feat: switch proxt host

2025-12-06 00:57:22 +01:00 · 2025-12-05 02:25:45 +01:00 · 2025-12-05 02:25:45 +01:00 · 0cb34c98cb
commit 0cb34c98cb
parent 5d27d18f85
61 changed files with 1147 additions and 736 deletions
--- a/.github/README.md
+++ b/.github/README.md
@ -22,33 +22,38 @@
    - [nix-darwin](https://github.com/LnL7/nix-darwin)
    - [nix-on-droid](https://github.com/nix-community/nix-on-droid)
  - Streamlined configuration and deployment pipeline:
-    - Framework for [packages](https://github.com/Swarsel/.dotfiles/blob/main/pkgs/default.nix), [overlays](https://github.com/Swarsel/.dotfiles/blob/main/overlays/default.nix), [modules](https://github.com/Swarsel/.dotfiles/tree/main/modules), and [library functions](https://github.com/Swarsel/.dotfiles/tree/main/lib/default.nix)
-    - Dynamically generated host configurations
-    - Limited local installer (no secrets handling) with a supported demo build
-    - Fully autonomous remote deployment using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) and [disko](https://github.com/nix-community/disko) (with secrets handling)
+    - Framework for [packages](https://github.com/Swarsel/.dotfiles/blob/main/nix/packages.nix), [overlays](https://github.com/Swarsel/.dotfiles/blob/main/nix/overlays.nix), [modules](https://github.com/Swarsel/.dotfiles/tree/main/modules), and [library functions](https://github.com/Swarsel/.dotfiles/blob/main/nix/lib.nix)
+    - Dynamically generated config:
+      - host configurations
+      - dns records
+      - network setup (+ wireguard mesh on systemd-networkd)
+    - Remote Builders for [x86_64,aarch64]-linux running in hydra, feeding a private nix binary cache
+    - Bootstrapping:
+      - Limited local installer (no secrets handling) with a supported demo build
+      - Fully autonomous remote deployment using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) and [disko](https://github.com/nix-community/disko) (with secrets handling)
    - Improved nix tooling
  - Support for advanced features:
    - Secrets handling using [sops-nix](https://github.com/Mic92/sops-nix) (pls no pwn ❤️)
    - Management of personally identifiable information using [nix-plugins](https://github.com/shlevy/nix-plugins)
    - Full Yubikey support
-    - LUKS-encryption
+    - LUKS-encryption with support for remote disk unlock over SSH
    - Secure boot using [Lanzaboote](https://github.com/nix-community/lanzaboote)
    - BTRFS-based [Impermanence](https://github.com/nix-community/impermanence)
    - Configuration shared between configurations (configuration for one nixosConfiguration can be defined in another nixosConfiguration)
    - Global attributes shared between all configurations to reduce attribute redeclaration
+    - [Config library](https://github.com/Swarsel/.dotfiles/blob/9acfc5f93457ec14773cc0616cab616917cc8af5/modules/shared/config-lib.nix#L4) for defining config-based functions for generating service information
+    - Reduced friction between full NixOS- and home-manager-only deployments regarding secrets handling and config sharing

  ## Documentation

-  If you are mainly interested in how I configured this system, check out this page:
+  The full documentation can be found here:

  [SwarselSystems literate configuration](https://swarsel.github.io/.dotfiles/)

-  This file will take you through my design process, in varying amounts of detail.
+  I went to great lengths in order to document the full design process of my infrastructure properly; the above document strives to serve as an introductory lecture to nix / NixOS while at the same time explaining the config in general.

-  Otherwise, the files that are possibly of biggest interest are found here:
+  If you only came here for my Emacs configuration, the relevant files are here:

-  - [SwarselSystems.org](../SwarselSystems.org)
-  - [flake.nix](../flake.nix)
  - [early-init.el](../files/emacs/early-init.el)
  - [init.el](../files/emacs/init.el)

@ -108,68 +113,75 @@

  ### Programs

-  | Topic         | Program                         |
-  |---------------|---------------------------------|
-  |🐚 **Shell**   | [zsh](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                            |
-  |🚪 **DM**      | [greetd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/common/login.nix)                         |
-  |🪟 **WM**      | [SwayFX](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sway.nix)                         |
-  |⛩️ **Bar**     | [Waybar](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/waybar.nix)                         |
-  |✒️ **Editor**  | [Emacs](https://github.com/Swarsel/.dotfiles/tree/main/files/emacs/init.el)                          |
-  |🖥️ **Terminal**| [Kitty](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/kitty.nix)                          |
-  |🚀 **Launcher**| [Fuzzel](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/fuzzel.nix)                         |
-  |🚨 **Alerts**  | [Mako](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/mako.nix)                           |
-  |🌐 **Browser** | [Firefox](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                        |
-  |🎨 **Theme**   | [City-Lights (managed by stylix)](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sharedsetup.nix)|
+  | Topic         | Program                                                                                                                     |
+  |---------------|-----------------------------------------------------------------------------------------------------------------------------|
+  |🐚 **Shell**   | [zsh](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                                           |
+  |🚪 **DM**      | [greetd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/common/login.nix)                                     |
+  |🪟 **WM**      | [SwayFX](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sway.nix)                                       |
+  |⛩️ **Bar**     | [Waybar](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/waybar.nix)                                     |
+  |✒️ **Editor**  | [Emacs](https://github.com/Swarsel/.dotfiles/tree/main/files/emacs/init.el)                                                 |
+  |🖥️ **Terminal**| [Kitty](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/kitty.nix)                                       |
+  |🚀 **Launcher**| [Fuzzel](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/fuzzel.nix)                                     |
+  |🚨 **Alerts**  | [Mako](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/mako.nix)                                         |
+  |🌐 **Browser** | [Firefox](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                                       |
+  |🎨 **Theme**   | [City-Lights (managed by stylix)](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sharedsetup.nix)       |

  ### Services

-  | Topic                 | Program                                                                                                             |
-  |-----------------------|---------------------------------------------------------------------------------------------------------------------|
-  |📖 **Books**           |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                           |
-  |📼 **Videos**          | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                        |
-  |🎵 **Music**           | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
-  |🗨️ **Messaging**       | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix)                            |
-  |📁 **Filesharing**     | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix)                      |
-  |🎞️ **Photos**          | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                            |
-  |📄 **Documents**       | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix)                      |
-  |🔄 **File Sync**       | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix)                      |
-  |💾 **Backups**         | [Restic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/restic.nix)                            |
-  |👁️ **Monitoring**      | [Grafana](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/monitoring.nix)                       |
-  |🍴 **RSS**             | [FreshRss](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/freshrss.nix)                        |
-  |🌳 **Git**             | [Forgejo](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/forgejo.nix)                          |
-  |⚓ **Anki Sync**       | [Anki Sync Server](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/ankisync.nix)                |
-  |🪪 **SSO**             | [Kanidm](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kanidm.nix) + [oauth2-proxy](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/oauth2-proxy.nix)                                            |
-  |💸 **Finance**         | [Firefly-III](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/firefly-iii.nix)                  |
-  |🃏 **Collections**     | [Koillection](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/koillection.nix)                  |
-  |🗃️ **Shell History**   | [Atuin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/atuin.nix)                              |
-  |📅 **CalDav/CardDav**  | [Radicale](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/radicale.nix)                        |
-  |↔️ **P2P Filesharing** | [Croc](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/croc.nix)                                |
-  |✂️ **Paste Tool**      | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                        |
-  |📸 **Image Sharing**   | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                              |
-  |🔗 **Link Shortener**  | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                            |
+  | Topic                      | Program                                                                                                        |
+  |----------------------------|----------------------------------------------------------------------------------------------------------------|
+  |📖 **Books**                |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                      |
+  |📼 **Videos**               | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                   |
+  |🎵 **Music**                | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
+  |🗨️ **Messaging**            | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix)                       |
+  |📁 **Filesharing**          | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix)                 |
+  |🎞️ **Photos**               | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                       |
+  |📄 **Documents**            | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix)                 |
+  |🔄 **File Sync**            | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix)                 |
+  |💾 **Backups**              | [Restic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/restic.nix)                       |
+  |👁️ **Monitoring**           | [Grafana](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/monitoring.nix)                  |
+  |🍴 **RSS**                  | [FreshRss](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/freshrss.nix)                   |
+  |🌳 **Git**                  | [Forgejo](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/forgejo.nix)                     |
+  |⚓ **Anki Sync**            | [Anki Sync Server](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/ankisync.nix)           |
+  |🪪 **SSO**                  | [Kanidm](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kanidm.nix) + [oauth2-proxy](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/oauth2-proxy.nix)                                            |
+  |💸 **Finance**              | [Firefly-III](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/firefly-iii.nix)             |
+  |🃏 **Collections**          | [Koillection](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/koillection.nix)             |
+  |🗃️ **Shell History**        | [Atuin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/atuin.nix)                         |
+  |📅 **CalDav/CardDav**       | [Radicale](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/radicale.nix)                   |
+  |↔️ **P2P Filesharing**      | [Croc](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/croc.nix)                           |
+  |✂️ **Paste Tool**           | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                   |
+  |📸 **Image Sharing**        | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                         |
+  |🔗 **Link Shortener**       | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                       |
+  |⛏️ **Minecraft**            | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix)                 |
+  |☁️ **S3**                   | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix)                       |
+  |🕸️ **Nix Binary Cache**     | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix)                         |
+  |🔑 **Cert-based SSH**       | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix)                       |
+  |🔨 **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix)                     |
+  |👀 **DNS**                  | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix)                             |
+  |✉️ **Mail**                 | [simple-nixos-mailserver](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mailserver.nix)  |

  ### Hosts

-  | Name                | Hardware                                            | Use                                                 |
-  |---------------------|-----------------------------------------------------|-----------------------------------------------------|
-  |💻 **pyramid**       | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                         |
-  |💻 **bakery**        | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                     |
-  |💻 **machpizza**     | MacBook Pro 2016                                    | MacOS reference and build sandbox                   |
-  |🏠 **treehouse**     | NVIDIA DGX Spark                                    | AI Workstation, remote builder, hm-only-reference   |
-  |🖥️ **summers**       | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Homeserver (microvms), remote builder, datastorage  |
-  |🖥️ **winters**       | ASRock J4105-ITX, 32GB RAM                          | Homeserver (IoT server in spe)                      |
-  |🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router                                              |
-  |☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative dns server                            |
-  |☁️ **liliputsteps**  | Cloud Server: 1 vCPUs, 8GB RAM                      | SSH bastion                                         |
-  |☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM                      | Service proxy                                       |
-  |☁️ **eagleland**     | Cloud Server: 2 vCPUs, 8GB RAM                      | Mailserver                                          |
-  |☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Gaming server, syncthing + lightweight services     |
-  |☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM                     | Hydra builder and nix binarycache                   |
-  |📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                               |
-  |💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts     |
-  |💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines |
-  |❔ **chaotheatre**   | -                                                   | Demo config for checking out this configuration     |
-  |❔ **toto**          | -                                                   | Helper configuration for testing purposes           |
+  | Name                | Hardware                                            | Use                                                             |
+  |---------------------|-----------------------------------------------------|-----------------------------------------------------------------|
+  |💻 **pyramid**       | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                                     |
+  |💻 **bakery**        | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                                 |
+  |💻 **machpizza**     | MacBook Pro 2016                                    | MacOS reference and build sandbox                               |
+  |🏠 **treehouse**     | NVIDIA DGX Spark                                    | AI Workstation, remote builder, hm-only-reference               |
+  |🖥️ **summers**       | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Homeserver (microvms), remote builder, data storage             |
+  |🖥️ **winters**       | ASRock J4105-ITX, 32GB RAM                          | Homeserver (IoT server in spe)                                  |
+  |🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router                                                          |
+  |☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative DNS server                                        |
+  |☁️ **liliputsteps**  | Cloud Server: 1 vCPUs, 8GB RAM                      | SSH bastion                                                     |
+  |☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM                      | Service proxy                                                   |
+  |☁️ **eagleland**     | Cloud Server: 2 vCPUs, 8GB RAM                      | Mailserver                                                      |
+  |☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Gaming server, syncthing + lightweight services                 |
+  |☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM                     | Hydra builder and nix binary cache                              |
+  |📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                                           |
+  |💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts                 |
+  |💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines             |
+  |❔ **chaotheatre**   | -                                                   | Demo config for checking out this configuration                 |
+  |❔ **toto**          | -                                                   | Helper configuration for testing purposes                       |
  </details>

  ## General Nix tips & useful links
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
--- a/hosts/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml
+++ b/hosts/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml
@ -1,3 +1,4 @@
+wireguard-private-key: ENC[AES256_GCM,data:0cxqNz1r2Hqx2JIjzEFz32gvZ+92rT5+zsHyFo5/Wx/+vdtj+KG4gNuk4ys=,iv:qonukOR1cpuCTjoR/db8WqjlJoDGJZlG25W9ql7vfzQ=,tag:iFAKWfQ7Fb6VlFwlHDK+zw==,type:str]
 #ENC[AES256_GCM,data:WqtrDDqt,iv:Ksv7cH9opsgWoXj+YnTct3VtAT6qbaAr78uaZxkN+zc=,tag:9KPeAi/JZvxjKh1w4scsdQ==,type:comment]
 #ENC[AES256_GCM,data:kwewartySAHzmyssuWFPv0XODI/njYrSXxqEE2JBJvuCsJKwZrq4+EzKOtwOlyssEpAvaxxejmb7,iv:p3KO21NvM7zfp4U0s9TVW5jfnOzvQkn06mcFgHp9xVA=,tag:sn/zQwI8EdhWb2w9F+V4rw==,type:comment]
 acme-dns-token: ENC[AES256_GCM,data:Fj1V4MMKYJdXTur3xc7EDnYGXg8GBVPx8X/I6A7bRIdm7cX63yRrtw==,iv:Gaz6xYtEkQilaQG6+5Bz2gHWN3sIRQmCqLryZZYjefM=,tag:lGu+e1u6JOdxq8l8J+6+cw==,type:str]
@ -20,8 +21,8 @@ sops:
            NHZwMEl2ZWVONkNuVWprUFhsek91NzQK84WqkK9mtR4q1G2wS6gKqflEUv0VefUJ
            jcQij+3T2O81paZytTzZNPX3JuebyyitC5KeEoz3Z99uSrCDaLuZAQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-28T17:45:56Z"
-    mac: ENC[AES256_GCM,data:t+L6NWHaZCrSbHJhFja28E0vSNGHf5hyH183J0KPL/SrJDcK/XuxwSbbCTfwMQtRiuhjprjPjH4ioqZV/eCiLEd3C3LikEwlXb7CutYknpjceNuhi3aJ5+oRVb8vwcrMAtbPKKB1ZJc7PNcRWIFk6oEF7M8NjkC92/3C4fSH9Q4=,iv:t/YjiqCEPJkyHz/W/p6T19An2Lyr8khmwsv8it/nnZM=,tag:lccvtgBMM4NgMfKwgWoeQw==,type:str]
+    lastmodified: "2025-12-03T16:14:45Z"
+    mac: ENC[AES256_GCM,data:3lipxr63nyC5ZCI8Pi9E9lTImopXtMAh1b6tI+f8TrlB4ai6x7ZdpPDuptvyNh47asFLr6lIkFPWq7xX9Pi/78BwhJoh8x23Ee2nS2gE+MbHo2g86tMeZUBuKvpg+1Ruorodq3RslZITQEyQo75qzh8vQZ3uYx3I7iFgxdev4Qg=,iv:JhkxhwaYcDKEwh3XGuqn0f8PQWWAXzQY2GuDRg54h5w=,tag:SCbcn5TkgL+PjTP9IiXORQ==,type:str]
    pgp:
        - created_at: "2025-11-26T12:40:31Z"
          enc: |-
--- a/hosts/nixos/aarch64-linux/moonside/default.nix
+++ b/hosts/nixos/aarch64-linux/moonside/default.nix
@ -1,31 +1,15 @@
-{ lib, config, minimal, ... }:
+{ self, lib, config, minimal, ... }:
 let
  inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
-  inherit (config.swarselsystems) sopsFile;
 in
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
  ];

-  sops = {
-    age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
-    secrets = {
-      wireguard-private-key = { inherit sopsFile; };
-      wireguard-home-preshared-key = { inherit sopsFile; };
-    };
-  };
-
-  boot = {
-    loader.systemd-boot.enable = true;
-    tmp.cleanOnBoot = true;
-  };
-
-  environment = {
-    etc."issue".text = "\4";
-  };
-
  topology.self = {
    icon = "devices.cloud-server";
    interfaces.wg = {
@ -36,45 +20,6 @@ in
    };
  };

