chore: backup work done so far

.sops.yaml

@@ -6,20 +6,20 @@ keys:
   - &users
     - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
   - &hosts
-    - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
+    - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
-    - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
-    - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
-    - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
     - &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
     - &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
     - &hintbooth age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x
-    - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
+    - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
-    - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
-    - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
-    - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
     - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
+    - &pyramid age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
+    - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
+    - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
+    - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
+    - &winters age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
+    - &dgx age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
 creation_rules:
-  - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/repo/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
@@ -33,183 +33,93 @@ creation_rules:
       - *hintbooth
       - *bakery
       - *toto
-      - *surface
+      - *pyramid
-      - *nbl
-      - *moonside
-  - path_regex: secrets/repo/[^/]+$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *winters
-      - *twothreetunnel
-      - *liliputsteps
-      - *stoicclub
-      - *belchsfactory
-      - *eagleland
-      - *hintbooth
-      - *bakery
-      - *toto
-      - *surface
-      - *nbl
-      - *moonside
-  - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *nbl
-      - *twothreetunnel
-      - *liliputsteps
-      - *stoicclub
-      - *belchsfactory
-      - *eagleland
-      - *hintbooth
-      - *bakery
-      - *toto
-      - *surface
-      - *winters
       - *moonside
+      - *dgx
+
   - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *swarsel
       age:
-      - *nbl
+      - *pyramid
 
-  - path_regex: secrets/pyramid/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
-      - *nbl
+      - *pyramid
-  - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *nbl
 
-  - path_regex: secrets/moonside/secrets.yaml
+  - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *moonside
-  - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *moonside
-
-  - path_regex: secrets/belchsfactory/secrets.yaml
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *belchsfactory
-  - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *belchsfactory
-
-  - path_regex: secrets/bakery/secrets.yaml
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *bakery
-  - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *bakery
 
-  - path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: hosts/nixos/x86_64-linux/winters/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *winters
-  - path_regex: hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *winters
 
-  - path_regex: secrets/eagleland/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *eagleland
 
-  - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc
+  - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
-      - *eagleland
+      - *moonside
 
-
+  - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-
-  - path_regex: secrets/stoicclub/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *swarsel
       age:
-      - *stoicclub
+      - *belchsfactory
-  - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc
+
+  - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *stoicclub
 
-  - path_regex: secrets/liliputsteps/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *liliputsteps
-  - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *liliputsteps
 
-  - path_regex: secrets/twothreetunnel/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *twothreetunnel
-  - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *twothreetunnel
 
-  - path_regex: hosts/nixos/x86_64-linux/summers/secrets/
+  - path_regex: hosts/nixos/x86_64-linux/summers/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
 
-  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/
+  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *hintbooth
 
-  - path_regex: hosts/darwin/nbm-imba-166/secrets/pii.nix.enc
+  - path_regex: hosts/darwin/x86_64-darwin/nbm-imba-166/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel

SwarselSystems.org

@@ -407,7 +407,7 @@ Nowadays, I use flake-parts to manage my flake. It allows me to conveniently spl
 - =imports= are files pulled in to build the flake configuration (similar to the imports in the module system)
 - =systems= defines the architectures that the flake should be provided for - I go here for the four "main" architectures, although true support is only provided for linux systems (see [[#h:6ed1a641-dba8-4e85-a62e-be93264df57a][Packages (pkgs)]] for the main reason)
 
-** flake.nix skeleton
+** flake.nix skeleton (inputs)
 :PROPERTIES:
 :CUSTOM_ID: h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b
 :END:
@@ -526,7 +526,7 @@ A short overview over each input and what it does:
       nur.url = "github:nix-community/NUR";
       nixgl.url = "github:guibou/nixGL";
       stylix.url = "github:danth/stylix";
-      sops-nix.url = "github:Mic92/sops-nix";
+      sops.url = "github:Mic92/sops-nix";
       lanzaboote.url = "github:nix-community/lanzaboote";
       nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05";
       nixos-generators.url = "github:nix-community/nixos-generators";
@@ -666,7 +666,7 @@ This is the file that manages the actual decryption of the files mentioned in [[
 
   # Decrypt only if necessary
   if [[ ! -e $out ]]; then
-      agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key)
+      agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key || sudo ssh-to-age -private-key -i ~/.ssh/sops)
       SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file"
   fi
 
@@ -971,9 +971,10 @@ The rest of the outputs either define or help define the actual configurations:
         mkNixosHost = { minimal }: configName: arch:
           inputs.nixpkgs.lib.nixosSystem {
             specialArgs = {
-              inherit inputs outputs self minimal configName homeLib;
+              inherit inputs outputs self minimal homeLib configName arch;
               inherit (config.pkgs.${arch}) lib;
               inherit (config) globals nodes;
+              type = "nixos";
             };
             modules = [
               inputs.disko.nixosModules.disko
@@ -987,7 +988,7 @@ The rest of the outputs either define or help define the actual configurations:
               inputs.nix-topology.nixosModules.default
               inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
               inputs.simple-nixos-mailserver.nixosModules.default
-              inputs.sops-nix.nixosModules.sops
+              inputs.sops.nixosModules.sops
               inputs.stylix.nixosModules.stylix
               inputs.swarsel-nix.nixosModules.default
               (inputs.nixos-extra-modules + "/modules/guests")
@@ -1004,6 +1005,8 @@ The rest of the outputs either define or help define the actual configurations:
 
                 node = {
                   name = lib.mkForce configName;
+                  arch = lib.mkForce arch;
+                  type = lib.mkForce "nixos";
                   secretsDir = ../hosts/nixos/${arch}/${configName}/secrets;
                   lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true);
                 };
@@ -1031,7 +1034,7 @@ The rest of the outputs either define or help define the actual configurations:
             };
             modules = [
               # inputs.disko.nixosModules.disko
-              # inputs.sops-nix.nixosModules.sops
+              # inputs.sops.nixosModules.sops
               # inputs.impermanence.nixosModules.impermanence
               # inputs.lanzaboote.nixosModules.lanzaboote
               # inputs.fw-fanctrl.nixosModules.default
@@ -1040,12 +1043,15 @@ The rest of the outputs either define or help define the actual configurations:
               "${self}/hosts/darwin/${arch}/${configName}"
               "${self}/modules/nixos/darwin"
               # needed for infrastructure
-              "${self}/modules/nixos/common/meta.nix"
+              "${self}/modules/shared/meta.nix"
               "${self}/modules/nixos/common/globals.nix"
               {
-                node.name = lib.mkForce configName;
+                node = {
-                node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets;
+                  name = lib.mkForce configName;
-
+                  arch = lib.mkForce arch;
+                  type = lib.mkForce "darwin";
+                  secretsDir = ../hosts/darwin/${arch}/${configName}/secrets;
+                };
               }
             ];
           };
@@ -1058,18 +1064,27 @@ The rest of the outputs either define or help define the actual configurations:
           systemFunc {
             inherit pkgs;
             extraSpecialArgs = {
-              inherit inputs lib outputs self configName;
+              inherit inputs lib outputs self configName arch type;
               inherit (config) globals nodes;
               minimal = false;
             };
             modules = [
               inputs.stylix.homeModules.stylix
               inputs.nix-index-database.homeModules.nix-index
-              # inputs.sops-nix.homeManagerModules.sops
+              inputs.sops.homeManagerModules.sops
               inputs.spicetify-nix.homeManagerModules.default
               inputs.swarsel-nix.homeModules.default
               "${self}/hosts/${type}/${arch}/${configName}"
               "${self}/profiles/home"
+              "${self}/modules/nixos/common/pii.nix"
+              {
+                node = {
+                  name = lib.mkForce configName;
+                  arch = lib.mkForce arch;
+                  type = lib.mkForce type;
+                  secretsDir = ../hosts/${type}/${arch}/${configName}/secrets;
+                };
+              }
             ];
           };
 
@@ -2391,6 +2406,7 @@ My work machine. Built for more security, this is the gold standard of my config
     fileSystems = {
       "/persist".neededForBoot = true;
       "/home".neededForBoot = true;
+      "/".neededForBoot = true;
       "/var/log".neededForBoot = true;
     };
   }
@@ -3399,13 +3415,9 @@ My phone. I use only a minimal config for remote debugging here.
   {
 
     imports = [
-      # inputs.sops-nix.homeManagerModules.sops
       "${self}/modules/home"
-      "${self}/modules/nixos/common/pii.nix"
-      "${self}/modules/nixos/common/meta.nix"
     ];
 
-
     services.xcape = {
       enable = true;
       mapExpression = {
@@ -3628,6 +3640,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
       minecraft = true;
       restic = true;
       diskEncryption = lib.mkForce false;
+      dns-hostrecord = true;
     };
   }
 
@@ -3852,6 +3865,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
       postgresql = lib.mkDefault true;
       attic = lib.mkDefault true;
       garage = lib.mkDefault true;
+      dns-hostrecord = true;
     };
 
   }
@@ -4050,6 +4064,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
     swarselmodules.server = {
       nsd = true;
       nginx = false;
+      dns-hostrecord = true;
     };
   }
 
@@ -4239,6 +4254,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
     swarselmodules.server = {
       nginx = false;
       bastion = true;
+      dns-hostrecord = true;
       # ssh = false;
     };
 
@@ -4430,6 +4446,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
 
     swarselmodules.server = {
       nginx = false;
+      dns-hostrecord = true;
     };
 
   }
@@ -4622,7 +4639,10 @@ This machine mainly acts as my proxy server to stand before my local machines.
     };
   } // lib.optionalAttrs (!minimal) {
 
-    swarselmodules.server.mailserver = true;
+    swarselmodules.server = {
+      mailserver = true;
+      dns-hostrecord = true;
+    };
 
     swarselprofiles = {
       server = true;
@@ -4998,7 +5018,7 @@ TODO: cleanup this mess
 #+begin_src nix-ts :tangle install/installer-config.nix
   { self, config, pkgs, lib, ... }:
   let
-    pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
+    pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/public/ssh";
     stateVersion = lib.mkDefault "23.05";
         homeFiles = {
           ".bash_history" = {
@@ -5850,35 +5870,6 @@ in
   }
 #+end_src
 
-**** Meta options (options only)
-:PROPERTIES:
-:CUSTOM_ID: h:30b81bf9-1e69-4ce8-88af-5592896bcee4
-:END:
-
-
-#+begin_src nix-ts :tangle modules/nixos/common/meta.nix
-  { lib, ... }:
-  {
-    options = {
-      node = {
-        secretsDir = lib.mkOption {
-          description = "Path to the secrets directory for this node.";
-          type = lib.types.path;
-          default = ./.;
-        };
-        name = lib.mkOption {
-          description = "Node Name.";
-          type = lib.types.str;
-        };
-        lockFromBootstrapping = lib.mkOption {
-          description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
-          type = lib.types.bool;
-        };
-      };
-    };
-  }
-#+end_src
-
 **** Expose home-manager sops secrets in NixOS (automatically active)
 :PROPERTIES:
 :CUSTOM_ID: h:a8bbe15f-a7dd-4e6d-ba49-26206c38e9c8
@@ -5891,7 +5882,7 @@ in
     inherit (config.repo.secrets.common.emacs) radicaleUser;
     modules = config.home-manager.users.${mainUser}.swarselmodules;
 
-    certsSopsFile = self + /secrets/certs/secrets.yaml;
+    certsSopsFile = self + /secrets/repo/certs.yaml;
   in
   {
     config = lib.mkIf config.swarselsystems.withHomeManager {
@@ -6139,7 +6130,7 @@ A breakdown of the flags being set:
 We enable the use of =home-manager= as a NixoS module. A nice trick here is the =extraSpecialArgs = inputs= line, which enables the use of =seflf= in most parts of the configuration. This is useful to refer to the root of the flake (which is otherwise quite hard while maintaining flake purity).
 
 #+begin_src nix-ts :tangle modules/nixos/common/home-manager.nix
-  { self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, ... }:
+  { self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, ... }:
   {
     options.swarselmodules.home-manager = lib.mkEnableOption "home-manager";
     config = lib.mkIf config.swarselmodules.home-manager {
@@ -6151,7 +6142,7 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the
         overwriteBackup = true;
         users.${config.swarselsystems.mainUser}.imports = [
           inputs.nix-index-database.homeModules.nix-index
-          inputs.sops-nix.homeManagerModules.sops
+          # inputs.sops.homeManagerModules.sops # this is not needed!! we add these secrets in nixos scope
           inputs.spicetify-nix.homeManagerModules.default
           inputs.swarsel-nix.homeModules.default
           {
@@ -6172,7 +6163,7 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the
         ];
         extraSpecialArgs = {
           inherit (inputs) self nixgl;
-          inherit inputs outputs globals nodes minimal configName;
+          inherit inputs outputs globals nodes minimal configName arch type;
           lib = homeLib;
         };
       };
@@ -6871,8 +6862,8 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
 #+begin_src nix-ts :tangle modules/nixos/client/network.nix
   { self, lib, pkgs, config, globals, ... }:
   let
-    certsSopsFile = self + /secrets/certs/secrets.yaml;
+    certsSopsFile = self + /secrets/repo/certs.yaml;
-    clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
+    clientSopsFile = "${config.node.secretsDir}/secrets.yaml";
 
     inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
 
@@ -7183,7 +7174,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 - `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops"
 - cat ~/.ssh/sops.pub | ssh-to-age | wl-copy
 - add the output to .sops.yaml
-- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/keys/NAME.pub
+- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/public/NAME.pub
 - update entry for sops.age.sshKeyPaths
 
 #+begin_src nix-ts :tangle modules/nixos/client/sops.nix
@@ -7194,8 +7185,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at
       sops = {
 
         # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
-        age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
+        age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
-        defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+        defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
 
         validateSopsFiles = false;
 
@@ -8568,14 +8559,14 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
         ];
       };
       users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [
-        (self + /secrets/keys/ssh/yubikey.pub)
+        (self + /secrets/public/ssh/yubikey.pub)
-        (self + /secrets/keys/ssh/magicant.pub)
+        (self + /secrets/public/ssh/magicant.pub)
-        # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
+        # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
       ];
       users.users.root.openssh.authorizedKeys.keyFiles = [
-        (self + /secrets/keys/ssh/yubikey.pub)
+        (self + /secrets/public/ssh/yubikey.pub)
-        (self + /secrets/keys/ssh/magicant.pub)
+        (self + /secrets/public/ssh/magicant.pub)
-        # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
+        # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
       ];
       security.sudo.extraConfig = ''
         Defaults    env_keep+=SSH_AUTH_SOCK
@@ -8603,9 +8594,9 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
             group = lib.mkForce "jump";
             createHome = lib.mkForce true;
             openssh.authorizedKeys.keyFiles = [
-              (self + /secrets/keys/ssh/yubikey.pub)
+              (self + /secrets/public/ssh/yubikey.pub)
-              (self + /secrets/keys/ssh/magicant.pub)
+              (self + /secrets/public/ssh/magicant.pub)
-              (self + /secrets/keys/ssh/builder.pub)
+              (self + /secrets/public/ssh/builder.pub)
             ];
           };
         };
@@ -8689,7 +8680,7 @@ Restricts access to the system by the nix build user as per https://discourse.ni
           isSystemUser = true;
           group = "builder";
           openssh.authorizedKeys.keys = [
-            ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}''
+            ''${ssh-restrict} ${builtins.readFile "${self}/secrets/public/ssh/builder.pub"}''
           ];
         };
       };
@@ -8709,7 +8700,8 @@ Generate hostId using =head -c4 /dev/urandom | od -A none -t x4=
   { lib, config, ... }:
   let
     netConfig = config.repo.secrets.local.networking;
-    netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}";
+    netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}";
+    netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
   in
   {
     options = {
@@ -8724,6 +8716,11 @@ Generate hostId using =head -c4 /dev/urandom | od -A none -t x4=
           default = netName;
           readOnly = true;
         };
+        netConfigPrefix = lib.mkOption {
+          type = lib.types.str;
+          default = netPrefix;
+          readOnly = true;
+        };
       };
     };
     config = lib.mkIf config.swarselmodules.server.network {
@@ -8836,8 +8833,8 @@ lspci -k -d 14c3:0616
                 enable = true;
                 port = 2222; # avoid hostkey changed nag
                 authorizedKeys = [
-                  ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''
+                  ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}''
-                  ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}''
+                  ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}''
                 ];
                 hostKeys = [ hostKeyPathBase ];
               };
@@ -8875,6 +8872,137 @@ lspci -k -d 14c3:0616
     }
 #+end_src
 
+**** Wireguard
+
+#+begin_src nix-ts :tangle modules/nixos/server/wireguard.nix
+  { self, lib, config, confLib, globals, ... }:
+  let
+    wgInterface = "wg0";
+    inherit (confLib.gen { name = "wireguard"; port = 52829; user = "systemd-network"; group = "systemd-network"; }) servicePort serviceName serviceUser serviceGroup;
+
+    inherit (config.swarselsystems) sopsFile;
+    inherit (config.swarselsystems.server.wireguard) peers isClient isServer;
+  in
+  {
+    options = {
+      swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
+      swarselsystems.server.wireguard = {
+        isServer = lib.mkEnableOption "set this as a wireguard server";
+        peers = lib.mkOption {
+          type = lib.types.listOf (lib.types.submodule {
+            freeformType = lib.types.attrs;
+            options = { };
+          });
+          default = [ ];
+          description = "Wireguard peer submodules as expected by systemd.network.netdevs.<name>.wireguardPeers";
+        };
+      };
+
+    };
+        config = lib.mkIf config.swarselmodules.${serviceName} {
+
+          sops = {
+            secrets = {
+              wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+              wireguard-home-preshared-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+            };
+          };
+
+          networking = {
+            firewall.allowedUDPPorts = [ servicePort ];
+            nat = {
+              enable = true;
+              enableIPv6 = true;
+              externalInterface = "ens6";
+              internalInterfaces = [ wgInterface ];
+            };
+          };
+
+          systemd.network = {
+            enable = true;
+
+            networks."50-${wgInterface}" = {
+              matchConfig.Name = wgInterface;
+
+              networkConfig = {
+                IPv4Forwarding = true;
+                IPv6Forwarding = true;
+              };
+
+              address = [
+                "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4}"
+                "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6}"
+              ];
+            };
+
+            netdevs."50-wg0" = {
+              netdevConfig = {
+                Kind = "wireguard";
+                Name = wgInterface;
+              };
+
+              wireguardConfig = {
+                ListenPort = lib.mkIf isServer servicePort;
+
+                # ensure file is readable by `systemd-network` user
+                PrivateKeyFile = config.age.secrets.wg-key-vps.path;
+
+                # To automatically create routes for everything in AllowedIPs,
+                # add RouteTable=main
+                # RouteTable = "main";
+
+                # FirewallMark marks all packets send and received by wg0
+                # with the number 42, which can be used to define policy rules on these packets.
+                # FirewallMark = 42;
+              };
+              wireguardPeers = peers ++ lib.optionals isClient [
+                {
+                  PublicKey = builtins.readFile "${self}/secrets/public/wg/${config.node.name}.pub";
+                  PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path;
+                  Endpoint = "${globals.hosts.${config.node.name}.wanAddress4}:${toString servicePort}";
+                  # Access to the whole network is routed through our entry node.
+                  # AllowedIPs =
+                  #   (optional (networkCfg.cidrv4 != null) networkCfg.cidrv4)
+                  #     ++ (optional (networkCfg.cidrv6 != null) networkCfg.cidrv6);
+                }
+              ];
+            };
+          };
+
+          # networking = {
+          #   wireguard = {
+          #     enable = true;
+          #     interfaces = {
+          #       wg1 = {
+          #         privateKeyFile = config.sops.secrets.wireguard-private-key.path;
+          #         ips = [ "192.168.178.201/24" ];
+          #         peers = [
+          #           {
+          #             publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
+          #             presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
+          #             name = "moonside";
+          #             persistentKeepalive = 25;
+          #             # endpoint = "${config.repo.secrets.common.ipv4}:51820";
+          #             endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
+          #             # allowedIPs = [
+          #             #   "192.168.3.0/24"
+          #             #   "192.168.1.0/24"
+          #             # ];
+          #             allowedIPs = [
+          #               "192.168.178.0/24"
+          #             ];
+          #           }
+          #         ];
+          #       };
+          #     };
+          #   };
+          # };
+
+
+        };
+      }
+#+end_src
+
 **** BTRFS
 
 #+begin_src nix-ts :tangle modules/nixos/server/btrfs.nix
@@ -10553,7 +10681,7 @@ Note: you still need to run =restic-<name> init= once on the host to get the buc
 This section exposes several metrics that I use to check the health of my server. I need to expand on the exporters section at some point, but for now I have everything I need.
 
 #+begin_src nix-ts :tangle modules/nixos/server/monitoring.nix
-  { self, lib, config, globals, dns, confLib, ... }:
+  { lib, config, globals, dns, confLib, ... }:
   let
     inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
 
@@ -10566,6 +10694,8 @@ This section exposes several metrics that I use to check the health of my server
     kanidmDomain = globals.services.kanidm.domain;
 
     inherit (config.swarselsystems) sopsFile;
+
+    sopsFile2 = "${config.node.secretsDir}/secrets2.yaml";
   in
   {
     options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -10580,7 +10710,7 @@ This section exposes several metrics that I use to check the health of my server
           grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
           prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
           kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
-          prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
+          prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
 
         };
         templates = {
@@ -11280,7 +11410,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
 #+begin_src nix-ts :tangle modules/nixos/server/kanidm.nix
   { self, lib, pkgs, config, globals, dns, confLib, ... }:
   let
-    certsSopsFile = self + /secrets/certs/secrets.yaml;
+    certsSopsFile = self + /secrets/repo/certs.yaml;
     inherit (config.swarselsystems) sopsFile;
     inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
 
@@ -12261,10 +12391,10 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
 :END:
 
 #+begin_src nix-ts :tangle modules/nixos/server/radicale.nix
-  { self, lib, config, globals, dns, confLib, ... }:
+  { lib, config, globals, dns, confLib, ... }:
   let
     inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
-    sopsFile = self + /secrets/winters/secrets2.yaml;
+    sopsFile = "${config.node.secretsDir}/secrets2.yaml";
 
     cfg = config.services.${serviceName};
   in
@@ -12846,10 +12976,10 @@ Deployment notes:
 :END:
 
 #+begin_src nix-ts :tangle modules/nixos/server/snipe-it.nix
-  { self, lib, config, globals, dns, confLib, ... }:
+  { lib, config, globals, dns, confLib, ... }:
   let
     inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
-    sopsFile = self + /secrets/winters/secrets2.yaml;
+    sopsFile = "${config.node.secretsDir}/secrets2.yaml";
 
     serviceDB = "snipeit";
 
@@ -13423,6 +13553,24 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
     };
   }
 #+end_src
+**** Set host domain for dns
+
+#+begin_src nix-ts :tangle modules/nixos/server/dns-hostrecord.nix
+  { lib, config, globals, dns, confLib, ... }:
+  let
+    inherit (confLib.gen { name = "dns-hostrecord"; proxy = config.node.name; }) serviceName proxyAddress4 proxyAddress6;
+  in
+  {
+    options. swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+    config = lib.mkIf config.swarselmodules.server.${serviceName} {
+
+      nodes.stoicclub.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords = {
+        "server.${config.node.name}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+      };
+
+    };
+  }
+#+end_src
 **** nsd (dns)
 :PROPERTIES:
 :CUSTOM_ID: h:ef5b7ace-4870-4dfa-9532-9a9d2722dc9a
@@ -13531,7 +13679,7 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
     SOA = {
       nameServer = "soa";
       adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
-      serial = 2025120201; # update this on changes for secondary dns
+      serial = 2025120203; # update this on changes for secondary dns
     };
 
     useOrigin = false;
@@ -14842,11 +14990,11 @@ Again, we adapt =nix= to our needs, enable the home-manager command for non-NixO
                   trusted-users = [
                     "@wheel"
                     "${mainUser}"
-                    (lib.mkIf config.swarselmodules.server.ssh-builder "builder")
+                    (lib.mkIf ((config.swarselmodules ? server) ? ssh-builder) "builder")
                   ];
                   connect-timeout = 5;
-                  bash-prompt-prefix = "$SHLVL:\\w ";
+                  bash-prompt-prefix = lib.mkIf config.swarselsystems.isClient "$SHLVL:\\w ";
-                  bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
+                  bash-prompt = lib.mkIf config.swarselsystems.isClient "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
                   fallback = true;
                   min-free = 128000000;
                   max-free = 1000000000;
@@ -15227,22 +15375,24 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 - `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops"
 - cat ~/.ssh/sops.pub | ssh-to-age | wl-copy
 - add the output to .sops.yaml
-- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/keys/NAME.pub
+- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/public/NAME.pub
 - update entry for sops.age.sshKeyPaths
 
   Since we are using the home-manager implementation here, we need to specify the runtime path.
 
+  At the same time, I want to avoid running the homeManager module of sops on a NixOS machine. Note that we cannot use =lib.mkIf= in the line =config == ...= as this would evaluate the blocks that are within; however, on a NixOS machine, there will be no =sops= module in the homeManager scope. Hence we use =optionalAttrs=. Also, we cannot make use of =config.swarselsystems.isNixos= because that will lead to an infinite recursion. Hence, we take the =type= arg that we passed during host declaration to make sure sops stays disabled. This is used in all places in the home-manager config that make use of sops-secrets.
+
 #+begin_src nix-ts :tangle modules/home/common/sops.nix
-  { config, lib, inputs, ... }:
+  { config, lib, type, ... }:
   let
     inherit (config.swarselsystems) homeDir;
   in
     {
       options.swarselmodules.sops = lib.mkEnableOption "sops settings";
-      config = lib.optionalAttrs (inputs ? sops)  {
+      config = lib.optionalAttrs (type != "nixos")  {
-        sops = {
+        sops = lib.mkIf (!config.swarselsystems.isNixos) {
-          age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ];
+          age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ];
-          defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml";
+          defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
 
           validateSopsFiles = false;
         };
@@ -15256,7 +15406,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 :END:
 
 #+begin_src nix-ts :tangle modules/home/common/yubikey.nix
-  { lib, config, inputs, confLib, ... }:
+  { lib, config, confLib, type, ... }:
   let
     inherit (config.swarselsystems) homeDir;
   in
@@ -15271,7 +15421,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
           confLib.getConfig.secrets.common.yubikeys.dev2
         ];
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
       sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
         u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
       };
@@ -15287,7 +15437,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 It is very convenient to have SSH aliases in place for machines that I use. This is mainly used for some server machines and some university clusters. We also enable agent forwarding to have our Yubikey SSH key accessible on the remote host.
 
 #+begin_src nix-ts :tangle modules/home/common/ssh.nix
-  { inputs, lib, config, confLib, ... }:
+  { lib, config, confLib, type, ... }:
   {
     options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
     config = lib.mkIf config.swarselmodules.ssh ({
@@ -15313,7 +15463,7 @@ It is very convenient to have SSH aliases in place for machines that I use. This
           };
         } // confLib.getConfig.repo.secrets.common.ssh.hosts;
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
       sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
         builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
       };
@@ -16117,7 +16267,7 @@ lib.mkMerge [ zshConfigEarlyInit zshConfig ];
 Currently I only use it as before with =initExtra= though.
 
 #+begin_src nix-ts :tangle modules/home/common/zsh.nix
-  { config, pkgs, lib, minimal, inputs, globals, confLib, ... }:
+  { config, pkgs, lib, minimal, globals, confLib, type, ... }:
   let
     inherit (config.swarselsystems) flakePath isNixos;
     crocDomain = globals.services.croc.domain;
@@ -16252,9 +16402,9 @@ Currently I only use it as before with =initExtra= though.
             # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
           };
         };
-      } // lib.optionalAttrs (inputs ? sops) {
+      } // lib.optionalAttrs (type != "nixos") {
 
-        sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
+        sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
           croc-password = { };
           github-nixpkgs-review-token = { };
         };
@@ -17624,7 +17774,7 @@ Currently I only use it as before with =initExtra= though.
 Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here.
 
 #+begin_src nix-ts :tangle modules/home/common/mail.nix
-  { lib, config, inputs, globals, confLib, ... }:
+  { lib, config, globals, confLib, type, ... }:
   let
     inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
     inherit (confLib.getConfig.repo.secrets.common) fullName;
@@ -17826,7 +17976,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
               };
             };
         };
-      } // lib.optionalAttrs (inputs ? sops) {
+      } // lib.optionalAttrs (type != "nixos") {
         sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
           address1-token = { path = "${xdgDir}/secrets/address1-token"; };
           address2-token = { path = "${xdgDir}/secrets/address2-token"; };
@@ -17847,7 +17997,7 @@ By using the emacs-overlay NixOS module, I can install all Emacs packages that I
 Lastly, I am defining some more packages here that the parser has problems finding. Also there are some packages that are not in ELPA or MELPA that I still want to use, like =calfw= and =fast-scroll=, so I build them here.
 
