diff --git a/.sops.yaml b/.sops.yaml
index 46194ef..52f4dee 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -20,7 +20,7 @@ keys:
     - &winters age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
     - &dgx age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
     - &hintbooth-adguardhome age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
-    - &hintbooth-nginx age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
+    - &hintbooth-nginx age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
 creation_rules:
   - path_regex: secrets/repo/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
diff --git a/SwarselSystems.org b/SwarselSystems.org
index 4942346..f9d9fe5 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -4811,7 +4811,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
       postgresql = true;
       attic = true;
       garage = true;
-      hydra = true;
+      hydra = false;
     };
 
   }
@@ -10554,7 +10554,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
     - global IPv4/IPv6 forwarding is enabled via boot.kernel.sysctl so this host acts as the main router between all VLANs, the WireGuard network, and the WAN (untrusted)
 
 #+begin_src nix-ts :tangle modules/nixos/server/router.nix
-  { lib, config, globals, confLib, ... }:
+  { lib, config, globals, ... }:
   let
     serviceName = "router";
     bridgeVLANs = lib.mapAttrsToList
@@ -10565,7 +10565,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
     selectVLANs = vlans: map (vlan: { VLAN = globals.networks.home-lan.vlans.${vlan}.id; }) vlans;
     lan5VLANs = selectVLANs [ "home" "devices" "guests" ];
     lan4VLANs = selectVLANs [ "home" "services" ];
-    inherit (confLib.gen { }) homeDnsServer;
+    inherit (globals.general) homeDnsServer;
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -10603,7 +10603,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
 
             rules = {
               masquerade-internet = {
-                from = map (name: "vlan-${name}") (globals.general.internetVLANs);
+                from = map (name: "vlan-${name}") globals.general.internetVLANs;
                 to = [ "untrusted" ];
                 # masquerade = true; NOTE: custom rule below for ip4 + ip6
                 late = true; # Only accept after any rejects have been processed
@@ -10612,7 +10612,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
 
               # Allow access to the AdGuardHome DNS server from any VLAN that has internet access
               access-adguardhome-dns = {
-                from = map (name: "vlan-${name}") (globals.general.internetVLANs);
+                from = map (name: "vlan-${name}") globals.general.internetVLANs;
                 to = [ "adguardhome" ];
                 verdict = "accept";
               };
@@ -10650,7 +10650,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
               late = true;
               rules =
                 lib.forEach
-                  (map (name: "vlan-${name}") (globals.general.internetVLANs))
+                  (map (name: "vlan-${name}") globals.general.internetVLANs)
                   (
                     zone:
                     lib.concatStringsSep " " [
@@ -10827,7 +10827,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
   let
     inherit (config.swarselsystems) sopsFile;
 
-    inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -10836,9 +10837,6 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
         calibre
       ];
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
 
       users.users.${serviceUser} = {
         extraGroups = [ "users" ];
@@ -10859,7 +10857,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -10876,30 +10874,14 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
         dataDir = "/Vault/data/${serviceName}";
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
+
     };
   }
 #+end_src
@@ -10912,16 +10894,13 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
 #+begin_src nix-ts :tangle modules/nixos/server/jellyfin.nix
   { pkgs, lib, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       users.users.${serviceUser} = {
         extraGroups = [ "video" "render" "users" ];
       };
@@ -10948,7 +10927,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -10963,33 +10942,15 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
         # openFirewall = true; # this works only for the default ports
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-    };
 
+    };
   }
 #+end_src
 
@@ -11001,15 +10962,13 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
 #+begin_src nix-ts :tangle modules/nixos/server/navidrome.nix
   { pkgs, config, lib, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
 
       environment.systemPackages = with pkgs; [
         pciutils
@@ -11048,7 +11007,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -11119,60 +11078,71 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
         };
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = true;
-            oauth2.allowedGroups = [ "navidrome_access" ];
-            locations =
-              let
-                extraConfig = ''
-                  proxy_redirect          http:// https://;
-                  proxy_read_timeout      600s;
-                  proxy_send_timeout      600s;
-                  proxy_buffering         off;
-                  proxy_request_buffering off;
-                  client_max_body_size    0;
-                '';
-              in
-              {
-                "/" = {
-                  proxyPass = "http://${serviceName}";
-                  proxyWebsockets = true;
-                  inherit extraConfig;
-                };
-                "/share" = {
-                  proxyPass = "http://${serviceName}";
-                  proxyWebsockets = true;
-                  setOauth2Headers = false;
-                  bypassAuth = true;
-                  inherit extraConfig;
-                };
-                "/rest" = {
-                  proxyPass = "http://${serviceName}";
-                  proxyWebsockets = true;
-                  setOauth2Headers = false;
-                  bypassAuth = true;
-                  inherit extraConfig;
+      nodes =
+        let
+          genNginx = toAddress: extraConfigPre: {
+            upstreams = {
+              ${serviceName} = {
+                servers = {
+                  "${toAddress}:${builtins.toString servicePort}" = { };
                 };
               };
+            };
+            virtualHosts = {
+              "${serviceDomain}" = {
+                useACMEHost = globals.domains.main;
+                forceSSL = true;
+                acmeRoot = null;
+                oauth2 = {
+                  enable = true;
+                  allowedGroups = [ "navidrome_access" ];
+                };
+                extraConfig = extraConfigPre;
+                locations =
+                  let
+                    extraConfig = ''
+                      proxy_redirect          http:// https://;
+                      proxy_read_timeout      600s;
+                      proxy_send_timeout      600s;
+                      proxy_buffering         off;
+                      proxy_request_buffering off;
+                      client_max_body_size    0;
+                    '';
+                  in
+                  {
+                    "/" = {
+                      proxyPass = "http://${serviceName}";
+                      proxyWebsockets = true;
+                      inherit extraConfig;
+                    };
+                    "/share" = {
+                      proxyPass = "http://${serviceName}";
+                      proxyWebsockets = true;
+                      setOauth2Headers = false;
+                      bypassAuth = true;
+                      inherit extraConfig;
+                    };
+                    "/rest" = {
+                      proxyPass = "http://${serviceName}";
+                      proxyWebsockets = true;
+                      setOauth2Headers = false;
+                      bypassAuth = true;
+                      inherit extraConfig;
+                    };
+                  };
+              };
+            };
           };
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          };
+          ${webProxy}.services.nginx = genNginx serviceAddress "";
+          ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
         };
-      };
+
     };
-
-
   }
 #+end_src
 
@@ -11391,7 +11361,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
           };
 
           local-to-podman = {
-            from = [ "local" "wgProxy" "wgHme"];
+            from = [ "local" "wgProxy" "wgHome"];
             to = [ "podman" ];
             before = [ "drop" ];
             verdict = "accept";
@@ -11403,7 +11373,6 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
   }
 #+end_src
 
-
 **** matrix
 :PROPERTIES:
 :CUSTOM_ID: h:1e68d84a-8f99-422f-89ac-78f664ac0013
@@ -11413,7 +11382,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
   { lib, config, pkgs, globals, dns, confLib, ... }:
   let
     inherit (config.swarselsystems) sopsFile;
-    inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
     federationPort = 8448;
     whatsappPort = 29318;
@@ -11432,10 +11402,6 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       environment.systemPackages = with pkgs; [
         matrix-synapse
         lottieconverter
@@ -11509,7 +11475,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort federationPort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -11715,61 +11681,73 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
       # messages out after a while.
 
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            listen = [
-              {
-                addr = "0.0.0.0";
-                port = 8448;
-                ssl = true;
-                extraParameters = [
-                  "default_server"
-                ];
-              }
-              {
-                addr = "[::0]";
-                port = 8448;
-                ssl = true;
-                extraParameters = [
-                  "default_server"
-                ];
-              }
-              {
-                addr = "0.0.0.0";
-                port = 443;
-                ssl = true;
-              }
-              {
-                addr = "[::0]";
-                port = 443;
-                ssl = true;
-              }
-            ];
-            locations = {
-              "~ ^(/_matrix|/_synapse/client)" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
+      nodes =
+        let
+          genNginx = toAddress: extraConfig: {
+            upstreams = {
+              ${serviceName} = {
+                servers = {
+                  "${toAddress}:${builtins.toString servicePort}" = { };
+                };
+              };
+            };
+            virtualHosts = {
+              "${serviceDomain}" = {
+                useACMEHost = globals.domains.main;
+
+                forceSSL = true;
+                acmeRoot = null;
+                listen = [
+                  {
+                    addr = "0.0.0.0";
+                    port = 8448;
+                    ssl = true;
+                    extraParameters = [
+                      "default_server"
+                    ];
+                  }
+                  {
+                    addr = "[::0]";
+                    port = 8448;
+                    ssl = true;
+                    extraParameters = [
+                      "default_server"
+                    ];
+                  }
+                  {
+                    addr = "0.0.0.0";
+                    port = 443;
+                    ssl = true;
+                  }
+                  {
+                    addr = "[::0]";
+                    port = 443;
+                    ssl = true;
+                  }
+                ];
+                inherit extraConfig;
+                locations = {
+                  "~ ^(/_matrix|/_synapse/client)" = {
+                    proxyPass = "http://${serviceName}";
+                    extraConfig = ''
+                      client_max_body_size 0;
+                    '';
+                  };
+                  "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+                  "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+                };
               };
-              "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
-              "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
             };
           };
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          };
+          ${webProxy}.services.nginx = genNginx serviceAddress "";
+          ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
         };
-      };
+
     };
   }
 #+end_src
@@ -11784,7 +11762,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
   let
     inherit (config.repo.secrets.local.nextcloud) adminuser;
     inherit (config.swarselsystems) sopsFile;
-    inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome dnsServer webProxy;
+    inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules;
 
     nextcloudVersion = "32";
   in
@@ -11792,10 +11771,6 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       sops.secrets = {
         nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@@ -11832,31 +11807,14 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
         };
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size    0;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
+
     };
   }
 #+end_src
@@ -11869,16 +11827,13 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
 #+begin_src nix-ts :tangle modules/nixos/server/immich.nix
   { lib, pkgs, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       users.users.${serviceUser} = {
         extraGroups = [ "video" "render" "users" ];
       };
@@ -11892,7 +11847,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -11913,44 +11868,28 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin
         };
       };
 
+      nodes =
+        let
+          extraConfigLoc = ''
+            proxy_http_version 1.1;
+            proxy_set_header   Upgrade    $http_upgrade;
+            proxy_set_header   Connection "upgrade";
+            proxy_redirect     off;
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+            send_timeout       600s;
+          '';
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
           };
+          ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+          ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
         };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size    0;
-
-                  proxy_http_version 1.1;
-                  proxy_set_header   Upgrade    $http_upgrade;
-                  proxy_set_header   Connection "upgrade";
-                  proxy_redirect     off;
-
-                  proxy_read_timeout 600s;
-                  proxy_send_timeout 600s;
-                  send_timeout       600s;
-                '';
-              };
-            };
-          };
-        };
-      };
 
     };
-
   }
 #+end_src
 
@@ -11964,149 +11903,133 @@ This is my personal document management system. It automatically pulls documents
 Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml='s. This is needed for e.g. online services that only send their invoices through email body text.
 
 #+begin_src nix-ts :tangle modules/nixos/server/paperless.nix
-  { lib, pkgs, config, dns, globals, confLib, ... }:
-  let
-    inherit (config.swarselsystems) sopsFile;
-    inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+{ lib, pkgs, config, dns, globals, confLib, ... }:
+let
+  inherit (config.swarselsystems) sopsFile;
+  inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
-    tikaPort = 9998;
-    gotenbergPort = 3002;
-    kanidmDomain = globals.services.kanidm.domain;
-  in
-  {
-    options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
-    config = lib.mkIf config.swarselmodules.server.${serviceName} {
+  tikaPort = 9998;
+  gotenbergPort = 3002;
+  kanidmDomain = globals.services.kanidm.domain;
+in
+{
+  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
+    users.users.${serviceUser} = {
+      extraGroups = [ "users" ];
+    };
 
-      users.users.${serviceUser} = {
-        extraGroups = [ "users" ];
-      };
+    sops.secrets = {
+      paperless-admin-pw = { inherit sopsFile; owner = serviceUser; };
+      kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
+    };
 
-      sops.secrets = {
-        paperless-admin-pw = { inherit sopsFile; owner = serviceUser; };
-        kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
-      };
+    # networking.firewall.allowedTCPPorts = [ servicePort ];
 
-      # networking.firewall.allowedTCPPorts = [ servicePort ];
-
-      globals = {
-        networks = {
-          ${webProxyIf}.hosts = lib.mkIf isProxied {
-            ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
-          };
-          ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
-          };
+    globals = {
+      networks = {
+        ${webProxyIf}.hosts = lib.mkIf isProxied {
+          ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
-        services.${serviceName} = {
-          domain = serviceDomain;
-          inherit proxyAddress4 proxyAddress6 isHome;
+        ${homeProxyIf}.hosts = lib.mkIf isHome {
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
-
-      services = {
-        ${serviceName} = {
-          enable = true;
-          mediaDir = "/Vault/Eternor/Paperless";
-          dataDir = "/Vault/data/${serviceName}";
-          user = serviceUser;
-          port = servicePort;
-          passwordFile = config.sops.secrets.paperless-admin-pw.path;
-          address = "0.0.0.0";
-          settings = {
-            PAPERLESS_OCR_LANGUAGE = "deu+eng";
-            PAPERLESS_URL = "https://${serviceDomain}";
-            PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
-              optimize = 1;
-              invalidate_digital_signatures = true;
-              pdfa_image_compression = "lossless";
-            };
-            PAPERLESS_TIKA_ENABLED = "true";
-            PAPERLESS_TIKA_ENDPOINT = "http://localhost:${builtins.toString tikaPort}";
-            PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:${builtins.toString gotenbergPort}";
-            PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
-            PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
-              openid_connect = {
-                OAUTH_PKCE_ENABLED = "True";
-                APPS = [
-                  rec {
-                    provider_id = "kanidm";
-                    name = "Kanidm";
-                    client_id = "paperless";
-                    # secret will be added by paperless-web.service (see below)
-                    #secret = "";
-                    settings.server_url = "https://${kanidmDomain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
-                  }
-                ];
-              };
-            };
-          };
-        };
-
-        tika = {
-          enable = true;
-          port = tikaPort;
-          openFirewall = false;
-          listenAddress = "127.0.0.1";
-          enableOcr = true;
-        };
-
-        gotenberg = {
-          enable = true;
-          package = pkgs.stable.gotenberg;
-          port = gotenbergPort;
-          bindIP = "127.0.0.1";
-          timeout = "600s";
-          chromium.package = pkgs.stable.chromium;
-        };
-      };
-
-
-      # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
-      systemd.services.paperless-web.script = lib.mkBefore ''
-        oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
-        export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
-          ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
-            --compact-output \
-            --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
-                       )
-      '';
-
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size    0;
-                  proxy_connect_timeout   300;
-                  proxy_send_timeout      300;
-                  proxy_read_timeout      300;
-                  send_timeout            300;
-                '';
-              };
-            };
-          };
-        };
+      services.${serviceName} = {
+        domain = serviceDomain;
+        inherit proxyAddress4 proxyAddress6 isHome;
       };
     };
 
-  }
+    services = {
+      ${serviceName} = {
+        enable = true;
+        mediaDir = "/Vault/Eternor/Paperless";
+        dataDir = "/Vault/data/${serviceName}";
+        user = serviceUser;
+        port = servicePort;
+        passwordFile = config.sops.secrets.paperless-admin-pw.path;
+        address = "0.0.0.0";
+        settings = {
+          PAPERLESS_OCR_LANGUAGE = "deu+eng";
+          PAPERLESS_URL = "https://${serviceDomain}";
+          PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
+            optimize = 1;
+            invalidate_digital_signatures = true;
+            pdfa_image_compression = "lossless";
+          };
+          PAPERLESS_TIKA_ENABLED = "true";
+          PAPERLESS_TIKA_ENDPOINT = "http://localhost:${builtins.toString tikaPort}";
+          PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:${builtins.toString gotenbergPort}";
+          PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+          PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
+            openid_connect = {
+              OAUTH_PKCE_ENABLED = "True";
+              APPS = [
+                rec {
+                  provider_id = "kanidm";
+                  name = "Kanidm";
+                  client_id = "paperless";
+                  # secret will be added by paperless-web.service (see below)
+                  #secret = "";
+                  settings.server_url = "https://${kanidmDomain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+                }
+              ];
+            };
+          };
+        };
+      };
+
+      tika = {
+        enable = true;
+        port = tikaPort;
+        openFirewall = false;
+        listenAddress = "127.0.0.1";
+        enableOcr = true;
+      };
+
+      gotenberg = {
+        enable = true;
+        package = pkgs.stable.gotenberg;
+        port = gotenbergPort;
+        bindIP = "127.0.0.1";
+        timeout = "600s";
+        chromium.package = pkgs.stable.chromium;
+      };
+    };
+
+
+    # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
+    systemd.services.paperless-web.script = lib.mkBefore ''
+      oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
+      export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
+        ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
+          --compact-output \
+          --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
+                     )
+    '';
+
+    nodes =
+      let
+        extraConfigLoc = ''
+          proxy_connect_timeout   300;
+          proxy_send_timeout      300;
+          proxy_read_timeout      300;
+          send_timeout            300;
+        '';
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
+      };
+
+  };
+}
 #+end_src
 
 **** transmission
@@ -12115,188 +12038,189 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
 :END:
 
 #+begin_src nix-ts :tangle modules/nixos/server/transmission.nix
-  { self, pkgs, lib, config, confLib, ... }:
-  let
-    inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain isHome;
+   { self, pkgs, lib, config, confLib, ... }:
+   let
+     inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain;
+     inherit (confLib.static) isHome;
 
-    lidarrUser = "lidarr";
-    lidarrGroup = lidarrUser;
-    lidarrPort = 8686;
-    radarrUser = "radarr";
-    radarrGroup = radarrUser;
-    radarrPort = 7878;
-    sonarrUser = "sonarr";
-    sonarrGroup = sonarrUser;
-    sonarrPort = 8989;
-    readarrUser = "readarr";
-    readarrGroup = readarrUser;
-    readarrPort = 8787;
-    prowlarrUser = "prowlarr";
-    prowlarrGroup = prowlarrUser;
-    prowlarrPort = 9696;
-  in
-  {
-    options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} and friends on server";
-    config = lib.mkIf config.swarselmodules.server.${serviceName} {
+     lidarrUser = "lidarr";
+     lidarrGroup = lidarrUser;
+     lidarrPort = 8686;
+     radarrUser = "radarr";
+     radarrGroup = radarrUser;
+     radarrPort = 7878;
+     sonarrUser = "sonarr";
+     sonarrGroup = sonarrUser;
+     sonarrPort = 8989;
+     readarrUser = "readarr";
+     readarrGroup = readarrUser;
+     readarrPort = 8787;
+     prowlarrUser = "prowlarr";
+     prowlarrGroup = prowlarrUser;
+     prowlarrPort = 9696;
+   in
+   {
+     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} and friends on server";
+     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      # this user/group section is probably unneeded
-      users = {
-        groups = {
-          dockeruser = {
-            gid = 1155;
-          };
-          "${radarrGroup}" = { };
-          "${readarrGroup}" = { };
-          "${sonarrGroup}" = { };
-          "${lidarrGroup}" = { };
-          "${prowlarrGroup}" = { };
-        };
-        users = {
-          dockeruser = {
-            isSystemUser = true;
-            uid = 1155;
-            group = "docker";
-            extraGroups = [ "users" ];
-          };
-          "${radarrUser}" = {
-            isSystemUser = true;
-            group = radarrGroup;
-            extraGroups = [ "users" ];
-          };
-          "${readarrGroup}" = {
-            isSystemUser = true;
-            group = readarrGroup;
-            extraGroups = [ "users" ];
-          };
-          "${sonarrGroup}" = {
-            isSystemUser = true;
-            group = sonarrGroup;
-            extraGroups = [ "users" ];
-          };
-          "${lidarrUser}" = {
-            isSystemUser = true;
-            group = lidarrGroup;
-            extraGroups = [ "users" ];
-          };
-          "${prowlarrGroup}" = {
-            isSystemUser = true;
-            group = prowlarrGroup;
-            extraGroups = [ "users" ];
-          };
-        };
-      };
+       # this user/group section is probably unneeded
+       users = {
+         groups = {
+           dockeruser = {
+             gid = 1155;
+           };
+           "${radarrGroup}" = { };
+           "${readarrGroup}" = { };
+           "${sonarrGroup}" = { };
+           "${lidarrGroup}" = { };
+           "${prowlarrGroup}" = { };
+         };
+         users = {
+           dockeruser = {
+             isSystemUser = true;
+             uid = 1155;
+             group = "docker";
+             extraGroups = [ "users" ];
+           };
+           "${radarrUser}" = {
+             isSystemUser = true;
+             group = radarrGroup;
+             extraGroups = [ "users" ];
+           };
+           "${readarrGroup}" = {
+             isSystemUser = true;
+             group = readarrGroup;
+             extraGroups = [ "users" ];
+           };
+           "${sonarrGroup}" = {
+             isSystemUser = true;
+             group = sonarrGroup;
+             extraGroups = [ "users" ];
+           };
+           "${lidarrUser}" = {
+             isSystemUser = true;
+             group = lidarrGroup;
+             extraGroups = [ "users" ];
+           };
+           "${prowlarrGroup}" = {
+             isSystemUser = true;
+             group = prowlarrGroup;
+             extraGroups = [ "users" ];
+           };
+         };
+       };
 
-      virtualisation.docker.enable = true;
-      environment.systemPackages = with pkgs; [
-        docker
-      ];
+       virtualisation.docker.enable = true;
+       environment.systemPackages = with pkgs; [
+         docker
+       ];
 
-      topology.self.services = {
-        radarr.info = "https://${serviceDomain}/radarr";
-        readarr = {
-          name = "Readarr";
-          info = "https://${serviceDomain}/readarr";
-          icon = "${self}/files/topology-images/readarr.png";
-        };
-        sonarr.info = "https://${serviceDomain}/sonarr";
-        lidarr.info = "https://${serviceDomain}/lidarr";
-        prowlarr.info = "https://${serviceDomain}/prowlarr";
-      };
+       topology.self.services = {
+         radarr.info = "https://${serviceDomain}/radarr";
+         readarr = {
+           name = "Readarr";
+           info = "https://${serviceDomain}/readarr";
+           icon = "${self}/files/topology-images/readarr.png";
+         };
+         sonarr.info = "https://${serviceDomain}/sonarr";
+         lidarr.info = "https://${serviceDomain}/lidarr";
+         prowlarr.info = "https://${serviceDomain}/prowlarr";
+       };
 
-      globals.services.transmission = {
-        domain = serviceDomain;
-        inherit isHome;
-      };
+       globals.services.transmission = {
+         domain = serviceDomain;
+         inherit isHome;
+       };
 
-      services = {
-        radarr = {
-          enable = true;
-          user = radarrUser;
-          group = radarrGroup;
-          settings.server.port = radarrPort;
-          openFirewall = true;
-          dataDir = "/Vault/data/radarr";
-        };
-        readarr = {
-          enable = true;
-          user = readarrUser;
-          group = readarrGroup;
-          settings.server.port = readarrPort;
-          openFirewall = true;
-          dataDir = "/Vault/data/readarr";
-        };
-        sonarr = {
-          enable = true;
-          user = sonarrUser;
-          group = sonarrGroup;
-          settings.server.port = sonarrPort;
-          openFirewall = true;
-          dataDir = "/Vault/data/sonarr";
-        };
-        lidarr = {
-          enable = true;
-          user = lidarrUser;
-          group = lidarrGroup;
-          settings.server.port = lidarrPort;
-          openFirewall = true;
-          dataDir = "/Vault/data/lidarr";
-        };
-        prowlarr = {
-          enable = true;
-          settings.server.port = prowlarrPort;
-          openFirewall = true;
-        };
+       services = {
+         radarr = {
+           enable = true;
+           user = radarrUser;
+           group = radarrGroup;
+           settings.server.port = radarrPort;
+           openFirewall = true;
+           dataDir = "/Vault/data/radarr";
+         };
+         readarr = {
+           enable = true;
+           user = readarrUser;
+           group = readarrGroup;
+           settings.server.port = readarrPort;
+           openFirewall = true;
+           dataDir = "/Vault/data/readarr";
+         };
+         sonarr = {
+           enable = true;
+           user = sonarrUser;
+           group = sonarrGroup;
+           settings.server.port = sonarrPort;
+           openFirewall = true;
+           dataDir = "/Vault/data/sonarr";
+         };
+         lidarr = {
+           enable = true;
+           user = lidarrUser;
+           group = lidarrGroup;
+           settings.server.port = lidarrPort;
+           openFirewall = true;
+           dataDir = "/Vault/data/lidarr";
+         };
+         prowlarr = {
+           enable = true;
+           settings.server.port = prowlarrPort;
+           openFirewall = true;
+         };
 
-        nginx = {
-          virtualHosts = {
-            "${serviceDomain}" = {
-              enableACME = false;
-              forceSSL = false;
-              acmeRoot = null;
-              locations = {
-                "/" = {
-                  proxyPass = "http://localhost:9091";
-                  extraConfig = ''
-                    client_max_body_size    0;
-                  '';
-                };
-                "/radarr" = {
-                  proxyPass = "http://localhost:${builtins.toString radarrPort}";
-                  extraConfig = ''
-                    client_max_body_size    0;
-                  '';
-                };
-                "/readarr" = {
-                  proxyPass = "http://localhost:${builtins.toString readarrPort}";
-                  extraConfig = ''
-                    client_max_body_size    0;
-                  '';
-                };
-                "/sonarr" = {
-                  proxyPass = "http://localhost:${builtins.toString sonarrPort}";
-                  extraConfig = ''
-                    client_max_body_size    0;
-                  '';
-                };
-                "/lidarr" = {
-                  proxyPass = "http://localhost:${builtins.toString lidarrPort}";
-                  extraConfig = ''
-                    client_max_body_size    0;
-                  '';
-                };
-                "/prowlarr" = {
-                  proxyPass = "http://localhost:${builtins.toString prowlarrPort}";
-                  extraConfig = ''
-                    client_max_body_size    0;
-                  '';
-                };
-              };
-            };
-          };
-        };
-      };
-    };
-  }
+         nginx = {
+           virtualHosts = {
+             "${serviceDomain}" = {
+               enableACME = false;
+               forceSSL = false;
+               acmeRoot = null;
+               locations = {
+                 "/" = {
+                   proxyPass = "http://localhost:9091";
+                   extraConfig = ''
+                     client_max_body_size    0;
+                   '';
+                 };
+                 "/radarr" = {
+                   proxyPass = "http://localhost:${builtins.toString radarrPort}";
+                   extraConfig = ''
+                     client_max_body_size    0;
+                   '';
+                 };
+                 "/readarr" = {
+                   proxyPass = "http://localhost:${builtins.toString readarrPort}";
+                   extraConfig = ''
+                     client_max_body_size    0;
+                   '';
+                 };
+                 "/sonarr" = {
+                   proxyPass = "http://localhost:${builtins.toString sonarrPort}";
+                   extraConfig = ''
+                     client_max_body_size    0;
+                   '';
+                 };
+                 "/lidarr" = {
+                   proxyPass = "http://localhost:${builtins.toString lidarrPort}";
+                   extraConfig = ''
+                     client_max_body_size    0;
+                   '';
+                 };
+                 "/prowlarr" = {
+                   proxyPass = "http://localhost:${builtins.toString prowlarrPort}";
+                   extraConfig = ''
+                     client_max_body_size    0;
+                   '';
+                 };
+               };
+             };
+           };
+         };
+       };
+     };
+   }
 
 #+end_src
 
@@ -12309,7 +12233,8 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
   { lib, config, globals, dns, confLib, ... }:
   let
     inherit (config.swarselsystems.syncthing) serviceDomain;
-    inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
     specificServiceName = "${serviceName}-${config.node.name}";
 
@@ -12350,10 +12275,6 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
     };
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       users.users.${serviceUser} = {
         extraGroups = [ "users" ];
         group = serviceGroup;
@@ -12373,7 +12294,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
             };
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy} = {
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy} = {
               allowedTCPPorts = [ servicePort 20000 ];
               allowedUDPPorts = [ 20000 21027 ];
             };
@@ -12439,31 +12360,14 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
         };
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${specificServiceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${specificServiceName}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain; serviceName = specificServiceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain; serviceName = specificServiceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
+
     };
   }
 #+end_src
@@ -12550,7 +12454,8 @@ This section exposes several metrics that I use to check the health of my server
 #+begin_src nix-ts :tangle modules/nixos/server/monitoring.nix
   { lib, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
     prometheusPort = 9090;
     prometheusUser = "prometheus";
@@ -12568,10 +12473,6 @@ This section exposes several metrics that I use to check the health of my server
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       sops = {
         secrets = {
           grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@@ -12616,7 +12517,7 @@ This section exposes several metrics that I use to check the health of my server
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
           };
         };
         services.${serviceName} = {
@@ -12772,43 +12673,56 @@ This section exposes several metrics that I use to check the health of my server
       };
 
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          "${grafanaUpstream}" = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
+      nodes =
+        let
+          genNginx = toAddress: extraConfigPre: {
+            upstreams = {
+              "${grafanaUpstream}" = {
+                servers = {
+                  "${toAddress}:${builtins.toString servicePort}" = { };
+                };
+              };
+              "${prometheusUpstream}" = {
+                servers = {
+                  "${toAddress}:${builtins.toString prometheusPort}" = { };
+                };
+              };
             };
-          };
-          "${prometheusUpstream}" = {
-            servers = {
-              "${serviceAddress}:${builtins.toString prometheusPort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
+            virtualHosts = {
+              "${serviceDomain}" = {
+                useACMEHost = globals.domains.main;
 
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${grafanaUpstream}";
-                proxyWebsockets = true;
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
-              "/${prometheusWebRoot}" = {
-                proxyPass = "http://${prometheusUpstream}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
+                forceSSL = true;
+                acmeRoot = null;
+                extraConfig = extraConfigPre;
+                locations =
+                  let
+                    extraConfig = ''
+                      client_max_body_size 0;
+                    '';
+                  in
+                  {
+                    "/" = {
+                      proxyPass = "http://${grafanaUpstream}";
+                      proxyWebsockets = true;
+                      inherit extraConfig;
+                    };
+                    "/${prometheusWebRoot}" = {
+                      proxyPass = "http://${prometheusUpstream}";
+                      inherit extraConfig;
+                    };
+                  };
               };
             };
           };
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          };
+          ${webProxy}.services.nginx = genNginx serviceAddress "";
+          ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
         };
-      };
     };
   }
 #+end_src
@@ -12823,23 +12737,20 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w
 #+begin_src nix-ts :tangle modules/nixos/server/jenkins.nix
   { pkgs, lib, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       globals = {
         networks = {
           ${webProxyIf}.hosts = lib.mkIf isProxied {
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -12857,33 +12768,15 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w
         home = "/Vault/apps/${serviceName}";
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-    };
 
+    };
   }
 #+end_src
 
@@ -12932,7 +12825,8 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
 #+begin_src nix-ts :tangle modules/nixos/server/freshrss.nix
   { self, lib, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome webProxy dnsServer;
+    inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
 
     inherit (config.swarselsystems) sopsFile;
   in
@@ -12940,10 +12834,6 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       users.users.${serviceUser} = {
         extraGroups = [ "users" ];
         group = serviceGroup;
@@ -13008,35 +12898,47 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
       #   config.sops.templates.freshrss-env.path
       # ];
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
+      nodes =
+        let
+          genNginx = toAddress: extraConfig: {
+            upstreams = {
+              ${serviceName} = {
+                servers = {
+                  "${toAddress}:${builtins.toString servicePort}" = { };
+                };
+              };
             };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
+            virtualHosts = {
+              "${serviceDomain}" = {
+                useACMEHost = globals.domains.main;
 
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = true;
-            oauth2.allowedGroups = [ "ttrss_access" ];
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-              };
-              "/api" = {
-                proxyPass = "http://${serviceName}";
-                setOauth2Headers = false;
-                bypassAuth = true;
+                forceSSL = true;
+                acmeRoot = null;
+                oauth2.enable = true;
+                oauth2.allowedGroups = [ "ttrss_access" ];
+                inherit extraConfig;
+                locations = {
+                  "/" = {
+                    proxyPass = "http://${serviceName}";
+                  };
+                  "/api" = {
+                    proxyPass = "http://${serviceName}";
+                    setOauth2Headers = false;
+                    bypassAuth = true;
+                  };
+                };
               };
             };
           };
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          };
+          ${webProxy}.services.nginx = genNginx serviceAddress "";
+          ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
         };
-      };
+
     };
   }
 #+end_src
@@ -13050,7 +12952,8 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
   { lib, config, pkgs, globals, dns, confLib, ... }:
   let
     inherit (config.swarselsystems) sopsFile;
-    inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
     kanidmDomain = globals.services.kanidm.domain;
   in
@@ -13058,10 +12961,6 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       # networking.firewall.allowedTCPPorts = [ servicePort ];
 
       users.users.${serviceUser} = {
@@ -13081,7 +12980,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -13189,33 +13088,15 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
           '';
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-    };
 
+    };
   }
 #+end_src
 
@@ -13228,7 +13109,8 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
   { self, lib, config, globals, dns, confLib, ... }:
   let
     inherit (config.swarselsystems) sopsFile;
-    inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
     ankiUser = globals.user.name;
   in
@@ -13236,10 +13118,6 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       # networking.firewall.allowedTCPPorts = [ servicePort ];
 
       sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
@@ -13256,7 +13134,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -13278,33 +13156,15 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
         ];
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-    };
 
+    };
   }
 #+end_src
 
@@ -13331,7 +13191,8 @@ kanidm person credential create-reset-token <user>
   let
     certsSopsFile = self + /secrets/repo/certs.yaml;
     inherit (config.swarselsystems) sopsFile;
-    inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy homeProxyIf webProxyIf dnsServer;
+    inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy homeProxyIf webProxyIf dnsServer homeServiceAddress nginxAccessRules;
 
     oauth2ProxyDomain = globals.services.oauth2-proxy.domain;
     immichDomain = globals.services.immich.domain;
@@ -13360,9 +13221,6 @@ kanidm person credential create-reset-token <user>
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
 
       users = {
         users.${serviceUser} = {
@@ -13398,7 +13256,7 @@ kanidm person credential create-reset-token <user>
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -13725,35 +13583,16 @@ kanidm person credential create-reset-token <user>
         };
       };
 
-      systemd.services = {
-        ${serviceName}.serviceConfig.RestartSec = "30";
+      systemd.services.${serviceName}.serviceConfig.RestartSec = "30";
+
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; };
+        ${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; };
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "https://${serviceName}";
-              };
-            };
-            extraConfig = ''
-              proxy_ssl_verify off;
-            '';
-          };
-        };
-      };
     };
   }
 #+end_src
@@ -13768,7 +13607,7 @@ kanidm person credential create-reset-token <user>
   { lib, config, globals, dns, confLib, ... }:
   let
     inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
-    inherit (confLib.static) isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf homeWebProxy oauthServer nginxAccessRules;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf oauthServer nginxAccessRules;
 
     kanidmDomain = globals.services.kanidm.domain;
     mainDomain = globals.domains.main;
@@ -13906,7 +13745,8 @@ kanidm person credential create-reset-token <user>
         };
       };
 
-      # networking.firewall.allowedTCPPorts = [ servicePort ];
+      # needed for homeWebProxy
+      networking.firewall.allowedTCPPorts = [ servicePort ];
 
       globals = {
         networks = {
@@ -13914,7 +13754,7 @@ kanidm person credential create-reset-token <user>
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -13974,39 +13814,17 @@ kanidm person credential create-reset-token <user>
 
       nodes =
         let
-          genNginx = toAddress: extraConfig: {
-            upstreams = {
-              ${serviceName} = {
-                servers = {
-                  "${toAddress}:${builtins.toString servicePort}" = { };
-                };
-              };
-            };
-            virtualHosts = {
-              "${serviceDomain}" = {
-                useACMEHost = globals.domains.main;
-
-                forceSSL = true;
-                acmeRoot = null;
-                locations = {
-                  "/" = {
-                    proxyPass = "http://${serviceName}";
-                  };
-                };
-                extraConfig = ''
-                  proxy_set_header X-Scheme                $scheme;
-                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
-                '' + lib.optionalString (extraConfig != "") extraConfig;
-              };
-            };
-          };
+          extraConfig = ''
+            proxy_set_header X-Scheme                $scheme;
+            proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+          '';
         in
         {
           ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
             "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
           };
-          ${webProxy}.services.nginx = genNginx serviceAddress "";
-          ${homeWebProxy}.services.nginx = genNginx globals.hosts.${oauthServer}.wanAddress4 nginxAccessRules;
+          ${webProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceAddress serviceDomain serviceName extraConfig; protocol = "https"; };
+          ${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; extraConfig = extraConfig + nginxAccessRules; serviceAddress = globals.hosts.${oauthServer}.wanAddress4; };
         };
     };
   }
@@ -14020,7 +13838,8 @@ kanidm person credential create-reset-token <user>
 #+begin_src nix-ts :tangle modules/nixos/server/firefly-iii.nix
   { self, lib, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome dnsServer webProxy;
+    inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules;
 
     nginxGroup = "nginx";
 
@@ -14031,10 +13850,6 @@ kanidm person credential create-reset-token <user>
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       users = {
         groups.${serviceGroup} = { };
         users.${serviceUser} = {
@@ -14101,37 +13916,49 @@ kanidm person credential create-reset-token <user>
         };
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
+      nodes =
+        let
+          genNginx = toAddress: extraConfig: {
+            upstreams = {
+              ${serviceName} = {
+                servers = {
+                  "${toAddress}:${builtins.toString servicePort}" = { };
+                };
+              };
             };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
+            virtualHosts = {
+              "${serviceDomain}" = {
+                useACMEHost = globals.domains.main;
 
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = true;
-            oauth2.allowedGroups = [ "firefly_access" ];
-            # main config is automatically added by nixos firefly config.
-            # hence, only provide certificate
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-              };
-              "/api" = {
-                proxyPass = "http://${serviceName}";
-                setOauth2Headers = false;
-                bypassAuth = true;
+                forceSSL = true;
+                acmeRoot = null;
+                oauth2 = {
+                  enable = true;
+                  allowedGroups = [ "firefly_access" ];
+                };
+                inherit extraConfig;
+                locations = {
+                  "/" = {
+                    proxyPass = "http://${serviceName}";
+                  };
+                  "/api" = {
+                    proxyPass = "http://${serviceName}";
+                    setOauth2Headers = false;
+                    bypassAuth = true;
+                  };
+                };
               };
             };
           };
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          };
+          ${webProxy}.services.nginx = genNginx serviceAddress "";
+          ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
         };
-      };
+
     };
   }
 #+end_src
@@ -14142,158 +13969,146 @@ kanidm person credential create-reset-token <user>
 :END:
 
 #+begin_src nix-ts :tangle modules/nixos/server/koillection.nix
-  { self, lib, config, globals, dns, confLib, ... }:
-  let
-    inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
-    serviceDB = "koillection";
+{ self, lib, config, globals, dns, confLib, ... }:
+let
+  inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
+  serviceDB = "koillection";
 
-    postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
-    postgresPort = config.services.postgresql.settings.port; # 5432
-    containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d";
+  postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
+  postgresPort = config.services.postgresql.settings.port; # 5432
+  containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d";
 
-    inherit (config.swarselsystems) sopsFile;
-  in
-  {
-    options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
-    config = lib.mkIf config.swarselmodules.server.${serviceName} {
+  inherit (config.swarselsystems) sopsFile;
+in
+{
+  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      swarselmodules.server = {
-        podman = true;
-        postgresql = true;
-      };
+    swarselmodules.server = {
+      podman = true;
+      postgresql = true;
+    };
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-      sops.secrets = {
-        koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
-        koillection-env-file = { inherit sopsFile; };
-      };
+    sops.secrets = {
+      koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
+      koillection-env-file = { inherit sopsFile; };
+    };
 
-      topology.self.services.${serviceName} = {
-        name = lib.swarselsystems.toCapitalized serviceName;
-        info = "https://${serviceDomain}";
-        icon = "${self}/files/topology-images/${serviceName}.png";
-      };
+    topology.self.services.${serviceName} = {
+      name = lib.swarselsystems.toCapitalized serviceName;
+      info = "https://${serviceDomain}";
+      icon = "${self}/files/topology-images/${serviceName}.png";
+    };
 
-      globals = {
-        networks = {
-          ${webProxyIf}.hosts = lib.mkIf isProxied {
-            ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort postgresPort ];
-          };
-          ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort postgresPort ];
-          };
+    globals = {
+      networks = {
+        ${webProxyIf}.hosts = lib.mkIf isProxied {
+          ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort postgresPort ];
         };
-        services.${serviceName} = {
-          domain = serviceDomain;
-          inherit proxyAddress4 proxyAddress6 isHome;
+        ${homeProxyIf}.hosts = lib.mkIf isHome {
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort postgresPort ];
         };
       };
-
-      virtualisation.oci-containers.containers = {
-        koillection = {
-          image = "koillection/koillection@${containerRev}";
-
-          ports = [
-            "${toString servicePort}:80"
-          ];
-
-          volumes = [
-            "${serviceDir}/uploads:/uploads"
-          ];
-
-          environment = {
-            APP_DEBUG = "0";
-            APP_ENV = "prod";
-            HTTPS_ENABLED = "1";
-            UPLOAD_MAX_FILESIZE = "512M";
-            PHP_MEMORY_LIMIT = "512M";
-            PHP_TZ = config.repo.secrets.common.location.timezone;
-
-            CORS_ALLOW_ORIGIN = "https?://(localhost|swag\\.swarsel\\.win)(:[0-9]+)?$";
-
-            DB_DRIVER = "pdo_pgsql";
-            DB_NAME = serviceDB;
-            DB_HOST = "host.docker.internal";
-            DB_USER = serviceUser;
-            # DB_PASSWORD set in koillection-env-file
-            DB_PORT = "${toString postgresPort}";
-            DB_VERSION = "16";
-          };
-
-          environmentFiles = [
-            config.sops.secrets.koillection-env-file.path
-          ];
-
-          extraOptions = [
-            "--add-host=host.docker.internal:host-gateway" # podman
-          ];
-        };
-      };
-
-      # networking.firewall.allowedTCPPorts = [ servicePort postgresPort ];
-
-      systemd.services.postgresql.postStart =
-        let
-          passwordPath = config.sops.secrets.koillection-db-password.path;
-        in
-        ''
-          ${config.services.postgresql.package}/bin/psql -tA <<'EOF'
-            DO $$
-            DECLARE password TEXT;
-            BEGIN
-              password := trim(both from replace(pg_read_file('${passwordPath}'), E'\n', '''));
-              EXECUTE format('ALTER ROLE ${serviceDB} WITH PASSWORD '''%s''';', password);
-            END $$;
-          EOF
-        '';
-      services = {
-        postgresql = {
-          enable = true;
-          enableTCPIP = true;
-          ensureDatabases = [ serviceDB ];
-          ensureUsers = [
-            {
-              name = serviceDB;
-              ensureDBOwnership = true;
-            }
-          ];
-          authentication = ''
-            host ${serviceDB} ${serviceDB} 10.88.0.0/16 scram-sha-256
-          '';
-        };
-      };
-
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  proxy_buffer_size          128k;
-                  proxy_buffers              4 256k;
-                  proxy_busy_buffers_size    256k;
-                '';
-              };
-            };
-          };
-        };
+      services.${serviceName} = {
+        domain = serviceDomain;
+        inherit proxyAddress4 proxyAddress6 isHome;
       };
     };
-  }
+
+    virtualisation.oci-containers.containers = {
+      koillection = {
+        image = "koillection/koillection@${containerRev}";
+
+        ports = [
+          "${toString servicePort}:80"
+        ];
+
+        volumes = [
+          "${serviceDir}/uploads:/uploads"
+        ];
+
+        environment = {
+          APP_DEBUG = "0";
+          APP_ENV = "prod";
+          HTTPS_ENABLED = "1";
+          UPLOAD_MAX_FILESIZE = "512M";
+          PHP_MEMORY_LIMIT = "512M";
+          PHP_TZ = config.repo.secrets.common.location.timezone;
+
+          CORS_ALLOW_ORIGIN = "https?://(localhost|swag\\.swarsel\\.win)(:[0-9]+)?$";
+
+          DB_DRIVER = "pdo_pgsql";
+          DB_NAME = serviceDB;
+          DB_HOST = "host.docker.internal";
+          DB_USER = serviceUser;
+          # DB_PASSWORD set in koillection-env-file
+          DB_PORT = "${toString postgresPort}";
+          DB_VERSION = "16";
+        };
+
+        environmentFiles = [
+          config.sops.secrets.koillection-env-file.path
+        ];
+
+        extraOptions = [
+          "--add-host=host.docker.internal:host-gateway" # podman
+        ];
+      };
+    };
+
+    # networking.firewall.allowedTCPPorts = [ servicePort postgresPort ];
+
+    systemd.services.postgresql.postStart =
+      let
+        passwordPath = config.sops.secrets.koillection-db-password.path;
+      in
+      ''
+        ${config.services.postgresql.package}/bin/psql -tA <<'EOF'
+          DO $$
+          DECLARE password TEXT;
+          BEGIN
+            password := trim(both from replace(pg_read_file('${passwordPath}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE ${serviceDB} WITH PASSWORD '''%s''';', password);
+          END $$;
+        EOF
+      '';
+    services = {
+      postgresql = {
+        enable = true;
+        enableTCPIP = true;
+        ensureDatabases = [ serviceDB ];
+        ensureUsers = [
+          {
+            name = serviceDB;
+            ensureDBOwnership = true;
+          }
+        ];
+        authentication = ''
+          host ${serviceDB} ${serviceDB} 10.88.0.0/16 scram-sha-256
+        '';
+      };
+    };
+
+    nodes =
+      let
+        extraConfigLoc = ''
+          proxy_buffer_size          128k;
+          proxy_buffers              4 256k;
+          proxy_busy_buffers_size    256k;
+        '';
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
+      };
+
+
+  };
+}
 #+end_src
 