-  networking = {
-    domain = "subnet03291956.vcn03291956.oraclevcn.com";
-    firewall = {
-      allowedTCPPorts = [ 8384 ];
-    };
-    wireguard = {
-      enable = true;
-      interfaces = {
-        home-vpn = {
-          privateKeyFile = config.sops.secrets.wireguard-private-key.path;
-          # ips = [ "192.168.3.4/32" ];
-          ips = [ "192.168.178.201/24" ];
-          peers = [
-            {
-              # publicKey = "NNGvakADslOTCmN9HJOW/7qiM+oJ3jAlSZGoShg4ZWw=";
-              publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
-              presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
-              name = "moonside";
-              persistentKeepalive = 25;
-              # endpoint = "${config.repo.secrets.common.ipv4}:51820";
-              endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
-              # allowedIPs = [
-              #   "192.168.3.0/24"
-              #   "192.168.1.0/24"
-              # ];
-              allowedIPs = [
-                "192.168.178.0/24"
-              ];
-            }
-          ];
-        };
-      };
-    };
-  };
-
-  hardware = {
-    enableAllFirmware = lib.mkForce false;
-  };
-
  system.stateVersion = "23.11";

  services.syncthing = {
@ -137,7 +82,13 @@ in
    isBtrfs = true;
    isNixos = true;
    isLinux = true;
+    isCloud = true;
+    proxyHost = "twothreetunnel";
    server = {
+      wireguard = {
+        isClient = true;
+        serverName = "twothreetunnel";
+      };
      restic = {
        bucketName = "SwarselMoonside";
        paths = [
@ -155,7 +106,7 @@ in
  };

  swarselmodules.server = {
-    oauth2-proxy = true;
+    wireguard = true;
    croc = true;
    microbin = true;
    shlink = true;
--- a/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
+++ b/hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:jGfSfCOqW+p24TaH0vlcNImiY/Pu9YhdIwri4N4RvG64f1fmfNV3z6LmoShCYBfIWF2P7DvOa92dPY2ek9UiC1bEmiMtc/scpGxpir4WNuMLUtMWb0IGmnhtzq7fRAH5FkYLJBSW7pAgVsoajRGbo8Dbk5Dqcm75Pfj2YcC79oAckYt3vSzBcskgJ+ccdCfJ6vDlnAilay/GatZbIQmbEefOi9Rplfln8Ounj/hH+Z6zat04+rI5Lj8bTPu7NOeUlUmgoApuJSFafTb3zgxqnvQL5axOgIaJqiXFWhIf5httmu0mjhJupMXxt14IXgKe+ESAZFF8hWHHUNOpE8gEt5tPRQ1hqA7eHoGSYCrEQK9rSXRweO9LCfGV1+UduXgX1hKgwKDS4A5u69MvcpXQoSYX33ZzuwY7tbykb1tbEb3jN2BOSCBB2ZKHRfsTMqAHTE1RekcBArMxp7+8BkM/oww8RTMJ3I8tcU3QAr/LoFvKwvfIVrbT9gSlKSZUeoBc0WMzmRdjXhAZmQe2pb/TOFmPm31ih/E98zKA8PXhNrqjzEVN99lfn/NKsOLd9a8LXK8XoTTueTWqENEdJRx6dHpWuqBy5GdkrDVCRzgiO3Hpkwg56nPmCGoD5o1IgnRLJItNYrIRejIRaISjlefpezCMYIGMIx+CusvAwiOuuWT6kNfDnaK1U4P3Ndk39lsz8Eg2GMruc4VZ3kpTCeQdvbl/jmFwNMPtzJYooiDualIAL95iZU+RW/K+2g3ZA/Q/gJrc+hB6I+z3PzMod5015Oj0FG97XQzn2TeBD1fuO8UtyxSNajGD3ZK3Laa5QrSNUrzlf7YONSn98Z8OqKsAz+D/vnr0Lg4kjrrhYvN6GpR/QqMnNZT7m4d/oxACDycao6ZUDNE/dvuXSA4nSJp+5cxDXjgSMhnOgS7/gCiLhEBkLwzwdexT/e5vGcqqMmyeMK8vSFsPpRoPv26nsyRalwctY2ClX5KrEEckHNf+p9djB7eJDyLxXkPRLm0yp3dcmcEyk0tUffpcJ6zqWnlm46yfAf29fmIJfQWJ8ehSY+bYwDnx2LmCPcfH+sRSSV2Y1Ay22ry9rVJU88SuRdSPsHOitCuu0TQU56Su0wG24ilh6Bq4Dk+0JxlL3wyPWsnoaYvaRiJ6cs3j0tTwwxepbwiakLzWnVcqHDSoQ+Bn0T4CmcF5ztmpuLZSe/UXA48k77JmbT8vne0ig+kVfRuKhG+qV6g+GnxTIPPXGzQ1hWTS3Fg8YBMt1XYyjX3xa218agvPwLhCru1v3dAfHKk6N8G6SN6EN78RQmJApjSHAGFO,iv:a18hH0e5s4BTTlVIkQT34z8a2jELj59ZHhBbb93o3t0=,tag:sj4baRiZic6sWnJXjhL7TQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:t3En0FAhzVnLIv9tuvrTtmYMGeKvZ5e3FoVZHlEbHsmvUlVl+t1Po2uANatzIeKX3HRZJ1mURXMKh7Xk9O9DsKssadBYa2YqZTugU5m9o4+xESQlqHlnnKALaiyfSXFlhAZ6X50e8nfPCDLicjKzQnk7S/0XMaFB7XN9T4SfonVLElHSZtmOC+85WgAn4uAyfPq44UDVw116g7ogpjztsCG3deqTxP/mcY5trtk+SCEEHLHO6AiEe+Jz628Z+t+3YttQMKQulrakUzzvP07jQhW4m8X1cQOfX2xeTVTwNiqEq75Pt7g+mycKO952BVmMPYIvQAU2xUNC3YIqaFHUDS2QbooAeSJq8TT/s/zM/tjXXLsA7EsFTcduDKDGXhBFt7AlicruhymgtuGv2IwQLeprytRpwz2wcWFGLeiOKp/Zdqwf/3yhGeYlOEv+yhCXI2oZxS+8q4Vu0ejDkTtSeGzm5EtTrxzmS4X2psq2In+9Jb70TrkutAA6F50VyKJV6WQX7Q9yFU6Z6URHlxpwOUzwpto4Z3gxOn9Hm9VyrhTSJZ7sjd9sYf0WO4CJpUYrTu5/ZRcdy8i6Wu2GA/ylt+XXsG1yicgPxDvUcWSg6VfD5/tSTEHtUUVD/sAf7xl/sPcd76Z1DFfgkfA/s4BbbyZKzaZpAz1WYTuhambFpKWDY8YKCoLZdSCahP0jupm3OcnNw7ZCYu43k2JHp4X1mW0gb4TPvIGOcpC+pJvLsa2Q4AUAt4eUmlMCogJ7R89LPLy3fTYDeQV9ly6Z54N70kfsJVCuzrqOjFS4WxqJPZZ4HcRth4JmFE0mcCDsWQVOGJdJmShFxr7kijEoAyfrrZeRG29PgU+2CCcm2dvswJ8DdEtI4E8i/tOwQlHpUmWAM5dFFvKWZjxd89tofYyB/mrAQwXhD7+9Yu4KJM1C3v2IbrvkOgaSMVL7Ekn5YqU+g2BfGYQbkCYMM3DLpllTMGjiMFeOLgvHPAhA3ozR0KxJUaUVZe5B5XscA1xaKedl3hDxR6A9r/g1EQvv7F0n1rWpJvMVSZ3oo8YmzO2DKDwsfKglkR3TrmvQyPvwO/F5wnKMb2+GWh0EmeQLcxHldB6j5CpAj6O1AqfOZjZNcFc8/RfAdLS+OMXgNaWvahVjlPKqI17zLTSJCaCF8KP/T9Chj90l5XqgPsV0t6bPDueOrBOrieQD8UKOjQHR/fgSunjZQrVfYgDBTilb3UyGJ3sqlL9zcTjTgLkNSkNd41EmnCm6SdB3RpQb1fcXfzuCp4bD5Ty01PU380YWXXkAinXDP8961uexWryckhsCqkfbdDnjti3CPfEOBWc6u1R9cI6oLZRw34NpY/4z/fuLAnxgjEgwLAQLG0am/tT1ySH/Cmfy,iv:aa5FNi/z0WnPHFsLUk3odDnghUq7YyA9U6nI71ug4fI=,tag:kd3TDY3mWiEEXsB9RopnUg==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-27T14:12:09Z",
-		"mac": "ENC[AES256_GCM,data:6CqpegjS90H6fAllBsvz3d/y4MpNyMUo+v1sby4hHHw36GlQvnULHuv8dhXrlYaE+L21aoz1RITl7IEtNl/R8zjGh8b0dGIc2iUa2M5dNvHNPMTuucAEQPuEEvTiwI72winpEkdB86fHFFHvBwHwmlNVFJYx5b9bNlpjCofewQI=,iv:qOv8s8j5jOtcoKzgN/HkXvIsS/sk/DFZ4lcEKBLsrKA=,tag:ifXbcFGzpJ+DSJPkvaX0pw==,type:str]",
+		"lastmodified": "2025-12-04T23:10:31Z",
+		"mac": "ENC[AES256_GCM,data:gNsVWFrs92csjnRvhtXcKLuZUiHo9dxpFRLwjWz7VQSLeOBL4iv+Hq3SNyx4F69AC2nr9HL1QTLzX+444EhDYot0jLqOH6xz/FaQPf6OXKHg+Nr05MUe8X2QsLjodOW81Vv7HqIMypU5dyt0FBr74++9oEz6072AuFl5JAUWIvo=,iv:tGX+wUKvWYOnxVCTqhra7tg+r+TT8tyAr1tlRP2FkWA=,tag:WI5D0FTguiCJcrQh47qJow==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-13T20:12:55Z",
--- a/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
@ -23,6 +23,18 @@
    isNixos = true;
    isLinux = true;
    isCloud = true;
+    server = {
+      wireguard = {
+        ifName = "wg";
+        isServer = true;
+        peers = [
+          "moonside"
+          "winters"
+          "belchsfactory"
+          "eagleland"
+        ];
+      };
+    };
  };
 } // lib.optionalAttrs (!minimal) {
  swarselprofiles = {
@ -30,8 +42,10 @@
  };

  swarselmodules.server = {
-    nginx = false;
+    nginx = true; # for now
+    oauth2-proxy = true; # for now
    dns-hostrecord = true;
+    wireguard = true;
  };

