.github/README.md

@@ -22,13 +22,8 @@
     - [nix-darwin](https://github.com/LnL7/nix-darwin)
     - [nix-on-droid](https://github.com/nix-community/nix-on-droid)
   - Streamlined configuration and deployment pipeline:
-    - Framework for [packages](https://github.com/Swarsel/.dotfiles/blob/main/nix/packages.nix), [overlays](https://github.com/Swarsel/.dotfiles/blob/main/nix/overlays.nix), [modules](https://github.com/Swarsel/.dotfiles/tree/main/modules), and [library functions](https://github.com/Swarsel/.dotfiles/blob/main/nix/lib.nix)
+    - Framework for [packages](https://github.com/Swarsel/.dotfiles/blob/main/pkgs/default.nix), [overlays](https://github.com/Swarsel/.dotfiles/blob/main/overlays/default.nix), [modules](https://github.com/Swarsel/.dotfiles/tree/main/modules), and [library functions](https://github.com/Swarsel/.dotfiles/tree/main/lib/default.nix)
-    - Dynamically generated config:
+    - Dynamically generated host configurations
-      - host configurations
-      - dns records
-      - network setup (+ wireguard mesh on systemd-networkd)
-    - Remote Builders for [x86_64,aarch64]-linux running in hydra, feeding a private nix binary cache
-    - Bootstrapping:
     - Limited local installer (no secrets handling) with a supported demo build
     - Fully autonomous remote deployment using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) and [disko](https://github.com/nix-community/disko) (with secrets handling)
     - Improved nix tooling
@@ -36,24 +31,24 @@
     - Secrets handling using [sops-nix](https://github.com/Mic92/sops-nix) (pls no pwn ❤️)
     - Management of personally identifiable information using [nix-plugins](https://github.com/shlevy/nix-plugins)
     - Full Yubikey support
-    - LUKS-encryption with support for remote disk unlock over SSH
+    - LUKS-encryption
     - Secure boot using [Lanzaboote](https://github.com/nix-community/lanzaboote)
     - BTRFS-based [Impermanence](https://github.com/nix-community/impermanence)
     - Configuration shared between configurations (configuration for one nixosConfiguration can be defined in another nixosConfiguration)
     - Global attributes shared between all configurations to reduce attribute redeclaration
-    - [Config library](https://github.com/Swarsel/.dotfiles/blob/9acfc5f93457ec14773cc0616cab616917cc8af5/modules/shared/config-lib.nix#L4) for defining config-based functions for generating service information
-    - Reduced friction between full NixOS- and home-manager-only deployments regarding secrets handling and config sharing
 
   ## Documentation
 
-  The full documentation can be found here:
+  If you are mainly interested in how I configured this system, check out this page:
 
   [SwarselSystems literate configuration](https://swarsel.github.io/.dotfiles/)
 
-  I went to great lengths in order to document the full design process of my infrastructure properly; the above document strives to serve as an introductory lecture to nix / NixOS while at the same time explaining the config in general.
+  This file will take you through my design process, in varying amounts of detail.
 
-  If you only came here for my Emacs configuration, the relevant files are here:
+  Otherwise, the files that are possibly of biggest interest are found here:
 
+  - [SwarselSystems.org](../SwarselSystems.org)
+  - [flake.nix](../flake.nix)
   - [early-init.el](../files/emacs/early-init.el)
   - [init.el](../files/emacs/init.el)
 
@@ -114,7 +109,7 @@
   ### Programs
 
   | Topic         | Program                         |
-  |---------------|-----------------------------------------------------------------------------------------------------------------------------|
+  |---------------|---------------------------------|
   |🐚 **Shell**   | [zsh](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                            |
   |🚪 **DM**      | [greetd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/common/login.nix)                         |
   |🪟 **WM**      | [SwayFX](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sway.nix)                         |
@@ -129,7 +124,7 @@
   ### Services
 
   | Topic                 | Program                                                                                                             |
-  |----------------------------|----------------------------------------------------------------------------------------------------------------|
+  |-----------------------|---------------------------------------------------------------------------------------------------------------------|
   |📖 **Books**           |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                           |
   |📼 **Videos**          | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                        |
   |🎵 **Music**           | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
@@ -152,37 +147,28 @@
   |✂️ **Paste Tool**      | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                        |
   |📸 **Image Sharing**   | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                              |
   |🔗 **Link Shortener**  | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                            |
-  |⛏️ **Minecraft**            | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix)                 |
-  |☁️ **S3**                   | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix)                       |
-  |🕸️ **Nix Binary Cache**     | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix)                         |
-  |🐙 **Nix Build farm**       | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix)                         |
-  |🔑 **Cert-based SSH**       | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix)                       |
-  |🔨 **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix)                     |
-  |👀 **DNS**                  | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix)                             |
-  |✉️ **Mail**                 | [simple-nixos-mailserver](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mailserver.nix)  |
 
   ### Hosts
 
   | Name                | Hardware                                            | Use                                                 |
-  |---------------------|-----------------------------------------------------|-----------------------------------------------------------------|
+  |---------------------|-----------------------------------------------------|-----------------------------------------------------|
   |💻 **pyramid**       | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                         |
   |💻 **bakery**        | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                     |
   |💻 **machpizza**     | MacBook Pro 2016                                    | MacOS reference and build sandbox                   |
   |🏠 **treehouse**     | NVIDIA DGX Spark                                    | AI Workstation, remote builder, hm-only-reference   |
   |🖥️ **summers**       | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Homeserver (microvms), remote builder, datastorage  |
   |🖥️ **winters**       | ASRock J4105-ITX, 32GB RAM                          | Homeserver (IoT server in spe)                      |
-  |🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router, DNS Resolver, home NGINX endpoint                       |
+  |🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router                                              |
-  |☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative DNS server                                        |
+  |☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative dns server                            |
   |☁️ **liliputsteps**  | Cloud Server: 1 vCPUs, 8GB RAM                      | SSH bastion                                         |
   |☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM                      | Service proxy                                       |
   |☁️ **eagleland**     | Cloud Server: 2 vCPUs, 8GB RAM                      | Mailserver                                          |
-  |☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Game servers, syncthing + other lightweight services            |
+  |☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Gaming server, syncthing + lightweight services     |
   |☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM                     | Hydra builder and nix binarycache                   |
-  |🪟 **chaostheater**  | Asus Z97-A, i7-4790k, GTX970, 32GB RAM              | Home Game Streaming Server (Windows/AtlasOS, not nix-managed)   |
   |📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                               |
   |💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts     |
   |💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines |
-  |❔ **hotel**         | -                                                   | Demo config for checking out this configuration                 |
+  |❔ **chaotheatre**   | -                                                   | Demo config for checking out this configuration     |
   |❔ **toto**          | -                                                   | Helper configuration for testing purposes           |
   </details>
 
@@ -274,8 +260,9 @@
 
   These are in random order (also known as 'the order in which I discovered them'). I would like to express my gratitude to:
 
+  - All the great people who have contributed code for the nix-community, with special mentions for (this list is unfairly incomplete):
   <details>
-    <summary>The great people who have contributed code for the nix-community, with special mentions for (this list is unfairly incomplete)</summary>
+    <summary>Click here to expand...</summary>
 
   - [guibou](https://github.com/guibou/)
   - [rycee](https://github.com/rycee)
@@ -300,8 +287,9 @@
   - [oddlama](https://github.com/oddlama)
   </details>
 
+  - All the people who have inspired me with their configurations (sadly also highly incomplete):
   <details>
-    <summary>The people who have inspired me with their configurations (sadly also highly incomplete)</summary>
+    <summary>Click here to expand...</summary>
 
   - [theSuess](https://github.com/theSuess) with their [home-manager](https://code.kulupu.party/thesuess/home-manager)
   - [hlissner](https://github.com/hlissner) with their [dotfiles](https://github.com/hlissner/dotfiles)
@@ -314,7 +302,7 @@
   - [EmergentMind](https://github.com/EmergentMind) with their [nix-config](https://github.com/EmergentMind/nix-config)
   - [librephoenix](https://github.com/librephoenix) with their [nixos-config](https://github.com/librephoenix/nixos-config)
   - [Xe](https://github.com/Xe) with their [blog](https://xeiaso.net/blog/)
-  - [oddlama](https://github.com/oddlama) with their [nix-config](https:/github.com/oddlama/nix-config)
+  - [oddlama](https://github.com/oddlama) with their absolutely incredible [nix-config](https:/github.com/oddlama/nix-config)
   </details>
 
   If you feel that I forgot to pay you tribute for code that I used in this repository, please shoot me a message and I will fix it :)

.github/workflows/build-and-deploy.yml

@@ -1,59 +0,0 @@
-name: Build and Deploy
-
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-concurrency:
-  group: "pages"
-  cancel-in-progress: false
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Emacs
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y emacs-nox elpa-htmlize
-
-      - name: Tangle files & export to HTML
-        run: |
-          emacs --batch \
-            --eval "(require 'org)" \
-            --eval "(setq org-confirm-babel-evaluate nil
-                     org-html-validation-link nil
-                     org-export-headline-levels 6
-                     org-export-with-broken-links 'mark)" \
-            --visit=SwarselSystems.org \
-            --funcall org-babel-tangle \
-            --funcall org-html-export-to-html
-
-      - name: Setup Pages
-        uses: actions/configure-pages@v4
-
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: 'site'
-
-  deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4

.gitignore

@@ -7,4 +7,3 @@ result
 *.bak
 .pre-commit-config.yaml
 .direnv
-/site/

.sops.yaml

@@ -6,29 +6,25 @@ keys:
   - &users
     - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
   - &hosts
-    - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
+    - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
-    - &summers age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl
+    - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
+    - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
+    - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
     - &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
     - &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
-    - &hintbooth age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
+    - &hintbooth age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x
-    - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
+    - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
-    - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
-    - &pyramid age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
-    - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
     - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
-    - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
+    - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
-    - &winters age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
+    - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
-    - &dgx age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
+    - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
-    - &hintbooth-adguardhome age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
-    - &hintbooth-nginx age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
 creation_rules:
-  - path_regex: secrets/repo/[^/]+\.(yaml|json|env|ini|enc)$
+  - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *winters
-      - *summers
       - *twothreetunnel
       - *liliputsteps
       - *stoicclub
@@ -37,122 +33,183 @@ creation_rules:
       - *hintbooth
       - *bakery
       - *toto
-      - *pyramid
+      - *surface
+      - *nbl
       - *moonside
-      - *dgx
+  - path_regex: secrets/repo/[^/]+$
-      - *hintbooth-adguardhome
-      - *hintbooth-nginx
-
-  - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *pyramid
-
-  - path_regex: secrets/nginx/acme.json
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *twothreetunnel
-      - *eagleland
-      - *hintbooth-nginx
-
-  - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *pyramid
-
-  - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *bakery
-
-  - path_regex: hosts/nixos/x86_64-linux/winters/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *winters
-
+      - *twothreetunnel
-  - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/[^/]+\.(yaml|json|env|ini|enc)$
+      - *liliputsteps
+      - *stoicclub
+      - *belchsfactory
+      - *eagleland
+      - *hintbooth
+      - *bakery
+      - *toto
+      - *surface
+      - *nbl
+      - *moonside
+  - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *swarsel
       age:
+      - *nbl
+      - *twothreetunnel
+      - *liliputsteps
+      - *stoicclub
+      - *belchsfactory
       - *eagleland
+      - *hintbooth
+      - *bakery
+      - *toto
+      - *surface
+      - *winters
+      - *moonside
+  - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *nbl
 
-  - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/[^/]+\.(yaml|json|env|ini|enc)$
+  - path_regex: secrets/pyramid/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *nbl
+  - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *nbl
+
+  - path_regex: secrets/moonside/secrets.yaml
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *moonside
+  - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *moonside
 
-  - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/[^/]+\.(yaml|json|env|ini|enc)$
+  - path_regex: secrets/belchsfactory/secrets.yaml
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *belchsfactory
+  - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *belchsfactory
 
-  - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/[^/]+\.(yaml|json|env|ini|enc)$
+  - path_regex: secrets/bakery/secrets.yaml
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *bakery
+  - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *bakery
+
+  - path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *winters
+  - path_regex: hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *winters
+
+  - path_regex: secrets/eagleland/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *eagleland
+
+  - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *eagleland
+
+
+
+  - path_regex: secrets/stoicclub/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *stoicclub
+  - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *stoicclub
 
-  - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/[^/]+\.(yaml|json|env|ini|enc)$
+  - path_regex: secrets/liliputsteps/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *liliputsteps
+  - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *liliputsteps
 
-  - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/[^/]+\.(yaml|json|env|ini|enc)$
+  - path_regex: secrets/twothreetunnel/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *twothreetunnel
+  - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *twothreetunnel
 
-  - path_regex: hosts/nixos/x86_64-linux/summers/secrets/[^/]+\.(yaml|json|env|ini|enc)$
+  - path_regex: hosts/nixos/x86_64-linux/summers/secrets/
     key_groups:
     - pgp:
       - *swarsel
-      age:
-      - *summers
 
-  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/[^/]+\.(yaml|json|env|ini|enc)$
+  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *hintbooth
 
-  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/adguardhome/[^/]+\.(yaml|json|env|ini|enc)$
+  - path_regex: hosts/darwin/nbm-imba-166/secrets/pii.nix.enc
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *hintbooth
-      - *hintbooth-adguardhome
-
-  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/nginx/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *hintbooth
-      - *hintbooth-nginx
-
-  - path_regex: hosts/darwin/x86_64-darwin/nbm-imba-166/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel

files/emacs/init.el

@@ -1117,7 +1117,7 @@ create a new one."
 
 (use-package nix-ts-mode
   :after lsp-mode
-  :mode ("\\.nix\\'" . "\\.nix\\.enc\\'")
+  :mode "\\.nix\\'"
   :ensure t
   :hook
   (nix-ts-mode . lsp-deferred) ;; So that envrc mode will work

files/scripts/swarsel-bootstrap.sh

@@ -36,7 +36,6 @@ function help_and_exit() {
 
 function cleanup() {
     rm -rf "$temp"
-    rm -rf /tmp/disko-password
 }
 trap cleanup exit
 
@@ -140,7 +139,7 @@ fi
 
 LOCKED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.node.lockFromBootstrapping)"
 if [[ $LOCKED == "true" ]]; then
-    red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING - set 'node.lockFromBootstrapping = lib.mkForce false;' to proceed"
+    red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING"
     exit
 fi
 
@@ -230,7 +229,6 @@ if [ "$disk_encryption" -eq 1 ]; then
         green "Please confirm passphrase:"
         read -rs luks_passphrase_confirm
         if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
-            echo "$luks_passphrase" > /tmp/disko-password
             $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password"
             break
         else
@@ -245,10 +243,10 @@ $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
 mkdir -p "$FLAKE"/hosts/nixos/"$target_arch"/"$target_hostname"
 $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix
 # ------------------------
-green "Generating hostkey for ssh initrd"
+# green "Generating hostkey for ssh initrd"
-$ssh_root_cmd "mkdir -p $temp/etc/secrets/initrd /etc/secrets/initrd"
+# $ssh_root_cmd "mkdir -p $temp/etc/secrets/initrd /etc/secrets/initrd"
-$ssh_root_cmd "ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"
+# $ssh_root_cmd "ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"
-$ssh_root_cmd "cp $temp/etc/secrets/initrd/ssh_host_ed25519_key /etc/secrets/initrd/ssh_host_ed25519_key"
+# $ssh_root_cmd "cp $temp/etc/secrets/initrd/ssh_host_ed25519_key /etc/secrets/initrd/ssh_host_ed25519_key"
 # ------------------------
 
 green "Deploying minimal NixOS installation on $target_destination"
@@ -319,7 +317,8 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then
     vim "${git_root}"/.sops.yaml
 fi
 green "Updating all secrets files to reflect updates .sops.yaml"
-sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/* || true
+sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml
+sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc
 # --------------------------
 green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
 sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
@@ -390,5 +389,3 @@ fi
 if yes_or_no "Reboot now?"; then
     $ssh_root_cmd "reboot"
 fi
-
-rm -rf /tmp/disko-password

files/scripts/swarsel-install.sh

@@ -96,7 +96,7 @@ green "Cloning repository from GitHub"
 git clone https://github.com/Swarsel/.dotfiles.git
 
 local_keys=$(ssh-add -L || true)
-pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
+pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
 read -ra pub_arr <<< "$pub_key"
 
 cd .dotfiles

files/scripts/swarsel-rebuild.sh

@@ -78,7 +78,7 @@ else
 fi
 
 local_keys=$(ssh-add -L || true)
-pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
+pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
 read -ra pub_arr <<< "$pub_key"
 
 cd .dotfiles

flake.lock

@@ -156,27 +156,6 @@
         "type": "github"
       }
     },
-    "dependencyDagOfSubmodule": {
-      "inputs": {
-        "nixpkgs": [
-          "nixos-nftables-firewall",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1656615370,
-        "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
-        "owner": "thelegy",
-        "repo": "nix-dependencyDagOfSubmodule",
-        "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "thelegy",
-        "repo": "nix-dependencyDagOfSubmodule",
-        "type": "github"
-      }
-    },
     "devshell": {
       "inputs": {
         "nixpkgs": "nixpkgs"
@@ -203,11 +182,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764011051,
+        "lastModified": 1728330715,
-        "narHash": "sha256-M7SZyPZiqZUR/EiiBJnmyUbOi5oE/03tCeFrTiUZchI=",
+        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
         "owner": "numtide",
         "repo": "devshell",
-        "rev": "17ed8d9744ebe70424659b0ef74ad6d41fc87071",
+        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
         "type": "github"
       },
       "original": {
@@ -358,7 +337,7 @@
     },
     "fenix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_15",
+        "nixpkgs": "nixpkgs_14",
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
@@ -426,11 +405,11 @@
     "flake-compat_3": {
       "flake": false,
       "locked": {
-        "lastModified": 1761588595,
+        "lastModified": 1696426674,
-        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -688,11 +667,11 @@
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1731533236,
+        "lastModified": 1726560853,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
         "type": "github"
       },
       "original": {
@@ -1003,29 +982,6 @@
         "type": "github"
       }
     },
-    "hydra": {
-      "inputs": {
-        "nix": "nix",
-        "nix-eval-jobs": [
-          "nix-eval-jobs"
-        ],
-        "nixpkgs": "nixpkgs_5"
-      },
-      "locked": {
-        "lastModified": 1759783173,
-        "narHash": "sha256-KShZ8ctQ0pb7BjP6z38+O++d7v2Y2KdKCSeRJEagvu8=",
-        "owner": "nixos",
-        "repo": "hydra",
-        "rev": "3059dc16a3664fecbf9437d5414f4d2bc1142ff1",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nix-2.30",
-        "repo": "hydra",
-        "type": "github"
-      }
-    },
     "impermanence": {
       "locked": {
         "lastModified": 1737831083,
@@ -1067,7 +1023,7 @@
     "lanzaboote": {
       "inputs": {
         "crane": "crane",
-        "nixpkgs": "nixpkgs_6",
+        "nixpkgs": "nixpkgs_5",
         "pre-commit": "pre-commit",
         "rust-overlay": "rust-overlay"
       },
@@ -1088,7 +1044,7 @@
     "microvm": {
       "inputs": {
         "flake-utils": "flake-utils_2",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_6",
         "spectrum": "spectrum"
       },
       "locked": {
@@ -1170,7 +1126,7 @@
       "inputs": {
         "niri-stable": "niri-stable",
         "niri-unstable": "niri-unstable",
-        "nixpkgs": "nixpkgs_8",
+        "nixpkgs": "nixpkgs_7",
         "nixpkgs-stable": "nixpkgs-stable_2",
         "xwayland-satellite-stable": "xwayland-satellite-stable",
         "xwayland-satellite-unstable": "xwayland-satellite-unstable"
@@ -1222,26 +1178,9 @@
         "type": "github"
       }
     },
-    "nix": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1758562014,
-        "narHash": "sha256-IazqNpt3jNldKy+rivmlGuo9pC1IczV0Xjk5+5EQEzQ=",
-        "owner": "NixOS",
-        "repo": "nix",
-        "rev": "f2b45e014b909bb5e6a9f99a8a511deed3b3e2a4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "2.30-maintenance",
-        "repo": "nix",
-        "type": "github"
-      }
-    },
     "nix-darwin": {
       "inputs": {
-        "nixpkgs": "nixpkgs_9"
+        "nixpkgs": "nixpkgs_8"
       },
       "locked": {
         "lastModified": 1763505477,
@@ -1257,23 +1196,6 @@
         "type": "github"
       }
     },
-    "nix-eval-jobs": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1752683968,
-        "narHash": "sha256-urOFgqXzs+cgd1CKFuN245vOeVx7rIldlS9Q5WcemCw=",
-        "owner": "nix-community",
-        "repo": "nix-eval-jobs",
-        "rev": "a579b1a416dc04d50c0dc2832e9da24b0d08dbac",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "ref": "v2.30.0",
-        "repo": "nix-eval-jobs",
-        "type": "github"
-      }
-    },
     "nix-formatter-pack": {
       "inputs": {
         "nixpkgs": [
@@ -1321,7 +1243,7 @@
       "inputs": {
         "flake-compat": "flake-compat_2",
         "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_10"
+        "nixpkgs": "nixpkgs_9"
       },
       "locked": {
         "lastModified": 1763776632,
@@ -1341,7 +1263,7 @@
       "inputs": {
         "home-manager": "home-manager_2",
         "nix-formatter-pack": "nix-formatter-pack",
-        "nixpkgs": "nixpkgs_11",
+        "nixpkgs": "nixpkgs_10",
         "nixpkgs-docs": "nixpkgs-docs",
         "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap",
         "nmd": "nmd_2"
@@ -1365,15 +1287,15 @@
       "inputs": {
         "devshell": "devshell_2",
         "flake-utils": "flake-utils_4",
-        "nixpkgs": "nixpkgs_12",
+        "nixpkgs": "nixpkgs_11",
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1767198021,
+        "lastModified": 1762088663,
-        "narHash": "sha256-O/7ZAy0OczYEy7zl+EegeekvRqb3JPh0btyBKtRvbVw=",
+        "narHash": "sha256-rpCvFan9Dji1Vw4HfVqYdfWesz5sKZE3uSgYR9gRreA=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "0c052d902678b592b957eac2c250e4030fe70ebc",
+        "rev": "c15f569794a0f1a437850d0ac81675bcf23ca6cb",
         "type": "github"
       },
       "original": {
@@ -1420,7 +1342,7 @@
     "nixgl": {
       "inputs": {
         "flake-utils": "flake-utils_5",
-        "nixpkgs": "nixpkgs_13"
+        "nixpkgs": "nixpkgs_12"
       },
       "locked": {
         "lastModified": 1762090880,
@@ -1455,7 +1377,7 @@
       "inputs": {
         "devshell": "devshell_3",
         "flake-parts": "flake-parts_2",
-        "nixpkgs": "nixpkgs_14",
+        "nixpkgs": "nixpkgs_13",
         "nixt": "nixt",
         "pre-commit-hooks": "pre-commit-hooks_2"
       },
@@ -1477,7 +1399,7 @@
     "nixos-generators": {
       "inputs": {
         "nixlib": "nixlib",
-        "nixpkgs": "nixpkgs_16"
+        "nixpkgs": "nixpkgs_15"
       },
       "locked": {
         "lastModified": 1751903740,
@@ -1529,25 +1451,6 @@
         "type": "github"
       }
     },
-    "nixos-nftables-firewall": {
-      "inputs": {
-        "dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
-        "nixpkgs": "nixpkgs_17"
-      },
-      "locked": {
-        "lastModified": 1715521768,
-        "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=",
-        "owner": "thelegy",
-        "repo": "nixos-nftables-firewall",
-        "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "thelegy",
-        "repo": "nixos-nftables-firewall",
-        "type": "github"
-      }
-    },
     "nixos-stable": {
       "locked": {
         "lastModified": 1749237914,
@@ -1600,11 +1503,11 @@
     },
     "nixpkgs-dev": {
       "locked": {
-        "lastModified": 1767131767,
+        "lastModified": 1763648956,
-        "narHash": "sha256-APHjXWyLmNKFNXoVU7Z82L8zUeSpR1/owKFryitWSsg=",
+        "narHash": "sha256-JBATYs0HPlATioA2kYFwUAsnzWv9Bd2tXqeCOr/ix6I=",
         "owner": "Swarsel",
         "repo": "nixpkgs",
-        "rev": "449fa265ea9c67c1ea9b1c3d8121959e2ce348d3",
+        "rev": "230b56741730ede84e7e488d11cb34044f5b54c7",
         "type": "github"
       },
       "original": {
@@ -1781,22 +1684,6 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable25_11": {
-      "locked": {
-        "lastModified": 1767047869,
-        "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-25.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs-stable_2": {
       "locked": {
         "lastModified": 1763622513,
@@ -1815,37 +1702,21 @@
     },
     "nixpkgs-stable_3": {
       "locked": {
-        "lastModified": 1767047869,
+        "lastModified": 1763622513,
-        "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=",
+        "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a",
+        "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.11",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_10": {
-      "locked": {
-        "lastModified": 1748929857,
-        "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_11": {
       "locked": {
         "lastModified": 1764086288,
         "narHash": "sha256-S223/Mc4Ax75PfWySz8b44jjAnz36jUk4U+XiCfMy9I=",
@@ -1860,13 +1731,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_12": {
+    "nixpkgs_11": {
       "locked": {
-        "lastModified": 1766651565,
+        "lastModified": 1730531603,
-        "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=",
+        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539",
+        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
         "type": "github"
       },
       "original": {
@@ -1876,7 +1747,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_13": {
+    "nixpkgs_12": {
       "locked": {
         "lastModified": 1746378225,
         "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=",
@@ -1891,7 +1762,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_14": {
+    "nixpkgs_13": {
       "locked": {
         "lastModified": 1763966396,
         "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
@@ -1907,7 +1778,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_15": {
+    "nixpkgs_14": {
       "locked": {
         "lastModified": 1677063315,
         "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=",
@@ -1923,7 +1794,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_16": {
+    "nixpkgs_15": {
       "locked": {
         "lastModified": 1763934636,
         "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
@@ -1939,17 +1810,33 @@
         "type": "github"
       }
     },
-    "nixpkgs_17": {
+    "nixpkgs_16": {
       "locked": {
-        "lastModified": 1692638711,
+        "lastModified": 1763835633,
-        "narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=",
+        "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15",
+        "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_17": {
+      "locked": {
+        "lastModified": 1720957393,
+        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
         "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
@@ -1973,16 +1860,16 @@
     },
     "nixpkgs_19": {
       "locked": {
-        "lastModified": 1720957393,
+        "lastModified": 1763934636,
-        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
+        "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
-        "owner": "nixos",
+        "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
+        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -2004,38 +1891,6 @@
       }
     },
     "nixpkgs_20": {
-      "locked": {
-        "lastModified": 1763835633,
-        "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_21": {
-      "locked": {
-        "lastModified": 1763934636,
-        "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_22": {
       "locked": {
         "lastModified": 1763553727,
         "narHash": "sha256-4aRqRkYHplWk0mrtoF5i3Uo73E3niOWiUZU8kmPm9hQ=",
@@ -2051,13 +1906,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_23": {
+    "nixpkgs_21": {
       "locked": {
-        "lastModified": 1764445028,
+        "lastModified": 1763618868,
-        "narHash": "sha256-ik6H/0Zl+qHYDKTXFPpzuVHSZE+uvVz2XQuQd1IVXzo=",
+        "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a09378c0108815dbf3961a0e085936f4146ec415",
+        "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942",
         "type": "github"
       },
       "original": {
@@ -2067,7 +1922,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_24": {
+    "nixpkgs_22": {
       "locked": {
         "lastModified": 1763966396,
         "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
@@ -2083,7 +1938,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_25": {
+    "nixpkgs_23": {
       "locked": {
         "lastModified": 1762977756,
         "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
@@ -2099,7 +1954,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_26": {
+    "nixpkgs_24": {
       "locked": {
         "lastModified": 1763966396,
         "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
@@ -2115,7 +1970,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_27": {
+    "nixpkgs_25": {
       "locked": {
         "lastModified": 1761236834,
         "narHash": "sha256-+pthv6hrL5VLW2UqPdISGuLiUZ6SnAXdd2DdUE+fV2Q=",
@@ -2131,7 +1986,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_28": {
+    "nixpkgs_26": {
       "locked": {
         "lastModified": 1751274312,
         "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
@@ -2147,7 +2002,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_29": {
+    "nixpkgs_27": {
       "locked": {
         "lastModified": 1754800730,
         "narHash": "sha256-HfVZCXic9XLBgybP0318ym3cDnGwBs/+H5MgxFVYF4I=",
@@ -2195,22 +2050,6 @@
       }
     },
     "nixpkgs_5": {
-      "locked": {
-        "lastModified": 1759652726,
-        "narHash": "sha256-2VjnimOYDRb3DZHyQ2WH2KCouFqYm9h0Rr007Al/WSA=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "06b2985f0cc9eb4318bf607168f4b15af1e5e81d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-25.05-small",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_6": {
       "locked": {
         "lastModified": 1763678758,
         "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=",
@@ -2226,7 +2065,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_7": {
+    "nixpkgs_6": {
       "locked": {
         "lastModified": 1763966396,
         "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
@@ -2242,23 +2081,23 @@
         "type": "github"
       }
     },
+    "nixpkgs_7": {
+      "locked": {
+        "lastModified": 1763966396,
+        "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs_8": {
-      "locked": {
-        "lastModified": 1763966396,
-        "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_9": {
       "locked": {
         "lastModified": 1763934636,
         "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
@@ -2274,6 +2113,22 @@
         "type": "github"
       }
     },
+    "nixpkgs_9": {
+      "locked": {
+        "lastModified": 1748929857,
+        "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixt": {
       "inputs": {
         "flake-compat": "flake-compat_4",
@@ -2370,7 +2225,7 @@
     "nswitch-rcm-nix": {
       "inputs": {
         "flake-parts": "flake-parts_3",
-        "nixpkgs": "nixpkgs_19"
+        "nixpkgs": "nixpkgs_17"
       },
       "locked": {
         "lastModified": 1721304043,
@@ -2389,7 +2244,7 @@
     "nur": {
       "inputs": {
         "flake-parts": "flake-parts_4",
-        "nixpkgs": "nixpkgs_20"
+        "nixpkgs": "nixpkgs_18"
       },
       "locked": {
         "lastModified": 1763996502,
@@ -2574,14 +2429,18 @@
         "nixpkgs": [
           "nix-topology",
           "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nix-topology",
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1765911976,
+        "lastModified": 1730797577,
-        "narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=",
+        "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "b68b780b69702a090c8bb1b973bab13756cc7a27",
+        "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9",
         "type": "github"
       },
       "original": {
@@ -2617,7 +2476,7 @@
       "inputs": {
         "flake-compat": "flake-compat_7",
         "gitignore": "gitignore_4",
-        "nixpkgs": "nixpkgs_21"
+        "nixpkgs": "nixpkgs_19"
       },
       "locked": {
         "lastModified": 1763988335,
@@ -2641,13 +2500,11 @@
         "emacs-overlay": "emacs-overlay",
         "flake-parts": "flake-parts",
         "home-manager": "home-manager",
-        "hydra": "hydra",
         "impermanence": "impermanence",
         "lanzaboote": "lanzaboote",
         "microvm": "microvm",
         "niri-flake": "niri-flake",
         "nix-darwin": "nix-darwin",
-        "nix-eval-jobs": "nix-eval-jobs",
         "nix-index-database": "nix-index-database",
         "nix-minecraft": "nix-minecraft",
         "nix-on-droid": "nix-on-droid",
@@ -2657,21 +2514,19 @@
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
         "nixos-images": "nixos-images",
-        "nixos-nftables-firewall": "nixos-nftables-firewall",
+        "nixpkgs": "nixpkgs_16",
-        "nixpkgs": "nixpkgs_18",
         "nixpkgs-dev": "nixpkgs-dev",
         "nixpkgs-kernel": "nixpkgs-kernel",
         "nixpkgs-stable": "nixpkgs-stable_3",
         "nixpkgs-stable24_05": "nixpkgs-stable24_05",
         "nixpkgs-stable24_11": "nixpkgs-stable24_11",
         "nixpkgs-stable25_05": "nixpkgs-stable25_05",
-        "nixpkgs-stable25_11": "nixpkgs-stable25_11",
         "nswitch-rcm-nix": "nswitch-rcm-nix",
         "nur": "nur",
         "pre-commit-hooks": "pre-commit-hooks_3",
         "simple-nixos-mailserver": "simple-nixos-mailserver",
         "smallpkgs": "smallpkgs",
-        "sops": "sops",
+        "sops-nix": "sops-nix",
         "spicetify-nix": "spicetify-nix",
         "stylix": "stylix",
         "swarsel-nix": "swarsel-nix",
@@ -2794,7 +2649,7 @@
         "blobs": "blobs",
         "flake-compat": "flake-compat_8",
         "git-hooks": "git-hooks",
-        "nixpkgs": "nixpkgs_22"
+        "nixpkgs": "nixpkgs_20"
       },
       "locked": {
         "lastModified": 1763564778,
@@ -2828,16 +2683,16 @@
         "type": "github"
       }
     },
-    "sops": {
+    "sops-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_23"
+        "nixpkgs": "nixpkgs_21"
       },
       "locked": {
-        "lastModified": 1764483358,
+        "lastModified": 1763870012,
-        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
+        "narHash": "sha256-AHxFfIu73SpNLAOZbu/AvpLhZ/Szhx6gRPj9ufZtaZA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
+        "rev": "4e7d74d92398b933cc0e0e25af5b0836efcfdde3",
         "type": "github"
       },
       "original": {
@@ -2864,7 +2719,7 @@
     },
     "spicetify-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_24",
+        "nixpkgs": "nixpkgs_22",
         "systems": "systems_5"
       },
       "locked": {
@@ -2968,7 +2823,7 @@
         "firefox-gnome-theme": "firefox-gnome-theme",
         "flake-parts": "flake-parts_5",
         "gnome-shell": "gnome-shell",
-        "nixpkgs": "nixpkgs_25",
+        "nixpkgs": "nixpkgs_23",
         "nur": "nur_2",
         "systems": "systems_6",
         "tinted-foot": "tinted-foot",
@@ -2994,7 +2849,7 @@
     "swarsel-nix": {
       "inputs": {
         "flake-parts": "flake-parts_6",
-        "nixpkgs": "nixpkgs_26",
+        "nixpkgs": "nixpkgs_24",
         "systems": "systems_7"
       },
       "locked": {
@@ -3245,7 +3100,7 @@
     },
     "treefmt-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_27"
+        "nixpkgs": "nixpkgs_25"
       },
       "locked": {
         "lastModified": 1762938485,
@@ -3263,7 +3118,7 @@
     },
     "vbc-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_28",
+        "nixpkgs": "nixpkgs_26",
         "systems": "systems_9"
       },
       "locked": {
@@ -3341,7 +3196,7 @@
       "inputs": {
         "crane": "crane_3",
         "flake-utils": "flake-utils_8",
-        "nixpkgs": "nixpkgs_29",
+        "nixpkgs": "nixpkgs_27",
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {

flake.nix

@@ -11,28 +11,13 @@
   };
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    hydra.url = "github:nixos/hydra/nix-2.30";
-    # hydra.inputs.nix.follows = "nix";
-    hydra.inputs.nix-eval-jobs.follows = "nix-eval-jobs";
-    # nix = {
-    #   url = "github:NixOS/nix/2.30-maintenance";
-    #   # We want to control the deps precisely
-    #   flake = false;
-    # };
-    nix-eval-jobs = {
-      url = "github:nix-community/nix-eval-jobs/v2.30.0";
-      # We want to control the deps precisely
-      flake = false;
-    };
-
     smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1";
     nixpkgs-dev.url = "github:Swarsel/nixpkgs/main";
     nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version
-    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
     nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05";
     nixpkgs-stable24_11.url = "github:NixOS/nixpkgs/nixos-24.11";
     nixpkgs-stable25_05.url = "github:NixOS/nixpkgs/nixos-25.05";
-    nixpkgs-stable25_11.url = "github:NixOS/nixpkgs/nixos-25.11";
 
     home-manager = {
       # url = "github:nix-community/home-manager";
@@ -51,7 +36,7 @@
     nur.url = "github:nix-community/NUR";
     nixgl.url = "github:guibou/nixGL";
     stylix.url = "github:danth/stylix";
-    sops.url = "github:Mic92/sops-nix";
+    sops-nix.url = "github:Mic92/sops-nix";
     lanzaboote.url = "github:nix-community/lanzaboote";
     nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05";
     nixos-generators.url = "github:nix-community/nixos-generators";
@@ -75,7 +60,6 @@
     dns.url = "github:kirelagin/dns.nix";
     nix-minecraft.url = "github:Infinidoge/nix-minecraft";
     simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
-    nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
   };
 
   outputs =

hosts/home/aarch64-linux/treehouse/default.nix

@@ -2,9 +2,13 @@
 {
 
   imports = [
+    # inputs.sops-nix.homeManagerModules.sops
     "${self}/modules/home"
+    "${self}/modules/nixos/common/pii.nix"
+    "${self}/modules/nixos/common/meta.nix"
   ];
 
+
   services.xcape = {
     enable = true;
     mapExpression = {

hosts/nixos/aarch64-linux/belchsfactory/default.nix

@@ -5,7 +5,6 @@
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
-    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   node.lockFromBootstrapping = lib.mkForce false;
@@ -13,6 +12,7 @@
   topology.self = {
     icon = "devices.cloud-server";
   };
+  swarselmodules.server.nginx = false;
 
   swarselsystems = {
     flakePath = "/root/.dotfiles";
@@ -26,14 +26,7 @@
     isNixos = true;
     isLinux = true;
     isCloud = true;
-    proxyHost = "twothreetunnel";
     server = {
-      wireguard.interfaces = {
-        wgProxy = {
-          isClient = true;
-          serverName = "twothreetunnel";
-        };
-      };
       garage = {
         data_dir = {
           capacity = "150G";
@@ -56,12 +49,10 @@
   };
 
   swarselmodules.server = {
-    wireguard = true;
+    ssh-builder = lib.mkDefault true;
-    ssh-builder = true;
+    postgresql = lib.mkDefault true;
-    postgresql = true;
+    attic = lib.mkDefault true;
-    attic = true;
+    garage = lib.mkDefault true;
-    garage = true;
-    hydra = false;
   };
 
 }

hosts/nixos/aarch64-linux/liliputsteps/default.nix

@@ -1,25 +1,14 @@
-{ self, config, lib, minimal, ... }:
+{ self, lib, minimal, ... }:
 {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
-    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   topology.self = {
     icon = "devices.cloud-server";
-    interfaces.ProxyJump = {
-      virtual = true;
-      physicalConnections = [
-        (config.lib.topology.mkConnection "moonside" "lan")
-        (config.lib.topology.mkConnection "twothreetunnel" "lan")
-        (config.lib.topology.mkConnection "belchsfactory" "lan")
-        (config.lib.topology.mkConnection "stoicclub" "lan")
-        (config.lib.topology.mkConnection "eagleland" "wan")
-      ];
-    };
   };
 
   swarselsystems = {
@@ -42,6 +31,7 @@
   };
 
   swarselmodules.server = {
+    nginx = false;
     bastion = true;
     # ssh = false;
   };

hosts/nixos/aarch64-linux/moonside/default.nix

@@ -1,16 +1,80 @@
-{ self, lib, config, minimal, ... }:
+{ lib, config, minimal, ... }:
 let
   inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
+  inherit (config.swarselsystems) sopsFile;
 in
 {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
-
-    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
-    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
+  sops = {
+    age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets = {
+      wireguard-private-key = { inherit sopsFile; };
+      wireguard-home-preshared-key = { inherit sopsFile; };
+    };
+  };
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    tmp.cleanOnBoot = true;
+  };
+
+  environment = {
+    etc."issue".text = "\4";
+  };
+
+  topology.self = {
+    icon = "devices.cloud-server";
+    interfaces.wg = {
+      addresses = [ "192.168.3.4" ];
+      renderer.hidePhysicalConnections = true;
+      virtual = true;
+      type = "wireguard";
+    };
+  };
+
+  networking = {
+    domain = "subnet03291956.vcn03291956.oraclevcn.com";
+    firewall = {
+      allowedTCPPorts = [ 8384 ];
+    };
+    wireguard = {
+      enable = true;
+      interfaces = {
+        home-vpn = {
+          privateKeyFile = config.sops.secrets.wireguard-private-key.path;
+          # ips = [ "192.168.3.4/32" ];
+          ips = [ "192.168.178.201/24" ];
+          peers = [
+            {
+              # publicKey = "NNGvakADslOTCmN9HJOW/7qiM+oJ3jAlSZGoShg4ZWw=";
+              publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
+              presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
+              name = "moonside";
+              persistentKeepalive = 25;
+              # endpoint = "${config.repo.secrets.common.ipv4}:51820";
+              endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
+              # allowedIPs = [
+              #   "192.168.3.0/24"
+              #   "192.168.1.0/24"
+              # ];
+              allowedIPs = [
+                "192.168.178.0/24"
+              ];
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  hardware = {
+    enableAllFirmware = lib.mkForce false;
+  };
+
   system.stateVersion = "23.11";
 
   services.syncthing = {
@@ -73,15 +137,7 @@ in
     isBtrfs = true;
     isNixos = true;
     isLinux = true;
-    isCloud = true;
-    proxyHost = "twothreetunnel";
     server = {
-      wireguard.interfaces = {
-        wgProxy = {
-          isClient = true;
-          serverName = "twothreetunnel";
-        };
-      };
       restic = {
         bucketName = "SwarselMoonside";
         paths = [
@@ -99,7 +155,7 @@ in
   };
 
   swarselmodules.server = {
-    wireguard = true;
+    oauth2-proxy = true;
     croc = true;
     microbin = true;
     shlink = true;

hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:t3En0FAhzVnLIv9tuvrTtmYMGeKvZ5e3FoVZHlEbHsmvUlVl+t1Po2uANatzIeKX3HRZJ1mURXMKh7Xk9O9DsKssadBYa2YqZTugU5m9o4+xESQlqHlnnKALaiyfSXFlhAZ6X50e8nfPCDLicjKzQnk7S/0XMaFB7XN9T4SfonVLElHSZtmOC+85WgAn4uAyfPq44UDVw116g7ogpjztsCG3deqTxP/mcY5trtk+SCEEHLHO6AiEe+Jz628Z+t+3YttQMKQulrakUzzvP07jQhW4m8X1cQOfX2xeTVTwNiqEq75Pt7g+mycKO952BVmMPYIvQAU2xUNC3YIqaFHUDS2QbooAeSJq8TT/s/zM/tjXXLsA7EsFTcduDKDGXhBFt7AlicruhymgtuGv2IwQLeprytRpwz2wcWFGLeiOKp/Zdqwf/3yhGeYlOEv+yhCXI2oZxS+8q4Vu0ejDkTtSeGzm5EtTrxzmS4X2psq2In+9Jb70TrkutAA6F50VyKJV6WQX7Q9yFU6Z6URHlxpwOUzwpto4Z3gxOn9Hm9VyrhTSJZ7sjd9sYf0WO4CJpUYrTu5/ZRcdy8i6Wu2GA/ylt+XXsG1yicgPxDvUcWSg6VfD5/tSTEHtUUVD/sAf7xl/sPcd76Z1DFfgkfA/s4BbbyZKzaZpAz1WYTuhambFpKWDY8YKCoLZdSCahP0jupm3OcnNw7ZCYu43k2JHp4X1mW0gb4TPvIGOcpC+pJvLsa2Q4AUAt4eUmlMCogJ7R89LPLy3fTYDeQV9ly6Z54N70kfsJVCuzrqOjFS4WxqJPZZ4HcRth4JmFE0mcCDsWQVOGJdJmShFxr7kijEoAyfrrZeRG29PgU+2CCcm2dvswJ8DdEtI4E8i/tOwQlHpUmWAM5dFFvKWZjxd89tofYyB/mrAQwXhD7+9Yu4KJM1C3v2IbrvkOgaSMVL7Ekn5YqU+g2BfGYQbkCYMM3DLpllTMGjiMFeOLgvHPAhA3ozR0KxJUaUVZe5B5XscA1xaKedl3hDxR6A9r/g1EQvv7F0n1rWpJvMVSZ3oo8YmzO2DKDwsfKglkR3TrmvQyPvwO/F5wnKMb2+GWh0EmeQLcxHldB6j5CpAj6O1AqfOZjZNcFc8/RfAdLS+OMXgNaWvahVjlPKqI17zLTSJCaCF8KP/T9Chj90l5XqgPsV0t6bPDueOrBOrieQD8UKOjQHR/fgSunjZQrVfYgDBTilb3UyGJ3sqlL9zcTjTgLkNSkNd41EmnCm6SdB3RpQb1fcXfzuCp4bD5Ty01PU380YWXXkAinXDP8961uexWryckhsCqkfbdDnjti3CPfEOBWc6u1R9cI6oLZRw34NpY/4z/fuLAnxgjEgwLAQLG0am/tT1ySH/Cmfy,iv:aa5FNi/z0WnPHFsLUk3odDnghUq7YyA9U6nI71ug4fI=,tag:kd3TDY3mWiEEXsB9RopnUg==,type:str]",
+	"data": "ENC[AES256_GCM,data:jGfSfCOqW+p24TaH0vlcNImiY/Pu9YhdIwri4N4RvG64f1fmfNV3z6LmoShCYBfIWF2P7DvOa92dPY2ek9UiC1bEmiMtc/scpGxpir4WNuMLUtMWb0IGmnhtzq7fRAH5FkYLJBSW7pAgVsoajRGbo8Dbk5Dqcm75Pfj2YcC79oAckYt3vSzBcskgJ+ccdCfJ6vDlnAilay/GatZbIQmbEefOi9Rplfln8Ounj/hH+Z6zat04+rI5Lj8bTPu7NOeUlUmgoApuJSFafTb3zgxqnvQL5axOgIaJqiXFWhIf5httmu0mjhJupMXxt14IXgKe+ESAZFF8hWHHUNOpE8gEt5tPRQ1hqA7eHoGSYCrEQK9rSXRweO9LCfGV1+UduXgX1hKgwKDS4A5u69MvcpXQoSYX33ZzuwY7tbykb1tbEb3jN2BOSCBB2ZKHRfsTMqAHTE1RekcBArMxp7+8BkM/oww8RTMJ3I8tcU3QAr/LoFvKwvfIVrbT9gSlKSZUeoBc0WMzmRdjXhAZmQe2pb/TOFmPm31ih/E98zKA8PXhNrqjzEVN99lfn/NKsOLd9a8LXK8XoTTueTWqENEdJRx6dHpWuqBy5GdkrDVCRzgiO3Hpkwg56nPmCGoD5o1IgnRLJItNYrIRejIRaISjlefpezCMYIGMIx+CusvAwiOuuWT6kNfDnaK1U4P3Ndk39lsz8Eg2GMruc4VZ3kpTCeQdvbl/jmFwNMPtzJYooiDualIAL95iZU+RW/K+2g3ZA/Q/gJrc+hB6I+z3PzMod5015Oj0FG97XQzn2TeBD1fuO8UtyxSNajGD3ZK3Laa5QrSNUrzlf7YONSn98Z8OqKsAz+D/vnr0Lg4kjrrhYvN6GpR/QqMnNZT7m4d/oxACDycao6ZUDNE/dvuXSA4nSJp+5cxDXjgSMhnOgS7/gCiLhEBkLwzwdexT/e5vGcqqMmyeMK8vSFsPpRoPv26nsyRalwctY2ClX5KrEEckHNf+p9djB7eJDyLxXkPRLm0yp3dcmcEyk0tUffpcJ6zqWnlm46yfAf29fmIJfQWJ8ehSY+bYwDnx2LmCPcfH+sRSSV2Y1Ay22ry9rVJU88SuRdSPsHOitCuu0TQU56Su0wG24ilh6Bq4Dk+0JxlL3wyPWsnoaYvaRiJ6cs3j0tTwwxepbwiakLzWnVcqHDSoQ+Bn0T4CmcF5ztmpuLZSe/UXA48k77JmbT8vne0ig+kVfRuKhG+qV6g+GnxTIPPXGzQ1hWTS3Fg8YBMt1XYyjX3xa218agvPwLhCru1v3dAfHKk6N8G6SN6EN78RQmJApjSHAGFO,iv:a18hH0e5s4BTTlVIkQT34z8a2jELj59ZHhBbb93o3t0=,tag:sj4baRiZic6sWnJXjhL7TQ==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-04T23:10:31Z",
+		"lastmodified": "2025-11-27T14:12:09Z",
-		"mac": "ENC[AES256_GCM,data:gNsVWFrs92csjnRvhtXcKLuZUiHo9dxpFRLwjWz7VQSLeOBL4iv+Hq3SNyx4F69AC2nr9HL1QTLzX+444EhDYot0jLqOH6xz/FaQPf6OXKHg+Nr05MUe8X2QsLjodOW81Vv7HqIMypU5dyt0FBr74++9oEz6072AuFl5JAUWIvo=,iv:tGX+wUKvWYOnxVCTqhra7tg+r+TT8tyAr1tlRP2FkWA=,tag:WI5D0FTguiCJcrQh47qJow==,type:str]",
+		"mac": "ENC[AES256_GCM,data:6CqpegjS90H6fAllBsvz3d/y4MpNyMUo+v1sby4hHHw36GlQvnULHuv8dhXrlYaE+L21aoz1RITl7IEtNl/R8zjGh8b0dGIc2iUa2M5dNvHNPMTuucAEQPuEEvTiwI72winpEkdB86fHFFHvBwHwmlNVFJYx5b9bNlpjCofewQI=,iv:qOv8s8j5jOtcoKzgN/HkXvIsS/sk/DFZ4lcEKBLsrKA=,tag:ifXbcFGzpJ+DSJPkvaX0pw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-13T20:12:55Z",

hosts/nixos/aarch64-linux/stoicclub/default.nix

@@ -1,16 +1,17 @@
-{ self, config, lib, minimal, ... }:
+{ self, lib, minimal, ... }:
 {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
-    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   topology.self = {
     icon = "devices.cloud-server";
   };
+  swarselmodules.server.nginx = false;
+
 
   swarselsystems = {
     flakePath = "/root/.dotfiles";
@@ -26,8 +27,6 @@
     isCloud = true;
     isBastionTarget = true;
   };
-
-  globals.general.dnsServer = config.node.name;
 } // lib.optionalAttrs (!minimal) {
   swarselprofiles = {
     server = true;
@@ -35,7 +34,6 @@
 
   swarselmodules.server = {
     nsd = true;
+    nginx = false;
   };
-
-  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
 }

hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc

@@ -3,16 +3,16 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm",
+				"recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzclI3dlQ1dUY3WGVYL29E\nSGhZV3VMcm5zYmRsTHVlM2wvNFVyMy9CRlh3CkQrZEIvMyt2TVdXQUJJT21mY0lF\nZU1oakIzOWduU3pNeWVvcFMzNDBFTTgKLS0tIDF6YTROOHBjUnBkVklPQjFRQ3pX\nQWtlYi9iOFFjNUFrSUNMZGJqT1pTVEEKFesEHZQjpenLp3oBQwxDcMv1pEAReXQs\njT8ydzfTuvIP6bXu6lcJe0J90NVZ36qBZ2fTs/RqvZbvM0oufb5/VA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZzY0QVQ4ZUxxZkdhQ2Zn\nOHpmTnRaR0R3cXh2Z2JFM1RDVDB2QnE3M3prCm43NjQyOS93UTZKaUlUUmhVcTdG\nUWp1YU1kVmZPc0tBN2FMY2FFVkI1a0UKLS0tIFovZi9FQlhMaXpvcnRYN2FiSm16\nTzJESjNyZ1NzajJRNDR6ZTd2TitoQTgKe2hC6OpYIzgqzhmeJuHWe0yXNE+/Ek26\nGt7s1B6OKnrj+S3es84ePOjAbLHr/ez282b/h0y55ws4R7jMemUIrQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-12-01T12:12:55Z",
 		"mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-12-02T14:57:22Z",
+				"created_at": "2025-11-20T01:03:05Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RNM47rdREvCOPQ83++DSlGWeoGlVeFvM4a1og2Nkzoq9\nLKsZh6bQP2SC01UOD4UDKBcT7PoQU86xePjV1ze6nejo+L0twrhQNT76jAw5OhFh\n1DkOVnUpcjZE3aBxDa6g79qVKfp31i6xfvgjipF4SMGpSlZuMLKL+nTL1357HXU+\nzQKPwSLymDq7EdxnCUwTGx8rVI59j4hyEwinxZhbQYiiHQpTQ3AHDu3oBO64daPh\n7WEmMShU4I9PIdvie7sRK3txZTcjM759m9B3Fm+KEWZXO/bQXjy9/Kab5WlEWwFK\nP7aHLin53wc6HMZjset3o61i/FPeQdm6IVoUujjuSI6076OqsWv7fQp9NApftCko\ns0yNY0RMgRpOQNho5Navr71eH6X8QujrEkCGzVqHm16issJUJkw95tlj9q4qghSn\na4RCUmgfToQYvL9ahNTfqP2S1xqI4hbP0elBXbrMUJ7iYOWOLwEPCgmuoTyw+RXD\nA5P/HDEvgnkVxB4vdzfcQjgVtR01nG5rAcclec9gXZg8Q3K0b+MoKOhdvTucRNek\n8+t3XEzTBBjPdaIhW8038qbCueuetsWNjb7B3Km/muQ0CnTzQ45GWozKdDC2qB69\nS9z1KIn9FrmGxCd5hrL9fbwJpisdtOD0foQKoD6X2B+h9KqORWbSGLXfxRo2uBOF\nAgwDC9FRLmchgYQBD/0Y8owdtA5dgxv6W5lej/sT7+PSc2fvIQVQvvYTrT2wJxc5\nrTX49HtIFxPwGdwBHH6Z3oLZjojpX7u8bm9+ewD7sOsvC3PLsKfrvx3naUnEZrww\nzKC762LWiYS3qlFR1QAbPWDjJSi7rDqFkQhGMP59MDOifYOLCbSQQpdTCMYC550I\nmljenkA5nm6sdYnHa54hkyiWzGSO+pAv531X5GMaTvHB3+Fy8QA5o3/+ZpNtVieG\n8RAbvqeH8PyTZsc2GW2D6WfudB4jrhvYBio4T8+5/3Fg6pWIq4pmi4o0F8I8BaAi\nuL90IEtSeFQSytg/EL0JtFxMBy8ImlE/SAfM4Y6UZAbiWBykmrD9TM5IPMUbMTT6\nxwfhcsQ97m9sRT2TWSrxp2Q+k/BQxVK+AbOaxEtWqqOUnWG4sskw8DQ+qAU5v0yC\nGH46gbklEYDmvYMY/kLXSK4iYJ0UmXNhB+DuM0WihQJ22PUPZy6YGWjwPgxjoYXZ\nbfoRjzb5N6etY/W3QjGbzhy7H+JLKXZbq+DLtH5A3Wya09ilpf2cy6FWD+o857op\nKdfybFtXZIBTZWjRQSeLOL+a157M5c6MFC/xr7E18qqL6xl6v3jgF05SZ72bcGVG\n2zvTWnAV1Y+oH8NhRb0i2uyZCEWvv8MRrHJFypcUqImAJylGnYu8lwicGXA9C9Je\nAZ6JqTMkc6Ji6AOzY75gP1lPQNv0HrIbE6RzZyAX41WDB+0okERps2IZF7HSb5/7\nVAXUR2QRmqagMf/qV3iNDQS/kuwGiv/2WTXAtm4446/mpdkaKf+gN7dgcJf84A==\n=eXQe\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//eTxMD8ZbwJUqVsi1IKK2qdprLTjE0rqdDue+OvP0V+Ns\n1uTnw+b2UBykbIofXcG4P61OxAFdEs8whiIdffQtkDTkOgzV9IQCBOSGxZGEJXMe\nrl5BZLlF98JZ5R15v8V8vMwWwtC90GZ7gZLDV+yZz40Zqm3mTrFz/3PERukwu4Gb\nLTJDOsGmpooyI8KnrIsBhfEwo7/ouAayuKQfvt2i2Tngk9Em73R91BlpcxsOEmqr\n5KWA4GCsjUOmZZKLj2vyENPgQh8t8bP5fGJ3Rf4J1MCWAB89omcE0aRWId/l5sdA\n/Nxinh3xQsiXHPzPLZQ+UjHs+MjNdUoZapoDBP84j2tHsSxh0RMRhlHpESDWq3Mm\n1acWrChyyds6Lz5ZqkioqvAZ3lslS0kPdQqfsLzYWBhA9kLOIJKYfat+vxsAPwAa\n6kceXtxSzUpThtDUPDibjomn7Mrj7ZoHhiJZup/M27glf/V4P3zk+ctpXMSIE7Ia\nQ/jgRDzpcs+u05RsP32jFbCAfi//WxRo77MoxGMJxDhYibBp+aRkFAgVYiElhxbt\n/NedcIAHSJZFyDPm0wn411+DPnUTPn9D9LCkmSG68ZeGDGZJl7Sz3bJ3obWWecTG\nBjqxMZVwRuU2gdg1IwempP9u1dP0Q+g8B3veui/gczGx3J5kvNv8hnUBTeUl2EyF\nAgwDC9FRLmchgYQBD/oCciOvXMrH9/hWIIYb1sKiuCmgdVfs7H0q92XdVNgkbPRz\nXAakX7dl5cZt748u/eCHlGUGr4q7yA1tDx9Vm/J+O2HljN3lBVCbm7HP+YcI+5g0\nvvxr0cIPtr5CXlZz6hJjTgzE4HfEKagGdjgllbHYBB+0rtq/2pZTa20fG0w4coeI\nB/D0iVFwyuM3Wxt/7gXpPtI+m/3qt8QoFIGsZkck7X5hdJwGF4DD5jKxYB28s5Hc\n4ZBG19jezjMIVJUGE58TTVDTvZvJ5Vaw2RizV8DRkFS3q0UIOapOESpZiRnoOqA1\nDQpAU26RSEj8wlYsgNrVWUpdwlYs5e3EWYNkGROTRSB/dGcCSVF31A76W7af+6uv\nwZdMCrAGlD4GBj/yojdnqstfB2Jxu99VubcImWKfaJEXYx5xoREGmK9+t896GJi+\nE8mjiMOMRZFV2n2nwTxAFMaiDJ+VpKpKGVKCOSDwqsePhY/A4kb+N1nnhutmSl/v\n1SCDDvC9+jYNLUC1IaJfFOrNClA43IdJELOAavRx2t1RdyfyOx3D8rrWhF4+NB9Z\nlAc2e7hOoP/OEtf4YjZWq3dQtWSdwePWBxD9xyvF/kEmd2NcezqdfggH3g84qBxy\nUxBDD3ojMMAXlkPU3hRiDeLd1mHxDizVxqYkIYDSeAKtuv2ECH8y7/mv3sKrFtJe\nAQvSMW7gOmIdtQaIpsXHMxzXf+Nv0l3dZeWYD/TnVvoeVOaRQ9dHrtl3J0U9UN3j\nBOJdFaptlS4SIRkva6v6srrM7dXKvjR6IabdzaWl098VW9RFD+YGJ6ZhuQ+zOA==\n=l0k2\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/aarch64-linux/twothreetunnel/default.nix

@@ -1,22 +1,16 @@
-{ self, config, lib, minimal, ... }:
+{ self, lib, minimal, ... }:
 {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
-    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   topology.self = {
     icon = "devices.cloud-server";
   };
 
-  globals.general = {
-    webProxy = config.node.name;
-    oauthServer = config.node.name;
-  };
-
   swarselsystems = {
     flakePath = "/root/.dotfiles";
     info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
@@ -29,20 +23,6 @@
     isNixos = true;
     isLinux = true;
     isCloud = true;
-    server = {
-      wireguard.interfaces = {
-        wgProxy = {
-          isServer = true;
-          peers = [
-            "moonside"
-            "winters"
-            "belchsfactory"
-            "eagleland"
-            "hintbooth-adguardhome"
-          ];
-        };
-      };
-    };
   };
 } // lib.optionalAttrs (!minimal) {
   swarselprofiles = {
@@ -50,18 +30,7 @@
   };
 
   swarselmodules.server = {
-    nginx = true;
+    nginx = false;
-    oauth2-proxy = true;
-    wireguard = true;
-    firezone = true;
-  };
-
-  networking.nftables = {
-    firewall.zones.untrusted.interfaces = [ "lan" ];
-    chains.forward.dnat = {
-      after = [ "conntrack" ];
-      rules = [ "ct status dnat accept" ];
-    };
   };
 
 }

hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:mQPfK2Dh2ACae0a+1GRHY/CV0JpHH8JO+td+RR17UXyq5v/OF6YDfS7loIpQvImEAs6AvIzIdyq0848Fh/34kh/K2ZAq4AknW9jQx5YyP4nbk8/q1/dk+95c0u98WnN6mw3BFHHesKYCfGy82GMnu00Ffxu7WSYzTKxq6yvROS7ugefRjsoMsuJcEeHmoIBgEIjXntGT4DxJjw4RhWPm+unSmce9SXfqbAuuizHm/S5URYvicIzalSITlfFBrpKWNxNe9fC2etDb/fB+uMpG28rmB98ov1W0X/W3JOUhASXVhB+YCau8XdIRPopEnkR4Wm1HD+exJ3CToJMgrdmv5Cj9rJoFI0jvApRpjBix5qDrTsbn3iWbv/QYuCnL8ulXY7nYtkmFjFCG3fLZ5G+6EVE+bZnh2V8KYAVM9moehNJ9Or4kGST5JWnIizFvAeeYef0xZtBMwv36Yc1JNAh3zlHP26lcXew+Ulxxcv07RmmV52jZMfWweyg4nXNumrbmy/GwingIhqN8wHrOD3Tu0HlvqmX5C5YRZg5iVU4lnAjKJc6XRn7B1GQzKeyE9HKagkrULQKGmqDlqEvEAp/9eW+rTR2Yho1QStK7J2RXFnWwpE4PH3cIfHWtwIv67yw+QWqj+lXMztHaX3RIRXGLyqnWtaLjMG+IIYytzaBt,iv:djDts0mzoVU6Cvf8KJb01CkHO+OrnIJyMhTfgJ8lZEE=,tag:JiZ2t5cBfSAKG0b1wAZCZA==,type:str]",
+	"data": "ENC[AES256_GCM,data:G3Q+Hn7QkvBZeXzNR+0Bax+Va5sK5E0K3hNTkdsNJx4C6pIwrBEBOt3IKv/c00QhpAnPqo9gbKqWU9gv7I56nEOwVtVH3lrMlbxNl9LIiSv9SvSxVkTOow2msSJV/U+1KpjNQ/LnOo2Fxebfz1yiRtgi7hSazzqzIazZAFBldlKkjLR5SFCG8t5s/nccqZU+cLmS7hJDS5LtgW1XeunqUY7jnKuh7gT2I6fPsu15Vy+YeKLmYIt0a20bWGePBIlyiGRtpnMgtIt5gk5+OpSndO8P/GMgUzRwRZEL1b8U57jbhkPLdnwwy/iV6rEFCD9i6qB0ufVW/euc+y5mN0dx8op9FwJVzkJhUIIy9Qbbc8WOjjjWlwbKJNkWfYX7pTtx+xfBKuPF+IwaoMS9j+C3etkoYe5QCr9YGYM5Xer/HL0otYNacQU5S0VqPBzDnLu7NxzB4i22,iv:aFPDBmZasoqEFCbhrRtA2QMB27khuT3rdfCGAafjov0=,tag:GQGuHL5aYPc98tzc6Bb5mA==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-30T14:45:29Z",
+		"lastmodified": "2025-12-01T22:45:54Z",
-		"mac": "ENC[AES256_GCM,data:/hfp7IopUWZSMequVWcpMup9lM/e5G3Qda+8zz8ecPMdMrbUqpzi43QAbiTvMC1Wa2DKWFOsZPilClJQfG0MMEYD4GWehd2C5psK5HOxS3h9pjE/AjctaCwu8RB71paK940W6NY8sCjOi+zm+Az4KDwkOl0R3ApaUMofV4hsg6M=,iv:d5Zy4HXtoSfRN4E0FHjT2vIWMY8k3G422ygVAZ7gXrc=,tag:a6UZVjb9kTj+8FZG1FIyrg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:b2sWPq+S5qqSM6lON+9A//LehgR7Wy7x8EfqeiFOFo9RT3niwaKjfp/Jnf6nKbXF43XM4dsn+dIX52fgxyd0KVLnJTqinhz97sSSs7hYFdXa2FGRhI+VwmuGVvr2ylAJODQgTn+MD7I+s/3DTfh6h0V47IZvxrUpYgg7tJrxzBc=,iv:g4XVN24+COVtRQPzTiI4iki1crjBUVc7vpnJ/vucd2A=,tag:gcnfSvPWvLqG2wTZELRMsg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-01T23:06:36Z",

hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml

@@ -1,65 +0,0 @@
-#ENC[AES256_GCM,data:Zj552Ho=,iv:uOiDvsLPsT3D6A1SLgDl8jbAyz5bK8s1h7mIc6WT10k=,tag:rTD510uyO65F/qcD/UTUpw==,type:comment]
-#ENC[AES256_GCM,data:a8v9FPS8GcZOyREs74GhUpnAZlYF9Q9lRU3ZdsYERajtDiGncywKPLE61PlnH8o/h+QkkWjpsjy+,iv:Ck+7CaYym5fT4uy44b8yLw+b1FDvvjxrxql3ed+B2as=,tag:sb7vA0tVe1G+TDcJLhQ66g==,type:comment]
-acme-dns-token: ENC[AES256_GCM,data:9AvuFB/nYm2H6JK+pKY0wD658dHGZyV9w8B/+PeTKb5PkFJGlqdz0A==,iv:DeH3sRv9hCzhy38jnXVeGlAbUeXWOwf2avdINWuhJb8=,tag:jXjmtG+uoTonlXSSKLkY3g==,type:str]
-acme-creds: ENC[AES256_GCM,data:X8qOlnbaQo2RE8MyMnI/1EsyyHl5t7TemUTRYqhuHGtFP4mK5+obd/S+VzscfVJqPkCY/faGAQXtbI7x9ST3AmxiCZEbuuV85OvrM+lz5muV16YNjovPxG5BsjI/ZzYZ2V7H9CiUQLvoZ9D652mvwA10wPnKrIpZ0Z8TFeC6vFx8vyin07IOQmNnfanUVMf46/axAR9KM9ksB0uJfsEo8WFmt5q0sfXRRe+qBtdgPgvn9ebeU++Tv8JpHTPSIoagh1PslabrsgNEcM8H4kzIsOly9uYmYCZ7X732vTKLRvimJ64+MLWw3+DCy2eX5sgrSRZw8r5F19P6a+gGBTy3TsW+Ql1dI468fayltXg1hiy8bD/WEXaEalaB2w==,iv:DkX6988ls3nc5aoLP8sQOXR2alXKuogRAXCtrj8/pVs=,tag:LTwZhUWgXfbLg3YxQGlZZQ==,type:str]
-#ENC[AES256_GCM,data:/+idD/eetpnX,iv:NNXMyIt6uUfT3JVU9g39xjUL71cw5UVmESKVIf54tqc=,tag:pz+D3tUk0gWTfAirJGhlkw==,type:comment]
-wireguard-private-key: ENC[AES256_GCM,data:m8fL4Y5TusV4imzcVqTmJZB0rlb+ndoH/Bl7KvbP/7awfR0FyDTmt81+3aM=,iv:qKT+61HLz8q/0T0nKvnV+wap/cvjss8THXupPNlotAE=,tag:cKrRuJjhVYdEWfrFEhUKZQ==,type:str]
-#ENC[AES256_GCM,data:IpoTYZX4KGjPA+hZ,iv:Hd1V9//M1f/10HQ7ZEEA9ZtuO8EBtY1kn3n28krYxpg=,tag:We6WirbRgSH1qOjC4g7spg==,type:comment]
-oauth2-cookie-secret: ENC[AES256_GCM,data:ZN44Kdai0hUgx0GduynlyMHDnZpdnp1SPAGEaNaNFHGMhM9Q5HPzotiNXQM=,iv:vsYhWriY5G4KLiJ12MLm26B7aBzCL5GAr+S15klH4Bc=,tag:t+MsS0Wgo5papvoeK1nk+g==,type:str]
-kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7GA==,iv:a/R6xlwGdrwJNc7qBoo0Zmlh7GkZ1+uU+RzOxRE+okc=,tag:3WpAVThFLXZFsCIl5xM0IQ==,type:str]
-#ENC[AES256_GCM,data:vm48D/CiRtw=,iv:7Vs8SfqqGEEU64ZqF3uvFIG7DnUfOT3kGqodiIbCwjQ=,tag:hdNZZUMTLIrAGydGSFfP5Q==,type:comment]
-kanidm-firezone-client: ENC[AES256_GCM,data:YD1lkGkg+HxqHrGsbIz2GRq/VMIJqOD+VQ==,iv:AJa/sVAC0s4hdfvQYf+/NaYTJaxO0fdwzNmmD7S+kc8=,tag:JSU6aX8kYbr70+YYwRV56Q==,type:str]
-#ENC[AES256_GCM,data:XS4Kqba//4tVSj8AzyLY19Milwl0w7UkTM48t8m/wyB/P8TgDerxJwOGJvz3uLZJX/EO0/4rKminMYSoMybRnNn4TVv9pa9uV3JEkUsGkFk2abMfBriAQjQgziwLbDZQJmnJs46YD5s+sYELN4MJtwFNg6NzEDATDMWuE4+loyxoqgF/lzG3OFGkDl1R2JkCIOU6NGRqTn8a4XpX+p8U5QrY2V4iBCXajGXrcqLfINYW508feq1TAUZazaNdA+RC2SMvq6Diy8mysP1p/5mGUpIATjmoDqN74Yc5uZAwaenI6jIsfcE4JP5lFy7dHWOfTQS/9MCsEsRN2LWuP0ivaKOgF79ykd4Tb19EACdhpkip8XV0hKHJMuyEr6zJ23dUNtBE,iv:lpA1sk5y4tSk6iXAjArtF4piJW5af3+tIwMos1BpPEU=,tag:479ZIsnwkSSFq+C2a0jHzQ==,type:comment]
-firezone-relay-token: ENC[AES256_GCM,data:QLQ444ocvL1yjXXslo6YzdPUasdt58Qztf6yv4UHh0AZtMVuOcDmUUXdI9Qz0i0J34zGbtcPw/Ac9CzxnF5sRj9v1D6RkfHf642vo2JxcnG+LExHzUFNEhTAXqgLvfdQhi89hQTjSfc/+ryDyf16tTJklX40VitqYLtTEW9CHSHhKrVr7Gx9u5qw1+j0voQbJEs/ojBwsnzNQ4Z7FJgWLBw9FMOQg9sap28m6fBFJNnUGaK2vIUQ1qPXQWyX1YTh6xd0nq/jyB9ctqQczYftgd+wkaEiyMjQJkNk22W/6P1M3biV4L52H7WVVhptB8yWa7TZUXD6GFi3cMTXhn0NhM5FsCJhXeGcnzNmBs8=,iv:RdVXYof5cSMM0WTAoh8SO3jTWyR+XTNmK0U4ezHu76g=,tag:nSw7ykFPYuHq/klTwlNpSQ==,type:str]
-firezone-smtp-password: ENC[AES256_GCM,data:WLj+kcidIMQIP6gPuuIrujA+fHypUpGUFg==,iv:kg96vVaGund6HcXoJltIma9ecv6tK9AxZJf8n62+9aE=,tag:g54wHPhD4qnHlKZQd+MPZw==,type:str]
-#ENC[AES256_GCM,data:aBNmUs9ZW+h5fDMVKdW3WQebJ8zmbHuYmNK9slZx5tZONTfnfnFRYjbzyqFTBKfC0bYjzLYL8AxXiEiPmBo2yLgbXtsOrVMoML3hD9Oi9T/7++BUBpbBQ31cC/EtnALumpes7+hO3DULm5tzWYc9qIz3yB9/gQzuKCqFOB6TCt/PwAKrVKNbcOihx/5xh04s6WyqfSUjWOOcHSY/ng2G7NeYRInLe6TgM6gGQGe2DjXCmNvgxJV2Mh78IWs3yA3aJ9VtrgF5R0PGoqHHZ8GfRZfYn7MBSW2dHztb0oLWux6bnO61Wnm8iDdR7xguQkNXPO0XXIIIO6AOL9duThXYjwQmieqYEEu1BmrvaQ4/tslLHX77axQCm1miwmZP9DoKor3yAziCBMa/pbU5JFlft4QZ2QGY7EreDfBVoDcPjCgA+gXuvq1VozPTiRH+y1hiulGlbGL0TmA=,iv:nsXYOxnWGceyB0aiv0Db7H+oD4hagzwQi96h4mGWD+o=,tag:n4p5Aoh7lYvCRDWRcc9tbQ==,type:comment]
-firezone-adapter-config: ENC[AES256_GCM,data:CPY6DPFJ0OZRJqY0u05rAoc9gfCvHY8fFXkSyKvC+VdjNkC4LwjSJkaBU7aBAyIVsLrLz7cS52fcFfwdnAp/6V7BUDE2qpRdpwuN0ZuTMrnFnmLIi0jy4JXcU5niiClSfulgRfY9Dw9f8oHdYiu+uziVhDdjThx61tNyW+OVMNsKv2avWKqotM/fhBf59hJDS0NwaFi10X4X9Z0Oljd9mHQw+LDJkSTX0dk=,iv:IRn5awskI2mZCzQka6VFvCaNnYATvj6yMH9UWs4vJus=,tag:3gbxkbfwS2mNLkVK9KmTUw==,type:str]
-#ENC[AES256_GCM,data:xZvu7VeZ8IVeiR94gfJR1BB34V1z8ou+YKRrIxlK+qJ8idgzEKXRiWCcdwC345UNIEuVShI8CT7+Bno9c2bllkkKwW4RhSEnMOYo3g+iouKB3p2iwRBX+OEZuWbpoZGDr1KpHLP+ypiTekNOAZgx4EmxQWFL78bBMswoPn/Tv5ahN1Gha75A9iO7nNQgjRIn62s4l+U1cMXDBBKUCIwcfg==,iv:V7G6wGFjSoKNGNuwW4i2U8+zKI8AQm+ATbSLls7688s=,tag:jQqxbMGaJ96fHvPj5Y0CTw==,type:comment]
-#ENC[AES256_GCM,data:td0zw1WORHtMvBO7IK06Of1PoG1QTMiDeJ8KSa4LpLrIgOPTdIg9TkU7UYPNxFD1bVGpU708Rs8Skmyz0v4y9S9H6PM9+4fVij5GN6uaLH/pfMXzaArD8SHbppYQGgpVqsq4kJ+sk02yAjvEM4BBfTpOEPgnu1CSmwlyjw0ysrCwq5YLOYqAQa9rT9uiVCL3FYWuuUzh7SPuRaZouGX2m/MdtQ==,iv:uetwzIK53P3ja94Jw/QDnrel61ducf907mZwB1yy6cQ=,tag:89IjmIvEQs7ayBmuvw3RFQ==,type:comment]
-sops:
-    age:
-        - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcDZzcEJTNE94amhZSEZk
-            Wlhkc0dXY0d5Y2Myd21YYURORlRnMDRlYTBzCkZ1UEhzSzdTZjJENzAvOHJBVFRH
-            MDBMb3VmTGhnUXhRRnpYS3p5NE5HYnMKLS0tIHpROEhpeDZQYUNJMkExTDBsNUh3
-            NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS
-            ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-31T22:00:22Z"
-    mac: ENC[AES256_GCM,data:wGGou+Jx0BV3fMI8gF3HL6VW05lz4CSBvjQF8WSbIHoykor4uthR0TN4ndanU3ZPjhU+NRNxIxTs2cFGJOH4YMIG6bGH0WIoFIfw3xkSIT/zAmfK33P7AUV8/vA45TZli5VHf6S/4CUqXfN91qezrMUiUVr+AEeqa/hbOMBO3j8=,iv:TRc4ci8KRF3ZHuqtafqP0AaRMHMlqnhB1psGbuL4zms=,tag:aTFxdF5qpkGEYvwwj7Q4SQ==,type:str]
-    pgp:
-        - created_at: "2025-12-01T23:06:35Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAwDh3VI7VctTAQ/+O2d2BMDS3DVPfUHLD69K6VsdewczQkPoskMrS5JeQn0R
-            gDhR318J311UMClomIIrgDlbleoKS9tdC1rM3DoCaGFq4MyydK4MLy0+6wme1n3a
-            ZyOsQ1jSpdgkWUfbalbxL9/cWtQBwfahXve39L+ocqb34KT8jeLcRNZWORWAst7X
-            a6fHFp4gZrTnOjn26TJc7dJxYGWQIWk3WBYpzC8kpqkMaIemIy0FHaObNYy3DvM0
-            Z++AYqmwEYiz+tG1bVRUZ1ck/z8kR+Zv1Wg0uVM5Jmg6rArrz75xSS297euPZhO3
-            bQwEdJ2rcrdaz5LHC6zgsDrVz5LsfoTxilOwIgsqSGqOBIGAN6XttZXjjul6MVyE
-            XBlHqqrCVlLl+OCumWC0U6vr/bcGV6CaMJPE80Rh//wThtvyKVFRQey8EmJH7IGx
-            vHtfOaOScJc0sCCyXOx4HBeeGAYq0ogSRTlgK6Z+kXx/MkYRHiw6Vdrw0anmFF08
-            7lYB4SPafnEB4m2IPz1390ZSDXWGT5QmrhpnajuILIIcWwe0mNPfDbLQWF6CZALB
-            UJs0XvM/gfXhnqVnkayTXc9IrIHkLoKwyMh1g+st+d0fAYaUD2Wd9BI+zi22m4iR
-            J7Mw0bMBciO4MRIZEEFsCvuv4UzFjQ4mO9ib6LXI7y51sIJuYPkq3lllkntFdCuF
-            AgwDC9FRLmchgYQBD/9F+tb1K7aKNq73pk2YTmzH+WR2Dr3+MxNgnQlnIJMxdoTi
-            QE3C9U9UaO5ngdHbnG3ruBQKjGhLI8meFMTJatPwuOFcHPN+I3lEO+PkHGH0VkGQ
-            A1xkeFizc5l0tfTD9JpatOwaKKr1b4cERZP5hSTZ3MJsRJsykySKmLLpfmC1pZ7L
-            OWLdJ740YEPXXw76seRgZ66tKou1lADRBXAfHxmlj7yrt/MB2xg0FfPw6/i1HTlV
-            kwyobNlNO6whpgHjX16Qfcuj5YMRSDmyb+Ol5dheiA+DvoowhkijCGv04Mye10RI
-            bvjcmhVA+2lNP3tzF2duyIQi4nPDhQLcBs8djH8flKWDZOuz9Jt1QDTb4h6iJzfK
-            RkfU9j7/GjDiiksOdC0/yYgn90dGdPBI/iR890Uyuav/nwzF9Kz9aHQGPhCbwfRZ
-            gN7f3zyt9XPw7Qdyf5+zvaarg5xf8i3q6vhYZSGpOGC/ZrRdJcNfo5Sw4gVzrTOD
-            M9IGoeoyWkCHrjKPjYf8fVW8dDgMsddaT/ub8jh9OcM5YA6mrbeAGyf135mOurLd
-            PCsu/tNAA1GLImgc/MYplkPsOfC0+7fJ9gCSirXyRgT6Eir1VJLL7wE0zrPYfqdX
-            NOXYKdHQxfhtk33XlnxNJ73cJVGtBXy3B2kkM2DBHxY2Zj8ysO48zSri280RVdJc
-            ARILzsczZMXmJVYuR/r103j+doR/kMVEeH+gwhTSyj3yOgP06Ychawx4m8QrjF93
-            FfpVVia8JmpXAymJ93fO1HCzpQgZwX+BuhjfGcUoa3kr+lJjzU4571CCI84=
-            =lNG0
-            -----END PGP MESSAGE-----
-          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0

hosts/nixos/x86_64-linux/bakery/default.nix

@@ -16,11 +16,6 @@ in
 
   ];
 
