diff --git a/.ageboxreg.yml b/.ageboxreg.yml
new file mode 100644
index 0000000..083c136
--- /dev/null
+++ b/.ageboxreg.yml
@@ -0,0 +1,2 @@
+file_ids: []
+version: "1"
diff --git a/.gitignore b/.gitignore
index ff51edf..22cce9c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-.direnv
\ No newline at end of file
+.direnv
+private.key
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 188f232..cea3435 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,8 +1,4 @@
 repos:
-  - repo: https://github.com/markdownlint/markdownlint
-    rev: v0.13.0
-    hooks:
-      - id: markdownlint_docker
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:
@@ -16,3 +12,7 @@ repos:
     rev: v1.5.0
     hooks:
       - id: detect-secrets
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.22.0
+    hooks:
+      - id: gitleaks
diff --git a/shell.nix b/shell.nix
index 4c5eff1..0de5987 100644
--- a/shell.nix
+++ b/shell.nix
@@ -2,8 +2,13 @@
 
  pkgs.mkShell {
    packages = with pkgs; [
+      # linters/typos/etc.
       pre-commit
       typos
       detect-secrets
+      gitleaks
+
+      # encrypting secrets
+      agebox
    ];
 }
diff --git a/updates/2024-12-21.md b/updates/2024-12-21.md
index 5bde417..bb525b6 100644
--- a/updates/2024-12-21.md
+++ b/updates/2024-12-21.md
@@ -2,16 +2,28 @@
 
 ## Raspi
 
-- navidrome
-- beszel-agent
-- beszel
+- system packages
+  - docker
+  - rpi-eeprom
+- docker containers
+  - navidrome
+  - beszel-agent
+  - beszel
 
 ## Hetzner
 
-- miniflux
-- vaultwarden
-- gatus
-- diun
-- wireguard
-- stirling-pdf
-- beszel-agent
+- system packages
+  - removed datadog-agent
+  - removed kanidm
+  - update
+    - docker-compose-plugin
+    - linux kernel
+    - a bunch more
+- docker containers
+  - miniflux
+  - vaultwarden
+  - gatus
+  - diun
+  - wireguard
+  - stirling-pdf
+  - beszel-agent