From 8b5f75a2b5611133bb8aef2e0a52770c9b0e0968 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Thu, 18 Dec 2025 17:29:25 +0100
Subject: [PATCH] docs: increase docs verbosity

---
 .github/README.md  |    3 +-
 SwarselSystems.org |  253 +++---
 index.html         | 1911 +++++++++++++++++++++++++++-----------------
 3 files changed, 1347 insertions(+), 820 deletions(-)

diff --git a/.github/README.md b/.github/README.md
index 62c7dc8..3af1d53 100644
--- a/.github/README.md
+++ b/.github/README.md
@@ -155,6 +155,7 @@
   |⛏️ **Minecraft**            | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix)                 |
   |☁️ **S3**                   | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix)                       |
   |🕸️ **Nix Binary Cache**     | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix)                         |
+  |🐙 **Nix Build farm**       | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix)                         |
   |🔑 **Cert-based SSH**       | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix)                       |
   |🔨 **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix)                     |
   |👀 **DNS**                  | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix)                             |
@@ -180,7 +181,7 @@
   |📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                                           |
   |💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts                 |
   |💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines             |
-  |❔ **chaotheatre**   | -                                                   | Demo config for checking out this configuration                 |
+  |❔ **hotel**         | -                                                   | Demo config for checking out this configuration                 |
   |❔ **toto**          | -                                                   | Helper configuration for testing purposes                       |
   </details>
 
diff --git a/SwarselSystems.org b/SwarselSystems.org
index e4643c6..d461752 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -46,13 +46,13 @@ For a beginner, I recommend to read this file like a book, from start to finish.
 This file is structured as follows:
 
 - [[#h:a86fe971-f169-4052-aacf-15e0f267c6cd][Introduction (no code)]]
-  This is the block you are currently in. It holds no code that actually builds the system, it just outlines the general approach and explains my rough mentality
+  This is the block you are currently in. It holds no code that actually builds the system, it just outlines the general approach and explains the rough design mentality. For simply understanding the code in here, reading this should not be necessary (feel free to skip to [[#h:c7588c0d-2528-485d-b2df-04d6336428d7][flake.nix]])
 
 - [[#h:c7588c0d-2528-485d-b2df-04d6336428d7][flake.nix]]
-  This block holds everything related to the heart of the nix side of the configuration - the =flake.nix= file.
+  This block holds everything related to the heart of the nix side of the configuration - the =flake.nix= file. I am using [[https://github.com/hercules-ci/flake-parts][flake-parts]] to manage this flake, so different aspects of the configuration are handled by flake-part modules in different files.
 
 - [[#h:02cd20be-1ffa-4904-9d5a-da5a89ba1421][System]]
-  This section holds all configuration options that apply to NixOS or home-manager. In other words, here we are doing system and user level configuration.
+  This section holds all configuration options that apply to NixOS or home-manager. In other words, here we are doing system and user level configuration. In a way, I consider this the most important part of this file, as (nearly) all of the nix magic is going to happen here.
 
 - [[#h:ed4cd05c-0879-41c6-bc39-3f1246a96f04][Emacs]]
   This section defines my Emacs configuration. For a while, I considered to use rycee's =emacs-init= module ([[https://github.com/nix-community/nur-combined/blob/master/repos/rycee/hm-modules/emacs-init.nix]]) to manage my Emacs configuration; I have since come to the conclusion that this would be a bad idea: at the moment, even though it might seem as I am very bound to the configuration file that you are currently reading, if I ever decide to change how I run my system, I can simply take the generated =.nix= and =.el= files and put them wherever I need them. This file only simplifies that generation without putting further restrictions on my. If I were however to switch to =emacs-init= then I would be indeed to some level confined to the nix ecosystem with my Emacs configuration, as I would no longer have a valid =.org= file to manage it with, instead generating an =init.el= directly from nix code. I like to keep that level of freedom for potential future use. Also, you will notice there is no package system setup in this configuration. This is because packages are automatically handled on the NixOS side by parsing the generated =init.el= file for package installs.
@@ -120,10 +120,7 @@ window.addEventListener('load', addDarkmodeWidget);
 
   This section hold code that can be templated at other parts of the configuration. This is mostly used for the NixOS side of the configuration where I define my host systems that usually have a lot in common.
 
-- [[#h:8fc9f66a-7412-4091-8dee-a06f897baf67][Appendix A: Supplementary Files]]
-  This section holds files that are not written in nix but are still referenced in the configuration in some way. This is mostly used for configuration of programs that have no native nix support, like tridactyl. Note that shell scripts are still defined under their respective entry in [[#h:64a5cc16-6b16-4802-b421-c67ccef853e1][Packages]].
-
-- Historical Note: Noweb-Ref blocks
+- [[#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c][Appendix A: Noweb-Ref blocks]]
 
 These blocks were used in several places throughout the configurations, but not on all machines necessarily. For example, the theming section used need to be in a NixOS block on NixOS machines but in a home-manager block on non-NixOS.
 
@@ -146,6 +143,13 @@ which can then be used in a block like:
 
 not that noweb-reffed blocks will not be indented correctly. You will want to account for that when checking your nix flake with the formatter of your choice. Personally, I have solved this issue using the functions defined in [[#h:59d4306e-9b73-4b2c-b039-6a6518c357fc][org-mode: Upon-save actions (Auto-tangle, export to html, formatting)]]. Originally, I also automatically exported to html there, but it incurred a too high memory penalty which made Emacs become sluggish over time.
 
+- [[#h:8fc9f66a-7412-4091-8dee-a06f897baf67][Appendix B: Supplementary Files]]
+  This section holds files that are not written in nix but are still referenced in the configuration in some way. This is mostly used for configuration of programs that have no native nix support, like tridactyl. Note that shell scripts are still defined under their respective entry in [[#h:64a5cc16-6b16-4802-b421-c67ccef853e1][Packages]]. Over time, the goal is to reduce this section to a minimum, but things like the aforementioned tridactyl might stay for a long time, until we have a stable interface to configure browser plugins.
+
+- [[#h:8ea35dcc-ef94-4c10-9112-8be8efd6f424][Appendix C: Explanations to nix functions and operators]]
+  When I started to learn about nix, I found that journey quite arduous; while I disagree with the general public in that the documentation is too sparse, I will say that, while it is very good, reading (and understanding!) it requires a certain level of existing nix knowledge that one will problably not have when starging out. Hence, the goal of this document is to explain common nix functions as they come up in this document (I thing I wrote this before :sweat:), in hopes that you will be able to understand most of the code. When a new function appears for the first time, I will try to link to an entry in the appendix.
+
+
 ** TODO Structure of this flake
 :PROPERTIES:
 :CUSTOM_ID: h:2c5529ed-e6d9-44b6-b0d3-5bf96a6bed64
@@ -161,7 +165,7 @@ The structure of this flake as seen many revisions, however lately I have settle
 
   The corresponding configurations are automatically generated by =mkFullHostConfigs= and =mkHalfHostConfigs=. A "full" host either in the nixos or darwin folder, while a "half" host is in either of home or android. This has to do with the scheme in which these configurations are generated.
 
-  These <hosttype> folders hold in turn a number of <hostname> folders, the actual configurations. At this time, the files stored in this folder are:
+  These <hosttype> folders hold on the first level a folder describing the machine archetype (=x86_64-linux= or =aarch64-linux= for linux, =x86_64-darwin= or =aarch64-darwin= for macs). Those folders then hold a number of <hostname> folders, the actual configurations. At this time, the files stored in this folder are:
     - default.nix:
       This file holds the abstracted configuration of the host. This should mostly be enabling [[#h:f0f1c961-3e7a-47b8-99ab-1654bb45dffc][Profiles]] as well as setting some [[#h:f4f22166-e345-43e6-b15f-b7f5bb886554][Shared Configuration Options]].
     - hardware-config.nix:
@@ -169,7 +173,7 @@ The structure of this flake as seen many revisions, however lately I have settle
     - disk-config.nix
       Holds the aforementioned filesystem configuration and is applied using [[https://github.com/nix-community/disko][disko]].
 
-    - The hosts/<hosttype>/<hostname> folders may also have a =secrets= folder, under which a single file =pii.nix.enc= can be stored. As the name suggests, this file should be encrypted. Specifically, it needs to be a [[https://github.com/getsops/sops][sops]]-encrypted file (sops does not seem to suggest a file ending other than .yml or others, which is not verbose enough for me, so I went with =.enc=).  This file should have the structure of a nix expression, e.g.:
+    - The hosts/<hosttype>/<hostname> folders may also have a =secrets= folder, under which files of the ending =.nix.enc= may be stored. As the name suggests, these files should be encrypted. Specifically, they need to be [[https://github.com/getsops/sops][sops]]-encrypted files (sops does not seem to suggest a file ending other than .yml or others, which is not verbose enough for me, so I went with =.enc=).  This should have the structure of a nix expression, e.g.:
 
   #+begin_src nix-ts :tangle no
     {
@@ -182,51 +186,59 @@ The structure of this flake as seen many revisions, however lately I have settle
 
       Using the mechanisms in [[#h:82b8ede2-02d8-4c43-8952-7200ebd4dc23][PII management]] (which in turn uses [[#h:87c7893e-e946-4fc0-8973-1ca27d15cf0e][extra-builtins]] and [[#h:315e6ef6-27d5-4cd8-85ff-053eabe60ddb][sops-decrypt-and-cache]]), these files are decrypted during evaluation time and stored under a persistent directory. As the name suggests, I am using these files to store personally identifiable information - these "secrets" are stored world-readable in the nix store. As such, this should not be used to store important secrets, but rather information that you would not like everyone on the internet to easily find in your git repo.
 
+      Other than that, the =secrets= folder will also be used to store conventional (decryted at activation-time) sops-encrypted secrets in the standard =.yaml= / =.toml= / =.ini= formats.
+
   - =modules=
     This folder holds the most part of the actual system configuration done in this repository. At some point I thought it was cool to have my whole configuration exposed under the flakes =nixosModules=, which is indeed achieved (its usefulness is however debatable). In any way, this folder splits up as:
     - nixos: Holds true NixOS configuration
     - home: Holds configuration to be used by home-manager (either as a NixOS submodule or not)
-    - darwin: Holds configuration for nix-darwin. This folder further splits up into a nixos and a home folder, which hold respective nix or home-manager configuration for nix-darwin.
-    - iso: Holds specific configuration for my installer ISO that I do not want to have loaded in the rest of the configuration.
+    - shared: This is for configuraion bits that are to be used by both types.
 
     The nixos and home folders further split up:
 
       - common: Configuration that can be used by all hosts (TODO: this currently includes configuration used by my user devices, which will mostly not be used by servers)
       - server: Configuration to be used on servers
+      - darwin: Holds configuration for nix-darwin.
       - optional: Configuration that will be used rather rarely
 
-      This structure is very optionated and highly subjective. I will possibly change this in the future.
+        This structure is very optionated and highly subjective. I will possibly change this in the future.
 
-    By themselves, most of the files in the modules folder will not do anything. In order for them to do something, their corresponding =config.swarselsystems.modules= attribute needs to be enabled. This is done using...
+      By themselves, most of the files in the modules folder will not do anything. In order for them to do something, their corresponding =config.swarselmodules= attribute needs to be enabled. This is partly done using...
 
-  - =profiles=: This folder splits up into =home= and =nixos= subfolders, where groupings of module enablers are stored for the respective home and nix setups. Note that =home= profiles are also used in NixOS setups (extensively even)!
+  - =profiles=: This folder splits up into =home= and =nixos= subfolders, where groupings of module enablers are stored for the respective home and nix setups. Note that =home= profiles are also used in NixOS setups (extensively even)! This is used to quickly enable common configuration for a machine use, e.g. the [[#h:dfc076fd-ee74-4663-b164-653370c52b75][Server]] profile.
 
-  - =nix=: This special folder holds mostly =.nix= files that are not automatically loaded, but rather setup specific things that affect most of the flake. For example, here lies the aforementioned [[#h:87c7893e-e946-4fc0-8973-1ca27d15cf0e][extra-builtins]] as well as the setup for the [[*Globals][Globals]] system. TODO: Move flake-parts units there and explain them here.
+  - =nix=: This special folder holds mostly =.nix= files that are not automatically loaded, but rather setup specific things that affect most of the flake. For example, here lies the aforementioned [[#h:87c7893e-e946-4fc0-8973-1ca27d15cf0e][extra-builtins]] as well as the setup for the [[*Globals][Globals]] system. Also in here are the flake-parts files that you read about earlier. This gives the following functionality:
+    - =lib=: I define some utility functions that I add to the nixpkgs library under the =swarselsystems= attribute set. An example would be the =mkIfElse= function.
+    - =checks=: As part of a [[#h:4d0548db-99b2-4e07-b762-6d86fbb26d4c][Devshell (checks)]], I declare pre-commit hooks that should run before I push changes to my repo.
+    - =overlays=: Here we also define the main (default) overlay I am using in my configuration. It is responsible for adding my defined packages and modifications to the final nixpkgs. Also I add some other conveniences like all past stable nixpkgs and some other package sets.
+    - =apps=: I also define [[#h:52e1fae8-0e8c-4be6-a6ce-758ada652dd3][Apps]], which is an output of derivations that can be called by =nix run= without having the flake locally - this is mostly used for my =swarsel-*= utilities.
+    - =topology=: I also created a diagram of my infrastructure using [[https://github.com/oddlama/nix-topology][nix-topology]]. While I do not update this too often, this (I think) can quickly give a good overview of the scope of this flake as well as its services.
 
-  - =lib=: This folder holds utility functions that I add to the nixpkgs library under the =swarselsystems= attribute set. An example would be the =mkIfElse= function.
+  - =pkgs=: This folder holds derivations (mostly packages) that I define myself. This is mostly used to grab versions that are not (yet) in nixpkgs, or modified versions of another package. Each derivation in this folder is in turn in its own folder which holds a defautlt.nix. Using the mechanism in [[#h:64a5cc16-6b16-4802-b421-c67ccef853e1][Packages]], these are automatically built and available to all configurations (packages still need to be installed e.g. in =environment.systemPackages=). Note that the folder at the top level splits up in =config= and =flake= subdirectories:
+    - The =config= dir is used for packages that need the actual config of the machine where they run in order to be built. These packages cannot simply be released as a flake output (or better, it would not make a lot of sense). Instead, these are added within the configuration as an overlay
 
-  - =pkgs=: This folder holds derivations (mostly packages) that I define myself. This is mostly used to grab versions that are not (yet) in nixpkgs, or modified versions of another package. Each derivation in this folder is in turn in its own folder which holds a defautlt.nix. Using the mechanism in [[#h:64a5cc16-6b16-4802-b421-c67ccef853e1][Packages]], these are automatically built and available to all configurations (packages still need to be installed e.g. in =environment.systemPackages=)
+    - The =flake= dir is used for the conventional packages that I described above.
 
-  - =checks=: Holds a file that defines my pre-commit-hook checks. TODO: move this to /nix probably
+  - =files=: This is kind of a catchall folder that holds (nearly) all non-nix files. It mostly holds blocks created in [[#h:8fc9f66a-7412-4091-8dee-a06f897baf67][Appendix B: Supplementary Files]], but also some more specific directories:
+    - =scripts=: This folder holds a bunch of shell scripts that I use for various tasks. Nearly all of these are made into a derivation using =pkgs.writeShellApplication=. In the future (TODO?), I might convert these to native nix, but in the past I kept the as true shellfiles in case I ever wanted to move away from nix. This is becoming less and less likely, however. And even in case that this would happen, I could retrieve these files from the nix store and would simply have to remove the nix store paths.
+    - =wallpaper=: Holds my wallpapers and profile pictures :)
+    - =topology-images=: Holds pictures used by [[#h:391e7712-fef3-4f13-a3ed-d36e228166fd][Topology]] :)
 
-  - =scripts=: This folder holds a bunch of shell scripts that I use for various tasks. Nearly all of these are made into a derivation using =pkgs.writeShellApplication=. In the future (TODO?), I might convert these to native nix, but in the past I kept the as true shellfiles in case I ever wanted to move away from nix. This is becoming less and less likely, however. And even in case that this would happen, I could retrieve these files from the nix store and would simply have to remove the nix store paths.
+  - =secrets=: Unlike the similar folder under =hosts=, this folder holds sops-encrypted secrets and PIIs that are used by a number of hosts that is greater than one.
 
-  - =secrets=: Unlike the similar folder under =hosts=, this folder holds actual sops-encrypted secrets that are created at activation time and not in the nix store. The folder splits up into a bunch of <hostname> folders, as well as a =repo= folder, which holds another =pii.nix.enc=, which holds global PII's, and a =certs= folder that holds some longer certificate style secrets.
+  - =install=: This folder holds another [[#h:1d4514b4-e952-4faf-b30e-d89e73a526c6][Installer flake]]. That flake pulls in the =nixosConfigurationsMinimal= that are defined in [[#h:5c5bf78a-9a66-436f-bd85-85871d9d402b][Hosts]] of the main flake, which enables me to build an extemely reduced configuration when I deploy a new host for the first time - this is used by [[#h:74db57ae-0bb9-4257-84be-eddbc85130dd][swarsel-bootstrap]] in the first installation step. It also holds the configuration of the two installer images that I use to deploy this flake:
+    - [[#h:8583371d-5d47-468b-84ba-210aad7e2c90][Drugstore (ISO installer config)]]: This is the general installer ISO that I use whenever I can when I want to deploy a new host. It has a few conveniences like some of my utility programs for figuring out some dependencies or network quirks, as well as my public ssh keys so that I can immediately login to them.
 
-  - =overlays=: This holds a single =default.nix= that defines the overlay I am using in my configuration. It is responsible for adding my defined packages and modifications to the final nixpkgs. Also I add some other conveniences like all past stable nixpkgs and some other package sets.
+    - [[#h:e9fe580c-f1b2-4d7b-aaff-bbdf89a8c9f9][Brick Road (kexec image)]]: This is a kexec tarball that can be used by [[#h:74db57ae-0bb9-4257-84be-eddbc85130dd][swarsel-bootstrap]] in case that I need to deploy to a machine that has less than 1GB of RAM. It is basically just an even more stripped down version of the detault one used by nixos-anywhere, but notably I added cryptsetup so that it can be used when setting up an encrypted device using disko.
 
-  - =programs=: This folder holds configurations for various programs (most notably emacs' =init.el= and =early-init.el=), that are being rendered using org-babel and loaded using nix.
-
-  - =wallpaper=: Holds wallpapers and profile pictures.
-
-  - =topology=: Holds the configuration used by [[https://github.com/oddlama/nix-topology][nix-topology]].
+  - =.github=: Canonically, this holds github related files like the [[#h:bf3e6fc0-a95a-46d0-9305-0d1068b2f1ec][GitHub Readme]] and some workflows.
 
 ** Hosts
 :PROPERTIES:
 :CUSTOM_ID: h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02
 :END:
 
-Here I give a brief overview over the hostmachines that I am using. This is held in markdown so that I can render it into my GitHub README.
+Here I give a brief overview over the host machines that I am using. This is held in markdown so that I can render it into my [[#h:bf3e6fc0-a95a-46d0-9305-0d1068b2f1ec][GitHub Readme]] without further effort.
 
 #+begin_src markdown :tangle no :noweb-ref hosts
   | Name                | Hardware                                            | Use                                                             |
@@ -247,7 +259,7 @@ Here I give a brief overview over the hostmachines that I am using. This is held
   |📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                                           |
   |💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts                 |
   |💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines             |
-  |❔ **chaotheatre**   | -                                                   | Demo config for checking out this configuration                 |
+  |❔ **hotel**         | -                                                   | Demo config for checking out this configuration                 |
   |❔ **toto**          | -                                                   | Helper configuration for testing purposes                       |
 #+end_src
 
@@ -256,6 +268,8 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 :CUSTOM_ID: h:3bb92528-c61c-4b8d-8214-bf2a40baaa32
 :END:
 
+This is meant to give a brief overview over the main programs/components that I use on a daily basis on my client machines. This should be mostly useful for people wanting to rice their config, or people who believed this repos title and are looking for =.dotfiles= :p
+
 #+begin_src markdown :tangle no :noweb-ref programs
   | Topic         | Program                                                                                                                     |
   |---------------|-----------------------------------------------------------------------------------------------------------------------------|
@@ -276,6 +290,8 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 :CUSTOM_ID: h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9
 :END:
 
+This is a comprehensive list of the services/components ran by my server machines.
+
 #+begin_src markdown :tangle no :noweb-ref services
   | Topic                      | Program                                                                                                        |
   |----------------------------|----------------------------------------------------------------------------------------------------------------|
@@ -304,6 +320,7 @@ Here I give a brief overview over the hostmachines that I am using. This is held
   |⛏️ **Minecraft**            | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix)                 |
   |☁️ **S3**                   | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix)                       |
   |🕸️ **Nix Binary Cache**     | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix)                         |
+  |🐙 **Nix Build farm**       | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix)                         |
   |🔑 **Cert-based SSH**       | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix)                       |
   |🔨 **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix)                     |
   |👀 **DNS**                  | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix)                             |
@@ -315,7 +332,14 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 :CUSTOM_ID: h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a
 :END:
 
-#+begin_src markdown :noweb yes :exports both :results html
+In the [[#h:a86fe971-f169-4052-aacf-15e0f267c6cd][Introduction (no code)]], I mentioned that this is a nearly fully declarative config. In fact, most client configs are in one way or another not fully declarative. I use oneshotting systemd services + sentinel files for most such tasks (which makes them declarative!), but some of them I would rather perform manually once. This mainly concerns work related things.
+
+Whenever I encounter a configuration bit that needs manual steps, I use a [[#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c][Appendix A: Noweb-Ref blocks]] to tangle that bit of information into a central place (here). I discern between the following scenarios:
+  - =setup=: Used in a standard NixOs + home-manager deployment
+  - =worksetup=: Stuff to be done only on work machines
+  - =homemanageronlysetup=: Steps that are needed only on machines that are not running NixOs.
+
+#+begin_src markdown :noweb yes :exports results :results html
   These steps are required when setting up a normal NixOS host:
 
   <<setup>>
@@ -365,14 +389,20 @@ If the new machine is home-manager only, perform these steps:
   1) Clone dotfile repo & change into it
   2) `nix --extra-experimental-features 'nix-command flakes' develop`
   3) `home-manager --extra-experimental-features 'nix-command flakes' switch --flake .#$(hostname) --show-trace`
-#+end_export
+#+end
 
-** Current issues
+** TODO Current issues
 :PROPERTIES:
 :CUSTOM_ID: h:b562adaf-536c-4267-88a5-026d8a0cda61
 :END:
 
-#+begin_src markdown :noweb yes :exports both :results html
+Besides the manual steps outlined above, sometimes things break when I update this flake. The fix, for me, is most of the times one of these two:
+  - instead of the broken package, use the package from the latest stable nixpkgs release where the package is still functoning (this is why I pull all of these in as inputs)
+  - if the broken component is critical, I perform manual patches/overrides.
+
+In order to keep track of these changes, I gather them here in a similar style to what you saw in [[#h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a][Manual steps when setting up a new machine]]. I simply prefix them with the date and check them after a while to see if things got better. TODO: this list is not comprehensive probably
+
+#+begin_src markdown :noweb yes :exports results :results html
   Currently, these adaptions are made to the configuration to account for bugs in upstream repos:
 
   <<fixes>>
@@ -419,11 +449,11 @@ Nowadays, I use flake-parts to manage my flake. It allows me to conveniently spl
 :CUSTOM_ID: h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b
 :END:
 
-In general, a nix flake consists of one or more inputs and several outputs. The inputs are used to define where nix should be looking for packages, modules, and more. The outputs generate expressions that can be used in .nix files as well as system configurations using these files.
+In general, a nix flake consists of one or more inputs and several outputs. The inputs are used to define where nix should be looking for packages, modules, and more (the most common input is =nixpkgs=, which provides a lot of packages, library functions and modules). The outputs generate expressions that can be used in .nix files as well as system configurations using these files.
 
 In the start, I enable some public cache repositories. This saves some time during rebuilds because it avoids building as many packages from scratch - this is mainly important for community flakes like =emacs-overlay=, which basically would trigger a rebuild whenever updating the flake. The repository does of course not hold everything, but it lightens the pain. It would look cleaner if this were to be used only inside a nix configuration block of an actual system, but I want these caches to be used for e.g. app calls as well.
 
-In many flakes, you see a structure like this: =outputs = inputs@ [...]=, the =inputs@= makes it so that all inputs are automatically passed to the outputs and can be called as =inputs.<name>=, whereas explicit arguments may just be called by using =<name>=. For most flakes this is fully sufficient, as they do not need to be called often and it saves me maintainance effort with this file. In fact, I also used to make use of this mechanism. However, using flake-parts, all I really need for the outputs function is inputs, which is why my outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } { [...] ). Note that flake-parts must inherit these inputs and no other arguments are expected.
+In many flakes, you see a structure like this: =outputs = inputs@ [...]=, the =inputs@= makes it so that all inputs are automatically passed to the outputs and can be called as =inputs.<name>=, whereas explicit arguments may just be called by using =<name>= (for a more detailed explanation, s). For most flakes this is fully sufficient, as they do not need to be called often and it saves me maintainance effort with this file. In fact, I also used to make use of this mechanism. However, using flake-parts, all I really need for the outputs function is inputs, which is why my outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } { [...] ). Note that flake-parts must inherit these inputs and no other arguments are expected.
 