 }
--- a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/acme.json
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/acme.json
@ -0,0 +1,28 @@
+{
+	"swarsel.win": {
+		"fulldomain": "ENC[AES256_GCM,data:CVasUSMRn/KWzVRlcYfTO/RL+W5Cz2JpDj0JLAKITXrDZrl+Wsg46X8zv4hX6NLj/wAyvXQ=,iv:N3DL4JPX8vWTbllFWcpNulwtDJ57xpHrAwoUxWhTzxs=,tag:CYWoK9uT121rFXQ5h69CZA==,type:str]",
+		"subdomain": "ENC[AES256_GCM,data:uM457vEJa10IV4SovBDUzLLlW+mPwh1SiWr8thQisFoe6zAk,iv:Tdbd5a20Gv/thkPfsvNiAbI86JjcDs70MAfk4yCZLgs=,tag:MulJiRWPs215x0bc+1jBiA==,type:str]",
+		"username": "ENC[AES256_GCM,data:ePE2BEKL5uaXqzGngW9ArhwP3qwDzwULtfwUfb5Q56VGGURp,iv:/GZRbyXHorcq1PIYlhfOmUVwCg0I/N4ZraEzSrc8qmA=,tag:wM5B1U0BsRsBAJg3qNOXpA==,type:str]",
+		"password": "ENC[AES256_GCM,data:RGzdi8IMqm+rtiuU4RtWGQ4N/7FYBbp5Pir8/k2V1QEdM8z7SIn0FQ==,iv:ThFbY9eZuEZoyzcWV5DwtSi8ugNwM49JfRof560Qx/Y=,tag:sgMaLrPB8WgpXWPzaCwOBQ==,type:str]",
+		"server_url": "ENC[AES256_GCM,data:zJdXoO7ED7qeskYJ9Wu0Rdprbvj/uP+Z,iv:ce+QXocqCjNKCsZRyVt6koUyc2lsTwPNMcfQyqbktN0=,tag:bQSE4/6va+V0TORWANLdUA==,type:str]"
+	},
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZ0ErYjZTb2o1LzdZY2tz\nNUR0dy9DWkVyQlZBQU1WSmFja0pUN3NJSkNvClNLbTU5RFFwUkJQVUNML291eG5N\nZDlCK0JvMjVDL3lvMURMbFptQ1Z4ZWsKLS0tIFA3OEUrL2tXZGM3TFk4L2l6RUo0\nMVBZOFBYS2lablRuR0hneU02eURYQWMK1M9ng/GcFH+NEmknJ8SHOUxc8atX3p1E\nB/3+4dVWSwVdTEkG2VqQTdo/irjbTKpqZ0m5bg9zDhxZpyQ2lr2ePA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-12-04T19:04:02Z",
+		"mac": "ENC[AES256_GCM,data:nWV/knCo/MeWTBrfq1VlV6SPEQ2i2P+le82S2So0BIxPfz8tqan0MdaIaKLFlapsT9VRJOv8ZCCXSLWeGcbEvfmEz4MP1E4iHcU/4YaO+n895D1JrjeyP1cgGisnXqe01xMXCsDY178sqxHcnDDlXp9foCem+mGjIlKGPYGu5Oo=,iv:qbavbW3MF4fx+E3aybBYaz/T/Hb63ggWml4Oe9WFz+I=,tag:05vBbBGDGRNaXJWoZn1bVw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-12-04T17:59:06Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//bwwqP095CUku9qYMYLJToU9iuL7USF7UxfKQLgP7Lx3a\nilbrofOS508V2og32sZD8y8GGDCMc7HMQv8TcgIk/kq6jX5dHUYN68nVMQ8ZG0As\nW1kpo/cLZAPHoWWEG5E1INX+KSN3b/KhZgXohuVyrax3aTy0kcKeApAJlntr+gyV\nfjPjjvGxXrCXZHN6DzKZ+zqEIs18T0ByLtqLsYzTlD4FszISGCnf6Kr5jpj43BcA\ny1Hj6avzk1bQqPEFovf5JcB+O3DnkIwus+GlXihu/6gIiatbdshVKk/vDdR6TR1/\noDg2EV98uX1K+gEe1JvJdC1JrAPZkOtx4hiFcLVc5G6phdQ08hY4PZ8On4Yajkby\nj46FkPNLB4TwwSC2Ga03CadpaUK0twNGAH7oya3VXUiHqqu2rnVgUjrsZCr6yA4d\nJmumRiTHvnQjECQB5J837wXoDOivaaY0OszELM41p6UIhMTG4/SkkEvfgAI3goGN\nV5g4uBES/TGCedU5NS5EMtsjRoJSQDyvhfkzMUBDcUm8xQ3RKRtdqTZVkT75Ti6M\nmnZolAkqq3uWwmSTIXTgC7T2dnWLRVgfpj7hzZX43ucf5bXCn6QXoZscMUL9LKR5\nd3lyh66PoHghatrb0u3E1ub6XJQWkbDDkKDHRuYjU02Ai12oPd48nhyTuhnmeLCF\nAgwDC9FRLmchgYQBEACgklMklJy3J1U542h3ofmkH5otjNaWv14oVr2yNdOxhlIG\nDYTb9vuLL1lAwxOB7JW6sgPbS9TmiCU6ZBYDeQDmfth7yPWK3/Epmd5wmXDENqra\njoZcpNSvvMnescS0MJWsSF2BHJiwPJewuOCAiL0EXGYVNB7z54kAt342okScNDK2\ndS6/ddjVKFsSi73HmLqQk7wmYpZuqIGoJQXH+E2to8h19e35YxOEsnG2DcVyC7xZ\nqHeUfuM9BTVJmUvqFdovz3lYJ+xg2CjBf8u0jRKOhhufS8JAu9H2ye9dWPktslMF\nRjfRbTAwryVGYmajnlmfoge+OD0XsubSaT79BixZ6xwXgA8xrCvM8in8ZeYsug66\nrgA/I7sO2PPQBh+FNVfuxVVr4MC1Nehk3/JghYzF9Ip7uAvoB9bzi0Yx7L3wGY8i\nr5Rss81IIYvZY4NmPwsOkeX+v9k6GbrcBDa521nl9gz3Ll9Q59jicZBaNyuIvJ3f\nP/bmh1nZc9CM+uIP3A5e/5tUTS5E7judEmOeqlotOjZGdoqyGsG1VqJcrcyTzscY\n8LxCIJtQEeM4KoptKaIXt0Mu/puMzQxIpcx9eFDZ+SE7Cl1QXC6HRLW5N99AuD5f\nSmxquKsmc+xB+gNGkYuySeTqfklK3FLTvISXZmoAQKgqdgO0d+hpCpOQ9lkprtJc\nAbMyytjCe+RLnIWHXi1hjQyspcF8JvBgnRp0zWEZwn+C7QI7ChHlSIrudMohS76L\nN2rF646oaFcxr8mDHy9bebQDXlWahbDB/2jFm3/SuyARtKSg8/PaNcuh+c8=\n=LxIo\n-----END PGP MESSAGE-----",
+				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
--- a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:JMh/Ce8H/sC/58gz8MpwbME5f0jY8SMRAdI1U9bBVvQ+x3G9rH/d6aU5SSOqB6ryKf+GXqjTzDMpsNZSMvLSs3VM0nUvHh/AYCHkA2dIjQVLpmxK4jBvku5GySRJmHKzA45Sgw6WyeKQD7wuEj3Tfme+MI5x6jjBXWOcRaDqBF5RIK9UWmv91/nYU8lyw6igqWybb5pX6X2Iil5hq6FWyVSa8mRWKle26LwYzS9u6tUEmPd56vOvXH1mhgkeaHNh8nZPS0gew2K8CKvdpuXzRslWew2kjBWD48YArZwBjyTTgJ+l85qtVp7HNKgGrT3WY8KgWyLNqmWlycMzE1uRcwMpzUAO9y05H2ZUrolx7IM/c9wsyGPD4YOV5/mAX+uA/Lw8UlrR9gyjD07FEE5ob7bmvHX8e45DIaHTSjcWt6U3vX9P+6aD/wmOcjptN43qNmeh5WlVB0Te5ISsKhQbMa/6oBMKF9um8j41N8mCcb+NqIkdouuToLHv0WcBWLeBaMwAYSknmrlYaV3Z0Jf5kpEV5YRKXPyRpRiobbwq,iv:SWNkLzfXRku9GxDyc9PTca/FHFhHMPsTObumtkMpn5U=,tag:O0x8oIeCKc76KfcDP6G+5A==,type:str]",
+	"data": "ENC[AES256_GCM,data:8MWVw/6bXo/1lp3IKzN/9rt3RKoU+2bv8voov+CLQzYWZ8yzOCp3ZxtK1qT8ol4oalTdf5KLnVcHjBCrI2vECO10otXQMmr7oyDpe6ORvIFSSjc3wCfA5Ddaot4qd7Eqwg261mjk2xtk+rNG1mkIfshMDXwX0GKXEocp7kGFncagMNB5armJjMC/HeukQMi7yxe5ahpz4K10/mkQiluZKVYxzzFkBMAyAUgzNYJxRbxnalq0nNmtb7pSHaVJk0JnapFEy2Jnswl8NmbmmC7O91EdDxEWUX6MRI9DMoLehFcU/Ij/Nn994jC3RNywgkPDv29uEvz5BPw3y9KNYrqzuCj0GFTODgNBykjw/fmmYPfSfgXrpS4QRE3ZklLsFvADPMIwnW7F65XCx7VVy5j9OGT3NObdwweFpsqh1+gyIq/Ity/RpkQ6uqqseRclO1vQYAqDzuh1SOi3SBP3C7J2HNMfJy5TkhzyzRTBItaYbKqVPWm1nsBf8ZldCQ==,iv:wYfg9ZesEPMsF9GbM2r4vZoiOABPRyWOHUrZJMetPVQ=,tag:pJJ7yGSme2EXmk4duQ+0RA==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-02T10:34:04Z",
-		"mac": "ENC[AES256_GCM,data:bWya8/HiExhIVMhQwW2882YJQFBbPvow1HAVh4hpb6FdQiQ+nywjBN/o+/wARXXAoHPO224rEHy2Z82RmLtqhZp8PLvs8ttEpwxsTipTkVgjkgrOsHSQDbO57RmFjmZKyJ7P2jhCUUD/oQVLGl8RCOESHhslG4M2zvUOkeavGro=,iv:rLAD+1Ma9RiSfLH0rkgXMnk04jdPCWI29B2wQtUyFjM=,tag:sLuh6qe9KQrvt5U2OburMA==,type:str]",
+		"lastmodified": "2025-12-03T16:34:02Z",
+		"mac": "ENC[AES256_GCM,data:OBETnq727ZC90fB5eZsgGGpLz8tImqaRH4LEQsxzDWbLBeGz/eFTBAHiB5MRHV1X87M2RLgtLsylu58AKmctPxQtAwuDl/oy6AIyGhEbK0bohzryHX7hv4JlWasTWoBg64nCu63YlvuWLiLPNOuqDe6ODa7kLfk+SW8rOoVzJSc=,iv:+5SgpVThJnJUeqZUc2Sn1nkYjnaDGMjjRaSgn0gDCo8=,tag:lIsAjeaO9R6zluwdibD2BQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-01T23:06:36Z",
--- a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml
@ -1,9 +1,9 @@
 #ENC[AES256_GCM,data:Zj552Ho=,iv:uOiDvsLPsT3D6A1SLgDl8jbAyz5bK8s1h7mIc6WT10k=,tag:rTD510uyO65F/qcD/UTUpw==,type:comment]
 #ENC[AES256_GCM,data:a8v9FPS8GcZOyREs74GhUpnAZlYF9Q9lRU3ZdsYERajtDiGncywKPLE61PlnH8o/h+QkkWjpsjy+,iv:Ck+7CaYym5fT4uy44b8yLw+b1FDvvjxrxql3ed+B2as=,tag:sb7vA0tVe1G+TDcJLhQ66g==,type:comment]
 acme-dns-token: ENC[AES256_GCM,data:9AvuFB/nYm2H6JK+pKY0wD658dHGZyV9w8B/+PeTKb5PkFJGlqdz0A==,iv:DeH3sRv9hCzhy38jnXVeGlAbUeXWOwf2avdINWuhJb8=,tag:jXjmtG+uoTonlXSSKLkY3g==,type:str]
+acme-creds: ENC[AES256_GCM,data:X8qOlnbaQo2RE8MyMnI/1EsyyHl5t7TemUTRYqhuHGtFP4mK5+obd/S+VzscfVJqPkCY/faGAQXtbI7x9ST3AmxiCZEbuuV85OvrM+lz5muV16YNjovPxG5BsjI/ZzYZ2V7H9CiUQLvoZ9D652mvwA10wPnKrIpZ0Z8TFeC6vFx8vyin07IOQmNnfanUVMf46/axAR9KM9ksB0uJfsEo8WFmt5q0sfXRRe+qBtdgPgvn9ebeU++Tv8JpHTPSIoagh1PslabrsgNEcM8H4kzIsOly9uYmYCZ7X732vTKLRvimJ64+MLWw3+DCy2eX5sgrSRZw8r5F19P6a+gGBTy3TsW+Ql1dI468fayltXg1hiy8bD/WEXaEalaB2w==,iv:DkX6988ls3nc5aoLP8sQOXR2alXKuogRAXCtrj8/pVs=,tag:LTwZhUWgXfbLg3YxQGlZZQ==,type:str]
 #ENC[AES256_GCM,data:/+idD/eetpnX,iv:NNXMyIt6uUfT3JVU9g39xjUL71cw5UVmESKVIf54tqc=,tag:pz+D3tUk0gWTfAirJGhlkw==,type:comment]
-wireguard-private-key: ENC[AES256_GCM,data:7cSHZL3c1P2oPPOX+HLFCDSg9gcWmdHY8LLb8kBVaRMsvRCk7gx/b2H6+Xg=,iv:YNKe76UGywvChY46X52nunFFHj3c4qJJVQRcU7bkRY0=,tag:uR4UZbtXSm6ywlVOZ4wQIg==,type:str]
-wireguard-home-preshared-key: ENC[AES256_GCM,data:YeTvFuNDs7Yb9pvzcb/tHyYeQrVJGpvKzr0l1F+4ch6F1rTpk5ad37bi9kc=,iv:bI+KSgSwbanPjKi0zV38zhXamCo6Lnu9z0PhvA1n82U=,tag:4m7rJ5K0RSkU/dGm1bRInA==,type:str]
+wireguard-private-key: ENC[AES256_GCM,data:m8fL4Y5TusV4imzcVqTmJZB0rlb+ndoH/Bl7KvbP/7awfR0FyDTmt81+3aM=,iv:qKT+61HLz8q/0T0nKvnV+wap/cvjss8THXupPNlotAE=,tag:cKrRuJjhVYdEWfrFEhUKZQ==,type:str]
 #ENC[AES256_GCM,data:IpoTYZX4KGjPA+hZ,iv:Hd1V9//M1f/10HQ7ZEEA9ZtuO8EBtY1kn3n28krYxpg=,tag:We6WirbRgSH1qOjC4g7spg==,type:comment]
 oauth2-cookie-secret: ENC[AES256_GCM,data:ZN44Kdai0hUgx0GduynlyMHDnZpdnp1SPAGEaNaNFHGMhM9Q5HPzotiNXQM=,iv:vsYhWriY5G4KLiJ12MLm26B7aBzCL5GAr+S15klH4Bc=,tag:t+MsS0Wgo5papvoeK1nk+g==,type:str]
 kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7GA==,iv:a/R6xlwGdrwJNc7qBoo0Zmlh7GkZ1+uU+RzOxRE+okc=,tag:3WpAVThFLXZFsCIl5xM0IQ==,type:str]
@ -18,8 +18,8 @@ sops:
            NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS
            ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-01T22:42:29Z"
-    mac: ENC[AES256_GCM,data:CTOMF/JUbJjKrO/WCaNqCgNVv/XuBGu5nD7ssRplhg7Fmfpqyg6+qQylZcVO4XXQPvpXsA7VfnACe0irflx2Rh/5eULLfaL6eSVnr15CmwTxxnJatMtvnn1V6tGDX7Fs2s3xdEM0G7Zu022A7WWgibiiVzv/tH09znKuxpNIdio=,iv:iYgbJLaOM3JZK1BGV8fVsq5wrh+7hpQwUdXBbsTQEj8=,tag:cPQdmBkZ+DAlQ3xAQts6BA==,type:str]
+    lastmodified: "2025-12-04T19:12:20Z"
+    mac: ENC[AES256_GCM,data:WAAHE40CAJgdT1tMYBBuFeSqaziHOvpUKrBlfycHvpXhPZ4Oa8sDElpc1lxp1VY2AVeLkqeAB7bH/HVQYGVJhxbfSVHAXm0kCQTT7yNLW8x7RK8RlwzGq9jDfng5UoA46kP2GWyGbicnaUzaH6gnF0Os3rqAMMhTg8pme7pUVwg=,iv:vJ+XFfGMwmIlgJ9ZSu/+kow4dhVsY5aeB0jPjL4TIpk=,tag:mBZzL2JGFPwIx8hNM09hEw==,type:str]
    pgp:
        - created_at: "2025-12-01T23:06:35Z"
          enc: |-
--- a/hosts/nixos/x86_64-linux/eagleland/secrets/secrets.yaml
+++ b/hosts/nixos/x86_64-linux/eagleland/secrets/secrets.yaml
@ -1,3 +1,4 @@
+wireguard-private-key: ENC[AES256_GCM,data:grHYayd0/og7SZhnkemUE9NySA8M2Pev5C/GgXH/UMnRXJLDQiJameGMZuQ=,iv:FyJJeDpGu3OqV0YihVUnBNcgHVH4yFOR4KkVxM0qQzU=,tag:MTGgQ+RT5boa85gHNkWBwg==,type:str]
 #ENC[AES256_GCM,data:TeJxdPs=,iv:M76JVBlBfgjjm1SuT/0tG/98FXpkIPpGng4u4F5p07I=,tag:RXAqa2R0HmEOjW0dD1treA==,type:comment]
 #ENC[AES256_GCM,data:YczkPHAlYVsdVPPGyuByxK9wvRVbAuR6rR9rSFjMvMGxg0QUdIa/yo8o0ppe8I2ywwlLSROp3WLJ,iv:ltLRGMLZsOte9jQEi/VW4Diu/Od8kHPbzsmvPqVgLCE=,tag:YbtxLcYhvPZrC+QFfxtMrA==,type:comment]
 acme-dns-token: ENC[AES256_GCM,data:5U/74jeGpQH39kyjuVwLU3WBYk5MrCMZSFouRFRVbB5FhOkiJtqYBA==,iv:f1TgdiVVbAB+580AtQAe8mCXU0WuS9JX7AWukKbDYj4=,tag:Ut0tbtiNcV/NxfStyZA9XA==,type:str]
@ -16,8 +17,8 @@ sops:
            SmZrb2xuVW5VVjM0b244U0lkVmlkVGcKin/6A8ONfW72fbQmvJWiNCzAZfGUtxCI
            WV0DaPvO7sO5y7q37QxVUOxgJgF0WpKiNel4Y9E06xbl3TK6jXk2MA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-28T17:45:38Z"
-    mac: ENC[AES256_GCM,data:dQYfZvGJukraN3/rPbu4JxItMxrsEIY2mkLf3ZWmC+wNZ1qLaI+EuqmLRDicNJqQ9cGljystJvrZouUhJXQNwsg4WNck5+WAfFZ4MRevxbZre+LqFfsFi4of6b65iwRTGIahtiLApNoSI6SfcjCt28i1CIofjuQIEk8LBrBlEys=,iv:fKeo9Ot8sG6qYOBE3gt06VqoYKM1/aXMs/jj9dNNFhs=,tag:sOuhoIO4SBUITo8WfCmwaw==,type:str]
+    lastmodified: "2025-12-03T16:14:20Z"
+    mac: ENC[AES256_GCM,data:PrF5wUKzsDuJUCdAvJFKQ/ILxTNyrsHK/tJnN7tM+46gAIsQge2Nzcq7/sRCjBBy5/c0Gyv2XJqlWrO2hNHHkdEqM2NCMosxIhNknjE2znYz5giMRbmNqxR8MLbohXHZ3pgUIKKQnBqPic0T6xEgPuGnt6j0Dwb8rmy4xUByhFQ=,iv:g+iOSoOn+zydHyA56+lqAo7wTXgZ05K1C4H8DNj3MrA=,tag:Zj6a2GESBA755uVHtEpTMQ==,type:str]
    pgp:
        - created_at: "2025-11-24T12:05:01Z"
          enc: |-
--- a/hosts/nixos/x86_64-linux/winters/default.nix
+++ b/hosts/nixos/x86_64-linux/winters/default.nix
@ -1,8 +1,10 @@
-{ lib, minimal, ... }:
+{ self, lib, minimal, ... }:
 {

  imports = [
    ./hardware-configuration.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
  ];

  boot = {
@ -25,8 +27,12 @@
    isBtrfs = false;
    isLinux = true;
    isNixos = true;
-    proxyHost = "moonside";
+    proxyHost = "twothreetunnel";
    server = {
+      wireguard = {
+        isClient = true;
+        serverName = "twothreetunnel";
+      };
      restic = {
        bucketName = "SwarselWinters";
        paths = [
@ -58,6 +64,7 @@

