diff --git a/modules/collections/server.nix b/modules/collections/server.nix
index 750c417..6bbe3ff 100644
--- a/modules/collections/server.nix
+++ b/modules/collections/server.nix
@@ -28,7 +28,6 @@
 ../hdd-spindown.nix
 ../logging.nix
 ../motd.nix
- ../static-ip.nix
 ];
 custom = {
@@ -44,7 +43,10 @@
 settings.enable = true;
 };
 services = {
- kavita.enable = true;
+ kavita = {
+ enable = true;
+ dir = "/mnt/1tbssd/kavita";
+ };
 };
 hardware = {
 firmware.enable = true;
diff --git a/modules/misc/static-ip.nix b/modules/misc/static-ip.nix
index e67a83e..f2559b5 100644
--- a/modules/misc/static-ip.nix
+++ b/modules/misc/static-ip.nix
@@ -11,11 +11,11 @@ in
 description = "ipv4 address";
 };
 dns = lib.mkOption {
- default = types.str;
+ type = types.str;
 description = "ip of the dns server";
 };
 interface = lib.mkOption {
- default = types.str;
+ type = types.str;
 description = "interface to apply the change to";
 };
 };
diff --git a/modules/services/kavita.nix b/modules/services/kavita.nix
index 0c95fa9..95e5937 100644
--- a/modules/services/kavita.nix
+++ b/modules/services/kavita.nix
@@ -6,13 +6,23 @@ in {
 options.custom.services.kavita = {
 enable = mkEnableOption "Enables kavita";
+ https = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Should it use https?";
+ };
+ dir = mkOption {
+ default = "/data/kavita";
+ type = types.path;
+ description = "data path";
+ };
 };
 config = let
 fqdn = "kavita-kopatz.duckdns.org";
 useStepCa = false; #config.services.step-ca.enable;
- useHttps = true;
- baseDir = "/mnt/1tbssd/kavita";
+ useHttps = cfg.https;
+ baseDir = cfg.dir;
 mangal = "${pkgs.mangal}/bin/mangal";
 githubRunnerEnabled = config.services.github-runners ? oberprofis.enable;
 in lib.mkIf cfg.enable {
diff --git a/secrets/coturn-secret.age b/secrets/coturn-secret.age
index d27aeef..4a9e9ec 100644
Binary files a/secrets/coturn-secret.age and b/secrets/coturn-secret.age differ
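Review bot: `fqdn = "kavita-kopatz.duckdns.org";` stays hard-coded in the `let` of modules/services/kavita.nix while `dir` and `https` become per-host options, and this commit enables the service in both the server collection and systems/mini-pc, so two hosts would presumably configure the same public name; an `fqdn` option next to the two new ones would avoid that. The `https` description should say what is served when it is `false`, for example `description = "Serve kavita over HTTPS; when false the web UI is reachable over plain HTTP only";`, though how `useHttps` is consumed lies outside the hunk, so confirm the wording against the rest of the `config` block. `types.path` also accepts Nix path literals, which are copied into the world-readable store when interpolated into a string, so `type = types.str;` or a description that asks for a quoted absolute path is safer for a data directory.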
diff --git a/secrets/create_secrets.md b/secrets/create_secrets.md index 1c83ada..aca1b76 100644 --- a/secrets/create_secrets.md +++ b/secrets/create_secrets.md @@ -1,4 +1,5 @@ -agenix -e secret1.age +# create secrets +`agenix -e secret1.age` example secrets.nix file @@ -28,4 +29,7 @@ services.nextcloud = { hostName = "localhost"; config.adminpassFile = config.age.secrets.nextcloud.path; }; -``` \ No newline at end of file +``` + +# rekeying +`agenix -r` diff --git a/secrets/duckdns.age b/secrets/duckdns.age index 232f847..37a1153 100644 --- a/secrets/duckdns.age +++ b/secrets/duckdns.age @@ -1,11 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 yfCCMw bknEVINSpmzqbs669XXGW10WlRU2eYqM21nCra4Grm0 -UH/rieabfARVLfMojUzRpMV8OgQQegmkERr3OsudizI --> ssh-ed25519 IV3DkQ ae0X4te6ZevvoybUP20LgE4ymTiisoBMfrZQBm0LHEo -f9VxOHjo6W349d/T9DuH0KbQRHj+EXa+yascxnG/oEA --> ssh-ed25519 DCzi1A vBpgN1TwpEv+mJNIMoHitLshG0q1RDTz3WrvRbRGnno -Nc9I8WWXDDzCfOHkcbhqXjk0Fvp23f8QxiW6bdPix3Q --> 5-grease ;gX' KVd. S[Du |%f:LC8 -g5R1yuzS9892Jf0N+RsaVg77389vLxeowKKcD/PM962AMYCe4iHdCw ---- u/d/x8qCopx23d4TiecnfbaL+l+JJu5i+yJqmU6XH/c -4n~Xv6j80} _=$H@u{q/^+vԹ OyEpK3LZ \ No newline at end of file +-> ssh-ed25519 su0Eyw abgbb/Gl03Gkn8FXt8OWvsQZIIkmp+9OJYJBARfuMHE +C6btapYsEstmrPfOSzApBxo88PCVG0ECbJJ9ATvHwSo +-> ssh-ed25519 IV3DkQ r1h8O7eotpWQ7R2MC/EgWsndd+V+YNJs6SEQqxY4DHk +FRuoj1KMLoHYGYk+78cgQbtH6QN0LQX69LzS72zTeLA +-> ssh-ed25519 DCzi1A S5japvaVIvNF8gB8d6lDMniYvWDhPXKxdHIypoYQiho +us1sOKs3YwTQZEbgh3YgN6GgRDP7Na3KGdzTSqzENrA +--- Nq1cKNge2TngWd41zf1sTneHozmQzGrFQ6y6qtXzRDs +91 +U 6eد0n׹v[fZ(~sY'SGfc$#yDk \ No newline at end of file diff --git a/secrets/github-runner-pw.age b/secrets/github-runner-pw.age index a59a99e..5ff3cf1 100644 Binary files a/secrets/github-runner-pw.age and b/secrets/github-runner-pw.age differ 
diff --git a/secrets/github-runner-token.age b/secrets/github-runner-token.age
index 981a396..a6ad2e7 100644
Binary files a/secrets/github-runner-token.age and b/secrets/github-runner-token.age differ
diff --git a/secrets/grafana-contact-points.age b/secrets/grafana-contact-points.age
index dea2c70..dffcfec 100644
Binary files a/secrets/grafana-contact-points.age and b/secrets/grafana-contact-points.age differ
diff --git a/secrets/kavita.age b/secrets/kavita.age
index 35fd4e7..3f561b1 100644
Binary files a/secrets/kavita.age and b/secrets/kavita.age differ
diff --git a/secrets/matrix-registration.age b/secrets/matrix-registration.age
index 046ca6b..721af66 100644
Binary files a/secrets/matrix-registration.age and b/secrets/matrix-registration.age differ
diff --git a/secrets/nextcloud-admin.age b/secrets/nextcloud-admin.age
index 3f0a5e0..36b10c0 100644
Binary files a/secrets/nextcloud-admin.age and b/secrets/nextcloud-admin.age differ
diff --git a/secrets/nextcloud-cert.age b/secrets/nextcloud-cert.age
index 37a12ac..00570c1 100644
Binary files a/secrets/nextcloud-cert.age and b/secrets/nextcloud-cert.age differ
diff --git a/secrets/nextcloud-key.age b/secrets/nextcloud-key.age
index ca2d4a7..0336400 100644
Binary files a/secrets/nextcloud-key.age and b/secrets/nextcloud-key.age differ
diff --git a/secrets/paperless.age b/secrets/paperless.age
index 1b9364c..2795016 100644
Binary files a/secrets/paperless.age and b/secrets/paperless.age differ
diff --git a/secrets/restic-gdrive.age b/secrets/restic-gdrive.age
index 660992f..65a3384 100644
Binary files a/secrets/restic-gdrive.age and b/secrets/restic-gdrive.age differ
diff --git a/secrets/restic-pw.age b/secrets/restic-pw.age
index 2064b01..ee59339 100644
Binary files a/secrets/restic-pw.age and b/secrets/restic-pw.age differ
diff --git a/secrets/restic-s3.age b/secrets/restic-s3.age
index e8687bb..e7efad6 100644
Binary files a/secrets/restic-s3.age and b/secrets/restic-s3.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 52e7af6..c28a354 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,26 +1,26 @@
 let kop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeP6qtVqE/gu72ZUZE8cdRi3INiUW9NqDR7SjXIzTw2 lukas@Kopatz-PC2";
- nix-test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVqEb1U1c9UX3AF8otNyYKpIUMjc7XSjZY3IkIPGOqi root@server";
 server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAUA7uVKXAF2UcwaIDSJP2Te8Fi++2zkKzSPoRx1vQrI root@server";
+ mini-pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKla9+Gj2i9Ax7cIdnTM6zsmze3g1N/qCPqhga0P+toU root@mini-pc";
 users = [ kop ];
- systems = [ nix-test-vm server ];
+ systems = [ mini-pc server ];
 in {
- "github-runner-token.age".publicKeys = [ nix-test-vm server kop ];
- "github-runner-pw.age".publicKeys = [ nix-test-vm server kop ];
- "duckdns.age".publicKeys = [ nix-test-vm server kop ];
- "nextcloud-admin.age".publicKeys = [ nix-test-vm server kop ];
- "nextcloud-cert.age".publicKeys = [ nix-test-vm server kop ];
- "nextcloud-key.age".publicKeys = [ nix-test-vm server kop ];
- "restic-pw.age".publicKeys = [ nix-test-vm server kop ];
- "restic-s3.age".publicKeys = [ nix-test-vm server kop ];
- "restic-gdrive.age".publicKeys = [ nix-test-vm server kop ];
- "wireguard-private.age".publicKeys = [ nix-test-vm server kop ];
- "coturn-secret.age".publicKeys = [ nix-test-vm server kop ];
- "matrix-registration.age".publicKeys = [ nix-test-vm server kop ];
- "paperless.age".publicKeys = [ nix-test-vm server kop ];
- "kavita.age".publicKeys = [ nix-test-vm server kop ];
- "step-ca-pw.age".publicKeys = [ nix-test-vm server kop ];
- "step-ca-key.age".publicKeys = [ nix-test-vm server kop ];
- "grafana-contact-points.age".publicKeys = [ server kop];
+ "github-runner-token.age".publicKeys = [ mini-pc server kop ];
+ "github-runner-pw.age".publicKeys = [ mini-pc server kop ];
+ "duckdns.age".publicKeys = [ mini-pc server kop ];
+ "nextcloud-admin.age".publicKeys = [ mini-pc server kop ];
+ "nextcloud-cert.age".publicKeys = [ mini-pc server kop ];
+ "nextcloud-key.age".publicKeys = [ mini-pc server kop ];
+ "restic-pw.age".publicKeys = [ 
mini-pc server kop ]; + "restic-s3.age".publicKeys = [ mini-pc server kop ]; + "restic-gdrive.age".publicKeys = [ mini-pc server kop ]; + "wireguard-private.age".publicKeys = [ mini-pc server kop ]; + "coturn-secret.age".publicKeys = [ mini-pc server kop ]; + "matrix-registration.age".publicKeys = [ mini-pc server kop ]; + "paperless.age".publicKeys = [ mini-pc server kop ]; + "kavita.age".publicKeys = [ mini-pc server kop ]; + "step-ca-pw.age".publicKeys = [ mini-pc server kop ]; + "step-ca-key.age".publicKeys = [ mini-pc server kop ]; + "grafana-contact-points.age".publicKeys = [ mini-pc server kop ]; } diff --git a/secrets/step-ca-key.age b/secrets/step-ca-key.age index 7a85a77..ca7244c 100644 Binary files a/secrets/step-ca-key.age and b/secrets/step-ca-key.age differ diff --git a/secrets/step-ca-pw.age b/secrets/step-ca-pw.age index 0da0878..418e6b2 100644 --- a/secrets/step-ca-pw.age +++ b/secrets/step-ca-pw.age @@ -1,12 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 yfCCMw OgXEZi4GHlh0htigcyT0c86ZlZvmv5ve6g0Dnk9mhS8 -57hPI3DO/2Lic5JZ/4Cgq1y0tYoZKc+E6LwS62Zi0kg --> ssh-ed25519 IV3DkQ YG3gxtuOx5sfD7rwAClr+MrFzEgw2sgfpxzZDyT9nj4 -VIP3Hkk9ZBG9BHNPHt4C6LazylU6htJ6gmdamqAYLUw --> ssh-ed25519 DCzi1A DcsbrGWEyzUB7QKGvlMU9CMB/bq7JVz/aSz7uJprQRg -NpBDT786hL0GZNaY1IsDnU9iFxlYZs8ti1FAfBeHBIQ --> z-grease |WDf ~K7q9K *xzH^n6{ -6G9KAajGo/o6dcYb/MAOE7AIIZKTTMrN9fh9ACkINLB38ZrREUCsrJDE90sx62nX -MOJKZ3k4 ---- ExlgUArhnqSMlZwWWoFdM/Ugc3fLKbQ9ZCguzqUIlkM -F!0QQm[e6MxB Ԙcq6>H \ No newline at end of file +-> ssh-ed25519 su0Eyw 6vviSJcXLLG9cOZb1owE2oudEYGqRfq9lk8Ulq9Gmj0 +OHuZl76lF83C8kMhoRMV6cMLR0LXVim/vG5hm+MqnCM +-> ssh-ed25519 IV3DkQ DKxFE4xir6ykfEohvZOE/zh5dqb05mRRksapheXSfUM +HkdZI6L96PLSXvnnfcMhaxB67JBjFr6pdfShB0FeBpY +-> ssh-ed25519 DCzi1A kHrUepWwMDt6pgmETeclWpscQdWS/X0744mKn1C7kjU +vrWA1Dapi5APp2EDXccCEEGV0j8YrRrC2e2Wfp75Vko +--- StnQRDu2BAUK36iyf9lOUtWOwwwcNA7De2G3tSd1L2M +c2mڟ }bEF"YVD_SE fhGJ63w:Ohu2 \ No newline at end of file 
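Review bot: Dropping `nix-test-vm` from every `publicKeys` list in secrets/secrets.nix and rekeying protects only the new ciphertexts; the previous `.age` blobs stay in git history and remain decryptable with that host's SSH key. If the VM key is being retired because the host is gone or no longer trusted, the underlying values (runner token, restic, WireGuard and step-ca material) need rotating as well, not just re-encrypting. The same hunk makes `mini-pc` a recipient of all seventeen secrets, including `grafana-contact-points.age`, which was previously `[ server kop]`, while the mini-pc configuration visible in this commit only enables kavita; scoping it, e.g. `"kavita.age".publicKeys = [ mini-pc server kop ];` and leaving server-only entries at `[ server kop ]`, would limit what a compromise of that host exposes. The `users` and `systems` bindings are defined but never used, so `users ++ systems` could replace the repeated literal lists where all recipients are intended.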
diff --git a/secrets/wireguard-private.age b/secrets/wireguard-private.age index 28b3005..16dc233 100644 --- a/secrets/wireguard-private.age +++ b/secrets/wireguard-private.age @@ -1,11 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 yfCCMw HoX1AI2rIYDJbfKRDRXr1ZRsNM1OVRVrr0XRnBD29FQ -aM3HP0kxq9ACb2TFcb7f9rxKXFoT2Y9nEjL+XD3nHIM --> ssh-ed25519 IV3DkQ EKn/xr5EWEev3stYXDGrzfLtwt2thJ+34e5eP1v4l0g -raaOM6zpmokVCBKNWx9xHpsQJSpTbHHQeRbz2+wC3+0 --> ssh-ed25519 DCzi1A mVLJ1c2e1UOsTuDCKIwLliBz3OVBH8vGp/gICb8cyQY -dXok0Tr56SdW5sf74IYk7rDnim/s7vZI/PZIGKvNuaM --> ;mHckk.i-grease [&? MW78 %Ee4m -LebJ6ZshTkkY+fM5zI/sbQzGpcKN5oGiEu5tWSPnmeQQxJrjT7Utqf3KAfI ---- 6HedZR4VvouzHmjeV9DY6BsybKcainxK9fro9MSjpxg -hq<3:7{,9'w(FVGuLAA0̽a| Kw?!\Z-\$6y֧x \ No newline at end of file +-> ssh-ed25519 su0Eyw 9mpUnyWpauqdSlrjHZb2uyTG5U7wyWesQz0WfNms1nc +652z/tIinaCwhBQitxSLWMl1n9FCEaRKC6F/h9c4rzk +-> ssh-ed25519 IV3DkQ esDKdA6+78STpPx2kCRbRCjJ7w5+YCRwR9G5IHusRl8 +cFc2EJE+gfY7YJzindI+3Q7Eum/D02GetqjHjaZUQzk +-> ssh-ed25519 DCzi1A meR8aXi4kq1xxSdGvieMZ0tcrgT4Ifo2fRoR6v7wP1U +rULzoIdJyh/MwDXGfI9Nh3nPfqdUBoQHV7s15cYpKsw +--- 6cTo396+lzrd+YrQnEU3GvW6gPLo4rVaukpx48QdGGY +hдfF8F ~0^| u_aIvy!eVCdj2v?+*8g0FCZr7K \ No newline at end of file diff --git a/systems/mini-pc/configuration.nix b/systems/mini-pc/configuration.nix index c28018e..026fd37 100644 --- a/systems/mini-pc/configuration.nix +++ b/systems/mini-pc/configuration.nix @@ -29,6 +29,12 @@ firmware.enable = true; ssd.enable = true; }; + services = { + kavita = { + enable = true; + dir = "/data/kavita"; + }; + }; nftables.enable = true; cli-tools.enable = true; nix = {