feat[server]: add dns server

.sops.yaml

@@ -7,6 +7,8 @@ keys:
     - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
   - &hosts
     - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
+    - &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
+    - &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
     - &hintbooth age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x
     - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
     - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
@@ -21,6 +23,8 @@ creation_rules:
       - *swarsel
       age:
       - *winters
+      - *belchsfactory
+      - *eagleland
       - *hintbooth
       - *bakery
       - *toto
@@ -34,6 +38,8 @@ creation_rules:
       - *swarsel
       age:
       - *winters
+      - *belchsfactory
+      - *eagleland
       - *hintbooth
       - *bakery
       - *toto
@@ -47,6 +53,8 @@ creation_rules:
       - *swarsel
       age:
       - *nbl
+      - *belchsfactory
+      - *eagleland
       - *hintbooth
       - *bakery
       - *toto
@@ -86,6 +94,19 @@ creation_rules:
       age:
       - *moonside
 
+  - path_regex: secrets/belchsfactory/secrets.yaml
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *belchsfactory
+  - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *belchsfactory
+
   - path_regex: secrets/bakery/secrets.yaml
     key_groups:
     - pgp:
@@ -111,7 +132,22 @@ creation_rules:
       - *swarsel
       age:
       - *winters
-      - *moonside
+
+  - path_regex: secrets/eagleland/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *eagleland
+
+  - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *eagleland
+
+
 
   - path_regex: secrets/milkywell/[^/]+\.(yaml|json|env|ini)$
     key_groups:
@@ -119,7 +155,7 @@ creation_rules:
       - *swarsel
       age:
       - *milkywell
-  - path_regex: hosts/nixos/aarch64-linux/milkywell/secrets/pii.nix.enc
+  - path_regex: hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel

hosts/nixos/aarch64-linux/belchsfactory/default.nix

@@ -0,0 +1,35 @@
+{ lib, config, minimal, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+  ];
+
+  node.lockFromBootstrapping = lib.mkForce false;
+
+  topology.self = {
+    icon = "devices.cloud-server";
+  };
+  swarselmodules.server.nginx = false;
+
+  swarselsystems = {
+    flakePath = "/root/.dotfiles";
+    info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
+    isImpermanence = true;
+    isSecureBoot = false;
+    isCrypted = true;
+    isSwap = false;
+    rootDisk = "/dev/sda";
+    isBtrfs = true;
+    isNixos = true;
+    isLinux = true;
+    proxyHost = "belchsfactory";
+    server = {
+      inherit (config.repo.secrets.local.networking) localNetwork;
+    };
+  };
+} // lib.optionalAttrs (!minimal) {
+  swarselprofiles = {
+    server = true;
+  };
+}

hosts/nixos/aarch64-linux/belchsfactory/disk-config.nix

@@ -0,0 +1,121 @@
+{ lib, pkgs, config, ... }:
+let
+  type = "btrfs";
+  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+  subvolumes = {
+    "/root" = {
+      mountpoint = "/";
+      mountOptions = [
+        "subvol=root"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/home";
+      mountOptions = [
+        "subvol=home"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/persist";
+      mountOptions = [
+        "subvol=persist"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+      mountpoint = "/var/log";
+      mountOptions = [
+        "subvol=log"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/nix" = {
+      mountpoint = "/nix";
+      mountOptions = [
+        "subvol=nix"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+    "/swap" = lib.mkIf config.swarselsystems.isSwap {
+      mountpoint = "/.swapvol";
+      swap.swapfile.size = config.swarselsystems.swapSize;
+    };
+  };
+in
+{
+  disko = {
+    imageBuilder.extraDependencies = [ pkgs.kmod ];
+    devices = {
+      disk = {
+        disk0 = {
+          type = "disk";
+          device = config.swarselsystems.rootDisk;
+          content = {
+            type = "gpt";
+            partitions = {
+              ESP = {
+                priority = 1;
+                name = "ESP";
+                size = "512M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "defaults" ];
+                };
+              };
+              root = lib.mkIf (!config.swarselsystems.isCrypted) {
+                size = "100%";
+                content = {
+                  inherit type subvolumes extraArgs;
+                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+                    MNTPOINT=$(mktemp -d)
+                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+                  '';
+                };
+              };
+              luks = lib.mkIf config.swarselsystems.isCrypted {
+                size = "100%";
+                content = {
+                  type = "luks";
+                  name = "cryptroot";
+                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+                  settings = {
+                    allowDiscards = true;
+                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+                    crypttabExtraOpts = [
+                      "fido2-device=auto"
+                      "token-timeout=10"
+                    ];
+                  };
+                  content = {
+                    inherit type subvolumes extraArgs;
+                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+                      MNTPOINT=$(mktemp -d)
+                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+                    '';
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+}

