diff --git a/.sops.yaml b/.sops.yaml index 4b38475..8aa3235 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,20 +6,20 @@ keys: - &users - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097 - &hosts - - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d - - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx - - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh - &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 - &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 - &hintbooth age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x - - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh - - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl - - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy + - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh + - &pyramid age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m + - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl + - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + - &winters age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza + - &dgx age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns creation_rules: - - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$ + - path_regex: secrets/repo/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel 
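Review bot: Replacing the `winters` age recipient and dropping `surface` and `nbl` from `&hosts` only affects files encrypted from now on; every existing file matched by these rules still carries its old `sops.age` recipient stanzas, so the previous `winters` key and the two removed keys keep decrypting them until each file is re-encrypted. The commit does not show that step, so I would run `sops updatekeys -y <file>` over everything under `secrets/` and `hosts/*/*/*/secrets/` matching the new extensions, and `sops rotate -i <file>` as well if the old `winters` key is treated as compromised rather than merely retired. A one-line reminder next to the `&hosts` anchors, `# after changing recipients: sops updatekeys -y on every matched file`, would keep the next rotation from forgetting it.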
@@ -33,183 +33,93 @@ creation_rules: - *hintbooth - *bakery - *toto - - *surface - - *nbl - - *moonside - - path_regex: secrets/repo/[^/]+$ - key_groups: - - pgp: - - *swarsel - age: - - *winters - - *twothreetunnel - - *liliputsteps - - *stoicclub - - *belchsfactory - - *eagleland - - *hintbooth - - *bakery - - *toto - - *surface - - *nbl - - *moonside - - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *swarsel - age: - - *nbl - - *twothreetunnel - - *liliputsteps - - *stoicclub - - *belchsfactory - - *eagleland - - *hintbooth - - *bakery - - *toto - - *surface - - *winters + - *pyramid - *moonside + - *dgx + - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *swarsel age: - - *nbl + - *pyramid - - path_regex: secrets/pyramid/[^/]+\.(yaml|json|env|ini)$ + - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - - *nbl - - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc - key_groups: - - pgp: - - *swarsel - age: - - *nbl + - *pyramid - - path_regex: secrets/moonside/secrets.yaml - key_groups: - - pgp: - - *swarsel - age: - - *moonside - - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc - key_groups: - - pgp: - - *swarsel - age: - - *moonside - - - path_regex: secrets/belchsfactory/secrets.yaml - key_groups: - - pgp: - - *swarsel - age: - - *belchsfactory - - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc - key_groups: - - pgp: - - *swarsel - age: - - *belchsfactory - - - path_regex: secrets/bakery/secrets.yaml - key_groups: - - pgp: - - *swarsel - age: - - *bakery - - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc + - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - *bakery - - path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *swarsel - age: - - *winters - - 
path_regex: hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc + - path_regex: hosts/nixos/x86_64-linux/winters/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - *winters - - path_regex: secrets/eagleland/[^/]+\.(yaml|json|env|ini)$ + - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - *eagleland - - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc + - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - - *eagleland + - *moonside - - - - path_regex: secrets/stoicclub/[^/]+\.(yaml|json|env|ini)$ + - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - - *stoicclub - - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc + - *belchsfactory + + - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - *stoicclub - - path_regex: secrets/liliputsteps/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *swarsel - age: - - *liliputsteps - - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc + - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - *liliputsteps - - path_regex: secrets/twothreetunnel/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *swarsel - age: - - *twothreetunnel - - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc + - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - *twothreetunnel - - path_regex: hosts/nixos/x86_64-linux/summers/secrets/ + - path_regex: hosts/nixos/x86_64-linux/summers/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel - - path_regex: 
hosts/nixos/x86_64-linux/hintbooth/secrets/ + - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel age: - *hintbooth - - path_regex: hosts/darwin/nbm-imba-166/secrets/pii.nix.enc + - path_regex: hosts/darwin/x86_64-darwin/nbm-imba-166/secrets/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - pgp: - *swarsel diff --git a/SwarselSystems.org b/SwarselSystems.org index 61821f7..79df0f3 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -407,7 +407,7 @@ Nowadays, I use flake-parts to manage my flake. It allows me to conveniently spl - =imports= are files pulled in to build the flake configuration (similar to the imports in the module system) - =systems= defines the architectures that the flake should be provided for - I go here for the four "main" architectures, although true support is only provided for linux systems (see [[#h:6ed1a641-dba8-4e85-a62e-be93264df57a][Packages (pkgs)]] for the main reason) -** flake.nix skeleton +** flake.nix skeleton (inputs) :PROPERTIES: :CUSTOM_ID: h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b :END: @@ -526,7 +526,7 @@ A short overview over each input and what it does: nur.url = "github:nix-community/NUR"; nixgl.url = "github:guibou/nixGL"; stylix.url = "github:danth/stylix"; - sops-nix.url = "github:Mic92/sops-nix"; + sops.url = "github:Mic92/sops-nix"; lanzaboote.url = "github:nix-community/lanzaboote"; nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05"; nixos-generators.url = "github:nix-community/nixos-generators"; 
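Review bot: The new `path_regex` values are unanchored and sops picks the first rule whose regex matches anywhere in the path, so `hosts/nixos/x86_64-linux/winters/secrets/[^/]+\.(yaml|json|env|ini|enc)$` also matches any file elsewhere in the tree whose path merely ends in that suffix, and the `secrets/repo/...` rule at the top would win for a nested `.../secrets/repo/x.yaml`. Since the intent is clearly one rule per host directory, anchor every pattern at the start, e.g. `- path_regex: ^hosts/nixos/x86_64-linux/winters/secrets/[^/]+\.(yaml|json|env|ini|enc)$`, and do the same for the `secrets/repo` and `secrets/work` rules. The rebuilt `summers` rule still carries only the `pgp` group with no host age key, so nothing under that directory can be decrypted by the host at activation; if that is deliberate, a short comment on the rule would stop a later edit from adding the host key by reflex.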
@@ -666,7 +666,7 @@ This is the file that manages the actual decryption of the files mentioned in [[ # Decrypt only if necessary if [[ ! -e $out ]]; then - agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) + agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key || sudo ssh-to-age -private-key -i ~/.ssh/sops) SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file" fi @@ -971,9 +971,10 @@ The rest of the outputs either define or help define the actual configurations: mkNixosHost = { minimal }: configName: arch: inputs.nixpkgs.lib.nixosSystem { specialArgs = { - inherit inputs outputs self minimal configName homeLib; + inherit inputs outputs self minimal homeLib configName arch; inherit (config.pkgs.${arch}) lib; inherit (config) globals nodes; + type = "nixos"; }; modules = [ inputs.disko.nixosModules.disko @@ -987,7 +988,7 @@ The rest of the outputs either define or help define the actual configurations: inputs.nix-topology.nixosModules.default inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm inputs.simple-nixos-mailserver.nixosModules.default - inputs.sops-nix.nixosModules.sops + inputs.sops.nixosModules.sops inputs.stylix.nixosModules.stylix inputs.swarsel-nix.nixosModules.default (inputs.nixos-extra-modules + "/modules/guests") @@ -1004,6 +1005,8 @@ The rest of the outputs either define or help define the actual configurations: node = { name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce "nixos"; secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); }; 
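Review bot: If both `ssh-to-age` calls fail (host key unreadable, `~/.ssh/sops` absent, or `sudo` declining), `agekey` is empty and the script still runs `sops decrypt` with `SOPS_AGE_KEY=` set, which surfaces as a generic no-matching-key error far from the real cause; add `[[ -n "$agekey" ]] || { echo "no age identity found" >&2; exit 1; }` before the `sops decrypt` line. Swapping the order also means the host identity is now the primary decryptor, which matches the `.sops.yaml` change that makes host keys the recipients, so a comment saying `# host key first: hosts are the age recipients; ~/.ssh/sops is the interactive fallback` would make the dependency explicit. The `if` block this lives in starts and ends outside the hunk.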
@@ -1031,7 +1034,7 @@ The rest of the outputs either define or help define the actual configurations: }; modules = [ # inputs.disko.nixosModules.disko - # inputs.sops-nix.nixosModules.sops + # inputs.sops.nixosModules.sops # inputs.impermanence.nixosModules.impermanence # inputs.lanzaboote.nixosModules.lanzaboote # inputs.fw-fanctrl.nixosModules.default @@ -1040,12 +1043,15 @@ The rest of the outputs either define or help define the actual configurations: "${self}/hosts/darwin/${arch}/${configName}" "${self}/modules/nixos/darwin" # needed for infrastructure - "${self}/modules/nixos/common/meta.nix" + "${self}/modules/shared/meta.nix" "${self}/modules/nixos/common/globals.nix" { - node.name = lib.mkForce configName; - node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; - + node = { + name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce "darwin"; + secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; + }; } ]; }; @@ -1058,18 +1064,27 @@ The rest of the outputs either define or help define the actual configurations: systemFunc { inherit pkgs; extraSpecialArgs = { - inherit inputs lib outputs self configName; + inherit inputs lib outputs self configName arch type; inherit (config) globals nodes; minimal = false; }; modules = [ inputs.stylix.homeModules.stylix inputs.nix-index-database.homeModules.nix-index - # inputs.sops-nix.homeManagerModules.sops + inputs.sops.homeManagerModules.sops inputs.spicetify-nix.homeManagerModules.default inputs.swarsel-nix.homeModules.default "${self}/hosts/${type}/${arch}/${configName}" "${self}/profiles/home" + "${self}/modules/nixos/common/pii.nix" + { + node = { + name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce type; + secretsDir = ../hosts/${type}/${arch}/${configName}/secrets; + }; + } ]; }; 
@@ -2391,6 +2406,7 @@ My work machine. Built for more security, this is the gold standard of my config fileSystems = { "/persist".neededForBoot = true; "/home".neededForBoot = true; + "/".neededForBoot = true; "/var/log".neededForBoot = true; }; } @@ -3399,13 +3415,9 @@ My phone. I use only a minimal config for remote debugging here. { imports = [ - # inputs.sops-nix.homeManagerModules.sops "${self}/modules/home" - "${self}/modules/nixos/common/pii.nix" - "${self}/modules/nixos/common/meta.nix" ]; - services.xcape = { enable = true; mapExpression = { @@ -3628,6 +3640,7 @@ This machine mainly acts as my proxy server to stand before my local machines. minecraft = true; restic = true; diskEncryption = lib.mkForce false; + dns-hostrecord = true; }; } @@ -3852,6 +3865,7 @@ This machine mainly acts as my proxy server to stand before my local machines. postgresql = lib.mkDefault true; attic = lib.mkDefault true; garage = lib.mkDefault true; + dns-hostrecord = true; }; } @@ -4050,6 +4064,7 @@ This machine mainly acts as my proxy server to stand before my local machines. swarselmodules.server = { nsd = true; nginx = false; + dns-hostrecord = true; }; } @@ -4239,6 +4254,7 @@ This machine mainly acts as my proxy server to stand before my local machines. swarselmodules.server = { nginx = false; bastion = true; + dns-hostrecord = true; # ssh = false; }; @@ -4430,6 +4446,7 @@ This machine mainly acts as my proxy server to stand before my local machines. swarselmodules.server = { nginx = false; + dns-hostrecord = true; }; } @@ -4622,7 +4639,10 @@ This machine mainly acts as my proxy server to stand before my local machines. }; } // lib.optionalAttrs (!minimal) { - swarselmodules.server.mailserver = true; + swarselmodules.server = { + mailserver = true; + dns-hostrecord = true; + }; swarselprofiles = { server = true; 
@@ -4998,7 +5018,7 @@ TODO: cleanup this mess #+begin_src nix-ts :tangle install/installer-config.nix { self, config, pkgs, lib, ... }: let - pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh"; + pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/public/ssh"; stateVersion = lib.mkDefault "23.05"; homeFiles = { ".bash_history" = { @@ -5850,35 +5870,6 @@ in } #+end_src -**** Meta options (options only) -:PROPERTIES: -:CUSTOM_ID: h:30b81bf9-1e69-4ce8-88af-5592896bcee4 -:END: - - -#+begin_src nix-ts :tangle modules/nixos/common/meta.nix - { lib, ... }: - { - options = { - node = { - secretsDir = lib.mkOption { - description = "Path to the secrets directory for this node."; - type = lib.types.path; - default = ./.; - }; - name = lib.mkOption { - description = "Node Name."; - type = lib.types.str; - }; - lockFromBootstrapping = lib.mkOption { - description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap."; - type = lib.types.bool; - }; - }; - }; - } -#+end_src - **** Expose home-manager sops secrets in NixOS (automatically active) :PROPERTIES: :CUSTOM_ID: h:a8bbe15f-a7dd-4e6d-ba49-26206c38e9c8 @@ -5891,7 +5882,7 @@ in inherit (config.repo.secrets.common.emacs) radicaleUser; modules = config.home-manager.users.${mainUser}.swarselmodules; - certsSopsFile = self + /secrets/certs/secrets.yaml; + certsSopsFile = self + /secrets/repo/certs.yaml; in { config = lib.mkIf config.swarselsystems.withHomeManager { 
@@ -6139,7 +6130,7 @@ A breakdown of the flags being set: We enable the use of =home-manager= as a NixoS module. A nice trick here is the =extraSpecialArgs = inputs= line, which enables the use of =seflf= in most parts of the configuration. This is useful to refer to the root of the flake (which is otherwise quite hard while maintaining flake purity). #+begin_src nix-ts :tangle modules/nixos/common/home-manager.nix - { self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, ... }: + { self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, ... }: { options.swarselmodules.home-manager = lib.mkEnableOption "home-manager"; config = lib.mkIf config.swarselmodules.home-manager { @@ -6151,7 +6142,7 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the overwriteBackup = true; users.${config.swarselsystems.mainUser}.imports = [ inputs.nix-index-database.homeModules.nix-index - inputs.sops-nix.homeManagerModules.sops + # inputs.sops.homeManagerModules.sops # this is not needed!! we add these secrets in nixos scope inputs.spicetify-nix.homeManagerModules.default inputs.swarsel-nix.homeModules.default { @@ -6172,7 +6163,7 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the ]; extraSpecialArgs = { inherit (inputs) self nixgl; - inherit inputs outputs globals nodes minimal configName; + inherit inputs outputs globals nodes minimal configName arch type; lib = homeLib; }; }; 
@@ -6871,8 +6862,8 @@ Here I only enable =networkmanager= and a few default networks. The rest of the #+begin_src nix-ts :tangle modules/nixos/client/network.nix { self, lib, pkgs, config, globals, ... }: let - certsSopsFile = self + /secrets/certs/secrets.yaml; - clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml; + certsSopsFile = self + /secrets/repo/certs.yaml; + clientSopsFile = "${config.node.secretsDir}/secrets.yaml"; inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon; @@ -7183,7 +7174,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at - `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops" - cat ~/.ssh/sops.pub | ssh-to-age | wl-copy - add the output to .sops.yaml -- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/keys/NAME.pub +- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/public/NAME.pub - update entry for sops.age.sshKeyPaths #+begin_src nix-ts :tangle modules/nixos/client/sops.nix 
@@ -7194,8 +7185,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at sops = { # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; - age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; + age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml"; validateSopsFiles = false; 
@@ -8568,14 +8559,14 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t ]; }; users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) + (self + /secrets/public/ssh/yubikey.pub) + (self + /secrets/public/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub)) ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) + (self + /secrets/public/ssh/yubikey.pub) + (self + /secrets/public/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub)) ]; security.sudo.extraConfig = '' Defaults env_keep+=SSH_AUTH_SOCK @@ -8603,9 +8594,9 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t group = lib.mkForce "jump"; createHome = lib.mkForce true; openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - (self + /secrets/keys/ssh/builder.pub) + (self + /secrets/public/ssh/yubikey.pub) + (self + /secrets/public/ssh/magicant.pub) + (self + /secrets/public/ssh/builder.pub) ]; }; }; @@ -8689,7 +8680,7 @@ Restricts access to the system by the nix build user as per https://discourse.ni isSystemUser = true; group = "builder"; openssh.authorizedKeys.keys = [ - ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}'' + ''${ssh-restrict} ${builtins.readFile "${self}/secrets/public/ssh/builder.pub"}'' ]; }; }; 
@@ -8709,7 +8700,8 @@ Generate hostId using =head -c4 /dev/urandom | od -A none -t x4= { lib, config, ... }: let netConfig = config.repo.secrets.local.networking; - netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}"; + netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}"; + netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}"; in { options = { @@ -8724,6 +8716,11 @@ Generate hostId using =head -c4 /dev/urandom | od -A none -t x4= default = netName; readOnly = true; }; + netConfigPrefix = lib.mkOption { + type = lib.types.str; + default = netPrefix; + readOnly = true; + }; }; }; config = lib.mkIf config.swarselmodules.server.network { @@ -8836,8 +8833,8 @@ lspci -k -d 14c3:0616 enable = true; port = 2222; # avoid hostkey changed nag authorizedKeys = [ - ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}'' - ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}'' + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}'' + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}'' ]; hostKeys = [ hostKeyPathBase ]; }; 
@@ -8875,6 +8872,137 @@ lspci -k -d 14c3:0616 } #+end_src +**** Wireguard + +#+begin_src nix-ts :tangle modules/nixos/server/wireguard.nix + { self, lib, config, confLib, globals, ... }: + let + wgInterface = "wg0"; + inherit (confLib.gen { name = "wireguard"; port = 52829; user = "systemd-network"; group = "systemd-network"; }) servicePort serviceName serviceUser serviceGroup; + + inherit (config.swarselsystems) sopsFile; + inherit (config.swarselsystems.server.wireguard) peers isClient isServer; + in + { + options = { + swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings"; + swarselsystems.server.wireguard = { + isServer = lib.mkEnableOption "set this as a wireguard server"; + peers = lib.mkOption { + type = lib.types.listOf (lib.types.submodule { + freeformType = lib.types.attrs; + options = { }; + }); + default = [ ]; + description = "Wireguard peer submodules as expected by systemd.network.netdevs..wireguardPeers"; + }; + }; + + }; + config = lib.mkIf config.swarselmodules.${serviceName} { + + sops = { + secrets = { + wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; }; + wireguard-home-preshared-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; }; + }; + }; + + networking = { + firewall.allowedUDPPorts = [ servicePort ]; + nat = { + enable = true; + enableIPv6 = true; + externalInterface = "ens6"; + internalInterfaces = [ wgInterface ]; + }; + }; + + systemd.network = { + enable = true; + + networks."50-${wgInterface}" = { + matchConfig.Name = wgInterface; + + networkConfig = { + IPv4Forwarding = true; + IPv6Forwarding = true; + }; + + address = [ + "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4}" + "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6}" + ]; + }; + + netdevs."50-wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name 
= wgInterface; + }; + + wireguardConfig = { + ListenPort = lib.mkIf isServer servicePort; + + # ensure file is readable by `systemd-network` user + PrivateKeyFile = config.age.secrets.wg-key-vps.path; + + # To automatically create routes for everything in AllowedIPs, + # add RouteTable=main + # RouteTable = "main"; + + # FirewallMark marks all packets send and received by wg0 + # with the number 42, which can be used to define policy rules on these packets. + # FirewallMark = 42; + }; + wireguardPeers = peers ++ lib.optionals isClient [ + { + PublicKey = builtins.readFile "${self}/secrets/public/wg/${config.node.name}.pub"; + PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path; + Endpoint = "${globals.hosts.${config.node.name}.wanAddress4}:${toString servicePort}"; + # Access to the whole network is routed through our entry node. + # AllowedIPs = + # (optional (networkCfg.cidrv4 != null) networkCfg.cidrv4) + # ++ (optional (networkCfg.cidrv6 != null) networkCfg.cidrv6); + } + ]; + }; + }; + + # networking = { + # wireguard = { + # enable = true; + # interfaces = { + # wg1 = { + # privateKeyFile = config.sops.secrets.wireguard-private-key.path; + # ips = [ "192.168.178.201/24" ]; + # peers = [ + # { + # publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw="; + # presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path; + # name = "moonside"; + # persistentKeepalive = 25; + # # endpoint = "${config.repo.secrets.common.ipv4}:51820"; + # endpoint = "${config.repo.secrets.common.wireguardEndpoint}"; + # # allowedIPs = [ + # # "192.168.3.0/24" + # # "192.168.1.0/24" + # # ]; + # allowedIPs = [ + # "192.168.178.0/24" + # ]; + # } + # ]; + # }; + # }; + # }; + # }; + + + }; + } +#+end_src + **** BTRFS #+begin_src nix-ts :tangle modules/nixos/server/btrfs.nix 
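Review bot: `PrivateKeyFile = config.age.secrets.wg-key-vps.path` reads the agenix namespace, but this flake wires up `inputs.sops.nixosModules.sops` and the secrets declared a few lines above are `sops.secrets.wireguard-private-key` and `wireguard-home-preshared-key`, so enabling `swarselmodules.wireguard` fails evaluation on the missing `age` attribute; the client peer's `sops.secrets."${config.node.name}-presharedKey"` is likewise never declared. `isClient` is inherited from `config.swarselsystems.server.wireguard` without a matching option, which is a second evaluation error. `firewall.allowedUDPPorts` and `networking.nat` (with a hard-coded `ens6` external interface) are applied unconditionally, so a client opens a UDP port it never listens on and masquerades forwarding it does not need; gate both on `isServer`. The client peer also reads `${config.node.name}.pub` and this node's own `wanAddress4` as `Endpoint`, which looks like peering with itself rather than with the entry node — worth confirming. The rewritten lines below leave the rest of the module as is.
```nix
        isServer = lib.mkEnableOption "set this as a wireguard server";
        isClient = lib.mkEnableOption "set this as a wireguard client";
        # … unchanged: peers option …
      # … unchanged: sops.secrets …
      networking = {
        firewall.allowedUDPPorts = lib.mkIf isServer [ servicePort ];
        nat = lib.mkIf isServer {
          # … unchanged: enable/enableIPv6/externalInterface/internalInterfaces …
        };
      };
      # … unchanged: systemd.network.networks …
          wireguardConfig = {
            ListenPort = lib.mkIf isServer servicePort;
            # sops-nix, not agenix: use the secret declared above
            PrivateKeyFile = config.sops.secrets.wireguard-private-key.path;
          };
          # … unchanged: wireguardPeers = peers ++ lib.optionals isClient [ … ] except: …
              PresharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
```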
@@ -10553,7 +10681,7 @@ Note: you still need to run =restic- init= once on the host to get the buc This section exposes several metrics that I use to check the health of my server. I need to expand on the exporters section at some point, but for now I have everything I need. #+begin_src nix-ts :tangle modules/nixos/server/monitoring.nix - { self, lib, config, globals, dns, confLib, ... }: + { lib, config, globals, dns, confLib, ... }: let inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; @@ -10566,6 +10694,8 @@ This section exposes several metrics that I use to check the health of my server kanidmDomain = globals.services.kanidm.domain; inherit (config.swarselsystems) sopsFile; + + sopsFile2 = "${config.node.secretsDir}/secrets2.yaml"; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -10580,7 +10710,7 @@ This section exposes several metrics that I use to check the health of my server grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; + prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; }; templates = { @@ -11280,7 +11410,7 @@ To get other URLs (token, etc.), use https:///oauth2/openid//oauth2/openid/ s3:/// s3:/// - + SwarselSystems: NixOS + Emacs Configurationo @@ -215,7 +215,7 @@
  • 2. flake.nix @@ -354,18 +368,17 @@
  • 3.2.1.1. Imports
  • 3.2.1.2. Share configuration between nodes (automatically active)
  • 3.2.1.3. Global options (automatically active)
  • -
  • 3.2.1.4. Meta options (options only)
  • -
  • 3.2.1.5. Expose home-manager sops secrets in NixOS (automatically active)
  • -
  • 3.2.1.6. Topology (automatically active)
  • -
  • 3.2.1.7. General NixOS settings (nix, stateVersion)
  • -
  • 3.2.1.8. Setup home-manager base
  • -
  • 3.2.1.9. User setup, Make users non-mutable
  • -
  • 3.2.1.10. Setup login keymap
  • -
  • 3.2.1.11. Time, locale settings
  • -
  • 3.2.1.12. PII management
  • -
  • 3.2.1.13. Lanzaboote (secure boot)
  • -
  • 3.2.1.14. Boot
  • -
  • 3.2.1.15. Impermanence
  • +
  • 3.2.1.4. Expose home-manager sops secrets in NixOS (automatically active)
  • +
  • 3.2.1.5. Topology (automatically active)
  • +
  • 3.2.1.6. General NixOS settings (nix config, stateVersion)
  • +
  • 3.2.1.7. Setup home-manager base
  • +
  • 3.2.1.8. User setup, Make users non-mutable
  • +
  • 3.2.1.9. Setup login keymap
  • +
  • 3.2.1.10. Time, locale settings
  • +
  • 3.2.1.11. PII management
  • +
  • 3.2.1.12. Lanzaboote (secure boot)
  • +
  • 3.2.1.13. Boot
  • +
  • 3.2.1.14. Impermanence
  • 3.2.2. Client @@ -380,44 +393,44 @@
  • 3.2.2.8. Pipewire
  • 3.2.2.9. Common network settings
  • 3.2.2.10. sops
  • -
  • 3.2.2.11. Theme (stylix)
  • -
  • 3.2.2.12. Programs (including zsh setup) +
  • 3.2.2.11. Remote building
  • +
  • 3.2.2.12. Theme (stylix)
  • +
  • 3.2.2.13. Programs (including zsh setup)
  • -
  • 3.2.2.13. Services +
  • 3.2.2.14. Services
  • -
  • 3.2.2.14. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules +
  • 3.2.2.15. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules
  • -
  • 3.2.2.15. System Login (greetd)
  • -
  • 3.2.2.16. nix-ld
  • -
  • 3.2.2.17. Summary of nixos-rebuild diff
  • -
  • 3.2.2.18. gnome-keyring
  • -
  • 3.2.2.19. Sway
  • -
  • 3.2.2.20. xdg-portal (Screensharing)
  • -
  • 3.2.2.21. Podman (distrobox)
  • -
  • 3.2.2.22. Appimage
  • -
  • 3.2.2.23. Handle lid switch correctly
  • -
  • 3.2.2.24. Low battery notification
  • -
  • 3.2.2.25. Auto-login
  • -
  • 3.2.2.26. UWSM
  • -
  • 3.2.2.27. Niri
  • +
  • 3.2.2.16. System Login (greetd)
  • +
  • 3.2.2.17. nix-ld
  • +
  • 3.2.2.18. Summary of nixos-rebuild diff
  • +
  • 3.2.2.19. gnome-keyring
  • +
  • 3.2.2.20. Sway
  • +
  • 3.2.2.21. xdg-portal (Screensharing)
  • +
  • 3.2.2.22. Podman (distrobox)
  • +
  • 3.2.2.23. Appimage
  • +
  • 3.2.2.24. Handle lid switch correctly
  • +
  • 3.2.2.25. Low battery notification
  • +
  • 3.2.2.26. Auto-login
  • +
  • 3.2.2.27. UWSM
  • 3.2.3. Server @@ -428,48 +441,53 @@
  • 3.2.3.4. nfs/samba (smb)
  • 3.2.3.5. NGINX
  • 3.2.3.6. ssh
  • -
  • 3.2.3.7. Network settings
  • -
  • 3.2.3.8. Disk encryption
  • -
  • 3.2.3.9. Router
  • -
  • 3.2.3.10. kavita
  • -
  • 3.2.3.11. jellyfin
  • -
  • 3.2.3.12. navidrome
  • -
  • 3.2.3.13. spotifyd
  • -
  • 3.2.3.14. mpd
  • -
  • 3.2.3.15. pipewire
  • -
  • 3.2.3.16. postgresql
  • -
  • 3.2.3.17. matrix
  • -
  • 3.2.3.18. nextcloud
  • -
  • 3.2.3.19. immich
  • -
  • 3.2.3.20. paperless (tika, gotenberg)
  • -
  • 3.2.3.21. transmission
  • -
  • 3.2.3.22. syncthing
  • -
  • 3.2.3.23. restic
  • -
  • 3.2.3.24. monitoring (Grafana, Prometheus)
  • -
  • 3.2.3.25. Jenkins
  • -
  • 3.2.3.26. Emacs elfeed (RSS Server)
  • -
  • 3.2.3.27. FreshRSS
  • -
  • 3.2.3.28. forgejo (git server)
  • -
  • 3.2.3.29. Anki Sync Server
  • -
  • 3.2.3.30. kanidm
  • -
  • 3.2.3.31. oauth2-proxy
  • -
  • 3.2.3.32. Firefly-III
  • -
  • 3.2.3.33. Koillection
  • -
  • 3.2.3.34. Atuin
  • -
  • 3.2.3.35. Radicale
  • -
  • 3.2.3.36. croc
  • -
  • 3.2.3.37. microbin
  • -
  • 3.2.3.38. shlink
  • -
  • 3.2.3.39. slink
  • -
  • 3.2.3.40. Snipe-IT
  • -
  • 3.2.3.41. Homebox
  • -
  • 3.2.3.42. OPKSSH
  • -
  • 3.2.3.43. Garage
  • -
  • 3.2.3.44. nsd (dns)
  • -
  • 3.2.3.45. nsd (dns) - site1
  • -
  • 3.2.3.46. Minecraft
  • -
  • 3.2.3.47. Mailserver
  • -
  • 3.2.3.48. Attic (nix binary cache)
  • +
  • 3.2.3.7. Bastion
  • +
  • 3.2.3.8. ssh builder config
  • +
  • 3.2.3.9. Network settings
  • +
  • 3.2.3.10. Disk encryption
  • +
  • 3.2.3.11. Wireguard
  • +
  • 3.2.3.12. BTRFS
  • +
  • 3.2.3.13. Router
  • +
  • 3.2.3.14. kavita
  • +
  • 3.2.3.15. jellyfin
  • +
  • 3.2.3.16. navidrome
  • +
  • 3.2.3.17. spotifyd
  • +
  • 3.2.3.18. mpd
  • +
  • 3.2.3.19. pipewire
  • +
  • 3.2.3.20. postgresql
  • +
  • 3.2.3.21. matrix
  • +
  • 3.2.3.22. nextcloud
  • +
  • 3.2.3.23. immich
  • +
  • 3.2.3.24. paperless (tika, gotenberg)
  • +
  • 3.2.3.25. transmission
  • +
  • 3.2.3.26. syncthing
  • +
  • 3.2.3.27. restic
  • +
  • 3.2.3.28. monitoring (Grafana, Prometheus)
  • +
  • 3.2.3.29. Jenkins
  • +
  • 3.2.3.30. Emacs elfeed (RSS Server)
  • +
  • 3.2.3.31. FreshRSS
  • +
  • 3.2.3.32. forgejo (git server)
  • +
  • 3.2.3.33. Anki Sync Server
  • +
  • 3.2.3.34. kanidm
  • +
  • 3.2.3.35. oauth2-proxy
  • +
  • 3.2.3.36. Firefly-III
  • +
  • 3.2.3.37. Koillection
  • +
  • 3.2.3.38. Atuin
  • +
  • 3.2.3.39. Radicale
  • +
  • 3.2.3.40. croc
  • +
  • 3.2.3.41. microbin
  • +
  • 3.2.3.42. shlink
  • +
  • 3.2.3.43. slink
  • +
  • 3.2.3.44. Snipe-IT
  • +
  • 3.2.3.45. Homebox
  • +
  • 3.2.3.46. OPKSSH
  • +
  • 3.2.3.47. Garage
  • +
  • 3.2.3.48. Set host domain for dns
  • +
  • 3.2.3.49. nsd (dns)
  • +
  • 3.2.3.50. nsd (dns) - site1
  • +
  • 3.2.3.51. Minecraft
  • +
  • 3.2.3.52. Mailserver
  • +
  • 3.2.3.53. Attic (nix binary cache)
  • 3.2.4. Darwin @@ -479,18 +497,20 @@
  • 3.2.5. TODO Optional
  • @@ -558,23 +578,22 @@
  • 3.3.2.33. Sway
  • -
  • 3.3.2.34. Niri
  • -
  • 3.3.2.35. Kanshi
  • -
  • 3.3.2.36. gpg-agent
  • -
  • 3.3.2.37. gammastep
  • -
  • 3.3.2.38. Spicetify
  • -
  • 3.3.2.39. Obsidian
  • -
  • 3.3.2.40. Anki
  • -
  • 3.3.2.41. Element-desktop
  • -
  • 3.3.2.42. Hexchat
  • -
  • 3.3.2.43. obs-studio
  • -
  • 3.3.2.44. spotify-player
  • -
  • 3.3.2.45. vesktop
  • -
  • 3.3.2.46. batsignal
  • -
  • 3.3.2.47. autotiling
  • -
  • 3.3.2.48. swayidle
  • -
  • 3.3.2.49. swaylock
  • -
  • 3.3.2.50. opkssh
  • +
  • 3.3.2.34. Kanshi
  • +
  • 3.3.2.35. gpg-agent
  • +
  • 3.3.2.36. gammastep
  • +
  • 3.3.2.37. Spicetify
  • +
  • 3.3.2.38. Obsidian
  • +
  • 3.3.2.39. Anki
  • +
  • 3.3.2.40. Element-desktop
  • +
  • 3.3.2.41. Hexchat
  • +
  • 3.3.2.42. obs-studio
  • +
  • 3.3.2.43. spotify-player
  • +
  • 3.3.2.44. vesktop
  • +
  • 3.3.2.45. batsignal
  • +
  • 3.3.2.46. autotiling
  • +
  • 3.3.2.47. swayidle
  • +
  • 3.3.2.48. swaylock
  • +
  • 3.3.2.49. opkssh
  • 3.3.3. Server @@ -590,10 +609,11 @@
  • 3.3.5. Optional
  • @@ -602,51 +622,52 @@ @@ -657,27 +678,18 @@
  • 3.5.2. home-manager
  • @@ -911,7 +923,7 @@

    -This file has 113366 words spanning 30228 lines and was last revised on 2025-11-27 16:49:14 +0100.
    +This file has 115249 words spanning 30878 lines and was last revised on 2025-12-02 17:29:11 +0100.

    @@ -934,7 +946,6 @@ This configuration is part of a NixOS system that is (nearly) fully declarative

    @@ -980,7 +991,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

    -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-11-27 16:49:14 +0100)
    +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-12-02 17:29:11 +0100)

    @@ -1434,7 +1445,7 @@ Nowadays, I use flake-parts to manage my flake. It allows me to conveniently spl
    -

    2.1. flake.nix skeleton

    +

    2.1. flake.nix skeleton (inputs)

    In general, a nix flake consists of one or more inputs and several outputs. The inputs are used to define where nix should be looking for packages, modules, and more. The outputs generate expressions that can be used in .nix files as well as system configurations using these files. @@ -1576,7 +1587,7 @@ This provides devshell support for flake-parts nur.url = "github:nix-community/NUR"; nixgl.url = "github:guibou/nixGL"; stylix.url = "github:danth/stylix"; - sops-nix.url = "github:Mic92/sops-nix"; + sops.url = "github:Mic92/sops-nix"; lanzaboote.url = "github:nix-community/lanzaboote"; nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05"; nixos-generators.url = "github:nix-community/nixos-generators"; @@ -1730,7 +1741,7 @@ mkdir -p "$(dirname "$out")" # Decrypt only if necessary if [[ ! -e $out ]]; then - agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) + agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key || sudo ssh-to-age -private-key -i ~/.ssh/sops) SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file" fi @@ -1876,7 +1887,7 @@ let forEachLinuxSystem = f: lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: f pkgsFor.${system}); readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}"); - readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}")); + readNix = type: lib.filter (name: name != "default.nix" && name != "optional" && name != "darwin") (lib.attrNames (builtins.readDir "${self}/${type}")); mkImports = names: baseDir: lib.map (name: "${self}/${baseDir}/${name}") names; }; 
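Review bot: In the @@ -1730 hunk, `agekey` is still empty when both ssh-to-age calls fail (neither /etc/ssh/ssh_host_ed25519_key nor ~/.ssh/sops usable), and the script then invokes `sops decrypt` with an empty SOPS_AGE_KEY, which presumably fails with a generic key-lookup error rather than pointing at the missing key file. Add `[[ -n $agekey ]] || { echo "no age key found" >&2; exit 1; }` before the decrypt line. The fallback also reads the user's own key through sudo: the shell expands `~` before sudo runs so the path is right, but root privileges are only needed for the host key, and `ssh-to-age -private-key -i ~/.ssh/sops` without sudo would do the same with less running as root. The enclosing script starts and ends outside the hunk.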
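Review bot: In the @@ -1876 hunk, the growing exclusion list in `readNix` is written as a chain of `&&` comparisons; `lib.filter (name: !(lib.elem name [ "default.nix" "optional" "darwin" ]))` reads the same and keeps the excluded names in one place for the next addition. Whether every `type` directory is expected to contain `optional` and `darwin` entries is not visible here; the filter is harmless where they are absent.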
@@ -2085,9 +2096,10 @@ The rest of the outputs either define or help define the actual configurations: mkNixosHost = { minimal }: configName: arch: inputs.nixpkgs.lib.nixosSystem { specialArgs = { - inherit inputs outputs self minimal configName homeLib; + inherit inputs outputs self minimal homeLib configName arch; inherit (config.pkgs.${arch}) lib; inherit (config) globals nodes; + type = "nixos"; }; modules = [ inputs.disko.nixosModules.disko @@ -2096,13 +2108,12 @@ The rest of the outputs either define or help define the actual configurations: inputs.lanzaboote.nixosModules.lanzaboote inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm - inputs.niri-flake.nixosModules.niri inputs.nix-index-database.nixosModules.nix-index inputs.nix-minecraft.nixosModules.minecraft-servers inputs.nix-topology.nixosModules.default inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm inputs.simple-nixos-mailserver.nixosModules.default - inputs.sops-nix.nixosModules.sops + inputs.sops.nixosModules.sops inputs.stylix.nixosModules.stylix inputs.swarsel-nix.nixosModules.default (inputs.nixos-extra-modules + "/modules/guests") @@ -2119,6 +2130,8 @@ The rest of the outputs either define or help define the actual configurations: node = { name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce "nixos"; secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); }; @@ -2146,7 +2159,7 @@ The rest of the outputs either define or help define the actual configurations: }; modules = [ # inputs.disko.nixosModules.disko - # inputs.sops-nix.nixosModules.sops + # inputs.sops.nixosModules.sops # inputs.impermanence.nixosModules.impermanence # inputs.lanzaboote.nixosModules.lanzaboote # inputs.fw-fanctrl.nixosModules.default 
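Review bot: `type = "nixos";` in specialArgs and `type = lib.mkForce "nixos";` in the node block of the @@ -2119 hunk spell the same literal twice inside mkNixosHost; binding it once (`let type = "nixos"; in` at the top of the function, then `inherit type;` in specialArgs and `type = lib.mkForce type;` in node) keeps the two from drifting apart. The same four-line `node = { name; arch; type; secretsDir; }` block is repeated again in the darwin builder (@@ -2155) and the home-manager builder (@@ -2173); a small helper such as `mkNode = type: arch: configName: { name = lib.mkForce configName; arch = lib.mkForce arch; type = lib.mkForce type; secretsDir = ../hosts/${type}/${arch}/${configName}/secrets; }` would replace all three. mkNixosHost starts in this hunk and ends outside it.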
@@ -2155,12 +2168,15 @@ The rest of the outputs either define or help define the actual configurations: "${self}/hosts/darwin/${arch}/${configName}" "${self}/modules/nixos/darwin" # needed for infrastructure - "${self}/modules/nixos/common/meta.nix" + "${self}/modules/shared/meta.nix" "${self}/modules/nixos/common/globals.nix" { - node.name = lib.mkForce configName; - node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; - + node = { + name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce "darwin"; + secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; + }; } ]; }; @@ -2173,19 +2189,27 @@ The rest of the outputs either define or help define the actual configurations: systemFunc { inherit pkgs; extraSpecialArgs = { - inherit inputs lib outputs self configName; + inherit inputs lib outputs self configName arch type; inherit (config) globals nodes; minimal = false; }; modules = [ inputs.stylix.homeModules.stylix - inputs.niri-flake.homeModules.niri inputs.nix-index-database.homeModules.nix-index - # inputs.sops-nix.homeManagerModules.sops + inputs.sops.homeManagerModules.sops inputs.spicetify-nix.homeManagerModules.default inputs.swarsel-nix.homeModules.default "${self}/hosts/${type}/${arch}/${configName}" "${self}/profiles/home" + "${self}/modules/nixos/common/pii.nix" + { + node = { + name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce type; + secretsDir = ../hosts/${type}/${arch}/${configName}/secrets; + }; + } ]; }; @@ -2764,7 +2788,8 @@ Defines a formatter that can be called using nix flake format. Whil buildInputs = [ pkgs.makeWrapper ]; paths = [ pkgs.shfmt ]; postBuild = '' - wrapProgram $out/bin/shfmt --append-flags '-sr' + wrapProgram $out/bin/shfmt \ + --add-flags '-sr' ''; }; }; 
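Review bot: In the @@ -2173 hunk the home-manager builder now imports `"${self}/modules/nixos/common/pii.nix"`, while the same commit moves meta.nix out of `modules/nixos/common` into `modules/shared` (@@ -2155) precisely because it is evaluated under more than one system type. If pii.nix is likewise shared between NixOS, darwin and home-manager evaluations, it belongs next to meta.nix under `modules/shared/`; left where it is, a reader will assume it is NixOS-only. Whether pii.nix references NixOS-only options that would not evaluate under home-manager cannot be seen from here.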
@@ -3360,15 +3385,16 @@ in ./disk-config.nix ./hardware-configuration.nix - ]; + "${self}/modules/nixos/optional/amdcpu.nix" + "${self}/modules/nixos/optional/amdgpu.nix" + "${self}/modules/nixos/optional/framework.nix" + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/hibernation.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + "${self}/modules/nixos/optional/work.nix" - swarselmodules = { - optional = { - amdcpu = true; - amdgpu = true; - hibernation = true; - }; - }; + ]; swarselsystems = { lowResolution = "1280x800"; @@ -3417,10 +3443,6 @@ in } // lib.optionalAttrs (!minimal) { swarselprofiles = { personal = true; - optionals = true; - work = true; - uni = true; - framework = true; }; } @@ -3590,6 +3612,7 @@ in fileSystems = { "/persist".neededForBoot = true; "/home".neededForBoot = true; + "/".neededForBoot = true; "/var/log".neededForBoot = true; }; } @@ -3622,6 +3645,10 @@ in ./disk-config.nix ./hardware-configuration.nix + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + ]; swarselsystems = { @@ -3643,7 +3670,6 @@ in isSwap = true; rootDisk = "/dev/nvme0n1"; swapSize = "4G"; - hostName = config.node.name; }; home-manager.users."${primaryUser}" = { @@ -3846,7 +3872,7 @@ This is my main server that I run at home. It handles most tasks that require bi
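Review bot: The optional modules (work.nix, framework.nix, gaming.nix, virtualbox.nix, nswitch-rcm.nix, …) are now listed unconditionally in `imports`, whereas the flags they replace — `optionals`, `work`, `framework` in the @@ -3417 hunk — lived under `lib.optionalAttrs (!minimal)`, so minimal builds of this host now pull in those modules unless each module gates itself on `minimal`. If the old gating was intended, move those entries into the `!minimal` branch or have the modules check `minimal` themselves. `uni = true` is also removed without a matching import; if a corresponding module exists it is no longer loaded. The enclosing attribute set starts and ends outside the hunk.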
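Review bot: In the @@ -3590 hunk, `"/".neededForBoot = true;` is most likely a no-op: NixOS already mounts the root file system in the initrd regardless of this option, which only matters for additional mount points such as the /persist, /home and /var/log entries already listed. If the line was added to fix an ordering problem with those mounts, the cause is elsewhere; otherwise drop it or add a comment stating why it is wanted.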

    3.1.2.3.1. Main Configuration
    -
    { lib, config, minimal, ... }:
    +
    { lib, minimal, ... }:
     {
     
       imports = [
    @@ -3875,7 +3901,6 @@ This is my main server that I run at home. It handles most tasks that require bi
         isNixos = true;
         proxyHost = "moonside";
         server = {
    -      inherit (config.repo.secrets.local.networking) localNetwork;
           restic = {
             bucketName = "SwarselWinters";
             paths = [
    @@ -4007,12 +4032,14 @@ This is my main server that I run at home. It handles most tasks that require bi
     
    3.1.2.4.1. Main Configuration
    -
    { inputs, lib, config, minimal, nodes, globals, ... }:
    +
    { self, inputs, lib, config, minimal, nodes, globals, ... }:
     {
     
       imports = [
         ./hardware-configuration.nix
         ./disk-config.nix
    +
    +    "${self}/modules/nixos/optional/microvm-host.nix"
       ];
     
       boot = {
    @@ -4039,9 +4066,6 @@ This is my main server that I run at home. It handles most tasks that require bi
       };
     
       swarselmodules = {
    -    optional = {
    -      microvmHost = true;
    -    };
         server = {
           diskEncryption = lib.mkForce false; # TODO: disable
           nfs = false;
    @@ -4282,8 +4306,11 @@ in
     3.1.2.4.4.1. Guest 1
     
    -
    { lib, minimal, ... }:
    +
    { self,lib, minimal, ... }:
     {
    +  imports = [
    +    "${self}/modules/nixos/optional/microvm-guest.nix"
    +  ];
     
       swarselsystems = {
         info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
    @@ -4295,12 +4322,6 @@ in
         server = false;
       };
     
    -  swarselmodules = {
    -    optional = {
    -      microvmGuest = false;
    -    };
    -  };
    -
       microvm = {
         mem = 1024 * 4;
         vcpu = 2;
    @@ -4322,7 +4343,7 @@ in
     
    3.1.2.5.1. Main Configuration
    -
    { lib, config, minimal,  ... }:
    +
    { lib, minimal,  ... }:
     {
     
       imports = [
    @@ -4342,9 +4363,6 @@ in
         rootDisk = "/dev/sda";
         swapSize = "8G";
         networkKernelModules = [ "igb" ];
    -    server = {
    -      inherit (config.repo.secrets.local.networking) localNetwork;
    -    };
       };
     
     } // lib.optionalAttrs (!minimal) {
    @@ -4623,17 +4641,13 @@ My phone. I use only a minimal config for remote debugging here.
     
    3.1.2.8. Treehouse (DGX Spark)
    -
    { self, pkgs, ... }:
    +
    { self, lib, pkgs, ... }:
     {
     
       imports = [
    -    # inputs.sops-nix.homeManagerModules.sops
         "${self}/modules/home"
    -    "${self}/modules/nixos/common/pii.nix"
    -    "${self}/modules/nixos/common/meta.nix"
       ];
     
    -
       services.xcape = {
         enable = true;
         mapExpression = {
    @@ -4834,9 +4848,7 @@ in
         isBtrfs = true;
         isNixos = true;
         isLinux = true;
    -    proxyHost = "moonside";
         server = {
    -      inherit (config.repo.secrets.local.networking) localNetwork;
           restic = {
             bucketName = "SwarselMoonside";
             paths = [
    @@ -4863,6 +4875,7 @@ in
         minecraft = true;
         restic = true;
         diskEncryption = lib.mkForce false;
    +    dns-hostrecord = true;
       };
     }
     
    @@ -5035,11 +5048,13 @@ in
     
    3.1.3.2.1. Main Configuration
    -
    { lib, config, minimal, ... }:
    +
    { self, lib, minimal, ... }:
     {
       imports = [
         ./hardware-configuration.nix
         ./disk-config.nix
    +
    +    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
       ];
     
       node.lockFromBootstrapping = lib.mkForce false;
    @@ -5061,9 +5076,7 @@ in
         isNixos = true;
         isLinux = true;
         isCloud = true;
    -    proxyHost = "belchsfactory";
         server = {
    -      inherit (config.repo.secrets.local.networking) localNetwork;
           garage = {
             data_dir = {
               capacity = "150G";
    @@ -5086,9 +5099,11 @@ in
       };
     
       swarselmodules.server = {
    +    ssh-builder = lib.mkDefault true;
         postgresql = lib.mkDefault true;
         attic = lib.mkDefault true;
         garage = lib.mkDefault true;
    +    dns-hostrecord = true;
       };
     
     }
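Review bot: `ssh-builder = lib.mkDefault true;` and `dns-hostrecord = true;` are added to the same attribute set with different priorities, and every other host in this commit sets `dns-hostrecord = true` without mkDefault as well; if the intent is that a host-specific override can switch the builder off, say so in a comment, otherwise use the same form for both lines. Turning on an SSH build-target role on a host flagged `isCloud = true` in the previous hunk is a security-relevant choice; what the module opens (user, authorized keys, firewall) is not visible here, so a short comment naming the expected clients would help the next reader.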
    @@ -5251,103 +5266,85 @@ in
     
    -
    -
    3.1.3.3. Milkywell (OCI)
    -
    +
    +
    3.1.3.3. Stoicclub (OCI)
    +
    -
    -
    3.1.3.3.1. Main Configuration
    -
    +
    +
    3.1.3.3.1. Main Configuration
    +
    -
    { lib, config, minimal, ... }:
    +
    { self, lib, minimal, ... }:
     {
       imports = [
         ./hardware-configuration.nix
         ./disk-config.nix
    +
    +    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
       ];
    -  node.lockFromBootstrapping = false;
    -  sops = {
    -    age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
    -  };
     
       topology.self = {
         icon = "devices.cloud-server";
       };
    +  swarselmodules.server.nginx = false;
     
    -  networking = {
    -    domain = "subnet03112148.vcn03112148.oraclevcn.com";
    -    firewall = {
    -      allowedTCPPorts = [ 53 ];
    -    };
    -  };
    -
    -  system.stateVersion = "23.11";
     
       swarselsystems = {
         flakePath = "/root/.dotfiles";
    -    info = "VM.Standard.E2.1.Micro";
    +    info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
         isImpermanence = true;
         isSecureBoot = false;
    -    isCrypted = false;
    -    isSwap = true;
    -    swapSize = "8G";
    -    rootDisk = "/dev/sda";
    +    isCrypted = true;
    +    isSwap = false;
    +    rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3";
         isBtrfs = true;
         isNixos = true;
         isLinux = true;
    -    server = {
    -      inherit (config.repo.secrets.local.networking) localNetwork;
    -    };
    +    isCloud = true;
    +    isBastionTarget = true;
       };
     } // lib.optionalAttrs (!minimal) {
       swarselprofiles = {
         server = true;
       };
     
    +  swarselmodules.server = {
    +    nsd = true;
    +    nginx = false;
    +    dns-hostrecord = true;
    +  };
     }
     
     
    -
    -
    3.1.3.3.2. hardware-configuration
    -
    +
    +
    3.1.3.3.2. hardware-configuration
    +
    { lib, modulesPath, ... }:
    -
     {
    -  imports =
    -    [
    -      (modulesPath + "/profiles/qemu-guest.nix")
    -    ];
    +  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
     
       boot = {
         initrd = {
    -      availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
    -      kernelModules = [ "dm-snapshot" ];
    +      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
    +      kernelModules = [ ];
         };
    -    kernelModules = [ "kvm-amd" ];
    +    kernelModules = [ ];
         extraModulePackages = [ ];
       };
     
    -  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
    -  # (the default) this is the recommended approach. When using systemd-networkd it's
    -  # still possible to use this option, but it's recommended to use it in conjunction
    -  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
    -  networking.useDHCP = lib.mkDefault true;
    -  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
    -
    -  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
    +  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
     }
    -
     
    -
    -
    3.1.3.3.3. disko
    -
    +
    +
    3.1.3.3.3. disko
    +
    { lib, pkgs, config, ... }:
     let
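Review bot: `swarselmodules.server.nginx = false;` is set twice in the Stoicclub main configuration — once at top level and again inside the `lib.optionalAttrs (!minimal)` block. Because the two attribute sets are joined with `//`, which replaces the whole `swarselmodules` attribute instead of deep-merging it, the first assignment is dead whenever `!minimal` holds, and any other `swarselmodules.*` value later placed next to it on the left side would be silently dropped; keep one of the two, and use `lib.mkMerge` (or let the module system merge two modules) if both branches ever need to contribute to the same option. The removed config also carried `system.stateVersion = "23.11"` and `networking.firewall.allowedTCPPorts = [ 53 ]`, neither of which reappears here; presumably stateVersion comes from a shared module and the nsd module opens its own ports, but neither is visible in the hunk.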
    @@ -5470,76 +5467,446 @@ in
       fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
       fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
     }
    +
     
    -
    -
    3.1.3.4. Eagleland (Hetzner)
    -
    +
    +
    3.1.3.4. Liliputsteps (OCI)
    +
    -
    -
    3.1.3.4.1. Main Configuration
    -
    +
    +
    3.1.3.4.1. Main Configuration
    +
    -
    { lib, config, minimal, ... }:
    +
    { self, lib, minimal, ... }:
     {
       imports = [
         ./hardware-configuration.nix
         ./disk-config.nix
    +
    +    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
       ];
     
       topology.self = {
         icon = "devices.cloud-server";
       };
     
    -  networking = {
    -    useDHCP = lib.mkForce false;
    -    useNetworkd = true;
    -    dhcpcd.enable = false;
    -    renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
    -      config.repo.secrets.local.networking.networks or { }
    -    );
    +  swarselsystems = {
    +    flakePath = "/root/.dotfiles";
    +    info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
    +    isImpermanence = true;
    +    isSecureBoot = false;
    +    isCrypted = true;
    +    isSwap = false;
    +    rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885";
    +    isBtrfs = true;
    +    isNixos = true;
    +    isLinux = true;
    +    isCloud = true;
    +    mainUser = "jump";
       };
    -  boot.initrd.systemd.network = {
    -    enable = true;
    -    networks = {
    -      inherit (config.systemd.network.networks) "10-wan";
    -    };
    +} // lib.optionalAttrs (!minimal) {
    +  swarselprofiles = {
    +    server = true;
       };
     
    -  systemd = {
    -    network = {
    -      enable = true;
    -      wait-online.enable = false;
    -      networks =
    -        let
    -          netConfig = config.repo.secrets.local.networking;
    -        in
    -        {
    -          "10-wan" = {
    -            address = [
    -              "${netConfig.wanAddress4}/32"
    -              "${netConfig.wanAddress6}/64"
    -            ];
    -            gateway = [ "fe80::1" ];
    -            routes = [
    -              { Destination = netConfig.defaultGateway4; }
    -              {
    -                Gateway = netConfig.defaultGateway4;
    -                GatewayOnLink = true;
    -              }
    -            ];
    -            matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac;
    -            networkConfig.IPv6PrivacyExtensions = "yes";
    -            linkConfig.RequiredForOnline = "routable";
    +  swarselmodules.server = {
    +    nginx = false;
    +    bastion = true;
    +    dns-hostrecord = true;
    +    # ssh = false;
    +  };
    +
    +  # users.users.swarsel.enable = lib.mkForce false;
    +  # home-manager.users.swarsel.enable = lib.mkForce false
    +}
    +
    +
    +
    +
    +
    +
    +
    3.1.3.4.2. hardware-configuration
    +
    +
    +
    { lib, modulesPath, ... }:
    +{
    +  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
    +
    +  boot = {
    +    initrd = {
    +      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
    +      kernelModules = [ ];
    +    };
    +    kernelModules = [ ];
    +    extraModulePackages = [ ];
    +  };
    +
    +  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
    +}
    +
    +
    +
    +
    +
    +
    3.1.3.4.3. disko
    +
    +
    +
    { lib, pkgs, config, ... }:
    +let
    +  type = "btrfs";
    +  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
    +  subvolumes = {
    +    "/root" = {
    +      mountpoint = "/";
    +      mountOptions = [
    +        "subvol=root"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/home";
    +      mountOptions = [
    +        "subvol=home"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/persist";
    +      mountOptions = [
    +        "subvol=persist"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/var/log";
    +      mountOptions = [
    +        "subvol=log"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/nix" = {
    +      mountpoint = "/nix";
    +      mountOptions = [
    +        "subvol=nix"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/swap" = lib.mkIf config.swarselsystems.isSwap {
    +      mountpoint = "/.swapvol";
    +      swap.swapfile.size = config.swarselsystems.swapSize;
    +    };
    +  };
    +in
    +{
    +  disko = {
    +    imageBuilder.extraDependencies = [ pkgs.kmod ];
    +    devices = {
    +      disk = {
    +        disk0 = {
    +          type = "disk";
    +          device = config.swarselsystems.rootDisk;
    +          content = {
    +            type = "gpt";
    +            partitions = {
    +              ESP = {
    +                priority = 1;
    +                name = "ESP";
    +                size = "512M";
    +                type = "EF00";
    +                content = {
    +                  type = "filesystem";
    +                  format = "vfat";
    +                  mountpoint = "/boot";
    +                  mountOptions = [ "defaults" ];
    +                };
    +              };
    +              root = lib.mkIf (!config.swarselsystems.isCrypted) {
    +                size = "100%";
    +                content = {
    +                  inherit type subvolumes extraArgs;
    +                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                    MNTPOINT=$(mktemp -d)
    +                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
    +                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                  '';
    +                };
    +              };
    +              luks = lib.mkIf config.swarselsystems.isCrypted {
    +                size = "100%";
    +                content = {
    +                  type = "luks";
    +                  name = "cryptroot";
    +                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
    +                  settings = {
    +                    allowDiscards = true;
    +                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
    +                    crypttabExtraOpts = [
    +                      "fido2-device=auto"
    +                      "token-timeout=10"
    +                    ];
    +                  };
    +                  content = {
    +                    inherit type subvolumes extraArgs;
    +                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                      MNTPOINT=$(mktemp -d)
    +                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
    +                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                    '';
    +                  };
    +                };
    +              };
    +            };
               };
             };
    +      };
         };
       };
     
    -  swarselmodules.server.mailserver = true;
    +  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +}
    +
    +
    +
    +
    +
    +
    +
    +
    3.1.3.5. Twothreetunnel (OCI)
    +
    +
    +
    +
    3.1.3.5.1. Main Configuration
    +
    +
    +
    { self, lib, minimal, ... }:
    +{
    +  imports = [
    +    ./hardware-configuration.nix
    +    ./disk-config.nix
    +
    +    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
    +  ];
    +
    +  topology.self = {
    +    icon = "devices.cloud-server";
    +  };
    +
    +  swarselsystems = {
    +    flakePath = "/root/.dotfiles";
    +    info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
    +    isImpermanence = true;
    +    isSecureBoot = false;
    +    isCrypted = true;
    +    isSwap = false;
    +    rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d";
    +    isBtrfs = true;
    +    isNixos = true;
    +    isLinux = true;
    +    isCloud = true;
    +  };
    +} // lib.optionalAttrs (!minimal) {
    +  swarselprofiles = {
    +    server = true;
    +  };
    +
    +  swarselmodules.server = {
    +    nginx = false;
    +    dns-hostrecord = true;
    +  };
    +
    +}
    +
    +
    +
    +
    +
    +
    +
    3.1.3.5.2. hardware-configuration
    +
    +
    +
    { lib, modulesPath, ... }:
    +{
    +  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
    +
    +  boot = {
    +    initrd = {
    +      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
    +      kernelModules = [ ];
    +    };
    +    kernelModules = [ ];
    +    extraModulePackages = [ ];
    +  };
    +
    +  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
    +}
    +
    +
    +
    +
    +
    +
    3.1.3.5.3. disko
    +
    +
    +
    { lib, pkgs, config, ... }:
    +let
    +  type = "btrfs";
    +  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
    +  subvolumes = {
    +    "/root" = {
    +      mountpoint = "/";
    +      mountOptions = [
    +        "subvol=root"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/home";
    +      mountOptions = [
    +        "subvol=home"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/persist";
    +      mountOptions = [
    +        "subvol=persist"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/var/log";
    +      mountOptions = [
    +        "subvol=log"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/nix" = {
    +      mountpoint = "/nix";
    +      mountOptions = [
    +        "subvol=nix"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/swap" = lib.mkIf config.swarselsystems.isSwap {
    +      mountpoint = "/.swapvol";
    +      swap.swapfile.size = config.swarselsystems.swapSize;
    +    };
    +  };
    +in
    +{
    +  disko = {
    +    imageBuilder.extraDependencies = [ pkgs.kmod ];
    +    devices = {
    +      disk = {
    +        disk0 = {
    +          type = "disk";
    +          device = config.swarselsystems.rootDisk;
    +          content = {
    +            type = "gpt";
    +            partitions = {
    +              ESP = {
    +                priority = 1;
    +                name = "ESP";
    +                size = "512M";
    +                type = "EF00";
    +                content = {
    +                  type = "filesystem";
    +                  format = "vfat";
    +                  mountpoint = "/boot";
    +                  mountOptions = [ "defaults" ];
    +                };
    +              };
    +              root = lib.mkIf (!config.swarselsystems.isCrypted) {
    +                size = "100%";
    +                content = {
    +                  inherit type subvolumes extraArgs;
    +                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                    MNTPOINT=$(mktemp -d)
    +                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
    +                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                  '';
    +                };
    +              };
    +              luks = lib.mkIf config.swarselsystems.isCrypted {
    +                size = "100%";
    +                content = {
    +                  type = "luks";
    +                  name = "cryptroot";
    +                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
    +                  settings = {
    +                    allowDiscards = true;
    +                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
    +                    crypttabExtraOpts = [
    +                      "fido2-device=auto"
    +                      "token-timeout=10"
    +                    ];
    +                  };
    +                  content = {
    +                    inherit type subvolumes extraArgs;
    +                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                      MNTPOINT=$(mktemp -d)
    +                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
    +                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                    '';
    +                  };
    +                };
    +              };
    +            };
    +          };
    +        };
    +      };
    +    };
    +  };
    +
    +  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +}
    +
    +
    +
    +
    +
    +
    +
    +
    3.1.3.6. Eagleland (Hetzner)
    +
    +
    +
    +
    3.1.3.6.1. Main Configuration
    +
    +
    +
    { self, lib, minimal, ... }:
    +{
    +  imports = [
    +    ./hardware-configuration.nix
    +    ./disk-config.nix
    +
    +    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
    +  ];
    +
    +  topology.self = {
    +    icon = "devices.cloud-server";
    +  };
    +
     
       swarselsystems = {
         flakePath = "/root/.dotfiles";
    @@ -5555,11 +5922,14 @@ in
         isNixos = true;
         isLinux = true;
         proxyHost = "eagleland";
    -    server = {
    -      inherit (config.repo.secrets.local.networking) localNetwork;
    -    };
       };
     } // lib.optionalAttrs (!minimal) {
    +
    +  swarselmodules.server = {
    +    mailserver = true;
    +    dns-hostrecord = true;
    +  };
    +
       swarselprofiles = {
         server = true;
       };
    @@ -5571,7 +5941,7 @@ in
     
    -
    3.1.3.4.2. hardware-configuration
    +
    3.1.3.6.2. hardware-configuration
    { lib, modulesPath, ... }:
    @@ -5598,7 +5968,7 @@ in
     
    -
    3.1.3.4.3. disko
    +
    3.1.3.6.3. disko
    { lib, pkgs, config, ... }:
    @@ -5948,7 +6318,7 @@ TODO: cleanup this mess
     
    { self, config, pkgs, lib, ... }:
     let
    -  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
    +  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/public/ssh";
       stateVersion = lib.mkDefault "23.05";
           homeFiles = {
             ".bash_history" = {
    @@ -6550,6 +6920,11 @@ let
           "nginx"
           "virtualHosts"
         ]
    +    [
    +      "swarselsystems"
    +      "server"
    +      "dns"
    +    ]
       ];
     
       attrsForEachOption =
    @@ -6670,7 +7045,8 @@ let
                     if netSubmod.config.cidrv6 == null then
                       null
                     else
    -                  lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6;
    +                  # if we use the /32 wan address as local address directly, do not use the network address in ipv6
    +                  lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6;
                 };
               };
             })
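Review bot: Mapping host id 0 to host 1 in the IPv6 address on the new `lib.net.cidr.hostCidr` line can collide with a host that is genuinely configured with id 1 in the same network, and nothing in the hunk checks for that. Either assert uniqueness where ids are assigned, or reserve id 1 by convention and say so in the comment, e.g. `# id 0 means "use the /32 WAN address directly"; in v6 it maps to host 1, so id 1 must not be assigned to another host`. The enclosing attribute set starts and ends outside the hunk.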
    @@ -6784,6 +7160,10 @@ in
                 main = mkOption {
                   type = types.str;
                 };
    +            externalDns = mkOption {
    +              type = types.listOf types.str;
    +              description = "List of external dns nameservers";
    +            };
               };
             };
           };
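Review bot: `externalDns` is declared without a `default`, so a host that enables this submodule without setting it fails at the first read instead of falling back to an empty list; if that is intended, state it in the description, otherwise add `default = [ ];`. An `example` would also help readers, since the description does not say what form the entries take (inferred: nameserver addresses). The enclosing submodule starts outside the hunk.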
    @@ -6801,36 +7181,8 @@ in
     
    -
    -
    3.2.1.4. Meta options (options only)
    -
    -
    -
    { lib, ... }:
    -{
    -  options = {
    -    node = {
    -      secretsDir = lib.mkOption {
    -        description = "Path to the secrets directory for this node.";
    -        type = lib.types.path;
    -        default = ./.;
    -      };
    -      name = lib.mkOption {
    -        description = "Node Name.";
    -        type = lib.types.str;
    -      };
    -      lockFromBootstrapping = lib.mkOption {
    -        description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
    -        type = lib.types.bool;
    -      };
    -    };
    -  };
    -}
    -
    -
    -
    -
    -
    3.2.1.5. Expose home-manager sops secrets in NixOS (automatically active)
    +
    3.2.1.4. Expose home-manager sops secrets in NixOS (automatically active)
    { self, lib, config, globals, ... }:
    @@ -6839,7 +7191,7 @@ let
       inherit (config.repo.secrets.common.emacs) radicaleUser;
       modules = config.home-manager.users.${mainUser}.swarselmodules;
     
    -  certsSopsFile = self + /secrets/certs/secrets.yaml;
    +  certsSopsFile = self + /secrets/repo/certs.yaml;
     in
     {
       config = lib.mkIf config.swarselsystems.withHomeManager {
    @@ -6860,7 +7212,7 @@ in
           }) // (lib.optionalAttrs modules.emacs {
             emacs-radicale-pw = { owner = mainUser; };
             github-forge-token = { owner = mainUser; };
    -      }) // (lib.optionalAttrs modules.optional.work {
    +      }) // (lib.optionalAttrs (modules ? optional-work) {
             harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
           }) // (lib.optionalAttrs modules.anki {
             anki-user = { owner = mainUser; };
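Review bot: `modules ? optional-work` on the changed line tests whether the attribute exists, not whether it is true; if `optional-work` is a declared option (for instance an `mkEnableOption`), it is always present in the user's `swarselmodules` and the `harica-root-ca` secret would be installed even where the option is false. If the previous boolean gate is intended, use `(modules.optional-work or false)` as the condition. The same existence check appears in the UWSM hunk (`niri = lib.mkIf (config.swarselmodules ? niri) {`), with the same caveat, and there the niri module definition is deleted in this commit, so that attribute presumably only exists if it is declared elsewhere.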
    @@ -6883,7 +7235,7 @@ in
     
    -
    3.2.1.6. Topology (automatically active)
    +
    3.2.1.5. Topology (automatically active)
    { lib, config, ... }:
    @@ -6905,7 +7257,7 @@ in
     
    -
    3.2.1.7. General NixOS settings (nix, stateVersion)
    +
    3.2.1.6. General NixOS settings (nix config, stateVersion)

    We disable the warnings that trigger when rebuilding with a dirty flake. At this point, I am also disabling channels and pinning the flake registry - the latter lets me use the local version of nixpkgs for commands like nix shell (without it, we will always download the newest version of nixpkgs for these commands). @@ -6947,157 +7299,161 @@ A breakdown of the flags being set:

    { self, lib, pkgs, config, outputs, inputs, minimal, globals, ... }:
    -let
    -  inherit (config.swarselsystems) mainUser;
    -  inherit (config.repo.secrets.common) atticPublicKey;
    -  settings = if minimal then { } else {
    -    environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
    -      assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
    -      { }
    -    '';
    +   let
    +     inherit (config.swarselsystems) mainUser;
    +     inherit (config.repo.secrets.common) atticPublicKey;
    +     settings = if minimal then { } else {
    +       environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
    +         assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
    +         { }
    +       '';
     
    -    nix =
    -      let
    -        flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
    -      in
    -      {
    -        settings = {
    -          connect-timeout = 5;
    -          bash-prompt-prefix = "$SHLVL:\\w ";
    -          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
    -          fallback = true;
    -          min-free = 128000000;
    -          max-free = 1000000000;
    -          flake-registry = "";
    -          auto-optimise-store = true;
    -          warn-dirty = false;
    -          max-jobs = 1;
    -          use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
    -        };
    -        gc = {
    -          automatic = true;
    -          dates = "weekly";
    -          options = "--delete-older-than 10d";
    -        };
    -        optimise = {
    -          automatic = true;
    -          dates = "weekly";
    -        };
    -        channel.enable = false;
    -        registry = rec {
    -          nixpkgs.flake = inputs.nixpkgs;
    -          # swarsel.flake = inputs.swarsel;
    -          swarsel.flake = self;
    -          n = nixpkgs;
    -          s = swarsel;
    -        };
    -        nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
    -      };
    +       nix =
    +         let
    +           flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
    +         in
    +         {
    +           settings = {
    +             connect-timeout = 5;
    +             bash-prompt-prefix = "$SHLVL:\\w ";
    +             bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
    +             fallback = true;
    +             min-free = 128000000;
    +             max-free = 1000000000;
    +             flake-registry = "";
    +             auto-optimise-store = true;
    +             warn-dirty = false;
    +             max-jobs = 1;
    +             use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
    +           };
    +           gc = {
    +             automatic = true;
    +             dates = "weekly";
    +             options = "--delete-older-than 10d";
    +           };
    +           optimise = {
    +             automatic = true;
    +             dates = "weekly";
    +           };
    +           channel.enable = false;
    +           registry = rec {
    +             nixpkgs.flake = inputs.nixpkgs;
    +             # swarsel.flake = inputs.swarsel;
    +             swarsel.flake = self;
    +             n = nixpkgs;
    +             s = swarsel;
    +           };
    +           nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
    +         };
     
    -    services.dbus.implementation = "broker";
    +       services.dbus.implementation = "broker";
     
    -    systemd.services.nix-daemon = {
    -      environment.TMPDIR = "/var/tmp";
    -    };
    +       systemd.services.nix-daemon = {
    +         environment.TMPDIR = "/var/tmp";
    +       };
     
    -  };
    -in
    -{
    -  options.swarselmodules.general = lib.mkEnableOption "general nix settings";
    -  config = lib.mkIf config.swarselmodules.general
    -    (lib.recursiveUpdate
    -      {
    -        sops.secrets.github-api-token = lib.mkIf (!minimal) {
    -          owner = mainUser;
    -        };
    +     };
    +   in
    +   {
    +     options.swarselmodules.general = lib.mkEnableOption "general nix settings";
    +     config = lib.mkIf config.swarselmodules.general
    +       (lib.recursiveUpdate
    +         {
    +           sops.secrets = lib.mkIf (!minimal) {
    +             github-api-token = { owner = mainUser; };
    +           };
     
    -        nix =
    -          let
    -            nix-version = "2_30";
    -          in
    -          {
    -            package = pkgs.nixVersions."nix_${nix-version}";
    -            settings = {
    -              experimental-features = [
    -                "nix-command"
    -                "flakes"
    -                "ca-derivations"
    -                "cgroups"
    -                "pipe-operators"
    -              ];
    -              substituters = [
    -                "https://${globals.services.attic.domain}/${mainUser}"
    -              ];
    -              trusted-public-keys = [
    -                atticPublicKey
    -              ];
    -              trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
    -            };
    -            # extraOptions = ''
    -            #   plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins
    -            #   extra-builtins-file = ${self + /nix/extra-builtins.nix}
    -            # '' + lib.optionalString (!minimal) ''
    -            #   !include ${config.sops.secrets.github-api-token.path}
    -            # '';
    -            # extraOptions = ''
    -            #   plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    -            #     buildInputs = [config.nix.package pkgs.boost];
    -            #     patches = o.patches or [];
    -            #   })}/lib/nix/plugins
    -            #   extra-builtins-file = ${self + /nix/extra-builtins.nix}
    -            # '';
    +           nix =
    +             let
    +               nix-version = "2_30";
    +             in
    +             {
    +               package = pkgs.nixVersions."nix_${nix-version}";
    +               settings = {
    +                 experimental-features = [
    +                   "nix-command"
    +                   "flakes"
    +                   "ca-derivations"
    +                   "cgroups"
    +                   "pipe-operators"
    +                 ];
    +                 substituters = [
    +                   "https://${globals.services.attic.domain}/${mainUser}"
    +                 ];
    +                 trusted-public-keys = [
    +                   atticPublicKey
    +                 ];
    +                 trusted-users = [
    +                   "@wheel"
    +                   "${config.swarselsystems.mainUser}"
    +                   (lib.mkIf config.swarselmodules.server.ssh-builder "builder")
    +                 ];
    +               };
    +               # extraOptions = ''
    +               #   plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins
    +               #   extra-builtins-file = ${self + /nix/extra-builtins.nix}
    +               # '' + lib.optionalString (!minimal) ''
    +               #   !include ${config.sops.secrets.github-api-token.path}
    +               # '';
    +               # extraOptions = ''
    +               #   plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    +               #     buildInputs = [config.nix.package pkgs.boost];
    +               #     patches = o.patches or [];
    +               #   })}/lib/nix/plugins
    +               #   extra-builtins-file = ${self + /nix/extra-builtins.nix}
    +               # '';
     
    -            extraOptions =
    -              let
    -                nix-plugins = pkgs.nix-plugins.override {
    -                  nixComponents = pkgs.nixVersions."nixComponents_${nix-version}";
    -                };
    -              in
    -              ''
    -                plugin-files = ${nix-plugins}/lib/nix/plugins
    -                extra-builtins-file = ${self + /nix/extra-builtins.nix}
    -              '' + lib.optionalString (!minimal) ''
    -                !include ${config.sops.secrets.github-api-token.path}
    -              '';
    -          };
    +               extraOptions =
    +                 let
    +                   nix-plugins = pkgs.nix-plugins.override {
    +                     nixComponents = pkgs.nixVersions."nixComponents_${nix-version}";
    +                   };
    +                 in
    +                 ''
    +                   plugin-files = ${nix-plugins}/lib/nix/plugins
    +                   extra-builtins-file = ${self + /nix/extra-builtins.nix}
    +                 '' + lib.optionalString (!minimal) ''
    +                   !include ${config.sops.secrets.github-api-token.path}
    +                 '';
    +             };
     
    -        system.stateVersion = lib.mkDefault "23.05";
    +           system.stateVersion = lib.mkDefault "23.05";
     
    -        nixpkgs = {
    -          overlays = [
    -            outputs.overlays.default
    -            (final: prev:
    -              let
    -                additions = final: _: import "${self}/pkgs/config" {
    -                  inherit self config lib;
    -                  pkgs = final;
    -                  homeConfig = config.home-manager.users.${config.swarselsystems.mainUser};
    -                };
    -              in
    -              additions final prev
    -            )
    -          ];
    -          config = {
    -            allowUnfree = true;
    -          };
    -        };
    +           nixpkgs = {
    +             overlays = [
    +               outputs.overlays.default
    +               (final: prev:
    +                 let
    +                   additions = final: _: import "${self}/pkgs/config" {
    +                     inherit self config lib;
    +                     pkgs = final;
    +                     homeConfig = config.home-manager.users.${config.swarselsystems.mainUser};
    +                   };
    +                 in
    +                 additions final prev
    +               )
    +             ];
    +             config = {
    +               allowUnfree = true;
    +             };
    +           };
     
    -      }
    -      settings);
    -}
    +         }
    +         settings);
    +   }
     
    -
    3.2.1.8. Setup home-manager base
    +
    3.2.1.7. Setup home-manager base

    We enable the use of home-manager as a NixoS module. A nice trick here is the extraSpecialArgs = inputs line, which enables the use of seflf in most parts of the configuration. This is useful to refer to the root of the flake (which is otherwise quite hard while maintaining flake purity).

    -
    { self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, ... }:
    +
    { self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, ... }:
     {
       options.swarselmodules.home-manager = lib.mkEnableOption "home-manager";
       config = lib.mkIf config.swarselmodules.home-manager {
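Review bot: Adding `builder` to `nix.settings.trusted-users` gives that account the same control over the daemon as a wheel user (it can override substituters and sandbox settings and, presumably, import unsigned paths), so the reason deserves a why-comment next to it, e.g. `# the remote-build account must be trusted so clients can push unsigned closures to this builder`. The `lib.mkIf` inside the list is fine for `listOf` options, but its condition reads `config.swarselmodules.server.ssh-builder` unconditionally, so evaluation fails on a host where `swarselmodules.server` is not declared; `(config.swarselmodules.server.ssh-builder or false)` avoids that if such hosts exist. Separately, the whole file body is now indented three spaces under the unchanged `{ self, lib, pkgs, config, outputs, inputs, minimal, globals, ... }:` header, which looks like a formatter accident rather than a deliberate change.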
    @@ -7109,7 +7465,7 @@ We enable the use of home-manager as a NixoS module. A nice trick h
           overwriteBackup = true;
           users.${config.swarselsystems.mainUser}.imports = [
             inputs.nix-index-database.homeModules.nix-index
    -        inputs.sops-nix.homeManagerModules.sops
    +        # inputs.sops.homeManagerModules.sops # this is not needed!! we add these secrets in nixos scope
             inputs.spicetify-nix.homeManagerModules.default
             inputs.swarsel-nix.homeModules.default
             {
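Review bot: The commented-out line names `inputs.sops.homeManagerModules.sops` while the line it replaces used `inputs.sops-nix.homeManagerModules.sops`, so the comment does not record what was actually removed. Either drop the dead line or keep the exact text with the explanation, e.g. `# inputs.sops-nix.homeManagerModules.sops is not imported: these secrets are declared in NixOS scope`. The enclosing `users.<user>.imports` list continues outside the hunk.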
    @@ -7130,7 +7486,7 @@ We enable the use of home-manager as a NixoS module. A nice trick h
           ];
           extraSpecialArgs = {
             inherit (inputs) self nixgl;
    -        inherit inputs outputs globals nodes minimal configName;
    +        inherit inputs outputs globals nodes minimal configName arch type;
             lib = homeLib;
           };
         };
    @@ -7141,7 +7497,7 @@ We enable the use of home-manager as a NixoS module. A nice trick h
     
    -
    3.2.1.9. User setup, Make users non-mutable
    +
    3.2.1.8. User setup, Make users non-mutable

    This ensures that all user-configuration happens here in the config file. @@ -7183,7 +7539,7 @@ For that reason, make sure that sops-nix is properly working before

    -
    3.2.1.10. Setup login keymap
    +
    3.2.1.9. Setup login keymap

    Next, we setup the keymap in case we are not in a graphical session. At this point, I always resort to us/altgr-intl, as it is comfortable to use and I do not write too much German anyways. @@ -7207,7 +7563,7 @@ Next, we setup the keymap in case we are not in a graphical session. At this poi

    -
    3.2.1.11. Time, locale settings
    +
    3.2.1.10. Time, locale settings

    Setup timezone and locale. I want to use the US layout, but have the rest adapted to my country and timezone. Also, there is an issue with running Windows/Linux dualboot on the same machine where the hardware clock desyncs between the two OS'es. We fix that bug here as well. @@ -7244,7 +7600,7 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte

    -
    3.2.1.12. PII management
    +
    3.2.1.11. PII management

    This is also exposed to home-manager configurations, in case this ever breaks, I can also go back to importing nixosConfig as an attribute in the input attribute set and call the secrets using nixosConfig.repo.secrets. @@ -7329,7 +7685,7 @@ in

    -
    3.2.1.13. Lanzaboote (secure boot)
    +
    3.2.1.12. Lanzaboote (secure boot)

    This dynamically uses systemd boot or Lanzaboote depending on the minimal system state and `config.swarselsystems.isSecureBoot`. @@ -7363,7 +7719,7 @@ This dynamically uses systemd boot or Lanzaboote depending on the minimal system

    -
    3.2.1.14. Boot
    +
    3.2.1.13. Boot
    { lib, pkgs, config, globals, ... }:
    @@ -7396,7 +7752,7 @@ This dynamically uses systemd boot or Lanzaboote depending on the minimal system
     
    -
    3.2.1.15. Impermanence
    +
    3.2.1.14. Impermanence

    This is where the impermanence magic happens. When this is enabled, the root directory is rolled back to a blanket state on each reboot. @@ -7866,8 +8222,8 @@ Here I only enable networkmanager and a few default networks. The r

    { self, lib, pkgs, config, globals, ... }:
     let
    -  certsSopsFile = self + /secrets/certs/secrets.yaml;
    -  clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
    +  certsSopsFile = self + /secrets/repo/certs.yaml;
    +  clientSopsFile = "${config.node.secretsDir}/secrets.yaml";
     
       inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
     
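Review bot: `clientSopsFile` now reads `config.node.secretsDir`, but this same commit deletes the `node.secretsDir`, `node.name` and `node.lockFromBootstrapping` declarations in the Meta options section; unless they are declared elsewhere in the repository, evaluation fails with an undefined option. The two lines also now mix a path value (`self + /secrets/repo/certs.yaml`) and a string; if `secretsDir` is a path-typed option, interpolating it copies that directory into the Nix store, which is worth a one-line comment such as `# secretsDir is interpolated as a string; a path-typed value is copied to the store here`. The `let` block continues outside the hunk.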
    @@ -8181,7 +8537,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
     
  • `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops"
  • cat ~/.ssh/sops.pub | ssh-to-age | wl-copy
  • add the output to .sops.yaml
  • -
  • cp ~/.ssh/sops.pub ~/.dotfiles/secrets/keys/NAME.pub
  • +
  • cp ~/.ssh/sops.pub ~/.dotfiles/secrets/public/NAME.pub
  • update entry for sops.age.sshKeyPaths
  • @@ -8193,8 +8549,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at sops = { # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; - age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; + age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml"; validateSopsFiles = false; @@ -8205,8 +8561,101 @@ I use sops-nix to handle secrets that I want to have available on my machines at
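Review bot: `age.sshKeyPaths` is reduced to the host key `/etc/ssh/ssh_host_ed25519_key` (under `/persist` when impermanence is on), so each host's age recipient in `.sops.yaml` must now be derived from the host key; the setup steps a few lines above still tell the reader to generate a separate key with `ssh-keygen -t ed25519 -C "NAME sops"` and copy it to `secrets/public/NAME.pub`, which the daemon no longer consults. Either update those steps to derive the recipient from the host key (`ssh-to-age` on the host's public key) or keep the user key path in the list. Decryption now also depends on the host key surviving a reinstall, so a note that the key must be restored or the host re-keyed in `.sops.yaml` before first boot would help; the surrounding `sops = { ... }` block continues past the hunk.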
    +
    +
    3.2.2.11. Remote building
    +
    +
    +
    { lib, config, globals, ... }:
    +let
    +  inherit (config.swarselsystems) homeDir mainUser isClient;
    +in
    +{
    +  options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine";
    +  config = lib.mkIf config.swarselmodules.remotebuild {
    +
    +    sops.secrets = {
    +      builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; };
    +      nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; };
    +    };
    +
    +    nix = {
    +      settings.builders-use-substitutes = true;
    +      distributedBuilds = true;
    +      buildMachines = [
    +        (lib.mkIf isClient {
    +          hostName = config.repo.secrets.common.builder1-ip;
    +          system = "aarch64-linux";
    +          maxJobs = 20;
    +          speedFactor = 10;
    +        })
    +        (lib.mkIf isClient {
    +          hostName = globals.hosts.belchsfactory.wanAddress4;
    +          system = "aarch64-linux";
    +          maxJobs = 4;
    +          speedFactor = 2;
    +          protocol = "ssh-ng";
    +        })
    +        {
    +          hostName = "eu.nixbuild.net";
    +          system = "x86_64-linux";
    +          maxJobs = 100;
    +          speedFactor = 2;
    +          supportedFeatures = [ "big-parallel" ];
    +        }
    +      ];
    +    };
    +    programs.ssh = {
    +      knownHosts = {
    +        nixbuild = {
    +          hostNames = [ "eu.nixbuild.net" ];
    +          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
    +        };
    +        builder1 = lib.mkIf isClient {
    +          hostNames = [ config.repo.secrets.common.builder1-ip ];
    +          publicKey = config.repo.secrets.common.builder1-pubHostKey;
    +        };
    +        jump = lib.mkIf isClient {
    +          hostNames = [ globals.hosts.liliputsteps.wanAddress4 ];
    +          publicKey = config.repo.secrets.common.jump-pubHostKey;
    +        };
    +        builder2 = lib.mkIf isClient {
    +          hostNames = [ globals.hosts.belchsfactory.wanAddress4 ];
    +          publicKey = config.repo.secrets.common.builder2-pubHostKey;
    +        };
    +      };
    +      extraConfig = ''
    +        Host eu.nixbuild.net
    +          ConnectTimeout 1
    +          PubkeyAcceptedKeyTypes ssh-ed25519
    +          ServerAliveInterval 60
    +          IPQoS throughput
    +          IdentityFile ${config.sops.secrets.nixbuild-net-key.path}
    +      '' + lib.optionalString isClient ''
    +        Host ${config.repo.secrets.common.builder1-ip}
    +          ConnectTimeout 1
    +          User ${mainUser}
    +          IdentityFile ${config.sops.secrets.builder-key.path}
    +
    +        Host ${globals.hosts.belchsfactory.wanAddress4}
    +          ConnectTimeout 5
    +          ProxyJump ${globals.hosts.liliputsteps.wanAddress4}
    +          User builder
    +          IdentityFile ${config.sops.secrets.builder-key.path}
    +
    +        Host ${globals.hosts.liliputsteps.wanAddress4}
    +          ConnectTimeout 1
    +          User jump
    +          IdentityFile ${config.sops.secrets.builder-key.path}
    +      '';
    +    };
    +  };
    +}
    +
    +
    +
    +
    -
    3.2.2.11. Theme (stylix)
    +
    3.2.2.12. Theme (stylix)

    By default, stylix wants to style GRUB as well. However, I think that looks horrible. @@ -8240,7 +8689,7 @@ By default, stylix wants to style
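Review bot: The new remote-building module has no prose under its heading, unlike the neighbouring sections; a short paragraph stating that builds are dispatched to `builder1`, `belchsfactory` (via the `liliputsteps` jump host) and `eu.nixbuild.net`, and that each host key is pinned in `programs.ssh.knownHosts`, would orient a reader. `ConnectTimeout 1` on the `eu.nixbuild.net`, `builder1` and `liliputsteps` entries is tight: on a slow link the daemon will likely treat the builder as unavailable and build locally without an obvious error, so consider a larger value or a comment saying that fast fallback is intended. The `nixbuild-net-key` secret is declared unconditionally while every other client-side entry is guarded by `lib.mkIf isClient`; if non-client hosts also build on nixbuild.net that is fine, but a comment would make it explicit.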

    -
    3.2.2.12. Programs (including zsh setup)
    +
    3.2.2.13. Programs (including zsh setup)

    Some programs profit from being installed through dedicated NixOS settings on system-level; these go here. Notably the zsh setup goes here and cannot be deleted under any circumstances. @@ -8262,7 +8711,7 @@ Some programs profit from being installed through dedicated NixOS settings on sy

    -
    3.2.2.12.1. zsh
    +
    3.2.2.13.1. zsh

    Here I disable global completion to prevent redundant compinit calls and cache invalidation that slow down shell startup (enabled on the home-manager side). @@ -8287,7 +8736,7 @@ Here I disable global completion to prevent redundant compinit calls and cache i

    -
    3.2.2.12.2. syncthing
    +
    3.2.2.13.2. syncthing
    { lib, config, pkgs, ... }:
    @@ -8347,14 +8796,14 @@ in
     
    -
    3.2.2.13. Services
    +
    3.2.2.14. Services

    Setting up some hardware services as well as keyboard related settings. Here we make sure that we can use the CAPS key as a ESC/CTRL double key, which is a lifesaver.

    -
    3.2.2.13.1. blueman
    +
    3.2.2.14.1. blueman

    Enables the blueman service including the nice system tray icon. @@ -8374,7 +8823,7 @@ Enables the blueman service including the nice system tray icon.

    -
    3.2.2.13.2. Network devices
    +
    3.2.2.14.2. Network devices

    In this section we enable compatibility with several network devices I have at home, mainly printers and scanners. @@ -8425,7 +8874,7 @@ Avahi is the service used for the network discovery.

    -
    3.2.2.13.3. enable GVfs
    +
    3.2.2.14.3. enable GVfs

    This is being set to allow myself to use all functions of nautilus in NixOS @@ -8444,7 +8893,7 @@ This is being set to allow myself to use all functions of nautilus in NixOS

    -
    3.2.2.13.4. interception-tools: Make CAPS work as ESC/CTRL
    +
    3.2.2.14.4. interception-tools: Make CAPS work as ESC/CTRL

    This is a super-convenient package that lets my remap my CAPS key to ESC if pressed shortly, and CTRL if being held. @@ -8488,7 +8937,7 @@ This is a super-convenient package that lets my remap my CAPS key t

    -
    3.2.2.13.5. keyd: remap SUPER
    +
    3.2.2.14.5. keyd: remap SUPER
    { lib, config, ... }:
    @@ -8519,7 +8968,7 @@ in
     
    -
    3.2.2.13.6. power-profiles-daemon
    +
    3.2.2.14.6. power-profiles-daemon

    This enables power profile management. The available modes are: @@ -8548,7 +8997,7 @@ Most of the time I am using power-saver, however, it is good to be

    -
    3.2.2.13.7. SwayOSD
    +
    3.2.2.14.7. SwayOSD
    { lib, pkgs, config, ... }:
    @@ -8579,11 +9028,11 @@ Most of the time I am using power-saver, however, it is good to be
     
    -
    3.2.2.14. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules
    +
    3.2.2.15. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules
    -
    3.2.2.14.1. Yubikey
    +
    3.2.2.15.1. Yubikey

    This takes care of the main Yubikey related configuration on the NixOS side - note that the starting of the gpg-agent is done in the sway settings, to also perform this step of the setup for non NixOS-machines at the same time. @@ -8642,7 +9091,7 @@ in

    -
    3.2.2.14.2. Ledger
    +
    3.2.2.15.2. Ledger

    This performs the necessary configuration to support this hardware. @@ -8666,7 +9115,7 @@ This performs the necessary configuration to support this hardware.

    -
    3.2.2.14.3. Keyboards
    +
    3.2.2.15.3. Keyboards

    This loads some udev rules that I need for my split keyboards. @@ -8690,7 +9139,7 @@ This loads some udev rules that I need for my split keyboards.

    -
    3.2.2.15. System Login (greetd)
    +
    3.2.2.16. System Login (greetd)

    This section houses the greetd related settings. I do not really want to use a display manager, but it is useful to have setup in some ways - in my case for starting sway on system startup. Notably the default user login setting that is commented out here goes into the system specific settings, make sure to update it there @@ -8727,7 +9176,7 @@ This section houses the greetd related settings. I do not really want to use a d

    -
    3.2.2.16. nix-ld
    +
    3.2.2.17. nix-ld

    This provides libraries for binaries that are not patched for use on NixOS. This really makes the biggest gripe with NixOS go away, that being having to run a binary that is only found in a single spot. It is most of the times possible to patch such a file, but this makes such a situation take much less time to resolve. @@ -8861,7 +9310,7 @@ When a program does not work, start with nix-ldd <program>. T

    -
    3.2.2.17. Summary of nixos-rebuild diff
    +
    3.2.2.18. Summary of nixos-rebuild diff

    This snipped is added to the activation script that is run after every rebuild and shows what packages have been added and removed. This is actually not the optimal place to add that snipped, but the correct spot is in some perl file that I have not had the leisure to take a look at yet. @@ -8891,7 +9340,7 @@ This snipped is added to the activation script that is run after every rebuild a

    -
    3.2.2.18. gnome-keyring
    +
    3.2.2.19. gnome-keyring

    Used for storing sessions in e.g. Nextcloud. Using this on a system level keeps the login information when logging out of the session as well. @@ -8914,7 +9363,7 @@ Used for storing sessions in e.g. Nextcloud. Using this on a system level keeps

    -
    3.2.2.19. Sway
    +
    3.2.2.20. Sway

    This is used to better integrate Sway into the system on NixOS hosts. On the home-manager side, the package attribute will be null for such an host, using the systems derivation instead. @@ -8945,7 +9394,7 @@ in

    -
    3.2.2.20. xdg-portal (Screensharing)
    +
    3.2.2.21. xdg-portal (Screensharing)

    This allows me to use screen sharing on Wayland. The implementation is a bit crude and only the whole screen can be shared. However, most of the time that is all I need to do anyways. @@ -8977,7 +9426,7 @@ This allows me to use screen sharing on Wayland. The implementation is a bit cru

    -
    3.2.2.21. Podman (distrobox)
    +
    3.2.2.22. Podman (distrobox)

    I am using distrobox to quickly circumvent isses that I cannot immediately solve on NixOS. It is always the goal to quickly get things working on NixOS, but this prevents me from getting completely stuck. @@ -9005,7 +9454,7 @@ I am using distrobox to quickly circumvent isses that I cannot immediately solve

    -
    3.2.2.22. Appimage
    +
    3.2.2.23. Appimage

    Adds the necessary tools to allow .appimage programs easily. @@ -9028,7 +9477,7 @@ Adds the necessary tools to allow .appimage programs easily.

    -
    3.2.2.23. Handle lid switch correctly
    +
    3.2.2.24. Handle lid switch correctly

    This turns off the display when the lid is closed. @@ -9077,7 +9526,7 @@ This turns off the display when the lid is closed.

    -
    3.2.2.24. Low battery notification
    +
    3.2.2.25. Low battery notification

    Since I hide the waybar completely during normal operation, I run the risk of not noticing when my battery is about to run out. This module sends a notification when the battery level falls below 10%. Written by cafkafk. @@ -9118,7 +9567,7 @@ Since I hide the waybar completely during normal operation, I run the risk of no

    -
    3.2.2.25. Auto-login
    +
    3.2.2.26. Auto-login

    Auto login for the initial session. @@ -9143,7 +9592,7 @@ in

    -
    3.2.2.26. UWSM
    +
    3.2.2.27. UWSM

    Auto login for the initial session. @@ -9165,7 +9614,7 @@ in comment = "Sway compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/sway"; }; - niri = { + niri = lib.mkIf (config.swarselmodules ? niri) { prettyName = "Niri"; comment = "Niri compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/niri-session"; @@ -9178,47 +9627,6 @@ in
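Review bot: `niri = lib.mkIf (config.swarselmodules ? niri)` tests whether the `niri` option is declared at all, not whether it is enabled, so a host that imports a (re-added) niri module with `swarselmodules.niri = false` would still get a UWSM session entry pointing at `/run/current-system/sw/bin/niri-session`, which is not installed in that case. Since this commit deletes the Niri module, "declared" is presumably what is meant today, but `niri = lib.mkIf (config.swarselmodules.niri or false) {` covers both the absent and the disabled case with no extra cost. The enclosing UWSM attribute set starts and ends outside the hunk.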

    -
    -
    3.2.2.27. Niri
    -
    -

    -Auto login for the initial session. -

    - -
    -
    { lib, config, pkgs, ... }:
    -let
    -  moduleName = "niri";
    -in
    -{
    -  options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
    -  config = lib.mkIf config.swarselmodules.${moduleName} {
    -
    -    environment.systemPackages = with pkgs; [
    -      wl-clipboard
    -      wayland-utils
    -      libsecret
    -      cage
    -      gamescope
    -      xwayland-satellite-unstable
    -    ];
    -
    -
    -    programs.niri = {
    -      enable = true;
    -      package = pkgs.niri-unstable; # the actual niri that will be installed and used
    -    };
    -  } // {
    -    niri-flake.cache.enable = true;
    -    programs.niri = {
    -      package = null;
    -    };
    -  };
    -}
    -
    -
    -
    -

    3.2.3. Server

    @@ -9398,7 +9806,7 @@ in
    { pkgs, lib, config, ... }:
     let
    -  inherit (config.repo.secrets.common) dnsProvider;
    +  inherit (config.repo.secrets.common) dnsProvider dnsBase;
       inherit (config.repo.secrets.common.mail) address3;
     
       serviceUser = "nginx";
    @@ -9461,9 +9869,12 @@ in
         ];
     
         sops = {
    -      secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
    +      secrets = {
    +        acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
    +      };
           templates."certs.secret".content = ''
    -        CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token}
    +        ACME_DNS_API_BASE=${dnsBase}
    +        ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token}
           '';
         };
     
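Review bot: `ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token}` renders the decrypted secret value into the template, but lego's acme-dns provider reads `ACME_DNS_STORAGE_PATH` as the path of its JSON account-storage file, not as a credential. Unless that secret literally contains a filesystem path, the line should point at the rendered file, `ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-dns-token.path}`, with the secret holding the account JSON. Bear in mind the provider also tries to write to that file when it registers a new domain, which a read-only sops-managed secret will not allow — confirm against the lego version in use. The enclosing module starts and ends outside the hunk.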
    @@ -9579,6 +9990,10 @@ Here I am forcing startWhenNeeded to false so that the value will n
             PasswordAuthentication = false;
             KbdInteractiveAuthentication = false;
             PermitRootLogin = "yes";
    +        AllowUsers = [
    +          "root"
    +          config.swarselsystems.mainUser
    +        ];
           };
           hostKeys = [
             {
    @@ -9588,12 +10003,14 @@ Here I am forcing startWhenNeeded to false so that the value will n
           ];
         };
         users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [
    -      (self + /secrets/keys/ssh/yubikey.pub)
    -      (self + /secrets/keys/ssh/magicant.pub)
    +      (self + /secrets/public/ssh/yubikey.pub)
    +      (self + /secrets/public/ssh/magicant.pub)
    +      # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
         ];
         users.users.root.openssh.authorizedKeys.keyFiles = [
    -      (self + /secrets/keys/ssh/yubikey.pub)
    -      (self + /secrets/keys/ssh/magicant.pub)
    +      (self + /secrets/public/ssh/yubikey.pub)
    +      (self + /secrets/public/ssh/magicant.pub)
    +      # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
         ];
         security.sudo.extraConfig = ''
           Defaults    env_keep+=SSH_AUTH_SOCK
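Review bot: The commented-out `(lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))` will not work once uncommented: `lib.mkIf` is only resolved in attribute-set positions, and inside a list literal it is handed to `keyFiles` as a plain attrset and fails type checking. The working form is `] ++ lib.optional config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub);`. Separately, authorising `jump.pub` for `root` (second list) would turn the bastion's jump identity into a root credential on every target; granting it only to the main user, or to a dedicated restricted account, keeps a bastion compromise from being root everywhere. The enclosing module starts and ends outside the hunk.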
    @@ -9604,8 +10021,130 @@ Here I am forcing startWhenNeeded to false so that the value will n
     
    +
    +
    3.2.3.7. Bastion
    +
    +
    +
    { self, lib, config, ... }:
    +{
    +  options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server";
    +  config = lib.mkIf config.swarselmodules.server.bastion {
    +
    +    users = {
    +      groups = {
    +        jump = { };
    +      };
    +      users = {
    +        "jump" = {
    +          isNormalUser = true;
    +          useDefaultShell = true;
    +          group = lib.mkForce "jump";
    +          createHome = lib.mkForce true;
    +          openssh.authorizedKeys.keyFiles = [
    +            (self + /secrets/public/ssh/yubikey.pub)
    +            (self + /secrets/public/ssh/magicant.pub)
    +            (self + /secrets/public/ssh/builder.pub)
    +          ];
    +        };
    +      };
    +    };
    +
    +
    +    services.openssh = {
    +      enable = true;
    +      startWhenNeeded = lib.mkForce false;
    +      authorizedKeysInHomedir = false;
    +      extraConfig = ''
    +        Match User jump
    +          PermitTTY no
    +          X11Forwarding no
    +          PermitTunnel no
    +          GatewayPorts no
    +          AllowAgentForwarding no
    +      '';
    +      settings = {
    +        PasswordAuthentication = false;
    +        KbdInteractiveAuthentication = false;
    +        PermitRootLogin = lib.mkDefault "no";
    +        AllowUsers = [
    +          "jump"
    +        ];
    +      };
    +      hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [
    +        {
    +          path = "/etc/ssh/ssh_host_ed25519_key";
    +          type = "ed25519";
    +        }
    +      ];
    +    };
    +
    +    home-manager.users.jump.config = {
    +      home.stateVersion = lib.mkDefault "23.05";
    +      programs.ssh = {
    +        enable = true;
    +        enableDefaultConfig = false;
    +        matchBlocks = {
    +          "*" = {
    +            forwardAgent = false;
    +          };
    +        } // config.repo.secrets.local.ssh.hosts;
    +      };
    +    };
    +  };
    +}
    +
    +
    +
    +
    +
    +
    3.2.3.8. ssh builder config
    +
    +

    +Restricts access to the system by the nix build user as per https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834. +

    + +
    +
    { self, pkgs, lib, config, ... }:
    +let
    +  ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" ";
    +
    +  wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" ''
    +    case $SSH_ORIGINAL_COMMAND in
    +      "nix-daemon --stdio")
    +        exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio
    +        ;;
    +      "nix-store --serve --write")
    +        exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write
    +        ;;
    +      *)
    +        echo "Access only allowed for using the nix remote builder" 1>&2
    +        exit
    +    esac
    +  '';
    +in
    +{
    +  options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server";
    +  config = lib.mkIf config.swarselmodules.server.ssh-builder {
    +    users = {
    +      groups.builder = { };
    +      users.builder = {
    +        useDefaultShell = true;
    +        isSystemUser = true;
    +        group = "builder";
    +        openssh.authorizedKeys.keys = [
    +          ''${ssh-restrict} ${builtins.readFile "${self}/secrets/public/ssh/builder.pub"}''
    +        ];
    +      };
    +    };
    +
    +  };
    +}
    +
    +
    +
    +
    -
    3.2.3.7. Network settings
    +
    3.2.3.9. Network settings

    Generate hostId using head -c4 /dev/urandom | od -A none -t x4 @@ -9614,29 +10153,47 @@ Generate hostId using head -c4 /dev/urandom | od -A none -t x4
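Review bot: In the Bastion section's `Match User jump` block, TCP forwarding is left unrestricted, so any holder of the three authorised keys can use the host as a general proxy (`ssh -L`/`-D`) into everything the bastion can reach, and `PermitTTY no` alone still lets `ssh jump@bastion <cmd>` run non-interactive commands in the jump user's default shell. Adding `AllowTcpForwarding local` with one `PermitOpen <target>:22` per intended target, plus `ForceCommand /run/current-system/sw/bin/false` (a ProxyJump `-W` hop opens a direct-tcpip channel without a session, so as far as I can tell it keeps working), limits the account to hopping. In the ssh builder wrapper, the rejection branch ends with a bare `exit`, which returns the status of the preceding `echo` (0), so an unexpected `SSH_ORIGINAL_COMMAND` fails silently from the client's point of view; make it `exit 1`. `restrict,pty` also re-grants the PTY that `restrict` just removed, which neither `nix-daemon --stdio` nor `nix-store --serve --write` needs. Both modules are contained entirely in this hunk.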

    { lib, config, ... }:
     let
    -  inherit (config.swarselsystems.server) localNetwork;
    +  netConfig = config.repo.secrets.local.networking;
    +  netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}";
    +  netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
     in
     {
    -  options.swarselmodules.server.network = lib.mkEnableOption "enable server network config";
    -  options.swarselsystems.server.localNetwork = lib.mkOption {
    -    type = lib.types.str;
    -    default = "home";
    +  options = {
    +    swarselmodules.server.network = lib.mkEnableOption "enable server network config";
    +    swarselsystems.server = {
    +      localNetwork = lib.mkOption {
    +        type = lib.types.str;
    +        default = "";
    +      };
    +      netConfigName = lib.mkOption {
    +        type = lib.types.str;
    +        default = netName;
    +        readOnly = true;
    +      };
    +      netConfigPrefix = lib.mkOption {
    +        type = lib.types.str;
    +        default = netPrefix;
    +        readOnly = true;
    +      };
    +    };
       };
       config = lib.mkIf config.swarselmodules.server.network {
     
    -    globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = {
    -      inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id;
    -      mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null;
    +    swarselsystems.server.localNetwork = netConfig.localNetwork or "";
    +
    +    globals.networks.${netName}.hosts.${config.node.name} = {
    +      inherit (netConfig.networks.${netConfig.localNetwork}) id;
    +      mac = netConfig.networks.${netConfig.localNetwork}.mac or null;
         };
     
         globals.hosts.${config.node.name} = {
           inherit (config.repo.secrets.local.networking) defaultGateway4;
    -      wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null;
    -      wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null;
    +      wanAddress4 = netConfig.wanAddress4 or null;
    +      wanAddress6 = netConfig.wanAddress6 or null;
         };
     
         networking = {
    -      inherit (config.repo.secrets.local.networking) hostId;
    +      inherit (netConfig) hostId;
           hostName = config.node.name;
           nftables.enable = lib.mkDefault false;
           enableIPv6 = lib.mkDefault true;
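Review bot: `swarselsystems.server.localNetwork = netConfig.localNetwork or "";` tolerates a missing `localNetwork` key, but two lines later `netConfig.networks.${netConfig.localNetwork}` indexes `networks.""` and fails with an unhelpful "attribute '' missing", so the fallback only moves the error. Either drop the `or ""` so the missing key is reported where it is read, or guard the `globals.networks` entry with `lib.mkIf (netConfig ? localNetwork)`. Note also that `netName` is derived from the option value while the hosts entry reads `netConfig.localNetwork` directly; reading `config.swarselsystems.server.localNetwork` in both places keeps them from drifting if the option is ever overridden. The module is contained entirely in this hunk.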
    @@ -9652,7 +10209,7 @@ in
     
    -
    3.2.3.8. Disk encryption
    +
    3.2.3.10. Disk encryption

    The hostkey can be generated with ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key. @@ -9668,11 +10225,75 @@ Use lspci -nn | grep -i network to find out manufacturer info:

    -
    -04:00.0 Network controller [0280]: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter [14c3:0616]
    -
    + +++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    04:00.0Networkcontroller[0280]:MEDIATEKCorp.MT7922802.11axPCIExpressWirelessNetworkAdapter[14c3:0616]
    6a:00.0Ethernetcontroller[0200]:IntelCorporationI210GigabitNetworkConnection[8086:1533](rev03) 
    +

    From the last bracket you then find out the correct kernel module:

    @@ -9776,8 +10397,8 @@ From the last bracket you then find out the correct kernel module:
    { self, pkgs, lib, config, globals, minimal, ... }:
     let
    -  localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
    -  subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4;
    +  localIp = globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4;
    +  subnetMask = globals.networks.${config.swarselsystems.server.netConfigName}.subnetMask4;
       gatewayIp = globals.hosts.${config.node.name}.defaultGateway4;
     
       hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key";
    @@ -9812,7 +10433,7 @@ in
           files = [ hostKeyPathBase ];
         };
     
    -    boot = lib.mkIf (!config.swarselsystems.isLaptop) {
    +    boot = lib.mkIf (!config.swarselsystems.isClient) {
           kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [
             "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
           ];
    @@ -9825,8 +10446,8 @@ in
                 enable = true;
                 port = 2222; # avoid hostkey changed nag
                 authorizedKeys = [
    -              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''
    -              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}''
    +              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}''
    +              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}''
                 ];
                 hostKeys = [ hostKeyPathBase ];
               };
    @@ -9866,8 +10487,158 @@ in
     
    +
    +
    3.2.3.11. Wireguard
    +
    +
    +
    { lib, config, confLib ... }:
    +let
    +  wgInterface = "wg0";
    +  inherit (confLib.gen { name = "wireguard"; port = 52829; user = "systemd-network"; group = "systemd-network"; }) servicePort serviceName serviceUser serviceGroup;
    +
    +  inherit (config.swarselsystems) sopsFile;
    +  inherit (config.swarselsystems.server.wireguard) peers isClient isServer;
    +in
    +{
    +  options = {
    +    swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
    +    swarselsystems.server.wireguard = {
    +      isServer = lib.mkEnableOption "set this as a wireguard server";
    +      peers = lib.mkOption {
    +        type = lib.types.listOf (lib.types.submodule {
    +          freeformType = lib.types.attrs;
    +          options = { };
    +        });
    +        default = [ ];
    +        description = "Wireguard peer submodules as expected by systemd.network.netdevs.<name>.wireguardPeers";
    +      };
    +      ;
    +      };
    +      config = lib.mkIf config.swarselmodules.${serviceName} {
    +
    +        sops = {
    +          secrets = {
    +            wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
    +            wireguard-home-preshared-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
    +          };
    +        };
    +
    +        networking = {
    +          firewall.allowedUDPPorts = [ servicePort ];
    +          nat = {
    +            enable = true;
    +            enableIPv6 = true;
    +            externalInterface = "ens6";
    +            internalInterfaces = [ wgInterface ];
    +          };
    +        };
    +
    +        systemd.network = {
    +          enable = true;
    +
    +          networks."50-${wgInterface}" = {
    +            matchConfig.Name = wgInterface;
    +
    +            networkConfig = {
    +              IPv4Forwarding = true;
    +              IPv6Forwarding = true;
    +            };
    +
    +            address = [
    +              "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4}"
    +              "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6}"
    +            ];
    +          };
    +
    +          netdevs."50-wg0" = {
    +            netdevConfig = {
    +              Kind = "wireguard";
    +              Name = wgInterface;
    +            };
    +
    +            wireguardConfig = {
    +              ListenPort = lib.mkIf isServer servicePort;
    +
    +              # ensure file is readable by `systemd-network` user
    +              PrivateKeyFile = config.age.secrets.wg-key-vps.path;
    +
    +              # To automatically create routes for everything in AllowedIPs,
    +              # add RouteTable=main
    +              # RouteTable = "main";
    +
    +              # FirewallMark marks all packets send and received by wg0
    +              # with the number 42, which can be used to define policy rules on these packets.
    +              # FirewallMark = 42;
    +            };
    +            wireguardPeers = peers ++ lib.optionals isClient [
    +              {
    +                PublicKey = builtins.readFile "${self}/secrets/public/wg/${config.node.name}.pub";
    +                PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path;
    +                Endpoint = "${globals.hosts.${config.node.name}.wanAddress4}:${toString servicePort}";
    +                # Access to the whole network is routed through our entry node.
    +                AllowedIPs =
    +                  (optional (networkCfg.cidrv4 != null) networkCfg.cidrv4)
    +                    ++ (optional (networkCfg.cidrv6 != null) networkCfg.cidrv6);
    +              }
    +            ];
    +          };
    +        };
    +
    +        # networking = {
    +        #   wireguard = {
    +        #     enable = true;
    +        #     interfaces = {
    +        #       wg1 = {
    +        #         privateKeyFile = config.sops.secrets.wireguard-private-key.path;
    +        #         ips = [ "192.168.178.201/24" ];
    +        #         peers = [
    +        #           {
    +        #             publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
    +        #             presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
    +        #             name = "moonside";
    +        #             persistentKeepalive = 25;
    +        #             # endpoint = "${config.repo.secrets.common.ipv4}:51820";
    +        #             endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
    +        #             # allowedIPs = [
    +        #             #   "192.168.3.0/24"
    +        #             #   "192.168.1.0/24"
    +        #             # ];
    +        #             allowedIPs = [
    +        #               "192.168.178.0/24"
    +        #             ];
    +        #           }
    +        #         ];
    +        #       };
    +        #     };
    +        #   };
    +        # };
    +
    +
    +      };
    +    }
    +
    +
    +
    +
    +
    +
    3.2.3.12. BTRFS
    +
    +
    +
    { lib, config, ... }:
    +{
    +  options.swarselmodules.btrfs = lib.mkEnableOption "optional btrfs settings";
    +  config = lib.mkIf config.swarselmodules.btrfs {
    +    boot = {
    +      supportedFilesystems = lib.mkIf config.swarselsystems.isBtrfs [ "btrfs" ];
    +    };
    +  };
    +}
    +
    +
    +
    +
    -
    3.2.3.9. Router
    +
    3.2.3.13. Router
    { lib, config, ... }:
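Review bot: The Wireguard module cannot evaluate as written: `{ lib, config, confLib ... }:` is missing a comma, there is a stray `;` on its own line after the `peers` option, and since the `options = {` set is never closed before `config = lib.mkIf …`, the whole config ends up declared under `options`. It also refers to names that are neither in scope nor declared — `isClient`, `globals`, `self`, `optional` (should be `lib.optional`), `networkCfg`, `config.age.secrets.wg-key-vps` (an agenix path, while the secrets declared here are sops `wireguard-private-key`/`wireguard-home-preshared-key`) and `config.sops.secrets."<node>-presharedKey"` — and on the client side the peer `PublicKey` is read from the node's own `<node>.pub`, which looks like its own key rather than the server's. Security-wise, `networking.nat` (hard-coded `externalInterface = "ens6"`), `IPv4Forwarding`/`IPv6Forwarding` and the opened UDP port apply to every host that enables the module, not just the server, so a client would become a NAT router; gate them on `isServer`. `builtins.readFile` on the `.pub` file keeps the trailing newline, which networkd's `PublicKey=` rejects — `lib.fileContents` strips it. The module is contained entirely in this hunk; a corrected skeleton (peer details left as in the hunk):
```nix
{ self, lib, config, globals, confLib, ... }:
# … unchanged: let bindings …
{
  options = {
    swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
    swarselsystems.server.wireguard = {
      isServer = lib.mkEnableOption "set this as a wireguard server";
      isClient = lib.mkEnableOption "set this as a wireguard client";
      # … unchanged: peers option …
    };
  };
  config = lib.mkIf config.swarselmodules.${serviceName} {
    # … unchanged: sops.secrets …
    networking.firewall.allowedUDPPorts = lib.mkIf isServer [ servicePort ];
    networking.nat = lib.mkIf isServer {
      # … unchanged: enable, enableIPv6, externalInterface, internalInterfaces …
    };
    # … unchanged: systemd.network.networks …
    systemd.network.netdevs."50-${wgInterface}".wireguardConfig.PrivateKeyFile =
      config.sops.secrets.wireguard-private-key.path;
    # … unchanged: wireguardPeers, with PublicKey = lib.fileContents … and PresharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path …
  };
}
```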
    @@ -9931,7 +10702,7 @@ in
     
    -
    3.2.3.10. kavita
    +
    3.2.3.14. kavita
    { self, lib, config, pkgs, globals, dns, confLib, ... }:
    @@ -9947,7 +10718,7 @@ in
           calibre
         ];
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
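Review bot: Hard-coding the DNS host as `nodes.stoicclub.swarselsystems.server.dns…` in every service module (this hunk, and the same edit repeated for jellyfin, navidrome, matrix and the rest below) ties each service definition to one node name, so moving the DNS zone to another host means touching every module. Reading the node name from a single attribute in the `globals` set these modules already consume would keep them portable. Contributing to another node's configuration from a service module also makes evaluating `stoicclub` depend on every node that defines a service; that is fine for a single-repo deployment but deserves a one-line comment at the assignment noting the cross-node dependency. The enclosing module starts and ends outside the hunk.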
    @@ -10009,7 +10780,7 @@ in
     
    -
    3.2.3.11. jellyfin
    +
    3.2.3.15. jellyfin
    { pkgs, lib, config, globals, dns, confLib, ... }:
    @@ -10020,7 +10791,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -10087,7 +10858,7 @@ in
     
    -
    3.2.3.12. navidrome
    +
    3.2.3.16. navidrome
    { pkgs, config, lib, globals, dns, confLib, ... }:
    @@ -10098,7 +10869,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -10257,7 +11028,7 @@ in
     
    -
    3.2.3.13. spotifyd
    +
    3.2.3.17. spotifyd
    { lib, config, confLib, ... }:
    @@ -10313,7 +11084,7 @@ in
     
    -
    3.2.3.14. mpd
    +
    3.2.3.18. mpd
    { self, lib, config, pkgs, confLib, ... }:
    @@ -10383,7 +11154,7 @@ in
     
    -
    3.2.3.15. pipewire
    +
    3.2.3.19. pipewire
    { lib, config, ... }:
    @@ -10411,7 +11182,7 @@ in
     
    -
    3.2.3.16. postgresql
    +
    3.2.3.20. postgresql
    { config, lib, pkgs, confLib, ... }:
    @@ -10441,7 +11212,7 @@ in
     
    -
    3.2.3.17. matrix
    +
    3.2.3.21. matrix
    { lib, config, pkgs, globals, dns, confLib, ... }:
    @@ -10466,7 +11237,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -10800,7 +11571,7 @@ in
     
    -
    3.2.3.18. nextcloud
    +
    3.2.3.22. nextcloud
    { pkgs, lib, config, globals, dns, confLib, ... }:
    @@ -10815,7 +11586,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -10886,7 +11657,7 @@ in
     
    -
    3.2.3.19. immich
    +
    3.2.3.23. immich
    { lib, pkgs, config, globals, dns, confLib, ... }:
    @@ -10897,7 +11668,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -10968,7 +11739,7 @@ in
     
    -
    3.2.3.20. paperless (tika, gotenberg)
    +
    3.2.3.24. paperless (tika, gotenberg)

    This is my personal document management system. It automatically pulls documents from several sources, the only manual step for physical documents is to put them in my scanner and use email delivery. @@ -10992,7 +11763,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -11116,7 +11887,7 @@ in

    -
    3.2.3.21. transmission
    +
    3.2.3.25. transmission
    { self, pkgs, lib, config, confLib, ... }:
    @@ -11304,7 +12075,7 @@ in
     
    -
    3.2.3.22. syncthing
    +
    3.2.3.26. syncthing
    { lib, config, globals, dns, confLib, ... }:
    @@ -11351,7 +12122,7 @@ in
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -11455,7 +12226,7 @@ in
     
    -
    3.2.3.23. restic
    +
    3.2.3.27. restic

    This manages backups for my pictures and obsidian files. @@ -11529,7 +12300,7 @@ in

    -
    3.2.3.24. monitoring (Grafana, Prometheus)
    +
    3.2.3.28. monitoring (Grafana, Prometheus)

    This section exposes several metrics that I use to check the health of my server. I need to expand on the exporters section at some point, but for now I have everything I need. @@ -11549,12 +12320,14 @@ let kanidmDomain = globals.services.kanidm.domain; inherit (config.swarselsystems) sopsFile; + + sopsFile2 = "${config.node.secretsDir}/secrets2.yaml"; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -11563,7 +12336,7 @@ in grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; + prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; }; templates = { @@ -11790,7 +12563,7 @@ in

    -
    3.2.3.25. Jenkins
    +
    3.2.3.29. Jenkins

    This is a WIP Jenkins instance. It is used to automatically build a new system when pushes to the main repository are detected. I have turned this service off for now however, as I actually prefer to start my builds manually. @@ -11805,7 +12578,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -11855,7 +12628,7 @@ in

    -
    3.2.3.26. Emacs elfeed (RSS Server)
    +
    3.2.3.30. Emacs elfeed (RSS Server)

    This was an approach of hosting an RSS server from within emacs. That would have been useful as it would have allowed me to allow my feeds from any device. However, it proved impossible to do bidirectional syncing, so I abandoned this configuration in favor of FreshRSS. @@ -11886,7 +12659,7 @@ in

    -
    3.2.3.27. FreshRSS
    +
    3.2.3.31. FreshRSS

    FreshRSS is a more 'classical' RSS aggregator that I can just host as a distinct service. This also has its upsides because I jave more control over the state this way. @@ -11915,7 +12688,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -12018,7 +12791,7 @@ in

    -
    3.2.3.28. forgejo (git server)
    +
    3.2.3.32. forgejo (git server)
    { lib, config, pkgs, globals, dns, confLib, ... }:
    @@ -12032,7 +12805,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -12185,7 +12958,7 @@ in
     
    -
    3.2.3.29. Anki Sync Server
    +
    3.2.3.33. Anki Sync Server
    { self, lib, config, globals, dns, confLib, ... }:
    @@ -12199,7 +12972,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -12263,7 +13036,7 @@ in
     
    -
    3.2.3.31. oauth2-proxy
    +
    3.2.3.35. oauth2-proxy
    { lib, config, globals, dns, confLib, ... }:
    @@ -12816,7 +13589,7 @@ in
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -12927,7 +13700,7 @@ in
     
    -
    3.2.3.32. Firefly-III
    +
    3.2.3.36. Firefly-III
    { self, lib, config, globals, dns, confLib, ... }:
    @@ -12943,7 +13716,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -13050,7 +13823,7 @@ in
     
    -
    3.2.3.33. Koillection
    +
    3.2.3.37. Koillection
    { self, lib, config, globals, dns, confLib, ... }:
    @@ -13069,7 +13842,7 @@ in
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
         sops.secrets = {
    @@ -13195,7 +13968,7 @@ in
     
    -
    3.2.3.34. Atuin
    +
    3.2.3.38. Atuin
    { lib, config, globals, dns, confLib, ... }:
    @@ -13206,7 +13979,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -13258,13 +14031,13 @@ in
     
    -
    3.2.3.35. Radicale
    +
    3.2.3.39. Radicale
    { self, lib, config, globals, dns, confLib, ... }:
     let
       inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
    -  sopsFile = self + /secrets/winters/secrets2.yaml;
    +  sopsFile = "${config.node.secretsDir}/secrets2.yaml";
     
       cfg = config.services.${serviceName};
     in
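Review bot: `sopsFile = "${config.node.secretsDir}/secrets2.yaml";` interpolates `config.node.secretsDir` into a string; if that option holds a Nix path value (as the removed `self + /secrets/winters/secrets2.yaml` did), the interpolation copies the whole secrets directory into the Nix store and hands sops-nix a string, whereas `config.node.secretsDir + /secrets2.yaml` keeps a path and only that one file is copied. The files are encrypted, so the exposure is limited, but the store copy is larger than needed and the type change is silent; the declaration of `config.node.secretsDir` is outside this diff, so worth confirming and noting on the line, e.g. `sopsFile = "${config.node.secretsDir}/secrets2.yaml"; # secretsDir is a string, not a path`. The Snipe-IT hunk below makes the same change and gets the same remark.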
    @@ -13272,7 +14045,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -13387,7 +14160,7 @@ in
     
    -
    3.2.3.36. croc
    +
    3.2.3.40. croc
    { self, lib, config, pkgs, dns, globals, confLib, ... }:
    @@ -13409,7 +14182,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -13469,7 +14242,7 @@ in
     
    -
    3.2.3.37. microbin
    +
    3.2.3.41. microbin
    { self, lib, config, dns, globals, confLib, ... }:
    @@ -13484,7 +14257,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -13612,7 +14385,7 @@ in
     
    -
    3.2.3.38. shlink
    +
    3.2.3.42. shlink
    { self, lib, config, dns, globals, confLib, ... }:
    @@ -13629,7 +14402,7 @@ in
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -13732,7 +14505,7 @@ in
     
    -
    3.2.3.39. slink
    +
    3.2.3.43. slink

    Deployment notes:
    @@ -13756,7 +14529,7 @@ in
     };
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
    - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
     "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
     };
    @@ -13845,13 +14618,13 @@ in

    -
    3.2.3.40. Snipe-IT
    +
    3.2.3.44. Snipe-IT
    { self, lib, config, globals, dns, confLib, ... }:
     let
       inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
    -  sopsFile = self + /secrets/winters/secrets2.yaml;
    +  sopsFile = "${config.node.secretsDir}/secrets2.yaml";
     
       serviceDB = "snipeit";
     
    @@ -13861,7 +14634,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -13926,7 +14699,7 @@ in
     
    -
    3.2.3.41. Homebox
    +
    3.2.3.45. Homebox
    { lib, pkgs, config, globals, dns, confLib, ... }:
    @@ -13937,7 +14710,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -13993,7 +14766,7 @@ in
     
    -
    3.2.3.42. OPKSSH
    +
    3.2.3.46. OPKSSH
    { lib, config, globals, confLib, ... }:
    @@ -14037,7 +14810,7 @@ in
     
    -
    3.2.3.43. Garage
    +
    3.2.3.47. Garage

    Garage acts as my s3 endpoint. I use it on two of my servers:
    @@ -14121,11 +14894,11 @@ in
     assertions = [
     {
     assertion = config.swarselsystems.server.${serviceName}.buckets != [ ];
    - message = "If Garage is enabled, at least one bucket must be specified in atro.garage.buckets";
    + message = "If Garage is enabled, at least one bucket must be specified in swarselsystems.server.${serviceName}.buckets";
     }
     {
     assertion = builtins.length (lib.attrsToList config.swarselsystems.server.${serviceName}.keys) > 0;
    - message = "If Garage is enabled, at least one key must be specified in atro.garage.keys";
    + message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys";
     }
     {
     assertion =
    @@ -14138,7 +14911,7 @@ in
     }
     ];
    - swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
    + nodes.stoicclub.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
     "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
     "${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
     "${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    @@ -14188,7 +14961,7 @@ in
     rpc_bind_addr = "[::]:${builtins.toString garageRpcPort}";
     # we are not joining our nodes, just use the private ipv4
    - rpc_public_addr = "${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}";
    + rpc_public_addr = "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}";
     rpc_secret_file = config.sops.secrets.garage-rpc-secret.path;
    @@ -14443,17 +15216,36 @@ in

    +
    +
    3.2.3.48. Set host domain for dns
    +
    +
    +
    { lib, config, globals, dns, confLib, ... }:
    +let
    +  inherit (confLib.gen { name = "dns-hostrecord"; proxy = config.node.name; }) serviceName proxyAddress4 proxyAddress6;
    +in
    +{
    +  options. swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    +  config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords = {
    +      "server.${config.node.name}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    +    };
    +
    +  };
    +}
    +
    +
    +
    +
    -
    3.2.3.44. nsd (dns)
    +
    3.2.3.49. nsd (dns)
    -
    { inputs, lib, config, globals, dns, confLib, ... }:
    +
    { lib, config, globals, dns, confLib, ... }:
     let
    -  inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName;
    -  # servicePort = 53;
    -  # serviceDomain = config.repo.secrets.common.services.domains."${serviceName}";
    -  # serviceAddress = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
    -
    +  inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName servicePort proxyAddress4 proxyAddress6;
    +  inherit (config.swarselsystems) sopsFile;
     in
     {
       options = {
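Review bot: `options. swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";` in the new dns-hostrecord module has a stray space after `options.`; Nix tolerates whitespace inside an attribute path so it evaluates, but it reads as a typo next to the other modules, so write `options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";`. The module pushes a `server.<node>` record into another node's zone via the `nodes.stoicclub.` prefix, and nothing on the page explains that prefix; a comment such as `# published into stoicclub's authoritative zone, not this host's config` above the `nodes.stoicclub.swarselsystems.server.dns...` line would help a reader of this one module.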
    @@ -14463,7 +15255,7 @@ in
             lib.types.submodule {
               options = {
                 subdomainRecords = lib.mkOption {
    -              type = lib.types.attrsOf inputs.dns.subzone;
    +              type = lib.types.attrsOf dns.lib.types.subzone;
                   default = { };
                 };
               };
    @@ -14472,14 +15264,69 @@ in
         };
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
    +
    +    sops.secrets = {
    +      tsig-key = { inherit sopsFile; };
    +    };
    +
    +    # services.resolved.enable = false;
    +    networking = {
    +      # nameservers = [ "1.1.1.1" "8.8.8.8" ];
    +      firewall = {
    +        allowedUDPPorts = [ servicePort ];
    +        allowedTCPPorts = [ servicePort ];
    +      };
    +    };
    +
         services.nsd = {
           enable = true;
    -      zones = {
    -        "${globals.domains.main}" = {
    -          # provideXFR = [ ... ];
    -          # notify = [ ... ];
    -          data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns; });
    +      keys = {
    +        "${globals.domains.main}.${proxyAddress4}" = {
    +          algorithm = "hmac-sha256";
    +          keyFile = config.sops.secrets.tsig-key.path;
             };
    +        "${globals.domains.main}.${proxyAddress6}" = {
    +          algorithm = "hmac-sha256";
    +          keyFile = config.sops.secrets.tsig-key.path;
    +        };
    +        "${globals.domains.main}" = {
    +          algorithm = "hmac-sha256";
    +          keyFile = config.sops.secrets.tsig-key.path;
    +        };
    +      };
    +      interfaces = [
    +        "10.1.2.157"
    +        "2603:c020:801f:a0cc::9d"
    +      ];
    +      zones = {
    +        "${globals.domains.main}" =
    +          let
    +            keyName4 = "${globals.domains.main}.${proxyAddress4}";
    +            keyName6 = "${globals.domains.main}.${proxyAddress6}";
    +            keyName = "${globals.domains.main}";
    +            transferList = [
    +              "213.239.242.238 ${keyName4}"
    +              "2a01:4f8:0:a101::a:1 ${keyName6}"
    +              "213.133.100.103 ${keyName4}"
    +              "2a01:4f8:0:1::5ddc:2 ${keyName6}"
    +              "193.47.99.3 ${keyName4}"
    +              "2001:67c:192c::add:a3 ${keyName6}"
    +            ];
    +
    +          in
    +          {
    +            outgoingInterface = "2603:c020:801f:a0cc::9d";
    +            notify = transferList ++ [
    +              "216.218.130.2 ${keyName}"
    +            ];
    +            provideXFR = transferList ++ [
    +              "216.218.133.2 ${keyName}"
    +              "2001:470:600::2 ${keyName}"
    +            ];
    +
    +            # dnssec = true;
    +            data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns proxyAddress4 proxyAddress6; });
    +          };
           };
         };
     
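Review bot: All three entries in `services.nsd.keys` reference the same `config.sops.secrets.tsig-key.path`, so a single TSIG secret authenticates NOTIFY and AXFR for every secondary in `transferList` plus the `216.218.133.2`/`2001:470:600::2` and `216.218.130.2` entries; if one of those operators is compromised or needs a key rotated, the secret has to change for all of them at once, and any secondary can pull the zone on behalf of the others. Per-secondary secrets (separate `sops.secrets` entries, each referenced by its own key block; names illustrative) bound the blast radius and make rotation independent. The literal `"10.1.2.157"` and `"2603:c020:801f:a0cc::9d"` in `interfaces` and `outgoingInterface` presumably duplicate `proxyAddress4`/`proxyAddress6`, which this hunk already uses for the key names; using them there too keeps the listener addresses in one place. The commented `# dnssec = true;` leaves the zone unsigned, which deserves a short comment saying whether that is deliberate.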
    @@ -14490,46 +15337,41 @@ in
     
    -
    3.2.3.45. nsd (dns) - site1
    +
    3.2.3.50. nsd (dns) - site1
    -
    { config, globals, dns, ... }:
    +
    { config, globals, dns, proxyAddress4, proxyAddress6, ... }:
     with dns.lib.combinators; {
       SOA = {
         nameServer = "soa";
    -    adminEmail = "admin@${globals.domains.main}";
    -    serial = 2025112101;
    +    adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
    +    serial = 2025120203; # update this on changes for secondary dns
       };
     
       useOrigin = false;
     
       NS = [
    -    "soa.${globals.domains.name}."
    -    "ns1.he.net"
    -    "ns2.he.net"
    -    "ns3.he.net"
    -    "ns4.he.net"
    -    "ns5.he.net"
    -    "oxygen.ns.hetzner.com"
    -    "pola.ns.cloudflare.com"
    -  ];
    +    "soa"
    +    "srv"
    +  ] ++ globals.domains.externalDns;
     
    -  A = [ "75.2.60.5" ];
    +
    +  A = [ config.repo.secrets.local.dns.homepage-ip ];
     
       SRV = [
         {
           service = "_matrix";
           proto = "_tcp";
           port = 443;
    -      target = "${globals.services.matrix.baseDomain}.${globals.domains.main}";
    +      target = "${globals.services.matrix.subDomain}";
           priority = 10;
    -      wweight = 5;
    +      weight = 5;
         }
         {
           service = "_submissions";
           proto = "_tcp";
           port = 465;
    -      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    +      target = "${globals.services.mailserver.subDomain}";
           priority = 5;
           weight = 0;
           ttl = 3600;
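Review bot: `serial = 2025120203; # update this on changes for secondary dns` makes the SOA serial a hand-maintained literal, and with the secondaries now fed through `provideXFR`/`notify` in the previous hunk, any zone edit that forgets the bump leaves the external nameservers serving the old data indefinitely with nothing in evaluation catching it. Worth at least a sharper comment, e.g. `# SOA serial: MUST increase on every change to this file, or secondaries (provideXFR) keep the old zone`, and if a date-based scheme is kept, a date-derived value rather than a typed literal. The rest of this file continues in the following hunks.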
    @@ -14538,7 +15380,7 @@ with dns.lib.combinators; {
           service = "_submission";
           proto = "_tcp";
           port = 587;
    -      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    +      target = "${globals.services.mailserver.subDomain}";
           priority = 5;
           weight = 0;
           ttl = 3600;
    @@ -14547,7 +15389,7 @@ with dns.lib.combinators; {
           service = "_imap";
           proto = "_tcp";
           port = 143;
    -      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    +      target = "${globals.services.mailserver.subDomain}";
           priority = 5;
           weight = 0;
           ttl = 3600;
    @@ -14556,7 +15398,7 @@ with dns.lib.combinators; {
           service = "_imaps";
           proto = "_tcp";
           port = 993;
    -      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    +      target = "${globals.services.mailserver.subDomain}";
           priority = 5;
           weight = 0;
           ttl = 3600;
    @@ -14566,48 +15408,36 @@ with dns.lib.combinators; {
       MX = [
         {
           preference = 10;
    -      exchange = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
    -    }
    -  ];
    -
    -  CNAME = [
    -    {
    -      cname = "www.${glovals.domains.main}";
    +      exchange = "${globals.services.mailserver.subDomain}";
         }
       ];
     
       DKIM = [
         {
    -    selector = "mail";
    +      selector = "mail";
           k = "rsa";
           p = config.repo.secrets.local.dns.mailserver.dkim-public;
           ttl = 10800;
         }
       ];
     
    -  DMARC = [
    -    {
    -      p = "none";
    -      ttl = 10800;
    -    }
    -  ];
    -
       TXT = [
    -    (with spf; strict [ "a:${globals.services.mailserver.baseDomain}.${globals.domains.main}" ])
    +    (with spf; strict [ "a:${globals.services.mailserver.subDomain}.${globals.domains.main}" ])
         "google-site-verification=${config.repo.secrets.local.dns.google-site-verification}"
       ];
     
       DMARC = [
         {
    -    selector = "mail";
    -      k = "rsa";
           p = "none";
           ttl = 10800;
         }
       ];
     
    -  subdomains = config.swarselsystems.server.dns.${globals.domain.main}.subdomainRecords // {
    -    "minecraft" = host "130.61.119.12" null;
    +  subdomains = config.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords // {
    +    "www".CNAME = [ "${globals.domains.main}." ];
    +    "_acme-challenge".CNAME = [ "${config.repo.secrets.local.dns.acme-challenge-domain}." ];
    +    "soa" = host proxyAddress4 proxyAddress6;
    +    "srv" = host proxyAddress4 proxyAddress6;
       };
     }
     
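Review bot: The surviving `DMARC` block keeps `p = "none";` and sets no reporting address, so the published policy neither asks receivers to quarantine or reject mail spoofing this domain nor sends aggregate reports back; `p = "none"` is only useful as a monitoring phase with a report target. Consider adding `rua = [ "mailto:<dmarc-report-address>" ];` now and moving to `p = "quarantine";` once the reports look clean. The new `"_acme-challenge".CNAME = [ "${config.repo.secrets.local.dns.acme-challenge-domain}." ];` entry delegates DNS-01 validation for the apex to that zone, meaning whoever controls that zone can obtain certificates for this domain; that is the normal shape of an operator-owned delegation zone, but a comment like `# DNS-01 delegation: the target zone's controller can issue certs for this domain` records the trust decision.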
    @@ -14615,7 +15445,7 @@ with dns.lib.combinators; {
    -
    3.2.3.46. Minecraft
    +
    3.2.3.51. Minecraft
    { lib, config, pkgs, globals, dns, confLib, ... }:
    @@ -14628,7 +15458,7 @@ in
       options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -14673,7 +15503,7 @@ in
     
    -
    3.2.3.47. Mailserver
    +
    3.2.3.52. Mailserver
    { lib, config, globals, dns, confLib, ... }:
    @@ -14689,7 +15519,7 @@ in
       };
       config = lib.mkIf config.swarselmodules.server.${serviceName} {
     
    -    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    +    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
           "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
         };
     
    @@ -14796,7 +15626,7 @@ in
     
    -
    3.2.3.48. Attic (nix binary cache)
    +
    3.2.3.53. Attic (nix binary cache)

    Generate the attic server token using openssl genrsa -traditional 4096 | base64 -w0
    @@ -14825,7 +15655,7 @@ in
     };
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
    - swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
    + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
     "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
     };
    @@ -15023,18 +15853,68 @@ in

    +
    +
    3.2.5.1. Niri
    +
    +

    +Auto login for the initial session.
    +

    +
    +
    +
    { inputs, lib, config, pkgs, ... }:
    +let
    +  moduleName = "niri";
    +in
    +{
    +  imports = [
    +    inputs.niri-flake.nixosModules.niri
    +  ];
    +  options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
    +  config = lib.mkIf config.swarselmodules.${moduleName} {
    +
    +    environment.systemPackages = with pkgs; [
    +      wl-clipboard
    +      wayland-utils
    +      libsecret
    +      cage
    +      gamescope
    +      xwayland-satellite-unstable
    +    ];
    +
    +
    +    programs.niri = {
    +      enable = true;
    +      package = pkgs.niri-unstable; # the actual niri that will be installed and used
    +    };
    +  } // {
    +    niri-flake.cache.enable = true;
    +    programs.niri = {
    +      package = null;
    +    };
    +  };
    +}
    +
    +
    +
    +
    -
    3.2.5.1. gaming
    +
    3.2.5.2. gaming

    This opens a few gaming ports and installs the steam configuration suite for gaming. There are more options in Gaming (home-manager side).

    -
    { pkgs, lib, config, ... }:
    +
    { self, pkgs, config, ... }:
     {
    -  options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings";
    -  config = lib.mkIf config.swarselmodules.optional.gaming {
    +  config = {
    +
    +    home-manager.users."${config.swarselsystems.mainUser}" = {
    +      imports = [
    +        "${self}/modules/home/optional/gaming.nix"
    +      ];
    +    };
    +
         programs.steam = {
           enable = true;
           package = pkgs.steam;
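Review bot: In the Niri module, `config = lib.mkIf config.swarselmodules.${moduleName} { ... } // { niri-flake.cache.enable = true; programs.niri = { package = null; }; };` applies `//` to the wrapper attrset that `lib.mkIf` returns, not to the conditional content; as far as I can tell the module system only reads `content` from such a value, so `niri-flake.cache.enable` and the `package = null` override are silently dropped (and had they been applied, `package = null` would contradict `package = pkgs.niri-unstable` a few lines above). If the cache should be enabled regardless of the enable option, use `config = lib.mkMerge [ (lib.mkIf config.swarselmodules.${moduleName} { ... }) { niri-flake.cache.enable = true; } ];` and delete the `programs.niri.package = null` part. The doc line `Auto login for the initial session.` added above the module describes nothing in its body and should say what the module actually does (installs the Wayland tools, enables niri with `pkgs.niri-unstable`).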
    @@ -15078,7 +15958,7 @@ This opens a few gaming ports and installs the steam configuration suite for gam
     
    -
    3.2.5.2. VirtualBox
    +
    3.2.5.3. VirtualBox

    This sets the VirtualBox configuration. Guest should not be enabled if not direly needed, it will make rebuilds unbearably slow. I only use this privately to run an old editor that does not run well under wine, so I put it into it's own specialisation.
    @@ -15087,8 +15967,7 @@ This sets the VirtualBox configuration. Guest should not be enabled if not direl

    { lib, config, pkgs, ... }:
     {
    -  options.swarselmodules.optional.virtualbox = lib.mkEnableOption "optional VBox settings";
    -  config = lib.mkIf config.swarselmodules.optional.virtualbox {
    +  config = {
         # specialisation = {
         #   VBox.configuration = {
         virtualisation.virtualbox = {
    @@ -15126,18 +16005,17 @@ This sets the VirtualBox configuration. Guest should not be enabled if not direl
     
    -
    3.2.5.3. VmWare
    +
    3.2.5.4. VmWare

    This sets the VirtualBox configuration. Guest should not be enabled if not direly needed, it will make rebuilds unbearably slow.

    -
    { lib, config, ... }:
    +
    _:
     {
     
    -  options.swarselmodules.optional.vmware = lib.mkEnableOption "optional vmware settings";
    -  config = lib.mkIf config.swarselmodules.optional.vmware {
    +  config = {
         virtualisation.vmware.host.enable = true;
         virtualisation.vmware.guest.enable = true;
       };
    @@ -15147,17 +16025,16 @@ This sets the VirtualBox configuration. Guest should not be enabled if not direl
     
    -
    3.2.5.4. nswitch-rcm
    +
    3.2.5.5. nswitch-rcm

    This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.

    -
    { lib, config, pkgs, ... }:
    +
    { pkgs, ... }:
     {
    -  options.swarselmodules.optional.nswitch-rcm = lib.mkEnableOption "optional nswitch-rcm settings";
    -  config = lib.mkIf config.swarselmodules.optional.nswitch-rcm {
    +  config = {
         services.nswitch-rcm = {
           enable = true;
           package = pkgs.fetchurl {
    @@ -15172,17 +16049,23 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
     
    -
    3.2.5.5. Framework
    +
    3.2.5.6. Framework

    This holds configuration that is specific to framework laptops.

    -
    { lib, config, ... }:
    +
    { self, config, ... }:
     {
    -  options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings";
    -  config = lib.mkIf config.swarselmodules.optional.framework {
    +  config = {
    +
    +    home-manager.users."${config.swarselsystems.mainUser}" = {
    +      imports = [
    +        "${self}/modules/home/optional/framework.nix"
    +      ];
    +    };
    +
         services = {
           fwupd = {
             enable = true;
    @@ -15211,13 +16094,12 @@ This holds configuration that is specific to framework laptops.
     
    -
    3.2.5.6. AMD CPU
    +
    3.2.5.7. AMD CPU
    -
    { lib, config, ... }:
    +
    _:
     {
    -  options.swarselmodules.optional.amdcpu = lib.mkEnableOption "optional amd cpu settings";
    -  config = lib.mkIf config.swarselmodules.optional.amdcpu {
    +  config = {
         hardware = {
           cpu.amd.updateMicrocode = true;
         };
    @@ -15228,13 +16110,12 @@ This holds configuration that is specific to framework laptops.
     
    -
    3.2.5.7. AMD GPU
    +
    3.2.5.8. AMD GPU
    -
    { lib, config, ... }:
    +
    _:
     {
    -  options.swarselmodules.optional.amdgpu = lib.mkEnableOption "optional amd gpu settings";
    -  config = lib.mkIf config.swarselmodules.optional.amdgpu {
    +  config = {
         hardware = {
           amdgpu = {
             opencl.enable = true;
    @@ -15252,12 +16133,11 @@ This holds configuration that is specific to framework laptops.
     
    -
    3.2.5.8. Hibernation
    +
    3.2.5.9. Hibernation
    { lib, config, ... }:
       {
    -    options.swarselmodules.optional.hibernation = lib.mkEnableOption "optional amd gpu settings";
         options.swarselsystems = {
           hibernation = {
             offset = lib.mkOption {
    @@ -15270,7 +16150,7 @@ This holds configuration that is specific to framework laptops.
             };
           };
         };
    -    config = lib.mkIf config.swarselmodules.optional.hibernation {
    +    config = {
           boot = {
             kernelParams = [
               "resume_offset=${builtins.toString config.swarselsystems.hibernation.offset}"
    @@ -15290,23 +16170,6 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.2.5.9. BTRFS
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselmodules.btrfs = lib.mkEnableOption "optional btrfs settings";
    -  config = lib.mkIf config.swarselmodules.btrfs {
    -    boot = {
    -      supportedFilesystems = lib.mkIf config.swarselsystems.isBtrfs [ "btrfs" ];
    -    };
    -  };
    -}
    -
    -
    -
    -
    3.2.5.10. work
    @@ -15330,7 +16193,7 @@ When setting up a new machine: - vpn gateway is found in `nixosConfig.repo.secrets.local.work.vpnGateway`
    -
    { self, lib, pkgs, config, configName, ... }:
    +
    { self, lib, pkgs, config, ... }:
     let
       inherit (config.swarselsystems) mainUser homeDir;
       iwd = config.networking.networkmanager.wifi.backend == "iwd";
    @@ -15338,18 +16201,24 @@ let
       sopsFile = self + /secrets/work/secrets.yaml;
     in
     {
    -  options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
       options.swarselsystems = {
         hostName = lib.mkOption {
           type = lib.types.str;
    -      default = configName;
    +      default = config.node.name;
         };
         fqdn = lib.mkOption {
           type = lib.types.str;
           default = "";
         };
       };
    -  config = lib.mkIf config.swarselmodules.optional.work {
    +  config = {
    +
    +    home-manager.users."${config.swarselsystems.mainUser}" = {
    +      imports = [
    +        "${self}/modules/home/optional/work.nix"
    +      ];
    +    };
    +
         sops =
           let
             secretNames = [
    @@ -15564,28 +16433,45 @@ in
       };
     
     }
    +
    +
    +
    +
    +
    +
    3.2.5.11. Uni
    +
    +
    +
    { self, config, ... }:
    +{
    +  config = {
    +
    +    home-manager.users."${config.swarselsystems.mainUser}" = {
    +      imports = [
    +        "${self}/modules/home/optional/work.nix"
    +      ];
    +    };
    +  };
    +}
    +
     
    -
    3.2.5.11. microvm-host
    +
    3.2.5.12. microvm-host

    Some standard options that should be set for every microvm host.

    -
    { lib, config, ... }:
    +
    { config, lib, ... }:
     {
    -  options = {
    -    swarselmodules.optional.microvmHost = lib.mkEnableOption "optional microvmHost settings";
    -  };
    -    # imports = [
    -    #   inputs.microvm.nixosModules.host
    -    # ];
    +  # imports = [
    +  # inputs.microvm.nixosModules.host
    +  # ];
     
    -  config = lib.mkIf (config.guests != {}) {
    +  config = lib.mkIf (config.guests != { }) {
     
         microvm = {
           hypervisor = lib.mkDefault "qemu";
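Review bot: The new `Uni` module imports `"${self}/modules/home/optional/work.nix"`, the same home-manager file the work module above pulls in; given the heading this looks like a copy/paste that should point at a uni-specific home module. If sharing the work profile is intended, a comment such as `# Uni deliberately reuses the work home-manager profile` would stop the next reader from "fixing" it. The target paths are outside this diff, so I cannot confirm which is meant.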
    @@ -15597,24 +16483,84 @@ Some standard options that should be set for every microvm host.
     
    -
    3.2.5.12. microvm-guest
    +
    3.2.5.13. microvm-guest

    Some standard options that should be set vor every microvm guest. We set the default

    -
    { lib, config, ... }:
    +
    _:
     {
    -  options.swarselmodules.optional.microvmGuest = lib.mkEnableOption "optional microvmGuest settings";
       # imports = [
       #   inputs.microvm.nixosModules.microvm
    -  #   "${self}/profiles/nixos"
    -  #   "${self}/modules/nixos"
       # ];
    -  config = lib.mkIf config.swarselmodules.optional.microvmGuest
    -    {
    +
    +  config =
    +    { };
    +}
    +
    +
    +
    +
    +
    +
    +
    3.2.5.14. systemd-networkd (server)
    +
    +

    +Some standard options that should be set vor every microvm guest. We set the default
    +

    +
    +
    +
    { lib, config, globals, ... }:
    +{
    +  networking = {
    +    useDHCP = lib.mkForce false;
    +    useNetworkd = true;
    +    dhcpcd.enable = false;
    +    renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
    +      config.repo.secrets.local.networking.networks or { }
    +    );
    +  };
    +  boot.initrd.systemd.network = {
    +    enable = true;
    +    networks."10-${config.swarselsystems.server.localNetwork}" = config.systemd.network.networks."10-${config.swarselsystems.server.localNetwork}";
    +  };
    +
    +  systemd = {
    +    network = {
    +      enable = true;
    +      wait-online.enable = false;
    +      networks =
    +        let
    +          netConfig = config.repo.secrets.local.networking;
    +        in
    +        {
    +          "10-${config.swarselsystems.server.localNetwork}" = {
    +            address = [
    +              "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv4}"
    +              "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv6}"
    +            ];
    +            routes = [
    +              {
    +                Gateway = netConfig.defaultGateway6;
    +                GatewayOnLink = true;
    +              }
    +              {
    +                Gateway = netConfig.defaultGateway4;
    +                GatewayOnLink = true;
    +              }
    +            ];
    +            networkConfig = {
    +              IPv6PrivacyExtensions = true;
    +              IPv6AcceptRA = false;
    +            };
    +            matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac;
    +            linkConfig.RequiredForOnline = "routable";
    +          };
    +        };
         };
    +  };
     }
     
     
    @@ -15735,118 +16681,122 @@ Again, we adapt nix to our needs, enable the home-manager command f
    { self, outputs, lib, pkgs, config, globals, confLib, ... }:
    -let
    -  inherit (config.swarselsystems) mainUser flakePath isNixos isLinux;
    -  inherit (confLib.getConfig.repo.secrets.common) atticPublicKey;
    -in
    -{
    -  options.swarselmodules.general = lib.mkEnableOption "general nix settings";
    -  config =
    -    let
    -      nix-version = "2_30";
    -    in
    -    lib.mkIf config.swarselmodules.general {
    -      nix = lib.mkIf (!config.swarselsystems.isNixos) {
    -        package = lib.mkForce pkgs.nixVersions."nix_${nix-version}";
    -        # extraOptions = ''
    -        #   plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins
    -        #   extra-builtins-file = ${self + /nix/extra-builtins.nix}
    -        # '';
    -        extraOptions =
    +      let
    +        inherit (config.swarselsystems) mainUser flakePath isNixos isLinux;
    +        inherit (confLib.getConfig.repo.secrets.common) atticPublicKey;
    +      in
    +      {
    +        options.swarselmodules.general = lib.mkEnableOption "general nix settings";
    +        config =
               let
    -            nix-plugins = pkgs.nix-plugins.override {
    -              nixComponents = pkgs.nixVersions."nixComponents_${nix-version}";
    -            };
    +            nix-version = "2_30";
               in
    -          ''
    -            plugin-files = ${nix-plugins}/lib/nix/plugins
    -            extra-builtins-file = ${self + /nix/extra-builtins.nix}
    -          '';
    -        settings = {
    -          experimental-features = [
    -            "nix-command"
    -            "flakes"
    -            "ca-derivations"
    -            "cgroups"
    -            "pipe-operators"
    -          ];
    -          substituters = [
    -            "https://${globals.services.attic.domain}/${mainUser}"
    -          ];
    -          trusted-public-keys = [
    -            atticPublicKey
    -          ];
    -          trusted-users = [ "@wheel" "${mainUser}" ];
    -          connect-timeout = 5;
    -          bash-prompt-prefix = "$SHLVL:\\w ";
    -          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
    -          fallback = true;
    -          min-free = 128000000;
    -          max-free = 1000000000;
    -          auto-optimise-store = true;
    -          warn-dirty = false;
    -          max-jobs = 1;
    -          use-cgroups = lib.mkIf isLinux true;
    -        };
    -      };
    -
    -      nixpkgs = lib.mkIf (!isNixos) {
    -        overlays = [
    -          outputs.overlays.default
    -          (final: prev:
    -            let
    -              additions = final: _: import "${self}/pkgs/config" {
    -                inherit self config lib;
    -                pkgs = final;
    -                homeConfig = config;
    +          lib.mkIf config.swarselmodules.general {
    +            nix = lib.mkIf (!config.swarselsystems.isNixos) {
    +              package = lib.mkForce pkgs.nixVersions."nix_${nix-version}";
    +              # extraOptions = ''
    +              #   plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins
    +              #   extra-builtins-file = ${self + /nix/extra-builtins.nix}
    +              # '';
    +              extraOptions =
    +                let
    +                  nix-plugins = pkgs.nix-plugins.override {
    +                    nixComponents = pkgs.nixVersions."nixComponents_${nix-version}";
    +                  };
    +                in
    +                ''
    +                  plugin-files = ${nix-plugins}/lib/nix/plugins
    +                  extra-builtins-file = ${self + /nix/extra-builtins.nix}
    +                '';
    +              settings = {
    +                experimental-features = [
    +                  "nix-command"
    +                  "flakes"
    +                  "ca-derivations"
    +                  "cgroups"
    +                  "pipe-operators"
    +                ];
    +                substituters = [
    +                  "https://${globals.services.attic.domain}/${mainUser}"
    +                ];
    +                trusted-public-keys = [
    +                  atticPublicKey
    +                ];
    +                trusted-users = [
    +                  "@wheel"
    +                  "${mainUser}"
    +                  (lib.mkIf ((config.swarselmodules ? server) ? ssh-builder) "builder")
    +                ];
    +                connect-timeout = 5;
    +                bash-prompt-prefix = lib.mkIf (config.swarselsystems.isClient) "$SHLVL:\\w ";
    +                bash-prompt = lib.mkIf (config.swarselsystems.isClient) "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
    +                fallback = true;
    +                min-free = 128000000;
    +                max-free = 1000000000;
    +                auto-optimise-store = true;
    +                warn-dirty = false;
    +                max-jobs = 1;
    +                use-cgroups = lib.mkIf isLinux true;
                   };
    -            in
    -            additions final prev
    -          )
    -        ];
    -        config = {
    -          allowUnfree = true;
    -        };
    -      };
    +            };
     
    -      programs = {
    -        # home-manager.enable = lib.mkIf (!isNixos) true;
    -        man = {
    -          enable = true;
    -          generateCaches = true;
    -        };
    -      };
    +            nixpkgs = lib.mkIf (!isNixos) {
    +              overlays = [
    +                outputs.overlays.default
    +                (final: prev:
    +                  let
    +                    additions = final: _: import "${self}/pkgs/config" {
    +                      inherit self config lib;
    +                      pkgs = final;
    +                      homeConfig = config;
    +                    };
    +                  in
    +                  additions final prev
    +                )
    +              ];
    +              config = {
    +                allowUnfree = true;
    +              };
    +            };
     
    -      targets.genericLinux.enable = lib.mkIf (!isNixos) true;
    +            programs = {
    +              # home-manager.enable = lib.mkIf (!isNixos) true;
    +              man = {
    +                enable = true;
    +                generateCaches = true;
    +              };
    +            };
     
    -      home = {
    -        username = lib.mkDefault mainUser;
    -        homeDirectory = lib.mkDefault "/home/${mainUser}";
    -        stateVersion = lib.mkDefault "23.05";
    -        keyboard.layout = "us";
    -        sessionVariables = {
    -          FLAKE = "/home/${mainUser}/.dotfiles";
    -        };
    -        extraOutputsToInstall = [
    -          "doc"
    -          "info"
    -          "devdoc"
    -        ];
    -        packages = lib.mkIf (!isNixos) [
    -          (pkgs.symlinkJoin {
    -            name = "home-manager";
    -            buildInputs = [ pkgs.makeWrapper ];
    -            paths = [ pkgs.home-manager ];
    -            postBuild = ''
    -                  wrapProgram $out/bin/home-manager \
    -              --append-flags '--flake ${flakePath}#$(hostname)'
    -            '';
    -          })
    -        ];
    -      };
    -    };
    +            targets.genericLinux.enable = lib.mkIf (!isNixos) true;
     
    -}
    +            home = {
    +              username = lib.mkDefault mainUser;
    +              homeDirectory = lib.mkDefault "/home/${mainUser}";
    +              stateVersion = lib.mkDefault "23.05";
    +              keyboard.layout = "us";
    +              sessionVariables = {
    +                FLAKE = "/home/${mainUser}/.dotfiles";
    +              };
    +              extraOutputsToInstall = [
    +                "doc"
    +                "info"
    +                "devdoc"
    +              ];
    +              packages = lib.mkIf (!isNixos) [
    +                (pkgs.symlinkJoin {
    +                  name = "home-manager";
    +                  buildInputs = [ pkgs.makeWrapper ];
    +                  paths = [ pkgs.home-manager ];
    +                  postBuild = ''
    +                        wrapProgram $out/bin/home-manager \
    +                    --append-flags '--flake ${flakePath}#$(hostname)'
    +                  '';
    +                })
    +              ];
    +            };
    +          };
    +
    +      }
     
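Review bot: The condition on the new `trusted-users` entry, `(config.swarselmodules ? server) ? ssh-builder`, applies the second `?` to the boolean produced by the first one, so it can never be true as written; the intended test is presumably `config.swarselmodules ? server.ssh-builder`. A `lib.mkIf` inside a list element is also unlikely to be honoured for a list-of-strings setting, so the conditional entry is better expressed as `trusted-users = [ "@wheel" "${mainUser}" ] ++ lib.optional (config.swarselmodules ? server.ssh-builder) "builder";`. Because a trusted user may set substituters and trusted public keys for the daemon, which is close to root-equivalent for the store, a one-line comment explaining why the builder account needs that level of trust would help the next reader, e.g. `# builder is trusted so remote builds can push paths into the store`. The enclosing module continues outside the hunk.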
    @@ -16178,27 +17128,31 @@ I use sops-nix to handle secrets that I want to have available on my machines at
  • `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops"
  • cat ~/.ssh/sops.pub | ssh-to-age | wl-copy
  • add the output to .sops.yaml
  • -
  • cp ~/.ssh/sops.pub ~/.dotfiles/secrets/keys/NAME.pub
  • +
  • cp ~/.ssh/sops.pub ~/.dotfiles/secrets/public/NAME.pub
  • update entry for sops.age.sshKeyPaths

    Since we are using the home-manager implementation here, we need to specify the runtime path. +

    + +

    +At the same time, I want to avoid running the homeManager module of sops on a NixOS machine. Note that we cannot use lib.mkIf in the line config = …= as this would evaluate the blocks that are within; however, on a NixOS machine, there will be no sops module in the homeManager scope. Hence we use optionalAttrs. Also, we cannot make use of config.swarselsystems.isNixos because that will lead to an infinite recursion. Hence, we take the type arg that we passed during host declaration to make sure sops stays disabled. This is used in all places in the home-manager config that make use of sops-secrets.

  • -
    { config, lib, inputs, ... }:
    +
    { config, lib, inputs, type, ... }:
     let
       inherit (config.swarselsystems) homeDir;
     in
       {
         options.swarselmodules.sops = lib.mkEnableOption "sops settings";
    -    config = lib.optionalAttrs (inputs ? sops)  {
    -      sops = {
    -        age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ];
    -        defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml";
    +    config = lib.optionalAttrs (type != "nixos")  {
    +      sops = lib.mkIf (!config.swarselsystems.isNixos) {
    +        age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ];
    +        defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
     
             validateSopsFiles = false;
           };
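Review bot: The inner guard `sops = lib.mkIf (!config.swarselsystems.isNixos) { … }` duplicates the outer `lib.optionalAttrs (type != "nixos")`, and the text above says `config.swarselsystems.isNixos` cannot be used here because it recurses, so it is unclear whether the inner `mkIf` is safe, needed, or both; either drop it or add a comment such as `# optionalAttrs keeps the sops module out of NixOS evaluation; mkIf only guards the values`. The `age.sshKeyPaths` list now holds a single key and the host ed25519 key path was dropped, which is a deliberate narrowing of what can decrypt these secrets and deserves a short comment, e.g. `# only the dedicated sops key decrypts user secrets; host key no longer used`. The module body continues outside the hunk.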
    @@ -16212,7 +17166,7 @@ in
     
    3.3.2.7. Yubikey
    -
    { lib, config, inputs, nixosConfig ? config, ... }:
    +
    { lib, config, inputs, confLib, type, ... }:
     let
       inherit (config.swarselsystems) homeDir;
     in
    @@ -16223,11 +17177,11 @@ in
     
         pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
           ids = [
    -        nixosConfig.repo.secrets.common.yubikeys.dev1
    -        nixosConfig.repo.secrets.common.yubikeys.dev2
    +        confLib.getConfig.repo.secrets.common.yubikeys.dev1
    +        confLib.getConfig.secrets.common.yubikeys.dev2
           ];
         };
    -  } // lib.optionalAttrs (inputs ? sops) {
    +  } // lib.optionalAttrs (type != "nixos") {
         sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
           u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
         };
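Review bot: `confLib.getConfig.secrets.common.yubikeys.dev2` on the second id line is missing the `repo` component that the `dev1` line directly above it uses; the consistent form is `confLib.getConfig.repo.secrets.common.yubikeys.dev2`. If `getConfig` has no top-level `secrets` attribute this fails evaluation, and if it does, `dev2` would silently be read from a different place than `dev1`. Since these ids are what PAM accepts for Yubikey authentication, both entries should come from the same path. The enclosing attrset starts outside the hunk.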
    @@ -16245,10 +17199,10 @@ It is very convenient to have SSH aliases in place for machines that I use. This
     

    -
    { lib, config, nixosConfig ? config, ... }:
    +
    { inputs, lib, config, confLib, type, ... }:
     {
       options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
    -  config = lib.mkIf config.swarselmodules.ssh {
    +  config = lib.mkIf config.swarselmodules.ssh ({
         programs.ssh = {
           enable = true;
           enableDefaultConfig = false;
    @@ -16265,13 +17219,17 @@ It is very convenient to have SSH aliases in place for machines that I use. This
               serverAliveCountMax = 3;
               hashKnownHosts = false;
               userKnownHostsFile = "~/.ssh/known_hosts";
    -          controlMaster = "no";
    +          controlMaster = "auto";
               controlPath = "~/.ssh/master-%r@%n:%p";
    -          controlPersist = "no";
    +          controlPersist = "5m";
             };
    -      } // nixosConfig.repo.secrets.common.ssh.hosts;
    +      } // confLib.getConfig.repo.secrets.common.ssh.hosts;
         };
    -  };
    +  } // lib.optionalAttrs (type != "nixos") {
    +    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
    +      builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
    +    };
    +  });
     }
     
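Review bot: Switching to `controlMaster = "auto"` with `controlPersist = "5m"` keeps an authenticated master connection alive for five minutes after the last session ends, and any process running as this user can open new channels through the socket at `~/.ssh/master-%r@%n:%p` without touching the key or a hardware-token confirmation; since this configuration relies on Yubikey-backed authentication elsewhere, that trade-off deserves an inline comment, e.g. `# multiplexing: sessions opened within 5m reuse the master without re-auth`. The new `builder-key` secret is written with `mode = "0600"`, which is right for a private key, but nothing says what it is for; a comment such as `# private key used to reach the remote ssh-builder` would tie it to the builder account referenced in the nix settings module. The `programs.ssh` block starts outside the hunk.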
    @@ -16494,11 +17452,11 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var

    -
    { lib, config, nixosConfig ? config, ... }:
    +
    { lib, config, confLib, globals, ... }:
     let
    -  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
    -  inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name;
    -  inherit (nixosConfig.repo.secrets.common) fullName openrouterApi;
    +  inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
    +  inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name;
    +  inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain;
       inherit (config.swarselsystems) isPublic homeDir;
     
       DISPLAY = ":0";
    @@ -16514,6 +17472,12 @@ in
           DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private";
           FLAKE = "${config.home.homeDirectory}/.dotfiles";
         } // lib.optionalAttrs (!isPublic) {
    +      SWARSEL_DOMAIN = globals.domains.main;
    +      SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain;
    +      SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain;
    +      SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain;
    +      SWARSEL_INSTA_DOMAIN = instaDomain;
    +      SWARSEL_SPORT_DOMAIN = sportDomain;
           SWARSEL_MAIL1 = address1;
           SWARSEL_MAIL2 = address2;
           SWARSEL_MAIL3 = address3;
    @@ -16526,7 +17490,7 @@ in
           SWARSEL_CAL3NAME = source3-name;
           SWARSEL_FULLNAME = fullName;
           SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses;
    -      GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path;
    +      GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path;
           OPENROUTER_API_KEY = openrouterApi;
         };
       };
    @@ -16808,10 +17772,10 @@ Here I set up my git config, automatic signing of commits, useful aliases for my
     

    -
    { lib, config, globals, minimal, nixosConfig ? config, ... }:
    +
    { lib, config, globals, minimal, confLib, ... }:
     let
    -  inherit (nixosConfig.repo.secrets.common.mail) address1;
    -  inherit (nixosConfig.repo.secrets.common) fullName;
    +  inherit (confLib.getConfig.repo.secrets.common.mail) address1;
    +  inherit (confLib.getConfig.repo.secrets.common) fullName;
     
       gitUser = globals.user.name;
     in
    @@ -17118,7 +18082,7 @@ Currently I only use it as before with initExtra though.
     

    -
    { config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }:
    +
    { config, pkgs, lib, minimal, inputs, globals, confLib, type, ... }:
     let
       inherit (config.swarselsystems) flakePath isNixos;
       crocDomain = globals.services.croc.domain;
    @@ -17247,15 +18211,15 @@ in
             '';
             sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) {
               CROC_RELAY = crocDomain;
    -          CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})";
    -          GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
    +          CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})";
    +          GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
               QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
               # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
             };
           };
    -    } // lib.optionalAttrs (inputs ? sops) {
    +    } // lib.optionalAttrs (type != "nixos") {
     
    -      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
    +      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
             croc-password = { };
             github-nixpkgs-review-token = { };
           };
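Review bot: The `sops.secrets` guard here drops `!config.swarselsystems.isNixos`, while the mail, emacs and waybar hunks in this same commit keep `!isPublic && !isNixos` under the identical `type != "nixos"` wrapper; either the inner check is redundant everywhere or it still matters here, and the modules should agree. If the `type` wrapper makes it redundant, a comment like `# type != "nixos" already excludes NixOS hosts; no isNixos check needed` would record the decision. The rewritten `CROC_PASS` and `GITHUB_TOKEN` lines still fall back with `… .path or ""`, so a missing secret yields `"$(cat )"`, which, if the shell expands it, reads stdin instead of failing visibly; wrapping each in `lib.optionalString` keyed on the path's presence would omit the variable instead. The enclosing `config` starts outside the hunk.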
    @@ -18633,10 +19597,10 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
     

    -
    { lib, config, inputs, globals, nixosConfig ? config, ... }:
    +
    { lib, config, inputs, globals, confLib, type, ... }:
     let
    -  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
    -  inherit (nixosConfig.repo.secrets.common) fullName;
    +  inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
    +  inherit (confLib.getConfig.repo.secrets.common) fullName;
       inherit (config.swarselsystems) xdgDir;
     in
     {
    @@ -18775,7 +19739,7 @@ in
                     address = address4;
                     userName = address4;
                     realName = fullName;
    -                passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}";
    +                passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}";
                     mu.enable = true;
                     msmtp = {
                       enable = true;
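Review bot: `passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}"` now reads the token path through `confLib.getConfig`, while the secret itself is still declared in this module's own `sops.secrets` block further down under `lib.optionalAttrs (type != "nixos")` with an explicit `path = "${xdgDir}/secrets/…"`; the same applies to the address1, address2 and address3 lines in the next three hunks. Whether `getConfig` resolves to this home-manager config or to a NixOS config is not visible here, and if it is the latter the token secret has to exist on the NixOS side or evaluation fails. A short comment at the first use, e.g. `# confLib.getConfig resolves to the NixOS config when present, else to this config — confirm`, would make the contract explicit. The account attrset starts outside the hunk.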
    @@ -18804,7 +19768,7 @@ in
                       address = address1;
                       userName = address1;
                       realName = fullName;
    -                  passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}";
    +                  passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}";
                       gpg = {
                         key = "0x76FD3810215AE097";
                         signByDefault = true;
    @@ -18818,7 +19782,7 @@ in
                       address = address2;
                       userName = address2;
                       realName = address2-name;
    -                  passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}";
    +                  passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}";
                     }
                     defaultSettings;
     
    @@ -18828,14 +19792,14 @@ in
                       address = address3;
                       userName = address3;
                       realName = address3-name;
    -                  passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}";
    +                  passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}";
                     }
                     defaultSettings;
     
                 };
               };
           };
    -    } // lib.optionalAttrs (inputs ? sops) {
    +    } // lib.optionalAttrs (type != "nixos") {
           sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
             address1-token = { path = "${xdgDir}/secrets/address1-token"; };
             address2-token = { path = "${xdgDir}/secrets/address2-token"; };
    @@ -18860,7 +19824,7 @@ Lastly, I am defining some more packages here that the parser has problems findi
     

    -
    { self, lib, config, pkgs, globals, inputs, ... }:
    +
    { self, lib, config, pkgs, globals, inputs, type, ... }:
     let
       inherit (config.swarselsystems) homeDir mainUser isPublic isNixos;
       inherit (config.repo.secrets.common.emacs) radicaleUser;
    @@ -18965,7 +19929,7 @@ in
           startWithUserSession = "graphical";
         };
     
    -  } // lib.optionalAttrs (inputs ? sops) {
    +  } // lib.optionalAttrs (type != "nixos") {
     
         sops = lib.mkIf (!isPublic && !isNixos) {
           secrets = {
    @@ -19014,7 +19978,7 @@ The rest of the related configuration is found here:
     
     
     
    -
    { self, config, lib, inputs, pkgs, ... }:
    +
    { self, config, lib, inputs, pkgs, type, ... }:
     let
       inherit (config.swarselsystems) xdgDir;
       generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
    @@ -19336,7 +20300,7 @@ in
           };
           style = builtins.readFile (self + /files/waybar/style.css);
         };
    -  } // lib.optionalAttrs (inputs ? sops) {
    +  } // lib.optionalAttrs (type != "nixos") {
         sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
           github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
         };
    @@ -20014,7 +20978,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se
     

    -
    { config, lib, vars, nixosConfig ? config, ... }:
    +
    { config, lib, vars, confLib, ... }:
       let
         eachOutput = _: monitor: {
           inherit (monitor) name;
    @@ -20397,7 +21361,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se
                 export XDG_CURRENT_DESKTOP=sway;
                 export XDG_SESSION_DESKTOP=sway;
                 export _JAVA_AWT_WM_NONREPARENTING=1;
    -            export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path};
    +            export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path};
               '' + vars.waylandExports;
               # extraConfigEarly = "
               # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK
    @@ -20446,228 +21410,8 @@ Currently, I am too lazy to explain every option here, but most of it is very se
     
    -
    -
    3.3.2.34. Niri
    -
    -
    -
    { config, pkgs, lib, vars, ... }:
    -{
    -  options.swarselmodules.niri = lib.mkEnableOption "niri settings";
    -  config = lib.mkIf config.swarselmodules.niri {
    -
    -    programs.niri = {
    -      package = pkgs.niri-unstable; # which package to use for niri validation
    -      settings = {
    -        xwayland-satellite = {
    -          enable = true;
    -          path = "${lib.getExe pkgs.xwayland-satellite-unstable}";
    -        };
    -        prefer-no-csd = true;
    -        layer-rules = [
    -          { matches = [{ namespace = "^notifications$"; }]; block-out-from = "screencast"; }
    -          { matches = [{ namespace = "^wallpaper$"; }]; place-within-backdrop = true; }
    -        ];
    -        window-rules = [
    -          {
    -            matches = [{ app-id = ".*"; }];
    -            opacity = 0.95;
    -            default-column-width = { proportion = 0.5; };
    -            shadow = {
    -              enable = true;
    -              draw-behind-window = true;
    -            };
    -            geometry-corner-radius = { top-left = 2.0; top-right = 2.0; bottom-left = 2.0; bottom-right = 2.0; };
    -          }
    -          { matches = [{ app-id = "at.yrlf.wl_mirror"; }]; opacity = 1.0; }
    -          { matches = [{ app-id = "Gimp"; }]; opacity = 1.0; }
    -          { matches = [{ app-id = "firefox"; }]; opacity = 0.99; }
    -          { matches = [{ app-id = "^special.*"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; }
    -          { matches = [{ app-id = "chromium-browser"; }]; opacity = 0.99; }
    -          { matches = [{ app-id = "^qalculate-gtk$"; }]; open-floating = true; }
    -          { matches = [{ app-id = "^blueman$"; }]; open-floating = true; }
    -          { matches = [{ app-id = "^pavucontrol$"; }]; open-floating = true; }
    -          { matches = [{ app-id = "^syncthingtray$"; }]; open-floating = true; }
    -          { matches = [{ app-id = "^Element$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; }
    -          # { matches = [{ app-id = "^Element$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; }
    -          { matches = [{ app-id = "^vesktop$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; }
    -          # { matches = [{ app-id = "^vesktop$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; }
    -          { matches = [{ app-id = "^com.nextcloud.desktopclient.nextcloud$"; }]; open-floating = true; }
    -          { matches = [{ title = ".*1Password.*"; }]; excludes = [{ app-id = "^firefox$"; } { app-id = "^emacs$"; } { app-id = "^kitty$"; }]; open-floating = true; block-out-from = "screencast"; }
    -          { matches = [{ title = "(?:Open|Save) (?:File|Folder|As)"; }]; open-floating = true; }
    -          { matches = [{ title = "^Add$"; }]; open-floating = true; }
    -          { matches = [{ title = "^Picture-in-Picture$"; }]; open-floating = true; }
    -          { matches = [{ title = "Syncthing Tray"; }]; open-floating = true; }
    -          { matches = [{ title = "^Emacs Popup Frame$"; }]; open-floating = true; }
    -          { matches = [{ title = "^Emacs Popup Anchor$"; }]; open-floating = true; }
    -          { matches = [{ app-id = "^spotifytui$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; }
    -          { matches = [{ app-id = "^kittyterm$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; }
    -        ];
    -        environment = {
    -          DISPLAY = ":0";
    -        } // vars.waylandSessionVariables;
    -        screenshot-path = "~/Pictures/Screenshots/screenshot_%Y-%m-%d-%H%M%S.png";
    -        input = {
    -          mod-key = "Super";
    -          keyboard = {
    -            xkb = {
    -              layout = "us";
    -              variant = "altgr-intl";
    -            };
    -          };
    -          mouse = {
    -            natural-scroll = false;
    -          };
    -          touchpad = {
    -            enable = true;
    -            tap = true;
    -            tap-button-map = "left-right-middle";
    -            natural-scroll = true;
    -            scroll-method = "two-finger";
    -            click-method = "clickfinger";
    -            disabled-on-external-mouse = true;
    -            drag = true;
    -            drag-lock = false;
    -            dwt = true;
    -            dwtp = true;
    -          };
    -        };
    -        cursor = {
    -          hide-after-inactive-ms = 2000;
    -          hide-when-typing = true;
    -        };
    -        layout = {
    -          background-color = "transparent";
    -          border = {
    -            enable = true;
    -            width = 1;
    -          };
    -          focus-ring = {
    -            enable = false;
    -          };
    -          gaps = 5;
    -        };
    -        binds = with config.lib.niri.actions; let
    -          sh = spawn "sh" "-c";
    -        in
    -        {
    -
    -          # "Mod+Super_L" = spawn "killall -SIGUSR1 .waybar-wrapped";
    -          "Mod+z".action = spawn "killall -SIGUSR1 .waybar-wrapped";
    -          "Mod+Shift+t".action = toggle-window-rule-opacity;
    -          # "Mod+Escape".action = "mode $exit";
    -          "Mod+m".action = focus-workspace-previous;
    -          "Mod+Shift+Space".action = toggle-window-floating;
    -          "Mod+Shift+f".action = toggle-windowed-fullscreen;
    -          "Mod+q".action = close-window;
    -          "Mod+f".action = spawn "firefox";
    -          "Mod+Space".action = spawn "fuzzel";
    -          "Mod+Shift+c".action = spawn "qalculate-gtk";
    -          "Mod+Ctrl+p".action = spawn "1password" "--quick-acces";
    -          "Mod+Shift+Escape".action = spawn "kitty" "-o" "confirm_os_window_close=0" "btm";
    -          "Mod+h".action = sh ''hyprpicker | wl-copy'';
    -          # "Mod+s".action = spawn "grim" "-g" "\"$(slurp)\"" "-t" "png" "-" "|" "wl-copy" "-t" "image/png";
    -          # "Mod+s".action = screenshot { show-pointer = false; };
    -          "Mod+s".action.screenshot = { show-pointer = false; };
    -          # "Mod+Shift+s".action = spawn "slurp" "|" "grim" "-g" "-" "Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')";
    -          # "Mod+Shift+s".action = screenshot-window { write-to-disk = true; };
    -          "Mod+Shift+s".action.screenshot-window = { write-to-disk = true; };
    -          # "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv";
    -
    -          "Mod+e".action = sh "emacsclient -nquc -a emacs -e '(dashboard-open)'";
    -          "Mod+c".action = sh "emacsclient -ce '(org-capture)'";
    -          "Mod+t".action = sh "emacsclient -ce '(org-agenda)'";
    -          "Mod+Shift+m".action = sh "emacsclient -ce '(mu4e)'";
    -          "Mod+Shift+a".action = sh "emacsclient -ce '(swarsel/open-calendar)'";
    -
    -          "Mod+a".action = spawn "swarselcheck-niri" "-s";
    -          "Mod+x".action = spawn "swarselcheck-niri" "-k";
    -          "Mod+d".action = spawn "swarselcheck-niri" "-d";
    -          "Mod+w".action = spawn "swarselcheck-niri" "-e";
    -
    -          "Mod+p".action = spawn "pass-fuzzel";
    -          "Mod+o".action = spawn "pass-fuzzel" "--otp";
    -          "Mod+Shift+p".action = spawn "pass-fuzzel" "--type";
    -          "Mod+Shift+o".action = spawn "pass-fuzzel" "--otp" "--type";
    -
    -          "Mod+Left".action = focus-column-or-monitor-left;
    -          "Mod+Right".action = focus-column-or-monitor-right;
    -          "Mod+Down".action = focus-window-or-workspace-down;
    -          "Mod+Up".action = focus-window-or-workspace-up;
    -          "Mod+Shift+Left".action = move-column-left;
    -          "Mod+Shift+Right".action = move-column-right;
    -          "Mod+Shift+Down".action = move-window-down-or-to-workspace-down;
    -          "Mod+Shift+Up".action = move-window-up-or-to-workspace-up;
    -          # "Mod+Ctrl+Shift+c".action = "reload";
    -          # "Mod+Ctrl+Shift+r".action = "exec swarsel-displaypower";
    -          # "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
    -          # "Mod+r".action = "mode resize";
    -          # "Mod+Return".action = "exec kitty";
    -          "Mod+Return".action = spawn "swarselzellij";
    -          "XF86AudioRaiseVolume".action = spawn "swayosd-client" "--output-volume" "raise";
    -          "XF86AudioLowerVolume".action = spawn "swayosd-client" "--output-volume" "lower";
    -          "XF86AudioMute".action = spawn "swayosd-client" "--output-volume" "mute-toggle";
    -          "XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness raise";
    -          "XF86MonBrightnessDown".action = spawn "swayosd-client" "--brightness lower";
    -          "XF86Display".action = spawn "wl-mirror" "eDP-1";
    -          "Mod+Escape".action = spawn "wlogout";
    -          "Mod+Equal".action = set-column-width "+10%";
    -          "Mod+Minus".action = set-column-width "-10%";
    -
    -          "Mod+1".action = focus-workspace 1;
    -          "Mod+2".action = focus-workspace 2;
    -          "Mod+3".action = focus-workspace 3;
    -          "Mod+4".action = focus-workspace 4;
    -          "Mod+5".action = focus-workspace 5;
    -          "Mod+6".action = focus-workspace 6;
    -          "Mod+7".action = focus-workspace 7;
    -          "Mod+8".action = focus-workspace 8;
    -          "Mod+9".action = focus-workspace 9;
    -          "Mod+0".action = focus-workspace 0;
    -
    -          "Mod+Shift+1".action = move-column-to-index 1;
    -          "Mod+Shift+2".action = move-column-to-index 2;
    -          "Mod+Shift+3".action = move-column-to-index 3;
    -          "Mod+Shift+4".action = move-column-to-index 4;
    -          "Mod+Shift+5".action = move-column-to-index 5;
    -          "Mod+Shift+6".action = move-column-to-index 6;
    -          "Mod+Shift+7".action = move-column-to-index 7;
    -          "Mod+Shift+8".action = move-column-to-index 8;
    -          "Mod+Shift+9".action = move-column-to-index 9;
    -          "Mod+Shift+0".action = move-column-to-index 0;
    -        };
    -        spawn-at-startup = [
    -          # { command = [ "vesktop" "--start-minimized" "--enable-speech-dispatcher" "--ozone-platform-hint=auto" "--enable-features=WaylandWindowDecorations" "--enable-wayland-ime" ]; }
    -          # { command = [ "element-desktop" "--hidden" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland" "--disable-gpu-driver-bug-workarounds" ]; }
    -          # { command = [ "anki" ]; }
    -          # { command = [ "obsidian" ]; }
    -          # { command = [ "nm-applet" ]; }
    -          { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; }
    -        ];
    -        workspaces = {
    -          # "01-Main" = {
    -          #   name = "Scratchpad";
    -          # };
    -          "99-Scratchpad" = {
    -            name = "";
    -          };
    -        };
    -      };
    -    };
    -
    -  } // {
    -    programs.niri = lib.mkIf (!config.swarselmodules.niri) {
    -      package = null;
    -      config = null;
    -      settings = null;
    -    };
    -  };
    -}
    -
    -
    -
    -
    -
    3.3.2.35. Kanshi
    +
    3.3.2.34. Kanshi
    { self, lib, pkgs, config, ... }:
    @@ -20777,7 +21521,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se
     
    -
    3.3.2.36. gpg-agent
    +
    3.3.2.35. gpg-agent

    Settings that are needed for the gpg-agent. Also we are enabling emacs support for unlocking my Yubikey here. @@ -20837,7 +21581,7 @@ in enable = true; publicKeys = [ { - source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc"; + source = "${self}/secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc"; trust = 5; } ]; @@ -20861,16 +21605,16 @@ in

    -
    3.3.2.37. gammastep
    +
    3.3.2.36. gammastep

    This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways.

    -
    { lib, config, nixosConfig ? config, ... }:
    +
    { lib, config, confLib, ... }:
     let
    -  inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
    +  inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude;
     in
     {
       options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings";
    @@ -20887,7 +21631,7 @@ in
     
    -
    3.3.2.38. Spicetify
    +
    3.3.2.37. Spicetify
    { inputs, lib, config, pkgs, ... }:
    @@ -20918,13 +21662,13 @@ in
     
    -
    3.3.2.39. Obsidian
    +
    3.3.2.38. Obsidian
    -
    { lib, config, pkgs, nixosConfig ? config, ... }:
    +
    { lib, config, pkgs, confLib, ... }:
     let
       moduleName = "obsidian";
    -  inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters;
    +  inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters;
       name = "Main";
     in
     {
    @@ -21079,10 +21823,10 @@ in
     
    -
    3.3.2.40. Anki
    +
    3.3.2.39. Anki
    -
    { lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }:
    +
    { lib, config, pkgs, globals, inputs, confLib, type, ... }:
     let
       moduleName = "anki";
       inherit (config.swarselsystems) isPublic isNixos;
    @@ -21107,11 +21851,11 @@ in
               syncMedia = true;
               autoSyncMediaMinutes = 5;
               url = "https://${globals.services.ankisync.domain}";
    -          usernameFile = nixosConfig.sops.secrets.anki-user.path;
    +          usernameFile = confLib.getConfig.sops.secrets.anki-user.path;
               # this is not the password but the syncKey
               # get it by logging in or out, saving preferences and then
               # show details on the "settings wont be saved" dialog
    -          keyFile = nixosConfig.sops.secrets.anki-pw.path;
    +          keyFile = confLib.getConfig.sops.secrets.anki-pw.path;
             };
             addons =
               let
    @@ -21138,7 +21882,7 @@ in
                   })
               ];
           };
    -    } // lib.optionalAttrs (inputs ? sops) {
    +    } // lib.optionalAttrs (type != "nixos") {
           sops = lib.mkIf (!isPublic && !isNixos) {
             secrets = {
               anki-user = { };
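Review bot: The guard on `} // lib.optionalAttrs (type != "nixos") {` now keys on the evaluation type rather than on whether the sops input is present (`inputs ? sops` before), so a standalone home-manager evaluation that does not import the sops-nix home module would hit an undefined `sops.secrets` option instead of silently skipping the block; whether that combination exists in this repo is not visible from the hunk. The inner `lib.mkIf (!isPublic && !isNixos)` also seems to overlap with the new outer condition, which makes the intent hard to read. A short comment such as `# declare the secrets only for standalone HM; on NixOS they come from confLib.getConfig.sops` above the `sops =` line would document which of the two conditions is the real gate.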
    @@ -21153,10 +21897,10 @@ in
     
    -
    3.3.2.41. Element-desktop
    +
    3.3.2.40. Element-desktop
    -
    { lib, config, ... }:
    +
    { lib, config, globals, ... }:
     let
       moduleName = "element-desktop";
     in
    @@ -21168,7 +21912,7 @@ in
           settings = {
             default_server_config = {
               "m.homeserver" = {
    -            base_url = "https://swatrix.swarsel.win/";
    +            base_url = "https://${globals.services.matrix.domain}/";
               };
             };
             UIFeature = {
    @@ -21190,13 +21934,13 @@ in
     
    -
    3.3.2.42. Hexchat
    +
    3.3.2.41. Hexchat
    -
    { lib, config, nixosConfig ? config, ... }:
    +
    { lib, config, confLib, ... }:
     let
       moduleName = "hexchat";
    -  inherit (nixosConfig.repo.secrets.common.irc) irc_nick1;
    +  inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1;
     in
     {
       options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
    @@ -21215,7 +21959,7 @@ in
     
    -
    3.3.2.43. obs-studio
    +
    3.3.2.42. obs-studio
    { lib, config, ... }:
    @@ -21236,7 +21980,7 @@ in
     
    -
    3.3.2.44. spotify-player
    +
    3.3.2.43. spotify-player
    { lib, config, ... }:
    @@ -21257,7 +22001,7 @@ in
     
    -
    3.3.2.45. vesktop
    +
    3.3.2.44. vesktop
    { lib, pkgs, config, ... }:
    @@ -21345,7 +22089,7 @@ in
     
    -
    3.3.2.46. batsignal
    +
    3.3.2.45. batsignal
    { lib, config, ... }:
    @@ -21378,7 +22122,7 @@ in
     
    -
    3.3.2.47. autotiling
    +
    3.3.2.46. autotiling
    { lib, config, ... }:
    @@ -21400,7 +22144,7 @@ in
     
    -
    3.3.2.48. swayidle
    +
    3.3.2.47. swayidle
    { lib, config, pkgs, ... }:
    @@ -21442,7 +22186,7 @@ in
     
    -
    3.3.2.49. swaylock
    +
    3.3.2.48. swaylock
    { lib, config, pkgs, ... }:
    @@ -21471,10 +22215,10 @@ in
     
    -
    3.3.2.50. opkssh
    +
    3.3.2.49. opkssh
    -
    { lib, config, ... }:
    +
    { lib, config, globals, ... }:
     let
       moduleName = "opkssh";
     in
    @@ -21489,7 +22233,7 @@ in
             providers = [
               {
                 alias = "kanidm";
    -            issuer = "https://sso.swarsel.win/oauth2/openid/opkssh";
    +            issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh";
                 client_id = "opkssh";
                 scopes = "openid email profile";
                 redirect_uris = [
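Review bot: `issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh";` is the trust anchor for SSH logins via opkssh, and OpenID Connect requires it to equal the `iss` value the provider emits byte-for-byte, so a domain variable carrying a scheme, port or trailing slash would break authentication silently. The old literal had the shape `https://<host>/oauth2/openid/opkssh` with no trailing slash; the new value should keep exactly that shape. A comment like `# must match the iss claim kanidm returns exactly; changing the domain changes which IdP is trusted for SSH` on the issuer line would make the security relevance of this variable visible to the next editor. The enclosing providers list continues outside the hunk.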
    @@ -21614,21 +22358,244 @@ in
     
    +
    +
    3.3.5.1. Niri
    +
    +
    +
    { inputs, config, pkgs, lib, vars, ... }:
    +{
    +  imports = [
    +    inputs.niri-flake.homeModules.niri
    +  ];
    +  options.swarselmodules.niri = lib.mkEnableOption "niri settings";
    +  config = lib.mkIf config.swarselmodules.niri
    +    {
    +
    +      programs.niri = {
    +        package = pkgs.niri-unstable; # which package to use for niri validation
    +        settings = {
    +          xwayland-satellite = {
    +            enable = true;
    +            path = "${lib.getExe pkgs.xwayland-satellite-unstable}";
    +          };
    +          prefer-no-csd = true;
    +          layer-rules = [
    +            { matches = [{ namespace = "^notifications$"; }]; block-out-from = "screencast"; }
    +            { matches = [{ namespace = "^wallpaper$"; }]; place-within-backdrop = true; }
    +          ];
    +          window-rules = [
    +            {
    +              matches = [{ app-id = ".*"; }];
    +              opacity = 0.95;
    +              default-column-width = { proportion = 0.5; };
    +              shadow = {
    +                enable = true;
    +                draw-behind-window = true;
    +              };
    +              geometry-corner-radius = { top-left = 2.0; top-right = 2.0; bottom-left = 2.0; bottom-right = 2.0; };
    +            }
    +            { matches = [{ app-id = "at.yrlf.wl_mirror"; }]; opacity = 1.0; }
    +            { matches = [{ app-id = "Gimp"; }]; opacity = 1.0; }
    +            { matches = [{ app-id = "firefox"; }]; opacity = 0.99; }
    +            { matches = [{ app-id = "^special.*"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; }
    +            { matches = [{ app-id = "chromium-browser"; }]; opacity = 0.99; }
    +            { matches = [{ app-id = "^qalculate-gtk$"; }]; open-floating = true; }
    +            { matches = [{ app-id = "^blueman$"; }]; open-floating = true; }
    +            { matches = [{ app-id = "^pavucontrol$"; }]; open-floating = true; }
    +            { matches = [{ app-id = "^syncthingtray$"; }]; open-floating = true; }
    +            { matches = [{ app-id = "^Element$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; }
    +            # { matches = [{ app-id = "^Element$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; }
    +            { matches = [{ app-id = "^vesktop$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; }
    +            # { matches = [{ app-id = "^vesktop$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; }
    +            { matches = [{ app-id = "^com.nextcloud.desktopclient.nextcloud$"; }]; open-floating = true; }
    +            { matches = [{ title = ".*1Password.*"; }]; excludes = [{ app-id = "^firefox$"; } { app-id = "^emacs$"; } { app-id = "^kitty$"; }]; open-floating = true; block-out-from = "screencast"; }
    +            { matches = [{ title = "(?:Open|Save) (?:File|Folder|As)"; }]; open-floating = true; }
    +            { matches = [{ title = "^Add$"; }]; open-floating = true; }
    +            { matches = [{ title = "^Picture-in-Picture$"; }]; open-floating = true; }
    +            { matches = [{ title = "Syncthing Tray"; }]; open-floating = true; }
    +            { matches = [{ title = "^Emacs Popup Frame$"; }]; open-floating = true; }
    +            { matches = [{ title = "^Emacs Popup Anchor$"; }]; open-floating = true; }
    +            { matches = [{ app-id = "^spotifytui$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; }
    +            { matches = [{ app-id = "^kittyterm$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; }
    +          ];
    +          environment = {
    +            DISPLAY = ":0";
    +          } // vars.waylandSessionVariables;
    +          screenshot-path = "~/Pictures/Screenshots/screenshot_%Y-%m-%d-%H%M%S.png";
    +          input = {
    +            mod-key = "Super";
    +            keyboard = {
    +              xkb = {
    +                layout = "us";
    +                variant = "altgr-intl";
    +              };
    +            };
    +            mouse = {
    +              natural-scroll = false;
    +            };
    +            touchpad = {
    +              enable = true;
    +              tap = true;
    +              tap-button-map = "left-right-middle";
    +              natural-scroll = true;
    +              scroll-method = "two-finger";
    +              click-method = "clickfinger";
    +              disabled-on-external-mouse = true;
    +              drag = true;
    +              drag-lock = false;
    +              dwt = true;
    +              dwtp = true;
    +            };
    +          };
    +          cursor = {
    +            hide-after-inactive-ms = 2000;
    +            hide-when-typing = true;
    +          };
    +          layout = {
    +            background-color = "transparent";
    +            border = {
    +              enable = true;
    +              width = 1;
    +            };
    +            focus-ring = {
    +              enable = false;
    +            };
    +            gaps = 5;
    +          };
    +          binds = with config.lib.niri.actions; let
    +            sh = spawn "sh" "-c";
    +          in
    +          {
    +
    +            # "Mod+Super_L" = spawn "killall -SIGUSR1 .waybar-wrapped";
    +            "Mod+z".action = spawn "killall -SIGUSR1 .waybar-wrapped";
    +            "Mod+Shift+t".action = toggle-window-rule-opacity;
    +            # "Mod+Escape".action = "mode $exit";
    +            "Mod+m".action = focus-workspace-previous;
    +            "Mod+Shift+Space".action = toggle-window-floating;
    +            "Mod+Shift+f".action = toggle-windowed-fullscreen;
    +            "Mod+q".action = close-window;
    +            "Mod+f".action = spawn "firefox";
    +            "Mod+Space".action = spawn "fuzzel";
    +            "Mod+Shift+c".action = spawn "qalculate-gtk";
    +            "Mod+Ctrl+p".action = spawn "1password" "--quick-acces";
    +            "Mod+Shift+Escape".action = spawn "kitty" "-o" "confirm_os_window_close=0" "btm";
    +            "Mod+h".action = sh ''hyprpicker | wl-copy'';
    +            # "Mod+s".action = spawn "grim" "-g" "\"$(slurp)\"" "-t" "png" "-" "|" "wl-copy" "-t" "image/png";
    +            # "Mod+s".action = screenshot { show-pointer = false; };
    +            "Mod+s".action.screenshot = { show-pointer = false; };
    +            # "Mod+Shift+s".action = spawn "slurp" "|" "grim" "-g" "-" "Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')";
    +            # "Mod+Shift+s".action = screenshot-window { write-to-disk = true; };
    +            "Mod+Shift+s".action.screenshot-window = { write-to-disk = true; };
    +            # "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv";
    +
    +            "Mod+e".action = sh "emacsclient -nquc -a emacs -e '(dashboard-open)'";
    +            "Mod+c".action = sh "emacsclient -ce '(org-capture)'";
    +            "Mod+t".action = sh "emacsclient -ce '(org-agenda)'";
    +            "Mod+Shift+m".action = sh "emacsclient -ce '(mu4e)'";
    +            "Mod+Shift+a".action = sh "emacsclient -ce '(swarsel/open-calendar)'";
    +
    +            "Mod+a".action = spawn "swarselcheck-niri" "-s";
    +            "Mod+x".action = spawn "swarselcheck-niri" "-k";
    +            "Mod+d".action = spawn "swarselcheck-niri" "-d";
    +            "Mod+w".action = spawn "swarselcheck-niri" "-e";
    +
    +            "Mod+p".action = spawn "pass-fuzzel";
    +            "Mod+o".action = spawn "pass-fuzzel" "--otp";
    +            "Mod+Shift+p".action = spawn "pass-fuzzel" "--type";
    +            "Mod+Shift+o".action = spawn "pass-fuzzel" "--otp" "--type";
    +
    +            "Mod+Left".action = focus-column-or-monitor-left;
    +            "Mod+Right".action = focus-column-or-monitor-right;
    +            "Mod+Down".action = focus-window-or-workspace-down;
    +            "Mod+Up".action = focus-window-or-workspace-up;
    +            "Mod+Shift+Left".action = move-column-left;
    +            "Mod+Shift+Right".action = move-column-right;
    +            "Mod+Shift+Down".action = move-window-down-or-to-workspace-down;
    +            "Mod+Shift+Up".action = move-window-up-or-to-workspace-up;
    +            # "Mod+Ctrl+Shift+c".action = "reload";
    +            # "Mod+Ctrl+Shift+r".action = "exec swarsel-displaypower";
    +            # "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
    +            # "Mod+r".action = "mode resize";
    +            # "Mod+Return".action = "exec kitty";
    +            "Mod+Return".action = spawn "swarselzellij";
    +            "XF86AudioRaiseVolume".action = spawn "swayosd-client" "--output-volume" "raise";
    +            "XF86AudioLowerVolume".action = spawn "swayosd-client" "--output-volume" "lower";
    +            "XF86AudioMute".action = spawn "swayosd-client" "--output-volume" "mute-toggle";
    +            "XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness raise";
    +            "XF86MonBrightnessDown".action = spawn "swayosd-client" "--brightness lower";
    +            "XF86Display".action = spawn "wl-mirror" "eDP-1";
    +            "Mod+Escape".action = spawn "wlogout";
    +            "Mod+Equal".action = set-column-width "+10%";
    +            "Mod+Minus".action = set-column-width "-10%";
    +
    +            "Mod+1".action = focus-workspace 1;
    +            "Mod+2".action = focus-workspace 2;
    +            "Mod+3".action = focus-workspace 3;
    +            "Mod+4".action = focus-workspace 4;
    +            "Mod+5".action = focus-workspace 5;
    +            "Mod+6".action = focus-workspace 6;
    +            "Mod+7".action = focus-workspace 7;
    +            "Mod+8".action = focus-workspace 8;
    +            "Mod+9".action = focus-workspace 9;
    +            "Mod+0".action = focus-workspace 0;
    +
    +            "Mod+Shift+1".action = move-column-to-index 1;
    +            "Mod+Shift+2".action = move-column-to-index 2;
    +            "Mod+Shift+3".action = move-column-to-index 3;
    +            "Mod+Shift+4".action = move-column-to-index 4;
    +            "Mod+Shift+5".action = move-column-to-index 5;
    +            "Mod+Shift+6".action = move-column-to-index 6;
    +            "Mod+Shift+7".action = move-column-to-index 7;
    +            "Mod+Shift+8".action = move-column-to-index 8;
    +            "Mod+Shift+9".action = move-column-to-index 9;
    +            "Mod+Shift+0".action = move-column-to-index 0;
    +          };
    +          spawn-at-startup = [
    +            # { command = [ "vesktop" "--start-minimized" "--enable-speech-dispatcher" "--ozone-platform-hint=auto" "--enable-features=WaylandWindowDecorations" "--enable-wayland-ime" ]; }
    +            # { command = [ "element-desktop" "--hidden" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland" "--disable-gpu-driver-bug-workarounds" ]; }
    +            # { command = [ "anki" ]; }
    +            # { command = [ "obsidian" ]; }
    +            # { command = [ "nm-applet" ]; }
    +            { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; }
    +          ];
    +          workspaces = {
    +            # "01-Main" = {
    +            #   name = "Scratchpad";
    +            # };
    +            "99-Scratchpad" = {
    +              name = "";
    +            };
    +          };
    +        };
    +      };
    +
    +    } // {
    +    programs.niri = lib.mkIf (!config.swarselmodules.niri) {
    +      package = null;
    +      config = null;
    +      settings = null;
    +    };
    +  };
    +}
    +
    +
    +
    +
    -
    3.3.5.1. Gaming
    +
    3.3.5.2. Gaming

    The rest of the settings is at gaming.

    -
    { lib, config, pkgs, nixosConfig ? config,  ... }:
    +
    { config, pkgs, confLib,  ... }:
     let
       inherit (config.swarselsystems) isNixos;
     in
     {
    -  options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings";
    -  config = lib.mkIf config.swarselmodules.optional.gaming {
    +  config = {
         # specialisation = {
         #   gaming.configuration = {
         home.packages = with pkgs; [
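Review bot: `"XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness raise";` and the Down binding below it pass `--brightness raise` as a single argv element, whereas the three volume bindings a few lines up pass `--output-volume` and `raise` as separate arguments; `spawn` does not go through a shell, so the brightness keys most likely hand swayosd-client one unrecognised option. Splitting them to match the volume lines, `spawn "swayosd-client" "--brightness" "raise"` and `spawn "swayosd-client" "--brightness" "lower"`, fixes this and keeps the binds consistent. The `"--quick-acces"` argument on the `Mod+Ctrl+p` binding also looks misspelled (the 1Password desktop flag is, as far as I know, `--quick-access`). These lines are moved verbatim from the removed Niri section, so both issues predate this commit.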
    @@ -21668,7 +22635,7 @@ in
             gamescope
             umu-launcher
           ];
    -      steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam;
    +      steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam;
           winePackages = with pkgs; [
             wineWow64Packages.waylandFull
           ];
    @@ -21686,7 +22653,7 @@ in
     
    -
    3.3.5.2. Work (pizauth)
    +
    3.3.5.3. Work (pizauth)

    The rest of the settings is at work. Here, I am setting up the different firefox profiles that I need for the SSO sites that I need to access at work as well as a few ssh shorthands. @@ -21708,398 +22675,428 @@ When setting up a new machine: - `pizauth dump > ~/.pizauth.state`

    -
    { self, inputs, config, pkgs, lib, vars, nixosConfig ? config, ... }:
    +
    { self, inputs, config, pkgs, lib, vars, confLib, type, ... }:
     let
       inherit (config.swarselsystems) homeDir mainUser;
    -  inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses;
    -  inherit (nixosConfig.repo.secrets.local.work) mailAddress;
    +  inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
    +  inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
     
    -  certsSopsFile = self + /secrets/certs/secrets.yaml;
    +  certsSopsFile = self + /secrets/repo/certs.yaml;
     in
     {
    -  options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
    -  config = lib.mkIf config.swarselmodules.optional.work
    -    ({
    -      home = {
    -        packages = with pkgs; [
    -          stable.teams-for-linux
    -          shellcheck
    -          dig
    -          docker
    -          postman
    -          # rclone
    -          libguestfs-with-appliance
    -          prometheus.cli
    -          tigervnc
    -          # openstackclient
    +  options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption;
    +  config = {
    +    home = {
    +      packages = with pkgs; [
    +        stable.teams-for-linux
    +        shellcheck
    +        dig
    +        docker
    +        postman
    +        # rclone
    +        libguestfs-with-appliance
    +        prometheus.cli
    +        tigervnc
    +        # openstackclient
     
    -          vscode
    -          dev.antigravity
    +        vscode
    +        dev.antigravity
     
    -          rustdesk-vbc
    +        rustdesk-vbc
    +      ];
    +      sessionVariables = {
    +        AWS_CA_BUNDLE = confLib.getConfig.sops.secrets.harica-root-ca.path;
    +      };
    +    };
    +    systemd.user.sessionVariables = {
    +      DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
    +    } // lib.optionalAttrs (!config.swarselsystems.isPublic) {
    +      SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses;
    +      SWARSEL_MAIL_WORK = lib.mkForce mailAddress;
    +    };
    +
    +    accounts.email.accounts.work =
    +      let
    +        inherit (confLib.getConfig.repo.secrets.local.work) mailName;
    +      in
    +      {
    +        primary = false;
    +        address = mailAddress;
    +        userName = mailAddress;
    +        realName = mailName;
    +        passwordCommand = "pizauth show work";
    +        imap = {
    +          host = "outlook.office365.com";
    +          port = 993;
    +          tls.enable = true; # SSL/TLS
    +        };
    +        smtp = {
    +          host = "outlook.office365.com";
    +          port = 587;
    +          tls = {
    +            enable = true; # SSL/TLS
    +            useStartTls = true;
    +          };
    +        };
    +        thunderbird = {
    +          enable = true;
    +          profiles = [ "default" ];
    +          settings = id: {
    +            "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
    +            "mail.server.server_${id}.authMethod" = 10; # oauth
    +            # "toolkit.telemetry.enabled" = false;
    +            # "toolkit.telemetry.rejected" = true;
    +            # "toolkit.telemetry.prompted" = 2;
    +          };
    +        };
    +        msmtp = {
    +          enable = true;
    +          extraConfig = {
    +            auth = "xoauth2";
    +            host = "outlook.office365.com";
    +            protocol = "smtp";
    +            port = "587";
    +            tls = "on";
    +            tls_starttls = "on";
    +            from = "${mailAddress}";
    +            user = "${mailAddress}";
    +            passwordeval = "pizauth show work";
    +          };
    +        };
    +        mu.enable = true;
    +        mbsync = {
    +          enable = true;
    +          expunge = "both";
    +          patterns = [ "INBOX" ];
    +          extraConfig = {
    +            account = {
    +              AuthMechs = "XOAUTH2";
    +            };
    +          };
    +        };
    +      };
    +
    +    # wayland.windowManager.sway.config = {
    +    #   output = {
    +    #     "Applied Creative Technology Transmitter QUATTRO201811" = {
    +    #       bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}";
    +    #     };
    +    #     "Hewlett Packard HP Z24i CN44250RDT" = {
    +    #       bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}";
    +    #     };
    +    #     "HP Inc. HP 732pk CNC4080YL5" = {
    +    #       bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}";
    +    #     };
    +    #   };
    +    # };
    +
    +    wayland.windowManager.sway =
    +      let
    +        inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress;
    +      in
    +      {
    +        config = {
    +          keybindings =
    +            let
    +              inherit (config.wayland.windowManager.sway.config) modifier;
    +            in
    +            {
    +              "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}";
    +              "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}";
    +            };
    +        };
    +      };
    +
    +    stylix = {
    +      targets.firefox.profileNames =
    +        let
    +          inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3;
    +        in
    +        [
    +          "${user1}"
    +          "${user2}"
    +          "${user3}"
    +          "work"
             ];
    -        sessionVariables = {
    -          AWS_CA_BUNDLE = nixosConfig.sops.secrets.harica-root-ca.path;
    +    };
    +
    +    programs =
    +      let
    +        inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds;
    +      in
    +      {
    +        openstackclient = {
    +          enable = true;
    +          inherit clouds;
             };
    -      };
    -      systemd.user.sessionVariables = {
    -        DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
    -      } // lib.optionalAttrs (!config.swarselsystems.isPublic) {
    -        SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses;
    -        SWARSEL_MAIL_WORK = lib.mkForce mailAddress;
    -      };
    -
    -      accounts.email.accounts.work =
    -        let
    -          inherit (nixosConfig.repo.secrets.local.work) mailName;
    -        in
    -        {
    -          primary = false;
    -          address = mailAddress;
    -          userName = mailAddress;
    -          realName = mailName;
    -          passwordCommand = "pizauth show work";
    -          imap = {
    -            host = "outlook.office365.com";
    -            port = 993;
    -            tls.enable = true; # SSL/TLS
    -          };
    -          smtp = {
    -            host = "outlook.office365.com";
    -            port = 587;
    -            tls = {
    -              enable = true; # SSL/TLS
    -              useStartTls = true;
    -            };
    -          };
    -          thunderbird = {
    -            enable = true;
    -            profiles = [ "default" ];
    -            settings = id: {
    -              "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
    -              "mail.server.server_${id}.authMethod" = 10; # oauth
    -              # "toolkit.telemetry.enabled" = false;
    -              # "toolkit.telemetry.rejected" = true;
    -              # "toolkit.telemetry.prompted" = 2;
    -            };
    -          };
    -          msmtp = {
    -            enable = true;
    -            extraConfig = {
    -              auth = "xoauth2";
    -              host = "outlook.office365.com";
    -              protocol = "smtp";
    -              port = "587";
    -              tls = "on";
    -              tls_starttls = "on";
    -              from = "${mailAddress}";
    -              user = "${mailAddress}";
    -              passwordeval = "pizauth show work";
    -            };
    -          };
    -          mu.enable = true;
    -          mbsync = {
    -            enable = true;
    -            expunge = "both";
    -            patterns = [ "INBOX" ];
    -            extraConfig = {
    -              account = {
    -                AuthMechs = "XOAUTH2";
    -              };
    -            };
    -          };
    +        awscli = {
    +          enable = true;
    +          package = pkgs.stable24_05.awscli2;
    +          # settings = {
    +          #   "default" = { };
    +          #   "profile s3-imagebuilder-prod" = { };
    +          # };
    +          # credentials = {
    +          #   "s3-imagebuilder-prod" = {
    +          #     aws_access_key_id = "5OYXY4879EJG9I91K1B6";
    +          #     credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key";
    +          #   };
    +          # };
             };
    +        git.settings.user.email = lib.mkForce gitMail;
     
    -      # wayland.windowManager.sway.config = {
    -      #   output = {
    -      #     "Applied Creative Technology Transmitter QUATTRO201811" = {
    -      #       bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}";
    -      #     };
    -      #     "Hewlett Packard HP Z24i CN44250RDT" = {
    -      #       bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}";
    -      #     };
    -      #     "HP Inc. HP 732pk CNC4080YL5" = {
    -      #       bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}";
    -      #     };
    -      #   };
    -      # };
    -
    -      wayland.windowManager.sway =
    -        let
    -          inherit (nixosConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress;
    -        in
    -        {
    -          config = {
    -            keybindings =
    -              let
    -                inherit (config.wayland.windowManager.sway.config) modifier;
    -              in
    -              {
    -                "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}";
    -                "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}";
    -              };
    +        zsh = {
    +          shellAliases = {
    +            dssh = "ssh -l ${user1Long}";
    +            cssh = "ssh -l ${user2Long}";
    +            wssh = "ssh -l ${user3Long}";
               };
    -        };
    -
    -      stylix = {
    -        targets.firefox.profileNames =
    -          let
    -            inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
    -          in
    -          [
    -            "${user1}"
    -            "${user2}"
    -            "${user3}"
    -            "work"
    +          cdpath = [
    +            "~/Documents/Work"
               ];
    -      };
    -
    -      programs =
    -        let
    -          inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds;
    -        in
    -        {
    -          openstackclient = {
    -            enable = true;
    -            inherit clouds;
    -          };
    -          awscli = {
    -            enable = true;
    -            package = pkgs.stable24_05.awscli2;
    -            # settings = {
    -            #   "default" = { };
    -            #   "profile s3-imagebuilder-prod" = { };
    -            # };
    -            # credentials = {
    -            #   "s3-imagebuilder-prod" = {
    -            #     aws_access_key_id = "5OYXY4879EJG9I91K1B6";
    -            #     credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key";
    -            #   };
    -            # };
    -          };
    -          git.settings.user.email = lib.mkForce gitMail;
    -
    -          zsh = {
    -            shellAliases = {
    -              dssh = "ssh -l ${user1Long}";
    -              cssh = "ssh -l ${user2Long}";
    -              wssh = "ssh -l ${user3Long}";
    -            };
    -            cdpath = [
    -              "~/Documents/Work"
    -            ];
    -            dirHashes = {
    -              d = "$HOME/.dotfiles";
    -              w = "$HOME/Documents/Work";
    -              s = "$HOME/.dotfiles/secrets";
    -              pr = "$HOME/Documents/Private";
    -              ac = path1;
    -            };
    -
    -            sessionVariables = {
    -              VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})";
    -              VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})";
    -              GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})";
    -              GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})";
    -              GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})";
    -              GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})";
    -              GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})";
    -              GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})";
    -              GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})";
    -              GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})";
    -            };
    +          dirHashes = {
    +            d = "$HOME/.dotfiles";
    +            w = "$HOME/Documents/Work";
    +            s = "$HOME/.dotfiles/secrets";
    +            pr = "$HOME/Documents/Private";
    +            ac = path1;
               };
     
    -          ssh = {
    -            matchBlocks = {
    -              "${loc1}" = {
    -                hostname = "${loc1}.${domain2}";
    -                user = user4;
    -              };
    -              "${loc1}.stg" = {
    -                hostname = "${loc1}.${lifecycle1}.${domain2}";
    -                user = user4;
    -              };
    -              "${loc1}.staging" = {
    -                hostname = "${loc1}.${lifecycle1}.${domain2}";
    -                user = user4;
    -              };
    -              "${loc1}.dev" = {
    -                hostname = "${loc1}.${lifecycle2}.${domain2}";
    -                user = user4;
    -              };
    -              "${loc2}" = {
    -                hostname = "${loc2}.${domain1}";
    -                user = user1Long;
    -              };
    -              "${loc2}.stg" = {
    -                hostname = "${loc2}.${lifecycle1}.${domain2}";
    -                user = user1Long;
    -              };
    -              "${loc2}.staging" = {
    -                hostname = "${loc2}.${lifecycle1}.${domain2}";
    -                user = user1Long;
    -              };
    -              "*.${domain1}" = {
    -                user = user1Long;
    -              };
    -            };
    -          };
    -
    -          firefox = {
    -            profiles =
    -              let
    -                isDefault = false;
    -              in
    -              {
    -                "${user1}" = lib.recursiveUpdate
    -                  {
    -                    inherit isDefault;
    -                    id = 1;
    -                    settings = {
    -                      "browser.startup.homepage" = "${site1}|${site2}";
    -                    };
    -                  }
    -                  vars.firefox;
    -                "${user2}" = lib.recursiveUpdate
    -                  {
    -                    inherit isDefault;
    -                    id = 2;
    -                    settings = {
    -                      "browser.startup.homepage" = "${site3}";
    -                    };
    -                  }
    -                  vars.firefox;
    -                "${user3}" = lib.recursiveUpdate
    -                  {
    -                    inherit isDefault;
    -                    id = 3;
    -                  }
    -                  vars.firefox;
    -                work = lib.recursiveUpdate
    -                  {
    -                    inherit isDefault;
    -                    id = 4;
    -                    settings = {
    -                      "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
    -                    };
    -                  }
    -                  vars.firefox;
    -              };
    -          };
    -
    -          chromium = {
    -            enable = true;
    -            package = pkgs.chromium;
    -
    -            extensions = [
    -              # 1password
    -              "gejiddohjgogedgjnonbofjigllpkmbf"
    -              # dark reader
    -              "eimadpbcbfnmbkopoojfekhnkhdbieeh"
    -              # ublock origin
    -              "cjpalhdlnbpafiamejdnhcphjbkeiagm"
    -              # i still dont care about cookies
    -              "edibdbjcniadpccecjdfdjjppcpchdlm"
    -              # browserpass
    -              "naepdomgkenhinolocfifgehidddafch"
    -            ];
    +          sessionVariables = {
    +            VSPHERE_USER = "$(cat ${confLib.getConfig.sops.secrets.vcuser.path})";
    +            VSPHERE_PW = "$(cat ${confLib.getConfig.sops.secrets.vcpw.path})";
    +            GOVC_USERNAME = "$(cat ${confLib.getConfig.sops.secrets.govcuser.path})";
    +            GOVC_PASSWORD = "$(cat ${confLib.getConfig.sops.secrets.govcpw.path})";
    +            GOVC_URL = "$(cat ${confLib.getConfig.sops.secrets.govcurl.path})";
    +            GOVC_DATACENTER = "$(cat ${confLib.getConfig.sops.secrets.govcdc.path})";
    +            GOVC_DATASTORE = "$(cat ${confLib.getConfig.sops.secrets.govcds.path})";
    +            GOVC_HOST = "$(cat ${confLib.getConfig.sops.secrets.govchost.path})";
    +            GOVC_RESOURCE_POOL = "$(cat ${confLib.getConfig.sops.secrets.govcpool.path})";
    +            GOVC_NETWORK = "$(cat ${confLib.getConfig.sops.secrets.govcnetwork.path})";
               };
             };
     
    -      services = {
    -        kanshi = {
    -          settings = [
    +        ssh = {
    +          matchBlocks = {
    +            "${loc1}" = {
    +              hostname = "${loc1}.${domain2}";
    +              user = user4;
    +            };
    +            "${loc1}.stg" = {
    +              hostname = "${loc1}.${lifecycle1}.${domain2}";
    +              user = user4;
    +            };
    +            "${loc1}.staging" = {
    +              hostname = "${loc1}.${lifecycle1}.${domain2}";
    +              user = user4;
    +            };
    +            "${loc1}.dev" = {
    +              hostname = "${loc1}.${lifecycle2}.${domain2}";
    +              user = user4;
    +            };
    +            "${loc2}" = {
    +              hostname = "${loc2}.${domain1}";
    +              user = user1Long;
    +            };
    +            "${loc2}.stg" = {
    +              hostname = "${loc2}.${lifecycle1}.${domain2}";
    +              user = user1Long;
    +            };
    +            "${loc2}.staging" = {
    +              hostname = "${loc2}.${lifecycle1}.${domain2}";
    +              user = user1Long;
    +            };
    +            "*.${domain1}" = {
    +              user = user1Long;
    +            };
    +          };
    +        };
    +
    +        firefox = {
    +          profiles =
    +            let
    +              isDefault = false;
    +            in
                 {
    -              # seminary room
    -              output = {
    -                criteria = "Applied Creative Technology Transmitter QUATTRO201811";
    -                scale = 1.0;
    -                mode = "1280x720";
    -              };
    -            }
    -            {
    -              # work main screen
    -              output = {
    -                criteria = "HP Inc. HP 732pk CNC4080YL5";
    -                scale = 1.0;
    -                mode = "3840x2160";
    -              };
    -            }
    -            {
    -              # work side screen
    -              output = {
    -                criteria = "Hewlett Packard HP Z24i CN44250RDT";
    -                scale = 1.0;
    -                mode = "1920x1200";
    -                transform = "270";
    -              };
    -            }
    -            {
    -              profile = {
    +              "${user1}" = lib.recursiveUpdate
    +                {
    +                  inherit isDefault;
    +                  id = 1;
    +                  settings = {
    +                    "browser.startup.homepage" = "${site1}|${site2}";
    +                  };
    +                }
    +                vars.firefox;
    +              "${user2}" = lib.recursiveUpdate
    +                {
    +                  inherit isDefault;
    +                  id = 2;
    +                  settings = {
    +                    "browser.startup.homepage" = "${site3}";
    +                  };
    +                }
    +                vars.firefox;
    +              "${user3}" = lib.recursiveUpdate
    +                {
    +                  inherit isDefault;
    +                  id = 3;
    +                }
    +                vars.firefox;
    +              work = lib.recursiveUpdate
    +                {
    +                  inherit isDefault;
    +                  id = 4;
    +                  settings = {
    +                    "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
    +                  };
    +                }
    +                vars.firefox;
    +            };
    +        };
    +
    +        chromium = {
    +          enable = true;
    +          package = pkgs.chromium;
    +
    +          extensions = [
    +            # 1password
    +            "gejiddohjgogedgjnonbofjigllpkmbf"
    +            # dark reader
    +            "eimadpbcbfnmbkopoojfekhnkhdbieeh"
    +            # ublock origin
    +            "cjpalhdlnbpafiamejdnhcphjbkeiagm"
    +            # i still dont care about cookies
    +            "edibdbjcniadpccecjdfdjjppcpchdlm"
    +            # browserpass
    +            "naepdomgkenhinolocfifgehidddafch"
    +          ];
    +        };
    +      };
    +
    +    services = {
    +      kanshi = {
    +        settings = [
    +          {
    +            # seminary room
    +            output = {
    +              criteria = "Applied Creative Technology Transmitter QUATTRO201811";
    +              scale = 1.0;
    +              mode = "1280x720";
    +            };
    +          }
    +          {
    +            # work main screen
    +            output = {
    +              criteria = "HP Inc. HP 732pk CNC4080YL5";
    +              scale = 1.0;
    +              mode = "3840x2160";
    +            };
    +          }
    +          {
    +            # work side screen
    +            output = {
    +              criteria = "Hewlett Packard HP Z24i CN44250RDT";
    +              scale = 1.0;
    +              mode = "1920x1200";
    +              transform = "270";
    +            };
    +          }
    +          {
    +            profile = {
    +              name = "lidopen";
    +              exec = [
    +                "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
    +                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
    +                "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
    +              ];
    +              outputs = [
    +                {
    +                  criteria = config.swarselsystems.sharescreen;
    +                  status = "enable";
    +                  scale = 1.5;
    +                  position = "1462,0";
    +                }
    +                {
    +                  criteria = "HP Inc. HP 732pk CNC4080YL5";
    +                  scale = 1.4;
    +                  mode = "3840x2160";
    +                  position = "-1280,0";
    +                }
    +                {
    +                  criteria = "Hewlett Packard HP Z24i CN44250RDT";
    +                  scale = 1.0;
    +                  mode = "1920x1200";
    +                  transform = "90";
    +                  position = "-2480,0";
    +                }
    +              ];
    +            };
    +          }
    +          {
    +            profile =
    +              let
    +                monitor = "Applied Creative Technology Transmitter QUATTRO201811";
    +              in
    +              {
                     name = "lidopen";
                     exec = [
                       "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
    -                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
    -                  "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
    +                  "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
    +                  "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'"
                     ];
                     outputs = [
                       {
                         criteria = config.swarselsystems.sharescreen;
                         status = "enable";
    -                    scale = 1.5;
    -                    position = "1462,0";
    +                    scale = 1.7;
    +                    position = "2560,0";
                       }
                       {
    -                    criteria = "HP Inc. HP 732pk CNC4080YL5";
    -                    scale = 1.4;
    -                    mode = "3840x2160";
    -                    position = "-1280,0";
    -                  }
    -                  {
    -                    criteria = "Hewlett Packard HP Z24i CN44250RDT";
    +                    criteria = "Applied Creative Technology Transmitter QUATTRO201811";
                         scale = 1.0;
    -                    mode = "1920x1200";
    -                    transform = "90";
    -                    position = "-2480,0";
    +                    mode = "1280x720";
    +                    position = "10000,10000";
                       }
                     ];
                   };
    -            }
    -            {
    -              profile =
    -                let
    -                  monitor = "Applied Creative Technology Transmitter QUATTRO201811";
    -                in
    +          }
    +          {
    +            profile = {
    +              name = "lidclosed";
    +              exec = [
    +                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
    +                "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
    +              ];
    +              outputs = [
                     {
    -                  name = "lidopen";
    -                  exec = [
    -                    "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
    -                    "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
    -                    "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'"
    -                  ];
    -                  outputs = [
    -                    {
    -                      criteria = config.swarselsystems.sharescreen;
    -                      status = "enable";
    -                      scale = 1.7;
    -                      position = "2560,0";
    -                    }
    -                    {
    -                      criteria = "Applied Creative Technology Transmitter QUATTRO201811";
    -                      scale = 1.0;
    -                      mode = "1280x720";
    -                      position = "10000,10000";
    -                    }
    -                  ];
    -                };
    -            }
    -            {
    -              profile = {
    +                  criteria = config.swarselsystems.sharescreen;
    +                  status = "disable";
    +                }
    +                {
    +                  criteria = "HP Inc. HP 732pk CNC4080YL5";
    +                  scale = 1.4;
    +                  mode = "3840x2160";
    +                  position = "-1280,0";
    +                }
    +                {
    +                  criteria = "Hewlett Packard HP Z24i CN44250RDT";
    +                  scale = 1.0;
    +                  mode = "1920x1200";
    +                  transform = "270";
    +                  position = "-2480,0";
    +                }
    +              ];
    +            };
    +          }
    +          {
    +            profile =
    +              let
    +                monitor = "Applied Creative Technology Transmitter QUATTRO201811";
    +              in
    +              {
                     name = "lidclosed";
                     exec = [
    -                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
    -                  "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
    +                  "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
                     ];
                     outputs = [
                       {
    @@ -22107,272 +23104,241 @@ in
                         status = "disable";
                       }
                       {
    -                    criteria = "HP Inc. HP 732pk CNC4080YL5";
    -                    scale = 1.4;
    -                    mode = "3840x2160";
    -                    position = "-1280,0";
    -                  }
    -                  {
    -                    criteria = "Hewlett Packard HP Z24i CN44250RDT";
    +                    criteria = "Applied Creative Technology Transmitter QUATTRO201811";
                         scale = 1.0;
    -                    mode = "1920x1200";
    -                    transform = "270";
    -                    position = "-2480,0";
    +                    mode = "1280x720";
    +                    position = "10000,10000";
                       }
                     ];
                   };
    -            }
    -            {
    -              profile =
    -                let
    -                  monitor = "Applied Creative Technology Transmitter QUATTRO201811";
    -                in
    -                {
    -                  name = "lidclosed";
    -                  exec = [
    -                    "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
    -                  ];
    -                  outputs = [
    -                    {
    -                      criteria = config.swarselsystems.sharescreen;
    -                      status = "disable";
    -                    }
    -                    {
    -                      criteria = "Applied Creative Technology Transmitter QUATTRO201811";
    -                      scale = 1.0;
    -                      mode = "1280x720";
    -                      position = "10000,10000";
    -                    }
    -                  ];
    -                };
    -            }
    -          ];
    -        };
    -      };
    -
    -      systemd.user.services = {
    -        pizauth.Service = {
    -          ExecStartPost = [
    -            "${pkgs.toybox}/bin/sleep 1"
    -            "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'"
    -          ];
    -        };
    -
    -        teams-applet = {
    -          Unit = {
    -            Description = "teams applet";
    -            Requires = [ "tray.target" ];
    -            After = [
    -              "graphical-session.target"
    -              "tray.target"
    -            ];
    -            PartOf = [ "graphical-session.target" ];
    -          };
    -
    -          Install = {
    -            WantedBy = [ "graphical-session.target" ];
    -          };
    -
    -          Service = {
    -            ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true";
    -          };
    -        };
    -
    -        onepassword-applet = {
    -          Unit = {
    -            Description = "1password applet";
    -            Requires = [ "tray.target" ];
    -            After = [
    -              "graphical-session.target"
    -              "tray.target"
    -            ];
    -            PartOf = [ "graphical-session.target" ];
    -          };
    -
    -          Install = {
    -            WantedBy = [ "graphical-session.target" ];
    -          };
    -
    -          Service = {
    -            ExecStart = "${pkgs._1password-gui}/bin/1password";
    -          };
    -        };
    -
    -      };
    -
    -      services.pizauth = {
    -        enable = true;
    -        extraConfig = ''
    -          auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi";
    -          error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\"";
    -          token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state";
    -        '';
    -        accounts = {
    -          work = {
    -            authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
    -            tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
    -            clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
    -            clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
    -            scopes = [
    -              "https://outlook.office365.com/IMAP.AccessAsUser.All"
    -              "https://outlook.office365.com/SMTP.Send"
    -              "offline_access"
    -            ];
    -            loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}";
    -          };
    -        };
    -
    -      };
    -
    -      xdg =
    -        let
    -          inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
    -        in
    -        {
    -          mimeApps = {
    -            defaultApplications = {
    -              "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
    -            };
    -          };
    -          desktopEntries =
    -            let
    -              terminal = false;
    -              categories = [ "Application" ];
    -              icon = "firefox";
    -            in
    -            {
    -              firefox_work = {
    -                name = "Firefox (work)";
    -                genericName = "Firefox work";
    -                exec = "firefox -p work";
    -                inherit terminal categories icon;
    -              };
    -              "firefox_${user1}" = {
    -                name = "Firefox (${user1})";
    -                genericName = "Firefox ${user1}";
    -                exec = "firefox -p ${user1}";
    -                inherit terminal categories icon;
    -              };
    -
    -              "firefox_${user2}" = {
    -                name = "Firefox (${user2})";
    -                genericName = "Firefox ${user2}";
    -                exec = "firefox -p ${user2}";
    -                inherit terminal categories icon;
    -              };
    -
    -              "firefox_${user3}" = {
    -                name = "Firefox (${user3})";
    -                genericName = "Firefox ${user3}";
    -                exec = "firefox -p ${user3}";
    -                inherit terminal categories icon;
    -              };
    -
    -
    -            };
    -        };
    -      swarselsystems = {
    -        startup = [
    -          # { command = "nextcloud --background"; }
    -          # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
    -          # { command = "element-desktop --hidden  --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
    -          # { command = "anki"; }
    -          # { command = "obsidian"; }
    -          # { command = "nm-applet"; }
    -          # { command = "feishin"; }
    -          # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }
    -          # { command = "1password"; }
    +          }
             ];
    -        monitors = {
    -          work_back_middle = rec {
    -            name = "LG Electronics LG Ultra HD 0x000305A6";
    -            mode = "2560x1440";
    -            scale = "1";
    -            position = "5120,0";
    -            workspace = "1:一";
    -            # output = "DP-10";
    -            output = name;
    -          };
    -          work_front_left = rec {
    -            name = "LG Electronics LG Ultra HD 0x0007AB45";
    -            mode = "3840x2160";
    -            scale = "1";
    -            position = "5120,0";
    -            workspace = "1:一";
    -            # output = "DP-7";
    -            output = name;
    -          };
    -          work_back_right = rec {
    -            name = "HP Inc. HP Z32 CN41212T55";
    -            mode = "3840x2160";
    -            scale = "1";
    -            position = "5120,0";
    -            workspace = "1:一";
    -            # output = "DP-3";
    -            output = name;
    -          };
    -          work_middle_middle_main = rec {
    -            name = "HP Inc. HP 732pk CNC4080YL5";
    -            mode = "3840x2160";
    -            scale = "1";
    -            position = "-1280,0";
    -            workspace = "11:M";
    -            # output = "DP-8";
    -            output = name;
    -          };
    -          work_middle_middle_side = rec {
    -            name = "Hewlett Packard HP Z24i CN44250RDT";
    -            mode = "1920x1200";
    -            transform = "270";
    -            scale = "1";
    -            position = "-2480,0";
    -            workspace = "12:S";
    -            # output = "DP-9";
    -            output = name;
    -          };
    -          work_seminary = rec {
    -            name = "Applied Creative Technology Transmitter QUATTRO201811";
    -            mode = "1280x720";
    -            scale = "1";
    -            position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse
    -            workspace = "14:T";
    -            # output = "DP-4";
    -            output = name;
    -          };
    -        };
    -        inputs = {
    -          "1133:45081:MX_Master_2S_Keyboard" = {
    -            xkb_layout = "us";
    -            xkb_variant = "altgr-intl";
    -          };
    -          # "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
    -          #   dwt = "enabled";
    -          #   tap = "enabled";
    -          #   natural_scroll = "enabled";
    -          #   middle_emulation = "enabled";
    -          #   drag_lock = "disabled";
    -          # };
    -          "1133:50504:Logitech_USB_Receiver" = {
    -            xkb_layout = "us";
    -            xkb_variant = "altgr-intl";
    -          };
    -          "1133:45944:MX_KEYS_S" = {
    -            xkb_layout = "us";
    -            xkb_variant = "altgr-intl";
    -          };
    +      };
    +    };
    +
    +    systemd.user.services = {
    +      pizauth.Service = {
    +        ExecStartPost = [
    +          "${pkgs.toybox}/bin/sleep 1"
    +          "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'"
    +        ];
    +      };
    +
    +      teams-applet = {
    +        Unit = {
    +          Description = "teams applet";
    +          Requires = [ "tray.target" ];
    +          After = [
    +            "graphical-session.target"
    +            "tray.target"
    +          ];
    +          PartOf = [ "graphical-session.target" ];
             };
     
    -      };
    -    } // lib.optionalAttrs (inputs ? sops) {
    -      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
    -        harica-root-ca = {
    -          sopsFile = certsSopsFile;
    -          path = "${homeDir}/.aws/certs/harica-root.pem";
    -          owner = mainUser;
    +        Install = {
    +          WantedBy = [ "graphical-session.target" ];
    +        };
    +
    +        Service = {
    +          ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true";
             };
           };
     
    -    });
    +      onepassword-applet = {
    +        Unit = {
    +          Description = "1password applet";
    +          Requires = [ "tray.target" ];
    +          After = [
    +            "graphical-session.target"
    +            "tray.target"
    +          ];
    +          PartOf = [ "graphical-session.target" ];
    +        };
    +
    +        Install = {
    +          WantedBy = [ "graphical-session.target" ];
    +        };
    +
    +        Service = {
    +          ExecStart = "${pkgs._1password-gui}/bin/1password";
    +        };
    +      };
    +
    +    };
    +
    +    services.pizauth = {
    +      enable = true;
    +      extraConfig = ''
    +        auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi";
    +        error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\"";
    +        token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state";
    +      '';
    +      accounts = {
    +        work = {
    +          authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
    +          tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
    +          clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
    +          clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
    +          scopes = [
    +            "https://outlook.office365.com/IMAP.AccessAsUser.All"
    +            "https://outlook.office365.com/SMTP.Send"
    +            "offline_access"
    +          ];
    +          loginHint = "${confLib.getConfig.repo.secrets.local.work.mailAddress}";
    +        };
    +      };
    +
    +    };
    +
    +    xdg =
    +      let
    +        inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3;
    +      in
    +      {
    +        mimeApps = {
    +          defaultApplications = {
    +            "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
    +          };
    +        };
    +        desktopEntries =
    +          let
    +            terminal = false;
    +            categories = [ "Application" ];
    +            icon = "firefox";
    +          in
    +          {
    +            firefox_work = {
    +              name = "Firefox (work)";
    +              genericName = "Firefox work";
    +              exec = "firefox -p work";
    +              inherit terminal categories icon;
    +            };
    +            "firefox_${user1}" = {
    +              name = "Firefox (${user1})";
    +              genericName = "Firefox ${user1}";
    +              exec = "firefox -p ${user1}";
    +              inherit terminal categories icon;
    +            };
    +
    +            "firefox_${user2}" = {
    +              name = "Firefox (${user2})";
    +              genericName = "Firefox ${user2}";
    +              exec = "firefox -p ${user2}";
    +              inherit terminal categories icon;
    +            };
    +
    +            "firefox_${user3}" = {
    +              name = "Firefox (${user3})";
    +              genericName = "Firefox ${user3}";
    +              exec = "firefox -p ${user3}";
    +              inherit terminal categories icon;
    +            };
    +
    +
    +          };
    +      };
    +    swarselsystems = {
    +      startup = [
    +        # { command = "nextcloud --background"; }
    +        # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
    +        # { command = "element-desktop --hidden  --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
    +        # { command = "anki"; }
    +        # { command = "obsidian"; }
    +        # { command = "nm-applet"; }
    +        # { command = "feishin"; }
    +        # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }
    +        # { command = "1password"; }
    +      ];
    +      monitors = {
    +        work_back_middle = rec {
    +          name = "LG Electronics LG Ultra HD 0x000305A6";
    +          mode = "2560x1440";
    +          scale = "1";
    +          position = "5120,0";
    +          workspace = "1:一";
    +          # output = "DP-10";
    +          output = name;
    +        };
    +        work_front_left = rec {
    +          name = "LG Electronics LG Ultra HD 0x0007AB45";
    +          mode = "3840x2160";
    +          scale = "1";
    +          position = "5120,0";
    +          workspace = "1:一";
    +          # output = "DP-7";
    +          output = name;
    +        };
    +        work_back_right = rec {
    +          name = "HP Inc. HP Z32 CN41212T55";
    +          mode = "3840x2160";
    +          scale = "1";
    +          position = "5120,0";
    +          workspace = "1:一";
    +          # output = "DP-3";
    +          output = name;
    +        };
    +        work_middle_middle_main = rec {
    +          name = "HP Inc. HP 732pk CNC4080YL5";
    +          mode = "3840x2160";
    +          scale = "1";
    +          position = "-1280,0";
    +          workspace = "11:M";
    +          # output = "DP-8";
    +          output = name;
    +        };
    +        work_middle_middle_side = rec {
    +          name = "Hewlett Packard HP Z24i CN44250RDT";
    +          mode = "1920x1200";
    +          transform = "270";
    +          scale = "1";
    +          position = "-2480,0";
    +          workspace = "12:S";
    +          # output = "DP-9";
    +          output = name;
    +        };
    +        work_seminary = rec {
    +          name = "Applied Creative Technology Transmitter QUATTRO201811";
    +          mode = "1280x720";
    +          scale = "1";
    +          position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse
    +          workspace = "14:T";
    +          # output = "DP-4";
    +          output = name;
    +        };
    +      };
    +      inputs = {
    +        "1133:45081:MX_Master_2S_Keyboard" = {
    +          xkb_layout = "us";
    +          xkb_variant = "altgr-intl";
    +        };
    +        # "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
    +        #   dwt = "enabled";
    +        #   tap = "enabled";
    +        #   natural_scroll = "enabled";
    +        #   middle_emulation = "enabled";
    +        #   drag_lock = "disabled";
    +        # };
    +        "1133:50504:Logitech_USB_Receiver" = {
    +          xkb_layout = "us";
    +          xkb_variant = "altgr-intl";
    +        };
    +        "1133:45944:MX_KEYS_S" = {
    +          xkb_layout = "us";
    +          xkb_variant = "altgr-intl";
    +        };
    +      };
    +
    +    };
    +  } // lib.optionalAttrs (type != "nixos") {
    +    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
    +      harica-root-ca = {
    +        sopsFile = certsSopsFile;
    +        path = "${homeDir}/.aws/certs/harica-root.pem";
    +        owner = mainUser;
    +      };
    +    };
    +
    +  };
     
     }
     
    @@ -22381,32 +23347,30 @@ in
     
    -
    3.3.5.3. Uni
    +
    3.3.5.4. Uni
    -
    { config, lib, nixosConfig ? config, ... }:
    +
    { confLib, ... }:
     {
    -  options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings";
    -  config = lib.mkIf config.swarselmodules.optional.uni
    -    {
    -      services.pizauth = {
    -        enable = true;
    -        accounts = {
    -          uni = {
    -            authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
    -            tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
    -            clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
    -            clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
    -            scopes = [
    -              "https://outlook.office365.com/IMAP.AccessAsUser.All"
    -              "https://outlook.office365.com/SMTP.Send"
    -              "offline_access"
    -            ];
    -            loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}";
    -          };
    +  config = {
    +    services.pizauth = {
    +      enable = true;
    +      accounts = {
    +        uni = {
    +          authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
    +          tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
    +          clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
    +          clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
    +          scopes = [
    +            "https://outlook.office365.com/IMAP.AccessAsUser.All"
    +            "https://outlook.office365.com/SMTP.Send"
    +            "offline_access"
    +          ];
    +          loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}";
             };
           };
         };
    +  };
     }
     
     
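Review bot: `clientSecret` on the new side is a plaintext OAuth client secret committed to the repository, while `loginHint` a few lines below is read from `confLib.getConfig.repo.secrets.local.uni`; the same literal pair (`clientId`/`clientSecret`) is added for the `work` account in the preceding hunk. If this is a publicly documented client registration shared by many mail clients, a comment such as `# Public client registration, not a per-user secret; user credentials live in sops.` would stop the next reader from treating it as a leak; otherwise it belongs in the same sops-managed attribute set that `loginHint` comes from. The provider URIs, scopes and client values are now duplicated verbatim between `uni` and `work`, so factoring them into one shared attribute set would keep the two accounts from drifting.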
    @@ -22414,17 +23378,16 @@ in
    -
    3.3.5.4. Framework
    +
    3.3.5.5. Framework

    This holds configuration that is specific to framework laptops.

    -
    { lib, config, ... }:
    +
    _:
     {
    -  options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings";
    -  config = lib.mkIf config.swarselmodules.optional.framework {
    +  config =  {
         swarselsystems = {
           inputs = {
             "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = {
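Review bot: `config =  {` on the new side has a doubled space after `=`; `config = {` matches the other modules in this commit. With the `mkIf` gate and the `lib`/`config` arguments gone, the module now applies unconditionally wherever it is imported, which is presumably intended given the profile modules removed later in this commit, but a one-line note at the top such as `# Applies unconditionally; import only from Framework host configurations.` would make that contract explicit. The enclosing attribute set continues outside the hunk.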
    @@ -22465,12 +23428,24 @@ TODO: check which of these can be replaced but builtin functions.
       options.swarselsystems = {
         proxyHost = lib.mkOption {
           type = lib.types.str;
    -      default = "";
    +      default = config.node.name;
    +    };
    +    isBastionTarget = lib.mkOption {
    +      type = lib.types.bool;
    +      default = false;
         };
         isCloud = lib.mkOption {
           type = lib.types.bool;
           default = false;
         };
    +    isServer = lib.mkOption {
    +      type = lib.types.bool;
    +      default = config.swarselsystems.isCloud;
    +    };
    +    isClient = lib.mkOption {
    +      type = lib.types.bool;
    +      default = config.swarselsystems.isLaptop;
    +    };
         withHomeManager = lib.mkOption {
           type = lib.types.bool;
           default = true;
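Review bot: The three new options `isBastionTarget`, `isServer` and `isClient` are declared without a `description`, unlike the `node.*` options added later in this commit, and the derived defaults (`isServer` from `isCloud`, `isClient` from `isLaptop`) are not obvious without one. `proxyHost`'s default changing from `""` to `config.node.name` also changes `confLib.addressDefault`, which compares `proxyHost` against `config.node.name` and now yields `"localhost"` for every host that does not override it; that coupling deserves a sentence on the option, e.g. `description = "Host that proxies this node's services; defaults to the node itself, which makes confLib.addressDefault resolve to localhost.";`. A short description on each boolean stating what it gates would complete the set.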
    @@ -22504,7 +23479,7 @@ TODO: check which of these can be replaced but builtin functions.
         isBtrfs = lib.mkEnableOption "use btrfs filesystem";
         sopsFile = lib.mkOption {
           type = lib.types.str;
    -      default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
    +      default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.node.secretsDir}/secrets.yaml";
         };
         homeDir = lib.mkOption {
           type = lib.types.str;
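Review bot: The new `sopsFile` default interpolates `config.node.secretsDir` into a string, and that option is declared later in this commit with `type = lib.types.path` and `default = ./.`. When the value is a Nix path rather than an absolute string, `"${…}"` coerces it to a store path (copying the directory into the store), so the `/persist` prefix would be glued onto a `/nix/store/...` path that does not exist on the target filesystem; the previous default built the path from `flakePath` and did not have this problem. The `./.` default also presumably resolves to the directory of the module that declares the option, not to the host's secrets directory its description promises. If hosts are expected to set `node.secretsDir` as an absolute string, say so on the option and type it as `lib.types.str`; otherwise keep deriving the default from `flakePath` plus the host's relative secrets directory.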
    @@ -22805,21 +23780,54 @@ In short, the options defined here are passed to the modules systems using 
     
    +
    +

    3.4.3. Meta options (options only)

    +
    +
    +
    { lib, ... }:
    +{
    +  options = {
    +    node = {
    +      secretsDir = lib.mkOption {
    +        description = "Path to the secrets directory for this node.";
    +        type = lib.types.path;
    +        default = ./.;
    +      };
    +      name = lib.mkOption {
    +        type = lib.types.str;
    +      };
    +      arch = lib.mkOption {
    +        type = lib.types.str;
    +      };
    +      type = lib.mkOption {
    +        type = lib.types.str;
    +      };
    +      lockFromBootstrapping = lib.mkOption {
    +        description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
    +        type = lib.types.bool;
    +      };
    +    };
    +  };
    +}
    +
    +
    +
    +
    -

    3.4.3. Config Library (confLib)

    +

    3.4.4. Config Library (confLib)

    -
    { config, lib, globals, ... }:
    +
    { config, lib, globals, nixosConfig ? null, ... }:
     {
       _module.args = {
         confLib = rec {
     
    -      addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4 else "localhost";
    +      addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 else "localhost";
     
           domainDefault = service: config.repo.secrets.common.services.domains.${service};
           proxyDefault = config.swarselsystems.proxyHost;
     
    -      getConfig = config;
    +      getConfig = if nixosConfig == null then config else nixosConfig;
     
           gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec {
             servicePort = port;
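Review bot: `getConfig`'s new fallback is undocumented: with `nixosConfig ? null` in the module arguments it resolves to the NixOS host configuration when home-manager runs as a NixOS module and to the module's own `config` otherwise, which is why callers in this commit switch to `confLib.getConfig.repo.secrets...`. A comment such as `# home-manager-as-NixOS-module passes the host config as nixosConfig; standalone home-manager passes null, so fall back to our own config.` would save readers a trip to the callers. In the meta-options module above, `node.name`, `node.arch` and `node.type` are declared without `description` or default while their siblings have one; stating what each holds and that they are mandatory would help. The `gen` function continues outside the hunk.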
    @@ -22833,7 +23841,7 @@ In short, the options defined here are passed to the modules systems using 
     
    -

    3.4.4. Packages

    +

    3.4.5. Packages

    This is the central station for self-defined packages. These are all referenced in default.nix. Wherever possible, I am keeping the shell version of these scripts in this file as well and then read it using builtin.readFile in the NixOS configurations. This lets me keep full control in this one file but also keep the separate files uncluttered. @@ -22856,7 +23864,7 @@ Note: The structure of generating the packages was changed in commit 2cf03

    -

    3.4.5. Packages (flake)

    +

    3.4.6. Packages (flake)

    { self, lib, pkgs, ... }:
    @@ -22876,7 +23884,7 @@ mkPackages packageNames pkgs
     
    -
    3.4.5.1. pass-fuzzel
    +
    3.4.6.1. pass-fuzzel

    This app allows me, in conjunction with my Yubikey, to quickly enter passwords when the need arises. Normal and TOTP passwords are supported, and they can either be printed directly or copied to the clipboard. @@ -22950,7 +23958,7 @@ writeShellApplication {

    -
    3.4.5.2. quickpass
    +
    3.4.6.2. quickpass
    shopt -s nullglob globstar
    @@ -22981,7 +23989,7 @@ writeShellApplication {
     
    -
    3.4.5.3. cura5
    +
    3.4.6.3. cura5

    The version of cura used to be quite outdated in nixpkgs. I am fetching a newer AppImage here and use that instead. @@ -23024,7 +24032,7 @@ writeScriptBin "cura" ''

    -
    3.4.5.4. hm-specialisation
    +
    3.4.6.4. hm-specialisation

    This script allows for quick git home-manager specialisation switching. @@ -23050,7 +24058,7 @@ writeShellApplication {

    -
    3.4.5.5. cdw
    +
    3.4.6.5. cdw

    This script allows for quick git worktree switching. @@ -23074,7 +24082,7 @@ writeShellApplication {

    -
    3.4.5.6. cdb
    +
    3.4.6.6. cdb

    This script allows for quick git branch switching. @@ -23096,7 +24104,7 @@ writeShellApplication {

    -
    3.4.5.7. bak
    +
    3.4.6.7. bak

    This script lets me quickly backup files by appending .bak to the filename. @@ -23119,7 +24127,7 @@ writeShellApplication {

    -
    3.4.5.8. timer
    +
    3.4.6.8. timer

    This app starts a configuratble timer and uses TTS to say something once the timer runs out. @@ -23142,7 +24150,7 @@ writeShellApplication {

    -
    3.4.5.9. e
    +
    3.4.6.9. e

    This is a shorthand for calling emacsclient mostly. Also, it hides the kittyterm scratchpad window that I sometimes use for calling a command quickly, in case it is on the screen. After emacs closes, the kittyterm window is then shown again if it was visible earlier. @@ -23188,7 +24196,7 @@ writeShellApplication {

    -
    3.4.5.10. command-not-found
    +
    3.4.6.10. command-not-found

    The normal command-not-found.sh uses the outdated nix-shell commands as suggestions. This version supplies me with the more modern nixpkgs#<name> version. @@ -23234,7 +24242,7 @@ command_not_found_handler() {

    -
    3.4.5.11. swarselcheck
    +
    3.4.6.11. swarselcheck

    This app checks for different apps that I keep around in the scratchpad for quick viewing and hiding (messengers and music players mostly) and then behaves like the kittyterm hider that I described in e. @@ -23319,7 +24327,7 @@ writeShellApplication {

    -
    3.4.5.12. swarselcheck-niri
    +
    3.4.6.12. swarselcheck-niri
    while :; do
    @@ -23374,7 +24382,7 @@ writeShellApplication {
     
    -
    3.4.5.13. swarselzellij
    +
    3.4.6.13. swarselzellij
    # KITTIES=$(($(pgrep -P 1 kitty | wc -l) - 1))
    @@ -23401,7 +24409,7 @@ writeShellApplication {
     
    -
    3.4.5.14. waybarupdate
    +
    3.4.6.14. waybarupdate

    This scripts checks if there are uncommited changes in either my dotfile repo, my university repo, or my passfile repo. In that case a warning will be shown in waybar. @@ -23448,7 +24456,7 @@ writeShellApplication {

    -
    3.4.5.15. opacitytoggle
    +
    3.4.6.15. opacitytoggle

    This app quickly toggles between 5% and 0% transparency. @@ -23475,7 +24483,7 @@ writeShellApplication {

    -
    3.4.5.16. fs-diff
    +
    3.4.6.16. fs-diff

    This utility is used to compare the current state of the root directory with the blanket state that is stored in /root-blank (the snapshot that is restored on each reboot of an impermanence machine). Using this, I can find files that I will lose once I reboot - if there are important files in that list, I can then easily add them to the persist options. @@ -23516,7 +24524,7 @@ writeShellApplication {

    -
    3.4.5.17. github-notifications
    +
    3.4.6.17. github-notifications

    This utility checks if there are updated packages in nixpkgs-unstable. It does so by fully building the most recent configuration, which I do not love, but it has its merits once I am willing to switch to the newer version. @@ -23542,7 +24550,7 @@ writeShellApplication {

    -
    3.4.5.18. kanshare
    +
    3.4.6.18. kanshare

    This utility checks if there are updated packages in nixpkgs-unstable. It does so by fully building the most recent configuration, which I do not love, but it has its merits once I am willing to switch to the newer version. @@ -23566,7 +24574,7 @@ writeShellApplication {

    -
    3.4.5.19. swarsel-bootstrap
    +
    3.4.6.19. swarsel-bootstrap

    This program sets up a new NixOS host remotely. It also takes care of secret management on the new host. @@ -23892,8 +24900,7 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then vim "${git_root}"/.sops.yaml fi green "Updating all secrets files to reflect updates .sops.yaml" -sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml -sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc +sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/* # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts @@ -23904,8 +24911,8 @@ $ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519 if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then green "Adding ssh host fingerprints for git{lab,hub}" - $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts" - $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts" + $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts" + $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts" fi # -------------------------- @@ -23980,7 +24987,7 @@ writeShellApplication {
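Review bot: `sops updatekeys ... "$target_hostname"/secrets/*` now hands every entry of the host secrets directory to sops, whereas the removed lines named exactly the two sops-managed files. Any file there that has no matching creation rule (this commit's `.sops.yaml` rule covers only `yaml|json|env|ini|enc`, so e.g. a public key or a README would not match) makes `sops updatekeys` fail, and since the surrounding hunk headers show this runs inside `writeShellApplication` (errexit on by default) the bootstrap would presumably abort after `.sops.yaml` has been edited but before the ssh host key and known_hosts steps. Consider restricting the glob to the sops-managed extensions, or iterating over the directory and skipping files sops cannot open. The script continues outside this hunk.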

    -
    3.4.5.20. swarsel-rebuild
    +
    3.4.6.20. swarsel-rebuild
    set -eo pipefail
    @@ -24063,7 +25070,7 @@ else
     fi
     
     local_keys=$(ssh-add -L || true)
    -pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
    +pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
     read -ra pub_arr <<< "$pub_key"
     
     cd .dotfiles
    @@ -24110,7 +25117,7 @@ writeShellApplication {
     
    -
    3.4.5.21. swarsel-install
    +
    3.4.6.21. swarsel-install

    Autoformatting always puts the EOF with indentation, which makes shfmt check fail. When editing this block, unindent them manually. @@ -24215,7 +25222,7 @@ green "Cloning repository from GitHub" git clone https://github.com/Swarsel/.dotfiles.git local_keys=$(ssh-add -L || true) -pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub) +pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub) read -ra pub_arr <<< "$pub_key" cd .dotfiles @@ -24323,7 +25330,7 @@ writeShellApplication {

    -
    3.4.5.22. swarsel-postinstall
    +
    3.4.6.22. swarsel-postinstall
    set -eo pipefail
    @@ -24415,7 +25422,7 @@ writeShellApplication {
     
    -
    3.4.5.23. t2ts
    +
    3.4.6.23. t2ts
    { name, writeShellApplication, ... }:
    @@ -24433,7 +25440,7 @@ writeShellApplication {
     
    -
    3.4.5.24. ts2t
    +
    3.4.6.24. ts2t
    { name, writeShellApplication, ... }:
    @@ -24451,7 +25458,7 @@ writeShellApplication {
     
    -
    3.4.5.25. vershell
    +
    3.4.6.25. vershell
    { name, writeShellApplication, ... }:
    @@ -24469,7 +25476,7 @@ writeShellApplication {
     
    -
    3.4.5.26. eontimer
    +
    3.4.6.26. eontimer
    { lib
    @@ -24573,7 +25580,7 @@ python3.pkgs.buildPythonApplication rec {
     
    -
    3.4.5.27. project
    +
    3.4.6.27. project
    set -euo pipefail
    @@ -24597,7 +25604,7 @@ writeShellApplication {
     
    -
    3.4.5.28. fhs
    +
    3.4.6.28. fhs
    { name, pkgs, ... }:
    @@ -24616,7 +25623,7 @@ pkgs.buildFHSEnv (base // {
     
    -
    3.4.5.29. swarsel-displaypower
    +
    3.4.6.29. swarsel-displaypower

    A crude script to power on all displays that might be attached. Needed because sometimes displays do not awake from sleep. @@ -24641,7 +25648,7 @@ writeShellApplication {

    -
    3.4.5.30. swarsel-mgba
    +
    3.4.6.30. swarsel-mgba

    AppImage version of mgba in which the lua scripting works. @@ -24675,7 +25682,7 @@ appimageTools.wrapType2 {

    -
    3.4.5.31. swarsel-deploy
    +
    3.4.6.31. swarsel-deploy
    # heavily inspired from https://github.com/oddlama/nix-config/blob/d42cbde676001a7ad8a3cace156e050933a4dcc3/pkgs/deploy.nix
    @@ -24807,7 +25814,7 @@ writeShellApplication {
     
    -
    3.4.5.32. swarsel-build
    +
    3.4.6.32. swarsel-build
    { name, nix-output-monitor, writeShellApplication, ... }:
    @@ -24831,7 +25838,7 @@ writeShellApplication {
     
    -
    3.4.5.33. swarsel-instantiate
    +
    3.4.6.33. swarsel-instantiate

    This is a convenience function that calls nix-instantiate with a number of flags that I need in order to evaluate nix expressions in org-src blocks. @@ -24852,7 +25859,7 @@ writeShellApplication {

    -
    3.4.5.34. sshrm
    +
    3.4.6.34. sshrm

    This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually. @@ -24885,7 +25892,7 @@ writeShellApplication {

    -
    3.4.5.35. endme
    +
    3.4.6.35. endme

    Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session. @@ -24907,7 +25914,7 @@ writeShellApplication {

    -
    3.4.5.36. git-replace
    +
    3.4.6.36. git-replace

    This script allows for quick git replace of a string. @@ -24986,7 +25993,7 @@ writeShellApplication {

    -

    3.4.6. Packages (config)

    +

    3.4.7. Packages (config)

    { self, homeConfig, lib, pkgs, ... }:
    @@ -25004,7 +26011,7 @@ mkPackages packageNames pkgs
     
    -
    3.4.6.1. cdr
    +
    3.4.7.1. cdr
    { name, homeConfig, writeShellApplication, fzf, ... }:
    @@ -25089,7 +26096,6 @@ in
           lowBattery = lib.mkDefault false;
           network = lib.mkDefault true;
           networkDevices = lib.mkDefault true;
    -      niri = lib.mkDefault false;
           nix-ld = lib.mkDefault true;
           nvd = lib.mkDefault true;
           packages = lib.mkDefault true;
    @@ -25098,6 +26104,7 @@ in
           ppd = lib.mkDefault true;
           programs = lib.mkDefault true;
           pulseaudio = lib.mkDefault true;
    +      remotebuild = lib.mkDefault true;
           security = lib.mkDefault true;
           sops = lib.mkDefault true;
           stylix = lib.mkDefault true;
    @@ -25163,41 +26170,12 @@ in
     
     }
     
    -
    -
    -
    -
    -
    -
    3.5.1.3. Optionals
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals";
    -  config = lib.mkIf config.swarselprofiles.optionals {
    -    swarselmodules = {
    -      optional = {
    -        gaming = lib.mkDefault true;
    -        virtualbox = lib.mkDefault true;
    -        nswitch-rcm = lib.mkDefault true;
    -      };
    -    };
    -
    -    home-manager.users."${config.swarselsystems.mainUser}" = {
    -      swarselprofiles = {
    -        optionals = lib.mkDefault true;
    -      };
    -    };
    -  };
    -
    -}
    -
     
    -
    3.5.1.4. Hotel
    +
    3.5.1.3. Hotel
    { lib, config, ... }:
    @@ -25251,93 +26229,12 @@ in
     
     }
     
    -
    -
    -
    -
    -
    -
    3.5.1.5. Work
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselprofiles.work = lib.mkEnableOption "is this a work host";
    -  config = lib.mkIf config.swarselprofiles.work {
    -    swarselmodules = {
    -      optional = {
    -        work = lib.mkDefault true;
    -      };
    -    };
    -    home-manager.users."${config.swarselsystems.mainUser}" = {
    -      swarselprofiles = {
    -        work = lib.mkDefault true;
    -      };
    -    };
    -
    -  };
    -
    -}
    -
    -
    -
    -
    -
    -
    -
    3.5.1.6. Uni
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host";
    -  config = lib.mkIf config.swarselprofiles.uni {
    -    # swarselmodules = {
    -    #   optional = {
    -    #     uni = lib.mkDefault true;
    -    #   };
    -    # };
    -    home-manager.users."${config.swarselsystems.mainUser}" = {
    -      swarselprofiles = {
    -        uni = lib.mkDefault true;
    -      };
    -    };
    -
    -  };
    -
    -}
    -
    -
    -
    -
    -
    -
    -
    3.5.1.7. Framework
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host";
    -  config = lib.mkIf config.swarselprofiles.framework {
    -    swarselmodules = {
    -      optional = {
    -        framework = lib.mkDefault true;
    -      };
    -    };
    -    home-manager.users."${config.swarselsystems.mainUser}" = {
    -      swarselprofiles = {
    -        framework = lib.mkDefault true;
    -      };
    -    };
    -
    -  };
    -
    -}
    -
     
    -
    3.5.1.8. Server
    +
    3.5.1.4. Server
    { lib, config, ... }:
    @@ -25374,7 +26271,7 @@ in
     
    -
    3.5.1.9. Router
    +
    3.5.1.5. Router
    { lib, config, ... }:
    @@ -25448,7 +26345,6 @@ in
           kitty = lib.mkDefault true;
           mail = lib.mkDefault true;
           mako = lib.mkDefault true;
    -      niri = lib.mkDefault false;
           nix-index = lib.mkDefault true;
           nixgl = lib.mkDefault true;
           nix-your-shell = lib.mkDefault true;
    @@ -25526,7 +26422,6 @@ in
           kitty = lib.mkDefault true;
           mail = lib.mkDefault false;
           mako = lib.mkDefault false;
    -      niri = lib.mkDefault false;
           nix-index = lib.mkDefault true;
           nixgl = lib.mkDefault true;
           nix-your-shell = lib.mkDefault true;
    @@ -25563,34 +26458,12 @@ in
     
     }
     
    -
    -
    -
    -
    -
    -
    3.5.2.3. Optionals
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals";
    -  config = lib.mkIf config.swarselprofiles.optionals {
    -    swarselmodules = {
    -      optional = {
    -        gaming = lib.mkDefault true;
    -        uni = lib.mkDefault true;
    -      };
    -    };
    -  };
    -
    -}
    -
     
    -
    3.5.2.4. Minimal
    +
    3.5.2.3. Minimal
    { lib, config, ... }:
    @@ -25613,7 +26486,7 @@ in
     
    -
    3.5.2.5. Hotel
    +
    3.5.2.4. Hotel
    { lib, config, ... }:
    @@ -25661,99 +26534,12 @@ in
     
     }
     
    -
    -
    -
    -
    -
    -
    3.5.2.6. toto
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselprofiles.toto = lib.mkEnableOption "is this a toto (setup) host";
    -  config = lib.mkIf config.swarselprofiles.toto {
    -    swarselmodules = {
    -      general = lib.mkDefault true;
    -      sops = lib.mkDefault true;
    -      ssh = lib.mkDefault true;
    -      kitty = lib.mkDefault true;
    -      git = lib.mkDefault true;
    -    };
    -  };
    -
    -}
    -
    -
    -
    -
    -
    -
    -
    3.5.2.7. Work
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselprofiles.work = lib.mkEnableOption "is this a work host";
    -  config = lib.mkIf config.swarselprofiles.work {
    -    swarselmodules = {
    -      optional = {
    -        work = lib.mkDefault true;
    -      };
    -    };
    -  };
    -
    -}
    -
    -
    -
    -
    -
    -
    -
    3.5.2.8. Uni
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host";
    -  config = lib.mkIf config.swarselprofiles.uni {
    -    swarselmodules = {
    -      optional = {
    -        uni = lib.mkDefault true;
    -      };
    -    };
    -  };
    -
    -}
    -
    -
    -
    -
    -
    -
    -
    3.5.2.9. Framework
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host";
    -  config = lib.mkIf config.swarselprofiles.framework {
    -    swarselmodules = {
    -      optional = {
    -        framework = lib.mkDefault true;
    -      };
    -    };
    -
    -  };
    -
    -}
    -
     
    -
    3.5.2.10. Local Server
    +
    3.5.2.5. Local Server
    { lib, config, ... }:
    @@ -28415,9 +29201,13 @@ This adds elfeed, a neat RSS reader for Emacs. I use this as a client for dashboard, which is really quite useless. But, it
       :config
       (dashboard-setup-startup-hook)
       ;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*")))
    -  (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal
    -        dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package
    -        dashboard-set-file-icons t
    -        dashboard-items '((recents . 5)
    -                          (projects . 5)
    -                          (agenda . 5))
    -        dashboard-set-footer nil
    -        dashboard-banner-logo-title "Welcome to SwarsEmacs!"
    -        dashboard-image-banner-max-height 300
    -        dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png"
    -        dashboard-projects-backend 'projectile
    -        dashboard-projects-switch-function 'magit-status
    -        dashboard-set-navigator t
    -        dashboard-startupify-list '(dashboard-insert-banner
    -                                    dashboard-insert-newline
    -                                    dashboard-insert-banner-title
    -                                    dashboard-insert-newline
    -                                    dashboard-insert-navigator
    -                                    dashboard-insert-newline
    -                                    dashboard-insert-init-info
    -                                    dashboard-insert-items
    -                                    )
    -        dashboard-navigator-buttons
    -        `(;; line1
    -          ((,""
    -            "SwarselSocial"
    -            "Browse Swarsele"
    -            (lambda (&rest _) (browse-url "instagram.com/Swarsele")))
     
    -           (,""
    -            "SwarselSound"
    -            "Browse SwarselSound"
    -            (lambda (&rest _) (browse-url "sound.swarsel.win")) )
    -           (,""
    -            "SwarselSwarsel"
    -            "Browse Swarsel"
    -            (lambda (&rest _) (browse-url "github.com/Swarsel")) )
    -           (,""
    -            "SwarselStash"
    -            "Browse SwarselStash"
    -            (lambda (&rest _) (browse-url "stash.swarsel.win")) )
    -           (,"󰫑"
    -            "SwarselSport"
    -            "Browse SwarselSports"
    -            (lambda (&rest _) (browse-url "social.parkour.wien/@Lenno")))
    -           )
    -          (
    -           (,"󱄅"
    -            "swarsel.win"
    -            "Browse swarsel.win"
    -            (lambda (&rest _) (browse-url "swarsel.win")))
    -           )
    -          )))
    +  (let ((files-domain (getenv "SWARSEL_FILES_DOMAIN"))
    +        (music-domain (getenv "SWARSEL_MUSIC_DOMAIN"))
    +        (insta-domain (getenv "SWARSEL_INSTA_DOMAIN"))
    +        (sport-domain (getenv "SWARSEL_SPORT_DOMAIN"))
    +        (swarsel-domain (getenv "SWARSEL_DOMAIN"))
    +        )
    +    (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal
    +          dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package
    +          dashboard-set-file-icons t
    +          dashboard-items '((recents . 5)
    +                            (projects . 5)
    +                            (agenda . 5))
    +          dashboard-set-footer nil
    +          dashboard-banner-logo-title "Welcome to SwarsEmacs!"
    +          dashboard-image-banner-max-height 300
    +          dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png"
    +          dashboard-projects-backend 'projectile
    +          dashboard-projects-switch-function 'magit-status
    +          dashboard-set-navigator t
    +          dashboard-startupify-list '(dashboard-insert-banner
    +                                      dashboard-insert-newline
    +                                      dashboard-insert-banner-title
    +                                      dashboard-insert-newline
    +                                      dashboard-insert-navigator
    +                                      dashboard-insert-newline
    +                                      dashboard-insert-init-info
    +                                      dashboard-insert-items
    +                                      )
    +          dashboard-navigator-buttons
    +          `(;; line1
    +            ((,""
    +              "SwarselSocial"
    +              "Browse Swarsele"
    +              (lambda (&rest _) (browse-url ,insta-domain)))
    +
    +             (,""
    +              "SwarselSound"
    +              "Browse SwarselSound"
    +              (lambda (&rest _) (browse-url ,(concat "https://" music-domain))) )
    +             (,""
    +              "SwarselSwarsel"
    +              "Browse Swarsel"
    +              (lambda (&rest _) (browse-url "https://github.com/Swarsel")) )
    +             (,""
    +              "SwarselStash"
    +              "Browse SwarselStash"
    +              (lambda (&rest _) (browse-url ,(concat "https://" files-domain))) )
    +             (,"󰫑"
    +              "SwarselSport"
    +              "Browse SwarselSports"
    +              (lambda (&rest _) (browse-url ,sport-domain)))
    +             )
    +            (
    +             (,"󱄅"
    +              ,swarsel-domain
    +              ,(concat "Browse " main-domain)
    +              (lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain))))
    +             )
    +            ))))
     
     
     
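Review bot: `,(concat "Browse " main-domain)` on the new second navigator row references `main-domain`, which the enclosing `let` does not bind (it binds `swarsel-domain`), so the `:config` block signals a void-variable error and the dashboard never gets its buttons; it should read `,(concat "Browse " swarsel-domain)`. The `insta-domain` and `sport-domain` buttons hand the bare environment value to `browse-url` while the other three prepend `https://`; unless those two variables are meant to carry their own scheme, `(browse-url ,(concat "https://" insta-domain))` (and likewise for `sport-domain`) keeps the scheme explicit instead of leaving it to the browser's default. Because every value comes from `getenv`, an unset variable is nil, which `concat` silently turns into `"https://"` and which leaves the `,swarsel-domain` label nil; `(or (getenv "SWARSEL_DOMAIN") "")` per binding, or a comment naming which variables must be set, would make that failure visible. The enclosing `use-package` form begins above this hunk.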
    @@ -32696,7 +33493,7 @@ similarly, there exists an version that starts from the right.
    diff --git a/install/installer-config.nix b/install/installer-config.nix index 435fd70..bbeafb3 100644 --- a/install/installer-config.nix +++ b/install/installer-config.nix @@ -1,6 +1,6 @@ { self, config, pkgs, lib, ... }: let - pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh"; + pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/public/ssh"; stateVersion = lib.mkDefault "23.05"; homeFiles = { ".bash_history" = { diff --git a/modules/home/common/anki.nix b/modules/home/common/anki.nix index 995cd3a..8b26ac6 100644 --- a/modules/home/common/anki.nix +++ b/modules/home/common/anki.nix @@ -1,4 +1,4 @@ -{ lib, config, pkgs, globals, inputs, confLib, ... }: +{ lib, config, pkgs, globals, confLib, type, ... }: let moduleName = "anki"; inherit (config.swarselsystems) isPublic isNixos; @@ -54,7 +54,7 @@ in }) ]; }; - } // lib.optionalAttrs (inputs ? sops) { + } // lib.optionalAttrs (type != "nixos") { sops = lib.mkIf (!isPublic && !isNixos) { secrets = { anki-user = { }; diff --git a/modules/home/common/emacs.nix b/modules/home/common/emacs.nix index 22d01cd..a1c8677 100644 --- a/modules/home/common/emacs.nix +++ b/modules/home/common/emacs.nix @@ -1,4 +1,4 @@ -{ self, lib, config, pkgs, globals, inputs, ... }: +{ self, lib, config, pkgs, globals, inputs, type, ... }: let inherit (config.swarselsystems) homeDir mainUser isPublic isNixos; inherit (config.repo.secrets.common.emacs) radicaleUser; @@ -103,7 +103,7 @@ in startWithUserSession = "graphical"; }; - } // lib.optionalAttrs (inputs ? sops) { + } // lib.optionalAttrs (type != "nixos") { sops = lib.mkIf (!isPublic && !isNixos) { secrets = { diff --git a/modules/home/common/gpg-agent.nix b/modules/home/common/gpg-agent.nix index 247dba4..49f30d4 100644 --- a/modules/home/common/gpg-agent.nix +++ b/modules/home/common/gpg-agent.nix 
@@ -30,7 +30,7 @@ in enable = true; publicKeys = [ { - source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc"; + source = "${self}/secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc"; trust = 5; } ]; diff --git a/modules/home/common/mail.nix b/modules/home/common/mail.nix index 6c46e4a..9ee8884 100644 --- a/modules/home/common/mail.nix +++ b/modules/home/common/mail.nix @@ -1,4 +1,4 @@ -{ lib, config, inputs, globals, confLib, ... }: +{ lib, config, globals, confLib, type, ... }: let inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; inherit (confLib.getConfig.repo.secrets.common) fullName; @@ -200,7 +200,7 @@ in }; }; }; - } // lib.optionalAttrs (inputs ? sops) { + } // lib.optionalAttrs (type != "nixos") { sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { address1-token = { path = "${xdgDir}/secrets/address1-token"; }; address2-token = { path = "${xdgDir}/secrets/address2-token"; }; diff --git a/modules/home/common/settings.nix b/modules/home/common/settings.nix index c624b34..fc6ff86 100644 --- a/modules/home/common/settings.nix +++ b/modules/home/common/settings.nix @@ -43,11 +43,11 @@ in trusted-users = [ "@wheel" "${mainUser}" - (lib.mkIf config.swarselmodules.server.ssh-builder "builder") + (lib.mkIf ((config.swarselmodules ? server) ? ssh-builder) "builder") ]; connect-timeout = 5; - bash-prompt-prefix = "$SHLVL:\\w "; - bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; + bash-prompt-prefix = lib.mkIf config.swarselsystems.isClient "$SHLVL:\\w "; + bash-prompt = lib.mkIf config.swarselsystems.isClient "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; fallback = true; min-free = 128000000; max-free = 1000000000; diff --git a/modules/home/common/sops.nix b/modules/home/common/sops.nix index 64bbc28..290b580 100644 --- a/modules/home/common/sops.nix 
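Review bot: `((config.swarselmodules ? server) ? ssh-builder)` on the new `trusted-users` entry is always false: the inner `?` produces a boolean, and `?` applied to a non-attrset value yields false rather than an error, so `"builder"` is never added on any host. If the goal is to tolerate a missing `server` attribute in the home-manager scope, `(lib.mkIf (config.swarselmodules.server.ssh-builder or false) "builder")` does that and still evaluates to the real flag where it exists. `trusted-users` lets the account override substituters and sandbox settings on the daemon, so failing closed here is the safer direction, but the condition should say what it means rather than rely on an always-false test. The `nix.settings` attrset continues outside the hunk.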
+++ b/modules/home/common/sops.nix @@ -1,13 +1,13 @@ -{ config, lib, inputs, ... }: +{ config, lib, type, ... }: let inherit (config.swarselsystems) homeDir; in { options.swarselmodules.sops = lib.mkEnableOption "sops settings"; - config = lib.optionalAttrs (inputs ? sops) { - sops = { - age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml"; + config = lib.optionalAttrs (type != "nixos") { + sops = lib.mkIf (!config.swarselsystems.isNixos) { + age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ]; + defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml"; validateSopsFiles = false; }; diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix index e575925..ef38ab1 100644 --- a/modules/home/common/ssh.nix +++ b/modules/home/common/ssh.nix @@ -1,4 +1,4 @@ -{ inputs, lib, config, confLib, ... }: +{ lib, config, confLib, type, ... }: { options.swarselmodules.ssh = lib.mkEnableOption "ssh settings"; config = lib.mkIf config.swarselmodules.ssh ({ @@ -24,7 +24,7 @@ }; } // confLib.getConfig.repo.secrets.common.ssh.hosts; }; - } // lib.optionalAttrs (inputs ? sops) { + } // lib.optionalAttrs (type != "nixos") { sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; }; }; diff --git a/modules/home/common/waybar.nix b/modules/home/common/waybar.nix index 2e00614..4978ffd 100644 --- a/modules/home/common/waybar.nix +++ b/modules/home/common/waybar.nix 
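Review bot: `options.swarselmodules.sops` is declared with `mkEnableOption` but nothing in the `config` block reads it — `sops = lib.mkIf (!config.swarselsystems.isNixos) { ... }` takes effect for every non-nixos evaluation whether or not the option is set, so the toggle is a no-op and a reader will assume it gates the key path and default file. `sops = lib.mkIf (config.swarselmodules.sops && !config.swarselsystems.isNixos) {` gives the option its implied meaning; if the settings are intentionally unconditional, the declaration should go instead. With `validateSopsFiles = false` and a `defaultSopsFile` string under `~/.dotfiles`, nothing at evaluation time checks that `secrets/repo/common.yaml` exists or is encrypted to this user's `~/.ssh/sops` identity; a one-line comment such as `# runtime path under the checkout, so sops-nix cannot validate it at build time` would record that trade-off next to the flag.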
@@ -1,4 +1,4 @@ -{ self, config, lib, inputs, pkgs, ... }: +{ self, config, lib, pkgs, type, ... }: let inherit (config.swarselsystems) xdgDir; generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1))); @@ -320,7 +320,7 @@ in }; style = builtins.readFile (self + /files/waybar/style.css); }; - } // lib.optionalAttrs (inputs ? sops) { + } // lib.optionalAttrs (type != "nixos") { sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; }; }; diff --git a/modules/home/common/yubikey.nix b/modules/home/common/yubikey.nix index 095e90c..5a91419 100644 --- a/modules/home/common/yubikey.nix +++ b/modules/home/common/yubikey.nix @@ -1,4 +1,4 @@ -{ lib, config, inputs, confLib, ... }: +{ lib, config, confLib, type, ... }: let inherit (config.swarselsystems) homeDir; in @@ -13,7 +13,7 @@ in confLib.getConfig.secrets.common.yubikeys.dev2 ]; }; - } // lib.optionalAttrs (inputs ? sops) { + } // lib.optionalAttrs (type != "nixos") { sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) { u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; }; }; diff --git a/modules/home/common/zsh.nix b/modules/home/common/zsh.nix index 7f7b6e3..5b90606 100644 --- a/modules/home/common/zsh.nix +++ b/modules/home/common/zsh.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }: +{ config, pkgs, lib, minimal, globals, confLib, type, ... }: let inherit (config.swarselsystems) flakePath isNixos; crocDomain = globals.services.croc.domain; 
@@ -133,9 +133,9 @@ in # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox"; }; }; - } // lib.optionalAttrs (inputs ? sops) { + } // lib.optionalAttrs (type != "nixos") { - sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) { croc-password = { }; github-nixpkgs-review-token = { }; }; diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index 26b377a..40b60eb 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix @@ -1,10 +1,10 @@ -{ self, inputs, config, pkgs, lib, vars, confLib, ... }: +{ self, config, pkgs, lib, vars, confLib, type, ... }: let inherit (config.swarselsystems) homeDir mainUser; inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; - certsSopsFile = self + /secrets/certs/secrets.yaml; + certsSopsFile = self + /secrets/repo/certs.yaml; in { options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption; @@ -652,7 +652,7 @@ in }; }; - } // lib.optionalAttrs (inputs ? sops) { + } // lib.optionalAttrs (type != "nixos") { sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { harica-root-ca = { sopsFile = certsSopsFile; diff --git a/modules/nixos/client/network.nix b/modules/nixos/client/network.nix index d878939..108ccdc 100644 --- a/modules/nixos/client/network.nix +++ b/modules/nixos/client/network.nix @@ -1,7 +1,7 @@ { self, lib, pkgs, config, globals, ... }: let - certsSopsFile = self + /secrets/certs/secrets.yaml; - clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml; + certsSopsFile = self + /secrets/repo/certs.yaml; + clientSopsFile = "${config.node.secretsDir}/secrets.yaml"; inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon; 
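Review bot: the new guard `sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {` drops `!config.swarselsystems.isNixos`, while the sibling hunks in this commit (`anki.nix`, `emacs.nix`, `mail.nix`, `ssh.nix`, `waybar.nix`, `work.nix`) keep `(!isPublic && !isNixos)` under the same `type != "nixos"` wrapper. If the wrapper now makes the `isNixos` test redundant, all of them should drop it in one go; if it does not — for example standalone home-manager on a NixOS host, where `home-manager.nix` says these secrets are provided in nixos scope — `croc-password` and `github-nixpkgs-review-token` could end up declared by both layers. Either way the guard should match across the modules, or this one should carry a comment explaining why `zsh.nix` differs. The enclosing `config` attrset starts above the hunk.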
diff --git a/modules/nixos/client/sops.nix b/modules/nixos/client/sops.nix index d0ea6f3..58652b1 100644 --- a/modules/nixos/client/sops.nix +++ b/modules/nixos/client/sops.nix @@ -5,8 +5,8 @@ sops = { # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; - age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; + age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml"; validateSopsFiles = false; diff --git a/modules/nixos/common/home-manager-secrets.nix b/modules/nixos/common/home-manager-secrets.nix index f853132..1dbc2c9 100644 --- a/modules/nixos/common/home-manager-secrets.nix +++ b/modules/nixos/common/home-manager-secrets.nix @@ -4,7 +4,7 @@ let inherit (config.repo.secrets.common.emacs) radicaleUser; modules = config.home-manager.users.${mainUser}.swarselmodules; - certsSopsFile = self + /secrets/certs/secrets.yaml; + certsSopsFile = self + /secrets/repo/certs.yaml; in { config = lib.mkIf config.swarselsystems.withHomeManager { diff --git a/modules/nixos/common/home-manager.nix b/modules/nixos/common/home-manager.nix index 47cc879..edd4c88 100644 --- a/modules/nixos/common/home-manager.nix +++ b/modules/nixos/common/home-manager.nix 
@@ -1,4 +1,4 @@ -{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, ... }: +{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, ... }: { options.swarselmodules.home-manager = lib.mkEnableOption "home-manager"; config = lib.mkIf config.swarselmodules.home-manager { @@ -10,7 +10,7 @@ overwriteBackup = true; users.${config.swarselsystems.mainUser}.imports = [ inputs.nix-index-database.homeModules.nix-index - inputs.sops-nix.homeManagerModules.sops + # inputs.sops.homeManagerModules.sops # this is not needed!! we add these secrets in nixos scope inputs.spicetify-nix.homeManagerModules.default inputs.swarsel-nix.homeModules.default { @@ -31,7 +31,7 @@ ]; extraSpecialArgs = { inherit (inputs) self nixgl; - inherit inputs outputs globals nodes minimal configName; + inherit inputs outputs globals nodes minimal configName arch type; lib = homeLib; }; }; diff --git a/modules/nixos/server/bastion.nix b/modules/nixos/server/bastion.nix index 3d797d7..9961997 100644 --- a/modules/nixos/server/bastion.nix +++ b/modules/nixos/server/bastion.nix @@ -14,9 +14,9 @@ group = lib.mkForce "jump"; createHome = lib.mkForce true; openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - (self + /secrets/keys/ssh/builder.pub) + (self + /secrets/public/ssh/yubikey.pub) + (self + /secrets/public/ssh/magicant.pub) + (self + /secrets/public/ssh/builder.pub) ]; }; }; diff --git a/modules/nixos/server/disk-encrypt.nix b/modules/nixos/server/disk-encrypt.nix index 54e678a..48205cb 100644 --- a/modules/nixos/server/disk-encrypt.nix +++ b/modules/nixos/server/disk-encrypt.nix 
@@ -49,8 +49,8 @@ in enable = true; port = 2222; # avoid hostkey changed nag authorizedKeys = [ - ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}'' - ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}'' + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}'' + ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}'' ]; hostKeys = [ hostKeyPathBase ]; }; diff --git a/modules/nixos/server/dns-hostrecord.nix b/modules/nixos/server/dns-hostrecord.nix new file mode 100644 index 0000000..b0feaf1 --- /dev/null +++ b/modules/nixos/server/dns-hostrecord.nix @@ -0,0 +1,14 @@ +{ lib, config, globals, dns, confLib, ... }: +let + inherit (confLib.gen { name = "dns-hostrecord"; proxy = config.node.name; }) serviceName proxyAddress4 proxyAddress6; +in +{ + options. swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords = { + "server.${config.node.name}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + }; +} diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index 5bb4472..d04a6a0 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix @@ -1,6 +1,6 @@ { self, lib, pkgs, config, globals, dns, confLib, ... }: let - certsSopsFile = self + /secrets/certs/secrets.yaml; + certsSopsFile = self + /secrets/repo/certs.yaml; inherit (config.swarselsystems) sopsFile; inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index 4a115a5..23b7925 100644 
--- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix @@ -1,4 +1,4 @@ -{ self, lib, config, globals, dns, confLib, ... }: +{ lib, config, globals, dns, confLib, ... }: let inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; @@ -11,6 +11,8 @@ let kanidmDomain = globals.services.kanidm.domain; inherit (config.swarselsystems) sopsFile; + + sopsFile2 = "${config.node.secretsDir}/secrets2.yaml"; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -25,7 +27,7 @@ in grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; + prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; }; templates = { diff --git a/modules/nixos/server/network.nix b/modules/nixos/server/network.nix index 91e9608..0a4dee5 100644 --- a/modules/nixos/server/network.nix +++ b/modules/nixos/server/network.nix @@ -1,7 +1,8 @@ { lib, config, ... }: let netConfig = config.repo.secrets.local.networking; - netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}"; + netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}"; + netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}"; in { options = { 
@@ -16,6 +17,11 @@ in default = netName; readOnly = true; }; + netConfigPrefix = lib.mkOption { + type = lib.types.str; + default = netPrefix; + readOnly = true; + }; }; }; config = lib.mkIf config.swarselmodules.server.network { diff --git a/modules/nixos/server/nsd/site1.nix b/modules/nixos/server/nsd/site1.nix index 8cf0deb..495deb0 100644 --- a/modules/nixos/server/nsd/site1.nix +++ b/modules/nixos/server/nsd/site1.nix @@ -3,7 +3,7 @@ with dns.lib.combinators; { SOA = { nameServer = "soa"; adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin") - serial = 2025120201; # update this on changes for secondary dns + serial = 2025120203; # update this on changes for secondary dns }; useOrigin = false; diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix index b71ea61..d53b258 100644 --- a/modules/nixos/server/radicale.nix +++ b/modules/nixos/server/radicale.nix @@ -1,7 +1,7 @@ -{ self, lib, config, globals, dns, confLib, ... }: +{ lib, config, globals, dns, confLib, ... }: let inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; - sopsFile = self + /secrets/winters/secrets2.yaml; + sopsFile = "${config.node.secretsDir}/secrets2.yaml"; cfg = config.services.${serviceName}; in diff --git a/modules/nixos/server/snipe-it.nix b/modules/nixos/server/snipe-it.nix index aad544f..d2e6f82 100644 --- a/modules/nixos/server/snipe-it.nix +++ b/modules/nixos/server/snipe-it.nix 
@@ -1,7 +1,7 @@ -{ self, lib, config, globals, dns, confLib, ... }: +{ lib, config, globals, dns, confLib, ... }: let inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6; - sopsFile = self + /secrets/winters/secrets2.yaml; + sopsFile = "${config.node.secretsDir}/secrets2.yaml"; serviceDB = "snipeit"; diff --git a/modules/nixos/server/ssh-builder.nix b/modules/nixos/server/ssh-builder.nix index 3791bf7..9e03da9 100644 --- a/modules/nixos/server/ssh-builder.nix +++ b/modules/nixos/server/ssh-builder.nix @@ -26,7 +26,7 @@ in isSystemUser = true; group = "builder"; openssh.authorizedKeys.keys = [ - ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}'' + ''${ssh-restrict} ${builtins.readFile "${self}/secrets/public/ssh/builder.pub"}'' ]; }; }; diff --git a/modules/nixos/server/ssh.nix b/modules/nixos/server/ssh.nix index 41b1e23..faf6560 100644 --- a/modules/nixos/server/ssh.nix +++ b/modules/nixos/server/ssh.nix 
@@ -22,14 +22,14 @@ ]; }; users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) + (self + /secrets/public/ssh/yubikey.pub) + (self + /secrets/public/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub)) ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) + (self + /secrets/public/ssh/yubikey.pub) + (self + /secrets/public/ssh/magicant.pub) + # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub)) ]; security.sudo.extraConfig = '' Defaults env_keep+=SSH_AUTH_SOCK diff --git a/modules/nixos/server/wireguard.nix b/modules/nixos/server/wireguard.nix new file mode 100644 index 0000000..ed1f5d0 --- /dev/null +++ b/modules/nixos/server/wireguard.nix 
@@ -0,0 +1,126 @@
+{ self, lib, config, confLib, globals, ... }:
+let
+ wgInterface = "wg0";
+ inherit (confLib.gen { name = "wireguard"; port = 52829; user = "systemd-network"; group = "systemd-network"; }) servicePort serviceName serviceUser serviceGroup;
+
+ inherit (config.swarselsystems) sopsFile;
+ inherit (config.swarselsystems.server.wireguard) peers isClient isServer;
+in
+{
+ options = {
+ swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
+ swarselsystems.server.wireguard = {
+ isServer = lib.mkEnableOption "set this as a wireguard server";
+ peers = lib.mkOption {
+ type = lib.types.listOf (lib.types.submodule {
+ freeformType = lib.types.attrs;
+ options = { };
+ });
+ default = [ ];
+ description = "Wireguard peer submodules as expected by systemd.network.netdevs..wireguardPeers";
+ };
+ };
+
+ };
+ config = lib.mkIf config.swarselmodules.${serviceName} {
+
+ sops = {
+ secrets = {
+ wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+ wireguard-home-preshared-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+ };
+ };
+
+ networking = {
+ firewall.allowedUDPPorts = [ servicePort ];
+ nat = {
+ enable = true;
+ enableIPv6 = true;
+ externalInterface = "ens6";
+ internalInterfaces = [ wgInterface ];
+ };
+ };
+
+ systemd.network = {
+ enable = true;
+
+ networks."50-${wgInterface}" = {
+ matchConfig.Name = wgInterface;
+
+ networkConfig = {
+ IPv4Forwarding = true;
+ IPv6Forwarding = true;
+ };
+
+ address = [
+ "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4}"
+ "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6}"
+ ];
+ };
+
+ netdevs."50-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = wgInterface;
+ };
+
+ wireguardConfig = {
+ ListenPort = lib.mkIf isServer servicePort;
+
+ # ensure file is readable by 
`systemd-network` user
+ PrivateKeyFile = config.age.secrets.wg-key-vps.path;
+
+ # To automatically create routes for everything in AllowedIPs,
+ # add RouteTable=main
+ # RouteTable = "main";
+
+ # FirewallMark marks all packets send and received by wg0
+ # with the number 42, which can be used to define policy rules on these packets.
+ # FirewallMark = 42;
+ };
+ wireguardPeers = peers ++ lib.optionals isClient [
+ {
+ PublicKey = builtins.readFile "${self}/secrets/public/wg/${config.node.name}.pub";
+ PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path;
+ Endpoint = "${globals.hosts.${config.node.name}.wanAddress4}:${toString servicePort}";
+ # Access to the whole network is routed through our entry node.
+ # AllowedIPs =
+ # (optional (networkCfg.cidrv4 != null) networkCfg.cidrv4)
+ # ++ (optional (networkCfg.cidrv6 != null) networkCfg.cidrv6);
+ }
+ ];
+ };
+ };
+
+ # networking = {
+ # wireguard = {
+ # enable = true;
+ # interfaces = {
+ # wg1 = {
+ # privateKeyFile = config.sops.secrets.wireguard-private-key.path;
+ # ips = [ "192.168.178.201/24" ];
+ # peers = [
+ # {
+ # publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
+ # presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
+ # name = "moonside";
+ # persistentKeepalive = 25;
+ # # endpoint = "${config.repo.secrets.common.ipv4}:51820";
+ # endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
+ # # allowedIPs = [
+ # # "192.168.3.0/24"
+ # # "192.168.1.0/24"
+ # # ];
+ # allowedIPs = [
+ # "192.168.178.0/24"
+ # ];
+ # }
+ # ];
+ # };
+ # };
+ # };
+ # };
+
+
+ };
+}
diff --git a/modules/shared/config-lib.nix b/modules/shared/config-lib.nix
index ba5e8bf..6dfbb71 100644
--- a/modules/shared/config-lib.nix
+++ b/modules/shared/config-lib.nix
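Review bot: `PrivateKeyFile = config.age.secrets.wg-key-vps.path;` reads an agenix-style option that this module does not declare (no `age` module appears in the visible `hosts.nix` module list) while the key it does declare is `sops.secrets.wireguard-private-key`; `PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path` names a secret that is not declared either (the declared one is `wireguard-home-preshared-key`); and `isClient` is inherited from `swarselsystems.server.wireguard` although only `isServer` and `peers` are declared there, so unless another module adds it each of these fails evaluation as soon as `swarselmodules.wireguard` is enabled. The minimal fix is `PrivateKeyFile = config.sops.secrets.wireguard-private-key.path;`, `PresharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;` and an `isClient = lib.mkEnableOption "set this as a wireguard client";` next to `isServer`. Separately, `firewall.allowedUDPPorts = [ servicePort ]`, `networking.nat` with `internalInterfaces = [ wgInterface ]` and `IPv4Forwarding`/`IPv6Forwarding = true` apply regardless of role, so a client-only host opens `servicePort` although nothing listens there (`ListenPort` is set only when `isServer`) and becomes a forwarding NAT gateway for whatever arrives on `wg0`; `lib.mkIf isServer` around the nat and forwarding settings and `lib.optional isServer servicePort` for the firewall keep that to the node meant to terminate the tunnel. `builtins.readFile` on the `.pub` file keeps its trailing newline (`lib.fileContents` strips it), and `externalInterface = "ens6"` is the one hard-coded interface in a module otherwise derived from `confLib`/`globals`.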
@@ -22,7 +22,7 @@ serviceDir = dir; serviceAddress = address; serviceProxy = proxy; - proxyAddress4 = globals.hosts.${proxy}.wanAddress4; + proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null; proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null; }; }; diff --git a/modules/nixos/common/meta.nix b/modules/shared/meta.nix similarity index 78% rename from modules/nixos/common/meta.nix rename to modules/shared/meta.nix index 93b3a90..28eb685 100644 --- a/modules/nixos/common/meta.nix +++ b/modules/shared/meta.nix @@ -8,7 +8,12 @@ default = ./.; }; name = lib.mkOption { - description = "Node Name."; + type = lib.types.str; + }; + arch = lib.mkOption { + type = lib.types.str; + }; + type = lib.mkOption { type = lib.types.str; }; lockFromBootstrapping = lib.mkOption { diff --git a/modules/shared/options.nix b/modules/shared/options.nix index 911cf5b..2b0fc45 100644 --- a/modules/shared/options.nix +++ b/modules/shared/options.nix @@ -54,7 +54,7 @@ isBtrfs = lib.mkEnableOption "use btrfs filesystem"; sopsFile = lib.mkOption { type = lib.types.str; - default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml"; + default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.node.secretsDir}/secrets.yaml"; }; homeDir = lib.mkOption { type = lib.types.str; diff --git a/nix/hosts.nix b/nix/hosts.nix index 858322a..e582437 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix @@ -9,9 +9,10 @@ mkNixosHost = { minimal }: configName: arch: inputs.nixpkgs.lib.nixosSystem { specialArgs = { - inherit inputs outputs self minimal configName homeLib; + inherit inputs outputs self minimal homeLib configName arch; inherit (config.pkgs.${arch}) lib; inherit (config) globals nodes; + type = "nixos"; }; modules = [ inputs.disko.nixosModules.disko 
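Review bot: `name` loses its `description = "Node Name.";` and the new `arch` and `type` options are declared with a bare `lib.types.str`, so generated option docs show nothing for the three node attributes that `nix/hosts.nix` now forces per host. Suggest `description = "Node name; equals the host's configuration name.";`, `description = "Nix system string of the node, e.g. x86_64-linux.";` and `description = "Configuration flavour: nixos, darwin, or the standalone home-manager type.";` — the last one should be checked against the values `hosts.nix` actually assigns. The module's option set continues outside the hunk.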
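Review bot: the new `sopsFile` default prefixes `/persist` to `"${config.node.secretsDir}/secrets.yaml"`, but `nix/hosts.nix` assigns `node.secretsDir` a path literal (`../hosts/nixos/${arch}/${configName}/secrets`); interpolating a Nix path into a string copies it to the store and yields `/nix/store/<hash>-secrets`, so on impermanence hosts the default becomes `/persist/nix/store/...`, a location that does not exist unless `/persist/nix` happens to be bind-mounted, whereas the old `flakePath`-based default was a real working-tree path. If the intent is to decrypt the store copy, the prefix should go: `default = "${config.node.secretsDir}/secrets.yaml";`; if the intent is the checkout at activation time (as `modules/nixos/client/sops.nix` still does for `defaultSopsFile`), the `flakePath`-relative string belongs back. Giving `secretsDir` an explicit type in `meta.nix` would make the path-to-string coercion visible wherever it is interpolated. The surrounding options block continues outside the hunk.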
@@ -25,7 +26,7 @@ inputs.nix-topology.nixosModules.default inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm inputs.simple-nixos-mailserver.nixosModules.default - inputs.sops-nix.nixosModules.sops + inputs.sops.nixosModules.sops inputs.stylix.nixosModules.stylix inputs.swarsel-nix.nixosModules.default (inputs.nixos-extra-modules + "/modules/guests") @@ -42,6 +43,8 @@ node = { name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce "nixos"; secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); }; @@ -69,7 +72,7 @@ }; modules = [ # inputs.disko.nixosModules.disko - # inputs.sops-nix.nixosModules.sops + # inputs.sops.nixosModules.sops # inputs.impermanence.nixosModules.impermanence # inputs.lanzaboote.nixosModules.lanzaboote # inputs.fw-fanctrl.nixosModules.default @@ -78,12 +81,15 @@ "${self}/hosts/darwin/${arch}/${configName}" "${self}/modules/nixos/darwin" # needed for infrastructure - "${self}/modules/nixos/common/meta.nix" + "${self}/modules/shared/meta.nix" "${self}/modules/nixos/common/globals.nix" { - node.name = lib.mkForce configName; - node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; - + node = { + name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce "darwin"; + secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; + }; } ]; }; 
@@ -96,18 +102,27 @@
 systemFunc {
 inherit pkgs;
 extraSpecialArgs = {
- inherit inputs lib outputs self configName;
+ inherit inputs lib outputs self configName arch type;
 inherit (config) globals nodes;
 minimal = false;
 };
 modules = [
 inputs.stylix.homeModules.stylix
 inputs.nix-index-database.homeModules.nix-index
- # inputs.sops-nix.homeManagerModules.sops
+ inputs.sops.homeManagerModules.sops
 inputs.spicetify-nix.homeManagerModules.default
 inputs.swarsel-nix.homeModules.default
 "${self}/hosts/${type}/${arch}/${configName}"
 "${self}/profiles/home"
+ "${self}/modules/nixos/common/pii.nix"
+ {
+ node = {
+ name = lib.mkForce configName;
+ arch = lib.mkForce arch;
+ type = lib.mkForce type;
+ secretsDir = ../hosts/${type}/${arch}/${configName}/secrets;
+ };
+ }
 ];
 };
diff --git a/nix/sops-decrypt-and-cache.sh b/nix/sops-decrypt-and-cache.sh
index 3398743..a160cda 100755
--- a/nix/sops-decrypt-and-cache.sh
+++ b/nix/sops-decrypt-and-cache.sh
@@ -28,7 +28,7 @@
 mkdir -p "$(dirname "$out")"
 # Decrypt only if necessary
 if [[ ! -e $out ]]; then
- agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key)
+ agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key || sudo ssh-to-age -private-key -i ~/.ssh/sops)
 SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file"
 fi
diff --git a/secrets/keys/gpg/gpg-owner-trust.txt b/secrets/public/gpg/gpg-owner-trust.txt
similarity index 100%
rename from secrets/keys/gpg/gpg-owner-trust.txt
rename to secrets/public/gpg/gpg-owner-trust.txt
diff --git a/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc b/secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc
similarity index 100%
rename from secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc
rename to secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc
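Review bot: The home-manager module list now imports `"${self}/modules/nixos/common/pii.nix"`, a file under the nixos-specific module tree, while the same commit moves meta.nix to `modules/shared/` — presumably because it is consumed by more than the nixos builder, which is now also true of pii.nix. Keeping one shared module under `modules/nixos/common` and the other under `modules/shared` makes it unclear which files are safe to evaluate from a home-manager or darwin context; moving pii.nix alongside meta.nix, or a comment on this line saying why it must stay where it is, would settle that. The `mkHome` definition this hunk belongs to starts before the hunk, so whether `type` is constrained there is not visible.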
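Review bot: `agekey` is never checked before the next line uses it: if both `ssh-to-age` attempts fail, `SOPS_AGE_KEY` is passed empty and `sops decrypt` fails with a generic key-lookup error rather than saying that no identity was found (whether `set -e` is active is outside this hunk, and even with it the diagnostic would be the tool's, not the script's). A guard after the assignment, `[[ -n $agekey ]] || { echo "$0: no age identity found" >&2; exit 1; }`, makes the failure explicit. Separately, the fallback runs `sudo` to read `~/.ssh/sops`, which is presumably the invoking user's own file; reading it without privilege, `|| ssh-to-age -private-key -i ~/.ssh/sops`, avoids handling the per-user key on the root path for no benefit.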
diff --git a/secrets/keys/ssh/builder.pub b/secrets/public/ssh/builder.pub
similarity index 100%
rename from secrets/keys/ssh/builder.pub
rename to secrets/public/ssh/builder.pub
diff --git a/secrets/keys/ssh/jump.pub b/secrets/public/ssh/jump.pub
similarity index 100%
rename from secrets/keys/ssh/jump.pub
rename to secrets/public/ssh/jump.pub
diff --git a/secrets/keys/ssh/magicant.pub b/secrets/public/ssh/magicant.pub
similarity index 100%
rename from secrets/keys/ssh/magicant.pub
rename to secrets/public/ssh/magicant.pub
diff --git a/secrets/keys/ssh/yubikey.pub b/secrets/public/ssh/yubikey.pub
similarity index 100%
rename from secrets/keys/ssh/yubikey.pub
rename to secrets/public/ssh/yubikey.pub
diff --git a/secrets/pyramid/secrets.yaml b/secrets/pyramid/secrets.yaml
deleted file mode 100644
index 501b5a5..0000000
--- a/secrets/pyramid/secrets.yaml
+++ /dev/null
@@ -1,48 +0,0 @@ -home-wireguard-client-private-key: ENC[AES256_GCM,data:YL/nP4DGGjVc0wRrbJ0x+iyJfdqhE90Ws92QBl/lr3RnJzA+stcz0ey/Rk4=,iv:Ek/RVzDpcT7fqVh7OnNc9QXD3Tk/2bm6vSQDA38j+DI=,tag:G2dSpA3KZmbKAfIN+2d45w==,type:str] -sops: - age: - - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZ3dtNEZtWVJlNDN0NzVR - MGdkNXd3VGZoNGN4MEM0YUFHTHFiN0xVQWpjCjlmNUxUbW4ralFnVTQ3SFRjQU51 - Vkx4TGFaQWtOUThYRmo1T1kyZ3doOEEKLS0tIE9aQWx2VkNxL3RkTVRRd3Bjb25k - S3FUSDRTSFBxTkJUWkdoaDRCSmRJMFUKA01cibzIRlGFFxLFKBLnoKqZvLekuC0w - hA3ep81RWwZbumtMzRtjMfmw6XJQN6rGwYSQDkGjBjDdph8HX7i8kQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-05T10:37:12Z" - mac: ENC[AES256_GCM,data:RcvRagYaFGwMwrV63tffmYcA/m1GRjXpefR8Ab65jaldcWjfERiCWLFha9aQ1QlWUgSvCWbgC9/zFJkBBca1qVIvLOK1+nkI/ZjQ5rdUOJaP7mukLC3tcm+5f0Fe+GjTCDHGIZd/dUgkF+xVhN2XnFW1ExzRRt6q4a4pKvL6Ml0=,iv:EISJGqa2hQfjpu0X5wMJNZXzv0Loejj0Eb6kosXjU64=,tag:S81dIphr1rqQSO8jAZCABQ==,type:str] - pgp: - - created_at: "2025-07-05T10:36:28Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTARAAkLai8l9TxzmcB++jp16pVf1dxOLArOduzSzu2m/olZdM - wUnPzfLUH72XD52D3v4Hw4CKpgCDjEq3SDo5jdxkcAl7UHa43CY/Z5xr1WreQIET - ppHpnkX+zaFeE/uFe+Q+oYnGAIUetod0WNRsZOJKQJ31HaahOAVhM/mej7TrtuZG - DPdmbV26ZIXiqrMifqa/dG88o0arms4GqIqjkynSDcmcSEbf5q+aonAHs5kUylem - kBQKQUmbfksFgBkOBcg91ZJfK6SJgods44MVj677HfJ3Nmdmp0W1hmAi3WZtuzry - OVf09sY3Pow90q2qNeUEHJSktbj6KnBj3+BRMmZXvIR3aPYqhkQ5v6VJ0mjyq+uP - cD6Re+QDxU1SdymmLfzs+4O8gtbKmYt7DXiFy2e5m+geON1akfHfP6OgfHY9M94p - WOwV6IX0BwK1yeNLeoc7lO+yiDEZAzXqBhllKo6ckPpRa/i/V2YFP/5i/TxCK1tw - mMm5vruaEP0d3HzRzyY5rwXH8nKmGkt7MjTJtFd/uSQmy3r7cNKVdDFYaOhJt7QN - P81fYd+PBTEKcE969MkIKVjOx4qSWlkaAgWnHjgJ75Fc/CEfC/DVfdVkGkxepSqq - st+Zrr2S6DyAtrunqqwFHUrReynR7leq5R/ueyviNu6EiwT9CHLWvyA9xZvqWySF - AgwDC9FRLmchgYQBD/9kIT5mzCZRLFLwHkvKRzqCTolG977e1MIq3pGNdYSaAFPY - 
Z5FYnvjlV7fFbKHOZOB/BAEl2fcyElv8UjbM7L/mJkE1zHcpsmJK2OnKJPplNcK3 - 7MVm3/yqkjV6GtmNtTwlTFOzd+Z8Rc+303s7Mp7jaie68OCoZO21jjxkTn+xPh7s - U8yhxk1BLjsZFrPo45JdaVTrSKxsmr8c47fyNToTUuBg2zyqSxkqiNK0DToUncad - eiwgLTvTcFxuijQMcIAWCcoi+JAgIjK3XItNp8IqYFvLv4iQqDUtzLbWzhnEpqpZ - Tg6dt9JKV9TvZbwR67AnFD5QGEEys681NmrkEyrA8LuXEMTAt790hjvlCSY7RfhI - WPcUAmHUN8sFsKLiIyTRQ03PbEji2wsbq7TKBB/DuN6ivfjOLNnm9XgzMPG9sbRV - 1BO+tnovcKmLn9FWiwWAyPtqFEvfITbj9qYpvAuJ6PmKUihkqfs8rh/FKgyo0gmh - Wq8s2rqOrmV0o/WVRxRTfoauCyyJSx+ENdR6KQLCDdE2eV7ocrztsJRIiPG2fXBi - 0/38/S7oJgJA08uSz1egtK8lvI3MIojB+dWX0v+bonxxkYMNSbIOdZfTFBd68D23 - 2y2OG9e4/TvZjjSqM5+4fSnH74QzvxIqFMW5LSFw4UqhdiAk4/r8ljo3mIvLxNJc - AVGSBZJ95vR/FZM/25ojTGo2iBU7DAG+5uXXVeHSfckmVo5HjExQYqkYCm+imK4P - uzhLHz+6EPmnSTBnTMLU8W/U2i4cOxlDjpHCpjZs/BJk6g7yv+0+/BpiV4E= - =eLw3 - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/secrets/certs/secrets.yaml b/secrets/repo/certs.yaml similarity index 71% rename from secrets/certs/secrets.yaml rename to secrets/repo/certs.yaml index 7bc7436..e1cb978 100644 --- a/secrets/certs/secrets.yaml +++ b/secrets/repo/certs.yaml 
@@ -5,146 +5,146 @@ kanidm-self-signed-key: ENC[AES256_GCM,data:IIi2LK13Tskk7V6jALsVYOYKgNobhUlmai1z harica-root-ca: ENC[AES256_GCM,data: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,iv:0FTPt+bXgzOngxxFqoP1Sg12j0BMk4pJj5JIsHWPIuQ=,tag:tigFlF0LxzG8Za5+kbG4fA==,type:str] sops: age: - - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy + - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ0p3QlY2c1dGcGIvektO - c1BRWWFJTndub0dxUXhlMTlreDUyUlZ5U0NjCldCamVrN24yZ1QycksxTDV4Sk9V - aklIT1dGVHJKL0ZWNFN6WnhJN1Z4SzQKLS0tIC9lZUI0cE5aYzBHcWlWc3FkS041 - bTdlMU5qbHRBZ1V0ZXhjL3FKYmR0Z0EKpA48GyFC1W2+O3WL7Dgjb5dRRfkyJNFi - Yl3i2st6zBGH6OFJGdLlBAJ/lqw9LgHKxYbId7XcuAfMkDTNz4Fjjg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVHRDYVdsMHowdXRSRHhU + dnVORzhoK3ZNVnY5YS9oc1ZuQlhUVUJBalZ3CkRNd3BCNFBFR2t0RHFPVXBxb2hH + Ync5ZndZRlB1aFdQL1IzeUJxODlTM0EKLS0tIFBqbWdnYktJRUdYM0hrZG4ycnE4 + bSs3R0lPS2l4UWNFaHNEWXBxZU1kOWsKHIZ2FMrWVEnMcOYIjRmXiteCbE8BIpjW + AOjolgawHy1xibc9s1QbWfKu0biY6TVIvqS3M5RLiKz8YgewpWrnQQ== -----END AGE ENCRYPTED FILE----- - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WDBMV3RUYUovS0ZmV0JJ - bWdqSWE1TTA4MjNvbzFtM1NoY1FsL0FIWm5nCkV5cSt5VWVzYmM1MytuTUJsVHBB - a2hoMTNwcXZaYzl4d3lmZUZIVDBQekUKLS0tIHlTcEFqR2pIQTBFU21EZ0h0Z3hL - UHN3QmtreUpUMmxTNy8vbXRnV25jRFEKTaCbReUitrOJGVncdR/VQBXmM+mTzTKj - HzRnYSUmuuRdkHC/ljjeYR4rkSjN4RJABX0fraKdARBfkoi+x5ulCQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WGNEeEhHY0JCaWVGMWc4 + NWlObTk5L3RCOFNKZWFSeHlWMUczTGJ5d1FNCkhDYmlHNlBEdzR2a3pQMG1qOHhl + S0VoV3pmTEhBTmxIb1FvcmRrZTdNaTAKLS0tIGNvU1pxN1pLMEhlUEUrYndQQ2NO + TTFwczlDbjczOUVBb3ZhdzhobkQ0K0kKc0GD1iA9uLzdpSR1yBRHm+K38b6PpLzL + 10kWSoSNHV6tjkCjbFiwT0l2QOIgKlmGm092NDz6aCvfC+6GHCDvAg== -----END AGE ENCRYPTED FILE----- - recipient: 
age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM0k4SW96SXVJejBGcHJR - UVZneUVBT0VzZXNlazJKcU1DYWNPZGNiTFc0CmRtTEdCSkF6dTZZamhPWTF2dWlw - QmdNTmJ2Q2JiNXhJd3kxdTdZNXkzU1UKLS0tIHoyMEU0UUJEN3lkZDlGNjJKWjFI - Z3A1b1BJNVg3SDNXZ2JPUDZwOXpHTkEKv+NRRLHfnc8j4rVmBDrLdTTtNyb9sUUm - EhEmbKkXZfHUQtx3bYUJQeod2wd7CYGzvfrbU96xpFkTAqvUJtWAJw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNjNqdjRBcEpZdWpZUVRD + UGpBVjZRU1VkWXowaXRvWTRkSjd3NFVLcWk0CmNHb1R2Yy92RC8rRFBJQzN5eHFR + bHNsaDRFMzNrSFU1OVE5dm1zOHIxcG8KLS0tIEYvOElqZHJ0cmFxREdTTmJXUFFU + Q3o1R1hodDZaK0NYbHpGU21oQTNPb0kKsuGhQytQDmbMWrp5wTCwEnc7TRWRjLlL + fp2gyJSr0EgfzsdDl9QgC9dgkB3qxiqKSAiinBOOUwyaWeUepmv6/w== -----END AGE ENCRYPTED FILE----- - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdXJzVkxzZDlZaStpQm0y - d3lyQnFZcUNaZDdrdm1sSW1HS1Y1VkN2cmdJClVuM2Z3ckF0RWsrQ3RkN1Q4SGFF - M0d6THFpRDlXTXZseWJjQzU2OCtCWUEKLS0tIGJ6ajNRSmJqNVMveFBSUWF3TmRh - VnlXdTd0VS9RSnUwWit5M2RqYk5FVzgKLD8+uG/KUxBUTu4WFcgl187eKapyPrVq - 0+nL/jITbzy0HA3cTdVR1b2pueKODohBdVIqD+JpPs86z8FaLro80Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArbmNRRGkzRC9NeG9xMTho + NDVXUFViU1BRM2J0UTR0R3RRWXJReGpvRXhNCjRFUWZ0NW8yV3lWOGIzTkFKYVdu + QmFLOXM0OEE3OXJXTUtMVGdHanVnc2sKLS0tIDRWa2wzQk13Z1FKTkhkTUxYM3g3 + VmpoVDBsd1BxcE5BVEV1ais1UXJGMFEK9jGgDHNzrAHf1YeZ2TZcnQK/1xbLsL4Q + slgCerhBPS7a70iAmOy5pA/cM1VqaYFiphSzor/tBTDwJvmWB/xmnw== -----END AGE ENCRYPTED FILE----- - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcUYwUHZYNmNLYjV0WGhV - N09HUVo5SUpvUS92UThaV3hvVlN1Tnc4RGhBCk9HL0pXalBiMnJtSWlaOEFKNVlX - S3g3eTVtYXJwRy8vSGtmUDBpOGlYMGsKLS0tIDBnMkJaTnBnUGx5d0hXLzJPNWVZ - aHc3KzhBT2I0YkNCNkpBdWZPTDB2cm8KSwgUwcFRqWFxEqGrnTd6a7sle5SBXI3J - 
KyfOOrS1agk+nTaUJNpxLOG3aUWPSG8DBlEvP4Z1Kx5kG4e7/kRapQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NXdqMEsxQk5sUlpvUW5M + THJsL0M0cjNpZW5nc2lUdDRRRGZHd2tjQTBFCnB4U2oyZ2gxOHRuclRjL2lpVTB3 + cFlEeHhVVTd5R3FTcEpERS9VMEdnbzgKLS0tIHdGajhaSkpLTEVubmpMT3BGazFu + OE5teDBLZnJYNzZSbEFhYkN0VW5uNVkKtzW2pqt3bZuwCUSvvdHZv7LF8CYlIRQl + OEln65gTsKgsWC/PxfWryLS73xD+7vQB9yHT8m8ctaAqKfQbkFTngg== -----END AGE ENCRYPTED FILE----- - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRWdKL0VjSkJZRERNWWVD - eWNobG15RUtQUXpWMlZTYXNBbFowc3pQOEM0CndTK2cwc3ZRWGxiSjQvb2l6YXEy - SGdHNVQrZy9tc3k4emRBeVByZExmd1UKLS0tIEdBZFRMejVtalE0WGh0WTExM1Ay - R29XRC9wNE4wMUdyTTFpYkh6VnJ5NHcKEDsie612hQqxjH/IdM61a449jiSaqNvW - fG6x6U3GQxnjH6yM+Fn1S87c7ZihTIAPzbAmbIiTmVbv7cp8XVz/LA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMeHhlL01wNkRJbjJOcU93 + ak9JRit6RHJwL1hlVGRWTUdHd256S01XdzNJClY4T1BzYUJIZmplNmhscWF0U01l + MTBHdjNSbXh3SXBOMTRWRVp3OHZlTEkKLS0tIFJ2QnVIZEEyWjdNQ29vejgwb3M2 + cXhVYzZnME9tYzJmTnhhV0J1UGVZbUEK++9AnOgt6MVPQ16BFsxfVqG9EpI0/bBo + frr089MkdKo1XTNoMaGgcDKgMTKzBphtiK/k5jZE+qivnBengrlXLA== -----END AGE ENCRYPTED FILE----- - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTkNHVmtwK2JOdHM1ZUJ6 - aWhTeUxpc0pFd0tXcThYb1NkS3V4V3pwU21NClA1Y29QN29nc2dsY0Z0SmdFZUtE - Rk9PdUVhU3ZvSmsxcVhGU3gyMktwcnMKLS0tIGF3dEs3dnBoa1VIWUorZjJwRkJl - SStnREZnTGFpMmFGZ1B2MVF2RWRqN2cK5HHfMKlmLG1UQpDYr1Gg8GU3Gg+oGebE - y2efhe+oiIwr2uo9+zielNVAykKg2hvwUmyAXBsXsl95sIXFfN2WQw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhYzI3UjZDUzB6d3RCUHIz + ZzhkMVRneXIxNG5yaHpFS2tkdUhNVVNZRHo0CmduSzVmQU5YWWpQQXBYZXlkNStM + RThObEZmWk9jK2ZzZXdhYjZPSEZJTmMKLS0tIDFFbkkzUGdaT29OSWFIQ2owa1ll + V0Q4QmFmU3owT2E4Tmk4Tk5KQks2R0kK236hs8GhGUFpVLX1aneLunIuTuD/QpQC + Z51gh+oQ6eC0J1lq13VvXX8rd/4VjR7pDcU7PMjACtqeKfFiwCoVgg== 
-----END AGE ENCRYPTED FILE----- - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRXRVSk1SRzdIZkpobFV4 - Qjg3K3NrTDRGY2VZWWNOTXhDLzlodVhTeG1FCjJvanhyN2pITnVBOXRINUtCbE10 - TlBEK1hoRHIzRGtoSDRCQmRnZVg4RUUKLS0tIGF3Q1RKL2h1WGdSRWc4MzF1cTBE - K3Z2TEZycktQRC9NN3R6bVVUSE9FTE0KOtBDjkAezsWR6wfrfnrdUcpdQgnCXm+s - WS/RX6Q5Jw5nOSgkR5SyhHqOpalYlCnYQdE0zmW7n3C/BqnX+53T1A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVzZ5WHFlQ2NENFpBcEls + VEx0SG9vYXdteDhJQzdibHVLZG05NVM3L2w0CnlLZVAvM3d1bVFKMjFNbUFwemxs + amtuZWV4VEx1UDNvaVR3U01MY0I4elkKLS0tIERkRXgwNGtCZ0Fyd25sNlRoU2pn + citkQm5tbjlRSHZwZ05WUUtSdUdXWW8KCmuyjN3UuNys9H2ShcXFtoqcVK2OTACs + 4DrO/ATf4P0tSGUelFhZ7uknNOC66H7uWQZmbhc4eqfnV1JNbctFYg== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdXQxOWNveEtZUGkwclVp - aER3dERtUHZxRjBweDBYdERROVA3OTNYQTFjCjBZSEVYRGpEWFFUNnM1SU5aWjhs - MWNUdUt3UTQ5SUF3MVVHMW5Wam9KazAKLS0tIEtUekJPVlpyYjFzcmJ2Z200OXNs - N25JN3BJenVhNnhmYXdFVnZEM25mdXMKpzEJ0eqnUoiyboiy9FBeeZFBNHRrO52Y - RICf2lc1bx6i7fLjOhbV+ewjNk7p6ApdJPHaE6Pxa+jJ0O5vVVJjiw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZakM0UW9hVmY5UEIzK2tk + aGdyTmVzZmViQ2RIUStwQ0ZWazBoblFMSmhRCk5wQkxZMXlOKzNnSjE0SUlpTEp5 + N1l4OWhKT01TRkhFZmlsME9EUEVSUEUKLS0tIHdMcmxTQjhCbHVWd2F3WVRIeXZk + Z1hma1dKcGNoUEVsbEtiemdmODFKdDgKQPKBQTdj8Fd1jvm+f7eKmq/qkUbiReXt + adDQ6RefRQ0FwJD4cyZetVpOmwBK97K2vrFDoEfvZmS4naUC5NnnmA== -----END AGE ENCRYPTED FILE----- - - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg + - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NEpqQjN3WkFYSlNrOUZj - aXNDd1JSWnlXNEJCREN0VE04QktNK1gyOHhVCnhCcWdEV2NVYk9vK0xNY1RTRVdU - 
YS9kRWMrSnE1T04yUER1eGMrM1RsS1EKLS0tIFM4dWxCRTBJNExsakxCOTBQSUxQ - ZjRQRTQwK0k1bzdzQVBYalBlcE5OV3cK1vkdKETqGDbsj/WMjwLmjwUz38yPXh/H - vjJxq20D05HNI3PdBMzZZcaaBzVqf3hx+afk3jQPxggrDiysiRNWLg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSnZNQlZVWlIrVm9HcDVa - Q0lCN1pKaVd1amkwdTFibU83bWlzcmdzM2xrCjU2bExsQ2JhN0laK2hocDVBUnNS - Y2MyTGp6WGUyUmkyc0VLa1JBSDIySHcKLS0tIHBVYXVQKzFUdEJjdGlBL2VHMldG - UzZhUDBCWC94b2lyWEdWeWpJK0tqcWsKH8QLyHTIIEwzUAZCTeUBbOAd78fNHlqk - uImJM5y/vjVw8490Uo7rkypQ5Faab+ekcWqPSj6sE/nFEBWTCKdSrA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONXkrbk9STHhqVVdPT293 + RXlYc1c1S0dpMmRqSkNtTXN0eFRiZkVwTEJrCmpQOThTdkJwVFBXTXBYL3NtTVNT + Y0J5aGFHV1pjMC9FWG44WUI1RFQ4bkUKLS0tIHpZQ3ZWeFNzNUVEUDBNSzNla3dT + NnBRRUFhbllYM3d3eksxaXFyWEZFVFkKfSZzN8CEWB9aj+YMChUaRCeOIbrV0gyo + wsV0SN/wn+yvxZqGOXFOyAlLZBA9VThQ6G+lDm/1DMoAj4Rdqnb1Bg== -----END AGE ENCRYPTED FILE----- - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlNabmNqK29OQzZJWjFX - Sk5OM0FTcGxUVCs4OXV0VUE2dXNMVG5oZUJjCmtRR3l2SHlEd2xBQVFPcjlMMzFR - TCtDTmEwVS9ZMFV0Y1VOWEJGWGtSUlEKLS0tIExZUWVMWTVkUisvMEFmUy9QZ1VG - RnBDMFZ3TmJObElRYVg2SGFBaWxkZFEKq7un72Bpl2st9AUvAXE9rBir1mORSkAA - GnHQyN1tVPurKINQeAmuA8gIn7UlaIi5MxpIkaJFqmO1/6H5e7tkGg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBekI2TzBnN1F5blNiNFJR + ZE1EZFZYbjFBR2dncXpVNVNodFJMUzRoSVgwCkhwTkpSVmlUYmd6MEx6M0xLSGI1 + S3FYbkU3aEVHTHoyUEN1TlhHb0FxU2MKLS0tIFNuNHFxQklFL282Vkg4ZW5SZzcv + dEozYjBwVm9mNnhuZ2Z2ekhvRmg3ckUKU/IISe/82KCPh4Tf5nqWgbiUQEr8n+0s + /R/DuIu9+67me1Xyb9fA4xq1lD8ZR/OTfPaDRVVtP3hleeinRfTL3g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVjc4MllqbjhoUG9YS0xa + TGJESy9LMGMraGxpRU9MTWFBNDFaNGxxQWxRCmdtNEdjRGpFUnNoYkMwNVM5OWtH + Y2M2QmxmVEt2a1dhR2hteVR4S0QwRm8KLS0tIGZCbDJCV29meDR4bTg4ZStTZm5J + eXZiNHZEc1M0REl3MmdlMUpvRW5abWsKcmhzalAkWx7ZY5mullayejnqVQMrLNKF + J7mHKyP+mST+5vvkxCPSDN3GRaD2McOVAvDSgS8rd97a35tbSMzxXQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-11-19T14:09:27Z" mac: ENC[AES256_GCM,data:tZ6QzVPivueZiC9Qfb3KNZAv02QatgHRNnlM+Y0iV4BZkYoBjxeDojutizvAMwUarnubUdk5I6m2OZK1mvVDZKXyI6zALX4JMeT2xYQWRHYzHpOygLhhGwTFVhV+0C4jN+eJFF2cNf9lu7NuZI9ylZSOY8I3YKUl+l0l3CkXUl4=,iv:JSGOUq+j9T/NXspn70dfu0J4ISV6vVFZUe/Z1CirrJk=,tag:Hm9N55f9qMc056nSTR1piw==,type:str] pgp: - - created_at: "2025-12-01T23:06:33Z" + - created_at: "2025-12-02T15:46:59Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTAQ/9HmPTBEVh2e92ES0g0sOUx7S9I1zoRFm3ONWNoaT6hld4 - UJiKqbHMQTyjr8m2IvkzT7MhXr6fPsspAFguxdXLAD6LSeWJUkBn6IBT43ISvbkZ - 1KrJnZHzwMjxMGe1MrBk4C17YPlAwB+CDNNehkKHWkSPfVqNurY4gtNoTrZn7HIz - 5Npvi9d5W984CeuFoCmY+w7DbKINk0J0YkgT9zBMdfGw1cVAV5aUS5lIBqvo0YAO - yIQf5tbG9aCa5CL3OH0JD72GBUkODLfWFzcTpzfjYtjx1rsbu6gqkLcH1eGFqTsa - cQ7+A0wbB+9iDN0OXmmPNVix+uMY1yQpxMve3r34v18R9KTCvsSK9gOpk0ilg/T1 - lBG5wFNEutJmwuXai1Zme5+MJLK0ggUQYywhYY9auGmwC74ZRtRQ48o3SsQ0HJTc - tLG0thDciyF/Xy2IPjqnp9vCfITnVw42ZsSIbXfHHYoEBYu4mYhqAP0pmHFzY3jE - rc8LzraecOslqfLVgdCPo/7moBpegIfJfCkX+gYxZKRJsuOHNiTVyFHceP2mztKu - F6MIVxsJsQjRnkavaHXEwNFr+X+YlzoOAid3UNzO78rKAGUw6mJ8PvLBekqw3wfI - zXOWNOgNR/aCUTAbSPn1VBLSM1kioGAKrs6+bAeRypmQGaYiLsDkvOU+qfNxtaKF - AgwDC9FRLmchgYQBD/9iq1JX0DpTayA4qSDo7i9qeET6MKK5VmrawaV2LqQpxOk/ - dEEIT8+ZBhAGjKRIPRZdF0bgcBP92IeOOduPvcdJcRstB1va3nyeKDXkYwaBN0XY - FPKMrTk2hifnmlGdBzN3RWGOXURDZdhqjsR0g4M1/85//0ZA1ogFnUsqtPI07TVd - oKoZqdt068pgBDgAxiwA4Y6WbSSdEo2xQIQ0JTRMGnIycHGnU8UYWElEjnusGKSc - jpC2jzc9TUABawOjCnauExHkBp6PhPRlAbzLA7Kq7v7lLkMKQdnJ0T7kIJUd5LlS - 7TVXSq97WvGBhtQ45cSIZTskjnXEx3TQip9gNrV+MkZ14ASOwc9Lmw1O4z6cVUte - 
IHzUELZsupE8KQPifgMOyx2Q4OQPQ/vv0CSYJwozbpK+g3XRAtsm70mSlagCtye2 - MsNNQFfZe3vSV4o+vQfbWQ/LMxP/8YcRmh1/2q02yXS6sjW4MWiAjcW6nTRCxJbI - SjMKmIbGNn60MOqn+9MNHA/S12SS1yI2cTPenebbhXAbMnCOHW31D5ufr/UR7Pkm - xiBXOT2jROYtvFozH35OpkIPr7tV0O4riUVvPw7swlqTVrJKR67Fi7ORsGJKbztv - YgUuZC3679TzXyWRMGauTmOPQO1+jZ0WD1QYtKkXPpTZNLx02a0XaGcc4if3gNJc - ATICbOTfcwy5HkC+KcLy0KADtfrO004fSIXV4TNrdfyXNnUshnutAmZBRAilvvdG - OQRfyr8P0jKoZw2UUoAFEGFU2GaNg8NvCoZTOesN2BNhSVIdA6QKjnZOzBI= - =HuIS + hQIMAwDh3VI7VctTAQ/+Nc4lUmAq2MvWuvfc9PjJla7aQrTvmRe+b2Fro+kfE8N7 + AHLFhKnw2+VI55jWXT0KJwfm7uQY95lkLiXOQKqF0wNfY2JhLSUlYD6LlM5NU6Tj + N7k0XVpN0SanwWfL1eFsDtEG65bc9A5XzpdE7gw7YeaZBjVruYujFV+bM78QHSrK + pNlmCuxZxp6tobtI4YLaKkzbKJxLJjfhFUh0D3HjYHbjlwZSari7Ep7ZMPgy3w01 + MQ2Ol669Aot0YEu55HHOY1lqmXQbgHGN23V+n0ZUXByHcUR2XlG1Ifo7sn2+QH8H + L+xYjQNFJWeTCsAD0I6sVSRP/+ZC9OfgwPa4ZRw1EXv28qaKRP1Ws2PiTe/hCvIX + a4rjl1mWqlcIahs2HpiQWyJPNJCc4Zuu256YBjWhWhqY74TI2SLKj6p/pQILjDSL + v6VYMQJLfyK6T7YT9IwHZfDYABp7gRzjRwhJScQA8y7hKOub9ctiBvVOOaO1znYh + GXxz3Vrc52lUGpErbbsZ1tEX3Blh37b+uNhvPPobuIVdN8JDdkx6U8oVHkazhP4W + WVeYP6B4nqt6xFf/SF9N4fL7q2y3iEqNrTFjX++hXXfBF9H3C1bGP07KqCK54LH1 + HRMEvpsa0K1v6uCi9Ufud7eFtLm1m3kH3f6+rQsN1Km6aLDUcvfGzNxxl16ZuIKF + AgwDC9FRLmchgYQBEACLOQcZBtu9VMd+SblsCl3kC6TeSgH9r0P6itoCm1XsAlLq + 6mUve2RFedLzxGW5K65XwaKDTzwdHpO0kj2wLxyLgUMXgFnXNAtAqsM1Wvy5HCH2 + yiVpNLLrLSiT4VmEwDGrN4u8iR8Ynuf1epNFBrQ5KzkpZ8F+/+dfNCXyuSuf4sIX + XfJ1Sp7dBqZJ7OzRY1MTs1pdaOIwirVWTaYu3kfbdIZAtlb8uZsmvWFq+fhj4BoU + 5yoRptvzLV0mkn89CwB3tEDxjkOzLtHpdtRWNLaknjDZTA8Ti19DGWaAungTTk5+ + LJuwQOmR0535A5DnhAU9sjVXj0qV3wPOKmPbWrCujFGNfjqh8SHmn3sET5Q+K+Nm + 0B0kfPBpGayGkhbeveuK0AEgymm18tlBjTenno5LpGvI1A99uP8KXFOwmNA4ONTy + lz3RbH/fTGFJTeobUOMI9Gtng5uzuxObOkg54oef5LzS0ub+kNXtpsG0BcK3PDxP + sEbbPIb+VlIcAwQ9+4kyi+jSF+uuHevWq6sMmGz378k/3wwkExnixVjCQr1Wwsxp + t1HGDDrMAjXoNZBLSua13GYUMfeGoPabiTmzAZjZavg0AwR4xcfWEFkrPI2THRoe + OYUreF8t7ZBXEQzkeIwJWvmCs/4djaKoVf6YyLmgefvV4CLcj24UdV1HSDHuSdJc + 
AUfdGjEwj4Nc87coiGFl0r1vc7kWJ4xeQ4/je9CXaKhgLYYjlUEyipOhs2aMRUMM + +nLdfiWmK7aoRtW5WiZzOK57XAgKY5IZOOEzj+4RVW1xnsf1RmbroJJvSmM= + =IIlY -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/general/secrets.yaml b/secrets/repo/common.yaml similarity index 60% rename from secrets/general/secrets.yaml rename to secrets/repo/common.yaml index bc0079d..1907f0f 100644 --- a/secrets/general/secrets.yaml +++ b/secrets/repo/common.yaml 
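Review bot: This rekey of certs.yaml drops recipients (`age16lnmuuxf…`, `age1zlnxraee6…` and `age1h72072slm…` disappear, `age1s0vssf9…`, `age15cx90pnp…` and `age1ax5hqk6…` come in) but the encrypted values (`harica-root-ca`, the kanidm key in the hunk header), `lastmodified` and `mac` are all context lines, so only the per-recipient wrapping of the data key was redone, as `sops updatekeys` does. A removed recipient still holds a private key that unwraps that same data key from the previous revision in git history, so it can keep decrypting the current file; removing a recipient should be paired with a data-key rotation (`sops rotate -i secrets/repo/certs.yaml`, which re-encrypts every value under a fresh key) and, where the removed host is no longer trusted, with re-issuing the secrets themselves. The same applies to the common.yaml hunk that follows, where `nixbuild-net-key` and its `mac` are likewise unchanged while the same three recipients are dropped.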
@@ -36,146 +36,146 @@ builder-key: ENC[AES256_GCM,data:OOoA7oRIFJwS48qs42WmIXU4vLTQLRi6Nzb6IUNXAwnj7E9 nixbuild-net-key: ENC[AES256_GCM,data:aAa6iyZsjH1sAb6ucSPJb2R+QiG2bTj46Csnjg58+2ngYdfuim6SzWEid8IHJV1+M0s/hVTbZWiPsU2KQ+JCdJ84as520avxs6I0URvNx+VmFi6DNGbBJJJJKdTXIKvtmLHqHobs9XtIHahQKoyUpXiSY88DcwAt4e2mUTa6olgrDv66+/fEGeexP4S7AVB0wYeegyMgWODRrA9gS/YLMxMdqk/VHuwIQpWkhxX+AY8mXkx7LalxrbtV/24qdNtr2GittrvYBAkYGWAVZYotBVKjaWVUVzqF3BU+wmg0c56OG5qtt9eD1THAqNauN3iIfUnV301S+TvVtYjpy7gOj3WzntO/kh4kD+7FnfleLXIVSLgBRc0vHhd+7HKKtVRnAINyPkyjaBpnnBa4cksBvHtI0uis0Pi+4JtObD3m+5dywTeL+HDQfHwu+7CgjvXHQYKvEaJ8z6alyXL88Q6uT2Ikaoyrkpi7OJsuIBiNbs5YzRReSfLVyepm8SAtA8UIwnMiTtgFvwGUEW19ne96,iv:2HN9X9CA1liWuY+LYqTCX6Zy3xARMS/TOL61r2UKsE8=,tag:XcPBwYrQjqhexI7u+0zXQw==,type:str] sops: age: - - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 + - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeU14bE1QWGlneTBhYXJy - eFU5WTZwVlFXTlFOMVdmZGpYNkdMNFk4M1VzClhTeW8zdkRzcUhLRkpKdWxCZnVj - R0JaN3RvYk4wTjMrR2JzTU1taFE2blUKLS0tIElUaEVCVDNGbGtCZUZTZ2hwNEdZ - ZlhHZDBROW9HQUx0RE5KSlRFNkJVM00KVKIC6Il9Vq4lwNS4Va/Zy+EciImnjEE7 - uK9asNYPNFLWOGH8WRUYmcsDGupKBCtSJszd9+DoQ28nWo5f2DjHAg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQVpGeWg0UHh4b01QUWRh + d2N3RHR6L05nNzlnT3I2U05waUNWY2FSVUVNCm55M0t0MFo2dVlnQzBLSWd6S3Vt + OXB4VFlaS3BBLzc5QkpBYk1ObWxDdkUKLS0tIHZ5OS9tNG9mVkpGSjBTd3FsL2lJ + bkFHLy9GL1dGamxBQ0pod3NwV0psb0EKvnAGhx0er8opFktatPIp0+mVbaIpz6jn + eq1jflf+K2dDQ3MxK4gCYaCeMzJSNa39NKqX0DaFjWTecjtnua76Wg== -----END AGE ENCRYPTED FILE----- - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSXA5YnZyQkJrUUI1UGp1 - TFdPZVhTS1RwNVJ6SVhNeWV6TzhMTnZJUnpRClZuRWxPNXdWUk9GS0ZIUUVsUVdJ - RFNtMjVQVURWVW9iQXhWblFRQTYxVUEKLS0tIExFMFZ1eUorbmxCeGFqV0lEa0ow - 
c1VSTjFXVCt6alprYlZaZkVCUHB5R2sKGrXDZrwhZ/IZhX5EheYrM0nBMrAvzKRC - o9lLy+KZg/0JTZFE9iz+lPLzzPBVnrSXMSC79Tj28YKTR7xOOPTBnw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWnRYemFEdkNJSmFqMUZm + WWRlTCtHMTdsV3drdEZ0cDg4TlB0Q0xZYnljClAvbVZoMmtBdDB5TTFNcGFvTHg5 + QkJZSHNRWmkvSlZaK0JaWWtacnVyT1kKLS0tIGVVY2dYaE5nMlNHQ0xsaXNiNDVm + Ti9CaENjUTF2RThwYitrOEZnbjNTaUkKSY6DoZjavWV38BJF4uagWyeuXdaQxSLj + l8sxmMX9QU3lIIhdsBTmIf+zPoCa3oKSpOn5ZEsxU4O3PSfzaevHHw== -----END AGE ENCRYPTED FILE----- - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYzAyZG85d3hRaUJrajZT - R0crcFJNT1Z2YjZEU3BuZEJwYnhleEZBMGd3CkxnNGppRVhqRjRjbWlpaTJRdWI1 - NVpiNVBJSW1OTWNMNGlRdFVIRW50bjQKLS0tIEQrVmlwdUkxajNtK2ZhV1l0ZXBt - Vnp4eDd3Y0RrUlhMbUxNcFpsTkZ3UGsKv1HuzJH4rm1onXAlV7KO0MLNIxndRVNX - hFFSSV4QelNtjdEmqYwGpqAuILRpZ7g2/wMLVMMQ7l978KrfL5BFZw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCR0dFMG9OeGREQlBkcktj + SnhSWEpjbFNCdUsrRklUcmJWQURtYkJPZUdVCkptNnFaU3hwNEFtOElwdWRkeWMr + RTluTExGM0VMdGVhZmw4c1NiM1czeFkKLS0tIFBkT3hQd2xZOWpjSDUya1dmblQ1 + bXp6WlNnQnNiR0cxSDdhWWY4Y1FjcFUKjXWTI2YGkDHwA1mubH1hwHVyAlX/lbja + 8TEH9TwOCFAZE9k2CFu9p0K0jjbnUBpo3YjLtUmWmTwD1sn51BqNTQ== -----END AGE ENCRYPTED FILE----- - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRlNiY2ZRYy93SFZqWlZh - Q1NaUFlmQVhUMVE4bVp1Smw2cGNzSDJjQzJrClFEZ3BKdEUzVTZCT2tpb2NHNGVH - RzR3SzhvbFNzNzB2eU1oTUZEUmlsUVUKLS0tIEVzTlRodkZWOFpoc0pFendwS3dL - YUV0OHJiVDY5enhUYnIyYUZ3RG0weFkKIW1K8NVG4M/YvrGYwbGL6IyaV6dX7qtV - tFd57d/A8A3vugzQcMCYvRuiEl1uqqId9Npof+GdS//8AhGeH/LOQQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZFRGZVBocGNENlE0RTFH + TGRvS2hGMVd4bmlTRkpheWFzaU1udklzam1NCmxKemVjclFhZTBQVnNHMDQ3dFRt + WHZnbFpFbEthR25RVVh4cmlseDFKZ0EKLS0tIFV6aHdacXpTRS8zMlJ4ZWJNWWNY + 
Slg2M0JkcjlFKy9lSTY2akFQellmcEUKNYo83GUqRAMXaTizbbnHejygH07tH9QG + QcfwY4r26Dl3CKuafTJkK59pFB7ySd0hwtIg5P1s5Bu++L+WDrD+QA== -----END AGE ENCRYPTED FILE----- - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TUVkT0xrblI4V1NXVkl3 - am1FK2VsTTMyS0ZqT2lzTG1NYTdkS3pvNFV3CmdzakU5ZnpJdEdncEVFcXBaYVMv - dE5aMXlzRUVtZTJQSXJSWlArSzBtZzgKLS0tIFhxYVFWa1R1VFhDOGNyZmdPc1Rh - N2VRNE02ZTNxUDNVWnNMb0ttc0JEZzAKCSgy9q357fSjSjnivOEgaNmhocNpzaPK - TIzJqTsUoLvGBdpXa5bNSe+guuIZgZfm7PCohyKrcm1AUhFJOWZ5yQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuOGMwZ0t5UWZuc2ovTFFB + YVBINU0yNXJFSXRxNndybEpiNFZkZFE1NEJ3CmFNSGZFWENBRW1CN0JPSnh1dFBp + dnk1ZkpjeHc2S0pCdnNqcm5CZzZKMXMKLS0tIEJpRjdqYzgwYXBwbTNudGFibTZa + V0l2REZGS2tPSlk2dHVjZVI3Q242c1EKUjGxjcqP3jHeXEvqcsuGV7CoZZIg6tLz + Sh7kVXXUqpGJPcJMSQ6Zd85/bdY+S9CAwptYqzASOZMA1STD+owvSw== -----END AGE ENCRYPTED FILE----- - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOEVyV0ZwSWREWDFab1RB - VFczcWxkckk4SkVZU2Nlc1c3UDREaEpHb2dNClIzN3hsMFgwT0VuZVM5aGFKcmx2 - azNBeXVrMGJyVmM2S0p6eWd6VHNPV2sKLS0tIE1JZVRWWTFnUjYwR3dTZUl1aCtu - RFpEREJhRVBacGEzRWhCY010NllET28KqGfrDBjMUogZLG8oGWxUi/J0MNql1Wb8 - vPbOdd5PI36qAjxWEoax/WMG1LBDWxgJJva5VgI2uNoQtpo6rWHTeg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeFc2ZGxBYkdkeGdlVE1n + QkZlaUFJM3pJdjYrby8yNHhLK01uK2tEaUYwCnV1MEVsamQreUxncm8zMm14R21F + L2RvQUN6d29UcHhVakJMOFdmbjU0SjQKLS0tIDdqNWJwLzB1QWYvMFFra1o5b0px + TTJoRTlqT2NkYTA3LzJmbzZBakVIRUEKejrBiriwNKU+hQQ21TFqABobebDiFDeo + ZVwJ8DL41r77SnhqcSUO649/NSWT2HTdyg+RQ41PRBjWaRzMtvgLVw== -----END AGE ENCRYPTED FILE----- - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlc1hldmx0cVJaQ3lkY2hR - 
TDcyQVJ0ampnWFdva05YTzdNZHB2VHdkR2trCmtMaDJUSEhPeUZFS2dXZjRSUEY2 - dER0T2N5cFpNSVNtVDBtU3Avb1JwZmsKLS0tIHhJY0ErOEhUMkNjTXVCbWFSeW0x - WmhYaFpXVXlFTWlhNzY3eVk5bFkvK0UKVf0W1kcQr8uHyY89KW5LfZxkb5tKhsEj - H8SwJ2pvLuY5aRudkmnbXQwpF1i7oL17DWKcQI8qIZovxtdJqovmtg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1clBQSWpRbWUvN1FHNUlR + cVpaVTFuQmgwb05xdWdGVWdwaWEwcEN5L2k4Ckw0dlpKY1ViZkplVzVrSmw1aEJT + RlNpNExrU2V0WStBQm9tVGtUK2JZTk0KLS0tIGNjV05KcmFnQzIyTk8vUnAxdHhn + Yk5DQVNoMlpZbXdmRVl5WlFLc3hHUXcK209QCF3SpRTbIxwzVK391si02yLxHuus + 4ldUeA3LZFW7JulDAGmhGjqmAJI+pJoZfmjjoZ5p4T25PHsob4v9/A== -----END AGE ENCRYPTED FILE----- - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweWlhVGhyMUR5QTFlcytP - T1ZMSEkrbVNjdGNjZUU1VzB0Um52S3ZNd1FNCnBjRzUxMyt0VzFnQkJTWVM4YWw5 - NFhxR1dZeENndVhkU2lkdmQ5RWpoYlkKLS0tIDYzK1pzL29jTXI4SStKYmRWQjBW - MWt4NmhOdWlOckIzejJTYStnV01nN28K96etySWmQwVux8Xdo8pXFmCgT9qRq4ZJ - X1Bl/iIKZDkeFSZjt+wunABbgG2e086xUFsiUvAXclVKBEnuUf6RDQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucExsVk01cDl4WUZZcHRU + L3pJYXphRTk2UFpRbU0vbUI2bnJ2Q1NURWhrCk5QVnE5VCtFcThOSzM0aFRseVJm + WkFzUWRLYUx2MWRNdlNydmNrTFJlNFUKLS0tIGwrNlRldE4vcVBrd0krdzFyVnpO + S0tzZVN1UkVMLzhOaEgwYTZaMTVKSHMKpb5SQ5bArfFthZdktU/Lt9hszKPnWa+k + 23rnrL+wCgbHPLTB66+xa2asRh5PdYeXbW3A9SnKXQjlwuquJlqvVg== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0RjhEVkNhc3VUcm9zZXFY - djJ1QXc1UTJTUlltNHJpblU4TU5PQUZXM1d3CkUzWVVucWp5VGd6TmFQQ2oyaTEy - c21leUY1Qy9hMm9KajAyOWRCNERwVkkKLS0tIFlMeEFKRUZTZ1U5OVBvOGNpaUhQ - WWZPbWtyYTU1dFRoSWw5NTFRTG5IbzQKyDv4/mBPR8Ev3cGrHzHw/+nGnw39GkB3 - YGjqlKMpfX1Y8BGlPRxCVRH0c+iQqEBxdqVwOQDC/njKGcMXMT90tA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TkhtQUdlU1hNZThvSElj + 
MUFpVGRsZTdIeWNyUzRjQ01ZaGhUV1NWbkJvClZCTkRRcG5mdWxVQmxXUnZRc0ti + bDV2cFhoczJVcE4relZVYUlWQTJaelEKLS0tIFBvTHZDQmE1QlozaE1henpUSTM4 + WGROOExORWRoczJoS3dyTVlSWktvOUkKpQkWu5z+tLJyQXIkp1ZpmI+Xc0DYrb+L + YEO54SnEJ7S35+6unRfPL5AI9LpRpSkIHp6p+jsHpLUMFm9GDUOFtA== -----END AGE ENCRYPTED FILE----- - - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg + - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcElsLy9WV2NmNVRwTi9G - YWM3MHZEYUdLMmI0NENTV0JXWXlneU9iOFdJCkxUWE14ZkJtUUF1VFNFcTRRU2hj - YmRoUkxJcStEcFQ2eUtPSnEya25xaU0KLS0tIHlweHZlTkovRVEzNkl5ZmppeEI2 - TTVQUGlaZzB6WjhEeFp3eUdzMGJIVWMK5dQgr7YfvilutGW5nieHcsyTQu3pxzVF - gYoCAmKUESrmIubSPOD0RifFBQTFObHJDU5xiDC4a+vampqH/5uOTw== - -----END AGE ENCRYPTED FILE----- - - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTzhUM3ZOaEdoT3ZqQ2p2 - VjBvS3RrVG11ZjVnKzVmM0grTlg0b0RKNVNzCjZhb254b3QyUHg5UFppc1o1bGZZ - M29yZDNvRnVKL0JqQWoxUGNKNHJXRncKLS0tIEdYWGQ0SmQwT256dGsxZEhqRGY0 - VThvSXAvMVA3cW9qMW53Q01TdHFtZm8KoiRiL8tDLUJeLocbRIfnGWuUG/0Up5pp - exdFlTaLNUej8UT7UCUPZvvYN89Zq1ea110xr9Nim5zzFBErJfRPKA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQnlMUDFmSkd1OU5TRFJN + cW1tTVl6OXMrdHAwYW1QVGRBaVJYWFVCc3pVClorSEpjQ2NQLzZvbUJzVHVlQlNR + SXVQdldyMkJ1Y3o5MUo2MjNMLzd1ME0KLS0tIFZjYld0YW1LR1VYTGluTUNGVnda + b0Z3MW5tUC9sVDMzV1FWMjNyRUNLRDQKXPuK86rcj3My0l+vkxCKxow9XMh4JrWW + /431Hjeyf67N3RYOqWyP7ElcMiA+9ePjulVIwUFy1vxGPmq8AMuWpQ== -----END AGE ENCRYPTED FILE----- - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNVZ1WGR6NnJtMC80STNH - dFZuRC9jT0lDdGlSWlFIZmJCUEFDanNib25RCm00YVZyakl0RkRBbUM2THNaWEpC - K0JtaUVtM2N5NEdyeEtpTDUyTElaQTQKLS0tIHcyN1Brd2hYYTdIZDNoeDBVMjZH - 
NS9yV0dlc3lVOXNIS3dVR2pmYnNwVjAKlbBNLNA7Pl7tUg0S9X3BTICkbehkmTP/ - mqVVce7F1Ml0dXi0t8AsxK6HyrR14ZF3QsFr2q9PgQ7qnLv9o4xzUw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMGx4OGQ0a3ZvbW95aGZO + SGpHeGlDRFpRNmc1VldodHBjQVBsbzhzbWxjCjlxd2kwbTdmb3NobjF3cE5qajNH + NGphdmtuMmZGU1hHY2NKRWNOT3N4L00KLS0tIExldnk1cnFMMkIzdGVZb1lyMjhT + dGRydFUrS2d0SlN1SnVtVVBJTjc1VXcKhkNl+/n/8OB8kk6ZU6xkWNextIX8w4HT + RGLbEsBF1Eftr6e/MgZRptvZuUvq2EWvl9GVe1GDSIf7EjJBYUW0BA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQ2tjN250TDJqdGFaWmgz + UXNxTTJ4bmR5NE5aOURBWmlNai9xNTZlWURNCngyK0FmUnVMTzYrYlBQMDltdEdI + eFRoM05oQU9ndjBnK2VWeXh2WlI0Y1EKLS0tIHNac2RqRW9VK25rd2F2SUxLZjZR + UUhFN0FNa0FXUzAvanNRb2xRUG5Bbm8K9MTHuo3lWH/gg6UDZLChj+EGZ+7HV52w + bm32bk+B050aCo8QNeFvIo6AL1XDk0YD0q3vcLBjxlcUjeg3tLKx7g== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-12-01T19:57:43Z" mac: ENC[AES256_GCM,data:2CLFlduO1fsxtvF1fbH18kadQuawMwIYEjsJBvZ65tecIdjT5efPD07+czmysKWBh6FQuVPL8a3uVlqT2WUW57AjQZtxloCMAFS9m2S//I6I8GsLVccGnmudiHUdXFnt+gI1gtb6ukZMEps4m/LSqUHGSptVwqrIN2gBM6Yy9Mo=,iv:S/crBYhr2HTzMYn83bK2YYO7kwfDspF0gvkoiuI9J7o=,tag:+sO+jFMFGZSsCb7PGnlUmw==,type:str] pgp: - - created_at: "2025-12-01T23:06:34Z" + - created_at: "2025-12-02T15:47:01Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTARAAq+50+eWOM8TOM93JkwnSjUFLjwO17fT5jfBwWxqLRULp - SgO5pCfJSCr2xFgzcuS40+c/ewP8NHwI+S8Mu8lcJ6Olyx279QyZJxdKvVba46Ti - 7Dgb31UzMQKjjOW8/nhf0JFIq6KH5HUQP+LmmQK59VEdoEnz4XYdxq7mGeJQsn26 - E0AG5UvIKjjSrZQXbx8zojIEwE3l1t7Ipw2oTzHCalWf5at41cXyWmfIzomWHElC - XPwO8mjcBY5LQXDeTu2Xv0mBvFzXNBIFaEhrdphFxJIvpfl1FLefK6LKCDLhQtal - HNDBziTORUAnvP9JiIviSr+OUhTHTkDqSMYE6SD3SFsvQ/nArQHRin/FvPPNMVhU - TD0yec1VgXTJDJGe0jq+PiWNTwwnxwSRmKdXutp2DPEuv0amRGVOkeAJNSQPADOk - ZUGBKqjr+trvcKWReCC+gi6jMTP5N7rpjemufQ/p0pOTKmPeapTcWitqtRvAvGQ9 - 
+Q59sDqTgG5w3oSAnvboDwITFil7Pr39Oiwn01btDDlGXj0+ieer1mHOT3vI+NPE - LSrFqUa/kMMW4+zZHGlwMoNHZbwLWHGX0O0KZFKauht3ypSsjrJbOeBIGgAq57S/ - 1U+oerlPbnCCrUTuP5Mns0Q86mEbOmQQyGMgfigJ0zFkMOlO3306T01keUv35giF - AgwDC9FRLmchgYQBD/4vNejy7yGJSxzL9ouoEDqEaIGx1+pzzAyU+P0GYXV4rwat - P6YL8a0CikYLdkjgUsVDfFV7/Ou2Q1aPBn8AGRG6eaMlaICYK1UX0xiP9196dENl - qxkm3zQWCfxAkgWyUFernSzzWeE1z9FgEfrTOqKaETprFVxxv5tUKVABcXHSPNqD - hYqllb8tL1tS2QrqvxIOcrL7KHAnRPhHimIFeByNN5lN81Z3hLFRQ1Bl3LwDPeF3 - /kEhVjmGqzw2jEkH60Am9I6xZ2nlSimF7Bi4pcu6QCWhN7PMwWEyGxj+Qu8Osr6F - 3ab4M2vkyTZyewUGsn9qO3CcPAHPxyvf+pyV/q87ejuE2e4wR8LYcJnk8BOKsNRJ - m3sJffhhmB+f58HLzy9TwvaQqMno+/KnbV118lJrdzf8iCJrlUNY62MEjBFo3QhQ - 2rc4vJXk9VINiZlHW3y9ZXV+dTus/gHKjN137dxq/RPU9tf/1Y3Ow407fDu39DT3 - YrAAXj3jfEK1aoTtHpLZAp563Q99NYyBQLt3C32X9YZb4VuYCXvGsi3kqjdQl/zg - ZxUVlB3Wzm1jhL2KPOu1SuPAT9HLwu1QdDw+kw050DNBWgeLJx9i8/U8LC05vF6z - VWyozdZIdIfAKnMrFOU/8pJ/lNYb6pXbIYwbpSIDslV3Cj60KWx7X6JgVUf6d9Je - AQZ83SkdK0sBXS3sfjwCewyY+ta7i8zWYcG8KDbW2s7hxRb05u2nYKhJZZJ5xLcK - eRhg3W/bMUWk1bYZ+Whz77uSIC3n/mgzIlsaRjMokiX9i0a1jXVyH4LEluPO5Q== - =MgE6 + hQIMAwDh3VI7VctTARAAuyStDAAmBNGBL/wAl7CNV99+AOHHP9vMlZXZ1Urcxr67 + rVXMAJpMkcIDCCsu6hU5fCIl7p3zvS78QOvLJvdlJ/GGpgfQF1us0Z9IL3xqQVjG + Jz+r9CtoGF8LEmZ7UYpNiiLNKWqem6Z6Fs7NlVwYtK30to+PAJ4s0Kqui/FfVnCR + B6R5CmjMMKepqLGD+g1RasihtFY7QzPRnAcc1/d+VuebuWx7VFr7U1wXim+rLg+Q + MfoHpfLb57iI4nfUYrBH8I32EtkQuD87GagebvdnjxhuzxUVH38FNLSnvFhNyxsD + GgJOcLdrrKaJYOjDaBZV9BffGr5NTIfn1Zc3xQ2BVLS/xs9t/DZBaSj6ksDcUb75 + L/R/OWqW7DRw1Te0fC91WhNloXL142TA+FhsOyvqNsdye+AlzQLSWCuXDAHmeLY5 + dld8PPF+uWAfdRYORDgoIpN0HlERwev7GlQTILPrL98v4RnKrHJQdTFRFa+7JMyB + DLYht+ieZM6GfYhy1LoHG9ydUfRnRpGV3GNaDJKWbDp1rqsrACgJu9XwN9QGVIOc + qeoLAW7E/bOwBkkQoX0v94inSSW/yLFT+m1/Xaq4CdrqBkI09EInfj+WHvGDBguv + YjmQVpsmN2I9/+mb+CMHdhnqzojc+ccimjRnWxANKqSxTTV+NT8LGl+7wm0SBtiF + AgwDC9FRLmchgYQBEACIMrpv+fn/c6eURqJ5/z7SjMzLlIXM3MJbYk052W0IPu3Q + vx5MgLmCI/nT0uPH2IeeGLiA2Y4R8TNbNNdFT8dARdo9IsNPZfhd3xvAlSNmt1Gn + 
PCdV2f4Ts2OH/UlAXGF28edUgSGknKTV8WFJHMD3cRVAfRISZuVz1VzeKLFdv5qP + CQafg4v9O73hhSyg2HTimXnj+b5omUhgLg/rVbzP4GLCQddu3m4vQrsdfiCmVgn6 + AzH1aTkKpmXKXIh4ibgs5u+Yy/Yx4SS9YkRvw3fk4HqfPeBTIPLnqTjrloLbQi31 + 4PR4vMb2gvBTo+cIFvT7PaNF7CNndWBhxQVCPIDjZ0BgVsN3Gg9mepuU3OfFwnVa + RHMP1ACUCKd1+JYYtX1Ey+UlyblRpzbTvg6+O394QpY0IrJIb56aUUgrQIq/xBcl + 6fSarhnZ4D+r0pCT+YsTqV1WpFxrMELLQMCt5phJr/pDMiW6qWw/adRmsVBvJJsw + VCQ6zlfT8pnItWNgmIj/+vM25amGIu4JPviELamhU0TsgKsJ+EcoHylRrCsjg3C/ + fWOV1eXVXlALXjg50O0mvpRT/8WgQU87QT96tmgvXP/9wy+piqOmYBKxPv3amSXO + wncrzPoUTLo/mw0dvOfB7ZRsIeg22EUlgESKCKo7k1dTQ+f9ALfjm9rNJARZe9Je + AdADaDBobnLh+yCFCRIHPYj3c54ItF8b6sNwbZaeyr+JLBYiWccp5hkF4H0/sZV4 + D+na+jJW279GDrQ1UMlXnRmo7FrBwh70Rn7vpqSMOranPDsvWvgkS/SMu8SJYw== + =YZqm -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/repo/globals.nix.enc b/secrets/repo/globals.nix.enc index b9e9770..f3b17a8 100644 --- a/secrets/repo/globals.nix.enc +++ b/secrets/repo/globals.nix.enc 
@@ -1,50 +1,62 @@ { - "data": "ENC[AES256_GCM,data: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,iv:Xbgn+Nv6py85+Sl72aYxyDgfPEGsWK4+YqiYTQ/5pw8=,tag:CInhg7J3Au9HcgIWkisiOg==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:6JNRrm3yUVTUXocmNbZGbMV3oS/XyWsuuHo3eHR37PA=,tag:RMHyYGpwOzCQjNUd7ANINw==,type:str]", "sops": { "age": [ { - "recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNjR2L09PalRkUTREY2lW\nSWFmL2lTRWtMOXA4Qk9kbzNicTJZV0JEM1FRClpjQmlZRGhHUDR0YlZlUW1uaUJm\nSElmZXJ5RnczVm5uZnpyejVMQkhDNlUKLS0tIFdhZzB6TGh4UkZUUktmY3ZRUXM2\nSURjZG9kVXZ0a1dCZWczV3VGTXVva3cKTGhXQjLhn3hpY72nfeu0pVCz+qzJi1gJ\n6AcGZQDKavoJaP+qadTVe8pa0Vu1NX3ILJBKigPF6OTVJY8/BaiX1Q==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WjZLbEF6aGc1TnROM3Fn\nWDVhWlRwajNzYytLVUZSdzVkaTg0YWc2YjNFCjlCMjNrTFlGTUtZOExIY3JES1JU\nODV0RDNKaGxJRlMvQkRCMkhlK1JFdDAKLS0tIGowSkZGd1B6QjQvd1hKTVAvb3Va\nbTlLbFE3ejBBVDhyQjVmbElHMUlqeUUK/RS7asoLCKs2lDqAXc+YjjHkczOmS2ZN\n8Zp/f66TDqMSWKEW08vyMXOTve+8Uw5LJA4s8B+OzaOp7A1YKuAtGA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRHVXeXhHTDdhZTk4MGpH\nTzkvdnVHNHF5RHRtQ1F6R0w0SStIdjloSDJVCktmZDkybzk0ZFQxUEVqdjAwZzBR\nTXRsLzBsaGtDdnhTM09qVDZ5VG0wU3cKLS0tIGNJUmdseUNMUnlmMmlEQk0wYlhC\nb2tudWFlZEhkalJXUlE3V3drKys0ZFkK/HPemyCo9WH2snhSZ30O6NxS/JvI2wln\nxbHZ3jio4m9bA81zMMKOIvBFoijsG/jFL2Q3f9DkI1xii9IeG2sUFA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVUdXK2NnSzdwUUE0NmR6\nYjhzLzRTM2EyOW1Kc05mdk1hbnJ4N1B0M2xVClluMUM2RlVwTGpIL3BmZW9GbDVs\nQm9kY3d2Wnp4bnJJc3lnMkVCNStnVFkKLS0tIDdHT2VFYmFubVVXSWtDcGRyTGpn\nZ1dTUk9LcHJlSnZYUktMNUtmL08rZ00Kw4RPnFeKVDB423Q8fJQXN5CCjxAnye2s\nHIPXbheEHODy62Wp73T/iMfC6aFYmuggk7fWesajg5ZF/ulCtb+kuw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMUh4YnU4ZkhoK0N3SFhp\naURRWmRJY2dKOVMxMzV5Q0FlQkxOTUxEYjBBClpYN1RTYlNYaGlEbUJUbkd4VjNp\nSDh3UWMzUXFzeWxOWHdteEphSWpSUzAKLS0tIDZySStqRkdCWnBnWFV1VWU2NHR3\ndy9zQTRRVGVkcHFsWWtQdWJ2QitJUncKIb++KE362NynQcDXgImGE8f1eIOzIT/s\nkAj7TURYX0GlDkdUjkvlo4DBRA5Rs09WqMZDbFqBC5Cgvtmit0jYxQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWDlJNWt0T3FOWlRMVVB5\nc0ljdjhueEtPdDFWaGh5UFdwemlMdDFIcURjClJKNkxCVTJDTXJaODR3akhUL3I1\nT0ZVeTJzUXErcUFRazZmN0sxZENLbFUKLS0tIGptSldXWmU0SXhDMEQvVkx2bXhJ\nQkNuSSs2bk0xTkR2UVpUa2R6RjZ3WHcK0VPe3tuOtTCj/a3R4lotiuBpAbx1JdKN\nBYHV8GMe+vM/6yo/+zFLV8HjUmh7RndrT+q3xg65a55CobRSw6icwA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWE8ydmNXRlBEM2lidU5k\nb01jQ0Q5TjlRZXI1YjlTTDF2N0VNZ2pJOTJFCjV5bmZuWE82UGtWSGJFWkVCbmVD\nRlJLczhwN21XSGhaaWFpVlNyWUNZem8KLS0tIGphZ0RFVUdXdUVTbDFibjR1TFp5\nQ3hvZjhaWFI2TnVzTWJ6dCt4K05lTzAK5pJgUGGCwzPO6yWyqiQuCEwYc3PrFXV9\n/fhVaRhdLJXc6/hBvWsK5vzQNe4o64AfUjS+iHyXi5m0dGINzWCDSw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRSWs1VkcrWnl5NjkydW5n\nOTBPMHV2d0Y5UG9sdTZPUFZUUnFLY3NFZzBzCk44ZmZRRmpDVVMyTTZKTUpMRmx0\nU3BHLytzMVNtQkYxL0hhZEJKdXcvazQKLS0tIFdkcXVLaHNkZ1dXK3FYUEppZ0Jv\nSW91dis0dVhOdS9GQ0FGNWluNU1vVGcKVBCLrCtb2Y0pTXClB5qhQdBIimNR6U07\n+BNb5d8VoTgafFQTU/RHLt41420nfCdLYmgk8dztz5dVEa0OmES4DA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnUFV1Q2pQUEJvOUtQWFZL\nNlowSmg3MGQwUTJxMFhXcFZ0aElLMEM5NWpNCk5lZkNUQzNzNnVVZCtkMzdIdStV\ndmJ1dDBwck9lVUc5MmhKekxWV3h1UGcKLS0tIC9yOHBUbzY4R1c1aXZ4N0JVZkpF\nZ0gvMnhxSXl0LytxVUVxVGV1eElIYlkKPa58QsZc7y15LJlOamtTNrWPH+EkblLX\nEI7IkmOWK/lhG9KEwG4h1+8gDS+5bHPuvqz/7+sROo/A8Ry0Tj9oWg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbHY4Sko3NWc0VWk2UGJC\nMS93RHdvRmNJRUtMOE1lL1AvcjRxb3lxRVJZCmdXZkRFQ2ZFMjU4UVhHVzdZOFlr\nK29yeURjUnNEZVJUSFA0aGlzdUJxTVkKLS0tIG4zY2RBbTZKWGJWTkg5UGpQZEdO\nNVhWSDRIWEp5amVmTTlNTVl4NllsOXMK9Z1wKx+6JZ40Z2/ALe1rGHPlE7Tz9RDg\nnk7SWr/f5Yya1cfVyMEDZGCKm27jPnV3BltfqETLZfblQjGsvBUEVQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIODlXSjhFbmo4ZWZUWkdj\ncEVHT3N5Vjg1NnJVNzFOWEkybzVxTEtWbWhZCjRHUlo2L0U4YjZFS2tMMVM0NjJQ\nQWtLV21MWTZRWkFWVGdUNUEzK0g1TnMKLS0tIDFxaTNtQ00zbXJNQUdqVUc4QUJ5\ndWVvTGpMNVkxZmVjK2xKN3F0dE1mZTQKuw+pFE5tYe6vcTL4FrgvJs7RKKGJBNZO\nDUjlUxMB/WBR52BNuDL7kviFeLaF2HLeF4s+GkvqYugHnTBiZ5fzww==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBscGZ1bzlSdkQrTWxNaENo\nM1pHTTk0ZmhkOUc4ZjRGSDBQYjRmL1lqV1ZzCklOd3U2andEMWlVcHQwSFdTcUlH\nMkoxMUJsazY1RzJ6VGwvVjYxTkpwSGsKLS0tIDdJeGhPRlAyUFZmYlBTSU1UL0ZN\nekR4TUxHRXRmRjRlcGtpb2pHZU5MNncKc/Ry5YBhbbi4T2toL6wW/oAfRXobUGqg\nQDJIjb9evCO7tOkxYphGFnxYl05wfIlWVUxJeAzEXTg+zgWDk5ElhA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WkJ1Q3Rlcjc0QTRmallo\nRlRlclFmcXArUW04R3JEY2FWYlBBTWxscGxjCnpOcTJqN3FzR05NcTh2SytFbU1l\nbEJHZXZPdHVuODcyVjZLU1k2WEJxaHcKLS0tIEtNRnBzK29mZlZXeGdpYTRXWW1S\nZVVuQk9rQXBOZk5QQ01ucDAyelh3eEUKKmljNvAc5Af+B6x4hVlNjZZiznPu+U2/\n4cA9twbGvxJab6cU/aXLtB1yOmQMbm5sroBZ8+sqThGo1n1eBRHQDg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WFBJaFhhZnBiaVU1a2Rx\nYmp0bnVQbE9aeERady9LVjg4U2kvSGVvTnhrCjFDcnBwMFNEK0ZLdmZSZkxaTDhY\nb1U4c3Z4M0FOaVFISFBVVFp1U294WncKLS0tIGJxS1JsUUdpd1RxREZaVWx4SEs2\nY0J6cERieWVUdk4vUCt2SW1qck10dmcKUiYEDqsN5xJvNmaDIZU7x4uuq5KzjE+M\n5lCFSTmIIoexUsTbYLdz1cWgll0Hc5z13OSSFgJt/iTuj7ocRuHmYw==\n-----END AGE ENCRYPTED FILE-----\n" }, { - "recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMWtLZkZHRHBGK0JnQThs\nN1g2K2lQYWFmdTIyOEE4cmg4R3FnWWdldEQ0CndFbFBZOGRhWlh5QU9DWlc3MkVk\ncktUdDZjWXQ4anE1S3RsMnN4UnJOc3MKLS0tIFZlSU02eHByMzNScCs5QWdHYnlU\nWDdJcHBzQ0l2MjMxdFU4Q1c1S2pVdHcKvAzlHn0XQ3Oi5SqckELFtEWl3kOulf/U\nZ4ux4+FGfkjYbq7jiyyHL8RfLVuBRDS4MGcGYEsI0YQvmcgxBFLP2Q==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiMkh6ZG11ZVIzKzdocnNw\nODVzSmFlaEt3bEo5QWZCUVErRUQ5WklpUjBVCnNzZkdoSHdJNEJtYlpEV1VHNWF3\nQjAvVE9ZOWU0U01QdmdDMzU5NHA2ZWcKLS0tIHJZeGpsMVJhRFZCVnk4T0JqVExm\ndDYxU3RMNTVvUVhEdVJ1VHVybkhJaDgKOcg5MoybrReGg5Y+kVusweFcEKzc1xd9\ndhZC22Klz/va5RRS5IVnoaIj9JaDuN6p//mZGKtYhUQfr5SaiWnfHQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bVBGL0l0bzFiREVscjcx\nRElzN243eDRwV0g5NGMwRzdlTmk5Umd5Unl3CnBDTlV4b3Z4K0hUbFRiMmpObE4r\nSEZPampwNUxxRGMzbFBwQldWVEFIY1UKLS0tIGtzZE1NSFFWdlFHQTg3RXNwSEdM\nTnZ2R3ppbEVBeCtvaGlNWTVWZXQ0Q2MKoOLKAxiCiTrQ1gATwuqh2aphq3zWskp/\nWeQ8oqOwc4mL5nzKIJp3VzTQ+CdL2BYfDsxhsqgilSruht0tFm+Opw==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dkJOSXUvTmc0MHVCOExn\nazhGallGN3FUcGw5SCtwYzYxeHptWUp4cVFRCkRoYy9YT3NCWE5ybGFMYVI1Z0h0\nVlptSXMwWFMrZ1VWYW9xMTdVRmk2a00KLS0tIG03Yjh4Z3N4QWR2MnRjZWgwdi9X\nSFlUQ2FEU0xXUTlLdnJEWFViSmt4ZmsKHxI0u8x2zcvZgstTSOEVXyiPx0ZPRE8U\njDnnOn+oZf6WKNBTCQ8J/QTii2QNa2Rtg3h1EsEYVD4qEBOtou8n+w==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHblFPenlYNDA2WnlVdFBm\nait3bEpqR2ZUUjlOM0tMT1Q4UEpFSXpNUGxFCmtvQjVyc3RUT2pMKzdBbHNwaFUz\nelFFRVZFVzdSekY3c2M3RmJvcDR1N28KLS0tIFZBazRsTW41N0tHdXJWZnpwUUJB\nNk1iMkxZOFFDY2JtVnM4WU5KUVVEVmsKHb8PCo8cTyipymup/F8Oue5DiP+uPznd\nXbD74jiB732WPPNOrXh+wU74Uj7EpYoazvTcs4tHu30cCpbCz6cqCw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzc2dXbXQ0V3pIN1pFbFkx\nQklBQmF0VWtMUC91a0hQaUZBSUdUUWY5SzFBCnMxaVFjUmFjcEpLeXdZUDNUczFp\nS2xCQmc1ZytLNW1sc3hBNHlwZEpvZ2cKLS0tIEF2eHAzUnBqNTNSMXJ4SFRRYVlI\nQ003NFZqa3d0S3pIWVZQeXlUUU9xNlUKevDsJeis0GYCwRLNwAIXqyjGedV5rcJt\ncyDaMsDWR3kCRYZrvsUV6e8IkClJLVKtleClGjdPTh8fkk7bVan1FQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYjdYN2h3eFJ5K01Vb1Fa\nckF2aTNSRkFVeHI4b21vNjhZcHNzV0tMYTFBClQ2VFJDb245ZzhybmhCTEMrS2h5\nUGNlM1pEUzlmSTBTK2tRb0xrc0hCTXcKLS0tIGtuUXVzMTUzT0IwWXo0SWRQNHY5\nc1JyZ0NLblpBWXEzSVNxc2R0Nm9mc0kKbKkbLE4+EWSu+k/Alt47O3ADYFuTZuKl\nIeoJagaLNFSfmT78+KWmhW8pgsTN5nh7wk4qH/WALYgMfy03rdLPzQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-01T12:37:59Z", - "mac": "ENC[AES256_GCM,data:F9Ma+RYXq2sAYc+uPn2u/A6hxbhybc0wDDVVspFJNIYBu1aUi34xKjxPaPQ+H5hWJEa4V3FtUugCJnMSv63gbA9sKPdxHI/AXIUAK3f7b4aPXEs4RTAQaxuvlAz98wi8cU59BDmdzRpYxfN0+FsIeIxjT7lcDS1JIcFo3M2o6+U=,iv:qWMGQYH+DERoSiMTJ5i/eviFD0diTujCjHGK+c+U0y4=,tag:hvrPpfhzdD/g/JXLwKRrtg==,type:str]", + "lastmodified": "2025-12-02T10:25:26Z", + "mac": "ENC[AES256_GCM,data:sIWxzlxMc7/NgSa2AeOx40GyOCCpNnPiQU4soVahKcbv4ydiBk0/utqV+25WRMPt+YvY0sSYVdl5O4F516vf5XYL1C83jXWM3Yi6Y75BQKkbZBsiG0tNTY3A3r4wbWwOx95UbxzmwKyx9EuzCc8NmXVpemnfiy6b4EIdttz8bSc=,iv:K7cec/NfyMZQgQu0gloM1uVx1DEG+CCpnBL8OIYPzCk=,tag:qNVd1BrNdHYqbV6mqjwF3A==,type:str]", "pgp": [ { - "created_at": "2025-11-23T20:29:01Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//QwNJ7lhnXTXntHGRFgxzpIRgDBFe/cIjztt3FfA5tavw\nWt9+Zm3et3imgGE2n/7CrgWFobhsFLP5oEXavzea6IjyH3T+RWeW9nxCzFZrP6fQ\nOS3oEhQ/SBTUFP5xDJHz/b2oNrEMQjDXlZYoMtMQihmn6qx3fiFK+dTaCKvnH3zC\nrKH03Y1iWiK5JsKs8nn97m3x9XfT/TQSlbDe1ktlGIzh0p8zvIEJcGgbz35BkBYL\nN/RK/l+xHWnt2jLLi6vj6WFano8x3BzpVrahYA7ynKoVWQChE80TUDacaVjh64MO\nYqGUluZwTSaw1NXlaRIas2z2Rm+HEpeeNEyVUCpe/gAGOawmTAhcIgORhkIK81S6\nToiAqIWaw/i/xtH+U2M59YOPRwG9XHG9/DAEmdCsztB/AykNxOMq6xJDayu++kyY\nRXe0uYbPd3b0nGMcngBr/DTWUSuO9qcpg21d4VfmNTaLHgXY8QS+8bYTETJDqyvR\nFioAfHx+H+/la+OrLwee+CONCHGrlItSo1s4jQXW3TvbWlB19gj9XYVLU6dohrke\n1h9hr0Ia82/a+5or7RCU5Gtf8tHqueOdIfG0acv7ohtmjxtZOegSgZZfPIRpUI+X\npuLxrD1u9FFF/KaVJOERZJze4jVOHvPbr69B3OD2TJkoHXQzlCEu1E2/U/zGNz+F\nAgwDC9FRLmchgYQBEAC+7PFEa8+euceAKBBPiV6CswPFy1n+4o2E3n5DGFMxm3n/\n9O074js/c2X8km0FZLg/OQ68h5iZPX/mavCybvNOdIDUDzpEYiiYhQKThVW0Oz07\nOPxXNA1U34hv+raMlvR0Uyuync7RoMJLy3VIlqttqn9urQsusUJPYTtWpVRaojjc\nhunYPQV7XdIGJG92sCMgG8JeYLpRpDJphX232xuxt4L6BZh+Ddr0TUGmKdMbPGSo\nU50Ub1uDWWDYL0BWN8BzsuQQNDOTBMVqucG/WCr7d//x1A6CY2wz8tK0pIzyv0sa\nIF0PYAguFFZ2noT9QA64wyB4BJn8bgW7L6ohv0XfVdLK0fR59lb1A9Ar386uhaCc\nstjmijCLy9T1aN8roKM98CUUamNwPFZhv+Fb70/5qN6OLRz1SPrpZRyaaqOsiyz8\nyJCxMz0KwOSc3PsLLBVhBPr5wk2w9tB7CJxk6hCjgbugXbLXXedYtlNwXyOXb7kB\nAMjGWFw1e46pCmkpHr8e0XbKqY1lXfeBPO6y3MhrqQ7Atn61lSGGuwmsbRM0oLET\nHYNbjZexMVTxsle29eM6k6Y/MPSxLp2mwj4orPgIOXKaxletNKDgLoqnSUIhbItX\n102RMnCLptObGPmlzJ3z7xSWievOiyOtT6yY1tCQQfdWE9cHONni1TYTupY9/tJe\nATViviHLvdhJTVcj/MJY5pQ3EK/UYwxJPXZG0CWHixz1uJeZTdfJm0t++tiWlRO3\nDRZ7TIvYUsicqCj/DKrcOLpS3U9toBp2dz2tCzHwZC7u99v5YgpCl058ZEMwcw==\n=TbqJ\n-----END PGP MESSAGE-----", + "created_at": "2025-12-02T15:47:02Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAoSZ8k5N+uuVrTgN9qQYOGrJ1NS0yjcxjqHEYbVaFh32D\nltM6zdpKORmPxfKSjacGQLJDxh31df8xn6ZhuTpi78vZAdhe120uwnmMayMsCGvE\n7lx2sZOmFay6oVGCevo5rFzKMmpLRHdy6l7pjCusR9JL6FQEhq2ME2Z/qzBGrkPt\njLPAX9nPWiPBRaj7tYwyMbD+mbNxeakf2RlNwShPhVJGYD4+k1I6GdWZdbabjZtr\n3HiUFvGbPbDHPS8z9OxaD++HNBmeEdSAdfm8Lwx0UzKuQfC9+R3tZj+QMm0LT0vg\nJtyPTeEd1baT3s62G6sznLfIGIkd+BZ0hGhazqs9R3Vqj5+w+EDW5UnEBwztrlel\np6Fs7jNAVlJmLXTfydh2WgK/jIolkSavwpmVdO/H+e+vB3pc+6bMBMBjxogJhHNC\n5mRhC88OtoBlN3tadP6raPY3LcoTPSC9YFfnNCLvPwsVcsBz17vl0wGF8OFLk8PZ\nhJ8es1E94p5+/4W++DN2KWtOH52jRt7sNEpEfdFPd9N5aUrt7haTTRMTOFC4lRDa\nnWNHMrHyIXXQ/3hw1X0Pun7r6tj05R7mkTL6PVjvgQWS9q+GAczBbATYzAKGXeeC\n+nemfP+xeEx/QkpNcBAp2R2smZjf3xjp2xyLYZwv+ML7OFsgKpTTRLqMG58vVJeF\nAgwDC9FRLmchgYQBD/9Ez42Y9nKcBYb6WwIDOxb4xFjRrvAj8ODl9/h3m6GrXfU0\nmwPR8PxgqyR/fTUzqe+RqECb3L9N2P4JIT9UyVjpD9fs3WkKbwjPKOL4RtJNZ4mP\nOZbxjrxdZXz9Kmug/G40Eo4nNLYexG2Qn1CNsMxVKnn5FHD0d6nW3JOszqTCG9dG\nFHDrOxF5CKFTeUioRM6AwjEwoUZ7MlyPLtEsrhdpWnRw1FqQgRkeNIqLzy0DD8if\n2kcLx7eQ7bFWtUvdVSUK2zMbiSOrc3pq9/r8MBpTZ6adEMd7xuezrpPlADh4Ve69\nkzLs9L8cN9Kc5p/HQ43XUlQeUQJ8l6/dzI47u480yxx3uFwoZkK56SYY4fohl15S\nPFigWmNOzyRxHVhMAlcRp8MaYYeeSDT8ap1khUxgZkQgBV38MLAjdN824mZijhat\nEfzxMJ3OOKQypNlHeZpoRcpyvebTFmZLeFvNH54dvFrQ0ofJBCrG8LtK1BOI57XP\n5/5XrXrj6S0UD2bntONyrhvd+tYLy3N8/WoRvWBdfOPM9jshCAeo9BU6/doZys9x\nNUzr9LnVrSza+rTMM4rROlDgrVgoLLcC9TXfSQV0tEb7MI84x6H1AYw+t7qByCPa\nqzMek0sN8V7bZHkGIaezd7LvkVHn155sTgC8mFukSFVqBNkDoWJoYGgut+PLo9Je\nAVJdeEDQqOrf+yXuDsLhPWofwWuxrPo098H42QSuntCKLoakbGkR5Ct/4JGTu15A\nQ0pWOArVFQgBM6C2qqib1qK2yLoJMuDcbX1qzStNJLS+wrBf5Mm6wHDLnfEjyQ==\n=FmzC\n-----END PGP MESSAGE-----", "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" } ], diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc index 6e6edd2..fb3624c 100644 --- a/secrets/repo/pii.nix.enc +++ b/secrets/repo/pii.nix.enc 
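Review bot: Unlike the re-keying elsewhere in this commit, this file was genuinely re-encrypted, not just re-wrapped: the `data` value's iv/tag, the `mac` and `lastmodified` all change alongside the recipient list, so the dropped recipients (`age1h72072…`, `age1zlnxraee…`, `age16lnmuux…`, `age1glge4e9…`) no longer hold a usable wrapping of the current data key. They do still hold one for every earlier revision of this file in history, so if any of those keys is being removed because it may have been exposed rather than simply decommissioned, the secret values inside need rotating too, which re-encryption alone does not do. The `age1glge4e9…` recipient that is dropped here is worth confirming deliberately, since it is not replaced by a like-named entry the way the first recipient is.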
@@ -3,48 +3,60 @@ "sops": { "age": [ { - "recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGejd4Rlhqb09hWE01czJm\nMGpuazBFcWJ6bElnQ3pMUHVVV25MYVhMSldRCi9VNm5jcTRkaUNPemZkQmtvZjNC\nL3FVbjhYT0pLV3RTVGg4d3ZQMmJ3VE0KLS0tIDRFMGJJemFNM3E2a1BabmFvNWdx\nMDBsbWVhd1puQm54SDZiNlYxT3Znam8KIcaM7GlsZS2jieYlN4bi/CX5dp+TYsQN\nXJUKYKg4+vrtZpVi9NHyFif0Hwask+vdaziogHO/xKA7KiCo+NqCNg==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUUw0blVNUUROcmpra1lh\nOWY3YnZlc1ZDSG9QQ2NjbWp0dzlQd3lCMmxzCjRuRlUvT3N5WkdsaDVwY1pUdWY2\nMEYwQ095UjR0TWdSczQyQzVVU0g0TlUKLS0tIE9Qd1VPWk5NU3pJVFZSR1h6anNP\ndy9Ld2pCeTFlaENUb2s1UjBaODZITU0Ky64qhIpF6rmeybVtu/QhTYK6uBdNGF9t\n1+vfBHOxOxdlYOXezlHi4cCPoo7uQ29tsV88VJuDo4caPIKaTsN9nA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoM21iSERkTi93YXovZW4r\nbkoxTTM2L1RKSFJJbU8zbzh1ZUFsMFdleldvCkIwWDAvbU5hVGhKM1lUS1BYcHMy\nai94U0tBSk5XN1dLL2NrZDNZd3hlQVUKLS0tIHdZN0dqM3E1anplU1Y2bWY5ZUZm\nVTJteG5lS3BCTWV1WHFTYVJYeDF5bHMKeIhSkhv36eo+lXpYCZ6490NlnYZjm9b4\n53Czk0CumRJ+3IIdJ+Q6K5CHbQfigDWP3XcUPmTpsWrRqwogtwZwbA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSDBJdWttNmNOT3lsUW1y\ndlRpdWRmNEFOa2xmRzdiNHZRTk9FNy9SUGhJCm5TMlVCdksrSkw3RVA5dnAvekxD\nMkJuOE0wL1lORis5MDJ1SlcrZTNHVnMKLS0tIGNxOXpibFlYdnZZczVLbmg1Y2Rv\nc0VOd0FERm5nblh2c1pDY1RNT2M2UzAKcHZwkMsJTs++TG6YwAuLqxF8GaHdOHU2\n++4ZY0hZXIJlg+W3sYfc3klrzTOSDpLq2KnCskQITK84ZpZ6NKr0PA==\n-----END AGE ENCRYPTED FILE-----\n" + 
}, + { + "recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYzdGRGJqV0J3b2FMQnRm\nUEVmS0FiUEFGdEt1RFdsUm9PY2ZiMWlnNmc0CnZqZE9LdThLSEErVnFwcXhWQ1Nh\neW9XUFNST3QrZ0l1Q2RERWdUQ3BpdUEKLS0tIDA4eWhnVUxnOGZST25Za0ZpcG5M\nejBSRUtBOTRJN0RrUlJDV2RRSFl0TDAKpNmKXLIsahh+sdgSwXWbdpE+7ceD/xjH\n16VvzaJc1nAxU4cOBZzM/tFYP/KXAfC+lxjbr9r4L+tWjfhoiMr5dQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bkx2YmFZVW5iaVYrQnAy\nbnhrNnZ6a1pzeUZDbW1xS0RSREk0aytsMEdvCnNhMmdKSHVJQnE3bGhoY0RaakhP\nbkp0QTFnT3BnNlYyVjE0bE1OOEpaSlkKLS0tIE1mZmorZXFrVUJFaC92djhVMjRX\nUFRkUDQzVkh6eUtEaHoyNGphbXdVRmsKQ1y/V9IanXDrcnHRk3dDXROLglHMHqbB\noMX/5dF7p7izLToYsNGr/VrkCHVN6xVxOayGEuRhOd7JlqGKwowTUw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwOUJSMHVRR3VKcjlOeUFH\nazFYS0R4T0NnU1hzWjFYNk1qai9NYmdJaDFVCkZpUUJKeTBmbnVZTXJVZERVQm9m\nemw1V0lJb1JVRjlGcnZjZW1lNDltWGsKLS0tIHNZaks2M2tXVC93ajNYTSthTDZu\nNXc2WG5MejJ1Z0thajJDSldBSVE1b00Kusadu31IGTpzXG8/1BXjdMrUWFWm+Gew\n+c52Tbh8tm778zYb0Z6EFupjd4lVUYfn3GuyCCB8mpGteLidOeuqPw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SFRBTjdDRTgrYTZjMG53\nTEVlM0Q5R3ZnWUZ1RkE1dEJWSUpPQWZBODNBCjBTM1pibEVwaWxWNDFKTWRNWk8z\nVnBwQVU4NS9xTjJRQWE3N3lsM3pFZm8KLS0tIEFOR2Q0VXZKWk0veDhFWHFEMTBx\na3RHUXBSZzlxUTZWdXVpcmQwbTZjKzQKr88EqRwIP8Snzp+dEyos1++ZD4aH3379\nNkfQp+ZdUxTjbCvPQlk1osJ1hJFWutisNloMLGb3+4pQx3H+k5iaxA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZDBzY0pJNDdEVlNDYTgx\nb0FkZERJZE1HVEhQSUVlOEJUZjVFWVVmenhvCjJoS1hGVkxpY3czTjcrR0V5Mkds\nZSs5d0dEUmx1TnlyS3RsZmV4VWJXaXMKLS0tIHoyeGNQVEdmRWpOMlViOGdmalhI\nZzZha29SUmFaNk4xMXFDVlZaZGI3WVkKc1eB7uQChwRejq1h6F44uXeshmvsn0Aa\nCHzCJ/uGc4bx8hfY9inZ/XVh0JsGa2w1G1lSbE0heTottM2bpHad1w==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHM1NHUVVqTS84Q09wTGgr\nL1BoV1h2blUwMlNQOHgyQ3E2OVVTVGtDZ0hJCnVrRjN2WldYWGdiQVkxY0JjS0dq\nelVidWk3S3Mwd3c0U2Zhd09jMnBISTQKLS0tIEUxeWQ2QUNMQzJvbFRBSjFYZCtm\nWXpRdmdaSUg5U05UYzdvVktkU3lFb2sKI/Xd2j+qlHZxcpyl12e3poZ1lO2HZY+o\nEYEXwg4aUqmtJo9UCHZ00v6Xiq+y1zuE0Ac3R0apl7wI5Zv7OA7s+A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQXVMRmtQbFl5Z2VTVkVT\naDBnV0cvcGp5WGtYcVZMaTc5OWlncitZTjNFCmcvY2F0Wnl4TU5tY1Y2WWlUWjNq\nL1IzWU42Y29yZGRsSnA0RTFZVUhwR0EKLS0tIFlYOEJ0U2VWc3RMNzFhT2RhYjZZ\nZkd2QndCbGV3RnpaWkYxTkRVMytqcDgKqFoTKhY6DzxBWRjuy2Qd3jWQBYlT6pFa\n9WH0t3bOtm86oIjJf8kUICmE2oRVX8OqFNIpzKD0dMoOuXgz5O1EwQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWE16aUI3bVVWQzVvUFpt\nMWoxSVZPQkNCSCtHcmVFblNqT0NmTHNqakQwCmNzZk1QZXlDc3lGMHJSZ3Rad3BY\nc0dMMlNTMWtwL0gyanplWUUraFFpbzQKLS0tIG4rSjVjUFRxVWx1K2J6ZitnNmpl\nWW5wWjc4dGpiUm9icDY2VVhzL1ArZXcKorvI4lqTtabc2+8SAlRi19fwHyHC9XuW\nPFREx6paLv2Bg9sY5tdfeZnf03iXrXe2zfEMLyQF0470P63yv0LIfw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUaU5BVGlBUUdrVzFYM0Vu\nZ0RHaUlKZzkxQS9UcXB2UnQwY1REOSsyc1YwClIya0FtU1NlRUk2amwyWnQ4Qnor\nMWpPTzJRS3FSaEU3ajA5NnVhZDJQcnMKLS0tIDRlemVKdjZ2MzVCRm4yZ0VGZjZH\nYXdJUXlOZ3R1YU16djNMUmxHb045UXcK4kvPN486Phfe8lwLU2E+QIVb3uXHo+v5\nUkxjdxWjpWV1DWFKtFzILU8f9gwYs2LNGqe/uaik/cnECqS+m050KQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVkxVK0JzZUtuR0o2VUk4\nRGtqQVVUVjdaM2o1WHc5ZWhxNnZoM29TUTE4Cmk0ODRQTzRTSkVDSHJjMzZCWDNZ\nTDFsMWNvdjZZKzRJR2RCeklSendhK0EKLS0tIDFvOWxTeVQ5WTFSSjliQ2JVdzBH\nWHFLdm51WnViM2JreDRYK2JnUHR6enMKuOEqqCPfC8E9ci3f+u+Thg0Co2+cvEaY\ny6iPRauDOLUUq1Zo3yR0mYQP82Lk/uVo+Jh5tGCQw67nd6V/fzzLoQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { - "recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZFd6NGlQMW1Jb2Vac1Jy\nam9zL2hzK085KzB0cExWNTc1RHRIRTVQMzAwCjRPekg3WGVETmc5TFYzaVAreVNB\nU2JoaHpqdnhsd1hseVUvY2V1a2E1ZHMKLS0tIGpFR0h1bDJlTnVpQ0NmazhlRStu\nUjlGZGJTYUdHU1ZwNzloQWYrYUJzNlUKns93LeJxg8zNxnWxVH2DWIjGGmWcwOHa\nRD6+2MDs0fcaTIvzLhTihVaykBZ1rvk3Nq1p7p4Zz7cyDUvwW8bO8A==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcHhWQ1lVNUFpY0hhZ1Ft\nRWY1UFdidGlSN1dNSnJrTEwzQVRUUGxQTms0CmtOTE5FczYxYldVbkRvLzlLRUkw\nTFIyTFBQekM4TmNqZ0pWV012b01EOUEKLS0tIC9qdUlsSnI5S0RrRlc4aDZIc3c1\nZVprZlJtRnNrbGpzaVNrWSt1enBNT1UKHrdxe5Qf1aMbY8Ne/uqNPYhYstIKPmun\nuCMseNq4SRUYa3Jw/bUy+l0GYC9+srFFJ45inpV4XAPeaKBr4WhPgA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c3pxR0Rpd1doeWhsSVB4\ndWtxNHkxdkZjWHJDMW9sUFM1UnBNaS95M0RRCk5GMldwUWdhUWJJZGdSbWptQ2VE\nRHpMM1lqV202cjRrQ1N5WjBDd1kxKzAKLS0tIEZDc2VHaHBXd1loL0UrZTJJaGRk\nLzVzb1RZVmtNYkZNM1pqZHhYRWVSOGcKIH/JKbzaOlWOpt1YShHar0i5T/rd5m1w\nkx6wZ3b4dpUdN3FyPdhrjT5RWOL1BHhcpjmRdBTAHgdqRLSZfYEosw==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNTNITjh0ZjdIaW45dXNG\nYWdmVlhjbHlBTjUwcndsSS9ydUdlakxKeEhZCitiU29nRDE5T3liOEpvR1paMHlE\nVWhvWVE1dU4vTDJ6V2J5eEpud0RMRk0KLS0tIGpGMWRwSkVDRUkyZzBHQkJlS3JB\nY3hhaFVTRUw3N0pOMDNmRHIxNHNIUFUKfWhcs6II9k4G9NrJ+i50nbOkOxUXYPiq\ndrpvA2YXwd/x+TGZ4m/IJ8CkESEpNp2Ql0GyemJ5knjb1mx2Cqqwcw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdC8yODJqc2dBZzFodlJw\ndEJUejNMbVZXZm1uQ0FHeFhKd0craG14N2o4CnlvVkp6eFVLcDlnYStHaVRoajlm\nb05yZXA2aGpNaXROY2paYmpqM0dCencKLS0tIEVhMDR3d0Fla1RKY3l5cXZsNEFP\nZk9vdGl4eGxhcnBxVE91Z3ZoZ3Zzd1UKavS6iLiXL5acrtOc34OT2V/Ol6lWLtCo\nZglO7H8Agh58FRhyQUvDu+bHXTGnxWIhOnyAjJYwP3XUk0p/3E4PPA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSWh2VDk2SE01VHBkdG40\nZjBRaGpYS1Bjd1NkQjd6KytLMFJqY1ZjVFdRCmd0dzk5K2g4Z1NyUXk5M1h5eDhS\nSjFiYnVtWmdwekZyUUplaVRJVnY0dzAKLS0tIE5xdi81R0pQemNmYjIzdGNyU0dY\nZHE3R0pEUjQvN21hRzZWS2VhemdRZ2sKkxOMwLetpbV5ZUC9ZxG3/N7vCT1vZRtR\nVRPoJB/3ws5hSE6G+5Qv0V/EjvzT1JkNFKsNBLl80Lf/veebX15KVA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndExDdXBrblUwY2hKYVFV\nMGRJNzQzZVQ1c3ZCMjhhQURVcUJoN3NuZUVvCm92aFdqaEtwM0czTW10L29HT1BL\nay9IV3l5QUphWkFyV1YyM3BZelpiWTAKLS0tIGtFbTdXMk5LcEgxTFh1ZmhWNlpX\nQUExdFNOaUNkN1N2VFpBd0h2SjhrdDAKFoNlyz+coOn1lFUTZlOuVOFvhnoQwwiT\n5U2TdCA8hlFyxlf7gGu47MyGVXbgtRBVGTXH0oVU8nn6RvquT2aBUQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2025-12-01T23:39:07Z", "mac": "ENC[AES256_GCM,data:WEVxtO3Y7YI/COpOvvadujDYV66MtcKKujiE9P5mrDqqdjG8p2fLwhSNJHVJUwPyV8xAIIxCTqIA3bKmVKJ7vRCn2GQo5tRsWljNVU6g44LcXcX5wSeIgExyvUNjBppLbWsjstvfuJatAZwqDBN7eP/Ntu0R7p3wlr4IddDe/t0=,iv:es5N9A7ypxtNB9wPYT9uumwpLZg7wT/gesO5Q6njtxA=,tag:kgxsF5ZiYvM0wHDq6C19PA==,type:str]", "pgp": [ { - "created_at": "2025-11-23T20:29:17Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cXb4LCSFl87V234GULIunsSJFGmzu1fp/lwq4I9UShKy\nb0GHhheX+z+0U1+L4Qk4SeE408A4su52sRJJ3EN63+eq0+FPFxoxQH0NtfTSQcWa\nn9/sXnP8hrjnm6r64lAFd3B0HQQE/l0kqDrvU+UYAKfwomxpbdenoqQbinqX5Qgm\nY1Yqz8jIIxU064S4iiwTkLzqUi8SCPa1MCGQi9HEPxUHoVeuquNEQcs0HB34XW8Z\nxLUWSsUdpjb8NM73WArpml8XG9bHmdG0xxX1mZwK+uA552t1WDVqX9QHClGmQTdl\nPM21S8chJI1W77EjCsV6QfSicICU3RbvLSfLU0WoZ394VmZmxTGGoofpESdLVd4F\nU5ZLR2t7iXy0jb/TEeZfTGD2PPrt+hSWt5K3PIQnAb7fvLg/9fiG1LOeQlW+SZKD\nlojaMn01Dg6Rfex2qsXNrKfi/qmA3tpjeN8pIBpCg6EPlCFUzp7/cueTF9Xj/Tqk\nL+IOOFTKLECr/lQepz6rS1XRHrJtWSyksd3rt03s2Q5UqLdoiUZAYXgJAWntNMKL\nU65rKQdJZXtp99oDG+YVp9F2ZCogZN/Ac5+sUTmke66xku6dh5Qqe9MpYtAhPmQO\najMZiAeIaoaYwc8vFMGvNbJH2pmJaFrW9v4MELkTmi0EjZEPgPWCOIgUkEtKanOF\nAgwDC9FRLmchgYQBD/9eJUINu1YEtZZI8iNujEBNMlgmKjl4nVAwB3sviKvByWgx\nXxN4xptU+6gHpAeyRxwvWLhv/xGkHWAUJHkMsqMKYyXQQPAC9x4l1pq67AsNpMu7\nWcec+B8n+X3gwnmLes5H0fvdJ+gCMR32JL1PRnLnkTjeSX/JBFRG9tPZ09k0YvTw\n4ebwpYxlimxXZGR0DDRh3Jls9+YqgBzMb4EOo64SyzD1ZWUjP9addRpj4A5UpSRN\nFscy54sG1CMRzLyXYJb6AgDLVysfMq0Fgg2AgvaadmoKh82/Knf42C1K9DPqakQl\nmLyzXprvUR8mlBpWwZ5b/XIC6DuhiCz0g7dYX4XPeUxvah7PkRp3cmdWsJDCgq8V\nbwQg4Dm+k+8BZIZwRC4+3gLchhm9Jq/KtJ7iWqeVb+YQ/v+/712BiEJSANofqMQy\nmkHVksp8E/PFU9KY
hG5lkQu88zVmnimfWFO7UKfIJGBBzgt0vicrSKjHPkgbb88R\nG9diNPOuXpCJJVecE5p0BEfizfDWnV7JSm9s7GNdTqglQx2KkLYJ1mijWuF1OIf/\nl1cdN8IFRI/glXC53+Wfj6D5B+lhdT1D3DG9MVGxeEyhQCDdnF7+Zy1jyDsrOpDv\naCq0MqXoa+FrtEBwlke2Dukf4RHtyBWsAg94dJuHVV0STnJbB+2T7uDDvVikvtJc\nAQw36Ni1lDO239BV5VYMDiNR7zzcLRHV+hXjlGqo4f+UbTy4jXxgQwS0z4lGn5XY\n1AKcAoNYxjuuGhgoM5Gw1ch02QFFzXWD/Bva5dLEMO/1Kqre/LM6+iUhKd0=\n=bZ7p\n-----END PGP MESSAGE-----", + "created_at": "2025-12-02T15:47:04Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/7Ba1CD9+AjiKFX8tlrPIaQF/3i0t3irrZJG2tX0aGjEWq\nVMZOp/tgBfLLODYHLF8LAgRF0IAzn1ehpvzzESMrXc+X4Zm3ls8yH+n80/O9o648\n925HxLh+E5PXbcOksCw/PaVBjfqaEi+k6rbTyphgO0bwaisbtSZdMjPmawfCbw45\nD7QyCJd/XNdLyGE5wvxSj7shUaBqFzkoE5iQ6pR9mlyeWVy+QY7703+IyfU0tcw9\nIAQohfO4n5h58IfS0QuygBUCoLaDG5iniGoQ7Tu5FcUEP5MO1zF7izbtYYE5ueQs\nI4MoJ3RdsUIwd++CNnFDTRJCzfbB0NvCYd0hArqEdVcIr4rKrNoMchhUdP63Zu4Q\nwhTb4EmwGJg1MlZ/rEfQJRU3Ywc95aNX7IxcywDw/5FMQsON6EckcYcE8oNzhFfC\naxpaAjqI8jEb0XAsNcpJTJRhc8GG9YOpbROAm9FGXgRDh4YOWiMyVOwqLsOk6vpJ\nFaGAlelZsWcnmYllp/63QZKz5IXOjlHo8p20/2A0bfSfjLNGgq2x0Y3SCHOW/T6S\nUXYQQnijckqxQlNtkJVFaBXH5fxTzYAYjaLvCA49KoG1+NwCQqDV6+8giCaIYSME\nAf3f+Fj7ylXOtH5QR2rTA7/DcQlmMBV6BeRzFg8m4jRXjrmfWaN+sgNaT3aRHkeF\nAgwDC9FRLmchgYQBD/92rCyWj39tfr0Nr3YbSU18MvJVcLkviXPtLtOQLzhWgAnH\nTiB93LOw2ViaJI3SRPs2QOlOxFy/7PwhbRpB39dDqIL8zeVQtGjQhE3apbYguQc8\nTFP6Ky+0T7E3ycrYIF5R3U1GBcXBJ4jljDuLfPCDYJr6azWmZFQep2l9p4ZQfPBA\nQwTBrrrZo2uFCuLvXoEADaWwM0c0PaVdF0VopB08zWeLD+W/YLxRxdgeXPc6SKkT\nl1PGaeq+rzON+PSLQOmC4vnpBzB6GUUH9fZxBQl3didomBZxjM8dBwqScQQMaSX0\ncbnXy1YbwHiAMnlFaV4uAATyG0eKqlYfxk79WK9BLaVNiPe8bXHBdZTCYkUrY1FI\ntODKa0Mzhgxmcth7uu0654EnqDbiPr2HyEsYC1CKyjO4x704k7jWPn6jzV+RNO2a\ngiJd9WftMzFHFGSK4qVXd3OKvpPE9WYUeyPJYquD8luMPGIj16pidxb1WtdTDVdw\nE5Qt+CTIct2aNCiSyPunCkyfFpFDkfdUehAmK6WbjAWsq7/mHdTIDxsxsBWzx6bS\nxwyXjepky3cO4POTz3js6MapR0xwGsWzm2s7YkMgHtrfwf8d9JnMuJuzf/Jrr5du\nn5oSNToTny1edhuhP0mC66K0avAe1K9WJCGzgdhGBYcRj22o/d3YoZzgg+0LBdJc\nAVFrJ+X2amLM/SEYE3+2fBnV5zgf2RV9VzBy5caNArOnWIFkM+g3zdQK
gSqR70gk\n8hPRggQ/u7jJx6wps+JyoTBhHJmcntB82RDTgJ7Ht20PZgmX6GIreQl/obU=\n=prsF\n-----END PGP MESSAGE-----", "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" } ], diff --git a/secrets/winters/secrets2.yaml b/secrets/winters/secrets2.yaml deleted file mode 100644 index 00ea63e..0000000 --- a/secrets/winters/secrets2.yaml +++ /dev/null 
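Review bot: This re-keying does not rotate the data key: `lastmodified` and `mac` are unchanged context lines and no `data` line is touched, so the same AES-256-GCM data key is only re-wrapped for the new recipient set. The four recipients that were dropped (`age1h72072…`, `age1zlnxraee…`, `age16lnmuux…`, `age1glge4e9…`) still hold a wrapping of that key in the previous revision and can therefore decrypt the current ciphertext, which defeats the change if the removal is meant to revoke their access. Rotate the data key with `sops rotate -i secrets/repo/pii.nix.enc` (this also updates `mac` and `lastmodified`, as the globals.nix.enc hunk above shows) or confirm the dropped keys are retired hosts rather than revoked ones. The `secrets/work/secrets.yaml` hunk below shows the same pattern, a recipient swapped with `lastmodified` and `mac` untouched, though that hunk runs past the end of this view.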
@@ -1,56 +0,0 @@ -#ENC[AES256_GCM,data:K3S1LFrPmaS5,iv:dxFzPLhN2otgy02VWzrLURmomtYdoIBHvEJ1LJ7Lj9k=,tag:stKgkBnRDZkCPlvFk+btRg==,type:comment] -radicale-user: ENC[AES256_GCM,data:2G+WXxw6jrnPXsI=,iv:bUEhBDrdTt+O/4TXMkhmqnzfkSiws4n7L54Z0zZnSOI=,tag:JGQPit5uGqITUyyCpU3OIg==,type:str] -#ENC[AES256_GCM,data:+7JEI2P/6/5yiWQ=,iv:hV4TyNFsyugrfFM0emxGDDDq54XWy7fVCf/kwD0mtCM=,tag:iZz9mPsLG02rlgV1vP8aBQ==,type:comment] -prometheus-admin-hash: ENC[AES256_GCM,data:dUmTW6W419TzF8dLGcgRLlbLBg9puzgznNCrrAuNOIuhXCBrqaJdtyIVFCsnrDSEh1ZdMfGki4UERZcf,iv:XIlb65V6yhrKSU7AbRs6k1ISljZjWnAm1dPTCONwDJI=,tag:UkdDTywivitSxYR902uM5A==,type:str] -snipe-it-appkey: ENC[AES256_GCM,data:VWEGKbCD5P3uxeyMVtK9a7BcVjXlXSEsJxfLEwkHz8l5o0Xq9lTbTpsfOoc=,iv:3nq+xuuujjevWdmk3SdBai/EWXwL4F3Kv4M3yc/faIM=,tag:/cNC/EKR1NWQhJrh46meCw==,type:str] -snipe-it-db-password: ENC[AES256_GCM,data:O+LgX+XyJEaF+1oYcjyMpUab7AD7tWK3LBd+7VJOKq/Mz+k=,iv:yJgwlG/ln5BdwW2c62UJLIkrCWakKvj64LMQsjTIwJI=,tag:yw0rC1GJo+KMn1wXRdJomA==,type:str] -#ENC[AES256_GCM,data:jGvWDKbVKA==,iv:N4cMopsUPOfymKpMD7oB04VtS0cUX9yNNqwyWEdyMi4=,tag:L4PMmMcM1NCc8LPG6GJLMQ==,type:comment] -garage-admin-token: ENC[AES256_GCM,data:2N2kqXt7kraqMQEkDuNQN3SRiL2WKRA959Uc7HAdSlZcC2Ft06YUb+Elktw=,iv:dhAZoQBhvK07+wBpMEsI73YN2oX9dMthV3SaDWZgea4=,tag:0Pu0BDEYU9WYQQ1hJr8qFQ==,type:str] -garage-rpc-secret: ENC[AES256_GCM,data:s8qGCm8WM/pvX7wZJyenohMAHnNWrumUxyJvst194h2XPfpLBbKVZwZ5t4zkwqh0yJNgLqE+2ekwCxa/xKqemQ==,iv:zUo/x2LWS7b2E2kZHDfa6lAwxAcuNir5a+mg+ASDarE=,tag:XgBh3ajVDy0vWccX8yZXSg==,type:str] -sops: - age: - - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUHpqd0JJMEVmSHNici9W - QzRmK2pUMWFtN3ZPQURxa0hzQk9wUTRsbjM0CkxtVjBFd2VLVEpkZmhLWis1YlhY - Yzg4MHpzdHZkZmloZWNDUVZRbkF4bE0KLS0tIGhsQ0dmbHVvYjRuVHVzTzNIbGh5 - ZWxwbGs1bTNzdXVNSzhpNWVESGJlUzQKzZr3cYBF6s5ihgW/6CreOKWvQpqITrFX - pW6gwbRbxaxDPRRdfn8qswcezxq5AwOk9drbOH+qgcwL2owRGxEhcQ== - -----END 
AGE ENCRYPTED FILE----- - lastmodified: "2025-11-05T14:55:44Z" - mac: ENC[AES256_GCM,data:nyz3jp/qV8bwgx0q6c7RmXtzdmwVrt8C6FU36qtzUm8tPlAd1K7MmgxRKFi85NqOu3XPII2OkwhNPRBOJuQOoXGfo27odfZl4riQ+any4GNarDZ5deZ54+kjgqyvP70dsm/tiZgZ8Fjwat4iLV+mqJYMS4OBl5krr5ocU+LY1pU=,iv:l56tIBgMog4HSxP9Fb4pWSD/z5FaPlHRkUYqlkhydzc=,tag:IT++kT0EncDzEEX4DdjW3g==,type:str] - pgp: - - created_at: "2025-06-28T23:22:37Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTARAAqpPsEJZDZZ2Wezne03E310ix6dOcJ7ZdpPNkPJBprJh5 - ip4PmWKnYPnNS5SZV6+1jHOrconChnF4hAxVMH4bgZ/hCkPVNijac3xl2en5NP3a - gPcKSQl6SdiCvfcs+bU7hdCn1glL/PHeilUl+ORJ3olbK4fjrdj82qxxlWVPpqyX - iwjhvcS6rjJ3rTv0KAVRmpGQjFN6cBnei1Yv2wQqypcmD7D6kcsTp8w9MXz8waPI - 3Qm0gGjDSUWCrSF8FAwy7QSkJ/Mwjz7yTtQfVIDUQU+MOx0kLY9sIYNkqwZV63RV - HxfxrvIOOdkeCi71x6v0s+Kf3PoqxJgqRAV5pOmoMT6cnLH6+g4q4PHKoRY9d1Dj - EP84VtQkqDLt9JYJJfN2FyVukhUZf38ECdzC+DrTeXuVcd5VV0t7q9LJWG4wL0ba - 8P5rFzRcR6TnW/7Ku1rwebnawxeMoppaWlD8hbX5gEtuLKjLfGtwG7qcMdY2YWVZ - HQsLrMsOrNrY4hvT3j1Tgs67sFpa3b4zCbs57ecUPihiFElpnRueFtIFJY73UYF6 - 5VNSxhWNhXigFOBoX7Z6LmGB2hGrMi1FnYU93Kx1uz6rqypolQ2sG8UUbkH203gN - 4R1xA2mD/uQ5824Uo9I3W090XASI6w784pduDdtzCruZVhvuRd3tRtsAJBGwKPWF - AgwDC9FRLmchgYQBD/sE6rUSTcVVmgbr/FYPgglMFw0AM9Zwrpw2vn19eIBwkDc/ - HS3J23UVqHlzBFQo2oLQQQ2NZB9ObrYNxwsEqkQnEDp0vBVZHQMlFHYOzvJo8TeL - lxUhT4cSa5mkTWLD+1XjDllNzudVB82uJERLvcM5qRAiksaZpBUchUlDIGXiH7kI - /C4gRYN/JoMPrIOx/1LBZDHiP/9vcnK68P8XdV2l9pvIEo/S1aEHcvtey/WnX1ze - YIREcghXmvith8D2CL6Yd3vrKcfi3QG2CPoKSk61G+NpjcRpozI78T2KU8jL3jgz - XqHqLpmH696z2vnh9IzGtMMvUvck1519M6CLOa9cey3+ByDs5JYHWAxH/jepqCIy - kPfxHVhoqiHJiRRSAkBveYLAlInppH1FLY74emJpo9UJyweJZMpn714EuKIQXcxQ - S/3p9FGM7fyTAKK3EK6t8FRYb0ees//u1Ol+iiWbnR4cmsksN4gEx22IDDBcxPGE - V0oW82pGoR9ZfDWpy8IdPsir3feIcU7cyoYCvhOKemJt+kg9hqxJjACuBbrvS1N6 - lF4tzelsZeFQ/HZMINnNvsgdz7tbZsNQWa0EXe2kzBAtLPD3rIfRi9sFsUkT5X7Q - T+fKstJA06o1QafjjPWKnY3lMV1BvbMMHJ2EgaeZr3IYjmsN9zOvIb/71u6vj9Jc - AZcfV02X9OFN5T/NJ3WQ487L0B/T1vyFxijB+APW57noWoNjroIrIozL+Ke7wiKL - 
c4of/1Hsw4O7QclIMvLl4Vk4nZj7CfedbYHCFocL5rIB/oQe6GV4N2o6e/M= - =fult - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/secrets/work/secrets.yaml b/secrets/work/secrets.yaml index 796d3bb..6537a9b 100644 --- a/secrets/work/secrets.yaml +++ b/secrets/work/secrets.yaml 
@@ -12,47 +12,47 @@ govcnetwork: ENC[AES256_GCM,data:Hevnb0fAMbXTrg1CCmAgwZbJ+sxaTUgJLRc=,iv:UoNyPYu
 govcpool: ENC[AES256_GCM,data:sfglbCi3,iv:UdvDgyI8AAFdfOxKD1sVYCof7rXFPavq8eYDaK6Kp2I=,tag:iMn7XPf0rmql2EiaqsAn8w==,type:str]
 sops:
 age:
- - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
+ - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UFRiR2d5RTVLckN6akhK
- TXoyTmNqMGtlY0gxbEVQb1NoK3VJaks3YWc4CmdnYmo5VmNqM21ITGg0dzhreUFq
- dHZjK2s4UjZGUFFKVi9JS2F6RE5leGcKLS0tIHZLeWZCV3V0RGNmNDd0VVhLejF3
- Z0dpTnpXcnRub2NWU21PblBtUnBXTnMKfmW5I2G+XhXEi8ssdnlavppxhgI4G56B
- 555YBJ8mLRXKINtd37nUyfydEUYiM4zUbTFlJ+83VVF//+4KUeOCYw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwN1BJamlqTmcvZWZPNFVi
+ bU5XalhTTDgrajd6OFBBNFZ6RTBTaGZzWTFJCkN0VG1WYlRzeTlxZ3ZhNlNmZ0pN
+ MlY0K0lFWUNJbkFoQVA4bmVVOEZGcU0KLS0tIFFpa04yQkQrZXlsSzRiTUVicXdF
+ VDhiYldnZ3piamFoUHBuU0ZVaGQvbk0K/n41+x2YL/rpaEAUbjvCtyUmw1uwCXVo
+ jmH2cXi/GH4CSoLY6oekq1m9dY/Jxgl7BK+KdRwf79IwhpP98E0xzA==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2025-07-03T13:26:17Z"
 mac: ENC[AES256_GCM,data:35J6pbaTXcq8zW3wtLqBAHSTaWjCxx+BsOZlKWNwxEOCkGzXIIKFtakZJIaMktgPNLvYOlUEOP7dhjUc5IvJCM5beMSNOjBVJJNnLkKQv5sCJK+4p4uTzXo3Neht/Y3xan4DQItdm5lwwQpyNlCecGynVjqN+F44liyxsAR8gtQ=,iv:gaVY3PUn7NdmBNAvuvij990T5pRrAfqY1qgCPWxGBiA=,tag:CuOMqH34hlQX8WPikAL0qw==,type:str]
 pgp:
- - created_at: "2024-12-17T11:38:28Z"
+ - created_at: "2025-12-02T15:00:16Z"
 enc: |-
 -----BEGIN PGP MESSAGE-----
- hQIMAwDh3VI7VctTARAA2c8ZhXvI1hepU4CUbRb8/DoEjRFTcRKFr5XrsndHVCwL
- xCLtBH9KqMf95/WzcF97qbUF+d1R2Kc2rxd+WPwYK2q7dxaR2BHyTbcbuSy92Dvc
- yT7qlfl+l6HhgKXzQD97siWbXpY7AnKVb7swLlaODjWH3PN1Qw3In6n+o8i88lts
- 879uyzs7wsr1L8a/cp666KrW45E9nqxpTa4cdCr+bdWdCdlhTPPFSonF53YfLLBR
- 1rsscv7w6nQy6/hRZ/rcXuMZbqF4mium8KY6TqaRDGgctth+7ZNhIS1HRfDhXwXs
- HcZwdvBvQ7EqBS34v4J0DOMqlBLKlFFtTLP/5AeXy4sCOs6vCx51WxqG8Wzj0ybZ
- N2ykQHOQGVW5zbP/OQdZF9TUHJFhcF9leyV86XTWBcNOBJb0+N43milKuZwczd0o
- jLBODysOTM26YtB+4NFyR+uFCFHgCrCnIxc3CApnPnzJbEc+ze3+otGdzPgkMJ70
- vK/RzpXhSvuFu3reDpuyde6PbWyktj7CDVbYkt27DGEj2yQonfYKjJeL2RfgITOg
- 7433ZM9Sz54ZOEsBmw3ELaVRKu5CPIyBY1o2+JSBdxLSP2OCGRE6/GVzmJC4ryyM
- LNQ3UCoXS4YpuBbZUuI6yUt+4VRYBFDUiyZaJJA22A8Yr9DVxJfZGjpb4q30HdWF
- AgwDC9FRLmchgYQBEADCC8VMLPXd7doX5JSXrGa5QY54QUP3HlzGX8hbJ9XUx/yB
- eXfl5FdqGQZ/dfb5T+rYH/7pSYt+6nBaJ6GeuVQOT+MWhSXqZRt/LVkHHHpwQl6X
- u3aNHcNmuS2LrTN/U+isWGamTUEokIxoNU+GZxmV4HlWLR7I9k8BlFO3PDpJ952s
- sRxX6gWk7JS28GKo1IozMsncoryH4Ry/vjCCHos4Vm99BkkxrlSrO2MyRXiEmXPU
- AiiydYDBHRrMWxDkRy1nlkdh7ikNeV92bAqBQmbKQyams0z96BDnAYQ7e1gUX/gb
- yB2m+YLuZZK15aFoy8Kq+bY9gQltRVJF2RrgEr3aNm3TOAsSx6Mu6EfRq4MfG569
- TlWDHEmf7+imSqFV6UVN3x7Jcbks6lkTHFNctofZHYpcLmq79FhbdpRTLhXLDrOZ
- cXYDtkjyRgBYIcjzj7Rf+6Ve/XLfdTRmqX+o11Iaqp95mRqHenm4qdsBw8FK2/Cq
- FvlUz+Ms4C+xAWS9tIagKYyJkoH9ZJqqaTfq/c6o2SJlsd6jJ9eNyhKHmgy0vCBQ
- u1ulEl84jZcSZl7XoMTC+HLWAM0T9AGPXenAg8+sMxl6Ck2rduv6CIyHzFqGrqTt
- 90sZkkW2DQFOrkaSeu48in42L1Rc88aRSsVc3Z4ID7z1XC7sAlJGgOn/Ua2j6dJe
- AbCP+ritlU21urp0OHdrefGazJvHYURTTR+s2NwoeeHaoTgDU7Gf0ddSaYyzqaB8
- LfkLAdMXXBWGCLWNVg5vCBRwZIImuQz67DZSSR1Dulz4Fy+WNSAC0m5AGBKtnQ==
- =dcOv
+ hQIMAwDh3VI7VctTAQ/+N+OvAooLwatMFprJMVOfItYBfn77l+FSI0Xj2wlJcq8l
+ XZcvUGtmmuoVQPow2H/M9FAxxP5ZTsOtRlgFl+Tt3JxXh3lo2L+Ia6jRYKFX9255
+ YhGS5rBG4YReaxPXy9sZgcuZL4KmO8nVzbrpTpYutvOxmjeMF2pfwUeFMa3UJ+5k
+ 11sSpuR6h4qux+VGeLZ0hRakjlyTWbhCBL0EDpijo4YKOHCCOEPo8hOvpxRDlvbj
+ P2hOKlVr8idIBET40BjNbMQ1dcfDwXMAOm5tevWTypBH9KqHgQWUyt+sok5yMqis
+ E5DvY8G54daFU4v5n1XSVw/C7iWx8XeN/h2SnlJK5AkUqnrcNb4f0jlqwDFEzkPS
+ yht56C3om7xzh2PpiLxGC8iJdWnT3QjTghrU5J/LwXNlACh9NhHItVf0P/FHMeL9
+ aXCb/Ylzpg/txGZnylgF/rTQ2Y0ZbsNm/fyNF/IamMrJvsGUGQ56Z67Axk622Gyi
+ cl/bF9CruGdyq0iL7Zgpz+BlNOIRQpEaYKJqkZes+aS/fyKnPUFaBV9DHAjCNEZT
+ xwBxZIRXSxNx9JAmrpzO+0QLOS1G4N/Yk0sEnmjFZBW+ajplSh+2ZXVoiV86iBYA
+ /QjcB/I6sjT1dEvEc5qatrxjEgA9mSIco302o2JRzLv5PnB6QN1Gr9NBPitz7eaF
+ AgwDC9FRLmchgYQBD/wJUf+LJKZAHI+Zeh4afS2xlfLXRZ+pTlScdBIaX0ZtAxwH
+ mmBfmRdCY+xR7Bx4qYZrHhWeE13Q1qCvSsNuIPU3L3vHtdkxpr52Vt4NUFZ1DP3G
+ D3dMqHulpqrxvw0iMDrIsKJveNkGqojwPtZr2ougr/CguQ/HiH4Lm2QUaf3UzExm
+ di75yiTpjW3ifOvCwBUErkdOozL6HxrWH2bQn8f0qElsmryF4RJ1ve7x9Am5L16s
+ zP7cxZv/s3sNH17i9PgqjytSdoKrv3KIGMxnV1rasWNnUYTkO7KZPMkeFsZQX14Z
+ 2OtIpYZs0UFvwsfwd3J8KAexwocF8lUS0CrgPeNQUzn+I44vQtMMd4Aoia5ULrU4
+ ClLn1KtOrLFBSkzytrcyjTORLANdYix6lGEgZtC75ICjzDRayivtO8XrO1xbzFjT
+ hZsoJjpd35sIkVczr/joCq1jP6aKMyKEzunvUufw9wMCiIgwgY4htrE3BoPAP0v1
+ ZE1ToX3OAniY3iSfyVCCm4bVNoOKU5iXD9UpV8DV+AZOQaYZyUzBnvstBGigHxKW
+ TckIvX3esXq1MADETFmm8kzzyDaKbPm6tRii/04CT/lXjSJiOFbJlCkGZaBbAIOJ
+ q/WSa1Z0hfoHz/BdNqelkmKjsrsmS4nJlGL6ereGmByu+lL2z2IN4M81Jpk/qdJe
+ AUSIVKQhAIS1N6qLzNTz1GtnI1NDFozEP3bXEhdN7KZVp/ivv/na5pzSHnvPodK0
+ hPtNU4gLlKqaQ9FczVc0t1rBxFz16rNCn6EvsE35bMQe4l8jydls49UJsQZyAw==
+ =gZNd
 -----END PGP MESSAGE-----
 fp: 4BE7925262289B476DBBC17B76FD3810215AE097
 unencrypted_suffix: _unencrypted
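Review bot: The `mac` and `lastmodified` values in this hunk are unchanged while the age recipient is swapped from the `age16lnmu…` identity to `age15cx90…` and the PGP `created_at` moves to 2025-12-02, which is what an `sops updatekeys` run produces: the existing data key is re-wrapped for the new recipient set, not rotated. Anyone still holding the removed age identity can decrypt the previous revision of this file from git history with the old wrapped data key, and that same data key continues to protect the current contents, so dropping a recipient from the key list does not by itself revoke its access. If the removed identity is being retired because it is no longer trusted rather than merely replaced by the new host key, re-encrypt with a fresh data key (`sops rotate -i secrets/work/secrets.yaml`, which also changes `mac` and `lastmodified`) and do the same for any other file re-keyed in this way; if it is just a key migration, a short line in the commit message stating that the data key was intentionally kept would make the intent clear.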