 **** Atuin
@@ -14304,16 +14119,13 @@ kanidm person credential create-reset-token <user>
 #+begin_src nix-ts :tangle modules/nixos/server/atuin.nix
   { lib, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       topology.self.services.${serviceName}.info = "https://${serviceDomain}";
 
       globals = {
@@ -14322,7 +14134,7 @@ kanidm person credential create-reset-token <user>
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -14339,30 +14151,12 @@ kanidm person credential create-reset-token <user>
         openRegistration = false;
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size    0;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
 
     };
@@ -14378,7 +14172,8 @@ kanidm person credential create-reset-token <user>
 #+begin_src nix-ts :tangle modules/nixos/server/radicale.nix
   { lib, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
     inherit (config.swarselsystems) sopsFile;
 
     cfg = config.services.${serviceName};
@@ -14387,10 +14182,6 @@ kanidm person credential create-reset-token <user>
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       sops = {
         secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
 
@@ -14418,7 +14209,7 @@ kanidm person credential create-reset-token <user>
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -14478,35 +14269,15 @@ kanidm person credential create-reset-token <user>
 
       # networking.firewall.allowedTCPPorts = [ servicePort ];
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = false;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 16M;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 16; maxBodyUnit = "M"; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 16; maxBodyUnit = "M"; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
 
     };
-
   }
 #+end_src
 
@@ -14516,80 +14287,81 @@ kanidm person credential create-reset-token <user>
 :END:
 
 #+begin_src nix-ts :tangle modules/nixos/server/croc.nix
-  { self, lib, config, pkgs, dns, globals, confLib, ... }:
-  let
-    inherit (confLib.gen { name = "croc"; proxy = config.node.name; }) serviceName serviceDomain proxyAddress4 proxyAddress6 isHome dnsServer;
-    servicePorts = [
-      9009
-      9010
-      9011
-      9012
-      9013
-    ];
+   { self, lib, config, pkgs, dns, globals, confLib, ... }:
+   let
+     inherit (confLib.gen { name = "croc"; proxy = config.node.name; }) serviceName serviceDomain proxyAddress4 proxyAddress6;
+     inherit (confLib.static) isHome dnsServer;
+     servicePorts = [
+       9009
+       9010
+       9011
+       9012
+       9013
+     ];
 
-    inherit (config.swarselsystems) sopsFile;
+     inherit (config.swarselsystems) sopsFile;
 
-    cfg = config.services.croc;
-  in
-  {
-    options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
-    config = lib.mkIf config.swarselmodules.server.${serviceName} {
+     cfg = config.services.croc;
+   in
+   {
+     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
+       nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+         "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+       };
 
-      sops = {
-        secrets = {
-          croc-password = { inherit sopsFile; };
-        };
+       sops = {
+         secrets = {
+           croc-password = { inherit sopsFile; };
+         };
 
-        templates = {
-          "croc-env" = {
-            content = ''
-              CROC_PASS="${config.sops.placeholder.croc-password}"
-            '';
-          };
-        };
-      };
+         templates = {
+           "croc-env" = {
+             content = ''
+               CROC_PASS="${config.sops.placeholder.croc-password}"
+             '';
+           };
+         };
+       };
 
 
-      topology.self.services.${serviceName} = {
-        name = lib.swarselsystems.toCapitalized serviceName;
-        info = "https://${serviceDomain}";
-        icon = "${self}/files/topology-images/${serviceName}.png";
-      };
+       topology.self.services.${serviceName} = {
+         name = lib.swarselsystems.toCapitalized serviceName;
+         info = "https://${serviceDomain}";
+         icon = "${self}/files/topology-images/${serviceName}.png";
+       };
 
-      globals.services.${serviceName} = {
-        domain = serviceDomain;
-        inherit proxyAddress4 proxyAddress6 isHome;
-      };
+       globals.services.${serviceName} = {
+         domain = serviceDomain;
+         inherit proxyAddress4 proxyAddress6 isHome;
+       };
 
-      services.${serviceName} = {
-        enable = true;
-        ports = servicePorts;
-        pass = config.sops.secrets.croc-password.path;
-        openFirewall = true;
-      };
+       services.${serviceName} = {
+         enable = true;
+         ports = servicePorts;
+         pass = config.sops.secrets.croc-password.path;
+         openFirewall = true;
+       };
 
 
-      systemd.services = {
-        ${serviceName} = {
-          serviceConfig = {
-            ExecStart = lib.mkForce "${pkgs.croc}/bin/croc ${lib.optionalString cfg.debug "--debug"} relay --ports ${
-              lib.concatMapStringsSep "," toString cfg.ports}";
-            EnvironmentFile = [
-              config.sops.templates.croc-env.path
-            ];
-          };
-        };
-      };
+       systemd.services = {
+         ${serviceName} = {
+           serviceConfig = {
+             ExecStart = lib.mkForce "${pkgs.croc}/bin/croc ${lib.optionalString cfg.debug "--debug"} relay --ports ${
+               lib.concatMapStringsSep "," toString cfg.ports}";
+             EnvironmentFile = [
+               config.sops.templates.croc-env.path
+             ];
+           };
+         };
+       };
 
-      # ports are opened on the firewall for croc, no nginx config
+       # ports are opened on the firewall for croc, no nginx config
 
-    };
+     };
 
-  }
+   }
 #+end_src
 
 **** microbin
@@ -14600,7 +14372,8 @@ kanidm person credential create-reset-token <user>
 #+begin_src nix-ts :tangle modules/nixos/server/microbin.nix
   { self, lib, config, dns, globals, confLib, ... }:
   let
-    inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
     inherit (config.swarselsystems) sopsFile;
 
@@ -14610,10 +14383,6 @@ kanidm person credential create-reset-token <user>
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       users = {
         groups.${serviceGroup} = { };
 
@@ -14656,7 +14425,7 @@ kanidm person credential create-reset-token <user>
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -14715,30 +14484,12 @@ kanidm person credential create-reset-token <user>
         { directory = cfg.dataDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
       ];
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 1G;
-                '';
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 1; maxBodyUnit = "G"; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 1; maxBodyUnit = "G"; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
 
     };
@@ -14751,12 +14502,11 @@ kanidm person credential create-reset-token <user>
 :CUSTOM_ID: h:4ccdcd5c-a4dd-49e4-94e7-d81db970059c
 :END:
 
-
-
 #+begin_src nix-ts :tangle modules/nixos/server/shlink.nix
   { self, lib, config, dns, globals, confLib, ... }:
   let
-    inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
     containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
 
@@ -14772,10 +14522,6 @@ kanidm person credential create-reset-token <user>
         podman = true;
       };
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       sops = {
         secrets = {
           shlink-api = { inherit sopsFile; };
@@ -14848,7 +14594,7 @@ kanidm person credential create-reset-token <user>
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -14857,27 +14603,14 @@ kanidm person credential create-reset-token <user>
         };
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
+
     };
   }
 #+end_src
@@ -14893,117 +14626,128 @@ Deployment notes:
   - finally, disable new user registration in web ui
 
 #+begin_src nix-ts :tangle modules/nixos/server/slink.nix
-  { self, lib, config, dns, globals, confLib, ... }:
-  let
-    inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+{ self, lib, config, dns, globals, confLib, ... }:
+let
+  inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
-    containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9";
-  in
-  {
-    options = {
-      swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+  containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9";
+in
+{
+  options = {
+    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+  };
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
+
+    swarselmodules.server = {
+      podman = true;
     };
-    config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      swarselmodules.server = {
-        podman = true;
+    virtualisation.oci-containers.containers.${serviceName} = {
+      image = "anirdev/slink@${containerRev}";
+      environment = {
+        "ORIGIN" = "https://${serviceDomain}";
+        "TZ" = config.repo.secrets.common.location.timezone;
+        "STORAGE_PROVIDER" = "local";
+        "IMAGE_MAX_SIZE" = "50M";
+        "USER_APPROVAL_REQUIRED" = "true";
       };
-
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
-      virtualisation.oci-containers.containers.${serviceName} = {
-        image = "anirdev/slink@${containerRev}";
-        environment = {
-          "ORIGIN" = "https://${serviceDomain}";
-          "TZ" = config.repo.secrets.common.location.timezone;
-          "STORAGE_PROVIDER" = "local";
-          "IMAGE_MAX_SIZE" = "50M";
-          "USER_APPROVAL_REQUIRED" = "true";
-        };
-        ports = [ "${builtins.toString servicePort}:${builtins.toString servicePort}" ];
-        volumes = [
-          "${serviceDir}/var/data:/app/var/data"
-          "${serviceDir}/images:/app/slink/images"
-        ];
-      };
-
-      systemd.tmpfiles.settings."12-slink" = builtins.listToAttrs (
-        map
-          (path: {
-            name = "${serviceDir}/${path}";
-            value = {
-              d = {
-                group = "root";
-                user = "root";
-                mode = "0750";
-              };
-            };
-          }) [
-          "var/data"
-          "images"
-        ]
-      );
-
-      # networking.firewall.allowedTCPPorts = [ servicePort ];
-
-      environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
-        { directory = serviceDir; }
+      ports = [ "${builtins.toString servicePort}:${builtins.toString servicePort}" ];
+      volumes = [
+        "${serviceDir}/var/data:/app/var/data"
+        "${serviceDir}/images:/app/slink/images"
       ];
+    };
 
-      topology.self.services.${serviceName} = {
-        name = lib.swarselsystems.toCapitalized serviceName;
-        info = "https://${serviceDomain}";
-        icon = "${self}/files/topology-images/shlink.png";
-      };
-
-      globals = {
-        networks = {
-          ${webProxyIf}.hosts = lib.mkIf isProxied {
-            ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
-          };
-          ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
-          };
-        };
-        services.${serviceName} = {
-          domain = serviceDomain;
-          inherit proxyAddress4 proxyAddress6 isHome;
-        };
-      };
-
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
+    systemd.tmpfiles.settings."12-slink" = builtins.listToAttrs (
+      map
+        (path: {
+          name = "${serviceDir}/${path}";
+          value = {
+            d = {
+              group = "root";
+              user = "root";
+              mode = "0750";
             };
           };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
+        }) [
+        "var/data"
+        "images"
+      ]
+    );
 
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = true;
-            oauth2.allowedGroups = [ "slink_access" ];
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-              };
-              "/image" = {
-                proxyPass = "http://${serviceName}";
-                setOauth2Headers = false;
-                bypassAuth = true;
-              };
-            };
-          };
+    # networking.firewall.allowedTCPPorts = [ servicePort ];
+
+    environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
+      { directory = serviceDir; }
+    ];
+
+    topology.self.services.${serviceName} = {
+      name = lib.swarselsystems.toCapitalized serviceName;
+      info = "https://${serviceDomain}";
+      icon = "${self}/files/topology-images/shlink.png";
+    };
+
+    globals = {
+      networks = {
+        ${webProxyIf}.hosts = lib.mkIf isProxied {
+          ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
+        ${homeProxyIf}.hosts = lib.mkIf isHome {
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
+        };
+      };
+      services.${serviceName} = {
+        domain = serviceDomain;
+        inherit proxyAddress4 proxyAddress6 isHome;
       };
     };
-  }
+
+    nodes =
+      let
+        genNginx = toAddress: extraConfig: {
+          upstreams = {
+            ${serviceName} = {
+              servers = {
+                "${toAddress}:${builtins.toString servicePort}" = { };
+              };
+            };
+          };
+          virtualHosts = {
+            "${serviceDomain}" = {
+              useACMEHost = globals.domains.main;
+
+              forceSSL = true;
+              acmeRoot = null;
+              oauth2 = {
+                enable = true;
+                allowedGroups = [ "slink_access" ];
+              };
+              inherit extraConfig;
+              locations = {
+                "/" = {
+                  proxyPass = "http://${serviceName}";
+                };
+                "/image" = {
+                  proxyPass = "http://${serviceName}";
+                  setOauth2Headers = false;
+                  bypassAuth = true;
+                };
+              };
+            };
+          };
+        };
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = genNginx serviceAddress "";
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
+      };
+
+  };
+}
 #+end_src
 
 **** Snipe-IT (currently unused)
@@ -15014,7 +14758,8 @@ Deployment notes:
 #+begin_src nix-ts :tangle modules/nixos/server/snipe-it.nix
   { lib, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome webProxy dnsServer;
+    inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy webProxyIf homeProxyIf dnsServer homeServiceAddress nginxAccessRules;
     # sopsFile = config.node.secretsDir + "/secrets2.yaml";
     inherit (config.swarselsystems) sopsFile;
 
@@ -15026,10 +14771,6 @@ Deployment notes:
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       sops = {
         secrets = {
           snipe-it-appkey = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@@ -15038,9 +14779,19 @@ Deployment notes:
 
       topology.self.services.${serviceName}.info = "https://${serviceDomain}";
 
-      globals.services.${serviceName} = {
-        domain = serviceDomain;
-        inherit proxyAddress4 proxyAddress6 isHome;
+      globals = {
+        networks = {
+          ${webProxyIf}.hosts = lib.mkIf isProxied {
+            ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
+          };
+          ${homeProxyIf}.hosts = lib.mkIf isHome {
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
+          };
+        };
+        services.${serviceName} = {
+          domain = serviceDomain;
+          inherit proxyAddress4 proxyAddress6 isHome;
+        };
       };
 
       services.snipe-it = {
@@ -15060,32 +14811,15 @@ Deployment notes:
         };
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = false;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
 
     };
-
   }
 #+end_src
 **** Homebox
@@ -15096,16 +14830,13 @@ Deployment notes:
 #+begin_src nix-ts :tangle modules/nixos/server/homebox.nix
   { self, lib, pkgs, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       topology.self.services.${serviceName} = {
         name = "Homebox";
         info = "https://${serviceDomain}";
@@ -15118,7 +14849,7 @@ Deployment notes:
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -15141,32 +14872,15 @@ Deployment notes:
 
       # networking.firewall.allowedTCPPorts = [ servicePort ];
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
-          };
-        };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = false;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-              };
-            };
-          };
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
 
     };
-
   }
 #+end_src
 **** OPKSSH
@@ -15235,11 +14949,8 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
   # inspired by https://github.com/atropos112/nixos/blob/7fef652006a1c939f4caf9c8a0cb0892d9cdfe21/modules/garage.nix
   { self, lib, pkgs, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen {
-      name = "garage";
-      port = 3900;
-      domain = config.repo.secrets.common.services.domains."garage-${config.node.name}";
-    }) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "garage"; port = 3900; domain = config.repo.secrets.common.services.domains."garage-${config.node.name}"; }) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
     cfg = lib.recursiveUpdate config.services.${serviceName} config.swarselsystems.server.${serviceName};
     inherit (config.swarselsystems) sopsFile mainUser;
@@ -15307,14 +15018,6 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
 
       # networking.firewall.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
-        "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-        "${subDomain}-admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-        "${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-        "*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-        "*.${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       topology.self.services.${serviceName} = {
         name = lib.swarselsystems.toCapitalized serviceName;
         info = "https://${serviceDomain}";
@@ -15348,7 +15051,7 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
           };
         };
         services.${specificServiceName} = {
@@ -15559,69 +15262,86 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
         };
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
+      nodes =
+        let
+          genNginx = toAddress: extraConfig: {
+            upstreams = {
+              ${serviceName} = {
+                servers = {
+                  "${toAddress}:${builtins.toString servicePort}" = { };
+                };
+              };
+              "${serviceName}Web" = {
+                servers = {
+                  "${toAddress}:${builtins.toString garageWebPort}" = { };
+                };
+              };
+              "${serviceName}Admin" = {
+                servers = {
+                  "${toAddress}:${builtins.toString garageAdminPort}" = { };
+                };
+              };
+            };
+            virtualHosts = {
+              "${adminDomain}" = {
+                useACMEHost = globals.domains.main;
+                forceSSL = true;
+                acmeRoot = null;
+                oauth2.enable = false;
+                inherit extraConfig;
+                locations = {
+                  "/" = {
+                    proxyPass = "http://${serviceName}Admin";
+                  };
+                };
+              };
+              "*.${webDomain}" = {
+                useACMEHost = globals.domains.main;
+                forceSSL = true;
+                acmeRoot = null;
+                oauth2.enable = false;
+                inherit extraConfig;
+                locations = {
+                  "/" = {
+                    proxyPass = "http://${serviceName}Web";
+                  };
+                };
+              };
+              "${serviceDomain}" = {
+                serverAliases = [ "*.${serviceDomain}" ];
+                useACMEHost = globals.domains.main;
+                forceSSL = true;
+                acmeRoot = null;
+                oauth2.enable = false;
+                inherit extraConfig;
+                locations = {
+                  "/" = {
+                    proxyPass = "http://${serviceName}";
+                    extraConfig = ''
+                      client_max_body_size 0;
+                      client_body_timeout        600s;
+                      proxy_connect_timeout      600s;
+                      proxy_send_timeout         600s;
+                      proxy_read_timeout         600s;
+                      proxy_request_buffering    off;
+                    '';
+                  };
+                };
+              };
             };
           };
-          "${serviceName}Web" = {
-            servers = {
-              "${serviceAddress}:${builtins.toString garageWebPort}" = { };
-            };
-          };
-          "${serviceName}Admin" = {
-            servers = {
-              "${serviceAddress}:${builtins.toString garageAdminPort}" = { };
-            };
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
+            "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+            "${subDomain}-admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+            "${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+            "*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+            "*.${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
           };
+          ${webProxy}.services.nginx = genNginx serviceAddress "";
+          ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
         };
-        virtualHosts = {
-          "${adminDomain}" = {
-            useACMEHost = globals.domains.main;
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = false;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}Admin";
-              };
-            };
-          };
-          "*.${webDomain}" = {
-            useACMEHost = globals.domains.main;
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = false;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}Web";
-              };
-            };
-          };
-          "${serviceDomain}" = {
-            serverAliases = [ "*.${serviceDomain}" ];
-            useACMEHost = globals.domains.main;
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = false;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                  client_body_timeout        600s;
-                  proxy_connect_timeout      600s;
-                  proxy_send_timeout         600s;
-                  proxy_read_timeout         600s;
-                  proxy_request_buffering    off;
-                '';
-              };
-            };
-          };
-        };
-      };
 
     };
   }
@@ -15647,28 +15367,29 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
     };
   }
 #+end_src
-**** Set host entries for home servers
+**** Set dns host entries for home servers
 :PROPERTIES:
 :CUSTOM_ID: h:c539061e-8aa8-4c5a-a2a0-22490cd4e5de
 :END:
 
 #+begin_src nix-ts :tangle modules/nixos/server/dns-home.nix
-  { lib, config, globals, confLib, ... }:
-  let
-    inherit (confLib.gen { name = "dns-home"; }) serviceName homeProxy;
-  in
-  {
-    options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
-    config = lib.mkIf (config.swarselmodules.server.${serviceName}) {
+   { lib, config, globals, confLib, ... }:
+   let
+     inherit (confLib.gen { name = "dns-home"; }) serviceName;
+     inherit (confLib.static) homeProxy;
+   in
+   {
+     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      networking.hosts = {
-        ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv4} = [ "server.${homeProxy}.${globals.domains.main}" ];
-        ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv6} = [ "server.${homeProxy}.${globals.domains.main}" ];
-      };
+       networking.hosts = {
+         ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv4} = [ "server.${homeProxy}.${globals.domains.main}" ];
+         ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv6} = [ "server.${homeProxy}.${globals.domains.main}" ];
+       };
 
-    };
+     };
 
-  }
+   }
 #+end_src
 
 **** nsd (dns)
@@ -15903,60 +15624,61 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
 :END:
 
 #+begin_src nix-ts :tangle modules/nixos/server/minecraft/default.nix
-  { self, lib, config, pkgs, globals, dns, confLib, ... }:
-  let
-    inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; proxy = config.node.name; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6 isHome dnsServer;
-    inherit (config.swarselsystems) mainUser;
-    worldName = "${mainUser}craft";
-  in
-  {
-    options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
-    config = lib.mkIf config.swarselmodules.server.${serviceName} {
+   { self, lib, config, pkgs, globals, dns, confLib, ... }:
+   let
+     inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; proxy = config.node.name; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6;
+     inherit (confLib.static) isHome dnsServer;
+     inherit (config.swarselsystems) mainUser;
+     worldName = "${mainUser}craft";
+   in
+   {
+     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
+       nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+         "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+       };
 
-      topology.self.services.${serviceName} = {
-        name = "Minecraft";
-        info = "https://${serviceDomain}";
-        icon = "${self}/files/topology-images/${serviceName}.png";
-      };
+       topology.self.services.${serviceName} = {
+         name = "Minecraft";
+         info = "https://${serviceDomain}";
+         icon = "${self}/files/topology-images/${serviceName}.png";
+       };
 
-      globals.services.${serviceName} = {
-        domain = serviceDomain;
-        inherit proxyAddress4 proxyAddress6 isHome;
-      };
+       globals.services.${serviceName} = {
+         domain = serviceDomain;
+         inherit proxyAddress4 proxyAddress6 isHome;
+       };
 
-      networking.firewall.allowedTCPPorts = [ servicePort ];
+       networking.firewall.allowedTCPPorts = [ servicePort ];
 
-      environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
-        { directory = serviceDir; mode = "0755"; }
-      ];
+       environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
+         { directory = serviceDir; mode = "0755"; }
+       ];
 
-      systemd.services.minecraft-swarselcraft = {
-        description = "Minecraft Server";
-        wants = [ "network-online.target" ];
-        after = [ "network-online.target" ];
+       systemd.services.minecraft-swarselcraft = {
+         description = "Minecraft Server";
+         wants = [ "network-online.target" ];
+         after = [ "network-online.target" ];
 
-        serviceConfig = {
-          User = "root";
-          WorkingDirectory = "${serviceDir}/${worldName}";
+         serviceConfig = {
+           User = "root";
+           WorkingDirectory = "${serviceDir}/${worldName}";
 
-          ExecStart = "${lib.getExe pkgs.temurin-jre-bin-17} @user_jvm_args.txt @libraries/net/minecraftforge/forge/1.20.1-47.2.20/unix_args.txt nogui";
+           ExecStart = "${lib.getExe pkgs.temurin-jre-bin-17} @user_jvm_args.txt @libraries/net/minecraftforge/forge/1.20.1-47.2.20/unix_args.txt nogui";
 
-          Restart = "always";
-          RestartSec = 30;
-          StandardInput = "null";
-        };
+           Restart = "always";
+           RestartSec = 30;
+           StandardInput = "null";
+         };
 
-        wantedBy = [ "multi-user.target" ];
-      };
+         wantedBy = [ "multi-user.target" ];
+       };
 
 
-    };
+     };
 
-  }
+   }
 #+end_src
 **** Mailserver
 :PROPERTIES:
@@ -15969,7 +15691,8 @@ When changing the hashed passwords, =dovecot= needs to be restarted manually, it
   { self, lib, config, globals, dns, confLib, ... }:
   let
     inherit (config.swarselsystems) sopsFile;
-    inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome webProxy dnsServer;
+    inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
     inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 alias2_3 user3;
     baseDomain = globals.domains.main;
 
@@ -15983,11 +15706,6 @@ When changing the hashed passwords, =dovecot= needs to be restarted manually, it
     };
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
-        "${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       globals.services = {
         ${serviceName} = {
           domain = serviceDomain;
@@ -16107,33 +15825,21 @@ When changing the hashed passwords, =dovecot= needs to be restarted manually, it
         };
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
+      nodes =
+        let
+          extraConfigLoc = ''
+            proxy_ssl_server_name on;
+            proxy_ssl_name ${roundcubeDomain};
+          '';
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
+            "${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
           };
+          ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; };
+          ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
         };
-        virtualHosts = {
-          "${roundcubeDomain}" = {
-            useACMEHost = globals.domains.main;
-
-            forceSSL = true;
-            acmeRoot = null;
-            locations = {
-              "/" = {
-                proxyPass = "https://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size    0;
-                  proxy_ssl_server_name on;
-                  proxy_ssl_name ${roundcubeDomain};
-                '';
-              };
-            };
-          };
-        };
-      };
 
     };
   }
@@ -16155,7 +15861,8 @@ $ attic cache create hello
 #+begin_src nix-ts :tangle modules/nixos/server/attic.nix
   { lib, config, pkgs, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
     inherit (config.swarselsystems) mainUser isPublic sopsFile;
     serviceDB = "atticd";
   in
@@ -16165,10 +15872,6 @@ $ attic cache create hello
     };
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       topology.self.services.${serviceName} = {
         name = lib.swarselsystems.toCapitalized serviceName;
         info = "https://${serviceDomain}";
@@ -16181,7 +15884,7 @@ $ attic cache create hello
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -16293,36 +15996,23 @@ $ attic cache create hello
         after = [ "garage.service" ];
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
+      nodes =
+        let
+          extraConfigLoc = ''
+            client_body_timeout        600s;
+            proxy_connect_timeout      600s;
+            proxy_send_timeout         600s;
+            proxy_read_timeout         600s;
+            proxy_request_buffering    off;
+          '';
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
           };
+          ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+          ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
         };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            useACMEHost = globals.domains.main;
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = false;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                  client_max_body_size 0;
-                  client_body_timeout        600s;
-                  proxy_connect_timeout      600s;
-                  proxy_send_timeout         600s;
-                  proxy_read_timeout         600s;
-                  proxy_request_buffering    off;
-                '';
-              };
-            };
-          };
-        };
-      };
 
     };
   }
@@ -16342,7 +16032,8 @@ $ hydra-create-user alice --full-name 'Alice Q. User' \
 #+begin_src nix-ts :tangle modules/nixos/server/hydra.nix
   { inputs, lib, config, globals, dns, confLib, ... }:
   let
-    inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+    inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
     inherit (config.swarselsystems) sopsFile;
   in
   {
@@ -16351,10 +16042,6 @@ $ hydra-create-user alice --full-name 'Alice Q. User' \
     };
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       topology.self.services.${serviceName}.info = "https://${serviceDomain}";
 
       globals = {
@@ -16363,7 +16050,7 @@ $ hydra-create-user alice --full-name 'Alice Q. User' \
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -16456,32 +16143,19 @@ $ hydra-create-user alice --full-name 'Alice Q. User' \
         '';
       };
 
-      nodes.${webProxy}.services.nginx = {
-        upstreams = {
-          ${serviceName} = {
-            servers = {
-              "${serviceAddress}:${builtins.toString servicePort}" = { };
-            };
+      nodes =
+        let
+          extraConfigLoc = ''
+            proxy_set_header  X-Request-Base    /hydra;
+          '';
+        in
+        {
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
           };
+          ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+          ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
         };
-        virtualHosts = {
-          "${serviceDomain}" = {
-            enableACME = true;
-            forceSSL = true;
-            acmeRoot = null;
-            oauth2.enable = false;
-            locations = {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                extraConfig = ''
-                    client_max_body_size 0;
-                  proxy_set_header  X-Request-Base    /hydra;
-                '';
-              };
-            };
-          };
-        };
-      };
 
     };
   }
@@ -16494,104 +16168,105 @@ $ hydra-create-user alice --full-name 'Alice Q. User' \
 This is the dhcp config that runs on my router.
 
 #+begin_src nix-ts :tangle modules/nixos/server/kea.nix
-  { self, lib, config, globals, confLib, ... }:
-  let
-    inherit (confLib.gen { name = "kea"; dir = "/var/lib/private/kea"; }) serviceName serviceDir homeDnsServer;
-    dhcpX = intX:
-      let
-        x = builtins.toString intX;
-      in
-      {
-        enable = true;
-        settings = {
-          reservations-out-of-pool = true;
-          lease-database = {
-            name = "/var/lib/kea/dhcp${x}.leases";
-            persist = true;
-            type = "memfile";
-          };
-          valid-lifetime = 86400;
-          renew-timer = 3600;
-          interfaces-config = {
-            interfaces = map (name: "me-${name}") (builtins.attrNames globals.networks.home-lan.vlans);
-            service-sockets-max-retries = -1;
-          };
-          "subnet${x}" = lib.flip lib.mapAttrsToList globals.networks.home-lan.vlans (
-            vlanName: vlanCfg: {
-              inherit (vlanCfg) id;
-              interface = "me-${vlanName}";
-              subnet = vlanCfg."cidrv${x}";
-              rapid-commit = lib.mkIf (intX == 6) true;
-              pools = [
-                {
-                  pool = "${lib.net.cidr.host 20 vlanCfg."cidrv${x}"} - ${lib.net.cidr.host (-6) vlanCfg."cidrv${x}"}";
-                }
-              ];
-              pd-pools = lib.mkIf (intX == 6) [
-                {
-                  prefix = builtins.replaceStrings [ "::" ] [ ":0:0:100::" ] (lib.head (lib.splitString "/" vlanCfg.cidrv6));
-                  prefix-len = 56;
-                  delegated-len = 64;
-                }
-              ];
-              option-data =
-                lib.optional (intX == 4)
-                  {
-                    name = "routers";
-                    data = vlanCfg.hosts.hintbooth."ipv${x}";
-                  }
-                # Advertise DNS server for VLANS that have internet access
-                ++
-                lib.optional
-                  (lib.elem vlanName globals.general.internetVLANs)
-                  {
-                    name = if (intX == 4) then "domain-name-servers" else "dns-servers";
-                    data = globals.networks.home-lan.vlans.services.hosts.${homeDnsServer}."ipv${x}";
-                  };
-              reservations = lib.concatLists (
-                lib.forEach (builtins.attrValues vlanCfg.hosts) (
-                  hostCfg:
-                  lib.optional (hostCfg.mac != null) {
-                    hw-address = lib.mkIf (intX == 4) hostCfg.mac;
-                    duid = lib.mkIf (intX == 6) "00:03:00:01:${hostCfg.mac}"; # 00:03 = duid type 3; 00:01 = ethernet
-                    ip-address = lib.mkIf (intX == 4) hostCfg."ipv${x}";
-                    ip-addresses = lib.mkIf (intX == 6) [ hostCfg."ipv${x}" ];
-                    prefixes = lib.mkIf (intX == 6) [
-                      "${builtins.replaceStrings ["::"] [":0:0:${builtins.toString (256 + hostCfg.id)}::"] (lib.head (lib.splitString "/" vlanCfg.cidrv6))}/64"
-                    ];
-                  }
-                )
-              );
-            }
-          );
-        };
-      };
-  in
-  {
-    options = {
-      swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
-    };
-    config = lib.mkIf config.swarselmodules.server.${serviceName} {
+   { self, lib, config, globals, confLib, ... }:
+   let
+     inherit (confLib.gen { name = "kea"; dir = "/var/lib/private/kea"; }) serviceName serviceDir;
+     inherit (confLib.static) homeDnsServer;
+     dhcpX = intX:
+       let
+         x = builtins.toString intX;
+       in
+       {
+         enable = true;
+         settings = {
+           reservations-out-of-pool = true;
+           lease-database = {
+             name = "/var/lib/kea/dhcp${x}.leases";
+             persist = true;
+             type = "memfile";
+           };
+           valid-lifetime = 86400;
+           renew-timer = 3600;
+           interfaces-config = {
+             interfaces = map (name: "me-${name}") (builtins.attrNames globals.networks.home-lan.vlans);
+             service-sockets-max-retries = -1;
+           };
+           "subnet${x}" = lib.flip lib.mapAttrsToList globals.networks.home-lan.vlans (
+             vlanName: vlanCfg: {
+               inherit (vlanCfg) id;
+               interface = "me-${vlanName}";
+               subnet = vlanCfg."cidrv${x}";
+               rapid-commit = lib.mkIf (intX == 6) true;
+               pools = [
+                 {
+                   pool = "${lib.net.cidr.host 20 vlanCfg."cidrv${x}"} - ${lib.net.cidr.host (-6) vlanCfg."cidrv${x}"}";
+                 }
+               ];
+               pd-pools = lib.mkIf (intX == 6) [
+                 {
+                   prefix = builtins.replaceStrings [ "::" ] [ ":0:0:100::" ] (lib.head (lib.splitString "/" vlanCfg.cidrv6));
+                   prefix-len = 56;
+                   delegated-len = 64;
+                 }
+               ];
+               option-data =
+                 lib.optional (intX == 4)
+                   {
+                     name = "routers";
+                     data = vlanCfg.hosts.hintbooth."ipv${x}";
+                   }
+                 # Advertise DNS server for VLANS that have internet access
+                 ++
+                 lib.optional
+                   (lib.elem vlanName globals.general.internetVLANs)
+                   {
+                     name = if (intX == 4) then "domain-name-servers" else "dns-servers";
+                     data = globals.networks.home-lan.vlans.services.hosts.${homeDnsServer}."ipv${x}";
+                   };
+               reservations = lib.concatLists (
+                 lib.forEach (builtins.attrValues vlanCfg.hosts) (
+                   hostCfg:
+                   lib.optional (hostCfg.mac != null) {
+                     hw-address = lib.mkIf (intX == 4) hostCfg.mac;
+                     duid = lib.mkIf (intX == 6) "00:03:00:01:${hostCfg.mac}"; # 00:03 = duid type 3; 00:01 = ethernet
+                     ip-address = lib.mkIf (intX == 4) hostCfg."ipv${x}";
+                     ip-addresses = lib.mkIf (intX == 6) [ hostCfg."ipv${x}" ];
+                     prefixes = lib.mkIf (intX == 6) [
+                       "${builtins.replaceStrings ["::"] [":0:0:${builtins.toString (256 + hostCfg.id)}::"] (lib.head (lib.splitString "/" vlanCfg.cidrv6))}/64"
+                     ];
+                   }
+                 )
+               );
+             }
+           );
+         };
+       };
+   in
+   {
+     options = {
+       swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+     };
+     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
-        { directory = serviceDir; mode = "0700"; }
-      ];
+       environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
+         { directory = serviceDir; mode = "0700"; }
+       ];
 
-      topology = {
-        extractors.kea.enable = false;
-        self.services.${serviceName} = {
-          name = lib.swarselsystems.toCapitalized serviceName;
-          icon = "${self}/files/topology-images/${serviceName}.png";
-        };
-      };
+       topology = {
+         extractors.kea.enable = false;
+         self.services.${serviceName} = {
+           name = lib.swarselsystems.toCapitalized serviceName;
+           icon = "${self}/files/topology-images/${serviceName}.png";
+         };
+       };
 
-      services.kea = {
-        dhcp4 = dhcpX 4;
-        dhcp6 = dhcpX 6;
-      };
+       services.kea = {
+         dhcp4 = dhcpX 4;
+         dhcp6 = dhcpX 6;
+       };
 
-    };
-  }
+     };
+   }
 #+end_src
 **** nftables (firewall)
 :PROPERTIES:
@@ -16701,7 +16376,8 @@ This has some state:
 #+begin_src nix-ts :tangle modules/nixos/server/firezone.nix
   { self, lib, pkgs, config, globals, confLib, dns, nodes, ... }:
   let
-    inherit (confLib.gen { name = "firezone"; dir = "/var/lib/private/firezone"; }) serviceName serviceDir serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy homeProxyIf webProxyIf idmServer dnsServer;
+    inherit (confLib.gen { name = "firezone"; dir = "/var/lib/private/firezone"; }) serviceName serviceDir serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+    inherit (confLib.static) isHome isProxied homeProxy webProxy homeWebProxy homeProxyIf webProxyIf idmServer dnsServer homeServiceAddress nginxAccessRules;
     inherit (config.swarselsystems) sopsFile;
 
     apiPort = 8081;
@@ -16724,10 +16400,6 @@ This has some state:
     };
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-      nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      };
-
       globals = {
         networks = {
           ${webProxyIf}.hosts = lib.mkIf isProxied {
@@ -16743,7 +16415,7 @@ This has some state:
             };
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy} = {
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy} = {
               allowedTCPPorts = [ apiPort webPort domainPort ];
               allowedUDPPorts = [ relayPort ];
               allowedUDPPortRanges = [
@@ -16958,118 +16630,15 @@ This has some state:
       #   };
 
 
-      nodes = {
-        ${homeProxy} =
-          let
-            nodeCfg = nodes.${homeProxy}.config;
-            nodePkgs = nodes.${homeProxy}.pkgs;
-          in
-          {
-            sops.secrets.firezone-gateway-token = { inherit (nodeCfg.swarselsystems) sopsFile; mode = "0400"; };
-            networking.nftables = {
-              firewall = {
-                zones.firezone.interfaces = [ "tun-firezone" ];
-                rules = {
-                  # masquerade firezone traffic
-                  masquerade-firezone = {
-                    from = [ "firezone" ];
-                    to = [ "vlan-services" ];
-                    # masquerade = true; NOTE: custom rule below for ip4 + ip6
-                    late = true; # Only accept after any rejects have been processed
-                    verdict = "accept";
-                  };
-                  # forward firezone traffic
-                  forward-incoming-firezone-traffic = {
-                    from = [ "firezone" ];
-                    to = [ "vlan-services" ];
-                    verdict = "accept";
-                  };
-
-                  # FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway
-                  forward-outgoing-firezone-traffic = {
-                    from = [ "vlan-services" ];
-                    to = [ "firezone" ];
-                    verdict = "accept";
-                  };
-                };
-              };
-              chains.postrouting = {
-                masquerade-firezone = {
-                  after = [ "hook" ];
-                  late = true;
-                  rules =
-                    lib.forEach
-                      [
-                        "firezone"
-                      ]
-                      (
-                        zone:
-                        lib.concatStringsSep " " [
-                          "meta protocol { ip, ip6 }"
-                          (lib.head nodeCfg.networking.nftables.firewall.zones.${zone}.ingressExpression)
-                          (lib.head nodeCfg.networking.nftables.firewall.zones.vlan-services.egressExpression)
-                          "masquerade random"
-                        ]
-                      );
-                };
-              };
-            };
-
-            boot.kernel.sysctl = {
-              "net.core.wmem_max" = 16777216;
-              "net.core.rmem_max" = 134217728;
-            };
-            services.firezone.gateway = {
-              enable = true;
-              # logLevel = "trace";
-              inherit (nodeCfg.node) name;
-              apiUrl = "wss://${globals.services.firezone.domain}/api/";
-              tokenFile = nodeCfg.sops.secrets.firezone-gateway-token.path;
-              package = nodePkgs.stable25_05.firezone-gateway; # newer versions of firezone-gateway are not compatible with server package
-            };
-
-            topology.self.services."${serviceName}-gateway" = {
-              name = lib.swarselsystems.toCapitalized "${serviceName} Gateway";
-              icon = "${self}/files/topology-images/${serviceName}.png";
-            };
-          };
-        ${idmServer} =
-          let
-            nodeCfg = nodes.${idmServer}.config;
-            accountId = "6b3c6ba7-5240-4684-95ce-f40fdae45096";
-            externalId = "08d714e9-1ab9-4133-a39d-00e843a960cc";
-          in
-          {
-            sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
-            services.kanidm.provision = {
-              groups."firezone.access" = { };
-              systems.oauth2.firezone = {
-                displayName = "Firezone VPN";
-                # NOTE: state: both uuids are runtime values
-                originUrl = [
-                  "https://${globals.services.firezone.domain}/${accountId}/sign_in/providers/${externalId}/handle_callback"
-                  "https://${globals.services.firezone.domain}/${accountId}/settings/identity_providers/openid_connect/${externalId}/handle_callback"
-                ];
-                originLanding = "https://${globals.services.firezone.domain}/";
-                basicSecretFile = nodeCfg.sops.secrets.kanidm-firezone.path;
-                preferShortUsername = true;
-                scopeMaps."firezone.access" = [
-                  "openid"
-                  "email"
-                  "profile"
-                ];
-              };
-
-            };
-          };
-        ${webProxy} = {
-          services.nginx = {
+      nodes =
+        let
+          genNginx = toAddress: extraConfig: {
             upstreams = {
               ${serviceName} = {
-                servers."${serviceAddress}:${builtins.toString webPort}" = { };
+                servers."${toAddress}:${builtins.toString webPort}" = { };
               };
               "${serviceName}-api" = {
-                servers."${serviceAddress}:${builtins.toString apiPort}" = { };
+                servers."${toAddress}:${builtins.toString apiPort}" = { };
               };
             };
             virtualHosts = {
@@ -17077,21 +16646,133 @@ This has some state:
                 useACMEHost = globals.domains.main;
                 forceSSL = true;
                 acmeRoot = null;
-                locations."/" = {
-                  # The trailing slash is important to strip the location prefix from the request
-                  proxyPass = "http://${serviceName}/";
-                  proxyWebsockets = true;
-                };
-                locations."/api/" = {
-                  # The trailing slash is important to strip the location prefix from the request
-                  proxyPass = "http://${serviceName}-api/";
-                  proxyWebsockets = true;
+                inherit extraConfig;
+                locations = {
+                  "/" = {
+                    # The trailing slash is important to strip the location prefix from the request
+                    proxyPass = "http://${serviceName}/";
+                    proxyWebsockets = true;
+                  };
+                  "/api/" = {
+                    # The trailing slash is important to strip the location prefix from the request
+                    proxyPass = "http://${serviceName}-api/";
+                    proxyWebsockets = true;
+                  };
                 };
               };
             };
           };
+        in
+        {
+          ${homeProxy} =
+            let
+              nodeCfg = nodes.${homeProxy}.config;
+              nodePkgs = nodes.${homeProxy}.pkgs;
+            in
+            {
+              sops.secrets.firezone-gateway-token = { inherit (nodeCfg.swarselsystems) sopsFile; mode = "0400"; };
+              networking.nftables = {
+                firewall = {
+                  zones.firezone.interfaces = [ "tun-firezone" ];
+                  rules = {
+                    # masquerade firezone traffic
+                    masquerade-firezone = {
+                      from = [ "firezone" ];
+                      to = [ "vlan-services" ];
+                      # masquerade = true; NOTE: custom rule below for ip4 + ip6
+                      late = true; # Only accept after any rejects have been processed
+                      verdict = "accept";
+                    };
+                    # forward firezone traffic
+                    forward-incoming-firezone-traffic = {
+                      from = [ "firezone" ];
+                      to = [ "vlan-services" ];
+                      verdict = "accept";
+                    };
+
+                    # FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway
+                    forward-outgoing-firezone-traffic = {
+                      from = [ "vlan-services" ];
+                      to = [ "firezone" ];
+                      verdict = "accept";
+                    };
+                  };
+                };
+                chains.postrouting = {
+                  masquerade-firezone = {
+                    after = [ "hook" ];
+                    late = true;
+                    rules =
+                      lib.forEach
+                        [
+                          "firezone"
+                        ]
+                        (
+                          zone:
+                          lib.concatStringsSep " " [
+                            "meta protocol { ip, ip6 }"
+                            (lib.head nodeCfg.networking.nftables.firewall.zones.${zone}.ingressExpression)
+                            (lib.head nodeCfg.networking.nftables.firewall.zones.vlan-services.egressExpression)
+                            "masquerade random"
+                          ]
+                        );
+                  };
+                };
+              };
+
+              boot.kernel.sysctl = {
+                "net.core.wmem_max" = 16777216;
+                "net.core.rmem_max" = 134217728;
+              };
+              services.firezone.gateway = {
+                enable = true;
+                # logLevel = "trace";
+                inherit (nodeCfg.node) name;
+                apiUrl = "wss://${globals.services.firezone.domain}/api/";
+                tokenFile = nodeCfg.sops.secrets.firezone-gateway-token.path;
+                package = nodePkgs.stable25_05.firezone-gateway; # newer versions of firezone-gateway are not compatible with server package
+              };
+
+              topology.self.services."${serviceName}-gateway" = {
+                name = lib.swarselsystems.toCapitalized "${serviceName} Gateway";
+                icon = "${self}/files/topology-images/${serviceName}.png";
+              };
+            };
+          ${idmServer} =
+            let
+              nodeCfg = nodes.${idmServer}.config;
+              accountId = "6b3c6ba7-5240-4684-95ce-f40fdae45096";
+              externalId = "08d714e9-1ab9-4133-a39d-00e843a960cc";
+            in
+            {
+              sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+              services.kanidm.provision = {
+                groups."firezone.access" = { };
+                systems.oauth2.firezone = {
+                  displayName = "Firezone VPN";
+                  # NOTE: state: both uuids are runtime values
+                  originUrl = [
+                    "https://${globals.services.firezone.domain}/${accountId}/sign_in/providers/${externalId}/handle_callback"
+                    "https://${globals.services.firezone.domain}/${accountId}/settings/identity_providers/openid_connect/${externalId}/handle_callback"
+                  ];
+                  originLanding = "https://${globals.services.firezone.domain}/";
+                  basicSecretFile = nodeCfg.sops.secrets.kanidm-firezone.path;
+                  preferShortUsername = true;
+                  scopeMaps."firezone.access" = [
+                    "openid"
+                    "email"
+                    "profile"
+                  ];
+                };
+
+              };
+            };
+          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          };
+          ${webProxy}.services.nginx = genNginx serviceAddress "";
+          ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
         };
-      };
 