 #+begin_src nix-ts :tangle modules/home/common/emacs.nix
-  { self, lib, config, pkgs, globals, inputs, ... }:
+  { self, lib, config, pkgs, globals, inputs, type, ... }:
   let
     inherit (config.swarselsystems) homeDir mainUser isPublic isNixos;
     inherit (config.repo.secrets.common.emacs) radicaleUser;
@@ -17952,7 +18102,7 @@ Lastly, I am defining some more packages here that the parser has problems findi
         startWithUserSession = "graphical";
       };
 
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
 
       sops = lib.mkIf (!isPublic && !isNixos) {
         secrets = {
@@ -17991,7 +18141,7 @@ The rest of the related configuration is found here:
 - [[#h:f93f66f9-6b8b-478e-b139-b2f382c1f25e][waybarupdate]]
 
 #+begin_src nix-ts :tangle modules/home/common/waybar.nix
-  { self, config, lib, inputs, pkgs, ... }:
+  { self, config, lib, pkgs, type, ... }:
   let
     inherit (config.swarselsystems) xdgDir;
     generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
@@ -18313,7 +18463,7 @@ The rest of the related configuration is found here:
         };
         style = builtins.readFile (self + /files/waybar/style.css);
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
       sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
         github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
       };
@@ -19560,7 +19710,7 @@ When setting up a new machine:
         enable = true;
         publicKeys = [
           {
-            source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc";
+            source = "${self}/secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc";
             trust = 5;
           }
         ];
@@ -19805,7 +19955,7 @@ This service changes the screen hue at night. I am not sure if that really does
 
 
 #+begin_src nix-ts :tangle modules/home/common/anki.nix
-  { lib, config, pkgs, globals, inputs, confLib, ... }:
+  { lib, config, pkgs, globals, confLib, type, ... }:
   let
     moduleName = "anki";
     inherit (config.swarselsystems) isPublic isNixos;
@@ -19861,7 +20011,7 @@ This service changes the screen hue at night. I am not sure if that really does
                 })
             ];
         };
-      } // lib.optionalAttrs (inputs ? sops) {
+      } // lib.optionalAttrs (type != "nixos") {
         sops = lib.mkIf (!isPublic && !isNixos) {
           secrets = {
             anki-user = { };
@@ -20634,13 +20784,13 @@ When setting up a new machine:
 #+end_src
 
 #+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes
-  { self, inputs, config, pkgs, lib, vars, confLib, ... }:
+  { self, config, pkgs, lib, vars, confLib, type, ... }:
   let
     inherit (config.swarselsystems) homeDir mainUser;
     inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
     inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
 
-    certsSopsFile = self + /secrets/certs/secrets.yaml;
+    certsSopsFile = self + /secrets/repo/certs.yaml;
   in
   {
     options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption;
@@ -21288,7 +21438,7 @@ When setting up a new machine:
         };
 
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
       sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
         harica-root-ca = {
           sopsFile = certsSopsFile;
@@ -21429,7 +21579,7 @@ TODO: check which of these can be replaced but builtin functions.
       isBtrfs = lib.mkEnableOption "use btrfs filesystem";
       sopsFile = lib.mkOption {
         type = lib.types.str;
-        default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
+        default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.node.secretsDir}/secrets.yaml";
       };
       homeDir = lib.mkOption {
         type = lib.types.str;
@@ -21718,6 +21868,40 @@ In short, the options defined here are passed to the modules systems using =_mod
   }
 #+end_src
 
+*** Meta options (options only)
+:PROPERTIES:
+:CUSTOM_ID: h:30b81bf9-1e69-4ce8-88af-5592896bcee4
+:END:
+
+
+#+begin_src nix-ts :tangle modules/shared/meta.nix
+  { lib, ... }:
+  {
+    options = {
+      node = {
+        secretsDir = lib.mkOption {
+          description = "Path to the secrets directory for this node.";
+          type = lib.types.path;
+          default = ./.;
+        };
+        name = lib.mkOption {
+          type = lib.types.str;
+        };
+        arch = lib.mkOption {
+          type = lib.types.str;
+        };
+        type = lib.mkOption {
+          type = lib.types.str;
+        };
+        lockFromBootstrapping = lib.mkOption {
+          description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
+          type = lib.types.bool;
+        };
+      };
+    };
+  }
+#+end_src
+
 *** Config Library (confLib)
 :PROPERTIES:
 :CUSTOM_ID: h:a33322d5-014a-4072-a4a5-91bc71c343b8
@@ -21747,7 +21931,7 @@ In short, the options defined here are passed to the modules systems using =_mod
           serviceDir = dir;
           serviceAddress = address;
           serviceProxy = proxy;
-          proxyAddress4 = globals.hosts.${proxy}.wanAddress4;
+          proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null;
           proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
         };
       };
@@ -22762,8 +22946,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
       vim "${git_root}"/.sops.yaml
   fi
   green "Updating all secrets files to reflect updates .sops.yaml"
-  sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml
+  sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/*
-  sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc
   # --------------------------
   green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
   sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
@@ -22936,7 +23119,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
   fi
 
   local_keys=$(ssh-add -L || true)
-  pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
+  pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
   read -ra pub_arr <<< "$pub_key"
 
   cd .dotfiles
@@ -23085,7 +23268,7 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f
   git clone https://github.com/Swarsel/.dotfiles.git
 
   local_keys=$(ssh-add -L || true)
-  pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
+  pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
   read -ra pub_arr <<< "$pub_key"
 
   cd .dotfiles

files/scripts/swarsel-bootstrap.sh

@@ -317,8 +317,7 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then
     vim "${git_root}"/.sops.yaml
 fi
 green "Updating all secrets files to reflect updates .sops.yaml"
-sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml
+sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/*
-sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc
 # --------------------------
 green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
 sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts

files/scripts/swarsel-install.sh

@@ -96,7 +96,7 @@ green "Cloning repository from GitHub"
 git clone https://github.com/Swarsel/.dotfiles.git
 
 local_keys=$(ssh-add -L || true)
-pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
+pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
 read -ra pub_arr <<< "$pub_key"
 
 cd .dotfiles

files/scripts/swarsel-rebuild.sh

@@ -78,7 +78,7 @@ else
 fi
 
 local_keys=$(ssh-add -L || true)
-pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
+pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
 read -ra pub_arr <<< "$pub_key"
 
 cd .dotfiles

flake.lock

@@ -1908,11 +1908,11 @@
     },
     "nixpkgs_21": {
       "locked": {
-        "lastModified": 1763618868,
+        "lastModified": 1764445028,
-        "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=",
+        "narHash": "sha256-ik6H/0Zl+qHYDKTXFPpzuVHSZE+uvVz2XQuQd1IVXzo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942",
+        "rev": "a09378c0108815dbf3961a0e085936f4146ec415",
         "type": "github"
       },
       "original": {
@@ -2526,7 +2526,7 @@
         "pre-commit-hooks": "pre-commit-hooks_3",
         "simple-nixos-mailserver": "simple-nixos-mailserver",
         "smallpkgs": "smallpkgs",
-        "sops-nix": "sops-nix",
+        "sops": "sops",
         "spicetify-nix": "spicetify-nix",
         "stylix": "stylix",
         "swarsel-nix": "swarsel-nix",
@@ -2683,16 +2683,16 @@
         "type": "github"
       }
     },
-    "sops-nix": {
+    "sops": {
       "inputs": {
         "nixpkgs": "nixpkgs_21"
       },
       "locked": {
-        "lastModified": 1763870012,
+        "lastModified": 1764483358,
-        "narHash": "sha256-AHxFfIu73SpNLAOZbu/AvpLhZ/Szhx6gRPj9ufZtaZA=",
+        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "4e7d74d92398b933cc0e0e25af5b0836efcfdde3",
+        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -36,7 +36,7 @@
     nur.url = "github:nix-community/NUR";
     nixgl.url = "github:guibou/nixGL";
     stylix.url = "github:danth/stylix";
-    sops-nix.url = "github:Mic92/sops-nix";
+    sops.url = "github:Mic92/sops-nix";
     lanzaboote.url = "github:nix-community/lanzaboote";
     nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05";
     nixos-generators.url = "github:nix-community/nixos-generators";

hosts/home/aarch64-linux/treehouse/default.nix

@@ -2,13 +2,9 @@
 {
 
   imports = [
-    # inputs.sops-nix.homeManagerModules.sops
     "${self}/modules/home"
-    "${self}/modules/nixos/common/pii.nix"
-    "${self}/modules/nixos/common/meta.nix"
   ];
 
-
   services.xcape = {
     enable = true;
     mapExpression = {

hosts/nixos/aarch64-linux/belchsfactory/default.nix

@@ -53,6 +53,7 @@
     postgresql = lib.mkDefault true;
     attic = lib.mkDefault true;
     garage = lib.mkDefault true;
+    dns-hostrecord = true;
   };
 
 }

hosts/nixos/aarch64-linux/liliputsteps/default.nix

@@ -33,6 +33,7 @@
   swarselmodules.server = {
     nginx = false;
     bastion = true;
+    dns-hostrecord = true;
     # ssh = false;
   };
 

hosts/nixos/aarch64-linux/moonside/default.nix

@@ -164,5 +164,6 @@ in
     minecraft = true;
     restic = true;
     diskEncryption = lib.mkForce false;
+    dns-hostrecord = true;
   };
 }

hosts/nixos/aarch64-linux/stoicclub/default.nix

@@ -35,5 +35,6 @@
   swarselmodules.server = {
     nsd = true;
     nginx = false;
+    dns-hostrecord = true;
   };
 }

hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc

@@ -3,16 +3,16 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h",
+				"recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZzY0QVQ4ZUxxZkdhQ2Zn\nOHpmTnRaR0R3cXh2Z2JFM1RDVDB2QnE3M3prCm43NjQyOS93UTZKaUlUUmhVcTdG\nUWp1YU1kVmZPc0tBN2FMY2FFVkI1a0UKLS0tIFovZi9FQlhMaXpvcnRYN2FiSm16\nTzJESjNyZ1NzajJRNDR6ZTd2TitoQTgKe2hC6OpYIzgqzhmeJuHWe0yXNE+/Ek26\nGt7s1B6OKnrj+S3es84ePOjAbLHr/ez282b/h0y55ws4R7jMemUIrQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzclI3dlQ1dUY3WGVYL29E\nSGhZV3VMcm5zYmRsTHVlM2wvNFVyMy9CRlh3CkQrZEIvMyt2TVdXQUJJT21mY0lF\nZU1oakIzOWduU3pNeWVvcFMzNDBFTTgKLS0tIDF6YTROOHBjUnBkVklPQjFRQ3pX\nQWtlYi9iOFFjNUFrSUNMZGJqT1pTVEEKFesEHZQjpenLp3oBQwxDcMv1pEAReXQs\njT8ydzfTuvIP6bXu6lcJe0J90NVZ36qBZ2fTs/RqvZbvM0oufb5/VA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-12-01T12:12:55Z",
 		"mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-11-20T01:03:05Z",
+				"created_at": "2025-12-02T14:57:22Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//eTxMD8ZbwJUqVsi1IKK2qdprLTjE0rqdDue+OvP0V+Ns\n1uTnw+b2UBykbIofXcG4P61OxAFdEs8whiIdffQtkDTkOgzV9IQCBOSGxZGEJXMe\nrl5BZLlF98JZ5R15v8V8vMwWwtC90GZ7gZLDV+yZz40Zqm3mTrFz/3PERukwu4Gb\nLTJDOsGmpooyI8KnrIsBhfEwo7/ouAayuKQfvt2i2Tngk9Em73R91BlpcxsOEmqr\n5KWA4GCsjUOmZZKLj2vyENPgQh8t8bP5fGJ3Rf4J1MCWAB89omcE0aRWId/l5sdA\n/Nxinh3xQsiXHPzPLZQ+UjHs+MjNdUoZapoDBP84j2tHsSxh0RMRhlHpESDWq3Mm\n1acWrChyyds6Lz5ZqkioqvAZ3lslS0kPdQqfsLzYWBhA9kLOIJKYfat+vxsAPwAa\n6kceXtxSzUpThtDUPDibjomn7Mrj7ZoHhiJZup/M27glf/V4P3zk+ctpXMSIE7Ia\nQ/jgRDzpcs+u05RsP32jFbCAfi//WxRo77MoxGMJxDhYibBp+aRkFAgVYiElhxbt\n/NedcIAHSJZFyDPm0wn411+DPnUTPn9D9LCkmSG68ZeGDGZJl7Sz3bJ3obWWecTG\nBjqxMZVwRuU2gdg1IwempP9u1dP0Q+g8B3veui/gczGx3J5kvNv8hnUBTeUl2EyF\nAgwDC9FRLmchgYQBD/oCciOvXMrH9/hWIIYb1sKiuCmgdVfs7H0q92XdVNgkbPRz\nXAakX7dl5cZt748u/eCHlGUGr4q7yA1tDx9Vm/J+O2HljN3lBVCbm7HP+YcI+5g0\nvvxr0cIPtr5CXlZz6hJjTgzE4HfEKagGdjgllbHYBB+0rtq/2pZTa20fG0w4coeI\nB/D0iVFwyuM3Wxt/7gXpPtI+m/3qt8QoFIGsZkck7X5hdJwGF4DD5jKxYB28s5Hc\n4ZBG19jezjMIVJUGE58TTVDTvZvJ5Vaw2RizV8DRkFS3q0UIOapOESpZiRnoOqA1\nDQpAU26RSEj8wlYsgNrVWUpdwlYs5e3EWYNkGROTRSB/dGcCSVF31A76W7af+6uv\nwZdMCrAGlD4GBj/yojdnqstfB2Jxu99VubcImWKfaJEXYx5xoREGmK9+t896GJi+\nE8mjiMOMRZFV2n2nwTxAFMaiDJ+VpKpKGVKCOSDwqsePhY/A4kb+N1nnhutmSl/v\n1SCDDvC9+jYNLUC1IaJfFOrNClA43IdJELOAavRx2t1RdyfyOx3D8rrWhF4+NB9Z\nlAc2e7hOoP/OEtf4YjZWq3dQtWSdwePWBxD9xyvF/kEmd2NcezqdfggH3g84qBxy\nUxBDD3ojMMAXlkPU3hRiDeLd1mHxDizVxqYkIYDSeAKtuv2ECH8y7/mv3sKrFtJe\nAQvSMW7gOmIdtQaIpsXHMxzXf+Nv0l3dZeWYD/TnVvoeVOaRQ9dHrtl3J0U9UN3j\nBOJdFaptlS4SIRkva6v6srrM7dXKvjR6IabdzaWl098VW9RFD+YGJ6ZhuQ+zOA==\n=l0k2\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RNM47rdREvCOPQ83++DSlGWeoGlVeFvM4a1og2Nkzoq9\nLKsZh6bQP2SC01UOD4UDKBcT7PoQU86xePjV1ze6nejo+L0twrhQNT76jAw5OhFh\n1DkOVnUpcjZE3aBxDa6g79qVKfp31i6xfvgjipF4SMGpSlZuMLKL+nTL1357HXU+\nzQKPwSLymDq7EdxnCUwTGx8rVI59j4hyEwinxZhbQYiiHQpTQ3AHDu3oBO64daPh\n7WEmMShU4I9PIdvie7sRK3txZTcjM759m9B3Fm+KEWZXO/bQXjy9/Kab5WlEWwFK\nP7aHLin53wc6HMZjset3o61i/FPeQdm6IVoUujjuSI6076OqsWv7fQp9NApftCko\ns0yNY0RMgRpOQNho5Navr71eH6X8QujrEkCGzVqHm16issJUJkw95tlj9q4qghSn\na4RCUmgfToQYvL9ahNTfqP2S1xqI4hbP0elBXbrMUJ7iYOWOLwEPCgmuoTyw+RXD\nA5P/HDEvgnkVxB4vdzfcQjgVtR01nG5rAcclec9gXZg8Q3K0b+MoKOhdvTucRNek\n8+t3XEzTBBjPdaIhW8038qbCueuetsWNjb7B3Km/muQ0CnTzQ45GWozKdDC2qB69\nS9z1KIn9FrmGxCd5hrL9fbwJpisdtOD0foQKoD6X2B+h9KqORWbSGLXfxRo2uBOF\nAgwDC9FRLmchgYQBD/0Y8owdtA5dgxv6W5lej/sT7+PSc2fvIQVQvvYTrT2wJxc5\nrTX49HtIFxPwGdwBHH6Z3oLZjojpX7u8bm9+ewD7sOsvC3PLsKfrvx3naUnEZrww\nzKC762LWiYS3qlFR1QAbPWDjJSi7rDqFkQhGMP59MDOifYOLCbSQQpdTCMYC550I\nmljenkA5nm6sdYnHa54hkyiWzGSO+pAv531X5GMaTvHB3+Fy8QA5o3/+ZpNtVieG\n8RAbvqeH8PyTZsc2GW2D6WfudB4jrhvYBio4T8+5/3Fg6pWIq4pmi4o0F8I8BaAi\nuL90IEtSeFQSytg/EL0JtFxMBy8ImlE/SAfM4Y6UZAbiWBykmrD9TM5IPMUbMTT6\nxwfhcsQ97m9sRT2TWSrxp2Q+k/BQxVK+AbOaxEtWqqOUnWG4sskw8DQ+qAU5v0yC\nGH46gbklEYDmvYMY/kLXSK4iYJ0UmXNhB+DuM0WihQJ22PUPZy6YGWjwPgxjoYXZ\nbfoRjzb5N6etY/W3QjGbzhy7H+JLKXZbq+DLtH5A3Wya09ilpf2cy6FWD+o857op\nKdfybFtXZIBTZWjRQSeLOL+a157M5c6MFC/xr7E18qqL6xl6v3jgF05SZ72bcGVG\n2zvTWnAV1Y+oH8NhRb0i2uyZCEWvv8MRrHJFypcUqImAJylGnYu8lwicGXA9C9Je\nAZ6JqTMkc6Ji6AOzY75gP1lPQNv0HrIbE6RzZyAX41WDB+0okERps2IZF7HSb5/7\nVAXUR2QRmqagMf/qV3iNDQS/kuwGiv/2WTXAtm4446/mpdkaKf+gN7dgcJf84A==\n=eXQe\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/aarch64-linux/twothreetunnel/default.nix

@@ -31,6 +31,7 @@
 
   swarselmodules.server = {
     nginx = false;
+    dns-hostrecord = true;
   };
 
 }

hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:G3Q+Hn7QkvBZeXzNR+0Bax+Va5sK5E0K3hNTkdsNJx4C6pIwrBEBOt3IKv/c00QhpAnPqo9gbKqWU9gv7I56nEOwVtVH3lrMlbxNl9LIiSv9SvSxVkTOow2msSJV/U+1KpjNQ/LnOo2Fxebfz1yiRtgi7hSazzqzIazZAFBldlKkjLR5SFCG8t5s/nccqZU+cLmS7hJDS5LtgW1XeunqUY7jnKuh7gT2I6fPsu15Vy+YeKLmYIt0a20bWGePBIlyiGRtpnMgtIt5gk5+OpSndO8P/GMgUzRwRZEL1b8U57jbhkPLdnwwy/iV6rEFCD9i6qB0ufVW/euc+y5mN0dx8op9FwJVzkJhUIIy9Qbbc8WOjjjWlwbKJNkWfYX7pTtx+xfBKuPF+IwaoMS9j+C3etkoYe5QCr9YGYM5Xer/HL0otYNacQU5S0VqPBzDnLu7NxzB4i22,iv:aFPDBmZasoqEFCbhrRtA2QMB27khuT3rdfCGAafjov0=,tag:GQGuHL5aYPc98tzc6Bb5mA==,type:str]",
+	"data": "ENC[AES256_GCM,data:JMh/Ce8H/sC/58gz8MpwbME5f0jY8SMRAdI1U9bBVvQ+x3G9rH/d6aU5SSOqB6ryKf+GXqjTzDMpsNZSMvLSs3VM0nUvHh/AYCHkA2dIjQVLpmxK4jBvku5GySRJmHKzA45Sgw6WyeKQD7wuEj3Tfme+MI5x6jjBXWOcRaDqBF5RIK9UWmv91/nYU8lyw6igqWybb5pX6X2Iil5hq6FWyVSa8mRWKle26LwYzS9u6tUEmPd56vOvXH1mhgkeaHNh8nZPS0gew2K8CKvdpuXzRslWew2kjBWD48YArZwBjyTTgJ+l85qtVp7HNKgGrT3WY8KgWyLNqmWlycMzE1uRcwMpzUAO9y05H2ZUrolx7IM/c9wsyGPD4YOV5/mAX+uA/Lw8UlrR9gyjD07FEE5ob7bmvHX8e45DIaHTSjcWt6U3vX9P+6aD/wmOcjptN43qNmeh5WlVB0Te5ISsKhQbMa/6oBMKF9um8j41N8mCcb+NqIkdouuToLHv0WcBWLeBaMwAYSknmrlYaV3Z0Jf5kpEV5YRKXPyRpRiobbwq,iv:SWNkLzfXRku9GxDyc9PTca/FHFhHMPsTObumtkMpn5U=,tag:O0x8oIeCKc76KfcDP6G+5A==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-01T22:45:54Z",
+		"lastmodified": "2025-12-02T10:34:04Z",
-		"mac": "ENC[AES256_GCM,data:b2sWPq+S5qqSM6lON+9A//LehgR7Wy7x8EfqeiFOFo9RT3niwaKjfp/Jnf6nKbXF43XM4dsn+dIX52fgxyd0KVLnJTqinhz97sSSs7hYFdXa2FGRhI+VwmuGVvr2ylAJODQgTn+MD7I+s/3DTfh6h0V47IZvxrUpYgg7tJrxzBc=,iv:g4XVN24+COVtRQPzTiI4iki1crjBUVc7vpnJ/vucd2A=,tag:gcnfSvPWvLqG2wTZELRMsg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:bWya8/HiExhIVMhQwW2882YJQFBbPvow1HAVh4hpb6FdQiQ+nywjBN/o+/wARXXAoHPO224rEHy2Z82RmLtqhZp8PLvs8ttEpwxsTipTkVgjkgrOsHSQDbO57RmFjmZKyJ7P2jhCUUD/oQVLGl8RCOESHhslG4M2zvUOkeavGro=,iv:rLAD+1Ma9RiSfLH0rkgXMnk04jdPCWI29B2wQtUyFjM=,tag:sLuh6qe9KQrvt5U2OburMA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-01T23:06:36Z",

hosts/nixos/x86_64-linux/eagleland/default.nix

@@ -29,7 +29,10 @@
   };
 } // lib.optionalAttrs (!minimal) {
 
-  swarselmodules.server.mailserver = true;
+  swarselmodules.server = {
+    mailserver = true;
+    dns-hostrecord = true;
+  };
 
   swarselprofiles = {
     server = true;

hosts/nixos/x86_64-linux/pyramid/disk-config.nix

@@ -75,6 +75,7 @@
   fileSystems = {
     "/persist".neededForBoot = true;
     "/home".neededForBoot = true;
+    "/".neededForBoot = true;
     "/var/log".neededForBoot = true;
   };
 }

hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc

@@ -3,20 +3,16 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy",
+				"recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjb21CZ0tQZlNKZkxKMGEz\nUlpMV3lSa1h5TXFNaEpvbWp3ZzZsMUFLd2hnCm9xQlo5Q3RsdW1tSFMxZjVKbjhM\nLzBaS3E1Z0lSQ2lQZEhtclBocE9CcXMKLS0tIHpaYjFIVVRWc2QyQ3hDWmNPODJR\nOFpPQlcwOERMYzhWV3J4ZmpIVUFXcGMKq/CmiIaBFfcx9Muj5LaTQ//ELHmC6WSG\ncJWyfZfrKcPDlXrz7+o9qufLogw3VIkCsTghqsbK6HOKGC5/FbnGSg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTXhHajBUQnY4MzJuTW5u\nME4vWHJrRCtQMWhWQ1pvU3h1UWVielFQSFFRCkl2RmpTRDh5Z3Q5UWcwS3RCVHds\nM05GNi8vNnpwS3FZcDBGWVdlZEdyVEUKLS0tIEM1SWdtZGV4QjhpaktRNkw0NDl1\neWlYN0tDMUhsWG1OSm9xWlM2VWJKcXcKa9aySsFOXPdwkmrmFc6X+WZT67vcuJf0\ndd1soIklu7xRuNpGKMuZbNKKgyRZnGrcUZUwwGIlJ2KRDag2risOXw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z2tONmQxTUhZUW12Z2Jm\nUnoxSnpYcnZDNGNzSko1ckl2RDh3NG1VS2dFCmIwUXhmSk1OUk02S0JPVDR5UWJ4\na0gwWlg0V005ZWxYa29PZ0laS2VqM0kKLS0tIHN5SU9pQ090eHljeXJGWm5hRFQ4\nZ001Nzkyb29RYkNUMDNDNlo4YnVQeTQK34bNIBgxId2+DHKQNVV3Iro3KGkE03Sp\niB1+dADT6nRvGvoyPqnLq/NYfw7eQ6XqYt55zkdCta8v6L1UNUkw8g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-10-21T19:32:24Z",
 		"mac": "ENC[AES256_GCM,data:wM862FQH/qX/abuD+krJOazli9Ci5GrpLtdcnzFgKCeNdjA2cfZ8M3DyzsBwMXjp6HxBHLyO7QXGcQkx3kIKGnRhEBuQzVOtrZhqcDi2Ho8iBV8Dh4xkhcpBYufw7xP8hGWg6ZVZ4JyM3P4NfAdxbfWTdc1VMStAafJ2SZ3pAYI=,iv:tDAKNe8LV40hRCqKzN6j6B71IV81SnrBgerxGPzU4Zk=,tag:7ZsST8pl9TjMog0dNKcUcA==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-06-14T22:31:01Z",
+				"created_at": "2025-12-02T14:58:23Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAA3TBZeXf6RLph9szeqCtmoXyXDMS1l7NRjhmM85YyxcRo\nTuJQrXA8gmIAen7iVjO/FnndAqd86ddCirpBr/aEKtB9v7Poxx6A/kubV2/EurY7\ngbjWsvY/x6Cqv8IMCTkVdolZNOIYlw4bK3RqERoeWXnvCEXVK2c8fqxmcVoNv6yR\n5leIyApzs7dihbdhK+8nTunIMFJSfP+HQY/wgyowgp3cFVjPe+eTUk8T1xkrir7+\ngfddOHNKnbQWpZRBVj2NE/0dwcKX/rxPHU1sCxOg1TW05jTxavsf8x1+2ST5VLI8\nvttzB8H58OMpDZ1xgoMN7SGSWdTN7BgNcLG4rsGb/GW4+2bxJQ3hS+4aTa59ugXG\nGpqY4ooUopRyOh/hE9xqZ4CXy7IEAGbiBKnwJH+CFlXNygPSURoz9wCH5sgqQ1eA\nGfHrXcGNe2flx9gHZ3g2FUKeORs45CFQLxn2HDSuzVqn9nZfWUFddk9v7G4jSsRg\ntVrSevOXTSFzaSQr5GTQocQILG8HHkg67gKXWMNnk5CiUMVojTljcCej1F5s4Lwg\nljTfTWJMUXfD3Djc2Ap/L+PfxO/Zr0Z5glAndSFQB7aijFaQOR+TVQznRNv90UOk\nwQdF6XANcFMiK3yKQ3xZ6d7lXNTCPlLi5ngakpXhMM1lP0/xFuMWB15IL4yA1FmF\nAgwDC9FRLmchgYQBEADAz9QQ92i1rObvnk3utRhxqizU1SIKhZHEzkdJ+M/9AUQl\nDqj4ge191QMWlEh9jo5ln1abxfVMEjDbomtniPsM5kxPw9qK20M2873ibkps0yNZ\nTdqI2hhB8qBtdEOD/gKq3M27/0c3O7rpsIv8kxxdnmZ9GlRjG9c+SmVqdmZ+PLcP\nOrC+Fq8kQKhINaYdpPoT6x85FW0YLvNiR72grHOKDofqBrFChxapf4HKK6T44TX4\nPKw9G2o/XtN9Z1sfh/R44XsNwTjG8EHrwQLsFYoH3+L7UoNkkNtcwleAl0tkjyVZ\nkq4g0nJKO0KbB1HAM0opamYKOsCUaXQ1MLbXKAmIKy1wuKJR9ibH7E+2Ne41fHJv\n0v243FBnebJP5wlrDY6aBNBX5lPeJBF2q9njp2OnkHWktQD47EyhPhI0hUxN3vzL\n0dSE9/LFgWtvzXqVWIYBWMHToBBiqJRgspw3Jf4Fg0l7Q9p7u2/rwgqbIWMLIDt+\n4tn0ySuiV9jV9dVG3Ho/X7owgr57PPetTvUcU6Ph8Yiv6riLZ+qBy636iGmQd9Zz\n/8nG0BRAnU0YOdWUtvOvBvI+JC5DIs2Trj7Th0AJvlAVLiiR1+0dKk+BdNo/LGE5\nRNNgJIwGHMOZXJonuYfYe15Qy+Qcx3J/NI9VOOfSmzl7A4s8NqtuAt8FNm1cDNJc\nAZp7gi3i3PxxsEXefNMtbFDLe+5yQ4lHro47BxnNAyvnYwKC/VAiwatow9kZGNWn\nc9J/PZinOYPfalwqOl0Zn+pem0hIestNplin7v6ynxa23Cg4g1xUou0ve14=\n=UG0o\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQILAwDh3VI7VctTAQ/3W4JR3l6Aiw+cfwFMgYLr/7AwJSwC1k4w2G1VCwXMBN3g\nmC6YPp67WDR1lOTb6zpviUqVTKAEy20BMJxU7JulAQPInd/zL8woaAHc1tp+cbFE\nr2mIHPKFGgA7tc2xuGxw9+WeWHzjrdjW42vWfvmjoL1crubSzWzr20onKgT/dMwJ\nbFMGEyD7gfDY8Z3TAlMGoRTNyGVzFrsKHkvL01kW4T6K+69ECSUDXyMimA4njPt0\nj+ukDmjojtyUjxHKEvyDtjfTZh8hT6f80w8o7cG+YSJF0h4lXEdvKay3WZ0RbwZg\n6ZUI9Ng9SkFEhcIDzePg3urdne+oJQQxDuFYfioh1Lm0aX1kt0GzU9r4p5pwjNoz\nAwoHuAPaVnwU553qYm6XtghzwsHGMIa4r4JFF4+/txlC21XN9u0sslIUc/CC2fyu\n1rNRgg/4TvipAFHfp0GRWMraf3FchDhFzRqPs4Ei6Vv1ffEKQGun8iykLnN7gC3f\nclCjiorc7pmh/ZVylyKuSvR+TTih3Ysttm9jCNMB3rIkCIdz4XaNYbCPUtb8sMub\niBxcqgTIDNCc5r7CnfDyalmHLZ8s+Q31H0Ci71I3EhHf+7c6KlfCLWuLHUpN4abX\nr5xv/q6kXJJHFOAirrUH8Sik1ydE9g6gLNr3udJzdDehkSflkHAd5mka+v/+n4UC\nDAML0VEuZyGBhAEP/jGuSsy8X3dCKtdbvnN+6SCspC/reKhptMGhyxLoItcyqku+\nXCjAe5yxfHEFjPzA+zMmOF2pmsc0FlZu5+eR2+karAuK+f0fzbv2krhEE06X9mpi\n3vJDoG+Vd03Wz+C/Y69xSIbGXY97msQo9XkUuuBcVjUcsFaf7je6NNLAFmj0Mmk5\nzKmXgCL0yjwFmGSGUnFIjrXlKil1gBrYHYWH+vkeFnNHbkbh1Ul7LYPkDrT81Occ\ne7D+yMp/URxTY5IjX7yVDSANCBhK3reGSSJ5M7a7K1LolGGKUtgMLKfWs9uSVqtJ\nA619Xvo19QYladZxmvhLNS4ZbZkR5mH7pcUmX9ltB6K6/kNpSdujaYALFFLnIgmv\nwBaUjZ9jmx4zkW5B0MFshh8SNrSfbPrmEJyBF/tOLGj1YGzj3TIq9Yf0OnDtmycW\narqmFyh0CWhMVfI/ekCjSCUI+LQTi22/itmfv1IFlrVXLWtWjVNN3y+MHz/9v+Cr\n5t8mWcTy01upfwNxSEcjsAFsjyAfvjdA/TZMBJWZ5ltnEQF3tZFV5WChmh++FNY+\n1GPqtEJdinTVxfv99N9CZIwZUap4+WSYVbXEmygVMUP41BVxNLjAPo4Z6PrDfnSB\nz27BqzIDnNwVz6Si+UreJDUhogGDH7lZua09Mjb+plUyBhAJEvT50Nj2XQyV0lwB\nky4gz5OsMQivfD+bWKOx0E29KnVWWSR2HW82uPaDfWI7uPxaON7YPIvI6Xd9pOUd\n7EdEmSiVVAfbqeplRRdClabiBL8Tm6QLiAnkQiImg38jGU02IeCNbXfzbA==\n=jGFv\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/pyramid/secrets/secrets.yaml

@@ -0,0 +1,48 @@
+home-wireguard-client-private-key: ENC[AES256_GCM,data:YL/nP4DGGjVc0wRrbJ0x+iyJfdqhE90Ws92QBl/lr3RnJzA+stcz0ey/Rk4=,iv:Ek/RVzDpcT7fqVh7OnNc9QXD3Tk/2bm6vSQDA38j+DI=,tag:G2dSpA3KZmbKAfIN+2d45w==,type:str]
+sops:
+    age:
+        - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcVdIU1MwTlQrVlRMbDkw
+            WXZlclBlYmp4elMrTkFPZHRpMGlGZXBDNWc4CkliYkNuTnNuZzRieGlvSHV3SCs1
+            S1Nmb0VJaVd4MFQzTU5XVVBuQldIVzQKLS0tIFpGUjNaSy93MDVQVEFvbXZzQnJp
+            Z1AzcVZpVlQ0WU9pNDNoTXoyR1RGUEEK0dfAegOiBXCnLakgBtWCYb7+hDqWFYUK
+            rXlXTBtICLgSzLWTtPbSVzrrZgT0SAM6vnLO/iNfAIXZlxjeOZrP8w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-05T10:37:12Z"
+    mac: ENC[AES256_GCM,data:RcvRagYaFGwMwrV63tffmYcA/m1GRjXpefR8Ab65jaldcWjfERiCWLFha9aQ1QlWUgSvCWbgC9/zFJkBBca1qVIvLOK1+nkI/ZjQ5rdUOJaP7mukLC3tcm+5f0Fe+GjTCDHGIZd/dUgkF+xVhN2XnFW1ExzRRt6q4a4pKvL6Ml0=,iv:EISJGqa2hQfjpu0X5wMJNZXzv0Loejj0Eb6kosXjU64=,tag:S81dIphr1rqQSO8jAZCABQ==,type:str]
+    pgp:
+        - created_at: "2025-12-02T14:59:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTARAAlcSjeRYoj2Hhff3PbKtUdIisAyRHtX84+m5BYeRmcx5k
+            gwMmitFaYQO9IL8EJHXfwIlx+7gubTCHKVDEIJPT6+jwNjWPvdvRSdmelY+xIhPE
+            rISqzUlbpKdkhRco0vKNX1bqfLWPqcWPREyHLg0WsnPJjAmNHNz3GKDnqFJG4tip
+            CDMTp16dJWAnGF9uCPDZ6CcpuP7U4CHDBH5KcGnZFJoZg0VvQhqW1uTwmqI99j5G
+            pB54n/nhCuNbL2vktBZQp+vrwiykb4+1rZw+CcK2awcD2Ugk0d/7KieRSxRIKEbW
+            COIkJRxXkc3JbLjdVIZBQGUSNTtjG3Q6pUaPuECUhb+5SyUDIpiUmpR+/3iIitjo
+            OY+1nDWji5Q2d0BSkoRFiH9KeZn65vduQyEQRX6B0yrElBNk7etkvPdJ3bGoJ2WX
+            Qwlkx0YP+a2dwEtvlKav2D6aJ+uCH2MTAVVL6wEK5a6s2QYkc39qpGhzRv83nbsU
+            Bp0QnJ6ZSjf/C5fAealZldXO1ZDIDpbH5xObaanrYgZ5ufnUl2Q1sKUXNljTYigB
+            tN5z28AiDeV/INr7e1tPV+C6RtHDYi5Rxo9lfoehvdAWkbfdl/iucV2LkwWTKFLO
+            istGzbaxnPtJmlx6FXq+fk6g3GQcPvuv64ZqnIv76VclWcPZDYUK/EU87LAO8NiF
+            AgwDC9FRLmchgYQBD/4maY4LhehaKtNMt6r331YjlsnZxcv/4L5zJRc43XLeJJjf
+            3xjU+TZ9RvjwsTaJ4bTeoVxu8OkFgugvRVhp9sQuu/tGfWbCpn3hWIxebivarQdI
+            7L0SkuHg1Die2g3YqdbpDIzvnLueSvuNDJNmyUgekR8TdWJ0A/pwl/poAu8nZgtw
+            hiIXBdLt5xEUOihXVJwYIoHu8yjL6aZttDyZfHuDDTcCwXdqYqMHyTYmcNdGakrl
+            DG+x2TgsJMtipvYHT4WqcVtOYlVAH4VfgxfmcWvEIXT5u1ZpizntFqGAgsTwQwCS
+            vs8vbZ5WFqQTYZL2t1U0cX7ExWWdY7LZ+ap3uZ5/2R2VkT+FdplRz12DsobWMP9z
+            mjveWhiZx1TPa1rf5pigcvtFSQLllrLhS79Per37EoGUArS9iM6Iyhd9avHAqNTp
+            ywZnJ5JpQKVDeRsMZfpoKdN/C/wqSAl6O6NQX06aY3EIYvxKF8h6qK7u/4WdlVd5
+            Ml4Yn18HyeTkbz616TlMLlGQMNuloDc+XVORVutVphvxI50faIwi4I4q06+7+yuX
+            A87uJatXS8K20mDkzygP/j+T3eSzEMB69mPLo+cbhOfcmk29x7Sg5pf/JYAOuYMS
+            XGlIpa/VmqHOVcbD32sm2/M3AOgZBz3D2Tr2tI2JyK4ZqW/7AIFYNhnv7siTXNJe
+            AXNBE4bU/FRXGOH4vOqoVFvBwYOd7Jlr8QnMpFQuBDMz/408lkIojd5njvLsu/4n
+            qE0HKP9Sq3XY8dP4012GbkN9U/m/ca2oqVUy7rrEhGc1gLddlISHMMjNa7GsBw==
+            =fGF1
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc

@@ -1,22 +1,12 @@
 {
 	"data": "ENC[AES256_GCM,data:umKGtD7jTa+ex3ADPs1zR2o9YU2j3y3zCEupCGOsdJyicM7u0efXDI0g755RdPeNJiB/z1DPy+mAkePPq/m93CCppTq0BYyt0JJw53/j3ghCMJj7N3wUVstMUB01jewDSUc7SLay0lkhMCWbrTKsR1pwnfFRAG8C3rWXQB2EkU9FViCo8VaOfEF6Cq9ev/r+SEepT85wvoMxxIg=,iv:bgJXEoj7nRUsi4fA+bYVYvJYavS+BoDuQt2SCrX/2W8=,tag:lmOjPU0J0Qf/vcnO0owTZg==,type:str]",
 	"sops": {
-		"age": [
-			{
-				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBET1RmRTM5OUxJMGNyWUZK\nMXFqUWF2ZHhOZ1pxa0RDbkNzWnVzVFFCbTJrCm1oU25haDl5eFg5T1VzOXByai84\ndTR6TGREVnBHNlV4S254dzh2Z1lvK2sKLS0tIGFLaWJFQ2VwaWtxaURqNDU2ekRQ\na09Hbm4vNnVQaEV1aGtqTTVOUWN2b28KQaoPc/UKaeQ72GdlbtWFdALywHcUkewf\nK5pEz41pzDKOjatypm9X8ZEIEarjOHIZgMpazVM4i1PRUUefSE0phw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
 		"lastmodified": "2025-11-10T01:10:33Z",
 		"mac": "ENC[AES256_GCM,data:4vPX9TdAGGBwzEc3W6pQj+BVKjp2kSAMB/L3QVXZbDHfvyKFWUOqwG8u8P7XDcuIrrpx65YuJp6zwexpJjg5zkU4favJt+uHD1wWC3TZcCpda6v3hGW3RduQAwVy+18JJ+PdSxHzrC4jmj+t/HIKp6Bt7qB0Z1ynrt/CdGIVxh0=,iv:zQQrl19jK823UynE3EXLgazehpWW5ltRCWKdnElVh5k=,tag:zIIgbyXSw6f6xW2CaVW88g==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-08-24T23:36:17Z",
+				"created_at": "2025-12-02T14:59:08Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAwf7TLx0TR1HBhh57CyIQLw8ztc9oblKAW/V7bSlQM/wR\nIwQTcTi3azdI9yewDRO30rIr++FEapdGVdpXoqQ8zcl49VjwDux6wzF3bsmR5Goc\nlTkDd0bmz8RBfsK+6efXiRqo3C0yP2ZTOh3PSOvsXKbYS6wY3TvNBdGnAYrfOvEw\nmBFRhn6uakw3zjVUngB1di07DH3y0wEb/r6+Mzoswzg4DqT1SAdDkfS9dpn9h3MW\n3NBesYlOukLrNA5Toi6x/fmE2lrPHt5QxPdvfvKe5ye4myZ/gBn1mdejB6U9nOsk\nRCJFMosjBH7jIpwokTjUT6Vs+zs8yrF+gbP82H4RVfZymMfdZoU/pTfYe1Mwg6Yi\ntlHyiRBgSPBY8Doa2hM8/yvmfHVMqSQf8uXltz2VC7JUGD6P0QbDLpqY3URmHg/q\nwN3zYJLlSIkU6Z7oivTjfg0dR32Z80lCdZDQf+OQsRtCUi169Fgxr7+HhdxJyj49\nFIb6CR0DHW4vsEj1GPAa0Q4uMfCxLiSZfesY8myoCtlVo7oeqx787KicJB5PryHr\nyZweKd7tXO9g8LNJtECTZ81y2/sCfSZPBia6M4oz56pIFK4jhYCY3iPnWIS77axu\n5MmqZNOP06obp87nt1ea51BmXkaYxmSPoQ5R29CeYU+m9q+kKvizncgsCl/O7U6F\nAgwDC9FRLmchgYQBEADJo2kPzrxLHptsr6aoIxfYNrQ7JJM3FAZ7do5YvAbQsl5t\ny45qZ4+qWIEMRXwji2TvgSg8/ylnZfN2+rTHdtNJkDdJ2sX+RDr8pm7L3VS2Zhjf\nIp1SdPd5cm/3QupegzUR+kcPa+gPM4asGSytIkAnnpev/DCnLsrqiejdosTDj9dn\nFtPKJKSUBzJSNRxBSpM9L+cTU1qyMT024D5Qvq6vBOjFI1YV3LSfVXQe7OZxxxVX\naChkGR1v3UjndQ4Yv9hamJJ81lRLeIcVEOpOPxLHJX76AJUqP3fR/+m2Poah8bFF\n+yIdSp2jyWOoU60We72fvlEwxsTLl8Zani+xX2ckkUCe+wsiGJLch4Df1pepxpef\nb95wZ9L0msRdHY8vRQYapde/ju8CUHgywVX7+YH3EF1bJSnUOBmyOA76v9ir09am\n49g+VomkWUuzPJ2VYQXXH6d/qn/sm9Z9yxy7e1eh5m+9cd42b4sMdW6ZCTMAtGJF\nPX0SiOMR6S0hjKVBcfcyNoT/wo7wqEl4mYDpoCy10K0nYRn+ggJnIZEJzBWibMYH\nDWUDyuQIYLjOBAchFatXyMtbc8qDorYelLX7amPRDSiDhhj6Y5nYMJtUSwfTLwkN\nrI0Q4bjE+fgNACCqPoq/BDFZotcr1b664ZUJqgnTBPKZ5OnmW/iFkOfzu4fF9tJe\nAcekEPwsFbugu2bZ0Hs5Rl/Dh9p4L9gceuMiwJ3oYGA5cwXFCeVZLNqSDLy4upVX\nnXRaMzBNGgWo4geDq5JL10Mh7/1d4GGVxdts8RGdI8zUFTPV3GOaPEHeNyIO+g==\n=2UMI\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAg27rgWRCxICvDLydZqI0o07B04O561l4O7AeLWQ65TnR\nxguqU8QnpivNec8d+EB8n8TrWv4Ed/AqTITXAjmDNWCKYE9Hn2XJwsWjBgonlPyG\nDy3uZQcMJfly25mJe9ystb2W/DVqrRlYv8ioqeRaBKIV6ZamAYIWn0PYWMZDgnK1\nlElG33ekrMvE+iCEIfRrvf/SaiX6+8LI6x+rVKpHJwC7HHg99uWxZS/RF/VroHZ7\nqpgLYlLWcx2Xt2OVdOH1NKLKmk4969UOAgifAJN0o+Ub6PtThtlQnG3goCbI4qxg\nXNCwBHYlWGbne6hOrXdnTgWlasgESc3iG8W6jUc8R2rnqkofoHlfSlB3ElinrYYv\nkxSp69F4K9OD0QBzcZTq7CcEeelYye3ur/+/sk+vOwW+FY9aWWIwRX/uyiqqvhV5\nHxhNXvaPbMwr6UP5vb/DmInVgHnxOBsiG7fYwtCFREVgMB03ML4EFf6wRDsXok/i\ngMYAgsX658E7uCA12peheZrT9UO8Hzhd2aqty8LG+uLDf42B/6/95uM5iCZjWY8H\ng6FIriuog1UcStCVXrM7FbH+Wq618cS567dTUYMsuXB1AU7DxQU9a5dqIfoqAx4F\n6PGd3qhCEaLuqiN2sVjukckzMtFaTZqf5vYTomHiNH88xJlDyFdcqqYH9ATMWLmF\nAgwDC9FRLmchgYQBEACnkjVAIWe7V6MbemMOFRbXMPmJr0e/5JIgG0ao045qhEwU\nZuVamn3JuYMfGK6JaKtzajN+jBrWixjxSs8gROyN1h+bTYH2vChiSpRU2xGGdT8Z\nRmK/KvD72imD2trt/DX+kRAXSjzppCJLSqSc2ndEVorrP02tfKVuBGchVD79X1R1\nGyEvMLSuCwa2scvWwl+lVG30D7lebtdFlBQ+iMyUhe7RSBsYtPo3uUwScOwg1TiK\n3nNtPrNDVU15AuoG3343OJRZpvw/XNbuv09Zu+tPbEIPzUux6KiwkZDBLlfNngC+\n6ti51ttlQvpuW9ESqLA1INEnlPfnXJ4ANMBJefq/E+oI4ihEaeODn6tovmOw6Fil\nF8Ng+bFH6TnsRX8czhv4UomH1b73zvwxt4BRKVHJltBY6GwrLy3AMCOqkK6kIQmY\ntd0k+joZOosdcPkfrdJgB4fHi+RZjegMgRIVZFSw5oe1RvyNIqnWt73WtCOQTVXr\nOSqaxE3cllVbbsCdo6ZqT0EbZPX/UH7DLMgcc9AcueRnDte/8Tk2xrLRBJ6kcVT2\nVVD9ralFIL5HGbH2FmxyvZVP3zbavy1FQWwwKVQQu2crEOt91PDV0SWb20ta1ot3\nYZ/KKmClCllTHsJC8VxXXDiVz0+NjFTEIlrqDsXo4dbzlxqAipW67TCZTaDOBtJe\nATHY0+eECbhizKn9B+qtHBMwO6U0DauAkQhH30Udk3t6DoklF8OJ7/2YbGV19nRJ\ndtjfG5RhPGP7o3E7wGhtf9fHpCU/AgkSR+13UTwAvbl38P2k+qAggeD5xDxrfQ==\n=CANG\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc

@@ -3,20 +3,16 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
+				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBET1RmRTM5OUxJMGNyWUZK\nMXFqUWF2ZHhOZ1pxa0RDbkNzWnVzVFFCbTJrCm1oU25haDl5eFg5T1VzOXByai84\ndTR6TGREVnBHNlV4S254dzh2Z1lvK2sKLS0tIGFLaWJFQ2VwaWtxaURqNDU2ekRQ\na09Hbm4vNnVQaEV1aGtqTTVOUWN2b28KQaoPc/UKaeQ72GdlbtWFdALywHcUkewf\nK5pEz41pzDKOjatypm9X8ZEIEarjOHIZgMpazVM4i1PRUUefSE0phw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UFZTaXFNdjF2UmRFd3VL\nY2pZZ3ZaRkhZSjdVUjIraHV5ZlNaNGtwM3k0CkZ4OVRFcmR3MFBDcmdsbWFId3Iy\nVzQyUGI1eG44d3JFL2NvZEg4NnduT2cKLS0tIEdhOEZETk9nRTlVbmJ5UW9GalVx\nS00yaUpJZVFVNThFei8yRzJYejRkYk0Kf6Z8WnG8phRtFIUWIPys3PW0OImhAcF+\nUFLuL4Qr7zWaeItCRieYCs1yBn7KbUJHZNkJcvnkYW50NYvlEa8wBw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-11-23T18:03:21Z",
 		"mac": "ENC[AES256_GCM,data:8KSKQH7qF2vLnR17a3XhYGAqYq4YNgf7XEkpeNVHD39Aj8MzdlsGPr9vI2o/N1yTpQyJrPW1ntKVvI9rHwcJhm5nyaQiHVwKHWcxcn7li6AeztV4HUqwKxQwf3MHfZ4fhWJrI7NYAuMAbmK6epa/ROGsIGnT6vQh3SImcn+Kkcg=,iv:dT8dBuSsYRxGe93/9ie/6/X4Ru5NDycz2pgMVI83wbc=,tag:r1mPjG/JOQsRDzCktIlisQ==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-08-24T23:36:17Z",
+				"created_at": "2025-12-02T14:59:33Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAwf7TLx0TR1HBhh57CyIQLw8ztc9oblKAW/V7bSlQM/wR\nIwQTcTi3azdI9yewDRO30rIr++FEapdGVdpXoqQ8zcl49VjwDux6wzF3bsmR5Goc\nlTkDd0bmz8RBfsK+6efXiRqo3C0yP2ZTOh3PSOvsXKbYS6wY3TvNBdGnAYrfOvEw\nmBFRhn6uakw3zjVUngB1di07DH3y0wEb/r6+Mzoswzg4DqT1SAdDkfS9dpn9h3MW\n3NBesYlOukLrNA5Toi6x/fmE2lrPHt5QxPdvfvKe5ye4myZ/gBn1mdejB6U9nOsk\nRCJFMosjBH7jIpwokTjUT6Vs+zs8yrF+gbP82H4RVfZymMfdZoU/pTfYe1Mwg6Yi\ntlHyiRBgSPBY8Doa2hM8/yvmfHVMqSQf8uXltz2VC7JUGD6P0QbDLpqY3URmHg/q\nwN3zYJLlSIkU6Z7oivTjfg0dR32Z80lCdZDQf+OQsRtCUi169Fgxr7+HhdxJyj49\nFIb6CR0DHW4vsEj1GPAa0Q4uMfCxLiSZfesY8myoCtlVo7oeqx787KicJB5PryHr\nyZweKd7tXO9g8LNJtECTZ81y2/sCfSZPBia6M4oz56pIFK4jhYCY3iPnWIS77axu\n5MmqZNOP06obp87nt1ea51BmXkaYxmSPoQ5R29CeYU+m9q+kKvizncgsCl/O7U6F\nAgwDC9FRLmchgYQBEADJo2kPzrxLHptsr6aoIxfYNrQ7JJM3FAZ7do5YvAbQsl5t\ny45qZ4+qWIEMRXwji2TvgSg8/ylnZfN2+rTHdtNJkDdJ2sX+RDr8pm7L3VS2Zhjf\nIp1SdPd5cm/3QupegzUR+kcPa+gPM4asGSytIkAnnpev/DCnLsrqiejdosTDj9dn\nFtPKJKSUBzJSNRxBSpM9L+cTU1qyMT024D5Qvq6vBOjFI1YV3LSfVXQe7OZxxxVX\naChkGR1v3UjndQ4Yv9hamJJ81lRLeIcVEOpOPxLHJX76AJUqP3fR/+m2Poah8bFF\n+yIdSp2jyWOoU60We72fvlEwxsTLl8Zani+xX2ckkUCe+wsiGJLch4Df1pepxpef\nb95wZ9L0msRdHY8vRQYapde/ju8CUHgywVX7+YH3EF1bJSnUOBmyOA76v9ir09am\n49g+VomkWUuzPJ2VYQXXH6d/qn/sm9Z9yxy7e1eh5m+9cd42b4sMdW6ZCTMAtGJF\nPX0SiOMR6S0hjKVBcfcyNoT/wo7wqEl4mYDpoCy10K0nYRn+ggJnIZEJzBWibMYH\nDWUDyuQIYLjOBAchFatXyMtbc8qDorYelLX7amPRDSiDhhj6Y5nYMJtUSwfTLwkN\nrI0Q4bjE+fgNACCqPoq/BDFZotcr1b664ZUJqgnTBPKZ5OnmW/iFkOfzu4fF9tJe\nAcekEPwsFbugu2bZ0Hs5Rl/Dh9p4L9gceuMiwJ3oYGA5cwXFCeVZLNqSDLy4upVX\nnXRaMzBNGgWo4geDq5JL10Mh7/1d4GGVxdts8RGdI8zUFTPV3GOaPEHeNyIO+g==\n=2UMI\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//Qx2BW0k3Q/pAvbKZScmhoIoFpV5nb+ZB72J6+f2HQLSv\nVQP72XDoYyIfW7ERsY09gkNIJejZ5n/fgB5KkyEqsBRP4fYDXl+XfAvPTu3YuQOo\n9mA2baJ0HkBnsrikycaUQAIXMMCAUBS6Ooi1blQeYA9khqr5Kc361IwB4bv8WcIz\nGcBPSWBc3B86qK/v8l0Kle1mcUu9RFxNZkitjxKdf9GDn6gKo3yBWt+/8NJLDUTq\nHjrBH4WpqB8mVDupg/p6OUASc8y0pnNmbU0GK3is4IO/bk9QqPX/t2y4CUhlE3Bh\nnxYGYauohXGs/IbCGXtkd/wRcMwsXtgkZYT/wfu44/O2VW7V7MpBGVlTXmOWK5yI\n2dkqpAt2T5tFVDDX8bqDfZ2xbGgSLsY/XWwNzl60WSvcAnFoZSf4mu2RJFLAK5QZ\nGDz+N8shR8BgkzIWIjMwzBbUB+3snYkJVA7wm/idhernkB0E83JAOOHk+UGuHFWA\nkrrWPHRWf4Gy5ZEmkzVACfhzH9AbPP8yHbTh5y33I7Yv4E+4qjoVEwTNA1LSYy17\nlaMI410x7htrzxv8M06LlE47HrJPLu3+YHUPKQC/LzV831LB9IYymskYL3rYUHzn\n7BS+9Njfg+7cdHXjRABZk2yz2+XZlSLIyCC82Kbmybd3F+s8u/pP0N0TcBDTPrSF\nAgwDC9FRLmchgYQBEACaz79q7F+YshiA4MSiKoiwgVnq0HWruMtQ+exE9Ky/hTfT\nCnNn43KSE/s4KytcB8KPkXPpZ/BHSv+oxY/XGh1dNWnKQocyCHqEOax/QruAu7VS\n/CbxyUFYQS4sJIbfmQLkx/FEnaHenSOTjOBatlnVFQ3qn6MjXyq1LThyfGaMlH84\ntAUYnNG3MQsz/U7Pj2nkScfDZ0XGIu2rvB2ddVdkjr1H3acQVplAlw88yGD+lDOA\nqnafNS8FgUtXoXCPVe6SRdpqfWPGmn1jhvjCiCUtzZG3RPew2AV50RAlxP2AEXY0\n6cMeL+NJdqIGaP3Ttyn9oVbroW4N7p3rb/AGj4ZRy4QOXPkWI088qmhYgIpjJZM5\nI3g80gnkBfFrOaVM1RVfn1smT9KlCR/8noKTE3ajBaTZZJrzBclzATdkGi7rIaqS\nvAWH9LnEGFs30W/mj9avis8aJwiPYsO+1ah5sVMnNKMo8KND2MMy+EI6AvgwJKz1\nNQoIP7jHB3h8sw91Z9YhB0RTQ8yCG+IrpXnWGAVAcswtTtJbBQlXxc/h0jpT4Yw0\nV+J6xX5/PI/ZQbIbj/i5hgh+8lsvG3gRRh0zH8nSNf7yMTYQe6iAe9xHRH/kSHX/\nOwObvvrCzZcsX8b6gTXn9AzXYGST3j3wBa8sQH0NRkcZFsCh30FhEDApItQA8tJe\nAbaLVOZ9WKJCCVkTJCOBCus1zInXbFr1ZQjTciJ4WjnqedH6SVvPC9HmI9vDCXw4\nzonohAH+mjtmoRfwMGdiJO74IfX81p5MwOX94TwYB2gAp6ycyCHjZgUtpAFPKw==\n=wNQ4\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/winters/secrets/secrets.yaml

@@ -49,47 +49,47 @@ anki-pw: ENC[AES256_GCM,data:h4RBhKV6ZzDQk7s=,iv:r21zH3sDKwRxfi8A1DPNEVhKTbb35qW
 kanidm-forgejo-client: ENC[AES256_GCM,data:2iXE/dmOQtY2NEsBgDqkqwD/brF0vJs+Ag==,iv:PBQ03z/E6R+u7Y56fPzJSnsoCa5PUYSiezZFOMLz4eo=,tag:jThgOC6h2hHJUclDju/MtQ==,type:str]
 sops:
     age:
-        - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
+        - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRkpkWUJicWZkVStiWkZm
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVL1FJNlFQeXBJWEoydWEy
-            d2lYR0o2dXFsUDdHUjI3YjJSc2FDM3FDS1dFCnE4TDRCTUg2OUlocGVaL1lNd0dT
+            dDZiNTYvSE9ZWE1Sb2xXZjRWMzhRYWQ1UENJCmkrSFNsZk51aGZtSnJoWlQzbURS
-            cUFBbDQ0c1hHTmlBbnNsR0hjNFdidDQKLS0tIHNWSzUwSkdZZWZiOFpiVVVGNXlh
+            aGJQTVpQMVJFTldwYldzN0l0cnVTeWcKLS0tIDlSb3BwV1ViYU4ySWc1dzdPbTMx
-            MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
+            c0lDa2EvQkUwM1ZIc1ppY1REZnlPKzQKJRXSl8SYQwzgPw+twNAFy3y+S2r7JwS0
-            qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
+            xESNBdFS4Ntg9gXENRBzCaGmoOJfiFtGditBlvWUwbDYwLdn/y3kIQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-11-28T17:45:19Z"
     mac: ENC[AES256_GCM,data:lIdIP+Js+FzjJCoClGxqP1epl5fVkPzfJmOVauFNlXKRxx90/E3478oQHi/KbP7eFgPoy+0hAbMwnBmo/1tOKb2ky80/6IMEkbftiO7YZqy8opbSbCtj6ypOOwwPf5rgtXHn0LV+EtDQZzIBY6GhcERO6IQpFRAXeIkSGcpM3TE=,iv:sphhFBg1xgupLGQzRovea0wvsTolzfW/z+gjj9CyklM=,tag:bdo9FlPPYKdl87lsBsiEsQ==,type:str]
     pgp:
-        - created_at: "2024-12-17T16:24:32Z"
+        - created_at: "2025-12-02T14:59:44Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwDh3VI7VctTAQ//XSGUC2tN5WFAcjrJK9uj7gh5l5vrpPxhQZWI+rBGukeG
+            hQIMAwDh3VI7VctTAQ/+N3ZPYAsZ2e/nJZAxuSJd+kmlAk+JHJFrf0K4e/u6Cpct
-            dQZKiLtmdxS3XcLYRfTOEpuBj5ThKwR51Nw+W6HAXWl76Z8BFON7J8dJCmVMvqZy
+            T/UmlYpX4w3LMjkctSzNvBbih/aQgrSTlBfalffxh+B/NBqnWZQn3BfgcRtJYdxq
-            UJN+PpeLWpmtNIP9ZlVEYcvz4kaPV5Z/1WoApNEi5ean6W1nyWEHDsFfrXwtDYes
+            Oov3bCNXuJuvQvvc+J6FAZ3hJUnSOfZX//KAgO6osYQ0UePkE6a5mWjsflO0u7d7
-            vNehJG/HnNCo89MEgp6rpnART5Q/lu1h8kYFMvTMPAcGS2I7C/P2vyT/9zklaNpC
+            H8iPt0T9O427sN7mi6D3Nx4okjeRPLWEAyel1i4Obcr+w4xMTsDQJyTvCT9EnIfA
-            kWDla4QUFutnDkqtIWJtAfX5etJ+sgs+qCU/YhBAW7goOGetORklhlCvpL4Izddl
+            STTUAhIIbNYW9UU9OLhx5du+uar4TrEMzw0x709WXxyX5hZpjEsJ1XefqI62utLb
-            o/7y9S+qK2IEDm2IOCqvOtNgiGRyodvfrE1GeCT5UHoSpwXIfpqY/+zMLQN6LAVi
+            LseYg1XXkBtfnkbUzVGHjCzi2pifGaBYklZOlgYnd2gCIwxqlp8QQrBSsViPhSTw
-            3k/gLBSk1t0linguBElV79mxasymXpoIvm5obuUazz/yTei7PJpy9e37hbxQVSIq
+            p3Iee+FfAVeJLfk6Nn9M25j4v0WymyM5DcWVkHfG3X3Jmh0ZpvKeyN0PMl3OnwFd
-            fCA5q8kulhyNaQjs5TtzzVLtIUcWrXoypgxDbBB/GCr3DaRmoww0RHhxlZEsVjKf
+            Ol8gZGAvfj1d38XzP5RcG/ezDPXSKE2BMju+KpTlWCVSO2o5mJhN9DrDzgv4TaBj
-            I0zMAz/dzfjey85OVommkCGQ48yvF4B1jXfn82ebdo8JzgMbnBZx0z5mLChq3Tfw
+            QVOkA+XmeT3UXoU7qUPFm4pLGxLm2hSPLDDOSjRxSMcG9QmsRs3fK4FaxQ6+NELi
-            8aDvgRc3XwoyoyAxDbcYswWVHvBznXfKcd4141V1ESsJYR0ucDokyG5PeMK3oe0d
+            RtG3xY3ZtdIeMKGsrclaRI2TTDeXsO66IzRbfEh6Kb40IoXcEjMQB+EMGw6qVs1S
-            boyQ8z8oby+4b+HNhwquos/kbVyvIya78UK+OMsJVddR4Wxfzg5MPozmjQCDVzSF
+            1m81oKNquiN+MCyZST7WbGsQAGcW0h815V+1O0oBTzXvgNIvGIFBu2k2WjqsT/KF
-            AgwDC9FRLmchgYQBEAC7UHMJIQveWcvTh0T5gqaYig7R8GToFAe4gXRFbE66pbWJ
+            AgwDC9FRLmchgYQBEADAP8JaZPeXM9n2rkVuiPijTBD8cutEbXQh6orb8susSzqS
-            WrzbnvpWPejHyLLRPz92eO0cFx1kGIx5pU8GRzVv8ZNUPhfrxnZanpt1OM2XhPrO
+            ukflPweamJRFdWUkxzCFLZGbnx/Hxx+wjwyPTeYFJDGTafYj9Qbls+jlVPYycUJ7
-            rXrYI7tjhKV6arkgufr7zoUp1uvPt74PAdtcjxyOzel+YJTnGVxDnw9SE1fZwz4o
+            Mp0XaqTDBDKGJF6n2Qyl2RSrl1j2fB/94Z3eQLMmdR2ojuyAMUcVK3+/NtooV7yH
-            UGujT/5TANf2W2b934PW+jgvLzIBFBK8z1dk1FRsRaYepAE8P3GzFh1MkJTog5Xi
+            WcB89pIhLeRU+D+qvn6Yr64m0lc65FIVo4zYxGEVCf/RRYrC2nGEeAUxjfEAnAJo
-            4QMUtx5603/TAxaR3PoLqZ8URr4mu9Nuzjdufz2VUT5NzHF/tjJ11kL9YV5Cztll
+            OvO+yKPvmzL+Xn9Ecc/OC6axuzuxuDm/X89b0QE+TuvzqEPwm45s9RUkdco8nDJX
-            i7AHdEOWObruayFlFlz7p+cf/MvGWLrBzx0mrjjj9xabOZngjBzlkntfGQF2Z6NA
+            23Ds5BhuX0h++2SjfWXUOAfj4VCgTPTUE+hWor96FDGdneKvpIt3rUVdEg/ggRae
-            ai7/lgylY7UzenmXScDYiHBBKvUhZlo/aRm/P0DXvcPgay4TyG59mwVGw37eRlp6
+            SOpn5f0dXtin0K1QQZENcj38ldr4AremCaQVc0vg3IEl/3Qz0xNSX//YjJxUbHmC
-            050B0shFW0Q0zpyaCDBvLk1MpGzEOk4rwxmGnlgkN+ucdnIEBbaaAWKytUWLqhPL
+            5WvFMXTrIbpnnEoVdk+UavAsaL9mOOhRRU8feyMSawztLV2mJLBDz91hQP7UE520
-            v8y9ACBeKhmTCUbaPx8ZrRYMGSNR++D6CaS/evFOXCKmKk9vVpCHC8oNUYEEmh0u
+            4k3DWf+6KF3D9V0B9WCfapTPWjiJZrHWI2jBZzJ2KAZx8LLoRrNlVDUJ79lYI/y+
-            6brYvlWHDCP+iBrU3kWvVi9tQNw8uA7484a25nPl3nXaIvZMnDqZz9TR5R3Y0iPr
+            Xk3s9O0jq9BrLSLm/CLar5JwUY26ZxUb8buvzXovABqggjtWI+uUPdNR8CGrcFgH
-            RFCnoh+dxz3eFyNApoixi3TeE84HFS+vBJW6ltL9bGcUtTTkPvpZaYpfYk/sj9Je
+            4pcyrzkUc0YqR+SkI/xVAAXuD3LqLA2OkJGCI47duEkv2GyHvLe/ZRh0/K66n9Je
-            ARU3lavfUxnA09R5Rg+JV8VQIN5Alir93aiqir2hN+qk8PDnL/vM5LqL3OW1GM5G
+            AW0Rgbbszs5H51MG5OKM8PYg/fP9wkMlAjEoSvk7I853CFibR5frNhDwYY859Xsf
-            yx+BAO+JfvOdZf+L1EwKtA7RqJPp7pxGtdgvzO+9lpUVdGN1A3wLwekp6obNpA==
+            YEHROhyEE+2nCui16IJ2DkyEXK+yO33cPLyXJ0Z+kRb5toRALr5o3iOgo1x5rA==
-            =O/2K
+            =SXse
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted

hosts/nixos/x86_64-linux/winters/secrets/secrets2.yaml

@@ -0,0 +1,56 @@
+#ENC[AES256_GCM,data:K3S1LFrPmaS5,iv:dxFzPLhN2otgy02VWzrLURmomtYdoIBHvEJ1LJ7Lj9k=,tag:stKgkBnRDZkCPlvFk+btRg==,type:comment]
+radicale-user: ENC[AES256_GCM,data:2G+WXxw6jrnPXsI=,iv:bUEhBDrdTt+O/4TXMkhmqnzfkSiws4n7L54Z0zZnSOI=,tag:JGQPit5uGqITUyyCpU3OIg==,type:str]
+#ENC[AES256_GCM,data:+7JEI2P/6/5yiWQ=,iv:hV4TyNFsyugrfFM0emxGDDDq54XWy7fVCf/kwD0mtCM=,tag:iZz9mPsLG02rlgV1vP8aBQ==,type:comment]
+prometheus-admin-hash: ENC[AES256_GCM,data:dUmTW6W419TzF8dLGcgRLlbLBg9puzgznNCrrAuNOIuhXCBrqaJdtyIVFCsnrDSEh1ZdMfGki4UERZcf,iv:XIlb65V6yhrKSU7AbRs6k1ISljZjWnAm1dPTCONwDJI=,tag:UkdDTywivitSxYR902uM5A==,type:str]
+snipe-it-appkey: ENC[AES256_GCM,data:VWEGKbCD5P3uxeyMVtK9a7BcVjXlXSEsJxfLEwkHz8l5o0Xq9lTbTpsfOoc=,iv:3nq+xuuujjevWdmk3SdBai/EWXwL4F3Kv4M3yc/faIM=,tag:/cNC/EKR1NWQhJrh46meCw==,type:str]
+snipe-it-db-password: ENC[AES256_GCM,data:O+LgX+XyJEaF+1oYcjyMpUab7AD7tWK3LBd+7VJOKq/Mz+k=,iv:yJgwlG/ln5BdwW2c62UJLIkrCWakKvj64LMQsjTIwJI=,tag:yw0rC1GJo+KMn1wXRdJomA==,type:str]
+#ENC[AES256_GCM,data:jGvWDKbVKA==,iv:N4cMopsUPOfymKpMD7oB04VtS0cUX9yNNqwyWEdyMi4=,tag:L4PMmMcM1NCc8LPG6GJLMQ==,type:comment]
+garage-admin-token: ENC[AES256_GCM,data:2N2kqXt7kraqMQEkDuNQN3SRiL2WKRA959Uc7HAdSlZcC2Ft06YUb+Elktw=,iv:dhAZoQBhvK07+wBpMEsI73YN2oX9dMthV3SaDWZgea4=,tag:0Pu0BDEYU9WYQQ1hJr8qFQ==,type:str]
+garage-rpc-secret: ENC[AES256_GCM,data:s8qGCm8WM/pvX7wZJyenohMAHnNWrumUxyJvst194h2XPfpLBbKVZwZ5t4zkwqh0yJNgLqE+2ekwCxa/xKqemQ==,iv:zUo/x2LWS7b2E2kZHDfa6lAwxAcuNir5a+mg+ASDarE=,tag:XgBh3ajVDy0vWccX8yZXSg==,type:str]
+sops:
+    age:
+        - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cy9Md1hDczh5a3R0cHBk
+            WkhVQjF0Z2M4Tkl6cUhKengxQURjbTIzZmdzCldLQkNieWxPbWUweTBsTGhTVXdk
+            ak5vbm5MMnV6ODhYMlVIZ1VCNCtrS1UKLS0tIGE5NW1oMjdEOG44LzVPSWJBRXRH
+            Vlo0aFFGYStnUWFINS9pQmI3UVA0QncKVwXbULXogQRI1naoeyV2OdIcFA0khAaA
+            jNEQyT1ijbq/w445dN9AhJIWiD+r3JdF49HCyqw2Vfw2uaQ0VSGVEg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-11-05T14:55:44Z"
+    mac: ENC[AES256_GCM,data:nyz3jp/qV8bwgx0q6c7RmXtzdmwVrt8C6FU36qtzUm8tPlAd1K7MmgxRKFi85NqOu3XPII2OkwhNPRBOJuQOoXGfo27odfZl4riQ+any4GNarDZ5deZ54+kjgqyvP70dsm/tiZgZ8Fjwat4iLV+mqJYMS4OBl5krr5ocU+LY1pU=,iv:l56tIBgMog4HSxP9Fb4pWSD/z5FaPlHRkUYqlkhydzc=,tag:IT++kT0EncDzEEX4DdjW3g==,type:str]
+    pgp:
+        - created_at: "2025-12-02T14:59:37Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTAQ//dPCsdkrC5mSklMv6p5BYAznEEoH+lzjiL0ZEWj1ZzOFR
+            PNWlhPyievd0MR995M7M+MEjLEcfIPR59kviuWhSHgb/pQwOL4lDFhDeno44Z1o9
+            PSHI7Fl0Ew0QSm+PLjUgdhcKTBJNvUtJuK243oaXCbWLHGXbaFBdEkZcgMBTP0mo
+            8eexRFk81ggxzwbJhbmVmXBvn+mpdvFqnphZY0tL1bDiZ53OKA9YsKQAA5gwNKGQ
+            oaDS1mxVbxazsgWNqFLyQzQHua/gGQu8l8kTm2qB+MB5qbT6kFrTjRnQlXKmp6t/
+            0/+QUox1IG7bu/h6AJMaixbGVup+YkMcIW7Yplhd6r6pBENtCrCS/9I3ichjwk19
+            WyPI5HIYd1ojwiz7N6MMweshAZSGA4HHPJH/i3BaRGiGmKPAjF4IqJ/9VSqdyrA4
+            cb04Yg6vJEeZMoApEggbS/sWoi2OIetpCyijF0GhRO+jaxRZh4i7LyixOVocfRSp
+            QW9xfyt3FwCQNZYSIu4Q/xUE4twC8mPGYdrZn0Wmtran7Riwpm8X6kkSg/yan4/q
+            2PFhglzyWB2of3zEbWJF5bXlZi8LY/CkC26Jhpeo4kV2414sjWf/VScqGKoZZivx
+            az84NTpSQsd5DdLDPTXpMCekBTSEs7Qi5ynLvfljGAIwXMdXx96EmQEQ0AHgXhGF
+            AgwDC9FRLmchgYQBEACOT9l+VWm9JDIkrYK8JXRcXo0hryvR+b4T2yfNJqRSzIu5
+            rUcgbjKdehBW3trWiAnn4P3PpGnkACgbWYdNRjdTxYRTi0ngjb2IoMkMlEeBklpE
+            hPK+T2NhdjXcz9kOgG8zBu3rKq4hZDrno+s7RDEtQdAu+ocBljz6KtkPvx0QDwsU
+            vX0f+ANsdWVBcgkkQbnHP+htI7GOan0KjTCNaFCYjXYpQ6AjdyosRNOVLs336LUj
+            +M5oOhvLAIYD5djQ+xQcSp1Ysml5NqttIlQbW+Pdm4WCi+Aq8QQ+IMQQCPBwJwx+
+            NjzcxTrtvMQ0s6lFR/BpO7YCTuyQtU9QAmxlf/mLmw2eG40+fmTHHfmWdgdOaYNV
+            /2V9t55LnyVeBOzBBta1yt6r+TjIrSPnEnDeeffJ0BrRX5SRxkYAht946qZLaaw8
+            k2gLVqdwCsc04pM64Gy2/pazU5tVJvOifds0hHGDiCSB7lbqIXJGtj4hDqTfFNyq
+            U0RUQLoD2Chu+JPlP1I/yrwjbOfYd/8WrqAp9lLq1VrMYxRbJ8VR3iKMt52bL3LB
+            8wBHd3fK/dqjRsWqmjXX9MgH88QEMoBMlmZFhHduSNn1b8G3euC/X0TuWtitrhfD
+            AuC1ltIYyPIPi9hDCnTVGIdh0Yd2sSRcNSDm9haLGtujKI+dX++gHcS10FWlAdJc
+            AVicyxR4eepEnBDypeofatCECsYftWsIF7u5avxPbfN30l5kO9PKaI0J1t/n1r0w
+            +5Q3mRfDzBJcAQOQ7aHGcMJd7dvdm0VC89JsCoI3VA08g/dimLRZyBhVwY4=
+            =oajO
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

install/installer-config.nix

@@ -1,6 +1,6 @@
 { self, config, pkgs, lib, ... }:
 let
-  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
+  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/public/ssh";
   stateVersion = lib.mkDefault "23.05";
   homeFiles = {
     ".bash_history" = {

modules/home/common/anki.nix

@@ -1,4 +1,4 @@
-{ lib, config, pkgs, globals, inputs, confLib, ... }:
+{ lib, config, pkgs, globals, confLib, type, ... }:
 let
   moduleName = "anki";
   inherit (config.swarselsystems) isPublic isNixos;
@@ -54,7 +54,7 @@ in
               })
           ];
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
       sops = lib.mkIf (!isPublic && !isNixos) {
         secrets = {
           anki-user = { };

modules/home/common/emacs.nix

@@ -1,4 +1,4 @@
-{ self, lib, config, pkgs, globals, inputs, ... }:
+{ self, lib, config, pkgs, globals, inputs, type, ... }:
 let
   inherit (config.swarselsystems) homeDir mainUser isPublic isNixos;
   inherit (config.repo.secrets.common.emacs) radicaleUser;
@@ -103,7 +103,7 @@ in
       startWithUserSession = "graphical";
     };
 
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
 
     sops = lib.mkIf (!isPublic && !isNixos) {
       secrets = {

modules/home/common/gpg-agent.nix

@@ -30,7 +30,7 @@ in
       enable = true;
       publicKeys = [
         {
-          source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc";
+          source = "${self}/secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc";
           trust = 5;
         }
       ];

modules/home/common/mail.nix

@@ -1,4 +1,4 @@
-{ lib, config, inputs, globals, confLib, ... }:
+{ lib, config, globals, confLib, type, ... }:
 let
   inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
   inherit (confLib.getConfig.repo.secrets.common) fullName;
@@ -200,7 +200,7 @@ in
             };
           };
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
       sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
         address1-token = { path = "${xdgDir}/secrets/address1-token"; };
         address2-token = { path = "${xdgDir}/secrets/address2-token"; };

modules/home/common/settings.nix

@@ -43,11 +43,11 @@ in
           trusted-users = [
             "@wheel"
             "${mainUser}"
-            (lib.mkIf config.swarselmodules.server.ssh-builder "builder")
+            (lib.mkIf ((config.swarselmodules ? server) ? ssh-builder) "builder")
           ];
           connect-timeout = 5;
-          bash-prompt-prefix = "$SHLVL:\\w ";
+          bash-prompt-prefix = lib.mkIf config.swarselsystems.isClient "$SHLVL:\\w ";
-          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
+          bash-prompt = lib.mkIf config.swarselsystems.isClient "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
           fallback = true;
           min-free = 128000000;
           max-free = 1000000000;

modules/home/common/sops.nix

@@ -1,13 +1,13 @@
-{ config, lib, inputs, ... }:
+{ config, lib, type, ... }:
 let
   inherit (config.swarselsystems) homeDir;
 in
 {
   options.swarselmodules.sops = lib.mkEnableOption "sops settings";
-  config = lib.optionalAttrs (inputs ? sops) {
+  config = lib.optionalAttrs (type != "nixos") {
-    sops = {
+    sops = lib.mkIf (!config.swarselsystems.isNixos) {
-      age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ];
-      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml";
+      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
 
       validateSopsFiles = false;
     };

modules/home/common/ssh.nix

@@ -1,4 +1,4 @@
-{ inputs, lib, config, confLib, ... }:
+{ lib, config, confLib, type, ... }:
 {
   options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
   config = lib.mkIf config.swarselmodules.ssh ({
@@ -24,7 +24,7 @@
         };
       } // confLib.getConfig.repo.secrets.common.ssh.hosts;
     };
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
       builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
     };

modules/home/common/waybar.nix

@@ -1,4 +1,4 @@
-{ self, config, lib, inputs, pkgs, ... }:
+{ self, config, lib, pkgs, type, ... }:
 let
   inherit (config.swarselsystems) xdgDir;
   generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
@@ -320,7 +320,7 @@ in
       };
       style = builtins.readFile (self + /files/waybar/style.css);
     };
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
       github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
     };

modules/home/common/yubikey.nix

@@ -1,4 +1,4 @@
-{ lib, config, inputs, confLib, ... }:
+{ lib, config, confLib, type, ... }:
 let
   inherit (config.swarselsystems) homeDir;
 in
@@ -13,7 +13,7 @@ in
         confLib.getConfig.secrets.common.yubikeys.dev2
       ];
     };
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
       u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
     };

modules/home/common/zsh.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }:
+{ config, pkgs, lib, minimal, globals, confLib, type, ... }:
 let
   inherit (config.swarselsystems) flakePath isNixos;
   crocDomain = globals.services.croc.domain;
@@ -133,9 +133,9 @@ in
           # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
         };
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
 
-      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
+      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
         croc-password = { };
         github-nixpkgs-review-token = { };
       };

modules/home/optional/work.nix

@@ -1,10 +1,10 @@
-{ self, inputs, config, pkgs, lib, vars, confLib, ... }:
+{ self, config, pkgs, lib, vars, confLib, type, ... }:
 let
   inherit (config.swarselsystems) homeDir mainUser;
   inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
   inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
 
-  certsSopsFile = self + /secrets/certs/secrets.yaml;
+  certsSopsFile = self + /secrets/repo/certs.yaml;
 in
 {
   options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption;
@@ -652,7 +652,7 @@ in
       };
 
     };
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
       harica-root-ca = {
         sopsFile = certsSopsFile;

modules/nixos/client/network.nix

@@ -1,7 +1,7 @@
 { self, lib, pkgs, config, globals, ... }:
 let
-  certsSopsFile = self + /secrets/certs/secrets.yaml;
+  certsSopsFile = self + /secrets/repo/certs.yaml;
-  clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
+  clientSopsFile = "${config.node.secretsDir}/secrets.yaml";
 
   inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
 

modules/nixos/client/sops.nix

@@ -5,8 +5,8 @@
     sops = {
 
       # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
-      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
-      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
 
       validateSopsFiles = false;
 

modules/nixos/common/home-manager-secrets.nix

@@ -4,7 +4,7 @@ let
   inherit (config.repo.secrets.common.emacs) radicaleUser;
   modules = config.home-manager.users.${mainUser}.swarselmodules;
 
-  certsSopsFile = self + /secrets/certs/secrets.yaml;
+  certsSopsFile = self + /secrets/repo/certs.yaml;
 in
 {
   config = lib.mkIf config.swarselsystems.withHomeManager {

modules/nixos/common/home-manager.nix

@@ -1,4 +1,4 @@
-{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, ... }:
+{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, ... }:
 {
   options.swarselmodules.home-manager = lib.mkEnableOption "home-manager";
   config = lib.mkIf config.swarselmodules.home-manager {
@@ -10,7 +10,7 @@
       overwriteBackup = true;
       users.${config.swarselsystems.mainUser}.imports = [
         inputs.nix-index-database.homeModules.nix-index
-        inputs.sops-nix.homeManagerModules.sops
+        # inputs.sops.homeManagerModules.sops # this is not needed!! we add these secrets in nixos scope
         inputs.spicetify-nix.homeManagerModules.default
         inputs.swarsel-nix.homeModules.default
         {
@@ -31,7 +31,7 @@
       ];
       extraSpecialArgs = {
         inherit (inputs) self nixgl;
-        inherit inputs outputs globals nodes minimal configName;
+        inherit inputs outputs globals nodes minimal configName arch type;
         lib = homeLib;
       };
     };

modules/nixos/server/bastion.nix

@@ -14,9 +14,9 @@
           group = lib.mkForce "jump";
           createHome = lib.mkForce true;
           openssh.authorizedKeys.keyFiles = [
-            (self + /secrets/keys/ssh/yubikey.pub)
+            (self + /secrets/public/ssh/yubikey.pub)
-            (self + /secrets/keys/ssh/magicant.pub)
+            (self + /secrets/public/ssh/magicant.pub)
-            (self + /secrets/keys/ssh/builder.pub)
+            (self + /secrets/public/ssh/builder.pub)
           ];
         };
       };

modules/nixos/server/disk-encrypt.nix

@@ -49,8 +49,8 @@ in
             enable = true;
             port = 2222; # avoid hostkey changed nag
             authorizedKeys = [
-              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''
+              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}''
-              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}''
+              ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}''
             ];
             hostKeys = [ hostKeyPathBase ];
           };

modules/nixos/server/dns-hostrecord.nix

@@ -0,0 +1,14 @@
+{ lib, config, globals, dns, confLib, ... }:
+let
+  inherit (confLib.gen { name = "dns-hostrecord"; proxy = config.node.name; }) serviceName proxyAddress4 proxyAddress6;
+in
+{
+  options. swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
+
+    nodes.stoicclub.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords = {
+      "server.${config.node.name}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+    };
+
+  };
+}

modules/nixos/server/kanidm.nix

@@ -1,6 +1,6 @@
 { self, lib, pkgs, config, globals, dns, confLib, ... }:
 let
-  certsSopsFile = self + /secrets/certs/secrets.yaml;
+  certsSopsFile = self + /secrets/repo/certs.yaml;
   inherit (config.swarselsystems) sopsFile;
   inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
 

modules/nixos/server/monitoring.nix

@@ -1,4 +1,4 @@
-{ self, lib, config, globals, dns, confLib, ... }:
+{ lib, config, globals, dns, confLib, ... }:
 let
   inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
 
@@ -11,6 +11,8 @@ let
   kanidmDomain = globals.services.kanidm.domain;
 
   inherit (config.swarselsystems) sopsFile;
+
+  sopsFile2 = "${config.node.secretsDir}/secrets2.yaml";
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -25,7 +27,7 @@ in
         grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
-        prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
+        prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
 
       };
       templates = {

modules/nixos/server/network.nix

@@ -1,7 +1,8 @@
 { lib, config, ... }:
 let
   netConfig = config.repo.secrets.local.networking;
-  netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}";
+  netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}";
+  netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
 in
 {
   options = {
@@ -16,6 +17,11 @@ in
         default = netName;
         readOnly = true;
       };
+      netConfigPrefix = lib.mkOption {
+        type = lib.types.str;
+        default = netPrefix;
+        readOnly = true;
+      };
     };
   };
   config = lib.mkIf config.swarselmodules.server.network {

modules/nixos/server/nsd/site1.nix

@@ -3,7 +3,7 @@ with dns.lib.combinators; {
   SOA = {
     nameServer = "soa";
     adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
-    serial = 2025120201; # update this on changes for secondary dns
+    serial = 2025120203; # update this on changes for secondary dns
   };
 
   useOrigin = false;

modules/nixos/server/radicale.nix

@@ -1,7 +1,7 @@
-{ self, lib, config, globals, dns, confLib, ... }:
+{ lib, config, globals, dns, confLib, ... }:
 let
   inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
-  sopsFile = self + /secrets/winters/secrets2.yaml;
+  sopsFile = "${config.node.secretsDir}/secrets2.yaml";
 
   cfg = config.services.${serviceName};
 in

modules/nixos/server/snipe-it.nix

@@ -1,7 +1,7 @@
-{ self, lib, config, globals, dns, confLib, ... }:
+{ lib, config, globals, dns, confLib, ... }:
 let
   inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
-  sopsFile = self + /secrets/winters/secrets2.yaml;
+  sopsFile = "${config.node.secretsDir}/secrets2.yaml";
 
   serviceDB = "snipeit";
 

modules/nixos/server/ssh-builder.nix

@@ -26,7 +26,7 @@ in
         isSystemUser = true;
         group = "builder";
         openssh.authorizedKeys.keys = [
-          ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}''
+          ''${ssh-restrict} ${builtins.readFile "${self}/secrets/public/ssh/builder.pub"}''
         ];
       };
     };

modules/nixos/server/ssh.nix

@@ -22,14 +22,14 @@
       ];
     };
     users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [
-      (self + /secrets/keys/ssh/yubikey.pub)
+      (self + /secrets/public/ssh/yubikey.pub)
-      (self + /secrets/keys/ssh/magicant.pub)
+      (self + /secrets/public/ssh/magicant.pub)
-      # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
+      # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
     ];
     users.users.root.openssh.authorizedKeys.keyFiles = [
-      (self + /secrets/keys/ssh/yubikey.pub)
+      (self + /secrets/public/ssh/yubikey.pub)
-      (self + /secrets/keys/ssh/magicant.pub)
+      (self + /secrets/public/ssh/magicant.pub)
-      # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
+      # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
     ];
     security.sudo.extraConfig = ''
       Defaults    env_keep+=SSH_AUTH_SOCK

modules/nixos/server/wireguard.nix

@@ -0,0 +1,126 @@
+{ self, lib, config, confLib, globals, ... }:
+let
+  wgInterface = "wg0";
+  inherit (confLib.gen { name = "wireguard"; port = 52829; user = "systemd-network"; group = "systemd-network"; }) servicePort serviceName serviceUser serviceGroup;
+
+  inherit (config.swarselsystems) sopsFile;
+  inherit (config.swarselsystems.server.wireguard) peers isClient isServer;
+in
+{
+  options = {
+    swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
+    swarselsystems.server.wireguard = {
+      isServer = lib.mkEnableOption "set this as a wireguard server";
+      peers = lib.mkOption {
+        type = lib.types.listOf (lib.types.submodule {
+          freeformType = lib.types.attrs;
+          options = { };
+        });
+        default = [ ];
+        description = "Wireguard peer submodules as expected by systemd.network.netdevs.<name>.wireguardPeers";
+      };
+    };
+
+  };
+  config = lib.mkIf config.swarselmodules.${serviceName} {
+
+    sops = {
+      secrets = {
+        wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+        wireguard-home-preshared-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+      };
+    };
+
+    networking = {
+      firewall.allowedUDPPorts = [ servicePort ];
+      nat = {
+        enable = true;
+        enableIPv6 = true;
+        externalInterface = "ens6";
+        internalInterfaces = [ wgInterface ];
+      };
+    };
+
+    systemd.network = {
+      enable = true;
+
+      networks."50-${wgInterface}" = {
+        matchConfig.Name = wgInterface;
+
+        networkConfig = {
+          IPv4Forwarding = true;
+          IPv6Forwarding = true;
+        };
+
+        address = [
+          "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4}"
+          "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6}"
+        ];
+      };
+
+      netdevs."50-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = wgInterface;
+        };
+
+        wireguardConfig = {
+          ListenPort = lib.mkIf isServer servicePort;
+
+          # ensure file is readable by `systemd-network` user
+          PrivateKeyFile = config.age.secrets.wg-key-vps.path;
+
+          # To automatically create routes for everything in AllowedIPs,
+          # add RouteTable=main
+          # RouteTable = "main";
+
+          # FirewallMark marks all packets send and received by wg0
+          # with the number 42, which can be used to define policy rules on these packets.
+          # FirewallMark = 42;
+        };
+        wireguardPeers = peers ++ lib.optionals isClient [
+          {
+            PublicKey = builtins.readFile "${self}/secrets/public/wg/${config.node.name}.pub";
+            PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path;
+            Endpoint = "${globals.hosts.${config.node.name}.wanAddress4}:${toString servicePort}";
+            # Access to the whole network is routed through our entry node.
+            # AllowedIPs =
+            #   (optional (networkCfg.cidrv4 != null) networkCfg.cidrv4)
+            #     ++ (optional (networkCfg.cidrv6 != null) networkCfg.cidrv6);
+          }
+        ];
+      };
+    };
+
+    # networking = {
+    #   wireguard = {
+    #     enable = true;
+    #     interfaces = {
+    #       wg1 = {
+    #         privateKeyFile = config.sops.secrets.wireguard-private-key.path;
+    #         ips = [ "192.168.178.201/24" ];
+    #         peers = [
+    #           {
+    #             publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
+    #             presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
+    #             name = "moonside";
+    #             persistentKeepalive = 25;
+    #             # endpoint = "${config.repo.secrets.common.ipv4}:51820";
+    #             endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
+    #             # allowedIPs = [
+    #             #   "192.168.3.0/24"
+    #             #   "192.168.1.0/24"
+    #             # ];
+    #             allowedIPs = [
+    #               "192.168.178.0/24"
+    #             ];
+    #           }
+    #         ];
+    #       };
+    #     };
+    #   };
+    # };
+
+
+  };
+}

modules/shared/config-lib.nix

@@ -22,7 +22,7 @@
         serviceDir = dir;
         serviceAddress = address;
         serviceProxy = proxy;
-        proxyAddress4 = globals.hosts.${proxy}.wanAddress4;
+        proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null;
         proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
       };
     };

modules/shared/meta.nix

@@ -8,7 +8,12 @@
         default = ./.;
       };
       name = lib.mkOption {
-        description = "Node Name.";
+        type = lib.types.str;
+      };
+      arch = lib.mkOption {
+        type = lib.types.str;
+      };
+      type = lib.mkOption {
         type = lib.types.str;
       };
       lockFromBootstrapping = lib.mkOption {

modules/shared/options.nix

@@ -54,7 +54,7 @@
     isBtrfs = lib.mkEnableOption "use btrfs filesystem";
     sopsFile = lib.mkOption {
       type = lib.types.str;
-      default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
+      default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.node.secretsDir}/secrets.yaml";
     };
     homeDir = lib.mkOption {
       type = lib.types.str;

nix/hosts.nix

@@ -9,9 +9,10 @@
       mkNixosHost = { minimal }: configName: arch:
         inputs.nixpkgs.lib.nixosSystem {
           specialArgs = {
-            inherit inputs outputs self minimal configName homeLib;
+            inherit inputs outputs self minimal homeLib configName arch;
             inherit (config.pkgs.${arch}) lib;
             inherit (config) globals nodes;
+            type = "nixos";
           };
           modules = [
             inputs.disko.nixosModules.disko
@@ -25,7 +26,7 @@
             inputs.nix-topology.nixosModules.default
             inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
             inputs.simple-nixos-mailserver.nixosModules.default
-            inputs.sops-nix.nixosModules.sops
+            inputs.sops.nixosModules.sops
             inputs.stylix.nixosModules.stylix
             inputs.swarsel-nix.nixosModules.default
             (inputs.nixos-extra-modules + "/modules/guests")
@@ -42,6 +43,8 @@
 
               node = {
                 name = lib.mkForce configName;
+                arch = lib.mkForce arch;
+                type = lib.mkForce "nixos";
                 secretsDir = ../hosts/nixos/${arch}/${configName}/secrets;
                 lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true);
               };
@@ -69,7 +72,7 @@
           };
           modules = [
             # inputs.disko.nixosModules.disko
-            # inputs.sops-nix.nixosModules.sops
+            # inputs.sops.nixosModules.sops
             # inputs.impermanence.nixosModules.impermanence
             # inputs.lanzaboote.nixosModules.lanzaboote
             # inputs.fw-fanctrl.nixosModules.default
@@ -78,12 +81,15 @@
             "${self}/hosts/darwin/${arch}/${configName}"
             "${self}/modules/nixos/darwin"
             # needed for infrastructure
-            "${self}/modules/nixos/common/meta.nix"
+            "${self}/modules/shared/meta.nix"
             "${self}/modules/nixos/common/globals.nix"
             {
-              node.name = lib.mkForce configName;
+              node = {
-              node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets;
+                name = lib.mkForce configName;
-
+                arch = lib.mkForce arch;
+                type = lib.mkForce "darwin";
+                secretsDir = ../hosts/darwin/${arch}/${configName}/secrets;
+              };
             }
           ];
         };
@@ -96,18 +102,27 @@
         systemFunc {
           inherit pkgs;
           extraSpecialArgs = {
-            inherit inputs lib outputs self configName;
+            inherit inputs lib outputs self configName arch type;
             inherit (config) globals nodes;
             minimal = false;
           };
           modules = [
             inputs.stylix.homeModules.stylix
             inputs.nix-index-database.homeModules.nix-index
-            # inputs.sops-nix.homeManagerModules.sops
+            inputs.sops.homeManagerModules.sops
             inputs.spicetify-nix.homeManagerModules.default
             inputs.swarsel-nix.homeModules.default
             "${self}/hosts/${type}/${arch}/${configName}"
             "${self}/profiles/home"
+            "${self}/modules/nixos/common/pii.nix"
+            {
+              node = {
+                name = lib.mkForce configName;
+                arch = lib.mkForce arch;
+                type = lib.mkForce type;
+                secretsDir = ../hosts/${type}/${arch}/${configName}/secrets;
+              };
+            }
           ];
         };
 

nix/sops-decrypt-and-cache.sh

@@ -28,7 +28,7 @@ mkdir -p "$(dirname "$out")"
 
 # Decrypt only if necessary
 if [[ ! -e $out ]]; then
-    agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key)
+    agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key || sudo ssh-to-age -private-key -i ~/.ssh/sops)
     SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file"
 fi
 

secrets/pyramid/secrets.yaml

@@ -1,48 +0,0 @@
-home-wireguard-client-private-key: ENC[AES256_GCM,data:YL/nP4DGGjVc0wRrbJ0x+iyJfdqhE90Ws92QBl/lr3RnJzA+stcz0ey/Rk4=,iv:Ek/RVzDpcT7fqVh7OnNc9QXD3Tk/2bm6vSQDA38j+DI=,tag:G2dSpA3KZmbKAfIN+2d45w==,type:str]
-sops:
-    age:
-        - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZ3dtNEZtWVJlNDN0NzVR
-            MGdkNXd3VGZoNGN4MEM0YUFHTHFiN0xVQWpjCjlmNUxUbW4ralFnVTQ3SFRjQU51
-            Vkx4TGFaQWtOUThYRmo1T1kyZ3doOEEKLS0tIE9aQWx2VkNxL3RkTVRRd3Bjb25k
-            S3FUSDRTSFBxTkJUWkdoaDRCSmRJMFUKA01cibzIRlGFFxLFKBLnoKqZvLekuC0w
-            hA3ep81RWwZbumtMzRtjMfmw6XJQN6rGwYSQDkGjBjDdph8HX7i8kQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-05T10:37:12Z"
-    mac: ENC[AES256_GCM,data:RcvRagYaFGwMwrV63tffmYcA/m1GRjXpefR8Ab65jaldcWjfERiCWLFha9aQ1QlWUgSvCWbgC9/zFJkBBca1qVIvLOK1+nkI/ZjQ5rdUOJaP7mukLC3tcm+5f0Fe+GjTCDHGIZd/dUgkF+xVhN2XnFW1ExzRRt6q4a4pKvL6Ml0=,iv:EISJGqa2hQfjpu0X5wMJNZXzv0Loejj0Eb6kosXjU64=,tag:S81dIphr1rqQSO8jAZCABQ==,type:str]
-    pgp:
-        - created_at: "2025-07-05T10:36:28Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAwDh3VI7VctTARAAkLai8l9TxzmcB++jp16pVf1dxOLArOduzSzu2m/olZdM
-            wUnPzfLUH72XD52D3v4Hw4CKpgCDjEq3SDo5jdxkcAl7UHa43CY/Z5xr1WreQIET
-            ppHpnkX+zaFeE/uFe+Q+oYnGAIUetod0WNRsZOJKQJ31HaahOAVhM/mej7TrtuZG
-            DPdmbV26ZIXiqrMifqa/dG88o0arms4GqIqjkynSDcmcSEbf5q+aonAHs5kUylem
-            kBQKQUmbfksFgBkOBcg91ZJfK6SJgods44MVj677HfJ3Nmdmp0W1hmAi3WZtuzry
-            OVf09sY3Pow90q2qNeUEHJSktbj6KnBj3+BRMmZXvIR3aPYqhkQ5v6VJ0mjyq+uP
-            cD6Re+QDxU1SdymmLfzs+4O8gtbKmYt7DXiFy2e5m+geON1akfHfP6OgfHY9M94p
-            WOwV6IX0BwK1yeNLeoc7lO+yiDEZAzXqBhllKo6ckPpRa/i/V2YFP/5i/TxCK1tw
-            mMm5vruaEP0d3HzRzyY5rwXH8nKmGkt7MjTJtFd/uSQmy3r7cNKVdDFYaOhJt7QN
-            P81fYd+PBTEKcE969MkIKVjOx4qSWlkaAgWnHjgJ75Fc/CEfC/DVfdVkGkxepSqq
-            st+Zrr2S6DyAtrunqqwFHUrReynR7leq5R/ueyviNu6EiwT9CHLWvyA9xZvqWySF
-            AgwDC9FRLmchgYQBD/9kIT5mzCZRLFLwHkvKRzqCTolG977e1MIq3pGNdYSaAFPY
-            Z5FYnvjlV7fFbKHOZOB/BAEl2fcyElv8UjbM7L/mJkE1zHcpsmJK2OnKJPplNcK3
-            7MVm3/yqkjV6GtmNtTwlTFOzd+Z8Rc+303s7Mp7jaie68OCoZO21jjxkTn+xPh7s
-            U8yhxk1BLjsZFrPo45JdaVTrSKxsmr8c47fyNToTUuBg2zyqSxkqiNK0DToUncad
-            eiwgLTvTcFxuijQMcIAWCcoi+JAgIjK3XItNp8IqYFvLv4iQqDUtzLbWzhnEpqpZ
-            Tg6dt9JKV9TvZbwR67AnFD5QGEEys681NmrkEyrA8LuXEMTAt790hjvlCSY7RfhI
-            WPcUAmHUN8sFsKLiIyTRQ03PbEji2wsbq7TKBB/DuN6ivfjOLNnm9XgzMPG9sbRV
-            1BO+tnovcKmLn9FWiwWAyPtqFEvfITbj9qYpvAuJ6PmKUihkqfs8rh/FKgyo0gmh
-            Wq8s2rqOrmV0o/WVRxRTfoauCyyJSx+ENdR6KQLCDdE2eV7ocrztsJRIiPG2fXBi
-            0/38/S7oJgJA08uSz1egtK8lvI3MIojB+dWX0v+bonxxkYMNSbIOdZfTFBd68D23
-            2y2OG9e4/TvZjjSqM5+4fSnH74QzvxIqFMW5LSFw4UqhdiAk4/r8ljo3mIvLxNJc
-            AVGSBZJ95vR/FZM/25ojTGo2iBU7DAG+5uXXVeHSfckmVo5HjExQYqkYCm+imK4P
-            uzhLHz+6EPmnSTBnTMLU8W/U2i4cOxlDjpHCpjZs/BJk6g7yv+0+/BpiV4E=
-            =eLw3
-            -----END PGP MESSAGE-----
-          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2

