From baf7580e99fbca13987c79f97492c1dd9567ff30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Tue, 21 Oct 2025 20:19:57 +0200
Subject: [PATCH 1/7] chore[client]: enable obsidian omnisearch keybind

---
 SwarselSystems.org               | 269 ++++++++++++++++---------------
 modules/home/common/obsidian.nix |  13 ++
 2 files changed, 154 insertions(+), 128 deletions(-)

diff --git a/SwarselSystems.org b/SwarselSystems.org
index f5e95c2..3d1bd75 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -14530,142 +14530,155 @@ This service changes the screen hue at night. I am not sure if that really does
 
 #+begin_src nix-ts :tangle modules/home/common/obsidian.nix
   { lib, config, pkgs, nixosConfig ? config, ... }:
-    let
-      moduleName = "obsidian";
-      inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters;
-      name = "Main";
-    in
-    {
-      options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} with settings";
-      config = lib.mkIf config.swarselmodules.${moduleName} {
+  let
+    moduleName = "obsidian";
+    inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters;
+    name = "Main";
+  in
+  {
+    options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} with settings";
+    config = lib.mkIf config.swarselmodules.${moduleName} {
 
-        home.file = {
-          "${config.programs.obsidian.vaults.${name}.target}/.obsidian/app.json".force = true;
-          "${config.programs.obsidian.vaults.${name}.target}/.obsidian/appearance.json".force = true;
-          "${config.programs.obsidian.vaults.${name}.target}/.obsidian/core-plugins.json".force = true;
-        };
+      home.file = {
+        "${config.programs.obsidian.vaults.${name}.target}/.obsidian/app.json".force = true;
+        "${config.programs.obsidian.vaults.${name}.target}/.obsidian/appearance.json".force = true;
+        "${config.programs.obsidian.vaults.${name}.target}/.obsidian/core-plugins.json".force = true;
+      };
 
-        programs.obsidian =
-          {
-            enable = true;
-            package = pkgs.obsidian;
-            defaultSettings = {
-              app = {
-                attachmentFolderPath = "attachments";
-                alwaysUpdateLinks = true;
-                spellcheck = false;
-                inherit userIgnoreFilters;
-                vimMode = false;
-                newFileLocation = "current";
-              };
-              corePlugins = [
-                "backlink"
-                "bookmarks"
-                "canvas"
-                "command-palette"
-                "daily-notes"
-                "editor-status"
-                "file-explorer"
-                "file-recovery"
-                "global-search"
-                "graph"
-                "note-composer"
-                "outgoing-link"
-                "outline"
-                "page-preview"
-                "properties"
-                "slides"
-                "switcher"
-                "tag-pane"
-                "templates"
-                "word-count"
-              ];
-              communityPlugins = with pkgs.swarsel-nix; [
-                advanced-tables
-                calendar
-                file-hider
-                linter
-                omnisearch
-                sort-and-permute-lines
-                tag-wrangler
-                tray
-              ];
+      programs.obsidian =
+        {
+          enable = true;
+          package = pkgs.obsidian;
+          defaultSettings = {
+            app = {
+              attachmentFolderPath = "attachments";
+              alwaysUpdateLinks = true;
+              spellcheck = false;
+              inherit userIgnoreFilters;
+              vimMode = false;
+              newFileLocation = "current";
             };
-            vaults = {
-              ${name} = {
-                target = "./Obsidian/${name}";
-                settings = {
-                  appearance = {
-                    baseFontSize = lib.mkForce 19;
-                  };
-                  communityPlugins = with pkgs.swarsel-nix; [
-                    {
-                      pkg = advanced-tables;
-                      enable = true;
-                    }
-                    {
-                      pkg = calendar;
-                      enable = true;
-                    }
-                    {
-                      pkg = sort-and-permute-lines;
-                      enable = true;
-                    }
-                    {
-                      pkg = tag-wrangler;
-                      enable = true;
-                    }
-                    {
-                      pkg = tray;
-                      enable = true;
-                      settings = {
-                        launchOnStartup = false;
-                        hideOnLaunch = true;
-                        runInBackground = true;
-                        hideTaskbarIcon = false;
-                        createTrayIcon = true;
-                      };
-                    }
-                    {
-                      pkg = file-hider;
-                      enable = true;
-                      settings =
-                        {
-                          hidden = true;
-                          hiddenList = [
-                            "attachments"
-                            "images"
-                            "ltximg"
-                            "logseq"
-                          ];
-                        };
-                    }
-                    {
-                      pkg = linter;
-                      enable = true;
-                      settings = {
-                        auto-correct-common-misspellings = {
-                          skip-words-with-multiple-capitals = true;
-                        };
-                        convert-bullet-list-markers = {
-                          enabled = true;
-                        };
-                      };
-                    }
-                    {
-                      pkg = omnisearch;
-                      enable = true;
-                      settings = {
-                        hideExcluded = true;
-                      };
-                    }
+            hotkeys = {
+              "graph:open" = [ ];
+              "omnisearch:show-modal" = [
+                {
+                  modifiers = [
+                    "Mod"
                   ];
+                  key = "S";
+                }
+              ];
+              "editor:save-file" = [ ];
+              "editor:delete-paragraph" = [ ];
+            };
+            corePlugins = [
+              "backlink"
+              "bookmarks"
+              "canvas"
+              "command-palette"
+              "daily-notes"
+              "editor-status"
+              "file-explorer"
+              "file-recovery"
+              "global-search"
+              "graph"
+              "note-composer"
+              "outgoing-link"
+              "outline"
+              "page-preview"
+              "properties"
+              "slides"
+              "switcher"
+              "tag-pane"
+              "templates"
+              "word-count"
+            ];
+            communityPlugins = with pkgs.swarsel-nix; [
+              advanced-tables
+              calendar
+              file-hider
+              linter
+              omnisearch
+              sort-and-permute-lines
+              tag-wrangler
+              tray
+            ];
+          };
+          vaults = {
+            ${name} = {
+              target = "./Obsidian/${name}";
+              settings = {
+                appearance = {
+                  baseFontSize = lib.mkForce 19;
                 };
+                communityPlugins = with pkgs.swarsel-nix; [
+                  {
+                    pkg = advanced-tables;
+                    enable = true;
+                  }
+                  {
+                    pkg = calendar;
+                    enable = true;
+                  }
+                  {
+                    pkg = sort-and-permute-lines;
+                    enable = true;
+                  }
+                  {
+                    pkg = tag-wrangler;
+                    enable = true;
+                  }
+                  {
+                    pkg = tray;
+                    enable = true;
+                    settings = {
+                      launchOnStartup = false;
+                      hideOnLaunch = true;
+                      runInBackground = true;
+                      hideTaskbarIcon = false;
+                      createTrayIcon = true;
+                    };
+                  }
+                  {
+                    pkg = file-hider;
+                    enable = true;
+                    settings =
+                      {
+                        hidden = true;
+                        hiddenList = [
+                          "attachments"
+                          "images"
+                          "ltximg"
+                          "logseq"
+                        ];
+                      };
+                  }
+                  {
+                    pkg = linter;
+                    enable = true;
+                    settings = {
+                      auto-correct-common-misspellings = {
+                        skip-words-with-multiple-capitals = true;
+                      };
+                      convert-bullet-list-markers = {
+                        enabled = true;
+                      };
+                    };
+                  }
+                  {
+                    pkg = omnisearch;
+                    enable = true;
+                    settings = {
+                      hideExcluded = true;
+                    };
+                  }
+                ];
               };
             };
           };
-      };
-    }
+        };
+    };
+  }
 #+end_src
 
 **** Anki
diff --git a/modules/home/common/obsidian.nix b/modules/home/common/obsidian.nix
index 0e2e7f4..4baa813 100644
--- a/modules/home/common/obsidian.nix
+++ b/modules/home/common/obsidian.nix
@@ -27,6 +27,19 @@ in
             vimMode = false;
             newFileLocation = "current";
           };
+          hotkeys = {
+            "graph:open" = [ ];
+            "omnisearch:show-modal" = [
+              {
+                modifiers = [
+                  "Mod"
+                ];
+                key = "S";
+              }
+            ];
+            "editor:save-file" = [ ];
+            "editor:delete-paragraph" = [ ];
+          };
           corePlugins = [
             "backlink"
             "bookmarks"

From d83ff89712c417fb3b3128b07ee91f2636b6f2ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Tue, 21 Oct 2025 20:20:18 +0200
Subject: [PATCH 2/7] chore[client]: increase tridactyl hint delay

---
 SwarselSystems.org                  | 2 +-
 files/firefox/tridactyl/tridactylrc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/SwarselSystems.org b/SwarselSystems.org
index 3d1bd75..bfe56d3 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -22316,7 +22316,7 @@ set allowautofocus false
 jsb browser.webRequest.onHeadersReceived.addListener(tri.request.clobberCSP,{urls:["<all_urls>"],types:["main_frame"]},["blocking","responseHeaders"])
 
 " default is 300ms
-set hintdelay 100
+set hintdelay 500
 
 " Some pages like github break on the tridactyl quick search. have this as a fallback
 unbind <C-f>
diff --git a/files/firefox/tridactyl/tridactylrc b/files/firefox/tridactyl/tridactylrc
index b3ef65a..9e4928f 100644
--- a/files/firefox/tridactyl/tridactylrc
+++ b/files/firefox/tridactyl/tridactylrc
@@ -124,7 +124,7 @@ set allowautofocus false
 jsb browser.webRequest.onHeadersReceived.addListener(tri.request.clobberCSP,{urls:["<all_urls>"],types:["main_frame"]},["blocking","responseHeaders"])
 
 " default is 300ms
-set hintdelay 100
+set hintdelay 500
 
 " Some pages like github break on the tridactyl quick search. have this as a fallback
 unbind <C-f>

From 723ce403b206d170841d7daf215ecd7ddb42c729 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Tue, 21 Oct 2025 20:37:51 +0200
Subject: [PATCH 3/7] feat[work]: use s/mime certificates for mail

---
 SwarselSystems.org                      | 1213 ++++++++++++-----------
 files/emacs/init.el                     |   22 +
 hosts/nixos/pyramid/secrets/pii.nix.enc |    6 +-
 modules/home/common/env.nix             |    2 +-
 modules/home/optional/work.nix          |    8 +-
 secrets/repo/pii.nix.enc                |    6 +-
 6 files changed, 658 insertions(+), 599 deletions(-)

diff --git a/SwarselSystems.org b/SwarselSystems.org
index bfe56d3..2d99cea 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -11715,7 +11715,7 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var
         SWARSEL_CAL3 = source3;
         SWARSEL_CAL3NAME = source3-name;
         SWARSEL_FULLNAME = fullName;
-        SWARSEL_MAIL_ALL = allMailAddresses;
+        SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses;
         GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path;
         OPENROUTER_API_KEY = openrouterApi;
       };
@@ -15218,633 +15218,637 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]
 
 #+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes
   { self, config, pkgs, lib, vars, nixosConfig ? config, ... }:
-      let
-        inherit (config.swarselsystems) homeDir;
-      in
+  let
+    inherit (config.swarselsystems) homeDir;
+    inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses;
+    inherit (nixosConfig.repo.secrets.local.work) mailAddress;
+  in
+  {
+    options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
+    config = lib.mkIf config.swarselmodules.optional.work
       {
-        options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
-        config = lib.mkIf config.swarselmodules.optional.work
+        home.packages = with pkgs; [
+          stable.teams-for-linux
+          shellcheck
+          dig
+          docker
+          postman
+          # rclone
+          libguestfs-with-appliance
+          stable.prometheus.cli
+          tigervnc
+          # openstackclient
+
+          vscode
+        ];
+
+        systemd.user.sessionVariables = {
+          DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
+        } // lib.optionalAttrs (!config.swarselsystems.isPublic) {
+          SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses;
+          SWARSEL_MAIL_WORK = lib.mkForce mailAddress;
+        };
+
+        accounts.email.accounts.work =
+          let
+            inherit (nixosConfig.repo.secrets.local.work) mailName;
+          in
           {
-            home.packages = with pkgs; [
-              stable.teams-for-linux
-              shellcheck
-              dig
-              docker
-              postman
-              # rclone
-              libguestfs-with-appliance
-              stable.prometheus.cli
-              tigervnc
-              # openstackclient
+            primary = false;
+            address = mailAddress;
+            userName = mailAddress;
+            realName = mailName;
+            passwordCommand = "pizauth show work";
+            imap = {
+              host = "outlook.office365.com";
+              port = 993;
+              tls.enable = true; # SSL/TLS
+            };
+            smtp = {
+              host = "outlook.office365.com";
+              port = 587;
+              tls = {
+                enable = true; # SSL/TLS
+                useStartTls = true;
+              };
+            };
+            thunderbird = {
+              enable = true;
+              profiles = [ "default" ];
+              settings = id: {
+                "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
+                "mail.server.server_${id}.authMethod" = 10; # oauth
+                # "toolkit.telemetry.enabled" = false;
+                # "toolkit.telemetry.rejected" = true;
+                # "toolkit.telemetry.prompted" = 2;
+              };
+            };
+            msmtp = {
+              enable = true;
+              extraConfig = {
+                auth = "xoauth2";
+                host = "outlook.office365.com";
+                protocol = "smtp";
+                port = "587";
+                tls = "on";
+                tls_starttls = "on";
+                from = "${mailAddress}";
+                user = "${mailAddress}";
+                passwordeval = "pizauth show work";
+              };
+            };
+            mu.enable = true;
+            mbsync = {
+              enable = true;
+              expunge = "both";
+              patterns = [ "INBOX" ];
+              extraConfig = {
+                account = {
+                  AuthMechs = "XOAUTH2";
+                };
+              };
+            };
+          };
 
-              vscode
+        # wayland.windowManager.sway.config = {
+        #   output = {
+        #     "Applied Creative Technology Transmitter QUATTRO201811" = {
+        #       bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}";
+        #     };
+        #     "Hewlett Packard HP Z24i CN44250RDT" = {
+        #       bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}";
+        #     };
+        #     "HP Inc. HP 732pk CNC4080YL5" = {
+        #       bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}";
+        #     };
+        #   };
+        # };
+
+        stylix = {
+          targets.firefox.profileNames =
+            let
+              inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
+            in
+            [
+              "${user1}"
+              "${user2}"
+              "${user3}"
+              "work"
             ];
+        };
 
-
-            systemd.user.sessionVariables = {
-              DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
+        programs =
+          let
+            inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds;
+          in
+          {
+            openstackclient = {
+              enable = true;
+              inherit clouds;
             };
+            awscli = {
+              enable = true;
+              package = pkgs.stable24_05.awscli2;
+              # settings = {
+              #   "default" = { };
+              #   "profile s3-imagebuilder-prod" = { };
+              # };
+              # credentials = {
+              #   "s3-imagebuilder-prod" = {
+              #     aws_access_key_id = "5OYXY4879EJG9I91K1B6";
+              #     credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key";
+              #   };
+              # };
+            };
+            git.userEmail = lib.mkForce gitMail;
 
-            accounts.email.accounts.work =
-              let
-                inherit (nixosConfig.repo.secrets.local.work) mailAddress mailName;
-              in
-              {
-                primary = false;
-                address = mailAddress;
-                userName = mailAddress;
-                realName = mailName;
-                passwordCommand = "pizauth show work";
-                imap = {
-                  host = "outlook.office365.com";
-                  port = 993;
-                  tls.enable = true; # SSL/TLS
-                };
-                smtp = {
-                  host = "outlook.office365.com";
-                  port = 587;
-                  tls = {
-                    enable = true; # SSL/TLS
-                    useStartTls = true;
-                  };
-                };
-                thunderbird = {
-                  enable = true;
-                  profiles = [ "default" ];
-                  settings = id: {
-                    "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
-                    "mail.server.server_${id}.authMethod" = 10; # oauth
-                    # "toolkit.telemetry.enabled" = false;
-                    # "toolkit.telemetry.rejected" = true;
-                    # "toolkit.telemetry.prompted" = 2;
-                  };
-                };
-                msmtp = {
-                  enable = true;
-                  extraConfig = {
-                    auth = "xoauth2";
-                    host = "outlook.office365.com";
-                    protocol = "smtp";
-                    port = "587";
-                    tls = "on";
-                    tls_starttls = "on";
-                    from = "${mailAddress}";
-                    user = "${mailAddress}";
-                    passwordeval = "pizauth show work";
-                  };
-                };
-                mu.enable = true;
-                mbsync = {
-                  enable = true;
-                  expunge = "both";
-                  patterns = [ "INBOX" ];
-                  extraConfig = {
-                    account = {
-                      AuthMechs = "XOAUTH2";
-                    };
-                  };
-                };
+            zsh = {
+              shellAliases = {
+                dssh = "ssh -l ${user1Long}";
+                cssh = "ssh -l ${user2Long}";
+                wssh = "ssh -l ${user3Long}";
+              };
+              cdpath = [
+                "~/Documents/Work"
+              ];
+              dirHashes = {
+                d = "$HOME/.dotfiles";
+                w = "$HOME/Documents/Work";
+                s = "$HOME/.dotfiles/secrets";
+                pr = "$HOME/Documents/Private";
+                ac = path1;
               };
 
-            # wayland.windowManager.sway.config = {
-            #   output = {
-            #     "Applied Creative Technology Transmitter QUATTRO201811" = {
-            #       bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}";
-            #     };
-            #     "Hewlett Packard HP Z24i CN44250RDT" = {
-            #       bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}";
-            #     };
-            #     "HP Inc. HP 732pk CNC4080YL5" = {
-            #       bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}";
-            #     };
-            #   };
-            # };
+              sessionVariables = {
+                VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})";
+                VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})";
+                GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})";
+                GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})";
+                GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})";
+                GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})";
+                GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})";
+                GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})";
+                GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})";
+                GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})";
+              };
+            };
 
-            stylix = {
-              targets.firefox.profileNames =
+            ssh = {
+              matchBlocks = {
+                "${loc1}" = {
+                  hostname = "${loc1}.${domain2}";
+                  user = user4;
+                };
+                "${loc1}.stg" = {
+                  hostname = "${loc1}.${lifecycle1}.${domain2}";
+                  user = user4;
+                };
+                "${loc1}.staging" = {
+                  hostname = "${loc1}.${lifecycle1}.${domain2}";
+                  user = user4;
+                };
+                "${loc1}.dev" = {
+                  hostname = "${loc1}.${lifecycle2}.${domain2}";
+                  user = user4;
+                };
+                "${loc2}" = {
+                  hostname = "${loc2}.${domain1}";
+                  user = user1Long;
+                };
+                "${loc2}.stg" = {
+                  hostname = "${loc2}.${lifecycle1}.${domain2}";
+                  user = user1Long;
+                };
+                "${loc2}.staging" = {
+                  hostname = "${loc2}.${lifecycle1}.${domain2}";
+                  user = user1Long;
+                };
+                "*.${domain1}" = {
+                  user = user1Long;
+                };
+              };
+            };
+
+            firefox = {
+              profiles =
                 let
-                  inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
+                  isDefault = false;
                 in
-                [
-                  "${user1}"
-                  "${user2}"
-                  "${user3}"
-                  "work"
-                ];
+                {
+                  "${user1}" = lib.recursiveUpdate
+                    {
+                      inherit isDefault;
+                      id = 1;
+                      settings = {
+                        "browser.startup.homepage" = "${site1}|${site2}";
+                      };
+                    }
+                    vars.firefox;
+                  "${user2}" = lib.recursiveUpdate
+                    {
+                      inherit isDefault;
+                      id = 2;
+                      settings = {
+                        "browser.startup.homepage" = "${site3}";
+                      };
+                    }
+                    vars.firefox;
+                  "${user3}" = lib.recursiveUpdate
+                    {
+                      inherit isDefault;
+                      id = 3;
+                    }
+                    vars.firefox;
+                  work = lib.recursiveUpdate
+                    {
+                      inherit isDefault;
+                      id = 4;
+                      settings = {
+                        "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
+                      };
+                    }
+                    vars.firefox;
+                };
             };
 