hosts/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix

@@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}

hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc

@@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:asdaPhz9nquyhCH8NuvAMdgEXW/RxPCEpqwFbyCYxfjMeWjvEe8yzWJDjVlTjP+73ql/CGSRajcahRNhOd1rgGoyMm71HJGxSWA2rbn7oNmll9lOquUJkDwXLHk5ApgIrTbvUX1C5rha/L/JSli5Hiy59WU/FB4WWDizhcN3XFSVdNYIKoA992JT0GjJ1dzHvzi+rw/8Mw+BJzm592t1CxhpS8qXRTpuyPSh09IWACNSJYBuEoEwA7aB9EVwG6SskUJKvU3bwyaI9nuc0iXHGbL5VLVJ95e2fcn7K3w2OEq1oigu4q5bpNUazX+mhLv7S8HN3c6/JJn69LaCkQeXhnNmrfy8J5+6i6fnXCdvXxHy00DI2p7fIeEM/MqaymhqoxoGxQs+vBcb2iY1OmvI6zrPRPKEghAo2zvzKHQF7ykRTi3ed6V6aVMSpu1rO1Z0UwwVbvEzSHtVnEU/gp4=,iv:lSRKdYmGE/XeGcalDIM0yuU+GaXMrxJrjqfVhHd7lIY=,tag:dD9LkrzuHLsoa2UcGfXHWA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-24T23:34:04Z",
+		"mac": "ENC[AES256_GCM,data:O7COFKQkK6aGkX8fp/ihHBxRVV8UM3khi549O6RWMFGDxgwMTh1qr3hNIJa3B4sTfhFuvOxpfxLjR4Yw02JH6wuwuuzANFzQ9uiVsVv5UDVDD0msYneTXVbSBo92gLFr4ZXcAoTtf9AKitkjwWjLK2sTJcZ608NjQSpOo+rSJ3o=,iv:s5wB+8B+igS7PhDTHL6XS17QBdhvobXFgCzHxHu52q4=,tag:ulySxIPinWRRRY8XbE8pWg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-11-25T18:32:49Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Mi33CAnGK/475xmMlZn2P4aR2iFjWFms6XU540JZnfQi\nF6/bjq1otgxGlnR6x3zhPQU3whCQIv538UeiYWMoS8oPxj5b5eF33agihYaCq2wx\nHv4p0+hOJMl2SJPCHfmTkClqYGYMOzTPe1g6oiY0N3FWVoiWXdbWNkIGVNjgkedz\n5f9JPFWn6iB/Z07qUMwG2OOzh8ZPlh/PgNCBrCVMUYrD/FrAck389uMw4yHFz8AV\n3ETnx2gHFTwL5F8H7x3uVungoBVCJk+NpXiKS6nVKwH4jliydiU2ZClSzjHpCqCW\nd365MCahC67IkuCkWhwuPwDaKIk7Qw4rZaLybcad5/TQ0zT+XCm6/2DYIYTj2gip\nqrBDZxHZhkpYcArjckWDRchO9t9E/c3qJfD1Zxi6fBz0vu2WcCuTT8Qd6Zn+DlMb\nVr0D2LPlZGRJ+kM9xuZXaY1bGNAA2POvLn698prPuTkMNxidQEhPNuNy4PlYKXAP\nFfRzJ5zFUneW19j8SgL6BxfLoYDFWkoHIutNDH5H290MJqnFDUrQ5bQn8odM+1OL\noJ1AchHN3J0J5aa2Z8X0NSVN7N0TmU3xVZ1GmfdqbH+3V+OR3NMgJ/FKMQEutT56\nAsBc7tSHtJGaRS9plJ+RryuPRRnqGmRkS3vVmBkrD+pY/TwUbXUBKjEOWhq9uwiF\nAgwDC9FRLmchgYQBEACD1XnsK/sTsgtvt69H/aBHWVIWQNTmdhwJBUHmqkusFhPf\nXxfGN+bvapWulYI+Wb4LAQQbUhMmz8drPnWpCEobS3LSeU8CDD3wBrGAJubI7YLK\nttn4oB7XK5mrg9SIQ8M8kOElv19oCMudkX8dRs4gs0TBO6jbr7/lsiyL/sN3Ylk+\nnyORFeSgE9vVcvJ8QnIF+MQXF9Re61zJFqjXiDMEklzbHHVeLzS5IlYgJoDvV3Gg\n9lTtvdO/FV5JtjFeYI16rjPb7ip/KtljU5pBM8wp6VU4Dre0VsRBgztm279g+WaL\nDJuf6lmfwNSk66tiLpsaJoEu7A+UhLURI10cv92E7fydbGRZMgSjK6ZK4Ue6WH1U\nYQJenngZPXcRcqfCeTVTjzG6ikL3aCfvbuJ3/oT8Y8oBA5Ch2PG7fWAJMMUVIFAM\nLO8KqCSdRCoJrJ69s8iyBycOhPhMiwLZU2HLlMux/kLq5OB2JMGm8P4nxoXTp9Dz\n2TPoPigZritYHsIXZ3cM2iR3OL3AiotKlaIp74ElUeuc0K+Bcp1C//OtKTPuYGnc\n0ttC/dx3c9vv6W80JJ6i7bCRoDiuGrrdx783ly2br4VLDFSaS8rNbrM5ccSTVImw\nUFxZO9rLO0n7N6z4hlgrKw3G1SWKYqbgOVXxIog7st8JvmPLQZYjEuH9Xwq6WdJc\nAU2esxsAaDKyIPHg+DAXOPBagzU1tBKFYtwaiFVDqYk5gNE/2hAnKcuU7O3sua1q\ntsgL2kY8VSHcFFv8N6FhDYPdCrDgAwOtJSZGf7uV92q7/vbMWx+vGq/7FaQ=\n=m1sm\n-----END PGP MESSAGE-----",
+				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}

