diff --git a/flake.nix b/flake.nix
index 235fc8a..6207bde 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 28 current 2025-10-07 15:30:08 25.05.20251001.5b5be50 6.12.49 *
+# generation: 29 current 2025-10-07 15:47:05 25.05.20251001.5b5be50 6.12.49 *
 {
 description = "blakes nix config";
 inputs = {
diff --git a/modules/homelab/nginx-proxy.nix b/modules/homelab/nginx-proxy.nix
index cdcfe7f..0200921 100644
--- a/modules/homelab/nginx-proxy.nix
+++ b/modules/homelab/nginx-proxy.nix
@@ -20,5 +20,17 @@ in
 acceptTerms = true;
 defaults.email = "me@blakedheld.xyz";
 };
+
+ # nginx secrets
+ sops.secrets = {
+ "ssl_blakedheld_crt" = {
+ owner = "nginx";
+ group = "nginx";
+ };
+ "ssl_blakedheld_key" = {
+ owner = "nginx";
+ group = "nginx";
+ };
+ };
 };
 }
diff --git a/modules/homelab/services/default.nix.template b/modules/homelab/services/default.nix.template
index 7c8b458..f7a1cd4 100644
--- a/modules/homelab/services/default.nix.template
+++ b/modules/homelab/services/default.nix.template
@@ -20,6 +20,7 @@ in
 backup = lib.mkOption {
 type = lib.types.bool;
 default = true;
+ description = "enable backups for ";
 };
 };
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 0bc98a1..8a41a88 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
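Review bot: The two `sops.secrets` entries added after `defaults.email` carry no `lib.mkIf config.modules.homelab.nginx-proxy.enable` guard, whereas the definitions they replace in `modules/system/sops.nix` (later in this diff) did; unless the enclosing set, which starts outside the hunk, is itself a `lib.mkIf cfg.enable`, every host importing this module will now require both secrets in the sops store and the `nginx` user to chown them to, so this is worth confirming against the top of the file. Leaving `mode` unset keeps sops-nix's default of `0400` for `ssl_blakedheld_key`, which is the right choice for a private key and should stay that way even if the cert's mode is later relaxed. The cert and key bodies are otherwise identical and could be written once, `sops.secrets = lib.genAttrs [ "ssl_blakedheld_crt" "ssl_blakedheld_key" ] (_: { owner = "nginx"; group = "nginx"; });`, assuming `lib` is in scope as it is in the sibling modules. A short comment saying where nginx consumes them (`config.sops.secrets."ssl_blakedheld_key".path` in the virtualHost) would help the next reader, since that wiring is not in this hunk.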
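Review bot: The new `description = "enable backups for ";` ends in a dangling `for ` with nothing after it; since this is a `.template` file, it looks as though the service-name substitution token was meant to follow and is missing, which would leave the rendered option description truncated. Either add the token the template expects at that position or close the sentence, e.g. `description = "enable backups for this service";`. The enclosing options set starts and ends outside the hunk.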
@@ -18,36 +18,39 @@ in
 age.keyFile = "/home/blake/.config/sops/age/keys.txt";
 secrets = {
- # define secrets with the following syntax
- # secret path is the nesting of headings in the yaml file
- # the secret is auto place in /run/ path allows you to symlink to the /run to where ever is needed
- # "" = {
- # owner = "";
- # group = "";
- # path = ""
- # };
+ # blake user secrets
+ lib.mkIf config.users.blake.enable {
+ "blake_passwd" = {
+ owner = "root";
+ group = "root";
+ neededForUsers = true;
+ };
+ }
- "tailscale_authkey" = lib.mkIf config.modules.system.tailscale.enable {
- owner = "root";
- };
+ # backups secrets
 "borg_passwd" = lib.mkIf config.modules.system.backups.enable {
 owner = "root";
 group = "root";
 };
- "blake_passwd" = lib.mkIf config.users.blake.enable {
+
+ # tailscale secrets
+ "tailscale_authkey" = lib.mkIf config.modules.system.tailscale.enable {
 owner = "root";
- group = "root";
- neededForUsers = true;
 };
- "ssl_blakedheld_crt" = lib.mkIf config.modules.homelab.nginx-proxy.enable {
- owner = "nginx";
- group = "nginx";
- };
- "ssl_blakedheld_key" = lib.mkIf config.modules.homelab.nginx-proxy.enable {
- owner = "nginx";
- group = "nginx";
- };
-
+
+ # nginx secrets
+# lib.mkIf config.modules.homelab.nginx-proxy.enable {
+# "ssl_blakedheld_crt" = {
+# owner = "nginx";
+# group = "nginx";
+# };
+#
+# "ssl_blakedheld_key" = {
+# owner = "nginx";
+# group = "nginx";
+# };
+# }
+
 };
 };
 };
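Review bot: The `lib.mkIf config.users.blake.enable { "blake_passwd" = { … }; }` entry at the top of `secrets` is not a binding — inside `secrets = { … }` every entry must be `name = value;`, so this shape should fail to parse (its closing `}` also lacks a `;`), and the commented-out `# nginx secrets` block at the bottom has the same shape, which may be why it was disabled. The per-secret form the hunk keeps for `borg_passwd` and `tailscale_authkey` is the working one and should be used for `blake_passwd` too, as in the fence. The commented-out nginx block duplicates what `modules/homelab/nginx-proxy.nix` defines in this same commit; drop it and leave a pointer instead, `# nginx TLS secrets live in modules/homelab/nginx-proxy.nix`. The syntax explanation removed at the top of the hunk was the only documentation of how entries are declared; a one-line replacement such as `# each entry: "<yaml key>" = { owner; group; … }; — decrypted into /run by sops-nix` would keep that. The enclosing set starts outside the hunk.

```nix
    # blake user secrets
    # neededForUsers: sops-nix makes this secret available before user accounts are created
    "blake_passwd" = lib.mkIf config.users.blake.enable {
      owner = "root";
      group = "root";
      neededForUsers = true;
    };
    # … unchanged: borg_passwd, tailscale_authkey …
```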