From e9da090c2a4be091f032d3d88f9efc9fc5ae6d5a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
Date: Mon, 14 Jul 2025 01:08:22 +0200
Subject: [PATCH] chore: cleanup
---
 .sops.yaml | 16 +
 SwarselSystems.org | 1687 ++++++----
 files/scripts/swarsel-bootstrap.sh | 3 +-
 flake.lock | 25 +-
 flake.nix | 5 -
 hosts/nixos/bakery/default.nix | 66 +
 hosts/nixos/bakery/disk-config.nix | 122 +
 hosts/nixos/bakery/hardware-configuration.nix | 23 +
 hosts/nixos/bakery/secrets/pii.nix.enc | 22 +
 hosts/nixos/milkywell/default.nix | 148 +-
 hosts/nixos/milkywell/disk-config.nix | 98 +
 .../milkywell/hardware-configuration.nix | 16 -
 hosts/nixos/moonside/default.nix | 7 +-
 hosts/nixos/moonside/secrets/pii.nix.enc | 6 +-
 hosts/nixos/winters/default.nix | 1 +
 index.html | 2874 ++++++++++-------
 install/installer-config.nix | 1 +
 modules/home/common/env.nix | 6 +-
 modules/home/common/gammastep.nix | 4 +-
 modules/home/common/git.nix | 6 +-
 modules/home/common/mail.nix | 6 +-
 modules/home/common/sharedsetup.nix | 8 +-
 modules/home/common/ssh.nix | 4 +
 modules/home/common/swayosd.nix | 3 +-
 modules/home/common/yubikey.nix | 6 +-
 modules/home/optional/work.nix | 343 +-
 modules/nixos/client/default.nix | 7 +-
 modules/nixos/client/network.nix | 403 +--
 modules/nixos/client/nvd-rebuild.nix | 5 +
 modules/nixos/client/packages.nix | 1 +
 modules/nixos/client/stylix.nix | 20 +-
 modules/nixos/client/swayosd.nix | 6 +-
 modules/nixos/common/home-manager.nix | 15 +-
 modules/nixos/common/lanzaboote.nix | 7 +-
 modules/nixos/common/settings.nix | 4 +-
 modules/nixos/server/ankisync.nix | 12 +-
 modules/nixos/server/croc.nix | 4 +-
 modules/nixos/server/firefly-iii.nix | 3 +-
 modules/nixos/server/forgejo.nix | 9 +-
 modules/nixos/server/freshrss.nix | 32 +-
 modules/nixos/server/kanidm.nix | 19 +-
 modules/nixos/server/kavita.nix | 6 +-
 modules/nixos/server/koillection.nix | 8 +-
 modules/nixos/server/matrix.nix | 24 +-
 modules/nixos/server/microbin.nix | 8 +-
 modules/nixos/server/monitoring.nix | 148 +-
 modules/nixos/server/mpd.nix | 6 +-
 modules/nixos/server/nextcloud.nix | 15 +-
 modules/nixos/server/nginx.nix | 6 +-
 modules/nixos/server/oauth2-proxy.nix | 6 +-
 modules/nixos/server/packages.nix | 1 +
 modules/nixos/server/paperless.nix | 12 +-
 modules/nixos/server/radicale.nix | 34 +-
 modules/nixos/server/restic.nix | 64 +-
 modules/nixos/server/shlink.nix | 4 +-
 nix/hosts.nix | 2 +
 profiles/home/personal/default.nix | 1 -
 profiles/home/reduced/default.nix | 47 +
 profiles/nixos/localserver/default.nix | 2 +
 profiles/nixos/reduced/default.nix | 55 +
 profiles/nixos/syncserver/default.nix | 4 +-
 secrets/bakery/secrets.yaml | 48 +
 secrets/certs/secrets.yaml | 113 +-
 secrets/general/secrets.yaml | 121 +-
 secrets/milkywell/secrets.yaml | 10 +-
 secrets/moonside/secrets.yaml | 10 +-
 secrets/winters/secrets.yaml | 65 +-
 67 files changed, 4146 insertions(+), 2727 deletions(-)
 create mode 100644 hosts/nixos/bakery/default.nix
 create mode 100644 hosts/nixos/bakery/disk-config.nix
 create mode 100644 hosts/nixos/bakery/hardware-configuration.nix
 create mode 100644 hosts/nixos/bakery/secrets/pii.nix.enc
 create mode 100644 hosts/nixos/milkywell/disk-config.nix
 create mode 100644 profiles/home/reduced/default.nix
 create mode 100644 profiles/nixos/reduced/default.nix
 create mode 100644 secrets/bakery/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index e4e01e0..a8bf631 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys:
 - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
 - &hosts
 - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
+ - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
 - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
 - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
 - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
@@ -19,6 +20,7 @@ creation_rules:
 - *swarsel
 age:
 - *winters
+ - *bakery
 - *toto
 - *surface
 - *nbl
@@ -30,6 +32,7 @@ creation_rules:
 - *swarsel
 age:
 - *winters
+ - *bakery
 - *toto
 - *surface
 - *nbl
@@ -41,6 +44,7 @@ creation_rules:
 - *swarsel
 age:
 - *nbl
+ - *bakery
 - *toto
 - *surface
 - *winters
@@ -57,6 +61,12 @@ creation_rules:
 - *swarsel
 age:
 - *moonside
+ - path_regex: secrets/bakery/secrets.yaml
+ key_groups:
+ - pgp:
+ - *swarsel
+ age:
+ - *bakery
 - path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - pgp:
@@ -93,6 +103,12 @@ creation_rules:
 - *swarsel
 age:
 - *milkywell
+ - path_regex: hosts/nixos/bakery/secrets/pii.nix.enc
+ key_groups:
+ - pgp:
+ - *swarsel
+ age:
+ - *bakery
 - path_regex: hosts/nixos/moonside/secrets/pii.nix.enc
 key_groups:
 - pgp:
diff --git a/SwarselSystems.org b/SwarselSystems.org
index 29cd94b..134dddd 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -451,11 +451,6 @@ When setting this option normally, the password would normally be written world-
 url = "github:cachix/git-hooks.nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- nix-secrets = {
- url = "git+ssh://git@github.com/Swarsel/nix-secrets.git?ref=main&shallow=1";
- flake = false;
- inputs = { };
- };
 vbc-nix = {
 url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main";
 inputs.nixpkgs.follows = "nixpkgs";
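Review bot: The new `path_regex: secrets/bakery/secrets.yaml` rule is unanchored and its dots are unescaped, unlike the winters rule right below it (`secrets/winters/[^/]+\.(yaml|json|env|ini)$`), so it also matches any longer path that merely contains that substring; `path_regex: ^secrets/bakery/secrets\.yaml$` keeps the rule set consistent and makes first-match selection predictable (the new `hosts/nixos/bakery/secrets/pii.nix.enc` rule mirrors the existing moonside rule, so it is at least consistent). Adding `*bakery` to the three shared creation_rules only affects files encrypted from now on; the files already covered by those rules need a `sops updatekeys` pass before the bakery host can decrypt them. The diffstat shows secrets/certs, secrets/general and the per-host secrets.yaml files as modified, which suggests that was done, but it is worth confirming in the commit message.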
@@ -792,90 +787,92 @@ The structure of =globals.nix.enc= requires a toplevel =globals=. # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); mkNixosHost = { minimal }: configName: - lib.nixosSystem { - specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; - modules = [ - inputs.disko.nixosModules.disko - inputs.sops-nix.nixosModules.sops - inputs.impermanence.nixosModules.impermanence - inputs.lanzaboote.nixosModules.lanzaboote - inputs.nix-topology.nixosModules.default - inputs.home-manager.nixosModules.home-manager - "${self}/hosts/nixos/${configName}" - "${self}/profiles/nixos" - "${self}/modules/nixos" - { - node = { - name = configName; - secretsDir = ../hosts/nixos/${configName}/secrets; - }; - } - ]; - }; + lib.nixosSystem { + specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; + modules = [ + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops + inputs.impermanence.nixosModules.impermanence + inputs.lanzaboote.nixosModules.lanzaboote + inputs.nix-topology.nixosModules.default + inputs.home-manager.nixosModules.home-manager + inputs.stylix.nixosModules.stylix + inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm + "${self}/hosts/nixos/${configName}" + "${self}/profiles/nixos" + "${self}/modules/nixos" + { + node = { + name = configName; + secretsDir = ../hosts/nixos/${configName}/secrets; + }; + } + ]; + }; mkDarwinHost = { minimal }: configName: - inputs.nix-darwin.lib.darwinSystem { - specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; - modules = [ - # inputs.disko.nixosModules.disko - # inputs.sops-nix.nixosModules.sops - # inputs.impermanence.nixosModules.impermanence - # inputs.lanzaboote.nixosModules.lanzaboote - # inputs.fw-fanctrl.nixosModules.default - # 
inputs.nix-topology.nixosModules.default - inputs.home-manager.darwinModules.home-manager - "${self}/hosts/darwin/${configName}" - "${self}/modules/nixos/darwin" - # needed for infrastructure - "${self}/modules/nixos/common/meta.nix" - "${self}/modules/nixos/common/globals.nix" - { - node.name = configName; - node.secretsDir = ../hosts/darwin/${configName}/secrets; - } - ]; - }; + inputs.nix-darwin.lib.darwinSystem { + specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; + modules = [ + # inputs.disko.nixosModules.disko + # inputs.sops-nix.nixosModules.sops + # inputs.impermanence.nixosModules.impermanence + # inputs.lanzaboote.nixosModules.lanzaboote + # inputs.fw-fanctrl.nixosModules.default + # inputs.nix-topology.nixosModules.default + inputs.home-manager.darwinModules.home-manager + "${self}/hosts/darwin/${configName}" + "${self}/modules/nixos/darwin" + # needed for infrastructure + "${self}/modules/nixos/common/meta.nix" + "${self}/modules/nixos/common/globals.nix" + { + node.name = configName; + node.secretsDir = ../hosts/darwin/${configName}/secrets; + } + ]; + }; mkHalfHost = configName: type: pkgs: { ${configName} = let systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; in - systemFunc - { - inherit pkgs; - extraSpecialArgs = { inherit inputs outputs lib self configName; }; - modules = [ "${self}/hosts/${type}/${configName}" ]; - }; + systemFunc + { + inherit pkgs; + extraSpecialArgs = { inherit inputs outputs lib self configName; }; + modules = [ "${self}/hosts/${type}/${configName}" ]; + }; }; mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (name: mkHalfHost name type pkgs) hosts); nixosHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/nixos")); darwinHosts = builtins.attrNames (lib.filterAttrs (_: type: type == 
"directory") (builtins.readDir "${self}/hosts/darwin")); in - { - nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { - minimal = false; - }); - nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { - minimal = true; - }); - darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = false; - }); - darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = true; - }); + { + nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { + minimal = false; + }); + nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { + minimal = true; + }); + darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { + minimal = false; + }); + darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { + minimal = true; + }); - # TODO: Build these for all architectures - homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux; - nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux; + # TODO: Build these for all architectures + homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux; + nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux; - diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; + diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; - nodes = config.nixosConfigurations // config.darwinConfigurations; + nodes = config.nixosConfigurations // config.darwinConfigurations; - }; + }; } #+end_src 
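Review bot: Nearly all of this hunk is a re-indentation of mkNixosHost, mkDarwinHost and mkHalfHost, and the only functional change — `inputs.stylix.nixosModules.stylix` and `inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm` added to every nixosSystem's module list — is easy to overlook in it. Those two modules were previously imported from modules/nixos/client/default.nix, which this document says servers should not import, so server hosts now evaluate them too; if that is intended, a one-line comment next to the two entries such as `# imported for every host; both stay inert unless their options are enabled` would record the decision. Separating whitespace-only reindents from functional edits would also keep the org file's history reviewable.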
@@ -1442,6 +1439,9 @@ Lastly, I add some of my own library functions to be used alongside the function } #+end_src ** Installer iso +:PROPERTIES: +:CUSTOM_ID: h:1d1ccae5-62ca-4d37-a28e-c59987850ed2 +:END: #+begin_src nix-ts :tangle nix/iso.nix { self, inputs, ... }: @@ -1467,6 +1467,9 @@ Lastly, I add some of my own library functions to be used alongside the function } #+end_src ** Installer flake +:PROPERTIES: +:CUSTOM_ID: h:1d4514b4-e952-4faf-b30e-d89e73a526c6 +:END: #+begin_src nix-ts :tangle install/flake.nix { 
@@ -1964,6 +1967,249 @@ My work machine. Built for more security, this is the gold standard of my config }; } +#+end_src +**** Bakery (Lenovo ThinkPad) +:PROPERTIES: +:CUSTOM_ID: h:a320569e-7bf0-4552-9039-b2a8e0939a12 +:END: + +My personal laptop. + +***** Main Configuration +:PROPERTIES: +:CUSTOM_ID: h:6f80d614-d76a-433b-8956-78d7b323b68c +:END: +#+begin_src nix-ts :tangle hosts/nixos/bakery/default.nix + { self, config, inputs, lib, minimal, ... }: + let + primaryUser = config.swarselsystems.mainUser; + sharedOptions = { + isLaptop = true; + isNixos = true; + isBtrfs = true; + isLinux = true; + sharescreen = "eDP-1"; + profiles = { + reduced = lib.mkIf (!minimal) true; + minimal = lib.mkIf minimal true; + }; + }; + in + { + + imports = [ + inputs.nixos-hardware.nixosModules.common-cpu-intel + + ./disk-config.nix + ./hardware-configuration.nix + + ]; + + + swarselsystems = lib.recursiveUpdate + { + info = "Lenovo ThinkPad"; + firewall = lib.mkForce true; + wallpaper = self + /files/wallpaper/lenovowp.png; + hasBluetooth = true; + hasFingerprint = true; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isSwap = true; + rootDisk = "/dev/nvme0n1"; + swapSize = "4G"; + hostName = config.node.name; + profiles = { + btrfs = true; + }; + } + sharedOptions; + + home-manager.users."${primaryUser}" = { + # home.stateVersion = lib.mkForce "23.05"; + swarselsystems = lib.recursiveUpdate + { + lowResolution = "1280x800"; + highResolution = "1920x1080"; + monitors = { + main = { + name = "LG Display 0x04EF Unknown"; + mode = "1920x1080"; # TEMPLATE + scale = "1"; + position = "1920,0"; + workspace = "15:L"; + output = "eDP-1"; + }; + }; + } + sharedOptions; + }; + } + + + +#+end_src + +***** hardware-configuration +:PROPERTIES: +:CUSTOM_ID: h:bbba1646-fb5f-4d04-baf0-f606037a8b39 +:END: + +#+begin_src nix-ts :tangle hosts/nixos/bakery/hardware-configuration.nix + # Do not modify this file! 
It was generated by ‘nixos-generate-config’ + # and may be overwritten by future invocations. Please make changes + # to /etc/nixos/configuration.nix instead. + { config, lib, modulesPath, ... }: + + { + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + } +#+end_src +***** disko +:PROPERTIES: +:CUSTOM_ID: h:72444f85-7951-47c0-858f-b51d8299de8c +:END: + +#+begin_src nix-ts :tangle hosts/nixos/bakery/disk-config.nix + { lib, pkgs, config, rootDisk, ... }: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = 
"EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + + environment.systemPackages = [ + pkgs.yubikey-manager + ]; + } + #+end_src **** Winters (Server) :PROPERTIES: @@ -1983,6 +2229,7 @@ This is my main server that I run at home. It handles most tasks that require bi sharedOptions = { isBtrfs = false; isLinux = true; + isNixos = true; profiles = { server.local = true; }; 
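Review bot: In the new hosts/nixos/bakery/disk-config.nix the LUKS `passwordFile = "/tmp/disko-password"` points into a shared, world-writable directory and the trailing comment only says it "is populated by bootstrap.sh"; the comment should also state the file mode it is created with and that it is removed once disko has run, since anything left there is readable by every local user of the install environment. Both `postCreateHook` bodies use `$MNTPOINT` unquoted in `btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank` and inside the `trap` string; `btrfs subvolume snapshot -r "$MNTPOINT/root" "$MNTPOINT/root-blank"` and `trap 'umount "$MNTPOINT"; rm -rf "$MNTPOINT"' EXIT` are the robust forms, and the same unquoted hook is copied into the milkywell disk-config hunk further down. `isSecureBoot = false;` next to `isCrypted = true;` leaves the kernel and initrd on the unencrypted ESP unverified even though the lanzaboote module in this commit is ready for it; if that is a deliberate interim state for this laptop, a short comment saying so would save the next reader the question.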
@@ -2198,168 +2445,49 @@ This machine mainly acts as an external sync helper. It manages the following th :END: #+begin_src nix-ts :tangle hosts/nixos/milkywell/default.nix - { lib, config, globals, ... }: + { lib, config, minimal, ... }: let primaryUser = config.swarselsystems.mainUser; sharedOptions = { - isBtrfs = false; + isBtrfs = true; isLinux = true; + isNixos = true; + }; + profiles = { + minimal = lib.mkIf minimal true; }; - inherit (config.repo.secrets.common) workHostName; - inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; - serviceDomain = config.repo.secrets.common.services.domains.syncthing2; in { imports = [ ./hardware-configuration.nix + ./disk-config.nix ]; - sops = { - defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/milkywell/secrets.yaml"; - }; - boot = { + loader.systemd-boot.enable = true; tmp.cleanOnBoot = true; - loader.grub.device = "nodev"; }; - zramSwap.enable = false; networking = { nftables.enable = lib.mkForce false; hostName = "milkywell"; - enableIPv6 = false; + enableIPv6 = true; domain = "subnet03112148.vcn03112148.oraclevcn.com"; - firewall = { - allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ]; - allowedUDPPorts = [ 21027 22000 ]; - extraCommands = '' - iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT - iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT - iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT - ''; - }; }; hardware = { enableAllFirmware = lib.mkForce false; }; - system.stateVersion = "23.11"; - - 
globals.services."syncthing-${config.networking.hostName}".domain = serviceDomain; - - services = { - nginx = { - virtualHosts = { - ${serviceDomain} = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://localhost:8384"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - }; - }; - - syncthing = { - enable = true; - guiAddress = "0.0.0.0:8384"; - openDefaultPorts = true; - relay.enable = false; - settings = { - urAccepted = -1; - devices = { - "magicant" = { - id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO"; - }; - "winters" = { - id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; - }; - "${workHostName}" = { - id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; - }; - "${dev1}" = { - id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7"; - }; - "${dev2}" = { - id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH"; - }; - "${dev3}" = { - id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR"; - }; - }; - folders = { - "Default Folder" = lib.mkForce { - path = "/var/lib/syncthing/Sync"; - type = "receiveonly"; - versioning = null; - devices = [ "winters" "magicant" "${workHostName}" ]; - id = "default"; - }; - "Obsidian" = { - path = "/var/lib/syncthing/Obsidian"; - type = "receiveonly"; - versioning = { - type = "simple"; - params.keep = "5"; - }; - devices = [ "winters" "magicant" "${workHostName}" ]; - id = "yjvni-9eaa7"; - }; - "Org" = { - path = "/var/lib/syncthing/Org"; - type = "receiveonly"; - versioning = { - type = "simple"; - params.keep = "5"; - }; - devices = [ "winters" "magicant" "${workHostName}" ]; - id = "a7xnl-zjj3d"; - }; - "Vpn" = { - path = "/var/lib/syncthing/Vpn"; - type = "receiveonly"; - versioning = { - type = "simple"; - params.keep = "5"; - }; - devices = [ "winters" "magicant" "${workHostName}" ]; - id = "hgp9s-fyq3p"; - }; - "${loc1}" = { - path = 
"/var/lib/syncthing/${loc1}"; - type = "receiveonly"; - versioning = { - type = "simple"; - params.keep = "3"; - }; - devices = [ dev1 dev2 dev3 ]; - id = "5gsxv-rzzst"; - }; - }; - }; - }; - }; - swarselsystems = lib.recursiveUpdate { info = "VM.Standard.E2.1.Micro"; - flakePath = "/root/.dotfiles"; - isImpermanence = false; + isImpermanence = true; isSecureBoot = false; - isCrypted = false; + isCrypted = true; + isSwap = true; + rootDisk = "/dev/sda"; + swapSize = "4G"; profiles = { server.syncserver = true; }; @@ -2367,7 +2495,6 @@ This machine mainly acts as an external sync helper. It manages the following th sharedOptions; home-manager.users."${primaryUser}" = { - home.stateVersion = lib.mkForce "23.05"; swarselsystems = lib.recursiveUpdate { } sharedOptions; @@ -2394,22 +2521,6 @@ This machine mainly acts as an external sync helper. It manages the following th extraModulePackages = [ ]; }; - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a"; - fsType = "xfs"; - }; - - "/boot" = { - device = "/dev/disk/by-uuid/2B75-2AD5"; - fsType = "vfat"; - }; - }; - - swapDevices = [ - { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; } - ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction 
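Review bot: In the milkywell hunk the added `};` closes `sharedOptions` right after `isNixos = true;`, so `profiles = { minimal = lib.mkIf minimal true; };` becomes a separate let binding that nothing in the hunk reads — unlike the bakery host, where `profiles` sits inside `sharedOptions` and is merged into `swarselsystems` via `lib.recursiveUpdate`; as written the minimal profile is never applied here, and moving the `};` below the `profiles` block restores the intended shape. `system.stateVersion = "23.11";` is removed with no replacement visible in this hunk; unless one of the new profiles sets it, NixOS will warn and use the current release's stateVersion-dependent defaults for stateful services on a host that already has data. `isCrypted = true;` is also set while the new hosts/nixos/milkywell/disk-config.nix added further down defines only a plain btrfs `root` partition with no LUKS layer (bakery's file branches on `isCrypted`; this one does not), so whatever consumes `isCrypted` will presumably look for a `cryptroot` device that does not exist.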
@@ -2420,6 +2531,113 @@ This machine mainly acts as an external sync helper. It manages the following th nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } +#+end_src +***** disko +:PROPERTIES: +:CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d +:END: + +#+begin_src nix-ts :tangle hosts/nixos/milkywell/disk-config.nix + # NOTE: ... is needed because dikso passes diskoFile + { lib + , config + , rootDisk + , ... + }: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + 
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } + + #+end_src **** Moonside (OCI) :PROPERTIES: @@ -2436,10 +2654,12 @@ This machine mainly acts as an external sync helper. It manages the following th primaryUser = config.swarselsystems.mainUser; inherit (config.repo.secrets.common) workHostName; inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; + inherit (config.swarselsystems) sopsFile; serviceDomain = config.repo.secrets.common.services.domains.syncthing3; sharedOptions = { isBtrfs = true; + isNixos = true; isLinux = true; }; in @@ -2451,9 +2671,9 @@ This machine mainly acts as an external sync helper. It manages the following th sops = { age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; + # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; secrets = { - wireguard-private-key = { }; + wireguard-private-key = { inherit sopsFile; }; }; }; @@ -2643,7 +2863,6 @@ This machine mainly acts as an external sync helper. It manages the following th swarselsystems = lib.recursiveUpdate { info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM"; - flakePath = "/home/swarsel/.dotfiles"; isImpermanence = true; isSecureBoot = false; isCrypted = false; @@ -3121,6 +3340,7 @@ This is a live environment ISO that I use to bootstrap new systems. It only load curl git gnupg + networkmanager rsync ssh-to-age sops 
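Review bot: The header comment of the new hosts/nixos/milkywell/disk-config.nix, `# NOTE: ... is needed because dikso passes diskoFile`, misspells disko; `# NOTE: the trailing ... is needed because disko passes diskoFile` says the same thing correctly. Apart from the missing LUKS branch this file is a line-for-line copy of the bakery disk-config added above, and both read only `config.swarselsystems.*`, so one shared file under files/templates — the flake already exposes `diskoConfigurations.default` from `files/templates/hosts/nixos/disk-config.nix` — imported by both hosts would stop the two copies drifting apart. Both copies also declare `rootDisk` in their argument set but never use it, reading `config.swarselsystems.rootDisk` instead; dropping the parameter (the `...` already absorbs it) removes the misleading hint that disko passes it.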
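Review bot: The moonside `defaultSopsFile = lib.mkForce ...` line is commented out rather than deleted, and the home-manager hunk further down does the same with the pii.nix/meta.nix imports and the `node.secretsDir` block; in a commit titled "chore: cleanup" these read as unfinished rather than intentional. Git history keeps the old lines, so deleting them — or, if they are kept on purpose, a `# TODO: <reason>` above each — makes the intended end state clear to the next reader.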
@@ -3845,7 +4065,9 @@ A breakdown of the flags being set: config = lib.mkIf config.swarselsystems.modules.general (lib.recursiveUpdate { - sops.secrets.github-api-token = lib.mkIf (!minimal) { }; + sops.secrets.github-api-token = lib.mkIf (!minimal) { + sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; + }; nix = { package = pkgs.nixVersions.nix_2_28; @@ -3904,23 +4126,24 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the useGlobalPkgs = true; useUserPackages = true; verbose = true; - sharedModules = [ + users.swarsel.imports = [ inputs.nix-index-database.hmModules.nix-index inputs.sops-nix.homeManagerModules.sops + # inputs.stylix.homeModules.stylix { imports = [ "${self}/profiles/home" "${self}/modules/home" - "${self}/modules/nixos/common/pii.nix" - "${self}/modules/nixos/common/meta.nix" + # "${self}/modules/nixos/common/pii.nix" + # "${self}/modules/nixos/common/meta.nix" ]; - node = { - secretsDir = if config.swarselsystems.isNixos then ../../../hosts/nixos/${configName}/secrets else ../../../hosts/home/${configName}/secrets; - }; + # node = { + # secretsDir = if (!config.swarselsystems.isNixos) then ../../../hosts/home/${configName}/secrets else ../../../hosts/nixos/${configName}/secrets; + # }; home.stateVersion = lib.mkDefault config.system.stateVersion; } ]; - extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal; }; + extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal configName; }; }; }; } 
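Review bot: `sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"` is a plain string path, so as far as I can tell sops-nix decrypts the general secrets from the live checkout at `flakePath` on the target at activation time, whereas the other modules in this commit use `config.swarselsystems.sopsFile` and network.nix uses the store path `self + /secrets/...`. The github-api-token therefore depends on the checkout being present at that path and revision on every host that enables `modules.general`, and this same commit removes the per-host `flakePath` overrides for milkywell and moonside. If the general secrets file can be a store path like the others, `sopsFile = self + /secrets/general/secrets.yaml;` (with `self` added to the module's argument set) removes the runtime dependency; if the string form is deliberate, a comment on the line saying why would help.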
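Review bot: `users.swarsel.imports = [` hard-codes the user name, while the host files and the stylix module address the primary user through `config.swarselsystems.mainUser` (e.g. `home-manager.users."${primaryUser}"`); `users.${config.swarselsystems.mainUser}.imports = [` keeps this module usable on a host with a different main user. Moving from `sharedModules` to a per-user `imports` list also means any additional home-manager user on a host no longer receives these modules; if that is intended, a one-line comment above the assignment would record it.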
@@ -4109,10 +4332,15 @@ This is also exposed to home-manager configurations, in case this ever breaks, I This dynamically uses systemd boot or Lanzaboote depending on the minimal system state and `config.swarselsystems.isSecureBoot`. #+begin_src nix-ts :tangle modules/nixos/common/lanzaboote.nix - { lib, config, minimal, ... }: + { lib, pkgs, config, minimal, ... }: { options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config"; config = lib.mkIf config.swarselsystems.modules.lanzaboote { + + environment.systemPackages = lib.mkIf config.swarselsystems.isSecureBoot [ + pkgs.sbctl + ]; + boot = { loader = { efi.canTouchEfiVariables = true; @@ -4246,15 +4474,12 @@ Normally, doing that also resets the lecture that happens on the first use of =s This section is for setting things that should be used on hosts that are using the default NixOS configuration. This means that servers should NOT import this, as much of these imported modules are user-configured. #+begin_src nix-ts :tangle modules/nixos/client/default.nix - { lib, inputs, ... }: + { lib, ... }: let importNames = lib.swarselsystems.readNix "modules/nixos/client"; in { - imports = lib.swarselsystems.mkImports importNames "modules/nixos/client" ++ [ - inputs.stylix.nixosModules.stylix - inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm - ]; + imports = lib.swarselsystems.mkImports importNames "modules/nixos/client"; } #+end_src @@ -4344,6 +4569,7 @@ Mostly used to install some compilers and lsp's that I want to have available wh elk-to-svg ] ++ lib.optionals minimal [ + networkmanager curl git gnupg 
@@ -4566,11 +4792,10 @@ Here I only enable =networkmanager= and a few default networks. The rest of the { self, lib, pkgs, config, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; - clientSopsFile = self + /secrets/${config.networking.hostName}/secrets.yaml; + clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml; inherit (config.swarselsystems) mainUser; inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon; - inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips; iwd = config.networking.networkmanager.wifi.backend == "iwd"; in @@ -4656,7 +4881,10 @@ Here I only enable =networkmanager= and a few default networks. The rest of the environmentFiles = [ "${config.sops.templates."network-manager.env".path}" ]; - profiles = { + profiles = let + inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips; + in + { ${wlan1} = { connection = { id = wlan1; 
@@ -4921,16 +5149,20 @@ By default, [[https://github.com/danth/stylix][stylix]] wants to style GRUB as w =theme= is defined in [[#h:5bc1b0c9-dc59-4c81-b5b5-e60699deda78][Theme (stylix)]]. #+begin_src nix-ts :noweb yes :tangle modules/nixos/client/stylix.nix - { lib, config, ... }: + { self, lib, config, ... }: { options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config"; - config = lib.mkIf config.swarselsystems.modules.stylix { - stylix = lib.recursiveUpdate - { - targets.grub.enable = false; # the styling makes grub more ugly - image = config.swarselsystems.wallpaper; - } - config.swarselsystems.stylix; + config = { + stylix = { + enable = true; + base16Scheme = "${self}/files/stylix/swarsel.yaml"; + } // lib.optionalAttrs config.swarselsystems.modules.stylix + (lib.recursiveUpdate + { + targets.grub.enable = false; # the styling makes grub more ugly + image = config.swarselsystems.wallpaper; + } + config.swarselsystems.stylix); home-manager.users."${config.swarselsystems.mainUser}" = { stylix = { targets = config.swarselsystems.stylixHomeTargets; @@ -5214,8 +5446,8 @@ Most of the time I am using =power-saver=, however, it is good to be able to cho { options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; config = lib.mkIf config.swarselsystems.modules.swayosd { - environment.systemPackages = [ pkgs.swayosd ]; - services.udev.packages = [ pkgs.swayosd ]; + environment.systemPackages = [ pkgs.dev.swayosd ]; + services.udev.packages = [ pkgs.dev.swayosd ]; systemd.services.swayosd-libinput-backend = { description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc."; documentation = [ "https://github.com/ErikReider/SwayOSD" ]; 
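Review bot: Replacing `config = lib.mkIf config.swarselsystems.modules.stylix { ... }` with an unconditional `config = {` means `stylix.enable = true`, the `base16Scheme`, and the `home-manager.users."${config.swarselsystems.mainUser}".stylix` block that follows are now applied even when `swarselsystems.modules.stylix` is false; only the grub and wallpaper attributes remain behind `lib.optionalAttrs`. If enabling stylix on every host that imports this module is intended, the `mkEnableOption "stylix config"` now gates much less than its description suggests and its description (or a comment on the option) should say so; otherwise the home-manager part should be wrapped in `lib.mkIf config.swarselsystems.modules.stylix` as well. The config attrset continues past the end of this hunk, so I cannot see whether anything below it re-introduces the condition.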
@@ -5226,7 +5458,7 @@ Most of the time I am using =power-saver=, however, it is good to be able to cho serviceConfig = { Type = "dbus"; BusName = "org.erikreider.swayosd"; - ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend"; + ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend"; Restart = "on-failure"; }; }; @@ -5485,6 +5717,11 @@ This snipped is added to the activation script that is run after every rebuild a { options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config"; config = lib.mkIf config.swarselsystems.modules.nvd { + + environment.systemPackages = [ + pkgs.nvd + ]; + system.activationScripts.diff = { supportsDryActivation = true; text = '' @@ -5829,6 +6066,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in vim sops swarsel-deploy + tmux ]; }; } @@ -5906,6 +6144,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in let inherit (config.repo.secrets.common) dnsProvider; inherit (config.repo.secrets.common.mail) address3; + in { options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server"; @@ -5915,10 +6154,9 @@ Here we just define some aliases for rebuilding the system, and we allow some in ]; sops = { - # secrets.dnstokenfull = { owner = "acme"; }; - secrets.dnstokenfull = { }; + secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} ''; }; @@ -5995,6 +6233,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t #+begin_src nix-ts :tangle modules/nixos/server/kavita.nix { self, lib, config, pkgs, ... }: let + inherit (config.swarselsystems) sopsFile; + servicePort = 8080; serviceName = "kavita"; serviceUser = "kavita"; 
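Review bot: `secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; };` inlines the inherit, whereas every other server module touched by this commit hoists `inherit (config.swarselsystems) sopsFile;` into its `let` (the preceding nginx hunk only adds a blank line there). Moving it next to `dnsProvider` keeps the modules uniform: `inherit (config.swarselsystems) sopsFile;` in the `let`, then `secrets.acme-dns-token = { inherit sopsFile; };`. The `certs.secret` template that receives the Cloudflare token keeps sops-nix's defaults (presumably root-owned, 0400); since the removed comment shows `owner = "acme"` was once considered, a one-line comment stating which service account reads the rendered file would record why no owner is needed.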
@@ -6011,7 +6251,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t extraGroups = [ "users" ]; }; - sops.secrets.kavita = { owner = serviceUser; }; + sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; }; networking.firewall.allowedTCPPorts = [ servicePort ]; @@ -6026,7 +6266,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t enable = true; user = serviceUser; settings.Port = servicePort; - tokenKeyFile = config.sops.secrets.kavita.path; + tokenKeyFile = config.sops.secrets.kavita-token.path; dataDir = "/Vault/data/${serviceName}"; }; @@ -6329,6 +6569,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t #+begin_src nix-ts :tangle modules/nixos/server/mpd.nix { self, lib, config, pkgs, ... }: let + inherit (config.swarselsystems) sopsFile; + servicePort = 3254; serviceUser = "mpd"; serviceGroup = serviceUser; @@ -6352,7 +6594,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t }; sops = { - secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; environment.systemPackages = with pkgs; [ @@ -6378,7 +6620,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t }; credentials = [ { - passwordFile = config.sops.secrets.mpdpass.path; + passwordFile = config.sops.secrets.mpd-pw.path; permissions = [ "read" "add" @@ -6454,6 +6696,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t #+begin_src nix-ts :tangle modules/nixos/server/matrix.nix { lib, config, pkgs, ... }: let + inherit (config.swarselsystems) sopsFile; + servicePort = 8008; serviceName = "matrix"; serviceDomain = config.repo.secrets.common.services.domains.matrix; 
@@ -6483,29 +6727,29 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t sops = { secrets = { - matrixsharedsecret = { owner = serviceUser; }; - mautrixtelegram_as = { owner = serviceUser; }; - mautrixtelegram_hs = { owner = serviceUser; }; - mautrixtelegram_api_id = { owner = serviceUser; }; - mautrixtelegram_api_hash = { owner = serviceUser; }; + matrix-shared-secret = { inherit sopsFile; owner = serviceUser; }; + mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; }; + mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; }; + mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; }; + mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; }; }; templates = { "matrix_user_register.sh".content = '' - register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort} + register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort} ''; matrixshared = { owner = serviceUser; content = '' - registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} + registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret} ''; }; mautrixtelegram = { owner = serviceUser; content = '' - MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} - MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} - MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} - MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} + MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token} + MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token} + MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id} + 
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash} ''; }; }; @@ -6808,6 +7052,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t { pkgs, lib, config, ... }: let inherit (config.repo.secrets.local.nextcloud) adminuser; + inherit (config.swarselsystems) sopsFile; servicePort = 80; serviceUser = "nextcloud"; @@ -6820,16 +7065,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t config = lib.mkIf config.swarselsystems.modules.server.${serviceName} { sops.secrets = { - nextcloudadminpass = { - owner = serviceUser; - group = serviceGroup; - mode = "0440"; - }; - kanidm-nextcloud-client = { - owner = serviceUser; - group = serviceGroup; - mode = "0440"; - }; + nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; @@ -6855,7 +7092,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t extraAppsEnable = true; config = { inherit adminuser; - adminpassFile = config.sops.secrets.nextcloudadminpass.path; + adminpassFile = config.sops.secrets.nextcloud-admin-pw.path; dbtype = "sqlite"; }; }; @@ -6974,6 +7211,8 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= #+begin_src nix-ts :tangle modules/nixos/server/paperless.nix { lib, pkgs, config, globals, ... }: let + inherit (config.swarselsystems) sopsFile; + servicePort = 28981; serviceUser = "paperless"; serviceGroup = serviceUser; 
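Review bot: The `matrix_user_register.sh` template still passes the registration shared secret as a command-line argument, `register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} …`, so each run exposes it in the process list; the rename does not change that. The `matrixshared` template already renders `registration_shared_secret: …` in config-file form, so the script can read it from there instead: `register_new_matrix_user -c ${config.sops.templates.matrixshared.path} http://localhost:${builtins.toString servicePort}`. `matrixshared` is owned by `serviceUser`, so whoever runs the script needs to be able to read that file; the owner/mode of `matrix_user_register.sh` itself is not visible in the hunk.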
@@ -6993,12 +7232,8 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= }; sops.secrets = { - paperless_admin = { owner = serviceUser; }; - kanidm-paperless-client = { - owner = serviceUser; - group = serviceGroup; - mode = "0440"; - }; + paperless-admin-pw = { inherit sopsFile; owner = serviceUser; }; + kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; networking.firewall.allowedTCPPorts = [ servicePort ]; @@ -7012,7 +7247,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= dataDir = "/Vault/data/${serviceName}"; user = serviceUser; port = servicePort; - passwordFile = config.sops.secrets.paperless_admin.path; + passwordFile = config.sops.secrets.paperless-admin-pw.path; address = "0.0.0.0"; settings = { PAPERLESS_OCR_LANGUAGE = "deu+eng"; @@ -7444,17 +7679,17 @@ This manages backups for my pictures and obsidian files. #+begin_src nix-ts :tangle modules/nixos/server/restic.nix { lib, pkgs, config, ... }: let - inherit (config.repo.secrets.local) resticRepo; - in + inherit (config.swarselsystems) sopsFile; + in { options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server"; config = lib.mkIf config.swarselsystems.modules.server.restic { sops = { secrets = { - resticpw = { }; - resticaccesskey = { }; - resticsecretaccesskey = { }; + resticpw = { inherit sopsFile; }; + resticaccesskey = { inherit sopsFile; }; + resticsecretaccesskey = { inherit sopsFile; }; }; templates = { "restic-env".content = '' 
@@ -7464,35 +7699,39 @@ This manages backups for my pictures and obsidian files. }; }; - services.restic = { - backups = { - SwarselWinters = { - environmentFile = config.sops.templates."restic-env".path; - passwordFile = config.sops.secrets.resticpw.path; - paths = [ - "/Vault/data/paperless" - "/Vault/Eternor/Paperless" - "/Vault/Eternor/Bilder" - "/Vault/Eternor/Immich" - ]; - pruneOpts = [ - "--keep-daily 3" - "--keep-weekly 2" - "--keep-monthly 3" - "--keep-yearly 100" - ]; - backupPrepareCommand = '' - ${pkgs.restic}/bin/restic prune - ''; - repository = "${resticRepo}"; - initialize = true; - timerConfig = { - OnCalendar = "03:00"; + services.restic = + let + inherit (config.repo.secrets.local) resticRepo; + in + { + backups = { + SwarselWinters = { + environmentFile = config.sops.templates."restic-env".path; + passwordFile = config.sops.secrets.resticpw.path; + paths = [ + "/Vault/data/paperless" + "/Vault/Eternor/Paperless" + "/Vault/Eternor/Bilder" + "/Vault/Eternor/Immich" + ]; + pruneOpts = [ + "--keep-daily 3" + "--keep-weekly 2" + "--keep-monthly 3" + "--keep-yearly 100" + ]; + backupPrepareCommand = '' + ${pkgs.restic}/bin/restic prune + ''; + repository = "${resticRepo}"; + initialize = true; + timerConfig = { + OnCalendar = "03:00"; + }; }; - }; + }; }; - }; }; } @@ -7508,7 +7747,6 @@ This section exposes several metrics that I use to check the health of my server #+begin_src nix-ts :tangle modules/nixos/server/monitoring.nix { self, lib, config, globals, ... }: let - servicePort = 3000; serviceUser = "grafana"; serviceGroup = serviceUser; 
@@ -7518,11 +7756,12 @@ This section exposes several metrics that I use to check the health of my server prometheusPort = 9090; prometheusUser = "prometheus"; prometheusGroup = prometheusUser; - nextcloudUser = config.repo.secrets.local.nextcloud.adminuser; grafanaUpstream = "grafana"; prometheusUpstream = "prometheus"; prometheusWebRoot = "prometheus"; kanidmDomain = globals.services.kanidm.domain; + + inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7530,9 +7769,9 @@ This section exposes several metrics that I use to check the health of my server sops = { secrets = { - grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; }; @@ -7592,7 +7831,7 @@ This section exposes several metrics that I use to check the health of my server incrementalQueryOverlapWindow = "10m"; }; secureJsonData = { - basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}"; + basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}"; }; } ]; 
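Review bot: `prometheus-admin-hash` still hard-codes `sopsFile = self + /secrets/winters/secrets2.yaml` while the three secrets above it were switched to `inherit sopsFile`, so this module stays pinned to one host even though the rest of the commit makes the sops file per-host; if the hash really lives in a second file, a comment such as `# lives in secrets2.yaml, not the per-host secrets file` would stop the next cleanup from "fixing" it. Related, `basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}"` here and `admin_password = "$__file{/run/secrets/grafana-admin-pw}"` in the next hunk spell out the sops mount directory by hand; `"$__file{${config.sops.secrets.prometheus-admin-pw.path}}"` follows the declared secret if the symlink directory ever changes.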
@@ -7603,7 +7842,7 @@ This section exposes several metrics that I use to check the health of my server analytics.reporting_enabled = false; users.allow_sign_up = false; security = { - admin_password = "$__file{/run/secrets/grafanaadminpass}"; + admin_password = "$__file{/run/secrets/grafana-admin-pw}"; cookie_secure = true; disable_gravatar = true; }; 
@@ -7638,74 +7877,78 @@ This section exposes several metrics that I use to check the health of my server }; }; - prometheus = { - enable = true; - webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}"; - port = prometheusPort; - listenAddress = "0.0.0.0"; - globalConfig = { - scrape_interval = "10s"; - }; - webConfigFile = config.sops.templates.web-config.path; - scrapeConfigs = [ - { - job_name = "node"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; - }]; - } - { - job_name = "zfs"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; - }]; - } - { - job_name = "nginx"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; - }]; - } - { - job_name = "nextcloud"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; - }]; - } - ]; - exporters = { - node = { - enable = true; - port = 9000; - enabledCollectors = [ "systemd" ]; - extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; + prometheus = + let + nextcloudUser = config.repo.secrets.local.nextcloud.adminuser; + in + { + enable = true; + webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}"; + port = prometheusPort; + listenAddress = "0.0.0.0"; + globalConfig = { + scrape_interval = "10s"; }; - zfs = { - enable = true; - port = 9134; - pools = [ - "Vault" - ]; - }; - restic = { - enable = false; - port = 9753; - }; - nginx = { - enable = true; - port = 9113; - sslVerify = false; - scrapeUri = "http://localhost/nginx_status"; - }; - nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud { - enable = true; - port = 9205; - url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info"; - username = nextcloudUser; - passwordFile = config.sops.secrets.nextcloudadminpass.path; + 
webConfigFile = config.sops.templates.web-config.path; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + { + job_name = "zfs"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; + }]; + } + { + job_name = "nginx"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; + }]; + } + { + job_name = "nextcloud"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; + }]; + } + ]; + exporters = { + node = { + enable = true; + port = 9000; + enabledCollectors = [ "systemd" ]; + extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; + }; + zfs = { + enable = true; + port = 9134; + pools = [ + "Vault" + ]; + }; + restic = { + enable = false; + port = 9753; + }; + nginx = { + enable = true; + port = 9113; + sslVerify = false; + scrapeUri = "http://localhost/nginx_status"; + }; + nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud { + enable = true; + port = 9205; + url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info"; + username = nextcloudUser; + passwordFile = config.sops.secrets.nextcloud-admin-pw.path; + }; }; }; - }; }; @@ -7851,13 +8094,13 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with #+begin_src nix-ts :tangle modules/nixos/server/freshrss.nix { self, lib, config, ... }: let - inherit (config.repo.secrets.local.freshrss) defaultUser; - servicePort = 80; serviceName = "freshrss"; serviceUser = "freshrss"; serviceGroup = serviceName; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + + inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; 
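Review bot: The nextcloud exporter reads `passwordFile = config.sops.secrets.nextcloud-admin-pw.path`, but that secret is declared in the nextcloud module as `owner = serviceUser; group = serviceGroup; mode = "0440"`, and the exporter presumably runs under its own service user rather than as nextcloud; unless that user is added to the nextcloud group, or the secret is declared a second time for the exporter, the file is unreadable at scrape time. This is the same coupling the old `nextcloudadminpass` had, so it is not a regression, but a comment at that line naming the group expectation (`# readable via nextcloud group; exporter user must be a member`) would make the dependency visible. The `listenAddress = "0.0.0.0"` on prometheus is unchanged and is only guarded by `webConfigFile`; worth stating in a comment that the web config is what provides authentication there.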
@@ -7873,9 +8116,9 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with sops = { secrets = { - fresh = { owner = serviceUser; }; - "kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + freshrss-pw = { inherit sopsFile; owner = serviceUser; }; + kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + # freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; # templates = { @@ -7906,15 +8149,19 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with globals.services.${serviceName}.domain = serviceDomain; - services.${serviceName} = { - inherit defaultUser; - enable = true; - virtualHost = serviceDomain; - baseUrl = "https://${serviceDomain}"; - authType = "form"; - dataDir = "/Vault/data/tt-rss"; - passwordFile = config.sops.secrets.fresh.path; - }; + services.${serviceName} = + let + inherit (config.repo.secrets.local.freshrss) defaultUser; + in + { + inherit defaultUser; + enable = true; + virtualHost = serviceDomain; + baseUrl = "https://${serviceDomain}"; + authType = "form"; + dataDir = "/Vault/data/tt-rss"; + passwordFile = config.sops.secrets.freshrss-pw.path; + }; # systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [ # config.sops.templates.freshrss-env.path @@ -7960,7 +8207,9 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with #+begin_src nix-ts :tangle modules/nixos/server/forgejo.nix { lib, config, pkgs, globals, ... }: let - servicePort = 3000; + inherit (config.swarselsystems) sopsFile; + + servicePort = 3004; serviceUser = "forgejo"; serviceGroup = serviceUser; serviceName = "forgejo"; 
@@ -7982,13 +8231,14 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with users.groups.${serviceGroup} = { }; sops.secrets = { - kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; globals.services.${serviceName}.domain = serviceDomain; services.${serviceName} = { enable = true; + stateDir = "/Vault/data/${serviceName}"; user = serviceUser; group = serviceGroup; lfs.enable = lib.mkDefault true; @@ -8085,7 +8335,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with ''; }; - services.nginx = { + nodes.moonside.services.nginx = { upstreams = { ${serviceName} = { servers = { @@ -8122,6 +8372,8 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with #+begin_src nix-ts :tangle modules/nixos/server/ankisync.nix { self, lib, config, globals, ... }: let + inherit (config.swarselsystems) sopsFile; + servicePort = 27701; serviceName = "ankisync"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; @@ -8134,11 +8386,11 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with networking.firewall.allowedTCPPorts = [ servicePort ]; - sops.secrets.swarsel = { owner = "root"; }; + sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; }; - topology.self.services.${serviceName} = { + topology.self.services.anki = { name = lib.mkForce "Anki Sync Server"; - icon = "${self}/files/topology-images/${serviceName}.png"; + icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png"; info = "https://${serviceDomain}"; }; 
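Review bot: `nodes.moonside.services.nginx = { upstreams … }` moves the reverse proxy for forgejo to another host, so the upstream address in `servers = { …` (outside the hunk) must now be reachable from moonside: port 3004 has to be opened on the forgejo host's firewall, and the hop between the two nodes carries plain HTTP unless they already talk over a tunnel. The ankisync hunk on the next line makes the same move. A short comment at the `nodes.moonside` line stating which network the proxy traffic crosses and that the firewall opening is deliberate would document the assumption; the new `stateDir = "/Vault/data/${serviceName}"` also changes where an existing instance keeps its repositories, so a migration note there is warranted.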
@@ -8152,12 +8404,12 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with users = [ { username = ankiUser; - passwordFile = config.sops.secrets.swarsel.path; + passwordFile = config.sops.secrets.anki-pw.path; } ]; }; - services.nginx = { + nodes.moonside.services.nginx = { upstreams = { ${serviceName} = { servers = { @@ -8202,6 +8454,7 @@ To get other URLs (token, etc.), use https:///oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid/ toolkit.legacyUserProfileCustomizations.styleshe Sets environment variables. Here I am only setting the EDITOR variable, most variables are set in the [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] section. #+begin_src nix-ts :tangle modules/home/common/env.nix - { lib, config, globals, ... }: + { lib, config, globals, nixosConfig, ... }: let - inherit (config.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; - inherit (config.repo.secrets.common) fullName; + inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (nixosConfig.repo.secrets.common) fullName; crocDomain = globals.services.croc.domain; in { 
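Review bot: `nixosConfig` is added to the argument set of env.nix and read via `nixosConfig.repo.secrets.common…`; that argument is only supplied when home-manager is evaluated as the NixOS module, so any host that still builds this home configuration standalone would fail with a missing-argument error. The same switch is made in git.nix and mail.nix on the next line and in gammastep.nix and work.nix after that. If standalone evaluation is no longer supported, a comment at the top of one of these modules (`# requires home-manager as NixOS module: reads nixosConfig`) is enough; otherwise a fallback such as `nixosConfig ? config` in the argument set preserves the previous lookup through `config.repo.secrets`.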
@@ -11210,10 +11484,10 @@ Eza provides me with a better =ls= command and some other useful aliases. Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]]. #+begin_src nix-ts :tangle modules/home/common/git.nix - { lib, config, globals, minimal, ... }: + { lib, config, globals, minimal, nixosConfig, ... }: let - inherit (config.repo.secrets.common.mail) address1; - inherit (config.repo.secrets.common) fullName; + inherit (nixosConfig.repo.secrets.common.mail) address1; + inherit (nixosConfig.repo.secrets.common) fullName; gitUser = globals.user.name; in @@ -11751,10 +12025,10 @@ Currently I only use it as before with =initExtra= though. Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here. #+begin_src nix-ts :tangle modules/home/common/mail.nix - { lib, config, ... }: + { lib, config, nixosConfig, ... }: let - inherit (config.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host; - inherit (config.repo.secrets.common) fullName; + inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host; + inherit (nixosConfig.repo.secrets.common) fullName; inherit (config.swarselsystems) xdgDir; in { 
@@ -12598,12 +12872,13 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi :END: #+begin_src nix-ts :tangle modules/home/common/swayosd.nix - { lib, config, ... }: + { lib, pkgs, config, ... }: { options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; config = lib.mkIf config.swarselsystems.modules.swayosd { services.swayosd = { enable = true; + package = pkgs.dev.swayosd; topMargin = 0.5; }; }; @@ -13224,9 +13499,9 @@ Settinfs that are needed for the gpg-agent. Also we are enabling emacs support f This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. #+begin_src nix-ts :tangle modules/home/common/gammastep.nix - { lib, config, ... }: + { lib, config, nixosConfig, ... }: let - inherit (config.repo.secrets.common.location) latitude longitude; + inherit (nixosConfig.repo.secrets.common.location) latitude longitude; in { options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings"; @@ -13387,10 +13662,9 @@ The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]. Here, I am setting up the different firefox profiles that I need for the SSO sites that I need to access at work as well as a few ssh shorthands. #+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes - { self, config, pkgs, lib, ... }: + { self, config, pkgs, lib, nixosConfig, ... }: let inherit (config.swarselsystems) homeDir; - inherit (config.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail; in { options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings"; 
@@ -13428,131 +13702,141 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] }; }; - stylix.targets.firefox.profileNames = [ - "${user1}" - "${user2}" - "${user3}" - "work" - ]; - - programs = { - git.userEmail = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" + stylix = { + targets.firefox.profileNames = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; + in + [ + "${user1}" + "${user2}" + "${user3}" + "work" ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - }; - - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - "${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "${site1}|${site2}"; - }; - } - config.swarselsystems.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - config.swarselsystems.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } - config.swarselsystems.firefox; - 
work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - config.swarselsystems.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; - }; }; + programs = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail; + in + { + git.userEmail = lib.mkForce gitMail; + + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; + }; + cdpath = [ + "~/Documents/Work" + ]; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; + }; + }; + + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in + { + "${user1}" = lib.recursiveUpdate + { + inherit 
isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "${site1}|${site2}"; + }; + } + config.swarselsystems.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + config.swarselsystems.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + config.swarselsystems.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + config.swarselsystems.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + services = { kanshi = { settings = [ 
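Review bot: `inherit (nixosConfig.repo.secrets.local.work) …` is now repeated in three separate `let` blocks (`stylix.targets.firefox.profileNames`, `programs`, and `xdg` in the following hunk) where the old code had a single top-level inherit. A `let` binding is lazy, so the top-level form did not evaluate the secrets while the module was disabled; if the split is meant to avoid an ordering or recursion problem with `nixosConfig`, a one-line comment at the first of the three (`# inherited per attribute: …reason…`) would explain the duplication, otherwise one `let` around the whole `config` body is simpler and keeps the user/host list in one place.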
@@ -13671,49 +13955,53 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] }; }; - xdg = { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + xdg = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; + in + { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + }; }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = "Firefox ${user1}"; - exec = "firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - - - }; - }; swarselsystems = { startup = [ # { 
command = "nextcloud --background"; } @@ -14689,7 +14977,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man green "Please confirm passphrase:" read -rs luks_passphrase_confirm if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then - $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" + $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password" break else red "Passwords do not match" @@ -14766,6 +15054,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man fi green "Updating all secrets files to reflect updates .sops.yaml" sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml + sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts @@ -14838,6 +15127,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man fi #+end_src +#+RESULTS: +| trap: | undefined | signal: | exit | | | | | +| [ | Babel | evaluation | exited | with | code | 1 | ] | + #+begin_src nix-ts :tangle pkgs/swarsel-bootstrap/default.nix { self, name, writeShellApplication, openssh }: 
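Review bot: The passphrase is still interpolated into the remote command string on the new line `$ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password"`, so it is visible in the argument list of both the local ssh process and the remote shell, and a passphrase containing a single quote now breaks the command where the old double-quoted form tolerated it. Passing it over stdin avoids both: `printf '%s\n' "$luks_passphrase" | $ssh_root_cmd "umask 077; cat > /tmp/disko-password"`. Keep the trailing newline that `echo` wrote, since the file content is the key material and an existing installation was enrolled with it.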
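Review bot: The added `#+RESULTS:` block records a failed Babel evaluation (`trap: undefined signal: exit`, `Babel evaluation exited with code 1`) and is an editor artifact rather than documentation; it should be dropped. Adding `:results none` to the bootstrap script's `#+begin_src` header keeps future evaluations from writing it back into the file.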
@@ -15795,7 +16088,74 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a #+end_src +**** Reduced +:PROPERTIES: +:CUSTOM_ID: h:2d0eac3b-6e2e-4006-9032-59f2ba7e98ec +:END: + +#+begin_src nix-ts :tangle profiles/nixos/reduced/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host"; + config = lib.mkIf config.swarselsystems.profiles.reduced { + swarselsystems.modules = { + packages = lib.mkDefault true; + pii = lib.mkDefault true; + general = lib.mkDefault true; + home-manager = lib.mkDefault true; + xserver = lib.mkDefault true; + users = lib.mkDefault true; + env = lib.mkDefault true; + security = lib.mkDefault true; + systemdTimeout = lib.mkDefault true; + hardware = lib.mkDefault true; + pulseaudio = lib.mkDefault true; + pipewire = lib.mkDefault true; + network = lib.mkDefault true; + time = lib.mkDefault true; + sops = lib.mkDefault true; + stylix = lib.mkDefault true; + programs = lib.mkDefault true; + zsh = lib.mkDefault true; + syncthing = lib.mkDefault true; + blueman = lib.mkDefault true; + networkDevices = lib.mkDefault true; + gvfs = lib.mkDefault true; + interceptionTools = lib.mkDefault true; + swayosd = lib.mkDefault true; + ppd = lib.mkDefault true; + yubikey = lib.mkDefault true; + ledger = lib.mkDefault true; + keyboards = lib.mkDefault true; + login = lib.mkDefault true; + nix-ld = lib.mkDefault true; + impermanence = lib.mkDefault true; + nvd = lib.mkDefault true; + gnome-keyring = lib.mkDefault true; + sway = lib.mkDefault true; + xdg-portal = lib.mkDefault true; + distrobox = lib.mkDefault true; + appimage = lib.mkDefault true; + lid = lib.mkDefault true; + lowBattery = lib.mkDefault true; + lanzaboote = lib.mkDefault true; + autologin = lib.mkDefault true; + + server = { + ssh = lib.mkDefault true; + }; + }; + + }; + + } + +#+end_src + **** Minimal +:PROPERTIES: +:CUSTOM_ID: h:b926f0c8-7968-4079-924c-a5d0ae4d3a45 +:END: 
#+begin_src nix-ts :tangle profiles/nixos/minimal/default.nix :mkdirp yes { lib, config, ... }: @@ -16098,6 +16458,8 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a koillection = lib.mkDefault true; radicale = lib.mkDefault true; atuin = lib.mkDefault true; + forgejo = lib.mkDefault true; + ankisync = lib.mkDefault true; }; }; }; @@ -16131,8 +16493,8 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a packages = lib.mkDefault true; nginx = lib.mkDefault true; ssh = lib.mkDefault true; - forgejo = lib.mkDefault true; - ankisync = lib.mkDefault true; + forgejo = lib.mkDefault false; + ankisync = lib.mkDefault false; }; }; }; @@ -16207,7 +16569,6 @@ This holds modules that are to be used on most hosts. These are also the most im config = lib.mkIf config.swarselsystems.profiles.personal { swarselsystems.modules = { packages = lib.mkDefault true; - pii = lib.mkDefault true; ownpackages = lib.mkDefault true; general = lib.mkDefault true; nixgl = lib.mkDefault true; 
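Review bot: `autologin = lib.mkDefault true;` in the new reduced profile means that on a host such as bakery, which enables this profile with `isCrypted = true`, the disk passphrase or FIDO2 token is the only authentication before an unlocked session appears; that is acceptable at rest but deserves a comment on the line stating that an idle/lid lock is expected from the `sway`/`lid` modules (not visible here). `lanzaboote = lib.mkDefault true;` is likewise enabled unconditionally while bakery sets `isSecureBoot = false`; if the lanzaboote module does not gate on that flag, the profile should, e.g. `lanzaboote = lib.mkDefault config.swarselsystems.isSecureBoot;`. A short comment on what "reduced" removes relative to the personal profile would also help, since the list is long and the difference is not obvious from the option description.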
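Review bot: Removing `pii = lib.mkDefault true;` from the personal profile while the new reduced profile (hunk @@ -15795 above) still sets it leaves the two profiles inconsistent; unless the pii module is now enabled by another path for personal hosts, a personal host reading `config.repo.secrets.local` loses that data with no evaluation error. A one-line comment at the removal site saying where pii is enabled now, or keeping the `mkDefault` in line with reduced, would settle it. The enclosing personal profile definition starts and ends outside the hunk.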
@@ -16255,6 +16616,62 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src +**** Reduced +:PROPERTIES: +:CUSTOM_ID: h:0554a271-f8ec-4885-b46f-2a02dfd967bd +:END: + +#+begin_src nix-ts :tangle profiles/home/reduced/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host"; + config = lib.mkIf config.swarselsystems.profiles.reduced { + swarselsystems.modules = { + packages = lib.mkDefault true; + ownpackages = lib.mkDefault true; + general = lib.mkDefault true; + nixgl = lib.mkDefault true; + sops = lib.mkDefault true; + yubikey = lib.mkDefault true; + ssh = lib.mkDefault true; + stylix = lib.mkDefault true; + desktop = lib.mkDefault true; + symlink = lib.mkDefault true; + env = lib.mkDefault true; + programs = lib.mkDefault true; + nix-index = lib.mkDefault true; + passwordstore = lib.mkDefault true; + direnv = lib.mkDefault true; + eza = lib.mkDefault true; + atuin = lib.mkDefault true; + git = lib.mkDefault true; + fuzzel = lib.mkDefault true; + starship = lib.mkDefault true; + kitty = lib.mkDefault true; + zsh = lib.mkDefault true; + zellij = lib.mkDefault true; + tmux = lib.mkDefault true; + mail = lib.mkDefault true; + emacs = lib.mkDefault true; + waybar = lib.mkDefault true; + firefox = lib.mkDefault true; + gnome-keyring = lib.mkDefault true; + kdeconnect = lib.mkDefault true; + mako = lib.mkDefault true; + swayosd = lib.mkDefault true; + yubikeytouch = lib.mkDefault true; + sway = lib.mkDefault true; + kanshi = lib.mkDefault false; + gpgagent = lib.mkDefault true; + gammastep = lib.mkDefault true; + + }; + }; + + } + +#+end_src + **** Minimal :PROPERTIES: :CUSTOM_ID: h:26512487-8c29-4b92-835b-d67394c3f5ef diff --git a/files/scripts/swarsel-bootstrap.sh b/files/scripts/swarsel-bootstrap.sh index 02899e8..46ea715 100644 --- a/files/scripts/swarsel-bootstrap.sh +++ b/files/scripts/swarsel-bootstrap.sh 
@@ -200,7 +200,7 @@ if [ "$disk_encryption" -eq 1 ]; then green "Please confirm passphrase:" read -rs luks_passphrase_confirm if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then - $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" + $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password" break else red "Passwords do not match" @@ -277,6 +277,7 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then fi green "Updating all secrets files to reflect updates .sops.yaml" sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml +sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts diff --git a/flake.lock b/flake.lock index 7d75b88..233156d 100644 --- a/flake.lock +++ b/flake.lock @@ -755,24 +755,6 @@ "type": "github" } }, - "nix-secrets": { - "flake": false, - "locked": { - "lastModified": 1749481004, - "narHash": "sha256-UmA5Dx+tzYXaqPMtKucijTwV7l+U2/+fD0Twb/edcxY=", - "ref": "main", - "rev": "f7e7b03ea03dbfc8471689f0ba7a7221240e93df", - "shallow": true, - "type": "git", - "url": "ssh://git@github.com/Swarsel/nix-secrets.git" - }, - "original": { - "ref": "main", - "shallow": true, - "type": "git", - "url": "ssh://git@github.com/Swarsel/nix-secrets.git" - } - }, "nix-topology": { "inputs": { "devshell": "devshell_2", @@ -883,11 +865,11 @@ }, "nixpkgs-dev": { "locked": { - "lastModified": 1751913235, - "narHash": "sha256-4iJDKcKd57CuisFTQRMTS1EfiBlwbyUzXlCkQQ63g54=", + "lastModified": 1752440522, + "narHash": "sha256-CInQkEG3f8XwIBQxYFhuFCT+T++JPstThfifAMD0yRk=", "owner": "Swarsel", "repo": "nixpkgs", - "rev": "2c18d068b3df6bc0fb461583c327b7b94ff4df08", + "rev": "1f569e3bd49502cb4ec312214662d93619cf2c54", "type": "github" }, "original": { 
@@ -1387,7 +1369,6 @@ "nix-darwin": "nix-darwin", "nix-index-database": "nix-index-database_2", "nix-on-droid": "nix-on-droid", - "nix-secrets": "nix-secrets", "nix-topology": "nix-topology", "nixgl": "nixgl", "nixos-generators": "nixos-generators", diff --git a/flake.nix b/flake.nix index 708e8eb..6f82b3c 100644 --- a/flake.nix +++ b/flake.nix @@ -73,11 +73,6 @@ url = "github:cachix/git-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - nix-secrets = { - url = "git+ssh://git@github.com/Swarsel/nix-secrets.git?ref=main&shallow=1"; - flake = false; - inputs = { }; - }; vbc-nix = { url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/nixos/bakery/default.nix b/hosts/nixos/bakery/default.nix new file mode 100644 index 0000000..1e0b9bf --- /dev/null +++ b/hosts/nixos/bakery/default.nix 
@@ -0,0 +1,66 @@ +{ self, config, inputs, lib, minimal, ... }: +let + primaryUser = config.swarselsystems.mainUser; + sharedOptions = { + isLaptop = true; + isNixos = true; + isBtrfs = true; + isLinux = true; + sharescreen = "eDP-1"; + profiles = { + reduced = lib.mkIf (!minimal) true; + minimal = lib.mkIf minimal true; + }; + }; +in +{ + + imports = [ + inputs.nixos-hardware.nixosModules.common-cpu-intel + + ./disk-config.nix + ./hardware-configuration.nix + + ]; + + + swarselsystems = lib.recursiveUpdate + { + info = "Lenovo ThinkPad"; + firewall = lib.mkForce true; + wallpaper = self + /files/wallpaper/lenovowp.png; + hasBluetooth = true; + hasFingerprint = true; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isSwap = true; + rootDisk = "/dev/nvme0n1"; + swapSize = "4G"; + hostName = config.node.name; + profiles = { + btrfs = true; + }; + } + sharedOptions; + + home-manager.users."${primaryUser}" = { + # home.stateVersion = lib.mkForce "23.05"; + swarselsystems = lib.recursiveUpdate + { + lowResolution = "1280x800"; + highResolution = "1920x1080"; + monitors = { + main = { + name = "LG Display 0x04EF Unknown"; + mode = "1920x1080"; # TEMPLATE + scale = "1"; + position = "1920,0"; + workspace = "15:L"; + output = "eDP-1"; + }; + }; + } + sharedOptions; + }; +} diff --git a/hosts/nixos/bakery/disk-config.nix b/hosts/nixos/bakery/disk-config.nix new file mode 100644 index 0000000..5605eb2 --- /dev/null +++ b/hosts/nixos/bakery/disk-config.nix 
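Review bot: `mode = "1920x1080"; # TEMPLATE` is a leftover placeholder marker in a committed host file; fill in the real mode or drop the tag, and the commented `# home.stateVersion = lib.mkForce "23.05";` should be deleted rather than kept. The host combines `isCrypted = true` with `isSecureBoot = false`, so the bootloader and initrd that unlock the LUKS volume are not verified at boot and tampering with /boot goes undetected; if that is a deliberate interim state, a comment such as `# isSecureBoot = false: boot chain unverified until Secure Boot keys are enrolled` makes the exposure explicit. `isBtrfs = true` in sharedOptions and `profiles.btrfs = true` appear to state the same thing twice; if both are required a comment on why would help the next reader.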
@@ -0,0 +1,122 @@ +{ lib, pkgs, config, rootDisk, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = 
true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + + environment.systemPackages = [ + pkgs.yubikey-manager + ]; +} diff --git a/hosts/nixos/bakery/hardware-configuration.nix b/hosts/nixos/bakery/hardware-configuration.nix new file mode 100644 index 0000000..8322c04 --- /dev/null +++ b/hosts/nixos/bakery/hardware-configuration.nix @@ -0,0 +1,23 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/nixos/bakery/secrets/pii.nix.enc b/hosts/nixos/bakery/secrets/pii.nix.enc new file mode 100644 index 0000000..903f22f --- /dev/null +++ b/hosts/nixos/bakery/secrets/pii.nix.enc 
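Review bot: The `rootDisk` module argument in `{ lib, pkgs, config, rootDisk, ... }:` is never used; the device comes from `config.swarselsystems.rootDisk`, so drop the argument or use it. `passwordFile = "/tmp/disko-password"` is written by the bootstrap script before disko runs (see the `/tmp/disko-password` hunks above), but nothing in this file or the bootstrap hunks removes it afterwards; a post-install line in the bootstrap such as `$ssh_root_cmd "shred -u /tmp/disko-password"` plus a comment here naming who deletes it would close that gap. `allowDiscards = true` passes TRIM through the LUKS layer, a deliberate performance trade-off that makes the free-space pattern of the ciphertext observable; a one-line comment recording that choice is worthwhile. The subvolume table and postCreateHook are duplicated almost verbatim in hosts/nixos/milkywell/disk-config.nix below; a shared function taking the encryption flag would keep the two in sync.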
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:M8uEE2uxhHHh5UdLO+J18EMVWm+9FCR2BHMJ3P0Il4h+0CqWOS27aVWPjI2lIt+jw5svt5kVbTIzwvw1GmEdcXzJrE9yZ0eKkXSm/TYQQZhlmcPcNeJyDf/bLivwExKicRy2JR2KNyAoiW5gISF7nkUv10EnM60mzH2RftPijvdgSTmdoNu/9Q0J3M46k+EVGO370NXT89eSbhFMS4r6M94vKaA=,iv:C4ELLFaF9yFfDH+g/TwQtRm1DuRtIAxcI55I0mpKd70=,tag:jLWAD2pLkqzekJipf/Rc5Q==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtCbDBYaDZTMUhhbTY2\nbk45NWRPZU5nWmh5M0ZDNGF2Q09rNHNzRGhzCjh1d3pLRnRtZjVnaG1oN0daOXRy\nUzVFd3QzVTBib29QbGN4cXNheVRCNWcKLS0tIFlielcwODk4MjFsS29ybXNDMm5y\nN01aaHBFN0VPdTNrMzJNaE9NRG9KRnMKNV4rqYphPTyXF5m+qNq10aIov8quVh2Y\nALelTPRpD/hMYou/s8Ro49GHNNNKeV9J+4Tvq1QEmIIdvjFLy9AS9A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-10T15:25:21Z", + "mac": "ENC[AES256_GCM,data:pMWJo+JuSgs7RE+rc6vB1u/V3kfQzRjknxIMkNNJCcBp2WVoz84BZ23oruaB2Z/ZSO9zpaQMHkuAqGZU7CuvZ1JvECHWov5fRkXDPeaeIVw3dtof1XzH5plRmAUzabrmEzrGSnwJrJ6DRlAhrq2gDyyIY4qmUeySc7zgR7QVf0o=,iv:iCM7ulRAP5FYyR/z7CSDRYMsm2Gjs7qWLChtslGfzO4=,tag:QJ2Lxmwvgd+ILHeYhMvmwg==,type:str]", + "pgp": [ + { + "created_at": "2025-07-10T23:51:27Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmKgk+exHX36+IkSQC03yiRpEKpmkqt+FcGsbDMonTyow\nmvhmwSc7UscNOgOQYDYA66vMCWE2Ij9gxFJNpPG3rXFiC11XN1/pq+Jy3Qvk3DNV\ntnXgwDvSt7Ry7FThXnPiJAkcjwYNeTniyjzKcUmXA+yEJAlswjGjH6uP/Nvkeo2n\np+OvRQc0cXHBSTbnIq4dHaqVlp1JWOQgtZVrIgwN/rv3xvDPE2E2dmCc9hUg83vk\naUT7fDo8v5hWwJJO7Q6OvECKw/D4jWTxnBP1nS3a66shkpcC7lpYQjE6AtAM3AbY\nB84rat/Tff6ZcmtxMvIa62vfwrfSh/00DmRlPkIe1KlbjrV1kafzbySjI7q1vy2l\neZL7/Zi49fy/KudQ+/OOMC/PlhGLYGtEo3sNmLY7pfBNuMmwjYQ0K/1kKQ8XXJDw\nbWQDP+8aeIKKciLy07NW5Fd5gc5S1exSFHDQyhCXjdUcPk3cTfnEvMP/T1bCNCaD\nGxy6IEifdJvYNeWyaxgbKzsLmz8kTd6wPj/v0BIdL+dy3/a/4SVLR9r7Qn3bMgkc\nb1wVY4XDyt6LPnwVY3UOFPSCVckGb8NRnciKOj1TnsaYI6xEQ0ObuuAedVJQj0wF\n5OqYrwnH+riiLFMVzsEspNQNlMTRY86zPIxuNe8qPDdVL5CotAoobzdmr9cc75uF\nAgwDC9FRLmchgYQBD/4ntfP9dGtNzb9BjR6NEmdqJDIS37lHCc6ts/f86VCiy0tk\nhdtVdZ7sYdFvzkGimfmcbsVJ5VOPK6S82L0xUlROCax1bVkjK8VjqppUbTxQMgWh\nek7pPzE66MJzXlpqGgmRHgLuV0yhTqz9TGbTetjYYlWiOGMGYHwvxMLnvTvQIbJb\nBwtpbK0SEu7ODMn1mGtWpzkVI9rDeCW/FT0bBj1KvkWBWbCVFCSVGjmxuWcFgRs/\nc3aNA/DLQMsX7TzvqiY+dXLdp9/vuyqIf+qzC8IIrI5fskzaVfjP+OzeAVTXeI/f\nYsgvF31Z+DfMAFQ7dnAQ56Ys/oSdNTaAnhfFjI4S40qw0SfZdTWzUm9IjhnZKgaU\nNV9V3b2D7nr64JxutHzYiJemlB4Oy+HhqMQR3AYeMDX3hEG1Xt7splkBLdXccIEe\nGTOoaIffV1QUAB2M9PVyidpLf98Ii9s8Mr2OUcQsYiJy7jNXTudx50mnIhmBSDPN\nk/RSFoMo0+v7jC7lWkfWhvunUJrJ37zNSEHZcJo7Wj+SflqZDI/QRQAez6xRF6ih\nzgFfAgNSDAkbymvju7I6V9TEOw8rLdlXLlBNd+GAy0S2HfNIN8lx2tVnP++zP54C\nhdEDMU+uKp98Wu1fVuMipzjfPqJ0lpNj9M2+ma3q3w1L4YbMa+nVEK4/mmP0e9Jc\nAdvTsgHHFgN5KOwmZkQdAhKJ89cwcGUwZwn/gO7pEGoOw6WaHIIE6ueOiThfkXm/\nWIe1AC/JQapdMlvmF+2Rf51RmSkWX3/vtFPNkWvgkGgCely/eDXRK/si+kk=\n=ep9e\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/hosts/nixos/milkywell/default.nix b/hosts/nixos/milkywell/default.nix index 5b18239..2554037 100644 --- a/hosts/nixos/milkywell/default.nix +++ b/hosts/nixos/milkywell/default.nix 
@@ -1,165 +1,46 @@ -{ lib, config, globals, ... }: +{ lib, config, minimal, ... }: let primaryUser = config.swarselsystems.mainUser; sharedOptions = { - isBtrfs = false; + isBtrfs = true; isLinux = true; + isNixos = true; + }; + profiles = { + minimal = lib.mkIf minimal true; }; - inherit (config.repo.secrets.common) workHostName; - inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; - serviceDomain = config.repo.secrets.common.services.domains.syncthing2; in { imports = [ ./hardware-configuration.nix + ./disk-config.nix ]; - sops = { - defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/milkywell/secrets.yaml"; - }; - boot = { + loader.systemd-boot.enable = true; tmp.cleanOnBoot = true; - loader.grub.device = "nodev"; }; - zramSwap.enable = false; networking = { nftables.enable = lib.mkForce false; hostName = "milkywell"; - enableIPv6 = false; + enableIPv6 = true; domain = "subnet03112148.vcn03112148.oraclevcn.com"; - firewall = { - allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ]; - allowedUDPPorts = [ 21027 22000 ]; - extraCommands = '' - iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT - iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT - iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT - iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT - ''; - }; }; hardware = { enableAllFirmware = lib.mkForce false; }; - system.stateVersion = "23.11"; - - globals.services."syncthing-${config.networking.hostName}".domain = serviceDomain; - - services = { - nginx = { - virtualHosts = { - ${serviceDomain} = { - enableACME = true; - 
forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://localhost:8384"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - }; - }; - - syncthing = { - enable = true; - guiAddress = "0.0.0.0:8384"; - openDefaultPorts = true; - relay.enable = false; - settings = { - urAccepted = -1; - devices = { - "magicant" = { - id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO"; - }; - "winters" = { - id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; - }; - "${workHostName}" = { - id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; - }; - "${dev1}" = { - id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7"; - }; - "${dev2}" = { - id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH"; - }; - "${dev3}" = { - id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR"; - }; - }; - folders = { - "Default Folder" = lib.mkForce { - path = "/var/lib/syncthing/Sync"; - type = "receiveonly"; - versioning = null; - devices = [ "winters" "magicant" "${workHostName}" ]; - id = "default"; - }; - "Obsidian" = { - path = "/var/lib/syncthing/Obsidian"; - type = "receiveonly"; - versioning = { - type = "simple"; - params.keep = "5"; - }; - devices = [ "winters" "magicant" "${workHostName}" ]; - id = "yjvni-9eaa7"; - }; - "Org" = { - path = "/var/lib/syncthing/Org"; - type = "receiveonly"; - versioning = { - type = "simple"; - params.keep = "5"; - }; - devices = [ "winters" "magicant" "${workHostName}" ]; - id = "a7xnl-zjj3d"; - }; - "Vpn" = { - path = "/var/lib/syncthing/Vpn"; - type = "receiveonly"; - versioning = { - type = "simple"; - params.keep = "5"; - }; - devices = [ "winters" "magicant" "${workHostName}" ]; - id = "hgp9s-fyq3p"; - }; - "${loc1}" = { - path = "/var/lib/syncthing/${loc1}"; - type = "receiveonly"; - versioning = { - type = "simple"; - params.keep = "3"; - }; - devices = [ dev1 dev2 dev3 ]; - id = "5gsxv-rzzst"; - }; - }; - 
}; - }; - }; - swarselsystems = lib.recursiveUpdate { info = "VM.Standard.E2.1.Micro"; - flakePath = "/root/.dotfiles"; - isImpermanence = false; + isImpermanence = true; isSecureBoot = false; - isCrypted = false; + isCrypted = true; + isSwap = true; + rootDisk = "/dev/sda"; + swapSize = "4G"; profiles = { server.syncserver = true; }; @@ -167,7 +48,6 @@ in sharedOptions; home-manager.users."${primaryUser}" = { - home.stateVersion = lib.mkForce "23.05"; swarselsystems = lib.recursiveUpdate { } sharedOptions; diff --git a/hosts/nixos/milkywell/disk-config.nix b/hosts/nixos/milkywell/disk-config.nix new file mode 100644 index 0000000..c557fa3 --- /dev/null +++ b/hosts/nixos/milkywell/disk-config.nix 
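Review bot: The new `profiles = { minimal = lib.mkIf minimal true; };` is not inside `sharedOptions` — the added `};` above it closes that set — so `profiles` becomes a separate, unreferenced `let` binding and the minimal profile is never applied to this host (Nix does not warn about unused bindings); bakery's default.nix keeps `profiles` inside `sharedOptions`, which is presumably what was intended here. `isCrypted = true` is also set although this host's new disk-config.nix (hunk below) has no LUKS branch, so the root stays unencrypted while the flag, and anything that reads it, says otherwise; either add the luks partition as in bakery or set `isCrypted = false`. With the firewall block removed and `nftables.enable = lib.mkForce false` kept, confirm that the syncthing and ankisync ports are now opened by the `server.syncserver` modules, since nothing in this file opens them.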
@@ -0,0 +1,98 @@ +# NOTE: ... is needed because dikso passes diskoFile +{ lib +, config +, rootDisk +, ... +}: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} 
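Review bot: The header comment has a typo, `dikso` for `disko`, and the `rootDisk` argument it explains is unused in the body (the device is `config.swarselsystems.rootDisk`), so either use the argument or remove it together with the comment. This file is bakery's disk-config.nix minus the `luks` branch; given that milkywell's default.nix (hunk above) sets `isCrypted = true`, that omission is the one substantive difference and deserves a comment, e.g. `# no LUKS branch: this VM must boot unattended` if that is the intent. The unquoted `$MNTPOINT/root` and `$MNTPOINT/root-blank` in the `btrfs subvolume snapshot` line are safe only because mktemp paths contain no spaces; quoting them as the `mount` line does is cheap.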
diff --git a/hosts/nixos/milkywell/hardware-configuration.nix b/hosts/nixos/milkywell/hardware-configuration.nix index 38606e5..7e5e589 100644 --- a/hosts/nixos/milkywell/hardware-configuration.nix +++ b/hosts/nixos/milkywell/hardware-configuration.nix @@ -10,22 +10,6 @@ extraModulePackages = [ ]; }; - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a"; - fsType = "xfs"; - }; - - "/boot" = { - device = "/dev/disk/by-uuid/2B75-2AD5"; - fsType = "vfat"; - }; - }; - - swapDevices = [ - { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; } - ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction diff --git a/hosts/nixos/moonside/default.nix b/hosts/nixos/moonside/default.nix index 31edc7b..ba84c3b 100644 --- a/hosts/nixos/moonside/default.nix +++ b/hosts/nixos/moonside/default.nix @@ -3,10 +3,12 @@ let primaryUser = config.swarselsystems.mainUser; inherit (config.repo.secrets.common) workHostName; inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; + inherit (config.swarselsystems) sopsFile; serviceDomain = config.repo.secrets.common.services.domains.syncthing3; sharedOptions = { isBtrfs = true; + isNixos = true; isLinux = true; }; in @@ -18,9 +20,9 @@ in sops = { age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; + # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; secrets = { - wireguard-private-key = { }; + wireguard-private-key = { inherit sopsFile; }; }; }; 
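Review bot: `# defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";` is commented-out code carrying a now-stale path; delete the line instead of keeping it. With the default gone, `wireguard-private-key` gets an explicit `sopsFile`, but any other `sops.secrets` entry declared for this host without its own `sopsFile` now depends on whatever sops-nix resolves when no default is set; a comment on `inherit (config.swarselsystems) sopsFile;` stating that every secret on this host must name its file would prevent that surprise. The `sops` attribute set continues past the hunk.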
@@ -210,7 +212,6 @@ in swarselsystems = lib.recursiveUpdate { info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM"; - flakePath = "/home/swarsel/.dotfiles"; isImpermanence = true; isSecureBoot = false; isCrypted = false; diff --git a/hosts/nixos/moonside/secrets/pii.nix.enc b/hosts/nixos/moonside/secrets/pii.nix.enc index b82de98..05564b0 100644 --- a/hosts/nixos/moonside/secrets/pii.nix.enc +++ b/hosts/nixos/moonside/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:CmkNQJe2siUanybNt9Nv8JSsOnJuoLUOpAPXbACPQFLc4YL9u5R9wImwbbOOgXGfVl8hQwYS5dc+2nu4kj11zdT4mCe62/fO+HgIMBEbU/c0zGZj2hjArJYBkOCHQYu1IzgXdACyamJ9s3MVe0xGJUkwK93X+89YQpc=,iv:9tzNWIk10A4w986fo6pkpaUvo4+y5+RD+OmBksy9TbU=,tag:r5Dlv/HGwtlAdKp3HsKiMg==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:g9iNn/sH7CtxcT4SeI8/DFG8BPIIoseYTuprGEQPqJ8=,tag:SuV+seYm30JAMN7QbdDl9g==,type:str]", "sops": { "age": [ { 
@@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-06-13T17:33:11Z", - "mac": "ENC[AES256_GCM,data:/PDAd2LB2n3gwnaYaUHDHT/Ze1YxXTA0wDxAZEc72B9DQO8trN0XISSqQ3YbopOy8J7wZu/HveX5nx4zoCPKcrMtqtFtlyviAE5Afl+3XcgKcNOGK/0yCq1fAD6q8Lfsl/t/5/4qXA5jlhobVmsDFfXJ8woYqCLijZXNNkc3X+w=,iv:Q9yngw0Z6aS1aB/iF6+oFoCYg1yN+mNKEsv8zaX4ba0=,tag:470JaIY68O3NublQLYw7GA==,type:str]", + "lastmodified": "2025-07-08T00:23:59Z", + "mac": "ENC[AES256_GCM,data:Db2w9giZy+TyXp2hpMN1h7ZgBaJ4WiAN2P6IFaoXufOlxT2uwulbzDMYFoUm9jcdFc8zqnYCvttosJIzyjevY5up9gDarzTu+43XFrTxYqPdgRBzzvxSeXmKqDnngAvv/qOWfzt7TG1IzpyytHX/DEPHvPM9dWgut/1K6Eq94Hs=,iv:WoWAAjse1kyn9IGX4kqCl3zvq4kXEMkfTjAi2j5OCFs=,tag:xco/8fudn2kCLnFa8mUIsA==,type:str]", "pgp": [ { "created_at": "2025-06-13T20:12:55Z", diff --git a/hosts/nixos/winters/default.nix b/hosts/nixos/winters/default.nix index d622812..6b65107 100644 --- a/hosts/nixos/winters/default.nix +++ b/hosts/nixos/winters/default.nix @@ -4,6 +4,7 @@ let sharedOptions = { isBtrfs = false; isLinux = true; + isNixos = true; profiles = { server.local = true; }; diff --git a/index.html b/index.html index 2669981..3b60c2e 100644 --- a/index.html +++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + SwarselSystems: NixOS + Emacs Configuration @@ -230,7 +230,8 @@
  • 2.11. Modules
  • 2.12. Apps
  • 2.13. Overlays
  • -
  • 2.14. Installer iso
  • +
  • 2.14. Installer iso
  • +
  • 2.15. Installer flake
  • 3. System @@ -252,22 +253,30 @@
  • 3.1.2.1.3. disko
  • -
  • 3.1.2.2. Winters (Server) +
  • 3.1.2.2. Bakery (Lenovo ThinkPad)
  • -
  • 3.1.2.3. nbm-imba-166 (MacBook Pro)
  • -
  • 3.1.2.4. Magicant (Phone)
  • +
  • 3.1.2.3. Winters (Server) + +
  • +
  • 3.1.2.4. nbm-imba-166 (MacBook Pro)
  • +
  • 3.1.2.5. Magicant (Phone)
  • 3.1.3. Virtual hosts
  • -
  • 3.1.4.2. drugstore (ISO)
  • -
  • 3.1.4.3. Home-manager only (default non-NixOS)
  • +
  • 3.1.4.2. Drugstore (ISO installer config)
  • +
  • 3.1.4.3. Treehouse (home-manager only example)
  • 3.1.4.4. ChaosTheatre (Demo Physical/VM) @@ -769,7 +782,7 @@

    -This file has 83754 words spanning 22016 lines and was last revised on 2025-07-04 18:25:33 +0200. +This file has 85605 words spanning 22598 lines and was last revised on 2025-07-14 01:07:45 +0200.

    @@ -822,7 +835,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

    -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-07-04 18:25:33 +0200) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-07-14 01:07:45 +0200)

  • @@ -834,7 +847,7 @@ system-configuration-options
    ---prefix=/nix/store/903l8w4515jym9sq67wdg4zqsi7wn654-emacs-git-pgtk-20250626.0 --disable-build-details --with-modules --with-pgtk --with-compress-install --with-toolkit-scroll-bars --with-native-compilation --without-imagemagick --with-mailutils --without-small-ja-dic --with-tree-sitter --without-xinput2 --without-xwidgets --with-dbus --with-selinux
    +--prefix=/nix/store/sjapaaf7z48pzml6dw2njyfdgvpp1nn7-emacs-git-pgtk-20250707.0 --disable-build-details --with-modules --with-pgtk --with-compress-install --with-toolkit-scroll-bars --with-native-compilation --without-imagemagick --with-mailutils --without-small-ja-dic --with-tree-sitter --without-xinput2 --without-xwidgets --with-dbus --with-selinux
     
    @@ -1061,13 +1074,13 @@ Here I give a brief overview over the hostmachines that I am using. This is held |💻 **nbl-imba-2** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop | |💻 **nbm-imba-166** | MacBook Pro 2016 | MacOS Sandbox | |🖥️ **winters** | ASRock J4105-ITX, 32GB RAM | Main homeserver and data storgae | -|🖥️ **sync** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks | +|🖥️ **milkywell** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks | |🖥️ **moonside** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services | |📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone | |💿 **drugstore** | - | ISO installer configuration | |❔ **chaotheatre** | - | Demo config for checking out my configurtion | |❔ **toto** | - | Helper configuration for bootstrapping a new system | -|🏠 **home** | - | Reference configuration for a home-manager only host | +|🏠 **Treehouse** | - | Reference configuration for a home-manager only host | @@ -1263,6 +1276,7 @@ This automatically creates a topology diagram of my configuration. }; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-dev.url = "github:Swarsel/nixpkgs/main"; nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05"; @@ -1322,11 +1336,6 @@ This automatically creates a topology diagram of my configuration. url = "github:cachix/git-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - nix-secrets = { - url = "git+ssh://git@github.com/Swarsel/nix-secrets.git?ref=main&shallow=1"; - flake = false; - inputs = { }; - }; vbc-nix = { url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -1680,89 +1689,93 @@ The structure of globals.nix.enc requires a toplevel globals< inherit (outputs) lib; # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); - mkNixosHost = { minimal }: name: - lib.nixosSystem { - specialArgs = { inherit inputs outputs lib self minimal; inherit (config) globals nodes; }; - modules = [ - inputs.disko.nixosModules.disko - inputs.sops-nix.nixosModules.sops - inputs.impermanence.nixosModules.impermanence - inputs.lanzaboote.nixosModules.lanzaboote - inputs.nix-topology.nixosModules.default - inputs.home-manager.nixosModules.home-manager - "${self}/hosts/nixos/${name}" - "${self}/profiles/nixos" - "${self}/modules/nixos" - { - node.name = name; - node.secretsDir = ../hosts/nixos/${name}/secrets; - } - ]; - }; + mkNixosHost = { minimal }: configName: + lib.nixosSystem { + specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; + modules = [ + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops + inputs.impermanence.nixosModules.impermanence + inputs.lanzaboote.nixosModules.lanzaboote + inputs.nix-topology.nixosModules.default + inputs.home-manager.nixosModules.home-manager + inputs.stylix.nixosModules.stylix + inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm + "${self}/hosts/nixos/${configName}" + "${self}/profiles/nixos" + "${self}/modules/nixos" + { + node = { + name = configName; + secretsDir = ../hosts/nixos/${configName}/secrets; + }; + } + ]; + }; - mkDarwinHost = { minimal }: name: - inputs.nix-darwin.lib.darwinSystem { - specialArgs = { inherit inputs outputs lib self minimal; inherit (config) globals nodes; }; - modules = [ - # inputs.disko.nixosModules.disko - # inputs.sops-nix.nixosModules.sops - # inputs.impermanence.nixosModules.impermanence - # inputs.lanzaboote.nixosModules.lanzaboote - # inputs.fw-fanctrl.nixosModules.default - # 
inputs.nix-topology.nixosModules.default - inputs.home-manager.darwinModules.home-manager - "${self}/hosts/darwin/${name}" - "${self}/modules/nixos/darwin" - # needed for infrastructure - "${self}/modules/nixos/common/meta.nix" - "${self}/modules/nixos/common/globals.nix" - { - node.name = name; - node.secretsDir = ../hosts/darwin/${name}/secrets; - } - ]; - }; + mkDarwinHost = { minimal }: configName: + inputs.nix-darwin.lib.darwinSystem { + specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; + modules = [ + # inputs.disko.nixosModules.disko + # inputs.sops-nix.nixosModules.sops + # inputs.impermanence.nixosModules.impermanence + # inputs.lanzaboote.nixosModules.lanzaboote + # inputs.fw-fanctrl.nixosModules.default + # inputs.nix-topology.nixosModules.default + inputs.home-manager.darwinModules.home-manager + "${self}/hosts/darwin/${configName}" + "${self}/modules/nixos/darwin" + # needed for infrastructure + "${self}/modules/nixos/common/meta.nix" + "${self}/modules/nixos/common/globals.nix" + { + node.name = configName; + node.secretsDir = ../hosts/darwin/${configName}/secrets; + } + ]; + }; - mkHalfHost = name: type: pkgs: { - ${name} = + mkHalfHost = configName: type: pkgs: { + ${configName} = let systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; in - systemFunc - { - inherit pkgs; - extraSpecialArgs = { inherit inputs outputs lib self; }; - modules = [ "${self}/hosts/${type}/${name}" ]; - }; + systemFunc + { + inherit pkgs; + extraSpecialArgs = { inherit inputs outputs lib self configName; }; + modules = [ "${self}/hosts/${type}/${configName}" ]; + }; }; mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (name: mkHalfHost name type pkgs) hosts); nixosHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/nixos")); darwinHosts = 
builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/darwin")); in - { - nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { - minimal = false; - }); - nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { - minimal = true; - }); - darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = false; - }); - darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = true; - }); + { + nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { + minimal = false; + }); + nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { + minimal = true; + }); + darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { + minimal = false; + }); + darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { + minimal = true; + }); - # TODO: Build these for all architectures - homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux; - nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux; + # TODO: Build these for all architectures + homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux; + nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux; - diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; + diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; - nodes = config.nixosConfigurations // config.darwinConfigurations; + nodes = config.nixosConfigurations // config.darwinConfigurations; - }; + }; } 
@@ -1808,7 +1821,7 @@ The structure of globals.nix.enc requires a toplevel globals< connections = [ (mkConnection "moonside" "wan") (mkConnection "pfsense" "wan") - (mkConnection "sync" "wan") + (mkConnection "milkywell" "wan") (mkConnection "toto" "bootstrapper") (mkConnection "chaostheatre" "demo host") ]; @@ -1816,7 +1829,7 @@ The structure of globals.nix.enc requires a toplevel globals< chaostheatre.interfaces."demo host" = { }; toto.interfaces."bootstrapper" = { }; - sync.interfaces.wan = { }; + milkywell.interfaces.wan = { }; moonside.interfaces.wan = { }; pfsense = mkRouter "pfSense" { @@ -2296,6 +2309,13 @@ in }; }; + nixpkgs-dev = final: _: { + dev = import inputs.nixpkgs-dev { + inherit (final) system; + config.allowUnfree = true; + }; + }; + nixpkgs-kernel = final: _: { kernel = import inputs.nixpkgs-kernel { inherit (final) system; @@ -2325,6 +2345,7 @@ in (additions final prev) // (modifications final prev) // (nixpkgs-stable final prev) + // (nixpkgs-dev final prev) // (nixpkgs-kernel final prev) // (nixpkgs-stable24_05 final prev) // (nixpkgs-stable24_11 final prev) @@ -2341,20 +2362,21 @@ in -
    -

    2.14. Installer iso

    -
    +
    +

    2.14. Installer iso

    +
    -
    { inputs, ... }:
    +
    { self, inputs, ... }:
     {
       perSystem = { pkgs, system, ... }:
         {
           # nix build --print-out-paths --no-link .#images.<target-system>.live-iso
           packages.live-iso = inputs.nixos-generators.nixosGenerate {
             inherit pkgs;
    +        specialArgs = { inherit self; };
             modules = [
               inputs.home-manager.nixosModules.home-manager
    -          ./installer-config.nix
    +          "${self}/install/installer-config.nix"
             ];
             format =
               {
    @@ -2369,6 +2391,21 @@ in
     
    +
    +

    2.15. Installer flake

    +
    +
    +
    {
    +  description = "Minimal installer flake - not to be used manually";
    +
    +  inputs.swarsel.url = "./..";
    +
    +  outputs = { swarsel, ... }: { nixosConfigurations = swarsel.nixosConfigurationsMinimal; };
    +}
    +
    +
    +
    +

    3. System

    @@ -2396,13 +2433,13 @@ This is the template that I use for new deployments of personal machines. Server
    3.1.1.1. Main Configuration
    -
    { self, inputs, pkgs, lib, globals, ... }:
    +
    { self, config, inputs, pkgs, lib, ... }:
     let
    +  primaryUser = config.swarselsystems.mainUser;
       modulesPath = "${self}/modules";
       sharedOptions = {
         isBtrfs = true;
       };
    -  primaryUser = globals.user.name;
     in
     {
     
    @@ -2614,17 +2651,20 @@ My work machine. Built for more security, this is the gold standard of my config
     
    3.1.2.1.1. Main Configuration
    -
    { self, config, inputs, lib, globals, ... }:
    +
    { self, config, inputs, lib, minimal, ... }:
     let
    -  primaryUser = globals.user.name;
    +  primaryUser = config.swarselsystems.mainUser;
       sharedOptions = {
    +    isLaptop = true;
    +    isNixos = true;
         isBtrfs = true;
         isLinux = true;
         sharescreen = "eDP-2";
         profiles = {
    -      personal = true;
    -      work = true;
    -      framework = true;
    +      personal = lib.mkIf (!minimal) true;
    +      minimal = lib.mkIf minimal true;
    +      work = lib.mkIf (!minimal) true;
    +      framework = lib.mkIf (!minimal) true;
         };
       };
     in
    @@ -2665,8 +2705,6 @@ in
         # home.stateVersion = lib.mkForce "23.05";
         swarselsystems = lib.recursiveUpdate
           {
    -        isLaptop = true;
    -        isNixos = true;
             isSecondaryGpu = true;
             SecondaryGpuCard = "pci-0000_03_00_0";
             cpuCount = 16;
    @@ -2854,8 +2892,258 @@ in
         };
       };
     
    -  fileSystems."/persist".neededForBoot = true;
    -  fileSystems."/var/log".neededForBoot = true;
    +  fileSystems = {
    +    "/persist".neededForBoot = true;
    +    "/home".neededForBoot = true;
    +    "/var/log".neededForBoot = true;
    +  };
    +}
    +
    +
    +
    +
    +
    +
    +
    +
    3.1.2.2. Bakery (Lenovo ThinkPad)
    +
    +

    +My personal laptop. +

    +
    +
    +
    3.1.2.2.1. Main Configuration
    +
    +
    +
    { self, config, inputs, lib, minimal, ... }:
    +let
    +  primaryUser = config.swarselsystems.mainUser;
    +  sharedOptions = {
    +    isLaptop = true;
    +    isNixos = true;
    +    isBtrfs = true;
    +    isLinux = true;
    +    sharescreen = "eDP-1";
    +    profiles = {
    +      reduced = lib.mkIf (!minimal) true;
    +      minimal = lib.mkIf minimal true;
    +    };
    +  };
    +in
    +{
    +
    +  imports = [
    +    inputs.nixos-hardware.nixosModules.common-cpu-intel
    +
    +    ./disk-config.nix
    +    ./hardware-configuration.nix
    +
    +  ];
    +
    +
    +  swarselsystems = lib.recursiveUpdate
    +    {
    +      info = "Lenovo ThinkPad";
    +      firewall = lib.mkForce true;
    +      wallpaper = self + /files/wallpaper/lenovowp.png;
    +      hasBluetooth = true;
    +      hasFingerprint = true;
    +      isImpermanence = true;
    +      isSecureBoot = false;
    +      isCrypted = true;
    +      isSwap = true;
    +      rootDisk = "/dev/nvme0n1";
    +      swapSize = "4G";
    +      hostName = config.node.name;
    +      profiles = {
    +        btrfs = true;
    +      };
    +    }
    +    sharedOptions;
    +
    +  home-manager.users."${primaryUser}" = {
    +    # home.stateVersion = lib.mkForce "23.05";
    +    swarselsystems = lib.recursiveUpdate
    +      {
    +        lowResolution = "1280x800";
    +        highResolution = "1920x1080";
    +        monitors = {
    +          main = {
    +            name = "LG Display 0x04EF Unknown";
    +            mode = "1920x1080"; # TEMPLATE
    +            scale = "1";
    +            position = "1920,0";
    +            workspace = "15:L";
    +            output = "eDP-1";
    +          };
    +        };
    +      }
    +      sharedOptions;
    +  };
    +}
    +
    +
    +
    +
    +
    +
    +
    +
    +
    3.1.2.2.2. hardware-configuration
    +
    +
    +
    # Do not modify this file!  It was generated by ‘nixos-generate-config’
    +# and may be overwritten by future invocations.  Please make changes
    +# to /etc/nixos/configuration.nix instead.
    +{ config, lib, modulesPath, ... }:
    +
    +{
    +  imports =
    +    [
    +      (modulesPath + "/installer/scan/not-detected.nix")
    +    ];
    +
    +  boot = {
    +    initrd = {
    +      availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
    +      kernelModules = [ ];
    +    };
    +    kernelModules = [ ];
    +    extraModulePackages = [ ];
    +  };
    +
    +  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
    +  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    +}
    +
    +
    +
    +
    +
    +
    3.1.2.2.3. disko
    +
    +
    +
    { lib, pkgs, config, rootDisk, ... }:
    +let
    +  type = "btrfs";
    +  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
    +  subvolumes = {
    +    "/root" = {
    +      mountpoint = "/";
    +      mountOptions = [
    +        "subvol=root"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/home";
    +      mountOptions = [
    +        "subvol=home"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/persist";
    +      mountOptions = [
    +        "subvol=persist"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/var/log";
    +      mountOptions = [
    +        "subvol=log"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/nix" = {
    +      mountpoint = "/nix";
    +      mountOptions = [
    +        "subvol=nix"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/swap" = lib.mkIf config.swarselsystems.isSwap {
    +      mountpoint = "/.swapvol";
    +      swap.swapfile.size = config.swarselsystems.swapSize;
    +    };
    +  };
    +in
    +{
    +  disko.devices = {
    +    disk = {
    +      disk0 = {
    +        type = "disk";
    +        device = config.swarselsystems.rootDisk;
    +        content = {
    +          type = "gpt";
    +          partitions = {
    +            ESP = {
    +              priority = 1;
    +              name = "ESP";
    +              size = "512M";
    +              type = "EF00";
    +              content = {
    +                type = "filesystem";
    +                format = "vfat";
    +                mountpoint = "/boot";
    +                mountOptions = [ "defaults" ];
    +              };
    +            };
    +            root = lib.mkIf (!config.swarselsystems.isCrypted) {
    +              size = "100%";
    +              content = {
    +                inherit type subvolumes extraArgs;
    +                postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                  MNTPOINT=$(mktemp -d)
    +                  mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
    +                  trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                  btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                '';
    +              };
    +            };
    +            luks = lib.mkIf config.swarselsystems.isCrypted {
    +              size = "100%";
    +              content = {
    +                type = "luks";
    +                name = "cryptroot";
    +                passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
    +                settings = {
    +                  allowDiscards = true;
    +                  # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
    +                  crypttabExtraOpts = [
    +                    "fido2-device=auto"
    +                    "token-timeout=10"
    +                  ];
    +                };
    +                content = {
    +                  inherit type subvolumes extraArgs;
    +                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                    MNTPOINT=$(mktemp -d)
    +                    mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
    +                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                  '';
    +                };
    +              };
    +            };
    +          };
    +        };
    +      };
    +    };
    +  };
    +
    +  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +
    +  environment.systemPackages = [
    +    pkgs.yubikey-manager
    +  ];
     }
     
     
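Review bot: `passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh` in bakery's disk-config.nix hands the LUKS passphrase to disko through a fixed, predictable path in a shared directory, and whether bootstrap.sh creates that file with mode 0600 and removes it once disko has run is not visible here; either make the script do so or state it in the comment, e.g. `passwordFile = "/tmp/disko-password"; # written by bootstrap.sh with mode 0600, deleted after disko runs`. Bakery's default.nix also sets `fileSystems."/persist"` and `"/home"` `neededForBoot` unconditionally while its disk-config.nix sets the same two options gated on `isImpermanence`, so one pair is redundant and the two can drift; keeping only the gated pair in disk-config.nix (plus `/var/log`) avoids that. The `monitors.main` block still carries the `# TEMPLATE` marker and a `position = "1920,0"` offset for the single `eDP-1` output, which looks like an unfinished copy from the host template and is worth confirming.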
    @@ -2864,22 +3152,23 @@ in
    -
    3.1.2.2. Winters (Server)
    +
    3.1.2.3. Winters (Server)

    This is my main server that I run at home. It handles most tasks that require bigger amounts of storage than I can receive for free at OCI. Also it houses some data that I find too sensitive to hand over to Oracle.

    -
    3.1.2.2.1. Main Configuration
    +
    3.1.2.3.1. Main Configuration
    -
    { lib, config, globals, ... }:
    +
    { lib, config, ... }:
     let
    -  primaryUser = globals.user.name;
    +  primaryUser = config.swarselsystems.mainUser;
       sharedOptions = {
         isBtrfs = false;
         isLinux = true;
    +    isNixos = true;
         profiles = {
           server.local = true;
         };
    @@ -2928,7 +3217,7 @@ in
     
    -
    3.1.2.2.2. hardware-configuration
    +
    3.1.2.3.2. hardware-configuration
    { config, lib, modulesPath, ... }:
    @@ -2982,7 +3271,7 @@ in
     
    -
    3.1.2.3. nbm-imba-166 (MacBook Pro)
    +
    3.1.2.4. nbm-imba-166 (MacBook Pro)

    A Mac notebook that I have received from work. I use this machine for getting accustomed to the Apple ecosystem as well as as a sandbox for nix-darwin configurations. @@ -3017,7 +3306,7 @@ in

    -
    3.1.2.4. Magicant (Phone)
    +
    3.1.2.5. Magicant (Phone)

    My phone. I use only a minimal config for remote debugging here. @@ -3088,7 +3377,7 @@ I have removed most of the machines from this section. What remains are some hos

    -
    3.1.3.1. Sync (OCI)
    +
    3.1.3.1. MilkyWell (OCI)

    This machine mainly acts as an external sync helper. It manages the following things: @@ -3110,176 +3399,56 @@ All of these are processes that use little cpu but can take a lot of storage. Fo

    3.1.3.1.1. Main configuration
    -
    { lib, config, globals, ... }:
    +
    { lib, config, minimal, ... }:
     let
    -  primaryUser = globals.user.name;
    +  primaryUser = config.swarselsystems.mainUser;
       sharedOptions = {
    -    isBtrfs = false;
    +    isBtrfs = true;
         isLinux = true;
    +    isNixos = true;
    +  };
    +  profiles = {
    +    minimal = lib.mkIf minimal true;
       };
    -  inherit (config.repo.secrets.common) workHostName;
    -  inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
    -  serviceDomain = config.repo.secrets.common.services.domains.syncthing2;
     in
     {
       imports = [
         ./hardware-configuration.nix
    +    ./disk-config.nix
       ];
     
    -  sops = {
    -    defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml";
    -  };
    -
       boot = {
    +    loader.systemd-boot.enable = true;
         tmp.cleanOnBoot = true;
    -    loader.grub.device = "nodev";
       };
    -  zramSwap.enable = false;
     
       networking = {
         nftables.enable = lib.mkForce false;
    -    hostName = "sync";
    -    enableIPv6 = false;
    +    hostName = "milkywell";
    +    enableIPv6 = true;
         domain = "subnet03112148.vcn03112148.oraclevcn.com";
    -    firewall = {
    -      allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ];
    -      allowedUDPPorts = [ 21027 22000 ];
    -      extraCommands = ''
    -        iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    -        iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
    -        iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
    -        iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
    -        iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
    -        iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
    -        iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
    -        iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
    -        iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
    -      '';
    -    };
       };
     
       hardware = {
         enableAllFirmware = lib.mkForce false;
       };
     
    -  system.stateVersion = "23.11";
    -
    -  globals.services."syncthing-${config.networking.hostName}".domain = serviceDomain;
    -
    -  services = {
    -    nginx = {
    -      virtualHosts = {
    -        ${serviceDomain} = {
    -          enableACME = true;
    -          forceSSL = true;
    -          acmeRoot = null;
    -          locations = {
    -            "/" = {
    -              proxyPass = "http://localhost:8384";
    -              extraConfig = ''
    -                client_max_body_size 0;
    -              '';
    -            };
    -          };
    -        };
    -      };
    -    };
    -
    -    syncthing = {
    -      enable = true;
    -      guiAddress = "0.0.0.0:8384";
    -      openDefaultPorts = true;
    -      relay.enable = false;
    -      settings = {
    -        urAccepted = -1;
    -        devices = {
    -          "magicant" = {
    -            id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
    -          };
    -          "winters" = {
    -            id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
    -          };
    -          "${workHostName}" = {
    -            id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
    -          };
    -          "${dev1}" = {
    -            id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
    -          };
    -          "${dev2}" = {
    -            id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
    -          };
    -          "${dev3}" = {
    -            id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
    -          };
    -        };
    -        folders = {
    -          "Default Folder" = lib.mkForce {
    -            path = "/var/lib/syncthing/Sync";
    -            type = "receiveonly";
    -            versioning = null;
    -            devices = [ "winters" "magicant" "${workHostName}" ];
    -            id = "default";
    -          };
    -          "Obsidian" = {
    -            path = "/var/lib/syncthing/Obsidian";
    -            type = "receiveonly";
    -            versioning = {
    -              type = "simple";
    -              params.keep = "5";
    -            };
    -            devices = [ "winters" "magicant" "${workHostName}" ];
    -            id = "yjvni-9eaa7";
    -          };
    -          "Org" = {
    -            path = "/var/lib/syncthing/Org";
    -            type = "receiveonly";
    -            versioning = {
    -              type = "simple";
    -              params.keep = "5";
    -            };
    -            devices = [ "winters" "magicant" "${workHostName}" ];
    -            id = "a7xnl-zjj3d";
    -          };
    -          "Vpn" = {
    -            path = "/var/lib/syncthing/Vpn";
    -            type = "receiveonly";
    -            versioning = {
    -              type = "simple";
    -              params.keep = "5";
    -            };
    -            devices = [ "winters" "magicant" "${workHostName}" ];
    -            id = "hgp9s-fyq3p";
    -          };
    -          "${loc1}" = {
    -            path = "/var/lib/syncthing/${loc1}";
    -            type = "receiveonly";
    -            versioning = {
    -              type = "simple";
    -              params.keep = "3";
    -            };
    -            devices = [ dev1 dev2 dev3 ];
    -            id = "5gsxv-rzzst";
    -          };
    -        };
    -      };
    -    };
    -  };
    -
       swarselsystems = lib.recursiveUpdate
         {
           info = "VM.Standard.E2.1.Micro";
    -      flakePath = "/root/.dotfiles";
    -      isImpermanence = false;
    +      isImpermanence = true;
           isSecureBoot = false;
    -      isCrypted = false;
    +      isCrypted = true;
    +      isSwap = true;
    +      rootDisk = "/dev/sda";
    +      swapSize = "4G";
           profiles = {
    -        server.sync = true;
    +        server.syncserver = true;
           };
         }
         sharedOptions;
     
       home-manager.users."${primaryUser}" = {
    -    home.stateVersion = lib.mkForce "23.05";
         swarselsystems = lib.recursiveUpdate
           { }
           sharedOptions;
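Review bot: `isCrypted = true;` is now set for milkywell, but the host's new disk-config.nix in the `@@ -3333` hunk below creates a plain btrfs `root` partition with no LUKS container and no `lib.mkIf config.swarselsystems.isCrypted` gate, unlike bakery's disk-config, so the flag claims encryption that the layout does not provide, and if any module keyed on `isCrypted` expects a `cryptroot` device it would point at one that does not exist. Either set `isCrypted = false;` for this host or bring the `luks` partition branch from bakery's disk-config.nix into milkywell's. Separately, the old `networking.firewall` block with `allowedTCPPorts`/`allowedUDPPorts` and `extraCommands` is removed without a replacement in this hunk; presumably the `server.syncserver` profile now opens the Syncthing ports, which is worth confirming since `nftables.enable = lib.mkForce false` is kept. The enclosing attribute set continues past the hunk.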
    @@ -3307,22 +3476,6 @@ in
         extraModulePackages = [ ];
       };
     
    -  fileSystems = {
    -    "/" = {
    -      device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a";
    -      fsType = "xfs";
    -    };
    -
    -    "/boot" = {
    -      device = "/dev/disk/by-uuid/2B75-2AD5";
    -      fsType = "vfat";
    -    };
    -  };
    -
    -  swapDevices = [
    -    { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; }
    -  ];
    -
       # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
       # (the default) this is the recommended approach. When using systemd-networkd it's
       # still possible to use this option, but it's recommended to use it in conjunction
    @@ -3333,6 +3486,114 @@ in
       nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
       hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
     }
    +
    +
    +
    +
    +
    +
    3.1.3.1.3. disko
    +
    +
    +
    # NOTE: ... is needed because dikso passes diskoFile
    +{ lib
    +, config
    +, rootDisk
    +, ...
    +}:
    +let
    +  type = "btrfs";
    +  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
    +  subvolumes = {
    +    "/root" = {
    +      mountpoint = "/";
    +      mountOptions = [
    +        "subvol=root"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/home";
    +      mountOptions = [
    +        "subvol=home"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/persist";
    +      mountOptions = [
    +        "subvol=persist"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
    +      mountpoint = "/var/log";
    +      mountOptions = [
    +        "subvol=log"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/nix" = {
    +      mountpoint = "/nix";
    +      mountOptions = [
    +        "subvol=nix"
    +        "compress=zstd"
    +        "noatime"
    +      ];
    +    };
    +    "/swap" = lib.mkIf config.swarselsystems.isSwap {
    +      mountpoint = "/.swapvol";
    +      swap.swapfile.size = config.swarselsystems.swapSize;
    +    };
    +  };
    +in
    +{
    +  disko.devices = {
    +    disk = {
    +      disk0 = {
    +        type = "disk";
    +        device = config.swarselsystems.rootDisk;
    +        content = {
    +          type = "gpt";
    +          partitions = {
    +            ESP = {
    +              priority = 1;
    +              name = "ESP";
    +              size = "512M";
    +              type = "EF00";
    +              content = {
    +                type = "filesystem";
    +                format = "vfat";
    +                mountpoint = "/boot";
    +                mountOptions = [ "defaults" ];
    +              };
    +            };
    +            root = {
    +              size = "100%";
    +              content = {
    +                inherit type subvolumes extraArgs;
    +                postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    +                  MNTPOINT=$(mktemp -d)
    +                  mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
    +                  trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    +                  btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    +                '';
    +              };
    +            };
    +          };
    +        };
    +      };
    +    };
    +  };
    +
    +  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    +}
    +
    +
     
    @@ -3348,13 +3609,15 @@ in
    { lib, config, globals, ... }:
     let
    -  primaryUser = globals.user.name;
    +  primaryUser = config.swarselsystems.mainUser;
       inherit (config.repo.secrets.common) workHostName;
       inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
    +  inherit (config.swarselsystems) sopsFile;
       serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
     
       sharedOptions = {
         isBtrfs = true;
    +    isNixos = true;
         isLinux = true;
       };
     in
    @@ -3366,9 +3629,9 @@ in
     
       sops = {
         age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
    -    defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
    +    # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
         secrets = {
    -      wireguard-private-key = { };
    +      wireguard-private-key = { inherit sopsFile; };
         };
       };
     
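Review bot: The `# defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";` line keeps a dead absolute path into a home directory as commented-out code; since `wireguard-private-key` now carries `inherit sopsFile;` from `config.swarselsystems.sopsFile`, the line should be deleted rather than commented. With the forced default gone, any other secret declared outside this hunk without an explicit `sopsFile` falls back to the module's default sops file, which is worth checking. The `sops` attribute set is complete within the hunk, but the enclosing module continues outside it.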
    @@ -3558,7 +3821,6 @@ in
       swarselsystems = lib.recursiveUpdate
         {
           info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM";
    -      flakePath = "/home/swarsel/.dotfiles";
           isImpermanence = true;
           isSecureBoot = false;
           isCrypted = false;
    @@ -3757,14 +4019,15 @@ This is a slim setup for developing base configuration. I do not track the hardw
     
    3.1.4.1.1. Main Configuration
    -
    { self, inputs, pkgs, lib, ... }:
    +
    { self, config, lib, minimal, ... }:
     let
    -  modulesPath = "${self}/modules";
    +  primaryUser = config.swarselsystems.mainUser;
       sharedOptions = {
         isBtrfs = true;
         isLinux = true;
         profiles = {
    -      toto = true;
    +      toto = lib.mkIf (!minimal) true;
    +      minimal = lib.mkIf minimal true;
         };
       };
     in
    @@ -3773,41 +4036,9 @@ in
       imports = [
         ./disk-config.nix
         ./hardware-configuration.nix
    -
    -    "${modulesPath}/nixos/common/sharedsetup.nix"
    -    "${modulesPath}/home/common/sharedsetup.nix"
    -    "${self}/profiles/nixos"
    -
    -    inputs.home-manager.nixosModules.home-manager
    -    {
    -      home-manager.users."setup".imports = [
    -        inputs.sops-nix.homeManagerModules.sops
    -        "${modulesPath}/home/common/sharedsetup.nix"
    -        "${self}/profiles/home"
    -      ];
    -    }
       ];
     
     
    -  environment.systemPackages = with pkgs; [
    -    curl
    -    git
    -    gnupg
    -    rsync
    -    ssh-to-age
    -    sops
    -    vim
    -    just
    -    sbctl
    -  ];
    -
    -  system.stateVersion = lib.mkForce "23.05";
    -
    -  boot = {
    -    supportedFilesystems = [ "btrfs" ];
    -    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
    -  };
    -
     
       networking = {
         hostName = "toto";
    @@ -3819,17 +4050,18 @@ in
           info = "~SwarselSystems~ remote install helper";
           wallpaper = self + /files/wallpaper/lenovowp.png;
           isImpermanence = true;
    -      isCrypted = false;
    +      isCrypted = true;
           isSecureBoot = false;
    -      isSwap = false;
    -      swapSize = "8G";
    +      isSwap = true;
    +      swapSize = "2G";
           # rootDisk = "/dev/nvme0n1";
    -      rootDisk = "/dev/sda";
    +      rootDisk = "/dev/vda";
    +      profiles.btrfs = true;
           # rootDisk = "/dev/vda";
         }
         sharedOptions;
     
    -  home-manager.users."setup" = {
    +  home-manager.users.${primaryUser} = {
         home.stateVersion = lib.mkForce "23.05";
         swarselsystems = lib.recursiveUpdate
           {
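Review bot: The live `rootDisk = "/dev/vda";` is immediately followed by a commented `# rootDisk = "/dev/vda";` that now duplicates it, and the `# rootDisk = "/dev/nvme0n1";` alternative above it is still there; since this value is what the disk layout gets applied to, stale alternatives next to a destructive setting are an invitation to flip the wrong one on a real machine. Drop both commented lines, or replace them with one comment that says which device the VM (`vda`) and the physical target (`nvme0n1`) use. `isCrypted = true` is now also set for the install helper; if the LUKS passphrase is supplied by the bootstrap script rather than this config, a comment here saying so would help (nothing in this hunk shows where it comes from). The `swarselsystems` attrset this hunk edits starts before the hunk.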
    @@ -3985,7 +4217,7 @@ in
     
    -
    3.1.4.2. drugstore (ISO)
    +
    3.1.4.2. Drugstore (ISO installer config)

     This is a live environment ISO that I use to bootstrap new systems. It only loads a minimal configuration and no graphical interface. After booting this image on a host, find out its IP and bootstrap the system using the bootstrap utility.
    @@ -3993,8 +4225,11 @@ This is a live environment ISO that I use to bootstrap new systems. It only load

    -
    { pkgs, lib, ... }:
    -{
    +
    { self, config, pkgs, lib, ... }:
    +let
    +  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
    +in
    +  {
     
       config = {
         home-manager.users.root.home = {
    @@ -4007,9 +4242,48 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
             };
           };
         };
    +    home-manager.users.swarsel = {
    +      home = {
    +        username = "swarsel";
    +        homeDirectory = lib.mkDefault "/home/swarsel";
    +        stateVersion = lib.mkDefault "23.05";
    +        keyboard.layout = "us";
    +        sessionVariables = {
    +          FLAKE = "/home/swarsel/.dotfiles";
    +        };
    +        file = {
    +          ".bash_history" = {
    +            text = ''
    +              swarsel-install -n chaostheatre
    +            '';
    +          };
    +        };
    +      };
    +    };
     
    -    nix.settings = {
    -      experimental-features = [ "nix-command" "flakes" ];
    +    security.sudo.extraConfig = ''
    +      Defaults    env_keep+=SSH_AUTH_SOCK
    +      Defaults lecture = never
    +    '';
    +    security.pam = {
    +      sshAgentAuth.enable = true;
    +      services = {
    +        sudo.u2fAuth = true;
    +      };
    +    };
    +
    +    nix = {
    +      channel.enable = false;
    +      package = pkgs.nixVersions.nix_2_28;
    +      extraOptions = ''
    +        plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    +          buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
    +          patches = (o.patches or []) ++ [ ../nix/nix-plugins.patch ];
    +        })}/lib/nix/plugins
    +        extra-builtins-file = ${../nix/extra-builtins.nix}
    +      '';
    +
    +      settings.experimental-features = [ "nix-command" "flakes" ];
         };
     
         boot = {
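Review bot: `security.pam.sshAgentAuth.enable = true` together with `Defaults env_keep+=SSH_AUTH_SOCK` means any key in the user's authorized_keys that is present in a forwarded agent authenticates `sudo` with no password; on an installer whose password is the public `setup` that loses nothing, but the two lines serve different purposes (the env_keep is for root reaching the agent for repository access, per the prose later in this document) and the hunk does not say so. I would add `# sshAgentAuth: forwarded agent keys double as sudo credentials; env_keep: let root's git/nix reach the agent` above them. `sudo.u2fAuth = true` on this headless ISO has no `security.pam.u2f` key mapping that I can see; with NixOS's default `sufficient` control it should fall through to the password, but if it is not intentional it should go. The patched `nix-plugins`/`extra-builtins-file` block is duplicated in the general module later in this diff with a different path spelling (`../nix/…` vs `${self}/nix/…`); one definition in the shared module, which the ISO could consume via `minimal`, would keep them from drifting.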
    @@ -4034,6 +4308,7 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
           curl
           git
           gnupg
    +      networkmanager
           rsync
           ssh-to-age
           sops
    @@ -4050,16 +4325,16 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
     
         environment.etc."issue".text = ''
           ~SwarselSystems~
    -                               IP of primary interface: \4
    -                                                                   The Password for all users & root is 'setup'.
    -                                                                   Install the system remotely by running 'bootstrap -n <CONFIGURATION_NAME> -d <IP_FROM_ABOVE> ' on a machine with deployed secrets.
    -                                                                   Alternatively, run 'swarsel-install -n <CONFIGURATION_NAME>' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access).
    +      IP of primary interface: \4
    +      The Password for all users & root is 'setup'.
    +      Install the system remotely by running 'bootstrap -n <CONFIGURATION_NAME> -d <IP_FROM_ABOVE> ' on a machine with deployed secrets.
    +      Alternatively, run 'swarsel-install -n <CONFIGURATION_NAME>' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access).
         '';
     
         networking = {
           hostName = "drugstore";
           wireless.enable = false;
    -      dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
    +      # dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
           networkmanager.enable = true;
         };
     
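Review bot: Commenting out `dhcpcd.runHook` removes the only thing that re-rendered `/etc/issue` after a lease arrived, so the `\4` on the banner will show whatever address agetty had when it started, which on a freshly booted ISO is usually nothing; with NetworkManager the equivalent hook is `networking.networkmanager.dispatcherScripts` running `${pkgs.util-linux}/bin/agetty --reload` on `up` (hedged: I cannot see from this hunk whether dhcpcd still runs alongside NetworkManager here). If the hook is really obsolete, delete the line rather than leaving it commented. The banner also advertises the shared `setup` password before login; that is by design for an installer, but a comment in the module should state the assumption it rests on (booted only on a trusted network, or sshd accepting keys only — the sshd settings are not in this hunk).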
    @@ -4067,11 +4342,20 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
     
         users = {
           allowNoPasswordLogin = true;
    +      groups.swarsel = { };
           users = {
    -        root = {
    +        swarsel = {
    +          name = "swarsel";
    +          group = "swarsel";
    +          isNormalUser = true;
               password = "setup"; # this is overwritten after install
    +          openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
    +          extraGroups = [ "wheel" ];
    +        };
    +        root = {
               initialHashedPassword = lib.mkForce null;
    -          openssh.authorizedKeys.keys = [ "ssh-rsa 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 cardno:22_412_399" ];
    +          password = lib.mkForce config.users.users.swarsel.password; # this is overwritten after install
    +          openssh.authorizedKeys.keys = config.users.users.swarsel.openssh.authorizedKeys.keys;
             };
           };
         };
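Review bot: `lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh"` turns every file under that directory into an authorized key for both `swarsel` and root, with no filter on name or content; a stray README, `.gitkeep` or a key that was meant to be retired still lands in `authorized_keys` (sshd skips malformed lines, but a forgotten `.pub` is silently authorized). Restrict it to public-key files: `pubKeys = builtins.filter (p: lib.hasSuffix ".pub" (toString p)) (lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh");` (the `let` is at the top of this module, above the hunk). Root also gains the literal password `setup` here — the previous version left root with `initialHashedPassword = null` and keys only — so if sshd on the ISO permits password logins for root this is a new remote way in; since `swarsel` is in `wheel`, root can stay key-only by dropping the `password = lib.mkForce …` line.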
    @@ -4082,10 +4366,10 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
     
         system.activationScripts.cache = {
           text = ''
    -          mkdir -p -m=0777 /home/setup/.local/state/nix/profiles
    -        mkdir -p -m=0777 /home/setup/.local/state/home-manager/gcroots
    -        mkdir -p -m=0777 /home/setup/.local/share/nix/
    -        printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/setup/.local/share/nix/trusted-settings.json > /dev/null
    +        mkdir -p -m=0777 /home/swarsel/.local/state/nix/profiles
    +        mkdir -p -m=0777 /home/swarsel/.local/state/home-manager/gcroots
    +        mkdir -p -m=0777 /home/swarsel/.local/share/nix/
    +        printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/swarsel/.local/share/nix/trusted-settings.json > /dev/null
             mkdir -p /root/.local/share/nix/
             printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null
           '';
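Review bot: The three `mkdir -p -m=0777` calls create root-owned, world-writable directories under the user's home, and `.local/share/nix/` is where `trusted-settings.json` lives — the file that decides which substituters and signing keys this user accepts — so any local account could swap it for one pointing at a cache of its choosing; `-m=0777` also does not look like a valid GNU `mkdir` mode (the argument is taken as `=0777`), so the pre-existing lines may have been failing quietly under the activation trap — worth checking the activation log. Create the tree with normal permissions, write the file as root, then hand the tree to the user; the JSON itself is unchanged. Alternatively, declaring the caches in `nix.settings.extra-substituters`/`trusted-public-keys` system-wide would make the per-user acceptance file unnecessary. The `system.activationScripts.cache` attrset closes after this hunk.
```nix
    system.activationScripts.cache = {
      text = ''
        install -d -m 0755 /home/swarsel/.local/state/nix/profiles \
                           /home/swarsel/.local/state/home-manager/gcroots \
                           /home/swarsel/.local/share/nix
        # … unchanged: printf of the trusted-settings JSON | tee /home/swarsel/.local/share/nix/trusted-settings.json …
        chmod 0644 /home/swarsel/.local/share/nix/trusted-settings.json
        chown -R swarsel:swarsel /home/swarsel/.local
        # … unchanged: root's /root/.local/share/nix/trusted-settings.json …
      '';
```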
    @@ -4111,7 +4395,7 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
     
    -
    3.1.4.3. Home-manager only (default non-NixOS)
    +
    3.1.4.3. Treehouse (home-manager only example)

     This is the "reference implementation" of a setup that runs without NixOS, only relying on home-manager. I try to test this every now and then and keep it supported. However, manual steps are needed to get the system to work fully, depending on what distribution you are running on.
    @@ -4176,7 +4460,7 @@ I also set the WLR_RENDERER_ALLOW_SOFTWARE=1 to allow this configur

    3.1.4.4.1. Main configuration
    -
    { self, inputs, config, pkgs, lib, ... }:
    +
    { self, config, pkgs, lib, minimal, ... }:
     let
       mainUser = "demo";
       sharedOptions = {
    @@ -4185,7 +4469,8 @@ let
         isLinux = true;
         isPublic = true;
         profiles = {
    -      chaostheatre = true;
    +      chaostheatre = lib.mkIf (!minimal) true;
    +      minimal = lib.mkIf minimal true;
         };
       };
     in
    @@ -4197,15 +4482,6 @@ in
           {
             _module.args.diskDevice = config.swarselsystems.rootDisk;
           }
    -      "${self}/hosts/nixos/chaostheatre/options.nix"
    -      inputs.home-manager.nixosModules.home-manager
    -      {
    -        home-manager.users."${mainUser}".imports = [
    -          "${self}/modules/home/common/settings.nix"
    -          "${self}/hosts/nixos/chaostheatre/options-home.nix"
    -          "${self}/modules/home/common/sharedsetup.nix"
    -        ];
    -      }
         ];
     
         environment.variables = {
    @@ -4229,13 +4505,13 @@ in
           {
             info = "~SwarselSystems~ demo host";
             wallpaper = self + /files/wallpaper/lenovowp.png;
    -        initialSetup = true;
             isImpermanence = true;
             isCrypted = true;
             isSecureBoot = false;
             isSwap = true;
             swapSize = "4G";
             rootDisk = "/dev/vda";
    +        profiles.btrfs = true;
           }
           sharedOptions;
     
    @@ -4651,7 +4927,6 @@ I usually use mutableUsers = false in my NixOS configuration. Howev
             default = "";
           };
           isCrypted = lib.mkEnableOption "uses full disk encryption";
    -      initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
     
           isImpermanence = lib.mkEnableOption "use impermanence on this system";
           isSecureBoot = lib.mkEnableOption "use secure boot on this system";
    @@ -4726,17 +5001,9 @@ A breakdown of the flags being set:
     
     
     
    -
    { lib, pkgs, config, outputs, inputs, ... }:
    -{
    -  options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
    -  config = lib.mkIf config.swarselsystems.modules.general {
    -    nixpkgs = {
    -      overlays = [ outputs.overlays.default ];
    -      config = {
    -        allowUnfree = true;
    -      };
    -    };
    -
    +
    { self, lib, pkgs, config, outputs, inputs, minimal, ... }:
    +let
    +  settings = if minimal then { } else {
         environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
           assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
           { }
    @@ -4746,7 +5013,56 @@ A breakdown of the flags being set:
           let
             flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
           in
    -        {
    +      {
    +        settings = {
    +          connect-timeout = 5;
    +          bash-prompt-prefix = "$SHLVL:\\w ";
    +          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
    +          fallback = true;
    +          min-free = 128000000;
    +          max-free = 1000000000;
    +          flake-registry = "";
    +          auto-optimise-store = true;
    +          warn-dirty = false;
    +          max-jobs = 1;
    +          use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
    +        };
    +        gc = {
    +          automatic = true;
    +          dates = "weekly";
    +          options = "--delete-older-than 10d";
    +        };
    +        optimise = {
    +          automatic = true;
    +          dates = "weekly";
    +        };
    +        channel.enable = false;
    +        registry = rec {
    +          nixpkgs.flake = inputs.nixpkgs;
    +          p = nixpkgs;
    +        };
    +        nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
    +      };
    +
    +    services.dbus.implementation = "broker";
    +
    +    systemd.services.nix-daemon = {
    +      environment.TMPDIR = "/var/tmp";
    +    };
    +
    +  };
    +in
    +{
    +  options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
    +  config = lib.mkIf config.swarselsystems.modules.general
    +    (lib.recursiveUpdate
    +      {
    +        sops.secrets.github-api-token = lib.mkIf (!minimal) {
    +          sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
    +        };
    +
    +        nix = {
    +          package = pkgs.nixVersions.nix_2_28;
               settings = {
                 experimental-features = [
                   "nix-command"
    @@ -4756,43 +5072,33 @@ A breakdown of the flags being set:
                   "pipe-operators"
                 ];
                 trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
    -            connect-timeout = 5;
    -            bash-prompt-prefix = "$SHLVL:\\w ";
    -            bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
    -            fallback = true;
    -            min-free = 128000000;
    -            max-free = 1000000000;
    -            flake-registry = "";
    -            auto-optimise-store = true;
    -            warn-dirty = false;
    -            max-jobs = 1;
    -            use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
               };
    -          gc = {
    -            automatic = true;
    -            dates = "weekly";
    -            options = "--delete-older-than 10d";
    -          };
    -          optimise = {
    -            automatic = true;
    -            dates = "weekly";
    -          };
    -          channel.enable = false;
    -          registry = rec {
    -            nixpkgs.flake = inputs.nixpkgs;
    -            p = nixpkgs;
    -          };
    -          nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
    +          # extraOptions = ''
    +          #   plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
    +          #   extra-builtins-file = ${self + /nix/extra-builtins.nix}
    +          # '';
    +          extraOptions = ''
    +            plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    +              buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
    +              patches = (o.patches or []) ++ ["${self}/nix/nix-plugins.patch"];
    +            })}/lib/nix/plugins
    +            extra-builtins-file = ${self + /nix/extra-builtins.nix}
    +          '' + lib.optionalString (!minimal) ''
    +            !include ${config.sops.secrets.github-api-token.path}
    +          '';
             };
     
    -    services.dbus.implementation = "broker";
    +        system.stateVersion = lib.mkDefault "23.05";
     
    -    systemd.services.nix-daemon = {
    -      environment.TMPDIR = "/var/tmp";
    -    };
    +        nixpkgs = {
    +          overlays = [ outputs.overlays.default ];
    +          config = {
    +            allowUnfree = true;
    +          };
    +        };
     
    -    system.stateVersion = lib.mkDefault "23.05";
    -  };
    +      }
    +      settings);
     }
     
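Review bot: The `!include ${config.sops.secrets.github-api-token.path}` line makes the decrypted secret part of `nix.conf` syntax, so the file has to contain a full setting line such as `access-tokens = github.com=<token>`, not a bare token, and anything else in it (a stray `substituters =` or `sandbox = false`) is applied to the daemon as well; nothing in the module records that contract. I would put `# the secret must be a complete nix.conf line, e.g. "access-tokens = github.com=<token>"; its whole content becomes daemon settings` above the `extraOptions` string. The commented-out `extraOptions` block just above the live one is dead and should go, and the live `nix-plugins.overrideAttrs` is a copy of the one in the drugstore ISO config earlier in this diff — one shared definition would stop the patch path from diverging. If `extra-builtins.nix` exposes `exec` (its contents are not in this diff), a one-line comment that evaluation on this host can run commands would spare the next reader a surprise.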
    @@ -4806,10 +5112,7 @@ We enable the use of home-manager as a NixoS module. A nice trick h

    -
    { self, inputs, config, lib, outputs, globals, nodes, ... }:
    -let
    -  mainUser = globals.user.name;
    -in
    +
    { self, inputs, config, lib, outputs, globals, nodes, minimal, configName, ... }:
       {
         options.swarselsystems.modules.home-manager = lib.mkEnableOption "home-manager";
         config = lib.mkIf config.swarselsystems.modules.home-manager {
    @@ -4817,18 +5120,24 @@ in
             useGlobalPkgs = true;
             useUserPackages = true;
             verbose = true;
    -        users."${mainUser}".imports = [
    -          "${self}/profiles/home"
    -          "${self}/modules/home"
    -        ];
    -        sharedModules = [
    +        users.swarsel.imports = [
               inputs.nix-index-database.hmModules.nix-index
               inputs.sops-nix.homeManagerModules.sops
    +          # inputs.stylix.homeModules.stylix
               {
    +            imports = [
    +              "${self}/profiles/home"
    +              "${self}/modules/home"
    +              # "${self}/modules/nixos/common/pii.nix"
    +              # "${self}/modules/nixos/common/meta.nix"
    +            ];
    +            # node = {
    +            #   secretsDir = if (!config.swarselsystems.isNixos) then ../../../hosts/home/${configName}/secrets else ../../../hosts/nixos/${configName}/secrets;
    +            # };
                 home.stateVersion = lib.mkDefault config.system.stateVersion;
               }
             ];
    -        extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes; };
    +        extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal configName; };
           };
         };
       }
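Review bot: The home-manager entry is now keyed on the literal `users.swarsel`, while the users module and `trusted-users` in this same diff derive the account from `config.swarselsystems.mainUser`; a host with a different main user (the demo host declares `mainUser = "demo"` earlier in this document) would get its NixOS user from one name and its home configuration for another, assuming that binding is what feeds `swarselsystems.mainUser` (the wiring is not in this hunk). `users.${config.swarselsystems.mainUser}.imports = [` keeps the two in step. The commented-out `stylix` import and `node.secretsDir` block are dead lines in the committed config; delete them, or turn the `secretsDir` one into a note on where that value is actually set.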
    @@ -4845,27 +5154,27 @@ In case of using a fully setup system, this makes also sure that no further user
     

    -For that reason, make sure that sops-nix is properly working before setting the initialSetup flag, otherwise you might lose user access.
    +For that reason, make sure that sops-nix is properly working before finishing the minimal setup, otherwise we might lose user access. The bootstrapping script takes care of this.

    -
    { self, pkgs, config, lib, ... }:
    +
    { self, pkgs, config, lib, minimal, ... }:
     let
       sopsFile = self + /secrets/general/secrets.yaml;
     in
       {
         options.swarselsystems.modules.users = lib.mkEnableOption "user config";
         config = lib.mkIf config.swarselsystems.modules.users {
    -      sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
    +      sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
     
           users = {
    -        mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
    +        mutableUsers = lib.mkIf (!minimal) false;
             users."${config.swarselsystems.mainUser}" = {
               isNormalUser = true;
               description = "Leon S";
    -          password = lib.mkIf config.swarselsystems.initialSetup "setup";
    -          hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
    -          extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
    +          password = lib.mkIf minimal "setup";
    +          hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.main-user-hashed-pw.path;
    +          extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
               packages = with pkgs; [ ];
             };
           };
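Review bot: `hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.main-user-hashed-pw.path` is evaluated on every non-minimal host, but the secret is only declared when `!config.swarselsystems.isPublic`; a public host built without `minimal` (the demo host sets `isPublic = true` and lost its `initialSetup = true` in this diff) references an undeclared secret, and even where that evaluates it ends up with `mutableUsers = false` and no password at all — the lock-out the paragraph above warns about. The condition should mirror the declaration, `hashedPasswordFile = lib.mkIf (!minimal && !config.swarselsystems.isPublic) config.sops.secrets.main-user-hashed-pw.path;` with `password = lib.mkIf (minimal || config.swarselsystems.isPublic) "setup";`, unless public hosts are always built with `minimal` (not visible here). A comment that `"setup"` plus `wheel` is a deliberate, temporary state the bootstrap script is expected to replace would also help.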
    @@ -4939,11 +5248,14 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
     
    3.2.1.12. PII management
    +

    +This is also exposed to home-manager configurations, in case this ever breaks, I can also go back to importing nixosConfig as an attribute in the input attribute set and call the secrets using nixosConfig.repo.secrets.
    +

    +
    # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
    -{ config, inputs, lib, ... }:
    +{ config, inputs, lib, minimal, ... }:
     let
    -
       # If the given expression is a bare set, it will be wrapped in a function,
       # so that the imported file can always be applied to the inputs, similar to
       # how modules can be functions or sets.
    @@ -4968,51 +5280,51 @@ let
     in
     {
       options = {
    -    repo = {
    -      secretFiles = lib.mkOption {
    -        default = { };
    -        type = lib.types.attrsOf lib.types.path;
    -        example = lib.literalExpression "{ local = ./pii.nix.enc; }";
    -        description = ''
    -        This file manages the origin for this machine's repository-secrets. Anything that is
    -        technically not a secret in the classical sense (i.e. that it has to be protected
    -        after it has been deployed), but something you want to keep secret from the public;
    -        Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
    -        on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
    +      repo = {
    +        secretFiles = lib.mkOption {
    +          default = { };
    +          type = lib.types.attrsOf lib.types.path;
    +          example = lib.literalExpression "{ local = ./pii.nix.enc; }";
    +          description = ''
    +            This file manages the origin for this machine's repository-secrets. Anything that is
    +            technically not a secret in the classical sense (i.e. that it has to be protected
    +            after it has been deployed), but something you want to keep secret from the public;
    +            Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
    +            on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
     
    -        All of these secrets may (and probably will be) put into the world-readable nix-store
    -        on the build and target hosts. You'll most likely want to store personally identifiable
    -        information here, such as:
    -          - MAC Addreses
    -          - Static IP addresses
    -          - Your full name (when configuring your users)
    -          - Your postal address (when configuring e.g. home-assistant)
    -          - ...
    +            All of these secrets may (and probably will be) put into the world-readable nix-store
    +            on the build and target hosts. You'll most likely want to store personally identifiable
    +            information here, such as:
    +              - MAC Addreses
    +              - Static IP addresses
    +              - Your full name (when configuring your users)
    +              - Your postal address (when configuring e.g. home-assistant)
    +              - ...
     
    -        Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
    -        the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
    -      '';
    -      };
    -
    -      secrets = lib.mkOption {
    -        readOnly = true;
    -        default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
    -        type = lib.types.unspecified;
    -        description = "Exposes the loaded repo secrets. This option is read-only.";
    +            Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
    +            the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
    +          '';
    +        };
    +
    +        secrets = lib.mkOption {
    +          readOnly = true;
    +          default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
    +          type = lib.types.unspecified;
    +          description = "Exposes the loaded repo secrets. This option is read-only.";
    +        };
           };
    +      swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
         };
    -    swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
    -  };
       config = lib.mkIf config.swarselsystems.modules.pii {
         repo.secretFiles =
           let
             local = config.node.secretsDir + "/pii.nix.enc";
           in
    -        (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // {
    -         common = ../../../secrets/repo/pii.nix.enc;
    +      (lib.optionalAttrs (lib.pathExists local && !minimal ) { inherit local; }) // lib.optionalAttrs (!minimal) {
    +        common = ../../../secrets/repo/pii.nix.enc;
           };
       };
    -  }
    +}
     
     
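Review bot: Most of this hunk is a re-indent of the option descriptions, and the one behavioural change — the `!minimal` guards on `repo.secretFiles` — is easy to miss under it; whitespace moves are better landed separately from logic. With those guards `config.repo.secrets` is `{}` on a minimal build, so every consumer that reads `config.repo.secrets.common.…` outside a `!minimal` guard (the network module later in this diff binds `config.repo.secrets.common.network` unconditionally in its `let`) fails evaluation as soon as the value is forced; either gate those modules on `minimal` too or document that `secrets` may be empty. A line in the `secretFiles` description such as `minimal builds load no repo secrets; consumers must tolerate an empty repo.secrets` would record the contract.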
    @@ -5022,20 +5334,25 @@ in
    3.2.1.13. Lanzaboote (secure boot)

    -This dynamically uses systemd boot or Lanzaboote depending on `config.swarselsystems.initialSetup` and `config.swarselsystems.isSecureBoot`.
    +This dynamically uses systemd boot or Lanzaboote depending on the minimal system state and `config.swarselsystems.isSecureBoot`.

    -
    { lib, config, ... }:
    +
    { lib, pkgs, config, minimal, ... }:
     {
       options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config";
       config = lib.mkIf config.swarselsystems.modules.lanzaboote {
    +
    +    environment.systemPackages = lib.mkIf config.swarselsystems.isSecureBoot [
    +      pkgs.sbctl
    +    ];
    +
         boot = {
           loader = {
             efi.canTouchEfiVariables = true;
    -        systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
    +        systemd-boot.enable = lib.swarselsystems.mkIfElse (minimal || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
           };
    -      lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
    +      lanzaboote = lib.mkIf (!minimal && config.swarselsystems.isSecureBoot) {
             enable = true;
             pkiBundle = "/var/lib/sbctl";
             configurationLimit = 6;
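Review bot: On a minimal build with `isSecureBoot = true` the host is forced onto plain `systemd-boot`, an unsigned bootloader, which only boots if firmware Secure Boot is off or in setup mode, and nothing in the module says so; that same window is where `sbctl` (now installed whenever `isSecureBoot`) is expected to create and enroll the keys. I would add `# minimal: unsigned systemd-boot; Secure Boot must be disabled or in setup mode until sbctl has enrolled keys into /var/lib/sbctl` above the `systemd-boot.enable` line. `pkiBundle = "/var/lib/sbctl"` holds the signing keys and the hosts in this diff use impermanence; whether that path is persisted (and kept root-only) is outside this hunk but decides whether Secure Boot survives the first reboot.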
    @@ -5170,15 +5487,12 @@ This section is for setting things that should be used on hosts that are using t
     

    -
    { lib, inputs, ... }:
    +
    { lib, ... }:
     let
       importNames = lib.swarselsystems.readNix "modules/nixos/client";
     in
     {
    -  imports = lib.swarselsystems.mkImports importNames "modules/nixos/client" ++ [
    -    inputs.stylix.nixosModules.stylix
    -    inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
    -  ];
    +  imports = lib.swarselsystems.mkImports importNames "modules/nixos/client";
     }
     
     
    @@ -5193,11 +5507,12 @@ Mostly used to install some compilers and lsp's that I want to have available wh

    -
    { lib, config, pkgs, ... }:
    +
    { lib, config, pkgs, minimal, ... }:
     {
       options.swarselsystems.modules.packages = lib.mkEnableOption "install packages";
       config = lib.mkIf config.swarselsystems.modules.packages {
    -    environment.systemPackages = with pkgs; [
    +
    +    environment.systemPackages = with pkgs; lib.optionals (!minimal) [
           # yubikey packages
           gnupg
           yubikey-personalization
    @@ -5268,9 +5583,20 @@ Mostly used to install some compilers and lsp's that I want to have available wh
     
           elk-to-svg
     
    +    ] ++ lib.optionals minimal [
    +      networkmanager
    +      curl
    +      git
    +      gnupg
    +      rsync
    +      ssh-to-age
    +      sops
    +      vim
    +      just
    +      sbctl
         ];
     
    -    nixpkgs.config.permittedInsecurePackages = [
    +    nixpkgs.config.permittedInsecurePackages = lib.mkIf (!minimal) [
           "jitsi-meet-1.0.8043"
           "electron-29.4.6"
           "SDL_ttf-2.0.11"
    @@ -5313,32 +5639,33 @@ Next, we will setup some environment variables that need to be set on the system
     
    -
    3.2.2.4. Security
    +
    3.2.2.4. Security (polkit)

    Needed for control over system-wide privileges etc. Also I make sure that the root user has access to SSH_AUTH_SOCK (without this, root will not be able to read my nix-secrets repository).

    -
    { lib, config, ... }:
    +
    { lib, config, minimal, ... }:
     {
       options.swarselsystems.modules.security = lib.mkEnableOption "security config";
       config = lib.mkIf config.swarselsystems.modules.security {
     
         security = {
    -      pam.services = {
    +      pam.services = lib.mkIf (!minimal) {
             login.u2fAuth = true;
             sudo.u2fAuth = true;
             swaylock.u2fAuth = true;
             swaylock.fprintAuth = false;
           };
    -      polkit.enable = true;
    +      polkit.enable = lib.mkIf (!minimal) true;
     
           sudo.extraConfig = ''
             Defaults    env_keep+=SSH_AUTH_SOCK
    -        Defaults    env_keep+=XDG_RUNTIME_DIR
    -        Defaults    env_keep+=WAYLAND_DISPLAY
    -      '';
    +      '' + lib.optionalString (!minimal) ''
    +          Defaults    env_keep+=XDG_RUNTIME_DIR
    +          Defaults    env_keep+=WAYLAND_DISPLAY
    +        '';
         };
       };
     }
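Review bot: `Defaults env_keep+=SSH_AUTH_SOCK` is unscoped, so every sudo invocation by any account carries the caller's agent socket into the root session; given the stated purpose (root reading the secrets repository as the main user), `Defaults:%wheel env_keep+=SSH_AUTH_SOCK` or `Defaults:${config.swarselsystems.mainUser} env_keep+=SSH_AUTH_SOCK` expresses the intent and keeps it from applying to service or guest accounts. The same scoping applies to the `XDG_RUNTIME_DIR`/`WAYLAND_DISPLAY` pair, which lets root-run programs attach to the user's compositor. A comment on the `minimal` split saying why PAM u2f and polkit are off on minimal hosts would save the next reader from guessing (my guess is that no keys are enrolled yet, but the hunk does not say).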
    @@ -5493,10 +5820,14 @@ Here I only enable networkmanager and a few default networks. The r
     

    -
    { self, lib, config, ... }:
    +
    { self, lib, pkgs, config, ... }:
     let
       certsSopsFile = self + /secrets/certs/secrets.yaml;
    +  clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
    +
       inherit (config.swarselsystems) mainUser;
    +  inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
    +
       iwd = config.networking.networkmanager.wifi.backend == "iwd";
     in
     {
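Review bot: `inherit (config.repo.secrets.common.network) wlan1 wlan2 …` is bound unconditionally in the `let`, yet `repo.secretFiles` is emptied on minimal builds elsewhere in this diff and the rest of this module is gated on `!config.swarselsystems.isPublic`; laziness keeps this from failing only as long as none of those names are used outside a guard, and the module does not take `minimal` at all. Either accept `minimal` and wrap the module's config in `lib.mkIf (!minimal && !config.swarselsystems.isPublic)`, or bind with a fallback, `net = config.repo.secrets.common.network or { };`, and use `net.wlan1` at the call sites. `clientSopsFile` now derives from `config.node.name`, which presumably matches the `hosts/nixos/<name>/` layout; that is worth a comment, since a mismatch surfaces only at activation. The module body continues past this hunk.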
    @@ -5508,39 +5839,33 @@ in
     
         sops = {
           secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    -        ernest = { };
    -        frauns = { };
    -        hotspot = { };
    -        eduid = { };
    -        edupass = { };
    -        handyhotspot = { };
    -        vpnuser = { };
    -        vpnpass = { };
    -        wireguardpriv = { };
    -        wireguardpub = { };
    -        wireguardendpoint = { };
    -        stashuser = { };
    -        stashpass = { };
    -        githubforgeuser = { };
    -        githubforgepass = { };
    -        gitlabforgeuser = { };
    -        gitlabforgepass = { };
    -        "sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
    -        "sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
    +        wlan1-pw = { };
    +        wlan2-pw = { };
    +        laptop-hotspot-pw = { };
    +        mobile-hotspot-pw = { };
    +        eduroam-user = { };
    +        eduroam-pw = { };
    +        pia-vpn-user = { };
    +        pia-vpn-pw = { };
    +        home-wireguard-client-private-key = { sopsFile = clientSopsFile; };
    +        home-wireguard-server-public-key = { };
    +        home-wireguard-endpoint = { };
    +        pia-vpn1-crl-pem = { sopsFile = certsSopsFile; };
    +        pia-vpn1-ca-pem = { sopsFile = certsSopsFile; };
           };
           templates = lib.mkIf (!config.swarselsystems.isPublic) {
             "network-manager.env".content = ''
    -          ERNEST=${config.sops.placeholder.ernest}
    -          FRAUNS=${config.sops.placeholder.frauns}
    -          HOTSPOT=${config.sops.placeholder.hotspot}
    -          EDUID=${config.sops.placeholder.eduid}
    -          EDUPASS=${config.sops.placeholder.edupass}
    -          HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
    -          VPNUSER=${config.sops.placeholder.vpnuser}
    -          VPNPASS=${config.sops.placeholder.vpnpass}
    -          WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
    -          WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
    -          WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
    +          WLAN1_PW=${config.sops.placeholder.wlan1-pw}
    +          WLAN2_PW=${config.sops.placeholder.wlan2-pw}
    +          LAPTOP_HOTSPOT_PW=${config.sops.placeholder.laptop-hotspot-pw}
    +          MOBILE_HOTSPOT_PW=${config.sops.placeholder.mobile-hotspot-pw}
    +          EDUROAM_USER=${config.sops.placeholder.eduroam-user}
    +          EDUROAM_PW=${config.sops.placeholder.eduroam-pw}
    +          PIA_VPN_USER=${config.sops.placeholder.pia-vpn-user}
    +          PIA_VPN_PW=${config.sops.placeholder.pia-vpn-pw}
    +          HOME_WIREGUARD_CLIENT_PRIVATE_KEY=${config.sops.placeholder.home-wireguard-client-private-key}
    +          HOME_WIREGUARD_SERVER_PUBLIC_KEY=${config.sops.placeholder.home-wireguard-server-public-key}
    +          HOME_WIREGUARD_ENDPOINT=${config.sops.placeholder.home-wireguard-endpoint}
             '';
           };
         };
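Review bot: The certificate secrets `pia-vpn1-crl-pem` and `pia-vpn1-ca-pem` no longer set `owner = mainUser`, so they fall back to sops-nix's default owner and mode (root, 0400); NetworkManager itself runs as root so this is probably fine, but it is worth confirming the openvpn helper can still open the CA and CRL files if it reads them after dropping privileges. Since `home-wireguard-client-private-key` is the one entry that reads from `clientSopsFile`, a short comment on that line saying the key is per-host while the rest come from the module's default file would help the next reader, e.g. `# per-host key: lives in this host's secrets.yaml, not the shared one`.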
    @@ -5577,14 +5902,23 @@ in
           networkmanager = {
             enable = true;
             wifi.backend = "iwd";
    +        plugins = [
    +          # list of plugins: https://search.nixos.org/packages?query=networkmanager-
    +          # docs https://networkmanager.dev/docs/vpn/
    +          pkgs.networkmanager-openconnect
    +          pkgs.networkmanager-openvpn
    +        ];
             ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
               environmentFiles = [
                 "${config.sops.templates."network-manager.env".path}"
               ];
    -          profiles = {
    -            "Ernest Routerford" = {
    +          profiles = let
    +            inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
    +          in
    +            {
    +            ${wlan1} = {
                   connection = {
    -                id = "Ernest Routerford";
    +                id = wlan1;
                     permissions = "";
                     type = "wifi";
                   };
    @@ -5600,12 +5934,12 @@ in
                   wifi = {
                     mac-address-blacklist = "";
                     mode = "infrastructure";
    -                ssid = "Ernest Routerford";
    +                ssid = wlan1;
                   };
                   wifi-security = {
                     auth-alg = "open";
                     key-mgmt = "wpa-psk";
    -                psk = "$ERNEST";
    +                psk = "WLAN1_PW";
                   };
                 };
     
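Review bot: The PSK for the `${wlan1}` profile is written as `psk = "WLAN1_PW";` without the `$` that every other profile uses (`"$WLAN2_PW"`, `"$MOBILE_HOTSPOT_PW"`), so NetworkManager will store the literal string `WLAN1_PW` as the pre-shared key instead of the value substituted from the environment file, and the connection will not authenticate. Change it to `psk = "$WLAN1_PW";`. The `${wlan1}` profile begins in the previous hunk.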
    @@ -5618,7 +5952,6 @@ in
                   ethernet = {
                     auto-negotiate = "true";
                     cloned-mac-address = "preserve";
    -                mac-address = "90:2E:16:D0:A1:87";
                   };
                   ipv4 = { method = "shared"; };
                   ipv6 = {
    @@ -5631,10 +5964,10 @@ in
                 eduroam = {
                   "802-1x" = {
                     eap = if (!iwd) then "ttls;" else "peap;";
    -                identity = "$EDUID";
    -                password = "$EDUPASS";
    +                identity = "$EDUROAM_USER";
    +                password = "$EDUROAM_PW";
                     phase2-auth = "mschapv2";
    -                anonymous-identity = lib.mkIf iwd "anonymous@student.tuwien.ac.at";
    +                anonymous-identity = lib.mkIf iwd eduroam-anon;
                   };
                   connection = {
                     id = "eduroam";
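Review bot: The `802-1x` block for eduroam sets `eap`, `identity`, `password` and `phase2-auth` but no server-certificate validation (`ca-cert`, `domain-suffix-match` or `altsubject-matches`), so the TTLS/PEAP outer tunnel is accepted from any RADIUS server that presents a certificate and the MSCHAPv2 inner credentials can be captured by a network impersonating the SSID. Add the institution's CA and server-name match from its eduroam CAT profile next to the existing keys, e.g. `ca-cert = "<path-to-institution-ca.pem>"; domain-suffix-match = "<radius-server-hostname>";` (placeholders), shipping the CA through sops the same way the PIA certificates are. The `eduroam` profile continues outside the hunk.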
    @@ -5674,9 +6007,9 @@ in
                   proxy = { };
                 };
     
    -            HH40V_39F5 = {
    +            ${wlan2} = {
                   connection = {
    -                id = "HH40V_39F5";
    +                id = wlan2;
                     type = "wifi";
                   };
                   ipv4 = { method = "auto"; };
    @@ -5688,17 +6021,17 @@ in
                   wifi = {
                     band = "bg";
                     mode = "infrastructure";
    -                ssid = "HH40V_39F5";
    +                ssid = wlan2;
                   };
                   wifi-security = {
                     key-mgmt = "wpa-psk";
    -                psk = "$FRAUNS";
    +                psk = "$WLAN2_PW";
                   };
                 };
     
    -            magicant = {
    +            ${mobile1} = {
                   connection = {
    -                id = "magicant";
    +                id = mobile1;
                     type = "wifi";
                   };
                   ipv4 = { method = "auto"; };
    @@ -5709,30 +6042,30 @@ in
                   proxy = { };
                   wifi = {
                     mode = "infrastructure";
    -                ssid = "magicant";
    +                ssid = mobile1;
                   };
                   wifi-security = {
                     auth-alg = "open";
                     key-mgmt = "wpa-psk";
    -                psk = "$HANDYHOTSPOT";
    +                psk = "$MOBILE_HOTSPOT_PW";
                   };
                 };
     
    -            wireguardvpn = {
    +            home-wireguard = {
                   connection = {
                     id = "HomeVPN";
                     type = "wireguard";
                     autoconnect = "false";
                     interface-name = "wg1";
                   };
    -              wireguard = { private-key = "$WIREGUARDPRIV"; };
    -              "wireguard-peer.$WIREGUARDPUB" = {
    -                endpoint = "$WIREGUARDENDPOINT";
    -                allowed-ips = "0.0.0.0/0";
    +              wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; };
    +              "wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = {
    +                endpoint = "$HOME_WIREGUARD_ENDPOINT";
    +                allowed-ips = home-wireguard-allowed-ips;
                   };
                   ipv4 = {
                     method = "ignore";
    -                address1 = "192.168.3.3/32";
    +                address1 = home-wireguard-address;
                   };
                   ipv6 = {
                     addr-gen-mode = "stable-privacy";
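Review bot: The peer section name `"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY"` misspells the variable (`WIREGURARD`); the sops template defines `HOME_WIREGUARD_SERVER_PUBLIC_KEY`, so the reference will not be substituted (or substitutes to empty) and the peer entry will not carry the server's public key, leaving the tunnel without a valid peer. Change it to `"wireguard-peer.$HOME_WIREGUARD_SERVER_PUBLIC_KEY"`. Because this key is the only peer-identity check a WireGuard client has, a silently wrong value fails closed but gives no evaluation-time error, so it is worth a test connection after the fix. The `home-wireguard` profile continues outside the hunk.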
    @@ -5741,10 +6074,10 @@ in
                   proxy = { };
                 };
     
    -            "sweden-aes-128-cbc-udp-dns" = {
    +            pia-vpn1 = {
                   connection = {
                     autoconnect = "false";
    -                id = "PIA Sweden";
    +                id = "PIA ${vpn1-location}";
                     type = "vpn";
                   };
                   ipv4 = { method = "auto"; };
    @@ -5755,21 +6088,21 @@ in
                   proxy = { };
                   vpn = {
                     auth = "sha1";
    -                ca = config.sops.secrets."sweden-aes-128-cbc-udp-dns-ca.pem".path;
    +                ca = config.sops.secrets."pia-vpn1-ca-pem".path;
                     challenge-response-flags = "2";
    -                cipher = "aes-128-cbc";
    +                cipher = vpn1-cipher;
                     compress = "yes";
                     connection-type = "password";
    -                crl-verify-file = config.sops.secrets."sweden-aes-128-cbc-udp-dns-crl-verify.pem".path;
    +                crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path;
                     dev = "tun";
                     password-flags = "0";
    -                remote = "sweden.privacy.network:1198";
    +                remote = vpn1-address;
                     remote-cert-tls = "server";
                     reneg-seconds = "0";
                     service-type = "org.freedesktop.NetworkManager.openvpn";
    -                username = "$VPNUSER";
    +                username = "$PIA_VPN_USER";
                   };
    -              vpn-secrets = { password = "$VPNPASS"; };
    +              vpn-secrets = { password = "$PIA_VPN_PW"; };
                 };
     
                 Hotspot = {
    @@ -5793,7 +6126,7 @@ in
                     key-mgmt = "wpa-psk";
                     pairwise = "ccmp;";
                     proto = "rsn;";
    -                psk = "$HOTSPOT";
    +                psk = "$MOBILE_HOTSPOT_PW";
                   };
                 };
     
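Review bot: The `Hotspot` profile now takes `psk = "$MOBILE_HOTSPOT_PW";`, the same variable the `${mobile1}` profile uses, while `LAPTOP_HOTSPOT_PW` is rendered into the env template but referenced by no profile in this diff; the old mapping was `$HOTSPOT` here and `$HANDYHOTSPOT` for the mobile profile, so this looks like it was meant to be `psk = "$LAPTOP_HOTSPOT_PW";`. If sharing the key is intended, the `laptop-hotspot-pw` secret and its template line can be dropped; otherwise two networks now share one pre-shared key and rotating one silently changes the other. The `Hotspot` profile begins outside the hunk.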
    @@ -5853,16 +6186,20 @@ By default, stylix wants to style
     

    -
    { lib, config, ... }:
    +
    { self, lib, config, ... }:
     {
       options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config";
    -  config = lib.mkIf config.swarselsystems.modules.stylix {
    -    stylix = lib.recursiveUpdate
    -      {
    -        targets.grub.enable = false; # the styling makes grub more ugly
    -        image = config.swarselsystems.wallpaper;
    -      }
    -      config.swarselsystems.stylix;
    +  config = {
    +    stylix = {
    +      enable = true;
    +      base16Scheme = "${self}/files/stylix/swarsel.yaml";
    +    } // lib.optionalAttrs config.swarselsystems.modules.stylix
    +      (lib.recursiveUpdate
    +        {
    +          targets.grub.enable = false; # the styling makes grub more ugly
    +          image = config.swarselsystems.wallpaper;
    +        }
    +        config.swarselsystems.stylix);
         home-manager.users."${config.swarselsystems.mainUser}" = {
           stylix = {
             targets = config.swarselsystems.stylixHomeTargets;
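Review bot: `stylix.enable = true;` and `base16Scheme` are now set unconditionally, and the `home-manager.users.<mainUser>` block that follows (it continues past the hunk) is no longer under `lib.mkIf config.swarselsystems.modules.stylix`, so that option now gates only the wallpaper, the grub target and the `config.swarselsystems.stylix` overrides rather than the whole stylix setup. That is a behaviour change for hosts with the option off and nothing in the module says so; a comment above `config = {`, e.g. `# stylix is always on; modules.stylix only adds wallpaper/grub/custom overrides`, would make the intent explicit. Also `//` is a shallow merge, so an `enable` or `base16Scheme` key inside `config.swarselsystems.stylix` silently replaces the defaults set here.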
    @@ -6168,8 +6505,8 @@ Most of the time I am using power-saver, however, it is good to be
     {
       options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings";
       config = lib.mkIf config.swarselsystems.modules.swayosd {
    -    environment.systemPackages = [ pkgs.swayosd ];
    -    services.udev.packages = [ pkgs.swayosd ];
    +    environment.systemPackages = [ pkgs.dev.swayosd ];
    +    services.udev.packages = [ pkgs.dev.swayosd ];
         systemd.services.swayosd-libinput-backend = {
           description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc.";
           documentation = [ "https://github.com/ErikReider/SwayOSD" ];
    @@ -6180,7 +6517,7 @@ Most of the time I am using power-saver, however, it is good to be
           serviceConfig = {
             Type = "dbus";
             BusName = "org.erikreider.swayosd";
    -        ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend";
    +        ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend";
             Restart = "on-failure";
           };
         };
    @@ -6463,6 +6800,11 @@ This snipped is added to the activation script that is run after every rebuild a
     {
       options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config";
       config = lib.mkIf config.swarselsystems.modules.nvd {
    +
    +    environment.systemPackages = [
    +      pkgs.nvd
    +    ];
    +
         system.activationScripts.diff = {
           supportsDryActivation = true;
           text = ''
    @@ -6513,7 +6855,7 @@ This is used to better integrate Sway into the system on NixOS hosts. On the hom
       config = lib.mkIf config.swarselsystems.modules.sway {
         programs.sway = {
           enable = true;
    -      package = pkgs.swayfx;
    +      package = pkgs.dev.swayfx;
           wrapperFeatures = {
             base = true;
             gtk = true;
    @@ -6833,6 +7175,7 @@ in
           vim
           sops
           swarsel-deploy
    +      tmux
         ];
       };
     }
    @@ -6910,6 +7253,7 @@ in
     let
       inherit (config.repo.secrets.common) dnsProvider;
       inherit (config.repo.secrets.common.mail) address3;
    +
     in
     {
       options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server";
    @@ -6919,10 +7263,9 @@ in
         ];
     
         sops = {
    -      # secrets.dnstokenfull = { owner = "acme"; };
    -      secrets.dnstokenfull = { };
    +      secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
           templates."certs.secret".content = ''
    -        CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
    +        CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token}
           '';
         };
     
    @@ -7001,6 +7344,8 @@ Here I am forcing startWhenNeeded to false so that the value will n
     
    { self, lib, config, pkgs, ... }:
     let
    +  inherit (config.swarselsystems) sopsFile;
    +
       servicePort = 8080;
       serviceName = "kavita";
       serviceUser = "kavita";
    @@ -7017,7 +7362,7 @@ in
           extraGroups = [ "users" ];
         };
     
    -    sops.secrets.kavita = { owner = serviceUser; };
    +    sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; };
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    @@ -7032,7 +7377,7 @@ in
           enable = true;
           user = serviceUser;
           settings.Port = servicePort;
    -      tokenKeyFile = config.sops.secrets.kavita.path;
    +      tokenKeyFile = config.sops.secrets.kavita-token.path;
           dataDir = "/Vault/data/${serviceName}";
         };
     
    @@ -7335,6 +7680,8 @@ in
     
    { self, lib, config, pkgs, ... }:
     let
    +  inherit (config.swarselsystems) sopsFile;
    +
       servicePort = 3254;
       serviceUser = "mpd";
       serviceGroup = serviceUser;
    @@ -7358,7 +7705,7 @@ in
         };
     
         sops = {
    -      secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +      secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         };
     
         environment.systemPackages = with pkgs; [
    @@ -7384,7 +7731,7 @@ in
           };
           credentials = [
             {
    -          passwordFile = config.sops.secrets.mpdpass.path;
    +          passwordFile = config.sops.secrets.mpd-pw.path;
               permissions = [
                 "read"
                 "add"
    @@ -7460,6 +7807,8 @@ in
     
    { lib, config, pkgs, ... }:
     let
    +  inherit (config.swarselsystems) sopsFile;
    +
       servicePort = 8008;
       serviceName = "matrix";
       serviceDomain = config.repo.secrets.common.services.domains.matrix;
    @@ -7489,29 +7838,29 @@ in
     
         sops = {
           secrets = {
    -        matrixsharedsecret = { owner = serviceUser; };
    -        mautrixtelegram_as = { owner = serviceUser; };
    -        mautrixtelegram_hs = { owner = serviceUser; };
    -        mautrixtelegram_api_id = { owner = serviceUser; };
    -        mautrixtelegram_api_hash = { owner = serviceUser; };
    +        matrix-shared-secret = { inherit sopsFile; owner = serviceUser; };
    +        mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; };
    +        mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; };
    +        mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; };
    +        mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; };
           };
           templates = {
             "matrix_user_register.sh".content = ''
    -          register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort}
    +          register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort}
             '';
             matrixshared = {
               owner = serviceUser;
               content = ''
    -            registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
    +            registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret}
               '';
             };
             mautrixtelegram = {
               owner = serviceUser;
               content = ''
    -            MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
    -            MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
    -            MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
    -            MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
    +            MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token}
    +            MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token}
    +            MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id}
    +            MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash}
               '';
             };
           };
    @@ -7814,6 +8163,7 @@ in
     
    { pkgs, lib, config, ... }:
     let
       inherit (config.repo.secrets.local.nextcloud) adminuser;
    +  inherit (config.swarselsystems) sopsFile;
     
       servicePort = 80;
       serviceUser = "nextcloud";
    @@ -7826,16 +8176,8 @@ in
       config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
     
         sops.secrets = {
    -      nextcloudadminpass = {
    -        owner = serviceUser;
    -        group = serviceGroup;
    -        mode = "0440";
    -      };
    -      kanidm-nextcloud-client = {
    -        owner = serviceUser;
    -        group = serviceGroup;
    -        mode = "0440";
    -      };
    +      nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +      kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         };
     
     
    @@ -7861,7 +8203,7 @@ in
             extraAppsEnable = true;
             config = {
               inherit adminuser;
    -          adminpassFile = config.sops.secrets.nextcloudadminpass.path;
    +          adminpassFile = config.sops.secrets.nextcloud-admin-pw.path;
               dbtype = "sqlite";
             };
           };
    @@ -7984,6 +8326,8 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of 
     
    { lib, pkgs, config, globals, ... }:
     let
    +  inherit (config.swarselsystems) sopsFile;
    +
       servicePort = 28981;
       serviceUser = "paperless";
       serviceGroup = serviceUser;
    @@ -8003,12 +8347,8 @@ in
         };
     
         sops.secrets = {
    -      paperless_admin = { owner = serviceUser; };
    -      kanidm-paperless-client = {
    -        owner = serviceUser;
    -        group = serviceGroup;
    -        mode = "0440";
    -      };
    +      paperless-admin-pw = { inherit sopsFile; owner = serviceUser; };
    +      kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         };
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
    @@ -8022,7 +8362,7 @@ in
             dataDir = "/Vault/data/${serviceName}";
             user = serviceUser;
             port = servicePort;
    -        passwordFile = config.sops.secrets.paperless_admin.path;
    +        passwordFile = config.sops.secrets.paperless-admin-pw.path;
             address = "0.0.0.0";
             settings = {
               PAPERLESS_OCR_LANGUAGE = "deu+eng";
    @@ -8354,7 +8694,7 @@ in
               "magicant" = {
                 id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
               };
    -          "sync@oracle" = {
    +          "milkywell@oracle" = {
                 id = "ETW6TST-NPK7MKZ-M4LXMHA-QUPQHDT-VTSHH5X-CR5EIN2-YU7E55F-MGT7DQB";
               };
               "${workHostName}" = {
    @@ -8369,7 +8709,7 @@ in
                 path = "${cfg.dataDir}/Sync";
                 type = "receiveonly";
                 versioning = null;
    -            devices = [ "sync@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
    +            devices = [ "milkywell@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
                 id = "default";
               };
               "Obsidian" = {
    @@ -8379,7 +8719,7 @@ in
                   type = "simple";
                   params.keep = "5";
                 };
    -            devices = [ "sync@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
    +            devices = [ "milkywell@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
                 id = "yjvni-9eaa7";
               };
               "Org" = {
    @@ -8389,7 +8729,7 @@ in
                   type = "simple";
                   params.keep = "5";
                 };
    -            devices = [ "sync@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
    +            devices = [ "milkywell@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
                 id = "a7xnl-zjj3d";
               };
               "Vpn" = {
    @@ -8399,7 +8739,7 @@ in
                   type = "simple";
                   params.keep = "5";
                 };
    -            devices = [ "sync@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
    +            devices = [ "milkywell@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
                 id = "hgp9s-fyq3p";
               };
               # "Documents" = {
    @@ -8456,17 +8796,17 @@ This manages backups for my pictures and obsidian files.
     
    { lib, pkgs, config, ... }:
     let
    -  inherit (config.repo.secrets.local) resticRepo;
    -in
    +  inherit (config.swarselsystems) sopsFile;
    +  in
     {
       options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
       config = lib.mkIf config.swarselsystems.modules.server.restic {
     
         sops = {
           secrets = {
    -        resticpw = { };
    -        resticaccesskey = { };
    -        resticsecretaccesskey = { };
    +        resticpw = { inherit sopsFile; };
    +        resticaccesskey = { inherit sopsFile; };
    +        resticsecretaccesskey = { inherit sopsFile; };
           };
           templates = {
             "restic-env".content = ''
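Review bot: The restic secrets keep their old names (`resticpw`, `resticaccesskey`, `resticsecretaccesskey`) and only gain `inherit sopsFile;`, whereas every other module touched by this commit moves to the hyphenated form (`mpd-pw`, `kavita-token`, `grafana-admin-pw`); unless the restic sops entries are deliberately left alone, `restic-pw`, `restic-access-key` and `restic-secret-access-key` would match the new convention, with the template and `passwordFile` references updated alongside. Separately, the `in` keyword is now written as `  in` with two spaces of indent while the other modules keep it at column 0. The `sops` block continues past the hunk.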
    @@ -8476,35 +8816,39 @@ in
           };
         };
     
    -    services.restic = {
    -      backups = {
    -        SwarselWinters = {
    -          environmentFile = config.sops.templates."restic-env".path;
    -          passwordFile = config.sops.secrets.resticpw.path;
    -          paths = [
    -            "/Vault/data/paperless"
    -            "/Vault/Eternor/Paperless"
    -            "/Vault/Eternor/Bilder"
    -            "/Vault/Eternor/Immich"
    -          ];
    -          pruneOpts = [
    -            "--keep-daily 3"
    -            "--keep-weekly 2"
    -            "--keep-monthly 3"
    -            "--keep-yearly 100"
    -          ];
    -          backupPrepareCommand = ''
    -            ${pkgs.restic}/bin/restic prune
    -          '';
    -          repository = "${resticRepo}";
    -          initialize = true;
    -          timerConfig = {
    -            OnCalendar = "03:00";
    +    services.restic =
    +      let
    +        inherit (config.repo.secrets.local) resticRepo;
    +      in
    +      {
    +        backups = {
    +          SwarselWinters = {
    +            environmentFile = config.sops.templates."restic-env".path;
    +            passwordFile = config.sops.secrets.resticpw.path;
    +            paths = [
    +              "/Vault/data/paperless"
    +              "/Vault/Eternor/Paperless"
    +              "/Vault/Eternor/Bilder"
    +              "/Vault/Eternor/Immich"
    +            ];
    +            pruneOpts = [
    +              "--keep-daily 3"
    +              "--keep-weekly 2"
    +              "--keep-monthly 3"
    +              "--keep-yearly 100"
    +            ];
    +            backupPrepareCommand = ''
    +              ${pkgs.restic}/bin/restic prune
    +            '';
    +            repository = "${resticRepo}";
    +            initialize = true;
    +            timerConfig = {
    +              OnCalendar = "03:00";
    +            };
               };
    -        };
     
    +        };
           };
    -    };
     
       };
     }
    @@ -8522,7 +8866,6 @@ This section exposes several metrics that I use to check the health of my server
     
    { self, lib, config, globals, ... }:
     let
    -
       servicePort = 3000;
       serviceUser = "grafana";
       serviceGroup = serviceUser;
    @@ -8532,11 +8875,12 @@ let
       prometheusPort = 9090;
       prometheusUser = "prometheus";
       prometheusGroup = prometheusUser;
    -  nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
       grafanaUpstream = "grafana";
       prometheusUpstream = "prometheus";
       prometheusWebRoot = "prometheus";
       kanidmDomain = globals.services.kanidm.domain;
    +
    +  inherit (config.swarselsystems) sopsFile;
     in
     {
       options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    @@ -8544,9 +8888,9 @@ in
     
         sops = {
           secrets = {
    -        grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
             prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
     
           };
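Review bot: `prometheus-admin-hash` still points at `sopsFile = self + /secrets/winters/secrets2.yaml;` while the three renamed secrets next to it now take `inherit sopsFile;`, so this module is host-specific on one line even though it is otherwise host-agnostic after this change. If the hash genuinely lives in a separate file, a comment on that line saying why, e.g. `# kept in secrets2.yaml, not the host's default sops file`, would stop the next cleanup from "fixing" it; otherwise move it to the shared file and use `inherit sopsFile;` like its siblings.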
    @@ -8606,7 +8950,7 @@ in
                       incrementalQueryOverlapWindow = "10m";
                     };
                     secureJsonData = {
    -                  basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}";
    +                  basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}";
                     };
                   }
                 ];
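Review bot: `basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}";` hard-codes the secret's runtime path, so a future rename of the secret (as just happened) or a change of sops-nix's secrets directory breaks the Grafana datasource silently, with no evaluation error. Interpolating the path the secret declaration already exports keeps the two in step: `basicAuthPassword = "$__file{${config.sops.secrets.prometheus-admin-pw.path}}";`. The same applies to `admin_password = "$__file{/run/secrets/grafana-admin-pw}";` in the next hunk.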
    @@ -8617,7 +8961,7 @@ in
               analytics.reporting_enabled = false;
               users.allow_sign_up = false;
               security = {
    -            admin_password = "$__file{/run/secrets/grafanaadminpass}";
    +            admin_password = "$__file{/run/secrets/grafana-admin-pw}";
                 cookie_secure = true;
                 disable_gravatar = true;
               };
    @@ -8652,74 +8996,78 @@ in
             };
           };
     
    -      prometheus = {
    -        enable = true;
    -        webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
    -        port = prometheusPort;
    -        listenAddress = "0.0.0.0";
    -        globalConfig = {
    -          scrape_interval = "10s";
    -        };
    -        webConfigFile = config.sops.templates.web-config.path;
    -        scrapeConfigs = [
    -          {
    -            job_name = "node";
    -            static_configs = [{
    -              targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
    -            }];
    -          }
    -          {
    -            job_name = "zfs";
    -            static_configs = [{
    -              targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
    -            }];
    -          }
    -          {
    -            job_name = "nginx";
    -            static_configs = [{
    -              targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
    -            }];
    -          }
    -          {
    -            job_name = "nextcloud";
    -            static_configs = [{
    -              targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
    -            }];
    -          }
    -        ];
    -        exporters = {
    -          node = {
    -            enable = true;
    -            port = 9000;
    -            enabledCollectors = [ "systemd" ];
    -            extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
    +      prometheus =
    +        let
    +          nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
    +        in
    +        {
    +          enable = true;
    +          webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
    +          port = prometheusPort;
    +          listenAddress = "0.0.0.0";
    +          globalConfig = {
    +            scrape_interval = "10s";
               };
    -          zfs = {
    -            enable = true;
    -            port = 9134;
    -            pools = [
    -              "Vault"
    -            ];
    -          };
    -          restic = {
    -            enable = false;
    -            port = 9753;
    -          };
    -          nginx = {
    -            enable = true;
    -            port = 9113;
    -            sslVerify = false;
    -            scrapeUri = "http://localhost/nginx_status";
    -          };
    -          nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud {
    -            enable = true;
    -            port = 9205;
    -            url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
    -            username = nextcloudUser;
    -            passwordFile = config.sops.secrets.nextcloudadminpass.path;
    +          webConfigFile = config.sops.templates.web-config.path;
    +          scrapeConfigs = [
    +            {
    +              job_name = "node";
    +              static_configs = [{
    +                targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
    +              }];
    +            }
    +            {
    +              job_name = "zfs";
    +              static_configs = [{
    +                targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
    +              }];
    +            }
    +            {
    +              job_name = "nginx";
    +              static_configs = [{
    +                targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
    +              }];
    +            }
    +            {
    +              job_name = "nextcloud";
    +              static_configs = [{
    +                targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
    +              }];
    +            }
    +          ];
    +          exporters = {
    +            node = {
    +              enable = true;
    +              port = 9000;
    +              enabledCollectors = [ "systemd" ];
    +              extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
    +            };
    +            zfs = {
    +              enable = true;
    +              port = 9134;
    +              pools = [
    +                "Vault"
    +              ];
    +            };
    +            restic = {
    +              enable = false;
    +              port = 9753;
    +            };
    +            nginx = {
    +              enable = true;
    +              port = 9113;
    +              sslVerify = false;
    +              scrapeUri = "http://localhost/nginx_status";
    +            };
    +            nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud {
    +              enable = true;
    +              port = 9205;
    +              url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
    +              username = nextcloudUser;
    +              passwordFile = config.sops.secrets.nextcloud-admin-pw.path;
    +            };
               };
             };
    -      };
         };
     
     
    @@ -8877,13 +9225,13 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
     
    { self, lib, config, ... }:
     let
    -  inherit (config.repo.secrets.local.freshrss) defaultUser;
    -
       servicePort = 80;
       serviceName = "freshrss";
       serviceUser = "freshrss";
       serviceGroup = serviceName;
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    +
    +  inherit (config.swarselsystems) sopsFile;
     in
     {
       options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    @@ -8899,9 +9247,9 @@ in
     
         sops = {
           secrets = {
    -        fresh = { owner = serviceUser; };
    -        "kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        freshrss-pw = { inherit sopsFile; owner = serviceUser; };
    +        kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        # freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
           };
     
           #   templates = {
    @@ -8932,15 +9280,19 @@ in
     
         globals.services.${serviceName}.domain = serviceDomain;
     
    -    services.${serviceName} = {
    -      inherit defaultUser;
    -      enable = true;
    -      virtualHost = serviceDomain;
    -      baseUrl = "https://${serviceDomain}";
    -      authType = "form";
    -      dataDir = "/Vault/data/tt-rss";
    -      passwordFile = config.sops.secrets.fresh.path;
    -    };
    +    services.${serviceName} =
    +      let
    +        inherit (config.repo.secrets.local.freshrss) defaultUser;
    +      in
    +      {
    +        inherit defaultUser;
    +        enable = true;
    +        virtualHost = serviceDomain;
    +        baseUrl = "https://${serviceDomain}";
    +        authType = "form";
    +        dataDir = "/Vault/data/tt-rss";
    +        passwordFile = config.sops.secrets.freshrss-pw.path;
    +      };
     
         # systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [
         #   config.sops.templates.freshrss-env.path
    @@ -8986,7 +9338,9 @@ in
     
    { lib, config, pkgs, globals, ... }:
     let
    -  servicePort = 3000;
    +  inherit (config.swarselsystems) sopsFile;
    +
    +  servicePort = 3004;
       serviceUser = "forgejo";
       serviceGroup = serviceUser;
       serviceName = "forgejo";
    @@ -9008,13 +9362,14 @@ in
         users.groups.${serviceGroup} = { };
     
         sops.secrets = {
    -      kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +      kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
         };
     
         globals.services.${serviceName}.domain = serviceDomain;
     
         services.${serviceName} = {
           enable = true;
    +      stateDir = "/Vault/data/${serviceName}";
           user = serviceUser;
           group = serviceGroup;
           lfs.enable = lib.mkDefault true;
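Review bot: `stateDir = "/Vault/data/${serviceName}"` relocates repositories, LFS objects and forgejo's own DB/config, and nothing in this change migrates an instance that already lives under the module's previous default state directory, so either a one-time move or a comment that this is a fresh deployment is needed (the `services.forgejo` block continues outside the hunk). `/Vault` is listed as a ZFS pool by the zfs exporter in an earlier hunk; if the pool is imported late, forgejo would start against an empty directory on the root filesystem, so `systemd.services.forgejo.unitConfig.RequiresMountsFor = [ "/Vault/data" ];` is worth adding alongside the stateDir change. The `servicePort` bump to 3004 in the preceding hunk should be checked against whatever upstream/firewall entries reference it outside this view.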
    @@ -9111,7 +9466,7 @@ in
             '';
         };
     
    -    services.nginx = {
    +    nodes.moonside.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
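Review bot: The upstream `servers` entry (which continues outside this hunk) must now name an address reachable from moonside rather than localhost, because the proxy block has moved to `nodes.moonside.services.nginx` and the proxy-to-forgejo hop becomes cross-host traffic; a comment on which network that plain-HTTP segment traverses would document the assumption. The same applies to the ankisync block at the second `nodes.moonside.services.nginx` hunk below. On the ankisync side, `networking.firewall.allowedTCPPorts = [ servicePort ]` opens the port on every interface; if only moonside is meant to reach it, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ servicePort ];` scopes it to the link the proxy uses.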
    @@ -9148,6 +9503,8 @@ in
     
    { self, lib, config, globals, ... }:
     let
    +  inherit (config.swarselsystems) sopsFile;
    +
       servicePort = 27701;
       serviceName = "ankisync";
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    @@ -9160,11 +9517,11 @@ in
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    sops.secrets.swarsel = { owner = "root"; };
    +    sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
     
    -    topology.self.services.${serviceName} = {
    +    topology.self.services.anki = {
           name = lib.mkForce "Anki Sync Server";
    -      icon = "${self}/files/topology-images/${serviceName}.png";
    +      icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png";
           info = "https://${serviceDomain}";
         };
     
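Review bot: `topology.self.services.anki` now diverges from the `${serviceName}` key used for every other attribute in this module (sops secret, firewall, nginx upstream), and the added `lib.mkForce` on `icon` suggests this entry merges with one declared elsewhere; without a comment a later cleanup will "fix" the key back to `${serviceName}` and reintroduce the conflict. Once confirmed, something like `# key must match the topology entry declared in <module> (hence the mkForce overrides)` on that line is enough. The `icon` path still uses `${serviceName}.png`, which is presumably intended, but it is the one place the two names meet.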
    @@ -9178,12 +9535,12 @@ in
           users = [
             {
               username = ankiUser;
    -          passwordFile = config.sops.secrets.swarsel.path;
    +          passwordFile = config.sops.secrets.anki-pw.path;
             }
           ];
         };
     
    -    services.nginx = {
    +    nodes.moonside.services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -9234,6 +9591,7 @@ To get other URLs (token, etc.), use { self, lib, pkgs, config, globals, ... }:
     let
       certsSopsFile = self + /secrets/certs/secrets.yaml;
    +  inherit (config.swarselsystems) sopsFile;
     
       servicePort = 8300;
       serviceUser = "kanidm";
    @@ -9263,15 +9621,15 @@ in
           secrets = {
             "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
             "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-idm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-immich" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-paperless" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-forgejo" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-grafana" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-nextcloud" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-freshrss" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-oauth2-proxy" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
           };
         };
     
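Review bot: The nine `kanidm-*` entries are identical apart from the name, so repeating `{ inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }` per line is nine chances to get an owner or mode wrong on a later edit; one shared attrset plus `lib.genAttrs` over the names keeps the permissions in a single place (`lib` is in this file's argument set). The two certificate entries keep `certsSopsFile` explicitly. The rewritten `secrets` attribute is below; the enclosing `sops = {` still closes at the last line of the hunk.
```nix
      secrets =
        let
          # every kanidm secret: per-host sops file, readable by the service user/group only
          serviceSecret = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
        in
        {
          "kanidm-self-signed-crt" = serviceSecret // { sopsFile = certsSopsFile; };
          "kanidm-self-signed-key" = serviceSecret // { sopsFile = certsSopsFile; };
        }
        // lib.genAttrs [
          "kanidm-admin-pw"
          "kanidm-idm-admin-pw"
          "kanidm-immich"
          "kanidm-paperless"
          "kanidm-forgejo"
          "kanidm-grafana"
          "kanidm-nextcloud"
          "kanidm-freshrss"
          "kanidm-oauth2-proxy"
        ] (_: serviceSecret);
```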
    @@ -9502,6 +9860,8 @@ let
     
       kanidmDomain = globals.services.kanidm.domain;
       mainDomain = globals.domains.main;
    +
    +  inherit (config.swarselsystems) sopsFile;
     in
     {
       options = {
    @@ -9617,8 +9977,8 @@ in
     
         sops = {
           secrets = {
    -        "oauth2-cookie-secret" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-oauth2-proxy-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-oauth2-proxy-client" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
           };
     
           templates = {
    @@ -9732,6 +10092,7 @@ let
     
       nginxGroup = "nginx";
     
    +  inherit (config.swarselsystems) sopsFile;
       cfg = config.services.firefly-iii;
     in
     {
    @@ -9749,7 +10110,7 @@ in
     
         sops = {
           secrets = {
    -        "firefly-iii-app-key" = { owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
    +        "firefly-iii-app-key" = { inherit sopsFile; owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
           };
         };
     
    @@ -9851,14 +10212,16 @@ let
       postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
       postgresPort = config.services.postgresql.settings.port; # 5432
       containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d";
    +
    +  inherit (config.swarselsystems) sopsFile;
     in
     {
       options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
     
         sops.secrets = {
    -      koillection-db-password = { owner = postgresUser; group = postgresUser; mode = "0440"; };
    -      koillection-env-file = { };
    +      koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
    +      koillection-env-file = { inherit sopsFile; };
         };
     
         topology.self.services.${serviceName} = {
    @@ -9912,7 +10275,7 @@ in
             passwordPath = config.sops.secrets.koillection-db-password.path;
           in
           ''
    -        $PSQL -tA <<'EOF'
    +        ${config.services.postgresql.package}/bin/psql -tA <<'EOF'
               DO $$
               DECLARE password TEXT;
               BEGIN
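Review bot: The direct `${config.services.postgresql.package}/bin/psql -tA` call drops whatever `$PSQL` carried; if `$PSQL` was the NixOS postgresql module's wrapper it included `--port`, so this script now silently assumes the default socket/port while `postgresPort` is already bound in this file's `let`. `${config.services.postgresql.package}/bin/psql --port=${toString postgresPort} -tA <<'EOF'` keeps the connection pinned to the configured instance. Which unit and user run this script is outside the hunk, so whether the caller has the privileges the `DO $$` block needs cannot be checked from here.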
    @@ -10028,7 +10391,6 @@ in
     
    { self, lib, config, ... }:
     let
    -  inherit (config.repo.secrets.local.radicale) user1;
       sopsFile = self + /secrets/winters/secrets2.yaml;
     
       servicePort = 8000;
    @@ -10046,16 +10408,20 @@ in
         sops = {
           secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
     
    -      templates = {
    -        "radicale-users" = {
    -          content = ''
    -            ${user1}:${config.sops.placeholder.radicale-user}
    -          '';
    -          owner = serviceUser;
    -          group = serviceGroup;
    -          mode = "0440";
    +      templates =
    +        let
    +          inherit (config.repo.secrets.local.radicale) user1;
    +        in
    +        {
    +          "radicale-users" = {
    +            content = ''
    +              ${user1}:${config.sops.placeholder.radicale-user}
    +            '';
    +            owner = serviceUser;
    +            group = serviceGroup;
    +            mode = "0440";
    +          };
             };
    -      };
         };
     
         topology.self.services.${serviceName}.info = "https://${serviceDomain}";
    @@ -10070,11 +10436,12 @@ in
                 "[::]:${builtins.toString servicePort}"
               ];
             };
    -        auth = {
    -          type = "htpasswd";
    -          htpasswd_filename = config.sops.templates.radicale-users.path;
    -          htpasswd_encryption = "autodetect";
    -        };
    +        auth =
    +          {
    +            type = "htpasswd";
    +            htpasswd_filename = config.sops.templates.radicale-users.path;
    +            htpasswd_encryption = "autodetect";
    +          };
             storage = {
               filesystem_folder = "/Vault/data/radicale/collections";
             };
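Review bot: `auth =` is now split from its opening brace onto its own line with nothing in between, unlike `storage = {` directly below; keep `auth = {` on one line. Separately, `htpasswd_encryption = "autodetect"` also accepts plaintext entries, and since the htpasswd file is generated from the sops template in the previous hunk, pinning it to the hash format actually stored (e.g. `htpasswd_encryption = "bcrypt";`) prevents an unhashed line in the secret from silently working.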
    @@ -10154,6 +10521,8 @@ let
       serviceName = "croc";
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
     
    +  inherit (config.swarselsystems) sopsFile;
    +
       cfg = config.services.croc;
     in
     {
    @@ -10162,7 +10531,7 @@ in
     
         sops = {
           secrets = {
    -        croc-password = { };
    +        croc-password = { inherit sopsFile; };
           };
     
           templates = {
    @@ -10224,6 +10593,8 @@ let
       serviceGroup = serviceUser;
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
     
    +  inherit (config.swarselsystems) sopsFile;
    +
       cfg = config.services.${serviceName};
     in
     {
    @@ -10241,9 +10612,9 @@ in
     
         sops = {
           secrets = {
    -        microbin-admin-username = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        microbin-admin-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        microbin-uploader-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        microbin-admin-username = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        microbin-admin-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        microbin-uploader-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
           };
     
           templates = {
    @@ -10360,6 +10731,8 @@ let
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
     
       containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
    +
    +  inherit (config.swarselsystems) sopsFile;
     in
     {
       options = {
    @@ -10369,7 +10742,7 @@ in
     
         sops = {
           secrets = {
    -        shlink-api = { };
    +        shlink-api = { inherit sopsFile; };
           };
     
           templates = {
    @@ -10989,7 +11362,7 @@ in
           govc
           terraform
           opentofu
    -      terragrunt
    +      dev.terragrunt
           graphviz
           azure-cli
     
    @@ -11130,7 +11503,7 @@ This is where the theme for the whole OS is defined. Originally, this noweb-ref
     

    -
    { self, lib, pkgs, ... }:
    +
    { self, config, lib, pkgs, globals, minimal, ... }:
     {
       options.swarselsystems = {
         isLaptop = lib.mkEnableOption "laptop host";
    @@ -11141,7 +11514,11 @@ This is where the theme for the whole OS is defined. Originally, this noweb-ref
         isBtrfs = lib.mkEnableOption "use btrfs filesystem";
         mainUser = lib.mkOption {
           type = lib.types.str;
    -      default = "swarsel";
    +      default = if (!minimal) then globals.user.name else "swarsel" ;
    +    };
    +    sopsFile = lib.mkOption {
    +      type = lib.types.str;
    +      default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
         };
         homeDir = lib.mkOption {
           type = lib.types.str;
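Review bot: The new `sopsFile` option carries no `description`, and its `lib.types.str` type means the value is a plain filesystem path under `flakePath`, not a store path — if I read sops-nix correctly, such a file is read from the live filesystem at activation time and requires `validateSopsFiles = false`, which is easy to forget on a new host. A description such as `description = "Per-host sops file; a non-store path read at activation, so validateSopsFiles must be disabled";` captures that. Because the default interpolates `config.node.name`, a host whose node name has no matching `secrets/<node>/` directory fails only at switch time, which the description should also mention. Minor: `default = if (!minimal) then globals.user.name else "swarsel" ;` has a stray space before the semicolon.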
    @@ -11175,8 +11552,6 @@ This is where the theme for the whole OS is defined. Originally, this noweb-ref
         stylix = lib.mkOption {
           type = lib.types.attrs;
           default = {
    -        enable = true;
    -        base16Scheme = "${self}/files/stylix/swarsel.yaml";
             polarity = "dark";
             opacity.popups = 0.5;
             cursor = {
    @@ -11409,7 +11784,7 @@ Again, we adapt nix to our needs, enable the home-manager command f
     

    -
    { lib, config, ... }:
    +
    { self, lib, pkgs, config, ... }:
     let
       inherit (config.swarselsystems) mainUser;
     in
    @@ -11417,6 +11792,14 @@ in
       options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
       config = lib.mkIf config.swarselsystems.modules.general {
         nix = lib.mkIf (!config.swarselsystems.isNixos) {
    +      package = lib.mkForce pkgs.nixVersions.nix_2_28;
    +      extraOptions = ''
    +        plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    +          buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
    +          patches = (o.patches or []) ++ ["${self}/nix/nix-plugins.patch"];
    +        })}/lib/nix/plugins
    +        extra-builtins-file = ${self + /nix/extra-builtins.nix}
    +      '';
           settings = {
             experimental-features = [
               "nix-command"
    @@ -11428,7 +11811,7 @@ in
             trusted-users = [ "@wheel" "${mainUser}" ];
             connect-timeout = 5;
             bash-prompt-prefix = "$SHLVL:\\w ";
    -        bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
    +        bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
             fallback = true;
             min-free = 128000000;
             max-free = 1000000000;
    @@ -11560,7 +11943,7 @@ This holds packages that I can use as provided, or with small modifications (as
           (aspellWithDicts (dicts: with dicts; [ de en en-computers en-science ]))
     
           # browser
    -      vieb
    +      stable24_11.vieb
           mgba
     
           # utilities
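Review bot: `stable24_11.vieb` pins an Electron-based browser to the 24.11 package set, which I believe is past its support window by this commit's date, so vieb's bundled Chromium stops receiving security fixes from here on. Record why the pin exists and when to revisit it, e.g. `stable24_11.vieb # TODO(<date>): pinned because <reason>; unpin once vieb builds on unstable again`.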
    @@ -11791,24 +12174,16 @@ Since we are using the home-manager implementation here, we need to specify the
     
    { config, lib, ... }:
     let
    -  inherit (config.swarselsystems) homeDir xdgDir;
    +  inherit (config.swarselsystems) homeDir;
     in
     {
       options.swarselsystems.modules.sops = lib.mkEnableOption "sops settings";
       config = lib.mkIf config.swarselsystems.modules.sops {
         sops = {
           age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${homeDir}/.ssh/ssh_host_ed25519_key" ];
    -      defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
    +      defaultSopsFile = "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
     
           validateSopsFiles = false;
    -      secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    -        mrswarsel = { path = "${xdgDir}/secrets/mrswarsel"; };
    -        nautilus = { path = "${xdgDir}/secrets/nautilus"; };
    -        leon = { path = "${xdgDir}/secrets/leon"; };
    -        swarselmail = { path = "${xdgDir}/secrets/swarselmail"; };
    -        github_notif = { path = "${xdgDir}/secrets/github_notif"; };
    -        u2f_keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
    -      };
         };
       };
     }
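Review bot: Dropping the `isBtrfs` branch means `defaultSopsFile` is always `${homeDir}/.dotfiles/secrets/general/secrets.yaml`, and with `validateSopsFiles = false` a missing file is only noticed at activation, so on hosts where the home directory is not persisted that path has to exist before home-manager runs. A comment on the `defaultSopsFile` line stating that assumption (for example `# non-store path: must be present on the host at activation, hence validateSopsFiles = false below`) would keep the next reader from re-adding the persist branch blindly. Where the removed per-secret declarations went is only partly visible here (yubikey and mail hunks below), so whether every previous consumer still has a declaration cannot be confirmed from this hunk.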
    @@ -11821,10 +12196,18 @@ in
     
    { lib, config, nixosConfig, ... }:
    +let
    +  inherit (config.swarselsystems) homeDir;
    +in
     {
       options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey settings";
     
       config = lib.mkIf config.swarselsystems.modules.yubikey {
    +
    +    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    +      u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
    +    };
    +
         pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
           ids = [
             nixosConfig.repo.secrets.common.yubikeys.dev1
    @@ -11861,6 +12244,10 @@ It is very convenient to have SSH aliases in place for machines that I use. This
               hostname = "192.168.1.1";
               user = "root";
             };
    +        "bakery" = {
    +          hostname = "192.168.1.136";
    +          user = "root";
    +        };
             "winters" = {
               hostname = "192.168.1.2";
               user = "root";
    @@ -11869,7 +12256,7 @@ It is very convenient to have SSH aliases in place for machines that I use. This
               hostname = "130.61.119.129";
               user = "opc";
             };
    -        "sync" = {
    +        "milkywell" = {
               hostname = "193.122.53.173";
               user = "root";
             };
    @@ -12105,7 +12492,7 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var
     

    -
    { lib, config, nixosConfig, globals, ... }:
    +
    { lib, config, globals, nixosConfig, ... }:
     let
       inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
       inherit (nixosConfig.repo.secrets.common) fullName;
    @@ -12323,7 +12710,7 @@ Here I set up my git config, automatic signing of commits, useful aliases for my
     

    -
    { lib, config, nixosConfig, globals, ... }:
    +
    { lib, config, globals, minimal, nixosConfig, ... }:
     let
       inherit (nixosConfig.repo.secrets.common.mail) address1;
       inherit (nixosConfig.repo.secrets.common) fullName;
    @@ -12335,6 +12722,7 @@ in
       config = lib.mkIf config.swarselsystems.modules.git {
         programs.git = {
           enable = true;
    +      } // lib.optionalAttrs (!minimal) {
           aliases = {
             a = "add";
             c = "commit";
    @@ -12616,7 +13004,7 @@ Currently I only use it as before with initExtra though.
     

    -
    { config, lib, ... }:
    +
    { config, lib, minimal, ... }:
     let
       inherit (config.swarselsystems) flakePath;
     in
    @@ -12628,117 +13016,120 @@ in
           default = { };
         };
       };
    -  config = lib.mkIf config.swarselsystems.modules.zsh {
    +  config = lib.mkIf config.swarselsystems.modules.zsh
    +    {
     
    -    sops.secrets = {
    -      croc-password = { };
    -    };
    +      sops.secrets = {
    +        croc-password = { };
    +      };
     
    -    programs.zsh = {
    -      enable = true;
    -      shellAliases = lib.recursiveUpdate
    -        {
    -          hg = "history | grep";
    -          hmswitch = "home-manager --flake ${flakePath}#$(whoami)@$(hostname) switch |& nom";
    -          # nswitch = "sudo nixos-rebuild --flake ${flakePath}#$(hostname) --show-trace --log-format internal-json -v switch |& nom --json";
    -          nswitch = "swarsel-deploy $(hostname) switch";
    -          # nboot = "sudo nixos-rebuild --flake ${flakePath}#$(hostname) --show-trace --log-format internal-json -v boot |& nom --json";
    -          nboot = "swarsel-deploy $(hostname) boot";
    -          magit = "emacsclient -nc -e \"(magit-status)\"";
    -          config = "git --git-dir=$HOME/.cfg/ --work-tree=$HOME";
    -          g = "git";
    -          c = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/";
    -          passpush = "cd ~/.local/share/password-store; git add .; git commit -m 'pass file changes'; git push; cd -;";
    -          passpull = "cd ~/.local/share/password-store; git pull; cd -;";
    -          hotspot = "nmcli connection up local; nmcli device wifi hotspot;";
    -          youtube-dl = "yt-dlp";
    -          cat-orig = "cat";
    -          cdr = "cd \"$( (find $DOCUMENT_DIR_WORK $DOCUMENT_DIR_PRIV -maxdepth 1 && echo $FLAKE) | fzf )\"";
    -          nix-ldd-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
    -          nix-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
    -          nix-ldd-locate = "nix-locate --minimal --top-level -w ";
    -          nix-store-search = "ls /nix/store | grep";
    -          fs-diff = "sudo mount -o subvol=/ /dev/mapper/cryptroot /mnt ; fs-diff";
    -          lt = "eza -las modified --total-size";
    -          boot-diff = "nix store diff-closures /run/*-system";
    -          gen-diff = "nix profile diff-closures --profile /nix/var/nix/profiles/system";
    -          cc = "wl-copy";
    -        }
    -        config.swarselsystems.shellAliases;
    -      autosuggestion.enable = true;
    -      enableCompletion = true;
    -      syntaxHighlighting.enable = true;
    -      autocd = false;
    -      cdpath = [
    -        "~/.dotfiles"
    -        # "~/Documents/GitHub"
    -      ];
    -      defaultKeymap = "emacs";
    -      dirHashes = {
    -        dl = "$HOME/Downloads";
    -        gh = "$HOME/Documents/GitHub";
    -      };
    -      history = {
    -        expireDuplicatesFirst = true;
    -        path = "$HOME/.histfile";
    -        save = 100000;
    -        size = 100000;
    -      };
    -      historySubstringSearch = {
    +      programs.zsh = {
             enable = true;
    -        searchDownKey = "^[OB";
    -        searchUpKey = "^[OA";
    +      }
    +      // lib.optionalAttrs (!minimal) {
    +        shellAliases = lib.recursiveUpdate
    +          {
    +            hg = "history | grep";
    +            hmswitch = "home-manager --flake ${flakePath}#$(whoami)@$(hostname) switch |& nom";
    +            # nswitch = "sudo nixos-rebuild --flake ${flakePath}#$(hostname) --show-trace --log-format internal-json -v switch |& nom --json";
    +            nswitch = "swarsel-deploy $(hostname) switch";
    +            # nboot = "sudo nixos-rebuild --flake ${flakePath}#$(hostname) --show-trace --log-format internal-json -v boot |& nom --json";
    +            nboot = "swarsel-deploy $(hostname) boot";
    +            magit = "emacsclient -nc -e \"(magit-status)\"";
    +            config = "git --git-dir=$HOME/.cfg/ --work-tree=$HOME";
    +            g = "git";
    +            c = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/";
    +            passpush = "cd ~/.local/share/password-store; git add .; git commit -m 'pass file changes'; git push; cd -;";
    +            passpull = "cd ~/.local/share/password-store; git pull; cd -;";
    +            hotspot = "nmcli connection up local; nmcli device wifi hotspot;";
    +            youtube-dl = "yt-dlp";
    +            cat-orig = "cat";
    +            cdr = "cd \"$( (find $DOCUMENT_DIR_WORK $DOCUMENT_DIR_PRIV -maxdepth 1 && echo $FLAKE) | fzf )\"";
    +            nix-ldd-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
    +            nix-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
    +            nix-ldd-locate = "nix-locate --minimal --top-level -w ";
    +            nix-store-search = "ls /nix/store | grep";
    +            fs-diff = "sudo mount -o subvol=/ /dev/mapper/cryptroot /mnt ; fs-diff";
    +            lt = "eza -las modified --total-size";
    +            boot-diff = "nix store diff-closures /run/*-system";
    +            gen-diff = "nix profile diff-closures --profile /nix/var/nix/profiles/system";
    +            cc = "wl-copy";
    +          }
    +          config.swarselsystems.shellAliases;
    +        autosuggestion.enable = true;
    +        enableCompletion = true;
    +        syntaxHighlighting.enable = true;
    +        autocd = false;
    +        cdpath = [
    +          "~/.dotfiles"
    +          # "~/Documents/GitHub"
    +        ];
    +        defaultKeymap = "emacs";
    +        dirHashes = {
    +          dl = "$HOME/Downloads";
    +          gh = "$HOME/Documents/GitHub";
    +        };
    +        history = {
    +          expireDuplicatesFirst = true;
    +          path = "$HOME/.histfile";
    +          save = 100000;
    +          size = 100000;
    +        };
    +        historySubstringSearch = {
    +          enable = true;
    +          searchDownKey = "^[OB";
    +          searchUpKey = "^[OA";
    +        };
    +        plugins = [
    +          # {
    +          #   name = "fzf-tab";
    +          #   src = pkgs.zsh-fzf-tab;
    +          # }
    +        ];
    +        initContent = lib.mkIf (!config.swarselsystems.isPublic) ''
    +          my-forward-word() {
    +            local WORDCHARS=$WORDCHARS
    +            WORDCHARS="''${WORDCHARS//:}"
    +            WORDCHARS="''${WORDCHARS//\/}"
    +            WORDCHARS="''${WORDCHARS//.}"
    +            zle forward-word
    +          }
    +          zle -N my-forward-word
    +          # ctrl + right
    +          bindkey "^[[1;5C" my-forward-word
    +
    +          # shift + right
    +          bindkey "^[[1;2C" forward-word
    +
    +          my-backward-word() {
    +            local WORDCHARS=$WORDCHARS
    +            WORDCHARS="''${WORDCHARS//:}"
    +            WORDCHARS="''${WORDCHARS//\/}"
    +            WORDCHARS="''${WORDCHARS//.}"
    +            zle backward-word
    +          }
    +          zle -N my-backward-word
    +          # ctrl + left
    +          bindkey "^[[1;5D" my-backward-word
    +
    +          # shift + left
    +          bindkey "^[[1;2D" backward-word
    +
    +          my-backward-delete-word() {
    +            local WORDCHARS=$WORDCHARS
    +            WORDCHARS="''${WORDCHARS//:}"
    +            WORDCHARS="''${WORDCHARS//\/}"
    +            WORDCHARS="''${WORDCHARS//.}"
    +            zle backward-delete-word
    +          }
    +          zle -N my-backward-delete-word
    +          # ctrl + del
    +          bindkey '^H' my-backward-delete-word
    +
    +          export CROC_PASS="$(cat ${config.sops.secrets.croc-password.path})"
    +        '';
           };
    -      plugins = [
    -        # {
    -        #   name = "fzf-tab";
    -        #   src = pkgs.zsh-fzf-tab;
    -        # }
    -      ];
    -      initContent = lib.mkIf (!config.swarselsystems.isPublic) ''
    -        my-forward-word() {
    -          local WORDCHARS=$WORDCHARS
    -          WORDCHARS="''${WORDCHARS//:}"
    -          WORDCHARS="''${WORDCHARS//\/}"
    -          WORDCHARS="''${WORDCHARS//.}"
    -          zle forward-word
    -        }
    -        zle -N my-forward-word
    -        # ctrl + right
    -        bindkey "^[[1;5C" my-forward-word
    -
    -        # shift + right
    -        bindkey "^[[1;2C" forward-word
    -
    -        my-backward-word() {
    -          local WORDCHARS=$WORDCHARS
    -          WORDCHARS="''${WORDCHARS//:}"
    -          WORDCHARS="''${WORDCHARS//\/}"
    -          WORDCHARS="''${WORDCHARS//.}"
    -          zle backward-word
    -        }
    -        zle -N my-backward-word
    -        # ctrl + left
    -        bindkey "^[[1;5D" my-backward-word
    -
    -        # shift + left
    -        bindkey "^[[1;2D" backward-word
    -
    -        my-backward-delete-word() {
    -          local WORDCHARS=$WORDCHARS
    -          WORDCHARS="''${WORDCHARS//:}"
    -          WORDCHARS="''${WORDCHARS//\/}"
    -          WORDCHARS="''${WORDCHARS//.}"
    -          zle backward-delete-word
    -        }
    -        zle -N my-backward-delete-word
    -        # ctrl + del
    -        bindkey '^H' my-backward-delete-word
    -
    -        export CROC_PASS="$(cat ${config.sops.secrets.croc-password.path})"
    -      '';
         };
    -  };
     }
     
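Review bot: Moving the opening brace of `config = lib.mkIf config.swarselsystems.modules.zsh` onto its own line re-indents the entire module body, which is most of this hunk's churn for no semantic change; keeping `config = lib.mkIf config.swarselsystems.modules.zsh {` on one line, as the other modules in this patch do, reduces the diff to the `// lib.optionalAttrs (!minimal)` split. On the retained content, `export CROC_PASS="$(cat ${config.sops.secrets.croc-password.path})"` places the croc secret in the environment of every interactive shell and all of its children, where any process the user launches can read it; a comment on why a shell-wide export is acceptable here, or a small croc wrapper that reads the file on demand, would be worth adding while this block is being touched.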
    @@ -12891,12 +13282,21 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
    { lib, config, nixosConfig, ... }:
     let
    -  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4;
    +  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host;
       inherit (nixosConfig.repo.secrets.common) fullName;
    +  inherit (config.swarselsystems) xdgDir;
     in
     {
       options.swarselsystems.modules.mail = lib.mkEnableOption "mail settings";
       config = lib.mkIf config.swarselsystems.modules.mail {
    +
    +    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    +      address1-token = { path = "${xdgDir}/secrets/address1-token"; };
    +      address2-token = { path = "${xdgDir}/secrets/address2-token"; };
    +      address3-token = { path = "${xdgDir}/secrets/address3-token"; };
    +      address4-token = { path = "${xdgDir}/secrets/address4-token"; };
    +    };
    +
         programs = {
           mbsync = {
             enable = true;
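Review bot: The `sops.secrets` entries added here are wrapped in `lib.mkIf (!config.swarselsystems.isPublic)`, while the `passwordCommand` lines in the four account hunks below dereference `config.sops.secrets.address1-token.path` (and the address2/address3/address4 equivalents) unconditionally, so a public evaluation with the mail module enabled would fail on a missing attribute instead of simply lacking the command. If the mail module is never enabled in public builds this is moot, but the diff does not show that. Guarding each one the same way, e.g. `passwordCommand = lib.mkIf (!config.swarselsystems.isPublic) "cat ${config.sops.secrets.address1-token.path}";`, would let the module evaluate in both modes.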
    @@ -12924,7 +13324,7 @@ in
                 address = address1;
                 userName = address1;
                 realName = fullName;
    -            passwordCommand = "cat ${config.sops.secrets.leon.path}";
    +            passwordCommand = "cat ${config.sops.secrets.address1-token.path}";
                 gpg = {
                   key = "0x76FD3810215AE097";
                   signByDefault = true;
    @@ -12954,11 +13354,11 @@ in
     
               swarsel = {
                 address = address4;
    -            userName = "8227dc594dd515ce232eda1471cb9a19";
    +            userName = address4-user;
                 realName = fullName;
    -            passwordCommand = "cat ${config.sops.secrets.swarselmail.path}";
    +            passwordCommand = "cat ${config.sops.secrets.address4-token.path}";
                 smtp = {
    -              host = "in-v3.mailjet.com";
    +              host = address4-host;
                   port = 587;
                   tls = {
                     enable = true;
    @@ -12978,8 +13378,8 @@ in
                 primary = false;
                 address = address2;
                 userName = address2;
    -            realName = add2Name;
    -            passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
    +            realName = address2-name;
    +            passwordCommand = "cat ${config.sops.secrets.address2-token.path}";
                 imap.host = "imap.gmail.com";
                 smtp.host = "smtp.gmail.com";
                 msmtp.enable = true;
    @@ -13005,8 +13405,8 @@ in
                 primary = false;
                 address = address3;
                 userName = address3;
    -            realName = add3Name;
    -            passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
    +            realName = address3-name;
    +            passwordCommand = "cat ${config.sops.secrets.address3-token.path}";
                 imap.host = "imap.gmail.com";
                 smtp.host = "smtp.gmail.com";
                 msmtp.enable = true;
    @@ -13057,7 +13457,7 @@ in
       options.swarselsystems.modules.emacs = lib.mkEnableOption "emacs settings";
       config = lib.mkIf config.swarselsystems.modules.emacs {
         # needed for elfeed
    -    sops.secrets.fever = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
    +    sops.secrets.fever-pw = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
     
         # enable emacs overlay for bleeding edge features
         # also read init.el file and install use-package packages
    @@ -13158,6 +13558,7 @@ The rest of the related configuration is found here:
     
    { self, config, lib, pkgs, ... }:
     let
    +  inherit (config.swarselsystems) xdgDir;
       generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
       modulesLeft = [
         "custom/outer-left-arrow-dark"
    @@ -13210,11 +13611,17 @@ in
         };
       };
       config = lib.mkIf config.swarselsystems.modules.waybar {
    +
         swarselsystems = {
           waybarModules = lib.mkIf config.swarselsystems.isLaptop (modulesLeft ++ [
             "battery"
           ] ++ modulesRight);
         };
    +
    +    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    +      github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
    +    };
    +
         programs.waybar = {
           enable = true;
           systemd = {
    @@ -13750,12 +14157,13 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    3.3.1.30.4. SwayOSD
    -
    { lib, config, ... }:
    +
    { lib, pkgs, config, ... }:
     {
       options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings";
       config = lib.mkIf config.swarselsystems.modules.swayosd {
         services.swayosd = {
           enable = true;
    +      package = pkgs.dev.swayosd;
           topMargin = 0.5;
         };
       };
    @@ -14564,7 +14972,6 @@ The rest of the settings is at { self, config, pkgs, lib, nixosConfig, ... }:
     let
       inherit (config.swarselsystems) homeDir;
    -  inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
     in
     {
       options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings";
    @@ -14602,131 +15009,141 @@ in
           };
         };
     
    -    stylix.targets.firefox.profileNames = [
    -      "${user1}"
    -      "${user2}"
    -      "${user3}"
    -      "work"
    -    ];
    -
    -    programs = {
    -      git.userEmail = lib.mkForce gitMail;
    -
    -      zsh = {
    -        shellAliases = {
    -          dssh = "ssh -l ${user1Long}";
    -          cssh = "ssh -l ${user2Long}";
    -          wssh = "ssh -l ${user3Long}";
    -        };
    -        cdpath = [
    -          "~/Documents/Work"
    +    stylix = {
    +      targets.firefox.profileNames =
    +        let
    +          inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
    +        in
    +        [
    +          "${user1}"
    +          "${user2}"
    +          "${user3}"
    +          "work"
             ];
    -        dirHashes = {
    -          d = "$HOME/.dotfiles";
    -          w = "$HOME/Documents/Work";
    -          s = "$HOME/.dotfiles/secrets";
    -          pr = "$HOME/Documents/Private";
    -          ac = path1;
    -        };
    -      };
    -
    -      ssh = {
    -        matchBlocks = {
    -          "${loc1}" = {
    -            hostname = "${loc1}.${domain2}";
    -            user = user4;
    -          };
    -          "${loc1}.stg" = {
    -            hostname = "${loc1}.${lifecycle1}.${domain2}";
    -            user = user4;
    -          };
    -          "${loc1}.staging" = {
    -            hostname = "${loc1}.${lifecycle1}.${domain2}";
    -            user = user4;
    -          };
    -          "${loc1}.dev" = {
    -            hostname = "${loc1}.${lifecycle2}.${domain2}";
    -            user = user4;
    -          };
    -          "${loc2}" = {
    -            hostname = "${loc2}.${domain1}";
    -            user = user1Long;
    -          };
    -          "${loc2}.stg" = {
    -            hostname = "${loc2}.${lifecycle1}.${domain2}";
    -            user = user1Long;
    -          };
    -          "${loc2}.staging" = {
    -            hostname = "${loc2}.${lifecycle1}.${domain2}";
    -            user = user1Long;
    -          };
    -          "*.${domain1}" = {
    -            user = user1Long;
    -          };
    -        };
    -      };
    -
    -      firefox = {
    -        profiles =
    -          let
    -            isDefault = false;
    -          in
    -          {
    -            "${user1}" = lib.recursiveUpdate
    -              {
    -                inherit isDefault;
    -                id = 1;
    -                settings = {
    -                  "browser.startup.homepage" = "${site1}|${site2}";
    -                };
    -              }
    -              config.swarselsystems.firefox;
    -            "${user2}" = lib.recursiveUpdate
    -              {
    -                inherit isDefault;
    -                id = 2;
    -                settings = {
    -                  "browser.startup.homepage" = "${site3}";
    -                };
    -              }
    -              config.swarselsystems.firefox;
    -            "${user3}" = lib.recursiveUpdate
    -              {
    -                inherit isDefault;
    -                id = 3;
    -              }
    -              config.swarselsystems.firefox;
    -            work = lib.recursiveUpdate
    -              {
    -                inherit isDefault;
    -                id = 4;
    -                settings = {
    -                  "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
    -                };
    -              }
    -              config.swarselsystems.firefox;
    -          };
    -      };
    -
    -      chromium = {
    -        enable = true;
    -        package = pkgs.chromium;
    -
    -        extensions = [
    -          # 1password
    -          "gejiddohjgogedgjnonbofjigllpkmbf"
    -          # dark reader
    -          "eimadpbcbfnmbkopoojfekhnkhdbieeh"
    -          # ublock origin
    -          "cjpalhdlnbpafiamejdnhcphjbkeiagm"
    -          # i still dont care about cookies
    -          "edibdbjcniadpccecjdfdjjppcpchdlm"
    -          # browserpass
    -          "naepdomgkenhinolocfifgehidddafch"
    -        ];
    -      };
         };
     
    +    programs =
    +      let
    +        inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
    +      in
    +      {
    +        git.userEmail = lib.mkForce gitMail;
    +
    +        zsh = {
    +          shellAliases = {
    +            dssh = "ssh -l ${user1Long}";
    +            cssh = "ssh -l ${user2Long}";
    +            wssh = "ssh -l ${user3Long}";
    +          };
    +          cdpath = [
    +            "~/Documents/Work"
    +          ];
    +          dirHashes = {
    +            d = "$HOME/.dotfiles";
    +            w = "$HOME/Documents/Work";
    +            s = "$HOME/.dotfiles/secrets";
    +            pr = "$HOME/Documents/Private";
    +            ac = path1;
    +          };
    +        };
    +
    +        ssh = {
    +          matchBlocks = {
    +            "${loc1}" = {
    +              hostname = "${loc1}.${domain2}";
    +              user = user4;
    +            };
    +            "${loc1}.stg" = {
    +              hostname = "${loc1}.${lifecycle1}.${domain2}";
    +              user = user4;
    +            };
    +            "${loc1}.staging" = {
    +              hostname = "${loc1}.${lifecycle1}.${domain2}";
    +              user = user4;
    +            };
    +            "${loc1}.dev" = {
    +              hostname = "${loc1}.${lifecycle2}.${domain2}";
    +              user = user4;
    +            };
    +            "${loc2}" = {
    +              hostname = "${loc2}.${domain1}";
    +              user = user1Long;
    +            };
    +            "${loc2}.stg" = {
    +              hostname = "${loc2}.${lifecycle1}.${domain2}";
    +              user = user1Long;
    +            };
    +            "${loc2}.staging" = {
    +              hostname = "${loc2}.${lifecycle1}.${domain2}";
    +              user = user1Long;
    +            };
    +            "*.${domain1}" = {
    +              user = user1Long;
    +            };
    +          };
    +        };
    +
    +        firefox = {
    +          profiles =
    +            let
    +              isDefault = false;
    +            in
    +            {
    +              "${user1}" = lib.recursiveUpdate
    +                {
    +                  inherit isDefault;
    +                  id = 1;
    +                  settings = {
    +                    "browser.startup.homepage" = "${site1}|${site2}";
    +                  };
    +                }
    +                config.swarselsystems.firefox;
    +              "${user2}" = lib.recursiveUpdate
    +                {
    +                  inherit isDefault;
    +                  id = 2;
    +                  settings = {
    +                    "browser.startup.homepage" = "${site3}";
    +                  };
    +                }
    +                config.swarselsystems.firefox;
    +              "${user3}" = lib.recursiveUpdate
    +                {
    +                  inherit isDefault;
    +                  id = 3;
    +                }
    +                config.swarselsystems.firefox;
    +              work = lib.recursiveUpdate
    +                {
    +                  inherit isDefault;
    +                  id = 4;
    +                  settings = {
    +                    "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
    +                  };
    +                }
    +                config.swarselsystems.firefox;
    +            };
    +        };
    +
    +        chromium = {
    +          enable = true;
    +          package = pkgs.chromium;
    +
    +          extensions = [
    +            # 1password
    +            "gejiddohjgogedgjnonbofjigllpkmbf"
    +            # dark reader
    +            "eimadpbcbfnmbkopoojfekhnkhdbieeh"
    +            # ublock origin
    +            "cjpalhdlnbpafiamejdnhcphjbkeiagm"
    +            # i still dont care about cookies
    +            "edibdbjcniadpccecjdfdjjppcpchdlm"
    +            # browserpass
    +            "naepdomgkenhinolocfifgehidddafch"
    +          ];
    +        };
    +      };
    +
         services = {
           kanshi = {
             settings = [
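Review bot: The same `inherit (nixosConfig.repo.secrets.local.work) …` is now written three times, in the `stylix` binding, the `programs` binding, and the `xdg` binding in the next hunk, with `user1 user2 user3` duplicated in two of them. As far as I can tell Nix `let` bindings are lazy, so the single file-level inherit this commit removes was not forcing the secrets to be read when the work module is disabled; one module-level `let` would read the same and keep the three lists from drifting apart. If the split is deliberate, a one-line comment above the first `let` such as `# secrets are inherited per attribute so each block stands alone` would save the next reader the same question. The enclosing module's header and tail are outside the hunk.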
    @@ -14845,49 +15262,53 @@ in
           };
         };
     
    -    xdg = {
    -      mimeApps = {
    -        defaultApplications = {
    -          "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
    +    xdg =
    +      let
    +        inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
    +      in
    +      {
    +        mimeApps = {
    +          defaultApplications = {
    +            "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
    +          };
             };
    +        desktopEntries =
    +          let
    +            terminal = false;
    +            categories = [ "Application" ];
    +            icon = "firefox";
    +          in
    +          {
    +            firefox_work = {
    +              name = "Firefox (work)";
    +              genericName = "Firefox work";
    +              exec = "firefox -p work";
    +              inherit terminal categories icon;
    +            };
    +            "firefox_${user1}" = {
    +              name = "Firefox (${user1})";
    +              genericName = "Firefox ${user1}";
    +              exec = "firefox -p ${user1}";
    +              inherit terminal categories icon;
    +            };
    +
    +            "firefox_${user2}" = {
    +              name = "Firefox (${user2})";
    +              genericName = "Firefox ${user2}";
    +              exec = "firefox -p ${user2}";
    +              inherit terminal categories icon;
    +            };
    +
    +            "firefox_${user3}" = {
    +              name = "Firefox (${user3})";
    +              genericName = "Firefox ${user3}";
    +              exec = "firefox -p ${user3}";
    +              inherit terminal categories icon;
    +            };
    +
    +
    +          };
           };
    -      desktopEntries =
    -        let
    -          terminal = false;
    -          categories = [ "Application" ];
    -          icon = "firefox";
    -        in
    -        {
    -          firefox_work = {
    -            name = "Firefox (work)";
    -            genericName = "Firefox work";
    -            exec = "firefox -p work";
    -            inherit terminal categories icon;
    -          };
    -          "firefox_${user1}" = {
    -            name = "Firefox (${user1})";
    -            genericName = "Firefox ${user1}";
    -            exec = "firefox -p ${user1}";
    -            inherit terminal categories icon;
    -          };
    -
    -          "firefox_${user2}" = {
    -            name = "Firefox (${user2})";
    -            genericName = "Firefox ${user2}";
    -            exec = "firefox -p ${user2}";
    -            inherit terminal categories icon;
    -          };
    -
    -          "firefox_${user3}" = {
    -            name = "Firefox (${user3})";
    -            genericName = "Firefox ${user3}";
    -            exec = "firefox -p ${user3}";
    -            inherit terminal categories icon;
    -          };
    -
    -
    -        };
    -    };
         swarselsystems = {
           startup = [
             # { command = "nextcloud --background"; }
    @@ -15625,7 +16046,7 @@ writeShellApplication {
       inherit name;
       runtimeInputs = [ jq ];
       text = ''
    -    count=$(curl -u Swarsel:"$(cat "$XDG_RUNTIME_DIR/secrets/github_notif")" https://api.github.com/notifications | jq '. | length')
    +    count=$(curl -u Swarsel:"$(cat "$XDG_RUNTIME_DIR/secrets/github-notifications-token")" https://api.github.com/notifications | jq '. | length')
     
         if [[ "$count" != "0" ]]; then
             echo "{\"text\":\"$count\"}"
    @@ -15885,6 +16306,7 @@ if [ ! -d "$FLAKE" ]; then
     fi
     
     cd "$FLAKE"
    +rm install/flake.lock || true
     git_root=$(git rev-parse --show-toplevel)
     # ------------------------
     green "Wiping known_hosts of $target_destination"
    @@ -15910,7 +16332,7 @@ if [ "$disk_encryption" -eq 1 ]; then
             green "Please confirm passphrase:"
             read -rs luks_passphrase_confirm
             if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
    -            $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"
    +            $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password"
                 break
             else
                 red "Passwords do not match"
    @@ -15921,15 +16343,12 @@ fi
     green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
     $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
     
    -green "Injecting initialSetup"
    -$ssh_root_cmd "sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
    -
     mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
     $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
     # ------------------------
     
     green "Deploying minimal NixOS installation on $target_destination"
    -SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination"
    +nix run github:nix-community/nixos-anywhere/1.10.0 -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination"
     
     echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
     ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
    @@ -15955,8 +16374,6 @@ if [[ $SECUREBOOT == "true" ]]; then
         $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
     fi
     # ------------------------
    -green "Disabling initialSetup"
    -sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
     
     if [ -n "$persist_dir" ]; then
         $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
    @@ -15992,17 +16409,19 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then
     fi
     green "Updating all secrets files to reflect updates .sops.yaml"
     sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml
    +sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc
     # --------------------------
     green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
     sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
    +$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown -R $target_user:users /home/$target_user/.ssh/"
     $scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key
    -$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"
    +$ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"
     # __________________________
     
     if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
         green "Adding ssh host fingerprints for git{lab,hub}"
    -    $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /home/$target_user/.ssh/known_hosts"
    -    $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /root/.ssh/known_hosts"
    +    $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts"
    +    $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts"
     fi
     # --------------------------
     
    @@ -16019,35 +16438,48 @@ if yes_or_no "Do you want to copy your full nix-config and nix-secrets to $targe
         fi
     
         if yes_or_no "Do you want to rebuild immediately?"; then
    -        green "Rebuilding nix-config on $target_hostname"
    -        yellow "Reminder: The password is 'setup'"
    -        $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' > /root/.local/share/nix/trusted-settings.json"
    -        $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
    +        green "Building nix-config for $target_hostname"
    +        # yellow "Reminder: The password is 'setup'"
    +        $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json"
    +        # $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
    +        store_path=$(nix build --no-link --print-out-paths .#nixosConfigurations."$target_hostname".config.system.build.toplevel)
    +        green "Copying generation to $target_hostname"
    +        nix copy --to "ssh://root@$target_destination" "$store_path"
    +        # prev_system=$($ssh_root_cmd " readlink -e /nix/var/nix/profiles/system")
    +        green "Linking generation in bootloader"
    +        $ssh_root_cmd "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set $store_path"
    +        green "Setting generation to activate upon next boot"
    +        $ssh_root_cmd "$store_path/bin/switch-to-configuration boot"
    +    else
    +        echo
    +        green "NixOS was successfully installed!"
    +        echo "Post-install config build instructions:"
    +        echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
    +        echo "just sync $target_user $target_destination"
    +        echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
    +        echo "cd nix-config"
    +        # see above FIXME:(bootstrap)
    +        echo "sudo nixos-rebuild .pre-commit-config.yaml show-trace --flake .#$target_hostname switch"
    +        # echo "just rebuild"
    +        echo
         fi
    -else
    -    echo
    -    green "NixOS was successfully installed!"
    -    echo "Post-install config build instructions:"
    -    echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
    -    echo "just sync $target_user $target_destination"
    -    echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
    -    echo "cd nix-config"
    -    # see above FIXME:(bootstrap)
    -    echo "sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
    -    # echo "just rebuild"
    -    echo
     fi
     
    +green "NixOS was successfully installed!"
     if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
         cd "${git_root}"
         deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe
    -    nixpkgs-fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix
    -    (pre-commit run --all-files 2> /dev/null || true) &&
    +    nixpkgs--fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix
    +    (.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) &&
             git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" &&
             git add "$git_root/.sops.yaml" &&
             git add "$git_root/secrets" &&
             (git commit -m "feat: deployed $target_hostname" || true) && git push
     fi
    +
    +if yes_or_no "Reboot now?"; then
    +    $ssh_root_cmd "reboot"
    +fi
     
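Review bot: Three commands on the new side look like the result of a stray search-and-replace and will not run: `echo "sudo nixos-rebuild .pre-commit-config.yaml show-trace --flake .#$target_hostname switch"` should read `--show-trace`, `nixpkgs--fmt hosts/…` should be `nixpkgs-fmt hosts/…`, and `(.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) &&` should be `(pre-commit run --all-files 2> /dev/null || true) &&`; the removed lines show the intended forms. The new `nix copy --to "ssh://root@$target_destination" "$store_path"` is not given `$ssh_port`, which the rest of the script passes explicitly, so a non-default port only works if NIX_SSHOPTS is set somewhere I cannot see; `NIX_SSHOPTS="-p $ssh_port" nix copy …` would make it self-contained. The post-install instructions moved into the inner `else`, so they are now printed only when the user copies the config but declines to rebuild; that reads as intended given the unconditional `green "NixOS was successfully installed!"` added after the block, but worth a comment if so.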
     @@ -16152,7 +16584,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
      rm modules/home/common/mail.nix
      rm modules/home/common/yubikey.nix
      rm modules/nixos/server/restic.nix
     - rm hosts/nixos/sync/default.nix
     + rm hosts/nixos/milkywell/default.nix
      rm -rf modules/nixos/server
      rm -rf modules/home/server
      nix flake update vbc-nix
     @@ -16284,34 +16716,8 @@ cd .dotfiles
      if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
      yellow "The ssh key for this configuration is not available."
      green "Adjusting flake.nix so that the configuration is buildable ..."
     - sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
      sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix
      sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix
     - rm modules/home/common/env.nix
     - rm modules/home/common/gammastep.nix
     - rm modules/home/common/git.nix
     - rm modules/home/common/mail.nix
     - rm modules/home/common/yubikey.nix
     - rm modules/nixos/server/restic.nix
     - rm hosts/nixos/sync/default.nix
     - rm -rf modules/nixos/server
     - rm -rf modules/home/server
     - cat > hosts/nixos/chaostheatre/options-home.nix << EOF
     - { self, lib, ... }:
     - {
     - options = {
     - swarselsystems = {
     - modules = {
     - yubikey = lib.mkEnableOption "dummy option for chaostheatre";
     - env = lib.mkEnableOption "dummy option for chaostheatre";
     - git = lib.mkEnableOption "dummy option for chaostheatre";
     - mail = lib.mkEnableOption "dummy option for chaostheatre";
     - gammastep = lib.mkEnableOption "dummy option for chaostheatre";
     - };
     - };
     - };
     - }
     -EOF
      nix flake update vbc-nix
      git add .
      else
@@ -16382,15 +16788,18 @@ sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user"
 green "Generating hardware configuration ..."
 sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/
-green "Injecting initialSetup ..."
-sudo sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
-
 git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
 sudo mkdir -p /root/.local/share/nix/
 printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null
 green "Installing flake $target_config"
-sudo nixos-install --flake .#"$target_config"
+
+store_path=$(nix build --no-link --print-out-paths .#nixosConfigurationsMinimal."$target_config".config.system.build.toplevel)
+green "Linking generation in bootloader"
+sudo "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set $store_path"
+green "Setting generation to activate upon next boot"
+sudo "$store_path/bin/switch-to-configuration boot"
 green "Installation finished! Reboot to see changes"
+
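Review bot: The two new `sudo "..."` lines hand the whole command to sudo as a single quoted argument, so sudo looks for an executable literally named `/run/current-system/sw/bin/nix-env --profile … --set <path>` and fails, and the same happens for `sudo "$store_path/bin/switch-to-configuration boot"`; quote only the expansion, `sudo /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$store_path"` and `sudo "$store_path/bin/switch-to-configuration" boot`. `store_path=$(nix build …)` is not checked either, so a failed build would set the system profile to an empty path; add `[[ -n "$store_path" ]] || exit 1` unless the script runs under `set -e` (not visible in this hunk). The profile and switch-to-configuration paths carry no /mnt prefix, so if this step still runs from the live installer with the target mounted under /mnt, as the surrounding `nixos-generate-config --root /mnt` suggests, it would alter the live system's profile rather than the installed one — worth confirming which environment this runs in.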
@@ -16481,8 +16890,6 @@ if [[ $SECUREBOOT == "true" ]]; then
 sbctl enroll-keys --ignore-immutable --microsoft || true
 fi
-green "Disabling initialSetup"
-sed -i '/swarselsystems\.initialSetup = true;/d' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
 sudo nixos-rebuild --flake .#"$target_config" switch
 green "Post-install finished!"
@@ -16990,6 +17397,7 @@ in
 config = lib.mkIf config.swarselsystems.profiles.personal {
 swarselsystems.modules = {
 packages = lib.mkDefault true;
+ pii = lib.mkDefault true;
 general = lib.mkDefault true;
 home-manager = lib.mkDefault true;
 xserver = lib.mkDefault true;
@@ -17003,7 +17411,6 @@ in
 network = lib.mkDefault true;
 time = lib.mkDefault true;
 sops = lib.mkDefault true;
- pii = lib.mkDefault true;
 stylix = lib.mkDefault true;
 programs = lib.mkDefault true;
 zsh = lib.mkDefault true;
@@ -17046,12 +17453,112 @@ in
 }
+
    +
    +
    +
    +
    +
    3.5.1.2. Reduced
    +
    +
    +
    { lib, config, ... }:
    +{
    +  options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host";
    +  config = lib.mkIf config.swarselsystems.profiles.reduced {
    +    swarselsystems.modules = {
    +      packages = lib.mkDefault true;
    +      pii = lib.mkDefault true;
    +      general = lib.mkDefault true;
    +      home-manager = lib.mkDefault true;
    +      xserver = lib.mkDefault true;
    +      users = lib.mkDefault true;
    +      env = lib.mkDefault true;
    +      security = lib.mkDefault true;
    +      systemdTimeout = lib.mkDefault true;
    +      hardware = lib.mkDefault true;
    +      pulseaudio = lib.mkDefault true;
    +      pipewire = lib.mkDefault true;
    +      network = lib.mkDefault true;
    +      time = lib.mkDefault true;
    +      sops = lib.mkDefault true;
    +      stylix = lib.mkDefault true;
    +      programs = lib.mkDefault true;
    +      zsh = lib.mkDefault true;
    +      syncthing = lib.mkDefault true;
    +      blueman = lib.mkDefault true;
    +      networkDevices = lib.mkDefault true;
    +      gvfs = lib.mkDefault true;
    +      interceptionTools = lib.mkDefault true;
    +      swayosd = lib.mkDefault true;
    +      ppd = lib.mkDefault true;
    +      yubikey = lib.mkDefault true;
    +      ledger = lib.mkDefault true;
    +      keyboards = lib.mkDefault true;
    +      login = lib.mkDefault true;
    +      nix-ld = lib.mkDefault true;
    +      impermanence = lib.mkDefault true;
    +      nvd = lib.mkDefault true;
    +      gnome-keyring = lib.mkDefault true;
    +      sway = lib.mkDefault true;
    +      xdg-portal = lib.mkDefault true;
    +      distrobox = lib.mkDefault true;
    +      appimage = lib.mkDefault true;
    +      lid = lib.mkDefault true;
    +      lowBattery = lib.mkDefault true;
    +      lanzaboote = lib.mkDefault true;
    +      autologin = lib.mkDefault true;
    +
    +      server = {
    +        ssh = lib.mkDefault true;
    +      };
    +    };
    +
    +  };
    +
    +}
    +
    +
    +
    +
    +
    +
    +
    3.5.1.3. Minimal
    +
    +
    +
    { lib, config, ... }:
    +{
    +  options.swarselsystems.profiles.minimal = lib.mkEnableOption "declare this a minimal host";
    +  config = lib.mkIf config.swarselsystems.profiles.minimal {
    +    swarselsystems.modules = {
    +      general = lib.mkDefault true;
    +      home-manager = lib.mkDefault true;
    +      xserver = lib.mkDefault true;
    +      lanzaboote = lib.mkDefault true;
    +      time = lib.mkDefault true;
    +      users = lib.mkDefault true;
    +      impermanence = lib.mkDefault true;
    +      security = lib.mkDefault true;
    +      sops = lib.mkDefault true;
    +      pii = lib.mkDefault true;
    +      zsh = lib.mkDefault true;
    +      yubikey = lib.mkDefault true;
    +      autologin = lib.mkDefault true;
    +
    +      server = {
    +        ssh = lib.mkDefault true;
    +      };
    +    };
    +
    +  };
    +
    +}
    +
     
    -
    3.5.1.2. Chaostheatre
    +
    3.5.1.4. Chaostheatre
    { lib, config, ... }:
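Review bot: The new minimal NixOS profile (the block starting at `options.swarselsystems.profiles.minimal`) enables `autologin` by default next to `pii`, `sops` and `server.ssh`; if the `autologin` module does what its name suggests, a host that is otherwise stripped down but reachable over SSH also gets an unauthenticated console session on the machine that holds its sops-decrypted secrets. If that is meant only for the bootstrap case, a comment on that line such as `# bootstrap convenience; turn off once the host is provisioned` would keep the next reader from treating it as a safe default. The reduced profile appears to be an almost verbatim copy of the personal profile shown in the earlier hunks, so the two are likely to drift; deriving `reduced` from `personal` (enable the shared set once and override the few differences) or mapping `lib.mkDefault true` over a shared attribute list would keep them in sync.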
    @@ -17110,7 +17617,7 @@ in
     
    -
    3.5.1.3. toto
    +
    3.5.1.5. toto
    { lib, config, ... }:
    @@ -17119,6 +17626,7 @@ in
       config = lib.mkIf config.swarselsystems.profiles.toto {
         swarselsystems.modules = {
           general = lib.mkDefault true;
    +      packages = lib.mkDefault true;
           home-manager = lib.mkDefault true;
           xserver = lib.mkDefault true;
           users = lib.mkDefault true;
    @@ -17126,6 +17634,7 @@ in
           impermanence = lib.mkDefault true;
           lanzaboote = lib.mkDefault true;
           autologin = lib.mkDefault true;
    +      pii = lib.mkDefault true;
           server = {
             ssh = lib.mkDefault true;
           };
    @@ -17140,7 +17649,7 @@ in
     
    -
    3.5.1.4. Work
    +
    3.5.1.6. Work
    { lib, config, ... }:
    @@ -17162,7 +17671,7 @@ in
     
    -
    3.5.1.5. Framework
    +
    3.5.1.7. Framework
    { lib, config, ... }:
    @@ -17184,7 +17693,7 @@ in
     
    -
    3.5.1.6. AMD CPU
    +
    3.5.1.8. AMD CPU
    { lib, config, ... }:
    @@ -17206,7 +17715,7 @@ in
     
    -
    3.5.1.7. AMD GPU
    +
    3.5.1.9. AMD GPU
    { lib, config, ... }:
    @@ -17228,7 +17737,7 @@ in
     
    -
    3.5.1.8. Hibernation
    +
    3.5.1.10. Hibernation
    { lib, config, ... }:
    @@ -17250,7 +17759,7 @@ in
     
    -
    3.5.1.9. BTRFS
    +
    3.5.1.11. BTRFS
    { lib, config, ... }:
    @@ -17272,7 +17781,7 @@ in
     
    -
    3.5.1.10. Local Server
    +
    3.5.1.12. Local Server
    { lib, config, ... }:
    @@ -17316,6 +17825,8 @@ in
               koillection = lib.mkDefault true;
               radicale = lib.mkDefault true;
               atuin = lib.mkDefault true;
    +          forgejo = lib.mkDefault true;
    +          ankisync = lib.mkDefault true;
             };
           };
         };
    @@ -17328,13 +17839,13 @@ in
     
    -
    3.5.1.11. OCI Sync Server
    +
    3.5.1.13. OCI Sync Server
    { lib, config, ... }:
     {
    -  options.swarselsystems.profiles.server.sync = lib.mkEnableOption "is this a oci sync server";
    -  config = lib.mkIf config.swarselsystems.profiles.server.sync {
    +  options.swarselsystems.profiles.server.syncserver = lib.mkEnableOption "is this a oci syncserver server";
    +  config = lib.mkIf config.swarselsystems.profiles.server.syncserver {
         swarselsystems = {
           modules = {
             general = lib.mkDefault true;
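Review bot: The renamed option's description `"is this a oci syncserver server"` reads as a leftover from the search-and-replace (the word server is doubled and the article is wrong); since `lib.mkEnableOption` shows this text in generated option docs, change it to `lib.mkEnableOption "is this an OCI sync server"`. The rename `profiles.server.sync` to `profiles.server.syncserver` also needs every host that set the old path updated; the diff stat lists `hosts/nixos/milkywell/default.nix`, which is presumably where that happens, but it is not visible here.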
    @@ -17350,8 +17861,8 @@ in
               packages = lib.mkDefault true;
               nginx = lib.mkDefault true;
               ssh = lib.mkDefault true;
    -          forgejo = lib.mkDefault true;
    -          ankisync = lib.mkDefault true;
    +          forgejo = lib.mkDefault false;
    +          ankisync = lib.mkDefault false;
             };
           };
         };
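Review bot: `forgejo = lib.mkDefault false;` and `ankisync = lib.mkDefault false;` are only meaningful if those `mkEnableOption`s can be true through some other default, otherwise they are equivalent to not listing them; since the same two services are added to the local-server profile in the previous hunk, a one-line comment here, `# moved to the local server profile`, would record why they are explicitly off on the OCI host rather than simply dropped.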
    @@ -17364,7 +17875,7 @@ in
     
    -
    3.5.1.12. Moonside
    +
    3.5.1.14. Moonside
    { lib, config, ... }:
    @@ -17475,12 +17986,91 @@ in
     
     }
     
    +
    +
    +
    +
    +
    +
    3.5.2.2. Reduced
    +
    +
    +
    { lib, config, ... }:
    +{
    +  options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host";
    +  config = lib.mkIf config.swarselsystems.profiles.reduced {
    +    swarselsystems.modules = {
    +      packages = lib.mkDefault true;
    +      ownpackages = lib.mkDefault true;
    +      general = lib.mkDefault true;
    +      nixgl = lib.mkDefault true;
    +      sops = lib.mkDefault true;
    +      yubikey = lib.mkDefault true;
    +      ssh = lib.mkDefault true;
    +      stylix = lib.mkDefault true;
    +      desktop = lib.mkDefault true;
    +      symlink = lib.mkDefault true;
    +      env = lib.mkDefault true;
    +      programs = lib.mkDefault true;
    +      nix-index = lib.mkDefault true;
    +      passwordstore = lib.mkDefault true;
    +      direnv = lib.mkDefault true;
    +      eza = lib.mkDefault true;
    +      atuin = lib.mkDefault true;
    +      git = lib.mkDefault true;
    +      fuzzel = lib.mkDefault true;
    +      starship = lib.mkDefault true;
    +      kitty = lib.mkDefault true;
    +      zsh = lib.mkDefault true;
    +      zellij = lib.mkDefault true;
    +      tmux = lib.mkDefault true;
    +      mail = lib.mkDefault true;
    +      emacs = lib.mkDefault true;
    +      waybar = lib.mkDefault true;
    +      firefox = lib.mkDefault true;
    +      gnome-keyring = lib.mkDefault true;
    +      kdeconnect = lib.mkDefault true;
    +      mako = lib.mkDefault true;
    +      swayosd = lib.mkDefault true;
    +      yubikeytouch = lib.mkDefault true;
    +      sway = lib.mkDefault true;
    +      kanshi = lib.mkDefault false;
    +      gpgagent = lib.mkDefault true;
    +      gammastep = lib.mkDefault true;
    +
    +    };
    +  };
    +
    +}
    +
    +
    +
    +
    +
    +
    +
    3.5.2.3. Minimal
    +
    +
    +
    { lib, config, ... }:
    +{
    +  options.swarselsystems.profiles.minimal = lib.mkEnableOption "is this a personal host";
    +  config = lib.mkIf config.swarselsystems.profiles.minimal {
    +    swarselsystems.modules = {
    +      general = lib.mkDefault true;
    +      sops = lib.mkDefault true;
    +      kitty = lib.mkDefault true;
    +      zsh = lib.mkDefault true;
    +      git = lib.mkDefault true;
    +    };
    +  };
    +
    +}
    +
     
    -
    3.5.2.2. Chaostheatre
    +
    3.5.2.4. Chaostheatre
    { lib, config, ... }:
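Review bot: The home-manager minimal profile declares `options.swarselsystems.profiles.minimal = lib.mkEnableOption "is this a personal host";`, which is the description copied from the personal profile and contradicts both the option name and the NixOS-side counterpart that says "declare this a minimal host"; change it to `lib.mkEnableOption "is this a minimal host"`. In the reduced profile, `kanshi = lib.mkDefault false;` is the only explicit false among a long list of trues, so a short comment on why it is opted out would help, unless the intent is just to make the difference from the personal profile visible.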
    @@ -17533,7 +18123,7 @@ in
     
    -
    3.5.2.3. toto
    +
    3.5.2.5. toto
    { lib, config, ... }:
    @@ -17544,6 +18134,8 @@ in
           general = lib.mkDefault true;
           sops = lib.mkDefault true;
           ssh = lib.mkDefault true;
    +      kitty = lib.mkDefault true;
    +      git = lib.mkDefault true;
         };
       };
     
    @@ -17554,7 +18146,7 @@ in
     
    -
    3.5.2.4. Work
    +
    3.5.2.6. Work
    { lib, config, ... }:
    @@ -17575,7 +18167,7 @@ in
     
    -
    3.5.2.5. Framework
    +
    3.5.2.7. Framework
    { lib, config, ... }:
    @@ -17597,7 +18189,7 @@ in
     
    -
    3.5.2.6. Darwin
    +
    3.5.2.8. Darwin
    { lib, config, ... }:
    @@ -17616,7 +18208,7 @@ in
     
    -
    3.5.2.7. Local Server
    +
    3.5.2.9. Local Server
    { lib, config, ... }:
    @@ -23715,13 +24307,13 @@ Alternatively, to install this from any NixOS live ISO, run `nix run --experimen
     |💻 **nbl-imba-2**   | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                          |
     |💻 **nbm-imba-166** | MacBook Pro 2016                                    | MacOS Sandbox                                        |
     |🖥️ **winters**      | ASRock J4105-ITX, 32GB RAM                          | Main homeserver and data storgae                     |
    -|🖥️ **sync**         | Oracle Cloud: VM.Standard.E2.1.Micro                | Server for lightweight synchronization tasks         |
    +|🖥️ **milkywell**         | Oracle Cloud: VM.Standard.E2.1.Micro                | Server for lightweight synchronization tasks         |
     |🖥️ **moonside**     | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services  |
     |📱 **magicant**     | Samsung Galaxy Z Flip 6                             | Phone                                                |
     |💿 **drugstore**    | -                                                   | ISO installer configuration                          |
     |❔ **chaotheatre**  | -                                                   | Demo config for checking out my configurtion         |
     |❔ **toto**         | -                                                   | Helper configuration for bootstrapping a new system  |
    -|🏠 **home**         | -                                                   | Reference configuration for a home-manager only host |
    +|🏠 **Treehouse**         | -                                                   | Reference configuration for a home-manager only host |
     </details>
     
     ## General Nix tips & useful links
    @@ -23850,7 +24442,7 @@ If you feel that I forgot to pay you tribute for code that I used in this reposi
     

    Author: Leon Schwarzäugl

    -

    Created: 2025-07-04 Fr 18:25

    +

    Created: 2025-07-14 Mo 01:07

    Validate

diff --git a/install/installer-config.nix b/install/installer-config.nix
index 19874d6..f720a1c 100644
--- a/install/installer-config.nix
+++ b/install/installer-config.nix
@@ -81,6 +81,7 @@ in
 curl
 git
 gnupg
+ networkmanager
 rsync
 ssh-to-age
 sops
diff --git a/modules/home/common/env.nix b/modules/home/common/env.nix
index 3021bd8..a8acacd 100644
--- a/modules/home/common/env.nix
+++ b/modules/home/common/env.nix
@@ -1,7 +1,7 @@
-{ lib, config, globals, ... }:
+{ lib, config, globals, nixosConfig, ... }:
 let
- inherit (config.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
- inherit (config.repo.secrets.common) fullName;
+ inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
+ inherit (nixosConfig.repo.secrets.common) fullName;
 crocDomain = globals.services.croc.domain;
 in
 {
diff --git a/modules/home/common/gammastep.nix b/modules/home/common/gammastep.nix
index 0ce6d40..e6d9e73 100644
--- a/modules/home/common/gammastep.nix
+++ b/modules/home/common/gammastep.nix
@@ -1,6 +1,6 @@
-{ lib, config, ... }:
+{ lib, config, nixosConfig, ... }:
 let
- inherit (config.repo.secrets.common.location) latitude longitude;
+ inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
 in
 {
 options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings";
diff --git a/modules/home/common/git.nix b/modules/home/common/git.nix
index bb16547..97632a1 100644
--- a/modules/home/common/git.nix
+++ b/modules/home/common/git.nix
@@ -1,7 +1,7 @@
-{ lib, config, globals, minimal, ... }:
+{ lib, config, globals, minimal, nixosConfig, ... }:
 let
- inherit (config.repo.secrets.common.mail) address1;
- inherit (config.repo.secrets.common) fullName;
+ inherit (nixosConfig.repo.secrets.common.mail) address1;
+ inherit (nixosConfig.repo.secrets.common) fullName;
 gitUser = globals.user.name;
 in
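Review bot: `nixosConfig` becomes a required argument of env.nix, gammastep.nix and git.nix here (and of mail.nix, yubikey.nix and work.nix in the following hunks), and that argument is only provided when home-manager runs as the NixOS module, so any standalone home-manager evaluation that imports these modules now fails with a missing-argument error before `lib.mkIf` can even skip the body; the `config.swarselsystems.isNixos` check that yubikey.nix keeps suggests such hosts exist. If standalone use is still intended, make it optional and fall back, e.g. `{ lib, config, globals, nixosConfig ? null, ... }:` with `secrets = if nixosConfig != null then nixosConfig.repo.secrets else config.repo.secrets;` and inherit from `secrets`, or gate the module on `isNixos`. Whether any standalone host actually imports these modules is not visible from the diff.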
diff --git a/modules/home/common/mail.nix b/modules/home/common/mail.nix
index ec1ab97..ad5d529 100644
--- a/modules/home/common/mail.nix
+++ b/modules/home/common/mail.nix
@@ -1,7 +1,7 @@
-{ lib, config, ... }:
+{ lib, config, nixosConfig, ... }:
 let
- inherit (config.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host;
- inherit (config.repo.secrets.common) fullName;
+ inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host;
+ inherit (nixosConfig.repo.secrets.common) fullName;
 inherit (config.swarselsystems) xdgDir;
 in
 {
diff --git a/modules/home/common/sharedsetup.nix b/modules/home/common/sharedsetup.nix
index 3110029..ce37e10 100644
--- a/modules/home/common/sharedsetup.nix
+++ b/modules/home/common/sharedsetup.nix
@@ -1,4 +1,4 @@
-{ self, lib, pkgs, globals, minimal, ... }:
+{ self, config, lib, pkgs, globals, minimal, ... }:
 {
 options.swarselsystems = {
 isLaptop = lib.mkEnableOption "laptop host";
@@ -11,6 +11,10 @@
 type = lib.types.str;
 default = if (!minimal) then globals.user.name else "swarsel";
 };
+ sopsFile = lib.mkOption {
+ type = lib.types.str;
+ default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
+ };
 homeDir = lib.mkOption {
 type = lib.types.str;
 default = "/home/swarsel";
@@ -43,8 +47,6 @@
 stylix = lib.mkOption {
 type = lib.types.attrs;
 default = {
- enable = true;
- base16Scheme = "${self}/files/stylix/swarsel.yaml";
 polarity = "dark";
 opacity.popups = 0.5;
 cursor = {
diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix
index 2e61fb9..dd7361a 100644
--- a/modules/home/common/ssh.nix
+++ b/modules/home/common/ssh.nix
@@ -14,6 +14,10 @@
 hostname = "192.168.1.1";
 user = "root";
 };
+ "bakery" = {
+ hostname = "192.168.1.136";
+ user = "root";
+ };
 "winters" = {
 hostname = "192.168.1.2";
 user = "root";
diff --git a/modules/home/common/swayosd.nix b/modules/home/common/swayosd.nix
index 9af1ac8..e422fc2 100644
--- a/modules/home/common/swayosd.nix
+++ b/modules/home/common/swayosd.nix
@@ -1,9 +1,10 @@
-{ lib, config, ... }:
+{ lib, pkgs, config, ... }:
 {
 options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings";
 config = lib.mkIf config.swarselsystems.modules.swayosd {
 services.swayosd = {
 enable = true;
+ package = pkgs.dev.swayosd;
 topMargin = 0.5;
 };
 };
diff --git a/modules/home/common/yubikey.nix b/modules/home/common/yubikey.nix
index 2e8cb29..04e21f0 100644
--- a/modules/home/common/yubikey.nix
+++ b/modules/home/common/yubikey.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, nixosConfig, ... }:
 let
 inherit (config.swarselsystems) homeDir;
 in
@@ -13,8 +13,8 @@ in
 pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
 ids = [
- config.repo.secrets.common.yubikeys.dev1
- config.repo.secrets.common.yubikeys.dev2
+ nixosConfig.repo.secrets.common.yubikeys.dev1
+ nixosConfig.repo.secrets.common.yubikeys.dev2
 ];
 };
 };
diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix
index bd8e0c9..bbd5201 100644
--- a/modules/home/optional/work.nix
+++ b/modules/home/optional/work.nix
@@ -1,7 +1,6 @@
-{ self, config, pkgs, lib, ... }:
+{ self, config, pkgs, lib, nixosConfig, ... }:
 let
 inherit (config.swarselsystems) homeDir;
- inherit (config.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
 in
 {
 options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings";
@@ -39,131 +38,141 @@ in }; }; - stylix.targets.firefox.profileNames = [ - "${user1}" - "${user2}" - "${user3}" - "work" - ]; - - programs = { - git.userEmail = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" + stylix = { + targets.firefox.profileNames = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; + in + [ + "${user1}" + "${user2}" + "${user3}" + "work" ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - }; - - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - "${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "${site1}|${site2}"; - }; - } - config.swarselsystems.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - config.swarselsystems.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } - config.swarselsystems.firefox; - work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - 
"browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - config.swarselsystems.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; - }; }; + programs = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail; + in + { + git.userEmail = lib.mkForce gitMail; + + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; + }; + cdpath = [ + "~/Documents/Work" + ]; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; + }; + }; + + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in + { + "${user1}" = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = 
"${site1}|${site2}"; + }; + } + config.swarselsystems.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + config.swarselsystems.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + config.swarselsystems.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + config.swarselsystems.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + services = { kanshi = { settings = [ 
@@ -282,49 +291,53 @@ in }; }; - xdg = { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + xdg = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; + in + { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + }; }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = "Firefox ${user1}"; - exec = "firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - - - }; - }; swarselsystems = { startup = [ # { command = "nextcloud --background"; } 
diff --git a/modules/nixos/client/default.nix b/modules/nixos/client/default.nix
index b6b0e59..84ef47c 100644
--- a/modules/nixos/client/default.nix
+++ b/modules/nixos/client/default.nix
@@ -1,10 +1,7 @@
-{ lib, inputs, ... }:
+{ lib, ... }:
 let
 importNames = lib.swarselsystems.readNix "modules/nixos/client";
 in
 {
- imports = lib.swarselsystems.mkImports importNames "modules/nixos/client" ++ [
- inputs.stylix.nixosModules.stylix
- inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
- ];
+ imports = lib.swarselsystems.mkImports importNames "modules/nixos/client";
 }
diff --git a/modules/nixos/client/network.nix b/modules/nixos/client/network.nix
index e8eceb6..40ebbd0 100644
--- a/modules/nixos/client/network.nix
+++ b/modules/nixos/client/network.nix
@@ -1,11 +1,10 @@
 { self, lib, pkgs, config, ... }:
 let
 certsSopsFile = self + /secrets/certs/secrets.yaml;
- clientSopsFile = self + /secrets/${config.networking.hostName}/secrets.yaml;
+ clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
 inherit (config.swarselsystems) mainUser;
 inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
- inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
 iwd = config.networking.networkmanager.wifi.backend == "iwd";
 in
@@ -91,222 +90,226 @@ in environmentFiles = [ "${config.sops.templates."network-manager.env".path}" ]; - profiles = { - ${wlan1} = { - connection = { - id = wlan1; - permissions = ""; - type = "wifi"; + profiles = + let + inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips; + in + { + ${wlan1} = { + connection = { + id = wlan1; + permissions = ""; + type = "wifi"; + }; + ipv4 = { + dns-search = ""; + method = "auto"; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + dns-search = ""; + method = "auto"; + }; + wifi = { + mac-address-blacklist = ""; + mode = "infrastructure"; + ssid = wlan1; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-psk"; + psk = "WLAN1_PW"; + }; }; - ipv4 = { - dns-search = ""; - method = "auto"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - dns-search = ""; - method = "auto"; - }; - wifi = { - mac-address-blacklist = ""; - mode = "infrastructure"; - ssid = wlan1; - }; - wifi-security = { - auth-alg = "open"; - key-mgmt = "wpa-psk"; - psk = "WLAN1_PW"; - }; - }; - LAN-Party = { - connection = { - autoconnect = "false"; - id = "LAN-Party"; - type = "ethernet"; + LAN-Party = { + connection = { + autoconnect = "false"; + id = "LAN-Party"; + type = "ethernet"; + }; + ethernet = { + auto-negotiate = "true"; + cloned-mac-address = "preserve"; + }; + ipv4 = { method = "shared"; }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + proxy = { }; }; - ethernet = { - auto-negotiate = "true"; - cloned-mac-address = "preserve"; - }; - ipv4 = { method = "shared"; }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - proxy = { }; - }; - eduroam = { - "802-1x" = { - eap = if (!iwd) then "ttls;" else "peap;"; - identity = "$EDUROAM_USER"; - password = "$EDUROAM_PW"; - phase2-auth = "mschapv2"; - anonymous-identity = lib.mkIf iwd eduroam-anon; + eduroam = { + "802-1x" = { + eap = if (!iwd) then "ttls;" else "peap;"; + identity = "$EDUROAM_USER"; + 
password = "$EDUROAM_PW"; + phase2-auth = "mschapv2"; + anonymous-identity = lib.mkIf iwd eduroam-anon; + }; + connection = { + id = "eduroam"; + type = "wifi"; + }; + ipv4 = { method = "auto"; }; + ipv6 = { + addr-gen-mode = "default"; + method = "auto"; + }; + proxy = { }; + wifi = { + mode = "infrastructure"; + ssid = "eduroam"; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-eap"; + }; }; - connection = { - id = "eduroam"; - type = "wifi"; - }; - ipv4 = { method = "auto"; }; - ipv6 = { - addr-gen-mode = "default"; - method = "auto"; - }; - proxy = { }; - wifi = { - mode = "infrastructure"; - ssid = "eduroam"; - }; - wifi-security = { - auth-alg = "open"; - key-mgmt = "wpa-eap"; - }; - }; - local = { - connection = { - autoconnect = "false"; - id = "local"; - type = "ethernet"; + local = { + connection = { + autoconnect = "false"; + id = "local"; + type = "ethernet"; + }; + ethernet = { }; + ipv4 = { + address1 = "10.42.1.1/24"; + method = "shared"; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + proxy = { }; }; - ethernet = { }; - ipv4 = { - address1 = "10.42.1.1/24"; - method = "shared"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - proxy = { }; - }; - ${wlan2} = { - connection = { - id = wlan2; - type = "wifi"; + ${wlan2} = { + connection = { + id = wlan2; + type = "wifi"; + }; + ipv4 = { method = "auto"; }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + proxy = { }; + wifi = { + band = "bg"; + mode = "infrastructure"; + ssid = wlan2; + }; + wifi-security = { + key-mgmt = "wpa-psk"; + psk = "$WLAN2_PW"; + }; }; - ipv4 = { method = "auto"; }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - proxy = { }; - wifi = { - band = "bg"; - mode = "infrastructure"; - ssid = wlan2; - }; - wifi-security = { - key-mgmt = "wpa-psk"; - psk = "$WLAN2_PW"; - }; - }; - ${mobile1} = { - connection = { - id = mobile1; - type = "wifi"; + ${mobile1} = { + 
connection = { + id = mobile1; + type = "wifi"; + }; + ipv4 = { method = "auto"; }; + ipv6 = { + addr-gen-mode = "default"; + method = "auto"; + }; + proxy = { }; + wifi = { + mode = "infrastructure"; + ssid = mobile1; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-psk"; + psk = "$MOBILE_HOTSPOT_PW"; + }; }; - ipv4 = { method = "auto"; }; - ipv6 = { - addr-gen-mode = "default"; - method = "auto"; - }; - proxy = { }; - wifi = { - mode = "infrastructure"; - ssid = mobile1; - }; - wifi-security = { - auth-alg = "open"; - key-mgmt = "wpa-psk"; - psk = "$MOBILE_HOTSPOT_PW"; - }; - }; - home-wireguard = { - connection = { - id = "HomeVPN"; - type = "wireguard"; - autoconnect = "false"; - interface-name = "wg1"; + home-wireguard = { + connection = { + id = "HomeVPN"; + type = "wireguard"; + autoconnect = "false"; + interface-name = "wg1"; + }; + wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; }; + "wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = { + endpoint = "$HOME_WIREGUARD_ENDPOINT"; + allowed-ips = home-wireguard-allowed-ips; + }; + ipv4 = { + method = "ignore"; + address1 = home-wireguard-address; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "ignore"; + }; + proxy = { }; }; - wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; }; - "wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = { - endpoint = "$HOME_WIREGUARD_ENDPOINT"; - allowed-ips = home-wireguard-allowed-ips; - }; - ipv4 = { - method = "ignore"; - address1 = home-wireguard-address; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "ignore"; - }; - proxy = { }; - }; - pia-vpn1 = { - connection = { - autoconnect = "false"; - id = "PIA ${vpn1-location}"; - type = "vpn"; + pia-vpn1 = { + connection = { + autoconnect = "false"; + id = "PIA ${vpn1-location}"; + type = "vpn"; + }; + ipv4 = { method = "auto"; }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + proxy = { }; + vpn = { + auth = "sha1"; + ca = 
config.sops.secrets."pia-vpn1-ca-pem".path; + challenge-response-flags = "2"; + cipher = vpn1-cipher; + compress = "yes"; + connection-type = "password"; + crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path; + dev = "tun"; + password-flags = "0"; + remote = vpn1-address; + remote-cert-tls = "server"; + reneg-seconds = "0"; + service-type = "org.freedesktop.NetworkManager.openvpn"; + username = "$PIA_VPN_USER"; + }; + vpn-secrets = { password = "$PIA_VPN_PW"; }; }; - ipv4 = { method = "auto"; }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - proxy = { }; - vpn = { - auth = "sha1"; - ca = config.sops.secrets."pia-vpn1-ca-pem".path; - challenge-response-flags = "2"; - cipher = vpn1-cipher; - compress = "yes"; - connection-type = "password"; - crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path; - dev = "tun"; - password-flags = "0"; - remote = vpn1-address; - remote-cert-tls = "server"; - reneg-seconds = "0"; - service-type = "org.freedesktop.NetworkManager.openvpn"; - username = "$PIA_VPN_USER"; - }; - vpn-secrets = { password = "$PIA_VPN_PW"; }; - }; - Hotspot = { - connection = { - autoconnect = "false"; - id = "Hotspot"; - type = "wifi"; + Hotspot = { + connection = { + autoconnect = "false"; + id = "Hotspot"; + type = "wifi"; + }; + ipv4 = { method = "shared"; }; + ipv6 = { + addr-gen-mode = "default"; + method = "ignore"; + }; + proxy = { }; + wifi = { + mode = "ap"; + ssid = "Hotspot-${config.swarselsystems.mainUser}"; + }; + wifi-security = { + group = "ccmp;"; + key-mgmt = "wpa-psk"; + pairwise = "ccmp;"; + proto = "rsn;"; + psk = "$MOBILE_HOTSPOT_PW"; + }; }; - ipv4 = { method = "shared"; }; - ipv6 = { - addr-gen-mode = "default"; - method = "ignore"; - }; - proxy = { }; - wifi = { - mode = "ap"; - ssid = "Hotspot-${config.swarselsystems.mainUser}"; - }; - wifi-security = { - group = "ccmp;"; - key-mgmt = "wpa-psk"; - pairwise = "ccmp;"; - proto = "rsn;"; - psk = "$MOBILE_HOTSPOT_PW"; - }; - }; - }; + }; }; }; 
}; diff --git a/modules/nixos/client/nvd-rebuild.nix b/modules/nixos/client/nvd-rebuild.nix index 9b2b482..36f6188 100644 --- a/modules/nixos/client/nvd-rebuild.nix +++ b/modules/nixos/client/nvd-rebuild.nix @@ -2,6 +2,11 @@ { options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config"; config = lib.mkIf config.swarselsystems.modules.nvd { + + environment.systemPackages = [ + pkgs.nvd + ]; + system.activationScripts.diff = { supportsDryActivation = true; text = '' diff --git a/modules/nixos/client/packages.nix b/modules/nixos/client/packages.nix index 6d7b65e..d613402 100644 --- a/modules/nixos/client/packages.nix +++ b/modules/nixos/client/packages.nix @@ -75,6 +75,7 @@ elk-to-svg ] ++ lib.optionals minimal [ + networkmanager curl git gnupg diff --git a/modules/nixos/client/stylix.nix b/modules/nixos/client/stylix.nix index 849f295..8caa08d 100644 --- a/modules/nixos/client/stylix.nix +++ b/modules/nixos/client/stylix.nix @@ -1,13 +1,17 @@ -{ lib, config, ... }: +{ self, lib, config, ... }: { options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config"; - config = lib.mkIf config.swarselsystems.modules.stylix { - stylix = lib.recursiveUpdate - { - targets.grub.enable = false; # the styling makes grub more ugly - image = config.swarselsystems.wallpaper; - } - config.swarselsystems.stylix; + config = { + stylix = { + enable = true; + base16Scheme = "${self}/files/stylix/swarsel.yaml"; + } // lib.optionalAttrs config.swarselsystems.modules.stylix + (lib.recursiveUpdate + { + targets.grub.enable = false; # the styling makes grub more ugly + image = config.swarselsystems.wallpaper; + } + config.swarselsystems.stylix); home-manager.users."${config.swarselsystems.mainUser}" = { stylix = { targets = config.swarselsystems.stylixHomeTargets; diff --git a/modules/nixos/client/swayosd.nix b/modules/nixos/client/swayosd.nix index f1c0cdf..e0dcaeb 100644 --- a/modules/nixos/client/swayosd.nix +++ b/modules/nixos/client/swayosd.nix 
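Review bot: In the stylix.nix hunk, `stylix.enable = true` and `base16Scheme = "${self}/files/stylix/swarsel.yaml"` now sit outside the `lib.optionalAttrs config.swarselsystems.modules.stylix` guard, so every host that imports this module enables stylix even with the option off; if that is intended, a comment on the `config = {` line such as `# stylix is enabled unconditionally; the module option only adds wallpaper/grub tweaks` would make it explicit. The outer merge is `//`, which is shallow, so a `config.swarselsystems.stylix` value that happens to define `enable` or `base16Scheme` replaces these defaults wholesale rather than merging with them; `lib.recursiveUpdate` for that merge too, or a comment stating that overriding is allowed, would remove the ambiguity. The enclosing `config = {` attribute set continues past the end of the hunk.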
@@ -2,8 +2,8 @@ { options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; config = lib.mkIf config.swarselsystems.modules.swayosd { - environment.systemPackages = [ pkgs.swayosd ]; - services.udev.packages = [ pkgs.swayosd ]; + environment.systemPackages = [ pkgs.dev.swayosd ]; + services.udev.packages = [ pkgs.dev.swayosd ]; systemd.services.swayosd-libinput-backend = { description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc."; documentation = [ "https://github.com/ErikReider/SwayOSD" ]; @@ -14,7 +14,7 @@ serviceConfig = { Type = "dbus"; BusName = "org.erikreider.swayosd"; - ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend"; + ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend"; Restart = "on-failure"; }; }; diff --git a/modules/nixos/common/home-manager.nix b/modules/nixos/common/home-manager.nix index 37da96f..fb0b3ed 100644 --- a/modules/nixos/common/home-manager.nix +++ b/modules/nixos/common/home-manager.nix 
@@ -6,23 +6,24 @@ useGlobalPkgs = true; useUserPackages = true; verbose = true; - sharedModules = [ + users.swarsel.imports = [ inputs.nix-index-database.hmModules.nix-index inputs.sops-nix.homeManagerModules.sops + # inputs.stylix.homeModules.stylix { imports = [ "${self}/profiles/home" "${self}/modules/home" - "${self}/modules/nixos/common/pii.nix" - "${self}/modules/nixos/common/meta.nix" + # "${self}/modules/nixos/common/pii.nix" + # "${self}/modules/nixos/common/meta.nix" ]; - node = { - secretsDir = if config.swarselsystems.isNixos then ../../../hosts/nixos/${configName}/secrets else ../../../hosts/home/${configName}/secrets; - }; + # node = { + # secretsDir = if (!config.swarselsystems.isNixos) then ../../../hosts/home/${configName}/secrets else ../../../hosts/nixos/${configName}/secrets; + # }; home.stateVersion = lib.mkDefault config.system.stateVersion; } ]; - extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal; }; + extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal configName; }; }; }; } diff --git a/modules/nixos/common/lanzaboote.nix b/modules/nixos/common/lanzaboote.nix index 7d149c5..b4c671e 100644 --- a/modules/nixos/common/lanzaboote.nix +++ b/modules/nixos/common/lanzaboote.nix @@ -1,7 +1,12 @@ -{ lib, config, minimal, ... }: +{ lib, pkgs, config, minimal, ... }: { options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config"; config = lib.mkIf config.swarselsystems.modules.lanzaboote { + + environment.systemPackages = lib.mkIf config.swarselsystems.isSecureBoot [ + pkgs.sbctl + ]; + boot = { loader = { efi.canTouchEfiVariables = true; diff --git a/modules/nixos/common/settings.nix b/modules/nixos/common/settings.nix index 65ab5e8..22347bd 100644 --- a/modules/nixos/common/settings.nix +++ b/modules/nixos/common/settings.nix 
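Review bot: `users.swarsel.imports = [` in the home-manager.nix hunk hard-codes the user name, while the rest of the tree addresses the home-manager user via `config.swarselsystems.mainUser` (for example `home-manager.users."${config.swarselsystems.mainUser}"` in the stylix.nix hunk of this same commit); `users.${config.swarselsystems.mainUser}.imports = [` keeps the two in step. Moving from `sharedModules` to a single user's `imports` also means any additional home-manager user on a host no longer receives sops-nix, nix-index or the `${self}/modules/home` tree, which deserves a one-line comment if it is deliberate. The commented-out `pii.nix`/`meta.nix` imports and the `# node = { ... }` block are dead text on the new side; either delete them or replace them with a single comment saying where that configuration now lives.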
@@ -54,7 +54,9 @@ in config = lib.mkIf config.swarselsystems.modules.general (lib.recursiveUpdate { - sops.secrets.github-api-token = lib.mkIf (!minimal) { }; + sops.secrets.github-api-token = lib.mkIf (!minimal) { + sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; + }; nix = { package = pkgs.nixVersions.nix_2_28; diff --git a/modules/nixos/server/ankisync.nix b/modules/nixos/server/ankisync.nix index d3db63a..b7b3c6e 100644 --- a/modules/nixos/server/ankisync.nix +++ b/modules/nixos/server/ankisync.nix @@ -1,5 +1,7 @@ { self, lib, config, globals, ... }: let + inherit (config.swarselsystems) sopsFile; + servicePort = 27701; serviceName = "ankisync"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; @@ -12,11 +14,11 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - sops.secrets.swarsel = { owner = "root"; }; + sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; }; - topology.self.services.${serviceName} = { + topology.self.services.anki = { name = lib.mkForce "Anki Sync Server"; - icon = "${self}/files/topology-images/${serviceName}.png"; + icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png"; info = "https://${serviceDomain}"; }; @@ -30,12 +32,12 @@ in users = [ { username = ankiUser; - passwordFile = config.sops.secrets.swarsel.path; + passwordFile = config.sops.secrets.anki-pw.path; } ]; }; - services.nginx = { + nodes.moonside.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/croc.nix b/modules/nixos/server/croc.nix index 86dbe89..c3d9f1d 100644 --- a/modules/nixos/server/croc.nix +++ b/modules/nixos/server/croc.nix @@ -10,6 +10,8 @@ let serviceName = "croc"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + inherit (config.swarselsystems) sopsFile; + cfg = config.services.croc; in { 
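Review bot: The new `sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";` in settings.nix is a string built from `flakePath`, whereas every other module in this commit takes `config.swarselsystems.sopsFile` or a `self + /secrets/...` path; if I read sops-nix correctly, a plain string is not copied into the store, so the encrypted file must exist at that location on the target at activation time and the closure is no longer self-contained. If reading the general secrets from the deployed checkout is the intent, a comment on that line would stop the next reader from "fixing" it to match the others, e.g. `# string path on purpose: read from the live checkout, not from the store`. The enclosing `config = lib.mkIf ... (lib.recursiveUpdate` expression extends beyond the hunk.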
@@ -18,7 +20,7 @@ in sops = { secrets = { - croc-password = { }; + croc-password = { inherit sopsFile; }; }; templates = { diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix index 2b5c313..ce5e8ee 100644 --- a/modules/nixos/server/firefly-iii.nix +++ b/modules/nixos/server/firefly-iii.nix @@ -8,6 +8,7 @@ let nginxGroup = "nginx"; + inherit (config.swarselsystems) sopsFile; cfg = config.services.firefly-iii; in { @@ -25,7 +26,7 @@ in sops = { secrets = { - "firefly-iii-app-key" = { owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; }; + "firefly-iii-app-key" = { inherit sopsFile; owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; }; }; }; diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix index 0745438..a0ea0d5 100644 --- a/modules/nixos/server/forgejo.nix +++ b/modules/nixos/server/forgejo.nix @@ -1,6 +1,8 @@ { lib, config, pkgs, globals, ... }: let - servicePort = 3000; + inherit (config.swarselsystems) sopsFile; + + servicePort = 3004; serviceUser = "forgejo"; serviceGroup = serviceUser; serviceName = "forgejo"; @@ -22,13 +24,14 @@ in users.groups.${serviceGroup} = { }; sops.secrets = { - kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; globals.services.${serviceName}.domain = serviceDomain; services.${serviceName} = { enable = true; + stateDir = "/Vault/data/${serviceName}"; user = serviceUser; group = serviceGroup; lfs.enable = lib.mkDefault true; @@ -125,7 +128,7 @@ in ''; }; - services.nginx = { + nodes.moonside.services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix index 6454fb7..2e6e657 100644 --- a/modules/nixos/server/freshrss.nix 
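Review bot: `stateDir = "/Vault/data/${serviceName}";` in the forgejo.nix hunk relocates Forgejo's state, but nothing in the commit migrates the existing directory, so an already-deployed host will come up with an empty instance unless the old state is moved by hand; a comment on that line, `# moved from the default stateDir; copy existing data before switching`, or a line in the commit message would prevent that surprise. The same applies to `servicePort = 3004;` (was 3000) in the first hunk of this file: the `nodes.moonside.services.nginx` upstream below and anything else that references the port must follow, and since the upstream's `servers` block is cut off by the hunk I cannot confirm it uses `servicePort` rather than a literal.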
+++ b/modules/nixos/server/freshrss.nix @@ -1,12 +1,12 @@ { self, lib, config, ... }: let - inherit (config.repo.secrets.local.freshrss) defaultUser; - servicePort = 80; serviceName = "freshrss"; serviceUser = "freshrss"; serviceGroup = serviceName; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + + inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -22,9 +22,9 @@ in sops = { secrets = { - fresh = { owner = serviceUser; }; - "kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + freshrss-pw = { inherit sopsFile; owner = serviceUser; }; + kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + # freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; # templates = { @@ -55,15 +55,19 @@ in globals.services.${serviceName}.domain = serviceDomain; - services.${serviceName} = { - inherit defaultUser; - enable = true; - virtualHost = serviceDomain; - baseUrl = "https://${serviceDomain}"; - authType = "form"; - dataDir = "/Vault/data/tt-rss"; - passwordFile = config.sops.secrets.fresh.path; - }; + services.${serviceName} = + let + inherit (config.repo.secrets.local.freshrss) defaultUser; + in + { + inherit defaultUser; + enable = true; + virtualHost = serviceDomain; + baseUrl = "https://${serviceDomain}"; + authType = "form"; + dataDir = "/Vault/data/tt-rss"; + passwordFile = config.sops.secrets.freshrss-pw.path; + }; # systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [ # config.sops.templates.freshrss-env.path diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index 90eed84..6096297 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix 
@@ -1,6 +1,7 @@ { self, lib, pkgs, config, globals, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; + inherit (config.swarselsystems) sopsFile; servicePort = 8300; serviceUser = "kanidm"; 
@@ -30,15 +31,15 @@ in secrets = { "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-idm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-immich" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-paperless" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-forgejo" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-grafana" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-nextcloud" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-freshrss" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-oauth2-proxy" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; }; 
diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix index 2fe9752..e24fdb7 100644 --- a/modules/nixos/server/kavita.nix +++ b/modules/nixos/server/kavita.nix @@ -1,5 +1,7 @@ { self, lib, config, pkgs, ... }: let + inherit (config.swarselsystems) sopsFile; + servicePort = 8080; serviceName = "kavita"; serviceUser = "kavita"; @@ -16,7 +18,7 @@ in extraGroups = [ "users" ]; }; - sops.secrets.kavita = { owner = serviceUser; }; + sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; }; networking.firewall.allowedTCPPorts = [ servicePort ]; @@ -31,7 +33,7 @@ in enable = true; user = serviceUser; settings.Port = servicePort; - tokenKeyFile = config.sops.secrets.kavita.path; + tokenKeyFile = config.sops.secrets.kavita-token.path; dataDir = "/Vault/data/${serviceName}"; }; diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix index 07b45b1..d022495 100644 --- a/modules/nixos/server/koillection.nix +++ b/modules/nixos/server/koillection.nix @@ -9,14 +9,16 @@ let postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres postgresPort = config.services.postgresql.settings.port; # 5432 containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d"; + + inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselsystems.modules.server.${serviceName} { sops.secrets = { - koillection-db-password = { owner = postgresUser; group = postgresUser; mode = "0440"; }; - koillection-env-file = { }; + koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; }; + koillection-env-file = { inherit sopsFile; }; }; topology.self.services.${serviceName} = { 
@@ -70,7 +72,7 @@ in
 passwordPath = config.sops.secrets.koillection-db-password.path;
 in
 ''
- $PSQL -tA <<'EOF'
+ ${config.services.postgresql.package}/bin/psql -tA <<'EOF'
 DO $$
 DECLARE password TEXT;
 BEGIN
diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix
index 06a73c5..b95f03f 100644
--- a/modules/nixos/server/matrix.nix
+++ b/modules/nixos/server/matrix.nix
@@ -1,5 +1,7 @@
 { lib, config, pkgs, ... }:
 let
+ inherit (config.swarselsystems) sopsFile;
+
 servicePort = 8008;
 serviceName = "matrix";
 serviceDomain = config.repo.secrets.common.services.domains.matrix;
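Review bot: Replacing `$PSQL` with `${config.services.postgresql.package}/bin/psql -tA` in the koillection.nix hunk drops whatever connection options the previous variable carried; the module still binds `postgresPort = config.services.postgresql.settings.port` (visible in the earlier hunk of this file), so a server on a non-default port would no longer be reached. Passing the port explicitly, `${config.services.postgresql.package}/bin/psql --port=${toString postgresPort} -tA <<'EOF'`, gives that binding a purpose and, as far as I recall, mirrors what the NixOS postgresql module's own `$PSQL` expands to. The script and the service definition that runs it extend beyond the hunk, so I cannot tell which user or socket it connects with.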
@@ -29,29 +31,29 @@ in sops = { secrets = { - matrixsharedsecret = { owner = serviceUser; }; - mautrixtelegram_as = { owner = serviceUser; }; - mautrixtelegram_hs = { owner = serviceUser; }; - mautrixtelegram_api_id = { owner = serviceUser; }; - mautrixtelegram_api_hash = { owner = serviceUser; }; + matrix-shared-secret = { inherit sopsFile; owner = serviceUser; }; + mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; }; + mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; }; + mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; }; + mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; }; }; templates = { "matrix_user_register.sh".content = '' - register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort} + register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort} ''; matrixshared = { owner = serviceUser; content = '' - registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} + registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret} ''; }; mautrixtelegram = { owner = serviceUser; content = '' - MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} - MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} - MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} - MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} + MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token} + MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token} + MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id} + MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash} ''; }; }; 
diff --git a/modules/nixos/server/microbin.nix b/modules/nixos/server/microbin.nix index 99efa1a..06dc4f5 100644 --- a/modules/nixos/server/microbin.nix +++ b/modules/nixos/server/microbin.nix @@ -6,6 +6,8 @@ let serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; + inherit (config.swarselsystems) sopsFile; + cfg = config.services.${serviceName}; in { @@ -23,9 +25,9 @@ in sops = { secrets = { - microbin-admin-username = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - microbin-admin-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - microbin-uploader-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + microbin-admin-username = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + microbin-admin-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + microbin-uploader-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; templates = { diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index 8fe35f0..183cb90 100644 --- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix @@ -1,6 +1,5 @@ { self, lib, config, globals, ... }: let - servicePort = 3000; serviceUser = "grafana"; serviceGroup = serviceUser; @@ -10,11 +9,12 @@ let prometheusPort = 9090; prometheusUser = "prometheus"; prometheusGroup = prometheusUser; - nextcloudUser = config.repo.secrets.local.nextcloud.adminuser; grafanaUpstream = "grafana"; prometheusUpstream = "prometheus"; prometheusWebRoot = "prometheus"; kanidmDomain = globals.services.kanidm.domain; + + inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; 
@@ -22,9 +22,9 @@ in sops = { secrets = { - grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; }; @@ -84,7 +84,7 @@ in incrementalQueryOverlapWindow = "10m"; }; secureJsonData = { - basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}"; + basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}"; }; } ]; @@ -95,7 +95,7 @@ in analytics.reporting_enabled = false; users.allow_sign_up = false; security = { - admin_password = "$__file{/run/secrets/grafanaadminpass}"; + admin_password = "$__file{/run/secrets/grafana-admin-pw}"; cookie_secure = true; disable_gravatar = true; }; 
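Review bot: `basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}";` in the `@@ -84` hunk and `admin_password = "$__file{/run/secrets/grafana-admin-pw}";` in the `@@ -95` hunk hard-code the secret location, which is why this rename had to be chased through three places in monitoring.nix. The sops option already exposes the path, so `basicAuthPassword = "$__file{${config.sops.secrets.prometheus-admin-pw.path}}";` and `admin_password = "$__file{${config.sops.secrets.grafana-admin-pw.path}}";` follow any future rename or change of the secrets directory automatically. That is also the form the `passwordFile` references in the other modules of this commit use, so it would make this module consistent with them.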
@@ -130,74 +130,78 @@ in }; }; - prometheus = { - enable = true; - webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}"; - port = prometheusPort; - listenAddress = "0.0.0.0"; - globalConfig = { - scrape_interval = "10s"; - }; - webConfigFile = config.sops.templates.web-config.path; - scrapeConfigs = [ - { - job_name = "node"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; - }]; - } - { - job_name = "zfs"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; - }]; - } - { - job_name = "nginx"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; - }]; - } - { - job_name = "nextcloud"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; - }]; - } - ]; - exporters = { - node = { - enable = true; - port = 9000; - enabledCollectors = [ "systemd" ]; - extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; + prometheus = + let + nextcloudUser = config.repo.secrets.local.nextcloud.adminuser; + in + { + enable = true; + webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}"; + port = prometheusPort; + listenAddress = "0.0.0.0"; + globalConfig = { + scrape_interval = "10s"; }; - zfs = { - enable = true; - port = 9134; - pools = [ - "Vault" - ]; - }; - restic = { - enable = false; - port = 9753; - }; - nginx = { - enable = true; - port = 9113; - sslVerify = false; - scrapeUri = "http://localhost/nginx_status"; - }; - nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud { - enable = true; - port = 9205; - url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info"; - username = nextcloudUser; - passwordFile = config.sops.secrets.nextcloudadminpass.path; + webConfigFile = config.sops.templates.web-config.path; + scrapeConfigs = [ + { + job_name = 
"node"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + { + job_name = "zfs"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; + }]; + } + { + job_name = "nginx"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; + }]; + } + { + job_name = "nextcloud"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; + }]; + } + ]; + exporters = { + node = { + enable = true; + port = 9000; + enabledCollectors = [ "systemd" ]; + extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; + }; + zfs = { + enable = true; + port = 9134; + pools = [ + "Vault" + ]; + }; + restic = { + enable = false; + port = 9753; + }; + nginx = { + enable = true; + port = 9113; + sslVerify = false; + scrapeUri = "http://localhost/nginx_status"; + }; + nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud { + enable = true; + port = 9205; + url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info"; + username = nextcloudUser; + passwordFile = config.sops.secrets.nextcloud-admin-pw.path; + }; }; }; - }; }; diff --git a/modules/nixos/server/mpd.nix b/modules/nixos/server/mpd.nix index 9212229..454fbb1 100644 --- a/modules/nixos/server/mpd.nix +++ b/modules/nixos/server/mpd.nix @@ -1,5 +1,7 @@ { self, lib, config, pkgs, ... }: let + inherit (config.swarselsystems) sopsFile; + servicePort = 3254; serviceUser = "mpd"; serviceGroup = serviceUser; @@ -23,7 +25,7 @@ in }; sops = { - secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; environment.systemPackages = with pkgs; [ 
@@ -49,7 +51,7 @@ in }; credentials = [ { - passwordFile = config.sops.secrets.mpdpass.path; + passwordFile = config.sops.secrets.mpd-pw.path; permissions = [ "read" "add" diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix index f18274b..143c677 100644 --- a/modules/nixos/server/nextcloud.nix +++ b/modules/nixos/server/nextcloud.nix @@ -1,6 +1,7 @@ { pkgs, lib, config, ... }: let inherit (config.repo.secrets.local.nextcloud) adminuser; + inherit (config.swarselsystems) sopsFile; servicePort = 80; serviceUser = "nextcloud"; @@ -13,16 +14,8 @@ in config = lib.mkIf config.swarselsystems.modules.server.${serviceName} { sops.secrets = { - nextcloudadminpass = { - owner = serviceUser; - group = serviceGroup; - mode = "0440"; - }; - kanidm-nextcloud-client = { - owner = serviceUser; - group = serviceGroup; - mode = "0440"; - }; + nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; @@ -48,7 +41,7 @@ in extraAppsEnable = true; config = { inherit adminuser; - adminpassFile = config.sops.secrets.nextcloudadminpass.path; + adminpassFile = config.sops.secrets.nextcloud-admin-pw.path; dbtype = "sqlite"; }; }; diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index adc741b..354e444 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix @@ -2,6 +2,7 @@ let inherit (config.repo.secrets.common) dnsProvider; inherit (config.repo.secrets.common.mail) address3; + in { options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server"; 
@@ -11,10 +12,9 @@ in ]; sops = { - # secrets.dnstokenfull = { owner = "acme"; }; - secrets.dnstokenfull = { }; + secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} ''; }; diff --git a/modules/nixos/server/oauth2-proxy.nix b/modules/nixos/server/oauth2-proxy.nix index 69cb302..401cd6b 100644 --- a/modules/nixos/server/oauth2-proxy.nix +++ b/modules/nixos/server/oauth2-proxy.nix @@ -8,6 +8,8 @@ let kanidmDomain = globals.services.kanidm.domain; mainDomain = globals.domains.main; + + inherit (config.swarselsystems) sopsFile; in { options = { @@ -123,8 +125,8 @@ in sops = { secrets = { - "oauth2-cookie-secret" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-oauth2-proxy-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-oauth2-proxy-client" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; templates = { diff --git a/modules/nixos/server/packages.nix b/modules/nixos/server/packages.nix index 1781091..136245a 100644 --- a/modules/nixos/server/packages.nix +++ b/modules/nixos/server/packages.nix @@ -13,6 +13,7 @@ vim sops swarsel-deploy + tmux ]; }; } diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index 2749099..9d52754 100644 --- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix @@ -1,5 +1,7 @@ { lib, pkgs, config, globals, ... }: let + inherit (config.swarselsystems) sopsFile; + servicePort = 28981; serviceUser = "paperless"; serviceGroup = serviceUser; 
@@ -19,12 +21,8 @@ in }; sops.secrets = { - paperless_admin = { owner = serviceUser; }; - kanidm-paperless-client = { - owner = serviceUser; - group = serviceGroup; - mode = "0440"; - }; + paperless-admin-pw = { inherit sopsFile; owner = serviceUser; }; + kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; networking.firewall.allowedTCPPorts = [ servicePort ]; @@ -38,7 +36,7 @@ in dataDir = "/Vault/data/${serviceName}"; user = serviceUser; port = servicePort; - passwordFile = config.sops.secrets.paperless_admin.path; + passwordFile = config.sops.secrets.paperless-admin-pw.path; address = "0.0.0.0"; settings = { PAPERLESS_OCR_LANGUAGE = "deu+eng"; diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix index 046dffe..4d22aae 100644 --- a/modules/nixos/server/radicale.nix +++ b/modules/nixos/server/radicale.nix @@ -1,6 +1,5 @@ { self, lib, config, ... }: let - inherit (config.repo.secrets.local.radicale) user1; sopsFile = self + /secrets/winters/secrets2.yaml; servicePort = 8000; @@ -18,16 +17,20 @@ in sops = { secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - templates = { - "radicale-users" = { - content = '' - ${user1}:${config.sops.placeholder.radicale-user} - ''; - owner = serviceUser; - group = serviceGroup; - mode = "0440"; + templates = + let + inherit (config.repo.secrets.local.radicale) user1; + in + { + "radicale-users" = { + content = '' + ${user1}:${config.sops.placeholder.radicale-user} + ''; + owner = serviceUser; + group = serviceGroup; + mode = "0440"; + }; }; - }; }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; 
@@ -42,11 +45,12 @@ in "[::]:${builtins.toString servicePort}" ]; }; - auth = { - type = "htpasswd"; - htpasswd_filename = config.sops.templates.radicale-users.path; - htpasswd_encryption = "autodetect"; - }; + auth = + { + type = "htpasswd"; + htpasswd_filename = config.sops.templates.radicale-users.path; + htpasswd_encryption = "autodetect"; + }; storage = { filesystem_folder = "/Vault/data/radicale/collections"; }; diff --git a/modules/nixos/server/restic.nix b/modules/nixos/server/restic.nix index 4044808..804b18a 100644 --- a/modules/nixos/server/restic.nix +++ b/modules/nixos/server/restic.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, ... }: let - inherit (config.repo.secrets.local) resticRepo; + inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server"; @@ -8,9 +8,9 @@ in sops = { secrets = { - resticpw = { }; - resticaccesskey = { }; - resticsecretaccesskey = { }; + resticpw = { inherit sopsFile; }; + resticaccesskey = { inherit sopsFile; }; + resticsecretaccesskey = { inherit sopsFile; }; }; templates = { "restic-env".content = '' 
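Review bot: The rewrite of `auth =` onto its own line followed by an indented `{ ... };` in the radicale.nix `@@ -42` hunk adds a nesting level without binding anything, which looks like a leftover of the `let ... in` form introduced for `templates` in the previous hunk. Since there is no `let` here, the original single-line `auth = {` form is clearer and will not be re-flowed by the next formatter run; restoring `auth = {` / `type = "htpasswd";` / `... };` is a pure layout change with no effect on the generated configuration.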
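Review bot: `resticpw = { inherit sopsFile; };`, `resticaccesskey` and `resticsecretaccesskey` in the restic.nix `@@ -8` hunk keep their run-together names, while the rest of this commit moves secrets to the hyphenated `<service>-<purpose>` scheme (`anki-pw`, `mpd-pw`, `grafana-admin-pw`, `acme-dns-token`). If the rename was deferred on purpose, a short comment above the block would save the next reader from assuming it was missed; otherwise `restic-pw`, `restic-access-key` and `restic-secret-access-key`, with matching updates to the `restic-env` template and the `passwordFile` reference in the following hunk, would finish the migration. The keys in the encrypted sops file have to be renamed in step, which this diff cannot show.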
@@ -20,35 +20,39 @@ in }; }; - services.restic = { - backups = { - SwarselWinters = { - environmentFile = config.sops.templates."restic-env".path; - passwordFile = config.sops.secrets.resticpw.path; - paths = [ - "/Vault/data/paperless" - "/Vault/Eternor/Paperless" - "/Vault/Eternor/Bilder" - "/Vault/Eternor/Immich" - ]; - pruneOpts = [ - "--keep-daily 3" - "--keep-weekly 2" - "--keep-monthly 3" - "--keep-yearly 100" - ]; - backupPrepareCommand = '' - ${pkgs.restic}/bin/restic prune - ''; - repository = "${resticRepo}"; - initialize = true; - timerConfig = { - OnCalendar = "03:00"; + services.restic = + let + inherit (config.repo.secrets.local) resticRepo; + in + { + backups = { + SwarselWinters = { + environmentFile = config.sops.templates."restic-env".path; + passwordFile = config.sops.secrets.resticpw.path; + paths = [ + "/Vault/data/paperless" + "/Vault/Eternor/Paperless" + "/Vault/Eternor/Bilder" + "/Vault/Eternor/Immich" + ]; + pruneOpts = [ + "--keep-daily 3" + "--keep-weekly 2" + "--keep-monthly 3" + "--keep-yearly 100" + ]; + backupPrepareCommand = '' + ${pkgs.restic}/bin/restic prune + ''; + repository = "${resticRepo}"; + initialize = true; + timerConfig = { + OnCalendar = "03:00"; + }; }; - }; + }; }; - }; }; } diff --git a/modules/nixos/server/shlink.nix b/modules/nixos/server/shlink.nix index d1615a9..e388ad3 100644 --- a/modules/nixos/server/shlink.nix +++ b/modules/nixos/server/shlink.nix @@ -5,6 +5,8 @@ let serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a"; + + inherit (config.swarselsystems) sopsFile; in { options = { @@ -14,7 +16,7 @@ in sops = { secrets = { - shlink-api = { }; + shlink-api = { inherit sopsFile; }; }; templates = { diff --git a/nix/hosts.nix b/nix/hosts.nix index fe51c40..192c521 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix 
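Review bot: `backupPrepareCommand = '' ${pkgs.restic}/bin/restic prune ''` now sits next to `pruneOpts`, which already makes the NixOS restic module run `restic forget --prune` after each backup, so every timer run prunes the repository twice — once before the snapshot is taken and once after. The pre-backup prune is the destructive, lock-holding step and executes even if the backup that follows fails, so I'd drop the prepare command and leave pruning to `pruneOpts` in one place. Moving `inherit (config.repo.secrets.local) resticRepo;` into a local `let` is fine; if `resticRepo` is already a string, `repository = resticRepo;` avoids the redundant interpolation in `repository = "${resticRepo}";`.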
@@ -16,6 +16,8 @@ inputs.lanzaboote.nixosModules.lanzaboote inputs.nix-topology.nixosModules.default inputs.home-manager.nixosModules.home-manager + inputs.stylix.nixosModules.stylix + inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm "${self}/hosts/nixos/${configName}" "${self}/profiles/nixos" "${self}/modules/nixos" diff --git a/profiles/home/personal/default.nix b/profiles/home/personal/default.nix index e64605e..767629b 100644 --- a/profiles/home/personal/default.nix +++ b/profiles/home/personal/default.nix @@ -4,7 +4,6 @@ config = lib.mkIf config.swarselsystems.profiles.personal { swarselsystems.modules = { packages = lib.mkDefault true; - pii = lib.mkDefault true; ownpackages = lib.mkDefault true; general = lib.mkDefault true; nixgl = lib.mkDefault true; diff --git a/profiles/home/reduced/default.nix b/profiles/home/reduced/default.nix new file mode 100644 index 0000000..48ca3ce --- /dev/null +++ b/profiles/home/reduced/default.nix 
@@ -0,0 +1,47 @@ +{ lib, config, ... }: +{ + options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host"; + config = lib.mkIf config.swarselsystems.profiles.reduced { + swarselsystems.modules = { + packages = lib.mkDefault true; + ownpackages = lib.mkDefault true; + general = lib.mkDefault true; + nixgl = lib.mkDefault true; + sops = lib.mkDefault true; + yubikey = lib.mkDefault true; + ssh = lib.mkDefault true; + stylix = lib.mkDefault true; + desktop = lib.mkDefault true; + symlink = lib.mkDefault true; + env = lib.mkDefault true; + programs = lib.mkDefault true; + nix-index = lib.mkDefault true; + passwordstore = lib.mkDefault true; + direnv = lib.mkDefault true; + eza = lib.mkDefault true; + atuin = lib.mkDefault true; + git = lib.mkDefault true; + fuzzel = lib.mkDefault true; + starship = lib.mkDefault true; + kitty = lib.mkDefault true; + zsh = lib.mkDefault true; + zellij = lib.mkDefault true; + tmux = lib.mkDefault true; + mail = lib.mkDefault true; + emacs = lib.mkDefault true; + waybar = lib.mkDefault true; + firefox = lib.mkDefault true; + gnome-keyring = lib.mkDefault true; + kdeconnect = lib.mkDefault true; + mako = lib.mkDefault true; + swayosd = lib.mkDefault true; + yubikeytouch = lib.mkDefault true; + sway = lib.mkDefault true; + kanshi = lib.mkDefault false; + gpgagent = lib.mkDefault true; + gammastep = lib.mkDefault true; + + }; + }; + +} diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix index 0239082..6cb9a55 100644 --- a/profiles/nixos/localserver/default.nix +++ b/profiles/nixos/localserver/default.nix @@ -39,6 +39,8 @@ koillection = lib.mkDefault true; radicale = lib.mkDefault true; atuin = lib.mkDefault true; + forgejo = lib.mkDefault true; + ankisync = lib.mkDefault true; }; }; }; diff --git a/profiles/nixos/reduced/default.nix b/profiles/nixos/reduced/default.nix new file mode 100644 index 0000000..3993fac --- /dev/null +++ b/profiles/nixos/reduced/default.nix 
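Review bot: The module list in the new profiles/home/reduced/default.nix appears to be a copy of profiles/home/personal/default.nix with some entries changed (the four context lines visible in the personal hunk just above — packages, ownpackages, general, nixgl — recur here in the same order), and nothing records what "reduced" actually drops, so the two lists will drift silently. A header comment naming the delta would help, e.g. `# Same module set as profiles/home/personal/default.nix except: <list the differences>; keep both files in sync.`, and the option description `is this a reduced personal host` could say what is reduced. `kanshi = lib.mkDefault false;` is the only visibly divergent value; if `modules.kanshi` is a `mkEnableOption` like `modules.server.restic` in restic.nix, false is already its default and the line can go. The blank line before the closing `};` of the module set and the one before the final `}` look like leftovers.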
@@ -0,0 +1,55 @@ +{ lib, config, ... }: +{ + options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host"; + config = lib.mkIf config.swarselsystems.profiles.reduced { + swarselsystems.modules = { + packages = lib.mkDefault true; + pii = lib.mkDefault true; + general = lib.mkDefault true; + home-manager = lib.mkDefault true; + xserver = lib.mkDefault true; + users = lib.mkDefault true; + env = lib.mkDefault true; + security = lib.mkDefault true; + systemdTimeout = lib.mkDefault true; + hardware = lib.mkDefault true; + pulseaudio = lib.mkDefault true; + pipewire = lib.mkDefault true; + network = lib.mkDefault true; + time = lib.mkDefault true; + sops = lib.mkDefault true; + stylix = lib.mkDefault true; + programs = lib.mkDefault true; + zsh = lib.mkDefault true; + syncthing = lib.mkDefault true; + blueman = lib.mkDefault true; + networkDevices = lib.mkDefault true; + gvfs = lib.mkDefault true; + interceptionTools = lib.mkDefault true; + swayosd = lib.mkDefault true; + ppd = lib.mkDefault true; + yubikey = lib.mkDefault true; + ledger = lib.mkDefault true; + keyboards = lib.mkDefault true; + login = lib.mkDefault true; + nix-ld = lib.mkDefault true; + impermanence = lib.mkDefault true; + nvd = lib.mkDefault true; + gnome-keyring = lib.mkDefault true; + sway = lib.mkDefault true; + xdg-portal = lib.mkDefault true; + distrobox = lib.mkDefault true; + appimage = lib.mkDefault true; + lid = lib.mkDefault true; + lowBattery = lib.mkDefault true; + lanzaboote = lib.mkDefault true; + autologin = lib.mkDefault true; + + server = { + ssh = lib.mkDefault true; + }; + }; + + }; + +} diff --git a/profiles/nixos/syncserver/default.nix b/profiles/nixos/syncserver/default.nix index b1ce625..a784c87 100644 --- a/profiles/nixos/syncserver/default.nix +++ b/profiles/nixos/syncserver/default.nix 
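Review bot: `autologin = lib.mkDefault true;` in the new profiles/nixos/reduced/default.nix turns on passwordless console login for every host that sets `profiles.reduced`, and the option description "is this a reduced personal host" gives no hint that this is part of the profile. Whether that is acceptable depends on pre-boot disk encryption, which is configured per host and not visible here; `lanzaboote = lib.mkDefault true;` in the same list suggests boot integrity matters for these machines, which makes an unauthenticated console the weaker link. I'd default it to `lib.mkDefault false` in the profile and set it explicitly in hosts/nixos/<host>/default.nix for the machines that want it, or at least record the assumption next to the line: `# autologin relies on every reduced host unlocking its disk with a passphrase at boot`. The same stray blank lines before `};` and before the final `}` as in the home profile appear here.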
@@ -17,8 +17,8 @@ packages = lib.mkDefault true; nginx = lib.mkDefault true; ssh = lib.mkDefault true; - forgejo = lib.mkDefault true; - ankisync = lib.mkDefault true; + forgejo = lib.mkDefault false; + ankisync = lib.mkDefault false; }; }; }; diff --git a/secrets/bakery/secrets.yaml b/secrets/bakery/secrets.yaml new file mode 100644 index 0000000..429dee6 --- /dev/null +++ b/secrets/bakery/secrets.yaml 
@@ -0,0 +1,48 @@ +home-wireguard-client-private-key: ENC[AES256_GCM,data:ozkjvpAAo33495w2c06Iu1ZFvh+IGNXUDYuWVWACBoNRQSKaBX00c3Ynd10=,iv:wbeYJFEopuANyiKnWoCBESxa1dB/insEFJChEqxm/Pk=,tag:QfvICpbK5fiNEDhRLxQYGQ==,type:str] +sops: + age: + - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Q0Z6VUR4VjgremM4UHBZ + Tk5vSm1Ma1RzMkZNRVE5NHBtMG8vNFVXR2l3Ck1yN3NoS1UyOWMyRXZTdndwaXdW + MHRkU0d0YThST1VEdVJXQ2IyMDlwaUUKLS0tIENrV0tLK2QrK2t3d3FlZU1WMVIw + aVN2eEE2WDE0RHZxNTN0aXVZbGJoUXMKjje3viWHrfHFnxoXOS3R1/TEEr2nV2Dv + 2Tepz+F/vrNkH705fVePD+SmPXv0j+bEH5Lf3vLi/9zFqhrqgFDExw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-13T11:20:48Z" + mac: ENC[AES256_GCM,data:vqg0HHoDSLlPFh++CZZBpALrIOrnBtLL30XWzoXpYXMBKM/XCKGhjFPmna/ew5stK7ylNjIiAmvX8rZB3ynG5Si1/4zfGV8aKvVKhcrUjB1Upkphq7jFb0MI2JoJN9dv4SDVwKtiog8T9aYImNXe62/nMI/5xHlF1moY6JXDE0s=,iv:LprVDQU9KeSwuC/cmy06YQeCMYhaEygb44I+GkvnbiI=,tag:fodgL725veQmxsLuA57nDA==,type:str] + pgp: + - created_at: "2025-07-13T11:20:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAtBAhSfBmcZqHKU+JiBPcs8WftmIZ1L48ERCyWAfh5iHJ + lfGyM61PVxb7qAFbXf+sXsZX2QtMVjobqYgAlibGLnlUl6f1RaFHdfkbUIr2NGY+ + gjCZEGUmunwRzd9hozXj12B1juop8nB5kAdeGhJ/H9CIJofYalkqlU33YNLcROa/ + lGqV4Xu89QfMm+tXzz8JpsXnW+1z1j/9j0Om3KNQYN7t04BmNAYwSymFuubFEnFR + Y+tvBPqDPhpxT3YvRIkbPGhnWZBlr60owL8S1nKujVLQmSr/DjwS+om12kPl+Tpy + s0jAVB5ja6FCIE6pa5WMV3wNUinis/a/P6xJGiFxS47ZLoVjQjuF2y0pW3N8O/8v + mm7Q7J5rWjF4odZfDyfpPdh3+Gmb2cUERpK0i0BDT8xAo+6F4EkcsWrTb8BrI56X + NaTPFLenluIedqqewgN6AVjX0WaxZRdQIKupmujeWefhBgDwX++5misZdCErqLcX + uG0R8ziHGi13dm7mhn+PorFEMRcAHhQqVIA9Ck/Eg48W3GQcbGlOl6e/0S84g+YU + ndfz2J4qbJtJk/RmarpbSE2kI3edfs1DC0nM1YUIUHm91UxXZ/yhXSiR0BsW0BpG + YRtyT6TpseAfBhyMgFjeyiDk3ngLHogJT8ov706X+jG2IGz1n6MldM8EMKry8amF + AgwDC9FRLmchgYQBD/wLPUOWXyhPfuXkPuC4wOdH8q7uvIpDCJM1QfegvM0Vbfaa + 
BcqU8V0uC2+XirM3nLYjfgEuLtXpDnPnGx26jYXiAwO2rzurWW3Z9BJzyp+n5fBb + uoWCfTlihAznDOW5TvPTUpgosZShFKGs4Gh8Nvcm2lqx8wQfOjSYJnLdotmOYEJi + t38OTIFDobNATXvsuNHSocue5TjgCHwLvSFUPg+o0s1Xx3DSMytX83slXuYd+WRx + GbA0wQDxV03kH27AkhsvYefcsntxOW/FsZk5XzARtkCRdtBfiRb4bRRWsrrnzNBT + 6hCb8+MCmnCeFFJRkj0izsA00j0Q6tE8s+NlhpeNIB0p1bxOvjyeJyOEBwI+G/s+ + vE1mewutNnPYploy+E+zsmszSrWwGe97QL1rKmVgYMirLKtGo2CBHlRsgmpdhoNZ + ADrgwNCAUPD5K4eEi1Dl87p1LbdjCd4CY+c50NWpnJP//LAvTVjZFqkQr7xgnBqO + maPzDbHCQgjboSWHA/bBDlv0b164NsWJtpDrf+z9R92bhCvjTtQxQdcJ4ZXz8HWU + Z32ilAALR+uySN9gLoaVMMZyQ5vELWvFK66zMBpk3wLWPEus0e9zOA764+JYXbUG + 25T6DbKNNBDtnT9w2ZRrmrK/B2CsFbZDQ4R+pom8Q8IeSke90d+jDAZzHF1erdJe + AYZ0wZtqJgw+IJL4TI9QEgFBGa1z/+83ZFuztRmwQJIawEHisWt+3cj+mbZKSHRS + aRRmLWPtvK9w/RSeoI7op7s3rUdpl/FabzcIudRYqtRiP9/Syly52YkRD7503w== + =hhjd + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/secrets/certs/secrets.yaml b/secrets/certs/secrets.yaml index 30ca906..3f54024 100644 --- a/secrets/certs/secrets.yaml +++ b/secrets/certs/secrets.yaml 
@@ -7,80 +7,89 @@ sops: - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcmpISEJCeDFtaHlMaUp6 - RlI5QnVSQ01OSVViMHZROFozWE03QU1ob2pjCk1ySzZDSUtoaTN0TSswN1R4Q1Q5 - azB0Y1RUWTc4dXN2OE00cFBNeGY2ZVEKLS0tIHM1ZTFON2k1eW1MNzFWUWs4Vmwv - SjhWM3daU3ZGUE1Ud293NENxVVUyRHMK3beWpg6G/gn8kT+ZZtnlnCw+K4Pr5O06 - UNFlbnWIxNzJ7ML5Rd3u88XOLmD7OO4sxwQCNZgFCFfljiyl3UW27A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieGlsd0NScm5WYldITTJ2 + cG9mcnBKSGo2eXlFaURNa2FxNkZ1MGNVTjJZCldROGZiWGp0dXlMc3cwbFh0cG5H + RDNPNUtWNFBlTG1lOUo5QVJMdncxYUEKLS0tIDNJKzc1WExlTW5ycTQyVFlXQVAz + cTRDK1h5Z3NjK0h1QnhNSm51YjA4VUkKUlshWYOQLs1z8AOsFvjfl+RJBvmJWU39 + oVVvBEkCF6pw/yZp7Zp6ejLpVQojqT0JvLzSMA0tJBt9QvNmdTT1xQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcEh3MGxWRGJPeEQvNGlh + bEc5T3ZRYkhkdkZFQy9zRHBNeksrRG56T1R3CjUxMUxhbDduRWo0N3FwaUYrUFpu + S0t6bGdXYTZGMmcyeElXcDJ1Z3QzVGMKLS0tIGRUWG9GYi9vT3dzSFh1aFRKNWhH + M2pGTzR6T29tcVltS21RMkNCcFpPc0kKkXGoVCNU72f8efjJvtz7cbUpPcfVG3Dl + puffE6poAyeevdSW5cAFGNgJMMWzyweUf5QvX0lu9i0CpuLFFTdacQ== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c3pjTmFPZzF3NTFla0c5 - QmEwa3R5NG9NVnNQUVZWTjY3VkxtaWlFRXdFCnpwSnpJU0RMSkxrUVpIdk5ycVF1 - c0ZTbGNRK2RqNTVtb1ozSUZjeTYwbHMKLS0tIFEzcG1xdCt1Wmw0S2NtMHk2TGJ6 - bU13M2NvNVQxbnJGTEl1Q09YcE5Mb1EKpCJSyUVvDndc7/RkPGcutcfOz1lM6WWp - lRBXFELXRmdRFAF4F+7sEICIu+3zJ/bpycQPGBIfjD8uYNSa5GRbng== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZzFNdmJpTDVFTlJPN3ZV + cWNNaGE1bzNmbjQ0TUh3bVJXZm85R1hDOEh3Cm1GQmxsTWJxWWl5eDUvUk9DTkRP + L3pNVEovc2FLSFgxZHQ5L051VlptSlUKLS0tIHVUSUZsMm9SRE1INDExR3djMmR5 + 
dlJMc1ladVduUExXZVdHNlY4TU9UOHcKh9lzumXbRm2lkNPw39EQ990cNznX6Hj2 + s2dMmqHIbanQ0VCGW2Bwi542sII7qT4YW87EX+0LpUN+6bHKCR/YhQ== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY3JVbU5OSithUVJSaERk - V25zbmJ4Z3NkNkxaeFZMRmZLTG1RWG1OdzA4CklvZ2lTMGZXSHRpMzkrSGdIdSs2 - N0NTZzI1YjVCVzFkNDJJMld1Vmt5QUEKLS0tIE9uUDY0WDM5RzVQUFN4WGFZL3M4 - YUtnZjBwTi80VURBNmhBQjNxMmE1UlEKsMUniG4+/nvrqXH0AoB7I0sVRBfevGov - bqbZWhQoxo2lCly9RVT1EjJdk6pbes1qy4/H4vNMmjsUn0Pac4FE+A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cHpkZFBES3B0bGNUYjU3 + Yi9kTVNNNDNSTG4xK3NMMmxFSTd3VEJtdEVJCnFYengyY291ZFNyNE1hQ3ZVSDA1 + SXVkNDdVUjRDNHorZGlOQWM3V1QzcUkKLS0tIDZmekswRXB3OWRDVi9icUw1ZVFs + NytRZVZXTzhhRmZqeGxRZ1lQdVBYMzgKs8tR6IlB84pbS9/T4fixD43hDIrHeDIY + Bk0d64w2bkUJk7xKjxY+SNk9RHqLYmaHSudLVSlbSZ96exNBt/L9jA== -----END AGE ENCRYPTED FILE----- - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNGdEZEI5QlVmQXp2MWp1 - YkRnUWM0S2k4ZEk4R21rc3ZsTGdzUjlOY25nCkg2OEZ3blpzem5QTktoTVB6eXNS - NzRVejNuS1NpbzN0ZDE2dzBldUR6bm8KLS0tIHJmT2t1UGZGVWFMNTN3WmRVOVZm - QVpQS1ZGbWdOYXNsNmlFYTNhUnIyZFEKBQaXEuhKe/qvqmXK6G/Ew+gwY8NgvyVm - Kd13hqsHcllaiAwg2lZ7RMl8gbKY9Sa6iQ1laV+0LHiEc/1hbg9sWg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOaUFqYVFHcnM0ZllNYUR5 + a09mZVA0OWhNSnI0aUw5WFZlaHUzN2lRR0NvCkhaaUVSWUxuQU9qRHpSdTROSVJi + SS9YQTdtdzdWNnhRd2FSdFpVTHVvWlEKLS0tIGVkN3Q1UE9NSXZGWHRGRGwzZGRh + Ni8rbWRWSkdtc1BwdGlaVGlNZExBWWcKbHXUCrg7c1Ekq2bQs/m22TwBijcG+3WP + vNp6a5V0wDgoDP49W4AodMarygePJzW/NgndlUXqIWuIbm6VFUEHRQ== -----END AGE ENCRYPTED FILE----- - - recipient: age1gj6uhy8lx9asjhwmqcmm4rtu6wptrd9dr42lhf9xreet6tra4fpswkvket + - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ1J4SFQ4K3RVTUlGRGxx - UzZhMnBXUGNYZ1dvbFozS3krVjBLUGFGQm1BCmdBQjhlcFhPaFk4RmtIRGFSUSsz - R2ZIR2VwQUZIaUZ4RWRLN01XdndURDQKLS0tIGg0eG9tVlB1WDhoRUpnZXhlQ21w - M3FXei9menJlNjB4ZFFoQURhdHFCUjgKmkTR92+6hZ705u9I5VPyJVfD5HrLxk7m - 7O1EPw9oPNSihFhl85PbQTAJWVMjRmJFFdDxz/I0XuHKE/XaNW+ijA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLdlF3bzF4d004VS9NcHNH + ZnBEa2xHd3ZUYW5NUlVGd2JxRGJPcW9lT2tRCnVSUWx4Z1g2U2pyNjhaWnVxdDEx + SGtSNTdrMmtHeUtuL1lWQi9FUTZyZW8KLS0tIE1tNTdoOFdQV1p4MGNUYWtRQ0N5 + bFNpdm00MXJIMCtxelVIMXVtNG5XWlUKtkL3P6x2rafYSTCW5zv/54tgU20FYwhi + RFc5sZRkgXhoXw+zrKkhDc28Xn+Aby2pUth9ihs1ngVB8OUqAZbrXg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-07-05T11:01:02Z" mac: ENC[AES256_GCM,data:XnLmZ65mZqoTHQfSKdvPVr+IGb1mb0nFRQLBiVPSyKfg9ABlqwsht3sykR+enDkmIk1urRewpKvPRr1YyLKAezHaE2I5CQdRwMViGTxbtN18SCqlKcL6CgGzC7UzAI8A2jVqB6D9swCx63TEOwnaWySBFnQuOog58R43rhxcJJc=,iv:U0ZMZZyuRJVAE0el0tRAdvHS7qtqU+z2kN78XEZOW2k=,tag:TrPIoG7cxLBDgG4vXJ5NiQ==,type:str] pgp: - - created_at: "2025-06-13T18:41:14Z" + - created_at: "2025-07-10T23:51:25Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTAQ//bvg76FopkB85Na1yjedNZjDbfg5R0H5sNOvJi/KkZRaB - siZZHUN1jrrYH9WJxhrYhE6wmtqhClWI0r0I/prcJj2gvJWs1EAC5HoJYCNQEZjA - jVqyPWveL+1AxLze9kGcHpb/YKO++XclmbjRB7RkW9oS8h3RN+BWgjoL379fygFn - tcYhB1zn2k1pvKovq6KQiBThGgaATShCh65sl10NXrEEzR37TBRubseC/Bhj6oDG - SoviST+7tbMETKDoDvXHzKE+tVvQPi1qCagbk1FL681ldjcvTFhsLEQc7brlskoC - w3H3BLKLrfpWPnsfeavMOghK6ctztwuOd6qbZCcdS0QRPbSlOWY27gzLg9nCoVYm - 3ZS4o+OIOBKCkaCiWqwORqa6MTNNOgzJHmrpXygehrhyy+RCvPyV1MUgo9YyfABb - uoRZxoY3svvm1mUcwJwySj0fKljF8YBOxmYHAq+cO1jPe3282Mbh8haOFxVF34c/ - sB7q8AJHTks9KZdO/wfMt//e3oN+IVFEsgEE8d0ecScIyVcqyEGYGcloQ+m/cUSF - onfJKz/WhgHUh4VngDF4HTMS2L4IRPnPFTebRNBirnM7ruQut9Q+NqYHF//UmlIa - 6CWifbSdcDujd4P5O9FIG7/bRhRf5CsUdn137o9vF9hBnX5KtdrRwyYzy4dp4HGF - AgwDC9FRLmchgYQBEAC2KYQRNAYxczza6nmW6n2bkGDypvKwDWV34GKtL1hy3mla - Dfh/k1yv0o/I6ebnbgh6yFzyFq2GRi+yNkTPF1mpGboyex4Ot3d3y7gurs0Y1p8g - 
oYYniqtQmuRmkplU6EFFZf4LgQvcArmLFCzp0SbZ37AaXYFjk/pY1hSrfDbiExVV - OK1pkE82vYXWm2bkFRE6YVNUf4lp7Q41CmDq+H+mf4DLfgw9J4TnseNi+ZsGldSj - 4jFEtxvO/t2vhNHvbXJoSVKeLKn4mUEpJdfi843XWwo0VEk0JcnzfReYUbqjLChv - gV13mqwGmrDY28IWzyCr4h8FURWUMJSFqkVnrEoHQ303ujX5qV3JSadl6ham4h4o - s3gS2F4m0h9YAJnxj4/ahbBLk8go4IQ7FA+rmjVhMLRuTyUcEyPPCiY8tRJm7p/X - vpkZdT2hVyYeLtK/mP5ieDArDVYUa3QTkJ3knjSfdZWBv3MtrXsTAK/C4frnOxoM - inMpCnJtCnVQ8/xbtyXMhJWnz72vbEwDblaLId9nVtU9p9GqHB2OT1CflJBhDjb6 - a49C0mIGS6xBkW3YBSJxf7szUK/lL2qXSW+aI4dg5naci62jChtagnkXbN2afhOR - 91hpJ2oohMkB8rbbi2uXN0wIBUO9t8GTUKKaTjCOOTWm5nXNOCW5CtamYASeetJc - AeW10mAZSNUyh8FWs9XeLtppGEdERSqWs3gPvGO+TJ9o/8v+BPIwLEu0POoUuRWo - 3Lkqrl4JHC01T7buQU3vzRfWrdranL0Ll8H2iYvsyfaJrsO01weS2jGqmgg= - =PGCv + hQIMAwDh3VI7VctTAQ//R2fMRdWshY0+/feMDAF7t/Z0YwwAT63gzfqKG8aKC3cf + skGJtXBZ4CFW/tK0J62nS0qUIYrkWokACJk72luYg61u1KX1wUaEEqnRcEzZsxQC + Ib6hYXyKl87WYv99QUDaItBBBoSd9BhiDCnWv5nrstZSDy+RwlIYPhQy9KgeDt0H + 6pRnPEL3VU41AYt6YKl4yLBOjweftLwZkDgKyaJalwbLmFHWOvmvESL0kBj83hyX + Lw/XZlh9KUi+xEeYmHUCjO9xDgvJsMGTUY7m52U0W0faarzy59yYWnENROwm9jCK + XoYDu903CtxqSybKJ2AtGHWx2cuOmTjsHPEefqmK7M3XsVpsHgvx1Jo1eQYO1mPI + ZiryTsN1YMYXUkgGfFePmqA9X2iC/meboCWPcRt8lUIfmWx7uMGsv+mGXT37lWyu + wYl9Y2x0qwfAOyg3wNdojE5t4rlr/XaQ+k8Ep1ud37pgXFryQtnNhwgtYuPVWiFK + jnnUDCZrbsWbMmL88ZGYPNIcrBGAgmfYWzkWrU6fICYWIzJdgiWg91ANRHX9vnwG + 5YjZHoHnBRMQg32MInjBJrm/4r38DFQBm67bI1Ol6RMDp/wD5hLrbC6gnq0hGRJt + GzsRPphwrecifIBtck5/vs/f134Y+6BIADJHNEHTA/LnJC8K1VYRW5aBiFvyUWqF + AgwDC9FRLmchgYQBEADKxwFZHBejt2dr2w83XZcLCV/0Mf64DOk7I16VKZ5gBNXA + 4N4W8Q/of2/EH1a8eZ5A8DZPkVZMavdXkQnww8+if6yx0e4moBusUAzeKP0XtY7T + ABUueS7B9Ou3yhdVynpOfmU+EBwQXEuYhVsOlWUJGpfESoOBRyQv12P7ToOS4pz+ + panGeOMo5tzU/8vfkbRIF+9WWKPy/JfsufXGNQkdErgnTAdRCUegPO8kVpwZ5hE/ + 7IGtddUUnwC+kIlkv4N4eM9QabjWmU70L+THveJ4q7JJCmsimYPocbikVhPK7pb0 + mqU9hUMxJbBq6sPjLIq4QaSkSSipbiUUdZjoWuKuIbMjm6M7oWR2uGfQO3d5R+VZ + 3N3xkWPVnzoChq3zB35gkF6RniMhFMCjhYOPidYQ8QH68zN7pe3YzE0HkXgirjs1 + 
Zux8KlR/Vmh7wQjzWEfv3yK7Rjj8ePt4cdAfozFf7YMUPQWSr+BJ+1CVfI3X5Gb0 + RrWwJm59MicK7mONCDB59LMKUYciQc9JGlpl6oSkbdsy49OToPtuShsoBN/nmgVE + yU8BWhJt02KFLKvs+v+HXuxXgrUfl1zNAtzH0PrB40nuyoCFuvomUExCJiTTEMgs + YBwXdecgwcRta0/Q368DZqJzxiiYIy5xlZxFFMkA62JfJLUFy9/Suy+mReWBLdJc + Acr8AJq92TiCmHED4Rc78SaFDYjJYfvc6JLJDHxU0r2ucoMwKAR15gDDOaARt3B5 + Af7fxGWQ40sY56YgjgpBRaoXYDySuQ9Ylegd33hUzEOfOqKHFNAE+aH54QM= + =Enyz -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/general/secrets.yaml b/secrets/general/secrets.yaml index 5247a7d..88d54c0 100644 --- a/secrets/general/secrets.yaml +++ b/secrets/general/secrets.yaml 
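Review bot: Swapping recipient `age1gj6uhy8lx9asjhwmqcmm4rtu6wptrd9dr42lhf9xreet6tra4fpswkvket` for `age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh` (and adding `age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh`) re-wraps the existing data key rather than replacing it: `lastmodified: "2025-07-05T11:01:02Z"` and the `mac` line are unchanged context, which is what `sops updatekeys` produces. Because the data key is the same, whoever holds the removed age key can still decrypt this version's payload by taking the old wrapped data key from git history, not just the previous version. If that key is being retired rather than merely renamed, run `sops --rotate -i secrets/certs/secrets.yaml` so the file gets a fresh data key, and treat the values that were already in the file as exposed to the old key. secrets/general/secrets.yaml in the next hunk only adds a recipient, so this does not apply there.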
@@ -25,89 +25,98 @@ sops: - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybmk3azNkM1A0MHBJZElF - Y244UzIvQmtSWThPbksrVmNnVEErSldLM3hFCmUxZ3hNaTkxQStNNkwxV2pkdWEr - bVQ3U2kzL0ZlOGp1NDJIaTNMYVRZd28KLS0tIFFZUENYdkRIVW1Gb2pjMjdFcG5h - TGRYcFpicXpFdjU4ZEk4RVpnODdBVE0Kq/i8NDtYB3L+kBs0q3NYlzRa22mWG7hi - lZZtwXjxTpoWacZgkNnxr/YjiOZLV7wt22TpFSKew1sfs77HvosPRw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhU2M0UFVMOXFONzN5WVU5 + TExjNEkxbnhEOWJPemtqcW92WDVJTXlNRDNBCnVoMTFreXBZVjdFMWpxUzZhaU5j + d0xZYUQxdUx4ZFZteHlsM2pJZXZQQ28KLS0tIEJjdjlHdklmalRUUGhLSEFDTmkx + cjZNZnRVSmcxNnFCRzgrWnhOMlYzc2sKK13rGMFVsXQkNERYQLrhgYHbDn0jPYbl + H1pQPZdWw+LXw1Z+Y9nj74KTPPLnPckVTwETUfvs9EFkcFIyhzGK6w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWM01DeFcvQjM2bW5DcFM4 + YzF5TTlURkxRYVdVbjdReG9LbUdYNjMwMFNBCmZJckdBM1YyZEFDT2RhT3g5bHJo + eVVISmhqQUZJTm1WQjNvOUE5MytiTU0KLS0tIEwrVGFwVEE2ODQwb2RyNzdselJa + b2tiTzZCcHB1NVJWS3Z6VTdMelcvTlEKdW6kkCiI1YhV7Da6SrCQxP0zdUc2ICSC + voGlNOnPb5iACvgLnX/a6EBKKO7PScKIFAzsWROC9MlLoF7ERnZdSA== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQmFSM3lPRHN3eE9Gd0Jr - T2hVb2t2NTEwbVVlNGNhZFZCekRrOEVSbmlvClAra2pnS0NPTXE5aTArZnQrcXNQ - bVY2cnhUeCt0N1ZQRGNDYTZETDFMVmsKLS0tIDRsV1hDM05KcWRFbE5ITGttVk9u - ek8rTHZYenNzbXVVYnhIUU1DY3h3VEUK5iRHq7pIa4tbYo4mrFUwPT50CWzCLnqK - X8Je+8lzkrVZ/M4RNXlgFxyD62LHycOZx342KVVdgl2b8w83xVud1Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNnF1N25qMUkyL0N1RSt4 + ZlRPVGpsY2hkbWZKREg4cU92Y2MwM0twaXdJCmJwTWl2NjlETXJ6WFNwN2JpT3Fm + WjRqVlc4SW9DejV0Q0JGNkJpQm1NOGMKLS0tIHpQRGc5eHQ3bHFnRzBNRGx0ckFV + 
czdKU1p0WXQ0enRyWXpaT0k2NHBzZkEKqLRezUd0z2PF0wakJe39NAz/MkpXIRAl + hvIqWsWyXHUU4a+mXwX8XWgs/uejuyXmHa7TgavqkHs9s4/p+KtNnw== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNGxsQU1wcFpIYUxLcnFK - bjhubFRxMGwzQlpqeWpIbnZBNTQ1cGxVb1M4CmNFTFlCczJMUXJpd09zT3phMHRm - OE9sRC8zQ3FDUXoraG9jNUFITHVOYzAKLS0tIEtPSmhVVFNRdEd3d1RobEZMUlhV - OU9tWkNlSTZWcVZZbk00SjkxSEFZeGMK9Uq8oBYa7TJiaSOv5AIfPqnfH+lM8jeY - QEvT/llQqNHo2h1PbzoCd0W+WN81/yVvWhweJUO5GcA4cqE0Ed15yQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWTFhTlMyVkZpeFRqaG4y + RDBhMEtpSXYyMGFnN3pkVGljSGN6MVlTaFMwCjlJd1UwbXVDT2M2R0hsQStqeEQ1 + YmNTNjdTRkU5aDZZd01DYjNaOWhKMFEKLS0tIFFKS1dXc2ZjVWlRR2ppSDRaRHRJ + cGwzMUFNTHZzcjZVTFNCcmp6VmdFNDQKNVeV1BGVuaUbSHHBOZzb/RJP4umX45RR + 14RInoF9i1ByEzY6KS2nyP83EQzbAgfdaUkPKkIpzytj+3gvlnI/RQ== -----END AGE ENCRYPTED FILE----- - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYK3FyVzkwZEZLNU5hamMr - d0ViS3FnVHVjcEtYVlM3VFp5S2dlNXQwQ1EwCjQ5dmhJenpFZmt3aUZsM0J0UFJY - SXhNdHVRbjNYZ2YrYmF1QVVMS1hBbnMKLS0tIDUyRkhTSjVhUnhBTEdtNGNqS2Vi - cWIrcmxRUFpKM3V3d2ZwVm1STGlpSFkK+VMJXgzdehOUhdevVIfO68wo6VF0Lfj1 - gsHJHH6GmQbUsCt+F+fPaXUlrdN+BlCnk4ZMNKutTm2g4thAeiAeng== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWk81ZXFRQnRnMjhVZmZL + N1p0eTRSQWt5akJ2ZjZid2VUNW1ndFNWeFQ4CjBlZndkV0pKeFpZUjlzdHJsQTlR + VXE1K0p3TlhJdkdPMFRTL29BaUd5bmMKLS0tIDVlS0FmRUFjTTBpd3pGRVZMbWxF + cjlaR0xvUmZvdlFlZlFwam5IU1hYZ2MKOMW/ZsXOLtYnYCVf0JIxlfXNTDjSuscn + l1p2HspWo7J1RfJbOQgScy6rmUB/9HRMHlnwpnjgOYWE4EmuKcMYSA== -----END AGE ENCRYPTED FILE----- - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RVRBOHo0ekVGakVadHBZ - 
SWhKcDVjNHNUcGhlYkxkenovcDdpWUpwdFNzCkt6SlVCaHgxK28xQmtrR045T3Br - MEJjbXhKUTRSREV6YUo5d1RKenR2TUkKLS0tIHhnZW85VHRraWRXZjhWMHI4SUpD - SUp3cUNwN1NXaXpjSm05UkFCcGw2d00K7Ai/uCOnqonQCy20hNjV8YALVlFZFbac - C8QIpfo5FEiONRZNOB2tlr7+ziGC+1ia1DXRvobHOKzgVfmW0VP86A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOUhETXZpTWs5dWw1VVhX + Zi85OU9PekJQSHBIbHpNMVh6b2doa0wvSHc0CitvanJBOFgwb3V1TEpjQ2xXa2Fq + UGtzdTB1OEwxSWJKVkZJWjBDV2MwMncKLS0tIERpTlE1cWRaemZFZDAvcGx6QTNK + amtUQkgvTEJFblFUWTE0RWg1cUVUbmsKx35Yu+wpJwlVd2JrXCT/qybmLjCmT+/0 + v99LzVDWiiAPx8ryU2FeAZ/umDDIQfkzyLbi2f460ATKZhVfqhNDDw== -----END AGE ENCRYPTED FILE----- - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzeUVtUXZuTVl2SEhVMWdl - RTNsNU1pWmZVeTZ4YzR6RkVwSUc0YVo1VzE0CjNvKzl0QTROUEVnOWNObnFNLzRm - aStSOVIvNC8rOEE4WnRoUHlwV29hTFEKLS0tIG5NM1F5OVIwQUtraURRdW1hT0Ji - azY5dGFTUWhiQ083VlBzdVRrSmZFNTQKqoJy8eP+beb/86Dg7BLaYEmZJG2oMS/I - y1tSw+Ij5TfghzbtKcK++88L7ZPJLRocnKXftFbjutHNKmWW3+oW7Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEx1eUR0TnRVL0tsN1lV + amN2M0VlUHVpNjJvM0x3UVVhUzY5QTRObG5VCndkblVGdExHZDBMbVZmU3J4K2JI + dHZoVDZHTHJldTFLMDdlMUFTNGtjbEUKLS0tIExKVVd1UGtvelRsQldnMTBXTll3 + SjV6L3crUkdLWTlsNFgyRHBla2FFam8KILYsNbLdCirfoC/Vex8yEYpS2G4O0EQP + wa1xzPk3Ue0/g67dv5UZFhUn0ZB2XGFC3kEPWpptTj0VL+9Z/r0zKA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-07-07T15:40:09Z" mac: ENC[AES256_GCM,data:IgodPXcdFB7zYwt1dbRXkuQ2Ko2cAy4L6BvObuP8sWRO26Sn0CRvBtfwEtJLRMoXyS3hXJ25hzTeQOUaTVRw/5GEViM4SxdUuE9b5rX1J7tRftgdI45f12tsBMJQhk4NDtxpm4CSUvh11XqNdBkBjFUMxfZVweXFhoZ7tJ3oElg=,iv:9WNevYqRUe5DtCWN6mMNNwQvxB4Z8ac/zKPocjMa33A=,tag:n/DL3B8WB/YKfcbo6ArMDw==,type:str] pgp: - - created_at: "2025-06-14T18:15:57Z" + - created_at: "2025-07-10T23:51:26Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTAQ/+JiUgauFwbjrUsmGPseQJMraVr3cILCN05ufXeZLWXeuj - ZJV+7IecJa4BpCtaMD/xhvXiH7KNjlvlbN04AOHX/gGgJ3mENxHGtNOPb41RBzrH - 
5FK1icAGt8xaXi8VdEwEDitKhRBnP2VzVC8ETrD+aQjVQM5DkJtvijvU3i0qsDnY - Y/oE56IWhldeXZcsXylW8x3NfskGbOQQ4hOmRamvi5ubrfAVkMlbzCS01rXTP4tu - 8MMbHtjZZcAeWrsj3rzlRw8SG/GRubn3lEd5nI7gfxHzyK6uv4sdaapw+5Y1vjbv - hB0wESidhzheIQmKeuLGTe6S+RTo+G8RNIqmrMXawFdmBoexKMFtJMXCca4LNawK - TE2UWbniQqMX53XM31EW1MrkjvM325E0p5TWz3JcA3JPqkmTJQSyccuJizvf2Bdi - M6stq6RPl9n5feSJJSfROP1IX1+fpQOLfToOJpOm5MPCrm0YhY5h1uSTKemfVGkO - cV1B2SGkN+w80eEhUX/EskNagROZBHn5cuZXldCcBzEIsA4G2ZsIuVujXTcL8wmn - EL/HiEB6UQ8P5TrAREbNw6wOXVdlfkUovyfmI02NFL6wr0xY07a3Nn9qADKQzhpE - 5fFudXWe6mLx/bRcuhl2ozCBk9fTcVkb5SF43Pp5fmQKzKvqN8GjEHtdFrN5vfuF - AgwDC9FRLmchgYQBD/wNVDcCYqGdZ/J4wt7BEx3bG/QOkpacnQXGqo0Xv69BjOi0 - tOsylTe+Nqge2ImCgu2lNlOYMjfhHCcnLILdriZX0KpEiEM4lzbpB2ntm+p2wMjg - TqMhzupy7iPZbPg12rtr71Mc7pLYKn6DRTBYv+HsMY8E24T3bMnGPOn31VP1N+0k - U0rySjg6Tuqo/F1Usi5wMG/zvLqSTJ5Sev0tHj0K8yKcmoHmSy62SdkrOd5S9xBt - KtGqHmJrPnKKb84BdSQThp+WfK1E3Vmsj7bd4TdqYlvo2GWMBj/bV7CuCOQvonnB - x27GEOCoFOn4ySIyTn3LrqGOVyRmQBELLXXCQASwWBKeruh70GN1XsfPYVxBXjWQ - ydOTCZNqBufQzakUFdly6WyaBOr1m6p9rbW0icA17ot7tVqgC5DsvVkPlgqXgI1W - oMhq8KvURlsflLJJ8ovI4wrpNZfDmIXZiFGTSVRcdJF6jDEYbypN34IRi5Idf9rg - SsH3tSLemJG5FZdztmStGTX9zWnfsCk7ivqJJpIgj7feWIr3WD1Y9Rt9KRZpJ05c - zHnGaXJYLX378q6L03C3klBhGfzBLTikApo/dmEy3DMSgsrtQt5vF7B6w4aHd318 - Gn+neiFXDxOsUVA+nFKkEPSFVR3XKzWE3TeO8AYJ80KYoywDAqeB9//p/MefeNJe - AZlxqdyhUqqzW2/95RC7sznoU/zVYvQ9ORfZ1K85xjAvahGWn50q2w4OKIs/gLBE - W7s8fkHqU71bMp7Al6Mx6RFK67x3OM1srb+jAR1OCFy4WTqPDkW7bSbQTNsAkQ== - =NdF8 + hQIMAwDh3VI7VctTAQ/+OG92tnH/dwXLTdqlvN6sEPREG/oZTLGvjPiM0Ipqyrcz + rgTrso9MjBf0xZkxjH49CWqBpTBoOsxopdSU2cvte2IdQEQCgCJcqff3okBsT/Cm + 3yz10DNTdI17cc2tLFJtvcWubf+amRXTM8IbDozkc4ttuhCbCRcFMaJ0NTVMz+rV + pff9UQWGmAWBKK/u26prf6NeCU2C/v3vLAxAxVjuPBxNpXFZEuu88DdE0lIMy1rO + ZAsYz7O6/flf3qbl74HXhNUhWwDTUJtU0beGSv/sziAPSEV0lpScZbq5HdFvNUk6 + rH8Tf1IdV6n0lvDqVdnY7XbmXlF0neSLJedWf6eAmcvnedCTVzMGSNAIVhiW9Y2f + IURsyK8NXnZTw2G5J4BOwx082Z1wroH0cJgQz1IcfU/I78DUaysH87mYfUQAGPV7 + 
cLICS/2n+olgkC9nAz9ZQO7+98Ylk1n4EKkhW2hzR5av8LSu5rs9uTkO1KWz5mTT + QjsWNlD8+1OvEFxELJtdMLnTpMTZqPouwRhDhJLoh6to2/HT48xCpUu4sMyj1AY+ + ECGsXzNbfb6dlAvuloNq9DoEP3nP4KJ6DKv7gnsbS1WVT6LoG9Yg6s00YnWiMomd + 0ByLH5KZdlBkZFV0K/WGWpj3c3H0IIM32+w2yYSCVQEY8UeSTQ54bI0ao+ISPLCF + AgwDC9FRLmchgYQBEAC2x72z23cpRyfiQD32Pzb4cDheSawiXSolOZMAExsRDmYl + IhMyMOwWmetg4HOwfGhq1PuM7t1k7maVa8ulWQcmD7eSmehiaMzYpA/gctf8GFQ6 + 4mmQ1siBC1qArfMgFgd9yS126NUGqXAWsrnptnlIbYuY/OsiS7W2JKLQUcx8TZqx + 6NC2zIi5+h+ZbRugpz4ZG8OjFnUwbLdZeDJ1M6i/TVuDJjGC1JkEePjY3IvcmB7P + QTzGCsYKwYSeUuAKel9ueqvznNqACQ78/NC/mYy8xTMiyjnhOqOFvmlHLZLy8cFs + m0eLlEfQycwGOIPZa7xo98AZ0Ohvykqy8SBcp6JSEoWcXi//lLfG2z5agfd7bEUP + X0rOKwmFL1l3w1sAUzmKTa29G8b2+rrCoKCHyByDQXyhgLa3aCx7tKS1iNwGdXmc + emvV15+jf/xQ8FrDDZFJGRuCVyuCGphEN8VxFR2BWRjEHEsy9gRMaJlo8gIw54Oe + ciMEBRjT+3l9B4Qipvm8V+okrdHQ56k9AbpbsAnpyHQ6A8AN7oJ19uzBq1nzRU9p + yE4lKNIjOIJmghvUcL8jwld6+w6iMkk7Ss0ClavTA06hWld6mDoRvfrQl+t4nogT + xypUidp/KtILrorNEVwaCsuXrqe5AspOcr8SqA77t9+Yj6b9x8gdJNZwvcMIB9Je + AXC4iun4BpIMdbg2beONi0Iwq+IeYOTdvpo8HKk1qrQCN4zHGaO6iZLrDFqN01DA + IyppFwRhJ60d5TjKweEn03KAT9oVsjN4nwpazd4JkLANXrxXX2wDYOVlnfYyng== + =jNoq -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/milkywell/secrets.yaml b/secrets/milkywell/secrets.yaml index 63b9413..1177071 100644 --- a/secrets/milkywell/secrets.yaml +++ b/secrets/milkywell/secrets.yaml 
@@ -1,6 +1,6 @@ -swarsel: ENC[AES256_GCM,data:WzMlNzg5iAu823s=,iv:U8ZutlrzBqq7z445kSnvluejtta4X/0YMIIOdcQuftg=,tag:IE0WMuXlNwnBHzXtrbVHKA==,type:str] -dnstokenfull: ENC[AES256_GCM,data:hxgxSm6pcXOEHZHdSwQkfZryFccQXrCu9idULJhWK/tQ44FyRIU4Yg==,iv:ObKf1M1qkgCltkKJX+URaPSiK5Itd3xlfBXPjf1iVak=,tag:PASR0pgBdcDYjdTZ2eEUCg==,type:str] -swarseluser: ENC[AES256_GCM,data:e/p76dBuM7eLIrO0HBeJMs8eMCAGAklGcA==,iv:r+e9GGMDCCjh1eWnB4AJMFdMuXbVXxoLMefooq0SOlE=,tag:auRo+JnwH+EardJQbKek0A==,type:str] +#ENC[AES256_GCM,data:VljHjyZqPvnVxhuoEMhGrWA=,iv:nCHj+sdhAOJx37fGFkRzfrK+PsEP+tRELBhnP3bfoIU=,tag:fH5QNt5TeM3K4nXkeIC4wA==,type:comment] +anki-pw: ENC[AES256_GCM,data:TR3roG7I1213Lj8=,iv:bK3WIC8Q4Cm6cccXPFx4K25GRRUq7Le6bEAVdEZdNPA=,tag:LLC/agUxZT0MIKxk+TSevw==,type:str] +#ENC[AES256_GCM,data:EUHyFduvRqc=,iv:RHW3wsx8P1V4hkwnrl456qMgi9uz/1qoSOg5AvqwmhM=,tag:p26hGYMn5fbuNJ7Qr98E0Q==,type:comment] kanidm-forgejo-client: ENC[AES256_GCM,data:LuOFq+bj9TIbaN6Arz/etcjEO0WnjswJNw==,iv:eqACcjjr7usTl7Dv8HTqH53cHDa0+HV5IYN8Rh5aChg=,tag:upBfWOUOEoZRPgUtlMZE4Q==,type:str] sops: age: @@ -13,8 +13,8 @@ sops: cUUxYkVGN0hVZ3UrNHdmSXBQbVpkNTQK7yfeX133PekxsK/2BXxsx0pxmWBcZkZY UO4ZHCcZQQKMg22BY/3pPz/Ui+uUfZ7AIdLjQb6WQvUbmgz5Lb0M9w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-09T14:53:33Z" - mac: ENC[AES256_GCM,data:SphJHK+OP0IyBWAAr5FDWhg7VBdD8isL0QsswGI6bpSV/7FTRpd6Ehp+kvmCPcdTwpQlmVIyA5r7DpL0F+F0BQGFtMDnESXVldmsBVpvYL/Q62zvlCq1hsm24tLxHbBssSCCpDNq8b5uCp3qklCQCISBYEFeI28dnFapxl5YI/g=,iv:MbMYmCqhQw9O6VdjjBULa2PBciiNk7AJzSrFTnDhMaI=,tag:2VaUX28dyxhyxYVHinESzA==,type:str] + lastmodified: "2025-07-09T13:41:17Z" + mac: ENC[AES256_GCM,data:9SntfZTrKnCMwrQAncIcGO9qPXM4PT+ZWnmk0F6S0Lb2xx5O35/i39P9vYN/QMPMzKc5KmmLCzhictWvBE8mr4+17pfJBH0KgiAqaOm9Vgy8Zg79/xH4fCia8bwYDfKe5uNwvRwknM3u5/eXLNcr6MnkDspDYTusXhw/qTQav54=,iv:P+fHF35oMNP24vadFA/rAYDm6n0ieAMB43ovP+7vJCo=,tag:4gJqIhqRg+3P84aUgRIPbA==,type:str] pgp: - created_at: "2024-12-17T11:38:27Z" enc: |- 
diff --git a/secrets/moonside/secrets.yaml b/secrets/moonside/secrets.yaml index a966591..cc08428 100644 --- a/secrets/moonside/secrets.yaml +++ b/secrets/moonside/secrets.yaml @@ -1,6 +1,6 @@ -swarsel: ENC[AES256_GCM,data:AnxZLN+3ta2Dmg0=,iv:S25Xbbj5K3tWynO4/7XGRp/+XexxoUofHjlPNDo5el8=,tag:uov6okR56P324TYA3/YN/g==,type:str] -dnstokenfull: ENC[AES256_GCM,data:z9gi0pwfbDyHkKw8rhiGOIlaLUzepAAxQfAH4esla2NkSCx/S0VAiQ==,iv:qtCE+V4vHImViCquHwUEADEzl6dj7PB16PoRqYEgQ6o=,tag:jVfWgt3cx+bpYeMuyesjrA==,type:str] -swarseluser: ENC[AES256_GCM,data:s09lyp9yRPJaSsDXj19s1mosF3O39Fk7Eg==,iv:tVBEFqTQPreul617EU6CfBUhz3Fmt37VAi3GzezeEmA=,tag:9sbJ465VxKoW3/q6ju7hpg==,type:str] +#ENC[AES256_GCM,data:HCHFN2Q=,iv:Z3tD7Hn5eudPR9DuX6etamkpNnYB/NRYGppWdyuUDuM=,tag:tbuWEFDmh4HAyksOZOihLw==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:lW/XJCHwApvIofSZHL5h7AUPISjARfmDnpSnprDBHQYzj0u5ZlZS5A==,iv:/y3gjgC9AEU3r+l8Uq6P7DAU2C8i+qTQ9DP4t0g8ZhE=,tag:v24WRudw8NB84b3XBFupHQ==,type:str] +#ENC[AES256_GCM,data:XdLlonkGBN0b,iv:wimLW/7+a4MJCVg4zazY0ogakxXjdyPNZmZt0CzpXao=,tag:rg7FEi1qaYMkCXX+dwjFLA==,type:comment] wireguard-private-key: ENC[AES256_GCM,data:GCi+otqW06yoBKnG0WCIN4Wu9VKDsOUv8WRm240cHBnSAoW/ycd2WgDWsYY=,iv:TYj38C00fMIhg8LEGz6HPWxg11xUdwGgnxOmy+1SG9k=,tag:CQr9phCmU5it2EYjzqhAlA==,type:str] #ENC[AES256_GCM,data:u/O2rHXqOoTNpOSm,iv:hqhZC9R76P3sPkpQMximrvcTC15IM99QaRZErC9AIc4=,tag:wc2w7iwtfazlwWpnQJV63w==,type:comment] oauth2-cookie-secret: ENC[AES256_GCM,data:cbNVAkBAWJCN4fLmkYUFhy8v9iE5fB30hFI3nTpZuVIFCnmXPBtlftI58Zg=,iv:q9xjUDOH9M4pW+9YB9dEYSqEu9gpsezbxcGbpORNljU=,tag:KoGNcssD608huewmHeJOxw==,type:str] 
@@ -24,8 +24,8 @@ sops: bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-28T20:39:53Z" - mac: ENC[AES256_GCM,data:eJf8SlsN5lxPLVnN0m+LAd6twJ2QnnmUK3h3ueAFV96oTsG7wUCJ/M/cqMGUkG3hy38OKk/BFDAHDmmjc02stWf14HiN02fm5CYjROLhJMaeXuSXOLQSPuo72s45YiKZL1x3ph//cgO3CQP+mvElywYDy4LQRTVKm9Eajq5Q/ZU=,iv:Ch9dS9Vkk8ag/3BIsxoWyJ3ksbh8oIjHZJJjoQSGGHA=,tag:PjNd3256sSb6o/6iUIjjyQ==,type:str] + lastmodified: "2025-07-09T13:40:12Z" + mac: ENC[AES256_GCM,data:B1pkubTJuLU1pCprTHtANC58sfgbvjgnDtztF4g7M4cIgj4pasrPGjOXLw5hrRwpYKffuciOogDOJx1/DekpFG0rydc5+R46saCtzGYVBEXWpH+SuaiHGBokTq0zIwnNEDpMpQ2xKTDiv3yKJBNUXOPugEYgDuvmg1wRyZ9iWBY=,iv:ZUij0KY74PEYo2IcCQoFiHFB/uOF6CxyHIpL4yJyFlg=,tag:srWW114VV3oCMjSLG9lVwA==,type:str] pgp: - created_at: "2025-06-13T21:18:31Z" enc: |- diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml index b35d486..9c3883a 100644 --- a/secrets/winters/secrets.yaml +++ b/secrets/winters/secrets.yaml 
@@ -1,51 +1,29 @@
-#ENC[AES256_GCM,data:ZDHvt3C3,iv:7zsB088YWliEbEvDSaiYS/Tf54PtkQ/G/4/gSE0PbhU=,tag:YFDfhVQdYc6CnM9UaeKXXw==,type:comment]
-smbuser: ENC[AES256_GCM,data:KWW6VBGTh/Y=,iv:laYedVHB/aK8VKKsTk8BViTG7xQ3VSCEoh0bcsZzzCE=,tag:0TBFVELPpsNhJPhvtBhCjg==,type:str]
-smbpassword: ENC[AES256_GCM,data:qKQQQtat2Rf6ETzb1AdxhzoD10VUi2U=,iv:yUGL4TPvFtDy7FHSQM9YfgK54ZvhnWFYQyVIQiBUzl0=,tag:aWVzJ4hVitMJRrfCaifJpg==,type:str]
-smbdomain: ENC[AES256_GCM,data:hbK/MXee6gI=,iv:X+NapRDPAYqhi+CQOWSKwNpP0lCGmGe3vvKDQFkq32M=,tag:L8dDN+WgmaB1rqIes0WHKQ==,type:str]
-#ENC[AES256_GCM,data:GCIBk7ouxPsX18czYCrhOQahUG3JSV83l2ujNxKQK8LAlBInFeSpjWOyYHuS2XWhYiJrW4I=,iv:jgYXl2DnDqUjLBpXjRNbxydktY65IvD2JcUb2SPwQjM=,tag:Wpnhf1NGf/AELvmPpjgM7g==,type:comment]
-kavita: ENC[AES256_GCM,data:2dQNwfRXw6SPhNbP0fRaVryhc64dxJOZuMw6ZpeFzwY7LVB6Oo6PJCzfL0S+Gr3od31d6yeOo/64Z5hJ8h6rXjnkqNU/46jUpChzOfihwkNzhcJZgdFzIQ==,iv:kNxQgqjxDXvNXvlEiXfFoBs69CzuzMNB1ka/7ywxUiw=,tag:ZEwbJu/86LIKuvtfKcx2Qw==,type:str]
+#ENC[AES256_GCM,data:2coSbGjKAg==,iv:QXAGBCUEBypVs93R6p9DpWsZ6i6VMmdlmeffQxPTGWI=,tag:2sfSIFT9W8anEunXHxP7oA==,type:comment]
+kavita-token: ENC[AES256_GCM,data:T59wnJO0CClMP+jGd6LFtIDihYxDEZ6OATN1LizmLqYyPZ0Sxqoavgm3B3VWywLEIpSXyHfH3+qZKahnUA5/3c9okEbI1X3FFkiOYM0tVHe/E3lLQhHujw==,iv:ojm6RKZbxDjnGE377tjqZ6Zu3jkR6GHpxjZ7uZ3I5Y4=,tag:Y7KliDHxx2QIWoUdLbtH1A==,type:str]
 #ENC[AES256_GCM,data:EnKPtPHaMw==,iv:6bKMTGB7CFBGzpcXv5bq1pPoN2dcfSsQn8CIAuawAEE=,tag:B7s6b5A1W8cr+rk12sfnzw==,type:comment]
-matrixsharedsecret: ENC[AES256_GCM,data:P9dO+qmeKAtRL482s/Z4Zdmfo1KN9hB21b6zJsi4C29DQlpFwyMRwd7bCNB78I6r2NNQIdnsOtZvcy5Wy4mLCw==,iv:H7eqV7DqvGNfmwN95AjPAgecZE+xGeXMF1r/VpxAHaQ=,tag:pZB2SaxHx60Enn+ycbZ25w==,type:str]
-mautrixtelegram_as: ENC[AES256_GCM,data:twr126P6/7zRPntbgPqpIerNgg4bw6pwmMUjyzwMlMJCdPOP3TVaaXkXccOnkyZY80U3e89WZ5MA+sIEbZb98g==,iv:92dtW8lRLXdOIx/iTmb27Er55XY6p2Rne/14TzYGfJA=,tag:zEGPFhsQCU3RniY7rC+5pw==,type:str]
-mautrixtelegram_hs: ENC[AES256_GCM,data:C4amampQPckSWZCpYANfXjLHZV64smadRAUUlJnLNPlMUuoFja4m5rPjKdu6p2bqTAmPO92wSeCuqi2kMZycuw==,iv:h33AR1d7QA++uFC3VcJKuJmOOEvG+5zooLGhkYUMRgY=,tag:oNZXsvwWlTaoJ98BODav4w==,type:str]
-mautrixtelegram_api_id: ENC[AES256_GCM,data:DR5GoVM2Dg==,iv:PYIHS65piMhXppV4vL54lxtsb8Mmw5BIAXkFixgfvNM=,tag:4JgwEvTckNuOmb+Jjn6IBg==,type:str]
-mautrixtelegram_api_hash: ENC[AES256_GCM,data:M3qA63nhw5tIQfqgtnAth/O1COrtpli7dfKuC7wFGIk=,iv:uppaVZDpqY7d3LhKqO/b/3WInkiKkaDFM/gZnlPGTZA=,tag:J986Cd6p2BrEq60LYoe4iw==,type:str]
+matrix-shared-secret: ENC[AES256_GCM,data:ykgD+w6nxfegBhzVZmXmuxxsf1lIdV+0OOHlEt9V7YgmFFjHPw+SUxOsGnpwfTXB6Bwo70MDC9fLMSWZxtfIlQ==,iv:LoKIuJYvdKTE7QKrbJvAaKXucesrGgCZpVfmMNt1WhA=,tag:Q8EQSF28Cx/UMCBp5k+vCg==,type:str]
+mautrix-telegram-as-token: ENC[AES256_GCM,data:nVragL+I4Fl0+0gG0nnSFoVt6PrDGCic8nh7AneOiJ8ktpsmq3wkuMzeg3aQkfM27HXTkkdhKBmCy/W+i9G2XA==,iv:ozhwDo8H87UCHIPEHCjWfnUtdK8L2jChz6y3NIO5j6Y=,tag:H2geLETkaUnM3xM/2Jvp7Q==,type:str]
+mautrix-telegram-hs-token: ENC[AES256_GCM,data:bsuGGKASj65MkSri1MbZDEppRlr5qXzdRnpTF9gDshj4ahpvt0R1aLyr/dIaHk+OKdDvaeJ8JHkr2AVsJxMAzQ==,iv:ESnTEmOjkkOAJTJZq4CjPtPs17dBoc06fgI4T41Z1Hs=,tag:EC6CukTgFIDzlmeuOvLIWA==,type:str]
+mautrix-telegram-api-id: ENC[AES256_GCM,data:GLaYJupsuA==,iv:EZ7i3jregI2puUAQbbkUK7OWA9Dnk0GdXRQuF/crD0Y=,tag:FL86Xji+YEkBPIm7m6sStw==,type:str]
+mautrix-telegram-api-hash: ENC[AES256_GCM,data:vikwgZLPV7YBdKlzf8+LEUnNIMx950CfBMGXKOga2cs=,iv:16+qS4L1LEKyWQKC2+a9l4OugWLJou2I2t9oRfKjS24=,tag:zhjD2dyGkqfMQlAt/LTCzw==,type:str]
 #ENC[AES256_GCM,data:3ZJfIpB7,iv:bS0q1SvUfAX8s6/R1z9IWoJ1vIitIDc2lGZUjS6P+Ao=,tag:Hc1HVrtkT6gNceN87PF/YA==,type:comment]
-dnsmail: ENC[AES256_GCM,data:fsmv/CVSpVJ2ZwBibs6PzCTKtA0g,iv:Pdy91cL2jxRLpMfzeveAbjr/mpQ+iWVPXK7eLQg6mMM=,tag:CbgTXpf6G0gz6YTjlV7AqQ==,type:str]
-dnstoken: ENC[AES256_GCM,data:mRVmT1B1xzQWLRjwJUPBoYKSzr4Np3BJiV7psARFKcOZJlBAW38ztw==,iv:YEKdzGBRlwPv0baJ28uRJvWkFSmF2+VHP5VHJtMn4nM=,tag:1S5l0HMpqvY9llveT1dTmw==,type:str]
-dnstokenfull: ENC[AES256_GCM,data:nIFYEO0KMXWBQyLsfM0v7xPSCbmW9Z4qKiGVh38b3mhWklYdMtarqQ==,iv:aQfxbBolEpMkfWHC+5/c5a/xiDhlz8BfJuuKicjVCzo=,tag:LoDgjcR6/VwKVy8DubLdew==,type:str]
+acme-dns-token: ENC[AES256_GCM,data:QyOHnPFiNiOXBK41pr6XfG9KCWRysTxzW4cjuUesbGdFOOFi8W4lCQ==,iv:Iuc77X4t5V1xFPu2F1njo93l4oaciou7UfOLBm18gaM=,tag:+40ELYAGxaQfwiTKPPwI4w==,type:str]
 #ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment]
-paperless_admin: ENC[AES256_GCM,data:IbZxJzscc2z77RTYTBt5ZdCgtEgTSq5k0A==,iv:lrmP3rOLMuV04H+E0nsKF+KhNKAGHCFyaQnT+gg0wM0=,tag:lNbMYqAdjn0K1AhJKvhB9w==,type:str]
+paperless-admin-pw: ENC[AES256_GCM,data:8s2WunvnlL0xE8XNN1Re6/9nBAM57AgM9g==,iv:Pol+RjNMKpNYCQWY0BZamRnob+MO/e/14jc8uArtDz4=,tag:FXRrlhR3DpZ+7lSlXb7wsw==,type:str]
 kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str]
-#ENC[AES256_GCM,data:+dReUV9p,iv:gmVwWra3sP+9I0KVxzTXGzdbZEyRiT7p2BwE34ZDttM=,tag:jse7bGtSva6llqjSOCY/KA==,type:comment]
-mpdpass: ENC[AES256_GCM,data:OXDL8eyfBpX2gXB8aODahA5wNK7laaCQUg==,iv:zSQUtu1j+Z7SnYMA3jNvIFbG9LEbiB7uJ4y9xEmnvJY=,tag:ZKgtccYWT/k4q6Qc2y5WEg==,type:str]
-#ENC[AES256_GCM,data:pn5jSPCWhDl+,iv:f7dyv+83dT3azAuY+/+6i/KzX2a4JIEi+PLeYamORmg=,tag:c5doNQBt6A7fRXl26dWsEg==,type:comment]
-username: ENC[AES256_GCM,data:ONoDSJL0VTqts6n8yAEwOPFyJFbC,iv:soHSy4FV0JiXNqqj/zL+52e9tGOKOtG3iCni8FQpTBk=,tag:1iHXNP0l5fQ0S3wUZrFWbg==,type:str]
-password: ENC[AES256_GCM,data:xFb/oOmzJmUN37Q=,iv:Jb/gAWJdHOm+8Nd2r3CyXeH72ex11L3AqcjbkZMs/oE=,tag:Zx3As+yV3N3R0njzGzRLhg==,type:str]
-#ENC[AES256_GCM,data:hEEbuFI=,iv:wO77BmvRu5EgQPKQZTQm4nd4Hr0AG5Ws6QQzjclen4I=,tag:ZU31DwdIbsQHBlNPLhFldg==,type:comment]
-swarsel: ENC[AES256_GCM,data:20UAUTx54IX7LV4=,iv:odWk+VMnMahH8Uue21S8PAv9mW6T5c1eUjftZMe4JJw=,tag:gLnjqQsHWmkytpq6x4iIEQ==,type:str]
-#ENC[AES256_GCM,data:MKBsVnZ42nZ+9Xy0Cg==,iv:Myk1h9p6zGLiW6/UHkI9yLKb+HKY+wH5AcqAoQVBppM=,tag:Cu9TkUZTs6qZ6htxQpHEbA==,type:comment]
-vpnuser: ENC[AES256_GCM,data:NipHQzuXa2o=,iv:3SnaJGVpcazJYQmbqgKv33ZfZBBQ+N+A8OzXNN9ayNU=,tag:IWrIoWJiMYEyI1Xhrcb2uQ==,type:str]
-rpcuser: ENC[AES256_GCM,data:o1BipxnQTg==,iv:edlFbnE20p6ub/N1Ko/wplMwNQRsB6yNaJ6h8cI/1QE=,tag:1XwbOzO/QF0KJpwkSy0B0A==,type:str]
-vpnpass: ENC[AES256_GCM,data:fnnvxcRXM5AsnA==,iv:OP4A1qyyUc73zUB4+5wJ4yk+xff4WEFDDWrBldFn9QE=,tag:/L4GXKpIL4Mhb29wZTj5Wg==,type:str]
-rpcpass: ENC[AES256_GCM,data:2kHNLnsSsndOZ6xaKFY0QQFD3i43NOt2,iv:8IQEIgPdRT6gqkPZsrs5c5D0iamUaZGrWNag4fDoUkU=,tag:R5d1uMGwvxFt0i2Y1DPmbA==,type:str]
-vpnprot: ENC[AES256_GCM,data:/NV2,iv:wVvlcdisq2PdLeNpaxE7cwBsKEJgoi/MAmWoTgHFMbQ=,tag:9wZXcI1AsSH/mHUFwiwRGw==,type:str]
-vpnloc: ENC[AES256_GCM,data:U8ModKho4vSHnMo9BOE978V6ZlMeQEoLaFW/,iv:Sw06YsWSZ4tGt/TRhRGkU4KdLBcmZTCY4mGqQbpEh7Q=,tag:kDoTkpzXZKEUIa1CSh3Pwg==,type:str]
-#ENC[AES256_GCM,data:yp7ApA4YLSk=,iv:O/SQxKe9EWqExHbeKsTXvbst0pjCxy3yiOjmeCVjmdY=,tag:RMkAOLOLCodnPSDEuImwRw==,type:comment]
-swarseluser: ENC[AES256_GCM,data:XvmOHYFNhb/bAYAZ/kmUWbbmRy/WrxSYri/Y5k+SH4N7ZIjuZDHOkWk93ERFuTb77HvhbPX/NRQraUoJoFsxGGg5co/gJnyfRg==,iv:J50PeDcC4PM3+yQ/YQNb8TW4kubwi2kjjSFU0RVFM30=,tag:ydLYkz1YKyguGZZZD/JcLA==,type:str]
+#ENC[AES256_GCM,data:RamYuA==,iv:4/LaPYi4hIvg2/ftF8Dh5eEVrsgtuOkmB75Cpm5oHJc=,tag:blCudo/EVHesDdUs1nLBhQ==,type:comment]
+mpd-pw: ENC[AES256_GCM,data:/j++A2IrOwNse4+lvq7OI3Wde4KsdQ5UkQ==,iv:e0mjQyeefB3FFVsYQvTtjO9mewlmtQ8pl7O/ZmEllSU=,tag:SwbWBN8PqUrXTpKILhLquw==,type:str]
 #ENC[AES256_GCM,data:7UtHAqAZLmzT,iv:xBbdv1aHFrSc5/H6o3VujZdtAN7JwHbpckDcoZ5z78M=,tag:0ZEFJcPa6RIwv+kIgNHj4A==,type:comment]
-nextcloudadminpass: ENC[AES256_GCM,data:ZOCsu4/ijfheBfY9ZR5DBXSB,iv:bNlTLKQblnt2eYJqVgXwCaGAyAw2yhlb9Whsz0LBhm4=,tag:VQAWP/b8IghzXDFLJxXZ4Q==,type:str]
+nextcloud-admin-pw: ENC[AES256_GCM,data:PN1K4gyosG9YQUbXrLt7okDe,iv:HpAQOmTXnixm3cd/gNOzICrR4xoSKxsYWavJReKnhvM=,tag:KhCQ+8HpTaFfzn7dFSwE+Q==,type:str]
 kanidm-nextcloud-client: ENC[AES256_GCM,data:RJ5XSYvnJS6r2zzs2SOBZYx+GV7EVjB7XQ==,iv:KfinHenUiYgWrZtMBSGTuVUd5aZlfxvM7Rf8ocFv64k=,tag:WiknAlc29ohsLwnBCXzHpQ==,type:str]
 #ENC[AES256_GCM,data:dyEwvFDSvI0=,iv:4LPFthS73mIYQt6MRLBTeNxCwKnJGc7sNFJfZCpMU3Y=,tag:X2mBwG1++2gcFIOi/xIgFA==,type:comment]
-grafanaadminpass: ENC[AES256_GCM,data:TBu0WOdvE+9CAH8EVm8=,iv:/usKOYscSXpo8tiSV/Las9eucBeYnpwG5DM9gJg8bfU=,tag:/LZqwuPWQyjSZURnsqq3hA==,type:str]
+grafana-admin-pw: ENC[AES256_GCM,data:FBF/YEPTL7HAfLybMqg=,iv:SctfD7uRKeclHr7R831Ns87/ASCfhFE0yfDQrNxWOMU=,tag:UuaSMMs/y4h4ASueseywYA==,type:str]
+prometheus-admin-pw: ENC[AES256_GCM,data:onPtYsfFbE1LFRpeDC5ipGJ7xnLRLbAPqQ==,iv:CDxzBfIzgF9naCQ0UDyTYWQGZ/J0Noia56YASsHLz3I=,tag:xs+PiGk5dfvUpGXVsDnAFQ==,type:str]
 kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,iv:p0y/UyIrFBTvWZKHbfdOSEpbMun7dZ8FyB5W7VS0oSY=,tag:+jKD+d9cRGKJkapGYxUEnw==,type:str]
-prometheusadminpass: ENC[AES256_GCM,data:NYUbSnAl0f3FUtvCjvJHFr2wMRsVsbVIeg==,iv:TP4NMwJsft8aEixxJBJCX/0I6BJVBnltFYJDKuXq1hM=,tag:yMY+KZsRjbn8ItgKgjzqSA==,type:str]
 #ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment]
-fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+NojMifsy8S0=,tag:mHf0YYYxulLXAIByqmnOsA==,type:str]
+freshrss-pw: ENC[AES256_GCM,data:GU5rHmJCAb27pWo=,iv:f1YcUsf2jznGAk0zSX3L01lbB9kXiFKAKSgB/RMaq0U=,tag:xsB1QxhDQPX/B2VJV3Wi9g==,type:str]
+freshrss-oidc-crypto-key: ENC[AES256_GCM,data:FvkaTTfOIo2wn5SnOCiMqy/g/4vcjSX7BjX6GIJrPsQUkqWHvL4LmQ==,iv:930d5Cgb6jly8NAdr21XO0lkWWCXujCho6fW+RYNlRI=,tag:fidIhKA25mwsxpORJOVeTA==,type:str]
 kanidm-freshrss-client: ENC[AES256_GCM,data:jBplXWOX/mRTQf6cKmP3C5PZJoBAmb3mhg==,iv:5hcLNGuEQ0T9FiczznGKMul38Ftv8PmG3q0Vaao10oI=,tag:tpx+EDvA31HCnG1/XJOBWg==,type:str]
-oidc-crypto-key: ENC[AES256_GCM,data:O48Va8j2L/GDdTZRQEtVsoy1jsZSCLx0IxFYnCBGhoGRwDW+t0LKPw==,iv:DLCeGhRqRp/JfFaY3vva86OzMwGlcXxiBbQ4Tayjyq4=,tag:We5W8cIntW3D/5vdC/t8IA==,type:str]
-#ENC[AES256_GCM,data:+lbLElpVOYo=,iv:DaVuudlnW+vy2PZOs9eiwZhOyILnqEX9KUehFlX2gWE=,tag:lvM6r0JM0DZir4y7iVTeKg==,type:comment]
-kanidm-forgejo-client: ENC[AES256_GCM,data:pitJ6re5xm2w1MSs5Ul7Tl1/H1KSR7Ps7w==,iv:4k8/cxpLqWxCgJuk/y9K3OAMCkzu8gb8CDxY+gUuOvg=,tag:OocTFS54teDUfHaHAHZiHw==,type:str]
 #ENC[AES256_GCM,data:Ur0/rfBv5g==,iv:eH+KbbkmtBWbobqAIUFF0jIrGhbHnk9g8hLZoxE3swI=,tag:3dnoA+O5GXW5Dvxcx4jiTw==,type:comment]
 resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str]
 resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str]
@@ -60,14 +38,15 @@ kanidm-grafana: ENC[AES256_GCM,data:61PEA1fBcaRy8+x0dn9WrH9P0D+NOkbeZw==,iv:kbR3
 kanidm-nextcloud: ENC[AES256_GCM,data:9FjsOzBos18ouHBeuzrzHIpCDowFt0Aktw==,iv:iqUQUsWsO5N+KZqHyqNxMxSija/yPrrrAqvz4b1NG1M=,tag:/WC3wg/eYXV3hLJPRVWLog==,type:str]
 kanidm-oauth2-proxy: ENC[AES256_GCM,data:DQ5tj7N+P1b8vFnF+MGhaUBvbVQoE4sVhQ==,iv:Xy4bdi8fSFuFHsQKgZ3PswFFYsqtiAeqeSRam1k/H0E=,tag:9W4LRPPYtDOrSpxRDK/7sg==,type:str]
 kanidm-freshrss: ENC[AES256_GCM,data:4y0X3sSOfs5pKNCmZGJhxlAKH7GD1UACdw==,iv:LuQQCfOpsTqglwQvohHMFpNGaOjoZ8PKDgG50qBP02k=,tag:Z5mVYP/9nToerQ1qui1eWQ==,type:str]
-#ENC[AES256_GCM,data:5wFeVBBdeDlAHZwUdA==,iv:mAmgS9gbPklWPFu425MPngjGm3SNGnUSNyR5oG4EK+E=,tag:nNUTTbs+aWAU1qNgtTsBgA==,type:comment]
-oauth2-cookie-secret: ENC[AES256_GCM,data:l8BPYA7t9NG9MPFs/LDlFHqwbnwsvie7FM5v613358E+jLf2wD+tipyUb6c=,iv:1kZ6G6Z0cSQS53kc/hygh/1Ke491agWDlYHR9Yq0jT0=,tag:mi7Un2JBnrq1dnP3jZX4ng==,type:str]
-kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:+mcA/sz3AZuw+I44iIdOEfDmtjEVdxi2fg==,iv:m4NpieUicS7xsR+F5AgPqkcUFRF+CGOA8IK6GeS9tgM=,tag:1wypxpiHPdQBD8Td/PSdMw==,type:str]
 #ENC[AES256_GCM,data:M9U+Mr1cAhlt7NpW,iv:LY19BZEwDdQD1Nhbmgdt9/9VNJjcTkOGP7SwEDE3Xwk=,tag:TlYrhu5dBj1D+Qd72r7Ofg==,type:comment]
 firefly-iii-app-key: ENC[AES256_GCM,data:hzgl8eRL0irNRP5TO7G1rNtNM7fXCkmbcaX4QoTsM0xA1rgyKwiy6a4lYDjoXZyOMy5p,iv:q5eepIELwIecyQ56A6THUOu+rebK3irKVYb7/gNHlU8=,tag:+M/KTX1JzPzXeK4TRzW42w==,type:str]
 #ENC[AES256_GCM,data:mBlfyJvQyrhTnpkJ,iv:hHnTCsHfzCgKuBO82JjNbjYYjWV8e7+0VRkbTGw+WRE=,tag:7Dp77Q2VjWJM5LydvpbJnQ==,type:comment]
 koillection-env-file: ENC[AES256_GCM,data:X1dndR7XIhGCwbRQzET5MbzW71PT7WmyryNbOhCKx2I=,iv:bP/90aJT+eA8EmwoFZ7uXxOWfOprpHfc9CvL/A9Os5M=,tag:ZxFDInJBtFrulvOL9PwNJQ==,type:str]
 koillection-db-password: ENC[AES256_GCM,data:5Ue4l8CMZpjRpcryEtzPyR2Zf7M=,iv:Ol/G6nFY5H/SIY7l4o5woqFVeLfnv3FJfaAZIqI4NHA=,tag:hYorZv2nyLvsJ8AT2xTkBA==,type:str]
+#ENC[AES256_GCM,data:oTo0OgB8QQyPVxzEoEw38eM=,iv:V8UJrZvlAEUVxajLjty56LoiHqi9mvX2NxlZeYr0P0g=,tag:gSiHry8iRcYWAFi5Lt1GiQ==,type:comment]
+anki-pw: ENC[AES256_GCM,data:h4RBhKV6ZzDQk7s=,iv:r21zH3sDKwRxfi8A1DPNEVhKTbb35qWv2mTGaXJxynM=,tag:kT4pVhz6pHxyBZ0iXdGx7w==,type:str]
+#ENC[AES256_GCM,data:5jJoV7vZl1A=,iv:Uc9/nyvdzgH6USVxhDhVs6aDqy/k9D53AJP2AvTj3ZQ=,tag:K4zDz5RoLuHevTeLqxw/XQ==,type:comment]
+kanidm-forgejo-client: ENC[AES256_GCM,data:2iXE/dmOQtY2NEsBgDqkqwD/brF0vJs+Ag==,iv:PBQ03z/E6R+u7Y56fPzJSnsoCa5PUYSiezZFOMLz4eo=,tag:jThgOC6h2hHJUclDju/MtQ==,type:str]
 sops:
 age:
 - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
@@ -79,8 +58,8 @@ sops:
 MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
 qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-01T23:25:43Z"
- mac: ENC[AES256_GCM,data:TS1UWyZGQ1zgzHGVlcWhWgWgo56zaSbhcB3KryS6Ya5clgyFt4vY0R4dC+uYnjmY1QCXAFPVLQU24ufKFDz94fEm0sQCPEWF2d1n156IpMce4wtCUqc0sXJOqTI3OA8ty91EWSUXTaapXEG2Pd9MSKr6XXpAVVbhzXKU1rFd1zc=,iv:xeOThqJ0tWUu55O8JAQMi0D6YzkrrHe7AshSATgpQ2U=,tag:VvtzsK1/06BD39bfQUr7Mg==,type:str]
+ lastmodified: "2025-07-09T20:28:09Z"
+ mac: ENC[AES256_GCM,data:tLAljNEDR4Ab27OXVJhvDuGmfuxE/L9KSFsJGDo25Vs3P56/HnjrI77y+ytLuf2sK/OHup7jXnlwBWUDAfNWIQzUdjIBtr/OiggkPHgWhr4rH55ayLM1IfZU1ex6MPvliz2yi0nU6jqHXoSlBCqu+hdfyTQri1EmZ9Bh811YDqs=,iv:4VmwBcmQIjQ16mwxYjgud3OUjQE0rH0wN72sAXXs3to=,tag:OQNYvxLZg+0hapvUYsexuA==,type:str]
 pgp:
 - created_at: "2024-12-17T16:24:32Z"
 enc: |-