 In this section I am creating some attributes that define general concepts of my configuration:
 
@@ -450,15 +480,15 @@ Here, just add the input names, urls and other options that are needed, like =ni
 A short overview over each input and what it does:
 
 - [[https://github.com/NixOS/nixpkgs][nixpkgs]]
-  This is the base repository that I am following for all packages. I follow the unstable branch.
+  This is the base repository that I am following for all packages. I follow the unstable branch. Also I pull in some older revisions of nixpkgs stable for various purposes.
 - [[https://github.com/nix-community/home-manager][home-manager]]
   This handles user-level configuration and mostly provides dotfiles that are generated and symlinked to =~/.config/=.
-- [[https://github.com/Swarsel/.dotfiles][swarsel]]
-  This pulls in the very dotfiles you are currently reading. I am adding this to the flake registry in order to have easier access to my customizations in nix calls, for example =nix-instantiate=
+- [[https://github.com/Swarsel/swarsel-nix][swarsel-nix]]
+  This pulls in the very dotfiles you are currently reading. I am adding this to the flake registry in order to
 - [[https://github.com/nix-community/NUR][NUR]]
   The nix user repository contains user provided modules, packages and expressions. These are not audited by the nix community, so be aware of supply chain vulnerabilities when using those. I am only really using rycee's firefox addons from there which saves me a lot of hassle, and it seems to be a safe resource.
 - [[https://github.com/nix-community/nixGL][nixGL]]
-  This solves the problem that nix has with "OpenGL", as libraries are not linked and programs will often fail to find drivers. But I do not fully understand what it does. All I know is that I usually have to use this on non-NIxoS systems.
+  This solves the problem that nix has with =OpenGL=, as libraries are not linked and programs will often fail to find drivers. Nowadays, this is included in the [[#h:90af1862-90b3-4c93-8730-2443bc62986a][nixGL]] module of home-manager, but even that requres a binary for nixGL, which is what I pull from this input.
 - [[https://github.com/danth/stylix][stylix]]
   As described before, this handles all theme related options.
 - [[https://github.com/Mic92/sops-nix][sops-nix]]
@@ -489,10 +519,33 @@ A short overview over each input and what it does:
   Provides access to several checks that can be hooked to be run before several stages in the process.
 - [[https://github.com/oddlama/nix-topology][nix-topology]]
   This automatically creates a topology diagram of my configuration.
-- flake-parts
+- [[https://github.com/hercules-ci/flake-parts][flake-parts]]
   The aforementioned system that allows for more convenient flake crafting.
-- devshell
+- [[https://github.com/numtide/devshell][devshell]]
   This provides devshell support for flake-parts
+- [[https://github.com/Gerg-L/spicetify-nix][spicetify]]
+  This is a improved spotify client. This provides a NixOs module to manage it.
+- [[https://github.com/sodiboo/niri-flake][niri-flake]]
+  This is an optional input that I reserve to use in the future; it provides a module to manage [[#h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb][Niri]] in a way that is way more all-encompassing than the current modules in nixpkgs/home-manager. However, I do not include this by default as this leads to a full compilation of latest niri - this is used only be the niri config evaluator, but is even built if niri is not included in the final config. Also, the binary cache provided by this flake does usually not have the latest niri cached.
+- [[https://github.com/microvm-nix/microvm.nix][microvm.nix]]
+  This flake brings support for microvms to nix. This is basically a more isolated alternative to classic NixOs containers, while keeping most of their benefits.
+- [[https://github.com/numtide/treefmt-nix][treefmt-nix]]
+  This allows to specify a range of formatters for different languages and aspects which can all be run upon =nix fmt=.
+- [[https://github.com/oddlama/nixos-extra-modules][nixos-extra-modules]]
+  This is a collection of modules that add some qualitative functions to several aspects of nix, for example:
+  - microvm management
+  - wireguard support for nix-topology
+  - some extensions to the network library
+
+  At the moment I am not using the full range of modules, but my usage keeps increasing steadily. Using this module forced me to make some adjustments in my config, namely exposing the =nodes= output in [[#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02][Hosts]].
+- [[https://github.com/nix-community/dns.nix][dns.nix]]
+  This adds a module that helps with creating zone files (like [[#h:dc1dbc54-46f7-406d-a551-527e97439614][nsd (dns) - site1]]). This flake was competing with [[https://github.com/Janik-Haag/nixos-dns/][NixOS-DNS]] for my favour - while the latter adds many nice utilities that generage records straight from a host configuration, I prefer to do this myself using the [[#h:af83893d-c0f9-4b45-b816-4849110d41b3][Globals]] + [[#h:5c3027b4-ba66-445e-9c5f-c27e332c90e5][Share configuration between nodes (automatically active)]] systems. In the end, I just tried out dns.nix without giving NixOS-DNS a chance and it has been working great, but I believe NixOS-DNS still deserves a mention here, as it would have been a great fit as well, most likely.
+- [[https://github.com/Infinidoge/nix-minecraft][nix-minecraft]]
+  This adds a module that makes it easier to manage (modded) minecraft servers. At the moment, it does not really work with Forge 1.20.1 (which is what my server is running), so I am not making full use of it right now, but I keep close watch on it every day.
+- [[https://gitlab.com/simple-nixos-mailserver/nixos-mailserver][nixos-mailserver]]
+  This adds a module that basically sets up a full mailserver stack. Apart of DNS records and a few extra steps for e.g. a web client, this is one-stop solution that has been working greatly for me.
+- [[https://github.com/NixOS/hydra][hydra]]
+  The hydra module already exists in nixpkgs - however, because, I am also using [[https://github.com/shlevy/nix-plugins][nix-plugins]], I need to build all tools that are using nix against a specific nix version (this is also why I pull in =nix-eval-jobs= as a flake input).
 
 #+begin_src nix :noweb yes :tangle flake.nix
   {
@@ -2871,8 +2924,9 @@ This is my main server that I run at home. It handles most tasks that require bi
       isLinux = true;
       isNixos = true;
       isSwap = false;
-      rootDisk = "/dev/sda";
+      rootDisk = "/dev/disk/by-id/ata-TS128GMTS430S_H537280456";
       withMicroVMs = false;
+      server.localNetwork = "lan";
     };
 
   } // lib.optionalAttrs (!minimal) {
@@ -2881,38 +2935,8 @@ This is my main server that I run at home. It handles most tasks that require bi
       server = true;
     };
 
-    swarselmodules = {
-      server = {
-        nfs = false;
-        nginx = false;
-        kavita = false;
-        restic = false;
-        jellyfin = false;
-        navidrome = false;
-        spotifyd = false;
-        mpd = false;
-        postgresql = false;
-        matrix = false;
-        nextcloud = false;
-        immich = false;
-        paperless = false;
-        transmission = false;
-        syncthing = false;
-        grafana = false;
-        emacs = false;
-        freshrss = false;
-        jenkins = false;
-        kanidm = false;
-        firefly-iii = false;
-        koillection = false;
-        radicale = false;
-        atuin = false;
-        forgejo = false;
-        ankisync = false;
-        homebox = false;
-        opkssh = false;
-        garage = false;
-      };
+    swarselmodules.server = {
+      nginx = lib.mkForce false;
     };
 
     microvm.vms =
@@ -21414,20 +21438,29 @@ When setting up a new machine:
               };
             }
             {
-              # work main screen
+              # work side screen
               output = {
                 criteria = "HP Inc. HP 732pk CNC4080YL5";
                 scale = 1.0;
                 mode = "3840x2160";
+                transform = "270";
               };
             }
+            # {
+            #   # work side screen
+            #   output = {
+            #     criteria = "Hewlett Packard HP Z24i CN44250RDT";
+            #     scale = 1.0;
+            #     mode = "1920x1200";
+            #     transform = "270";
+            #   };
+            # }
             {
-              # work side screen
+              # work main screen
               output = {
-                criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                criteria = "HP Inc. HP Z32 CN41212T55";
                 scale = 1.0;
-                mode = "1920x1200";
-                transform = "270";
+                mode = "3840x2160";
               };
             }
             {
@@ -21435,28 +21468,28 @@ When setting up a new machine:
                 name = "lidopen";
                 exec = [
                   "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
-                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                  "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
                 ];
                 outputs = [
                   {
                     criteria = config.swarselsystems.sharescreen;
                     status = "enable";
                     scale = 1.5;
-                    position = "1462,0";
+                    position = "2560,0";
                   }
                   {
                     criteria = "HP Inc. HP 732pk CNC4080YL5";
-                    scale = 1.4;
+                    scale = 1.0;
                     mode = "3840x2160";
-                    position = "-1280,0";
+                    position = "-3440,-1050";
+                    transform = "270";
                   }
                   {
-                    criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                    criteria = "HP Inc. HP Z32 CN41212T55";
                     scale = 1.0;
-                    mode = "1920x1200";
-                    transform = "90";
-                    position = "-2480,0";
+                    mode = "3840x2160";
+                    position = "-1280,0";
                   }
                 ];
               };
@@ -21493,8 +21526,8 @@ When setting up a new machine:
               profile = {
                 name = "lidclosed";
                 exec = [
-                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                  "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55'  --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
                 ];
                 outputs = [
                   {
@@ -21503,16 +21536,16 @@ When setting up a new machine:
                   }
                   {
                     criteria = "HP Inc. HP 732pk CNC4080YL5";
-                    scale = 1.4;
+                    scale = 1.0;
                     mode = "3840x2160";
-                    position = "-1280,0";
+                    position = "-3440,-1050";
+                    transform = "270";
                   }
                   {
-                    criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                    criteria = "HP Inc. HP Z32 CN41212T55";
                     scale = 1.0;
-                    mode = "1920x1200";
-                    transform = "270";
-                    position = "-2480,0";
+                    mode = "3840x2160";
+                    position = "-1280,0";
                   }
                 ];
               };
@@ -21697,25 +21730,35 @@ When setting up a new machine:
             # output = "DP-7";
             output = name;
           };
-          work_back_right = rec {
+          work_middle_middle_main = rec {
             name = "HP Inc. HP Z32 CN41212T55";
             mode = "3840x2160";
             scale = "1";
-            position = "5120,0";
+            position = "-1280,0";
             workspace = "1:一";
             # output = "DP-3";
             output = name;
           };
-          work_middle_middle_main = rec {
+          # work_middle_middle_main = rec {
+          #   name = "HP Inc. HP 732pk CNC4080YL5";
+          #   mode = "3840x2160";
+          #   scale = "1";
+          #   position = "-1280,0";
+          #   workspace = "11:M";
+          #   # output = "DP-8";
+          #   output = name;
+          # };
+          work_middle_middle_side = rec {
             name = "HP Inc. HP 732pk CNC4080YL5";
             mode = "3840x2160";
+            transform = "270";
             scale = "1";
-            position = "-1280,0";
-            workspace = "11:M";
+            position = "-3440,-1050";
+            workspace = "12:S";
             # output = "DP-8";
             output = name;
           };
-          work_middle_middle_side = rec {
+          work_middle_middle_old = rec {
             name = "Hewlett Packard HP Z24i CN44250RDT";
             mode = "1920x1200";
             transform = "270";
@@ -23014,6 +23057,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
 
   function cleanup() {
       rm -rf "$temp"
+      rm -rf /tmp/disko-password
   }
   trap cleanup exit
 
@@ -23117,7 +23161,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
 
   LOCKED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.node.lockFromBootstrapping)"
   if [[ $LOCKED == "true" ]]; then
-      red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING - set `node.lockFromBootstrapping = lib.mkForce false;` to proceed"
+      red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING - set 'node.lockFromBootstrapping = lib.mkForce false;' to proceed"
       exit
   fi
 
@@ -23207,6 +23251,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
           green "Please confirm passphrase:"
           read -rs luks_passphrase_confirm
           if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
+              echo "$luks_passphrase" > /tmp/disko-password
               $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password"
               break
           else
@@ -23295,7 +23340,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
       vim "${git_root}"/.sops.yaml
   fi
   green "Updating all secrets files to reflect updates .sops.yaml"
-  sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/*
+  sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/* || true
   # --------------------------
   green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
   sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
@@ -23366,6 +23411,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
   if yes_or_no "Reboot now?"; then
       $ssh_root_cmd "reboot"
   fi
+
+  rm -rf /tmp/disko-password
 #+end_src
 
 #+RESULTS:
diff --git a/index.html b/index.html
index 2b48665..40c054a 100644
--- a/index.html
+++ b/index.html
@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-12-02 Di 17:29 -->
+<!-- 2025-12-18 Do 17:26 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configurationo</title>
@@ -210,7 +210,7 @@
 <li><a href="#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">1.5. Programs</a></li>
 <li><a href="#h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9">1.6. Services</a></li>
 <li><a href="#h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a">1.7. Manual steps when setting up a new machine</a></li>
-<li><a href="#h:b562adaf-536c-4267-88a5-026d8a0cda61">1.8. Current issues</a></li>
+<li><a href="#h:b562adaf-536c-4267-88a5-026d8a0cda61">1.8. <span class="todo TODO">TODO</span> Current issues</a></li>
 </ul>
 </li>
 <li><a href="#h:c7588c0d-2528-485d-b2df-04d6336428d7">2. flake.nix</a>
@@ -309,25 +309,25 @@
 <li><a href="#h:19a83f57-9e7a-44b9-ae7f-2f021f21abf7">3.1.3.2.3. disko</a></li>
 </ul>
 </li>
-<li><a href="#org92858eb">3.1.3.3. Stoicclub (OCI)</a>
+<li><a href="#orgb102012">3.1.3.3. Stoicclub (OCI)</a>
 <ul>
-<li><a href="#org4fcacfe">3.1.3.3.1. Main Configuration</a></li>
-<li><a href="#org37ab960">3.1.3.3.2. hardware-configuration</a></li>
-<li><a href="#orgb3e7776">3.1.3.3.3. disko</a></li>
+<li><a href="#orgfc0dbd1">3.1.3.3.1. Main Configuration</a></li>
+<li><a href="#org44fa175">3.1.3.3.2. hardware-configuration</a></li>
+<li><a href="#org64ed767">3.1.3.3.3. disko</a></li>
 </ul>
 </li>
-<li><a href="#orgbc61b21">3.1.3.4. Liliputsteps (OCI)</a>
+<li><a href="#org629ed1e">3.1.3.4. Liliputsteps (OCI)</a>
 <ul>
-<li><a href="#orgcdf9524">3.1.3.4.1. Main Configuration</a></li>
-<li><a href="#org3af6345">3.1.3.4.2. hardware-configuration</a></li>
-<li><a href="#org4a8754e">3.1.3.4.3. disko</a></li>
+<li><a href="#orgfd14c2b">3.1.3.4.1. Main Configuration</a></li>
+<li><a href="#orgac947ce">3.1.3.4.2. hardware-configuration</a></li>
+<li><a href="#org0f9eb0b">3.1.3.4.3. disko</a></li>
 </ul>
 </li>
-<li><a href="#org9fe1d65">3.1.3.5. Twothreetunnel (OCI)</a>
+<li><a href="#org8e0d485">3.1.3.5. Twothreetunnel (OCI)</a>
 <ul>
-<li><a href="#org5ae56f6">3.1.3.5.1. Main Configuration</a></li>
-<li><a href="#orgfb373a9">3.1.3.5.2. hardware-configuration</a></li>
-<li><a href="#org91b78ef">3.1.3.5.3. disko</a></li>
+<li><a href="#orgb29f023">3.1.3.5.1. Main Configuration</a></li>
+<li><a href="#org62cc621">3.1.3.5.2. hardware-configuration</a></li>
+<li><a href="#org6b396fd">3.1.3.5.3. disko</a></li>
 </ul>
 </li>
 <li><a href="#h:81bc8746-b46b-4d29-87de-ddbd77788b43">3.1.3.6. Eagleland (Hetzner)</a>
@@ -393,7 +393,7 @@
 <li><a href="#h:aa433f5e-a455-4414-b76b-0a2692fa06aa">3.2.2.8. Pipewire</a></li>
 <li><a href="#h:7d696b64-debe-4a95-80b5-1e510156a6c6">3.2.2.9. Common network settings</a></li>
 <li><a href="#h:d87d80fd-2ac7-4f29-b338-0518d06b4deb">3.2.2.10. sops</a></li>
-<li><a href="#org67f054d">3.2.2.11. Remote building</a></li>
+<li><a href="#org971dd05">3.2.2.11. Remote building</a></li>
 <li><a href="#h:e6e44705-94af-49fe-9ca0-0629d0f7d932">3.2.2.12. Theme (stylix)</a></li>
 <li><a href="#h:2bbf5f31-246d-4738-925f-eca40681f7b6">3.2.2.13. Programs (including zsh setup)</a>
 <ul>
@@ -441,12 +441,12 @@
 <li><a href="#h:d6840d31-110c-465f-93fa-0306f755de28">3.2.3.4. nfs/samba (smb)</a></li>
 <li><a href="#h:302468d2-106a-41c8-b2bc-9fdc40064a9c">3.2.3.5. NGINX</a></li>
 <li><a href="#h:f3db197d-1d03-4bf8-b59f-f9891b358f0b">3.2.3.6. ssh</a></li>
-<li><a href="#orgb4a730c">3.2.3.7. Bastion</a></li>
-<li><a href="#org2bc1b25">3.2.3.8. ssh builder config</a></li>
+<li><a href="#org8e70117">3.2.3.7. Bastion</a></li>
+<li><a href="#org47acf2d">3.2.3.8. ssh builder config</a></li>
 <li><a href="#h:0ff3acc5-9ce8-4b22-a2e2-f6f1e69d47a5">3.2.3.9. Network settings</a></li>
 <li><a href="#h:19d829f6-580f-4e04-8776-2bfd83c3c3dd">3.2.3.10. Disk encryption</a></li>
-<li><a href="#org1c4f7ad">3.2.3.11. Wireguard</a></li>
-<li><a href="#orge5e48f0">3.2.3.12. BTRFS</a></li>
+<li><a href="#org944eba1">3.2.3.11. Wireguard</a></li>
+<li><a href="#org5b371f2">3.2.3.12. BTRFS</a></li>
 <li><a href="#h:b54f2bbb-0088-46b2-957d-fd8234b772c3">3.2.3.13. Router</a></li>
 <li><a href="#h:d33f5982-dfe6-42d0-9cf2-2cd8c7b04295">3.2.3.14. kavita</a></li>
 <li><a href="#h:e0d4c16e-ab64-48ac-9734-1ab62953ad4b">3.2.3.15. jellyfin</a></li>
@@ -463,7 +463,7 @@
 <li><a href="#h:ad2787a2-7b1c-4326-aeff-9d8d6c3f591d">3.2.3.26. syncthing</a></li>
 <li><a href="#h:b73ac8bf-b721-4563-9eff-973925c99a39">3.2.3.27. restic</a></li>
 <li><a href="#h:a31c7192-e11d-4a26-915d-1bbc38e373d3">3.2.3.28. monitoring (Grafana, Prometheus)</a></li>
-<li><a href="#h:23452a18-a0a1-4515-8612-ceb19bb5fc22">3.2.3.29. Jenkins</a></li>
+<li><a href="#h:23452a18-a0a1-4515-8612-ceb19bb5fc22">3.2.3.29. Jenkins (currently unused)</a></li>
 <li><a href="#h:4e6824bc-c3db-485d-b543-4072e6283b62">3.2.3.30. Emacs elfeed (RSS Server)</a></li>
 <li><a href="#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d">3.2.3.31. FreshRSS</a></li>
 <li><a href="#h:a9965660-4358-4b9a-8c46-d55f28598344">3.2.3.32. forgejo (git server)</a></li>
@@ -478,16 +478,17 @@
 <li><a href="#h:13071cc3-5cba-44b5-8b5b-2a27be22e021">3.2.3.41. microbin</a></li>
 <li><a href="#h:4ccdcd5c-a4dd-49e4-94e7-d81db970059c">3.2.3.42. shlink</a></li>
 <li><a href="#h:e46c37ac-5610-4603-8afc-2f5f008fc14d">3.2.3.43. slink</a></li>
-<li><a href="#h:470f7ee3-3307-4949-b0fa-403171e3859a">3.2.3.44. Snipe-IT</a></li>
+<li><a href="#h:470f7ee3-3307-4949-b0fa-403171e3859a">3.2.3.44. Snipe-IT (currently unused)</a></li>
 <li><a href="#h:5b4feb1b-e7a3-43f1-9930-8d00012742ad">3.2.3.45. Homebox</a></li>
 <li><a href="#h:6e30509a-1320-4993-a9c7-70d28ef2906a">3.2.3.46. OPKSSH</a></li>
 <li><a href="#h:81c76be4-45f1-44e5-890d-6d082a95ab51">3.2.3.47. Garage</a></li>
-<li><a href="#orgf67d718">3.2.3.48. Set host domain for dns</a></li>
+<li><a href="#org581e723">3.2.3.48. Set host domain for dns</a></li>
 <li><a href="#h:ef5b7ace-4870-4dfa-9532-9a9d2722dc9a">3.2.3.49. nsd (dns)</a></li>
 <li><a href="#h:dc1dbc54-46f7-406d-a551-527e97439614">3.2.3.50. nsd (dns) - site1</a></li>
 <li><a href="#h:948d4f4e-b752-4e2e-b8a9-35d9d7f246c6">3.2.3.51. Minecraft</a></li>
 <li><a href="#h:64cbeb7e-0773-4eb5-8e52-6b97c8f685e2">3.2.3.52. Mailserver</a></li>
 <li><a href="#h:092593d2-0ca0-4f86-9951-6127a3594e25">3.2.3.53. Attic (nix binary cache)</a></li>
+<li><a href="#org677d4e0">3.2.3.54. Hydra</a></li>
 </ul>
 </li>
 <li><a href="#h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47">3.2.4. Darwin</a>
@@ -507,10 +508,10 @@
 <li><a href="#h:0dc68d4f-72b3-465a-8d73-4453d06e7853">3.2.5.8. AMD GPU</a></li>
 <li><a href="#h:15b581ab-09fe-4f84-af26-2f1fbf7d726b">3.2.5.9. Hibernation</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.2.5.10. work</a></li>
-<li><a href="#org49c6375">3.2.5.11. Uni</a></li>
+<li><a href="#orgc4779bb">3.2.5.11. Uni</a></li>
 <li><a href="#h:ded3276e-3e97-4863-a29e-b978d8aae1c9">3.2.5.12. microvm-host</a></li>
 <li><a href="#h:46419b40-c40b-4b55-ac6f-a30169322bd6">3.2.5.13. microvm-guest</a></li>
-<li><a href="#orgf907470">3.2.5.14. systemd-networkd (server)</a></li>
+<li><a href="#org8d0411f">3.2.5.14. systemd-networkd (server)</a></li>
 </ul>
 </li>
 </ul>
@@ -633,36 +634,37 @@
 <li><a href="#h:e6612cff-0804-47ef-9f2b-d2cc6d81a896">3.4.6.4. hm-specialisation</a></li>
 <li><a href="#h:73b14c7a-5444-4fed-b7ac-d65542cdeda3">3.4.6.5. cdw</a></li>
 <li><a href="#h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1">3.4.6.6. cdb</a></li>
-<li><a href="#h:03b1b77b-3ca8-4a8f-8e28-9f29004d96d3">3.4.6.7. bak</a></li>
-<li><a href="#h:3c72d263-411c-44f0-90ff-55f14d4d9d49">3.4.6.8. timer</a></li>
-<li><a href="#h:1834df06-9238-4efa-9af6-851dafe66c68">3.4.6.9. e</a></li>
-<li><a href="#h:10268005-a9cd-4a00-967c-cbe975c552fa">3.4.6.10. command-not-found</a></li>
-<li><a href="#h:82f4f414-749b-4d5a-aaaa-6e3ec15fbc3d">3.4.6.11. swarselcheck</a></li>
-<li><a href="#h:96da8360-2d23-4e86-9602-415fbdb972af">3.4.6.12. swarselcheck-niri</a></li>
-<li><a href="#h:564c102c-e335-4f17-a613-c5a436bb4864">3.4.6.13. swarselzellij</a></li>
-<li><a href="#h:f93f66f9-6b8b-478e-b139-b2f382c1f25e">3.4.6.14. waybarupdate</a></li>
-<li><a href="#h:a1d94db2-837a-40c4-bbd8-81ce847440ee">3.4.6.15. opacitytoggle</a></li>
-<li><a href="#h:7c4e41b3-8c1e-4f71-87a6-30d40baed6a0">3.4.6.16. fs-diff</a></li>
-<li><a href="#h:a9398c4e-4d3b-4942-b03c-192f9c0517e5">3.4.6.17. github-notifications</a></li>
-<li><a href="#h:3981cd16-00c0-4ea8-95e2-c6d8c04ec4e5">3.4.6.18. kanshare</a></li>
-<li><a href="#h:74db57ae-0bb9-4257-84be-eddbc85130dd">3.4.6.19. swarsel-bootstrap</a></li>
-<li><a href="#h:1eabdc59-8832-44ca-a22b-11f848ab150a">3.4.6.20. swarsel-rebuild</a></li>
-<li><a href="#h:fbd8aaf2-9dca-4ca3-aca1-19d0d188a435">3.4.6.21. swarsel-install</a></li>
-<li><a href="#h:c98a7615-e5da-4f47-8ed1-2b2ea65519e9">3.4.6.22. swarsel-postinstall</a></li>
-<li><a href="#h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1">3.4.6.23. t2ts</a></li>
-<li><a href="#h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1">3.4.6.24. ts2t</a></li>
-<li><a href="#h:7806b129-a4a5-4d10-af27-6cbeafbcb294">3.4.6.25. vershell</a></li>
-<li><a href="#h:9fda7829-09a4-4b8f-86f6-08b078ab2874">3.4.6.26. eontimer</a></li>
-<li><a href="#h:154b6df4-dd50-4f60-9794-05a140d02994">3.4.6.27. project</a></li>
-<li><a href="#h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0">3.4.6.28. fhs</a></li>
-<li><a href="#h:814d5e7f-4b95-412d-b246-33f888514ec6">3.4.6.29. swarsel-displaypower</a></li>
-<li><a href="#h:799579f3-ddd3-4f76-928a-a8c665980476">3.4.6.30. swarsel-mgba</a></li>
-<li><a href="#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">3.4.6.31. swarsel-deploy</a></li>
-<li><a href="#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">3.4.6.32. swarsel-build</a></li>
-<li><a href="#h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa">3.4.6.33. swarsel-instantiate</a></li>
-<li><a href="#h:02842543-caca-4d4c-a4d2-7ac749b5c136">3.4.6.34. sshrm</a></li>
-<li><a href="#h:abbd18a2-73ae-4ee4-8487-06fef23638bb">3.4.6.35. endme</a></li>
-<li><a href="#h:e1330feb-4a9b-4e6d-9d15-6d2adb5879d2">3.4.6.36. git-replace</a></li>
+<li><a href="#org0ad352f">3.4.6.7. prstatus</a></li>
+<li><a href="#h:03b1b77b-3ca8-4a8f-8e28-9f29004d96d3">3.4.6.8. bak</a></li>
+<li><a href="#h:3c72d263-411c-44f0-90ff-55f14d4d9d49">3.4.6.9. timer</a></li>
+<li><a href="#h:1834df06-9238-4efa-9af6-851dafe66c68">3.4.6.10. e</a></li>
+<li><a href="#h:10268005-a9cd-4a00-967c-cbe975c552fa">3.4.6.11. command-not-found</a></li>
+<li><a href="#h:82f4f414-749b-4d5a-aaaa-6e3ec15fbc3d">3.4.6.12. swarselcheck</a></li>
+<li><a href="#h:96da8360-2d23-4e86-9602-415fbdb972af">3.4.6.13. swarselcheck-niri</a></li>
+<li><a href="#h:564c102c-e335-4f17-a613-c5a436bb4864">3.4.6.14. swarselzellij</a></li>
+<li><a href="#h:f93f66f9-6b8b-478e-b139-b2f382c1f25e">3.4.6.15. waybarupdate</a></li>
+<li><a href="#h:a1d94db2-837a-40c4-bbd8-81ce847440ee">3.4.6.16. opacitytoggle</a></li>
+<li><a href="#h:7c4e41b3-8c1e-4f71-87a6-30d40baed6a0">3.4.6.17. fs-diff</a></li>
+<li><a href="#h:a9398c4e-4d3b-4942-b03c-192f9c0517e5">3.4.6.18. github-notifications</a></li>
+<li><a href="#h:3981cd16-00c0-4ea8-95e2-c6d8c04ec4e5">3.4.6.19. kanshare</a></li>
+<li><a href="#h:74db57ae-0bb9-4257-84be-eddbc85130dd">3.4.6.20. swarsel-bootstrap</a></li>
+<li><a href="#h:1eabdc59-8832-44ca-a22b-11f848ab150a">3.4.6.21. swarsel-rebuild</a></li>
+<li><a href="#h:fbd8aaf2-9dca-4ca3-aca1-19d0d188a435">3.4.6.22. swarsel-install</a></li>
+<li><a href="#h:c98a7615-e5da-4f47-8ed1-2b2ea65519e9">3.4.6.23. swarsel-postinstall</a></li>
+<li><a href="#h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1">3.4.6.24. t2ts</a></li>
+<li><a href="#h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1">3.4.6.25. ts2t</a></li>
+<li><a href="#h:7806b129-a4a5-4d10-af27-6cbeafbcb294">3.4.6.26. vershell</a></li>
+<li><a href="#h:9fda7829-09a4-4b8f-86f6-08b078ab2874">3.4.6.27. eontimer</a></li>
+<li><a href="#h:154b6df4-dd50-4f60-9794-05a140d02994">3.4.6.28. project</a></li>
+<li><a href="#h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0">3.4.6.29. fhs</a></li>
+<li><a href="#h:814d5e7f-4b95-412d-b246-33f888514ec6">3.4.6.30. swarsel-displaypower</a></li>
+<li><a href="#h:799579f3-ddd3-4f76-928a-a8c665980476">3.4.6.31. swarsel-mgba</a></li>
+<li><a href="#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">3.4.6.32. swarsel-deploy</a></li>
+<li><a href="#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">3.4.6.33. swarsel-build</a></li>
+<li><a href="#h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa">3.4.6.34. swarsel-instantiate</a></li>
+<li><a href="#h:02842543-caca-4d4c-a4d2-7ac749b5c136">3.4.6.35. sshrm</a></li>
+<li><a href="#h:abbd18a2-73ae-4ee4-8487-06fef23638bb">3.4.6.36. endme</a></li>
+<li><a href="#h:e1330feb-4a9b-4e6d-9d15-6d2adb5879d2">3.4.6.37. git-replace</a></li>
 </ul>
 </li>
 <li><a href="#h:c01a91b8-b751-4978-b987-733de63c8211">3.4.7. Packages (config)</a>
@@ -696,7 +698,7 @@
 </li>
 </ul>
 </li>
-<li><a href="#h:ed4cd05c-0879-41c6-bc39-3f1246a96f04">4. Emacs</a>
+<li><a href="#h:ed4cd05c-0879-41c6-bc39-3f1246a96f04">4. Emacse</a>
 <ul>
 <li><a href="#h:2c331451-45ed-4592-9e00-d36b5bf31248">4.1. Initialization (early-init.el)</a>
 <ul>
@@ -923,7 +925,7 @@
 </div>
 </div>
 <p>
-<b>This file has 115249 words spanning 30878 lines and was last revised on 2025-12-02 17:29:11 +0100.</b>
+<b>This file has 118389 words spanning 31287 lines and was last revised on 2025-12-18 17:25:42 +0100.</b>
 </p>
 