-  topology.self.interfaces = {
-    eth1.network = lib.mkForce "home";
-    wifi = { };
-  };
-
   swarselsystems = {
     isLaptop = true;
     isNixos = true;

hosts/nixos/x86_64-linux/eagleland/default.nix

@@ -5,7 +5,6 @@
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
-    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   topology.self = {
@@ -26,29 +25,14 @@
     isBtrfs = true;
     isNixos = true;
     isLinux = true;
-    proxyHost = "twothreetunnel"; # mail shall not be proxied through twothreetunnel
+    proxyHost = "eagleland";
-    server = {
-      wireguard.interfaces = {
-        wgProxy = {
-          isClient = true;
-          serverName = "twothreetunnel";
-        };
-      };
-    };
   };
 } // lib.optionalAttrs (!minimal) {
 
-  swarselmodules.server = {
+  swarselmodules.server.mailserver = true;
-    mailserver = true;
-    postgresql = true;
-    nginx = true;
-    wireguard = true;
-  };
 
   swarselprofiles = {
     server = true;
   };
 
-  networking.nftables.firewall.zones.untrusted.interfaces = [ "wan" ];
-
 }

hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:sfFILq+nY2tqP2aHjJZqUZMdk+qQXSsL72ubGsu/U5G8ULqXcq73d69Op1M8ARfLgOrzoBfzyjcxFMUZiVxoSHevEtqoRBq0Yol6S+3m8vXbW6k/4tj7vRTCsnuxEbGgX2MCbpfb8GChkX2xy5ZKdOWTyXNGWIIAOkHj9NAfnKz2ppY8tFPcQseOtfbI7o/MiFtaMzI6HTpbgBqhifJHLvJyIjsFH1ZecyYjYtL6682isMGZwywUdzaE7dH4m8+sFztHiliJaCM/gID+Kl4GsWlIqZuJmCi3Ac6czCCnLf2fXk53YLXawjwkQmNWjSkOVYI5yybonySSzmyjCfB15487E/ScNlG/Cc0GesoaxkJQpgys3rjuyIUwBKhfHa0qsEd5XkUFKemlB3uQTNfst6CQ1WzZYagIGwTM4zB8HjsjG2hRX6Jck7kS+5eQAoxToe5Z/bDGworUYWRhm5To7bbWn6w2AZ0FjWsb/h2lGy3rgCpjtaaKLAcG7kzbXyUW3crjLg0NR7REKYQf/ZLDGs7a0zYiDfGHyh9+krNiZ7c4dAlCh0lwUJuWSLP3VBPlcLqvSoOg8rRvoJwmIwh9rCCuKxhhGHwwL4SiE10Gw+5rajHNfj+ZnjvVXmFdpZRQW73FF8ThVexKu0qtCmzGik8R7wIhI5AW3Pj1wBURftl+jd3vRZkU9isCE3CZit0L536ZJwawoAZ0eU5tYkRjI/7iHXAbyLEILspSdrHDneRiVLh/IYXv6BEtlZFXwQMtPRPAwx9F8JG0zG9iX4Yy,iv:js4R7cAoIFGCgURc2WyiqRwfqLLBKNWCEEAlsRYdUeA=,tag:NZD44GRRgt7B7U2oDBDjyg==,type:str]",
+	"data": "ENC[AES256_GCM,data:nIgv3b+6o5Ce9X9xZtBK62f6dgsAGLPqq7aVFCw2qjD9UiHCrAY9vTn5NSW2O2pbLAfx6h7falS3/0yU+AkJ2H3zhxBy7ZxQ0m9dLoQGrYY/E9Z45xZmdFRxtzexCaxr2DxbP8haJKomQ22cHk07HGsrEZ/CFGkyjRxUr3Y4rewgZPBXahVtM75mWbNpVGApc8cs/W4JbjuXw3qlCQcACz8sZVPHKCjbEypypo6nTmU7NO7worrAJ2QgU75oGJ9g96wp9paFMEDofVp2Y25IVYReGg8T1Qi/kTcZzfzGfSpEwnQBB/ZCW6gNYhMK3shfB8DxKy6+romVXm1K+/0yUmwsCM8xC5zJX0GsO8Uu63YFrW/Y2E6aYZfBHdIgfy4lYOFKC2o0ixirw9EO8HyfsDt47QYB970vLPjYZfKNAZBgltbV3KPsOHxmgiZbTbAl0cb9zRc+jV2voH9T5VhFiUWdfaLBY1HUAVAjU7h62uZoCsi1HWyAroEROKS96npTD+3/vHehYuEGBf1IxYnLwHnKeqsr/Bqoukf3OecOH2EkMTTFQ7E0k9s0keRypoHmeYIh2a3dRcaXXbNEgiAMfabhgUh1NNcYKSZhcIekN8WN8azXjbVIrfEakJ8S+PUf5fJdspN/3Ppm06fDLv7yLHnLc8Eae2COOR8vYKIo3Onu4doxNjisfpHujLXYaCGhWpINEGWF7fkeC1B7,iv:v9MxvhcHg+P00UnOWujSgVlMNcOnDm/gK8kNcN54E2E=,tag:XnPMzsDeGJMt9yv6GnFzqg==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1ZPZFUxRTh0QjB6UDJ4\nOFd2c2lFejhHck5UdUxVbmFFbVRYNEJaSzJZCkNxbndVVThObDkxUmx2WW9ESzhh\na2o0LzFCbWdJVlRIV00rTVUwTktoek0KLS0tIC9qalVvZmpGQXZsV3RIYWRPbmRY\nam80NkRkT2l0ak8wV3pTSW9kSC9nZ3cKCH8eEMmku6WMliEDdAiW2Lk1jAGH9SoP\nWQ5Y6e90jEnp8XbGE7KYiG+jy5fHSc6Y5/YyMmi/b9bF9AhmRT6rdw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-25T00:58:02Z",
+		"lastmodified": "2025-11-28T10:50:22Z",
-		"mac": "ENC[AES256_GCM,data:AVZqvJDOcRyUKkxxN3QkxFDiPgB7R/yI5cSGrsgZS/T+rcyi9db9fYhS60c7egLpYmO1ieBk59wwykCAP5TdTQoPXm/+O24MCXquEYuY9CR4YjYno/dBnbCWtKvIB7vs/yIyVfKBW4VQYSbnH/LpBSB6RJ0ivLU9S8hrmrgTkDw=,iv:pSbmaXMW7hqxxTNS7n9vDlVlO7zE3rqHnDAP0XaC5xw=,tag:jH1qSjGWX8bwKSk/MFmDQw==,type:str]",
+		"mac": "ENC[AES256_GCM,data:lwkkp8YSzX8NM7E65kmPpF/q9Vn+FnCTeePLswDH6AVgndo/7QOy0GtJeXmiwt2YsA4AhRqxexWl2R8tjEysP35pyfQJ4vEkVi+V2tEnoLgftriNJzpoeVuRNXLxTPhPezOZgAcTDDL4yyqJXpcFj0PE1DPHKxazT28BoilaBYE=,iv:3dcAqkw/y6rAPL8wb5iewz37S4xszYFGHxvQiQ98sLk=,tag:SEmbptei6GrTXXyb7zwrIg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-11-23T15:25:41Z",

hosts/nixos/x86_64-linux/hintbooth/default.nix

@@ -1,33 +1,16 @@
-{ self, config, lib, minimal, confLib, globals, ... }:
+{ lib, minimal, ... }:
 {
 
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
-
-    "${self}/modules/nixos/optional/systemd-networkd-server-home.nix"
-    "${self}/modules/nixos/optional/microvm-host.nix"
   ];
 
-  topology.self = {
-    interfaces = {
-      lan2.physicalConnections = [{ node = "summers"; interface = "eth1"; }];
-      lan3.physicalConnections = [{ node = "summers"; interface = "eth2"; }];
-      lan4.physicalConnections = [{ node = "switch-bedroom"; interface = "eth1"; }];
-      lan5.physicalConnections = [{ node = "switch-livingroom"; interface = "eth1"; }];
-    };
-  };
-
-  globals.general = {
-    homeProxy = config.node.name;
-    routerServer = config.node.name;
-  };
-
   swarselsystems = {
     info = "HUNSN RM02, 8GB RAM";
     flakePath = "/root/.dotfiles";
     isImpermanence = true;
-    isSecureBoot = false;
+    isSecureBoot = true;
     isCrypted = true;
     isBtrfs = true;
     isLinux = true;
@@ -35,40 +18,19 @@
     rootDisk = "/dev/sda";
     swapSize = "8G";
     networkKernelModules = [ "igb" ];
-    withMicroVMs = true;
-    localVLANs = map (name: "${name}") (builtins.attrNames globals.networks.home-lan.vlans);
-    initrdVLAN = "home";
-    server = {
-      wireguard.interfaces = {
-        wgHome = {
-          isServer = true;
-          peers = [
-            "winters"
-            "hintbooth-adguardhome"
-            "hintbooth-nginx"
-          ];
-        };
-      };
-    };
   };
 
 } // lib.optionalAttrs (!minimal) {
 
   swarselprofiles = {
     server = true;
-    router = true;
+    router = false;
   };
 
   swarselmodules = {
     server = {
-      wireguard = true;
+      nginx = lib.mkForce false; # we get this from the server profile
     };
   };
 
-  guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs) (
-    { }
-    // confLib.mkMicrovm "adguardhome"
-    // confLib.mkMicrovm "nginx"
-  );
-
 }

hosts/nixos/x86_64-linux/hintbooth/guests/adguardhome/default.nix

@@ -1,43 +0,0 @@
-{ self, config, lib, minimal, ... }:
-{
-  imports = [
-    "${self}/profiles/nixos/microvm"
-    "${self}/modules/nixos"
-  ];
-
-  swarselsystems = {
-    isMicroVM = true;
-    isImpermanence = true;
-    proxyHost = "twothreetunnel";
-    server = {
-      wireguard.interfaces = {
-        wgHome = {
-          isClient = true;
-          serverName = "hintbooth";
-        };
-        wgProxy = {
-          isClient = true;
-          serverName = "twothreetunnel";
-        };
-      };
-    };
-  };
-
-  globals.general.homeDnsServer = config.node.name;
-
-} // lib.optionalAttrs (!minimal) {
-
-  microvm = {
-    mem = 1024 * 1;
-    vcpu = 1;
-  };
-
-  swarselprofiles = {
-    microvm = true;
-  };
-
-  swarselmodules.server = {
-    adguardhome = true;
-  };
-
-}

hosts/nixos/x86_64-linux/hintbooth/guests/nginx/default.nix

@@ -1,60 +0,0 @@
-{ self, config, lib, minimal, globals, confLib, ... }:
-let
-  inherit (confLib.static) nginxAccessRules;
-in
-{
-  imports = [
-    "${self}/profiles/nixos/microvm"
-    "${self}/modules/nixos"
-  ];
-
-  swarselsystems = {
-    isMicroVM = true;
-    isImpermanence = true;
-    proxyHost = config.node.name;
-    server = {
-      wireguard.interfaces = {
-        wgHome = {
-          isClient = true;
-          serverName = "hintbooth";
-        };
-      };
-    };
-  };
-
-  globals.general.homeWebProxy = config.node.name;
-
-} // lib.optionalAttrs (!minimal) {
-
-  microvm = {
-    mem = 3072 * 1;
-    vcpu = 1;
-  };
-
-  swarselprofiles = {
-    microvm = true;
-  };
-
-  swarselmodules.server = {
-    nginx = true;
-  };
-
-  services.nginx = {
-    upstreams.fritzbox = {
-      servers.${globals.networks.home-lan.hosts.fritzbox.ipv4} = { };
-    };
-    virtualHosts.${globals.services.fritzbox.domain} = {
-      useACMEHost = globals.domains.main;
-      forceSSL = true;
-      acmeRoot = null;
-      locations."/" = {
-        proxyPass = "http://fritzbox";
-        proxyWebsockets = true;
-      };
-      extraConfig = ''
-        proxy_ssl_verify off;
-      '' + nginxAccessRules;
-    };
-  };
-
-}

hosts/nixos/x86_64-linux/hintbooth/secrets/adguardhome/secrets.yaml

@@ -1,57 +0,0 @@
-wireguard-private-key: ENC[AES256_GCM,data:5RdR6CvGBwaklSgiP0kmz/ShroIa1By7ZqgxKrnSGjHRyrzaeWGTuJmqKJM=,iv:D5UmcQkbRs8WVQUA8XpFCwLy8+O4+RoJLWOkHj0H7ss=,tag:feSuK9jW+wLeygqhKHycDw==,type:str]
-sops:
-    age:
-        - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMEM4alliWlBCT3VsbVA5
-            OGt5bmQvZW1TaUNkbWtFdzVGNDNpY0hBOVhzCm84TldYNHBrU01HMlBkbGNwZFAw
-            WVk0T3FycVRHUUNtM1pTYkQ4Qmw3RTgKLS0tIE9LUlNEVjJHOGVIK1RSMmRXUDF6
-            QlRKY1hRVzNTVXhESUd3OElXL2pBZXcKDWYoOzi2b4qeIbCVCfTj0lTW+OfbnsXB
-            8MugCHu7+b+ju0v/lUP66jDW9/2AH4PzHtCNHjsafyzr2qnW8HlOzA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRWJXR2tYdEd4cTZsSi9l
-            Tm1pSC9pek5BakpEMlkwVTcrMlBuVzlXWUVrCmlnV0xJc25nL0twK3VCZ3FRK2x2
-            RW52Q1NxWUhTUGY0NnQ0WEhLMWxIcFUKLS0tIG83eVM0KzdLQ004aDRKNTYvdmVZ
-            d3ZOSStBMFpSU2ZjNWhFRkREQWlUdmcKggVvLy1mLYGf8084RQtlipS4+z4dfPsN
-            HZfid0srwYnezlQ5qOY8/HrDLWHEyuZ4xFZVi4n0k49qBpNwJdmvyQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-02T04:14:03Z"
-    mac: ENC[AES256_GCM,data:aA+oIq31QBla9hOpApaMeP7MFl/hI0kDjC1QyPkmexXuMB2pQJ6bBEmazreX2m2TPtHv1rtVUak7F6TbA+97IFb9EQFuAREi1Ca0xjz2eGVFQKu94qkS/FNemXTAkEZxC9LQ1TRqNXXNITehKUeIN65epuNbWqo+iOW0OHEXm/w=,iv:1NKL2PZBUDyHEIiB2ZpvTdCh9ZO+r8bPyJo+EO1PBmQ=,tag:5W9owm1Z+7O1CGVmH1afUw==,type:str]
-    pgp:
-        - created_at: "2026-01-02T21:12:51Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAwDh3VI7VctTARAAmvkQ9V14f0BT/bNdFVZtTlY4yVon37CX32SZPUcHV7o8
-            Dya0sZd9tuVATSv79TnybscuNx95fkoZJwujBfAadexn2zY8zl1oEWEHx7p+8/mE
-            W8JbQAjbcbX9sNQYXc8kYJylBThmgNN/HXK7CGtgDFr9xnGzDBnDm/M31P1HwYBm
-            IdIQgFGErEt1K3xvw28Lk3tPuZLK3Y+H2Yna7RRF6K1blGJUvEnL6yFdA10/eFW7
-            8066mO26F2l5xFuktK0nNeniLHKa5VVYp8iM+JMhX38l0wiIi8pGyxo3uAjNpa0w
-            IfpCneEBe/yyaUPcWMjXmUG5LJe3kWUup8cSzvu01Z3W159/QsflxIMkIsklqhim
-            B2zuPdAlYsjjS/05DIHInN2IIB/rjADkQvXji1XYLhWJj4jxDeck/UIc6Q22TED+
-            autlbl8d/5sqyO5ghPpShF/s0vMTqUfpXZrDrbuyDFqCfwi0ahP03bUsv20ZEz6u
-            zG3K5HuXHh7ATSppwuMbcv7vcjF1tkbo6XhWZDv0rY0DFWqiYhnxWwlFlGLxf4zX
-            g6r7Ca/E/YXG/eOET6M9DxwHjj0D7u/ryAkCktqPL9w8oNGarZQ/xMx0+ocI3byc
-            Zvzlmd63BtgaGNSxH3stK29KN3ED8cDkG/JzAxCATWiUBBkqW/ga4sGZqtLlSO+F
-            AgwDC9FRLmchgYQBD/9JbFZie25PO2CyELlUWm5SmJcugT9SK/mIA2fe1PlA+Gnf
-            5z9iXraMSQchz4R1IoiixDhubwKeKp/auqhlOPvo58Lsi6iDR/WaLWabD+hcyAb1
-            ck/f/PUzTLhlLcfu18VPfXVzfnky3dX8P5aS0WMLAQblj2RaaiHxnPqf49kXSn3q
-            VSJ0pr0nEsPuWtoCkHUAwAJ8X5GPXN2OD4YbHsNaA9h2vrJAxNd5+HNsvg8JtI88
-            X/uMM7cWcaXcmNZOz166HUIPcJ5cabJ48Sv8sDfMPOcTiJkMiESBnRYTwdUcp08m
-            nGipSrUeW3pVOC1bGyukZb6sF84pTtCpqS+kOSfKFlxFFdAEcpzFIPuOMeo2dbKj
-            GSGPDemZFC2yFq883yk9/mZbgjOUsqrj0ZP3rCD5ZHpfUM5IxGQ+mKaOucTXYmif
-            lrTPMYnAc7pHxKZ87BgiKBYrfRAZvorLYKv8zG8YagAUw8iCtc68YUUdvLW9haQf
-            rwWCU1z+sszYSac7I57gfqICQhMUbs1n9S2Cn0C0xo4q2Lu36ysip4rEVGg6TmUu
-            znXYu+3orodw2TwC0tGxXHYKwmlr7EGnBCbdVKpDoCbV6cYkDYoPUFg0alqIPd5r
-            KCkee9MaCLLX7IdBrbLf1lkHGwSAs81GfZRMLBauM7/hn+hMUeIJnMbtJnVIB9Je
-            AdT2nSH06+POnjvxa2t0dUasnG/6ISBRSk6FgBBZ+pdVlrvaB4javgWGpiAWCUu6
-            b2CMZF3HullmLj+wwAKlsZsIOXGICN5GeQxLHYF8Kx7Doj68Owu/zGM5MS+7XQ==
-            =wYdb
-            -----END PGP MESSAGE-----
-          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0

hosts/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml

@@ -1,57 +0,0 @@
-wireguard-private-key: ENC[AES256_GCM,data:3T0ZoPAs/OIkhdZlH171d9d2Ycxtp4WfI92pTBI3vRw7BVvEgQZKu5DCvbA=,iv:gsczaGwcI3JocOazMIEsgHFruEKDPxOTUQzx+rdCaio=,tag:/Sw7QsZ4fV+BMWdfcUevBA==,type:str]
-sops:
-    age:
-        - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySStkZDlPL3JYTFlYVXVD
-            VGx0U2xxeDNXcTdwaFZsRWZoblk5eEttZWtNCmJQa3NvUHNwYmFZUG8wMlNxWE8z
-            bkcvNTNhWnozV2Y4Wk1lZmhmMDdEZm8KLS0tIHBkalp0M0NuU3JQQ1FMRmJNQlJX
-            Zlo4akUyVW0yM3FLNG9jQnBHY1BQN2cK48vxR3pPY3LJlTIEx+dy3ZZRfwFyvQGe
-            EuUI7TuLa0ib8JnO287Ay4gp3GH38jtkGcux4yP5Q8eY/M9GNlEK8A==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHTmFTbmNBWldmY2FGSThG
-            K1E5b1RTZE5NTll6WkZvbDhxaUk4d2N5bjNBCm04YkxSTE1FdFNFMGNFREtRbFVE
-            MHFuT1VONzUxcVdoK2kvUFRkc2xXbFkKLS0tIERlWE95MXVnVWk2Tk0xdG1EZUIy
-            cEdOaXNUQmt3KzUvZmRJWkpTdVpHdW8Kv64ZWzQbpmINagumpuHXscRf9stxO4Of
-            DSkGxFyLgq7yDg1iaiWy/mwxQZVw5i4ieR2+VDgi6Web2y6t81jayw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-03T05:23:18Z"
-    mac: ENC[AES256_GCM,data:u9N7GzLPDW7cHT4mkUAC9Diq1RdV5iSwcz/fqzXQKRmic09eVydAgyk2g6NbJ+4tBbAjIfeUch8Bhf5eG0sGzeDkb1qWAMEnP8EPmQ64OdRyN2SxJgxkc8KFGxkrGz9slS2ozWth6q/tKBSsOYbo8WDlCqXhmYp+zBxvYFR30Mg=,iv:HC1e2i0E7dV9/au+A0kHd+UXDhw3xf7RbTpwJI+hjpY=,tag:dPCDh9qalNtbHIhs//cBpg==,type:str]
-    pgp:
-        - created_at: "2026-01-04T23:02:15Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAwDh3VI7VctTAQ/+OHyevGNQqVV8RMOgLxV7CSBCdzCgRiEyDt8/A2twNG1x
-            8lM5boYrVJowPbqd1EV2hfZ8gl3vvWhGMQdR96J+Mt1PWG/lok/Opf8Sdjl5hzpq
-            5AjNWz8p0NQ0e2UAGDuRXy+tjeMWKox86KVhxA/L3Td4S+jV5W+3zRSkRB7g1eIH
-            NJiyFe+jl29mSSABKk5TclzoB/GoojAkO+8iXsjMZYd3upHyQdriipQKkJJGEaxH
-            8fWBYcFB3H+3nMmwi6bz8xhUpOCpKzRbvwmqWYcendqINvDU/sQxQmxcqgMiluzQ
-            ocHNba+K//ptmtJHeL/8o69ljqk49A9mZ3ukRZZ9htWewv5n5T71majA/lJseGv7
-            tsAuKYTHlSkhOVzXuBnIaGrBgF3mB0ag+9/VIlBXCZpEMdjp3C9GJBUQuxoRSwbX
-            3oREyM97O/rtOo9JaqzqX63S59aHPwt83WH6dp2n2hcXF0tpYff3Esw9Vg3Uq+Fp
-            GCSjb4jFQTu25ZbpiiUaaFib+03Y6gGrnzU7W6460cxd4iZNEPGqE1refsQGYUPC
-            6L7R/mkT0SBtC/8lyOvuIpzYHiAkCqdLbrVTmBHUG+a4fIP16IilIFBh8haVKqY0
-            pgBDyLZDVwLzslp3AK+7pusU8STqCazFISe5GPQswwjwo+J3URmQKbCNHXVRyb2F
-            AgwDC9FRLmchgYQBD/94rHN8+Rqod5qxDxa0JR2ZYKSUBdzkkEqYnjp0efn/dY8x
-            m0WUQZEy+L4ZeAmFFL/mQ/Mxk7EW2Vghwy8j8tGTogJtVS7e0GYirKAHr6fgxxpa
-            5BoaUSK75xybQTzWe/CETfpRlDEFmYt/hwMldfCHXwnqZxXNVHj1MN2kVNFbPfwo
-            Ml8RYG8ZllyOVAVgXGsV6kiJp7jKblpuKCDQPkdbE1hFBed0SKW7olUtuBE4ho7Y
-            J1g1gXOAqAWud+crA21bA7Uow7ZYaC0/WzTY2PrgAuS6kpVx52uUj0xqMfK+/Cco
-            r+KFHleJL4b8pIsImsExJv6rDKFohC7E5n5XxLLorTXB6YYie8FkpvmbWK03j+hj
-            Q7xwFLKWYLlPGtdhe+YpL9yiwHWaQbGUjarVH0UAZgSwJCt1cZoiL6++dp1USb3N
-            aV9HS0Milhbseas9YjiSoVvBXrDYEnjShJ7uWOu3Rbh4hx7jvJijLPrPcd7cym+A
-            tjaxFFeD0mTEj1JcjVMk3fEN0wj++oY/l+piVvYvZWvMscq83Sb6CxxDprVw8xt0
-            sECqmgT0yVZrbDNpANwyWMXaHs5SZm5LaW7uDIcr0egkVA6Abn6twaR12660ptjm
-            mcv5K+ubzRomwxgzr/5NcwSg/k8qZ3WMfV/yuNsKIkHK2UI0y49SuBuCGGa1wtJe
-            AenE+Zn4xyF6cpEFXNKNXFDCy2fgHQrdiQ7XawrFAPJupn1JbGXg1gBN7yQI4YW+
-            BuVCb07GtuU/faiT7cIxUQ1nhc1alSE/edfqAPAPqxA/MXhoC7xT9vFmvUPAuw==
-            =moK4
-            -----END PGP MESSAGE-----
-          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0

hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc

@@ -1,18 +1,18 @@
 {
-	"data": "ENC[AES256_GCM,data:jaTRcoqOd3SNxwmzAcsqWyuvhYO0YipQPH2K2SM5OxhWWlUHTWQXqXmuAy0+efNnZlC8xqUWIoU//XXzUq/b7Lhi9bv9WyP7aHLOQNLFZ50Rt3b7yidFA/mxcRo2ZuGUR9mGoP8e1VtiQVVuzZQbJWqTCKtxb8s1f35aZx6NjaqeBFogfhHPwsVPL0lWdaxW2aYj/iwWb65xaxhcXa5mWpYgzfvuTXCkABFhrPxYG+NZpCyG7lt8MWpJ3yYWE0OEr/1Fe0TNfBjp7cih1wvMGIBj9uZRoJWkVwn6T+nldf52WpHCRZCdLhsjXCzM5T0g6Jj1HHatiISYZY3KLVAYKj63nSS3GkHk+BfoiAnJROcE2Aak0w7Op2csbNrNz807kU0x1A3ccbc50PKOGPFAh3JaJJUc0K+pGaIZ+FJhpIT8UyfQ7/YA7CDIvQObI9X7idsWPeuU3YN8VifgsGPznLWHyIgaUW7QmUtH1+KJdO0lo68C13FFnzEoMUroxMoUdS9Bvo1ncC9cITOr3Iuvb9nWQyg+wemyTJ5AOIx7dBh81PxMBYJ3JOTmxiO8LZapyqSbNhcbpo/3Q3s8J2DhIzgR2Ty7EI2tFxoGbzvpzBpWf/c7/rWWO67YDCfmB618w31Phes0/TTK2gxjviH917Q=,iv:M+S2woApVJAglQmvr0X1ZNvezNNl/nvxKjADWWXLiGY=,tag:CT4zP0qyJtbWCBJqqS7F5w==,type:str]",
+	"data": "ENC[AES256_GCM,data:trvZ+abrf69YhdmIQ1ekgDW82PtPnJkC5bfvh6lABb1BBkPWZk8Ds7Ug4CtulspitB/Spwd0ksGHSuEpk7Xg9V+5O9nm4/8JWWh7EF4qKWeRiwqj/dpfHTtTQPOzywHQFwLg6EWS3wSwUu60dZqJ8f36rvr+KAZc71jZayZmm3TIpeDaMsCAyO+TrfzeKM8AYN4uUVr30raquNjd2XzGgufE3FFCQdo4yhvzVGHGq0+wrZGr,iv:Yx4RkCBSkB4gK1dnMGudPwPP6moR4/7ovDZ77f1WL9o=,tag:9tTUU6ax2K2CqKjxHn2ZaQ==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx",
+				"recipient": "age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXc3VHa0p2MVdIdHRrbEVi\ndUwxMXA3cFpDODA0Z0MyUC9aemF4U2RXeUhrCmZjSDBLZ0twRk5rZG16blorQVVZ\nRE5SNE51bGlhYTVqcThFUVIvTWxwOW8KLS0tIEVHZ3Z6VVZHK2FUQWZQNVlOTkpL\nYUpNUSsyQllQL0lUa0FaODZiSjBDSk0KSJHdYoiOuma7YFjLpssAgw8BfBo5tl+o\nRvNt9rsXUlXEwMlcmYpkgUlsSAJnus+uE9AdBSvTyFRb9Wo696YFRg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VHAxaWdiV1VlWEY2UktF\ncE96UHJnWGNpY0ZFUmZVSi9xSXpBMmI2S1VFCjB6cWtDTTJrNFhZRC9yUHRYdUpS\naytwOUJ4NTRxTmJmc0R0Wmh5dFVKbzQKLS0tIHQ2NUtqRjh6MVF6VHJFSHVFTFFD\nNWh0MDVjekFDUWZvTUZNK0Z4M0lJbVEKGZk1BvZsNTkIor5rTcpi2UE4W/BqNMWU\nIAe3irNN6p1si2zebrCEyiaJYuaVn7uYVwXcscJlNTfkr9szm8TjSA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-23T09:27:50Z",
+		"lastmodified": "2025-11-23T18:19:50Z",
-		"mac": "ENC[AES256_GCM,data:fuYSElvGFbFIdkQaTwNuXqaXxMuOmpT8moN9m/Yl+6u3e0sU9AMJLK95Azl0xffjScc79PAPXitILrK7gUwUdo4PvTpQo14IoSCzIQ4lcJFlrWXgn9dPFrc97iooMtBMk4hWmTzYL1mHkT/ab7NP3aE7j81N4HJcYwZqzVkdXaI=,iv:hpkTsdwJ+N/NVHEM5LdXC1iwZXT77OwZ+fM9mu3l3Bc=,tag:dxv4T9x9q8g8m5Imcurnag==,type:str]",
+		"mac": "ENC[AES256_GCM,data:IA71SHchjrqqU5tRlJ4Ozgx2rRxhKE42CsC7ygBLdAZcyZs+7iMpskYejIue8+JXto7zJxe38UbolnLOaTkHzSVGJkKMYQQQ/sXoDtaWlsYTN648ug4zAbgN1neifNnG+756abcg9NEuJRXBhXDzqmAecHkzv6U0HW9LHPO9W1s=,iv:dEiu6FnSqALXDOtpCZ3FiQ8D6GU0FjQAFA12SPaSIAY=,tag:/SXghsNzu8ceOQk/2w8e7w==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-12-15T22:09:23Z",
+				"created_at": "2025-11-11T17:51:27Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAqmY5oZvXtdqhGl8COqgT8PIzArT5A8HbFwrG8Sz269wi\n7naQrwQnn3jugsUsaCQUHNBICe0xR0RO49e7YnuRN4WWaC7gdn4K9PDmTc5HLJQy\nzlVhvmrZhTHI94C1mLF0032idDgw+bvAb8a05pEuG6czghz1a7e+EMkskScRTlaI\nWKVhZ13vuXfo7dv4zL2SmP2crdrCk1gMJg3UYBBhcz3ql7qDVqV2B8MLgPtsTQIV\nDSktLAuuQTPwGke0wb7ajbea88CkGGTdDSB0NdXG6O/cskSULRxw6TtmCgL42Vqp\nnBbKfnK28y5ZXl9vLPZsLDM+T/E0qdR1nYloxL0kV0D/ESwX4dSyyRYglt9yZmAS\n2N4+7rpL0UwcmiWi/iQbOzZARVEREUlnTnX/5URFks4sQayL5Mk8gHMt/aCBvlPJ\nLWdp6owZVf8XM9e72TXOu+1NvXz0UxIC/sYObMReRQmkNf05r1nt8J71TOmtyEv7\noIURLjgeShNK7PbUoIIDe23xWiNuyEATXmw/MARbc/HSu3bHlUZO+Lx7LrQaQ8aI\n8yZC00WZDgsuOKIyPMNMWhvQOjP5bdLSdbLdtAqz2+d0hUw0PlIHXk4dOqOrkiai\nGjjgGG4OKrenkMDEPFKPW9zKvZbklglGI8mjZTFYwXIi7oILqI4AXcuHXHrFZSeF\nAgwDC9FRLmchgYQBD/wISMziWFXVsP3SRpgOO7WZY9extkRQZJd8veeHzhKPShfR\niIdON6j0SvGaKLb2zhyIIsxvb0HVrExysLyqLWyUvDMobS935jCNmHb5yo+FKMNz\nrZCxzt6vurRR9Cd3K9Z0RJkPrBQ/FyJQHQR2WMTlqXg/kXobR8ob3ix9pSh3/9L3\n3HVBvrOA8eXbajwGg/8FYmimO8zuckO5BYHdVTsHb4MpdcEINpxhBgO/STyUoKfC\nAg+IW1wW0YxQl1rlmuMkcYRFAOUE1zTrxSsA4UuhdyQ8UYF5LozM6qzNFXZYbH/W\nelKZUIUe96Ap+fXwsu4hgYoVUMzVyTO0C3ZqSqzrZmFHC5CR1EcnRowU1IAUNsGT\nmpUD4SKu9aqenr1kTxsDi0kd6i5XXHEXSQdKRgZd25ov/Q++MlDrkEp+/qK4S1wl\nZvXprBBx0aHhnIMtSV2hLgh1CVaMnaWQYn0rSjR7P4p0dd5pSfR8j4aJfn+ErN2q\nRlOpy9/r2n3yLs3lQ+GML3f2KMAlVaxY0UEu2muZQI5cjKvs/MjGVmcDeo8B50oo\nlF6SBdIMssR57D2J99aivmS3VDvyTg5ha9pvpQRDWA+LQYcDvkvRITVF4kOMeQ3t\noUF1C0ndRcr9k9fRJ95QicjpVHBj9soceYd3OgtgZJ+AX/0B3gkmejYyF/jAwdJc\nAWgbKZlvBzB2Hx+c0U30K91HjI+tpVH1ivEAAh+ogbLH3Ox2doUVis7syE4AMfoe\nCCC2K+2ODEYHdJxo4g5DtcTpZL3Xla0sdlSxn8OeIuJkuvMl3oxRI0Jr4rw=\n=2r0D\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cwoYXkjChyIyDP0dmqquRMAv7AsLz2IVVKcdGzqKWR/z\nx7owbhfGFaNCU/x8TWs3mUFBNnLIUQmuSWUuI30VMmFVjXQ9sybCZUCk5oFLD53+\nVPPb/KsAO06it8T0NxAlsXqe7n9fz1P16mFpMx8N1yb5s+GYG/C3UGATwJTJQn8+\nwob0NHfN/6qsZP5PzMgKlUiqc3YF+eB71KTHNDmT3l5sGsoNi0erZwNZc4VA0zn8\nPsFYodW9Mya1XUanJvrYKo9eRfrlpaUKGzn6GVlMJsZU0gNpKZepMubbev3+B1GR\nn6V+ViYWd8U9UTatuHy+aRcwEZfpXq7uKTTTdihECjNkHYSfXmUF9mjq6u5U0Lck\nykhElFADx+YEBJuavQabvYGu8fJx9DfJseNVwIv0M6hqLdg2CNMUQ1l1Q9weizeZ\nxLjme1LTlCUinJGN07CE0J9qP8syWRJYD9seP9Qc/b1IY2D8dGdgOTzO8Fx8vI+M\nOV+Q3T0Chn/f0lw2Xzu40MphB3eamt5cq0JeLQuwQHjUml0rGpi7bIj8PxeAgMkX\nXFzSokYTHGRJz2UblLnITfMaVYcu9HYHXxXIsZliaRBs2AlscyCCSQFjnEAEywlo\n9kvh49sjWztb0yGqHRAxdmJ+Sm5fCqP0huaTMXkC3zy4h0oeJte36Us0VxKk1HqF\nAgwDC9FRLmchgYQBD/oCYXtBTr276kjOMWs3WqDYMLUDbWM8d6b86HYgYvtwQy0z\nXgASNtWQsMMyIEiReSqv2H9jtTTqbUK93ALW2X7GmEvUIvmW64g1AfHKhmPw//Li\nKMxtK6sFVS/WSEYoaZarkZDwOpNx3+BnriQEHiMi21vWxCqluZFSDdls0ca2oXvF\nK9GpBUD8v5+l2EWhq5+4nxHKrDx0g+mjtZPJPRsJ1u0tisdkhRXauOvRHEymZ3mX\nRTee3FNR1t6YpXY811lX9yemXkdsSB4pzKWNQgk6U7WDkGcVaGNw0R8pS7F3YnRE\nFSJhKnhb9Bd6CX/zEV+IwEgY1yPfiEMX0bvIrcEJYgUg618YQbQPushxVk10+c66\nZJ+99g06tdyt+u8E9GpoujnoRjRWsEqElkZntd66fPuDm99qx+RHlF/1Likp/nPL\n4oIknDJu8wwoIBCtoQcWyaiNCa0Fo/HR6txyOt6tTqpwhnDGJP9UfYlKWt07CFar\nQLgZfJbHhetjXoRHMAs+WargN8KV7QGMGbQdPE+VwlZI4bKRSipH+rdDn+v50FQG\ndvFd7WRnWmTaG2W3cOLFH4pWc2MPnnxj0IHDI3U9olcCyuWAF12yC1HYuFuWeG+K\nokxmS1T1E0jIP9u8NTJBmLdjC+6U5y1ZvSZlIWB12OzBEpP7jl8uOVbD/AR4GtJe\nAf4EdsxTBocS50aRxxAOq5t3kaoTu36n1dbGDfb8k10bsBiQb6zJ+xtNQgWxNEeO\nb6YGIyglD06Wmm6C5LOyQ46KIzuFXB8irMJexApopLwIZ+jCnn0Nb1mO6DXHUw==\n=kTmR\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml

@@ -1,51 +0,0 @@
-wireguard-private-key: ENC[AES256_GCM,data:DBCK92h8mGxDshB5OIEbyUENc6a4jmvzKPvljUn50AM1I5vBm/bSTDRStIM=,iv:K/OiPnAlXNt3RqBiBiiZqIY8vqsIw0kmKE+aeeVhr+Q=,tag:eloCJ7yjI2tpHMxwNxZDDw==,type:str]
-#ENC[AES256_GCM,data:3lP1BqtvBwyeOvq4K5HTaQ==,iv:j1xenUUIkyJDaeLlX7LGhjFdhNlfTXF6r6v2+XbJlOU=,tag:TsGKu6VfF6D8I2p4kb63/A==,type:comment]
-#ENC[AES256_GCM,data:LItVBIEQVz0x8ZARRlMVRPa0vdEe1Kv0CZaEnauUWw3P+NZv6WZkXw0SjuW+k9oqlDOTPR6gQ0Aa4GoX51NRFFmtlCVU0YL/RmdfrC6nkSea2S5btXCG4pptSusmQx42Rn+RfttcLDIXBAOIDSA/kKiBYvDhsZe0XOHAzj7jTAshSeGlccEOUIs8SctS8b13OAiSs4ceuMRPz6J45f6RVKG6COgiUEav5U6RFa1ZOLv8A/EFsqOsEZ45aYqngLM0/7gZ5Wqwpft8a+7dLRmakUjTOxH+wtVn6CV7wItUJAoz6BjLR/jtDr9EUm/QesZSHhuxs3eu0iXPXzaQgUt5Qz2knxSvzsEKYUx5bPsNBSb4uWgG3b/vKzPUKKYP5CrOwvPxsqI=,iv:z1YrJmuMaiiQpAc8ajoa7A1GH5Z2D2holm3lBCiBqOU=,tag:ghl+1BN9Tyxpwr9KXre5jw==,type:comment]
-firezone-gateway-token: ENC[AES256_GCM,data:3vFtknbuAKk4syzNMDBWZegqyjDQWWPYXVJOs40cnEgAYnOWF2svt4mg3ueRH6b3j5E0Mrkv1PJIch5yxu9FYjfcx+jlsrqneJQrHGX3LDcW5JFOwP6H4nb2Oo8Q8BtpbpOdxAdUeFoLjRSFYy3DGzDatLG9CN3AinhIuxrTGM9Dfxvfn5ahkZ/LPLNRsKj6822C6dxSISW5QSGz+I2woyKzVd9hYoyeHzj5PB2WeaP4ty6bdQRwtA22i15ODpjMDt+AwPL9Wv+tzcv8StDpawbLrJ+0vAh8uRrIjka/W731WkAIWsgMr4mDt0dw99VgJ3mixbXEOdQRidVCeDTXwb9N17RQr5Z5pcjWqGU=,iv:+zbkWWlR0FAFIFB73TXuUwhyuhiVzaEhPeYBkJXfbmY=,tag:8NZbeFLv0FiRDVZJtmLmgQ==,type:str]
-sops:
-    age:
-        - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTzZxNUdxbWUzbkp5eDE4
-            a3NGaWwrRXZxaXRvTmJjQUZHZU5wY3FpTTNrCmNxN21hU0dBd2piZUNCNndNaUNo
-            K252RGYyWVpXanZiVGMveXRnc0ViOFEKLS0tIFQ1T0dXUjlYdUNOcXJYZzA2YmtN
-            YWlkK0xrclpXYTkxUXFiNGMxU1NnMGcKCZzLfTPjeeGxyD43dOGDYsQVsw24cyHI
-            jz0B9VV07p33OP448eLyLgwpVFaNG0q+hXPH+0fb3V3foBT2QSeuPA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-31T22:06:39Z"
-    mac: ENC[AES256_GCM,data:BXX6xL5AJ9Ar4le429W86bkCRQkPWiYbJxd+xvp3xfy/T0MptAMsOB7K7dJrtokdXBKK3iPxapgPZCVCSBT49Sj9X2e7wWCJq+olcNTmojMZBtgsDjHgg2rbl8jY7mKeAlGRiImc5iIengJP0cwxF2zplUkZeQmJzXE0+4P8R6c=,iv:63xUQfIl2gpDONSJUrADsRxeSFtBs3h8e8LQs8eQxEE=,tag:vQgKvv8AuW+oEh7dimPhPg==,type:str]
-    pgp:
-        - created_at: "2025-12-22T08:56:58Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAwDh3VI7VctTAQ/9E8KBoKOUyeIflZzmSriaoQ2/I0EnqKd9cLLFyqFFd4Gp
-            ZyOfaTqQE9/NWOG3KkG3iuHyCEdHjP14QolJDPPfuqjVnIkc0hKJ/TqwWb5OXurZ
-            hbkFZEYtuGWXGNugL0T/BnSUqXhd5sFBJueZD0LU7xBsmaDqMFlY//iheNEgq0RA
-            a3HeQL9gH4d1eUPje9XfcJ+onj9yYgejQ905ZIOAyrYTLVjnSc9HKJ3kz+rpin1J
-            2JHULBZEzigNiFXE2XmAatIM6PNBVJ21VL7CEPTt/qauRVHLsrz4PKcR/VMTzwJ/
-            A0hdMrYbYRKOL0rHDYyjpoeuKsUDNV0Gi//WQDXN9DGMREG5P4PH7+yPBcc+vgLK
-            E7B6RJcUFyuRh/n/KPGzKk1KX3KOQMjIKUaUGy7Ru91K8rG+/EH1ker6csDpe2aY
-            bYjtPnjiIvd/dR++JLALQJfCuFC6pUhGAC71Bchr4U2Rg+s9pRZBOYco7pJMJubd
-            rkt61MYFNpcZkyQ9mYAVCd13JcmoTsAtwmUkdU098tfCVA8sMRgFF1f2DK8iyRrq
-            jfh6pX1/UqFtOug8hElBJHMQkl9eAKla6COQeGtZC3LkxkKhkNLTcMLf4I5Tzf8o
-            ftxFw1eW4174Psg9vo+/T1zcOYQTVIUfnlPuK/oiCJIAWZ2U92HnCa9pwQe8nkSF
-            AgwDC9FRLmchgYQBD/4lFaFk9tlyBnTWY5yWJmpcV1gPSwLyeMnax/89/Nnixu1/
-            205CvMGEReFEQ4CDTp+WXwp7DA3PKqhg/hEq/x9cmH0kAkQg1n9QoJcd2UzDadfp
-            89ABsW5fBZJSLdHn3P06VIihe516GnsDA/KL88PdkYXpElgfqWXC8g2URKW6QeO5
-            j/XzOXDiMdO2+K37NcbwSQsMd0pc2BAJ4mmjvjm0aZe6ddF1917WYFkOZi09clNh
-            iYW8Vk4hmOkGqEO3zNjQkzZ6Ra9Cm4qr1BG7k+n4sxuwoae2T14/DlCSYh/llSTw
-            N25tWEeXeaAtQgVwoWYLrmSdCKYtxyACPrt6uEYaGE7wbXgBgCX91HuznlHiUvnG
-            uagiFMxr0x4G2Q+C8OuptKBneBcR6a21q3HaGdl/99F3fM7C2bvzv2y+ZScBP6fH
-            LvZjF/r3qrLONCqtaQ4Kw9LPzow8wMkCkshC7K0KNRq10ww7s9kbY8io4+QVLv3p
-            ZHbN+U+9BheVOAF8uX8V+OQfeFdp0VTbPZa7v1mLdbjshPNi7SEhlCjrtB8yqRtd
-            cl2tinqfWAosYt0xdUmH9uoY7bz9+BKIZ6FVl1huP2DEa5JAjnVItyLG+n2GpIqN
-            1SBaC/OCbJFawPmZgaWou+kxpLr7hu6kmPdCcdtHa4TYuanLkOTk0r0mztzhjNJe
-            Af5UVQLJJ7tduvLAB+vh/z91qgv0ftVDq4Kkr7Ma37OYAx4VzuHwEXNLKu2C6CwE
-            M7sp4ZglesyABMbOEhwxqg/kCYGS76kThwkrJfrgf82FgnMdUyYCMhhgy6iFow==
-            =izPI
-            -----END PGP MESSAGE-----
-          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0

hosts/nixos/x86_64-linux/hotel/default.nix

@@ -16,8 +16,6 @@ in
     WLR_RENDERER_ALLOW_SOFTWARE = 1;
   };
 
-  topology.self.interfaces."demo host" = { };
-
   services.qemuGuest.enable = true;
 
   boot = {

hosts/nixos/x86_64-linux/pyramid/default.nix

@@ -21,14 +21,6 @@ in
 
   ];
 
-  topology.self = {
-    interfaces = {
-      eth1.network = lib.mkForce "home";
-      wifi = { };
-      fritz-wg.network = "fritz-wg";
-    };
-  };
-
   swarselsystems = {
     lowResolution = "1280x800";
     highResolution = "2560x1600";
@@ -64,7 +56,7 @@ in
         main = {
           # name = "BOE 0x0BC9 Unknown";
           name = "BOE 0x0BC9";
-          mode = "2560x1600";
+          mode = "2560x1600"; # TEMPLATE
           scale = "1";
           position = "2560,0";
           workspace = "15:L";
@@ -77,9 +69,4 @@ in
   swarselprofiles = {
     personal = true;
   };
-
-  # networking.nftables = {
-  #   enable = lib.mkForce false;
-  #   firewall.enable = lib.mkForce false;
-  # };
 }

hosts/nixos/x86_64-linux/pyramid/disk-config.nix

@@ -75,7 +75,6 @@
   fileSystems = {
     "/persist".neededForBoot = true;
     "/home".neededForBoot = true;
-    "/".neededForBoot = true; # this is ok because this is not a impermanence host
     "/var/log".neededForBoot = true;
   };
 }

hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc

@@ -3,16 +3,20 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m",
+				"recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTXhHajBUQnY4MzJuTW5u\nME4vWHJrRCtQMWhWQ1pvU3h1UWVielFQSFFRCkl2RmpTRDh5Z3Q5UWcwS3RCVHds\nM05GNi8vNnpwS3FZcDBGWVdlZEdyVEUKLS0tIEM1SWdtZGV4QjhpaktRNkw0NDl1\neWlYN0tDMUhsWG1OSm9xWlM2VWJKcXcKa9aySsFOXPdwkmrmFc6X+WZT67vcuJf0\ndd1soIklu7xRuNpGKMuZbNKKgyRZnGrcUZUwwGIlJ2KRDag2risOXw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjb21CZ0tQZlNKZkxKMGEz\nUlpMV3lSa1h5TXFNaEpvbWp3ZzZsMUFLd2hnCm9xQlo5Q3RsdW1tSFMxZjVKbjhM\nLzBaS3E1Z0lSQ2lQZEhtclBocE9CcXMKLS0tIHpaYjFIVVRWc2QyQ3hDWmNPODJR\nOFpPQlcwOERMYzhWV3J4ZmpIVUFXcGMKq/CmiIaBFfcx9Muj5LaTQ//ELHmC6WSG\ncJWyfZfrKcPDlXrz7+o9qufLogw3VIkCsTghqsbK6HOKGC5/FbnGSg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z2tONmQxTUhZUW12Z2Jm\nUnoxSnpYcnZDNGNzSko1ckl2RDh3NG1VS2dFCmIwUXhmSk1OUk02S0JPVDR5UWJ4\na0gwWlg0V005ZWxYa29PZ0laS2VqM0kKLS0tIHN5SU9pQ090eHljeXJGWm5hRFQ4\nZ001Nzkyb29RYkNUMDNDNlo4YnVQeTQK34bNIBgxId2+DHKQNVV3Iro3KGkE03Sp\niB1+dADT6nRvGvoyPqnLq/NYfw7eQ6XqYt55zkdCta8v6L1UNUkw8g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-10-21T19:32:24Z",
 		"mac": "ENC[AES256_GCM,data:wM862FQH/qX/abuD+krJOazli9Ci5GrpLtdcnzFgKCeNdjA2cfZ8M3DyzsBwMXjp6HxBHLyO7QXGcQkx3kIKGnRhEBuQzVOtrZhqcDi2Ho8iBV8Dh4xkhcpBYufw7xP8hGWg6ZVZ4JyM3P4NfAdxbfWTdc1VMStAafJ2SZ3pAYI=,iv:tDAKNe8LV40hRCqKzN6j6B71IV81SnrBgerxGPzU4Zk=,tag:7ZsST8pl9TjMog0dNKcUcA==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-12-02T14:58:23Z",
+				"created_at": "2025-06-14T22:31:01Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQILAwDh3VI7VctTAQ/3W4JR3l6Aiw+cfwFMgYLr/7AwJSwC1k4w2G1VCwXMBN3g\nmC6YPp67WDR1lOTb6zpviUqVTKAEy20BMJxU7JulAQPInd/zL8woaAHc1tp+cbFE\nr2mIHPKFGgA7tc2xuGxw9+WeWHzjrdjW42vWfvmjoL1crubSzWzr20onKgT/dMwJ\nbFMGEyD7gfDY8Z3TAlMGoRTNyGVzFrsKHkvL01kW4T6K+69ECSUDXyMimA4njPt0\nj+ukDmjojtyUjxHKEvyDtjfTZh8hT6f80w8o7cG+YSJF0h4lXEdvKay3WZ0RbwZg\n6ZUI9Ng9SkFEhcIDzePg3urdne+oJQQxDuFYfioh1Lm0aX1kt0GzU9r4p5pwjNoz\nAwoHuAPaVnwU553qYm6XtghzwsHGMIa4r4JFF4+/txlC21XN9u0sslIUc/CC2fyu\n1rNRgg/4TvipAFHfp0GRWMraf3FchDhFzRqPs4Ei6Vv1ffEKQGun8iykLnN7gC3f\nclCjiorc7pmh/ZVylyKuSvR+TTih3Ysttm9jCNMB3rIkCIdz4XaNYbCPUtb8sMub\niBxcqgTIDNCc5r7CnfDyalmHLZ8s+Q31H0Ci71I3EhHf+7c6KlfCLWuLHUpN4abX\nr5xv/q6kXJJHFOAirrUH8Sik1ydE9g6gLNr3udJzdDehkSflkHAd5mka+v/+n4UC\nDAML0VEuZyGBhAEP/jGuSsy8X3dCKtdbvnN+6SCspC/reKhptMGhyxLoItcyqku+\nXCjAe5yxfHEFjPzA+zMmOF2pmsc0FlZu5+eR2+karAuK+f0fzbv2krhEE06X9mpi\n3vJDoG+Vd03Wz+C/Y69xSIbGXY97msQo9XkUuuBcVjUcsFaf7je6NNLAFmj0Mmk5\nzKmXgCL0yjwFmGSGUnFIjrXlKil1gBrYHYWH+vkeFnNHbkbh1Ul7LYPkDrT81Occ\ne7D+yMp/URxTY5IjX7yVDSANCBhK3reGSSJ5M7a7K1LolGGKUtgMLKfWs9uSVqtJ\nA619Xvo19QYladZxmvhLNS4ZbZkR5mH7pcUmX9ltB6K6/kNpSdujaYALFFLnIgmv\nwBaUjZ9jmx4zkW5B0MFshh8SNrSfbPrmEJyBF/tOLGj1YGzj3TIq9Yf0OnDtmycW\narqmFyh0CWhMVfI/ekCjSCUI+LQTi22/itmfv1IFlrVXLWtWjVNN3y+MHz/9v+Cr\n5t8mWcTy01upfwNxSEcjsAFsjyAfvjdA/TZMBJWZ5ltnEQF3tZFV5WChmh++FNY+\n1GPqtEJdinTVxfv99N9CZIwZUap4+WSYVbXEmygVMUP41BVxNLjAPo4Z6PrDfnSB\nz27BqzIDnNwVz6Si+UreJDUhogGDH7lZua09Mjb+plUyBhAJEvT50Nj2XQyV0lwB\nky4gz5OsMQivfD+bWKOx0E29KnVWWSR2HW82uPaDfWI7uPxaON7YPIvI6Xd9pOUd\n7EdEmSiVVAfbqeplRRdClabiBL8Tm6QLiAnkQiImg38jGU02IeCNbXfzbA==\n=jGFv\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAA3TBZeXf6RLph9szeqCtmoXyXDMS1l7NRjhmM85YyxcRo\nTuJQrXA8gmIAen7iVjO/FnndAqd86ddCirpBr/aEKtB9v7Poxx6A/kubV2/EurY7\ngbjWsvY/x6Cqv8IMCTkVdolZNOIYlw4bK3RqERoeWXnvCEXVK2c8fqxmcVoNv6yR\n5leIyApzs7dihbdhK+8nTunIMFJSfP+HQY/wgyowgp3cFVjPe+eTUk8T1xkrir7+\ngfddOHNKnbQWpZRBVj2NE/0dwcKX/rxPHU1sCxOg1TW05jTxavsf8x1+2ST5VLI8\nvttzB8H58OMpDZ1xgoMN7SGSWdTN7BgNcLG4rsGb/GW4+2bxJQ3hS+4aTa59ugXG\nGpqY4ooUopRyOh/hE9xqZ4CXy7IEAGbiBKnwJH+CFlXNygPSURoz9wCH5sgqQ1eA\nGfHrXcGNe2flx9gHZ3g2FUKeORs45CFQLxn2HDSuzVqn9nZfWUFddk9v7G4jSsRg\ntVrSevOXTSFzaSQr5GTQocQILG8HHkg67gKXWMNnk5CiUMVojTljcCej1F5s4Lwg\nljTfTWJMUXfD3Djc2Ap/L+PfxO/Zr0Z5glAndSFQB7aijFaQOR+TVQznRNv90UOk\nwQdF6XANcFMiK3yKQ3xZ6d7lXNTCPlLi5ngakpXhMM1lP0/xFuMWB15IL4yA1FmF\nAgwDC9FRLmchgYQBEADAz9QQ92i1rObvnk3utRhxqizU1SIKhZHEzkdJ+M/9AUQl\nDqj4ge191QMWlEh9jo5ln1abxfVMEjDbomtniPsM5kxPw9qK20M2873ibkps0yNZ\nTdqI2hhB8qBtdEOD/gKq3M27/0c3O7rpsIv8kxxdnmZ9GlRjG9c+SmVqdmZ+PLcP\nOrC+Fq8kQKhINaYdpPoT6x85FW0YLvNiR72grHOKDofqBrFChxapf4HKK6T44TX4\nPKw9G2o/XtN9Z1sfh/R44XsNwTjG8EHrwQLsFYoH3+L7UoNkkNtcwleAl0tkjyVZ\nkq4g0nJKO0KbB1HAM0opamYKOsCUaXQ1MLbXKAmIKy1wuKJR9ibH7E+2Ne41fHJv\n0v243FBnebJP5wlrDY6aBNBX5lPeJBF2q9njp2OnkHWktQD47EyhPhI0hUxN3vzL\n0dSE9/LFgWtvzXqVWIYBWMHToBBiqJRgspw3Jf4Fg0l7Q9p7u2/rwgqbIWMLIDt+\n4tn0ySuiV9jV9dVG3Ho/X7owgr57PPetTvUcU6Ph8Yiv6riLZ+qBy636iGmQd9Zz\n/8nG0BRAnU0YOdWUtvOvBvI+JC5DIs2Trj7Th0AJvlAVLiiR1+0dKk+BdNo/LGE5\nRNNgJIwGHMOZXJonuYfYe15Qy+Qcx3J/NI9VOOfSmzl7A4s8NqtuAt8FNm1cDNJc\nAZp7gi3i3PxxsEXefNMtbFDLe+5yQ4lHro47BxnNAyvnYwKC/VAiwatow9kZGNWn\nc9J/PZinOYPfalwqOl0Zn+pem0hIestNplin7v6ynxa23Cg4g1xUou0ve14=\n=UG0o\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/pyramid/secrets/secrets.yaml