hosts/nixos/aarch64-linux/moonside/default.nix

@@ -11,7 +11,6 @@ in
 
   sops = {
     age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
-    # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
     secrets = {
       wireguard-private-key = { inherit sopsFile; };
       wireguard-home-preshared-key = { inherit sopsFile; };
@@ -138,9 +137,12 @@ in
     isBtrfs = true;
     isNixos = true;
     isLinux = true;
+    proxyHost = "moonside";
+    server = {
+      inherit (config.repo.secrets.local.networking) localNetwork;
+    };
     syncthing = {
       serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
-      serviceIP = "localhost";
     };
   };
 } // lib.optionalAttrs (!minimal) {

hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:RTj0FFJudZusWh2SuAPBHhpYEU20GmWbeZZSCG/vKCz83iUEJxpZ0lSDm71BN1Di7sz+VchcbWxkUjc+SV9paFOtuRKMPynW5n/HTyp/ub3y8oPUN4AjxiRnvfzh8Qxd/vnmxd6lSh2HxMlOqJURN0JY3D3g+tpHyTIvFUWef6HgzLNZCXDnP3HJzbIY53VPj9f+DsdxtFwU5OHkWd8gH2D4XuPPetN0Iv2HaR9+dvlVrbKEXgElgdENkU+ED78TFxvabk1hqPZqXhsfORF/5RpwF15ip5iSlVWPTwMdBREqCsHRiA+u5F9nwJ5C70U1wz39J40CJoa9oihIxyAmN3dktD0JuY0jiqyxwTRFZXYh7Ioe4CksaET0P7LbTa7+BpctgoBqvmnhM3ZDNcSZMNcCbtX98V30UqEPBoTn3kRYvg/1C1SycR96bVW/AiHMiIzD93dNw2gUWdyQX9xtHvgdxLo3U20pJhjMEcsk9V98H6lPiLp3lltrjAX35RsG5R629W8/WVOGoUQn9nX/y6m9VFKoUPf8/M7tvlxDT9A/QBQQvShdA4AM0K8mdNzb85ac5In+43gWDRXWQPPf72e5gL5nPIqPcZvAcoLHsYFH5ebr7VUaUbHm890jQDoNvtezZ1w9nRlZNGVTwdvwWB3rfzorzwCAKLhkFv6ATUYimP0tiHPOz0MxTQKXg12rtyPXbh8bwjhg0kdIlwljAYnYUKiX7SVSeYq7TQksQIiH83JwxCGrL4xjMWZhNkrg3KQUrEMHHaMbNCZvb5M2nMceBo6eA2zi5qYA9sLVnLTrlwx+3Wl7uFBv+9Z+8qvGg3adpGrtJTJjVf+cig01gzao5WrJtT9q4YD1tOHnWfBhwI9/3ny2A0WlyjlY/fS8WUiOmyhl/6N+ukdffzDZQOcTGf1QD0zO+9FYPqYhxr8eGKRHAB0R81Q5y+ORTLwXJ7EhRIK2f45FJisRIsiR+VTsI2cqy7n9HtubY8jQPxLMLnxuUqTu/OjtUMCcbJO8iqYDxWf6NlCZuTaLsQuUPWvO5uUelQpDmN6HhxSGKD9XG4M7/zCuCWNhKWoH0Z9xfw==,iv:Bs1fdmD4jbM/9hiPHxu+yENrVrwFsmhJ5J38W5+4PtM=,tag:UBpHq3ldgdVORaRxuswzVQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:2BVykBGxqpEx6OGG4//MRHDPfE9xJYatb96gn/NXlaYC5nI8zm/9etMRqX6VWEMLdc+4szrCzwNnJx07P6fvY7psER+kd0iuuJc3dLwpm708/fDMP1eOblL0SpIEOHuw8khxtB8KwwMFrwI+858vJvek0/EGN9owCotseJY0lPfX3Kz1StdEspwf0cNAEtck0sQ8MxyODMQggei1eBpr7R+8KRlMg2hBvKw+KbL4C+05twtno3Emar36aeYZurXplm6Z9o3mhvRbpjAkC4cdv9ffiiqQdRuqD0SIbmswjq2ntAVoike6Go0Gflld8POQvE3inZ0pQFC4khTdsheC7nwkI9eudQbNIPzoGq0tjlF4n+/PWgQwoxDiNFvKuKAMrVaAIjQlflt483ofq+TubC9P6FqyjW1gAI94976RIyoBKWWKvJBfr8WKDbwKErLFeTyCnNci96Uctvw4ivYohBj4bUfrZ2zyQk/Y0u7cJYl6qbb+lT1TwHw2Fe9kbn9dDA0wwck5vh0c+q9nhaSG1QNNWxr62w/UyQL/vDxYv1SF5/CwTRmTxDobjhJu+tkzSAfitJ4d41c4/vZ25fG3wehgdLJsdhrjL1JB8smDs/GOFetFO6vPkHZq8HYUc5JB4lg/v9WFXE+nACaFHcZlISrOV9Eh4dG/xu2hsd/rh1uldBVqEZq39PiTk1y94m6AyeQ+dtmGvgBbAFvIpQfUB4+4f7+qO2yQqbb2R/RuqKUuyt+Yy5DrcciFTivGXmlHvC3Cz/qmtpI19boXwiF1uNzKDUHebvK1+azOc2qxOsM15g+jZG9V23o/kP4sGTY9dXqeuMmfELvBBrPgBB8Nhgdi0DrDed4cpQEp2E+rSGCM7V1IdEFa4iMyC8jJ8xq9eBnluNMdmvC8iWanhO7R4AiMzd2JOQImJ11ZX0QAxgG4FwyvYxyX+QXgIHuJDqUVsMxba6HWqwEU0B4qjgVJUDuf0WZxLNBh8bbjH8pV0sa8c7fJBTdHg8X5MBbbaSsYDxQBhdTVKiUXoG5T/2npr1Efjlr09JDbtZlzWYkNfhJ9gLyQI54hXJ0DHWvtnydzHGLKwsPSXRjFcf/jGgCZr2FideArza5y53HBqz2NSOvzvYgZp/avhNumKRQroFZ930Rx2UJoSI+VNDQiPe1aZpOdFsmS923vxlCg/EC0dElKHt0Ou/RRZeonMAmrqak+JIF1+dWn9k2cNNQ=,iv:aP0jgnZRCiLE+BFimZk7k4ElQmPIeZPOvZnc/96j2zs=,tag:0UQF0LlWWGI9tF0UKf8eIA==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-10T23:16:52Z",
+		"lastmodified": "2025-11-24T23:21:12Z",
-		"mac": "ENC[AES256_GCM,data:CuwVt8/XKRMUHs1rh7Yf4Bk5tWXqTz0HXUiEEjuLhj1TRuMWs6aTC1h9uTMoybP+FmjKeRTar1E8dgUmoheFUGaBFqxd1Kx/FmNeJVLhUOPgmT9XOIjEjTNnzOoaMsYvfhP+AnLKgx+CfOsLnLMOqdKEggx1t5jNfiI2rXqOdfI=,iv:4Mc3WcgMg3z99dERJk+EF4hPpgGZo4mfMt6X45zgp5I=,tag:MP0YDtR1Wq3088WVzXS+8A==,type:str]",
+		"mac": "ENC[AES256_GCM,data:qf8XNu9bUnwXh/XDMR/2MKf2HKfpqA9GhKjOln97kU57jqqTLxQkdjIwazwoNxEkVkiXHwSd0J/0ZblqcJoCGgy90PC6nYktxRG5y8c462P6Xv259xfpLFTtxtV9Q/Wg18QOruZzULO6ENYTAXGsPZ46VEpf7HQng03PFe9WtlA=,iv:kI2HHNcMjCC5jzI2EAh1nh86HYj7fb11EPkclhIsHSY=,tag:zeWbqVq0c+GzUdJpvcJeEw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-13T20:12:55Z",