 <p>
@@ -977,13 +979,13 @@ This file is structured as follows:
 
 <ul class="org-ul">
 <li><a href="#h:a86fe971-f169-4052-aacf-15e0f267c6cd">Introduction (no code)</a>
-This is the block you are currently in. It holds no code that actually builds the system, it just outlines the general approach and explains my rough mentality</li>
+This is the block you are currently in. It holds no code that actually builds the system, it just outlines the general approach and explains the rough design mentality. For simply understanding the code in here, reading this should not be necessary (feel free to skip to <a href="#h:c7588c0d-2528-485d-b2df-04d6336428d7">flake.nix</a>)</li>
 
 <li><a href="#h:c7588c0d-2528-485d-b2df-04d6336428d7">flake.nix</a>
-This block holds everything related to the heart of the nix side of the configuration - the <code>flake.nix</code> file.</li>
+This block holds everything related to the heart of the nix side of the configuration - the <code>flake.nix</code> file. I am using <a href="https://github.com/hercules-ci/flake-parts">flake-parts</a> to manage this flake, so different aspects of the configuration are handled by flake-part modules in different files.</li>
 
 <li><a href="#h:02cd20be-1ffa-4904-9d5a-da5a89ba1421">System</a>
-This section holds all configuration options that apply to NixOS or home-manager. In other words, here we are doing system and user level configuration.</li>
+This section holds all configuration options that apply to NixOS or home-manager. In other words, here we are doing system and user level configuration. In a way, I consider this the most important part of this file, as (nearly) all of the nix magic is going to happen here.</li>
 
 <li><p>
 <a href="#h:ed4cd05c-0879-41c6-bc39-3f1246a96f04">Emacs</a>
@@ -991,7 +993,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-12-02 17:29:11 +0100)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-12-18 17:25:42 +0100)
 </p></li>
 </ul>
 
@@ -1072,10 +1074,7 @@ This section hold code that can be templated at other parts of the configuration
 </p>
 
 <ul class="org-ul">
-<li><a href="#h:8fc9f66a-7412-4091-8dee-a06f897baf67">Appendix A: Supplementary Files</a>
-This section holds files that are not written in nix but are still referenced in the configuration in some way. This is mostly used for configuration of programs that have no native nix support, like tridactyl. Note that shell scripts are still defined under their respective entry in <a href="#h:64a5cc16-6b16-4802-b421-c67ccef853e1">Packages</a>.</li>
-
-<li>Historical Note: Noweb-Ref blocks</li>
+<li><a href="#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c">Appendix A: Noweb-Ref blocks</a></li>
 </ul>
 
 <p>
@@ -1112,6 +1111,14 @@ which can then be used in a block like:
 <p>
 not that noweb-reffed blocks will not be indented correctly. You will want to account for that when checking your nix flake with the formatter of your choice. Personally, I have solved this issue using the functions defined in <a href="#h:59d4306e-9b73-4b2c-b039-6a6518c357fc">org-mode: Upon-save actions (Auto-tangle, export to html, formatting)</a>. Originally, I also automatically exported to html there, but it incurred a too high memory penalty which made Emacs become sluggish over time.
 </p>
+
+<ul class="org-ul">
+<li><a href="#h:8fc9f66a-7412-4091-8dee-a06f897baf67">Appendix B: Supplementary Files</a>
+This section holds files that are not written in nix but are still referenced in the configuration in some way. This is mostly used for configuration of programs that have no native nix support, like tridactyl. Note that shell scripts are still defined under their respective entry in <a href="#h:64a5cc16-6b16-4802-b421-c67ccef853e1">Packages</a>. Over time, the goal is to reduce this section to a minimum, but things like the aforementioned tridactyl might stay for a long time, until we have a stable interface to configure browser plugins.</li>
+
+<li><a href="#h:8ea35dcc-ef94-4c10-9112-8be8efd6f424">Appendix C: Explanations to nix functions and operators</a>
+When I started to learn about nix, I found that journey quite arduous; while I disagree with the general public in that the documentation is too sparse, I will say that, while it is very good, reading (and understanding!) it requires a certain level of existing nix knowledge that one will problably not have when starging out. Hence, the goal of this document is to explain common nix functions as they come up in this document (I thing I wrote this before :sweat:), in hopes that you will be able to understand most of the code. When a new function appears for the first time, I will try to link to an entry in the appendix.</li>
+</ul>
 </div>
 </div>
 <div id="outline-container-h:2c5529ed-e6d9-44b6-b0d3-5bf96a6bed64" class="outline-3">
@@ -1136,7 +1143,7 @@ The corresponding configurations are automatically generated by <code>mkFullHost
 </p>
 
 <p>
-These &lt;hosttype&gt; folders hold in turn a number of &lt;hostname&gt; folders, the actual configurations. At this time, the files stored in this folder are:
+These &lt;hosttype&gt; folders hold on the first level a folder describing the machine archetype (<code>x86_64-linux</code> or <code>aarch64-linux</code> for linux, <code>x86_64-darwin</code> or <code>aarch64-darwin</code> for macs). Those folders then hold a number of &lt;hostname&gt; folders, the actual configurations. At this time, the files stored in this folder are:
 </p>
 <ul class="org-ul">
 <li>default.nix:
@@ -1146,7 +1153,7 @@ It is not clearly defined what I hold in this file. Mostly it is just the attrib
 <li>disk-config.nix
 Holds the aforementioned filesystem configuration and is applied using <a href="https://github.com/nix-community/disko">disko</a>.</li>
 
-<li>The hosts/&lt;hosttype&gt;/&lt;hostname&gt; folders may also have a <code>secrets</code> folder, under which a single file <code>pii.nix.enc</code> can be stored. As the name suggests, this file should be encrypted. Specifically, it needs to be a <a href="https://github.com/getsops/sops">sops</a>-encrypted file (sops does not seem to suggest a file ending other than .yml or others, which is not verbose enough for me, so I went with <code>.enc</code>).  This file should have the structure of a nix expression, e.g.:</li>
+<li>The hosts/&lt;hosttype&gt;/&lt;hostname&gt; folders may also have a <code>secrets</code> folder, under which files of the ending <code>.nix.enc</code> may be stored. As the name suggests, these files should be encrypted. Specifically, they need to be <a href="https://github.com/getsops/sops">sops</a>-encrypted files (sops does not seem to suggest a file ending other than .yml or others, which is not verbose enough for me, so I went with <code>.enc</code>).  This should have the structure of a nix expression, e.g.:</li>
 </ul>
 
 <div class="org-src-container">
@@ -1163,6 +1170,10 @@ Holds the aforementioned filesystem configuration and is applied using <a href="
 Using the mechanisms in <a href="#h:82b8ede2-02d8-4c43-8952-7200ebd4dc23">PII management</a> (which in turn uses <a href="#h:87c7893e-e946-4fc0-8973-1ca27d15cf0e">extra-builtins</a> and <a href="#h:315e6ef6-27d5-4cd8-85ff-053eabe60ddb">sops-decrypt-and-cache</a>), these files are decrypted during evaluation time and stored under a persistent directory. As the name suggests, I am using these files to store personally identifiable information - these "secrets" are stored world-readable in the nix store. As such, this should not be used to store important secrets, but rather information that you would not like everyone on the internet to easily find in your git repo.
 </p>
 
+<p>
+Other than that, the <code>secrets</code> folder will also be used to store conventional (decryted at activation-time) sops-encrypted secrets in the standard <code>.yaml</code> / <code>.toml</code> / <code>.ini</code> formats.
+</p>
+
 <ul class="org-ul">
 <li><p>
 <code>modules</code>
@@ -1171,8 +1182,7 @@ This folder holds the most part of the actual system configuration done in this
 <ul class="org-ul">
 <li>nixos: Holds true NixOS configuration</li>
 <li>home: Holds configuration to be used by home-manager (either as a NixOS submodule or not)</li>
-<li>darwin: Holds configuration for nix-darwin. This folder further splits up into a nixos and a home folder, which hold respective nix or home-manager configuration for nix-darwin.</li>
-<li>iso: Holds specific configuration for my installer ISO that I do not want to have loaded in the rest of the configuration.</li>
+<li>shared: This is for configuraion bits that are to be used by both types.</li>
 </ul>
 
 <p>
@@ -1182,38 +1192,55 @@ The nixos and home folders further split up:
 <ul class="org-ul">
 <li>common: Configuration that can be used by all hosts (TODO: this currently includes configuration used by my user devices, which will mostly not be used by servers)</li>
 <li>server: Configuration to be used on servers</li>
-<li>optional: Configuration that will be used rather rarely</li>
-</ul>
-
-<p>
-This structure is very optionated and highly subjective. I will possibly change this in the future.
+<li>darwin: Holds configuration for nix-darwin.</li>
+<li><p>
+optional: Configuration that will be used rather rarely
 </p>
 
 <p>
-By themselves, most of the files in the modules folder will not do anything. In order for them to do something, their corresponding <code>config.swarselsystems.modules</code> attribute needs to be enabled. This is done using&#x2026;
+This structure is very optionated and highly subjective. I will possibly change this in the future.
+</p></li>
+</ul>
+
+<p>
+By themselves, most of the files in the modules folder will not do anything. In order for them to do something, their corresponding <code>config.swarselmodules</code> attribute needs to be enabled. This is partly done using&#x2026;
 </p></li>
 
-<li><code>profiles</code>: This folder splits up into <code>home</code> and <code>nixos</code> subfolders, where groupings of module enablers are stored for the respective home and nix setups. Note that <code>home</code> profiles are also used in NixOS setups (extensively even)!</li>
+<li><code>profiles</code>: This folder splits up into <code>home</code> and <code>nixos</code> subfolders, where groupings of module enablers are stored for the respective home and nix setups. Note that <code>home</code> profiles are also used in NixOS setups (extensively even)! This is used to quickly enable common configuration for a machine use, e.g. the <a href="#h:dfc076fd-ee74-4663-b164-653370c52b75">Server</a> profile.</li>
 
-<li><code>nix</code>: This special folder holds mostly <code>.nix</code> files that are not automatically loaded, but rather setup specific things that affect most of the flake. For example, here lies the aforementioned <a href="#h:87c7893e-e946-4fc0-8973-1ca27d15cf0e">extra-builtins</a> as well as the setup for the <a href="#h:af83893d-c0f9-4b45-b816-4849110d41b3">Globals</a> system. TODO: Move flake-parts units there and explain them here.</li>
+<li><code>nix</code>: This special folder holds mostly <code>.nix</code> files that are not automatically loaded, but rather setup specific things that affect most of the flake. For example, here lies the aforementioned <a href="#h:87c7893e-e946-4fc0-8973-1ca27d15cf0e">extra-builtins</a> as well as the setup for the <a href="#h:af83893d-c0f9-4b45-b816-4849110d41b3">Globals</a> system. Also in here are the flake-parts files that you read about earlier. This gives the following functionality:
+<ul class="org-ul">
+<li><code>lib</code>: I define some utility functions that I add to the nixpkgs library under the <code>swarselsystems</code> attribute set. An example would be the <code>mkIfElse</code> function.</li>
+<li><code>checks</code>: As part of a <a href="#h:4d0548db-99b2-4e07-b762-6d86fbb26d4c">Devshell (checks)</a>, I declare pre-commit hooks that should run before I push changes to my repo.</li>
+<li><code>overlays</code>: Here we also define the main (default) overlay I am using in my configuration. It is responsible for adding my defined packages and modifications to the final nixpkgs. Also I add some other conveniences like all past stable nixpkgs and some other package sets.</li>
+<li><code>apps</code>: I also define <a href="#h:52e1fae8-0e8c-4be6-a6ce-758ada652dd3">Apps</a>, which is an output of derivations that can be called by <code>nix run</code> without having the flake locally - this is mostly used for my <code>swarsel-*</code> utilities.</li>
+<li><code>topology</code>: I also created a diagram of my infrastructure using <a href="https://github.com/oddlama/nix-topology">nix-topology</a>. While I do not update this too often, this (I think) can quickly give a good overview of the scope of this flake as well as its services.</li>
+</ul></li>
 
-<li><code>lib</code>: This folder holds utility functions that I add to the nixpkgs library under the <code>swarselsystems</code> attribute set. An example would be the <code>mkIfElse</code> function.</li>
+<li><code>pkgs</code>: This folder holds derivations (mostly packages) that I define myself. This is mostly used to grab versions that are not (yet) in nixpkgs, or modified versions of another package. Each derivation in this folder is in turn in its own folder which holds a defautlt.nix. Using the mechanism in <a href="#h:64a5cc16-6b16-4802-b421-c67ccef853e1">Packages</a>, these are automatically built and available to all configurations (packages still need to be installed e.g. in <code>environment.systemPackages</code>). Note that the folder at the top level splits up in <code>config</code> and <code>flake</code> subdirectories:
+<ul class="org-ul">
+<li>The <code>config</code> dir is used for packages that need the actual config of the machine where they run in order to be built. These packages cannot simply be released as a flake output (or better, it would not make a lot of sense). Instead, these are added within the configuration as an overlay</li>
 
-<li><code>pkgs</code>: This folder holds derivations (mostly packages) that I define myself. This is mostly used to grab versions that are not (yet) in nixpkgs, or modified versions of another package. Each derivation in this folder is in turn in its own folder which holds a defautlt.nix. Using the mechanism in <a href="#h:64a5cc16-6b16-4802-b421-c67ccef853e1">Packages</a>, these are automatically built and available to all configurations (packages still need to be installed e.g. in <code>environment.systemPackages</code>)</li>
-
-<li><code>checks</code>: Holds a file that defines my pre-commit-hook checks. TODO: move this to /nix probably</li>
+<li>The <code>flake</code> dir is used for the conventional packages that I described above.</li>
+</ul></li>
 
+<li><code>files</code>: This is kind of a catchall folder that holds (nearly) all non-nix files. It mostly holds blocks created in <a href="#h:8fc9f66a-7412-4091-8dee-a06f897baf67">Appendix B: Supplementary Files</a>, but also some more specific directories:
+<ul class="org-ul">
 <li><code>scripts</code>: This folder holds a bunch of shell scripts that I use for various tasks. Nearly all of these are made into a derivation using <code>pkgs.writeShellApplication</code>. In the future (TODO?), I might convert these to native nix, but in the past I kept the as true shellfiles in case I ever wanted to move away from nix. This is becoming less and less likely, however. And even in case that this would happen, I could retrieve these files from the nix store and would simply have to remove the nix store paths.</li>
+<li><code>wallpaper</code>: Holds my wallpapers and profile pictures :)</li>
+<li><code>topology-images</code>: Holds pictures used by <a href="#h:391e7712-fef3-4f13-a3ed-d36e228166fd">Topology</a> :)</li>
+</ul></li>
 
-<li><code>secrets</code>: Unlike the similar folder under <code>hosts</code>, this folder holds actual sops-encrypted secrets that are created at activation time and not in the nix store. The folder splits up into a bunch of &lt;hostname&gt; folders, as well as a <code>repo</code> folder, which holds another <code>pii.nix.enc</code>, which holds global PII's, and a <code>certs</code> folder that holds some longer certificate style secrets.</li>
+<li><code>secrets</code>: Unlike the similar folder under <code>hosts</code>, this folder holds sops-encrypted secrets and PIIs that are used by a number of hosts that is greater than one.</li>
 
-<li><code>overlays</code>: This holds a single <code>default.nix</code> that defines the overlay I am using in my configuration. It is responsible for adding my defined packages and modifications to the final nixpkgs. Also I add some other conveniences like all past stable nixpkgs and some other package sets.</li>
+<li><code>install</code>: This folder holds another <a href="#h:1d4514b4-e952-4faf-b30e-d89e73a526c6">Installer flake</a>. That flake pulls in the <code>nixosConfigurationsMinimal</code> that are defined in <a href="#h:5c5bf78a-9a66-436f-bd85-85871d9d402b">Hosts</a> of the main flake, which enables me to build an extemely reduced configuration when I deploy a new host for the first time - this is used by <a href="#h:74db57ae-0bb9-4257-84be-eddbc85130dd">swarsel-bootstrap</a> in the first installation step. It also holds the configuration of the two installer images that I use to deploy this flake:
+<ul class="org-ul">
+<li><a href="#h:8583371d-5d47-468b-84ba-210aad7e2c90">Drugstore (ISO installer config)</a>: This is the general installer ISO that I use whenever I can when I want to deploy a new host. It has a few conveniences like some of my utility programs for figuring out some dependencies or network quirks, as well as my public ssh keys so that I can immediately login to them.</li>
 
-<li><code>programs</code>: This folder holds configurations for various programs (most notably emacs' <code>init.el</code> and <code>early-init.el</code>), that are being rendered using org-babel and loaded using nix.</li>
+<li><a href="#h:e9fe580c-f1b2-4d7b-aaff-bbdf89a8c9f9">Brick Road (kexec image)</a>: This is a kexec tarball that can be used by <a href="#h:74db57ae-0bb9-4257-84be-eddbc85130dd">swarsel-bootstrap</a> in case that I need to deploy to a machine that has less than 1GB of RAM. It is basically just an even more stripped down version of the detault one used by nixos-anywhere, but notably I added cryptsetup so that it can be used when setting up an encrypted device using disko.</li>
+</ul></li>
 
-<li><code>wallpaper</code>: Holds wallpapers and profile pictures.</li>
-
-<li><code>topology</code>: Holds the configuration used by <a href="https://github.com/oddlama/nix-topology">nix-topology</a>.</li>
+<li><code>.github</code>: Canonically, this holds github related files like the <a href="#h:bf3e6fc0-a95a-46d0-9305-0d1068b2f1ec">GitHub Readme</a> and some workflows.</li>
 </ul>
 </div>
 </div>
@@ -1221,30 +1248,30 @@ By themselves, most of the files in the modules folder will not do anything. In
 <h3 id="h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02"><span class="section-number-3">1.4.</span> Hosts</h3>
 <div class="outline-text-3" id="text-h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">
 <p>
-Here I give a brief overview over the hostmachines that I am using. This is held in markdown so that I can render it into my GitHub README.
+Here I give a brief overview over the host machines that I am using. This is held in markdown so that I can render it into my <a href="#h:bf3e6fc0-a95a-46d0-9305-0d1068b2f1ec">GitHub Readme</a> without further effort.
 </p>
 