     };
   }
@@ -17103,10 +16784,10 @@ This has some state:
 
 
 #+begin_src nix-ts :tangle modules/nixos/server/adguardhome.nix
-  { self, inputs, lib, config, globals, dns, confLib, ... }:
+  { lib, config, globals, dns, confLib, ... }:
   let
     inherit (confLib.gen { name = "adguardhome"; port = 3000; }) serviceName servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6;
-    inherit (confLib.static) isHome isProxied homeProxy homeProxyIf webProxy webProxyIf homeWebProxy dnsServer homeDnsServer homeServiceAddress nginxAccessRules;
+    inherit (confLib.static) isHome isProxied homeProxyIf webProxy webProxyIf homeWebProxy dnsServer homeDnsServer homeServiceAddress nginxAccessRules;
 
     homeServices = lib.attrNames (lib.filterAttrs (_: serviceCfg: serviceCfg.isHome) globals.services);
     homeDomains = map (name: globals.services.${name}.domain) homeServices;
@@ -17124,7 +16805,7 @@ This has some state:
             ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
           };
           ${homeProxyIf}.hosts = lib.mkIf isHome {
-            ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+            ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
           };
         };
         services.${serviceName} = {
@@ -17163,11 +16844,7 @@ This has some state:
             ];
             dhcp.enabled = false;
           };
-          filtering.rewrites = [
-          ]
-          # Use the local mirror-proxy for some services (not necessary, just for speed)
-          ++
-          map
+          filtering.rewrites =  map
             (domain: {
               inherit domain;
               # FIXME: change to homeWebProxy once that is setup
@@ -17202,43 +16879,13 @@ This has some state:
         }
       ];
 
-      nodes =
-        let
-          genNginx = toAddress: extraConfig: {
-            upstreams = {
-              ${serviceName} = {
-                servers = {
-                  "${toAddress}:${builtins.toString servicePort}" = { };
-                };
-              };
-            };
-            virtualHosts = {
-              "${serviceDomain}" = {
-                useACMEHost = globals.domains.main;
-                forceSSL = true;
-                acmeRoot = null;
-                oauth2 = {
-                  enable = true;
-                  allowedGroups = [ "adguardhome_access" ];
-                };
-                locations = {
-                  "/" = {
-                    proxyPass = "http://${serviceName}";
-                    proxyWebsockets = true;
-                  };
-                };
-                extraConfig = lib.mkIf (extraConfig != "") extraConfig;
-              };
-            };
-          };
-        in
-        {
-          ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-            "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-          };
-          ${webProxy}.services.nginx = genNginx serviceAddress "";
-          ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
+      nodes = {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; proxyWebsockets = true; oauth2 = true; oauth2Groups = [ "adguardhome_access" ]; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; proxyWebsockets = true; oauth2 = true; oauth2Groups = [ "adguardhome_access" ]; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
+      };
     };
   }
 #+end_src
@@ -18214,7 +17861,7 @@ A VLAN can also be used as the initrd network - this is however disabled for the
               # this interface to gain a carrier.
               networkConfig.LinkLocalAddressing = "no";
               linkConfig.RequiredForOnline = "carrier";
-              vlan = (map (name: "vlan-${name}") (builtins.attrNames localVLANs));
+              vlan = map (name: "vlan-${name}") (builtins.attrNames localVLANs);
             };
             # Remaining macvtap interfaces should not be touched.
             "90-macvtap-ignore" = lib.mkIf withMicroVMs {
@@ -18809,6 +18456,7 @@ This is just a separate container for derivations defined in [[#h:64a5cc16-6b16-
         prstatus
         swarsel-gens
         swarsel-switch
+        swarsel-sops
       ];
     };
   }
@@ -25501,11 +25149,6 @@ In short, the options defined here are passed to the modules systems using =_mod
           serviceProxy = proxy;
           proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null;
           proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
-          inherit (globals.hosts.${config.node.name}) isHome;
-          inherit (globals.general) homeProxy webProxy dnsServer homeDnsServer homeWebProxy idmServer;
-          webProxyIf = "${webProxy}-wgProxy";
-          homeProxyIf = "home-wgHome";
-          isProxied = config.node.name != webProxy;
         };
 
         static = rec {
@@ -25563,6 +25206,53 @@ In short, the options defined here are passed to the modules systems using =_mod
               };
             }) else (_: { _ = { }; });
 
+        genNginx =
+          { serviceAddress
+          , serviceName
+          , serviceDomain
+          , servicePort
+          , protocol ? "http"
+          , maxBody ? (-1)
+          , maxBodyUnit ? ""
+          , noSslVerify ? false
+          , proxyWebsockets ? false
+          , oauth2 ? false
+          , oauth2Groups ? [ ]
+          , extraConfig ? ""
+          , extraConfigLoc ? ""
+          }: {
+            upstreams = {
+              ${serviceName} = {
+                servers = {
+                  "${serviceAddress}:${builtins.toString servicePort}" = { };
+                };
+              };
+            };
+            virtualHosts = {
+              "${serviceDomain}" = {
+                useACMEHost = globals.domains.main;
+                forceSSL = true;
+                acmeRoot = null;
+                oauth2 = {
+                  enable = lib.mkIf oauth2 true;
+                  allowedGroups = lib.mkIf (oauth2Groups != [ ]) oauth2Groups;
+                };
+                locations = {
+                  "/" = {
+                    proxyPass = "${protocol}://${serviceName}";
+                    proxyWebsockets = lib.mkIf proxyWebsockets true;
+                    extraConfig = lib.optionalString (maxBody != (-1)) ''
+                      client_max_body_size ${builtins.toString maxBody}${maxBodyUnit};
+                    '' + extraConfigLoc;
+                  };
+                };
+                extraConfig = lib.optionalString noSslVerify ''
+                  proxy_ssl_verify off;
+                '' + extraConfig;
+              };
+            };
+          };
+
       };
     };
   }
@@ -27760,6 +27450,23 @@ This script quickly switches to another nix generation.
 
 #+end_src
 
+***** swarsel-sops
+
+#+begin_src nix-ts :tangle pkgs/config/swarsel-sops/default.nix
+  { name, sops, homeConfig, writeShellApplication, ... }:
+  writeShellApplication {
+    inherit name;
+    runtimeInputs = [ sops ];
+    text = ''
+      sops updatekeys ${homeConfig.homeDirectory}/secrets/repo/*
+      sops updatekeys ${homeConfig.homeDirectory}/secrets/nginx/*
+      sops updatekeys ${homeConfig.homeDirectory}/secrets/work/*
+      sops updatekeys ${homeConfig.homeDirectory}/hosts/*/*/*/secrets/*/secrets.yaml
+    '';
+  }
+
+#+end_src
+
 ** Profiles
 :PROPERTIES:
 :CUSTOM_ID: h:f0f1c961-3e7a-47b8-99ab-1654bb45dffc
diff --git a/hosts/nixos/aarch64-linux/belchsfactory/default.nix b/hosts/nixos/aarch64-linux/belchsfactory/default.nix
index f44891b..f024b3b 100644
--- a/hosts/nixos/aarch64-linux/belchsfactory/default.nix
+++ b/hosts/nixos/aarch64-linux/belchsfactory/default.nix
@@ -61,7 +61,7 @@
     postgresql = true;
     attic = true;
     garage = true;
-    hydra = true;
+    hydra = false;
   };
 
 }
diff --git a/hosts/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml b/hosts/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml
index cc13dad..7470995 100644
--- a/hosts/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml
+++ b/hosts/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml
@@ -4,53 +4,53 @@ sops:
         - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMEM4alliWlBCT3VsbVA5
-            OGt5bmQvZW1TaUNkbWtFdzVGNDNpY0hBOVhzCm84TldYNHBrU01HMlBkbGNwZFAw
-            WVk0T3FycVRHUUNtM1pTYkQ4Qmw3RTgKLS0tIE9LUlNEVjJHOGVIK1RSMmRXUDF6
-            QlRKY1hRVzNTVXhESUd3OElXL2pBZXcKDWYoOzi2b4qeIbCVCfTj0lTW+OfbnsXB
-            8MugCHu7+b+ju0v/lUP66jDW9/2AH4PzHtCNHjsafyzr2qnW8HlOzA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySStkZDlPL3JYTFlYVXVD
+            VGx0U2xxeDNXcTdwaFZsRWZoblk5eEttZWtNCmJQa3NvUHNwYmFZUG8wMlNxWE8z
+            bkcvNTNhWnozV2Y4Wk1lZmhmMDdEZm8KLS0tIHBkalp0M0NuU3JQQ1FMRmJNQlJX
+            Zlo4akUyVW0yM3FLNG9jQnBHY1BQN2cK48vxR3pPY3LJlTIEx+dy3ZZRfwFyvQGe
+            EuUI7TuLa0ib8JnO287Ay4gp3GH38jtkGcux4yP5Q8eY/M9GNlEK8A==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
+        - recipient: age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRWJXR2tYdEd4cTZsSi9l
-            Tm1pSC9pek5BakpEMlkwVTcrMlBuVzlXWUVrCmlnV0xJc25nL0twK3VCZ3FRK2x2
-            RW52Q1NxWUhTUGY0NnQ0WEhLMWxIcFUKLS0tIG83eVM0KzdLQ004aDRKNTYvdmVZ
-            d3ZOSStBMFpSU2ZjNWhFRkREQWlUdmcKggVvLy1mLYGf8084RQtlipS4+z4dfPsN
-            HZfid0srwYnezlQ5qOY8/HrDLWHEyuZ4xFZVi4n0k49qBpNwJdmvyQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHTmFTbmNBWldmY2FGSThG
+            K1E5b1RTZE5NTll6WkZvbDhxaUk4d2N5bjNBCm04YkxSTE1FdFNFMGNFREtRbFVE
+            MHFuT1VONzUxcVdoK2kvUFRkc2xXbFkKLS0tIERlWE95MXVnVWk2Tk0xdG1EZUIy
+            cEdOaXNUQmt3KzUvZmRJWkpTdVpHdW8Kv64ZWzQbpmINagumpuHXscRf9stxO4Of
+            DSkGxFyLgq7yDg1iaiWy/mwxQZVw5i4ieR2+VDgi6Web2y6t81jayw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2026-01-03T05:23:18Z"
     mac: ENC[AES256_GCM,data:u9N7GzLPDW7cHT4mkUAC9Diq1RdV5iSwcz/fqzXQKRmic09eVydAgyk2g6NbJ+4tBbAjIfeUch8Bhf5eG0sGzeDkb1qWAMEnP8EPmQ64OdRyN2SxJgxkc8KFGxkrGz9slS2ozWth6q/tKBSsOYbo8WDlCqXhmYp+zBxvYFR30Mg=,iv:HC1e2i0E7dV9/au+A0kHd+UXDhw3xf7RbTpwJI+hjpY=,tag:dPCDh9qalNtbHIhs//cBpg==,type:str]
     pgp:
-        - created_at: "2026-01-02T21:12:51Z"
+        - created_at: "2026-01-04T23:02:15Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwDh3VI7VctTARAAmvkQ9V14f0BT/bNdFVZtTlY4yVon37CX32SZPUcHV7o8
-            Dya0sZd9tuVATSv79TnybscuNx95fkoZJwujBfAadexn2zY8zl1oEWEHx7p+8/mE
-            W8JbQAjbcbX9sNQYXc8kYJylBThmgNN/HXK7CGtgDFr9xnGzDBnDm/M31P1HwYBm
-            IdIQgFGErEt1K3xvw28Lk3tPuZLK3Y+H2Yna7RRF6K1blGJUvEnL6yFdA10/eFW7
-            8066mO26F2l5xFuktK0nNeniLHKa5VVYp8iM+JMhX38l0wiIi8pGyxo3uAjNpa0w
-            IfpCneEBe/yyaUPcWMjXmUG5LJe3kWUup8cSzvu01Z3W159/QsflxIMkIsklqhim
-            B2zuPdAlYsjjS/05DIHInN2IIB/rjADkQvXji1XYLhWJj4jxDeck/UIc6Q22TED+
-            autlbl8d/5sqyO5ghPpShF/s0vMTqUfpXZrDrbuyDFqCfwi0ahP03bUsv20ZEz6u
-            zG3K5HuXHh7ATSppwuMbcv7vcjF1tkbo6XhWZDv0rY0DFWqiYhnxWwlFlGLxf4zX
-            g6r7Ca/E/YXG/eOET6M9DxwHjj0D7u/ryAkCktqPL9w8oNGarZQ/xMx0+ocI3byc
-            Zvzlmd63BtgaGNSxH3stK29KN3ED8cDkG/JzAxCATWiUBBkqW/ga4sGZqtLlSO+F
-            AgwDC9FRLmchgYQBD/9JbFZie25PO2CyELlUWm5SmJcugT9SK/mIA2fe1PlA+Gnf
-            5z9iXraMSQchz4R1IoiixDhubwKeKp/auqhlOPvo58Lsi6iDR/WaLWabD+hcyAb1
-            ck/f/PUzTLhlLcfu18VPfXVzfnky3dX8P5aS0WMLAQblj2RaaiHxnPqf49kXSn3q
-            VSJ0pr0nEsPuWtoCkHUAwAJ8X5GPXN2OD4YbHsNaA9h2vrJAxNd5+HNsvg8JtI88
-            X/uMM7cWcaXcmNZOz166HUIPcJ5cabJ48Sv8sDfMPOcTiJkMiESBnRYTwdUcp08m
-            nGipSrUeW3pVOC1bGyukZb6sF84pTtCpqS+kOSfKFlxFFdAEcpzFIPuOMeo2dbKj
-            GSGPDemZFC2yFq883yk9/mZbgjOUsqrj0ZP3rCD5ZHpfUM5IxGQ+mKaOucTXYmif
-            lrTPMYnAc7pHxKZ87BgiKBYrfRAZvorLYKv8zG8YagAUw8iCtc68YUUdvLW9haQf
-            rwWCU1z+sszYSac7I57gfqICQhMUbs1n9S2Cn0C0xo4q2Lu36ysip4rEVGg6TmUu
-            znXYu+3orodw2TwC0tGxXHYKwmlr7EGnBCbdVKpDoCbV6cYkDYoPUFg0alqIPd5r
-            KCkee9MaCLLX7IdBrbLf1lkHGwSAs81GfZRMLBauM7/hn+hMUeIJnMbtJnVIB9Je
-            AdT2nSH06+POnjvxa2t0dUasnG/6ISBRSk6FgBBZ+pdVlrvaB4javgWGpiAWCUu6
-            b2CMZF3HullmLj+wwAKlsZsIOXGICN5GeQxLHYF8Kx7Doj68Owu/zGM5MS+7XQ==
-            =wYdb
+            hQIMAwDh3VI7VctTAQ/+OHyevGNQqVV8RMOgLxV7CSBCdzCgRiEyDt8/A2twNG1x
+            8lM5boYrVJowPbqd1EV2hfZ8gl3vvWhGMQdR96J+Mt1PWG/lok/Opf8Sdjl5hzpq
+            5AjNWz8p0NQ0e2UAGDuRXy+tjeMWKox86KVhxA/L3Td4S+jV5W+3zRSkRB7g1eIH
+            NJiyFe+jl29mSSABKk5TclzoB/GoojAkO+8iXsjMZYd3upHyQdriipQKkJJGEaxH
+            8fWBYcFB3H+3nMmwi6bz8xhUpOCpKzRbvwmqWYcendqINvDU/sQxQmxcqgMiluzQ
+            ocHNba+K//ptmtJHeL/8o69ljqk49A9mZ3ukRZZ9htWewv5n5T71majA/lJseGv7
+            tsAuKYTHlSkhOVzXuBnIaGrBgF3mB0ag+9/VIlBXCZpEMdjp3C9GJBUQuxoRSwbX
+            3oREyM97O/rtOo9JaqzqX63S59aHPwt83WH6dp2n2hcXF0tpYff3Esw9Vg3Uq+Fp
+            GCSjb4jFQTu25ZbpiiUaaFib+03Y6gGrnzU7W6460cxd4iZNEPGqE1refsQGYUPC
+            6L7R/mkT0SBtC/8lyOvuIpzYHiAkCqdLbrVTmBHUG+a4fIP16IilIFBh8haVKqY0
+            pgBDyLZDVwLzslp3AK+7pusU8STqCazFISe5GPQswwjwo+J3URmQKbCNHXVRyb2F
+            AgwDC9FRLmchgYQBD/94rHN8+Rqod5qxDxa0JR2ZYKSUBdzkkEqYnjp0efn/dY8x
+            m0WUQZEy+L4ZeAmFFL/mQ/Mxk7EW2Vghwy8j8tGTogJtVS7e0GYirKAHr6fgxxpa
+            5BoaUSK75xybQTzWe/CETfpRlDEFmYt/hwMldfCHXwnqZxXNVHj1MN2kVNFbPfwo
+            Ml8RYG8ZllyOVAVgXGsV6kiJp7jKblpuKCDQPkdbE1hFBed0SKW7olUtuBE4ho7Y
+            J1g1gXOAqAWud+crA21bA7Uow7ZYaC0/WzTY2PrgAuS6kpVx52uUj0xqMfK+/Cco
+            r+KFHleJL4b8pIsImsExJv6rDKFohC7E5n5XxLLorTXB6YYie8FkpvmbWK03j+hj
+            Q7xwFLKWYLlPGtdhe+YpL9yiwHWaQbGUjarVH0UAZgSwJCt1cZoiL6++dp1USb3N
+            aV9HS0Milhbseas9YjiSoVvBXrDYEnjShJ7uWOu3Rbh4hx7jvJijLPrPcd7cym+A
+            tjaxFFeD0mTEj1JcjVMk3fEN0wj++oY/l+piVvYvZWvMscq83Sb6CxxDprVw8xt0
+            sECqmgT0yVZrbDNpANwyWMXaHs5SZm5LaW7uDIcr0egkVA6Abn6twaR12660ptjm
+            mcv5K+ubzRomwxgzr/5NcwSg/k8qZ3WMfV/yuNsKIkHK2UI0y49SuBuCGGa1wtJe
+            AenE+Zn4xyF6cpEFXNKNXFDCy2fgHQrdiQ7XawrFAPJupn1JbGXg1gBN7yQI4YW+
+            BuVCb07GtuU/faiT7cIxUQ1nhc1alSE/edfqAPAPqxA/MXhoC7xT9vFmvUPAuw==
+            =moK4
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted
diff --git a/modules/home/common/custom-packages.nix b/modules/home/common/custom-packages.nix
index 7e73685..3951d86 100644
--- a/modules/home/common/custom-packages.nix
+++ b/modules/home/common/custom-packages.nix
@@ -35,6 +35,7 @@
       prstatus
       swarsel-gens
       swarsel-switch
+      swarsel-sops
     ];
   };
 }
diff --git a/modules/nixos/optional/systemd-networkd-server-home.nix b/modules/nixos/optional/systemd-networkd-server-home.nix
index 9b6ef50..58da2b7 100644
--- a/modules/nixos/optional/systemd-networkd-server-home.nix
+++ b/modules/nixos/optional/systemd-networkd-server-home.nix
@@ -87,7 +87,7 @@ in
           # this interface to gain a carrier.
           networkConfig.LinkLocalAddressing = "no";
           linkConfig.RequiredForOnline = "carrier";
-          vlan = (map (name: "vlan-${name}") (builtins.attrNames localVLANs));
+          vlan = map (name: "vlan-${name}") (builtins.attrNames localVLANs);
         };
         # Remaining macvtap interfaces should not be touched.
         "90-macvtap-ignore" = lib.mkIf withMicroVMs {
diff --git a/modules/nixos/server/adguardhome.nix b/modules/nixos/server/adguardhome.nix
index f5b6262..a3d37be 100644
--- a/modules/nixos/server/adguardhome.nix
+++ b/modules/nixos/server/adguardhome.nix
@@ -1,7 +1,7 @@
-{ self, inputs, lib, config, globals, dns, confLib, ... }:
+{ lib, config, globals, dns, confLib, ... }:
 let
   inherit (confLib.gen { name = "adguardhome"; port = 3000; }) serviceName servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6;
-  inherit (confLib.static) isHome isProxied homeProxy homeProxyIf webProxy webProxyIf homeWebProxy dnsServer homeDnsServer homeServiceAddress nginxAccessRules;
+  inherit (confLib.static) isHome isProxied homeProxyIf webProxy webProxyIf homeWebProxy dnsServer homeDnsServer homeServiceAddress nginxAccessRules;
 
   homeServices = lib.attrNames (lib.filterAttrs (_: serviceCfg: serviceCfg.isHome) globals.services);
   homeDomains = map (name: globals.services.${name}.domain) homeServices;
@@ -19,7 +19,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -58,11 +58,7 @@ in
           ];
           dhcp.enabled = false;
         };
-        filtering.rewrites = [
-        ]
-        # Use the local mirror-proxy for some services (not necessary, just for speed)
-        ++
-        map
+        filtering.rewrites = map
           (domain: {
             inherit domain;
             # FIXME: change to homeWebProxy once that is setup
@@ -97,42 +93,12 @@ in
       }
     ];
 
-    nodes =
-      let
-        genNginx = toAddress: extraConfig: {
-          upstreams = {
-            ${serviceName} = {
-              servers = {
-                "${toAddress}:${builtins.toString servicePort}" = { };
-              };
-            };
-          };
-          virtualHosts = {
-            "${serviceDomain}" = {
-              useACMEHost = globals.domains.main;
-              forceSSL = true;
-              acmeRoot = null;
-              oauth2 = {
-                enable = true;
-                allowedGroups = [ "adguardhome_access" ];
-              };
-              locations = {
-                "/" = {
-                  proxyPass = "http://${serviceName}";
-                  proxyWebsockets = true;
-                };
-              };
-              extraConfig = lib.mkIf (extraConfig != "") extraConfig;
-            };
-          };
-        };
-      in
-      {
-        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-        };
-        ${webProxy}.services.nginx = genNginx serviceAddress "";
-        ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; proxyWebsockets = true; oauth2 = true; oauth2Groups = [ "adguardhome_access" ]; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; proxyWebsockets = true; oauth2 = true; oauth2Groups = [ "adguardhome_access" ]; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
+    };
   };
 }
diff --git a/modules/nixos/server/ankisync.nix b/modules/nixos/server/ankisync.nix
index b6f2158..78f6af5 100644
--- a/modules/nixos/server/ankisync.nix
+++ b/modules/nixos/server/ankisync.nix
@@ -1,7 +1,8 @@
 { self, lib, config, globals, dns, confLib, ... }:
 let
   inherit (config.swarselsystems) sopsFile;
-  inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   ankiUser = globals.user.name;
 in
@@ -9,10 +10,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     # networking.firewall.allowedTCPPorts = [ servicePort ];
 
     sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
@@ -29,7 +26,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -51,31 +48,13 @@ in
       ];
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
-  };
 
+  };
 }
diff --git a/modules/nixos/server/attic.nix b/modules/nixos/server/attic.nix
index 3aeb11e..31a280a 100644
--- a/modules/nixos/server/attic.nix
+++ b/modules/nixos/server/attic.nix
@@ -1,6 +1,7 @@
 { lib, config, pkgs, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
   inherit (config.swarselsystems) mainUser isPublic sopsFile;
   serviceDB = "atticd";
 in
@@ -10,10 +11,6 @@ in
   };
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     topology.self.services.${serviceName} = {
       name = lib.swarselsystems.toCapitalized serviceName;
       info = "https://${serviceDomain}";
@@ -26,7 +23,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -138,36 +135,23 @@ in
       after = [ "garage.service" ];
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
+    nodes =
+      let
+        extraConfigLoc = ''
+          client_body_timeout        600s;
+          proxy_connect_timeout      600s;
+          proxy_send_timeout         600s;
+          proxy_read_timeout         600s;
+          proxy_request_buffering    off;
+        '';
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = false;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 0;
-                client_body_timeout        600s;
-                proxy_connect_timeout      600s;
-                proxy_send_timeout         600s;
-                proxy_read_timeout         600s;
-                proxy_request_buffering    off;
-              '';
-            };
-          };
-        };
-      };
-    };
 
   };
 }
diff --git a/modules/nixos/server/atuin.nix b/modules/nixos/server/atuin.nix
index 5c72023..6998aa2 100644
--- a/modules/nixos/server/atuin.nix
+++ b/modules/nixos/server/atuin.nix
@@ -1,15 +1,12 @@
 { lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     topology.self.services.${serviceName}.info = "https://${serviceDomain}";
 
     globals = {
@@ -18,7 +15,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -35,30 +32,12 @@ in
       openRegistration = false;
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size    0;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
 
   };
diff --git a/modules/nixos/server/croc.nix b/modules/nixos/server/croc.nix
index ae687c6..c5b4f5c 100644
--- a/modules/nixos/server/croc.nix
+++ b/modules/nixos/server/croc.nix
@@ -1,6 +1,7 @@
 { self, lib, config, pkgs, dns, globals, confLib, ... }:
 let
-  inherit (confLib.gen { name = "croc"; proxy = config.node.name; }) serviceName serviceDomain proxyAddress4 proxyAddress6 isHome dnsServer;
+  inherit (confLib.gen { name = "croc"; proxy = config.node.name; }) serviceName serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome dnsServer;
   servicePorts = [
     9009
     9010
diff --git a/modules/nixos/server/dns-home.nix b/modules/nixos/server/dns-home.nix
index abb3f5a..cda9148 100644
--- a/modules/nixos/server/dns-home.nix
+++ b/modules/nixos/server/dns-home.nix
@@ -1,10 +1,11 @@
 { lib, config, globals, confLib, ... }:
 let
-  inherit (confLib.gen { name = "dns-home"; }) serviceName homeProxy;
+  inherit (confLib.gen { name = "dns-home"; }) serviceName;
+  inherit (confLib.static) homeProxy;
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
-  config = lib.mkIf (config.swarselmodules.server.${serviceName}) {
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
     networking.hosts = {
       ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv4} = [ "server.${homeProxy}.${globals.domains.main}" ];
diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix
index 75f0553..5c32aee 100644
--- a/modules/nixos/server/firefly-iii.nix
+++ b/modules/nixos/server/firefly-iii.nix
@@ -1,6 +1,7 @@
 { self, lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome dnsServer webProxy;
+  inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules;
 
   nginxGroup = "nginx";
 
@@ -11,10 +12,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     users = {
       groups.${serviceGroup} = { };
       users.${serviceUser} = {
@@ -81,36 +78,48 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
+    nodes =
+      let
+        genNginx = toAddress: extraConfig: {
+          upstreams = {
+            ${serviceName} = {
+              servers = {
+                "${toAddress}:${builtins.toString servicePort}" = { };
+              };
+            };
           };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
+          virtualHosts = {
+            "${serviceDomain}" = {
+              useACMEHost = globals.domains.main;
 
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = true;
-          oauth2.allowedGroups = [ "firefly_access" ];
-          # main config is automatically added by nixos firefly config.
-          # hence, only provide certificate
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-            };
-            "/api" = {
-              proxyPass = "http://${serviceName}";
-              setOauth2Headers = false;
-              bypassAuth = true;
+              forceSSL = true;
+              acmeRoot = null;
+              oauth2 = {
+                enable = true;
+                allowedGroups = [ "firefly_access" ];
+              };
+              inherit extraConfig;
+              locations = {
+                "/" = {
+                  proxyPass = "http://${serviceName}";
+                };
+                "/api" = {
+                  proxyPass = "http://${serviceName}";
+                  setOauth2Headers = false;
+                  bypassAuth = true;
+                };
+              };
             };
           };
         };
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = genNginx serviceAddress "";
+        ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
       };
-    };
+
   };
 }
diff --git a/modules/nixos/server/firezone.nix b/modules/nixos/server/firezone.nix
index 26addfc..22ca0f2 100644
--- a/modules/nixos/server/firezone.nix
+++ b/modules/nixos/server/firezone.nix
@@ -1,6 +1,7 @@
 { self, lib, pkgs, config, globals, confLib, dns, nodes, ... }:
 let
-  inherit (confLib.gen { name = "firezone"; dir = "/var/lib/private/firezone"; }) serviceName serviceDir serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy homeProxyIf webProxyIf idmServer dnsServer;
+  inherit (confLib.gen { name = "firezone"; dir = "/var/lib/private/firezone"; }) serviceName serviceDir serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied homeProxy webProxy homeWebProxy homeProxyIf webProxyIf idmServer dnsServer homeServiceAddress nginxAccessRules;
   inherit (config.swarselsystems) sopsFile;
 
   apiPort = 8081;
@@ -23,10 +24,6 @@ in
   };
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     globals = {
       networks = {
         ${webProxyIf}.hosts = lib.mkIf isProxied {
@@ -42,7 +39,7 @@ in
           };
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy} = {
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy} = {
             allowedTCPPorts = [ apiPort webPort domainPort ];
             allowedUDPPorts = [ relayPort ];
             allowedUDPPortRanges = [
@@ -257,118 +254,15 @@ in
     #   };
 
 
-    nodes = {
-      ${homeProxy} =
-        let
-          nodeCfg = nodes.${homeProxy}.config;
-          nodePkgs = nodes.${homeProxy}.pkgs;
-        in
-        {
-          sops.secrets.firezone-gateway-token = { inherit (nodeCfg.swarselsystems) sopsFile; mode = "0400"; };
-          networking.nftables = {
-            firewall = {
-              zones.firezone.interfaces = [ "tun-firezone" ];
-              rules = {
-                # masquerade firezone traffic
-                masquerade-firezone = {
-                  from = [ "firezone" ];
-                  to = [ "vlan-services" ];
-                  # masquerade = true; NOTE: custom rule below for ip4 + ip6
-                  late = true; # Only accept after any rejects have been processed
-                  verdict = "accept";
-                };
-                # forward firezone traffic
-                forward-incoming-firezone-traffic = {
-                  from = [ "firezone" ];
-                  to = [ "vlan-services" ];
-                  verdict = "accept";
-                };
-
-                # FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway
-                forward-outgoing-firezone-traffic = {
-                  from = [ "vlan-services" ];
-                  to = [ "firezone" ];
-                  verdict = "accept";
-                };
-              };
-            };
-            chains.postrouting = {
-              masquerade-firezone = {
-                after = [ "hook" ];
-                late = true;
-                rules =
-                  lib.forEach
-                    [
-                      "firezone"
-                    ]
-                    (
-                      zone:
-                      lib.concatStringsSep " " [
-                        "meta protocol { ip, ip6 }"
-                        (lib.head nodeCfg.networking.nftables.firewall.zones.${zone}.ingressExpression)
-                        (lib.head nodeCfg.networking.nftables.firewall.zones.vlan-services.egressExpression)
-                        "masquerade random"
-                      ]
-                    );
-              };
-            };
-          };
-
-          boot.kernel.sysctl = {
-            "net.core.wmem_max" = 16777216;
-            "net.core.rmem_max" = 134217728;
-          };
-          services.firezone.gateway = {
-            enable = true;
-            # logLevel = "trace";
-            inherit (nodeCfg.node) name;
-            apiUrl = "wss://${globals.services.firezone.domain}/api/";
-            tokenFile = nodeCfg.sops.secrets.firezone-gateway-token.path;
-            package = nodePkgs.stable25_05.firezone-gateway; # newer versions of firezone-gateway are not compatible with server package
-          };
-
-          topology.self.services."${serviceName}-gateway" = {
-            name = lib.swarselsystems.toCapitalized "${serviceName} Gateway";
-            icon = "${self}/files/topology-images/${serviceName}.png";
-          };
-        };
-      ${idmServer} =
-        let
-          nodeCfg = nodes.${idmServer}.config;
-          accountId = "6b3c6ba7-5240-4684-95ce-f40fdae45096";
-          externalId = "08d714e9-1ab9-4133-a39d-00e843a960cc";
-        in
-        {
-          sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
-          services.kanidm.provision = {
-            groups."firezone.access" = { };
-            systems.oauth2.firezone = {
-              displayName = "Firezone VPN";
-              # NOTE: state: both uuids are runtime values
-              originUrl = [
-                "https://${globals.services.firezone.domain}/${accountId}/sign_in/providers/${externalId}/handle_callback"
-                "https://${globals.services.firezone.domain}/${accountId}/settings/identity_providers/openid_connect/${externalId}/handle_callback"
-              ];
-              originLanding = "https://${globals.services.firezone.domain}/";
-              basicSecretFile = nodeCfg.sops.secrets.kanidm-firezone.path;
-              preferShortUsername = true;
-              scopeMaps."firezone.access" = [
-                "openid"
-                "email"
-                "profile"
-              ];
-            };
-
-          };
-        };
-      ${webProxy} = {
-        services.nginx = {
+    nodes =
+      let
+        genNginx = toAddress: extraConfig: {
           upstreams = {
             ${serviceName} = {
-              servers."${serviceAddress}:${builtins.toString webPort}" = { };
+              servers."${toAddress}:${builtins.toString webPort}" = { };
             };
             "${serviceName}-api" = {
-              servers."${serviceAddress}:${builtins.toString apiPort}" = { };
+              servers."${toAddress}:${builtins.toString apiPort}" = { };
             };
           };
           virtualHosts = {
@@ -376,21 +270,133 @@ in
               useACMEHost = globals.domains.main;
               forceSSL = true;
               acmeRoot = null;
-              locations."/" = {
-                # The trailing slash is important to strip the location prefix from the request
-                proxyPass = "http://${serviceName}/";
-                proxyWebsockets = true;
-              };
-              locations."/api/" = {
-                # The trailing slash is important to strip the location prefix from the request
-                proxyPass = "http://${serviceName}-api/";
-                proxyWebsockets = true;
+              inherit extraConfig;
+              locations = {
+                "/" = {
+                  # The trailing slash is important to strip the location prefix from the request
+                  proxyPass = "http://${serviceName}/";
+                  proxyWebsockets = true;
+                };
+                "/api/" = {
+                  # The trailing slash is important to strip the location prefix from the request
+                  proxyPass = "http://${serviceName}-api/";
+                  proxyWebsockets = true;
+                };
               };
             };
           };
         };
+      in
+      {
+        ${homeProxy} =
+          let
+            nodeCfg = nodes.${homeProxy}.config;
+            nodePkgs = nodes.${homeProxy}.pkgs;
+          in
+          {
+            sops.secrets.firezone-gateway-token = { inherit (nodeCfg.swarselsystems) sopsFile; mode = "0400"; };
+            networking.nftables = {
+              firewall = {
+                zones.firezone.interfaces = [ "tun-firezone" ];
+                rules = {
+                  # masquerade firezone traffic
+                  masquerade-firezone = {
+                    from = [ "firezone" ];
+                    to = [ "vlan-services" ];
+                    # masquerade = true; NOTE: custom rule below for ip4 + ip6
+                    late = true; # Only accept after any rejects have been processed
+                    verdict = "accept";
+                  };
+                  # forward firezone traffic
+                  forward-incoming-firezone-traffic = {
+                    from = [ "firezone" ];
+                    to = [ "vlan-services" ];
+                    verdict = "accept";
+                  };
+
+                  # FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway
+                  forward-outgoing-firezone-traffic = {
+                    from = [ "vlan-services" ];
+                    to = [ "firezone" ];
+                    verdict = "accept";
+                  };
+                };
+              };
+              chains.postrouting = {
+                masquerade-firezone = {
+                  after = [ "hook" ];
+                  late = true;
+                  rules =
+                    lib.forEach
+                      [
+                        "firezone"
+                      ]
+                      (
+                        zone:
+                        lib.concatStringsSep " " [
+                          "meta protocol { ip, ip6 }"
+                          (lib.head nodeCfg.networking.nftables.firewall.zones.${zone}.ingressExpression)
+                          (lib.head nodeCfg.networking.nftables.firewall.zones.vlan-services.egressExpression)
+                          "masquerade random"
+                        ]
+                      );
+                };
+              };
+            };
+
+            boot.kernel.sysctl = {
+              "net.core.wmem_max" = 16777216;
+              "net.core.rmem_max" = 134217728;
+            };
+            services.firezone.gateway = {
+              enable = true;
+              # logLevel = "trace";
+              inherit (nodeCfg.node) name;
+              apiUrl = "wss://${globals.services.firezone.domain}/api/";
+              tokenFile = nodeCfg.sops.secrets.firezone-gateway-token.path;
+              package = nodePkgs.stable25_05.firezone-gateway; # newer versions of firezone-gateway are not compatible with server package
+            };
+
+            topology.self.services."${serviceName}-gateway" = {
+              name = lib.swarselsystems.toCapitalized "${serviceName} Gateway";
+              icon = "${self}/files/topology-images/${serviceName}.png";
+            };
+          };
+        ${idmServer} =
+          let
+            nodeCfg = nodes.${idmServer}.config;
+            accountId = "6b3c6ba7-5240-4684-95ce-f40fdae45096";
+            externalId = "08d714e9-1ab9-4133-a39d-00e843a960cc";
+          in
+          {
+            sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+            services.kanidm.provision = {
+              groups."firezone.access" = { };
+              systems.oauth2.firezone = {
+                displayName = "Firezone VPN";
+                # NOTE: state: both uuids are runtime values
+                originUrl = [
+                  "https://${globals.services.firezone.domain}/${accountId}/sign_in/providers/${externalId}/handle_callback"
+                  "https://${globals.services.firezone.domain}/${accountId}/settings/identity_providers/openid_connect/${externalId}/handle_callback"
+                ];
+                originLanding = "https://${globals.services.firezone.domain}/";
+                basicSecretFile = nodeCfg.sops.secrets.kanidm-firezone.path;
+                preferShortUsername = true;
+                scopeMaps."firezone.access" = [
+                  "openid"
+                  "email"
+                  "profile"
+                ];
+              };
+
+            };
+          };
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = genNginx serviceAddress "";
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
       };
-    };
 
   };
 }
diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix
index deeaa2a..666cae1 100644
--- a/modules/nixos/server/forgejo.nix
+++ b/modules/nixos/server/forgejo.nix
@@ -1,7 +1,8 @@
 { lib, config, pkgs, globals, dns, confLib, ... }:
 let
   inherit (config.swarselsystems) sopsFile;
-  inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   kanidmDomain = globals.services.kanidm.domain;
 in
@@ -9,10 +10,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     # networking.firewall.allowedTCPPorts = [ servicePort ];
 
     users.users.${serviceUser} = {
@@ -32,7 +29,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -140,31 +137,13 @@ in
         '';
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
-  };
 
+  };
 }
diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix
index d7d5cd5..b1d06cb 100644
--- a/modules/nixos/server/freshrss.nix
+++ b/modules/nixos/server/freshrss.nix
@@ -1,6 +1,7 @@
 { self, lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome webProxy dnsServer;
+  inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
 
   inherit (config.swarselsystems) sopsFile;
 in
@@ -8,10 +9,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     users.users.${serviceUser} = {
       extraGroups = [ "users" ];
       group = serviceGroup;
@@ -76,34 +73,46 @@ in
     #   config.sops.templates.freshrss-env.path
     # ];
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
+    nodes =
+      let
+        genNginx = toAddress: extraConfig: {
+          upstreams = {
+            ${serviceName} = {
+              servers = {
+                "${toAddress}:${builtins.toString servicePort}" = { };
+              };
+            };
           };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
+          virtualHosts = {
+            "${serviceDomain}" = {
+              useACMEHost = globals.domains.main;
 
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = true;
-          oauth2.allowedGroups = [ "ttrss_access" ];
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-            };
-            "/api" = {
-              proxyPass = "http://${serviceName}";
-              setOauth2Headers = false;
-              bypassAuth = true;
+              forceSSL = true;
+              acmeRoot = null;
+              oauth2.enable = true;
+              oauth2.allowedGroups = [ "ttrss_access" ];
+              inherit extraConfig;
+              locations = {
+                "/" = {
+                  proxyPass = "http://${serviceName}";
+                };
+                "/api" = {
+                  proxyPass = "http://${serviceName}";
+                  setOauth2Headers = false;
+                  bypassAuth = true;
+                };
+              };
             };
           };
         };
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = genNginx serviceAddress "";
+        ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
       };
-    };
+
   };
 }
diff --git a/modules/nixos/server/garage.nix b/modules/nixos/server/garage.nix
index de46446..dacc0bd 100644
--- a/modules/nixos/server/garage.nix
+++ b/modules/nixos/server/garage.nix
@@ -1,11 +1,8 @@
 # inspired by https://github.com/atropos112/nixos/blob/7fef652006a1c939f4caf9c8a0cb0892d9cdfe21/modules/garage.nix
 { self, lib, pkgs, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen {
-    name = "garage";
-    port = 3900;
-    domain = config.repo.secrets.common.services.domains."garage-${config.node.name}";
-  }) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "garage"; port = 3900; domain = config.repo.secrets.common.services.domains."garage-${config.node.name}"; }) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   cfg = lib.recursiveUpdate config.services.${serviceName} config.swarselsystems.server.${serviceName};
   inherit (config.swarselsystems) sopsFile mainUser;
@@ -73,14 +70,6 @@ in
 