  swarselmodules.server = {
    diskEncryption = lib.mkForce false;
+    wireguard = lib.mkDefault true;
    nfs = lib.mkDefault true;
    nginx = lib.mkDefault true;
    kavita = lib.mkDefault true;
--- a/hosts/nixos/x86_64-linux/winters/secrets/acme.json
+++ b/hosts/nixos/x86_64-linux/winters/secrets/acme.json
@ -0,0 +1,28 @@
+{
+	"swarsel.win": {
+		"fulldomain": "ENC[AES256_GCM,data:CVasUSMRn/KWzVRlcYfTO/RL+W5Cz2JpDj0JLAKITXrDZrl+Wsg46X8zv4hX6NLj/wAyvXQ=,iv:N3DL4JPX8vWTbllFWcpNulwtDJ57xpHrAwoUxWhTzxs=,tag:CYWoK9uT121rFXQ5h69CZA==,type:str]",
+		"subdomain": "ENC[AES256_GCM,data:uM457vEJa10IV4SovBDUzLLlW+mPwh1SiWr8thQisFoe6zAk,iv:Tdbd5a20Gv/thkPfsvNiAbI86JjcDs70MAfk4yCZLgs=,tag:MulJiRWPs215x0bc+1jBiA==,type:str]",
+		"username": "ENC[AES256_GCM,data:ePE2BEKL5uaXqzGngW9ArhwP3qwDzwULtfwUfb5Q56VGGURp,iv:/GZRbyXHorcq1PIYlhfOmUVwCg0I/N4ZraEzSrc8qmA=,tag:wM5B1U0BsRsBAJg3qNOXpA==,type:str]",
+		"password": "ENC[AES256_GCM,data:RGzdi8IMqm+rtiuU4RtWGQ4N/7FYBbp5Pir8/k2V1QEdM8z7SIn0FQ==,iv:ThFbY9eZuEZoyzcWV5DwtSi8ugNwM49JfRof560Qx/Y=,tag:sgMaLrPB8WgpXWPzaCwOBQ==,type:str]",
+		"server_url": "ENC[AES256_GCM,data:zJdXoO7ED7qeskYJ9Wu0Rdprbvj/uP+Z,iv:ce+QXocqCjNKCsZRyVt6koUyc2lsTwPNMcfQyqbktN0=,tag:bQSE4/6va+V0TORWANLdUA==,type:str]"
+	},
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZ2Fhcnd4RnNIbExibGlr\nMGNoLzltYStyQjNDSG5jbCs2WkpqR0VINHhnClF0eW91OUVvSzhackNPS2JaUitJ\nSW9VSnEyWjRHM29hT0xHUUIwTkFQamMKLS0tIDJqRERxQ0l2NElxeUhScUQ4R2hS\nT1dhQnRTVWM0Y3dUMUxLTGRhZ1h0NkkKJI58M5YOldaj0gy67WywMK1vTNqBLz+T\nK+/0PuEooKZkcdd92+UUoMMU9JcfvnvzKmC8Ot9xwiaLaupb2Fb7Lw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-12-04T19:04:02Z",
+		"mac": "ENC[AES256_GCM,data:nWV/knCo/MeWTBrfq1VlV6SPEQ2i2P+le82S2So0BIxPfz8tqan0MdaIaKLFlapsT9VRJOv8ZCCXSLWeGcbEvfmEz4MP1E4iHcU/4YaO+n895D1JrjeyP1cgGisnXqe01xMXCsDY178sqxHcnDDlXp9foCem+mGjIlKGPYGu5Oo=,iv:qbavbW3MF4fx+E3aybBYaz/T/Hb63ggWml4Oe9WFz+I=,tag:05vBbBGDGRNaXJWoZn1bVw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-12-04T21:07:49Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Owp3VI6TVHSb6hxNioVb4P/e80pnf2LZQxhLUOb4QAfd\nkXGJLcdC3rIDF7b0qfJJrH+hCHSZBqrE6in43wDXe3Cj2CzOWaU8kABqMWKoRhG8\nd5Lbrn5uMN9sOWQugjFwtDPQo/g38wkHjJRwtpp57K3W7t7A1Np1Hma9APLwf6NV\n4t/A5vkib6n3Ilyc8e4eNlZu2yV+9fkygcSQYd9QxCRdqAbH9yCgtQ/iYpW4wNXW\nB18ENwOi9KiyWO8zMtGdj8Modaw3yLo9qku2u5BkBnbvE/SDD2QzxVEy8dc2P2/9\nkT3GLI14WaoTc0uCHQfGG6FOKbyD8P7VMdk6K7LuBrAANEaqwb77NlsIulekCuff\nRHjWYzzLv14wumO8+3dXvSWwdG3or0/caH4oKfifTbwSOwSTVru6WAWBGx0reqwO\n4+CQ1WmqHM68aFzlQY40dcT6i0jCZpvL+kMncbOn40oZt2+7T6h6zfa/YyWN9n1Z\nc3LhbHTYjA/gyjc+hD88SKCyn1tFK076209KeOpAJnu37Vb/O0BB9T8cxe9KVkMa\nz7SBXE7BEq+vc1BKpHN51zVmCP9REbQ//2RS2JwfxuKxj5ti7xQNBfliCVn/04bj\nEYnortuIFKjXGhZBBrgWKddS7zaU4Ux+1Nj8NAou4u+Cpi+EwFfpVvp11136H5OF\nAgwDC9FRLmchgYQBD/9fuQYiGbtsS6dm4kQzS6Ptmx4+Yi1QYywY0aU/S0wz+LBc\nn3ECc3AypbLEemNU7OeoveOtPj7TyJ9Wth2AqeWSEizgA/xCttiX311+emK5LqjM\n4KtlxJe8P0Hun9vxbcGRVXIN9IKDk07MWPBVQ0nUPnPlNTzZtlu/ahW+Rsyxm8wY\nq035Wtyr97Ak+gtB72EU3sEJ7INpNbIsbfa+AAbda1drrhvtde5kgnVKsSdC3oBy\nTo6rgSjRT91MZoiY+L3oR1lwmxtu6snajhnCWHe/u4iuMMK8a3b3WAUNBxG/tbQd\ni9qOLYyjtdfuqRsNvSK6WsgpAqabfUmvBCYsvKlNUGx4LDMmKsMwLC5DfPSGk8FS\n1haVyfmMNoCkcG2RuT+mwDm4I6aX1VbeKbIFrCYBEAYuWh8Hdobw3TYNrjGvHScq\nVE47Q7bCsUeiMybmtHTcHH6WNI+LWx9EHVZCaccqT19FV1PAUDvU3Z9HO48kcrjs\nX2UM3HtmU84p+zgQQzk7I1ociHqFBnKQmVd5KVs52V3Sj0a4EhRMDrWOjoucgUqD\nqMPk9HpO8A8gL/Xoaxbs3EdaQJsy30aVKaeDUyTcTqTLvEAocUQApi1QQCKgoc5K\nT9Y2EqfC/ArWSJOtylcQk0sJfKSo317lBb50+h1XcFXC3gNcXgipxURTwUSqb9Jc\nATpFH2B+AS7/fG22KpHsop4b3Mwm4nNZKTnJ+5IY2iu1hg/96AYe+njp+7BtbrbH\nTxOiYyszqQ+E8WykRO7QwPxgGtlGkgW2fXRFmAxvCHMbnNVvf2YSQLefUPg=\n=MyHr\n-----END PGP MESSAGE-----",
+				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
--- a/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc
+++ b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:vevuVfscWMiD3Lzc/bAS+jAqpzgkfBfcFAB7ChacGaj/PJfoi5AzpmlkDhm11GBcvUXcveMnbLbQexaF3dgPVwvbD9xr6e+mcMJjIry5c5a5wOcZkyGxXgPuPg415An9AQrO56XeTTSaUL+ScQB3kv6eIyzCtxZag7pRLnOgwFuGYqfwcDIcX8QHCc0ijf3XLPaM6dEgiFYDeOMFhOF4+Z8/d9eHoEQ3tOkWTmkoVqZFz80ZicEraliWnWMvCBhRLKo3gb7KFRce/AAEZQaS3CZOJz7v7var4Ds1+PZnU282aSU/xsY5Dq1vOrsZuoYqXA5WrdC9HaXAYLGaGFCzLwRTAfJvigV4PNwOePskCSa/qRlOGpyO1t1B01Y4pghdERNlS+1ltEz8nKVfIi4DR6dKy8NIhLl3huJQy6KHsLrjDHnmxeypo2sJ+NeyuNTKqwJo9x3krcIBt8SaUoFIDkBgshcDCp2eBcKvRIOFIa8r3rsxQ7gwG3YV7hS+NR0nwsUXodGXVzrdehDNddr+mI4GEMl8TTP9sdVSaPhKpN+QB3GGGoYwX2HJYXdY9CKIIlYcgFiDfPz9x4HqGnGfSpeB6QgTK40pmRmG6jQyIFZiW+hQBS4XHtKQ8CJx4zUNpiUArYzustw6riPkfYDex21SzsUIjpRYxB8uGHFvJlJVgr4FkQQg6frebKf2EjIhjc9Mjdw+g7cGb5+WavUfy+fIXztYwRI0l8aftosfCMdGsSChntKCymz0kpGREx00HF5blA6oyifHaVxRYoqraxCwbe+p1RTFlGonaYtb0gBWpdrQU+24HVQU1rMhc8HFHPjcWofE/ymEPkhRzkxIXMmNQFi/18KvZWoy2qOVtPmsEc4mOVRtC6w9AZZpcxI9CXhhuyDZlJ/k4bJzkZFrcNW8I7OjEXTNmsYkzJDSVzD3Od/1zhubU8LYZBBXuejzeH0TXNsXbS6tQXCJ2D7Gzrcx8LpXL/a1IjAUmIXguVtPT9nGallXO9jHV9g7GGjF7weTaEMb/eNSuLgQOpq8vziN1XLWhVo0WEQ8zU97KSVJS5moaTEPAEUlHC4PfM3AQHpWMW4EL7FZu5r1yw+EDOUA4k9u9HIVbn5XVZbWb18aVVkYZoulLIVU7I74LJlYE/BSYhGzp6Ff1k6qzPNTbVgXEtiNuLQKa//8gHoQUCsu019MEVAU4LhZ+nt4genG4qFUTuBujTriO4Vhdel9Qsoq95FLXDzdwRInUzfUhbLli/rKv+LDW7wIdh/peWslq5XkWBeMqJC97OSGzM/MaWIzzMY68FjCJfYX6I2nskFD1xZiECKukn0LV/wqQhrkmUuyG6RsZGAZuOoStWJMs8v+x+ZIMHzg1jItXO2ozt8P73EvdgOExJi5/aSf8sQwX7H5lesDtnGYU5+xV9k6R8icsIqG/TLuFAiqK1hmFQv7H/9pFkRq1LUXFmJXoKDfDByG6xUjMeyYOwT6yLShhH3MMWvh3yjflwzGo7uTU1BTpNbKT0LEh3Q9C1txZ0uKROhWKu70iH+kHRFVlhUbyYpZovu3BPB3WDhLiLuXIOss5+dVv5RBSYUtxpzp7Oq7mbMRIGCY1hOVCiCcUEvcXXiQ8JBCklWUEEJ15BAIewetgDiVci4USgZZYrALplmSFkKTZbFjYEIrf3ghKFXfVTkMixRmzTHoxKpYXzvB3TZnkmAXVhvJbGEiHsAaHpcfycAXygQAWsIFYzYSDrqYXmRhwEy/A5cqy8dYx+UA3bBAi4v0QPMoro3UtdI2ipM=,iv:+QSRj/TyZl6xbwLDbuwb83RkBiLUi85VYcpss8Jn8fk=,tag:uPqu0GaUGmChLweOGN10yQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:LZ0+D88y3gJk9OD40ko+msYTB9KUkBlFAup1+rcqthZ5l78mKyMoNR1leBf0AaraKft/9FfGSKT26e9I+Hd62XvGid2VzenR5TpVptm4+KLMBgHSUjcSiO8dl1ZrLOYD9T4vrBlVgnmhjotLMjmsQLNJwXiCuTqe3oE3N6C4J4nqBY0YKeJKoNEqb1oQL81nGgWdncEoRBhSZMLTaYApjqRCzzwlcL366Im1UebHmCb89GMUuHJrBudaiyf8gNOpQiGMFBpLCJZ2AwD78Ob91ELj5vKgv07siY44GvPP8nr7ryo3xThrcd9kde9IqJMLFh70lVM8ULztyYzxLsD0qkaAza4U0649+9UYmoA9grxkRbXtJgphjyxmxFmx2qPxx69A+PSr7l6fLaqV/B70RyXKOWxYPvkGdRW44HZKblcRUC24EjzpllqRJJRCspAUOzo2tHBvMwx8znQdjfGlpa2gSZf21Rx41qQQ7NlHt1wH1E+Twmte6SSd8EoSqdrCmNvnkuRK5tv8fgWxEXyy/3w97YeKjmjgTBqp4yhWLG5GXE2oO9WaQIYC1rbNcjGeBKJutY7fnuVZOWQPyqdDR058fGwznVRqyRxseXLPkES/4/ay0i3Za4C6fmAmiL3znQ+j39HXoFvn4GKig2PpJ/o1W2Cp0s/TqgVT+O/SmRv+VO4g4nZvqTPrXAFSj+dcoRUpof/Y+PGTsFc8WLjDndPqKhq7ApGhHnj+5Dh6dYJV07a+8Mfo6qecEGKhTwnTSCE0tuANI69/2kElExv+RJhbQLFNZ5Q346f0xkhm1Gggd1rPBONJEAm6bu6pBN5QSnpcLIDX5Z2pNIHjVvjcFz9beMbSA3HmEkEX1tEUF8Q4xNmo0h8F7T33V4E9KRRPlz8kM1lBhfnz4lj5cmTB7DCUCVpAm4Q9eDmLtpVdpic3HXmAX+LP+kiFNPUiJJH5En42MSsX/qDT4knwrcsCw7dIrpV3XsnDJ9tifZvOxfiRwRZplu8IJ9hvw9kBUDKUaxrkAw+B1PzmBOE4w19a0fh1ah0MWp7bNopEYDfrtip+FiHUSA5CzqggL6BExFmIffcUvh/Be579gRXzTEs2fhXzodJw4FF8HiyN2QPY6Irvwgs4TfBDH3btaVHvQV8nXE90s5u7PAkdYQ5UEzZePDu0QbbL6rDUk+GmzA04dEWeWfRhxNZ1MNXADqeF9kRCEmoiRANAvi2BK1b6oYQegALbZNm+xGyE5UvWQ6ZiZ4O8MTGzDiDsgnxvLRcgCbjDSC5lhwCd0elFRpeuZMAeE5apGdquLiBHaPJo8mmkE8nBc0HSf/JnKXDHN1NI0FXl14LM/Qm3Z7Mp/8tRpB5RA2AfndZsaAilBwFAqMIbJv21EGZ1UBFaG9SK5TJHO6A2KIE8rZ8OQ8TPbZORW1XfJI7y8OXWW8X1cUfCTEfd8MC4UmDf7s6XWTPVZPQ70fxhaStj+yypGQ2iJoKreC58oN9QFXdgBq6JTXRK3W4AwQoYoK6jNWG/y5wVDlPYKKM5O9fn/ODk6aFPmFs7pdfES7jOxKTAQBcZzgEKToNSvCdT49nhSe/tCBNxr5WNF/hLzIJXgZvqWXEaRz/rfIZCwf7FlqlpMT7XLXNktjItEhis+nEwz5NNdm0RzGVNE2GjaiFr8WQaF6AuoellY3jSWNSOk+jNAg0wBgj4FoklaH5JzQ9cRAKYu4xEC9amYgGGl9x4nWBTLSHfj5o5B5Yj0hBKaSDI7gUFgZNzaC1NgqxH2rhqy9pZO4YcclRh4diJ/3grYd/n8+vLr8Faa/v+68sIyvsLGklGS6IEJmipXWHqng4U+id5zU9xf7o99qZnIw==,iv:vLzkbn3IYrD+L6iwyRLPTtxLrrIKTMzIIZyoGgvXKxU=,tag:Hj2CG+kEnyVt9xlELVGkPA==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UFZTaXFNdjF2UmRFd3VL\nY2pZZ3ZaRkhZSjdVUjIraHV5ZlNaNGtwM3k0CkZ4OVRFcmR3MFBDcmdsbWFId3Iy\nVzQyUGI1eG44d3JFL2NvZEg4NnduT2cKLS0tIEdhOEZETk9nRTlVbmJ5UW9GalVx\nS00yaUpJZVFVNThFei8yRzJYejRkYk0Kf6Z8WnG8phRtFIUWIPys3PW0OImhAcF+\nUFLuL4Qr7zWaeItCRieYCs1yBn7KbUJHZNkJcvnkYW50NYvlEa8wBw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-23T18:03:21Z",
-		"mac": "ENC[AES256_GCM,data:8KSKQH7qF2vLnR17a3XhYGAqYq4YNgf7XEkpeNVHD39Aj8MzdlsGPr9vI2o/N1yTpQyJrPW1ntKVvI9rHwcJhm5nyaQiHVwKHWcxcn7li6AeztV4HUqwKxQwf3MHfZ4fhWJrI7NYAuMAbmK6epa/ROGsIGnT6vQh3SImcn+Kkcg=,iv:dT8dBuSsYRxGe93/9ie/6/X4Ru5NDycz2pgMVI83wbc=,tag:r1mPjG/JOQsRDzCktIlisQ==,type:str]",
+		"lastmodified": "2025-12-04T08:30:09Z",
+		"mac": "ENC[AES256_GCM,data:AeuHRN9aIfEj18uBBOR4BKGExANsUGZuxWI7K8dX+qhVLfNmsXv3ABM3FoaxhUIAyU/3mfFSK2o4SzHhAEXOo5+aN4gppvFecibSFltgME5+rSWyH9U44YB1v3MWiZkjMHuZJcyM1XDX1sLZ5TMsH72/Cu18w0u7m+QsnJ6Lc+Q=,iv:2ZIeMPnH25EAF2Xtf06ZRsCOILhn7sSWtakjl6KxDos=,tag:V8Sc6BNyi49giz5g3BpAUA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-02T14:59:33Z",