hosts/nixos/x86_64-linux/hintbooth/default.nix

@@ -1,4 +1,4 @@
-{ lib, minimal, ... }:
+{ lib, config, minimal, ... }:
 {
 
   imports = [
@@ -18,6 +18,9 @@
     rootDisk = "/dev/sda";
     swapSize = "8G";
     networkKernelModules = [ "igb" ];
+    server = {
+      inherit (config.repo.secrets.local.networking) localNetwork;
+    };
   };
 
 } // lib.optionalAttrs (!minimal) {

hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:RwbQZyqU0OjA/wD3o0HppPWFjfHNAHsGF8DzdJrXZLlE5RPUigHWtMLcX+2bNd0DpS3r7WHCSyiu+mmg6GWFiE6wAOBU1Q19BpQ8k3oTt8sP3N4/5PfzYcXlHRfwxmB9/pv8YCi5+cOU5ExWiQ+kC767UbgPIC2ugUD6tkP14KkhW0EGgEhF3elBfOGrSHGgjltgIFMYm/WKZjM=,iv:EBpghMcCGd/wow68V3zoDfzwywDGwmlqn3btNHrfxbk=,tag:jvSZyRIQ7BmQdKc6YEBIZQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:trvZ+abrf69YhdmIQ1ekgDW82PtPnJkC5bfvh6lABb1BBkPWZk8Ds7Ug4CtulspitB/Spwd0ksGHSuEpk7Xg9V+5O9nm4/8JWWh7EF4qKWeRiwqj/dpfHTtTQPOzywHQFwLg6EWS3wSwUu60dZqJ8f36rvr+KAZc71jZayZmm3TIpeDaMsCAyO+TrfzeKM8AYN4uUVr30raquNjd2XzGgufE3FFCQdo4yhvzVGHGq0+wrZGr,iv:Yx4RkCBSkB4gK1dnMGudPwPP6moR4/7ovDZ77f1WL9o=,tag:9tTUU6ax2K2CqKjxHn2ZaQ==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VHAxaWdiV1VlWEY2UktF\ncE96UHJnWGNpY0ZFUmZVSi9xSXpBMmI2S1VFCjB6cWtDTTJrNFhZRC9yUHRYdUpS\naytwOUJ4NTRxTmJmc0R0Wmh5dFVKbzQKLS0tIHQ2NUtqRjh6MVF6VHJFSHVFTFFD\nNWh0MDVjekFDUWZvTUZNK0Z4M0lJbVEKGZk1BvZsNTkIor5rTcpi2UE4W/BqNMWU\nIAe3irNN6p1si2zebrCEyiaJYuaVn7uYVwXcscJlNTfkr9szm8TjSA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-10T01:10:14Z",
+		"lastmodified": "2025-11-23T18:19:50Z",
-		"mac": "ENC[AES256_GCM,data:NSUKiOFGZyTb9U6e8cJoOJPAMfnk5iuw7pLK0JJzdwf4pI1aMSqjSDylQ5EqqbdFKZKRmaIjjHSpcJep6q0TRFA6wOznHWyv/UCECGwqZrS3EXgcQF5lZl7NVXPPSsMZgPReEVQcMtMivatPrfksEeCaam4WC/M+dqd2d2RrOXI=,iv:KnBNepDoaQeQ9MSrSN6dkrbS6YqkMYMpmXFd5v+oWoI=,tag:vPhsazyi8d3ugGoW8Z1Asg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:IA71SHchjrqqU5tRlJ4Ozgx2rRxhKE42CsC7ygBLdAZcyZs+7iMpskYejIue8+JXto7zJxe38UbolnLOaTkHzSVGJkKMYQQQ/sXoDtaWlsYTN648ug4zAbgN1neifNnG+756abcg9NEuJRXBhXDzqmAecHkzv6U0HW9LHPO9W1s=,iv:dEiu6FnSqALXDOtpCZ3FiQ8D6GU0FjQAFA12SPaSIAY=,tag:/SXghsNzu8ceOQk/2w8e7w==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-11-11T17:51:27Z",

