feat: prepare sync for kanidm

2025-12-06 09:07:21 +01:00 · 2025-06-09 16:21:56 +02:00 · 2025-06-09 16:21:56 +02:00 · 6de42365be
commit 6de42365be
parent f87164088f
9 changed files with 899 additions and 366 deletions
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@ -1268,12 +1268,18 @@ This machine mainly acts as an external sync helper. It manages the following th
  All of these are processes that use little cpu but can take a lot of storage. For this I use a free Ampere instance from OCI with 50G of space. In case my account gets terminated, all of this data is easily replaceable or backed up regularly anyways.
 #+begin_src nix :tangle hosts/nixos/sync/default.nix
-  { lib, primaryUser, ... }:
+  { lib, primaryUser, inputs, ... }:
  let
    sharedOptions = {
      isBtrfs = false;
      isLinux = true;
    };
    secretsDirectory = builtins.toString inputs.nix-secrets;
    workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname";
    dev1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev1";
    dev2 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev2";
    dev3 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev3";
    loc1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/loc1";
  in
  {
    imports = [
@ -1296,7 +1302,7 @@ This machine mainly acts as an external sync helper. It manages the following th
      enableIPv6 = false;
      domain = "subnet03112148.vcn03112148.oraclevcn.com";
      firewall = {
-        allowedTCPPorts = [ 8384 22000 ];
+        allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ];
        allowedUDPPorts = [ 21027 22000 ];
        extraCommands = ''
          iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
@ -1312,7 +1318,7 @@ This machine mainly acts as an external sync helper. It manages the following th
      };
    };
-    system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
+    system.stateVersion = "23.11";
    services = {
      nginx = {
@ -1333,11 +1339,83 @@ This machine mainly acts as an external sync helper. It manages the following th
        };
      };
      # do not manage OCI syncthing through nix config
      syncthing = {
        enable = true;
        guiAddress = "0.0.0.0:8384";
        openDefaultPorts = true;
        relay.enable = false;
        settings = {
          urAccepted = -1;
          devices = {
            "magicant" = {
              id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
            };
            "winters" = {
              id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
            };
            "${workHostName}" = {
              id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
            };
            "${dev1}" = {
              id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
            };
            "${dev2}" = {
              id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
            };
            "${dev3}" = {
              id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
            };
          };
          folders = {
            "Default Folder" = lib.mkForce {
              path = "/var/lib/syncthing/Sync";
              type = "receiveonly";
              versioning = null;
              devices = [ "winters" "magicant" "${workHostName}" ];
              id = "default";
            };
            "Obsidian" = {
              path = "/var/lib/syncthing/Obsidian";
              type = "receiveonly";
              versioning = {
                type = "simple";
               params.keep = "5";
              };
              devices = [ "winters" "magicant" "${workHostName}" ];
              id = "yjvni-9eaa7";
            };
            "Org" = {
              path = "/var/lib/syncthing/Org";
              type = "receiveonly";
              versioning = {
                type = "simple";
                params.keep = "5";
              };
              devices = [ "winters" "magicant" "${workHostName}" ];
              id = "a7xnl-zjj3d";
            };
            "Vpn" = {
              path = "/var/lib/syncthing/Vpn";
              type = "receiveonly";
              versioning = {
                type = "simple";
                params.keep = "5";
              };
              devices = [ "winters" "magicant" "${workHostName}" ];
              id = "hgp9s-fyq3p";
            };
            "${loc1}" = {
              path = "/var/lib/syncthing/${loc1}";
              type = "receiveonly";
              versioning = {
                type = "simple";
                params.keep = "3";
              };
              devices = [ dev1 dev2 dev3 ];
              id = "5gsxv-rzzst";
            };
          };
        };
      };
    };
@ -2993,6 +3071,9 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
      rm modules/home/common/yubikey.nix
      rm modules/nixos/server/restic.nix
      rm modules/nixos/common/home-manager-extra.nix
      rm hosts/nixos/sync/default.nix
      rm -rf modules/nixos/server
      rm -rf modules/home/server
      nix flake update vbc-nix
      git add .
  else
@ -3025,16 +3106,16 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
 Autoformatting always puts the =EOF= with indentation, which makes shfmt check fail. When editing this block, unindent them manually.
 #+begin_src shell :tangle scripts/swarsel-install.sh
-set -eo pipefail
+  set -eo pipefail
-target_config="chaostheatre"
+  target_config="chaostheatre"
-target_hostname="chaostheatre"
+  target_hostname="chaostheatre"
-target_user="swarsel"
+  target_user="swarsel"
-persist_dir=""
+  persist_dir=""
-target_disk="/dev/vda"
+  target_disk="/dev/vda"
-disk_encryption=0
+  disk_encryption=0
-function help_and_exit() {
+  function help_and_exit() {
      echo
      echo "Locally installs SwarselSystem on this machine."
      echo
@ -3049,28 +3130,28 @@ function help_and_exit() {
      echo "                                          Default: swarsel"
      echo "  -h | --help                             Print this help."
      exit 0
-}
+  }
-function red() {
+  function red() {
      echo -e "\x1B[31m[!] $1 \x1B[0m"
      if [ -n "${2-}" ]; then
          echo -e "\x1B[31m[!] $($2) \x1B[0m"
      fi
-}
+  }
-function green() {
+  function green() {
      echo -e "\x1B[32m[+] $1 \x1B[0m"
      if [ -n "${2-}" ]; then
          echo -e "\x1B[32m[+] $($2) \x1B[0m"
      fi
-}
+  }
-function yellow() {
+  function yellow() {
      echo -e "\x1B[33m[*] $1 \x1B[0m"
      if [ -n "${2-}" ]; then
          echo -e "\x1B[33m[*] $($2) \x1B[0m"
      fi
-}
+  }
-while [[ $# -gt 0 ]]; do
+  while [[ $# -gt 0 ]]; do
      case "$1" in
      -n)
          shift
@ -3092,31 +3173,31 @@ while [[ $# -gt 0 ]]; do
          ;;
      esac
      shift
-done
+  done
-function cleanup() {
+  function cleanup() {
      sudo rm -rf .cache/nix
      sudo rm -rf /root/.cache/nix
-}
+  }
-trap cleanup exit
+  trap cleanup exit
-green "~SwarselSystems~ local installer"
+  green "~SwarselSystems~ local installer"
-cd /home/"$target_user"
+  cd /home/"$target_user"
-sudo rm -rf /root/.cache/nix
+  sudo rm -rf /root/.cache/nix
-sudo rm -rf .cache/nix
+  sudo rm -rf .cache/nix
-sudo rm -rf .dotfiles
+  sudo rm -rf .dotfiles
-green "Cloning repository from GitHub"
+  green "Cloning repository from GitHub"
-git clone https://github.com/Swarsel/.dotfiles.git
+  git clone https://github.com/Swarsel/.dotfiles.git
-local_keys=$(ssh-add -L || true)
+  local_keys=$(ssh-add -L || true)
-pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
+  pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
-read -ra pub_arr <<< "$pub_key"
+  read -ra pub_arr <<< "$pub_key"
-cd .dotfiles
+  cd .dotfiles
-if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
+  if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
      yellow "The ssh key for this configuration is not available."
      green "Adjusting flake.nix so that the configuration is buildable ..."
      sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
@ -3129,6 +3210,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
      rm modules/home/common/yubikey.nix
      rm modules/nixos/server/restic.nix
      rm modules/nixos/common/home-manager-extra.nix
      rm hosts/nixos/sync/default.nix
      rm -rf modules/nixos/server
      rm -rf modules/home/server
      cat > hosts/nixos/chaostheatre/options.nix << EOF
@ -3142,7 +3224,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
              };
            };
          }
-EOF
+  EOF
      cat > hosts/nixos/chaostheatre/options-home.nix << EOF
          { self, lib, ... }:
          {
@ -3158,50 +3240,50 @@ EOF
            };
          };
          }
-EOF
+  EOF
      nix flake update vbc-nix
      git add .