-            programs =
-              let
-                inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds;
-              in
+            chromium = {
+              enable = true;
+              package = pkgs.chromium;
+
+              extensions = [
+                # 1password
+                "gejiddohjgogedgjnonbofjigllpkmbf"
+                # dark reader
+                "eimadpbcbfnmbkopoojfekhnkhdbieeh"
+                # ublock origin
+                "cjpalhdlnbpafiamejdnhcphjbkeiagm"
+                # i still dont care about cookies
+                "edibdbjcniadpccecjdfdjjppcpchdlm"
+                # browserpass
+                "naepdomgkenhinolocfifgehidddafch"
+              ];
+            };
+          };
+
+        services = {
+          kanshi = {
+            settings = [
               {
-                openstackclient = {
-                  enable = true;
-                  inherit clouds;
-  };
-                awscli = {
-                  enable = true;
-                  package = pkgs.stable24_05.awscli2;
-                  # settings = {
-                  #   "default" = { };
-                  #   "profile s3-imagebuilder-prod" = { };
-                  # };
-                  # credentials = {
-                  #   "s3-imagebuilder-prod" = {
-                  #     aws_access_key_id = "5OYXY4879EJG9I91K1B6";
-                  #     credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key";
-                  #   };
-                  # };
+                # seminary room
+                output = {
+                  criteria = "Applied Creative Technology Transmitter QUATTRO201811";
+                  scale = 1.0;
+                  mode = "1280x720";
                 };
-                git.userEmail = lib.mkForce gitMail;
-
-                zsh = {
-                  shellAliases = {
-                    dssh = "ssh -l ${user1Long}";
-                    cssh = "ssh -l ${user2Long}";
-                    wssh = "ssh -l ${user3Long}";
-                  };
-                  cdpath = [
-                    "~/Documents/Work"
+              }
+              {
+                # work main screen
+                output = {
+                  criteria = "HP Inc. HP 732pk CNC4080YL5";
+                  scale = 1.0;
+                  mode = "3840x2160";
+                };
+              }
+              {
+                # work side screen
+                output = {
+                  criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                  scale = 1.0;
+                  mode = "1920x1200";
+                  transform = "270";
+                };
+              }
+              {
+                profile = {
+                  name = "lidopen";
+                  exec = [
+                    "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
+                    "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                    "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
                   ];
-                  dirHashes = {
-                    d = "$HOME/.dotfiles";
-                    w = "$HOME/Documents/Work";
-                    s = "$HOME/.dotfiles/secrets";
-                    pr = "$HOME/Documents/Private";
-                    ac = path1;
-                  };
-
-                  sessionVariables = {
-                    VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})";
-                    VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})";
-                    GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})";
-                    GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})";
-                    GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})";
-                    GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})";
-                    GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})";
-                    GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})";
-                    GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})";
-                    GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})";
-                  };
-                };
-
-                ssh = {
-                  matchBlocks = {
-                    "${loc1}" = {
-                      hostname = "${loc1}.${domain2}";
-                      user = user4;
-                    };
-                    "${loc1}.stg" = {
-                      hostname = "${loc1}.${lifecycle1}.${domain2}";
-                      user = user4;
-                    };
-                    "${loc1}.staging" = {
-                      hostname = "${loc1}.${lifecycle1}.${domain2}";
-                      user = user4;
-                    };
-                    "${loc1}.dev" = {
-                      hostname = "${loc1}.${lifecycle2}.${domain2}";
-                      user = user4;
-                    };
-                    "${loc2}" = {
-                      hostname = "${loc2}.${domain1}";
-                      user = user1Long;
-                    };
-                    "${loc2}.stg" = {
-                      hostname = "${loc2}.${lifecycle1}.${domain2}";
-                      user = user1Long;
-                    };
-                    "${loc2}.staging" = {
-                      hostname = "${loc2}.${lifecycle1}.${domain2}";
-                      user = user1Long;
-                    };
-                    "*.${domain1}" = {
-                      user = user1Long;
-                    };
-                  };
-                };
-
-                firefox = {
-                  profiles =
-                    let
-                      isDefault = false;
-                    in
+                  outputs = [
                     {
-                      "${user1}" = lib.recursiveUpdate
-                        {
-                          inherit isDefault;
-                          id = 1;
-                          settings = {
-                            "browser.startup.homepage" = "${site1}|${site2}";
-                          };
-                        }
-                        vars.firefox;
-                      "${user2}" = lib.recursiveUpdate
-                        {
-                          inherit isDefault;
-                          id = 2;
-                          settings = {
-                            "browser.startup.homepage" = "${site3}";
-                          };
-                        }
-                        vars.firefox;
-                      "${user3}" = lib.recursiveUpdate
-                        {
-                          inherit isDefault;
-                          id = 3;
-                        }
-                        vars.firefox;
-                      work = lib.recursiveUpdate
-                        {
-                          inherit isDefault;
-                          id = 4;
-                          settings = {
-                            "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
-                          };
-                        }
-                        vars.firefox;
-                    };
-                };
-
-                chromium = {
-                  enable = true;
-                  package = pkgs.chromium;
-
-                  extensions = [
-                    # 1password
-                    "gejiddohjgogedgjnonbofjigllpkmbf"
-                    # dark reader
-                    "eimadpbcbfnmbkopoojfekhnkhdbieeh"
-                    # ublock origin
-                    "cjpalhdlnbpafiamejdnhcphjbkeiagm"
-                    # i still dont care about cookies
-                    "edibdbjcniadpccecjdfdjjppcpchdlm"
-                    # browserpass
-                    "naepdomgkenhinolocfifgehidddafch"
+                      criteria = config.swarselsystems.sharescreen;
+                      status = "enable";
+                      scale = 1.5;
+                      position = "1462,0";
+                    }
+                    {
+                      criteria = "HP Inc. HP 732pk CNC4080YL5";
+                      scale = 1.4;
+                      mode = "3840x2160";
+                      position = "-1280,0";
+                    }
+                    {
+                      criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                      scale = 1.0;
+                      mode = "1920x1200";
+                      transform = "90";
+                      position = "-2480,0";
+                    }
                   ];
                 };
-              };
-
-            services = {
-              kanshi = {
-                settings = [
+              }
+              {
+                profile =
+                  let
+                    monitor = "Applied Creative Technology Transmitter QUATTRO201811";
+                  in
                   {
-                    # seminary room
-                    output = {
-                      criteria = "Applied Creative Technology Transmitter QUATTRO201811";
-                      scale = 1.0;
-                      mode = "1280x720";
-                    };
-                  }
-                  {
-                    # work main screen
-                    output = {
+                    name = "lidopen";
+                    exec = [
+                      "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
+                      "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
+                      "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'"
+                    ];
+                    outputs = [
+                      {
+                        criteria = config.swarselsystems.sharescreen;
+                        status = "enable";
+                        scale = 1.7;
+                        position = "2560,0";
+                      }
+                      {
+                        criteria = "Applied Creative Technology Transmitter QUATTRO201811";
+                        scale = 1.0;
+                        mode = "1280x720";
+                        position = "10000,10000";
+                      }
+                    ];
+                  };
+              }
+              {
+                profile = {
+                  name = "lidclosed";
+                  exec = [
+                    "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                    "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                  ];
+                  outputs = [
+                    {
+                      criteria = config.swarselsystems.sharescreen;
+                      status = "disable";
+                    }
+                    {
                       criteria = "HP Inc. HP 732pk CNC4080YL5";
-                      scale = 1.0;
+                      scale = 1.4;
                       mode = "3840x2160";
-                    };
-                  }
-                  {
-                    # work side screen
-                    output = {
+                      position = "-1280,0";
+                    }
+                    {
                       criteria = "Hewlett Packard HP Z24i CN44250RDT";
                       scale = 1.0;
                       mode = "1920x1200";
                       transform = "270";
-                    };
-                  }
-                  {
-                    profile = {
-                      name = "lidopen";
-                      exec = [
-                        "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
-                        "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                        "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
-                      ];
-                      outputs = [
-                        {
-                          criteria = config.swarselsystems.sharescreen;
-                          status = "enable";
-                          scale = 1.5;
-                          position = "1462,0";
-                        }
-                        {
-                          criteria = "HP Inc. HP 732pk CNC4080YL5";
-                          scale = 1.4;
-                          mode = "3840x2160";
-                          position = "-1280,0";
-                        }
-                        {
-                          criteria = "Hewlett Packard HP Z24i CN44250RDT";
-                          scale = 1.0;
-                          mode = "1920x1200";
-                          transform = "90";
-                          position = "-2480,0";
-                        }
-                      ];
-                    };
-                  }
-                  {
-                    profile =
-                      let
-                        monitor = "Applied Creative Technology Transmitter QUATTRO201811";
-                      in
-                      {
-                        name = "lidopen";
-                        exec = [
-                          "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
-                          "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
-                          "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'"
-                        ];
-                        outputs = [
-                          {
-                            criteria = config.swarselsystems.sharescreen;
-                            status = "enable";
-                            scale = 1.7;
-                            position = "2560,0";
-                          }
-                          {
-                            criteria = "Applied Creative Technology Transmitter QUATTRO201811";
-                            scale = 1.0;
-                            mode = "1280x720";
-                            position = "10000,10000";
-                          }
-                        ];
-                      };
-                  }
-                  {
-                    profile = {
-                      name = "lidclosed";
-                      exec = [
-                        "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                        "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
-                      ];
-                      outputs = [
-                        {
-                          criteria = config.swarselsystems.sharescreen;
-                          status = "disable";
-                        }
-                        {
-                          criteria = "HP Inc. HP 732pk CNC4080YL5";
-                          scale = 1.4;
-                          mode = "3840x2160";
-                          position = "-1280,0";
-                        }
-                        {
-                          criteria = "Hewlett Packard HP Z24i CN44250RDT";
-                          scale = 1.0;
-                          mode = "1920x1200";
-                          transform = "270";
-                          position = "-2480,0";
-                        }
-                      ];
-                    };
-                  }
-                  {
-                    profile =
-                      let
-                        monitor = "Applied Creative Technology Transmitter QUATTRO201811";
-                      in
-                      {
-                        name = "lidclosed";
-                        exec = [
-                          "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
-                        ];
-                        outputs = [
-                          {
-                            criteria = config.swarselsystems.sharescreen;
-                            status = "disable";
-                          }
-                          {
-                            criteria = "Applied Creative Technology Transmitter QUATTRO201811";
-                            scale = 1.0;
-                            mode = "1280x720";
-                            position = "10000,10000";
-                          }
-                        ];
-                      };
-                  }
-                ];
-              };
-            };
-
-            systemd.user.services = {
-              pizauth.Service = {
-                ExecStartPost = [
-                  "${pkgs.toybox}/bin/sleep 1"
-                  "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'"
-                ];
-              };
-
-              teams-applet = {
-                Unit = {
-                  Description = "teams applet";
-                  Requires = [ "tray.target" ];
-                  After = [
-                    "graphical-session.target"
-                    "tray.target"
+                      position = "-2480,0";
+                    }
                   ];
-                  PartOf = [ "graphical-session.target" ];
                 };
-
-                Install = {
-                  WantedBy = [ "graphical-session.target" ];
-                };
-
-                Service = {
-                  ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true";
-                };
-              };
-
-              onepassword-applet = {
-                Unit = {
-                  Description = "1password applet";
-                  Requires = [ "tray.target" ];
-                  After = [
-                    "graphical-session.target"
-                    "tray.target"
-                  ];
-                  PartOf = [ "graphical-session.target" ];
-                };
-
-                Install = {
-                  WantedBy = [ "graphical-session.target" ];
-                };
-
-                Service = {
-                  ExecStart = "${pkgs._1password-gui}/bin/1password";
-                };
-              };
-
-            };
-
-            swarselservices.pizauth = {
-              enable = true;
-              extraConfig = ''
-                auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi";
-                error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\"";
-                token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state";
-              '';
-              accounts = {
-                work = {
-                  authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
-                  tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
-                  clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
-                  clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
-                  scopes = [
-                    "https://outlook.office365.com/IMAP.AccessAsUser.All"
-                    "https://outlook.office365.com/SMTP.Send"
-                    "offline_access"
-                  ];
-                  loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}";
-                };
-              };
-
-            };
-
-            xdg =
-              let
-                inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
-              in
+              }
               {
-                mimeApps = {
-                  defaultApplications = {
-                    "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
-                  };
-                };
-                desktopEntries =
+                profile =
                   let
-                    terminal = false;
-                    categories = [ "Application" ];
-                    icon = "firefox";
+                    monitor = "Applied Creative Technology Transmitter QUATTRO201811";
                   in
                   {
-                    firefox_work = {
-                      name = "Firefox (work)";
-                      genericName = "Firefox work";
-                      exec = "firefox -p work";
-                      inherit terminal categories icon;
-                    };
-                    "firefox_${user1}" = {
-                      name = "Firefox (${user1})";
-                      genericName = "Firefox ${user1}";
-                      exec = "firefox -p ${user1}";
-                      inherit terminal categories icon;
-                    };
-
-                    "firefox_${user2}" = {
-                      name = "Firefox (${user2})";
-                      genericName = "Firefox ${user2}";
-                      exec = "firefox -p ${user2}";
-                      inherit terminal categories icon;
-                    };
-
-                    "firefox_${user3}" = {
-                      name = "Firefox (${user3})";
-                      genericName = "Firefox ${user3}";
-                      exec = "firefox -p ${user3}";
-                      inherit terminal categories icon;
-                    };
-
-
+                    name = "lidclosed";
+                    exec = [
+                      "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
+                    ];
+                    outputs = [
+                      {
+                        criteria = config.swarselsystems.sharescreen;
+                        status = "disable";
+                      }
+                      {
+                        criteria = "Applied Creative Technology Transmitter QUATTRO201811";
+                        scale = 1.0;
+                        mode = "1280x720";
+                        position = "10000,10000";
+                      }
+                    ];
                   };
-              };
-            swarselsystems = {
-              startup = [
-                # { command = "nextcloud --background"; }
-                # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
-                # { command = "element-desktop --hidden  --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
-                # { command = "anki"; }
-                # { command = "obsidian"; }
-                # { command = "nm-applet"; }
-                # { command = "feishin"; }
-                # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }
-                # { command = "1password"; }
-              ];
-              monitors = {
-                work_back_middle = rec {
-                  name = "LG Electronics LG Ultra HD 0x000305A6";
-                  mode = "2560x1440";
-                  scale = "1";
-                  position = "5120,0";
-                  workspace = "1:一";
-                  # output = "DP-10";
-                  output = name;
-                };
-                work_front_left = rec {
-                  name = "LG Electronics LG Ultra HD 0x0007AB45";
-                  mode = "3840x2160";
-                  scale = "1";
-                  position = "5120,0";
-                  workspace = "1:一";
-                  # output = "DP-7";
-                  output = name;
-                };
-                work_back_right = rec {
-                  name = "HP Inc. HP Z32 CN41212T55";
-                  mode = "3840x2160";
-                  scale = "1";
-                  position = "5120,0";
-                  workspace = "1:一";
-                  # output = "DP-3";
-                  output = name;
-                };
-                work_middle_middle_main = rec {
-                  name = "HP Inc. HP 732pk CNC4080YL5";
-                  mode = "3840x2160";
-                  scale = "1";
-                  position = "-1280,0";
-                  workspace = "11:M";
-                  # output = "DP-8";
-                  output = name;
-                };
-                work_middle_middle_side = rec {
-                  name = "Hewlett Packard HP Z24i CN44250RDT";
-                  mode = "1920x1200";
-                  transform = "270";
-                  scale = "1";
-                  position = "-2480,0";
-                  workspace = "12:S";
-                  # output = "DP-9";
-                  output = name;
-                };
-                work_seminary = rec {
-                  name = "Applied Creative Technology Transmitter QUATTRO201811";
-                  mode = "1280x720";
-                  scale = "1";
-                  position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse
-                  workspace = "14:T";
-                  # output = "DP-4";
-                  output = name;
-                };
-              };
-              inputs = {
-                "1133:45081:MX_Master_2S_Keyboard" = {
-                  xkb_layout = "us";
-                  xkb_variant = "altgr-intl";
-                };
-                # "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
-                #   dwt = "enabled";
-                #   tap = "enabled";
-                #   natural_scroll = "enabled";
-                #   middle_emulation = "enabled";
-                #   drag_lock = "disabled";
-                # };
-                "1133:50504:Logitech_USB_Receiver" = {
-                  xkb_layout = "us";
-                  xkb_variant = "altgr-intl";
-                };
-                "1133:45944:MX_KEYS_S" = {
-                  xkb_layout = "us";
-                  xkb_variant = "altgr-intl";
-                };
-              };
+              }
+            ];
+          };
+        };
 
+        systemd.user.services = {
+          pizauth.Service = {
+            ExecStartPost = [
+              "${pkgs.toybox}/bin/sleep 1"
+              "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'"
+            ];
+          };
+
+          teams-applet = {
+            Unit = {
+              Description = "teams applet";
+              Requires = [ "tray.target" ];
+              After = [
+                "graphical-session.target"
+                "tray.target"
+              ];
+              PartOf = [ "graphical-session.target" ];
+            };
+
+            Install = {
+              WantedBy = [ "graphical-session.target" ];
+            };
+
+            Service = {
+              ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true";
             };
           };
 
-      }
+          onepassword-applet = {
+            Unit = {
+              Description = "1password applet";
+              Requires = [ "tray.target" ];
+              After = [
+                "graphical-session.target"
+                "tray.target"
+              ];
+              PartOf = [ "graphical-session.target" ];
+            };
+
+            Install = {
+              WantedBy = [ "graphical-session.target" ];
+            };
+
+            Service = {
+              ExecStart = "${pkgs._1password-gui}/bin/1password";
+            };
+          };
+
+        };
+
+        swarselservices.pizauth = {
+          enable = true;
+          extraConfig = ''
+            auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi";
+            error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\"";
+            token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state";
+          '';
+          accounts = {
+            work = {
+              authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+              tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+              clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
+              clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
+              scopes = [
+                "https://outlook.office365.com/IMAP.AccessAsUser.All"
+                "https://outlook.office365.com/SMTP.Send"
+                "offline_access"
+              ];
+              loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}";
+            };
+          };
+
+        };
+
+        xdg =
+          let
+            inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
+          in
+          {
+            mimeApps = {
+              defaultApplications = {
+                "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
+              };
+            };
+            desktopEntries =
+              let
+                terminal = false;
+                categories = [ "Application" ];
+                icon = "firefox";
+              in
+              {
+                firefox_work = {
+                  name = "Firefox (work)";
+                  genericName = "Firefox work";
+                  exec = "firefox -p work";
+                  inherit terminal categories icon;
+                };
+                "firefox_${user1}" = {
+                  name = "Firefox (${user1})";
+                  genericName = "Firefox ${user1}";
+                  exec = "firefox -p ${user1}";
+                  inherit terminal categories icon;
+                };
+
+                "firefox_${user2}" = {
+                  name = "Firefox (${user2})";
+                  genericName = "Firefox ${user2}";
+                  exec = "firefox -p ${user2}";
+                  inherit terminal categories icon;
+                };
+
+                "firefox_${user3}" = {
+                  name = "Firefox (${user3})";
+                  genericName = "Firefox ${user3}";
+                  exec = "firefox -p ${user3}";
+                  inherit terminal categories icon;
+                };
+
+
+              };
+          };
+        swarselsystems = {
+          startup = [
+            # { command = "nextcloud --background"; }
+            # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
+            # { command = "element-desktop --hidden  --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
+            # { command = "anki"; }
+            # { command = "obsidian"; }
+            # { command = "nm-applet"; }
+            # { command = "feishin"; }
+            # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }
+            # { command = "1password"; }
+          ];
+          monitors = {
+            work_back_middle = rec {
+              name = "LG Electronics LG Ultra HD 0x000305A6";
+              mode = "2560x1440";
+              scale = "1";
+              position = "5120,0";
+              workspace = "1:一";
+              # output = "DP-10";
+              output = name;
+            };
+            work_front_left = rec {
+              name = "LG Electronics LG Ultra HD 0x0007AB45";
+              mode = "3840x2160";
+              scale = "1";
+              position = "5120,0";
+              workspace = "1:一";
+              # output = "DP-7";
+              output = name;
+            };
+            work_back_right = rec {
+              name = "HP Inc. HP Z32 CN41212T55";
+              mode = "3840x2160";
+              scale = "1";
+              position = "5120,0";
+              workspace = "1:一";
+              # output = "DP-3";
+              output = name;
+            };
+            work_middle_middle_main = rec {
+              name = "HP Inc. HP 732pk CNC4080YL5";
+              mode = "3840x2160";
+              scale = "1";
+              position = "-1280,0";
+              workspace = "11:M";
+              # output = "DP-8";
+              output = name;
+            };
+            work_middle_middle_side = rec {
+              name = "Hewlett Packard HP Z24i CN44250RDT";
+              mode = "1920x1200";
+              transform = "270";
+              scale = "1";
+              position = "-2480,0";
+              workspace = "12:S";
+              # output = "DP-9";
+              output = name;
+            };
+            work_seminary = rec {
+              name = "Applied Creative Technology Transmitter QUATTRO201811";
+              mode = "1280x720";
+              scale = "1";
+              position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse
+              workspace = "14:T";
+              # output = "DP-4";
+              output = name;
+            };
+          };
+          inputs = {
+            "1133:45081:MX_Master_2S_Keyboard" = {
+              xkb_layout = "us";
+              xkb_variant = "altgr-intl";
+            };
+            # "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
+            #   dwt = "enabled";
+            #   tap = "enabled";
+            #   natural_scroll = "enabled";
+            #   middle_emulation = "enabled";
+            #   drag_lock = "disabled";
+            # };
+            "1133:50504:Logitech_USB_Receiver" = {
+              xkb_layout = "us";
+              xkb_variant = "altgr-intl";
+            };
+            "1133:45944:MX_KEYS_S" = {
+              xkb_layout = "us";
+              xkb_variant = "altgr-intl";
+            };
+          };
+
+        };
+      };
+
+  }
 
 #+end_src
 
@@ -21838,6 +21842,35 @@ This adds the simple utility of sending desktop notifications whenever a new mai
   (mu4e t)
 #+end_src
 
+**** Work: Signing Mails (S/MIME, smime)
+
+Used to automatically sign messages sent from my work email address using S/MIME certificate.
+
+#+begin_src emacs-lisp
+  (let ((work (getenv "SWARSEL_MAIL_WORK")))
+    (when (and work (not (string-empty-p work)))
+
+      (setq swarsel-smime-cert-path "~/.Certificates/$SWARSEL_MAIL_WORK.pem")
+      (setq swarsel-smime-cert-path (substitute-env-vars swarsel-smime-cert-path))
+      (setq mml-secure-prefer-scheme 'smime)
+      (setq mml-secure-smime-sign-with-sender t)
+      (add-hook 'mu4e-compose-mode-hook
+                (lambda ()
+                  (when (and (boundp 'user-mail-address)
+                             (stringp user-mail-address)
+                             (string-equal user-mail-address (getenv "SWARSEL_MAIL_WORK")))
+                    (mml-secure-message-sign-smime))))
+
+      (setq smime-keys
+            `((,(getenv "SWARSEL_MAIL_WORK")
+               ,swarsel-smime-cert-path
+               ("~/Certificates/harica-root.pem"
+                "~/Certificates/harica-intermediate.pem"
+                ))))
+      ))
+
+#+end_src
+
 *** Calendar
 :PROPERTIES:
 :CUSTOM_ID: h:c760f04e-622f-4b3e-8916-53ca8cce6edc
diff --git a/files/emacs/init.el b/files/emacs/init.el
index 935c1ee..e8d147e 100644
--- a/files/emacs/init.el
+++ b/files/emacs/init.el
@@ -1605,6 +1605,28 @@ create a new one."
 
 (mu4e t)
 
