refactor: use true common config and split rest

flake.nix

@@ -130,45 +130,38 @@
                   inputs.impermanence.nixosModules.impermanence
                   inputs.lanzaboote.nixosModules.lanzaboote
                   inputs.fw-fanctrl.nixosModules.default
+                  inputs.nix-topology.nixosModules.default
+                  inputs.home-manager.nixosModules.home-manager
                   "${self}/hosts/${type}/${host}"
                   {
                     _module.args.primaryUser = linuxUser;
                   }
                 ] ++
                 (if (host == "iso") then [
-                  inputs.nix-topology.nixosModules.default
                 ] else
                   ([
                     # put nixos imports here that are for all servers and normal hosts
-                    inputs.nix-topology.nixosModules.default
+                    "${self}/modules/nixos"
-                    "${self}/modules/${type}/common"
                     inputs.stylix.nixosModules.stylix
                     inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
                   ] ++ (if (type == "nixos") then [
-                    inputs.home-manager.nixosModules.home-manager
                     "${self}/profiles/nixos"
-                    "${self}/modules/nixos/server"
-                    "${self}/modules/nixos/optional"
                     {
                       home-manager.users."${linuxUser}".imports = [
                         # put home-manager imports here that are for all normal hosts
-                        "${self}/modules/home/common"
-                        "${self}/modules/home/server"
-                        "${self}/modules/home/optional"
                         "${self}/profiles/home"
+                        "${self}/modules/home"
                       ];
                     }
                   ] else [
                     # put nixos imports here that are for darwin hosts
-                    "${self}/modules/darwin/nixos/common"
+                    "${self}/modules/nixos/darwin"
-                    "${self}/profiles/darwin"
+                    "${self}/profiles/nixos"
                     inputs.home-manager.darwinModules.home-manager
                     {
                       home-manager.users."${macUser}".imports = [
                         # put home-manager imports here that are for darwin hosts
-                        "${self}/modules/darwin/home"
+                        "${self}/modules/home/darwin"
-                        "${self}/modules/home/server"
-                        "${self}/modules/home/optional"
                         "${self}/profiles/home"
                       ];
                     }

modules/darwin/nixos/default.nix

@@ -1,14 +0,0 @@
-_:
-{
-
-  nix.settings.experimental-features = "nix-command flakes";
-  nixpkgs = {
-    hostPlatform = "x86_64-darwin";
-    overlays = [ outputs.overlays.default ];
-    config = {
-      allowUnfree = true;
-    };
-  };
-
-  system.stateVersion = 4;
-}

modules/home/default.nix

@@ -0,0 +1,7 @@
+{ lib, ... }:
+let
+  importNames = lib.swarselsystems.readNix "modules/home";
+in
+{
+  imports = lib.swarselsystems.mkImports importNames "modules/home";
+}

modules/nixos/client/autologin.nix

@@ -3,8 +3,8 @@ let
   inherit (config.swarselsystems) mainUser;
 in
 {
-  options.swarselsystems.modules.optional.autologin = lib.mkEnableOption "optional autologin settings";
+  options.swarselsystems.modules.autologin = lib.mkEnableOption "optional autologin settings";
-  config = lib.mkIf config.swarselsystems.modules.optional.autologin {
+  config = lib.mkIf config.swarselsystems.modules.autologin {
     services = {
       getty.autologinUser = mainUser;
       greetd.settings.initial_session.user = mainUser;

modules/nixos/client/default.nix

@@ -0,0 +1,7 @@
+{ lib, ... }:
+let
+  importNames = lib.swarselsystems.readNix "modules/nixos/client";
+in
+{
+  imports = lib.swarselsystems.mkImports importNames "modules/nixos/client";
+}