 <div class="org-src-container">
-<pre class="src src-markdown">| Name                | Hardware                                            | Use                                                 |
-|---------------------|-----------------------------------------------------|-----------------------------------------------------|
-|💻 **pyramid**       | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                         |
-|💻 **bakery**        | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                     |
-|💻 **machpizza**     | MacBook Pro 2016                                    | MacOS reference and build sandbox                   |
-|🏠 **treehouse**     | NVIDIA DGX Spark                                    | AI Workstation, remote builder, hm-only-reference   |
-|🖥️ **summers**       | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Homeserver (microvms), remote builder, datastorage  |
-|🖥️ **winters**       | ASRock J4105-ITX, 32GB RAM                          | Homeserver (IoT server in spe)                      |
-|🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router                                              |
-|☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative dns server                            |
-|☁️ **liliputsteps**  | Cloud Server: 1 vCPUs, 8GB RAM                      | SSH bastion                                         |
-|☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM                      | Service proxy                                       |
-|☁️ **eagleland**     | Cloud Server: 2 vCPUs, 8GB RAM                      | Mailserver                                          |
-|☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Gaming server, syncthing + lightweight services     |
-|☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM                     | Hydra builder and nix binarycache                   |
-|📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                               |
-|💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts     |
-|💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines |
-|❔ **chaotheatre**   | -                                                   | Demo config for checking out this configuration     |
-|❔ **toto**          | -                                                   | Helper configuration for testing purposes           |
+<pre class="src src-markdown">| Name                | Hardware                                            | Use                                                             |
+|---------------------|-----------------------------------------------------|-----------------------------------------------------------------|
+|💻 **pyramid**       | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                                     |
+|💻 **bakery**        | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                                 |
+|💻 **machpizza**     | MacBook Pro 2016                                    | MacOS reference and build sandbox                               |
+|🏠 **treehouse**     | NVIDIA DGX Spark                                    | AI Workstation, remote builder, hm-only-reference               |
+|🖥️ **summers**       | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Homeserver (microvms), remote builder, data storage             |
+|🖥️ **winters**       | ASRock J4105-ITX, 32GB RAM                          | Homeserver (IoT server in spe)                                  |
+|🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router                                                          |
+|☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative DNS server                                        |
+|☁️ **liliputsteps**  | Cloud Server: 1 vCPUs, 8GB RAM                      | SSH bastion                                                     |
+|☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM                      | Service proxy                                                   |
+|☁️ **eagleland**     | Cloud Server: 2 vCPUs, 8GB RAM                      | Mailserver                                                      |
+|☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Gaming server, syncthing + lightweight services                 |
+|☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM                     | Hydra builder and nix binary cache                              |
+|📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                                           |
+|💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts                 |
+|💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines             |
+|❔ **hotel**         | -                                                   | Demo config for checking out this configuration                 |
+|❔ **toto**          | -                                                   | Helper configuration for testing purposes                       |
 </pre>
 </div>
 </div>
@@ -1252,19 +1279,23 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 <div id="outline-container-h:3bb92528-c61c-4b8d-8214-bf2a40baaa32" class="outline-3">
 <h3 id="h:3bb92528-c61c-4b8d-8214-bf2a40baaa32"><span class="section-number-3">1.5.</span> Programs</h3>
 <div class="outline-text-3" id="text-h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">
+<p>
+This is meant to give a brief overview over the main programs/components that I use on a daily basis on my client machines. This should be mostly useful for people wanting to rice their config, or people who believed this repos title and are looking for <code>.dotfiles</code> :p
+</p>
+
 <div class="org-src-container">
-<pre class="src src-markdown">| Topic         | Program                         |
-|---------------|---------------------------------|
-|🐚 **Shell**   | [zsh](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                            |
-|🚪 **DM**      | [greetd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/common/login.nix)                         |
-|🪟 **WM**      | [SwayFX](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sway.nix)                         |
-|⛩️ **Bar**     | [Waybar](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/waybar.nix)                         |
-|✒️ **Editor**  | [Emacs](https://github.com/Swarsel/.dotfiles/tree/main/files/emacs/init.el)                          |
-|🖥️ **Terminal**| [Kitty](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/kitty.nix)                          |
-|🚀 **Launcher**| [Fuzzel](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/fuzzel.nix)                         |
-|🚨 **Alerts**  | [Mako](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/mako.nix)                           |
-|🌐 **Browser** | [Firefox](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                        |
-|🎨 **Theme**   | [City-Lights (managed by stylix)](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sharedsetup.nix)|
+<pre class="src src-markdown">| Topic         | Program                                                                                                                     |
+|---------------|-----------------------------------------------------------------------------------------------------------------------------|
+|🐚 **Shell**   | [zsh](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                                           |
+|🚪 **DM**      | [greetd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/common/login.nix)                                     |
+|🪟 **WM**      | [SwayFX](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sway.nix)                                       |
+|⛩️ **Bar**     | [Waybar](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/waybar.nix)                                     |
+|✒️ **Editor**  | [Emacs](https://github.com/Swarsel/.dotfiles/tree/main/files/emacs/init.el)                                                 |
+|🖥️ **Terminal**| [Kitty](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/kitty.nix)                                       |
+|🚀 **Launcher**| [Fuzzel](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/fuzzel.nix)                                     |
+|🚨 **Alerts**  | [Mako](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/mako.nix)                                         |
+|🌐 **Browser** | [Firefox](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                                       |
+|🎨 **Theme**   | [City-Lights (managed by stylix)](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sharedsetup.nix)       |
 </pre>
 </div>
 </div>
@@ -1272,31 +1303,43 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 <div id="outline-container-h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9" class="outline-3">
 <h3 id="h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9"><span class="section-number-3">1.6.</span> Services</h3>
 <div class="outline-text-3" id="text-h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9">
+<p>
+This is a comprehensive list of the services/components ran by my server machines.
+</p>
+
 <div class="org-src-container">
-<pre class="src src-markdown">| Topic                 | Program                                                                                                             |
-|-----------------------|---------------------------------------------------------------------------------------------------------------------|
-|📖 **Books**           |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                           |
-|📼 **Videos**          | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                        |
-|🎵 **Music**           | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
-|🗨️ **Messaging**       | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix)                            |
-|📁 **Filesharing**     | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix)                      |
-|🎞️ **Photos**          | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                            |
-|📄 **Documents**       | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix)                      |
-|🔄 **File Sync**       | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix)                      |
-|💾 **Backups**         | [Restic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/restic.nix)                            |
-|👁️ **Monitoring**      | [Grafana](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/monitoring.nix)                       |
-|🍴 **RSS**             | [FreshRss](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/freshrss.nix)                        |
-|🌳 **Git**             | [Forgejo](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/forgejo.nix)                          |
-|⚓ **Anki Sync**       | [Anki Sync Server](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/ankisync.nix)                |
-|🪪 **SSO**             | [Kanidm](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kanidm.nix) + [oauth2-proxy](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/oauth2-proxy.nix)                                            |
-|💸 **Finance**         | [Firefly-III](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/firefly-iii.nix)                  |
-|🃏 **Collections**     | [Koillection](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/koillection.nix)                  |
-|🗃️ **Shell History**   | [Atuin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/atuin.nix)                              |
-|📅 **CalDav/CardDav**  | [Radicale](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/radicale.nix)                        |
-|↔️ **P2P Filesharing** | [Croc](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/croc.nix)                                |
-|✂️ **Paste Tool**      | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                        |
-|📸 **Image Sharing**   | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                              |
-|🔗 **Link Shortener**  | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                            |
+<pre class="src src-markdown">| Topic                      | Program                                                                                                        |
+|----------------------------|----------------------------------------------------------------------------------------------------------------|
+|📖 **Books**                |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                      |
+|📼 **Videos**               | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                   |
+|🎵 **Music**                | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
+|🗨️ **Messaging**            | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix)                       |
+|📁 **Filesharing**          | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix)                 |
+|🎞️ **Photos**               | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                       |
+|📄 **Documents**            | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix)                 |
+|🔄 **File Sync**            | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix)                 |
+|💾 **Backups**              | [Restic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/restic.nix)                       |
+|👁️ **Monitoring**           | [Grafana](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/monitoring.nix)                  |
+|🍴 **RSS**                  | [FreshRss](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/freshrss.nix)                   |
+|🌳 **Git**                  | [Forgejo](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/forgejo.nix)                     |
+|⚓ **Anki Sync**            | [Anki Sync Server](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/ankisync.nix)           |
+|🪪 **SSO**                  | [Kanidm](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kanidm.nix) + [oauth2-proxy](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/oauth2-proxy.nix)                                            |
+|💸 **Finance**              | [Firefly-III](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/firefly-iii.nix)             |
+|🃏 **Collections**          | [Koillection](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/koillection.nix)             |
+|🗃️ **Shell History**        | [Atuin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/atuin.nix)                         |
+|📅 **CalDav/CardDav**       | [Radicale](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/radicale.nix)                   |
+|↔️ **P2P Filesharing**      | [Croc](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/croc.nix)                           |
+|✂️ **Paste Tool**           | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                   |
+|📸 **Image Sharing**        | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                         |
+|🔗 **Link Shortener**       | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                       |
+|⛏️ **Minecraft**            | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix)                 |
+|☁️ **S3**                   | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix)                       |
+|🕸️ **Nix Binary Cache**     | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix)                         |
+|🐙 **Nix Build farm**       | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix)                         |
+|🔑 **Cert-based SSH**       | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix)                       |
+|🔨 **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix)                     |
+|👀 **DNS**                  | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix)                             |
+|✉️ **Mail**                 | [simple-nixos-mailserver](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mailserver.nix)  |
 </pre>
 </div>
 </div>
@@ -1304,43 +1347,18 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 <div id="outline-container-h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a" class="outline-3">
 <h3 id="h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a"><span class="section-number-3">1.7.</span> Manual steps when setting up a new machine</h3>
 <div class="outline-text-3" id="text-h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a">
-<div class="org-src-container">
-<pre class="src src-markdown">These steps are required when setting up a normal NixOS host:
+<p>
+In the <a href="#h:a86fe971-f169-4052-aacf-15e0f267c6cd">Introduction (no code)</a>, I mentioned that this is a nearly fully declarative config. In fact, most client configs are in one way or another not fully declarative. I use oneshotting systemd services + sentinel files for most such tasks (which makes them declarative!), but some of them I would rather perform manually once. This mainly concerns work related things.
+</p>
 
-- setup yubikey (automatic yubikey enrollment is not yet supported by `disko`):
-  - `systemd-cryptenroll --fido2-device=auto /dev/&lt;device, e.g. 'nvme0n1p2'&gt;`
-
-If the new machine is a work machine, these steps are additionally needed:
-
-- setup the work VPN:
-  - using the laptop certificate `.pem` as User cert and private key (CA cert: none)
-  - vpn gateway is found in `nixosConfig.repo.secrets.local.work.vpnGateway`
-- setup gpgsm for signing of mails using S/MIME:
-  - `gpgsm --import ~/Certificates/&lt;certname&gt;.p12`
-  - `gpgsm --import ~/Certificates/harica-root.pem`
-  - `gpgsm --import ~/Certificates/harica-intermediate.pem`
-  - `gpgsm --list-keys --with-validation "HARICA Client RSA Root CA 2021"`
-    - trust the certificate and set passphrase
-- setup pizauth for microsoft mail sync (account names are possibly `uni` and `work`):
-  - `pizauth auth &lt;account name, e.g. 'work'&gt;`
-  - `pizauth dump &gt; ~/.pizauth.state`
-
-If the new machine is home-manager only, perform these steps:
-
-- (Optional) Install openssh-server
-- Set hostname to the name specified in the home-manager configuration
-- Install nix, either:
-  - (if upgrading existing nix) Install nix version matching with version that `nix-plugins` is compiled against: `nix-env --install --file '&lt;nixpkgs&gt;' cacert -I nixpkgs=channel:nixpkgs-unstable --attr nixVersions.nix_x_yy`
-  - (or installing nix freshly):
-    - Grab the link to the install script of the needed nix version from https://releases.nixos.org/?prefix=nix, e.g. https://releases.nixos.org/nix/nix-2.30.1/install
-    - `bash &lt;(curl -L https://releases.nixos.org/nix/nix-x-yy-y/install) --daemon`
-- add the following to /etc/nix/nix.conf to become a trusted user: `trusted-users = @wheel root swarsel`
-- For the first build:
-  1) Clone dotfile repo &amp; change into it
-  2) `nix --extra-experimental-features 'nix-command flakes' develop`
-  3) `home-manager --extra-experimental-features 'nix-command flakes' switch --flake .#$(hostname) --show-trace`
-</pre>
-</div>
+<p>
+Whenever I encounter a configuration bit that needs manual steps, I use a <a href="#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c">Appendix A: Noweb-Ref blocks</a> to tangle that bit of information into a central place (here). I discern between the following scenarios:
+</p>
+<ul class="org-ul">
+<li><code>setup</code>: Used in a standard NixOs + home-manager deployment</li>
+<li><code>worksetup</code>: Stuff to be done only on work machines</li>
+<li><code>homemanageronlysetup</code>: Steps that are needed only on machines that are not running NixOs.</li>
+</ul>
 
 These steps are required when setting up a normal NixOS host:
 
@@ -1376,34 +1394,88 @@ If the new machine is home-manager only, perform these steps:
   1) Clone dotfile repo & change into it
   2) `nix --extra-experimental-features 'nix-command flakes' develop`
   3) `home-manager --extra-experimental-features 'nix-command flakes' switch --flake .#$(hostname) --show-trace`
+<p>
+#+begin<sub>export</sub> html
+These steps are required when setting up a normal NixOS host:
+</p>
+
+<ul class="org-ul">
+<li>setup yubikey (automatic yubikey enrollment is not yet supported by `disko`):
+<ul class="org-ul">
+<li>`systemd-cryptenroll &#x2013;fido2-device=auto /dev/&lt;device, e.g. 'nvme0n1p2'&gt;`</li>
+</ul></li>
+</ul>
+
+<p>
+If the new machine is a work machine, these steps are additionally needed:
+</p>
+
+<ul class="org-ul">
+<li>setup the work VPN:
+<ul class="org-ul">
+<li>using the laptop certificate `.pem` as User cert and private key (CA cert: none)</li>
+<li>vpn gateway is found in `nixosConfig.repo.secrets.local.work.vpnGateway`</li>
+</ul></li>
+<li>setup gpgsm for signing of mails using S/MIME:
+<ul class="org-ul">
+<li>`gpgsm &#x2013;import ~/Certificates/&lt;certname&gt;.p12`</li>
+<li>`gpgsm &#x2013;import ~/Certificates/harica-root.pem`</li>
+<li>`gpgsm &#x2013;import ~/Certificates/harica-intermediate.pem`</li>
+<li>`gpgsm &#x2013;list-keys &#x2013;with-validation "HARICA Client RSA Root CA 2021"`
+<ul class="org-ul">
+<li>trust the certificate and set passphrase</li>
+</ul></li>
+</ul></li>
+<li>setup pizauth for microsoft mail sync (account names are possibly `uni` and `work`):
+<ul class="org-ul">
+<li>`pizauth auth &lt;account name, e.g. 'work'&gt;`</li>
+<li>`pizauth dump &gt; ~/.pizauth.state`</li>
+</ul></li>
+</ul>
+
+<p>
+If the new machine is home-manager only, perform these steps:
+</p>
+
+<ul class="org-ul">
+<li>(Optional) Install openssh-server</li>
+<li>Set hostname to the name specified in the home-manager configuration</li>
+<li>Install nix, either:
+<ul class="org-ul">
+<li>(if upgrading existing nix) Install nix version matching with version that `nix-plugins` is compiled against: `nix-env &#x2013;install &#x2013;file '&lt;nixpkgs&gt;' cacert -I nixpkgs=channel:nixpkgs-unstable &#x2013;attr nixVersions.nix<sub>x</sub><sub>yy</sub>`</li>
+<li>(or installing nix freshly):
+<ul class="org-ul">
+<li>Grab the link to the install script of the needed nix version from <a href="https://releases.nixos.org/?prefix=nix">https://releases.nixos.org/?prefix=nix</a>, e.g. <a href="https://releases.nixos.org/nix/nix-2.30.1/install">https://releases.nixos.org/nix/nix-2.30.1/install</a></li>
+<li>`bash &lt;(curl -L <a href="https://releases.nixos.org/nix/nix-x-yy-y/install">https://releases.nixos.org/nix/nix-x-yy-y/install</a>) &#x2013;daemon`</li>
+</ul></li>
+</ul></li>
+<li>add the following to /etc/nix/nix.conf to become a trusted user: `trusted-users = @wheel root swarsel`</li>
+<li>For the first build:
+<ol class="org-ol">
+<li>Clone dotfile repo &amp; change into it</li>
+<li>`nix &#x2013;extra-experimental-features 'nix-command flakes' develop`</li>
+<li>`home-manager &#x2013;extra-experimental-features 'nix-command flakes' switch &#x2013;flake .#$(hostname) &#x2013;show-trace`</li>
+</ol></li>
+</ul>
+<p>
+#+end
+</p>
 </div>
 </div>
 <div id="outline-container-h:b562adaf-536c-4267-88a5-026d8a0cda61" class="outline-3">
-<h3 id="h:b562adaf-536c-4267-88a5-026d8a0cda61"><span class="section-number-3">1.8.</span> Current issues</h3>
+<h3 id="h:b562adaf-536c-4267-88a5-026d8a0cda61"><span class="section-number-3">1.8.</span> <span class="todo TODO">TODO</span> Current issues</h3>
 <div class="outline-text-3" id="text-h:b562adaf-536c-4267-88a5-026d8a0cda61">
-<div class="org-src-container">
-<pre class="src src-markdown">Currently, these adaptions are made to the configuration to account for bugs in upstream repos:
+<p>
+Besides the manual steps outlined above, sometimes things break when I update this flake. The fix, for me, is most of the times one of these two:
+</p>
+<ul class="org-ul">
+<li>instead of the broken package, use the package from the latest stable nixpkgs release where the package is still functoning (this is why I pull all of these in as inputs)</li>
+<li>if the broken component is critical, I perform manual patches/overrides.</li>
+</ul>
 
-- 202501102:
-  - flake:
-    - emacs-overlay:
-      - : version pinned because emacsclient is currently broken on latest
-    - niri-flake:
-      - currently not using the sugared version of screenshot-[,window], as it is currently broken
-  - home-manager:
-    - emacs-tramp:
-      - using stable version in extraPackages (broken in unstable)
-      - :ensure nil in emacs tramp settings to use package in extraPackages
-    - emacs-calfwL
-      - pinned to version not in nixpkgs (is in latest emacs-overlay, but that is broken)
-    - vesktop:
-      - running stable version (broken in unstable)
-    - batgrep:
-      - running stable version (broken in unstable)
-    - swayosd:
-      - pinned to version not in nixpkgs (fixes https://github.com/ErikReider/SwayOSD/issues/175)
-</pre>
-</div>
+<p>
+In order to keep track of these changes, I gather them here in a similar style to what you saw in <a href="#h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a">Manual steps when setting up a new machine</a>. I simply prefix them with the date and check them after a while to see if things got better. TODO: this list is not comprehensive probably
+</p>
 
 Currently, these adaptions are made to the configuration to account for bugs in upstream repos:
 
@@ -1448,7 +1520,7 @@ Nowadays, I use flake-parts to manage my flake. It allows me to conveniently spl
 <h3 id="h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b"><span class="section-number-3">2.1.</span> flake.nix skeleton (inputs)</h3>
 <div class="outline-text-3" id="text-h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b">
 <p>
-In general, a nix flake consists of one or more inputs and several outputs. The inputs are used to define where nix should be looking for packages, modules, and more. The outputs generate expressions that can be used in .nix files as well as system configurations using these files.
+In general, a nix flake consists of one or more inputs and several outputs. The inputs are used to define where nix should be looking for packages, modules, and more (the most common input is <code>nixpkgs</code>, which provides a lot of packages, library functions and modules). The outputs generate expressions that can be used in .nix files as well as system configurations using these files.
 </p>
 
 <p>
@@ -1456,7 +1528,7 @@ In the start, I enable some public cache repositories. This saves some time duri
 </p>
 
 <p>
-In many flakes, you see a structure like this: <code>outputs = inputs@ [...]</code>, the <code>inputs@</code> makes it so that all inputs are automatically passed to the outputs and can be called as <code>inputs.&lt;name&gt;</code>, whereas explicit arguments may just be called by using <code>&lt;name&gt;</code>. For most flakes this is fully sufficient, as they do not need to be called often and it saves me maintainance effort with this file. In fact, I also used to make use of this mechanism. However, using flake-parts, all I really need for the outputs function is inputs, which is why my outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } { [&#x2026;] ). Note that flake-parts must inherit these inputs and no other arguments are expected.
+In many flakes, you see a structure like this: <code>outputs = inputs@ [...]</code>, the <code>inputs@</code> makes it so that all inputs are automatically passed to the outputs and can be called as <code>inputs.&lt;name&gt;</code>, whereas explicit arguments may just be called by using <code>&lt;name&gt;</code> (for a more detailed explanation, s). For most flakes this is fully sufficient, as they do not need to be called often and it saves me maintainance effort with this file. In fact, I also used to make use of this mechanism. However, using flake-parts, all I really need for the outputs function is inputs, which is why my outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } { [&#x2026;] ). Note that flake-parts must inherit these inputs and no other arguments are expected.
 </p>
 
 <p>
@@ -1503,15 +1575,15 @@ A short overview over each input and what it does:
 
 <ul class="org-ul">
 <li><a href="https://github.com/NixOS/nixpkgs">nixpkgs</a>
-This is the base repository that I am following for all packages. I follow the unstable branch.</li>
+This is the base repository that I am following for all packages. I follow the unstable branch. Also I pull in some older revisions of nixpkgs stable for various purposes.</li>
 <li><a href="https://github.com/nix-community/home-manager">home-manager</a>
 This handles user-level configuration and mostly provides dotfiles that are generated and symlinked to <code>~/.config/</code>.</li>
-<li><a href="https://github.com/Swarsel/.dotfiles">swarsel</a>
-This pulls in the very dotfiles you are currently reading. I am adding this to the flake registry in order to have easier access to my customizations in nix calls, for example <code>nix-instantiate</code></li>
+<li><a href="https://github.com/Swarsel/swarsel-nix">swarsel-nix</a>
+This pulls in the very dotfiles you are currently reading. I am adding this to the flake registry in order to</li>
 <li><a href="https://github.com/nix-community/NUR">NUR</a>
 The nix user repository contains user provided modules, packages and expressions. These are not audited by the nix community, so be aware of supply chain vulnerabilities when using those. I am only really using rycee's firefox addons from there which saves me a lot of hassle, and it seems to be a safe resource.</li>
 <li><a href="https://github.com/nix-community/nixGL">nixGL</a>
-This solves the problem that nix has with "OpenGL", as libraries are not linked and programs will often fail to find drivers. But I do not fully understand what it does. All I know is that I usually have to use this on non-NIxoS systems.</li>
+This solves the problem that nix has with <code>OpenGL</code>, as libraries are not linked and programs will often fail to find drivers. Nowadays, this is included in the <a href="#h:90af1862-90b3-4c93-8730-2443bc62986a">nixGL</a> module of home-manager, but even that requres a binary for nixGL, which is what I pull from this input.</li>
 <li><a href="https://github.com/danth/stylix">stylix</a>
 As described before, this handles all theme related options.</li>
 <li><a href="https://github.com/Mic92/sops-nix">sops-nix</a>
@@ -1542,10 +1614,39 @@ After learning that MacOS systems can also be configured using nix, I managed to
 Provides access to several checks that can be hooked to be run before several stages in the process.</li>
 <li><a href="https://github.com/oddlama/nix-topology">nix-topology</a>
 This automatically creates a topology diagram of my configuration.</li>
-<li>flake-parts
+<li><a href="https://github.com/hercules-ci/flake-parts">flake-parts</a>
 The aforementioned system that allows for more convenient flake crafting.</li>
-<li>devshell
+<li><a href="https://github.com/numtide/devshell">devshell</a>
 This provides devshell support for flake-parts</li>
+<li><a href="https://github.com/Gerg-L/spicetify-nix">spicetify</a>
+This is a improved spotify client. This provides a NixOs module to manage it.</li>
+<li><a href="https://github.com/sodiboo/niri-flake">niri-flake</a>
+This is an optional input that I reserve to use in the future; it provides a module to manage <a href="#h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb">Niri</a> in a way that is way more all-encompassing than the current modules in nixpkgs/home-manager. However, I do not include this by default as this leads to a full compilation of latest niri - this is used only be the niri config evaluator, but is even built if niri is not included in the final config. Also, the binary cache provided by this flake does usually not have the latest niri cached.</li>
+<li><a href="https://github.com/microvm-nix/microvm.nix">microvm.nix</a>
+This flake brings support for microvms to nix. This is basically a more isolated alternative to classic NixOs containers, while keeping most of their benefits.</li>
+<li><a href="https://github.com/numtide/treefmt-nix">treefmt-nix</a>
+This allows to specify a range of formatters for different languages and aspects which can all be run upon <code>nix fmt</code>.</li>
+<li><p>
+<a href="https://github.com/oddlama/nixos-extra-modules">nixos-extra-modules</a>
+This is a collection of modules that add some qualitative functions to several aspects of nix, for example:
+</p>
+<ul class="org-ul">
+<li>microvm management</li>
+<li>wireguard support for nix-topology</li>
+<li>some extensions to the network library</li>
+</ul>
+
+<p>
+At the moment I am not using the full range of modules, but my usage keeps increasing steadily. Using this module forced me to make some adjustments in my config, namely exposing the <code>nodes</code> output in <a href="#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">Hosts</a>.
+</p></li>
+<li><a href="https://github.com/nix-community/dns.nix">dns.nix</a>
+This adds a module that helps with creating zone files (like <a href="#h:dc1dbc54-46f7-406d-a551-527e97439614">nsd (dns) - site1</a>). This flake was competing with <a href="https://github.com/Janik-Haag/nixos-dns/">NixOS-DNS</a> for my favour - while the latter adds many nice utilities that generage records straight from a host configuration, I prefer to do this myself using the <a href="#h:af83893d-c0f9-4b45-b816-4849110d41b3">Globals</a> + <a href="#h:5c3027b4-ba66-445e-9c5f-c27e332c90e5">Share configuration between nodes (automatically active)</a> systems. In the end, I just tried out dns.nix without giving NixOS-DNS a chance and it has been working great, but I believe NixOS-DNS still deserves a mention here, as it would have been a great fit as well, most likely.</li>
+<li><a href="https://github.com/Infinidoge/nix-minecraft">nix-minecraft</a>
+This adds a module that makes it easier to manage (modded) minecraft servers. At the moment, it does not really work with Forge 1.20.1 (which is what my server is running), so I am not making full use of it right now, but I keep close watch on it every day.</li>
+<li><a href="https://gitlab.com/simple-nixos-mailserver/nixos-mailserver">nixos-mailserver</a>
+This adds a module that basically sets up a full mailserver stack. Apart of DNS records and a few extra steps for e.g. a web client, this is one-stop solution that has been working greatly for me.</li>
+<li><a href="https://github.com/NixOS/hydra">hydra</a>
+The hydra module already exists in nixpkgs - however, because, I am also using <a href="https://github.com/shlevy/nix-plugins">nix-plugins</a>, I need to build all tools that are using nix against a specific nix version (this is also why I pull in <code>nix-eval-jobs</code> as a flake input).</li>
 </ul>
 