+(let ((work (getenv "SWARSEL_MAIL_WORK")))
+  (when (and work (not (string-empty-p work)))
+
+    (setq swarsel-smime-cert-path "~/.Certificates/$SWARSEL_MAIL_WORK.pem")
+    (setq swarsel-smime-cert-path (substitute-env-vars swarsel-smime-cert-path))
+    (setq mml-secure-prefer-scheme 'smime)
+    (setq mml-secure-smime-sign-with-sender t)
+    (add-hook 'mu4e-compose-mode-hook
+              (lambda ()
+                (when (and (boundp 'user-mail-address)
+                           (stringp user-mail-address)
+                           (string-equal user-mail-address (getenv "SWARSEL_MAIL_WORK")))
+                  (mml-secure-message-sign-smime))))
+
+    (setq smime-keys
+          `((,(getenv "SWARSEL_MAIL_WORK")
+             ,swarsel-smime-cert-path
+             ("~/Certificates/harica-root.pem"
+              "~/Certificates/harica-intermediate.pem"
+              ))))
+    ))
+
 (use-package org-caldav
   :init
   ;; set org-caldav-sync-initalization
diff --git a/hosts/nixos/pyramid/secrets/pii.nix.enc b/hosts/nixos/pyramid/secrets/pii.nix.enc
index 1cd9d41..f95ff57 100644
--- a/hosts/nixos/pyramid/secrets/pii.nix.enc
+++ b/hosts/nixos/pyramid/secrets/pii.nix.enc
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:TAwmpSF2fhM/gHIL2qUs4lvaLwzbg3UR2ges9x3uioLMYCn4o0fFnf+NbqM3CBERqrBTh6f4TpWTD1SJ9934ZhvwR09xhjc1wVM6JcE9yWfAifm8zwxK85SAn8c3Ap1WRsuDKT7RdoyDwh5IDkl2bgkznlFNVIrIMaUSjj1XITacNwFuIBKoPBJjX9jHjYg0PT07RSQ2VWh9xGLbp9/RKDu+csVaNSdPqRRPYwPbwpcML34ABWvlwDre1dCwJjhq/hdBdAL9/fasvHSdYOinDytH67d8jrEOPGZGKUTOERf2GUGsgqMYuPmkVSG+3JRhZvOZZEVuCexvyErVvHoxXzMCfv/DzaqB9KgKZmL1Wfak/KLCeXs4jfPUS0+dEi0sxNc+R77opPbVqTEBO64mgniWbtvk0N3GHrBJj1BDR/9v/gs72QMcatQnSuWMAZ1DnRfsHVBYxvuAdZ+vEKhQ61lkdh7bV7FKkG9xQwO/W0b2dfAdpfTe3n2tRhzznEwhGDyujfTTguOpQrd/0whuI8Ete0eTGNFj5zrUcBOHR+HE+CuQlathFUEMAjxx+/oy7gk6pm9olDBSl6ptzJjGDF/suV0NUT5mcm6zVSUxGMMCjuH3MlKI0VTcdm69WpgDYj07seFvBfRs/pAEj5mMVbEY9VE8BRNiM5fQumQzwr5BlAEyWgy6VZ74wt4F/Y/3iPHv3n516ZwmBYVJ7xxqYqo3+lpenVurYCy9v0rw0KndojcE852oil90GX6R6ZhMQmM0JbUl4n75oI6ug5zHyzHUluuTNIZ1rNZzPamt32EOIeXkSTs+jAfyjku0eENt8aX14BZBsCh7JG+f7YNyIs711wK7rzMw3JBvk1vXveOFPjK4vBimIG3uBkiAiQ4GFk01ISTbpMvdmLmdtPeZdjp29OiMqWlG4GLm/4XfmHMvsLpnkCTKEKn75RD4eOuvp1P1oaopkPt1oQqMVJtUmFjA4NZlyRSn+KkLTO0lAjsfl03HsTC6RnQcnBNlEMBD0I2VFhH4qIKHrmwgMy5LCeWWQ0/QYPgtfV/xbO2AlvRwX4I5VYjlAZ00TZ3147qXF2KAweINOEHGavegFabx9Bh3MwM8JP2l1BPlO7eE5iXkwmvIPT2yr+dzNyd3A/uV4tnX/h3z7eErpmv189EZY6iKq6011d1En8l3x3PJMrtU0qwCXbwG0RBERbh1rH++gfED0A2LFnVDUAmiVTWTv26ik3kG9YRQbAL1LC9Bfx0jhktRy8uQRu9COMJX6oobC64/FThV1phuPfsEm468r5sJ/8sTkVHYQPf57ePE4uP5axvNB9D0nZwRhlh5duSaaOY64Sg3PdxT6h39V6GR42q9lCTJ7MFxm8YLzaeh3cf0Tl2aoZC4T6WQCbcNZ4SzncUBwDmJvbBjHqHM63nHuvlK5XPAgyWCtAoLpvQAKWeDPupCxLNyHB6uDbzAS3sY/XVD5qDAJffZBxNqwJHdPiO3gDn8aBZe51AamOmdqxK2ujl1XlBSLFmFkRSwssGoQQrLfQp1o0O0pCSfRy0cSStCp8uwzSubGF2Z1ebYViBpl8HwFmAA+i31nWhplEsFivdBqSlO+R5slKCZcZRVQynFsvLe2Rrp2uXaQzs27GeKUKE5jl0Yzmia8V7EKacTxZhs0/uEkhTRiMIjLzGPjFDHCPQr5APYzXrzauJeVbf9w7pkDlXeyDfu3pG+Nk3ljL+blyCA/sPFMFpwEUm5WdoVAb5sE2d8WcCDmJG9jWRrRs32i3lrfEphORYku8qd+jdBiqqnOGqAySv01Ip+0zkhstXuze6WoH7k32DMHgxKEfPLHqqGKJxAVfCluKhybJlWnaZ2BMW2Ctz5yZHNyXnkqv9FONArLJPgnNpecaEPiZXDWLbOsBXuqjhuNvuB6llX5GOCoc36ynZGjoI/PgG2V7SU2DDQf5ibM7qQnLye/bKi8YiZKvzDcMzbkujM5+PZDhuXbilYjMybR5ct03QOHnv2xg7Tc2Uf0uCCc9GqaFGiKL/q7tTR2AqYJ0moypVVLRVhMBJolQtO1eUrUoZjtbM9gFRF8+BHbDbNP/zVO2Gk0hNIBl/VCG0eusqmSPk5dfesF2xhoTTdwTBjoxTGWzEezoBj+ufL1zK49n44+uLwTF1isS0PSsTlGHQmvZC4sDQCtr0bjzWag6CHAe3cYa6zizC0SHbrrkZhuxJId3yk0pVzpRMYZ5HRGMrTw0W9Y5oQt10GeCtmhM03H80J+Q7M8/TtqF2dWf249aNI93RGQLiVMUj06k5hLwHk2/BlFdeOgzzQxzrVx03Y+qWNUMPVVJViyQp42tCinAaLYw2eCbtrj4/Ze0v8u/gZYMdgq1KegyNEPIQqlM9MGbCcwIXgEWGl9hvIngmQ+ZuoiJtjGhvRHtqUzql4x2IsfxOxcUVwXxoM6yISZrOdmiLgpd/mp/NBPEomba6E5AjQFlzy/b5Vk0/HT6EgYdJNXBthVWqB+X0/4IzQ79o9Kwd1VjOAkBvXy/siWuSU03demYuKnZTsCBV7h2bWyge19rCYyUryN9WaB+fcnVHmFvU999SUudE+6QXZC/0ZIU1SV2K9K5Cqovw7zSCTM2w+0QZp+0LCbPDS/tDOKpd2z0uHg5UWy11gH/i4P9Lt7ygRAjRQ0gZ9K3N41Z2RfH9UTTUsnKMXR5+Z6ebZhi6IST6VlOa1ahJj7CRXOSBxNeK6vWtHfSmO56wJN7FcoItsehpcwDyMYVIYYEe53eZTuho3UKqd/q9QEBlgwFpiBmUy6CEX4jryiC6LDiUEFL63YIq2qNy4JLhSjG7JwaAzjCXdDv3Au3tiWV+sDXNV88MG0AEAM/zQ83bHMhv/xcyvp/TA2YOuYBfvlVYuxXASbFzl,iv:Fu+GmDArq6JSpODMPTJ7boKT/N33l57UbHqdTwpYuxA=,tag:gi/VuS3QTzeOiUsZBfm7BQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:Avje6G0sf17iETA622PNdboM3FlYSFtdiPtEuCKpytuUS/2ATu1g9rTeLuSwKHzMfuweF1l+GWkME4D3PQZ2hzgtyByISnuHTFB0kO/QmnmpoNpEkGXgUKpogEaFWiTyFkg+Ceo8IFzSA+AW22DcNnU6ygZlnuK92XH3qJ9F/xyF8yd3eFXx9skA68GdpyoOxnw648ZKeL0/mWLcZVSxDpt7o2bnnL/lU8qp4HErRkgbIh8aUCfaZjRJMXOMfZj4rNSZ58ZCSTl1akuDRYQfqk8WdprrveDXVPtFe3Ol1LY2yqZtTTjE/L94fmQtkLE4U36uJfQBtnUAjqXJQqCpZRrJcQgqPyW29CWwIxK/2hccYIikv6033j2kUKQbXWMcniBsnFfmBvLLKBHdylNX2AstKjtkJ48dZskL833QvYwxNxePEk0heJ463goWHtDLWNFAMW5vrI/BYg8NM6PDYvZWG6yswUZFlUmzKoQxzbxKgnsXj4yDH+pNu8B8uWzKaEYDQjeKdOPEhagNVroeT+T6r0hp/sEJUTh8ekIwpmmNssF7DalKumEcuQy0K3Lvt7fUhB5Z+dFMz3eqhQuXtwQl9p0mpf13F8qVtbuB4Ye0N8HmGFp+TF5sVXy1RsgP80uVawaqKVyhiRoT+ZDMUno4MwkmPAmkYhemkH9UIsooiRdFOb9W4zzQbpC79htnGXGVWgDQMNYVun/TX0RMNnmFls/HoPQz5Ft6sKQp6cQ8bNxsWMJKTRR/Y8g32OomcGMegPDM+oeutvTFkUhhZdgFHd98brOZjrEeQVwyh6fOLqHaSIZB8XFjh/rDytPbX85/HQSH+k9zWgL4kpHoZeLPUK0alY2RMFlYuNd/a8yhgdlQZGGSfVP92JrdmOcTxgOd11zy6/eTWBWVZVE279CJvAYkKDTFN/MyoAC0gTl2mR9vW44BbDAHywOy8AJjzoDMWacg7DBFSqxW9ZGJbFs3udqYk5IDhrdOz941jE+WsP978K8uTn2F7d/Qz6lhmberdyIuPC0H18+2Gzv1L/LWtc6/kqqPOB9RYrlaayAfymqNV/3FdhFSxfx4Pm4SD5MIaZ99FS7+AwP3B5kmnCZToLZlFsgPL9DUwqwgx69gQxUlb362ih5swaCY0nOL63oa6c25/UvO9rYkDh52FhGl1N9gzvbzbYC0Mp7QuwzF1XWUFbhE+f9aJ6bAXHyS10GMfa76eLnnoPSslYZ4rZfLMjHOGjbTMY7wTLl50wKg4VbThWtpkxwbITGd5VZH1/iO6e7F8K0gMwHNMYSm/doNaRcN1HWi7eD6YtQVWlWlewx0C9BzW6TsOy3e9MtQBULFDkPEIbzoT/29dS1o7YKyomdBG867xbqKV31DkqBpq9G0Fv6kHCeu5MmfzeqhueA11+XFQvvNl2KsLW5LvlP7GPOl0VjlEBY61SGjXibMGcLOAEgsxyzzZhLP97pl1dTb2yokBkDTy9n9pgpWJ5NmZi68XMVew8Nx4vz0Dj6jZruPgO3vBtpUytx6vjp/hwKcUQq09PxY8QN5l3gfmZJvAiDMuZh6ZzaJvVhkK/afzt2YN1rozd+Ibo4k3831X+RkfKLFoiA6E0g9SEgm6HAl/gfRIKR740yH0uVVbpCNIRpfBuAQMAvoLczcgYjsMaZ5hqHh0nOC+hsHmEIP47KrPzyA8U3+TjQEbAN1aHAGkzVDVJ4E8iwPkPAP0B+b6mtSNfscdyG5iX2zlqcivvA51s8zouhxEZ4KZ9TiVtg6dlngP7fu1SjM2DYzG2Sshg8L+WyzFFjDgWPe5RO8btzWEFuNTpFgvaRYQWONa7JWgnigP4ZE7Tc+shN8BXGhjJnGM4Z1+PNPRWvB/d1Fqe1KbgTyVFHizD8DnNWmfgghFLOwenKbZXe8wAAGmfIaCHE7IMrTSeuqhfKpGGnrnlE9Hd3y/8ojYtOFPQ16ohTPxBVwN/gt8RCmBdP+i4Y11He0vdX3HaF3W9yGkIPDLY/aJ33NvK9lmCvXBYANSLirBJmY/xEgdxIbG9TDRnZPoUQ0b8WBZS8RFg7wuxNucNrMAHp+8n3Ww0D9+zqo1rropr7FRc1xYjRrxSvx+g0xhb46qe7In+mSaJy1seITD6T+LdnOz3SK6bXpZ1I1sg7B0XXCLyMe2cs3KrqmUwDYowm6rbyM65X2CVgl/ULXg0rjPBaKqqYpFeQDAYdBgLiLiA99tWhI3hf6WEYb9aio6gIgkDtKMe242TnauUBkCDHxqgC/Lhp4fG4+TCjRTNopO3nmEYoYH67+VQONyU4YRn7lmWReT5pFrkczBIogeihgCwL+zNzA/f4wvGdADNLH9uxuGIpR5a1/HwWa6cKxCQ375kl013By6dHre50zal18KHMz/ou8dDQOsWDMbjE01aDJEHHSVPZiySjXiNWD+mvy8SE8hMRVyP/9PyB91wXwhRAU1UJifFSCuKAlqkwOCkqrMJ+EDhoIrGhx+XfM84/wu/RIowKTtF4Zz7CmpjN8cSgm+Ht4akg7XaBiAGsZMal3TY33SzY7MHZ1Tsv2AeYHPtssyXBdVd8GRZAw7phoPqXpV1hSvLwS7fY2F3+Ie8U3E55p4U7HrYGo9SHqF90rSB/tUhQdah7ptcpywBWlCWqA9L+q7I5kljSLFSf/2Hl1B33M80rCCdnOSiyjawF+0n9Pysw4C/z0aHQIBTDYYTZ9a6RIEjHDFlX7GKX8CKw6XvTvsIgs2kDklcUNTgXI5MRMtkyIrh081V2gNj65B0+yWxlK2VvyKLv2AuFCH2m401Dazusp89yA624wMFRF/DQmiC7MPvWFMzhLbsQu3dRW+JKDv88t18OymQeQlbP+lNdff4Cd4fVoTqt6xCoDLrIcmX/rw9QZnmJF/dW2wmMVQIONdfBx6O+CHsaaLScHdJg0/RIfjA8bkObPh+p1ULvJ9ddLQA5J7Cd2omwhZqXpPbAiveykCEWRMOCD0mama5RHJOyNnqQGYUmPvpq+QwaR4+6DeGy319uyNiLcmKKMIx+hSq2qQhK+ler1DS5VLJC0g5rWcovE7bUs7sNKETvMfO8gr1Crve2wTWA6DCrNZSSkWXwzwJOsVmVx66e/hmh17k/DCqDG55z11QR6X7C0EryzAj1JPJ6wG9KamgsZOCqJL1h2piNdbTnnBPfE5btg2OIw1453OYgWI2f833p6BZR4irditSs67fNt4ZFGad7pq5ETlpFU1FQUZFuEm7iFrw==,iv:7YztaPs7GSC4AdIF36G3qb8lQAhUwkaD613z8LcUW7A=,tag:ULku+TZreQNt5/6ZyLtWog==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -11,8 +11,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z2tONmQxTUhZUW12Z2Jm\nUnoxSnpYcnZDNGNzSko1ckl2RDh3NG1VS2dFCmIwUXhmSk1OUk02S0JPVDR5UWJ4\na0gwWlg0V005ZWxYa29PZ0laS2VqM0kKLS0tIHN5SU9pQ090eHljeXJGWm5hRFQ4\nZ001Nzkyb29RYkNUMDNDNlo4YnVQeTQK34bNIBgxId2+DHKQNVV3Iro3KGkE03Sp\niB1+dADT6nRvGvoyPqnLq/NYfw7eQ6XqYt55zkdCta8v6L1UNUkw8g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-10-11T08:44:45Z",
-		"mac": "ENC[AES256_GCM,data:pNbRA83NQcfWwTjgowEaFlfZVbZntWb1alGKdaX3IqjBlZEmYfJGKaxkbiL1uoMFNmrc5HtQUQLz0QVUpQ87ggH/HEUtdVcHnT65hxWjX3NWg3G2C9cbPqe3SiLv+UWPUsN70gu/xAJUuaiM9tsQoHkpNdefT3t382/uxF+Cb3M=,iv:1njSCqZFoCX46IhiowRqUteG8VJ5EEHDxricjMd4l58=,tag:9WBBXfUUW+7wmXy3zksMKQ==,type:str]",
+		"lastmodified": "2025-10-21T17:51:36Z",
+		"mac": "ENC[AES256_GCM,data:nogwxr8xZVIPv1vnZyBZuGu5WHO7ygxfeoF+Nrmdqin4YrZ8nK3f8oVNAsEBfNvUyr2mkRAbAT3tgcP+u/w+RJgH9ERHWljnw5xy8iGLkTF36B83+lCL7cp3wIzllOQyRUYEHegnQWA79WoWWHD3u4sZmlinByJRUMscRV9uTww=,iv:rZd+3+WlcOVtqgJGhoBkJGm/HF/01wuopeFlEwvcupI=,tag:P7fIdk4ithHyOAfqui6xNw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-14T22:31:01Z",
diff --git a/modules/home/common/env.nix b/modules/home/common/env.nix
index 240b677..f2f463d 100644
--- a/modules/home/common/env.nix
+++ b/modules/home/common/env.nix
@@ -28,7 +28,7 @@ in
       SWARSEL_CAL3 = source3;
       SWARSEL_CAL3NAME = source3-name;
       SWARSEL_FULLNAME = fullName;
-      SWARSEL_MAIL_ALL = allMailAddresses;
+      SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses;
       GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path;
       OPENROUTER_API_KEY = openrouterApi;
     };
diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix
index 28c66b7..72df0b1 100644
--- a/modules/home/optional/work.nix
+++ b/modules/home/optional/work.nix
@@ -1,6 +1,8 @@
 { self, config, pkgs, lib, vars, nixosConfig ? config, ... }:
 let
   inherit (config.swarselsystems) homeDir;
+  inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses;
+  inherit (nixosConfig.repo.secrets.local.work) mailAddress;
 in
 {
   options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
@@ -21,14 +23,16 @@ in
         vscode
       ];
 
-
       systemd.user.sessionVariables = {
         DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
+      } // lib.optionalAttrs (!config.swarselsystems.isPublic) {
+        SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses;
+        SWARSEL_MAIL_WORK = lib.mkForce mailAddress;
       };
 
       accounts.email.accounts.work =
         let
-          inherit (nixosConfig.repo.secrets.local.work) mailAddress mailName;
+          inherit (nixosConfig.repo.secrets.local.work) mailName;
         in
         {
           primary = false;
diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc
index 89f4f54..85d15f6 100644
--- a/secrets/repo/pii.nix.enc
+++ b/secrets/repo/pii.nix.enc
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:4J1fELKd55+B/WTnmKrP/uRFFsSQWrbtDIaFqMkdqqjGuGlni0QXll/qVRGNhRw5rHRWThZf5Gb2Pll92YVfb5j9Jq2m+Yz2dZvQNpaTB3be8RD9OzExc1mjqMGuy6Oa0J2XuRXh4hy3oAXDgQxRkICLssRwB2aC3wHlXCyxr3jDIlWEZMM1wvTJ9zIiClamOaS+oABdjR/W151QSa7VcVIMyXfyk19xCxAvlD8kjB1Pyhvn1hgfRY7Sv/R67Wo7IrlfHaH0dK6xng+5EkxZOJtcsQy0jPQRXUCLOHWYr6UVXI7f9OPfRzr8WEL0mz0Qvv/ML6OadycXJnW/rOsxV0domBa93dNO4V3smydlizgTCekswyw7CU9q1MrOSc2SQquez2pBJK6nQUrVurOP98RN/GXn7fEQg1c1CEKkCqlax8CKqGFMlET9ek/LqQD9N2fv3Vu7IdqZSORpSP4Ti0UeuXibybURHCblV1lETxqDqMhdwrBR6knsI+/5EO6BzV2p1Lh2HkE8gacoekqHg3+mTIEmsn2/Gb+7r1ja1vj8P4h0V+CKse4sq19ae2azxPzBMon4RvCcMKskUIojZVYgi5RfZkKYdQGPWKIRXmekwmceDKO21L1SDOxkmxa/fqtVJWiNLU4/6zzu83K2nKoc4kMtIm9hA3DZf3jk4KfZ2EcAuqcrzAPTAQiPDG/StP1SWbjbj8xG8yGpCHNLUgxlxq01oi5KgbpfZ9d0Ap5PwDxiMsX2N/8kikldhN3610rdI+K8fxYrYDfQZ4ZJtM46JpeL4zZvxU2gTc1vfN4xfhzXFT442GWg652TFsCDpq9EqyG7R+/8V5LwRTW59JsyBy91ZptEypq/v8QM4bP1w9Wigkl3v/8zq/RtReiwPfcxNXpSkMYFAs0iLq6M/Zlb7VLr3iA4qogiMAY6C8KbP23PHvWTpP2lUHNR5AptL11DqfG5wj+7NPyj4WCpX+3nrzLYku0iJnpMcOLTwzNenOTlSAC6toRsKqnFHwubIRykTN9ARyGW+qjiew37x6tRb7yovFJZfeQMJQCtdAtQHiANiV5n9n7IBCaesZuhMPqusXhEhzapjpo7WV1ONyAsDvWS6Y/Fiakm371QWHtN81YU+1vNXhYcFiXGeIUK8Pxrs0pD3Ega+G19/kisfngYoXK50gSrCKJ7UVK0pShYRsknPkDFsDGiLT1Mf8ZyQFyKNtr4FQJY+GtpfKPsjdt+XMjGh3ewx4cL0vxuDU33flgsR0dBWLTwUtZIs3fgt0oU03sXVUuCHAg+hIiuNyh+O36eiTVo0vOBJ+KiP7Vb/ng3+cGU1ZYyXpfE+xFV/vRwEE4SvNX67BGrhk2Avw5shOiU9QncLBpP6RnLTlEIQXw+J6ez/FfUQh9F06jLZ0j/PWG1QIpT75KEmbW7GrTKqsD70XW0Lx1jd09SieyYnUgTSGQmdHB+BbtNJfJKRk55PGfRE+3IkrC/i82racawunjJnuLn/6Q05+dlVhrfBdxMLB1RA0biSFIJuwEQfDEGjBcQA2qg4IvOrsmOa15dVcs8waxQmj/7ABUeODV9Fj4xuNrPS44q+BLAZU+4oRejMORImvPuh3f/dMoH2n18aqSkXYLk+fGEXKrvfzVt7M85z/Jx4YgqTn9YkzOZbveR3UUFfhIdOUKBgeeh15ts/BfQGRB8VUsDfIXygcS5BOAHys09JigJ3yZWtaHzI8kMZwIvBpFltciQ4eLPpEF2NSAuPU7hVAwnwI5Vkl9N14eWJFLHL6xwhD68H9zS1Z3wt234bDeHhKTzQ9tyPioYGj8mG5TJZcufVB+sg6HDLAjAIsi2EratJfDRyEr+E7QF+kyHv+KPslF5rH8W3fdo+wh1ULMduIB4EtD3MqOhCliXNN71P3ESQAQSjEHFqAW+mZ3BjWw1JY2rH0FbT2/gJJU4ZHBAycMqC/9zOtG+M6WrivSaYK61k7Y9poN1TJRWV/C6kmfvhRZylalmbjqUx3xYO+oB9+yiEp1PI8QEVDeSg8i0zeDvmII6ijg1p/tq3oAPfXOWyzcxrWFy/mHW4O4NgtYsDYoPu6+reYgAVqgsREg4wHDZetbn4JGbc4/qqQt8RSUlTLXJ3jEZYwovLg89x0CigXrAKvWjEgFkq8T52wFcHB4GBgzjTLD0Y2PL4RK+c1Zc8ARkRbHel0EER4Zj4fEM0kVwuvIhtCxDM13L2HYAO2Dbk0i2VnjjiKgmVnwQuBPv0hlOV97Vw5Jq+Sx8AyOImVmBULhDxCVIZ891PewLhmb9xioM7TewRGV5cDdqDtF+nwtik8zF4YUTTzxjAS08v9B2G9ZBmsA7RkA+hfhIY5QMiQNndqQex/WzNZaOnbMf91gKRsfKMixFevtMCyqXIMK5hfqrbxaUSPe5pISMdnBbIpmVBjwMJGAfzSTCxeEfMtrLsufYeS5NxeamZQtAmaHDP4KhFpyQ7ZIhtvyMXpHA+6tTHCDpmdv/NvuRcVAHNUrgHkYjtBLZdK7MxX61yYt0+3N25gPQ7edXqb3xWxpyV7XPGlm71Q1R8G7+YfUK9BcqKDCD9OFf+dPLiNbtOBj4MNh38op1X9TBmzzrbQr41LWQCJOI6lL0L2FF5NJiWE/Kk0a4rX7b0c0OeXubIidaGXMeP/ZDCNgxTe+BuEDTAAtlusbayEE/8VPtVyzempR4rMlNi50YR3Z8XfkRdw/W0PTQR/uDkNf3Ox4qzyAiLogDbD/xxZzlHWHiJOrbMbpQvQvBzJIUih/OFDP5fQZCvt06KHXANmlS2Yb8Vu7az0v2JCpjlKb4P9/8NoPtwm06adGfBzpP42zgJBmysxFCWO9ndxromt+JqhijL/lIndn7GWjX6w+Dunchs7Hz+l7pakzw2qKhmYAy15hKPfRkkxu2w9hxjx2LrpW/QQQhrKUTiTpoSwmqefGqZqDPtnajzL3Udhm0Azmj8ub7CAD5k2KVLadu/IDXfUZGzoyZgQvpLUGSmNOCn2Zp8VJOXed5RfTIeDbelpD7tOYglL0Cx0b3PpYhmLh2Xn1zx3em65Kp5RCr6UZxmTbhew38DibnNDtXISSd2ZKnwh+ZRAnfCEfsr3pYRdg9YXbHglxI9oUMz1gsSzSUESk32SfwxCskUYiGpom1Tpfe3MO9FDWkA3dy0fmeFU4FKHX+jNhfMw6si76j4/RHdm1A/DSG0QKvuL3LBJXJvWAxCD13idL4L3IXAKu4iJIgORrhcIa50lXn0C8H/iSFymeWMzMfMIhvKOuUVyRjhGlMNT/xAWuC2nqIqrqpik8pFUGU/JQQBt9bTzpnoE7UF/IXsnp6iAzQVwXaeGHzEOk9i3WOR3iCXVM/OIWYGUiA86Fy0rWt0IxDAEantmxSkZELdOyYVHFhkZHsQ5uLuvvohDshSN7MDF1njoMZRq+PCsf0UflTCbSvIWhu5z4YzX6J+9xYfIt3apNW2zWWUc292VruofKSOb71LzuIOqqW8OdcSKhGW/MsUC1LSQZpNg6mE4iidoiKyZQKgliA6ox2ubrzbD+xXx7Hpn3Mlk26/b/84zsAEnsNDZY5FQwFTbM1yKDJ7MRpNnksgZ+b5bkwI3Xc1qhBzLd5hRPoSqeD5nd2O/us5YC+dcHdzZjnPg97E5Lha/+b2fz7H7+N49BN7ArjWW2vEIuO4oJNqCY2wAUm039pJikh4V0aSQw0hMZjDZOzajxaSwRw4TXXPqzcjxWNXQLJTRz1/IfZnsKbRSmTqYpb8SXwSu7H6vV8+LD08HtVyf1lCCwtv0B0yR9U9a1cyGoeg0AZfWrGbalorYS3NEwYpabwDWX292K0TtQMsJypFJvudAPp43T5VK1WKx9pU9KXsZzz3CI1bQPFByMSMtbfcxODVhncN8egC3JiBiMR47TxGG9cGykWtEVj9/jzGTuREKqmAwlwZCL3hog4dgFaXYpd0grCtDw7PABk6Xi7NcXeJ3fCtWZukyTrFxyIxZsadfXK+VwuUEpbARLYU24qYW4cus8ySomaiLw5k5wrBjhYdt3Q3GiLi/jJQKrMCl8RzS+PuBubExDHoqAslh0Q0Cnjy/610ZOPVpomqMKRhLrvaWa5Hh5pGlx9bBfFTb5jCC3Qr+87z++hj5Ta+FcfIRAW/ze0ivTjuuGHnOEc1rx4Um12F7rCF6PNkceReJGMLyZa/wAk8f2nFrjpBcnfqrTDeg1B8pOTxYy1IiCoeMuqt7h9YWu1U45ljoCcM2Pbv7i1n9Qkt6Q+ZphV931RJQ/turPfQkYjkUspvRDVVPQvsSMTzXkssA224mLkBUwwQ0cVU7/pM4GlbzlGuSOg2A6vka6CG4lPg25iHzkK8dxzDIEm09iSGFnioDFg0fA9WPoYFYHekY+cpNjHvQERuGHBPJb2ZnHPyYpvtzOcTpLKJm8gL+M6J/bxkPkLQLXfa3kJg+mBs9ciYG1YLiMmKs4zDk7bw2XSOXo0+O/4Sv4npwJLbMXly0aY85ERY3woYpknbk5BeNnh8mxIIllZUXr16GsFYg5HdBu4kbY9RSCG6SPYZw8vVUmFDwXg8uaWFFgMg48ShhNQ8bPBeYwkqwaitPr+VnKDw/j+p6cMfOs8HsJSUrEB/OGFTG2jz103pFp3ZqqJeC/fEXACZMuhgXT1WL/pZQ6cBZ0ZccRU4XNIyPu/ia2NmcVgZFtVHzlufFeYQSjYgzjRzvsIb5DicckvH/zKrpXhcx4ytHBWOQinYbKYpbbjv5SSPNXV6IcLwaZajK6FWMFZtKILZhbIhGSDb0HIXYmU/EjuxiO4qhduZXSMecAdk5cH3Rp6aqACg2/4xUxcuH+L+bT6bJdiFFLOZLKy5qU=,iv:Y6SA957nt4h9t7KP2btXKIVhWZXBjW+6BrZ6ylYidT0=,tag:eRzQgj1EU6eGAZjzgL4mhw==,type:str]",
+	"data": "ENC[AES256_GCM,data:FMhv0WezQAH1OX7F2WlgdAEn54aAZtCXyFNP+8CboukwlL1+VzzcsjQK7/KJqXiHfIFHfn7N0P/y8tk2P+A2Ucbl1NYxj5IgfL7ohAACDhAVkofCM5CD4KcE1DoL4Ja56K6qkjlAi/t7NRv6tUYIr+NZqr2g70F0RQbgF1dkdpxW1JUNmreF5CnXDYtqz6+iMpekNXkj+wt/Zc9lQ/zW1fP4IH0C64SG+lFucpseOwP3YhvjFpzyT/11+uiStc6l2r+luNT8eJsaCYmcSqK5+1lJglIph1k4H+Xy1ccRHHeesy9+ySaGBP3h5uY9+JOdYe5fO9SYZt0cKO4Oic32Yq+uZ0Ldu0hPzDN4MMHsBP6lYidSXqs/kVgxEbPJ7T0RnQmFCVDhWE346HquZBfrGuxBOu2ifkxAFVHJyGaItOk2wlxcPDbU0P+t584CXlVIdGRS/mvW4xxXBCVlEi+QM8a4JcM7y1RJZV6S6R1DGC1nXgdscpcRGIfp6BcKPmSB2vZO8rx2qOMdUPS0FEOEVnHsvnwczGZHJuq6WjxvLNnzBH4gZtc30OKimlxXhQA6qyjupH7P65ayiFt9vvT/fFnYZr9aABc2xbSmqyJZS1wfvl5JMQWnUayigxfzYMdxuMC9+8SCykqXmy7hDlJeBBobSxdQUVhHAprY/sn+FOBzK5ZYb0wsavXI9w9sUSdQiU4XIxDb/FXJgs89FZ8p+uWQ1vFglF6XYR299LScIN7CsvLyGdk1idr08WCc92+9DSnSv9onM1UGD6IkSjMB3SoexuGa6Kj5yi5qyAOtvmMl8NwJn8Xh+gEE+FSUi+GAhh+aLvNbiIVPPmNXgI2+slUn6bzGDLk3NQMMeQ+JrX/SdT7q9Awxe9jtdsej4CGINrrTYKHsaPocVQkK6wpiQh8XbvxKoOV3UU3x9ouEVUjHrN06UbXWFXQSjEz5QXdtjpyTqxi6AaoL8M/yFTL4uB2ahPZ8bC17ZVq9eXwUtHIyKwClbTHTzlkJzr7lR7I1zWLtZIKy0pr8Si5DEkIuT7YCo5w5Pa3Z9DCkdAAL2t7TNTdrQo3H/iid7YKupfCeQxYYf836toX1Ff7jTCLtTEbfk3fOcbpu4uD0geWx4vI6V5lolJJ950ETnx+pq8EFVEk5D6VSfGo+Hl9c2xZ9UraYo9I0HzSSe12FSEVF/anKMVhBZGxdIxqCQQuu/FSNhkaFpmYpcEgodmFGQbAY0OworSg9ZnFWVMgQ33T/cna9Ene4AZ93DJaNrlzT8Jk0QIqCQjIIiZwUqPxABk0epNMLMZzZBJ/8nwN28YU5/pp4c+53RYPjMD4NlC/P+JXMxF+bidSOSYHb4Ucs1vIRljDSWumb46ZXoV+4sCBSdG0LjNVLkyx9P2vYhcw5G1KduSrUMY9VVOePcVQGYfsWjyi0nLyWadu9UUASafUwkOo2JoEjIdKWqg3zQRYIMr0GYp0Kf1EGVTPRPOApnbyLezDQsSnSZzakcJ1qDSFyLjlBMwoE5Rmndp+TS5kUEQaNeJQb56tTbDLWxlpgCoDgtfL5q+gjuVsjwkvUA9o9usBF+hndDl/fzs/ajR9q8V+hBS4j1AQROFRQhQv7vYdGA+Q3z18nTBheY2MgzpGBUwOEFuJJ+ndPANtVC7EIMz/rwKg7g777cwYLHyiJG1Rtj+45w1DmktS7sIyD0/RUt7ApF/v6PeMY+lVjXCKUfgNDaeiHQzKQpCF4+O4CThKa7Tg0keKI4fuJMoFEqZcfEr1TVEFg8AKcBzqdHMyUeUDyLIf2Sp7GJQXTbNA7TlCI5iABJ9McCK01RMqf/1Ew6NJfNDp1yjMd3NpozvAvMXIunmjUjKHzraW+gw/+z4XCq9ifALcKes3Y1R/tQmVfymnMGGoB3bErSIRIDA47IeR5OnrNVwrTM+l2Ew6jFBoWXH6pfaPj6SkdNgOEPp1mHlHf/x9YDBp2ZmtLAG3vlf4bXk0PQhNIb4bm71WyqqFiYwrI82o0Q+UocSxo/lNnLuvO3OxL1P9tp7OPi8kiB7G/D65qvE653xgXmo1OLk+RBJjhqSxBrPJTNbEcPhp36xjg4QtE9alC0XvzKaGUR9GawD6ZEmgE5payDSRXMPD1ZHx8dxr4wdJmxYFpwXFH8UheiKk2dhoGLkMoIempdsmteyaBh+qbeomXaq0+ihHAHkCtzQOc83cr5OS1tmcU1LbsHQ6ZMfBtpig/yWUdpGzFFTPPVKKx2+bWOkOW44IfkLsnAVjo0fvofnL6wuFBKVVF0bfQmlWBheR/VeVrwEjbxTfVOqRmBsliBSxzr5A5FsK5LGfzsyll/8IegLuE+412Kj3EZLVx3c+xq15oAh66/5JaiZ2C69azvb3gPr5NryLFqW0a5gxw1o3SiOA/L5mgzhqvFpf2+dfXLebahVpAYCpP+XLbYTuDiIbCJouUxBMWZgsmaIcwrGKecixLa0LtESsfLSi7F7jk37OlrOaR1gW0PHhYDfmXq0fqHPulthCWEbm76xSCbuLc9L5FI4Kc648WkxXXR8388mv4xIFAURcorse7DObygZSOx+BW8zynUs7NexXnT9OGa9vTB0OTWadOGXNSIL3LNCmoGNtxjfMCfl+CgAWFQxC2OkajkLxu2g0Ff9eEBNUQGrs8EzMB4wKPDHvtnNrezq0NMFsA7NDyl24taCXZ9jNtk6wsq2mWPW+BjvmlwK5Q8VgMXGLhxDXn4322s5NXDZc2GrafflDgAz8cdMWD1kwj7I+V1YRR4BjXikON3ZeDc3IkvW/ZPbIklr1IfAz5dZ6/pxo1TOHbfkxeS1/xW4+QnCBNznoxMH8QpPnm35Ch++Hl5raSegQ1iDGcGaTu7cG3f3E9sAI8J/x9xzps0kybF1B9ngyvLP+Y+sQ6plqaiWhrAtOtSvQIuZwIqJ6CLTVvGGN0CJVxWz/GU2cxL4ierNmSmni9MroSWz6U+M5K9P2rAQdskIwv0pcZ/esk0C/IHRZEs4DbaFBTVJoPk/8eMKBhxXmomAOm7SFRTp6LMD7OrD/ext2S4cWXbcnXY7WX4+R2GT4yCIo0au3/CLX6znK0o4ml8dH6FzClJCiWL9pc3tFbCh5iCiIGaCXFZmAM3NStD8XLKvqatFxgmK9I2jSN98eSSMU8MexiRtTttzza/7Nqj3/3nCM1Qw4sIEC+a8TWjHJeE/6tJ9JyAHEYZuhE9P3AbECwa7nIQB5NbKF/IDrHUN+fw7mKEPMgbMBQ1ITWg8Glmb2trzms2WlxIm071j+9jYEs/F/n9/mzX6/iyCRegmXUhN9rcPr34GQiw4uLrWKnRhHMQNwOMPVOG6MgPm9+eYBExY7Avl/Evscidd6uewc/+z1soTNIh0qjWS5R5ubgET+Y1G6B68dVrqLE9rA9Z3yIfcp8q/mal+qlkiSv9Vx8285CcM1H2nmXN40zGO3Ad9kVwsgzoHknIW9woUNly9GZeeSx6m5GCqAR7RFsNh6G0xYE7gtWoNs5xhGOyY7Dp+6XhYUPJQJF/kJkKmfFr/0nzXDjCqC2Fdc+OO5ao2nMod3uXFFUZBZzms0+RM0fcTwDLdaEkTw2q63ik4yRcBL7k5uMb7YTeZTitKFmaqPfq9DNgs+hItzDDAUBiJxbww40Z7O1kByg5J2PHU0Z0QJR5pXdMIwakLsKBIWZ7vVWGTmiPM46uRQSrdmjLUVCpanXk4OnRp2JA/Enhe76eASIN0rmHNLAPgzY5H8uhdAnlZ83RZ9qacOgQbjQ9s+rvUl+LpbxnZOolWcVnGUHZj/u11AVIz4VS6AB4g2rFpxSpt0welvuvngshOW+qpzIiw1k0oXsX4WkvxG4s7dwlfAUuYpJCU92EtSkF3z8qBSG35J6k156nXul/zIrxsYv8iuj7Oc5YwceqPhWNaysdRfueEgarfTdJiLisKqeWB8JTEFLDQCHDrbT8krWbbxe1e948grStUpx86BhQIB9bY3lleGgb8J3NNbU1qIltoVwxegECm2CyoA5NHJG5pLaaYBRlWlQC/VZMoo385DQL3k/Vsrn31qdNc50aPisQnqrKbqCdIcdG26VnXkJC9gyhHefzXwu+VkvJJ4eGBmRZF+eB7enzyjHaqjLXJJuk2drsDzWnuAGGA8Ys1KN/mJY4tF741Ba8rZmr/4BcPPRzR47PDOtBQsaI7RsdX+DoVsdgX6P8b3iVIuEm3DHjZlaeQDqFqrp/Q9gHEAjUmpa+zAk1wZ1XU5fw8YiKj3xP+/9pQ5QHqU+IkeZK7306b7rywI7PJf32QOfaSFPBiPI1NhQsBRoVbR5VKNiwK9nKA6fhxiWjvHqcCI8+MoxWhXbq2TwSfQLg91+NwzAUaH61xR1dQw55UAAUS0HfoZTSKqyyIffTNvF6ulRJITMtr6h1q0N8cVdZln0zTBT2k8uMvt5z5RFc58XpRhm8FXXx9LYtlMSdshVhYYyqepMOnhn/4UU25aqQ6swVmsyoJgFYM9ABXbMlFIGVivGEptHDEA5EFhfb6uPUHFmMKkT4rV4Uy8h0h2P8vEitCRZLW/VM3t14/2CN7IT5EQqmKyei+CdKHXiqJlb+Oi7bAATLiroIRoRdF9Ydp1nDRgU6XMxfv+60o2Cxkal2lSmM9YsCByLXY0Zefen0TNca/wndhuRkSJ/GVu2+E6OZtx9zfC0I/GDV4g8TfK3GLGINXBwifOrTcPTyaRgGmAO7OmhNES1pgEvebbeTJipVvq6PCGzVMARsQMF10eHvZQpgMjSq0mSSyccW4BF7PVF4013hgZuT3ZzHHN8zPUyRPifqyLYc3grL0ZOrY6zM+HWM0WvtE3T0u7psdxdxkqHWIxaCnbn3w8H/pqjBb5f6xWjC0auzM6lPtJ6zZ28TBuwSm2ovcOpeGVUx0iYMGLrRty6Iu02,iv:0rzvTEH041voxTfHnSlAfQx7SyBvcY6fUQxbmfqyGmA=,tag:CmyhGqlyXqI5o2H3T+otpw==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -27,8 +27,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU240VjVRZmJ5TGsrclJF\nRXRLbTRCZURtR0Z3d2E2eDNNeGRDODlXVEY4CllTeVFYbDJQWlRSS1RFLzAxSnlM\nZi9NU1c3cWo3YWRLcUJ2U2ZFWFBBVEEKLS0tIGtmZU9qSWdBT3RDeStaaFFDSWtk\ndkUzZXJwZUl4LzVxYXdidmxXRnNnclUKyAMZqCKSY/RQvTR4bbjLaPnGKwdBcHXc\nvtiVSrLdIdzMa6id/J07TJH5UesUmcp0wjU41MDa4aMBLy+cXhuBHA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-10-11T07:31:31Z",
-		"mac": "ENC[AES256_GCM,data:PnHpvceDR85hyKkOTcSaqY4Lg/2mqFvxCSShBxi4DSaTSJkSJwcJ+pWgSdZFu9+P2k/fQv49U/2uTiLZuvPZaIsZKFWG2ngQU9WgxDkte8/DlSHW2yjW2KdJrs4Gv45GcEMzGJRUC8XzY1r5x40VvqyYZX0F30qiOpYGtLJiGKk=,iv:QwhVQaGMj+2m8DDfXeX0iaOlOgwe4I9fhBEQ6t5WF9Y=,tag:cm+1ccwoDfLjbe8UcaTa+Q==,type:str]",
+		"lastmodified": "2025-10-21T17:52:25Z",
+		"mac": "ENC[AES256_GCM,data:SNsmzPknGzx9H7baoKo8gKSac/86sW5em3MKyhYFUxfRhZEtkUwkzz6KwDgZ4YCBzUlLrToiLUICA6KPnkXDHhKBh+8dyyVlB8ISU3gDbozjwRNA78oatLlA4h5sa5RADLha9j7Fr9euy4rcrCmk6jpL26RmsiFZhzaAxhkal4s=,iv:hmRyoG9tW5Wl9AKxWDW4Hv9Qvb5zlM4Ktrk0Q8jsVxg=,tag:ofsjndQpjLmnCMvz1NTsCA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-13T20:13:06Z",