modules/nixos/client/network.nix

@@ -1,11 +1,70 @@
-{ lib, config, ... }:
+{ self, lib, config, ... }:
+let
+  certsSopsFile = self + /secrets/certs/secrets.yaml;
+  inherit (config.swarselsystems) mainUser;
+  iwd = config.networking.networkmanager.wifi.backend == "iwd";
+in
 {
   options.swarselsystems = {
     modules.network = lib.mkEnableOption "network config";
     firewall = lib.swarselsystems.mkTrueOption;
   };
   config = lib.mkIf config.swarselsystems.modules.network {
+
+    sops = {
+      secrets = lib.mkIf (!config.swarselsystems.isPublic) {
+        ernest = { };
+        frauns = { };
+        hotspot = { };
+        eduid = { };
+        edupass = { };
+        handyhotspot = { };
+        vpnuser = { };
+        vpnpass = { };
+        wireguardpriv = { };
+        wireguardpub = { };
+        wireguardendpoint = { };
+        stashuser = { };
+        stashpass = { };
+        githubforgeuser = { };
+        githubforgepass = { };
+        gitlabforgeuser = { };
+        gitlabforgepass = { };
+        "sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
+        "sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
+      };
+      templates = lib.mkIf (!config.swarselsystems.isPublic) {
+        "network-manager.env".content = ''
+          ERNEST=${config.sops.placeholder.ernest}
+          FRAUNS=${config.sops.placeholder.frauns}
+          HOTSPOT=${config.sops.placeholder.hotspot}
+          EDUID=${config.sops.placeholder.eduid}
+          EDUPASS=${config.sops.placeholder.edupass}
+          HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
+          VPNUSER=${config.sops.placeholder.vpnuser}
+          VPNPASS=${config.sops.placeholder.vpnpass}
+          WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
+          WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
+          WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
+        '';
+      };
+    };
+
     networking = {
+      wireless.iwd = {
+        enable = true;
+        settings = {
+          IPv6 = {
+            Enabled = true;
+          };
+          Settings = {
+            AutoConnect = true;
+          };
+          DriverQuirks = {
+            UseDefaultInterface = true;
+          };
+        };
+      };
       nftables.enable = lib.mkDefault true;
       enableIPv6 = lib.mkDefault true;
       firewall = {
@@ -76,10 +135,11 @@
 
             eduroam = {
               "802-1x" = {
-                eap = "ttls;";
+                eap = if (!iwd) then "ttls;" else "peap;";
                 identity = "$EDUID";
                 password = "$EDUPASS";
                 phase2-auth = "mschapv2";
+                anonymous-identity = lib.mkIf iwd "anonymous@student.tuwien.ac.at";
               };
               connection = {
                 id = "eduroam";

modules/nixos/client/sops.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+{
+  options.swarselsystems.modules.sops = lib.mkEnableOption "sops config";
+  config = lib.mkIf config.swarselsystems.modules.sops {
+    sops = {
+
+      # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
+      # defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+      defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+
+      validateSopsFiles = false;
+
+    };
+  };
+}

modules/nixos/common/home-manager-extra.nix

@@ -1,9 +0,0 @@
-{ inputs, config, lib, ... }:
-{
-  options.swarselsystems.modules.home-managerExtra = lib.mkEnableOption "home-manager extras for non-chaostheatre";
-  config = lib.mkIf config.swarselsystems.modules.home-managerExtra {
-    home-manager = lib.mkIf config.swarselsystems.withHomeManager {
-      extraSpecialArgs = { inherit (inputs) nix-secrets nixgl; };
-    };
-  };
-}

modules/nixos/common/home-manager.nix

@@ -14,7 +14,7 @@
           home.stateVersion = lib.mkDefault config.system.stateVersion;
         }
       ];
-      extraSpecialArgs = { inherit (inputs) self; inherit inputs outputs globals nodes; };
+      extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes; };
     };
   };
 }

modules/nixos/common/impermanence.nix

@@ -7,6 +7,7 @@ in
   options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config";
   config = lib.mkIf config.swarselsystems.modules.impermanence {
 
