diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..c50cb04
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,54 @@
+keys:
+  - &chunk age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+  - &yt age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+creation_rules:
+  - path_regex: secrets/de3911/yt.yaml
+    key_groups:
+      - age:
+        - *yt
+  - path_regex: secrets/de3911/chunk.yaml
+    key_groups:
+      - age:
+        - *chunk
+  - path_regex: secrets/services/ntfy.yaml
+    key_groups:
+      - age:
+        - *chunk
+        - *yt
+  - path_regex: secrets/restic/*.yaml
+    key_groups:
+      - age:
+        # only yt uses restic
+        - *yt
+  - path_regex: secrets/borg/yt-rsyncnet.yaml
+    key_groups:
+      - age:
+        - *yt
+  - path_regex: secrets/borg/crash-rsyncnet.yaml
+    key_groups:
+      - age:
+        - *chunk
+  - path_regex: secrets/wireguard/yt.yaml
+    key_groups:
+      - age:
+        - *yt
+  - path_regex: secrets/wireguard/chunk.yaml
+    key_groups:
+      - age:
+        - *chunk
+  - path_regex: secrets/services/caddy.yaml
+    key_groups:
+      - age:
+        - *chunk
+  - path_regex: secrets/services/hedgedoc.yaml
+    key_groups:
+      - age:
+        - *chunk
+  - path_regex: secrets/services/miniflux.yaml
+    key_groups:
+      - age:
+        - *chunk
+  - path_regex: secrets/services/gitlab.yaml
+    key_groups:
+      - age:
+        - *chunk
diff --git a/secrets/de3911/chunk.yaml b/secrets/de3911/chunk.yaml
new file mode 100644
index 0000000..f357b81
--- /dev/null
+++ b/secrets/de3911/chunk.yaml
@@ -0,0 +1,21 @@
+id_ed25519: ENC[AES256_GCM,data:4KDp3uxoV+uAF2drnCYzhtjHE4rb05Cb7gGH/z+PkqYIJ4UoOHCDyCXGX9ghB9VejCTLbSD/jfPzhPlE6v5a4nKqjFOzbVqz/58MnOdLT49ml6fu8dvUZ4hgTGURdrkRTUtss8OAwqxUV0/S0w0lF+LA+nxEntZEdgx/wyPcykAkMaWTXLjpWQ/KeJoOvtZlG8YQTSebh2Z+sJrEDV4N86R43xCJlZt342lA1r+EmMS5tmrUydREX67WY4TulzLMt7AeedCDtzQ1vLMjkSA+zmh5IyjitgBv8PsQNbg66S7PcmegNucIq1RorXiOi3sTs8YFi2vF8VgZEqPJxfmviXtwHZHwknLmhyzjUFtEtQ8+ZhykNyGAcxhpooWJ2vJCozTLBEATNQ90w2GMCIfTbp4pzz15VnF8y++eyRLlA9uAIMBkzp19mpGRb/065mwiHTe0ZgtFZxtXOEx8Efuf7szQLxymUL6DmfkZiUjbqASdgTr+58EOaW+tA2piY2Nr38fC/oz7HfFzUVIetN4f,iv:7xOY4UXr8RV/MXjGEDAdYsi5XDpOdRLdOYH1EencRUc=,tag:WdRNHTiCK3goJFHTXx5jDA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWFFJaWVYZXRPa05pcVNl
+            VnB3K3YrbnFuS0RUTHBFRVcxS0hpcWVYRzFRCmpRZUhQSGRKS1BPd0l4MGFROS95
+            eTBsYU0yamZYbEZGZTl0ZHNRVTF1UTAKLS0tIHVwN0d3SVJDSEFnaUhVQ1VsSmYr
+            cXJsSUtTVW1xWFBaMGIwNXZpSjhwSEkK1q5yXlJgHrnyuvtuzTXurl93LDXqWSaV
+            g09SQVF3tzU8zye6aBidhJJnMBrR6jHxK0P6rPYYE8a0U5DMP7D5wA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-17T00:34:54Z"
+    mac: ENC[AES256_GCM,data:4wPwi3H7sTRXFrkFrT/He5wdjGEg2LVlClyUQcBxt8e17s0sX/UQFMztfJmt+PGLrhPY8b1F9J+8oJcmvU0n7sLTtKaLinuBtZgNYXrNpGVQVeiN2YDYjkkLj2IdmloP5KiD8Sdzar1gPRxx4VeyYNAr9e0rsDMBq3qmLjVfKDs=,iv:mK9/Dw3EhDvnFm0lhM1djChlTeZoH+C5hIcPtopuJmE=,tag:TGfS2ER+Cgib6xHv5UGyUQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