-else
+  else
      green "Valid SSH key found! Continuing with installation"
-fi
+  fi
-green "Reading system information for $target_config ..."
+  green "Reading system information for $target_config ..."
-DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"
+  DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"
-green "Root Disk in config: $DISK - Root Disk passed in cli: $target_disk"
+  green "Root Disk in config: $DISK - Root Disk passed in cli: $target_disk"
-CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)"
+  CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)"
-if [[ $CRYPTED == "true" ]]; then
+  if [[ $CRYPTED == "true" ]]; then
      green "Encryption: ✓"
      disk_encryption=1
-else
+  else
      red "Encryption: X"
      disk_encryption=0
-fi
+  fi
-IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)"
+  IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)"
-if [[ $IMPERMANENCE == "true" ]]; then
+  if [[ $IMPERMANENCE == "true" ]]; then
      green "Impermanence: ✓"
      persist_dir="/persist"
-else
+  else
      red "Impermanence: X"
      persist_dir=""
-fi
+  fi
-SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)"
+  SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)"
-if [[ $SWAP == "true" ]]; then
+  if [[ $SWAP == "true" ]]; then
      green "Swap: ✓"
-else
+  else
      red "Swap: X"
-fi
+  fi
-SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
+  SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
-if [[ $SECUREBOOT == "true" ]]; then
+  if [[ $SECUREBOOT == "true" ]]; then
      green "Secure Boot: ✓"
-else
+  else
      red "Secure Boot: X"
-fi
+  fi
-if [ "$disk_encryption" -eq 1 ]; then
+  if [ "$disk_encryption" -eq 1 ]; then
      while true; do
          green "Set disk encryption passphrase:"
          read -rs luks_passphrase
@ -3214,30 +3296,30 @@ if [ "$disk_encryption" -eq 1 ]; then
              red "Passwords do not match"
          fi
      done
-fi
+  fi
-green "Setting up disk ..."
+  green "Setting up disk ..."
-if [[ $target_config == "chaostheatre" ]]; then
+  if [[ $target_config == "chaostheatre" ]]; then
      sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/v1.10.0 -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks --arg diskDevice "$target_disk"
-else
+  else
      sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks
-fi
+  fi
-sudo mkdir -p /mnt/"$persist_dir"/home/"$target_user"/
+  sudo mkdir -p /mnt/"$persist_dir"/home/"$target_user"/
-sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user"/
+  sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user"/
-sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user"
+  sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user"
-green "Generating hardware configuration ..."
+  green "Generating hardware configuration ..."
-sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/
+  sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/
-green "Injecting initialSetup ..."
+  green "Injecting initialSetup ..."
-sudo sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
+  sudo sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
-git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
+  git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
-sudo mkdir -p /root/.local/share/nix/
+  sudo mkdir -p /root/.local/share/nix/
-printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null
+  printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null
-green "Installing flake $target_config"
+  green "Installing flake $target_config"
-sudo nixos-install --flake .#"$target_config"
+  sudo nixos-install --flake .#"$target_config"
-green "Installation finished! Reboot to see changes"
+  green "Installation finished! Reboot to see changes"
 #+end_src
@ -8177,15 +8259,36 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
 :END:
 #+begin_src nix :tangle modules/nixos/server/forgejo.nix
-  { lib, config, ... }:
+  { lib, config, pkgs, ... }:
  let
    forgejoDomain = "swagit.swarsel.win";
  in
  {
    options.swarselsystems.modules.server.forgejo = lib.mkEnableOption "enable forgejo on server";
    config = lib.mkIf config.swarselsystems.modules.server.forgejo {
      networking.firewall.allowedTCPPorts = [ 3000 ];
      users.users.forgejo = {
        group = "forgejo";
        isSystemUser = true;
      };
      users.groups.forgejo = { };
      sops.secrets = {
        kanidm-forgejo-client = {
          owner = "forgejo";
          group = "forgejo";
          mode = "440";
        };
      };
      services.forgejo = {
        enable = true;
        user = "forgejo";
        group = "forgejo";
        lfs.enable = lib.mkDefault true;
        settings = {
          DEFAULT = {
            APP_NAME = "~SwaGit~";
@ -8194,15 +8297,90 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as
            PROTOCOL = "http";
            HTTP_PORT = 3000;
            HTTP_ADDR = "0.0.0.0";
-            DOMAIN = "swagit.swarsel.win";
+            DOMAIN = forgejoDomain;
-            ROOT_URL = "https://swagit.swarsel.win";
+            ROOT_URL = "https://${forgejoDomain}";
          };
          # federation.ENABLED = true;
          service = {
-            DISABLE_REGISTRATION = true;
+            DISABLE_REGISTRATION = false;
            ALLOW_ONLY_INTERNAL_REGISTRATION = false;
            ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
            SHOW_REGISTRATION_BUTTON = false;
          };
          session.COOKIE_SECURE = true;
          oauth2_client = {
            # Never use auto account linking with this, otherwise users cannot change
            # their new user name and they could potentially overtake other users accounts
            # by setting their email address to an existing account.
            # With "login" linking the user must choose a non-existing username first or login
            # with the existing account to link.
            ACCOUNT_LINKING = "login";
            USERNAME = "nickname";
