diff --git a/hosts/modules/nasp.nix b/hosts/modules/nasp.nix
index 304e847..3517712 100644
--- a/hosts/modules/nasp.nix
+++ b/hosts/modules/nasp.nix
@@ -6,6 +6,8 @@ let
 dockerCfg = mainCfg.docker;
 nginxCfg = mainCfg.nginx;
 registryCfg = mainCfg.registry;
+ sopsCfg = mainCfg.sops;
+ telegrafCfg = mainCfg.telegraf;
 gCfg = mainCfg.gSeries;
 dnew = (pkgs.writeShellScriptBin "dnew" (builtins.readFile ./scripts/dnew));
 in
@@ -25,6 +27,12 @@ in
 registry = {
 enable = lib.mkEnableOption "the nasp registry";
 };
+ sops = {
+ enable = lib.mkEnableOption "sops";
+ };
+ telegraf = {
+ enable = lib.mkEnableOption "telegraf";
+ };
 gSeries = {
 enable = lib.mkEnableOption "the g-series server configurations";
 serial = lib.mkOption {
@@ -234,6 +242,58 @@ in %nasp ALL = (root) NOPASSWD: /run/current-system/sw/bin/ip ''; }) + # sops-nix + ## gpg --fetch-keys "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xa5d6250d1806caa8" + ## nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' + ## mkdir -p ~/.config/sops/age + ## nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > ~/.config/sops/age/keys.txt" + (lib.mkIf sopsCfg.enable { + sops.defaultSopsFile = ../${mainCfg.hostName}/secrets.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + }) + # telegraf + (lib.mkIf (telegrafCfg.enable) { + sops.secrets.telegraf = assert sopsCfg.enable; {}; + services.telegraf = { + enable = true; + environmentFiles = [ "/run/secrets/telegraf" ]; + extraConfig = { + agent = { + interval = "3s"; + round_interval = true; + metric_batch_size = 1000; + metric_buffer_limit = 10000; + collection_jitter = "0s"; + flush_interval = "30s"; + flush_jitter = "3s"; + precision = "0s"; + hostname = assert (mainCfg.netName != ""); mainCfg.netName; + omit_hostname = false; + }; + outputs.influxdb_v2 = { + urls = [ "\${INFLUX_URL}" ]; + token = "\${INFLUX_TOKEN}"; + organization = "nasp.fit"; + bucket = "trash"; + bucket_tag = "bucket"; + exclude_bucket_tag = true; + timeout = "5s"; + }; + inputs.system = { + name_override = "load"; + tags = { bucket = "device"; }; + fieldpass = [ "load1" "bucket" ]; + interval = "15s"; + }; + inputs.mem = { + name_override = "memory"; + tags = { bucket = "device"; }; + fieldpass = [ "used" "total" "bucket"]; + interval = "30s"; + }; + }; + }; + }) # g series (lib.mkIf (gCfg.enable) (let ipSuffix = (builtins.toString (gCfg.serial + 100)); in { 
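Review bot: The key-bootstrap recipe at the top of the sops-nix block fetches the GPG key over plain HTTP and selects it by 64-bit key ID, so a network attacker or a colliding key ID can hand a fresh host the wrong public key without any error; change it to `## gpg --fetch-keys "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x<full-fingerprint>"` and add a line telling the operator to compare the imported fingerprint against one obtained out of band. The `keys.txt` step writes the host's decryption key into the user's home, so the comment should also say to keep that file `0600` and out of the repository. In the telegraf block, `environmentFiles = [ "/run/secrets/telegraf" ]` hard-codes sops-nix's default secret location; `environmentFiles = [ config.sops.secrets.telegraf.path ];` follows the option instead, assuming `config` is in the module's arguments, which the hunk does not show. The bare `assert sopsCfg.enable;` aborts evaluation with an unexplained assertion failure when a host turns sops off but leaves telegraf on; a NixOS `assertions` entry whose message names both options fails the same way but tells the operator why. The module list these two `lib.mkIf` blocks sit in opens and closes outside the hunk.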
@@ -314,11 +374,24 @@ in
 fsType = "nfs";
 };
 ## packages and services
- nasp.docker.enable = true;
- nasp.nvidia.enable = true;
- nasp.registry.enable = true;
- nasp.nginx.enable = true;
- nasp.nginx.enableCodeServer = true;
+ nasp.docker.enable = lib.mkDefault true;
+ nasp.nvidia.enable = lib.mkDefault true;
+ nasp.registry.enable = lib.mkDefault true;
+ nasp.nginx.enable = lib.mkDefault true;
+ nasp.nginx.enableCodeServer = lib.mkDefault true;
+ nasp.sops.enable = lib.mkDefault true;
+ nasp.telegraf.enable = lib.mkDefault true;
+ services.telegraf.extraConfig = {
+ inputs.net = {
+ interfaces = [ gCfg.eth0Name gCfg.eth1Name gCfg.eth2Name ];
+ ignore_protocol_stats = true;
+ tags = { bucket = "device"; };
+ };
+ inputs.nvidia_smi = {
+ bin_path = "/run/current-system/sw/bin/nvidia-smi";
+ tags = { bucket = "device"; };
+ };
+ };
 }))
 ]);
 }
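Review bot: The `inputs.nvidia_smi` block is unconditional while `nasp.nvidia.enable` a few lines above it has just become an overridable `lib.mkDefault true`, so a g-series host that turns the nvidia option off still gets an nvidia_smi input pointing at `/run/current-system/sw/bin/nvidia-smi`, which then fails at Telegraf runtime rather than at evaluation; guard it, e.g. `inputs.nvidia_smi = lib.mkIf config.nasp.nvidia.enable { … };`, assuming `config` is in the module's arguments (not shown in the hunk). If the NixOS telegraf unit runs as a dynamic user (it does in recent nixpkgs, worth confirming), also check that user can open the `/dev/nvidia*` devices, otherwise the input errors for a second, less obvious reason. The `(lib.mkIf (gCfg.enable) (let … in {` expression these lines belong to opens in the previous hunk.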