diff --git a/flake.lock b/flake.lock
index ace5b99..1470d35 100644
--- a/flake.lock
+++ b/flake.lock
@@ -63,15 +63,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1749483884,
-        "narHash": "sha256-HdyfdVx0NbgrVtLY4lXdX9X/YE3PZjGZFnSyoAy1GJc=",
+        "lastModified": 1749154018,
+        "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "74d196c9943a67908d1883f61154e594d03863e5",
+        "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "release-25.05",
         "repo": "home-manager",
         "type": "github"
       }
diff --git a/flake.nix b/flake.nix
index b0cfa02..8637b27 100644
--- a/flake.nix
+++ b/flake.nix
@@ -90,7 +90,7 @@
     };
 
     home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
diff --git a/hosts/common/core/sops.nix b/hosts/common/core/sops.nix
index 2e1a03b..1c0bbfb 100644
--- a/hosts/common/core/sops.nix
+++ b/hosts/common/core/sops.nix
@@ -1,3 +1,4 @@
+# hosts level sops. see home/[user]/common/optional/sops.nix for home/user level
 {
   pkgs,
   lib,
@@ -7,11 +8,54 @@ }: let sopsFolder = builtins.toString inputs.nix-secrets + "/sops"; in { + #the import for inputs.sops-nix.nixosModules.sops is handled in hosts/common/core/default.nix so that it can be dynamically input according to the platform + sops = { + # defaultSopsFile = "${secretsFile}"; defaultSopsFile = "${sopsFolder}/${config.hostSpec.hostName}.yaml"; validateSopsFiles = false; age = { + # automatically import host SSH keys as age keys sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; }; + # secrets will be output to /run/secrets + # e.g. /run/secrets/msmtp-password + # secrets required for user creation are handled in respective ./users/.nix files + # because they will be output to /run/secrets-for-users and only when the user is assigned to a host. }; + + # For home-manager a separate age key is used to decrypt secrets and must be placed onto the host. This is because + # the user doesn't have read permission for the ssh service private key. However, we can bootstrap the age key from + # the secrets decrypted by the host key, which allows home-manager secrets to work without manually copying over + # the age key. + sops.secrets = lib.mkMerge [ + { + # These age keys are are unique for the user on each host and are generated on their own (i.e. they are not derived + # from an ssh key). + + "keys/age" = { + owner = config.users.users.${config.hostSpec.username}.name; + inherit (config.users.users.${config.hostSpec.username}) group; + # We need to ensure the entire directory structure is that of the user... 
+        path = "${config.hostSpec.home}/.config/sops/age/keys.txt";
+      };
+      # extract password/username to /run/secrets-for-users/ so it can be used to create the user
+      "passwords/${config.hostSpec.username}" = {
+        sopsFile = "${sopsFolder}/shared.yaml";
+        neededForUsers = true;
+      };
+    }
+  ];
+  # The containing folders are created as root and if this is the first ~/.config/ entry,
+  # the ownership is busted and home-manager can't target because it can't write into .config...
+  # FIXME(sops): We might not need this depending on how https://github.com/Mic92/sops-nix/issues/381 is fixed
+  system.activationScripts.sopsSetAgeKeyOwnership = let
+    ageFolder = "${config.hostSpec.home}/.config/sops/age";
+    user = config.users.users.${config.hostSpec.username}.name;
+    group = config.users.users.${config.hostSpec.username}.group;
+  in ''
+    mkdir -p ${ageFolder} || true
+    chown -R ${user}:${group} ${config.hostSpec.home}/.config
+  '';
 }
+
diff --git a/hosts/nixos/Infiltrator/default.nix b/hosts/nixos/Infiltrator/default.nix
new file mode 100644
index 0000000..8b51450
--- /dev/null
+++ b/hosts/nixos/Infiltrator/default.nix
@@ -0,0 +1,49 @@
+############################
+# #
+# Infiltrator - Redteam VM #
+# #
+############################
+{
+  inputs,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = lib.flatten [
+    # Disks
+    inputs.disko.nixosModules.disko
+    (lib.custom.relativeToRoot "hosts/common/disks/btrfs-disk.nix")
+    {
+      _module.args = {
+        disk = "/dev/vda";
+        withSwap = false;
+      };
+    }
+
+    # Misc
+
+    (map lib.custom.relativeToRoot [
+      # Required configs
+      "hosts/common/core"
+
+      # Optional configs
+    ])
+  ];
+
+  hostSpec = {
+    hostName = "infiltrator";
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  networking = {
+    networkmanager.enable = true;
+    enableIPv6 = false;
+  };
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+    timeout = 3;
+  };
+}
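Review bot: The `sopsSetAgeKeyOwnership` activation script runs `chown -R` as root over all of `${config.hostSpec.home}/.config`, which is much wider than the `sops/age` directory it is meant to repair and silently re-owns everything else the user keeps there; `mkdir -p` also resolves each path component, so if `~/.config` were a user-placed symlink the directory would be created elsewhere as root. Keeping the repair to the tree this module creates — `mkdir -p "${ageFolder}"`, `chown ${user}:${group} "${config.hostSpec.home}/.config"` (non-recursive, only the directory itself) and `chown -R ${user}:${group} "${config.hostSpec.home}/.config/sops"` — fixes the ownership problem the FIXME describes without touching unrelated files, and dropping `|| true` stops a failed `mkdir` from being hidden until the later `chown` fails for an unrelated-looking reason. The comment block above `sops.secrets` should also state plainly that `keys.txt` is the user's long-lived age private key and is readable by any process running as that user, which is what makes home-manager secrets work and also what a compromised user session gets. Whether sops-nix installs the `keys/age` secret before or after this activation script runs is not visible in the hunk and is worth confirming, since the ownership fix only matters once the directory exists.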
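Review bot: Nothing in this file beyond the banner documents that importing `hosts/common/core` brings in the host-level sops module, so this VM needs an `infiltrator.yaml` under the nix-secrets `sops` folder (it becomes `defaultSopsFile` through `hostSpec.hostName`) and will receive the shared user password from `shared.yaml` plus the user's age private key in its home; for a red-team VM that is likely to be copied, snapshotted or exposed that deserves a comment next to `hostSpec`, e.g. `# core imports host sops: expects <nix-secrets>/sops/infiltrator.yaml and installs the user's age key into $HOME; keep this VM's secrets separate from workstation ones`. Whether `hosts/common/disks/btrfs-disk.nix` encrypts `/dev/vda` is not visible here; if it does not, the age key and any decrypted secrets sit in clear on the VM image, which should at least be noted. No firewall setting appears in this file, so the host inherits whatever the core configures, which is worth a one-line note for a machine in this role.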