     # networking.firewall.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
-      "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      "${subDomain}-admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      "${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      "*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      "*.${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     topology.self.services.${serviceName} = {
       name = lib.swarselsystems.toCapitalized serviceName;
       info = "https://${serviceDomain}";
@@ -114,7 +103,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
         };
       };
       services.${specificServiceName} = {
@@ -325,69 +314,86 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
+    nodes =
+      let
+        genNginx = toAddress: extraConfig: {
+          upstreams = {
+            ${serviceName} = {
+              servers = {
+                "${toAddress}:${builtins.toString servicePort}" = { };
+              };
+            };
+            "${serviceName}Web" = {
+              servers = {
+                "${toAddress}:${builtins.toString garageWebPort}" = { };
+              };
+            };
+            "${serviceName}Admin" = {
+              servers = {
+                "${toAddress}:${builtins.toString garageAdminPort}" = { };
+              };
+            };
+          };
+          virtualHosts = {
+            "${adminDomain}" = {
+              useACMEHost = globals.domains.main;
+              forceSSL = true;
+              acmeRoot = null;
+              oauth2.enable = false;
+              inherit extraConfig;
+              locations = {
+                "/" = {
+                  proxyPass = "http://${serviceName}Admin";
+                };
+              };
+            };
+            "*.${webDomain}" = {
+              useACMEHost = globals.domains.main;
+              forceSSL = true;
+              acmeRoot = null;
+              oauth2.enable = false;
+              inherit extraConfig;
+              locations = {
+                "/" = {
+                  proxyPass = "http://${serviceName}Web";
+                };
+              };
+            };
+            "${serviceDomain}" = {
+              serverAliases = [ "*.${serviceDomain}" ];
+              useACMEHost = globals.domains.main;
+              forceSSL = true;
+              acmeRoot = null;
+              oauth2.enable = false;
+              inherit extraConfig;
+              locations = {
+                "/" = {
+                  proxyPass = "http://${serviceName}";
+                  extraConfig = ''
+                    client_max_body_size 0;
+                    client_body_timeout        600s;
+                    proxy_connect_timeout      600s;
+                    proxy_send_timeout         600s;
+                    proxy_read_timeout         600s;
+                    proxy_request_buffering    off;
+                  '';
+                };
+              };
+            };
           };
         };
-        "${serviceName}Web" = {
-          servers = {
-            "${serviceAddress}:${builtins.toString garageWebPort}" = { };
-          };
-        };
-        "${serviceName}Admin" = {
-          servers = {
-            "${serviceAddress}:${builtins.toString garageAdminPort}" = { };
-          };
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
+          "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          "${subDomain}-admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          "${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          "*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+          "*.${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = genNginx serviceAddress "";
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
       };
-      virtualHosts = {
-        "${adminDomain}" = {
-          useACMEHost = globals.domains.main;
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = false;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}Admin";
-            };
-          };
-        };
-        "*.${webDomain}" = {
-          useACMEHost = globals.domains.main;
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = false;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}Web";
-            };
-          };
-        };
-        "${serviceDomain}" = {
-          serverAliases = [ "*.${serviceDomain}" ];
-          useACMEHost = globals.domains.main;
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = false;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 0;
-                client_body_timeout        600s;
-                proxy_connect_timeout      600s;
-                proxy_send_timeout         600s;
-                proxy_read_timeout         600s;
-                proxy_request_buffering    off;
-              '';
-            };
-          };
-        };
-      };
-    };
 
   };
 }
diff --git a/modules/nixos/server/homebox.nix b/modules/nixos/server/homebox.nix
index 05fd201..9e1ca26 100644
--- a/modules/nixos/server/homebox.nix
+++ b/modules/nixos/server/homebox.nix
@@ -1,15 +1,12 @@
 { self, lib, pkgs, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     topology.self.services.${serviceName} = {
       name = "Homebox";
       info = "https://${serviceDomain}";
@@ -22,7 +19,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -45,30 +42,13 @@ in
 
     # networking.firewall.allowedTCPPorts = [ servicePort ];
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = false;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
 
   };
-
 }
diff --git a/modules/nixos/server/hydra.nix b/modules/nixos/server/hydra.nix
index 9798ff8..44ff2b0 100644
--- a/modules/nixos/server/hydra.nix
+++ b/modules/nixos/server/hydra.nix
@@ -1,6 +1,7 @@
 { inputs, lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
   inherit (config.swarselsystems) sopsFile;
 in
 {
@@ -9,10 +10,6 @@ in
   };
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     topology.self.services.${serviceName}.info = "https://${serviceDomain}";
 
     globals = {
@@ -21,7 +18,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -114,32 +111,19 @@ in
       '';
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
+    nodes =
+      let
+        extraConfigLoc = ''
+          proxy_set_header  X-Request-Base    /hydra;
+        '';
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          enableACME = true;
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = false;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                  client_max_body_size 0;
-                proxy_set_header  X-Request-Base    /hydra;
-              '';
-            };
-          };
-        };
-      };
-    };
 
   };
 }
diff --git a/modules/nixos/server/immich.nix b/modules/nixos/server/immich.nix
index 25ad031..891c047 100644
--- a/modules/nixos/server/immich.nix
+++ b/modules/nixos/server/immich.nix
@@ -1,15 +1,12 @@
 { lib, pkgs, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     users.users.${serviceUser} = {
       extraGroups = [ "video" "render" "users" ];
     };
@@ -23,7 +20,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -44,42 +41,26 @@ in
       };
     };
 
+    nodes =
+      let
+        extraConfigLoc = ''
+          proxy_http_version 1.1;
+          proxy_set_header   Upgrade    $http_upgrade;
+          proxy_set_header   Connection "upgrade";
+          proxy_redirect     off;
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
+          proxy_read_timeout 600s;
+          proxy_send_timeout 600s;
+          send_timeout       600s;
+        '';
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size    0;
-
-                proxy_http_version 1.1;
-                proxy_set_header   Upgrade    $http_upgrade;
-                proxy_set_header   Connection "upgrade";
-                proxy_redirect     off;
-
-                proxy_read_timeout 600s;
-                proxy_send_timeout 600s;
-                send_timeout       600s;
-              '';
-            };
-          };
-        };
-      };
-    };
 
   };
-
 }
diff --git a/modules/nixos/server/jellyfin.nix b/modules/nixos/server/jellyfin.nix
index b525075..c1a6c0d 100644
--- a/modules/nixos/server/jellyfin.nix
+++ b/modules/nixos/server/jellyfin.nix
@@ -1,15 +1,12 @@
 { pkgs, lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     users.users.${serviceUser} = {
       extraGroups = [ "video" "render" "users" ];
     };
@@ -36,7 +33,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -51,31 +48,13 @@ in
       # openFirewall = true; # this works only for the default ports
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
-  };
 
+  };
 }
diff --git a/modules/nixos/server/jenkins.nix b/modules/nixos/server/jenkins.nix
index aed10f1..4cce673 100644
--- a/modules/nixos/server/jenkins.nix
+++ b/modules/nixos/server/jenkins.nix
@@ -1,22 +1,19 @@
 { pkgs, lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     globals = {
       networks = {
         ${webProxyIf}.hosts = lib.mkIf isProxied {
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -34,31 +31,13 @@ in
       home = "/Vault/apps/${serviceName}";
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
-  };
 
+  };
 }
diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix
index da583f7..218f26c 100644
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@@ -2,7 +2,8 @@
 let
   certsSopsFile = self + /secrets/repo/certs.yaml;
   inherit (config.swarselsystems) sopsFile;
-  inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy homeProxyIf webProxyIf dnsServer;
+  inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy homeProxyIf webProxyIf dnsServer homeServiceAddress nginxAccessRules;
 
   oauth2ProxyDomain = globals.services.oauth2-proxy.domain;
   immichDomain = globals.services.immich.domain;
@@ -31,9 +32,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
 
     users = {
       users.${serviceUser} = {
@@ -69,7 +67,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -396,34 +394,15 @@ in
       };
     };
 
-    systemd.services = {
-      ${serviceName}.serviceConfig.RestartSec = "30";
+    systemd.services.${serviceName}.serviceConfig.RestartSec = "30";
+
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+      };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; };
+      ${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "https://${serviceName}";
-            };
-          };
-          extraConfig = ''
-            proxy_ssl_verify off;
-          '';
-        };
-      };
-    };
   };
 }
diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix
index 8a44cdc..6507053 100644
--- a/modules/nixos/server/kavita.nix
+++ b/modules/nixos/server/kavita.nix
@@ -2,7 +2,8 @@
 let
   inherit (config.swarselsystems) sopsFile;
 
-  inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -11,9 +12,6 @@ in
       calibre
     ];
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
 
     users.users.${serviceUser} = {
       extraGroups = [ "users" ];
@@ -34,7 +32,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -51,29 +49,13 @@ in
       dataDir = "/Vault/data/${serviceName}";
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
+
   };
 }
diff --git a/modules/nixos/server/kea.nix b/modules/nixos/server/kea.nix
index b9686f6..9f331d6 100644
--- a/modules/nixos/server/kea.nix
+++ b/modules/nixos/server/kea.nix
@@ -1,6 +1,7 @@
 { self, lib, config, globals, confLib, ... }:
 let
-  inherit (confLib.gen { name = "kea"; dir = "/var/lib/private/kea"; }) serviceName serviceDir homeDnsServer;
+  inherit (confLib.gen { name = "kea"; dir = "/var/lib/private/kea"; }) serviceName serviceDir;
+  inherit (confLib.static) homeDnsServer;
   dhcpX = intX:
     let
       x = builtins.toString intX;
diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix
index 0cef41b..2a99efc 100644
--- a/modules/nixos/server/koillection.nix
+++ b/modules/nixos/server/koillection.nix
@@ -1,6 +1,7 @@
 { self, lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
   serviceDB = "koillection";
 
   postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
@@ -18,9 +19,6 @@ in
       postgresql = true;
     };
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
     sops.secrets = {
       koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
       koillection-env-file = { inherit sopsFile; };
@@ -38,7 +36,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort postgresPort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort postgresPort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort postgresPort ];
         };
       };
       services.${serviceName} = {
@@ -121,32 +119,22 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
+    nodes =
+      let
+        extraConfigLoc = ''
+          proxy_buffer_size          128k;
+          proxy_buffers              4 256k;
+          proxy_busy_buffers_size    256k;
+        '';
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
 
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                proxy_buffer_size          128k;
-                proxy_buffers              4 256k;
-                proxy_busy_buffers_size    256k;
-              '';
-            };
-          };
-        };
-      };
-    };
+
   };
 }
diff --git a/modules/nixos/server/mailserver.nix b/modules/nixos/server/mailserver.nix
index 24df0c8..2cb1328 100644
--- a/modules/nixos/server/mailserver.nix
+++ b/modules/nixos/server/mailserver.nix
@@ -1,7 +1,8 @@
 { self, lib, config, globals, dns, confLib, ... }:
 let
   inherit (config.swarselsystems) sopsFile;
-  inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome webProxy dnsServer;
+  inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
   inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 alias2_3 user3;
   baseDomain = globals.domains.main;
 
@@ -15,11 +16,6 @@ in
   };
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
-      "${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     globals.services = {
       ${serviceName} = {
         domain = serviceDomain;
@@ -139,33 +135,21 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
+    nodes =
+      let
+        extraConfigLoc = ''
+          proxy_ssl_server_name on;
+          proxy_ssl_name ${roundcubeDomain};
+        '';
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
+          "${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-      virtualHosts = {
-        "${roundcubeDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "https://${serviceName}";
-              extraConfig = ''
-                client_max_body_size    0;
-                proxy_ssl_server_name on;
-                proxy_ssl_name ${roundcubeDomain};
-              '';
-            };
-          };
-        };
-      };
-    };
 
   };
 }
diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix
index 7982ee9..98da084 100644
--- a/modules/nixos/server/matrix.nix
+++ b/modules/nixos/server/matrix.nix
@@ -1,7 +1,8 @@
 { lib, config, pkgs, globals, dns, confLib, ... }:
 let
   inherit (config.swarselsystems) sopsFile;
-  inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   federationPort = 8448;
   whatsappPort = 29318;
@@ -20,10 +21,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     environment.systemPackages = with pkgs; [
       matrix-synapse
       lottieconverter
@@ -97,7 +94,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort federationPort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -303,60 +300,72 @@ in
     # messages out after a while.
 
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          listen = [
-            {
-              addr = "0.0.0.0";
-              port = 8448;
-              ssl = true;
-              extraParameters = [
-                "default_server"
-              ];
-            }
-            {
-              addr = "[::0]";
-              port = 8448;
-              ssl = true;
-              extraParameters = [
-                "default_server"
-              ];
-            }
-            {
-              addr = "0.0.0.0";
-              port = 443;
-              ssl = true;
-            }
-            {
-              addr = "[::0]";
-              port = 443;
-              ssl = true;
-            }
-          ];
-          locations = {
-            "~ ^(/_matrix|/_synapse/client)" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
+    nodes =
+      let
+        genNginx = toAddress: extraConfig: {
+          upstreams = {
+            ${serviceName} = {
+              servers = {
+                "${toAddress}:${builtins.toString servicePort}" = { };
+              };
+            };
+          };
+          virtualHosts = {
+            "${serviceDomain}" = {
+              useACMEHost = globals.domains.main;
+
+              forceSSL = true;
+              acmeRoot = null;
+              listen = [
+                {
+                  addr = "0.0.0.0";
+                  port = 8448;
+                  ssl = true;
+                  extraParameters = [
+                    "default_server"
+                  ];
+                }
+                {
+                  addr = "[::0]";
+                  port = 8448;
+                  ssl = true;
+                  extraParameters = [
+                    "default_server"
+                  ];
+                }
+                {
+                  addr = "0.0.0.0";
+                  port = 443;
+                  ssl = true;
+                }
+                {
+                  addr = "[::0]";
+                  port = 443;
+                  ssl = true;
+                }
+              ];
+              inherit extraConfig;
+              locations = {
+                "~ ^(/_matrix|/_synapse/client)" = {
+                  proxyPass = "http://${serviceName}";
+                  extraConfig = ''
+                    client_max_body_size 0;
+                  '';
+                };
+                "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+                "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+              };
             };
-            "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
-            "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
           };
         };
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = genNginx serviceAddress "";
+        ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
       };
-    };
+
   };
 }
diff --git a/modules/nixos/server/microbin.nix b/modules/nixos/server/microbin.nix
index 3d338f1..d64de1c 100644
--- a/modules/nixos/server/microbin.nix
+++ b/modules/nixos/server/microbin.nix
@@ -1,6 +1,7 @@
 { self, lib, config, dns, globals, confLib, ... }:
 let
-  inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   inherit (config.swarselsystems) sopsFile;
 
@@ -10,10 +11,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     users = {
       groups.${serviceGroup} = { };
 
@@ -56,7 +53,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -115,30 +112,12 @@ in
       { directory = cfg.dataDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
     ];
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 1G;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 1; maxBodyUnit = "G"; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 1; maxBodyUnit = "G"; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
 
   };
diff --git a/modules/nixos/server/minecraft/default.nix b/modules/nixos/server/minecraft/default.nix
index d54e031..1c37055 100644
--- a/modules/nixos/server/minecraft/default.nix
+++ b/modules/nixos/server/minecraft/default.nix
@@ -1,6 +1,7 @@
 { self, lib, config, pkgs, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; proxy = config.node.name; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6 isHome dnsServer;
+  inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; proxy = config.node.name; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome dnsServer;
   inherit (config.swarselsystems) mainUser;
   worldName = "${mainUser}craft";
 in
diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix
index a878060..f9d720f 100644
--- a/modules/nixos/server/monitoring.nix
+++ b/modules/nixos/server/monitoring.nix
@@ -1,6 +1,7 @@
 { lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   prometheusPort = 9090;
   prometheusUser = "prometheus";
@@ -18,10 +19,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     sops = {
       secrets = {
         grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@@ -66,7 +63,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
         };
       };
       services.${serviceName} = {
@@ -222,42 +219,55 @@ in
     };
 
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        "${grafanaUpstream}" = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
+    nodes =
+      let
+        genNginx = toAddress: extraConfigPre: {
+          upstreams = {
+            "${grafanaUpstream}" = {
+              servers = {
+                "${toAddress}:${builtins.toString servicePort}" = { };
+              };
+            };
+            "${prometheusUpstream}" = {
+              servers = {
+                "${toAddress}:${builtins.toString prometheusPort}" = { };
+              };
+            };
           };
-        };
-        "${prometheusUpstream}" = {
-          servers = {
-            "${serviceAddress}:${builtins.toString prometheusPort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
+          virtualHosts = {
+            "${serviceDomain}" = {
+              useACMEHost = globals.domains.main;
 
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${grafanaUpstream}";
-              proxyWebsockets = true;
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-            "/${prometheusWebRoot}" = {
-              proxyPass = "http://${prometheusUpstream}";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
+              forceSSL = true;
+              acmeRoot = null;
+              extraConfig = extraConfigPre;
+              locations =
+                let
+                  extraConfig = ''
+                    client_max_body_size 0;
+                  '';
+                in
+                {
+                  "/" = {
+                    proxyPass = "http://${grafanaUpstream}";
+                    proxyWebsockets = true;
+                    inherit extraConfig;
+                  };
+                  "/${prometheusWebRoot}" = {
+                    proxyPass = "http://${prometheusUpstream}";
+                    inherit extraConfig;
+                  };
+                };
             };
           };
         };
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = genNginx serviceAddress "";
+        ${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
       };
-    };
   };
 }
diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix
index d825653..1e4456b 100644
--- a/modules/nixos/server/navidrome.nix
+++ b/modules/nixos/server/navidrome.nix
@@ -1,14 +1,12 @@
 { pkgs, config, lib, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
 
     environment.systemPackages = with pkgs; [
       pciutils
@@ -47,7 +45,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -118,58 +116,69 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = true;
-          oauth2.allowedGroups = [ "navidrome_access" ];
-          locations =
-            let
-              extraConfig = ''
-                proxy_redirect          http:// https://;
-                proxy_read_timeout      600s;
-                proxy_send_timeout      600s;
-                proxy_buffering         off;
-                proxy_request_buffering off;
-                client_max_body_size    0;
-              '';
-            in
-            {
-              "/" = {
-                proxyPass = "http://${serviceName}";
-                proxyWebsockets = true;
-                inherit extraConfig;
-              };
-              "/share" = {
-                proxyPass = "http://${serviceName}";
-                proxyWebsockets = true;
-                setOauth2Headers = false;
-                bypassAuth = true;
-                inherit extraConfig;
-              };
-              "/rest" = {
-                proxyPass = "http://${serviceName}";
-                proxyWebsockets = true;
-                setOauth2Headers = false;
-                bypassAuth = true;
-                inherit extraConfig;
+    nodes =
+      let
+        genNginx = toAddress: extraConfigPre: {
+          upstreams = {
+            ${serviceName} = {
+              servers = {
+                "${toAddress}:${builtins.toString servicePort}" = { };
               };
             };
+          };
+          virtualHosts = {
+            "${serviceDomain}" = {
+              useACMEHost = globals.domains.main;
+              forceSSL = true;
+              acmeRoot = null;
+              oauth2 = {
+                enable = true;
+                allowedGroups = [ "navidrome_access" ];
+              };
+              extraConfig = extraConfigPre;
+              locations =
+                let
+                  extraConfig = ''
+                    proxy_redirect          http:// https://;
+                    proxy_read_timeout      600s;
+                    proxy_send_timeout      600s;
+                    proxy_buffering         off;
+                    proxy_request_buffering off;
+                    client_max_body_size    0;
+                  '';
+                in
+                {
+                  "/" = {
+                    proxyPass = "http://${serviceName}";
+                    proxyWebsockets = true;
+                    inherit extraConfig;
+                  };
+                  "/share" = {
+                    proxyPass = "http://${serviceName}";
+                    proxyWebsockets = true;
+                    setOauth2Headers = false;
+                    bypassAuth = true;
+                    inherit extraConfig;
+                  };
+                  "/rest" = {
+                    proxyPass = "http://${serviceName}";
+                    proxyWebsockets = true;
+                    setOauth2Headers = false;
+                    bypassAuth = true;
+                    inherit extraConfig;
+                  };
+                };
+            };
+          };
         };
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = genNginx serviceAddress "";
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
       };
-    };
+
   };
-
-
 }
diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix
index c536802..72298a6 100644
--- a/modules/nixos/server/nextcloud.nix
+++ b/modules/nixos/server/nextcloud.nix
@@ -2,7 +2,8 @@
 let
   inherit (config.repo.secrets.local.nextcloud) adminuser;
   inherit (config.swarselsystems) sopsFile;
-  inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome dnsServer webProxy;
+  inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules;
 
   nextcloudVersion = "32";
 in
@@ -10,10 +11,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     sops.secrets = {
       nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
       kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@@ -50,30 +47,13 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size    0;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
+
   };
 }
diff --git a/modules/nixos/server/oauth2-proxy.nix b/modules/nixos/server/oauth2-proxy.nix
index 83e06b3..21b33ac 100644
--- a/modules/nixos/server/oauth2-proxy.nix
+++ b/modules/nixos/server/oauth2-proxy.nix
@@ -1,7 +1,7 @@
 { lib, config, globals, dns, confLib, ... }:
 let
   inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
-  inherit (confLib.static) isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf homeWebProxy oauthServer nginxAccessRules;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf oauthServer nginxAccessRules;
 
   kanidmDomain = globals.services.kanidm.domain;
   mainDomain = globals.domains.main;
@@ -139,7 +139,8 @@ in
       };
     };
 
-    # networking.firewall.allowedTCPPorts = [ servicePort ];
+    # needed for homeWebProxy
+    networking.firewall.allowedTCPPorts = [ servicePort ];
 
     globals = {
       networks = {
@@ -147,7 +148,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -207,39 +208,17 @@ in
 
     nodes =
       let
-        genNginx = toAddress: extraConfig: {
-          upstreams = {
-            ${serviceName} = {
-              servers = {
-                "${toAddress}:${builtins.toString servicePort}" = { };
-              };
-            };
-          };
-          virtualHosts = {
-            "${serviceDomain}" = {
-              useACMEHost = globals.domains.main;
-
-              forceSSL = true;
-              acmeRoot = null;
-              locations = {
-                "/" = {
-                  proxyPass = "http://${serviceName}";
-                };
-              };
-              extraConfig = ''
-                proxy_set_header X-Scheme                $scheme;
-                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
-              '' + lib.optionalString (extraConfig != "") extraConfig;
-            };
-          };
-        };
+        extraConfig = ''
+          proxy_set_header X-Scheme                $scheme;
+          proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+        '';
       in
       {
         ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
-        ${webProxy}.services.nginx = genNginx serviceAddress "";
-        ${homeWebProxy}.services.nginx = genNginx globals.hosts.${oauthServer}.wanAddress4 nginxAccessRules;
+        ${webProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceAddress serviceDomain serviceName extraConfig; protocol = "https"; };
+        ${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; extraConfig = extraConfig + nginxAccessRules; serviceAddress = globals.hosts.${oauthServer}.wanAddress4; };
       };
   };
 }
diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix
index d169557..fe71d04 100644
--- a/modules/nixos/server/paperless.nix
+++ b/modules/nixos/server/paperless.nix
@@ -1,7 +1,8 @@
 { lib, pkgs, config, dns, globals, confLib, ... }:
 let
   inherit (config.swarselsystems) sopsFile;
-  inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   tikaPort = 9998;
   gotenbergPort = 3002;
@@ -11,10 +12,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     users.users.${serviceUser} = {
       extraGroups = [ "users" ];
     };
@@ -32,7 +29,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -109,35 +106,22 @@ in
                      )
     '';
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
+    nodes =
+      let
+        extraConfigLoc = ''
+          proxy_connect_timeout   300;
+          proxy_send_timeout      300;
+          proxy_read_timeout      300;
+          send_timeout            300;
+        '';
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
       };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
 
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size    0;
-                proxy_connect_timeout   300;
-                proxy_send_timeout      300;
-                proxy_read_timeout      300;
-                send_timeout            300;
-              '';
-            };
-          };
-        };
-      };
-    };
   };
-
 }
diff --git a/modules/nixos/server/podman.nix b/modules/nixos/server/podman.nix
index 80bdc22..192e0c3 100644
--- a/modules/nixos/server/podman.nix
+++ b/modules/nixos/server/podman.nix
@@ -26,7 +26,7 @@ in
         };
 
         local-to-podman = {
-          from = [ "local" "wgProxy" "wgHme" ];
+          from = [ "local" "wgProxy" "wgHome" ];
           to = [ "podman" ];
           before = [ "drop" ];
           verdict = "accept";
diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix
index a6e30fe..2d3b852 100644
--- a/modules/nixos/server/radicale.nix
+++ b/modules/nixos/server/radicale.nix
@@ -1,6 +1,7 @@
 { lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
   inherit (config.swarselsystems) sopsFile;
 
   cfg = config.services.${serviceName};
@@ -9,10 +10,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     sops = {
       secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
 
@@ -40,7 +37,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -100,33 +97,13 @@ in
 
     # networking.firewall.allowedTCPPorts = [ servicePort ];
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = false;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                client_max_body_size 16M;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 16; maxBodyUnit = "M"; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 16; maxBodyUnit = "M"; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
 
   };
-
 }
diff --git a/modules/nixos/server/router.nix b/modules/nixos/server/router.nix
index 6dc482f..77663e2 100644
--- a/modules/nixos/server/router.nix
+++ b/modules/nixos/server/router.nix
@@ -1,4 +1,4 @@
-{ lib, config, globals, confLib, ... }:
+{ lib, config, globals, ... }:
 let
   serviceName = "router";
   bridgeVLANs = lib.mapAttrsToList
@@ -9,7 +9,7 @@ let
   selectVLANs = vlans: map (vlan: { VLAN = globals.networks.home-lan.vlans.${vlan}.id; }) vlans;
   lan5VLANs = selectVLANs [ "home" "devices" "guests" ];
   lan4VLANs = selectVLANs [ "home" "services" ];
-  inherit (confLib.gen { }) homeDnsServer;
+  inherit (globals.general) homeDnsServer;
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -47,7 +47,7 @@ in
 
           rules = {
             masquerade-internet = {
-              from = map (name: "vlan-${name}") (globals.general.internetVLANs);
+              from = map (name: "vlan-${name}") globals.general.internetVLANs;
               to = [ "untrusted" ];
               # masquerade = true; NOTE: custom rule below for ip4 + ip6
               late = true; # Only accept after any rejects have been processed
@@ -56,7 +56,7 @@ in
 
             # Allow access to the AdGuardHome DNS server from any VLAN that has internet access
             access-adguardhome-dns = {
-              from = map (name: "vlan-${name}") (globals.general.internetVLANs);
+              from = map (name: "vlan-${name}") globals.general.internetVLANs;
               to = [ "adguardhome" ];
               verdict = "accept";
             };
@@ -94,7 +94,7 @@ in
             late = true;
             rules =
               lib.forEach
-                (map (name: "vlan-${name}") (globals.general.internetVLANs))
+                (map (name: "vlan-${name}") globals.general.internetVLANs)
                 (
                   zone:
                   lib.concatStringsSep " " [
diff --git a/modules/nixos/server/shlink.nix b/modules/nixos/server/shlink.nix
index 00853db..848941d 100644
--- a/modules/nixos/server/shlink.nix
+++ b/modules/nixos/server/shlink.nix
@@ -1,6 +1,7 @@
 { self, lib, config, dns, globals, confLib, ... }:
 let
-  inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
 
@@ -16,10 +17,6 @@ in
       podman = true;
     };
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     sops = {
       secrets = {
         shlink-api = { inherit sopsFile; };
@@ -92,7 +89,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -101,26 +98,13 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
+
   };
 }
diff --git a/modules/nixos/server/slink.nix b/modules/nixos/server/slink.nix
index 8ca9509..be92992 100644
--- a/modules/nixos/server/slink.nix
+++ b/modules/nixos/server/slink.nix
@@ -1,6 +1,7 @@
 { self, lib, config, dns, globals, confLib, ... }:
 let
-  inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9";
 in
@@ -14,10 +15,6 @@ in
       podman = true;
     };
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     virtualisation.oci-containers.containers.${serviceName} = {
       image = "anirdev/slink@${containerRev}";
       environment = {
@@ -69,7 +66,7 @@ in
           ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
         };
       };
       services.${serviceName} = {
@@ -78,34 +75,48 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
+    nodes =
+      let
+        genNginx = toAddress: extraConfig: {
+          upstreams = {
+            ${serviceName} = {
+              servers = {
+                "${toAddress}:${builtins.toString servicePort}" = { };
+              };
+            };
           };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
+          virtualHosts = {
+            "${serviceDomain}" = {
+              useACMEHost = globals.domains.main;
 
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = true;
-          oauth2.allowedGroups = [ "slink_access" ];
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-            };
-            "/image" = {
-              proxyPass = "http://${serviceName}";
-              setOauth2Headers = false;
-              bypassAuth = true;
+              forceSSL = true;
+              acmeRoot = null;
+              oauth2 = {
+                enable = true;
+                allowedGroups = [ "slink_access" ];
+              };
+              inherit extraConfig;
+              locations = {
+                "/" = {
+                  proxyPass = "http://${serviceName}";
+                };
+                "/image" = {
+                  proxyPass = "http://${serviceName}";
+                  setOauth2Headers = false;
+                  bypassAuth = true;
+                };
+              };
             };
           };
         };
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = genNginx serviceAddress "";
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
       };
-    };
+
   };
 }
diff --git a/modules/nixos/server/snipe-it.nix b/modules/nixos/server/snipe-it.nix
index a7fb222..71d7b31 100644
--- a/modules/nixos/server/snipe-it.nix
+++ b/modules/nixos/server/snipe-it.nix
@@ -1,6 +1,7 @@
 { lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome webProxy dnsServer;
+  inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy webProxyIf homeProxyIf dnsServer homeServiceAddress nginxAccessRules;
   # sopsFile = config.node.secretsDir + "/secrets2.yaml";
   inherit (config.swarselsystems) sopsFile;
 
@@ -12,10 +13,6 @@ in
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     sops = {
       secrets = {
         snipe-it-appkey = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
@@ -24,9 +21,19 @@ in
 
     topology.self.services.${serviceName}.info = "https://${serviceDomain}";
 
-    globals.services.${serviceName} = {
-      domain = serviceDomain;
-      inherit proxyAddress4 proxyAddress6 isHome;
+    globals = {
+      networks = {
+        ${webProxyIf}.hosts = lib.mkIf isProxied {
+          ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
+        };
+        ${homeProxyIf}.hosts = lib.mkIf isHome {
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
+        };
+      };
+      services.${serviceName} = {
+        domain = serviceDomain;
+        inherit proxyAddress4 proxyAddress6 isHome;
+      };
     };
 
     services.snipe-it = {
@@ -46,30 +53,13 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${serviceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          oauth2.enable = false;
-          locations = {
-            "/" = {
-              proxyPass = "http://${serviceName}";
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
 
   };
-
 }
diff --git a/modules/nixos/server/syncthing.nix b/modules/nixos/server/syncthing.nix
index e96fd21..a2fe215 100644
--- a/modules/nixos/server/syncthing.nix
+++ b/modules/nixos/server/syncthing.nix
@@ -1,7 +1,8 @@
 { lib, config, globals, dns, confLib, ... }:
 let
   inherit (config.swarselsystems.syncthing) serviceDomain;
-  inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
+  inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 
   specificServiceName = "${serviceName}-${config.node.name}";
 
@@ -42,10 +43,6 @@ in
   };
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
-    nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-    };
-
     users.users.${serviceUser} = {
       extraGroups = [ "users" ];
       group = serviceGroup;
@@ -65,7 +62,7 @@ in
           };
         };
         ${homeProxyIf}.hosts = lib.mkIf isHome {
-          ${config.node.name}.firewallRuleForNode.${homeProxy} = {
+          ${config.node.name}.firewallRuleForNode.${homeWebProxy} = {
             allowedTCPPorts = [ servicePort 20000 ];
             allowedUDPPorts = [ 20000 21027 ];
           };
@@ -131,30 +128,13 @@ in
       };
     };
 
-    nodes.${webProxy}.services.nginx = {
-      upstreams = {
-        ${specificServiceName} = {
-          servers = {
-            "${serviceAddress}:${builtins.toString servicePort}" = { };
-          };
-        };
-      };
-      virtualHosts = {
-        "${serviceDomain}" = {
-          useACMEHost = globals.domains.main;
-
-          forceSSL = true;
-          acmeRoot = null;
-          locations = {
-            "/" = {
-              proxyPass = "http://${specificServiceName}";
-              extraConfig = ''
-                client_max_body_size 0;
-              '';
-            };
-          };
-        };
+    nodes = {
+      ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
+      ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain; serviceName = specificServiceName; maxBody = 0; };
+      ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain; serviceName = specificServiceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
     };
+
   };
 }
diff --git a/modules/nixos/server/transmission.nix b/modules/nixos/server/transmission.nix
index 718f974..8d53c9a 100644
--- a/modules/nixos/server/transmission.nix
+++ b/modules/nixos/server/transmission.nix
@@ -1,6 +1,7 @@
 { self, pkgs, lib, config, confLib, ... }:
 let
-  inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain isHome;
+  inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain;
+  inherit (confLib.static) isHome;
 
   lidarrUser = "lidarr";
   lidarrGroup = lidarrUser;
diff --git a/modules/shared/config-lib.nix b/modules/shared/config-lib.nix
index eac2370..83cbfa6 100644
--- a/modules/shared/config-lib.nix
+++ b/modules/shared/config-lib.nix
@@ -35,11 +35,6 @@ in
         serviceProxy = proxy;
         proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null;
         proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
-        inherit (globals.hosts.${config.node.name}) isHome;
-        inherit (globals.general) homeProxy webProxy dnsServer homeDnsServer homeWebProxy idmServer;
-        webProxyIf = "${webProxy}-wgProxy";
-        homeProxyIf = "home-wgHome";
-        isProxied = config.node.name != webProxy;
       };
 
       static = rec {
@@ -97,6 +92,53 @@ in
             };
           }) else (_: { _ = { }; });
 