diff --git a/secrets/de3911/yt.yaml b/secrets/de3911/yt.yaml
new file mode 100644
index 0000000..9693b37
--- /dev/null
+++ b/secrets/de3911/yt.yaml
@@ -0,0 +1,21 @@
+id_ed25519: ENC[AES256_GCM,data:Yli80jZgpicXecVdgCezbp2XV57XoDgb/6oymt5H3509QLvADkulzx2M/be0vbR5PL3iX2cn8K6yqDNNSA3+Yv8fqPshBPUUIigPIk0bIOudxVpdZwy3jbQRtU7mvQL+pLtuk4Z/wCRPU+EpQldpw05m6dJll7wIWTjWoOgL6ZYFDnK0F4q5PviL4qNuHRlzaxK4Yp3U6TasBcKnrV2OZW5EnDTllHTdbOfRB3vI15YF25a1sxYvq9DveyOok0d/XjD43tfWTXSRFXpbJEmeuqP3akPRTYQGrEP0uRXsx6MIf0USbnAdA4MLGPSL4A4sy6ManvRvn1wQaKckDE+rfAZ3DnLTmE60PO+LEn9KVp/zGtvVEr9m5gHgzcb/2+S8BY4ECg4QZHiEhthVLjnf5Ys3E9/uEb4lMnKjNzZ7QIDYFx/fIiJf2+2FxSr2ApWFl1O3bl8pfNFq2hJzmgi7J/wPypt7nt3G0nTTmwvIB4f4Xy7HSWI+bA3OQT6Nv0T2cDk+DukAZSZ62EVI0ydF,iv:1DyqUOoaHPYAc1zUlAOFBEZhM+JuYm6ggcwrWOTZVQA=,tag:zMR4QlktyL3dZ/S5u7eriA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bWFJR2JmY0JIdzU5OURp
+            MHVDbnMra1hCUklLMjNQVVdyYUZwaFFaMVJjClBsWlIwNm40RW1taGVLaFB5d3BH
+            VHNVUEJoOHNwSWRUQlNjUTk2WERieEkKLS0tIDlVZ2I5VEdJa0hIQ3MxT3RZb0Z1
+            bmVVUjZTVGJzOEdFTno1ZmhZWnkrUFkK0R6GoBKaixAAoRnh89kTvFW7tUvJh7Ce
+            Lxc4pTd/ZDAaNjMy8KCJvAo1CQBb/Hqytl/dERm99RL6C/MifDAodw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-17T00:32:05Z"
+    mac: ENC[AES256_GCM,data:XSJKbq0mvSMbDmNMqY+Fnnt59VgRiEZVVSXcgf3cytVEAqfMthaBi/f9OhMykvTy7lPwe9CHXWI0/1UAZHwEK+gGlIWnMAaqAYSFC+xoLbhRlkDYNUAntC1jhwcK48acK9TWlQirFZsukyWIvsvx1ap2PD/QgotwVNKxMuS0Gig=,iv:BowPffBLvInPh43TVliKudtP3mMtk+eFrniSfFnkThA=,tag:OpZCkPOywDSooOX/TnU8ow==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
diff --git a/secrets/services/ntfy.yaml b/secrets/services/ntfy.yaml
new file mode 100644
index 0000000..05c28d6
--- /dev/null
+++ b/secrets/services/ntfy.yaml
@@ -0,0 +1,30 @@
+ntfy: ENC[AES256_GCM,data:0UkHARZmRniWu7QJGA==,iv:lMC1o866fg+JdIP7HXkBdAEJep4i/TJyNMnKF89Ta9U=,tag:iNu4Ro7ey9JFjh2LrxvbSg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZjBEMjlmZnYwemdjcEov
+            V0xRUnpUZVNVeUwvVmJrQ05FVThjMUJNeFVjCjZUN1ZXQkZPY3lKVll4UENGM3Qz
+            Z0xxVDVGRWJ5WmtOVWw5Z2hQMUpOa2sKLS0tIEM5bWxzaE5RN3gyNjF0WFlBanFz
+            UzR4S1BQLzVhbXo3TnlWVXZIVWFxR1EKZTLkZXWc/7ItdcsMSj0HgbRsq3RARU4b
+            lPsGhz/h3/D4xLnkkA/l52MAiL76SDflU5AMbNQg1iC+BHvpWD8qpg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVU9MSkZIaDArRGQ4bHVR
+            NFRZc0VKSGxnQm1HTkRrMm1LVDZ1cWdjUWxZClY0TjUyVmczNEJNSC8vUGNxTmY4
+            c3hBNTBrZy9nSGE4K1V1aFZZNzl6VFEKLS0tIFhpZlVla01vK0dNczR0T0VyWjF6
+            NUxQNDUyNHpaWW4wYUlDdHZ5d2VyWWsK7pv4z6+RBtzokkcsi6HzuDqUXr/DsK4x
+            ORJS3S8ZloiUF2QZHhjOIqdUtAija1CUreRF3RjFjGLms4/NL5M8Xw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-17T00:39:06Z"
+    mac: ENC[AES256_GCM,data:lsvfZ+uOpu/mA+R8qqfnIOqziH+/jeBRZX6+Sv6Q/bErJ8q2p0dNXNBZ4OcZLVkAE2LQaqk2e4zZeMiI3d6HjwmBRzZ29Nk+EVui5SrD4qU9eHKbOx94O/jNVBN9OwHwXtnhbW82HA8lq0vFFuRJ9N/AnOITiPb55A+dgQgiQVU=,iv:xbncdaZcCjbh5y+WacbwXMjFTbFRIWBw0y+AMdL5tOo=,tag:Ko564HfgVXJBc0swCgVuhQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2