diff --git a/.sops.yaml b/.sops.yaml index 6aacff65..50c5638c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -8,6 +8,7 @@ keys: - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt - &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr - &mediabox_osh age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 +- &litterbox_osh age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj - &kuwubernetes_osh age1q2yjpxlqkfhsfxumtmax6zsyt669vlr9ffjks3dpkjf3cqdakcwqt2nt66 - &kuwubernetes_cluster age1nmdv4q8hcyj3s6qevrmc9w2vhd4a8tsj5j5e0cry5utex7vqeprslyjvxz creation_rules: @@ -23,6 +24,7 @@ creation_rules: - *aya_osh - *tei_osh - *mediabox_osh + - *litterbox_osh - path_regex: 'systems/hakurei/secrets\.yaml$' shamir_threshold: 1 key_groups: @@ -60,6 +62,12 @@ creation_rules: - pgp: *pgp_common age: - *mediabox_osh +- path_regex: 'systems/litterbox/secrets\.yaml$' + shamir_threshold: 1 + key_groups: + - pgp: *pgp_common + age: + - *litterbox_osh - path_regex: 'systems/kuwubernetes/secrets\.yaml$' shamir_threshold: 1 key_groups: diff --git a/nixos/syncthing-kat/syncthing.nix b/nixos/syncthing-kat/syncthing.nix index ed16d191..83eda231 100644 --- a/nixos/syncthing-kat/syncthing.nix +++ b/nixos/syncthing-kat/syncthing.nix @@ -2,11 +2,5 @@ services.syncthing = { enable = true; relay.enable = true; - settings = { - options = { - }; - folders = { - }; - }; }; } diff --git a/systems/litterbox/nixos.nix b/systems/litterbox/nixos.nix index 857ed206..d0cc8fb6 100644 --- a/systems/litterbox/nixos.nix +++ b/systems/litterbox/nixos.nix @@ -2,14 +2,14 @@ imports = let inherit (meta) nixos; in [ - #nixos.sops + nixos.sops nixos.base nixos.reisen-ct nixos.tailscale nixos.syncthing-kat ]; - #sops.defaultSopsFile = ./secrets.yaml; + sops.defaultSopsFile = ./secrets.yaml; systemd.network.networks.eth0 = { name = "eth0"; diff --git a/systems/litterbox/secrets.yaml b/systems/litterbox/secrets.yaml new file mode 100644 index 00000000..f816820b 
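Review bot: The second `.sops.yaml` hunk adds `*litterbox_osh` to the age list of an existing creation rule, but editing `.sops.yaml` does not re-encrypt the files that rule already covers, so each one still has to be re-keyed (`sops updatekeys <file>`) before litterbox can read it. No such re-keyed file is visible in this part of the diff, so that step may be in a later section or still pending. The rule's `path_regex` and threshold sit above the hunk, so which secrets this opens up cannot be checked from here. If that rule uses `shamir_threshold: 1` like its neighbours, the container's key alone would decrypt everything the rule matches, whereas the per-host rule added in the third hunk keeps that exposure narrower. A comment on the new entry such as `# litterbox needs <which secret> from this file` would record why the access was granted.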
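Review bot: Uncommenting `nixos.sops` and `sops.defaultSopsFile` in `systems/litterbox/nixos.nix` makes this host's secret decryption depend on it holding the private key for the `litterbox_osh` age recipient, and the hunk leaves that dependency undocumented. The name suggests the recipient is derived from the container's SSH host key; if so, reprovisioning the container with a fresh host key leaves `secrets.yaml` undecryptable until the recipient in `.sops.yaml` is replaced and the file re-keyed. I would add a comment above the setting, e.g. `# encrypted to &litterbox_osh in .sops.yaml; run sops updatekeys on secrets.yaml if this host's key changes`. The attribute set holding `imports` begins and ends outside the hunk.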
--- /dev/null +++ b/systems/litterbox/secrets.yaml 
@@ -0,0 +1,57 @@ +tailscale-key: ENC[AES256_GCM,data:fJ+Eikbocenx5EbQR8CN4wclrxbf+Y/0tI4GSPrrt38QPt3Lw8DhY4s=,iv:LDK8zO7tWzU7+YYfC83GnOawNwXkikYJKN97sV+S6zc=,tag:7AFJPd8pRD0R2rvy5aAdeg==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCdEk0eDVHN2N0R3ZjaVhs + WHVkMmxtTW91WHByQ014RGF4alBYL0Nub0ZjCk1tRElkdFFPakJ3S011bWVndkl3 + V3VCRGRQUy94RzFXdHJrQVJhT211ZVEKLS0tIFpxbjB3bnNLbi9zWUlNazJ3bkcw + YUVtek41eFdhUGNUUUN4cmJVSmVCS0kKJuR692ubqxlx/QQms4LYE1LWoaBDiTR1 + VSYqy8NM4T+1nVlLy5xNk0fjrO18VU0W1vGPm6hVYy5XArvXsDAbtQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-23T00:08:06Z" + mac: ENC[AES256_GCM,data:KRSoHWTux2BTJ7KH16xyJkyZnynPYIO+C6rM3WhbdphIx5WtfpSO6pX8juTDmYCob3n3jJdFEfy28M2UjSRJhC/CLcdvUx5vV7J8WVldXox8YN5uyQG5cyW2TkO1qwTov1mj4f2FWQsTgKSyXgn/yyzbA9tcfQ4qBHrUj8XiPHc=,iv:bw7UVnVOT6PN6I8iySrCxh1UIqbRQl5RMgnG5WqIPWA=,tag:NV2NTnsYwIjWJdQoTmhECg==,type:str] + pgp: + - created_at: "2024-02-23T00:05:05Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ//TX+tHe5+9ak83y7y2GbRBWJzrmpBaMUjzoMjez90PbTR + GaW2S6GxTSzxzU463IKfN8va52YJUuRCp3SAPVigN15VSqf9c22KHMKBrAFunNNa + vZ/VRc3LotY9BBok1zp/ryT/LScV2CA6DYiewxq7D+qYuyuXSyV4hQpFNu2Wv+MV + nqkBkAawEDzyB2zOp0HbZAEOQmytNydhuhNyRlapKxtm1hZe22qb2FfqfN+i0l/D + lDCdAi7HkRjQlN+vTC44BmUN7eYWpXi4yHYVeMU+tu8DCrHoTjwGxK/7HsDFMytN + 4iVZtXSYQA5Fy2WExnLMKE7aGkI+OJQijm35oGjbMs0z1rAlXWFJplI8anr/B/Nu + VAMZjPAkRrhAVOVpT0eChZN+sdiVJbSqiwdTYLIovAHfUFkXVK0IhQfRAAI1TCN2 + 0EbBqWQ8+TIwtfKsQpyBPK9c7ch8SR+Wv9IrchkQQeTSv90BrIquVFV65bMOeNoG + /N5jxMTX/QzLLoqbS19H1q8Bs8wsTdvg+WKL79iLexMZl6qw5WM7utzlwYk8S7z+ + pN/m5q4HMSWra7cgXWDAtviHFvVZm6mdQqFk7xUPyFXqpTLclfW1ywiMBH62zLrH + pui2THDFN2IqDOUF/fMYHlpVT+WcaqU4qe+ksdi8wTgNQEfxhDvYYvFPo/cK2HrS + XgHLjbcq47Swi9wnOmnq6jZ1NY9jbHcD6Z61mgjvWYga7ioPf2XMNYZosn1Wmhs5 + 
8u8WUdvA/hkc3opAIPGem0HKyNfbv6G/wTfTq/a8pSMb0nEIrMVtX+YwHrOe5Bw= + =+Na6 + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-02-23T00:05:05Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQf+Nem3ugtOpY8NPgktO+fqraGQjDjMpFDryhvLwh7uuAWg + Z997gb3wY4BVrl0E2omo11vGxzDcjWagLdrVsSpiawyLHZ8JH+WI13zWGXcr4i0H + rnA5kXYy+KC9cWUBP3Vb3kg4t2OczVlgvn67H4+41qYO+uxSh+67tFBF7U0LPFOI + JrUyMvollSTzRyIQmKGgu32/0HxcxZparhIRn3DkxuRElFGubmpQ72N6GCAs9MGB + xosvIwnmHoKjtEbg2y5EJYxnqF8nINlCPTkYpzcre5yCLtxx7fWkvqJUr+kw3GPY + v7SH2g+/dhMpTaV1HG8inf18W1YBDni8qZHV5HZfdNJeAdLzVXK7KOu4C3uoy+EK + WXk0eDttvt5bkPiqJX1aGF/02mPbcqrgZBAVWl+Emte4qzmXr/tySvWeUQSj9X2O + E6GfrzNS97jlQ1N6Lwcx9rE1jqijX8H9I5L2p/GwgA== + =6/ik + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/tf/proxmox_vms.tf b/tf/proxmox_vms.tf index 85be3805..ddc8f901 100644 --- a/tf/proxmox_vms.tf +++ b/tf/proxmox_vms.tf @@ -18,6 +18,7 @@ locals { proxmox_mediabox_config = jsondecode(file("${path.root}/../systems/mediabox/lxc.json")) proxmox_kubernetes_vm_id = 201 proxmox_freeipa_vm_id = 202 + proxmox_freepbx_vm_id = 203 } data "proxmox_virtual_environment_vm" "kubernetes" { @@ -451,3 +452,60 @@ module "litterbox_config" { container = proxmox_virtual_environment_container.litterbox config = local.proxmox_litterbox_config.lxc } + +resource "proxmox_virtual_environment_vm" "freepbx" { + name = "freepbx" + tags = ["tf"] + description = <