+      genNginx =
+        { serviceAddress
+        , serviceName
+        , serviceDomain
+        , servicePort
+        , protocol ? "http"
+        , maxBody ? (-1)
+        , maxBodyUnit ? ""
+        , noSslVerify ? false
+        , proxyWebsockets ? false
+        , oauth2 ? false
+        , oauth2Groups ? [ ]
+        , extraConfig ? ""
+        , extraConfigLoc ? ""
+        }: {
+          upstreams = {
+            ${serviceName} = {
+              servers = {
+                "${serviceAddress}:${builtins.toString servicePort}" = { };
+              };
+            };
+          };
+          virtualHosts = {
+            "${serviceDomain}" = {
+              useACMEHost = globals.domains.main;
+              forceSSL = true;
+              acmeRoot = null;
+              oauth2 = {
+                enable = lib.mkIf oauth2 true;
+                allowedGroups = lib.mkIf (oauth2Groups != [ ]) oauth2Groups;
+              };
+              locations = {
+                "/" = {
+                  proxyPass = "${protocol}://${serviceName}";
+                  proxyWebsockets = lib.mkIf proxyWebsockets true;
+                  extraConfig = lib.optionalString (maxBody != (-1)) ''
+                    client_max_body_size ${builtins.toString maxBody}${maxBodyUnit};
+                  '' + extraConfigLoc;
+                };
+              };
+              extraConfig = lib.optionalString noSslVerify ''
+                proxy_ssl_verify off;
+              '' + extraConfig;
+            };
+          };
+        };
+
     };
   };
 }
diff --git a/pkgs/config/swarsel-sops/default.nix b/pkgs/config/swarsel-sops/default.nix
new file mode 100644
index 0000000..43a0bc4
--- /dev/null
+++ b/pkgs/config/swarsel-sops/default.nix
@@ -0,0 +1,11 @@
+{ name, sops, homeConfig, writeShellApplication, ... }:
+writeShellApplication {
+  inherit name;
+  runtimeInputs = [ sops ];
+  text = ''
+    sops updatekeys ${homeConfig.homeDirectory}/secrets/repo/*
+    sops updatekeys ${homeConfig.homeDirectory}/secrets/nginx/*
+    sops updatekeys ${homeConfig.homeDirectory}/secrets/work/*
+    sops updatekeys ${homeConfig.homeDirectory}/hosts/*/*/*/secrets/*/secrets.yaml
+  '';
+}
diff --git a/secrets/nginx/acme.json b/secrets/nginx/acme.json
index 372705b..6ec8ba0 100644
--- a/secrets/nginx/acme.json
+++ b/secrets/nginx/acme.json
@@ -10,19 +10,23 @@
 		"age": [
 			{
 				"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWmFOUGZrbkNlQ2ppbnFw\nTVd3RVYrK1RocjU3Z0pPOUNpc05YZ0FKK2hJClAvdkZ0aFRtaE5PRWFNbWdWSjN3\nbWc1WUpuTTVDTlNldTh0ejBGakZvbDgKLS0tIHJaRmwwSEtqQXprcFZ3TlllWmJa\nczN6eE8wWUppc3o1VTRpcjF0VUM1azQKdWhbP34mx6yR6TXUMpP/npA9TjAayjqz\nHC7ztK5/zu4ML7BRCsoLNLDDVtMsmhEVKO8VV9sbMvusSq0WNu0I7g==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHU3ErUkRteVpGV2lFWUg5\nZTlwTWthRkZJRk5sR2pXTzZDdVhOSFY1T3hZCllQalcyR0E3UEN0SjhtbEVsTmM0\nNGxrRm1mUHFYVlpWaEpYYjMvbVlyRTAKLS0tIG5yV2RuMmxFSmFiVnZmaklBRFVY\nV0pDNW00cUdJdzFKNEN2bVQwT2FoVk0Ku1Rk8wsXyxWtgPZFoPpXB32IRRcTXLO5\nz+8H54pCpj+8+5Ew5GQOXW8wd3HXp4iggYuedp828ZjMbFbrZTTQBQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxVUM5eTMrZ3lCeDgxVHlj\naWx4QUZ5c0NGV2xEaXliNHFyVktkTnBYR0d3CnRMcUgyUU1hNzhLcWhaYzJCMndR\nQWJyNEZJV2xNVVBSc2xnbzRqdEx1eXMKLS0tIDJhTGhVYkxJcGZ6N3dHZmV3QlBo\nNzBORDJXb1pRbVNiWHZiVjBKQjNwWDAK1z/XA6gRor2fNX70UooBqHjCFfIIP34j\n+vHx10dtoue5tSPgM3cA8QZzqM6Ht+U282JFMztrlDtiz/j/JofTNg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSHVlbXJyMG1tUGI0SVN2\nQW9CamttbFpySm1XdWRuVTZxcUJaQTV4dmdjCnhVcTVaVHZFUmxiMUVycXc0cmFP\nQ0pTZEJzUjBGaTB4VXd1RExTaDVWdTQKLS0tIDFVK3UxMHVQMkNsQjMwWW43cjht\neVdNbE1iM1h1UDRuLzRIQWJJTXpTTG8K8cn+NWUEHDGUWjqyt5fkNkQffOYLcrYM\nDsxuV9NeRwJ6uoTmeDVF+6R9HhZ4cz6TlklcXclfod6DOhu+rio81Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwU09YQkFuK3JYZnlsOFlw\ndTM0U3U4MVAzMXpBckRWSk1ibVdkME5lT1RjClNIZDJUQXowYzljQ2hJSTdzaGJF\nRjAvekEzbHVtSzAweWtBSjVmTnBHNDgKLS0tIGp4MjRvWnJQNWNvWW1uQmRNbDFk\nZnpXNFhXcDdOQVU1bUdTa05XaFJYd3cKi8/U+tAGtrPL0RMc5HMFrViXW1lQhli7\nBBc98cm3GhzvbJM3y0Dcjy7DWkXTiFXbhplqFjp+spz9LfYP5VuafQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-12-04T19:04:02Z",
 		"mac": "ENC[AES256_GCM,data:nWV/knCo/MeWTBrfq1VlV6SPEQ2i2P+le82S2So0BIxPfz8tqan0MdaIaKLFlapsT9VRJOv8ZCCXSLWeGcbEvfmEz4MP1E4iHcU/4YaO+n895D1JrjeyP1cgGisnXqe01xMXCsDY178sqxHcnDDlXp9foCem+mGjIlKGPYGu5Oo=,iv:qbavbW3MF4fx+E3aybBYaz/T/Hb63ggWml4Oe9WFz+I=,tag:05vBbBGDGRNaXJWoZn1bVw==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-12-22T14:07:12Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//XZNxhn6vCEDo6SAtlIcA5OxNuj3326ITbjjv+XwiTHk/\n28cErtXOF+4bnjIXLwXGbbewWgvrnK0Lx5nBqpidMrhANHVEWDp3iBrW79QPdRl9\ntIcofQUK+6Dwh+XqJK4eorEAeAKlu6l5y3pc19L4j7BiDOxcXBYqTx4ScnZhFFoc\nRVC6ngRjck+2e6bL/+lopntHML41yrXpAHMBlobTbzYP8cnfMKroUZzLoNareVIS\nNlcE7oaCwAvCXYBbQN5qQCIFbLBFB+vD4ArOrL/zNxWVjnEeM4RhBdIjd0bdq1FQ\nLBsO1crEniz4Lgp5N4cWOzuOCz5fHlLJEKtNIIFt8rcocBEdyQf1OmZ2VrY57nN+\nSeCYGN+fPA87UoH+iZcmLNjDvMy+MHNIiGCEuY9jWLzgcDDvtFwtQdl2CpI8a/Ax\nKG9RgMFyjLtPCgNzDkn6LrvHKtnFkcsx22f8PHB4RZIgP43loH//xieOVnA9vo/k\nV3pRHZuZkTp3qmAED3KhbjE7aKP3bjUkJdrTATsal5YyRd76pjPvtXkX6MchgTgh\n6emt6DssvWJy5vhgitM0Ucq1IeeaLwIDTXqP5GShcQrWJ2P5ilzLGp2OKYzOqSBf\n//LfA3EHq4aFaTGuOVxjf/VS1vEeIAMaAo4eo86unIIhcQ6OBVAKzKfrSgzV9iiF\nAgwDC9FRLmchgYQBEACFwFYn12YCzYIwpSfJ7Apo5nEiLYbcD1wXR7bx7MFjJFxc\ncrS6yB/44y6a+OJfTLEVpDTPahKiOFAlmMAb8B05bDd/jqairwJPS+Sw2t/Tb6Ry\nToHi8ucg0+P8b0j+VeXoE0DlnuSMKbKQGvIq9fd8G6FymHppA4TpuKFl0QPUAbX7\nGLQbApk7gRoZK1XTQ/HKjyXdhfRogo8/07oRt6iO3nxC5NkLS/uxk/0ODqiFTGVg\nESkGQK3YQcr8hhhM467S49nzh+AQODgCTm7jSFO8kJwDP6eb5vF63qrIBZNUGc6j\nIoNHzQxqDoaFUd2GZcKg2Zsyizb91qYEMZdHUh51h1XH+jhg8G+L7I+hnBbzIj/o\naZfXALcmYNiI630SsiqA4iSufWy1bONnP0kHPSxVBqilLXpmfzIuNUwrZSQB+ZbR\nkIIA5lRqu1jWIcG/3CGQQMDfjqxus4Wt8bvGfOrbQk2qNs+l3uPb0+OBDNKQfVHD\nenXkTGrKIHt4YqnDc3ziWNAULwvRPviPQZPkJwPCDHdfA2bcQqLJOIYiBF1TdN9o\nv2eMQoTalEXfHOI5ndULjlyy5DaW2ZBKAgtH/WXg/O7ey5Q9e9QcnmwbOezEWx6x\nNNY3eoQs5LYxoWO7cEUv2MiEqY7ZWkrwmwcWzRV/7UmspvPHKULQV/fiNWb1yNJc\nATKv+sla0n0DzD+7BSiFcYC0ZvGAErYAwNIYhlgMEN7okuCscB+tz1d0yLhNt8DK\nZAn0NkIVnTn6esHqhp233ZmCrCmUezccMMINs8xQbqJR8bkns5hTDYLY48s=\n=v2/q\n-----END PGP MESSAGE-----",
+				"created_at": "2026-01-04T22:59:24Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAA0D1lQY8D94Q1cu8g0UihoaImiVUXK944yuayfPO95rlj\nb9De1VOUKsUBE2wGpxwisOa12NG1a52bVVFbVUDBz2vLy4956/EjgP7CZds7OKHj\nbPxIdA75fA8QVHUVkI4AHKFebQU6OsLdOcB5pjqDlkKzmPUihwgtLCI6UfOyx4Se\n7ADHYKj24igh1Xxd2G3HzngYAQ20zn434TK/dr48yeQfNTYODtMJCdfVoYU4/bWD\n4jDdoKA0B/WdvPlJtYar+yvQxQiom2myXeeLXt8yUN5ugJkGNeFYl9JtlpchuyU4\nXvSFAKemAa1DrwFb1zakzOozZqb/i5MRFK8xGCK6CXy5YzwWHlKwW6HbSS95tWvO\nWUqVYdLplRuZ9eif+szrOXm0yQbABeVEGkyo89n3ytsirUTY+gPHpd7jiWID3d+8\nxi3oPDcxaTkfYehaAEn+LBInd47gXTkYTVizxFbdREARRI7qS/6gMXQY6EXnc+FU\npcP+dEFH3fRA7raFW3kL1Bzg1sDomAp8L0EgEaWOdTDR8f4ub3uvBPShQWFgl0t/\n0UwuR/UI//z6FiG66HiDd2ThDzeceRwyZTdFUjDH5CcS0cBBmFhYi9TxvjiJi8D3\n0Ui0h4jA1Y3/5S9Qk8nBfD2sbtzNHMEH3JVotunwTKu7BoZFHZD49SW7dGzJzjyF\nAgwDC9FRLmchgYQBEACQm0ujn9b1TG5gn7P40qv3nrjAJyH7nJXPEYs5TWXFMabm\nKnj2FYPAdynClaA2FVu6puXhbpN2aDWL9qg7iSpvLT1HZcgdudItj3N2sWJIe6Vs\narO25eKSzzJMAwOsOVwJJPCk4LCNPTl+M/o66lru3rSltSHvYJXQmfbw/iesgBVY\npq+4yGy9HxxKx7fCkpaK0cvZ3X8zpyIzkHIjoRcHWzKiW1dirmaYcRahFDOwSGx0\n91RmLpONp67kzrV603jikhsNNppGGUslv91FivK89jpTy1ZwFDw2es59tzdAapxm\nySXf1PTWAdm3VZaEixmQdMYJxrbwN4HrsyDvMmQWM3yiyYbrzGwSISxeYkPEfT8i\nWL+N1tfdM9PhQMKdB1onoyt16e6ga9nkHYDeaVgyNP4yfQedFV3ve0WOjeTqVODu\naSzBVVDTcc7mFd7IoM8cLj82FGBxI807tmBX3rHa41kVDQ7NvL+jVmz2Q4SQ+PHC\nmrifYG+GjvEIWinx4x5b6vmeAWd8nGDmMg7pUm7cVR4ryQHrF8FcIck/qMZTh6Vl\nIbZRuqKkiy+pAlPyS21wx6dqj4EBdxwtyDijrkuIgtbdMiJ/kuSqQAKlkSODVOit\nRTitR8JVHL73usPIgkzdGf16Hc+29HDlON4gaF6CdVwdVQc37oATDT6bzusWD9Jc\nAdYyhlpx1RU+o2PUWf3g4vBthXiybvNkvyUMDL6M58ehaX6UusCGV3h2zcwG8qDC\nBfD7F6+dLMblwf3vOiD3w8Pjn3nDhA7W+r8Ls33fAONg0DrfS/d0aCVCq8U=\n=baij\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],
diff --git a/secrets/repo/certs.yaml b/secrets/repo/certs.yaml
index cec5da9..ea74d3d 100644
--- a/secrets/repo/certs.yaml
+++ b/secrets/repo/certs.yaml
@@ -8,161 +8,170 @@ sops:
         - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdDZiY1BsaHhLYy93L2Ju
-            TkJHRUdTU0VFKy9jd1p2ZmJrU092Z09yMTNvCnpzbXFIZ1VMVk1QVzN6YXFmckQ0
-            U0hFam53Z3V5U2xYNjkwU1UxNmI4ZncKLS0tIGk1MC9EV2hnMFN6aFRtekt0enQy
-            RWxXVmhJU3NVbHdlS1Rsd05sSkZiY1UKaK5bSDPhQlVTryAYr/9mIgmXDzVp2KWF
-            M4FQURHk6kvSIVjHNfRyMX0IVtCFZMSmVpuPUP46J/5kzdN59Jn2Bw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRODlCSHVFV3NESi9XaTFz
+            SDcveEUrNzVVSXBISHVxTTQraXlIbmFtNGlVCkVGZXVOY0gxT3NkeW9kRVZzdEZv
+            S2FPRTRSVDBZam1hK2h3ZXdsb2VCV3cKLS0tIGFPOVh2M3FaaTZ3MWp6Mzd0Qzd2
+            YmM3eWhUbkJVbE83UndPUmhxd2NVcFUKeS38ytvWf/XRwh9TCcO4joL28EE1/Yn9
+            F6aPK5RJ0LJQ+fdbl4y3uQNuJ4bjOL0bkW0RAEOUt2LCtUm6qJqPWA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRElrSnhrM0ZVQ043K1Nk
-            VTNlWDVDNW5veDNPM0RuOWZTZ3IwQ2pBdmpFCktEZFNvUTRrVVRBdFU5alhJSTE0
-            RVlqRkl5MUEzZjhUVWwrWTFWMk8yWG8KLS0tIHJKZXJrNXZiRjNiZEh6VEhHWnZT
-            dlI3RTl2MW43YVdJMVlDaUoxSDV3YTAKBCjLqctIpPeTYsRxhj0/7DzR0q1cGe2d
-            w0B8DmH56XP7vq+nLh6+imWFLsbEOS0lRPHRRBEiimEkYljO5ZkoZg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bC9jT2VEUDhISkRQN2RW
+            ejZNcHE0R083WXpCaXRvTGxLNHhUbi9aWUZrCnNqa3hPaGxWaXM1UXRnVldzait3
+            S0tML2VTelhzM1hrN3JuV1k5TlFPNXMKLS0tIC9Ta3pwdUsrdFllaFIraW41WmlP
+            V1kxSm5LN3lmNU1XSk4yRC9ObkNGSm8K+Z+j2kv+webiouIJDtKlyMxJjmPpapPJ
+            b3LLdnB8/8637zXU4flWcTE/YHA1fMQ5aiF5OmLsZ526a98QJI68yw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3TEREZ0lVR2Q5aEN1S2sv
-            dVhURlhhWTJBdEdhbHlXZGVQa2ZwZkhFd2lnClM1QUJrMW1GU3FuVTFwUkZxR0xD
-            YS9kVFVRdGZKMVVRTk5sNm9nRVV1YkkKLS0tIExyKzlJUHhUdEVhSGJEUUs1YlQz
-            Yk5WMERLb1MyVTRvM3hkVVFNU3ZtajAKqH9sLSNTacfRj4c/FeeOyCITdz9zwgqm
-            e52OOUzI9nmq3zbhzd7b2nWHlJ2d/vmFN0u4oEpLodQPqBy/cvuoLQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaFd5RVFUbXc1U1orLzBu
+            ZzcraVZYR3RIbUQyNmgyT3ZkNHJhQmx0dEFvCkdVbDFzcENMYWRMM2t5ODdkMTNl
+            dEVKdHhuY2hGSWVnU3c2cXlhZmp2bTgKLS0tIEVCMUN5blgvaDlmMDFNQmNqSFpZ
+            NWwvSFBZVUlPUUFobXJQVzZZK1RSOTQKY4E+x3y2t6h+y4oLEWn+zcDnRYBaYjq7
+            KOHxDiutX+vbnpMtff6fTZMm3+aSSHrzZCubT8Ysy82RZ5bBzVyJtQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbmRtN1FXaFYwUTBsbEhr
-            T0tGcVkvdmhjOWZMLzZ3UUpoQ0V6Y2luRlNrCnU0RThMcXlabWQraHB0ZjNldFRW
-            bUtRNGgwNDZhNjF6MzlQM2V5RmVRRnMKLS0tIDB0ZUpPZzJFMndSZXJNQWEzbjZQ
-            YVJxb3NLNEJkNXlzR0Q2MUNhZ0NGeTQKC204L2g3b/ER0RtnTaGtuZSukTawgiC0
-            94UolrcApg2tAUDJR9AqJ0iAAu8KSkcy77mQIs1t1d5lwejwsOBUMQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRnQ3cEhySFBsbUp0VXlM
+            REk4UXc0SXo3akxPZGQrWXc3T25zbFhwNldJCmp4ZzhwZVlEYkFnRmtndGdKSHEz
+            QjJJK29PTi9JYkhtaGxOOGlRZ2IvQWcKLS0tIDhGREJWQjkwVWVsOFlhSlNjLzBr
+            cGZTQkZleGE3Z25yOTZtUUVyOGFjZmcK1ayFsX88StLCiYJi9C6aC/y9NV452oR4
+            Hpg4xrLYxVdFEOzKNzz5W6Z3hU3830n9RismzsF3Qgsug65KraP/dg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbmZRNDYwVjhacnZzTm1J
-            MG5FWVd5TytPNWhDVTR6Z2dxdEYwbEU5VVFNCkVpdmMxTmR2dHBKNnZNTmF4c3hs
-            eUozU2VkKzlKMjhWaDJXQUx3ZXdHV1UKLS0tIEtNb25NU204dFovM2xvMEpDYUJX
-            QWZLNDQvZjZjaDZiN3JLcWswMkhtcnMK0kkTPKMgKNiOOgen2BQANozKY0npxINI
-            ZhKkf/eQsPD5kUbD1gLshfeOS+GOcDJSjrYigneJo11yEhNVF7juDQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4YTVqeExJL2lCUjIvY05E
+            ckZqWWhsQmcvaHRmZ0QvSjBGSkZCRUdHbGs0Ckg3dDcyc21Fc0ZxY0NhYzNhSmRr
+            TDFBR3JJZWhZS1h1VTF6UVFTUjhCc1UKLS0tIE1TUEV0ZExFOHhOOEMxckxuS295
+            M28xRktSOFZaMzFabElNWDB2S2w5ancKuVkMJ6gT5HHezSOa5i4fhT0IJv8EQniP
+            B+o175EyLw8/tIWgKgB/L6RA5Wg7Q7r7P2C4vnSY1JOwa65It9tGAw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VVBQaVluOExJSnBxaWtn
-            N2RXb0UzaFgvTmpXcENKaTkzb05Vb3hMeHpnCjRVSmhTZ01sVy9ZRnZrK1FTa0Ey
-            TnJmYlVaNGFLRmZUcnFXYkswQnQ5emMKLS0tIGNuMlBmYnNzNXczYTljbUY3bUtk
-            TkFMSlZzTjVjMkVUaVcyVXI3cXc0K28KUDg9+qZqrbUk+D8TEG2p5tu6v8HgGfHK
-            MGkbN/+3wmitC2T1HEdA18ULGrmd1SFN6qGIfYOkR6dkhETIs+w/jQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOUk5TkJjWTZ1MzVCK1RY
+            SWM5MmIxZEllZFJJQTk4dmpuakZCWUNyOFhRCkpvMEI3RDdVYkZHbmRzYmRjQ2dZ
+            RkVpN1EzTEJmK2VjeUFqMFFPWW9pUTgKLS0tIDhQeTZQUVM1S1hxdlJZRUN2WjZy
+            WTd4czkyV0JmN2IxNXZSS1VnK2NsRVUKzxoG+YTZKEDzBdRmOJjygD7Po+i/wTiI
+            RM3U+LpsP96i2vAsOKoJjNOrY6iOH8Iwbj0c5Q/OwgIgLcUQtDq4HQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSjhleGt2Y0JTU3ZRWnda
-            US9ScWpPYTk2Qlhjdlh6RS9JR0lzTVc1djMwCm8zZnJ2a1prOW9Vc3h4RjJXNE5G
-            d0IwYSttaC9iVGZaejBmK1J6SXc0aTgKLS0tIGZvbnJTZ29xcDJGbzkraytKb2tY
-            OUIxMHJmbTlhei9nSEpQeUtIWjJLSGsKwLTnTxIqkumhWoVbt7eKTU03upmZYvF1
-            S3a4mS/FZAU/9PgtHeY7LF4a0wwnHBAOxTwKcj8lYPWQzfPNSBFEBQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdFNUL1VWRHFjMFFmcCtp
+            TjlHMGJVeGMwVG5ZK1k2RWZKYkxHTzBSRmk0CjluNVVDVHMyRXp4ejJnVUNoZFZG
+            SXlZa095OXR0VTZtdzR2Z0hiRTFYZlkKLS0tIGRMRFJUbEtsVDJZSm9IcGhFdWxV
+            YTYycmUrK0RqVXIwTUZtZWNMdEdqRDAKhWlwQP+lz5enUF2EgFuLf2BhxcxAoWf7
+            Tqr0AOEXU3zr8k/pfKPNnQRoRbhjJWsW5uFtuTdTBbL1YnCBir7e3g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMmF1VkdhUHIzYW5sdlo0
-            UnpRUjNieVREc09ONWtqQTdWQU82R2g2S1RzClowWVpMZTEwM1czdW0zWmdiMGd3
-            V1djaDBpRFZHU1BZbmRhUDk2RndmaGMKLS0tIG9oQmlKMW5TVE1lQ2ZEMnU1c0pI
-            dlRVNFR5ZDhJcitoaXdmdFBHenM2NEkKHrWek+5xtVdwVaLF7FuhdJJCdZxvg3ib
-            JKIN6/IKg6v8wWbts+oJZmH0+ibv3dPPCNll0U0toYGBkbJVUUiMbw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZ3JkRHFpc2NSZlc0ajRG
+            Z3FaZGdzUGpqTXNCOW5hRU1NV3VJcCsvdkJNCnlmOVBkY1pZZlJ5d3dJbnlvN3ZN
+            MTBwRUJqNnJMOFdBWmdYMEpTTFpDK3cKLS0tIHhEUysrM2l4R28yRCtxL3VCbjV6
+            VUYvYWlOenNlVUt4UkhldFh2SXN4VEkKc5adiK86x+n+glENAMmeyS5WQce46wDj
+            ALy2W8zCDTeHBWJUXWGqovTCwmiHKb66egHMVtI4MKedTFhBuTLnAw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXQ0FYTnBILzF1TENDVFcx
-            Wi9pZUg1eGNiTCtGdUFrRERBVGxxR05jQWkwClBLK0FBd201ZzlRVC9aQUIwUzlz
-            Yy9Sc2dpQ2l3Ty9ST3JrdU54VFN2UlEKLS0tIG5ldXY1R1k0dGlsRXhPYlpLS2Yv
-            dFBoM0RGQXVLdnhxVnJ0V1FpWmFkTUUKCHv8KQYB2QdcTdCB3Wig7YTRKt1ZiqkA
-            MT5A0z0rizax0YZLGJ7QJlWkT/EmX0EsV62cvjzXeUkE2FKpYffiNQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUjNMQTFHL0sxTlUwa0k3
+            aFhNWDIydWJmdFpkcG5EU1hqc0dQK1NTU0JBClBwUFpXbHQ1Z01MSUdxaFkweUg5
+            d0tiT1dvdXYwZHh6dy9Nak13VjR1Y0EKLS0tIHZsQTk3b25FSWdqNTBaRW1xZUJk
+            M09YMXZ3cDdKK2U3djhIZ24xOTBvY1kKbQyzT/jLiGAU4poUBw0nvkwB5N9X94EP
+            bWN8WNqPv8ak4OD2V4zIvLY6zxzT+meHHF1RVOJrTviOT0LVnWDzhw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1VVlxd3RrRDFnN0Q5SGgx
-            OGlDV3lyYmRQTjBsZ1kydlI4UFNVMUNZYmdRCmh0dzdEUmFDWmU0VjZHZHhhN2ZX
-            MW04LzB1ZHc4K1dCbGVBK1NMRDJJbDAKLS0tIDEzclhsWWhIRlUrU1ZjV2Q2dExF
-            cW42NFdBa1JKZTRpb2Z3aVpNVDJaWFkKynL65X4AjGw7PDrFZw+J34KajCl/TfZ7
-            fA1c8fyngnt42FuKVoSHiIrEUCfFEsf37NbV5WQFF61V0bO83EX5qQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYjV0bHRXMjNqTndySUpY
+            T3p6U1BOTmw0NnFjdjVFS2R4TkoyR2srcHkwCjlIQVRETldibWx0cmFZaktrWGRC
+            Njc2d3VFUFJucE1EVVplR1NmOVVqeGMKLS0tIGVzZlI4Qm5KWjRreEd3MWc3bStP
+            TjBvb1ZGNHV3S0hiMU1XdExldjZiTDAKVZWM03cRIkLwxaIgr+YohOxEp8ZFhbsC
+            2dYLP/sLx5ab03rLWWViaJ+ONkvXfHvIYosQodO8dvDLlOJPbtTFCg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1U2d3WXpqbkNQUnhvNmxT
-            NE1hUDFSZXBTOFlQMFYxT0F2VkdzK1MvRmlnCmkvc21GMTJjNmlXNWFxS0JsQzBL
-            MUVoWkdMR1hOd09MZUF4bUpubi9CM00KLS0tIDdCVkxXenIwN3F0YW1COEJxMTFn
-            a3VvbEZUUHNJcEhUMllud2tYQU1RQUkKDG5dUpTAKHdGrnD1U2JWWv2Ue/LShVwt
-            XRgdjTwmXtvf2s9sIetX2rLiJxcLkpRz8z+AjK5c3GWxF6ZVPuuGvA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUVJtdXhkUEZMOWdpN1lk
+            QW1BY0FtYS9WN1JoRElFb2tocWJxM3VYTkRFCjcvWURVNDhZbEpRYVVuZ0I0ZGMz
+            M0Q1ZnVpNHk3OTRYa2pMUEl1b1BiT1kKLS0tIGpmZ2QwZHQwSk00M2ZiQkx5RmdP
+            YUtBVFpJYVJaVS95dFdxMmZkVHI3SUkK4Yo0w6ljg2TGkMqbgWqID1aCnSL1IXML
+            o0QeYRHVJII8ImjPbI5MYif4T9rTZKK/Gdxb+VtbnDif88E1P3NjwA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQThNQVJyR1BVOElNNldl
-            ZmphdkE4ZVpaaHE2N2tPdGpxMFFaVHUzZkg4CmlsSmtRdnVMSDhTK1p3S05Kamhi
-            THRVMUE2d1NDc3FIdUpXQXoxa00xRk0KLS0tIEhhUnBIQnJQUnZKU21vTHk5WFVt
-            cUhkVFRNMHFkdVFMQTdWWUwyVGZxZU0K4Dn0V7ulWdSOnsFSaFTBdfOz6RD0R3Ba
-            MOM2I0afFAcbQI2rzdySbGzy7yJeuA1puBbrHDMOkVCK2soYm3Gerg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZVE3SjRxZk1uMW41WGxY
+            bFAvRzhJR3FrUnFieThWNDZKRDhtSVk0akdJCjdCalJSOTVWQlkxdXlLOXB5bk1z
+            S2xFcjdwL2tRL2w4OTRwUGFKaC9sN1UKLS0tIFFMbXBTSWo3aUo1K29BVFZHNkw1
+            ZzRBK1ppd2I5eXl1SUVZL3RiUGJZMnMKqWu3DW5SHRCWaaTl7/a789m+API/L2wD
+            Jh3x94vhEYBWZPlGazZgox2hzPMcCCMPYFZGAwzTFgtsoTF4h53RXQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOVpRQVJBVWFnaFR6SnBo
-            UXdrTk4yMW95QStMOGFqV0paSHp2Ly9Ga3pNCk1PSnFOWFUramM5OUxLU3BibG1C
-            blJtc3dNTWlBek5POXRMbUZDbG1WelkKLS0tIGZkVEErZ0twTFV6dWhVanUrdlpY
-            VkJDQ2Vmc3FPTEJKbWcrQkRwYnN2TG8KO245mM0A94pLL4/EHi6/eeh4rak02IuR
-            n8rBcJ/U4qOD+1QNW+mHbGiNNSHLtGHuVrM5uKaruRJDmxzNWQjmXA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUVY2d1JkbHYzR1g0MlVl
+            NlJ3V0FLaTM0eWdOQ3gxVG1yY1djTHBuUjBRCjdWWktreWJXNmllQlk3QTBCNW05
+            cjdMQ2pvYW5DbW1zSnA4NFdIQzNVRU0KLS0tIHVkS1kvOVVUaDBKK0JjM01WMjFZ
+            M3U1NWVLdzVDZE94SnBuUUl5eERBZ3MKDqYKfil2536N4HX5bHo1POj0RzWPDhp6
+            +ycatTVYHojVQm3IG+tFpbMBaFD2NG15YbP64Ve45WaRb/Eox/46Kg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkUXdnZ1FLenQ3SjNwN3c1
-            aTREVTBhNEIrN1NWWUJ3SlRrQmppSnVTc1JJCnFydzZoNEdxUVdDUEQ4UkUyUTYv
-            aXAvZmxXT1ZkSmpCWUpWeWJZYXFGcmMKLS0tIDdySzROS3dxSk1id2FKbHZ4UERG
-            ZzZzYjVjVCtMdVpoM0tzY2w4Mm9aSXcKr88HZkBxwuRzDtb/I8D7uopzjglZQsKD
-            oEd1uz/uYhDvy58MIKz9nnTMKyPUOE+uICZbjZ25ZsdkcDdCWNhyig==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOOUVFMTg2T1ZuTjRTNWVj
+            eWh3UWkrdlVmd01kNERLZ3RndFYzZEthMjJVClNmUm1VSEpuUEhtMGY2a0MvZkpz
+            Nzh2SmJ4bDRuQ0RKMnFnWG5KeEF4SkUKLS0tIHExZ2xTTHgzdnRiaG1VLytmNlZh
+            K1VDaXpxdFRZeU5icVlaZkRsaDNNUWcKXQXX6+U9/v3I+Ta+rae+IrDjR57NjEA0
+            ZA9RvGAkTBcbXQ3izPN+qafLmJ3yyDO9HmquuA+gzZ5EKhHPbS1bRQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueWVNUzFwbzJmOFpTbUdr
+            VnJUME85WEpiRktTTHErbllRaW5CdlVackJVClRodkdadjMxRkRIMlRSMWtLZnJa
+            OXdXV1FaV2tlc0VkQkdhTmxlckJCQ00KLS0tIGFYWW1SK2krb2hVeXovL3NHbUo2
+            THBzKzEvU1NxSElDVWl2elBhRWpsRWcKWwxOi8DGF+jruyKGsxYbeaM+Z9gbrTI7
+            jIBzG3LyLskn1Uo8PNn7QZW+pSUZJP7kFqSgBDPzITrGoZMe/uscEA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-11-19T14:09:27Z"
     mac: ENC[AES256_GCM,data:tZ6QzVPivueZiC9Qfb3KNZAv02QatgHRNnlM+Y0iV4BZkYoBjxeDojutizvAMwUarnubUdk5I6m2OZK1mvVDZKXyI6zALX4JMeT2xYQWRHYzHpOygLhhGwTFVhV+0C4jN+eJFF2cNf9lu7NuZI9ylZSOY8I3YKUl+l0l3CkXUl4=,iv:JSGOUq+j9T/NXspn70dfu0J4ISV6vVFZUe/Z1CirrJk=,tag:Hm9N55f9qMc056nSTR1piw==,type:str]
     pgp:
-        - created_at: "2026-01-02T21:17:29Z"
+        - created_at: "2026-01-04T22:59:11Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwDh3VI7VctTAQ//cFd10y5cI5pCudkNrwJjjCvaJmP33pteHYJrzH951JFt
-            FmO5NVPxFkyZIApN2LJ+neqDhfOHWoAqb+2GWeAnKQwqWWD3mAMzTFbZ/GnfNTpJ
-            tdGh/PtTawnjl5olwv/TSDj4DJSH9B/r5KJG+2oKvDNYHQ06K6qVoZTtlI9wA8nR
-            TLZlqlHlLNrYBBKNH8hUcdwCbd9wlBZGY/dhprTUlKb+W7i5LszQJuKdmxUj4njq
-            QVjxMG9AHKn+SU4awAOyEI0uzTdKApem1REaJE/d+quaR7KLCjZIpQ3n4SsbBUfJ
-            yAsBv57JAlxbaG5xuMZ/kjWQaGiufUK0J9IBfEKAyHZM//iFl+CAPNzPrQDPI4wy
-            6HRL2r9EvUwZb6vJYskd8Od57nT4/0+zV8bSzh18JkEc9UKvMn7d4bx7AnKU+rsP
-            cDeIC5JTJjygaiodIdYAYS81FZZGj+t04hrAzkiPZcM/+3JdHNkuxV4jKbD6ljzr
-            xdCaJUXSmGrK4uznLFoIBz4A35UHSwSsa8s3RUL1Knem59cGSMVqfz6nJPQ/0sOT
-            tI+8VI5HCdJ0vlNw669opzgGGiaIKcBKWfrXsxYkww9ekWxbjWaBcFLKm3g7p/mh
-            KzFRmQwcOXG6nQ2ROUnL18Jh1u+iiXvzc17yK/6xuh3lLi+wvfRXMb3/ePG4j86F
-            AgwDC9FRLmchgYQBD/918RvwuPqcGLYgUJLJr/ycnAG5EzoSA7qqBvItgoJfzbah
-            oCnnVRwAyvvvYYyqWrpIxc9X5w8vD5CeLDWEX4slm6AXUbBFK9i+tesmXC6D7du/
-            Sb/DHYH1Fa168nZ/oK2YieVQto6VS0WK37WqT6thybyEpYZu898tE9mY9riKlE+B
-            JHKjGailLl4KeaWbZQgLNP9KKi1wwOC/Ae43SS3XqFWu0zx/l4RHn/KvNNVcYyc5
-            UuuBHhFem12f14xVy2bwjELTkQfImlBFmPmbN2sqOIG8maFzdwUVfVMcAR2Ceq9Z
-            pTOL2q7NCZ/JlwZ25ficJ1Og4Wnk3oTQwZswoN+nApIF7Td1QxmDLnGB8xmrnLpn
-            7A1PCo9IR3MdOatqN2xvotV1WotYTz3lcqpHfsYpscEBuyozxVw++1c2+QpZtmBQ
-            C3MQoqUDXBwvku5BfVG97XFy1QDCCTelUPdNCvIkXoJg9AUugPYRokCcI2bTybFY
-            unL0sirc8+/mgEQTwZgJXDhtvYTpps0pj5PFwdDHRDgrW/CzSkLz05HIKl+NKDmc
-            +aIxFLAQiFBiqgJneb5q3GK7uZq0YVIb86MD5sqSNT2Utz1KMzhL56sTjPEtn73E
-            zfwMX/EpCkpshsfbG1hLZeKPsYZBAo14Jbv/IfWHX0OXp6EVWrLM4FT8sEEwWtJc
-            AeNU3uXSpOW5xlKv6bpNSl0A9C8XYK28FU8JaENq85Q5VZGLf4JP2auFXQ2PWbpo
-            9MmhPhMNk4a5aDh+AqaB7yXCFvqzsGEJu8Xqe3gAN8Jn9ThMvUW+nwm56A0=
-            =arGb
+            hQIMAwDh3VI7VctTAQ/+I9Y9qGLQ7j2pwSMurnzrX9DlK3VKSTIyOHk1kxcDh2iU
+            UKrkVCsRHJkj9pf2yB5t8ehUXRyYtkzxFmszuBkrLIkqgUE6FUcl1ce37dYgDRUX
+            XLhKbZlEcz0FJEqDAMEqjsM5w75z2xU2M/GR6rIULixYqKPxvZG1AOUj9xi4S9Is
+            cZh2Dnjj8U+hmbYlcwx+zulZk+5QpjVu64GkLn27SfA5os/xj9ThKbpVcPdpXhbV
+            DRak2OOHeKsMAJMagmKokC2/BnAq349kz+xWSMEBgxK9bwTSVczqpJ0Nk280FoIO
+            2GrIQdrxXVzoR1m0sXcLtkNRnAd+OcSMsDcs4xM6jqHU1bHtdw3H4pUGB1lC5jtV
+            lBtkAwhA84xx+ut0UyT19S6HQ3VkgT0HousQ92uSjzkDd/AK77ir6pfM0GI5YhoC
+            LVFANFcind1gWMtg67D3WYcpPMi+o9IkSe7QALhqCL+fPSchrf5OZjc0w/Xb7WCT
+            nOTMMt9deC2GANjE1U466IKsrY+f1V9jig8qxC2XFi/HTe8krUhwblGmyga/a8Vv
+            52O+HX3Ub661HpILDNMi9BKNAKNRLeDZMdi2Vv3eqwFs6wZSWTtzt6m025ECZmIv
+            w3jR6XH2ggJBYqS/j2EpuwUUi8Lll5tnQpLNNB5ZWE1bM6Jy5Fg6pox2K1+9oYqF
+            AgwDC9FRLmchgYQBEACTw0JRff2oy+4h+jKZ5xXNbkk7NZypEPI00c7VX4eaeXsV
+            UKU/lfPEtHFl4aZ2N092McUxS0WDV/xCXoLn2kdHsmcGRDuq59Y0+ITsgLszOFnD
+            usYhmvocgvjWldBB6lS5yIqzr4mbg1bxkrR/7PoxHT3XH/WxdJSXikXLuZ4zpHip
+            E9kZNMq3qI1TnXAxciXFHBpGOjWMKxj2s1i9p46zKeCMo+tvyTVgDzyUaQ1V7OVO
+            NfRI2p1/LyzUANAjf1UHtcQncbGDYVM7wis16sCfUGpts09fvThfYEDZ7COL0WNZ
+            RSzmMgG6ClWcpx+B1WtYIM0I6sQvzgWp/QKdCEof2dHC7Adpp5q5TXmxrNhqnmoX
+            kRwuLSiNZTFrpzqrlXDi5ljPiPRx4RsM2Qmj/r7jlWBn+TP/jRQqO05ZuSe4wCa3
+            NZau32eYedMY6j2DwfHzzpXwxvN9Gj2evwqypCrbg2RYYixMZHasAF+nlPwBZtLy
+            B3PUXE8ftvZp/N7845MYwDrnm8EQGAD0647vffZ+J7T1s3dKQTIADWqY5J0kyfRl
+            lh5H5WpQ0O+POW48HUQ6ee7D7Ncu81rbRhCeOhWNgZTLq/DjdLhxCpKqaE+56Uq9
+            B9m3/0YAeo/6kj6Twded8OaltTEpJcMMU1EqLs+SweLw98bUniwgm+ReQJ4oEtJe
+            AXHdXns/mWqzshUUTLXE6QbUyxCAUlSNGZcFnBuAqaKaLlIwYbgh14Nl9XQ8B/Cd
+            GiHUdMjf16XZXG6evAxfoPGaWJEkvqSxPtgymxev7jpuXWRHNHtSOpRs//V8YQ==
+            =dVCc
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted
diff --git a/secrets/repo/common.yaml b/secrets/repo/common.yaml
index 3f054ac..812718e 100644
--- a/secrets/repo/common.yaml
+++ b/secrets/repo/common.yaml
@@ -41,161 +41,170 @@ sops:
         - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcTNvUVVSZ2R1N1FKWWw5
-            dGJHc2swRXN6SmdvZ09zTGhYa1VqWnp3L0VzClZvYmhYTjdnVytBZFI3c2JqdlhI
-            M3NiNVFQTXkzZ09ESkUzamRleU02WFEKLS0tIElxaENIb0V6RElZeVZFZWRIRzlH
-            UE1mM0VEOExFNm9OaUV1NFh4cEc1alUKX6niNF5QxQ9ub+grPkUqeLw+gjBcwV2A
-            Y7zeR9eYAABCkDh789luQd37LXP2QdD90hiaDGMQChVMpmcIjdP34w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMlNmOFRTZWVZQnRLME1O
+            QyswZlBYM0ZpQTh6eFRudE0ySGxQdWQ3aUFBCnFTdDc0K0hwYzU0NVBObmxrMHZX
+            QjJTU1ROK1d4Q2FuZHhiZWd6VExzUlUKLS0tIDhZSkx4ZVJJUmhUTFQyZy8vR21U
+            TnN5T3VXOWRMdkdhL1hoWDJneTF3R2MK2jdfQKotgXcN2m0y6Pm6KosUQXuVZUix
+            D6yHIkz8VZJpMIrFpGUriBcnQGi+vRzva7tVTo8Ch85jTj9SGT76fQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOS3g4dEhVYlBGMXNzcGN6
