From 0b17a32da536d5cf03436ba7010f44e55cb26abf Mon Sep 17 00:00:00 2001 From: Petru Paler Date: Sun, 19 Oct 2025 20:15:56 +0100 Subject: [PATCH] Configs for sparky. --- .sops.yaml | 7 ++++ flake.nix | 10 +++++ hosts/sparky/default.nix | 19 +++++++++ hosts/sparky/hardware.nix | 21 ++++++++++ hosts/sparky/key.bin | Bin 0 -> 4096 bytes secrets/common.yaml | 79 +++++++++++++++++++++----------------- secrets/sparky.yaml | 30 +++++++++++++++ setup-host.txt | 1 + 8 files changed, 132 insertions(+), 35 deletions(-) create mode 100644 hosts/sparky/default.nix create mode 100644 hosts/sparky/hardware.nix create mode 100644 hosts/sparky/key.bin create mode 100644 secrets/sparky.yaml diff --git a/.sops.yaml b/.sops.yaml index 22d8580..865e61f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,7 @@ keys: - &admin_ppetru age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn - &server_zippy age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac - &server_chilly age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp + - &server_sparky age1zxf8263nk04zf4pu5x2czh6g4trv4e2xydypyjschyekr6udqcsqmrgv68 - &server_alo_cloud_1 age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z - &server_c1 age1wwufz86tm3auxn6pn27c47s8rvu7en58rk00nghtaxsdpw0gya6qj6qxdt - &server_c2 age1c2kc034n7tqztarcu7n5ldnjmy9sr3jgwrsaddsj0hwfus9mdp3sctts4m @@ -13,6 +14,7 @@ creation_rules: - *admin_ppetru - *server_zippy - *server_chilly + - *server_sparky - *server_alo_cloud_1 - *server_c1 - *server_c2 @@ -27,6 +29,11 @@ creation_rules: - age: - *admin_ppetru - *server_chilly + - path_regex: secrets/sparky\.yaml + key_groups: + - age: + - *admin_ppetru + - *server_sparky - path_regex: secrets/alo-cloud-1\.yaml key_groups: - age: diff --git a/flake.nix b/flake.nix index 40add00..1cc22fb 100644 --- a/flake.nix +++ b/flake.nix @@ -128,6 +128,7 @@ ./hosts/zippy ]; chilly = mkHMNixos "x86_64-linux" [ ./hosts/chilly ]; + sparky = mkHMNixos "x86_64-linux" [ ./hosts/sparky ]; }; deploy = { 
@@ -180,6 +181,15 @@ }; }; }; + sparky = { + hostname = "workshop"; + profiles = { + system = { + user = "root"; + path = (deployPkgsFor "x86_64-linux").deploy-rs.lib.activate.nixos self.nixosConfigurations.sparky; + }; + }; + }; }; }; diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix new file mode 100644 index 0000000..8be4f6a --- /dev/null +++ b/hosts/sparky/default.nix @@ -0,0 +1,19 @@ +{ pkgs, inputs, ... }: +{ + imports = [ + ../../common/encrypted-btrfs-layout.nix + ../../common/global + ../../common/base-node.nix + ../../common/dev-node.nix + ./hardware.nix + ]; + + diskLayout = { + mainDiskDevice = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_250GB_S4EUNF0MA33640P"; + #keyDiskDevice = "/dev/disk/by-id/usb-Intenso_Micro_Line_22080777660468-0:0"; + keyDiskDevice = "/dev/sdb"; + }; + + networking.hostName = "sparky"; + services.tailscaleAutoconnect.authkey = "tskey-auth-kFGr5T4rtT11CNTRL-Ls3wbQz5Nr2AUyzeLaC3s2eChNasyPdR"; +} diff --git a/hosts/sparky/hardware.nix b/hosts/sparky/hardware.nix new file mode 100644 index 0000000..ec8b136 --- /dev/null +++ b/hosts/sparky/hardware.nix @@ -0,0 +1,21 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ + "kvm-intel" + ]; + boot.extraModulePackages = [ ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = true; +} 
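Review bot: The new deploy node for sparky sets `hostname = "workshop"`, while hosts/sparky/default.nix in the same commit sets `networking.hostName = "sparky"`, so deploy-rs will connect to whatever "workshop" resolves to and activate the sparky system profile there as root. If that is the machine's current, pre-install name, say so in a comment such as `# still reachable as "workshop" until the new name resolves`; if it is a leftover, it should read `hostname = "sparky";`. The enclosing `deploy` node set starts outside the hunk, so how the other nodes are named cannot be checked from here.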
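Review bot: `services.tailscaleAutoconnect.authkey` in hosts/sparky/default.nix is assigned a literal `tskey-auth-…` string, so the Tailscale auth key is committed in cleartext and, being a plain Nix string, will presumably also land in the world-readable Nix store on the host. This commit already creates `secrets/sparky.yaml` with a sops recipient for this machine, so the key belongs there and the option should be fed from the decrypted secret instead of the literal; how to wire that depends on the tailscaleAutoconnect module, which is not visible in this diff. Because the value has now been published in the patch, it should be revoked in the Tailscale admin console and replaced, not just removed from the file. Separately, `keyDiskDevice = "/dev/sdb"` depends on kernel enumeration order; setup-host.txt explains why, but a comment here such as `# /dev/sdX on purpose: a failed key USB stick can be swapped without a config change` would stop a later reader from reverting it to the by-id path.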
diff --git a/hosts/sparky/key.bin b/hosts/sparky/key.bin new file mode 100644 index 0000000000000000000000000000000000000000..4c134fbc10b39d5e74a7b08becbaab8453d545be GIT binary patch literal 4096 zcmV+b5dZI$GFMfZZ&wzZp@mdzZtMzbD(Hjm@i`{dkCZ=4ScWOQF>i?5bmX^~|T&h_uN*>6(o(={^L zhWhoTB zt1wInC|QU?l0BGsS3~OSlFyNos=i;O>o5eQcN*)~*4YFVtEirqy_CagvP$6)ylP9jvWug+L9R+)fOAW zQyFR&RI!vefG_D;$oOl9jimF%$C*2JAg~=~$^!1Z>)o&_O!S%frxQqckQOQdng0Ja z2pkb}>#Ce%{kl+uQmKhXEevVHLdI}25z1ky-MX0y=gq!iGk#M9JLlc6g4GDRw^ep$iOz-s0@gS zA-N_c)Kl2>5ZXi2nE4prNYY#KFhW*r0wx84Nt9NN7#sug@^QOen9C=>N5>hhA~h>|#OsmnRu z@-rRX2-p+{VvfF6>1{ig`0l&fMT1Ltuo2>2cIU76 z|Ai7{&_%wy&#A4uPWKeCxeUe=HP)Q;0x*Lse~s}rj|+f-JQha|cnH{J#g|p1MSEZq zPDkwMI&#w*p();EE$WoJ%m8M4C%BAZ1y{}UC)y{KuYBhM4IX^w%VyfeRvqV+=l)95 z;{;v>FfLgS-2d+OOE5X4*Y~$u`U093eq$Wmx#S?$T9&<>V~4`hg~amvx&e<~F|%YK zlBuRpKY;1E%X1+-uPlT(tFFGigr@n+ZH(iLyc-nTBZ!^@NJ%GCUYHz5iErP>K4IU} z@s8L|a?{kI{=#T=WTsfBD1V;xrlF+dP>8)nv4D>tAR%V zmuyQsSj$?RQJOEMm-~)yH4-+Oea0~Iuy5`sDMf3@X|8>HF zp>s61feiaRPybKoW-|mfzwOM9bQ2m~^tE$+#WwHkK>b8@#nj#L!^|jXso}w->949j zJ?q_$=k13gIkhftKzrTIbw2V2HvGE+uy=ap79i1k(D>-Vzm=Ht8#FyXwQ5-xZDt3; z6n&!Nfy}#dLG1>>3+MclKm6bkmuR|3VWO0sG_Go@-gHc-777bU26?RYWZY}5`cR_8 zPuB&#%I*;}lG|jRq#sWzX~#JLMYJ*hI098dp-WN)-02R*`iUlT!`jvpQ;=UkJ}5$U z&rFTRF}(xDyi!q@UxM?wQ&x)egUtBZO|SoCxuRljeO+g~%1sn8U#MoiBDm+EY4tnc{~b%&UUvwQPesCEc)mjAx?4%J=KwZm?f$rOy zZCcx#k#w;%o%A-#=0?2={s3k*eGIPU;`Kj@X|?V@-Oqn`vlfYG5VM-4`grpLoh5OK z$$g0*ss(M7rAa|@Z2XoBN~qs*$U?pn6m#z+uqMPt_5eJ{@@=LklxVU`UfosSMvh>! 
ze`mtZck7A>Qj?)9VImJE{nD-`#y+@2!IG20faN2V!=r#feYT?@EzGLIxBZjJkpQYu zTg2gtoaha$0R2Afj)#P#)ZNiCIo_zAIHET|Gh>RSU3)m~e znt>$`)`w#f?zCPWEeqgd`%>6U@YLUge!ZnXqD!K7Xk~j!QazB9dYSVKYDKRU&Q+mr z>+ux4wL~k^v+*_mL)QIq_r2Xq>DwGvlf53LZ)NeQV_X)2gHif**O%L zY>bbTT$x1)|kVLCz<4ui=-sRFIi84I3M`nx~qNV3&x7u%Wr{3QV5k}rHN zwHHW{Y&it}(_9@~%?cDVQ5btYg*9Bfe#F0vybS07#J>Ny{vA z0@h)%A>$(#)4y*%+(`sN?mi0LyNvnXK|^%FLH)I+pKa9kppn z_8?t}O4sGUDhhKT-W%iM89*x&>=RnNLWO~UEo?Z^LKY_%xRZ?06itp0nz6*o@PXUE zZh01IHp{;*=53T<_)kB(%Or?TSfekHTaB|Ik&3q>BmTT+RW-*CY6T?ta??NM=hJoz zE`a5^qI&p?TEc{5_jLJ+u9U>2k<`?Jka%^WYsQ>y^bBJ;MFh@sOdu)IF#ZzIx7mbxgm4cm}a0otsZ9dD+j3 z+5r?<4@@E;Q1MJ0u4704+uEEZ)EZ9G$m{wt>zJWJ(1>FLXPAdrI_+&21)ljWuR55x zF6wG1)LA5|-x}NsUwTEW{Vo@`A6ZC=aX2%WE@N=TCeCq$(FIYHWzD$=MM;>`UeN6r25O3iS3mfTKUHazBFQQEM z_jjneYKf~&6?)I$KShQOxRzNV3@~djy0?n5iu=M+=n)sQ$>0c|v?IoRgjhBl9tiPD zWz_+`)b^*!e5b2}(_@TX-1Wk=2 zi_me_KhGpE+TqRBKGr`~YXN6*%&oRD_6O_#5f{&naKc@`E+0dpEDVTe=GF-%xtabk z#*3D>N*$*Xzq{7VoS^|OYYY|;EX}dnJ=nK5Rrce`ofWlXlc3}yo=foDwpYB^6r9hf{O}tVkG&k2Nt`4?Mf5ROE zpB&O8c|F{15$ajEaklYg;Poj=e2#0MbTHwNjmpsr_GLu2KmQG)MY@DS!&>f+r;gJ+nresuIneYZ+WLq|io!&Hyhp(r z5Pb3?rZfaq)p>3u{A`D44;Ql&acC_mA96LVgdf!YtR;)>2bL5w=*|=Em94Sftq=-= z=K+y}ZBM#LAtw7wbb&SxyK*h}O{keTs1N1>4;400Ul}3ZS5N2pzUIXsDSowP+r#L- zGsI14T~$wQTF4)liFQ*OFW1$cTq(P@ygQc)Y;ZMPtkx+Qn0ei$cyh(Bq*eIs&a8B-!(P-%tXf9= zO20L-y2TX}&$dqbR~8owioe$|9dsTuuDsS7o;fFh8n0^ajzvLAC7Yv{&Gx6Z8sR-; zcugg9e}k`7ii^nshPbH59mQNCeat#AFY3w#bT&p8?!x`GJjrn%l0lOZ6B}G|2URhv zdLDAhdj%D>9&QAL;>b!H@4ofkXB_w)XikklU^W7oCTXTtP6p#z)FYluZiUk7MD9l8e8b4ZY zrRU5tDiju8lJMQ+MZ{qtP1Qu{Q;s9m@_z-fumupy1L%n5D@$p(7Jpipe_u!J~8g8+>R!g#!oVc*QSUM&N!{ zWHX6x8lde5?(7^AV8@{{3O=#dlXj3BaYF=44+3Y1X=&j!?i`i}=B7uY(vt-rE3&wl zT6UGWB`v;f$K6ALzv|Y?v+5)mndz327!^!baN^lN(ytKZ=l$c8NM}y+p&$%WnHH{7 zdVb@>lNW9dfD*faA0W>oCqKmj$QiU8ezmHouRLImj>8X|g=Y^~0#&G~0ZlJ@b}my4 zmzw@p^jJlp)dy|+WE+)jK=SpZo?s=#HNnanFsl}VU$>VIb(oKIeCBa0)Oq_#xxeDA z$Svz^00iOEvv1}(zW;GGkv6Qun&WNCmS^5H>nswBAHYDdaTXXi*p=0MY>|0a#Z5xx 
zF2;9>5Ezz~vF-tb<7mp+n1xN2?6>EO`r9TEP-8vbT7NvcuVQc-?NI=7ma_8ZljE>h yVeVfukhn>O#7qs>rGz4L-{ymRI;FOW{=#-c;M~wM(ER#&VU}`VwvV|sp||<@Z|=AN literal 0 HcmV?d00001 diff --git a/secrets/common.yaml b/secrets/common.yaml index 8395cf7..90d9a66 100644 --- a/secrets/common.yaml +++ b/secrets/common.yaml 
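Review bot: hosts/sparky/key.bin is a 4096-byte binary blob committed unencrypted next to a host config that imports `encrypted-btrfs-layout.nix` and sets `keyDiskDevice`, which suggests it is the disk-unlock key material for sparky; that is an inference, since the layout module is not part of this diff. If it is, anyone who can read the repository or this patch can unlock the disk, which defeats the point of keeping the key on a separate USB device. The file should be left out of the commit, or stored sops-encrypted like `secrets/sparky.yaml`. Since it is now in history, the key on the volume should be replaced rather than only deleting the file.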
@@ -8,65 +8,74 @@ sops: - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOWdvMkRQQUV0emx3WDZt - aDEvRHhKZGQxTThjakc5VVpMRFlxQ3pwdEhrCjl1Y3hKM2FRVENRcEtCYlphVTR5 - ejFDZzhYUG5NTHgyUVp2emgwVWx1RVEKLS0tIDFWM1RublZVWjN3cXZKM1RsZHBt - ZFl4elUxbHdUZVQ4ajYvd2h3RHpMaVkKxviRk3TCTl9SdqAC7C+e+ugD3o/6/3sh - 6I7Z1f9K99ONAaP3VhVoW34+qDXyA/RmNk85TWDjE8U/Y4A7/+kYAQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeCtRemFxOUErVll5OGlx + Sk5UM3Z2SUdJeUVoYlBXZFdiMlc2NlFLNEhFCk94YUtDbGtzVm9wbkRWNkFNbjY1 + aUQxSVhmWVVLRThMRWRCR00xbFk5czgKLS0tIG5wMGlaNi8wT3FTdkhhMkhvV3Ft + WHg4Zis0K20vM1MwcFVDSDQ3Tmx5N3cK8QO9Uyc11TdIDTUiOvTgAvgehVnWclRI + UX7ISxlF+qBwfkoXeo3N6jl4buAOrKhY/ssrvjF8fXwl/dc4iVRbRw== -----END AGE ENCRYPTED FILE----- - recipient: age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBOVNYRTB1NVpMYzJlakpZ - cXd4amF2dUEyZXVubFZvUDVJZFVlSWh2TTBnCmhRMDhTdjFDQzg4eGNBYzhVTGNy - THJrbXZBeVVxMkJweXJESDVSR1U1S1kKLS0tIGpOcFZ1NnZyczZZT01BcUVLVGo5 - cmdiMTNKZ0pJVWpOTDNHSUt1UUJCM2cKsCOQM166AQjNqlBoB3r04HMGiUkgkFvA - /uxxVnapjzn0Fj9OgtTSsHT7TnRHsPLvFbIPNuvzk2T7j2sv8TEZnw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bm9uQVZ3YlFXaldDSGhC + d3lEbjFweGY3b1Eyd2RQcFRYQ1ZCNDU5U0ZBCjVBUHhmOEtieVp3M0UrbzE5U0Nn + cnJjR0g3MCt0SngreWJpMFlFM2RDekUKLS0tIGdmQWgzelpabFJ0VWRaQ1FiRjRZ + UW9GbmUybkpXUExtWnJldENMek5wV00K/3ZKwVjEc/gfkwPZ/baPPNrc1SN9Yudn + DtKZfbR9nsqflEtuP2y7vEkEzBj3u/nRD8t7gvj9bAnjJGB+9HCdyA== -----END AGE ENCRYPTED FILE----- - recipient: age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZnVQVzhYaGlzcUY2ckNW - RkxKVHZpa2RRZ3ZuWGFkaTNWVVNISnpaMEhRCmxjbnlGbEJPWGhOdGFnNzNoSkgx - ZTNvL0ZKZ2JyeFRlMFJHK2dRTzhoTVkKLS0tIHBoZ09TdHFpTUs4TE5BVUxKemRr - 
WCttVkpwNVVhRUhtaWlDcDBSMzA1eEEKG149AvnnLyGGYA7oXIhUz46rFzYDFcC+ - r1UrA6MrJXSDggNh2puQ1dDtntub9BHCO8qDGsxSOCpp/TqEtrv9eA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQk9lUWRWcEpzYlNnSStt + L2E3RUE0VG9SZ2pZcmYrbmZ3M3c2VkVWckFNClRHSnJhakcwNkZaSmg3aWVPSXZG + dUVQQWpqQjlwazQ4SitScllWMnhHRG8KLS0tIFZRWU1lbWhEdkZ5VFl2bWRJTkZM + Q1VaTjl6U2hzeWZUeDlab0RaNGlIa1EKaiEDRzdkn0dAoQdps1W1UHAYATDvP531 + 6V/KikZPwY8g6UBUsq53CKKx8tx4SvqixAuAYJT29WtPLIfn2wGnDA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zxf8263nk04zf4pu5x2czh6g4trv4e2xydypyjschyekr6udqcsqmrgv68 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVnZ0OERvMzRxSVE2MEFI + dmRCQUZ1a2YyN1JoMGcxdGhwT0cvcFhnSDNZCnYxa2R2T01aWmVpWUdrK0JTNGkv + empMTjFkRzZLZUFJVkpZU0tXUnRlcTgKLS0tIFU4QXk3NlR3b1o0UmVhNWt4NVR3 + anJ5R3Z0MVNFWEZVM0pnQVgzcjdaSVUKcKKDp0mu4yO6Sxu6CDweETwJ6b404+rT + YfznubwZw+bbTS/W1yXvmKE9cSZ1A6EUldaGjizS+wR1fKpCwEGoHQ== -----END AGE ENCRYPTED FILE----- - recipient: age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTTV0QkdnWDlVckJjaVF6 - bXhZUHFFNEVReE1qSURZdjlXVkN4ZE1VOVVrCjBsdTdOSXRISkpVMGVDY0RtMXIy - MGtHakFuV2VqNk4vcFJmV2FmQjhJQk0KLS0tIC9nRHJSVWVWY0tEaURValdOY1Vm - bTFWS25lajdzNDdXd0lJY3VCbm0xbW8KgW0kqgIoH2UWqMPhyI1lY3qJJhDankCr - wQ1s6Jyxi58hFpCChfSi0q3s0Nd1RWo/MMHZnw8IJ9YAp7MFRY/6lA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTm1XZTdDU2tCMlRUZlR3 + SURZbU5LOHl6MlVpb0J1QW5TbmZ1S3J5aERFCm5pTnJjUmg0Q1VWWUJ6TThTWGx0 + dmMwUGlVc3FqTHFvRWhiQnp0UWljSTgKLS0tIHVXWjlaNjBTaTM4ck1XVWRFcXNi + L2pWazRCVnZDUHd6bUpvbG1JWEgvNFEKKT3AWCrMFyGp2bnAUMi1RDxKvJSUm5We + qt5ZaZbV8VqAhrZhHXb3KpWZYcof5yxTRGOalfKMSaAGg9Mr0itN6w== -----END AGE ENCRYPTED FILE----- - recipient: age1wwufz86tm3auxn6pn27c47s8rvu7en58rk00nghtaxsdpw0gya6qj6qxdt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeTBZM2NnV3EvSFQveUFE - 
OWJoeC9sR1BVemczT01YbjJCUW45dCtOamh3CjJycHNBb2RRaUVrd1E4V2k5d0Jt - SUhuakRFWDRQbnJmNDl1b0g2ZGV1S1kKLS0tIHd2eW5sNFAwUjhCaVVibGowSVNS - VGRMUmUxcjVqekFXV0MzbnpVN2V6dUUKze9Ys+rYb46Oz1ZTCoUGCjWteuheoa4h - DnhKGEcHVYVsJ+lxRheLeEEilLUSluWK0ejAomPSR9oi9y0Z3rEUAw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQWhWcC95OGRpNStyY21U + K3UyaXR3dUJhelVVUXpvMDRpNzlYZHFUVFNvCitzaUM5akl2RGlsTDBsdHptaTRM + MUFsNmlrS1JYV0w4anZMc2QxNy9sbjAKLS0tIHFGY2cwekpoL3IyMHAwK1VBai9D + NlVPMFNySmhjNzhSR0k2Z3kyRnpKZEkKfTCC2nPXDFEx7w2U5Z2Kdp8FPHAFakL1 + xX4L4l878IfuRz7yMQGdS90tCexPocord/zWRks65JFdm31TLdkOVg== -----END AGE ENCRYPTED FILE----- - recipient: age1c2kc034n7tqztarcu7n5ldnjmy9sr3jgwrsaddsj0hwfus9mdp3sctts4m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5L3FmS3JFTHRqeUkxY1JS - TXFONTNFNnUyVE1CSWhnM05pT21aVStWVDN3ClE2WHhRTExsVmhaaWQyNCs4LzJo - ampVZHlycE9McEEzdCtFZzNoY1ROcmcKLS0tIGFhcFM3cVNEa0k2NS93amtEVHp4 - cE42N2Y5WGVMOUZ5a3VvQVlEcDNqZUEKUhfElhoxunhwhIEouSCzqbsqAHcBcuh6 - tuzDqSuc3z8NMfLKW3EwCwmGbk9YX57WHmGbd1EM54kAE7zflymOLQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXT2Q5Z3BoZzFPQ2FSbkY4 + dFYyRHc0dlpHdktUR2tKYUJ3Zjg3dWJpMWxJCkthenZ5TnkwL3B2bzFFQzN5WUJ0 + Uk5iRm5QOTk2Y1BDcXFmVElDTjAySDAKLS0tIElVUkpyeXYwQ2Z6N0QvdDZVdkVo + K1MySzNiNWhBV2VaTVdEQ2pzZjJmME0K+Fvb4fpLEc8fcAFyeCQmdrXERUogjIvR + hlkO/x5nFdipBqNPLzY5ytE3GpgRTuq/O3+uXpdOk65Eq1Uwlrcm7w== -----END AGE ENCRYPTED FILE----- - recipient: age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RS9maGVJeDNnRUl5Yk0r - N3pvbWxQL3h6aU01TGRFNysrZkd1TmRER1JBCmJjdnBiUUlMR1poZGpTeC8wSVQx - aGF0STE0TE1sa3YxakEwMUt3bURxUkkKLS0tIDVsdnpxcHpvQStjM09iSDRMdU1T - c09FQVJURG5PaW43cGhIWFRhQ1ppcEUK2iJ/M228wXCdIcs7LBbnntTrJqzmfdOi - btMKaOX0d3vecXooJF6smssVrdUIwRdoLe8qBeGiMqhjCqjwur0UzQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdkE0Uk5RNzI0MnRnc0Q5 + 
UFVxOVRyQjRrTUNla0lpblVBUDNCVGU3clVzCk1Pd0RzUmxuVVI5WHRhYVdVYUVQ + MGkyS0F2ZlhIT0d3WU5SQloyYWN0eXMKLS0tIGROZ3J5SUZBVGt5SkZRY3dpdzht + bkFsT1NyWXhXbGJ6dWJRcWZBbE1vZ1UK2q/dIfdaRn18XvPJJUC/ML/cHZN+/XhQ + BYxCkg+8z6F+tWzJ/7yuV522fKRW7Vw/8jPQ1obPTRTYGvWSgPVVBg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-04-04T09:34:06Z" mac: ENC[AES256_GCM,data:YIcRrsPparPfPaI2+MLlKsxu7M19H8nndOsrDLuh/5BXzIZNiuTIWyvxODyhI745rDwlibO+7Q0QctanhTl4+IzGaYtuY4i+rb+3dzBMpcdT2VAbtCHHxcltWeanRGFq2K3WM2tbnQCERst5kejfn0Razjq3UU5vNwfBsdJMwGc=,iv:izDxy0ufVnH8ImkZIngcYhGuj0PGpLqBD/ZDvQyE+5I=,tag:oYBUEQS52pr09h5OvOadNg==,type:str] diff --git a/secrets/sparky.yaml b/secrets/sparky.yaml new file mode 100644 index 0000000..cc1d673 --- /dev/null +++ b/secrets/sparky.yaml 
@@ -0,0 +1,30 @@ +kopia: ENC[AES256_GCM,data:AS5zTDpPPuPGEoT05uHyAfPTbls=,iv:YZK8O0/osP0/ay1tw2kkiCoxws+DlzquVqXNdVayE+k=,tag:tCNM8fzEEuRTPDJybq7fUA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOUY0MFRzNkV4WTlyVXhj + L2drMTlUZ2pzN09mVk4xYk90cmg0VXVvbXdFCjNrYjNCQ1RXaXo3Nm5ScTZIcHJy + eGdVRkhpV0J1bC9jenkwS3l0UXVSMXMKLS0tIDZXbythcWN3Y21zZVVvNkhiVmY5 + cnJZYWg3VVZsbGZhSHM5b2tXMTk2d1EKz1Dd5jhfVT+f+nRCYNFo1YuTDVzTUq91 + W1HDd/6SvBfky80+KXTEqZL/TL+gjgKEdyXQryrfH/rfvymqzDpGaA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zxf8263nk04zf4pu5x2czh6g4trv4e2xydypyjschyekr6udqcsqmrgv68 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcWZxaE9EbWlIM0R5Wkhj + MmFMdlhyR2Vma3RsbnM4ak9sKzdLWENaUTJFCkNXVDNmRUJTRWFPeEpXcWl0cE9Z + dm53UTJVSlZpNmdieFJEYmU5TVhhUkUKLS0tIHhwSWhuWUhUYmZrK1Ezelpud3J3 + Sit5S0hzcGZEL0oxRmNVbVNhYklaaTAKf0ts/HpTcrLH8svaB3gwFH4W4QIdrPPE + trGqXGj8YOkiA78J1maKijXuqjtPvKkBEPYekEY3c378gZhFdL+8lQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-19T17:33:13Z" + mac: ENC[AES256_GCM,data:IwEyBr/I7BJa0gWZ494dCT0ogyP2PbnUg5fLOn15vZAHIyYtTB3dI3gV5Lx7oPdqOPlI61MsShIYBnk0uBChpNu6O4oiGUfwvBfegzlDyHHERLx+S7nZpcwmf/3JoNXwq0f2OtOu8nA6Q1V4gVjFFNWUCAh5cq106vG1awsQkn0=,iv:j+JcVtKz2RfyWu55dUeJJTRK6prB9DGLvcjiAAdVySM=,tag:Pg5sKiLzYUFoN9Duu+nF0w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/setup-host.txt b/setup-host.txt index c612edc..84db3dd 100644 --- a/setup-host.txt +++ b/setup-host.txt 
@@ -10,3 +10,4 @@
 * on base host: nix run github:nix-community/nixos-anywhere -- --flake '.#' nixos@
 * after confirmed working, update hosts//default.nix to set keyFile to /dev/sdX (otherwise when the USB drive fails it's harder to replace)
 * if replacing failed host in place, update key in .sops.yaml with the output from "ssh-keyscan | ssh-to-age" then "sops updatekeys secrets/*.yaml"
+** if installing new host, do the same for install then again after the first reboot (the installer key is not persisted)