+
     security.sudo.extraConfig = lib.mkIf isImpermanence ''
       # rollback results in sudo lectures after each reboot
       Defaults lecture = never
@@ -15,10 +16,10 @@ in
     # This script does the actual wipe of the system
     # So if it doesn't run, the btrfs system effectively acts like a normal system
     # Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
-
+    boot.tmp.useTmpfs = lib.mkIf (!isImpermanence) true;
-    boot.initrd.systemd.enable = lib.mkIf isImpermanence true;
+    boot.initrd.systemd = lib.mkIf isImpermanence {
-
+      enable = true;
-    boot.initrd.systemd.services.rollback = lib.mkIf isImpermanence {
+      services.rollback = {
         description = "Rollback BTRFS root subvolume to a pristine state";
         wantedBy = [ "initrd.target" ];
         # make sure it's done after encryption
@@ -64,6 +65,7 @@ in
           umount /mnt
         '';
       };
+    };
 
 
     environment.persistence."/persist" = lib.mkIf isImpermanence {

modules/nixos/common/sops.nix

@@ -1,54 +0,0 @@
-{ self, config, lib, ... }:
-let
-  certsSopsFile = self + /secrets/certs/secrets.yaml;
-  inherit (config.swarselsystems) mainUser homeDir;
-in
-{
-  options.swarselsystems.modules.commonSops = lib.mkEnableOption "sops config";
-  config = lib.mkIf config.swarselsystems.modules.commonSops {
-    sops = {
-
-      age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${homeDir}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
-      defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
-
-      validateSopsFiles = false;
-
-      secrets = lib.mkIf (!config.swarselsystems.isPublic) {
-        ernest = { };
-        frauns = { };
-        hotspot = { };
-        eduid = { };
-        edupass = { };
-        handyhotspot = { };
-        vpnuser = { };
-        vpnpass = { };
-        wireguardpriv = { };
-        wireguardpub = { };
-        wireguardendpoint = { };
-        stashuser = { };
-        stashpass = { };
-        githubforgeuser = { };
-        githubforgepass = { };
-        gitlabforgeuser = { };
-        gitlabforgepass = { };
-        "sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
-        "sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
-      };
-      templates = lib.mkIf (!config.swarselsystems.isPublic) {
-        "network-manager.env".content = ''
-          ERNEST=${config.sops.placeholder.ernest}
-          FRAUNS=${config.sops.placeholder.frauns}
-          HOTSPOT=${config.sops.placeholder.hotspot}
-          EDUID=${config.sops.placeholder.eduid}
-          EDUPASS=${config.sops.placeholder.edupass}
-          HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
-          VPNUSER=${config.sops.placeholder.vpnuser}
-          VPNPASS=${config.sops.placeholder.vpnpass}
-          WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
-          WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
-          WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
-        '';
-      };
-    };
-  };
-}

modules/nixos/common/tmp.nix

@@ -1,7 +0,0 @@
-{ config, lib, ... }:
-{
-  options.swarselsystems.modules.tmp = lib.mkEnableOption "tmp dir config";
-  config = lib.mkIf config.swarselsystems.modules.tmp {
-    boot.tmp.useTmpfs = !config.swarselsystems.modules.impermanence true;
-  };
-}

modules/nixos/darwin/default.nix

@@ -0,0 +1,17 @@
+{ lib, config, outputs, ... }:
+{
+
+  options.swarselsystems.modules.darwin.general = lib.mkEnableOption "darwin config";
+  config = lib.mkIf config.swarselsystems.modules.darwin.general {
+    nix.settings.experimental-features = "nix-command flakes";
+    nixpkgs = {
+      hostPlatform = "x86_64-darwin";
+      overlays = [ outputs.overlays.default ];
+      config = {
+        allowUnfree = true;
+      };
+    };
+
+    system.stateVersion = 4;
+  };
+}

