diff --git a/.github/README.md b/.github/README.md
index d5d7313..a8e9428 100644
--- a/.github/README.md
+++ b/.github/README.md
@@ -149,17 +149,16 @@ Alternatively, to install this from any NixOS live ISO, run `nix run --experimen
 | Name | Hardware | Use |
 |--------------------|-----------------------------------------------------|------------------------------------------------------|
-|πŸ’» **pyramid** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop |
-|πŸ’» **bakery** | Lenovo Ideapad 720S-13IKB | Personal lapto |
-|πŸ’» **machpizza** | MacBook Pro 2016 | MacOS sandbox |
+|πŸ’» **nbl-imba-2** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop |
+|πŸ’» **nbm-imba-166** | MacBook Pro 2016 | MacOS Sandbox |
 |πŸ–₯️ **winters** | ASRock J4105-ITX, 32GB RAM | Main homeserver and data storgae |
-|πŸ–₯️ **milkywell** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks |
+|πŸ–₯️ **milkywell** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks |
 |πŸ–₯️ **moonside** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services |
 |πŸ“± **magicant** | Samsung Galaxy Z Flip 6 | Phone |
 |πŸ’Ώ **drugstore** | - | ISO installer configuration |
 |❔ **chaotheatre** | - | Demo config for checking out my configurtion |
 |❔ **toto** | - | Helper configuration for bootstrapping a new system |
-|🏠 **treehouse** | - | Reference configuration for a home-manager only host |
+|🏠 **Treehouse** | - | Reference configuration for a home-manager only host |
 ## General Nix tips & useful links
diff --git a/.sops.yaml b/.sops.yaml
index a8bf631..e4e01e0 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,7 +7,6 @@ keys:
 - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
 - &hosts
 - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
- - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
 - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
 - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
 - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
@@ -20,7 +19,6 @@ creation_rules:
 - *swarsel
 age:
 - *winters
- - *bakery
 - *toto
 - *surface
 - *nbl
@@ -32,7 +30,6 @@ creation_rules:
 - *swarsel
 age:
 - *winters
- - *bakery
 - *toto
 - *surface
 - *nbl
@@ -44,7 +41,6 @@ creation_rules:
 - *swarsel
 age:
 - *nbl
- - *bakery
 - *toto
 - *surface
 - *winters
@@ -61,12 +57,6 @@ creation_rules:
 - *swarsel
 age:
 - *moonside
- - path_regex: secrets/bakery/secrets.yaml
- key_groups:
- - pgp:
- - *swarsel
- age:
- - *bakery
 - path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - pgp:
@@ -103,12 +93,6 @@ creation_rules:
 - *swarsel
 age:
 - *milkywell
- - path_regex: hosts/nixos/bakery/secrets/pii.nix.enc
- key_groups:
- - pgp:
- - *swarsel
- age:
- - *bakery
 - path_regex: hosts/nixos/moonside/secrets/pii.nix.enc
 key_groups:
 - pgp:
diff --git a/SwarselSystems.org b/SwarselSystems.org
index 14d08ba..29cd94b 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -221,17 +221,16 @@ Here I give a brief overview over the hostmachines that I am using. This is held
 #+begin_src markdown :tangle no :noweb-ref hosts
 | Name | Hardware | Use |
 |--------------------|-----------------------------------------------------|------------------------------------------------------|
- |πŸ’» **pyramid** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop |
- |πŸ’» **bakery** | Lenovo Ideapad 720S-13IKB | Personal lapto |
- |πŸ’» **machpizza** | MacBook Pro 2016 | MacOS sandbox |
+ |πŸ’» **nbl-imba-2** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop |
+ |πŸ’» **nbm-imba-166** | MacBook Pro 2016 | MacOS Sandbox |
 |πŸ–₯️ **winters** | ASRock J4105-ITX, 32GB RAM | Main homeserver and data storgae |
- |πŸ–₯️ **milkywell** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks |
+ |πŸ–₯️ **milkywell** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks |
 |πŸ–₯️ **moonside** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services |
 |πŸ“± **magicant** | Samsung Galaxy Z Flip 6 | Phone |
 |πŸ’Ώ **drugstore** | - | ISO installer configuration |
 |❔ **chaotheatre** | - | Demo config for checking out my configurtion |
 |❔ **toto** | - | Helper configuration for bootstrapping a new system |
- |🏠 **treehouse** | - | Reference configuration for a home-manager only host |
+ |🏠 **Treehouse** | - | Reference configuration for a home-manager only host |
 #+end_src
 ** Programs
@@ -452,6 +451,11 @@ When setting this option normally, the password would normally be written world-
 url = "github:cachix/git-hooks.nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ nix-secrets = {
+ url = "git+ssh://git@github.com/Swarsel/nix-secrets.git?ref=main&shallow=1";
+ flake = false;
+ inputs = { };
+ };
 vbc-nix = {
 url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main";
 inputs.nixpkgs.follows = "nixpkgs";
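Review bot: The new `nix-secrets` input is declared with `flake = false`, so the whole private repository is fetched into the Nix store of every machine that evaluates this flake, and the store is world-readable; that is only acceptable if every file in that repository is encrypted at rest, which the surrounding sops setup suggests but nothing in this hunk records. A comment above the input such as `# non-flake source: copied into the world-readable store, so only sops-encrypted files may live in this repo` would pin that constraint for the next person who adds a file there. The `inputs = { };` attribute on a non-flake input declares no overrides and could be dropped. The enclosing `inputs` attribute set starts and ends outside the hunk.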
@@ -788,92 +792,90 @@ The structure of =globals.nix.enc= requires a toplevel =globals=. # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); mkNixosHost = { minimal }: configName: - lib.nixosSystem { - specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; - modules = [ - inputs.disko.nixosModules.disko - inputs.sops-nix.nixosModules.sops - inputs.impermanence.nixosModules.impermanence - inputs.lanzaboote.nixosModules.lanzaboote - inputs.nix-topology.nixosModules.default - inputs.home-manager.nixosModules.home-manager - inputs.stylix.nixosModules.stylix - inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm - "${self}/hosts/nixos/${configName}" - "${self}/profiles/nixos" - "${self}/modules/nixos" - { - node = { - name = configName; - secretsDir = ../hosts/nixos/${configName}/secrets; - }; - } - ]; - }; + lib.nixosSystem { + specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; + modules = [ + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops + inputs.impermanence.nixosModules.impermanence + inputs.lanzaboote.nixosModules.lanzaboote + inputs.nix-topology.nixosModules.default + inputs.home-manager.nixosModules.home-manager + "${self}/hosts/nixos/${configName}" + "${self}/profiles/nixos" + "${self}/modules/nixos" + { + node = { + name = configName; + secretsDir = ../hosts/nixos/${configName}/secrets; + }; + } + ]; + }; mkDarwinHost = { minimal }: configName: - inputs.nix-darwin.lib.darwinSystem { - specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; - modules = [ - # inputs.disko.nixosModules.disko - # inputs.sops-nix.nixosModules.sops - # inputs.impermanence.nixosModules.impermanence - # inputs.lanzaboote.nixosModules.lanzaboote - # inputs.fw-fanctrl.nixosModules.default - # 
inputs.nix-topology.nixosModules.default - inputs.home-manager.darwinModules.home-manager - "${self}/hosts/darwin/${configName}" - "${self}/modules/nixos/darwin" - # needed for infrastructure - "${self}/modules/nixos/common/meta.nix" - "${self}/modules/nixos/common/globals.nix" - { - node.name = configName; - node.secretsDir = ../hosts/darwin/${configName}/secrets; - } - ]; - }; + inputs.nix-darwin.lib.darwinSystem { + specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; + modules = [ + # inputs.disko.nixosModules.disko + # inputs.sops-nix.nixosModules.sops + # inputs.impermanence.nixosModules.impermanence + # inputs.lanzaboote.nixosModules.lanzaboote + # inputs.fw-fanctrl.nixosModules.default + # inputs.nix-topology.nixosModules.default + inputs.home-manager.darwinModules.home-manager + "${self}/hosts/darwin/${configName}" + "${self}/modules/nixos/darwin" + # needed for infrastructure + "${self}/modules/nixos/common/meta.nix" + "${self}/modules/nixos/common/globals.nix" + { + node.name = configName; + node.secretsDir = ../hosts/darwin/${configName}/secrets; + } + ]; + }; mkHalfHost = configName: type: pkgs: { ${configName} = let systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; in - systemFunc - { - inherit pkgs; - extraSpecialArgs = { inherit inputs outputs lib self configName; }; - modules = [ "${self}/hosts/${type}/${configName}" ]; - }; + systemFunc + { + inherit pkgs; + extraSpecialArgs = { inherit inputs outputs lib self configName; }; + modules = [ "${self}/hosts/${type}/${configName}" ]; + }; }; mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (name: mkHalfHost name type pkgs) hosts); nixosHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/nixos")); darwinHosts = builtins.attrNames (lib.filterAttrs (_: type: type == 
"directory") (builtins.readDir "${self}/hosts/darwin")); in - { - nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { - minimal = false; - }); - nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { - minimal = true; - }); - darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = false; - }); - darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = true; - }); + { + nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { + minimal = false; + }); + nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { + minimal = true; + }); + darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { + minimal = false; + }); + darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { + minimal = true; + }); - # TODO: Build these for all architectures - homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux; - nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux; + # TODO: Build these for all architectures + homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux; + nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux; - diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; + diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; - nodes = config.nixosConfigurations // config.darwinConfigurations; + nodes = config.nixosConfigurations // config.darwinConfigurations; - }; + }; } #+end_src 
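Review bot: The only behavioural change in this hunk, dropping `inputs.stylix.nixosModules.stylix` and `inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm` from the `mkNixosHost` module list, is buried in a re-indent of roughly ninety lines and is easy to miss. The two modules appear to be re-added under `modules/nixos/client/default.nix` later in this diff, so any host that does not import the client profile (servers, the installer) no longer has the `stylix.*` option tree, and a host that still sets one of those options would fail to evaluate. Splitting the formatting change from the module move, or at least a one-line comment at the former position (`# stylix / nswitch-rcm are imported by modules/nixos/client/default.nix`), would keep the move traceable.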
@@ -1008,7 +1010,7 @@ The structure of =globals.nix.enc= requires a toplevel =globals=.
 connections = {
 eth2 = mkConnection "nswitch" "eth1";
 eth7 = mkConnection "pc" "eth1";
- eth8 = mkConnection "pyramid" "eth1";
+ eth8 = mkConnection "nbl-imba-2" "eth1";
 };
 };
@@ -1024,7 +1026,7 @@ The structure of =globals.nix.enc= requires a toplevel =globals=.
 interfaces.eth1 = { };
 };
- pyramid.interfaces.eth1 = { };
+ nbl-imba-2.interfaces.eth1 = { };
 switch-bedroom = mkSwitch "Switch Bedroom" {
 info = "TL-SG1005D";
@@ -1440,9 +1442,6 @@ Lastly, I add some of my own library functions to be used alongside the function
 }
 #+end_src
 ** Installer iso
-:PROPERTIES:
-:CUSTOM_ID: h:1d1ccae5-62ca-4d37-a28e-c59987850ed2
-:END:
 #+begin_src nix-ts :tangle nix/iso.nix
 { self, inputs, ... }:
@@ -1468,9 +1467,6 @@ Lastly, I add some of my own library functions to be used alongside the function
 }
 #+end_src
 ** Installer flake
-:PROPERTIES:
-:CUSTOM_ID: h:1d4514b4-e952-4faf-b30e-d89e73a526c6
-:END:
 #+begin_src nix-ts :tangle install/flake.nix
 {
@@ -1709,7 +1705,7 @@ Acceptance of arbitraty argumments is here needed because =disko= passes =diskoF
 This is a list of all physical machines that I maintain.
-**** pyramid (Framework Laptop 16)
+**** nbl-imba-2 (Framework Laptop 16)
 :PROPERTIES:
 :CUSTOM_ID: h:6c6e9261-dfa1-42d8-ab2a-8b7c227be6d9
 :END:
@@ -1720,7 +1716,7 @@ My work machine. Built for more security, this is the gold standard of my config
 :PROPERTIES:
 :CUSTOM_ID: h:567c0055-f5f7-4e53-8f13-d767d7166e9d
 :END:
-#+begin_src nix-ts :tangle hosts/nixos/pyramid/default.nix
+#+begin_src nix-ts :tangle hosts/nixos/nbl-imba-2/default.nix
 { self, config, inputs, lib, minimal, ... }:
 let
 primaryUser = config.swarselsystems.mainUser;
@@ -1809,7 +1805,7 @@ My work machine. Built for more security, this is the gold standard of my config
 :CUSTOM_ID: h:25115a54-c634-4896-9a41-254064ce9fcc
 :END:
-#+begin_src nix-ts :tangle hosts/nixos/pyramid/hardware-configuration.nix
+#+begin_src nix-ts :tangle hosts/nixos/nbl-imba-2/hardware-configuration.nix
 { config, lib, pkgs, modulesPath, ... }:
 {
 imports =
@@ -1886,7 +1882,7 @@ My work machine. Built for more security, this is the gold standard of my config
 :CUSTOM_ID: h:e0da04c7-4199-44b0-b525-6cfc64072b45
 :END:
-#+begin_src nix-ts :tangle hosts/nixos/pyramid/disk-config.nix
+#+begin_src nix-ts :tangle hosts/nixos/nbl-imba-2/disk-config.nix
 {
 disko.devices = {
 disk = {
@@ -1968,249 +1964,6 @@ My work machine. Built for more security, this is the gold standard of my config }; } -#+end_src -**** Bakery (Lenovo ThinkPad) -:PROPERTIES: -:CUSTOM_ID: h:a320569e-7bf0-4552-9039-b2a8e0939a12 -:END: - -My personal laptop. - -***** Main Configuration -:PROPERTIES: -:CUSTOM_ID: h:6f80d614-d76a-433b-8956-78d7b323b68c -:END: -#+begin_src nix-ts :tangle hosts/nixos/bakery/default.nix - { self, config, inputs, lib, minimal, ... }: - let - primaryUser = config.swarselsystems.mainUser; - sharedOptions = { - isLaptop = true; - isNixos = true; - isBtrfs = true; - isLinux = true; - sharescreen = "eDP-1"; - profiles = { - reduced = lib.mkIf (!minimal) true; - minimal = lib.mkIf minimal true; - }; - }; - in - { - - imports = [ - inputs.nixos-hardware.nixosModules.common-cpu-intel - - ./disk-config.nix - ./hardware-configuration.nix - - ]; - - - swarselsystems = lib.recursiveUpdate - { - info = "Lenovo ThinkPad"; - firewall = lib.mkForce true; - wallpaper = self + /files/wallpaper/lenovowp.png; - hasBluetooth = true; - hasFingerprint = true; - isImpermanence = true; - isSecureBoot = false; - isCrypted = true; - isSwap = true; - rootDisk = "/dev/nvme0n1"; - swapSize = "4G"; - hostName = config.node.name; - profiles = { - btrfs = true; - }; - } - sharedOptions; - - home-manager.users."${primaryUser}" = { - # home.stateVersion = lib.mkForce "23.05"; - swarselsystems = lib.recursiveUpdate - { - lowResolution = "1280x800"; - highResolution = "1920x1080"; - monitors = { - main = { - name = "LG Display 0x04EF Unknown"; - mode = "1920x1080"; # TEMPLATE - scale = "1"; - position = "1920,0"; - workspace = "15:L"; - output = "eDP-1"; - }; - }; - } - sharedOptions; - }; - } - - - -#+end_src - -***** hardware-configuration -:PROPERTIES: -:CUSTOM_ID: h:bbba1646-fb5f-4d04-baf0-f606037a8b39 -:END: - -#+begin_src nix-ts :tangle hosts/nixos/bakery/hardware-configuration.nix - # Do not modify this file! 
It was generated by β€˜nixos-generate-config’ - # and may be overwritten by future invocations. Please make changes - # to /etc/nixos/configuration.nix instead. - { config, lib, modulesPath, ... }: - - { - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot = { - initrd = { - availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; - kernelModules = [ ]; - }; - kernelModules = [ ]; - extraModulePackages = [ ]; - }; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - } -#+end_src -***** disko -:PROPERTIES: -:CUSTOM_ID: h:72444f85-7951-47c0-858f-b51d8299de8c -:END: - -#+begin_src nix-ts :tangle hosts/nixos/bakery/disk-config.nix - { lib, pkgs, config, rootDisk, ... }: - let - type = "btrfs"; - extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "subvol=root" - "compress=zstd" - "noatime" - ]; - }; - "/home" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/home"; - mountOptions = [ - "subvol=home" - "compress=zstd" - "noatime" - ]; - }; - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/persist"; - mountOptions = [ - "subvol=persist" - "compress=zstd" - "noatime" - ]; - }; - "/log" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/var/log"; - mountOptions = [ - "subvol=log" - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "subvol=nix" - "compress=zstd" - "noatime" - ]; - }; - "/swap" = lib.mkIf config.swarselsystems.isSwap { - mountpoint = "/.swapvol"; - swap.swapfile.size = config.swarselsystems.swapSize; - }; - }; - in - { - disko.devices = { - disk = { - disk0 = { - type = "disk"; - device = config.swarselsystems.rootDisk; - content = { - type = "gpt"; - partitions = { - ESP = { - priority = 1; - name = "ESP"; - size = "512M"; - type = 
"EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - root = lib.mkIf (!config.swarselsystems.isCrypted) { - size = "100%"; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - luks = lib.mkIf config.swarselsystems.isCrypted { - size = "100%"; - content = { - type = "luks"; - name = "cryptroot"; - passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh - settings = { - allowDiscards = true; - # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 - crypttabExtraOpts = [ - "fido2-device=auto" - "token-timeout=10" - ]; - }; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - }; - }; - }; - }; - }; - }; - - fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - - environment.systemPackages = [ - pkgs.yubikey-manager - ]; - } - #+end_src **** Winters (Server) :PROPERTIES: @@ -2230,7 +1983,6 @@ This is my main server that I run at home. It handles most tasks that require bi sharedOptions = { isBtrfs = false; isLinux = true; - isNixos = true; profiles = { server.local = true; }; 
@@ -2327,14 +2079,14 @@ This is my main server that I run at home. It handles most tasks that require bi
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
 #+end_src
-**** machpizza (MacBook Pro)
+**** nbm-imba-166 (MacBook Pro)
 :PROPERTIES:
 :CUSTOM_ID: h:28e1a7eb-356b-4015-83f7-9c552c8c0e9d
 :END:
 A Mac notebook that I have received from work. I use this machine for getting accustomed to the Apple ecosystem as well as as a sandbox for nix-darwin configurations.
-#+begin_src nix-ts :tangle hosts/darwin/machpizza/default.nix
+#+begin_src nix-ts :tangle hosts/darwin/nbm-imba-166/default.nix
 { lib, config, ... }:
 let
 inherit (config.repo.secrets.local) workUser;
@@ -2446,49 +2198,168 @@ This machine mainly acts as an external sync helper. It manages the following th :END: #+begin_src nix-ts :tangle hosts/nixos/milkywell/default.nix - { lib, config, minimal, ... }: + { lib, config, globals, ... }: let primaryUser = config.swarselsystems.mainUser; sharedOptions = { - isBtrfs = true; + isBtrfs = false; isLinux = true; - isNixos = true; - }; - profiles = { - minimal = lib.mkIf minimal true; }; + inherit (config.repo.secrets.common) workHostName; + inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; + serviceDomain = config.repo.secrets.common.services.domains.syncthing2; in { imports = [ ./hardware-configuration.nix - ./disk-config.nix ]; - boot = { - loader.systemd-boot.enable = true; - tmp.cleanOnBoot = true; + sops = { + defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/milkywell/secrets.yaml"; }; + boot = { + tmp.cleanOnBoot = true; + loader.grub.device = "nodev"; + }; + zramSwap.enable = false; + networking = { nftables.enable = lib.mkForce false; hostName = "milkywell"; - enableIPv6 = true; + enableIPv6 = false; domain = "subnet03112148.vcn03112148.oraclevcn.com"; + firewall = { + allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ]; + allowedUDPPorts = [ 21027 22000 ]; + extraCommands = '' + iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT + iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT + iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT + ''; + }; }; hardware = { enableAllFirmware = lib.mkForce false; }; + 
system.stateVersion = "23.11"; + + globals.services."syncthing-${config.networking.hostName}".domain = serviceDomain; + + services = { + nginx = { + virtualHosts = { + ${serviceDomain} = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:8384"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + }; + }; + + syncthing = { + enable = true; + guiAddress = "0.0.0.0:8384"; + openDefaultPorts = true; + relay.enable = false; + settings = { + urAccepted = -1; + devices = { + "magicant" = { + id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO"; + }; + "winters" = { + id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + "${workHostName}" = { + id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; + }; + "${dev1}" = { + id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7"; + }; + "${dev2}" = { + id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH"; + }; + "${dev3}" = { + id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR"; + }; + }; + folders = { + "Default Folder" = lib.mkForce { + path = "/var/lib/syncthing/Sync"; + type = "receiveonly"; + versioning = null; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "default"; + }; + "Obsidian" = { + path = "/var/lib/syncthing/Obsidian"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "yjvni-9eaa7"; + }; + "Org" = { + path = "/var/lib/syncthing/Org"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "a7xnl-zjj3d"; + }; + "Vpn" = { + path = "/var/lib/syncthing/Vpn"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "hgp9s-fyq3p"; 
+ }; + "${loc1}" = { + path = "/var/lib/syncthing/${loc1}"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "3"; + }; + devices = [ dev1 dev2 dev3 ]; + id = "5gsxv-rzzst"; + }; + }; + }; + }; + }; + swarselsystems = lib.recursiveUpdate { info = "VM.Standard.E2.1.Micro"; - isImpermanence = true; + flakePath = "/root/.dotfiles"; + isImpermanence = false; isSecureBoot = false; - isCrypted = true; - isSwap = true; - rootDisk = "/dev/sda"; - swapSize = "4G"; + isCrypted = false; profiles = { server.syncserver = true; }; @@ -2496,6 +2367,7 @@ This machine mainly acts as an external sync helper. It manages the following th sharedOptions; home-manager.users."${primaryUser}" = { + home.stateVersion = lib.mkForce "23.05"; swarselsystems = lib.recursiveUpdate { } sharedOptions; @@ -2522,6 +2394,22 @@ This machine mainly acts as an external sync helper. It manages the following th extraModulePackages = [ ]; }; + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a"; + fsType = "xfs"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/2B75-2AD5"; + fsType = "vfat"; + }; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; } + ]; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction 
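Review bot: `guiAddress = "0.0.0.0:8384"` combined with `8384` in `networking.firewall.allowedTCPPorts` (and the matching `--dport 8384` rule in `extraCommands`) exposes the Syncthing GUI and REST API directly on the cloud VM's public interface, by default over plain HTTP and with nothing in this hunk configuring GUI authentication, which bypasses the nginx virtual host that was added to front it with ACME TLS; binding it as `guiAddress = "127.0.0.1:8384";` and dropping 8384 from both port lists closes that path unless direct access is needed for something not shown here. The `extraCommands` block duplicates `allowedTCPPorts`/`allowedUDPPorts` and `openDefaultPorts = true`, and additionally opens tcp/3000, which appears in no declarative list and has no service in this hunk; if these rules work around a quirk of the Oracle image a comment saying so would help, otherwise they should go. `defaultSopsFile` is a string path under `/root/.dotfiles`, so secret installation at activation depends on that checkout being present; deriving it from `config.swarselsystems.flakePath`, which the same hunk sets to that directory, would avoid the duplicated literal. The `globals` argument added to the module's parameter set is not referenced in the visible part of the hunk.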
@@ -2532,113 +2420,6 @@ This machine mainly acts as an external sync helper. It manages the following th nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } -#+end_src -***** disko -:PROPERTIES: -:CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d -:END: - -#+begin_src nix-ts :tangle hosts/nixos/milkywell/disk-config.nix - # NOTE: ... is needed because dikso passes diskoFile - { lib - , config - , rootDisk - , ... - }: - let - type = "btrfs"; - extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "subvol=root" - "compress=zstd" - "noatime" - ]; - }; - "/home" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/home"; - mountOptions = [ - "subvol=home" - "compress=zstd" - "noatime" - ]; - }; - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/persist"; - mountOptions = [ - "subvol=persist" - "compress=zstd" - "noatime" - ]; - }; - "/log" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/var/log"; - mountOptions = [ - "subvol=log" - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "subvol=nix" - "compress=zstd" - "noatime" - ]; - }; - "/swap" = lib.mkIf config.swarselsystems.isSwap { - mountpoint = "/.swapvol"; - swap.swapfile.size = config.swarselsystems.swapSize; - }; - }; - in - { - disko.devices = { - disk = { - disk0 = { - type = "disk"; - device = config.swarselsystems.rootDisk; - content = { - type = "gpt"; - partitions = { - ESP = { - priority = 1; - name = "ESP"; - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - root = { - size = "100%"; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - 
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - }; - }; - }; - }; - }; - - fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - } - - #+end_src **** Moonside (OCI) :PROPERTIES: @@ -2655,12 +2436,10 @@ This machine mainly acts as an external sync helper. It manages the following th primaryUser = config.swarselsystems.mainUser; inherit (config.repo.secrets.common) workHostName; inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; - inherit (config.swarselsystems) sopsFile; serviceDomain = config.repo.secrets.common.services.domains.syncthing3; sharedOptions = { isBtrfs = true; - isNixos = true; isLinux = true; }; in @@ -2672,9 +2451,9 @@ This machine mainly acts as an external sync helper. It manages the following th sops = { age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; - # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; + defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; secrets = { - wireguard-private-key = { inherit sopsFile; }; + wireguard-private-key = { }; }; }; @@ -2864,6 +2643,7 @@ This machine mainly acts as an external sync helper. It manages the following th swarselsystems = lib.recursiveUpdate { info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM"; + flakePath = "/home/swarsel/.dotfiles"; isImpermanence = true; isSecureBoot = false; isCrypted = false; @@ -3341,7 +3121,6 @@ This is a live environment ISO that I use to bootstrap new systems. It only load curl git gnupg - networkmanager rsync ssh-to-age sops 
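Review bot: `defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"` hard-codes the checkout location as a string, so at activation time root decrypts whatever file sits at that path inside a user-writable home directory; since sops checks the file MAC, a tampered file fails rather than yielding wrong values, but a missing or moved checkout will fail the whole activation, which deserves a comment on the line. A later hunk in the same file sets `flakePath = "/home/swarsel/.dotfiles"`, so `defaultSopsFile = lib.mkForce "${config.swarselsystems.flakePath}/secrets/moonside/secrets.yaml";` would keep the two in step; milkywell has the same duplication with `/root/.dotfiles`. `wireguard-private-key = { }` now relies on that default file containing a `wireguard-private-key` key, which the removed `inherit sopsFile` made explicit. The `sops` attribute set continues past the end of the hunk.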
@@ -4066,9 +3845,7 @@ A breakdown of the flags being set: config = lib.mkIf config.swarselsystems.modules.general (lib.recursiveUpdate { - sops.secrets.github-api-token = lib.mkIf (!minimal) { - sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; - }; + sops.secrets.github-api-token = lib.mkIf (!minimal) { }; nix = { package = pkgs.nixVersions.nix_2_28; @@ -4127,24 +3904,23 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the useGlobalPkgs = true; useUserPackages = true; verbose = true; - users.swarsel.imports = [ + sharedModules = [ inputs.nix-index-database.hmModules.nix-index inputs.sops-nix.homeManagerModules.sops - # inputs.stylix.homeModules.stylix { imports = [ "${self}/profiles/home" "${self}/modules/home" - # "${self}/modules/nixos/common/pii.nix" - # "${self}/modules/nixos/common/meta.nix" + "${self}/modules/nixos/common/pii.nix" + "${self}/modules/nixos/common/meta.nix" ]; - # node = { - # secretsDir = if (!config.swarselsystems.isNixos) then ../../../hosts/home/${configName}/secrets else ../../../hosts/nixos/${configName}/secrets; - # }; + node = { + secretsDir = if config.swarselsystems.isNixos then ../../../hosts/nixos/${configName}/secrets else ../../../hosts/home/${configName}/secrets; + }; home.stateVersion = lib.mkDefault config.system.stateVersion; } ]; - extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal configName; }; + extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal; }; }; }; } 
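Review bot: Moving the imports from `users.swarsel.imports` to `sharedModules` applies `profiles/home`, `modules/home`, `pii.nix` and `meta.nix` to every home-manager user defined on a host, not only `swarsel`; a host that declares additional users (the darwin host in this diff pulls a `workUser` from secrets) will now receive that profile and the `node.secretsDir` path, which may or may not be intended and should be stated in a comment on `sharedModules`. `configName` was dropped from `extraSpecialArgs` while `secretsDir` in the same hunk still interpolates it from the enclosing module scope, so any home module that still declares `configName` in its argument set will fail to evaluate; if that was checked, a note such as `# configName is no longer passed to home modules` would record it. In the first hunk, `github-api-token` no longer names a `sopsFile`, so every non-minimal host's `defaultSopsFile` must now carry that key or activation fails. Both enclosing attribute sets start and end outside their hunks.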
@@ -4333,15 +4109,10 @@ This is also exposed to home-manager configurations, in case this ever breaks, I This dynamically uses systemd boot or Lanzaboote depending on the minimal system state and `config.swarselsystems.isSecureBoot`. #+begin_src nix-ts :tangle modules/nixos/common/lanzaboote.nix - { lib, pkgs, config, minimal, ... }: + { lib, config, minimal, ... }: { options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config"; config = lib.mkIf config.swarselsystems.modules.lanzaboote { - - environment.systemPackages = lib.mkIf config.swarselsystems.isSecureBoot [ - pkgs.sbctl - ]; - boot = { loader = { efi.canTouchEfiVariables = true; @@ -4475,12 +4246,15 @@ Normally, doing that also resets the lecture that happens on the first use of =s This section is for setting things that should be used on hosts that are using the default NixOS configuration. This means that servers should NOT import this, as much of these imported modules are user-configured. #+begin_src nix-ts :tangle modules/nixos/client/default.nix - { lib, ... }: + { lib, inputs, ... }: let importNames = lib.swarselsystems.readNix "modules/nixos/client"; in { - imports = lib.swarselsystems.mkImports importNames "modules/nixos/client"; + imports = lib.swarselsystems.mkImports importNames "modules/nixos/client" ++ [ + inputs.stylix.nixosModules.stylix + inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm + ]; } #+end_src @@ -4570,7 +4344,6 @@ Mostly used to install some compilers and lsp's that I want to have available wh elk-to-svg ] ++ lib.optionals minimal [ - networkmanager curl git gnupg 
@@ -4793,10 +4566,11 @@ Here I only enable =networkmanager= and a few default networks. The rest of the { self, lib, pkgs, config, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; - clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml; + clientSopsFile = self + /secrets/${config.networking.hostName}/secrets.yaml; inherit (config.swarselsystems) mainUser; inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon; + inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips; iwd = config.networking.networkmanager.wifi.backend == "iwd"; in @@ -4882,10 +4656,7 @@ Here I only enable =networkmanager= and a few default networks. The rest of the environmentFiles = [ "${config.sops.templates."network-manager.env".path}" ]; - profiles = let - inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips; - in - { + profiles = { ${wlan1} = { connection = { id = wlan1; 
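Review bot: `clientSopsFile` now derives the per-host secrets path from `config.networking.hostName` instead of `config.node.name`, which assumes the directory under `secrets/` is spelled exactly like the hostname; this same commit renames hosts in the README table, so it is worth confirming the secrets directories were renamed in step, otherwise `sops` fails at activation with a missing file. A comment on the line would record the assumption: `# secrets/<hostName>/ must match networking.hostName exactly`. The `let` block continues into the next hunk.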
@@ -5150,20 +4921,16 @@ By default, [[https://github.com/danth/stylix][stylix]] wants to style GRUB as w =theme= is defined in [[#h:5bc1b0c9-dc59-4c81-b5b5-e60699deda78][Theme (stylix)]]. #+begin_src nix-ts :noweb yes :tangle modules/nixos/client/stylix.nix - { self, lib, config, ... }: + { lib, config, ... }: { options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config"; - config = { - stylix = { - enable = true; - base16Scheme = "${self}/files/stylix/swarsel.yaml"; - } // lib.optionalAttrs config.swarselsystems.modules.stylix - (lib.recursiveUpdate - { - targets.grub.enable = false; # the styling makes grub more ugly - image = config.swarselsystems.wallpaper; - } - config.swarselsystems.stylix); + config = lib.mkIf config.swarselsystems.modules.stylix { + stylix = lib.recursiveUpdate + { + targets.grub.enable = false; # the styling makes grub more ugly + image = config.swarselsystems.wallpaper; + } + config.swarselsystems.stylix; home-manager.users."${config.swarselsystems.mainUser}" = { stylix = { targets = config.swarselsystems.stylixHomeTargets; @@ -5447,8 +5214,8 @@ Most of the time I am using =power-saver=, however, it is good to be able to cho { options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; config = lib.mkIf config.swarselsystems.modules.swayosd { - environment.systemPackages = [ pkgs.dev.swayosd ]; - services.udev.packages = [ pkgs.dev.swayosd ]; + environment.systemPackages = [ pkgs.swayosd ]; + services.udev.packages = [ pkgs.swayosd ]; systemd.services.swayosd-libinput-backend = { description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc."; documentation = [ "https://github.com/ErikReider/SwayOSD" ]; 
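Review bot: The new `config = lib.mkIf …` block no longer sets `stylix.enable = true` or `base16Scheme = "${self}/files/stylix/swarsel.yaml"`, both of which the removed unconditional block set; unless the stylix NixOS module now imported in `modules/nixos/client/default.nix` is enabled elsewhere, stylix stays off and the `recursiveUpdate` here styles nothing. If those two settings were moved, a one-line comment prevents someone from re-adding them: `# stylix.enable and base16Scheme are set in <module — TODO name it>`. The `home-manager.users."${config.swarselsystems.mainUser}"` attribute continues past the hunk.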
@@ -5459,7 +5226,7 @@ Most of the time I am using =power-saver=, however, it is good to be able to cho serviceConfig = { Type = "dbus"; BusName = "org.erikreider.swayosd"; - ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend"; + ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend"; Restart = "on-failure"; }; }; @@ -5718,11 +5485,6 @@ This snipped is added to the activation script that is run after every rebuild a { options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config"; config = lib.mkIf config.swarselsystems.modules.nvd { - - environment.systemPackages = [ - pkgs.nvd - ]; - system.activationScripts.diff = { supportsDryActivation = true; text = '' @@ -6067,7 +5829,6 @@ Here we just define some aliases for rebuilding the system, and we allow some in vim sops swarsel-deploy - tmux ]; }; } @@ -6145,7 +5906,6 @@ Here we just define some aliases for rebuilding the system, and we allow some in let inherit (config.repo.secrets.common) dnsProvider; inherit (config.repo.secrets.common.mail) address3; - in { options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server"; @@ -6155,9 +5915,10 @@ Here we just define some aliases for rebuilding the system, and we allow some in ]; sops = { - secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + # secrets.dnstokenfull = { owner = "acme"; }; + secrets.dnstokenfull = { }; templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} ''; }; @@ -6234,8 +5995,6 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t #+begin_src nix-ts :tangle modules/nixos/server/kavita.nix { self, lib, config, pkgs, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 8080; serviceName = "kavita"; serviceUser = "kavita"; 
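Review bot: In the nvd hunk `pkgs.nvd` is removed from `environment.systemPackages`, but the `system.activationScripts.diff.text` that follows is presumably what invokes nvd, and its body lies outside the hunk; if the script references the binary by bare name rather than `${pkgs.nvd}/bin/nvd`, the activation diff breaks quietly at the next rebuild. Worth checking that `text` uses the store path, and if so a comment would explain the removal: `# nvd is referenced by store path in the activation script; no global install needed`.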
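Review bot: In the nginx hunk the commented-out `# secrets.dnstokenfull = { owner = "acme"; };` sits directly above the live `secrets.dnstokenfull = { };` and leaves the reader guessing whether acme ownership is still needed; since the token is only consumed through the `certs.secret` template, the raw secret can stay root-owned, but the template's own `owner` is not visible here and is what the acme service actually reads. Either delete the comment or replace it with the reason: `# consumed only via the certs.secret template, so default root ownership is intended`.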
@@ -6252,7 +6011,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t extraGroups = [ "users" ]; }; - sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; }; + sops.secrets.kavita = { owner = serviceUser; }; networking.firewall.allowedTCPPorts = [ servicePort ]; @@ -6267,7 +6026,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t enable = true; user = serviceUser; settings.Port = servicePort; - tokenKeyFile = config.sops.secrets.kavita-token.path; + tokenKeyFile = config.sops.secrets.kavita.path; dataDir = "/Vault/data/${serviceName}"; }; @@ -6570,8 +6329,6 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t #+begin_src nix-ts :tangle modules/nixos/server/mpd.nix { self, lib, config, pkgs, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 3254; serviceUser = "mpd"; serviceGroup = serviceUser; @@ -6595,7 +6352,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t }; sops = { - secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; environment.systemPackages = with pkgs; [ @@ -6621,7 +6378,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t }; credentials = [ { - passwordFile = config.sops.secrets.mpd-pw.path; + passwordFile = config.sops.secrets.mpdpass.path; permissions = [ "read" "add" @@ -6697,8 +6454,6 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t #+begin_src nix-ts :tangle modules/nixos/server/matrix.nix { lib, config, pkgs, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 8008; serviceName = "matrix"; serviceDomain = config.repo.secrets.common.services.domains.matrix; 
@@ -6728,29 +6483,29 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t sops = { secrets = { - matrix-shared-secret = { inherit sopsFile; owner = serviceUser; }; - mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; }; - mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; }; - mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; }; - mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; }; + matrixsharedsecret = { owner = serviceUser; }; + mautrixtelegram_as = { owner = serviceUser; }; + mautrixtelegram_hs = { owner = serviceUser; }; + mautrixtelegram_api_id = { owner = serviceUser; }; + mautrixtelegram_api_hash = { owner = serviceUser; }; }; templates = { "matrix_user_register.sh".content = '' - register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort} + register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort} ''; matrixshared = { owner = serviceUser; content = '' - registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret} + registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} ''; }; mautrixtelegram = { owner = serviceUser; content = '' - MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token} - MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token} - MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id} - MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash} + MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} + MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} + MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} + 
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} ''; }; }; @@ -7053,7 +6808,6 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t { pkgs, lib, config, ... }: let inherit (config.repo.secrets.local.nextcloud) adminuser; - inherit (config.swarselsystems) sopsFile; servicePort = 80; serviceUser = "nextcloud"; @@ -7066,8 +6820,16 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t config = lib.mkIf config.swarselsystems.modules.server.${serviceName} { sops.secrets = { - nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + nextcloudadminpass = { + owner = serviceUser; + group = serviceGroup; + mode = "0440"; + }; + kanidm-nextcloud-client = { + owner = serviceUser; + group = serviceGroup; + mode = "0440"; + }; }; @@ -7093,7 +6855,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t extraAppsEnable = true; config = { inherit adminuser; - adminpassFile = config.sops.secrets.nextcloud-admin-pw.path; + adminpassFile = config.sops.secrets.nextcloudadminpass.path; dbtype = "sqlite"; }; }; @@ -7212,8 +6974,6 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= #+begin_src nix-ts :tangle modules/nixos/server/paperless.nix { lib, pkgs, config, globals, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 28981; serviceUser = "paperless"; serviceGroup = serviceUser; 
@@ -7233,8 +6993,12 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= }; sops.secrets = { - paperless-admin-pw = { inherit sopsFile; owner = serviceUser; }; - kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + paperless_admin = { owner = serviceUser; }; + kanidm-paperless-client = { + owner = serviceUser; + group = serviceGroup; + mode = "0440"; + }; }; networking.firewall.allowedTCPPorts = [ servicePort ]; @@ -7248,7 +7012,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= dataDir = "/Vault/data/${serviceName}"; user = serviceUser; port = servicePort; - passwordFile = config.sops.secrets.paperless-admin-pw.path; + passwordFile = config.sops.secrets.paperless_admin.path; address = "0.0.0.0"; settings = { PAPERLESS_OCR_LANGUAGE = "deu+eng"; @@ -7680,17 +7444,17 @@ This manages backups for my pictures and obsidian files. #+begin_src nix-ts :tangle modules/nixos/server/restic.nix { lib, pkgs, config, ... }: let - inherit (config.swarselsystems) sopsFile; - in + inherit (config.repo.secrets.local) resticRepo; + in { options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server"; config = lib.mkIf config.swarselsystems.modules.server.restic { sops = { secrets = { - resticpw = { inherit sopsFile; }; - resticaccesskey = { inherit sopsFile; }; - resticsecretaccesskey = { inherit sopsFile; }; + resticpw = { }; + resticaccesskey = { }; + resticsecretaccesskey = { }; }; templates = { "restic-env".content = '' 
@@ -7700,39 +7464,35 @@ This manages backups for my pictures and obsidian files. }; }; - services.restic = - let - inherit (config.repo.secrets.local) resticRepo; - in - { - backups = { - SwarselWinters = { - environmentFile = config.sops.templates."restic-env".path; - passwordFile = config.sops.secrets.resticpw.path; - paths = [ - "/Vault/data/paperless" - "/Vault/Eternor/Paperless" - "/Vault/Eternor/Bilder" - "/Vault/Eternor/Immich" - ]; - pruneOpts = [ - "--keep-daily 3" - "--keep-weekly 2" - "--keep-monthly 3" - "--keep-yearly 100" - ]; - backupPrepareCommand = '' - ${pkgs.restic}/bin/restic prune - ''; - repository = "${resticRepo}"; - initialize = true; - timerConfig = { - OnCalendar = "03:00"; - }; + services.restic = { + backups = { + SwarselWinters = { + environmentFile = config.sops.templates."restic-env".path; + passwordFile = config.sops.secrets.resticpw.path; + paths = [ + "/Vault/data/paperless" + "/Vault/Eternor/Paperless" + "/Vault/Eternor/Bilder" + "/Vault/Eternor/Immich" + ]; + pruneOpts = [ + "--keep-daily 3" + "--keep-weekly 2" + "--keep-monthly 3" + "--keep-yearly 100" + ]; + backupPrepareCommand = '' + ${pkgs.restic}/bin/restic prune + ''; + repository = "${resticRepo}"; + initialize = true; + timerConfig = { + OnCalendar = "03:00"; }; - }; + }; + }; }; } @@ -7748,6 +7508,7 @@ This section exposes several metrics that I use to check the health of my server #+begin_src nix-ts :tangle modules/nixos/server/monitoring.nix { self, lib, config, globals, ... }: let + servicePort = 3000; serviceUser = "grafana"; serviceGroup = serviceUser; 
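Review bot: `servicePort = 3000` is introduced in monitoring.nix here, and the forgejo hunk later in this diff changes that module's `servicePort` from 3004 to 3000 as well; if both modules are enabled on the same host the two services bind the same port and whichever starts second fails. Grafana listens on 3000 by default, so forgejo's 3004 looks like it was deliberately moved away before — worth confirming the intent, and if the two never share a host a comment on one of them would say so: `# 3000 is also forgejo's port; the modules are not enabled on the same host`. The `let` block continues past the hunk.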
@@ -7757,12 +7518,11 @@ This section exposes several metrics that I use to check the health of my server prometheusPort = 9090; prometheusUser = "prometheus"; prometheusGroup = prometheusUser; + nextcloudUser = config.repo.secrets.local.nextcloud.adminuser; grafanaUpstream = "grafana"; prometheusUpstream = "prometheus"; prometheusWebRoot = "prometheus"; kanidmDomain = globals.services.kanidm.domain; - - inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7770,9 +7530,9 @@ This section exposes several metrics that I use to check the health of my server sops = { secrets = { - grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; }; @@ -7832,7 +7592,7 @@ This section exposes several metrics that I use to check the health of my server incrementalQueryOverlapWindow = "10m"; }; secureJsonData = { - basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}"; + basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}"; }; } ]; 
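Review bot: `basicAuthPassword` hard-codes `/run/secrets/prometheusadminpass` instead of deriving the path from the secret definition, and the rename in this very commit shows how easily the literal and the secret name drift apart; the same applies to `admin_password` in the next hunk. Suggest `basicAuthPassword = "$__file{${config.sops.secrets.prometheusadminpass.path}}";` so a future rename cannot silently leave Grafana pointing at a file that no longer exists. The datasource list this sits in continues outside the hunk.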
@@ -7843,7 +7603,7 @@ This section exposes several metrics that I use to check the health of my server analytics.reporting_enabled = false; users.allow_sign_up = false; security = { - admin_password = "$__file{/run/secrets/grafana-admin-pw}"; + admin_password = "$__file{/run/secrets/grafanaadminpass}"; cookie_secure = true; disable_gravatar = true; }; 
@@ -7878,78 +7638,74 @@ This section exposes several metrics that I use to check the health of my server }; }; - prometheus = - let - nextcloudUser = config.repo.secrets.local.nextcloud.adminuser; - in - { - enable = true; - webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}"; - port = prometheusPort; - listenAddress = "0.0.0.0"; - globalConfig = { - scrape_interval = "10s"; + prometheus = { + enable = true; + webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}"; + port = prometheusPort; + listenAddress = "0.0.0.0"; + globalConfig = { + scrape_interval = "10s"; + }; + webConfigFile = config.sops.templates.web-config.path; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + { + job_name = "zfs"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; + }]; + } + { + job_name = "nginx"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; + }]; + } + { + job_name = "nextcloud"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; + }]; + } + ]; + exporters = { + node = { + enable = true; + port = 9000; + enabledCollectors = [ "systemd" ]; + extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; }; - webConfigFile = config.sops.templates.web-config.path; - scrapeConfigs = [ - { - job_name = "node"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; - }]; - } - { - job_name = "zfs"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; - }]; - } - { - job_name = "nginx"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; - }]; - } - { - 
job_name = "nextcloud"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; - }]; - } - ]; - exporters = { - node = { - enable = true; - port = 9000; - enabledCollectors = [ "systemd" ]; - extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; - }; - zfs = { - enable = true; - port = 9134; - pools = [ - "Vault" - ]; - }; - restic = { - enable = false; - port = 9753; - }; - nginx = { - enable = true; - port = 9113; - sslVerify = false; - scrapeUri = "http://localhost/nginx_status"; - }; - nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud { - enable = true; - port = 9205; - url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info"; - username = nextcloudUser; - passwordFile = config.sops.secrets.nextcloud-admin-pw.path; - }; + zfs = { + enable = true; + port = 9134; + pools = [ + "Vault" + ]; + }; + restic = { + enable = false; + port = 9753; + }; + nginx = { + enable = true; + port = 9113; + sslVerify = false; + scrapeUri = "http://localhost/nginx_status"; + }; + nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud { + enable = true; + port = 9205; + url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info"; + username = nextcloudUser; + passwordFile = config.sops.secrets.nextcloudadminpass.path; }; }; + }; }; @@ -8095,13 +7851,13 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with #+begin_src nix-ts :tangle modules/nixos/server/freshrss.nix { self, lib, config, ... }: let + inherit (config.repo.secrets.local.freshrss) defaultUser; + servicePort = 80; serviceName = "freshrss"; serviceUser = "freshrss"; serviceGroup = serviceName; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - - inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; 
@@ -8117,9 +7873,9 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with sops = { secrets = { - freshrss-pw = { inherit sopsFile; owner = serviceUser; }; - kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - # freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + fresh = { owner = serviceUser; }; + "kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; # templates = { @@ -8150,19 +7906,15 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with globals.services.${serviceName}.domain = serviceDomain; - services.${serviceName} = - let - inherit (config.repo.secrets.local.freshrss) defaultUser; - in - { - inherit defaultUser; - enable = true; - virtualHost = serviceDomain; - baseUrl = "https://${serviceDomain}"; - authType = "form"; - dataDir = "/Vault/data/tt-rss"; - passwordFile = config.sops.secrets.freshrss-pw.path; - }; + services.${serviceName} = { + inherit defaultUser; + enable = true; + virtualHost = serviceDomain; + baseUrl = "https://${serviceDomain}"; + authType = "form"; + dataDir = "/Vault/data/tt-rss"; + passwordFile = config.sops.secrets.fresh.path; + }; # systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [ # config.sops.templates.freshrss-env.path @@ -8208,9 +7960,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with #+begin_src nix-ts :tangle modules/nixos/server/forgejo.nix { lib, config, pkgs, globals, ... }: let - inherit (config.swarselsystems) sopsFile; - - servicePort = 3004; + servicePort = 3000; serviceUser = "forgejo"; serviceGroup = serviceUser; serviceName = "forgejo"; 
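Review bot: The secret key `fresh` is the only one among these server modules whose name no longer says what it holds (it is the FreshRSS admin password, per `passwordFile = config.sops.secrets.fresh.path` in the following hunk), and the sibling `"kanidm-freshrss-client"` is quoted while `fresh` is not; the ankisync hunk has the same problem with `sops.secrets.swarsel` standing in for the Anki password. The newly uncommented `"oidc-crypto-key"` secret is decrypted onto the host although nothing visible consumes it — the `templates` block below remains commented out. If the key names are fixed by what is in secrets.yaml, say so once: `fresh = { owner = serviceUser; }; # FreshRSS admin password; key name dictated by secrets.yaml`.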
@@ -8232,14 +7982,13 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with users.groups.${serviceGroup} = { }; sops.secrets = { - kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; globals.services.${serviceName}.domain = serviceDomain; services.${serviceName} = { enable = true; - stateDir = "/Vault/data/${serviceName}"; user = serviceUser; group = serviceGroup; lfs.enable = lib.mkDefault true; @@ -8336,7 +8085,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with ''; }; - nodes.moonside.services.nginx = { + services.nginx = { upstreams = { ${serviceName} = { servers = { @@ -8373,8 +8122,6 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with #+begin_src nix-ts :tangle modules/nixos/server/ankisync.nix { self, lib, config, globals, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 27701; serviceName = "ankisync"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; @@ -8387,11 +8134,11 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with networking.firewall.allowedTCPPorts = [ servicePort ]; - sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; }; + sops.secrets.swarsel = { owner = "root"; }; - topology.self.services.anki = { + topology.self.services.${serviceName} = { name = lib.mkForce "Anki Sync Server"; - icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png"; + icon = "${self}/files/topology-images/${serviceName}.png"; info = "https://${serviceDomain}"; }; 
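Review bot: Dropping `stateDir = "/Vault/data/${serviceName}"` moves forgejo's repositories and database to the module default (presumably `/var/lib/forgejo`) on the next activation; nothing in this change migrates the existing data under `/Vault/data/forgejo`, so unless that was done out of band the service comes up empty and the old data sits unbacked-up on the old path. If the move is intended, a comment would stop someone from restoring the line: `# state intentionally on the default path; /Vault/data/forgejo was migrated`. The `services.forgejo` attribute continues past the hunk.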
@@ -8405,12 +8152,12 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with users = [ { username = ankiUser; - passwordFile = config.sops.secrets.anki-pw.path; + passwordFile = config.sops.secrets.swarsel.path; } ]; }; - nodes.moonside.services.nginx = { + services.nginx = { upstreams = { ${serviceName} = { servers = { @@ -8455,7 +8202,6 @@ To get other URLs (token, etc.), use https:///oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid/ toolkit.legacyUserProfileCustomizations.styleshe Sets environment variables. Here I am only setting the EDITOR variable, most variables are set in the [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] section. #+begin_src nix-ts :tangle modules/home/common/env.nix - { lib, config, globals, nixosConfig, ... }: + { lib, config, globals, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (config.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (config.repo.secrets.common) fullName; crocDomain = globals.services.croc.domain; in { 
@@ -11485,10 +11210,10 @@ Eza provides me with a better =ls= command and some other useful aliases. Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]]. #+begin_src nix-ts :tangle modules/home/common/git.nix - { lib, config, globals, minimal, nixosConfig, ... }: + { lib, config, globals, minimal, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (config.repo.secrets.common.mail) address1; + inherit (config.repo.secrets.common) fullName; gitUser = globals.user.name; in @@ -12026,10 +11751,10 @@ Currently I only use it as before with =initExtra= though. Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here. #+begin_src nix-ts :tangle modules/home/common/mail.nix - { lib, config, nixosConfig, ... }: + { lib, config, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (config.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host; + inherit (config.repo.secrets.common) fullName; inherit (config.swarselsystems) xdgDir; in { 
@@ -12873,13 +12598,12 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi :END: #+begin_src nix-ts :tangle modules/home/common/swayosd.nix - { lib, pkgs, config, ... }: + { lib, config, ... }: { options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; config = lib.mkIf config.swarselsystems.modules.swayosd { services.swayosd = { enable = true; - package = pkgs.dev.swayosd; topMargin = 0.5; }; }; @@ -13500,9 +13224,9 @@ Settinfs that are needed for the gpg-agent. Also we are enabling emacs support f This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. #+begin_src nix-ts :tangle modules/home/common/gammastep.nix - { lib, config, nixosConfig, ... }: + { lib, config, ... }: let - inherit (nixosConfig.repo.secrets.common.location) latitude longitude; + inherit (config.repo.secrets.common.location) latitude longitude; in { options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings"; @@ -13663,9 +13387,10 @@ The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]. Here, I am setting up the different firefox profiles that I need for the SSO sites that I need to access at work as well as a few ssh shorthands. #+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes - { self, config, pkgs, lib, nixosConfig, ... }: + { self, config, pkgs, lib, ... }: let inherit (config.swarselsystems) homeDir; + inherit (config.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail; in { options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings"; 
@@ -13703,141 +13428,131 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] }; }; - stylix = { - targets.firefox.profileNames = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - [ - "${user1}" - "${user2}" - "${user3}" - "work" + stylix.targets.firefox.profileNames = [ + "${user1}" + "${user2}" + "${user3}" + "work" + ]; + + programs = { + git.userEmail = lib.mkForce gitMail; + + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; + }; + cdpath = [ + "~/Documents/Work" ]; - }; - - programs = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail; - in - { - git.userEmail = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - }; - - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - 
"${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "${site1}|${site2}"; - }; - } - config.swarselsystems.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - config.swarselsystems.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } - config.swarselsystems.firefox; - work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - config.swarselsystems.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; }; }; + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in + { + "${user1}" = lib.recursiveUpdate + { + inherit 
isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "${site1}|${site2}"; + }; + } + config.swarselsystems.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + config.swarselsystems.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + config.swarselsystems.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + config.swarselsystems.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + services = { kanshi = { settings = [ 
@@ -13956,53 +13671,49 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] }; }; - xdg = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; - }; + xdg = { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = "Firefox ${user1}"; - exec = "firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - - - }; }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; + }; swarselsystems = { startup = [ # { 
command = "nextcloud --background"; } @@ -14978,7 +14689,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man green "Please confirm passphrase:" read -rs luks_passphrase_confirm if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then - $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password" + $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" break else red "Passwords do not match" @@ -15055,7 +14766,6 @@ This program sets up a new NixOS host remotely. It also takes care of secret man fi green "Updating all secrets files to reflect updates .sops.yaml" sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml - sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts @@ -15128,10 +14838,6 @@ This program sets up a new NixOS host remotely. It also takes care of secret man fi #+end_src -#+RESULTS: -| trap: | undefined | signal: | exit | | | | | -| [ | Babel | evaluation | exited | with | code | 1 | ] | - #+begin_src nix-ts :tangle pkgs/swarsel-bootstrap/default.nix { self, name, writeShellApplication, openssh }: 
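Review bot: The rewritten `xdg` block still interpolates `${user1}`, `${user2}` and `${user3}` in `desktopEntries`, but the `let inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; in` that bound them is exactly what this hunk removes. Unless those names are now bound in an enclosing scope outside the hunk (the firefox profiles earlier in the same file use them the same way, which suggests they are), evaluation fails with an undefined-variable error. A one-line comment at the top of the block recording where they come from would make that dependency visible, e.g. `# user1..user3 are bound by the enclosing let (repo.secrets.local.work)`. The enclosing attribute set starts outside the hunk.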
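Review bot: The new remote command interpolates `$luks_passphrase` unquoted inside `/bin/sh -c '...'`, so the remote shell word-splits and glob-expands it, and characters such as `$`, `;`, `>` or backticks in the passphrase are interpreted instead of being written to `/tmp/disko-password`; the removed line at least kept it single-quoted on the remote side. Both forms also put the passphrase on the local ssh command line, where it is visible in `ps` output, and `echo` appends a trailing newline that the consumer of the password file may or may not expect. Passing it over stdin avoids all three: `printf '%s' "$luks_passphrase" | $ssh_root_cmd "umask 077; cat > /tmp/disko-password"` (assuming `$ssh_root_cmd` is a plain ssh invocation that forwards stdin). The identical change appears in `files/scripts/swarsel-bootstrap.sh` (hunk -200,7 +200,7), presumably tangled from this block, and should be fixed together with it.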
@@ -16089,74 +15795,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a #+end_src -**** Reduced -:PROPERTIES: -:CUSTOM_ID: h:2d0eac3b-6e2e-4006-9032-59f2ba7e98ec -:END: - -#+begin_src nix-ts :tangle profiles/nixos/reduced/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host"; - config = lib.mkIf config.swarselsystems.profiles.reduced { - swarselsystems.modules = { - packages = lib.mkDefault true; - pii = lib.mkDefault true; - general = lib.mkDefault true; - home-manager = lib.mkDefault true; - xserver = lib.mkDefault true; - users = lib.mkDefault true; - env = lib.mkDefault true; - security = lib.mkDefault true; - systemdTimeout = lib.mkDefault true; - hardware = lib.mkDefault true; - pulseaudio = lib.mkDefault true; - pipewire = lib.mkDefault true; - network = lib.mkDefault true; - time = lib.mkDefault true; - sops = lib.mkDefault true; - stylix = lib.mkDefault true; - programs = lib.mkDefault true; - zsh = lib.mkDefault true; - syncthing = lib.mkDefault true; - blueman = lib.mkDefault true; - networkDevices = lib.mkDefault true; - gvfs = lib.mkDefault true; - interceptionTools = lib.mkDefault true; - swayosd = lib.mkDefault true; - ppd = lib.mkDefault true; - yubikey = lib.mkDefault true; - ledger = lib.mkDefault true; - keyboards = lib.mkDefault true; - login = lib.mkDefault true; - nix-ld = lib.mkDefault true; - impermanence = lib.mkDefault true; - nvd = lib.mkDefault true; - gnome-keyring = lib.mkDefault true; - sway = lib.mkDefault true; - xdg-portal = lib.mkDefault true; - distrobox = lib.mkDefault true; - appimage = lib.mkDefault true; - lid = lib.mkDefault true; - lowBattery = lib.mkDefault true; - lanzaboote = lib.mkDefault true; - autologin = lib.mkDefault true; - - server = { - ssh = lib.mkDefault true; - }; - }; - - }; - - } - -#+end_src - **** Minimal -:PROPERTIES: -:CUSTOM_ID: h:b926f0c8-7968-4079-924c-a5d0ae4d3a45 -:END: 
#+begin_src nix-ts :tangle profiles/nixos/minimal/default.nix :mkdirp yes { lib, config, ... }: @@ -16459,8 +16098,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a koillection = lib.mkDefault true; radicale = lib.mkDefault true; atuin = lib.mkDefault true; - forgejo = lib.mkDefault true; - ankisync = lib.mkDefault true; }; }; }; @@ -16494,8 +16131,8 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a packages = lib.mkDefault true; nginx = lib.mkDefault true; ssh = lib.mkDefault true; - forgejo = lib.mkDefault false; - ankisync = lib.mkDefault false; + forgejo = lib.mkDefault true; + ankisync = lib.mkDefault true; }; }; }; @@ -16570,6 +16207,7 @@ This holds modules that are to be used on most hosts. These are also the most im config = lib.mkIf config.swarselsystems.profiles.personal { swarselsystems.modules = { packages = lib.mkDefault true; + pii = lib.mkDefault true; ownpackages = lib.mkDefault true; general = lib.mkDefault true; nixgl = lib.mkDefault true; 
@@ -16617,62 +16255,6 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src -**** Reduced -:PROPERTIES: -:CUSTOM_ID: h:0554a271-f8ec-4885-b46f-2a02dfd967bd -:END: - -#+begin_src nix-ts :tangle profiles/home/reduced/default.nix :mkdirp yes - { lib, config, ... }: - { - options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host"; - config = lib.mkIf config.swarselsystems.profiles.reduced { - swarselsystems.modules = { - packages = lib.mkDefault true; - ownpackages = lib.mkDefault true; - general = lib.mkDefault true; - nixgl = lib.mkDefault true; - sops = lib.mkDefault true; - yubikey = lib.mkDefault true; - ssh = lib.mkDefault true; - stylix = lib.mkDefault true; - desktop = lib.mkDefault true; - symlink = lib.mkDefault true; - env = lib.mkDefault true; - programs = lib.mkDefault true; - nix-index = lib.mkDefault true; - passwordstore = lib.mkDefault true; - direnv = lib.mkDefault true; - eza = lib.mkDefault true; - atuin = lib.mkDefault true; - git = lib.mkDefault true; - fuzzel = lib.mkDefault true; - starship = lib.mkDefault true; - kitty = lib.mkDefault true; - zsh = lib.mkDefault true; - zellij = lib.mkDefault true; - tmux = lib.mkDefault true; - mail = lib.mkDefault true; - emacs = lib.mkDefault true; - waybar = lib.mkDefault true; - firefox = lib.mkDefault true; - gnome-keyring = lib.mkDefault true; - kdeconnect = lib.mkDefault true; - mako = lib.mkDefault true; - swayosd = lib.mkDefault true; - yubikeytouch = lib.mkDefault true; - sway = lib.mkDefault true; - kanshi = lib.mkDefault false; - gpgagent = lib.mkDefault true; - gammastep = lib.mkDefault true; - - }; - }; - - } - -#+end_src - **** Minimal :PROPERTIES: :CUSTOM_ID: h:26512487-8c29-4b92-835b-d67394c3f5ef 
@@ -18814,8 +18396,8 @@ This adds a rudimentary nix-mode to Emacs. I have not really tried this out, as (setq lsp-nix-nixd-server-path "nixd" lsp-nix-nixd-formatting-command [ "nixpkgs-fmt" ] lsp-nix-nixd-nixpkgs-expr "import (builtins.getFlake \"/home/swarsel/.dotfiles\").inputs.nixpkgs { }" - lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options" - lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options.home-manager.users.type.getSubOptions []" + lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.nbl-imba-2.options" + lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.nbl-imba-2.options.home-manager.users.type.getSubOptions []" )) (use-package nix-ts-mode @@ -18830,8 +18412,8 @@ This adds a rudimentary nix-mode to Emacs. I have not really tried this out, as (setq lsp-nix-nixd-server-path "nixd" lsp-nix-nixd-formatting-command [ "nixpkgs-fmt" ] lsp-nix-nixd-nixpkgs-expr "import (builtins.getFlake \"/home/swarsel/.dotfiles\").inputs.nixpkgs { }" - lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options" - lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options.home-manager.users.type.getSubOptions []" + lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.nbl-imba-2.options" + lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.nbl-imba-2.options.home-manager.users.type.getSubOptions []" )) diff --git a/files/emacs/init.el b/files/emacs/init.el index e1e6cd9..1dbe854 100644 --- a/files/emacs/init.el +++ b/files/emacs/init.el 
@@ -1019,8 +1019,8 @@ create a new one." (setq lsp-nix-nixd-server-path "nixd" lsp-nix-nixd-formatting-command [ "nixpkgs-fmt" ] lsp-nix-nixd-nixpkgs-expr "import (builtins.getFlake \"/home/swarsel/.dotfiles\").inputs.nixpkgs { }" - lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options" - lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options.home-manager.users.type.getSubOptions []" + lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.nbl-imba-2.options" + lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.nbl-imba-2.options.home-manager.users.type.getSubOptions []" )) (use-package nix-ts-mode @@ -1035,8 +1035,8 @@ create a new one." (setq lsp-nix-nixd-server-path "nixd" lsp-nix-nixd-formatting-command [ "nixpkgs-fmt" ] lsp-nix-nixd-nixpkgs-expr "import (builtins.getFlake \"/home/swarsel/.dotfiles\").inputs.nixpkgs { }" - lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options" - lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options.home-manager.users.type.getSubOptions []" + lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.nbl-imba-2.options" + lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.nbl-imba-2.options.home-manager.users.type.getSubOptions []" )) diff --git a/files/scripts/swarsel-bootstrap.sh b/files/scripts/swarsel-bootstrap.sh index 46ea715..02899e8 100644 --- a/files/scripts/swarsel-bootstrap.sh +++ b/files/scripts/swarsel-bootstrap.sh 
@@ -200,7 +200,7 @@ if [ "$disk_encryption" -eq 1 ]; then green "Please confirm passphrase:" read -rs luks_passphrase_confirm if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then - $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password" + $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" break else red "Passwords do not match" @@ -277,7 +277,6 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then fi green "Updating all secrets files to reflect updates .sops.yaml" sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml -sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts diff --git a/flake.lock b/flake.lock index 233156d..7d75b88 100644 --- a/flake.lock +++ b/flake.lock @@ -755,6 +755,24 @@ "type": "github" } }, + "nix-secrets": { + "flake": false, + "locked": { + "lastModified": 1749481004, + "narHash": "sha256-UmA5Dx+tzYXaqPMtKucijTwV7l+U2/+fD0Twb/edcxY=", + "ref": "main", + "rev": "f7e7b03ea03dbfc8471689f0ba7a7221240e93df", + "shallow": true, + "type": "git", + "url": "ssh://git@github.com/Swarsel/nix-secrets.git" + }, + "original": { + "ref": "main", + "shallow": true, + "type": "git", + "url": "ssh://git@github.com/Swarsel/nix-secrets.git" + } + }, "nix-topology": { "inputs": { "devshell": "devshell_2", @@ -865,11 +883,11 @@ }, "nixpkgs-dev": { "locked": { - "lastModified": 1752440522, - "narHash": "sha256-CInQkEG3f8XwIBQxYFhuFCT+T++JPstThfifAMD0yRk=", + "lastModified": 1751913235, + "narHash": "sha256-4iJDKcKd57CuisFTQRMTS1EfiBlwbyUzXlCkQQ63g54=", "owner": "Swarsel", "repo": "nixpkgs", - "rev": "1f569e3bd49502cb4ec312214662d93619cf2c54", + "rev": "2c18d068b3df6bc0fb461583c327b7b94ff4df08", "type": "github" }, "original": { 
@@ -1369,6 +1387,7 @@ "nix-darwin": "nix-darwin", "nix-index-database": "nix-index-database_2", "nix-on-droid": "nix-on-droid", + "nix-secrets": "nix-secrets", "nix-topology": "nix-topology", "nixgl": "nixgl", "nixos-generators": "nixos-generators", diff --git a/flake.nix b/flake.nix index 6f82b3c..708e8eb 100644 --- a/flake.nix +++ b/flake.nix @@ -73,6 +73,11 @@ url = "github:cachix/git-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + nix-secrets = { + url = "git+ssh://git@github.com/Swarsel/nix-secrets.git?ref=main&shallow=1"; + flake = false; + inputs = { }; + }; vbc-nix = { url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/darwin/machpizza/default.nix b/hosts/darwin/nbm-imba-166/default.nix similarity index 100% rename from hosts/darwin/machpizza/default.nix rename to hosts/darwin/nbm-imba-166/default.nix diff --git a/hosts/darwin/machpizza/secrets/pii.nix.enc b/hosts/darwin/nbm-imba-166/secrets/pii.nix.enc similarity index 100% rename from hosts/darwin/machpizza/secrets/pii.nix.enc rename to hosts/darwin/nbm-imba-166/secrets/pii.nix.enc diff --git a/hosts/nixos/bakery/default.nix b/hosts/nixos/bakery/default.nix deleted file mode 100644 index 1e0b9bf..0000000 --- a/hosts/nixos/bakery/default.nix +++ /dev/null 
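Review bot: `nix-secrets` is declared with `flake = false`, so the `inputs = { };` line on the new side has nothing to apply to and can be dropped (I believe Nix silently ignores it, but confirm it does not warn). More importantly, a non-flake input is fetched into `/nix/store`, which is world-readable on multi-user hosts and is what gets pushed to any binary cache; that is fine if the repository holds only sops-encrypted files, as the `config.repo.secrets.*` references elsewhere in this commit suggest, but anything kept in plaintext there becomes readable by every local user. A comment above the input recording that invariant would help, e.g. `# non-flake input: its contents land in the world-readable store, so everything in that repo must stay sops-encrypted`.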
@@ -1,66 +0,0 @@ -{ self, config, inputs, lib, minimal, ... }: -let - primaryUser = config.swarselsystems.mainUser; - sharedOptions = { - isLaptop = true; - isNixos = true; - isBtrfs = true; - isLinux = true; - sharescreen = "eDP-1"; - profiles = { - reduced = lib.mkIf (!minimal) true; - minimal = lib.mkIf minimal true; - }; - }; -in -{ - - imports = [ - inputs.nixos-hardware.nixosModules.common-cpu-intel - - ./disk-config.nix - ./hardware-configuration.nix - - ]; - - - swarselsystems = lib.recursiveUpdate - { - info = "Lenovo ThinkPad"; - firewall = lib.mkForce true; - wallpaper = self + /files/wallpaper/lenovowp.png; - hasBluetooth = true; - hasFingerprint = true; - isImpermanence = true; - isSecureBoot = false; - isCrypted = true; - isSwap = true; - rootDisk = "/dev/nvme0n1"; - swapSize = "4G"; - hostName = config.node.name; - profiles = { - btrfs = true; - }; - } - sharedOptions; - - home-manager.users."${primaryUser}" = { - # home.stateVersion = lib.mkForce "23.05"; - swarselsystems = lib.recursiveUpdate - { - lowResolution = "1280x800"; - highResolution = "1920x1080"; - monitors = { - main = { - name = "LG Display 0x04EF Unknown"; - mode = "1920x1080"; # TEMPLATE - scale = "1"; - position = "1920,0"; - workspace = "15:L"; - output = "eDP-1"; - }; - }; - } - sharedOptions; - }; -} diff --git a/hosts/nixos/bakery/disk-config.nix b/hosts/nixos/bakery/disk-config.nix deleted file mode 100644 index 5605eb2..0000000 --- a/hosts/nixos/bakery/disk-config.nix +++ /dev/null 
@@ -1,122 +0,0 @@ -{ lib, pkgs, config, rootDisk, ... }: -let - type = "btrfs"; - extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "subvol=root" - "compress=zstd" - "noatime" - ]; - }; - "/home" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/home"; - mountOptions = [ - "subvol=home" - "compress=zstd" - "noatime" - ]; - }; - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/persist"; - mountOptions = [ - "subvol=persist" - "compress=zstd" - "noatime" - ]; - }; - "/log" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/var/log"; - mountOptions = [ - "subvol=log" - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "subvol=nix" - "compress=zstd" - "noatime" - ]; - }; - "/swap" = lib.mkIf config.swarselsystems.isSwap { - mountpoint = "/.swapvol"; - swap.swapfile.size = config.swarselsystems.swapSize; - }; - }; -in -{ - disko.devices = { - disk = { - disk0 = { - type = "disk"; - device = config.swarselsystems.rootDisk; - content = { - type = "gpt"; - partitions = { - ESP = { - priority = 1; - name = "ESP"; - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - root = lib.mkIf (!config.swarselsystems.isCrypted) { - size = "100%"; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - luks = lib.mkIf config.swarselsystems.isCrypted { - size = "100%"; - content = { - type = "luks"; - name = "cryptroot"; - passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh - settings = { - allowDiscards = 
true; - # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 - crypttabExtraOpts = [ - "fido2-device=auto" - "token-timeout=10" - ]; - }; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - }; - }; - }; - }; - }; - }; - - fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - - environment.systemPackages = [ - pkgs.yubikey-manager - ]; -} diff --git a/hosts/nixos/bakery/hardware-configuration.nix b/hosts/nixos/bakery/hardware-configuration.nix deleted file mode 100644 index 8322c04..0000000 --- a/hosts/nixos/bakery/hardware-configuration.nix +++ /dev/null @@ -1,23 +0,0 @@ -# Do not modify this file! It was generated by β€˜nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot = { - initrd = { - availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; - kernelModules = [ ]; - }; - kernelModules = [ ]; - extraModulePackages = [ ]; - }; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/nixos/bakery/secrets/pii.nix.enc b/hosts/nixos/bakery/secrets/pii.nix.enc deleted file mode 100644 index 903f22f..0000000 --- a/hosts/nixos/bakery/secrets/pii.nix.enc +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:M8uEE2uxhHHh5UdLO+J18EMVWm+9FCR2BHMJ3P0Il4h+0CqWOS27aVWPjI2lIt+jw5svt5kVbTIzwvw1GmEdcXzJrE9yZ0eKkXSm/TYQQZhlmcPcNeJyDf/bLivwExKicRy2JR2KNyAoiW5gISF7nkUv10EnM60mzH2RftPijvdgSTmdoNu/9Q0J3M46k+EVGO370NXT89eSbhFMS4r6M94vKaA=,iv:C4ELLFaF9yFfDH+g/TwQtRm1DuRtIAxcI55I0mpKd70=,tag:jLWAD2pLkqzekJipf/Rc5Q==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtCbDBYaDZTMUhhbTY2\nbk45NWRPZU5nWmh5M0ZDNGF2Q09rNHNzRGhzCjh1d3pLRnRtZjVnaG1oN0daOXRy\nUzVFd3QzVTBib29QbGN4cXNheVRCNWcKLS0tIFlielcwODk4MjFsS29ybXNDMm5y\nN01aaHBFN0VPdTNrMzJNaE9NRG9KRnMKNV4rqYphPTyXF5m+qNq10aIov8quVh2Y\nALelTPRpD/hMYou/s8Ro49GHNNNKeV9J+4Tvq1QEmIIdvjFLy9AS9A==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-07-10T15:25:21Z", - "mac": "ENC[AES256_GCM,data:pMWJo+JuSgs7RE+rc6vB1u/V3kfQzRjknxIMkNNJCcBp2WVoz84BZ23oruaB2Z/ZSO9zpaQMHkuAqGZU7CuvZ1JvECHWov5fRkXDPeaeIVw3dtof1XzH5plRmAUzabrmEzrGSnwJrJ6DRlAhrq2gDyyIY4qmUeySc7zgR7QVf0o=,iv:iCM7ulRAP5FYyR/z7CSDRYMsm2Gjs7qWLChtslGfzO4=,tag:QJ2Lxmwvgd+ILHeYhMvmwg==,type:str]", - "pgp": [ - { - "created_at": "2025-07-10T23:51:27Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmKgk+exHX36+IkSQC03yiRpEKpmkqt+FcGsbDMonTyow\nmvhmwSc7UscNOgOQYDYA66vMCWE2Ij9gxFJNpPG3rXFiC11XN1/pq+Jy3Qvk3DNV\ntnXgwDvSt7Ry7FThXnPiJAkcjwYNeTniyjzKcUmXA+yEJAlswjGjH6uP/Nvkeo2n\np+OvRQc0cXHBSTbnIq4dHaqVlp1JWOQgtZVrIgwN/rv3xvDPE2E2dmCc9hUg83vk\naUT7fDo8v5hWwJJO7Q6OvECKw/D4jWTxnBP1nS3a66shkpcC7lpYQjE6AtAM3AbY\nB84rat/Tff6ZcmtxMvIa62vfwrfSh/00DmRlPkIe1KlbjrV1kafzbySjI7q1vy2l\neZL7/Zi49fy/KudQ+/OOMC/PlhGLYGtEo3sNmLY7pfBNuMmwjYQ0K/1kKQ8XXJDw\nbWQDP+8aeIKKciLy07NW5Fd5gc5S1exSFHDQyhCXjdUcPk3cTfnEvMP/T1bCNCaD\nGxy6IEifdJvYNeWyaxgbKzsLmz8kTd6wPj/v0BIdL+dy3/a/4SVLR9r7Qn3bMgkc\nb1wVY4XDyt6LPnwVY3UOFPSCVckGb8NRnciKOj1TnsaYI6xEQ0ObuuAedVJQj0wF\n5OqYrwnH+riiLFMVzsEspNQNlMTRY86zPIxuNe8qPDdVL5CotAoobzdmr9cc75uF\nAgwDC9FRLmchgYQBD/4ntfP9dGtNzb9BjR6NEmdqJDIS37lHCc6ts/f86VCiy0tk\nhdtVdZ7sYdFvzkGimfmcbsVJ5VOPK6S82L0xUlROCax1bVkjK8VjqppUbTxQMgWh\nek7pPzE66MJzXlpqGgmRHgLuV0yhTqz9TGbTetjYYlWiOGMGYHwvxMLnvTvQIbJb\nBwtpbK0SEu7ODMn1mGtWpzkVI9rDeCW/FT0bBj1KvkWBWbCVFCSVGjmxuWcFgRs/\nc3aNA/DLQMsX7TzvqiY+dXLdp9/vuyqIf+qzC8IIrI5fskzaVfjP+OzeAVTXeI/f\nYsgvF31Z+DfMAFQ7dnAQ56Ys/oSdNTaAnhfFjI4S40qw0SfZdTWzUm9IjhnZKgaU\nNV9V3b2D7nr64JxutHzYiJemlB4Oy+HhqMQR3AYeMDX3hEG1Xt7splkBLdXccIEe\nGTOoaIffV1QUAB2M9PVyidpLf98Ii9s8Mr2OUcQsYiJy7jNXTudx50mnIhmBSDPN\nk/RSFoMo0+v7jC7lWkfWhvunUJrJ37zNSEHZcJo7Wj+SflqZDI/QRQAez6xRF6ih\nzgFfAgNSDAkbymvju7I6V9TEOw8rLdlXLlBNd+GAy0S2HfNIN8lx2tVnP++zP54C\nhdEDMU+uKp98Wu1fVuMipzjfPqJ0lpNj9M2+ma3q3w1L4YbMa+nVEK4/mmP0e9Jc\nAdvTsgHHFgN5KOwmZkQdAhKJ89cwcGUwZwn/gO7pEGoOw6WaHIIE6ueOiThfkXm/\nWIe1AC/JQapdMlvmF+2Rf51RmSkWX3/vtFPNkWvgkGgCely/eDXRK/si+kk=\n=ep9e\n-----END PGP MESSAGE-----", - "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" - } -} diff --git a/hosts/nixos/milkywell/default.nix b/hosts/nixos/milkywell/default.nix index 2554037..5b18239 100644 --- a/hosts/nixos/milkywell/default.nix +++ b/hosts/nixos/milkywell/default.nix 
@@ -1,46 +1,165 @@ -{ lib, config, minimal, ... }: +{ lib, config, globals, ... }: let primaryUser = config.swarselsystems.mainUser; sharedOptions = { - isBtrfs = true; + isBtrfs = false; isLinux = true; - isNixos = true; - }; - profiles = { - minimal = lib.mkIf minimal true; }; + inherit (config.repo.secrets.common) workHostName; + inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; + serviceDomain = config.repo.secrets.common.services.domains.syncthing2; in { imports = [ ./hardware-configuration.nix - ./disk-config.nix ]; - boot = { - loader.systemd-boot.enable = true; - tmp.cleanOnBoot = true; + sops = { + defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/milkywell/secrets.yaml"; }; + boot = { + tmp.cleanOnBoot = true; + loader.grub.device = "nodev"; + }; + zramSwap.enable = false; + networking = { nftables.enable = lib.mkForce false; hostName = "milkywell"; - enableIPv6 = true; + enableIPv6 = false; domain = "subnet03112148.vcn03112148.oraclevcn.com"; + firewall = { + allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ]; + allowedUDPPorts = [ 21027 22000 ]; + extraCommands = '' + iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT + iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT + iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT + ''; + }; }; hardware = { enableAllFirmware = lib.mkForce false; }; + system.stateVersion = "23.11"; + + globals.services."syncthing-${config.networking.hostName}".domain = serviceDomain; + + services = { + nginx = { + virtualHosts = { + 
${serviceDomain} = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:8384"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + }; + }; + + syncthing = { + enable = true; + guiAddress = "0.0.0.0:8384"; + openDefaultPorts = true; + relay.enable = false; + settings = { + urAccepted = -1; + devices = { + "magicant" = { + id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO"; + }; + "winters" = { + id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + "${workHostName}" = { + id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; + }; + "${dev1}" = { + id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7"; + }; + "${dev2}" = { + id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH"; + }; + "${dev3}" = { + id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR"; + }; + }; + folders = { + "Default Folder" = lib.mkForce { + path = "/var/lib/syncthing/Sync"; + type = "receiveonly"; + versioning = null; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "default"; + }; + "Obsidian" = { + path = "/var/lib/syncthing/Obsidian"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "yjvni-9eaa7"; + }; + "Org" = { + path = "/var/lib/syncthing/Org"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "a7xnl-zjj3d"; + }; + "Vpn" = { + path = "/var/lib/syncthing/Vpn"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "hgp9s-fyq3p"; + }; + "${loc1}" = { + path = "/var/lib/syncthing/${loc1}"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "3"; + }; + devices = [ dev1 
dev2 dev3 ]; + id = "5gsxv-rzzst"; + }; + }; + }; + }; + }; + swarselsystems = lib.recursiveUpdate { info = "VM.Standard.E2.1.Micro"; - isImpermanence = true; + flakePath = "/root/.dotfiles"; + isImpermanence = false; isSecureBoot = false; - isCrypted = true; - isSwap = true; - rootDisk = "/dev/sda"; - swapSize = "4G"; + isCrypted = false; profiles = { server.syncserver = true; }; @@ -48,6 +167,7 @@ in sharedOptions; home-manager.users."${primaryUser}" = { + home.stateVersion = lib.mkForce "23.05"; swarselsystems = lib.recursiveUpdate { } sharedOptions; diff --git a/hosts/nixos/milkywell/disk-config.nix b/hosts/nixos/milkywell/disk-config.nix deleted file mode 100644 index c557fa3..0000000 --- a/hosts/nixos/milkywell/disk-config.nix +++ /dev/null 
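Review bot: `guiAddress = "0.0.0.0:8384"` together with `8384` in `allowedTCPPorts` (and the matching `iptables` line in `extraCommands`) exposes Syncthing's admin GUI directly over plain HTTP on a cloud VM, even though the nginx vhost for `${serviceDomain}` already fronts it with TLS on 443. Binding the GUI to loopback and dropping the port is enough: `guiAddress = "127.0.0.1:8384";` and `allowedTCPPorts = [ 80 443 9812 22000 27701 ];` (the `proxyPass` to `localhost:8384` keeps working). The `extraCommands` block is otherwise redundant with `allowedTCPPorts`/`allowedUDPPorts` and `openDefaultPorts = true`, except that it also opens TCP 3000, which is declared nowhere else; that port should either be added to `allowedTCPPorts` or removed so the intended exposure is visible in one place.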
@@ -1,98 +0,0 @@ -# NOTE: ... is needed because dikso passes diskoFile -{ lib -, config -, rootDisk -, ... -}: -let - type = "btrfs"; - extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "subvol=root" - "compress=zstd" - "noatime" - ]; - }; - "/home" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/home"; - mountOptions = [ - "subvol=home" - "compress=zstd" - "noatime" - ]; - }; - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/persist"; - mountOptions = [ - "subvol=persist" - "compress=zstd" - "noatime" - ]; - }; - "/log" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/var/log"; - mountOptions = [ - "subvol=log" - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "subvol=nix" - "compress=zstd" - "noatime" - ]; - }; - "/swap" = lib.mkIf config.swarselsystems.isSwap { - mountpoint = "/.swapvol"; - swap.swapfile.size = config.swarselsystems.swapSize; - }; - }; -in -{ - disko.devices = { - disk = { - disk0 = { - type = "disk"; - device = config.swarselsystems.rootDisk; - content = { - type = "gpt"; - partitions = { - ESP = { - priority = 1; - name = "ESP"; - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - root = { - size = "100%"; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - }; - }; - }; - }; - }; - - fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; -} 
diff --git a/hosts/nixos/milkywell/hardware-configuration.nix b/hosts/nixos/milkywell/hardware-configuration.nix index 7e5e589..38606e5 100644 --- a/hosts/nixos/milkywell/hardware-configuration.nix +++ b/hosts/nixos/milkywell/hardware-configuration.nix @@ -10,6 +10,22 @@ extraModulePackages = [ ]; }; + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a"; + fsType = "xfs"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/2B75-2AD5"; + fsType = "vfat"; + }; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; } + ]; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction diff --git a/hosts/nixos/moonside/default.nix b/hosts/nixos/moonside/default.nix index ba84c3b..31edc7b 100644 --- a/hosts/nixos/moonside/default.nix +++ b/hosts/nixos/moonside/default.nix @@ -3,12 +3,10 @@ let primaryUser = config.swarselsystems.mainUser; inherit (config.repo.secrets.common) workHostName; inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; - inherit (config.swarselsystems) sopsFile; serviceDomain = config.repo.secrets.common.services.domains.syncthing3; sharedOptions = { isBtrfs = true; - isNixos = true; isLinux = true; }; in @@ -20,9 +18,9 @@ in sops = { age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; - # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; + defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; secrets = { - wireguard-private-key = { inherit sopsFile; }; + wireguard-private-key = { }; }; }; 
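Review bot: `defaultSopsFile` now points at `/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml`, a path under an unprivileged user's home rather than a file in the flake source, and `wireguard-private-key = { }` inherits it. sops-nix decrypts as root at activation, and a host's age recipient is a public key, so anyone who can write to that checkout can replace the file with one encrypted to the host key and have root install values of their choosing; it also means a generation consumes whatever is on disk at activation rather than what it was built from (the same pattern on milkywell uses `/root/.dotfiles`, which is at least root-owned). Prefer referencing the file through the flake, so it is a store path, or a root-owned location; if the home-directory path is deliberate, say why in a comment, e.g. `# NOTE: read from the live checkout at activation, not from the store — <reason>`. The `sops` block is shown in full, but the enclosing attribute set starts outside the hunk.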
@@ -212,6 +210,7 @@ in
 swarselsystems = lib.recursiveUpdate
 {
 info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM";
+ flakePath = "/home/swarsel/.dotfiles";
 isImpermanence = true;
 isSecureBoot = false;
 isCrypted = false;
diff --git a/hosts/nixos/moonside/secrets/pii.nix.enc b/hosts/nixos/moonside/secrets/pii.nix.enc
index 05564b0..b82de98 100644
--- a/hosts/nixos/moonside/secrets/pii.nix.enc
+++ b/hosts/nixos/moonside/secrets/pii.nix.enc
@@ -1,5 +1,5 @@
 {
- "data": "ENC[AES256_GCM,data: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,iv:g9iNn/sH7CtxcT4SeI8/DFG8BPIIoseYTuprGEQPqJ8=,tag:SuV+seYm30JAMN7QbdDl9g==,type:str]",
+ "data": "ENC[AES256_GCM,data:CmkNQJe2siUanybNt9Nv8JSsOnJuoLUOpAPXbACPQFLc4YL9u5R9wImwbbOOgXGfVl8hQwYS5dc+2nu4kj11zdT4mCe62/fO+HgIMBEbU/c0zGZj2hjArJYBkOCHQYu1IzgXdACyamJ9s3MVe0xGJUkwK93X+89YQpc=,iv:9tzNWIk10A4w986fo6pkpaUvo4+y5+RD+OmBksy9TbU=,tag:r5Dlv/HGwtlAdKp3HsKiMg==,type:str]",
 "sops": {
 "age": [
 {
@@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-07-08T00:23:59Z", - "mac": "ENC[AES256_GCM,data:Db2w9giZy+TyXp2hpMN1h7ZgBaJ4WiAN2P6IFaoXufOlxT2uwulbzDMYFoUm9jcdFc8zqnYCvttosJIzyjevY5up9gDarzTu+43XFrTxYqPdgRBzzvxSeXmKqDnngAvv/qOWfzt7TG1IzpyytHX/DEPHvPM9dWgut/1K6Eq94Hs=,iv:WoWAAjse1kyn9IGX4kqCl3zvq4kXEMkfTjAi2j5OCFs=,tag:xco/8fudn2kCLnFa8mUIsA==,type:str]", + "lastmodified": "2025-06-13T17:33:11Z", + "mac": "ENC[AES256_GCM,data:/PDAd2LB2n3gwnaYaUHDHT/Ze1YxXTA0wDxAZEc72B9DQO8trN0XISSqQ3YbopOy8J7wZu/HveX5nx4zoCPKcrMtqtFtlyviAE5Afl+3XcgKcNOGK/0yCq1fAD6q8Lfsl/t/5/4qXA5jlhobVmsDFfXJ8woYqCLijZXNNkc3X+w=,iv:Q9yngw0Z6aS1aB/iF6+oFoCYg1yN+mNKEsv8zaX4ba0=,tag:470JaIY68O3NublQLYw7GA==,type:str]", "pgp": [ { "created_at": "2025-06-13T20:12:55Z", diff --git a/hosts/nixos/pyramid/default.nix b/hosts/nixos/nbl-imba-2/default.nix similarity index 100% rename from hosts/nixos/pyramid/default.nix rename to hosts/nixos/nbl-imba-2/default.nix diff --git a/hosts/nixos/pyramid/disk-config.nix b/hosts/nixos/nbl-imba-2/disk-config.nix similarity index 100% rename from hosts/nixos/pyramid/disk-config.nix rename to hosts/nixos/nbl-imba-2/disk-config.nix diff --git a/hosts/nixos/pyramid/hardware-configuration.nix b/hosts/nixos/nbl-imba-2/hardware-configuration.nix similarity index 100% rename from hosts/nixos/pyramid/hardware-configuration.nix rename to hosts/nixos/nbl-imba-2/hardware-configuration.nix 
diff --git a/hosts/nixos/pyramid/secrets/pii.nix.enc b/hosts/nixos/nbl-imba-2/secrets/pii.nix.enc similarity index 62% rename from hosts/nixos/pyramid/secrets/pii.nix.enc rename to hosts/nixos/nbl-imba-2/secrets/pii.nix.enc index 7feeec1..f8cb576 100644 --- a/hosts/nixos/pyramid/secrets/pii.nix.enc +++ b/hosts/nixos/nbl-imba-2/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:PL7Z5mKqbNbPfptREw9xFTiOQ1qiVkyxLPvDSoPvbbY=,tag:OPlhVLtN5IDdL/nkkj8+CQ==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:zbR0Sq8Ka8HEQw+8H71OFv3Yv6CL1zR55jHbZg7oSYs=,tag:y97EhzsNkSZhk8TldYW+og==,type:str]", "sops": { "age": [ { @@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z2tONmQxTUhZUW12Z2Jm\nUnoxSnpYcnZDNGNzSko1ckl2RDh3NG1VS2dFCmIwUXhmSk1OUk02S0JPVDR5UWJ4\na0gwWlg0V005ZWxYa29PZ0laS2VqM0kKLS0tIHN5SU9pQ090eHljeXJGWm5hRFQ4\nZ001Nzkyb29RYkNUMDNDNlo4YnVQeTQK34bNIBgxId2+DHKQNVV3Iro3KGkE03Sp\niB1+dADT6nRvGvoyPqnLq/NYfw7eQ6XqYt55zkdCta8v6L1UNUkw8g==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-07-13T23:20:32Z", - "mac": "ENC[AES256_GCM,data:ibG9NVwVLf4UgdxnHbAToq5n12v4PPgPmnTn8PYg0LZfU2x6GaxRtNvWoFxDa9bEWMRzrlC5oV+hXsTxzJdYliafNTOxWjtOI/ME/HgEE8cU17HuJViWkR+CL+kzCelgFjCD3XajbTRzdTBtcI9icsUvnaManjlSvsgWmqNP36Y=,iv:uCy8Mv5HM611Qd4cvvEiDovnv1uuLZVSN7p7SV10zRA=,tag:fRjfyRkIIh5L97WVyNyxSQ==,type:str]", + "lastmodified": "2025-07-05T10:52:55Z", + "mac": "ENC[AES256_GCM,data:qqct7oB1UmnwAnJ64U4eV7nCQIGGVU82ROidWlexNCb/zrl5+1mzJ1d5oeHojoi42g2jlKU8fAdTKdpewaOsmG+udiqwxsjrlxeXok6vvvVKBfeusA7rhqhQoF2Ct24PSY9PMGD8Nnwd43bVSlZLbHFfQyRtUbzsQ5YkivJtUo4=,iv:hle/CYmxHx1IcH7z4cxZmqMHE5VotOg/ethipEtsXoo=,tag:uM8luDulFJrZm3OfiSRH5Q==,type:str]", "pgp": [ { "created_at": "2025-06-14T22:31:01Z", diff --git a/hosts/nixos/winters/default.nix b/hosts/nixos/winters/default.nix index 6b65107..d622812 100644 
--- a/hosts/nixos/winters/default.nix +++ b/hosts/nixos/winters/default.nix @@ -4,7 +4,6 @@ let sharedOptions = { isBtrfs = false; isLinux = true; - isNixos = true; profiles = { server.local = true; }; diff --git a/index.html b/index.html index 3b60c2e..2669981 100644 --- a/index.html +++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + SwarselSystems: NixOS + Emacs Configuration @@ -230,8 +230,7 @@
  • 2.11. Modules
  • 2.12. Apps
  • 2.13. Overlays
  • -
  • 2.14. Installer iso
  • -
  • 2.15. Installer flake
  • +
  • 2.14. Installer iso
  • 3. System @@ -253,30 +252,22 @@
  • 3.1.2.1.3. disko
  • -
  • 3.1.2.2. Bakery (Lenovo ThinkPad) +
  • 3.1.2.2. Winters (Server)
  • -
  • 3.1.2.3. Winters (Server) - -
  • -
  • 3.1.2.4. nbm-imba-166 (MacBook Pro)
  • -
  • 3.1.2.5. Magicant (Phone)
  • +
  • 3.1.2.3. nbm-imba-166 (MacBook Pro)
  • +
  • 3.1.2.4. Magicant (Phone)
  • 3.1.3. Virtual hosts
  • -
  • 3.1.4.2. Drugstore (ISO installer config)
  • -
  • 3.1.4.3. Treehouse (home-manager only example)
  • +
  • 3.1.4.2. drugstore (ISO)
  • +
  • 3.1.4.3. Home-manager only (default non-NixOS)
  • 3.1.4.4. ChaosTheatre (Demo Physical/VM) @@ -782,7 +769,7 @@

    -This file has 85605 words spanning 22598 lines and was last revised on 2025-07-14 01:07:45 +0200. +This file has 83754 words spanning 22016 lines and was last revised on 2025-07-04 18:25:33 +0200.

    @@ -835,7 +822,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

    -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-07-14 01:07:45 +0200) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-07-04 18:25:33 +0200)

  • @@ -847,7 +834,7 @@ system-configuration-options
    ---prefix=/nix/store/sjapaaf7z48pzml6dw2njyfdgvpp1nn7-emacs-git-pgtk-20250707.0 --disable-build-details --with-modules --with-pgtk --with-compress-install --with-toolkit-scroll-bars --with-native-compilation --without-imagemagick --with-mailutils --without-small-ja-dic --with-tree-sitter --without-xinput2 --without-xwidgets --with-dbus --with-selinux
    +--prefix=/nix/store/903l8w4515jym9sq67wdg4zqsi7wn654-emacs-git-pgtk-20250626.0 --disable-build-details --with-modules --with-pgtk --with-compress-install --with-toolkit-scroll-bars --with-native-compilation --without-imagemagick --with-mailutils --without-small-ja-dic --with-tree-sitter --without-xinput2 --without-xwidgets --with-dbus --with-selinux
     
    @@ -1074,13 +1061,13 @@ Here I give a brief overview over the hostmachines that I am using. This is held |πŸ’» **nbl-imba-2** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop | |πŸ’» **nbm-imba-166** | MacBook Pro 2016 | MacOS Sandbox | |πŸ–₯️ **winters** | ASRock J4105-ITX, 32GB RAM | Main homeserver and data storgae | -|πŸ–₯️ **milkywell** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks | +|πŸ–₯️ **sync** | Oracle Cloud: VM.Standard.E2.1.Micro | Server for lightweight synchronization tasks | |πŸ–₯️ **moonside** | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services | |πŸ“± **magicant** | Samsung Galaxy Z Flip 6 | Phone | |πŸ’Ώ **drugstore** | - | ISO installer configuration | |❔ **chaotheatre** | - | Demo config for checking out my configurtion | |❔ **toto** | - | Helper configuration for bootstrapping a new system | -|🏠 **Treehouse** | - | Reference configuration for a home-manager only host | +|🏠 **home** | - | Reference configuration for a home-manager only host | @@ -1276,7 +1263,6 @@ This automatically creates a topology diagram of my configuration. }; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs-dev.url = "github:Swarsel/nixpkgs/main"; nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05"; 
@@ -1336,6 +1322,11 @@ This automatically creates a topology diagram of my configuration. url = "github:cachix/git-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + nix-secrets = { + url = "git+ssh://git@github.com/Swarsel/nix-secrets.git?ref=main&shallow=1"; + flake = false; + inputs = { }; + }; vbc-nix = { url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -1689,93 +1680,89 @@ The structure of globals.nix.enc requires a toplevel globals< inherit (outputs) lib; # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); - mkNixosHost = { minimal }: configName: - lib.nixosSystem { - specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; - modules = [ - inputs.disko.nixosModules.disko - inputs.sops-nix.nixosModules.sops - inputs.impermanence.nixosModules.impermanence - inputs.lanzaboote.nixosModules.lanzaboote - inputs.nix-topology.nixosModules.default - inputs.home-manager.nixosModules.home-manager - inputs.stylix.nixosModules.stylix - inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm - "${self}/hosts/nixos/${configName}" - "${self}/profiles/nixos" - "${self}/modules/nixos" - { - node = { - name = configName; - secretsDir = ../hosts/nixos/${configName}/secrets; - }; - } - ]; - }; + mkNixosHost = { minimal }: name: + lib.nixosSystem { + specialArgs = { inherit inputs outputs lib self minimal; inherit (config) globals nodes; }; + modules = [ + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops + inputs.impermanence.nixosModules.impermanence + inputs.lanzaboote.nixosModules.lanzaboote + inputs.nix-topology.nixosModules.default + inputs.home-manager.nixosModules.home-manager + "${self}/hosts/nixos/${name}" + "${self}/profiles/nixos" + "${self}/modules/nixos" + { + node.name = name; + node.secretsDir = ../hosts/nixos/${name}/secrets; + } + ]; + }; - mkDarwinHost = { minimal }: configName: - inputs.nix-darwin.lib.darwinSystem { - specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; }; - modules = [ - # inputs.disko.nixosModules.disko - # inputs.sops-nix.nixosModules.sops - # inputs.impermanence.nixosModules.impermanence - # inputs.lanzaboote.nixosModules.lanzaboote - # 
inputs.fw-fanctrl.nixosModules.default - # inputs.nix-topology.nixosModules.default - inputs.home-manager.darwinModules.home-manager - "${self}/hosts/darwin/${configName}" - "${self}/modules/nixos/darwin" - # needed for infrastructure - "${self}/modules/nixos/common/meta.nix" - "${self}/modules/nixos/common/globals.nix" - { - node.name = configName; - node.secretsDir = ../hosts/darwin/${configName}/secrets; - } - ]; - }; + mkDarwinHost = { minimal }: name: + inputs.nix-darwin.lib.darwinSystem { + specialArgs = { inherit inputs outputs lib self minimal; inherit (config) globals nodes; }; + modules = [ + # inputs.disko.nixosModules.disko + # inputs.sops-nix.nixosModules.sops + # inputs.impermanence.nixosModules.impermanence + # inputs.lanzaboote.nixosModules.lanzaboote + # inputs.fw-fanctrl.nixosModules.default + # inputs.nix-topology.nixosModules.default + inputs.home-manager.darwinModules.home-manager + "${self}/hosts/darwin/${name}" + "${self}/modules/nixos/darwin" + # needed for infrastructure + "${self}/modules/nixos/common/meta.nix" + "${self}/modules/nixos/common/globals.nix" + { + node.name = name; + node.secretsDir = ../hosts/darwin/${name}/secrets; + } + ]; + }; - mkHalfHost = configName: type: pkgs: { - ${configName} = + mkHalfHost = name: type: pkgs: { + ${name} = let systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; in - systemFunc - { - inherit pkgs; - extraSpecialArgs = { inherit inputs outputs lib self configName; }; - modules = [ "${self}/hosts/${type}/${configName}" ]; - }; + systemFunc + { + inherit pkgs; + extraSpecialArgs = { inherit inputs outputs lib self; }; + modules = [ "${self}/hosts/${type}/${name}" ]; + }; }; mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (name: mkHalfHost name type pkgs) hosts); nixosHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir 
"${self}/hosts/nixos")); darwinHosts = builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/hosts/darwin")); in - { - nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { - minimal = false; - }); - nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { - minimal = true; - }); - darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = false; - }); - darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { - minimal = true; - }); + { + nixosConfigurations = lib.genAttrs nixosHosts (mkNixosHost { + minimal = false; + }); + nixosConfigurationsMinimal = lib.genAttrs nixosHosts (mkNixosHost { + minimal = true; + }); + darwinConfigurations = lib.genAttrs darwinHosts (mkDarwinHost { + minimal = false; + }); + darwinConfigurationsMinimal = lib.genAttrs darwinHosts (mkDarwinHost { + minimal = true; + }); - # TODO: Build these for all architectures - homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux; - nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux; + # TODO: Build these for all architectures + homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux; + nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux; - diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; + diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; - nodes = config.nixosConfigurations // config.darwinConfigurations; + nodes = config.nixosConfigurations // config.darwinConfigurations; - }; + }; } 
@@ -1821,7 +1808,7 @@ The structure of globals.nix.enc requires a toplevel globals< connections = [ (mkConnection "moonside" "wan") (mkConnection "pfsense" "wan") - (mkConnection "milkywell" "wan") + (mkConnection "sync" "wan") (mkConnection "toto" "bootstrapper") (mkConnection "chaostheatre" "demo host") ]; @@ -1829,7 +1816,7 @@ The structure of globals.nix.enc requires a toplevel globals< chaostheatre.interfaces."demo host" = { }; toto.interfaces."bootstrapper" = { }; - milkywell.interfaces.wan = { }; + sync.interfaces.wan = { }; moonside.interfaces.wan = { }; pfsense = mkRouter "pfSense" { @@ -2309,13 +2296,6 @@ in }; }; - nixpkgs-dev = final: _: { - dev = import inputs.nixpkgs-dev { - inherit (final) system; - config.allowUnfree = true; - }; - }; - nixpkgs-kernel = final: _: { kernel = import inputs.nixpkgs-kernel { inherit (final) system; @@ -2345,7 +2325,6 @@ in (additions final prev) // (modifications final prev) // (nixpkgs-stable final prev) - // (nixpkgs-dev final prev) // (nixpkgs-kernel final prev) // (nixpkgs-stable24_05 final prev) // (nixpkgs-stable24_11 final prev) @@ -2362,21 +2341,20 @@ in -
    -

    2.14. Installer iso

    -
    +
    +

    2.14. Installer iso

    +
    -
    { self, inputs, ... }:
    +
    { inputs, ... }:
     {
       perSystem = { pkgs, system, ... }:
         {
           # nix build --print-out-paths --no-link .#images.<target-system>.live-iso
           packages.live-iso = inputs.nixos-generators.nixosGenerate {
             inherit pkgs;
    -        specialArgs = { inherit self; };
             modules = [
               inputs.home-manager.nixosModules.home-manager
    -          "${self}/install/installer-config.nix"
    +          ./installer-config.nix
             ];
             format =
               {
    @@ -2391,21 +2369,6 @@ in
     
    -
    -

    2.15. Installer flake

    -
    -
    -
    {
    -  description = "Minimal installer flake - not to be used manually";
    -
    -  inputs.swarsel.url = "./..";
    -
    -  outputs = { swarsel, ... }: { nixosConfigurations = swarsel.nixosConfigurationsMinimal; };
    -}
    -
    -
    -
    -

    3. System

    @@ -2433,13 +2396,13 @@ This is the template that I use for new deployments of personal machines. Server
    3.1.1.1. Main Configuration
    -
    { self, config, inputs, pkgs, lib, ... }:
    +
    { self, inputs, pkgs, lib, globals, ... }:
     let
    -  primaryUser = config.swarselsystems.mainUser;
       modulesPath = "${self}/modules";
       sharedOptions = {
         isBtrfs = true;
       };
    +  primaryUser = globals.user.name;
     in
     {
     
    @@ -2651,20 +2614,17 @@ My work machine. Built for more security, this is the gold standard of my config
     
    3.1.2.1.1. Main Configuration
    -
    { self, config, inputs, lib, minimal, ... }:
    +
    { self, config, inputs, lib, globals, ... }:
     let
    -  primaryUser = config.swarselsystems.mainUser;
    +  primaryUser = globals.user.name;
       sharedOptions = {
    -    isLaptop = true;
    -    isNixos = true;
         isBtrfs = true;
         isLinux = true;
         sharescreen = "eDP-2";
         profiles = {
    -      personal = lib.mkIf (!minimal) true;
    -      minimal = lib.mkIf minimal true;
    -      work = lib.mkIf (!minimal) true;
    -      framework = lib.mkIf (!minimal) true;
    +      personal = true;
    +      work = true;
    +      framework = true;
         };
       };
     in
    @@ -2705,6 +2665,8 @@ in
         # home.stateVersion = lib.mkForce "23.05";
         swarselsystems = lib.recursiveUpdate
           {
    +        isLaptop = true;
    +        isNixos = true;
             isSecondaryGpu = true;
             SecondaryGpuCard = "pci-0000_03_00_0";
             cpuCount = 16;
    @@ -2892,258 +2854,8 @@ in
         };
       };
     
    -  fileSystems = {
    -    "/persist".neededForBoot = true;
    -    "/home".neededForBoot = true;
    -    "/var/log".neededForBoot = true;
    -  };
    -}
    -
    -
    -
    -
    -
    -
    -
    -
    3.1.2.2. Bakery (Lenovo ThinkPad)
    -
    -

    -My personal laptop. -

    -
    -
    -
    3.1.2.2.1. Main Configuration
    -
    -
    -
    { self, config, inputs, lib, minimal, ... }:
    -let
    -  primaryUser = config.swarselsystems.mainUser;
    -  sharedOptions = {
    -    isLaptop = true;
    -    isNixos = true;
    -    isBtrfs = true;
    -    isLinux = true;
    -    sharescreen = "eDP-1";
    -    profiles = {
    -      reduced = lib.mkIf (!minimal) true;
    -      minimal = lib.mkIf minimal true;
    -    };
    -  };
    -in
    -{
    -
    -  imports = [
    -    inputs.nixos-hardware.nixosModules.common-cpu-intel
    -
    -    ./disk-config.nix
    -    ./hardware-configuration.nix
    -
    -  ];
    -
    -
    -  swarselsystems = lib.recursiveUpdate
    -    {
    -      info = "Lenovo ThinkPad";
    -      firewall = lib.mkForce true;
    -      wallpaper = self + /files/wallpaper/lenovowp.png;
    -      hasBluetooth = true;
    -      hasFingerprint = true;
    -      isImpermanence = true;
    -      isSecureBoot = false;
    -      isCrypted = true;
    -      isSwap = true;
    -      rootDisk = "/dev/nvme0n1";
    -      swapSize = "4G";
    -      hostName = config.node.name;
    -      profiles = {
    -        btrfs = true;
    -      };
    -    }
    -    sharedOptions;
    -
    -  home-manager.users."${primaryUser}" = {
    -    # home.stateVersion = lib.mkForce "23.05";
    -    swarselsystems = lib.recursiveUpdate
    -      {
    -        lowResolution = "1280x800";
    -        highResolution = "1920x1080";
    -        monitors = {
    -          main = {
    -            name = "LG Display 0x04EF Unknown";
    -            mode = "1920x1080"; # TEMPLATE
    -            scale = "1";
    -            position = "1920,0";
    -            workspace = "15:L";
    -            output = "eDP-1";
    -          };
    -        };
    -      }
    -      sharedOptions;
    -  };
    -}
    -
    -
    -
    -
    -
    -
    -
    -
    -
    3.1.2.2.2. hardware-configuration
    -
    -
    -
    # Do not modify this file!  It was generated by β€˜nixos-generate-config’
    -# and may be overwritten by future invocations.  Please make changes
    -# to /etc/nixos/configuration.nix instead.
    -{ config, lib, modulesPath, ... }:
    -
    -{
    -  imports =
    -    [
    -      (modulesPath + "/installer/scan/not-detected.nix")
    -    ];
    -
    -  boot = {
    -    initrd = {
    -      availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
    -      kernelModules = [ ];
    -    };
    -    kernelModules = [ ];
    -    extraModulePackages = [ ];
    -  };
    -
    -  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
    -  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
    -}
    -
    -
    -
    -
    -
    -
    3.1.2.2.3. disko
    -
    -
    -
    { lib, pkgs, config, rootDisk, ... }:
    -let
    -  type = "btrfs";
    -  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
    -  subvolumes = {
    -    "/root" = {
    -      mountpoint = "/";
    -      mountOptions = [
    -        "subvol=root"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
    -      mountpoint = "/home";
    -      mountOptions = [
    -        "subvol=home"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    -      mountpoint = "/persist";
    -      mountOptions = [
    -        "subvol=persist"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
    -      mountpoint = "/var/log";
    -      mountOptions = [
    -        "subvol=log"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/nix" = {
    -      mountpoint = "/nix";
    -      mountOptions = [
    -        "subvol=nix"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/swap" = lib.mkIf config.swarselsystems.isSwap {
    -      mountpoint = "/.swapvol";
    -      swap.swapfile.size = config.swarselsystems.swapSize;
    -    };
    -  };
    -in
    -{
    -  disko.devices = {
    -    disk = {
    -      disk0 = {
    -        type = "disk";
    -        device = config.swarselsystems.rootDisk;
    -        content = {
    -          type = "gpt";
    -          partitions = {
    -            ESP = {
    -              priority = 1;
    -              name = "ESP";
    -              size = "512M";
    -              type = "EF00";
    -              content = {
    -                type = "filesystem";
    -                format = "vfat";
    -                mountpoint = "/boot";
    -                mountOptions = [ "defaults" ];
    -              };
    -            };
    -            root = lib.mkIf (!config.swarselsystems.isCrypted) {
    -              size = "100%";
    -              content = {
    -                inherit type subvolumes extraArgs;
    -                postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    -                  MNTPOINT=$(mktemp -d)
    -                  mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
    -                  trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    -                  btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    -                '';
    -              };
    -            };
    -            luks = lib.mkIf config.swarselsystems.isCrypted {
    -              size = "100%";
    -              content = {
    -                type = "luks";
    -                name = "cryptroot";
    -                passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
    -                settings = {
    -                  allowDiscards = true;
    -                  # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
    -                  crypttabExtraOpts = [
    -                    "fido2-device=auto"
    -                    "token-timeout=10"
    -                  ];
    -                };
    -                content = {
    -                  inherit type subvolumes extraArgs;
    -                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    -                    MNTPOINT=$(mktemp -d)
    -                    mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
    -                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    -                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    -                  '';
    -                };
    -              };
    -            };
    -          };
    -        };
    -      };
    -    };
    -  };
    -
    -  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    -  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    -
    -  environment.systemPackages = [
    -    pkgs.yubikey-manager
    -  ];
    +  fileSystems."/persist".neededForBoot = true;
    +  fileSystems."/var/log".neededForBoot = true;
     }
     
     
    @@ -3152,23 +2864,22 @@ in
    -
    3.1.2.3. Winters (Server)
    +
    3.1.2.2. Winters (Server)

    This is my main server that I run at home. It handles most tasks that require bigger amounts of storage than I can receive for free at OCI. Also it houses some data that I find too sensitive to hand over to Oracle.

    -
    3.1.2.3.1. Main Configuration
    +
    3.1.2.2.1. Main Configuration
    -
    { lib, config, ... }:
    +
    { lib, config, globals, ... }:
     let
    -  primaryUser = config.swarselsystems.mainUser;
    +  primaryUser = globals.user.name;
       sharedOptions = {
         isBtrfs = false;
         isLinux = true;
    -    isNixos = true;
         profiles = {
           server.local = true;
         };
    @@ -3217,7 +2928,7 @@ in
     
    -
    3.1.2.3.2. hardware-configuration
    +
    3.1.2.2.2. hardware-configuration
    { config, lib, modulesPath, ... }:
    @@ -3271,7 +2982,7 @@ in
     
    -
    3.1.2.4. nbm-imba-166 (MacBook Pro)
    +
    3.1.2.3. nbm-imba-166 (MacBook Pro)

    A Mac notebook that I have received from work. I use this machine for getting accustomed to the Apple ecosystem as well as as a sandbox for nix-darwin configurations. @@ -3306,7 +3017,7 @@ in

    -
    3.1.2.5. Magicant (Phone)
    +
    3.1.2.4. Magicant (Phone)

    My phone. I use only a minimal config for remote debugging here. @@ -3377,7 +3088,7 @@ I have removed most of the machines from this section. What remains are some hos

    -
    3.1.3.1. MilkyWell (OCI)
    +
    3.1.3.1. Sync (OCI)

    This machine mainly acts as an external sync helper. It manages the following things: @@ -3399,56 +3110,176 @@ All of these are processes that use little cpu but can take a lot of storage. Fo

    3.1.3.1.1. Main configuration
    -
    { lib, config, minimal, ... }:
    +
    { lib, config, globals, ... }:
     let
    -  primaryUser = config.swarselsystems.mainUser;
    +  primaryUser = globals.user.name;
       sharedOptions = {
    -    isBtrfs = true;
    +    isBtrfs = false;
         isLinux = true;
    -    isNixos = true;
    -  };
    -  profiles = {
    -    minimal = lib.mkIf minimal true;
       };
    +  inherit (config.repo.secrets.common) workHostName;
    +  inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
    +  serviceDomain = config.repo.secrets.common.services.domains.syncthing2;
     in
     {
       imports = [
         ./hardware-configuration.nix
    -    ./disk-config.nix
       ];
     
    -  boot = {
    -    loader.systemd-boot.enable = true;
    -    tmp.cleanOnBoot = true;
    +  sops = {
    +    defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml";
       };
     
    +  boot = {
    +    tmp.cleanOnBoot = true;
    +    loader.grub.device = "nodev";
    +  };
    +  zramSwap.enable = false;
    +
       networking = {
         nftables.enable = lib.mkForce false;
    -    hostName = "milkywell";
    -    enableIPv6 = true;
    +    hostName = "sync";
    +    enableIPv6 = false;
         domain = "subnet03112148.vcn03112148.oraclevcn.com";
    +    firewall = {
    +      allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ];
    +      allowedUDPPorts = [ 21027 22000 ];
    +      extraCommands = ''
    +        iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    +        iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
    +        iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
    +        iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
    +        iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
    +        iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
    +        iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
    +        iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
    +        iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
    +      '';
    +    };
       };
     
       hardware = {
         enableAllFirmware = lib.mkForce false;
       };
     
    +  system.stateVersion = "23.11";
    +
    +  globals.services."syncthing-${config.networking.hostName}".domain = serviceDomain;
    +
    +  services = {
    +    nginx = {
    +      virtualHosts = {
    +        ${serviceDomain} = {
    +          enableACME = true;
    +          forceSSL = true;
    +          acmeRoot = null;
    +          locations = {
    +            "/" = {
    +              proxyPass = "http://localhost:8384";
    +              extraConfig = ''
    +                client_max_body_size 0;
    +              '';
    +            };
    +          };
    +        };
    +      };
    +    };
    +
    +    syncthing = {
    +      enable = true;
    +      guiAddress = "0.0.0.0:8384";
    +      openDefaultPorts = true;
    +      relay.enable = false;
    +      settings = {
    +        urAccepted = -1;
    +        devices = {
    +          "magicant" = {
    +            id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
    +          };
    +          "winters" = {
    +            id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
    +          };
    +          "${workHostName}" = {
    +            id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
    +          };
    +          "${dev1}" = {
    +            id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
    +          };
    +          "${dev2}" = {
    +            id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
    +          };
    +          "${dev3}" = {
    +            id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
    +          };
    +        };
    +        folders = {
    +          "Default Folder" = lib.mkForce {
    +            path = "/var/lib/syncthing/Sync";
    +            type = "receiveonly";
    +            versioning = null;
    +            devices = [ "winters" "magicant" "${workHostName}" ];
    +            id = "default";
    +          };
    +          "Obsidian" = {
    +            path = "/var/lib/syncthing/Obsidian";
    +            type = "receiveonly";
    +            versioning = {
    +              type = "simple";
    +              params.keep = "5";
    +            };
    +            devices = [ "winters" "magicant" "${workHostName}" ];
    +            id = "yjvni-9eaa7";
    +          };
    +          "Org" = {
    +            path = "/var/lib/syncthing/Org";
    +            type = "receiveonly";
    +            versioning = {
    +              type = "simple";
    +              params.keep = "5";
    +            };
    +            devices = [ "winters" "magicant" "${workHostName}" ];
    +            id = "a7xnl-zjj3d";
    +          };
    +          "Vpn" = {
    +            path = "/var/lib/syncthing/Vpn";
    +            type = "receiveonly";
    +            versioning = {
    +              type = "simple";
    +              params.keep = "5";
    +            };
    +            devices = [ "winters" "magicant" "${workHostName}" ];
    +            id = "hgp9s-fyq3p";
    +          };
    +          "${loc1}" = {
    +            path = "/var/lib/syncthing/${loc1}";
    +            type = "receiveonly";
    +            versioning = {
    +              type = "simple";
    +              params.keep = "3";
    +            };
    +            devices = [ dev1 dev2 dev3 ];
    +            id = "5gsxv-rzzst";
    +          };
    +        };
    +      };
    +    };
    +  };
    +
       swarselsystems = lib.recursiveUpdate
         {
           info = "VM.Standard.E2.1.Micro";
    -      isImpermanence = true;
    +      flakePath = "/root/.dotfiles";
    +      isImpermanence = false;
           isSecureBoot = false;
    -      isCrypted = true;
    -      isSwap = true;
    -      rootDisk = "/dev/sda";
    -      swapSize = "4G";
    +      isCrypted = false;
           profiles = {
    -        server.syncserver = true;
    +        server.sync = true;
           };
         }
         sharedOptions;
     
       home-manager.users."${primaryUser}" = {
    +    home.stateVersion = lib.mkForce "23.05";
         swarselsystems = lib.recursiveUpdate
           { }
           sharedOptions;
    @@ -3476,6 +3307,22 @@ in
         extraModulePackages = [ ];
       };
     
    +  fileSystems = {
    +    "/" = {
    +      device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a";
    +      fsType = "xfs";
    +    };
    +
    +    "/boot" = {
    +      device = "/dev/disk/by-uuid/2B75-2AD5";
    +      fsType = "vfat";
    +    };
    +  };
    +
    +  swapDevices = [
    +    { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; }
    +  ];
    +
       # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
       # (the default) this is the recommended approach. When using systemd-networkd it's
       # still possible to use this option, but it's recommended to use it in conjunction
    @@ -3486,114 +3333,6 @@ in
       nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
       hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
     }
    -
    -
    -
    -
    -
    -
    3.1.3.1.3. disko
    -
    -
    -
    # NOTE: ... is needed because dikso passes diskoFile
    -{ lib
    -, config
    -, rootDisk
    -, ...
    -}:
    -let
    -  type = "btrfs";
    -  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
    -  subvolumes = {
    -    "/root" = {
    -      mountpoint = "/";
    -      mountOptions = [
    -        "subvol=root"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
    -      mountpoint = "/home";
    -      mountOptions = [
    -        "subvol=home"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
    -      mountpoint = "/persist";
    -      mountOptions = [
    -        "subvol=persist"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
    -      mountpoint = "/var/log";
    -      mountOptions = [
    -        "subvol=log"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/nix" = {
    -      mountpoint = "/nix";
    -      mountOptions = [
    -        "subvol=nix"
    -        "compress=zstd"
    -        "noatime"
    -      ];
    -    };
    -    "/swap" = lib.mkIf config.swarselsystems.isSwap {
    -      mountpoint = "/.swapvol";
    -      swap.swapfile.size = config.swarselsystems.swapSize;
    -    };
    -  };
    -in
    -{
    -  disko.devices = {
    -    disk = {
    -      disk0 = {
    -        type = "disk";
    -        device = config.swarselsystems.rootDisk;
    -        content = {
    -          type = "gpt";
    -          partitions = {
    -            ESP = {
    -              priority = 1;
    -              name = "ESP";
    -              size = "512M";
    -              type = "EF00";
    -              content = {
    -                type = "filesystem";
    -                format = "vfat";
    -                mountpoint = "/boot";
    -                mountOptions = [ "defaults" ];
    -              };
    -            };
    -            root = {
    -              size = "100%";
    -              content = {
    -                inherit type subvolumes extraArgs;
    -                postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
    -                  MNTPOINT=$(mktemp -d)
    -                  mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
    -                  trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
    -                  btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
    -                '';
    -              };
    -            };
    -          };
    -        };
    -      };
    -    };
    -  };
    -
    -  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    -  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
    -}
    -
    -
     
    @@ -3609,15 +3348,13 @@ in
    { lib, config, globals, ... }:
     let
    -  primaryUser = config.swarselsystems.mainUser;
    +  primaryUser = globals.user.name;
       inherit (config.repo.secrets.common) workHostName;
       inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
    -  inherit (config.swarselsystems) sopsFile;
       serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
     
       sharedOptions = {
         isBtrfs = true;
    -    isNixos = true;
         isLinux = true;
       };
     in
    @@ -3629,9 +3366,9 @@ in
     
       sops = {
         age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
    -    # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
    +    defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
         secrets = {
    -      wireguard-private-key = { inherit sopsFile; };
    +      wireguard-private-key = { };
         };
       };
     
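Review bot: `defaultSopsFile` at the `+` line is an absolute `/home/swarsel/.dotfiles/...` path, which duplicates the `flakePath` value this same host sets later in the diff and ties secret lookup to a checkout living at exactly that location on the target. Deriving it from the option, `defaultSopsFile = lib.mkForce "${config.swarselsystems.flakePath}/secrets/moonside/secrets.yaml";`, keeps the two from drifting. If sops-nix treats the string as a runtime path rather than copying the file into the store, a missing or stale checkout will only surface at activation, which is worth confirming before relying on it for the WireGuard key.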
    @@ -3821,6 +3558,7 @@ in
       swarselsystems = lib.recursiveUpdate
         {
           info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM";
    +      flakePath = "/home/swarsel/.dotfiles";
           isImpermanence = true;
           isSecureBoot = false;
           isCrypted = false;
    @@ -4019,15 +3757,14 @@ This is a slim setup for developing base configuration. I do not track the hardw
     
    3.1.4.1.1. Main Configuration
    -
    { self, config, lib, minimal, ... }:
    +
    { self, inputs, pkgs, lib, ... }:
     let
    -  primaryUser = config.swarselsystems.mainUser;
    +  modulesPath = "${self}/modules";
       sharedOptions = {
         isBtrfs = true;
         isLinux = true;
         profiles = {
    -      toto = lib.mkIf (!minimal) true;
    -      minimal = lib.mkIf minimal true;
    +      toto = true;
         };
       };
     in
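Review bot: The new `let` binding `modulesPath = "${self}/modules";` reuses the name of the NixOS module-system argument `modulesPath`, which points into nixpkgs' own module tree, so a reader of `"${modulesPath}/nixos/common/sharedsetup.nix"` further down may take it for that argument. A distinct name such as `repoModules` removes the ambiguity. The module body continues outside this hunk.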
    @@ -4036,9 +3773,41 @@ in
       imports = [
         ./disk-config.nix
         ./hardware-configuration.nix
    +
    +    "${modulesPath}/nixos/common/sharedsetup.nix"
    +    "${modulesPath}/home/common/sharedsetup.nix"
    +    "${self}/profiles/nixos"
    +
    +    inputs.home-manager.nixosModules.home-manager
    +    {
    +      home-manager.users."setup".imports = [
    +        inputs.sops-nix.homeManagerModules.sops
    +        "${modulesPath}/home/common/sharedsetup.nix"
    +        "${self}/profiles/home"
    +      ];
    +    }
       ];
     
     
    +  environment.systemPackages = with pkgs; [
    +    curl
    +    git
    +    gnupg
    +    rsync
    +    ssh-to-age
    +    sops
    +    vim
    +    just
    +    sbctl
    +  ];
    +
    +  system.stateVersion = lib.mkForce "23.05";
    +
    +  boot = {
    +    supportedFilesystems = [ "btrfs" ];
    +    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
    +  };
    +
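Review bot: `home-manager.users."setup".imports` in the added `imports` entry assumes a `setup` account exists, but nothing in this hunk declares `users.users.setup`; if it is not defined elsewhere in the toto configuration, the home-manager NixOS module will likely fail to evaluate when it looks up that user's home directory. The literal `"setup"` is repeated again at `home-manager.users."setup" = {` in the next hunk, so a single `let` binding for the user name would keep them in step. The two consecutive blank `+` lines at the end of the hunk look accidental.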
     
       networking = {
         hostName = "toto";
    @@ -4050,18 +3819,17 @@ in
           info = "~SwarselSystems~ remote install helper";
           wallpaper = self + /files/wallpaper/lenovowp.png;
           isImpermanence = true;
    -      isCrypted = true;
    +      isCrypted = false;
           isSecureBoot = false;
    -      isSwap = true;
    -      swapSize = "2G";
    +      isSwap = false;
    +      swapSize = "8G";
           # rootDisk = "/dev/nvme0n1";
    -      rootDisk = "/dev/vda";
    -      profiles.btrfs = true;
    +      rootDisk = "/dev/sda";
           # rootDisk = "/dev/vda";
         }
         sharedOptions;
     
    -  home-manager.users.${primaryUser} = {
    +  home-manager.users."setup" = {
         home.stateVersion = lib.mkForce "23.05";
         swarselsystems = lib.recursiveUpdate
           {
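Review bot: `swapSize = "8G";` is set on the line directly after `isSwap = false;`, so the value is dead unless swap is re-enabled; either drop it or mark it with a comment such as `# unused while isSwap = false`. The commented-out `# rootDisk = "/dev/vda";` now appears both above and below the active `rootDisk = "/dev/sda";`, and one copy should go. The attribute set continues outside the hunk.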
    @@ -4217,7 +3985,7 @@ in
     
    -
    3.1.4.2. Drugstore (ISO installer config)
    +
    3.1.4.2. drugstore (ISO)

    This is a live environment ISO that I use to bootstrap new systems. It only loads a minimal configuration and no graphical interface. After booting this image on a host, find out its IP and bootstrap the system using the bootstrap utility.
@@ -4225,11 +3993,8 @@ This is a live environment ISO that I use to bootstrap new systems. It only load

    -
    { self, config, pkgs, lib, ... }:
    -let
    -  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
    -in
    -  {
    +
    { pkgs, lib, ... }:
    +{
     
       config = {
         home-manager.users.root.home = {
    @@ -4242,48 +4007,9 @@ in
             };
           };
         };
    -    home-manager.users.swarsel = {
    -      home = {
    -        username = "swarsel";
    -        homeDirectory = lib.mkDefault "/home/swarsel";
    -        stateVersion = lib.mkDefault "23.05";
    -        keyboard.layout = "us";
    -        sessionVariables = {
    -          FLAKE = "/home/swarsel/.dotfiles";
    -        };
    -        file = {
    -          ".bash_history" = {
    -            text = ''
    -              swarsel-install -n chaostheatre
    -            '';
    -          };
    -        };
    -      };
    -    };
     
    -    security.sudo.extraConfig = ''
    -      Defaults    env_keep+=SSH_AUTH_SOCK
    -      Defaults lecture = never
    -    '';
    -    security.pam = {
    -      sshAgentAuth.enable = true;
    -      services = {
    -        sudo.u2fAuth = true;
    -      };
    -    };
    -
    -    nix = {
    -      channel.enable = false;
    -      package = pkgs.nixVersions.nix_2_28;
    -      extraOptions = ''
    -        plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    -          buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
    -          patches = (o.patches or []) ++ [ ../nix/nix-plugins.patch ];
    -        })}/lib/nix/plugins
    -        extra-builtins-file = ${../nix/extra-builtins.nix}
    -      '';
    -
    -      settings.experimental-features = [ "nix-command" "flakes" ];
    +    nix.settings = {
    +      experimental-features = [ "nix-command" "flakes" ];
         };
     
         boot = {
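Review bot: The replacement `nix.settings` block keeps only `experimental-features`, while the removed block also carried `channel.enable = false;` and a pinned `package`; unless a shared module supplies them, the ISO now falls back to the defaults for both. If channels were meant to stay disabled, add `nix.channel.enable = false;` beside the new settings. The `config` attribute set continues outside the hunk.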
    @@ -4308,7 +4034,6 @@ in
           curl
           git
           gnupg
    -      networkmanager
           rsync
           ssh-to-age
           sops
    @@ -4325,16 +4050,16 @@ in
     
         environment.etc."issue".text = ''
           ~SwarselSystems~
    -      IP of primary interface: \4
    -      The Password for all users & root is 'setup'.
    -      Install the system remotely by running 'bootstrap -n <CONFIGURATION_NAME> -d <IP_FROM_ABOVE> ' on a machine with deployed secrets.
    -      Alternatively, run 'swarsel-install -n <CONFIGURATION_NAME>' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access).
    +                               IP of primary interface: \4
    +                                                                   The Password for all users & root is 'setup'.
    +                                                                   Install the system remotely by running 'bootstrap -n <CONFIGURATION_NAME> -d <IP_FROM_ABOVE> ' on a machine with deployed secrets.
    +                                                                   Alternatively, run 'swarsel-install -n <CONFIGURATION_NAME>' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access).
         '';
     
         networking = {
           hostName = "drugstore";
           wireless.enable = false;
    -      # dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
    +      dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
           networkmanager.enable = true;
         };
     
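Review bot: The four rewritten lines of `environment.etc."issue".text` carry far more leading whitespace than `~SwarselSystems~` on the line above them; a Nix `''` string strips only the common minimal indentation, so the banner will be printed with those extra spaces on every line but the first. Re-indent them to the same column as `~SwarselSystems~`. `dhcpcd.runHook` references `pkgs.utillinux`, which nixpkgs keeps only as an alias of `util-linux`; prefer `pkgs.util-linux` so the expression survives with aliases disabled, and confirm dhcpcd is actually the active DHCP client here given `networkmanager.enable = true;` two lines below.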
    @@ -4342,20 +4067,11 @@ in
     
         users = {
           allowNoPasswordLogin = true;
    -      groups.swarsel = { };
           users = {
    -        swarsel = {
    -          name = "swarsel";
    -          group = "swarsel";
    -          isNormalUser = true;
    -          password = "setup"; # this is overwritten after install
    -          openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
    -          extraGroups = [ "wheel" ];
    -        };
             root = {
    +          password = "setup"; # this is overwritten after install
               initialHashedPassword = lib.mkForce null;
    -          password = lib.mkForce config.users.users.swarsel.password; # this is overwritten after install
    -          openssh.authorizedKeys.keys = config.users.users.swarsel.openssh.authorizedKeys.keys;
    +          openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDd0XXoLfRE0AyasxscEBwMqOnLWPqwz+etGqzVNeSw/RcgnxOi903mlVjCH+jzWMSe2GVSgzgM20j/r9sfE2P1z+wq/RODFS04JM0ltUoFkkm/IDZXQ2piOk7AoVi5ajdx4EiBnXY87jvxh5cCgQltkj3ouPF7FVN/MaN21IgWYB8NgkaVGft//OplodlDQNot17c0sFMibY0HcquwmHhqKOtKM1gT98+jZl0rd1rCqXFOvkesW6FPC4nzirPai+Hizp5gncrkJOZmLLqrjVx6PfpQzqzIhoUn1YS5CpyfXnKZUgx2Oi8SENmWOZ9DxYvDklgEttob37E2bIXbUhOw/u4I3olGFgCsKL6jg0N+d5teEaCZFnzlOp0UMWiUo7lVqq7Bwl3rNka2pxEdZ9v/1+m9cJiP7h6pnKmccVGku57iGIDnsnoTrmo1qbAje+EsmPYbc+qMnTDvOdSHTOXnjsyTd+ADklvMHCUAuf6ku4ktQEhlZxU3PvYvKHa1cTCEXxLWjytIgHgTgab9M5IH29Q55LSRRQBzUdkwjOG6KhsqG+xEE6038EbXr0MGKTm01AFmeVZWewmkSLu2UdoOMiw8mTSQhQFfp2QruYHnh7oJCo7ttKT1sLoRX+TfgQm1ryn/orhReg2GFfmbiLGxaJGVNvjqCxqrIFQXx4ZDHw== cardno:22_412_399" ];
             };
           };
         };
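Review bot: `root` on this live image now carries both `password = "setup"` and an authorized SSH key, and the `/etc/issue` banner in the previous hunk publishes that password, so whether it is usable over the network depends entirely on sshd settings not visible here; check that the ISO sets `services.openssh.settings.PasswordAuthentication = false;` or `services.openssh.settings.PermitRootLogin = "prohibit-password";` so the published password only works at the console. The authorized key is now an inline literal replacing the earlier read of the key files under `${self}/secrets/keys/ssh`, which means key rotation must remember this file; a `let` binding holding the key, or restoring the file read, keeps it in one place.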
    @@ -4366,10 +4082,10 @@ in
     
         system.activationScripts.cache = {
           text = ''
    -        mkdir -p -m=0777 /home/swarsel/.local/state/nix/profiles
    -        mkdir -p -m=0777 /home/swarsel/.local/state/home-manager/gcroots
    -        mkdir -p -m=0777 /home/swarsel/.local/share/nix/
    -        printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/swarsel/.local/share/nix/trusted-settings.json > /dev/null
    +          mkdir -p -m=0777 /home/setup/.local/state/nix/profiles
    +        mkdir -p -m=0777 /home/setup/.local/state/home-manager/gcroots
    +        mkdir -p -m=0777 /home/setup/.local/share/nix/
    +        printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/setup/.local/share/nix/trusted-settings.json > /dev/null
             mkdir -p /root/.local/share/nix/
             printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null
           '';
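Review bot: The rewritten `mkdir -p -m=0777 /home/setup/...` lines create the directory holding `trusted-settings.json` world-writable, so any local account on the image can replace the file that adds substituters and trusted public keys; create the directories with a restrictive mode, `mkdir -p -m 0755 /home/setup/.local/share/nix/`, and `chown` them to the intended owner instead of opening them to everyone. The first rewritten line is indented two columns deeper than the others, which looks accidental. The drugstore configuration earlier in this diff now keeps only the `root` account, so confirm a `setup` user actually exists on the ISO; otherwise `mkdir -p` silently creates a root-owned home directory.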
    @@ -4395,7 +4111,7 @@ in
     
    -
    3.1.4.3. Treehouse (home-manager only example)
    +
    3.1.4.3. Home-manager only (default non-NixOS)

    This is the "reference implementation" of a setup that runs without NixOS, only relying on home-manager. I try to test this every now and then and keep it supported. However, manual steps are needed to get the system to work fully, depending on what distribution you are running on.
@@ -4460,7 +4176,7 @@ I also set the WLR_RENDERER_ALLOW_SOFTWARE=1 to allow this configur

    3.1.4.4.1. Main configuration
    -
    { self, config, pkgs, lib, minimal, ... }:
    +
    { self, inputs, config, pkgs, lib, ... }:
     let
       mainUser = "demo";
       sharedOptions = {
    @@ -4469,8 +4185,7 @@ let
         isLinux = true;
         isPublic = true;
         profiles = {
    -      chaostheatre = lib.mkIf (!minimal) true;
    -      minimal = lib.mkIf minimal true;
    +      chaostheatre = true;
         };
       };
     in
    @@ -4482,6 +4197,15 @@ in
           {
             _module.args.diskDevice = config.swarselsystems.rootDisk;
           }
    +      "${self}/hosts/nixos/chaostheatre/options.nix"
    +      inputs.home-manager.nixosModules.home-manager
    +      {
    +        home-manager.users."${mainUser}".imports = [
    +          "${self}/modules/home/common/settings.nix"
    +          "${self}/hosts/nixos/chaostheatre/options-home.nix"
    +          "${self}/modules/home/common/sharedsetup.nix"
    +        ];
    +      }
         ];
     
         environment.variables = {
    @@ -4505,13 +4229,13 @@ in
           {
             info = "~SwarselSystems~ demo host";
             wallpaper = self + /files/wallpaper/lenovowp.png;
    +        initialSetup = true;
             isImpermanence = true;
             isCrypted = true;
             isSecureBoot = false;
             isSwap = true;
             swapSize = "4G";
             rootDisk = "/dev/vda";
    -        profiles.btrfs = true;
           }
           sharedOptions;
     
    @@ -4927,6 +4651,7 @@ I usually use mutableUsers = false in my NixOS configuration. Howev
             default = "";
           };
           isCrypted = lib.mkEnableOption "uses full disk encryption";
    +      initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
     
           isImpermanence = lib.mkEnableOption "use impermanence on this system";
           isSecureBoot = lib.mkEnableOption "use secure boot on this system";
    @@ -5001,9 +4726,17 @@ A breakdown of the flags being set:
     
     
     
    -
    { self, lib, pkgs, config, outputs, inputs, minimal, ... }:
    -let
    -  settings = if minimal then { } else {
    +
    { lib, pkgs, config, outputs, inputs, ... }:
    +{
    +  options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
    +  config = lib.mkIf config.swarselsystems.modules.general {
    +    nixpkgs = {
    +      overlays = [ outputs.overlays.default ];
    +      config = {
    +        allowUnfree = true;
    +      };
    +    };
    +
         environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
           assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
           { }
    @@ -5013,56 +4746,7 @@ let
           let
             flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
           in
    -      {
    -        settings = {
    -          connect-timeout = 5;
    -          bash-prompt-prefix = "$SHLVL:\\w ";
    -          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)Ξ» ";
    -          fallback = true;
    -          min-free = 128000000;
    -          max-free = 1000000000;
    -          flake-registry = "";
    -          auto-optimise-store = true;
    -          warn-dirty = false;
    -          max-jobs = 1;
    -          use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
    -        };
    -        gc = {
    -          automatic = true;
    -          dates = "weekly";
    -          options = "--delete-older-than 10d";
    -        };
    -        optimise = {
    -          automatic = true;
    -          dates = "weekly";
    -        };
    -        channel.enable = false;
    -        registry = rec {
    -          nixpkgs.flake = inputs.nixpkgs;
    -          p = nixpkgs;
    -        };
    -        nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
    -      };
    -
    -    services.dbus.implementation = "broker";
    -
    -    systemd.services.nix-daemon = {
    -      environment.TMPDIR = "/var/tmp";
    -    };
    -
    -  };
    -in
    -{
    -  options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
    -  config = lib.mkIf config.swarselsystems.modules.general
    -    (lib.recursiveUpdate
    -      {
    -        sops.secrets.github-api-token = lib.mkIf (!minimal) {
    -          sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
    -        };
    -
    -        nix = {
    -          package = pkgs.nixVersions.nix_2_28;
    +        {
               settings = {
                 experimental-features = [
                   "nix-command"
    @@ -5072,33 +4756,43 @@ in
                   "pipe-operators"
                 ];
                 trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
    +            connect-timeout = 5;
    +            bash-prompt-prefix = "$SHLVL:\\w ";
    +            bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]Ξ»\[\e[0m\] ";
    +            fallback = true;
    +            min-free = 128000000;
    +            max-free = 1000000000;
    +            flake-registry = "";
    +            auto-optimise-store = true;
    +            warn-dirty = false;
    +            max-jobs = 1;
    +            use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
               };
    -          # extraOptions = ''
    -          #   plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
    -          #   extra-builtins-file = ${self + /nix/extra-builtins.nix}
    -          # '';
    -          extraOptions = ''
    -            plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    -              buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
    -              patches = (o.patches or []) ++ ["${self}/nix/nix-plugins.patch"];
    -            })}/lib/nix/plugins
    -            extra-builtins-file = ${self + /nix/extra-builtins.nix}
    -          '' + lib.optionalString (!minimal) ''
    -            !include ${config.sops.secrets.github-api-token.path}
    -          '';
    +          gc = {
    +            automatic = true;
    +            dates = "weekly";
    +            options = "--delete-older-than 10d";
    +          };
    +          optimise = {
    +            automatic = true;
    +            dates = "weekly";
    +          };
    +          channel.enable = false;
    +          registry = rec {
    +            nixpkgs.flake = inputs.nixpkgs;
    +            p = nixpkgs;
    +          };
    +          nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
             };
     
    -        system.stateVersion = lib.mkDefault "23.05";
    +    services.dbus.implementation = "broker";
     
    -        nixpkgs = {
    -          overlays = [ outputs.overlays.default ];
    -          config = {
    -            allowUnfree = true;
    -          };
    -        };
    +    systemd.services.nix-daemon = {
    +      environment.TMPDIR = "/var/tmp";
    +    };
     
    -      }
    -      settings);
    +    system.stateVersion = lib.mkDefault "23.05";
    +  };
     }
     
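Review bot: `bash-prompt` at the `+` line embeds `\[\e[1m\]` and `\[\e[0m\]` in a Nix double-quoted string, where an unrecognised escape yields the bare character, so Nix hands bash `[e[1m]` and `[e[0m]` and the terminal prints them literally instead of rendering bold; double the backslashes, `\\[\\e[1m\\]` and `\\[\\e[0m\\]`, as the neighbouring `\\w` in `bash-prompt-prefix` already does. The rewrite also drops the whole `extraOptions` block, including the `!include` of the `github-api-token` secret path; if that include was meant to survive, GitHub-hosted flake inputs will now be fetched unauthenticated and rate-limited, and the secret declaration removed in the previous hunk would need to come back with it.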
    @@ -5112,7 +4806,10 @@ We enable the use of home-manager as a NixoS module. A nice trick h

    -
    { self, inputs, config, lib, outputs, globals, nodes, minimal, configName, ... }:
    +
    { self, inputs, config, lib, outputs, globals, nodes, ... }:
    +let
    +  mainUser = globals.user.name;
    +in
       {
         options.swarselsystems.modules.home-manager = lib.mkEnableOption "home-manager";
         config = lib.mkIf config.swarselsystems.modules.home-manager {
    @@ -5120,24 +4817,18 @@ We enable the use of home-manager as a NixoS module. A nice trick h
             useGlobalPkgs = true;
             useUserPackages = true;
             verbose = true;
    -        users.swarsel.imports = [
    +        users."${mainUser}".imports = [
    +          "${self}/profiles/home"
    +          "${self}/modules/home"
    +        ];
    +        sharedModules = [
               inputs.nix-index-database.hmModules.nix-index
               inputs.sops-nix.homeManagerModules.sops
    -          # inputs.stylix.homeModules.stylix
               {
    -            imports = [
    -              "${self}/profiles/home"
    -              "${self}/modules/home"
    -              # "${self}/modules/nixos/common/pii.nix"
    -              # "${self}/modules/nixos/common/meta.nix"
    -            ];
    -            # node = {
    -            #   secretsDir = if (!config.swarselsystems.isNixos) then ../../../hosts/home/${configName}/secrets else ../../../hosts/nixos/${configName}/secrets;
    -            # };
                 home.stateVersion = lib.mkDefault config.system.stateVersion;
               }
             ];
    -        extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal configName; };
    +        extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes; };
           };
         };
       }
    @@ -5154,27 +4845,27 @@ In case of using a fully setup system, this makes also sure that no further user
     

    -For that reason, make sure that sops-nix is properly working before finishing the minimal setup, otherwise we might lose user access. The bootstrapping script takes care of this.
+For that reason, make sure that sops-nix is properly working before setting the initialSetup flag, otherwise you might lose user access.

    -
    { self, pkgs, config, lib, minimal, ... }:
    +
    { self, pkgs, config, lib, ... }:
     let
       sopsFile = self + /secrets/general/secrets.yaml;
     in
       {
         options.swarselsystems.modules.users = lib.mkEnableOption "user config";
         config = lib.mkIf config.swarselsystems.modules.users {
    -      sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
    +      sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
     
           users = {
    -        mutableUsers = lib.mkIf (!minimal) false;
    +        mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
             users."${config.swarselsystems.mainUser}" = {
               isNormalUser = true;
               description = "Leon S";
    -          password = lib.mkIf minimal "setup";
    -          hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.main-user-hashed-pw.path;
    -          extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
    +          password = lib.mkIf config.swarselsystems.initialSetup "setup";
    +          hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
    +          extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
               packages = with pkgs; [ ];
             };
           };
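Review bot: `extraGroups` now unconditionally adds `docker`, `libvirtd` and `vboxusers` next to `wheel`, whereas the removed line added them only outside the minimal setup; with `initialSetup = true` the same account carries the plaintext password `setup`, so during bootstrap a well-known password also grants membership in groups that are effectively root-equivalent through the docker socket. Gate them as before, `extraGroups = [ "wheel" ] ++ lib.optionals (!config.swarselsystems.initialSetup) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];`. The prose line above the listing says to verify sops-nix before *setting* `initialSetup`, but the code gates `hashedPasswordFile` and `mutableUsers = false` on `!config.swarselsystems.initialSetup`, so the step that can lock a user out is clearing the flag; the sentence should say that.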
    @@ -5248,14 +4939,11 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
     
    3.2.1.12. PII management
    -

    -This is also exposed to home-manager configurations, in case this ever breaks, I can also go back to importing nixosConfig as an attribute in the input attribute set and call the secrets using nixosConfig.repo.secrets. -

    -
    # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
    -{ config, inputs, lib, minimal, ... }:
    +{ config, inputs, lib, ... }:
     let
    +
       # If the given expression is a bare set, it will be wrapped in a function,
       # so that the imported file can always be applied to the inputs, similar to
       # how modules can be functions or sets.
    @@ -5280,51 +4968,51 @@ let
     in
     {
       options = {
    -      repo = {
    -        secretFiles = lib.mkOption {
    -          default = { };
    -          type = lib.types.attrsOf lib.types.path;
    -          example = lib.literalExpression "{ local = ./pii.nix.enc; }";
    -          description = ''
    -            This file manages the origin for this machine's repository-secrets. Anything that is
    -            technically not a secret in the classical sense (i.e. that it has to be protected
    -            after it has been deployed), but something you want to keep secret from the public;
    -            Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
    -            on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
    +    repo = {
    +      secretFiles = lib.mkOption {
    +        default = { };
    +        type = lib.types.attrsOf lib.types.path;
    +        example = lib.literalExpression "{ local = ./pii.nix.enc; }";
    +        description = ''
    +        This file manages the origin for this machine's repository-secrets. Anything that is
    +        technically not a secret in the classical sense (i.e. that it has to be protected
    +        after it has been deployed), but something you want to keep secret from the public;
    +        Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
    +        on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
     
    -            All of these secrets may (and probably will be) put into the world-readable nix-store
    -            on the build and target hosts. You'll most likely want to store personally identifiable
    -            information here, such as:
    -              - MAC Addreses
    -              - Static IP addresses
    -              - Your full name (when configuring your users)
    -              - Your postal address (when configuring e.g. home-assistant)
    -              - ...
    +        All of these secrets may (and probably will be) put into the world-readable nix-store
    +        on the build and target hosts. You'll most likely want to store personally identifiable
    +        information here, such as:
    +          - MAC Addreses
    +          - Static IP addresses
    +          - Your full name (when configuring your users)
    +          - Your postal address (when configuring e.g. home-assistant)
    +          - ...
     
    -            Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
    -            the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
    -          '';
    -        };
    -
    -        secrets = lib.mkOption {
    -          readOnly = true;
    -          default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
    -          type = lib.types.unspecified;
    -          description = "Exposes the loaded repo secrets. This option is read-only.";
    -        };
    +        Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
    +        the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
    +      '';
    +      };
    +
    +      secrets = lib.mkOption {
    +        readOnly = true;
    +        default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
    +        type = lib.types.unspecified;
    +        description = "Exposes the loaded repo secrets. This option is read-only.";
           };
    -      swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
         };
    +    swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
    +  };
       config = lib.mkIf config.swarselsystems.modules.pii {
         repo.secretFiles =
           let
             local = config.node.secretsDir + "/pii.nix.enc";
           in
    -      (lib.optionalAttrs (lib.pathExists local && !minimal ) { inherit local; }) // lib.optionalAttrs (!minimal) {
    -        common = ../../../secrets/repo/pii.nix.enc;
    +        (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // {
    +         common = ../../../secrets/repo/pii.nix.enc;
           };
       };
    -}
    +  }
     
     
    @@ -5334,25 +5022,20 @@ in
    3.2.1.13. Lanzaboote (secure boot)

    -This dynamically uses systemd boot or Lanzaboote depending on the minimal system state and `config.swarselsystems.isSecureBoot`.
    +This dynamically uses systemd boot or Lanzaboote depending on `config.swarselsystems.initialSetup` and `config.swarselsystems.isSecureBoot`.

    -
    { lib, pkgs, config, minimal, ... }:
    +
    { lib, config, ... }:
     {
       options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config";
       config = lib.mkIf config.swarselsystems.modules.lanzaboote {
    -
    -    environment.systemPackages = lib.mkIf config.swarselsystems.isSecureBoot [
    -      pkgs.sbctl
    -    ];
    -
         boot = {
           loader = {
             efi.canTouchEfiVariables = true;
    -        systemd-boot.enable = lib.swarselsystems.mkIfElse (minimal || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
    +        systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
           };
    -      lanzaboote = lib.mkIf (!minimal && config.swarselsystems.isSecureBoot) {
    +      lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
             enable = true;
             pkiBundle = "/var/lib/sbctl";
             configurationLimit = 6;
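Review bot: `pkgs.sbctl` is dropped from `environment.systemPackages` here, and the `sbctl` entry in the old `minimal` package list is removed in the packages hunk further down, yet the new `lanzaboote` block still points `pkiBundle` at `/var/lib/sbctl`, which is populated by `sbctl create-keys` / `sbctl enroll-keys`. Unless another module still installs it, the tool needed to create and enroll the Secure Boot keys is no longer on the host; consider keeping `environment.systemPackages = lib.mkIf config.swarselsystems.isSecureBoot [ pkgs.sbctl ];` (and `pkgs` in the module arguments), or documenting where sbctl is expected to come from. The `lanzaboote` attribute set continues outside the hunk.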
    @@ -5487,12 +5170,15 @@ This section is for setting things that should be used on hosts that are using t
     

    -
    { lib, ... }:
    +
    { lib, inputs, ... }:
     let
       importNames = lib.swarselsystems.readNix "modules/nixos/client";
     in
     {
    -  imports = lib.swarselsystems.mkImports importNames "modules/nixos/client";
    +  imports = lib.swarselsystems.mkImports importNames "modules/nixos/client" ++ [
    +    inputs.stylix.nixosModules.stylix
    +    inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
    +  ];
     }
     
     
    @@ -5507,12 +5193,11 @@ Mostly used to install some compilers and lsp's that I want to have available wh

    -
    { lib, config, pkgs, minimal, ... }:
    +
    { lib, config, pkgs, ... }:
     {
       options.swarselsystems.modules.packages = lib.mkEnableOption "install packages";
       config = lib.mkIf config.swarselsystems.modules.packages {
    -
    -    environment.systemPackages = with pkgs; lib.optionals (!minimal) [
    +    environment.systemPackages = with pkgs; [
           # yubikey packages
           gnupg
           yubikey-personalization
    @@ -5583,20 +5268,9 @@ Mostly used to install some compilers and lsp's that I want to have available wh
     
           elk-to-svg
     
    -    ] ++ lib.optionals minimal [
    -      networkmanager
    -      curl
    -      git
    -      gnupg
    -      rsync
    -      ssh-to-age
    -      sops
    -      vim
    -      just
    -      sbctl
         ];
     
    -    nixpkgs.config.permittedInsecurePackages = lib.mkIf (!minimal) [
    +    nixpkgs.config.permittedInsecurePackages = [
           "jitsi-meet-1.0.8043"
           "electron-29.4.6"
           "SDL_ttf-2.0.11"
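Review bot: `nixpkgs.config.permittedInsecurePackages` is now unconditional, so every host enabling `modules.packages` accepts `jitsi-meet-1.0.8043`, `electron-29.4.6` and `SDL_ttf-2.0.11` with their known advisories, where the old `!minimal` gate limited that to full workstations. Each entry should carry a comment stating which package pulls it in and when it can be dropped, e.g. `"electron-29.4.6" # needed by <consumer-package>; remove once that is updated`, so the allow-list does not silently outlive its reason. The list continues past the end of the hunk.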
    @@ -5639,33 +5313,32 @@ Next, we will setup some environment variables that need to be set on the system
     
    -
    3.2.2.4. Security (polkit)
    +
    3.2.2.4. Security

    Needed for control over system-wide privileges etc. Also I make sure that the root user has access to SSH_AUTH_SOCK (without this, root will not be able to read my nix-secrets repository).

    -
    { lib, config, minimal, ... }:
    +
    { lib, config, ... }:
     {
       options.swarselsystems.modules.security = lib.mkEnableOption "security config";
       config = lib.mkIf config.swarselsystems.modules.security {
     
         security = {
    -      pam.services = lib.mkIf (!minimal) {
    +      pam.services = {
             login.u2fAuth = true;
             sudo.u2fAuth = true;
             swaylock.u2fAuth = true;
             swaylock.fprintAuth = false;
           };
    -      polkit.enable = lib.mkIf (!minimal) true;
    +      polkit.enable = true;
     
           sudo.extraConfig = ''
             Defaults    env_keep+=SSH_AUTH_SOCK
    -      '' + lib.optionalString (!minimal) ''
    -          Defaults    env_keep+=XDG_RUNTIME_DIR
    -          Defaults    env_keep+=WAYLAND_DISPLAY
    -        '';
    +        Defaults    env_keep+=XDG_RUNTIME_DIR
    +        Defaults    env_keep+=WAYLAND_DISPLAY
    +      '';
         };
       };
     }
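Review bot: The `!minimal` gate on `pam.services` and `polkit.enable` is removed outright rather than replaced by `!config.swarselsystems.initialSetup`, which is what the lanzaboote hunk above does for the same transition; as written, `login.u2fAuth` and `sudo.u2fAuth` are active on every host with `modules.security`, including one still in initial setup where presumably no U2F key has been enrolled yet. If that is intended it deserves a comment; otherwise `pam.services = lib.mkIf (!config.swarselsystems.initialSetup) { ... };` keeps the behaviour the old condition provided. Separately, `sudo.extraConfig` now keeps `XDG_RUNTIME_DIR` and `WAYLAND_DISPLAY` across sudo on every host, which only matters on graphical ones; a one-line comment such as `# keep the Wayland session reachable from sudo'd GUI tools` would record the intent.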
    @@ -5820,14 +5493,10 @@ Here I only enable networkmanager and a few default networks. The r
     

    -
    { self, lib, pkgs, config, ... }:
    +
    { self, lib, config, ... }:
     let
       certsSopsFile = self + /secrets/certs/secrets.yaml;
    -  clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
    -
       inherit (config.swarselsystems) mainUser;
    -  inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
    -
       iwd = config.networking.networkmanager.wifi.backend == "iwd";
     in
     {
    @@ -5839,33 +5508,39 @@ in
     
         sops = {
           secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    -        wlan1-pw = { };
    -        wlan2-pw = { };
    -        laptop-hotspot-pw = { };
    -        mobile-hotspot-pw = { };
    -        eduroam-user = { };
    -        eduroam-pw = { };
    -        pia-vpn-user = { };
    -        pia-vpn-pw = { };
    -        home-wireguard-client-private-key = { sopsFile = clientSopsFile; };
    -        home-wireguard-server-public-key = { };
    -        home-wireguard-endpoint = { };
    -        pia-vpn1-crl-pem = { sopsFile = certsSopsFile; };
    -        pia-vpn1-ca-pem = { sopsFile = certsSopsFile; };
    +        ernest = { };
    +        frauns = { };
    +        hotspot = { };
    +        eduid = { };
    +        edupass = { };
    +        handyhotspot = { };
    +        vpnuser = { };
    +        vpnpass = { };
    +        wireguardpriv = { };
    +        wireguardpub = { };
    +        wireguardendpoint = { };
    +        stashuser = { };
    +        stashpass = { };
    +        githubforgeuser = { };
    +        githubforgepass = { };
    +        gitlabforgeuser = { };
    +        gitlabforgepass = { };
    +        "sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
    +        "sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
           };
           templates = lib.mkIf (!config.swarselsystems.isPublic) {
             "network-manager.env".content = ''
    -          WLAN1_PW=${config.sops.placeholder.wlan1-pw}
    -          WLAN2_PW=${config.sops.placeholder.wlan2-pw}
    -          LAPTOP_HOTSPOT_PW=${config.sops.placeholder.laptop-hotspot-pw}
    -          MOBILE_HOTSPOT_PW=${config.sops.placeholder.mobile-hotspot-pw}
    -          EDUROAM_USER=${config.sops.placeholder.eduroam-user}
    -          EDUROAM_PW=${config.sops.placeholder.eduroam-pw}
    -          PIA_VPN_USER=${config.sops.placeholder.pia-vpn-user}
    -          PIA_VPN_PW=${config.sops.placeholder.pia-vpn-pw}
    -          HOME_WIREGUARD_CLIENT_PRIVATE_KEY=${config.sops.placeholder.home-wireguard-client-private-key}
    -          HOME_WIREGUARD_SERVER_PUBLIC_KEY=${config.sops.placeholder.home-wireguard-server-public-key}
    -          HOME_WIREGUARD_ENDPOINT=${config.sops.placeholder.home-wireguard-endpoint}
    +          ERNEST=${config.sops.placeholder.ernest}
    +          FRAUNS=${config.sops.placeholder.frauns}
    +          HOTSPOT=${config.sops.placeholder.hotspot}
    +          EDUID=${config.sops.placeholder.eduid}
    +          EDUPASS=${config.sops.placeholder.edupass}
    +          HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
    +          VPNUSER=${config.sops.placeholder.vpnuser}
    +          VPNPASS=${config.sops.placeholder.vpnpass}
    +          WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
    +          WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
    +          WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
             '';
           };
         };
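Review bot: `wireguardpriv = { };` replaces `home-wireguard-client-private-key = { sopsFile = clientSopsFile; };`, so the WireGuard client private key is now read from the module's default sops file instead of the per-host `secrets/${config.node.name}/secrets.yaml` removed in the previous hunk; if that default file is shared between hosts, every host using this module now carries the same private key, which defeats per-peer identity and makes revocation all-or-nothing. Keeping a per-host `sopsFile` on this one entry would preserve the old isolation. Also `stashuser`/`stashpass`, `githubforgeuser`/`githubforgepass` and `gitlabforgeuser`/`gitlabforgepass` are declared here but never referenced in the `network-manager.env` template; if another module consumes them, a comment saying so (or moving the declarations there) avoids the impression of dead secrets that are nonetheless decrypted onto the host.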
    @@ -5902,23 +5577,14 @@ in
           networkmanager = {
             enable = true;
             wifi.backend = "iwd";
    -        plugins = [
    -          # list of plugins: https://search.nixos.org/packages?query=networkmanager-
    -          # docs https://networkmanager.dev/docs/vpn/
    -          pkgs.networkmanager-openconnect
    -          pkgs.networkmanager-openvpn
    -        ];
             ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
               environmentFiles = [
                 "${config.sops.templates."network-manager.env".path}"
               ];
    -          profiles = let
    -            inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
    -          in
    -            {
    -            ${wlan1} = {
    +          profiles = {
    +            "Ernest Routerford" = {
                   connection = {
    -                id = wlan1;
    +                id = "Ernest Routerford";
                     permissions = "";
                     type = "wifi";
                   };
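Review bot: The SSID `"Ernest Routerford"` is now inlined as the profile name, `connection.id` and (next hunk) `wifi.ssid`, replacing the `wlan1` binding that came from `config.repo.secrets`; the same move puts the other SSIDs, a hardware MAC address (`mac-address = "90:2E:16:D0:A1:87"`), the WireGuard client address and allowed-ips, the eduroam anonymous identity and the PIA endpoint into this plaintext file (hunks `-5934`, `-5952`, `-5964`, `-6007`, `-6021`, `-6042`, `-6074`, `-6088`). That is exactly the category of data the `repo.secretFiles` option description earlier in this diff says should live in an sops-encrypted `.nix` file rather than on GitHub. If this is a deliberate revert of the PII indirection, a sentence in the section prose saying so would help; otherwise the `inherit (config.repo.secrets.common.network) ...` binding removed in hunk `-5820` should be restored and these values read from it. The `profiles` set continues past the hunk.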
    @@ -5934,12 +5600,12 @@ in
                   wifi = {
                     mac-address-blacklist = "";
                     mode = "infrastructure";
    -                ssid = wlan1;
    +                ssid = "Ernest Routerford";
                   };
                   wifi-security = {
                     auth-alg = "open";
                     key-mgmt = "wpa-psk";
    -                psk = "WLAN1_PW";
    +                psk = "$ERNEST";
                   };
                 };
     
    @@ -5952,6 +5618,7 @@ in
                   ethernet = {
                     auto-negotiate = "true";
                     cloned-mac-address = "preserve";
    +                mac-address = "90:2E:16:D0:A1:87";
                   };
                   ipv4 = { method = "shared"; };
                   ipv6 = {
    @@ -5964,10 +5631,10 @@ in
                 eduroam = {
                   "802-1x" = {
                     eap = if (!iwd) then "ttls;" else "peap;";
    -                identity = "$EDUROAM_USER";
    -                password = "$EDUROAM_PW";
    +                identity = "$EDUID";
    +                password = "$EDUPASS";
                     phase2-auth = "mschapv2";
    -                anonymous-identity = lib.mkIf iwd eduroam-anon;
    +                anonymous-identity = lib.mkIf iwd "anonymous@student.tuwien.ac.at";
                   };
                   connection = {
                     id = "eduroam";
    @@ -6007,9 +5674,9 @@ in
                   proxy = { };
                 };
     
    -            ${wlan2} = {
    +            HH40V_39F5 = {
                   connection = {
    -                id = wlan2;
    +                id = "HH40V_39F5";
                     type = "wifi";
                   };
                   ipv4 = { method = "auto"; };
    @@ -6021,17 +5688,17 @@ in
                   wifi = {
                     band = "bg";
                     mode = "infrastructure";
    -                ssid = wlan2;
    +                ssid = "HH40V_39F5";
                   };
                   wifi-security = {
                     key-mgmt = "wpa-psk";
    -                psk = "$WLAN2_PW";
    +                psk = "$FRAUNS";
                   };
                 };
     
    -            ${mobile1} = {
    +            magicant = {
                   connection = {
    -                id = mobile1;
    +                id = "magicant";
                     type = "wifi";
                   };
                   ipv4 = { method = "auto"; };
    @@ -6042,30 +5709,30 @@ in
                   proxy = { };
                   wifi = {
                     mode = "infrastructure";
    -                ssid = mobile1;
    +                ssid = "magicant";
                   };
                   wifi-security = {
                     auth-alg = "open";
                     key-mgmt = "wpa-psk";
    -                psk = "$MOBILE_HOTSPOT_PW";
    +                psk = "$HANDYHOTSPOT";
                   };
                 };
     
    -            home-wireguard = {
    +            wireguardvpn = {
                   connection = {
                     id = "HomeVPN";
                     type = "wireguard";
                     autoconnect = "false";
                     interface-name = "wg1";
                   };
    -              wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; };
    -              "wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = {
    -                endpoint = "$HOME_WIREGUARD_ENDPOINT";
    -                allowed-ips = home-wireguard-allowed-ips;
    +              wireguard = { private-key = "$WIREGUARDPRIV"; };
    +              "wireguard-peer.$WIREGUARDPUB" = {
    +                endpoint = "$WIREGUARDENDPOINT";
    +                allowed-ips = "0.0.0.0/0";
                   };
                   ipv4 = {
                     method = "ignore";
    -                address1 = home-wireguard-address;
    +                address1 = "192.168.3.3/32";
                   };
                   ipv6 = {
                     addr-gen-mode = "stable-privacy";
    @@ -6074,10 +5741,10 @@ in
                   proxy = { };
                 };
     
    -            pia-vpn1 = {
    +            "sweden-aes-128-cbc-udp-dns" = {
                   connection = {
                     autoconnect = "false";
    -                id = "PIA ${vpn1-location}";
    +                id = "PIA Sweden";
                     type = "vpn";
                   };
                   ipv4 = { method = "auto"; };
    @@ -6088,21 +5755,21 @@ in
                   proxy = { };
                   vpn = {
                     auth = "sha1";
    -                ca = config.sops.secrets."pia-vpn1-ca-pem".path;
    +                ca = config.sops.secrets."sweden-aes-128-cbc-udp-dns-ca.pem".path;
                     challenge-response-flags = "2";
    -                cipher = vpn1-cipher;
    +                cipher = "aes-128-cbc";
                     compress = "yes";
                     connection-type = "password";
    -                crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path;
    +                crl-verify-file = config.sops.secrets."sweden-aes-128-cbc-udp-dns-crl-verify.pem".path;
                     dev = "tun";
                     password-flags = "0";
    -                remote = vpn1-address;
    +                remote = "sweden.privacy.network:1198";
                     remote-cert-tls = "server";
                     reneg-seconds = "0";
                     service-type = "org.freedesktop.NetworkManager.openvpn";
    -                username = "$PIA_VPN_USER";
    +                username = "$VPNUSER";
                   };
    -              vpn-secrets = { password = "$PIA_VPN_PW"; };
    +              vpn-secrets = { password = "$VPNPASS"; };
                 };
     
                 Hotspot = {
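Review bot: The profile now pins `cipher = "aes-128-cbc"` as a literal next to the existing `auth = "sha1"` and `compress = "yes"` lines, with no comment that these are the provider's required settings; a reader will otherwise take CBC with SHA1 and compression enabled for a weak local choice. Suggest `cipher = "aes-128-cbc"; # dictated by the provider profile of the same name; keep in sync with the .ovpn it was derived from`, and, if the provider offers a GCM or no-compression variant (not visible here), prefer that. The `remote` value `sweden.privacy.network:1198` is also inlined now, the same concern as with the SSIDs in the earlier profile hunks.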
    @@ -6126,7 +5793,7 @@ in
                     key-mgmt = "wpa-psk";
                     pairwise = "ccmp;";
                     proto = "rsn;";
    -                psk = "$MOBILE_HOTSPOT_PW";
    +                psk = "$HOTSPOT";
                   };
                 };
     
    @@ -6186,20 +5853,16 @@ By default, stylix wants to style
     

    -
    { self, lib, config, ... }:
    +
    { lib, config, ... }:
     {
       options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config";
    -  config = {
    -    stylix = {
    -      enable = true;
    -      base16Scheme = "${self}/files/stylix/swarsel.yaml";
    -    } // lib.optionalAttrs config.swarselsystems.modules.stylix
    -      (lib.recursiveUpdate
    -        {
    -          targets.grub.enable = false; # the styling makes grub more ugly
    -          image = config.swarselsystems.wallpaper;
    -        }
    -        config.swarselsystems.stylix);
    +  config = lib.mkIf config.swarselsystems.modules.stylix {
    +    stylix = lib.recursiveUpdate
    +      {
    +        targets.grub.enable = false; # the styling makes grub more ugly
    +        image = config.swarselsystems.wallpaper;
    +      }
    +      config.swarselsystems.stylix;
         home-manager.users."${config.swarselsystems.mainUser}" = {
           stylix = {
             targets = config.swarselsystems.stylixHomeTargets;
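Review bot: The new `config = lib.mkIf ... { stylix = lib.recursiveUpdate { ... } config.swarselsystems.stylix; ... }` no longer sets `stylix.enable = true` or `base16Scheme`, both of which the old unconditional block provided; unless `config.swarselsystems.stylix` carries `enable` and `base16Scheme` (not visible here), stylix is now imported via `inputs.stylix.nixosModules.stylix` but never enabled. If the option does carry them, a comment such as `# enable and base16Scheme come from swarselsystems.stylix` at the `recursiveUpdate` would make that dependency explicit. The `config` set continues past the hunk.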
    @@ -6505,8 +6168,8 @@ Most of the time I am using power-saver, however, it is good to be
     {
       options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings";
       config = lib.mkIf config.swarselsystems.modules.swayosd {
    -    environment.systemPackages = [ pkgs.dev.swayosd ];
    -    services.udev.packages = [ pkgs.dev.swayosd ];
    +    environment.systemPackages = [ pkgs.swayosd ];
    +    services.udev.packages = [ pkgs.swayosd ];
         systemd.services.swayosd-libinput-backend = {
           description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc.";
           documentation = [ "https://github.com/ErikReider/SwayOSD" ];
    @@ -6517,7 +6180,7 @@ Most of the time I am using power-saver, however, it is good to be
           serviceConfig = {
             Type = "dbus";
             BusName = "org.erikreider.swayosd";
    -        ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend";
    +        ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend";
             Restart = "on-failure";
           };
         };
    @@ -6800,11 +6463,6 @@ This snipped is added to the activation script that is run after every rebuild a
     {
       options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config";
       config = lib.mkIf config.swarselsystems.modules.nvd {
    -
    -    environment.systemPackages = [
    -      pkgs.nvd
    -    ];
    -
         system.activationScripts.diff = {
           supportsDryActivation = true;
           text = ''
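Review bot: `pkgs.nvd` is removed from `environment.systemPackages`, but the activation script that follows (its `text` body lies outside the hunk) is presumably what invokes nvd; if it calls a bare `nvd` rather than `${pkgs.nvd}/bin/nvd`, it will now fail at activation time, and with `supportsDryActivation = true` also during dry runs. Referencing the binary by store path inside the script is the safer form regardless of what is installed system-wide.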
    @@ -6855,7 +6513,7 @@ This is used to better integrate Sway into the system on NixOS hosts. On the hom
       config = lib.mkIf config.swarselsystems.modules.sway {
         programs.sway = {
           enable = true;
    -      package = pkgs.dev.swayfx;
    +      package = pkgs.swayfx;
           wrapperFeatures = {
             base = true;
             gtk = true;
    @@ -7175,7 +6833,6 @@ in
           vim
           sops
           swarsel-deploy
    -      tmux
         ];
       };
     }
    @@ -7253,7 +6910,6 @@ in
     let
       inherit (config.repo.secrets.common) dnsProvider;
       inherit (config.repo.secrets.common.mail) address3;
    -
     in
     {
       options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server";
    @@ -7263,9 +6919,10 @@ in
         ];
     
         sops = {
    -      secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
    +      # secrets.dnstokenfull = { owner = "acme"; };
    +      secrets.dnstokenfull = { };
           templates."certs.secret".content = ''
    -        CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token}
    +        CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
           '';
         };
     
    @@ -7344,8 +7001,6 @@ Here I am forcing startWhenNeeded to false so that the value will n
     
    { self, lib, config, pkgs, ... }:
     let
    -  inherit (config.swarselsystems) sopsFile;
    -
       servicePort = 8080;
       serviceName = "kavita";
       serviceUser = "kavita";
    @@ -7362,7 +7017,7 @@ in
           extraGroups = [ "users" ];
         };
     
    -    sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; };
    +    sops.secrets.kavita = { owner = serviceUser; };
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    @@ -7377,7 +7032,7 @@ in
           enable = true;
           user = serviceUser;
           settings.Port = servicePort;
    -      tokenKeyFile = config.sops.secrets.kavita-token.path;
    +      tokenKeyFile = config.sops.secrets.kavita.path;
           dataDir = "/Vault/data/${serviceName}";
         };
     
    @@ -7680,8 +7335,6 @@ in
     
    { self, lib, config, pkgs, ... }:
     let
    -  inherit (config.swarselsystems) sopsFile;
    -
       servicePort = 3254;
       serviceUser = "mpd";
       serviceGroup = serviceUser;
    @@ -7705,7 +7358,7 @@ in
         };
     
         sops = {
    -      secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +      secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
         };
     
         environment.systemPackages = with pkgs; [
    @@ -7731,7 +7384,7 @@ in
           };
           credentials = [
             {
    -          passwordFile = config.sops.secrets.mpd-pw.path;
    +          passwordFile = config.sops.secrets.mpdpass.path;
               permissions = [
                 "read"
                 "add"
    @@ -7807,8 +7460,6 @@ in
     
    { lib, config, pkgs, ... }:
     let
    -  inherit (config.swarselsystems) sopsFile;
    -
       servicePort = 8008;
       serviceName = "matrix";
       serviceDomain = config.repo.secrets.common.services.domains.matrix;
    @@ -7838,29 +7489,29 @@ in
     
         sops = {
           secrets = {
    -        matrix-shared-secret = { inherit sopsFile; owner = serviceUser; };
    -        mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; };
    -        mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; };
    -        mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; };
    -        mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; };
    +        matrixsharedsecret = { owner = serviceUser; };
    +        mautrixtelegram_as = { owner = serviceUser; };
    +        mautrixtelegram_hs = { owner = serviceUser; };
    +        mautrixtelegram_api_id = { owner = serviceUser; };
    +        mautrixtelegram_api_hash = { owner = serviceUser; };
           };
           templates = {
             "matrix_user_register.sh".content = ''
    -          register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort}
    +          register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort}
             '';
             matrixshared = {
               owner = serviceUser;
               content = ''
    -            registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret}
    +            registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
               '';
             };
             mautrixtelegram = {
               owner = serviceUser;
               content = ''
    -            MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token}
    -            MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token}
    -            MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id}
    -            MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash}
    +            MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
    +            MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
    +            MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
    +            MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
               '';
             };
           };
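Review bot: The `matrix_user_register.sh` template still passes the registration shared secret on the command line (`register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} ...`), where it is visible to every local user through the process list for the duration of the call; since the `matrixshared` template already renders a YAML file containing `registration_shared_secret`, the script can use `register_new_matrix_user -c ${config.sops.templates.matrixshared.path} http://localhost:${builtins.toString servicePort}` instead, which reads the secret from that file. The script template is also left with the default owner while `matrixshared` and `mautrixtelegram` set `owner = serviceUser`; a comment on who is expected to run the script would clarify whether that is intentional.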
    @@ -8163,7 +7814,6 @@ in
     
    { pkgs, lib, config, ... }:
     let
       inherit (config.repo.secrets.local.nextcloud) adminuser;
    -  inherit (config.swarselsystems) sopsFile;
     
       servicePort = 80;
       serviceUser = "nextcloud";
    @@ -8176,8 +7826,16 @@ in
       config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
     
         sops.secrets = {
    -      nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -      kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +      nextcloudadminpass = {
    +        owner = serviceUser;
    +        group = serviceGroup;
    +        mode = "0440";
    +      };
    +      kanidm-nextcloud-client = {
    +        owner = serviceUser;
    +        group = serviceGroup;
    +        mode = "0440";
    +      };
         };
     
     
    @@ -8203,7 +7861,7 @@ in
             extraAppsEnable = true;
             config = {
               inherit adminuser;
    -          adminpassFile = config.sops.secrets.nextcloud-admin-pw.path;
    +          adminpassFile = config.sops.secrets.nextcloudadminpass.path;
               dbtype = "sqlite";
             };
           };
    @@ -8326,8 +7984,6 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of 
     
    { lib, pkgs, config, globals, ... }:
     let
    -  inherit (config.swarselsystems) sopsFile;
    -
       servicePort = 28981;
       serviceUser = "paperless";
       serviceGroup = serviceUser;
    @@ -8347,8 +8003,12 @@ in
         };
     
         sops.secrets = {
    -      paperless-admin-pw = { inherit sopsFile; owner = serviceUser; };
    -      kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +      paperless_admin = { owner = serviceUser; };
    +      kanidm-paperless-client = {
    +        owner = serviceUser;
    +        group = serviceGroup;
    +        mode = "0440";
    +      };
         };
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
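Review bot: The renamed secret `paperless_admin` uses snake_case while the neighbouring `kanidm-paperless-client` keeps kebab-case, and the other renames in this commit mix a third flat style (`nextcloudadminpass`, `matrixsharedsecret`, `mpdpass`, `kavita`) with `mautrixtelegram_as`; since these names are also the keys in the sops files and the `sops.placeholder` attributes, one convention is worth settling now rather than after more hosts depend on them. Also `paperless_admin` no longer sets `group` or `mode`, so it falls back to the sops-nix defaults (presumably owner-only readable), which is fine for the `passwordFile` consumer but differs from the `0440` used for the kanidm client secret right below it; a short comment explaining why the two differ would help.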
    @@ -8362,7 +8022,7 @@ in
             dataDir = "/Vault/data/${serviceName}";
             user = serviceUser;
             port = servicePort;
    -        passwordFile = config.sops.secrets.paperless-admin-pw.path;
    +        passwordFile = config.sops.secrets.paperless_admin.path;
             address = "0.0.0.0";
             settings = {
               PAPERLESS_OCR_LANGUAGE = "deu+eng";
    @@ -8694,7 +8354,7 @@ in
               "magicant" = {
                 id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
               };
    -          "milkywell@oracle" = {
    +          "sync@oracle" = {
                 id = "ETW6TST-NPK7MKZ-M4LXMHA-QUPQHDT-VTSHH5X-CR5EIN2-YU7E55F-MGT7DQB";
               };
               "${workHostName}" = {
    @@ -8709,7 +8369,7 @@ in
                 path = "${cfg.dataDir}/Sync";
                 type = "receiveonly";
                 versioning = null;
    -            devices = [ "milkywell@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
    +            devices = [ "sync@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
                 id = "default";
               };
               "Obsidian" = {
    @@ -8719,7 +8379,7 @@ in
                   type = "simple";
                   params.keep = "5";
                 };
    -            devices = [ "milkywell@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
    +            devices = [ "sync@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
                 id = "yjvni-9eaa7";
               };
               "Org" = {
    @@ -8729,7 +8389,7 @@ in
                   type = "simple";
                   params.keep = "5";
                 };
    -            devices = [ "milkywell@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
    +            devices = [ "sync@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
                 id = "a7xnl-zjj3d";
               };
               "Vpn" = {
    @@ -8739,7 +8399,7 @@ in
                   type = "simple";
                   params.keep = "5";
                 };
    -            devices = [ "milkywell@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
    +            devices = [ "sync@oracle" "magicant" "${workHostName}" "moonside@oracle" ];
                 id = "hgp9s-fyq3p";
               };
               # "Documents" = {
    @@ -8796,17 +8456,17 @@ This manages backups for my pictures and obsidian files.
     
    { lib, pkgs, config, ... }:
     let
    -  inherit (config.swarselsystems) sopsFile;
    -  in
    +  inherit (config.repo.secrets.local) resticRepo;
    +in
     {
       options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
       config = lib.mkIf config.swarselsystems.modules.server.restic {
     
         sops = {
           secrets = {
    -        resticpw = { inherit sopsFile; };
    -        resticaccesskey = { inherit sopsFile; };
    -        resticsecretaccesskey = { inherit sopsFile; };
    +        resticpw = { };
    +        resticaccesskey = { };
    +        resticsecretaccesskey = { };
           };
           templates = {
             "restic-env".content = ''
    @@ -8816,39 +8476,35 @@ let
           };
         };
     
    -    services.restic =
    -      let
    -        inherit (config.repo.secrets.local) resticRepo;
    -      in
    -      {
    -        backups = {
    -          SwarselWinters = {
    -            environmentFile = config.sops.templates."restic-env".path;
    -            passwordFile = config.sops.secrets.resticpw.path;
    -            paths = [
    -              "/Vault/data/paperless"
    -              "/Vault/Eternor/Paperless"
    -              "/Vault/Eternor/Bilder"
    -              "/Vault/Eternor/Immich"
    -            ];
    -            pruneOpts = [
    -              "--keep-daily 3"
    -              "--keep-weekly 2"
    -              "--keep-monthly 3"
    -              "--keep-yearly 100"
    -            ];
    -            backupPrepareCommand = ''
    -              ${pkgs.restic}/bin/restic prune
    -            '';
    -            repository = "${resticRepo}";
    -            initialize = true;
    -            timerConfig = {
    -              OnCalendar = "03:00";
    -            };
    +    services.restic = {
    +      backups = {
    +        SwarselWinters = {
    +          environmentFile = config.sops.templates."restic-env".path;
    +          passwordFile = config.sops.secrets.resticpw.path;
    +          paths = [
    +            "/Vault/data/paperless"
    +            "/Vault/Eternor/Paperless"
    +            "/Vault/Eternor/Bilder"
    +            "/Vault/Eternor/Immich"
    +          ];
    +          pruneOpts = [
    +            "--keep-daily 3"
    +            "--keep-weekly 2"
    +            "--keep-monthly 3"
    +            "--keep-yearly 100"
    +          ];
    +          backupPrepareCommand = ''
    +            ${pkgs.restic}/bin/restic prune
    +          '';
    +          repository = "${resticRepo}";
    +          initialize = true;
    +          timerConfig = {
    +            OnCalendar = "03:00";
               };
    -
             };
    +
           };
    +    };
     
       };
     }
    @@ -8866,6 +8522,7 @@ This section exposes several metrics that I use to check the health of my server
     
    { self, lib, config, globals, ... }:
     let
    +
       servicePort = 3000;
       serviceUser = "grafana";
       serviceGroup = serviceUser;
    @@ -8875,12 +8532,11 @@ let
       prometheusPort = 9090;
       prometheusUser = "prometheus";
       prometheusGroup = prometheusUser;
    +  nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
       grafanaUpstream = "grafana";
       prometheusUpstream = "prometheus";
       prometheusWebRoot = "prometheus";
       kanidmDomain = globals.services.kanidm.domain;
    -
    -  inherit (config.swarselsystems) sopsFile;
     in
     {
       options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    @@ -8888,9 +8544,9 @@ in
     
         sops = {
           secrets = {
    -        grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
             prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
     
           };
    @@ -8950,7 +8606,7 @@ in
                       incrementalQueryOverlapWindow = "10m";
                     };
                     secureJsonData = {
    -                  basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}";
    +                  basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}";
                     };
                   }
                 ];
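Review bot: The new `$__file{/run/secrets/prometheusadminpass}` hard-codes the decrypted path of a secret that is declared by name in `sops.secrets` a few hunks earlier, so a later rename or a change of sops-nix's secrets directory breaks this datasource silently while evaluation still succeeds. Derive it from the declaration instead: `basicAuthPassword = "$__file{${config.sops.secrets.prometheusadminpass.path}}";`. The same applies to the `admin_password = "$__file{/run/secrets/grafanaadminpass}"` line in the following hunk. The enclosing `datasources` attribute set starts outside this hunk.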
    @@ -8961,7 +8617,7 @@ in
               analytics.reporting_enabled = false;
               users.allow_sign_up = false;
               security = {
    -            admin_password = "$__file{/run/secrets/grafana-admin-pw}";
    +            admin_password = "$__file{/run/secrets/grafanaadminpass}";
                 cookie_secure = true;
                 disable_gravatar = true;
               };
    @@ -8996,78 +8652,74 @@ in
             };
           };
     
    -      prometheus =
    -        let
    -          nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
    -        in
    -        {
    -          enable = true;
    -          webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
    -          port = prometheusPort;
    -          listenAddress = "0.0.0.0";
    -          globalConfig = {
    -            scrape_interval = "10s";
    +      prometheus = {
    +        enable = true;
    +        webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
    +        port = prometheusPort;
    +        listenAddress = "0.0.0.0";
    +        globalConfig = {
    +          scrape_interval = "10s";
    +        };
    +        webConfigFile = config.sops.templates.web-config.path;
    +        scrapeConfigs = [
    +          {
    +            job_name = "node";
    +            static_configs = [{
    +              targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
    +            }];
    +          }
    +          {
    +            job_name = "zfs";
    +            static_configs = [{
    +              targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
    +            }];
    +          }
    +          {
    +            job_name = "nginx";
    +            static_configs = [{
    +              targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
    +            }];
    +          }
    +          {
    +            job_name = "nextcloud";
    +            static_configs = [{
    +              targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
    +            }];
    +          }
    +        ];
    +        exporters = {
    +          node = {
    +            enable = true;
    +            port = 9000;
    +            enabledCollectors = [ "systemd" ];
    +            extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
               };
    -          webConfigFile = config.sops.templates.web-config.path;
    -          scrapeConfigs = [
    -            {
    -              job_name = "node";
    -              static_configs = [{
    -                targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
    -              }];
    -            }
    -            {
    -              job_name = "zfs";
    -              static_configs = [{
    -                targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
    -              }];
    -            }
    -            {
    -              job_name = "nginx";
    -              static_configs = [{
    -                targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
    -              }];
    -            }
    -            {
    -              job_name = "nextcloud";
    -              static_configs = [{
    -                targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
    -              }];
    -            }
    -          ];
    -          exporters = {
    -            node = {
    -              enable = true;
    -              port = 9000;
    -              enabledCollectors = [ "systemd" ];
    -              extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
    -            };
    -            zfs = {
    -              enable = true;
    -              port = 9134;
    -              pools = [
    -                "Vault"
    -              ];
    -            };
    -            restic = {
    -              enable = false;
    -              port = 9753;
    -            };
    -            nginx = {
    -              enable = true;
    -              port = 9113;
    -              sslVerify = false;
    -              scrapeUri = "http://localhost/nginx_status";
    -            };
    -            nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud {
    -              enable = true;
    -              port = 9205;
    -              url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
    -              username = nextcloudUser;
    -              passwordFile = config.sops.secrets.nextcloud-admin-pw.path;
    -            };
    +          zfs = {
    +            enable = true;
    +            port = 9134;
    +            pools = [
    +              "Vault"
    +            ];
    +          };
    +          restic = {
    +            enable = false;
    +            port = 9753;
    +          };
    +          nginx = {
    +            enable = true;
    +            port = 9113;
    +            sslVerify = false;
    +            scrapeUri = "http://localhost/nginx_status";
    +          };
    +          nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud {
    +            enable = true;
    +            port = 9205;
    +            url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
    +            username = nextcloudUser;
    +            passwordFile = config.sops.secrets.nextcloudadminpass.path;
               };
             };
    +      };
         };
     
     
    @@ -9225,13 +8877,13 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
     
    { self, lib, config, ... }:
     let
    +  inherit (config.repo.secrets.local.freshrss) defaultUser;
    +
       servicePort = 80;
       serviceName = "freshrss";
       serviceUser = "freshrss";
       serviceGroup = serviceName;
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    -
    -  inherit (config.swarselsystems) sopsFile;
     in
     {
       options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
    @@ -9247,9 +8899,9 @@ in
     
         sops = {
           secrets = {
    -        freshrss-pw = { inherit sopsFile; owner = serviceUser; };
    -        kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        # freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        fresh = { owner = serviceUser; };
    +        "kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
           };
     
           #   templates = {
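Review bot: `fresh` is a poor name for the FreshRSS admin password secret; the old `freshrss-pw` said what it was, and secret names end up as file names under the sops secrets directory where `fresh` tells an operator nothing. If the entry in the default sops file can be renamed, keep something like `freshrss-admin-pw = { owner = serviceUser; };` and update `passwordFile` accordingly. `oidc-crypto-key` is now declared and decrypted for the service user, but the only consumer visible nearby (the `templates` block right below) is still commented out, so that secret appears to be materialised without a reader — worth confirming or keeping it commented until the OIDC path is wired up. The `sops` block continues past this hunk.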
    @@ -9280,19 +8932,15 @@ in
     
         globals.services.${serviceName}.domain = serviceDomain;
     
    -    services.${serviceName} =
    -      let
    -        inherit (config.repo.secrets.local.freshrss) defaultUser;
    -      in
    -      {
    -        inherit defaultUser;
    -        enable = true;
    -        virtualHost = serviceDomain;
    -        baseUrl = "https://${serviceDomain}";
    -        authType = "form";
    -        dataDir = "/Vault/data/tt-rss";
    -        passwordFile = config.sops.secrets.freshrss-pw.path;
    -      };
    +    services.${serviceName} = {
    +      inherit defaultUser;
    +      enable = true;
    +      virtualHost = serviceDomain;
    +      baseUrl = "https://${serviceDomain}";
    +      authType = "form";
    +      dataDir = "/Vault/data/tt-rss";
    +      passwordFile = config.sops.secrets.fresh.path;
    +    };
     
         # systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [
         #   config.sops.templates.freshrss-env.path
    @@ -9338,9 +8986,7 @@ in
     
    { lib, config, pkgs, globals, ... }:
     let
    -  inherit (config.swarselsystems) sopsFile;
    -
    -  servicePort = 3004;
    +  servicePort = 3000;
       serviceUser = "forgejo";
       serviceGroup = serviceUser;
       serviceName = "forgejo";
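Review bot: `servicePort = 3000` is the same value the Grafana module uses for its `servicePort` earlier in this diff; if both `swarselsystems.modules.server.*` options are enabled on the same host, the two services will fight over the port, which the previous `3004` avoided. If Forgejo was moved to a host without Grafana this is fine, but a comment such as `# 3000 is also Grafana's port; the two modules are not expected on the same host` would record that assumption. The `let` binding list continues past this hunk.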
    @@ -9362,14 +9008,13 @@ in
         users.groups.${serviceGroup} = { };
     
         sops.secrets = {
    -      kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +      kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
         };
     
         globals.services.${serviceName}.domain = serviceDomain;
     
         services.${serviceName} = {
           enable = true;
    -      stateDir = "/Vault/data/${serviceName}";
           user = serviceUser;
           group = serviceGroup;
           lfs.enable = lib.mkDefault true;
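Review bot: Dropping `stateDir = "/Vault/data/${serviceName}"` moves repositories, LFS objects and the database to the NixOS module default rather than to the `Vault` pool; any existing data under `/Vault/data/forgejo` is not migrated and a fresh, empty Forgejo would come up on the next switch. If the relocation is intentional, a one-line comment noting where the state now lives and that the old directory must be moved by hand would save the next person a scare; if not, the line should stay. The `services.forgejo` attribute set continues past this hunk.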
    @@ -9466,7 +9111,7 @@ in
             '';
         };
     
    -    nodes.moonside.services.nginx = {
    +    services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -9503,8 +9148,6 @@ in
     
    { self, lib, config, globals, ... }:
     let
    -  inherit (config.swarselsystems) sopsFile;
    -
       servicePort = 27701;
       serviceName = "ankisync";
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
    @@ -9517,11 +9160,11 @@ in
     
         networking.firewall.allowedTCPPorts = [ servicePort ];
     
    -    sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
    +    sops.secrets.swarsel = { owner = "root"; };
     
    -    topology.self.services.anki = {
    +    topology.self.services.${serviceName} = {
           name = lib.mkForce "Anki Sync Server";
    -      icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png";
    +      icon = "${self}/files/topology-images/${serviceName}.png";
           info = "https://${serviceDomain}";
         };
     
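Review bot: `sops.secrets.swarsel` is the secret that becomes the Anki sync-server password, but its name is the main user's login name, which suggests the sops entry is shared with something else rather than dedicated to this service; if that entry is reused as, say, a user or SSH credential, the Anki server (which is exposed through `allowedTCPPorts`) now authenticates with the same value. A service-specific name such as `sops.secrets.ankisync-pw = { owner = "root"; };` keeps the credential scoped and makes a later rotation local to this module. This is inferred from the name only; if `swarsel` is already a dedicated entry, a short comment saying so is enough.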
    @@ -9535,12 +9178,12 @@ in
           users = [
             {
               username = ankiUser;
    -          passwordFile = config.sops.secrets.anki-pw.path;
    +          passwordFile = config.sops.secrets.swarsel.path;
             }
           ];
         };
     
    -    nodes.moonside.services.nginx = {
    +    services.nginx = {
           upstreams = {
             ${serviceName} = {
               servers = {
    @@ -9591,7 +9234,6 @@ To get other URLs (token, etc.), use { self, lib, pkgs, config, globals, ... }:
     let
       certsSopsFile = self + /secrets/certs/secrets.yaml;
    -  inherit (config.swarselsystems) sopsFile;
     
       servicePort = 8300;
       serviceUser = "kanidm";
    @@ -9621,15 +9263,15 @@ in
           secrets = {
             "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
             "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-idm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-immich" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-paperless" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-forgejo" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-grafana" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-nextcloud" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-freshrss" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-oauth2-proxy" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
           };
         };
     
    @@ -9860,8 +9502,6 @@ let
     
       kanidmDomain = globals.services.kanidm.domain;
       mainDomain = globals.domains.main;
    -
    -  inherit (config.swarselsystems) sopsFile;
     in
     {
       options = {
    @@ -9977,8 +9617,8 @@ in
     
         sops = {
           secrets = {
    -        "oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        "kanidm-oauth2-proxy-client" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "oauth2-cookie-secret" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        "kanidm-oauth2-proxy-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
           };
     
           templates = {
    @@ -10092,7 +9732,6 @@ let
     
       nginxGroup = "nginx";
     
    -  inherit (config.swarselsystems) sopsFile;
       cfg = config.services.firefly-iii;
     in
     {
    @@ -10110,7 +9749,7 @@ in
     
         sops = {
           secrets = {
    -        "firefly-iii-app-key" = { inherit sopsFile; owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
    +        "firefly-iii-app-key" = { owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
           };
         };
     
    @@ -10212,16 +9851,14 @@ let
       postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
       postgresPort = config.services.postgresql.settings.port; # 5432
       containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d";
    -
    -  inherit (config.swarselsystems) sopsFile;
     in
     {
       options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
       config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
     
         sops.secrets = {
    -      koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
    -      koillection-env-file = { inherit sopsFile; };
    +      koillection-db-password = { owner = postgresUser; group = postgresUser; mode = "0440"; };
    +      koillection-env-file = { };
         };
     
         topology.self.services.${serviceName} = {
    @@ -10275,7 +9912,7 @@ in
             passwordPath = config.sops.secrets.koillection-db-password.path;
           in
           ''
    -        ${config.services.postgresql.package}/bin/psql -tA <<'EOF'
    +        $PSQL -tA <<'EOF'
               DO $$
               DECLARE password TEXT;
               BEGIN
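Review bot: `$PSQL -tA <<'EOF'` now depends on a `PSQL` shell variable that nothing in this module sets; inside a Nix `''` string it is plain shell expansion, so unless the surrounding script (which starts outside this hunk) runs in the postgresql unit's `postStart`, where NixOS defines `PSQL`, the variable is empty and the shell will try to execute `-tA` with the heredoc as input. The module already knows the package and port, so the explicit form is safer: `${config.services.postgresql.package}/bin/psql --port=${toString postgresPort} -tA <<'EOF'`. If the script really does run in `postStart`, a comment stating that `PSQL` comes from the postgresql module's environment would make the dependency visible.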
    @@ -10391,6 +10028,7 @@ in
     
    { self, lib, config, ... }:
     let
    +  inherit (config.repo.secrets.local.radicale) user1;
       sopsFile = self + /secrets/winters/secrets2.yaml;
     
       servicePort = 8000;
    @@ -10408,20 +10046,16 @@ in
         sops = {
           secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
     
    -      templates =
    -        let
    -          inherit (config.repo.secrets.local.radicale) user1;
    -        in
    -        {
    -          "radicale-users" = {
    -            content = ''
    -              ${user1}:${config.sops.placeholder.radicale-user}
    -            '';
    -            owner = serviceUser;
    -            group = serviceGroup;
    -            mode = "0440";
    -          };
    +      templates = {
    +        "radicale-users" = {
    +          content = ''
    +            ${user1}:${config.sops.placeholder.radicale-user}
    +          '';
    +          owner = serviceUser;
    +          group = serviceGroup;
    +          mode = "0440";
             };
    +      };
         };
     
         topology.self.services.${serviceName}.info = "https://${serviceDomain}";
    @@ -10436,12 +10070,11 @@ in
                 "[::]:${builtins.toString servicePort}"
               ];
             };
    -        auth =
    -          {
    -            type = "htpasswd";
    -            htpasswd_filename = config.sops.templates.radicale-users.path;
    -            htpasswd_encryption = "autodetect";
    -          };
    +        auth = {
    +          type = "htpasswd";
    +          htpasswd_filename = config.sops.templates.radicale-users.path;
    +          htpasswd_encryption = "autodetect";
    +        };
             storage = {
               filesystem_folder = "/Vault/data/radicale/collections";
             };
    @@ -10521,8 +10154,6 @@ let
       serviceName = "croc";
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
     
    -  inherit (config.swarselsystems) sopsFile;
    -
       cfg = config.services.croc;
     in
     {
    @@ -10531,7 +10162,7 @@ in
     
         sops = {
           secrets = {
    -        croc-password = { inherit sopsFile; };
    +        croc-password = { };
           };
     
           templates = {
    @@ -10593,8 +10224,6 @@ let
       serviceGroup = serviceUser;
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
     
    -  inherit (config.swarselsystems) sopsFile;
    -
       cfg = config.services.${serviceName};
     in
     {
    @@ -10612,9 +10241,9 @@ in
     
         sops = {
           secrets = {
    -        microbin-admin-username = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        microbin-admin-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    -        microbin-uploader-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        microbin-admin-username = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        microbin-admin-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
    +        microbin-uploader-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
           };
     
           templates = {
    @@ -10731,8 +10360,6 @@ let
       serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
     
       containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
    -
    -  inherit (config.swarselsystems) sopsFile;
     in
     {
       options = {
    @@ -10742,7 +10369,7 @@ in
     
         sops = {
           secrets = {
    -        shlink-api = { inherit sopsFile; };
    +        shlink-api = { };
           };
     
           templates = {
    @@ -11362,7 +10989,7 @@ in
           govc
           terraform
           opentofu
    -      dev.terragrunt
    +      terragrunt
           graphviz
           azure-cli
     
    @@ -11503,7 +11130,7 @@ This is where the theme for the whole OS is defined. Originally, this noweb-ref
     

    -
    { self, config, lib, pkgs, globals, minimal, ... }:
    +
    { self, lib, pkgs, ... }:
     {
       options.swarselsystems = {
         isLaptop = lib.mkEnableOption "laptop host";
    @@ -11514,11 +11141,7 @@ This is where the theme for the whole OS is defined. Originally, this noweb-ref
         isBtrfs = lib.mkEnableOption "use btrfs filesystem";
         mainUser = lib.mkOption {
           type = lib.types.str;
    -      default = if (!minimal) then globals.user.name else "swarsel" ;
    -    };
    -    sopsFile = lib.mkOption {
    -      type = lib.types.str;
    -      default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
    +      default = "swarsel";
         };
         homeDir = lib.mkOption {
           type = lib.types.str;
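Review bot: Removing the `swarselsystems.sopsFile` option also removes the per-node default (`secrets/${config.node.name}/secrets.yaml`), and the rest of this diff switches every module to the implicit `sops.defaultSopsFile`. If that default now points at a file shared by several hosts, each host's age key has to decrypt the whole file, so any one host can read every other host's service credentials — the per-host isolation the old default provided is lost. If the default file is still per-host, a comment on `mainUser` or near the removed option saying where secrets are now resolved from would help; otherwise consider keeping a per-host `defaultSopsFile` in the host configuration. The options set continues outside this hunk.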
    @@ -11552,6 +11175,8 @@ This is where the theme for the whole OS is defined. Originally, this noweb-ref
         stylix = lib.mkOption {
           type = lib.types.attrs;
           default = {
    +        enable = true;
    +        base16Scheme = "${self}/files/stylix/swarsel.yaml";
             polarity = "dark";
             opacity.popups = 0.5;
             cursor = {
    @@ -11784,7 +11409,7 @@ Again, we adapt nix to our needs, enable the home-manager command f
     

    -
    { self, lib, pkgs, config, ... }:
    +
    { lib, config, ... }:
     let
       inherit (config.swarselsystems) mainUser;
     in
    @@ -11792,14 +11417,6 @@ in
       options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
       config = lib.mkIf config.swarselsystems.modules.general {
         nix = lib.mkIf (!config.swarselsystems.isNixos) {
    -      package = lib.mkForce pkgs.nixVersions.nix_2_28;
    -      extraOptions = ''
    -        plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    -          buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
    -          patches = (o.patches or []) ++ ["${self}/nix/nix-plugins.patch"];
    -        })}/lib/nix/plugins
    -        extra-builtins-file = ${self + /nix/extra-builtins.nix}
    -      '';
           settings = {
             experimental-features = [
               "nix-command"
    @@ -11811,7 +11428,7 @@ in
             trusted-users = [ "@wheel" "${mainUser}" ];
             connect-timeout = 5;
             bash-prompt-prefix = "$SHLVL:\\w ";
    -        bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)Ξ» ";
    +        bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]Ξ»\[\e[0m\] ";
             fallback = true;
             min-free = 128000000;
             max-free = 1000000000;
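Review bot: The new `bash-prompt` value relies on `\[`, `\e` and `\]` reaching bash, but inside a Nix double-quoted string an unrecognised escape just yields the character, so the setting evaluates to `[e[1m]λ[e[0m] ` and the prompt will show those literals rather than a bold lambda. Double the backslashes: `bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\\[\\e[1m\\]λ\\[\\e[0m\\] ";`. The `nix.settings` block continues past this hunk.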
    @@ -11943,7 +11560,7 @@ This holds packages that I can use as provided, or with small modifications (as
           (aspellWithDicts (dicts: with dicts; [ de en en-computers en-science ]))
     
           # browser
    -      stable24_11.vieb
    +      vieb
           mgba
     
           # utilities
    @@ -12174,16 +11791,24 @@ Since we are using the home-manager implementation here, we need to specify the
     
    { config, lib, ... }:
     let
    -  inherit (config.swarselsystems) homeDir;
    +  inherit (config.swarselsystems) homeDir xdgDir;
     in
     {
       options.swarselsystems.modules.sops = lib.mkEnableOption "sops settings";
       config = lib.mkIf config.swarselsystems.modules.sops {
         sops = {
           age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${homeDir}/.ssh/ssh_host_ed25519_key" ];
    -      defaultSopsFile = "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
    +      defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
     
           validateSopsFiles = false;
    +      secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    +        mrswarsel = { path = "${xdgDir}/secrets/mrswarsel"; };
    +        nautilus = { path = "${xdgDir}/secrets/nautilus"; };
    +        leon = { path = "${xdgDir}/secrets/leon"; };
    +        swarselmail = { path = "${xdgDir}/secrets/swarselmail"; };
    +        github_notif = { path = "${xdgDir}/secrets/github_notif"; };
    +        u2f_keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
    +      };
         };
       };
     }
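Review bot: `defaultSopsFile` is a single path, but it is now assigned from `lib.swarselsystems.mkIfElseList`, whose name suggests it returns a list; if it does, evaluation fails with a type error on every Btrfs host, and if it returns a string the name is misleading — `lib.mkIf` with a plain `if … then … else …` expression would be unambiguous here. Separately, `u2f_keys` was moved here from the yubikey module, so the pam_u2f mapping file is now written to `~/.config/Yubico/u2f_keys` on every non-public host with the sops module enabled, regardless of `modules.yubikey`; gating it with `lib.mkIf config.swarselsystems.modules.yubikey` would keep the file from appearing where no key is expected. These secrets are also decrypted to `${xdgDir}/secrets/…` rather than the sops-nix default directory, which is fine as long as `xdgDir` is on the same filesystem the sops module can write with user-only permissions.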
    @@ -12196,18 +11821,10 @@ in
     
    { lib, config, nixosConfig, ... }:
    -let
    -  inherit (config.swarselsystems) homeDir;
    -in
     {
       options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey settings";
     
       config = lib.mkIf config.swarselsystems.modules.yubikey {
    -
    -    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    -      u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
    -    };
    -
         pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
           ids = [
             nixosConfig.repo.secrets.common.yubikeys.dev1
    @@ -12244,10 +11861,6 @@ It is very convenient to have SSH aliases in place for machines that I use. This
               hostname = "192.168.1.1";
               user = "root";
             };
    -        "bakery" = {
    -          hostname = "192.168.1.136";
    -          user = "root";
    -        };
             "winters" = {
               hostname = "192.168.1.2";
               user = "root";
    @@ -12256,7 +11869,7 @@ It is very convenient to have SSH aliases in place for machines that I use. This
               hostname = "130.61.119.129";
               user = "opc";
             };
    -        "milkywell" = {
    +        "sync" = {
               hostname = "193.122.53.173";
               user = "root";
             };
    @@ -12492,7 +12105,7 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var
     

    -
    { lib, config, globals, nixosConfig, ... }:
    +
    { lib, config, nixosConfig, globals, ... }:
     let
       inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
       inherit (nixosConfig.repo.secrets.common) fullName;
    @@ -12710,7 +12323,7 @@ Here I set up my git config, automatic signing of commits, useful aliases for my
     

    -
    { lib, config, globals, minimal, nixosConfig, ... }:
    +
    { lib, config, nixosConfig, globals, ... }:
     let
       inherit (nixosConfig.repo.secrets.common.mail) address1;
       inherit (nixosConfig.repo.secrets.common) fullName;
    @@ -12722,7 +12335,6 @@ in
       config = lib.mkIf config.swarselsystems.modules.git {
         programs.git = {
           enable = true;
    -      } // lib.optionalAttrs (!minimal) {
           aliases = {
             a = "add";
             c = "commit";
    @@ -13004,7 +12616,7 @@ Currently I only use it as before with initExtra though.
     

    -
    { config, lib, minimal, ... }:
    +
    { config, lib, ... }:
     let
       inherit (config.swarselsystems) flakePath;
     in
    @@ -13016,120 +12628,117 @@ in
           default = { };
         };
       };
    -  config = lib.mkIf config.swarselsystems.modules.zsh
    -    {
    +  config = lib.mkIf config.swarselsystems.modules.zsh {
     
    -      sops.secrets = {
    -        croc-password = { };
    -      };
    -
    -      programs.zsh = {
    -        enable = true;
    -      }
    -      // lib.optionalAttrs (!minimal) {
    -        shellAliases = lib.recursiveUpdate
    -          {
    -            hg = "history | grep";
    -            hmswitch = "home-manager --flake ${flakePath}#$(whoami)@$(hostname) switch |& nom";
    -            # nswitch = "sudo nixos-rebuild --flake ${flakePath}#$(hostname) --show-trace --log-format internal-json -v switch |& nom --json";
    -            nswitch = "swarsel-deploy $(hostname) switch";
    -            # nboot = "sudo nixos-rebuild --flake ${flakePath}#$(hostname) --show-trace --log-format internal-json -v boot |& nom --json";
    -            nboot = "swarsel-deploy $(hostname) boot";
    -            magit = "emacsclient -nc -e \"(magit-status)\"";
    -            config = "git --git-dir=$HOME/.cfg/ --work-tree=$HOME";
    -            g = "git";
    -            c = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/";
    -            passpush = "cd ~/.local/share/password-store; git add .; git commit -m 'pass file changes'; git push; cd -;";
    -            passpull = "cd ~/.local/share/password-store; git pull; cd -;";
    -            hotspot = "nmcli connection up local; nmcli device wifi hotspot;";
    -            youtube-dl = "yt-dlp";
    -            cat-orig = "cat";
    -            cdr = "cd \"$( (find $DOCUMENT_DIR_WORK $DOCUMENT_DIR_PRIV -maxdepth 1 && echo $FLAKE) | fzf )\"";
    -            nix-ldd-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
    -            nix-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
    -            nix-ldd-locate = "nix-locate --minimal --top-level -w ";
    -            nix-store-search = "ls /nix/store | grep";
    -            fs-diff = "sudo mount -o subvol=/ /dev/mapper/cryptroot /mnt ; fs-diff";
    -            lt = "eza -las modified --total-size";
    -            boot-diff = "nix store diff-closures /run/*-system";
    -            gen-diff = "nix profile diff-closures --profile /nix/var/nix/profiles/system";
    -            cc = "wl-copy";
    -          }
    -          config.swarselsystems.shellAliases;
    -        autosuggestion.enable = true;
    -        enableCompletion = true;
    -        syntaxHighlighting.enable = true;
    -        autocd = false;
    -        cdpath = [
    -          "~/.dotfiles"
    -          # "~/Documents/GitHub"
    -        ];
    -        defaultKeymap = "emacs";
    -        dirHashes = {
    -          dl = "$HOME/Downloads";
    -          gh = "$HOME/Documents/GitHub";
    -        };
    -        history = {
    -          expireDuplicatesFirst = true;
    -          path = "$HOME/.histfile";
    -          save = 100000;
    -          size = 100000;
    -        };
    -        historySubstringSearch = {
    -          enable = true;
    -          searchDownKey = "^[OB";
    -          searchUpKey = "^[OA";
    -        };
    -        plugins = [
    -          # {
    -          #   name = "fzf-tab";
    -          #   src = pkgs.zsh-fzf-tab;
    -          # }
    -        ];
    -        initContent = lib.mkIf (!config.swarselsystems.isPublic) ''
    -          my-forward-word() {
    -            local WORDCHARS=$WORDCHARS
    -            WORDCHARS="''${WORDCHARS//:}"
    -            WORDCHARS="''${WORDCHARS//\/}"
    -            WORDCHARS="''${WORDCHARS//.}"
    -            zle forward-word
    -          }
    -          zle -N my-forward-word
    -          # ctrl + right
    -          bindkey "^[[1;5C" my-forward-word
    -
    -          # shift + right
    -          bindkey "^[[1;2C" forward-word
    -
    -          my-backward-word() {
    -            local WORDCHARS=$WORDCHARS
    -            WORDCHARS="''${WORDCHARS//:}"
    -            WORDCHARS="''${WORDCHARS//\/}"
    -            WORDCHARS="''${WORDCHARS//.}"
    -            zle backward-word
    -          }
    -          zle -N my-backward-word
    -          # ctrl + left
    -          bindkey "^[[1;5D" my-backward-word
    -
    -          # shift + left
    -          bindkey "^[[1;2D" backward-word
    -
    -          my-backward-delete-word() {
    -            local WORDCHARS=$WORDCHARS
    -            WORDCHARS="''${WORDCHARS//:}"
    -            WORDCHARS="''${WORDCHARS//\/}"
    -            WORDCHARS="''${WORDCHARS//.}"
    -            zle backward-delete-word
    -          }
    -          zle -N my-backward-delete-word
    -          # ctrl + del
    -          bindkey '^H' my-backward-delete-word
    -
    -          export CROC_PASS="$(cat ${config.sops.secrets.croc-password.path})"
    -        '';
    -      };
    +    sops.secrets = {
    +      croc-password = { };
         };
    +
    +    programs.zsh = {
    +      enable = true;
    +      shellAliases = lib.recursiveUpdate
    +        {
    +          hg = "history | grep";
    +          hmswitch = "home-manager --flake ${flakePath}#$(whoami)@$(hostname) switch |& nom";
    +          # nswitch = "sudo nixos-rebuild --flake ${flakePath}#$(hostname) --show-trace --log-format internal-json -v switch |& nom --json";
    +          nswitch = "swarsel-deploy $(hostname) switch";
    +          # nboot = "sudo nixos-rebuild --flake ${flakePath}#$(hostname) --show-trace --log-format internal-json -v boot |& nom --json";
    +          nboot = "swarsel-deploy $(hostname) boot";
    +          magit = "emacsclient -nc -e \"(magit-status)\"";
    +          config = "git --git-dir=$HOME/.cfg/ --work-tree=$HOME";
    +          g = "git";
    +          c = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/";
    +          passpush = "cd ~/.local/share/password-store; git add .; git commit -m 'pass file changes'; git push; cd -;";
    +          passpull = "cd ~/.local/share/password-store; git pull; cd -;";
    +          hotspot = "nmcli connection up local; nmcli device wifi hotspot;";
    +          youtube-dl = "yt-dlp";
    +          cat-orig = "cat";
    +          cdr = "cd \"$( (find $DOCUMENT_DIR_WORK $DOCUMENT_DIR_PRIV -maxdepth 1 && echo $FLAKE) | fzf )\"";
    +          nix-ldd-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
    +          nix-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
    +          nix-ldd-locate = "nix-locate --minimal --top-level -w ";
    +          nix-store-search = "ls /nix/store | grep";
    +          fs-diff = "sudo mount -o subvol=/ /dev/mapper/cryptroot /mnt ; fs-diff";
    +          lt = "eza -las modified --total-size";
    +          boot-diff = "nix store diff-closures /run/*-system";
    +          gen-diff = "nix profile diff-closures --profile /nix/var/nix/profiles/system";
    +          cc = "wl-copy";
    +        }
    +        config.swarselsystems.shellAliases;
    +      autosuggestion.enable = true;
    +      enableCompletion = true;
    +      syntaxHighlighting.enable = true;
    +      autocd = false;
    +      cdpath = [
    +        "~/.dotfiles"
    +        # "~/Documents/GitHub"
    +      ];
    +      defaultKeymap = "emacs";
    +      dirHashes = {
    +        dl = "$HOME/Downloads";
    +        gh = "$HOME/Documents/GitHub";
    +      };
    +      history = {
    +        expireDuplicatesFirst = true;
    +        path = "$HOME/.histfile";
    +        save = 100000;
    +        size = 100000;
    +      };
    +      historySubstringSearch = {
    +        enable = true;
    +        searchDownKey = "^[OB";
    +        searchUpKey = "^[OA";
    +      };
    +      plugins = [
    +        # {
    +        #   name = "fzf-tab";
    +        #   src = pkgs.zsh-fzf-tab;
    +        # }
    +      ];
    +      initContent = lib.mkIf (!config.swarselsystems.isPublic) ''
    +        my-forward-word() {
    +          local WORDCHARS=$WORDCHARS
    +          WORDCHARS="''${WORDCHARS//:}"
    +          WORDCHARS="''${WORDCHARS//\/}"
    +          WORDCHARS="''${WORDCHARS//.}"
    +          zle forward-word
    +        }
    +        zle -N my-forward-word
    +        # ctrl + right
    +        bindkey "^[[1;5C" my-forward-word
    +
    +        # shift + right
    +        bindkey "^[[1;2C" forward-word
    +
    +        my-backward-word() {
    +          local WORDCHARS=$WORDCHARS
    +          WORDCHARS="''${WORDCHARS//:}"
    +          WORDCHARS="''${WORDCHARS//\/}"
    +          WORDCHARS="''${WORDCHARS//.}"
    +          zle backward-word
    +        }
    +        zle -N my-backward-word
    +        # ctrl + left
    +        bindkey "^[[1;5D" my-backward-word
    +
    +        # shift + left
    +        bindkey "^[[1;2D" backward-word
    +
    +        my-backward-delete-word() {
    +          local WORDCHARS=$WORDCHARS
    +          WORDCHARS="''${WORDCHARS//:}"
    +          WORDCHARS="''${WORDCHARS//\/}"
    +          WORDCHARS="''${WORDCHARS//.}"
    +          zle backward-delete-word
    +        }
    +        zle -N my-backward-delete-word
    +        # ctrl + del
    +        bindkey '^H' my-backward-delete-word
    +
    +        export CROC_PASS="$(cat ${config.sops.secrets.croc-password.path})"
    +      '';
    +    };
    +  };
     }
     
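Review bot: `export CROC_PASS="$(cat ${config.sops.secrets.croc-password.path})"` at the end of initContent reads the secret on every interactive shell start and places it in the environment of every process that shell launches, where it is readable through `/proc/<pid>/environ` by anything running as the same user and inherited by unrelated children; the reindent carries this line over unchanged. Scoping the value to the one command that needs it keeps it out of the general environment, e.g. `croc() { CROC_PASS="$(cat ${config.sops.secrets.croc-password.path})" command croc "$@"; }` in place of the export, assuming croc is the only consumer. The `!config.swarselsystems.isPublic` guard on initContent is preserved, so only non-public hosts are affected.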
    @@ -13282,21 +12891,12 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
    { lib, config, nixosConfig, ... }:
     let
    -  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host;
    +  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4;
       inherit (nixosConfig.repo.secrets.common) fullName;
    -  inherit (config.swarselsystems) xdgDir;
     in
     {
       options.swarselsystems.modules.mail = lib.mkEnableOption "mail settings";
       config = lib.mkIf config.swarselsystems.modules.mail {
    -
    -    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    -      address1-token = { path = "${xdgDir}/secrets/address1-token"; };
    -      address2-token = { path = "${xdgDir}/secrets/address2-token"; };
    -      address3-token = { path = "${xdgDir}/secrets/address3-token"; };
    -      address4-token = { path = "${xdgDir}/secrets/address4-token"; };
    -    };
    -
         programs = {
           mbsync = {
             enable = true;
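Review bot: the four `sops.secrets` declarations with explicit `${xdgDir}/secrets/<name>` paths are removed here while `passwordCommand` lines later in this file now reference `config.sops.secrets.leon.path`, `.nautilus.path`, `.mrswarsel.path` and `.swarselmail.path`; those attributes must be declared in a module evaluated on every host that enables `modules.mail`, otherwise evaluation fails with a missing-attribute error. The removed declaration was guarded by `!config.swarselsystems.isPublic` and the remaining references are not, so the same mismatch applies if the new declarations keep that guard. A one-line comment above `programs = {` naming where the mail secrets are now declared would make the dependency visible. The `config = lib.mkIf` attrset continues past the hunk.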
    @@ -13324,7 +12924,7 @@ in
                 address = address1;
                 userName = address1;
                 realName = fullName;
    -            passwordCommand = "cat ${config.sops.secrets.address1-token.path}";
    +            passwordCommand = "cat ${config.sops.secrets.leon.path}";
                 gpg = {
                   key = "0x76FD3810215AE097";
                   signByDefault = true;
    @@ -13354,11 +12954,11 @@ in
     
               swarsel = {
                 address = address4;
    -            userName = address4-user;
    +            userName = "8227dc594dd515ce232eda1471cb9a19";
                 realName = fullName;
    -            passwordCommand = "cat ${config.sops.secrets.address4-token.path}";
    +            passwordCommand = "cat ${config.sops.secrets.swarselmail.path}";
                 smtp = {
    -              host = address4-host;
    +              host = "in-v3.mailjet.com";
                   port = 587;
                   tls = {
                     enable = true;
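Review bot: `userName = "8227dc594dd515ce232eda1471cb9a19";` and `host = "in-v3.mailjet.com";` replace `address4-user` and `address4-host`, which were read from `nixosConfig.repo.secrets.common.mail`, so two values the author previously kept in the encrypted secrets tree now sit in plaintext in the config; for this provider the SMTP user name looks like an API key identifier, and together with the password read from `config.sops.secrets.swarselmail.path` it grants send access, so it should stay in the secrets tree (`userName = address4-user;` with `address4-user` kept in the module's `inherit` list). Once such a value has been committed it remains in git history, so rotating it is the safe follow-up. The enclosing `swarsel = {` account block starts before and ends after the hunk.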
    @@ -13378,8 +12978,8 @@ in
                 primary = false;
                 address = address2;
                 userName = address2;
    -            realName = address2-name;
    -            passwordCommand = "cat ${config.sops.secrets.address2-token.path}";
    +            realName = add2Name;
    +            passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
                 imap.host = "imap.gmail.com";
                 smtp.host = "smtp.gmail.com";
                 msmtp.enable = true;
    @@ -13405,8 +13005,8 @@ in
                 primary = false;
                 address = address3;
                 userName = address3;
    -            realName = address3-name;
    -            passwordCommand = "cat ${config.sops.secrets.address3-token.path}";
    +            realName = add3Name;
    +            passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
                 imap.host = "imap.gmail.com";
                 smtp.host = "smtp.gmail.com";
                 msmtp.enable = true;
    @@ -13457,7 +13057,7 @@ in
       options.swarselsystems.modules.emacs = lib.mkEnableOption "emacs settings";
       config = lib.mkIf config.swarselsystems.modules.emacs {
         # needed for elfeed
    -    sops.secrets.fever-pw = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
    +    sops.secrets.fever = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
     
         # enable emacs overlay for bleeding edge features
         # also read init.el file and install use-package packages
    @@ -13558,7 +13158,6 @@ The rest of the related configuration is found here:
     
    { self, config, lib, pkgs, ... }:
     let
    -  inherit (config.swarselsystems) xdgDir;
       generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
       modulesLeft = [
         "custom/outer-left-arrow-dark"
    @@ -13611,17 +13210,11 @@ in
         };
       };
       config = lib.mkIf config.swarselsystems.modules.waybar {
    -
         swarselsystems = {
           waybarModules = lib.mkIf config.swarselsystems.isLaptop (modulesLeft ++ [
             "battery"
           ] ++ modulesRight);
         };
    -
    -    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
    -      github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
    -    };
    -
         programs.waybar = {
           enable = true;
           systemd = {
    @@ -14157,13 +13750,12 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    3.3.1.30.4. SwayOSD
    -
    { lib, pkgs, config, ... }:
    +
    { lib, config, ... }:
     {
       options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings";
       config = lib.mkIf config.swarselsystems.modules.swayosd {
         services.swayosd = {
           enable = true;
    -      package = pkgs.dev.swayosd;
           topMargin = 0.5;
         };
       };
    @@ -14972,6 +14564,7 @@ The rest of the settings is at { self, config, pkgs, lib, nixosConfig, ... }:
     let
       inherit (config.swarselsystems) homeDir;
    +  inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
     in
     {
       options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings";
    @@ -15009,141 +14602,131 @@ in
           };
         };
     
    -    stylix = {
    -      targets.firefox.profileNames =
    -        let
    -          inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
    -        in
    -        [
    -          "${user1}"
    -          "${user2}"
    -          "${user3}"
    -          "work"
    +    stylix.targets.firefox.profileNames = [
    +      "${user1}"
    +      "${user2}"
    +      "${user3}"
    +      "work"
    +    ];
    +
    +    programs = {
    +      git.userEmail = lib.mkForce gitMail;
    +
    +      zsh = {
    +        shellAliases = {
    +          dssh = "ssh -l ${user1Long}";
    +          cssh = "ssh -l ${user2Long}";
    +          wssh = "ssh -l ${user3Long}";
    +        };
    +        cdpath = [
    +          "~/Documents/Work"
             ];
    -    };
    -
    -    programs =
    -      let
    -        inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
    -      in
    -      {
    -        git.userEmail = lib.mkForce gitMail;
    -
    -        zsh = {
    -          shellAliases = {
    -            dssh = "ssh -l ${user1Long}";
    -            cssh = "ssh -l ${user2Long}";
    -            wssh = "ssh -l ${user3Long}";
    -          };
    -          cdpath = [
    -            "~/Documents/Work"
    -          ];
    -          dirHashes = {
    -            d = "$HOME/.dotfiles";
    -            w = "$HOME/Documents/Work";
    -            s = "$HOME/.dotfiles/secrets";
    -            pr = "$HOME/Documents/Private";
    -            ac = path1;
    -          };
    -        };
    -
    -        ssh = {
    -          matchBlocks = {
    -            "${loc1}" = {
    -              hostname = "${loc1}.${domain2}";
    -              user = user4;
    -            };
    -            "${loc1}.stg" = {
    -              hostname = "${loc1}.${lifecycle1}.${domain2}";
    -              user = user4;
    -            };
    -            "${loc1}.staging" = {
    -              hostname = "${loc1}.${lifecycle1}.${domain2}";
    -              user = user4;
    -            };
    -            "${loc1}.dev" = {
    -              hostname = "${loc1}.${lifecycle2}.${domain2}";
    -              user = user4;
    -            };
    -            "${loc2}" = {
    -              hostname = "${loc2}.${domain1}";
    -              user = user1Long;
    -            };
    -            "${loc2}.stg" = {
    -              hostname = "${loc2}.${lifecycle1}.${domain2}";
    -              user = user1Long;
    -            };
    -            "${loc2}.staging" = {
    -              hostname = "${loc2}.${lifecycle1}.${domain2}";
    -              user = user1Long;
    -            };
    -            "*.${domain1}" = {
    -              user = user1Long;
    -            };
    -          };
    -        };
    -
    -        firefox = {
    -          profiles =
    -            let
    -              isDefault = false;
    -            in
    -            {
    -              "${user1}" = lib.recursiveUpdate
    -                {
    -                  inherit isDefault;
    -                  id = 1;
    -                  settings = {
    -                    "browser.startup.homepage" = "${site1}|${site2}";
    -                  };
    -                }
    -                config.swarselsystems.firefox;
    -              "${user2}" = lib.recursiveUpdate
    -                {
    -                  inherit isDefault;
    -                  id = 2;
    -                  settings = {
    -                    "browser.startup.homepage" = "${site3}";
    -                  };
    -                }
    -                config.swarselsystems.firefox;
    -              "${user3}" = lib.recursiveUpdate
    -                {
    -                  inherit isDefault;
    -                  id = 3;
    -                }
    -                config.swarselsystems.firefox;
    -              work = lib.recursiveUpdate
    -                {
    -                  inherit isDefault;
    -                  id = 4;
    -                  settings = {
    -                    "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
    -                  };
    -                }
    -                config.swarselsystems.firefox;
    -            };
    -        };
    -
    -        chromium = {
    -          enable = true;
    -          package = pkgs.chromium;
    -
    -          extensions = [
    -            # 1password
    -            "gejiddohjgogedgjnonbofjigllpkmbf"
    -            # dark reader
    -            "eimadpbcbfnmbkopoojfekhnkhdbieeh"
    -            # ublock origin
    -            "cjpalhdlnbpafiamejdnhcphjbkeiagm"
    -            # i still dont care about cookies
    -            "edibdbjcniadpccecjdfdjjppcpchdlm"
    -            # browserpass
    -            "naepdomgkenhinolocfifgehidddafch"
    -          ];
    +        dirHashes = {
    +          d = "$HOME/.dotfiles";
    +          w = "$HOME/Documents/Work";
    +          s = "$HOME/.dotfiles/secrets";
    +          pr = "$HOME/Documents/Private";
    +          ac = path1;
             };
           };
     
    +      ssh = {
    +        matchBlocks = {
    +          "${loc1}" = {
    +            hostname = "${loc1}.${domain2}";
    +            user = user4;
    +          };
    +          "${loc1}.stg" = {
    +            hostname = "${loc1}.${lifecycle1}.${domain2}";
    +            user = user4;
    +          };
    +          "${loc1}.staging" = {
    +            hostname = "${loc1}.${lifecycle1}.${domain2}";
    +            user = user4;
    +          };
    +          "${loc1}.dev" = {
    +            hostname = "${loc1}.${lifecycle2}.${domain2}";
    +            user = user4;
    +          };
    +          "${loc2}" = {
    +            hostname = "${loc2}.${domain1}";
    +            user = user1Long;
    +          };
    +          "${loc2}.stg" = {
    +            hostname = "${loc2}.${lifecycle1}.${domain2}";
    +            user = user1Long;
    +          };
    +          "${loc2}.staging" = {
    +            hostname = "${loc2}.${lifecycle1}.${domain2}";
    +            user = user1Long;
    +          };
    +          "*.${domain1}" = {
    +            user = user1Long;
    +          };
    +        };
    +      };
    +
    +      firefox = {
    +        profiles =
    +          let
    +            isDefault = false;
    +          in
    +          {
    +            "${user1}" = lib.recursiveUpdate
    +              {
    +                inherit isDefault;
    +                id = 1;
    +                settings = {
    +                  "browser.startup.homepage" = "${site1}|${site2}";
    +                };
    +              }
    +              config.swarselsystems.firefox;
    +            "${user2}" = lib.recursiveUpdate
    +              {
    +                inherit isDefault;
    +                id = 2;
    +                settings = {
    +                  "browser.startup.homepage" = "${site3}";
    +                };
    +              }
    +              config.swarselsystems.firefox;
    +            "${user3}" = lib.recursiveUpdate
    +              {
    +                inherit isDefault;
    +                id = 3;
    +              }
    +              config.swarselsystems.firefox;
    +            work = lib.recursiveUpdate
    +              {
    +                inherit isDefault;
    +                id = 4;
    +                settings = {
    +                  "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
    +                };
    +              }
    +              config.swarselsystems.firefox;
    +          };
    +      };
    +
    +      chromium = {
    +        enable = true;
    +        package = pkgs.chromium;
    +
    +        extensions = [
    +          # 1password
    +          "gejiddohjgogedgjnonbofjigllpkmbf"
    +          # dark reader
    +          "eimadpbcbfnmbkopoojfekhnkhdbieeh"
    +          # ublock origin
    +          "cjpalhdlnbpafiamejdnhcphjbkeiagm"
    +          # i still dont care about cookies
    +          "edibdbjcniadpccecjdfdjjppcpchdlm"
    +          # browserpass
    +          "naepdomgkenhinolocfifgehidddafch"
    +        ];
    +      };
    +    };
    +
         services = {
           kanshi = {
             settings = [
    @@ -15262,53 +14845,49 @@ in
           };
         };
     
    -    xdg =
    -      let
    -        inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
    -      in
    -      {
    -        mimeApps = {
    -          defaultApplications = {
    -            "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
    -          };
    +    xdg = {
    +      mimeApps = {
    +        defaultApplications = {
    +          "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
             };
    -        desktopEntries =
    -          let
    -            terminal = false;
    -            categories = [ "Application" ];
    -            icon = "firefox";
    -          in
    -          {
    -            firefox_work = {
    -              name = "Firefox (work)";
    -              genericName = "Firefox work";
    -              exec = "firefox -p work";
    -              inherit terminal categories icon;
    -            };
    -            "firefox_${user1}" = {
    -              name = "Firefox (${user1})";
    -              genericName = "Firefox ${user1}";
    -              exec = "firefox -p ${user1}";
    -              inherit terminal categories icon;
    -            };
    -
    -            "firefox_${user2}" = {
    -              name = "Firefox (${user2})";
    -              genericName = "Firefox ${user2}";
    -              exec = "firefox -p ${user2}";
    -              inherit terminal categories icon;
    -            };
    -
    -            "firefox_${user3}" = {
    -              name = "Firefox (${user3})";
    -              genericName = "Firefox ${user3}";
    -              exec = "firefox -p ${user3}";
    -              inherit terminal categories icon;
    -            };
    -
    -
    -          };
           };
    +      desktopEntries =
    +        let
    +          terminal = false;
    +          categories = [ "Application" ];
    +          icon = "firefox";
    +        in
    +        {
    +          firefox_work = {
    +            name = "Firefox (work)";
    +            genericName = "Firefox work";
    +            exec = "firefox -p work";
    +            inherit terminal categories icon;
    +          };
    +          "firefox_${user1}" = {
    +            name = "Firefox (${user1})";
    +            genericName = "Firefox ${user1}";
    +            exec = "firefox -p ${user1}";
    +            inherit terminal categories icon;
    +          };
    +
    +          "firefox_${user2}" = {
    +            name = "Firefox (${user2})";
    +            genericName = "Firefox ${user2}";
    +            exec = "firefox -p ${user2}";
    +            inherit terminal categories icon;
    +          };
    +
    +          "firefox_${user3}" = {
    +            name = "Firefox (${user3})";
    +            genericName = "Firefox ${user3}";
    +            exec = "firefox -p ${user3}";
    +            inherit terminal categories icon;
    +          };
    +
    +
    +        };
    +    };
         swarselsystems = {
           startup = [
             # { command = "nextcloud --background"; }
    @@ -16046,7 +15625,7 @@ writeShellApplication {
       inherit name;
       runtimeInputs = [ jq ];
       text = ''
    -    count=$(curl -u Swarsel:"$(cat "$XDG_RUNTIME_DIR/secrets/github-notifications-token")" https://api.github.com/notifications | jq '. | length')
    +    count=$(curl -u Swarsel:"$(cat "$XDG_RUNTIME_DIR/secrets/github_notif")" https://api.github.com/notifications | jq '. | length')
     
         if [[ "$count" != "0" ]]; then
             echo "{\"text\":\"$count\"}"
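Review bot: `curl -u Swarsel:"$(cat "$XDG_RUNTIME_DIR/secrets/github_notif")"` expands the token into curl's argument vector, where it is visible to every local user through `ps` or `/proc/<pid>/cmdline` for the duration of each poll; the change only moves the file path. Feeding the credential through curl's config input keeps it out of argv: `count=$(curl -K - <<< "user = \"Swarsel:$(cat "$XDG_RUNTIME_DIR/secrets/github_notif")\"" https://api.github.com/notifications | jq '. | length')`. The path is also hardcoded here while the sops declaration that materialises `github_notif` is not in this file (the waybar module's `github-notifications-token` declaration is removed in this same commit), so passing `config.sops.secrets.<name>.path` into the script would keep the two from drifting. `writeShellApplication` and its `name`/`runtimeInputs` are defined before the hunk.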
    @@ -16306,7 +15885,6 @@ if [ ! -d "$FLAKE" ]; then
     fi
     
     cd "$FLAKE"
    -rm install/flake.lock || true
     git_root=$(git rev-parse --show-toplevel)
     # ------------------------
     green "Wiping known_hosts of $target_destination"
    @@ -16332,7 +15910,7 @@ if [ "$disk_encryption" -eq 1 ]; then
             green "Please confirm passphrase:"
             read -rs luks_passphrase_confirm
             if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
    -            $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password"
    +            $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"
                 break
             else
                 red "Passwords do not match"
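Review bot: `$ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"` expands the passphrase into the command line, so it is visible in the local ssh process's argv and in the remote `/bin/sh` argv via `ps`/`/proc/*/cmdline` while the command runs, and because the inner single quotes now wrap the already-expanded value for the inner `sh -c`, any `'`, `$`, backtick, `;` or `>` in the passphrase is interpreted by that shell instead of being written to the file (the old line's quoting at least protected everything but `'`). Passing it over stdin avoids both: `printf '%s\n' "$luks_passphrase" | $ssh_root_cmd "cat > /tmp/disko-password"` (the `\n` keeps the trailing newline `echo` produced; check that `$ssh_root_cmd`, defined outside this hunk, does not pass `-n`). The enclosing loop starts and ends outside the hunk.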
    @@ -16343,12 +15921,15 @@ fi
     green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
     $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
     
    +green "Injecting initialSetup"
    +$ssh_root_cmd "sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
    +
     mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
     $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
     # ------------------------
     
     green "Deploying minimal NixOS installation on $target_destination"
    -nix run github:nix-community/nixos-anywhere/1.10.0 -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination"
    +SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination"
     
     echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
     ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
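Review bot: `SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- ...` drops the `/1.10.0` ref the previous line carried, so every run fetches whatever the upstream default branch points at and executes it with root on the target; a pinned ref (`github:nix-community/nixos-anywhere/1.10.0`, or a `?rev=` pin) keeps the installer reproducible and reviewable and should be restored. Separately, the added `sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' ...` silently inserts nothing when the generated file has no line with exactly that leading whitespace, and the matching `sed -i '/swarselsystems\.initialSetup = true;/d'` added in the next hunk is equally silent; a `grep -q 'swarselsystems.initialSetup = true;' "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix || { red "initialSetup not injected"; exit 1; }` after the scp would make the failure visible.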
    @@ -16374,6 +15955,8 @@ if [[ $SECUREBOOT == "true" ]]; then
         $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
     fi
     # ------------------------
    +green "Disabling initialSetup"
    +sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
     
     if [ -n "$persist_dir" ]; then
         $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
    @@ -16409,19 +15992,17 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then
     fi
     green "Updating all secrets files to reflect updates .sops.yaml"
     sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml
    -sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc
     # --------------------------
     green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
     sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
    -$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown -R $target_user:users /home/$target_user/.ssh/"
     $scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key
    -$ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"
    +$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"
     # __________________________
     
     if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
         green "Adding ssh host fingerprints for git{lab,hub}"
    -    $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts"
    -    $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts"
    +    $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /home/$target_user/.ssh/known_hosts"
    +    $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /root/.ssh/known_hosts"
     fi
     # --------------------------
     
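Review bot: The rewritten `$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"` line no longer chowns the `.ssh` directory itself, so whenever `mkdir -p` actually creates it the directory stays root-owned (and 755 under root's default umask); the later `$ssh_cmd "... >> /home/$target_user/.ssh/known_hosts"` then runs as `$target_user` and cannot create known_hosts. It also runs after the `$scp_cmd`, whereas the removed `chown -R` line prepared the directory before the key was copied in. I would restore the preparation step ahead of the scp, `$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh; chmod 700 /home/$target_user/.ssh"`, keep only the key chown after it, and add `chmod 600` on the copied key in case scp does not carry the source mode over. Separately, the two `ssh-keyscan ... >> known_hosts` lines record whatever key the network returns at that moment; comparing the output against pinned fingerprints would turn this into a verified step rather than trust-on-first-use.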
    @@ -16438,48 +16019,35 @@ if yes_or_no "Do you want to copy your full nix-config and nix-secrets to $targe
         fi
     
         if yes_or_no "Do you want to rebuild immediately?"; then
    -        green "Building nix-config for $target_hostname"
    -        # yellow "Reminder: The password is 'setup'"
    -        $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json"
    -        # $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
    -        store_path=$(nix build --no-link --print-out-paths .#nixosConfigurations."$target_hostname".config.system.build.toplevel)
    -        green "Copying generation to $target_hostname"
    -        nix copy --to "ssh://root@$target_destination" "$store_path"
    -        # prev_system=$($ssh_root_cmd " readlink -e /nix/var/nix/profiles/system")
    -        green "Linking generation in bootloader"
    -        $ssh_root_cmd "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set $store_path"
    -        green "Setting generation to activate upon next boot"
    -        $ssh_root_cmd "$store_path/bin/switch-to-configuration boot"
    -    else
    -        echo
    -        green "NixOS was successfully installed!"
    -        echo "Post-install config build instructions:"
    -        echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
    -        echo "just sync $target_user $target_destination"
    -        echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
    -        echo "cd nix-config"
    -        # see above FIXME:(bootstrap)
    -        echo "sudo nixos-rebuild .pre-commit-config.yaml show-trace --flake .#$target_hostname switch"
    -        # echo "just rebuild"
    -        echo
    +        green "Rebuilding nix-config on $target_hostname"
    +        yellow "Reminder: The password is 'setup'"
    +        $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' > /root/.local/share/nix/trusted-settings.json"
    +        $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
         fi
    +else
    +    echo
    +    green "NixOS was successfully installed!"
    +    echo "Post-install config build instructions:"
    +    echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
    +    echo "just sync $target_user $target_destination"
    +    echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
    +    echo "cd nix-config"
    +    # see above FIXME:(bootstrap)
    +    echo "sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
    +    # echo "just rebuild"
    +    echo
     fi
     
    -green "NixOS was successfully installed!"
     if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
         cd "${git_root}"
         deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe
    -    nixpkgs--fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix
    -    (.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) &&
    +    nixpkgs-fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix
    +    (pre-commit run --all-files 2> /dev/null || true) &&
             git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" &&
             git add "$git_root/.sops.yaml" &&
             git add "$git_root/secrets" &&
             (git commit -m "feat: deployed $target_hostname" || true) && git push
     fi
    -
    -if yes_or_no "Reboot now?"; then
    -    $ssh_root_cmd "reboot"
    -fi
     
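Review bot: The new `$ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"` line forwards the operator's SSH agent into a host that was installed minutes earlier, where anything running as root can use the forwarded socket to authenticate as the operator for the length of the session; the removed build-locally-and-`nix copy` path needed no such trust in the target. If forwarding is kept, limit the agent to the single key needed to fetch the flake inputs (or load keys with `ssh-add -c` so each use is confirmed) and document that choice in a comment on this line; otherwise drop `-oForwardAgent=yes`. The messages in the new `else` branch still point to `~/nix-config` and `cd nix-config` while the rebuild branch does `cd .dotfiles`, so one of the two paths is stale. Because the instructions moved under `else`, a user who copies the config but declines the immediate rebuild now gets no post-install guidance at all, and the former "Reboot now?" prompt is gone without a replacement hint.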
    @@ -16584,7 +16152,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
 rm modules/home/common/mail.nix
 rm modules/home/common/yubikey.nix
 rm modules/nixos/server/restic.nix
- rm hosts/nixos/milkywell/default.nix
+ rm hosts/nixos/sync/default.nix
 rm -rf modules/nixos/server
 rm -rf modules/home/server
 nix flake update vbc-nix
@@ -16716,8 +16284,34 @@ cd .dotfiles
 if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
 yellow "The ssh key for this configuration is not available."
 green "Adjusting flake.nix so that the configuration is buildable ..."
+ sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
 sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix
 sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix
+ rm modules/home/common/env.nix
+ rm modules/home/common/gammastep.nix
+ rm modules/home/common/git.nix
+ rm modules/home/common/mail.nix
+ rm modules/home/common/yubikey.nix
+ rm modules/nixos/server/restic.nix
+ rm hosts/nixos/sync/default.nix
+ rm -rf modules/nixos/server
+ rm -rf modules/home/server
+ cat > hosts/nixos/chaostheatre/options-home.nix << EOF
+ { self, lib, ... }:
+ {
+ options = {
+ swarselsystems = {
+ modules = {
+ yubikey = lib.mkEnableOption "dummy option for chaostheatre";
+ env = lib.mkEnableOption "dummy option for chaostheatre";
+ git = lib.mkEnableOption "dummy option for chaostheatre";
+ mail = lib.mkEnableOption "dummy option for chaostheatre";
+ gammastep = lib.mkEnableOption "dummy option for chaostheatre";
+ };
+ };
+ };
+ }
+EOF
 nix flake update vbc-nix
 git add .
 else
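Review bot: In the `@@ -16716` hunk the nine added `rm modules/home/common/...` / `rm hosts/nixos/sync/default.nix` lines carry no `-f`, so a second run of this branch, or a tree where one of those files is already gone, prints errors and — if the script runs under `set -e`, which is not visible here — aborts before the `cat > hosts/nixos/chaostheatre/options-home.nix` fallback is written; `rm -f` makes the step idempotent. The same removal list already appears in the `@@ -16584` hunk above, which suggests keeping it in one array or helper used by both paths. The heredoc is opened with an unquoted `<< EOF`; since the generated Nix is meant to be literal, `<< 'EOF'` protects any future `$` or backtick in the template from shell expansion. A one-line comment above the heredoc stating that these dummy options exist only so profile modules setting `swarselsystems.modules.{yubikey,env,git,mail,gammastep}` keep evaluating after their implementations are deleted would spare the next reader the deduction.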
@@ -16788,18 +16382,15 @@ sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user" green "Generating hardware configuration ..." sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ +green "Injecting initialSetup ..." +sudo sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix + git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix sudo mkdir -p /root/.local/share/nix/ printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null green "Installing flake $target_config" - -store_path=$(nix build --no-link --print-out-paths .#nixosConfigurationsMinimal."$target_config".config.system.build.toplevel) -green "Linking generation in bootloader" -sudo "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set $store_path" -green "Setting generation to activate upon next boot" -sudo "$store_path/bin/switch-to-configuration boot" +sudo nixos-install --flake .#"$target_config" green "Installation finished! Reboot to see changes" -
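Review bot: The added `sudo sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' .../hardware-configuration.nix` line succeeds silently when the generated file has no ` boot.extraModulePackages ` line, in which case `sudo nixos-install --flake .#"$target_config"` proceeds without the initialSetup flag and nothing reports it; a check right after the sed, `grep -q 'swarselsystems.initialSetup = true;' "$hwcfg" || yellow "initialSetup was not injected"` with `hwcfg` bound to that path, would make the failure visible. The same file is then `git add`ed with the flag still inside, so if a commit happens before the post-install script removes the line again the flag persists in the repository; a comment on the sed line saying it is temporary and undone in post-install would help. Replacing the former `nix-env --profile ... --set` / `switch-to-configuration boot` pair with `nixos-install` also means the step may stop to ask for a root password unless `--no-root-passwd` is given or the configuration sets one declaratively, which the script's output does not mention.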
    @@ -16890,6 +16481,8 @@ if [[ $SECUREBOOT == "true" ]]; then sbctl enroll-keys --ignore-immutable --microsoft || true fi +green "Disabling initialSetup" +sed -i '/swarselsystems\.initialSetup = true;/d' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix sudo nixos-rebuild --flake .#"$target_config" switch green "Post-install finished!"
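Review bot: The added `sed -i '/swarselsystems\.initialSetup = true;/d' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix` runs without `sudo`, while the file and its directory were produced by the `sudo nixos-generate-config ... --dir` and `sudo sed -i` calls of the install step; if they are still root-owned, this in-place edit fails with a permission error and the following `sudo nixos-rebuild --flake .#"$target_config" switch` activates with initialSetup still enabled. Either run the edit with the same privilege as the earlier steps or `chown` the host directory to `$target_user` first, and confirm the result with `grep -q 'initialSetup = true' "$hwcfg" && yellow "initialSetup is still set"`. A short comment naming the install step that injected the line would tie the two halves of the mechanism together; the enclosing script continues outside this hunk.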
    @@ -17397,7 +16990,6 @@ in
 config = lib.mkIf config.swarselsystems.profiles.personal {
 swarselsystems.modules = {
 packages = lib.mkDefault true;
- pii = lib.mkDefault true;
 general = lib.mkDefault true;
 home-manager = lib.mkDefault true;
 xserver = lib.mkDefault true;
@@ -17411,6 +17003,7 @@ in
 network = lib.mkDefault true;
 time = lib.mkDefault true;
 sops = lib.mkDefault true;
+ pii = lib.mkDefault true;
 stylix = lib.mkDefault true;
 programs = lib.mkDefault true;
 zsh = lib.mkDefault true;
@@ -17453,112 +17046,12 @@ in
 }
-
    -
    -
    -
    -
    -
    3.5.1.2. Reduced
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host";
    -  config = lib.mkIf config.swarselsystems.profiles.reduced {
    -    swarselsystems.modules = {
    -      packages = lib.mkDefault true;
    -      pii = lib.mkDefault true;
    -      general = lib.mkDefault true;
    -      home-manager = lib.mkDefault true;
    -      xserver = lib.mkDefault true;
    -      users = lib.mkDefault true;
    -      env = lib.mkDefault true;
    -      security = lib.mkDefault true;
    -      systemdTimeout = lib.mkDefault true;
    -      hardware = lib.mkDefault true;
    -      pulseaudio = lib.mkDefault true;
    -      pipewire = lib.mkDefault true;
    -      network = lib.mkDefault true;
    -      time = lib.mkDefault true;
    -      sops = lib.mkDefault true;
    -      stylix = lib.mkDefault true;
    -      programs = lib.mkDefault true;
    -      zsh = lib.mkDefault true;
    -      syncthing = lib.mkDefault true;
    -      blueman = lib.mkDefault true;
    -      networkDevices = lib.mkDefault true;
    -      gvfs = lib.mkDefault true;
    -      interceptionTools = lib.mkDefault true;
    -      swayosd = lib.mkDefault true;
    -      ppd = lib.mkDefault true;
    -      yubikey = lib.mkDefault true;
    -      ledger = lib.mkDefault true;
    -      keyboards = lib.mkDefault true;
    -      login = lib.mkDefault true;
    -      nix-ld = lib.mkDefault true;
    -      impermanence = lib.mkDefault true;
    -      nvd = lib.mkDefault true;
    -      gnome-keyring = lib.mkDefault true;
    -      sway = lib.mkDefault true;
    -      xdg-portal = lib.mkDefault true;
    -      distrobox = lib.mkDefault true;
    -      appimage = lib.mkDefault true;
    -      lid = lib.mkDefault true;
    -      lowBattery = lib.mkDefault true;
    -      lanzaboote = lib.mkDefault true;
    -      autologin = lib.mkDefault true;
    -
    -      server = {
    -        ssh = lib.mkDefault true;
    -      };
    -    };
    -
    -  };
    -
    -}
    -
    -
    -
    -
    -
    -
    -
    3.5.1.3. Minimal
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselsystems.profiles.minimal = lib.mkEnableOption "declare this a minimal host";
    -  config = lib.mkIf config.swarselsystems.profiles.minimal {
    -    swarselsystems.modules = {
    -      general = lib.mkDefault true;
    -      home-manager = lib.mkDefault true;
    -      xserver = lib.mkDefault true;
    -      lanzaboote = lib.mkDefault true;
    -      time = lib.mkDefault true;
    -      users = lib.mkDefault true;
    -      impermanence = lib.mkDefault true;
    -      security = lib.mkDefault true;
    -      sops = lib.mkDefault true;
    -      pii = lib.mkDefault true;
    -      zsh = lib.mkDefault true;
    -      yubikey = lib.mkDefault true;
    -      autologin = lib.mkDefault true;
    -
    -      server = {
    -        ssh = lib.mkDefault true;
    -      };
    -    };
    -
    -  };
    -
    -}
    -
     
    -
    3.5.1.4. Chaostheatre
    +
    3.5.1.2. Chaostheatre
    { lib, config, ... }:
    @@ -17617,7 +17110,7 @@ in
     
    -
    3.5.1.5. toto
    +
    3.5.1.3. toto
    { lib, config, ... }:
    @@ -17626,7 +17119,6 @@ in
       config = lib.mkIf config.swarselsystems.profiles.toto {
         swarselsystems.modules = {
           general = lib.mkDefault true;
    -      packages = lib.mkDefault true;
           home-manager = lib.mkDefault true;
           xserver = lib.mkDefault true;
           users = lib.mkDefault true;
    @@ -17634,7 +17126,6 @@ in
           impermanence = lib.mkDefault true;
           lanzaboote = lib.mkDefault true;
           autologin = lib.mkDefault true;
    -      pii = lib.mkDefault true;
           server = {
             ssh = lib.mkDefault true;
           };
    @@ -17649,7 +17140,7 @@ in
     
    -
    3.5.1.6. Work
    +
    3.5.1.4. Work
    { lib, config, ... }:
    @@ -17671,7 +17162,7 @@ in
     
    -
    3.5.1.7. Framework
    +
    3.5.1.5. Framework
    { lib, config, ... }:
    @@ -17693,7 +17184,7 @@ in
     
    -
    3.5.1.8. AMD CPU
    +
    3.5.1.6. AMD CPU
    { lib, config, ... }:
    @@ -17715,7 +17206,7 @@ in
     
    -
    3.5.1.9. AMD GPU
    +
    3.5.1.7. AMD GPU
    { lib, config, ... }:
    @@ -17737,7 +17228,7 @@ in
     
    -
    3.5.1.10. Hibernation
    +
    3.5.1.8. Hibernation
    { lib, config, ... }:
    @@ -17759,7 +17250,7 @@ in
     
    -
    3.5.1.11. BTRFS
    +
    3.5.1.9. BTRFS
    { lib, config, ... }:
    @@ -17781,7 +17272,7 @@ in
     
    -
    3.5.1.12. Local Server
    +
    3.5.1.10. Local Server
    { lib, config, ... }:
    @@ -17825,8 +17316,6 @@ in
               koillection = lib.mkDefault true;
               radicale = lib.mkDefault true;
               atuin = lib.mkDefault true;
    -          forgejo = lib.mkDefault true;
    -          ankisync = lib.mkDefault true;
             };
           };
         };
    @@ -17839,13 +17328,13 @@ in
     
    -
    3.5.1.13. OCI Sync Server
    +
    3.5.1.11. OCI Sync Server
    { lib, config, ... }:
     {
    -  options.swarselsystems.profiles.server.syncserver = lib.mkEnableOption "is this a oci syncserver server";
    -  config = lib.mkIf config.swarselsystems.profiles.server.syncserver {
    +  options.swarselsystems.profiles.server.sync = lib.mkEnableOption "is this a oci sync server";
    +  config = lib.mkIf config.swarselsystems.profiles.server.sync {
         swarselsystems = {
           modules = {
             general = lib.mkDefault true;
    @@ -17861,8 +17350,8 @@ in
               packages = lib.mkDefault true;
               nginx = lib.mkDefault true;
               ssh = lib.mkDefault true;
    -          forgejo = lib.mkDefault false;
    -          ankisync = lib.mkDefault false;
    +          forgejo = lib.mkDefault true;
    +          ankisync = lib.mkDefault true;
             };
           };
         };
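Review bot: Flipping `forgejo = lib.mkDefault true;` and `ankisync = lib.mkDefault true;` here, together with their removal from the Local Server profile in the `@@ -17825` hunk above, relocates both services from the LAN home server to the Oracle Cloud instance; if the corresponding server modules open firewall ports or nginx vhosts by default, that is a change in internet exposure the commit description should state, ideally with a comment on these two lines naming the intent. The enclosing `swarselsystems.modules.server` attribute set starts and ends outside this hunk.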
    @@ -17875,7 +17364,7 @@ in
     
    -
    3.5.1.14. Moonside
    +
    3.5.1.12. Moonside
    { lib, config, ... }:
    @@ -17986,91 +17475,12 @@ in
     
     }
     
    -
    -
    -
    -
    -
    -
    3.5.2.2. Reduced
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host";
    -  config = lib.mkIf config.swarselsystems.profiles.reduced {
    -    swarselsystems.modules = {
    -      packages = lib.mkDefault true;
    -      ownpackages = lib.mkDefault true;
    -      general = lib.mkDefault true;
    -      nixgl = lib.mkDefault true;
    -      sops = lib.mkDefault true;
    -      yubikey = lib.mkDefault true;
    -      ssh = lib.mkDefault true;
    -      stylix = lib.mkDefault true;
    -      desktop = lib.mkDefault true;
    -      symlink = lib.mkDefault true;
    -      env = lib.mkDefault true;
    -      programs = lib.mkDefault true;
    -      nix-index = lib.mkDefault true;
    -      passwordstore = lib.mkDefault true;
    -      direnv = lib.mkDefault true;
    -      eza = lib.mkDefault true;
    -      atuin = lib.mkDefault true;
    -      git = lib.mkDefault true;
    -      fuzzel = lib.mkDefault true;
    -      starship = lib.mkDefault true;
    -      kitty = lib.mkDefault true;
    -      zsh = lib.mkDefault true;
    -      zellij = lib.mkDefault true;
    -      tmux = lib.mkDefault true;
    -      mail = lib.mkDefault true;
    -      emacs = lib.mkDefault true;
    -      waybar = lib.mkDefault true;
    -      firefox = lib.mkDefault true;
    -      gnome-keyring = lib.mkDefault true;
    -      kdeconnect = lib.mkDefault true;
    -      mako = lib.mkDefault true;
    -      swayosd = lib.mkDefault true;
    -      yubikeytouch = lib.mkDefault true;
    -      sway = lib.mkDefault true;
    -      kanshi = lib.mkDefault false;
    -      gpgagent = lib.mkDefault true;
    -      gammastep = lib.mkDefault true;
    -
    -    };
    -  };
    -
    -}
    -
    -
    -
    -
    -
    -
    -
    3.5.2.3. Minimal
    -
    -
    -
    { lib, config, ... }:
    -{
    -  options.swarselsystems.profiles.minimal = lib.mkEnableOption "is this a personal host";
    -  config = lib.mkIf config.swarselsystems.profiles.minimal {
    -    swarselsystems.modules = {
    -      general = lib.mkDefault true;
    -      sops = lib.mkDefault true;
    -      kitty = lib.mkDefault true;
    -      zsh = lib.mkDefault true;
    -      git = lib.mkDefault true;
    -    };
    -  };
    -
    -}
    -
     
    -
    3.5.2.4. Chaostheatre
    +
    3.5.2.2. Chaostheatre
    { lib, config, ... }:
    @@ -18123,7 +17533,7 @@ in
     
    -
    3.5.2.5. toto
    +
    3.5.2.3. toto
    { lib, config, ... }:
    @@ -18134,8 +17544,6 @@ in
           general = lib.mkDefault true;
           sops = lib.mkDefault true;
           ssh = lib.mkDefault true;
    -      kitty = lib.mkDefault true;
    -      git = lib.mkDefault true;
         };
       };
     
    @@ -18146,7 +17554,7 @@ in
     
    -
    3.5.2.6. Work
    +
    3.5.2.4. Work
    { lib, config, ... }:
    @@ -18167,7 +17575,7 @@ in
     
    -
    3.5.2.7. Framework
    +
    3.5.2.5. Framework
    { lib, config, ... }:
    @@ -18189,7 +17597,7 @@ in
     
    -
    3.5.2.8. Darwin
    +
    3.5.2.6. Darwin
    { lib, config, ... }:
    @@ -18208,7 +17616,7 @@ in
     
    -
    3.5.2.9. Local Server
    +
    3.5.2.7. Local Server
    { lib, config, ... }:
    @@ -24307,13 +23715,13 @@ Alternatively, to install this from any NixOS live ISO, run `nix run --experimen
     |πŸ’» **nbl-imba-2**   | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                          |
     |πŸ’» **nbm-imba-166** | MacBook Pro 2016                                    | MacOS Sandbox                                        |
     |πŸ–₯️ **winters**      | ASRock J4105-ITX, 32GB RAM                          | Main homeserver and data storgae                     |
    -|πŸ–₯️ **milkywell**         | Oracle Cloud: VM.Standard.E2.1.Micro                | Server for lightweight synchronization tasks         |
    +|πŸ–₯️ **sync**         | Oracle Cloud: VM.Standard.E2.1.Micro                | Server for lightweight synchronization tasks         |
     |πŸ–₯️ **moonside**     | Oracle Cloud: VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM| Proxy for local services, some lightweight services  |
     |πŸ“± **magicant**     | Samsung Galaxy Z Flip 6                             | Phone                                                |
     |πŸ’Ώ **drugstore**    | -                                                   | ISO installer configuration                          |
     |❔ **chaotheatre**  | -                                                   | Demo config for checking out my configurtion         |
     |❔ **toto**         | -                                                   | Helper configuration for bootstrapping a new system  |
    -|🏠 **Treehouse**         | -                                                   | Reference configuration for a home-manager only host |
    +|🏠 **home**         | -                                                   | Reference configuration for a home-manager only host |
     </details>
     
     ## General Nix tips & useful links
    @@ -24442,7 +23850,7 @@ If you feel that I forgot to pay you tribute for code that I used in this reposi
     

    Author: Leon SchwarzΓ€ugl

    -

    Created: 2025-07-14 Mo 01:07

    +

    Created: 2025-07-04 Fr 18:25

    Validate

    diff --git a/install/installer-config.nix b/install/installer-config.nix index f720a1c..19874d6 100644 --- a/install/installer-config.nix +++ b/install/installer-config.nix @@ -81,7 +81,6 @@ in curl git gnupg - networkmanager rsync ssh-to-age sops diff --git a/modules/home/common/env.nix b/modules/home/common/env.nix index a8acacd..3021bd8 100644 --- a/modules/home/common/env.nix +++ b/modules/home/common/env.nix @@ -1,7 +1,7 @@ -{ lib, config, globals, nixosConfig, ... }: +{ lib, config, globals, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (config.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (config.repo.secrets.common) fullName; crocDomain = globals.services.croc.domain; in { diff --git a/modules/home/common/gammastep.nix b/modules/home/common/gammastep.nix index e6d9e73..0ce6d40 100644 --- a/modules/home/common/gammastep.nix +++ b/modules/home/common/gammastep.nix @@ -1,6 +1,6 @@ -{ lib, config, nixosConfig, ... }: +{ lib, config, ... }: let - inherit (nixosConfig.repo.secrets.common.location) latitude longitude; + inherit (config.repo.secrets.common.location) latitude longitude; in { options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings"; diff --git a/modules/home/common/git.nix b/modules/home/common/git.nix index 97632a1..bb16547 100644 --- a/modules/home/common/git.nix +++ b/modules/home/common/git.nix @@ -1,7 +1,7 @@ -{ lib, config, globals, minimal, nixosConfig, ... }: +{ lib, config, globals, minimal, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (config.repo.secrets.common.mail) address1; + inherit (config.repo.secrets.common) fullName; gitUser = globals.user.name; in 
diff --git a/modules/home/common/mail.nix b/modules/home/common/mail.nix index ad5d529..ec1ab97 100644 --- a/modules/home/common/mail.nix +++ b/modules/home/common/mail.nix @@ -1,7 +1,7 @@ -{ lib, config, nixosConfig, ... }: +{ lib, config, ... }: let - inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host; - inherit (nixosConfig.repo.secrets.common) fullName; + inherit (config.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host; + inherit (config.repo.secrets.common) fullName; inherit (config.swarselsystems) xdgDir; in { diff --git a/modules/home/common/sharedsetup.nix b/modules/home/common/sharedsetup.nix index ce37e10..3110029 100644 --- a/modules/home/common/sharedsetup.nix +++ b/modules/home/common/sharedsetup.nix @@ -1,4 +1,4 @@ -{ self, config, lib, pkgs, globals, minimal, ... }: +{ self, lib, pkgs, globals, minimal, ... }: { options.swarselsystems = { isLaptop = lib.mkEnableOption "laptop host"; @@ -11,10 +11,6 @@ type = lib.types.str; default = if (!minimal) then globals.user.name else "swarsel"; }; - sopsFile = lib.mkOption { - type = lib.types.str; - default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml"; - }; homeDir = lib.mkOption { type = lib.types.str; default = "/home/swarsel"; @@ -47,6 +43,8 @@ stylix = lib.mkOption { type = lib.types.attrs; default = { + enable = true; + base16Scheme = "${self}/files/stylix/swarsel.yaml"; polarity = "dark"; opacity.popups = 0.5; cursor = { diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix index dd7361a..2e61fb9 100644 --- a/modules/home/common/ssh.nix +++ b/modules/home/common/ssh.nix @@ -14,10 +14,6 @@ hostname = "192.168.1.1"; user = "root"; }; - "bakery" = { - hostname = "192.168.1.136"; - user = "root"; - }; "winters" = { hostname = "192.168.1.2"; user = "root"; 
diff --git a/modules/home/common/swayosd.nix b/modules/home/common/swayosd.nix index e422fc2..9af1ac8 100644 --- a/modules/home/common/swayosd.nix +++ b/modules/home/common/swayosd.nix @@ -1,10 +1,9 @@ -{ lib, pkgs, config, ... }: +{ lib, config, ... }: { options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; config = lib.mkIf config.swarselsystems.modules.swayosd { services.swayosd = { enable = true; - package = pkgs.dev.swayosd; topMargin = 0.5; }; }; diff --git a/modules/home/common/yubikey.nix b/modules/home/common/yubikey.nix index 04e21f0..2e8cb29 100644 --- a/modules/home/common/yubikey.nix +++ b/modules/home/common/yubikey.nix @@ -1,4 +1,4 @@ -{ lib, config, nixosConfig, ... }: +{ lib, config, ... }: let inherit (config.swarselsystems) homeDir; in @@ -13,8 +13,8 @@ in pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) { ids = [ - nixosConfig.repo.secrets.common.yubikeys.dev1 - nixosConfig.repo.secrets.common.yubikeys.dev2 + config.repo.secrets.common.yubikeys.dev1 + config.repo.secrets.common.yubikeys.dev2 ]; }; }; diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index bbd5201..bd8e0c9 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix @@ -1,6 +1,7 @@ -{ self, config, pkgs, lib, nixosConfig, ... }: +{ self, config, pkgs, lib, ... }: let inherit (config.swarselsystems) homeDir; + inherit (config.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail; in { options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings"; 
@@ -38,141 +39,131 @@ in }; }; - stylix = { - targets.firefox.profileNames = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - [ - "${user1}" - "${user2}" - "${user3}" - "work" + stylix.targets.firefox.profileNames = [ + "${user1}" + "${user2}" + "${user3}" + "work" + ]; + + programs = { + git.userEmail = lib.mkForce gitMail; + + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; + }; + cdpath = [ + "~/Documents/Work" ]; - }; - - programs = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail; - in - { - git.userEmail = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - }; - - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - "${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - 
"browser.startup.homepage" = "${site1}|${site2}"; - }; - } - config.swarselsystems.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - config.swarselsystems.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } - config.swarselsystems.firefox; - work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - config.swarselsystems.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; }; }; + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in + { + "${user1}" = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "${site1}|${site2}"; + 
}; + } + config.swarselsystems.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + config.swarselsystems.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + config.swarselsystems.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + config.swarselsystems.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + services = { kanshi = { settings = [ 
@@ -291,53 +282,49 @@ in }; }; - xdg = - let - inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; - in - { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; - }; + xdg = { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = "Firefox ${user1}"; - exec = "firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - - - }; }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; + }; swarselsystems = { startup = [ # { command = "nextcloud --background"; } 
diff --git a/modules/nixos/client/default.nix b/modules/nixos/client/default.nix index 84ef47c..b6b0e59 100644 --- a/modules/nixos/client/default.nix +++ b/modules/nixos/client/default.nix @@ -1,7 +1,10 @@ -{ lib, ... }: +{ lib, inputs, ... }: let importNames = lib.swarselsystems.readNix "modules/nixos/client"; in { - imports = lib.swarselsystems.mkImports importNames "modules/nixos/client"; + imports = lib.swarselsystems.mkImports importNames "modules/nixos/client" ++ [ + inputs.stylix.nixosModules.stylix + inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm + ]; } diff --git a/modules/nixos/client/network.nix b/modules/nixos/client/network.nix index 40ebbd0..e8eceb6 100644 --- a/modules/nixos/client/network.nix +++ b/modules/nixos/client/network.nix @@ -1,10 +1,11 @@ { self, lib, pkgs, config, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; - clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml; + clientSopsFile = self + /secrets/${config.networking.hostName}/secrets.yaml; inherit (config.swarselsystems) mainUser; inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon; + inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips; iwd = config.networking.networkmanager.wifi.backend == "iwd"; in 
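Review bot: The two flake-input modules appended to `imports` (`inputs.stylix.nixosModules.stylix`, `inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm`) are now loaded into every client host unconditionally, so whether they change the system depends solely on each module's own enable option. That is unavoidable for `imports` (they cannot depend on `config`), but it is worth stating: the stylix.nix hunk in this diff gates its settings on `swarselsystems.modules.stylix`, while nothing visible gates nswitch-rcm, so its upstream module is presumably opt-in and that should be confirmed. A comment on the list would make the intent explicit: `# third-party modules are always imported; each must stay opt-in via its own enable option`.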
@@ -90,226 +91,222 @@ in environmentFiles = [ "${config.sops.templates."network-manager.env".path}" ]; - profiles = - let - inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips; - in - { - ${wlan1} = { - connection = { - id = wlan1; - permissions = ""; - type = "wifi"; - }; - ipv4 = { - dns-search = ""; - method = "auto"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - dns-search = ""; - method = "auto"; - }; - wifi = { - mac-address-blacklist = ""; - mode = "infrastructure"; - ssid = wlan1; - }; - wifi-security = { - auth-alg = "open"; - key-mgmt = "wpa-psk"; - psk = "WLAN1_PW"; - }; + profiles = { + ${wlan1} = { + connection = { + id = wlan1; + permissions = ""; + type = "wifi"; }; - - LAN-Party = { - connection = { - autoconnect = "false"; - id = "LAN-Party"; - type = "ethernet"; - }; - ethernet = { - auto-negotiate = "true"; - cloned-mac-address = "preserve"; - }; - ipv4 = { method = "shared"; }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - proxy = { }; + ipv4 = { + dns-search = ""; + method = "auto"; }; - - eduroam = { - "802-1x" = { - eap = if (!iwd) then "ttls;" else "peap;"; - identity = "$EDUROAM_USER"; - password = "$EDUROAM_PW"; - phase2-auth = "mschapv2"; - anonymous-identity = lib.mkIf iwd eduroam-anon; - }; - connection = { - id = "eduroam"; - type = "wifi"; - }; - ipv4 = { method = "auto"; }; - ipv6 = { - addr-gen-mode = "default"; - method = "auto"; - }; - proxy = { }; - wifi = { - mode = "infrastructure"; - ssid = "eduroam"; - }; - wifi-security = { - auth-alg = "open"; - key-mgmt = "wpa-eap"; - }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + dns-search = ""; + method = "auto"; }; - - local = { - connection = { - autoconnect = "false"; - id = "local"; - type = "ethernet"; - }; - ethernet = { }; - ipv4 = { - address1 = "10.42.1.1/24"; - method = "shared"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - proxy = { }; + wifi = { + 
mac-address-blacklist = ""; + mode = "infrastructure"; + ssid = wlan1; }; - - ${wlan2} = { - connection = { - id = wlan2; - type = "wifi"; - }; - ipv4 = { method = "auto"; }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - proxy = { }; - wifi = { - band = "bg"; - mode = "infrastructure"; - ssid = wlan2; - }; - wifi-security = { - key-mgmt = "wpa-psk"; - psk = "$WLAN2_PW"; - }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-psk"; + psk = "WLAN1_PW"; }; - - ${mobile1} = { - connection = { - id = mobile1; - type = "wifi"; - }; - ipv4 = { method = "auto"; }; - ipv6 = { - addr-gen-mode = "default"; - method = "auto"; - }; - proxy = { }; - wifi = { - mode = "infrastructure"; - ssid = mobile1; - }; - wifi-security = { - auth-alg = "open"; - key-mgmt = "wpa-psk"; - psk = "$MOBILE_HOTSPOT_PW"; - }; - }; - - home-wireguard = { - connection = { - id = "HomeVPN"; - type = "wireguard"; - autoconnect = "false"; - interface-name = "wg1"; - }; - wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; }; - "wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = { - endpoint = "$HOME_WIREGUARD_ENDPOINT"; - allowed-ips = home-wireguard-allowed-ips; - }; - ipv4 = { - method = "ignore"; - address1 = home-wireguard-address; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "ignore"; - }; - proxy = { }; - }; - - pia-vpn1 = { - connection = { - autoconnect = "false"; - id = "PIA ${vpn1-location}"; - type = "vpn"; - }; - ipv4 = { method = "auto"; }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - proxy = { }; - vpn = { - auth = "sha1"; - ca = config.sops.secrets."pia-vpn1-ca-pem".path; - challenge-response-flags = "2"; - cipher = vpn1-cipher; - compress = "yes"; - connection-type = "password"; - crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path; - dev = "tun"; - password-flags = "0"; - remote = vpn1-address; - remote-cert-tls = "server"; - reneg-seconds = "0"; - service-type = 
"org.freedesktop.NetworkManager.openvpn"; - username = "$PIA_VPN_USER"; - }; - vpn-secrets = { password = "$PIA_VPN_PW"; }; - }; - - Hotspot = { - connection = { - autoconnect = "false"; - id = "Hotspot"; - type = "wifi"; - }; - ipv4 = { method = "shared"; }; - ipv6 = { - addr-gen-mode = "default"; - method = "ignore"; - }; - proxy = { }; - wifi = { - mode = "ap"; - ssid = "Hotspot-${config.swarselsystems.mainUser}"; - }; - wifi-security = { - group = "ccmp;"; - key-mgmt = "wpa-psk"; - pairwise = "ccmp;"; - proto = "rsn;"; - psk = "$MOBILE_HOTSPOT_PW"; - }; - }; - }; + + LAN-Party = { + connection = { + autoconnect = "false"; + id = "LAN-Party"; + type = "ethernet"; + }; + ethernet = { + auto-negotiate = "true"; + cloned-mac-address = "preserve"; + }; + ipv4 = { method = "shared"; }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + proxy = { }; + }; + + eduroam = { + "802-1x" = { + eap = if (!iwd) then "ttls;" else "peap;"; + identity = "$EDUROAM_USER"; + password = "$EDUROAM_PW"; + phase2-auth = "mschapv2"; + anonymous-identity = lib.mkIf iwd eduroam-anon; + }; + connection = { + id = "eduroam"; + type = "wifi"; + }; + ipv4 = { method = "auto"; }; + ipv6 = { + addr-gen-mode = "default"; + method = "auto"; + }; + proxy = { }; + wifi = { + mode = "infrastructure"; + ssid = "eduroam"; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-eap"; + }; + }; + + local = { + connection = { + autoconnect = "false"; + id = "local"; + type = "ethernet"; + }; + ethernet = { }; + ipv4 = { + address1 = "10.42.1.1/24"; + method = "shared"; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + proxy = { }; + }; + + ${wlan2} = { + connection = { + id = wlan2; + type = "wifi"; + }; + ipv4 = { method = "auto"; }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + proxy = { }; + wifi = { + band = "bg"; + mode = "infrastructure"; + ssid = wlan2; + }; + wifi-security = { + key-mgmt = "wpa-psk"; + psk = 
"$WLAN2_PW"; + }; + }; + + ${mobile1} = { + connection = { + id = mobile1; + type = "wifi"; + }; + ipv4 = { method = "auto"; }; + ipv6 = { + addr-gen-mode = "default"; + method = "auto"; + }; + proxy = { }; + wifi = { + mode = "infrastructure"; + ssid = mobile1; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-psk"; + psk = "$MOBILE_HOTSPOT_PW"; + }; + }; + + home-wireguard = { + connection = { + id = "HomeVPN"; + type = "wireguard"; + autoconnect = "false"; + interface-name = "wg1"; + }; + wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; }; + "wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = { + endpoint = "$HOME_WIREGUARD_ENDPOINT"; + allowed-ips = home-wireguard-allowed-ips; + }; + ipv4 = { + method = "ignore"; + address1 = home-wireguard-address; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "ignore"; + }; + proxy = { }; + }; + + pia-vpn1 = { + connection = { + autoconnect = "false"; + id = "PIA ${vpn1-location}"; + type = "vpn"; + }; + ipv4 = { method = "auto"; }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + proxy = { }; + vpn = { + auth = "sha1"; + ca = config.sops.secrets."pia-vpn1-ca-pem".path; + challenge-response-flags = "2"; + cipher = vpn1-cipher; + compress = "yes"; + connection-type = "password"; + crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path; + dev = "tun"; + password-flags = "0"; + remote = vpn1-address; + remote-cert-tls = "server"; + reneg-seconds = "0"; + service-type = "org.freedesktop.NetworkManager.openvpn"; + username = "$PIA_VPN_USER"; + }; + vpn-secrets = { password = "$PIA_VPN_PW"; }; + }; + + Hotspot = { + connection = { + autoconnect = "false"; + id = "Hotspot"; + type = "wifi"; + }; + ipv4 = { method = "shared"; }; + ipv6 = { + addr-gen-mode = "default"; + method = "ignore"; + }; + proxy = { }; + wifi = { + mode = "ap"; + ssid = "Hotspot-${config.swarselsystems.mainUser}"; + }; + wifi-security = { + group = "ccmp;"; + key-mgmt = "wpa-psk"; 
+ pairwise = "ccmp;"; + proto = "rsn;"; + psk = "$MOBILE_HOTSPOT_PW"; + }; + }; + + }; }; }; }; diff --git a/modules/nixos/client/nvd-rebuild.nix b/modules/nixos/client/nvd-rebuild.nix index 36f6188..9b2b482 100644 --- a/modules/nixos/client/nvd-rebuild.nix +++ b/modules/nixos/client/nvd-rebuild.nix @@ -2,11 +2,6 @@ { options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config"; config = lib.mkIf config.swarselsystems.modules.nvd { - - environment.systemPackages = [ - pkgs.nvd - ]; - system.activationScripts.diff = { supportsDryActivation = true; text = '' diff --git a/modules/nixos/client/packages.nix b/modules/nixos/client/packages.nix index d613402..6d7b65e 100644 --- a/modules/nixos/client/packages.nix +++ b/modules/nixos/client/packages.nix @@ -75,7 +75,6 @@ elk-to-svg ] ++ lib.optionals minimal [ - networkmanager curl git gnupg diff --git a/modules/nixos/client/stylix.nix b/modules/nixos/client/stylix.nix index 8caa08d..849f295 100644 --- a/modules/nixos/client/stylix.nix +++ b/modules/nixos/client/stylix.nix @@ -1,17 +1,13 @@ -{ self, lib, config, ... }: +{ lib, config, ... }: { options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config"; - config = { - stylix = { - enable = true; - base16Scheme = "${self}/files/stylix/swarsel.yaml"; - } // lib.optionalAttrs config.swarselsystems.modules.stylix - (lib.recursiveUpdate - { - targets.grub.enable = false; # the styling makes grub more ugly - image = config.swarselsystems.wallpaper; - } - config.swarselsystems.stylix); + config = lib.mkIf config.swarselsystems.modules.stylix { + stylix = lib.recursiveUpdate + { + targets.grub.enable = false; # the styling makes grub more ugly + image = config.swarselsystems.wallpaper; + } + config.swarselsystems.stylix; home-manager.users."${config.swarselsystems.mainUser}" = { stylix = { targets = config.swarselsystems.stylixHomeTargets; diff --git a/modules/nixos/client/swayosd.nix b/modules/nixos/client/swayosd.nix index e0dcaeb..f1c0cdf 100644 
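Review bot: `psk = "WLAN1_PW";` in the `${wlan1}` profile lacks the `$` that every other secret in this block carries (`"$WLAN2_PW"`, `"$MOBILE_HOTSPOT_PW"`, `"$PIA_VPN_PW"`), so with substitution from `environmentFiles` the literal string becomes the stored pre-shared key; it was carried over unchanged from the old side but is still the code being shipped — `psk = "$WLAN1_PW";`. In the `home-wireguard` profile the peer section key `"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY"` spells WIREGUARD differently from `$HOME_WIREGUARD_CLIENT_PRIVATE_KEY` and `$HOME_WIREGUARD_ENDPOINT`; if the env file uses the regular spelling, that variable never expands and the peer section is misnamed, so the name should be checked against the `network-manager.env` template. The `profiles` attribute set closes inside the hunk, but the `networkmanager` block it belongs to starts outside it.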
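Review bot: The rewritten `config` in stylix.nix no longer sets `stylix.enable = true` or `base16Scheme`; after this change the only stylix settings contributed here are `targets.grub.enable`, `image` and whatever `config.swarselsystems.stylix` supplies. Unless that attrset (or another module) provides `enable` and a scheme, the stylix module imported in client/default.nix stays inactive and the `image` setting is dead. If dropping them is intentional, say so where they used to be: `# enable and base16Scheme are expected from config.swarselsystems.stylix`; otherwise re-add `enable = true;` to the first argument of `lib.recursiveUpdate`.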
--- a/modules/nixos/client/swayosd.nix +++ b/modules/nixos/client/swayosd.nix @@ -2,8 +2,8 @@ { options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; config = lib.mkIf config.swarselsystems.modules.swayosd { - environment.systemPackages = [ pkgs.dev.swayosd ]; - services.udev.packages = [ pkgs.dev.swayosd ]; + environment.systemPackages = [ pkgs.swayosd ]; + services.udev.packages = [ pkgs.swayosd ]; systemd.services.swayosd-libinput-backend = { description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc."; documentation = [ "https://github.com/ErikReider/SwayOSD" ]; @@ -14,7 +14,7 @@ serviceConfig = { Type = "dbus"; BusName = "org.erikreider.swayosd"; - ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend"; + ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend"; Restart = "on-failure"; }; }; diff --git a/modules/nixos/common/home-manager.nix b/modules/nixos/common/home-manager.nix index fb0b3ed..37da96f 100644 --- a/modules/nixos/common/home-manager.nix +++ b/modules/nixos/common/home-manager.nix 
@@ -6,24 +6,23 @@ useGlobalPkgs = true; useUserPackages = true; verbose = true; - users.swarsel.imports = [ + sharedModules = [ inputs.nix-index-database.hmModules.nix-index inputs.sops-nix.homeManagerModules.sops - # inputs.stylix.homeModules.stylix { imports = [ "${self}/profiles/home" "${self}/modules/home" - # "${self}/modules/nixos/common/pii.nix" - # "${self}/modules/nixos/common/meta.nix" + "${self}/modules/nixos/common/pii.nix" + "${self}/modules/nixos/common/meta.nix" ]; - # node = { - # secretsDir = if (!config.swarselsystems.isNixos) then ../../../hosts/home/${configName}/secrets else ../../../hosts/nixos/${configName}/secrets; - # }; + node = { + secretsDir = if config.swarselsystems.isNixos then ../../../hosts/nixos/${configName}/secrets else ../../../hosts/home/${configName}/secrets; + }; home.stateVersion = lib.mkDefault config.system.stateVersion; } ]; - extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal configName; }; + extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal; }; }; }; } diff --git a/modules/nixos/common/lanzaboote.nix b/modules/nixos/common/lanzaboote.nix index b4c671e..7d149c5 100644 --- a/modules/nixos/common/lanzaboote.nix +++ b/modules/nixos/common/lanzaboote.nix @@ -1,12 +1,7 @@ -{ lib, pkgs, config, minimal, ... }: +{ lib, config, minimal, ... }: { options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config"; config = lib.mkIf config.swarselsystems.modules.lanzaboote { - - environment.systemPackages = lib.mkIf config.swarselsystems.isSecureBoot [ - pkgs.sbctl - ]; - boot = { loader = { efi.canTouchEfiVariables = true; diff --git a/modules/nixos/common/settings.nix b/modules/nixos/common/settings.nix index 22347bd..65ab5e8 100644 --- a/modules/nixos/common/settings.nix +++ b/modules/nixos/common/settings.nix 
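Review bot: `configName` is dropped from `extraSpecialArgs` in the last changed line while the same hunk still uses it in `node.secretsDir`; that works here because this NixOS module receives `configName` itself, but any module under `${self}/modules/home` or `${self}/profiles/home` that took `configName` from specialArgs will now fail to evaluate, so those trees are worth grepping before merging. Switching from `users.swarsel.imports` to `sharedModules` also means `pii.nix`, `meta.nix` and the `node.secretsDir` value are applied to every home-manager user on the host, not just `swarsel`. If that is the intent, a comment on `sharedModules` such as `# applied to every HM user on this host, including pii/meta` makes it explicit.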
@@ -54,9 +54,7 @@ in config = lib.mkIf config.swarselsystems.modules.general (lib.recursiveUpdate { - sops.secrets.github-api-token = lib.mkIf (!minimal) { - sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml"; - }; + sops.secrets.github-api-token = lib.mkIf (!minimal) { }; nix = { package = pkgs.nixVersions.nix_2_28; diff --git a/modules/nixos/server/ankisync.nix b/modules/nixos/server/ankisync.nix index b7b3c6e..d3db63a 100644 --- a/modules/nixos/server/ankisync.nix +++ b/modules/nixos/server/ankisync.nix @@ -1,7 +1,5 @@ { self, lib, config, globals, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 27701; serviceName = "ankisync"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; @@ -14,11 +12,11 @@ in networking.firewall.allowedTCPPorts = [ servicePort ]; - sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; }; + sops.secrets.swarsel = { owner = "root"; }; - topology.self.services.anki = { + topology.self.services.${serviceName} = { name = lib.mkForce "Anki Sync Server"; - icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png"; + icon = "${self}/files/topology-images/${serviceName}.png"; info = "https://${serviceDomain}"; }; @@ -32,12 +30,12 @@ in users = [ { username = ankiUser; - passwordFile = config.sops.secrets.anki-pw.path; + passwordFile = config.sops.secrets.swarsel.path; } ]; }; - nodes.moonside.services.nginx = { + services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/croc.nix b/modules/nixos/server/croc.nix index c3d9f1d..86dbe89 100644 --- a/modules/nixos/server/croc.nix +++ b/modules/nixos/server/croc.nix @@ -10,8 +10,6 @@ let serviceName = "croc"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - inherit (config.swarselsystems) sopsFile; - cfg = config.services.croc; in { 
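Review bot: `sops.secrets.github-api-token = lib.mkIf (!minimal) { };` drops the explicit `sopsFile` that pointed at the shared `secrets/general/secrets.yaml`, so the secret is now resolved from `sops.defaultSopsFile`, which elsewhere in this diff looks per-host (`/secrets/${config.networking.hostName}/secrets.yaml` in network.nix). Every host that enables the `general` module therefore has to carry `github-api-token` in its own file, and a host whose file lacks the key will fail at build or activation time. The same removal of `inherit sopsFile` / `inherit (config.swarselsystems) sopsFile` is made in the ankisync, croc, firefly-iii, forgejo, freshrss, kanidm, kavita, koillection, matrix, microbin, monitoring and mpd hunks. A one-line comment next to the `general` secret would document the new contract: `# resolved from sops.defaultSopsFile: each host's secrets.yaml must define this key`.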
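Review bot: The ankisync password secret is renamed to `sops.secrets.swarsel`, which names a user rather than the secret's purpose, and the same style appears as `fresh` (freshrss), `kavita` and `mpdpass` in later hunks; since every sops secret lands under a shared `/run/secrets/<name>` namespace, a generic name like `swarsel` invites a clash if another module on the same host declares it with a different owner. `sops.secrets.anki-sync-password = { key = "swarsel"; owner = "root"; };` keeps the on-disk name self-describing while still selecting the renamed key in the sops file. Separately, `nodes.moonside.services.nginx` becomes `services.nginx`, so the upstream and vhost are now rendered on the ankisync host itself instead of the moonside proxy; the forgejo hunk makes the same move, and nginx must be enabled on this host for it to take effect.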
@@ -20,7 +18,7 @@ in sops = { secrets = { - croc-password = { inherit sopsFile; }; + croc-password = { }; }; templates = { diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix index ce5e8ee..2b5c313 100644 --- a/modules/nixos/server/firefly-iii.nix +++ b/modules/nixos/server/firefly-iii.nix @@ -8,7 +8,6 @@ let nginxGroup = "nginx"; - inherit (config.swarselsystems) sopsFile; cfg = config.services.firefly-iii; in { @@ -26,7 +25,7 @@ in sops = { secrets = { - "firefly-iii-app-key" = { inherit sopsFile; owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; }; + "firefly-iii-app-key" = { owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; }; }; }; diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix index a0ea0d5..0745438 100644 --- a/modules/nixos/server/forgejo.nix +++ b/modules/nixos/server/forgejo.nix @@ -1,8 +1,6 @@ { lib, config, pkgs, globals, ... }: let - inherit (config.swarselsystems) sopsFile; - - servicePort = 3004; + servicePort = 3000; serviceUser = "forgejo"; serviceGroup = serviceUser; serviceName = "forgejo"; @@ -24,14 +22,13 @@ in users.groups.${serviceGroup} = { }; sops.secrets = { - kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; globals.services.${serviceName}.domain = serviceDomain; services.${serviceName} = { enable = true; - stateDir = "/Vault/data/${serviceName}"; user = serviceUser; group = serviceGroup; lfs.enable = lib.mkDefault true; @@ -128,7 +125,7 @@ in ''; }; - nodes.moonside.services.nginx = { + services.nginx = { upstreams = { ${serviceName} = { servers = { diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix index 2e6e657..6454fb7 100644 --- a/modules/nixos/server/freshrss.nix 
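Review bot: `servicePort = 3000;` in forgejo.nix is the same value the monitoring.nix hunk later introduces for grafana (`servicePort = 3000;`), so if both modules are enabled on one host the two services contend for the port; the old `3004` avoided that, and whichever value stays should be distinct from grafana's. Dropping `stateDir = "/Vault/data/${serviceName}"` also sends Forgejo back to its default state directory, so an existing instance whose repositories and database live under `/Vault/data/forgejo` would come up empty rather than migrated. If that is deliberate, a comment at the `services.${serviceName}` block should say where the data now lives; that attrset continues past the hunk.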
+++ b/modules/nixos/server/freshrss.nix @@ -1,12 +1,12 @@ { self, lib, config, ... }: let + inherit (config.repo.secrets.local.freshrss) defaultUser; + servicePort = 80; serviceName = "freshrss"; serviceUser = "freshrss"; serviceGroup = serviceName; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - - inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -22,9 +22,9 @@ in sops = { secrets = { - freshrss-pw = { inherit sopsFile; owner = serviceUser; }; - kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - # freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + fresh = { owner = serviceUser; }; + "kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; # templates = { @@ -55,19 +55,15 @@ in globals.services.${serviceName}.domain = serviceDomain; - services.${serviceName} = - let - inherit (config.repo.secrets.local.freshrss) defaultUser; - in - { - inherit defaultUser; - enable = true; - virtualHost = serviceDomain; - baseUrl = "https://${serviceDomain}"; - authType = "form"; - dataDir = "/Vault/data/tt-rss"; - passwordFile = config.sops.secrets.freshrss-pw.path; - }; + services.${serviceName} = { + inherit defaultUser; + enable = true; + virtualHost = serviceDomain; + baseUrl = "https://${serviceDomain}"; + authType = "form"; + dataDir = "/Vault/data/tt-rss"; + passwordFile = config.sops.secrets.fresh.path; + }; # systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [ # config.sops.templates.freshrss-env.path diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index 6096297..90eed84 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix 
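Review bot: `"oidc-crypto-key"` is declared in `sops.secrets` with owner, group and mode, but nothing in these hunks consumes it and the template/EnvironmentFile wiring around it is still commented out; declaring it still decrypts the key to `/run/secrets` on every rebuild, so either wire it in or keep the declaration commented alongside the rest. The renamed `fresh` secret is opaque next to `kanidm-freshrss-client`; `freshrss-admin-password = { key = "fresh"; owner = serviceUser; };` keeps the on-disk name descriptive while matching the key in the sops file, with `passwordFile` in `services.${serviceName}` then referencing that name.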
@@ -1,7 +1,6 @@ { self, lib, pkgs, config, globals, ... }: let certsSopsFile = self + /secrets/certs/secrets.yaml; - inherit (config.swarselsystems) sopsFile; servicePort = 8300; serviceUser = "kanidm"; 
@@ -31,15 +30,15 @@ in secrets = { "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-idm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-immich" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-paperless" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-forgejo" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-grafana" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-nextcloud" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-freshrss" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-oauth2-proxy" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; }; 
diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix index e24fdb7..2fe9752 100644 --- a/modules/nixos/server/kavita.nix +++ b/modules/nixos/server/kavita.nix @@ -1,7 +1,5 @@ { self, lib, config, pkgs, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 8080; serviceName = "kavita"; serviceUser = "kavita"; @@ -18,7 +16,7 @@ in extraGroups = [ "users" ]; }; - sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; }; + sops.secrets.kavita = { owner = serviceUser; }; networking.firewall.allowedTCPPorts = [ servicePort ]; @@ -33,7 +31,7 @@ in enable = true; user = serviceUser; settings.Port = servicePort; - tokenKeyFile = config.sops.secrets.kavita-token.path; + tokenKeyFile = config.sops.secrets.kavita.path; dataDir = "/Vault/data/${serviceName}"; }; diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix index d022495..07b45b1 100644 --- a/modules/nixos/server/koillection.nix +++ b/modules/nixos/server/koillection.nix @@ -9,16 +9,14 @@ let postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres postgresPort = config.services.postgresql.settings.port; # 5432 containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d"; - - inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselsystems.modules.server.${serviceName} { sops.secrets = { - koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; }; - koillection-env-file = { inherit sopsFile; }; + koillection-db-password = { owner = postgresUser; group = postgresUser; mode = "0440"; }; + koillection-env-file = { }; }; topology.self.services.${serviceName} = { 
@@ -72,7 +70,7 @@ in passwordPath = config.sops.secrets.koillection-db-password.path; in '' - ${config.services.postgresql.package}/bin/psql -tA <<'EOF' + $PSQL -tA <<'EOF' DO $$ DECLARE password TEXT; BEGIN diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix index b95f03f..06a73c5 100644 --- a/modules/nixos/server/matrix.nix +++ b/modules/nixos/server/matrix.nix @@ -1,7 +1,5 @@ { lib, config, pkgs, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 8008; serviceName = "matrix"; serviceDomain = config.repo.secrets.common.services.domains.matrix; 
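Review bot: `$PSQL -tA <<'EOF'` replaces the explicit `${config.services.postgresql.package}/bin/psql`, so the script now depends on a `PSQL` variable set by whichever unit runs it; the NixOS postgresql module sets such a variable in its own unit's post-start script, but if this snippet is attached to a separate systemd unit the variable is empty and the line degenerates to `-tA <<'EOF'`, failing with command not found. The enclosing `let` and script start outside the hunk, so where it is attached cannot be seen here. If it is not the postgresql unit's `postStart`, restore the package path or define the variable locally: `PSQL="${config.services.postgresql.package}/bin/psql --port=${toString postgresPort}"`.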
@@ -31,29 +29,29 @@ in sops = { secrets = { - matrix-shared-secret = { inherit sopsFile; owner = serviceUser; }; - mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; }; - mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; }; - mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; }; - mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; }; + matrixsharedsecret = { owner = serviceUser; }; + mautrixtelegram_as = { owner = serviceUser; }; + mautrixtelegram_hs = { owner = serviceUser; }; + mautrixtelegram_api_id = { owner = serviceUser; }; + mautrixtelegram_api_hash = { owner = serviceUser; }; }; templates = { "matrix_user_register.sh".content = '' - register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort} + register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort} ''; matrixshared = { owner = serviceUser; content = '' - registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret} + registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} ''; }; mautrixtelegram = { owner = serviceUser; content = '' - MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token} - MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token} - MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id} - MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash} + MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} + MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} + MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} + MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} ''; }; }; 
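Review bot: The `matrix_user_register.sh` template still passes the registration shared secret on the command line (`register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} …`), where it is visible to every local user through the process list for as long as the command runs; the rename in this hunk keeps that shape. The `matrixshared` template two lines below already renders a `registration_shared_secret:` YAML document, which is what `register_new_matrix_user -c <file>` reads, so the script can become `register_new_matrix_user -c ${config.sops.templates.matrixshared.path} http://localhost:${builtins.toString servicePort}` and the secret never appears in argv. Ownership of that template (`owner = serviceUser`) then decides who may run the script.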
diff --git a/modules/nixos/server/microbin.nix b/modules/nixos/server/microbin.nix index 06dc4f5..99efa1a 100644 --- a/modules/nixos/server/microbin.nix +++ b/modules/nixos/server/microbin.nix @@ -6,8 +6,6 @@ let serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - inherit (config.swarselsystems) sopsFile; - cfg = config.services.${serviceName}; in { @@ -25,9 +23,9 @@ in sops = { secrets = { - microbin-admin-username = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - microbin-admin-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - microbin-uploader-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + microbin-admin-username = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + microbin-admin-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + microbin-uploader-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; templates = { diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index 183cb90..8fe35f0 100644 --- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix @@ -1,5 +1,6 @@ { self, lib, config, globals, ... }: let + servicePort = 3000; serviceUser = "grafana"; serviceGroup = serviceUser; @@ -9,12 +10,11 @@ let prometheusPort = 9090; prometheusUser = "prometheus"; prometheusGroup = prometheusUser; + nextcloudUser = config.repo.secrets.local.nextcloud.adminuser; grafanaUpstream = "grafana"; prometheusUpstream = "prometheus"; prometheusWebRoot = "prometheus"; kanidmDomain = globals.services.kanidm.domain; - - inherit (config.swarselsystems) sopsFile; in { options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; 
@@ -22,9 +22,9 @@ in sops = { secrets = { - grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; }; @@ -84,7 +84,7 @@ in incrementalQueryOverlapWindow = "10m"; }; secureJsonData = { - basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}"; + basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}"; }; } ]; @@ -95,7 +95,7 @@ in analytics.reporting_enabled = false; users.allow_sign_up = false; security = { - admin_password = "$__file{/run/secrets/grafana-admin-pw}"; + admin_password = "$__file{/run/secrets/grafanaadminpass}"; cookie_secure = true; disable_gravatar = true; }; 
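Review bot: The datasource and security hunks hard-code the decrypted secret paths as `$__file{/run/secrets/prometheusadminpass}` and `$__file{/run/secrets/grafanaadminpass}`, while the same file uses `config.sops.secrets.<name>.path` for `passwordFile` further down; a second rename of either secret, or a change of the sops install directory, now has to be tracked by hand inside these strings. `"$__file{${config.sops.secrets.prometheusadminpass.path}}"` and `"$__file{${config.sops.secrets.grafanaadminpass.path}}"` keep Grafana's file-provider syntax and derive the path from the declaration.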
@@ -130,78 +130,74 @@ in }; }; - prometheus = - let - nextcloudUser = config.repo.secrets.local.nextcloud.adminuser; - in - { - enable = true; - webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}"; - port = prometheusPort; - listenAddress = "0.0.0.0"; - globalConfig = { - scrape_interval = "10s"; + prometheus = { + enable = true; + webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}"; + port = prometheusPort; + listenAddress = "0.0.0.0"; + globalConfig = { + scrape_interval = "10s"; + }; + webConfigFile = config.sops.templates.web-config.path; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + { + job_name = "zfs"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; + }]; + } + { + job_name = "nginx"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; + }]; + } + { + job_name = "nextcloud"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; + }]; + } + ]; + exporters = { + node = { + enable = true; + port = 9000; + enabledCollectors = [ "systemd" ]; + extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; }; - webConfigFile = config.sops.templates.web-config.path; - scrapeConfigs = [ - { - job_name = "node"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; - }]; - } - { - job_name = "zfs"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; - }]; - } - { - job_name = "nginx"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; - }]; - } - { - job_name = "nextcloud"; - static_configs = [{ - targets = [ "localhost:${toString 
config.services.prometheus.exporters.nextcloud.port}" ]; - }]; - } - ]; - exporters = { - node = { - enable = true; - port = 9000; - enabledCollectors = [ "systemd" ]; - extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; - }; - zfs = { - enable = true; - port = 9134; - pools = [ - "Vault" - ]; - }; - restic = { - enable = false; - port = 9753; - }; - nginx = { - enable = true; - port = 9113; - sslVerify = false; - scrapeUri = "http://localhost/nginx_status"; - }; - nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud { - enable = true; - port = 9205; - url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info"; - username = nextcloudUser; - passwordFile = config.sops.secrets.nextcloud-admin-pw.path; - }; + zfs = { + enable = true; + port = 9134; + pools = [ + "Vault" + ]; + }; + restic = { + enable = false; + port = 9753; + }; + nginx = { + enable = true; + port = 9113; + sslVerify = false; + scrapeUri = "http://localhost/nginx_status"; + }; + nextcloud = lib.mkIf config.swarselsystems.modules.server.nextcloud { + enable = true; + port = 9205; + url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info"; + username = nextcloudUser; + passwordFile = config.sops.secrets.nextcloudadminpass.path; }; }; + }; }; diff --git a/modules/nixos/server/mpd.nix b/modules/nixos/server/mpd.nix index 454fbb1..9212229 100644 --- a/modules/nixos/server/mpd.nix +++ b/modules/nixos/server/mpd.nix @@ -1,7 +1,5 @@ { self, lib, config, pkgs, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 3254; serviceUser = "mpd"; serviceGroup = serviceUser; @@ -25,7 +23,7 @@ in }; sops = { - secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; environment.systemPackages = with pkgs; [ 
@@ -51,7 +49,7 @@ in }; credentials = [ { - passwordFile = config.sops.secrets.mpd-pw.path; + passwordFile = config.sops.secrets.mpdpass.path; permissions = [ "read" "add" diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix index 143c677..f18274b 100644 --- a/modules/nixos/server/nextcloud.nix +++ b/modules/nixos/server/nextcloud.nix @@ -1,7 +1,6 @@ { pkgs, lib, config, ... }: let inherit (config.repo.secrets.local.nextcloud) adminuser; - inherit (config.swarselsystems) sopsFile; servicePort = 80; serviceUser = "nextcloud"; @@ -14,8 +13,16 @@ in config = lib.mkIf config.swarselsystems.modules.server.${serviceName} { sops.secrets = { - nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + nextcloudadminpass = { + owner = serviceUser; + group = serviceGroup; + mode = "0440"; + }; + kanidm-nextcloud-client = { + owner = serviceUser; + group = serviceGroup; + mode = "0440"; + }; }; @@ -41,7 +48,7 @@ in extraAppsEnable = true; config = { inherit adminuser; - adminpassFile = config.sops.secrets.nextcloud-admin-pw.path; + adminpassFile = config.sops.secrets.nextcloudadminpass.path; dbtype = "sqlite"; }; }; diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index 354e444..adc741b 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix @@ -2,7 +2,6 @@ let inherit (config.repo.secrets.common) dnsProvider; inherit (config.repo.secrets.common.mail) address3; - in { options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server"; 
@@ -12,9 +11,10 @@ in ]; sops = { - secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; + # secrets.dnstokenfull = { owner = "acme"; }; + secrets.dnstokenfull = { }; templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} ''; }; diff --git a/modules/nixos/server/oauth2-proxy.nix b/modules/nixos/server/oauth2-proxy.nix index 401cd6b..69cb302 100644 --- a/modules/nixos/server/oauth2-proxy.nix +++ b/modules/nixos/server/oauth2-proxy.nix @@ -8,8 +8,6 @@ let kanidmDomain = globals.services.kanidm.domain; mainDomain = globals.domains.main; - - inherit (config.swarselsystems) sopsFile; in { options = { @@ -125,8 +123,8 @@ in sops = { secrets = { - "oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-oauth2-proxy-client" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "oauth2-cookie-secret" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-oauth2-proxy-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; templates = { diff --git a/modules/nixos/server/packages.nix b/modules/nixos/server/packages.nix index 136245a..1781091 100644 --- a/modules/nixos/server/packages.nix +++ b/modules/nixos/server/packages.nix @@ -13,7 +13,6 @@ vim sops swarsel-deploy - tmux ]; }; } diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index 9d52754..2749099 100644 --- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix @@ -1,7 +1,5 @@ { lib, pkgs, config, globals, ... }: let - inherit (config.swarselsystems) sopsFile; - servicePort = 28981; serviceUser = "paperless"; serviceGroup = serviceUser; 
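Review bot: The commented-out `# secrets.dnstokenfull = { owner = "acme"; };` left directly above the live `secrets.dnstokenfull = { };` reads as an unresolved decision rather than documentation. Either drop it or replace it with a why-comment such as `# root-owned (sops-nix default, mode 0400) is sufficient: the token is only consumed through the certs.secret template`, assuming the unit that loads that template does so as root — confirm, since the template's own owner and mode are not set in this hunk either.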
@@ -21,8 +19,12 @@ in }; sops.secrets = { - paperless-admin-pw = { inherit sopsFile; owner = serviceUser; }; - kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + paperless_admin = { owner = serviceUser; }; + kanidm-paperless-client = { + owner = serviceUser; + group = serviceGroup; + mode = "0440"; + }; }; networking.firewall.allowedTCPPorts = [ servicePort ]; @@ -36,7 +38,7 @@ in dataDir = "/Vault/data/${serviceName}"; user = serviceUser; port = servicePort; - passwordFile = config.sops.secrets.paperless-admin-pw.path; + passwordFile = config.sops.secrets.paperless_admin.path; address = "0.0.0.0"; settings = { PAPERLESS_OCR_LANGUAGE = "deu+eng"; diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix index 4d22aae..046dffe 100644 --- a/modules/nixos/server/radicale.nix +++ b/modules/nixos/server/radicale.nix @@ -1,5 +1,6 @@ { self, lib, config, ... }: let + inherit (config.repo.secrets.local.radicale) user1; sopsFile = self + /secrets/winters/secrets2.yaml; servicePort = 8000; @@ -17,20 +18,16 @@ in sops = { secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - templates = - let - inherit (config.repo.secrets.local.radicale) user1; - in - { - "radicale-users" = { - content = '' - ${user1}:${config.sops.placeholder.radicale-user} - ''; - owner = serviceUser; - group = serviceGroup; - mode = "0440"; - }; + templates = { + "radicale-users" = { + content = '' + ${user1}:${config.sops.placeholder.radicale-user} + ''; + owner = serviceUser; + group = serviceGroup; + mode = "0440"; }; + }; }; topology.self.services.${serviceName}.info = "https://${serviceDomain}"; 
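Review bot: `paperless_admin` introduces a third naming style for sops secrets within this one commit — snake_case here, concatenated lowercase elsewhere (`grafanaadminpass`, `nextcloudadminpass`, `mpdpass`, `dnstokenfull`) and kebab-case on the very next line (`kanidm-paperless-client`). Because these names double as keys in the encrypted YAML and as paths under `/run/secrets/`, a single scheme makes the cross-file `config.sops.secrets.<name>.path` references easier to audit; `paperlessadminpass` would match the other renames in this diff. Separately, `paperless_admin` keeps sops-nix's default mode while its sibling sets `group`/`mode = "0440"`; the default (0400, owner-only) is the stricter of the two, so a short comment like `# owner-only read is intentional; only the paperless service reads this` would stop a later reader from "fixing" it.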
@@ -45,12 +42,11 @@ in "[::]:${builtins.toString servicePort}" ]; }; - auth = - { - type = "htpasswd"; - htpasswd_filename = config.sops.templates.radicale-users.path; - htpasswd_encryption = "autodetect"; - }; + auth = { + type = "htpasswd"; + htpasswd_filename = config.sops.templates.radicale-users.path; + htpasswd_encryption = "autodetect"; + }; storage = { filesystem_folder = "/Vault/data/radicale/collections"; }; diff --git a/modules/nixos/server/restic.nix b/modules/nixos/server/restic.nix index 804b18a..4044808 100644 --- a/modules/nixos/server/restic.nix +++ b/modules/nixos/server/restic.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, ... }: let - inherit (config.swarselsystems) sopsFile; + inherit (config.repo.secrets.local) resticRepo; in { options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server"; @@ -8,9 +8,9 @@ in sops = { secrets = { - resticpw = { inherit sopsFile; }; - resticaccesskey = { inherit sopsFile; }; - resticsecretaccesskey = { inherit sopsFile; }; + resticpw = { }; + resticaccesskey = { }; + resticsecretaccesskey = { }; }; templates = { "restic-env".content = '' 
@@ -20,39 +20,35 @@ in }; }; - services.restic = - let - inherit (config.repo.secrets.local) resticRepo; - in - { - backups = { - SwarselWinters = { - environmentFile = config.sops.templates."restic-env".path; - passwordFile = config.sops.secrets.resticpw.path; - paths = [ - "/Vault/data/paperless" - "/Vault/Eternor/Paperless" - "/Vault/Eternor/Bilder" - "/Vault/Eternor/Immich" - ]; - pruneOpts = [ - "--keep-daily 3" - "--keep-weekly 2" - "--keep-monthly 3" - "--keep-yearly 100" - ]; - backupPrepareCommand = '' - ${pkgs.restic}/bin/restic prune - ''; - repository = "${resticRepo}"; - initialize = true; - timerConfig = { - OnCalendar = "03:00"; - }; + services.restic = { + backups = { + SwarselWinters = { + environmentFile = config.sops.templates."restic-env".path; + passwordFile = config.sops.secrets.resticpw.path; + paths = [ + "/Vault/data/paperless" + "/Vault/Eternor/Paperless" + "/Vault/Eternor/Bilder" + "/Vault/Eternor/Immich" + ]; + pruneOpts = [ + "--keep-daily 3" + "--keep-weekly 2" + "--keep-monthly 3" + "--keep-yearly 100" + ]; + backupPrepareCommand = '' + ${pkgs.restic}/bin/restic prune + ''; + repository = "${resticRepo}"; + initialize = true; + timerConfig = { + OnCalendar = "03:00"; }; - }; + }; + }; }; } diff --git a/modules/nixos/server/shlink.nix b/modules/nixos/server/shlink.nix index e388ad3..d1615a9 100644 --- a/modules/nixos/server/shlink.nix +++ b/modules/nixos/server/shlink.nix @@ -5,8 +5,6 @@ let serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a"; - - inherit (config.swarselsystems) sopsFile; in { options = { @@ -16,7 +14,7 @@ in sops = { secrets = { - shlink-api = { inherit sopsFile; }; + shlink-api = { }; }; templates = { diff --git a/nix/hosts.nix b/nix/hosts.nix index 192c521..fe51c40 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix 
@@ -16,8 +16,6 @@ inputs.lanzaboote.nixosModules.lanzaboote inputs.nix-topology.nixosModules.default inputs.home-manager.nixosModules.home-manager - inputs.stylix.nixosModules.stylix - inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm "${self}/hosts/nixos/${configName}" "${self}/profiles/nixos" "${self}/modules/nixos" diff --git a/nix/topology.nix b/nix/topology.nix index 9d1afd2..dd9ed27 100644 --- a/nix/topology.nix +++ b/nix/topology.nix @@ -123,7 +123,7 @@ connections = { eth2 = mkConnection "nswitch" "eth1"; eth7 = mkConnection "pc" "eth1"; - eth8 = mkConnection "pyramid" "eth1"; + eth8 = mkConnection "nbl-imba-2" "eth1"; }; }; @@ -139,7 +139,7 @@ interfaces.eth1 = { }; }; - pyramid.interfaces.eth1 = { }; + nbl-imba-2.interfaces.eth1 = { }; switch-bedroom = mkSwitch "Switch Bedroom" { info = "TL-SG1005D"; diff --git a/profiles/home/personal/default.nix b/profiles/home/personal/default.nix index 767629b..e64605e 100644 --- a/profiles/home/personal/default.nix +++ b/profiles/home/personal/default.nix @@ -4,6 +4,7 @@ config = lib.mkIf config.swarselsystems.profiles.personal { swarselsystems.modules = { packages = lib.mkDefault true; + pii = lib.mkDefault true; ownpackages = lib.mkDefault true; general = lib.mkDefault true; nixgl = lib.mkDefault true; diff --git a/profiles/home/reduced/default.nix b/profiles/home/reduced/default.nix deleted file mode 100644 index 48ca3ce..0000000 --- a/profiles/home/reduced/default.nix +++ /dev/null 
@@ -1,47 +0,0 @@
-{ lib, config, ... }:
-{
- options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host";
- config = lib.mkIf config.swarselsystems.profiles.reduced {
- swarselsystems.modules = {
- packages = lib.mkDefault true;
- ownpackages = lib.mkDefault true;
- general = lib.mkDefault true;
- nixgl = lib.mkDefault true;
- sops = lib.mkDefault true;
- yubikey = lib.mkDefault true;
- ssh = lib.mkDefault true;
- stylix = lib.mkDefault true;
- desktop = lib.mkDefault true;
- symlink = lib.mkDefault true;
- env = lib.mkDefault true;
- programs = lib.mkDefault true;
- nix-index = lib.mkDefault true;
- passwordstore = lib.mkDefault true;
- direnv = lib.mkDefault true;
- eza = lib.mkDefault true;
- atuin = lib.mkDefault true;
- git = lib.mkDefault true;
- fuzzel = lib.mkDefault true;
- starship = lib.mkDefault true;
- kitty = lib.mkDefault true;
- zsh = lib.mkDefault true;
- zellij = lib.mkDefault true;
- tmux = lib.mkDefault true;
- mail = lib.mkDefault true;
- emacs = lib.mkDefault true;
- waybar = lib.mkDefault true;
- firefox = lib.mkDefault true;
- gnome-keyring = lib.mkDefault true;
- kdeconnect = lib.mkDefault true;
- mako = lib.mkDefault true;
- swayosd = lib.mkDefault true;
- yubikeytouch = lib.mkDefault true;
- sway = lib.mkDefault true;
- kanshi = lib.mkDefault false;
- gpgagent = lib.mkDefault true;
- gammastep = lib.mkDefault true;
-
- };
- };
-
-}
diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix
index 6cb9a55..0239082 100644
--- a/profiles/nixos/localserver/default.nix
+++ b/profiles/nixos/localserver/default.nix
@@ -39,8 +39,6 @@
 koillection = lib.mkDefault true;
 radicale = lib.mkDefault true;
 atuin = lib.mkDefault true;
- forgejo = lib.mkDefault true;
- ankisync = lib.mkDefault true;
 };
 };
 };
diff --git a/profiles/nixos/reduced/default.nix b/profiles/nixos/reduced/default.nix
deleted file mode 100644
index 3993fac..0000000
--- a/profiles/nixos/reduced/default.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ lib, config, ... }:
-{
- options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host";
- config = lib.mkIf config.swarselsystems.profiles.reduced {
- swarselsystems.modules = {
- packages = lib.mkDefault true;
- pii = lib.mkDefault true;
- general = lib.mkDefault true;
- home-manager = lib.mkDefault true;
- xserver = lib.mkDefault true;
- users = lib.mkDefault true;
- env = lib.mkDefault true;
- security = lib.mkDefault true;
- systemdTimeout = lib.mkDefault true;
- hardware = lib.mkDefault true;
- pulseaudio = lib.mkDefault true;
- pipewire = lib.mkDefault true;
- network = lib.mkDefault true;
- time = lib.mkDefault true;
- sops = lib.mkDefault true;
- stylix = lib.mkDefault true;
- programs = lib.mkDefault true;
- zsh = lib.mkDefault true;
- syncthing = lib.mkDefault true;
- blueman = lib.mkDefault true;
- networkDevices = lib.mkDefault true;
- gvfs = lib.mkDefault true;
- interceptionTools = lib.mkDefault true;
- swayosd = lib.mkDefault true;
- ppd = lib.mkDefault true;
- yubikey = lib.mkDefault true;
- ledger = lib.mkDefault true;
- keyboards = lib.mkDefault true;
- login = lib.mkDefault true;
- nix-ld = lib.mkDefault true;
- impermanence = lib.mkDefault true;
- nvd = lib.mkDefault true;
- gnome-keyring = lib.mkDefault true;
- sway = lib.mkDefault true;
- xdg-portal = lib.mkDefault true;
- distrobox = lib.mkDefault true;
- appimage = lib.mkDefault true;
- lid = lib.mkDefault true;
- lowBattery = lib.mkDefault true;
- lanzaboote = lib.mkDefault true;
- autologin = lib.mkDefault true;
-
- server = {
- ssh = lib.mkDefault true;
- };
- };
-
- };
-
-}
diff --git a/profiles/nixos/syncserver/default.nix b/profiles/nixos/syncserver/default.nix
index a784c87..b1ce625 100644
--- a/profiles/nixos/syncserver/default.nix
+++ b/profiles/nixos/syncserver/default.nix
@@ -17,8 +17,8 @@
 packages = lib.mkDefault true;
 nginx = lib.mkDefault true;
 ssh = lib.mkDefault true;
- forgejo = lib.mkDefault false;
- ankisync = lib.mkDefault false;
+ forgejo = lib.mkDefault true;
+ ankisync = lib.mkDefault true;
 };
 };
 };
diff --git a/secrets/bakery/secrets.yaml b/secrets/bakery/secrets.yaml
deleted file mode 100644
index 429dee6..0000000
--- a/secrets/bakery/secrets.yaml
+++ /dev/null
@@ -1,48 +0,0 @@ -home-wireguard-client-private-key: ENC[AES256_GCM,data:ozkjvpAAo33495w2c06Iu1ZFvh+IGNXUDYuWVWACBoNRQSKaBX00c3Ynd10=,iv:wbeYJFEopuANyiKnWoCBESxa1dB/insEFJChEqxm/Pk=,tag:QfvICpbK5fiNEDhRLxQYGQ==,type:str] -sops: - age: - - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Q0Z6VUR4VjgremM4UHBZ - Tk5vSm1Ma1RzMkZNRVE5NHBtMG8vNFVXR2l3Ck1yN3NoS1UyOWMyRXZTdndwaXdW - MHRkU0d0YThST1VEdVJXQ2IyMDlwaUUKLS0tIENrV0tLK2QrK2t3d3FlZU1WMVIw - aVN2eEE2WDE0RHZxNTN0aXVZbGJoUXMKjje3viWHrfHFnxoXOS3R1/TEEr2nV2Dv - 2Tepz+F/vrNkH705fVePD+SmPXv0j+bEH5Lf3vLi/9zFqhrqgFDExw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-13T11:20:48Z" - mac: ENC[AES256_GCM,data:vqg0HHoDSLlPFh++CZZBpALrIOrnBtLL30XWzoXpYXMBKM/XCKGhjFPmna/ew5stK7ylNjIiAmvX8rZB3ynG5Si1/4zfGV8aKvVKhcrUjB1Upkphq7jFb0MI2JoJN9dv4SDVwKtiog8T9aYImNXe62/nMI/5xHlF1moY6JXDE0s=,iv:LprVDQU9KeSwuC/cmy06YQeCMYhaEygb44I+GkvnbiI=,tag:fodgL725veQmxsLuA57nDA==,type:str] - pgp: - - created_at: "2025-07-13T11:20:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTARAAtBAhSfBmcZqHKU+JiBPcs8WftmIZ1L48ERCyWAfh5iHJ - lfGyM61PVxb7qAFbXf+sXsZX2QtMVjobqYgAlibGLnlUl6f1RaFHdfkbUIr2NGY+ - gjCZEGUmunwRzd9hozXj12B1juop8nB5kAdeGhJ/H9CIJofYalkqlU33YNLcROa/ - lGqV4Xu89QfMm+tXzz8JpsXnW+1z1j/9j0Om3KNQYN7t04BmNAYwSymFuubFEnFR - Y+tvBPqDPhpxT3YvRIkbPGhnWZBlr60owL8S1nKujVLQmSr/DjwS+om12kPl+Tpy - s0jAVB5ja6FCIE6pa5WMV3wNUinis/a/P6xJGiFxS47ZLoVjQjuF2y0pW3N8O/8v - mm7Q7J5rWjF4odZfDyfpPdh3+Gmb2cUERpK0i0BDT8xAo+6F4EkcsWrTb8BrI56X - NaTPFLenluIedqqewgN6AVjX0WaxZRdQIKupmujeWefhBgDwX++5misZdCErqLcX - uG0R8ziHGi13dm7mhn+PorFEMRcAHhQqVIA9Ck/Eg48W3GQcbGlOl6e/0S84g+YU - ndfz2J4qbJtJk/RmarpbSE2kI3edfs1DC0nM1YUIUHm91UxXZ/yhXSiR0BsW0BpG - YRtyT6TpseAfBhyMgFjeyiDk3ngLHogJT8ov706X+jG2IGz1n6MldM8EMKry8amF - AgwDC9FRLmchgYQBD/wLPUOWXyhPfuXkPuC4wOdH8q7uvIpDCJM1QfegvM0Vbfaa - 
BcqU8V0uC2+XirM3nLYjfgEuLtXpDnPnGx26jYXiAwO2rzurWW3Z9BJzyp+n5fBb - uoWCfTlihAznDOW5TvPTUpgosZShFKGs4Gh8Nvcm2lqx8wQfOjSYJnLdotmOYEJi - t38OTIFDobNATXvsuNHSocue5TjgCHwLvSFUPg+o0s1Xx3DSMytX83slXuYd+WRx - GbA0wQDxV03kH27AkhsvYefcsntxOW/FsZk5XzARtkCRdtBfiRb4bRRWsrrnzNBT - 6hCb8+MCmnCeFFJRkj0izsA00j0Q6tE8s+NlhpeNIB0p1bxOvjyeJyOEBwI+G/s+ - vE1mewutNnPYploy+E+zsmszSrWwGe97QL1rKmVgYMirLKtGo2CBHlRsgmpdhoNZ - ADrgwNCAUPD5K4eEi1Dl87p1LbdjCd4CY+c50NWpnJP//LAvTVjZFqkQr7xgnBqO - maPzDbHCQgjboSWHA/bBDlv0b164NsWJtpDrf+z9R92bhCvjTtQxQdcJ4ZXz8HWU - Z32ilAALR+uySN9gLoaVMMZyQ5vELWvFK66zMBpk3wLWPEus0e9zOA764+JYXbUG - 25T6DbKNNBDtnT9w2ZRrmrK/B2CsFbZDQ4R+pom8Q8IeSke90d+jDAZzHF1erdJe - AYZ0wZtqJgw+IJL4TI9QEgFBGa1z/+83ZFuztRmwQJIawEHisWt+3cj+mbZKSHRS - aRRmLWPtvK9w/RSeoI7op7s3rUdpl/FabzcIudRYqtRiP9/Syly52YkRD7503w== - =hhjd - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/secrets/certs/secrets.yaml b/secrets/certs/secrets.yaml index 3f54024..30ca906 100644 --- a/secrets/certs/secrets.yaml +++ b/secrets/certs/secrets.yaml 
@@ -7,89 +7,80 @@ sops: - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieGlsd0NScm5WYldITTJ2 - cG9mcnBKSGo2eXlFaURNa2FxNkZ1MGNVTjJZCldROGZiWGp0dXlMc3cwbFh0cG5H - RDNPNUtWNFBlTG1lOUo5QVJMdncxYUEKLS0tIDNJKzc1WExlTW5ycTQyVFlXQVAz - cTRDK1h5Z3NjK0h1QnhNSm51YjA4VUkKUlshWYOQLs1z8AOsFvjfl+RJBvmJWU39 - oVVvBEkCF6pw/yZp7Zp6ejLpVQojqT0JvLzSMA0tJBt9QvNmdTT1xQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcEh3MGxWRGJPeEQvNGlh - bEc5T3ZRYkhkdkZFQy9zRHBNeksrRG56T1R3CjUxMUxhbDduRWo0N3FwaUYrUFpu - S0t6bGdXYTZGMmcyeElXcDJ1Z3QzVGMKLS0tIGRUWG9GYi9vT3dzSFh1aFRKNWhH - M2pGTzR6T29tcVltS21RMkNCcFpPc0kKkXGoVCNU72f8efjJvtz7cbUpPcfVG3Dl - puffE6poAyeevdSW5cAFGNgJMMWzyweUf5QvX0lu9i0CpuLFFTdacQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcmpISEJCeDFtaHlMaUp6 + RlI5QnVSQ01OSVViMHZROFozWE03QU1ob2pjCk1ySzZDSUtoaTN0TSswN1R4Q1Q5 + azB0Y1RUWTc4dXN2OE00cFBNeGY2ZVEKLS0tIHM1ZTFON2k1eW1MNzFWUWs4Vmwv + SjhWM3daU3ZGUE1Ud293NENxVVUyRHMK3beWpg6G/gn8kT+ZZtnlnCw+K4Pr5O06 + UNFlbnWIxNzJ7ML5Rd3u88XOLmD7OO4sxwQCNZgFCFfljiyl3UW27A== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZzFNdmJpTDVFTlJPN3ZV - cWNNaGE1bzNmbjQ0TUh3bVJXZm85R1hDOEh3Cm1GQmxsTWJxWWl5eDUvUk9DTkRP - L3pNVEovc2FLSFgxZHQ5L051VlptSlUKLS0tIHVUSUZsMm9SRE1INDExR3djMmR5 - dlJMc1ladVduUExXZVdHNlY4TU9UOHcKh9lzumXbRm2lkNPw39EQ990cNznX6Hj2 - s2dMmqHIbanQ0VCGW2Bwi542sII7qT4YW87EX+0LpUN+6bHKCR/YhQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c3pjTmFPZzF3NTFla0c5 + QmEwa3R5NG9NVnNQUVZWTjY3VkxtaWlFRXdFCnpwSnpJU0RMSkxrUVpIdk5ycVF1 + c0ZTbGNRK2RqNTVtb1ozSUZjeTYwbHMKLS0tIFEzcG1xdCt1Wmw0S2NtMHk2TGJ6 + 
bU13M2NvNVQxbnJGTEl1Q09YcE5Mb1EKpCJSyUVvDndc7/RkPGcutcfOz1lM6WWp + lRBXFELXRmdRFAF4F+7sEICIu+3zJ/bpycQPGBIfjD8uYNSa5GRbng== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cHpkZFBES3B0bGNUYjU3 - Yi9kTVNNNDNSTG4xK3NMMmxFSTd3VEJtdEVJCnFYengyY291ZFNyNE1hQ3ZVSDA1 - SXVkNDdVUjRDNHorZGlOQWM3V1QzcUkKLS0tIDZmekswRXB3OWRDVi9icUw1ZVFs - NytRZVZXTzhhRmZqeGxRZ1lQdVBYMzgKs8tR6IlB84pbS9/T4fixD43hDIrHeDIY - Bk0d64w2bkUJk7xKjxY+SNk9RHqLYmaHSudLVSlbSZ96exNBt/L9jA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY3JVbU5OSithUVJSaERk + V25zbmJ4Z3NkNkxaeFZMRmZLTG1RWG1OdzA4CklvZ2lTMGZXSHRpMzkrSGdIdSs2 + N0NTZzI1YjVCVzFkNDJJMld1Vmt5QUEKLS0tIE9uUDY0WDM5RzVQUFN4WGFZL3M4 + YUtnZjBwTi80VURBNmhBQjNxMmE1UlEKsMUniG4+/nvrqXH0AoB7I0sVRBfevGov + bqbZWhQoxo2lCly9RVT1EjJdk6pbes1qy4/H4vNMmjsUn0Pac4FE+A== -----END AGE ENCRYPTED FILE----- - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOaUFqYVFHcnM0ZllNYUR5 - a09mZVA0OWhNSnI0aUw5WFZlaHUzN2lRR0NvCkhaaUVSWUxuQU9qRHpSdTROSVJi - SS9YQTdtdzdWNnhRd2FSdFpVTHVvWlEKLS0tIGVkN3Q1UE9NSXZGWHRGRGwzZGRh - Ni8rbWRWSkdtc1BwdGlaVGlNZExBWWcKbHXUCrg7c1Ekq2bQs/m22TwBijcG+3WP - vNp6a5V0wDgoDP49W4AodMarygePJzW/NgndlUXqIWuIbm6VFUEHRQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNGdEZEI5QlVmQXp2MWp1 + YkRnUWM0S2k4ZEk4R21rc3ZsTGdzUjlOY25nCkg2OEZ3blpzem5QTktoTVB6eXNS + NzRVejNuS1NpbzN0ZDE2dzBldUR6bm8KLS0tIHJmT2t1UGZGVWFMNTN3WmRVOVZm + QVpQS1ZGbWdOYXNsNmlFYTNhUnIyZFEKBQaXEuhKe/qvqmXK6G/Ew+gwY8NgvyVm + Kd13hqsHcllaiAwg2lZ7RMl8gbKY9Sa6iQ1laV+0LHiEc/1hbg9sWg== -----END AGE ENCRYPTED FILE----- - - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh + - recipient: age1gj6uhy8lx9asjhwmqcmm4rtu6wptrd9dr42lhf9xreet6tra4fpswkvket enc: | -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLdlF3bzF4d004VS9NcHNH - ZnBEa2xHd3ZUYW5NUlVGd2JxRGJPcW9lT2tRCnVSUWx4Z1g2U2pyNjhaWnVxdDEx - SGtSNTdrMmtHeUtuL1lWQi9FUTZyZW8KLS0tIE1tNTdoOFdQV1p4MGNUYWtRQ0N5 - bFNpdm00MXJIMCtxelVIMXVtNG5XWlUKtkL3P6x2rafYSTCW5zv/54tgU20FYwhi - RFc5sZRkgXhoXw+zrKkhDc28Xn+Aby2pUth9ihs1ngVB8OUqAZbrXg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ1J4SFQ4K3RVTUlGRGxx + UzZhMnBXUGNYZ1dvbFozS3krVjBLUGFGQm1BCmdBQjhlcFhPaFk4RmtIRGFSUSsz + R2ZIR2VwQUZIaUZ4RWRLN01XdndURDQKLS0tIGg0eG9tVlB1WDhoRUpnZXhlQ21w + M3FXei9menJlNjB4ZFFoQURhdHFCUjgKmkTR92+6hZ705u9I5VPyJVfD5HrLxk7m + 7O1EPw9oPNSihFhl85PbQTAJWVMjRmJFFdDxz/I0XuHKE/XaNW+ijA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-07-05T11:01:02Z" mac: ENC[AES256_GCM,data:XnLmZ65mZqoTHQfSKdvPVr+IGb1mb0nFRQLBiVPSyKfg9ABlqwsht3sykR+enDkmIk1urRewpKvPRr1YyLKAezHaE2I5CQdRwMViGTxbtN18SCqlKcL6CgGzC7UzAI8A2jVqB6D9swCx63TEOwnaWySBFnQuOog58R43rhxcJJc=,iv:U0ZMZZyuRJVAE0el0tRAdvHS7qtqU+z2kN78XEZOW2k=,tag:TrPIoG7cxLBDgG4vXJ5NiQ==,type:str] pgp: - - created_at: "2025-07-10T23:51:25Z" + - created_at: "2025-06-13T18:41:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTAQ//R2fMRdWshY0+/feMDAF7t/Z0YwwAT63gzfqKG8aKC3cf - skGJtXBZ4CFW/tK0J62nS0qUIYrkWokACJk72luYg61u1KX1wUaEEqnRcEzZsxQC - Ib6hYXyKl87WYv99QUDaItBBBoSd9BhiDCnWv5nrstZSDy+RwlIYPhQy9KgeDt0H - 6pRnPEL3VU41AYt6YKl4yLBOjweftLwZkDgKyaJalwbLmFHWOvmvESL0kBj83hyX - Lw/XZlh9KUi+xEeYmHUCjO9xDgvJsMGTUY7m52U0W0faarzy59yYWnENROwm9jCK - XoYDu903CtxqSybKJ2AtGHWx2cuOmTjsHPEefqmK7M3XsVpsHgvx1Jo1eQYO1mPI - ZiryTsN1YMYXUkgGfFePmqA9X2iC/meboCWPcRt8lUIfmWx7uMGsv+mGXT37lWyu - wYl9Y2x0qwfAOyg3wNdojE5t4rlr/XaQ+k8Ep1ud37pgXFryQtnNhwgtYuPVWiFK - jnnUDCZrbsWbMmL88ZGYPNIcrBGAgmfYWzkWrU6fICYWIzJdgiWg91ANRHX9vnwG - 5YjZHoHnBRMQg32MInjBJrm/4r38DFQBm67bI1Ol6RMDp/wD5hLrbC6gnq0hGRJt - GzsRPphwrecifIBtck5/vs/f134Y+6BIADJHNEHTA/LnJC8K1VYRW5aBiFvyUWqF - AgwDC9FRLmchgYQBEADKxwFZHBejt2dr2w83XZcLCV/0Mf64DOk7I16VKZ5gBNXA - 4N4W8Q/of2/EH1a8eZ5A8DZPkVZMavdXkQnww8+if6yx0e4moBusUAzeKP0XtY7T - 
ABUueS7B9Ou3yhdVynpOfmU+EBwQXEuYhVsOlWUJGpfESoOBRyQv12P7ToOS4pz+ - panGeOMo5tzU/8vfkbRIF+9WWKPy/JfsufXGNQkdErgnTAdRCUegPO8kVpwZ5hE/ - 7IGtddUUnwC+kIlkv4N4eM9QabjWmU70L+THveJ4q7JJCmsimYPocbikVhPK7pb0 - mqU9hUMxJbBq6sPjLIq4QaSkSSipbiUUdZjoWuKuIbMjm6M7oWR2uGfQO3d5R+VZ - 3N3xkWPVnzoChq3zB35gkF6RniMhFMCjhYOPidYQ8QH68zN7pe3YzE0HkXgirjs1 - Zux8KlR/Vmh7wQjzWEfv3yK7Rjj8ePt4cdAfozFf7YMUPQWSr+BJ+1CVfI3X5Gb0 - RrWwJm59MicK7mONCDB59LMKUYciQc9JGlpl6oSkbdsy49OToPtuShsoBN/nmgVE - yU8BWhJt02KFLKvs+v+HXuxXgrUfl1zNAtzH0PrB40nuyoCFuvomUExCJiTTEMgs - YBwXdecgwcRta0/Q368DZqJzxiiYIy5xlZxFFMkA62JfJLUFy9/Suy+mReWBLdJc - Acr8AJq92TiCmHED4Rc78SaFDYjJYfvc6JLJDHxU0r2ucoMwKAR15gDDOaARt3B5 - Af7fxGWQ40sY56YgjgpBRaoXYDySuQ9Ylegd33hUzEOfOqKHFNAE+aH54QM= - =Enyz + hQIMAwDh3VI7VctTAQ//bvg76FopkB85Na1yjedNZjDbfg5R0H5sNOvJi/KkZRaB + siZZHUN1jrrYH9WJxhrYhE6wmtqhClWI0r0I/prcJj2gvJWs1EAC5HoJYCNQEZjA + jVqyPWveL+1AxLze9kGcHpb/YKO++XclmbjRB7RkW9oS8h3RN+BWgjoL379fygFn + tcYhB1zn2k1pvKovq6KQiBThGgaATShCh65sl10NXrEEzR37TBRubseC/Bhj6oDG + SoviST+7tbMETKDoDvXHzKE+tVvQPi1qCagbk1FL681ldjcvTFhsLEQc7brlskoC + w3H3BLKLrfpWPnsfeavMOghK6ctztwuOd6qbZCcdS0QRPbSlOWY27gzLg9nCoVYm + 3ZS4o+OIOBKCkaCiWqwORqa6MTNNOgzJHmrpXygehrhyy+RCvPyV1MUgo9YyfABb + uoRZxoY3svvm1mUcwJwySj0fKljF8YBOxmYHAq+cO1jPe3282Mbh8haOFxVF34c/ + sB7q8AJHTks9KZdO/wfMt//e3oN+IVFEsgEE8d0ecScIyVcqyEGYGcloQ+m/cUSF + onfJKz/WhgHUh4VngDF4HTMS2L4IRPnPFTebRNBirnM7ruQut9Q+NqYHF//UmlIa + 6CWifbSdcDujd4P5O9FIG7/bRhRf5CsUdn137o9vF9hBnX5KtdrRwyYzy4dp4HGF + AgwDC9FRLmchgYQBEAC2KYQRNAYxczza6nmW6n2bkGDypvKwDWV34GKtL1hy3mla + Dfh/k1yv0o/I6ebnbgh6yFzyFq2GRi+yNkTPF1mpGboyex4Ot3d3y7gurs0Y1p8g + oYYniqtQmuRmkplU6EFFZf4LgQvcArmLFCzp0SbZ37AaXYFjk/pY1hSrfDbiExVV + OK1pkE82vYXWm2bkFRE6YVNUf4lp7Q41CmDq+H+mf4DLfgw9J4TnseNi+ZsGldSj + 4jFEtxvO/t2vhNHvbXJoSVKeLKn4mUEpJdfi843XWwo0VEk0JcnzfReYUbqjLChv + gV13mqwGmrDY28IWzyCr4h8FURWUMJSFqkVnrEoHQ303ujX5qV3JSadl6ham4h4o + s3gS2F4m0h9YAJnxj4/ahbBLk8go4IQ7FA+rmjVhMLRuTyUcEyPPCiY8tRJm7p/X + 
vpkZdT2hVyYeLtK/mP5ieDArDVYUa3QTkJ3knjSfdZWBv3MtrXsTAK/C4frnOxoM + inMpCnJtCnVQ8/xbtyXMhJWnz72vbEwDblaLId9nVtU9p9GqHB2OT1CflJBhDjb6 + a49C0mIGS6xBkW3YBSJxf7szUK/lL2qXSW+aI4dg5naci62jChtagnkXbN2afhOR + 91hpJ2oohMkB8rbbi2uXN0wIBUO9t8GTUKKaTjCOOTWm5nXNOCW5CtamYASeetJc + AeW10mAZSNUyh8FWs9XeLtppGEdERSqWs3gPvGO+TJ9o/8v+BPIwLEu0POoUuRWo + 3Lkqrl4JHC01T7buQU3vzRfWrdranL0Ll8H2iYvsyfaJrsO01weS2jGqmgg= + =PGCv -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/general/secrets.yaml b/secrets/general/secrets.yaml index 88d54c0..5247a7d 100644 --- a/secrets/general/secrets.yaml +++ b/secrets/general/secrets.yaml 
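Review bot: This re-encryption drops the bakery recipient (`age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh`) and replaces `age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh` with `age1gj6uhy8lx9asjhwmqcmm4rtu6wptrd9dr42lhf9xreet6tra4fpswkvket`, but `mac` and `lastmodified` are unchanged context lines, which means only the per-recipient wrappings were rewritten and the underlying data key was not rotated (the `sops updatekeys` behaviour). A holder of the retired bakery key, or of the old wrapping still present in git history, can therefore still recover this revision's data key; if that key is being decommissioned rather than merely moved, run `sops rotate` (`sops -r` on older releases) on this file and on secrets/general/secrets.yaml, which the next hunk re-keys the same way, so a fresh data key is generated and the old wrappings become useless. The deleted secrets/bakery/secrets.yaml held `home-wireguard-client-private-key`; deleting the file does not remove the peer, so the corresponding WireGuard peer entry should be revoked wherever it is configured. The PGP stanza's `created_at` also moves backwards from 2025-07-10 to 2025-06-13, which suggests the file was re-keyed from an older working copy — worth a check that no intermediate edits were lost.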
@@ -25,98 +25,89 @@ sops: - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhU2M0UFVMOXFONzN5WVU5 - TExjNEkxbnhEOWJPemtqcW92WDVJTXlNRDNBCnVoMTFreXBZVjdFMWpxUzZhaU5j - d0xZYUQxdUx4ZFZteHlsM2pJZXZQQ28KLS0tIEJjdjlHdklmalRUUGhLSEFDTmkx - cjZNZnRVSmcxNnFCRzgrWnhOMlYzc2sKK13rGMFVsXQkNERYQLrhgYHbDn0jPYbl - H1pQPZdWw+LXw1Z+Y9nj74KTPPLnPckVTwETUfvs9EFkcFIyhzGK6w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWM01DeFcvQjM2bW5DcFM4 - YzF5TTlURkxRYVdVbjdReG9LbUdYNjMwMFNBCmZJckdBM1YyZEFDT2RhT3g5bHJo - eVVISmhqQUZJTm1WQjNvOUE5MytiTU0KLS0tIEwrVGFwVEE2ODQwb2RyNzdselJa - b2tiTzZCcHB1NVJWS3Z6VTdMelcvTlEKdW6kkCiI1YhV7Da6SrCQxP0zdUc2ICSC - voGlNOnPb5iACvgLnX/a6EBKKO7PScKIFAzsWROC9MlLoF7ERnZdSA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybmk3azNkM1A0MHBJZElF + Y244UzIvQmtSWThPbksrVmNnVEErSldLM3hFCmUxZ3hNaTkxQStNNkwxV2pkdWEr + bVQ3U2kzL0ZlOGp1NDJIaTNMYVRZd28KLS0tIFFZUENYdkRIVW1Gb2pjMjdFcG5h + TGRYcFpicXpFdjU4ZEk4RVpnODdBVE0Kq/i8NDtYB3L+kBs0q3NYlzRa22mWG7hi + lZZtwXjxTpoWacZgkNnxr/YjiOZLV7wt22TpFSKew1sfs77HvosPRw== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNnF1N25qMUkyL0N1RSt4 - ZlRPVGpsY2hkbWZKREg4cU92Y2MwM0twaXdJCmJwTWl2NjlETXJ6WFNwN2JpT3Fm - WjRqVlc4SW9DejV0Q0JGNkJpQm1NOGMKLS0tIHpQRGc5eHQ3bHFnRzBNRGx0ckFV - czdKU1p0WXQ0enRyWXpaT0k2NHBzZkEKqLRezUd0z2PF0wakJe39NAz/MkpXIRAl - hvIqWsWyXHUU4a+mXwX8XWgs/uejuyXmHa7TgavqkHs9s4/p+KtNnw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQmFSM3lPRHN3eE9Gd0Jr + T2hVb2t2NTEwbVVlNGNhZFZCekRrOEVSbmlvClAra2pnS0NPTXE5aTArZnQrcXNQ + bVY2cnhUeCt0N1ZQRGNDYTZETDFMVmsKLS0tIDRsV1hDM05KcWRFbE5ITGttVk9u + 
ek8rTHZYenNzbXVVYnhIUU1DY3h3VEUK5iRHq7pIa4tbYo4mrFUwPT50CWzCLnqK + X8Je+8lzkrVZ/M4RNXlgFxyD62LHycOZx342KVVdgl2b8w83xVud1Q== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWTFhTlMyVkZpeFRqaG4y - RDBhMEtpSXYyMGFnN3pkVGljSGN6MVlTaFMwCjlJd1UwbXVDT2M2R0hsQStqeEQ1 - YmNTNjdTRkU5aDZZd01DYjNaOWhKMFEKLS0tIFFKS1dXc2ZjVWlRR2ppSDRaRHRJ - cGwzMUFNTHZzcjZVTFNCcmp6VmdFNDQKNVeV1BGVuaUbSHHBOZzb/RJP4umX45RR - 14RInoF9i1ByEzY6KS2nyP83EQzbAgfdaUkPKkIpzytj+3gvlnI/RQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNGxsQU1wcFpIYUxLcnFK + bjhubFRxMGwzQlpqeWpIbnZBNTQ1cGxVb1M4CmNFTFlCczJMUXJpd09zT3phMHRm + OE9sRC8zQ3FDUXoraG9jNUFITHVOYzAKLS0tIEtPSmhVVFNRdEd3d1RobEZMUlhV + OU9tWkNlSTZWcVZZbk00SjkxSEFZeGMK9Uq8oBYa7TJiaSOv5AIfPqnfH+lM8jeY + QEvT/llQqNHo2h1PbzoCd0W+WN81/yVvWhweJUO5GcA4cqE0Ed15yQ== -----END AGE ENCRYPTED FILE----- - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWk81ZXFRQnRnMjhVZmZL - N1p0eTRSQWt5akJ2ZjZid2VUNW1ndFNWeFQ4CjBlZndkV0pKeFpZUjlzdHJsQTlR - VXE1K0p3TlhJdkdPMFRTL29BaUd5bmMKLS0tIDVlS0FmRUFjTTBpd3pGRVZMbWxF - cjlaR0xvUmZvdlFlZlFwam5IU1hYZ2MKOMW/ZsXOLtYnYCVf0JIxlfXNTDjSuscn - l1p2HspWo7J1RfJbOQgScy6rmUB/9HRMHlnwpnjgOYWE4EmuKcMYSA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYK3FyVzkwZEZLNU5hamMr + d0ViS3FnVHVjcEtYVlM3VFp5S2dlNXQwQ1EwCjQ5dmhJenpFZmt3aUZsM0J0UFJY + SXhNdHVRbjNYZ2YrYmF1QVVMS1hBbnMKLS0tIDUyRkhTSjVhUnhBTEdtNGNqS2Vi + cWIrcmxRUFpKM3V3d2ZwVm1STGlpSFkK+VMJXgzdehOUhdevVIfO68wo6VF0Lfj1 + gsHJHH6GmQbUsCt+F+fPaXUlrdN+BlCnk4ZMNKutTm2g4thAeiAeng== -----END AGE ENCRYPTED FILE----- - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOUhETXZpTWs5dWw1VVhX - 
Zi85OU9PekJQSHBIbHpNMVh6b2doa0wvSHc0CitvanJBOFgwb3V1TEpjQ2xXa2Fq - UGtzdTB1OEwxSWJKVkZJWjBDV2MwMncKLS0tIERpTlE1cWRaemZFZDAvcGx6QTNK - amtUQkgvTEJFblFUWTE0RWg1cUVUbmsKx35Yu+wpJwlVd2JrXCT/qybmLjCmT+/0 - v99LzVDWiiAPx8ryU2FeAZ/umDDIQfkzyLbi2f460ATKZhVfqhNDDw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RVRBOHo0ekVGakVadHBZ + SWhKcDVjNHNUcGhlYkxkenovcDdpWUpwdFNzCkt6SlVCaHgxK28xQmtrR045T3Br + MEJjbXhKUTRSREV6YUo5d1RKenR2TUkKLS0tIHhnZW85VHRraWRXZjhWMHI4SUpD + SUp3cUNwN1NXaXpjSm05UkFCcGw2d00K7Ai/uCOnqonQCy20hNjV8YALVlFZFbac + C8QIpfo5FEiONRZNOB2tlr7+ziGC+1ia1DXRvobHOKzgVfmW0VP86A== -----END AGE ENCRYPTED FILE----- - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEx1eUR0TnRVL0tsN1lV - amN2M0VlUHVpNjJvM0x3UVVhUzY5QTRObG5VCndkblVGdExHZDBMbVZmU3J4K2JI - dHZoVDZHTHJldTFLMDdlMUFTNGtjbEUKLS0tIExKVVd1UGtvelRsQldnMTBXTll3 - SjV6L3crUkdLWTlsNFgyRHBla2FFam8KILYsNbLdCirfoC/Vex8yEYpS2G4O0EQP - wa1xzPk3Ue0/g67dv5UZFhUn0ZB2XGFC3kEPWpptTj0VL+9Z/r0zKA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzeUVtUXZuTVl2SEhVMWdl + RTNsNU1pWmZVeTZ4YzR6RkVwSUc0YVo1VzE0CjNvKzl0QTROUEVnOWNObnFNLzRm + aStSOVIvNC8rOEE4WnRoUHlwV29hTFEKLS0tIG5NM1F5OVIwQUtraURRdW1hT0Ji + azY5dGFTUWhiQ083VlBzdVRrSmZFNTQKqoJy8eP+beb/86Dg7BLaYEmZJG2oMS/I + y1tSw+Ij5TfghzbtKcK++88L7ZPJLRocnKXftFbjutHNKmWW3+oW7Q== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-07-07T15:40:09Z" mac: ENC[AES256_GCM,data:IgodPXcdFB7zYwt1dbRXkuQ2Ko2cAy4L6BvObuP8sWRO26Sn0CRvBtfwEtJLRMoXyS3hXJ25hzTeQOUaTVRw/5GEViM4SxdUuE9b5rX1J7tRftgdI45f12tsBMJQhk4NDtxpm4CSUvh11XqNdBkBjFUMxfZVweXFhoZ7tJ3oElg=,iv:9WNevYqRUe5DtCWN6mMNNwQvxB4Z8ac/zKPocjMa33A=,tag:n/DL3B8WB/YKfcbo6ArMDw==,type:str] pgp: - - created_at: "2025-07-10T23:51:26Z" + - created_at: "2025-06-14T18:15:57Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTAQ/+OG92tnH/dwXLTdqlvN6sEPREG/oZTLGvjPiM0Ipqyrcz - rgTrso9MjBf0xZkxjH49CWqBpTBoOsxopdSU2cvte2IdQEQCgCJcqff3okBsT/Cm - 
3yz10DNTdI17cc2tLFJtvcWubf+amRXTM8IbDozkc4ttuhCbCRcFMaJ0NTVMz+rV - pff9UQWGmAWBKK/u26prf6NeCU2C/v3vLAxAxVjuPBxNpXFZEuu88DdE0lIMy1rO - ZAsYz7O6/flf3qbl74HXhNUhWwDTUJtU0beGSv/sziAPSEV0lpScZbq5HdFvNUk6 - rH8Tf1IdV6n0lvDqVdnY7XbmXlF0neSLJedWf6eAmcvnedCTVzMGSNAIVhiW9Y2f - IURsyK8NXnZTw2G5J4BOwx082Z1wroH0cJgQz1IcfU/I78DUaysH87mYfUQAGPV7 - cLICS/2n+olgkC9nAz9ZQO7+98Ylk1n4EKkhW2hzR5av8LSu5rs9uTkO1KWz5mTT - QjsWNlD8+1OvEFxELJtdMLnTpMTZqPouwRhDhJLoh6to2/HT48xCpUu4sMyj1AY+ - ECGsXzNbfb6dlAvuloNq9DoEP3nP4KJ6DKv7gnsbS1WVT6LoG9Yg6s00YnWiMomd - 0ByLH5KZdlBkZFV0K/WGWpj3c3H0IIM32+w2yYSCVQEY8UeSTQ54bI0ao+ISPLCF - AgwDC9FRLmchgYQBEAC2x72z23cpRyfiQD32Pzb4cDheSawiXSolOZMAExsRDmYl - IhMyMOwWmetg4HOwfGhq1PuM7t1k7maVa8ulWQcmD7eSmehiaMzYpA/gctf8GFQ6 - 4mmQ1siBC1qArfMgFgd9yS126NUGqXAWsrnptnlIbYuY/OsiS7W2JKLQUcx8TZqx - 6NC2zIi5+h+ZbRugpz4ZG8OjFnUwbLdZeDJ1M6i/TVuDJjGC1JkEePjY3IvcmB7P - QTzGCsYKwYSeUuAKel9ueqvznNqACQ78/NC/mYy8xTMiyjnhOqOFvmlHLZLy8cFs - m0eLlEfQycwGOIPZa7xo98AZ0Ohvykqy8SBcp6JSEoWcXi//lLfG2z5agfd7bEUP - X0rOKwmFL1l3w1sAUzmKTa29G8b2+rrCoKCHyByDQXyhgLa3aCx7tKS1iNwGdXmc - emvV15+jf/xQ8FrDDZFJGRuCVyuCGphEN8VxFR2BWRjEHEsy9gRMaJlo8gIw54Oe - ciMEBRjT+3l9B4Qipvm8V+okrdHQ56k9AbpbsAnpyHQ6A8AN7oJ19uzBq1nzRU9p - yE4lKNIjOIJmghvUcL8jwld6+w6iMkk7Ss0ClavTA06hWld6mDoRvfrQl+t4nogT - xypUidp/KtILrorNEVwaCsuXrqe5AspOcr8SqA77t9+Yj6b9x8gdJNZwvcMIB9Je - AXC4iun4BpIMdbg2beONi0Iwq+IeYOTdvpo8HKk1qrQCN4zHGaO6iZLrDFqN01DA - IyppFwRhJ60d5TjKweEn03KAT9oVsjN4nwpazd4JkLANXrxXX2wDYOVlnfYyng== - =jNoq + hQIMAwDh3VI7VctTAQ/+JiUgauFwbjrUsmGPseQJMraVr3cILCN05ufXeZLWXeuj + ZJV+7IecJa4BpCtaMD/xhvXiH7KNjlvlbN04AOHX/gGgJ3mENxHGtNOPb41RBzrH + 5FK1icAGt8xaXi8VdEwEDitKhRBnP2VzVC8ETrD+aQjVQM5DkJtvijvU3i0qsDnY + Y/oE56IWhldeXZcsXylW8x3NfskGbOQQ4hOmRamvi5ubrfAVkMlbzCS01rXTP4tu + 8MMbHtjZZcAeWrsj3rzlRw8SG/GRubn3lEd5nI7gfxHzyK6uv4sdaapw+5Y1vjbv + hB0wESidhzheIQmKeuLGTe6S+RTo+G8RNIqmrMXawFdmBoexKMFtJMXCca4LNawK + TE2UWbniQqMX53XM31EW1MrkjvM325E0p5TWz3JcA3JPqkmTJQSyccuJizvf2Bdi + 
M6stq6RPl9n5feSJJSfROP1IX1+fpQOLfToOJpOm5MPCrm0YhY5h1uSTKemfVGkO + cV1B2SGkN+w80eEhUX/EskNagROZBHn5cuZXldCcBzEIsA4G2ZsIuVujXTcL8wmn + EL/HiEB6UQ8P5TrAREbNw6wOXVdlfkUovyfmI02NFL6wr0xY07a3Nn9qADKQzhpE + 5fFudXWe6mLx/bRcuhl2ozCBk9fTcVkb5SF43Pp5fmQKzKvqN8GjEHtdFrN5vfuF + AgwDC9FRLmchgYQBD/wNVDcCYqGdZ/J4wt7BEx3bG/QOkpacnQXGqo0Xv69BjOi0 + tOsylTe+Nqge2ImCgu2lNlOYMjfhHCcnLILdriZX0KpEiEM4lzbpB2ntm+p2wMjg + TqMhzupy7iPZbPg12rtr71Mc7pLYKn6DRTBYv+HsMY8E24T3bMnGPOn31VP1N+0k + U0rySjg6Tuqo/F1Usi5wMG/zvLqSTJ5Sev0tHj0K8yKcmoHmSy62SdkrOd5S9xBt + KtGqHmJrPnKKb84BdSQThp+WfK1E3Vmsj7bd4TdqYlvo2GWMBj/bV7CuCOQvonnB + x27GEOCoFOn4ySIyTn3LrqGOVyRmQBELLXXCQASwWBKeruh70GN1XsfPYVxBXjWQ + ydOTCZNqBufQzakUFdly6WyaBOr1m6p9rbW0icA17ot7tVqgC5DsvVkPlgqXgI1W + oMhq8KvURlsflLJJ8ovI4wrpNZfDmIXZiFGTSVRcdJF6jDEYbypN34IRi5Idf9rg + SsH3tSLemJG5FZdztmStGTX9zWnfsCk7ivqJJpIgj7feWIr3WD1Y9Rt9KRZpJ05c + zHnGaXJYLX378q6L03C3klBhGfzBLTikApo/dmEy3DMSgsrtQt5vF7B6w4aHd318 + Gn+neiFXDxOsUVA+nFKkEPSFVR3XKzWE3TeO8AYJ80KYoywDAqeB9//p/MefeNJe + AZlxqdyhUqqzW2/95RC7sznoU/zVYvQ9ORfZ1K85xjAvahGWn50q2w4OKIs/gLBE + W7s8fkHqU71bMp7Al6Mx6RFK67x3OM1srb+jAR1OCFy4WTqPDkW7bSbQTNsAkQ== + =NdF8 -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/milkywell/secrets.yaml b/secrets/milkywell/secrets.yaml index 1177071..63b9413 100644 --- a/secrets/milkywell/secrets.yaml +++ b/secrets/milkywell/secrets.yaml 
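Review bot: Removing the `age1mjgw…` recipient (presumably the retired bakery host) from this `sops.age` list re-wraps the file's data key for the remaining hosts but does not rotate it — `lastmodified` and `mac` are unchanged context lines in this hunk, which is exactly what `sops updatekeys` produces. Anyone holding that host's age private key together with any earlier revision of this file from git history can still unwrap the same data key and decrypt the current ciphertext, so if the host was lost or decommissioned rather than merely renamed, run `sops rotate -i secrets/general/secrets.yaml` (or `sops -r -i` on older releases) to issue a fresh data key and then change the underlying values that host could read. Separately, the `pgp.created_at` on the new side (2025-06-14) is earlier than the one it replaces (2025-07-10), which suggests the new side is actually the older revision; confirm the diff direction before merging so a stale branch does not overwrite a newer key set.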
@@ -1,6 +1,6 @@ -#ENC[AES256_GCM,data:VljHjyZqPvnVxhuoEMhGrWA=,iv:nCHj+sdhAOJx37fGFkRzfrK+PsEP+tRELBhnP3bfoIU=,tag:fH5QNt5TeM3K4nXkeIC4wA==,type:comment] -anki-pw: ENC[AES256_GCM,data:TR3roG7I1213Lj8=,iv:bK3WIC8Q4Cm6cccXPFx4K25GRRUq7Le6bEAVdEZdNPA=,tag:LLC/agUxZT0MIKxk+TSevw==,type:str] -#ENC[AES256_GCM,data:EUHyFduvRqc=,iv:RHW3wsx8P1V4hkwnrl456qMgi9uz/1qoSOg5AvqwmhM=,tag:p26hGYMn5fbuNJ7Qr98E0Q==,type:comment] +swarsel: ENC[AES256_GCM,data:WzMlNzg5iAu823s=,iv:U8ZutlrzBqq7z445kSnvluejtta4X/0YMIIOdcQuftg=,tag:IE0WMuXlNwnBHzXtrbVHKA==,type:str] +dnstokenfull: ENC[AES256_GCM,data:hxgxSm6pcXOEHZHdSwQkfZryFccQXrCu9idULJhWK/tQ44FyRIU4Yg==,iv:ObKf1M1qkgCltkKJX+URaPSiK5Itd3xlfBXPjf1iVak=,tag:PASR0pgBdcDYjdTZ2eEUCg==,type:str] +swarseluser: ENC[AES256_GCM,data:e/p76dBuM7eLIrO0HBeJMs8eMCAGAklGcA==,iv:r+e9GGMDCCjh1eWnB4AJMFdMuXbVXxoLMefooq0SOlE=,tag:auRo+JnwH+EardJQbKek0A==,type:str] kanidm-forgejo-client: ENC[AES256_GCM,data:LuOFq+bj9TIbaN6Arz/etcjEO0WnjswJNw==,iv:eqACcjjr7usTl7Dv8HTqH53cHDa0+HV5IYN8Rh5aChg=,tag:upBfWOUOEoZRPgUtlMZE4Q==,type:str] sops: age: @@ -13,8 +13,8 @@ sops: cUUxYkVGN0hVZ3UrNHdmSXBQbVpkNTQK7yfeX133PekxsK/2BXxsx0pxmWBcZkZY UO4ZHCcZQQKMg22BY/3pPz/Ui+uUfZ7AIdLjQb6WQvUbmgz5Lb0M9w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-09T13:41:17Z" - mac: ENC[AES256_GCM,data:9SntfZTrKnCMwrQAncIcGO9qPXM4PT+ZWnmk0F6S0Lb2xx5O35/i39P9vYN/QMPMzKc5KmmLCzhictWvBE8mr4+17pfJBH0KgiAqaOm9Vgy8Zg79/xH4fCia8bwYDfKe5uNwvRwknM3u5/eXLNcr6MnkDspDYTusXhw/qTQav54=,iv:P+fHF35oMNP24vadFA/rAYDm6n0ieAMB43ovP+7vJCo=,tag:4gJqIhqRg+3P84aUgRIPbA==,type:str] + lastmodified: "2025-06-09T14:53:33Z" + mac: ENC[AES256_GCM,data:SphJHK+OP0IyBWAAr5FDWhg7VBdD8isL0QsswGI6bpSV/7FTRpd6Ehp+kvmCPcdTwpQlmVIyA5r7DpL0F+F0BQGFtMDnESXVldmsBVpvYL/Q62zvlCq1hsm24tLxHbBssSCCpDNq8b5uCp3qklCQCISBYEFeI28dnFapxl5YI/g=,iv:MbMYmCqhQw9O6VdjjBULa2PBciiNk7AJzSrFTnDhMaI=,tag:2VaUX28dyxhyxYVHinESzA==,type:str] pgp: - created_at: "2024-12-17T11:38:27Z" enc: |- 
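Review bot: The new side of the first hunk drops `anki-pw` and reinstates `swarsel`, `dnstokenfull` and `swarseluser`, while `lastmodified` in the second hunk moves backwards from 2025-07-09 to 2025-06-09, so this looks like a rollback to an older revision of the file rather than a forward change. If that is intended, every `config.sops.secrets.anki-pw` consumer in the milkywell host configuration has to be removed in the same commit, otherwise sops-nix activation fails at deploy time; if it is not intended, the branch needs rebasing before merge. Either way the removed `anki-pw` ciphertext stays decryptable from git history by any key that could decrypt the previous revision, so retire it by changing the password at the service rather than by deleting the key here.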
diff --git a/secrets/moonside/secrets.yaml b/secrets/moonside/secrets.yaml index cc08428..a966591 100644 --- a/secrets/moonside/secrets.yaml +++ b/secrets/moonside/secrets.yaml @@ -1,6 +1,6 @@ -#ENC[AES256_GCM,data:HCHFN2Q=,iv:Z3tD7Hn5eudPR9DuX6etamkpNnYB/NRYGppWdyuUDuM=,tag:tbuWEFDmh4HAyksOZOihLw==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:lW/XJCHwApvIofSZHL5h7AUPISjARfmDnpSnprDBHQYzj0u5ZlZS5A==,iv:/y3gjgC9AEU3r+l8Uq6P7DAU2C8i+qTQ9DP4t0g8ZhE=,tag:v24WRudw8NB84b3XBFupHQ==,type:str] -#ENC[AES256_GCM,data:XdLlonkGBN0b,iv:wimLW/7+a4MJCVg4zazY0ogakxXjdyPNZmZt0CzpXao=,tag:rg7FEi1qaYMkCXX+dwjFLA==,type:comment] +swarsel: ENC[AES256_GCM,data:AnxZLN+3ta2Dmg0=,iv:S25Xbbj5K3tWynO4/7XGRp/+XexxoUofHjlPNDo5el8=,tag:uov6okR56P324TYA3/YN/g==,type:str] +dnstokenfull: ENC[AES256_GCM,data:z9gi0pwfbDyHkKw8rhiGOIlaLUzepAAxQfAH4esla2NkSCx/S0VAiQ==,iv:qtCE+V4vHImViCquHwUEADEzl6dj7PB16PoRqYEgQ6o=,tag:jVfWgt3cx+bpYeMuyesjrA==,type:str] +swarseluser: ENC[AES256_GCM,data:s09lyp9yRPJaSsDXj19s1mosF3O39Fk7Eg==,iv:tVBEFqTQPreul617EU6CfBUhz3Fmt37VAi3GzezeEmA=,tag:9sbJ465VxKoW3/q6ju7hpg==,type:str] wireguard-private-key: ENC[AES256_GCM,data:GCi+otqW06yoBKnG0WCIN4Wu9VKDsOUv8WRm240cHBnSAoW/ycd2WgDWsYY=,iv:TYj38C00fMIhg8LEGz6HPWxg11xUdwGgnxOmy+1SG9k=,tag:CQr9phCmU5it2EYjzqhAlA==,type:str] #ENC[AES256_GCM,data:u/O2rHXqOoTNpOSm,iv:hqhZC9R76P3sPkpQMximrvcTC15IM99QaRZErC9AIc4=,tag:wc2w7iwtfazlwWpnQJV63w==,type:comment] oauth2-cookie-secret: ENC[AES256_GCM,data:cbNVAkBAWJCN4fLmkYUFhy8v9iE5fB30hFI3nTpZuVIFCnmXPBtlftI58Zg=,iv:q9xjUDOH9M4pW+9YB9dEYSqEu9gpsezbxcGbpORNljU=,tag:KoGNcssD608huewmHeJOxw==,type:str] 
@@ -24,8 +24,8 @@ sops: bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-09T13:40:12Z" - mac: ENC[AES256_GCM,data:B1pkubTJuLU1pCprTHtANC58sfgbvjgnDtztF4g7M4cIgj4pasrPGjOXLw5hrRwpYKffuciOogDOJx1/DekpFG0rydc5+R46saCtzGYVBEXWpH+SuaiHGBokTq0zIwnNEDpMpQ2xKTDiv3yKJBNUXOPugEYgDuvmg1wRyZ9iWBY=,iv:ZUij0KY74PEYo2IcCQoFiHFB/uOF6CxyHIpL4yJyFlg=,tag:srWW114VV3oCMjSLG9lVwA==,type:str] + lastmodified: "2025-06-28T20:39:53Z" + mac: ENC[AES256_GCM,data:eJf8SlsN5lxPLVnN0m+LAd6twJ2QnnmUK3h3ueAFV96oTsG7wUCJ/M/cqMGUkG3hy38OKk/BFDAHDmmjc02stWf14HiN02fm5CYjROLhJMaeXuSXOLQSPuo72s45YiKZL1x3ph//cgO3CQP+mvElywYDy4LQRTVKm9Eajq5Q/ZU=,iv:Ch9dS9Vkk8ag/3BIsxoWyJ3ksbh8oIjHZJJjoQSGGHA=,tag:PjNd3256sSb6o/6iUIjjyQ==,type:str] pgp: - created_at: "2025-06-13T21:18:31Z" enc: |- diff --git a/secrets/pyramid/secrets.yaml b/secrets/nbl-imba-2/secrets.yaml similarity index 100% rename from secrets/pyramid/secrets.yaml rename to secrets/nbl-imba-2/secrets.yaml diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml index 9c3883a..b35d486 100644 --- a/secrets/winters/secrets.yaml +++ b/secrets/winters/secrets.yaml 
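Review bot: The new side replaces the single `acme-dns-token` with `dnstokenfull`, and the name suggests a DNS API token with broader rights than the ACME DNS-01 challenge needs, whereas the old name at least documented its one consumer. If this token only answers DNS-01 challenges, a token scoped to editing TXT records in the relevant zone is sufficient and is what should be stored here; the encrypted comment above it should state which scope the stored token carries (the winters file in this same diff keeps both `dnstoken` and `dnstokenfull`, so the distinction evidently matters). The `swarsel` and `swarseluser` entries added alongside it are not described by any comment line either; a one-line encrypted comment naming the consuming service would keep the secret inventory auditable.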
@@ -1,29 +1,51 @@ -#ENC[AES256_GCM,data:2coSbGjKAg==,iv:QXAGBCUEBypVs93R6p9DpWsZ6i6VMmdlmeffQxPTGWI=,tag:2sfSIFT9W8anEunXHxP7oA==,type:comment] -kavita-token: ENC[AES256_GCM,data:T59wnJO0CClMP+jGd6LFtIDihYxDEZ6OATN1LizmLqYyPZ0Sxqoavgm3B3VWywLEIpSXyHfH3+qZKahnUA5/3c9okEbI1X3FFkiOYM0tVHe/E3lLQhHujw==,iv:ojm6RKZbxDjnGE377tjqZ6Zu3jkR6GHpxjZ7uZ3I5Y4=,tag:Y7KliDHxx2QIWoUdLbtH1A==,type:str] +#ENC[AES256_GCM,data:ZDHvt3C3,iv:7zsB088YWliEbEvDSaiYS/Tf54PtkQ/G/4/gSE0PbhU=,tag:YFDfhVQdYc6CnM9UaeKXXw==,type:comment] +smbuser: ENC[AES256_GCM,data:KWW6VBGTh/Y=,iv:laYedVHB/aK8VKKsTk8BViTG7xQ3VSCEoh0bcsZzzCE=,tag:0TBFVELPpsNhJPhvtBhCjg==,type:str] +smbpassword: ENC[AES256_GCM,data:qKQQQtat2Rf6ETzb1AdxhzoD10VUi2U=,iv:yUGL4TPvFtDy7FHSQM9YfgK54ZvhnWFYQyVIQiBUzl0=,tag:aWVzJ4hVitMJRrfCaifJpg==,type:str] +smbdomain: ENC[AES256_GCM,data:hbK/MXee6gI=,iv:X+NapRDPAYqhi+CQOWSKwNpP0lCGmGe3vvKDQFkq32M=,tag:L8dDN+WgmaB1rqIes0WHKQ==,type:str] +#ENC[AES256_GCM,data:GCIBk7ouxPsX18czYCrhOQahUG3JSV83l2ujNxKQK8LAlBInFeSpjWOyYHuS2XWhYiJrW4I=,iv:jgYXl2DnDqUjLBpXjRNbxydktY65IvD2JcUb2SPwQjM=,tag:Wpnhf1NGf/AELvmPpjgM7g==,type:comment] +kavita: ENC[AES256_GCM,data:2dQNwfRXw6SPhNbP0fRaVryhc64dxJOZuMw6ZpeFzwY7LVB6Oo6PJCzfL0S+Gr3od31d6yeOo/64Z5hJ8h6rXjnkqNU/46jUpChzOfihwkNzhcJZgdFzIQ==,iv:kNxQgqjxDXvNXvlEiXfFoBs69CzuzMNB1ka/7ywxUiw=,tag:ZEwbJu/86LIKuvtfKcx2Qw==,type:str] #ENC[AES256_GCM,data:EnKPtPHaMw==,iv:6bKMTGB7CFBGzpcXv5bq1pPoN2dcfSsQn8CIAuawAEE=,tag:B7s6b5A1W8cr+rk12sfnzw==,type:comment] -matrix-shared-secret: ENC[AES256_GCM,data:ykgD+w6nxfegBhzVZmXmuxxsf1lIdV+0OOHlEt9V7YgmFFjHPw+SUxOsGnpwfTXB6Bwo70MDC9fLMSWZxtfIlQ==,iv:LoKIuJYvdKTE7QKrbJvAaKXucesrGgCZpVfmMNt1WhA=,tag:Q8EQSF28Cx/UMCBp5k+vCg==,type:str] -mautrix-telegram-as-token: ENC[AES256_GCM,data:nVragL+I4Fl0+0gG0nnSFoVt6PrDGCic8nh7AneOiJ8ktpsmq3wkuMzeg3aQkfM27HXTkkdhKBmCy/W+i9G2XA==,iv:ozhwDo8H87UCHIPEHCjWfnUtdK8L2jChz6y3NIO5j6Y=,tag:H2geLETkaUnM3xM/2Jvp7Q==,type:str] -mautrix-telegram-hs-token: 
ENC[AES256_GCM,data:bsuGGKASj65MkSri1MbZDEppRlr5qXzdRnpTF9gDshj4ahpvt0R1aLyr/dIaHk+OKdDvaeJ8JHkr2AVsJxMAzQ==,iv:ESnTEmOjkkOAJTJZq4CjPtPs17dBoc06fgI4T41Z1Hs=,tag:EC6CukTgFIDzlmeuOvLIWA==,type:str] -mautrix-telegram-api-id: ENC[AES256_GCM,data:GLaYJupsuA==,iv:EZ7i3jregI2puUAQbbkUK7OWA9Dnk0GdXRQuF/crD0Y=,tag:FL86Xji+YEkBPIm7m6sStw==,type:str] -mautrix-telegram-api-hash: ENC[AES256_GCM,data:vikwgZLPV7YBdKlzf8+LEUnNIMx950CfBMGXKOga2cs=,iv:16+qS4L1LEKyWQKC2+a9l4OugWLJou2I2t9oRfKjS24=,tag:zhjD2dyGkqfMQlAt/LTCzw==,type:str] +matrixsharedsecret: ENC[AES256_GCM,data:P9dO+qmeKAtRL482s/Z4Zdmfo1KN9hB21b6zJsi4C29DQlpFwyMRwd7bCNB78I6r2NNQIdnsOtZvcy5Wy4mLCw==,iv:H7eqV7DqvGNfmwN95AjPAgecZE+xGeXMF1r/VpxAHaQ=,tag:pZB2SaxHx60Enn+ycbZ25w==,type:str] +mautrixtelegram_as: ENC[AES256_GCM,data:twr126P6/7zRPntbgPqpIerNgg4bw6pwmMUjyzwMlMJCdPOP3TVaaXkXccOnkyZY80U3e89WZ5MA+sIEbZb98g==,iv:92dtW8lRLXdOIx/iTmb27Er55XY6p2Rne/14TzYGfJA=,tag:zEGPFhsQCU3RniY7rC+5pw==,type:str] +mautrixtelegram_hs: ENC[AES256_GCM,data:C4amampQPckSWZCpYANfXjLHZV64smadRAUUlJnLNPlMUuoFja4m5rPjKdu6p2bqTAmPO92wSeCuqi2kMZycuw==,iv:h33AR1d7QA++uFC3VcJKuJmOOEvG+5zooLGhkYUMRgY=,tag:oNZXsvwWlTaoJ98BODav4w==,type:str] +mautrixtelegram_api_id: ENC[AES256_GCM,data:DR5GoVM2Dg==,iv:PYIHS65piMhXppV4vL54lxtsb8Mmw5BIAXkFixgfvNM=,tag:4JgwEvTckNuOmb+Jjn6IBg==,type:str] +mautrixtelegram_api_hash: ENC[AES256_GCM,data:M3qA63nhw5tIQfqgtnAth/O1COrtpli7dfKuC7wFGIk=,iv:uppaVZDpqY7d3LhKqO/b/3WInkiKkaDFM/gZnlPGTZA=,tag:J986Cd6p2BrEq60LYoe4iw==,type:str] #ENC[AES256_GCM,data:3ZJfIpB7,iv:bS0q1SvUfAX8s6/R1z9IWoJ1vIitIDc2lGZUjS6P+Ao=,tag:Hc1HVrtkT6gNceN87PF/YA==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:QyOHnPFiNiOXBK41pr6XfG9KCWRysTxzW4cjuUesbGdFOOFi8W4lCQ==,iv:Iuc77X4t5V1xFPu2F1njo93l4oaciou7UfOLBm18gaM=,tag:+40ELYAGxaQfwiTKPPwI4w==,type:str] +dnsmail: ENC[AES256_GCM,data:fsmv/CVSpVJ2ZwBibs6PzCTKtA0g,iv:Pdy91cL2jxRLpMfzeveAbjr/mpQ+iWVPXK7eLQg6mMM=,tag:CbgTXpf6G0gz6YTjlV7AqQ==,type:str] +dnstoken: 
ENC[AES256_GCM,data:mRVmT1B1xzQWLRjwJUPBoYKSzr4Np3BJiV7psARFKcOZJlBAW38ztw==,iv:YEKdzGBRlwPv0baJ28uRJvWkFSmF2+VHP5VHJtMn4nM=,tag:1S5l0HMpqvY9llveT1dTmw==,type:str] +dnstokenfull: ENC[AES256_GCM,data:nIFYEO0KMXWBQyLsfM0v7xPSCbmW9Z4qKiGVh38b3mhWklYdMtarqQ==,iv:aQfxbBolEpMkfWHC+5/c5a/xiDhlz8BfJuuKicjVCzo=,tag:LoDgjcR6/VwKVy8DubLdew==,type:str] #ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment] -paperless-admin-pw: ENC[AES256_GCM,data:8s2WunvnlL0xE8XNN1Re6/9nBAM57AgM9g==,iv:Pol+RjNMKpNYCQWY0BZamRnob+MO/e/14jc8uArtDz4=,tag:FXRrlhR3DpZ+7lSlXb7wsw==,type:str] +paperless_admin: ENC[AES256_GCM,data:IbZxJzscc2z77RTYTBt5ZdCgtEgTSq5k0A==,iv:lrmP3rOLMuV04H+E0nsKF+KhNKAGHCFyaQnT+gg0wM0=,tag:lNbMYqAdjn0K1AhJKvhB9w==,type:str] kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str] -#ENC[AES256_GCM,data:RamYuA==,iv:4/LaPYi4hIvg2/ftF8Dh5eEVrsgtuOkmB75Cpm5oHJc=,tag:blCudo/EVHesDdUs1nLBhQ==,type:comment] -mpd-pw: ENC[AES256_GCM,data:/j++A2IrOwNse4+lvq7OI3Wde4KsdQ5UkQ==,iv:e0mjQyeefB3FFVsYQvTtjO9mewlmtQ8pl7O/ZmEllSU=,tag:SwbWBN8PqUrXTpKILhLquw==,type:str] +#ENC[AES256_GCM,data:+dReUV9p,iv:gmVwWra3sP+9I0KVxzTXGzdbZEyRiT7p2BwE34ZDttM=,tag:jse7bGtSva6llqjSOCY/KA==,type:comment] +mpdpass: ENC[AES256_GCM,data:OXDL8eyfBpX2gXB8aODahA5wNK7laaCQUg==,iv:zSQUtu1j+Z7SnYMA3jNvIFbG9LEbiB7uJ4y9xEmnvJY=,tag:ZKgtccYWT/k4q6Qc2y5WEg==,type:str] +#ENC[AES256_GCM,data:pn5jSPCWhDl+,iv:f7dyv+83dT3azAuY+/+6i/KzX2a4JIEi+PLeYamORmg=,tag:c5doNQBt6A7fRXl26dWsEg==,type:comment] +username: ENC[AES256_GCM,data:ONoDSJL0VTqts6n8yAEwOPFyJFbC,iv:soHSy4FV0JiXNqqj/zL+52e9tGOKOtG3iCni8FQpTBk=,tag:1iHXNP0l5fQ0S3wUZrFWbg==,type:str] +password: ENC[AES256_GCM,data:xFb/oOmzJmUN37Q=,iv:Jb/gAWJdHOm+8Nd2r3CyXeH72ex11L3AqcjbkZMs/oE=,tag:Zx3As+yV3N3R0njzGzRLhg==,type:str] 
+#ENC[AES256_GCM,data:hEEbuFI=,iv:wO77BmvRu5EgQPKQZTQm4nd4Hr0AG5Ws6QQzjclen4I=,tag:ZU31DwdIbsQHBlNPLhFldg==,type:comment] +swarsel: ENC[AES256_GCM,data:20UAUTx54IX7LV4=,iv:odWk+VMnMahH8Uue21S8PAv9mW6T5c1eUjftZMe4JJw=,tag:gLnjqQsHWmkytpq6x4iIEQ==,type:str] +#ENC[AES256_GCM,data:MKBsVnZ42nZ+9Xy0Cg==,iv:Myk1h9p6zGLiW6/UHkI9yLKb+HKY+wH5AcqAoQVBppM=,tag:Cu9TkUZTs6qZ6htxQpHEbA==,type:comment] +vpnuser: ENC[AES256_GCM,data:NipHQzuXa2o=,iv:3SnaJGVpcazJYQmbqgKv33ZfZBBQ+N+A8OzXNN9ayNU=,tag:IWrIoWJiMYEyI1Xhrcb2uQ==,type:str] +rpcuser: ENC[AES256_GCM,data:o1BipxnQTg==,iv:edlFbnE20p6ub/N1Ko/wplMwNQRsB6yNaJ6h8cI/1QE=,tag:1XwbOzO/QF0KJpwkSy0B0A==,type:str] +vpnpass: ENC[AES256_GCM,data:fnnvxcRXM5AsnA==,iv:OP4A1qyyUc73zUB4+5wJ4yk+xff4WEFDDWrBldFn9QE=,tag:/L4GXKpIL4Mhb29wZTj5Wg==,type:str] +rpcpass: ENC[AES256_GCM,data:2kHNLnsSsndOZ6xaKFY0QQFD3i43NOt2,iv:8IQEIgPdRT6gqkPZsrs5c5D0iamUaZGrWNag4fDoUkU=,tag:R5d1uMGwvxFt0i2Y1DPmbA==,type:str] +vpnprot: ENC[AES256_GCM,data:/NV2,iv:wVvlcdisq2PdLeNpaxE7cwBsKEJgoi/MAmWoTgHFMbQ=,tag:9wZXcI1AsSH/mHUFwiwRGw==,type:str] +vpnloc: ENC[AES256_GCM,data:U8ModKho4vSHnMo9BOE978V6ZlMeQEoLaFW/,iv:Sw06YsWSZ4tGt/TRhRGkU4KdLBcmZTCY4mGqQbpEh7Q=,tag:kDoTkpzXZKEUIa1CSh3Pwg==,type:str] +#ENC[AES256_GCM,data:yp7ApA4YLSk=,iv:O/SQxKe9EWqExHbeKsTXvbst0pjCxy3yiOjmeCVjmdY=,tag:RMkAOLOLCodnPSDEuImwRw==,type:comment] +swarseluser: ENC[AES256_GCM,data:XvmOHYFNhb/bAYAZ/kmUWbbmRy/WrxSYri/Y5k+SH4N7ZIjuZDHOkWk93ERFuTb77HvhbPX/NRQraUoJoFsxGGg5co/gJnyfRg==,iv:J50PeDcC4PM3+yQ/YQNb8TW4kubwi2kjjSFU0RVFM30=,tag:ydLYkz1YKyguGZZZD/JcLA==,type:str] #ENC[AES256_GCM,data:7UtHAqAZLmzT,iv:xBbdv1aHFrSc5/H6o3VujZdtAN7JwHbpckDcoZ5z78M=,tag:0ZEFJcPa6RIwv+kIgNHj4A==,type:comment] -nextcloud-admin-pw: ENC[AES256_GCM,data:PN1K4gyosG9YQUbXrLt7okDe,iv:HpAQOmTXnixm3cd/gNOzICrR4xoSKxsYWavJReKnhvM=,tag:KhCQ+8HpTaFfzn7dFSwE+Q==,type:str] +nextcloudadminpass: ENC[AES256_GCM,data:ZOCsu4/ijfheBfY9ZR5DBXSB,iv:bNlTLKQblnt2eYJqVgXwCaGAyAw2yhlb9Whsz0LBhm4=,tag:VQAWP/b8IghzXDFLJxXZ4Q==,type:str] 
kanidm-nextcloud-client: ENC[AES256_GCM,data:RJ5XSYvnJS6r2zzs2SOBZYx+GV7EVjB7XQ==,iv:KfinHenUiYgWrZtMBSGTuVUd5aZlfxvM7Rf8ocFv64k=,tag:WiknAlc29ohsLwnBCXzHpQ==,type:str] #ENC[AES256_GCM,data:dyEwvFDSvI0=,iv:4LPFthS73mIYQt6MRLBTeNxCwKnJGc7sNFJfZCpMU3Y=,tag:X2mBwG1++2gcFIOi/xIgFA==,type:comment] -grafana-admin-pw: ENC[AES256_GCM,data:FBF/YEPTL7HAfLybMqg=,iv:SctfD7uRKeclHr7R831Ns87/ASCfhFE0yfDQrNxWOMU=,tag:UuaSMMs/y4h4ASueseywYA==,type:str] -prometheus-admin-pw: ENC[AES256_GCM,data:onPtYsfFbE1LFRpeDC5ipGJ7xnLRLbAPqQ==,iv:CDxzBfIzgF9naCQ0UDyTYWQGZ/J0Noia56YASsHLz3I=,tag:xs+PiGk5dfvUpGXVsDnAFQ==,type:str] +grafanaadminpass: ENC[AES256_GCM,data:TBu0WOdvE+9CAH8EVm8=,iv:/usKOYscSXpo8tiSV/Las9eucBeYnpwG5DM9gJg8bfU=,tag:/LZqwuPWQyjSZURnsqq3hA==,type:str] kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,iv:p0y/UyIrFBTvWZKHbfdOSEpbMun7dZ8FyB5W7VS0oSY=,tag:+jKD+d9cRGKJkapGYxUEnw==,type:str] +prometheusadminpass: ENC[AES256_GCM,data:NYUbSnAl0f3FUtvCjvJHFr2wMRsVsbVIeg==,iv:TP4NMwJsft8aEixxJBJCX/0I6BJVBnltFYJDKuXq1hM=,tag:yMY+KZsRjbn8ItgKgjzqSA==,type:str] #ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment] -freshrss-pw: ENC[AES256_GCM,data:GU5rHmJCAb27pWo=,iv:f1YcUsf2jznGAk0zSX3L01lbB9kXiFKAKSgB/RMaq0U=,tag:xsB1QxhDQPX/B2VJV3Wi9g==,type:str] -freshrss-oidc-crypto-key: ENC[AES256_GCM,data:FvkaTTfOIo2wn5SnOCiMqy/g/4vcjSX7BjX6GIJrPsQUkqWHvL4LmQ==,iv:930d5Cgb6jly8NAdr21XO0lkWWCXujCho6fW+RYNlRI=,tag:fidIhKA25mwsxpORJOVeTA==,type:str] +fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+NojMifsy8S0=,tag:mHf0YYYxulLXAIByqmnOsA==,type:str] kanidm-freshrss-client: ENC[AES256_GCM,data:jBplXWOX/mRTQf6cKmP3C5PZJoBAmb3mhg==,iv:5hcLNGuEQ0T9FiczznGKMul38Ftv8PmG3q0Vaao10oI=,tag:tpx+EDvA31HCnG1/XJOBWg==,type:str] +oidc-crypto-key: 
ENC[AES256_GCM,data:O48Va8j2L/GDdTZRQEtVsoy1jsZSCLx0IxFYnCBGhoGRwDW+t0LKPw==,iv:DLCeGhRqRp/JfFaY3vva86OzMwGlcXxiBbQ4Tayjyq4=,tag:We5W8cIntW3D/5vdC/t8IA==,type:str] +#ENC[AES256_GCM,data:+lbLElpVOYo=,iv:DaVuudlnW+vy2PZOs9eiwZhOyILnqEX9KUehFlX2gWE=,tag:lvM6r0JM0DZir4y7iVTeKg==,type:comment] +kanidm-forgejo-client: ENC[AES256_GCM,data:pitJ6re5xm2w1MSs5Ul7Tl1/H1KSR7Ps7w==,iv:4k8/cxpLqWxCgJuk/y9K3OAMCkzu8gb8CDxY+gUuOvg=,tag:OocTFS54teDUfHaHAHZiHw==,type:str] #ENC[AES256_GCM,data:Ur0/rfBv5g==,iv:eH+KbbkmtBWbobqAIUFF0jIrGhbHnk9g8hLZoxE3swI=,tag:3dnoA+O5GXW5Dvxcx4jiTw==,type:comment] resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str] resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str] 
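Review bot: The bare `username` and `password` keys added mid-hunk carry no hint of which service consumes them, unlike the neighbouring `kanidm-*-client`, `smb*` and `vpn*` entries; a NixOS module binds them only by `config.sops.secrets.<name>`, so a copy-paste slip in one module can silently hand another service's credential to the wrong unit. Name them by consumer (`<service>-username` / `<service>-password`) and keep the encrypted comment above them naming that consumer. The hunk also renames many keys (`kavita-token`→`kavita`, `paperless-admin-pw`→`paperless_admin`, `freshrss-oidc-crypto-key`→`oidc-crypto-key`) into a mix of `-`, `_` and no-separator styles; every `sops.secrets` reference in the winters host configuration must change in the same commit or activation fails at deploy time, and one consistent convention would make that audit easier. `vpnprot` and `vpnloc` look, from their very short ciphertexts, like non-secret connection parameters rather than credentials; storing them here works but blurs what in this file actually needs protection.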
@@ -38,15 +60,14 @@ kanidm-grafana: ENC[AES256_GCM,data:61PEA1fBcaRy8+x0dn9WrH9P0D+NOkbeZw==,iv:kbR3 kanidm-nextcloud: ENC[AES256_GCM,data:9FjsOzBos18ouHBeuzrzHIpCDowFt0Aktw==,iv:iqUQUsWsO5N+KZqHyqNxMxSija/yPrrrAqvz4b1NG1M=,tag:/WC3wg/eYXV3hLJPRVWLog==,type:str] kanidm-oauth2-proxy: ENC[AES256_GCM,data:DQ5tj7N+P1b8vFnF+MGhaUBvbVQoE4sVhQ==,iv:Xy4bdi8fSFuFHsQKgZ3PswFFYsqtiAeqeSRam1k/H0E=,tag:9W4LRPPYtDOrSpxRDK/7sg==,type:str] kanidm-freshrss: ENC[AES256_GCM,data:4y0X3sSOfs5pKNCmZGJhxlAKH7GD1UACdw==,iv:LuQQCfOpsTqglwQvohHMFpNGaOjoZ8PKDgG50qBP02k=,tag:Z5mVYP/9nToerQ1qui1eWQ==,type:str] +#ENC[AES256_GCM,data:5wFeVBBdeDlAHZwUdA==,iv:mAmgS9gbPklWPFu425MPngjGm3SNGnUSNyR5oG4EK+E=,tag:nNUTTbs+aWAU1qNgtTsBgA==,type:comment] +oauth2-cookie-secret: ENC[AES256_GCM,data:l8BPYA7t9NG9MPFs/LDlFHqwbnwsvie7FM5v613358E+jLf2wD+tipyUb6c=,iv:1kZ6G6Z0cSQS53kc/hygh/1Ke491agWDlYHR9Yq0jT0=,tag:mi7Un2JBnrq1dnP3jZX4ng==,type:str] +kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:+mcA/sz3AZuw+I44iIdOEfDmtjEVdxi2fg==,iv:m4NpieUicS7xsR+F5AgPqkcUFRF+CGOA8IK6GeS9tgM=,tag:1wypxpiHPdQBD8Td/PSdMw==,type:str] #ENC[AES256_GCM,data:M9U+Mr1cAhlt7NpW,iv:LY19BZEwDdQD1Nhbmgdt9/9VNJjcTkOGP7SwEDE3Xwk=,tag:TlYrhu5dBj1D+Qd72r7Ofg==,type:comment] firefly-iii-app-key: ENC[AES256_GCM,data:hzgl8eRL0irNRP5TO7G1rNtNM7fXCkmbcaX4QoTsM0xA1rgyKwiy6a4lYDjoXZyOMy5p,iv:q5eepIELwIecyQ56A6THUOu+rebK3irKVYb7/gNHlU8=,tag:+M/KTX1JzPzXeK4TRzW42w==,type:str] #ENC[AES256_GCM,data:mBlfyJvQyrhTnpkJ,iv:hHnTCsHfzCgKuBO82JjNbjYYjWV8e7+0VRkbTGw+WRE=,tag:7Dp77Q2VjWJM5LydvpbJnQ==,type:comment] koillection-env-file: ENC[AES256_GCM,data:X1dndR7XIhGCwbRQzET5MbzW71PT7WmyryNbOhCKx2I=,iv:bP/90aJT+eA8EmwoFZ7uXxOWfOprpHfc9CvL/A9Os5M=,tag:ZxFDInJBtFrulvOL9PwNJQ==,type:str] koillection-db-password: ENC[AES256_GCM,data:5Ue4l8CMZpjRpcryEtzPyR2Zf7M=,iv:Ol/G6nFY5H/SIY7l4o5woqFVeLfnv3FJfaAZIqI4NHA=,tag:hYorZv2nyLvsJ8AT2xTkBA==,type:str] 
-#ENC[AES256_GCM,data:oTo0OgB8QQyPVxzEoEw38eM=,iv:V8UJrZvlAEUVxajLjty56LoiHqi9mvX2NxlZeYr0P0g=,tag:gSiHry8iRcYWAFi5Lt1GiQ==,type:comment] -anki-pw: ENC[AES256_GCM,data:h4RBhKV6ZzDQk7s=,iv:r21zH3sDKwRxfi8A1DPNEVhKTbb35qWv2mTGaXJxynM=,tag:kT4pVhz6pHxyBZ0iXdGx7w==,type:str] -#ENC[AES256_GCM,data:5jJoV7vZl1A=,iv:Uc9/nyvdzgH6USVxhDhVs6aDqy/k9D53AJP2AvTj3ZQ=,tag:K4zDz5RoLuHevTeLqxw/XQ==,type:comment] -kanidm-forgejo-client: ENC[AES256_GCM,data:2iXE/dmOQtY2NEsBgDqkqwD/brF0vJs+Ag==,iv:PBQ03z/E6R+u7Y56fPzJSnsoCa5PUYSiezZFOMLz4eo=,tag:jThgOC6h2hHJUclDju/MtQ==,type:str] sops: age: - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 @@ -58,8 +79,8 @@ sops: MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-09T20:28:09Z" - mac: ENC[AES256_GCM,data:tLAljNEDR4Ab27OXVJhvDuGmfuxE/L9KSFsJGDo25Vs3P56/HnjrI77y+ytLuf2sK/OHup7jXnlwBWUDAfNWIQzUdjIBtr/OiggkPHgWhr4rH55ayLM1IfZU1ex6MPvliz2yi0nU6jqHXoSlBCqu+hdfyTQri1EmZ9Bh811YDqs=,iv:4VmwBcmQIjQ16mwxYjgud3OUjQE0rH0wN72sAXXs3to=,tag:OQNYvxLZg+0hapvUYsexuA==,type:str] + lastmodified: "2025-07-01T23:25:43Z" + mac: ENC[AES256_GCM,data:TS1UWyZGQ1zgzHGVlcWhWgWgo56zaSbhcB3KryS6Ya5clgyFt4vY0R4dC+uYnjmY1QCXAFPVLQU24ufKFDz94fEm0sQCPEWF2d1n156IpMce4wtCUqc0sXJOqTI3OA8ty91EWSUXTaapXEG2Pd9MSKr6XXpAVVbhzXKU1rFd1zc=,iv:xeOThqJ0tWUu55O8JAQMi0D6YzkrrHe7AshSATgpQ2U=,tag:VvtzsK1/06BD39bfQUr7Mg==,type:str] pgp: - created_at: "2024-12-17T16:24:32Z" enc: |-