--- a/hosts/nixos/x86_64-linux/winters/secrets/secrets.yaml
+++ b/hosts/nixos/x86_64-linux/winters/secrets/secrets.yaml
@ -47,6 +47,17 @@ koillection-db-password: ENC[AES256_GCM,data:5Ue4l8CMZpjRpcryEtzPyR2Zf7M=,iv:Ol/
 anki-pw: ENC[AES256_GCM,data:h4RBhKV6ZzDQk7s=,iv:r21zH3sDKwRxfi8A1DPNEVhKTbb35qWv2mTGaXJxynM=,tag:kT4pVhz6pHxyBZ0iXdGx7w==,type:str]
 #ENC[AES256_GCM,data:5jJoV7vZl1A=,iv:Uc9/nyvdzgH6USVxhDhVs6aDqy/k9D53AJP2AvTj3ZQ=,tag:K4zDz5RoLuHevTeLqxw/XQ==,type:comment]
 kanidm-forgejo-client: ENC[AES256_GCM,data:2iXE/dmOQtY2NEsBgDqkqwD/brF0vJs+Ag==,iv:PBQ03z/E6R+u7Y56fPzJSnsoCa5PUYSiezZFOMLz4eo=,tag:jThgOC6h2hHJUclDju/MtQ==,type:str]
+#ENC[AES256_GCM,data:JwCES+wj/NRGTw==,iv:sKjF9r+7FlHyzY0MTfzvrV4B49T6+50AxBuXXh8PNUc=,tag:WvSqYTR7yDuqbZKaPWfvvw==,type:comment]
+wireguard-private-key: ENC[AES256_GCM,data:TdZwS+qF/sI8WV92N+pe/w8GYs3RmPgc8AABQ9FhpPPAcPTAHoUVo1Y3TkU=,iv:lgJyqYdtsuPzAKRUdnjiw5inHNAL2yMHFJwtUC8WB34=,tag:ub3PQ+xU7EmxohAL8GvuRA==,type:str]
+#ENC[AES256_GCM,data:m0bvaZ5XHR4p,iv:4uMJCmguAIu1533g0g666BS0Hx4otlhzjVQT5Ny8DKU=,tag:jDuowQCXWJBJ3a2/pAxvGg==,type:comment]
+radicale-user: ENC[AES256_GCM,data:UZaQbgYKjZxxBqw=,iv:ekmZvvOITSC37eNzy8WId7zeG9HPgVQ2Q/v8jezHuw0=,tag:YB41QXdZjIbEaFS4l+yuJw==,type:str]
+#ENC[AES256_GCM,data:2IlXs0WZnFsribQ=,iv:KL+5KM8bEFiERA/SA6FwudqFJziax7pdbDdOex7aaFM=,tag:TAOlu5N/B2YyVFnFgJG/oQ==,type:comment]
+prometheus-admin-hash: ENC[AES256_GCM,data:X9nTcdg+W08kT3aDfXQAf9luzPszZdz70ELkoTEoWoUrh5+Dv0D++OA4QKyBi4MMAGK5USdVZECKGa/0,iv:t9PmR6IsuEJuqdj0Zn0vbVCH+Ijz31t5vC7+9MkxB8A=,tag:bH9Zd1E3RpsU3QzwGouoXQ==,type:str]
+snipe-it-appkey: ENC[AES256_GCM,data:3CZRYxbhXfw9VrbZPXuUbxmcy+FxUuOGNTxsdU7RNsx++GAbrqSNxppXCf8=,iv:/bI9mKan6mMlu9Pts976FFCboRD3nnjkePqTAEbvl+E=,tag:XMjs8hkXG1TYRK7UN1lFlA==,type:str]
+snipe-it-db-password: ENC[AES256_GCM,data:ePhz/cE8kP3GVryiCfJwyuIljYc9cOmeg4q2Vi5cyiNWX0M=,iv:SHAG/TNaHx9/4wg5A19/LOnHYHq2Lnlc72b5WooHp1c=,tag:Kw9/PSEG2Bg726R8FCVSFA==,type:str]
+#ENC[AES256_GCM,data:HluZDLxPjQ==,iv:Gjd8lM7gFu8c1EshHXD6nJvCkZJoRhh26IPIOn2fQnQ=,tag:/7wXjcLCGNa8Td8ELeH4pw==,type:comment]
+garage-admin-token: ENC[AES256_GCM,data:RB1KaPCJkWNL6CSN5d2ClWedHCUgEMlTrb8DSLIN2guEJrMLyTIGRjXpwEs=,iv:2u/XszX7avx9m+0Ne7CbQjLpireP2pzKmKhuh/9RZRk=,tag:vf8XxjlTaE5/T0ccK1FTfQ==,type:str]
+garage-rpc-secret: ENC[AES256_GCM,data:GiXPUfNYbmJJovSXO6qgeNQ5+jHJFSOc5392RzRmyseSXjImMxenQ1OPyLDga2b7I2dt3KgIu+f56qr52LKyuA==,iv:6RiK1eTQr1PR1M7TV84kjHSQtNXBiM94uBQffk5c8W8=,tag:KcJh/UQ6i0nSsmD+7dzJUQ==,type:str]
 sops:
    age:
        - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
@ -58,8 +69,8 @@ sops:
            c0lDa2EvQkUwM1ZIc1ppY1REZnlPKzQKJRXSl8SYQwzgPw+twNAFy3y+S2r7JwS0
            xESNBdFS4Ntg9gXENRBzCaGmoOJfiFtGditBlvWUwbDYwLdn/y3kIQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-28T17:45:19Z"
-    mac: ENC[AES256_GCM,data:lIdIP+Js+FzjJCoClGxqP1epl5fVkPzfJmOVauFNlXKRxx90/E3478oQHi/KbP7eFgPoy+0hAbMwnBmo/1tOKb2ky80/6IMEkbftiO7YZqy8opbSbCtj6ypOOwwPf5rgtXHn0LV+EtDQZzIBY6GhcERO6IQpFRAXeIkSGcpM3TE=,iv:sphhFBg1xgupLGQzRovea0wvsTolzfW/z+gjj9CyklM=,tag:bdo9FlPPYKdl87lsBsiEsQ==,type:str]
+    lastmodified: "2025-12-04T12:35:41Z"
+    mac: ENC[AES256_GCM,data:0Ps8slUmB7A+2vvCa44pOIVs+ehzczFyVUYh8vledsEW3odgm5LemmilspSw3xmf4V3cTl0h7mgGvLHJhpaZpI4nS4W4Cz3CrN6v3eu8ELRorVHUIDPIJNfzaCeRlat+oujGCWAuMbaEyXYj40PtXq9pSaYSluxDiPQu+QwKRaA=,iv:Rb1RcTJThoWO76vfDcyYlF3VnrDkN12frVdcQhRTLzQ=,tag:Mu5IgH541rXP3rlP1XlJrA==,type:str]
    pgp:
        - created_at: "2025-12-02T14:59:44Z"
          enc: |-
--- a/hosts/nixos/x86_64-linux/winters/secrets/secrets2.yaml
+++ b/hosts/nixos/x86_64-linux/winters/secrets/secrets2.yaml
@ -1,56 +0,0 @@
-#ENC[AES256_GCM,data:K3S1LFrPmaS5,iv:dxFzPLhN2otgy02VWzrLURmomtYdoIBHvEJ1LJ7Lj9k=,tag:stKgkBnRDZkCPlvFk+btRg==,type:comment]
-radicale-user: ENC[AES256_GCM,data:2G+WXxw6jrnPXsI=,iv:bUEhBDrdTt+O/4TXMkhmqnzfkSiws4n7L54Z0zZnSOI=,tag:JGQPit5uGqITUyyCpU3OIg==,type:str]
-#ENC[AES256_GCM,data:+7JEI2P/6/5yiWQ=,iv:hV4TyNFsyugrfFM0emxGDDDq54XWy7fVCf/kwD0mtCM=,tag:iZz9mPsLG02rlgV1vP8aBQ==,type:comment]
-prometheus-admin-hash: ENC[AES256_GCM,data:dUmTW6W419TzF8dLGcgRLlbLBg9puzgznNCrrAuNOIuhXCBrqaJdtyIVFCsnrDSEh1ZdMfGki4UERZcf,iv:XIlb65V6yhrKSU7AbRs6k1ISljZjWnAm1dPTCONwDJI=,tag:UkdDTywivitSxYR902uM5A==,type:str]
-snipe-it-appkey: ENC[AES256_GCM,data:VWEGKbCD5P3uxeyMVtK9a7BcVjXlXSEsJxfLEwkHz8l5o0Xq9lTbTpsfOoc=,iv:3nq+xuuujjevWdmk3SdBai/EWXwL4F3Kv4M3yc/faIM=,tag:/cNC/EKR1NWQhJrh46meCw==,type:str]
-snipe-it-db-password: ENC[AES256_GCM,data:O+LgX+XyJEaF+1oYcjyMpUab7AD7tWK3LBd+7VJOKq/Mz+k=,iv:yJgwlG/ln5BdwW2c62UJLIkrCWakKvj64LMQsjTIwJI=,tag:yw0rC1GJo+KMn1wXRdJomA==,type:str]
-#ENC[AES256_GCM,data:jGvWDKbVKA==,iv:N4cMopsUPOfymKpMD7oB04VtS0cUX9yNNqwyWEdyMi4=,tag:L4PMmMcM1NCc8LPG6GJLMQ==,type:comment]
-garage-admin-token: ENC[AES256_GCM,data:2N2kqXt7kraqMQEkDuNQN3SRiL2WKRA959Uc7HAdSlZcC2Ft06YUb+Elktw=,iv:dhAZoQBhvK07+wBpMEsI73YN2oX9dMthV3SaDWZgea4=,tag:0Pu0BDEYU9WYQQ1hJr8qFQ==,type:str]
-garage-rpc-secret: ENC[AES256_GCM,data:s8qGCm8WM/pvX7wZJyenohMAHnNWrumUxyJvst194h2XPfpLBbKVZwZ5t4zkwqh0yJNgLqE+2ekwCxa/xKqemQ==,iv:zUo/x2LWS7b2E2kZHDfa6lAwxAcuNir5a+mg+ASDarE=,tag:XgBh3ajVDy0vWccX8yZXSg==,type:str]
-sops:
-    age:
-        - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cy9Md1hDczh5a3R0cHBk
-            WkhVQjF0Z2M4Tkl6cUhKengxQURjbTIzZmdzCldLQkNieWxPbWUweTBsTGhTVXdk
-            ak5vbm5MMnV6ODhYMlVIZ1VCNCtrS1UKLS0tIGE5NW1oMjdEOG44LzVPSWJBRXRH
-            Vlo0aFFGYStnUWFINS9pQmI3UVA0QncKVwXbULXogQRI1naoeyV2OdIcFA0khAaA
-            jNEQyT1ijbq/w445dN9AhJIWiD+r3JdF49HCyqw2Vfw2uaQ0VSGVEg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-05T14:55:44Z"
-    mac: ENC[AES256_GCM,data:nyz3jp/qV8bwgx0q6c7RmXtzdmwVrt8C6FU36qtzUm8tPlAd1K7MmgxRKFi85NqOu3XPII2OkwhNPRBOJuQOoXGfo27odfZl4riQ+any4GNarDZ5deZ54+kjgqyvP70dsm/tiZgZ8Fjwat4iLV+mqJYMS4OBl5krr5ocU+LY1pU=,iv:l56tIBgMog4HSxP9Fb4pWSD/z5FaPlHRkUYqlkhydzc=,tag:IT++kT0EncDzEEX4DdjW3g==,type:str]
-    pgp:
-        - created_at: "2025-12-02T14:59:37Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAwDh3VI7VctTAQ//dPCsdkrC5mSklMv6p5BYAznEEoH+lzjiL0ZEWj1ZzOFR
-            PNWlhPyievd0MR995M7M+MEjLEcfIPR59kviuWhSHgb/pQwOL4lDFhDeno44Z1o9
-            PSHI7Fl0Ew0QSm+PLjUgdhcKTBJNvUtJuK243oaXCbWLHGXbaFBdEkZcgMBTP0mo
-            8eexRFk81ggxzwbJhbmVmXBvn+mpdvFqnphZY0tL1bDiZ53OKA9YsKQAA5gwNKGQ
-            oaDS1mxVbxazsgWNqFLyQzQHua/gGQu8l8kTm2qB+MB5qbT6kFrTjRnQlXKmp6t/
-            0/+QUox1IG7bu/h6AJMaixbGVup+YkMcIW7Yplhd6r6pBENtCrCS/9I3ichjwk19
-            WyPI5HIYd1ojwiz7N6MMweshAZSGA4HHPJH/i3BaRGiGmKPAjF4IqJ/9VSqdyrA4
-            cb04Yg6vJEeZMoApEggbS/sWoi2OIetpCyijF0GhRO+jaxRZh4i7LyixOVocfRSp
-            QW9xfyt3FwCQNZYSIu4Q/xUE4twC8mPGYdrZn0Wmtran7Riwpm8X6kkSg/yan4/q
-            2PFhglzyWB2of3zEbWJF5bXlZi8LY/CkC26Jhpeo4kV2414sjWf/VScqGKoZZivx
-            az84NTpSQsd5DdLDPTXpMCekBTSEs7Qi5ynLvfljGAIwXMdXx96EmQEQ0AHgXhGF
-            AgwDC9FRLmchgYQBEACOT9l+VWm9JDIkrYK8JXRcXo0hryvR+b4T2yfNJqRSzIu5
-            rUcgbjKdehBW3trWiAnn4P3PpGnkACgbWYdNRjdTxYRTi0ngjb2IoMkMlEeBklpE
-            hPK+T2NhdjXcz9kOgG8zBu3rKq4hZDrno+s7RDEtQdAu+ocBljz6KtkPvx0QDwsU
-            vX0f+ANsdWVBcgkkQbnHP+htI7GOan0KjTCNaFCYjXYpQ6AjdyosRNOVLs336LUj
-            +M5oOhvLAIYD5djQ+xQcSp1Ysml5NqttIlQbW+Pdm4WCi+Aq8QQ+IMQQCPBwJwx+
-            NjzcxTrtvMQ0s6lFR/BpO7YCTuyQtU9QAmxlf/mLmw2eG40+fmTHHfmWdgdOaYNV
-            /2V9t55LnyVeBOzBBta1yt6r+TjIrSPnEnDeeffJ0BrRX5SRxkYAht946qZLaaw8
-            k2gLVqdwCsc04pM64Gy2/pazU5tVJvOifds0hHGDiCSB7lbqIXJGtj4hDqTfFNyq
-            U0RUQLoD2Chu+JPlP1I/yrwjbOfYd/8WrqAp9lLq1VrMYxRbJ8VR3iKMt52bL3LB
-            8wBHd3fK/dqjRsWqmjXX9MgH88QEMoBMlmZFhHduSNn1b8G3euC/X0TuWtitrhfD
-            AuC1ltIYyPIPi9hDCnTVGIdh0Yd2sSRcNSDm9haLGtujKI+dX++gHcS10FWlAdJc
-            AVicyxR4eepEnBDypeofatCECsYftWsIF7u5avxPbfN30l5kO9PKaI0J1t/n1r0w
-            +5Q3mRfDzBJcAQOQ7aHGcMJd7dvdm0VC89JsCoI3VA08g/dimLRZyBhVwY4=
-            =oajO
-            -----END PGP MESSAGE-----
-          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0
--- a/modules/home/common/sops.nix
+++ b/modules/home/common/sops.nix
@ -1,4 +1,4 @@
-{ config, lib, type, ... }:
+{ self, config, lib, type, ... }:
 let
  inherit (config.swarselsystems) homeDir;
 in
@ -7,7 +7,8 @@ in
  config = lib.optionalAttrs (type != "nixos") {
    sops = lib.mkIf (!config.swarselsystems.isNixos) {
      age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ];
-      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
+      # defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
+      defaultSopsFile = self + "/secrets/repo/common.yaml";