 <div class="org-src-container">
@@ -1562,6 +1663,20 @@ This provides devshell support for flake-parts</li>
   };
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    hydra.url = "github:nixos/hydra/nix-2.30";
+    # hydra.inputs.nix.follows = "nix";
+    hydra.inputs.nix-eval-jobs.follows = "nix-eval-jobs";
+    # nix = {
+    #   url = "github:NixOS/nix/2.30-maintenance";
+    #   # We want to control the deps precisely
+    #   flake = false;
+    # };
+    nix-eval-jobs = {
+      url = "github:nix-community/nix-eval-jobs/v2.30.0";
+      # We want to control the deps precisely
+      flake = false;
+    };
+
     smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&amp;shallow=1";
     nixpkgs-dev.url = "github:Swarsel/nixpkgs/main";
     nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version
@@ -3872,11 +3987,13 @@ This is my main server that I run at home. It handles most tasks that require bi
 <h6 id="h:8ad68406-4a75-45ba-97ad-4c310b921124"><span class="section-number-6">3.1.2.3.1.</span> Main Configuration</h6>
 <div class="outline-text-6" id="text-h:8ad68406-4a75-45ba-97ad-4c310b921124">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ lib, minimal, ... }:
+<pre class="src src-nix-ts">{ self, lib, minimal, ... }:
 {
 
   imports = [
     ./hardware-configuration.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
   ];
 
   boot = {
@@ -3899,8 +4016,12 @@ This is my main server that I run at home. It handles most tasks that require bi
     isBtrfs = false;
     isLinux = true;
     isNixos = true;
-    proxyHost = "moonside";
+    proxyHost = "twothreetunnel";
     server = {
+      wireguard = {
+        isClient = true;
+        serverName = "twothreetunnel";
+      };
       restic = {
         bucketName = "SwarselWinters";
         paths = [
@@ -3932,6 +4053,7 @@ This is my main server that I run at home. It handles most tasks that require bi
 
   swarselmodules.server = {
     diskEncryption = lib.mkForce false;
+    wireguard = lib.mkDefault true;
     nfs = lib.mkDefault true;
     nginx = lib.mkDefault true;
     kavita = lib.mkDefault true;
@@ -4047,16 +4169,21 @@ This is my main server that I run at home. It handles most tasks that require bi
     loader.efi.canTouchEfiVariables = true;
   };
 
+  node.lockFromBootstrapping = lib.mkForce false;
+
   swarselsystems = {
     info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
     flakePath = "/root/.dotfiles";
     isImpermanence = true;
-    isSecureBoot = true;
+    isSecureBoot = false;
     isCrypted = true;
     isBtrfs = true;
     isLinux = true;
     isNixos = true;
+    isSwap = false;
+    rootDisk = "/dev/disk/by-id/ata-TS128GMTS430S_H537280456";
     withMicroVMs = false;
+    server.localNetwork = "lan";
   };
 
 } // lib.optionalAttrs (!minimal) {
@@ -4065,39 +4192,8 @@ This is my main server that I run at home. It handles most tasks that require bi
     server = true;
   };
 
-  swarselmodules = {
-    server = {
-      diskEncryption = lib.mkForce false; # TODO: disable
-      nfs = false;
-      nginx = false;
-      kavita = false;
-      restic = false;
-      jellyfin = false;
-      navidrome = false;
-      spotifyd = false;
-      mpd = false;
-      postgresql = false;
-      matrix = false;
-      nextcloud = false;
-      immich = false;
-      paperless = false;
-      transmission = false;
-      syncthing = false;
-      grafana = false;
-      emacs = false;
-      freshrss = false;
-      jenkins = false;
-      kanidm = false;
-      firefly-iii = false;
-      koillection = false;
-      radicale = false;
-      atuin = false;
-      forgejo = false;
-      ankisync = false;
-      homebox = false;
-      opkssh = false;
-      garage = false;
-    };
+  swarselmodules.server = {
+    nginx = lib.mkForce false;
   };
 
   microvm.vms =
@@ -4343,19 +4439,21 @@ in
 <h6 id="h:624b3c6a-6e31-4734-a6ea-7c5b461a3429"><span class="section-number-6">3.1.2.5.1.</span> Main Configuration</h6>
 <div class="outline-text-6" id="text-h:624b3c6a-6e31-4734-a6ea-7c5b461a3429">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ lib, minimal,  ... }:
+<pre class="src src-nix-ts">{ self, lib, minimal,  ... }:
 {
 
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
   ];
 
   swarselsystems = {
     info = "HUNSN RM02, 8GB RAM";
     flakePath = "/root/.dotfiles";
     isImpermanence = true;
-    isSecureBoot = true;
+    isSecureBoot = false;
     isCrypted = true;
     isBtrfs = true;
     isLinux = true;
@@ -4641,7 +4739,7 @@ My phone. I use only a minimal config for remote debugging here.
 <h5 id="h:ced1795a-9884-4277-bcde-6f7b9b1cc2f0"><span class="section-number-5">3.1.2.8.</span> Treehouse (DGX Spark)</h5>
 <div class="outline-text-5" id="text-h:ced1795a-9884-4277-bcde-6f7b9b1cc2f0">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ self, lib, pkgs, ... }:
+<pre class="src src-nix-ts">{ self, pkgs, ... }:
 {
 
   imports = [
@@ -4709,34 +4807,18 @@ This machine mainly acts as my proxy server to stand before my local machines.
 <h6 id="h:a8f20a56-ce92-43d8-8bfe-3edccebf2bf9"><span class="section-number-6">3.1.3.1.1.</span> Main Configuration</h6>
 <div class="outline-text-6" id="text-h:a8f20a56-ce92-43d8-8bfe-3edccebf2bf9">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ lib, config, minimal, ... }:
+<pre class="src src-nix-ts">{ self, lib, config, minimal, ... }:
 let
   inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
-  inherit (config.swarselsystems) sopsFile;
 in
 {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
   ];
 
-  sops = {
-    age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
-    secrets = {
-      wireguard-private-key = { inherit sopsFile; };
-      wireguard-home-preshared-key = { inherit sopsFile; };
-    };
-  };
-
-  boot = {
-    loader.systemd-boot.enable = true;
-    tmp.cleanOnBoot = true;
-  };
-
-  environment = {
-    etc."issue".text = "\4";
-  };
-
   topology.self = {
     icon = "devices.cloud-server";
     interfaces.wg = {
@@ -4747,45 +4829,6 @@ in
     };
   };
 
-  networking = {
-    domain = "subnet03291956.vcn03291956.oraclevcn.com";
-    firewall = {
-      allowedTCPPorts = [ 8384 ];
-    };
-    wireguard = {
-      enable = true;
-      interfaces = {
-        home-vpn = {
-          privateKeyFile = config.sops.secrets.wireguard-private-key.path;
-          # ips = [ "192.168.3.4/32" ];
-          ips = [ "192.168.178.201/24" ];
-          peers = [
-            {
-              # publicKey = "NNGvakADslOTCmN9HJOW/7qiM+oJ3jAlSZGoShg4ZWw=";
-              publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
-              presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
-              name = "moonside";
-              persistentKeepalive = 25;
-              # endpoint = "${config.repo.secrets.common.ipv4}:51820";
-              endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
-              # allowedIPs = [
-              #   "192.168.3.0/24"
-              #   "192.168.1.0/24"
-              # ];
-              allowedIPs = [
-                "192.168.178.0/24"
-              ];
-            }
-          ];
-        };
-      };
-    };
-  };
-
-  hardware = {
-    enableAllFirmware = lib.mkForce false;
-  };
-
   system.stateVersion = "23.11";
 
   services.syncthing = {
@@ -4848,7 +4891,13 @@ in
     isBtrfs = true;
     isNixos = true;
     isLinux = true;
+    isCloud = true;
+    proxyHost = "twothreetunnel";
     server = {
+      wireguard = {
+        isClient = true;
+        serverName = "twothreetunnel";
+      };
       restic = {
         bucketName = "SwarselMoonside";
         paths = [
@@ -4866,7 +4915,7 @@ in
   };
 
   swarselmodules.server = {
-    oauth2-proxy = true;
+    wireguard = true;
     croc = true;
     microbin = true;
     shlink = true;
@@ -5076,7 +5125,12 @@ in
     isNixos = true;
     isLinux = true;
     isCloud = true;
+    proxyHost = "twothreetunnel";
     server = {
+      wireguard = {
+        isClient = true;
+        serverName = "twothreetunnel";
+      };
       garage = {
         data_dir = {
           capacity = "150G";
@@ -5099,10 +5153,12 @@ in
   };
 
   swarselmodules.server = {
-    ssh-builder = lib.mkDefault true;
-    postgresql = lib.mkDefault true;
-    attic = lib.mkDefault true;
-    garage = lib.mkDefault true;
+    wireguard = true;
+    ssh-builder = true;
+    postgresql = true;
+    attic = true;
+    garage = true;
+    hydra = true;
     dns-hostrecord = true;
   };
 
@@ -5266,12 +5322,12 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org92858eb" class="outline-5">
-<h5 id="org92858eb"><span class="section-number-5">3.1.3.3.</span> Stoicclub (OCI)</h5>
+<div id="outline-container-orgb102012" class="outline-5">
+<h5 id="orgb102012"><span class="section-number-5">3.1.3.3.</span> Stoicclub (OCI)</h5>
 <div class="outline-text-5" id="text-3-1-3-3">
 </div>
-<div id="outline-container-org4fcacfe" class="outline-6">
-<h6 id="org4fcacfe"><span class="section-number-6">3.1.3.3.1.</span> Main Configuration</h6>
+<div id="outline-container-orgfc0dbd1" class="outline-6">
+<h6 id="orgfc0dbd1"><span class="section-number-6">3.1.3.3.1.</span> Main Configuration</h6>
 <div class="outline-text-6" id="text-3-1-3-3-1">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, lib, minimal, ... }:
@@ -5319,8 +5375,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org37ab960" class="outline-6">
-<h6 id="org37ab960"><span class="section-number-6">3.1.3.3.2.</span> hardware-configuration</h6>
+<div id="outline-container-org44fa175" class="outline-6">
+<h6 id="org44fa175"><span class="section-number-6">3.1.3.3.2.</span> hardware-configuration</h6>
 <div class="outline-text-6" id="text-3-1-3-3-2">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, modulesPath, ... }:
@@ -5342,8 +5398,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgb3e7776" class="outline-6">
-<h6 id="orgb3e7776"><span class="section-number-6">3.1.3.3.3.</span> disko</h6>
+<div id="outline-container-org64ed767" class="outline-6">
+<h6 id="org64ed767"><span class="section-number-6">3.1.3.3.3.</span> disko</h6>
 <div class="outline-text-6" id="text-3-1-3-3-3">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, pkgs, config, ... }:
@@ -5473,12 +5529,12 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgbc61b21" class="outline-5">
-<h5 id="orgbc61b21"><span class="section-number-5">3.1.3.4.</span> Liliputsteps (OCI)</h5>
+<div id="outline-container-org629ed1e" class="outline-5">
+<h5 id="org629ed1e"><span class="section-number-5">3.1.3.4.</span> Liliputsteps (OCI)</h5>
 <div class="outline-text-5" id="text-3-1-3-4">
 </div>
-<div id="outline-container-orgcdf9524" class="outline-6">
-<h6 id="orgcdf9524"><span class="section-number-6">3.1.3.4.1.</span> Main Configuration</h6>
+<div id="outline-container-orgfd14c2b" class="outline-6">
+<h6 id="orgfd14c2b"><span class="section-number-6">3.1.3.4.1.</span> Main Configuration</h6>
 <div class="outline-text-6" id="text-3-1-3-4-1">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, lib, minimal, ... }:
@@ -5528,8 +5584,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org3af6345" class="outline-6">
-<h6 id="org3af6345"><span class="section-number-6">3.1.3.4.2.</span> hardware-configuration</h6>
+<div id="outline-container-orgac947ce" class="outline-6">
+<h6 id="orgac947ce"><span class="section-number-6">3.1.3.4.2.</span> hardware-configuration</h6>
 <div class="outline-text-6" id="text-3-1-3-4-2">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, modulesPath, ... }:
@@ -5551,8 +5607,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org4a8754e" class="outline-6">
-<h6 id="org4a8754e"><span class="section-number-6">3.1.3.4.3.</span> disko</h6>
+<div id="outline-container-org0f9eb0b" class="outline-6">
+<h6 id="org0f9eb0b"><span class="section-number-6">3.1.3.4.3.</span> disko</h6>
 <div class="outline-text-6" id="text-3-1-3-4-3">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, pkgs, config, ... }:
@@ -5682,12 +5738,12 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org9fe1d65" class="outline-5">
-<h5 id="org9fe1d65"><span class="section-number-5">3.1.3.5.</span> Twothreetunnel (OCI)</h5>
+<div id="outline-container-org8e0d485" class="outline-5">
+<h5 id="org8e0d485"><span class="section-number-5">3.1.3.5.</span> Twothreetunnel (OCI)</h5>
 <div class="outline-text-5" id="text-3-1-3-5">
 </div>
-<div id="outline-container-org5ae56f6" class="outline-6">
-<h6 id="org5ae56f6"><span class="section-number-6">3.1.3.5.1.</span> Main Configuration</h6>
+<div id="outline-container-orgb29f023" class="outline-6">
+<h6 id="orgb29f023"><span class="section-number-6">3.1.3.5.1.</span> Main Configuration</h6>
 <div class="outline-text-6" id="text-3-1-3-5-1">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, lib, minimal, ... }:
@@ -5715,6 +5771,18 @@ in
     isNixos = true;
     isLinux = true;
     isCloud = true;
+    server = {
+      wireguard = {
+        ifName = "wg";
+        isServer = true;
+        peers = [
+          "moonside"
+          "winters"
+          "belchsfactory"
+          "eagleland"
+        ];
+      };
+    };
   };
 } // lib.optionalAttrs (!minimal) {
   swarselprofiles = {
@@ -5722,8 +5790,10 @@ in
   };
 
   swarselmodules.server = {
-    nginx = false;
+    nginx = true; # for now
+    oauth2-proxy = true; # for now
     dns-hostrecord = true;
+    wireguard = true;
   };
 
 }
@@ -5732,8 +5802,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgfb373a9" class="outline-6">
-<h6 id="orgfb373a9"><span class="section-number-6">3.1.3.5.2.</span> hardware-configuration</h6>
+<div id="outline-container-org62cc621" class="outline-6">
+<h6 id="org62cc621"><span class="section-number-6">3.1.3.5.2.</span> hardware-configuration</h6>
 <div class="outline-text-6" id="text-3-1-3-5-2">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, modulesPath, ... }:
@@ -5755,8 +5825,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org91b78ef" class="outline-6">
-<h6 id="org91b78ef"><span class="section-number-6">3.1.3.5.3.</span> disko</h6>
+<div id="outline-container-org6b396fd" class="outline-6">
+<h6 id="org6b396fd"><span class="section-number-6">3.1.3.5.3.</span> disko</h6>
 <div class="outline-text-6" id="text-3-1-3-5-3">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, pkgs, config, ... }:
@@ -5928,6 +5998,7 @@ in
   swarselmodules.server = {
     mailserver = true;
     dns-hostrecord = true;
+    postgresql = true;
   };
 
   swarselprofiles = {
@@ -8049,6 +8120,9 @@ Needed for control over system-wide privileges etc. Also I make sure that the ro
   config = lib.mkIf config.swarselmodules.security {
 
     security = {
+      # pki.certificateFiles = [
+      #   config.sops.secrets.harica-root-ca.path
+      # ];
       pam.services = lib.mkIf (!minimal) {
         login.u2fAuth = true;
         sudo.u2fAuth = true;
@@ -8223,7 +8297,7 @@ Here I only enable <code>networkmanager</code> and a few default networks. The r
 <pre class="src src-nix-ts">{ self, lib, pkgs, config, globals, ... }:
 let
   certsSopsFile = self + /secrets/repo/certs.yaml;
-  clientSopsFile = "${config.node.secretsDir}/secrets.yaml";
+  clientSopsFile = config.node.secretsDir + "/secrets.yaml";
 
   inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
 
@@ -8542,7 +8616,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 </ul>
 
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ config, lib, ... }:
+<pre class="src src-nix-ts">{ self, config, lib, ... }:
 {
   options.swarselmodules.sops = lib.mkEnableOption "sops config";
   config = lib.mkIf config.swarselmodules.sops {
@@ -8550,7 +8624,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 
       # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
       age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
-      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
+      # defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
+      defaultSopsFile = self + "/secrets/repo/common.yaml";
 
       validateSopsFiles = false;
 
@@ -8561,8 +8636,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 </div>
 </div>
 </div>
-<div id="outline-container-org67f054d" class="outline-5">
-<h5 id="org67f054d"><span class="section-number-5">3.2.2.11.</span> Remote building</h5>
+<div id="outline-container-org971dd05" class="outline-5">
+<h5 id="org971dd05"><span class="section-number-5">3.2.2.11.</span> Remote building</h5>
 <div class="outline-text-5" id="text-3-2-2-11">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, globals, ... }:
@@ -8604,6 +8679,7 @@ in
         }
       ];
     };
+
     programs.ssh = {
       knownHosts = {
         nixbuild = {
@@ -9730,6 +9806,7 @@ in
       sops
       swarsel-deploy
       tmux
+      busybox
     ];
   };
 }
@@ -9804,10 +9881,9 @@ in
 <h5 id="h:302468d2-106a-41c8-b2bc-9fdc40064a9c"><span class="section-number-5">3.2.3.5.</span> NGINX</h5>
 <div class="outline-text-5" id="text-h:302468d2-106a-41c8-b2bc-9fdc40064a9c">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ pkgs, lib, config, ... }:
+<pre class="src src-nix-ts">{ pkgs, lib, config, globals, ... }:
 let
-  inherit (config.repo.secrets.common) dnsProvider dnsBase;
-  inherit (config.repo.secrets.common.mail) address3;
+  inherit (config.repo.secrets.common) dnsProvider dnsBase dnsMail;
 
   serviceUser = "nginx";
   serviceGroup = serviceUser;
@@ -9824,42 +9900,66 @@ in
   options.swarselmodules.server.nginx = lib.mkEnableOption "enable nginx on server";
   options.services.nginx = {
     recommendedSecurityHeaders = lib.mkEnableOption "additional security headers by default in each location block.";
+    defaultStapling = lib.mkEnableOption "add ssl stapling in each location block..";
     virtualHosts = lib.mkOption {
       type = lib.types.attrsOf (
-        lib.types.submodule {
-          options.locations = lib.mkOption {
-            type = lib.types.attrsOf (
-              lib.types.submodule (submod: {
-                options = {
-                  recommendedSecurityHeaders = lib.mkOption {
-                    type = lib.types.bool;
-                    default = config.services.nginx.recommendedSecurityHeaders;
-                    description = "Whether to add additional security headers to this location.";
+        lib.types.submodule (topmod: {
+          options = {
+            defaultStapling = lib.mkOption {
+              type = lib.types.bool;
+              default = config.services.nginx.defaultStapling;
+              description = "Whether to add ssl stapling to this location.";
+            };
+            locations = lib.mkOption {
+              type = lib.types.attrsOf (
+                lib.types.submodule (submod: {
+                  options = {
+                    recommendedSecurityHeaders = lib.mkOption {
+                      type = lib.types.bool;
+                      default = config.services.nginx.recommendedSecurityHeaders;
+                      description = "Whether to add additional security headers to this location.";
+                    };
+
+                    X-Frame-Options = lib.mkOption {
+                      type = lib.types.str;
+                      default = "DENY";
+                      description = "The value to use for X-Frame-Options";
+                    };
                   };
 
-                  X-Frame-Options = lib.mkOption {
-                    type = lib.types.str;
-                    default = "DENY";
-                    description = "The value to use for X-Frame-Options";
+                  config = {
+                    extraConfig = lib.mkIf submod.config.recommendedSecurityHeaders (lib.mkBefore ''
+                      # Hide upstream's versions
+                      proxy_hide_header Strict-Transport-Security;
+                      proxy_hide_header Referrer-Policy;
+                      proxy_hide_header X-Content-Type-Options;
+                      proxy_hide_header X-Frame-Options;
+
+                      # Enable HTTP Strict Transport Security (HSTS)
+                      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+
+                      # Minimize information leaked to other domains
+                      add_header Referrer-Policy "origin-when-cross-origin";
+
+                      add_header X-XSS-Protection "1; mode=block";
+                      add_header X-Frame-Options "${submod.config.X-Frame-Options}";
+                      add_header X-Content-Type-Options "nosniff";
+                    ''
+                    );
                   };
-                };
-                config = lib.mkIf submod.config.recommendedSecurityHeaders {
-                  extraConfig = lib.mkBefore ''
-                    # Enable HTTP Strict Transport Security (HSTS)
-                    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-
-                    # Minimize information leaked to other domains
-                    add_header Referrer-Policy "origin-when-cross-origin";
-
-                    add_header X-XSS-Protection "1; mode=block";
-                    add_header X-Frame-Options "${submod.config.X-Frame-Options}";
-                    add_header X-Content-Type-Options "nosniff";
-                  '';
-                };
-              })
-            );
+                })
+              );
+            };
           };
-        }
+          config = {
+            extraConfig = lib.mkIf topmod.config.defaultStapling (lib.mkAfter ''
+              ssl_stapling on;
+              ssl_stapling_verify on;
+              resolver 1.1.1.1 8.8.8.8 valid=300s;
+              resolver_timeout 5s;
+            '');
+          };
+        })
       );
     };
   };
@@ -9868,33 +9968,36 @@ in
       lego
     ];
 
-    sops = {
+    sops = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
       secrets = {
-        acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
+        acme-creds = { format = "json"; key = ""; group = "acme"; sopsFile = config.node.secretsDir + "/acme.json"; mode = "0660"; };
       };
       templates."certs.secret".content = ''
-        ACME_DNS_API_BASE=${dnsBase}
-        ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token}
+        ACME_DNS_API_BASE = ${dnsBase}
+        ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-creds.path}
       '';
     };
 
     users.groups.acme.members = [ "nginx" ];
 
-    security.acme = {
+    security.acme = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
       acceptTerms = true;
       defaults = {
         inherit dnsProvider;
-        email = address3;
+        email = dnsMail;
         environmentFile = "${config.sops.templates."certs.secret".path}";
         reloadServices = [ "nginx" ];
         dnsPropagationCheck = true;
       };
+      certs."${globals.domains.main}" = {
+        domain = "*.${globals.domains.main}";
+      };
     };
 
     networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
-      directories = [ { directory = "/var/lib/acme"; } ];
+      directories = [{ directory = "/var/lib/acme"; }];
       files = [ dhParamsPathBase ];
     };
 
@@ -9909,6 +10012,7 @@ in
       recommendedGzipSettings = true;
       recommendedBrotliSettings = true;
       recommendedSecurityHeaders = true;
+      defaultStapling = true;
       sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:!aNULL";
       sslDhparam = dhParamsPathBase;
       virtualHosts.fallback = {
@@ -9935,11 +10039,11 @@ in
         ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""}
 
         if [ ! -f "${dhParamsPath}" ]; then
-          ${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096
-          chmod 0644 "${dhParamsPath}"
-          chown ${serviceUser}:${serviceGroup} "${dhParamsPath}"
+        ${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096
+        chmod 0644 "${dhParamsPath}"
+        chown ${serviceUser}:${serviceGroup} "${dhParamsPath}"
         else
-          echo 'Already generated DHParams'
+        echo 'Already generated DHParams'
         fi
       '';
     };
@@ -10021,8 +10125,8 @@ Here I am forcing <code>startWhenNeeded</code> to false so that the value will n
 </div>
 </div>
 </div>
-<div id="outline-container-orgb4a730c" class="outline-5">
-<h5 id="orgb4a730c"><span class="section-number-5">3.2.3.7.</span> Bastion</h5>
+<div id="outline-container-org8e70117" class="outline-5">
+<h5 id="org8e70117"><span class="section-number-5">3.2.3.7.</span> Bastion</h5>
 <div class="outline-text-5" id="text-3-2-3-7">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, lib, config, ... }:
@@ -10096,8 +10200,8 @@ Here I am forcing <code>startWhenNeeded</code> to false so that the value will n
 </div>
 </div>
 </div>
-<div id="outline-container-org2bc1b25" class="outline-5">
-<h5 id="org2bc1b25"><span class="section-number-5">3.2.3.8.</span> ssh builder config</h5>
+<div id="outline-container-org47acf2d" class="outline-5">
+<h5 id="org47acf2d"><span class="section-number-5">3.2.3.8.</span> ssh builder config</h5>
 <div class="outline-text-5" id="text-3-2-3-8">
 <p>
 Restricts access to the system by the nix build user as per <a href="https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834">https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834</a>.
@@ -10137,6 +10241,14 @@ in
       };
     };
 
+    services.openssh = {
+      settings = {
+        AllowUsers = [
+          "builder"
+        ];
+      };
+    };
+
   };
 }
 </pre>
@@ -10155,7 +10267,7 @@ Generate hostId using <code>head -c4 /dev/urandom | od -A none -t x4</code>
 let
   netConfig = config.repo.secrets.local.networking;
   netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}";
-  netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
+  # netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
 in
 {
   options = {
@@ -10167,7 +10279,7 @@ in
       };
       netConfigName = lib.mkOption {
         type = lib.types.str;
-        default = netName;
+        default = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
         readOnly = true;
       };
       netConfigPrefix = lib.mkOption {
@@ -10181,10 +10293,21 @@ in
 
     swarselsystems.server.localNetwork = netConfig.localNetwork or "";
 
