles/truenas/tasks/directories.yml
@@ -0,0 +1,19 @@
+---
+- name: directories | create
+ ansible.builtin.file:
+ state: directory
+ path: "{{ item }}"
+ loop:
+ - "{{ homelab_homedir }}/letsencrypt"
+ - "{{ telegraf_dir }}"
+ - "{{ backups_dir }}servers/{{ ansible_facts['nodename'] }}"
+ - "{{ scripts_dir }}"
+
+- name: directories | truenas
+ ansible.builtin.file:
+ state: directory
+ path: "{{ item }}"
+ loop:
+ - "{{ backups_dir }}servers/coreelec.{{ SECRET_DOMAIN }}"
+ - "{{ backups_dir }}servers/opnsense.{{ SECRET_DOMAIN }}"
+ when: "main_nas == true"
diff --git a/ansible/roles/truenas/tasks/main.yml b/ansible/roles/truenas/tasks/main.yml
new file mode 100644
index 000000000..1df06d640
--- /dev/null
+++ b/ansible/roles/truenas/tasks/main.yml
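Review bot: `TEMP` is never cleared between iterations of the `for i in ${DISKS}` loop, so a disk whose name matches neither `*ada*` nor `*nvd*` inherits the previous disk's reading and is reported under the wrong name; add `TEMP=""` as the first statement of the loop body. The nvd branch calls bare `smartctl` while the ada branch uses `/usr/local/sbin/smartctl`; under a cron or Telegraf exec environment with a minimal PATH the two can resolve differently, so use the full path in both. `cut -c 4` keeps a single character, so a device such as nvd10 would be queried as nvme1 — `DEVICE_NUMBER=${i#nvd}` keeps the whole number.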
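Review bot: Neither `ansible.builtin.file` task sets `mode:` (or `owner:`/`group:`), so the new directories get whatever the remote umask yields; `{{ homelab_homedir }}/letsencrypt` reads like the place certificate material will live (inferred from the name — the conf template later in this patch reads `key.pem` from `certificates_dir`, which may or may not be this path), and a key directory should not depend on the umask. Add `mode: "0750"` and the intended owner to the first task, or at least to that item. `when: "main_nas == true"` can be the plain boolean `when: main_nas`.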
@@ -0,0 +1,9 @@
+---
+- ansible.builtin.include_tasks: directories.yml
+
+- ansible.builtin.include_tasks: scripts.yml
+
+- ansible.builtin.include_tasks: telegraf.yml
+
+- ansible.builtin.include_tasks: wireguard.yml
+ when: "main_nas == false"
diff --git a/ansible/roles/truenas/tasks/scripts.yml b/ansible/roles/truenas/tasks/scripts.yml
new file mode 100644
index 000000000..2b3adabc3
--- /dev/null
+++ b/ansible/roles/truenas/tasks/scripts.yml
@@ -0,0 +1,25 @@
+---
+- name: scripts | copy scripts
+ ansible.builtin.copy:
+ src: "scripts/{{ item }}"
+ dest: "{{ scripts_dir }}/{{ item }}"
+ mode: 0755
+ loop:
+ - certificates_deploy.py
+ - snapshots_clearempty.py
+ - snapshots_prune.py
+ - telegraf_hddtemp.bash
+
+- name: scripts | template scripts
+ ansible.builtin.template:
+ src: "scripts/{{ item.name }}"
+ dest: "{{ scripts_dir }}/{{ item.name }}"
+ mode: "{{ item.mode }}"
+ loop:
+ - { name: "backupconfig_cloudsync_pre.bash", mode: "0775" }
+ - { name: "certificates_deploy.bash", mode: "0775" }
+ - { name: "certificates_deploy.conf", mode: "0664" }
+ - { name: "snapshots_prune.sh", mode: "0775" }
+ - { name: "report_pools.sh", mode: "0775" }
+ - { name: "report_smart.sh", mode: "0775" }
+ - { name: "report_ups.sh", mode: "0775" }
diff --git a/ansible/roles/truenas/tasks/telegraf.yml b/ansible/roles/truenas/tasks/telegraf.yml
new file mode 100644
index 000000000..ea35d051e
--- /dev/null
+++ b/ansible/roles/truenas/tasks/telegraf.yml
@@ -0,0 +1,10 @@
+---
+- name: telegraf | clone git repository
+ ansible.builtin.git:
+ repo: https://github.com/samuelkadolph/truenas-telegraf
+ dest: "{{ telegraf_dir }}"
+
+- name: telegraf | copy configuration
+ ansible.builtin.template:
+ src: telegraf/telegraf.conf
+ dest: "{{ telegraf_dir }}/telegraf.conf"
diff --git a/ansible/roles/truenas/tasks/wireguard.yml b/ansible/roles/truenas/tasks/wireguard.yml
new file mode 100644
index 000000000..2775b2d2e
--- /dev/null
+++ b/ansible/roles/truenas/tasks/wireguard.yml
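Review bot: `certificates_deploy.conf` is rendered with `mode: "0664"`, and that template (later in this patch) contains `api_key = {{ root_api_key }}`, so the TrueNAS API key becomes readable by every local account that can reach `{{ scripts_dir }}`; render it with `mode: "0600"` and, since neither task sets `owner:`, make sure the connecting user is the one that runs certificates_deploy.bash, or add `owner:` explicitly. The copy task uses the unquoted `mode: 0755` while the template task uses quoted strings; `"0755"` keeps both tasks in the form Ansible parses unambiguously.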
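Review bot: The `ansible.builtin.git` task clones `https://github.com/samuelkadolph/truenas-telegraf` without `version:`, so each run follows the repository's default branch and whatever lands there is what the NAS executes after the next role run — an unpinned third-party dependency on the host that holds the backups. Pin it with `version: <pinned tag or commit>` (placeholder) and bump deliberately. The following template task writes `telegraf.conf` without `mode:`; the template itself is outside this chunk, but if it carries output credentials it should get `mode: "0640"` or tighter.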
@@ -0,0 +1,17 @@
+---
+- name: wireguard | configuration
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ loop:
+ - {
+ src: "wireguard/{{ ansible_facts['nodename'] }}.conf",
+ dest: "{{ homelab_homedir }}/{{ wg_interface }}.conf",
+ mode: 400,
+ }
+ - {
+ src: "wireguard/ip-check.bash",
+ dest: "{{ homelab_homedir }}/wireguard-ip-check.bash",
+ mode: 700,
+ }
diff --git a/ansible/roles/truenas/templates/scripts/backupconfig_cloudsync_pre.bash b/ansible/roles/truenas/templates/scripts/backupconfig_cloudsync_pre.bash
new file mode 100644
index 000000000..1808be7b9
--- /dev/null
+++ b/ansible/roles/truenas/templates/scripts/backupconfig_cloudsync_pre.bash
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# DEBUG
+# set -x
+
+# Configuration backup Cloud Sync pre-script
+
+# Variables
+SOURCE_FOLDER="/var/db/system/configs"
+BACKUP_FOLDER="{{ backups_dir }}servers/{{ ansible_facts['nodename'] }}"
+
+cd ${SOURCE_FOLDER}*
+rsync --archive --delete --human-readable --delete ./ ${BACKUP_FOLDER}
+test $? -ne 0 && FLAG_NOTIF=true
+
+chmod -R 775 ${BACKUP_FOLDER}/*
+chown -R homelab:homelab ${BACKUP_FOLDER}/*
+
+# Keep the last 90 backups on disk
+# find ${BACKUP_FOLDER}/* -mtime +90 -type f -delete
\ No newline at end of file
diff --git a/ansible/roles/truenas/templates/scripts/certificates_deploy.bash b/ansible/roles/truenas/templates/scripts/certificates_deploy.bash
new file mode 100644
index 000000000..b1eeabe5a
--- /dev/null
+++ b/ansible/roles/truenas/templates/scripts/certificates_deploy.bash
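Review bot: `mode: 400,` and `mode: 700,` are unquoted YAML integers, and Ansible's file modules read a bare integer as decimal rather than octal: 400 becomes 0620 (owner rw, group write-only) and 700 becomes 01274, so the WireGuard configuration — which typically carries the interface's private key — ends up with unintended bits instead of owner-only access. Quote them as octal strings: `mode: "0400",` and `mode: "0700",`. The `item.mode` values in the sibling scripts.yml of this patch are already quoted, so this also restores consistency.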
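Review bot: `cd ${SOURCE_FOLDER}*` is unchecked: if the glob does not resolve or the cd fails, the following `rsync --archive --delete ./ ${BACKUP_FOLDER}` runs from the caller's current directory, mirroring it into the backup folder while deleting the existing configuration backups; use `cd ${SOURCE_FOLDER}* || exit 1`. `FLAG_NOTIF` is set when rsync fails but never read, so the script still exits 0 and the Cloud Sync task cannot notice — either act on it or replace the `test` line with `|| exit 1` on the rsync; certificates_deploy.bash in this patch has the same dead flag. `--delete` is passed twice, and `chmod -R 775` makes the saved configuration databases group-writable; a read-only mode such as `750` for directories and `640` for files is enough for a backup tree one account syncs.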
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# DEBUG
+# set -x
+
+# Get certificates from remote server
+
+# Variables
+SCRIPT_PATH="{{ scripts_dir }}"
+CERTIFICATE_PATH="{{ certificates_dir }}"
+CONFIG_FILE="${SCRIPT_PATH}/certificates_deploy.conf"
+
+# Check if cert has been uploaded last week
+result=$(find ${CERTIFICATE_PATH}/cert.pem -mtime -7)
+
+if [[ "$result" == "${CERTIFICATE_PATH}/cert.pem" ]]; then
+
+ # Deploy certificate
+ python ${SCRIPT_PATH}/certificates_deploy.py -c ${CONFIG_FILE}
+ test $? -ne 0 && FLAG_NOTIF=true
+
+fi
\ No newline at end of file
diff --git a/ansible/roles/truenas/templates/scripts/certificates_deploy.conf b/ansible/roles/truenas/templates/scripts/certificates_deploy.conf
new file mode 100644
index 000000000..c37de9a73
--- /dev/null
+++ b/ansible/roles/truenas/templates/scripts/certificates_deploy.conf
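Review bot: `test $? -ne 0 && FLAG_NOTIF=true` stores the deploy script's failure in a variable nothing reads, so a failed certificate deployment still exits 0 and the scheduler cannot surface it; propagate it with `python ${SCRIPT_PATH}/certificates_deploy.py -c ${CONFIG_FILE} || exit 1`. The interpreter is invoked as `python` while the scripts copied by this role use `#!/usr/bin/env python3`; on a host where only `python3` is installed this fails on every run (inferred — the target image is not visible here), so `python3` is the safer spelling. The `find ... -mtime -7` gate means a renewal older than seven days at run time is never deployed, which only works if the script runs at least weekly — worth a comment on that line.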
@@ -0,0 +1,48 @@
+# Configuration file for deploy_certificates.py
+
+[deploy]
+# Choose one of the following authentication methods, "api_key" or "password" (comment out the other one).
+# Auth via API keys is highly recommended, but is only available from TrueNAS (Core) 12.0 up.
+# You can generate a new API key in the web interface under "Settings" (upper right) > "API Keys".
+api_key = {{ root_api_key }}
+# If you are on FreeNAS 11 or lower, set this to your FreeNAS root password
+# password =
+
+# Everything below here is optional
+
+# cert_fqdn specifies the FQDN used for your certificate. Default is your system hostname
+# cert_fqdn = foo.bar.baz
+
+# connect_host specifies the hostname the script should attempt to connect to, to deploy the cert.
+# Default is localhost (assuming the script is running on your FreeNAS box)
+# connect_host = baz.bar.foo
+
+# verify sets whether the script will attempt to verify the server's certificate with a HTTPS
+# connection. Set to true if you're using a HTTPS connection to a remote host. If connect_host
+# is set to localhost (or is unset), set to false. Default is false.
+# verify = false
+
+# privkey_path is the path to the certificate private key on your system. Default
+# assumes you're using acme.sh:
+# /root/.acme.sh/cert_fqdn/cert_fqdn.key
+privkey_path = {{ certificates_dir }}/key.pem
+
+# fullchain_path is the path to the full chain (leaf cert + intermediate certs)
+# on your system. Default assumes you're using acme.sh:
+# /root/.acme.sh/cert_fqdn/fullchain.cer
+fullchain_path = {{ certificates_dir }}/fullchain.pem
+
+# protocol sets the connection protocol, http or https. Include '://' at the end.
+# Default is http
+# protocol = https://
+
+# port sets the port to use to connect. Default is 80. If protocol is https,
+# this MUST be set to your https port.
+# port = 443
+
+# set ftp_enabled to true if you have the FTP service enabled on your FreeNAS. Default is false. 
+# ftp_enabled = true
+
+{% if service_s3 is defined %}
+s3_enabled = true
+{% endif %}
\ No newline at end of file
diff --git a/ansible/roles/truenas/templates/scripts/report_pools.sh b/ansible/roles/truenas/templates/scripts/report_pools.sh
new file mode 100644
index 000000000..8c3261602
--- /dev/null
+++ b/ansible/roles/truenas/templates/scripts/report_pools.sh
@@ -0,0 +1,162 @@
+#!/bin/sh
+
+### Parameters ###
+
+# Specify your email address here:
+email="truenas@{{ SECRET_EMAIL_DOMAIN }}"
+
+# zpool output changed from FreeNAS version 11.0 to 11.1, breaking
+# our parsing of the scrubErrors and scrubDate variables. Added a
+# conditional to test for the FreeNAS version and parse accordingly.
+# This changed again with the release of TrueNAS. Ironically, back to
+# the way parsing worked with older versions of FreeNAS.
+#
+# We obtain the FreeBSD version using uname, as suggested by user
+# Chris Moore on the FreeBSD forum.
+#
+# 'uname -K' gives 7-digit OS release and version, e.g.:
+#
+# FreeBSD 11.0 1100512
+# FreeBSD 11.1 1101505
+# FreeBSD 12.2 1202000
+
+fbsd_relver=$(uname -K)
+
+freenashost=$(hostname -s | tr '[:lower:]' '[:upper:]')
+boundary="===== MIME boundary; FreeNAS server ${freenashost} ====="
+logfile="/tmp/zpool_report.tmp"
+subject="ZPool Status Report for ${freenashost}"
+pools=$(zpool list -H -o name)
+usedWarn=75
+usedCrit=90
+scrubAgeWarn=30
+warnSymbol="?"
+critSymbol="!"
+
+### Set email headers ###
+printf "%s\n" "To: ${email}
+Subject: ${subject}
+Mime-Version: 1.0
+Content-Type: multipart/mixed; boundary=\"$boundary\"
+
+--${boundary}
+Content-Type: text/html; charset=\"US-ASCII\"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline
+
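Review bot: The header comment names `deploy_certificates.py`, but the script that reads this file is `certificates_deploy.py` (see certificates_deploy.bash in this patch); change it to `# Configuration file for certificates_deploy.py`. Because `api_key = {{ root_api_key }}` is rendered into this file, the commented defaults matter: `protocol` defaults to http and `verify` to false, which is only acceptable while `connect_host` stays at localhost. A note next to `# connect_host` such as `# if you point this at a remote host, also set protocol = https:// and verify = true, otherwise the API key travels in clear` would keep a later edit from silently downgrading the transport.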
" >> ${logfile}
+
+###### summary ######
+(
+  echo "########## ZPool status report summary for all pools on server ${freenashost} ##########"
+  echo ""
+  echo "+--------------+--------+------+------+------+----+----+--------+------+-----+"
+  echo "|Pool Name     |Status  |Read  |Write |Cksum |Used|Frag|Scrub   |Scrub |Last |"
+  echo "|              |        |Errors|Errors|Errors|    |    |Repaired|Errors|Scrub|"
+  echo "|              |        |      |      |      |    |    |Bytes   |      |Age  |"
+  echo "+--------------+--------+------+------+------+----+----+--------+------+-----+"
+) >> ${logfile}
+
+for pool in $pools; do
+  if [ "$fbsd_relver" -ge 1101000 ]; then
+    frag="$(zpool list -H -o frag "$pool")"   
+  else
+    if [ "${pool}" = "freenas-boot" ] || [ "${pool}" = "boot-pool" ]; then
+      frag=""
+    else
+      frag="$(zpool list -H -o frag "$pool")"
+    fi
+  fi
+
+  status="$(zpool list -H -o health "$pool")"
+  errors="$(zpool status "$pool" | grep -E "(ONLINE|DEGRADED|FAULTED|UNAVAIL|REMOVED)[ \t]+[0-9]+")"
+  readErrors=0
+  for err in $(echo "$errors" | awk '{print $3}'); do
+    if echo "$err" | grep -E -q "[^0-9]+"; then
+      readErrors=1000
+      break
+    fi
+    readErrors=$((readErrors + err))
+  done
+  writeErrors=0
+  for err in $(echo "$errors" | awk '{print $4}'); do
+    if echo "$err" | grep -E -q "[^0-9]+"; then
+      writeErrors=1000
+      break
+    fi
+    writeErrors=$((writeErrors + err))
+  done
+  cksumErrors=0
+  for err in $(echo "$errors" | awk '{print $5}'); do
+    if echo "$err" | grep -E -q "[^0-9]+"; then
+      cksumErrors=1000
+      break
+    fi
+    cksumErrors=$((cksumErrors + err))
+  done
+  if [ "$readErrors" -gt 999 ]; then readErrors=">1K"; fi
+  if [ "$writeErrors" -gt 999 ]; then writeErrors=">1K"; fi
+  if [ "$cksumErrors" -gt 999 ]; then cksumErrors=">1K"; fi
+  used="$(zpool list -H -p -o capacity "$pool")"
+  scrubRepBytes="N/A"
+  scrubErrors="N/A"
+  scrubAge="N/A"
+  if [ "$(zpool status "$pool" | grep "scan" | awk '{print $2}')" = "scrub" ]; then
+    scrubRepBytes="$(zpool status "$pool" | grep "scan" | awk '{print $4}')"
+    if [ "$fbsd_relver" -gt 1101000 ] && [ "$fbsd_relver" -lt 1200000 ]; then
+      scrubErrors="$(zpool status "$pool" | grep "scan" | awk '{print $10}')"
+      scrubDate="$(zpool status "$pool" | grep "scan" | awk '{print $17"-"$14"-"$15"_"$16}')"
+    else
+      scrubErrors="$(zpool status "$pool" | grep "scan" | awk '{print $8}')"
+      scrubDate="$(zpool status "$pool" | grep "scan" | awk '{print $15"-"$12"-"$13"_"$14}')"
+    fi
+    scrubTS="$(date -j -f "%Y-%b-%e_%H:%M:%S" "$scrubDate" "+%s")"
+    currentTS="$(date "+%s")"
+    scrubAge=$((((currentTS - scrubTS) + 43200) / 86400))
+  fi
+  if [ "$status" = "FAULTED" ] || [ "$used" -gt "$usedCrit" ]; then
+    symbol="$critSymbol"  
+  elif [ "$scrubErrors" != "N/A" ] && [ "$scrubErrors" != "0" ]; then
+    symbol="$critSymbol"
+  elif [ "$status" != "ONLINE" ] \
+  || [ "$readErrors" != "0" ] \
+  || [ "$writeErrors" != "0" ] \
+  || [ "$cksumErrors" != "0" ] \
+  || [ "$used" -gt "$usedWarn" ] \
+  || [ "$(echo "$scrubAge" | awk '{print int($1)}')" -gt "$scrubAgeWarn" ]; then
+    symbol="$warnSymbol"  
+  elif [ "$scrubRepBytes" != "0" ] &&  [ "$scrubRepBytes" != "0B" ] && [ "$scrubRepBytes" != "N/A" ]; then
+    symbol="$warnSymbol"
+  else
+    symbol=" "
+  fi
+  (
+  printf "|%-12s %1s|%-8s|%6s|%6s|%6s|%3s%%|%4s|%8s|%6s|%5s|\n" \
+  "$pool" "$symbol" "$status" "$readErrors" "$writeErrors" "$cksumErrors" \
+  "$used" "$frag" "$scrubRepBytes" "$scrubErrors" "$scrubAge"
+  ) >> ${logfile}
+  done
+
+(
+  echo "+--------------+--------+------+------+------+----+----+--------+------+-----+"
+) >> ${logfile}
+
+###### for each pool ######
+for pool in $pools; do
+  (
+  echo ""
+  echo "########## ZPool status report for ${pool} ##########"
+  echo ""
+  zpool status -v "$pool"
+  ) >> ${logfile}
+done
+
+printf "%s\n" "
+--${boundary}--" >> ${logfile}
+
+### Send report ###
+if [ -z "${email}" ]; then
+ echo "No email address specified, information available in ${logfile}"
+else
+ sendmail -t -oi < ${logfile}
+ rm ${logfile}
+fi
\ No newline at end of file
diff --git a/ansible/roles/truenas/templates/scripts/report_smart.sh b/ansible/roles/truenas/templates/scripts/report_smart.sh
new file mode 100644
index 000000000..8b5e7588c
--- /dev/null
+++ b/ansible/roles/truenas/templates/scripts/report_smart.sh
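Review bot: `logfile="/tmp/zpool_report.tmp"` is a fixed name in a world-writable directory and every write uses `>>`, so a file or symlink left there by another local account — or by a previous run that never reached `rm` — is appended to and its contents are mailed out with the report. Create the file privately with `logfile=$(mktemp /tmp/zpool_report.XXXXXX) || exit 1` (the later `>>` appends are then harmless because the file starts empty); the same fix applies to report_smart.sh in this patch, which additionally uses the relative `logfile="smart_report.tmp"` and so writes into whatever the cron working directory happens to be. `sendmail -t -oi < ${logfile}` is unchecked, so a mail failure leaves nothing behind once `rm` runs; `sendmail -t -oi < ${logfile} && rm ${logfile}` keeps the report for inspection on failure.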
@@ -0,0 +1,267 @@ +#!/bin/sh + +### Parameters ### + +# Specify your email address here: +email="truenas@{{ SECRET_EMAIL_DOMAIN }}" + +# Full path to 'smartctl' program: +smartctl=/usr/local/sbin/smartctl + +freenashost=$(hostname -s | tr '[:lower:]' '[:upper:]') +boundary="===== MIME boundary; FreeNAS server ${freenashost} =====" +logfile="smart_report.tmp" +subject="SMART Status Report for ${freenashost}" +tempWarn=40 +tempCrit=45 +sectorsCrit=10 +testAgeWarn=1 +warnSymbol="?" +critSymbol="!" +Drive_count=0 +SATA_count=0 +SAS_count=0 +Drive_list="" +SATA_list="" +SAS_list="" + +# Get list of SMART-enabled drives +get_smart_drives() +{ + gs_drives=$("$smartctl" --scan | awk '{print $1}') + for gs_drive in $gs_drives; do + gs_smart_flag=$("$smartctl" -i "$gs_drive" | grep -E "SMART support is:[[:blank:]]+Enabled" | awk '{print $4}') + if [ "$gs_smart_flag" = "Enabled" ]; then + Drive_list="$Drive_list $gs_drive" + Drive_count=$((Drive_count + 1)) + fi + done +} + +# Get list of SATA disks, including older drives that only report an ATA version +get_sata_drives() +{ + for drive in $Drive_list; do + lFound=0 + gsata_smart_flag=$("$smartctl" -i "$drive" | grep -E "SATA Version is:[[:blank:]]" | awk '{print $4}') + if [ "$gsata_smart_flag" = "SATA" ]; then + lFound=$((lFound + 1)) + else + gsata_smart_flag=$("$smartctl" -i "$drive" | grep -E "ATA Version is:[[:blank:]]" | awk '{print $1}') + if [ "$gsata_smart_flag" = "ATA" ]; then + lFound=$((lFound + 1)) + fi + fi + if [ $lFound -gt 0 ]; then + SATA_list="$SATA_list $drive" + SATA_count=$((SATA_count + 1)) + fi + done +} + +# Get list of SAS disks +get_sas_drives() +{ + for drive in $Drive_list; do + gsas_smart_flag=$("$smartctl" -i "$drive" | grep -E "Transport protocol:[[:blank:]]+SAS" | awk '{print $3}') + if [ "$gsas_smart_flag" = "SAS" ]; then + SAS_list="$SAS_list $drive" + SAS_count=$((SAS_count + 1)) + fi + done +} + +### Fetch drive lists ### +get_smart_drives +get_sata_drives +get_sas_drives + +### Set 
email headers ### +printf "%s\n" "To: ${email} +Subject: ${subject} +Mime-Version: 1.0 +Content-Type: multipart/mixed; boundary=\"$boundary\" + +--${boundary} +Content-Type: text/html; charset=\"US-ASCII\" +Content-Transfer-Encoding: 7bit +Content-Disposition: inline +
" > ${logfile}
+
+if [ $Drive_count -eq 0 ]; then
+  echo "##### No SMART-enabled disks found on this system #####" >> "$logfile"
+fi
+
+###### Summary for SATA drives ######
+if [ $SATA_count -gt 0 ]; then
+  (
+   echo "########## SMART status report summary for all SATA drives on server ${freenashost} ##########"
+   echo ""
+   echo "+------+------------------------+----+------+-----+-----+-------+-------+--------+------+----------+------+-----------+----+"
+   echo "|Device|Serial                  |Temp| Power|Start|Spin |ReAlloc|Current|Offline |Seek  |Total     |High  |    Command|Last|"
+   echo "|      |Number                  |    | On   |Stop |Retry|Sectors|Pending|Uncorrec|Errors|Seeks     |Fly   |    Timeout|Test|"
+   echo "|      |                        |    | Hours|Count|Count|       |Sectors|Sectors |      |          |Writes|    Count  |Age |"
+   echo "+------+------------------------+----+------+-----+-----+-------+-------+--------+------+----------+------+-----------+----+"
+  ) >> "$logfile"
+  
+  ###### Detail information for each SATA drive ######
+  for drive in $SATA_list; do
+    (
+    devid=$(basename "$drive")
+    lastTestHours=$("$smartctl" -l selftest "$drive" | grep "# 1" | awk '{print $9}')
+    "$smartctl" -A -i -v 7,hex48 "$drive" | \
+    awk -v device="$devid" -v tempWarn="$tempWarn" -v tempCrit="$tempCrit" -v sectorsCrit="$sectorsCrit" \
+    -v testAgeWarn="$testAgeWarn" -v warnSymbol="$warnSymbol" -v critSymbol="$critSymbol" \
+    -v lastTestHours="$lastTestHours" '
+    /Serial Number:/{serial=$3}
+    /190 Airflow_Temperature/{temp=$10}
+    /194 Temperature/{temp=$10}
+    /Power_On_Hours/{split($10,a,"+");sub(/h/,"",a[1]);onHours=a[1];}
+    /Start_Stop_Count/{startStop=$10}
+    /Spin_Retry_Count/{spinRetry=$10}
+    /Reallocated_Sector/{reAlloc=$10}
+    /Current_Pending_Sector/{pending=$10}
+    /Offline_Uncorrectable/{offlineUnc=$10}
+    /Seek_Error_Rate/{seekErrors=("0x" substr($10,3,4));totalSeeks=("0x" substr($10,7))}
+    /High_Fly_Writes/{hiFlyWr=$10}
+    /Command_Timeout/{cmdTimeout=$10}
+    END {
+      testAge=sprintf("%.0f", (onHours - lastTestHours) / 24);
+      if (temp > tempCrit || reAlloc > sectorsCrit || pending > sectorsCrit || offlineUnc > sectorsCrit)
+        device=device " " critSymbol;
+      else if (temp > tempWarn || reAlloc > 0 || pending > 0 || offlineUnc > 0 || testAge > testAgeWarn)
+        device=device " " warnSymbol;
+      seekErrors=sprintf("%d", seekErrors);
+      totalSeeks=sprintf("%d", totalSeeks);
+      if (totalSeeks == "0") {
+        seekErrors="N/A";
+        totalSeeks="N/A";
+      }
+      if (temp > tempWarn || temp > tempCrit) temp=temp"*"
+      if (reAlloc > 0 || reAlloc > sectorsCrit) reAlloc=reAlloc"*"
+      if (pending > 0 || pending > sectorsCrit) pending=pending"*"
+      if (offlineUnc > 0 || offlineUnc > sectorsCrit) offlineUnc=offlineUnc"*"
+      if (testAge > testAgeWarn) testAge=testAge"*"
+      if (hiFlyWr == "") hiFlyWr="N/A";
+      if (cmdTimeout == "") cmdTimeout="N/A";
+      printf "|%-6s|%-24s|%-4s|%6s|%5s|%5s|%7s|%7s|%8s|%6s|%10s|%6s|%11s|%4s|\n",
+        device, serial, temp, onHours, startStop, spinRetry, reAlloc, pending, offlineUnc,
+        seekErrors, totalSeeks, hiFlyWr, cmdTimeout, testAge;
+      }'
+    ) >> "$logfile"
+  done
+  (
+    echo "+------+------------------------+----+------+-----+-----+-------+-------+--------+------+----------+------+-----------+----+"
+  ) >> "$logfile"
+fi
+
+###### Summary for SAS drives ######
+if [ $SAS_count -gt 0 ]; then
+  (
+    if [ $SATA_count -gt 0 ]; then
+      echo ""
+    fi
+  
+    echo "########## SMART status report summary for all SAS drives on server ${freenashost} ##########"
+    echo ""
+    echo "+------+------------------------+----+-----+------+------+------+------+------+------+"
+    echo "|Device|Serial                  |Temp|Start|Load  |Defect|Uncorr|Uncorr|Uncorr|Non   |"
+    echo "|      |Number                  |    |Stop |Unload|List  |Read  |Write |Verify|Medium|"
+    echo "|      |                        |    |Count|Count |Elems |Errors|Errors|Errors|Errors|"
+    echo "+------+------------------------+----+-----+------+------+------+------+------+------+"
+  ) >> "$logfile"
+  
+  ###### Detail information for each SAS drive ######
+  for drive in $SAS_list; do
+    (
+    devid=$(basename "$drive")
+    "$smartctl" -a "$drive" | \
+    awk -v device="$devid" -v tempWarn="$tempWarn" -v tempCrit="$tempCrit" \
+    -v warnSymbol="$warnSymbol" -v critSymbol="$critSymbol" '\
+    /Serial number:/{serial=$3}
+    /Current Drive Temperature:/{temp=$4} \
+    /start-stop cycles:/{startStop=$4} \
+    /load-unload cycles:/{loadUnload=$4} \
+    /grown defect list:/{defectList=$6} \
+    /read:/{readErrors=$8} \
+    /write:/{writeErrors=$8} \
+    /verify:/{verifyErrors=$8} \
+    /Non-medium error count:/{nonMediumErrors=$4} \
+    END {
+      if (temp > tempCrit)
+      device=device " " critSymbol;
+    else if (temp > tempWarn)
+        device=device " " warnSymbol;
+      printf "|%-6s|%-24s| %3s|%5s|%6s|%6s|%6s|%6s|%6s|%6s|\n",
+      device, serial, temp, startStop, loadUnload, defectList, \
+      readErrors, writeErrors, verifyErrors, nonMediumErrors;
+     }'
+    ) >> "$logfile"
+  done
+  (
+    echo "+------+------------------------+----+-----+------+------+------+------+------+------+"
+  ) >> "$logfile"
+fi
+
+if [ $SATA_count -gt 0 ] || [ $SAS_count -gt 0 ]; then
+ 
+  ###### Emit SATA drive information ######
+  for drive in $SATA_list; do
+    vendor=$("$smartctl" -i "$drive" | grep "Vendor:" | awk '{print $NF}')
+    if [ -z "$vendor" ]; then
+      dfamily=$("$smartctl" -i "$drive" | grep "Model Family" | awk '{print $3, $4, $5, $6, $7}' | sed -e 's/[[:space:]]*$//')
+      dmodel=$("$smartctl" -i "$drive" | grep "Device Model" | awk '{print $3, $4, $5, $6, $7}' | sed -e 's/[[:space:]]*$//')
+      if [ -z "$dfamily" ]; then
+        dinfo=$dmodel
+      else
+        dinfo="$dfamily ($dmodel)"
+      fi
+    else
+      product=$("$smartctl" -i "$drive" | grep "Product:" | awk '{print $NF}')
+      revision=$("$smartctl" -i "$drive" | grep "Revision:" | awk '{print $NF}')
+      dinfo="$vendor $product $revision"
+    fi
+    serial=$("$smartctl" -i "$drive" | grep "Serial Number" | awk '{print $3}')
+    (
+    echo ""
+    echo "########## SATA drive $drive Serial: $serial"
+    echo "########## ${dinfo}" 
+    "$smartctl" -n never -H -A -l error "$drive"
+    "$smartctl" -n never -l selftest "$drive" | grep "# 1 \\|Num" | cut -c6-
+    ) >> "$logfile"
+  done
+  
+  ###### Emit SAS drive information ######
+  for drive in $SAS_list; do
+    devid=$(basename "$drive")
+    brand=$("$smartctl" -i "$drive" | grep "Product" | sed "s/^.* //")
+    serial=$("$smartctl" -i "$drive" | grep "Serial number" | sed "s/^.* //")
+    (
+    echo ""
+    echo "########## SMART status for SAS drive $drive $serial (${brand}) ##########"
+    "$smartctl" -n never -H -A -l error "$drive"
+    "$smartctl" -n never -l selftest "$drive" | grep "# 1 \\|Num" | cut -c6-
+    ) >> "$logfile"
+  done
+fi
+
+sed -i '' -e '/smartctl 7.*/d' "$logfile"
+sed -i '' -e '/smartctl 6.*/d' "$logfile"
+sed -i '' -e '/smartctl 5.*/d' "$logfile"
+sed -i '' -e '/smartctl 4.*/d' "$logfile"
+sed -i '' -e '/Copyright/d' "$logfile"
+sed -i '' -e '/=== START OF READ/d' "$logfile"
+sed -i '' -e '/SMART Attributes Data/d' "$logfile"
+sed -i '' -e '/Vendor Specific SMART/d' "$logfile"
+sed -i '' -e '/SMART Error Log Version/d' "$logfile"
+
+printf "%s\n" "
+--${boundary}--" >> ${logfile}
+
+### Send report ###
+if [ -z "${email}" ]; then
+ echo "No email address specified, information available in ${logfile}"
+else
+ sendmail -t -oi < "$logfile"
+ rm "$logfile"
+fi
\ No newline at end of file
diff --git a/ansible/roles/truenas/templates/scripts/report_ups.sh b/ansible/roles/truenas/templates/scripts/report_ups.sh
new file mode 100644
index 000000000..13277ddaf
--- /dev/null
+++ b/ansible/roles/truenas/templates/scripts/report_ups.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+
+# Send UPS report to designated email address
+# Reference: http://networkupstools.org/docs/developer-guide.chunked/apas01.html
+
+### Parameters ###
+
+# Specify your email address here:
+email="truenas@{{ SECRET_EMAIL_DOMAIN }}"
+
+# Set to a value greater than zero to include all available UPSC
+# variables in the report:
+senddetail=0
+
+freenashost=$(hostname -s)
+freenashostuc=$(hostname -s | tr '[:lower:]' '[:upper:]')
+boundary="===== MIME boundary; FreeNAS server ${freenashost} ====="
+logfile="/tmp/ups_report.tmp"
+subject="UPS Status Report for ${freenashostuc}"
+
+### Set email headers ###
+printf "%s\n" "To: ${email}
+Subject: ${subject}
+Mime-Version: 1.0
+Content-Type: multipart/mixed; boundary=\"$boundary\"
+
+--${boundary}
+Content-Type: text/html; charset=\"US-ASCII\"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline
+
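Review bot: `logfile="smart_report.tmp"` near the top of this hunk is a relative path, so the report, the nine BSD `sed -i ''` edits and the final `rm "$logfile"` all operate in whatever directory the periodic job happens to start from, while the UPS script added in this same commit writes to an absolute `/tmp/ups_report.tmp`. A fixed name is also reused by every run; `logfile=$(mktemp /tmp/smart_report.XXXXXX)` gives each run a private file and makes the two scripts consistent. The `if [ -z "${email}" ]` check at the end can never fire because `email` is set unconditionally from `{{ SECRET_EMAIL_DOMAIN }}` at the top, so either drop it or move the check before the report is built.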
" >> ${logfile}
+
+# Get a list of all ups devices installed on the system:
+
+upslist=$(upsc -l "${freenashost}")
+
+### Set email body ###
+(
+ date "+Time: %Y-%m-%d %H:%M:%S"
+ echo ""
+ for ups in $upslist; do
+   ups_type=$(upsc "${ups}" device.type 2> /dev/null | tr '[:lower:]' '[:upper:]')
+   ups_mfr=$(upsc "${ups}" ups.mfr 2> /dev/null)
+   ups_model=$(upsc "${ups}" ups.model 2> /dev/null)
+   ups_serial=$(upsc "${ups}" ups.serial 2> /dev/null)
+   ups_status=$(upsc "${ups}" ups.status 2> /dev/null)
+   ups_load=$(upsc "${ups}" ups.load 2> /dev/null)
+   ups_realpower=$(upsc "${ups}" ups.realpower 2> /dev/null)
+   ups_realpowernominal=$(upsc "${ups}" ups.realpower.nominal 2> /dev/null)
+   ups_batterycharge=$(upsc "${ups}" battery.charge 2> /dev/null)
+   ups_batteryruntime=$(upsc "${ups}" battery.runtime 2> /dev/null)
+   ups_batteryvoltage=$(upsc "${ups}" battery.voltage 2> /dev/null)
+   ups_inputvoltage=$(upsc "${ups}" input.voltage 2> /dev/null)
+   ups_outputvoltage=$(upsc "${ups}" output.voltage 2> /dev/null)
+   printf "=== %s %s, model %s, serial number %s\n\n" "${ups_mfr}" "${ups_type}" "${ups_model}" "${ups_serial} ==="
+   echo "Name: ${ups}"
+   echo "Status: ${ups_status}"
+   echo "Output Load: ${ups_load}%"
+   if [ ! -z "${ups_realpower}" ]; then
+     echo "Real Power: ${ups_realpower}W"
+   fi
+   if [ ! -z "${ups_realpowernominal}" ]; then
+     echo "Real Power: ${ups_realpowernominal}W (nominal)"
+   fi
+   if [ ! -z "${ups_inputvoltage}" ]; then
+     echo "Input Voltage: ${ups_inputvoltage}V"
+   fi
+   if [ ! -z "${ups_outputvoltage}" ]; then
+     echo "Output Voltage: ${ups_outputvoltage}V"
+   fi
+   echo "Battery Runtime: ${ups_batteryruntime}s"
+   echo "Battery Charge: ${ups_batterycharge}%"
+   echo "Battery Voltage: ${ups_batteryvoltage}V"
+   echo ""
+   if [ $senddetail -gt 0 ]; then
+     echo "=== ALL AVAILABLE UPS VARIABLES ==="
+     upsc "${ups}"
+     echo ""
+   fi
+ done
+) >> ${logfile}
+
+printf "%s\n" "
+--${boundary}--" >> ${logfile}
+
+### Send report ###
+if [ -z "${email}" ]; then
+ echo "No email address specified, information available in ${logfile}"
+else
+ sendmail -t -oi < ${logfile}
+ rm ${logfile}
+fi
+
diff --git a/ansible/roles/truenas/templates/scripts/snapshots_prune.sh b/ansible/roles/truenas/templates/scripts/snapshots_prune.sh
new file mode 100644
index 000000000..cead76aeb
--- /dev/null
+++ b/ansible/roles/truenas/templates/scripts/snapshots_prune.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# DEBUG
+# set -x
+
+# Variables
+SCRIPT_PATH="{{ scripts_dir }}"
+INTERVAL="{{ snapshots_interval }}"
+POOL_NAME="{{ pool_name }}"
+
+# Prune
+
+${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals ${INTERVAL} ${POOL_NAME}
+${SCRIPT_PATH}/snapshots_clearempty.py --recursive ${POOL_NAME}
+{% if ansible_facts['nodename'] == "truenas.{{ SECRET_DOMAIN }}" %}
+${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:14 storage/video
+{% endif %}
\ No newline at end of file
diff --git a/ansible/roles/truenas/templates/telegraf/telegraf.conf b/ansible/roles/truenas/templates/telegraf/telegraf.conf
new file mode 100644
index 000000000..edd942ae1
--- /dev/null
+++ b/ansible/roles/truenas/templates/telegraf/telegraf.conf
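Review bot: The header `printf` near the top of this hunk appends (`>> ${logfile}`) to the fixed path `logfile="/tmp/ups_report.tmp"`, and the file is only removed after `sendmail` succeeds, so any run that aborts before the final `rm` leaves its content to be prepended to the next report. The SMART script in this commit uses `>` for the same header write; using `>` here, or better `logfile=$(mktemp /tmp/ups_report.XXXXXX)`, avoids both the stale-content problem and a predictable name in the shared `/tmp`. The unquoted `${logfile}` in `sendmail -t -oi < ${logfile}` and `rm ${logfile}` should be quoted as `"$logfile"`, matching the SMART script.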
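Review bot: The condition `{% if ansible_facts['nodename'] == "truenas.{{ SECRET_DOMAIN }}" %}` compares against a string literal: inside a Jinja `{% %}` statement the `{{ ... }}` inside quotes is not interpolated, so the right-hand side is the literal text `truenas.{{ SECRET_DOMAIN }}` and the guarded `storage/video` prune line is never rendered on any host. The intended comparison is `{% if ansible_facts['nodename'] == "truenas." ~ SECRET_DOMAIN %}`. The three script invocations also run without `set -e`, so a failing `snapshots_prune.py` does not stop `snapshots_clearempty.py` from running afterwards; add `set -e` after the shebang if that ordering matters.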
@@ -0,0 +1,49 @@
+[agent]
+ interval = "20s"
+ round_interval = true
+ metric_batch_size = 1000
+ metric_buffer_limit = 10000
+ collection_jitter = "0s"
+ flush_interval = "30s"
+ flush_jitter = "0s"
+ precision = ""
+ debug = false
+ quiet = false
+ hostname = "{{ ansible_facts['nodename'] }}"
+ omit_hostname = false
+
+[[outputs.prometheus_client]]
+ listen = ":9273"
+ metric_version = 2
+ path = "/metrics"
+ string_as_label = true
+ expiration_interval = "60m"
+
+[[inputs.cpu]]
+ percpu = true
+ totalcpu = true
+
+[[inputs.diskio]]
+
+[[inputs.exec]]
+ commands = ["{{ telegraf_dir }}/cputemp"]
+ data_format = "influx"
+
+[[inputs.exec]]
+ commands = ["{{ scripts_dir }}/telegraf_hddtemp.bash"]
+ name_override = "disktemp"
+ timeout = "5s"
+ data_format = "json"
+ tag_keys = ["disk"]
+
+[[inputs.mem]]
+
+[[inputs.net]]
+ interfaces = ["em0", "igb0"]
+
+[[inputs.system]]
+
+[[inputs.netstat]]
+
+[[inputs.zfs]]
+ poolMetrics = true
diff --git a/ansible/roles/truenas/templates/wireguard/ip-check.bash b/ansible/roles/truenas/templates/wireguard/ip-check.bash
new file mode 100644
index 000000000..cb8c1416d
--- /dev/null
+++ b/ansible/roles/truenas/templates/wireguard/ip-check.bash
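Review bot: `listen = ":9273"` under `[[outputs.prometheus_client]]` binds the metrics endpoint on every interface with no authentication or TLS, so anything that can reach the host on that port, including peers of the WireGuard tunnel configured elsewhere in this commit, can read the CPU, memory, disk, network, netstat and ZFS pool metrics collected here. Bind it to the management address, e.g. `listen = "<management-ip>:9273"` (placeholder), and/or restrict the port with the host firewall; the plugin's `basic_username`/`basic_password` and TLS options are the fallback when the scraper is not on a trusted network.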
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Check status of interface
+# {{ wg_interface }}: name of the interface to check
+# {{ dns_hostname }}: the name of the peer whose IP should be checked
+
+cip=$(wg show {{ wg_interface }} endpoints | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
+echo "Wireguard peer IP from Interface: $cip"
+pingip=$(ping -c 1 {{ ping_ip }} &> /dev/null && echo success || echo fail) #change ip to target server
+digIP=$(dig +short {{ dns_hostname }}) #the peer address must be set
+echo "$digIP"
+if [ "$digIP" != "$cip" ]
+then
+ echo "IPs doesn't match, restarting wireguard"
+ wg-quick down {{ homelab_homedir }}/{{ wg_interface }}.conf
+ wg-quick up {{ homelab_homedir }}/{{ wg_interface }}.conf
+elif [ "$pingip" != "success" ]
+then
+ echo "Ping failed, restarting wireguard..."
+ wg-quick down {{ homelab_homedir }}/{{ wg_interface }}.conf
+ wg-quick up {{ homelab_homedir }}/{{ wg_interface }}.conf
+else
+ echo "OK"
+ #nothing else todo
+fi
diff --git a/ansible/roles/truenas/templates/wireguard/truenas-remote.xpander.ovh.conf b/ansible/roles/truenas/templates/wireguard/truenas-remote.xpander.ovh.conf
new file mode 100644
index 000000000..72b2bbfe7
--- /dev/null
+++ b/ansible/roles/truenas/templates/wireguard/truenas-remote.xpander.ovh.conf
@@ -0,0 +1,11 @@
+[Interface]
+Address = 10.10.0.2/32
+ListenPort = 51820
+PrivateKey = 8Gw/9MJpo8AwSmEY8W/zgPu6z0Lvn7E2LvRRDpkMhFo=
+DNS = 192.168.8.1, {{ SECRET_DOMAIN }}
+
+[Peer]
+PublicKey = K7kgSuPwH2NA7FeLHwvGMX02kvhD8DxHgL/wflsgx34=
+AllowedIPs = 0.0.0.0/0
+Endpoint = services.{{ SECRET_DOMAIN }}:51820
+PersistentKeepalive = 25
diff --git a/ansible/roles/workstation/defaults/main.yml b/ansible/roles/workstation/defaults/main.yml
new file mode 100644
index 000000000..0a5651e93
--- /dev/null
+++ b/ansible/roles/workstation/defaults/main.yml
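Review bot: `cip` and `digIP` are compared as whole strings in `[ "$digIP" != "$cip" ]`, but `wg show ... endpoints` prints one line per peer and `dig +short` returns every record in the answer (a CNAME target plus one or more A records, or several A records), so with more than one value on either side the strings never match and the script tears the tunnel down and back up on every run. Compare a single address on each side, e.g. `digIP=$(dig +short A {{ dns_hostname }} | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -n1)` and `cip=$(... | head -n1)`, and skip the restart when `digIP` is empty (a DNS failure) instead of treating it as a mismatch. The two identical `wg-quick down`/`wg-quick up` pairs belong in one function called from both branches.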
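Review bot: `PrivateKey = 8Gw/9MJpo8AwSmEY8W/zgPu6z0Lvn7E2LvRRDpkMhFo=` is a WireGuard private key committed in clear text to a repository whose stated purpose in this commit is to move secrets under sops; the same applies to `PrivateKey = kPbM3V+bV74avE/GXFwhOrmaRSf3p34bm/aR3A72GG4=` in `ansible/roles/workstation/files/wireguard/claude-thinkpad-fedora.conf` later in this diff. Once pushed, both keys are in git history and should be treated as compromised: generate new keypairs on the two hosts, update the matching `[Peer]` entries on the `services.{{ SECRET_DOMAIN }}` endpoint, and render this template from a sops-encrypted host variable, e.g. `PrivateKey = {{ SECRET_WG_PRIVATE_KEY }}` (placeholder name). The `PublicKey` lines can stay in the repository as they are.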
@@ -0,0 +1,42 @@
+fonts_dir: ~/.local/share/fonts
+icons_dir: ~/.local/share/icons
+newaita_iconset_url: "https://github.com/cbrnix/Newaita/archive/1.09.20a.tar.gz"
+nas_hostname: truenas
+mnt_dir: /mnt
+nas_dir: ~/NAS
+nfs_shares:
+ - {
+ src: "{{ nas_hostname }}:/mnt/storage/downloads",
+ path: "{{ mnt_dir }}/downloads",
+ link: "{{ nas_dir }}/downloads",
+ }
+ - {
+ src: "{{ nas_hostname }}:/mnt/storage/shared-documents",
+ path: "{{ mnt_dir }}/shared-documents",
+ link: "{{ nas_dir }}/shared-documents",
+ }
+ - {
+ src: "{{ nas_hostname }}:/mnt/storage/home/claude",
+ path: "{{ mnt_dir }}/home-claude",
+ link: "{{ nas_dir }}/home-claude",
+ }
+ - {
+ src: "{{ nas_hostname }}:/mnt/storage/home/helene",
+ path: "{{ mnt_dir }}/home-helene",
+ link: "{{ nas_dir }}/home-helene",
+ }
+ - {
+ src: "{{ nas_hostname }}:/mnt/storage/photo",
+ path: "{{ mnt_dir }}/photo",
+ link: "{{ nas_dir }}/photo",
+ }
+ - {
+ src: "{{ nas_hostname }}:/mnt/storage/music",
+ path: "{{ mnt_dir }}/music",
+ link: "/home/claude/Music",
+ }
+ - {
+ src: "{{ nas_hostname }}:/mnt/storage/video",
+ path: "{{ mnt_dir }}/video",
+ link: "/home/claude/Videos",
+ }
diff --git a/ansible/roles/workstation/files/scripts/backup-local-usb-disk-one.bash b/ansible/roles/workstation/files/scripts/backup-local-usb-disk-one.bash
new file mode 100755
index 000000000..242d09bc8
--- /dev/null
+++ b/ansible/roles/workstation/files/scripts/backup-local-usb-disk-one.bash
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+mkdir -p /run/media/claude/local-backups/{backups,documents,downloads,photo,piracy,jails}
+
+# Disk one (4TB)
+sudo rsync -avhP /mnt/backups/ /run/media/claude/local-backups/backups/ --delete
+sudo rsync -avhP /mnt/documents/ /run/media/claude/local-backups/documents/ --delete
+sudo rsync -avhP /mnt/downloads/ /run/media/claude/local-backups/downloads/ --delete
+sudo rsync -avhP /mnt/photo/ /run/media/claude/local-backups/photo/ --delete
+sudo rsync -avhP /mnt/piracy/ /run/media/claude/local-backups/piracy/ --delete
+sudo rsync -avhP /mnt/iocage/jails/ /run/media/claude/local-backups/jails/ --delete
\ No newline at end of file
diff --git a/ansible/roles/workstation/files/scripts/backup-local-usb-disk-two.bash b/ansible/roles/workstation/files/scripts/backup-local-usb-disk-two.bash
new file mode 100755
index 000000000..fb34855b0
--- /dev/null
+++ b/ansible/roles/workstation/files/scripts/backup-local-usb-disk-two.bash
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Disk two (2.5TB)
+mkdir -p /run/media/claude/local-backups/music
+mkdir -p /run/media/claude/local-backups/home/{claude,helene}
+
+sudo rsync -avhP /mnt/home-claude/ /run/media/claude/local-backups/home/claude/ --delete
+sudo rsync -avhP /mnt/home-helene/ /run/media/claude/local-backups/home/helene/ --delete
+sudo rsync -avhP /mnt/music/ /run/media/claude/local-backups/music/ --delete
\ No newline at end of file
diff --git a/ansible/roles/workstation/files/scripts/update-pip.bash b/ansible/roles/workstation/files/scripts/update-pip.bash
new file mode 100644
index 000000000..fba7f73d0
--- /dev/null
+++ b/ansible/roles/workstation/files/scripts/update-pip.bash
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+pip3 list --outdated --user --format=freeze | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip3 install -U --user
\ No newline at end of file
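Review bot: Neither backup script checks that `/run/media/claude/local-backups` is a mounted USB disk before it starts: `mkdir -p` will create that tree on the root filesystem when the disk is absent, and the following `sudo rsync -avhP ... --delete` calls then copy the NFS data onto the system disk until it fills. Add a guard before the first `mkdir`, `mountpoint -q /run/media/claude/local-backups || { echo "backup disk not mounted" >&2; exit 1; }`, and `set -euo pipefail` so a failed rsync stops the run; the same applies to `backup-local-usb-disk-two.bash` in the next hunk.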
diff --git a/ansible/roles/workstation/files/throttled/throttled.conf b/ansible/roles/workstation/files/throttled/throttled.conf
new file mode 100644
index 000000000..b2823753f
--- /dev/null
+++ b/ansible/roles/workstation/files/throttled/throttled.conf
@@ -0,0 +1,53 @@
+[GENERAL]
+# Enable or disable the script execution
+Enabled: True
+# SYSFS path for checking if the system is running on AC power
+Sysfs_Power_Path: /sys/class/power_supply/AC*/online
+
+## Settings to apply while connected to Battery power
+[BATTERY]
+# Update the registers every this many seconds
+Update_Rate_s: 30
+# Max package power for time window #1
+PL1_Tdp_W: 29
+# Time window #1 duration
+PL1_Duration_s: 28
+# Max package power for time window #2
+PL2_Tdp_W: 44
+# Time window #2 duration
+PL2_Duration_S: 0.002
+# Max allowed temperature before throttling
+Trip_Temp_C: 85
+# Set cTDP to normal=0, down=1 or up=2 (EXPERIMENTAL)
+cTDP: 0
+
+## Settings to apply while connected to AC power
+[AC]
+# Update the registers every this many seconds
+Update_Rate_s: 5
+# Max package power for time window #1
+PL1_Tdp_W: 44
+# Time window #1 duration
+PL1_Duration_s: 28
+# Max package power for time window #2
+PL2_Tdp_W: 44
+# Time window #2 duration
+PL2_Duration_S: 0.002
+# Max allowed temperature before throttling
+Trip_Temp_C: 95
+# Set HWP energy performance hints to 'performance' on high load (EXPERIMENTAL)
+HWP_Mode: False
+# Set cTDP to normal=0, down=1 or up=2 (EXPERIMENTAL)
+cTDP: 0
+
+[UNDERVOLT]
+# CPU core voltage offset (mV)
+CORE: -105
+# Integrated GPU voltage offset (mV)
+GPU: -85
+# CPU cache voltage offset (mV)
+CACHE: -105
+# System Agent voltage offset (mV)
+UNCORE: -85
+# Analog I/O voltage offset (mV)
+ANALOGIO: 0
diff --git a/ansible/roles/workstation/files/wireguard/claude-thinkpad-fedora.conf b/ansible/roles/workstation/files/wireguard/claude-thinkpad-fedora.conf
new file mode 100644
index 000000000..8c8f97524
--- /dev/null
+++ b/ansible/roles/workstation/files/wireguard/claude-thinkpad-fedora.conf
@@ -0,0 +1,10 @@
+[Interface]
+Address = 10.10.0.4/32
+ListenPort = 51820
+PrivateKey = kPbM3V+bV74avE/GXFwhOrmaRSf3p34bm/aR3A72GG4=
+DNS = 10.10.0.1
+
+[Peer]
+PublicKey = K7kgSuPwH2NA7FeLHwvGMX02kvhD8DxHgL/wflsgx34=
+AllowedIPs = 0.0.0.0/0
+Endpoint = services.{{ SECRET_DOMAIN }}:51820
diff --git a/ansible/roles/workstation/files/yum/vscodium.repo b/ansible/roles/workstation/files/yum/vscodium.repo
new file mode 100644
index 000000000..368994572
--- /dev/null
+++ b/ansible/roles/workstation/files/yum/vscodium.repo
@@ -0,0 +1,7 @@
+[gitlab.com_paulcarroty_vscodium_repo]
+name=gitlab.com_paulcarroty_vscodium_repo
+baseurl=https://paulcarroty.gitlab.io/vscodium-deb-rpm-repo/rpms/
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg
diff --git a/ansible/roles/workstation/files/yum/yum.conf b/ansible/roles/workstation/files/yum/yum.conf
new file mode 100644
index 000000000..2dc022fd9
--- /dev/null
+++ b/ansible/roles/workstation/files/yum/yum.conf
@@ -0,0 +1,2 @@
+#https://www.2daygeek.com/remove-delete-old-unused-kernels-centos-fedora-rhel/
+installonly_limit=3
\ No newline at end of file
diff --git a/ansible/roles/workstation/tasks/chezmoi.yml b/ansible/roles/workstation/tasks/chezmoi.yml
new file mode 100644
index 000000000..a9716ac8b
--- /dev/null
+++ b/ansible/roles/workstation/tasks/chezmoi.yml
@@ -0,0 +1,15 @@
+---
+- name: configuration | include vars
+ ansible.builtin.include_vars:
+ file: vars/{{ ansible_facts['nodename'] }}.yml
+
+- name: configuration | create chezmoi directory
+ ansible.builtin.file:
+ state: directory
+ path: ~/.config/chezmoi
+
+- name: configuration | templating chezmoi.toml
+ ansible.builtin.template:
+ src: chezmoi.toml.j2
+ dest: ~/.config/chezmoi/chezmoi.toml
+ mode: 0600
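Review bot: This file lives under `files/` yet contains the Jinja expression `Endpoint = services.{{ SECRET_DOMAIN }}:51820`; if the consuming `wireguard.yml` task (not in this chunk) deploys it with `ansible.builtin.copy`, the placeholder is written verbatim and the peer endpoint never resolves, so it should either move to `templates/` and be deployed with `ansible.builtin.template`, or carry a literal hostname. The clear-text `PrivateKey` in this file is covered by the note on the truenas-remote WireGuard config earlier in this diff.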
diff --git a/ansible/roles/workstation/tasks/gnome.yml b/ansible/roles/workstation/tasks/gnome.yml
new file mode 100644
index 000000000..f21562ba1
--- /dev/null
+++ b/ansible/roles/workstation/tasks/gnome.yml
@@ -0,0 +1,16 @@
+---
+- name: gnome | create directories
+ ansible.builtin.file:
+ state: directory
+ path: "{{ item }}"
+ loop:
+ - "{{ fonts_dir }}"
+ - "{{ icons_dir }}"
+
+- name: gnome | download nerd fonts
+ ansible.builtin.get_url:
+ url: "{{ item }}"
+ dest: "{{ fonts_dir }}"
+ loop:
+ - https://github.com/ryanoasis/nerd-fonts/raw/master/patched-fonts/FiraCode/Retina/complete/Fira%20Code%20Retina%20Nerd%20Font%20Complete.ttf
+ - https://github.com/ryanoasis/nerd-fonts/raw/master/patched-fonts/FiraCode/Retina/complete/Fira%20Code%20Retina%20Nerd%20Font%20Complete%20Mono.ttf
diff --git a/ansible/roles/workstation/tasks/gpg.yml b/ansible/roles/workstation/tasks/gpg.yml
new file mode 100644
index 000000000..01f8b1750
--- /dev/null
+++ b/ansible/roles/workstation/tasks/gpg.yml
@@ -0,0 +1,13 @@
+---
+- name: gpg | create directory
+ ansible.builtin.file:
+ state: directory
+ path: ~/.gnupg
+ mode: 0700
+
+# https://github.com/drduh/YubiKey-Guide#using-keys
+- name: gpg | get gpg configuration
+ ansible.builtin.get_url:
+ url: https://raw.githubusercontent.com/drduh/config/master/gpg.conf
+ dest: ~/.gnupg/gpg.conf
+ mode: 0600
diff --git a/ansible/roles/workstation/tasks/main.yml b/ansible/roles/workstation/tasks/main.yml
new file mode 100644
index 000000000..26bf36b7d
--- /dev/null
+++ b/ansible/roles/workstation/tasks/main.yml
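Review bot: The `ansible.builtin.get_url` task in gpg.yml writes `https://raw.githubusercontent.com/drduh/config/master/gpg.conf` straight into `~/.gnupg/gpg.conf` from a moving `master` branch with no `checksum:`, so whoever controls that repository, or that branch at any later date, controls this workstation's GnuPG configuration including keyserver and trust settings. Pin the URL to a specific commit and add `checksum: sha256:<expected-digest>` (placeholder) to the task, or vendor the file under `files/`; the two nerd-fonts downloads in gnome.yml fetch from `master` in the same way and should get the same treatment.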
@@ -0,0 +1,56 @@
+---
+- ansible.builtin.include_tasks: system.yml
+ tags:
+ - system
+
+- ansible.builtin.include_tasks: repositories.yml
+ tags:
+ - packages
+
+- ansible.builtin.include_tasks: packages-prerequisites.yml
+ tags:
+ - packages
+
+- ansible.builtin.include_tasks: packages-common.yml
+ tags:
+ - packages
+
+- ansible.builtin.include_tasks: packages-claude-fixe-fedora.yml
+ tags:
+ - packages
+ when: ansible_facts['nodename'] == "claude-fixe-fedora"
+
+- ansible.builtin.include_tasks: packages-claude-thinkpad-fedora.yml
+ tags:
+ - packages
+ when: ansible_facts['nodename'] == "claude-thinkpad-fedora"
+
+- ansible.builtin.include_tasks: packages-post.yml
+ tags:
+ - packages
+
+- ansible.builtin.include_tasks: chezmoi.yml
+ tags:
+ - chezmoi
+
+- ansible.builtin.include_tasks: gpg.yml
+ tags:
+ - gpg
+
+- ansible.builtin.include_tasks: shell.yml
+ tags:
+ - shell
+
+- ansible.builtin.include_tasks: gnome.yml
+ tags:
+ - gnome
+
+- ansible.builtin.include_tasks: nfs.yml
+ tags:
+ - nfs
+ when: ansible_facts['nodename'] == "claude-fixe-fedora"
+
+- ansible.builtin.include_tasks: wireguard.yml
+ tags:
+ - wireguard
+ when: ansible_facts['nodename'] == "claude-thinkpad-fedora"
diff --git a/ansible/roles/workstation/tasks/nfs.yml b/ansible/roles/workstation/tasks/nfs.yml
new file mode 100644
index 000000000..ee44affa4
--- /dev/null
+++ b/ansible/roles/workstation/tasks/nfs.yml
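Review bot: `scripts.yml`, added later in this diff, is never included: this file lists system, repositories, the packages-* files, chezmoi, gpg, shell, gnome, nfs and wireguard, so the two backup scripts are never copied to `~/.local/scripts`. Add `- ansible.builtin.include_tasks: scripts.yml` with a `scripts` tag, presumably guarded by `when: ansible_facts['nodename'] == "claude-fixe-fedora"` like the nfs include since the scripts read the NFS mount points, or drop the file.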
@@ -0,0 +1,63 @@
+---
+- name: nfs | create root directory
+ ansible.builtin.file:
+ state: directory
+ path: "{{ mnt_dir }}"
+ mode: 0777
+ become: true
+
+- name: nfs | create directories
+ ansible.builtin.file:
+ state: directory
+ path: "{{ item.path }}"
+ loop: "{{ nfs_shares }}"
+ become: true
+
+- name: nfs | mount shares
+ ansible.builtin.mount:
+ state: present
+ path: "{{ item.path }}"
+ src: "{{ item.src }}"
+ fstype: nfs4
+ opts: _netdev
+ with_items: "{{ nfs_shares }}"
+ become: true
+
+- name: nfs | create links dir
+ ansible.builtin.file:
+ state: directory
+ path: "{{ nas_dir }}"
+
+- name: nfs | stat music folder
+ ansible.builtin.stat:
+ path: ~/Music
+ register: music
+
+- name: nfs | remove music folder
+ file:
+ path: ~/Music
+ state: absent
+ when: music.stat.isdir is defined and music.stat.isdir
+
+- name: nfs | stat videos folder
+ ansible.builtin.stat:
+ path: ~/Videos
+ register: videos
+
+- name: nfs | remove videos folder
+ file:
+ path: ~/Videos
+ state: absent
+ when: videos.stat.isdir is defined and videos.stat.isdir
+
+- name: nfs | stat music folder
+ ansible.builtin.stat:
+ path: ~/Music
+ register: music
+
+- name: nfs | create links
+ ansible.builtin.file:
+ state: link
+ src: "{{ item.path }}"
+ dest: "{{ item.link }}"
+ with_items: "{{ nfs_shares }}"
diff --git a/ansible/roles/workstation/tasks/packages-claude-fixe-fedora.yml b/ansible/roles/workstation/tasks/packages-claude-fixe-fedora.yml
new file mode 100644
index 000000000..6e02f40c0
--- /dev/null
+++ b/ansible/roles/workstation/tasks/packages-claude-fixe-fedora.yml
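Review bot: `mode: 0777` on `{{ mnt_dir }}` in the first task makes `/mnt` world-writable, which nothing here needs: every mount point under it is created and mounted with `become: true`, and the user reaches the shares through the symlinks in `{{ nas_dir }}`, so `mode: 0755` is sufficient. The second `stat music folder` task (after `remove videos folder`) re-registers `music` but nothing reads it afterwards, so it is dead and can be deleted, and the two bare `file:` tasks should use `ansible.builtin.file` like the rest of the file.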
@@ -0,0 +1,27 @@
+---
+- name: packages-claude-fixe-fedora | dnf
+ ansible.builtin.dnf:
+ name:
+ - akmod-nvidia
+ - libva-utils
+ - libva-vdpau-driver
+ - handbrake
+ - vdpauinfo
+ become: true
+
+- name: packages-claude-fixe-fedora | flatpak
+ community.general.flatpak:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - https://dl.flathub.org/repo/appstream/fr.handbrake.ghb.flatpakref
+ - https://dl.flathub.org/repo/appstream/org.bunkus.mkvtoolnix-gui.flatpakref
+ become: true
+
+- name: packages-claude-fixe-fedora | brew
+ community.general.homebrew:
+ name:
+ - jpeg-archive
+ - parallel
+ path: /home/{{ lookup('env', 'USER') }}/.linuxbrew/bin
+ state: present
diff --git a/ansible/roles/workstation/tasks/packages-claude-thinkpad-fedora.yml b/ansible/roles/workstation/tasks/packages-claude-thinkpad-fedora.yml
new file mode 100644
index 000000000..ff23824f7
--- /dev/null
+++ b/ansible/roles/workstation/tasks/packages-claude-thinkpad-fedora.yml
@@ -0,0 +1,14 @@
+---
+- name: packages-claude-thinkpad-fedora | dnf
+ ansible.builtin.dnf:
+ name:
+ - tlp
+ - wireguard-tools
+ become: true
+
+- name: packages-claude-thinkpad-fedora | tlp-ui
+ ansible.builtin.pip:
+ name:
+ - git+https://github.com/d4nj1/TLPUI.git
+ state: present
+ become: true
diff --git a/ansible/roles/workstation/tasks/packages-common.yml b/ansible/roles/workstation/tasks/packages-common.yml
new file mode 100644
index 000000000..f159549ee
--- /dev/null
+++ b/ansible/roles/workstation/tasks/packages-common.yml
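Review bot: The `ansible.builtin.pip` task in packages-claude-thinkpad-fedora.yml installs `git+https://github.com/d4nj1/TLPUI.git` with `become: true`, so whatever that repository's HEAD contains is built and installed as root, and because the reference is unpinned each play can pull a different revision. Pin it to a tag or commit, `- git+https://github.com/d4nj1/TLPUI.git@<tag-or-commit>` (placeholder), and install it into the user's site-packages with `extra_args: --user` as packages-common.yml does, dropping `become: true`.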
@@ -0,0 +1,99 @@
+---
+- name: packages-common | dnf
+ ansible.builtin.dnf:
+ name:
+ - codium
+ - mpv
+ - resilio-sync
+ - gnome-tweak-tool
+ - la-capitaine-cursor-theme
+ - git
+ - fish
+ - alacritty
+ - redhat-rpm-config
+ - python3-devel
+ - python3-virtualenv
+ - ffmpeg-libs
+ - nano
+ - nfs-utils
+ - libgtop2-devel
+ - fuse-exfat
+ - exfat-utils
+ - openssl
+ - openssl-devel
+ - libacl-devel
+ - gcc-c++
+ - picard
+ - pinta
+ - calibre
+ - mediawriter
+ - hugo
+ - stress
+ - vlc
+ - p7zip
+ - p7zip-plugins
+ - lsd
+ - bat
+ - fzf
+ - fd-find
+ - remmina
+ - yp-tools
+ - ffmpeg
+ - deadbeef
+ - nmap
+ - jq
+ - gnupg
+ - steam
+ - npm
+ - ShellCheck
+ - gnome-extensions-app
+ - neovim
+ - brave-browser
+ - starship
+ - tmux
+ - cawbird
+ - age
+ state: present
+ update_cache: yes
+ become: true
+
+- name: packages-common | python
+ ansible.builtin.pip:
+ name:
+ - borgbackup
+ - yt-dlp
+ - s-tui
+ - pylint
+ - pre-commit
+ - comictagger
+ state: present
+ extra_args: --user
+
+- name: packages-common | flatpak
+ community.general.flatpak:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - https://dl.flathub.org/repo/appstream/com.borgbase.Vorta.flatpakref
+ - https://dl.flathub.org/repo/appstream/com.discordapp.Discord.flatpakref
+ - https://dl.flathub.org/repo/appstream/com.bitwarden.desktop.flatpakref
+ - https://dl.flathub.org/repo/appstream/net.mediaarea.MediaInfo.flatpakref
+ - https://dl.flathub.org/repo/appstream/net.cozic.joplin_desktop.flatpakref
+ - https://dl.flathub.org/repo/appstream/uk.co.ibboard.cawbird.flatpakref
+ become: true
+
+- name: packages-common | brew
+ community.general.homebrew:
+ name:
+ - minio/stable/mc
+ - kubectl
+ - helm
+ - kustomize
+ - fluxcd/tap/flux
+ - sops
+ - gh
+ - derailed/popeye/popeye
+ - chezmoi
+ path: /home/{{ lookup('env', 'USER') }}/.linuxbrew/bin
+ state: present
+ update_homebrew: yes
diff --git a/ansible/roles/workstation/tasks/packages-post.yml b/ansible/roles/workstation/tasks/packages-post.yml
new file mode 100644
index 000000000..9ac3d35a1
--- /dev/null
+++ b/ansible/roles/workstation/tasks/packages-post.yml
@@ -0,0 +1,14 @@
+---
+- name: packages-post | modify resilio-sync service file
+ ansible.builtin.replace:
+ path: /usr/lib/systemd/user/resilio-sync.service
+ regexp: "multi-user"
+ replace: "default"
+ become: true
+
+- name: packages-post | activate resilio-sync service
+ ansible.builtin.systemd:
+ name: resilio-sync
+ scope: user
+ state: started
+ enabled: yes
diff --git a/ansible/roles/workstation/tasks/packages-prerequisites.yml b/ansible/roles/workstation/tasks/packages-prerequisites.yml
new file mode 100644
index 000000000..4dc1a0ace
--- /dev/null
+++ b/ansible/roles/workstation/tasks/packages-prerequisites.yml
@@ -0,0 +1,18 @@
+---
+- name: packages-prerequisites | clone homebrew GitHub repo
+ ansible.builtin.git:
+ repo: "https://github.com/Homebrew/brew"
+ dest: "/home/{{ lookup('env', 'USER') }}/.linuxbrew/Homebrew"
+ version: "master"
+
+
+- name: packages-prerequisites | create bin directory for homebrew
+ ansible.builtin.file:
+ path: "/home/{{ lookup('env', 'USER') }}/.linuxbrew/bin"
+ state: directory
+
+- name: packages-prerequisites | create a symbolic link for brew
+ ansible.builtin.file:
+ src: "/home/{{ lookup('env', 'USER') }}/.linuxbrew/Homebrew/bin/brew"
+ dest: "/home/{{ lookup('env', 'USER') }}/.linuxbrew/bin/brew"
+ state: link
diff --git a/ansible/roles/workstation/tasks/repositories.yml b/ansible/roles/workstation/tasks/repositories.yml
new file mode 100644
index 000000000..e1f3cb139
--- /dev/null
+++ b/ansible/roles/workstation/tasks/repositories.yml
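Review bot: `ansible.builtin.replace` edits the package-owned unit `/usr/lib/systemd/user/resilio-sync.service` in place, so the next `resilio-sync` package update silently reverts the change, and the `regexp: "multi-user"` is loose enough to match any other occurrence of that text in the unit. The following `ansible.builtin.systemd` task also does not pass `daemon_reload: yes`, so the user manager keeps the old unit definition until it is reloaded. A drop-in under `/etc/systemd/user/resilio-sync.service.d/` written with `ansible.builtin.copy` and `content:` survives updates and documents the intent; verify on the target Fedora release that `systemctl --user enable` honours an `[Install]` section supplied from a drop-in.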
@@ -0,0 +1,65 @@ +--- +- name: repositories | enable the RPM Fusion repository + ansible.builtin.dnf: + name: "{{ item }}" + state: present + disable_gpg_check: True + loop: + - https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm + - https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm + become: true + +- name: repositories | enable copr repositories + ansible.builtin.command: + cmd: dnf copr enable -y {{ item.repo }} + creates: "{{ item.file }}" + loop: + - { + repo: "tomaszgasior/mushrooms", + file: "/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:tomaszgasior:mushrooms.repo", + } + become: true + when: ansible_facts['nodename'] == "claude-fixe-fedora" + +- name: repositories | copy yum repo files + ansible.builtin.copy: + src: "yum/{{ item }}" + dest: "/etc/yum.repos.d/{{ item }}" + loop: + - vscodium.repo + become: true + +- name: repositories | resilio sync - import repository GPG key + ansible.builtin.rpm_key: + state: present + key: https://linux-packages.resilio.com/resilio-sync/key.asc + become: true + +- name: repositories | resilio sync - add repository + ansible.builtin.yum_repository: + name: rslsync + description: Resilio Sync Repository + baseurl: https://linux-packages.resilio.com/resilio-sync/rpm/$basearch + gpgcheck: yes + become: true + +- name: repositories | brave - check presence + ansible.builtin.stat: + path: /etc/yum.repos.d/brave-browser-rpm-release.s3.brave.com_x86_64_.repo + register: brave + +- name: repositories | brave - add repository + ansible.builtin.command: + cmd: dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/x86_64/ + warn: false + args: + creates: /etc/yum.repos.d/brave-browser-rpm-release.s3.brave.com_x86_64_.repo + become: true + when: brave.stat.exists == False + +- name: repositories | brave - import asc + ansible.builtin.command: + cmd: rpm --import 
https://brave-browser-rpm-release.s3.brave.com/brave-core.asc + warn: false + become: true + when: brave.stat.exists == False diff --git a/ansible/roles/workstation/tasks/scripts.yml b/ansible/roles/workstation/tasks/scripts.yml new file mode 100644 index 000000000..38b82b122 --- /dev/null +++ b/ansible/roles/workstation/tasks/scripts.yml @@ -0,0 +1,14 @@ +--- +- name: scripts | create directory + ansible.builtin.file: + state: directory + path: "~/.local/scripts" + +- name: scripts | copy scripts + ansible.builtin.copy: + src: "scripts/{{ item }}" + dest: "~/.local/scripts" + mode: 0755 + with_items: + - backup-local-usb-disk-one.bash + - backup-local-usb-disk-two.bash diff --git a/ansible/roles/workstation/tasks/shell.yml b/ansible/roles/workstation/tasks/shell.yml new file mode 100644 index 000000000..4b6fe62a4 --- /dev/null +++ b/ansible/roles/workstation/tasks/shell.yml @@ -0,0 +1,6 @@ +--- +- name: shell | make Fish default shell + ansible.builtin.user: + name: claude + shell: /usr/bin/fish + become: true diff --git a/ansible/roles/workstation/tasks/system.yml b/ansible/roles/workstation/tasks/system.yml new file mode 100644 index 000000000..13a89f353 --- /dev/null +++ b/ansible/roles/workstation/tasks/system.yml @@ -0,0 +1,27 @@ +--- +- name: system | disable password sudo + ansible.builtin.lineinfile: + dest: /etc/sudoers + state: present + regexp: "^%wheel" + line: "%wheel ALL=(ALL) NOPASSWD: ALL" + validate: visudo -cf %s + become: true + +- name: system | remove old unused kernels + ansible.builtin.lineinfile: + dest: /etc/yum.conf + state: present + line: "installonly_limit=3" + create: true + become: true + +- name: system | get better download speed with DNF + ansible.builtin.blockinfile: + path: /etc/dnf/dnf.conf + block: | + defaultyes=True + deltarpm=True + install_weak_deps=False + max_parallel_downloads={{ ansible_processor_vcpus | default('8') }} + become: true 
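Review bot: `disable_gpg_check: True` on the RPM Fusion task installs the two release RPMs as root with signature verification turned off, so a compromised mirror or an on-path party on the way to mirrors.rpmfusion.org can inject arbitrary package content; import the RPM Fusion key with `ansible.builtin.rpm_key` first, exactly as the resilio task does, and drop the flag. The brave repository is added with `dnf config-manager --add-repo`, which writes a repo file without `gpgcheck=1`, and the later `rpm --import` only installs the key without enabling checking, so unless gpgcheck is set globally in dnf.conf brave packages are also unverified; `ansible.builtin.yum_repository` with `gpgcheck: yes` and `gpgkey: https://brave-browser-rpm-release.s3.brave.com/brave-core.asc` replaces both command tasks and the `stat` guard. Note also that `warn:` is no longer accepted by the command module on ansible-core 2.14 and later, and `when: brave.stat.exists == False` reads better as `when: not brave.stat.exists`.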
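Review bot: `%wheel ALL=(ALL) NOPASSWD: ALL` in system.yml gives every wheel member passwordless root on the workstation, which means any code running as that user — including the unpinned brew, pip and flatpak packages this role installs — is root-equivalent without a prompt. If a passwordless path is needed for automation, confine it to a dedicated file and the commands actually required, e.g. `dest: /etc/sudoers.d/ansible` with `line: "%wheel ALL=(ALL) NOPASSWD: /usr/bin/dnf, /usr/bin/systemctl"` (adjust to the real list) and keep `validate: visudo -cf %s`; otherwise leave the password prompt and rely on the sudo timestamp. Separately, on Fedora `/etc/yum.conf` is normally a symlink to `/etc/dnf/dnf.conf`, so the `installonly_limit` task and the `blockinfile` task are editing the same file through two paths; pointing both at `/etc/dnf/dnf.conf` makes that explicit.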
diff --git a/ansible/roles/workstation/tasks/wireguard.yml b/ansible/roles/workstation/tasks/wireguard.yml new file mode 100644 index 000000000..644dcc5e4 --- /dev/null +++ b/ansible/roles/workstation/tasks/wireguard.yml @@ -0,0 +1,6 @@ +--- +- name: wireguard | copy wireguard configuration + ansible.builtin.copy: + src: wireguard/{{ ansible_facts['nodename'] }}.conf + dest: ~/wireguard.conf + mode: 0600 diff --git a/ansible/roles/workstation/templates/chezmoi.toml.j2 b/ansible/roles/workstation/templates/chezmoi.toml.j2 new file mode 100644 index 000000000..bf9525037 --- /dev/null +++ b/ansible/roles/workstation/templates/chezmoi.toml.j2 @@ -0,0 +1,11 @@ +encryption = "age" + +[age] + identity = "/home/claude/.config/sops/age/keys.txt" + recipient = "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg" + +[data] + alacritty_font_size = {{ alacritty.font_size }} + alacritty_window_columns = {{ alacritty.window_columns }} + alacritty_window_lines = {{ alacritty.window_lines }} + remmina_font_size = {{ remmina.font_size }} diff --git a/ansible/roles/workstation/vars/claude-fixe-fedora.yml b/ansible/roles/workstation/vars/claude-fixe-fedora.yml new file mode 100755 index 000000000..e28d8f6ec --- /dev/null +++ b/ansible/roles/workstation/vars/claude-fixe-fedora.yml @@ -0,0 +1,7 @@ +--- +alacritty: + font_size: 11.0 + window_columns: 150 + window_lines: 40 +remmina: + font_size: 11 diff --git a/ansible/roles/workstation/vars/claude-thinkpad-fedora.yml b/ansible/roles/workstation/vars/claude-thinkpad-fedora.yml new file mode 100755 index 000000000..94b3386d8 --- /dev/null +++ b/ansible/roles/workstation/vars/claude-thinkpad-fedora.yml @@ -0,0 +1,7 @@ +--- +alacritty: + font_size: 9.0 + window_columns: 100 + window_lines: 28 +remmina: + font_size: 9 diff --git a/cluster/apps/data/bookstack/kustomization.yaml b/cluster/apps/data/bookstack/kustomization.yaml index ea3c3df94..a586c08f0 100644 --- a/cluster/apps/data/bookstack/kustomization.yaml 
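Review bot: The wireguard task copies `files/wireguard/<nodename>.conf` straight from the role, and a WireGuard config normally carries the interface `PrivateKey` in plaintext, so unless those files are sops-encrypted (they are not visible in this chunk) the VPN private keys are committed to the repository in clear. Since this commit moves the other secrets to sops/age, render this one from an encrypted source as well, e.g. `content: "{{ lookup('community.sops.sops', 'wireguard/' ~ ansible_facts['nodename'] ~ '.conf') }}"` on an `ansible.builtin.copy` task, keeping `mode: 0600`. In the chezmoi template on the same line, `identity = "/home/claude/.config/sops/age/keys.txt"` hard-codes the home directory while the rest of the role derives the user; `{{ ansible_env.HOME }}` keeps it consistent, and the `recipient` value is a public key, so committing it is fine.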
+++ b/cluster/apps/data/bookstack/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - secrets.yaml + - secrets.sops.yaml - volume.yaml - export-job.yaml - helm-release.yaml diff --git a/cluster/apps/data/bookstack/secrets.sops.yaml b/cluster/apps/data/bookstack/secrets.sops.yaml new file mode 100644 index 000000000..51db66b63 --- /dev/null +++ b/cluster/apps/data/bookstack/secrets.sops.yaml @@ -0,0 +1,27 @@ +kind: Secret +apiVersion: v1 +metadata: + name: bookstack-secrets + namespace: data +stringData: + deployment_rsa_priv_key: ENC[AES256_GCM,data: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,iv:vMdKKCnWBgTDiqvJdXAN9QJeoBEMucPFQlF634QLV9M=,tag:iJ3dUexqwiEfT/mboY7HZA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQUJSSUc3K1hxZ1d1Q3dI + SENqMUlaVkJEN3RkMXpsTnUyN05hN0ZuZ0d3CkYvVVdkNDF1WkRMREM1U3FtNzZk + NGxtM25oaUMzeEYwNFA4TW4xTG1ENVEKLS0tIG1vY3JQRUplR1VBUzQ5VTR0L3Ro + cG5JYXp0cllxTXVnY1ZOL1RlNWRaK2sK76zdi1HuLcoHEc0JTVLsenoa7JQv0DGz + y/yDIArOoocUryeb62DuSKQNZmcZLhHbJUWvFIkacDi82CcxuvdDLw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-03T14:41:17Z" + mac: ENC[AES256_GCM,data:kIa5+mV0ZY9XR/6zb5INz8bUaPCMHSaE0s7R697ogrnYufx971Nr8TVA7X4dgNpvYC6HUgdRbUxWr/TbtJCq+z1hkXdIiFZKJBBy7gcgJRXCleduMi4IikrkW7fAcQZmeHqvd+MNUXBiebGWCpGe0PCij5xnjq/K4pJ4qJX1OdY=,iv:PfuJ+VSxKzhJGGwN+WQ9KGwF2aJITKT4CAmPCP/8DCg=,tag:JCk32OUKBIweJoO9FpwFGA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/data/bookstack/secrets.yaml b/cluster/apps/data/bookstack/secrets.yaml deleted file mode 100644 index 5c5d155ff..000000000 --- a/cluster/apps/data/bookstack/secrets.yaml +++ /dev/null 
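Review bot: The new `secrets.sops.yaml` is encrypted to a single age recipient with `pgp: []`, whereas the deleted `secrets.yaml` below was encrypted to two PGP keys, so losing the one age identity now makes every secret in the repo unrecoverable. Add a second recipient held offline (a backup age key) to `.sops.yaml` and run `sops updatekeys` over the files; the same single-recipient layout is used in gitea `secrets.sops.yaml`, home-assistant `token.sops.yaml` and the re-keyed external-dns `secret.sops.yaml` further down. Also, re-encrypting `deployment_rsa_priv_key` under the new key changes only the envelope; if the old PGP keys are considered retired rather than still under your control, the deploy key itself should be rotated too.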
@@ -1,58 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: bookstack-secrets - namespace: data -stringData: - deployment_rsa_priv_key: ENC[AES256_GCM,data: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,iv:majin48BvzBk04GDahOnaxkDcxLsFKVEtijncxfKkl0=,tag:J7M/IYKppIXG4LDPpY+8Bw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2022-07-03T12:13:13Z" - mac: ENC[AES256_GCM,data:fx1wBJU77yblwu76N5LD2HoAE0dYTEWGIB48cYAPBjRdYMFmL7JQMk6sdT4KmcGZy/0IpVaC9ZwFfVR9VapPpzKnUUY/8V189e1GYu/cRpy3q4W7l6KU0jHLbasBERV4QZI8HF3vrAxNI3zd7TUprqQ8DZCTpX/QZ3sThO5QG1c=,iv:M2wxwzEjxZRxdW6WTsWjMueN8yl3Hi0B++axkNSSqgo=,tag:pfxppxufXeXfvqe2EW+Clw==,type:str] - pgp: - - created_at: "2021-07-17T21:15:45Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA6nQR2zACjUjAQ//fQ863OpprkOuu7ZzjHoq9ereZ+wu7jYg/rQ/1VbI9QL2 - WzC8o/Csc2qrN1adnTx9s61HPGkAyqzsSJLmBrVufc+I1sGcJsCg8kzezO0HYau9 - xV30mazw2sPca80fjbqeUY6hcp4oPcDg8METk9/TZ955UILit2nUWdCTOX+C6yxw - R206DfKb/UvQ3zLKpbeSvarf8+pyp7TpEmPnPjC9jYMzftD+lhqwRmaFjeeGjWIJ - NyeybL50kFBFJYou7AHxhLT7Ona2IASJCYvUj8kjwMc/MedjjcHdh+CysYlRgt0D - Ces7cUI+PVRdvWY2hi/EO/VCaD60bDEfy6zB8KHPRE+E53A4GlMvnvYF7QI5z4qC - HdCsQ8v2IOpU0/e/32eiAKtJmMqy+v1hVFavh+5u4epc5iFuJzoTAEdDg45FfQap - Kq6tDFWXP30Y3HfOc+7BBz9lep49zJB5cK47WvNM8Tfazb3DpHFXDbFgLyAkWuaq - QvZIijHeH2P5advD2gONUY9gDlVV8/HxYHNQVgwWyaVdmXXvzFtgpZQtIvIHA+Di - EhNrw8L/qtOW6B/uM+FzvcuGVTF3nnU4g43Y0XkTOd7JxP/l7CC78pcjl4IdgGbK - nb+1+/ShzjRJA3n0fvlkrbiMdep9hMQUWJlzsG15rRlvtLTxTZjNHX0kacn/4yTS - XgGKX2C4ZX3Pxdq/Mkr7muGZbLZIOHXL0OPouDzs8E64UPR0u8ayDDlsX9SYZ8hq - kvAL3ktnKNf1R3shWGKMcra8skjIKIoSmzEXf7RgCoNnewjt8wAqBY3+RGiaBUA= - =jwm/ - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2021-07-17T21:15:45Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA98IrODHuiZ9ARAAk2hc8IbzfVSagc4qeymEpDBwME2MpzYv7a6RPK7vS/VR - 8PGYJT4DuJ0op4N/IiTKUeO1DVlqfZvzKBfAKDNdpojzaheNdy/L4nIKMN2klfx+ - 
7BAXljRpqzyRjC2lyMFbDWgMMWcJG4PZIuCRQCm6ej0LOFwkoL4EitpfltdHj5tt - /qUWGICXSlgN882axw23Z9ZpfKmLLn2tKplFmgKErrPaXQxiqRHjPFzXh1JkGnaG - wtxBMdgX4eMDWGcSgiVqPFzMuecIA34u2bSnCrU4xmLGglHgm2oWpL9PZcdWBR1U - H9OzDrFNDD2X3Hey5jv5v3h64YwbFnZ89Y51lUbP8fbv65OrVGMQKE0ZQ7ueVwLk - H/IM9FnVDfkQ615ykPxUtr0AT47l9mffi6Iy1/XBmrqiCnaKhT5PEbSywmaKzOD9 - 9B7UG4l6kLh9F/bqNRsQWkarYlSmGf8BvAQNFH7ZtzyfRxTAP2wKxvaHA5/sqMO8 - em0WDxvdeVtHSVYx/Kbu50RW0eDJRDD21P5neb2Jj7rZTVYD+L5Dxne+JXpTbI+8 - jKesyEk3RYGzpthHHyWPZAo76cidqYVRvENfPFJljaRHpxcQLkYECTvyDmgyRNz0 - uMHnQ76ZqeyGQ9NrYflcqd3XakTOvAmrwKz0p1zhmTlSgrUmGCUaZT8VXwRjsnDS - XgF3B6c9YDZz8f7wmtJqj0DTgxdgWGoQBrJowkyHhTxQetj++7EYaH0hdzrI+5bt - ZTM5I8y6zRrCAfvLKzKlMeh0R4XRREmNCyVzRuAfwjnVzXRVtcxRN8IAJR2mCNQ= - =vETF - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/cluster/apps/development/gitea/helm-release.yaml b/cluster/apps/development/gitea/helm-release.yaml index dc47d7e19..252080b0f 100644 --- a/cluster/apps/development/gitea/helm-release.yaml +++ b/cluster/apps/development/gitea/helm-release.yaml @@ -59,7 +59,7 @@ spec: DISABLE_REGISTRATION: true REQUIRE_SIGNIN_VIEW: true webhook: - ALLOWED_HOST_LIST: "drone.k3s.xpander.ovh" + ALLOWED_HOST_LIST: "drone.${SECRET_CLUSTER_DOMAIN}" postgresql: enabled: false diff --git a/cluster/apps/development/gitea/kustomization.yaml b/cluster/apps/development/gitea/kustomization.yaml index 22c45c1f5..c707432e3 100644 --- a/cluster/apps/development/gitea/kustomization.yaml +++ b/cluster/apps/development/gitea/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - secrets.yaml + - secrets.sops.yaml - volume.yaml - helm-release.yaml - backup-job.yaml diff --git a/cluster/apps/development/gitea/secrets.sops.yaml b/cluster/apps/development/gitea/secrets.sops.yaml new file mode 100644 index 000000000..22c2c12d9 --- /dev/null 
+++ b/cluster/apps/development/gitea/secrets.sops.yaml @@ -0,0 +1,27 @@ +kind: Secret +apiVersion: v1 +metadata: + name: gitea-secrets + namespace: development +stringData: + deployment_rsa_priv_key: ENC[AES256_GCM,data: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,iv:PKmf+mytOTMdVitS5avOAi5yChAx44mG2YNnaDFLTlw=,tag:0ejHj1EpeXqRF686ZsmVmA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UnFTTUZTT2dxV1JFY2R0 + aS9yUWNHeDdnVStyTTV1ZjRXU1hQYVVQRTFvCktjL0VwNjdsczdmcFI2TnhXMHU1 + RXRhQnhhYjc4ZHNzN0wyN1ErcVkvNXcKLS0tIE1WNTBhV0xwSk9rcklLWkVESElS + ZVpwVVRmV2VHU0NJcFptYXJPZnhXT28KIQgCy66P7kb1hc9TxEolPBaP68Pp116Y + 5cxfpbXZYnsDItjB1FtwrIxFRjDBHrpHoEb2e6AC47pHvai+OflqCg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-03T14:41:34Z" + mac: ENC[AES256_GCM,data:dQ7zJWFeZboFrR1pbKHoXcnqv6yjZVrHahb79bfdfJiXt7qbnr1w+WSTbcv78zsN9y0pZ6hPyzc8+QzwFH5xbBSdi8TkHifcuvQqTMtmrMnHZM6GMXyiN8BUvPEq8iT5OO0UFwbXitQSavn9Ib52j+HSvyDzLy9MkGbmLHrKA88=,iv:YywQ58kygqVBKQ4BxIVkGMgi8SoL842qsuJ4q7hZikY=,tag:17wpoXBlhOdHnls7uU5IQA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/development/gitea/secrets.yaml b/cluster/apps/development/gitea/secrets.yaml deleted file mode 100644 index 661212239..000000000 --- a/cluster/apps/development/gitea/secrets.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: gitea-secrets - namespace: development -stringData: - deployment_rsa_priv_key: ENC[AES256_GCM,data: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,iv:majin48BvzBk04GDahOnaxkDcxLsFKVEtijncxfKkl0=,tag:J7M/IYKppIXG4LDPpY+8Bw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2022-07-03T12:11:25Z" - mac: ENC[AES256_GCM,data:b0JPukzFNt2KJ4xLiPqZu1jXqPMozJMm7q5mUiPUtiCZTBDz8ixKvYSh0d2fIb7mj33rewCE5oWZT+brK+lwDRiHLshzyxh4/2foPsHzkl2Sf7mbFUsSTtMSPulwZw1geMX2L2//41CpDDhettIlla9obMsrdW8EI2nqGL0nqfQ=,iv:rrTUj9HIPx23+LQ3gtSMTB5/kIXQuvZ/GbPMx6FqBTQ=,tag:EAEV0GEBXpV9IIJOav3qvg==,type:str] - pgp: - - created_at: "2021-07-17T21:15:45Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA6nQR2zACjUjAQ//fQ863OpprkOuu7ZzjHoq9ereZ+wu7jYg/rQ/1VbI9QL2 - WzC8o/Csc2qrN1adnTx9s61HPGkAyqzsSJLmBrVufc+I1sGcJsCg8kzezO0HYau9 - xV30mazw2sPca80fjbqeUY6hcp4oPcDg8METk9/TZ955UILit2nUWdCTOX+C6yxw - R206DfKb/UvQ3zLKpbeSvarf8+pyp7TpEmPnPjC9jYMzftD+lhqwRmaFjeeGjWIJ - NyeybL50kFBFJYou7AHxhLT7Ona2IASJCYvUj8kjwMc/MedjjcHdh+CysYlRgt0D - Ces7cUI+PVRdvWY2hi/EO/VCaD60bDEfy6zB8KHPRE+E53A4GlMvnvYF7QI5z4qC - HdCsQ8v2IOpU0/e/32eiAKtJmMqy+v1hVFavh+5u4epc5iFuJzoTAEdDg45FfQap - Kq6tDFWXP30Y3HfOc+7BBz9lep49zJB5cK47WvNM8Tfazb3DpHFXDbFgLyAkWuaq - QvZIijHeH2P5advD2gONUY9gDlVV8/HxYHNQVgwWyaVdmXXvzFtgpZQtIvIHA+Di - EhNrw8L/qtOW6B/uM+FzvcuGVTF3nnU4g43Y0XkTOd7JxP/l7CC78pcjl4IdgGbK - nb+1+/ShzjRJA3n0fvlkrbiMdep9hMQUWJlzsG15rRlvtLTxTZjNHX0kacn/4yTS - XgGKX2C4ZX3Pxdq/Mkr7muGZbLZIOHXL0OPouDzs8E64UPR0u8ayDDlsX9SYZ8hq - kvAL3ktnKNf1R3shWGKMcra8skjIKIoSmzEXf7RgCoNnewjt8wAqBY3+RGiaBUA= - =jwm/ - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2021-07-17T21:15:45Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA98IrODHuiZ9ARAAk2hc8IbzfVSagc4qeymEpDBwME2MpzYv7a6RPK7vS/VR - 8PGYJT4DuJ0op4N/IiTKUeO1DVlqfZvzKBfAKDNdpojzaheNdy/L4nIKMN2klfx+ - 
7BAXljRpqzyRjC2lyMFbDWgMMWcJG4PZIuCRQCm6ej0LOFwkoL4EitpfltdHj5tt - /qUWGICXSlgN882axw23Z9ZpfKmLLn2tKplFmgKErrPaXQxiqRHjPFzXh1JkGnaG - wtxBMdgX4eMDWGcSgiVqPFzMuecIA34u2bSnCrU4xmLGglHgm2oWpL9PZcdWBR1U - H9OzDrFNDD2X3Hey5jv5v3h64YwbFnZ89Y51lUbP8fbv65OrVGMQKE0ZQ7ueVwLk - H/IM9FnVDfkQ615ykPxUtr0AT47l9mffi6Iy1/XBmrqiCnaKhT5PEbSywmaKzOD9 - 9B7UG4l6kLh9F/bqNRsQWkarYlSmGf8BvAQNFH7ZtzyfRxTAP2wKxvaHA5/sqMO8 - em0WDxvdeVtHSVYx/Kbu50RW0eDJRDD21P5neb2Jj7rZTVYD+L5Dxne+JXpTbI+8 - jKesyEk3RYGzpthHHyWPZAo76cidqYVRvENfPFJljaRHpxcQLkYECTvyDmgyRNz0 - uMHnQ76ZqeyGQ9NrYflcqd3XakTOvAmrwKz0p1zhmTlSgrUmGCUaZT8VXwRjsnDS - XgF3B6c9YDZz8f7wmtJqj0DTgxdgWGoQBrJowkyHhTxQetj++7EYaH0hdzrI+5bt - ZTM5I8y6zRrCAfvLKzKlMeh0R4XRREmNCyVzRuAfwjnVzXRVtcxRN8IAJR2mCNQ= - =vETF - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/cluster/apps/home-automation/home-assistant/kustomization.yaml b/cluster/apps/home-automation/home-assistant/kustomization.yaml index 496bf3856..aa13e5e43 100644 --- a/cluster/apps/home-automation/home-assistant/kustomization.yaml +++ b/cluster/apps/home-automation/home-assistant/kustomization.yaml @@ -3,5 +3,5 @@ kind: Kustomization resources: - helm-release.yaml - volume.yaml - - token.yaml + - token.sops.yaml - podmonitor.yaml diff --git a/cluster/apps/home-automation/home-assistant/token.sops.yaml b/cluster/apps/home-automation/home-assistant/token.sops.yaml new file mode 100644 index 000000000..91ae20497 --- /dev/null +++ b/cluster/apps/home-automation/home-assistant/token.sops.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +metadata: + name: home-automation + namespace: home-automation +stringData: + prometheus-token: ENC[AES256_GCM,data:XQS2cNao60Cw3oWPBG3qRs69u4ZhBB8qWm5s6z13CDomfcdfA60YSSU7Vtcdb8E7wnI2t/X3Kul8Vlt8evYv/Tkh5UN1oiqa+upFQ/tOlIHFmRfz1snE5XlREc/sB2FN8xUIDRdHObfwz9NcfEcrt0MP+1mXN1IUIA5BDAAFT05TALeUjdY3CTfht6idIFlqs3YN2uvfDYoq5nKIN4J3uN0rWJI46BD+FnmpE243ChM+Cn1NS2sa,iv:lcCmW8TASJHWgOjs9qRh1XaGqPpCHn9HkU+Ma+Iqyv0=,tag:bRNDK8TEyHIMZlixYRDGGw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWjZ1RG9QZnBQSUNNSHN4 + MTdwMDlvaGk4NEVxdmdZOGR1QnpLNFkzOTNZCjhZeEloeWQzemp1cVJrbEpxbWJB + T3NXRkRxTU54MGxUbk45YTJoQkl2dWMKLS0tIFkzQ0hvQWdxK2NKQlVlNWhUODQ3 + RDRiUkRFSVI4S29mdWRMbE9RNFhLQlUKcx+FKlWUqt5YOxIKlvNiexCarLnW3FXU + M+lPXuGDvjo2Pg5InhPCheuxSVxea85uRRmROTWWOfjMKNYyfMiXLw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-03T14:41:50Z" + mac: ENC[AES256_GCM,data:rCAXrXozuI+YJwCDMWQeMvzC3Aoa/Eb89AQEBbLeOQMp7z5p7VCuzaSP52vsW50ii/Rr+VjgDEhoyVSiRAw9IoqcQCjNFZfW6nbXyKZIQGgSfiDKg5DrZLsLOJEg5JUX9u8zzVB2VyIpuDAtDrZHgmvBq+t/gSncSNzb7UW2Aw4=,iv:nkSndVS3YbIGPLMvPWwjgfRL8L5Qac71Jls1OBvX3s8=,tag:nmCKDjXBURMtQpQ5WfjHSg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/home-automation/home-assistant/token.yaml b/cluster/apps/home-automation/home-assistant/token.yaml deleted file mode 100644 index 8e6ea1c1b..000000000 --- a/cluster/apps/home-automation/home-assistant/token.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: home-automation - namespace: home-automation -stringData: - prometheus-token: ENC[AES256_GCM,data:NiP3ioOYLz+DEeo39/Guk1iyxw9eMzHv/x4L/hq+LRDfpPnxlmWixuq2yOmhaW8bZSFDXudr2eGUZwBMXXmTUVTL/RgVg6yDy70kJ53YGLcRCWI3GntlwZqF1xqMkUXk+4Ap663cYFM15pS18s9SaWogJ3N/SXrC3uD0l7aPxlF5O+MNoTiK+CNogXS0/QAAnvaop3Y3MN6i81qp5owHATV2SOorXlatgQxR0pxf0ZEfU36NoIBQ,iv:PSvU8RUnULu5Wm/F8jSLb2ESH2QTx3UZUUJgzUPEyio=,tag:bnSVYptDVsWAfvEvo6nJwg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2022-02-08T14:42:41Z" - mac: ENC[AES256_GCM,data:ZdNG4+tlVJgi7KYQDEJZ01rzjscrgX2Pel/kneV9kZqbukmJi5yWLFdPM9Ll0xO89hLGW/Aa2PCvA5Kwpa8x5itGODiY6LimCWqX1YQ5/nZ4eUMHjXorWcduxHD8qc5zFkDbvUwhCyZ1mmhgN5sI0pFBDWtkVbQd7nfDCnxHwLE=,iv:GH81+X9bbww4o+eAMp6+yosUX3R77SXW8xFlTzOFv34=,tag:pDT+ybsa1UgWRNSFzGtw1g==,type:str] - pgp: - - created_at: "2021-08-20T16:21:08Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA6nQR2zACjUjAQ/9FbK6Z+2UwtViXJmelHPuttQoNM85U3V4RCoRcalp9z73 - Y5Jcum3plDPf7E9bsqiJtt4xWvxZWXFtFp6s2mTTRTfy8OBbM+xLpFXrvSXqE3Ug - YUBiMWI5QnEqC0eo2NKey53DRxOzqsMoVMwp/2FEAUYwC2pkT7XjMiAn8X54QMjj - MlNM8JAfjdEvaZ4Blk5egdvmBNm8Em7DzJ3LGyTfksyWA66W+qbTkEH46n4DZHv/ - 0X8AtjU+dWILW0SA/DUXkmUEccrM40ZfD0Rm70TvvKGeCNM0zaDv+ikeq8muklIn - oDSRUQm9aZ7NB5xP8mC7AULHwHN6jvHGymNEJEjl10tmEsI0Y4eEEer3MAEBH93V - w0rPOOPVZPYXD/rFQF6f4nvimT0/dlrQYFepIFZbwmQYPcbXAP9OhngMgNM71Oeb - qKf0KorRL4VT3K6NPZxu05QhIsTFPM4pZrHA6ZotZ7+JW9pZe1LCE7ROm0AzPp3b - btlEr/MKwrkSouBI0aO866pxSpbHjHZU4m8Y7NWelwSy8cY35dXbCudC5ScMT5Y/ - 5dccmaLEfSpu6eiwi6bfrGIpROlbbj1dINJKJOCeoXRtvXyADao4AKfa2c28fqwM - Mx9Fn8O76/YfyRqO1dFbd896OwqSRstq1nVB2+xl/7Infch8NkBCIkb4Xe1zSmLS - XAG1UPCsQfjt3BI8b+5BmeJHdKAHtZ3w7Bb96AGaWn7wh7c8+QZugPbsxm2+l+8H - wEgYrTMvk6BP4zzA15T6iOKh2qw5qlxi+k9zN5rmOsjmP+0SwUr8mfCL/Ze0 - =9u2m - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2021-08-20T16:21:08Z" - enc: | - -----BEGIN PGP 
MESSAGE----- - - hQIMA98IrODHuiZ9AQ//cs99xtkOc9d9nbiGmirNkUsWZGzhxaLZ7SUDY6mQvtj7 - ibV7fkG5kf/uNu9mw+DRA8M3PBM5j+y3Hv0xt+1fBAhttra1GU127DwSAHChbWJT - BMnx2Bm5zAmeoh4ksMphuggOsLL2x1IYiTk7dnaMuPo/5CUPxXpTpPrJYHf0Pg1b - 1j8l0N+t2hUWj93Mh392mggf28w+PLD5ty/d6a0Eyky6UG62LbyjhJaJt5nBMvfS - jvRW1QXb7iQ7ljbml1X2FHK/vzYtiMh5OUfYCzHRK6u5yTQybghNSVr8L0N2MgvC - unNp/PEvfvpzU34hInmi1zdW6BZK3iAvuiKHfgrJy2iZnjGZahBN7tLcKyHrAKpe - Q+hMQ1+neHvcgJAl50jRrUAbJJ1ssypwW6+zz3Bj1b+6IvZ/tuV31dZkKozsi4Y4 - UKyds4IOEMLHv8FOlHfkOrvkTmij+6bqj1UoQIO7qTSuxI6M5jFmJ7vNnpYWS6IC - 944JPbmX5hzDLrqMICzsetIxXNS0uTbvTo2APVIHjDkgX8ukcNw0YKfIQFgMi8Fc - /Sp8wCaUULkotlEb4Bvdq+yTrj1mQCpHaz6m1w/8RnSzLUecD0hVMUUPGctZ5IKl - 3ZJrdMAJdad2Zjf7GVXwxNXtKaH9gCjZ1n4zqMg3Ob1l5BmUQI4M5IlZlPGAqhDS - XAFdxfYkHPbKWXDUPWcj6P+FUqDjdCV++z5kpeIXmtW8eouxIrV3DvwhdO+H3yKc - KkdnXPjCzSPf9AzYhgpGXKG70yh4gtMeLeDAPpDjguu6Eskd8VoQBus6tZ4F - =6Ilp - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/media/music_transcode/cronjob.yaml b/cluster/apps/media/music_transcode/cronjob.yaml index 9ec9163c5..19d711c60 100644 --- a/cluster/apps/media/music_transcode/cronjob.yaml +++ b/cluster/apps/media/music_transcode/cronjob.yaml @@ -36,9 +36,9 @@ spec: - | #!/bin/bash - curl --location raw.githubusercontent.com/auricom/home-ops/main/server/scripts/transcode_music/transcode.bash --output /tmp/transcode.bash + curl --location raw.githubusercontent.com/auricom/home-ops/main/scripts/transcode_music/transcode.bash --output /tmp/transcode.bash chmod a+x /tmp/transcode.bash - curl --location raw.githubusercontent.com/auricom/home-ops/main/server/scripts/transcode_music/transcode_exclude.cfg --output /tmp/transcode_exclude.cfg + curl --location raw.githubusercontent.com/auricom/home-ops/main/scripts/transcode_music/transcode_exclude.cfg --output /tmp/transcode_exclude.cfg cd /tmp ./transcode.bash -c ./transcode.bash -r 
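Review bot: The script is still fetched from the moving `main` branch and executed without any integrity check, and the URL has no scheme, so curl's first request goes out as plain `http://` and only the redirect upgrades it; `curl` without `--fail` also writes an error page to `/tmp/transcode.bash` on a 404 and then runs it. Use an explicit scheme, pin the ref and fail on HTTP errors: `curl --fail --location https://raw.githubusercontent.com/auricom/home-ops/<commit-sha>/scripts/transcode_music/transcode.bash --output /tmp/transcode.bash` (placeholder ref; same for the `.cfg` line), and start the script with `set -euo pipefail` so a failed download stops the job. The enclosing container spec starts and ends outside the hunk.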
diff --git a/cluster/apps/monitoring/terra-exporter/deployment.yaml b/cluster/apps/monitoring/terra-exporter/deployment.yaml deleted file mode 100644 index d9edf7186..000000000 --- a/cluster/apps/monitoring/terra-exporter/deployment.yaml +++ /dev/null @@ -1,50 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: terra-exporter - namespace: monitoring - labels: - app.kubernetes.io/instance: terra-exporter - app.kubernetes.io/name: terra-exporter -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: terra-exporter - app.kubernetes.io/name: terra-exporter - template: - metadata: - labels: - app.kubernetes.io/instance: terra-exporter - app.kubernetes.io/name: terra-exporter - spec: - imagePullSecrets: - - name: regcred - containers: - - image: registry.${SECRET_CLUSTER_DOMAIN}/homelab/terra-exporter:develop - imagePullPolicy: Always - name: terra-exporter - ports: - - containerPort: 9000 - name: http ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/instance: terra-exporter - app.kubernetes.io/name: terra-exporter - name: terra-exporter - namespace: monitoring -spec: - ports: - - name: http - port: 9000 - protocol: TCP - targetPort: 9000 - selector: - app.kubernetes.io/instance: terra-exporter - app.kubernetes.io/name: terra-exporter - type: ClusterIP ---- diff --git a/cluster/apps/monitoring/terra-exporter/kustomization.yaml b/cluster/apps/monitoring/terra-exporter/kustomization.yaml deleted file mode 100644 index 8fc6fdbf2..000000000 --- a/cluster/apps/monitoring/terra-exporter/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - deployment.yaml - - podmonitor.yaml diff --git a/cluster/apps/monitoring/terra-exporter/podmonitor.yaml b/cluster/apps/monitoring/terra-exporter/podmonitor.yaml deleted file mode 100644 index b4b33f438..000000000 --- a/cluster/apps/monitoring/terra-exporter/podmonitor.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: terra-exporter - namespace: monitoring -spec: - podMetricsEndpoints: - - interval: 5m - path: / - port: http - scrapeTimeout: 30s - selector: - matchLabels: - app.kubernetes.io/instance: terra-exporter - app.kubernetes.io/name: terra-exporter diff --git a/cluster/apps/networking/external-dns/secret.sops.yaml b/cluster/apps/networking/external-dns/secret.sops.yaml index e934591a2..01e61a4c0 100644 --- a/cluster/apps/networking/external-dns/secret.sops.yaml +++ b/cluster/apps/networking/external-dns/secret.sops.yaml 
@@ -6,57 +6,26 @@ metadata: name: ovh-external-dns-creds namespace: networking stringData: - application-key: ENC[AES256_GCM,data:JosobXOtM8Cc3pDkUMiHHg==,iv:lK5JvNw2Ait2uZq1ocL5qB+Tc5qsh36HwJC4gW7gnjk=,tag:kLMXweVbm8cwarw5SOmlUA==,type:str] - application-secret: ENC[AES256_GCM,data:j+S/IFh+JoaB0QaOUXo8Jb6MUmVwTO4knwdwqFgYb0I=,iv:j7uXYbXomcL/fo7fQimL4ChwFyOxMupOVmvLz+Prp+c=,tag:rWHJF/u/0ezOvHFlxUtp0A==,type:str] - consummer-key: ENC[AES256_GCM,data:4VwQMQBSqVZjfSqcy9Auk64GJ7E56306yEv/0Rpcttk=,iv:LrEBQuTKtfL7lpgAP7Vxk1xrlzUmPiHeGq/0v3S7PZE=,tag:tr5KVDnm94YKgdx4jFAxWA==,type:str] + application-key: ENC[AES256_GCM,data:eM+c4o7krcCr38iYl+V9aw==,iv:bWvn6Du2AYczidEiYcCiiXiCWQoNTM55+pEqEDT5gVg=,tag:XAtpQsK7J7mQWs47qqAt/Q==,type:str] + application-secret: ENC[AES256_GCM,data:dsAI3MXIpqC5FQZojzchOUfJPARBYOOUbnmY042w9DQ=,iv:gLh0ySZfm1akVIcnN/LMuuI7GZrBBq/X6mnQd1j9BeA=,tag:wIKWVoDMRfn68Ot56HFPGA==,type:str] + consummer-key: ENC[AES256_GCM,data:5RZrrLBGOhmnPLyRBy83SSAYz67h9zfIwx2cEUSxFAs=,iv:x3rMt3obLjR12PSiuzFb4qPirnMXpxojFZ9sTDp2pis=,tag:2ve3wWb2bHQQUA8m7+gyKQ==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] - lastmodified: "2022-06-24T23:48:18Z" - mac: ENC[AES256_GCM,data:5nV54X2didfcYS+gVjcSADZwUX7XwD/Dtc03KVSgVvnUQcTsHBofxToGJgezlTjQqWyR750smPI6GuBOj9Kg1hnv+ZxdhRPUngdHxEOV+WMYOX7BbbaNlW8rA2V5vUJ5/YZWf/oBgXMlv2nj1nFGsNmH+h/XBIuSHEhZ+9dq/sE=,iv:PQFZtvEm5T9y56yyxEbC+y5IxYDEvyxtic0xrf2Mnmc=,tag:398zIuXtenHEHUhJm7SuPw==,type:str] - pgp: - - created_at: "2022-06-24T22:12:58Z" + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAwAAAAAAAAAAAQ/9EQOAgnln5dNy2Nkk7WV9V+FUtLXtlRpoqzICZdqFARd9 - 86/xRseBKzxGIDc9yF2GyFoKhwZ5F8v7mFa7/QZMQwr5SGOgQfdzJSlRxZg1vTpb - r7jds7htsFAUhJJCITsHZVQgTnwPYTQKajBBrwqTzEMc7MPA2jvObznvpz+XJWYq - +XWoQZ9aE0mYYuYpdgUoTr0sk+WloUFZTIyt8P+LHTPpKJ3NeWFywOjMU+Ralu/2 - B/MSt3WTdxiKjpon0KZ/HHMlz+gdr8c4RFthUaqg1SPcfQ2FCANUtU8rCbb7W5I+ - 
TDUHgm9mysA7UnNlRfBznwxLJH84xFB/JqRVULlaTktaVvpjfhYjVDlAZ7DN9TsW - 1nDWEMOnMh8nfC6srktgsmbOZB+CXpHlyP1+W5hmRlQouzwT0FUSuKdkAw0AG85N - rPlu6iB/Ctpjo8jOFFc/XSX1jqO8ppfzdLua3NWtNlbrAL+Pi5qkRQo5YTXgPkD/ - Wwn4HLiGWgDRrk0DGny12xSooQik6q7h+YDE9AHwW+p4QOlMRr6Uk4rhB5G6Jsao - EBHFRpvP4s3HosSLhkdghC5h2XQynaj3P7NYHxRPCHAzowNkwG+K4+AzkOWSLiZf - AP6DW1pBirKAqkhaY79oNXRP1EwAYf8r3Mrzxppiybr7HUwSHm9aC1bZ50L3qYPS - XgHtHl+3f97+g08iQEnzH90EjEjljqbwhY9ng3whaFArr9K3irV2nenlqKFY+kU0 - Qw4bQIqRm3WTs37ixgV5sRmHODV/kjF/kn07zBpZ3PvxrMeqedv1Js/aCYs7geE= - =uZvW - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2022-06-24T22:12:58Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAwAAAAAAAAAAAQ//UTom94LvUIj4fnSgLCvxAbqjGVLeOQBiKyjXTVxS8H3v - 4MhGsZbnL8WM413udiUTI9SHs3NS6+bl4GBKziAk9Ra1BVEJvHiI3NrHnPoL+Ivh - j9OU2XvZSK0jgDgUtMqsQSABoNr9thdqn9ZlTbjDFhpVz5s4hn34H5w3sZctvzwO - f1ROkNxjUpKifPNdi4PfE8cnDPRRFEebM5u0uwxsD0pLs2FjIvr43OkqMkybb9qO - mMi48DKscUP53s/ytpxDIUDnCuRS/BaSNolKqqwx32bAw9gdwVVM7kbjHinh3wDJ - 2hjwTLqDAxA0JCmwckGMdTHDyh0g7OyCI5Pzlgmc7CzIt5/tumB51g4VeD/aFg0j - G0wP0cW00fV6SRiCvMpQRSAw5b4lCRjmpgZNSGgLfKGPvYrUSs6ZfiSBcXCbeDKs - lpzfH+e22Hj0h9exBiYc7EZSZCNEdvMYmN5ntY9DZb/7r8W6VXUeU569zenhOJA1 - o7DN4o3ZKTyWbsVyBXixs0PUyqXMVd6+2WhoZPEYjo03S5kx6Z1MDpNww0pnjJn2 - 46dBi1wmeS3bODibSwECUrmrjBF/amF+NRaA1j+cwk+WW5WArmfaPT3hviw/y5dO - 8uyB+H0foJO0F12ns6rkOSDRGq8OLhxyJqaxtUKB4qm8v0Ecte5KO22Pg1paEm3S - XgFQFZqLP3LA9YygKzpbGQK/R2bYUekmC0yWyASvphjjP6XFzLpVZzQYblVv9wWa - s9KeiUxt0CJ4tFZ5Owtkg03+Q1dAKLd8P+tuZjI/8MRt4xFMySj1B13ZCCaPJsQ= - =uxhs - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByazlaTU9oZFR2Y2U1blg0 + VXdUK3BzL1hsM3RydHQzcE95RklOTUdVWEE4CnNkOGprRVFCNFZjTkpOMnJ0R09T + RWhhemdvb243UGlVMHhjWVUzTW03V00KLS0tIDJ3d1NYdkJLaHlvQXBCbFlDZXRp + bi8wYjlEM0xGZExSV05HSGlkYjQ2VlUKesUixJpqR2iYx5kNxrbD0kTG1siHVKqq + 
sh8UblAqd1av0/3Qpj9dMF8awR8Q80dElcEwXT90Ks/S7p/uEA358g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-03T14:42:00Z" + mac: ENC[AES256_GCM,data:xJz+bm7161D3j/NEHZi9XxEp5uHsDDIqKow/nOQzSeHufyiGg34pdR8ibXt+7p6sru64ZIRNKV/OklwtRrLFoiyM/+ZFsgpWC67ACIdksu0cBjIKXsaKSyvdkcZ/hC9C5wMpYMqABBDogYPhR32PqsJ1VBWlCckG0kjo7PNOubk=,iv:ponCl1jFjElSY8HbCbRv4w4gL0C12deWBRzgrXSQpTE=,tag:p/kxR5ZiVxvX7JO6e/ZtMw==,type:str] + pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/cluster/base/apps.yaml b/cluster/base/apps.yaml index 3006180b1..cd9fef180 100644 --- a/cluster/base/apps.yaml +++ b/cluster/base/apps.yaml @@ -16,7 +16,7 @@ spec: decryption: provider: sops secretRef: - name: sops-gpg + name: sops-age postBuild: substitute: {} substituteFrom: diff --git a/cluster/base/configuration.yaml b/cluster/base/configuration.yaml index 8851c7b1e..2ded6d874 100644 --- a/cluster/base/configuration.yaml +++ b/cluster/base/configuration.yaml @@ -14,4 +14,4 @@ spec: decryption: provider: sops secretRef: - name: sops-gpg + name: sops-age diff --git a/cluster/base/core.yaml b/cluster/base/core.yaml index abfc3c361..1faab13f4 100644 --- a/cluster/base/core.yaml +++ b/cluster/base/core.yaml @@ -16,7 +16,7 @@ spec: decryption: provider: sops secretRef: - name: sops-gpg + name: sops-age postBuild: substitute: {} substituteFrom: diff --git a/cluster/configuration/secrets/cluster-secrets.sops.yaml b/cluster/configuration/secrets/cluster-secrets.sops.yaml new file mode 100644 index 000000000..c817b71fb --- /dev/null +++ b/cluster/configuration/secrets/cluster-secrets.sops.yaml 
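Review bot: Switching `secretRef` to `sops-age` in apps.yaml (and identically in configuration.yaml and core.yaml on this line) assumes a `sops-age` Secret already exists in `flux-system`; it is presumably created by the reworked ansible playbooks, which are not visible here, so a comment on the secretRef naming where it comes from, e.g. `# created out-of-band by ansible/playbooks/cluster-installation.yml`, would save the next person a failed reconciliation. Once the cutover works, delete the old `sops-gpg` Secret from the cluster and retire the corresponding PGP keys, otherwise the GPG private key stays decryptable by anyone with read access to `flux-system` even though nothing uses it.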
@@ -0,0 +1,111 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cluster-secrets + namespace: flux-system +stringData: + SECRET_AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:B3+umypR5/b1Emnk5C4iPOKV0guv6kHPm24SOA==,iv:cGSElgFacEEfrYXNYMbfLnJzeILcrfA/hehyJc2pwiM=,tag:Z0VOJic0pnzEicU1tOwDxg==,type:str] + SECRET_AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:Mtm1pKD/EKy0iCp+MZu13FsNWRm1A87831gp5g==,iv:Rgz11SVbvgNEmG2DDEvD7OFtUjr9uc2s6Ba7eAw2VWU=,tag:3DvjMDhZR/Id0+lvaNuQQg==,type:str] + SECRET_AUTHELIA_POSTGRES_PASSWORD: ENC[AES256_GCM,data:s7FKzSB4j/loBw+kGio=,iv:AaDnVGqR/AnkTtwaWc2MdZMTEzS9oqD69Yx7ERCMLw4=,tag:oxqPv3/ScxDmau5D1jRHgg==,type:str] + SECRET_AUTHELIA_SMTP_EMAIL: ENC[AES256_GCM,data:usksxAwWDJgxCejqz5ynheZXhxCuGpE=,iv:9WLNIRs5rPm8tXnQvp8W5ul4I6EHB2u+Y59/TNPSRXk=,tag:AbTglJEGLAk3PgZzqspobg==,type:str] + SECRET_AUTHELIA_SMTP_PASSWORD: ENC[AES256_GCM,data:mvCc46QgBCeehMS9KRIu8w==,iv:w8P/rbIdElioKaMLHQ54G/w/qSepgYBoo/B+qUT60xs=,tag:AZxjNRoQ/h7DpqIhH8Mi1w==,type:str] + SECRET_AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:YBU5F2QjInHEVg6zg6QFVqTLCsztq9VDfvAWeg==,iv:SAD1P95b5SUxPsq9+KGEaJr5+/NcC7nFkIZ23SuMe6g=,tag:HTdrjhqmAzoa8Me7YF+9rg==,type:str] + SECRET_AUTHELIA_USER_CLAUDE_EMAIL: ENC[AES256_GCM,data:zFcLu4r4WFMVU1T1EPgiJKi8CxAyvuE=,iv:pv6ea/TcPEI9jIntJrjo14iBqj9GjgVhWHWrPn6mnQs=,tag:yMbeHtwIkjXt7aNGJU/UWA==,type:str] + SECRET_AUTHELIA_USER_CLAUDE_PASSWORD: ENC[AES256_GCM,data:LMO3QfNvpse/BEjyOG6cfsllHcJ28OE8LLqlPGZdVOHkqG9C/naZ2Ri4k1x/1fyzL6YUOODZYExj6g3Zdl3zTsbjdVEryTrZ810183Zcb7RjBrXSZB81tk1CW+EARFq5Jc2N,iv:OGlGQQAPrrF9YP+tux39MeZWnrr+F7IsLfklv5xKfkE=,tag:sPewO2VQNR+8aq7S4JiXLg==,type:str] + SECRET_AUTHELIA_USER_HELENE_EMAIL: ENC[AES256_GCM,data:OHljFRDSlX7MG0qOhPodseC1Xqa815tl,iv:NmuPZt3KkJPV28i26eU84Z+aPE55DHkkAz+llmSnloU=,tag:aUMYpZp+ObeYZ9GmrAbJ4g==,type:str] + SECRET_AUTHELIA_USER_HELENE_PASSWORD: 
ENC[AES256_GCM,data:DyRpTyVyey4lhjDijfB/2Cf4Weg8virytgtsirtIUuBesq9QAuUffgLScA6TF4FYY79vbZNupfICuUwaHvZM1eyhzfwilWhlNp6dIxPTuEqC6TWP7dHEIGKF8yFB659veOis,iv:NJ7ENJU5Gr1VGdivBS4JCAbvsig1g92cx62kC6EKPu0=,tag:bjr90OBDYyE6c1kwXam1wg==,type:str] + SECRET_AUTHELIA_USER_VISITOR_EMAIL: ENC[AES256_GCM,data:9k/iAk6pG/nNpn2wedTz20s+IsZ3ww==,iv:ZgNGCEeLkdymzq+xVfur9T/24+v2mzrjwwsr7VKdNe4=,tag:H2o6blNKxgMRFhE/QtVSNg==,type:str] + SECRET_AUTHELIA_USER_VISITOR_PASSWORD: ENC[AES256_GCM,data:VlKk9ZOpKCHy1AW4usy9o0G5f5iSLRlSM0Lo265UC4EP6XO6HLR0415Ro2FFdHm8NkJZqjguFgqd0bC7G4HDjVqS4Y+kwd1wO5TzVQGtI3aE9npJdo+zlISM0aX6eID8Vp+s,iv:Bz7Bow0Gb4VRFRLB8eNXq2kyPveX+t6H0BEdLxh2Igk=,tag:JGkgQIWoCZGM3Fcj+l6i4g==,type:str] + SECRET_AUTHENTIK_POSTGRES_PASSWORD: ENC[AES256_GCM,data:gLLL0VT6SkW2RGOQZYMjbw==,iv:CTZHa1FAq+UdYJw0Kcsi8MkF14J9/HA3gh+trZGaL8U=,tag:KZyiq1/0qZdMh3rF7BtZaw==,type:str] + SECRET_AUTHENTIK_REDIS_PASSWORD: ENC[AES256_GCM,data:8UKy8FWNwz498drJFK4cUQ==,iv:JSQkNlOy4m3N6TwWnySjtAn+Zescr/C2/IqfE+AXHeo=,tag:UNivYxMMkpSNPUMVPqbbLA==,type:str] + SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:5Uu2QvzabzK1hLuHkyzn7Is5T5KcfWP2i1QiU0e+Q/fPTEv89JmY4g==,iv:d+kntD2aEk69BlWX35cu41/6wkipeE2JDQR88IwWZxE=,tag:uW1F/ZfyKXbMMqvgunHCyA==,type:str] + SECRET_AUTHENTIK_SMTP_PASSWORD: ENC[AES256_GCM,data:U6XeL1mb8MOKGnQMCMprGQ==,iv:PDX4QYQoR4/B4wVPJsClxiE1JfXHa+ntqAXOJroWn7I=,tag:i4yVJan0WFKXkNqY0tW4Sg==,type:str] + SECRET_BOOKSTACK_DB_PASSWORD: ENC[AES256_GCM,data:cq8X8QDvbi3IO/g2bEj1tQ==,iv:6YtfNCxqeq7iifIeSrA26DrEBKTjUNB4nrtM72hKpbY=,tag:DxX88KMJXYWM3FsYbK58+Q==,type:str] + SECRET_BOOKSTACK_TOKEN_ID: ENC[AES256_GCM,data:wR2K8DEdDiDBL1Q1QFLHPbbtPwCucXns3r0pt38kNmQ=,iv:yVWYuPMrxImLJQyw7yvqCESBLcMIMxUMbY9RVYH54JQ=,tag:mL1TDd2A+EsN0p5SPH6jKw==,type:str] + SECRET_BOOKSTACK_TOKEN_SECRET: ENC[AES256_GCM,data:zRNzXpum9u/6VEIIhoYdIyh9zrLq5gxYXTX5WHrb+fQ=,iv:oIU2pm6PO7tGHbuvVe1XC7VcmeAeewSV+PbU3Pj9b7s=,tag:Lcej5PL+aNgY3GLHrs6VwQ==,type:str] + SECRET_BOTKUBE_DISCORD_BOTID: 
ENC[AES256_GCM,data:zTskU2EM2/0EqQ99ioz/t6/7,iv:lPCL+q0blTcOEKuBp+tQLCEePSem6nW3gyb1Zt9ZSc4=,tag:6uvfMW1cpa9swL1dWKyTJQ==,type:str] + SECRET_BOTKUBE_DISCORD_TOKEN: ENC[AES256_GCM,data:KKdPGV5Q5/DmuwgeKh2NImDEpdJmHRZcIhME0eKGaouePtHz/57z5r5NnKye/pcmUzfpsLuJm/ygh2E=,iv:H1IpHRW/5XWIXuIeXKiI4TuUxKvWl6aVg9Q/uaO+juw=,tag:aRVNdZ/6BhER43gXcRgEFA==,type:str] + SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:7BbZIX1f2j2a15gq1/gwqKcSTA==,iv:WOhJ5HlcnsPEeI/ALT5O+AnKtorJYueQqPJQStpvIMo=,tag:GPOpCrQ9F1ku7tqAtxHJdw==,type:str] + SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:j1yBajAlXKQeDuvbV2IyJp8IT3wA,iv:pxPgYZEZ6pvcr6trM1gkL5MZORewARaiVfwRTyWxny0=,tag:y31EGp46NgF/Pf3hQ2Iavw==,type:str] + SECRET_DOMAIN: ENC[AES256_GCM,data:UtdBDs6+azVHO7Y=,iv:ZnWrBW+vW6HiMs1PbgY2LjcwUwuUh1HxYjqvOXvCrDk=,tag:r6uDIJhVoTIcizIfRW+lHw==,type:str] + SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:lTfn9GCJHlgeO/BGXbvT,iv:LBsxVLf+WpS7Ac233XjVoWCjHqZpnhhhiJn2Q0YEHt8=,tag:d//kWxt2bJkqCF1EkEzYqA==,type:str] + SECRET_CLUSTER_OVH_APPLICATION_KEY: ENC[AES256_GCM,data:W8BOyYQbQJpQco0XQ8wgtA==,iv:z/nc9+DkIkvKw6Daf/UpuMsIc/H7AnwQF5ZjQarf03U=,tag:j+Qm6oK6jei7EFDBTT5ddQ==,type:str] + SECRET_CLUSTER_OVH_APPLICATION_SECRET: ENC[AES256_GCM,data:+R6Vy1qlYZuvFsGTnK3m94PuzdsYNPe1JVpGqhq9Dy0=,iv:bNKMp6VNMyuiJokr5xm9To2OuBYzoiJSRXUm4S00MdI=,tag:8YJoz5MICyC9bES/IP6ROw==,type:str] + SECRET_CLUSTER_OVH_CONSUMER_KEY: ENC[AES256_GCM,data:HwEaNSLEoON99KzgVLuDWxj8DPz1gz8tc3q/1hWJOvM=,iv:uTHCAT81Js9yQ/7iK90+elZzA0j6ia7AOWEufE1i/4k=,tag:D4tI50RyJz8o3n9hrrYz4Q==,type:str] + SECRET_DRONE_DATABASE_DATASOURCE: ENC[AES256_GCM,data:GhtpNNHY7qQAuiRolsTBtNh3DQRpWvyVr2QXPTvVXF2b1EQ6yeftl55r0Yq/VYqsqP3aTkTDtpEyC5SQSynNGsy+6Q4ZmQeznUVpfOK4n02KRHT3cET9r68iJq4Mxos1IzWd/A==,iv:0ETS1beKB9ib16BDYIxSRjqMKAGa3ouu2WtkDmel0zQ=,tag:7lHd9tKSCKb3WMqrSarvcA==,type:str] + SECRET_DRONE_DATABASE_SECRET: 
ENC[AES256_GCM,data:NaZVmiJLqbV331CurAfCd1u2A97syADge2/oWLlQzOE=,iv:HdzmM2gwKb09CmdOSg7ho7zYmUT7ZSgBfUwwZfa3X+w=,tag:7fgLrQMSLPtAXOjpCRZoFQ==,type:str] + SECRET_DRONE_GITEA_API_KEY: ENC[AES256_GCM,data:E8XEAI6wrauWa47f23/lxu2WyVBQ8HEsfsgYoKqQqmuqwC61HxfhBQ==,iv:lBxNk6gP42LUJ/TgRDQ9rtRNezVXfAictpxyW7fjkY8=,tag:cHdgfALsAXGcDR5U0jaLkA==,type:str] + SECRET_DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:mQVgJe81k985wlcwtoI9sW8CARLIB3wDP9VVaJTIqrpkrw4S,iv:yyD/bVOrKkUJOFBW5r4zKfdnBdjszZ7xW7KK4HT6Uj0=,tag:2PP1d8GWTFIPJaPpMRSo3Q==,type:str] + SECRET_DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:1Oqr6cUbbOEaWGU0HO9/jZ+EcyW3ZOoc6XSPwYmP95YFgyr0S6EyzVr8yOA=,iv:BHZ5NnWBpqs97NozkYsAvzn4aTlGS0FASUyDq/g1ZJo=,tag:SF7m8oUTgribjVAtidTgnA==,type:str] + SECRET_DRONE_PLUGIN_TOKEN: ENC[AES256_GCM,data:2/cwV9ei5Lp5ALiPQQ8OiBWDInO1B3E2bE0dnQ==,iv:sseFrBHn2p+gf8hP6NyaS2SoNo9/A5EVxivkE7Vufqo=,tag:s23OxUhdOzyvv8w+sTuRcQ==,type:str] + SECRET_DRONE_RPC_SECRET: ENC[AES256_GCM,data:/LFFZQ6nGKllzbiKhumohiTMWROjsMKTRyDh+bLPxsw=,iv:xhTd+YYL/Z9ta5sHVms3lT0SUl4S+Rvtj6YLHvWWlsQ=,tag:gZ20TPRGjuOQ01TZ8UwL/Q==,type:str] + SECRET_DOCKER_REGISTRY_HTPASSWD: ENC[AES256_GCM,data:tNEj+OvznAf3ukPPHNIEF6j+JX6y9L+1zQ60RVbTkCz+u3Nbpc0Dzt9tU2BOoHXcPrGQKWmrRGL4b4e3FttvLBz4gkY=,iv:T/xTtxE3bXrgRhc3iFupUygSP7A2ovcTG4N6fFkCesU=,tag:wlQS4LZTFVYvlbIMt2znbw==,type:str] + SECRET_EMQX_ADMIN_PASSWORD: ENC[AES256_GCM,data:1TU2rUWjqHTX4a7P4L9cZSHUoO/OxrYS,iv:QUpEZs2nDNREOt915MSwMMVXAscC1rszIPRp4F/Slig=,tag:DN91F66rvha5TjMB/ZHGFQ==,type:str] + SECRET_GITEA_ADMIN_EMAIL: ENC[AES256_GCM,data:IJiZAgExGAUcYW1L8jW0m2zr+hZL,iv:T+T9AM5wYqNoWKlDVDpsmxf4gvYSsLHwSoxxFAZfiuU=,tag:QeL6xFPsgxgBjMb79zrWZw==,type:str] + SECRET_GITEA_ADMIN_PASSWORD: ENC[AES256_GCM,data:w1BcZzMeLqEMVFdX94c=,iv:bc4IaH9YXvRQTW38Rb1tySKx9/1npWtqI2DtS0y/p3w=,tag:X3hyHEhbGNJcYaH2yWMQNQ==,type:str] + SECRET_GITEA_API_TOKEN: 
ENC[AES256_GCM,data:Xsk9tJLyy6LaoGdIhIQ0rrbu4qREg5fKWJ0KDp7f4qPme7Q1Iha7YA==,iv:uHcaLAaQ/l737UMTzjX3okEAba7gxrowMDu/GO98FnM=,tag:4rKcU+z1sqnDcZoZ+9Zqxg==,type:str] + SECRET_GITEA_DB_PASSWORD: ENC[AES256_GCM,data:1Nol+xY5U6bwK5OpCII=,iv:309gSLUAMPpou+D1+MqjaPXxz7fWPnJVV0y3irmQe68=,tag:NIAbD7cLSFJ3Na64H9PV7A==,type:str] + SECRET_HASS_DB_URL: ENC[AES256_GCM,data:wUWfq0pREQNNYVeHBpYRID/G9iwqgDOyVKixaB5s4Syl7S+SLg2j2sELh0egOuBk7MLwjfry+5v5G+E8fz/6aVhpckQ/cqypIdgE4aHZOA==,iv:PjMiM8MX/jXIS48K7s51ikcPmUdG3C9Pg5Cy5HPdRnE=,tag:UA2QbdBsE7MP+NnH+U3Dcw==,type:str] + SECRET_HASS_LATITUDE: ENC[AES256_GCM,data:t3MRZlv84+0w0oNAYPl9XsQ=,iv:4Res2auWXUXGNBgbg6nhv347oFOKD5v2c4901u6Cxis=,tag:DrYJmj14uL902BGqSuyGtA==,type:str] + SECRET_HASS_LONGITUDE: ENC[AES256_GCM,data:4oVXOt3rIcGoG4hw2rmdlFg=,iv:o9xgLwOqmFf6lKmemdnsHoII3IkJ5/8kTVqYEyz9cTI=,tag:cWgo7COp7macBiQJm/Me9A==,type:str] + SECRET_HASS_ELEVATION: ENC[AES256_GCM,data:hzc=,iv:xoLUrHGxKl8io37Xus6aLPdS8F0E820v2Syj9SRKME4=,tag:KDJl+51oIuk+uamy+WkX9g==,type:str] + SECRET_HEALTHCHECKS_DB_PASSWORD: ENC[AES256_GCM,data:DVnyW1CpzkwcS9h5FtKuzg==,iv:qXxN0NyGEOwNcw+geeWeH4kOdhtAOzgSJ2rPOCBudEk=,tag:WPTg09xR++yY+znP+o/lqQ==,type:str] + SECRET_HEALTHECKS_SECRET_KEY: ENC[AES256_GCM,data:t/88WWwJw4DywbCvKur4mapyBrHB/ypYhEb+3SI3coM=,iv:N/lRnrrWyO9Z4sK4dVt+nwSN6cBN+DUtIt4kYLdvJ5I=,tag:SOgAakGtFTsXs+AprGvgrg==,type:str] + SECRET_HEALTHCHECKS_SUPERUSER_EMAIL: ENC[AES256_GCM,data:fWTxCifpo1NKYQCvcsd5vj+lmHNTrC355K2v,iv:fzIotAiPRtVq738UZX6DiDeVylLH0f2LZEalnpum7WU=,tag:HgNkq8Cb/1XG/sQONFLivA==,type:str] + SECRET_HEALTHCHECKS_SUPERUSER_PASSWORD: ENC[AES256_GCM,data:EhK66mVhLbAQy6KunehRVg==,iv:aSELZvNj7AsEiDQa5kBHTsm5makyhUr+L6ta6FXWvPo=,tag:hPVdbNKnXD1MlL/b2r3Wcw==,type:str] + SECRET_HEALTHCHECKS_DISCORD_CLIENT_ID: ENC[AES256_GCM,data:iXzRxJRn9gIbUPV1QIy3jneQ,iv:ImsWcSQIBLW4GKQ1KSORr3NeQqkaZ48h0NTU+18YUmw=,tag:aOL5Qe97NglSnqBAIRAZdg==,type:str] + SECRET_HEALTHCHECKS_DISCORD_CLIENT_SECRET: 
ENC[AES256_GCM,data:c/Es7U24j+3mvos6nR45OGqPE1IAsnDw0+4R/bvfATc=,iv:qm6OWJOSo19k3pIb9nnyB2B0MLYAXGRYziI/1z3gtQk=,tag:T6qDSN0e8BFVftj8TdBnWA==,type:str] + SECRET_JOPLIN_DB_PASSWORD: ENC[AES256_GCM,data:+j4QFm4zS17l2YPaMn1Hcw==,iv:WYuz6wyVephLlEHTFCjKo+dIi5+B6RvNPC9FlU9T99g=,tag:IAgqgpghCO5jBYCPsMo0qg==,type:str] + SECRET_K10_HTPASSWD: ENC[AES256_GCM,data:u89AKCM/FSXn6Czo6KnG1rqkxclczczcE+wz7GMWU2HIoC9qUzqHvFKe7w==,iv:ZjE1p2P65TbSeVk0oXiWd4nH+7zNWonTjWYNmb3NFg0=,tag:UJn01B6MdJDHv1fN8mV21g==,type:str] + SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str] + SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str] + SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str] + SECRET_LYCHEE_DB_PASSWORD: ENC[AES256_GCM,data:tn8r2epnKSC0koed54s=,iv:2ojoEzTJYQHniFD002bx2i3uBlTdwV17dYBCBoMSglo=,tag:jcuI1iqJXaKPCwmSuOYjJw==,type:str] + SECRET_MARIADB_ROOT_PASSWORD: ENC[AES256_GCM,data:RPW9YDRn+OE0b0xmmuPZMw==,iv:vG/rLxCDs7MWGFY63ERINRRPnEXRombhobnEKq9oJjE=,tag:LNae+haPYSoFMvw6lxOYvw==,type:str] + SECRET_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:cv4//sg=,iv:dx1hciCvVBFcKXbAqoArkTjc/YLyKUp1sXPGuPoX7lw=,tag:+AYVkGKVWXR06h+TwTO9ZQ==,type:str] + SECRET_MINIO_SECRET_KEY: ENC[AES256_GCM,data:qcV/b9q12949ZYExzDP3Yy2nAOY=,iv:7qg5IGEWBF1idgZxObcbWyxeNDAXbuwuf4BqwqC67Qo=,tag:wx44bn38jTel2TocUkCghA==,type:str] + SECRET_MINIO_ENDPOINT: ENC[AES256_GCM,data:2/+oaWr84857KBx8yXrR7JK+EFIGw7ed,iv:iyfCkYl7yIgwDn0fR95rjcLj5Tsrho17ubGW1KDfym8=,tag:o2VTxHOjKrbX94wbRKHRRA==,type:str] + SECRET_MQTT_USERNAME: 
ENC[AES256_GCM,data:KkxVYfSPPz/bBFphww==,iv:zh83aX1OySv2+n1mhTmcgK9SzCAQcVtvlmXbAhiNQcE=,tag:mCHE13e12m4DHOWelYY4Zg==,type:str] + SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:8B3BfPFPQm/eZnhMYe4DOGdmiQ==,iv:a1PzZHBVDSVTE0oDy1Abb99F4RyPNIIm8cMV53AySQk=,tag:VzaPwV9bu9R7brGRy7N7wg==,type:str] + SECRET_PGADMIN_EMAIL: ENC[AES256_GCM,data:Cqvgf0l1A3V8C43YJ20RkCToOGQrxA==,iv:6TsLUzW0yMnx+pGK9MLD/1pm7TGcoVz/Ibn4wYGWZ3k=,tag:YBHhIJl28Cnnncz+fPbPNw==,type:str] + SECRET_PGADMIN_PASSWORD: ENC[AES256_GCM,data:1TDN5XLr4ZGQC4qjF9A=,iv:ydluXBbIfFYNEfhgNKxtVOOdqsY2SX+40CjyN4nOsvQ=,tag:hPmQpDYQR3X67AEIOa6sog==,type:str] + SECRET_POSTGRESQL_KUBE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:MzS+wtyT7drhX+BN1y0LHg==,iv:ZjJaag75/g/lA5IP76zKGMdC1+f9FSTbHIn8TAnJbaI=,tag:AuPT+Af9byIfJzktHhstBw==,type:str] + SECRET_RADARR_API_KEY: ENC[AES256_GCM,data:Mom5SOMHf7xUvvUkjLIRqMzOSSQshzWdKlSGIzZtIGM=,iv:4vrZFrsTCUW2e0bo2sA2iT+ZVKUDEuyferNJ5Q5klFY=,tag:xha/NKx2XN3Mpa0XPSMPvA==,type:str] + SECRET_RECIPES_DB_PASSWORD: ENC[AES256_GCM,data:p48hux/huJTkYPJaciglPQ==,iv:5rOHaqYSPZbVvh2anmNEtkMNk2OlsPqCRCasV4EPpUM=,tag:Ot5BDGTKfnEPKCriGaTEbA==,type:str] + SECRET_RECIPES_SECRET_KEY: ENC[AES256_GCM,data:qW6IeclLI1PeLkuRcLyTtA==,iv:6aJoRDjNS1Mtf6IC+R8ubcEO/dIc6GU36GZE1IJgqsw=,tag:LdKVsoA4AtYpvrROY30OAg==,type:str] + SECRET_REDIS_PASSWORD: ENC[AES256_GCM,data:xlWToq0iPIDSulLc3cShcjXk,iv:+nrMpEYZN83vF6XQNbm8lCchU7o7k/Hg65VdBqfsloQ=,tag:8uDLy/2PL/v3vtjs5Ao6OQ==,type:str] + SECRET_SONARR_API_KEY: ENC[AES256_GCM,data:JO5N+MeVeQmAlfv/dLJru5oHyVjpy9iUrfrTe4PLVXA=,iv:NjGstpjwFapd2LJNPy6nhXsp9UuCYTBuHRovmHdCSNc=,tag:BARsx6FBISHhxueBSDJSNw==,type:str] + SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str] + SECRET_SHARRY_JDBC_URL: ENC[AES256_GCM,data:FzbiyvLcrzOQ0r2Rh9DA3hvsB1TkVtIwhiCk8O5pAK1DVr/097sXNHEz9SiEcn3KfLU1O2LcEGWT2yu4bCD1s6jH2ajO,iv:RW9llPx2AtPLl75AVZAfj7kbXMq+ktPw+zhdjpBptBA=,tag:f39qOwiLqwQ9+ibtpt5CdQ==,type:str] 
+ SECRET_SEARX_MORTY_KEY: ENC[AES256_GCM,data:YXsOaeIYkls6xIZVJnuIe+pZvjE+yMFyZUCYGluk8Z37bQYtoaQpmdgz32U=,iv:02CLI3WXWJXSGHLskfkj/VQewS+UYNjaglltKdM8wzA=,tag:ugrYLNSJXVTN8iPt4GnhAw==,type:str] + SECRET_SMTP_USERNAME: ENC[AES256_GCM,data:mxPsPTmiQFngo2ZEAnMHbLhysMn7P8I=,iv:rJkydYYl8ct49IYwsy5zpCmBv9/sW7/qUxsaLxmZCXY=,tag:A8lSLRKW8vGGPAwP7X7KjA==,type:str] + SECRET_TRAEFIK_PILOT_TOKEN: ENC[AES256_GCM,data:xXxiixXMLqhD8Q+6ySflMgLFcb/sOwZCh1tbsxT/3ugTybs2,iv:lh55sIqwz8H5Efk9MDNoHORtHoae62wsR5NXKvh7Je4=,tag:lfYbWiYQVz8bxCYgCwA3rg==,type:str] + SECRET_QBITTORRENT_PASSWORD: ENC[AES256_GCM,data:+2IrY0dEoMDmHIuO4qP+LpNk24M=,iv:qZFA6PotReANHTQDpf8nRLtbOkUSFJEkfhS6yEZoleY=,tag:75gwdDU2bCiJms6H/v7kDQ==,type:str] + SECRET_VAULTWARDEN_ADMIN_TOKEN: ENC[AES256_GCM,data:IK9y9radCvkNHmx7hvjn692zLEPuBDLEm4UkXzsvChXK9Kc79qCYyyCQ5QDbsVoZQDj0Amk138c1XkpEoNvg3g==,iv:UGLSQ0LlMX+qvFyxwOXWUC5j3XnGy12NA8WMIW+HIbM=,tag:ASuRdQmBaati2fRzzq6RwQ==,type:str] + SECRET_VAULTWARDEN_DB_URL: ENC[AES256_GCM,data:pUcVSOKhCwogtWAMx5cuHChu31G73ti2f15IHvxY+RjBksUIilXjsFlbtKQw23baQzzD6+Qim54kxtl+G5bgSWq0zYx5dyXPUDmEn2N9plnJh+mUVIEw60RW77i4kNVxsjYQYw==,iv:boc2LcabZetVwM2NpO1pzSMg/XF9c5pKHXxG1oDhfBQ=,tag:p1UBHo39401yEUyUmnYSrw==,type:str] + SECRET_VAULTWARDEN_SMTP_PASSWORD: ENC[AES256_GCM,data:j8zz65lWneLFw9U6tYJgjA==,iv:/8w8jFrNoRolZyHyuunJoIdMf04htdXmlbK/ICsRNbk=,tag:oh6vXrtHknXFpW6kWv06Yg==,type:str] + SECRET_VIKUNJA_JWT_SECRET: ENC[AES256_GCM,data:8axiOB5PPhjEwBoYB3NtT0ewlNWNK92EAIEAi+NR1J4=,iv:uNBL/FfhamQwBzfKbZTPBeGUgbOfKKQM4SdDCGMv+HU=,tag:YpK+cW/ISWj9jGCeWBeJSg==,type:str] + SECRET_VIKUNJA_PASSWORD: ENC[AES256_GCM,data:m3pGmQGYvqPO0ubxhaDGNg==,iv:hIzZP5JMnG9W3QWr50YeZ9FDRNRh1qOWFliRIDHV6+I=,tag:6/ymdGs4Q2cla+bN8r9KGw==,type:str] + SECRET_WALLABAG_DB_PASSWORD: ENC[AES256_GCM,data:6kI1fYuCEZzgNSqJ0vE=,iv:QMzl/GI5Wmudv7kp4y5PtyiCygAQDJHfVzLquMkjLsY=,tag:6Dr9lwtxKL1hlskTtcyKBg==,type:str] + SECRET_WIFI_SSID: 
ENC[AES256_GCM,data:ChUJY7mgQSZ1IQ==,iv:uJ8FasEK+ZvxLMulSp7l9wXOjb3Ojnnt31sfekPRm9s=,tag:QBwdk4qtLCwG7G0AqdOoQA==,type:str] + SECRET_WIFI_PASSWORD: ENC[AES256_GCM,data:pE7jOD2WNVw6+KmyRzlXgwErVbVCSpx4p9AL3kyv,iv:51HVZpqSMVt10b96Ugx9ZDOG0Eh47QR9gypCr2s/FCc=,tag:hxhk8vuVBSZeihZoF2nwsA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVkZXb3RYbEZ5eTVSbmFE + R1QxMmw0ZzkvT0NIa01URTAvQ0xWa2tZKzNvCnl0UDQ1MGV6dEtuVEd2S0NhcThS + MGZ1VWNXMmxHSi90eFBGbXE2V0hwamcKLS0tIEp3a2ZTeTNyaXBhSW5nSU0yN1hu + WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm + pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-03T14:42:15Z" + mac: ENC[AES256_GCM,data:ECnd8uOneyMlJWCdck8D+ZjKwVZVkI+rLdY9HBwmwzqGa5CB6Y1WqelhRhlT2y4o7YpOiGDkFRdBiMo25eT5iNFHuvHByxgrl3++5FR0TzDP3gyfmIr8pAbZrrkyxxPMk3Ubcgk0dBXg0aZqpQReYaifEhjRg7HD7SIJIjaaLEU=,iv:B2VKso76VygK1p4GfOfP7nC6j7rV6DYjn3bf/MyfMu4=,tag:+OmbcNkwIk0JIBzDfyk7yw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/configuration/secrets/cluster-secrets.yaml b/cluster/configuration/secrets/cluster-secrets.yaml deleted file mode 100644 index f8c0961b3..000000000 --- a/cluster/configuration/secrets/cluster-secrets.yaml +++ /dev/null 
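Review bot: The sops metadata at the end of this new file lists a single age recipient (`age1hhurq…`) with `pgp: []` and empty kms/gcp_kms/azure_kv/hc_vault entries, whereas the deleted cluster-secrets.yaml was encrypted to two PGP fingerprints; every value under stringData is now recoverable only through that one age identity, so losing it loses the entire cluster secret set. Adding a second recipient (an offline backup age key, or a KMS key) to the creation rule that produced this file would keep the migration from turning into a single point of failure; that rule lives in `.sops.yaml`, outside this hunk, and the file would need re-encrypting afterwards. Separately, `SECRET_HEALTHECKS_SECRET_KEY` keeps the misspelling carried over from the old file while its siblings are `SECRET_HEALTHCHECKS_*`; because the key name is a substitution variable, renaming it must be done together with its consumers rather than here alone.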
@@ -1,142 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cluster-secrets - namespace: flux-system -stringData: - SECRET_AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:IRNpIz9qOWxV7i32T0r+VgxgNVsMtlif/8MbZg==,iv:+UBy68Um0zz47t6piig4UPzxMicS4jZo6El1N9dFxyQ=,tag:yroEqqBPWtwBcadBYu/qeA==,type:str] - SECRET_AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:MM4QbvniS1beSDItP7Rl6RK1Q0AC3cXowhpRVw==,iv:JH6DjoxhP320I8bEz2EGIkZN5YnE2fBBQiNRT3QU0Io=,tag:3tSV5fPpNRq7B954Ekg3Fg==,type:str] - SECRET_AUTHELIA_POSTGRES_PASSWORD: ENC[AES256_GCM,data:DeTJa/46cXpttKHv7lc=,iv:wfPxrT40BXyLrXbtpCVIO3V6TwwNC0vkj5o4wBXHREY=,tag:L+JAdBCqo9iruPYcAaxNhw==,type:str] - SECRET_AUTHELIA_SMTP_EMAIL: ENC[AES256_GCM,data:LYao1jIoWnPwCi/y7E8jhre4fUS8mus=,iv:AXZ/U/mnUorXQL5ZjsGF2pG0raGt6qqGtZeR9gszqxc=,tag:HRphgEocLVwPIDhv9PDKrw==,type:str] - SECRET_AUTHELIA_SMTP_PASSWORD: ENC[AES256_GCM,data:ECMn+cb0Elsn9Lw0/p+rjw==,iv:HfWcFvxWS/f2AVC84E/A/KvnPnbB0pAK57DBqBC0jCA=,tag:wIPN3KHzkmo/pxLm5bH8Dg==,type:str] - SECRET_AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:3PUJHgD89PVubKeWIm+KKk93rnx6d9aRbiL44A==,iv:0kEXwZhiu4Qh746EX4UoxmNlser2UmKg6H1FBgeLO38=,tag:fMkNIl3Sl0vwd8R0Ni/O/Q==,type:str] - SECRET_AUTHELIA_USER_CLAUDE_EMAIL: ENC[AES256_GCM,data:knvCmfHMtArGS1ZTeCyLh+GEaJJ0PEk=,iv:1FTHTLAJSlW1n9i4gJnYqMPRiopZ0ij638ErX60Ga2w=,tag:hSfudgcTWz6bT1viYXIMiw==,type:str] - SECRET_AUTHELIA_USER_CLAUDE_PASSWORD: ENC[AES256_GCM,data:I+K7hNZYOE8SdQvJi7g4d366QFjR47zTyS51rMpeONOebSGUgTtrysZFPcfU/7uVu171e6xRoAslUmzoaeFW7zT1kzvXWtsoeL3Kg4VJ6JYsdixHSppWdcLRLg5YEqq/F9GH,iv:NaCxrccqDZIYnLIwAreWzdv7HrE2FCLPfzht+i1BiKU=,tag:1CuHY5iHvbQdvTrj5+GHrA==,type:str] - SECRET_AUTHELIA_USER_HELENE_EMAIL: ENC[AES256_GCM,data:b6jDhf1dpi4XoulAY+O+LHfFnr9BL8rt,iv:ChbfUAsZdUvigGZWJPA2a4AZQWcUBwjDsxzymqo9OXs=,tag:VD1ioYwssccDq9W2/MAFtQ==,type:str] - SECRET_AUTHELIA_USER_HELENE_PASSWORD: 
ENC[AES256_GCM,data:3SmXt0GnbzW+aXmWCTjoQqTG3cqR0LbuvBrvsHnmgWWJ7hoGeDLG7x6BKIGmFNT0j3DbH8gjagB9poNJ73Yf9tWOwcXzpeH+8DwwcXHBnPDYkANAdqriyaO2kbbmXPmHmuaC,iv:9TT19sJ2E5ZPS6fNBpYPQ9telzWmMC8Kfbzg0oT3ZJg=,tag:3PeB/+rOS3VbIHuLklv/jQ==,type:str] - SECRET_AUTHELIA_USER_VISITOR_EMAIL: ENC[AES256_GCM,data:1EajzA5v2NQwBoKeKeKDtVVMsJLoAA==,iv:22Kc2zNlT2PpER76tXyfXEvBQH/6mphzcmM2ruWoy4A=,tag:mtELIYv/Hyj3KkMI1qJLtA==,type:str] - SECRET_AUTHELIA_USER_VISITOR_PASSWORD: ENC[AES256_GCM,data:YI8Mxfb5Wk/ImcxveGeSPpnESuFgnOpk+swvR9hZDPtCgaYSrk02LCo/iORMrooSCnxeq4MYnBwVxkKlOSswHyOUDDwuLoa3rKcppsQmXNiiqVySjG/ML/Gypp7JKTXqAEgr,iv:jmNczKy9zjKAE++LaCnsXKl/4JdpaACuolEXThn4TnU=,tag:su2Ygx7hRFS6o3k1KETp4w==,type:str] - SECRET_AUTHENTIK_POSTGRES_PASSWORD: ENC[AES256_GCM,data:9/ZXctbcunUhMPBJ3M3iTA==,iv:/RXn9/4N2z9KojCERzQ6JtL5nhvcym1TWkdGid3iBfA=,tag:VJStvEbAI5cfsrC2gwjhww==,type:str] - SECRET_AUTHENTIK_REDIS_PASSWORD: ENC[AES256_GCM,data:GNI1JaJrtyBE1qnnBSctog==,iv:yCMxmBWwk4CF135uv0b6jrQEj838SQxHDh2sX/i8Rq0=,tag:hrt7054Kh1YdUT1QIyyZaw==,type:str] - SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:TGG++vu0/qfBxi+rHM4LJ2xWo3xyju3OI3G7+YrNINaX/QvHtzR9Gw==,iv:yDAqbXmYcJJNWRJh7zLzy4RHRK2d3oaH8kdi9k6vzLw=,tag:TzDCXMKRTXfCce0SrQDs2g==,type:str] - SECRET_AUTHENTIK_SMTP_PASSWORD: ENC[AES256_GCM,data:Nxs003UgKqBejYryUoAetA==,iv:kpXxW75YXTL1lv4m1loaVJ68etNeYk6ObqTVdbkm/oI=,tag:05zeNjIzvnAT+2aBEB4Gjw==,type:str] - SECRET_BOOKSTACK_DB_PASSWORD: ENC[AES256_GCM,data:CEj/jUiLg3g5LNNT7raqew==,iv:zlpPWBTAxRpuU9UTn/bLjT47DCs9NCZuG3jwemnfwZI=,tag:vlffnqv+O64uvaad4mV1wA==,type:str] - SECRET_BOOKSTACK_TOKEN_ID: ENC[AES256_GCM,data:lNyl5khaHCneLTlmsIu8uCH9lo8E1+RC5KC9CqU/4Rg=,iv:hH3tho0Xl4kivMRXLTTXtzZ/KfVw+lYqJIIBazUNodc=,tag:FhFr3Ul9Cz7SbY9DevI4mA==,type:str] - SECRET_BOOKSTACK_TOKEN_SECRET: ENC[AES256_GCM,data:XmY+0wvh90wiRjjIEk9HneHTuaYRDtUv912SuAywQ7U=,iv:i0hwrKeK509v9uzmHJbLL4tX7sj38pDm5BY3P+guRCE=,tag:/7TJeMCho2OghzixULidUQ==,type:str] - SECRET_BOTKUBE_DISCORD_BOTID: 
ENC[AES256_GCM,data:4woCPg5S4rwHdCU7q+e9MLC9,iv:Bc3kokQe+uN+j8VtjJhE8SlPxuac7WJncY+12olrzqM=,tag:BAO0425EGxqTqO3trthCUQ==,type:str] - SECRET_BOTKUBE_DISCORD_TOKEN: ENC[AES256_GCM,data:JNZ738Ovj0TChAFkBINHHbvyzZXHOUFF2DeILLjdLWVJq7gAzKUupUo6wCupsNtuE/bdIYZVMFCXRrg=,iv:cBY3hlVECPHp6WIYOHMe4ncIWkBdbzBbTS4t8inl+fc=,tag:wpspuFVh24KY+VPPzeewjw==,type:str] - SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:Ua4abZ3ZQsS6GSjoCqAkgAwFrw==,iv:NAPG6q9qOh5riRUH/yqBMfr2VDR5exOLkK2WGHUdzqE=,tag:9ZEkwBpVx75fknr0pGH/Zw==,type:str] - SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:W3/pbznkUTkxRaUop1Us4pTsIm4T,iv:pZEyNpuk3b8Pb0vGopUsm1mAX3aBkuNHx0UL07oOTHg=,tag:9NOewIGINBbSpcz1EBW/mQ==,type:str] - SECRET_DOMAIN: ENC[AES256_GCM,data:9M5byFCsOzFQB14=,iv:GokP3xMIY/BPT8QodI+cQNP2Zur+SAeXjOVLG0vZeBc=,tag:uor4rgQuqvpSptFEWg8m+A==,type:str] - SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:xlV2sk0wkze7+NDh86IY,iv:8aThmdkgTZOecUf+e0zSMOIZwPNgF0KsNfGGwkjxNdk=,tag:MeTDseBmR99DYxFDEohs8w==,type:str] - SECRET_CLUSTER_OVH_APPLICATION_KEY: ENC[AES256_GCM,data:6VXp1M0x53jsLWig6ioVmQ==,iv:zN6Qk9Db+ZeNkZrk1suzNMVAjFW2xm0La1rzfyeu674=,tag:aKUcYlcCbv89S0e6UH50SA==,type:str] - SECRET_CLUSTER_OVH_APPLICATION_SECRET: ENC[AES256_GCM,data:1ZGI5ssc1XCQZq5IxlLLKzqoAoyC9sY9QV/U/qmKgKQ=,iv:tcOkDoCVGhZ53HDW8QUt/N2kSuD2hWkdPK0KzVfssvA=,tag:BDA54Rw4Ly9OnGDpR60lKQ==,type:str] - SECRET_CLUSTER_OVH_CONSUMER_KEY: ENC[AES256_GCM,data:5Fkq/AxrFtFi8HiXbwCpC9Ads3jdsN93wBCpDVwspiI=,iv:ovWbjFk2I8mLWoc9hSqahWqtFVGkXTH5kiaZFDK52WU=,tag:gx7Zp24uh5LYQhXTf6arQg==,type:str] - SECRET_DRONE_DATABASE_DATASOURCE: ENC[AES256_GCM,data:KCBLMehk3svbN5BCzBwmTfeWcqOGBygePFKsRxdmYZWI7r/y4e23ovPWLB9pvdoa6u+J+d70tIzztZTaoXGrH77wSrDNPP4sfoT2F8nvX8zii8rE7C3H1DD1PuLBEFp5wkwxEQ==,iv:RM1bYThU/Racm+70XlF23gty299XjoZ+sw+dxwznxCE=,tag:qFOAmz9aDWoMmT7XORbkFw==,type:str] - SECRET_DRONE_DATABASE_SECRET: 
ENC[AES256_GCM,data:VDnH071B37ZzmlO0mEODxzxKa1pR2LTSwewOgEJB1QU=,iv:aOYWZ1W4/rdKV8teIEzuqy5zC2X0QHYKWaC9DfY476Q=,tag:5gwbR0CNueIl2MxgiJthRA==,type:str] - SECRET_DRONE_GITEA_API_KEY: ENC[AES256_GCM,data:z84ZAjBleBqJcA4OS3KBRCOFr6TwdtsHuLTT8f6RiBcoi716Z9WOqA==,iv:uNTWutINP/UHIzczMMg2pH+YWJS3fRViTdWauV8V+J0=,tag:ThP0pov1tu/r0UZbyYJdVQ==,type:str] - SECRET_DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:8V2nExG6QQcS/8PlnttrNm4/FTznYOWFTZjJXQU9W0AchTwY,iv:z9+xSyZVVscHDpWzeaM7plQkVZHUJJ5/un9R9dS9040=,tag:KG3oSYx7e5iinSNLZSabSg==,type:str] - SECRET_DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:X0HhHVI8J/nlfYaWvf1P7TVINXatbr+FZiQqDjOven/yPZSItWAMQh/XqRo=,iv:DEMd/Rsa8k/t2RjiDZGdnZcmJaJO6E+nFfl0Js4JLz4=,tag:rSm8AO2LGKJuYa8ErGzTUQ==,type:str] - SECRET_DRONE_PLUGIN_TOKEN: ENC[AES256_GCM,data:mXzPAfViPQxWpH814F/nN66vlnLk35Cc33HY6g==,iv:XLNkQr1BuQz/yjq5v3m1x7bXAtHJ8x4dusVITydkAG0=,tag:gHp8ySAIKsR8iG50ocuViw==,type:str] - SECRET_DRONE_RPC_SECRET: ENC[AES256_GCM,data:ib22K+Z32Xq+wt4zTwCFiNywupQy+Ze/ncbY5UKxp0M=,iv:9q0ffcEcWZ3Mm2UiO1zFo3nlY4usBQZlDe5O3d25PSY=,tag:6eiak9+lLqoVo+Q0TeClsw==,type:str] - SECRET_DOCKER_REGISTRY_HTPASSWD: ENC[AES256_GCM,data:ipfXjv8fa76Abi3I+5CGehBGc260rqFDCNFl1qkTwUH6W6zAcdzUNMLCI0+3WoiqO4b+Fz9fS2auqo8wZsx0NuRscQU=,iv:zWLM0IVQzc8d8gqvkrRyzrtD+8JzSe3QIMtFsI8RRFc=,tag:xYeWhSWlhIoamMCZNfU4VQ==,type:str] - SECRET_EMQX_ADMIN_PASSWORD: ENC[AES256_GCM,data:CoccfeM49hs6Nv15zy01iy5v7c6JPR+5,iv:iuRCUGANQJBOq2sZ/RWwbmT8WX4Y1TyXFDjORTWdmjY=,tag:i2WsMlnCjavk8vPN0fPjAg==,type:str] - SECRET_GITEA_ADMIN_EMAIL: ENC[AES256_GCM,data:8COo5zSGBW8gjtUy2Kif/z9wDZ9D,iv:TA/cp/vmc2/31DIp1Hilg1GweFf5nBNYwxbyAjSflPE=,tag:SzcNh+o5xjhe5he84b8luQ==,type:str] - SECRET_GITEA_ADMIN_PASSWORD: ENC[AES256_GCM,data:gkcQTvMd78a5VfP5CGo=,iv:qEonzIVYBJqcFX5qDJZkyKJNK3U+nDdDBQTkhzbgTto=,tag:N6eNqb1rI+6gTm8pqc8f4A==,type:str] - SECRET_GITEA_API_TOKEN: 
ENC[AES256_GCM,data:0EmooDnLR3rDEAZ2KSeBXNivm0DVuUM/C1R5O3EnnvGDgaFWhrFjcA==,iv:hGVvznqwB8FvlBijHey3ePLDJi/8/7+YbB1diy7ew/M=,tag:tw79GxBb7bOjqoMdits4ow==,type:str] - SECRET_GITEA_DB_PASSWORD: ENC[AES256_GCM,data:rsOEXHvTtmKgz9g82WU=,iv:ss1YTKM3TbKN13H1Z0Qihq930y5/xd3spLuQwIHe/wY=,tag:2VCZYXOypSCuX7Mkt9dAhA==,type:str] - SECRET_HASS_DB_URL: ENC[AES256_GCM,data:8nvkhm+kgmbFCywZuSwqA1aC8dxgGr2n81aWLpjoJZRAm/wpaIwDN7HN0hdadOBZgX3oXlJatAldOKUw1CARzEky4YiTxJintJn1xXuTAQ==,iv:z5CEjBwufaT1uEph+aRvtn4mbMXfb+sTYfQ3TEcXw3Y=,tag:GmHUFg0/V6E2vhARayN5FA==,type:str] - SECRET_HASS_LATITUDE: ENC[AES256_GCM,data:W/Kn0QcRwKYYkt6/4SGKsSg=,iv:uuWzxB9UW/AIgH72pLVRwzSZwfJl1Pr4K/PlaYNnOcI=,tag:KtOgs9eC4FkjNSYtYybPsg==,type:str] - SECRET_HASS_LONGITUDE: ENC[AES256_GCM,data:lZHZvVNNqnincmkvxElCxhA=,iv:aSqGTbBk7+YV1frdFtD/nn4/xOg5C8vKxMAA7wRFMrM=,tag:qFhf9NeTs7AAnUd3Q4f5Vw==,type:str] - SECRET_HASS_ELEVATION: ENC[AES256_GCM,data:03A=,iv:KtdCMY4y82ZoYn3p5ds3Hoq2zVFNG9ERR1T9sX2tkTc=,tag:i3QwgfuTq1U9bZ6HaFrh7Q==,type:str] - SECRET_HEALTHCHECKS_DB_PASSWORD: ENC[AES256_GCM,data:kRiziJ853r7YZ7co0NXOsw==,iv:q0MCuMF3i7kL39G3u9cw/5vnHzpklocvWjf2nYmeapA=,tag:g3BsNNn+/+pzxGX3uLg14Q==,type:str] - SECRET_HEALTHECKS_SECRET_KEY: ENC[AES256_GCM,data:IERjUdOmfziEqoESdGId0yT2T5lM8vASoHbL2/0GZb4=,iv:CdSEQ/Pu6+krUGgnUEdxWGIBI0I5eOJ/pVxvzsL2OgM=,tag:GcnDruROjh/hEggpDImxCg==,type:str] - SECRET_HEALTHCHECKS_SUPERUSER_EMAIL: ENC[AES256_GCM,data:UAamQEzS1+6yn6K2xwnjUyGP7NLP31hKdddr,iv:ZTTpSu3EOcotzmi9H3XiGXYArj7te3ERnTsAscJCgTQ=,tag:TsJ22PVMsqPpVHzQnr/RvA==,type:str] - SECRET_HEALTHCHECKS_SUPERUSER_PASSWORD: ENC[AES256_GCM,data:egMJZ5iCJlpW617jsM0EOw==,iv:zFnYKuBGZ4U13C3Yy1xX6CxVS0x/gGTK09fQEsqaQZ8=,tag:S1xtjn2v1gfp3ct/p08PUg==,type:str] - SECRET_HEALTHCHECKS_DISCORD_CLIENT_ID: ENC[AES256_GCM,data:1fhciaZJhq682NZqrfuObpV+,iv:yPgFQ61z1Zz6aEwXgscuIMTrdKmvuP+iutp+Dc0+igg=,tag:+Wl1N8byzGX/x5wWETMlIQ==,type:str] - SECRET_HEALTHCHECKS_DISCORD_CLIENT_SECRET: 
ENC[AES256_GCM,data:X7eswfQYVyonbgIvZ2XnYv0CnujbSe2jG/jTZQ6zNCU=,iv:WcjBJYr1t44t0yvlxwKWkQVjiinOPKg/orSBwbg25HI=,tag:DuFNUyxqFRGYNP5Wq+zWSw==,type:str] - SECRET_JOPLIN_DB_PASSWORD: ENC[AES256_GCM,data:zgvbYH0CmePLVFnQMqABtg==,iv:k3vPge3zvXoCt5z3Y1MD7iPOR3y4lAcnDkiZWARAqXk=,tag:ewkvuh2sFevrLAlctT6b3w==,type:str] - SECRET_K10_HTPASSWD: ENC[AES256_GCM,data:4QPiJdx0T9aUZL2VhNL5VZX35M6Vl2n3XdRDJPWVX7TX16Ialu17Xl7cYg==,iv:yUzG2/uOKlhq23k3BckRznkG7EA9T0IOJxpTvuOtuoU=,tag:kiWnfQNc/KS8UixDmrvO8Q==,type:str] - SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:vJWgnfPIYfFGma6LDq1hZEMRkB0DPBFQsQqmqU2f,iv:PeFdeHcA0bB5SPkZXH83GxDoWuGSsb7GPfC6/Mq7m1U=,tag:ChRciuJoS+YFSQvV+rT0Yg==,type:str] - SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:bjWq7HVvqLzSsbMLGUQEPr3T2+HkCDlS8vt+JZC5,iv:OR5CViMlWocHwq9ThWdJ+2kz/Acp0DNxdQHfQIlI+YQ=,tag:dyj51h4h8y6r1RrVzmAXAA==,type:str] - SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:vnDx2uLz/XaVvY0/eCs=,iv:9hySKMeLLLJd+1DOu4Q7Es1ntuuFhq0p6NklhMD/zM0=,tag:Ga6FBwzyDZ1a8nB1b/r6/A==,type:str] - SECRET_LYCHEE_DB_PASSWORD: ENC[AES256_GCM,data:SI29hE4SW3dlgnZEK9Y=,iv:+n5Ug0CRMjyhIQJtKOPI+PNGtoU7ynhpBvQ5Fm1BFAE=,tag:oJzkv3RTHF68ro46MpyQXQ==,type:str] - SECRET_MARIADB_ROOT_PASSWORD: ENC[AES256_GCM,data:gZoU/cVniyGP1Ji2bz6Dug==,iv:8iR2XK7EynCD3XPnjBI2bVaAH1h45T14wTcyDoW3O7s=,tag:quqbVYQN6piN7P9c4TBSZA==,type:str] - SECRET_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:kIcERZk=,iv:9dDdNkPPE67XZpH7PIPE+zv0+d4xAx+QIHVMz/+FUU0=,tag:JVe+e4yxPq94nixXyZKlAg==,type:str] - SECRET_MINIO_SECRET_KEY: ENC[AES256_GCM,data:Df71Ne55eXRML+VWQ6LqKCjqhrQ=,iv:UWxbdhn0uLizu60ZGW1CLdKOp1EAazb5CqzTEh/aJ2I=,tag:h9UwPn+E3wm6jD85VsBntw==,type:str] - SECRET_MINIO_ENDPOINT: ENC[AES256_GCM,data:WRswUk2JeeFDP/aOlhNL/TW6pSDmq9jV,iv:Uo5dg7g0ce5dNaO3UG8ccFY0R0iyyRCpPTljdK6qqfA=,tag:rU1uHl6SW51Na++xPoBvhQ==,type:str] - SECRET_MQTT_USERNAME: 
ENC[AES256_GCM,data:wsKupqXH0xbTqzJIHA==,iv:kMr1pKC6HG8KISWZQEe8uRxBW7X60xuP3jgC78Sz2fM=,tag:FPuK5RR7fFl+gr8kB4R8xw==,type:str] - SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:iVaxnjF1RabeL5RzByEH8Ztvpg==,iv:EdyNxkYPLr+4ogwv7sBXtL3YbPjDgoPXp3FEQxWkV4M=,tag:b/Db4UW467axmX8/5uCOog==,type:str] - SECRET_PGADMIN_EMAIL: ENC[AES256_GCM,data:Tp8VhRGZ0/tfsu2RBlqklyzvt4ATZA==,iv:9vi668hhS0A3h+60SdNmLTUoexeHhPz97rNWLVxWcLw=,tag:yipydPqzTZxEhvY/LCNPew==,type:str] - SECRET_PGADMIN_PASSWORD: ENC[AES256_GCM,data:jFMRgQIC+R1vN4uIcKE=,iv:faPyXdZRTr0vuIB9LILdqTZawUpgMRHl3AlDK3RJlps=,tag:QQBgzJJTjBpnyD4y5ipI4A==,type:str] - SECRET_POSTGRESQL_KUBE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:IlAGwP1TNkfiC/6+jdojnA==,iv:AiEPhwVp2g7JnDE8R6fyY62E00rqPjPMvodidMYLeLc=,tag:TESmmZ/IBpYPXPE8PyTJzQ==,type:str] - SECRET_RADARR_API_KEY: ENC[AES256_GCM,data:ke9IW5tjkSBPP1w/2VUeA2xOqYmU2/2NNkQo6OV6ZU0=,iv:5A87FM/sxEwES1KsHXasoMKsi1mt2wSgsCdJOyUVE98=,tag:0U3Nz3n3NiBMVITT0x6AMg==,type:str] - SECRET_RECIPES_DB_PASSWORD: ENC[AES256_GCM,data:dCqbXuQ9eL+c4PMFais6BA==,iv:HRDICY2HkZnT65N2OD/hfRukuaMZnUd7IgGzaJq/XiE=,tag:0iKix84KpHjJViP42/cZxQ==,type:str] - SECRET_RECIPES_SECRET_KEY: ENC[AES256_GCM,data:MSqPt+NPoc2YZiE/GO0ncA==,iv:+ZfEwsMyMKVSHcTl6a0i5CoWPkziiyUH2IN54SLO6F0=,tag:qp/PxUqd7eNfJv3E02KPZg==,type:str] - SECRET_REDIS_PASSWORD: ENC[AES256_GCM,data:HViUVrhLduBPMhsQRA2Xfoqx,iv:2GHGkXZFANSwC0YvANg+kLN0VPKa7dkrhqy1l2sE64w=,tag:XMHRzagfX6cCZ2PlN4tXVA==,type:str] - SECRET_SONARR_API_KEY: ENC[AES256_GCM,data:0mdfD4rVN0wxVL4+txN3QomQjo+nXMDi+2j6JHD2vWI=,iv:30k02poZUPjb8fS6hZT7XbVaAiljRV3+Cy6xl0BOop4=,tag:ltMzWaTh5jm5YorrUm/Ddw==,type:str] - SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:piI9+upBIus5r4EbJic=,iv:6a3zzz9himWbd/MwYY8R0YwJ7Ta2C2dkWE78qWPAXME=,tag:m2zuqFGMVaVMZHFX4f4jcw==,type:str] - SECRET_SHARRY_JDBC_URL: ENC[AES256_GCM,data:Nbas/agL7znOjIczTaQnk/iZ9zkXqN0NldFUEDdDHVGet6JcBFDVPrPD7OAazYSgfjgkdx3RyJQmFfmDRynDMlKxjzF1,iv:CfmSIYlNogZKeL6LVLEfUR31uX/aMqt9aTqgDpN57aI=,tag:4nTDugV7ziHPsYr9hRvxAA==,type:str] 
- SECRET_SEARX_MORTY_KEY: ENC[AES256_GCM,data:DIP8iXJ9gDnNnVCyx2GdA4zuU7JG5LU8LIwPAIQvAH9n1f0NDpsSDTuA4Bw=,iv:BYwDABwS22yUTBMDejISZJTmX9wb7X+FkPIE9raBNeU=,tag:7E1cyZ1MNIRJEs8OtElpSw==,type:str] - SECRET_SMTP_USERNAME: ENC[AES256_GCM,data:flczPcQ8IEYosnbQe1wR/cm/7jDKssY=,iv:iD4muFyoffq7wzWpag6lGG4nlGOsJgXt+nyqoqVL4r4=,tag:sZWAGv9AQ/tc2c+DIlA1rQ==,type:str] - SECRET_TRAEFIK_PILOT_TOKEN: ENC[AES256_GCM,data:RuxCpr1dvGXU1sX+8Xor6EeUBS4BYrLh/AQAGZ3UIBqun6AO,iv:vRxUyDXh6yMGqSwAZfgw1vTLX8pRCXs3n+keQL6D8ao=,tag:opzWeDXhYPqXKQSc8/uLKQ==,type:str] - SECRET_QBITTORRENT_PASSWORD: ENC[AES256_GCM,data:dQ4QEfdKBRM+kclIJ+T1EtfZ+Uc=,iv:2D3sBtcTkpWKfqHLqr1cBKgtbE6PtYPD0W7B+Gs5CWw=,tag:GvF38MMJg62Yo+JwE+HUaw==,type:str] - SECRET_VAULTWARDEN_ADMIN_TOKEN: ENC[AES256_GCM,data:csXCShLIfaRowze0GtmnPK76SQqfT6t6QXOETnsgTLwVmDTPKGaFicBljJ5Obrp1c9dPuu2IN6hxTBLXqU4I7g==,iv:hVFb/lA2y8eumF47jiy8kcl7PP0UsTSiLl9gQSOLvSE=,tag:Jfqw/L5i2UsJdR5bL0H/og==,type:str] - SECRET_VAULTWARDEN_DB_URL: ENC[AES256_GCM,data:atRgQHllhb2wJ+bKCoFbOT2B5cnFGNiKSYIpbiHO1TRDky4NAC3h3rK58l6rCTZ3b1J6Xv8QrLiYTXAGoTexQ7ja/iYNC3a/KXyzQqbDvR0a8tHnBmO8pJ2pIOgkArgScoVT0Q==,iv:IJ/KwlAdPUx/bDN7bVO2VQFU2Yie6ckg58PxN8zDkVQ=,tag:vS66IlKeznrR4fgCB1lyRw==,type:str] - SECRET_VAULTWARDEN_SMTP_PASSWORD: ENC[AES256_GCM,data:4l8WhoZo9Zn1lnoWW2oALA==,iv:Io+sJA91w/PtWKHCisnXdNVEWXg5WkuoMNcp4WccZow=,tag:iev1fCJq/OL9HgWb8tCLAQ==,type:str] - SECRET_VIKUNJA_JWT_SECRET: ENC[AES256_GCM,data:XXtNqaCWjpuUfWiZFEIocbEEUwOCDNwWy7c1HLo5p04=,iv:hTFnC3uz00dladVmVwX8YqhKe8LUvQg7v9SwQOhmNgw=,tag:08PMO0Ejd/d7yu1sJp64Jg==,type:str] - SECRET_VIKUNJA_PASSWORD: ENC[AES256_GCM,data:7Bg5hWqK7W8XlyGqS+4g9w==,iv:RLeLoBBERSonWQSJ/MDV/58sdEXjtVRZaa29ourO7kI=,tag:1g+vOEWArjQ1coVlAPHR+w==,type:str] - SECRET_WALLABAG_DB_PASSWORD: ENC[AES256_GCM,data:Cwa+LyNjnP/yuuARAL4=,iv:WQdBlr7MA6KE10Dy78lnAt3NFcY3XlDP6b+0UiairUs=,tag:HQntjvMsSSq+b4WC06d0+g==,type:str] - SECRET_WIFI_SSID: 
ENC[AES256_GCM,data:9DPsutvd3YmEtg==,iv:nU7Of0dl3tjwBp8fC6sTGTk1KspO7y7Az/FcWavModE=,tag:BwmIhl6nAegkA8GBzB7HkQ==,type:str] - SECRET_WIFI_PASSWORD: ENC[AES256_GCM,data:XckytMALPIRMM5RgimceioS5bKRhWR70o8ibK5ZE,iv:Mna1uNac0uhg/kZRHEbi6ggVXMS3rnLfv1YrxENfHRU=,tag:K8AqFcEXsw0Q2l/4E6HZzQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2022-07-03T10:35:00Z" - mac: ENC[AES256_GCM,data:b5Redl4ueXs2NpwzrxTqUeftZ/pJ3cZnTOhTrYrGZ4VKZjeoqWbPIqdNqPs3V/daz/po1Pa2dim1C9Ql+//+hsMKka+aL0QFiDwVQHYgIKhG+JA6TcfKT4A0Pe/k1dKynQM7/621IaoMRnus3+eKPLnrUssSdG++8XHXGk2NPNU=,iv:yOJgveFs0UpmjPV5xT+wzPrs2H/iLhxVIOT9GkjqPLI=,tag:F0jb0S4HvleIw00whM76Pg==,type:str] - pgp: - - created_at: "2022-07-03T09:37:47Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAwAAAAAAAAAAAQ//QdCXBvyKQTSl31+zXmw+Aje45IRsAT1asq8NniQYJ8c1 - HvC7C+goELIXFjNXWLcANAXGTkdPGM2z3PeuS7R1pIF3tSii/wgLHq4qbPkfcMNp - lfzOquOVAlH2zFM+3U/4jdQMk49KoyUKByJlqieur7+bq13M7pV1Wxqgekve5AGq - rWqD/4g9AvOBLEG0H871gdlkfsPHBzozv+YqNQTJKJLg91DdM9/+j0cTfzccdt19 - kpK7MhjwbCstqEliH6UEg9uM3AHFpYcP9aRpfFdhvjfQHjgUVCLi6JktNkHhGeXP - y/ulHkouep8p4HpYzogVu4aprq01FZQtwrm8P47aJA3VtxFG9G9s23HsNaWip8pC - i6YScWN6EVGCo+RKvCeTZiXmShafzSVpTyY3HryCQrZe/ULWXzxkKQyRIy5lykuQ - iwrlei2myZshU+9U0jPKWJgClvUIlOvImHA5MJ58iwhYI6FnsW5QLhuG15S6JUAU - 5nXaAhbVPGaXeGiWvMm1/TqaRms1jnGTkodXwf72Y5Gbi42sUjhwBu1ityrsrhKU - N9Yom1Mq7kJowLYM+RgtSltW3VVJcigERSbdcaXo4aw9HiEnb2REuh7nBvcfnKSL - yQdVD49o0Un2vHG30mTEI5VNdzw5SgnqANN0rk4RuB+Vgp2TZmGlBUWSVzMksAbS - XgHUncJPJlAod9WIt8b2Aou0hes73ojKjCMHolNbeT9/D8GWftPsxlATjVitq0Z9 - lMfZnCZWd8xMNVihU/5M8dEAMaAsRob4CN9gSEgXkxnDHRnRJMean7CGUpFRXoU= - =ULhR - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2022-07-03T09:37:47Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAwAAAAAAAAAAARAAv5+IDdea1uxhMBRfqRWNNAvaqMWbuxvbzT7GjVDsi8Bx - 1Rjsu0c8N6BqotZcDxQokxX3hXlyidYCOACffvxSe1BGF/UGNdBJqizzKGFptuQB - 
K912KN79fUviybkhbGqPIzCeD1QJ3L5af9vJn64XmL9ei92uBk7tSAX4JpgvaqfS - Le6sIN0l0YAwIN6rCexrhD9xsmuqjQ/r2Wtbg67HJzoVM4Ab9n88uJt5F+QEdRQD - Q/giO8M0+G5LmYTf8j4llSD2+x0DfmTqVeHFtMgRihUVrbBVPb99LpSjcVZAMeDG - 1Y4AdMuD3zUXHlWNKTHU5TOcg2tW4FJyPuDK1YxWA0PmWD8XAxqul44IVItBEv0b - jg5ivJ13FrJHJMHDZraIhuFVSmem9Jvuwq5Jq4gw1tLHp/pm6PURWL9ulsyb/wnf - 2tfXmb4/yZrPSgNAheK3HDNzLanLvB8fJQESfWbniHURPcl0AWE08GIAen46Iu7f - vk+0iR6r1Fq+KKNlQwayOjRY4dHpBCXztNFvi5OMU0ZWsr1zIEKNOLzJmzpQitAk - aUELnnzdytG2Nx0rT3rJBggNZlSKMdtv1CUWypAyjr3eZkiuZG3g35wOwsentVDG - L5ulYe3kCZ+Iey/kHYj7yt0esaiC1qJZccKzrFRKAYhE+bSuiVykPwq1d1JRF7rS - XgESbxZvJOe0SpKX4etiFiamzJyDXzM5shKSyZvvCpjfy2vYjesbCbqj1imoo9M4 - ebKt+Mjts8sWEmJq1VxN36sONDqMACYMhKQyTuLWQtP7cXWQO44RzyUZ+t/4JcU= - =2OuL - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/cluster/configuration/secrets/drone-pipelines.yaml b/cluster/configuration/secrets/drone-pipelines.yaml deleted file mode 100644 index 256dcde4c..000000000 --- a/cluster/configuration/secrets/drone-pipelines.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: drone-pipelines - namespace: developement -stringData: - registry-username: ENC[AES256_GCM,data:0feiw+FkNQ==,iv:qlqyZnDaxDWSotJudzuVBnGRv4Nm5BkzcYvtzdXGG/c=,tag:6LpLEQWy9Bl6NrpgqslXVQ==,type:str] - registry-password: ENC[AES256_GCM,data:bXkbSETYKwDpoulIcEE=,iv:kbDngo9bEnY2wuyy42rXb+zUvgFLY3LEpHTmk2sXDog=,tag:Q2rIX1k5tNLLx7sTEOMPXQ==,type:str] - registry-repo-terraexporter: ENC[AES256_GCM,data:NOZomVH6cbNULBSqHaRbcEn1EGMM/IgSCOZGaRtm0qFRDQH/AdQeGfO9O1ea3DY=,iv:V/kcOuVrQdbMLUD4euZuu9ODAyP6lbLowgWE5ifH1jQ=,tag:aBU888W8rb62b0IITNcuRA==,type:str] - registry-repo-custom-error-pages: ENC[AES256_GCM,data:NEXyDQgNDOfi5kKNlHnHN4RRfGJQ8JGMN+cVHafXFjshu9w9qwKUZkCLD0z9iBjIQ6SR,iv:vKVAbx3jtitZaG0xBDxjBaXhdKPdVQ/xzs/w0QSVDcU=,tag:7HfeJL7nPeLzI8ja1WlkVw==,type:str] - registry-registry: ENC[AES256_GCM,data:vpwfYNgLHHsFWaVtiQZhc4wuG2oEOPR0,iv:lxHQDvx25zRrxe/vj+DYRQ4aowgi01nBYy6qTjthztk=,tag:zSIdHh36riRsqGzCTUZIPQ==,type:str] - deployment-rsa-priv-key: ENC[AES256_GCM,data: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,iv:qO5xapgBk35sH0LUG1ZYacnzCaBTA+5WqkspCF/RIR0=,tag:3YbgE7o58r7tKVAIZAH1IQ==,type:str] - minio-url: ENC[AES256_GCM,data:b0o1qKmEhN58Sh92Lu7m/5F7QZ6gs+bsIn4atTCl5v0=,iv:kA7tktyoDyRQX53+vugAzUrEbvXj13H7wtzMz3FVE94=,tag:LguimnEpBqk4IivECN3xzw==,type:str] - minio-access-key: ENC[AES256_GCM,data:JnrqUvo=,iv:iotVVHQp/oXmNEn3Svhr62knCq3Ucl4zBdC7GEH1upo=,tag:GuT3rx/Y6/UVShWqeFTbGw==,type:str] - minio-secret-key: ENC[AES256_GCM,data:ZKsLYIc/kmkw1tHAeq+dg8Q4mbk=,iv:cfstsQgDF9EGf6aMYp7WI4PTk9ZzMxqXex5+cxv4ujg=,tag:8AdbsMO8OAoNWQqORjmRMA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2022-07-03T10:16:07Z" - mac: 
ENC[AES256_GCM,data:r22xAu7fHYL2PZD/ejuMmjaMJA2l1pvzwu5FSYVpW+xU5qv1jHbe7NgsLychPFbseDgT4O3JFqpzYnLqVZPd1Q/DZEYvgNKJOtlhdwW/UX9MSMnU7NHjeunxGGQLNaYg60WHaZKVSB5Xmb542YA49cwi8IBSHc6igWTh2pRb3nw=,iv:cGtPq1igvXnpCxYOZ0E/5f+vN5f/nf98HZcvhyznuAw=,tag:G8Gzf5HTkvm6VJixXhySuQ==,type:str] - pgp: - - created_at: "2021-07-17T21:15:45Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA6nQR2zACjUjAQ//fQ863OpprkOuu7ZzjHoq9ereZ+wu7jYg/rQ/1VbI9QL2 - WzC8o/Csc2qrN1adnTx9s61HPGkAyqzsSJLmBrVufc+I1sGcJsCg8kzezO0HYau9 - xV30mazw2sPca80fjbqeUY6hcp4oPcDg8METk9/TZ955UILit2nUWdCTOX+C6yxw - R206DfKb/UvQ3zLKpbeSvarf8+pyp7TpEmPnPjC9jYMzftD+lhqwRmaFjeeGjWIJ - NyeybL50kFBFJYou7AHxhLT7Ona2IASJCYvUj8kjwMc/MedjjcHdh+CysYlRgt0D - Ces7cUI+PVRdvWY2hi/EO/VCaD60bDEfy6zB8KHPRE+E53A4GlMvnvYF7QI5z4qC - HdCsQ8v2IOpU0/e/32eiAKtJmMqy+v1hVFavh+5u4epc5iFuJzoTAEdDg45FfQap - Kq6tDFWXP30Y3HfOc+7BBz9lep49zJB5cK47WvNM8Tfazb3DpHFXDbFgLyAkWuaq - QvZIijHeH2P5advD2gONUY9gDlVV8/HxYHNQVgwWyaVdmXXvzFtgpZQtIvIHA+Di - EhNrw8L/qtOW6B/uM+FzvcuGVTF3nnU4g43Y0XkTOd7JxP/l7CC78pcjl4IdgGbK - nb+1+/ShzjRJA3n0fvlkrbiMdep9hMQUWJlzsG15rRlvtLTxTZjNHX0kacn/4yTS - XgGKX2C4ZX3Pxdq/Mkr7muGZbLZIOHXL0OPouDzs8E64UPR0u8ayDDlsX9SYZ8hq - kvAL3ktnKNf1R3shWGKMcra8skjIKIoSmzEXf7RgCoNnewjt8wAqBY3+RGiaBUA= - =jwm/ - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2021-07-17T21:15:45Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA98IrODHuiZ9ARAAk2hc8IbzfVSagc4qeymEpDBwME2MpzYv7a6RPK7vS/VR - 8PGYJT4DuJ0op4N/IiTKUeO1DVlqfZvzKBfAKDNdpojzaheNdy/L4nIKMN2klfx+ - 7BAXljRpqzyRjC2lyMFbDWgMMWcJG4PZIuCRQCm6ej0LOFwkoL4EitpfltdHj5tt - /qUWGICXSlgN882axw23Z9ZpfKmLLn2tKplFmgKErrPaXQxiqRHjPFzXh1JkGnaG - wtxBMdgX4eMDWGcSgiVqPFzMuecIA34u2bSnCrU4xmLGglHgm2oWpL9PZcdWBR1U - H9OzDrFNDD2X3Hey5jv5v3h64YwbFnZ89Y51lUbP8fbv65OrVGMQKE0ZQ7ueVwLk - H/IM9FnVDfkQ615ykPxUtr0AT47l9mffi6Iy1/XBmrqiCnaKhT5PEbSywmaKzOD9 - 9B7UG4l6kLh9F/bqNRsQWkarYlSmGf8BvAQNFH7ZtzyfRxTAP2wKxvaHA5/sqMO8 - 
em0WDxvdeVtHSVYx/Kbu50RW0eDJRDD21P5neb2Jj7rZTVYD+L5Dxne+JXpTbI+8 - jKesyEk3RYGzpthHHyWPZAo76cidqYVRvENfPFJljaRHpxcQLkYECTvyDmgyRNz0 - uMHnQ76ZqeyGQ9NrYflcqd3XakTOvAmrwKz0p1zhmTlSgrUmGCUaZT8VXwRjsnDS - XgF3B6c9YDZz8f7wmtJqj0DTgxdgWGoQBrJowkyHhTxQetj++7EYaH0hdzrI+5bt - ZTM5I8y6zRrCAfvLKzKlMeh0R4XRREmNCyVzRuAfwjnVzXRVtcxRN8IAJR2mCNQ= - =vETF - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/cluster/configuration/secrets/kustomization.yaml b/cluster/configuration/secrets/kustomization.yaml index 77a8e9a63..eebe86748 100644 --- a/cluster/configuration/secrets/kustomization.yaml +++ b/cluster/configuration/secrets/kustomization.yaml @@ -1,6 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - cluster-secrets.yaml - #-drone-pipelines.yaml - #- regcred.yaml + - cluster-secrets.sops.yaml diff --git a/cluster/configuration/secrets/regcred.yaml b/cluster/configuration/secrets/regcred.yaml deleted file mode 100644 index 3a151e400..000000000 --- a/cluster/configuration/secrets/regcred.yaml +++ /dev/null 
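Review bot: `cluster-secrets.sops.yaml`, now the only resource listed in this hunk, is still keyed to the two PGP fingerprints with `age: []` (its tail is visible just above), whereas the `secret.sops.yaml` files added later in this patch carry a single age recipient and `pgp: []`; the Flux decryption secret must therefore hold both a PGP private key and an age identity, or this file should be re-keyed with `sops updatekeys` so every cluster secret shares one recipient set. The removed `drone-pipelines.yaml` and `regcred.yaml` remain in git history and stay decryptable by whoever holds those PGP keys, so the registry password, MinIO secret key and `deployment-rsa-priv-key` they contained should be treated as exposed and rotated unless that has already happened — the patch does not say. Dropping the commented-out references is fine, but without a rotation note a later reader cannot tell whether those credentials are still live.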
@@ -1,59 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: regcred - namespace: networking -type: kubernetes.io/dockerconfigjson -stringData: - .dockerconfigjson: ENC[AES256_GCM,data:HfEH30Dis81WFXJ2bAbKPVUmHTkqcpPB7bLm1Zn1f0ELUJzD2Z8JGJ7xOBcfJR9CvzUma9gLYlrz1J8moy4B2n/hIGQFySN4zKR3iDjHNFLJo+HcRn2rONzfKX0lTFZ4YXWhw6Rlx3j0MZ7OFBnhI2I5kyfEyYcc1Xqq4c8++GosYCG4lwTrwFjmTeCo9BoTvOphgnkC5NuihDQ/UiHV9/po9zeQO/I=,iv:3XqfPFv3Rc7g8W7Bk1Q0n945mPvQTqkLX4yWh9CfLyc=,tag:l+LpDfWt1K5uRfBbM71DhQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-08-09T14:19:09Z" - mac: ENC[AES256_GCM,data:dDz9VfodCTZWDvMZGU40zRoxOhd2P/0AjRTs5p/wwFjRVw/QjVwSRQ5hcf/BhbKMIAG2xa1k4UWE3bkymf/g4avtwejAJVz69gUPe+RVqNVsEuG1YXJYVG7lPd+gzOPwH2wo0zr0+LX6+D9IaKPeQ2Sngyxl7ITRRoxVizbJzK0=,iv:CuFQyDTRH8CW0ysqsAWERPkGC3wk9Taclq7oG5XUyMo=,tag:e7f7IrLDMt7mCzXCfT/DwA==,type:str] - pgp: - - created_at: "2021-07-17T21:25:06Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA6nQR2zACjUjAQ/9G4rlzO+Mf9NXs5jwGf+yuj0VM3SWl9Rz7kEAFdnEhYNG - RWBu/lpg6ipIBAIramz1hV4NQPraoEEO/OwEwj0Bez88ydt3a7CxMFyu2q+pNjvi - QIrQuM+3J3dM8l5qVh3/5r81QvSb/g+USgYIGhbd9jABxBzglnb3GYA+KBgWncsp - PVaBG5t3+7jd2FbKd+6fzYkMiW1kZmK4/3P2etoDFR4bgoADck0Coy9Y155QAlnk - /AYVwS6IIZ8+BUwwT+gOk8V9QJRwcKFFo9TJ2gmnkNb5MbXgX7DEKwGPIegEUyKY - Ex9x+yEdfy5dlsJ7TE4C5olk4yOEnXfhxUeiMD6myEJjVM9SjP3A7DK+/f/E6+9Q - MAMFxxHaKGLu2wRmUPMWH78VhVLExgq7P9l8YGMEKch32wdwo4b4295mLe+AtXlw - z3vWLx1PYU+l0sJ8leVZtd//547NbLxtUGYhI+5ozzxaL8Hwps5fWbcmXLWaz8Dr - Lj1zwatetd1Loc0OZFR90giQVl9JREHK9QlARAFnIMnu7eKZlln/TnF7MjdgAuD4 - 2diAocyU+X7PZty+oWbi56LQE90Vr01MBO/wsvUUETZ+6sAEYB805EKpGj+r432H - /WPx2Yedn9HAE8ZPIRedYK5gXh8867mA3XCw6sd9ELI67BWiqdveR1jeKreFPJjS - XgHx9krMM0IcX2V0rT0nJea8m3M+b6ZpvdBicmfjTCBxrnAgMnbOGuzwoUGNePX2 - IZtgHNvqEaQfEONDtIJM6gtY6soJJxQ790w+FmTGs7av4o0IHgT4xqZRhDZSF/8= - =p08Q - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2021-07-17T21:25:06Z" - enc: | - 
-----BEGIN PGP MESSAGE----- - - hQIMA98IrODHuiZ9ARAArzhyppi7wq055mnLiBm3CG1JUIELebfLwyD4Xj46Rjq4 - cRZAeRKSM/MjUT0G8RuhssaJPoI2uNtZT9z3+qIZDUoCHLt8horo147oMzN7RqVW - VjEbO63Tiv253Jles3lax5eCmO0f88frzOqs4IqSluYWL1AlKkA6zGZuEhysasHk - RtZh2jWe7/ZBP8gICgTaPv/ptIWF4mJYcK2rD9mM3PeZ1oBVfwVhsxumGISo9hEm - oDtfFqTaX+nDRcjofIp/u85Jt3SrD+NCyCyBUzoprs5npPlLcy/cjrQ1HCxrOSxh - fzGo90CWg0TqSFx545CiTxT6wJzRVsLspP662/nV1wHXOu3fO1IqAjWsmDk66oBp - A4tgE8eDo7NA849VmsUkNfdgFOiFFBW8TolHZUJHbV4BomWK1KXJuRRAqIdg620Y - oDjHClWLpJTpkhlN+GhU0AojXWEYnpQhDApqrFnpQECEjOUuu643JSjDOj/kY/IJ - 0DeveaBy9clylq8G+SMXSKt/LivATquvuMzsDnLzy+SYjnOsjpIL/JNdFH5uWqm7 - 1erIyM9Ix7cIAzk4qm/5M3smy/7p+eOMlqFgRrN+fbt54uSbW+7BamjTCPsXnqk5 - 0zHMdf6BHC1QKgOH24jhPFUATiJeY4fJBPIJF+orbWlBTBrFFp3h6W12HdHUG83S - XgHN9EqRP9PC1n+F3Ni4VVVfx5kBr4g5tyrGhpSgYNJqSdIQCdaWySsTVLs2D4Xr - 69Bdc0tBQv5aCyU4g2PT2CDYjLrPFxImCcyr/JeZd2x44scuHUqjAl/plihSmes= - =cyE+ - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/core/cert-manager/kustomization.yaml b/cluster/core/cert-manager/kustomization.yaml index db9726b85..9cc781cd5 100644 --- a/cluster/core/cert-manager/kustomization.yaml +++ b/cluster/core/cert-manager/kustomization.yaml @@ -9,4 +9,4 @@ resources: - letsencrypt-production.yaml - letsencrypt-staging.yaml - prometheus-rule.yaml - - secret.enc.yaml + - secret.sops.yaml diff --git a/cluster/core/cert-manager/secret.enc.yaml b/cluster/core/cert-manager/secret.enc.yaml deleted file mode 100644 index e6edf8078..000000000 --- a/cluster/core/cert-manager/secret.enc.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: ovh-credentials - namespace: cert-manager -stringData: - applicationSecret: ENC[AES256_GCM,data:gIaQ5jBtPjTb769oVDRJeN9tXSueRf48yIY6PTctfL4=,iv:TNpG3eVZjjP2u9+kjtISSTRUWCtQQA8yetaUyoQWDsI=,tag:itDnKq/nfe0W3Tsqv48wGw==,type:str] -type: Opaque -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-07-29T23:41:19Z" - mac: ENC[AES256_GCM,data:12BdFA2cIjmAYJ7Po1s76q4pO68nJfMmlLKyfMet0JlgISvQSU4VKnt+51p4fzAMztHLE8C5FPysfNPvadsIMV9WS6OTtq3qjy/qhNqM/y6l6mkMEL38H/426MHXXdj/QHfSuyovMYHEFkGBNikcia48ooSSYnssmttj9D0aL1E=,iv:aWKefe2o5V1RP8u3rBZ2R6YWKoX4zoSHtH72BbpNalE=,tag:F1dYap/uvelyb+4sfCrRjA==,type:str] - pgp: - - created_at: "2021-07-17T21:25:22Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA6nQR2zACjUjAQ/9GG5pSYEjWoVimLQ95TgQskBhjgGkdFncWoJ1c69wMTW3 - C4nFAUgrxIYfOAmnsj38tOAHEIO4nbMsGKAsyJkH1H4RKtgl8FHVpkgbLs/k2I5x - ktsLt8X/CJEBd9iPatEdnGwq1+FADRsKjdioH87NCuONmBMRRSapyeTPYMR2/5RI - VdAnLqrVPXpHpU0HliyRXuy6RrysmCG96Xo4O/rjADJVxzVU3nBp0L0RyGRgdawD - OMLau2krM5WEx45utos+KvTmcHhe5rDkktpWblwTuj28HYqXG0FXp8NigasK2S/w - AdVEWBEdXNNYkiQJYvgJoCnQRC1KxDREAXRZLpfJ1lGgnzGO/q08EwGtFU4yyWMX - FAEBr47QUlWUACgHUVOm1jIcLMidgKHS4ORfNCQNA6pYLsNSgHaOjzTX8MgiLL1x - o5aj5AhAwkaj7XWvcDtHZW5o3knf+ntvfxIlYn379UfQjglp1filyJKtuVk2i8LR - RyK4j7TjOidSaM2XwKqZsVacSzNTvPuwl/atFXj+14UqRHzOgaYTzFzKHsO/kEl7 - myrdW+0Uk9VTVm86FpPkaFrWsGlYvTemeJK/02I90N+llP1X3t48pNLtkcFV0Vue - EyOOVRRmYemzIDou+ZgB8f94Hl4MMST4Vonezt647Yf8215HedA1fTBn0fDL3pPS - XgHF24UjrdRDCM9S39/d2RE06ACkl1XBzE5SywpoPAWNdu3qWLF+29Eig+6k7gqn - AyJQtra9SzoruriC3Pwhq26uAgzyhhAePb1nyMgIBgjzkDg4zGrqgq9qgz5P61I= - =G+xw - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2021-07-17T21:25:22Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA98IrODHuiZ9ARAAz+meIMba8DmMxU8sXGOO7aKWtIOQb7h/kP2X3aNAu4YT - rf1SxyqpYlpzejNMMfM3253HRlq053xCEKitQT3ixKacx/mmAsRuhuDVfXXTH17p - 
djiz4GtbgMoSn+iLv/UxMLgrxMAvkbrW/vEG2zcWnxyGd+KxqIJmxPAnShhb3QQT - y1i3q1aUFwen5xSgnQAVu9wpnpYaSqjeOnTD6ugnHG8Xo8WnKHcxBcBx/B2hN9QF - BgfvvxxqXLq31cga44FDT1Ox/IVUDcXGaxoDTKEkuWfKVB1Hb8vaNmRo+PDP1Zg8 - tpbthWA4j/ctTJ25760j/R7BC+mcTLTqY22PCVhj47UE9Kus0IqrVS9JjRAfJadi - BbyVuSaTRXRm6hakH1xoGRK4smZBeOCX4oWqBn1rcwawQHB70HkTsTbS1LEHWzR7 - nzmpHEzOnI1fWsYP6A6D8D9UpiuV9ByX8vUH1SCbKDB1ftPr3zEJEN4uog/HTgTh - GOLpzPqAO5gQFe9srK83CUgAVhoSlYSkgrFUYHNy8p0kDK+3lCC7lMGmrBQHWx7T - Df8aVwdrok1/cOztDfz2uuervWw54ZMgHjjrD6KBK20ZT7QN5fOZb/E80djWtlmY - NFD+lMBXBM+/hzHHiJx1SzOqjkpK2R9dGN++zi/pW/h9s5BZQr4/TZij4klyfuzS - XgFIhn0ph+1EapqOqRHnjeVxaDIx5m4K/Y+Vn2wZgCxn1GQ3gLBA3W93YMluAwY0 - wTci6t2GZMxG4Pd3mcZeQGoxcd8MYkWOMegQY66MFUPB/R2FNLifeJuOR3KCIbA= - =Vnjd - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/core/cert-manager/secret.sops.yaml b/cluster/core/cert-manager/secret.sops.yaml new file mode 100644 index 000000000..c33c77c99 --- /dev/null +++ b/cluster/core/cert-manager/secret.sops.yaml 
@@ -0,0 +1,28 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: ovh-credentials
+ namespace: cert-manager
+stringData:
+ applicationSecret: ENC[AES256_GCM,data:9vWD0QZ5mSIVhTOg5BinGUhEdJW0Tv6/CzoJor2FO5I=,iv:ymVqh3DKnvTzKi8nWW6ULDLyJLfXE/HDGLmTmLuo9WE=,tag:Aoy6ClqB1K4HVNn6d8H94w==,type:str]
+type: Opaque
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcGV1NGhhY3hOa0pjSThx
+ ZGt5Y2FPNVcrN0d1SCtCS2NjMHFjM2Y0QUJ3CncvUzB2QlpDL0xxZTQ4NVFyNm51
+ bFovMHhXRDVwSmpGaDR2YnBlTUQzTEkKLS0tIGx6bjRQNHQ4enJZN1UydEtiSkxP
+ d0Vid3lIQ0NPSmxicFlBN2NCRnE5ZFUKo1l3ST2oUmaWBgbjub/BWPpRzB588ZoJ
+ NvB6P1YivKsDZf/fsRT0gf1GPx9gZgql/w3g/9mggKANW4rFrMH1Mg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-07-03T14:42:43Z"
+ mac: ENC[AES256_GCM,data:shI/qzyWbCozb7CH4KgwZStp21+c/CsT5y+TtdzI+O5Xbbg4WHwUIw73DEqvOD8Rrj39Ym53L8f6G7apvAToU1nv23POs/e4ew2yMOhypfsw19hq93IDLmon6jmj7C2DCSwLWukzCX3/Ot+OELm8t8svZYDD+xE1wtYidmfiZdo=,iv:tURq+EP7UqMKaKHkWD4K3E4lLKFNqBLFut1Se8sC9No=,tag:RAbjiVPIEtkOoAFWE+/l7A==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/cluster/core/flux-system/notifications/discord/kustomization.yaml b/cluster/core/flux-system/notifications/discord/kustomization.yaml
index e72a2f6ac..ec2284f2b 100644
--- a/cluster/core/flux-system/notifications/discord/kustomization.yaml
+++ b/cluster/core/flux-system/notifications/discord/kustomization.yaml
@@ -3,4 +3,4 @@ kind: Kustomization
 resources:
 - alerts.yaml
 - provider.yaml
- - secret.enc.yaml
+ - secret.sops.yaml
diff --git a/cluster/core/flux-system/notifications/discord/secret.enc.yaml b/cluster/core/flux-system/notifications/discord/secret.enc.yaml
deleted file mode 100644
index e9085f22b..000000000
--- a/cluster/core/flux-system/notifications/discord/secret.enc.yaml
+++ /dev/null
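Review bot: The new `secret.sops.yaml` is encrypted to exactly one age recipient with `pgp: []`, so losing that single age identity leaves `ovh-credentials` neither editable nor recoverable from the repository; the same applies to the `discord-url` secret in the `discord/secret.sops.yaml` hunk below. Listing a second recipient (an operator key alongside the cluster's key) in `.sops.yaml` — which this patch changes but which is not shown here — and re-running `sops updatekeys` would remove that single point of failure. The `applicationSecret` ciphertext differs from the deleted `secret.enc.yaml`, but re-encryption yields a fresh IV anyway, so it is not visible whether the OVH application secret and the Discord webhook URL were rotated after the PGP-keyed copies were left in history; a sentence in the commit message stating that would settle it.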
@@ -1,59 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: discord-url - namespace: flux-system -stringData: - address: ENC[AES256_GCM,data:ZDBJgiVAgdAG3/fvq0jsOZYH0Tk2+mmqOrE/4Q4g60m8pt5IV5LWq8kDCW/9az5tQK4NZe0VFMl7bH5Ba4mLZPpnvM00gxkTMLtyNiEuddrUjJeBNfDwIXChHAZKVIeidK5qROYilW7TUqQOdxTNqPhrHFGKCeLG,iv:RNYVhzU3gHZgvH3uS+Ikw5pnoZ/GU0pBRJK73moB9tk=,tag:vOL2FU79AG2VTF9IBelaYA==,type:str] -type: Opaque -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-07-29T23:39:44Z" - mac: ENC[AES256_GCM,data:mKHRdQCdKVqYonpwP5z4FH97XKRyavvx3gl01OCxdrx5eCtHwSdLSWSQKRR3f+yaFPAilap5Adi1JGlAe0vPSvOSE2KBEEXpIWRhGRTaxtJC6CG/8aC6T1hgw5BGbWOj/MfMmTVxhJW0WudrwEThrAb8nPAbUAYYUrZNbjxCJKg=,iv:/Jq17BVf0bLMeFUlgOZRgSJ/W71hw3+EmPAWxqSj62A=,tag:UjS1AAlhNaHmmgJk9o8kgQ==,type:str] - pgp: - - created_at: "2021-07-17T21:25:31Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA6nQR2zACjUjARAA2eqapAEnadaPRy1NRe8496g9Tyz6VGsFgBzVgGxBND37 - CZoodfTj9GZUl/N9BfCORc/40+5mLWmT3gN77ghDfx+D7LBu8RD1uAI+AHkv+ifU - gGquVfItxLUkKIXE3v6rcPeuYejpJH5vupTs/ojT2loC27oFb4IIIx8qWZ6dj73A - Xv/cdLzv8G9DTnY1J8zbrVytuTj4FyKZ1uSHiLUQdwV+TnfQtGx1hKNsx5Q1p1i9 - Qjisym2NwbkFDPwDgb0rhMa7r79FVADv08I3+lvdo9Q7E3k5agTZk0UYvkaggokp - 6fhKE/m6c2eFF2PaOI1Vo9hdQNZlIdcrNAdCXYZJ2FehSzMX5jU7tJcHR81LrsAx - OckHlnJNVot1bV1VuxVBPG03baqWKUSmw1lW9KuNdDhf5RmDdfIUIsMbkIw8tYlL - H77BD/E5J8Q+j8pArsYPR4HQMVj1j4000EwNV5B/NNF8EzT42wUA4LwKNw2+54l8 - uFW/utiIcn42s8wIHsEgLOmeK274inh2Zzuns7wadCbEKwPjRSLox+S+1Ctdbg3C - NV4xMWFL9yqXi6Tul5psYOdMxr5XEgYXUcDzOfy6sztdHFHwFzpYeN7m5/lhZM2r - NDOgFbxN5oNbAjX5Otyh/PQnod+RP1YYN3HJReUEUNwxw0wHgc6CYl2Bv4l82izS - XgFGYko6jrmXJ8FZTiSUDYM2RfNEK+VBPvpjnsz+bMI1pX2DEk+2/ntZG4pbbglT - aiEk2wmAsCKZn7IcN+OR71E6u9kBSiAdaJBRFkdjmQ2Kca2Mz5VvXhNbMyvTi/A= - =O8SN - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2021-07-17T21:25:31Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA98IrODHuiZ9AQ/+MsuVGjrTCSQsz9spesrhixPrabvN9Zvspq/Si7orXLOU - 
M/0D+RmElCkvGIXU3jcacp7SrK9hocEtPuTaBkfw17wziUaOs2X8YZJOrw004ULJ - 0UTTuW1pzNPkp9MFq4oQrs5Dx9LB1YgoWyrq+/x6xw5q13e0KP/giFSOmOLeUlmN - 6x7kWZD0Ie74+uKxanLdK+LhLa2y3MaCVKgfblTiw4R2ba/4Dq3vhh062lUrbOHv - k3/NgmcvESPDyuCnSvyq+BoBhqFRPNyGxOUK2A/RtF2sabvbgwJB1Zz2k8rujVOo - Z7suDbw4vQrpQUsvC20KKva3tP3xE1j/tJTlOsoq4iIXv4x2HI4FwdcfRR8bkdTG - gpfwh5vlIXbw27/CVXKjNlH9Qu65Xpr3UNO/4OCrLBHemW6ZL0lgjd78kSQTqe2a - dm3ama1/ETAfYvmaDbbksOimHaMiX8YFuK1QnBhykme9kErbCBHG4t4tdd7LreZ3 - qUazidnZgelkS84yWskqKLfYjdbOWS8EzrM9zwYJQG4HgvHoIO2MQ52wRLWU0zy/ - MffnucRCGrkrHxau75Nri7RGhRjwmQbslsS7TK3nxYuxImk0CR8ChiJCAA3fTTk6 - 9NpnCMlbsjqkyK+eHctADlkRwDZbQpDOGSxxnRt+zZwGH6eUHxK63W4kthhQj+jS - XgF1N9ibgz3MH8YGpCdANRI660/EAxlU86Dc7EXKa0NH47crqRUBmot/JDSdk3lr - 2HRhHuFGcQrTXRUL60H4fQ4wMcWBxPb59IeEslqYnA79FJB9uuVzjKlGNTbT0Zk= - =ru2F - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/core/flux-system/notifications/discord/secret.sops.yaml b/cluster/core/flux-system/notifications/discord/secret.sops.yaml new file mode 100644 index 000000000..af3ea8e51 --- /dev/null +++ b/cluster/core/flux-system/notifications/discord/secret.sops.yaml 
@@ -0,0 +1,28 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: discord-url
+ namespace: flux-system
+stringData:
+ address: ENC[AES256_GCM,data:KO84UDRtsZI/m6ajEpbvYmkUiUoUP9nf/+nCcXe1KPmr/3ixW92vtp9aPZXTlddJIvWYLWlWX8pix6+g2S03q2aOKyRDpiDwc3aZ9MMOCBQAoUd2YmHx/iWkB7L4Tw+Cu3KKGmE4jAvTw5RpPBmKoWtXECEOmRL8,iv:cL0WYV18HrxSXO3rYE/SvWpm82cDoJXmbDsy5irGqxw=,tag:UqoUALRGssUnDqQKr0rNSA==,type:str]
+type: Opaque
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpNzJiVUJ5QnEycnYvekda
+ aWQ3QmE3REQrWDZtUThQcTJ3NlhtdjNhNVFRCmppcUxkaFlyWkphK2tPSTNiUHR5
+ ckphZE9rVVRlOGFlNDFEQ3U5eTJJb2sKLS0tIG92akVUcGZTTWFtek0vVUtsSDBW
+ L2pQNDZQZjMxakttY05QRldMUHo0VGsKyCezuvurM5JPDPmVg+DiEM6zFfUoLFqU
+ W98m5UwdKVJSTvb8C2hV46spPMwEx8Q5iz7+2AMxcxe12OPZHnMzQg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-07-03T14:42:32Z"
+ mac: ENC[AES256_GCM,data:tSt5MEgmSTCjlva7J15Dw7C2+6jDlrBhj4H4B1/sFzZcGdA/M7wa+pL5yzfrKk1EG9gE7G3kFtpnGDI6vtQ0jsLhRQzF3Xw1n8Yloj7vrqp6vNkq3dCs6Z+ymUr52Sp7jUYDW0a3vcdcRzmB0SmsBiOsBPpCkMwZ3bdy9tEhP34=,iv:PEZFHW4pLeP5/GYvvhJNiDOMKnJeGfc7Mj5Uxc204oM=,tag:uh/Oel8L4RuErfx2xLFY3A==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/server/scripts/transcode_music/transcode.bash b/scripts/transcode_music/transcode.bash
similarity index 100%
rename from server/scripts/transcode_music/transcode.bash
rename to scripts/transcode_music/transcode.bash
diff --git a/server/scripts/transcode_music/transcode_exclude.cfg b/scripts/transcode_music/transcode_exclude.cfg
similarity index 100%
rename from server/scripts/transcode_music/transcode_exclude.cfg
rename to scripts/transcode_music/transcode_exclude.cfg
diff --git a/server/ansible/ansible.cfg b/server/ansible/ansible.cfg
deleted file mode 100644
index 10f8555ab..000000000
--- a/server/ansible/ansible.cfg
+++ /dev/null
@@ -1,53 +0,0 @@
-[defaults]
-
-#--- General settings
-nocows = True
-forks = 8
-module_name = command
-deprecation_warnings = True
-executable = /bin/bash
-
-#--- Files/Directory settings
-log_path = ~/ansible.log
-inventory = ./inventory
-library = /usr/share/my_modules
-remote_tmp = ~/.ansible/tmp
-local_tmp = ~/.ansible/tmp
-roles_path = ./roles
-retry_files_enabled = False
-
-#--- Fact Caching settings
-fact_caching = jsonfile
-fact_caching_connection = ~/.ansible/facts_cache
-fact_caching_timeout = 7200
-
-#--- SSH settings
-remote_port = 22
-timeout = 60
-host_key_checking = False
-ssh_executable = /usr/bin/ssh
-private_key_file = ~/.ssh/id_rsa
-
-force_valid_group_names = ignore
-
-#--- Speed
-callback_enabled = ansible.posix.profile_tasks
-internal_poll_interval = 0.001
-
-[inventory]
-unparsed_is_failed = true
-
-[privilege_escalation]
-become = True
-become_method = sudo
-become_user = root
-become_ask_pass = False
-
-[ssh_connection]
-scp_if_ssh = smart
-transfer_method = smart
-retries = 3
-timeout = 10
-ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o Compression=yes -o ServerAliveInterval=15s
-pipelining = True
-control_path = %(directory)s/%%h-%%r
diff --git a/server/ansible/inventory/group_vars/all/calico-settings.yml b/server/ansible/inventory/group_vars/all/calico-settings.yml
deleted file mode 100644
index a530c61f1..000000000
--- a/server/ansible/inventory/group_vars/all/calico-settings.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# Use Calico CNI driver
-calico:
- enabled: true
- operator_manifest: "https://docs.projectcalico.org/manifests/tigera-operator.yaml"
- # Enabling BGP requires your router set up to handle it
- bgp:
- enabled: true
- # peer is usually your router e.g. 192.168.1.1
- peer: 192.168.8.1
- as: 64512
- # externalIPs is the network you want services to consume
- # this network should not exist or be defined anywhere in your network
- # e.g. 192.168.169.0/24
- externalIPs: 192.168.169.0/24
diff --git a/server/ansible/inventory/group_vars/all/k3s-settings.yml b/server/ansible/inventory/group_vars/all/k3s-settings.yml
deleted file mode 100644
index 08026726c..000000000
--- a/server/ansible/inventory/group_vars/all/k3s-settings.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-#
-# Below vars are for the xanmanning.k3s role
-# ...see https://github.com/PyratLabs/ansible-role-k3s#globalcluster-variables
-#
-
-# Use a specific version of k3s
-# renovate: datasource=github-releases depName=k3s-io/k3s
-k3s_release_version: "v1.24.2+k3s1"
-
-# Install using hard links rather than symbolic links.
-# ...if you are using the system-upgrade-controller you will need to use hard links rather than symbolic links as the controller will not be able to follow symbolic links.
-k3s_install_hard_links: true
-
-# Escalate user privileges for all tasks.
-k3s_become_for_all: true
-
-# Use experimental features (spooky!)
-k3s_use_experimental: false
-
-# Enable debugging
-k3s_debug: false
-# # Enable embedded-etcd
-# k3s_etcd_datastore: true
diff --git a/server/ansible/inventory/group_vars/all/rsyslog-settings.yml b/server/ansible/inventory/group_vars/all/rsyslog-settings.yml
deleted file mode 100644
index 1768d8345..000000000
--- a/server/ansible/inventory/group_vars/all/rsyslog-settings.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# Enable rsyslog
-# ...requires a rsyslog server already set up
-rsyslog:
- enabled: false
- ip: 192.168.169.xxx
- port: 1514
diff --git a/server/ansible/inventory/group_vars/all/ubuntu-settings.yml b/server/ansible/inventory/group_vars/all/ubuntu-settings.yml
deleted file mode 100644
index f6e0335a7..000000000
--- a/server/ansible/inventory/group_vars/all/ubuntu-settings.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-dns_server: 192.168.8.1
-# Enable to skip apt upgrade
-skip_upgrade_packages: false
-# Enable to skip removing crufty packages
-skip_remove_packages: false
-
-# Timezone for the servers
-timezone: "${TIMEZONE}"
-
-# # Set custom ntp servers
-# ntp_servers:
-# primary:
-# - "time.cloudflare.com"
-# - "time.google.com"
-# fallback:
-# - "0.us.pool.ntp.org"
-# - "1.us.pool.ntp.org"
-# - "2.us.pool.ntp.org"
-# - "3.us.pool.ntp.org"
-
-# Additional ssh public keys to add to the nodes
-ssh_authorized_keys:
- - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+GMHgvbtf6f7xUMAQR+vZFfD/mIIfIDNX5iP8tDRXZ claude@claude-thinkpad-fedora"
diff --git a/server/ansible/inventory/group_vars/server-nodes/k3s-settings.yml b/server/ansible/inventory/group_vars/server-nodes/k3s-settings.yml
deleted file mode 100644
index ebc9555d0..000000000
--- a/server/ansible/inventory/group_vars/server-nodes/k3s-settings.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-# https://rancher.com/docs/k3s/latest/en/installation/install-options/server-config/
-# https://github.com/PyratLabs/ansible-role-k3s#server-control-plane-configuration
-
-# Define the host as control plane nodes
-k3s_control_node: true
-
-# k3s settings for all control-plane nodes
-k3s_server:
- node-ip: "{{ ansible_host }}"
- docker: false
- flannel-backend: "none" # This needs to be in quotes
- disable:
- - flannel
- - traefik
- - servicelb
- - metrics-server
- - local-storage
- node-taint:
- - "node-role.kubernetes.io/control-plane=true:NoSchedule"
- disable-network-policy: true
- disable-cloud-controller: true
- write-kubeconfig-mode: "644"
- # Network CIDR to use for pod IPs
- cluster-cidr: "10.69.0.0/16"
- # Network CIDR to use for service IPs
- service-cidr: "10.96.0.0/16"
diff --git a/server/ansible/inventory/host_vars/k3s-server.yml b/server/ansible/inventory/host_vars/k3s-server.yml
deleted file mode 100644
index cc0160f10..000000000
--- a/server/ansible/inventory/host_vars/k3s-server.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-# IP address of node
-ansible_host: "192.168.9.100"
-
-# Ansible user to ssh into servers with
-ansible_user: "ubuntu"
-# ansible_ssh_pass: "ubuntu"
-# ansible_ssh_common_args: "-o UserKnownHostsFile=/dev/null"
-# ansible_become_pass: "ubuntu"
diff --git a/server/ansible/inventory/host_vars/k3s-worker1.yml b/server/ansible/inventory/host_vars/k3s-worker1.yml
deleted file mode 100644
index 4bdc628cc..000000000
--- a/server/ansible/inventory/host_vars/k3s-worker1.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# IP address of node
-ansible_host: "192.168.9.105"
-
-# Ansible user to ssh into servers with
-ansible_user: "ubuntu"
-# ansible_ssh_pass: "ubuntu"
-# ansible_ssh_common_args: "-o UserKnownHostsFile=/dev/null"
-# ansible_become_pass: "ubuntu"
-
-# Set enabled to true to mark this host as running a distributed storage rook-ceph
-rook_ceph:
- enabled: true
- devices:
- - /dev/nvme0n1
diff --git a/server/ansible/inventory/host_vars/k3s-worker2.yml b/server/ansible/inventory/host_vars/k3s-worker2.yml
deleted file mode 100644
index 89968b0d4..000000000
--- a/server/ansible/inventory/host_vars/k3s-worker2.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# IP address of node
-ansible_host: "192.168.9.106"
-
-# Ansible user to ssh into servers with
-ansible_user: "ubuntu"
-# ansible_ssh_pass: "ubuntu"
-# ansible_ssh_common_args: "-o UserKnownHostsFile=/dev/null"
-# ansible_become_pass: "ubuntu"
-
-# Set enabled to true to mark this host as running a distributed storage rook-ceph
-rook_ceph:
- enabled: true
- devices:
- - /dev/nvme0n1
diff --git a/server/ansible/inventory/host_vars/k3s-worker3.yml b/server/ansible/inventory/host_vars/k3s-worker3.yml
deleted file mode 100644
index e344792fb..000000000
--- a/server/ansible/inventory/host_vars/k3s-worker3.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# IP address of node
-ansible_host: "192.168.9.107"
-
-# Ansible user to ssh into servers with
-ansible_user: "ubuntu"
-# ansible_ssh_pass: "ubuntu"
-# ansible_ssh_common_args: "-o UserKnownHostsFile=/dev/null"
-# ansible_become_pass: "ubuntu"
-
-# Set enabled to true to mark this host as running a distributed storage rook-ceph
-rook_ceph:
- enabled: true
- devices:
- - /dev/nvme0n1
diff --git a/server/ansible/inventory/hosts.yml b/server/ansible/inventory/hosts.yml
deleted file mode 100644
index dd17d799e..000000000
--- a/server/ansible/inventory/hosts.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-all:
- children:
- # Control Plane group, do not change the 'control-plane' name
- # hosts should match the filenames in 'host_vars'
- server-nodes:
- hosts:
- k3s-server:
- # Node group, do not change the 'node' name
- # hosts should match the filenames in 'host_vars'
- worker-nodes:
- hosts:
- k3s-worker1:
- k3s-worker2:
- k3s-worker3:
- # Storage group, these are my NAS devices
- # hosts should match the filenames in 'host_vars'
diff --git a/server/ansible/playbooks/k3s/install.yml b/server/ansible/playbooks/k3s/install.yml
deleted file mode 100644
index 0bbd295e5..000000000
--- a/server/ansible/playbooks/k3s/install.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- hosts:
- - server-nodes
- - worker-nodes
- become: true
- gather_facts: true
- any_errors_fatal: true
- pre_tasks:
- - name: Pausing for 5 seconds...
- pause:
- seconds: 5
- roles:
- - xanmanning.k3s
- - k3s
diff --git a/server/ansible/playbooks/k3s/nuke.yml b/server/ansible/playbooks/k3s/nuke.yml
deleted file mode 100644
index 77596ba0b..000000000
--- a/server/ansible/playbooks/k3s/nuke.yml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-- hosts:
- - server-nodes
- - worker-nodes
- become: true
- gather_facts: true
- any_errors_fatal: true
- pre_tasks:
- - name: Pausing for 5 seconds...
- pause:
- seconds: 5
- tasks:
- - name: kill k3s
- ansible.builtin.command: /usr/local/bin/k3s-killall.sh
- - name: uninstall k3s
- ansible.builtin.command:
- cmd: /usr/local/bin/k3s-uninstall.sh
- removes: /usr/local/bin/k3s-uninstall.sh
- - name: uninstall k3s agent
- ansible.builtin.command:
- cmd: /usr/local/bin/k3s-agent-uninstall.sh
- removes: /usr/local/bin/k3s-agent-uninstall.sh
- - name: gather list of CNI files to delete
- find:
- paths: /etc/cni/net.d
- patterns: "*"
- register: files_to_delete
- - name: delete CNI files
- ansible.builtin.file:
- path: "{{ item.path }}"
- state: absent
- loop: "{{ files_to_delete.files }}"
diff --git a/server/ansible/playbooks/k3s/prune.yml b/server/ansible/playbooks/k3s/prune.yml
deleted file mode 100644
index 146df21de..000000000
--- a/server/ansible/playbooks/k3s/prune.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-- hosts:
- - server-nodes
- - worker-nodes
- become: true
- gather_facts: true
- any_errors_fatal: true
- pre_tasks:
- - name: Pausing for 5 seconds...
- pause:
- seconds: 5
- tasks:
- - ansible.builtin.shell: k3s crictl rmi --prune
diff --git a/server/ansible/playbooks/k3s/upgrade.yml b/server/ansible/playbooks/k3s/upgrade.yml
deleted file mode 100644
index 25c64a566..000000000
--- a/server/ansible/playbooks/k3s/upgrade.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-- hosts:
- - server-nodes
- - worker-nodes
- become: true
- gather_facts: true
- any_errors_fatal: true
- pre_tasks:
- - name: Pausing for 5 seconds...
- pause:
- seconds: 5
- roles:
- - xanmanning.k3s
diff --git a/server/ansible/playbooks/power-outage/shutdown.yml b/server/ansible/playbooks/power-outage/shutdown.yml
deleted file mode 100644
index f598c5656..000000000
--- a/server/ansible/playbooks/power-outage/shutdown.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-- hosts:
- - server-nodes
- - worker-nodes
- become: true
- gather_facts: true
- tasks:
- #
- # Turn off control-nodes and generic-nodes devices in 2 minutes
- #
-
- - name: turn off control-nodes
- # ansible.builtin.command: /sbin/shutdown -h 2
- ansible.builtin.command: /sbin/shutdown --help
- when: "'control-nodes' in group_names"
-
- - name: turn off generic-nodes
- # ansible.builtin.command: /sbin/shutdown -h 2
- ansible.builtin.command: /sbin/shutdown --help
- when: "'generic-nodes' in group_names"
-
- #
- # Turn off NAS devices in 5 minutes
- #
-
- # Qnap devices do not have /sbin/shutdown and
- # instead use busybox /sbin/poweroff
- - name: turn off storage nodes
- # ansible.builtin.command: /sbin/poweroff -d 300
- ansible.builtin.command: /sbin/poweroff --help
- when: inventory_hostname == "nas-rocinante"
-
- - name: turn off storage nodes
- # ansible.builtin.command: /sbin/shutdown -h 5
- ansible.builtin.command: /sbin/shutdown --help
- when: inventory_hostname == "nas-serenity"
diff --git a/server/ansible/playbooks/rook-ceph/nuke.yaml b/server/ansible/playbooks/rook-ceph/nuke.yaml
deleted file mode 100644
index 40ac2dbc0..000000000
--- a/server/ansible/playbooks/rook-ceph/nuke.yaml
+++ /dev/null
@@ -1,48 +0,0 @@ ---- - -- hosts: - - worker-nodes - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - tasks: - - name: remove /var/lib/rook - become: true - ansible.builtin.file: - state: absent - path: "/var/lib/rook" - when: - - rook_ceph.enabled is defined - - rook_ceph.enabled - - name: zap the drives - become: true - ansible.builtin.shell: > - sgdisk --zap-all {{ item }} || true - loop: - - "{{ rook_ceph.devices }}" - when: - - rook_ceph.enabled is defined - - rook_ceph.enabled - - name: remove lvm partitions - become: true - ansible.builtin.shell: "{{ item }}" - loop: - - ls /dev/mapper/ceph--* | xargs -I% -- fuser --kill % - - ls /dev/mapper/ceph--* | xargs -I% -- dmsetup clear % - - ls /dev/mapper/ceph--* | xargs -I% -- dmsetup remove -f % - - ls /dev/mapper/ceph--* | xargs -I% -- rm -rf % - when: - - rook_ceph.enabled is defined - - rook_ceph.enabled - - name: wipe the block device - become: true - ansible.builtin.command: "wipefs -af {{ item }}" - with_items: - - "{{ rook_ceph.devices }}" - when: - - rook_ceph.enabled is defined - - rook_ceph.enabled \ No newline at end of file diff --git a/server/ansible/playbooks/ubuntu/upgrade.yml b/server/ansible/playbooks/ubuntu/upgrade.yml deleted file mode 100644 index 06de291a0..000000000 --- a/server/ansible/playbooks/ubuntu/upgrade.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- hosts: - - server-nodes - - worker-nodes - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - tasks: - - name: upgrade - ansible.builtin.apt: - upgrade: full - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_upgrade - retries: 5 - until: apt_upgrade is success diff --git a/server/ansible/requirements.txt b/server/ansible/requirements.txt deleted file mode 100644 index 9fe48850e..000000000 
--- a/server/ansible/requirements.txt +++ /dev/null @@ -1 +0,0 @@ -jmespath==1.0.1 diff --git a/server/ansible/requirements.yml b/server/ansible/requirements.yml deleted file mode 100644 index 5900fc0b5..000000000 --- a/server/ansible/requirements.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -roles: -- src: xanmanning.k3s - version: v3.2.0 diff --git a/server/ansible/roles/.gitignore b/server/ansible/roles/.gitignore deleted file mode 100644 index 192333de8..000000000 --- a/server/ansible/roles/.gitignore +++ /dev/null @@ -1 +0,0 @@ -xanmanning.k3s \ No newline at end of file diff --git a/server/ansible/roles/k3s/tasks/calico.yml b/server/ansible/roles/k3s/tasks/calico.yml deleted file mode 100644 index 072153507..000000000 --- a/server/ansible/roles/k3s/tasks/calico.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -- name: cluster | calico | deploy tigera operator to k3s manifest directory - become: true - # run_once: true - ansible.builtin.get_url: - url: "{{ calico.operator_manifest }}" - dest: "{{ k3s_server_manifests_dir }}/tigera-operator.yaml" - mode: 0644 - -- name: cluster | calico | deploy configuration to k3s manifest directory - become: true - # run_once: true - ansible.builtin.template: - src: "calico-installation.yaml.j2" - dest: "{{ k3s_server_manifests_dir }}/calico-installation.yaml" - mode: 0644 - -- name: cluster | calico | deploy BGP-peer to k3s manifest directory - become: true - # run_once: true - ansible.builtin.template: - src: "calico-bgppeer.yaml.j2" - dest: "{{ k3s_server_manifests_dir }}/calico-bgppeer.yaml" - mode: 0644 - when: - - calico.bgp.enabled is defined - - calico.bgp.enabled - -- name: cluster | calico | deploy BGP-configuration to k3s manifest directory - become: true - # run_once: true - ansible.builtin.template: - src: "calico-bgpconfiguration.yaml.j2" - dest: "{{ k3s_server_manifests_dir }}/calico-bgpconfiguration.yaml" - mode: 0644 - when: - - calico.bgp.enabled is defined - - calico.bgp.enabled 
diff --git a/server/ansible/roles/k3s/tasks/kubeconfig.yml b/server/ansible/roles/k3s/tasks/kubeconfig.yml deleted file mode 100644 index 64af64551..000000000 --- a/server/ansible/roles/k3s/tasks/kubeconfig.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: cluster | kubeconfig | copy config file to /tmp - become: true - run_once: true - ansible.builtin.fetch: - src: "/etc/rancher/k3s/k3s.yaml" - dest: "/tmp/kubeconfig" - flat: true - when: - - k3s_control_node is defined - - k3s_control_node - -- name: cluster | kubeconfig | update kubeconfig with the right IPv4 address - delegate_to: localhost - become: false - run_once: true - ansible.builtin.replace: - path: "/tmp/kubeconfig" - regexp: "https://127.0.0.1:6443" - replace: "https://{{ k3s_registration_address }}:6443" diff --git a/server/ansible/roles/k3s/tasks/main.yml b/server/ansible/roles/k3s/tasks/main.yml deleted file mode 100644 index b5d5eea9d..000000000 --- a/server/ansible/roles/k3s/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- include: kubeconfig.yml - tags: - - kubeconfig - -#- include: registry.yml -# when: mirror_registry is defined -# or (private_registries is defined -# and private_registries|length > 0) -# tags: -# - registry - -- include: calico.yml - when: - # - "'k8s-control-node-a' in inventory_hostname" - - k3s_control_node is defined - - k3s_control_node - - calico.enabled is defined - - calico.enabled - tags: - - calico diff --git a/server/ansible/roles/k3s/tasks/registry.yml b/server/ansible/roles/k3s/tasks/registry.yml deleted file mode 100644 index 1aaa726ef..000000000 --- a/server/ansible/roles/k3s/tasks/registry.yml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -- name: cluster-registry | create /etc/rancher/k3s - become: true - ansible.builtin.file: - path: "/etc/rancher/k3s" - state: directory - mode: 0644 - -- name: cluster-registry | configure mirrors and custom registries - become: true - ansible.builtin.template: - src: "registries.yaml.j2" - dest: "/etc/rancher/k3s/registries.yaml" - mode: 0644 - -- name: cluster-registry | restart k3s systemd service - ansible.builtin.systemd: - name: k3s.service - daemon_reload: true - enabled: true - state: restarted diff --git a/server/ansible/roles/k3s/templates/calico-installation.yaml.j2 b/server/ansible/roles/k3s/templates/calico-installation.yaml.j2 deleted file mode 100644 index 2f1cea903..000000000 --- a/server/ansible/roles/k3s/templates/calico-installation.yaml.j2 +++ /dev/null @@ -1,19 +0,0 @@ -#jinja2:lstrip_blocks: True ---- -apiVersion: operator.tigera.io/v1 -kind: Installation -metadata: - name: default -spec: - calicoNetwork: - # Note: The ipPools section cannot be modified post-install. - ipPools: - - blockSize: 26 - cidr: "{{ k3s_server["cluster-cidr"] }}" - {% if calico.bgp.enabled is defined and calico.bgp.enabled %} - encapsulation: None - {% else %} - encapsulation: VXLANCrossSubnet - {% endif %} - natOutgoing: Enabled - nodeSelector: all() diff --git a/server/ansible/roles/k3s/templates/registries.yaml.j2 b/server/ansible/roles/k3s/templates/registries.yaml.j2 deleted file mode 100644 index 10d0bf508..000000000 --- a/server/ansible/roles/k3s/templates/registries.yaml.j2 +++ /dev/null 
@@ -1,20 +0,0 @@ -#jinja2:lstrip_blocks: True ---- -{% if mirror_registry is defined %} -mirrors: - "docker.io": - endpoint: - - "{{ mirror_registry.address }}" - "*": - endpoint: - - "{{ mirror_registry.address }}" -{% endif %} -{% if private_registries is defined and private_registries|length > 0 %} -configs: - {% for private_registry in private_registries %} - "{{ private_registry.address }}": - auth: - username: "{{ private_registry.username }}" - password: "{{ private_registry.password }}" - {% endfor %} -{% endif %} diff --git a/server/ansible/roles/ubuntu/tasks/boot.yml b/server/ansible/roles/ubuntu/tasks/boot.yml deleted file mode 100644 index 3f071a9e3..000000000 --- a/server/ansible/roles/ubuntu/tasks/boot.yml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -- name: boot | grub | check for existence of grub - ansible.builtin.stat: - path: /etc/default/grub - register: grub_result - -- name: boot | grub | set apparmor=0 - ansible.builtin.replace: - path: /etc/default/grub - regexp: '^(GRUB_CMDLINE_LINUX_DEFAULT=(?:(?![" ]{{ option | regex_escape }}=).)*)(?:[" ]{{ option | regex_escape }}=\S+)?(.*")$' - replace: '\1"{{ option }}={{ value }}\2' - vars: - option: apparmor - value: "0" - when: - - grub_result.stat.exists - -- name: boot | grub | set mitigations=off - ansible.builtin.replace: - path: /etc/default/grub - regexp: '^(GRUB_CMDLINE_LINUX_DEFAULT=(?:(?![" ]{{ option | regex_escape }}=).)*)(?:[" ]{{ option | regex_escape }}=\S+)?(.*")$' - replace: '\1 {{ option }}={{ value }}\2' - vars: - option: mitigations - value: "off" - when: - - grub_result.stat.exists - -- name: boot | grub | set pti=off - ansible.builtin.replace: - path: /etc/default/grub - regexp: '^(GRUB_CMDLINE_LINUX_DEFAULT=(?:(?![" ]{{ option | regex_escape }}=).)*)(?:[" ]{{ option | regex_escape }}=\S+)?(.*")$' - replace: '\1 {{ option }}={{ value }}\2' - vars: - option: pti - value: "off" - when: - - grub_result.stat.exists - -- name: boot | grub | run grub-mkconfig - ansible.builtin.command: grub-mkconfig -o /boot/grub/grub.cfg - when: - - grub_result.stat.exists diff --git a/server/ansible/roles/ubuntu/tasks/disks.yml b/server/ansible/roles/ubuntu/tasks/disks.yml deleted file mode 100644 index ea579cde9..000000000 --- a/server/ansible/roles/ubuntu/tasks/disks.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: disks | create directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: "0644" - when: disks is defined - loop: - - /local-path/ \ No newline at end of file diff --git a/server/ansible/roles/ubuntu/tasks/filesystem.yml b/server/ansible/roles/ubuntu/tasks/filesystem.yml deleted file mode 100644 index adeab925e..000000000 --- a/server/ansible/roles/ubuntu/tasks/filesystem.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -- name: filesystem | sysctl | update max_user_instances - ansible.posix.sysctl: - name: fs.inotify.max_user_instances - value: "8192" - state: present - sysctl_file: /etc/sysctl.d/98-kubernetes-fs.conf - -- name: filesystem | sysctl | update max_user_watches - ansible.posix.sysctl: - name: fs.inotify.max_user_watches - value: "524288" - state: present - sysctl_file: /etc/sysctl.d/98-kubernetes-fs.conf - -- name: filesystem | swap | disable at runtime - ansible.builtin.command: swapoff -a - when: ansible_swaptotal_mb > 0 - -- name: filesystem | swap| disable on boot - ansible.posix.mount: - name: "{{ item }}" - fstype: swap - state: absent - loop: - - swap - - none diff --git a/server/ansible/roles/ubuntu/tasks/host.yml b/server/ansible/roles/ubuntu/tasks/host.yml deleted file mode 100644 index 3582ba57e..000000000 --- a/server/ansible/roles/ubuntu/tasks/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host | hostname | update inventory hostname - ansible.builtin.hostname: - name: "{{ inventory_hostname }}" - when: - - ansible_hostname != inventory_hostname diff --git a/server/ansible/roles/ubuntu/tasks/kernel.yml b/server/ansible/roles/ubuntu/tasks/kernel.yml deleted file mode 100644 index 99a68c113..000000000 --- a/server/ansible/roles/ubuntu/tasks/kernel.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -- name: kernel | modules | enable at runtime - community.general.modprobe: - name: "{{ item }}" - state: present - loop: - - br_netfilter - - nf_conntrack - - overlay - - rbd - - ip_vs - - iscsi_tcp - -- name: kernel | modules | enable on boot - ansible.builtin.copy: - mode: 0644 - content: "{{ item }}" - dest: "/etc/modules-load.d/{{ item }}.conf" - loop: - - br_netfilter - - nf_conntrack - - overlay - - rbd - - ip_vs - - iscsi_tcp diff --git a/server/ansible/roles/ubuntu/tasks/locale.yml b/server/ansible/roles/ubuntu/tasks/locale.yml deleted file mode 100644 index 7d1dcdff7..000000000 
--- a/server/ansible/roles/ubuntu/tasks/locale.yml +++ /dev/null @@ -1,44 +0,0 @@ ---- -- name: locale | set timezone - community.general.timezone: - name: "{{ timezone | default('${TIMEZONE}') }}" - -- name: locale | copy timesyncd config - ansible.builtin.copy: - mode: 0644 - content: | - [Time] - NTP={{ ntp_servers.primary | default("") | join(" ") }} - FallbackNTP={{ ntp_servers.fallback | join(" ") }} - dest: /etc/systemd/timesyncd.conf - when: - - ntp_servers.primary is defined - - ntp_servers.primary is iterable - - ntp_servers.primary | length > 0 - - ntp_servers.fallback is defined - - ntp_servers.fallback is iterable - - ntp_servers.fallback | length > 0 - -- name: locale | start systemd service - ansible.builtin.systemd: - name: systemd-timesyncd - enabled: true - state: started - -- name: locale | restart systemd service - ansible.builtin.systemd: - name: systemd-timesyncd - daemon_reload: true - enabled: true - state: restarted - -- name: locale | run timedatectl status - ansible.builtin.command: /usr/bin/timedatectl show - changed_when: false - check_mode: false - register: timedatectl_result - -- name: locale | enable ntp - ansible.builtin.command: /usr/bin/timedatectl set-ntp true - when: - - "'NTP=no' in timedatectl_result.stdout" diff --git a/server/ansible/roles/ubuntu/tasks/main.yml b/server/ansible/roles/ubuntu/tasks/main.yml deleted file mode 100644 index 21174212a..000000000 --- a/server/ansible/roles/ubuntu/tasks/main.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -- include: host.yml - tags: - - host - -- include: locale.yml - tags: - - locale - -- include: packages.yml - tags: - - packages - -#- include: power-button.yml -# tags: -# - power-button - -- include: kernel.yml - tags: - - kernel - -- include: boot.yml - tags: - - boot - -- include: network.yml - tags: - - network - -- include: filesystem.yml - tags: - - filesystem - -- include: unattended-upgrades.yml - tags: - - unattended-upgrades - -- include: user.yml - tags: - - user - -- include: rsyslog.yml - when: - - rsyslog.enabled is defined - - rsyslog.enabled - tags: - - rsyslog - -- include: disks.yml - tags: - - disks diff --git a/server/ansible/roles/ubuntu/tasks/network.yml b/server/ansible/roles/ubuntu/tasks/network.yml deleted file mode 100644 index 346603f05..000000000 --- a/server/ansible/roles/ubuntu/tasks/network.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -- name: network | check for bridge-nf-call-iptables - ansible.builtin.stat: - path: /proc/sys/net/bridge/bridge-nf-call-iptables - register: bridge_nf_call_iptables_result - -- name: network | sysctl | set config - ansible.builtin.blockinfile: - path: /etc/sysctl.d/99-kubernetes-cri.conf - mode: 0644 - create: true - block: | - net.ipv4.ip_forward = 1 - net.bridge.bridge-nf-call-iptables = 1 - when: - - bridge_nf_call_iptables_result.stat.exists - register: sysctl_network - -- name: network | sysctl | reload - ansible.builtin.shell: sysctl -p /etc/sysctl.d/99-kubernetes-cri.conf - when: - - sysctl_network.changed - - bridge_nf_call_iptables_result.stat.exists - -- name: network | systemd-resolved | disable - ansible.builtin.systemd: - name: systemd-resolved - state: stopped - enabled: no - -- name: network | resolv.conf | check symlink - ansible.builtin.stat: - path: "/etc/resolv.conf" - register: resolv - -- name: network | resolv.conf | remove symlink - ansible.builtin.file: - path: "/etc/resolv.conf" - state: absent - when: resolv.stat.islnk is defined and resolv.stat.islnk - -- name: network | resolv.conf | static files - ansible.builtin.template: - src: resolv.conf - dest: /etc/resolv.conf diff --git a/server/ansible/roles/ubuntu/tasks/packages.yml b/server/ansible/roles/ubuntu/tasks/packages.yml deleted file mode 100644 index af98dded4..000000000 --- a/server/ansible/roles/ubuntu/tasks/packages.yml +++ /dev/null 
@@ -1,94 +0,0 @@ ---- -- name: packages | disable recommends - ansible.builtin.blockinfile: - path: /etc/apt/apt.conf.d/02norecommends - mode: 0644 - create: true - block: | - APT::Install-Recommends "false"; - APT::Install-Suggests "false"; - APT::Get::Install-Recommends "false"; - APT::Get::Install-Suggests "false"; - -- name: packages | upgrade all packages - ansible.builtin.apt: - upgrade: full - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_upgrade - retries: 5 - until: apt_upgrade is success - when: - - (skip_upgrade_packages is not defined or (skip_upgrade_packages is defined and not skip_upgrade_packages)) - -- name: packages | install common - ansible.builtin.apt: - name: "{{ packages.apt_install }}" - install_recommends: false - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_install_common - retries: 5 - until: apt_install_common is success - when: - - packages.apt_install is defined - - packages.apt_install is iterable - - packages.apt_install | length > 0 - -- name: packages | remove crufty packages - block: - - name: packages | remove crufty packages | gather install packages - ansible.builtin.package_facts: - manager: auto - when: - - "'snapd' in packages.apt_remove" - - name: packages | remove crufty packages | check if snap is installed - ansible.builtin.debug: - msg: "snapd is installed" - register: snapd_check - when: - - "'snapd' in packages.apt_remove" - - "'snapd' in ansible_facts.packages" - - name: packages | remove crufty packages | remove snap packages - - ansible.builtin.command: snap remove {{ item }} - loop: - - lxd - - core18 - - snapd - when: - - "'snapd' in packages.apt_remove" - - "'snapd' in ansible_facts.packages" - - snapd_check.failed is defined - - name: packages | remove crufty packages | remove packages - - ansible.builtin.apt: - name: "{{ packages.apt_remove }}" - state: absent - autoremove: true - - name: packages | remove 
crufty packages | remove crufty files - - ansible.builtin.file: - state: absent - path: "{{ item }}" - loop: - - "/home/{{ ansible_user }}/.snap" - - "/snap" - - "/var/snap" - - "/var/lib/snapd" - - "/var/cache/snapd" - - "/usr/lib/snapd" - - "/etc/cloud" - - "/var/lib/cloud" - when: - - "'snapd' in packages.apt_remove" - - "'cloud-init' in packages.apt_remove" - when: - - packages.apt_remove is defined - - packages.apt_remove is iterable - - packages.apt_remove | length > 0 - - (skip_remove_packages is not defined or (skip_remove_packages is defined and not skip_remove_packages)) diff --git a/server/ansible/roles/ubuntu/tasks/power-button.yml b/server/ansible/roles/ubuntu/tasks/power-button.yml deleted file mode 100644 index 18d93524a..000000000 --- a/server/ansible/roles/ubuntu/tasks/power-button.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: power-button | disable single power button press shutdown - ansible.builtin.lineinfile: - path: /etc/systemd/logind.conf - regexp: "{{ item.setting }}" - line: "{{ item.setting }}={{ item.value }}" - loop: - - { setting: HandlePowerKey, value: ignore } - -- name: power-button | restart logind systemd service - ansible.builtin.systemd: - name: systemd-logind.service - daemon_reload: true - enabled: true - state: restarted diff --git a/server/ansible/roles/ubuntu/tasks/rsyslog.yml b/server/ansible/roles/ubuntu/tasks/rsyslog.yml deleted file mode 100644 index aa5ad4bbe..000000000 --- a/server/ansible/roles/ubuntu/tasks/rsyslog.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: rsyslog - block: - - name: rsyslog | copy promtail configuration - ansible.builtin.template: - src: "rsyslog-50-promtail.conf.j2" - dest: "/etc/rsyslog.d/50-promtail.conf" - mode: 0644 - - name: rsyslog | start systemd service - ansible.builtin.systemd: - name: rsyslog - enabled: true - state: started - - name: rsyslog | restart systemd service - ansible.builtin.systemd: - name: rsyslog.service - daemon_reload: true - enabled: true - state: restarted 
diff --git a/server/ansible/roles/ubuntu/tasks/unattended-upgrades.yml b/server/ansible/roles/ubuntu/tasks/unattended-upgrades.yml deleted file mode 100644 index 1f9ab677f..000000000 --- a/server/ansible/roles/ubuntu/tasks/unattended-upgrades.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -- name: unattended-upgrades | copy 20auto-upgrades config - ansible.builtin.blockinfile: - path: /etc/apt/apt.conf.d/20auto-upgrades - mode: 0644 - create: true - block: | - APT::Periodic::Update-Package-Lists "14"; - APT::Periodic::Download-Upgradeable-Packages "14"; - APT::Periodic::AutocleanInterval "7"; - APT::Periodic::Unattended-Upgrade "1"; - -- name: unattended-upgrades | copy 50unattended-upgrades config - ansible.builtin.blockinfile: - path: /etc/apt/apt.conf.d/50unattended-upgrades - mode: 0644 - create: true - block: | - Unattended-Upgrade::Automatic-Reboot "false"; - Unattended-Upgrade::Remove-Unused-Dependencies "true"; - Unattended-Upgrade::Allowed-Origins { - "${distro_id}:${distro_codename}"; - "${distro_id} ${distro_codename}-security"; - }; - -- name: unattended-upgrades | start systemd service - ansible.builtin.systemd: - name: unattended-upgrades - enabled: true - state: started - -- name: unattended-upgrades | restart systemd service - ansible.builtin.service: - name: unattended-upgrades.service - daemon_reload: true - enabled: true - state: restarted diff --git a/server/ansible/roles/ubuntu/tasks/user.yml b/server/ansible/roles/ubuntu/tasks/user.yml deleted file mode 100644 index 4fc3309fd..000000000 --- a/server/ansible/roles/ubuntu/tasks/user.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -- name: user | get home directory - ansible.builtin.shell: "echo $HOME" - changed_when: false - check_mode: no - register: user_home - -- name: user | add to sudoers - ansible.builtin.copy: - content: "{{ ansible_user }} ALL=(ALL:ALL) NOPASSWD:ALL" - dest: "/etc/sudoers.d/{{ ansible_user }}_nopasswd" - mode: "0440" - -- name: user | add additional SSH public keys - ansible.posix.authorized_key: - user: "{{ ansible_user }}" - key: "{{ item }}" - loop: "{{ ssh_authorized_keys }}" - when: - - ssh_authorized_keys is defined - - ssh_authorized_keys is iterable - - ssh_authorized_keys | length > 0 - -- name: user | check if hushlogin exists - ansible.builtin.stat: - path: "/{{ user_home.stdout }}/.hushlogin" - register: hushlogin_result - -- name: user | silence the login prompt - ansible.builtin.file: - dest: "/{{ user_home.stdout }}/.hushlogin" - state: touch - owner: "{{ ansible_user }}" - mode: "0775" - when: not hushlogin_result.stat.exists diff --git a/server/ansible/roles/ubuntu/templates/resolv.conf b/server/ansible/roles/ubuntu/templates/resolv.conf deleted file mode 100644 index d86cc0b96..000000000 --- a/server/ansible/roles/ubuntu/templates/resolv.conf +++ /dev/null @@ -1 +0,0 @@ -nameserver {{ dns_server }} diff --git a/server/ansible/roles/ubuntu/templates/rsyslog-50-promtail.conf.j2 b/server/ansible/roles/ubuntu/templates/rsyslog-50-promtail.conf.j2 deleted file mode 100644 index fa61c4e12..000000000 --- a/server/ansible/roles/ubuntu/templates/rsyslog-50-promtail.conf.j2 +++ /dev/null @@ -1,4 +0,0 @@ -module(load="omprog") -module(load="mmutf8fix") -action(type="mmutf8fix" replacementChar="?") -action(type="omfwd" protocol="tcp" target="{{ rsyslog.ip }}" port="{{ rsyslog.port }}" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted" KeepAlive="on") diff --git a/server/ansible/roles/ubuntu/vars/main.yml b/server/ansible/roles/ubuntu/vars/main.yml deleted file mode 100644 index 7426ec76d..000000000 
--- a/server/ansible/roles/ubuntu/vars/main.yml +++ /dev/null @@ -1,69 +0,0 @@ ---- -packages: - apt_install: - - apt-transport-https - - arptables - - ca-certificates - - curl - # - dnsutils - - ebtables - # - ethtool - # - git - # - gnupg-agent - # - gnupg2 - # - haveged - - hdparm - - htop - # - iperf3 - - iputils-ping - - ipvsadm - # - jq - - lvm2 - # - neofetch - - net-tools - # - netcat - - nfs-common - - nano - # - nmap - - ntpdate - - open-iscsi - # - pigz - - psmisc - # - python3 - # - python3-openssl - # - python3-pip - # - rclone - # - rsync - # - scsitools - - smartmontools - - socat - - software-properties-common - # - traceroute - # - tree - - unattended-upgrades - - unzip - # - vim - apt_remove: - - apparmor - - apport - - bcache-tools - - btrfs-progs - - byobu - - cloud-init - - cloud-guest-utils - - cloud-initramfs-copymods - - cloud-initramfs-dyn-netconf - - friendly-recovery - - fwupd - - landscape-common - - lxd-agent-loader - - ntfs-3g - - open-vm-tools - - plymouth - - plymouth-theme-ubuntu-text - - popularity-contest - - snapd - - sosreport - - tmux - - ubuntu-advantage-tools - - ufw