hosts/nixos/x86_64-linux/winters/default.nix

@@ -1,4 +1,4 @@
-{ lib, minimal, ... }:
+{ lib, config, minimal, ... }:
 {
 
   imports = [
@@ -25,13 +25,17 @@
     isBtrfs = false;
     isLinux = true;
     isNixos = true;
-    server.garage = {
+    proxyHost = "moonside";
-      data_dir = [
+    server = {
-        {
+      inherit (config.repo.secrets.local.networking) localNetwork;
-          capacity = "200G";
+      garage = {
-          path = "/Vault/data/garage/main";
+        data_dir = [
-        }
+          {
-      ];
+            capacity = "200G";
+            path = "/Vault/data/garage/main";
+          }
+        ];
+      };
     };
   };
 

hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:dwoz+/DxlUbk05hmg/EwtmUkuD759sQ4iVbjHqcPpY9y2l/gzuPSJT2CMI2GbZs5SKhtlqoqZ5jHG3LwcQjgulmYHB2ThJR4ALi7usJm08q0UfMirnm6mPxjnhdhJXdO6YQ4LaRyP81txSphrl28eJwp2efz3rkUp8nAA3keL6MLZsBkdOXujOJhpreTr1mprWTA6U8aRWFBW7Y1vWvxAH3dtQ03XhYXM88pY6k+HKMvcXSsiDhvwnxG/+UYvSIHcanmboCJDYbgXZECnIGsar7ZOmbsZ3GM6X37qPJpxNmUjc4OoRaJJCcn6saH8kOJkx2rxMyzgMryuGdBq4R/m2JsvDoCPDh+gKO+luCI+hH/iduxnDgYjZAQ2gv3Q14MGNe9nvPWVfiRXXzqRf/8vDXjpnD2FFKmMSqiCvPJHRL52uwO3R2zYUrUfQgDN0Jk6nII8B64l+l69Q8Mod1J5nEMwoUOihhOsjaz6TMIUo6b0GKvxZG04Noyd7S+KuxZe1BsrxSnn7REt6qyQKqAHnMYVXpBmOxOpzhAhOrBIOz6LuqHPzmooQukuBDH/Ej2rC5hLBAFW7mvHIcTqo9sJFbnT3lYYtwLSlHBE3R26vud9pG8K2SuVdy2MWJMpLscR48V9r3nAbWsXKXLZALW38z33/UMfzTJ4g4L7Eo/4E5RXlihyL5/p8ISsoQdf6Uj718pVPTToBRBbIEMOSoJ4ntPoVxQbcpdrGO9zrqqPeZWQSE1JM8anGeZVqeMEVmZJxIbfquX8eMKJrkTroa/9HysuIi0O311F/kntoCtDOYCd3mYPcT8UnZHW3wuG7lqYRd15i/eaMhj3z1eTWoZ40R8w+2TaQB+TjyoLoGGzHvyktI5UkYiaMwa2FoFz40tz5YdZ8aODLQhwJc1mv3Fm0VLudXm7NUcfc4tr35EKbDg1wKtUS13VMSHjbi8ANbTB3nBvpBsPKtD12BTqaP4Q0HJipdnDbcwas/MoG27rFO5+q8+cb82IgjSpCeekrIgUY1wsnOyR3j3ByITp8jfmCRMF1vjKifKr0pgREF1dW59VQ33TvUyjfveQV0ixeV+vM9QueQsUVFzeqYTagsPSM/Czx/UNo8hyG1ze0p+acoOb257Q/Um8nkj3iNPAzx3WN6IdjJkpN1Ldp1SvU5qd3o3DDcSw2ztz8usBkH91BrBaV9MYGH/FSM/HL2CfTZoZodP1VqKFi1Hl3pHHyPEagvoJp1ayUZqmymKu4x1wFxC5FMUXjWUwWZZx1PIOwOtf8pLqVd6FySJlwG/MA4Bfxcnc+eSZ1EYcuHU3ziGbtGiB0eqWXA0fhUwIHHUFnV7H8NoRaJnbDS+kviFdTQKvoF3OmymEwhaq/Oak0ZQk8NLHC7KTQ6xVCb7bBtLpkBdXFE3YB5ltXvEYvSL02qX9i6oBf8GRi4Tl+k6zca6QVJzHG4hU8Nh3cxXBmF2IIY4JiKy0YlsVXCg7OHEWMEl4qT09dAsrDcKQC205YRF7XO8AXimENFQM2Nr/moadk2SF3D2DuJEE2HnSBk4H2tVlMNns32MpTFBZwbf3JOIHJV9CFyVSjhjuNjVjMK4vVdpnEzhmnaKjDqMnuRGNZmrl6p8gKM26KlWcYpIclQkPxy1pY1iFINxGH4YEGdAztpx1YhBkQNkQT492InrPA/PE5XFStP4WsKsLW72lhSVgH8D27S76yGihXyaVXXfd0VF5Fx/gUnbd7fph4Vi1VtFonhfK+ctHg==,iv:aQoC+pr7OoTyTT0FE4MbENfzfJ0Beq1Lsz9G1jnFQPs=,tag:JuYmfDP2foCVDH8CwfL4fQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:vevuVfscWMiD3Lzc/bAS+jAqpzgkfBfcFAB7ChacGaj/PJfoi5AzpmlkDhm11GBcvUXcveMnbLbQexaF3dgPVwvbD9xr6e+mcMJjIry5c5a5wOcZkyGxXgPuPg415An9AQrO56XeTTSaUL+ScQB3kv6eIyzCtxZag7pRLnOgwFuGYqfwcDIcX8QHCc0ijf3XLPaM6dEgiFYDeOMFhOF4+Z8/d9eHoEQ3tOkWTmkoVqZFz80ZicEraliWnWMvCBhRLKo3gb7KFRce/AAEZQaS3CZOJz7v7var4Ds1+PZnU282aSU/xsY5Dq1vOrsZuoYqXA5WrdC9HaXAYLGaGFCzLwRTAfJvigV4PNwOePskCSa/qRlOGpyO1t1B01Y4pghdERNlS+1ltEz8nKVfIi4DR6dKy8NIhLl3huJQy6KHsLrjDHnmxeypo2sJ+NeyuNTKqwJo9x3krcIBt8SaUoFIDkBgshcDCp2eBcKvRIOFIa8r3rsxQ7gwG3YV7hS+NR0nwsUXodGXVzrdehDNddr+mI4GEMl8TTP9sdVSaPhKpN+QB3GGGoYwX2HJYXdY9CKIIlYcgFiDfPz9x4HqGnGfSpeB6QgTK40pmRmG6jQyIFZiW+hQBS4XHtKQ8CJx4zUNpiUArYzustw6riPkfYDex21SzsUIjpRYxB8uGHFvJlJVgr4FkQQg6frebKf2EjIhjc9Mjdw+g7cGb5+WavUfy+fIXztYwRI0l8aftosfCMdGsSChntKCymz0kpGREx00HF5blA6oyifHaVxRYoqraxCwbe+p1RTFlGonaYtb0gBWpdrQU+24HVQU1rMhc8HFHPjcWofE/ymEPkhRzkxIXMmNQFi/18KvZWoy2qOVtPmsEc4mOVRtC6w9AZZpcxI9CXhhuyDZlJ/k4bJzkZFrcNW8I7OjEXTNmsYkzJDSVzD3Od/1zhubU8LYZBBXuejzeH0TXNsXbS6tQXCJ2D7Gzrcx8LpXL/a1IjAUmIXguVtPT9nGallXO9jHV9g7GGjF7weTaEMb/eNSuLgQOpq8vziN1XLWhVo0WEQ8zU97KSVJS5moaTEPAEUlHC4PfM3AQHpWMW4EL7FZu5r1yw+EDOUA4k9u9HIVbn5XVZbWb18aVVkYZoulLIVU7I74LJlYE/BSYhGzp6Ff1k6qzPNTbVgXEtiNuLQKa//8gHoQUCsu019MEVAU4LhZ+nt4genG4qFUTuBujTriO4Vhdel9Qsoq95FLXDzdwRInUzfUhbLli/rKv+LDW7wIdh/peWslq5XkWBeMqJC97OSGzM/MaWIzzMY68FjCJfYX6I2nskFD1xZiECKukn0LV/wqQhrkmUuyG6RsZGAZuOoStWJMs8v+x+ZIMHzg1jItXO2ozt8P73EvdgOExJi5/aSf8sQwX7H5lesDtnGYU5+xV9k6R8icsIqG/TLuFAiqK1hmFQv7H/9pFkRq1LUXFmJXoKDfDByG6xUjMeyYOwT6yLShhH3MMWvh3yjflwzGo7uTU1BTpNbKT0LEh3Q9C1txZ0uKROhWKu70iH+kHRFVlhUbyYpZovu3BPB3WDhLiLuXIOss5+dVv5RBSYUtxpzp7Oq7mbMRIGCY1hOVCiCcUEvcXXiQ8JBCklWUEEJ15BAIewetgDiVci4USgZZYrALplmSFkKTZbFjYEIrf3ghKFXfVTkMixRmzTHoxKpYXzvB3TZnkmAXVhvJbGEiHsAaHpcfycAXygQAWsIFYzYSDrqYXmRhwEy/A5cqy8dYx+UA3bBAi4v0QPMoro3UtdI2ipM=,iv:+QSRj/TyZl6xbwLDbuwb83RkBiLUi85VYcpss8Jn8fk=,tag:uPqu0GaUGmChLweOGN10yQ==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -11,8 +11,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-10T01:10:47Z",
+		"lastmodified": "2025-11-23T18:03:21Z",
-		"mac": "ENC[AES256_GCM,data:2gKEGIYctY7g7mL7lay1T7XmxGdsRzz/dIC1p98zDTnIoBrq5mf5CV/FjAGi5jDsmEMoCSUTWFaT/0Wq3nmRC+OyjL3/Hsit+HJDBVbyf/mY+zs2UQd3KVYoxmpDeAJ1E9s8ygxEu5lJGzacWbJ9BggKUUnywXYfNg0fS7ntjUw=,iv:5xedOuJ3VFm4pEjXyVBM9Iwe5pK1dYP4nTRkk7exrvo=,tag:sEVygcLMqkI9CWQDjoaEqQ==,type:str]",
+		"mac": "ENC[AES256_GCM,data:8KSKQH7qF2vLnR17a3XhYGAqYq4YNgf7XEkpeNVHD39Aj8MzdlsGPr9vI2o/N1yTpQyJrPW1ntKVvI9rHwcJhm5nyaQiHVwKHWcxcn7li6AeztV4HUqwKxQwf3MHfZ4fhWJrI7NYAuMAbmK6epa/ROGsIGnT6vQh3SImcn+Kkcg=,iv:dT8dBuSsYRxGe93/9ie/6/X4Ru5NDycz2pgMVI83wbc=,tag:r1mPjG/JOQsRDzCktIlisQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-08-24T23:36:17Z",

modules/home/common/sops.nix

@@ -6,8 +6,8 @@ in
   options.swarselmodules.sops = lib.mkEnableOption "sops settings";
   config = lib.optionalAttrs (inputs ? sops) {
     sops = {
-      age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${homeDir}/.ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ];
-      defaultSopsFile = "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
+      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml";
 
       validateSopsFiles = false;
     };

modules/nixos/client/sops.nix

@@ -5,9 +5,8 @@
     sops = {
 
       # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
-      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
-      # defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
-      defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
 
       validateSopsFiles = false;
 

modules/nixos/common/globals.nix

@@ -114,13 +114,31 @@ in
 
           services = mkOption {
             type = types.attrsOf (
-              types.submodule {
+              types.submodule (serviceSubmod: {
                 options = {
                   domain = mkOption {
                     type = types.str;
                   };
+                  subDomain = mkOption {
+                    readOnly = true;
+                    type = types.str;
+                    default = lib.swarselsystems.getSubDomain serviceSubmod.config.domain;
+                  };
+                  baseDomain = mkOption {
+                    readOnly = true;
+                    type = types.str;
+                    default = lib.swarselsystems.getBaseDomain serviceSubmod.config.domain;
+                  };
+                  proxyAddress4 = mkOption {
+                    type = types.nullOr types.str;
+                    default = null;
+                  };
+                  proxyAddress6 = mkOption {
+                    type = types.nullOr types.str;
+                    default = null;
+                  };
                 };
-              }
+              })
             );
           };
 
@@ -163,6 +181,12 @@ in
                   defaultGateway6 = mkOption {
                     type = types.nullOr types.net.ipv6;
                   };
+                  wanAddress4 = mkOption {
+                    type = types.nullOr types.net.ipv4;
+                  };
+                  wanAddress6 = mkOption {
+                    type = types.nullOr types.net.ipv6;
+                  };
                 };
               }
             );

modules/nixos/common/home-manager.nix

@@ -12,7 +12,6 @@
         inputs.nix-index-database.homeModules.nix-index
         inputs.sops-nix.homeManagerModules.sops
         inputs.spicetify-nix.homeManagerModules.default
-        # inputs.swarsel-modules.homeModules.default
         inputs.swarsel-nix.homeModules.default
         {
           imports = [

modules/nixos/common/impermanence.nix

@@ -72,6 +72,7 @@ in
       hideMounts = true;
       directories =
         [
+          "/root/.dotfiles"
           "/etc/nix"
           "/etc/NetworkManager/system-connections"
           "/var/lib/nixos"

modules/nixos/common/settings.nix

@@ -1,5 +1,6 @@
 { self, lib, pkgs, config, outputs, inputs, minimal, ... }:
 let
+  inherit (config.swarselsystems) mainUser;
   settings = if minimal then { } else {
     environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
       assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
@@ -36,7 +37,8 @@ let
         channel.enable = false;
         registry = rec {
           nixpkgs.flake = inputs.nixpkgs;
-          swarsel.flake = inputs.swarsel;
+          # swarsel.flake = inputs.swarsel;
+          swarsel.flake = self;
           n = nixpkgs;
           s = swarsel;
         };
@@ -57,7 +59,7 @@ in
     (lib.recursiveUpdate
       {
         sops.secrets.github-api-token = lib.mkIf (!minimal) {
-          sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+          owner = mainUser;
         };
 
