diff --git a/README.md b/README.md
index 7d3dfca..efe0e1f 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ A project to store homelab stuff.
## Fun Facts
On linux, ctrl+shift+u, then, while holding
-ctrl+shift, typing b+0 will type a ° symbol. Also you
+ctrl+shift, typing b+0 will type a ° (degree) symbol. Also you
can enter any unicode symbol this way.
## Project Lifecycle
diff --git a/cloud/graduated/aws_iam/README.md b/cloud/graduated/aws_iam/README.md
index 17da9e2..92921ab 100644
--- a/cloud/graduated/aws_iam/README.md
+++ b/cloud/graduated/aws_iam/README.md
@@ -8,17 +8,17 @@ aws iam create-user --user-name $AWS_USERNAME
aws iam create-access-key --user-name $AWS_USERNAME
# Allow updating reeseapps
-aws iam attach-user-policy --user-name $AWS_USERNAME --policy-arn $(cat secrets/aws/update-reeseapps-iam-policy-arn)
+aws iam attach-user-policy --user-name $AWS_USERNAME --policy-arn $(cat cloud/graduated/aws_iam/secrets/update-reeseapps-iam-policy-arn)
# Allow updating reeselink
-aws iam attach-user-policy --user-name $AWS_USERNAME --policy-arn $(cat secrets/aws/update-reeselink-iam-policy-arn)
+aws iam attach-user-policy --user-name $AWS_USERNAME --policy-arn $(cat cloud/graduated/aws_iam/secrets/update-reeselink-iam-policy-arn)
```
## AWS Certbot Route53 Policies
Example Policy:
-secrets/aws/policies/route53_reeselink.json
+cloud/graduated/aws_iam/secrets/policies/route53_reeselink.json
```json
{
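Review bot: the new `cloud/graduated/aws_iam/secrets/...` paths inside the `$(cat ...)` substitutions are relative to the repository root, so these commands only work when run from there; say so above the block or build the paths from `$(git rev-parse --show-toplevel)`. Also, since the directory is named `secrets` and now sits inside the tracked tree, confirm it is covered by `.gitignore` before the README points people at it.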
@@ -50,8 +50,8 @@ secrets/aws/policies/route53_reeselink.json
```bash
# Allow updating route53 records for reeselink.com
-aws iam create-policy --policy-name update-reeselink --policy-document file://secrets/aws/policies/route53_reeselink.json
+aws iam create-policy --policy-name update-reeselink --policy-document file://cloud/graduated/aws_iam/secrets/route53_reeselink_policy.json
# Allow updating route53 records for reeseapps.com
-aws iam create-policy --policy-name update-reeseapps --policy-document file://secrets/aws/policies/route53_reeseapps.json
+aws iam create-policy --policy-name update-reeseapps --policy-document file://cloud/graduated/aws_iam/secrets/route53_reeseapps_policy.json
```
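Review bot: the policy document paths here do not match the example path given in the previous hunk: this block uses `cloud/graduated/aws_iam/secrets/route53_reeselink_policy.json`, while the "Example Policy" line above refers to `cloud/graduated/aws_iam/secrets/policies/route53_reeselink.json`. Pick one layout (a `policies/` directory or a `_policy` suffix) and use it in both places, otherwise `aws iam create-policy` fails on a missing file.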
diff --git a/cloud/graduated/aws_route53/README.md b/cloud/graduated/aws_route53/README.md
index 41155fa..310fe4b 100644
--- a/cloud/graduated/aws_route53/README.md
+++ b/cloud/graduated/aws_route53/README.md
@@ -17,14 +17,14 @@ convenience.
## Reeselink Addresses
-See `example-record-file.json` for example contents of `file://secrets/aws/reeselink.json`.
+See `example-record-file.json` for example contents of `file://cloud/graduated/aws_route53/secrets/aws/reeselink.json`.
```bash
-aws route53 change-resource-record-sets --hosted-zone-id $(cat secrets/aws/reeselink-zoneid) --change-batch file://secrets/aws/reeselink.json
+aws route53 change-resource-record-sets --hosted-zone-id $(cat cloud/graduated/aws_route53/secrets/reeselink-zoneid) --change-batch file://cloud/graduated/aws_route53/secrets/reeselink.json
```
## Reeseapps Addresses
```bash
-aws route53 change-resource-record-sets --hosted-zone-id $(cat secrets/aws/reeseapps-zoneid) --change-batch file://secrets/aws/reeseapps.json
+aws route53 change-resource-record-sets --hosted-zone-id $(cat cloud/graduated/aws_route53/secrets/reeseapps-zoneid) --change-batch file://cloud/graduated/aws_route53/secrets/reeseapps.json
```
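Review bot: the `See example-record-file.json` line points at `cloud/graduated/aws_route53/secrets/aws/reeselink.json` (an extra `aws/` segment), but the command under it reads `cloud/graduated/aws_route53/secrets/reeselink.json`. Drop the stray `aws/` so the documented path matches what the command actually loads.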
diff --git a/docker/graduated/nextcloud/README.md b/docker/graduated/nextcloud/README.md
index f42814d..4fc70ad 100644
--- a/docker/graduated/nextcloud/README.md
+++ b/docker/graduated/nextcloud/README.md
@@ -48,6 +48,7 @@ docker network create --subnet="fd12:3456:789a:2::/64" --driver bridge --ipv6 ne
# Default
# Note: this puts all your nextcloud data in /nextcloud
docker run \
+-d \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
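Review bot: with `-d` added, the container detaches immediately, so `--sig-proxy=false` on the following line no longer has any effect (signal proxying only applies to an attached foreground run). Either drop that flag or add a short comment saying the detached form is now the default and how to follow the container output (`docker logs -f nextcloud-aio-mastercontainer`).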
diff --git a/hardware/graduated/home-assistant/README.md b/hardware/graduated/home-assistant/README.md
index b4d0269..4a339a1 100644
--- a/hardware/graduated/home-assistant/README.md
+++ b/hardware/graduated/home-assistant/README.md
@@ -5,6 +5,8 @@
- [Door Lock](#door-lock)
- [Philips Hue Lights](#philips-hue-lights)
- [Shelly](#shelly)
+ - [Relative Humidity Calculator](#relative-humidity-calculator)
+ - [Font Colors](#font-colors)
## Setup and Configuration
@@ -37,3 +39,32 @@ the range of your home assistant's bluetooth capabilities. Active scanning uses
is quicker to pick up and transmit device information. Note that "gateway mode" is not required,
just enable bluetooth and rpc or select "active" from the configuration menu for the shelly
device.
+
+### Relative Humidity Calculator
+
+
+
+You can calculate the relative humidity of the outdoor air if warmed to indoor temperatures like so:
+
+```jinja
+{% set dew_point = state_attr("weather.forecast_home", "dew_point") %}
+{% set air_temp_f = state_attr("climate.ecobee_thermostat", "current_temperature") %}
+{% set air_temp = (5/9)*(air_temp_f-32) %}
+{% set sat_vap_press = 6.11 * 10**((7.5*air_temp) / (237.3+air_temp)) %}
+{% set act_vap_press = 6.11 * 10**((7.5*dew_point) / (237.3+dew_point)) %}
+{% set rel_hum = 100*(act_vap_press / sat_vap_press) %}
+
+{{ dew_point }}
+{{ air_temp }}
+{{ sat_vap_press }}
+{{ act_vap_press }}
+{{ rel_hum }}
+```
+
+### Font Colors
+
+```html
+ low_humidity and state_attr("climate.ecobee_thermostat", "current_humidity") < high_humidity else "red" }}>
+HVAC Humidity: {{ state_attr("climate.ecobee_thermostat", "current_humidity") }}%
+
+```
\ No newline at end of file
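Review bot: the `html` block under "Font Colors" is incomplete: it starts mid-expression at `low_humidity and ...`, so the opening `<font color=` / `{{ "green" if ...` part is missing, `low_humidity` and `high_humidity` are never defined with `{% set %}`, and there is no closing tag for the element the colour applies to. Please include the full template. The two empty `+` lines directly after the `### Relative Humidity Calculator` heading should go, and the file needs the trailing newline flagged by `\ No newline at end of file`.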
diff --git a/infrastructure/graduated/arch/README.md b/infrastructure/graduated/arch/README.md
index e1825d2..4fae60d 100644
--- a/infrastructure/graduated/arch/README.md
+++ b/infrastructure/graduated/arch/README.md
@@ -18,6 +18,8 @@ instructions for building a:
- [Base Tools](#base-tools)
- [ZSH](#zsh)
- [Prompt Themes](#prompt-themes)
+ - [Pacman](#pacman)
+ - [Rollback previous upgrade](#rollback-previous-upgrade)
- [AUR](#aur)
- [Security](#security)
- [Secure Boot](#secure-boot)
@@ -325,15 +327,59 @@ promptinit
prompt grml
```
+### Pacman
+
+
+
+#### Rollback previous upgrade
+
+This script will roll back a pacman update if something goes wrong.
+
+~/.local/scripts/rollback_update.sh
+
+```bash
+#!/bin/bash
+
+# Extract the list of most recent updates and save them to /tmp/lastupdates.txt
+grep -a upgraded /var/log/pacman.log| grep $(date +"%Y-%m-%d") > /tmp/lastupdates.txt
+
+# Extract the package names, save to /tmp/lines1
+awk '{print $4}' /tmp/lastupdates.txt > /tmp/lines1
+
+# Extract the previous version of each package, save to /tmp/lines2
+awk '{print $5}' /tmp/lastupdates.txt | sed 's/(/-/g' > /tmp/lines2
+
+# concat package name with previous version, save to /tmp/lines
+paste /tmp/lines1 /tmp/lines2 > /tmp/lines
+
+# Remove the whitespace between the package name and the version
+tr -d "[:blank:]" < /tmp/lines > /tmp/packages
+
+# Old versions of packages are stored here
+cd /var/cache/pacman/pkg/
+
+# For each package, install from cache
+for i in $(cat /tmp/packages);
+do
+ sudo pacman --noconfirm -U "$i"*
+done
+```
+
### AUR
The AUR lets you install community-created and maintained packages. Here are the basics:
```bash
pacman -S --needed git base-devel
-mkdir ~/AUR
+
+# For packages you plan on keeping (works with auto-update script)
+mkdir -p ~/AUR/install
+
+# For packages you are experimenting with (no auto-update)
+mkdir -p ~/AUR/inspect
# When you find a project, the basic installation looks like this:
+cd ~/AUR/inspect
git clone
cd
```
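Review bot: in `rollback_update.sh`, the glob in `sudo pacman --noconfirm -U "$i"*` also matches the detached `.sig` files in `/var/cache/pacman/pkg/` and any cached package whose filename merely starts with the same prefix (`foo-1.0-1*` also matches `foo-1.0-10-...`), so pacman is handed files it cannot install. Match the package file explicitly (`"$i"-*.pkg.tar.zst`) and pass every package to a single `pacman -U` call so the dependency check covers the whole set instead of one package at a time. The script also needs `set -e` (or `cd ... || exit 1`) so a failed `cd /var/cache/pacman/pkg/` does not run the loop in the wrong directory, and the two empty `+` lines under `### Pacman` should be removed.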
@@ -366,28 +412,48 @@ makepkg -si
```
We can update our AUR packages with a script. As long as you clone your AUR
-packages into ~/AUR this will work:
+packages into ~/AUR/install this will work:
+
+1. Add `#%sudo ALL=(ALL) NOPASSWD: /usr/bin/pacman` (commented out) to `/etc/sudoers`
+2. Create the following script:
~./local/scripts/update-aur.sh
```bash
#!/bin/bash
-for file in $(ls /home/ducoterra/AUR);
+# Ensure password is required for pacman if ctrl+c pressed
+trap 'on_exit' SIGINT
+
+function on_exit() {
+ # Comment out pacman NOPASSWD line in /etc/sudoers
+ sudo sed -i -E 's/^([^#].*ALL=\(ALL\) NOPASSWD: \/usr\/bin\/pacman)/#\1/g' /etc/sudoers
+ exit
+}
+
+# Allow sudo pacman without password temporarily
+sudo sed -i -E 's/#(.*ALL=\(ALL\) NOPASSWD: \/usr\/bin\/pacman)/\1/g' /etc/sudoers
+
+for file in $(ls ~/AUR/install);
do
- cd /home/ducoterra/AUR/$file
- git pull
- makepkg -si
+ cd ~/AUR/install/$file
+ git pull
+ makepkg -si --noconfirm
done
+
+# Ensure sudoers is put back to normal
+on_exit
```
+Now you can run `~/.local/scripts/update-aur.sh` and update all AUR packages.
+
### Security
Every machine, regardless of use-case, should perform some basic hardening. You don't need to follow
every instruction in the above wiki, but you should at least enable secure boot, tpm2 disk
-decryption, firewall, apparmor, clamav, btrfs snapshots, and btrfs backups.
+decryption, firewall, clamav, btrfs snapshots, and btrfs backups.
Security Philosophy
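Review bot: `update-aur.sh` toggles `NOPASSWD` in `/etc/sudoers` with in-place `sed`, but `trap 'on_exit' SIGINT` only restores it on Ctrl+C; any other exit path (a SIGTERM, a SIGHUP from a closed terminal, a `kill`) leaves passwordless `pacman` enabled. Use `trap on_exit EXIT`, which also fires on SIGINT. Editing `/etc/sudoers` directly with `sed -i` also bypasses the syntax check, and a malformed sudoers locks out `sudo` entirely; a safer shape is a drop-in file under `/etc/sudoers.d/` that is written at start, validated with `visudo -cf`, and deleted by the trap. Separately, the hardening list at the end of this hunk drops `apparmor` without explanation; if that is deliberate, say why in the commit message.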
@@ -687,6 +753,17 @@ Now set up the backup:
systemctl enable --now btrbk_backup.conf
```
+Running the backup manually with progress is a good way to make things go well the first time:
+
+```bash
+# Prevent anything from putting the machine to sleep
+systemctl mask sleep.target
+
+btrbk -c /etc/btrbk/backups.conf --progress run
+
+systemctl unmask sleep.target
+```
+
##### Backing up a snapshot
```bash
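Review bot: `systemctl mask sleep.target` before the manual `btrbk` run is only undone if the run completes and control reaches the `unmask` line; an interrupted or failed backup leaves the machine unable to sleep until someone notices. `systemd-inhibit --what=sleep --why="btrbk backup" btrbk -c /etc/btrbk/backups.conf --progress run` holds the inhibitor only for the lifetime of the command and releases it on any exit, so it expresses the same intent without the cleanup hazard.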
diff --git a/kubernetes/graduated/metallb/addresspool.yaml b/kubernetes/graduated/metallb/addresspool.yaml
index aae429d..a5e2369 100644
--- a/kubernetes/graduated/metallb/addresspool.yaml
+++ b/kubernetes/graduated/metallb/addresspool.yaml
@@ -1,5 +1,15 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
+metadata:
+ name: internal
+ namespace: kube-system
+spec:
+ addresses:
+ - 2603:6013:3140:103::4-2603:6013:3140:103:ffff:ffff:ffff:ffff
+ - 10.4.0.4-10.4.255.255
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
metadata:
name: external
namespace: kube-system
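Review bot: the `internal` pool re-added at the top of the file uses the IPv6 range `2603:6013:3140:103::4-2603:6013:3140:103:ffff:ffff:ffff:ffff`, whereas the block it replaces (removed in the next hunk) used `2603:6013:3140:101::`. If the prefix change is intentional it should be called out in the commit message, since a reorder that also changes the advertised range is easy to miss in review; if not, restore `:101::`.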
@@ -9,16 +19,6 @@ spec:
- 10.5.0.4-10.5.255.255
---
apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
- name: internal
- namespace: kube-system
-spec:
- addresses:
- - 2603:6013:3140:101::4-2603:6013:3140:101:ffff:ffff:ffff:ffff
- - 10.4.0.4-10.4.255.255
----
-apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: l2advertisement
diff --git a/systemd/graduated/ipv4-proxy/vars.yaml b/systemd/graduated/ipv4-proxy/vars.yaml
index 521f67c..0eee258 100644
--- a/systemd/graduated/ipv4-proxy/vars.yaml
+++ b/systemd/graduated/ipv4-proxy/vars.yaml
@@ -1,10 +1,4 @@
stream_ssl:
- - external:
- domain: homeassistant.reeseapps.com
- internal:
- domain: homeassistant.reeselink.com
- port: 443
- protocol: https
- external:
domain: gitea.reeseapps.com
internal:
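Review bot: removing the `homeassistant.reeseapps.com` to `homeassistant.reeselink.com:443` forward from `stream_ssl` is fine on its own, but make sure the public DNS record for `homeassistant.reeseapps.com` (managed through the Route53 change-batch files touched earlier in this diff) is removed or repointed as well; otherwise a public name keeps resolving to this proxy for a service it no longer fronts, which is confusing for users and leaves a stale entry point on the proxy host.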