diff --git a/hardware/oracle/common.nix b/hardware/oracle/common.nix index 2fab81f3..77232b9a 100644 --- a/hardware/oracle/common.nix +++ b/hardware/oracle/common.nix @@ -109,6 +109,8 @@ in ]; }; + services.cockroachdb.locality = "provider=oracle,region=${oci-root.outputs.oci_region.import},ad=${cfg.ad},host=${config.networking.hostName}"; + deploy.tf = let compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id"; diff --git a/modules/esphome/deploy.nix b/modules/esphome/deploy.nix index 2408738f..6b6087f0 100644 --- a/modules/esphome/deploy.nix +++ b/modules/esphome/deploy.nix @@ -62,6 +62,7 @@ in { _module.args.tf = mapNullable (target: target.tf) target; out = jsonConfig; deploy.tf = { + terraform.environment.ESPHOME = "${pkgs.esphome}"; attrs = [ "import" "imports" "out" "attrs" "triggers" ]; import = genAttrs cfg.tf.imports (target: meta.deploy.targets.${target}.tf); out.set = removeAttrs cfg.tf cfg.tf.attrs; @@ -75,7 +76,7 @@ in { provider = "local"; type = "file"; inputs = { - filename = "${tf.terraform.dataDir}/esphome-${name}-secrets.json"; + filename = "${builtins.toString tf.terraform.dataDir}/esphome-${name}-secrets.json"; content = secretsFile; }; }; @@ -86,10 +87,13 @@ in { provisioners = [ { type = "local-exec"; - local-exec.command = '' - ${pkgs.esphome}/bin/esphome compile ${closureConfig} ${tf.resources."${name}-secrets".refAttr "filename"} - ${pkgs.esphome}/bin/esphome upload ${closureConfig} --device ${name}.local - ''; + local-exec = { + working_dir = builtins.toString tf.terraform.dataDir; + command = '' + ${pkgs.esphome}/bin/esphome compile ${closureConfig} ${tf.resources."${name}-secrets".refAttr "filename"} + ${pkgs.esphome}/bin/esphome upload ${closureConfig} ${tf.resources."${name}-secrets".refAttr "filename"} --device ${name}.local + ''; + }; } ]; }; 
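Review bot: Both provisioner lines still hardcode `${pkgs.esphome}/bin/esphome`, so the `terraform.environment.ESPHOME` export added earlier in this file is not consumed here — if the intent was for the provisioner to use it, the lines become `"$ESPHOME"/bin/esphome compile …` and `"$ESPHOME"/bin/esphome upload …`; otherwise a comment saying what reads it (presumably something in the `tf` submodule, which is outside this diff) would keep it from looking dead. The interpolated config path, secrets path and `${name}.local` are unquoted inside a shell string; these values come from the Nix configuration rather than from untrusted input, but quoting them keeps a `name` containing spaces or glob characters from splitting the command. Setting `working_dir` to `tf.terraform.dataDir` while passing the absolute `local_file` path is harmless but its purpose is not obvious; a one-line comment on why the working directory matters would help the next reader. The `local_file` resource whose `filename` changed in the previous hunk keeps `content = secretsFile` in Terraform state as well as on disk, which predates this change but deserves a `# secrets are persisted in terraform state too` note next to it.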
@@ -103,7 +107,7 @@ in { path = if length parts > 1 then head parts else "password"; in nameValuePair "${config.esphome.name}-secret-${name}" ({ value.shellCommand = let - bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}.secrets.repo.bitw.source} "$@"''; + bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${meta.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}.secrets.repo.bitw.source} "$@"''; in "${bitw}/bin/bitw get ${path} -f ${field}"; type = "string"; sensitive = true; diff --git a/modules/system/genesis.nix b/modules/system/genesis.nix index 31c4092e..130e86c5 100644 --- a/modules/system/genesis.nix +++ b/modules/system/genesis.nix @@ -1,3 +1,3 @@ -{ config, pkgs, lib, ... }: { - _module.args.pkgs = lib.mkDefault pkgs; +{ config, pkgs, lib, meta, ... }: { + _module.args.pkgs = lib.mkDefault meta.pkgs; } diff --git a/nixos/systems/daiyousei.nix b/nixos/systems/daiyousei.nix index 1e2a5153..0c6f31c0 100644 --- a/nixos/systems/daiyousei.nix +++ b/nixos/systems/daiyousei.nix @@ -21,6 +21,7 @@ services.vaultwarden services.weechat services.znc + services.cockroachdb ]; nixfiles.oci = { diff --git a/nixos/systems/marisa.nix b/nixos/systems/marisa.nix index 2c2403ae..6189285f 100644 --- a/nixos/systems/marisa.nix +++ b/nixos/systems/marisa.nix @@ -6,8 +6,11 @@ services.nginx services.access services.irlsite + services.cockroachdb ]; + services.cockroachdb.locality = "provider=buyvm,region=luxembourg,host=${config.networking.hostName}"; + boot = { loader.grub = { enable = true; diff --git a/nixos/systems/tewi/home-assistant.nix b/nixos/systems/tewi/home-assistant.nix index f427eeb3..e18e6572 100644 --- a/nixos/systems/tewi/home-assistant.nix +++ b/nixos/systems/tewi/home-assistant.nix 
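Review bot: `meta.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}` uses an environment variable directly as an attribute name, so under pure evaluation or with `HOME_HOSTNAME` unset `getEnv` yields `""` and evaluation fails with an opaque missing-attribute error instead of naming the variable. Binding it first gives a useful failure: `homeHost = builtins.getEnv "HOME_HOSTNAME";` and `bitwSource = meta.network.nodes.all.${homeHost}.secrets.repo.bitw.source or (throw "HOME_HOSTNAME must name a node with a bitw secret source");`, then `-p gpg://${bitwSource}` in the wrapper script. The switch from `config.` to `meta.` is consistent with how `services/cockroachdb.nix` in this diff reaches other nodes, and `sensitive = true` on the resulting variable is kept. The enclosing `let` and `nameValuePair` expression start outside the hunk.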
@@ -28,10 +28,36 @@ group = "hass"; }; + secrets.variables.latitude = { + path = "secrets/home-assistant"; + field = "latitude"; + }; + + secrets.variables.longitude = { + path = "secrets/home-assistant"; + field = "longitude"; + }; + + secrets.variables.elevation = { + path = "secrets/home-assistant"; + field = "elevation"; + }; + + + secrets.files.home-assistant-secrets = { + text = builtins.toJSON { + latitude = tf.variables.latitude.ref; + longitude = tf.variables.longitude.ref; + elevation = tf.variables.elevation.ref; + }; + owner = "hass"; + group = "hass"; + }; + systemd.services.home-assistant = { preStart = lib.mkBefore '' - rm ${config.services.home-assistant.configDir}/integration.json - cp --no-preserve=mode ${config.secrets.files.ha-integration.path} ${config.services.home-assistant.configDir}/integration.json + cp --no-preserve=mode ${config.secrets.files.home-assistant-secrets.path} ${config.services.home-assistant.configDir}/secrets.yaml + cp --no-preserve=mode ${config.secrets.files.ha-integration.path} ${config.services.home-assistant.configDir}/integration.yaml ''; }; @@ -41,6 +67,11 @@ homeassistant = { name = "Gensokyo"; unit_system = "metric"; + latitude = "!secret latitude"; + longitude = "!secret longitude"; + elevation = "!secret elevation"; + currency = "CAD"; + time_zone = "America/Vancouver"; external_url = "https://home.gensokyo.zone"; }; frontend = { @@ -93,7 +124,7 @@ }; google_assistant = { project_id = "gensokyo-5cfaf"; - service_account = "!include integration.json"; + service_account = "!include integration.yaml"; }; homekit = { name = "Tewi"; diff --git a/nixos/systems/tewi/nixos.nix b/nixos/systems/tewi/nixos.nix index 432e6397..b886bfc2 100644 --- a/nixos/systems/tewi/nixos.nix +++ b/nixos/systems/tewi/nixos.nix @@ -5,6 +5,7 @@ (modulesPath + "/installer/scan/not-detected.nix") hardware.local nixos.network + services.cockroachdb ./kanidm.nix ./vouch.nix ./home-assistant.nix 
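Review bot: The old `rm …/integration.json` line is dropped at the same time the target is renamed to `integration.yaml`, so on hosts that already ran the previous preStart the stale `integration.json` (the Google service-account key) stays in `configDir` indefinitely; keep a `rm -f ${config.services.home-assistant.configDir}/integration.json` until every host has rebuilt. `cp --no-preserve=mode` also gives `secrets.yaml` and `integration.yaml` a fresh default mode — 0644 under a typical 022 umask — regardless of how tightly the source secret files are permissioned; `install -m 0600 SRC DST` pins the mode without changing the ownership semantics of `cp` (whether `configDir` itself is already restricted is not visible here). The three `secrets.variables` blocks share the same `path` and differ only in `field`, so a `genAttrs [ "latitude" "longitude" "elevation" ] (field: { path = "secrets/home-assistant"; inherit field; })` would remove the repetition, and there is a doubled blank line before `secrets.files.home-assistant-secrets`. The `!secret` references and the `!include integration.yaml` rename look consistent with the files written here.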
@@ -14,6 +15,8 @@ ./nginx.nix ]; + services.cockroachdb.locality = "provider=local,network=gensokyo,host=${config.networking.hostName}"; + networks = { gensokyo = { interfaces = [ diff --git a/nixos/systems/yukari.nix b/nixos/systems/yukari.nix index 492248c8..095d757b 100644 --- a/nixos/systems/yukari.nix +++ b/nixos/systems/yukari.nix @@ -12,8 +12,11 @@ services.tvheadend services.zfs services.plex + services.cockroachdb ]; + services.cockroachdb.locality = "provider=local,network=chitei,host=${config.networking.hostName}"; + boot.supportedFilesystems = singleton "zfs"; fileSystems = { diff --git a/services/cockroachdb.nix b/services/cockroachdb.nix new file mode 100644 index 00000000..4e273a5d --- /dev/null +++ b/services/cockroachdb.nix @@ -0,0 +1,21 @@ +{ config, meta, lib, ... }: let + inherit (lib.attrsets) mapAttrsToList filterAttrs; + inherit (lib.strings) concatStringsSep; +in { + services = { + cockroachdb = { + enable = true; + insecure = true; + join = concatStringsSep "," (mapAttrsToList (_: nixos: + "${nixos.networks.tailscale.ipv4}:${builtins.toString nixos.services.cockroachdb.listen.port}" + ) (filterAttrs (_: nixos: nixos.services.cockroachdb.enable) meta.network.nodes.nixos)); + http = { + address = config.networks.tailscale.ipv4; + port = 8973; + }; + listen = { + address = config.networks.tailscale.ipv4; + }; + }; + }; +} diff --git a/services/minio.nix b/services/minio.nix new file mode 100644 index 00000000..2a53bec9 --- /dev/null +++ b/services/minio.nix 
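Review bot: `insecure = true` runs the cluster with no TLS and no authentication, so every device on the tailnet — not just the OCI, BuyVM and local nodes joined in this diff — can connect as `root` on the listen port and open the unauthenticated admin UI on `http.port` 8973; binding both to `config.networks.tailscale.ipv4` limits exposure to the tailnet but adds no authentication, and inter-node traffic between providers is protected only by the Tailscale tunnel. If insecure mode is a deliberate interim choice, say so where it is set (`# insecure: tailnet-only and unauthenticated — TODO move to certsDir-based TLS`); otherwise the NixOS module's `certsDir` option is the path to certificate auth. The `join` list is built from every nixos node with cockroachdb enabled, including the node itself, which CockroachDB tolerates, but it presumably requires every peer's `networks.tailscale.ipv4` to be known at evaluation time and silently yields an empty list on a host whose peers are not yet defined. A header comment describing the locality scheme the systems use (`provider=…,region=…,host=…`, which `services/minio.nix` also reads) would document the cluster shape in one place.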
@@ -0,0 +1,41 @@
+{ config, lib, ... }: let
+  import (lib.modules) mkIf mkDefault;
+  cfg = config.services.minio;
+in {
+  options.services.minio.isNAS = mkEnableFunction "NAS lack of defaults";
+
+  config = {
+    secrets = {
+      variables = mapAttrs' (name: value: nameValuePair "minio-${name}-key" value) (genAttrs ["access" "secret"] (name: {
+        path = "gensokyo/minio";
+        field = "${name}-key";
+      }));
+    };
+    files = {
+      minio-root-credentials = {
+        text = ''
+          MINIO_ROOT_USER=${tf.variables.minio-access-key.ref}
+          MINIO_ROOT_PASSWORD=${tf.variables.minio-secret-key.ref}
+        '';
+        owner = "minio";
+        group = "minio";
+      };
+    };
+  };
+
+  systemd.tmpfiles.rules = mkIf !cfg.isNAS ''
+    v /minio 700 minio minio
+  '';
+
+  services = {
+    minio = {
+      region = config.services.cockroachdb.locality;
+      enable = true;
+      dataDir = lib.optional !cfg.isNAS "/minio";
+      listenAddress = "${config.networks.tailscale.ipv4}:9000";
+      consoleAddress = "${config.networks.tailcale.ipv4}:9001";
+      rootCredentialsFile = config.secrets.files.minio-root-credentials.path;
+    };
+  };
+  };
+}
diff --git a/tf b/tf
index 109f8803..158e27e7 160000
--- a/tf
+++ b/tf
@@ -1 +1 @@
-Subproject commit 109f880332d0f9f4cfaf2ed8db8e9cee577a6cbd
+Subproject commit 158e27e798d8808a0a54127122a6ceaffa2b12a7
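Review bot: services/minio.nix does not evaluate as written (nothing in this diff imports it yet, which is probably why it went unnoticed): `import (lib.modules) mkIf mkDefault;` should be `inherit`, `mkEnableFunction` does not exist in lib (`mkEnableOption` does), `mkIf !cfg.isNAS` and `lib.optional !cfg.isNAS` need parentheses around the negation, `mapAttrs'`, `nameValuePair`, `genAttrs` and `tf` are unbound, `tailcale` on the `consoleAddress` line is a typo, and the `};` before the final `}` is unbalanced. Beyond syntax, `files = { minio-root-credentials … }` sits beside `secrets` instead of under it, so the `config.secrets.files.minio-root-credentials.path` used for `rootCredentialsFile` would not exist, and because the module declares `options`, the `systemd` and `services` attributes have to live under `config`. `systemd.tmpfiles.rules` is a list of strings in NixOS, not a multiline string. `region = config.services.cockroachdb.locality` passes a `key=value,…` locality string as the S3 region, which clients embed in the SigV4 credential scope, so a plain region token is the safer choice, and a short header comment noting that both endpoints bind only to `networks.tailscale.ipv4` and that `isNAS` opts out of the `/minio` defaults would help the next reader. The rewrite below fixes these while leaving the credentials wiring unchanged; `tf` is assumed to be a module argument as in the other secrets-using files.
```nix
{ config, lib, tf, ... }: let
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkEnableOption;
  inherit (lib.attrsets) mapAttrs' nameValuePair genAttrs;
  inherit (lib.lists) optional;
  cfg = config.services.minio;
in {
  # MinIO object store; both endpoints bind to the tailscale address only,
  # and the root credentials come from the secrets module.
  options.services.minio.isNAS = mkEnableOption "NAS lack of defaults";

  config = {
    secrets = {
      # … unchanged: variables = mapAttrs' … "minio-${name}-key" … …
      files.minio-root-credentials = {
        # … unchanged: text / owner / group …
      };
    };

    # isNAS hosts bring their own storage; everyone else gets a private /minio.
    systemd.tmpfiles.rules = mkIf (!cfg.isNAS) [
      "v /minio 0700 minio minio"
    ];

    services.minio = {
      enable = true;
      # region: set a plain token here if needed; the cockroachdb locality
      # string is not a valid S3 region (see note).
      dataDir = optional (!cfg.isNAS) "/minio";
      listenAddress = "${config.networks.tailscale.ipv4}:9000";
      consoleAddress = "${config.networks.tailscale.ipv4}:9001";
      rootCredentialsFile = config.secrets.files.minio-root-credentials.path;
    };
  };
}
```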