secrets/repo/certs.yaml

@@ -5,146 +5,146 @@ kanidm-self-signed-key: ENC[AES256_GCM,data:IIi2LK13Tskk7V6jALsVYOYKgNobhUlmai1z
 harica-root-ca: ENC[AES256_GCM,data:Q81ku0Cpn+taKbgSb6JntZjGblSHO7mzNIGqiHzsUrEpT7fZ7dCBTtHrOv5vQCz3W7k8u2HEEyrJBIgTdaECBTENp/rRwXBh3BCj78taxK+iweF86Ty/BnhWd3POLoYVIJcdG6Yn/oJtoFPqVLb94zzmx1yRXs3mgiItPoWjhIZFe7myQkxGCkPvAU+sJhMCkj+nQ/ZmEOQSgv7kQhhNrNAWidYRcW+vOb2gj+6na4Vw9yIA13zXWX8NQ+4El62UOJ+WPpmVbwl4MOxffKnETYFFRnkpGb9cTL4Cfujs2nFpyJzqA/GwrbOvbbCevMZf+78M3LUtFSk5+tnhE+J3qwnq3ADey3Pcya6VrJJJSVQw4cue92aKP3dGFF3lb59HO9KEqEBIZ+xMSEcqmZcfvBaAFqNeCqw9h2lNFsK/0Yz5Fx+uJXr6BOS8Mt5fZ2SKSKoUpm/Y0qaloEwnqs/KGTA1BBjhwjtO8NjcD8HM3FWkjP2/atR57jKMe35Rz9LTysb6N0ntotK67wEM52Vp4gliIcPlOzNA3LREaVcycRqW8OHvTHiW2SRe0sDVz9hzBCJirNGAGY+qMZHuXMQoKxySmj6GvvtEiptSt1UmDqgcwAbz5ki6DTYM96ZoEH6AtH1tG7tHcuZ6EfT+hMQPLY9wpTMATEWMYOFUfPY+u4cEnvJbQPdQMNN5mxOfsqu+2rhomekTDzPDqSdmPdjOAqHZHSvZ2n6x9pb1ChIcpWbLkB6I6NtSZ1LnVJl0KlaID35396gJ2nkTlCmBHaeIs9q+RvsDGOS898iONh6mvBBVj0l69sKRTa9XS/gJPoBwLX7WSNRls9MQGgzXo0CbmmnsqNnSZVtmITNMX5xaum/rU/Ej+3UBdVbH19McqbQ0sJVTAyqJgtJyNu5M4ktrueJK4wz+Ik4DryBB+23VrRFb3RoeBTa00oqWqwFDphsvx/OWdJ2D04hb0ITCYtg8rV0e52AO2evqL5o/1NUJdyq79QvXKSRYPPmuTsCfR7uCG9Le9gibqPhubCawJWwA0m5K/B39Rrnphu2/2KFn8CSS6rct5vr4vqYdYdfbv+qhcstkoQaYvu8StLHrtmXs6P0ySFAatBnzTuHlIk0IhmcZCTULp1OeDTpZyPH/fILLp/fE6TcdASCrWijSWN2mzAq/vp+Gz0AHXn7n0MVeMOkUvvmi6K+6dLgY8AmL8ceFamWg4TsxWxPNNeZiHlQmMD4jbQ/uR33iaXrstu2g5CfB9XEt3HRw5ZnulVHDrpHY9rECi/PtgpkbrwD8f8sBuaDzfEsBpbWGOUrFBHzdDKQmHltor3WmYJAdflSeJ9P0X3WuVuL3iEues8HWkTOk8SqiKgMKTwpJsg9uUm86hm4to0vaVG9C4Qkyvcs79MAHLMT16Ujg9pmm3xQsFKFvr8LrbfbxdOPWRvbLPLCnaULG9mi20pixtTcnIv1kx7AZ5d8pxwJBRcCaWZtpV0PIWIDjDMY3mxB1wHzjfonS/ZQ4nOuF5pNL5HxlfxLW7eRbqbc3+gJIJOeVSVNY/xwRVmBN6c+n9+nFrgp0geBJjG2h5hQ3TyyVn6iuWeT3+XB8+F97/76Jj6mbQdxAkQ+e7NLxDpEsBmOaXHOhP851nWiAgIIYYeKcMbjNiTdHghjWndEEEf/flrV84mZtgEcKwR01yC4+FiTPceI0yNcIx99yoFb8G72u6f5KiH/fsbYV0otraEEmmMQcMpH3s3OgFjkVQQz0i6WETJHMjz8L1Sb8/iUm3nIt9W+y0xEftSeoJAJ3n5hGp0gayC+XV1pcDDRCVryBrMYzBhYBcrfYuiL6KaGrHGm2nfkhosDEVFcyA1D4xqXhC6Mndy6Uv4AMYBKAMq0opgkdqMDe5jAlmFyd/xSEZk8ySNlD+d64AZqETTc+MgZ1sh4dMNEeN5H9A291kTJIbRXzUP6GbP14lW3z1Meq0WxH0ijsDJHdHwu8u8LPu0D8m3FVHR4kWn0eLrYrYaGyRW0rfvdMvc3rVOGwGR/7e4P1py7/7q3TS2/6ZoHJDNptPF7K0XBbapSNjFBCpo/QT22vo3eBmw3WvG/CLPk7yAc47EmT64YP7zvvNaA9JcQWlx3r5oWT7lhYvgP3tcUFlWXXOcV4EN8CeAB7fOF3T2vU7HxM5CC+mBYFXydSh4a/yK40aR7C7HMLpNGDIZaLPk6GxsQbCrsqcAqc+BitSAUiTZ90cgAQf+V8iadZPLb/xYUnqhT8EwWrNB2af7PSX8oM6Ot8zXLaTfnxsQmq11FeNyUHxU32UhjnC0JsdXzL6i57VlLs0iWqkoHZO4ICtezkXbOeWapZGSecWdXlY+/4CURQDV8owqppos9GIEBBDr1IiXy6V5EoMW1cphEWIL+EqHCD7puYijvVMI9FjJwsJN5lpz556FaNIcB5tQXqeQ0GNpIxJkOmR6tLBH6BokbXoVq+atWVa56O2hegXmltc2LSZrWTaTEI1MAmR3hSxd0wcIOEPAj1ZHYTLLxo4HUa4Ks/lpgxWUYKAIzrVxo5YSRgm29P5ZOqt72DaqZe7PePoR6OPhzFJCe3SYlQ2Ofxcn4ArH7N5u1pwkomFJAgv7cEGNm8jZs+hZdx43fdu2bB8as8S7xGAQEYEMtFjb28TMgLT/RSZfTmjnWC04Ktf0E1oO9u7L+PrQ==,iv:0FTPt+bXgzOngxxFqoP1Sg12j0BMk4pJj5JIsHWPIuQ=,tag:tigFlF0LxzG8Za5+kbG4fA==,type:str]
 sops:
     age:
-        - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
+        - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ0p3QlY2c1dGcGIvektO
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVHRDYVdsMHowdXRSRHhU
-            c1BRWWFJTndub0dxUXhlMTlreDUyUlZ5U0NjCldCamVrN24yZ1QycksxTDV4Sk9V
+            dnVORzhoK3ZNVnY5YS9oc1ZuQlhUVUJBalZ3CkRNd3BCNFBFR2t0RHFPVXBxb2hH
-            aklIT1dGVHJKL0ZWNFN6WnhJN1Z4SzQKLS0tIC9lZUI0cE5aYzBHcWlWc3FkS041
+            Ync5ZndZRlB1aFdQL1IzeUJxODlTM0EKLS0tIFBqbWdnYktJRUdYM0hrZG4ycnE4
-            bTdlMU5qbHRBZ1V0ZXhjL3FKYmR0Z0EKpA48GyFC1W2+O3WL7Dgjb5dRRfkyJNFi
+            bSs3R0lPS2l4UWNFaHNEWXBxZU1kOWsKHIZ2FMrWVEnMcOYIjRmXiteCbE8BIpjW
-            Yl3i2st6zBGH6OFJGdLlBAJ/lqw9LgHKxYbId7XcuAfMkDTNz4Fjjg==
+            AOjolgawHy1xibc9s1QbWfKu0biY6TVIvqS3M5RLiKz8YgewpWrnQQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WDBMV3RUYUovS0ZmV0JJ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WGNEeEhHY0JCaWVGMWc4
-            bWdqSWE1TTA4MjNvbzFtM1NoY1FsL0FIWm5nCkV5cSt5VWVzYmM1MytuTUJsVHBB
+            NWlObTk5L3RCOFNKZWFSeHlWMUczTGJ5d1FNCkhDYmlHNlBEdzR2a3pQMG1qOHhl
-            a2hoMTNwcXZaYzl4d3lmZUZIVDBQekUKLS0tIHlTcEFqR2pIQTBFU21EZ0h0Z3hL
+            S0VoV3pmTEhBTmxIb1FvcmRrZTdNaTAKLS0tIGNvU1pxN1pLMEhlUEUrYndQQ2NO
-            UHN3QmtreUpUMmxTNy8vbXRnV25jRFEKTaCbReUitrOJGVncdR/VQBXmM+mTzTKj
+            TTFwczlDbjczOUVBb3ZhdzhobkQ0K0kKc0GD1iA9uLzdpSR1yBRHm+K38b6PpLzL
-            HzRnYSUmuuRdkHC/ljjeYR4rkSjN4RJABX0fraKdARBfkoi+x5ulCQ==
+            10kWSoSNHV6tjkCjbFiwT0l2QOIgKlmGm092NDz6aCvfC+6GHCDvAg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM0k4SW96SXVJejBGcHJR
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNjNqdjRBcEpZdWpZUVRD
-            UVZneUVBT0VzZXNlazJKcU1DYWNPZGNiTFc0CmRtTEdCSkF6dTZZamhPWTF2dWlw
+            UGpBVjZRU1VkWXowaXRvWTRkSjd3NFVLcWk0CmNHb1R2Yy92RC8rRFBJQzN5eHFR
-            QmdNTmJ2Q2JiNXhJd3kxdTdZNXkzU1UKLS0tIHoyMEU0UUJEN3lkZDlGNjJKWjFI
+            bHNsaDRFMzNrSFU1OVE5dm1zOHIxcG8KLS0tIEYvOElqZHJ0cmFxREdTTmJXUFFU
-            Z3A1b1BJNVg3SDNXZ2JPUDZwOXpHTkEKv+NRRLHfnc8j4rVmBDrLdTTtNyb9sUUm
+            Q3o1R1hodDZaK0NYbHpGU21oQTNPb0kKsuGhQytQDmbMWrp5wTCwEnc7TRWRjLlL
-            EhEmbKkXZfHUQtx3bYUJQeod2wd7CYGzvfrbU96xpFkTAqvUJtWAJw==
+            fp2gyJSr0EgfzsdDl9QgC9dgkB3qxiqKSAiinBOOUwyaWeUepmv6/w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdXJzVkxzZDlZaStpQm0y
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArbmNRRGkzRC9NeG9xMTho
-            d3lyQnFZcUNaZDdrdm1sSW1HS1Y1VkN2cmdJClVuM2Z3ckF0RWsrQ3RkN1Q4SGFF
+            NDVXUFViU1BRM2J0UTR0R3RRWXJReGpvRXhNCjRFUWZ0NW8yV3lWOGIzTkFKYVdu
-            M0d6THFpRDlXTXZseWJjQzU2OCtCWUEKLS0tIGJ6ajNRSmJqNVMveFBSUWF3TmRh
+            QmFLOXM0OEE3OXJXTUtMVGdHanVnc2sKLS0tIDRWa2wzQk13Z1FKTkhkTUxYM3g3
-            VnlXdTd0VS9RSnUwWit5M2RqYk5FVzgKLD8+uG/KUxBUTu4WFcgl187eKapyPrVq
+            VmpoVDBsd1BxcE5BVEV1ais1UXJGMFEK9jGgDHNzrAHf1YeZ2TZcnQK/1xbLsL4Q
-            0+nL/jITbzy0HA3cTdVR1b2pueKODohBdVIqD+JpPs86z8FaLro80Q==
+            slgCerhBPS7a70iAmOy5pA/cM1VqaYFiphSzor/tBTDwJvmWB/xmnw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcUYwUHZYNmNLYjV0WGhV
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NXdqMEsxQk5sUlpvUW5M
-            N09HUVo5SUpvUS92UThaV3hvVlN1Tnc4RGhBCk9HL0pXalBiMnJtSWlaOEFKNVlX
+            THJsL0M0cjNpZW5nc2lUdDRRRGZHd2tjQTBFCnB4U2oyZ2gxOHRuclRjL2lpVTB3
-            S3g3eTVtYXJwRy8vSGtmUDBpOGlYMGsKLS0tIDBnMkJaTnBnUGx5d0hXLzJPNWVZ
+            cFlEeHhVVTd5R3FTcEpERS9VMEdnbzgKLS0tIHdGajhaSkpLTEVubmpMT3BGazFu
-            aHc3KzhBT2I0YkNCNkpBdWZPTDB2cm8KSwgUwcFRqWFxEqGrnTd6a7sle5SBXI3J
+            OE5teDBLZnJYNzZSbEFhYkN0VW5uNVkKtzW2pqt3bZuwCUSvvdHZv7LF8CYlIRQl
-            KyfOOrS1agk+nTaUJNpxLOG3aUWPSG8DBlEvP4Z1Kx5kG4e7/kRapQ==
+            OEln65gTsKgsWC/PxfWryLS73xD+7vQB9yHT8m8ctaAqKfQbkFTngg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRWdKL0VjSkJZRERNWWVD
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMeHhlL01wNkRJbjJOcU93
-            eWNobG15RUtQUXpWMlZTYXNBbFowc3pQOEM0CndTK2cwc3ZRWGxiSjQvb2l6YXEy
+            ak9JRit6RHJwL1hlVGRWTUdHd256S01XdzNJClY4T1BzYUJIZmplNmhscWF0U01l
-            SGdHNVQrZy9tc3k4emRBeVByZExmd1UKLS0tIEdBZFRMejVtalE0WGh0WTExM1Ay
+            MTBHdjNSbXh3SXBOMTRWRVp3OHZlTEkKLS0tIFJ2QnVIZEEyWjdNQ29vejgwb3M2
-            R29XRC9wNE4wMUdyTTFpYkh6VnJ5NHcKEDsie612hQqxjH/IdM61a449jiSaqNvW
+            cXhVYzZnME9tYzJmTnhhV0J1UGVZbUEK++9AnOgt6MVPQ16BFsxfVqG9EpI0/bBo
-            fG6x6U3GQxnjH6yM+Fn1S87c7ZihTIAPzbAmbIiTmVbv7cp8XVz/LA==
+            frr089MkdKo1XTNoMaGgcDKgMTKzBphtiK/k5jZE+qivnBengrlXLA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTkNHVmtwK2JOdHM1ZUJ6
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhYzI3UjZDUzB6d3RCUHIz
-            aWhTeUxpc0pFd0tXcThYb1NkS3V4V3pwU21NClA1Y29QN29nc2dsY0Z0SmdFZUtE
+            ZzhkMVRneXIxNG5yaHpFS2tkdUhNVVNZRHo0CmduSzVmQU5YWWpQQXBYZXlkNStM
-            Rk9PdUVhU3ZvSmsxcVhGU3gyMktwcnMKLS0tIGF3dEs3dnBoa1VIWUorZjJwRkJl
+            RThObEZmWk9jK2ZzZXdhYjZPSEZJTmMKLS0tIDFFbkkzUGdaT29OSWFIQ2owa1ll
-            SStnREZnTGFpMmFGZ1B2MVF2RWRqN2cK5HHfMKlmLG1UQpDYr1Gg8GU3Gg+oGebE
+            V0Q4QmFmU3owT2E4Tmk4Tk5KQks2R0kK236hs8GhGUFpVLX1aneLunIuTuD/QpQC
-            y2efhe+oiIwr2uo9+zielNVAykKg2hvwUmyAXBsXsl95sIXFfN2WQw==
+            Z51gh+oQ6eC0J1lq13VvXX8rd/4VjR7pDcU7PMjACtqeKfFiwCoVgg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRXRVSk1SRzdIZkpobFV4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVzZ5WHFlQ2NENFpBcEls
-            Qjg3K3NrTDRGY2VZWWNOTXhDLzlodVhTeG1FCjJvanhyN2pITnVBOXRINUtCbE10
+            VEx0SG9vYXdteDhJQzdibHVLZG05NVM3L2w0CnlLZVAvM3d1bVFKMjFNbUFwemxs
-            TlBEK1hoRHIzRGtoSDRCQmRnZVg4RUUKLS0tIGF3Q1RKL2h1WGdSRWc4MzF1cTBE
+            amtuZWV4VEx1UDNvaVR3U01MY0I4elkKLS0tIERkRXgwNGtCZ0Fyd25sNlRoU2pn
-            K3Z2TEZycktQRC9NN3R6bVVUSE9FTE0KOtBDjkAezsWR6wfrfnrdUcpdQgnCXm+s
+            citkQm5tbjlRSHZwZ05WUUtSdUdXWW8KCmuyjN3UuNys9H2ShcXFtoqcVK2OTACs
-            WS/RX6Q5Jw5nOSgkR5SyhHqOpalYlCnYQdE0zmW7n3C/BqnX+53T1A==
+            4DrO/ATf4P0tSGUelFhZ7uknNOC66H7uWQZmbhc4eqfnV1JNbctFYg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdXQxOWNveEtZUGkwclVp
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZakM0UW9hVmY5UEIzK2tk
-            aER3dERtUHZxRjBweDBYdERROVA3OTNYQTFjCjBZSEVYRGpEWFFUNnM1SU5aWjhs
+            aGdyTmVzZmViQ2RIUStwQ0ZWazBoblFMSmhRCk5wQkxZMXlOKzNnSjE0SUlpTEp5
-            MWNUdUt3UTQ5SUF3MVVHMW5Wam9KazAKLS0tIEtUekJPVlpyYjFzcmJ2Z200OXNs
+            N1l4OWhKT01TRkhFZmlsME9EUEVSUEUKLS0tIHdMcmxTQjhCbHVWd2F3WVRIeXZk
-            N25JN3BJenVhNnhmYXdFVnZEM25mdXMKpzEJ0eqnUoiyboiy9FBeeZFBNHRrO52Y
+            Z1hma1dKcGNoUEVsbEtiemdmODFKdDgKQPKBQTdj8Fd1jvm+f7eKmq/qkUbiReXt
-            RICf2lc1bx6i7fLjOhbV+ewjNk7p6ApdJPHaE6Pxa+jJ0O5vVVJjiw==
+            adDQ6RefRQ0FwJD4cyZetVpOmwBK97K2vrFDoEfvZmS4naUC5NnnmA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
+        - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NEpqQjN3WkFYSlNrOUZj
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONXkrbk9STHhqVVdPT293
-            aXNDd1JSWnlXNEJCREN0VE04QktNK1gyOHhVCnhCcWdEV2NVYk9vK0xNY1RTRVdU
+            RXlYc1c1S0dpMmRqSkNtTXN0eFRiZkVwTEJrCmpQOThTdkJwVFBXTXBYL3NtTVNT
-            YS9kRWMrSnE1T04yUER1eGMrM1RsS1EKLS0tIFM4dWxCRTBJNExsakxCOTBQSUxQ
+            Y0J5aGFHV1pjMC9FWG44WUI1RFQ4bkUKLS0tIHpZQ3ZWeFNzNUVEUDBNSzNla3dT
-            ZjRQRTQwK0k1bzdzQVBYalBlcE5OV3cK1vkdKETqGDbsj/WMjwLmjwUz38yPXh/H
+            NnBRRUFhbllYM3d3eksxaXFyWEZFVFkKfSZzN8CEWB9aj+YMChUaRCeOIbrV0gyo
-            vjJxq20D05HNI3PdBMzZZcaaBzVqf3hx+afk3jQPxggrDiysiRNWLg==
+            wsV0SN/wn+yvxZqGOXFOyAlLZBA9VThQ6G+lDm/1DMoAj4Rdqnb1Bg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSnZNQlZVWlIrVm9HcDVa
-            Q0lCN1pKaVd1amkwdTFibU83bWlzcmdzM2xrCjU2bExsQ2JhN0laK2hocDVBUnNS
-            Y2MyTGp6WGUyUmkyc0VLa1JBSDIySHcKLS0tIHBVYXVQKzFUdEJjdGlBL2VHMldG
-            UzZhUDBCWC94b2lyWEdWeWpJK0tqcWsKH8QLyHTIIEwzUAZCTeUBbOAd78fNHlqk
-            uImJM5y/vjVw8490Uo7rkypQ5Faab+ekcWqPSj6sE/nFEBWTCKdSrA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlNabmNqK29OQzZJWjFX
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBekI2TzBnN1F5blNiNFJR
-            Sk5OM0FTcGxUVCs4OXV0VUE2dXNMVG5oZUJjCmtRR3l2SHlEd2xBQVFPcjlMMzFR
+            ZE1EZFZYbjFBR2dncXpVNVNodFJMUzRoSVgwCkhwTkpSVmlUYmd6MEx6M0xLSGI1
-            TCtDTmEwVS9ZMFV0Y1VOWEJGWGtSUlEKLS0tIExZUWVMWTVkUisvMEFmUy9QZ1VG
+            S3FYbkU3aEVHTHoyUEN1TlhHb0FxU2MKLS0tIFNuNHFxQklFL282Vkg4ZW5SZzcv
-            RnBDMFZ3TmJObElRYVg2SGFBaWxkZFEKq7un72Bpl2st9AUvAXE9rBir1mORSkAA
+            dEozYjBwVm9mNnhuZ2Z2ekhvRmg3ckUKU/IISe/82KCPh4Tf5nqWgbiUQEr8n+0s
-            GnHQyN1tVPurKINQeAmuA8gIn7UlaIi5MxpIkaJFqmO1/6H5e7tkGg==
+            /R/DuIu9+67me1Xyb9fA4xq1lD8ZR/OTfPaDRVVtP3hleeinRfTL3g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVjc4MllqbjhoUG9YS0xa
+            TGJESy9LMGMraGxpRU9MTWFBNDFaNGxxQWxRCmdtNEdjRGpFUnNoYkMwNVM5OWtH
+            Y2M2QmxmVEt2a1dhR2hteVR4S0QwRm8KLS0tIGZCbDJCV29meDR4bTg4ZStTZm5J
+            eXZiNHZEc1M0REl3MmdlMUpvRW5abWsKcmhzalAkWx7ZY5mullayejnqVQMrLNKF
+            J7mHKyP+mST+5vvkxCPSDN3GRaD2McOVAvDSgS8rd97a35tbSMzxXQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-11-19T14:09:27Z"
     mac: ENC[AES256_GCM,data:tZ6QzVPivueZiC9Qfb3KNZAv02QatgHRNnlM+Y0iV4BZkYoBjxeDojutizvAMwUarnubUdk5I6m2OZK1mvVDZKXyI6zALX4JMeT2xYQWRHYzHpOygLhhGwTFVhV+0C4jN+eJFF2cNf9lu7NuZI9ylZSOY8I3YKUl+l0l3CkXUl4=,iv:JSGOUq+j9T/NXspn70dfu0J4ISV6vVFZUe/Z1CirrJk=,tag:Hm9N55f9qMc056nSTR1piw==,type:str]
     pgp:
-        - created_at: "2025-12-01T23:06:33Z"
+        - created_at: "2025-12-02T15:46:59Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwDh3VI7VctTAQ/9HmPTBEVh2e92ES0g0sOUx7S9I1zoRFm3ONWNoaT6hld4
+            hQIMAwDh3VI7VctTAQ/+Nc4lUmAq2MvWuvfc9PjJla7aQrTvmRe+b2Fro+kfE8N7
-            UJiKqbHMQTyjr8m2IvkzT7MhXr6fPsspAFguxdXLAD6LSeWJUkBn6IBT43ISvbkZ
+            AHLFhKnw2+VI55jWXT0KJwfm7uQY95lkLiXOQKqF0wNfY2JhLSUlYD6LlM5NU6Tj
-            1KrJnZHzwMjxMGe1MrBk4C17YPlAwB+CDNNehkKHWkSPfVqNurY4gtNoTrZn7HIz
+            N7k0XVpN0SanwWfL1eFsDtEG65bc9A5XzpdE7gw7YeaZBjVruYujFV+bM78QHSrK
-            5Npvi9d5W984CeuFoCmY+w7DbKINk0J0YkgT9zBMdfGw1cVAV5aUS5lIBqvo0YAO
+            pNlmCuxZxp6tobtI4YLaKkzbKJxLJjfhFUh0D3HjYHbjlwZSari7Ep7ZMPgy3w01
-            yIQf5tbG9aCa5CL3OH0JD72GBUkODLfWFzcTpzfjYtjx1rsbu6gqkLcH1eGFqTsa
+            MQ2Ol669Aot0YEu55HHOY1lqmXQbgHGN23V+n0ZUXByHcUR2XlG1Ifo7sn2+QH8H
-            cQ7+A0wbB+9iDN0OXmmPNVix+uMY1yQpxMve3r34v18R9KTCvsSK9gOpk0ilg/T1
+            L+xYjQNFJWeTCsAD0I6sVSRP/+ZC9OfgwPa4ZRw1EXv28qaKRP1Ws2PiTe/hCvIX
-            lBG5wFNEutJmwuXai1Zme5+MJLK0ggUQYywhYY9auGmwC74ZRtRQ48o3SsQ0HJTc
+            a4rjl1mWqlcIahs2HpiQWyJPNJCc4Zuu256YBjWhWhqY74TI2SLKj6p/pQILjDSL
-            tLG0thDciyF/Xy2IPjqnp9vCfITnVw42ZsSIbXfHHYoEBYu4mYhqAP0pmHFzY3jE
+            v6VYMQJLfyK6T7YT9IwHZfDYABp7gRzjRwhJScQA8y7hKOub9ctiBvVOOaO1znYh
-            rc8LzraecOslqfLVgdCPo/7moBpegIfJfCkX+gYxZKRJsuOHNiTVyFHceP2mztKu
+            GXxz3Vrc52lUGpErbbsZ1tEX3Blh37b+uNhvPPobuIVdN8JDdkx6U8oVHkazhP4W
-            F6MIVxsJsQjRnkavaHXEwNFr+X+YlzoOAid3UNzO78rKAGUw6mJ8PvLBekqw3wfI
+            WVeYP6B4nqt6xFf/SF9N4fL7q2y3iEqNrTFjX++hXXfBF9H3C1bGP07KqCK54LH1
-            zXOWNOgNR/aCUTAbSPn1VBLSM1kioGAKrs6+bAeRypmQGaYiLsDkvOU+qfNxtaKF
+            HRMEvpsa0K1v6uCi9Ufud7eFtLm1m3kH3f6+rQsN1Km6aLDUcvfGzNxxl16ZuIKF
-            AgwDC9FRLmchgYQBD/9iq1JX0DpTayA4qSDo7i9qeET6MKK5VmrawaV2LqQpxOk/
+            AgwDC9FRLmchgYQBEACLOQcZBtu9VMd+SblsCl3kC6TeSgH9r0P6itoCm1XsAlLq
-            dEEIT8+ZBhAGjKRIPRZdF0bgcBP92IeOOduPvcdJcRstB1va3nyeKDXkYwaBN0XY
+            6mUve2RFedLzxGW5K65XwaKDTzwdHpO0kj2wLxyLgUMXgFnXNAtAqsM1Wvy5HCH2
-            FPKMrTk2hifnmlGdBzN3RWGOXURDZdhqjsR0g4M1/85//0ZA1ogFnUsqtPI07TVd
+            yiVpNLLrLSiT4VmEwDGrN4u8iR8Ynuf1epNFBrQ5KzkpZ8F+/+dfNCXyuSuf4sIX
-            oKoZqdt068pgBDgAxiwA4Y6WbSSdEo2xQIQ0JTRMGnIycHGnU8UYWElEjnusGKSc
+            XfJ1Sp7dBqZJ7OzRY1MTs1pdaOIwirVWTaYu3kfbdIZAtlb8uZsmvWFq+fhj4BoU
-            jpC2jzc9TUABawOjCnauExHkBp6PhPRlAbzLA7Kq7v7lLkMKQdnJ0T7kIJUd5LlS
+            5yoRptvzLV0mkn89CwB3tEDxjkOzLtHpdtRWNLaknjDZTA8Ti19DGWaAungTTk5+
-            7TVXSq97WvGBhtQ45cSIZTskjnXEx3TQip9gNrV+MkZ14ASOwc9Lmw1O4z6cVUte
+            LJuwQOmR0535A5DnhAU9sjVXj0qV3wPOKmPbWrCujFGNfjqh8SHmn3sET5Q+K+Nm
-            IHzUELZsupE8KQPifgMOyx2Q4OQPQ/vv0CSYJwozbpK+g3XRAtsm70mSlagCtye2
+            0B0kfPBpGayGkhbeveuK0AEgymm18tlBjTenno5LpGvI1A99uP8KXFOwmNA4ONTy
-            MsNNQFfZe3vSV4o+vQfbWQ/LMxP/8YcRmh1/2q02yXS6sjW4MWiAjcW6nTRCxJbI
+            lz3RbH/fTGFJTeobUOMI9Gtng5uzuxObOkg54oef5LzS0ub+kNXtpsG0BcK3PDxP
-            SjMKmIbGNn60MOqn+9MNHA/S12SS1yI2cTPenebbhXAbMnCOHW31D5ufr/UR7Pkm
+            sEbbPIb+VlIcAwQ9+4kyi+jSF+uuHevWq6sMmGz378k/3wwkExnixVjCQr1Wwsxp
-            xiBXOT2jROYtvFozH35OpkIPr7tV0O4riUVvPw7swlqTVrJKR67Fi7ORsGJKbztv
+            t1HGDDrMAjXoNZBLSua13GYUMfeGoPabiTmzAZjZavg0AwR4xcfWEFkrPI2THRoe
-            YgUuZC3679TzXyWRMGauTmOPQO1+jZ0WD1QYtKkXPpTZNLx02a0XaGcc4if3gNJc
+            OYUreF8t7ZBXEQzkeIwJWvmCs/4djaKoVf6YyLmgefvV4CLcj24UdV1HSDHuSdJc
-            ATICbOTfcwy5HkC+KcLy0KADtfrO004fSIXV4TNrdfyXNnUshnutAmZBRAilvvdG
+            AUfdGjEwj4Nc87coiGFl0r1vc7kWJ4xeQ4/je9CXaKhgLYYjlUEyipOhs2aMRUMM
-            OQRfyr8P0jKoZw2UUoAFEGFU2GaNg8NvCoZTOesN2BNhSVIdA6QKjnZOzBI=
+            +nLdfiWmK7aoRtW5WiZzOK57XAgKY5IZOOEzj+4RVW1xnsf1RmbroJJvSmM=
-            =HuIS
+            =IIlY
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted

secrets/repo/common.yaml

@@ -36,146 +36,146 @@ builder-key: ENC[AES256_GCM,data:OOoA7oRIFJwS48qs42WmIXU4vLTQLRi6Nzb6IUNXAwnj7E9
 nixbuild-net-key: ENC[AES256_GCM,data:aAa6iyZsjH1sAb6ucSPJb2R+QiG2bTj46Csnjg58+2ngYdfuim6SzWEid8IHJV1+M0s/hVTbZWiPsU2KQ+JCdJ84as520avxs6I0URvNx+VmFi6DNGbBJJJJKdTXIKvtmLHqHobs9XtIHahQKoyUpXiSY88DcwAt4e2mUTa6olgrDv66+/fEGeexP4S7AVB0wYeegyMgWODRrA9gS/YLMxMdqk/VHuwIQpWkhxX+AY8mXkx7LalxrbtV/24qdNtr2GittrvYBAkYGWAVZYotBVKjaWVUVzqF3BU+wmg0c56OG5qtt9eD1THAqNauN3iIfUnV301S+TvVtYjpy7gOj3WzntO/kh4kD+7FnfleLXIVSLgBRc0vHhd+7HKKtVRnAINyPkyjaBpnnBa4cksBvHtI0uis0Pi+4JtObD3m+5dywTeL+HDQfHwu+7CgjvXHQYKvEaJ8z6alyXL88Q6uT2Ikaoyrkpi7OJsuIBiNbs5YzRReSfLVyepm8SAtA8UIwnMiTtgFvwGUEW19ne96,iv:2HN9X9CA1liWuY+LYqTCX6Zy3xARMS/TOL61r2UKsE8=,tag:XcPBwYrQjqhexI7u+0zXQw==,type:str]
 sops:
     age:
-        - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
+        - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeU14bE1QWGlneTBhYXJy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQVpGeWg0UHh4b01QUWRh
-            eFU5WTZwVlFXTlFOMVdmZGpYNkdMNFk4M1VzClhTeW8zdkRzcUhLRkpKdWxCZnVj
+            d2N3RHR6L05nNzlnT3I2U05waUNWY2FSVUVNCm55M0t0MFo2dVlnQzBLSWd6S3Vt
-            R0JaN3RvYk4wTjMrR2JzTU1taFE2blUKLS0tIElUaEVCVDNGbGtCZUZTZ2hwNEdZ
+            OXB4VFlaS3BBLzc5QkpBYk1ObWxDdkUKLS0tIHZ5OS9tNG9mVkpGSjBTd3FsL2lJ
-            ZlhHZDBROW9HQUx0RE5KSlRFNkJVM00KVKIC6Il9Vq4lwNS4Va/Zy+EciImnjEE7
+            bkFHLy9GL1dGamxBQ0pod3NwV0psb0EKvnAGhx0er8opFktatPIp0+mVbaIpz6jn
-            uK9asNYPNFLWOGH8WRUYmcsDGupKBCtSJszd9+DoQ28nWo5f2DjHAg==
+            eq1jflf+K2dDQ3MxK4gCYaCeMzJSNa39NKqX0DaFjWTecjtnua76Wg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSXA5YnZyQkJrUUI1UGp1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWnRYemFEdkNJSmFqMUZm
-            TFdPZVhTS1RwNVJ6SVhNeWV6TzhMTnZJUnpRClZuRWxPNXdWUk9GS0ZIUUVsUVdJ
+            WWRlTCtHMTdsV3drdEZ0cDg4TlB0Q0xZYnljClAvbVZoMmtBdDB5TTFNcGFvTHg5
-            RFNtMjVQVURWVW9iQXhWblFRQTYxVUEKLS0tIExFMFZ1eUorbmxCeGFqV0lEa0ow
+            QkJZSHNRWmkvSlZaK0JaWWtacnVyT1kKLS0tIGVVY2dYaE5nMlNHQ0xsaXNiNDVm
-            c1VSTjFXVCt6alprYlZaZkVCUHB5R2sKGrXDZrwhZ/IZhX5EheYrM0nBMrAvzKRC
+            Ti9CaENjUTF2RThwYitrOEZnbjNTaUkKSY6DoZjavWV38BJF4uagWyeuXdaQxSLj
-            o9lLy+KZg/0JTZFE9iz+lPLzzPBVnrSXMSC79Tj28YKTR7xOOPTBnw==
+            l8sxmMX9QU3lIIhdsBTmIf+zPoCa3oKSpOn5ZEsxU4O3PSfzaevHHw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYzAyZG85d3hRaUJrajZT
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCR0dFMG9OeGREQlBkcktj
-            R0crcFJNT1Z2YjZEU3BuZEJwYnhleEZBMGd3CkxnNGppRVhqRjRjbWlpaTJRdWI1
+            SnhSWEpjbFNCdUsrRklUcmJWQURtYkJPZUdVCkptNnFaU3hwNEFtOElwdWRkeWMr
-            NVpiNVBJSW1OTWNMNGlRdFVIRW50bjQKLS0tIEQrVmlwdUkxajNtK2ZhV1l0ZXBt
+            RTluTExGM0VMdGVhZmw4c1NiM1czeFkKLS0tIFBkT3hQd2xZOWpjSDUya1dmblQ1
-            Vnp4eDd3Y0RrUlhMbUxNcFpsTkZ3UGsKv1HuzJH4rm1onXAlV7KO0MLNIxndRVNX
+            bXp6WlNnQnNiR0cxSDdhWWY4Y1FjcFUKjXWTI2YGkDHwA1mubH1hwHVyAlX/lbja
-            hFFSSV4QelNtjdEmqYwGpqAuILRpZ7g2/wMLVMMQ7l978KrfL5BFZw==
+            8TEH9TwOCFAZE9k2CFu9p0K0jjbnUBpo3YjLtUmWmTwD1sn51BqNTQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRlNiY2ZRYy93SFZqWlZh
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZFRGZVBocGNENlE0RTFH
-            Q1NaUFlmQVhUMVE4bVp1Smw2cGNzSDJjQzJrClFEZ3BKdEUzVTZCT2tpb2NHNGVH
+            TGRvS2hGMVd4bmlTRkpheWFzaU1udklzam1NCmxKemVjclFhZTBQVnNHMDQ3dFRt
-            RzR3SzhvbFNzNzB2eU1oTUZEUmlsUVUKLS0tIEVzTlRodkZWOFpoc0pFendwS3dL
+            WHZnbFpFbEthR25RVVh4cmlseDFKZ0EKLS0tIFV6aHdacXpTRS8zMlJ4ZWJNWWNY
-            YUV0OHJiVDY5enhUYnIyYUZ3RG0weFkKIW1K8NVG4M/YvrGYwbGL6IyaV6dX7qtV
+            Slg2M0JkcjlFKy9lSTY2akFQellmcEUKNYo83GUqRAMXaTizbbnHejygH07tH9QG
-            tFd57d/A8A3vugzQcMCYvRuiEl1uqqId9Npof+GdS//8AhGeH/LOQQ==
+            QcfwY4r26Dl3CKuafTJkK59pFB7ySd0hwtIg5P1s5Bu++L+WDrD+QA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TUVkT0xrblI4V1NXVkl3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuOGMwZ0t5UWZuc2ovTFFB
-            am1FK2VsTTMyS0ZqT2lzTG1NYTdkS3pvNFV3CmdzakU5ZnpJdEdncEVFcXBaYVMv
+            YVBINU0yNXJFSXRxNndybEpiNFZkZFE1NEJ3CmFNSGZFWENBRW1CN0JPSnh1dFBp
-            dE5aMXlzRUVtZTJQSXJSWlArSzBtZzgKLS0tIFhxYVFWa1R1VFhDOGNyZmdPc1Rh
+            dnk1ZkpjeHc2S0pCdnNqcm5CZzZKMXMKLS0tIEJpRjdqYzgwYXBwbTNudGFibTZa
-            N2VRNE02ZTNxUDNVWnNMb0ttc0JEZzAKCSgy9q357fSjSjnivOEgaNmhocNpzaPK
+            V0l2REZGS2tPSlk2dHVjZVI3Q242c1EKUjGxjcqP3jHeXEvqcsuGV7CoZZIg6tLz
-            TIzJqTsUoLvGBdpXa5bNSe+guuIZgZfm7PCohyKrcm1AUhFJOWZ5yQ==
+            Sh7kVXXUqpGJPcJMSQ6Zd85/bdY+S9CAwptYqzASOZMA1STD+owvSw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOEVyV0ZwSWREWDFab1RB
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeFc2ZGxBYkdkeGdlVE1n
-            VFczcWxkckk4SkVZU2Nlc1c3UDREaEpHb2dNClIzN3hsMFgwT0VuZVM5aGFKcmx2
+            QkZlaUFJM3pJdjYrby8yNHhLK01uK2tEaUYwCnV1MEVsamQreUxncm8zMm14R21F
-            azNBeXVrMGJyVmM2S0p6eWd6VHNPV2sKLS0tIE1JZVRWWTFnUjYwR3dTZUl1aCtu
+            L2RvQUN6d29UcHhVakJMOFdmbjU0SjQKLS0tIDdqNWJwLzB1QWYvMFFra1o5b0px
-            RFpEREJhRVBacGEzRWhCY010NllET28KqGfrDBjMUogZLG8oGWxUi/J0MNql1Wb8
+            TTJoRTlqT2NkYTA3LzJmbzZBakVIRUEKejrBiriwNKU+hQQ21TFqABobebDiFDeo
-            vPbOdd5PI36qAjxWEoax/WMG1LBDWxgJJva5VgI2uNoQtpo6rWHTeg==
+            ZVwJ8DL41r77SnhqcSUO649/NSWT2HTdyg+RQ41PRBjWaRzMtvgLVw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlc1hldmx0cVJaQ3lkY2hR
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1clBQSWpRbWUvN1FHNUlR
-            TDcyQVJ0ampnWFdva05YTzdNZHB2VHdkR2trCmtMaDJUSEhPeUZFS2dXZjRSUEY2
+            cVpaVTFuQmgwb05xdWdGVWdwaWEwcEN5L2k4Ckw0dlpKY1ViZkplVzVrSmw1aEJT
-            dER0T2N5cFpNSVNtVDBtU3Avb1JwZmsKLS0tIHhJY0ErOEhUMkNjTXVCbWFSeW0x
+            RlNpNExrU2V0WStBQm9tVGtUK2JZTk0KLS0tIGNjV05KcmFnQzIyTk8vUnAxdHhn
-            WmhYaFpXVXlFTWlhNzY3eVk5bFkvK0UKVf0W1kcQr8uHyY89KW5LfZxkb5tKhsEj
+            Yk5DQVNoMlpZbXdmRVl5WlFLc3hHUXcK209QCF3SpRTbIxwzVK391si02yLxHuus
-            H8SwJ2pvLuY5aRudkmnbXQwpF1i7oL17DWKcQI8qIZovxtdJqovmtg==
+            4ldUeA3LZFW7JulDAGmhGjqmAJI+pJoZfmjjoZ5p4T25PHsob4v9/A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweWlhVGhyMUR5QTFlcytP
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucExsVk01cDl4WUZZcHRU
-            T1ZMSEkrbVNjdGNjZUU1VzB0Um52S3ZNd1FNCnBjRzUxMyt0VzFnQkJTWVM4YWw5
+            L3pJYXphRTk2UFpRbU0vbUI2bnJ2Q1NURWhrCk5QVnE5VCtFcThOSzM0aFRseVJm
-            NFhxR1dZeENndVhkU2lkdmQ5RWpoYlkKLS0tIDYzK1pzL29jTXI4SStKYmRWQjBW
+            WkFzUWRLYUx2MWRNdlNydmNrTFJlNFUKLS0tIGwrNlRldE4vcVBrd0krdzFyVnpO
-            MWt4NmhOdWlOckIzejJTYStnV01nN28K96etySWmQwVux8Xdo8pXFmCgT9qRq4ZJ
+            S0tzZVN1UkVMLzhOaEgwYTZaMTVKSHMKpb5SQ5bArfFthZdktU/Lt9hszKPnWa+k
-            X1Bl/iIKZDkeFSZjt+wunABbgG2e086xUFsiUvAXclVKBEnuUf6RDQ==
+            23rnrL+wCgbHPLTB66+xa2asRh5PdYeXbW3A9SnKXQjlwuquJlqvVg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0RjhEVkNhc3VUcm9zZXFY
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TkhtQUdlU1hNZThvSElj
-            djJ1QXc1UTJTUlltNHJpblU4TU5PQUZXM1d3CkUzWVVucWp5VGd6TmFQQ2oyaTEy
+            MUFpVGRsZTdIeWNyUzRjQ01ZaGhUV1NWbkJvClZCTkRRcG5mdWxVQmxXUnZRc0ti
-            c21leUY1Qy9hMm9KajAyOWRCNERwVkkKLS0tIFlMeEFKRUZTZ1U5OVBvOGNpaUhQ
+            bDV2cFhoczJVcE4relZVYUlWQTJaelEKLS0tIFBvTHZDQmE1QlozaE1henpUSTM4
-            WWZPbWtyYTU1dFRoSWw5NTFRTG5IbzQKyDv4/mBPR8Ev3cGrHzHw/+nGnw39GkB3
+            WGROOExORWRoczJoS3dyTVlSWktvOUkKpQkWu5z+tLJyQXIkp1ZpmI+Xc0DYrb+L
-            YGjqlKMpfX1Y8BGlPRxCVRH0c+iQqEBxdqVwOQDC/njKGcMXMT90tA==
+            YEO54SnEJ7S35+6unRfPL5AI9LpRpSkIHp6p+jsHpLUMFm9GDUOFtA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
+        - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcElsLy9WV2NmNVRwTi9G
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQnlMUDFmSkd1OU5TRFJN
-            YWM3MHZEYUdLMmI0NENTV0JXWXlneU9iOFdJCkxUWE14ZkJtUUF1VFNFcTRRU2hj
+            cW1tTVl6OXMrdHAwYW1QVGRBaVJYWFVCc3pVClorSEpjQ2NQLzZvbUJzVHVlQlNR
-            YmRoUkxJcStEcFQ2eUtPSnEya25xaU0KLS0tIHlweHZlTkovRVEzNkl5ZmppeEI2
+            SXVQdldyMkJ1Y3o5MUo2MjNMLzd1ME0KLS0tIFZjYld0YW1LR1VYTGluTUNGVnda
-            TTVQUGlaZzB6WjhEeFp3eUdzMGJIVWMK5dQgr7YfvilutGW5nieHcsyTQu3pxzVF
+            b0Z3MW5tUC9sVDMzV1FWMjNyRUNLRDQKXPuK86rcj3My0l+vkxCKxow9XMh4JrWW
-            gYoCAmKUESrmIubSPOD0RifFBQTFObHJDU5xiDC4a+vampqH/5uOTw==
+            /431Hjeyf67N3RYOqWyP7ElcMiA+9ePjulVIwUFy1vxGPmq8AMuWpQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTzhUM3ZOaEdoT3ZqQ2p2
-            VjBvS3RrVG11ZjVnKzVmM0grTlg0b0RKNVNzCjZhb254b3QyUHg5UFppc1o1bGZZ
-            M29yZDNvRnVKL0JqQWoxUGNKNHJXRncKLS0tIEdYWGQ0SmQwT256dGsxZEhqRGY0
-            VThvSXAvMVA3cW9qMW53Q01TdHFtZm8KoiRiL8tDLUJeLocbRIfnGWuUG/0Up5pp
-            exdFlTaLNUej8UT7UCUPZvvYN89Zq1ea110xr9Nim5zzFBErJfRPKA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNVZ1WGR6NnJtMC80STNH
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMGx4OGQ0a3ZvbW95aGZO
-            dFZuRC9jT0lDdGlSWlFIZmJCUEFDanNib25RCm00YVZyakl0RkRBbUM2THNaWEpC
+            SGpHeGlDRFpRNmc1VldodHBjQVBsbzhzbWxjCjlxd2kwbTdmb3NobjF3cE5qajNH
-            K0JtaUVtM2N5NEdyeEtpTDUyTElaQTQKLS0tIHcyN1Brd2hYYTdIZDNoeDBVMjZH
+            NGphdmtuMmZGU1hHY2NKRWNOT3N4L00KLS0tIExldnk1cnFMMkIzdGVZb1lyMjhT
-            NS9yV0dlc3lVOXNIS3dVR2pmYnNwVjAKlbBNLNA7Pl7tUg0S9X3BTICkbehkmTP/
+            dGRydFUrS2d0SlN1SnVtVVBJTjc1VXcKhkNl+/n/8OB8kk6ZU6xkWNextIX8w4HT
-            mqVVce7F1Ml0dXi0t8AsxK6HyrR14ZF3QsFr2q9PgQ7qnLv9o4xzUw==
+            RGLbEsBF1Eftr6e/MgZRptvZuUvq2EWvl9GVe1GDSIf7EjJBYUW0BA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQ2tjN250TDJqdGFaWmgz
+            UXNxTTJ4bmR5NE5aOURBWmlNai9xNTZlWURNCngyK0FmUnVMTzYrYlBQMDltdEdI
+            eFRoM05oQU9ndjBnK2VWeXh2WlI0Y1EKLS0tIHNac2RqRW9VK25rd2F2SUxLZjZR
+            UUhFN0FNa0FXUzAvanNRb2xRUG5Bbm8K9MTHuo3lWH/gg6UDZLChj+EGZ+7HV52w
+            bm32bk+B050aCo8QNeFvIo6AL1XDk0YD0q3vcLBjxlcUjeg3tLKx7g==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-12-01T19:57:43Z"
     mac: ENC[AES256_GCM,data:2CLFlduO1fsxtvF1fbH18kadQuawMwIYEjsJBvZ65tecIdjT5efPD07+czmysKWBh6FQuVPL8a3uVlqT2WUW57AjQZtxloCMAFS9m2S//I6I8GsLVccGnmudiHUdXFnt+gI1gtb6ukZMEps4m/LSqUHGSptVwqrIN2gBM6Yy9Mo=,iv:S/crBYhr2HTzMYn83bK2YYO7kwfDspF0gvkoiuI9J7o=,tag:+sO+jFMFGZSsCb7PGnlUmw==,type:str]
     pgp:
-        - created_at: "2025-12-01T23:06:34Z"
+        - created_at: "2025-12-02T15:47:01Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwDh3VI7VctTARAAq+50+eWOM8TOM93JkwnSjUFLjwO17fT5jfBwWxqLRULp
+            hQIMAwDh3VI7VctTARAAuyStDAAmBNGBL/wAl7CNV99+AOHHP9vMlZXZ1Urcxr67
-            SgO5pCfJSCr2xFgzcuS40+c/ewP8NHwI+S8Mu8lcJ6Olyx279QyZJxdKvVba46Ti
+            rVXMAJpMkcIDCCsu6hU5fCIl7p3zvS78QOvLJvdlJ/GGpgfQF1us0Z9IL3xqQVjG
-            7Dgb31UzMQKjjOW8/nhf0JFIq6KH5HUQP+LmmQK59VEdoEnz4XYdxq7mGeJQsn26
+            Jz+r9CtoGF8LEmZ7UYpNiiLNKWqem6Z6Fs7NlVwYtK30to+PAJ4s0Kqui/FfVnCR
-            E0AG5UvIKjjSrZQXbx8zojIEwE3l1t7Ipw2oTzHCalWf5at41cXyWmfIzomWHElC
+            B6R5CmjMMKepqLGD+g1RasihtFY7QzPRnAcc1/d+VuebuWx7VFr7U1wXim+rLg+Q
-            XPwO8mjcBY5LQXDeTu2Xv0mBvFzXNBIFaEhrdphFxJIvpfl1FLefK6LKCDLhQtal
+            MfoHpfLb57iI4nfUYrBH8I32EtkQuD87GagebvdnjxhuzxUVH38FNLSnvFhNyxsD
-            HNDBziTORUAnvP9JiIviSr+OUhTHTkDqSMYE6SD3SFsvQ/nArQHRin/FvPPNMVhU
+            GgJOcLdrrKaJYOjDaBZV9BffGr5NTIfn1Zc3xQ2BVLS/xs9t/DZBaSj6ksDcUb75
-            TD0yec1VgXTJDJGe0jq+PiWNTwwnxwSRmKdXutp2DPEuv0amRGVOkeAJNSQPADOk
+            L/R/OWqW7DRw1Te0fC91WhNloXL142TA+FhsOyvqNsdye+AlzQLSWCuXDAHmeLY5
-            ZUGBKqjr+trvcKWReCC+gi6jMTP5N7rpjemufQ/p0pOTKmPeapTcWitqtRvAvGQ9
+            dld8PPF+uWAfdRYORDgoIpN0HlERwev7GlQTILPrL98v4RnKrHJQdTFRFa+7JMyB
-            +Q59sDqTgG5w3oSAnvboDwITFil7Pr39Oiwn01btDDlGXj0+ieer1mHOT3vI+NPE
+            DLYht+ieZM6GfYhy1LoHG9ydUfRnRpGV3GNaDJKWbDp1rqsrACgJu9XwN9QGVIOc
-            LSrFqUa/kMMW4+zZHGlwMoNHZbwLWHGX0O0KZFKauht3ypSsjrJbOeBIGgAq57S/
+            qeoLAW7E/bOwBkkQoX0v94inSSW/yLFT+m1/Xaq4CdrqBkI09EInfj+WHvGDBguv
-            1U+oerlPbnCCrUTuP5Mns0Q86mEbOmQQyGMgfigJ0zFkMOlO3306T01keUv35giF
+            YjmQVpsmN2I9/+mb+CMHdhnqzojc+ccimjRnWxANKqSxTTV+NT8LGl+7wm0SBtiF
-            AgwDC9FRLmchgYQBD/4vNejy7yGJSxzL9ouoEDqEaIGx1+pzzAyU+P0GYXV4rwat
+            AgwDC9FRLmchgYQBEACIMrpv+fn/c6eURqJ5/z7SjMzLlIXM3MJbYk052W0IPu3Q
-            P6YL8a0CikYLdkjgUsVDfFV7/Ou2Q1aPBn8AGRG6eaMlaICYK1UX0xiP9196dENl
+            vx5MgLmCI/nT0uPH2IeeGLiA2Y4R8TNbNNdFT8dARdo9IsNPZfhd3xvAlSNmt1Gn
-            qxkm3zQWCfxAkgWyUFernSzzWeE1z9FgEfrTOqKaETprFVxxv5tUKVABcXHSPNqD
+            PCdV2f4Ts2OH/UlAXGF28edUgSGknKTV8WFJHMD3cRVAfRISZuVz1VzeKLFdv5qP
-            hYqllb8tL1tS2QrqvxIOcrL7KHAnRPhHimIFeByNN5lN81Z3hLFRQ1Bl3LwDPeF3
+            CQafg4v9O73hhSyg2HTimXnj+b5omUhgLg/rVbzP4GLCQddu3m4vQrsdfiCmVgn6
-            /kEhVjmGqzw2jEkH60Am9I6xZ2nlSimF7Bi4pcu6QCWhN7PMwWEyGxj+Qu8Osr6F
+            AzH1aTkKpmXKXIh4ibgs5u+Yy/Yx4SS9YkRvw3fk4HqfPeBTIPLnqTjrloLbQi31
-            3ab4M2vkyTZyewUGsn9qO3CcPAHPxyvf+pyV/q87ejuE2e4wR8LYcJnk8BOKsNRJ
+            4PR4vMb2gvBTo+cIFvT7PaNF7CNndWBhxQVCPIDjZ0BgVsN3Gg9mepuU3OfFwnVa
-            m3sJffhhmB+f58HLzy9TwvaQqMno+/KnbV118lJrdzf8iCJrlUNY62MEjBFo3QhQ
+            RHMP1ACUCKd1+JYYtX1Ey+UlyblRpzbTvg6+O394QpY0IrJIb56aUUgrQIq/xBcl
-            2rc4vJXk9VINiZlHW3y9ZXV+dTus/gHKjN137dxq/RPU9tf/1Y3Ow407fDu39DT3
+            6fSarhnZ4D+r0pCT+YsTqV1WpFxrMELLQMCt5phJr/pDMiW6qWw/adRmsVBvJJsw
-            YrAAXj3jfEK1aoTtHpLZAp563Q99NYyBQLt3C32X9YZb4VuYCXvGsi3kqjdQl/zg
+            VCQ6zlfT8pnItWNgmIj/+vM25amGIu4JPviELamhU0TsgKsJ+EcoHylRrCsjg3C/
-            ZxUVlB3Wzm1jhL2KPOu1SuPAT9HLwu1QdDw+kw050DNBWgeLJx9i8/U8LC05vF6z
+            fWOV1eXVXlALXjg50O0mvpRT/8WgQU87QT96tmgvXP/9wy+piqOmYBKxPv3amSXO
-            VWyozdZIdIfAKnMrFOU/8pJ/lNYb6pXbIYwbpSIDslV3Cj60KWx7X6JgVUf6d9Je
+            wncrzPoUTLo/mw0dvOfB7ZRsIeg22EUlgESKCKo7k1dTQ+f9ALfjm9rNJARZe9Je
-            AQZ83SkdK0sBXS3sfjwCewyY+ta7i8zWYcG8KDbW2s7hxRb05u2nYKhJZZJ5xLcK
+            AdADaDBobnLh+yCFCRIHPYj3c54ItF8b6sNwbZaeyr+JLBYiWccp5hkF4H0/sZV4
-            eRhg3W/bMUWk1bYZ+Whz77uSIC3n/mgzIlsaRjMokiX9i0a1jXVyH4LEluPO5Q==
+            D+na+jJW279GDrQ1UMlXnRmo7FrBwh70Rn7vpqSMOranPDsvWvgkS/SMu8SJYw==
-            =MgE6
+            =YZqm
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted

secrets/repo/globals.nix.enc

@@ -1,50 +1,62 @@
 {
-	"data": "ENC[AES256_GCM,data:q80uSaX4Xyy7mMSskw8lnCagLIci19YvQC60/jqv1O877lEDHnHXh7DlK0XcWM6pa96mISk6zILfJk/eMxG0CyR12ryBlPHtzARmcpAQspD9oRaLKEuKDqvm57BmL5J5yItapJlBKfWQwQS/pEI4HJF8+xVrX8eTsMB+pBk/HsBLl7w1VU6Ob/hlEzyn8v5QMS+nB01v/61GTPuluslneXKnHC221A8ek2lyPN/D1uj6hXnifRsuo8DoPghe5asQ3VM8mOZa2SJ4NWEvWJ7V5SLbgPLvNGi0G+XfQ1kgb4qDSdNpBlCWY2hlqEquEO9YJoLjr9jNYGMysPtnmIGPEinGF5SLDLpQomph5krAZsQPxG/oTiB89SYN9hF5SuUzSHuuRJao5hVgWj4d/KPy/xjZ5rN9dOL7c35EiCuMViH+vsYBue1ehYSww7Y+JR49ho84+sSJeEHTdpnnhtogRxbekPawBbYs9w3gXx/pUhVGZJS8QqcNLsGeEvWgDGmfbsZagQHG9Mdib5wAVp8o8O318EFoptlf2TrRK07BS/ibSc7GE6KIOde31OVamVwfAYL0p5JopQNEDuW9YStMhDQa5YhfuRCrlZFteXqXAMh775uXQge14pwtETExTE5PxI3hBWKIqrb8XP5ke+j73cx4A0VsuG6TtXf7YfWohiuRBkcojp1r0FY12jzkCOstJ2DjBFBI+5u5dF0R6SbezQ9vZs8yWbYF0kICTtZ32cEWnE/pVgdS8S9CqVsVyflpjtM/DeedkpoLh9JtN1oKSDos7+SJA+r8/ilXIhRTwb7tt3hSBw0AFkZ/rnSHOGHTBRY4T5lH5IkOqOQqAqbH0ta6hhxPoDjKzj8R2JatCnZGOLzL6tK50w/Xm80Wtj0LxDmmzmYPxCRI14nUobeFqDi1aGU4jpqKUayUHZcnTVgfURtSV/lT5QrsXdTXt1k9ywwq+1oT37D8Irk6+gaSZNcI6PQG/KpBPzmeS7r2ubrKhwhVMNlwF0QxDGR3273+AD90rAZq9niuS2yJRINXs0pImPK8y20uKDiv77B1HSpP+CpoPlikGy4jAgCqbpyrUYyYUB0O5MMZ6VK4aLwJABsE12Ef+WGC8tbtGNxGTAGm3gxRZ3/iKNl++WKZWo3khVflHWb026iYqEl5oOnUif7TVmXGbEiccjos0QoygbEtxSqeN4IxxXg2QxRh5rbfxsFiURln6lhGhjUj7SrSnbRZT6o38xdhKrLqs1zM5ss6na/9W0rHel3wmy+Ocz6UgJ8Nj412EM2dwo/oQq3k0epRLOGBJE8f86qjQAn+GZXnq0pwGq8MijhRWJDc+4uBxoYLiHrFJIy9MvqNRgQ3QRwgMXDB0psnKpybMyHd7VDWmNd7GLopEfQEv/o6Fk53ZW6rLu6l6EdS9GuZONOJsjHB7rVoUl9qi/AjXWenzZYaDrqAY6P3lDWdoNZLmV4AQu+t4EIaMz1QjLfzeDhVG/v13+hZ7UbCIOtr/FQ6hfKjZ0A6l7sfLKcuerH5AwMs9/TYEcqEppfrcAKtBK47kJiB6Vnr0uVg13D3w3PlL/8kA54xuJzQUO3+ns73yPLjjhpqt52WfyzUmhpymzNo+3EPuUC/l8GWohvdNntb0rkx0ibJA3LirgGE1IQK6qzeZNkvXVHvY1pYVV1nDRWi3HlpsA3UCMI4IxRX+brFQqM49o0cqoE7CZPnEQR3UoUg9qQ0RJpiW3BlaIPUexxdgn1j9RbUt47zQsEI7+5gvg7EYLbj9ZPEJCxUH+UkukrPESHauKXPvI1EbbUncMd2sLyxn6IX7Zili26O9vON7PM1gL/Y1s25T3meBn2CqT76Zl0HjB2Mzh4XjuDGE01Agp4BETiKrCMprZB7+mR89PQywIyaJWS1mvDSmzbaTXk4VZVqH3lpwNC4QpaxOb1ZFjj80uPKErBZ4yeLKIEVaDW1fwQyjkXWjIwHhUle3AJgnAfxsM33fvxFucjGyc91FAJgX7IhTSATnjsf3dUm9FyW4xR4RXbJ1OCuZZ9C/M8LIHZSuXYNNmjOq0D7qUiCR2Lesth6hquHCnomLDxcPtzYlUlC7ZdF71jLyaop6QWk2n3nKbURLV5Vm+DrLi3Zuy6OAy2K/MLJhKEi1LhMw9pJYbNgq1z8SGFz8O+k96JXuZnIDZxzj9zdlTOjawkCu3WCGSAOqLcvPryZqe8LYOlozyVQcDQ7d1h9fTlz5gA6a6UViH9dl7uzkR0i0srEVbhuZLw/YTM4dEANtXT9MbKE/KoqG0jmzI4vf+mAux8mgIGNTQ04AfFxG+Coghn6WHWFJtEdOOT8hCfoZxs1qJA446Q2+ACCNeZgMiT4BE3x5L+wiS7Km/7d01XV3KCuOC4P5GwkVcH0l9WToJN0ViuM2bi6uz7JcEvgCb8AiVfpLk2NCE0YAcWY8nMV+aw1hOAKvuzIwt8vptTb3TApUQ==,iv:Xbgn+Nv6py85+Sl72aYxyDgfPEGsWK4+YqiYTQ/5pw8=,tag:CInhg7J3Au9HcgIWkisiOg==,type:str]",
+	"data": "ENC[AES256_GCM,data:sxGOffKdJMzWq+3HGNeIRX73Etd7acwW+wXufdCjQ2/vaN8OQRCjMxFcGkxp+OAZXF7dZSLgXvGjEOFpwHL+ote+sFqE8heebp9FtYbg6vbuk1p6Xz9EE4t0bYhi8o76QrswdkC7zzgx53cCFezojEfHXOOHlmzA+C+aPvwTkF7Cn0WbUOyb+KYYi0WtzcxzF0A24KSb9Fup4WyF0OStrV7l5H4BVXgrDBH/sdohTKznTHhrz7PfgWGpvPtRnT6o26Llh0I1vqp8F88ZVmjQ5bwpTxa/wAc/sgayWuVkU8Qf1j26vPYKluC+ZAR3jZSsHrqCKO5t3JY2t5o2A53QxpF+KqN1qUQpeGowhwfHMxAtY2VSsvS3kis7V2qM8yChfIgp/SZAcjJUp5t23eqgpBFd+IP2emhqlSy1mGN0Mii8XP8J4DyucoRb5ryAnCSyJKXK9w6dx/CeBYEMe02An8HeUytVUtGhhJ90m5vKPheovarR1CLrBgnegcfyLG2OiKwQ5F/KorQ1Hub7KJYAFBl5QsarTTiDS0BKHtQiVJgWLlTaramyi4GCTCVGDTRZwV0ordWKm6xCTkuoC9kukvnabpM3AKZAFOKL/6MLZviukkF5SiJhDQN89e8BuqWtPUkfto9XnNwkHHiqWRWkfAjCjs3wCpehX1ef0Q9xAon79VgeE7SK9qoYvVo4koD6fKWCJF5O0isvCkX8wEdoMAniNIFXReIKpVRWe7uTF40+Xlt70Y/a6RPvtJPGRYe0yfw29LlZfUwmV1XlxoIXL5aKTn2DeLhYXXqsBb6AkPh6oDPXIt5VdoThIsdlvRyiVLtFwE8Ov6pOQXYJgnRAGWzK+8qzaHyqmeiCM7k+WpbnvmdbVTCmReO/7q7eGpgF0C/6+sVES3uWqP1SWFv51G+v/58xilXL9DG+ZWZ0RNXz/mDfMtRg5CT32pIMUKiCAYvMvIF4yw9sSeWyu0ljQckIGb7l6xj3DkOlhx9PaQPEdaTVczqtOcHyfX15TXKySmHjEB4NCy1PsLoXcyFefw1flamFADyo2/+oXb/53r67T/kaMxk9T/PN1JB6DES496EVyo9TAOXdyubfo8DbEsDT8h7aUCKpFvNgGx24jBAMn/2iouxsmBUY65maVWdRodgQk+XOA5DfLbKm+LlZawuuyqoLxoIa0ix/53bxyD6U3AO7MTisgJyHA1USvdhaSmEe42ecA3voR2LXvSkRX8+izs8DwJRvtfIsTUgs1GBOgLSn6ULm1a0mFmaXTh4S6kT4ujDIYNXL53vUUVBtUaVDvnhZoXTTTgms7s3BHa69lGuadg22kHfNdO6FJ+HhXSHqz628zelJgwqjwBybMGo7xi2B9MPgiSvC0N2HFXBn54vFY1n6Af7b5jZ2cQEcjGbrjP+Lk+nN0wm89pFUxPcZEUIQWxgmQm36quh9kXj7gYaaim9Eh75vORywLwD709R8VT5BuzugcTp15aA1w5cLSpuR5TPNium+72jA8NnZQqV14380i2doUq23CXGjM38A5WF8Q+JJBCYJu1kc5fU2BEvwfZ0JJQ8QQZrMxZ48K/X8ATlC+pJie3sLByv6YqDtZyES8tldjYZ/vhopExhK1L0Bw4dNTviH0Zktx7OE9T0qVMSxOLETIRxuKLRmH2FFOHLhSn6S6SXYjK1pBTJRKGz+487Qr5SYcqqv3G2lD0khtP0L32Lr6iSedAmkJPxXyW71tvputzZPxGc1Lke/Ml69M8I92JMxggUcHkr435hPzTfrBIN3IdAEYrjB8CUYlxt7fDfxi018QTCZ+6Hs+e/Ezt3n0g7KKYvzJ3FISB7oRvTyUK1EqZI2JjHLiJK9QYOeheBiwTUK8OgLNfwy3rMpUvE4VuvAhl0TmiUcwOhbRT8ttyos5HiZC0nHUvwwIZguhK9hvZM11N3/trsFRqRlJvTf9mNEzglEDgs0mhkgnyGY1y+xm9KBZFXgG00ic+4MFsRzLn+eqmeAl12Edop916yEhZyAHfPkzshK8h1qRE5mR3N81w+PLGkRuL7XCVKNZxKODusxDfZ48yD17qtSgwUcHsovoLand3WyswdVf+7k8IxEhQ+HaeZO4As92LhFgOL+ocA2pj6zptNmgUN246egJaJUPF7hmw+DyUpmOcEcnhBYAYzVcUtNuSvMjYfjps0k/LLEYIOI3s+SWWjnx2fVQndMpnnoeWJBkw9sD6s7zQMncINttrZBkILzM4TcibegAXZzQB3HukC08HzkgvlfZ7OOt4PvsfGB0AmWkN7P+Kcvp6XxgSxadKoUwJYxOfcEMaVqBhM81DmDIrlJWDUNYcvs5Jm77isXK/xQjJPAxZfCUTrm9eDQEm45GeJ/z5OeGPMncXpKowkPoBGyjzBYDf1E3A0VrziJq7x8I8d1N2Z37UMO/l8zPpYQyrPRdrLt80cRINOUZcHnOKzSU7NPVZfmvbTtLwijbqapVGI6cPIcv6NgIBfhzPqXNhMLLr+dOQcfWAr/xICLUQhr5RrdmMvDeKJPT7gKhK00294XPg2Qu+JW6X1VPFrf+ISt4iMaJPAFhCCFYLRFlEaNScJyQN6JzERev61YTVERmFcJEicH6f0nckgT+BfvkaKDCg==,iv:6JNRrm3yUVTUXocmNbZGbMV3oS/XyWsuuHo3eHR37PA=,tag:RMHyYGpwOzCQjNUd7ANINw==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
+				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNjR2L09PalRkUTREY2lW\nSWFmL2lTRWtMOXA4Qk9kbzNicTJZV0JEM1FRClpjQmlZRGhHUDR0YlZlUW1uaUJm\nSElmZXJ5RnczVm5uZnpyejVMQkhDNlUKLS0tIFdhZzB6TGh4UkZUUktmY3ZRUXM2\nSURjZG9kVXZ0a1dCZWczV3VGTXVva3cKTGhXQjLhn3hpY72nfeu0pVCz+qzJi1gJ\n6AcGZQDKavoJaP+qadTVe8pa0Vu1NX3ILJBKigPF6OTVJY8/BaiX1Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WjZLbEF6aGc1TnROM3Fn\nWDVhWlRwajNzYytLVUZSdzVkaTg0YWc2YjNFCjlCMjNrTFlGTUtZOExIY3JES1JU\nODV0RDNKaGxJRlMvQkRCMkhlK1JFdDAKLS0tIGowSkZGd1B6QjQvd1hKTVAvb3Va\nbTlLbFE3ejBBVDhyQjVmbElHMUlqeUUK/RS7asoLCKs2lDqAXc+YjjHkczOmS2ZN\n8Zp/f66TDqMSWKEW08vyMXOTve+8Uw5LJA4s8B+OzaOp7A1YKuAtGA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRHVXeXhHTDdhZTk4MGpH\nTzkvdnVHNHF5RHRtQ1F6R0w0SStIdjloSDJVCktmZDkybzk0ZFQxUEVqdjAwZzBR\nTXRsLzBsaGtDdnhTM09qVDZ5VG0wU3cKLS0tIGNJUmdseUNMUnlmMmlEQk0wYlhC\nb2tudWFlZEhkalJXUlE3V3drKys0ZFkK/HPemyCo9WH2snhSZ30O6NxS/JvI2wln\nxbHZ3jio4m9bA81zMMKOIvBFoijsG/jFL2Q3f9DkI1xii9IeG2sUFA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVUdXK2NnSzdwUUE0NmR6\nYjhzLzRTM2EyOW1Kc05mdk1hbnJ4N1B0M2xVClluMUM2RlVwTGpIL3BmZW9GbDVs\nQm9kY3d2Wnp4bnJJc3lnMkVCNStnVFkKLS0tIDdHT2VFYmFubVVXSWtDcGRyTGpn\nZ1dTUk9LcHJlSnZYUktMNUtmL08rZ00Kw4RPnFeKVDB423Q8fJQXN5CCjxAnye2s\nHIPXbheEHODy62Wp73T/iMfC6aFYmuggk7fWesajg5ZF/ulCtb+kuw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMUh4YnU4ZkhoK0N3SFhp\naURRWmRJY2dKOVMxMzV5Q0FlQkxOTUxEYjBBClpYN1RTYlNYaGlEbUJUbkd4VjNp\nSDh3UWMzUXFzeWxOWHdteEphSWpSUzAKLS0tIDZySStqRkdCWnBnWFV1VWU2NHR3\ndy9zQTRRVGVkcHFsWWtQdWJ2QitJUncKIb++KE362NynQcDXgImGE8f1eIOzIT/s\nkAj7TURYX0GlDkdUjkvlo4DBRA5Rs09WqMZDbFqBC5Cgvtmit0jYxQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWDlJNWt0T3FOWlRMVVB5\nc0ljdjhueEtPdDFWaGh5UFdwemlMdDFIcURjClJKNkxCVTJDTXJaODR3akhUL3I1\nT0ZVeTJzUXErcUFRazZmN0sxZENLbFUKLS0tIGptSldXWmU0SXhDMEQvVkx2bXhJ\nQkNuSSs2bk0xTkR2UVpUa2R6RjZ3WHcK0VPe3tuOtTCj/a3R4lotiuBpAbx1JdKN\nBYHV8GMe+vM/6yo/+zFLV8HjUmh7RndrT+q3xg65a55CobRSw6icwA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWE8ydmNXRlBEM2lidU5k\nb01jQ0Q5TjlRZXI1YjlTTDF2N0VNZ2pJOTJFCjV5bmZuWE82UGtWSGJFWkVCbmVD\nRlJLczhwN21XSGhaaWFpVlNyWUNZem8KLS0tIGphZ0RFVUdXdUVTbDFibjR1TFp5\nQ3hvZjhaWFI2TnVzTWJ6dCt4K05lTzAK5pJgUGGCwzPO6yWyqiQuCEwYc3PrFXV9\n/fhVaRhdLJXc6/hBvWsK5vzQNe4o64AfUjS+iHyXi5m0dGINzWCDSw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRSWs1VkcrWnl5NjkydW5n\nOTBPMHV2d0Y5UG9sdTZPUFZUUnFLY3NFZzBzCk44ZmZRRmpDVVMyTTZKTUpMRmx0\nU3BHLytzMVNtQkYxL0hhZEJKdXcvazQKLS0tIFdkcXVLaHNkZ1dXK3FYUEppZ0Jv\nSW91dis0dVhOdS9GQ0FGNWluNU1vVGcKVBCLrCtb2Y0pTXClB5qhQdBIimNR6U07\n+BNb5d8VoTgafFQTU/RHLt41420nfCdLYmgk8dztz5dVEa0OmES4DA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnUFV1Q2pQUEJvOUtQWFZL\nNlowSmg3MGQwUTJxMFhXcFZ0aElLMEM5NWpNCk5lZkNUQzNzNnVVZCtkMzdIdStV\ndmJ1dDBwck9lVUc5MmhKekxWV3h1UGcKLS0tIC9yOHBUbzY4R1c1aXZ4N0JVZkpF\nZ0gvMnhxSXl0LytxVUVxVGV1eElIYlkKPa58QsZc7y15LJlOamtTNrWPH+EkblLX\nEI7IkmOWK/lhG9KEwG4h1+8gDS+5bHPuvqz/7+sROo/A8Ry0Tj9oWg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbHY4Sko3NWc0VWk2UGJC\nMS93RHdvRmNJRUtMOE1lL1AvcjRxb3lxRVJZCmdXZkRFQ2ZFMjU4UVhHVzdZOFlr\nK29yeURjUnNEZVJUSFA0aGlzdUJxTVkKLS0tIG4zY2RBbTZKWGJWTkg5UGpQZEdO\nNVhWSDRIWEp5amVmTTlNTVl4NllsOXMK9Z1wKx+6JZ40Z2/ALe1rGHPlE7Tz9RDg\nnk7SWr/f5Yya1cfVyMEDZGCKm27jPnV3BltfqETLZfblQjGsvBUEVQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIODlXSjhFbmo4ZWZUWkdj\ncEVHT3N5Vjg1NnJVNzFOWEkybzVxTEtWbWhZCjRHUlo2L0U4YjZFS2tMMVM0NjJQ\nQWtLV21MWTZRWkFWVGdUNUEzK0g1TnMKLS0tIDFxaTNtQ00zbXJNQUdqVUc4QUJ5\ndWVvTGpMNVkxZmVjK2xKN3F0dE1mZTQKuw+pFE5tYe6vcTL4FrgvJs7RKKGJBNZO\nDUjlUxMB/WBR52BNuDL7kviFeLaF2HLeF4s+GkvqYugHnTBiZ5fzww==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBscGZ1bzlSdkQrTWxNaENo\nM1pHTTk0ZmhkOUc4ZjRGSDBQYjRmL1lqV1ZzCklOd3U2andEMWlVcHQwSFdTcUlH\nMkoxMUJsazY1RzJ6VGwvVjYxTkpwSGsKLS0tIDdJeGhPRlAyUFZmYlBTSU1UL0ZN\nekR4TUxHRXRmRjRlcGtpb2pHZU5MNncKc/Ry5YBhbbi4T2toL6wW/oAfRXobUGqg\nQDJIjb9evCO7tOkxYphGFnxYl05wfIlWVUxJeAzEXTg+zgWDk5ElhA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WkJ1Q3Rlcjc0QTRmallo\nRlRlclFmcXArUW04R3JEY2FWYlBBTWxscGxjCnpOcTJqN3FzR05NcTh2SytFbU1l\nbEJHZXZPdHVuODcyVjZLU1k2WEJxaHcKLS0tIEtNRnBzK29mZlZXeGdpYTRXWW1S\nZVVuQk9rQXBOZk5QQ01ucDAyelh3eEUKKmljNvAc5Af+B6x4hVlNjZZiznPu+U2/\n4cA9twbGvxJab6cU/aXLtB1yOmQMbm5sroBZ8+sqThGo1n1eBRHQDg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WFBJaFhhZnBiaVU1a2Rx\nYmp0bnVQbE9aeERady9LVjg4U2kvSGVvTnhrCjFDcnBwMFNEK0ZLdmZSZkxaTDhY\nb1U4c3Z4M0FOaVFISFBVVFp1U294WncKLS0tIGJxS1JsUUdpd1RxREZaVWx4SEs2\nY0J6cERieWVUdk4vUCt2SW1qck10dmcKUiYEDqsN5xJvNmaDIZU7x4uuq5KzjE+M\n5lCFSTmIIoexUsTbYLdz1cWgll0Hc5z13OSSFgJt/iTuj7ocRuHmYw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
-				"recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg",
+				"recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMWtLZkZHRHBGK0JnQThs\nN1g2K2lQYWFmdTIyOEE4cmg4R3FnWWdldEQ0CndFbFBZOGRhWlh5QU9DWlc3MkVk\ncktUdDZjWXQ4anE1S3RsMnN4UnJOc3MKLS0tIFZlSU02eHByMzNScCs5QWdHYnlU\nWDdJcHBzQ0l2MjMxdFU4Q1c1S2pVdHcKvAzlHn0XQ3Oi5SqckELFtEWl3kOulf/U\nZ4ux4+FGfkjYbq7jiyyHL8RfLVuBRDS4MGcGYEsI0YQvmcgxBFLP2Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dkJOSXUvTmc0MHVCOExn\nazhGallGN3FUcGw5SCtwYzYxeHptWUp4cVFRCkRoYy9YT3NCWE5ybGFMYVI1Z0h0\nVlptSXMwWFMrZ1VWYW9xMTdVRmk2a00KLS0tIG03Yjh4Z3N4QWR2MnRjZWgwdi9X\nSFlUQ2FEU0xXUTlLdnJEWFViSmt4ZmsKHxI0u8x2zcvZgstTSOEVXyiPx0ZPRE8U\njDnnOn+oZf6WKNBTCQ8J/QTii2QNa2Rtg3h1EsEYVD4qEBOtou8n+w==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiMkh6ZG11ZVIzKzdocnNw\nODVzSmFlaEt3bEo5QWZCUVErRUQ5WklpUjBVCnNzZkdoSHdJNEJtYlpEV1VHNWF3\nQjAvVE9ZOWU0U01QdmdDMzU5NHA2ZWcKLS0tIHJZeGpsMVJhRFZCVnk4T0JqVExm\ndDYxU3RMNTVvUVhEdVJ1VHVybkhJaDgKOcg5MoybrReGg5Y+kVusweFcEKzc1xd9\ndhZC22Klz/va5RRS5IVnoaIj9JaDuN6p//mZGKtYhUQfr5SaiWnfHQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bVBGL0l0bzFiREVscjcx\nRElzN243eDRwV0g5NGMwRzdlTmk5Umd5Unl3CnBDTlV4b3Z4K0hUbFRiMmpObE4r\nSEZPampwNUxxRGMzbFBwQldWVEFIY1UKLS0tIGtzZE1NSFFWdlFHQTg3RXNwSEdM\nTnZ2R3ppbEVBeCtvaGlNWTVWZXQ0Q2MKoOLKAxiCiTrQ1gATwuqh2aphq3zWskp/\nWeQ8oqOwc4mL5nzKIJp3VzTQ+CdL2BYfDsxhsqgilSruht0tFm+Opw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHblFPenlYNDA2WnlVdFBm\nait3bEpqR2ZUUjlOM0tMT1Q4UEpFSXpNUGxFCmtvQjVyc3RUT2pMKzdBbHNwaFUz\nelFFRVZFVzdSekY3c2M3RmJvcDR1N28KLS0tIFZBazRsTW41N0tHdXJWZnpwUUJB\nNk1iMkxZOFFDY2JtVnM4WU5KUVVEVmsKHb8PCo8cTyipymup/F8Oue5DiP+uPznd\nXbD74jiB732WPPNOrXh+wU74Uj7EpYoazvTcs4tHu30cCpbCz6cqCw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzc2dXbXQ0V3pIN1pFbFkx\nQklBQmF0VWtMUC91a0hQaUZBSUdUUWY5SzFBCnMxaVFjUmFjcEpLeXdZUDNUczFp\nS2xCQmc1ZytLNW1sc3hBNHlwZEpvZ2cKLS0tIEF2eHAzUnBqNTNSMXJ4SFRRYVlI\nQ003NFZqa3d0S3pIWVZQeXlUUU9xNlUKevDsJeis0GYCwRLNwAIXqyjGedV5rcJt\ncyDaMsDWR3kCRYZrvsUV6e8IkClJLVKtleClGjdPTh8fkk7bVan1FQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYjdYN2h3eFJ5K01Vb1Fa\nckF2aTNSRkFVeHI4b21vNjhZcHNzV0tMYTFBClQ2VFJDb245ZzhybmhCTEMrS2h5\nUGNlM1pEUzlmSTBTK2tRb0xrc0hCTXcKLS0tIGtuUXVzMTUzT0IwWXo0SWRQNHY5\nc1JyZ0NLblpBWXEzSVNxc2R0Nm9mc0kKbKkbLE4+EWSu+k/Alt47O3ADYFuTZuKl\nIeoJagaLNFSfmT78+KWmhW8pgsTN5nh7wk4qH/WALYgMfy03rdLPzQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-01T12:37:59Z",
+		"lastmodified": "2025-12-02T10:25:26Z",
-		"mac": "ENC[AES256_GCM,data:F9Ma+RYXq2sAYc+uPn2u/A6hxbhybc0wDDVVspFJNIYBu1aUi34xKjxPaPQ+H5hWJEa4V3FtUugCJnMSv63gbA9sKPdxHI/AXIUAK3f7b4aPXEs4RTAQaxuvlAz98wi8cU59BDmdzRpYxfN0+FsIeIxjT7lcDS1JIcFo3M2o6+U=,iv:qWMGQYH+DERoSiMTJ5i/eviFD0diTujCjHGK+c+U0y4=,tag:hvrPpfhzdD/g/JXLwKRrtg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:sIWxzlxMc7/NgSa2AeOx40GyOCCpNnPiQU4soVahKcbv4ydiBk0/utqV+25WRMPt+YvY0sSYVdl5O4F516vf5XYL1C83jXWM3Yi6Y75BQKkbZBsiG0tNTY3A3r4wbWwOx95UbxzmwKyx9EuzCc8NmXVpemnfiy6b4EIdttz8bSc=,iv:K7cec/NfyMZQgQu0gloM1uVx1DEG+CCpnBL8OIYPzCk=,tag:qNVd1BrNdHYqbV6mqjwF3A==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-11-23T20:29:01Z",
+				"created_at": "2025-12-02T15:47:02Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//QwNJ7lhnXTXntHGRFgxzpIRgDBFe/cIjztt3FfA5tavw\nWt9+Zm3et3imgGE2n/7CrgWFobhsFLP5oEXavzea6IjyH3T+RWeW9nxCzFZrP6fQ\nOS3oEhQ/SBTUFP5xDJHz/b2oNrEMQjDXlZYoMtMQihmn6qx3fiFK+dTaCKvnH3zC\nrKH03Y1iWiK5JsKs8nn97m3x9XfT/TQSlbDe1ktlGIzh0p8zvIEJcGgbz35BkBYL\nN/RK/l+xHWnt2jLLi6vj6WFano8x3BzpVrahYA7ynKoVWQChE80TUDacaVjh64MO\nYqGUluZwTSaw1NXlaRIas2z2Rm+HEpeeNEyVUCpe/gAGOawmTAhcIgORhkIK81S6\nToiAqIWaw/i/xtH+U2M59YOPRwG9XHG9/DAEmdCsztB/AykNxOMq6xJDayu++kyY\nRXe0uYbPd3b0nGMcngBr/DTWUSuO9qcpg21d4VfmNTaLHgXY8QS+8bYTETJDqyvR\nFioAfHx+H+/la+OrLwee+CONCHGrlItSo1s4jQXW3TvbWlB19gj9XYVLU6dohrke\n1h9hr0Ia82/a+5or7RCU5Gtf8tHqueOdIfG0acv7ohtmjxtZOegSgZZfPIRpUI+X\npuLxrD1u9FFF/KaVJOERZJze4jVOHvPbr69B3OD2TJkoHXQzlCEu1E2/U/zGNz+F\nAgwDC9FRLmchgYQBEAC+7PFEa8+euceAKBBPiV6CswPFy1n+4o2E3n5DGFMxm3n/\n9O074js/c2X8km0FZLg/OQ68h5iZPX/mavCybvNOdIDUDzpEYiiYhQKThVW0Oz07\nOPxXNA1U34hv+raMlvR0Uyuync7RoMJLy3VIlqttqn9urQsusUJPYTtWpVRaojjc\nhunYPQV7XdIGJG92sCMgG8JeYLpRpDJphX232xuxt4L6BZh+Ddr0TUGmKdMbPGSo\nU50Ub1uDWWDYL0BWN8BzsuQQNDOTBMVqucG/WCr7d//x1A6CY2wz8tK0pIzyv0sa\nIF0PYAguFFZ2noT9QA64wyB4BJn8bgW7L6ohv0XfVdLK0fR59lb1A9Ar386uhaCc\nstjmijCLy9T1aN8roKM98CUUamNwPFZhv+Fb70/5qN6OLRz1SPrpZRyaaqOsiyz8\nyJCxMz0KwOSc3PsLLBVhBPr5wk2w9tB7CJxk6hCjgbugXbLXXedYtlNwXyOXb7kB\nAMjGWFw1e46pCmkpHr8e0XbKqY1lXfeBPO6y3MhrqQ7Atn61lSGGuwmsbRM0oLET\nHYNbjZexMVTxsle29eM6k6Y/MPSxLp2mwj4orPgIOXKaxletNKDgLoqnSUIhbItX\n102RMnCLptObGPmlzJ3z7xSWievOiyOtT6yY1tCQQfdWE9cHONni1TYTupY9/tJe\nATViviHLvdhJTVcj/MJY5pQ3EK/UYwxJPXZG0CWHixz1uJeZTdfJm0t++tiWlRO3\nDRZ7TIvYUsicqCj/DKrcOLpS3U9toBp2dz2tCzHwZC7u99v5YgpCl058ZEMwcw==\n=TbqJ\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAoSZ8k5N+uuVrTgN9qQYOGrJ1NS0yjcxjqHEYbVaFh32D\nltM6zdpKORmPxfKSjacGQLJDxh31df8xn6ZhuTpi78vZAdhe120uwnmMayMsCGvE\n7lx2sZOmFay6oVGCevo5rFzKMmpLRHdy6l7pjCusR9JL6FQEhq2ME2Z/qzBGrkPt\njLPAX9nPWiPBRaj7tYwyMbD+mbNxeakf2RlNwShPhVJGYD4+k1I6GdWZdbabjZtr\n3HiUFvGbPbDHPS8z9OxaD++HNBmeEdSAdfm8Lwx0UzKuQfC9+R3tZj+QMm0LT0vg\nJtyPTeEd1baT3s62G6sznLfIGIkd+BZ0hGhazqs9R3Vqj5+w+EDW5UnEBwztrlel\np6Fs7jNAVlJmLXTfydh2WgK/jIolkSavwpmVdO/H+e+vB3pc+6bMBMBjxogJhHNC\n5mRhC88OtoBlN3tadP6raPY3LcoTPSC9YFfnNCLvPwsVcsBz17vl0wGF8OFLk8PZ\nhJ8es1E94p5+/4W++DN2KWtOH52jRt7sNEpEfdFPd9N5aUrt7haTTRMTOFC4lRDa\nnWNHMrHyIXXQ/3hw1X0Pun7r6tj05R7mkTL6PVjvgQWS9q+GAczBbATYzAKGXeeC\n+nemfP+xeEx/QkpNcBAp2R2smZjf3xjp2xyLYZwv+ML7OFsgKpTTRLqMG58vVJeF\nAgwDC9FRLmchgYQBD/9Ez42Y9nKcBYb6WwIDOxb4xFjRrvAj8ODl9/h3m6GrXfU0\nmwPR8PxgqyR/fTUzqe+RqECb3L9N2P4JIT9UyVjpD9fs3WkKbwjPKOL4RtJNZ4mP\nOZbxjrxdZXz9Kmug/G40Eo4nNLYexG2Qn1CNsMxVKnn5FHD0d6nW3JOszqTCG9dG\nFHDrOxF5CKFTeUioRM6AwjEwoUZ7MlyPLtEsrhdpWnRw1FqQgRkeNIqLzy0DD8if\n2kcLx7eQ7bFWtUvdVSUK2zMbiSOrc3pq9/r8MBpTZ6adEMd7xuezrpPlADh4Ve69\nkzLs9L8cN9Kc5p/HQ43XUlQeUQJ8l6/dzI47u480yxx3uFwoZkK56SYY4fohl15S\nPFigWmNOzyRxHVhMAlcRp8MaYYeeSDT8ap1khUxgZkQgBV38MLAjdN824mZijhat\nEfzxMJ3OOKQypNlHeZpoRcpyvebTFmZLeFvNH54dvFrQ0ofJBCrG8LtK1BOI57XP\n5/5XrXrj6S0UD2bntONyrhvd+tYLy3N8/WoRvWBdfOPM9jshCAeo9BU6/doZys9x\nNUzr9LnVrSza+rTMM4rROlDgrVgoLLcC9TXfSQV0tEb7MI84x6H1AYw+t7qByCPa\nqzMek0sN8V7bZHkGIaezd7LvkVHn155sTgC8mFukSFVqBNkDoWJoYGgut+PLo9Je\nAVJdeEDQqOrf+yXuDsLhPWofwWuxrPo098H42QSuntCKLoakbGkR5Ct/4JGTu15A\nQ0pWOArVFQgBM6C2qqib1qK2yLoJMuDcbX1qzStNJLS+wrBf5Mm6wHDLnfEjyQ==\n=FmzC\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