            # This does not mean that you cannot register via oauth, but just that there should
            # be a confirmation dialog shown to the user before the account is actually created.
            # This dialog allows changing user name and email address before creating the account.
            ENABLE_AUTO_REGISTRATION = false;
            REGISTER_EMAIL_CONFIRM = false;
            UPDATE_AVATAR = true;
          };
        };
      };
      systemd.services.forgejo = {
        serviceConfig.RestartSec = "60"; # Retry every minute
        preStart =
          let
            exe = lib.getExe config.services.forgejo.package;
            providerName = "kanidm";
            clientId = "forgejo";
            args = lib.escapeShellArgs (
              lib.concatLists [
                [
                  "--name"
                  providerName
                ]
                [
                  "--provider"
                  "openidConnect"
                ]
                [
                  "--key"
                  clientId
                ]
                [
                  "--auto-discover-url"
                  "https://sso.swarsel.win/oauth2/openid/${clientId}/.well-known/openid-configuration"
                ]
                [
                  "--scopes"
                  "email"
                ]
                [
                  "--scopes"
                  "profile"
                ]
                [
                  "--group-claim-name"
                  "groups"
                ]
                [
                  "--admin-group"
                  "admin"
                ]
                [ "--skip-local-2fa" ]
              ]
            );
          in
          lib.mkAfter ''
            provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
            SECRET="$(< ${config.sops.secrets.kanidm-forgejo-client.path})"
            if [[ -z "$provider_id" ]]; then
              ${exe} admin auth add-oauth ${args} --secret "$SECRET"
            else
              ${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
            fi
          '';
      };
      services.nginx = {
        virtualHosts = {
--- a/flake.lock
+++ b/flake.lock
@ -801,10 +801,10 @@
    "nix-secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1748102838,
+        "lastModified": 1749481004,
-        "narHash": "sha256-o8ACYonrWdDSbb30v1xUhl8BuYuLJsAYH9VMRJ/HSKY=",
+        "narHash": "sha256-UmA5Dx+tzYXaqPMtKucijTwV7l+U2/+fD0Twb/edcxY=",
        "ref": "main",
-        "rev": "3c3d7b593f4b295a1cdf8c4448b4c7ff6c5614ab",
+        "rev": "f7e7b03ea03dbfc8471689f0ba7a7221240e93df",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@github.com/Swarsel/nix-secrets.git"
--- a/hosts/nixos/sync/default.nix
+++ b/hosts/nixos/sync/default.nix
@ -1,9 +1,15 @@
-{ lib, primaryUser, ... }:
+{ lib, primaryUser, inputs, ... }:
 let
  sharedOptions = {
    isBtrfs = false;
    isLinux = true;
  };
  secretsDirectory = builtins.toString inputs.nix-secrets;
  workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname";
  dev1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev1";
  dev2 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev2";
  dev3 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev3";
  loc1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/loc1";
 in
 {
  imports = [
@ -26,7 +32,7 @@ in
    enableIPv6 = false;
    domain = "subnet03112148.vcn03112148.oraclevcn.com";
    firewall = {
-      allowedTCPPorts = [ 8384 22000 ];
+      allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ];
      allowedUDPPorts = [ 21027 22000 ];
      extraCommands = ''
        iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
@ -42,7 +48,7 @@ in
    };
  };
-  system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
+  system.stateVersion = "23.11";
  services = {
    nginx = {
@ -63,11 +69,83 @@ in
      };
    };
    # do not manage OCI syncthing through nix config
    syncthing = {
      enable = true;
      guiAddress = "0.0.0.0:8384";
      openDefaultPorts = true;
      relay.enable = false;
      settings = {
        urAccepted = -1;
        devices = {
          "magicant" = {
            id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
          };
          "winters" = {
            id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
          };
          "${workHostName}" = {
            id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
          };
          "${dev1}" = {
            id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
          };
          "${dev2}" = {
            id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
          };
          "${dev3}" = {
            id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
          };
        };
        folders = {
          "Default Folder" = lib.mkForce {
            path = "/var/lib/syncthing/Sync";
            type = "receiveonly";
            versioning = null;
            devices = [ "winters" "magicant" "${workHostName}" ];
            id = "default";
          };
          "Obsidian" = {
            path = "/var/lib/syncthing/Obsidian";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "winters" "magicant" "${workHostName}" ];
            id = "yjvni-9eaa7";
          };
          "Org" = {
            path = "/var/lib/syncthing/Org";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "winters" "magicant" "${workHostName}" ];
            id = "a7xnl-zjj3d";
          };
          "Vpn" = {
            path = "/var/lib/syncthing/Vpn";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "winters" "magicant" "${workHostName}" ];
            id = "hgp9s-fyq3p";
          };
          "${loc1}" = {
            path = "/var/lib/syncthing/${loc1}";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "3";
            };
            devices = [ dev1 dev2 dev3 ];
            id = "5gsxv-rzzst";
          };
        };
      };
    };
  };
--- a/index.html
+++ b/index.html
@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-06-09 Mo 12:45 -->
+<!-- 2025-06-09 Mo 17:08 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configuration</title>
@ -263,9 +263,9 @@
 <li><a href="#h:7056b9a0-f38b-4bca-b2ba-ab34e2d73493">3.1.4.3. Home-manager only (default non-NixOS)</a></li>
 <li><a href="#h:e1498bef-ec67-483d-bf02-76264e30be8e">3.1.4.4. ChaosTheatre (Demo Physical/VM)</a>
 <ul>
-<li><a href="#org9b449ff">3.1.4.4.1. Main configuration</a></li>
+<li><a href="#orgb5b92fc">3.1.4.4.1. Main configuration</a></li>
-<li><a href="#org10cff1b">3.1.4.4.2. NixOS dummy options configuration</a></li>
+<li><a href="#org032ef4c">3.1.4.4.2. NixOS dummy options configuration</a></li>
-<li><a href="#org0c539d3">3.1.4.4.3. home-manager dummy options configuration</a></li>
+<li><a href="#orgec2d48a">3.1.4.4.3. home-manager dummy options configuration</a></li>
 </ul>
 </li>
 </ul>
@ -305,7 +305,7 @@
 <li><a href="#h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0">3.2.1.27. fhs</a></li>
 <li><a href="#h:814d5e7f-4b95-412d-b246-33f888514ec6">3.2.1.28. swarsel-displaypower</a></li>
 <li><a href="#h:799579f3-ddd3-4f76-928a-a8c665980476">3.2.1.29. swarsel-mgba</a></li>
-<li><a href="#orgda3c026">3.2.1.30. sshrm</a></li>
+<li><a href="#org6b9dc3c">3.2.1.30. sshrm</a></li>
 </ul>
 </li>
 <li><a href="#h:5e3e21e0-57af-4dad-b32f-6400af9b7aab">3.2.2. Overlays (additions, overrides, nixpkgs-stable)</a></li>
@ -313,28 +313,28 @@
 <ul>
 <li><a href="#h:14e68518-8ec7-48ec-b208-0e3d6d49954d">3.2.3.1. NixOS</a>
 <ul>
-<li><a href="#org9037d50">3.2.3.1.1. Personal</a></li>
+<li><a href="#org53f5876">3.2.3.1.1. Personal</a></li>
-<li><a href="#org4d186bc">3.2.3.1.2. Chaostheatre</a></li>
+<li><a href="#org44169ea">3.2.3.1.2. Chaostheatre</a></li>
-<li><a href="#orgb6e7397">3.2.3.1.3. toto</a></li>
+<li><a href="#org8b41d78">3.2.3.1.3. toto</a></li>
-<li><a href="#orgb297f59">3.2.3.1.4. Work</a></li>
+<li><a href="#orge60d201">3.2.3.1.4. Work</a></li>
-<li><a href="#org2faed76">3.2.3.1.5. Framework</a></li>
+<li><a href="#orgb32df32">3.2.3.1.5. Framework</a></li>
-<li><a href="#org9900420">3.2.3.1.6. AMD CPU</a></li>
+<li><a href="#orgf3d0cfc">3.2.3.1.6. AMD CPU</a></li>
-<li><a href="#org895cc35">3.2.3.1.7. AMD GPU</a></li>
+<li><a href="#org52e2e23">3.2.3.1.7. AMD GPU</a></li>
-<li><a href="#org39be1cf">3.2.3.1.8. Hibernation</a></li>
+<li><a href="#org7ddd595">3.2.3.1.8. Hibernation</a></li>
-<li><a href="#org7672d00">3.2.3.1.9. BTRFS</a></li>
+<li><a href="#org74514a8">3.2.3.1.9. BTRFS</a></li>
-<li><a href="#org1bda8d7">3.2.3.1.10. Local Server</a></li>
+<li><a href="#org57a3717">3.2.3.1.10. Local Server</a></li>
-<li><a href="#org17d23c6">3.2.3.1.11. OCI Sync Server</a></li>
+<li><a href="#org5e31399">3.2.3.1.11. OCI Sync Server</a></li>
 </ul>
 </li>
 <li><a href="#h:ced5841f-c088-4d88-b3a1-7d62aad8837b">3.2.3.2. home-manager</a>
 <ul>
-<li><a href="#org47e7345">3.2.3.2.1. Personal</a></li>
+<li><a href="#org58e393c">3.2.3.2.1. Personal</a></li>
-<li><a href="#orgcc5e0f5">3.2.3.2.2. Chaostheatre</a></li>
+<li><a href="#orgd007c2a">3.2.3.2.2. Chaostheatre</a></li>
-<li><a href="#org3185dd7">3.2.3.2.3. toto</a></li>
+<li><a href="#org8f1c8da">3.2.3.2.3. toto</a></li>
-<li><a href="#org061d35f">3.2.3.2.4. Work</a></li>
+<li><a href="#org656b75a">3.2.3.2.4. Work</a></li>
-<li><a href="#org367969f">3.2.3.2.5. Framework</a></li>
+<li><a href="#org005530c">3.2.3.2.5. Framework</a></li>
-<li><a href="#org19a7899">3.2.3.2.6. Darwin</a></li>
+<li><a href="#orgfffaea3">3.2.3.2.6. Darwin</a></li>
-<li><a href="#org22458da">3.2.3.2.7. Local Server</a></li>
+<li><a href="#org08ab54d">3.2.3.2.7. Local Server</a></li>
 </ul>
 </li>
 </ul>
@ -379,7 +379,7 @@
 <li><a href="#h:f101daa2-604d-4553-99e2-f64b9c207f51">3.3.1.22.3. enable GVfs</a></li>
 <li><a href="#h:08d213d5-a9f4-4309-8635-ba557b01dc7d">3.3.1.22.4. interception-tools: Make CAPS work as ESC/CTRL</a></li>
 <li><a href="#h:82fbba41-3a46-4db7-aade-49e4c23fc475">3.3.1.22.5. power-profiles-daemon</a></li>
-<li><a href="#org8e440af">3.3.1.22.6. SwayOSD</a></li>
+<li><a href="#org6e7eb02">3.3.1.22.6. SwayOSD</a></li>
 </ul>
 </li>
 <li><a href="#h:7a89b5e3-b700-4167-8b14-2b8172f33936">3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules</a>
@ -431,7 +431,7 @@
 <li><a href="#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d">3.3.2.24. FreshRSS</a></li>
 <li><a href="#h:a9965660-4358-4b9a-8c46-d55f28598344">3.3.2.25. forgejo (git server)</a></li>
 <li><a href="#h:cb3f6552-7751-4f9a-b4c7-8d8ba5b255c4">3.3.2.26. Anki Sync Server</a></li>
-<li><a href="#orgeb2a887">3.3.2.27. kanidm</a></li>
+<li><a href="#org7da46bd">3.3.2.27. kanidm</a></li>
 </ul>
 </li>
 <li><a href="#h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47">3.3.3. Darwin</a>
@ -446,11 +446,11 @@
 <li><a href="#h:34db28fb-62f7-4597-a9ff-0de2991a8415">3.3.4.3. VmWare</a></li>
 <li><a href="#h:fa8d9ec4-3e22-458a-9239-859cffe7f55c">3.3.4.4. Auto-login</a></li>
 <li><a href="#h:5c41c4ee-22ca-405b-9e4f-cc4051634edd">3.3.4.5. nswitch-rcm</a></li>
-<li><a href="#org2fd6795">3.3.4.6. Framework</a></li>
+<li><a href="#org9051388">3.3.4.6. Framework</a></li>
-<li><a href="#org28eaeed">3.3.4.7. AMD CPU</a></li>
+<li><a href="#orgf5515d6">3.3.4.7. AMD CPU</a></li>
-<li><a href="#org4c4411c">3.3.4.8. AMD GPU</a></li>
+<li><a href="#orgdccdfcb">3.3.4.8. AMD GPU</a></li>
-<li><a href="#org8338221">3.3.4.9. Hibernation</a></li>
+<li><a href="#org8e91a13">3.3.4.9. Hibernation</a></li>
-<li><a href="#org952308a">3.3.4.10. BTRFS</a></li>
+<li><a href="#org9ed2a08">3.3.4.10. BTRFS</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.3.4.11. work</a></li>
 <li><a href="#h:3fc1d301-7bae-4678-9085-d12c23eed8ac">3.3.4.12. Minimal Install</a></li>
 </ul>
@ -499,7 +499,7 @@
 <li><a href="#h:cb812c8a-247c-4ce5-a00c-59332c2f5fb9">3.4.1.29.1. gnome-keyring</a></li>
 <li><a href="#h:be6afd89-9e1e-40b6-8542-5c07a0ab780d">3.4.1.29.2. KDE Connect</a></li>
 <li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.4.1.29.3. Mako</a></li>
-<li><a href="#org978f035">3.4.1.29.4. SwayOSD</a></li>
+<li><a href="#org7ceedd9">3.4.1.29.4. SwayOSD</a></li>
 <li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.4.1.29.5. yubikey-touch-detector</a></li>
 </ul>
 </li>
@ -524,7 +524,7 @@
 <ul>
 <li><a href="#h:84fd7029-ecb6-4131-9333-289982f24ffa">3.4.4.1. Gaming</a></li>
 <li><a href="#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">3.4.4.2. Work</a></li>
-<li><a href="#orgeba9bdf">3.4.4.3. Framework</a></li>
+<li><a href="#org9156d19">3.4.4.3. Framework</a></li>
 </ul>
 </li>
 </ul>
@ -702,7 +702,7 @@
 <ul>
 <li><a href="#h:c1e53aed-fb47-4aff-930c-dc52f3c5dcb8">6.1. Server Emacs config</a></li>
 <li><a href="#h:fc64f42f-e7cf-4829-89f6-2d0d58e04f51">6.2. tridactylrc</a></li>
-<li><a href="#org47034b7">6.3. tridactyl theme</a></li>
+<li><a href="#org8338b01">6.3. tridactyl theme</a></li>
 <li><a href="#h:77b1c523-5074-4610-b320-90af95e6134d">6.4. Waybar style.css</a></li>
 <li><a href="#h:788937cf-8816-466b-8e57-1b695cb50f52">6.5. justfile</a></li>
 </ul>
@ -711,7 +711,7 @@
 </div>