-            ZldoUVRtY3FsNVNpcXI2cTk4T3RzNUQ2cW5NCmFmUXRXb3REaXZTVk5MemhOaUNk
-            bjYyYThFSm1ZZ2JRcDF4WnFxSndxL0kKLS0tIGJXZEsxRS9LcVRrd01xYzM5QVQx
-            MW9TYkhMRUdXZVVBeVkvRUFQWElhMW8KIhz1sFGRNkhVyLRZjA3IyYInRbNhN/Qq
-            5OWHJj/iS05xunkPNoWfxphRtHRudljgDXpt2UwYgWoTm1cAnoIj5w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBabG0yZVllMzM5bmNkNjF1
+            Q0ZDeUhRWmtsUG1rV2NDeUg1UXZVeGZmTDBNCjdtQkhHVVRJanMvZU1MSmVwTndq
+            VW9FNlNHNExHb3N4SlNyN096RDhBVm8KLS0tIENtbmF1WEY1MWM5V0NET2pka2Iw
+            M1lBK0h4SFZTR3NPaFVnaVA1bW9FRFkKPqlL9CplnTizVDre+eHOrYl9yxWEN5AM
+            O1xYdBymskD8FF4Se3hpoOTJTv5WaaOiIc+0mlfCBJhS/WAwhCfPnQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbkc3aGtMcXRiTm82Nllp
-            aHRJdFVvcXp6ZEorNmVmUmIySzdRWW8ydWlnCm9oYWZhTStJQmNSL21hVFFyOFpL
-            aUFmQk0wbzVwTWRtSEtkQ3RFc3hOUFkKLS0tIHo4YzU0aHhFVmZCTGZWclNpakdn
-            eVVDYUNXUk5BM2M4MFJjVlY5NzJKd0EKt/vaHVeTowmbc8MfQwHqxnbolf0t5Th/
-            wBQHe+MUBg9lCr+TqDi7+TaRYa93V0oiBVQ1uDLweV5olpOi2ttc3g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwODFJZUJMUGhXT1ZvSHJ6
+            R1NOVDlOWi81RDRUeGphSFJoTWtlY2poSjBBClRkbkU0RVlsVEcxWk9ONVFrSHEr
+            a2dlQ0tNYlRReHhuUlRXR1o2M2lVN0UKLS0tIHZleUtBZUE5TUtpYWJLdHg1bVp1
+            WFc3QmJBZ2NLYnptSDBtdkkraHJZR1EKk+V+rF3u2eKIus9io/kqDwPwHcsPrt8P
+            B1sxlqCNfXtIZWelUT1AghBs5SbVjiNrITVqQORj4G0on3EW/jwfMw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDUVQwYXNiVTE3dENRV2N1
-            Z3AwcDk0YkRFZkRjZW9KZHFlYVNaWHljMUNjCnJmN2pzaXV6RFk4NmVFdSthYVcx
-            TVpTclp3NnlBakNaYUQwMmg3VVM1SDQKLS0tIFF2enEwWXAwYVVTeWxNY0kwRWdC
-            bVJuaEdsOERBKyszcHRYUFpUcm5zeDgKISCkCqLSCUwSM7XqrY+JMW9OE9q5sfbB
-            EXVLqqjqBICQ50vtnGywG70qu3WXzpuVy0NK+zA/3sgVpXuU6/Cplw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMk1PSzIyU3UwaGZPYTB3
+            V0hpWWcwR1pwYStIa1NBK3hDa0ljU1ROUVhnCnljOG96azEzdno3SzFiUmtPWUIz
+            ZUpsNE1UWVUxT05DUmxCQW5IenVMNG8KLS0tIFN2elpZdzVBdGFkckJYc1MweThm
+            VVE1akRvMFJwVXNNREtBRk5Db1JFZlUKtDR4O33K0X8ML20OYy4Pc7ZvKTK2WvmG
+            2a0IaaKW26oek74wjPTc2EaumTANE1hyeXrwZ53mC71nNf+G59cx/w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYnQzTm5nMHUrTForWTlq
-            akhabVhFRlVxQmZFS3RId1RBU3FTYVl0NUJNCmRGUlp3QzR2RFVNU2Q4aGlud1BN
-            bWlzWnNUQnJlelVsS3dhWTdyTGgxUWsKLS0tIG9sRE00QVozUzJ5eEJtekRQWmVr
-            YlM2WXdQTFJRMTlZQ2xlTzMzbXFFd0UKZBiT6x4zfpKQctOCUFmBQHzWZ2rFIIKh
-            Lx2oteWtHrGABf+wc45ypz6CBEJjw7moBf7ZCupOOL+jIJpe3UriqA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWEFmK014SzVzeFU0NXZG
+            cEliSmFoUTlRaHRmNEh5NlNEcVVkWC9WUWhFCkE1QkU1VENhbTJQa2ZZL0s4Q3V2
+            Sk5IMGR6L1JCL1c1YUsvQ2N5SWlhVGsKLS0tIE55MWRnOEF6MGo5TTRHaSt1MVJl
+            djZtZVBSNW5YeTdvV1Y4NjA0Z1FObFUKYLnXoDnCOx0jckEU3m4pfw4WBFsc9xBI
+            SBN/9OqOLn/9Fk71PPBmhDAjsB7ZPYOuR8IOSgPbyFgSbKt+Pd1Fsw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcHZqNFJWNGFOUUNkZTlN
-            L0IzcU9qR09BcGQ5ZGxGMmcxaWx4SHZDakdvCnZpc0N4QzNzTU1XWWhZYk10QjVN
-            dHEwMS9xOGRBSlFKQi82eE84aGMwbTgKLS0tIHNjNUFCaFdEM3lmTlhNUDJHQXlM
-            ZVhBQUNoYlMwQ056V1ZCRUdrdG5ESWsKO8a6+mhNR2jzTHuKROp0QbFFLJD0TN/e
-            5zKySP6bHrlcK9fguXWnOqshWuxPdECNmE32L0pm9maL7G2T4FhvzA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpNVluaHFySm9CakRjdldJ
+            bmhuUlUyUU9GNXdvMlhiZXJvalkyOUtRdlhJCnJqRVd6czJOTmNNQXNtWVkra0lh
+            NVFIKy84V3Jqb0VZOW0rSmhaUlorMUkKLS0tIHc4cTU4d2ZDL3NxUUpaYWF6alB5
+            VlpNektLOGVHdDM2clpBVmFCcWxYWVkKmyXJ+VcI1lRAj/7lX7UMd+bTHNmrsdPr
+            giY5iv//IdW+xKe22ELrIyHwLJ7IHUllntg4bIifttlHXKKm0uaiZA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGWDdyVm51cFZ1SjNVQU5L
-            UUFqbEhkV2puWEJxVmJkb1prOGNnZ1pRZG44CkZpOEZ5dUdjN0NYWXZSK1lLMERG
-            M3Rwb3FLa0crQmx1YkFZTnZlVGF6Z2MKLS0tIHpmd2RyZC9ZR2lIQUszZlNQbUJu
-            bVNkMTI3ZXpDY01KamRFb0FmY1B2dWcK1RRtVtIwzgckwxX5YEQWdL+BHUdEAD57
-            9Y/lLGzhGHwRA9lYaN8q+cpMDjhuIDiDqSZV7N16EZcOjZ0MIjZonw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VVVuNndJekROWVhma0s5
+            TVhKRXpzT1BPQXdwWVJ6dm1oVzRJUEFRc2trCk8ybTdYdWg2M0h2QVFJRG11RGli
+            RWNFeDJwdnVjQnRPUlRlY2VlVXdSc3MKLS0tIC9MWXJEMmVqNkxPUHYvdTRWS1NT
+            M1lTSWMzSFBtbThHamdjQXI2ZE94VDQKy0/CUSyBWTCPZ9kt0XYZFBVQ39NqiJ0Y
+            E8QEcRj8EuNrpN5C6DYrhgNrQXdz7HPH2IGN94D/W9moF2ze23nbpQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzaXZTNU4vNTArazNxZnBz
-            ZGNrWXJ6Y0JSaGY1UzhjdzhIdVVsNjlQUERZCm5RV0Ftams3US9WVzA0eHdOTkpX
-            RVYwS3MvUXZNOFFUMG9VKzh3aWk5YjQKLS0tIHZhb2ZSYndLcGJIK0xURTRBR2NQ
-            OVN2ZURGSWxCNkViK3NFSVRqdUo3aWMK4tjIx7paJg7bTgTwjnXjbpHE+Vvf3YbF
-            C9Ekp1Kw0k+THfTgnjwyNWuaLv+8VoLqt2k10H+oALjLHxQKpPSmCw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTY2orREt1VFpkbmszRi9y
+            RkZlMDlSZHZIaSsyMnI3QkEvdXBqbnV6U0ZZCmpNbWRCMVo5dXBwWU5UVmtqMHFF
+            RWtya1RDZXJvR0lhRUE3VndYa1BOWkkKLS0tIFNvN0lrY2ZhNXVZbFRabFdjTTY1
+            OElqUU8wR01ZUEl5c3Y5Rk9XT2dUdTgKS0QFWO4KWxLnXu2Zud4YqQBBfjXjuWHi
+            woder/Vf066n5N05Xd1nUOwkfim0Qyl8vM7JwRrCEPVaIdp0EyhhEQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZmV3WUc3SGR3OU8wb1RX
-            aGVLUnJWdU5BTE1uSy9YSUhVUHIrMEhDVVVrCmhNYW9yd0I4RnBaSlJRRzR0R2NS
-            R2JkSENzQ2N4ZW5Xdmh2cW9iZHVvNW8KLS0tIDA4cTI2YitUMFlVL3ZlVFJlT1du
-            eXh3ZkJyRk1oOUlmM1dwdGUraXZsU1EKCVvFlj0X0Q79116nQ+8Ybsjk1HBE55vh
-            /j5g7ggeLdCcoU7qEevHvBukbGa84xmiwJxa13mumI7Yi4383P8Twg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUkZQRlpBR1R4S0VjcG11
+            QTFNOEhMdzBoUnlEY0xtVjAvYmpCM0F2endrCjBRY29nUHlGNXNuR3dsZTZIZkRy
+            OFk5eE5lUVhPYkxXU1pYdFFDMm0vVmsKLS0tIFdJekdUMUJXSHRiMFcyOHhkUDky
+            S3JZSGI3NXFMNG5pNW9oSytBVlBOS3MK0IB3eMRsqAj089lAjym9KNWtz35SmzXF
+            DuGB21O4oJ2sJWCMyPfuuSu1ukz2v+k+1frsXbpJPfYr7WJ6CbSkaw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZkptNVRuYWZMWmZkdXMz
-            VDR2OEpOM2E2S2tZOTNPaXQ3c0taYVBZVm5rCnNqWnNHNEt2SlphdmhZZ2hGS0JE
-            RXlDQ281cEtjblNZeVBvWkVUaW5lc00KLS0tIGRLKytBRWNvUmlJZ2RzZHZWdFRy
-            K0VWbzdiOTRvbllSb1dIemVLNnZiWjQK9StbdLSPG2h98Dao5ZG3qvhvD6iSg3XK
-            MhgksJ/YfuWo0aaLMZ++1jjGD3O5DE3QbGrBA5R2RcInvUi7jHWBtQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnUlV6dkFUK3BYTmQ0cUI2
+            aEo4a2xTYTYzaDBES2luQTd0WVZEZmtHQXh3CjA4ck1WL0FOcjhkWU9hcG56V1Jz
+            Z1VLakdoMXJ2bzJ5L3A4bmIybEdMbnMKLS0tIDlqZndKNTgxbWdKSGJCVGtRKzEv
+            VFBySENGL3R5bzVaYVlhRjlQdVRGd2sKC81fnlm7UllGjwJsfonPHVdqZeB5se4s
+            66MuY66jHOc28FK2kPhLHs1QiNDv5pHWplOpVXKLJROPJH0cZRVLGg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMjZLa3J2dUlDNnJmcUtq
-            VndpSWxGREhCY21xRlpNb0F6dVhvZXV5YkNNCmJaVFFRdGY4NEdUcTZ4ckhmZldM
-            TmU5TDRwTG5QMGVHN3BwOWZuTFpQWlUKLS0tIEg5TjVjOUpaa1dabTlzM3REMmtz
-            ZUVWRGFsbDNWRTBaVUpnZlZLYW1GT2sKInrMXDj0MLNb4r2hwZEsw9HxpVE/eThv
-            TYyiPbaNkzr0EqDcOQQ/3MEw0Q2XPaMDdCG18u7kYlGGwdYNcWRgmw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZE8va1ZkbW1pOXdVQTZQ
+            TDd0Q3J2bFpzc3VSdXJXWkkrdUMySThCZzM0CjdPRVR2UVBFS3lueW5hak80cGl0
+            akI1STlRazF6WFpvcm5wWXJvL29lT2sKLS0tIDhJalRSbjlHbFBzY1NJZHg4aEVh
+            RGxTVCtaMmx1MmwrdEU3SzRoN2lDdTgKj2wuv4Jre8S8OWQ2J36cBRr7OCNNCDes
+            3ZSKTg9erIPOQDs1AJruw776y1aIbSk3QsVxjUuIyUSE8FZiGX4QLQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UVBvdXMzRVRuc0N4NktF
-            MzdnVExNWDNGanc3cGc0NkNoajJROFR2MUM0ClIvQnk1RmJCWXJZcjk4aHRYUTkv
-            cUN4NHJaSWxHckw0NTV4WWxKWHZHelEKLS0tIEs1em8xamQ4YnVpTzRZMDg0UkIz
-            b2N2RDRYemVDSzZESVhUOVR6MUEydG8KVLj9kVMaZeKDIQiVQF9lu80wA0m8CuMD
-            IBCwg5sHoz7fAK8vHpUPKh2XooD2BL9q0pPZCc3sCUjQvLgW1ZK1YQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOckpaV1gvNFBDNk9YaGlL
+            Tmt5bUNGK3A1dm9iZmdOK3gvOFhJOXRPU2xRCkRHV25QNWxndEpUdyt0NDdqcmVx
+            YWdSd05xS3llNXlodVRHK2VMQjRIRGcKLS0tIG5aSWQyZGdNNE9zVGhhUGd2QkZp
+            RWZMUlJIYVRKcTN4c3VlbWQyWUZzWWMK/5JvgRQo6LEmOMiY3b7mVaZVXX0zAG62
+            DgCxZmnHfTSUlutNPugKRXOrTHxt2VaU74boorPlGBZizFfjJRBZNg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YWtZNlJBMUVna2tmODdo
-            TC82U0ZtMFV5L3Q4NktxZ1N5cklyR0ZUZ1R3ClNzSEhEVmg5WEpROTZIQzQ1dm92
-            UGpxcHNzUytVYUM5dFJDcVVzVzNuWU0KLS0tIGtYaVNBTHNYNVZQTnZUN3BZSEh5
-            eFQvUWx2Y3JPa2VCem55TkR3M3U2M00K5TSdJyIS1yCV8GIYZgWlSC/y2r5+hquL
-            RLougeJFaSXiZ9AOzsnC9jGzzBVvlsf5RNH+fYsK9oHuTH3Kv/s8Jg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTk56dlBBazVHRTM0enVD
+            QnFIYUNGK1Q5T0xiNUwwNm8xSk5MNWdMcmc0ClpVUkhzM1o4d0FRR3RiV3JXUmR4
+            OWlDcldKZEpidm45NUNONVhVT3phN1EKLS0tIHVxcFh6RmlrY0xQSHMvSEVMalJy
+            M0k3eElRRGxaY3hFTjV6STEra0hFc28K7HWQo129OjU0id7l1e3cNRcJa/ZR7ao2
+            a7oEzW/4I7C4eymhsSSAYLRsEzRoJArgQanP1IcqvyI1oR9jn+Xwxw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWWRpTkFsWVZGbkY4dmli
-            VzRQaWt0UFM0L1BkV3dTSjMxbm4xMFhCT3hVCjNXbllqNDl4cXhZaDJVd1gxQ2No
-            d2tLL2VSY3N1T3E2WldHdDlwNXBycE0KLS0tIGd0YzUrZzF5cjlxVDBwWCtiZHNp
-            RVFnZWs5T1pxN3VHRWdnbjR4UFFIcGsKUnEeBhX9K2tUNd48XOvpb0n2OoeUPyq2
-            N+LBxwPYoSxoiZAW0vDg4mNcJwALYDXA5ew0fSZj1nP2LvaROV84Jw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByU3ZtR3NFSng5MWorNVVT
+            NU9xMlhyMWRuRTVtdFBpUjNXeEt2Wnp6alFjClIwdytPb2s3UXNGT3QvOTlQUWx2
+            eDZXbkY2cnFKbVhZekJKclBOQ3E5VXMKLS0tIGRhMWV5S3V3dFpjMDF1c2diMVlH
+            ZGFEaHlnT2Z6ZVg2dVlURXcxa1hFRDAKYaKXKJUfif1UTrDGGGGrnMrX5PgbPC8p
+            tY2QYvbCIUPg2Ihq7frxwu7mN1kDgHRZhIjNkmxGuwDizbF+p4dYNQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXY0FtT08vYWJYM3NXWjBY
+            UGtyeXU4SG5YTE1vZzJLUlRUTzVWSHhaa0FvClEwR2tTTi83TVllQ1FCUDVmbkt5
+            MmxZMk1COHhUdHYvT2g4S0svaU5pRUUKLS0tIFBZN2ZPVzlKK3dmbllDdTQrUUI2
+            NHBHK2NZaVQxcit1SkYvTmZiTEpqZkkKBza+5xkk+RZP0Ki7x4L0I1zW/8/8tSdo
+            BXrsxtgL28sIyqmh9q74e5W315cWOd/3aoRmgiJMVIx3gM2mCdBs/Q==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-12-23T01:11:36Z"
     mac: ENC[AES256_GCM,data:e0WoFBQSR5q3GOQ+GMJGBd4lNBAMqlnVjtUq3snxrdvcytb9YvKnoYQH+GjbdGIiqrND8pOVnZt34AjkR8YfpWe+VrkP3Vj/3l+1GjF1XIHbzBNKOQHdYPSVsH2NZwftcAdphbStf3GTlb+b+cpTn4a9Y4pTNGVoOaOA1tBr8bM=,iv:sPXktitTNMkBhHr6E/QRZCVKrgyED9/o9hiivbObACI=,tag:tTNr4UEf92UrtI0Jvi5o3g==,type:str]
     pgp:
-        - created_at: "2026-01-02T21:17:35Z"
+        - created_at: "2026-01-04T22:59:13Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwDh3VI7VctTARAAzjG3sJ25PaNOD6VowSNYaaK4DCY6PU2LGCCpJWzDXnwo
-            irJZUtGOiqeZeu/8BdWmQSwBiI9k/JuCt131rwXCrtj0+Yj0MRKTK/xc8NoDnW5t
-            R0CpQnWJ8yc1RRAMhx9l26HXH44786rhVt5/4ZCvq2mje6Ha0yK0vmjO6P+WR8kA
-            AUCuVUtQCtN5UP0yecdRHl6MvZe1qPd8tv3kLittJ2c48LD02CL3g0ZeATtCgiGN
-            5h9cBfDQnFcBh5EuMxn3AoGQjIJollCS5fRNNi1VUTp4uyAqYnyRjnORNI6vRk2k
-            hju5W5ThidbYQlJlwO6hZM7e/sW/XM8RWi6x4TO1VN8MuXavKnIbzlOKmJZlLbb/
-            yp0ueIzKuJpEz0nQZh0DFCD/D8yoTAfgtXgzzZKuUgErhkCQEXe/xKPDFvSKkWqA
-            AnVl6RwyTl5110Ea3535K3vycYR0EAxapEqzEZ0Ez/o28wR/1hgMrTWE9f++6HwT
-            wZ7EiPTs45yzZYJ0ONE4s9u9HNIvUY4UX3ncIhvTIWMyASfS2dbDu5fqxg5e+Szk
-            9QcDL0bzLnGCmR4w6fKUl2mkupTMsi6sfRFMzGlabK6FizUnpwNQHd2LAxL7rNF6
-            JiD6LxVQfY/TfKqQdKa93Ctf2k/tkdW2aw8JKZh02V9PqXUax0N4uR/TxOjKa/GF
-            AgwDC9FRLmchgYQBEADJTfHgtKmwdG4s+Mbml+VD3f0tDJnbOXBfISFp4+s/6Wf+
-            kILyeL7V4yllzJWqUZ97IH4BScUBSbvcg45IvuzgfTrBTx6ZSa3OQYo+2KS76Wsv
-            uQkItpGdsVSrLYDseH4cOWev9D5zscU+pEdT6VKXP47UHbJPdxQ2IU0oncrMatgm
-            rBh+PfB+XeJRX9mKzsL9qVWuc5k9SVcsXLKSCM2IJszfRy/vsSJcAphReHxXHSuO
-            XYGVkSYLGgzA1by0wjZ4Gi3y8MVaUEm8rXYVnbaVRnx5bntEfj1pTjmqStH0EE07
-            vkOooLLDFaP6o4c58jvRTwXBWKlBbgWqoSBgm08OPKQpFFpM+14GrLqGv5ECti6W
-            299pjfyWU99ILNG6RdQiS5MLA01z4wWYXRlxyNVXOHlspVaacX8cE3/uGOslURwH
-            ZbDgmpyAr3Ss5nj7s8plnxpYIRdXNCgPJ8qZtEVSuQkHbkHMKUJ8gycQNRcB8wZI
-            H4EtOkeG6mLt7WJlWa4T2VF1AEfQXZoewkaWCK7JekY+DPyyK+b3JT6qArAMvGMl
-            apVaDegSptYYUteO67yHwP83GNAGwDY+o1/ECZhG4ucGkXYpS6MCBkyCeV++gy3B
-            qotF5Hr5xSOK8jzFm7k4UUiBiQmv8IDh6UUOOXAzejxn61ZYPdA+aEIBiSoueNJe
-            AffTd0ldG9HGm016X1uYrN63xNCRA6kVUWP+2c86CTGX2GKHb4YgtULBrVRW8hUR
-            KoofPhcaEVIUvrnMrPDIrp25Uh4DRakUMQUwsOjfliLmm03/07IJziTMWTZkYQ==
-            =qR6M
+            hQIMAwDh3VI7VctTARAAiIJhabJhfH8+fwpni4PPFhAPGvSeG7q6SBmIJ84WueYk
+            taLXEHLJ11fXflfPrZY8iPkT5ilYwPcs/4jPTtn0eNerPVPAUrVcTT2b7agPNR4r
+            rvnIwtMhB5+mAYtHOVyXnWPfVt+l2pMoTV4PDzumgoIW85eARU8hT8VeN3yZaX2n
+            ipsmFKtGHPBWii/ev39RjVcqa+Bl+CLFF1g9j0jPCZhh9B00V3vaVqVRZ9OV9RQf
+            cGZfYLUS0ZMiM2i9SPPIAuFwt25SHob2n1hxKdYNUGJV2+TCBHfkjMfD6iQ6SzZZ
+            A8DK6VLVgXMbqM+6/o1UzW4DSe7aMVWRUB01ISjvkzEuKkjnwkLb2gJxiILKFFD7
+            g0KPZxrfF0Iz4gFmCh7lRjLggAaivzPn2EJBerVPAk5xikv/8xt/QfmrzsZ9Bnc5
+            YJMIUJWs/U+uKDvEsqWGMK5vGKUz8vmwWz9h0/sWwAGAoPxnHKZ9aj/LvIwcTVRs
+            E4TULZZ66PXprwupqtLaMMTTnW8x0CzsTatJfTbUid9ecQyeWSSCKQod8xK+dOwT
+            EwC+ysJTS//Tfmw1t9q7yG3lRFRsmIbD4tggTyP7LNqw9tKIrAA7XERBe4hX4wE2
+            HOiEBHlVfhKgWdgGfyVy+SdwSb3fBEhXFyxl0QnFWUVdZ2jvPLUWKO7zfYU/rdqF
+            AgwDC9FRLmchgYQBD/4gn7stoW0VDtqzpyxdo97BwGWSUaZxcAsDGtkZBdalW8WB
+            nsyTaGoxqeXC9gEJFdy8vnhn4B0yvC/UIQHUTaZPxPqeVm/OQuGcPISbJnXqEScE
+            pzps09nIfy8tidSSWCa+VerJkprhp9lU56QIZ+YmQVXzqtQF+oNsQQypaKT+bIdZ
+            d55kKGVM8EqtY5qidMBNH80eXvNvY1vONgMX35kdIfHuS2xlOd+O/nmUaeADcBSJ
+            x9583Ot8jRWiCtB0Ap5za1lwJtEJup1OtsqRGX9nbvxckZtPmTMF6KRlqIN6VVCM
+            Miq3UZG0x5FNkoUaHyXoVu5vwAnRyDAo2zZhqscrmPjen8tpzx2n6tKOQkk3pCuQ
+            ofWoGGg3SLs29MWrgkzKtsn21pIZZ90R9wFelCwqCehnFdZW3ElVoVQ7J9lnx+NX
+            ULWP+DfSMD5OP4MUIwRCzBdqAZaFgTxPafSQ2ZPXpzDzJhqqEFJBiJBM4fWG0RgN
+            1F3fB5KEhsF3nWn+J6ngCULanXBpD5tcHdRC1dsBeBpHRxCfPjZftEFs2JrJu73W
+            CXTAyNglUWN2jvRgnLYMPhafSK4JG3uA11nZY6675ifxzOqsebyP1JmG4bOquma4
+            ql+RmYgVvFq3xpYfaI4EsH5cAjOyYtvRBnBAzNVW4tj/Ytn5W1mvOPks+3W8dtJe
+            Ae5ElyCqI+AhRQ2+4ZvqhgfKIDFHPLSppFx3rjRQTN1NglCAl/AuiSwUA6lJ4G6Z
+            0/T4wrvC8fj9HmiuVsY8ALJl3RMpZ46v32uwyZdjRH69L+b6NxRXrw+uO3Ht2A==
+            =zr7F
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted
diff --git a/secrets/repo/globals.nix.enc b/secrets/repo/globals.nix.enc
index c95426f..e4cccf5 100644
--- a/secrets/repo/globals.nix.enc
+++ b/secrets/repo/globals.nix.enc
@@ -1,70 +1,74 @@
 {
-	"data": "ENC[AES256_GCM,data:yTsfmoC5bA/1/ghO1kHdF6m7Nw+LfkDzh65qTMOmMmVY+37l1ylE/1VOLH3fDecLQLIjqSykRP8UduNuLF4hieMtOCW/Y/oXKTNN2Ic84w63bGkKuo4oN3MW78uwRLf/EYVW7pIaTqrRJ3dBYDtG95ICfZsgbQQ1mzawATtyJTEHLyg3mtWSKOL1INDKWYgmZpYpfQZr5gttbVyHvF1RHRIGTLEaISnxK6pl673SEXPStA/Gk4Wif0i9RCUiIMVTkIlR/B5gUfJ3O5xMhQ1mQXZ66S0962V+UaUx3RHzhIeY6aII+FYYgLdp6RT32DVdL9g5PrGZOJ72KZr/H89KSX0MKsgiTkf4wi1m1LsfixABgasNMDc8ywrlKrfmjdT88GflsntxY+e2kOWxjn+3XgjSrjilnmEr3qWvC6rFpYhLDGT46j406l2e/cIUge5yj3SbBvf+tuNAmFvj3Kn9WxYjIORIU6MfbIn/51wICjMedIjIPUV2u0QPjezaBNoUOTp27aakHNCi7MeCHS+tHtbhXZJQjdRsX+okdGOKyzcW9ihu7RlKWOGfuSjdJQNGKZx5B5uvXrhnShkIa8YjpmOtBICr7r2EMn4uFMyLwuTSGdt3KP9UzGJbbtdAH3QztAS+XEnBRuPYdthtLcsD0fE6b/LctWO+6LuuSB4c/c41MEzWDRiPe/MpFueKLP/9Qk7gasA5YKFQspLpzmLQS8Az/PYRwCexyuwsctr5ZulzUhMF76F9jzHZJA80e8Nyk9DHtsu30SnPsu5FQi9uB7NgryZlCul4cY8lJVoP+9sViuJtqo4S1qX++pISdkVLDbd02DMDs6dqwqLLo+mQHi9anbcADZwAWXSJc2ax+NvnO3z70f2mmVePygePWp3nSTsDKDijBS3s8Rv3K6C4BHUgLR2Uv3xBk7CCUKjnu/KCEFPoQTf1YRhgVv6h8tARewCO4fuJ8bOhJC6MMDShFEftew9tFB4OKC87G4ZqbJL8axyPwjs1zrBZSOfYAhjJy0EPgBLkioJHQFOjued8DlPaE5MksdTe+XsylRwoYboKhE3+RcZU/txnfgvxCn4s0cxPElAn/PfOJ9AUfLPtFTewSRarFrNwVxbPc40lYknOdGW8q/OA5hFVLYBlBF8M5BgDg+PgIG0zCrGBUS9zenFmOOC8Kw14rqMFuBGihfLdbFJuTM8FcNfTaAFrf3mHsJtLCN3c2F+IVMGuGwgQN+/azvvmQL9+rZjy5BNdEymd3NpQkkzY+DnMZ86RMXYaep0KbFjY6JaHL2/YNaEnUgyGptNAp1FRrub1PAOhs+ajhf3nimYOAAPjww9t6vSMg4xWZZU2nXENw08uOaKnlSqsUadG5X0oKp2vvyuBmnfcaDP6hRVaGIzwFDIp17PfAWsReV5VHo+GEJgs5ze05H2AtPkBSrjGh6f+tFwB/8QKuOno7zB6AW8Qd2sH0rGLEeoM4rpaDzT6Hv8ym/kT2u9lNVboA5Sq+it7AR1YuWCDY82ydZLBhuxmRmAS92k7tIZCoOrEP1Bzs0XmTvLSiz5hN8CLPHEAarOrOWXBND91iPBqGa4qSRugdU7NdoY8+7/OSYijY9Q7fBddlK9DoSu9E99PFRYezNXWGnxHmDZmTgWy+3yuWag4l1pj68iBVgwNCeJx2ZdTgHhiZvpHcv+5+OiBWe97NSOOadHk3WupDVA3TOK4eXS8bjMH8mRJbGu6lCl8SR7cl+Fiqdgp9uWUR9rOB2Ckbnw1/NfMpJICboQSmkPi/pwEAftSzMsFX7PDVMkzHUcJKUDZD23y5X7Ylmzhs/mqe4C7TuDMiWHMZfFjw5GsiF9nv27DNw5QnzClQmrpeG2vXmcqaBEW7ZXJ7KsERXnQilHGVHu4ZgtvWL+ZpgIqG6BvMpIxq9VC8IYxGkN6pAxtOhfCibBVXJwA4QzYNtJhV7HtW9xN0LWrBClKNai42ccBacQBcI9LKS65y468gYEgzCNpJCusngt2fFDpMgRCLDv8KRqKuHvnffua3bYPPOAgDVddEQ70ZCh8NUndbxaSWxu9+kbKyhWPefwMPCGm+M/jx/hg3aOWwlmCCnAKrZpkPGqFZgGyvqHdFPWEctVsb/IscriI6uafPeam1Q69RIbZhK+4mohx75HgdDsWi/0cy4l7/D7ZIHeqrKdIsPHA09XcNzpa2UAvomwit4SVOpO5L/yqVztkQZTsek+umFWd6cOLIQSp8uykUsuHjJmNNtxLJ4X2XhknMYXvnBDBl8IjltgMpIXqWML8XAI0xXDc7DkCsBFSXWBUa5BC9lN3GKOQLrOz1WGbDhF4cIAcTfv3VzZMareSQK0cyGOboWsSEmloW1ID5Ll5ex+4+iCcYHlgzz0TGJnD6kpAsphaonoQXpawdJuO07Hhvk51lA1ZRJ0d/2A8d/wbpeu5rN/HAQmcPeb/vigcFoJqIOuq5Qm670zM/ZwuGywVRbfq7Dot2g4UnLTgog9j1W3spx7HWdStjpYmGLLGaHAebn6TPXDGjZVOny1EPHoWPpjAIjijmi17ppTGpts7qcKCVj8TBZ05wcG9dktZVKozLvPQSvjbi8jd33vR8hmeNqn6zjU7HT+l9AHem+J1vXgfSeUU4ZGd+2YBhz6pKCLg4gPzOVQtnvkx/Dcu9T9RMhfsGuGwfwcjIcuuA24H6NwW/7WkG8b2tWdGiLtGGxbFTymFMtRDDuQVJOP7rGq7H9FeRNv2NOCIzrCICW+o0fXtmivvMn4Nb467w0emPnMoXhoiglfQODND0S+bPQTNB049UJlpZI566/8kM5oFe1Gq+ZQ01gOwpI4G0g6GblCrI3dNwk4txPI4cdhHDm/OIS6GQ5MqzGu8fM1TqYGGhcfpVkxAnFBU2PUquhRBYCgxv1UYLHrNFg/l1LDr6tC0uPj5LY9FNQzSPgIn+cKBkIa5ck3mRtW8aXO8axTpsWMl7zG8zztUPgicedWfakbcq45iZS/7B1srj7hMbeyLROCtQ4b13rMfukkh1x5CrphY16UbXOOVj0iA1UUNVzxBzHhfyOa1qF25Bm+jmNBX4JQ/MIh9+Lm59Y02/sF9+MefG47KWV1ry1+tOD/ykNWKvay0/6PLHlnDn6K1zpVVe/ZxHYIfgSPBiEQ2+qFupzbBmfNs6n63DgYQdz85xcdNr1K9JcgMKGXZGICKapwPlVrFjH0pj4lqbTUZSAVJLtmPW2YDRWM44d/GxcvIQk1owwd9NTH+wxrWZYCtWIsvCpfNqMKnatY8ABgAExIjhjCNKx2+zGGmuJoMrFA5sV8fOkunsfyWrijQm5IrGPY4MJyAVqdF2wXkEMCJZIVDEYq2WBzb+3g82Mjfm334LqKaHwPKY6XSXbMDcBkk/67yS3OnzpYzapPXv9ug4klekuGPAedAeHhqDeyIHUOeUyUZBMsz3ixDfxxkrEjlmvkWRHK535GdGKp4dSF7QInWql4pVXhJpEv2bcQmOrDKV3y1a4uYLGsQ6vVMPPpGzEcJsYMAA6Hs91Pl0w8gwxk7G0qLJTYlpbeeUgsvEbuCowckxQEX5L3ikSQb9e1ih7Q70lnQwSZbF+O6NdfVnm7V8fA/sBFsuM1dJWWfP2+1LBnfpd0AETU5ePtr6H6sLQx/1iZ4YCVzWaI04u6WIHaoKuSSLGEyVpN9+oz68HhewH9wA0uCnbQsClkWaRbMVMtrR/vbajzFIuVjd+X0hbQYtRH7gyyaJi7HwwxDXfpfEQ9B8j8wQiom1Ithk6tJ9VDLdbQaZOLfrQYNOIT+Eq0lnisMf5L1YszD8shhmOWechUMXwAfKbWt9dMAtKnTpYzaysDh1c/hz2zBY2Vb0ulgipVrzOMTEWfphTWjYjqF0zc8lF+liZ5athIwcNh1COCghUpOf6I5sXHu+C5qYPwQhClf7gPl1LpgKHiCYLU5PwU+Q4AiSEuA+Xy2H+XjQNC5kN6kboDU1kUBn2oepxOADdrCxzlvXsJ31C13uo40EjELCIs4FB4rTO3pIcp6NR2Y1zh3KZq9TiKBw+YRVOaRb1I3CCpS4X1tsk6SLII2ay0cjLohEZC7b2Pv8o1k4rKPvkFEpaleBeItB+OxFzDXkxOstTdJSOoGODR5Y2muMj95rNw1FjRPsRNOoWUfiB7BiLaYEaHq73eSKQicwdu8ZRoOGna2qJ66ok+2J3RsSYihZ+MOnXqTVDBSPJxl6fClnrfkeQM3XbSK9R86gX3ziA+SN0Wz40XmE94e6yWvAOTJhG0UrI3u6OG5rpZvKzX/QMyni2TxP2vNLnfY2m9lx65eq0NIpPB/PPGNhod+46EwqDhR4QQBtFzwVBg96OtppOou19U3ZkBoFjP3BionGo+DgMWpEkdtnF8Pm+Y7kFpQjJFolC/sSMGBZGOLdz8GkDbhFydAiUeN3E6FWMRd7CtwXJfMNlNHhLMiYUAVhaXhxYrkTdiZiTivgv+A0t+fFzP833NPaDER3se/SP6Flwaq476IimYHRpgzFECB+ldmsDcWoUmM6j86oOnlZPTf2MC8k8gsE+CV4Us2sOAGdglWMrkmv7eJ5Pd7pzMSt8oLkQg+PLNkwNAtWSQPQoeXejJ1Edqb2sXPMk7sSzcJnpZLz++37zb5b7TulkzWpItbPGpzna+tPQozefOgx4RchcdQOAx90eInnxWv5rp1pYKtLlo70seyPOI9bfF8v4inY0f4ZndI2l1buOp/+tKBb+S1eelqE3X/qkH+WfxYd5UOUvqddz/tQAndvLNWR7lCt2mevewWpO78YTopMIHadBimrek1oHSjhATuLneICUeeha5PE67dlMZSf4UEzS+f56kbbGfI68SfIZI54UXEc4X6eS2NKf2H184jWG7oDUMTYm+n/ACb/hPowKPQayHUEg35ZLnAfUEsv8ItZd623MafLy/qbT/jCTezEhfEgNY4XwtuYN2hnQIQ6oieolbAm5oEqavzE0nNFm8O7sWkFYISqa7c3lW6A+kSrJn9WKGA0pTkDGQr9KDJQaLlmbQbYJO3s5Hxuow958KVBlEzeRqheKG9XojEXUm7gjKjjgmay7AgY0o3gxGchDngfWUpk/mTY80q6jTOLmsEnFVQah4ejBJyHFuZBsg70tqm78LsTbyHPYYei+WUzIxySmf6BNFaYvM+hLEl5tExB5/OEVwo+9VYuHnPs9r3v5rfQ2VptoBq+MHkBHfrDTYzfmiANaeLSF3J4m90NbLC8EYKfIGgzqPAHlfUE7LMfX/0Tg48Y7iEgY258sGj4BuOI7VJ7wOU/1vPkkmHsnkpMZX0Zwrqo/RGAGJH4E998bBdj5Tfzg2DvlWGSeb1jDkieMxamCRMf53XAq4dmx4ZHg6EwnpBiPlXxTL0Qqa2+At0XPvFLS7uvufZDdz8U6KmxTpA0yHpWpAlnd1zCMmt4mVc4+q9kgkkGkTY5ZJ07ObkCIp4qUKZx4UkLMMtnuKvmKS04bspapcPeUzsaI4364U4epjMh4BkhXo+K8vo022DFnBxhzjah8M7X1+fUxRTicgPtgOrPRjbMr1gPeb8p+To0B0THkTWzvkveuo8bNTcRzMaNkSJYuMx3AW0gt2SoxAEU47HxesoqgE4xplYEZLtVl3s6eeaQ+WPIkAT9Ir1EL3UJ1W3rerado8l+qusJhNIruea3I3fynMZEi19N4+dGxsnNlzg4t/g30rTtSMA5tRtoKhgPrsFhVZAqoKnONANtdtpcjwO+oJIi7M6NndmqGn0aRWE/TRxp9rXBypRhbivprgSfUyuR9FKILSppciKs9C2pkp34f5RuEiB+LngcOMAttHeVGYp5I5xh4FtGDRv64bigZVU16vo7Wahax3Fua2iCrPFPctkh9V18q8NAo6158rjSoojGTAJXW/rcnnNzdMDocgxJ7x0QQzQIXKFR461k2ooTaQDlS6uciV+o5K5SI8D7Obd4imXq4JDosNHv/CNAwHf/pj2ynljTubp6LQm7osI5PLbo7iIo2oQfENPC/EEcj0zIQ5tF5xJy4d2LlMk0QQe6aue/4N6kCS/dlo+l8vjdjdL2jkjDgetBCBuqfitGC+Kjz/QTG0bzbPU7Tz0/yOqPqygovczUD216B7qUcnrRPh+B+OitMVKgDjoXO0DGXjKNdsTUI8NkkxIR+xZT9x7A9khTVmFVMG40FmK1Sl2eYvb3c4yUU0iLAOAsvsOu8cFr3tecNHBt8ZxJqoTT4u0y1cN1CGEUEbW1XWBlR0GS2XIBcZRCurEUluYbHc2ZYXvY7eRC4Ry4ERFvZepUlRWfqWa+2almIby5h82PMHXztTwTIhy997HvLm/6RbU2Kr0UGfAbKiiIOyGepfL+ZI86g2Ufei9WBW5WjibrNwomWbHplzxGH0m60vqoWeq3gWa+GilkC37PB802dxuBAzijdl6G61pSE8cirO8zKH0RH+NW1mWjg0c90mT0CMBnS5xBBhbYhOLRccYDhhsgaVENqjSQ6E91Ot5ndcJKlhHTZ/oQtj+eWxndYzJ3oZ83zAu0I8RJbgN+EEH3Uk9TA85nBpTTphLN4vCUw==,iv:O0b7UxLyCOGRu8N3dXjDtHuD/O6vHO3FWnsFT6LyjFU=,tag:qysiXpaiHGvhtjYwS8gjQA==,type:str]",