modules/nixos/default.nix

@@ -0,0 +1,7 @@
+{ lib, ... }:
+let
+  importNames = lib.swarselsystems.readNix "modules/nixos";
+in
+{
+  imports = lib.swarselsystems.mkImports importNames "modules/nixos";
+}

modules/nixos/optional/work.nix

@@ -1,6 +1,7 @@
 { self, lib, pkgs, config, ... }:
 let
   inherit (config.swarselsystems) mainUser homeDir xdgDir;
+  iwd = config.networking.networkmanager.wifi.backend == "iwd";
   owner = mainUser;
   sopsFile = self + /secrets/work/secrets.yaml;
   swarselService = name: description: execStart: {
@@ -49,6 +50,8 @@ in
           "govchost"
           "govcnetwork"
           "govcpool"
+          "baseuser"
+          "basepw"
         ];
       in
       {
@@ -60,6 +63,12 @@ in
             })
             secretNames
         );
+        templates = {
+          "network-manager-work.env".content = ''
+            BASEUSER=${config.sops.placeholder.baseuser}
+            BASEPASS=${config.sops.placeholder.basepw}
+          '';
+        };
       };
 
     boot.initrd = {
@@ -97,7 +106,48 @@ in
 
     networking = {
       inherit (config.swarselsystems) hostName fqdn;
-      networkmanager.wifi.scanRandMacAddress = false;
+
+      networkmanager = {
+        wifi.scanRandMacAddress = false;
+        ensureProfiles = {
+          environmentFiles = [
+            "${config.sops.templates."network-manager-work.env".path}"
+          ];
+          profiles = {
+            VBC = {
+              "802-1x" = {
+                eap = if (!iwd) then "ttls;" else "peap;";
+                identity = "$BASEUSER";
+                password = "$BASEPASS";
+                phase2-auth = "mschapv2";
+              };
+              connection = {
+                id = "VBC";
+                type = "wifi";
+              };
+              ipv4 = { method = "auto"; };
+              ipv6 = {
+                addr-gen-mode = "default";
+                method = "auto";
+              };
+              proxy = { };
+              wifi = {
+                cloned-mac-address = "permanent";
+                mac-address = "E8:65:38:52:63:FF";
+                mac-address-randomization = "1";
+                mode = "infrastructure";
+                ssid = "VBC";
+              };
+              wifi-security = {
+                auth-alg = "open";
+                key-mgmt = "wpa-eap";
+              };
+            };
+          };
+        };
+      };
+
+
       firewall = {
         enable = lib.mkDefault true;
         trustedInterfaces = [ "virbr0" ];

modules/nixos/server/default.nix

@@ -1,18 +1,7 @@
-{ self, lib, ... }:
+{ lib, ... }:
 let
   importNames = lib.swarselsystems.readNix "modules/nixos/server";
-  modulesPath = "${self}/modules";
 in
 {
-  imports = lib.swarselsystems.mkImports importNames "modules/nixos/server" ++ [
+  imports = lib.swarselsystems.mkImports importNames "modules/nixos/server";
-    "${modulesPath}/nixos/common/settings.nix"
-    "${modulesPath}/nixos/common/home-manager.nix"
-    "${modulesPath}/nixos/common/home-manager-extra.nix"
-    "${modulesPath}/nixos/common/xserver.nix"
-    "${modulesPath}/nixos/common/time.nix"
-    "${modulesPath}/nixos/common/users.nix"
-    "${modulesPath}/nixos/common/nix-ld.nix"
-    "${modulesPath}/nixos/common/sharedsetup.nix"
-    "${modulesPath}/home/common/sharedsetup.nix"
-  ];
 }

modules/nixos/server/sops.nix

@@ -1,11 +0,0 @@
-{ config, lib, ... }:
-{
-  options.swarselsystems.modules.server.sops = lib.mkEnableOption "enable sops on server";
-  config = lib.mkIf config.swarselsystems.modules.server.sops {
-    sops = {
-      age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ];
-      defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/winters/secrets.yaml";
-      validateSopsFiles = false;
-    };
-  };
-}