 </div>
 <p>
-<b>This file has 63503 words spanning 16708 lines and was last revised on 2025-06-09 12:45:18 +0200.</b>
+<b>This file has 64040 words spanning 16886 lines and was last revised on 2025-06-09 17:08:15 +0200.</b>
 </p>
 <p>
@ -764,7 +764,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 12:45:18 +0200)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 17:08:15 +0200)
 </p></li>
 </ul>
@ -2247,12 +2247,18 @@ All of these are processes that use little cpu but can take a lot of storage. Fo
 </ul>
 <div class="org-src-container">
-<pre class="src src-nix">{ lib, primaryUser, ... }:
+<pre class="src src-nix">{ lib, primaryUser, inputs, ... }:
 let
  sharedOptions = {
    isBtrfs = false;
    isLinux = true;
  };
  secretsDirectory = builtins.toString inputs.nix-secrets;
  workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname";
  dev1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev1";
  dev2 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev2";
  dev3 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev3";
  loc1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/loc1";
 in
 {
  imports = [
@ -2275,7 +2281,7 @@ in
    enableIPv6 = false;
    domain = "subnet03112148.vcn03112148.oraclevcn.com";
    firewall = {
-      allowedTCPPorts = [ 8384 22000 ];
+      allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ];
      allowedUDPPorts = [ 21027 22000 ];
      extraCommands = ''
        iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
@ -2291,7 +2297,7 @@ in
    };
  };
-  system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
+  system.stateVersion = "23.11";
  services = {
    nginx = {
@ -2312,11 +2318,83 @@ in
      };
    };
    # do not manage OCI syncthing through nix config
    syncthing = {
      enable = true;
      guiAddress = "0.0.0.0:8384";
      openDefaultPorts = true;
      relay.enable = false;
      settings = {
        urAccepted = -1;
        devices = {
          "magicant" = {
            id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
          };
          "winters" = {
            id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
          };
          "${workHostName}" = {
            id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
          };
          "${dev1}" = {
            id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
          };
          "${dev2}" = {
            id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
          };
          "${dev3}" = {
            id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
          };
        };
        folders = {
          "Default Folder" = lib.mkForce {
            path = "/var/lib/syncthing/Sync";
            type = "receiveonly";
            versioning = null;
            devices = [ "winters" "magicant" "${workHostName}" ];
            id = "default";
          };
          "Obsidian" = {
            path = "/var/lib/syncthing/Obsidian";
            type = "receiveonly";
            versioning = {
              type = "simple";
             params.keep = "5";
            };
            devices = [ "winters" "magicant" "${workHostName}" ];
            id = "yjvni-9eaa7";
          };
          "Org" = {
            path = "/var/lib/syncthing/Org";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "winters" "magicant" "${workHostName}" ];
            id = "a7xnl-zjj3d";
          };
          "Vpn" = {
            path = "/var/lib/syncthing/Vpn";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "5";
            };
            devices = [ "winters" "magicant" "${workHostName}" ];
            id = "hgp9s-fyq3p";
          };
          "${loc1}" = {
            path = "/var/lib/syncthing/${loc1}";
            type = "receiveonly";
            versioning = {
              type = "simple";
              params.keep = "3";
            };
            devices = [ dev1 dev2 dev3 ];
            id = "5gsxv-rzzst";
          };
        };
      };
    };
  };
@ -2803,8 +2881,8 @@ This is just a demo host. It applies all the configuration found in the common p
 I also set the <code>WLR_RENDERER_ALLOW_SOFTWARE=1</code> to allow this configuration to run in a virtualized environment. I also enable <code>qemuGuest</code> for a smoother experience when testing on QEMU.
 </p>
 </div>
-<div id="outline-container-org9b449ff" class="outline-6">
+<div id="outline-container-orgb5b92fc" class="outline-6">
-<h6 id="org9b449ff"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
+<h6 id="orgb5b92fc"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ self, inputs, config, pkgs, lib, primaryUser, ... }:
@ -2883,8 +2961,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org10cff1b" class="outline-6">
+<div id="outline-container-org032ef4c" class="outline-6">
-<h6 id="org10cff1b"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
+<h6 id="org032ef4c"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-2">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@ -2894,8 +2972,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org0c539d3" class="outline-6">
+<div id="outline-container-orgec2d48a" class="outline-6">
-<h6 id="org0c539d3"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
+<h6 id="orgec2d48a"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-3">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@ -4054,6 +4132,9 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
    rm modules/home/common/yubikey.nix
    rm modules/nixos/server/restic.nix
    rm modules/nixos/common/home-manager-extra.nix
    rm hosts/nixos/sync/default.nix
    rm -rf modules/nixos/server
    rm -rf modules/home/server
    nix flake update vbc-nix
    git add .
 else
@ -4193,6 +4274,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
    rm modules/home/common/yubikey.nix
    rm modules/nixos/server/restic.nix
    rm modules/nixos/common/home-manager-extra.nix
    rm hosts/nixos/sync/default.nix
    rm -rf modules/nixos/server
    rm -rf modules/home/server
    cat &gt; hosts/nixos/chaostheatre/options.nix &lt;&lt; EOF
@ -4672,8 +4754,8 @@ appimageTools.wrapType2 {
 </div>
 </div>
 </div>
-<div id="outline-container-orgda3c026" class="outline-5">
+<div id="outline-container-org6b9dc3c" class="outline-5">
-<h5 id="orgda3c026"><span class="section-number-5">3.2.1.30.</span> sshrm</h5>
+<h5 id="org6b9dc3c"><span class="section-number-5">3.2.1.30.</span> sshrm</h5>
 <div class="outline-text-5" id="text-3-2-1-30">
 <p>
 This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually.
@ -4830,8 +4912,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-org9037d50" class="outline-6">
+<div id="outline-container-org53f5876" class="outline-6">
-<h6 id="org9037d50"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
+<h6 id="org53f5876"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-1-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -4898,8 +4980,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org4d186bc" class="outline-6">
+<div id="outline-container-org44169ea" class="outline-6">
-<h6 id="org4d186bc"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
+<h6 id="org44169ea"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-1-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -4963,8 +5045,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgb6e7397" class="outline-6">
+<div id="outline-container-org8b41d78" class="outline-6">
-<h6 id="orgb6e7397"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
+<h6 id="org8b41d78"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-1-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -4996,8 +5078,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgb297f59" class="outline-6">
+<div id="outline-container-orge60d201" class="outline-6">
-<h6 id="orgb297f59"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
+<h6 id="orge60d201"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-1-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5018,8 +5100,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org2faed76" class="outline-6">
+<div id="outline-container-orgb32df32" class="outline-6">
-<h6 id="org2faed76"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
+<h6 id="orgb32df32"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-1-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5040,8 +5122,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org9900420" class="outline-6">
+<div id="outline-container-orgf3d0cfc" class="outline-6">
-<h6 id="org9900420"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
+<h6 id="orgf3d0cfc"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5062,8 +5144,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org895cc35" class="outline-6">
+<div id="outline-container-org52e2e23" class="outline-6">
-<h6 id="org895cc35"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
+<h6 id="org52e2e23"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5084,8 +5166,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org39be1cf" class="outline-6">
+<div id="outline-container-org7ddd595" class="outline-6">
-<h6 id="org39be1cf"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
+<h6 id="org7ddd595"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
 <div class="outline-text-6" id="text-3-2-3-1-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5106,8 +5188,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org7672d00" class="outline-6">
+<div id="outline-container-org74514a8" class="outline-6">
-<h6 id="org7672d00"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
+<h6 id="org74514a8"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
 <div class="outline-text-6" id="text-3-2-3-1-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5128,8 +5210,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org1bda8d7" class="outline-6">
+<div id="outline-container-org57a3717" class="outline-6">
-<h6 id="org1bda8d7"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
+<h6 id="org57a3717"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5182,8 +5264,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org17d23c6" class="outline-6">
+<div id="outline-container-org5e31399" class="outline-6">
-<h6 id="org17d23c6"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
+<h6 id="org5e31399"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-11">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5240,8 +5322,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-org47e7345" class="outline-6">
+<div id="outline-container-org58e393c" class="outline-6">
-<h6 id="org47e7345"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
+<h6 id="org58e393c"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-2-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5298,8 +5380,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgcc5e0f5" class="outline-6">
+<div id="outline-container-orgd007c2a" class="outline-6">
-<h6 id="orgcc5e0f5"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
+<h6 id="orgd007c2a"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-2-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5351,8 +5433,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org3185dd7" class="outline-6">
+<div id="outline-container-org8f1c8da" class="outline-6">
-<h6 id="org3185dd7"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
+<h6 id="org8f1c8da"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-2-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5372,8 +5454,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org061d35f" class="outline-6">
+<div id="outline-container-org656b75a" class="outline-6">
-<h6 id="org061d35f"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
+<h6 id="org656b75a"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-2-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5393,8 +5475,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org367969f" class="outline-6">
+<div id="outline-container-org005530c" class="outline-6">
-<h6 id="org367969f"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
+<h6 id="org005530c"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-2-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5415,8 +5497,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org19a7899" class="outline-6">
+<div id="outline-container-orgfffaea3" class="outline-6">
-<h6 id="org19a7899"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
+<h6 id="orgfffaea3"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
 <div class="outline-text-6" id="text-3-2-3-2-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -5434,8 +5516,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org22458da" class="outline-6">
+<div id="outline-container-org08ab54d" class="outline-6">
-<h6 id="org22458da"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
+<h6 id="org08ab54d"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-2-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -6968,8 +7050,8 @@ Most of the time I am using <code>power-saver</code>, however, it is good to be
 </div>
 </div>
 </div>
-<div id="outline-container-org8e440af" class="outline-6">
+<div id="outline-container-org6e7eb02" class="outline-6">
-<h6 id="org8e440af"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
+<h6 id="org6e7eb02"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-3-1-22-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, pkgs, config, ... }:
@ -9480,15 +9562,36 @@ It serves both a Greader API at <a href="https://signpost.swarsel.win/api/greade
 <h5 id="h:a9965660-4358-4b9a-8c46-d55f28598344"><span class="section-number-5">3.3.2.25.</span> forgejo (git server)</h5>
 <div class="outline-text-5" id="text-h:a9965660-4358-4b9a-8c46-d55f28598344">
 <div class="org-src-container">
-<pre class="src src-nix">{ lib, config, ... }:
+<pre class="src src-nix">{ lib, config, pkgs, ... }:
 let
  forgejoDomain = "swagit.swarsel.win";
 in
 {
  options.swarselsystems.modules.server.forgejo = lib.mkEnableOption "enable forgejo on server";
  config = lib.mkIf config.swarselsystems.modules.server.forgejo {
    networking.firewall.allowedTCPPorts = [ 3000 ];
    users.users.forgejo = {
      group = "forgejo";
      isSystemUser = true;
    };
    users.groups.forgejo = { };
    sops.secrets = {
      kanidm-forgejo-client = {
        owner = "forgejo";
        group = "forgejo";
        mode = "440";
      };
    };
    services.forgejo = {
      enable = true;
      user = "forgejo";
      group = "forgejo";
      lfs.enable = lib.mkDefault true;
      settings = {
        DEFAULT = {
          APP_NAME = "~SwaGit~";
@ -9497,15 +9600,90 @@ It serves both a Greader API at <a href="https://signpost.swarsel.win/api/greade
          PROTOCOL = "http";
          HTTP_PORT = 3000;
          HTTP_ADDR = "0.0.0.0";
-          DOMAIN = "swagit.swarsel.win";
+          DOMAIN = forgejoDomain;
-          ROOT_URL = "https://swagit.swarsel.win";
+          ROOT_URL = "https://${forgejoDomain}";
        };
        # federation.ENABLED = true;
        service = {
-          DISABLE_REGISTRATION = true;
+          DISABLE_REGISTRATION = false;
          ALLOW_ONLY_INTERNAL_REGISTRATION = false;
          ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
          SHOW_REGISTRATION_BUTTON = false;
        };
        session.COOKIE_SECURE = true;
        oauth2_client = {
          # Never use auto account linking with this, otherwise users cannot change
          # their new user name and they could potentially overtake other users accounts
          # by setting their email address to an existing account.
          # With "login" linking the user must choose a non-existing username first or login
          # with the existing account to link.
          ACCOUNT_LINKING = "login";
          USERNAME = "nickname";
          # This does not mean that you cannot register via oauth, but just that there should
          # be a confirmation dialog shown to the user before the account is actually created.
          # This dialog allows changing user name and email address before creating the account.
          ENABLE_AUTO_REGISTRATION = false;
          REGISTER_EMAIL_CONFIRM = false;
          UPDATE_AVATAR = true;
        };
      };
    };
    systemd.services.forgejo = {
      serviceConfig.RestartSec = "60"; # Retry every minute
      preStart =
        let
          exe = lib.getExe config.services.forgejo.package;
          providerName = "kanidm";
          clientId = "forgejo";
          args = lib.escapeShellArgs (
            lib.concatLists [
              [
                "--name"
                providerName
              ]
              [
                "--provider"
                "openidConnect"
              ]
              [
                "--key"
                clientId
              ]
              [
                "--auto-discover-url"
                "https://sso.swarsel.win/oauth2/openid/${clientId}/.well-known/openid-configuration"
              ]
              [
                "--scopes"
                "email"
              ]
              [
                "--scopes"
                "profile"
              ]
              [
                "--group-claim-name"
                "groups"
              ]
              [
                "--admin-group"
                "admin"
              ]
              [ "--skip-local-2fa" ]
            ]
          );
        in
        lib.mkAfter ''
          provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
          SECRET="$(&lt; ${config.sops.secrets.kanidm-forgejo-client.path})"
          if [[ -z "$provider_id" ]]; then
            ${exe} admin auth add-oauth ${args} --secret "$SECRET"
          else
            ${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
          fi
        '';
    };
    services.nginx = {
      virtualHosts = {
@ -9581,8 +9759,8 @@ It serves both a Greader API at <a href="https://signpost.swarsel.win/api/greade
 </div>
 </div>
 </div>
-<div id="outline-container-orgeb2a887" class="outline-5">
+<div id="outline-container-org7da46bd" class="outline-5">
-<h5 id="orgeb2a887"><span class="section-number-5">3.3.2.27.</span> kanidm</h5>
+<h5 id="org7da46bd"><span class="section-number-5">3.3.2.27.</span> kanidm</h5>
 <div class="outline-text-5" id="text-3-3-2-27">
 <div class="org-src-container">
 <pre class="src src-nix">{ self, lib, pkgs, config, ... }:
@ -9971,8 +10149,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
 </div>
 </div>
 </div>
-<div id="outline-container-org2fd6795" class="outline-5">
+<div id="outline-container-org9051388" class="outline-5">
-<h5 id="org2fd6795"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
+<h5 id="org9051388"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-3-4-6">
 <p>
 This holds configuration that is specific to framework laptops.
@ -10010,8 +10188,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org28eaeed" class="outline-5">
+<div id="outline-container-orgf5515d6" class="outline-5">
-<h5 id="org28eaeed"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
+<h5 id="orgf5515d6"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
 <div class="outline-text-5" id="text-3-3-4-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -10027,8 +10205,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org4c4411c" class="outline-5">
+<div id="outline-container-orgdccdfcb" class="outline-5">
-<h5 id="org4c4411c"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
+<h5 id="orgdccdfcb"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
 <div class="outline-text-5" id="text-3-3-4-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -10050,8 +10228,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org8338221" class="outline-5">
+<div id="outline-container-org8e91a13" class="outline-5">
-<h5 id="org8338221"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
+<h5 id="org8e91a13"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
 <div class="outline-text-5" id="text-3-3-4-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -10082,8 +10260,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org952308a" class="outline-5">
+<div id="outline-container-org9ed2a08" class="outline-5">
-<h5 id="org952308a"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
+<h5 id="org9ed2a08"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
 <div class="outline-text-5" id="text-3-3-4-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -13031,8 +13209,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org978f035" class="outline-6">
+<div id="outline-container-org7ceedd9" class="outline-6">
-<h6 id="org978f035"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
+<h6 id="org7ceedd9"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-4-1-29-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@ -14281,8 +14459,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgeba9bdf" class="outline-5">
+<div id="outline-container-org9156d19" class="outline-5">
-<h5 id="orgeba9bdf"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
+<h5 id="org9156d19"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-4-4-3">
 <p>
 This holds configuration that is specific to framework laptops.
@ -18122,8 +18300,8 @@ autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore
 </div>
 </div>
 </div>
-<div id="outline-container-org47034b7" class="outline-3">
+<div id="outline-container-org8338b01" class="outline-3">
-<h3 id="org47034b7"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
+<h3 id="org8338b01"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
 <div class="outline-text-3" id="text-6-3">
 <div class="org-src-container">
 <pre class="src src-config">
@ -18620,7 +18798,7 @@ sync USER HOST:
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-06-09 Mo 12:45</p>
+<p class="date">Created: 2025-06-09 Mo 17:08</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>
--- a/modules/nixos/server/forgejo.nix
+++ b/modules/nixos/server/forgejo.nix
@ -1,12 +1,33 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, ... }:
 let
  forgejoDomain = "swagit.swarsel.win";
 in
 {
  options.swarselsystems.modules.server.forgejo = lib.mkEnableOption "enable forgejo on server";
  config = lib.mkIf config.swarselsystems.modules.server.forgejo {
    networking.firewall.allowedTCPPorts = [ 3000 ];
    users.users.forgejo = {
      group = "forgejo";
      isSystemUser = true;
    };
    users.groups.forgejo = { };
    sops.secrets = {
      kanidm-forgejo-client = {
        owner = "forgejo";
        group = "forgejo";
        mode = "440";
      };
    };
    services.forgejo = {
      enable = true;
      user = "forgejo";
      group = "forgejo";
      lfs.enable = lib.mkDefault true;
      settings = {
        DEFAULT = {
          APP_NAME = "~SwaGit~";
@ -15,15 +36,90 @@
          PROTOCOL = "http";
          HTTP_PORT = 3000;
          HTTP_ADDR = "0.0.0.0";
-          DOMAIN = "swagit.swarsel.win";
+          DOMAIN = forgejoDomain;
-          ROOT_URL = "https://swagit.swarsel.win";
+          ROOT_URL = "https://${forgejoDomain}";
        };
        # federation.ENABLED = true;
        service = {
-          DISABLE_REGISTRATION = true;
+          DISABLE_REGISTRATION = false;
          ALLOW_ONLY_INTERNAL_REGISTRATION = false;
          ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
          SHOW_REGISTRATION_BUTTON = false;
        };
        session.COOKIE_SECURE = true;
        oauth2_client = {
          # Never use auto account linking with this, otherwise users cannot change
          # their new user name and they could potentially overtake other users accounts
          # by setting their email address to an existing account.
          # With "login" linking the user must choose a non-existing username first or login
          # with the existing account to link.
          ACCOUNT_LINKING = "login";
          USERNAME = "nickname";
          # This does not mean that you cannot register via oauth, but just that there should
          # be a confirmation dialog shown to the user before the account is actually created.
          # This dialog allows changing user name and email address before creating the account.
          ENABLE_AUTO_REGISTRATION = false;
          REGISTER_EMAIL_CONFIRM = false;
          UPDATE_AVATAR = true;
        };
      };
    };
    systemd.services.forgejo = {
      serviceConfig.RestartSec = "60"; # Retry every minute
      preStart =
        let
          exe = lib.getExe config.services.forgejo.package;
          providerName = "kanidm";
          clientId = "forgejo";
          args = lib.escapeShellArgs (
            lib.concatLists [
              [
                "--name"
                providerName
              ]
              [
                "--provider"
                "openidConnect"
              ]
              [
                "--key"
                clientId
              ]
              [
                "--auto-discover-url"
                "https://sso.swarsel.win/oauth2/openid/${clientId}/.well-known/openid-configuration"
              ]
              [
                "--scopes"
                "email"
              ]
              [
                "--scopes"
                "profile"
              ]
              [
                "--group-claim-name"
                "groups"
              ]
              [
                "--admin-group"
                "admin"
              ]
              [ "--skip-local-2fa" ]
            ]
          );
        in
        lib.mkAfter ''
          provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
          SECRET="$(< ${config.sops.secrets.kanidm-forgejo-client.path})"
          if [[ -z "$provider_id" ]]; then
            ${exe} admin auth add-oauth ${args} --secret "$SECRET"
          else
            ${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
          fi
        '';
    };
    services.nginx = {
      virtualHosts = {
--- a/scripts/swarsel-install.sh
+++ b/scripts/swarsel-install.sh
@ -102,6 +102,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
    rm modules/home/common/yubikey.nix
    rm modules/nixos/server/restic.nix
    rm modules/nixos/common/home-manager-extra.nix
    rm hosts/nixos/sync/default.nix
    rm -rf modules/nixos/server
    rm -rf modules/home/server
    cat > hosts/nixos/chaostheatre/options.nix << EOF
--- a/scripts/swarsel-rebuild.sh
+++ b/scripts/swarsel-rebuild.sh
@ -84,6 +84,9 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
    rm modules/home/common/yubikey.nix
    rm modules/nixos/server/restic.nix
    rm modules/nixos/common/home-manager-extra.nix
    rm hosts/nixos/sync/default.nix
    rm -rf modules/nixos/server
    rm -rf modules/home/server
    nix flake update vbc-nix
    git add .