-    globals.networks.${netName}.hosts.${config.node.name} = {
-      inherit (netConfig.networks.${netConfig.localNetwork}) id;
-      mac = netConfig.networks.${netConfig.localNetwork}.mac or null;
-    };
+    # globals.networks.${netName}.hosts.${config.node.name} = {
+    #   inherit (netConfig.networks.${netConfig.localNetwork}) id;
+    #   mac = netConfig.networks.${netConfig.localNetwork}.mac or null;
+    # };
+
+    globals.networks = lib.mapAttrs'
+      (netName: _:
+        lib.nameValuePair "${netPrefix}-${netName}" {
+          hosts.${config.node.name} = {
+            inherit (netConfig.networks.${netName}) id;
+            mac = netConfig.networks.${netName}.mac or null;
+          };
+        }
+      )
+      netConfig.networks;
 
     globals.hosts.${config.node.name} = {
       inherit (config.repo.secrets.local.networking) defaultGateway4;
@@ -10438,6 +10561,7 @@ in
         "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
       ];
       initrd = {
+        secrets."${hostKeyPathBase}" = lib.mkIf (!minimal) hostKeyPathBase;
         availableKernelModules = config.swarselsystems.networkKernelModules;
         network = {
           enable = true;
@@ -10487,141 +10611,191 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org1c4f7ad" class="outline-5">
-<h5 id="org1c4f7ad"><span class="section-number-5">3.2.3.11.</span> Wireguard</h5>
+<div id="outline-container-org944eba1" class="outline-5">
+<h5 id="org944eba1"><span class="section-number-5">3.2.3.11.</span> Wireguard</h5>
 <div class="outline-text-5" id="text-3-2-3-11">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ lib, config, confLib ... }:
+<pre class="src src-nix-ts">{ self, lib, pkgs, config, confLib, nodes, globals, ... }:
 let
   wgInterface = "wg0";
   inherit (confLib.gen { name = "wireguard"; port = 52829; user = "systemd-network"; group = "systemd-network"; }) servicePort serviceName serviceUser serviceGroup;
 
   inherit (config.swarselsystems) sopsFile;
-  inherit (config.swarselsystems.server.wireguard) peers isClient isServer;
+  wgSopsFile = self + "/secrets/repo/wg.yaml";
+  inherit (config.swarselsystems.server.wireguard) peers isClient isServer serverName serverNetConfigPrefix ifName;
 in
 {
   options = {
-    swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
+    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
     swarselsystems.server.wireguard = {
       isServer = lib.mkEnableOption "set this as a wireguard server";
+      isClient = lib.mkEnableOption "set this as a wireguard client";
+      serverName = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+      };
+      serverNetConfigPrefix = lib.mkOption {
+        type = lib.types.str;
+        default = "${if nodes.${serverName}.config.swarselsystems.isCloud then nodes.${serverName}.config.node.name else "home"}";
+        readOnly = true;
+      };
+      ifName = lib.mkOption {
+        type = lib.types.str;
+        default = wgInterface;
+      };
       peers = lib.mkOption {
-        type = lib.types.listOf (lib.types.submodule {
-          freeformType = lib.types.attrs;
-          options = { };
-        });
+        type = lib.types.listOf lib.types.str;
         default = [ ];
-        description = "Wireguard peer submodules as expected by systemd.network.netdevs.&lt;name&gt;.wireguardPeers";
+        description = "Wireguard peer config names";
       };
-      ;
-      };
-      config = lib.mkIf config.swarselmodules.${serviceName} {
+    };
 
-        sops = {
-          secrets = {
-            wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
-            wireguard-home-preshared-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
-          };
+  };
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
+
+    environment.systemPackages = with pkgs; [
+      wireguard-tools
+    ];
+
+    sops = {
+      secrets = {
+        wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+        # create this secret only if this is a simple client with only one peer (the server)
+        "wireguard-${serverName}-${config.node.name}-presharedKey" = lib.mkIf (isClient &amp;&amp; peers == [ ]) { sopsFile = wgSopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+      }
+      # create these secrets only if this host has multiple peers
+      // lib.optionalAttrs (peers != [ ]) (builtins.listToAttrs (map
+        (clientName: {
+          name = "wireguard-${config.node.name}-${clientName}-presharedKey";
+          value = { sopsFile = wgSopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
+        })
+        peers));
+    };
+
+    networking = {
+      firewall.checkReversePath = lib.mkIf isClient "loose";
+      firewall.allowedUDPPorts = [ servicePort ];
+      # nat = lib.mkIf (config.swarselsystems.isCloud &amp;&amp; isServer) {
+      #   enable = true;
+      #   enableIPv6 = true;
+      #   externalInterface = "enp0s6";
+      #   internalInterfaces = [ ifName ];
+      # };
+      # interfaces.${ifName}.mtu = 1280; # the default (1420) is not enough!
+    };
+
+    systemd.network = {
+      enable = true;
+
+      networks."50-${ifName}" = {
+        matchConfig.Name = ifName;
+        linkConfig = {
+          MTUBytes = 1408; # TODO: figure out where we lose those 12 bits (8 from pppoe maybe + ???)
         };
 
-        networking = {
-          firewall.allowedUDPPorts = [ servicePort ];
-          nat = {
-            enable = true;
-            enableIPv6 = true;
-            externalInterface = "ens6";
-            internalInterfaces = [ wgInterface ];
-          };
-        };
-
-        systemd.network = {
-          enable = true;
-
-          networks."50-${wgInterface}" = {
-            matchConfig.Name = wgInterface;
-
-            networkConfig = {
-              IPv4Forwarding = true;
-              IPv6Forwarding = true;
-            };
-
-            address = [
-              "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4}"
-              "${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6}"
-            ];
-          };
-
-          netdevs."50-wg0" = {
-            netdevConfig = {
-              Kind = "wireguard";
-              Name = wgInterface;
-            };
-
-            wireguardConfig = {
-              ListenPort = lib.mkIf isServer servicePort;
-
-              # ensure file is readable by `systemd-network` user
-              PrivateKeyFile = config.age.secrets.wg-key-vps.path;
-
-              # To automatically create routes for everything in AllowedIPs,
-              # add RouteTable=main
-              # RouteTable = "main";
-
-              # FirewallMark marks all packets send and received by wg0
-              # with the number 42, which can be used to define policy rules on these packets.
-              # FirewallMark = 42;
-            };
-            wireguardPeers = peers ++ lib.optionals isClient [
-              {
-                PublicKey = builtins.readFile "${self}/secrets/public/wg/${config.node.name}.pub";
-                PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path;
-                Endpoint = "${globals.hosts.${config.node.name}.wanAddress4}:${toString servicePort}";
-                # Access to the whole network is routed through our entry node.
-                AllowedIPs =
-                  (optional (networkCfg.cidrv4 != null) networkCfg.cidrv4)
-                    ++ (optional (networkCfg.cidrv6 != null) networkCfg.cidrv6);
-              }
-            ];
-          };
-        };
-
-        # networking = {
-        #   wireguard = {
-        #     enable = true;
-        #     interfaces = {
-        #       wg1 = {
-        #         privateKeyFile = config.sops.secrets.wireguard-private-key.path;
-        #         ips = [ "192.168.178.201/24" ];
-        #         peers = [
-        #           {
-        #             publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
-        #             presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
-        #             name = "moonside";
-        #             persistentKeepalive = 25;
-        #             # endpoint = "${config.repo.secrets.common.ipv4}:51820";
-        #             endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
-        #             # allowedIPs = [
-        #             #   "192.168.3.0/24"
-        #             #   "192.168.1.0/24"
-        #             # ];
-        #             allowedIPs = [
-        #               "192.168.178.0/24"
-        #             ];
-        #           }
-        #         ];
-        #       };
-        #     };
-        #   };
+        # networkConfig = lib.mkIf (config.swarselsystems.isCloud &amp;&amp; isServer) {
+        #   IPv4Forwarding = true;
+        #   IPv6Forwarding = true;
         # };
 
+        address = if isServer then [
+          globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4
+          globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6
+        ] else [
+          globals.networks."${serverNetConfigPrefix}-wg".hosts.${config.node.name}.cidrv4
+          globals.networks."${serverNetConfigPrefix}-wg".hosts.${config.node.name}.cidrv6
+        ];
+      };
+
+      netdevs."50-${ifName}" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = ifName;
+        };
+
+        wireguardConfig = {
+          ListenPort = lib.mkIf isServer servicePort;
+
+          # ensure file is readable by `systemd-network` user
+          PrivateKeyFile = config.sops.secrets.wireguard-private-key.path;
+
+          # To automatically create routes for everything in AllowedIPs,
+          # add RouteTable=main
+          RouteTable = lib.mkIf isClient "main";
+
+          # FirewallMark marks all packets send and received by wg0
+          # with the number 42, which can be used to define policy rules on these packets.
+          # FirewallMark = 42;
+        };
+        wireguardPeers = lib.optionals isClient [
+          {
+            PublicKey = builtins.readFile "${self}/secrets/public/wg/${serverName}.pub";
+            PresharedKeyFile = config.sops.secrets."wireguard-${serverName}-${config.node.name}-presharedKey".path;
+            Endpoint = "server.${serverName}.${globals.domains.main}:${toString servicePort}";
+            # Access to the whole network is routed through our entry node.
+            PersistentKeepalive = 25;
+            AllowedIPs =
+              let
+                wgNetwork = globals.networks."${serverNetConfigPrefix}-wg";
+              in
+                (lib.optional (wgNetwork.cidrv4 != null) wgNetwork.cidrv4)
+                   ++ (lib.optional (wgNetwork.cidrv6 != null) wgNetwork.cidrv6);
+          }
+        ] ++ lib.optionals isServer (map
+          (clientName: {
+            PublicKey = builtins.readFile "${self}/secrets/public/wg/${clientName}.pub";
+            PresharedKeyFile = config.sops.secrets."wireguard-${config.node.name}-${clientName}-presharedKey".path;
+            # PersistentKeepalive = 25;
+            AllowedIPs =
+              let
+                clientInWgNetwork = globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${clientName};
+              in
+                (lib.optional (clientInWgNetwork.ipv4 != null) (lib.net.cidr.make 32 clientInWgNetwork.ipv4))
+                ++ (lib.optional (clientInWgNetwork.ipv6 != null) (lib.net.cidr.make 128 clientInWgNetwork.ipv6));
+          })
+          peers);
 
       };
-    }
+    };
+
+    # networking = {
+    #   wireguard = {
+    #     enable = true;
+    #     interfaces = {
+    #       wg1 = {
+    #         privateKeyFile = config.sops.secrets.wireguard-private-key.path;
+    #         ips = [ "192.168.178.201/24" ];
+    #         peers = [
+    #           {
+    #             publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
+    #             presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
+    #             name = "moonside";
+    #             persistentKeepalive = 25;
+    #             # endpoint = "${config.repo.secrets.common.ipv4}:51820";
+    #             endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
+    #             # allowedIPs = [
+    #             #   "192.168.3.0/24"
+    #             #   "192.168.1.0/24"
+    #             # ];
+    #             allowedIPs = [
+    #               "192.168.178.0/24"
+    #             ];
+    #           }
+    #         ];
+    #       };
+    #     };
+    #   };
+    # };
+
+
+  };
+}
 </pre>
 </div>
 </div>
 </div>
-<div id="outline-container-orge5e48f0" class="outline-5">
-<h5 id="orge5e48f0"><span class="section-number-5">3.2.3.12.</span> BTRFS</h5>
+<div id="outline-container-org5b371f2" class="outline-5">
+<h5 id="org5b371f2"><span class="section-number-5">3.2.3.12.</span> BTRFS</h5>
 <div class="outline-text-5" id="text-3-2-3-12">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -10759,7 +10933,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -10836,7 +11011,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -10979,7 +11155,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = true;
@@ -11520,7 +11697,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           listen = [
@@ -11636,7 +11814,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -11707,7 +11886,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -11861,7 +12041,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -12205,7 +12386,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -12307,7 +12489,7 @@ This section exposes several metrics that I use to check the health of my server
 </p>
 
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ self, lib, config, globals, dns, confLib, ... }:
+<pre class="src src-nix-ts">{ lib, config, globals, dns, confLib, ... }:
 let
   inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
 
@@ -12321,7 +12503,7 @@ let
 
   inherit (config.swarselsystems) sopsFile;
 
-  sopsFile2 = "${config.node.secretsDir}/secrets2.yaml";
+  # sopsFile2 = config.node.secretsDir + "/secrets2.yaml";
 in
 {
   options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@@ -12336,7 +12518,8 @@ in
         grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
-        prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
+        # prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
+        prometheus-admin-hash = { inherit sopsFile; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
 
       };
       templates = {
@@ -12535,7 +12718,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -12563,7 +12747,7 @@ in
 </div>
 </div>
 <div id="outline-container-h:23452a18-a0a1-4515-8612-ceb19bb5fc22" class="outline-5">
-<h5 id="h:23452a18-a0a1-4515-8612-ceb19bb5fc22"><span class="section-number-5">3.2.3.29.</span> Jenkins</h5>
+<h5 id="h:23452a18-a0a1-4515-8612-ceb19bb5fc22"><span class="section-number-5">3.2.3.29.</span> Jenkins (currently unused)</h5>
 <div class="outline-text-5" id="text-h:23452a18-a0a1-4515-8612-ceb19bb5fc22">
 <p>
 This is a WIP Jenkins instance. It is used to automatically build a new system when pushes to the main repository are detected. I have turned this service off for now however, as I actually prefer to start my builds manually.
@@ -12606,7 +12790,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -12766,7 +12951,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = true;
@@ -12936,7 +13122,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -13014,7 +13201,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -13051,6 +13239,18 @@ A stupid (but simple) way to get the <code>originUrl</code> is to simply set any
 To get other URLs (token, etc.), use <a href="https://&lt;kanidmdomain&gt;/oauth2/openid/%3CclientID%3E/.well-known/oauth-authorization-server">https://&lt;kanidmdomain&gt;/oauth2/openid/%3CclientID%3E/.well-known/oauth-authorization-server</a>, e.g. <a href="https://&lt;kanidmdomain&gt;/oauth2/openid/nextcloud/.well-known/oauth-authorization-server">https://&lt;kanidmdomain&gt;/oauth2/openid/nextcloud/.well-known/oauth-authorization-server</a>, with clienID being the client name as specified in kanidm.
 </p>
 
+<p>
+Create user:
+</p>
+
+<p>
+kanidm login -D idm<sub>admin</sub>
+</p>
+
+<p>
+kanidm person credential create-reset-token &lt;user&gt;
+</p>
+
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, lib, pkgs, config, globals, dns, confLib, ... }:
 let
@@ -13230,7 +13430,7 @@ in
 
     services = {
       ${serviceName} = {
-        package = pkgs.kanidmWithSecretProvisioning_1_7;
+        package = pkgs.kanidmWithSecretProvisioning_1_8;
         enableServer = true;
         serverSettings = {
           domain = serviceDomain;
@@ -13444,7 +13644,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -13678,7 +13879,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -13796,7 +13998,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = true;
@@ -13945,7 +14148,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -14008,7 +14212,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -14034,10 +14239,11 @@ in
 <h5 id="h:c1ca2d28-51d2-45bd-83b5-05007ae94ae6"><span class="section-number-5">3.2.3.39.</span> Radicale</h5>
 <div class="outline-text-5" id="text-h:c1ca2d28-51d2-45bd-83b5-05007ae94ae6">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ self, lib, config, globals, dns, confLib, ... }:
+<pre class="src src-nix-ts">{ lib, config, globals, dns, confLib, ... }:
 let
   inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
-  sopsFile = "${config.node.secretsDir}/secrets2.yaml";
+  # sopsFile = config.node.secretsDir + "/secrets2.yaml";
+  inherit (config.swarselsystems) sopsFile;
 
   cfg = config.services.${serviceName};
 in
@@ -14136,7 +14342,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = false;
@@ -14165,7 +14372,7 @@ in
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, lib, config, pkgs, dns, globals, confLib, ... }:
 let
-  inherit (confLib.gen { name = "croc"; }) serviceName serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.gen { name = "croc"; proxy = config.node.name; }) serviceName serviceDomain proxyAddress4 proxyAddress6;
   servicePorts = [
     9009
     9010
@@ -14362,7 +14569,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -14487,7 +14695,7 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -14593,7 +14801,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = true;
@@ -14618,13 +14827,14 @@ in
 </div>
 </div>
 <div id="outline-container-h:470f7ee3-3307-4949-b0fa-403171e3859a" class="outline-5">
-<h5 id="h:470f7ee3-3307-4949-b0fa-403171e3859a"><span class="section-number-5">3.2.3.44.</span> Snipe-IT</h5>
+<h5 id="h:470f7ee3-3307-4949-b0fa-403171e3859a"><span class="section-number-5">3.2.3.44.</span> Snipe-IT (currently unused)</h5>
 <div class="outline-text-5" id="text-h:470f7ee3-3307-4949-b0fa-403171e3859a">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ self, lib, config, globals, dns, confLib, ... }:
+<pre class="src src-nix-ts">{ lib, config, globals, dns, confLib, ... }:
 let
   inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
-  sopsFile = "${config.node.secretsDir}/secrets2.yaml";
+  # sopsFile = config.node.secretsDir + "/secrets2.yaml";
+  inherit (config.swarselsystems) sopsFile;
 
   serviceDB = "snipeit";
 
@@ -14678,7 +14888,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = false;
@@ -14745,7 +14956,8 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
+
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = false;
@@ -14859,8 +15071,8 @@ let
   garageAdminPort = 3903;
   garageK2VPort = 3904;
 
-  adminDomain = "${subDomain}admin.${baseDomain}";
-  webDomain = "${subDomain}web.${baseDomain}";
+  adminDomain = "${subDomain}-admin.${baseDomain}";
+  webDomain = "${subDomain}-web.${baseDomain}";
 in
 {
   options = {
@@ -14911,12 +15123,14 @@ in
       }
     ];
 
+    networking.firewall.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
+
     nodes.stoicclub.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
       "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      "${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      "${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+      "${subDomain}-admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+      "${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       "*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
-      "*.${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+      "*.${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
     };
 
     sops = {
@@ -15147,10 +15361,6 @@ in
       };
     };
 
-    security.acme.certs."${webDomain}" = {
-      domain = "*.${webDomain}";
-    };
-
     nodes.${serviceProxy}.services.nginx = {
       upstreams = {
         ${serviceName} = {
@@ -15171,7 +15381,7 @@ in
       };
       virtualHosts = {
         "${adminDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = false;
@@ -15182,7 +15392,7 @@ in
           };
         };
         "*.${webDomain}" = {
-          useACMEHost = webDomain;
+          useACMEHost = globals.domains.main;
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = false;
@@ -15194,7 +15404,7 @@ in
         };
         "${serviceDomain}" = {
           serverAliases = [ "*.${serviceDomain}" ];
-          enableACME = true;
+          useACMEHost = globals.domains.main;
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = false;
@@ -15203,6 +15413,11 @@ in
               proxyPass = "http://${serviceName}";
               extraConfig = ''
                 client_max_body_size 0;
+                client_body_timeout        600s;
+                proxy_connect_timeout      600s;
+                proxy_send_timeout         600s;
+                proxy_read_timeout         600s;
+                proxy_request_buffering    off;
               '';
             };
           };
@@ -15216,8 +15431,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgf67d718" class="outline-5">
-<h5 id="orgf67d718"><span class="section-number-5">3.2.3.48.</span> Set host domain for dns</h5>
+<div id="outline-container-org581e723" class="outline-5">
+<h5 id="org581e723"><span class="section-number-5">3.2.3.48.</span> Set host domain for dns</h5>
 <div class="outline-text-5" id="text-3-2-3-48">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, globals, dns, confLib, ... }:
@@ -15345,7 +15560,7 @@ with dns.lib.combinators; {
   SOA = {
     nameServer = "soa";
     adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
-    serial = 2025120203; # update this on changes for secondary dns
+    serial = 2025120506; # update this on changes for secondary dns
   };
 
   useOrigin = false;
@@ -15355,6 +15570,7 @@ with dns.lib.combinators; {
     "srv"
   ] ++ globals.domains.externalDns;
 
+  CAA = letsEncrypt config.repo.secrets.common.dnsMail;
 
   A = [ config.repo.secrets.local.dns.homepage-ip ];
 
@@ -15450,7 +15666,7 @@ with dns.lib.combinators; {
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; proxy = config.node.name; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6;
   inherit (config.swarselsystems) mainUser;
   worldName = "${mainUser}craft";
 in
@@ -15510,7 +15726,7 @@ in
 let
   inherit (config.swarselsystems) sopsFile;
   inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceDomain serviceProxy proxyAddress4 proxyAddress6;
-  inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 user3;
+  inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 user3;
   baseDomain = globals.domains.main;
 in
 {
@@ -15539,7 +15755,7 @@ in
       { directory = "/var/sieve"; user = serviceUser; group = serviceGroup; mode = "0770"; }
       { directory = "/var/dkim"; user = "rspamd"; group = "rspamd"; mode = "0700"; }
       { directory = serviceDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
-      { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
+      # { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
       { directory = "/var/lib/rspamd"; user = "rspamd"; group = "rspamd"; mode = "0700"; }
       { directory = "/var/lib/roundcube"; user = "roundcube"; group = "roundcube"; mode = "0700"; }
       { directory = "/var/lib/redis-rspamd"; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; }
@@ -15571,6 +15787,7 @@ in
           hashedPasswordFile = config.sops.secrets.user2-hashed-pw.path;
           aliases = [
             "${alias2_1}@${baseDomain}"
+            "${alias2_2}@${baseDomain}"
           ];
           sendOnly = true;
         };
@@ -15643,7 +15860,7 @@ $ attic cache create hello
 </p>
 
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ lib, config, globals, dns, confLib, ... }:
+<pre class="src src-nix-ts">{ lib, config, pkgs, globals, dns, confLib, ... }:
 let
   inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6;
   inherit (config.swarselsystems) mainUser isPublic sopsFile;
@@ -15681,8 +15898,33 @@ in
       };
     };
 
+    networking.firewall.allowedTCPPorts = [ servicePort ];
+
     services.atticd = {
       enable = true;
+      # NOTE: remove once https://github.com/zhaofengli/attic/pull/268 is merged
+      package = pkgs.attic-server.overrideAttrs
+        (oldAttrs: {
+          patches = (oldAttrs.patches or [ ]) ++ [
+            (pkgs.writeText "remove-s3-checksums.patch" ''
+              diff --git a/server/src/storage/s3.rs b/server/src/storage/s3.rs
+              index 1d5719f3..036f3263 100644
+              --- a/server/src/storage/s3.rs
+              +++ b/server/src/storage/s3.rs
+              @@ -278,10 +278,6 @@ impl StorageBackend for S3Backend {
+                               CompletedPart::builder()
+                                   .set_e_tag(part.e_tag().map(str::to_string))
+                                   .set_part_number(Some(part_number as i32))
+              -                    .set_checksum_crc32(part.checksum_crc32().map(str::to_string))
+              -                    .set_checksum_crc32_c(part.checksum_crc32_c().map(str::to_string))
+              -                    .set_checksum_sha1(part.checksum_sha1().map(str::to_string))
+              -                    .set_checksum_sha256(part.checksum_sha256().map(str::to_string))
+                                   .build()
+                           })
+                           .collect::&lt;Vec&lt;_&gt;&gt;();
+            '')
+          ];
+        });
       environmentFile = config.sops.templates."attic.env".path;
       settings = {
         listen = "[::]:${builtins.toString servicePort}";
@@ -15704,12 +15946,10 @@ in
             bucket = serviceName;
             # attic must be patched to never serve pre-signed s3 urls directly
             # otherwise it will redirect clients to this localhost endpoint
-            endpoint = "http://127.0.0.1:3900";
+            endpoint = "http://127.0.0.1:3900"; # garage port
           } else {
             type = "local";
             path = serviceDir;
-            # attic must be patched to never serve pre-signed s3 urls directly
-            # otherwise it will redirect clients to this localhost endpoint
           };
 
         garbage-collection = {
@@ -15718,11 +15958,11 @@ in
         };
 
         chunking = {
-          nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # 64 KiB
+          nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # garage using s3
 