      validateSopsFiles = false;
    };
--- a/modules/nixos/client/network.nix
+++ b/modules/nixos/client/network.nix
@ -1,7 +1,7 @@
 { self, lib, pkgs, config, globals, ... }:
 let
  certsSopsFile = self + /secrets/repo/certs.yaml;
-  clientSopsFile = "${config.node.secretsDir}/secrets.yaml";
+  clientSopsFile = config.node.secretsDir + "/secrets.yaml";

  inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;

--- a/modules/nixos/client/polkit.nix
+++ b/modules/nixos/client/polkit.nix
@ -4,6 +4,9 @@
  config = lib.mkIf config.swarselmodules.security {

    security = {
+      # pki.certificateFiles = [
+      #   config.sops.secrets.harica-root-ca.path
+      # ];
      pam.services = lib.mkIf (!minimal) {
        login.u2fAuth = true;
        sudo.u2fAuth = true;
--- a/modules/nixos/client/sops.nix
+++ b/modules/nixos/client/sops.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ self, config, lib, ... }:
 {
  options.swarselmodules.sops = lib.mkEnableOption "sops config";
  config = lib.mkIf config.swarselmodules.sops {
@ -6,7 +6,8 @@

      # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
      age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
-      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
+      # defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
+      defaultSopsFile = self + "/secrets/repo/common.yaml";

      validateSopsFiles = false;

--- a/modules/nixos/optional/systemd-networkd-server.nix
+++ b/modules/nixos/optional/systemd-networkd-server.nix
@ -4,7 +4,7 @@
    useDHCP = lib.mkForce false;
    useNetworkd = true;
    dhcpcd.enable = false;
-    renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
+    renameInterfacesByMac = lib.mapAttrs (_: v: if (v ? mac) then v.mac else "") (
      config.repo.secrets.local.networking.networks or { }
    );
  };
--- a/modules/nixos/server/ankisync.nix
+++ b/modules/nixos/server/ankisync.nix
@ -51,7 +51,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/atuin.nix
+++ b/modules/nixos/server/atuin.nix
@ -35,7 +35,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/disk-encrypt.nix
+++ b/modules/nixos/server/disk-encrypt.nix
@ -41,6 +41,7 @@ in
        "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
      ];
      initrd = {
+        secrets."${hostKeyPathBase}" = lib.mkIf (!minimal) hostKeyPathBase;
        availableKernelModules = config.swarselsystems.networkKernelModules;
        network = {
          enable = true;
--- a/modules/nixos/server/firefly-iii.nix
+++ b/modules/nixos/server/firefly-iii.nix
@ -91,7 +91,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          oauth2.enable = true;
--- a/modules/nixos/server/forgejo.nix
+++ b/modules/nixos/server/forgejo.nix
@ -140,7 +140,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/freshrss.nix
+++ b/modules/nixos/server/freshrss.nix
@ -86,7 +86,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          oauth2.enable = true;
--- a/modules/nixos/server/homebox.nix
+++ b/modules/nixos/server/homebox.nix
@ -41,7 +41,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          oauth2.enable = false;
--- a/modules/nixos/server/immich.nix
+++ b/modules/nixos/server/immich.nix
@ -45,7 +45,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/jellyfin.nix
+++ b/modules/nixos/server/jellyfin.nix
@ -51,7 +51,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/jenkins.nix
+++ b/modules/nixos/server/jenkins.nix
@ -34,7 +34,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@ -176,7 +176,7 @@ in

    services = {
      ${serviceName} = {
-        package = pkgs.kanidmWithSecretProvisioning_1_7;
+        package = pkgs.kanidmWithSecretProvisioning_1_8;
        enableServer = true;
        serverSettings = {
          domain = serviceDomain;
@ -390,7 +390,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/kavita.nix
+++ b/modules/nixos/server/kavita.nix
@ -52,7 +52,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/koillection.nix
+++ b/modules/nixos/server/koillection.nix
@ -117,7 +117,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/matrix.nix
+++ b/modules/nixos/server/matrix.nix
@ -303,7 +303,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          listen = [
--- a/modules/nixos/server/microbin.nix
+++ b/modules/nixos/server/microbin.nix
@ -115,7 +115,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/monitoring.nix
+++ b/modules/nixos/server/monitoring.nix
@ -12,7 +12,7 @@ let

  inherit (config.swarselsystems) sopsFile;