@@ -1,48 +0,0 @@
-home-wireguard-client-private-key: ENC[AES256_GCM,data:YL/nP4DGGjVc0wRrbJ0x+iyJfdqhE90Ws92QBl/lr3RnJzA+stcz0ey/Rk4=,iv:Ek/RVzDpcT7fqVh7OnNc9QXD3Tk/2bm6vSQDA38j+DI=,tag:G2dSpA3KZmbKAfIN+2d45w==,type:str]
-sops:
-    age:
-        - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcVdIU1MwTlQrVlRMbDkw
-            WXZlclBlYmp4elMrTkFPZHRpMGlGZXBDNWc4CkliYkNuTnNuZzRieGlvSHV3SCs1
-            S1Nmb0VJaVd4MFQzTU5XVVBuQldIVzQKLS0tIFpGUjNaSy93MDVQVEFvbXZzQnJp
-            Z1AzcVZpVlQ0WU9pNDNoTXoyR1RGUEEK0dfAegOiBXCnLakgBtWCYb7+hDqWFYUK
-            rXlXTBtICLgSzLWTtPbSVzrrZgT0SAM6vnLO/iNfAIXZlxjeOZrP8w==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-05T10:37:12Z"
-    mac: ENC[AES256_GCM,data:RcvRagYaFGwMwrV63tffmYcA/m1GRjXpefR8Ab65jaldcWjfERiCWLFha9aQ1QlWUgSvCWbgC9/zFJkBBca1qVIvLOK1+nkI/ZjQ5rdUOJaP7mukLC3tcm+5f0Fe+GjTCDHGIZd/dUgkF+xVhN2XnFW1ExzRRt6q4a4pKvL6Ml0=,iv:EISJGqa2hQfjpu0X5wMJNZXzv0Loejj0Eb6kosXjU64=,tag:S81dIphr1rqQSO8jAZCABQ==,type:str]
-    pgp:
-        - created_at: "2025-12-02T14:59:04Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAwDh3VI7VctTARAAlcSjeRYoj2Hhff3PbKtUdIisAyRHtX84+m5BYeRmcx5k
-            gwMmitFaYQO9IL8EJHXfwIlx+7gubTCHKVDEIJPT6+jwNjWPvdvRSdmelY+xIhPE
-            rISqzUlbpKdkhRco0vKNX1bqfLWPqcWPREyHLg0WsnPJjAmNHNz3GKDnqFJG4tip
-            CDMTp16dJWAnGF9uCPDZ6CcpuP7U4CHDBH5KcGnZFJoZg0VvQhqW1uTwmqI99j5G
-            pB54n/nhCuNbL2vktBZQp+vrwiykb4+1rZw+CcK2awcD2Ugk0d/7KieRSxRIKEbW
-            COIkJRxXkc3JbLjdVIZBQGUSNTtjG3Q6pUaPuECUhb+5SyUDIpiUmpR+/3iIitjo
-            OY+1nDWji5Q2d0BSkoRFiH9KeZn65vduQyEQRX6B0yrElBNk7etkvPdJ3bGoJ2WX
-            Qwlkx0YP+a2dwEtvlKav2D6aJ+uCH2MTAVVL6wEK5a6s2QYkc39qpGhzRv83nbsU
-            Bp0QnJ6ZSjf/C5fAealZldXO1ZDIDpbH5xObaanrYgZ5ufnUl2Q1sKUXNljTYigB
-            tN5z28AiDeV/INr7e1tPV+C6RtHDYi5Rxo9lfoehvdAWkbfdl/iucV2LkwWTKFLO
-            istGzbaxnPtJmlx6FXq+fk6g3GQcPvuv64ZqnIv76VclWcPZDYUK/EU87LAO8NiF
-            AgwDC9FRLmchgYQBD/4maY4LhehaKtNMt6r331YjlsnZxcv/4L5zJRc43XLeJJjf
-            3xjU+TZ9RvjwsTaJ4bTeoVxu8OkFgugvRVhp9sQuu/tGfWbCpn3hWIxebivarQdI
-            7L0SkuHg1Die2g3YqdbpDIzvnLueSvuNDJNmyUgekR8TdWJ0A/pwl/poAu8nZgtw
-            hiIXBdLt5xEUOihXVJwYIoHu8yjL6aZttDyZfHuDDTcCwXdqYqMHyTYmcNdGakrl
-            DG+x2TgsJMtipvYHT4WqcVtOYlVAH4VfgxfmcWvEIXT5u1ZpizntFqGAgsTwQwCS
-            vs8vbZ5WFqQTYZL2t1U0cX7ExWWdY7LZ+ap3uZ5/2R2VkT+FdplRz12DsobWMP9z
-            mjveWhiZx1TPa1rf5pigcvtFSQLllrLhS79Per37EoGUArS9iM6Iyhd9avHAqNTp
-            ywZnJ5JpQKVDeRsMZfpoKdN/C/wqSAl6O6NQX06aY3EIYvxKF8h6qK7u/4WdlVd5
-            Ml4Yn18HyeTkbz616TlMLlGQMNuloDc+XVORVutVphvxI50faIwi4I4q06+7+yuX
-            A87uJatXS8K20mDkzygP/j+T3eSzEMB69mPLo+cbhOfcmk29x7Sg5pf/JYAOuYMS
-            XGlIpa/VmqHOVcbD32sm2/M3AOgZBz3D2Tr2tI2JyK4ZqW/7AIFYNhnv7siTXNJe
-            AXNBE4bU/FRXGOH4vOqoVFvBwYOd7Jlr8QnMpFQuBDMz/408lkIojd5njvLsu/4n
-            qE0HKP9Sq3XY8dP4012GbkN9U/m/ca2oqVUy7rrEhGc1gLddlISHMMjNa7GsBw==
-            =fGF1
-            -----END PGP MESSAGE-----
-          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2

hosts/nixos/x86_64-linux/summers/default.nix

@@ -8,33 +8,21 @@
     "${self}/modules/nixos/optional/microvm-host.nix"
   ];
 
-  topology.self = {
-    interfaces = {
-      "eth1" = { };
-      "eth2" = { };
-    };
-  };
-
   boot = {
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
   };
 
-  node.lockFromBootstrapping = lib.mkForce false;
-
   swarselsystems = {
     info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
     flakePath = "/root/.dotfiles";
     isImpermanence = true;
-    isSecureBoot = false;
+    isSecureBoot = true;
     isCrypted = true;
     isBtrfs = true;
     isLinux = true;
     isNixos = true;
-    isSwap = false;
-    rootDisk = "/dev/disk/by-id/ata-TS128GMTS430S_H537280456";
     withMicroVMs = false;
-    server.localNetwork = "lan";
   };
 
 } // lib.optionalAttrs (!minimal) {
@@ -43,6 +31,41 @@
     server = true;
   };
 
+  swarselmodules = {
+    server = {
+      diskEncryption = lib.mkForce false; # TODO: disable
+      nfs = false;
+      nginx = false;
+      kavita = false;
+      restic = false;
+      jellyfin = false;
+      navidrome = false;
+      spotifyd = false;
+      mpd = false;
+      postgresql = false;
+      matrix = false;
+      nextcloud = false;
+      immich = false;
+      paperless = false;
+      transmission = false;
+      syncthing = false;
+      grafana = false;
+      emacs = false;
+      freshrss = false;
+      jenkins = false;
+      kanidm = false;
+      firefly-iii = false;
+      koillection = false;
+      radicale = false;
+      atuin = false;
+      forgejo = false;
+      ankisync = false;
+      homebox = false;
+      opkssh = false;
+      garage = false;
+    };
+  };
+
   microvm.vms =
     let
       mkMicrovm = guestName: {

hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc

@@ -1,18 +1,22 @@
 {
-	"data": "ENC[AES256_GCM,data:xPgUMSYz77DhqS8Vvv5FawLGZOaoI+yVqyK6NIqqF5Z+eVN1FyYjg6tPRB56rq4/yPtI69fKpQyEvnrtOZRFp1L6R+blweXobmeG762a/FxoWmh2CaF1QutFKtS94xfJmci7De5h67miKRy7rGWOeMs8gvjspvLtGrmDJQj+NQCwTvUDcibMKL59GttYTUhTxeGyN2R3utEQeIkI0Sf0mJmQUWXXMsjiMrQGhGx1iS9KJHlU2izl4pZMDsGr01d/seV7O2xspfhf5saJk9yiTwxyKLAW0ueSAnstfQJU+CD4zDXxbxcl94dzLFkJm+WTYV1X+IZJtMODLYf2XgVsz4Ihf7CuzYXHGw==,iv:3eohgv4d8CUuGPb8ODmEeAGeBsfwZsmFG2ZuxWkbKRk=,tag:31eaWzlcCslHMTeq3kEvJg==,type:str]",
+	"data": "ENC[AES256_GCM,data:umKGtD7jTa+ex3ADPs1zR2o9YU2j3y3zCEupCGOsdJyicM7u0efXDI0g755RdPeNJiB/z1DPy+mAkePPq/m93CCppTq0BYyt0JJw53/j3ghCMJj7N3wUVstMUB01jewDSUc7SLay0lkhMCWbrTKsR1pwnfFRAG8C3rWXQB2EkU9FViCo8VaOfEF6Cq9ev/r+SEepT85wvoMxxIg=,iv:bgJXEoj7nRUsi4fA+bYVYvJYavS+BoDuQt2SCrX/2W8=,tag:lmOjPU0J0Qf/vcnO0owTZg==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl",
+				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RjVhWERrSGtvYUhYOFpo\naDZ2UGZ3RlQwYVJaR1cxbVRRYVBVellBWXpnCjcyYjFYdG9YNk5mNWdIYnN3d1M0\nWTVLM0RyWmtyejg4T0YxNFdsTElLTGMKLS0tIGR3d21SS0Y1MHBsQjdJaEpzUUNk\nVmhjRHJ3RDhDSEdTWlpoNDlWaHJxM1kK3KsLvzB4QGCqKS1pq5jQjXU0tkS6CDat\nL8emFbAPLKPEafb/dZP+AXupztod9R0feSaDxTre5m8ljplEnE5Lew==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBET1RmRTM5OUxJMGNyWUZK\nMXFqUWF2ZHhOZ1pxa0RDbkNzWnVzVFFCbTJrCm1oU25haDl5eFg5T1VzOXByai84\ndTR6TGREVnBHNlV4S254dzh2Z1lvK2sKLS0tIGFLaWJFQ2VwaWtxaURqNDU2ekRQ\na09Hbm4vNnVQaEV1aGtqTTVOUWN2b28KQaoPc/UKaeQ72GdlbtWFdALywHcUkewf\nK5pEz41pzDKOjatypm9X8ZEIEarjOHIZgMpazVM4i1PRUUefSE0phw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-17T22:56:04Z",
+		"lastmodified": "2025-11-10T01:10:33Z",
-		"mac": "ENC[AES256_GCM,data:+UeKJoKrYLGMU0LMOVvBTYCrwS5gs4dWIIi4ceUnnbs3Q2vqtyn52Ht8ECH6EAHnEtk9G5IBj72NmLgu8Hr24mDc0SFpJKqFuemvJHef9t6eB3ZGYFNwbEJ6HOjmmp6+Xrt25b/C1q7mw/ysnb0g1Fs1I0GzsyQAjDeYWYTh6Y4=,iv:ndTm8UuVgt/O44vlKafu7F9knSNNO2+RoH/GoEhTCqA=,tag:PQMhJlANkxAgngIdzuGEdQ==,type:str]",
+		"mac": "ENC[AES256_GCM,data:4vPX9TdAGGBwzEc3W6pQj+BVKjp2kSAMB/L3QVXZbDHfvyKFWUOqwG8u8P7XDcuIrrpx65YuJp6zwexpJjg5zkU4favJt+uHD1wWC3TZcCpda6v3hGW3RduQAwVy+18JJ+PdSxHzrC4jmj+t/HIKp6Bt7qB0Z1ynrt/CdGIVxh0=,iv:zQQrl19jK823UynE3EXLgazehpWW5ltRCWKdnElVh5k=,tag:zIIgbyXSw6f6xW2CaVW88g==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-12-17T23:34:30Z",
+				"created_at": "2025-08-24T23:36:17Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAA2WAZd8mTmgXn8X+MmMTgSXZX0TJSV7gI1U98+F6ewg7Q\nDB0Q36UVEtbpYaQi+vdP0g7lzPo9ubEaO4U38LYiumxlYZASmn3faYLvgikSpDM5\nnE9Huhff5Z9gP7tY0Kq37xEOVLNx5hI019ULk9r/7T1g2bOh4fWyBVvCseQ+8r3i\nR1IN2QPCWP39evzL/FUHtiFH2XD/dFtHRLqV2Zd7JXJ57FOdwROc5omKh1bN2Q92\n9BCJ5vE32gpPcBxmAz5VY4lgF2SYps3Er9ObgTv5ux7hmqspQZayIvpYeERXTeUp\nePAqzmbbcG/MabpjuUboy5KoWsbEi4SsohzJC5r/oCnRCbu0PCz2Ip8f7CyMUyhB\neOjAJ7zrY8XW/ee6X0BYIZwUZhZw8Z/Qf2x+GSamamkhEA9AhbQcyW+c2D99vM0P\ntAqVqaPNqNeMVpmUJtgprZP5VjbckIkLsgtRRqopKjM7FkzHykwhI7hNJWJmUnC6\nrI/y+xGTQ16kge0NMbgwRuGyxFQbB9FKB5VP4vsJ227XjrEZ5HaOd+XOgj7Us29q\nkIl9ZGKbEUn3I5sxI/0ijTG/pPN+H3ROvXs9cRBkBa/T3uL4Gdvideet7IxIAOU7\neamskzNS5OosEyafAibD3ctB4wI/E19HS0JKoRNsA7CUqzVXhx5ipeLXec5tHMmF\nAgwDC9FRLmchgYQBD/9V20QCxpY8lFdhbiN5n3dnlsGAIQtYTYKXWqTWb/iq6Mhu\nUU+/2Czu1fpjOEmPcvKk3XxM2wclzpTG+7NWvtHuDLe9HCai6eujY+1Jrek95AqL\nDzm83PDONp61nGj0mCHDgyEcnDK6ViCglofjjAN5HmfZxw6NI71GIk+c3qLx1pem\nUR7ETjjBbBW3gv9BXAqe+NYRbFx173lf6er4ogqYWRFCRlN7IQGlMLhAbbYfiwIz\nsnyyCj9UEekFcsVkQHoIHFeuP8xmsOjL7AAtKAMXVL1UdHfgJjK7bI669tzmcJJV\nakECPeKDwk1/C6CwHtKrnAHoUHPLw99WEPThQ4yselDBkf7yFibnHc6dNd77xIEG\n7lVyZFFq/a+gOOWdN/6mxqumD6LgQexoatY+8shQEJ7tfcNKs3ptJZX6zLiA1A1e\nzLxpVqtAmU7H399M8Q7Q5wiJh7wlF2ssADnAMws9ybCzKqBAsbBDhlwrXvZW5lic\nQTMZoeYBgZp6l59hHppcaUXTFOCR0fW10VNyyKJa0/fRegptxGAmvVQzSLLJODw+\nXHxabaeuF8IcU00GqIC/7OuUY3yN2IHYjxkB90F+rOHYj6nF6zFxBVRplqvgbzbq\nSpx9/JEuzVqv7cwmix0osmru2NrY/xvmtJq+8VZooU6JcXk+wY5MtD7sIG/yFNJc\nARwQJ1fSiUBvXVBM46O+XQIPk4aP10cxhz0NF0LTCXttJJnHqgjjI3SAGvpAq2mH\nCGPu49vKjzW5l3Y8SfHGPe1vU11l0KZeXfPSijhupM6V45N+YBkwDLNj0Qs=\n=zt+q\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAwf7TLx0TR1HBhh57CyIQLw8ztc9oblKAW/V7bSlQM/wR\nIwQTcTi3azdI9yewDRO30rIr++FEapdGVdpXoqQ8zcl49VjwDux6wzF3bsmR5Goc\nlTkDd0bmz8RBfsK+6efXiRqo3C0yP2ZTOh3PSOvsXKbYS6wY3TvNBdGnAYrfOvEw\nmBFRhn6uakw3zjVUngB1di07DH3y0wEb/r6+Mzoswzg4DqT1SAdDkfS9dpn9h3MW\n3NBesYlOukLrNA5Toi6x/fmE2lrPHt5QxPdvfvKe5ye4myZ/gBn1mdejB6U9nOsk\nRCJFMosjBH7jIpwokTjUT6Vs+zs8yrF+gbP82H4RVfZymMfdZoU/pTfYe1Mwg6Yi\ntlHyiRBgSPBY8Doa2hM8/yvmfHVMqSQf8uXltz2VC7JUGD6P0QbDLpqY3URmHg/q\nwN3zYJLlSIkU6Z7oivTjfg0dR32Z80lCdZDQf+OQsRtCUi169Fgxr7+HhdxJyj49\nFIb6CR0DHW4vsEj1GPAa0Q4uMfCxLiSZfesY8myoCtlVo7oeqx787KicJB5PryHr\nyZweKd7tXO9g8LNJtECTZ81y2/sCfSZPBia6M4oz56pIFK4jhYCY3iPnWIS77axu\n5MmqZNOP06obp87nt1ea51BmXkaYxmSPoQ5R29CeYU+m9q+kKvizncgsCl/O7U6F\nAgwDC9FRLmchgYQBEADJo2kPzrxLHptsr6aoIxfYNrQ7JJM3FAZ7do5YvAbQsl5t\ny45qZ4+qWIEMRXwji2TvgSg8/ylnZfN2+rTHdtNJkDdJ2sX+RDr8pm7L3VS2Zhjf\nIp1SdPd5cm/3QupegzUR+kcPa+gPM4asGSytIkAnnpev/DCnLsrqiejdosTDj9dn\nFtPKJKSUBzJSNRxBSpM9L+cTU1qyMT024D5Qvq6vBOjFI1YV3LSfVXQe7OZxxxVX\naChkGR1v3UjndQ4Yv9hamJJ81lRLeIcVEOpOPxLHJX76AJUqP3fR/+m2Poah8bFF\n+yIdSp2jyWOoU60We72fvlEwxsTLl8Zani+xX2ckkUCe+wsiGJLch4Df1pepxpef\nb95wZ9L0msRdHY8vRQYapde/ju8CUHgywVX7+YH3EF1bJSnUOBmyOA76v9ir09am\n49g+VomkWUuzPJ2VYQXXH6d/qn/sm9Z9yxy7e1eh5m+9cd42b4sMdW6ZCTMAtGJF\nPX0SiOMR6S0hjKVBcfcyNoT/wo7wqEl4mYDpoCy10K0nYRn+ggJnIZEJzBWibMYH\nDWUDyuQIYLjOBAchFatXyMtbc8qDorYelLX7amPRDSiDhhj6Y5nYMJtUSwfTLwkN\nrI0Q4bjE+fgNACCqPoq/BDFZotcr1b664ZUJqgnTBPKZ5OnmW/iFkOfzu4fF9tJe\nAcekEPwsFbugu2bZ0Hs5Rl/Dh9p4L9gceuMiwJ3oYGA5cwXFCeVZLNqSDLy4upVX\nnXRaMzBNGgWo4geDq5JL10Mh7/1d4GGVxdts8RGdI8zUFTPV3GOaPEHeNyIO+g==\n=2UMI\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/toto/default.nix

@@ -6,8 +6,6 @@
     ./hardware-configuration.nix
   ];
 
-  topology.self.interfaces."bootstrapper" = { };
-
   networking = {
     hostName = "toto";
     firewall.enable = false;

hosts/nixos/x86_64-linux/winters/default.nix

@@ -1,24 +1,20 @@
-{ self, lib, minimal, globals, ... }:
+{ lib, minimal, ... }:
 {
 
   imports = [
     ./hardware-configuration.nix
-
-    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
-    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
-  topology.self.interfaces."eth1" = { };
-
   boot = {
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
   };
 
-  networking.hosts = {
+  # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4;
-    ${globals.networks.home-lan.hosts.hintbooth.ipv4} = [ "server.hintbooth.${globals.domains.main}" ];
+  # globals.networks.home.hosts.${config.node.name} = {
-    ${globals.networks.home-lan.hosts.hintbooth.ipv6} = [ "server.hintbooth.${globals.domains.main}" ];
+  #   ipv4 = config.repo.secrets.local.home-ipv4;
-  };
+  #   mac = config.repo.secrets.local.home-mac;
+  # };
 
   swarselsystems = {
     info = "ASRock J4105-ITX, 32GB RAM";
@@ -29,18 +25,8 @@
     isBtrfs = false;
     isLinux = true;
     isNixos = true;
-    proxyHost = "twothreetunnel";
+    proxyHost = "moonside";
     server = {
-      wireguard.interfaces = {
-        wgProxy = {
-          isClient = true;
-          serverName = "twothreetunnel";
-        };
-        wgHome = {
-          isClient = true;
-          serverName = "hintbooth";
-        };
-      };
       restic = {
         bucketName = "SwarselWinters";
         paths = [
@@ -72,37 +58,36 @@
 
   swarselmodules.server = {
     diskEncryption = lib.mkForce false;
-    nginx = true; # for php stuff
+    nfs = lib.mkDefault true;
-    acme = false; # cert handled by proxy
+    nginx = lib.mkDefault true;
-    wireguard = true;
+    kavita = lib.mkDefault true;
-
+    restic = lib.mkDefault true;
-    nfs = true;
+    jellyfin = lib.mkDefault true;
-    kavita = true;
+    navidrome = lib.mkDefault true;
-    restic = true;
+    spotifyd = lib.mkDefault true;
-    jellyfin = true;
+    mpd = lib.mkDefault true;
-    navidrome = true;
+    postgresql = lib.mkDefault true;
-    spotifyd = true;
+    matrix = lib.mkDefault true;
-    mpd = true;
+    nextcloud = lib.mkDefault true;
-    postgresql = true;
+    immich = lib.mkDefault true;
-    matrix = true;
+    paperless = lib.mkDefault true;
-    nextcloud = true;
+    transmission = lib.mkDefault true;
-    immich = true;
+    syncthing = lib.mkDefault true;
-    paperless = true;
+    grafana = lib.mkDefault true;
-    transmission = true;
+    emacs = lib.mkDefault true;
-    syncthing = true;
+    freshrss = lib.mkDefault true;
-    grafana = true;
+    jenkins = lib.mkDefault false;
-    freshrss = true;
+    kanidm = lib.mkDefault true;
-    kanidm = true;
+    firefly-iii = lib.mkDefault true;
-    firefly-iii = true;
+    koillection = lib.mkDefault true;
-    koillection = true;
+    radicale = lib.mkDefault true;
-    radicale = true;
+    atuin = lib.mkDefault true;
-    atuin = true;
+    forgejo = lib.mkDefault true;
-    forgejo = true;
+    ankisync = lib.mkDefault true;
-    ankisync = true;
+    # snipeit = lib.mkDefault false;
-    homebox = true;
+    homebox = lib.mkDefault true;
-    opkssh = true;
+    opkssh = lib.mkDefault true;
+    garage = lib.mkDefault false;
   };
 