secrets/repo/pii.nix.enc

@@ -3,48 +3,60 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
+				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGejd4Rlhqb09hWE01czJm\nMGpuazBFcWJ6bElnQ3pMUHVVV25MYVhMSldRCi9VNm5jcTRkaUNPemZkQmtvZjNC\nL3FVbjhYT0pLV3RTVGg4d3ZQMmJ3VE0KLS0tIDRFMGJJemFNM3E2a1BabmFvNWdx\nMDBsbWVhd1puQm54SDZiNlYxT3Znam8KIcaM7GlsZS2jieYlN4bi/CX5dp+TYsQN\nXJUKYKg4+vrtZpVi9NHyFif0Hwask+vdaziogHO/xKA7KiCo+NqCNg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUUw0blVNUUROcmpra1lh\nOWY3YnZlc1ZDSG9QQ2NjbWp0dzlQd3lCMmxzCjRuRlUvT3N5WkdsaDVwY1pUdWY2\nMEYwQ095UjR0TWdSczQyQzVVU0g0TlUKLS0tIE9Qd1VPWk5NU3pJVFZSR1h6anNP\ndy9Ld2pCeTFlaENUb2s1UjBaODZITU0Ky64qhIpF6rmeybVtu/QhTYK6uBdNGF9t\n1+vfBHOxOxdlYOXezlHi4cCPoo7uQ29tsV88VJuDo4caPIKaTsN9nA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoM21iSERkTi93YXovZW4r\nbkoxTTM2L1RKSFJJbU8zbzh1ZUFsMFdleldvCkIwWDAvbU5hVGhKM1lUS1BYcHMy\nai94U0tBSk5XN1dLL2NrZDNZd3hlQVUKLS0tIHdZN0dqM3E1anplU1Y2bWY5ZUZm\nVTJteG5lS3BCTWV1WHFTYVJYeDF5bHMKeIhSkhv36eo+lXpYCZ6490NlnYZjm9b4\n53Czk0CumRJ+3IIdJ+Q6K5CHbQfigDWP3XcUPmTpsWrRqwogtwZwbA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSDBJdWttNmNOT3lsUW1y\ndlRpdWRmNEFOa2xmRzdiNHZRTk9FNy9SUGhJCm5TMlVCdksrSkw3RVA5dnAvekxD\nMkJuOE0wL1lORis5MDJ1SlcrZTNHVnMKLS0tIGNxOXpibFlYdnZZczVLbmg1Y2Rv\nc0VOd0FERm5nblh2c1pDY1RNT2M2UzAKcHZwkMsJTs++TG6YwAuLqxF8GaHdOHU2\n++4ZY0hZXIJlg+W3sYfc3klrzTOSDpLq2KnCskQITK84ZpZ6NKr0PA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYzdGRGJqV0J3b2FMQnRm\nUEVmS0FiUEFGdEt1RFdsUm9PY2ZiMWlnNmc0CnZqZE9LdThLSEErVnFwcXhWQ1Nh\neW9XUFNST3QrZ0l1Q2RERWdUQ3BpdUEKLS0tIDA4eWhnVUxnOGZST25Za0ZpcG5M\nejBSRUtBOTRJN0RrUlJDV2RRSFl0TDAKpNmKXLIsahh+sdgSwXWbdpE+7ceD/xjH\n16VvzaJc1nAxU4cOBZzM/tFYP/KXAfC+lxjbr9r4L+tWjfhoiMr5dQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bkx2YmFZVW5iaVYrQnAy\nbnhrNnZ6a1pzeUZDbW1xS0RSREk0aytsMEdvCnNhMmdKSHVJQnE3bGhoY0RaakhP\nbkp0QTFnT3BnNlYyVjE0bE1OOEpaSlkKLS0tIE1mZmorZXFrVUJFaC92djhVMjRX\nUFRkUDQzVkh6eUtEaHoyNGphbXdVRmsKQ1y/V9IanXDrcnHRk3dDXROLglHMHqbB\noMX/5dF7p7izLToYsNGr/VrkCHVN6xVxOayGEuRhOd7JlqGKwowTUw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwOUJSMHVRR3VKcjlOeUFH\nazFYS0R4T0NnU1hzWjFYNk1qai9NYmdJaDFVCkZpUUJKeTBmbnVZTXJVZERVQm9m\nemw1V0lJb1JVRjlGcnZjZW1lNDltWGsKLS0tIHNZaks2M2tXVC93ajNYTSthTDZu\nNXc2WG5MejJ1Z0thajJDSldBSVE1b00Kusadu31IGTpzXG8/1BXjdMrUWFWm+Gew\n+c52Tbh8tm778zYb0Z6EFupjd4lVUYfn3GuyCCB8mpGteLidOeuqPw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SFRBTjdDRTgrYTZjMG53\nTEVlM0Q5R3ZnWUZ1RkE1dEJWSUpPQWZBODNBCjBTM1pibEVwaWxWNDFKTWRNWk8z\nVnBwQVU4NS9xTjJRQWE3N3lsM3pFZm8KLS0tIEFOR2Q0VXZKWk0veDhFWHFEMTBx\na3RHUXBSZzlxUTZWdXVpcmQwbTZjKzQKr88EqRwIP8Snzp+dEyos1++ZD4aH3379\nNkfQp+ZdUxTjbCvPQlk1osJ1hJFWutisNloMLGb3+4pQx3H+k5iaxA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZDBzY0pJNDdEVlNDYTgx\nb0FkZERJZE1HVEhQSUVlOEJUZjVFWVVmenhvCjJoS1hGVkxpY3czTjcrR0V5Mkds\nZSs5d0dEUmx1TnlyS3RsZmV4VWJXaXMKLS0tIHoyeGNQVEdmRWpOMlViOGdmalhI\nZzZha29SUmFaNk4xMXFDVlZaZGI3WVkKc1eB7uQChwRejq1h6F44uXeshmvsn0Aa\nCHzCJ/uGc4bx8hfY9inZ/XVh0JsGa2w1G1lSbE0heTottM2bpHad1w==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHM1NHUVVqTS84Q09wTGgr\nL1BoV1h2blUwMlNQOHgyQ3E2OVVTVGtDZ0hJCnVrRjN2WldYWGdiQVkxY0JjS0dq\nelVidWk3S3Mwd3c0U2Zhd09jMnBISTQKLS0tIEUxeWQ2QUNMQzJvbFRBSjFYZCtm\nWXpRdmdaSUg5U05UYzdvVktkU3lFb2sKI/Xd2j+qlHZxcpyl12e3poZ1lO2HZY+o\nEYEXwg4aUqmtJo9UCHZ00v6Xiq+y1zuE0Ac3R0apl7wI5Zv7OA7s+A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQXVMRmtQbFl5Z2VTVkVT\naDBnV0cvcGp5WGtYcVZMaTc5OWlncitZTjNFCmcvY2F0Wnl4TU5tY1Y2WWlUWjNq\nL1IzWU42Y29yZGRsSnA0RTFZVUhwR0EKLS0tIFlYOEJ0U2VWc3RMNzFhT2RhYjZZ\nZkd2QndCbGV3RnpaWkYxTkRVMytqcDgKqFoTKhY6DzxBWRjuy2Qd3jWQBYlT6pFa\n9WH0t3bOtm86oIjJf8kUICmE2oRVX8OqFNIpzKD0dMoOuXgz5O1EwQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWE16aUI3bVVWQzVvUFpt\nMWoxSVZPQkNCSCtHcmVFblNqT0NmTHNqakQwCmNzZk1QZXlDc3lGMHJSZ3Rad3BY\nc0dMMlNTMWtwL0gyanplWUUraFFpbzQKLS0tIG4rSjVjUFRxVWx1K2J6ZitnNmpl\nWW5wWjc4dGpiUm9icDY2VVhzL1ArZXcKorvI4lqTtabc2+8SAlRi19fwHyHC9XuW\nPFREx6paLv2Bg9sY5tdfeZnf03iXrXe2zfEMLyQF0470P63yv0LIfw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUaU5BVGlBUUdrVzFYM0Vu\nZ0RHaUlKZzkxQS9UcXB2UnQwY1REOSsyc1YwClIya0FtU1NlRUk2amwyWnQ4Qnor\nMWpPTzJRS3FSaEU3ajA5NnVhZDJQcnMKLS0tIDRlemVKdjZ2MzVCRm4yZ0VGZjZH\nYXdJUXlOZ3R1YU16djNMUmxHb045UXcK4kvPN486Phfe8lwLU2E+QIVb3uXHo+v5\nUkxjdxWjpWV1DWFKtFzILU8f9gwYs2LNGqe/uaik/cnECqS+m050KQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVkxVK0JzZUtuR0o2VUk4\nRGtqQVVUVjdaM2o1WHc5ZWhxNnZoM29TUTE4Cmk0ODRQTzRTSkVDSHJjMzZCWDNZ\nTDFsMWNvdjZZKzRJR2RCeklSendhK0EKLS0tIDFvOWxTeVQ5WTFSSjliQ2JVdzBH\nWHFLdm51WnViM2JreDRYK2JnUHR6enMKuOEqqCPfC8E9ci3f+u+Thg0Co2+cvEaY\ny6iPRauDOLUUq1Zo3yR0mYQP82Lk/uVo+Jh5tGCQw67nd6V/fzzLoQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
-				"recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg",
+				"recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZFd6NGlQMW1Jb2Vac1Jy\nam9zL2hzK085KzB0cExWNTc1RHRIRTVQMzAwCjRPekg3WGVETmc5TFYzaVAreVNB\nU2JoaHpqdnhsd1hseVUvY2V1a2E1ZHMKLS0tIGpFR0h1bDJlTnVpQ0NmazhlRStu\nUjlGZGJTYUdHU1ZwNzloQWYrYUJzNlUKns93LeJxg8zNxnWxVH2DWIjGGmWcwOHa\nRD6+2MDs0fcaTIvzLhTihVaykBZ1rvk3Nq1p7p4Zz7cyDUvwW8bO8A==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNTNITjh0ZjdIaW45dXNG\nYWdmVlhjbHlBTjUwcndsSS9ydUdlakxKeEhZCitiU29nRDE5T3liOEpvR1paMHlE\nVWhvWVE1dU4vTDJ6V2J5eEpud0RMRk0KLS0tIGpGMWRwSkVDRUkyZzBHQkJlS3JB\nY3hhaFVTRUw3N0pOMDNmRHIxNHNIUFUKfWhcs6II9k4G9NrJ+i50nbOkOxUXYPiq\ndrpvA2YXwd/x+TGZ4m/IJ8CkESEpNp2Ql0GyemJ5knjb1mx2Cqqwcw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcHhWQ1lVNUFpY0hhZ1Ft\nRWY1UFdidGlSN1dNSnJrTEwzQVRUUGxQTms0CmtOTE5FczYxYldVbkRvLzlLRUkw\nTFIyTFBQekM4TmNqZ0pWV012b01EOUEKLS0tIC9qdUlsSnI5S0RrRlc4aDZIc3c1\nZVprZlJtRnNrbGpzaVNrWSt1enBNT1UKHrdxe5Qf1aMbY8Ne/uqNPYhYstIKPmun\nuCMseNq4SRUYa3Jw/bUy+l0GYC9+srFFJ45inpV4XAPeaKBr4WhPgA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c3pxR0Rpd1doeWhsSVB4\ndWtxNHkxdkZjWHJDMW9sUFM1UnBNaS95M0RRCk5GMldwUWdhUWJJZGdSbWptQ2VE\nRHpMM1lqV202cjRrQ1N5WjBDd1kxKzAKLS0tIEZDc2VHaHBXd1loL0UrZTJJaGRk\nLzVzb1RZVmtNYkZNM1pqZHhYRWVSOGcKIH/JKbzaOlWOpt1YShHar0i5T/rd5m1w\nkx6wZ3b4dpUdN3FyPdhrjT5RWOL1BHhcpjmRdBTAHgdqRLSZfYEosw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdC8yODJqc2dBZzFodlJw\ndEJUejNMbVZXZm1uQ0FHeFhKd0craG14N2o4CnlvVkp6eFVLcDlnYStHaVRoajlm\nb05yZXA2aGpNaXROY2paYmpqM0dCencKLS0tIEVhMDR3d0Fla1RKY3l5cXZsNEFP\nZk9vdGl4eGxhcnBxVE91Z3ZoZ3Zzd1UKavS6iLiXL5acrtOc34OT2V/Ol6lWLtCo\nZglO7H8Agh58FRhyQUvDu+bHXTGnxWIhOnyAjJYwP3XUk0p/3E4PPA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSWh2VDk2SE01VHBkdG40\nZjBRaGpYS1Bjd1NkQjd6KytLMFJqY1ZjVFdRCmd0dzk5K2g4Z1NyUXk5M1h5eDhS\nSjFiYnVtWmdwekZyUUplaVRJVnY0dzAKLS0tIE5xdi81R0pQemNmYjIzdGNyU0dY\nZHE3R0pEUjQvN21hRzZWS2VhemdRZ2sKkxOMwLetpbV5ZUC9ZxG3/N7vCT1vZRtR\nVRPoJB/3ws5hSE6G+5Qv0V/EjvzT1JkNFKsNBLl80Lf/veebX15KVA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndExDdXBrblUwY2hKYVFV\nMGRJNzQzZVQ1c3ZCMjhhQURVcUJoN3NuZUVvCm92aFdqaEtwM0czTW10L29HT1BL\nay9IV3l5QUphWkFyV1YyM3BZelpiWTAKLS0tIGtFbTdXMk5LcEgxTFh1ZmhWNlpX\nQUExdFNOaUNkN1N2VFpBd0h2SjhrdDAKFoNlyz+coOn1lFUTZlOuVOFvhnoQwwiT\n5U2TdCA8hlFyxlf7gGu47MyGVXbgtRBVGTXH0oVU8nn6RvquT2aBUQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-12-01T23:39:07Z",
 		"mac": "ENC[AES256_GCM,data:WEVxtO3Y7YI/COpOvvadujDYV66MtcKKujiE9P5mrDqqdjG8p2fLwhSNJHVJUwPyV8xAIIxCTqIA3bKmVKJ7vRCn2GQo5tRsWljNVU6g44LcXcX5wSeIgExyvUNjBppLbWsjstvfuJatAZwqDBN7eP/Ntu0R7p3wlr4IddDe/t0=,iv:es5N9A7ypxtNB9wPYT9uumwpLZg7wT/gesO5Q6njtxA=,tag:kgxsF5ZiYvM0wHDq6C19PA==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-11-23T20:29:17Z",
+				"created_at": "2025-12-02T15:47:04Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cXb4LCSFl87V234GULIunsSJFGmzu1fp/lwq4I9UShKy\nb0GHhheX+z+0U1+L4Qk4SeE408A4su52sRJJ3EN63+eq0+FPFxoxQH0NtfTSQcWa\nn9/sXnP8hrjnm6r64lAFd3B0HQQE/l0kqDrvU+UYAKfwomxpbdenoqQbinqX5Qgm\nY1Yqz8jIIxU064S4iiwTkLzqUi8SCPa1MCGQi9HEPxUHoVeuquNEQcs0HB34XW8Z\nxLUWSsUdpjb8NM73WArpml8XG9bHmdG0xxX1mZwK+uA552t1WDVqX9QHClGmQTdl\nPM21S8chJI1W77EjCsV6QfSicICU3RbvLSfLU0WoZ394VmZmxTGGoofpESdLVd4F\nU5ZLR2t7iXy0jb/TEeZfTGD2PPrt+hSWt5K3PIQnAb7fvLg/9fiG1LOeQlW+SZKD\nlojaMn01Dg6Rfex2qsXNrKfi/qmA3tpjeN8pIBpCg6EPlCFUzp7/cueTF9Xj/Tqk\nL+IOOFTKLECr/lQepz6rS1XRHrJtWSyksd3rt03s2Q5UqLdoiUZAYXgJAWntNMKL\nU65rKQdJZXtp99oDG+YVp9F2ZCogZN/Ac5+sUTmke66xku6dh5Qqe9MpYtAhPmQO\najMZiAeIaoaYwc8vFMGvNbJH2pmJaFrW9v4MELkTmi0EjZEPgPWCOIgUkEtKanOF\nAgwDC9FRLmchgYQBD/9eJUINu1YEtZZI8iNujEBNMlgmKjl4nVAwB3sviKvByWgx\nXxN4xptU+6gHpAeyRxwvWLhv/xGkHWAUJHkMsqMKYyXQQPAC9x4l1pq67AsNpMu7\nWcec+B8n+X3gwnmLes5H0fvdJ+gCMR32JL1PRnLnkTjeSX/JBFRG9tPZ09k0YvTw\n4ebwpYxlimxXZGR0DDRh3Jls9+YqgBzMb4EOo64SyzD1ZWUjP9addRpj4A5UpSRN\nFscy54sG1CMRzLyXYJb6AgDLVysfMq0Fgg2AgvaadmoKh82/Knf42C1K9DPqakQl\nmLyzXprvUR8mlBpWwZ5b/XIC6DuhiCz0g7dYX4XPeUxvah7PkRp3cmdWsJDCgq8V\nbwQg4Dm+k+8BZIZwRC4+3gLchhm9Jq/KtJ7iWqeVb+YQ/v+/712BiEJSANofqMQy\nmkHVksp8E/PFU9KYhG5lkQu88zVmnimfWFO7UKfIJGBBzgt0vicrSKjHPkgbb88R\nG9diNPOuXpCJJVecE5p0BEfizfDWnV7JSm9s7GNdTqglQx2KkLYJ1mijWuF1OIf/\nl1cdN8IFRI/glXC53+Wfj6D5B+lhdT1D3DG9MVGxeEyhQCDdnF7+Zy1jyDsrOpDv\naCq0MqXoa+FrtEBwlke2Dukf4RHtyBWsAg94dJuHVV0STnJbB+2T7uDDvVikvtJc\nAQw36Ni1lDO239BV5VYMDiNR7zzcLRHV+hXjlGqo4f+UbTy4jXxgQwS0z4lGn5XY\n1AKcAoNYxjuuGhgoM5Gw1ch02QFFzXWD/Bva5dLEMO/1Kqre/LM6+iUhKd0=\n=bZ7p\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/7Ba1CD9+AjiKFX8tlrPIaQF/3i0t3irrZJG2tX0aGjEWq\nVMZOp/tgBfLLODYHLF8LAgRF0IAzn1ehpvzzESMrXc+X4Zm3ls8yH+n80/O9o648\n925HxLh+E5PXbcOksCw/PaVBjfqaEi+k6rbTyphgO0bwaisbtSZdMjPmawfCbw45\nD7QyCJd/XNdLyGE5wvxSj7shUaBqFzkoE5iQ6pR9mlyeWVy+QY7703+IyfU0tcw9\nIAQohfO4n5h58IfS0QuygBUCoLaDG5iniGoQ7Tu5FcUEP5MO1zF7izbtYYE5ueQs\nI4MoJ3RdsUIwd++CNnFDTRJCzfbB0NvCYd0hArqEdVcIr4rKrNoMchhUdP63Zu4Q\nwhTb4EmwGJg1MlZ/rEfQJRU3Ywc95aNX7IxcywDw/5FMQsON6EckcYcE8oNzhFfC\naxpaAjqI8jEb0XAsNcpJTJRhc8GG9YOpbROAm9FGXgRDh4YOWiMyVOwqLsOk6vpJ\nFaGAlelZsWcnmYllp/63QZKz5IXOjlHo8p20/2A0bfSfjLNGgq2x0Y3SCHOW/T6S\nUXYQQnijckqxQlNtkJVFaBXH5fxTzYAYjaLvCA49KoG1+NwCQqDV6+8giCaIYSME\nAf3f+Fj7ylXOtH5QR2rTA7/DcQlmMBV6BeRzFg8m4jRXjrmfWaN+sgNaT3aRHkeF\nAgwDC9FRLmchgYQBD/92rCyWj39tfr0Nr3YbSU18MvJVcLkviXPtLtOQLzhWgAnH\nTiB93LOw2ViaJI3SRPs2QOlOxFy/7PwhbRpB39dDqIL8zeVQtGjQhE3apbYguQc8\nTFP6Ky+0T7E3ycrYIF5R3U1GBcXBJ4jljDuLfPCDYJr6azWmZFQep2l9p4ZQfPBA\nQwTBrrrZo2uFCuLvXoEADaWwM0c0PaVdF0VopB08zWeLD+W/YLxRxdgeXPc6SKkT\nl1PGaeq+rzON+PSLQOmC4vnpBzB6GUUH9fZxBQl3didomBZxjM8dBwqScQQMaSX0\ncbnXy1YbwHiAMnlFaV4uAATyG0eKqlYfxk79WK9BLaVNiPe8bXHBdZTCYkUrY1FI\ntODKa0Mzhgxmcth7uu0654EnqDbiPr2HyEsYC1CKyjO4x704k7jWPn6jzV+RNO2a\ngiJd9WftMzFHFGSK4qVXd3OKvpPE9WYUeyPJYquD8luMPGIj16pidxb1WtdTDVdw\nE5Qt+CTIct2aNCiSyPunCkyfFpFDkfdUehAmK6WbjAWsq7/mHdTIDxsxsBWzx6bS\nxwyXjepky3cO4POTz3js6MapR0xwGsWzm2s7YkMgHtrfwf8d9JnMuJuzf/Jrr5du\nn5oSNToTny1edhuhP0mC66K0avAe1K9WJCGzgdhGBYcRj22o/d3YoZzgg+0LBdJc\nAVFrJ+X2amLM/SEYE3+2fBnV5zgf2RV9VzBy5caNArOnWIFkM+g3zdQKgSqR70gk\n8hPRggQ/u7jJx6wps+JyoTBhHJmcntB82RDTgJ7Ht20PZgmX6GIreQl/obU=\n=prsF\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

secrets/winters/secrets2.yaml

@@ -1,56 +0,0 @@
-#ENC[AES256_GCM,data:K3S1LFrPmaS5,iv:dxFzPLhN2otgy02VWzrLURmomtYdoIBHvEJ1LJ7Lj9k=,tag:stKgkBnRDZkCPlvFk+btRg==,type:comment]
-radicale-user: ENC[AES256_GCM,data:2G+WXxw6jrnPXsI=,iv:bUEhBDrdTt+O/4TXMkhmqnzfkSiws4n7L54Z0zZnSOI=,tag:JGQPit5uGqITUyyCpU3OIg==,type:str]
-#ENC[AES256_GCM,data:+7JEI2P/6/5yiWQ=,iv:hV4TyNFsyugrfFM0emxGDDDq54XWy7fVCf/kwD0mtCM=,tag:iZz9mPsLG02rlgV1vP8aBQ==,type:comment]
-prometheus-admin-hash: ENC[AES256_GCM,data:dUmTW6W419TzF8dLGcgRLlbLBg9puzgznNCrrAuNOIuhXCBrqaJdtyIVFCsnrDSEh1ZdMfGki4UERZcf,iv:XIlb65V6yhrKSU7AbRs6k1ISljZjWnAm1dPTCONwDJI=,tag:UkdDTywivitSxYR902uM5A==,type:str]
-snipe-it-appkey: ENC[AES256_GCM,data:VWEGKbCD5P3uxeyMVtK9a7BcVjXlXSEsJxfLEwkHz8l5o0Xq9lTbTpsfOoc=,iv:3nq+xuuujjevWdmk3SdBai/EWXwL4F3Kv4M3yc/faIM=,tag:/cNC/EKR1NWQhJrh46meCw==,type:str]
-snipe-it-db-password: ENC[AES256_GCM,data:O+LgX+XyJEaF+1oYcjyMpUab7AD7tWK3LBd+7VJOKq/Mz+k=,iv:yJgwlG/ln5BdwW2c62UJLIkrCWakKvj64LMQsjTIwJI=,tag:yw0rC1GJo+KMn1wXRdJomA==,type:str]
-#ENC[AES256_GCM,data:jGvWDKbVKA==,iv:N4cMopsUPOfymKpMD7oB04VtS0cUX9yNNqwyWEdyMi4=,tag:L4PMmMcM1NCc8LPG6GJLMQ==,type:comment]
-garage-admin-token: ENC[AES256_GCM,data:2N2kqXt7kraqMQEkDuNQN3SRiL2WKRA959Uc7HAdSlZcC2Ft06YUb+Elktw=,iv:dhAZoQBhvK07+wBpMEsI73YN2oX9dMthV3SaDWZgea4=,tag:0Pu0BDEYU9WYQQ1hJr8qFQ==,type:str]
-garage-rpc-secret: ENC[AES256_GCM,data:s8qGCm8WM/pvX7wZJyenohMAHnNWrumUxyJvst194h2XPfpLBbKVZwZ5t4zkwqh0yJNgLqE+2ekwCxa/xKqemQ==,iv:zUo/x2LWS7b2E2kZHDfa6lAwxAcuNir5a+mg+ASDarE=,tag:XgBh3ajVDy0vWccX8yZXSg==,type:str]
-sops:
-    age:
-        - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUHpqd0JJMEVmSHNici9W
-            QzRmK2pUMWFtN3ZPQURxa0hzQk9wUTRsbjM0CkxtVjBFd2VLVEpkZmhLWis1YlhY
-            Yzg4MHpzdHZkZmloZWNDUVZRbkF4bE0KLS0tIGhsQ0dmbHVvYjRuVHVzTzNIbGh5
-            ZWxwbGs1bTNzdXVNSzhpNWVESGJlUzQKzZr3cYBF6s5ihgW/6CreOKWvQpqITrFX
-            pW6gwbRbxaxDPRRdfn8qswcezxq5AwOk9drbOH+qgcwL2owRGxEhcQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-05T14:55:44Z"
-    mac: ENC[AES256_GCM,data:nyz3jp/qV8bwgx0q6c7RmXtzdmwVrt8C6FU36qtzUm8tPlAd1K7MmgxRKFi85NqOu3XPII2OkwhNPRBOJuQOoXGfo27odfZl4riQ+any4GNarDZ5deZ54+kjgqyvP70dsm/tiZgZ8Fjwat4iLV+mqJYMS4OBl5krr5ocU+LY1pU=,iv:l56tIBgMog4HSxP9Fb4pWSD/z5FaPlHRkUYqlkhydzc=,tag:IT++kT0EncDzEEX4DdjW3g==,type:str]
-    pgp:
-        - created_at: "2025-06-28T23:22:37Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAwDh3VI7VctTARAAqpPsEJZDZZ2Wezne03E310ix6dOcJ7ZdpPNkPJBprJh5
-            ip4PmWKnYPnNS5SZV6+1jHOrconChnF4hAxVMH4bgZ/hCkPVNijac3xl2en5NP3a
-            gPcKSQl6SdiCvfcs+bU7hdCn1glL/PHeilUl+ORJ3olbK4fjrdj82qxxlWVPpqyX
-            iwjhvcS6rjJ3rTv0KAVRmpGQjFN6cBnei1Yv2wQqypcmD7D6kcsTp8w9MXz8waPI
-            3Qm0gGjDSUWCrSF8FAwy7QSkJ/Mwjz7yTtQfVIDUQU+MOx0kLY9sIYNkqwZV63RV
-            HxfxrvIOOdkeCi71x6v0s+Kf3PoqxJgqRAV5pOmoMT6cnLH6+g4q4PHKoRY9d1Dj
-            EP84VtQkqDLt9JYJJfN2FyVukhUZf38ECdzC+DrTeXuVcd5VV0t7q9LJWG4wL0ba
-            8P5rFzRcR6TnW/7Ku1rwebnawxeMoppaWlD8hbX5gEtuLKjLfGtwG7qcMdY2YWVZ
-            HQsLrMsOrNrY4hvT3j1Tgs67sFpa3b4zCbs57ecUPihiFElpnRueFtIFJY73UYF6
-            5VNSxhWNhXigFOBoX7Z6LmGB2hGrMi1FnYU93Kx1uz6rqypolQ2sG8UUbkH203gN
-            4R1xA2mD/uQ5824Uo9I3W090XASI6w784pduDdtzCruZVhvuRd3tRtsAJBGwKPWF
-            AgwDC9FRLmchgYQBD/sE6rUSTcVVmgbr/FYPgglMFw0AM9Zwrpw2vn19eIBwkDc/
-            HS3J23UVqHlzBFQo2oLQQQ2NZB9ObrYNxwsEqkQnEDp0vBVZHQMlFHYOzvJo8TeL
-            lxUhT4cSa5mkTWLD+1XjDllNzudVB82uJERLvcM5qRAiksaZpBUchUlDIGXiH7kI
-            /C4gRYN/JoMPrIOx/1LBZDHiP/9vcnK68P8XdV2l9pvIEo/S1aEHcvtey/WnX1ze
-            YIREcghXmvith8D2CL6Yd3vrKcfi3QG2CPoKSk61G+NpjcRpozI78T2KU8jL3jgz
-            XqHqLpmH696z2vnh9IzGtMMvUvck1519M6CLOa9cey3+ByDs5JYHWAxH/jepqCIy
-            kPfxHVhoqiHJiRRSAkBveYLAlInppH1FLY74emJpo9UJyweJZMpn714EuKIQXcxQ
-            S/3p9FGM7fyTAKK3EK6t8FRYb0ees//u1Ol+iiWbnR4cmsksN4gEx22IDDBcxPGE
-            V0oW82pGoR9ZfDWpy8IdPsir3feIcU7cyoYCvhOKemJt+kg9hqxJjACuBbrvS1N6
-            lF4tzelsZeFQ/HZMINnNvsgdz7tbZsNQWa0EXe2kzBAtLPD3rIfRi9sFsUkT5X7Q
-            T+fKstJA06o1QafjjPWKnY3lMV1BvbMMHJ2EgaeZr3IYjmsN9zOvIb/71u6vj9Jc
-            AZcfV02X9OFN5T/NJ3WQ487L0B/T1vyFxijB+APW57noWoNjroIrIozL+Ke7wiKL
-            c4of/1Hsw4O7QclIMvLl4Vk4nZj7CfedbYHCFocL5rIB/oQe6GV4N2o6e/M=
-            =fult
-            -----END PGP MESSAGE-----
-          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0

secrets/work/secrets.yaml

@@ -12,47 +12,47 @@ govcnetwork: ENC[AES256_GCM,data:Hevnb0fAMbXTrg1CCmAgwZbJ+sxaTUgJLRc=,iv:UoNyPYu
 govcpool: ENC[AES256_GCM,data:sfglbCi3,iv:UdvDgyI8AAFdfOxKD1sVYCof7rXFPavq8eYDaK6Kp2I=,tag:iMn7XPf0rmql2EiaqsAn8w==,type:str]
 sops:
     age:
-        - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
+        - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UFRiR2d5RTVLckN6akhK
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwN1BJamlqTmcvZWZPNFVi
-            TXoyTmNqMGtlY0gxbEVQb1NoK3VJaks3YWc4CmdnYmo5VmNqM21ITGg0dzhreUFq
+            bU5XalhTTDgrajd6OFBBNFZ6RTBTaGZzWTFJCkN0VG1WYlRzeTlxZ3ZhNlNmZ0pN
-            dHZjK2s4UjZGUFFKVi9JS2F6RE5leGcKLS0tIHZLeWZCV3V0RGNmNDd0VVhLejF3
+            MlY0K0lFWUNJbkFoQVA4bmVVOEZGcU0KLS0tIFFpa04yQkQrZXlsSzRiTUVicXdF
-            Z0dpTnpXcnRub2NWU21PblBtUnBXTnMKfmW5I2G+XhXEi8ssdnlavppxhgI4G56B
+            VDhiYldnZ3piamFoUHBuU0ZVaGQvbk0K/n41+x2YL/rpaEAUbjvCtyUmw1uwCXVo
-            555YBJ8mLRXKINtd37nUyfydEUYiM4zUbTFlJ+83VVF//+4KUeOCYw==
+            jmH2cXi/GH4CSoLY6oekq1m9dY/Jxgl7BK+KdRwf79IwhpP98E0xzA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-07-03T13:26:17Z"
     mac: ENC[AES256_GCM,data:35J6pbaTXcq8zW3wtLqBAHSTaWjCxx+BsOZlKWNwxEOCkGzXIIKFtakZJIaMktgPNLvYOlUEOP7dhjUc5IvJCM5beMSNOjBVJJNnLkKQv5sCJK+4p4uTzXo3Neht/Y3xan4DQItdm5lwwQpyNlCecGynVjqN+F44liyxsAR8gtQ=,iv:gaVY3PUn7NdmBNAvuvij990T5pRrAfqY1qgCPWxGBiA=,tag:CuOMqH34hlQX8WPikAL0qw==,type:str]
     pgp:
-        - created_at: "2024-12-17T11:38:28Z"
+        - created_at: "2025-12-02T15:00:16Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwDh3VI7VctTARAA2c8ZhXvI1hepU4CUbRb8/DoEjRFTcRKFr5XrsndHVCwL
+            hQIMAwDh3VI7VctTAQ/+N+OvAooLwatMFprJMVOfItYBfn77l+FSI0Xj2wlJcq8l
-            xCLtBH9KqMf95/WzcF97qbUF+d1R2Kc2rxd+WPwYK2q7dxaR2BHyTbcbuSy92Dvc
+            XZcvUGtmmuoVQPow2H/M9FAxxP5ZTsOtRlgFl+Tt3JxXh3lo2L+Ia6jRYKFX9255
-            yT7qlfl+l6HhgKXzQD97siWbXpY7AnKVb7swLlaODjWH3PN1Qw3In6n+o8i88lts
+            YhGS5rBG4YReaxPXy9sZgcuZL4KmO8nVzbrpTpYutvOxmjeMF2pfwUeFMa3UJ+5k
-            879uyzs7wsr1L8a/cp666KrW45E9nqxpTa4cdCr+bdWdCdlhTPPFSonF53YfLLBR
+            11sSpuR6h4qux+VGeLZ0hRakjlyTWbhCBL0EDpijo4YKOHCCOEPo8hOvpxRDlvbj
-            1rsscv7w6nQy6/hRZ/rcXuMZbqF4mium8KY6TqaRDGgctth+7ZNhIS1HRfDhXwXs
+            P2hOKlVr8idIBET40BjNbMQ1dcfDwXMAOm5tevWTypBH9KqHgQWUyt+sok5yMqis
-            HcZwdvBvQ7EqBS34v4J0DOMqlBLKlFFtTLP/5AeXy4sCOs6vCx51WxqG8Wzj0ybZ
+            E5DvY8G54daFU4v5n1XSVw/C7iWx8XeN/h2SnlJK5AkUqnrcNb4f0jlqwDFEzkPS
-            N2ykQHOQGVW5zbP/OQdZF9TUHJFhcF9leyV86XTWBcNOBJb0+N43milKuZwczd0o
+            yht56C3om7xzh2PpiLxGC8iJdWnT3QjTghrU5J/LwXNlACh9NhHItVf0P/FHMeL9
-            jLBODysOTM26YtB+4NFyR+uFCFHgCrCnIxc3CApnPnzJbEc+ze3+otGdzPgkMJ70
+            aXCb/Ylzpg/txGZnylgF/rTQ2Y0ZbsNm/fyNF/IamMrJvsGUGQ56Z67Axk622Gyi
-            vK/RzpXhSvuFu3reDpuyde6PbWyktj7CDVbYkt27DGEj2yQonfYKjJeL2RfgITOg
+            cl/bF9CruGdyq0iL7Zgpz+BlNOIRQpEaYKJqkZes+aS/fyKnPUFaBV9DHAjCNEZT
-            7433ZM9Sz54ZOEsBmw3ELaVRKu5CPIyBY1o2+JSBdxLSP2OCGRE6/GVzmJC4ryyM
+            xwBxZIRXSxNx9JAmrpzO+0QLOS1G4N/Yk0sEnmjFZBW+ajplSh+2ZXVoiV86iBYA
-            LNQ3UCoXS4YpuBbZUuI6yUt+4VRYBFDUiyZaJJA22A8Yr9DVxJfZGjpb4q30HdWF
+            /QjcB/I6sjT1dEvEc5qatrxjEgA9mSIco302o2JRzLv5PnB6QN1Gr9NBPitz7eaF
-            AgwDC9FRLmchgYQBEADCC8VMLPXd7doX5JSXrGa5QY54QUP3HlzGX8hbJ9XUx/yB
+            AgwDC9FRLmchgYQBD/wJUf+LJKZAHI+Zeh4afS2xlfLXRZ+pTlScdBIaX0ZtAxwH
-            eXfl5FdqGQZ/dfb5T+rYH/7pSYt+6nBaJ6GeuVQOT+MWhSXqZRt/LVkHHHpwQl6X
+            mmBfmRdCY+xR7Bx4qYZrHhWeE13Q1qCvSsNuIPU3L3vHtdkxpr52Vt4NUFZ1DP3G
-            u3aNHcNmuS2LrTN/U+isWGamTUEokIxoNU+GZxmV4HlWLR7I9k8BlFO3PDpJ952s
+            D3dMqHulpqrxvw0iMDrIsKJveNkGqojwPtZr2ougr/CguQ/HiH4Lm2QUaf3UzExm
-            sRxX6gWk7JS28GKo1IozMsncoryH4Ry/vjCCHos4Vm99BkkxrlSrO2MyRXiEmXPU
+            di75yiTpjW3ifOvCwBUErkdOozL6HxrWH2bQn8f0qElsmryF4RJ1ve7x9Am5L16s
-            AiiydYDBHRrMWxDkRy1nlkdh7ikNeV92bAqBQmbKQyams0z96BDnAYQ7e1gUX/gb
+            zP7cxZv/s3sNH17i9PgqjytSdoKrv3KIGMxnV1rasWNnUYTkO7KZPMkeFsZQX14Z
-            yB2m+YLuZZK15aFoy8Kq+bY9gQltRVJF2RrgEr3aNm3TOAsSx6Mu6EfRq4MfG569
+            2OtIpYZs0UFvwsfwd3J8KAexwocF8lUS0CrgPeNQUzn+I44vQtMMd4Aoia5ULrU4
-            TlWDHEmf7+imSqFV6UVN3x7Jcbks6lkTHFNctofZHYpcLmq79FhbdpRTLhXLDrOZ
+            ClLn1KtOrLFBSkzytrcyjTORLANdYix6lGEgZtC75ICjzDRayivtO8XrO1xbzFjT
-            cXYDtkjyRgBYIcjzj7Rf+6Ve/XLfdTRmqX+o11Iaqp95mRqHenm4qdsBw8FK2/Cq
+            hZsoJjpd35sIkVczr/joCq1jP6aKMyKEzunvUufw9wMCiIgwgY4htrE3BoPAP0v1
-            FvlUz+Ms4C+xAWS9tIagKYyJkoH9ZJqqaTfq/c6o2SJlsd6jJ9eNyhKHmgy0vCBQ
+            ZE1ToX3OAniY3iSfyVCCm4bVNoOKU5iXD9UpV8DV+AZOQaYZyUzBnvstBGigHxKW
-            u1ulEl84jZcSZl7XoMTC+HLWAM0T9AGPXenAg8+sMxl6Ck2rduv6CIyHzFqGrqTt
+            TckIvX3esXq1MADETFmm8kzzyDaKbPm6tRii/04CT/lXjSJiOFbJlCkGZaBbAIOJ
-            90sZkkW2DQFOrkaSeu48in42L1Rc88aRSsVc3Z4ID7z1XC7sAlJGgOn/Ua2j6dJe
+            q/WSa1Z0hfoHz/BdNqelkmKjsrsmS4nJlGL6ereGmByu+lL2z2IN4M81Jpk/qdJe
-            AbCP+ritlU21urp0OHdrefGazJvHYURTTR+s2NwoeeHaoTgDU7Gf0ddSaYyzqaB8
+            AUSIVKQhAIS1N6qLzNTz1GtnI1NDFozEP3bXEhdN7KZVp/ivv/na5pzSHnvPodK0
-            LfkLAdMXXBWGCLWNVg5vCBRwZIImuQz67DZSSR1Dulz4Fy+WNSAC0m5AGBKtnQ==
+            hPtNU4gLlKqaQ9FczVc0t1rBxFz16rNCn6EvsE35bMQe4l8jydls49UJsQZyAw==
-            =dcOv
+            =gZNd
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted