diff --git a/.sops.yaml b/.sops.yaml
index 32d4baf..f7514fa 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,7 +2,7 @@ keys:
   - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
   - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
   - &marid age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67
-  - &ophanim age19j87dhkpgrjc5hghwh0njkt6fdgr6tg90hvxrhlrfqa063cwxepq32a23m
+  - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
 creation_rules:
   - path_regex: machines/Lilim/[^/]+.yaml$
     key_groups:
diff --git a/machines/Ophanim/hardware-configuration.nix b/machines/Ophanim/hardware-configuration.nix
index 83329fb..ceb6e68 100644
--- a/machines/Ophanim/hardware-configuration.nix
+++ b/machines/Ophanim/hardware-configuration.nix
@@ -1,8 +1,8 @@
-{ pkgs, ... }:
+{ nixpkgs, pkgs, ... }:
 
 {
   imports =
-    [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+    [ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
     ];
 
   boot = {
@@ -12,7 +12,6 @@
     extraModulePackages = [ ];
     loader.grub = {
       enable = true;
-      version = 2;
       device = "/dev/sda"; # or "nodev" for efi only
     };
   };
diff --git a/machines/Ophanim/options.nix b/machines/Ophanim/options.nix
index 882d958..25fa46e 100644
--- a/machines/Ophanim/options.nix
+++ b/machines/Ophanim/options.nix
@@ -21,7 +21,7 @@ in {
       "server"
     ];
     services = [
-      "fail2ban"
+      "acme"
       "gitea"
 #      "hydra"
       "mailserver"
@@ -41,8 +41,8 @@ in {
     firewall = {
       enable = true;
       allowPing = false;
-      allowedUDPPorts = [ 22 80 443 ];
-      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPorts = [ 22 80 443 7776 ];
+      allowedTCPPorts = [ 80 443 7776 ];
     };
   };
 }
diff --git a/machines/Ophanim/secrets.yaml b/machines/Ophanim/secrets.yaml
new file mode 100644
index 0000000..38ab453
--- /dev/null
+++ b/machines/Ophanim/secrets.yaml
@@ -0,0 +1,44 @@
+users:
+    derped:
+        password: ENC[AES256_GCM,data:XpUNgLLdbzS31XaZm0PbZ6Q/6sDP66YP97VIOV7/ixExFSpJW0gfwIiHuj7ROCeAi8lqcKAnAcTuflUx378HUFtaZ9lSE9GQ26sWcrx9/PYOX0bYnn8nE7S7gVQgf83fIlrK,iv:duZ+xAg/6KgCjEYQbxV4Uhi6RbRhsWW/bHMnlDHzc0M=,tag:iN8uDzDmh7QAMO3ZYiYFLA==,type:str]
+        mail: ENC[AES256_GCM,data:hEQBzZ4IN9BmwA4s/wDUTFiKyuHl/iVep/xJT5fyOfTaQUPuBMWspDsdEG5g/h1dFf5ujHts2+rcWZiZTjiZbrqCj2/Ivsbqy5xG28VztGPh7M7439TMIq6LrgVUaNVmKxU7,iv:KosKUgGPYicjFSR9njgI/NGSQwBkZR46c6DKyiJITp4=,tag:XIC70j6adWTvvKJJojifPg==,type:str]
+services:
+    gitea:
+        dbPass: ENC[AES256_GCM,data:Td8oYUkIPi0xDgepRW4LNTLpWRbGYin4VT8gxGP6fAIADaX2F3pf5g==,iv:pTUvtCkpSZXQLheHfOEKLivervrsCc/lHqXbZ1ennGY=,tag:LcEGyoZNigEYXEHp2lCgDQ==,type:str]
+    hydra:
+        secretKey: ENC[AES256_GCM,data:TkAFImyj7ESA72aPjUTvUwTVzZ3KpXNdw41Bk2yGOJrNRiP3aA/+iK45BzJdeAssc5evZyvhFE+JE4ovOSuaWUz4YFH/TH41N5dkhSmPTND+hU6u24rv/gTcCH9BH/8uvFOnWCBmkKmFopE=,iv:NSCINUwyNCRMsGNjwfO/P1nMpYDQLxt448W2AfCBmLI=,tag:pfMpTExIabCmsHOiOIf6Qg==,type:str]
+    nextcloud:
+        adminPass: ENC[AES256_GCM,data:OEqdKKwpDdnlFA5mTOTaow==,iv:DFHIYqqNNBzmtE+ZbXy1ga2UQyQ9YXE+jYprdEJwYjI=,tag:Rc1viogmOxaK9d60lmGlgg==,type:str]
+        dbPass: ENC[AES256_GCM,data:6x6efRMiBvIt44SrZANwEGe3iZn3U+ZvY6bdOS/q3Olymm+kEwY+cQ==,iv:aJEADtgIbUu1ewV4MjDvepzoJ6nlFG3J4JgVonPNWfM=,tag:2Sgj1dmr8WcahKnpo3nTSg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MnhBVzREYkdEMXYrbG5F
+            Tkh5dUk1Z3pvbFU2b29ScHRreUg4Y0poTFdjClFOQzg2aGF5dUtLdFV1Rm5Rb0ZX
+            cGZDYW9YQWFOa0l6cGFKaFZxVk9PaWcKLS0tIHN2M3puV2V1YzBWd2YvdEdMYTJl
+            Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD
+            0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-09-10T12:32:05Z"
+    mac: ENC[AES256_GCM,data:uJ5Wi9vYGLB/Z3QHHS5nxFkn1CtxR/wkk/wwYZiL1LWa3w/ZeeBy7L3Kq1i8FIYET3i2cHeeimDYLWtl3xQIEH9FF1fXeTKFMMOh2NTWZC6ZdtRnVtPJapHYaCieBd8R0dga+KE2WzFBjwKiYu6OW+nD8W7tBqbSy0lXAY1WyFU=,iv:QdXhTubQAmuR4bLSPwZcECIuNTPYLoKzVfpfx7e3VJY=,tag:G78fxo87AdRUcNG48RLAPg==,type:str]
+    pgp:
+        - created_at: "2023-09-10T17:32:58Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DVbZwA9DOvl8SAQdAJ4Qrf8O6xL6S/cFQVN03zFsAimcaj0i4k1XQt1Nu/Q8w
+            08L6kBtYMw6PdEMJ0Tm+wqS/cB+kL5xQRGH6a05hbYoSDJdApO7Ur7r4RWS1r4cL
+            1GgBCQIQT7t2XPbZ7g8EzhIDDffm4JXi0D7oIoeAnpbnad3ao2YUA2hTFTX025FY
+            dK1kIPCqA4cET+vqM9W3qq1DSKr+YoMrycWyUntwk9TSpy6pmMw4OII8yKnccoNR
+            LkjqppMzPP/4OQ==
+            =+ryG
+            -----END PGP MESSAGE-----
+          fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/machines/Ophanim/sops.nix b/machines/Ophanim/sops.nix
new file mode 100644
index 0000000..85c8b25
--- /dev/null
+++ b/machines/Ophanim/sops.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age = {
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+  };
+}