+	"data": "ENC[AES256_GCM,data:m/njjdI2zEGEb2/ZtADlKTURPj19qxWsTtYaehwUbbLEnnpuG3SNRYvqM11BIOeOVSmFW0lE+pKwB0iEO0zLx879/G5Bh+wa46eYUxe5qmqlbAwMkfEYha9bcHb3E8feAA7y+oHRY5VfILhPTTjFw0e7cYqoDo8Q3BT5e2pQ8cPoTDjCHeVp7HTUNfob56kqWrS/ZXlw8ja6FhnETEOYc/l4DdJ4mWb0qyPb143pKIASdYpM1WLXz7538wSQUlxR3ofTVxvosXvYlA/w2ee/GjyvWahHJlG/bF+10Bzw4h1dB3wnM2+rUkvb5UMGkLdIvHzX2QHbt/CXzIn+7eSaFiVBP6uz9rbtmpHen1zVzEXL+QnHHpfFeyxg+E5QPeq3kSvmQIgGcSO7k7pbQgLvPBQEor9RaGFYQTAFIDQ/dho+0kVhBcx3gAKiFOVFx6OLkSw6/LHJ0vSXYMh9+eSQJQbUz6P8LXhpUdPuH+vletwb+MNkAUVKRrihhpQhS3hDQljCQTCIVKgarrqOiwFftPgBjmP6ll0s28hHe6YDfa9/BiUh0I4iQF2jVtQGpkNtWTZW80MgWHZ6FV+NG1AATRUJhHurfHAOionxPoYxdpJJ+BDxx/kZHy6E87rNNE0mx0+EPHwdoTlMoOwYqV9gncMH51fG++yiMPor0ZN7fIzB3aR7bBZ/IHRjde9heGnVsdTFudn9ztEEq+8W7QPFVpteJsZ09iErrhFGSbLI1Nw1Xa1EQOsz6UdzmyNPDZTWdhvuLto3jUQAABuqf/uaxxWUbPIEqqOuXtk7b2yoPfCltrLE6xaCG6R5Q3nMvnFoVQ3ujqMsTkz/Wm/2z3k50/+8R4CNzf4icfDJEUlGD+pNerTopDNEpNj/NpC/ssGgTP9urgyhA30utE8fX1O6PYlYE7UHSCt5G/j0YcWXTGddKkJIj//HzmzzwRl8n4Pb4wy7KvLaVt1qMrDKlyCflLMB6zUM3IxjEwfUjLy4NoHbvWJJWPIFKLBitAIyninxyzK0qZxc5aX3rF7dRIq9wvOo5KDr23KS39aGZU5JkheOvYGNWTK5ysjw6OZ/ibPzq1z2MRSDdTj8tHYdWDeO5215+WDxztTDMBkX6jvlBXpYDS9+Sgx3l3ZPDYg0NdhzvMQ/AkIERLi2Tlgs9xrv9F/Lssuvz0OVT23maxG3ztcjsWOs80sR3g0LqTBKneFY3ccC7cvGu1qs2XD26EGdMUIY4Z6wEau1n0YvcIcVGFq9s4A9jqjyVv+pagzfTARyfxA0z7xQOLto6PHqAK7dPgZ7x0gWXtaJvL5KFAP7ayS4xPB4zUrRSQ1Idj8CvdDoeO7UdjMpd0939VJG7xiI0SoBBGknGYNUMr46VOn7c4H70EeEQMleHI7ZRHDXjH4PaWv5VI5sAbSqjWoQiiZXMeoqNyLnoZvkx2e0+bDd8iWMTb51Cm7tsdJsTm0uZF3Yc0Hui2nkPbHe6R4CkmkJOdgLkcSSLloYn7tvaiLIfLf8mxwHdzZMgcvR1Adqt52jw8Ai7htdO96r2g5gGXWzQkunOUpJ9r1X9znwR26+OgCbTU99PE4AnvOHoV2oFiA0lPlrT15jGDovzffzTZirdh14HbIy80e1HLcCXuAnZ3qfEXgMfDy+tlDnj0XuwQI3pTvYUdb1yAtw6h8rXc9HxmEUT/jrR6md4EHGcQRbaaN+q+2tlecsdaoiJATb47NUnwiEkTWCuk2BK+/sDKWmxGYcBTbW8RjvkH44NSeGgNdNPmHDkoEZV1LpF934JEFq4cnIaotPCXevB2G558FZZYHahgCNxrSD2bOQboqxYTisPLzfn68uz6mUEDJECqv8JoSRi+v0+C2PAlxrad8y6yJGkarEsQwxAn/S0awbN9bHBB/0FtRplyVIVhaelDku5TTmz+QvvJS3OHbdmzvExg7Nx8yT/wujbSFmzkk50gtBK6g5ZAuVbDhNu0zYkq80b5ZMhmLOeM1kGWQXxNksPnCsH1b5jwVa09vDKTcSVFLVfeI/gNWPEvy7vLO2C489TW/Q7I5ZBrDzE0P3cP+p513lWOs4mGZWvkWEz3yo0P4Zgxk92b7iicsm0+G7jEWzpeJ0qRz9PAn86p/O3FX0ZW7EVzdf+I7wdEfyXcuXO9HvXIXnGTN2lEnpjHdEa2z/pD4mHqXPDqeFNSNC8jE69miJJZxURtgHGCrYlifAItuxoYHIBDjCciqGtX/A+kiLLRHN7H8SsGZ22cBU/i1+Jxz1/hBDqWTYwVUmgJ7bEFgctVgXn2f221+KBWMfpE3Q8TfbdB0CsNou/qJuM2UFyQwvZ9XPP9i94qt5LPqH8V9neqv5PJTZEX7/zveSHY7s2iScV9ZSKgJUA/TYRKYgoqbiJhEF+f8ppJ4jDKb8GFxQHw/+kh9A18rGOaPybzBNpb4bnHw+QHSM1J69lMsEk2GpSVpi/nmzgMuiTjjEEoWr8mgAbKiJ8XdpxSIp53HkpDmneP7EpT5BMDLMbyPArTlR0lowbToGuNvVbo/3BBqRRKQ4t1C9rcJ+IRkHFuuqdTP6yIdry3ubPkrmcCQkzbXL47GmexieUqRP6dhHIPgxfJNV4+dd1YTTdoI9vyEOPcjf5BmmlSGHTb2y90r1z2b1Y7NwyuLd6OKZbdluE7jd2YfptM2ZyHB3VglZSHC59yZCGYjoh3Wbfnz6Xzi6u8mz2ClFRCInxWu6PQhLwnap/PMbW92yBUsMM7lKve67u818mcivj2AZ7XUCe+os3pC6VdeLe+GieuzvbTY1FL/315n1QKuGDU/NblQVck+hriggxmcRO9lqtfiSQ+xd1yOnXYngKQyjZ1n/TkZr6PWiSms4LdljQkC3m4X4cROuqhBQdIEeYH/uDsDZS7YzpxGUJM2PNMwdbh220ll6CqWr4JMp3WvvPXr7pUDWEnJjzgPSn4F2daH/xtycIy0pIl7ZKZEhKLsJRMm+PQkRUDdsyZoJvhdeBN+qIQzz1Xj/abzcmWcx33L8crESmZIKOSem8Qpynz2FYxlrrw27EEZxAkDhMK7opN9V35iJuET0ncasvvI8kblBTxnFhClYk/9LbbOTRkETMrTqTMzFaC4RYgnvFCTaCCJ3GqpLsNQ9nRY5c655IOSu10DccLEqcK2Xf9Zmccex4mMnVPrIjpm4clsieRXloiF48hyr5aMg8UQU5J4xcYoIrFpteAuuXXzklt01QF8k7/6CxA2DqBir24PKAzUhY3R6A3x4Tm/3vJ/Uqrn+1CYp6YHKaDEF7RE4Z8z0PWe/cRbrwQbZwXAGVArOoWmrcC75UvkyondlawIoJDbbudfzGonS856ofQEexREH2oEKeGBpZJJ4RxZirBOSHMqFP3gZvJYs4SKMP+arTu8AgUgCM6IOBmH8SmDp3rsZCQFmOdwd/P3LTl2aovomNkd1yfB2IKtlPt85z1C+CPBogy6dnTj94HnyfHeeY0W5hIp6qyTUTBDpCQucEh+rqb+NfsJ0uR/zKuWontOfl22WsWnh7HToVZtJJmp71RyAqzQcLh6F+J+x+rsBIB2gmby33IvQc6xRaaCYCIfCgCuCzem2CK9ADxEaF0/mSrgvnfXRpVzJtczdSXR5aCwxTzRzSPHwMXiV+ZvA6GGFkJy1jWnxjbQ0Kw1wloYKoCxaRo1/2PAYBxnrm2Y99V/SaOwlqHvR0O3PGrJTPt4Y37bRuWyOpr/w/t/AQsXqdYF3GszBiSkebNbjRoLaDbU0jd8mpiKeJyy9E0RcGjmhjQwZPzejxZh8at3uWBtCZTmvLe8bODhMsIENgphvXjZCQfcK5hxwNw0btFY/aEq5ehVpCjF6VlI67auiNXcZjeY3xUp+KCQJJbVX8LXM3uEQ38qv2XGJuROAOVwfpwfbMumkW6j7VOJlCgqEG82XOyfO8ncIsldWJ/TYBB2KAOpQ5b6GXTD0dPp2LGbmKwKH2Tt2tgSfFanF1wp5b1zyd3Fo0WN1P5aGdprgqbi8J8HxayyVk/vC+4jMFXNswwUQAQI4cJfCh6npgeXHLi0Z16ZgFL0ukUmkqWq59Sm+0n8UsTOPULZbTacCnbLhExLD+hJoASwO9AwJMr0uQlBj39JcKcdunLut23Ul6gkbi0CHHgE1oQdelts3tZ44HF5HIxtDpr3UDkyUcrag1IsmHs84ZnN6pLWZI3uYEAK/wkz+eA38JWMFp4dCQxS+zFUZNHiduCyCJTb4BsRrB9Bq6h5LWhJbinbxrF3uYxD3N1tuONGCdG642MtoAa0XC30n3JvKeAwFM/OAGxK/VA6Gz0mBdU/MTOzUpu9Drpj9rBPCZaSnY/CHk3pn840hLjpaSI9voo3rKUC34m0PNN6cBsk9qJwmtBIX7L0vM+pC13/Redh/BztVIPyFdrjmsY/jxMC0EGBXPylmeRP/moA5gVtNdVNF32ajmoIUP6PFrcLLf8ylAeBTUgkeKHW6d2IgXZ3sjvrCgC/2/3LkHcRCycYpDR51CelDBjb9hsbZxjv3A/6KQblMMgb6GkbnWNarMiy+IiCQbGTaX8qYNXzV0MnzMf6FYZCJIPfKirdzaFJpHM7A8Y7S9+eZ+8uWm3/Evj27WaXNN/YM7n0NPuhWw1KijBjyWnQ2+59qG8Ysa3YZe5qHTtq7+XTDeCE3T0CTinel47Y3s3d3jDHhH3QQHlLoAR7foyyr/y12N7RC1fYmoBpd06YiyyJUSq8nRuCV6UkApxMeSec1Sx5V3RDjjjXhjYYsU9ctqwtvkr2k/C4DfBrzWLBw+BkhuMNeOfFFsAxBHaBqePaiy40oLk5mQKWzRwHyxluPozRvabOioOMquoFnDcNP5B8PJJqfAHQBaEGEVuZHKYkB2A9+gpIiK44cEGkY4og9F9QKnU5WM8r0d32n9pO6okf7IYRJ52DFAUu2ctT1jPf4WyNQRstFtTrxbAPZr7DzGAum5qnGTas9/q1g9uuA4o7n4m2kSd1ziid4x5VymGUL6EaRpV6lX75isqmfn44TX5UV+y7YanpgUIlMfV/EW3Q/jb4GTHj2J1MzUBtk+88ZbJmemNtryEYmDrwpWzXL7UW0+97tOiM6NqYYOofA6AqCbLbLphe6drNMWW01uNmDIZT4G9u/SPernWXoS/aojZ8NrA2aEnM0YKWdWANVN0TQKYnRCLwmsvoV+9zMxoS/vrNIshBMdTRfA14mWG5N2Z/dSLkNDWl5Ws4SsI7jJPok9VacgcKMRKONyF4QGc0/lWrks/1p1VLjGVsa8QaGkEct4vowILl3uXrNoBy9jjpWP4g2wtnSQIKRNLx1E9vF/G0sWFJUdr9PKi8BEGMd9lEaRT+MO19Oj3PU/9LgdBOe9n5dUs89iuhx8eA7d76RAJ9wTnWgh3W7L0jHB6LOvGRBrLiEsGuTzcZtHWXUs5mXsca6nl+J5jC/Iic8jAyw+P94w4FtjJmIDTccoFlXu44OExzdkfbpJll3wdnefW+WF5PGogkJfnNxOxhCzSxvqtBD7EAngsBExeTCjC1k1C7kJ5XNu1i2zFSZvoX245bPf/fBW0Yr+HLWdLMsptvvuyXAZ6LN8FEGdBg1fqcKrRVDPtbwm6Mv4x7niDMHNOWFbrZ5m0veMe+RUOL4JhlFGkuIYo7PbhoGr4FA+Ng3RudhD/yzMYy9fQnrFy5/egWlWc+bPgEhfE8ISIQaenfMV9xeWEr7r2BRTXjDIXJ8IeLixPGXNqS5ToMbvDXOOGSVnK9QP+IaCnWWOYyEpx6Jjdoq9cofquh+51sExdS5AJ0G2mL7ve03Zx6jkti+S87Di7nT8Bvcf6Iv1K4LsACtW4VjIKVZiEDRnVbpAHpLemDgHGshlXtBZ2VxpOe5CXSi2HREuO5CHc4vUb6mHpYtH/KO4OPiDUVL//a5XJDUuHX1ZgFt4UVLryr0o0FIABQoR3Sk4PXaNWHm9U9ux37LeXt7kTSy/yGXuLdJhEPAlmfw1b/XEDq05n2Ote9IFd2pBiiDBm7E278Y3StudC40iw9V57T/A/bSq2xQKKUq3pJzB3NG8YVABGkdQgRag7zqBhKfz1ovQbaptCkkkT9+oV4iBsCXL9YxLz1dpT2nU067frZf7ORrkEjDBH7zw09MwiAUhjUFgB/rCcdnq3M1KBkSpUZY1BNcM7ifnZ44ymkTG8q1OIwNU6sR4Bb6hXweT3QKXD7kY/Fdyq9OBsYk6pPVYrxtbD++tZFn7M72+r70Cx0CDD8/dQR36b427v0a+4vCyxyEadga0c2BGzM5M2tdU1ztFM1neUqwUkCpbQI7j9G4w3ASSNv8jx2oBDoBBjdSIBeISI/4BQS6CG1tjUdoaUNM/HLdwcfA6IDvwrmlWtBE4X6QJGbSTNuyGMt5+3zksqDeYuKvB6oM7ixjcpD8HA+2k3upEkBMWxkx23CSb8iGGZrr8Lwvuv4xi3VDSrKIypU5wEBLYClkNO4VDtnumKR4xodZ04rn7KO26XTYcVN/bxdpBm89KSoxzRAG3qGeGgu234NdPHJ9TA6YynzCNr29W/v+FJLWdpQr/xDyuaLiypYcuDyrDsOwqfkZZL8KsH9jl4qiSeIrmEJIeV+n2axsvmufnrs46Bmw+GITMUttfHTxvAatYXZOfn3O7j+E4p2EDrT4GJaKoZlu5I5CJWEV9n8hFnSpcROVfasQGI4suA2TWMRDmH4fsEC+ehYyGCZxgWPxBTaw+XNtlwbcDnWwXiASukx0jt2O3zWHSNZ2ayN7TdvvWOpev9g=,iv:/I6iQypvcQKc0oUOS2nFnpBzl80Ti+g4l7QUVLyNVa4=,tag:b6lnsj39DviOpnDdMG8Tow==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YWl2aUhsVUZXVGZHUnhm\nK1hSUVl3ZW1MeGZGWDR3cGNrS2E1WnBCY3drCkNKcWcrZHk1UVZuWkdDRGoxRnhP\nVE8vYzRSSUpOSmRsYUZRaXFDbWVXT28KLS0tIFVLSFRPd3hKTEdtMmkwRFBWdVZ5\nd0hyYXVmYmFubjdHN255b0d6c0F1RlUKHlNhWypoeqRe9wuF5jGh2omhGTvnTtt6\nWRWnEw1i3wa1HFJn8S81oppvGrjmnGYPgaXcHjb4OHxt+9RKQYro6A==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSFZwYzA1TUM5SFphUVQ2\ndzVzbGtpZ013K0JDbTJMMVFHOHlSNmppNnlBCnNIdFNQTzRLV3ZMWTJDdjB6ZjJa\nZ01rMDRjeDh3QTBqQ1Yra2pjV1hBdXMKLS0tIElTK0ZmVEZ4b3ZqVXFyZnJpeHJk\nNlRTRVMxVG14VlQxKzlZY2xnL3V6eUUKnSaJ+pjURGztIBNy4OGvAmj89bPVTUGp\nH+5zRRxDOHbJVBAHNV/qREO0Aklj5/f18cQFZLcFyNGWoPfDiP+YkA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2WE9XZDZJV2tMeGhBanNH\nL2hLUVIwVk54OGFJSE1DMW5BMGk4aGYvTVZJCldKb000N1dFQVVxSFVoblpHSm5C\nM0dpUTREdlAvbkxaS2pLUXdtNjdYOEkKLS0tIHR6djdTMld6dTJSS3ZiRmpVZWtI\nWU1rT3hHWG5rdHU3eXJRTzlWcnV3RnMKI9jX76xcdENMjh4Be4gIzc0qedHUQtk+\nB7ORW+d2Wf9PdlTt3LZazjzw3xu8A+02IBsqwzJJjBIedDnRd/oUqA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VUIvM0RpMTRMSFNBYjZF\nbU5ZM2p4eldPZldtRXNkeW5PclJwTUVwTzA4ClJEQUtYc3RhaTJLQkFqSUppUENp\nWlJ6ZWZNVk4wMjZneEFadDhLMGU1VlUKLS0tIHlFejhGdWE2cGJZeFpHcVliSGVT\nS0lJWTV1eGViYnNmQUJZbnZQS0pDTG8K4NIU5yTIGrd3QscGkwzhxXelVzZUzG1T\nYerlE66p1jtI1BaXKLtGurUb1h3+9BfYsKY/MswZOOwtYRPvpRFe8Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESU5DcG1XV3hwb3VmZHdk\nblg3cHYyVVJBWGcrb1lJVEdnNGFzWWtPWUY0CklOZHU2ZWNoYm9ESHhJakl3THQw\nMk1XS0N5K1d1MGdwaEZ2Y1gvZDJqNEUKLS0tIHFvUXVNWHNPZGpTUVBnWWhTampG\nc0tSTC8zUVBuQjN0VjlNRkswZVFJaGsKSZ99ix3CP3IQ0m0GYVML7fa3R0gD5N7z\na1xwlW7e1bSEwMAUyPy5+E0alvVdC1nP95LtDyyPMkSXuiNJLbV07A==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZ1NoYlZubGZoQlAwdEJl\nMzFqencrZUUzUEluWXVyaXhRV3M0ZkhSNXhZCnRoTmJQQ0VBNk5UR0xBZDJTL2Vt\nVTJxcWc3THhmRVlpc0MzM1pGVHg3OHcKLS0tIE5Fb2ppdVFIVVZ3eGwvbEQ2SGRx\nblcxTGtTZ21KSm5lTkVWRlpic0dyK00KggJnQIHv8FkRz8110iGpwXoUZA8YdD0f\nF9ucDi55JoauB/Jq7mkT7UPXjX/S5xVCHkgkRKgX6AunejhdajA5iw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVlA4WUszaWQ3OUc5RXBM\nU0VQWVVKeThtcU9SVTcvdi9VVGtGRDdqWTNzCkRZTXd1a045ZXZWUnFUaXUyNGFM\nU3lodFRtQjVudlFHVS9WMXFVbGo2bk0KLS0tIGVKZVZEQ0x1ZnI4cHhOK2k0elYz\ncFkwMWRHejQ1eURORnpaekNReUg5U1kKKghYvqmOysmJ12ZXjeUomoqc0O334Hcv\nnulvcj1NSwhVLKUZ4JalNrSNo/4xFcdyi7hn2d9DlkkU9KJ9OcWBOQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcTlqWjdTMTBzZkJoM3hP\nTnFWcmM4cHRGN1hra2ZZK09SQWh3NjRjdVR3CkRnd2tLelZPWXdDeGFRbHpUZzQ2\nSHk0LzRrWEJxZ0swMlBEZlV4clQ0cE0KLS0tIC9pOW1TQ3pUc0gwOGlOR293NytE\nWEtjV3luYlUyazc4VnphSVlhQmZoWlEKnVpdUa4mHynbbGHV6ouPXv8ROmqanb9G\nadTKO6F0+PCSVQ5krBKebods9EBGF7bDm/m6SsAN/CkbtSyL9Tp86g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaRmc4YlduNzlaK3VXQVFt\nRXdHckU2TlRLUHltSTRxV0Y0UnBJTkFwdm1BCktBWWIyMnZYZnFvWEFRaFd2d1Vs\nc2VVbkY3WlZhRXN4c1FJTnl5dFBTR2MKLS0tIGFKbmdPL200Y01mMzZObEFqZElq\nTkpVb3AvVWswdkNEUWR2V3dXMHpMZDAKFUAb6ZxAycB4PbjUgePEWmUpbWRomU+A\ntpFpU30ZeWSicsRQRbzm340ZmtAhVk0Ud1M2N3J0TcIpre3CghZ9lQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQ2cyWnRDanYvcGpXTWVB\nUVFPZzNhTlZsdjNFRFFTYzFTeDVXNXI1T2p3CnFKWDNxcHB0RFZuVkxRQlA4Y0xE\nWDdreWdBZU1HcmtmRVBTNE5vTzFSOGsKLS0tIERyeEVNUjBaWHJLVXNYdWhVdzJs\nV3NlNnVHeU95aXZ5NEQzbkplVFFQZjAKrJBK8FuIp89FydPFcMfTf/jEE1ukMbqZ\n6q7nJQgRo8r5S4N7fPbfaYZkN8HIgyKkPdt04+oLv18E0NWKEVv4tw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZU1vVUMyOHBXTm5iNUZz\ndWI2TVZpQnhkdVc4aUlIWmpwbUtwRXlDTkFJCmY3bVZ2ZmlWVEJjVy9oeEN1b01k\nR3pTUUlFTG54c0dyWUlQQzN5TlJFL0kKLS0tIDZGTGlHL1FoWC96dUdJS1I0UkpX\nVWowM1dmVnhYcEJXaEQxTitPQmsrbkUK7R+HqB6ohYcS1rQDfIJ5lHHcqeYcpRTT\nT23fTqjGlDmVUzDUdUISZeaVtTsaAwtq14YWdi1UEzwbGBdUQGmb/g==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSjR3NS9KUWtJQWxuTWgw\nVVdndDd1WW5NUnpRZEJCTVVwOXN3ajVabWxjCnlNRkZlNVRzdGJiWFdwQkE4S0lG\ncGovKzJJODlDaDlQbUhYODBrQTRhUUUKLS0tIHo1Zm9wbVZQSTFLUGY2MzI2VXZD\naDM3VzhTSXhaU2I4NmR3YnRrSmlHZ0EKhfaKRktj9lEq3l36ihmgjgCoasDC+bNu\nQ8vkVB0wntVxLRddYVGrBkzLfekC6P/z7afjndWtIYSOZcj/FoGlDQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxL2pFNG1JTzNQUzN3bDJI\nTi8wU0grcWhQcmp3SzZUYzdqZmc0TGsrNDNnCktwZTBYZEg1dnZsYXhPU3NtL05I\nWHZtQ1Q4YUdYay91RzJaQXVRWW51bTAKLS0tIHNDZ0UxWkRVQlE0L3JjaTZmZzJP\nQStKaGFISEJEVTdQSVdIOVMzNjdhWVUKbMH8jkFLlkvbl1e9mndT9civieCuH/z2\nweqBunzI9ANMqQvBH0HxWymUz6kc4Rg9HpChcLx5be2M1URl1VUTiw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraTd6ME1NcXNjQ2czSmpp\nZ29iSmRhNWMvNTRKaTRNQUdEZlh0RHM5NG1BCnJqcktlRVVaVThXL2FzQ0FHWkti\nVVRvY2k3dmVlMXVuby9QSC9HNnlHRlEKLS0tIHJDamtLSjI4eUV5TVBEdUZyRnVi\nQ21pNzVXMUNPN3dvTGlJV0lQSitRL3cKuyCAD+lA+gYdPAr9A5hDGA8eLupS1EQG\n50Dw3LEfKP14nhvrKgbZDn2j/18zHQGeOYYkrYf/MWeDkuBsDpeLcg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJd21EYyszUU4xdnkxZVRT\neU5FMXVQcEFtM1VWcVBHK2lVOUdkaHk3aG5zCldkWWx5SHVzVWtKRE1LUUR6ZDRF\nc3Z6K0QyYWRiekh0R1pvSTR5UGpLR3cKLS0tIHhGWFppR3cwTEVTUUUwc2dsWUZz\nRVdETzJ2V25LUTU2a3AzWFFZUC9GTEUKrF9QLJEVxxMG0iJULun2QKmd1ATQUGlu\n8nnEWHOpuI+tZS4VM7bjs43fFsN/D1dwA4LFlVfYBNfH0EpVs/CjQw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZWVlNk1HQ25RUjJEWWlH\nUjV4M3ptVzBIWFhyNXNUbkord1gySjk2OUJVClFQVXNLTWlaSWo3SStFZnBCdlJF\nMlZZdmZrNllRNDRoNnZ4a0VXNEFQdXMKLS0tIFdnODh1OFpCdWVzN0hmK0lpMHhR\nc1RKZUszRHBUWkxHYkF5WWZDQi9lTGcKlUSdHjR+uCkp+BrT9mURPl/Q08JwPxV6\ndJ6BcvBitsU0JGoxC3Y9AhNssjjPOqZ622a2i/2rw8K15COPJgHmGw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5anZvRXRFRDRoTFFlL2Rz\nYU1UMWlmZVgrMGpqNC9oK1VhQ3lDbUNRVW1rClJhNVp4NlczWEdWWUdDa3dqSUhn\nLzQ5TTJyZjFrOUtXTTdUSytBb1pCcVkKLS0tIHp5NCs3cCtlNnlFUHN0ZkdNaWVs\nM1hpVlI3ZTVFSUFsdFBVQnM1MlJOUzQKLjYXNFjBkCo/+Sy+/3gzWPXRhAxtvae7\nJGGNUk9AoTPM/VSiKEJL3F+X+z3QvoiMjq/+uLU2hKMlYOH570X1Rw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZ3YwMFVVNGxLcFhhR2V1\ncDFPVERtTTcxYmNKaGYrYnYvalRUSjRwU2hVCnpxcUhnTkxnSS9WOE9RWk51Wkcy\nbDR0cVcwS1FzdFROdlgzOUd4aGs5ZDQKLS0tIHlIc29YbzcrN0EzZjRYeTZtNWIw\nczc1eTlUcE1SL1lBNU1Nb21VRFFJeFkKIEtwsONy+TLjXjdQsiPcVdTgvakpHQJM\ndTG14ycUBBw6++BDcD4sEFH4P4c7nhaaekeWfoG7H+t8CaS2Zxfkxw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcXVLanhqYVMxaTJ1NGx2\nNEFvdHRFWmxiS2dMUCs2S2N1OVV6N2IzRHhrCnB4TWZUQ1BqWHVTMVBFeDlSL0tU\nYmd4L29UV3ZVUGk3Snp3V3ZpYmlSdlEKLS0tIFVnYnY1WWJ2dHlWT2o3ZVV1aDlB\neXN5THRUNi9QR2pVUC9IclFBa2gwV1kKghCqpelZh84rvtwH7BjPWma4h+0axaUR\nntG9Bpoya3JzVFgyuae/ljmXf4WQvB+OBhh88GiHwXqX4SpH6udvrA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2R3BJMTVZaFlhc2hRS01I\nWlJYeG1SZzYwU2FlSzRjc0sxOS9wdExBU0hvCnlYc2lqQjg0SkJXSzEwdDFZS1Iw\nOWd1a2lJK29zNUpXTHZtSXZLWlVLdGMKLS0tIEo0cWxVVHhRbi9odmkwcjFhUzZE\nLzZlNnlhUFlFcXJKS0ZVRnU3RGFtSzAKD7xQG1W1RbA1MMK89j2mId2/nrgb1en1\nj2IZc0CNVc3Hx0AcnIb6Igersob1M+AZixIHltznz9fs0fviBr2vSg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NW1lRFFYZjFOUTFkQTF3\nTWpqdGx1Y0lncjFxemNJNmpqN240VjJtWFN3CkhGdnNOVGF4aGdlL3k0RThOaWN3\nU1gvdUQxY2k2YXg3VTFwVTlFdWRSYUEKLS0tIHQyOVJOcjZselNtM2ZRWjZpQlJm\nZ3ozRjdmeWtHNWpESXpCZ3VtK1Nrc28KM0Hjz2wjsefnqAXqcqhE/kCJVXR5r4CD\n4VnG1bl4MV5dcaWooG9RBTgU1eSnoa1CQeH1SBS18ueA6/kRF+RuYg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdmtZRE1WTzE4SmJVcGY4\nVWphUE00QnYrcDRlMG1CYVhmZXFuM0R2K1EwCkFBaVlVQktMNEs3SkdUcHQzV3FZ\nckN3Tkk3OGh3VUl2b3pxU3ZtUzRsNDQKLS0tIDF6VkxPZzRmZlY1TlhYY1RxcFZy\nOCtDM1FlSHo4Q2tTUGVMb09zb3JFb0EK8n6BDAX2EdgxDYppqncIss47aUpRofB9\nCvY2OFhqbyxP8fXxFdpnh46UbzMj6Z2b5r+tDdI5uYwJpEPdbvh2qg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNHJtSGhZTkR3ZG4wY2NE\nRHozK2cxR3pkZUl5TXREVFRma2ZJN3kzdmo0ClVLb0xXZ1pLVGJ6eGlsWmI1QzNo\nWnRNMTd5N2NYY29wQlZNOUtvMHRVNEUKLS0tIGU4QU9Fd2Y3aEJYT2JvMFdhRFpj\nRmRqRno4RVMzQ1ZzRDRMVDdFQXpiMEEK2QJ0gKd3QOKIVWYfFMbDCwmhPyBuFXG0\niqyCcJIyut/XzoqMTIuyyNWk+74ABdwj+vFPuq0nxnJUwiwnDrT+lw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQTcrQzBhZnc3Ry93WDNY\ncG10TXdBdkgvWkNHV1RkclM4ck44a0JJWlhzClAwUllzanE2bzJDREdYbjVUSy9j\neFdpSTk0ZkU5VEpVT3V2L014RGlZNFkKLS0tIG5EZkhFRERlZm1XWS8rNlUveGh1\na21reFRJSHVZdWoyMExJelRkKzNiWncKNe1jyKxtJH9aieizxX/m9Gdye4AXfBtp\nnarB9jUcBBl+1rMNBDXOYST9Z46l4C4if7tWoqMWaPfXQpBhKbX6YQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSTVmQUJ4THA1Ui8yMGxM\nN1dlbUJYSGxycy9WUTE2eSttSVYvR0RIL1VRCmpKbHBFcVBld2lKb1lqdFE0TkJ6\nS1ZCM1BYS0RLNUwzcEcwM01aOVV5V1UKLS0tIE9BNitEelVidDdzZE9QbE1Qb2hk\nWVY2emx0Q3BLbkNhdWJEYys0a2ZyZnMKqGe5ckj9cK1LnbtrOfPJPdhJCIBm2lOt\naq8nl+REJ0xFR2Pl4SMhIbqDgo5oV349OYQfRUBMhVE9XUUa5TsEAg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVGxsR2UvbG9XQXQ3TVFP\nZWNMWCtWcDJxQS9SSW5pbk5TUWFNamhMNmhrCnE5TFRZbFAvM0RVekZTYTExVDI0\nMjB5T2RpRUVCMzlMZUJvM29UMHVhQkEKLS0tIGZNUThXSW4xYm5rTDZJN21idnU4\nakRSWDlTNkhDaVBQOWc0UURFM2lwbVUKf2ScK1QNfNocx4Rw2VXmtHKF6pO/Lp7T\nv6K43/aC08MgxsXW26mXFv3TGuXz0G/K6b2/WukaM8T7VB19ZcMvjw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwS2paRXpLVk5yQzV3Zjly\nYkd5Q3NTU2xCaUlvZFpPQVVxUm5BZldpWXlNCmd2QzVFR0NuZjgxb0R5VDFmNHhN\nQnFhRWs3NVhBY2dlOUhmMmZYVytaOGsKLS0tIDUyTi9BK3l3RGhLWWxJbVZNZUV5\nWS9pTUdsUTJ6YklRNWhWbG9KVllZSTQKUsrU53r2xbnheBj9aEc2V2ZwKICFsU+5\nVXxUdwwmb6WTE53kK/yV0zsrWTDocb2/4e7qBUqnMb9Wgk2VHvhe4g==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZHJsYmtSSFJKcXJadlV1\nbXQrVWUyV21lQ0VoQldmajVDdmRPdTRxcG1FCk9mbFE1eUNXZTQ4TE1PRCtTWFVJ\nd0JpOG5Nc0FoVWlnanpiRm9uSXN0UzQKLS0tIDNaL3FDUmRuNHNKR0NEa2tFZ2Rs\ncmdpYUtvSVovS1hXL3N6cUswei9lVVUKl6MdBZnLqyojsg2jJUt5YhRxgnIT//lw\nElY1HEAQDQ9Tcff+dp1dC63MNolF0RgE3qFGaAvuWtO1FVGs/2oiEw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMFIxU3NrYjI0b3pzNGpl\nY0JkUzlFZWJ5NkU2RzUvbTc2TGY1cHQvcWw4CmZxT1ZaaldaektPeGlsd2R5SnJw\nRFRkaDdVYTRKaWU1dFE2amIxMngrZTAKLS0tIGdUMzVCSTRGOWE0WFRnVUNUL0Y1\ndVE0dFpaQW5ja3g1MW5vblVGUHkyWm8Kck0ltr4YY6O9UJBjqSvpGxSG/a2eN9iQ\n4RKnzZWtEQn7lo1dL8RKAPbWOk7uaTiaCDAc+nbbc0LWRkTQoDaH5Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2026-01-03T23:44:12Z",
-		"mac": "ENC[AES256_GCM,data:7+fRKPv0JkwHiWZOvPsp+gYHaDN2Dfdrm9cWLY378cA9xqcLpim1TvxeG3UaQQuFV6KSBiU7jBlZSOUUToXSG9mBL/pcLsErBsnqg1Wph7mK0JLzKUxPXJQIlRzZh0KmG1GCSHGQBqVQjVgyw4qUfmUdq4QZ5k5tWcQK3yCpuQA=,iv:1Sb3CkP9ad26vQjCpRLv1wXFtEHZL01EObPzstwY4C4=,tag:k1EC+zR/j/HZ1sejHFXv9A==,type:str]",
+		"lastmodified": "2026-01-05T03:05:04Z",
+		"mac": "ENC[AES256_GCM,data:7I2QOVu0X4QQBjhTYVrAxCC3NkLdjtcrju7UDieT6TdA0qCZo7mfWRy5T+p1IqV3ZcxHIdPSb5al1EZnR3P9u+KgGd5dIAofq1DtK7w4l8E0kBNjW1EKWJ7DuI/yWE02tvB/KBbtsgTFEd30ROUgxjVrBzK6Y+X2vvF2rjd8Pbw=,iv:bvP7vtI7vZ+8UaoIkp6nWpc8GY13KS9GUB9SAQFSQwQ=,tag:IqYmuZzEK74+75mNxA1H5w==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2026-01-02T21:17:44Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/9H7LfgDWyE3F7SrLQaGdx8rNwWy8olBcJC2O7C8usiBUH\nCqKNUUAfXaOqsNoZahWES2KNyTZgARGW/7lsQU3ISrYD/gxn45Pf8HyVXag2qbKQ\nSmYii8HXvrST+XHU7aErAZb293ByBSBvlg9JfQK8lNTKccvIKLLHTI8Xo/EkjUtl\nvfRocIPzesBnOBxTwvuWvnI+nvcuvael3UoKK9V9HaFBrS3i9U/z2EROaBOY+LI8\nCNgSaUNEGqeYh7/g3hSMzLWicM+3YS5MnlVDJIaERz08XvjgAfnqlmZPINZGCKpg\nUY2fBJKkG2lUsx4dfs2XcoIayygA9IIN4kPztI8jDL+KTh2he2iyfDEzTGqZ+Yfr\nbWzoUNxtCT5FluVYLsAUYBJB2TZhQJeNHpV+dOLzs0zTRbzh0f6dQQEs6u1W4ZVe\nRN8UwO+e35Bcn5sJ48y6143BCaJGsNwKg8wqmhOejUV6F8di9nHWasXgaxZKPbnz\nxIyt8E+PvWIYYQHadUQ0SIL5TMWU4csyoDvRbpQxYPVMl/Fi6v1khW7Dw3thhOPD\nXAygAQ3SDr2bzB4ZlWAozx9D4b2jgPk1qMHMHmypf4vdTqxKVs9UhzLRLK4IYDKB\n91drnFsAPhOzgx24CPEZANZEln/IlRmIFPReVCT+8sAvqDU+1CROSvR+OLqwfPyF\nAgwDC9FRLmchgYQBD/0dgT3VStJ6BJH29XYsfQsQcHSGgYan3Ecy6g02d3h4Md1r\npJN4s2THrlHe4LVLIyZ5xdetrxSvU6uz5TM2jAXL6cYLEFyr7FqrHNWHDXcbEiE4\nRgtVxV0P0c69skkVnBSObvc9drD/m7jbAy/9dsTs/1Xij1eAgvHlcItadAQVKCYO\nd7E5jFJfVmtQQ0VWqC6Y1i4tb1J/UKRGUG0T2oP9RkXPdCctVMr8J5DwNIw87p2Y\n2GF87yDM/D7mo6Gk00aeOYFPej9qTQHNo0e1xCw30cGOqlGQpcr+3Fc6hdt+ww8e\nPHVbR7ZA/OifnbBk+Wi1qqIlO4+FdxTHpOK8lZP1A/B2XtJsrmWGLPTHHw2iiIR4\nahPpsBtxOyGZXB9Qr/kTX+uNUQOtFXVbxi0AgnQ3W+UkJlpSd5BhxeeN/IqC0Xsd\nvzhv8A8evy6dEwa4eoDPdECBfHfcXQX7Cin4WFef1Vr/6r/mL4OvY+yeMRmZ0J+O\naEPeP5zX3u9YBZyjay3daLCTS2Jqoh55Vp1e94Hzi2CpZexj+tvph92CHAf0yJz/\nIbJfO1VXSMBnpRDzzM+lSGEv3RNk5OXre09j3kThuscGqXKH4+48qbhYBLr9TkCB\nVwxwYijDEAst0XOky+RXZxtR1muAi/hA07H1jZK0lMJYv26T3SL3pDSheMrxGtJe\nATYtKOMookgjDuzsQAthoIL+bV3Lx5yFJjF+phwL5vqTLWa0xj2IBUSnmXnUgCa7\niRLsMPrLG7qvX34Mr7HrOFRXWQjy8SdmU7PHgUyBAyK8I0JFl+mzF8x+fbRYow==\n=gdhs\n-----END PGP MESSAGE-----",
+				"created_at": "2026-01-04T22:59:14Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//SSBrjT7dW3WJVfbuC3sFdfFa9BUiPDkd07yRQMeOCFjc\nAjiPlfvd2npXvlKX62BS/UMp6Dbx2wcvEQybWBPUbdV5v13mdRwsmbGrds7qKqTk\nn3OHLnhfyshrMhBv2mYOH9I69MDL6w6DTxGqYBj6ALrbqVFnbt3JAfc813Kxpe9p\nN9XAxkzOeyz0ekU/FdaiYupXFNk+W1k1UpUxIQLP5hUgvK8a8NoJqecwCSByLSm3\nz/DStJ0er6HohmLzvj9XgZY7kBd5LOr+t54RiO23aX3tuskmWbtt7VbduV14yldt\nxjn4bEuyl9OJnFFlAYgA2OAk4Dykgb7BtFxXWuNQZPKMJr9xJC2nkM++sFSSxVYP\nZ9ld3UdmN2hlPA7LHoIs62F6a7pt8svX7YyT5DFkcakVBEfE/daSs3EuuQkTeZ8F\n0Rn85fFRAhEWLvRgPKB3xpV8AcexreB9AumlfJ/SGVYgiXXO0v+TrATMrpLJF7x+\nRUO5WL9bnTK6oGTowPv87rPXNceaLdmjgoWyI5AoOnzp8uxsGuHRSz2aTzKSr9CO\n139z+DUG1x6l4rrpRKTbmWo0ahpFIDVXVcscJG5r7d726HoRiJwQEdQO/yM9SF/E\nFmbyZsiQlleJMSZfMa/+efMekY4vbP8obRH52kVY1AkN70/88rw1HxjDKpYhn1+F\nAgwDC9FRLmchgYQBEACjwHKIkl42dil0wonU2fVhZ5ROO43PtLQHJMh3orU5DKwV\nNWZKNuiZ/TMx2AXwd13abCjolWTwEPZZ+8A4ALtPd3E2iVRxL0VPWegdrKkSuGg1\n1NF/M6/HuBxiM6DDKO0Ac6+iIw41nZLtd2CGpEIYLLu6mKntYrJRp92M/Md1bcQQ\n+EX4tmMjuQXRD7U3eZ7OKlKyxxRHY5OhNg4wgCpaW+4RJRw1Y2i89Mpc6YwT7Yxa\nsd1sBttW6drI9RtntLj6vblNCTOlhC5AFesRSzZUfSxOzI1YuMOCvwmGgGkLEtCA\nea95OoxlcHmKhQrmW15E45s1SpsnsWrqlS4uDzBWS/bG6faiBZpv4Lm/9KX0D2C2\npYEyufMTbLmnPc42JqgAWRwf4DZNYM3jQEHgLQ2ddlamuLpZMJo/TFpyd0nXtnrW\n49rPJZLWtv/h2xRigWKIndrP6KfxTkjyUutLOQs2+EDSutRBPV42eXeylfU7eWR1\nloaZVmdQqR5b5iPWceW8dQyAXd93oFMlwBywl3Axxqqu6GrYhhiDk4wV96nI/VPU\nQFXfyuwX5FmBDpAi5/V6gw4Zf3Zv6j4ZcK0GN7kTxGO+kWpXy8Jx89joBurF45UB\nnl9tVDxWFKcyTZvksLa8gq/v/+bQAEA4FY+5Gy6TLvpaYCR/fsUahc6Tx7OEFtJe\nARMZWthWDs5w3UwCgV+wmbUmrGPwHFfoo1OB9uAC4k9wYEL5+qZ86/9l1Ur/1WK4\nMnYGYwQgg0A5Su7iVwGDzT4JY8T8lo43sWVNBWErdQmvFOrKoB55tcqupJ0RJw==\n=+gJd\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],
diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc
index c54f933..35bc181 100644
--- a/secrets/repo/pii.nix.enc
+++ b/secrets/repo/pii.nix.enc
@@ -4,67 +4,71 @@
 		"age": [
 			{
 				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOU3VqNFJpVEFBN2lwWlNS\naExNbUpMMWQ2Zm5kWklxR0dMOUZUVWNhYWxrClFBRkVFUkhaSVlTamxhRTc5d09H\nWW9wVzdxTkZjME5pbVVmUnBXakpaK0EKLS0tIHFIY2JwTDB2REdqWHRSQkFoaGE2\nN3FWbCtpUm1SSFg0b3BEN1ZwUEhINzAKFjA6KD3PK7BZRYkHLSs58ffMHrCwhvy/\nrF0zA2UKhIBN1LvYlyDdO2yZSOCK+0iwEuvz++VhDm1UnR0hDNu8Tw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dTNOa3NabG94OHZxMFdZ\nRW1ucnNCNHJXYXk4NzhtZCtocEk2R0RFRms4CjNPSVV1ZFhrazFJekpNTzhXT2FY\nenVJR2ljNjg1N3hwUW5teDJiaXhlWU0KLS0tIDd4dS9rWERVYThhKzNJYkpqbnpF\nZG5uMDhwUnBaWjU1V3pmcHB5YjJCQ3cKv1cyhmmH780Qg6GS9y0P/3lrrB+e0brm\nTYGhmyIGS4LqXwpXcY2rTAtajfUU0uk4C0aB5eyXp959yEk2I2cUYA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoa2F5ejliVW80blE4NUwy\nTUdCamtkZ1hPMk9hQ1I0d3hYV2o2R0p5NVNBCmQ5WGZLS0ZnYzRUTk5rc0JKbEQ2\nTEM4V1hNdEhzWFFJbWNuSUpVN3ZTT0UKLS0tIEU0TGlNYVJZV1dCQkRHM0phYmRH\nUVg1bi9IQllUQWpkYTA1bGRyMWVIRVEKPiZdGYR0bxk2ldQ/4Ce1RcXyZACcCjD3\n6oDBe1DT7mPHN1jPertICLYW8Q5/LBRX63AJxZIi+epZMGszI4m48Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVzlZeFlrcXdYd3YvdCtM\nWVROUndnblcvRVRBR1FZRkhYb1IyNnpTQVFFCjNSSHRXUDh5bGNEbjNVSHl3cDh3\naFBVMW5jUWQvRmd5OHJ6bWtpb0UwVm8KLS0tIFkvSWROZ1daZ1N1bzRsTkxoVEdW\nSjdaaE9NTHM2aDVNdWhNa051WXorbGcKfs2BbpCoxIe9z8EPf27xO+x5LwoTNroA\n7RLErW20t8O9f0fTcDZwz3qM47Py0vZ/jk1PmW++10ZFlcSNtF2DNw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1T29EeXY5cDA1em1oWjhn\nYXRuci83ekU2d21ZMFc1R2tPT3c5RHNXazFNCmFYVWNwYXk2Q1pTQW1pVWpPNkV3\nb0UwSk9BVUJMMTFKV0xxQUgrNVNmYUkKLS0tIDNpcW55MTF6a29nd1d4WHEwNTZh\nWDBNcHF4S1hwVzFTaTVycHUyMnNFaHMKCJDevUKtn46qMNpNjTIctBVMCLs5lH5Z\nfU2rzvwIBxwn16NCOAInRxQEOASYITYo7FKuMD7W+3eQf0vAj22LRQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbnIrYkIybys5MytXOUxO\nNjJQdlg1czBndHBVYzhoMDNvVHN2MFJ6ZERnCmZvUE1hSEJSclp3Ykhya0lDeGNu\nQlFLS0JPcHFwREUwazNxRGtZcWJiS3MKLS0tIE9pUDNKRWJUa3c0UXdrblBGaCtq\nY0JJRWhLUWtvZWVQZHEvT3FRQ3BUQmsKN+UlXPD5hwUBa7dSJMt/Smjaz5jfG824\neJHaQskY/aRvC4CMRCBUwANSs3raQQirb4R3+XgthrA/92gwN3LX1A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZUhxUDdETlZCRnNJbldO\nU0NiV0hRVmtNYW5TWjdvOThyS1RSaExaWmdzCjJ3S1lXVmlFMjIyUEdad2xDWmlM\neFJOSnJSc2ZIMEJuK2NLVmdXSzRvcG8KLS0tIHlmZTNra0pzVVA5QThhN1ZaY0lO\naTN2S0VSTVgwSzBVZEN0em53STE3Q2sKlaQp9T/T7ZRY8FLB7yksMOwIfRWs/s7G\nPk3JnpuptFehhI/FeYAh+0fznBuTCKjqXF9X96a6RIFIC44/nKlfxQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1N0I0T0VGbmV4OUVZSU13\nV0kxdDJSN2V5SElCTFRmRUJkT0w0QUxNWkZZCnlYNmI5TFFicjJhR2xIbDlkZjlx\nbWZFM3FUWVRsSFFqZDVBRzJJMjdaTVUKLS0tIGttZ2dUMW45M0FOQlBwMWpoNmgx\neVdabmpybmpiWUdlRUlVcEY4d0d1V0EK99D1AXnubdAbSO3X+10tZ4UFSn5WY8ws\n3cQXdHryJ7AhRP7jA+4G6Flyriuzyv6TTGepZyTal4vmaPL3+mrg5g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdVo5cUswRm1yS1BWU20v\nN1RlMkRXR1dhcFQwdXZhUVNWbkVrb2RrVmxFClZVVDJ1ektCT3NmYlk1WTBXVGUy\nWllkOTdlZ24wMHdKSmUzdmFMd0F6SEkKLS0tIGd3WGdueEpWTkNxQnZrbXdXTzhB\ncXVrNk43NlA2OWE1cnpqWmJKVktsNFkKwyaRDz53nk8nljSnqN+CXY7J1f2LmJls\nXfbOZfFH7Ayoelv0OCoWCm1ZfD5QLnTBoCZGCUw21r8YuXzu5+maoA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQV3ZXcWoxWnJEZEdQWWx5\nQ3poeTAwR1l5QWVmaUF5eUhxaU56VW1MUzJ3ClRJMW5JTVJIWlZYWFMzeHRZUHFw\nR0dlR1MyWmx4dWJtOXJSN2h1NHRqQjAKLS0tIFQvU2NWNmljSnNsZkFwMDViampP\nSFFOd1AyTmRNU3hONkFtS2RUbzBveHMK+tKQrsByW2KvpmYIFOmzf1J2N48ou1fO\nzE+gtHjSpc+bn8maRBNJxRfy3OKvNgfi+juD5shmdGo71TANJrAPHQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dkI2RXR4aDlSaGhxQS9j\naXlXdjdscjJqQVQzblNQdkJxaWpSZG5DaGdFCmcwK0JKVHJZaDNzU1FlR21FUkd0\neW5nWHFhTDZNTnJzZFI1SEdTOExwN1UKLS0tIEhaclEvbXllRG5EWFBYQVoxMXBZ\nSXltdFM1a3Y5bFREVzhBRm1YS0orMHcKUrHg6YkMF20G+GdLI0J1pj1zLe06Xn3Q\nWwxgB6ctI8D1qs+0GMoXB7sOsfczgYtVt1hC6EvYpmiHW+g54GGRHA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBualhJWUN3R3VSNXliZmxT\nbWduRjNkQXFqeGFyWFdBSnhKdCtPUnJFUVRjCjNLaTBxTE9jYU1hNlZDWWJpeVY1\nUzVIMnZrUjY1d05Ed1kzU1BKbFJpajQKLS0tIExxcWdqSXlhTXphYUhWczZYTjQ1\nN2dhdHRYUkRLdTNjTlcwbys5eEdKNWsKnIXUrRJR0M4cPgSS19DBd/ovTAYchUL/\nfTsfVQJnDEiD1QoA6YZd7XZxya4h73KeWzfi+hWBpRW8ZawzZRlyoQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU1NCRFRYUVkwZ1VMTVlx\nVStFYlBaY3NGTThpS1NYMnVSdzVCU29NV0NVCmdKU0dPM2lySStVOENZajVRU21C\ndmJHVkhqNWFpbEpqOXdxd1kydjNFTXcKLS0tIFI1QWdmSVRHaG8zV29MSFJhRWU5\nREt1THJJR0RrK2ZzWlAzQ3dobjVOM1EK9sczJcZo9sW/rlKczTo3PYRmgm+mJ/ek\nyRniR+IaC+cdiSIuDS6nz6XwGqIrTpBjizpq3a5uWTzwzscU+uMuig==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnS2xSc1lqaUhrS1BaZlN2\nSXdVbEJpdzRYNkp0a1MwQjhZNzd0V01DdEdrCmNNTzNFZmhZQlk3d3AwYnU5WUdQ\naFFnTHA5NGptNUJ0SzZLWjMxQm5jMFkKLS0tIG5zWXNZWW1lZm8xdHFRYmRmVVJt\neUxUazdTT3VlSklBejZjVm1NTXE2MGcKFPA9tQB5RRfwnyfCcGRE7hpOxqkD52Q9\nohSQW87SmzhP6srUiAoao6cXihSk1mjtBU6HADL+TcjhchxN3lGDEQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4L0VvQXk5bWNVc2FUTk83\ndGp2KzdrclF3bW4yQlV4emdCQkIvTmV3WER3CitTOVZVWmp6Um5NVEs0aGg2TFhF\nRWtueVluSUMySVBjYVFmaHlYM1ZhalkKLS0tIDl5ZlZ6bEpIZW0wQ0phbnAwbThV\nVHZ6R1lCZE52alJGS1ZVMDljQzZ0TTAKptXEII9sr9zkdAXJLLCKVd3E3pOsgnIB\nLNqoJfg336E2aquo6LCjtBA0nSBxHkAnw0FFz81Kph7zK+Z1+tFB7A==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVitUYTlYb21uUlFjZ3lF\nTHJFWFh1WG1DNzltUmhYbXl2L3owRnZSZ0NJClFFSHM2SDBKQWpKbkVNd2NRTXlv\nQm1hdHJlaExOUm5zeGtVRnlUck5LN1kKLS0tIGdkSUFYMWkvQlA1dnNTZFdxVmNm\nVnliUHdEVis4VTFXOS83MWlZWVVmcDgKK0vs2LIng8RGRv2yCK8luWz+oJyYFEYJ\nvB2+jgFyFIBF7HQa0lPJzZzu7Ft9bPfskHW3APq+e403I+kJAIC0Jw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcEZVc1RpbC9vck5zYmh5\neWxObTlpMjlpUFZYWExCUDhQU1BHS3EvL1IwCk5xelVyRisyZUVLK3ZueUdRTmxI\nWlhZSlJQT1RSZXNZNWlxRFJpenhvb2MKLS0tIGlxeWl4VnFXQ1VVMXNmM2x2WXI4\nejd6djF5d1k1cm1Kd1JuNVBiWnI5TEEKnjIih/AMCQOakcmiEpG4Fqa+yYDafML/\nSepnQsojq99JF6oxtGAa1P6ibmAIglRtyo5ypRRTVMm6LWt8Nul1yA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNngzRXZtajNqeHJJTkln\ndVcvVHV1bXZ0U09HYkx5Sm1ZcWpNVGFvS1NVCk9URXFMcGNoZEg0T29hVGVpRHRQ\nTkJ5RXgySWg3UWlJTXZMeCtxNFMvU00KLS0tIDlQNWZWRi9YKzQxK2VpZThLM0xu\naUk4aHJvcnhiZEQwSjZJYWloM3hyQ3MKn1X1EbTkSi/8IkjF8iSlRGd0MnP415sJ\nzfevVvPy2xVX0S8VS8C5keICCeB9pc26dpefQh22VS5BHgZMG8YaPw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1ZXpKOHRwWVByVXpUdHBS\nTEJ6dUJJSUQrSzc3MHZ0WHV6ZnM0dzlwTURFCjlxLzVDTDZhbGVpL3pQay9Md2lh\nTStxem5adyt0TVBjRnhsNmR0NnhLek0KLS0tIFhlWkQrKzFHall6Z0JXWEVMY0tT\nR040ZnhzTWFVbnlXdktVWnNuY00yU3cKmNYw+zRsH+KvxPW5o+fSKPKAVbxiVIoJ\nLZNXdAr6NGYMgKmvhq68M0C0mbLmmo505qb/oBntbfoGZJtSULAUnQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MXBXRGxLZDdlUkFWdDdK\nR2gyWGdnQytqTkp4VzF1Qm94S2svc1JuZkQ4CitMa0gyUVNHT0x6Z2l4aHRsNUVL\ndTNTekw0T0lLdWRSRFZwV25NdTRsOXcKLS0tIHptd2tBM0hCQ2w3cnFxZDM0WWov\nVVJBU1dPN1RGWFhCZDUrdk9jMmZ0U0kKJ5Dt6N3ZATCQSO/PMf2AQDRBpeyAu1rq\nu5iDJdRpy17MdiYn02Tdd/c1N5TU5TqTxyePbEnAmnWHeGFronk17Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJeUVRU2hGM1RxS0d0Ykw2\nazc1MWd1ZEZweU9PRFRPRG1BblZTakx3WUdjCmlyZitaZGVwZHRZWnRrOGdSazMw\na25McWhRZ053Y2lRNmdMc04rNGkyTWMKLS0tIGtXRkZWVHdmRTNYcG9xZThZY1VY\nZ0gwQlptSHRzOUVCS3QrNkQ3aG9YelEKt+43DmQ0Zn1x7NIWl57eGxG3gsALxhMv\nImpMryrccmEV3Ddc2LPpxIaRYnFBJhTKDNOyuSOSD+I471PJlOu9yg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrb2hmUS81MkVldzBBS3Bs\najVGeEdpZ0J3Vi9ZekR2djc3eW13dEdCZkNzCmxHSVQ1U0gvVWVUMFdkV0NzeVl3\nNkZDeU92Qm93Q1puZ1V0RVdBMU5MckUKLS0tIHhvbW5rY245TkZzQTYrNm1sd0tk\nY1N3dUNCbVhxL0M4d0hPTEVUUXh0SU0KBJI1e11cg1kSrKLdS3+18/f4KMqcVl17\nyNq38yKRqUNqZ8fV3f9usnZv3qdWuZl9XxNTfqsU6B79SKbyrZFcyQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3emtuVmF1c1hnZFNtcFkz\neVlnbW4xKzJIVE10Y0NtWWZLMXRQNkI2L1JNCjhpb0dmQU5pa0VOZnNaejZSa01I\nRldSSUxOKy8zekpCQVZtUTFMOGptZ2MKLS0tIDJIWDk0OWc0TThTTDJvdkF4RnFn\nZFowbEppZFdBc21SNWlFQVo1bE44ejQK2YVQILlu2yxCkTdwAP7J25NOgSHeNgJj\nOCrH1TU7mjp6dlB/hxeUWDRCbmqHs9ko054ZdXrxY+9BeodA02B1bg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1OHRiWGdUYzRQeWUxUFM3\nY3pyUlRONWdvTGdJamoycmtDeTZTTklxSmxZClk4K3BvSThZNy90Q2pCTVBYL0lH\nZmZGSGdwcE1WSUV2R2VVZHlqL2RnOWMKLS0tIFlQTkhaa25tZDlKZmFMOE5GVW1k\nektlNlp1dWhTdC9ZVnVpb09sWmRCKzgKmNJ8XgJqnBh65PeMUb6VyfC73Lmvkk0y\nZuVYLVuBdHqPIPZ2vfqlDpdK/ejZd6ASAdkcNFKKJFjKQwa5nvLcYw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NXlqMHAzUUZtbDl4Nnc5\nNmxISjVNUFJsNHlSUDl3U2RpWUV1b2phb0RVCkowVitwa2ViaEpFZUVIMG1LK0ZL\nVG1FU2tUdUFhNzRTeGI4bnNoc3ZuQ1UKLS0tIHZ3amttT0VkbkVuTG9yWkFQcEJN\nc0VqQ2RKb3k1Q0pkV0RjZEg4YTM5dG8KkUaAqAlF5hPuENwYWjVXFETePjtW7w25\nUUHOYmr+3j77FuT44TKYlmN4PJNAabbkDAcXDhBvtN4Ja41SGucy4A==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1eVJsM2NIRE9EQVJDNWp4\nMFJJeGltY0dmK3UyWnBXQWJCeFZTa3FVVHhjCjUyVGdqNmV5c25CU0tCSkIyN3JH\nQXJmVXdGb1YzZGZQR3NCWXNJY2FOeVUKLS0tIEhqakc4cHBleHFPamkyNlltZXdQ\nT216NnAzcVdQT09vZmV4Y3hxeWxtajgKgIkJMiQbPt3y5zbmDcgAxQKXUkA1JEIy\nUSMOusghzm1rbro74Mjp61QY7Gf4FP2OzDKTu8Ha5lMbjC3bSq9wcA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3dGRuaW5XTFdPYlZMNkN4\najZRc1BNWUs1TExCdTAzTCs0RGpDM1lPMXhBCkxac2NmY1lpZmsvbzA4cEF4ekt0\nb3IvQTNrbk03ZWFKREhPZnp3OW5pNDAKLS0tIDdYYWR6NEIrOUtoYWxZdEJDWmdm\nT25XdkYvL2tXOEtFR1U1WlE4RjVGcHMKZ5MM7iTvGFi34ZoTNg65FHrJKa8SONcT\nCjdgJIcU/7wFbgTm295vvjfrXw54+pKUT3u9NqmPGVkA0o1rsBbZoQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURUFPTWRmMHRXa3JpODFx\ndkxQbHVCZmN4Z3Rnb2FZRWdMZjhmQ2ZiMEhjClIwZnpDS1dMUjdtSVJTOUtUSG1r\nZTdKM0hBRHZHOGo0bUZOSHh0ajMxY0EKLS0tIGw2TzFDMlMyT3ZYM2NCZmdvM3NW\nai8vaitmSStJUVRYUFlXUHRvUklYU2sKyQJI/SvpYeT65edWwGTMbOAq3FlN5XTJ\n7m+TkFHpGi1lG35aGndtYDqeXFRyOL1DbgRHO1AvThGI5av7+A6VCQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdEJUSGtOQ2JEcWg2SFJR\nU1E5NmdwZjhvYTVyK2NNeHlFOVpmVk05SnlFCmxJTi9MOWEwWS91WFBYdHc5S2kv\nOG8zRUJRSE8zY082eVBBb2JiUkkxZGMKLS0tIGRrSm1kY1NKRFk5K0t6bzVuU1hu\nbmlKZUJtVVBCb1E0NEJVRVJiNzMyL00Ks7khrDa6lLXFox9PB7VVas2qhDlymhJg\nX7By+etk2D0H8jTj/N9quJOfHZppLVuFk5w1rpIuJ2up+56Q/dGwNQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2026-01-02T22:08:10Z",
