diff --git a/README.md b/README.md index 0522fb3..093cc8c 100644 --- a/README.md +++ b/README.md @@ -10,13 +10,16 @@ Secret management for NixOS. -This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix). Based on rust [age](https://docs.rs/age/latest/age) crate. - -+ Age Plugin Compatible -+ Support Template -+ Support identity with passphrase -+ Support PIV Card (Yubikey) -+ No Bash +This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix). + ++ Based on age rust [implemention](https://docs.rs/age/latest/age) ++ Support secure identity with passphrase ++ Support template for reusing insensitive stanza ++ Support Yubikey PIV with [age-yubikey-plugin](https://github.com/str4d/age-plugin-yubikey) ++ Small closure size increase (less than 1.5M) ++ Fits well with new `sysuser` nixos userborn machenism ++ Design with [flake-parts](https://flake.parts/) and modulized flake ++ Compatible and tested with most nixos deployment tools (nixos-rebuild, apply, colmena) ## Setup diff --git a/TODO.md b/TODO.md index 41acac1..e6c10d0 100644 --- a/TODO.md +++ b/TODO.md @@ -1,3 +1,5 @@ +- [ ] multilingual docs +- [ ] restart/reload sd unit control (after systemd varlink api) - [x] secrets for users - [x] optimize template placeholder map get - [x] test with os diff --git a/book.toml b/book.toml index f59bb0d..9992ef7 100644 --- a/book.toml +++ b/book.toml @@ -3,7 +3,7 @@ authors = ["oluceps"] language = "en" multilingual = false src = "doc" -title = "vaultix manual" +title = "Vaultix Documentation" [output.html] git-repository-url = "https://github.com/oluceps/vaultix" diff --git a/doc/SUMMARY.md b/doc/SUMMARY.md index a1e6635..c04950f 100644 --- a/doc/SUMMARY.md +++ b/doc/SUMMARY.md 
@@ -1,6 +1,6 @@ # Summary -- [Intro](./intro.md) +- [Introduction](./intro.md) - [Prerequisits](./prerequisits.md) - [Setup](./setup.md) - [Flake Option](./flake-option.md) diff --git a/doc/advanced.md b/doc/advanced.md index 872f8fa..bc1ad41 100644 --- a/doc/advanced.md +++ b/doc/advanced.md @@ -1,6 +1,28 @@ +# Advanced + + + + +## Tricks + +In most cases you don't need these. + +### Manually deploy + +This must be executed on local, and be sure all secrets re-encrypted before that, since there has no module to guarantee it in this case. + +Manually deploy not affect next vaultix activation. It's a trick that helps you finish deploy while your flake options of vaultix broken: + +This eval nixos vaultix configs to json. + +```bash +nix eval .#nixosConfigurations.your-hostname.config.vaultix-debug --json > profile.json ``` -/|、 -(˙、.7 -|、~ヽ -じしf_,)ノ + +So that you can feed it to vaultix cli directly: + +```bash +nix run github:oluceps/vaultix -- -p ./profile.json deploy ``` + +To be notice that deploy secrets that needs to be extracted before user init (deploy with --early) in this way is meaningless. diff --git a/doc/faq.md b/doc/faq.md index 06425ea..35400aa 100644 --- a/doc/faq.md +++ b/doc/faq.md @@ -2,6 +2,6 @@ **Q.** Rebooting and unit failed with could not found ssh private key, but it indeed just there. -**A.** Check if using `root on tmpfs`, and modify [hostKeys](https://oluceps.github.io/vaultix/nixos-option.html#hostkeys) path to Absolute path string to your REAL private key location (not bind mounted or symlinked etc.) +**A.** Check if using `root on tmpfs`, and modify [hostKeys](https://oluceps.github.io/vaultix/nixos-option.html#hostkeys) path to Absolute path string which your REAL private key located (not bind mounted or symlinked etc.). This could also fix similar issue happened with agenix and sops-nix... --- diff --git a/doc/intro.md b/doc/intro.md index 3f9a4a1..0214174 100644 --- a/doc/intro.md +++ b/doc/intro.md 
@@ -1,13 +1,23 @@ # Vaultix -### Secret management for NixOS. +### Single-admin Secret Manage Scheme for NixOS. -This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix). Based on rust [age](https://docs.rs/age/latest/age) crate. -+ Support Template -+ Age Plugin Compatible -+ Support PIV Card (Yubikey) -+ Support identity with passphrase -+ Compatible with `userborn` module option -+ No Bash +This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix). ++ Based on age rust [implemention](https://docs.rs/age/latest/age) ++ Support secure identity with passphrase ++ Support template for reusing insensitive stanza ++ Support Yubikey PIV with [age-yubikey-plugin](https://github.com/str4d/age-plugin-yubikey) ++ Small closure size increase (less than 1.5M[^1]) ++ Fits well with new `sysuser` nixos userborn machenism[^2] ++ Design with [flake-parts](https://flake.parts/) and modulized flake ++ Written in Rust for speed, safety, and simplicity ++ Compatible and tested with known[^3] nixos deployment tools + + + + +[^1]: nix build result on Nov 18 2024, 1357112 bytes. +[^2]: See merged pr [270727](https://github.com/NixOS/nixpkgs/pull/270727) and [332719](https://github.com/NixOS/nixpkgs/pull/332719) +[^3]: nixos-rebuild, apply, colmena was confirmed supported diff --git a/doc/nixos-option.md b/doc/nixos-option.md index 37d6527..7532a82 100644 --- a/doc/nixos-option.md +++ b/doc/nixos-option.md @@ -16,7 +16,7 @@ Configurable option could be divided into 3 parts: } ``` -## Settings = +## Settings Literally. @@ -33,7 +33,10 @@ Same as above, but for secrets and templates that required by user, which means
-### decryptedMountPoint: path str with no trailing slash +### decryptedMountPoint + +Path str with no trailing slash + default is `/run/vaultix.d` Where secrets are created before they are symlinked to `vaultix.settings.decryptedDir` @@ -102,7 +105,9 @@ This part basically keeps identical with `agenix`. But has few diffs: + no `symlink: bool` option, since it has an systemd function called [tmpfiles.d](https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html). -### path: path str +### path + +str of path If you manually set this, it will deploy to specified location instead of to `/run/vaultix.d` (default value of [decryptedMountPoint](#dmp)). @@ -133,7 +138,7 @@ templates = { ``` -### content: str +### content Insert `config.vaultix.placeholder.example` in plain string content. @@ -162,14 +167,18 @@ ${config.vaultix.placeholder.some} here TO BE NOTICE that the source secret file may have trailing `\n`: -### trim: bool +### trim + +boolean value default true; Removing trailing and leading whitespace by default. -## beforeUserborn: [str] +## beforeUserborn + +List of string. For deploying secrets and templates that required before user init. diff --git a/justfile b/justfile index 0619f7b..dc90ca1 100644 --- a/justfile +++ b/justfile @@ -20,5 +20,6 @@ full-test: nix run github:nix-community/nixos-anywhere -- --flake .#tester --vm-test vm-tests: #!/usr/bin/env nu - ["tester" "tester-empty-secret" "tester-empty-template"] | - par-each { nix run github:nix-community/nixos-anywhere -- --flake $'.#($in)' --vm-test } + nix run github:nix-community/nixos-anywhere -- --flake .#tester --vm-test + nix run github:nix-community/nixos-anywhere -- --flake .#tester-empty-secret --vm-test + nix run github:nix-community/nixos-anywhere -- --flake .#tester-empty-template --vm-test diff --git a/module/default.nix b/module/default.nix index 92670c9..1404ec5 100644 --- a/module/default.nix +++ b/module/default.nix 
@@ -218,7 +218,7 @@ in }; }; - systemd.services.vaultix-activate-before-user = { + systemd.services.vaultix-activate-before-user = mkIf (cfg.beforeUserborn != [ ]) { wantedBy = [ "systemd-sysusers.service" ]; before = [ "systemd-sysusers.service" ]; unitConfig.DefaultDependencies = "no";
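Review bot: the README.md feature list has spelling and naming errors that will ship to users: `implemention` should be `implementation`, `machenism` should be `mechanism`, and `sysuser` should match the unit name the rest of this patch uses (`systemd-sysusers`), e.g. `Fits well with the new NixOS userborn / systemd-sysusers mechanism`. `age-yubikey-plugin` does not match the linked project, which is `age-plugin-yubikey`. `Small closure size increase (less than 1.5M)` needs a unit (the intro.md footnote measures 1357112 bytes, so `< 1.5 MB`), and `most nixos deployment tools` overstates what the parenthetical lists; intro.md's `known[^3]` wording with a footnote is more accurate. Since README.md and doc/intro.md now carry near-identical lists that already differ (intro.md has an extra `Written in Rust` bullet and the footnotes), consider keeping the list in one place so the two do not keep drifting.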
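Review bot: the "Manually deploy" section in doc/advanced.md documents a path that bypasses the module's re-encryption guarantee, so `be sure all secrets re-encrypted before that` is too vague to act on; state what the module normally checks and how to verify it by hand before running the CLI, since nothing guards against deploying stale ciphertext here. `nix run github:oluceps/vaultix -- -p ./profile.json deploy` also fetches an unpinned revision of the tool that handles the host's secrets; suggest pinning it to the same revision as the flake input (`github:oluceps/vaultix/<rev>`) or using the flake's own package output if one is exposed. `--early` appears without being introduced; say what it does and link it to `beforeUserborn`. Grammar: `This must be executed on local` should read `This must be run on the local machine`, `Manually deploy not affect next vaultix activation` should read `A manual deploy does not affect the next vaultix activation`, and `To be notice that deploy secrets that needs` should read `Note that deploying secrets that need`.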
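Review bot: the reworded FAQ answer in doc/faq.md still does not parse: `Absolute path string which your REAL private key located` should read `an absolute path string pointing at where your REAL private key is located (not a bind mount or symlink)`. The trailing `This could also fix similar issue happened with agenix and sops-nix...` reads better as `The same fix applies to the equivalent failure in agenix and sops-nix.`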
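Review bot: the new doc/intro.md subtitle `Single-admin Secret Manage Scheme for NixOS.` should be `Single-admin secret management scheme for NixOS`, and the same spelling and naming fixes as in README.md apply to the bullet list here (`implemention`, `machenism`, `sysuser`, `age-yubikey-plugin`). `Support secure identity with passphrase` is clearer as `Supports passphrase-protected identities`. In footnote 3, `nixos-rebuild, apply, colmena was confirmed supported` should be `were confirmed to work`. The footnotes themselves are a good addition; keeping the measured size and the PR references next to the claims is exactly what the README list lacks.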
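Review bot: moving the option types out of the headings in doc/nixos-option.md is fine, but the resulting type lines are inconsistent: `Path str with no trailing slash`, `str of path`, `boolean value default true;`, `List of string.` Pick one form (for example a `Type:` line under each heading, with the default stated the same way each time) so readers can scan them. For `trim`, `boolean value default true; Removing trailing and leading whitespace by default.` should read `Boolean, default \`true\`. Trims leading and trailing whitespace.` Also note that `beforeUserborn` keeps a `##` heading while the sibling per-secret options use `###`; if it is a top-level `vaultix.*` option rather than a per-secret one that is correct, otherwise it should be demoted to match. The unchanged context `TO BE NOTICE that the source secret file may have trailing` is worth fixing while here (`Note that`).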
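Review bot: the justfile change drops `par-each` and runs the three `nixos-anywhere --vm-test` invocations sequentially without saying why. If the parallel VMs were contending for resources or producing flaky results, record that in the commit message; otherwise keep the parallel version, since the tests are independent. With the body now three plain commands, the `#!/usr/bin/env nu` shebang buys nothing and could be dropped, removing the nushell dependency from the test recipe.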
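Review bot: gating `systemd.services.vaultix-activate-before-user` on `mkIf (cfg.beforeUserborn != [ ])` is the right call, as no unit is ordered before `systemd-sysusers.service` unless early secrets are actually configured; make sure the CLI `--early` path referenced in doc/advanced.md is driven by the same condition so the unit and the CLI cannot disagree. Because the unit sets `unitConfig.DefaultDependencies = "no"` and runs before sysusers, the part of the definition not shown in this hunk needs explicit `After`/`RequiresMountsFor` ordering on the host key path and on `decryptedMountPoint`; the FAQ entry added in this same patch about `root on tmpfs` and a host key that is "indeed just there" is the failure mode that ordering prevents, so worth confirming it is covered.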
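Review bot: while touching doc/SUMMARY.md to rename `Intro` to `Introduction`, the unchanged context line `- [Prerequisits](./prerequisits.md)` misspells `Prerequisites`; fixing the link text is safe on its own, and renaming the file to match can be done in the same change or left for later.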