From 8813fb51176c1df384b8b05567cfbb19ea991bd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Tue, 21 Oct 2025 21:37:42 +0200
Subject: [PATCH 4/7] fix[client]: stop anki from halting shutdown

---
 SwarselSystems.org                | 61 +++++++++++++++++--------------
 modules/home/common/anki-tray.nix |  7 +++-
 2 files changed, 40 insertions(+), 28 deletions(-)

diff --git a/SwarselSystems.org b/SwarselSystems.org
index 2d99cea..abca051 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -13555,38 +13555,45 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 
 ***** anki service for tray
 
+Sets up a systemd user service for anki that does not stall the shutdown process. Note that the outcommented =ExecStart= does not work because the home-manager anki package builds a separate anki package that - I think - cannot be referenced as no such expression exists in the module.
+
 #+begin_src nix-ts :tangle modules/home/common/anki-tray.nix
-   { lib, config, ... }:
-   {
-     options.swarselmodules.anki-tray = lib.mkEnableOption "enable anki applet for tray";
-     config = lib.mkIf config.swarselmodules.anki-tray {
+  { lib, config, ... }:
+  {
+    options.swarselmodules.anki-tray = lib.mkEnableOption "enable anki applet for tray";
+    config = lib.mkIf config.swarselmodules.anki-tray {
 
-       systemd.user.services.anki-applet = {
-         Unit = {
-           Description = "Anki applet";
-           Requires = [ "tray.target" ];
-           After = [
-             "graphical-session.target"
-             "tray.target"
-           ];
-           PartOf = [ "graphical-session.target" ];
-         };
+      systemd.user.services.anki-applet = {
+        Unit = {
+          Description = "Anki applet";
+          Requires = [ "tray.target" ];
+          After = [
+            "graphical-session.target"
+            "tray.target"
+          ];
+          PartOf = [ "graphical-session.target" ];
+        };
 
-         Install = {
-           WantedBy = [ "graphical-session.target" ];
-         };
+        Install = {
+          WantedBy = [ "graphical-session.target" ];
+        };
 
-         Service = {
-           # ExecStart = "${lib.getExe config.programs.anki.package}";
-           ExecStart = "/etc/profiles/per-user/swarsel/bin/anki";
-           Environment = [
-             "QT_QPA_PLATFORM=xcb"
-           ];
-         };
-       };
+        Service = {
+          # ExecStart = "${lib.getExe config.programs.anki.package}";
+          Type = "simple";
+          ExecStart = "/etc/profiles/per-user/${config.swarselsystems.mainUser}/bin/anki";
+          Environment = [
+            "QT_QPA_PLATFORM=xcb"
+          ];
+          TimeoutStopSec = "2s";
+          KillMode = "mixed";
+          KillSignal = "SIGTERM";
+          SendSIGKILL = "yes";
+        };
+      };
 
-     };
-   }
+    };
+  }
 #+end_src
 
 ***** element service for tray
diff --git a/modules/home/common/anki-tray.nix b/modules/home/common/anki-tray.nix
index d70fa67..0019bb6 100644
--- a/modules/home/common/anki-tray.nix
+++ b/modules/home/common/anki-tray.nix
@@ -20,10 +20,15 @@
 
       Service = {
         # ExecStart = "${lib.getExe config.programs.anki.package}";
-        ExecStart = "/etc/profiles/per-user/swarsel/bin/anki";
+        Type = "simple";
+        ExecStart = "/etc/profiles/per-user/${config.swarselsystems.mainUser}/bin/anki";
         Environment = [
           "QT_QPA_PLATFORM=xcb"
         ];
+        TimeoutStopSec = "2s";
+        KillMode = "mixed";
+        KillSignal = "SIGTERM";
+        SendSIGKILL = "yes";
       };
     };
 

From f5ff5d5066bef51df809addde01e9b09aa9772d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Tue, 21 Oct 2025 21:37:59 +0200
Subject: [PATCH 5/7] docs: outline manual setup steps (WIP)

---
 SwarselSystems.org                      |   51 +-
 hosts/nixos/pyramid/secrets/pii.nix.enc |    6 +-
 index.html                              | 1737 ++++++++++++-----------
 3 files changed, 992 insertions(+), 802 deletions(-)

diff --git a/SwarselSystems.org b/SwarselSystems.org
index abca051..cda52c9 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -297,6 +297,18 @@ Here I give a brief overview over the hostmachines that I am using. This is held
   |🔗 **Link Shortener**  | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                            |
 #+end_src
 
+** Manual steps when setting up a new machine
+
+#+begin_src markdown :noweb yes :exports both :results html
+
+  <<setup>>
+
+  If the new machine is a work machine, these steps are additionally needed:
+
+  <<worksetup>>
+
+#+end_src
+
 * flake.nix
 :PROPERTIES:
 :CUSTOM_ID: h:c7588c0d-2528-485d-b2df-04d6336428d7
@@ -10580,6 +10592,14 @@ This holds configuration that is specific to framework laptops.
 
 Options that I need specifically at work. There are more options at [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][Work]] (home-manager side).
 
+When setting up a new machine:
+
+#+begin_src markdown :noweb-ref worksetup :exports both :results html
+  - setup the work VPN:
+    - using the laptop certificate `.pem` as User cert and private key (CA cert: none)
+    - vpn gateway is found in `nixosConfig.repo.secrets.local.work.vpnGateway`
+#+end_src
+
 #+begin_src nix-ts :tangle modules/nixos/optional/work.nix
   { self, lib, pkgs, config, configName, ... }:
   let
@@ -14427,7 +14447,18 @@ Currently, I am too lazy to explain every option here, but most of it is very se
 :CUSTOM_ID: h:7d384e3b-1be7-4644-b304-ada4af0b692b
 :END:
 
-Settinfs that are needed for the gpg-agent. Also we are enabling emacs support for unlocking my Yubikey here.
+Settings that are needed for the gpg-agent. Also we are enabling emacs support for unlocking my Yubikey here.
+
+When setting up a new machine:
+
+#+begin_src markdown :noweb-ref setup :exports both :results html
+  - setup gpgsm for signing of mails using S/MIME:
+    - `gpgsm --import ~/Certificates/<certname>.p12`
+    - `gpgsm --import ~/Certificates/harica-root.pem`
+    - `gpgsm --import ~/Certificates/harica-intermediate.pem`
+    - `gpgsm --list-keys --with-validation "HARICA Client RSA Root CA 2021"`
+      - trust the certificate and set passphrase
+#+end_src
 
 #+begin_src nix-ts :tangle modules/home/common/gpg-agent.nix
   { self, lib, config, pkgs, ... }:
@@ -15216,13 +15247,21 @@ The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming
 
 #+end_src
 
-**** Work
+**** Work (pizauth)
 :PROPERTIES:
 :CUSTOM_ID: h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6
 :END:
 
 The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]. Here, I am setting up the different firefox profiles that I need for the SSO sites that I need to access at work as well as a few ssh shorthands.
 
+When setting up a new machine:
+
+#+begin_src markdown :noweb-ref setup :exports both :results html
+  - setup pizauth for microsoft mail sync (account names are possibly `uni` and `work`):
+    - `pizauth auth <account name, e.g. 'work'>`
+    - `pizauth dump > ~/.pizauth.state`
+#+end_src
+
 #+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes
   { self, config, pkgs, lib, vars, nixosConfig ? config, ... }:
   let
@@ -22120,6 +22159,14 @@ This sets up the =dashboard=, which is really quite useless. But, it looks cool
 :END:
 
 This sections is no longer used really. An introduction can be found in [[#h:bcc3ebbe-df8a-46bd-b42d-73aad6fc66e5][Structure of this file]] under the historical note. The little noweb-ref blocks that I still use are found in [[#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02][Hosts]] and [[#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32][Services]].
+** General steps when setting up a new machine
+
+These general steps are needed when setting up a new machine and do not fit into another block well:
+
+#+begin_src markdown :noweb-ref setup :exports both :results html
+  - setup yubikey (automatic yubikey enrollment is not yet supported by `disko`):
+    - `systemd-cryptenroll --fido2-device=auto /dev/<device, e.g. 'nvme0n1p2'>`
+#+end_src
 