profiles/nixos/chaostheatre/default.nix

@@ -6,7 +6,6 @@
       packages = lib.mkDefault true;
       general = lib.mkDefault true;
       home-manager = lib.mkDefault true;
-      home-managerExtra = lib.mkDefault false;
       xserver = lib.mkDefault true;
       users = lib.mkDefault true;
       env = lib.mkDefault true;
@@ -17,7 +16,7 @@
       pipewire = lib.mkDefault true;
       network = lib.mkDefault true;
       time = lib.mkDefault true;
-      commonSops = lib.mkDefault true;
+      sops = lib.mkDefault false;
       stylix = lib.mkDefault true;
       programs = lib.mkDefault true;
       zsh = lib.mkDefault true;
@@ -43,11 +42,8 @@
       lid = lib.mkDefault true;
       lowBattery = lib.mkDefault true;
       lanzaboote = lib.mkDefault true;
-
-      optional = {
       autologin = lib.mkDefault true;
     };
-    };
 
   };
 

profiles/nixos/localserver/default.nix

@@ -7,14 +7,13 @@
         general = lib.mkDefault true;
         pii = lib.mkDefault true;
         home-manager = lib.mkDefault true;
-        home-managerExtra = lib.mkDefault true;
         xserver = lib.mkDefault true;
         time = lib.mkDefault true;
         users = lib.mkDefault true;
+        sops = lib.mkDefault true;
         server = {
           general = lib.mkDefault true;
           packages = lib.mkDefault true;
-          sops = lib.mkDefault true;
           nfs = lib.mkDefault true;
           nginx = lib.mkDefault true;
           ssh = lib.mkDefault true;

profiles/nixos/moonside/default.nix

@@ -7,15 +7,14 @@
         general = lib.mkDefault true;
         pii = lib.mkDefault true;
         home-manager = lib.mkDefault true;
-        home-managerExtra = lib.mkDefault true;
         xserver = lib.mkDefault true;
         time = lib.mkDefault true;
         users = lib.mkDefault true;
         impermanence = lib.mkDefault true;
+        sops = lib.mkDefault true;
         server = {
           general = lib.mkDefault true;
           packages = lib.mkDefault true;
-          sops = lib.mkDefault true;
           nginx = lib.mkDefault true;
           ssh = lib.mkDefault true;
           oauth2-proxy = lib.mkDefault true;

profiles/nixos/personal/default.nix

@@ -6,7 +6,6 @@
       packages = lib.mkDefault true;
       general = lib.mkDefault true;
       home-manager = lib.mkDefault true;
-      home-managerExtra = lib.mkDefault true;
       xserver = lib.mkDefault true;
       users = lib.mkDefault true;
       env = lib.mkDefault true;
@@ -17,7 +16,7 @@
       pipewire = lib.mkDefault true;
       network = lib.mkDefault true;
       time = lib.mkDefault true;
-      commonSops = lib.mkDefault true;
+      sops = lib.mkDefault true;
       pii = lib.mkDefault true;
       stylix = lib.mkDefault true;
       programs = lib.mkDefault true;
@@ -44,12 +43,11 @@
       lid = lib.mkDefault true;
       lowBattery = lib.mkDefault true;
       lanzaboote = lib.mkDefault true;
-      tmp = lib.mkDefault true;
+      autologin = lib.mkDefault true;
 
       optional = {
         gaming = lib.mkDefault true;
         virtualbox = lib.mkDefault true;
-        autologin = lib.mkDefault true;
         nswitch-rcm = lib.mkDefault true;
       };
 