-  sopsFile2 = "${config.node.secretsDir}/secrets2.yaml";
+  # sopsFile2 = config.node.secretsDir + "/secrets2.yaml";
 in
 {
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -27,7 +27,8 @@ in
        grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
        prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
        kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
-        prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
+        # prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
+        prometheus-admin-hash = { inherit sopsFile; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };

      };
      templates = {
@ -226,7 +227,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/navidrome.nix
+++ b/modules/nixos/server/navidrome.nix
@ -116,7 +116,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          oauth2.enable = true;
--- a/modules/nixos/server/network.nix
+++ b/modules/nixos/server/network.nix
@ -2,7 +2,7 @@
 let
  netConfig = config.repo.secrets.local.networking;
  netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}";
-  netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
+  # netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
 in
 {
  options = {
@ -14,7 +14,7 @@ in
      };
      netConfigName = lib.mkOption {
        type = lib.types.str;
-        default = netName;
+        default = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
        readOnly = true;
      };
      netConfigPrefix = lib.mkOption {
@ -28,10 +28,21 @@ in

    swarselsystems.server.localNetwork = netConfig.localNetwork or "";

-    globals.networks.${netName}.hosts.${config.node.name} = {
-      inherit (netConfig.networks.${netConfig.localNetwork}) id;
-      mac = netConfig.networks.${netConfig.localNetwork}.mac or null;
-    };
+    # globals.networks.${netName}.hosts.${config.node.name} = {
+    #   inherit (netConfig.networks.${netConfig.localNetwork}) id;
+    #   mac = netConfig.networks.${netConfig.localNetwork}.mac or null;
+    # };
+
+    globals.networks = lib.mapAttrs'
+      (netName: _:
+        lib.nameValuePair "${netPrefix}-${netName}" {
+          hosts.${config.node.name} = {
+            inherit (netConfig.networks.${netName}) id;
+            mac = netConfig.networks.${netName}.mac or null;
+          };
+        }
+      )
+      netConfig.networks;

    globals.hosts.${config.node.name} = {
      inherit (config.repo.secrets.local.networking) defaultGateway4;
--- a/modules/nixos/server/nextcloud.nix
+++ b/modules/nixos/server/nextcloud.nix
@ -60,7 +60,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
@ -1,7 +1,6 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, globals, ... }:
 let
-  inherit (config.repo.secrets.common) dnsProvider dnsBase;
-  inherit (config.repo.secrets.common.mail) address3;
+  inherit (config.repo.secrets.common) dnsProvider dnsBase dnsMail;

  serviceUser = "nginx";
  serviceGroup = serviceUser;
@ -18,42 +17,66 @@ in
  options.swarselmodules.server.nginx = lib.mkEnableOption "enable nginx on server";
  options.services.nginx = {
    recommendedSecurityHeaders = lib.mkEnableOption "additional security headers by default in each location block.";
+    defaultStapling = lib.mkEnableOption "add ssl stapling in each location block..";
    virtualHosts = lib.mkOption {
      type = lib.types.attrsOf (
-        lib.types.submodule {
-          options.locations = lib.mkOption {
-            type = lib.types.attrsOf (
-              lib.types.submodule (submod: {
-                options = {
-                  recommendedSecurityHeaders = lib.mkOption {
-                    type = lib.types.bool;
-                    default = config.services.nginx.recommendedSecurityHeaders;
-                    description = "Whether to add additional security headers to this location.";
+        lib.types.submodule (topmod: {
+          options = {
+            defaultStapling = lib.mkOption {
+              type = lib.types.bool;
+              default = config.services.nginx.defaultStapling;
+              description = "Whether to add ssl stapling to this location.";
+            };
+            locations = lib.mkOption {
+              type = lib.types.attrsOf (
+                lib.types.submodule (submod: {
+                  options = {
+                    recommendedSecurityHeaders = lib.mkOption {
+                      type = lib.types.bool;
+                      default = config.services.nginx.recommendedSecurityHeaders;
+                      description = "Whether to add additional security headers to this location.";
+                    };
+
+                    X-Frame-Options = lib.mkOption {
+                      type = lib.types.str;
+                      default = "DENY";
+                      description = "The value to use for X-Frame-Options";
+                    };
                  };

-                  X-Frame-Options = lib.mkOption {
-                    type = lib.types.str;
-                    default = "DENY";
-                    description = "The value to use for X-Frame-Options";
+                  config = {
+                    extraConfig = lib.mkIf submod.config.recommendedSecurityHeaders (lib.mkBefore ''
+                      # Hide upstream's versions
+                      proxy_hide_header Strict-Transport-Security;
+                      proxy_hide_header Referrer-Policy;
+                      proxy_hide_header X-Content-Type-Options;
+                      proxy_hide_header X-Frame-Options;
+
+                      # Enable HTTP Strict Transport Security (HSTS)
+                      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+
+                      # Minimize information leaked to other domains
+                      add_header Referrer-Policy "origin-when-cross-origin";
+
+                      add_header X-XSS-Protection "1; mode=block";
+                      add_header X-Frame-Options "${submod.config.X-Frame-Options}";
+                      add_header X-Content-Type-Options "nosniff";
+                    ''
+                    );
                  };
-                };
-                config = lib.mkIf submod.config.recommendedSecurityHeaders {
-                  extraConfig = lib.mkBefore ''
-                    # Enable HTTP Strict Transport Security (HSTS)
-                    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-
-                    # Minimize information leaked to other domains
-                    add_header Referrer-Policy "origin-when-cross-origin";
-
-                    add_header X-XSS-Protection "1; mode=block";
-                    add_header X-Frame-Options "${submod.config.X-Frame-Options}";
-                    add_header X-Content-Type-Options "nosniff";
-                  '';
-                };
-              })
-            );
+                })
+              );
+            };
          };
-        }
+          config = {
+            extraConfig = lib.mkIf topmod.config.defaultStapling (lib.mkAfter ''
+              ssl_stapling on;
+              ssl_stapling_verify on;
+              resolver 1.1.1.1 8.8.8.8 valid=300s;
+              resolver_timeout 5s;
+            '');
+          };
+        })
      );
    };
  };
@ -62,27 +85,30 @@ in
      lego
    ];

-    sops = {
+    sops = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
      secrets = {
-        acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
+        acme-creds = { format = "json"; key = ""; group = "acme"; sopsFile = config.node.secretsDir + "/acme.json"; mode = "0660"; };
      };
      templates."certs.secret".content = ''
-        ACME_DNS_API_BASE=${dnsBase}
-        ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token}
+        ACME_DNS_API_BASE = ${dnsBase}
+        ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-creds.path}
      '';
    };

    users.groups.acme.members = [ "nginx" ];

-    security.acme = {
+    security.acme = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
      acceptTerms = true;
      defaults = {
        inherit dnsProvider;
-        email = address3;
+        email = dnsMail;
        environmentFile = "${config.sops.templates."certs.secret".path}";
        reloadServices = [ "nginx" ];
        dnsPropagationCheck = true;
      };
+      certs."${globals.domains.main}" = {
+        domain = "*.${globals.domains.main}";
+      };
    };

    networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -103,6 +129,7 @@ in
      recommendedGzipSettings = true;
      recommendedBrotliSettings = true;
      recommendedSecurityHeaders = true;
+      defaultStapling = true;
      sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:!aNULL";
      sslDhparam = dhParamsPathBase;
      virtualHosts.fallback = {
@ -129,11 +156,11 @@ in
        ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""}

        if [ ! -f "${dhParamsPath}" ]; then
-          ${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096
-          chmod 0644 "${dhParamsPath}"
-          chown ${serviceUser}:${serviceGroup} "${dhParamsPath}"
+        ${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096
+        chmod 0644 "${dhParamsPath}"
+        chown ${serviceUser}:${serviceGroup} "${dhParamsPath}"
        else
-          echo 'Already generated DHParams'
+        echo 'Already generated DHParams'
        fi
      '';
    };
--- a/modules/nixos/server/nsd/site1.nix
+++ b/modules/nixos/server/nsd/site1.nix
@ -3,7 +3,7 @@ with dns.lib.combinators; {
  SOA = {
    nameServer = "soa";
    adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
-    serial = 2025120203; # update this on changes for secondary dns
+    serial = 2025120501; # update this on changes for secondary dns
  };

  useOrigin = false;
@ -13,6 +13,7 @@ with dns.lib.combinators; {
    "srv"
  ] ++ globals.domains.externalDns;

+  CAA = letsEncrypt config.repo.secrets.common.dnsMail;

  A = [ config.repo.secrets.local.dns.homepage-ip ];

--- a/modules/nixos/server/oauth2-proxy.nix
+++ b/modules/nixos/server/oauth2-proxy.nix
@ -208,7 +208,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/packages.nix
+++ b/modules/nixos/server/packages.nix
@ -13,6 +13,7 @@
      sops
      swarsel-deploy
      tmux
+      busybox
    ];
  };
 }
--- a/modules/nixos/server/paperless.nix
+++ b/modules/nixos/server/paperless.nix
@ -109,7 +109,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/radicale.nix
+++ b/modules/nixos/server/radicale.nix
@ -1,7 +1,8 @@
 { lib, config, globals, dns, confLib, ... }:
 let
  inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
-  sopsFile = "${config.node.secretsDir}/secrets2.yaml";
+  # sopsFile = config.node.secretsDir + "/secrets2.yaml";
+  inherit (config.swarselsystems) sopsFile;

  cfg = config.services.${serviceName};
 in
@ -100,7 +101,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          oauth2.enable = false;
--- a/modules/nixos/server/shlink.nix
+++ b/modules/nixos/server/shlink.nix
@ -97,7 +97,7 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/slink.nix
+++ b/modules/nixos/server/slink.nix
@ -74,7 +74,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          oauth2.enable = true;
--- a/modules/nixos/server/snipe-it.nix
+++ b/modules/nixos/server/snipe-it.nix
@ -1,7 +1,8 @@
 { lib, config, globals, dns, confLib, ... }:
 let
  inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
-  sopsFile = "${config.node.secretsDir}/secrets2.yaml";
+  # sopsFile = config.node.secretsDir + "/secrets2.yaml";
+  inherit (config.swarselsystems) sopsFile;

  serviceDB = "snipeit";

@ -55,7 +56,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          oauth2.enable = false;
--- a/modules/nixos/server/syncthing.nix
+++ b/modules/nixos/server/syncthing.nix
@ -125,7 +125,8 @@ in
      };
      virtualHosts = {
        "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
          forceSSL = true;
          acmeRoot = null;
          locations = {
--- a/modules/nixos/server/wireguard.nix
+++ b/modules/nixos/server/wireguard.nix
@ -1,94 +1,144 @@
-{ self, lib, config, confLib, globals, ... }:
+{ self, lib, pkgs, config, confLib, nodes, globals, ... }:
 let
  wgInterface = "wg0";
  inherit (confLib.gen { name = "wireguard"; port = 52829; user = "systemd-network"; group = "systemd-network"; }) servicePort serviceName serviceUser serviceGroup;

  inherit (config.swarselsystems) sopsFile;
-  inherit (config.swarselsystems.server.wireguard) peers isClient isServer;
+  wgSopsFile = self + "/secrets/repo/wg.yaml";
+  inherit (config.swarselsystems.server.wireguard) peers isClient isServer serverName serverNetConfigPrefix ifName;
 in
 {
  options = {
-    swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
+    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
    swarselsystems.server.wireguard = {
      isServer = lib.mkEnableOption "set this as a wireguard server";
+      isClient = lib.mkEnableOption "set this as a wireguard client";
+      serverName = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+      };
+      serverNetConfigPrefix = lib.mkOption {
+        type = lib.types.str;
+        default = "${if nodes.${serverName}.config.swarselsystems.isCloud then nodes.${serverName}.config.node.name else "home"}";
+        readOnly = true;
+      };
+      ifName = lib.mkOption {
+        type = lib.types.str;
+        default = wgInterface;
+      };
      peers = lib.mkOption {
-        type = lib.types.listOf (lib.types.submodule {
-          freeformType = lib.types.attrs;
-          options = { };
-        });
+        type = lib.types.listOf lib.types.str;
        default = [ ];
-        description = "Wireguard peer submodules as expected by systemd.network.netdevs.<name>.wireguardPeers";
+        description = "Wireguard peer config names";
      };
    };

  };
-  config = lib.mkIf config.swarselmodules.${serviceName} {
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
+
+    environment.systemPackages = with pkgs; [
+      wireguard-tools
+    ];

    sops = {
      secrets = {
        wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
-        wireguard-home-preshared-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
-      };
+        # create this secret only if this is a simple client with only one peer (the server)
+        "wireguard-${serverName}-${config.node.name}-presharedKey" = lib.mkIf (isClient && peers == [ ]) { sopsFile = wgSopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+      }
+      # create these secrets only if this host has multiple peers
+      // lib.optionalAttrs (peers != [ ]) (builtins.listToAttrs (map
+        (clientName: {
+          name = "wireguard-${config.node.name}-${clientName}-presharedKey";
+          value = { sopsFile = wgSopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+        })
+        peers));
    };

    networking = {
+      firewall.checkReversePath = lib.mkIf isClient "loose";
      firewall.allowedUDPPorts = [ servicePort ];
-      nat = {
-        enable = true;
-        enableIPv6 = true;
-        externalInterface = "ens6";
-        internalInterfaces = [ wgInterface ];
-      };
+      # nat = lib.mkIf (config.swarselsystems.isCloud && isServer) {
+      #   enable = true;
+      #   enableIPv6 = true;
+      #   externalInterface = "enp0s6";
+      #   internalInterfaces = [ ifName ];
+      # };
+      # interfaces.${ifName}.mtu = 1280; # the default (1420) is not enough!
    };

    systemd.network = {
      enable = true;

-      networks."50-${wgInterface}" = {
-        matchConfig.Name = wgInterface;
-
-        networkConfig = {
-          IPv4Forwarding = true;
-          IPv6Forwarding = true;
+      networks."50-${ifName}" = {
+        matchConfig.Name = ifName;
+        linkConfig = {
+          MTUBytes = 1408; # TODO: figure out where we lose those 12 bits (8 from pppoe maybe + ???)
        };

-        address = [
-          "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4}"
-          "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6}"
-        ];
+        # networkConfig = lib.mkIf (config.swarselsystems.isCloud && isServer) {
+        #   IPv4Forwarding = true;
+        #   IPv6Forwarding = true;
+        # };
+
+        address =
+          if isServer then [
+            globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4
+            globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6
+          ] else [
+            globals.networks."${serverNetConfigPrefix}-wg".hosts.${config.node.name}.cidrv4
+            globals.networks."${serverNetConfigPrefix}-wg".hosts.${config.node.name}.cidrv6
+          ];
      };

-      netdevs."50-wg0" = {
+      netdevs."50-${ifName}" = {
        netdevConfig = {
          Kind = "wireguard";
-          Name = wgInterface;
+          Name = ifName;
        };

        wireguardConfig = {
          ListenPort = lib.mkIf isServer servicePort;

          # ensure file is readable by `systemd-network` user
-          PrivateKeyFile = config.age.secrets.wg-key-vps.path;
+          PrivateKeyFile = config.sops.secrets.wireguard-private-key.path;

          # To automatically create routes for everything in AllowedIPs,
          # add RouteTable=main
-          # RouteTable = "main";
+          RouteTable = lib.mkIf isClient "main";

          # FirewallMark marks all packets send and received by wg0
          # with the number 42, which can be used to define policy rules on these packets.
          # FirewallMark = 42;
        };
-        wireguardPeers = peers ++ lib.optionals isClient [
+        wireguardPeers = lib.optionals isClient [
          {
-            PublicKey = builtins.readFile "${self}/secrets/public/wg/${config.node.name}.pub";
-            PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path;
-            Endpoint = "${globals.hosts.${config.node.name}.wanAddress4}:${toString servicePort}";
+            PublicKey = builtins.readFile "${self}/secrets/public/wg/${serverName}.pub";
+            PresharedKeyFile = config.sops.secrets."wireguard-${serverName}-${config.node.name}-presharedKey".path;
+            Endpoint = "server.${serverName}.${globals.domains.main}:${toString servicePort}";
            # Access to the whole network is routed through our entry node.
-            # AllowedIPs =
-            #   (optional (networkCfg.cidrv4 != null) networkCfg.cidrv4)
-            #     ++ (optional (networkCfg.cidrv6 != null) networkCfg.cidrv6);
+            # PersistentKeepalive = 25;
+            AllowedIPs =
+              let
+                wgNetwork = globals.networks."${serverNetConfigPrefix}-wg";
+              in
+              (lib.optional (wgNetwork.cidrv4 != null) wgNetwork.cidrv4)
+                ++ (lib.optional (wgNetwork.cidrv6 != null) wgNetwork.cidrv6);
          }
-        ];
+        ] ++ lib.optionals isServer (map
+          (clientName: {
+            PublicKey = builtins.readFile "${self}/secrets/public/wg/${clientName}.pub";
+            PresharedKeyFile = config.sops.secrets."wireguard-${config.node.name}-${clientName}-presharedKey".path;
+            # PersistentKeepalive = 25;
+            AllowedIPs =
+              let
+                clientInWgNetwork = globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${clientName};
+              in
+              (lib.optional (clientInWgNetwork.ipv4 != null) (lib.net.cidr.make 32 clientInWgNetwork.ipv4))
+                ++ (lib.optional (clientInWgNetwork.ipv6 != null) (lib.net.cidr.make 128 clientInWgNetwork.ipv6));
+          })
+          peers);
+
      };
    };