 * Appendix B: Supplementary Files
 :PROPERTIES:
diff --git a/hosts/nixos/pyramid/secrets/pii.nix.enc b/hosts/nixos/pyramid/secrets/pii.nix.enc
index f95ff57..8545d57 100644
--- a/hosts/nixos/pyramid/secrets/pii.nix.enc
+++ b/hosts/nixos/pyramid/secrets/pii.nix.enc
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:Avje6G0sf17iETA622PNdboM3FlYSFtdiPtEuCKpytuUS/2ATu1g9rTeLuSwKHzMfuweF1l+GWkME4D3PQZ2hzgtyByISnuHTFB0kO/QmnmpoNpEkGXgUKpogEaFWiTyFkg+Ceo8IFzSA+AW22DcNnU6ygZlnuK92XH3qJ9F/xyF8yd3eFXx9skA68GdpyoOxnw648ZKeL0/mWLcZVSxDpt7o2bnnL/lU8qp4HErRkgbIh8aUCfaZjRJMXOMfZj4rNSZ58ZCSTl1akuDRYQfqk8WdprrveDXVPtFe3Ol1LY2yqZtTTjE/L94fmQtkLE4U36uJfQBtnUAjqXJQqCpZRrJcQgqPyW29CWwIxK/2hccYIikv6033j2kUKQbXWMcniBsnFfmBvLLKBHdylNX2AstKjtkJ48dZskL833QvYwxNxePEk0heJ463goWHtDLWNFAMW5vrI/BYg8NM6PDYvZWG6yswUZFlUmzKoQxzbxKgnsXj4yDH+pNu8B8uWzKaEYDQjeKdOPEhagNVroeT+T6r0hp/sEJUTh8ekIwpmmNssF7DalKumEcuQy0K3Lvt7fUhB5Z+dFMz3eqhQuXtwQl9p0mpf13F8qVtbuB4Ye0N8HmGFp+TF5sVXy1RsgP80uVawaqKVyhiRoT+ZDMUno4MwkmPAmkYhemkH9UIsooiRdFOb9W4zzQbpC79htnGXGVWgDQMNYVun/TX0RMNnmFls/HoPQz5Ft6sKQp6cQ8bNxsWMJKTRR/Y8g32OomcGMegPDM+oeutvTFkUhhZdgFHd98brOZjrEeQVwyh6fOLqHaSIZB8XFjh/rDytPbX85/HQSH+k9zWgL4kpHoZeLPUK0alY2RMFlYuNd/a8yhgdlQZGGSfVP92JrdmOcTxgOd11zy6/eTWBWVZVE279CJvAYkKDTFN/MyoAC0gTl2mR9vW44BbDAHywOy8AJjzoDMWacg7DBFSqxW9ZGJbFs3udqYk5IDhrdOz941jE+WsP978K8uTn2F7d/Qz6lhmberdyIuPC0H18+2Gzv1L/LWtc6/kqqPOB9RYrlaayAfymqNV/3FdhFSxfx4Pm4SD5MIaZ99FS7+AwP3B5kmnCZToLZlFsgPL9DUwqwgx69gQxUlb362ih5swaCY0nOL63oa6c25/UvO9rYkDh52FhGl1N9gzvbzbYC0Mp7QuwzF1XWUFbhE+f9aJ6bAXHyS10GMfa76eLnnoPSslYZ4rZfLMjHOGjbTMY7wTLl50wKg4VbThWtpkxwbITGd5VZH1/iO6e7F8K0gMwHNMYSm/doNaRcN1HWi7eD6YtQVWlWlewx0C9BzW6TsOy3e9MtQBULFDkPEIbzoT/29dS1o7YKyomdBG867xbqKV31DkqBpq9G0Fv6kHCeu5MmfzeqhueA11+XFQvvNl2KsLW5LvlP7GPOl0VjlEBY61SGjXibMGcLOAEgsxyzzZhLP97pl1dTb2yokBkDTy9n9pgpWJ5NmZi68XMVew8Nx4vz0Dj6jZruPgO3vBtpUytx6vjp/hwKcUQq09PxY8QN5l3gfmZJvAiDMuZh6ZzaJvVhkK/afzt2YN1rozd+Ibo4k3831X+RkfKLFoiA6E0g9SEgm6HAl/gfRIKR740yH0uVVbpCNIRpfBuAQMAvoLczcgYjsMaZ5hqHh0nOC+hsHmEIP47KrPzyA8U3+TjQEbAN1aHAGkzVDVJ4E8iwPkPAP0B+b6mtSNfscdyG5iX2zlqcivvA51s8zouhxEZ4KZ9TiVtg6dlngP7fu1SjM2DYzG2Sshg8L+WyzFFjDgWPe5RO8btzWEFuNTpFgvaRYQWONa7JWgnigP4ZE7Tc+shN8BXGhjJnGM4Z1+PNPRWvB/d1Fqe1KbgTyVFHizD8DnNWmfgghFLOwenKbZXe8wAAGmfIaCHE7IMrTSeuqhfKpGGnrnlE9Hd3y/8ojYtOFPQ16ohTPxBVwN/gt8RCmBdP+i4Y11He0vdX3HaF3W9yGkIPDLY/aJ33NvK9lmCvXBYANSLirBJmY/xEgdxIbG9TDRnZPoUQ0b8WBZS8RFg7wuxNucNrMAHp+8n3Ww0D9+zqo1rropr7FRc1xYjRrxSvx+g0xhb46qe7In+mSaJy1seITD6T+LdnOz3SK6bXpZ1I1sg7B0XXCLyMe2cs3KrqmUwDYowm6rbyM65X2CVgl/ULXg0rjPBaKqqYpFeQDAYdBgLiLiA99tWhI3hf6WEYb9aio6gIgkDtKMe242TnauUBkCDHxqgC/Lhp4fG4+TCjRTNopO3nmEYoYH67+VQONyU4YRn7lmWReT5pFrkczBIogeihgCwL+zNzA/f4wvGdADNLH9uxuGIpR5a1/HwWa6cKxCQ375kl013By6dHre50zal18KHMz/ou8dDQOsWDMbjE01aDJEHHSVPZiySjXiNWD+mvy8SE8hMRVyP/9PyB91wXwhRAU1UJifFSCuKAlqkwOCkqrMJ+EDhoIrGhx+XfM84/wu/RIowKTtF4Zz7CmpjN8cSgm+Ht4akg7XaBiAGsZMal3TY33SzY7MHZ1Tsv2AeYHPtssyXBdVd8GRZAw7phoPqXpV1hSvLwS7fY2F3+Ie8U3E55p4U7HrYGo9SHqF90rSB/tUhQdah7ptcpywBWlCWqA9L+q7I5kljSLFSf/2Hl1B33M80rCCdnOSiyjawF+0n9Pysw4C/z0aHQIBTDYYTZ9a6RIEjHDFlX7GKX8CKw6XvTvsIgs2kDklcUNTgXI5MRMtkyIrh081V2gNj65B0+yWxlK2VvyKLv2AuFCH2m401Dazusp89yA624wMFRF/DQmiC7MPvWFMzhLbsQu3dRW+JKDv88t18OymQeQlbP+lNdff4Cd4fVoTqt6xCoDLrIcmX/rw9QZnmJF/dW2wmMVQIONdfBx6O+CHsaaLScHdJg0/RIfjA8bkObPh+p1ULvJ9ddLQA5J7Cd2omwhZqXpPbAiveykCEWRMOCD0mama5RHJOyNnqQGYUmPvpq+QwaR4+6DeGy319uyNiLcmKKMIx+hSq2qQhK+ler1DS5VLJC0g5rWcovE7bUs7sNKETvMfO8gr1Crve2wTWA6DCrNZSSkWXwzwJOsVmVx66e/hmh17k/DCqDG55z11QR6X7C0EryzAj1JPJ6wG9KamgsZOCqJL1h2piNdbTnnBPfE5btg2OIw1453OYgWI2f833p6BZR4irditSs67fNt4ZFGad7pq5ETlpFU1FQUZFuEm7iFrw==,iv:7YztaPs7GSC4AdIF36G3qb8lQAhUwkaD613z8LcUW7A=,tag:ULku+TZreQNt5/6ZyLtWog==,type:str]",
+	"data": "ENC[AES256_GCM,data:8y8t7e8XhVy3lc+JcPnFFzI7DTpr+JlXfOKZJu7uX7DczTYQHIZQTrMcFjyBbB8SWJLWLUG8Yd5JGXk377CBX73cxGF+r895lxP+puoKRRzDapkg6y2uN0E3Gr1wnQFB4I8YX7n8UWnj18s3mTIohQHmhoxkuIqu2zvgEGBpMiz3oZIL4zmb8diLXh4PyB1qAI5U5RFWPpkwRWjXteD5m8mqcZ8k4A4l00IMgz2n9MJDQPMjYNITR3XbOlI1qNMYBVb3xuVLXBOBN6x5W4539kGAiHcAi8pOUvBjAXphOEGQ7uLoorAniHx2PPyqReDr5tx47h4RtKJGeGoJ6ZdaFS2LwD10Dkiac330ELLGpSuHoNn7cfw6P8xSyYfreIXbzgavZAlJ1t3fNjEwVtgz63bXL1IX326fP1WcFqBUgAMd8I+VZsxo15j92zZS8gUbdu4KdSMag4dlOa9rgJCLpZGw4UIifHn6RqbH8s/HdisWV2YA3p1/Oowp39Hnr1ZeUecHQCpC2Y/nVLZid9wy4NcIPDbkeb33vMzJ/G5o4EVeYcrnM4J7+KS7aJ4c2bbkRixc1w0bTYeQHFgvM9VBHHEO30t68AGEzju29XeMVi7bzamJZeApPEacMVzzCXlRiAWtPru9JtBYz17VXliMBiEc5Ffo12PXPV7VK/BimKBppJAGNSJiWg/fXawRJNs/fJkLywEL88cf3RYP0Wdy01umjU9tW7Y0W1zc46auKy8KPpCcT0e6kBGmlG2WJje3dNYDFUutFTllV+N7VeDOuZi4oaGrwF1Rz8cAKPrZWMyLX3bMc4EkP7t7h0DoTyXvl3CcA9/wgeCQrLIPLnUTBDTF6jsyt32IjxfiMMBTtR5hLJeM5BzybuYHI2Jbbnt2Ko+tCWOUNdRR7rOYT7o+xzm7g3apcrKIKaufc5YUxdD9asc8uAx+9w7tkg7O/2Ak9qPVgE7HIu9m5O4qaEQn8I1P1GbwiHZeIrfiRzcf6+KgjsLU7i+gCCb3EtMZJUS1CFmlyA+akgsFaunZFYLjg6vUmhQgTKhWooNj3DkdWXWN4bOB/lUyzsCezAD+HfPYyy2pYETRtS/XlpBktSYhP2yLZSxEyjsKBH8roZ/LpNwJV3RuvM+CPstj/pxf23Ayi8LrU1t88Q+/mje1OsMCr67Ltbl+7HXNcpM8zwLUfmTt72YZd1CnoAvbqM3pfecLM1AZEeR+p+xq8tsl1tRE2V0y/SH9kew4UOYRY/eZHmiy8P8Eyjj6/PL+/9+CLU9KGeK/28hGz1u1Ao03FxcPL1AeAeA1mlCNAErT/Q4GUKdDNa5uTHpU86VrMoELtvVaVn3V4AS5I+kTfvI9WF8oaI20U2ysAMpJSiPJyC5AVteyehXAEdGY7bgltvity8arU8efxwmrjbZ29ZWwRezqf1kZLb7pySCfsoqYwCFFDx4s7hD4RF1N4X9GQA5JupUO/+UZTcVX4aud+yf6uTb9yRC5LGjXJj5S03DQ+Vj35nZMUn6xhbPPnEj0uS9yug685mQm/bwUVHIEyoBZfPZquSSh1oolKsKnAPS2+fS13dr2sNuHktq40sJTTglz97ZexoIbZ7Ftx3tzFtqFMhh11EBV4eb0MCu9zwaq5DMoLugXECSkUy6Nfc9XGdRU/x3iIha36jg0wj9MwKNpztNFJzzWSVd8XU5rILbr9yWs4xZKBZq6PFx3NEXCIsJ0kkfc1FUBlnsiYG52A/zcFQZmUAPDy58M4rzLnWjC+qk7jU01Yw6aOcFqqE5kg9+AvYmF8JQ16s17d4o49I/fmL0MYVbSgdXrJZF9ejrkBkIMfu7UgbBlQdJCSW8BFx6zFmg2Y22bh52q8+//PK1rgUKs9RAsAasl8WKrKo+xNgai+1M9eMxg+wsBIP+j4WutMHXPv3AMeqt+JwIPiydPwny49820Z24h49pXPVK0EXTqZl46b7bUvyZqAbDTTDmjb/gOJII/ho6/EeaEUSk/r1NVUehq5S/e/UJagTDI3csmBgEcMYdk5CfoJt0cDeqHgrAo8U8xpURT5BAbeCHwWpI7sE47LZwHStf9WbHyacCGsob+ELvfMvunaY2YmqnlVaYulf0mgmn5YmBI8ouQ2Zc4eklzso+NN6e9j7ODhxPxF/MWKjoi/kpF8eBiEKEbPk0drOS4PcOFEDvbA7fFrwiwUnTqG2+FVBTgyidxDYX70jX5asox5wBc4WAgPXU0WNNb5I2bbenUoGKbDrZ989FblN5I3xnP5kxFq25evPtEvA5R9mwBYtBnd3UBBnDzcsI6gA7o73VW7Y25gfX5ODTRbMjxGYBU+xnNK+B9IOeMGTmFjuqchrlyaSOQ9T2Wx4kNyVUwWRMw/eZPkP6LtEQLVM8iotO6BNcPVqx6dCU4nh19IbjbfyrO0I5ZqSV/PVCRx2Pomceu0EfMpVReFvlIi/UyKROzLuOy6AY1RlthR8gM39l6a6l+WZeukkn+SoAEXeyw4U83K2H9WR6hYcgX0SPGVYfI3C83I0EChET30kiX/rb/fFtb8xdQogA4+R/vR3mPBaGMiWh0WDZVDhNy5/DlwYPYp1zDxtVjQffEhqWS5FqRdw5BsQJQc9glptU5QCgY/ITYwGlaW4OYWokFQWinH0JF9bcCjjjZMT9C52N9ZuZ0muxTT2/UxyhKhX7Eojxq6sz0HJ+TISa5FpUKx/W7I+XqT25n3PtKfnkRDDba+RxDy3bCYo60aOPfR9aCG0VbGLWgc4TQHCmC209rSSIlsD2DhBzFC2lCxasXHIgNAymGfbpOjvqdId9ev1XN0EEd0al4HBUvvGsq9FUeshAWMeWDKu1t0aDKJ6/c4bphThjoAqxtQaGPUFOhNw94PedCBgiRqXN02WZcrnqp/spj+uIfch1F/X5A3jTUev8vq/s7lge7h3CNWXNpBFrW5trdzE8N2Kw3AahsJfZCo/Qd9e6WHIDRgbZFEbKwkTIyeEW8rMv5Ls0Aq+kFvs76muJVnr+Pb7e/GabhgT3pPhYNLQWjPRQYkF2KDKrGUlrc2BkJqRLF3fhI7vQPFphWPl0Lj5idYglIn5v2P2HR9n3Z1+9oyIpmFsqjqILCdoMCDleQOb4DCzXnR5QE4LKg/jjJqqGyO4mAbpwdvN9Q4j1FOUsJNOgMNBUUdEr7n65ktKnJX5wX9cymosRUozgoteb2dblFJjY/pf8toH5kU+YIYmbQR0caw8tdpBl0ETcsaQpF3LbCsSfmN8tZyxS4R/0W782i08IsaN9uXEevlsyFgMg7I2q739fHqJ7kFeosXpKdUpOnmuoLu1A7,iv:9SAQXPwrhy5yjkNxn1lITD77MjqdrYOSlFpUBE8a/fY=,tag:tYApnwq2auUk+/N9alPX3w==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -11,8 +11,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z2tONmQxTUhZUW12Z2Jm\nUnoxSnpYcnZDNGNzSko1ckl2RDh3NG1VS2dFCmIwUXhmSk1OUk02S0JPVDR5UWJ4\na0gwWlg0V005ZWxYa29PZ0laS2VqM0kKLS0tIHN5SU9pQ090eHljeXJGWm5hRFQ4\nZ001Nzkyb29RYkNUMDNDNlo4YnVQeTQK34bNIBgxId2+DHKQNVV3Iro3KGkE03Sp\niB1+dADT6nRvGvoyPqnLq/NYfw7eQ6XqYt55zkdCta8v6L1UNUkw8g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-10-21T17:51:36Z",
-		"mac": "ENC[AES256_GCM,data:nogwxr8xZVIPv1vnZyBZuGu5WHO7ygxfeoF+Nrmdqin4YrZ8nK3f8oVNAsEBfNvUyr2mkRAbAT3tgcP+u/w+RJgH9ERHWljnw5xy8iGLkTF36B83+lCL7cp3wIzllOQyRUYEHegnQWA79WoWWHD3u4sZmlinByJRUMscRV9uTww=,iv:rZd+3+WlcOVtqgJGhoBkJGm/HF/01wuopeFlEwvcupI=,tag:P7fIdk4ithHyOAfqui6xNw==,type:str]",
+		"lastmodified": "2025-10-21T19:32:24Z",
+		"mac": "ENC[AES256_GCM,data:wM862FQH/qX/abuD+krJOazli9Ci5GrpLtdcnzFgKCeNdjA2cfZ8M3DyzsBwMXjp6HxBHLyO7QXGcQkx3kIKGnRhEBuQzVOtrZhqcDi2Ho8iBV8Dh4xkhcpBYufw7xP8hGWg6ZVZ4JyM3P4NfAdxbfWTdc1VMStAafJ2SZ3pAYI=,iv:tDAKNe8LV40hRCqKzN6j6B71IV81SnrBgerxGPzU4Zk=,tag:7ZsST8pl9TjMog0dNKcUcA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-14T22:31:01Z",
diff --git a/index.html b/index.html
index 28c698b..07f172c 100644
--- a/index.html
+++ b/index.html
@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-10-21 Di 13:09 -->
+<!-- 2025-10-21 Di 21:37 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configurationo</title>
@@ -209,6 +209,7 @@
 <li><a href="#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">1.4. Hosts</a></li>
 <li><a href="#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">1.5. Programs</a></li>
 <li><a href="#h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9">1.6. Services</a></li>
+<li><a href="#org1e210f0">1.7. Manual steps when setting up a new machine</a></li>
 </ul>
 </li>
 <li><a href="#h:c7588c0d-2528-485d-b2df-04d6336428d7">2. flake.nix</a>
@@ -443,8 +444,8 @@
 <li><a href="#h:15b581ab-09fe-4f84-af26-2f1fbf7d726b">3.2.5.8. Hibernation</a></li>
 <li><a href="#h:86fb3236-9e18-43f0-8a08-3a2acd61cc98">3.2.5.9. BTRFS</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.2.5.10. work</a></li>
-<li><a href="#orgcb2fcb7">3.2.5.11. microvm-host</a></li>
-<li><a href="#orgcf7e090">3.2.5.12. microvm-guest</a></li>
+<li><a href="#org3b29611">3.2.5.11. microvm-host</a></li>
+<li><a href="#org5500ccc">3.2.5.12. microvm-guest</a></li>
 </ul>
 </li>
 </ul>
@@ -472,7 +473,7 @@
 <li><a href="#h:4486b02f-4fb8-432b-bfa2-2e786206341d">3.3.1.12. Sourcing environment variables</a></li>
 <li><a href="#h:f0e0b580-2e1c-4ca6-a983-f05d3ebbbcde">3.3.1.13. General Programs: bottom, imv, less, lesspipe, sioyek, bat, carapace, wlogout, swayr, yt-dlp, mpv, jq, nix-index, ripgrep, pandoc, fzf, zoxide, timidity</a></li>
 <li><a href="#h:64dbbb9e-8097-4c1b-813c-8c10cf9b9748">3.3.1.14. nix-index</a></li>
-<li><a href="#org0bc7fbc">3.3.1.15. nix-your-shell</a></li>
+<li><a href="#orgef57e77">3.3.1.15. nix-your-shell</a></li>
 <li><a href="#h:ac0e5e62-0dbf-4782-9a96-9e558eae86ae">3.3.1.16. password-store</a></li>
 <li><a href="#h:1ab84307-b3fb-4c32-9def-4b89a53a8547">3.3.1.17. direnv</a></li>
 <li><a href="#h:1bd6b0c7-f201-43e2-9624-6c50de00a1f6">3.3.1.18. eza</a></li>
@@ -495,12 +496,12 @@
 <li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.3.1.31.3. Mako</a></li>
 <li><a href="#h:388e71be-f00a-4d45-ade1-218ce942057d">3.3.1.31.4. SwayOSD</a></li>
 <li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.3.1.31.5. yubikey-touch-detector</a></li>
-<li><a href="#org2568de8">3.3.1.31.6. blueman-applet</a></li>
-<li><a href="#org84c1201">3.3.1.31.7. network-manager-applet</a></li>
-<li><a href="#org43f6e21">3.3.1.31.8. obsidian service for tray</a></li>
-<li><a href="#orgaa41ee3">3.3.1.31.9. anki service for tray</a></li>
-<li><a href="#orgcb4f253">3.3.1.31.10. element service for tray</a></li>
-<li><a href="#orgb766ab8">3.3.1.31.11. vesktop service for tray</a></li>
+<li><a href="#org44c9877">3.3.1.31.6. blueman-applet</a></li>
+<li><a href="#org163a2af">3.3.1.31.7. network-manager-applet</a></li>
+<li><a href="#orgd6b832c">3.3.1.31.8. obsidian service for tray</a></li>
+<li><a href="#org7b3c601">3.3.1.31.9. anki service for tray</a></li>
+<li><a href="#orgaea42f4">3.3.1.31.10. element service for tray</a></li>
+<li><a href="#org030b0b2">3.3.1.31.11. vesktop service for tray</a></li>
 </ul>
 </li>
 <li><a href="#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20">3.3.1.32. Sway</a></li>
@@ -509,17 +510,17 @@
 <li><a href="#h:7d384e3b-1be7-4644-b304-ada4af0b692b">3.3.1.35. gpg-agent</a></li>
 <li><a href="#h:74e236be-a977-4d38-b8c5-0b9feef8af91">3.3.1.36. gammastep</a></li>
 <li><a href="#h:d1fb3075-ad52-4c1b-ba45-5ddbd0d3b708">3.3.1.37. Spicetify</a></li>
-<li><a href="#org3f19616">3.3.1.38. Obsidian</a></li>
-<li><a href="#orgd0e6499">3.3.1.39. Anki</a></li>
-<li><a href="#orgb6ac1d9">3.3.1.40. Element-desktop</a></li>
-<li><a href="#org68fbf73">3.3.1.41. Hexchat</a></li>
-<li><a href="#orgea285a9">3.3.1.42. obs-studio</a></li>
-<li><a href="#orgd003fee">3.3.1.43. spotify-player</a></li>
-<li><a href="#org8616bfa">3.3.1.44. vesktop</a></li>
-<li><a href="#orgab3d85e">3.3.1.45. batsignal</a></li>
-<li><a href="#orgde9dc92">3.3.1.46. autotiling</a></li>
-<li><a href="#orge7185ca">3.3.1.47. swayidle</a></li>
-<li><a href="#org4e801e4">3.3.1.48. swaylock</a></li>
+<li><a href="#org2444730">3.3.1.38. Obsidian</a></li>
+<li><a href="#org7ee88af">3.3.1.39. Anki</a></li>
+<li><a href="#org4137b9c">3.3.1.40. Element-desktop</a></li>
+<li><a href="#orge83b29c">3.3.1.41. Hexchat</a></li>
+<li><a href="#orgc6e077d">3.3.1.42. obs-studio</a></li>
+<li><a href="#org61af274">3.3.1.43. spotify-player</a></li>
+<li><a href="#orga884d29">3.3.1.44. vesktop</a></li>
+<li><a href="#org86c0973">3.3.1.45. batsignal</a></li>
+<li><a href="#org503cbe5">3.3.1.46. autotiling</a></li>
+<li><a href="#orgf1d300b">3.3.1.47. swayidle</a></li>
+<li><a href="#org3b0dfc9">3.3.1.48. swaylock</a></li>
 </ul>
 </li>
 <li><a href="#h:b1a00339-6e9b-4ae4-b5dc-6fd5669a2ddb">3.3.2. Server</a>
@@ -536,7 +537,7 @@
 <li><a href="#h:be623200-557e-4bb7-bb11-1ec5d76c6b8b">3.3.4. Optional</a>
 <ul>
 <li><a href="#h:84fd7029-ecb6-4131-9333-289982f24ffa">3.3.4.1. Gaming</a></li>
-<li><a href="#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">3.3.4.2. Work</a></li>
+<li><a href="#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">3.3.4.2. Work (pizauth)</a></li>
 <li><a href="#h:52b41e73-46f3-4c2c-af64-eafb51e3b6b6">3.3.4.3. Uni</a></li>
 <li><a href="#h:8a7b1c26-3448-42d3-932a-5d05d54b5490">3.3.4.4. Framework</a></li>
 </ul>
@@ -584,8 +585,8 @@
 <li><a href="#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">3.5.31. swarsel-build</a></li>
 <li><a href="#h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa">3.5.32. swarsel-instantiate</a></li>
 <li><a href="#h:02842543-caca-4d4c-a4d2-7ac749b5c136">3.5.33. sshrm</a></li>
-<li><a href="#org6a36b50">3.5.34. endme</a></li>
-<li><a href="#orgb3faf9e">3.5.35. git-replace</a></li>
+<li><a href="#orgc62e7de">3.5.34. endme</a></li>
+<li><a href="#orge3590e8">3.5.35. git-replace</a></li>
 </ul>
 </li>
 <li><a href="#h:f0f1c961-3e7a-47b8-99ab-1654bb45dffc">3.6. Profiles</a>
@@ -594,7 +595,7 @@
 <ul>
 <li><a href="#h:32d654de-8db2-403a-9a27-4c46d7b9172d">3.6.1.1. Personal</a></li>
 <li><a href="#h:b926f0c8-7968-4079-924c-a5d0ae4d3a45">3.6.1.2. Minimal</a></li>
-<li><a href="#orgefd2161">3.6.1.3. Optionals</a></li>
+<li><a href="#org30fc974">3.6.1.3. Optionals</a></li>
 <li><a href="#h:b79fbb59-9cf2-48eb-b469-2589223dda95">3.6.1.4. Chaostheatre</a></li>
 <li><a href="#h:cb3631a8-9c1b-42f2-ab01-502c7b4c273d">3.6.1.5. Work</a></li>
 <li><a href="#h:87a83b10-3c2f-407c-89aa-922ad77748a4">3.6.1.6. Uni</a></li>
@@ -775,6 +776,7 @@
 <ul>
 <li><a href="#h:b92a18cf-eec3-4605-a8c2-37133ade3574">4.4.39.1. mu4e</a></li>
 <li><a href="#h:43209eeb-5d46-472e-b7c2-58a3fb465199">4.4.39.2. mu4e-alert</a></li>
+<li><a href="#org234e39c">4.4.39.3. Work: Signing Mails (S/MIME, smime)</a></li>
 </ul>
 </li>
 <li><a href="#h:c760f04e-622f-4b3e-8916-53ca8cce6edc">4.4.40. Calendar</a></li>
@@ -787,7 +789,11 @@
 </li>
 </ul>
 </li>
-<li><a href="#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c">5. Appendix A: Noweb-Ref blocks</a></li>
+<li><a href="#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c">5. Appendix A: Noweb-Ref blocks</a>
+<ul>
+<li><a href="#orge8ed16b">5.1. General steps when setting up a new machine</a></li>
+</ul>
+</li>
 <li><a href="#h:8fc9f66a-7412-4091-8dee-a06f897baf67">6. Appendix B: Supplementary Files</a>
 <ul>
 <li><a href="#h:c1e53aed-fb47-4aff-930c-dc52f3c5dcb8">6.1. Server Emacs config</a></li>
@@ -837,7 +843,7 @@
 </div>
 </div>
 <p>
-<b>This file has 96128 words spanning 24842 lines and was last revised on 2025-10-21 13:09:36 +0200.</b>
+<b>This file has 96609 words spanning 24942 lines and was last revised on 2025-10-21 21:36:59 +0200.</b>
 </p>
 
 <p>
@@ -906,7 +912,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-10-21 13:09:36 +0200)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-10-21 21:36:59 +0200)
 </p></li>
 </ul>
 
@@ -1205,6 +1211,33 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 |✂️ **Paste Tool**      | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                        |
 |📸 **Image Sharing**   | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                              |
 |🔗 **Link Shortener**  | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                            |
+</pre>
+</div>
+</div>
+</div>
+<div id="outline-container-org1e210f0" class="outline-3">
+<h3 id="org1e210f0"><span class="section-number-3">1.7.</span> Manual steps when setting up a new machine</h3>
+<div class="outline-text-3" id="text-1-7">
+<div class="org-src-container">
+<pre class="src src-markdown">
+- setup gpgsm for signing of mails using S/MIME:
+  - `gpgsm --import ~/Certificates/&lt;certname&gt;.p12`
+  - `gpgsm --import ~/Certificates/harica-root.pem`
+  - `gpgsm --import ~/Certificates/harica-intermediate.pem`
+  - `gpgsm --list-keys --with-validation "HARICA Client RSA Root CA 2021"`
+    - trust the certificate and set passphrase
+- setup pizauth for microsoft mail sync (account names are possibly `uni` and `work`):
+  - `pizauth auth &lt;account name, e.g. 'work'&gt;`
+  - `pizauth dump &gt; ~/.pizauth.state`
+- setup yubikey (automatic yubikey enrollment is not yet supported by `disko`):
+  - `systemd-cryptenroll --fido2-device=auto /dev/&lt;device, e.g. 'nvme0n1p2'&gt;`
+
+If the new machine is a work machine, these steps are additionally needed:
+
+- setup the work VPN:
+  - using the laptop certificate `.pem` as User cert and private key (CA cert: none)
+  - vpn gateway is found in `nixosConfig.repo.secrets.local.work.vpnGateway`
+
 </pre>
 </div>
 </div>
@@ -11895,6 +11928,17 @@ This holds configuration that is specific to framework laptops.
 Options that I need specifically at work. There are more options at <a href="#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">Work</a> (home-manager side).
 </p>
 
+<p>
+When setting up a new machine:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-markdown">- setup the work VPN:
+  - using the laptop certificate `.pem` as User cert and private key (CA cert: none)
+  - vpn gateway is found in `nixosConfig.repo.secrets.local.work.vpnGateway`
+</pre>
+</div>
+
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, lib, pkgs, config, configName, ... }:
 let
@@ -12134,8 +12178,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgcb2fcb7" class="outline-5">
-<h5 id="orgcb2fcb7"><span class="section-number-5">3.2.5.11.</span> microvm-host</h5>
+<div id="outline-container-org3b29611" class="outline-5">
+<h5 id="org3b29611"><span class="section-number-5">3.2.5.11.</span> microvm-host</h5>
 <div class="outline-text-5" id="text-3-2-5-11">
 <p>
 Some standard options that should be set for every microvm host.
@@ -12161,8 +12205,8 @@ Some standard options that should be set for every microvm host.
 </div>
 </div>
 </div>
-<div id="outline-container-orgcf7e090" class="outline-5">
-<h5 id="orgcf7e090"><span class="section-number-5">3.2.5.12.</span> microvm-guest</h5>
+<div id="outline-container-org5500ccc" class="outline-5">
+<h5 id="org5500ccc"><span class="section-number-5">3.2.5.12.</span> microvm-guest</h5>
 <div class="outline-text-5" id="text-3-2-5-12">
 <p>
 Some standard options that should be set vor every microvm guest. We set the default
@@ -13089,7 +13133,7 @@ in
       SWARSEL_CAL3 = source3;
       SWARSEL_CAL3NAME = source3-name;
       SWARSEL_FULLNAME = fullName;
-      SWARSEL_MAIL_ALL = allMailAddresses;
+      SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses;
       GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path;
       OPENROUTER_API_KEY = openrouterApi;
     };
@@ -13232,8 +13276,8 @@ nix-index provides a way to find out which packages are provided by which deriva
 </div>
 </div>
 </div>
-<div id="outline-container-org0bc7fbc" class="outline-5">
-<h5 id="org0bc7fbc"><span class="section-number-5">3.3.1.15.</span> nix-your-shell</h5>
+<div id="outline-container-orgef57e77" class="outline-5">
+<h5 id="orgef57e77"><span class="section-number-5">3.3.1.15.</span> nix-your-shell</h5>
 <div class="outline-text-5" id="text-3-3-1-15">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -14946,8 +14990,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org2568de8" class="outline-6">
-<h6 id="org2568de8"><span class="section-number-6">3.3.1.31.6.</span> blueman-applet</h6>
+<div id="outline-container-org44c9877" class="outline-6">
+<h6 id="org44c9877"><span class="section-number-6">3.3.1.31.6.</span> blueman-applet</h6>
 <div class="outline-text-6" id="text-3-3-1-31-6">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -14961,8 +15005,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org84c1201" class="outline-6">
-<h6 id="org84c1201"><span class="section-number-6">3.3.1.31.7.</span> network-manager-applet</h6>
+<div id="outline-container-org163a2af" class="outline-6">
+<h6 id="org163a2af"><span class="section-number-6">3.3.1.31.7.</span> network-manager-applet</h6>
 <div class="outline-text-6" id="text-3-3-1-31-7">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -14977,8 +15021,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org43f6e21" class="outline-6">
-<h6 id="org43f6e21"><span class="section-number-6">3.3.1.31.8.</span> obsidian service for tray</h6>
+<div id="outline-container-orgd6b832c" class="outline-6">
+<h6 id="orgd6b832c"><span class="section-number-6">3.3.1.31.8.</span> obsidian service for tray</h6>
 <div class="outline-text-6" id="text-3-3-1-31-8">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -15012,9 +15056,13 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-orgaa41ee3" class="outline-6">
-<h6 id="orgaa41ee3"><span class="section-number-6">3.3.1.31.9.</span> anki service for tray</h6>
+<div id="outline-container-org7b3c601" class="outline-6">
+<h6 id="org7b3c601"><span class="section-number-6">3.3.1.31.9.</span> anki service for tray</h6>
 <div class="outline-text-6" id="text-3-3-1-31-9">
+<p>
+Sets up a systemd user service for anki that does not stall the shutdown process. Note that the outcommented <code>ExecStart</code> does not work because the home-manager anki package builds a separate anki package that - I think - cannot be referenced as no such expression exists in the module.
+</p>
+
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
 {
@@ -15038,10 +15086,15 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 
       Service = {
         # ExecStart = "${lib.getExe config.programs.anki.package}";
-        ExecStart = "/etc/profiles/per-user/swarsel/bin/anki";
+        Type = "simple";
+        ExecStart = "/etc/profiles/per-user/${config.swarselsystems.mainUser}/bin/anki";
         Environment = [
           "QT_QPA_PLATFORM=xcb"
         ];
+        TimeoutStopSec = "2s";
+        KillMode = "mixed";
+        KillSignal = "SIGTERM";
+        SendSIGKILL = "yes";
       };
     };
 
@@ -15051,8 +15104,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-orgcb4f253" class="outline-6">
-<h6 id="orgcb4f253"><span class="section-number-6">3.3.1.31.10.</span> element service for tray</h6>
+<div id="outline-container-orgaea42f4" class="outline-6">
+<h6 id="orgaea42f4"><span class="section-number-6">3.3.1.31.10.</span> element service for tray</h6>
 <div class="outline-text-6" id="text-3-3-1-31-10">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -15086,8 +15139,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-orgb766ab8" class="outline-6">
-<h6 id="orgb766ab8"><span class="section-number-6">3.3.1.31.11.</span> vesktop service for tray</h6>
+<div id="outline-container-org030b0b2" class="outline-6">
+<h6 id="org030b0b2"><span class="section-number-6">3.3.1.31.11.</span> vesktop service for tray</h6>
 <div class="outline-text-6" id="text-3-3-1-31-11">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -15891,9 +15944,23 @@ Currently, I am too lazy to explain every option here, but most of it is very se
 <h5 id="h:7d384e3b-1be7-4644-b304-ada4af0b692b"><span class="section-number-5">3.3.1.35.</span> gpg-agent</h5>
 <div class="outline-text-5" id="text-h:7d384e3b-1be7-4644-b304-ada4af0b692b">
 <p>
-Settinfs that are needed for the gpg-agent. Also we are enabling emacs support for unlocking my Yubikey here.
+Settings that are needed for the gpg-agent. Also we are enabling emacs support for unlocking my Yubikey here.
 </p>
 