profiles/nixos/syncserver/default.nix

@@ -8,14 +8,13 @@
         nix-ld = lib.mkDefault true;
         pii = lib.mkDefault true;
         home-manager = lib.mkDefault true;
-        home-managerExtra = lib.mkDefault true;
         xserver = lib.mkDefault true;
         time = lib.mkDefault true;
         users = lib.mkDefault true;
+        sops = lib.mkDefault true;
         server = {
           general = lib.mkDefault true;
           packages = lib.mkDefault true;
-          sops = lib.mkDefault true;
           nginx = lib.mkDefault true;
           ssh = lib.mkDefault true;
           forgejo = lib.mkDefault true;

profiles/nixos/toto/default.nix

@@ -5,18 +5,15 @@
     swarselsystems.modules = {
       general = lib.mkDefault true;
       home-manager = lib.mkDefault true;
-      home-managerExtra = lib.mkDefault true;
       xserver = lib.mkDefault true;
       users = lib.mkDefault true;
-      commonSops = lib.mkDefault true;
+      sops = lib.mkDefault true;
       impermanence = lib.mkDefault true;
       lanzaboote = lib.mkDefault true;
+      autologin = lib.mkDefault true;
       server = {
         ssh = lib.mkDefault true;
       };
-      optional = {
-        autologin = lib.mkDefault true;
-      };
     };
 
   };

programs/git/.gitmessage

@@ -1,3 +1,5 @@
+
+
 #                         max. 50 chars is here: #
 # <type>[optional scope]: <description>
 # types: feat, fix, build, chore, ci, docs, style, refactor, perf, test

scripts/swarsel-install.sh

@@ -101,22 +101,9 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
     rm modules/home/common/mail.nix
     rm modules/home/common/yubikey.nix
     rm modules/nixos/server/restic.nix
-    rm modules/nixos/common/home-manager-extra.nix
     rm hosts/nixos/sync/default.nix
     rm -rf modules/nixos/server
     rm -rf modules/home/server
-    cat > hosts/nixos/chaostheatre/options.nix << EOF
-        { self, lib, ... }:
-        {
-          options = {
-            swarselsystems = {
-              modules = {
-                home-managerExtra = lib.mkEnableOption "dummy option for chaostheatre";
-              };
-            };
-          };
-        }
-EOF
     cat > hosts/nixos/chaostheatre/options-home.nix << EOF
         { self, lib, ... }:
         {

scripts/swarsel-rebuild.sh

@@ -83,7 +83,6 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
     rm modules/home/common/mail.nix
     rm modules/home/common/yubikey.nix
     rm modules/nixos/server/restic.nix
-    rm modules/nixos/common/home-manager-extra.nix
     rm hosts/nixos/sync/default.nix
     rm -rf modules/nixos/server
     rm -rf modules/home/server

