diff --git a/deploy-nodes b/deploy-nodes
new file mode 100644
index 00000000..179ce392
--- /dev/null
+++ b/deploy-nodes
@@ -0,0 +1,5 @@
+bakersfield-rpi4
+piaware-rpi4
+backups-rpi4
+osaka-linode-01
+milan-linode-01
diff --git a/home-manager/common/software/cli/default.nix b/home-manager/common/software/cli/default.nix
index c1d7d03f..4ded7c48 100644
--- a/home-manager/common/software/cli/default.nix
+++ b/home-manager/common/software/cli/default.nix
@@ -6,6 +6,7 @@
./btop.nix
./starship.nix
./git.nix
+ ./gpg.nix
./neofetch.nix
./ranger.nix
./ssh.nix
diff --git a/home-manager/common/software/cli/gpg.nix b/home-manager/common/software/cli/gpg.nix
new file mode 100644
index 00000000..a93702e2
--- /dev/null
+++ b/home-manager/common/software/cli/gpg.nix
@@ -0,0 +1,75 @@
+{ ... }: {
+ programs.gpg = {
+ enable = true;
+ settings = {
+ # https://github.com/drduh/config/blob/master/gpg.conf
+ # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Options.html
+ # 'gpg --version' to get capabilities
+ # Use AES256, 192, or 128 as cipher
+ personal-cipher-preferences = "AES256 AES192 AES";
+ # Use SHA512, 384, or 256 as digest
+ personal-digest-preferences = "SHA512 SHA384 SHA256";
+ # Use ZLIB, BZIP2, ZIP, or no compression
+ personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
+ # Default preferences for new keys
+ default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
+ # SHA512 as digest to sign keys
+ cert-digest-algo = "SHA512";
+ # SHA512 as digest for symmetric ops
+ s2k-digest-algo = "SHA512";
+ # AES256 as cipher for symmetric ops
+ s2k-cipher-algo = "AES256";
+ # UTF-8 support for compatibility
+ charset = "utf-8";
+ # No comments in messages
+ no-comments = true;
+ # No version in output
+ no-emit-version = true;
+ # Disable banner
+ no-greeting = true;
+ # Long key id format
+ keyid-format "0xlong";
+ # Display UID validity
+ list-options = "show-uid-validity";
+ verify-options = "show-uid-validity";
+ # Display all keys and their fingerprints
+ with-fingerprint = true;
+ # Display key origins and updates
+ #with-key-origin
+ # Cross-certify subkeys are present and valid
+ require-cross-certification = true;
+ # Disable caching of passphrase for symmetrical ops
+ no-symkey-cache = true;
+ # Output ASCII instead of binary
+ armor = true;
+ # Enable smartcard
+ use-agent = true;
+ # Disable recipient key ID in messages (breaks Mailvelope)
+ throw-keyids = true;
+ # Default key ID to use (helpful with throw-keyids)
+ #default-key 0xFF3E7D88647EBCDB
+ #trusted-key 0xFF3E7D88647EBCDB
+ # Group recipient keys (preferred ID last)
+ #group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
+ # Keyserver URL
+ #keyserver hkps://keys.openpgp.org
+ #keyserver hkps://keys.mailvelope.com
+ #keyserver hkps://keyserver.ubuntu.com:443
+ #keyserver hkps://pgpkeys.eu
+ #keyserver hkps://pgp.circl.lu
+ #keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
+ # Keyserver proxy
+ #keyserver-options http-proxy=http://127.0.0.1:8118
+ #keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
+ # Enable key retrieval using WKD and DANE
+ #auto-key-locate wkd,dane,local
+ #auto-key-retrieve
+ # Trust delegation mechanism
+ #trust-model tofu+pgp
+ # Show expired subkeys
+ #list-options show-unusable-subkeys
+ # Verbose output
+ #verbose
+ };
+ };
+}
diff --git a/home-manager/small.nix b/home-manager/small.nix
index afa178a0..c18804ed 100644
--- a/home-manager/small.nix
+++ b/home-manager/small.nix
@@ -10,6 +10,7 @@
./common/software/cli/starship.nix
./common/software/cli/tmux.nix
./common/software/cli/atuin.nix
+ ./common/software/cli/gpg.nix
# User configs
./users/${username}
diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix
index f9977caa..477d5ee2 100644
--- a/nixos/hosts/osaka-linode-01/firewall.nix
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
@@ -87,7 +87,7 @@
mode tcp
option forwarded
option forwardfor if-none
- server mailserver-wg 10.100.1.3
+ server mailserver-wg 10.100.0.2
backend backend_tcp
mode tcp