-          min-size = 16 * 1024; # 16 KiB
-          avg-size = 64 * 1024; # 64 KiB
-          max-size = 256 * 1024; # 256 KiBize = 262144;
+          min-size = 16 * 1024;
+          avg-size = 64 * 1024;
+          max-size = 256 * 1024;
         };
       };
     };
@@ -15754,7 +15994,7 @@ in
       };
       virtualHosts = {
         "${serviceDomain}" = {
-          enableACME = true;
+          useACMEHost = globals.domains.main;
           forceSSL = true;
           acmeRoot = null;
           oauth2.enable = false;
@@ -15763,6 +16003,11 @@ in
               proxyPass = "http://${serviceName}";
               extraConfig = ''
                 client_max_body_size 0;
+                client_body_timeout        600s;
+                proxy_connect_timeout      600s;
+                proxy_send_timeout         600s;
+                proxy_read_timeout         600s;
+                proxy_request_buffering    off;
               '';
             };
           };
@@ -15776,6 +16021,157 @@ in
 </div>
 </div>
 </div>
+<div id="outline-container-org677d4e0" class="outline-5">
+<h5 id="org677d4e0"><span class="section-number-5">3.2.3.54.</span> Hydra</h5>
+<div class="outline-text-5" id="text-3-2-3-54">
+<p>
+Need to create user manually:
+</p>
+
+<p>
+$ hydra-create-user alice &#x2013;full-name 'Alice Q. User' \
+    &#x2013;email-address 'alice@example.org' &#x2013;password-prompt &#x2013;role admin
+</p>
+
+
+<div class="org-src-container">
+<pre class="src src-nix-ts">{ inputs, lib, config, globals, dns, confLib, ... }:
+let
+  inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6;
+  inherit (config.swarselsystems) sopsFile;
+in
+  {
+    options = {
+      swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+    };
+    config = lib.mkIf config.swarselmodules.server.${serviceName} {
+
+      nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+      };
+
+      globals.services.${serviceName} = {
+        domain = serviceDomain;
+        inherit proxyAddress4 proxyAddress6;
+      };
+
+      sops = {
+        secrets = {
+          nixbuild-net-key = { mode = "0600"; };
+          hydra-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
+        };
+        templates = {
+          "hydra-env" = {
+            content = ''
+              HYDRA_PW="${config.sops.placeholder.hydra-pw}"
+            '';
+            owner = serviceUser;
+            group = serviceGroup;
+            mode = "0440";
+          };
+        };
+      };
+
+      services.hydra = {
+        enable = true;
+        package = inputs.hydra.packages.${config.node.arch}.hydra;
+        port = servicePort;
+        hydraURL = "https://${serviceDomain}";
+        listenHost = "*";
+        notificationSender = "hydra@${globals.domains.main}";
+        minimumDiskFreeEvaluator = 20; # 20G
+        minimumDiskFree = 20; # 20G
+        useSubstitutes = true;
+        smtpHost = globals.services.mailserver.domain;
+        buildMachinesFiles = [
+          "/etc/nix/machines"
+        ];
+        extraConfig = ''
+          using_frontend_proxy 1
+        '';
+      };
+
+      systemd.services.hydra-user-setup = {
+        description = "Create admin user for Hydra";
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          User = "hydra";
+          EnvironmentFile = [
+            config.sops.templates.hydra-env.path
+          ];
+        };
+        wantedBy = [ "multi-user.target" ];
+        requires = [ "hydra-init.service" ];
+        after = [ "hydra-init.service" ];
+        environment = lib.mkForce config.systemd.services.hydra-init.environment;
+        script = ''
+          set -eu
+        if [ ! -e ~hydra/.user-setup-done ]; then
+          /run/current-system/sw/bin/hydra-create-user admin --full-name 'admin' --email-address 'admin@${globals.domains.main}' --password "$HYDRA_PW" --role admin
+          touch ~hydra/.user-setup-done
+        fi
+        '';
+      };
+
+      environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
+      ];
+
+      nix = {
+        settings.builders-use-substitutes = true;
+        distributedBuilds = true;
+        buildMachines = [
+          {
+            hostName = "localhost";
+            protocol = null;
+            system = config.node.arch;
+            supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
+            maxJobs = 4;
+          }
+        ];
+      };
+
+      networking.firewall.allowedTCPPorts = [ servicePort ];
+
+      programs.ssh = {
+        extraConfig = ''
+          StrictHostKeyChecking no
+        '';
+      };
+
+      nodes.${serviceProxy}.services.nginx = {
+        upstreams = {
+          ${serviceName} = {
+            servers = {
+              "${serviceAddress}:${builtins.toString servicePort}" = { };
+            };
+          };
+        };
+        virtualHosts = {
+          "${serviceDomain}" = {
+            enableACME = true;
+            forceSSL = true;
+            acmeRoot = null;
+            oauth2.enable = false;
+            locations = {
+              "/" = {
+                proxyPass = "http://${serviceName}";
+                extraConfig = ''
+                  client_max_body_size 0;
+                proxy_set_header  X-Request-Base    /hydra;
+                '';
+              };
+            };
+          };
+        };
+      };
+
+    };
+  }
+</pre>
+</div>
+</div>
+</div>
 </div>
 <div id="outline-container-h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47" class="outline-4">
 <h4 id="h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47"><span class="section-number-4">3.2.4.</span> Darwin</h4>
@@ -16270,6 +16666,7 @@ in
       _1password.enable = true;
       _1password-gui = {
         enable = true;
+        package = pkgs._1password-gui-beta;
         polkitPolicyOwners = [ "${mainUser}" ];
       };
     };
@@ -16437,8 +16834,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org49c6375" class="outline-5">
-<h5 id="org49c6375"><span class="section-number-5">3.2.5.11.</span> Uni</h5>
+<div id="outline-container-orgc4779bb" class="outline-5">
+<h5 id="orgc4779bb"><span class="section-number-5">3.2.5.11.</span> Uni</h5>
 <div class="outline-text-5" id="text-3-2-5-11">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, config, ... }:
@@ -16504,8 +16901,8 @@ Some standard options that should be set vor every microvm guest. We set the def
 </div>
 </div>
 </div>
-<div id="outline-container-orgf907470" class="outline-5">
-<h5 id="orgf907470"><span class="section-number-5">3.2.5.14.</span> systemd-networkd (server)</h5>
+<div id="outline-container-org8d0411f" class="outline-5">
+<h5 id="org8d0411f"><span class="section-number-5">3.2.5.14.</span> systemd-networkd (server)</h5>
 <div class="outline-text-5" id="text-3-2-5-14">
 <p>
 Some standard options that should be set vor every microvm guest. We set the default
@@ -16518,7 +16915,7 @@ Some standard options that should be set vor every microvm guest. We set the def
     useDHCP = lib.mkForce false;
     useNetworkd = true;
     dhcpcd.enable = false;
-    renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
+    renameInterfacesByMac = lib.mapAttrs (_: v: if (v ? mac) then v.mac else "") (
       config.repo.secrets.local.networking.networks or { }
     );
   };
@@ -16728,8 +17125,8 @@ Again, we adapt <code>nix</code> to our needs, enable the home-manager command f
                   (lib.mkIf ((config.swarselmodules ? server) ? ssh-builder) "builder")
                 ];
                 connect-timeout = 5;
-                bash-prompt-prefix = lib.mkIf (config.swarselsystems.isClient) "$SHLVL:\\w ";
-                bash-prompt = lib.mkIf (config.swarselsystems.isClient) "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
+                bash-prompt-prefix = lib.mkIf config.swarselsystems.isClient "$SHLVL:\\w ";
+                bash-prompt = lib.mkIf config.swarselsystems.isClient "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
                 fallback = true;
                 min-free = 128000000;
                 max-free = 1000000000;
@@ -17110,6 +17507,7 @@ This is just a separate container for derivations defined in <a href="#h:64a5cc1
       sshrm
       endme
       git-replace
+      prstatus
     ];
   };
 }
@@ -17143,7 +17541,7 @@ At the same time, I want to avoid running the homeManager module of sops on a Ni
 </ul>
 
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ config, lib, inputs, type, ... }:
+<pre class="src src-nix-ts">{ self, config, lib, type, ... }:
 let
   inherit (config.swarselsystems) homeDir;
 in
@@ -17152,7 +17550,8 @@ in
     config = lib.optionalAttrs (type != "nixos")  {
       sops = lib.mkIf (!config.swarselsystems.isNixos) {
         age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ];
-        defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
+        # defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
+        defaultSopsFile = self + "/secrets/repo/common.yaml";
 
         validateSopsFiles = false;
       };
@@ -17166,7 +17565,7 @@ in
 <h5 id="h:4c850b80-56e0-437b-b564-2dd897027b2f"><span class="section-number-5">3.3.2.7.</span> Yubikey</h5>
 <div class="outline-text-5" id="text-h:4c850b80-56e0-437b-b564-2dd897027b2f">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ lib, config, inputs, confLib, type, ... }:
+<pre class="src src-nix-ts">{ lib, config, confLib, type, ... }:
 let
   inherit (config.swarselsystems) homeDir;
 in
@@ -17199,7 +17598,7 @@ It is very convenient to have SSH aliases in place for machines that I use. This
 </p>
 
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ inputs, lib, config, confLib, type, ... }:
+<pre class="src src-nix-ts">{ lib, config, confLib, type, ... }:
 {
   options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
   config = lib.mkIf config.swarselmodules.ssh ({
@@ -18082,7 +18481,7 @@ Currently I only use it as before with <code>initExtra</code> though.
 </p>
 
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ config, pkgs, lib, minimal, inputs, globals, confLib, type, ... }:
+<pre class="src src-nix-ts">{ config, pkgs, lib, minimal, globals, confLib, type, ... }:
 let
   inherit (config.swarselsystems) flakePath isNixos;
   crocDomain = globals.services.croc.domain;
@@ -19597,7 +19996,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
 </p>
 
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ lib, config, inputs, globals, confLib, type, ... }:
+<pre class="src src-nix-ts">{ lib, config, globals, confLib, type, ... }:
 let
   inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
   inherit (confLib.getConfig.repo.secrets.common) fullName;
@@ -19978,7 +20377,7 @@ The rest of the related configuration is found here:
 </ul>
 
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ self, config, lib, inputs, pkgs, type, ... }:
+<pre class="src src-nix-ts">{ self, config, lib, pkgs, type, ... }:
 let
   inherit (config.swarselsystems) xdgDir;
   generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
@@ -21826,7 +22225,7 @@ in
 <h5 id="h:6f2839dc-c681-4697-8e93-4ef191362434"><span class="section-number-5">3.3.2.39.</span> Anki</h5>
 <div class="outline-text-5" id="text-h:6f2839dc-c681-4697-8e93-4ef191362434">
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ lib, config, pkgs, globals, inputs, confLib, type, ... }:
+<pre class="src src-nix-ts">{ lib, config, pkgs, globals, confLib, type, ... }:
 let
   moduleName = "anki";
   inherit (config.swarselsystems) isPublic isNixos;
@@ -22675,7 +23074,7 @@ When setting up a new machine:
   - `pizauth dump > ~/.pizauth.state`
 
 <div class="org-src-container">
-<pre class="src src-nix-ts">{ self, inputs, config, pkgs, lib, vars, confLib, type, ... }:
+<pre class="src src-nix-ts">{ self, config, pkgs, lib, vars, confLib, type, ... }:
 let
   inherit (config.swarselsystems) homeDir mainUser;
   inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
@@ -22985,20 +23384,29 @@ in
             };
           }
           {
-            # work main screen
+            # work side screen
             output = {
               criteria = "HP Inc. HP 732pk CNC4080YL5";
               scale = 1.0;
               mode = "3840x2160";
+              transform = "270";
             };
           }
+          # {
+          #   # work side screen
+          #   output = {
+          #     criteria = "Hewlett Packard HP Z24i CN44250RDT";
+          #     scale = 1.0;
+          #     mode = "1920x1200";
+          #     transform = "270";
+          #   };
+          # }
           {
-            # work side screen
+            # work main screen
             output = {
-              criteria = "Hewlett Packard HP Z24i CN44250RDT";
+              criteria = "HP Inc. HP Z32 CN41212T55";
               scale = 1.0;
-              mode = "1920x1200";
-              transform = "270";
+              mode = "3840x2160";
             };
           }
           {
@@ -23006,28 +23414,28 @@ in
               name = "lidopen";
               exec = [
                 "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
-                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
               ];
               outputs = [
                 {
                   criteria = config.swarselsystems.sharescreen;
                   status = "enable";
                   scale = 1.5;
-                  position = "1462,0";
+                  position = "2560,0";
                 }
                 {
                   criteria = "HP Inc. HP 732pk CNC4080YL5";
-                  scale = 1.4;
+                  scale = 1.0;
                   mode = "3840x2160";
-                  position = "-1280,0";
+                  position = "-3440,-1050";
+                  transform = "270";
                 }
                 {
-                  criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                  criteria = "HP Inc. HP Z32 CN41212T55";
                   scale = 1.0;
-                  mode = "1920x1200";
-                  transform = "90";
-                  position = "-2480,0";
+                  mode = "3840x2160";
+                  position = "-1280,0";
                 }
               ];
             };
@@ -23064,8 +23472,8 @@ in
             profile = {
               name = "lidclosed";
               exec = [
-                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55'  --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
               ];
               outputs = [
                 {
@@ -23074,16 +23482,16 @@ in
                 }
                 {
                   criteria = "HP Inc. HP 732pk CNC4080YL5";
-                  scale = 1.4;
+                  scale = 1.0;
                   mode = "3840x2160";
-                  position = "-1280,0";
+                  position = "-3440,-1050";
+                  transform = "270";
                 }
                 {
-                  criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                  criteria = "HP Inc. HP Z32 CN41212T55";
                   scale = 1.0;
-                  mode = "1920x1200";
-                  transform = "270";
-                  position = "-2480,0";
+                  mode = "3840x2160";
+                  position = "-1280,0";
                 }
               ];
             };
@@ -23160,7 +23568,7 @@ in
         };
 
         Service = {
-          ExecStart = "${pkgs._1password-gui}/bin/1password";
+          ExecStart = "${pkgs._1password-gui-beta}/bin/1password";
         };
       };
 
@@ -23268,25 +23676,35 @@ in
           # output = "DP-7";
           output = name;
         };
-        work_back_right = rec {
+        work_middle_middle_main = rec {
           name = "HP Inc. HP Z32 CN41212T55";
           mode = "3840x2160";
           scale = "1";
-          position = "5120,0";
+          position = "-1280,0";
           workspace = "1:一";
           # output = "DP-3";
           output = name;
         };
-        work_middle_middle_main = rec {
+        # work_middle_middle_main = rec {
+        #   name = "HP Inc. HP 732pk CNC4080YL5";
+        #   mode = "3840x2160";
+        #   scale = "1";
+        #   position = "-1280,0";
+        #   workspace = "11:M";
+        #   # output = "DP-8";
+        #   output = name;
+        # };
+        work_middle_middle_side = rec {
           name = "HP Inc. HP 732pk CNC4080YL5";
           mode = "3840x2160";
+          transform = "270";
           scale = "1";
-          position = "-1280,0";
-          workspace = "11:M";
+          position = "-3440,-1050";
+          workspace = "12:S";
           # output = "DP-8";
           output = name;
         };
-        work_middle_middle_side = rec {
+        work_middle_middle_old = rec {
           name = "Hewlett Packard HP Z24i CN44250RDT";
           mode = "1920x1200";
           transform = "270";
@@ -23478,8 +23896,9 @@ TODO: check which of these can be replaced but builtin functions.
     isLinux = lib.mkEnableOption "whether this is a linux machine";
     isBtrfs = lib.mkEnableOption "use btrfs filesystem";
     sopsFile = lib.mkOption {
-      type = lib.types.str;
-      default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.node.secretsDir}/secrets.yaml";
+      type = lib.types.either lib.types.str lib.types.path;
+      # default = (if config.swarselsystems.isImpermanence then "/persist" else "") + config.node.secretsDir + "/secrets.yaml";
+      default = config.node.secretsDir + "/secrets.yaml";
     };
     homeDir = lib.mkOption {
       type = lib.types.str;
@@ -23822,7 +24241,18 @@ In short, the options defined here are passed to the modules systems using <code
   _module.args = {
     confLib = rec {
 
-      addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 else "localhost";
+      addressDefault =
+        if
+          config.swarselsystems.proxyHost != config.node.name
+        then
+          if
+            config.swarselsystems.server.wireguard.isClient
+          then
+            globals.networks."${config.swarselsystems.server.wireguard.serverNetConfigPrefix}-wg".hosts.${config.node.name}.ipv4
+          else
+            globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4
+        else
+          "localhost";
 
       domainDefault = service: config.repo.secrets.common.services.domains.${service};
       proxyDefault = config.swarselsystems.proxyHost;
@@ -24099,12 +24529,34 @@ writeShellApplication {
   '';
 }
 
+</pre>
+</div>
+</div>
+</div>
+<div id="outline-container-org0ad352f" class="outline-5">
+<h5 id="org0ad352f"><span class="section-number-5">3.4.6.7.</span> prstatus</h5>
+<div class="outline-text-5" id="text-3-4-6-7">
+<p>
+This script allows for quick checking of nixpkgs PR statuses.
+</p>
+
+<div class="org-src-container">
+<pre class="src src-nix-ts">{ name, writeShellApplication, curl, ... }:
+
+writeShellApplication {
+  inherit name;
+  runtimeInputs = [ curl ];
+  text = ''
+    curl https://nixpkgs.molybdenum.software/api/v2/landings/"$1"
+  '';
+}
+
 </pre>
 </div>
 </div>
 </div>
 <div id="outline-container-h:03b1b77b-3ca8-4a8f-8e28-9f29004d96d3" class="outline-5">
-<h5 id="h:03b1b77b-3ca8-4a8f-8e28-9f29004d96d3"><span class="section-number-5">3.4.6.7.</span> bak</h5>
+<h5 id="h:03b1b77b-3ca8-4a8f-8e28-9f29004d96d3"><span class="section-number-5">3.4.6.8.</span> bak</h5>
 <div class="outline-text-5" id="text-h:03b1b77b-3ca8-4a8f-8e28-9f29004d96d3">
 <p>
 This script lets me quickly backup files by appending <code>.bak</code> to the filename.
@@ -24127,7 +24579,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:3c72d263-411c-44f0-90ff-55f14d4d9d49" class="outline-5">
-<h5 id="h:3c72d263-411c-44f0-90ff-55f14d4d9d49"><span class="section-number-5">3.4.6.8.</span> timer</h5>
+<h5 id="h:3c72d263-411c-44f0-90ff-55f14d4d9d49"><span class="section-number-5">3.4.6.9.</span> timer</h5>
 <div class="outline-text-5" id="text-h:3c72d263-411c-44f0-90ff-55f14d4d9d49">
 <p>
 This app starts a configuratble timer and uses TTS to say something once the timer runs out.
@@ -24150,7 +24602,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:1834df06-9238-4efa-9af6-851dafe66c68" class="outline-5">
-<h5 id="h:1834df06-9238-4efa-9af6-851dafe66c68"><span class="section-number-5">3.4.6.9.</span> e</h5>
+<h5 id="h:1834df06-9238-4efa-9af6-851dafe66c68"><span class="section-number-5">3.4.6.10.</span> e</h5>
 <div class="outline-text-5" id="text-h:1834df06-9238-4efa-9af6-851dafe66c68">
 <p>
 This is a shorthand for calling emacsclient mostly. Also, it hides the kittyterm scratchpad window that I sometimes use for calling a command quickly, in case it is on the screen. After emacs closes, the kittyterm window is then shown again if it was visible earlier.
@@ -24196,7 +24648,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:10268005-a9cd-4a00-967c-cbe975c552fa" class="outline-5">
-<h5 id="h:10268005-a9cd-4a00-967c-cbe975c552fa"><span class="section-number-5">3.4.6.10.</span> command-not-found</h5>
+<h5 id="h:10268005-a9cd-4a00-967c-cbe975c552fa"><span class="section-number-5">3.4.6.11.</span> command-not-found</h5>
 <div class="outline-text-5" id="text-h:10268005-a9cd-4a00-967c-cbe975c552fa">
 <p>
 The normal <code>command-not-found.sh</code> uses the outdated <code>nix-shell</code> commands as suggestions. This version supplies me with the more modern <code>nixpkgs#&lt;name&gt;</code> version.
@@ -24242,7 +24694,7 @@ command_not_found_handler() {
 </div>
 </div>
 <div id="outline-container-h:82f4f414-749b-4d5a-aaaa-6e3ec15fbc3d" class="outline-5">
-<h5 id="h:82f4f414-749b-4d5a-aaaa-6e3ec15fbc3d"><span class="section-number-5">3.4.6.11.</span> swarselcheck</h5>
+<h5 id="h:82f4f414-749b-4d5a-aaaa-6e3ec15fbc3d"><span class="section-number-5">3.4.6.12.</span> swarselcheck</h5>
 <div class="outline-text-5" id="text-h:82f4f414-749b-4d5a-aaaa-6e3ec15fbc3d">
 <p>
 This app checks for different apps that I keep around in the scratchpad for quick viewing and hiding (messengers and music players mostly) and then behaves like the kittyterm hider that I described in <a href="#h:1834df06-9238-4efa-9af6-851dafe66c68">e</a>.
@@ -24327,7 +24779,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:96da8360-2d23-4e86-9602-415fbdb972af" class="outline-5">
-<h5 id="h:96da8360-2d23-4e86-9602-415fbdb972af"><span class="section-number-5">3.4.6.12.</span> swarselcheck-niri</h5>
+<h5 id="h:96da8360-2d23-4e86-9602-415fbdb972af"><span class="section-number-5">3.4.6.13.</span> swarselcheck-niri</h5>
 <div class="outline-text-5" id="text-h:96da8360-2d23-4e86-9602-415fbdb972af">
 <div class="org-src-container">
 <pre class="src src-shell">while :; do
@@ -24382,7 +24834,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:564c102c-e335-4f17-a613-c5a436bb4864" class="outline-5">
-<h5 id="h:564c102c-e335-4f17-a613-c5a436bb4864"><span class="section-number-5">3.4.6.13.</span> swarselzellij</h5>
+<h5 id="h:564c102c-e335-4f17-a613-c5a436bb4864"><span class="section-number-5">3.4.6.14.</span> swarselzellij</h5>
 <div class="outline-text-5" id="text-h:564c102c-e335-4f17-a613-c5a436bb4864">
 <div class="org-src-container">
 <pre class="src src-shell"># KITTIES=$(($(pgrep -P 1 kitty | wc -l) - 1))
@@ -24409,7 +24861,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:f93f66f9-6b8b-478e-b139-b2f382c1f25e" class="outline-5">
-<h5 id="h:f93f66f9-6b8b-478e-b139-b2f382c1f25e"><span class="section-number-5">3.4.6.14.</span> waybarupdate</h5>
+<h5 id="h:f93f66f9-6b8b-478e-b139-b2f382c1f25e"><span class="section-number-5">3.4.6.15.</span> waybarupdate</h5>
 <div class="outline-text-5" id="text-h:f93f66f9-6b8b-478e-b139-b2f382c1f25e">
 <p>
 This scripts checks if there are uncommited changes in either my dotfile repo, my university repo, or my passfile repo. In that case a warning will be shown in waybar.
@@ -24456,7 +24908,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:a1d94db2-837a-40c4-bbd8-81ce847440ee" class="outline-5">
-<h5 id="h:a1d94db2-837a-40c4-bbd8-81ce847440ee"><span class="section-number-5">3.4.6.15.</span> opacitytoggle</h5>
+<h5 id="h:a1d94db2-837a-40c4-bbd8-81ce847440ee"><span class="section-number-5">3.4.6.16.</span> opacitytoggle</h5>
 <div class="outline-text-5" id="text-h:a1d94db2-837a-40c4-bbd8-81ce847440ee">
 <p>
 This app quickly toggles between 5% and 0% transparency.
@@ -24483,7 +24935,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:7c4e41b3-8c1e-4f71-87a6-30d40baed6a0" class="outline-5">
-<h5 id="h:7c4e41b3-8c1e-4f71-87a6-30d40baed6a0"><span class="section-number-5">3.4.6.16.</span> fs-diff</h5>
+<h5 id="h:7c4e41b3-8c1e-4f71-87a6-30d40baed6a0"><span class="section-number-5">3.4.6.17.</span> fs-diff</h5>
 <div class="outline-text-5" id="text-h:7c4e41b3-8c1e-4f71-87a6-30d40baed6a0">
 <p>
 This utility is used to compare the current state of the root directory with the blanket state that is stored in /root-blank (the snapshot that is restored on each reboot of an impermanence machine). Using this, I can find files that I will lose once I reboot - if there are important files in that list, I can then easily add them to the persist options.
@@ -24524,7 +24976,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:a9398c4e-4d3b-4942-b03c-192f9c0517e5" class="outline-5">
-<h5 id="h:a9398c4e-4d3b-4942-b03c-192f9c0517e5"><span class="section-number-5">3.4.6.17.</span> github-notifications</h5>
+<h5 id="h:a9398c4e-4d3b-4942-b03c-192f9c0517e5"><span class="section-number-5">3.4.6.18.</span> github-notifications</h5>
 <div class="outline-text-5" id="text-h:a9398c4e-4d3b-4942-b03c-192f9c0517e5">
 <p>
 This utility checks if there are updated packages in nixpkgs-unstable. It does so by fully building the most recent configuration, which I do not love, but it has its merits once I am willing to switch to the newer version.
@@ -24550,7 +25002,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:3981cd16-00c0-4ea8-95e2-c6d8c04ec4e5" class="outline-5">
-<h5 id="h:3981cd16-00c0-4ea8-95e2-c6d8c04ec4e5"><span class="section-number-5">3.4.6.18.</span> kanshare</h5>
+<h5 id="h:3981cd16-00c0-4ea8-95e2-c6d8c04ec4e5"><span class="section-number-5">3.4.6.19.</span> kanshare</h5>
 <div class="outline-text-5" id="text-h:3981cd16-00c0-4ea8-95e2-c6d8c04ec4e5">
 <p>
 This utility checks if there are updated packages in nixpkgs-unstable. It does so by fully building the most recent configuration, which I do not love, but it has its merits once I am willing to switch to the newer version.
@@ -24574,7 +25026,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:74db57ae-0bb9-4257-84be-eddbc85130dd" class="outline-5">
-<h5 id="h:74db57ae-0bb9-4257-84be-eddbc85130dd"><span class="section-number-5">3.4.6.19.</span> swarsel-bootstrap</h5>
+<h5 id="h:74db57ae-0bb9-4257-84be-eddbc85130dd"><span class="section-number-5">3.4.6.20.</span> swarsel-bootstrap</h5>
 <div class="outline-text-5" id="text-h:74db57ae-0bb9-4257-84be-eddbc85130dd">
 <p>
 This program sets up a new NixOS host remotely. It also takes care of secret management on the new host.
@@ -24619,6 +25071,7 @@ function help_and_exit() {
 
 function cleanup() {
     rm -rf "$temp"
+    rm -rf /tmp/disko-password
 }
 trap cleanup exit
 