--- a/modules/shared/config-lib.nix
+++ b/modules/shared/config-lib.nix
@ -3,7 +3,18 @@
  _module.args = {
    confLib = rec {

-      addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 else "localhost";
+      addressDefault =
+        if
+          config.swarselsystems.proxyHost != config.node.name
+        then
+          if
+            config.swarselsystems.server.wireguard.isClient
+          then
+            globals.networks."${config.swarselsystems.server.wireguard.serverNetConfigPrefix}-wg".hosts.${config.node.name}.ipv4
+          else
+            globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4
+        else
+          "localhost";

      domainDefault = service: config.repo.secrets.common.services.domains.${service};
      proxyDefault = config.swarselsystems.proxyHost;
--- a/modules/shared/options.nix
+++ b/modules/shared/options.nix
@ -53,8 +53,9 @@
    isLinux = lib.mkEnableOption "whether this is a linux machine";
    isBtrfs = lib.mkEnableOption "use btrfs filesystem";
    sopsFile = lib.mkOption {
-      type = lib.types.str;
-      default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.node.secretsDir}/secrets.yaml";
+      type = lib.types.either lib.types.str lib.types.path;
+      # default = (if config.swarselsystems.isImpermanence then "/persist" else "") + config.node.secretsDir + "/secrets.yaml";
+      default = config.node.secretsDir + "/secrets.yaml";
    };
    homeDir = lib.mkOption {
      type = lib.types.str;
--- a/secrets/public/wg/belchsfactory.pub
+++ b/secrets/public/wg/belchsfactory.pub
@ -0,0 +1 @@
+adiXfMBluP8wEs3FZbZnTvFzelwVyK3WvcpukExKuRI=
--- a/secrets/public/wg/eagleland.pub
+++ b/secrets/public/wg/eagleland.pub
@ -0,0 +1 @@
+adEWnXoSez06yuruhwIpvX4w0tUlDANk3QqAUuFiix8=
--- a/secrets/public/wg/moonside.pub
+++ b/secrets/public/wg/moonside.pub
@ -0,0 +1 @@
+DsgFwllnKQhW4Ni695UxSmfOA0uMYtceEp4WdBfNtBM=
--- a/secrets/public/wg/pyramid.pub
+++ b/secrets/public/wg/pyramid.pub
@ -0,0 +1 @@
+Lnmc2H5cplxH128TTVindy8WvTqifTFs2LLSQVT1uU4=
--- a/secrets/public/wg/twothreetunnel.pub
+++ b/secrets/public/wg/twothreetunnel.pub
@ -0,0 +1 @@
+RhpEIXDF8r6cNX++K94vhIcXb/rL+FlxC+JzOO3x3VM=
--- a/secrets/public/wg/winters.pub
+++ b/secrets/public/wg/winters.pub
@ -0,0 +1 @@
+sWDyt8uSIeWERTvzrnR6J1nRwltZp4wG+VKr9+b/xxc=
--- a/secrets/repo/globals.nix.enc
+++ b/secrets/repo/globals.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:sxGOffKdJMzWq+3HGNeIRX73Etd7acwW+wXufdCjQ2/vaN8OQRCjMxFcGkxp+OAZXF7dZSLgXvGjEOFpwHL+ote+sFqE8heebp9FtYbg6vbuk1p6Xz9EE4t0bYhi8o76QrswdkC7zzgx53cCFezojEfHXOOHlmzA+C+aPvwTkF7Cn0WbUOyb+KYYi0WtzcxzF0A24KSb9Fup4WyF0OStrV7l5H4BVXgrDBH/sdohTKznTHhrz7PfgWGpvPtRnT6o26Llh0I1vqp8F88ZVmjQ5bwpTxa/wAc/sgayWuVkU8Qf1j26vPYKluC+ZAR3jZSsHrqCKO5t3JY2t5o2A53QxpF+KqN1qUQpeGowhwfHMxAtY2VSsvS3kis7V2qM8yChfIgp/SZAcjJUp5t23eqgpBFd+IP2emhqlSy1mGN0Mii8XP8J4DyucoRb5ryAnCSyJKXK9w6dx/CeBYEMe02An8HeUytVUtGhhJ90m5vKPheovarR1CLrBgnegcfyLG2OiKwQ5F/KorQ1Hub7KJYAFBl5QsarTTiDS0BKHtQiVJgWLlTaramyi4GCTCVGDTRZwV0ordWKm6xCTkuoC9kukvnabpM3AKZAFOKL/6MLZviukkF5SiJhDQN89e8BuqWtPUkfto9XnNwkHHiqWRWkfAjCjs3wCpehX1ef0Q9xAon79VgeE7SK9qoYvVo4koD6fKWCJF5O0isvCkX8wEdoMAniNIFXReIKpVRWe7uTF40+Xlt70Y/a6RPvtJPGRYe0yfw29LlZfUwmV1XlxoIXL5aKTn2DeLhYXXqsBb6AkPh6oDPXIt5VdoThIsdlvRyiVLtFwE8Ov6pOQXYJgnRAGWzK+8qzaHyqmeiCM7k+WpbnvmdbVTCmReO/7q7eGpgF0C/6+sVES3uWqP1SWFv51G+v/58xilXL9DG+ZWZ0RNXz/mDfMtRg5CT32pIMUKiCAYvMvIF4yw9sSeWyu0ljQckIGb7l6xj3DkOlhx9PaQPEdaTVczqtOcHyfX15TXKySmHjEB4NCy1PsLoXcyFefw1flamFADyo2/+oXb/53r67T/kaMxk9T/PN1JB6DES496EVyo9TAOXdyubfo8DbEsDT8h7aUCKpFvNgGx24jBAMn/2iouxsmBUY65maVWdRodgQk+XOA5DfLbKm+LlZawuuyqoLxoIa0ix/53bxyD6U3AO7MTisgJyHA1USvdhaSmEe42ecA3voR2LXvSkRX8+izs8DwJRvtfIsTUgs1GBOgLSn6ULm1a0mFmaXTh4S6kT4ujDIYNXL53vUUVBtUaVDvnhZoXTTTgms7s3BHa69lGuadg22kHfNdO6FJ+HhXSHqz628zelJgwqjwBybMGo7xi2B9MPgiSvC0N2HFXBn54vFY1n6Af7b5jZ2cQEcjGbrjP+Lk+nN0wm89pFUxPcZEUIQWxgmQm36quh9kXj7gYaaim9Eh75vORywLwD709R8VT5BuzugcTp15aA1w5cLSpuR5TPNium+72jA8NnZQqV14380i2doUq23CXGjM38A5WF8Q+JJBCYJu1kc5fU2BEvwfZ0JJQ8QQZrMxZ48K/X8ATlC+pJie3sLByv6YqDtZyES8tldjYZ/vhopExhK1L0Bw4dNTviH0Zktx7OE9T0qVMSxOLETIRxuKLRmH2FFOHLhSn6S6SXYjK1pBTJRKGz+487Qr5SYcqqv3G2lD0khtP0L32Lr6iSedAmkJPxXyW71tvputzZPxGc1Lke/Ml69M8I92JMxggUcHkr435hPzTfrBIN3IdAEYrjB8CUYlxt7fDfxi018QTCZ+6Hs+e/Ezt3n0g7KKYvzJ3FISB7oRvTyUK1EqZI2JjHLiJK9QYOeheBiwTUK8OgLNfwy3rMpUvE4VuvAhl0TmiUcwOhbRT8ttyos5HiZC0nHUvwwIZguhK9hvZM11N3/trsFRqRlJvTf9mNEzglEDgs0mhkgnyGY1y+xm9KBZFXgG00ic+4MFsRzLn+eqmeAl12Edop916yEhZyAHfPkzshK8h1qRE5mR3N81w+PLGkRuL7XCVKNZxKODusxDfZ48yD17qtSgwUcHsovoLand3WyswdVf+7k8IxEhQ+HaeZO4As92LhFgOL+ocA2pj6zptNmgUN246egJaJUPF7hmw+DyUpmOcEcnhBYAYzVcUtNuSvMjYfjps0k/LLEYIOI3s+SWWjnx2fVQndMpnnoeWJBkw9sD6s7zQMncINttrZBkILzM4TcibegAXZzQB3HukC08HzkgvlfZ7OOt4PvsfGB0AmWkN7P+Kcvp6XxgSxadKoUwJYxOfcEMaVqBhM81DmDIrlJWDUNYcvs5Jm77isXK/xQjJPAxZfCUTrm9eDQEm45GeJ/z5OeGPMncXpKowkPoBGyjzBYDf1E3A0VrziJq7x8I8d1N2Z37UMO/l8zPpYQyrPRdrLt80cRINOUZcHnOKzSU7NPVZfmvbTtLwijbqapVGI6cPIcv6NgIBfhzPqXNhMLLr+dOQcfWAr/xICLUQhr5RrdmMvDeKJPT7gKhK00294XPg2Qu+JW6X1VPFrf+ISt4iMaJPAFhCCFYLRFlEaNScJyQN6JzERev61YTVERmFcJEicH6f0nckgT+BfvkaKDCg==,iv:6JNRrm3yUVTUXocmNbZGbMV3oS/XyWsuuHo3eHR37PA=,tag:RMHyYGpwOzCQjNUd7ANINw==,type:str]",
+	"data": "ENC[AES256_GCM,data:B46rhLphJ3aN90FqW5OvwyiKxa3Lsgfef1hj/I43vBCrndGhc6xVjL4ZqMKyddd2CLwKlwi62mBqPqThHkexB47SaJMwrml/TNVLOC16MjXNyQBVEj7ulb+Kq3juTiO9D49i809cAuy4K8Rq3XMHhPX5xyqC4cSfBLO5p7Ql/ktl57VyaDwKubd6z8iaSoF0d6Uy+MyoEKqDQBZBFHlSewxr5FIYI2w/av0Gxj88ONfcNbzdOHurU7zBhsHMO5L8YNXuU9Lmv7/Ay/Z7og5ISs0Bgje1dAdQ2/UBnodhZighZc6an+baLDH2Ja+Suc5XzSh+xxUAssGnXO7rVYKUrQhCa1gL+kTRecnYUMKdvfUbuQRjAqKQbFFGTAdHggJOQeoWcl60YpC3M//XVue6lG8RQrdiqJZ2jI9IzWKrt4dBXJh+nwew9xvZQQfeR2EcsYSt2cGZPUdfkL+CgasE64J7DaBtG+sorMjM8kGZK7pBqfOfNcHN0tlzdee5Bkc4QdsboW2PfmnYq6pa4S8ysSiqZ8mg42lSHbaVP8cET5bVi3JObqqaoR8ohMdo3ofih9FWuu1ovdtK7+m5dKwp15oWNUICWtNbWi5HqeoSYSDbjZJaIxY2wy3U4ULcUMShYwa9kRcKeTD1nsWF53J+Nkj+p22vxxOJ2crb2fzMpqv4whTxciY2uQ7PVljTW6O45Y5JeY4z2HEEEvZhz+XwQZjlki2AlA0CRpbOH10UHOMYzISZTCJKJyEFt9EmeCdIstYJCtYap7KdCOTmwrqnRuZByBgv6ZIwRwXUCI+hANTHOR1D+0nCZaURmW7gIKJ8pr4prUvA0e88i6pFWIBPSWkwsaZW4eO2YCgQ5TDjCdV5X1BLmcSGVa69FGb2tlVHN2B4WFhXYscZyGMvdfOiENLBVic+cxXd3RIqlEwaMew7E8hd92nwHKSkkb2yphMdPRLM22ruCI0jA1lrEl5GAL74f2+5loa23QeEtoxtYzfCCHi8vbNNdkeCfDBJCpORysOvuUOgqg+ZdVJQ29iug0rDXmTNkoxOm04C4WI4TEbMniLGcBDPH0re+oGsxwjmBUO5Nbjo/CnZNF1z7COGIY1U1KLAg1HAjy/pUt6c2SbDazBysBClVuubb7ghBdRiKWzZtWLQk6m9fwm9z8nMocNjmYbDLhp5MnrnuCA7JnyqU0TpvuJoGDy9vyQR/JKp9AAUrT//C69gdWsc83uRoLs8qtyU3YU42ey4+8jBh+opVYbKsz3NfNwnUSrGoLCb5qn6Yun+uD/95ljNCr/m5ec4kZEHBTrC9b9KU0cl8wYM/y81KA5eL4Ao0Ns7iP8YoKmQOOwmKPkWLsl1fNzr1SXjKGu+YaoF8pTHGGy697cq7aD33kxsUCL94nN20zzCeYoIEXKA2qw7tOPBrQZGMTKg8rDAK2gHZRqNRbRplhUegznTRl/ss78NDvBaVyE/DQGlWA3gEOX8CV8RyBA011LFUpbaAbqKpsiBp25YHTN4D2bLR8J6uT8Dgw23FlsDd+PG6q4T3B8pDvXERfVsORGBzAhU/Hmdnr06K1zgz6fpY/YUgrYGHCdto7+WMxMXbF6pxZVZQW7L5CtQJ1s9XdQ5lT41ddFISeQx6xpE5QxhBUzwA5kinHNzbNPHrW2uRLZQ/5ghVObyKokChZdMnhBR+OLmZdx0dBWl9Ym4IQpA/r7BqeGhvZBUlQBfq/gen+RNqzhhU7jXGyQjiC8k2UiKLzS2BaPYnxrMhTOkTEtb+GwGnQyKXXNhWspu9ETOmcSMvCXrhsq91oY5SKgBy6c0h/qtAgS/UFB70BRPjjfX68qRtyfCjJbAIAtGJcct8soOa6HBqnV1keb66eZRzYWkrHGUgRYx0aJ+LmrGhfLtW1vCjKoHCXcveZELF9Vm2FVsED9RIeNiaeBAtKhx/ibmPO2VlTHVAgB4fZ3Zo3b/kkXEULlcTAL6jLMiyysjyVHHD7iPkt++8UU4Xz4m6/Z/raGQMToeNOnUMQdCGKxvigrj/xql9DGta8QzQv6btj33mRxw7OMN0dZUe0GaYLRjyUF2h4rBpYRQSk5GUgn+JXFef+tcCmJVwTRlbAMfrXvOFNFhTexH4Ap3Sct/Rltm0J5ZBQFhOVpeJCA2c9o1aEF6xL01cQrz9nBYUvCfOgmm10js5dEu737mNsKH4uyVre+VD2NdJTy0nhIw80PfRaRjhyKfptPn4zMVZcqQaWpHLY20F/1FuGUPf+CM+t6GF4Su4GvLZ1DLzxVGZymhK5Kjx6HI/h29DkKRZfhV4DIu0j7cSqgaFde1rAXV9KlvrGCA2gQgEI7wlcJ6I/4iWwL0DDRuUWPdedKlhaSehab3kEl2xGE1u9hn8cTK5xy8Q/qdnOrMDR74852gT6qz1Jl7/sG5j+I47Mi1kCmjVKRlolbvh/IVW1dRccuXCrBzbmGOnTcTvIwIKr8MAb7li5WjlbpyBP9V2zk/fFn+F3P9agVL1MupW7RwCeViG7BOUru4l6qGlwfkgCCcUkJz/Cr4aL4BA9bHUuQ1OOz4ml15ukEqxpBymIetQjFvNLSHrfc2CPZQbwAk5gaxMda+uvy8uMqhQW3WUUiPfIamx+ZfXO/johhrN6nSe2sisQXMjVSCDGR0J/58PAMtkIRfGRtAjcbh5NXg/i4vZkcEWLbQ+QwfXfF2KDcXudzkOSyNyXCCPrGIKWay6GkB/dTjl1O9Wwj6hrniDYTGp8b/80PEQmIl9uQJYN1MS/tm/ehUJPuaaEDcqdQgIUNMBABpqjPN1ynJsIC+5YCoB0iVbUsNsHIzEkdl/kOGEHQgHkxX5V9I9eQa7RIWzHBN00V3hqIvTQLHhB14HydZwe0X+rc8qAJzvk9uM4gYvB4uZZcdhASoWrJzitv2P+Tw0uNz2TWSrJLswk3c9GU4AhP2ztT5xFsai1XfTGxdq3QvNjH3Jkv4raUm4uloPdEiAHsRj5kW0trZTqKxfvHd18HQY0dFSGylEzaKIyJSwf7rz06xUg==,iv:dHojDlbXWHw/EkpZkAJjT25TRh5vvVUxRY+Y9pbFBxA=,tag:E6DwDyrk79dS49wjX9XLag==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -51,8 +51,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYjdYN2h3eFJ5K01Vb1Fa\nckF2aTNSRkFVeHI4b21vNjhZcHNzV0tMYTFBClQ2VFJDb245ZzhybmhCTEMrS2h5\nUGNlM1pEUzlmSTBTK2tRb0xrc0hCTXcKLS0tIGtuUXVzMTUzT0IwWXo0SWRQNHY5\nc1JyZ0NLblpBWXEzSVNxc2R0Nm9mc0kKbKkbLE4+EWSu+k/Alt47O3ADYFuTZuKl\nIeoJagaLNFSfmT78+KWmhW8pgsTN5nh7wk4qH/WALYgMfy03rdLPzQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-02T10:25:26Z",
-		"mac": "ENC[AES256_GCM,data:sIWxzlxMc7/NgSa2AeOx40GyOCCpNnPiQU4soVahKcbv4ydiBk0/utqV+25WRMPt+YvY0sSYVdl5O4F516vf5XYL1C83jXWM3Yi6Y75BQKkbZBsiG0tNTY3A3r4wbWwOx95UbxzmwKyx9EuzCc8NmXVpemnfiy6b4EIdttz8bSc=,iv:K7cec/NfyMZQgQu0gloM1uVx1DEG+CCpnBL8OIYPzCk=,tag:qNVd1BrNdHYqbV6mqjwF3A==,type:str]",
+		"lastmodified": "2025-12-04T23:12:18Z",
+		"mac": "ENC[AES256_GCM,data:PzZro7emdnVU18DBrLzIcsJgFk8WzNT9uTZydHlHsdDZj2zTwQFrvQ+T6I8ZMDJ8e4DISC9yGcmMYIm/LebGUROGUQHIBfKH7VpWOaFUZj8N0FksQGdWso/Q83jO7TPMQXqUg80WIBT00hoNgWznZpHR15TNKJSvGo91Wrb0Ms4=,iv:UHL+biMhOOXZ2IRLhH7gQTg01VuwyqS2xOjfhqGzjpI=,tag:9Va8ieM8upWt0Mxk4rJ6cQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-02T15:47:02Z",
--- a/secrets/repo/pii.nix.enc
+++ b/secrets/repo/pii.nix.enc
--- a/secrets/repo/wg.yaml
+++ b/secrets/repo/wg.yaml
@ -0,0 +1,150 @@
+wireguard-twothreetunnel-winters-presharedKey: ENC[AES256_GCM,data:v+RyEcJh7dSBuOUgJFG6f3C8CYchEDy1mk2vUXlJbeeqAFcU3d9/M7QbHz0=,iv:GGJ61LsTq1lKcg0xjO3Co1PVqGW56Tgb0dWtT+7suz8=,tag:WCAsVbBsOeo7xmqRwdCinA==,type:str]
+wireguard-twothreetunnel-moonside-presharedKey: ENC[AES256_GCM,data:vkUcgip1lrYEYwcbLF5WSPUK8m7ouuyDtVykcl4Lah21asBhCmDtqqNzvvw=,iv:1zVhRsxLQvBpHcSjcswwSCotelZk7SWI9NkXdrAS21Y=,tag:0DvNJMaiYl93flbjNQBVwg==,type:str]
+wireguard-twothreetunnel-eagleland-presharedKey: ENC[AES256_GCM,data:5JMTgXPcRzcr3GfGinAeLvldweArGyB8gyqRNtxlKa1RPY9pPa7s8Pxhdng=,iv:Mk6fLKpf8XbSGEU8b/j+ZZcQxcxhKGHRPSmk5Q9lrXQ=,tag:GACQf8x46LVQMwrlp6+NSA==,type:str]
+wireguard-twothreetunnel-belchsfactory-presharedKey: ENC[AES256_GCM,data:MKla1VJiFzpWxrxXA+FUU10KQmrO926wKdBCM0tQDvkQWrR1FpvbbeBfdzM=,iv:5aIhbhiAsfIXUojuLwRsuhZAPvGkORZTOo+0Rc5/bpY=,tag:nG++1kDULmAMfCx0a8P40Q==,type:str]
+sops:
+    age:
+        - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYmRmMVVWaTdBVnZKbm9R
+            NWFVbU50MG81MkdlOG10SGxjV2dJZnpXSXo0CjMyTDVlL21VZ3IyMlU0QWtKUHEw
+            Q3JJUmk2V2YwQmZwWFZTb2s1b0ZpSEkKLS0tIExTTWVvZEQzNWNZeGNIcmx2VGFI
+            eHdyenQvanJHRDM3NFhraUIyYkxlMDQKTvBLW/m4OI5o3vP6zCf5t8U32enklnMH
+            2HMl+atAb6ES0IztyFrXt5652J2/N/OSXUVO5jjGkJw1UEIpkliGlA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcnBrc1VLcTRTemdEaHh2
+            VUw3QVVyWlNhUXlBbEVEWERycmFWNml0SUZVCnNLK01PQmg0eE83WmlKZDNNVDVs
+            VkZURWs1SzV6NmNpODVZckhqdHcrb2cKLS0tIDJPeVYxQ3kxTWVqTGZZNUFwc054
+            Njg3WVN6c0psay9kMFRTL25tMVgrdEEKrpTRsh9AIOxUiZ/K5ZEyxXn0cNaVOkuM
+            oUL2dUUDzcrx56MutkEJG28BFDJOvHg+/Jh60Claw1o6s9zNw1MUvA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSXRFdUMweXBtRFFHTmg1
+            L2JHb0F4ZnYrVk5hVHhYS1FPQzZoUHpYYUNzCjNnK0hrdkljaE94K1NPY0pITit1
+            Y1AzMFpHMWRSMjFEbzhMdkZxYWNENjgKLS0tIFg2bGx4dnNpTk1LNDI4ZlJYT2p0
+            K1U2TVg0enRSQ24yK2NmVG1ZSXdnYjAK4Byo/3S8dIxIeBeTWVdpH4vz7zsxn7nw
+            rHGYsgi7QveiIjFPHODhqmGXviLkc7PoyHpeEtawim9U/xVG8yiUDA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2d0tkdnFYQXhvRnZWUzhj
+            UG96VC9iYnhUbEk5RXhKdWRWSjFDM3BzaldVCjJjanFyYTU0NEFBMmNNWnpOOEo5
+            OVI2blFxRG45QmZnaU5XaEZuYzFYY0kKLS0tIGhtc2pHcU5zazl5V1JMelorSW0r
+            TFZ4MkJaemxNdDBCaVFITEFSQ3FnYWsKnwhXVO81u7apioH0puixiy+N6zfvNy1b
+            dqWYCpquGC6PYdFnl6Dh6BQrbuYnNay+qNdTks2O5ZB5GEOPqavLMg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYckNJZHlhZFAybE9Ic2Vh
+            NDVmU0lFblk0WHhxckdLWWRPelljNUpIcG1BCjY3Y1ZFMFdTNDFZM295czZTVnRy
+            UzZ5aU9HeExFQVRzZlY3dmFpK2VuSlkKLS0tIEVxNDNVS0pEV29zWmRIRTh5VExi
+            bDd6WUEzanVUdWE1V0RKMTkvS1p0WkEKOzmnKSoyR7w9dtelAHKu/2YNckVNGuDJ
+            YkbtT+uPpKZ8JljWmNtngswDpWXk9FqOd5d9I/DDVLd2SNfKHBWdZQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRmUxUjhYd3dmOHVmUUtZ
+            dEs1VnAxSi9VQXZYOWgyOXRDZ0k5ZEVQMHdJCk9FQWRxOWVZSnJGSEVRNkREMnFk
+            S1NpUGFMSExtNk90UG1lL2dyY2xGRjgKLS0tIG8vY21FR281aGdseDFHSHRPM3NF
+            Y3M3WFF6ZmhSSFBCV0dEYUU4cVpvSXMKOFgOws7JRqa4UEmaFDWaS2O9e9VaK6jD
+            O1M3ktT9zRAGEY3qpTHkO+J87l3sTWrqMpS/VnRTIJ54W2WVYJ7S4w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlLzRuNVBsN28xQ2x1L2pZ
+            UXIvRXY5NXBXTk4yM0tVMEpXKy91M3F5aW44CjFpanUydk12c08zMTlzc2o2Y0Z2
+            RDNlQjl3cGRqb3F4OG04QStFSkRpSUkKLS0tIGVWNDR3d2I3V3k2WC9XVWtobTFw
+            ZTR4ck8rUzdxVDhSZjdiZGxDNjBCcWMK0g3p0a8ZZYweVwxlGWk+qGjntMui3tdC
+            +d+L1ZHwzPOsrJrxk7TrihXF+g9bAHMBs9gdWkLzfUCD3sU7AGQ+Sw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcGsveTBCSFFaRlFTMERL
+            V0Zrc2FoYTE3Z0E4WDl2cGh2dk9kT1dpbjJvCitpVnpTcU5KK2hPblpKV0swNGxG
+            WHVDSGliVWZHbStyREk3SGdtcmdwb2sKLS0tIExJMklNL0h0M1BzZnRZbmEzU0tK
+            c0U0UDNlbXdLR3ZsSXNmWU95L2NBWDgKwOUPJU7ODCP4BE8bsUO9/JPkP0OjKbko
+            LidaW3y6hqL5Ev0urYQoEFkTi6pjgdRTykM/OOkgCXLuLKto/tC/YQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTK0pLbnYxRUlwRFRGSDNu
+            ZlArd2RFdmQ0SkFibERuN3pId3dsZFF6ZVhJCkNsZVJoQXhEUEFTSFJueTdBcGFj
+            R0QwZGxxckRCR2hOTHJ0ZTFtdWJDdmcKLS0tIHB3aExabEFsUWFvbGR5ajJsakZZ
+            RFBrOW5WVk53dkNtVlBqbUdaTTc4MmMKABtghH/jogivVfVgLAz1r+wxHj+btuBj
+            kmjYq/hXrEh6OHxuYBmOp5IDLz3xDxwYz0+Ab+D8pdEQBLarnHhBcg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkR29hZDNJdGMrUWNvaCth
+            Q000WFFXeVZCMnVEVlpGUmFDdmtEOXJ4Q1ZFCllSSDRwUVRrRmcrY3hqZ3ducUZt
+            Nlg2TnRsQzBYZitITlhPcDRwSnVUM2MKLS0tIG5mQU15MG9HOER3dTZsaFJUQnY5
+            cUtqL0hnZVVraWJqM1o5Z1o4SXc5SGcKKT+nTkdT+3UejhHG0BTfNW5oF3bCybnf
+            BzGS0X33zBX3u/sALV2xD5DG2GbeEyLHFjuamjRsdKEy3X89McVEcA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNFBiYTR6eFVZUTAvSU8r
+            UDgwZjZtNWhaTWJmb1NTNFErbGxzeWJpSEV3Cm9wcmppQkN6d3haTHNlZCttZk56
+            THord0JNZWxvSlFxTmx5MEZZdjVQb00KLS0tIG82Z2JRZUJ0a1BKdnFLQXhuWWd3
+            SFFqd2orcDVHdFBybUJiZGlXWG1WWDAK37RnefrZWgy19JCmHWwCEkaZg7bI6hfT
+            eMQf656dnHXUwDQEFkP0gNKh4s+V0yjDJ9+VkyZz5TuHwBHijUnQIg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMTh4eE9yNXBZQVpBOEhZ
+            TUh6R2JpZGE5ODVPV25pWHFhWmpocVhQN3lJCjNDVDR6TDY1UlVGSnBVVVcvdHJy
+            S0F5MXVLNFV2ODE5NXZoMmRmN1ZEOWcKLS0tIFJETmR2Z0FaNmlpVGxacXV4WEZB
+            NzRVODJ3MGpsUjlETzdPTHE3Y2oydEUKnhWFgLZGMb/9eP0IMsj26tZ+EHACszBv
+            ALz3f5aiAivzdCS9tRilWb5MO6MCr3JvWJbApblpoDYcFRvg9jHIpg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-03T15:54:14Z"
+    mac: ENC[AES256_GCM,data:yPPp6WQvcMB6mV/V62Y0Ki8Fq2trV3HKTykP5HD7J7ZgUiFNmLPbAApMeefe7Bb8pF7ETrkjRhET7/pXJX7anaOd6Y6pCyF75/xQDzwJ0Ac3FSPgeoOwlA/W+OrRMm9Hla9Q5gNPzgYirIHXoO+aScLcTQp46tiQv8B0Ol0ZSoI=,iv:eIT/EcVpWk79eerrxqy7AqtqNtpJi5sOIe0wmHRjYfI=,tag:4KPyZE9s62fCisjgihH4Jg==,type:str]
+    pgp:
+        - created_at: "2025-12-03T15:47:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTARAArr7faxZOuvStuHza22knsgn/P5bF+iycV6q0xWNC5GWr
+            6Dkpbe/8lvMAhpivjHrB7YsUQue/jWWv4Gx1gjMI/nkLxx4oWPu6lfLoc4e0tBmB
+            bW/S2oWoImGDaW0zTIZW9tK/cNcagFmIh+dJsSfmToTdiY26eoRlomQac98hJW6e
+            ydrnHpmDzs4VE+ZsXsNM3vf/hplicDkHLdY0DDYkDokRyhOHg9i7sod/rijnIa70
+            12tfTAvNL4UYrvQJGNmd/aZ2FwXGt+sXMc/DX7WnY4rJbJZqh2kqp3FGfqtrT+0H
+            lMxUOwqX4bzAcjpL0TLKf1gy0Vc3FFvvzQ7Q1CYDbAkT7NoU4KFPbFjI7iKZkZLa
+            9yuc5FHKkpIucia28FAQssFPaCbyq53XcJuxhdrViGiyEDMbha5wy7JOo5Skjoo6
+            xdsKgqE1xaieYSsZ+PRrhfWV0kprbG4vQdmnCyR2I5qv3QFpPTpR1xcmAZLYzft+
+            8LaZwJNcc0SFwAZ5iEfL+S9p22RkS+rNvxtUnpJV4iObBJA38PW4Y2aqExUd8XbI
+            Y7SXGosjUX8v1bOsrug4O8iSsT5/Phzpdz4en7idJPKeZ6WkwEjdMpM/NTtF9L5M
+            Oy3wC9GY3X/tjtYnXzckJMRYr3Os1RkSMfOzwrNFKZsgBKbYykK87gfvqNAKAD6F
+            AgwDC9FRLmchgYQBD/95PlEzNmf4hsr9gXOXtZXYeIp7EaCtqAlszdmku9AP13gp
+            M/boBG/NFvyY/dKqrsl9k3J3nY+u1ovP7PG5H/RhpuxyYRbI1agtp7Oki1VA1PxX
+            kfSCdKjzscMP1qcDGyvRABWhCiwWG6j5yNqLjWmgNadL6TmC0oQyMqtCtVok9GrJ
+            v45AdZwhimUv2nv0zWvzmuexJyOoagWp8WWHRrO9AZ5JtYC43joOEJ3NA7TtdmJw
+            6VZFmUFLT8KRRFlvcUNFQFBgJCwF149KLoc/m1MGkjaOLv30JdP5dy+tK04eDEpc
+            7eQkpC7xbSwbHEfq/yuYgUpB6fJ37VwvbZNZnKai4ae/AHy0aZWBiZW9zYYyWNj+
+            WSMI4kAGL4om+Ac4sgURqOwfTvRdhB4PllhL2MtYIiBoE/KMExY3usGXHYn/wVvG
+            Op0EZM0u6Qioh1js8J0QrSFflyjvivZVL9GTC3fxZIRDzOvrJqfWOQ1PZAx0E0O1
+            +rl+0acxEg4vc1eaTn07KpWAGaq9Zo9O1EJv2qECa8eNYPLhV5Lcn38rMCbcofwi
+            Z+FgnML0UOcSd1TjFLnetjK96TqtxSduBojM/f+cF4t7KsY/areRBDqJlojWjHNr
+            EdE1KhDcK4qGHZZRMQdzkYH38GpnrZfGmbuqrcwGNcCCIjaiWvmgabps42a/T9Je
+            AUTTLrZwQB5hUN+w92Wr5/aYVMBKxpYoYJ6P8RUUI4irVtn0bu65GdvpEtrxsLLo
+            cPrfieTqFye9yXM+668Tqt/lykHHFWBDP6I/g4Rhtxj+zvDCbB3Aedcz2bzV/g==
+            =xmwy
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
				`@ -0,0 +1 @@`
				`adiXfMBluP8wEs3FZbZnTvFzelwVyK3WvcpukExKuRI=`
				`@ -0,0 +1 @@`
				`adEWnXoSez06yuruhwIpvX4w0tUlDANk3QqAUuFiix8=`
				`@ -0,0 +1 @@`
				`DsgFwllnKQhW4Ni695UxSmfOA0uMYtceEp4WdBfNtBM=`
				`@ -0,0 +1 @@`
				`Lnmc2H5cplxH128TTVindy8WvTqifTFs2LLSQVT1uU4=`
				`@ -0,0 +1 @@`
				`RhpEIXDF8r6cNX++K94vhIcXb/rL+FlxC+JzOO3x3VM=`
				`@ -0,0 +1 @@`
				`sWDyt8uSIeWERTvzrnR6J1nRwltZp4wG+VKr9+b/xxc=`