+<p>
+When setting up a new machine:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-markdown">- setup gpgsm for signing of mails using S/MIME:
+  - `gpgsm --import ~/Certificates/&lt;certname&gt;.p12`
+  - `gpgsm --import ~/Certificates/harica-root.pem`
+  - `gpgsm --import ~/Certificates/harica-intermediate.pem`
+  - `gpgsm --list-keys --with-validation "HARICA Client RSA Root CA 2021"`
+    - trust the certificate and set passphrase
+</pre>
+</div>
+
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, lib, config, pkgs, ... }:
 let
@@ -16001,153 +16068,166 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org3f19616" class="outline-5">
-<h5 id="org3f19616"><span class="section-number-5">3.3.1.38.</span> Obsidian</h5>
+<div id="outline-container-org2444730" class="outline-5">
+<h5 id="org2444730"><span class="section-number-5">3.3.1.38.</span> Obsidian</h5>
 <div class="outline-text-5" id="text-3-3-1-38">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, nixosConfig ? config, ... }:
-  let
-    moduleName = "obsidian";
-    inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters;
-    name = "Main";
-  in
-  {
-    options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} with settings";
-    config = lib.mkIf config.swarselmodules.${moduleName} {
+let
+  moduleName = "obsidian";
+  inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters;
+  name = "Main";
+in
+{
+  options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} with settings";
+  config = lib.mkIf config.swarselmodules.${moduleName} {
 
-      home.file = {
-        "${config.programs.obsidian.vaults.${name}.target}/.obsidian/app.json".force = true;
-        "${config.programs.obsidian.vaults.${name}.target}/.obsidian/appearance.json".force = true;
-        "${config.programs.obsidian.vaults.${name}.target}/.obsidian/core-plugins.json".force = true;
-      };
+    home.file = {
+      "${config.programs.obsidian.vaults.${name}.target}/.obsidian/app.json".force = true;
+      "${config.programs.obsidian.vaults.${name}.target}/.obsidian/appearance.json".force = true;
+      "${config.programs.obsidian.vaults.${name}.target}/.obsidian/core-plugins.json".force = true;
+    };
 
-      programs.obsidian =
-        {
-          enable = true;
-          package = pkgs.obsidian;
-          defaultSettings = {
-            app = {
-              attachmentFolderPath = "attachments";
-              alwaysUpdateLinks = true;
-              spellcheck = false;
-              inherit userIgnoreFilters;
-              vimMode = false;
-              newFileLocation = "current";
-            };
-            corePlugins = [
-              "backlink"
-              "bookmarks"
-              "canvas"
-              "command-palette"
-              "daily-notes"
-              "editor-status"
-              "file-explorer"
-              "file-recovery"
-              "global-search"
-              "graph"
-              "note-composer"
-              "outgoing-link"
-              "outline"
-              "page-preview"
-              "properties"
-              "slides"
-              "switcher"
-              "tag-pane"
-              "templates"
-              "word-count"
-            ];
-            communityPlugins = with pkgs.swarsel-nix; [
-              advanced-tables
-              calendar
-              file-hider
-              linter
-              omnisearch
-              sort-and-permute-lines
-              tag-wrangler
-              tray
-            ];
+    programs.obsidian =
+      {
+        enable = true;
+        package = pkgs.obsidian;
+        defaultSettings = {
+          app = {
+            attachmentFolderPath = "attachments";
+            alwaysUpdateLinks = true;
+            spellcheck = false;
+            inherit userIgnoreFilters;
+            vimMode = false;
+            newFileLocation = "current";
           };
-          vaults = {
-            ${name} = {
-              target = "./Obsidian/${name}";
-              settings = {
-                appearance = {
-                  baseFontSize = lib.mkForce 19;
-                };
-                communityPlugins = with pkgs.swarsel-nix; [
-                  {
-                    pkg = advanced-tables;
-                    enable = true;
-                  }
-                  {
-                    pkg = calendar;
-                    enable = true;
-                  }
-                  {
-                    pkg = sort-and-permute-lines;
-                    enable = true;
-                  }
-                  {
-                    pkg = tag-wrangler;
-                    enable = true;
-                  }
-                  {
-                    pkg = tray;
-                    enable = true;
-                    settings = {
-                      launchOnStartup = false;
-                      hideOnLaunch = true;
-                      runInBackground = true;
-                      hideTaskbarIcon = false;
-                      createTrayIcon = true;
-                    };
-                  }
-                  {
-                    pkg = file-hider;
-                    enable = true;
-                    settings =
-                      {
-                        hidden = true;
-                        hiddenList = [
-                          "attachments"
-                          "images"
-                          "ltximg"
-                          "logseq"
-                        ];
-                      };
-                  }
-                  {
-                    pkg = linter;
-                    enable = true;
-                    settings = {
-                      auto-correct-common-misspellings = {
-                        skip-words-with-multiple-capitals = true;
-                      };
-                      convert-bullet-list-markers = {
-                        enabled = true;
-                      };
-                    };
-                  }
-                  {
-                    pkg = omnisearch;
-                    enable = true;
-                    settings = {
-                      hideExcluded = true;
-                    };
-                  }
+          hotkeys = {
+            "graph:open" = [ ];
+            "omnisearch:show-modal" = [
+              {
+                modifiers = [
+                  "Mod"
                 ];
+                key = "S";
+              }
+            ];
+            "editor:save-file" = [ ];
+            "editor:delete-paragraph" = [ ];
+          };
+          corePlugins = [
+            "backlink"
+            "bookmarks"
+            "canvas"
+            "command-palette"
+            "daily-notes"
+            "editor-status"
+            "file-explorer"
+            "file-recovery"
+            "global-search"
+            "graph"
+            "note-composer"
+            "outgoing-link"
+            "outline"
+            "page-preview"
+            "properties"
+            "slides"
+            "switcher"
+            "tag-pane"
+            "templates"
+            "word-count"
+          ];
+          communityPlugins = with pkgs.swarsel-nix; [
+            advanced-tables
+            calendar
+            file-hider
+            linter
+            omnisearch
+            sort-and-permute-lines
+            tag-wrangler
+            tray
+          ];
+        };
+        vaults = {
+          ${name} = {
+            target = "./Obsidian/${name}";
+            settings = {
+              appearance = {
+                baseFontSize = lib.mkForce 19;
               };
+              communityPlugins = with pkgs.swarsel-nix; [
+                {
+                  pkg = advanced-tables;
+                  enable = true;
+                }
+                {
+                  pkg = calendar;
+                  enable = true;
+                }
+                {
+                  pkg = sort-and-permute-lines;
+                  enable = true;
+                }
+                {
+                  pkg = tag-wrangler;
+                  enable = true;
+                }
+                {
+                  pkg = tray;
+                  enable = true;
+                  settings = {
+                    launchOnStartup = false;
+                    hideOnLaunch = true;
+                    runInBackground = true;
+                    hideTaskbarIcon = false;
+                    createTrayIcon = true;
+                  };
+                }
+                {
+                  pkg = file-hider;
+                  enable = true;
+                  settings =
+                    {
+                      hidden = true;
+                      hiddenList = [
+                        "attachments"
+                        "images"
+                        "ltximg"
+                        "logseq"
+                      ];
+                    };
+                }
+                {
+                  pkg = linter;
+                  enable = true;
+                  settings = {
+                    auto-correct-common-misspellings = {
+                      skip-words-with-multiple-capitals = true;
+                    };
+                    convert-bullet-list-markers = {
+                      enabled = true;
+                    };
+                  };
+                }
+                {
+                  pkg = omnisearch;
+                  enable = true;
+                  settings = {
+                    hideExcluded = true;
+                  };
+                }
+              ];
             };
           };
         };
-    };
-  }
+      };
+  };
+}
 </pre>
 </div>
 </div>
 </div>
-<div id="outline-container-orgd0e6499" class="outline-5">
-<h5 id="orgd0e6499"><span class="section-number-5">3.3.1.39.</span> Anki</h5>
+<div id="outline-container-org7ee88af" class="outline-5">
+<h5 id="org7ee88af"><span class="section-number-5">3.3.1.39.</span> Anki</h5>
 <div class="outline-text-5" id="text-3-3-1-39">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, globals, nixosConfig ? config, ... }:
@@ -16219,8 +16299,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgb6ac1d9" class="outline-5">
-<h5 id="orgb6ac1d9"><span class="section-number-5">3.3.1.40.</span> Element-desktop</h5>
+<div id="outline-container-org4137b9c" class="outline-5">
+<h5 id="org4137b9c"><span class="section-number-5">3.3.1.40.</span> Element-desktop</h5>
 <div class="outline-text-5" id="text-3-3-1-40">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16256,8 +16336,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org68fbf73" class="outline-5">
-<h5 id="org68fbf73"><span class="section-number-5">3.3.1.41.</span> Hexchat</h5>
+<div id="outline-container-orge83b29c" class="outline-5">
+<h5 id="orge83b29c"><span class="section-number-5">3.3.1.41.</span> Hexchat</h5>
 <div class="outline-text-5" id="text-3-3-1-41">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, nixosConfig ? config, ... }:
@@ -16281,8 +16361,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgea285a9" class="outline-5">
-<h5 id="orgea285a9"><span class="section-number-5">3.3.1.42.</span> obs-studio</h5>
+<div id="outline-container-orgc6e077d" class="outline-5">
+<h5 id="orgc6e077d"><span class="section-number-5">3.3.1.42.</span> obs-studio</h5>
 <div class="outline-text-5" id="text-3-3-1-42">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16302,8 +16382,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgd003fee" class="outline-5">
-<h5 id="orgd003fee"><span class="section-number-5">3.3.1.43.</span> spotify-player</h5>
+<div id="outline-container-org61af274" class="outline-5">
+<h5 id="org61af274"><span class="section-number-5">3.3.1.43.</span> spotify-player</h5>
 <div class="outline-text-5" id="text-3-3-1-43">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16323,8 +16403,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org8616bfa" class="outline-5">
-<h5 id="org8616bfa"><span class="section-number-5">3.3.1.44.</span> vesktop</h5>
+<div id="outline-container-orga884d29" class="outline-5">
+<h5 id="orga884d29"><span class="section-number-5">3.3.1.44.</span> vesktop</h5>
 <div class="outline-text-5" id="text-3-3-1-44">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16410,8 +16490,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgab3d85e" class="outline-5">
-<h5 id="orgab3d85e"><span class="section-number-5">3.3.1.45.</span> batsignal</h5>
+<div id="outline-container-org86c0973" class="outline-5">
+<h5 id="org86c0973"><span class="section-number-5">3.3.1.45.</span> batsignal</h5>
 <div class="outline-text-5" id="text-3-3-1-45">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16443,8 +16523,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgde9dc92" class="outline-5">
-<h5 id="orgde9dc92"><span class="section-number-5">3.3.1.46.</span> autotiling</h5>
+<div id="outline-container-org503cbe5" class="outline-5">
+<h5 id="org503cbe5"><span class="section-number-5">3.3.1.46.</span> autotiling</h5>
 <div class="outline-text-5" id="text-3-3-1-46">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16465,8 +16545,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orge7185ca" class="outline-5">
-<h5 id="orge7185ca"><span class="section-number-5">3.3.1.47.</span> swayidle</h5>
+<div id="outline-container-orgf1d300b" class="outline-5">
+<h5 id="orgf1d300b"><span class="section-number-5">3.3.1.47.</span> swayidle</h5>
 <div class="outline-text-5" id="text-3-3-1-47">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -16507,8 +16587,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org4e801e4" class="outline-5">
-<h5 id="org4e801e4"><span class="section-number-5">3.3.1.48.</span> swaylock</h5>
+<div id="outline-container-org3b0dfc9" class="outline-5">
+<h5 id="org3b0dfc9"><span class="section-number-5">3.3.1.48.</span> swaylock</h5>
 <div class="outline-text-5" id="text-3-3-1-48">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -16714,641 +16794,656 @@ in
 </div>
 </div>
 <div id="outline-container-h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6" class="outline-5">
-<h5 id="h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6"><span class="section-number-5">3.3.4.2.</span> Work</h5>
+<h5 id="h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6"><span class="section-number-5">3.3.4.2.</span> Work (pizauth)</h5>
 <div class="outline-text-5" id="text-h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">
 <p>
 The rest of the settings is at <a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">work</a>. Here, I am setting up the different firefox profiles that I need for the SSO sites that I need to access at work as well as a few ssh shorthands.
 </p>
 
+<p>
+When setting up a new machine:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-markdown">- setup pizauth for microsoft mail sync (account names are possibly `uni` and `work`):
+  - `pizauth auth &lt;account name, e.g. 'work'&gt;`
+  - `pizauth dump &gt; ~/.pizauth.state`
+</pre>
+</div>
+
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ self, config, pkgs, lib, vars, nixosConfig ? config, ... }:
-    let
-      inherit (config.swarselsystems) homeDir;
-    in
+let
+  inherit (config.swarselsystems) homeDir;
+  inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses;
+  inherit (nixosConfig.repo.secrets.local.work) mailAddress;
+in
+{
+  options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
+  config = lib.mkIf config.swarselmodules.optional.work
     {
-      options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
-      config = lib.mkIf config.swarselmodules.optional.work
+      home.packages = with pkgs; [
+        stable.teams-for-linux
+        shellcheck
+        dig
+        docker
+        postman
+        # rclone
+        libguestfs-with-appliance
+        stable.prometheus.cli
+        tigervnc
+        # openstackclient
+
+        vscode
+      ];
+
+      systemd.user.sessionVariables = {
+        DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
+      } // lib.optionalAttrs (!config.swarselsystems.isPublic) {
+        SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses;
+        SWARSEL_MAIL_WORK = lib.mkForce mailAddress;
+      };
+
+      accounts.email.accounts.work =
+        let
+          inherit (nixosConfig.repo.secrets.local.work) mailName;
+        in
         {
-          home.packages = with pkgs; [
-            stable.teams-for-linux
-            shellcheck
-            dig
-            docker
-            postman
-            # rclone
-            libguestfs-with-appliance
-            stable.prometheus.cli
-            tigervnc
-            # openstackclient
+          primary = false;
+          address = mailAddress;
+          userName = mailAddress;
+          realName = mailName;
+          passwordCommand = "pizauth show work";
+          imap = {
+            host = "outlook.office365.com";
+            port = 993;
+            tls.enable = true; # SSL/TLS
+          };
+          smtp = {
+            host = "outlook.office365.com";
+            port = 587;
+            tls = {
+              enable = true; # SSL/TLS
+              useStartTls = true;
+            };
+          };
+          thunderbird = {
+            enable = true;
+            profiles = [ "default" ];
+            settings = id: {
+              "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
+              "mail.server.server_${id}.authMethod" = 10; # oauth
+              # "toolkit.telemetry.enabled" = false;
+              # "toolkit.telemetry.rejected" = true;
+              # "toolkit.telemetry.prompted" = 2;
+            };
+          };
+          msmtp = {
+            enable = true;
+            extraConfig = {
+              auth = "xoauth2";
+              host = "outlook.office365.com";
+              protocol = "smtp";
+              port = "587";
+              tls = "on";
+              tls_starttls = "on";
+              from = "${mailAddress}";
+              user = "${mailAddress}";
+              passwordeval = "pizauth show work";
+            };
+          };
+          mu.enable = true;
+          mbsync = {
+            enable = true;
+            expunge = "both";
+            patterns = [ "INBOX" ];
+            extraConfig = {
+              account = {
+                AuthMechs = "XOAUTH2";
+              };
+            };
+          };
+        };
 
-            vscode
+      # wayland.windowManager.sway.config = {
+      #   output = {
+      #     "Applied Creative Technology Transmitter QUATTRO201811" = {
+      #       bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}";
+      #     };
+      #     "Hewlett Packard HP Z24i CN44250RDT" = {
+      #       bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}";
+      #     };
+      #     "HP Inc. HP 732pk CNC4080YL5" = {
+      #       bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}";
+      #     };
+      #   };
+      # };
+
+      stylix = {
+        targets.firefox.profileNames =
+          let
+            inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
+          in
+          [
+            "${user1}"
+            "${user2}"
+            "${user3}"
+            "work"
           ];
+      };
 
-
-          systemd.user.sessionVariables = {
-            DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
+      programs =
+        let
+          inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds;
+        in
+        {
+          openstackclient = {
+            enable = true;
+            inherit clouds;
           };
+          awscli = {
+            enable = true;
+            package = pkgs.stable24_05.awscli2;
+            # settings = {
+            #   "default" = { };
+            #   "profile s3-imagebuilder-prod" = { };
+            # };
+            # credentials = {
+            #   "s3-imagebuilder-prod" = {
+            #     aws_access_key_id = "5OYXY4879EJG9I91K1B6";
+            #     credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key";
+            #   };
+            # };
+          };
+          git.userEmail = lib.mkForce gitMail;
 
-          accounts.email.accounts.work =
-            let
-              inherit (nixosConfig.repo.secrets.local.work) mailAddress mailName;
-            in
-            {
-              primary = false;
-              address = mailAddress;
-              userName = mailAddress;
-              realName = mailName;
-              passwordCommand = "pizauth show work";
-              imap = {
-                host = "outlook.office365.com";
-                port = 993;
-                tls.enable = true; # SSL/TLS
-              };
-              smtp = {
-                host = "outlook.office365.com";
-                port = 587;
-                tls = {
-                  enable = true; # SSL/TLS
-                  useStartTls = true;
-                };
-              };
-              thunderbird = {
-                enable = true;
-                profiles = [ "default" ];
-                settings = id: {
-                  "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
-                  "mail.server.server_${id}.authMethod" = 10; # oauth
-                  # "toolkit.telemetry.enabled" = false;
-                  # "toolkit.telemetry.rejected" = true;
-                  # "toolkit.telemetry.prompted" = 2;
-                };
-              };
-              msmtp = {
-                enable = true;
-                extraConfig = {
-                  auth = "xoauth2";
-                  host = "outlook.office365.com";
-                  protocol = "smtp";
-                  port = "587";
-                  tls = "on";
-                  tls_starttls = "on";
-                  from = "${mailAddress}";
-                  user = "${mailAddress}";
-                  passwordeval = "pizauth show work";
-                };
-              };
-              mu.enable = true;
-              mbsync = {
-                enable = true;
-                expunge = "both";
-                patterns = [ "INBOX" ];
-                extraConfig = {
-                  account = {
-                    AuthMechs = "XOAUTH2";
-                  };
-                };
-              };
+          zsh = {
+            shellAliases = {
+              dssh = "ssh -l ${user1Long}";
+              cssh = "ssh -l ${user2Long}";
+              wssh = "ssh -l ${user3Long}";
+            };
+            cdpath = [
+              "~/Documents/Work"
+            ];
+            dirHashes = {
+              d = "$HOME/.dotfiles";
+              w = "$HOME/Documents/Work";
+              s = "$HOME/.dotfiles/secrets";
+              pr = "$HOME/Documents/Private";
+              ac = path1;
             };
 
-          # wayland.windowManager.sway.config = {
-          #   output = {
-          #     "Applied Creative Technology Transmitter QUATTRO201811" = {
-          #       bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}";
-          #     };
-          #     "Hewlett Packard HP Z24i CN44250RDT" = {
-          #       bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}";
-          #     };
-          #     "HP Inc. HP 732pk CNC4080YL5" = {
-          #       bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}";
-          #     };
-          #   };
-          # };
+            sessionVariables = {
+              VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})";
+              VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})";
+              GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})";
+              GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})";
+              GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})";
+              GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})";
+              GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})";
+              GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})";
+              GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})";
+              GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})";
+            };
+          };
 
-          stylix = {
-            targets.firefox.profileNames =
+          ssh = {
+            matchBlocks = {
+              "${loc1}" = {
+                hostname = "${loc1}.${domain2}";
+                user = user4;
+              };
+              "${loc1}.stg" = {
+                hostname = "${loc1}.${lifecycle1}.${domain2}";
+                user = user4;
+              };
+              "${loc1}.staging" = {
+                hostname = "${loc1}.${lifecycle1}.${domain2}";
+                user = user4;
+              };
+              "${loc1}.dev" = {
+                hostname = "${loc1}.${lifecycle2}.${domain2}";
+                user = user4;
+              };
+              "${loc2}" = {
+                hostname = "${loc2}.${domain1}";
+                user = user1Long;
+              };
+              "${loc2}.stg" = {
+                hostname = "${loc2}.${lifecycle1}.${domain2}";
+                user = user1Long;
+              };
+              "${loc2}.staging" = {
+                hostname = "${loc2}.${lifecycle1}.${domain2}";
+                user = user1Long;
+              };
+              "*.${domain1}" = {
+                user = user1Long;
+              };
+            };
+          };
+
+          firefox = {
+            profiles =
               let
-                inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
+                isDefault = false;
               in
-              [
-                "${user1}"
-                "${user2}"
-                "${user3}"
-                "work"
-              ];
+              {
+                "${user1}" = lib.recursiveUpdate
+                  {
+                    inherit isDefault;
+                    id = 1;
+                    settings = {
+                      "browser.startup.homepage" = "${site1}|${site2}";
+                    };
+                  }
+                  vars.firefox;
+                "${user2}" = lib.recursiveUpdate
+                  {
+                    inherit isDefault;
+                    id = 2;
+                    settings = {
+                      "browser.startup.homepage" = "${site3}";
+                    };
+                  }
+                  vars.firefox;
+                "${user3}" = lib.recursiveUpdate
+                  {
+                    inherit isDefault;
+                    id = 3;
+                  }
+                  vars.firefox;
+                work = lib.recursiveUpdate
+                  {
+                    inherit isDefault;
+                    id = 4;
+                    settings = {
+                      "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
+                    };
+                  }
+                  vars.firefox;
+              };
           };
 