@@ -24722,7 +25175,7 @@ fi
 
 LOCKED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.node.lockFromBootstrapping)"
 if [[ $LOCKED == "true" ]]; then
-    red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING"
+    red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING - set 'node.lockFromBootstrapping = lib.mkForce false;' to proceed"
     exit
 fi
 
@@ -24812,6 +25265,7 @@ if [ "$disk_encryption" -eq 1 ]; then
         green "Please confirm passphrase:"
         read -rs luks_passphrase_confirm
         if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
+            echo "$luks_passphrase" &gt; /tmp/disko-password
             $ssh_root_cmd "echo '$luks_passphrase' &gt; /tmp/disko-password"
             break
         else
@@ -24900,7 +25354,7 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then
     vim "${git_root}"/.sops.yaml
 fi
 green "Updating all secrets files to reflect updates .sops.yaml"
-sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/*
+sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/* || true
 # --------------------------
 green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
 sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
@@ -24971,6 +25425,8 @@ fi
 if yes_or_no "Reboot now?"; then
     $ssh_root_cmd "reboot"
 fi
+
+rm -rf /tmp/disko-password
 </pre>
 </div>
 
@@ -24987,7 +25443,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:1eabdc59-8832-44ca-a22b-11f848ab150a" class="outline-5">
-<h5 id="h:1eabdc59-8832-44ca-a22b-11f848ab150a"><span class="section-number-5">3.4.6.20.</span> swarsel-rebuild</h5>
+<h5 id="h:1eabdc59-8832-44ca-a22b-11f848ab150a"><span class="section-number-5">3.4.6.21.</span> swarsel-rebuild</h5>
 <div class="outline-text-5" id="text-h:1eabdc59-8832-44ca-a22b-11f848ab150a">
 <div class="org-src-container">
 <pre class="src src-shell">set -eo pipefail
@@ -25117,7 +25573,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:fbd8aaf2-9dca-4ca3-aca1-19d0d188a435" class="outline-5">
-<h5 id="h:fbd8aaf2-9dca-4ca3-aca1-19d0d188a435"><span class="section-number-5">3.4.6.21.</span> swarsel-install</h5>
+<h5 id="h:fbd8aaf2-9dca-4ca3-aca1-19d0d188a435"><span class="section-number-5">3.4.6.22.</span> swarsel-install</h5>
 <div class="outline-text-5" id="text-h:fbd8aaf2-9dca-4ca3-aca1-19d0d188a435">
 <p>
 Autoformatting always puts the <code>EOF</code> with indentation, which makes shfmt check fail. When editing this block, unindent them manually.
@@ -25330,7 +25786,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:c98a7615-e5da-4f47-8ed1-2b2ea65519e9" class="outline-5">
-<h5 id="h:c98a7615-e5da-4f47-8ed1-2b2ea65519e9"><span class="section-number-5">3.4.6.22.</span> swarsel-postinstall</h5>
+<h5 id="h:c98a7615-e5da-4f47-8ed1-2b2ea65519e9"><span class="section-number-5">3.4.6.23.</span> swarsel-postinstall</h5>
 <div class="outline-text-5" id="text-h:c98a7615-e5da-4f47-8ed1-2b2ea65519e9">
 <div class="org-src-container">
 <pre class="src src-shell">set -eo pipefail
@@ -25422,7 +25878,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1" class="outline-5">
-<h5 id="h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1"><span class="section-number-5">3.4.6.23.</span> t2ts</h5>
+<h5 id="h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1"><span class="section-number-5">3.4.6.24.</span> t2ts</h5>
 <div class="outline-text-5" id="text-h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ name, writeShellApplication, ... }:
@@ -25440,7 +25896,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1" class="outline-5">
-<h5 id="h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1"><span class="section-number-5">3.4.6.24.</span> ts2t</h5>
+<h5 id="h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1"><span class="section-number-5">3.4.6.25.</span> ts2t</h5>
 <div class="outline-text-5" id="text-h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ name, writeShellApplication, ... }:
@@ -25458,7 +25914,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:7806b129-a4a5-4d10-af27-6cbeafbcb294" class="outline-5">
-<h5 id="h:7806b129-a4a5-4d10-af27-6cbeafbcb294"><span class="section-number-5">3.4.6.25.</span> vershell</h5>
+<h5 id="h:7806b129-a4a5-4d10-af27-6cbeafbcb294"><span class="section-number-5">3.4.6.26.</span> vershell</h5>
 <div class="outline-text-5" id="text-h:7806b129-a4a5-4d10-af27-6cbeafbcb294">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ name, writeShellApplication, ... }:
@@ -25476,7 +25932,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:9fda7829-09a4-4b8f-86f6-08b078ab2874" class="outline-5">
-<h5 id="h:9fda7829-09a4-4b8f-86f6-08b078ab2874"><span class="section-number-5">3.4.6.26.</span> eontimer</h5>
+<h5 id="h:9fda7829-09a4-4b8f-86f6-08b078ab2874"><span class="section-number-5">3.4.6.27.</span> eontimer</h5>
 <div class="outline-text-5" id="text-h:9fda7829-09a4-4b8f-86f6-08b078ab2874">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib
@@ -25580,7 +26036,7 @@ python3.pkgs.buildPythonApplication rec {
 </div>
 </div>
 <div id="outline-container-h:154b6df4-dd50-4f60-9794-05a140d02994" class="outline-5">
-<h5 id="h:154b6df4-dd50-4f60-9794-05a140d02994"><span class="section-number-5">3.4.6.27.</span> project</h5>
+<h5 id="h:154b6df4-dd50-4f60-9794-05a140d02994"><span class="section-number-5">3.4.6.28.</span> project</h5>
 <div class="outline-text-5" id="text-h:154b6df4-dd50-4f60-9794-05a140d02994">
 <div class="org-src-container">
 <pre class="src src-shell">set -euo pipefail
@@ -25604,7 +26060,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0" class="outline-5">
-<h5 id="h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0"><span class="section-number-5">3.4.6.28.</span> fhs</h5>
+<h5 id="h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0"><span class="section-number-5">3.4.6.29.</span> fhs</h5>
 <div class="outline-text-5" id="text-h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ name, pkgs, ... }:
@@ -25623,7 +26079,7 @@ pkgs.buildFHSEnv (base // {
 </div>
 </div>
 <div id="outline-container-h:814d5e7f-4b95-412d-b246-33f888514ec6" class="outline-5">
-<h5 id="h:814d5e7f-4b95-412d-b246-33f888514ec6"><span class="section-number-5">3.4.6.29.</span> swarsel-displaypower</h5>
+<h5 id="h:814d5e7f-4b95-412d-b246-33f888514ec6"><span class="section-number-5">3.4.6.30.</span> swarsel-displaypower</h5>
 <div class="outline-text-5" id="text-h:814d5e7f-4b95-412d-b246-33f888514ec6">
 <p>
 A crude script to power on all displays that might be attached. Needed because sometimes displays do not awake from sleep.
@@ -25648,7 +26104,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:799579f3-ddd3-4f76-928a-a8c665980476" class="outline-5">
-<h5 id="h:799579f3-ddd3-4f76-928a-a8c665980476"><span class="section-number-5">3.4.6.30.</span> swarsel-mgba</h5>
+<h5 id="h:799579f3-ddd3-4f76-928a-a8c665980476"><span class="section-number-5">3.4.6.31.</span> swarsel-mgba</h5>
 <div class="outline-text-5" id="text-h:799579f3-ddd3-4f76-928a-a8c665980476">
 <p>
 AppImage version of mgba in which the lua scripting works.
@@ -25682,7 +26138,7 @@ appimageTools.wrapType2 {
 </div>
 </div>
 <div id="outline-container-h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e" class="outline-5">
-<h5 id="h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e"><span class="section-number-5">3.4.6.31.</span> swarsel-deploy</h5>
+<h5 id="h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e"><span class="section-number-5">3.4.6.32.</span> swarsel-deploy</h5>
 <div class="outline-text-5" id="text-h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">
 <div class="org-src-container">
 <pre class="src src-nix-ts"># heavily inspired from https://github.com/oddlama/nix-config/blob/d42cbde676001a7ad8a3cace156e050933a4dcc3/pkgs/deploy.nix
@@ -25814,7 +26270,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e" class="outline-5">
-<h5 id="h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e"><span class="section-number-5">3.4.6.32.</span> swarsel-build</h5>
+<h5 id="h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e"><span class="section-number-5">3.4.6.33.</span> swarsel-build</h5>
 <div class="outline-text-5" id="text-h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ name, nix-output-monitor, writeShellApplication, ... }:
@@ -25838,7 +26294,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa" class="outline-5">
-<h5 id="h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa"><span class="section-number-5">3.4.6.33.</span> swarsel-instantiate</h5>
+<h5 id="h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa"><span class="section-number-5">3.4.6.34.</span> swarsel-instantiate</h5>
 <div class="outline-text-5" id="text-h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa">
 <p>
 This is a convenience function that calls <code>nix-instantiate</code> with a number of flags that I need in order to evaluate nix expressions in org-src blocks.
@@ -25859,7 +26315,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:02842543-caca-4d4c-a4d2-7ac749b5c136" class="outline-5">
-<h5 id="h:02842543-caca-4d4c-a4d2-7ac749b5c136"><span class="section-number-5">3.4.6.34.</span> sshrm</h5>
+<h5 id="h:02842543-caca-4d4c-a4d2-7ac749b5c136"><span class="section-number-5">3.4.6.35.</span> sshrm</h5>
 <div class="outline-text-5" id="text-h:02842543-caca-4d4c-a4d2-7ac749b5c136">
 <p>
 This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually.
@@ -25892,7 +26348,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:abbd18a2-73ae-4ee4-8487-06fef23638bb" class="outline-5">
-<h5 id="h:abbd18a2-73ae-4ee4-8487-06fef23638bb"><span class="section-number-5">3.4.6.35.</span> endme</h5>
+<h5 id="h:abbd18a2-73ae-4ee4-8487-06fef23638bb"><span class="section-number-5">3.4.6.36.</span> endme</h5>
 <div class="outline-text-5" id="text-h:abbd18a2-73ae-4ee4-8487-06fef23638bb">
 <p>
 Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session.
@@ -25914,7 +26370,7 @@ writeShellApplication {
 </div>
 </div>
 <div id="outline-container-h:e1330feb-4a9b-4e6d-9d15-6d2adb5879d2" class="outline-5">
-<h5 id="h:e1330feb-4a9b-4e6d-9d15-6d2adb5879d2"><span class="section-number-5">3.4.6.36.</span> git-replace</h5>
+<h5 id="h:e1330feb-4a9b-4e6d-9d15-6d2adb5879d2"><span class="section-number-5">3.4.6.37.</span> git-replace</h5>
 <div class="outline-text-5" id="text-h:e1330feb-4a9b-4e6d-9d15-6d2adb5879d2">
 <p>
 This script allows for quick git replace of a string.
@@ -26564,7 +27020,7 @@ in
 </div>
 </div>
 <div id="outline-container-h:ed4cd05c-0879-41c6-bc39-3f1246a96f04" class="outline-2">
-<h2 id="h:ed4cd05c-0879-41c6-bc39-3f1246a96f04"><span class="section-number-2">4.</span> Emacs</h2>
+<h2 id="h:ed4cd05c-0879-41c6-bc39-3f1246a96f04"><span class="section-number-2">4.</span> Emacse</h2>
 <div class="outline-text-2" id="text-h:ed4cd05c-0879-41c6-bc39-3f1246a96f04">
 </div>
 <div id="outline-container-h:2c331451-45ed-4592-9e00-d36b5bf31248" class="outline-3">
@@ -32857,7 +33313,7 @@ Here lies defined the readme for GitHub and Forgejo:
 </p>
 
 <div class="org-src-container">
-<pre class="src src-markdown">  [![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2FSwarsel%2F.dotfiles%2Fbadge%3Fref%3Dmain&amp;style=flat&amp;labelColor=11111b)](https://actions-badge.atrox.dev/Swarsel/.dotfiles/goto?ref=main)
+<pre class="src src-markdown">[![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2FSwarsel%2F.dotfiles%2Fbadge%3Fref%3Dmain&amp;style=flat&amp;labelColor=11111b)](https://actions-badge.atrox.dev/Swarsel/.dotfiles/goto?ref=main)
 
   ###### Disclaimer
 
@@ -32881,33 +33337,38 @@ Here lies defined the readme for GitHub and Forgejo:
     - [nix-darwin](https://github.com/LnL7/nix-darwin)
     - [nix-on-droid](https://github.com/nix-community/nix-on-droid)
   - Streamlined configuration and deployment pipeline:
-    - Framework for [packages](https://github.com/Swarsel/.dotfiles/blob/main/pkgs/default.nix), [overlays](https://github.com/Swarsel/.dotfiles/blob/main/overlays/default.nix), [modules](https://github.com/Swarsel/.dotfiles/tree/main/modules), and [library functions](https://github.com/Swarsel/.dotfiles/tree/main/lib/default.nix)
-    - Dynamically generated host configurations
-    - Limited local installer (no secrets handling) with a supported demo build
-    - Fully autonomous remote deployment using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) and [disko](https://github.com/nix-community/disko) (with secrets handling)
+    - Framework for [packages](https://github.com/Swarsel/.dotfiles/blob/main/nix/packages.nix), [overlays](https://github.com/Swarsel/.dotfiles/blob/main/nix/overlays.nix), [modules](https://github.com/Swarsel/.dotfiles/tree/main/modules), and [library functions](https://github.com/Swarsel/.dotfiles/blob/main/nix/lib.nix)
+    - Dynamically generated config:
+      - host configurations
+      - dns records
+      - network setup (+ wireguard mesh on systemd-networkd)
+    - Remote Builders for [x86_64,aarch64]-linux running in hydra, feeding a private nix binary cache
+    - Bootstrapping:
+      - Limited local installer (no secrets handling) with a supported demo build
+      - Fully autonomous remote deployment using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) and [disko](https://github.com/nix-community/disko) (with secrets handling)
     - Improved nix tooling
   - Support for advanced features:
     - Secrets handling using [sops-nix](https://github.com/Mic92/sops-nix) (pls no pwn ❤️)
     - Management of personally identifiable information using [nix-plugins](https://github.com/shlevy/nix-plugins)
     - Full Yubikey support
-    - LUKS-encryption
+    - LUKS-encryption with support for remote disk unlock over SSH
     - Secure boot using [Lanzaboote](https://github.com/nix-community/lanzaboote)
     - BTRFS-based [Impermanence](https://github.com/nix-community/impermanence)
     - Configuration shared between configurations (configuration for one nixosConfiguration can be defined in another nixosConfiguration)
     - Global attributes shared between all configurations to reduce attribute redeclaration
+    - [Config library](https://github.com/Swarsel/.dotfiles/blob/9acfc5f93457ec14773cc0616cab616917cc8af5/modules/shared/config-lib.nix#L4) for defining config-based functions for generating service information
+    - Reduced friction between full NixOS- and home-manager-only deployments regarding secrets handling and config sharing
 
   ## Documentation
 
-  If you are mainly interested in how I configured this system, check out this page:
+  The full documentation can be found here:
 
   [SwarselSystems literate configuration](https://swarsel.github.io/.dotfiles/)
 
-  This file will take you through my design process, in varying amounts of detail.
+  I went to great lengths in order to document the full design process of my infrastructure properly; the above document strives to serve as an introductory lecture to nix / NixOS while at the same time explaining the config in general.
 
-  Otherwise, the files that are possibly of biggest interest are found here:
+  If you only came here for my Emacs configuration, the relevant files are here:
 
-  - [SwarselSystems.org](../SwarselSystems.org)
-  - [flake.nix](../flake.nix)
   - [early-init.el](../files/emacs/early-init.el)
   - [init.el](../files/emacs/init.el)
 
@@ -32967,68 +33428,76 @@ Here lies defined the readme for GitHub and Forgejo:
 
   ### Programs
 
-  | Topic         | Program                         |
-  |---------------|---------------------------------|
-  |🐚 **Shell**   | [zsh](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                            |
-  |🚪 **DM**      | [greetd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/common/login.nix)                         |
-  |🪟 **WM**      | [SwayFX](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sway.nix)                         |
-  |⛩️ **Bar**     | [Waybar](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/waybar.nix)                         |
-  |✒️ **Editor**  | [Emacs](https://github.com/Swarsel/.dotfiles/tree/main/files/emacs/init.el)                          |
-  |🖥️ **Terminal**| [Kitty](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/kitty.nix)                          |
-  |🚀 **Launcher**| [Fuzzel](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/fuzzel.nix)                         |
-  |🚨 **Alerts**  | [Mako](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/mako.nix)                           |
-  |🌐 **Browser** | [Firefox](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                        |
-  |🎨 **Theme**   | [City-Lights (managed by stylix)](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sharedsetup.nix)|
+  | Topic         | Program                                                                                                                     |
+  |---------------|-----------------------------------------------------------------------------------------------------------------------------|
+  |🐚 **Shell**   | [zsh](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                                           |
+  |🚪 **DM**      | [greetd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/common/login.nix)                                     |
+  |🪟 **WM**      | [SwayFX](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sway.nix)                                       |
+  |⛩️ **Bar**     | [Waybar](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/waybar.nix)                                     |
+  |✒️ **Editor**  | [Emacs](https://github.com/Swarsel/.dotfiles/tree/main/files/emacs/init.el)                                                 |
+  |🖥️ **Terminal**| [Kitty](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/kitty.nix)                                       |
+  |🚀 **Launcher**| [Fuzzel](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/fuzzel.nix)                                     |
+  |🚨 **Alerts**  | [Mako](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/mako.nix)                                         |
+  |🌐 **Browser** | [Firefox](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                                       |
+  |🎨 **Theme**   | [City-Lights (managed by stylix)](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sharedsetup.nix)       |
 
   ### Services
 
-  | Topic                 | Program                                                                                                             |
-  |-----------------------|---------------------------------------------------------------------------------------------------------------------|
-  |📖 **Books**           |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                           |
-  |📼 **Videos**          | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                        |
-  |🎵 **Music**           | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
-  |🗨️ **Messaging**       | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix)                            |
-  |📁 **Filesharing**     | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix)                      |
-  |🎞️ **Photos**          | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                            |
-  |📄 **Documents**       | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix)                      |
-  |🔄 **File Sync**       | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix)                      |
-  |💾 **Backups**         | [Restic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/restic.nix)                            |
-  |👁️ **Monitoring**      | [Grafana](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/monitoring.nix)                       |
-  |🍴 **RSS**             | [FreshRss](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/freshrss.nix)                        |
-  |🌳 **Git**             | [Forgejo](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/forgejo.nix)                          |
-  |⚓ **Anki Sync**       | [Anki Sync Server](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/ankisync.nix)                |
-  |🪪 **SSO**             | [Kanidm](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kanidm.nix) + [oauth2-proxy](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/oauth2-proxy.nix)                                            |
-  |💸 **Finance**         | [Firefly-III](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/firefly-iii.nix)                  |
-  |🃏 **Collections**     | [Koillection](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/koillection.nix)                  |
-  |🗃️ **Shell History**   | [Atuin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/atuin.nix)                              |
-  |📅 **CalDav/CardDav**  | [Radicale](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/radicale.nix)                        |
-  |↔️ **P2P Filesharing** | [Croc](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/croc.nix)                                |
-  |✂️ **Paste Tool**      | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                        |
-  |📸 **Image Sharing**   | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                              |
-  |🔗 **Link Shortener**  | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                            |
+  | Topic                      | Program                                                                                                        |
+  |----------------------------|----------------------------------------------------------------------------------------------------------------|
+  |📖 **Books**                |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                      |
+  |📼 **Videos**               | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                   |
+  |🎵 **Music**                | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
+  |🗨️ **Messaging**            | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix)                       |
+  |📁 **Filesharing**          | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix)                 |
+  |🎞️ **Photos**               | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix)                       |
+  |📄 **Documents**            | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix)                 |
+  |🔄 **File Sync**            | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix)                 |
+  |💾 **Backups**              | [Restic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/restic.nix)                       |
+  |👁️ **Monitoring**           | [Grafana](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/monitoring.nix)                  |
+  |🍴 **RSS**                  | [FreshRss](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/freshrss.nix)                   |
+  |🌳 **Git**                  | [Forgejo](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/forgejo.nix)                     |
+  |⚓ **Anki Sync**            | [Anki Sync Server](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/ankisync.nix)           |
+  |🪪 **SSO**                  | [Kanidm](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kanidm.nix) + [oauth2-proxy](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/oauth2-proxy.nix)                                            |
+  |💸 **Finance**              | [Firefly-III](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/firefly-iii.nix)             |
+  |🃏 **Collections**          | [Koillection](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/koillection.nix)             |
+  |🗃️ **Shell History**        | [Atuin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/atuin.nix)                         |
+  |📅 **CalDav/CardDav**       | [Radicale](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/radicale.nix)                   |
+  |↔️ **P2P Filesharing**      | [Croc](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/croc.nix)                           |
+  |✂️ **Paste Tool**           | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                   |
+  |📸 **Image Sharing**        | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                         |
+  |🔗 **Link Shortener**       | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                       |
+  |⛏️ **Minecraft**            | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix)                 |
+  |☁️ **S3**                   | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix)                       |
+  |🕸️ **Nix Binary Cache**     | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix)                         |
+  |🐙 **Nix Build farm**       | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix)                         |
+  |🔑 **Cert-based SSH**       | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix)                       |
+  |🔨 **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix)                     |
+  |👀 **DNS**                  | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix)                             |
+  |✉️ **Mail**                 | [simple-nixos-mailserver](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mailserver.nix)  |
 
   ### Hosts
 
-  | Name                | Hardware                                            | Use                                                 |
-  |---------------------|-----------------------------------------------------|-----------------------------------------------------|
-  |💻 **pyramid**       | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                         |
-  |💻 **bakery**        | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                     |
-  |💻 **machpizza**     | MacBook Pro 2016                                    | MacOS reference and build sandbox                   |
-  |🏠 **treehouse**     | NVIDIA DGX Spark                                    | AI Workstation, remote builder, hm-only-reference   |
-  |🖥️ **summers**       | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Homeserver (microvms), remote builder, datastorage  |
-  |🖥️ **winters**       | ASRock J4105-ITX, 32GB RAM                          | Homeserver (IoT server in spe)                      |
-  |🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router                                              |
-  |☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative dns server                            |
-  |☁️ **liliputsteps**  | Cloud Server: 1 vCPUs, 8GB RAM                      | SSH bastion                                         |
-  |☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM                      | Service proxy                                       |
-  |☁️ **eagleland**     | Cloud Server: 2 vCPUs, 8GB RAM                      | Mailserver                                          |
-  |☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Gaming server, syncthing + lightweight services     |
-  |☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM                     | Hydra builder and nix binarycache                   |
-  |📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                               |
-  |💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts     |
-  |💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines |
-  |❔ **chaotheatre**   | -                                                   | Demo config for checking out this configuration     |
-  |❔ **toto**          | -                                                   | Helper configuration for testing purposes           |
+  | Name                | Hardware                                            | Use                                                             |
+  |---------------------|-----------------------------------------------------|-----------------------------------------------------------------|
+  |💻 **pyramid**       | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                                     |
+  |💻 **bakery**        | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                                 |
+  |💻 **machpizza**     | MacBook Pro 2016                                    | MacOS reference and build sandbox                               |
+  |🏠 **treehouse**     | NVIDIA DGX Spark                                    | AI Workstation, remote builder, hm-only-reference               |
+  |🖥️ **summers**       | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Homeserver (microvms), remote builder, data storage             |
+  |🖥️ **winters**       | ASRock J4105-ITX, 32GB RAM                          | Homeserver (IoT server in spe)                                  |
+  |🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router                                                          |
+  |☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative DNS server                                        |
+  |☁️ **liliputsteps**  | Cloud Server: 1 vCPUs, 8GB RAM                      | SSH bastion                                                     |
+  |☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM                      | Service proxy                                                   |
+  |☁️ **eagleland**     | Cloud Server: 2 vCPUs, 8GB RAM                      | Mailserver                                                      |
+  |☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Gaming server, syncthing + lightweight services                 |
+  |☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM                     | Hydra builder and nix binary cache                              |
+  |📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                                           |
+  |💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts                 |
+  |💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines             |
+  |❔ **hotel**         | -                                                   | Demo config for checking out this configuration                 |
+  |❔ **toto**          | -                                                   | Helper configuration for testing purposes                       |
   &lt;/details&gt;
 
   ## General Nix tips &amp; useful links
@@ -33315,6 +33784,16 @@ If you want to merge nested attribute sets, use <code>nixpkgs.lib.recursiveUpdat
 <pre class="example">
 [ 2 3 4 ]
 </pre>
+
+
+<div class="org-src-container">
+<pre class="src src-bash">swarsel-instantiate 'lib.map (x: { result = x + 1; }) [1 2 3]'
+</pre>
+</div>
+
+<pre class="example">
+[ { result = 2; } { result = 3; } { result = 4; } ]
+</pre>
 </div>
 </div>
 <div id="outline-container-h:9e81b727-1436-4228-82b1-1edec5c50e06" class="outline-3">
@@ -33493,7 +33972,7 @@ similarly, there exists an version that starts from the right.
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-12-02 Di 17:29</p>
+<p class="date">Created: 2025-12-18 Do 17:26</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>