diff --git a/.devfiles/hooks/.gitkeep b/.devfiles/hooks/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/.devfiles/hooks/commit-msg.sh b/.devfiles/hooks/commit-msg.sh
new file mode 100644
index 0000000..1c54b90
--- /dev/null
+++ b/.devfiles/hooks/commit-msg.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+cog verify --file "$1"
diff --git a/.devfiles/hooks/pre-commit.sh b/.devfiles/hooks/pre-commit.sh
new file mode 100644
index 0000000..c8d84f5
--- /dev/null
+++ b/.devfiles/hooks/pre-commit.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+cd "$root"
+
+export PATH=$PATH:.devfiles/bin
+
+gitleaks git
+
+# Only validate encrypted files if we are tracking any
+if [[ -e .ageboxreg.yml ]]; then
+ agebox validate --no-decrypt
+fi
diff --git a/.devfiles/justfile b/.devfiles/justfile
index 1833382..2d9a105 100644
--- a/.devfiles/justfile
+++ b/.devfiles/justfile
@@ -1,14 +1,22 @@ set dotenv-load := true +export PATH := source_dir() + "/bin:" + source_dir() + "/scripts:" + env("PATH") export AGEBOX_DEBUG := "0" export AGEBOX_PUBLIC_KEYS := source_dir() + "/public_keys.txt" -fetch-deps: - .devfiles/scripts/fetch_gh_release.sh "slok/agebox" "agebox-linux-amd64" "agebox" +# Install agebox from the latest github realse +install-agebox: + curl -sSL "https://github.com/slok/agebox/releases/latest/download/agebox-linux-amd64" -o .devfiles/bin/agebox + chmod + x .devfiles/bin/agebox + +[no-cd] +install-hooks: + cog install-hook --all # Easy and simple file repository encryption tool based on Age. +[working-directory('..')] agebox +ARGS="--help": - @.devfiles/bin/agebox {{ ARGS }} + @agebox {{ ARGS }} # Encrypt the provided files, relative to project root. encrypt +FILES: (agebox "encrypt " + FILES) 
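Review bot: Both hook scripts are added with mode 100644 (this file and pre-commit.sh) while the scripts under `.devfiles/scripts` are 100755; whether that matters depends on how `cog install-hook` installs the paths listed under `[git_hooks]` in cog.toml — if it links or copies the file without adding the execute bit, git skips the hook silently, so `chmod +x` on both files in the repo is the safe choice. `set -euxo pipefail` also enables `-x`, which echoes every command of the hook to the terminal on each commit; unless the trace is wanted, `set -euo pipefail` is the usual setting for a hook, and the same applies to pre-commit.sh.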
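Review bot: `gitleaks git` with no flags walks the commit log, so as a pre-commit hook it re-scans history on every commit and does not look at the staged changes the commit is about to add — a secret in the index passes the hook and only shows up on the next commit's history scan. In gitleaks versions that provide them, `gitleaks git --pre-commit` (or `--staged`) scans the staged diff instead; older releases spell this `gitleaks protect --staged`, so the hook should pin whichever form the installed version supports. A comment such as `# scan the staged diff, not history; history is covered by the leaks recipe` would make the intent clear next to the call.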
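Review bot: `chmod + x .devfiles/bin/agebox` in the new `install-agebox` recipe passes `+` alone as the mode, which chmod rejects, so the recipe fails right after the download and the binary is left non-executable; it should read `chmod +x .devfiles/bin/agebox` (if the space is only a rendering artefact of this page, disregard). The download fetches `releases/latest/download/agebox-linux-amd64` with no version pin and no integrity check, and the new `export PATH := source_dir() + "/bin:" ...` line puts that directory ahead of everything else on PATH, so whatever the URL serves becomes the `agebox` that every recipe and the pre-commit hook run; pin a release tag and compare the file against a checksum recorded in the repo (or published with the release) before the `chmod`. The recipe also writes to `.devfiles/bin/agebox` relative to the working directory, while the sibling `agebox` recipe needed `[working-directory('..')]` once this file is loaded as a module — presumably the install path needs the same treatment, worth confirming by running `repo::install-agebox` from the repo root.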
@@ -26,7 +34,11 @@ decrypt-all: (agebox "decrypt --all --force") reencrypt: (agebox "reencrypt") # Show the content of an encrypted file to stdout. -peek +FILES: (agebox "cat " + FILES) +crypt-peek +FILES: (agebox "cat " + FILES) # Validate that all tracked files are encrypted. -check:(agebox "validate --no-decrypt ") +crypt-check:(agebox "validate --no-decrypt ") + +# Validate no credentials are pushed to git +leaks: + @gitleaks git --verbose --redact
diff --git a/.devfiles/scripts/.gitkeep b/.devfiles/scripts/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/.devfiles/scripts/dependecy-check.sh b/.devfiles/scripts/dependecy-check.sh
new file mode 100755
index 0000000..684a14b
--- /dev/null
+++ b/.devfiles/scripts/dependecy-check.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+export PATH=$root/.devfiles/bin:$root/.devfiles/scripts:$PATH
+
+devtools=(
+ age
+ agebox
+ cog
+ gitleaks
+)
+
+missing_tools=()
+
+for cmd in "${devtools[@]}"; do
+ if ! command -v "$cmd" &>/dev/null; then
+ missing_tools+=("$cmd")
+ fi
+done
+
+if [[ ${#missing_tools[@]} != 0 ]]; then
+ echo "The following tools where not found:"
+ printf "%s\n" "${missing_tools[@]}"
+ exit 1
+else
+ echo -e "All tools are installed!"
+fi
diff --git a/.devfiles/scripts/gitignore.sh b/.devfiles/scripts/gitignore.sh
new file mode 100755
index 0000000..0b5100d
--- /dev/null
+++ b/.devfiles/scripts/gitignore.sh
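Review bot: The error message at `echo "The following tools where not found:"` has a typo (`were`), and `echo -e` on the success line has no escape sequences to interpret, so plain `echo` or `printf '%s\n' "All tools are installed!"` is enough; the filename `dependecy-check.sh` is misspelled too, which will propagate into every recipe that later references it. Because `$root/.devfiles/bin` is prepended to PATH before the `command -v` loop, a repo-local binary is reported as present ahead of any system install; that is presumably intended, but a one-line comment such as `# repo-local tools in .devfiles/bin take precedence over system ones` would make the ordering deliberate rather than incidental. `[[ ${#missing_tools[@]} != 0 ]]` works but compares strings; `(( ${#missing_tools[@]} ))` states the numeric test directly.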
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+base_url="https://git.alecodes.page/api/v1/gitignore/templates"
+
+query="$*"
+
+list_available() {
+ curl -Ssl $base_url | jq -r '.[]'
+}
+
+if [[ -z $query ]]; then
+ list_available
+ exit 0
+fi
+
+tmp_file="$(mktemp)"
+
+for template in $query; do
+ # Capitalize the string
+ template=${template,,}
+ template=${template^}
+
+ response="$(curl -Ssl "$base_url/$template")"
+ name="$(echo "$response" | jq -r '.name')"
+ content="$(echo "$response" | jq -r '.source')"
+
+ if [[ "$content" == "null" ]]; then
+ echo "Template not found, available options:"
+ list_available
+ exit 1
+ fi
+
+ printf "\n### %s\n\n%s\n\n" "$name" "$content" >>"$tmp_file"
+done
+
+sed -i -ne "/#### -- TEMPLATES BEGIN -- ####/ {p; r $tmp_file" -e ':a; n; /#### -- TEMPLATES END -- ####/ {p; b}; ba}; p' "$root/.gitignore"
+
+rm "$tmp_file"
diff --git a/.env.agebox b/.env.agebox
new file mode 100644
index 0000000..ae7ac75
Binary files /dev/null and b/.env.agebox differ
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..284c7b0
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1,3 @@
+467de171837c165cd412332584d54201f93b0d41:files/docker/lemmy/lemmy.hjson:generic-api-key:12
+467de171837c165cd412332584d54201f93b0d41:files/docker/lemmy/lemmy.hjson:generic-api-key:8
+467de171837c165cd412332584d54201f93b0d41:files/docker/lemmy/pictrs.toml:generic-api-key:2
diff --git a/.justfile b/.justfile
index 8c48d89..9b84444 100644
--- a/.justfile
+++ b/.justfile
@@ -1,4 +1,5 @@ -import '.devfiles/justfile' +# Repo management tasks +mod repo '.devfiles/justfile' export ANSIBLE_VAULT_PASSWORD_FILE := justfile_directory() + "/.decrypt-pass.txt" export ANSIBLE_BECOME_PASSWORD_FILE := justfile_directory() + "/.become-pass.txt"
diff --git a/cog.toml b/cog.toml
new file mode 100644
index 0000000..2f52731
--- /dev/null
+++ b/cog.toml
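Review bot: `tmp_file="$(mktemp)"` is only removed on the success path; the `exit 1` inside the loop, or any command failing under `set -e` (a curl error, say), leaves the temp file behind, so register cleanup right after creating it, `trap 'rm -f -- "$tmp_file"' EXIT`, and drop the trailing `rm "$tmp_file"`. Both curl calls use `-Ssl`, which is `-s -S -l` (`-l` being the FTP list-only option) and almost certainly meant `-sSL`, and neither passes `--fail`, so an HTTP error body from the templates API is handed to jq as if it were a template; `curl -sSfL` on both lines fixes that, and the unquoted `$base_url` in `list_available` should be `"$base_url"`. `$template` comes straight from the command line and is spliced into the request path unencoded, so a value containing `/`, `?` or `..` changes which endpoint is queried; rejecting anything outside `[A-Za-z0-9._+-]` before the request keeps the lookup to a single template name. The `# Capitalize the string` comment describes only the second expansion; `# lower-case, then upper-case the first letter` matches what the two lines do.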
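Review bot: All three fingerprints point at commit 467de171837c165cd412332584d54201f93b0d41 (`files/docker/lemmy/lemmy.hjson` lines 8 and 12, `files/docker/lemmy/pictrs.toml` line 2), and a fingerprint only suppresses the report — the matched values stay in history, and the new `gitleaks git` hook and `leaks` recipe will simply stop mentioning them. If those are live credentials they should be rotated regardless of the ignore entry, and the reason for each suppression (rotated, false positive, or test value) recorded in the commit message or alongside this file so the next reader does not have to rediscover it.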
@@ -0,0 +1,31 @@ +from_latest_tag = false +ignore_merge_commits = true +disable_changelog = false +disable_bump_commit = false +generate_mono_repository_global_tag = true +generate_mono_repository_package_tags = true +branch_whitelist = [] +skip_ci = "[skip ci]" +skip_untracked = false +pre_bump_hooks = [] +post_bump_hooks = [] +pre_package_bump_hooks = [] +post_package_bump_hooks = [] + +[git_hooks] + +[git_hooks.pre-commit] +path = ".devfiles/hooks/pre-commit.sh" + +[git_hooks.commit-msg] +path = ".devfiles/hooks/commit-msg.sh" + +[commit_types] + +[changelog] +path = "CHANGELOG.md" +authors = [] + +[bump_profiles] + +[packages] diff --git a/roles/common/files/robo_key b/roles/common/files/robo_key deleted file mode 100644 index 3bb907f..0000000 --- a/roles/common/files/robo_key +++ /dev/null @@ -1,25 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -34326137303139636664306330643433353766383839373262633531633336336434326136633331 -6266336136633662366234303339343435633935653835330a313337386531346535633164363732 -33333162663564343032323038353737663532616133353538626265646665393131336132393863 -3335613064643365380a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diff --git a/roles/common/files/robo_key.agebox b/roles/common/files/robo_key.agebox new file mode 100644 index 0000000..93e0f99 --- /dev/null +++ b/roles/common/files/robo_key.agebox @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> X25519 gYcsPablv8DX5YR2YElCe9IYxd4jACU30GaL97JfETM +PSYUSaAkiHBtprz6qUKqP8RFPkgHCwwnFCACzKlsGU0 +--- giGOMUX2iMWaixyGM7ZxyCPMz10xFxNIJA9vpsJEW+4 +JvtpT(~AnfL3$PyU !]oޘב/׏L S:b-frql=@wrq6{eۃlg u{bL_>cb4?e})Pp|D,oIX_cpG%yG)`sR7PRKu% z0aԮXKr>'SLwppIo/M /2:@.n9 cXG_-ObOPTDƙ`p:F{,xULa1erB\J BqesBѽ="X70=vyWǁ }U'!: ;pnr2D*nQv4%|KxH\1:D40r{ \ No newline at end of file