 else
--- a/secrets/sync/secrets.yaml
+++ b/secrets/sync/secrets.yaml
@ -1,11 +1,8 @@
 swarsel: ENC[AES256_GCM,data:WzMlNzg5iAu823s=,iv:U8ZutlrzBqq7z445kSnvluejtta4X/0YMIIOdcQuftg=,tag:IE0WMuXlNwnBHzXtrbVHKA==,type:str]
 dnstokenfull: ENC[AES256_GCM,data:hxgxSm6pcXOEHZHdSwQkfZryFccQXrCu9idULJhWK/tQ44FyRIU4Yg==,iv:ObKf1M1qkgCltkKJX+URaPSiK5Itd3xlfBXPjf1iVak=,tag:PASR0pgBdcDYjdTZ2eEUCg==,type:str]
 swarseluser: ENC[AES256_GCM,data:e/p76dBuM7eLIrO0HBeJMs8eMCAGAklGcA==,iv:r+e9GGMDCCjh1eWnB4AJMFdMuXbVXxoLMefooq0SOlE=,tag:auRo+JnwH+EardJQbKek0A==,type:str]
 kanidm-forgejo-client: ENC[AES256_GCM,data:LuOFq+bj9TIbaN6Arz/etcjEO0WnjswJNw==,iv:eqACcjjr7usTl7Dv8HTqH53cHDa0+HV5IYN8Rh5aChg=,tag:upBfWOUOEoZRPgUtlMZE4Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
          enc: |
@ -16,8 +13,8 @@ sops:
            cUUxYkVGN0hVZ3UrNHdmSXBQbVpkNTQK7yfeX133PekxsK/2BXxsx0pxmWBcZkZY
            UO4ZHCcZQQKMg22BY/3pPz/Ui+uUfZ7AIdLjQb6WQvUbmgz5Lb0M9w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-16T17:08:33Z"
+    lastmodified: "2025-06-09T14:53:33Z"
-    mac: ENC[AES256_GCM,data:+2WUsrKqCEviPWhNo+Rx818gkaVLJUsCnnR+kdCgIQ0il9I3Kc3e8ZdA1TYX0cIe8D3pGswBx0PecnNiduSeVMAQL65AFUSzFbX9OA03Xs+SVVpmfuzK1xaRNRrl4ILsGyQV+qHGSjVHILoEM+r4rBQ/iwQV9zj6Px9Zs8qdVcY=,iv:Qlm1LXXmE+y96JP55dsKELgDcyz7+Hm1HbOXktsyzuI=,tag:C6TWZSgpw/wX2jGC8/kmjg==,type:str]
+    mac: ENC[AES256_GCM,data:SphJHK+OP0IyBWAAr5FDWhg7VBdD8isL0QsswGI6bpSV/7FTRpd6Ehp+kvmCPcdTwpQlmVIyA5r7DpL0F+F0BQGFtMDnESXVldmsBVpvYL/Q62zvlCq1hsm24tLxHbBssSCCpDNq8b5uCp3qklCQCISBYEFeI28dnFapxl5YI/g=,iv:MbMYmCqhQw9O6VdjjBULa2PBciiNk7AJzSrFTnDhMaI=,tag:2VaUX28dyxhyxYVHinESzA==,type:str]
    pgp:
        - created_at: "2024-12-17T11:38:27Z"
          enc: |-
@ -51,4 +48,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.10.2
--- a/secrets/winters/secrets.yaml
+++ b/secrets/winters/secrets.yaml
@ -40,6 +40,8 @@ kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,
 prometheusadminpass: ENC[AES256_GCM,data:NYUbSnAl0f3FUtvCjvJHFr2wMRsVsbVIeg==,iv:TP4NMwJsft8aEixxJBJCX/0I6BJVBnltFYJDKuXq1hM=,tag:yMY+KZsRjbn8ItgKgjzqSA==,type:str]
 #ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment]
 fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+NojMifsy8S0=,tag:mHf0YYYxulLXAIByqmnOsA==,type:str]
 #ENC[AES256_GCM,data:+lbLElpVOYo=,iv:DaVuudlnW+vy2PZOs9eiwZhOyILnqEX9KUehFlX2gWE=,tag:lvM6r0JM0DZir4y7iVTeKg==,type:comment]
 kanidm-forgejo-client: ENC[AES256_GCM,data:pitJ6re5xm2w1MSs5Ul7Tl1/H1KSR7Ps7w==,iv:4k8/cxpLqWxCgJuk/y9K3OAMCkzu8gb8CDxY+gUuOvg=,tag:OocTFS54teDUfHaHAHZiHw==,type:str]
 #ENC[AES256_GCM,data:Ur0/rfBv5g==,iv:eH+KbbkmtBWbobqAIUFF0jIrGhbHnk9g8hLZoxE3swI=,tag:3dnoA+O5GXW5Dvxcx4jiTw==,type:comment]
 resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str]
 resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str]
@ -62,8 +64,8 @@ sops:
            MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
            qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-09T02:48:48Z"
+    lastmodified: "2025-06-09T14:21:21Z"
-    mac: ENC[AES256_GCM,data:hHoWSuoIweKC/l/27aTOtn6A3qvlsFpHjoCnx2QtQrSUKvaHCeGnnv9U71hK56GW2OyL9fEfjfTNn7fZR5jQnjlZrwQAtFiXDaUMKT90QtHsZj87RBYmGKLdSpOSGrnimywGivAbJp2yWLQ8WnwnD0LwkYpylSUFOgiGD5W62cA=,iv:QYqCcbfL4x310InrMtTY8gdUpgqxcB85nbBKHLFltLA=,tag:fIV7PAY7hJCTEkEWcoq15g==,type:str]
+    mac: ENC[AES256_GCM,data:6CPsA5krx40G1FoKNQsOFvw3KPX5orSmtYeXeLj0PuDP6l+Pus6LNGxhMyLkL5b/QUx/48ocFwFguRjvREH/qh7K0p6+QJgcJHzE7VLAQw7vZA9m2MB3d3z4LlC7YSUrqlTd67BOt68Jdf1/jpvf71YYcWMC1v1pcVmsoQTR4S4=,iv:ZqO+gqrJLp/XgLzyxE3/zV6Ef9HY2ICgd5vX1CSDVGs=,tag:zsP2y46vscb9xnfWIwiPKw==,type:str]
    pgp:
        - created_at: "2024-12-17T16:24:32Z"
          enc: |-