-          programs =
-            let
-              inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds;
-            in
+          chromium = {
+            enable = true;
+            package = pkgs.chromium;
+
+            extensions = [
+              # 1password
+              "gejiddohjgogedgjnonbofjigllpkmbf"
+              # dark reader
+              "eimadpbcbfnmbkopoojfekhnkhdbieeh"
+              # ublock origin
+              "cjpalhdlnbpafiamejdnhcphjbkeiagm"
+              # i still dont care about cookies
+              "edibdbjcniadpccecjdfdjjppcpchdlm"
+              # browserpass
+              "naepdomgkenhinolocfifgehidddafch"
+            ];
+          };
+        };
+
+      services = {
+        kanshi = {
+          settings = [
             {
-              openstackclient = {
-                enable = true;
-                inherit clouds;
-};
-              awscli = {
-                enable = true;
-                package = pkgs.stable24_05.awscli2;
-                # settings = {
-                #   "default" = { };
-                #   "profile s3-imagebuilder-prod" = { };
-                # };
-                # credentials = {
-                #   "s3-imagebuilder-prod" = {
-                #     aws_access_key_id = "5OYXY4879EJG9I91K1B6";
-                #     credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key";
-                #   };
-                # };
+              # seminary room
+              output = {
+                criteria = "Applied Creative Technology Transmitter QUATTRO201811";
+                scale = 1.0;
+                mode = "1280x720";
               };
-              git.userEmail = lib.mkForce gitMail;
-
-              zsh = {
-                shellAliases = {
-                  dssh = "ssh -l ${user1Long}";
-                  cssh = "ssh -l ${user2Long}";
-                  wssh = "ssh -l ${user3Long}";
-                };
-                cdpath = [
-                  "~/Documents/Work"
+            }
+            {
+              # work main screen
+              output = {
+                criteria = "HP Inc. HP 732pk CNC4080YL5";
+                scale = 1.0;
+                mode = "3840x2160";
+              };
+            }
+            {
+              # work side screen
+              output = {
+                criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                scale = 1.0;
+                mode = "1920x1200";
+                transform = "270";
+              };
+            }
+            {
+              profile = {
+                name = "lidopen";
+                exec = [
+                  "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
+                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                  "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
                 ];
-                dirHashes = {
-                  d = "$HOME/.dotfiles";
-                  w = "$HOME/Documents/Work";
-                  s = "$HOME/.dotfiles/secrets";
-                  pr = "$HOME/Documents/Private";
-                  ac = path1;
-                };
-
-                sessionVariables = {
-                  VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})";
-                  VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})";
-                  GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})";
-                  GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})";
-                  GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})";
-                  GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})";
-                  GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})";
-                  GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})";
-                  GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})";
-                  GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})";
-                };
-              };
-
-              ssh = {
-                matchBlocks = {
-                  "${loc1}" = {
-                    hostname = "${loc1}.${domain2}";
-                    user = user4;
-                  };
-                  "${loc1}.stg" = {
-                    hostname = "${loc1}.${lifecycle1}.${domain2}";
-                    user = user4;
-                  };
-                  "${loc1}.staging" = {
-                    hostname = "${loc1}.${lifecycle1}.${domain2}";
-                    user = user4;
-                  };
-                  "${loc1}.dev" = {
-                    hostname = "${loc1}.${lifecycle2}.${domain2}";
-                    user = user4;
-                  };
-                  "${loc2}" = {
-                    hostname = "${loc2}.${domain1}";
-                    user = user1Long;
-                  };
-                  "${loc2}.stg" = {
-                    hostname = "${loc2}.${lifecycle1}.${domain2}";
-                    user = user1Long;
-                  };
-                  "${loc2}.staging" = {
-                    hostname = "${loc2}.${lifecycle1}.${domain2}";
-                    user = user1Long;
-                  };
-                  "*.${domain1}" = {
-                    user = user1Long;
-                  };
-                };
-              };
-
-              firefox = {
-                profiles =
-                  let
-                    isDefault = false;
-                  in
+                outputs = [
                   {
-                    "${user1}" = lib.recursiveUpdate
-                      {
-                        inherit isDefault;
-                        id = 1;
-                        settings = {
-                          "browser.startup.homepage" = "${site1}|${site2}";
-                        };
-                      }
-                      vars.firefox;
-                    "${user2}" = lib.recursiveUpdate
-                      {
-                        inherit isDefault;
-                        id = 2;
-                        settings = {
-                          "browser.startup.homepage" = "${site3}";
-                        };
-                      }
-                      vars.firefox;
-                    "${user3}" = lib.recursiveUpdate
-                      {
-                        inherit isDefault;
-                        id = 3;
-                      }
-                      vars.firefox;
-                    work = lib.recursiveUpdate
-                      {
-                        inherit isDefault;
-                        id = 4;
-                        settings = {
-                          "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
-                        };
-                      }
-                      vars.firefox;
-                  };
-              };
-
-              chromium = {
-                enable = true;
-                package = pkgs.chromium;
-
-                extensions = [
-                  # 1password
-                  "gejiddohjgogedgjnonbofjigllpkmbf"
-                  # dark reader
-                  "eimadpbcbfnmbkopoojfekhnkhdbieeh"
-                  # ublock origin
-                  "cjpalhdlnbpafiamejdnhcphjbkeiagm"
-                  # i still dont care about cookies
-                  "edibdbjcniadpccecjdfdjjppcpchdlm"
-                  # browserpass
-                  "naepdomgkenhinolocfifgehidddafch"
+                    criteria = config.swarselsystems.sharescreen;
+                    status = "enable";
+                    scale = 1.5;
+                    position = "1462,0";
+                  }
+                  {
+                    criteria = "HP Inc. HP 732pk CNC4080YL5";
+                    scale = 1.4;
+                    mode = "3840x2160";
+                    position = "-1280,0";
+                  }
+                  {
+                    criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                    scale = 1.0;
+                    mode = "1920x1200";
+                    transform = "90";
+                    position = "-2480,0";
+                  }
                 ];
               };
-            };
-
-          services = {
-            kanshi = {
-              settings = [
+            }
+            {
+              profile =
+                let
+                  monitor = "Applied Creative Technology Transmitter QUATTRO201811";
+                in
                 {
-                  # seminary room
-                  output = {
-                    criteria = "Applied Creative Technology Transmitter QUATTRO201811";
-                    scale = 1.0;
-                    mode = "1280x720";
-                  };
-                }
-                {
-                  # work main screen
-                  output = {
+                  name = "lidopen";
+                  exec = [
+                    "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
+                    "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
+                    "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'"
+                  ];
+                  outputs = [
+                    {
+                      criteria = config.swarselsystems.sharescreen;
+                      status = "enable";
+                      scale = 1.7;
+                      position = "2560,0";
+                    }
+                    {
+                      criteria = "Applied Creative Technology Transmitter QUATTRO201811";
+                      scale = 1.0;
+                      mode = "1280x720";
+                      position = "10000,10000";
+                    }
+                  ];
+                };
+            }
+            {
+              profile = {
+                name = "lidclosed";
+                exec = [
+                  "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                  "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                ];
+                outputs = [
+                  {
+                    criteria = config.swarselsystems.sharescreen;
+                    status = "disable";
+                  }
+                  {
                     criteria = "HP Inc. HP 732pk CNC4080YL5";
-                    scale = 1.0;
+                    scale = 1.4;
                     mode = "3840x2160";
-                  };
-                }
-                {
-                  # work side screen
-                  output = {
+                    position = "-1280,0";
+                  }
+                  {
                     criteria = "Hewlett Packard HP Z24i CN44250RDT";
                     scale = 1.0;
                     mode = "1920x1200";
                     transform = "270";
-                  };
-                }
-                {
-                  profile = {
-                    name = "lidopen";
-                    exec = [
-                      "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
-                      "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                      "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
-                    ];
-                    outputs = [
-                      {
-                        criteria = config.swarselsystems.sharescreen;
-                        status = "enable";
-                        scale = 1.5;
-                        position = "1462,0";
-                      }
-                      {
-                        criteria = "HP Inc. HP 732pk CNC4080YL5";
-                        scale = 1.4;
-                        mode = "3840x2160";
-                        position = "-1280,0";
-                      }
-                      {
-                        criteria = "Hewlett Packard HP Z24i CN44250RDT";
-                        scale = 1.0;
-                        mode = "1920x1200";
-                        transform = "90";
-                        position = "-2480,0";
-                      }
-                    ];
-                  };
-                }
-                {
-                  profile =
-                    let
-                      monitor = "Applied Creative Technology Transmitter QUATTRO201811";
-                    in
-                    {
-                      name = "lidopen";
-                      exec = [
-                        "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
-                        "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
-                        "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'"
-                      ];
-                      outputs = [
-                        {
-                          criteria = config.swarselsystems.sharescreen;
-                          status = "enable";
-                          scale = 1.7;
-                          position = "2560,0";
-                        }
-                        {
-                          criteria = "Applied Creative Technology Transmitter QUATTRO201811";
-                          scale = 1.0;
-                          mode = "1280x720";
-                          position = "10000,10000";
-                        }
-                      ];
-                    };
-                }
-                {
-                  profile = {
-                    name = "lidclosed";
-                    exec = [
-                      "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                      "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
-                    ];
-                    outputs = [
-                      {
-                        criteria = config.swarselsystems.sharescreen;
-                        status = "disable";
-                      }
-                      {
-                        criteria = "HP Inc. HP 732pk CNC4080YL5";
-                        scale = 1.4;
-                        mode = "3840x2160";
-                        position = "-1280,0";
-                      }
-                      {
-                        criteria = "Hewlett Packard HP Z24i CN44250RDT";
-                        scale = 1.0;
-                        mode = "1920x1200";
-                        transform = "270";
-                        position = "-2480,0";
-                      }
-                    ];
-                  };
-                }
-                {
-                  profile =
-                    let
-                      monitor = "Applied Creative Technology Transmitter QUATTRO201811";
-                    in
-                    {
-                      name = "lidclosed";
-                      exec = [
-                        "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
-                      ];
-                      outputs = [
-                        {
-                          criteria = config.swarselsystems.sharescreen;
-                          status = "disable";
-                        }
-                        {
-                          criteria = "Applied Creative Technology Transmitter QUATTRO201811";
-                          scale = 1.0;
-                          mode = "1280x720";
-                          position = "10000,10000";
-                        }
-                      ];
-                    };
-                }
-              ];
-            };
-          };
-
-          systemd.user.services = {
-            pizauth.Service = {
-              ExecStartPost = [
-                "${pkgs.toybox}/bin/sleep 1"
-                "//bin/sh -c '${lib.getExe pkgs.pizauth} restore &lt; ${homeDir}/.pizauth.state'"
-              ];
-            };
-
-            teams-applet = {
-              Unit = {
-                Description = "teams applet";
-                Requires = [ "tray.target" ];
-                After = [
-                  "graphical-session.target"
-                  "tray.target"
+                    position = "-2480,0";
+                  }
                 ];
-                PartOf = [ "graphical-session.target" ];
               };
-
-              Install = {
-                WantedBy = [ "graphical-session.target" ];
-              };
-
-              Service = {
-                ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true";
-              };
-            };
-
-            onepassword-applet = {
-              Unit = {
-                Description = "1password applet";
-                Requires = [ "tray.target" ];
-                After = [
-                  "graphical-session.target"
-                  "tray.target"
-                ];
-                PartOf = [ "graphical-session.target" ];
-              };
-
-              Install = {
-                WantedBy = [ "graphical-session.target" ];
-              };
-
-              Service = {
-                ExecStart = "${pkgs._1password-gui}/bin/1password";
-              };
-            };
-
-          };
-
-          swarselservices.pizauth = {
-            enable = true;
-            extraConfig = ''
-              auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi";
-              error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\"";
-              token_event_cmd = "pizauth dump &gt; ${homeDir}/.pizauth.state";
-            '';
-            accounts = {
-              work = {
-                authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
-                tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
-                clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
-                clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
-                scopes = [
-                  "https://outlook.office365.com/IMAP.AccessAsUser.All"
-                  "https://outlook.office365.com/SMTP.Send"
-                  "offline_access"
-                ];
-                loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}";
-              };
-            };
-
-          };
-
-          xdg =
-            let
-              inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
-            in
+            }
             {
-              mimeApps = {
-                defaultApplications = {
-                  "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
-                };
-              };
-              desktopEntries =
+              profile =
                 let
-                  terminal = false;
-                  categories = [ "Application" ];
-                  icon = "firefox";
+                  monitor = "Applied Creative Technology Transmitter QUATTRO201811";
                 in
                 {
-                  firefox_work = {
-                    name = "Firefox (work)";
-                    genericName = "Firefox work";
-                    exec = "firefox -p work";
-                    inherit terminal categories icon;
-                  };
-                  "firefox_${user1}" = {
-                    name = "Firefox (${user1})";
-                    genericName = "Firefox ${user1}";
-                    exec = "firefox -p ${user1}";
-                    inherit terminal categories icon;
-                  };
-
-                  "firefox_${user2}" = {
-                    name = "Firefox (${user2})";
-                    genericName = "Firefox ${user2}";
-                    exec = "firefox -p ${user2}";
-                    inherit terminal categories icon;
-                  };
-
-                  "firefox_${user3}" = {
-                    name = "Firefox (${user3})";
-                    genericName = "Firefox ${user3}";
-                    exec = "firefox -p ${user3}";
-                    inherit terminal categories icon;
-                  };
-
-
+                  name = "lidclosed";
+                  exec = [
+                    "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}"
+                  ];
+                  outputs = [
+                    {
+                      criteria = config.swarselsystems.sharescreen;
+                      status = "disable";
+                    }
+                    {
+                      criteria = "Applied Creative Technology Transmitter QUATTRO201811";
+                      scale = 1.0;
+                      mode = "1280x720";
+                      position = "10000,10000";
+                    }
+                  ];
                 };
-            };
-          swarselsystems = {
-            startup = [
-              # { command = "nextcloud --background"; }
-              # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
-              # { command = "element-desktop --hidden  --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
-              # { command = "anki"; }
-              # { command = "obsidian"; }
-              # { command = "nm-applet"; }
-              # { command = "feishin"; }
-              # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }
-              # { command = "1password"; }
-            ];
-            monitors = {
-              work_back_middle = rec {
-                name = "LG Electronics LG Ultra HD 0x000305A6";
-                mode = "2560x1440";
-                scale = "1";
-                position = "5120,0";
-                workspace = "1:一";
-                # output = "DP-10";
-                output = name;
-              };
-              work_front_left = rec {
-                name = "LG Electronics LG Ultra HD 0x0007AB45";
-                mode = "3840x2160";
-                scale = "1";
-                position = "5120,0";
-                workspace = "1:一";
-                # output = "DP-7";
-                output = name;
-              };
-              work_back_right = rec {
-                name = "HP Inc. HP Z32 CN41212T55";
-                mode = "3840x2160";
-                scale = "1";
-                position = "5120,0";
-                workspace = "1:一";
-                # output = "DP-3";
-                output = name;
-              };
-              work_middle_middle_main = rec {
-                name = "HP Inc. HP 732pk CNC4080YL5";
-                mode = "3840x2160";
-                scale = "1";
-                position = "-1280,0";
-                workspace = "11:M";
-                # output = "DP-8";
-                output = name;
-              };
-              work_middle_middle_side = rec {
-                name = "Hewlett Packard HP Z24i CN44250RDT";
-                mode = "1920x1200";
-                transform = "270";
-                scale = "1";
-                position = "-2480,0";
-                workspace = "12:S";
-                # output = "DP-9";
-                output = name;
-              };
-              work_seminary = rec {
-                name = "Applied Creative Technology Transmitter QUATTRO201811";
-                mode = "1280x720";
-                scale = "1";
-                position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse
-                workspace = "14:T";
-                # output = "DP-4";
-                output = name;
-              };
-            };
-            inputs = {
-              "1133:45081:MX_Master_2S_Keyboard" = {
-                xkb_layout = "us";
-                xkb_variant = "altgr-intl";
-              };
-              # "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
-              #   dwt = "enabled";
-              #   tap = "enabled";
-              #   natural_scroll = "enabled";
-              #   middle_emulation = "enabled";
-              #   drag_lock = "disabled";
-              # };
-              "1133:50504:Logitech_USB_Receiver" = {
-                xkb_layout = "us";
-                xkb_variant = "altgr-intl";
-              };
-              "1133:45944:MX_KEYS_S" = {
-                xkb_layout = "us";
-                xkb_variant = "altgr-intl";
-              };
-            };
+            }
+          ];
+        };
+      };
 
+      systemd.user.services = {
+        pizauth.Service = {
+          ExecStartPost = [
+            "${pkgs.toybox}/bin/sleep 1"
+            "//bin/sh -c '${lib.getExe pkgs.pizauth} restore &lt; ${homeDir}/.pizauth.state'"
+          ];
+        };
+
+        teams-applet = {
+          Unit = {
+            Description = "teams applet";
+            Requires = [ "tray.target" ];
+            After = [
+              "graphical-session.target"
+              "tray.target"
+            ];
+            PartOf = [ "graphical-session.target" ];
+          };
+
+          Install = {
+            WantedBy = [ "graphical-session.target" ];
+          };
+
+          Service = {
+            ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true";
           };
         };
 
-    }
+        onepassword-applet = {
+          Unit = {
+            Description = "1password applet";
+            Requires = [ "tray.target" ];
+            After = [
+              "graphical-session.target"
+              "tray.target"
+            ];
+            PartOf = [ "graphical-session.target" ];
+          };
+
+          Install = {
+            WantedBy = [ "graphical-session.target" ];
+          };
+
+          Service = {
+            ExecStart = "${pkgs._1password-gui}/bin/1password";
+          };
+        };
+
+      };
+
+      swarselservices.pizauth = {
+        enable = true;
+        extraConfig = ''
+          auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi";
+          error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\"";
+          token_event_cmd = "pizauth dump &gt; ${homeDir}/.pizauth.state";
+        '';
+        accounts = {
+          work = {
+            authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+            tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+            clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
+            clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
+            scopes = [
+              "https://outlook.office365.com/IMAP.AccessAsUser.All"
+              "https://outlook.office365.com/SMTP.Send"
+              "offline_access"
+            ];
+            loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}";
+          };
+        };
+
+      };
+
+      xdg =
+        let
+          inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
+        in
+        {
+          mimeApps = {
+            defaultApplications = {
+              "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
+            };
+          };
+          desktopEntries =
+            let
+              terminal = false;
+              categories = [ "Application" ];
+              icon = "firefox";
+            in
+            {
+              firefox_work = {
+                name = "Firefox (work)";
+                genericName = "Firefox work";
+                exec = "firefox -p work";
+                inherit terminal categories icon;
+              };
+              "firefox_${user1}" = {
+                name = "Firefox (${user1})";
+                genericName = "Firefox ${user1}";
+                exec = "firefox -p ${user1}";
+                inherit terminal categories icon;
+              };
+
+              "firefox_${user2}" = {
+                name = "Firefox (${user2})";
+                genericName = "Firefox ${user2}";
+                exec = "firefox -p ${user2}";
+                inherit terminal categories icon;
+              };
+
+              "firefox_${user3}" = {
+                name = "Firefox (${user3})";
+                genericName = "Firefox ${user3}";
+                exec = "firefox -p ${user3}";
+                inherit terminal categories icon;
+              };
+
+
+            };
+        };
+      swarselsystems = {
+        startup = [
+          # { command = "nextcloud --background"; }
+          # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
+          # { command = "element-desktop --hidden  --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
+          # { command = "anki"; }
+          # { command = "obsidian"; }
+          # { command = "nm-applet"; }
+          # { command = "feishin"; }
+          # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }
+          # { command = "1password"; }
+        ];
+        monitors = {
+          work_back_middle = rec {
+            name = "LG Electronics LG Ultra HD 0x000305A6";
+            mode = "2560x1440";
+            scale = "1";
+            position = "5120,0";
+            workspace = "1:一";
+            # output = "DP-10";
+            output = name;
+          };
+          work_front_left = rec {
+            name = "LG Electronics LG Ultra HD 0x0007AB45";
+            mode = "3840x2160";
+            scale = "1";
+            position = "5120,0";
+            workspace = "1:一";
+            # output = "DP-7";
+            output = name;
+          };
+          work_back_right = rec {
+            name = "HP Inc. HP Z32 CN41212T55";
+            mode = "3840x2160";
+            scale = "1";
+            position = "5120,0";
+            workspace = "1:一";
+            # output = "DP-3";
+            output = name;
+          };
+          work_middle_middle_main = rec {
+            name = "HP Inc. HP 732pk CNC4080YL5";
+            mode = "3840x2160";
+            scale = "1";
+            position = "-1280,0";
+            workspace = "11:M";
+            # output = "DP-8";
+            output = name;
+          };
+          work_middle_middle_side = rec {
+            name = "Hewlett Packard HP Z24i CN44250RDT";
+            mode = "1920x1200";
+            transform = "270";
+            scale = "1";
+            position = "-2480,0";
+            workspace = "12:S";
+            # output = "DP-9";
+            output = name;
+          };
+          work_seminary = rec {
+            name = "Applied Creative Technology Transmitter QUATTRO201811";
+            mode = "1280x720";
+            scale = "1";
+            position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse
+            workspace = "14:T";
+            # output = "DP-4";
+            output = name;
+          };
+        };
+        inputs = {
+          "1133:45081:MX_Master_2S_Keyboard" = {
+            xkb_layout = "us";
+            xkb_variant = "altgr-intl";
+          };
+          # "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
+          #   dwt = "enabled";
+          #   tap = "enabled";
+          #   natural_scroll = "enabled";
+          #   middle_emulation = "enabled";
+          #   drag_lock = "disabled";
+          # };
+          "1133:50504:Logitech_USB_Receiver" = {
+            xkb_layout = "us";
+            xkb_variant = "altgr-intl";
+          };
+          "1133:45944:MX_KEYS_S" = {
+            xkb_layout = "us";
+            xkb_variant = "altgr-intl";
+          };
+        };
+
+      };
+    };
+
+}
 
 </pre>
 </div>
@@ -19713,8 +19808,8 @@ writeShellApplication {
 </div>
 </div>
 </div>
-<div id="outline-container-org6a36b50" class="outline-4">
-<h4 id="org6a36b50"><span class="section-number-4">3.5.34.</span> endme</h4>
+<div id="outline-container-orgc62e7de" class="outline-4">
+<h4 id="orgc62e7de"><span class="section-number-4">3.5.34.</span> endme</h4>
 <div class="outline-text-4" id="text-3-5-34">
 <p>
 Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session.
@@ -19735,8 +19830,8 @@ writeShellApplication {
 </div>
 </div>
 </div>
-<div id="outline-container-orgb3faf9e" class="outline-4">
-<h4 id="orgb3faf9e"><span class="section-number-4">3.5.35.</span> git-replace</h4>
+<div id="outline-container-orge3590e8" class="outline-4">
+<h4 id="orge3590e8"><span class="section-number-4">3.5.35.</span> git-replace</h4>
 <div class="outline-text-4" id="text-3-5-35">
 <p>
 This script allows for quick git replace of a string.
@@ -19898,8 +19993,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgefd2161" class="outline-5">
-<h5 id="orgefd2161"><span class="section-number-5">3.6.1.3.</span> Optionals</h5>
+<div id="outline-container-org30fc974" class="outline-5">
+<h5 id="org30fc974"><span class="section-number-5">3.6.1.3.</span> Optionals</h5>
 <div class="outline-text-5" id="text-3-6-1-3">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -23807,6 +23902,40 @@ This adds the simple utility of sending desktop notifications whenever a new mai
 (add-hook 'after-init-hook #'mu4e-alert-enable-notifications)
 
 (mu4e t)
+</pre>
+</div>
+</div>
+</div>
+<div id="outline-container-org234e39c" class="outline-5">
+<h5 id="org234e39c"><span class="section-number-5">4.4.39.3.</span> Work: Signing Mails (S/MIME, smime)</h5>
+<div class="outline-text-5" id="text-4-4-39-3">
+<p>
+Used to automatically sign messages sent from my work email address using S/MIME certificate.
+</p>
+
+<div class="org-src-container">
+<pre class="src src-emacs-lisp">(let ((work (getenv "SWARSEL_MAIL_WORK")))
+  (when (and work (not (string-empty-p work)))
+
+    (setq swarsel-smime-cert-path "~/.Certificates/$SWARSEL_MAIL_WORK.pem")
+    (setq swarsel-smime-cert-path (substitute-env-vars swarsel-smime-cert-path))
+    (setq mml-secure-prefer-scheme 'smime)
+    (setq mml-secure-smime-sign-with-sender t)
+    (add-hook 'mu4e-compose-mode-hook
+              (lambda ()
+                (when (and (boundp 'user-mail-address)
+                           (stringp user-mail-address)
+                           (string-equal user-mail-address (getenv "SWARSEL_MAIL_WORK")))
+                  (mml-secure-message-sign-smime))))
+
+    (setq smime-keys
+          `((,(getenv "SWARSEL_MAIL_WORK")
+             ,swarsel-smime-cert-path
+             ("~/Certificates/harica-root.pem"
+              "~/Certificates/harica-intermediate.pem"
+              ))))
+    ))
+
 </pre>
 </div>
 </div>
@@ -24062,6 +24191,20 @@ Also see `prot-window-delete-popup-frame'." command)
 This sections is no longer used really. An introduction can be found in <a href="#h:bcc3ebbe-df8a-46bd-b42d-73aad6fc66e5">Structure of this file</a> under the historical note. The little noweb-ref blocks that I still use are found in <a href="#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">Hosts</a> and <a href="#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">Services</a>.
 </p>
 </div>
+<div id="outline-container-orge8ed16b" class="outline-3">
+<h3 id="orge8ed16b"><span class="section-number-3">5.1.</span> General steps when setting up a new machine</h3>
+<div class="outline-text-3" id="text-5-1">
+<p>
+These general steps are needed when setting up a new machine and do not fit into another block well:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-markdown">- setup yubikey (automatic yubikey enrollment is not yet supported by `disko`):
+  - `systemd-cryptenroll --fido2-device=auto /dev/&lt;device, e.g. 'nvme0n1p2'&gt;`
+</pre>
+</div>
+</div>
+</div>
 </div>
 <div id="outline-container-h:8fc9f66a-7412-4091-8dee-a06f897baf67" class="outline-2">
 <h2 id="h:8fc9f66a-7412-4091-8dee-a06f897baf67"><span class="section-number-2">6.</span> Appendix B: Supplementary Files</h2>
@@ -24303,7 +24446,7 @@ set allowautofocus false
 jsb browser.webRequest.onHeadersReceived.addListener(tri.request.clobberCSP,{urls:["&lt;all_urls&gt;"],types:["main_frame"]},["blocking","responseHeaders"])
 
 " default is 300ms
-set hintdelay 100
+set hintdelay 500
 
 " Some pages like github break on the tridactyl quick search. have this as a fallback
 unbind &lt;C-f&gt;
@@ -26993,7 +27136,7 @@ similarly, there exists an version that starts from the right.
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-10-21 Di 13:09</p>
+<p class="date">Created: 2025-10-21 Di 21:37</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>

From da56b4ea644090f3fcfb3557e022d0673687889e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Tue, 21 Oct 2025 21:56:00 +0200
Subject: [PATCH 6/7] fix[work]: reply using S/MIME when appropriate

---
 SwarselSystems.org  |   6 +-
 files/emacs/init.el |   6 +-
 index.html          | 170 +++++++++++++++++++++++---------------------
 3 files changed, 97 insertions(+), 85 deletions(-)

diff --git a/SwarselSystems.org b/SwarselSystems.org
index cda52c9..a965aca 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -19054,6 +19054,10 @@ Used here: [[#h:b92a18cf-eec3-4605-a8c2-37133ade3574][mu4e]]
         (when-let ((dest (swarsel/mu4e-rfs--matching-address)))
           (cl-destructuring-bind (from-user from-addr) dest
             (setq user-mail-address from-addr)
+            (when (and (boundp 'user-mail-address)
+                       (stringp user-mail-address)
+                       (string-equal user-mail-address (getenv "SWARSEL_MAIL_WORK")))
+              (mml-secure-message-sign-smime))
             (message-position-on-field "From")
             (message-beginning-of-line)
             (delete-region (point) (line-end-position))
@@ -21832,7 +21836,7 @@ The hook functions are defined here: [[#h:34506761-06b9-43b5-a818-506d9b3faf28][
     (setq mu4e-mu-binary (executable-find "mu"))
     (setq mu4e-hide-index-messages t)
 
-    (setq mu4e-update-interval 180)
+    (setq mu4e-update-interval 60)
     (setq mu4e-get-mail-command "mbsync -a")
     (setq mu4e-maildir "~/Mail")
 
diff --git a/files/emacs/init.el b/files/emacs/init.el
index e8d147e..ef36c52 100644
--- a/files/emacs/init.el
+++ b/files/emacs/init.el
@@ -30,6 +30,10 @@
       (when-let ((dest (swarsel/mu4e-rfs--matching-address)))
         (cl-destructuring-bind (from-user from-addr) dest
           (setq user-mail-address from-addr)
+          (when (and (boundp 'user-mail-address)
+                     (stringp user-mail-address)
+                     (string-equal user-mail-address (getenv "SWARSEL_MAIL_WORK")))
+            (mml-secure-message-sign-smime))
           (message-position-on-field "From")
           (message-beginning-of-line)
           (delete-region (point) (line-end-position))
@@ -1560,7 +1564,7 @@ create a new one."
   (setq mu4e-mu-binary (executable-find "mu"))
   (setq mu4e-hide-index-messages t)
 