secrets/work/secrets.yaml

@@ -1,5 +1,7 @@
 vcuser: ENC[AES256_GCM,data:M2LmjWGI6boQtOdTZz3dZ9Qb,iv:/KAC1RF0bqviHzPFP8F8GlX32f/8Qp07iXz2Yz5UO5o=,tag:rYzeylJIWtoQrSGy8OZqQg==,type:str]
 vcpw: ENC[AES256_GCM,data:bgqPbdJMVZXPWXiNsr9GxFRE1Q==,iv:5HuagCnNWLBvw7Z+nmLhCfMFV6b9mOd+afqCBUvWjNc=,tag:LfMOFvQZtNUh+7z6a+mpZA==,type:str]
+baseuser: ENC[AES256_GCM,data:JMbIoKr7wXLN7/Ly9KF0fbg=,iv:JhJK2etCfFmrEYyQenWwZkZ9aEDvktcRTK1oI0BKrWU=,tag:lGEcSuBQOUpwgGw/oUzrxg==,type:str]
+basepw: ENC[AES256_GCM,data:ESeZuCoqmcXbWT5uiWOhYfSGm2rNHw==,iv:+ZOqaeazPrh2TzZWCCgHK6fyZ/OteVfw0RzNo3ih45M=,tag:eycX5Zlo7T9n4V2KmVgSfg==,type:str]
 govcuser: ENC[AES256_GCM,data:4uJfzjBYgFJhskgxr4hN4GjlsOQyTRPF5Vmxlfs=,iv:/XsJeDUxvxjYythNKcEztmuKaC8yJALCV2N9ni2q46k=,tag:rtC/7SZlJsRQ2uMJs0nZXw==,type:str]
 govcpw: ENC[AES256_GCM,data:qNscuAkxb4cp0AJneh7oSfCO0PQL4g==,iv:Ch9vlo4B6dYmF3jg7Bi9FhQNlGHmMizFIhmijBP5cnA=,tag:HD4wMsH57+dBFAAS9DPN8A==,type:str]
 govcurl: ENC[AES256_GCM,data:vjYrQLIY7z0XS20NUDx+g4KFVbSXVIJMdFpS9NU+z7U=,iv:lQJkDAPBKvsf48V/w0pPSyYaueNR6rwEGIX0TGVXIV4=,tag:7rjFW180OUJ4zDaiHinA2Q==,type:str]
@@ -9,10 +11,6 @@ govchost: ENC[AES256_GCM,data:l/5kcvUQkT/4TYl1j7Ws,iv:Lc+D4ukKkTrIIg8sKy/9NYX1D6
 govcnetwork: ENC[AES256_GCM,data:Hevnb0fAMbXTrg1CCmAgwZbJ+sxaTUgJLRc=,iv:UoNyPYuKnACv/euoE5SGlsF4/0ni32+ysLc7nM/pCrQ=,tag:jSHYFecVUvmTKr6AmNLbgw==,type:str]
 govcpool: ENC[AES256_GCM,data:sfglbCi3,iv:UdvDgyI8AAFdfOxKD1sVYCof7rXFPavq8eYDaK6Kp2I=,tag:iMn7XPf0rmql2EiaqsAn8w==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
           enc: |
@@ -23,8 +21,8 @@ sops:
             Z0dpTnpXcnRub2NWU21PblBtUnBXTnMKfmW5I2G+XhXEi8ssdnlavppxhgI4G56B
             555YBJ8mLRXKINtd37nUyfydEUYiM4zUbTFlJ+83VVF//+4KUeOCYw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-03T15:35:39Z"
+    lastmodified: "2025-07-03T13:26:17Z"
-    mac: ENC[AES256_GCM,data:SKVgG2bNNYik+oUpJehJaWSjZb9ltl8MEAFmbUu2ZfPN4GEarXcscvMuoRdYa58xWRnzpDg23/85+cKhK2MpXjfe5r7oE43xZbPyUA1aCy0XoygcezNbcS7kYx6vyWaBIJEnVGM1EXWrD+f45SmNc3jT0yUdQS+H0Tt1hWNmleQ=,iv:zpEGVcLsjo7PEEiFyM4W+JeT6ODJ4xXV0ToFACnom6o=,tag:rFWZTs8pPTJza/PyLckvug==,type:str]
+    mac: ENC[AES256_GCM,data:35J6pbaTXcq8zW3wtLqBAHSTaWjCxx+BsOZlKWNwxEOCkGzXIIKFtakZJIaMktgPNLvYOlUEOP7dhjUc5IvJCM5beMSNOjBVJJNnLkKQv5sCJK+4p4uTzXo3Neht/Y3xan4DQItdm5lwwQpyNlCecGynVjqN+F44liyxsAR8gtQ=,iv:gaVY3PUn7NdmBNAvuvij990T5pRrAfqY1qgCPWxGBiA=,tag:CuOMqH34hlQX8WPikAL0qw==,type:str]
     pgp:
         - created_at: "2024-12-17T11:38:28Z"
           enc: |-
@@ -58,4 +56,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2