         nix =

modules/nixos/common/users.nix

@@ -1,11 +1,8 @@
-{ self, pkgs, config, lib, globals, minimal, ... }:
+{ pkgs, config, lib, globals, minimal, ... }:
-let
-  sopsFile = self + /secrets/general/secrets.yaml;
-in
 {
   options.swarselmodules.users = lib.mkEnableOption "user config";
   config = lib.mkIf config.swarselmodules.users {
-    sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
+    sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };
 
     users = {
       mutableUsers = lib.mkIf (!minimal) false;

modules/nixos/server/nsd/default.nix

@@ -0,0 +1,38 @@
+{ inputs, lib, config, globals, dns, confLib, ... }:
+let
+  inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName;
+  # servicePort = 53;
+  # serviceDomain = config.repo.secrets.common.services.domains."${serviceName}";
+  # serviceAddress = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
+
+in
+{
+  options = {
+    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+    swarselsystems.server.dns = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.submodule {
+          options = {
+            subdomainRecords = lib.mkOption {
+              type = lib.types.attrsOf inputs.dns.subzone;
+              default = { };
+            };
+          };
+        }
+      );
+    };
+  };
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
+    services.nsd = {
+      enable = true;
+      zones = {
+        "${globals.domains.main}" = {
+          # provideXFR = [ ... ];
+          # notify = [ ... ];
+          data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns; });
+        };
+      };
+    };
+
+  };
+}

modules/nixos/server/nsd/site1.nix

@@ -0,0 +1,117 @@
+{ config, globals, dns, ... }:
+with dns.lib.combinators; {
+  SOA = {
+    nameServer = "soa";
+    adminEmail = "admin@${globals.domains.main}";
+    serial = 2025112101;
+  };
+
+  useOrigin = false;
+
+  NS = [
+    "soa.${globals.domains.name}."
+    "ns1.he.net"
+    "ns2.he.net"
+    "ns3.he.net"
+    "ns4.he.net"
+    "ns5.he.net"
+    "oxygen.ns.hetzner.com"
+    "pola.ns.cloudflare.com"
+  ];
+
+  A = [ "75.2.60.5" ];
+
+  SRV = [
+    {
+      service = "_matrix";
+      proto = "_tcp";
+      port = 443;
+      target = "${globals.services.matrix.baseDomain}.${globals.domains.main}";
+      priority = 10;
+      wweight = 5;
+    }
+    {
+      service = "_submissions";
+      proto = "_tcp";
+      port = 465;
+      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      priority = 5;
+      weight = 0;
+      ttl = 3600;
+    }
+    {
+      service = "_submission";
+      proto = "_tcp";
+      port = 587;
+      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      priority = 5;
+      weight = 0;
+      ttl = 3600;
+    }
+    {
+      service = "_imap";
+      proto = "_tcp";
+      port = 143;
+      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      priority = 5;
+      weight = 0;
+      ttl = 3600;
+    }
+    {
+      service = "_imaps";
+      proto = "_tcp";
+      port = 993;
+      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      priority = 5;
+      weight = 0;
+      ttl = 3600;
+    }
+  ];
+
+  MX = [
+    {
+      preference = 10;
+      exchange = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+    }
+  ];
+
+  CNAME = [
+    {
+      cname = "www.${glovals.domains.main}";
+    }
+  ];
+
+  DKIM = [
+    {
+      selector = "mail";
+      k = "rsa";
+      p = config.repo.secrets.local.dns.mailserver.dkim-public;
+      ttl = 10800;
+    }
+  ];
+
+  DMARC = [
+    {
+      p = "none";
+      ttl = 10800;
+    }
+  ];
+
+  TXT = [
+    (with spf; strict [ "a:${globals.services.mailserver.baseDomain}.${globals.domains.main}" ])
+    "google-site-verification=${config.repo.secrets.local.dns.google-site-verification}"
+  ];
+
+  DMARC = [
+    {
+      selector = "mail";
+      k = "rsa";
+      p = "none";
+      ttl = 10800;
+    }
+  ];
+
+  subdomains = config.swarselsystems.server.dns.${globals.domain.main}.subdomainRecords // {
+    "minecraft" = host "130.61.119.12" null;
+  };
+}

modules/shared/options.nix

@@ -1,6 +1,14 @@
 { self, config, lib, ... }:
 {
   options.swarselsystems = {
+    proxyHost = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+    };
+    isCloud = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
     withHomeManager = lib.mkOption {
       type = lib.types.bool;
       default = true;
@@ -34,7 +42,7 @@
     isBtrfs = lib.mkEnableOption "use btrfs filesystem";
     sopsFile = lib.mkOption {
       type = lib.types.str;
-      default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
+      default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
     };
     homeDir = lib.mkOption {
       type = lib.types.str;

nix/lib.nix

@@ -29,6 +29,23 @@ let
 
       mkIfElse = p: yes: no: if p then yes else no;
 
+      getSubDomain = domain:
+        let
+          parts = builtins.split "\\." domain;
+          domainParts = builtins.filter (x: builtins.isString x && x != "") parts;
+        in
+        if builtins.length domainParts > 0
+        then builtins.head domainParts
+        else "";
+
+      getBaseDomain = domain:
+        let
+          parts = builtins.split "\\." domain;
+          domainParts = builtins.filter (x: builtins.isString x && x != "") parts;
+          baseParts = builtins.tail domainParts;
+        in
+        builtins.concatStringsSep "." baseParts;
+
       pkgsFor = lib.genAttrs (import systems) (system:
         import inputs.nixpkgs {
           inherit system;