-  (setq mu4e-update-interval 180)
+  (setq mu4e-update-interval 60)
   (setq mu4e-get-mail-command "mbsync -a")
   (setq mu4e-maildir "~/Mail")
 
diff --git a/index.html b/index.html
index 07f172c..b6bd78d 100644
--- a/index.html
+++ b/index.html
@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-10-21 Di 21:37 -->
+<!-- 2025-10-21 Di 21:55 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configurationo</title>
@@ -209,7 +209,7 @@
 <li><a href="#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">1.4. Hosts</a></li>
 <li><a href="#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">1.5. Programs</a></li>
 <li><a href="#h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9">1.6. Services</a></li>
-<li><a href="#org1e210f0">1.7. Manual steps when setting up a new machine</a></li>
+<li><a href="#org36875c7">1.7. Manual steps when setting up a new machine</a></li>
 </ul>
 </li>
 <li><a href="#h:c7588c0d-2528-485d-b2df-04d6336428d7">2. flake.nix</a>
@@ -444,8 +444,8 @@
 <li><a href="#h:15b581ab-09fe-4f84-af26-2f1fbf7d726b">3.2.5.8. Hibernation</a></li>
 <li><a href="#h:86fb3236-9e18-43f0-8a08-3a2acd61cc98">3.2.5.9. BTRFS</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.2.5.10. work</a></li>
-<li><a href="#org3b29611">3.2.5.11. microvm-host</a></li>
-<li><a href="#org5500ccc">3.2.5.12. microvm-guest</a></li>
+<li><a href="#org23c703f">3.2.5.11. microvm-host</a></li>
+<li><a href="#orgcfb6a06">3.2.5.12. microvm-guest</a></li>
 </ul>
 </li>
 </ul>
@@ -473,7 +473,7 @@
 <li><a href="#h:4486b02f-4fb8-432b-bfa2-2e786206341d">3.3.1.12. Sourcing environment variables</a></li>
 <li><a href="#h:f0e0b580-2e1c-4ca6-a983-f05d3ebbbcde">3.3.1.13. General Programs: bottom, imv, less, lesspipe, sioyek, bat, carapace, wlogout, swayr, yt-dlp, mpv, jq, nix-index, ripgrep, pandoc, fzf, zoxide, timidity</a></li>
 <li><a href="#h:64dbbb9e-8097-4c1b-813c-8c10cf9b9748">3.3.1.14. nix-index</a></li>
-<li><a href="#orgef57e77">3.3.1.15. nix-your-shell</a></li>
+<li><a href="#orgf81635c">3.3.1.15. nix-your-shell</a></li>
 <li><a href="#h:ac0e5e62-0dbf-4782-9a96-9e558eae86ae">3.3.1.16. password-store</a></li>
 <li><a href="#h:1ab84307-b3fb-4c32-9def-4b89a53a8547">3.3.1.17. direnv</a></li>
 <li><a href="#h:1bd6b0c7-f201-43e2-9624-6c50de00a1f6">3.3.1.18. eza</a></li>
@@ -496,12 +496,12 @@
 <li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.3.1.31.3. Mako</a></li>
 <li><a href="#h:388e71be-f00a-4d45-ade1-218ce942057d">3.3.1.31.4. SwayOSD</a></li>
 <li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.3.1.31.5. yubikey-touch-detector</a></li>
-<li><a href="#org44c9877">3.3.1.31.6. blueman-applet</a></li>
-<li><a href="#org163a2af">3.3.1.31.7. network-manager-applet</a></li>
-<li><a href="#orgd6b832c">3.3.1.31.8. obsidian service for tray</a></li>
-<li><a href="#org7b3c601">3.3.1.31.9. anki service for tray</a></li>
-<li><a href="#orgaea42f4">3.3.1.31.10. element service for tray</a></li>
-<li><a href="#org030b0b2">3.3.1.31.11. vesktop service for tray</a></li>
+<li><a href="#org0c2d462">3.3.1.31.6. blueman-applet</a></li>
+<li><a href="#org65c057e">3.3.1.31.7. network-manager-applet</a></li>
+<li><a href="#org194e70e">3.3.1.31.8. obsidian service for tray</a></li>
+<li><a href="#org080d87e">3.3.1.31.9. anki service for tray</a></li>
+<li><a href="#org89d97b2">3.3.1.31.10. element service for tray</a></li>
+<li><a href="#orgbf0d5d2">3.3.1.31.11. vesktop service for tray</a></li>
 </ul>
 </li>
 <li><a href="#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20">3.3.1.32. Sway</a></li>
@@ -510,17 +510,17 @@
 <li><a href="#h:7d384e3b-1be7-4644-b304-ada4af0b692b">3.3.1.35. gpg-agent</a></li>
 <li><a href="#h:74e236be-a977-4d38-b8c5-0b9feef8af91">3.3.1.36. gammastep</a></li>
 <li><a href="#h:d1fb3075-ad52-4c1b-ba45-5ddbd0d3b708">3.3.1.37. Spicetify</a></li>
-<li><a href="#org2444730">3.3.1.38. Obsidian</a></li>
-<li><a href="#org7ee88af">3.3.1.39. Anki</a></li>
-<li><a href="#org4137b9c">3.3.1.40. Element-desktop</a></li>
-<li><a href="#orge83b29c">3.3.1.41. Hexchat</a></li>
-<li><a href="#orgc6e077d">3.3.1.42. obs-studio</a></li>
-<li><a href="#org61af274">3.3.1.43. spotify-player</a></li>
-<li><a href="#orga884d29">3.3.1.44. vesktop</a></li>
-<li><a href="#org86c0973">3.3.1.45. batsignal</a></li>
-<li><a href="#org503cbe5">3.3.1.46. autotiling</a></li>
-<li><a href="#orgf1d300b">3.3.1.47. swayidle</a></li>
-<li><a href="#org3b0dfc9">3.3.1.48. swaylock</a></li>
+<li><a href="#org0fd890d">3.3.1.38. Obsidian</a></li>
+<li><a href="#org3633af4">3.3.1.39. Anki</a></li>
+<li><a href="#orge6e7054">3.3.1.40. Element-desktop</a></li>
+<li><a href="#org5b44f01">3.3.1.41. Hexchat</a></li>
+<li><a href="#org1a7342e">3.3.1.42. obs-studio</a></li>
+<li><a href="#org17f157b">3.3.1.43. spotify-player</a></li>
+<li><a href="#orgcc87d9f">3.3.1.44. vesktop</a></li>
+<li><a href="#org4ee72a0">3.3.1.45. batsignal</a></li>
+<li><a href="#org0e92abf">3.3.1.46. autotiling</a></li>
+<li><a href="#orgaa61d53">3.3.1.47. swayidle</a></li>
+<li><a href="#org6d6098e">3.3.1.48. swaylock</a></li>
 </ul>
 </li>
 <li><a href="#h:b1a00339-6e9b-4ae4-b5dc-6fd5669a2ddb">3.3.2. Server</a>
@@ -585,8 +585,8 @@
 <li><a href="#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">3.5.31. swarsel-build</a></li>
 <li><a href="#h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa">3.5.32. swarsel-instantiate</a></li>
 <li><a href="#h:02842543-caca-4d4c-a4d2-7ac749b5c136">3.5.33. sshrm</a></li>
-<li><a href="#orgc62e7de">3.5.34. endme</a></li>
-<li><a href="#orge3590e8">3.5.35. git-replace</a></li>
+<li><a href="#orgd874e4c">3.5.34. endme</a></li>
+<li><a href="#org0eb85f0">3.5.35. git-replace</a></li>
 </ul>
 </li>
 <li><a href="#h:f0f1c961-3e7a-47b8-99ab-1654bb45dffc">3.6. Profiles</a>
@@ -595,7 +595,7 @@
 <ul>
 <li><a href="#h:32d654de-8db2-403a-9a27-4c46d7b9172d">3.6.1.1. Personal</a></li>
 <li><a href="#h:b926f0c8-7968-4079-924c-a5d0ae4d3a45">3.6.1.2. Minimal</a></li>
-<li><a href="#org30fc974">3.6.1.3. Optionals</a></li>
+<li><a href="#orgc7b0115">3.6.1.3. Optionals</a></li>
 <li><a href="#h:b79fbb59-9cf2-48eb-b469-2589223dda95">3.6.1.4. Chaostheatre</a></li>
 <li><a href="#h:cb3631a8-9c1b-42f2-ab01-502c7b4c273d">3.6.1.5. Work</a></li>
 <li><a href="#h:87a83b10-3c2f-407c-89aa-922ad77748a4">3.6.1.6. Uni</a></li>
@@ -776,7 +776,7 @@
 <ul>
 <li><a href="#h:b92a18cf-eec3-4605-a8c2-37133ade3574">4.4.39.1. mu4e</a></li>
 <li><a href="#h:43209eeb-5d46-472e-b7c2-58a3fb465199">4.4.39.2. mu4e-alert</a></li>
-<li><a href="#org234e39c">4.4.39.3. Work: Signing Mails (S/MIME, smime)</a></li>
+<li><a href="#org86f5cec">4.4.39.3. Work: Signing Mails (S/MIME, smime)</a></li>
 </ul>
 </li>
 <li><a href="#h:c760f04e-622f-4b3e-8916-53ca8cce6edc">4.4.40. Calendar</a></li>
@@ -791,7 +791,7 @@
 </li>
 <li><a href="#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c">5. Appendix A: Noweb-Ref blocks</a>
 <ul>
-<li><a href="#orge8ed16b">5.1. General steps when setting up a new machine</a></li>
+<li><a href="#orga485a52">5.1. General steps when setting up a new machine</a></li>
 </ul>
 </li>
 <li><a href="#h:8fc9f66a-7412-4091-8dee-a06f897baf67">6. Appendix B: Supplementary Files</a>
@@ -843,7 +843,7 @@
 </div>
 </div>
 <p>
-<b>This file has 96609 words spanning 24942 lines and was last revised on 2025-10-21 21:36:59 +0200.</b>
+<b>This file has 96633 words spanning 24946 lines and was last revised on 2025-10-21 21:55:49 +0200.</b>
 </p>
 
 <p>
@@ -912,7 +912,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-10-21 21:36:59 +0200)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-10-21 21:55:49 +0200)
 </p></li>
 </ul>
 
@@ -1215,8 +1215,8 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 </div>
 </div>
 </div>
-<div id="outline-container-org1e210f0" class="outline-3">
-<h3 id="org1e210f0"><span class="section-number-3">1.7.</span> Manual steps when setting up a new machine</h3>
+<div id="outline-container-org36875c7" class="outline-3">
+<h3 id="org36875c7"><span class="section-number-3">1.7.</span> Manual steps when setting up a new machine</h3>
 <div class="outline-text-3" id="text-1-7">
 <div class="org-src-container">
 <pre class="src src-markdown">
@@ -12178,8 +12178,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org3b29611" class="outline-5">
-<h5 id="org3b29611"><span class="section-number-5">3.2.5.11.</span> microvm-host</h5>
+<div id="outline-container-org23c703f" class="outline-5">
+<h5 id="org23c703f"><span class="section-number-5">3.2.5.11.</span> microvm-host</h5>
 <div class="outline-text-5" id="text-3-2-5-11">
 <p>
 Some standard options that should be set for every microvm host.
@@ -12205,8 +12205,8 @@ Some standard options that should be set for every microvm host.
 </div>
 </div>
 </div>
-<div id="outline-container-org5500ccc" class="outline-5">
-<h5 id="org5500ccc"><span class="section-number-5">3.2.5.12.</span> microvm-guest</h5>
+<div id="outline-container-orgcfb6a06" class="outline-5">
+<h5 id="orgcfb6a06"><span class="section-number-5">3.2.5.12.</span> microvm-guest</h5>
 <div class="outline-text-5" id="text-3-2-5-12">
 <p>
 Some standard options that should be set vor every microvm guest. We set the default
@@ -13276,8 +13276,8 @@ nix-index provides a way to find out which packages are provided by which deriva
 </div>
 </div>
 </div>
-<div id="outline-container-orgef57e77" class="outline-5">
-<h5 id="orgef57e77"><span class="section-number-5">3.3.1.15.</span> nix-your-shell</h5>
+<div id="outline-container-orgf81635c" class="outline-5">
+<h5 id="orgf81635c"><span class="section-number-5">3.3.1.15.</span> nix-your-shell</h5>
 <div class="outline-text-5" id="text-3-3-1-15">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -14990,8 +14990,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org44c9877" class="outline-6">
-<h6 id="org44c9877"><span class="section-number-6">3.3.1.31.6.</span> blueman-applet</h6>
+<div id="outline-container-org0c2d462" class="outline-6">
+<h6 id="org0c2d462"><span class="section-number-6">3.3.1.31.6.</span> blueman-applet</h6>
 <div class="outline-text-6" id="text-3-3-1-31-6">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -15005,8 +15005,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org163a2af" class="outline-6">
-<h6 id="org163a2af"><span class="section-number-6">3.3.1.31.7.</span> network-manager-applet</h6>
+<div id="outline-container-org65c057e" class="outline-6">
+<h6 id="org65c057e"><span class="section-number-6">3.3.1.31.7.</span> network-manager-applet</h6>
 <div class="outline-text-6" id="text-3-3-1-31-7">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -15021,8 +15021,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-orgd6b832c" class="outline-6">
-<h6 id="orgd6b832c"><span class="section-number-6">3.3.1.31.8.</span> obsidian service for tray</h6>
+<div id="outline-container-org194e70e" class="outline-6">
+<h6 id="org194e70e"><span class="section-number-6">3.3.1.31.8.</span> obsidian service for tray</h6>
 <div class="outline-text-6" id="text-3-3-1-31-8">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -15056,8 +15056,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org7b3c601" class="outline-6">
-<h6 id="org7b3c601"><span class="section-number-6">3.3.1.31.9.</span> anki service for tray</h6>
+<div id="outline-container-org080d87e" class="outline-6">
+<h6 id="org080d87e"><span class="section-number-6">3.3.1.31.9.</span> anki service for tray</h6>
 <div class="outline-text-6" id="text-3-3-1-31-9">
 <p>
 Sets up a systemd user service for anki that does not stall the shutdown process. Note that the outcommented <code>ExecStart</code> does not work because the home-manager anki package builds a separate anki package that - I think - cannot be referenced as no such expression exists in the module.
@@ -15104,8 +15104,8 @@ Sets up a systemd user service for anki that does not stall the shutdown process
 </div>
 </div>
 </div>
-<div id="outline-container-orgaea42f4" class="outline-6">
-<h6 id="orgaea42f4"><span class="section-number-6">3.3.1.31.10.</span> element service for tray</h6>
+<div id="outline-container-org89d97b2" class="outline-6">
+<h6 id="org89d97b2"><span class="section-number-6">3.3.1.31.10.</span> element service for tray</h6>
 <div class="outline-text-6" id="text-3-3-1-31-10">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -15139,8 +15139,8 @@ Sets up a systemd user service for anki that does not stall the shutdown process
 </div>
 </div>
 </div>
-<div id="outline-container-org030b0b2" class="outline-6">
-<h6 id="org030b0b2"><span class="section-number-6">3.3.1.31.11.</span> vesktop service for tray</h6>
+<div id="outline-container-orgbf0d5d2" class="outline-6">
+<h6 id="orgbf0d5d2"><span class="section-number-6">3.3.1.31.11.</span> vesktop service for tray</h6>
 <div class="outline-text-6" id="text-3-3-1-31-11">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -16068,8 +16068,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org2444730" class="outline-5">
-<h5 id="org2444730"><span class="section-number-5">3.3.1.38.</span> Obsidian</h5>
+<div id="outline-container-org0fd890d" class="outline-5">
+<h5 id="org0fd890d"><span class="section-number-5">3.3.1.38.</span> Obsidian</h5>
 <div class="outline-text-5" id="text-3-3-1-38">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, nixosConfig ? config, ... }:
@@ -16226,8 +16226,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org7ee88af" class="outline-5">
-<h5 id="org7ee88af"><span class="section-number-5">3.3.1.39.</span> Anki</h5>
+<div id="outline-container-org3633af4" class="outline-5">
+<h5 id="org3633af4"><span class="section-number-5">3.3.1.39.</span> Anki</h5>
 <div class="outline-text-5" id="text-3-3-1-39">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, globals, nixosConfig ? config, ... }:
@@ -16299,8 +16299,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org4137b9c" class="outline-5">
-<h5 id="org4137b9c"><span class="section-number-5">3.3.1.40.</span> Element-desktop</h5>
+<div id="outline-container-orge6e7054" class="outline-5">
+<h5 id="orge6e7054"><span class="section-number-5">3.3.1.40.</span> Element-desktop</h5>
 <div class="outline-text-5" id="text-3-3-1-40">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16336,8 +16336,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orge83b29c" class="outline-5">
-<h5 id="orge83b29c"><span class="section-number-5">3.3.1.41.</span> Hexchat</h5>
+<div id="outline-container-org5b44f01" class="outline-5">
+<h5 id="org5b44f01"><span class="section-number-5">3.3.1.41.</span> Hexchat</h5>
 <div class="outline-text-5" id="text-3-3-1-41">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, nixosConfig ? config, ... }:
@@ -16361,8 +16361,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgc6e077d" class="outline-5">
-<h5 id="orgc6e077d"><span class="section-number-5">3.3.1.42.</span> obs-studio</h5>
+<div id="outline-container-org1a7342e" class="outline-5">
+<h5 id="org1a7342e"><span class="section-number-5">3.3.1.42.</span> obs-studio</h5>
 <div class="outline-text-5" id="text-3-3-1-42">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16382,8 +16382,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org61af274" class="outline-5">
-<h5 id="org61af274"><span class="section-number-5">3.3.1.43.</span> spotify-player</h5>
+<div id="outline-container-org17f157b" class="outline-5">
+<h5 id="org17f157b"><span class="section-number-5">3.3.1.43.</span> spotify-player</h5>
 <div class="outline-text-5" id="text-3-3-1-43">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16403,8 +16403,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orga884d29" class="outline-5">
-<h5 id="orga884d29"><span class="section-number-5">3.3.1.44.</span> vesktop</h5>
+<div id="outline-container-orgcc87d9f" class="outline-5">
+<h5 id="orgcc87d9f"><span class="section-number-5">3.3.1.44.</span> vesktop</h5>
 <div class="outline-text-5" id="text-3-3-1-44">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16490,8 +16490,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org86c0973" class="outline-5">
-<h5 id="org86c0973"><span class="section-number-5">3.3.1.45.</span> batsignal</h5>
+<div id="outline-container-org4ee72a0" class="outline-5">
+<h5 id="org4ee72a0"><span class="section-number-5">3.3.1.45.</span> batsignal</h5>
 <div class="outline-text-5" id="text-3-3-1-45">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16523,8 +16523,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org503cbe5" class="outline-5">
-<h5 id="org503cbe5"><span class="section-number-5">3.3.1.46.</span> autotiling</h5>
+<div id="outline-container-org0e92abf" class="outline-5">
+<h5 id="org0e92abf"><span class="section-number-5">3.3.1.46.</span> autotiling</h5>
 <div class="outline-text-5" id="text-3-3-1-46">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -16545,8 +16545,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgf1d300b" class="outline-5">
-<h5 id="orgf1d300b"><span class="section-number-5">3.3.1.47.</span> swayidle</h5>
+<div id="outline-container-orgaa61d53" class="outline-5">
+<h5 id="orgaa61d53"><span class="section-number-5">3.3.1.47.</span> swayidle</h5>
 <div class="outline-text-5" id="text-3-3-1-47">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -16587,8 +16587,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org3b0dfc9" class="outline-5">
-<h5 id="org3b0dfc9"><span class="section-number-5">3.3.1.48.</span> swaylock</h5>
+<div id="outline-container-org6d6098e" class="outline-5">
+<h5 id="org6d6098e"><span class="section-number-5">3.3.1.48.</span> swaylock</h5>
 <div class="outline-text-5" id="text-3-3-1-48">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@@ -19808,8 +19808,8 @@ writeShellApplication {
 </div>
 </div>
 </div>
-<div id="outline-container-orgc62e7de" class="outline-4">
-<h4 id="orgc62e7de"><span class="section-number-4">3.5.34.</span> endme</h4>
+<div id="outline-container-orgd874e4c" class="outline-4">
+<h4 id="orgd874e4c"><span class="section-number-4">3.5.34.</span> endme</h4>
 <div class="outline-text-4" id="text-3-5-34">
 <p>
 Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session.
@@ -19830,8 +19830,8 @@ writeShellApplication {
 </div>
 </div>
 </div>
-<div id="outline-container-orge3590e8" class="outline-4">
-<h4 id="orge3590e8"><span class="section-number-4">3.5.35.</span> git-replace</h4>
+<div id="outline-container-org0eb85f0" class="outline-4">
+<h4 id="org0eb85f0"><span class="section-number-4">3.5.35.</span> git-replace</h4>
 <div class="outline-text-4" id="text-3-5-35">
 <p>
 This script allows for quick git replace of a string.
@@ -19993,8 +19993,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org30fc974" class="outline-5">
-<h5 id="org30fc974"><span class="section-number-5">3.6.1.3.</span> Optionals</h5>
+<div id="outline-container-orgc7b0115" class="outline-5">
+<h5 id="orgc7b0115"><span class="section-number-5">3.6.1.3.</span> Optionals</h5>
 <div class="outline-text-5" id="text-3-6-1-3">
 <div class="org-src-container">
 <pre class="src src-nix-ts">{ lib, config, ... }:
@@ -20737,6 +20737,10 @@ Used here: <a href="#h:b92a18cf-eec3-4605-a8c2-37133ade3574">mu4e</a>
       (when-let ((dest (swarsel/mu4e-rfs--matching-address)))
         (cl-destructuring-bind (from-user from-addr) dest
           (setq user-mail-address from-addr)
+          (when (and (boundp 'user-mail-address)
+                     (stringp user-mail-address)
+                     (string-equal user-mail-address (getenv "SWARSEL_MAIL_WORK")))
+            (mml-secure-message-sign-smime))
           (message-position-on-field "From")
           (message-beginning-of-line)
           (delete-region (point) (line-end-position))
@@ -23846,7 +23850,7 @@ The hook functions are defined here: <a href="#h:34506761-06b9-43b5-a818-506d9b3
   (setq mu4e-mu-binary (executable-find "mu"))
   (setq mu4e-hide-index-messages t)
 
-  (setq mu4e-update-interval 180)
+  (setq mu4e-update-interval 60)
   (setq mu4e-get-mail-command "mbsync -a")
   (setq mu4e-maildir "~/Mail")
 
@@ -23906,8 +23910,8 @@ This adds the simple utility of sending desktop notifications whenever a new mai
 </div>
 </div>
 </div>
-<div id="outline-container-org234e39c" class="outline-5">
-<h5 id="org234e39c"><span class="section-number-5">4.4.39.3.</span> Work: Signing Mails (S/MIME, smime)</h5>
+<div id="outline-container-org86f5cec" class="outline-5">
+<h5 id="org86f5cec"><span class="section-number-5">4.4.39.3.</span> Work: Signing Mails (S/MIME, smime)</h5>
 <div class="outline-text-5" id="text-4-4-39-3">
 <p>
 Used to automatically sign messages sent from my work email address using S/MIME certificate.
@@ -24191,8 +24195,8 @@ Also see `prot-window-delete-popup-frame'." command)
 This sections is no longer used really. An introduction can be found in <a href="#h:bcc3ebbe-df8a-46bd-b42d-73aad6fc66e5">Structure of this file</a> under the historical note. The little noweb-ref blocks that I still use are found in <a href="#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">Hosts</a> and <a href="#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">Services</a>.
 </p>
 </div>
-<div id="outline-container-orge8ed16b" class="outline-3">
-<h3 id="orge8ed16b"><span class="section-number-3">5.1.</span> General steps when setting up a new machine</h3>
+<div id="outline-container-orga485a52" class="outline-3">
+<h3 id="orga485a52"><span class="section-number-3">5.1.</span> General steps when setting up a new machine</h3>
 <div class="outline-text-3" id="text-5-1">
 <p>
 These general steps are needed when setting up a new machine and do not fit into another block well:
@@ -27136,7 +27140,7 @@ similarly, there exists an version that starts from the right.
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-10-21 Di 21:37</p>
+<p class="date">Created: 2025-10-21 Di 21:55</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>

From 4c06f0055554b889fe830b74652a801a7d2256ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Tue, 21 Oct 2025 22:19:08 +0200
Subject: [PATCH 7/7] fix[client]: make emacs mail notifications work

---
 SwarselSystems.org  | 19 +++++++++++++++++--
 files/emacs/init.el | 19 +++++++++++++++++--
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/SwarselSystems.org b/SwarselSystems.org
index a965aca..66cfd59 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -21836,6 +21836,10 @@ The hook functions are defined here: [[#h:34506761-06b9-43b5-a818-506d9b3faf28][
     (setq mu4e-mu-binary (executable-find "mu"))
     (setq mu4e-hide-index-messages t)
 
+    ;; this is so that messages that target multiple addresses still are individually shown in the unreads
+    ;; this is needed because otherwise after closing the view there will still be an unread message
+    (setq mu4e-search-skip-duplicates nil)
+
     (setq mu4e-update-interval 60)
     (setq mu4e-get-mail-command "mbsync -a")
     (setq mu4e-maildir "~/Mail")
@@ -21885,9 +21889,20 @@ This adds the simple utility of sending desktop notifications whenever a new mai
 
   (use-package mu4e-alert
     :config
-    (setq mu4e-alert-set-default-style 'libnotify))
+    (mu4e-alert-enable-notifications)
+    (mu4e-alert-set-default-style 'libnotify)
+    (setq mu4e-alert-interesting-mail-query
+          (concat "(maildir:/leon/Inbox AND date:today..now"
+                  " OR maildir:/work/Inbox AND date:today..now)"
+                  " AND flag:unread"))
+    (alert-add-rule
+     :category "mu4e-alert"
+     :predicate (lambda (_) (string-match-p "^mu4e-" (symbol-name major-mode)))
+     :continue t)
 
-  (add-hook 'after-init-hook #'mu4e-alert-enable-notifications)
+
+    (add-hook 'after-init-hook #'mu4e-alert-enable-notifications)
+    )
 
   (mu4e t)
 #+end_src
diff --git a/files/emacs/init.el b/files/emacs/init.el
index ef36c52..6c07bbb 100644
--- a/files/emacs/init.el
+++ b/files/emacs/init.el
@@ -1564,6 +1564,10 @@ create a new one."
   (setq mu4e-mu-binary (executable-find "mu"))
   (setq mu4e-hide-index-messages t)
 
+  ;; this is so that messages that target multiple addresses still are individually shown in the unreads
+  ;; this is needed because otherwise after closing the view there will still be an unread message
+  (setq mu4e-search-skip-duplicates nil)
+
   (setq mu4e-update-interval 60)
   (setq mu4e-get-mail-command "mbsync -a")
   (setq mu4e-maildir "~/Mail")
@@ -1603,9 +1607,20 @@ create a new one."
 
 (use-package mu4e-alert
   :config
-  (setq mu4e-alert-set-default-style 'libnotify))
+  (mu4e-alert-enable-notifications)
+  (mu4e-alert-set-default-style 'libnotify)
+  (setq mu4e-alert-interesting-mail-query
+        (concat "(maildir:/leon/Inbox AND date:today..now"
+                " OR maildir:/work/Inbox AND date:today..now)"
+                " AND flag:unread"))
+  (alert-add-rule
+   :category "mu4e-alert"
+   :predicate (lambda (_) (string-match-p "^mu4e-" (symbol-name major-mode)))
+   :continue t)
 
-(add-hook 'after-init-hook #'mu4e-alert-enable-notifications)
+
+  (add-hook 'after-init-hook #'mu4e-alert-enable-notifications)
+  )
 
 (mu4e t)