-  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "enp3s0" ];
-
 }

hosts/nixos/x86_64-linux/winters/secrets/acme.json

@@ -1,28 +0,0 @@
-{
-	"swarsel.win": {
-		"fulldomain": "ENC[AES256_GCM,data:CVasUSMRn/KWzVRlcYfTO/RL+W5Cz2JpDj0JLAKITXrDZrl+Wsg46X8zv4hX6NLj/wAyvXQ=,iv:N3DL4JPX8vWTbllFWcpNulwtDJ57xpHrAwoUxWhTzxs=,tag:CYWoK9uT121rFXQ5h69CZA==,type:str]",
-		"subdomain": "ENC[AES256_GCM,data:uM457vEJa10IV4SovBDUzLLlW+mPwh1SiWr8thQisFoe6zAk,iv:Tdbd5a20Gv/thkPfsvNiAbI86JjcDs70MAfk4yCZLgs=,tag:MulJiRWPs215x0bc+1jBiA==,type:str]",
-		"username": "ENC[AES256_GCM,data:ePE2BEKL5uaXqzGngW9ArhwP3qwDzwULtfwUfb5Q56VGGURp,iv:/GZRbyXHorcq1PIYlhfOmUVwCg0I/N4ZraEzSrc8qmA=,tag:wM5B1U0BsRsBAJg3qNOXpA==,type:str]",
-		"password": "ENC[AES256_GCM,data:RGzdi8IMqm+rtiuU4RtWGQ4N/7FYBbp5Pir8/k2V1QEdM8z7SIn0FQ==,iv:ThFbY9eZuEZoyzcWV5DwtSi8ugNwM49JfRof560Qx/Y=,tag:sgMaLrPB8WgpXWPzaCwOBQ==,type:str]",
-		"server_url": "ENC[AES256_GCM,data:zJdXoO7ED7qeskYJ9Wu0Rdprbvj/uP+Z,iv:ce+QXocqCjNKCsZRyVt6koUyc2lsTwPNMcfQyqbktN0=,tag:bQSE4/6va+V0TORWANLdUA==,type:str]"
-	},
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZ2Fhcnd4RnNIbExibGlr\nMGNoLzltYStyQjNDSG5jbCs2WkpqR0VINHhnClF0eW91OUVvSzhackNPS2JaUitJ\nSW9VSnEyWjRHM29hT0xHUUIwTkFQamMKLS0tIDJqRERxQ0l2NElxeUhScUQ4R2hS\nT1dhQnRTVWM0Y3dUMUxLTGRhZ1h0NkkKJI58M5YOldaj0gy67WywMK1vTNqBLz+T\nK+/0PuEooKZkcdd92+UUoMMU9JcfvnvzKmC8Ot9xwiaLaupb2Fb7Lw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-12-04T19:04:02Z",
-		"mac": "ENC[AES256_GCM,data:nWV/knCo/MeWTBrfq1VlV6SPEQ2i2P+le82S2So0BIxPfz8tqan0MdaIaKLFlapsT9VRJOv8ZCCXSLWeGcbEvfmEz4MP1E4iHcU/4YaO+n895D1JrjeyP1cgGisnXqe01xMXCsDY178sqxHcnDDlXp9foCem+mGjIlKGPYGu5Oo=,iv:qbavbW3MF4fx+E3aybBYaz/T/Hb63ggWml4Oe9WFz+I=,tag:05vBbBGDGRNaXJWoZn1bVw==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2025-12-04T21:07:49Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Owp3VI6TVHSb6hxNioVb4P/e80pnf2LZQxhLUOb4QAfd\nkXGJLcdC3rIDF7b0qfJJrH+hCHSZBqrE6in43wDXe3Cj2CzOWaU8kABqMWKoRhG8\nd5Lbrn5uMN9sOWQugjFwtDPQo/g38wkHjJRwtpp57K3W7t7A1Np1Hma9APLwf6NV\n4t/A5vkib6n3Ilyc8e4eNlZu2yV+9fkygcSQYd9QxCRdqAbH9yCgtQ/iYpW4wNXW\nB18ENwOi9KiyWO8zMtGdj8Modaw3yLo9qku2u5BkBnbvE/SDD2QzxVEy8dc2P2/9\nkT3GLI14WaoTc0uCHQfGG6FOKbyD8P7VMdk6K7LuBrAANEaqwb77NlsIulekCuff\nRHjWYzzLv14wumO8+3dXvSWwdG3or0/caH4oKfifTbwSOwSTVru6WAWBGx0reqwO\n4+CQ1WmqHM68aFzlQY40dcT6i0jCZpvL+kMncbOn40oZt2+7T6h6zfa/YyWN9n1Z\nc3LhbHTYjA/gyjc+hD88SKCyn1tFK076209KeOpAJnu37Vb/O0BB9T8cxe9KVkMa\nz7SBXE7BEq+vc1BKpHN51zVmCP9REbQ//2RS2JwfxuKxj5ti7xQNBfliCVn/04bj\nEYnortuIFKjXGhZBBrgWKddS7zaU4Ux+1Nj8NAou4u+Cpi+EwFfpVvp11136H5OF\nAgwDC9FRLmchgYQBD/9fuQYiGbtsS6dm4kQzS6Ptmx4+Yi1QYywY0aU/S0wz+LBc\nn3ECc3AypbLEemNU7OeoveOtPj7TyJ9Wth2AqeWSEizgA/xCttiX311+emK5LqjM\n4KtlxJe8P0Hun9vxbcGRVXIN9IKDk07MWPBVQ0nUPnPlNTzZtlu/ahW+Rsyxm8wY\nq035Wtyr97Ak+gtB72EU3sEJ7INpNbIsbfa+AAbda1drrhvtde5kgnVKsSdC3oBy\nTo6rgSjRT91MZoiY+L3oR1lwmxtu6snajhnCWHe/u4iuMMK8a3b3WAUNBxG/tbQd\ni9qOLYyjtdfuqRsNvSK6WsgpAqabfUmvBCYsvKlNUGx4LDMmKsMwLC5DfPSGk8FS\n1haVyfmMNoCkcG2RuT+mwDm4I6aX1VbeKbIFrCYBEAYuWh8Hdobw3TYNrjGvHScq\nVE47Q7bCsUeiMybmtHTcHH6WNI+LWx9EHVZCaccqT19FV1PAUDvU3Z9HO48kcrjs\nX2UM3HtmU84p+zgQQzk7I1ociHqFBnKQmVd5KVs52V3Sj0a4EhRMDrWOjoucgUqD\nqMPk9HpO8A8gL/Xoaxbs3EdaQJsy30aVKaeDUyTcTqTLvEAocUQApi1QQCKgoc5K\nT9Y2EqfC/ArWSJOtylcQk0sJfKSo317lBb50+h1XcFXC3gNcXgipxURTwUSqb9Jc\nATpFH2B+AS7/fG22KpHsop4b3Mwm4nNZKTnJ+5IY2iu1hg/96AYe+njp+7BtbrbH\nTxOiYyszqQ+E8WykRO7QwPxgGtlGkgW2fXRFmAxvCHMbnNVvf2YSQLefUPg=\n=MyHr\n-----END PGP MESSAGE-----",
-				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
-			}
-		],
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}

hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc

@@ -1,18 +1,22 @@
 {
-	"data": "ENC[AES256_GCM,data:xI9xiEWeszsdkCyGaaFxO3neMHj3f8kjiKyDJwVjQIVyBD+X+13vj5HoE1WsOOxNAOI8iXsE/Wpb08hIBLPxJjaip6Ordntl/kmv61uxEErQ4i8Kj9U+k7mTpPi/MOv5qlBBY3qhca4pW37UwRMUMl/BbM4YzCqUMGQfbkxuevNoIoeQPEQnbHtQDdVkFG8Ql4xv5tQ71IPAx9ktH5iVKqKumrPEL8/d3i4jmHg74Y9A2xHtX1D7/5FiNUGpo5nCEKVLB9RmY0QqKiC8V20VONld1q3b2K52A6cS6IYvFpWR7/IaBpitAKTbMldxK4cl1Llpy8CNeLNGlolFqEnv3As2bx/gdWagjLZ3/TWZIBq5xu/Am/5hrLnSlhvEGx6ZSJujIZS7htuADK9KjGn1NFFLxAWxRB0TUQmbN8jKsHxtk1QuwyWeRSV7WN8ybvE5uj/dnL61A9/dHvmqT6YY43TAIX70ahlEqCsHNLaPqEsFioBlP5Vl3+dRatFp2GMytL0MZsITwpq1Qx+sJilAJZESCZpwFBcEFzHrpjLm7WkyFXiLvdGPUlVDhpTA/R89xQzaNcLOte5A7OdyeV87X5awCdXJhk/csRXHTuZzaa00mTv5tEZnKJk9lvn6h6Pcy4wObSbRRFlsQQBmrm9TkG/E/i73C0o8FbB3AXth8dHdQVBoO6GlH9eQKh4y9j1zrTvjMh6YVRqt+i28NabYjBS8HehbcuWpZfhSqmgiVaaG4oXIe+40kEDrhyhxSHnRymy2lNtD2IXzE3T5ixEgvv52HxglUDATc2ydL9r7Vdyfypv6RK8EVUtcFWoxUKFs2W+Eev8cMHspfuwNee91sf4exRCA4Xdl17cQUYsy2l/tz+biI2nrQKLzq49J/guN++n1xWOnZyzyNjcrID1/Cbab1k07hCspxzgenlykaUeYCLvyB3K+AKGtKcf2/sv3Zq9TVumLzYgK4y2VNDV/fpqeAzFXagPXnBmEW8BEA2kJGcFLxEeMQnYVZI/pViwpFBZXXSwnHGBr1GbLG9D3D/OwrFJgCr0baE3hmQFm6EjK24hWTDvxKWzGUeetxNIt2hBWiaFuOcc+RNnItuTREYaKq7BW6I8h9FQR3igl3K6iN/y/ZGzjVq/15Jop1ZSj2h6jagRdq2u2uObmoMmrmkHKutR9nKqjQDRZp4K8TAq51xpXnNXI+avNFjMJqL4/zmaPVzibW4sJ0YUCf832cWmIt4pSZW+z2Q6UdbJXAjzlZ4GicIQAzgh5jQpYlpW8yVgUVJKyb8HEUQJ2KIep0PhRZDqhclyBGXoOdGk/IrRaw0sqNsMWx+uLh/wWO+fn6/3CrQd1WpJldHCFQIT1OF6sZ0DylYmIPAJb/pbiImes3df5VCIO2PrBILGJUDA1XTW53L7LovhQB+Pydeu4qjNVueUwHr6DEkBSvKdTBC7vJqSm2hAXdEG1/OYTliY2VdoqK4DfsmwapelLKzkQJ1k4neUt0N6A0wc+/Hpfg53u1gC4RFqvnYSXM1eW0BlvdxIwWbq48G3jqvrkLaxVsqeclGSE5I4pisxrMivj4iFjWG/z0vkAMQSoJTyveSUXxyA9f7uWArV79Usj0B7+2F/rK1Ej1KJEcKusji6Wl3QR2ZXBMZKlCrOPL6o0p2w2iZ/ovkJAHg2CYD6njg+OkigKYFj1rb6FhPhFSSuzxKsmEq7eJ7ABrs3NHE/MA7F/C6uZTnJNxiK3nxc+JLPb3CLoEgULT4DFvomDpbM+J6+frnblzCYirgq6bdpU5eTMhrd/pwVC0HOCJFsG4xDv2JwdYTKiOnoNr//4wyHF0xfyRb4g40Hit5dB5F5m3krTu7fIIGw7RuczSbV/LFd1vobomMwe1/GbWMAHLpiABAwYRz4e/6nNZtRrPfNMWTQ8ixNEZNAI8LW7VY2RwLF46feJIxuc4UfBRlg4EdxO2FdXjDSp47m1HgdtmXBmgyneGnIyeiWvgSYsSEClG0F7/6PWDMwiWsVO+KinaJ67nWG3OmO3bXu5JjxZi76vyAe5YdQx2O85vptUzs9EExile6s1+F1gTtUFytg183dpAkBc+ml9iEHv+5nGl/MOUMiu4CPFjyWlhp1Eo6Lm94ycAfI1ItqkOZg3v7sMTc12YBfX35ql62+C3DcqpCJiBreNytZnnF1l2lEPIAUVJ8pjsrblz38=,iv:kkH/Hy/0PNzkVdTfYTgKBAN6nYslP0OFIndsmORZVEg=,tag:j/fMiT9DCog0CHnM74MNMw==,type:str]",
+	"data": "ENC[AES256_GCM,data:vevuVfscWMiD3Lzc/bAS+jAqpzgkfBfcFAB7ChacGaj/PJfoi5AzpmlkDhm11GBcvUXcveMnbLbQexaF3dgPVwvbD9xr6e+mcMJjIry5c5a5wOcZkyGxXgPuPg415An9AQrO56XeTTSaUL+ScQB3kv6eIyzCtxZag7pRLnOgwFuGYqfwcDIcX8QHCc0ijf3XLPaM6dEgiFYDeOMFhOF4+Z8/d9eHoEQ3tOkWTmkoVqZFz80ZicEraliWnWMvCBhRLKo3gb7KFRce/AAEZQaS3CZOJz7v7var4Ds1+PZnU282aSU/xsY5Dq1vOrsZuoYqXA5WrdC9HaXAYLGaGFCzLwRTAfJvigV4PNwOePskCSa/qRlOGpyO1t1B01Y4pghdERNlS+1ltEz8nKVfIi4DR6dKy8NIhLl3huJQy6KHsLrjDHnmxeypo2sJ+NeyuNTKqwJo9x3krcIBt8SaUoFIDkBgshcDCp2eBcKvRIOFIa8r3rsxQ7gwG3YV7hS+NR0nwsUXodGXVzrdehDNddr+mI4GEMl8TTP9sdVSaPhKpN+QB3GGGoYwX2HJYXdY9CKIIlYcgFiDfPz9x4HqGnGfSpeB6QgTK40pmRmG6jQyIFZiW+hQBS4XHtKQ8CJx4zUNpiUArYzustw6riPkfYDex21SzsUIjpRYxB8uGHFvJlJVgr4FkQQg6frebKf2EjIhjc9Mjdw+g7cGb5+WavUfy+fIXztYwRI0l8aftosfCMdGsSChntKCymz0kpGREx00HF5blA6oyifHaVxRYoqraxCwbe+p1RTFlGonaYtb0gBWpdrQU+24HVQU1rMhc8HFHPjcWofE/ymEPkhRzkxIXMmNQFi/18KvZWoy2qOVtPmsEc4mOVRtC6w9AZZpcxI9CXhhuyDZlJ/k4bJzkZFrcNW8I7OjEXTNmsYkzJDSVzD3Od/1zhubU8LYZBBXuejzeH0TXNsXbS6tQXCJ2D7Gzrcx8LpXL/a1IjAUmIXguVtPT9nGallXO9jHV9g7GGjF7weTaEMb/eNSuLgQOpq8vziN1XLWhVo0WEQ8zU97KSVJS5moaTEPAEUlHC4PfM3AQHpWMW4EL7FZu5r1yw+EDOUA4k9u9HIVbn5XVZbWb18aVVkYZoulLIVU7I74LJlYE/BSYhGzp6Ff1k6qzPNTbVgXEtiNuLQKa//8gHoQUCsu019MEVAU4LhZ+nt4genG4qFUTuBujTriO4Vhdel9Qsoq95FLXDzdwRInUzfUhbLli/rKv+LDW7wIdh/peWslq5XkWBeMqJC97OSGzM/MaWIzzMY68FjCJfYX6I2nskFD1xZiECKukn0LV/wqQhrkmUuyG6RsZGAZuOoStWJMs8v+x+ZIMHzg1jItXO2ozt8P73EvdgOExJi5/aSf8sQwX7H5lesDtnGYU5+xV9k6R8icsIqG/TLuFAiqK1hmFQv7H/9pFkRq1LUXFmJXoKDfDByG6xUjMeyYOwT6yLShhH3MMWvh3yjflwzGo7uTU1BTpNbKT0LEh3Q9C1txZ0uKROhWKu70iH+kHRFVlhUbyYpZovu3BPB3WDhLiLuXIOss5+dVv5RBSYUtxpzp7Oq7mbMRIGCY1hOVCiCcUEvcXXiQ8JBCklWUEEJ15BAIewetgDiVci4USgZZYrALplmSFkKTZbFjYEIrf3ghKFXfVTkMixRmzTHoxKpYXzvB3TZnkmAXVhvJbGEiHsAaHpcfycAXygQAWsIFYzYSDrqYXmRhwEy/A5cqy8dYx+UA3bBAi4v0QPMoro3UtdI2ipM=,iv:+QSRj/TyZl6xbwLDbuwb83RkBiLUi85VYcpss8Jn8fk=,tag:uPqu0GaUGmChLweOGN10yQ==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
+				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UFZTaXFNdjF2UmRFd3VL\nY2pZZ3ZaRkhZSjdVUjIraHV5ZlNaNGtwM3k0CkZ4OVRFcmR3MFBDcmdsbWFId3Iy\nVzQyUGI1eG44d3JFL2NvZEg4NnduT2cKLS0tIEdhOEZETk9nRTlVbmJ5UW9GalVx\nS00yaUpJZVFVNThFei8yRzJYejRkYk0Kf6Z8WnG8phRtFIUWIPys3PW0OImhAcF+\nUFLuL4Qr7zWaeItCRieYCs1yBn7KbUJHZNkJcvnkYW50NYvlEa8wBw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBET1RmRTM5OUxJMGNyWUZK\nMXFqUWF2ZHhOZ1pxa0RDbkNzWnVzVFFCbTJrCm1oU25haDl5eFg5T1VzOXByai84\ndTR6TGREVnBHNlV4S254dzh2Z1lvK2sKLS0tIGFLaWJFQ2VwaWtxaURqNDU2ekRQ\na09Hbm4vNnVQaEV1aGtqTTVOUWN2b28KQaoPc/UKaeQ72GdlbtWFdALywHcUkewf\nK5pEz41pzDKOjatypm9X8ZEIEarjOHIZgMpazVM4i1PRUUefSE0phw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2026-01-02T22:52:45Z",
+		"lastmodified": "2025-11-23T18:03:21Z",
-		"mac": "ENC[AES256_GCM,data:p/m76sd+5HhD+tz7oSnoSzVRCnB1czTUTF90LSyLQuL6aVyTpVZp+p6/CnYc/fG+L/8wBUsLrwwajl22S2+MZAqvQFoYQwY/AiFb10wZNK2fzPEURW3P+QYzaf62nb4G3GlckjAcGxGyeGcU4TnL1qZEDgp/KcdZpsUwvVQvV/U=,iv:k7m4dOr13gczZTGlz7uHIQB/uFPEQJX19uHuLB1fupg=,tag:mzpbLMV5aun7IOvPIJv0ng==,type:str]",
+		"mac": "ENC[AES256_GCM,data:8KSKQH7qF2vLnR17a3XhYGAqYq4YNgf7XEkpeNVHD39Aj8MzdlsGPr9vI2o/N1yTpQyJrPW1ntKVvI9rHwcJhm5nyaQiHVwKHWcxcn7li6AeztV4HUqwKxQwf3MHfZ4fhWJrI7NYAuMAbmK6epa/ROGsIGnT6vQh3SImcn+Kkcg=,iv:dT8dBuSsYRxGe93/9ie/6/X4Ru5NDycz2pgMVI83wbc=,tag:r1mPjG/JOQsRDzCktIlisQ==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-12-02T14:59:33Z",
+				"created_at": "2025-08-24T23:36:17Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//Qx2BW0k3Q/pAvbKZScmhoIoFpV5nb+ZB72J6+f2HQLSv\nVQP72XDoYyIfW7ERsY09gkNIJejZ5n/fgB5KkyEqsBRP4fYDXl+XfAvPTu3YuQOo\n9mA2baJ0HkBnsrikycaUQAIXMMCAUBS6Ooi1blQeYA9khqr5Kc361IwB4bv8WcIz\nGcBPSWBc3B86qK/v8l0Kle1mcUu9RFxNZkitjxKdf9GDn6gKo3yBWt+/8NJLDUTq\nHjrBH4WpqB8mVDupg/p6OUASc8y0pnNmbU0GK3is4IO/bk9QqPX/t2y4CUhlE3Bh\nnxYGYauohXGs/IbCGXtkd/wRcMwsXtgkZYT/wfu44/O2VW7V7MpBGVlTXmOWK5yI\n2dkqpAt2T5tFVDDX8bqDfZ2xbGgSLsY/XWwNzl60WSvcAnFoZSf4mu2RJFLAK5QZ\nGDz+N8shR8BgkzIWIjMwzBbUB+3snYkJVA7wm/idhernkB0E83JAOOHk+UGuHFWA\nkrrWPHRWf4Gy5ZEmkzVACfhzH9AbPP8yHbTh5y33I7Yv4E+4qjoVEwTNA1LSYy17\nlaMI410x7htrzxv8M06LlE47HrJPLu3+YHUPKQC/LzV831LB9IYymskYL3rYUHzn\n7BS+9Njfg+7cdHXjRABZk2yz2+XZlSLIyCC82Kbmybd3F+s8u/pP0N0TcBDTPrSF\nAgwDC9FRLmchgYQBEACaz79q7F+YshiA4MSiKoiwgVnq0HWruMtQ+exE9Ky/hTfT\nCnNn43KSE/s4KytcB8KPkXPpZ/BHSv+oxY/XGh1dNWnKQocyCHqEOax/QruAu7VS\n/CbxyUFYQS4sJIbfmQLkx/FEnaHenSOTjOBatlnVFQ3qn6MjXyq1LThyfGaMlH84\ntAUYnNG3MQsz/U7Pj2nkScfDZ0XGIu2rvB2ddVdkjr1H3acQVplAlw88yGD+lDOA\nqnafNS8FgUtXoXCPVe6SRdpqfWPGmn1jhvjCiCUtzZG3RPew2AV50RAlxP2AEXY0\n6cMeL+NJdqIGaP3Ttyn9oVbroW4N7p3rb/AGj4ZRy4QOXPkWI088qmhYgIpjJZM5\nI3g80gnkBfFrOaVM1RVfn1smT9KlCR/8noKTE3ajBaTZZJrzBclzATdkGi7rIaqS\nvAWH9LnEGFs30W/mj9avis8aJwiPYsO+1ah5sVMnNKMo8KND2MMy+EI6AvgwJKz1\nNQoIP7jHB3h8sw91Z9YhB0RTQ8yCG+IrpXnWGAVAcswtTtJbBQlXxc/h0jpT4Yw0\nV+J6xX5/PI/ZQbIbj/i5hgh+8lsvG3gRRh0zH8nSNf7yMTYQe6iAe9xHRH/kSHX/\nOwObvvrCzZcsX8b6gTXn9AzXYGST3j3wBa8sQH0NRkcZFsCh30FhEDApItQA8tJe\nAbaLVOZ9WKJCCVkTJCOBCus1zInXbFr1ZQjTciJ4WjnqedH6SVvPC9HmI9vDCXw4\nzonohAH+mjtmoRfwMGdiJO74IfX81p5MwOX94TwYB2gAp6ycyCHjZgUtpAFPKw==\n=wNQ4\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAwf7TLx0TR1HBhh57CyIQLw8ztc9oblKAW/V7bSlQM/wR\nIwQTcTi3azdI9yewDRO30rIr++FEapdGVdpXoqQ8zcl49VjwDux6wzF3bsmR5Goc\nlTkDd0bmz8RBfsK+6efXiRqo3C0yP2ZTOh3PSOvsXKbYS6wY3TvNBdGnAYrfOvEw\nmBFRhn6uakw3zjVUngB1di07DH3y0wEb/r6+Mzoswzg4DqT1SAdDkfS9dpn9h3MW\n3NBesYlOukLrNA5Toi6x/fmE2lrPHt5QxPdvfvKe5ye4myZ/gBn1mdejB6U9nOsk\nRCJFMosjBH7jIpwokTjUT6Vs+zs8yrF+gbP82H4RVfZymMfdZoU/pTfYe1Mwg6Yi\ntlHyiRBgSPBY8Doa2hM8/yvmfHVMqSQf8uXltz2VC7JUGD6P0QbDLpqY3URmHg/q\nwN3zYJLlSIkU6Z7oivTjfg0dR32Z80lCdZDQf+OQsRtCUi169Fgxr7+HhdxJyj49\nFIb6CR0DHW4vsEj1GPAa0Q4uMfCxLiSZfesY8myoCtlVo7oeqx787KicJB5PryHr\nyZweKd7tXO9g8LNJtECTZ81y2/sCfSZPBia6M4oz56pIFK4jhYCY3iPnWIS77axu\n5MmqZNOP06obp87nt1ea51BmXkaYxmSPoQ5R29CeYU+m9q+kKvizncgsCl/O7U6F\nAgwDC9FRLmchgYQBEADJo2kPzrxLHptsr6aoIxfYNrQ7JJM3FAZ7do5YvAbQsl5t\ny45qZ4+qWIEMRXwji2TvgSg8/ylnZfN2+rTHdtNJkDdJ2sX+RDr8pm7L3VS2Zhjf\nIp1SdPd5cm/3QupegzUR+kcPa+gPM4asGSytIkAnnpev/DCnLsrqiejdosTDj9dn\nFtPKJKSUBzJSNRxBSpM9L+cTU1qyMT024D5Qvq6vBOjFI1YV3LSfVXQe7OZxxxVX\naChkGR1v3UjndQ4Yv9hamJJ81lRLeIcVEOpOPxLHJX76AJUqP3fR/+m2Poah8bFF\n+yIdSp2jyWOoU60We72fvlEwxsTLl8Zani+xX2ckkUCe+wsiGJLch4Df1pepxpef\nb95wZ9L0msRdHY8vRQYapde/ju8CUHgywVX7+YH3EF1bJSnUOBmyOA76v9ir09am\n49g+VomkWUuzPJ2VYQXXH6d/qn/sm9Z9yxy7e1eh5m+9cd42b4sMdW6ZCTMAtGJF\nPX0SiOMR6S0hjKVBcfcyNoT/wo7wqEl4mYDpoCy10K0nYRn+ggJnIZEJzBWibMYH\nDWUDyuQIYLjOBAchFatXyMtbc8qDorYelLX7amPRDSiDhhj6Y5nYMJtUSwfTLwkN\nrI0Q4bjE+fgNACCqPoq/BDFZotcr1b664ZUJqgnTBPKZ5OnmW/iFkOfzu4fF9tJe\nAcekEPwsFbugu2bZ0Hs5Rl/Dh9p4L9gceuMiwJ3oYGA5cwXFCeVZLNqSDLy4upVX\nnXRaMzBNGgWo4geDq5JL10Mh7/1d4GGVxdts8RGdI8zUFTPV3GOaPEHeNyIO+g==\n=2UMI\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

install/flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "Minimal installer flake - automatically generated by SwarselSystems.org";
+  description = "Minimal installer flake - not to be used manually";
 
   inputs.swarsel.url = "./..";
 

install/installer-config.nix

@@ -1,6 +1,6 @@
 { self, config, pkgs, lib, ... }:
 let
-  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/public/ssh";
+  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
   stateVersion = lib.mkDefault "23.05";
   homeFiles = {
     ".bash_history" = {

modules/home/common/anki.nix

@@ -1,4 +1,4 @@
-{ lib, config, pkgs, globals, confLib, type, ... }:
+{ lib, config, pkgs, globals, inputs, confLib, ... }:
 let
   moduleName = "anki";
   inherit (config.swarselsystems) isPublic isNixos;
@@ -54,7 +54,7 @@ in
               })
           ];
       };
-    } // lib.optionalAttrs (type != "nixos") {
+    } // lib.optionalAttrs (inputs ? sops) {
       sops = lib.mkIf (!isPublic && !isNixos) {
         secrets = {
           anki-user = { };

modules/home/common/attic-store-push.nix

@@ -1,24 +0,0 @@
-{ lib, config, pkgs, ... }:
-{
-  options.swarselmodules.attic-store-push = lib.mkEnableOption "enable automatic attic store push";
-  config = lib.mkIf config.swarselmodules.attic-store-push {
-
-    systemd.user.services.attic-store-push = {
-      Unit = {
-        Description = "Attic store pusher";
-        Requires = [ "graphical-session.target" ];
-        After = [ "graphical-session.target" ];
-        PartOf = [ "graphical-session.target" ];
-      };
-
-      Install = {
-        WantedBy = [ "graphical-session.target" ];
-      };
-
-      Service = {
-        ExecStart = "${lib.getExe pkgs.attic-client} watch-store ${config.swarselsystems.mainUser}:${config.swarselsystems.mainUser}";
-      };
-    };
-  };
-
-}

modules/home/common/custom-packages.nix

@@ -32,10 +32,6 @@
       sshrm
       endme
       git-replace
-      prstatus
-      swarsel-gens
-      swarsel-switch
-      swarsel-sops
     ];
   };
 }

modules/home/common/emacs.nix

@@ -1,4 +1,4 @@
-{ self, lib, config, pkgs, globals, inputs, type, ... }:
+{ self, lib, config, pkgs, globals, inputs, ... }:
 let
   inherit (config.swarselsystems) homeDir mainUser isPublic isNixos;
   inherit (config.repo.secrets.common.emacs) radicaleUser;
@@ -103,7 +103,7 @@ in
       startWithUserSession = "graphical";
     };
 
-  } // lib.optionalAttrs (type != "nixos") {
+  } // lib.optionalAttrs (inputs ? sops) {
 
     sops = lib.mkIf (!isPublic && !isNixos) {
       secrets = {

modules/home/common/firezone-tray.nix

@@ -1,29 +0,0 @@
-{ lib, config, pkgs, ... }:
-{
-  options.swarselmodules.firezone-tray = lib.mkEnableOption "enable firezone applet for tray";
-  config = lib.mkIf config.swarselmodules.firezone-tray {
-
-    systemd.user.services.firezone-applet = {
-      Unit = {
-        Description = "Firezone applet";
-        Requires = [
-          "tray.target"
-        ];
-        After = [
-          "graphical-session.target"
-          "tray.target"
-        ];
-        PartOf = [ "graphical-session.target" ];
-      };
-
-      Install = {
-        WantedBy = [ "graphical-session.target" ];
-      };
-
-      Service = {
-        ExecStart = "${pkgs.firezone-gui-client}/bin/firezone-client-gui";
-      };
-    };
-  };
-
-}

modules/home/common/gpg-agent.nix

@@ -30,7 +30,7 @@ in
       enable = true;
       publicKeys = [
         {
-          source = "${self}/secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc";
+          source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc";
           trust = 5;
         }
       ];

modules/home/common/mail.nix

@@ -1,4 +1,4 @@
-{ lib, config, globals, confLib, type, ... }:
+{ lib, config, inputs, globals, confLib, ... }:
 let
   inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
   inherit (confLib.getConfig.repo.secrets.common) fullName;
@@ -200,7 +200,7 @@ in
             };
           };
       };
-    } // lib.optionalAttrs (type != "nixos") {
+    } // lib.optionalAttrs (inputs ? sops) {
       sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
         address1-token = { path = "${xdgDir}/secrets/address1-token"; };
         address2-token = { path = "${xdgDir}/secrets/address2-token"; };

modules/home/common/packages.nix

@@ -61,7 +61,7 @@
       nix-visualize
       nix-init
       nix-inspect
-      (nixpkgs-review.override { nix = config.nix.package; })
+      nixpkgs-review
       manix
 
       # shellscripts
@@ -90,7 +90,7 @@
       # element-desktop
 
       nicotine-plus
-      stable25_05.transmission_3
+      stable.transmission_3
       mktorrent
       hugo
 

modules/home/common/settings.nix

@@ -43,11 +43,11 @@ in
           trusted-users = [
             "@wheel"
             "${mainUser}"
-            (lib.mkIf ((config.swarselmodules ? server) ? ssh-builder) "builder")
+            (lib.mkIf config.swarselmodules.server.ssh-builder "builder")
           ];
           connect-timeout = 5;
-          bash-prompt-prefix = lib.mkIf config.swarselsystems.isClient "$SHLVL:\\w ";
+          bash-prompt-prefix = "$SHLVL:\\w ";
-          bash-prompt = lib.mkIf config.swarselsystems.isClient "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
+          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
           fallback = true;
           min-free = 128000000;
           max-free = 1000000000;

modules/home/common/sops.nix

@@ -1,14 +1,13 @@
-{ self, config, lib, type, ... }:
+{ config, lib, inputs, ... }:
 let
   inherit (config.swarselsystems) homeDir;
 in
 {
   options.swarselmodules.sops = lib.mkEnableOption "sops settings";
-  config = lib.optionalAttrs (type != "nixos") {
+  config = lib.optionalAttrs (inputs ? sops) {
-    sops = lib.mkIf (!config.swarselsystems.isNixos) {
+    sops = {
-      age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ];
+      age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ];
-      # defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
+      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml";
-      defaultSopsFile = self + "/secrets/repo/common.yaml";
 
       validateSopsFiles = false;
     };

modules/home/common/ssh.nix

@@ -1,4 +1,4 @@
-{ lib, config, confLib, type, ... }:
+{ inputs, lib, config, confLib, ... }:
 {
   options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
   config = lib.mkIf config.swarselmodules.ssh ({
@@ -18,13 +18,13 @@
           serverAliveCountMax = 3;
           hashKnownHosts = false;
           userKnownHostsFile = "~/.ssh/known_hosts";
-          controlMaster = "no";
+          controlMaster = "auto";
           controlPath = "~/.ssh/master-%r@%n:%p";
-          controlPersist = "no";
+          controlPersist = "5m";
         };
       } // confLib.getConfig.repo.secrets.common.ssh.hosts;
     };
-  } // lib.optionalAttrs (type != "nixos") {
+  } // lib.optionalAttrs (inputs ? sops) {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
       builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
     };

modules/home/common/waybar.nix

@@ -1,4 +1,4 @@
-{ self, config, lib, pkgs, type, ... }:
+{ self, config, lib, inputs, pkgs, ... }:
 let
   inherit (config.swarselsystems) xdgDir;
   generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
@@ -320,7 +320,7 @@ in
       };
       style = builtins.readFile (self + /files/waybar/style.css);
     };
-  } // lib.optionalAttrs (type != "nixos") {
+  } // lib.optionalAttrs (inputs ? sops) {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
       github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
     };

modules/home/common/yubikey.nix

@@ -1,4 +1,4 @@
-{ lib, config, confLib, type, ... }:
+{ lib, config, inputs, confLib, ... }:
 let
   inherit (config.swarselsystems) homeDir;
 in
@@ -13,7 +13,7 @@ in
         confLib.getConfig.secrets.common.yubikeys.dev2
       ];
     };
-  } // lib.optionalAttrs (type != "nixos") {
+  } // lib.optionalAttrs (inputs ? sops) {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
       u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
     };

modules/home/common/zsh.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, minimal, globals, confLib, type, ... }:
+{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }:
 let
   inherit (config.swarselsystems) flakePath isNixos;
   crocDomain = globals.services.croc.domain;
@@ -133,9 +133,9 @@ in
           # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
         };
       };
-    } // lib.optionalAttrs (type != "nixos") {
+    } // lib.optionalAttrs (inputs ? sops) {
 
-      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
+      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
         croc-password = { };
         github-nixpkgs-review-token = { };
       };

modules/home/default.nix

@@ -1,4 +1,3 @@
-# @ future me: dont panic, this file is not read in by readNix
 { lib, ... }:
 let
   importNames = lib.swarselsystems.readNix "modules/home";

modules/home/optional/work.nix

@@ -1,10 +1,10 @@
-{ self, config, pkgs, lib, vars, confLib, type, ... }:
+{ self, inputs, config, pkgs, lib, vars, confLib, ... }:
 let
   inherit (config.swarselsystems) homeDir mainUser;
   inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
   inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
 
-  certsSopsFile = self + /secrets/repo/certs.yaml;
+  certsSopsFile = self + /secrets/certs/secrets.yaml;
 in
 {
   options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption;
@@ -308,29 +308,20 @@ in
             };
           }
           {
-            # work side screen
+            # work main screen
             output = {
               criteria = "HP Inc. HP 732pk CNC4080YL5";
               scale = 1.0;
               mode = "3840x2160";
-              transform = "270";
             };
           }
-          # {
-          #   # work side screen
-          #   output = {
-          #     criteria = "Hewlett Packard HP Z24i CN44250RDT";
-          #     scale = 1.0;
-          #     mode = "1920x1200";
-          #     transform = "270";
-          #   };
-          # }
           {
-            # work main screen
+            # work side screen
             output = {
-              criteria = "HP Inc. HP Z32 CN41212T55";
+              criteria = "Hewlett Packard HP Z24i CN44250RDT";
               scale = 1.0;
-              mode = "3840x2160";
+              mode = "1920x1200";
+              transform = "270";
             };
           }
           {
@@ -338,29 +329,29 @@ in
               name = "lidopen";
               exec = [
                 "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
-                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
               ];
               outputs = [
                 {
                   criteria = config.swarselsystems.sharescreen;
                   status = "enable";
                   scale = 1.5;
-                  position = "2560,0";
+                  position = "1462,0";
                 }
                 {
                   criteria = "HP Inc. HP 732pk CNC4080YL5";
-                  scale = 1.0;
+                  scale = 1.4;
-                  mode = "3840x2160";
-                  position = "-3440,-1050";
-                  transform = "270";
-                }
-                {
-                  criteria = "HP Inc. HP Z32 CN41212T55";
-                  scale = 1.0;
                   mode = "3840x2160";
                   position = "-1280,0";
                 }
+                {
+                  criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                  scale = 1.0;
+                  mode = "1920x1200";
+                  transform = "90";
+                  position = "-2480,0";
+                }
               ];
             };
           }
@@ -396,8 +387,8 @@ in
             profile = {
               name = "lidclosed";
               exec = [
-                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55'  --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
               ];
               outputs = [
                 {
@@ -406,17 +397,17 @@ in
                 }
                 {
                   criteria = "HP Inc. HP 732pk CNC4080YL5";
-                  scale = 1.0;
+                  scale = 1.4;
-                  mode = "3840x2160";
-                  position = "-3440,-1050";
-                  transform = "270";
-                }
-                {
-                  criteria = "HP Inc. HP Z32 CN41212T55";
-                  scale = 1.0;
                   mode = "3840x2160";
                   position = "-1280,0";
                 }
+                {
+                  criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                  scale = 1.0;
+                  mode = "1920x1200";
+                  transform = "270";
+                  position = "-2480,0";
+                }
               ];
             };
           }
@@ -492,7 +483,7 @@ in
         };
 
         Service = {
-          ExecStart = "${pkgs._1password-gui-beta}/bin/1password";
+          ExecStart = "${pkgs._1password-gui}/bin/1password";
         };
       };
 
@@ -600,35 +591,25 @@ in
           # output = "DP-7";
           output = name;
         };
-        work_middle_middle_main = rec {
+        work_back_right = rec {
           name = "HP Inc. HP Z32 CN41212T55";
           mode = "3840x2160";
           scale = "1";
-          position = "-1280,0";
+          position = "5120,0";
           workspace = "1:一";
           # output = "DP-3";
           output = name;
         };
-        # work_middle_middle_main = rec {
+        work_middle_middle_main = rec {
-        #   name = "HP Inc. HP 732pk CNC4080YL5";
-        #   mode = "3840x2160";
-        #   scale = "1";
-        #   position = "-1280,0";
-        #   workspace = "11:M";
-        #   # output = "DP-8";
-        #   output = name;
-        # };
-        work_middle_middle_side = rec {
           name = "HP Inc. HP 732pk CNC4080YL5";
           mode = "3840x2160";
-          transform = "270";
           scale = "1";
-          position = "-3440,-1050";
+          position = "-1280,0";
-          workspace = "12:S";
+          workspace = "11:M";
           # output = "DP-8";
           output = name;
         };
-        work_middle_middle_old = rec {
+        work_middle_middle_side = rec {
           name = "Hewlett Packard HP Z24i CN44250RDT";
           mode = "1920x1200";
           transform = "270";
@@ -671,7 +652,7 @@ in
       };
 
     };
-  } // lib.optionalAttrs (type != "nixos") {
+  } // lib.optionalAttrs (inputs ? sops) {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
       harica-root-ca = {
         sopsFile = certsSopsFile;

modules/nixos/client/firezone-client.nix

@@ -1,15 +0,0 @@
-{ lib, config, ... }:
-let
-  moduleName = "firezone-client";
-  inherit (config.swarselsystems) mainUser;
-in
-{
-  options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
-  config = lib.mkIf config.swarselmodules.${moduleName} {
-    services.firezone.gui-client = {
-      enable = true;
-      inherit (config.node) name;
-      allowedUsers = [ mainUser ];
-    };
-  };
-}

modules/nixos/client/network.nix

@@ -1,7 +1,7 @@
 { self, lib, pkgs, config, globals, ... }:
 let
-  certsSopsFile = self + /secrets/repo/certs.yaml;
+  certsSopsFile = self + /secrets/certs/secrets.yaml;
-  clientSopsFile = config.node.secretsDir + "/secrets.yaml";
+  clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
 
   inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
 
@@ -47,10 +47,8 @@ in
       };
     };
 
-    services.resolved.enable = true;
-
     networking = {
-      hostName = config.node.name;
+      inherit (config.swarselsystems) hostName;
       hosts = {
         "${globals.networks.home-lan.hosts.winters.ipv4}" = [ globals.services.transmission.domain ];
       };
@@ -82,11 +80,9 @@ in
         ];
       };
 
-
       networkmanager = {
         enable = true;
         wifi.backend = "iwd";
-        dns = "systemd-resolved";
         plugins = [
           # list of plugins: https://search.nixos.org/packages?query=networkmanager-
           # docs https://networkmanager.dev/docs/vpn/

modules/nixos/client/polkit.nix

@@ -4,9 +4,6 @@
   config = lib.mkIf config.swarselmodules.security {
 
     security = {
-      # pki.certificateFiles = [
-      #   config.sops.secrets.harica-root-ca.path
-      # ];
       pam.services = lib.mkIf (!minimal) {
         login.u2fAuth = true;
         sudo.u2fAuth = true;

modules/nixos/client/remotebuild.nix

@@ -37,7 +37,6 @@ in
         }
       ];
     };
-
     programs.ssh = {
       knownHosts = {
         nixbuild = {

modules/nixos/client/sops.nix

@@ -1,13 +1,12 @@
-{ self, config, lib, ... }:
+{ config, lib, ... }:
 {
   options.swarselmodules.sops = lib.mkEnableOption "sops config";
   config = lib.mkIf config.swarselmodules.sops {
     sops = {
 
       # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
-      age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
-      # defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
+      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
-      defaultSopsFile = self + "/secrets/repo/common.yaml";
 
       validateSopsFiles = false;
 

modules/nixos/client/stylix.nix

@@ -1,4 +1,4 @@
-{ self, lib, config, vars, withHomeManager, ... }:
+{ self, lib, config, vars, ... }:
 {
   options.swarselmodules.stylix = lib.mkEnableOption "stylix config";
   config = {
@@ -12,7 +12,6 @@
           image = config.swarselsystems.wallpaper;
         }
         vars.stylix);
-  } // lib.optionalAttrs withHomeManager {
     home-manager.users."${config.swarselsystems.mainUser}" = {
       stylix = {
         targets = vars.stylixHomeTargets;

modules/nixos/client/sway.nix

@@ -1,11 +1,10 @@
-{ lib, config, pkgs, withHomeManager, ... }:
+{ lib, config, pkgs, ... }:
 let
   inherit (config.swarselsystems) mainUser;
 in
 {
   options.swarselmodules.sway = lib.mkEnableOption "sway config";
-  config = lib.mkIf config.swarselmodules.sway
+  config = lib.mkIf config.swarselmodules.sway {
-    {
     programs.sway = {
       enable = true;
       package = pkgs.swayfx;
@@ -13,8 +12,8 @@ in
         base = true;
         gtk = true;
       };
-      };
+
-    } // lib.optionalAttrs withHomeManager {
       inherit (config.home-manager.users.${mainUser}.wayland.windowManager.sway) extraSessionCommands;
     };
+  };
 }

modules/nixos/common/globals.nix

@@ -5,29 +5,6 @@ let
     types
     ;
 
-  firewallOptions = {
-    allowedTCPPorts = mkOption {
-      type = types.listOf types.port;
-      default = [ ];
-      description = "Convenience option to open specific TCP ports for traffic from the network.";
-    };
-    allowedUDPPorts = mkOption {
-      type = types.listOf types.port;
-      default = [ ];
-      description = "Convenience option to open specific UDP ports for traffic from the network.";
-    };
-    allowedTCPPortRanges = mkOption {
-      type = lib.types.listOf (lib.types.attrsOf lib.types.port);
-      default = [ ];
-      description = "Convenience option to open specific TCP port ranges for traffic from another node.";
-    };
-    allowedUDPPortRanges = mkOption {
-      type = lib.types.listOf (lib.types.attrsOf lib.types.port);
-      default = [ ];
-      description = "Convenience option to open specific UDP port ranges for traffic from another node.";
-    };
-  };
-
   networkOptions = netSubmod: {
     cidrv4 = mkOption {
       type = types.nullOr types.net.cidrv4;
@@ -48,20 +25,6 @@ let
       default = null;
     };
 
-    firewallRuleForAll = mkOption {
-      default = { };
-      description = ''
-        If this is a wireguard network: Allows you to set specific firewall rules for traffic originating from any participant in this
-        wireguard network. A corresponding rule `<network-name>-to-<local-zone-name>` will be created to easily expose
-        services to the network.
-      '';
-      type = types.submodule {
-        options = firewallOptions;
-      };
-    };
-
-
-
     hosts = mkOption {
       default = { };
       type = types.attrsOf (
@@ -122,20 +85,6 @@ let
                 # if we use the /32 wan address as local address directly, do not use the network address in ipv6
                   lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6;
             };
-
-            firewallRuleForNode = mkOption {
-              default = { };
-              description = ''
-                If this is a wireguard network: Allows you to set specific firewall rules just for traffic originating from another network node.
-                A corresponding rule `<network-name>-node-<node-name>-to-<local-zone-name>` will be created to easily expose
-                services to that node.
-              '';
-              type = types.attrsOf (
-                types.submodule {
-                  options = firewallOptions;
-                }
-              );
-            };
           };
         })
       );
@@ -189,10 +138,6 @@ in
                     type = types.nullOr types.str;
                     default = null;
                   };
-                  isHome = mkOption {
-                    type = types.bool;
-                    default = false;
-                  };
                 };
               })
             );
@@ -243,9 +188,6 @@ in
                   wanAddress6 = mkOption {
                     type = types.nullOr types.net.ipv6;
                   };
-                  isHome = mkOption {
-                    type = types.bool;
-                  };
                 };
               }
             );
@@ -260,16 +202,8 @@ in
               description = "List of external dns nameservers";
             };
           };
-
-          general = lib.mkOption {
-            type = types.submodule {
-              freeformType = types.unspecified;
         };
       };
-
-        };
-
-      };
     };
 
     _globalsDefs = mkOption {

modules/nixos/common/home-manager-secrets.nix

@@ -1,18 +1,16 @@
-{ self, lib, config, globals, withHomeManager, ... }:
+{ self, lib, config, globals, ... }:
 let
   inherit (config.swarselsystems) mainUser homeDir;
   inherit (config.repo.secrets.common.emacs) radicaleUser;
-
-  certsSopsFile = self + /secrets/repo/certs.yaml;
-in
-{
-  config = { } // lib.optionalAttrs withHomeManager {
-    sops =
-      let
   modules = config.home-manager.users.${mainUser}.swarselmodules;
+
+  certsSopsFile = self + /secrets/certs/secrets.yaml;
 in
 {
-        secrets = (lib.optionalAttrs modules.mail {
+  config = lib.mkIf config.swarselsystems.withHomeManager {
+    sops = {
+      secrets = (lib.optionalAttrs modules.mail
+        {
           address1-token = { owner = mainUser; };
           address2-token = { owner = mainUser; };
           address3-token = { owner = mainUser; };

modules/nixos/common/home-manager.nix

@@ -1,8 +1,8 @@
-{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, withHomeManager, ... }:
+{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, ... }:
 {
   options.swarselmodules.home-manager = lib.mkEnableOption "home-manager";
   config = lib.mkIf config.swarselmodules.home-manager {
-    home-manager = lib.mkIf withHomeManager {
+    home-manager = lib.mkIf config.swarselsystems.withHomeManager {
       useGlobalPkgs = true;
       useUserPackages = true;
       verbose = true;
@@ -10,7 +10,7 @@
       overwriteBackup = true;
       users.${config.swarselsystems.mainUser}.imports = [
         inputs.nix-index-database.homeModules.nix-index
-        # inputs.sops.homeManagerModules.sops # this is not needed!! we add these secrets in nixos scope
+        inputs.sops-nix.homeManagerModules.sops
         inputs.spicetify-nix.homeManagerModules.default
         inputs.swarsel-nix.homeModules.default
         {
@@ -31,7 +31,7 @@
       ];
       extraSpecialArgs = {
         inherit (inputs) self nixgl;
-        inherit inputs outputs globals nodes minimal configName arch type;
+        inherit inputs outputs globals nodes minimal configName;
         lib = homeLib;
       };
     };

modules/nixos/common/impermanence.nix

@@ -1,7 +1,7 @@
 { config, lib, ... }:
 let
   mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos";
-  inherit (config.swarselsystems) isImpermanence isCrypted isBtrfs;
+  inherit (config.swarselsystems) isImpermanence isCrypted;
 in
 {
   options.swarselmodules.impermanence = lib.mkEnableOption "impermanence config";
@@ -17,7 +17,7 @@ in
     # So if it doesn't run, the btrfs system effectively acts like a normal system
     # Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
     boot.tmp.useTmpfs = lib.mkIf (!isImpermanence) true;
-    boot.initrd.systemd = lib.mkIf (isImpermanence && isBtrfs) {
+    boot.initrd.systemd = lib.mkIf isImpermanence {
       enable = true;
       services.rollback = {
         description = "Rollback BTRFS root subvolume to a pristine state";

modules/nixos/common/meta.nix

@@ -7,18 +7,8 @@
         type = lib.types.path;
         default = ./.;
       };
-      configDir = lib.mkOption {
-        description = "Path to the base directory for this node.";
-        type = lib.types.path;
-        default = ./.;
-      };
       name = lib.mkOption {
-        type = lib.types.str;
+        description = "Node Name.";
-      };
-      arch = lib.mkOption {
-        type = lib.types.str;
-      };
-      type = lib.mkOption {
         type = lib.types.str;
       };
       lockFromBootstrapping = lib.mkOption {

modules/nixos/common/nodes.nix

@@ -1,5 +1,5 @@
 # adapted from https://github.com/oddlama/nix-config/blob/main/modules/distributed-config.nix
-{ config, lib, nodes, ... }:
+{ config, lib, outputs, ... }:
 let
   nodeName = config.node.name;
   mkForwardedOption =
@@ -23,22 +23,23 @@ let
       '';
     };
 
-  expandOptions = basePath: optionNames: map (option: basePath ++ [ option ]) optionNames;
-  splitPath = path: lib.splitString "." path;
-
   forwardedOptions = [
-    (splitPath "boot.kernel.sysctl")
+    [
-    (splitPath "networking.nftables.chains.postrouting")
+      "services"
-    (splitPath "services.kanidm.provision.groups")
+      "nginx"
-    (splitPath "services.kanidm.provision.systems.oauth2")
+      "upstreams"
-    (splitPath "sops.secrets")
-    (splitPath "swarselsystems.server.dns")
-    (splitPath "topology.self.services")
     ]
-  ++ expandOptions (splitPath "networking.nftables.firewall") [ "zones" "rules" ]
+    [
-  ++ expandOptions (splitPath "services.firezone.gateway") [ "enable" "name" "apiUrl" "tokenFile" "package" "logLevel" ]
+      "services"
-  ++ expandOptions (splitPath "services.nginx") [ "upstreams" "virtualHosts" ]
+      "nginx"
-  ;
+      "virtualHosts"
+    ]
+    [
+      "swarselsystems"
+      "server"
+      "dns"
+    ]
+  ];
 
   attrsForEachOption =
     f: lib.foldl' (acc: path: lib.recursiveUpdate acc (lib.setAttrByPath path (f path))) { } forwardedOptions;
@@ -59,10 +60,10 @@ in
       getConfig =
         path: otherNode:
         let
-          cfg = nodes.${otherNode}.config.nodes.${nodeName} or null;
+          cfg = outputs.nixosConfigurations.${otherNode}.config.nodes.${nodeName} or null;
         in
         lib.optionals (cfg != null) (lib.getAttrFromPath path cfg);
-      mergeConfigFromOthers = path: lib.mkMerge (lib.concatMap (getConfig path) (lib.attrNames nodes));
+      mergeConfigFromOthers = path: lib.mkMerge (lib.concatMap (getConfig path) (lib.attrNames outputs.nixosConfigurations));
     in
     attrsForEachOption mergeConfigFromOthers;
 }

modules/nixos/common/pii.nix

@@ -1,5 +1,5 @@
 # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
-{ config, inputs, lib, nodes, ... }:
+{ config, inputs, lib, ... }:
 let
   # If the given expression is a bare set, it will be wrapped in a function,
   # so that the imported file can always be applied to the inputs, similar to
@@ -53,7 +53,7 @@ in
 
       secrets = lib.mkOption {
         readOnly = true;
-        default = lib.mapAttrs (_: x: importEncrypted x { inherit lib nodes inputs; }) config.repo.secretFiles;
+        default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
         type = lib.types.unspecified;
         description = "Exposes the loaded repo secrets. This option is read-only.";
       };

modules/nixos/common/settings.nix

@@ -1,4 +1,4 @@
-{ self, lib, pkgs, config, outputs, inputs, minimal, globals, withHomeManager, ... }:
+{ self, lib, pkgs, config, outputs, inputs, minimal, globals, ... }:
 let
   inherit (config.swarselsystems) mainUser;
   inherit (config.repo.secrets.common) atticPublicKey;
@@ -122,19 +122,18 @@ in
         nixpkgs = {
           overlays = [
             outputs.overlays.default
-          ] ++ lib.optionals withHomeManager [
             (final: prev:
               let
                 additions = final: _: import "${self}/pkgs/config" {
                   inherit self config lib;
                   pkgs = final;
-                  homeConfig = config.home-manager.users.${config.swarselsystems.mainUser} or { };
+                  homeConfig = config.home-manager.users.${config.swarselsystems.mainUser};
                 };
               in
               additions final prev
             )
           ];
-          config = lib.mkIf (!config.swarselsystems.isMicroVM) {
+          config = {
             allowUnfree = true;
           };
         };