 		"mac": "ENC[AES256_GCM,data:dwn1YbVF8pXOItkLrdPHIXN3ZoXsCuoCcCuv9Cz9UQBKaIISS7xDpwVLbpf2DMxPmpzjq7cbJHTe714Zi7uN9t80wN91Kt1YKIsr14kOAuJkoCZPh35Sanqo0tL347C24E3PrpvB26RWGPqA6CrKp13swDPpljMrdhz9GO5bzo8=,iv:NiEV6uQXthBauTe6otoPxaoPNsaEKQ0JlzZNYna8eg4=,tag:mUc+AUMoDADysZCSin5XQA==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2026-01-02T21:17:51Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/8DSXgLzTxvatqeyCClZwBZ1fczXzy1eCVMRCtd49ci9Fy\nZ28xzCeWf78i5QAEr7UtrkfcDYXojsaiTROQ1VbWm+Xx5SP00sOTsmlMlz4qAVpQ\n2uhIEX+v14jkTh4xluqVmqMnq2cFQCNSoCEJfeUzYiH+IR0JOpltGAsewGc8BVPF\nKCl+/PnybTFeNXNvJV+k6jdw9pboAid6ehJVFW0K7iJ5Ine4fCsnlTSs1xTbofhB\nfzxUDZqLc5VpwCvlM/aN/pFGwGhxezXwYo5arFlcW5ZTpakVWlpBQ9+qF4gSTfTU\nfOaLnKexJnbEIpfK3IfmftZnoSEucs+DG5Fyxf0TNXnovVBk1Q24f3r3b25lL6Pw\nLCkTVc1WB3EVPDkLho1KGx58A2BTLvl8beKXoBDpk+rIFnABVYjqjJcxRSmqgkV0\nSgYxAghk+6UZs9iREvn9ruWRaYMJz3Zyda1cfdbyeqRDi7cT/C2jVaq7LLDSuUQW\nwyKjrAXaHtuNa5goUwPnT4hDgImekXC8N1qR5fzI47/ZoYymeCxGt9z8geE3hEg7\nw4jYcIV+oHFenu7RB3b3NOZwchUEeBFPGlA274oM3nHrtKpL3fclnV1hvHmNEB0u\nirclqP9EYh3DLfvtcXXTpE8Pm5/8QPVbFTIqcc3RMA7b+SE8ZvE0xgMC1PxJN6uF\nAgwDC9FRLmchgYQBD/47FReVLf9fl8aqqiDUnWz3/3Rcz+KUp7UisUgDrdi3L2wv\ne8mYl32v8qOPVPkKyEPIdjLfLhdcv1TxP3U6UT8C9TeP3Edile2s7MbuO6u1V1yj\nSuCez5naXww4KiJozwl6FtAZZZ9aKRLLkxsPcfItkCPKlxcKc2DvEDWKOdHBWB0L\nKYBf0u8bF2SUHR8ykeKybc5imMg3/jI8Vbu0gt8TfihU2btqwR7Pd291421S6irT\nK4/8VCsB4uPz9JxF91XfW5m86NPCTODcTB2C9VIWmdkxnk4jpQmv6qwkQqVKdApN\njJO8P4vgu2iB12zq+dsmx9W+TfSizocrCbuUBieq64EOx80QtZEgGc8ORf7MWq+1\nrO6iC0QjlUnAW4oRNV/Qv3l7NSm0pCA9XQL9x7PMh0f3rTYLajOrYDI7cZticAA9\nC7ZuVjUiMB8ykj8nfflOsXUJyHVYT8njeMqVEixEWehj6aq9eMx1VStphS6C/cbr\nXQT96ISnIG0fa6fNqEqzXBES1HYvd6Wo/jjH70wzNCWezvJ5IDANPkEhvThc+MmW\nxgPSK1+1UEzJGQ7uDo4Aadwn/Fym3P558icaEdjt8Ykay+gZsIi7ANVhJa0SI5tk\nNKAXvcSA6Dq9tnILre+oLewf6A/AfFdUesiantEaKjUgWQtad2P3iDqyJHtsz9Jc\nAXI8hZQSfOmDjpgjG27pTajjhmwNQ7XD2ttm1iHp5ho16zYtS8bDtX7bEB35YyM+\nFBuxrwcUNDD/mfi9uAtcjQm3x/IdLU4e+NL07GvSEWRU5H8pUBPcaOeUqLI=\n=pnj0\n-----END PGP MESSAGE-----",
+				"created_at": "2026-01-04T22:59:15Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAA2YLNxz/sThqhzyG/y8eiKLCXlB7GTZeO7UVw5IQWEvCL\nGQELWjkdVC3KqdsJL6/TmJHZGiH5Wlua7yuFmLGcvGYWQE363S0mhKZa3QmUeVhl\nT2nq4aCmQ+cv1zKZUNzi8GQsZ/utGlxbJrEBBfJxLUq0xTgZKcl9XJsHi8uZNO/x\nzOmUiR4DsTu0h9Iun05FENbydmoscTyI5Npi299F8NpAvyox4yWC6Tu4AjCfVFCA\nEJQcCMnjWO6Ux4LsJMgqVJEYFMkuyv5LV5zbFwO58GYaj5M1jxOggOZRAAjzLSZW\nCB3Sx8OM91U/ajVzfP2tmnysDt9bEN/f0mhlSm5pHUyufC///xDFoXfgP0x6N4/G\ngxEX+JyRYnfxaZyW/i7kIREhxWFbE4RK6SJ7toznjxFE3Jqk94wzW6tEOzjs0m5r\nReUliQKdqfzYTsvJGFNNq7N/OK0hPI+Zu26XbyBcdqRRMCqHTIH9bl0ThZ4QaO2G\nG7r7WdCmNsw6mCz30w8eAqSQ/ICEF68Yd6tXNfM/xk5Rh7dwdWqZyobVJ+3hQUwo\nyj5rQzjk9GaZHtUB1yvpM1GVFFQqi93qCYImsGuMLtRwnc2RCsFqUYAL4/i8QPgI\nEWd5s3kydbCAs8Q3oN5wnNrRkbBFY5ThOZTJlu21EFjmpV2fIJ5Do9Z3nOpZQWGF\nAgwDC9FRLmchgYQBD/9ywMb5GgyiyG8015QNtDqOGw6yCE6pUSzusuxmXN7yECK9\nAn+cVeqC2c8ajdrVs5fdiG+IiPBVm/4Q5r2ZFYgNTMrNTLaar0c/4+72PrHXISQP\nk+M9H+toy44AleSDbncYWTHwcMWwBDIrKad6KNrlTc0K+wn3JXGlL3ZPo/cP1OUo\nM78KdWo1bc+fHljuHHtmAzX3K89JZasxM5kW21vd0/1jiJklhH2EVrphgixIbXIb\nX6lt5zQVarl6vU6wTKSKkRhYaC/1t/vGPl0Tw0a7jNR4pCRZo9GgwOJjgkYLa/+s\nZUOVqDJrIZsTr46WJcBdxRQ4DFMUxPB/Mq7qKzXH6freu2BjBG33ornLedmkLElS\n+QYi93cDlsYtw0+K3eozr/jkd2yY2GcQPtmjdkI4KZ/ShnaPdDwR9G9KcGVDeJXm\nUUSqyDndko/woZc6sXBBYMBFy5jmYO3A+K05Q3eq4pGn9WUrTSVVUxV07+Cij2X2\nAL3UmSV7yBCooPc1tjiz0XLVJ0/Kb8GZYTFc8PBpT8eATYEtLawGAAHa+TY3gnW+\n4np6diWggYK/8LtUXVTvW5TKTFDQ/cXwzHAjWYSgHo+z7jvU2JI2nqB4Z/Srzztt\ni6VlLOHqZ5ODdvJqPqhciUZ9NSxeGhsPi6yS0dkrJQC3XjxYLsl2/N0clbUoltJc\nAUuhQ+EbMNJSYan9rD9RYvIH4e5Bh8YSOMHnnnham8wfQCr85f8RMvUxczUu7Fjl\nUPUdcZy2QUsaNEJsCat5z1pMbwSdWd1rtf4j5/ulaFvyv1M0Yazt9yQTQV4=\n=VUnT\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],
diff --git a/secrets/repo/wg.yaml b/secrets/repo/wg.yaml
index f7ad2a3..5dd0044 100644
--- a/secrets/repo/wg.yaml
+++ b/secrets/repo/wg.yaml
@@ -3,6 +3,7 @@ wireguard-twothreetunnel-moonside-wgProxy-presharedKey: ENC[AES256_GCM,data:Y/Ew
 wireguard-twothreetunnel-eagleland-wgProxy-presharedKey: ENC[AES256_GCM,data:dF8VPApd6iYKIZjBXB2rjIXIxyy2+U76TdyFuyUW0zSbtjzqn1ZKrhX4w/M=,iv:GqOHsS97di9sHqjndlq0EdWLcJ1EMLmDOnFJlBgTvYU=,tag:PdxEYlg3lPShUJYlANLjhg==,type:str]
 wireguard-twothreetunnel-belchsfactory-wgProxy-presharedKey: ENC[AES256_GCM,data:NAbVE7ysGDD6TT0RxdL6bTNloac4RBU1JWeTFqYo9PO6ZU2f/yq6aboi2AA=,iv:Ky4UvgRDEG1UgDmi+m5mHWHO+yUGzphQPYIuyAXDkhw=,tag:WP+/8q8jfitNC/rXN5Mp2A==,type:str]
 wireguard-twothreetunnel-hintbooth-adguardhome-wgProxy-presharedKey: ENC[AES256_GCM,data:Gr9tP9SkizZOR4brFO3+7PqDC9pG5RojWa+xDDtqfZT4Xo6ZAN2002WGUXQ=,iv:Zj7oy/d/o5sNYTsyPaUQ9Th/xDuG7o82NpnP6TZzqeE=,tag:OI/DCxjJNpZC1C7foO4xsw==,type:str]
+wireguard-twothreetunnel-hintbooth-nginx-wgProxy-presharedKey: ENC[AES256_GCM,data:2LdQ/gIt42qnoK8ZfaQO43YzZr0VZe5guji8N9n7o2eNLL/qMQ5ZFbFNa0o=,iv:3U1WmLaUi0CDLiW53PwXE1zvtO5YWfdLw2O/Kpudyww=,tag:CTmwvF8CA6MrqLzQSGoBtg==,type:str]
 wireguard-hintbooth-winters-wgHome-presharedKey: ENC[AES256_GCM,data:57KGUxn1BibZ+9H9mXg9EYmcy1JBX+M79ACL3Qt0XEMl0dFlk9Wq6cr3JTg=,iv:9QHdykNlUU1H0uco21zA8leQH73PAeL+xTVi6V9zx7U=,tag:6mfSCddnVGMBEAqCHDIIrw==,type:str]
 wireguard-hintbooth-hintbooth-adguardhome-wgHome-presharedKey: ENC[AES256_GCM,data:zBfV5HMy3h6q7yEF6Cu7sCTONa8nJRmMDHgVFvHVinKmyj0qpf/WGfnyb3g=,iv:3JlNgsJHkE1EawLWIJaZsiZlu7pN9ymFQ5ZqdM7W+AU=,tag:pGfsh34HnL8mUhKyFkLniA==,type:str]
 wireguard-hintbooth-hintbooth-nginx-wgHome-presharedKey: ENC[AES256_GCM,data:BGdVjcCyhrSgIIZtdoBUscCitNjBat56YjZOFx9Vao3vBMjoHFGY1WFV7zk=,iv:wxVClKJE6R178vCp/RE3PgBYYLIvOdSV97AfJagWZ8o=,tag:zbuMwlJYIKtV7ylwvgLutw==,type:str]
@@ -11,161 +12,170 @@ sops:
         - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOcGpVNWtxdTJLYWwxakNk
-            dW5vRTNEOCtBNzlPbEpGR2g5MDhIYU5pWmlzCmo2YnRGU3FCZXBXUXNTdm5qNzBD
-            dWNHYy9kZTJwaWxHeFFmZFh2ZTBtbjgKLS0tIEliVHZIbWFFYUdOUDljNVNwUTNS
-            N0c2ZStaaU8wVFRKeTAwRmtDV25wc2sKjFO0FeMx3v5Zn4Ipm2549/boRorripM/
-            q11ro/tNhsSt+GJ4FTQA2hnmRj+fG7BQuTw/ewXC0posKS5optxAbw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL0RGd0F3ZW93YjJabnFC
+            WWNZUHBOK1RZemNraWF5MXljNGRUaWNDRlhnCmZ3NlBJTCtQWlF4d1BVV0hLY2NQ
+            TTNEdlFmb2MxcmRkNU4yU3NmZ044eHMKLS0tIEdRU0VjZElSNnVMREExdlpwaE01
+            S2VCaEN0SUkwdWY5ZkxVZDdkS2JqbFEKaG4zwEtWtrVAW8jvFgwX8eoe7MM9X0cQ
+            E/R67hG4G/kewIj/gz3dbN0vI+hvTdx+doR1MVYiBee7iqmgICLTew==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTUVIQTFYanlUQWswRUg4
-            bSs4ZWZYcnFMVUlUUFdyVnE0T21IVkdWbTFnCkd4dndFcWR1RXRLeCtXWlYvTUFn
-            Uk81dHZXdTBSekJkaEZxUWZnZnUwR1kKLS0tIHc1a2tpSmNOc0s4akRCVzVjcVQv
-            cVNDL1JGd3dGNnIxSHhNckFLcTFJUWMKzqsDS/S3wHigjHBSgztEmg2na/2fR9As
-            JxUe/ZSdEaMKDj2ZJ3EM8u5aY6Sp79aNypHsPcOXjhX0VoAwPtRqFg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMmxLeER3Z2NZMHU0dmlE
+            UEdKZ1dKdVFzZzYyQ095WnNpZ0thMFZWZUE0CnBtRFNGZEE3Q2EybGpiODdES2JF
+            eU9Wb0FFVlpSNUhXRnBFdnN6bk10RkkKLS0tIGpzaUdPeEtnY1BjSUJ6NWU1SU5a
+            ak9OenBtT05lWHVXeVl2SUZ0YWZ6UzQK11o/FPoXrkjOry+4+oiE831HPQ6Cv8Ig
+            V+/zAg2Q+pRsMuVddE8w6S5SI3v/jgTZSGbxyC8Csj3wNxxBvx/SgA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMjVXZVFnTEczbEg1ZXBG
-            RmQ0c0RoZS9pWXdhT0ZVSURLVGxTWFBWM0FjCjV4cjVER05YZnFaclJnVEllSURy
-            YmtzUzdOK0pldjJiaFVKVDcwY3VzQncKLS0tIC9xMUd2OVlsZ3lmRDYyYlZpYjUv
-            anFDWE1CNGljY3ltN1lpdk9ZK1JySXMK58PNBo74DHptQTfT1ozV3Ikgf5BccRIH
-            Bw26F4GF8hjJL1Gp8szouJ9iN/mSNR47NdQN0nWy0GfOs5fClFfWvA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SnFWVkxEanFYV2dKY0R6
+            d0dKWkRJK0pBZm80SFdwNnRENjU0TUVlalhFCm9lYmUyVHQ4VWRuNWFOVENpcldw
+            RjFPNnA1cmRxZk1Bc2s2Ni9LeWg2aGMKLS0tIC9OckV0bEJGT0NmbzhyTjMrUHhD
+            ZHdpQUN6M0VVKzhCcDlBOUV2VWc0Z2cK7Ns4QO4dhpq2zSEuDGePjJfXRdc3DS5O
+            +nWgDGYzWxq5dRXc52X3y39ozi3cwGP7hysVvVvAANrJAq32T7RljQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4T014MWhrRjdpRGkvallr
-            cDIwME0yUzZseXZVUlBra2d5aXgvOFh1SXdzClM4QS9zanRhWU0xZVFSdktDaWc2
-            TnFWL0N2M3VmUFVMWFN1OGxqSk05QWsKLS0tIG14L1BiVnJ0NFJCYUZnWXl6TU9v
-            VTU1ajNOTWxWTG5OUWRFMStLRXJlTEkKR8JA3U5MLBwMnFDZtlbrkJxmY9nENsza
-            JCmxPW1BTH+VadbefjGPAEwVj8XqgTCw5f8awNNZFUUe0SIud80pmQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsQ1h0LzVkVFo4TjJWSHdw
+            Qy9ZRTIxcWNTb3NHcFhZOUJTY1J1Uk9jSURJClg4Qi9VSGFBMFQxYmJySzJkSjND
+            NWI0T29kVDB1YWhLamgyRE4rKzJFaFUKLS0tIDhkakx3Zkdhc2R6YnFPenFEV0l6
+            L21HWmxpT0pycS9jZFRVVFRuSDJJWnMKUl6daQgN1ldztZNGQZHix0tUNZVTnS2U
+            XvY3OGGtFfqYf/2+GfZmGsJEKMPAHX5nGQe2vyez5jrtYIwI4WpGMQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFWmpBbXY4YVZmVkVzQ3FW
-            eGl1SWZqZWFSa3lmNFBNRUh4UG9qREhQR2ljCk00bElJcHk3dTFNaG5FT1NiOU81
-            aENlNHpkckFoRUVpakpmb3lIYU4zOEUKLS0tIFBpQjFEa2xiMmNHM3NhKzMrMFl3
-            Vm91bU15TFJwSUd5WXI3VER5WnFEZlUK89Iu2PeG/7mXaTaCUClCVL44VFLJEZpM
-            1s6QFAemy/B5UYeZBQsWiN1v9yAktvA+B7BeS0lyZohpV6SypLgjGQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZdlJuN0E1TEVKT01SWVRk
+            Y0pYeUxHOHFRUFRFRjlRY0prOHJkTUNncGlzCkRERDM2bjZBcGx5Zk5MV3dmRTht
+            bXhBQzBxYXQ3OFhoS0ZleTF2TnlabzgKLS0tIHJHdXM1SEU5ditkUlRYejBuRk02
+            U2l3Qy9qNzgxU1pBK1ZNaWJmVVNkQlUKToTU77sH9hEwJerlJTNftzV/cD/Tx9J+
+            2SCd3HyfxEwRzc4nbpJzATu+gnSnE9AbwFdrYlIayaJtT2nXqgJXSw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RW9MOXMxcmZQRkhKcSt4
-            cXJRYnVPVytOVDY1dlAveFg1eWlMZmxqcTNZCmVhaVZyZU9VcmNVczFLemNuYTJJ
-            SG5WWnNJNExBanVJb1VlT0VIWUtmYzAKLS0tIFBtSDN5aEJRVC90ek4weENZSmhQ
-            QUMrY0dlMStHZXY3VzBkZ3NZMFVnYzAK9C1GRRqXNWesrK3JYwol3hDkmjaBBUNW
-            3CroUXgWDEQ5U8M3aFKSdhXND3WkPdDAKpt9cn34lEtlUOoy4MF/AQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlN1VaT1Q3cjlETEZTbEZZ
+            WkRlMDRzanU4QXNnT2tyWjhTNCs1ckoxTXdzClJnR0JsaE9JM1Bxd3lGcWFTYTZu
+            a0d1NXZIRDdKNUZLTW9JdEdDY2FWK3MKLS0tIDRIb0xxYWhOc1pJQmt5WHI3cVZ2
+            eTBLZWh5M09yekJPNGVBMFkzSXh1Tk0KgATVjuxSUd3eqJV2HGV3cMrTpTtfNSUb
+            SJH/M7ixk+0GQv3DU8QvuIAf8w9/uKjs9nS7dFlHVrJnDWCAKpNYgA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TTV6QTNBNzV1T1BVQUlq
-            OEVGUFpvNDlUT1lWanlQZ0E0cDhaY29vRUJVCkVVbzR2d2gwWGNESUZNSGJianBC
-            ZDk5anJ2V0hwQUVEMUg1dmZFLzFLODAKLS0tIFlGR0xGamFKY3lwUkhaRFMzK1ds
-            U2dyTlNkdFVTYXJKQ0pBRnE2S295czQKy0E1Iajqkzg8cyTYNXoqf9bas8BaBP4+
-            x7kjIbKIgBbWpT3niLA6Zl+SN0tLva67ddau4undz7YA7OZ4VzZ2Sw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFb1d0VTFSVVYwdjNaUmt4
+            WjBBelQ4QlYvNUcwV3NVbUE3OEF1WlJqZW1RCjc0V2U3QytGYXJTTUFadk12V0Uy
+            QkwvSXZRUEVRMzk4V2ozNE5EWWh4TmsKLS0tIEVkRW5JUTVWSVAzaVBpaGdSWUNC
+            ZzBrN1VlZ3pGVGhaY1M0cWIzcG85R1UKSGFw4lYFtwEuLKNMmNew3ADiXHjv8B75
+            NjeDvYco/mYOj8+TyqI1QHmlo2GjLSNX2M9M/Y2Braxe0obB41KsjA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnajNaMk9JcE1xSHpyOHV5
-            L05FL2lPd0ZBNVBEQ2thRDZEdHFYL3Nnd2hJCjltSnJ3MUVvSGNyclppNTA5TGsw
-            OVozcGJ6c3RCMXkxTnN0M25RcFhyVDQKLS0tIGljdHZUaTNhVEZKZE1FbXNaOGVu
-            T2k5RlNWWGt6a3NSSE9CQjFvK01mMncKuUQ8PeSkfj0RJgDRWbFXBFAuWAOvKAox
-            LxBKr1TZ4oHIYJjtgP9mnKpNL5ikda+EkdEAt7V7exy2m3SvV59frg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubWpoclVFQm56NURMMGVi
+            V0FBeUp0RnVnYzFiektrTmV0cGh1d3hVNVdzCkF1SEhFcjJ0N2NwM2V4dWVIYmZ6
+            REN2NU5SK1NxbXhMV20zOW1mbHE2N1kKLS0tIENSWDBiODBKMFV0c2RmdUIvWkRJ
+            dFZhWmJNWHpNQmtlNzFySkFpZjdXdDgKsOnFEvnjrSkhoBCkXIiUaDjJmAEueux2
+            HAIIm4jHQYlz/v6j969TxaAln5KW+78ao+Ma4by9rX4sTckbw2bTBw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TFR0dG5YVjRYZUs0bk5W
-            SE5aK0lRWGhMVFhNNmNKbCtLa2tibXhJL0JzCldGN1hNdldXVWJ0b3VwaVRFMzk5
-            OTdjTGpMS1NUTU50RjFRaVAxSHcrY1kKLS0tIHNvaEdING1kc2RMalhZL1FqL09K
-            d29KMENYVEVyNzUwNEVvbitXSHVjUncKokOmKLepXUcsYf/5QUBlsd0G8ZyCsV6T
-            z9otd0AdEPeRTSbh5pJ05WYEIR929aEPlaLLGhIdEI3XCOHey6GpvQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTUUxY1dqYmdLbGdVOTFQ
+            T1d1R21JV3NzZkVYV3F6M2Zxb1RLd2t1L3lvCnRvTFpQZGhUNldEVjZSL1Z6T0pY
+            UFBxS1kxUzdOSXBGWllHcW9jRG15S2cKLS0tIDU4UUtUeFNEVWI4bC91UWNkb3hW
+            TkJ1Sk9ZZE5oODFXS0JlcWlNSUk4UmsKtTTBv8uYQFSFlIRdzpBl9rdHPxpIHj/t
+            agccAsKe2x+8OOZZEnXhwsI5Il4bavm5X2orsP0kUcyfkuRLR++zyw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFRFcDc1cWRLeHhmZ0dB
-            RFNOVGVpMENydmRMRkxuWXpCaHdxUWVwa1IwCmRUMmUzampKS3BidFVLYjJEOU1F
-            eEFqVXRCakpTclpGOEpMbUdVbkZORkUKLS0tIGdjUkg5UmRuV1M2Rmc2Uk5VeS9t
-            Z0ZtWWFRdkl5NDQwVjcvYmxKVG1wNFEKrP04VYIFR2V48RqpAMXgp1sDbr1NH0+0
-            kvWoYuJcaKB1Tw3xBaLmrCjKt5Xd54linwpgidX4dOAqHjHWyNIHjQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZkJacmZqQnNDLzhDeEpk
+            MWxjeExMd1hOUlovYndaNU1qdU1qbFExRW1JCjBZUThjZzNQak9uL3NHVUlWakpF
+            N3NaZ3RhdkQ5UGllTTZRTjBxbWpqRE0KLS0tIDlES0tSNWl1TG0wMEJKdVBWYUF5
+            Q2ttL3pZbkVFZ2Y1aWx5bXhlem9tOU0KH3JQ2Xyz6BK6rNHNd8b/Bprot7fwUyMw
+            FFBQAILpD79ioHvCzanPvUj4KoLd1jU9nRKMdXX0hcWOQchoQ/XnBQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeFFhbTRvQWNtaUNZWm5l
-            bnlBbVBlb28zd3hMRTFxRnlacUU5dng3SENVCnFDT0J0VWJmZXhueFFmTGs2TUlP
-            a1I4TkVnY2JPSkJlUmU2U3R0cFUzNmMKLS0tIGNLb2JVNnBZWDM0QngraUFkSXB4
-            ZHR1N1Ivejc2VzFVdUlKL0lvdXJja0UKENB2JzmrXT/sFVpVzxR64OpoGwq65Q3H
-            KamGdqdsD1+MYsbnklUdHSJqqAbfTH+BYpjKtF+ZsPqaXcKB9VjKyQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHblVvWWpaWVhNMDdTbEZN
+            SlFTdXNzN0NRT2lVbUtpWDh5Zm5XTW02cGx3CkNvTVYrUDBDUk5lYWFOSEszR011
+            UzYyTnp1YkVEMllHYjlIdjBHcDRiUEkKLS0tIGw1QjBSektnOG9HU2tpUEg4VDM3
+            aE9iOFpHbVpPV1AvR0E3QzZkdWE5OVkKy6k35mWpKLew1VJyhBAb9+7VSg6+y2jy
+            1DaTZ+5drVLyMnfFqbI8dyO3laT/R6MqjEEvgaozUoHxjjELa0rTvw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWXJ0NUlEbXZNdHlzcmlC
-            N3VoaEFKVXdMTjJSYXV3Vlp3dmtFVCtNang4Cm93RDFVVXgrQnM4K2lraWNSVjBo
-            emR1MUlEdWJxY2h6RlhTdEx1SnpmZm8KLS0tIFlLenQ5WC8vZnpGVEZmVG1MbFZU
-            NkRQb3c0YjV1RnhzUm9CRVRtc3Z2MUEKbwFjrd9OxDUmw7SSMGYXjlzsMVL12iNv
-            31E4a7ZCPw0zucoJpB3kFkQ/0vveOHZU3bjj0htm89H1BIaW0AZkzw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWXpUZDdaRjJTeGoyemx5
+            Tk9rSVlRY2JTVVkvVUdGbU53SHEzRHlKeGk4ClN2ZXRlbUZ6Q3ZHYllKYkRObVJo
+            WjZ4eEdCNzJpNy9pSDFTZUMrSmNoLzAKLS0tIEQwa2NvYWlHTWx2YmxPVmFtUTJK
+            MTJGZWpwQXJ3cVRTMWZaTDB3OEVLbEUK2AN9O+L9GyaaMxAGJjaOeY/dLd8qhb8U
+            M8kMdQKNvhFJxTS6j9oMmfM6gIp3v79ejWLefXVjOT27kJAfw5QZHA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCdDZ1QThYRGJ0Ni9QNk9D
-            eE41Y3BsMmJWVkRkV05FWjhlcXF6ZlhsOEFzClBzZGxpU1Y1TmJVOHN0czNNcjZn
-            UGVQSm5RRWhwZjVDMDV6Qzk5RmljMjQKLS0tIGp5dUljSEExUGNxUnRZcHVTMFdj
-            ZW5MY1NJMmRJUmcyRTJnVDMzUzB3cHcK54+0I7202n4P1kZGaCI5kM5BRAnNh/ts
-            7ygeuksGvi+7gs2UFn3LCUdsaL7RsBuX3NBiVyBvE02gfKecT7W/XQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOTd4YlFodTN0K0o5dmZq
+            Ym9qR3B6TVdvbjlETnNCWE5kS3BVNk9iR2hrCklic1Rha0k1bU1tTjlqNXhIemQx
+            Z3hmV0orVFJuM3NSZy92YldiWmNBNkkKLS0tIDU5RkxGUUdERW5uUHlzZUVQL0ht
+            Z05sT0JFcmczS0kwRXJMSFozUFpOL1EKUEoSYae/2AhcnL9RVUtPuybiRW/ojm5N
+            g2hEYmjsIZCrYDa/6Iyyk7KHUS/55tD+zJtdp83b7pYan2FGvpKWcw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQ04yNzR6MXU3aEdFNU1J
-            c29qdk5pbjA0Q1FGcUZTaytrWFNyM3RXRVNVCmVyU2czclVjYmpmQmNuTmhHdUlv
-            MkpES2FmK1JLc0tmN1BBRW95YXl6SWcKLS0tIHhCendLQ0ZmbThYb2phTG1CWk53
-            TTErRmhuaDlkenNSdkxiWEVTSGFEazgKZj2nEn4bgT8+oVUG38UDGmNrq9wAk7sq
-            9PzYw3cjGwRUFwT4lV3vK8ZNU6DAepga7ebwxfPNjP35h9eMtRVQIg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRHZWeGxxMzJxTXprb0oy
+            MnhBT2FzYXlROGVGZjE2ZTB1djhIK1BZd1hFCkJYSEtlS09NYUF0VFNqZXpqdWxv
+            TVJJSlVTRHg3K0tzbXFPcDUyTytMNDAKLS0tIE40Z3JMMHlCazZKRFJUdVM1dGJO
+            R2J0eWJIQmROZU0zV1k0dkR5R1V4RUkKGcuP1pOhyABTqfiOrKuHM6id9uMuZsVR
+            QfUhXXve7RxghZu/eHYSPhbsPmK5Awt2rWzW/YWsNX/Wttrm6j13Iw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-03T05:23:41Z"
-    mac: ENC[AES256_GCM,data:D1iqvJh7qLoC6GlwFItacyb15X7LrnXZfSQQVhFRQRnVbFc/ECqM6P9OP4PlCfAH5Up0c/iv84MsE/UFubGKGR0i19lCQ78nLPNkFfvJ+NXg0sr03FiFmW0Q8hwzauzdMUiQr9/36D/ax+BVBTQyWgZEneiCY7KoDaQKJWzOGT4=,iv:+AZ+1u+TZNqrLMaDcHU0fgPsvx5HFprlKQExH5pIjyM=,tag:ytnj7FQQ6YivKncyZUHigg==,type:str]
+        - recipient: age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNGROOGE2MHN2TG9teTFX
+            NHBNV3loWTJ4MXRRRm4zc21MOFpjYTNLcHpVCmJDWnlKc1JzVExnVTEzZ2xMRDgx
+            Z28rK2JEZzF6aVRRWE9vZ2I5MC92QWcKLS0tIDJjV1FpcTFvN1NqcFpwVWUyalZq
+            aS91aDE3RkliYVhRWndkSDRaRkVjNFEK0BFAxjd+QAsN5WYiKprfpYOHooCs35Di
+            yw8IEn7iLdMXAJz7ia5GRHWF1fjF6Um7WaoyQqX50Z4NNh7w1KkuDA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-04T23:29:21Z"
+    mac: ENC[AES256_GCM,data:SfZxZpnYQsNQeAdIsnN5eGW7zha4IhCCsprTLk6YUwalDCBYqJ87AY2nz7FzdGvsm5WaojLTXBi7kOlepD3UnJ4v9Qi76tNYCVhLO7djGBW7t9gteyNsJwz2kxCZSKPXJ5nvTB8cLyDMZ+qedR7CO29dV/R++wQ04+Jp0vS8wtE=,iv:w8oYMzEhgjHMKJMpDlC5ukg2CEoG352jgrTF8zcUOn8=,tag:1SS+sLwjCBsdIwn2RoG9Qg==,type:str]
     pgp:
-        - created_at: "2026-01-02T21:17:55Z"
+        - created_at: "2026-01-04T22:59:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwDh3VI7VctTARAA001QiHU3uO1goHUTsx+QnhCrfIBDjVAHhZtj8CEx1tqk
-            YaxNUNDra1uyGQqwdH1Ly8h6cSzeUfEtPfkjsvegYo58PSkz5F6mrpROkB1mzzfG
-            /H3MpCHTzroXPmrT3lNxXZyYqxGzcfLBLU05etEiFV+sV2mjoV1nYY2gTnH8XtV9
-            HVayfxR4cYZOS7ox8SkGoTvZHsbNT5+jaJn7GqRjrcjmjd7S3gvq83ROe82YHNA0
-            1O04PSGwnaGC88E9Y/7segZC8Tl1e25Z0c8yMd8JHsn/RL8beHwUHTn6nuyo65Bj
-            Xmic9M5C16ur5yQtVr/+xU/FCbmkecsOL4u5YgECFt5w7zJZzfGUHa2Z5dIQ9T5o
-            2oY/h+GsN9xTM/6ZVcgCbZrcHnIvP+5VmIEmXkdTtb4cvTFJMkDWxx7NrS8dI/Rh
-            76hoCStleuLpw8+zwIYC4QdJfFWBaQyw8w0nON/qp4E+kyU8E3syMsjqFOqclSeU
-            vFDTvgl4/Z0nPxTl+IBzG0cBPMjUXgmvGZj4NAhZhE5nNwkA34GvmMcfjVhy8ROX
-            WWwgiFBP20Po7p3aHz57KA4UTkgIZfhK4BRbb4BhQoaYEcXL8Sata/SJOR3RT2vQ
-            8uB8H8orPpugdafS4wLv/qcwYn6pa2ubEQG59WfihIomDWh4jl+i+kfnM5fYwX+F
-            AgwDC9FRLmchgYQBEAC4bp8seECcmzLFnRZsABQI/TJg7jKDEZuudEiEGmKUhhOf
-            Mz1pQEEHyh5aTFSJDVq2bNgPKt4NJ/bQL1QOq1lnsprpAAL6+HoyezA6ygfh6YmW
-            8kJOwJrVXlgo+H3XD4XeoA7VFVdcHkszFYgq4KCd8KX+haSkt0Wbj0s7sQkKQo/j
-            PUUQN34pxfyJ0IiqlKuLgpu7ggMJkDqZGoYnXH91Qt9TYi/liMMx4wo82YOQFH0d
-            xJUewsVvUpjwmFotOBKdhk+zZlOoNNr7QnyZ2SRyXNUFI66fsw5QsbwDSXJ4Hy8C
-            3RVRZ7baxw2p5wMyZQBtMyqu9quS/XED0cZA+sxvKOTrC24YbD+nb1ktc/9ZJghH
-            TZjhQLLhmrbHPNnrHIrnEJ6XrxbgNHWTFE+yX/e2lRIRGwz0cfgbY2pLFJ+6uhSu
-            PkodKyq/PCerYZPnUMjnLxogNtgZhf6jK4AzG2xuFZne37NBEaXY3q1ktwafpRia
-            1UrO4PC2cwJpNuIpMfHbA8xieppwRZbqBSSAM80V12963cFakUxLmZdMG0ApFTDU
-            5NoAxwBaRooHjTgYwdfgtjikwsPOf/VFWrB2IkBqF/QhxdV2sxasmJCM04e1gidi
-            0prCX7KoMNtBnHpubfwV7sTNdhN15IKmyHNLw9hXfZZmN9UAh6LxUS/KHMZSv9Je
-            AR+Ty00mCszxvBco6ee6Tv7gEhBU2ZBhu4yyWZC5Kd0pNvr4ZtCGNNY5wIjv00jd
-            nNnMW7MrEF4Tz/So+1TJHiLLFuap2RpXifCHRiXDMHqOUuFUgGFSNNlhYXycXQ==
-            =lDR9
+            hQIMAwDh3VI7VctTAQ//RZDgcJwORDcdCgh90HAw+3x/ltfi2O4IeEciyaimNd2G
+            SJKV9y2VGwCFwrDfdlBuy8NDHSnE2oM/Cdk7sv7MTZpuDpofj/41qYVA55PVyh0n
+            oWkXfsNCXx/2mJizPddPDf51bKlEkeG+NrbJym+nWQqPH9Ty+y5QmSDUrSUoir8G
+            bnbS/9O69P8MSsGAL23sLuRr7rnFXVjZkovlsxY+c86Eob34EgY9iryzFHXnQZIA
+            4JqNL9MIygxn1HA8JCBl/zUJOvEO1QBANYFb78pMr4juDFn6n0iU1TeDwMB8j4DB
+            /Wn648EvvR4bt2UR3KCCcG6lJKM/weCd1PEjW3adKIn/D+sUI0gEY8OuEQ0qVhDp
+            w0FUDPa3SI4Tv+RxAbZ4tsVwnK+NDK9ZJ6bb6aSox7By5aCEKQem9YztCl4NclOr
+            arFNC9rNdJVfl6ed3RY1T8pySfpbfWGboQbsAKr/kUoFKPAdOD8dk+IDPnatJHg9
+            S5XoVv/XrB4G+G6ubsQ2hIOh27cnVo8L3Nydtxs1L2Abw2zK0/a/zQLABGxDsSQy
+            UxAi2yJbgcLVmTNssjlTFDPfl0cTUYeH+eitDedLjdgcymFFZYXOaXpoJywaaXHv
+            CC0dF4M3Nx1iz6iJLeP5AwaRDliXVi/f/Imrk2S6Re0dlgJu61ExvCgPUnNl1suF
+            AgwDC9FRLmchgYQBD/0QZwJI6czuYVOarwVttQxZGUaiwXnZaFYuENqoJWyDd3hV
+            dCcy39pM0Ant4khELdSS7qw+47aWAnk1mjMLUIEv+VuA3820p6Y/luBHJZMcaGm8
+            ZDKt8Hamgxevrc68TODacNOu75hq5zKm3w9WLpXc7W/b6+BBcMbq6tTahtvWpEnG
+            x9cSjpW27PeEnE4dM+Q3gzugL9WaXhGg81+Q3s/wOj5nnJ0ydcK0dfV7sk9ciDrE
+            91Or/FtIgDFFEP5VdGI2SFApbBiSSA3/kE5EPf3vVd05TDFh0muVkbl2TnfwXRwx
+            ktBwlLZaFxuNH1jZqj9i3Nt6VT+zDXtGk4s0cuVUN1bHfOZdYN2f1Eim9ewYwwKi
+            iZ9VX+3kznLuY/TbJEO82hnk10uYO45SoQd+4J4h18Sxn7+lVoIxJgEfoafllOPr
+            YcMeD7bteqNePjGGB6HueZ7iUnHWfceHiaIcfOq4nL6c5nQcorrYmcIKMy2Snq6z
+            eS9aiNQvBM6ogJBbdhIqxQCydH5hA71VoBA4ljZj1p/FkQ91ZizOoSfCGuOmkCTf
+            Stv9lRcBV2Fmy1CEwUHbYlZIV7UkZ9ElbV6aF8gyfUvDOhiVmsZAluzvIA0EVYB9
+            L8iyH6qzVgyBPJ0AgAjNEUmRbWH/mx1X4pFRkPCQ4hoVQxoZhN6BDj6xKvBVuNJe
+            AVpL/bfor37Yenx/YBdYsY5ALb6u32vC3Hk2n5bt6fb1BNwi/Trvrv8vLDEAFvRl
+            cUQCj67vh6Wg1LkzGAxuQ5BTE54Mxndjt/PLmOhxBGl+gCBwxKZ0QtuqiH9tIw==
+            =uBYL
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted