docs: improve docs page

.github/README.md

@@ -22,8 +22,13 @@
     - [nix-darwin](https://github.com/LnL7/nix-darwin)
     - [nix-on-droid](https://github.com/nix-community/nix-on-droid)
   - Streamlined configuration and deployment pipeline:
-    - Framework for [packages](https://github.com/Swarsel/.dotfiles/blob/main/pkgs/default.nix), [overlays](https://github.com/Swarsel/.dotfiles/blob/main/overlays/default.nix), [modules](https://github.com/Swarsel/.dotfiles/tree/main/modules), and [library functions](https://github.com/Swarsel/.dotfiles/tree/main/lib/default.nix)
+    - Framework for [packages](https://github.com/Swarsel/.dotfiles/blob/main/nix/packages.nix), [overlays](https://github.com/Swarsel/.dotfiles/blob/main/nix/overlays.nix), [modules](https://github.com/Swarsel/.dotfiles/tree/main/modules), and [library functions](https://github.com/Swarsel/.dotfiles/blob/main/nix/lib.nix)
-    - Dynamically generated host configurations
+    - Dynamically generated config:
+      - host configurations
+      - dns records
+      - network setup (+ wireguard mesh on systemd-networkd)
+    - Remote Builders for [x86_64,aarch64]-linux running in hydra, feeding a private nix binary cache
+    - Bootstrapping:
       - Limited local installer (no secrets handling) with a supported demo build
       - Fully autonomous remote deployment using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) and [disko](https://github.com/nix-community/disko) (with secrets handling)
     - Improved nix tooling
@@ -31,24 +36,24 @@
     - Secrets handling using [sops-nix](https://github.com/Mic92/sops-nix) (pls no pwn ❤️)
     - Management of personally identifiable information using [nix-plugins](https://github.com/shlevy/nix-plugins)
     - Full Yubikey support
-    - LUKS-encryption
+    - LUKS-encryption with support for remote disk unlock over SSH
     - Secure boot using [Lanzaboote](https://github.com/nix-community/lanzaboote)
     - BTRFS-based [Impermanence](https://github.com/nix-community/impermanence)
     - Configuration shared between configurations (configuration for one nixosConfiguration can be defined in another nixosConfiguration)
     - Global attributes shared between all configurations to reduce attribute redeclaration
+    - [Config library](https://github.com/Swarsel/.dotfiles/blob/9acfc5f93457ec14773cc0616cab616917cc8af5/modules/shared/config-lib.nix#L4) for defining config-based functions for generating service information
+    - Reduced friction between full NixOS- and home-manager-only deployments regarding secrets handling and config sharing
 
   ## Documentation
 
-  If you are mainly interested in how I configured this system, check out this page:
+  The full documentation can be found here:
 
   [SwarselSystems literate configuration](https://swarsel.github.io/.dotfiles/)
 
-  This file will take you through my design process, in varying amounts of detail.
+  I went to great lengths in order to document the full design process of my infrastructure properly; the above document strives to serve as an introductory lecture to nix / NixOS while at the same time explaining the config in general.
 
-  Otherwise, the files that are possibly of biggest interest are found here:
+  If you only came here for my Emacs configuration, the relevant files are here:
 
-  - [SwarselSystems.org](../SwarselSystems.org)
-  - [flake.nix](../flake.nix)
   - [early-init.el](../files/emacs/early-init.el)
   - [init.el](../files/emacs/init.el)
 
@@ -109,7 +114,7 @@
   ### Programs
 
   | Topic         | Program                                                                                                                     |
-  |---------------|---------------------------------|
+  |---------------|-----------------------------------------------------------------------------------------------------------------------------|
   |🐚 **Shell**   | [zsh](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix)                                           |
   |🚪 **DM**      | [greetd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/common/login.nix)                                     |
   |🪟 **WM**      | [SwayFX](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sway.nix)                                       |
@@ -124,7 +129,7 @@
   ### Services
 
   | Topic                      | Program                                                                                                        |
-  |-----------------------|---------------------------------------------------------------------------------------------------------------------|
+  |----------------------------|----------------------------------------------------------------------------------------------------------------|
   |📖 **Books**                |  [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix)                      |
   |📼 **Videos**               | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix)                   |
   |🎵 **Music**                | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) +  [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) +  [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix)                                                              |
@@ -147,28 +152,37 @@
   |✂️ **Paste Tool**           | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix)                   |
   |📸 **Image Sharing**        | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix)                         |
   |🔗 **Link Shortener**       | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix)                       |
+  |⛏️ **Minecraft**            | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix)                 |
+  |☁️ **S3**                   | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix)                       |
+  |🕸️ **Nix Binary Cache**     | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix)                         |
+  |🐙 **Nix Build farm**       | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix)                         |
+  |🔑 **Cert-based SSH**       | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix)                       |
+  |🔨 **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix)                     |
+  |👀 **DNS**                  | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix)                             |
+  |✉️ **Mail**                 | [simple-nixos-mailserver](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mailserver.nix)  |
 
   ### Hosts
 
   | Name                | Hardware                                            | Use                                                             |
-  |---------------------|-----------------------------------------------------|-----------------------------------------------------|
+  |---------------------|-----------------------------------------------------|-----------------------------------------------------------------|
   |💻 **pyramid**       | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop                                                     |
   |💻 **bakery**        | Lenovo Ideapad 720S-13IKB                           | Personal laptop                                                 |
   |💻 **machpizza**     | MacBook Pro 2016                                    | MacOS reference and build sandbox                               |
   |🏠 **treehouse**     | NVIDIA DGX Spark                                    | AI Workstation, remote builder, hm-only-reference               |
   |🖥️ **summers**       | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM  | Homeserver (microvms), remote builder, data storage             |
   |🖥️ **winters**       | ASRock J4105-ITX, 32GB RAM                          | Homeserver (IoT server in spe)                                  |
-  |🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router                                              |
+  |🖥️ **hintbooth**     | HUNSN RM02, 8GB RAM                                 | Router, DNS Resolver, home NGINX endpoint                       |
-  |☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative dns server                            |
+  |☁️ **stoicclub**     | Cloud Server: 1 vCPUs, 8GB RAM                      | Authoritative DNS server                                        |
   |☁️ **liliputsteps**  | Cloud Server: 1 vCPUs, 8GB RAM                      | SSH bastion                                                     |
   |☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM                      | Service proxy                                                   |
   |☁️ **eagleland**     | Cloud Server: 2 vCPUs, 8GB RAM                      | Mailserver                                                      |
-  |☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Gaming server, syncthing + lightweight services     |
+  |☁️ **moonside**      | Cloud Server: 4 vCPUs, 24GB RAM                     | Game servers, syncthing + other lightweight services            |
   |☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM                     | Hydra builder and nix binary cache                              |
+  |🪟 **chaostheater**  | Asus Z97-A, i7-4790k, GTX970, 32GB RAM              | Home Game Streaming Server (Windows/AtlasOS, not nix-managed)   |
   |📱 **magicant**      | Samsung Galaxy Z Flip 6                             | Phone                                                           |
   |💿 **drugstore**     | -                                                   | NixOS-installer ISO for bootstrapping new hosts                 |
   |💿 **brickroad**     | -                                                   | Kexec tarball for bootstrapping low-memory machines             |
-  |❔ **chaotheatre**   | -                                                   | Demo config for checking out this configuration     |
+  |❔ **hotel**         | -                                                   | Demo config for checking out this configuration                 |
   |❔ **toto**          | -                                                   | Helper configuration for testing purposes                       |
   </details>
 
@@ -260,9 +274,8 @@
 
   These are in random order (also known as 'the order in which I discovered them'). I would like to express my gratitude to:
 
-  - All the great people who have contributed code for the nix-community, with special mentions for (this list is unfairly incomplete):
   <details>
-    <summary>Click here to expand...</summary>
+    <summary>The great people who have contributed code for the nix-community, with special mentions for (this list is unfairly incomplete)</summary>
 
   - [guibou](https://github.com/guibou/)
   - [rycee](https://github.com/rycee)
@@ -287,9 +300,8 @@
   - [oddlama](https://github.com/oddlama)
   </details>
 
-  - All the people who have inspired me with their configurations (sadly also highly incomplete):
   <details>
-    <summary>Click here to expand...</summary>
+    <summary>The people who have inspired me with their configurations (sadly also highly incomplete)</summary>
 
   - [theSuess](https://github.com/theSuess) with their [home-manager](https://code.kulupu.party/thesuess/home-manager)
   - [hlissner](https://github.com/hlissner) with their [dotfiles](https://github.com/hlissner/dotfiles)
@@ -302,7 +314,7 @@
   - [EmergentMind](https://github.com/EmergentMind) with their [nix-config](https://github.com/EmergentMind/nix-config)
   - [librephoenix](https://github.com/librephoenix) with their [nixos-config](https://github.com/librephoenix/nixos-config)
   - [Xe](https://github.com/Xe) with their [blog](https://xeiaso.net/blog/)
-  - [oddlama](https://github.com/oddlama) with their absolutely incredible [nix-config](https:/github.com/oddlama/nix-config)
+  - [oddlama](https://github.com/oddlama) with their [nix-config](https:/github.com/oddlama/nix-config)
   </details>
 
   If you feel that I forgot to pay you tribute for code that I used in this repository, please shoot me a message and I will fix it :)

.github/workflows/build-and-deploy.yml

@@ -0,0 +1,59 @@
+name: Build and Deploy
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Emacs
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y emacs-nox elpa-htmlize
+
+      - name: Tangle files & export to HTML
+        run: |
+          emacs --batch \
+            --eval "(require 'org)" \
+            --eval "(setq org-confirm-babel-evaluate nil
+                     org-html-validation-link nil
+                     org-export-headline-levels 6
+                     org-export-with-broken-links 'mark)" \
+            --visit=SwarselSystems.org \
+            --funcall org-babel-tangle \
+            --funcall org-html-export-to-html
+
+      - name: Setup Pages
+        uses: actions/configure-pages@v4
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: 'site'
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.gitignore

@@ -7,3 +7,4 @@ result
 *.bak
 .pre-commit-config.yaml
 .direnv
+/site/

.sops.yaml

@@ -6,25 +6,29 @@ keys:
   - &users
     - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
   - &hosts
-    - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
+    - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
-    - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
+    - &summers age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl
-    - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
-    - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
     - &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
     - &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
-    - &hintbooth age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x
+    - &hintbooth age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
-    - &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
+    - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
-    - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
-    - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
-    - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
     - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
+    - &pyramid age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
+    - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
+    - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
+    - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
+    - &winters age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
+    - &dgx age1ax5hqk6e2ekgfx5u7pl8ayc3vvhrehyvtvf07llaxhs5azpnny0qpltrns
+    - &hintbooth-adguardhome age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
+    - &hintbooth-nginx age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
 creation_rules:
-  - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/repo/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *winters
+      - *summers
       - *twothreetunnel
       - *liliputsteps
       - *stoicclub
@@ -33,183 +37,122 @@ creation_rules:
       - *hintbooth
       - *bakery
       - *toto
-      - *surface
+      - *pyramid
-      - *nbl
-      - *moonside
-  - path_regex: secrets/repo/[^/]+$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *winters
-      - *twothreetunnel
-      - *liliputsteps
-      - *stoicclub
-      - *belchsfactory
-      - *eagleland
-      - *hintbooth
-      - *bakery
-      - *toto
-      - *surface
-      - *nbl
-      - *moonside
-  - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *nbl
-      - *twothreetunnel
-      - *liliputsteps
-      - *stoicclub
-      - *belchsfactory
-      - *eagleland
-      - *hintbooth
-      - *bakery
-      - *toto
-      - *surface
-      - *winters
       - *moonside
+      - *dgx
+      - *hintbooth-adguardhome
+      - *hintbooth-nginx
+
   - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *swarsel
       age:
-      - *nbl
+      - *pyramid
 
-  - path_regex: secrets/pyramid/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/nginx/acme.json
     key_groups:
     - pgp:
       - *swarsel
       age:
-      - *nbl
+      - *twothreetunnel
-  - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
+      - *eagleland
-    key_groups:
+      - *hintbooth-nginx
-    - pgp:
-      - *swarsel
-      age:
-      - *nbl
 
-  - path_regex: secrets/moonside/secrets.yaml
+  - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
-      - *moonside
+      - *pyramid
-  - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *moonside
 
-  - path_regex: secrets/belchsfactory/secrets.yaml
+  - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *belchsfactory
-  - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *belchsfactory
-
-  - path_regex: secrets/bakery/secrets.yaml
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *bakery
-  - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *bakery
 
-  - path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: hosts/nixos/x86_64-linux/winters/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *winters
-  - path_regex: hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *winters
 
-  - path_regex: secrets/eagleland/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *eagleland
 
-  - path_regex: hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc
+  - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
-      - *eagleland
+      - *moonside
 
-
+  - path_regex: hosts/nixos/aarch64-linux/belchsfactory/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-
-  - path_regex: secrets/stoicclub/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *swarsel
       age:
-      - *stoicclub
+      - *belchsfactory
-  - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc
+
+  - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *stoicclub
 
-  - path_regex: secrets/liliputsteps/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *liliputsteps
-  - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *liliputsteps
 
-  - path_regex: secrets/twothreetunnel/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - pgp:
-      - *swarsel
-      age:
-      - *twothreetunnel
-  - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *twothreetunnel
 
-  - path_regex: hosts/nixos/x86_64-linux/summers/secrets/
+  - path_regex: hosts/nixos/x86_64-linux/summers/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
+      age:
+      - *summers
 
-  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/
+  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel
       age:
       - *hintbooth
 
-  - path_regex: hosts/darwin/nbm-imba-166/secrets/pii.nix.enc
+  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/adguardhome/[^/]+\.(yaml|json|env|ini|enc)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *hintbooth
+      - *hintbooth-adguardhome
+
+  - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/nginx/[^/]+\.(yaml|json|env|ini|enc)$
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *hintbooth
+      - *hintbooth-nginx
+
+  - path_regex: hosts/darwin/x86_64-darwin/nbm-imba-166/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
       - *swarsel

files/emacs/init.el

@@ -1117,7 +1117,7 @@ create a new one."
 
 (use-package nix-ts-mode
   :after lsp-mode
-  :mode "\\.nix\\'"
+  :mode ("\\.nix\\'" . "\\.nix\\.enc\\'")
   :ensure t
   :hook
   (nix-ts-mode . lsp-deferred) ;; So that envrc mode will work

files/scripts/swarsel-bootstrap.sh

@@ -36,6 +36,7 @@ function help_and_exit() {
 
 function cleanup() {
     rm -rf "$temp"
+    rm -rf /tmp/disko-password
 }
 trap cleanup exit
 
@@ -139,7 +140,7 @@ fi
 
 LOCKED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.node.lockFromBootstrapping)"
 if [[ $LOCKED == "true" ]]; then
-    red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING"
+    red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING - set 'node.lockFromBootstrapping = lib.mkForce false;' to proceed"
     exit
 fi
 
@@ -229,6 +230,7 @@ if [ "$disk_encryption" -eq 1 ]; then
         green "Please confirm passphrase:"
         read -rs luks_passphrase_confirm
         if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
+            echo "$luks_passphrase" > /tmp/disko-password
             $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password"
             break
         else
@@ -243,10 +245,10 @@ $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
 mkdir -p "$FLAKE"/hosts/nixos/"$target_arch"/"$target_hostname"
 $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix
 # ------------------------
-# green "Generating hostkey for ssh initrd"
+green "Generating hostkey for ssh initrd"
-# $ssh_root_cmd "mkdir -p $temp/etc/secrets/initrd /etc/secrets/initrd"
+$ssh_root_cmd "mkdir -p $temp/etc/secrets/initrd /etc/secrets/initrd"
-# $ssh_root_cmd "ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"
+$ssh_root_cmd "ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"
-# $ssh_root_cmd "cp $temp/etc/secrets/initrd/ssh_host_ed25519_key /etc/secrets/initrd/ssh_host_ed25519_key"
+$ssh_root_cmd "cp $temp/etc/secrets/initrd/ssh_host_ed25519_key /etc/secrets/initrd/ssh_host_ed25519_key"
 # ------------------------
 
 green "Deploying minimal NixOS installation on $target_destination"
@@ -317,8 +319,7 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then
     vim "${git_root}"/.sops.yaml
 fi
 green "Updating all secrets files to reflect updates .sops.yaml"
-sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml
+sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/* || true
-sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc
 # --------------------------
 green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
 sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
@@ -389,3 +390,5 @@ fi
 if yes_or_no "Reboot now?"; then
     $ssh_root_cmd "reboot"
 fi
+
+rm -rf /tmp/disko-password

files/scripts/swarsel-install.sh

@@ -96,7 +96,7 @@ green "Cloning repository from GitHub"
 git clone https://github.com/Swarsel/.dotfiles.git
 
 local_keys=$(ssh-add -L || true)
-pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
+pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
 read -ra pub_arr <<< "$pub_key"
 
 cd .dotfiles

files/scripts/swarsel-rebuild.sh

@@ -78,7 +78,7 @@ else
 fi
 
 local_keys=$(ssh-add -L || true)
-pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
+pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
 read -ra pub_arr <<< "$pub_key"
 
 cd .dotfiles

flake.lock

@@ -156,6 +156,27 @@
         "type": "github"
       }
     },
+    "dependencyDagOfSubmodule": {
+      "inputs": {
+        "nixpkgs": [
+          "nixos-nftables-firewall",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1656615370,
+        "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
+        "owner": "thelegy",
+        "repo": "nix-dependencyDagOfSubmodule",
+        "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "thelegy",
+        "repo": "nix-dependencyDagOfSubmodule",
+        "type": "github"
+      }
+    },
     "devshell": {
       "inputs": {
         "nixpkgs": "nixpkgs"
@@ -182,11 +203,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1728330715,
+        "lastModified": 1764011051,
-        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
+        "narHash": "sha256-M7SZyPZiqZUR/EiiBJnmyUbOi5oE/03tCeFrTiUZchI=",
         "owner": "numtide",
         "repo": "devshell",
-        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
+        "rev": "17ed8d9744ebe70424659b0ef74ad6d41fc87071",
         "type": "github"
       },
       "original": {
@@ -337,7 +358,7 @@
     },
     "fenix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_14",
+        "nixpkgs": "nixpkgs_15",
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
@@ -405,11 +426,11 @@
     "flake-compat_3": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1761588595,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
         "type": "github"
       },
       "original": {
@@ -667,11 +688,11 @@
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1726560853,
+        "lastModified": 1731533236,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -982,6 +1003,29 @@
         "type": "github"
       }
     },
+    "hydra": {
+      "inputs": {
+        "nix": "nix",
+        "nix-eval-jobs": [
+          "nix-eval-jobs"
+        ],
+        "nixpkgs": "nixpkgs_5"
+      },
+      "locked": {
+        "lastModified": 1759783173,
+        "narHash": "sha256-KShZ8ctQ0pb7BjP6z38+O++d7v2Y2KdKCSeRJEagvu8=",
+        "owner": "nixos",
+        "repo": "hydra",
+        "rev": "3059dc16a3664fecbf9437d5414f4d2bc1142ff1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nix-2.30",
+        "repo": "hydra",
+        "type": "github"
+      }
+    },
     "impermanence": {
       "locked": {
         "lastModified": 1737831083,
@@ -1023,7 +1067,7 @@
     "lanzaboote": {
       "inputs": {
         "crane": "crane",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_6",
         "pre-commit": "pre-commit",
         "rust-overlay": "rust-overlay"
       },
@@ -1044,7 +1088,7 @@
     "microvm": {
       "inputs": {
         "flake-utils": "flake-utils_2",
-        "nixpkgs": "nixpkgs_6",
+        "nixpkgs": "nixpkgs_7",
         "spectrum": "spectrum"
       },
       "locked": {
@@ -1126,7 +1170,7 @@
       "inputs": {
         "niri-stable": "niri-stable",
         "niri-unstable": "niri-unstable",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_8",
         "nixpkgs-stable": "nixpkgs-stable_2",
         "xwayland-satellite-stable": "xwayland-satellite-stable",
         "xwayland-satellite-unstable": "xwayland-satellite-unstable"
@@ -1178,9 +1222,26 @@
         "type": "github"
       }
     },
+    "nix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1758562014,
+        "narHash": "sha256-IazqNpt3jNldKy+rivmlGuo9pC1IczV0Xjk5+5EQEzQ=",
+        "owner": "NixOS",
+        "repo": "nix",
+        "rev": "f2b45e014b909bb5e6a9f99a8a511deed3b3e2a4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "2.30-maintenance",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
     "nix-darwin": {
       "inputs": {
-        "nixpkgs": "nixpkgs_8"
+        "nixpkgs": "nixpkgs_9"
       },
       "locked": {
         "lastModified": 1763505477,
@@ -1196,6 +1257,23 @@
         "type": "github"
       }
     },
+    "nix-eval-jobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1752683968,
+        "narHash": "sha256-urOFgqXzs+cgd1CKFuN245vOeVx7rIldlS9Q5WcemCw=",
+        "owner": "nix-community",
+        "repo": "nix-eval-jobs",
+        "rev": "a579b1a416dc04d50c0dc2832e9da24b0d08dbac",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v2.30.0",
+        "repo": "nix-eval-jobs",
+        "type": "github"
+      }
+    },
     "nix-formatter-pack": {
       "inputs": {
         "nixpkgs": [
@@ -1243,7 +1321,7 @@
       "inputs": {
         "flake-compat": "flake-compat_2",
         "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_9"
+        "nixpkgs": "nixpkgs_10"
       },
       "locked": {
         "lastModified": 1763776632,
@@ -1263,7 +1341,7 @@
       "inputs": {
         "home-manager": "home-manager_2",
         "nix-formatter-pack": "nix-formatter-pack",
-        "nixpkgs": "nixpkgs_10",
+        "nixpkgs": "nixpkgs_11",
         "nixpkgs-docs": "nixpkgs-docs",
         "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap",
         "nmd": "nmd_2"
@@ -1287,15 +1365,15 @@
       "inputs": {
         "devshell": "devshell_2",
         "flake-utils": "flake-utils_4",
-        "nixpkgs": "nixpkgs_11",
+        "nixpkgs": "nixpkgs_12",
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1762088663,
+        "lastModified": 1767198021,
-        "narHash": "sha256-rpCvFan9Dji1Vw4HfVqYdfWesz5sKZE3uSgYR9gRreA=",
+        "narHash": "sha256-O/7ZAy0OczYEy7zl+EegeekvRqb3JPh0btyBKtRvbVw=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "c15f569794a0f1a437850d0ac81675bcf23ca6cb",
+        "rev": "0c052d902678b592b957eac2c250e4030fe70ebc",
         "type": "github"
       },
       "original": {
@@ -1342,7 +1420,7 @@
     "nixgl": {
       "inputs": {
         "flake-utils": "flake-utils_5",
-        "nixpkgs": "nixpkgs_12"
+        "nixpkgs": "nixpkgs_13"
       },
       "locked": {
         "lastModified": 1762090880,
@@ -1377,7 +1455,7 @@
       "inputs": {
         "devshell": "devshell_3",
         "flake-parts": "flake-parts_2",
-        "nixpkgs": "nixpkgs_13",
+        "nixpkgs": "nixpkgs_14",
         "nixt": "nixt",
         "pre-commit-hooks": "pre-commit-hooks_2"
       },
@@ -1399,7 +1477,7 @@
     "nixos-generators": {
       "inputs": {
         "nixlib": "nixlib",
-        "nixpkgs": "nixpkgs_15"
+        "nixpkgs": "nixpkgs_16"
       },
       "locked": {
         "lastModified": 1751903740,
@@ -1451,6 +1529,25 @@
         "type": "github"
       }
     },
+    "nixos-nftables-firewall": {
+      "inputs": {
+        "dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
+        "nixpkgs": "nixpkgs_17"
+      },
+      "locked": {
+        "lastModified": 1715521768,
+        "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=",
+        "owner": "thelegy",
+        "repo": "nixos-nftables-firewall",
+        "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "thelegy",
+        "repo": "nixos-nftables-firewall",
+        "type": "github"
+      }
+    },
     "nixos-stable": {
       "locked": {
         "lastModified": 1749237914,
@@ -1503,11 +1600,11 @@
     },
     "nixpkgs-dev": {
       "locked": {
-        "lastModified": 1763648956,
+        "lastModified": 1767131767,
-        "narHash": "sha256-JBATYs0HPlATioA2kYFwUAsnzWv9Bd2tXqeCOr/ix6I=",
+        "narHash": "sha256-APHjXWyLmNKFNXoVU7Z82L8zUeSpR1/owKFryitWSsg=",
         "owner": "Swarsel",
         "repo": "nixpkgs",
-        "rev": "230b56741730ede84e7e488d11cb34044f5b54c7",
+        "rev": "449fa265ea9c67c1ea9b1c3d8121959e2ce348d3",
         "type": "github"
       },
       "original": {
@@ -1684,6 +1781,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable25_11": {
+      "locked": {
+        "lastModified": 1767047869,
+        "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-stable_2": {
       "locked": {
         "lastModified": 1763622513,
@@ -1702,21 +1815,37 @@
     },
     "nixpkgs-stable_3": {
       "locked": {
-        "lastModified": 1763622513,
+        "lastModified": 1767047869,
-        "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=",
+        "narHash": "sha256-tzYsEzXEVa7op1LTnrLSiPGrcCY6948iD0EcNLWcmzo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b",
+        "rev": "89dbf01df72eb5ebe3b24a86334b12c27d68016a",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_10": {
+      "locked": {
+        "lastModified": 1748929857,
+        "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_11": {
       "locked": {
         "lastModified": 1764086288,
         "narHash": "sha256-S223/Mc4Ax75PfWySz8b44jjAnz36jUk4U+XiCfMy9I=",
@@ -1731,13 +1860,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_11": {
+    "nixpkgs_12": {
       "locked": {
-        "lastModified": 1730531603,
+        "lastModified": 1766651565,
-        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+        "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539",
         "type": "github"
       },
       "original": {
@@ -1747,7 +1876,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_12": {
+    "nixpkgs_13": {
       "locked": {
         "lastModified": 1746378225,
         "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=",
@@ -1762,7 +1891,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_13": {
+    "nixpkgs_14": {
       "locked": {
         "lastModified": 1763966396,
         "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
@@ -1778,7 +1907,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_14": {
+    "nixpkgs_15": {
       "locked": {
         "lastModified": 1677063315,
         "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=",
@@ -1794,7 +1923,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_15": {
+    "nixpkgs_16": {
       "locked": {
         "lastModified": 1763934636,
         "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
@@ -1810,33 +1939,17 @@
         "type": "github"
       }
     },
-    "nixpkgs_16": {
-      "locked": {
-        "lastModified": 1763835633,
-        "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_17": {
       "locked": {
-        "lastModified": 1720957393,
+        "lastModified": 1692638711,
-        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
+        "narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
+        "rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
         "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
@@ -1860,16 +1973,16 @@
     },
     "nixpkgs_19": {
       "locked": {
-        "lastModified": 1763934636,
+        "lastModified": 1720957393,
-        "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
+        "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
-        "owner": "NixOS",
+        "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
+        "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
+        "owner": "nixos",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -1891,6 +2004,38 @@
       }
     },
     "nixpkgs_20": {
+      "locked": {
+        "lastModified": 1763835633,
+        "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_21": {
+      "locked": {
+        "lastModified": 1763934636,
+        "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_22": {
       "locked": {
         "lastModified": 1763553727,
         "narHash": "sha256-4aRqRkYHplWk0mrtoF5i3Uo73E3niOWiUZU8kmPm9hQ=",
@@ -1906,13 +2051,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_21": {
+    "nixpkgs_23": {
       "locked": {
-        "lastModified": 1763618868,
+        "lastModified": 1764445028,
-        "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=",
+        "narHash": "sha256-ik6H/0Zl+qHYDKTXFPpzuVHSZE+uvVz2XQuQd1IVXzo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942",
+        "rev": "a09378c0108815dbf3961a0e085936f4146ec415",
         "type": "github"
       },
       "original": {
@@ -1922,7 +2067,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_22": {
+    "nixpkgs_24": {
       "locked": {
         "lastModified": 1763966396,
         "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
@@ -1938,7 +2083,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_23": {
+    "nixpkgs_25": {
       "locked": {
         "lastModified": 1762977756,
         "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
@@ -1954,7 +2099,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_24": {
+    "nixpkgs_26": {
       "locked": {
         "lastModified": 1763966396,
         "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
@@ -1970,7 +2115,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_25": {
+    "nixpkgs_27": {
       "locked": {
         "lastModified": 1761236834,
         "narHash": "sha256-+pthv6hrL5VLW2UqPdISGuLiUZ6SnAXdd2DdUE+fV2Q=",
@@ -1986,7 +2131,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_26": {
+    "nixpkgs_28": {
       "locked": {
         "lastModified": 1751274312,
         "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
@@ -2002,7 +2147,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_27": {
+    "nixpkgs_29": {
       "locked": {
         "lastModified": 1754800730,
         "narHash": "sha256-HfVZCXic9XLBgybP0318ym3cDnGwBs/+H5MgxFVYF4I=",
@@ -2050,6 +2195,22 @@
       }
     },
     "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1759652726,
+        "narHash": "sha256-2VjnimOYDRb3DZHyQ2WH2KCouFqYm9h0Rr007Al/WSA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "06b2985f0cc9eb4318bf607168f4b15af1e5e81d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_6": {
       "locked": {
         "lastModified": 1763678758,
         "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=",
@@ -2065,39 +2226,39 @@
         "type": "github"
       }
     },
-    "nixpkgs_6": {
-      "locked": {
-        "lastModified": 1763966396,
-        "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_7": {
       "locked": {
         "lastModified": 1763966396,
         "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
-        "owner": "NixOS",
+        "owner": "nixos",
         "repo": "nixpkgs",
         "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
+        "owner": "nixos",
         "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_8": {
+      "locked": {
+        "lastModified": 1763966396,
+        "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_9": {
       "locked": {
         "lastModified": 1763934636,
         "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
@@ -2113,22 +2274,6 @@
         "type": "github"
       }
     },
-    "nixpkgs_9": {
-      "locked": {
-        "lastModified": 1748929857,
-        "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixt": {
       "inputs": {
         "flake-compat": "flake-compat_4",
@@ -2225,7 +2370,7 @@
     "nswitch-rcm-nix": {
       "inputs": {
         "flake-parts": "flake-parts_3",
-        "nixpkgs": "nixpkgs_17"
+        "nixpkgs": "nixpkgs_19"
       },
       "locked": {
         "lastModified": 1721304043,
@@ -2244,7 +2389,7 @@
     "nur": {
       "inputs": {
         "flake-parts": "flake-parts_4",
-        "nixpkgs": "nixpkgs_18"
+        "nixpkgs": "nixpkgs_20"
       },
       "locked": {
         "lastModified": 1763996502,
@@ -2429,18 +2574,14 @@
         "nixpkgs": [
           "nix-topology",
           "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nix-topology",
-          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1730797577,
+        "lastModified": 1765911976,
-        "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=",
+        "narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9",
+        "rev": "b68b780b69702a090c8bb1b973bab13756cc7a27",
         "type": "github"
       },
       "original": {
@@ -2476,7 +2617,7 @@
       "inputs": {
         "flake-compat": "flake-compat_7",
         "gitignore": "gitignore_4",
-        "nixpkgs": "nixpkgs_19"
+        "nixpkgs": "nixpkgs_21"
       },
       "locked": {
         "lastModified": 1763988335,
@@ -2500,11 +2641,13 @@
         "emacs-overlay": "emacs-overlay",
         "flake-parts": "flake-parts",
         "home-manager": "home-manager",
+        "hydra": "hydra",
         "impermanence": "impermanence",
         "lanzaboote": "lanzaboote",
         "microvm": "microvm",
         "niri-flake": "niri-flake",
         "nix-darwin": "nix-darwin",
+        "nix-eval-jobs": "nix-eval-jobs",
         "nix-index-database": "nix-index-database",
         "nix-minecraft": "nix-minecraft",
         "nix-on-droid": "nix-on-droid",
@@ -2514,19 +2657,21 @@
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
         "nixos-images": "nixos-images",
-        "nixpkgs": "nixpkgs_16",
+        "nixos-nftables-firewall": "nixos-nftables-firewall",
+        "nixpkgs": "nixpkgs_18",
         "nixpkgs-dev": "nixpkgs-dev",
         "nixpkgs-kernel": "nixpkgs-kernel",
         "nixpkgs-stable": "nixpkgs-stable_3",
         "nixpkgs-stable24_05": "nixpkgs-stable24_05",
         "nixpkgs-stable24_11": "nixpkgs-stable24_11",
         "nixpkgs-stable25_05": "nixpkgs-stable25_05",
+        "nixpkgs-stable25_11": "nixpkgs-stable25_11",
         "nswitch-rcm-nix": "nswitch-rcm-nix",
         "nur": "nur",
         "pre-commit-hooks": "pre-commit-hooks_3",
         "simple-nixos-mailserver": "simple-nixos-mailserver",
         "smallpkgs": "smallpkgs",
-        "sops-nix": "sops-nix",
+        "sops": "sops",
         "spicetify-nix": "spicetify-nix",
         "stylix": "stylix",
         "swarsel-nix": "swarsel-nix",
@@ -2649,7 +2794,7 @@
         "blobs": "blobs",
         "flake-compat": "flake-compat_8",
         "git-hooks": "git-hooks",
-        "nixpkgs": "nixpkgs_20"
+        "nixpkgs": "nixpkgs_22"
       },
       "locked": {
         "lastModified": 1763564778,
@@ -2683,16 +2828,16 @@
         "type": "github"
       }
     },
-    "sops-nix": {
+    "sops": {
       "inputs": {
-        "nixpkgs": "nixpkgs_21"
+        "nixpkgs": "nixpkgs_23"
       },
       "locked": {
-        "lastModified": 1763870012,
+        "lastModified": 1764483358,
-        "narHash": "sha256-AHxFfIu73SpNLAOZbu/AvpLhZ/Szhx6gRPj9ufZtaZA=",
+        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "4e7d74d92398b933cc0e0e25af5b0836efcfdde3",
+        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
         "type": "github"
       },
       "original": {
@@ -2719,7 +2864,7 @@
     },
     "spicetify-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_22",
+        "nixpkgs": "nixpkgs_24",
         "systems": "systems_5"
       },
       "locked": {
@@ -2823,7 +2968,7 @@
         "firefox-gnome-theme": "firefox-gnome-theme",
         "flake-parts": "flake-parts_5",
         "gnome-shell": "gnome-shell",
-        "nixpkgs": "nixpkgs_23",
+        "nixpkgs": "nixpkgs_25",
         "nur": "nur_2",
         "systems": "systems_6",
         "tinted-foot": "tinted-foot",
@@ -2849,7 +2994,7 @@
     "swarsel-nix": {
       "inputs": {
         "flake-parts": "flake-parts_6",
-        "nixpkgs": "nixpkgs_24",
+        "nixpkgs": "nixpkgs_26",
         "systems": "systems_7"
       },
       "locked": {
@@ -3100,7 +3245,7 @@
     },
     "treefmt-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_25"
+        "nixpkgs": "nixpkgs_27"
       },
       "locked": {
         "lastModified": 1762938485,
@@ -3118,7 +3263,7 @@
     },
     "vbc-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_26",
+        "nixpkgs": "nixpkgs_28",
         "systems": "systems_9"
       },
       "locked": {
@@ -3196,7 +3341,7 @@
       "inputs": {
         "crane": "crane_3",
         "flake-utils": "flake-utils_8",
-        "nixpkgs": "nixpkgs_27",
+        "nixpkgs": "nixpkgs_29",
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {

flake.nix

@@ -11,13 +11,28 @@
   };
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    hydra.url = "github:nixos/hydra/nix-2.30";
+    # hydra.inputs.nix.follows = "nix";
+    hydra.inputs.nix-eval-jobs.follows = "nix-eval-jobs";
+    # nix = {
+    #   url = "github:NixOS/nix/2.30-maintenance";
+    #   # We want to control the deps precisely
+    #   flake = false;
+    # };
+    nix-eval-jobs = {
+      url = "github:nix-community/nix-eval-jobs/v2.30.0";
+      # We want to control the deps precisely
+      flake = false;
+    };
+
     smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1";
     nixpkgs-dev.url = "github:Swarsel/nixpkgs/main";
     nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version
-    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
     nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05";
     nixpkgs-stable24_11.url = "github:NixOS/nixpkgs/nixos-24.11";
     nixpkgs-stable25_05.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs-stable25_11.url = "github:NixOS/nixpkgs/nixos-25.11";
 
     home-manager = {
       # url = "github:nix-community/home-manager";
@@ -36,7 +51,7 @@
     nur.url = "github:nix-community/NUR";
     nixgl.url = "github:guibou/nixGL";
     stylix.url = "github:danth/stylix";
-    sops-nix.url = "github:Mic92/sops-nix";
+    sops.url = "github:Mic92/sops-nix";
     lanzaboote.url = "github:nix-community/lanzaboote";
     nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05";
     nixos-generators.url = "github:nix-community/nixos-generators";
@@ -60,6 +75,7 @@
     dns.url = "github:kirelagin/dns.nix";
     nix-minecraft.url = "github:Infinidoge/nix-minecraft";
     simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
+    nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
   };
 
   outputs =

hosts/home/aarch64-linux/treehouse/default.nix

@@ -2,13 +2,9 @@
 {
 
   imports = [
-    # inputs.sops-nix.homeManagerModules.sops
     "${self}/modules/home"
-    "${self}/modules/nixos/common/pii.nix"
-    "${self}/modules/nixos/common/meta.nix"
   ];
 
-
   services.xcape = {
     enable = true;
     mapExpression = {

hosts/nixos/aarch64-linux/belchsfactory/default.nix

@@ -5,6 +5,7 @@
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   node.lockFromBootstrapping = lib.mkForce false;
@@ -12,7 +13,6 @@
   topology.self = {
     icon = "devices.cloud-server";
   };
-  swarselmodules.server.nginx = false;
 
   swarselsystems = {
     flakePath = "/root/.dotfiles";
@@ -26,7 +26,14 @@
     isNixos = true;
     isLinux = true;
     isCloud = true;
+    proxyHost = "twothreetunnel";
     server = {
+      wireguard.interfaces = {
+        wgProxy = {
+          isClient = true;
+          serverName = "twothreetunnel";
+        };
+      };
       garage = {
         data_dir = {
           capacity = "150G";
@@ -49,10 +56,12 @@
   };
 
   swarselmodules.server = {
-    ssh-builder = lib.mkDefault true;
+    wireguard = true;
-    postgresql = lib.mkDefault true;
+    ssh-builder = true;
-    attic = lib.mkDefault true;
+    postgresql = true;
-    garage = lib.mkDefault true;
+    attic = true;
+    garage = true;
+    hydra = false;
   };
 
 }

hosts/nixos/aarch64-linux/liliputsteps/default.nix

@@ -1,14 +1,25 @@
-{ self, lib, minimal, ... }:
+{ self, config, lib, minimal, ... }:
 {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   topology.self = {
     icon = "devices.cloud-server";
+    interfaces.ProxyJump = {
+      virtual = true;
+      physicalConnections = [
+        (config.lib.topology.mkConnection "moonside" "lan")
+        (config.lib.topology.mkConnection "twothreetunnel" "lan")
+        (config.lib.topology.mkConnection "belchsfactory" "lan")
+        (config.lib.topology.mkConnection "stoicclub" "lan")
+        (config.lib.topology.mkConnection "eagleland" "wan")
+      ];
+    };
   };
 
   swarselsystems = {
@@ -31,7 +42,6 @@
   };
 
   swarselmodules.server = {
-    nginx = false;
     bastion = true;
     # ssh = false;
   };

hosts/nixos/aarch64-linux/moonside/default.nix

@@ -1,80 +1,16 @@
-{ lib, config, minimal, ... }:
+{ self, lib, config, minimal, ... }:
 let
   inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
-  inherit (config.swarselsystems) sopsFile;
 in
 {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
-  sops = {
-    age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
-    secrets = {
-      wireguard-private-key = { inherit sopsFile; };
-      wireguard-home-preshared-key = { inherit sopsFile; };
-    };
-  };
-
-  boot = {
-    loader.systemd-boot.enable = true;
-    tmp.cleanOnBoot = true;
-  };
-
-  environment = {
-    etc."issue".text = "\4";
-  };
-
-  topology.self = {
-    icon = "devices.cloud-server";
-    interfaces.wg = {
-      addresses = [ "192.168.3.4" ];
-      renderer.hidePhysicalConnections = true;
-      virtual = true;
-      type = "wireguard";
-    };
-  };
-
-  networking = {
-    domain = "subnet03291956.vcn03291956.oraclevcn.com";
-    firewall = {
-      allowedTCPPorts = [ 8384 ];
-    };
-    wireguard = {
-      enable = true;
-      interfaces = {
-        home-vpn = {
-          privateKeyFile = config.sops.secrets.wireguard-private-key.path;
-          # ips = [ "192.168.3.4/32" ];
-          ips = [ "192.168.178.201/24" ];
-          peers = [
-            {
-              # publicKey = "NNGvakADslOTCmN9HJOW/7qiM+oJ3jAlSZGoShg4ZWw=";
-              publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
-              presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
-              name = "moonside";
-              persistentKeepalive = 25;
-              # endpoint = "${config.repo.secrets.common.ipv4}:51820";
-              endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
-              # allowedIPs = [
-              #   "192.168.3.0/24"
-              #   "192.168.1.0/24"
-              # ];
-              allowedIPs = [
-                "192.168.178.0/24"
-              ];
-            }
-          ];
-        };
-      };
-    };
-  };
-
-  hardware = {
-    enableAllFirmware = lib.mkForce false;
-  };
-
   system.stateVersion = "23.11";
 
   services.syncthing = {
@@ -137,7 +73,15 @@ in
     isBtrfs = true;
     isNixos = true;
     isLinux = true;
+    isCloud = true;
+    proxyHost = "twothreetunnel";
     server = {
+      wireguard.interfaces = {
+        wgProxy = {
+          isClient = true;
+          serverName = "twothreetunnel";
+        };
+      };
       restic = {
         bucketName = "SwarselMoonside";
         paths = [
@@ -155,7 +99,7 @@ in
   };
 
   swarselmodules.server = {
-    oauth2-proxy = true;
+    wireguard = true;
     croc = true;
     microbin = true;
     shlink = true;

hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:jGfSfCOqW+p24TaH0vlcNImiY/Pu9YhdIwri4N4RvG64f1fmfNV3z6LmoShCYBfIWF2P7DvOa92dPY2ek9UiC1bEmiMtc/scpGxpir4WNuMLUtMWb0IGmnhtzq7fRAH5FkYLJBSW7pAgVsoajRGbo8Dbk5Dqcm75Pfj2YcC79oAckYt3vSzBcskgJ+ccdCfJ6vDlnAilay/GatZbIQmbEefOi9Rplfln8Ounj/hH+Z6zat04+rI5Lj8bTPu7NOeUlUmgoApuJSFafTb3zgxqnvQL5axOgIaJqiXFWhIf5httmu0mjhJupMXxt14IXgKe+ESAZFF8hWHHUNOpE8gEt5tPRQ1hqA7eHoGSYCrEQK9rSXRweO9LCfGV1+UduXgX1hKgwKDS4A5u69MvcpXQoSYX33ZzuwY7tbykb1tbEb3jN2BOSCBB2ZKHRfsTMqAHTE1RekcBArMxp7+8BkM/oww8RTMJ3I8tcU3QAr/LoFvKwvfIVrbT9gSlKSZUeoBc0WMzmRdjXhAZmQe2pb/TOFmPm31ih/E98zKA8PXhNrqjzEVN99lfn/NKsOLd9a8LXK8XoTTueTWqENEdJRx6dHpWuqBy5GdkrDVCRzgiO3Hpkwg56nPmCGoD5o1IgnRLJItNYrIRejIRaISjlefpezCMYIGMIx+CusvAwiOuuWT6kNfDnaK1U4P3Ndk39lsz8Eg2GMruc4VZ3kpTCeQdvbl/jmFwNMPtzJYooiDualIAL95iZU+RW/K+2g3ZA/Q/gJrc+hB6I+z3PzMod5015Oj0FG97XQzn2TeBD1fuO8UtyxSNajGD3ZK3Laa5QrSNUrzlf7YONSn98Z8OqKsAz+D/vnr0Lg4kjrrhYvN6GpR/QqMnNZT7m4d/oxACDycao6ZUDNE/dvuXSA4nSJp+5cxDXjgSMhnOgS7/gCiLhEBkLwzwdexT/e5vGcqqMmyeMK8vSFsPpRoPv26nsyRalwctY2ClX5KrEEckHNf+p9djB7eJDyLxXkPRLm0yp3dcmcEyk0tUffpcJ6zqWnlm46yfAf29fmIJfQWJ8ehSY+bYwDnx2LmCPcfH+sRSSV2Y1Ay22ry9rVJU88SuRdSPsHOitCuu0TQU56Su0wG24ilh6Bq4Dk+0JxlL3wyPWsnoaYvaRiJ6cs3j0tTwwxepbwiakLzWnVcqHDSoQ+Bn0T4CmcF5ztmpuLZSe/UXA48k77JmbT8vne0ig+kVfRuKhG+qV6g+GnxTIPPXGzQ1hWTS3Fg8YBMt1XYyjX3xa218agvPwLhCru1v3dAfHKk6N8G6SN6EN78RQmJApjSHAGFO,iv:a18hH0e5s4BTTlVIkQT34z8a2jELj59ZHhBbb93o3t0=,tag:sj4baRiZic6sWnJXjhL7TQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:t3En0FAhzVnLIv9tuvrTtmYMGeKvZ5e3FoVZHlEbHsmvUlVl+t1Po2uANatzIeKX3HRZJ1mURXMKh7Xk9O9DsKssadBYa2YqZTugU5m9o4+xESQlqHlnnKALaiyfSXFlhAZ6X50e8nfPCDLicjKzQnk7S/0XMaFB7XN9T4SfonVLElHSZtmOC+85WgAn4uAyfPq44UDVw116g7ogpjztsCG3deqTxP/mcY5trtk+SCEEHLHO6AiEe+Jz628Z+t+3YttQMKQulrakUzzvP07jQhW4m8X1cQOfX2xeTVTwNiqEq75Pt7g+mycKO952BVmMPYIvQAU2xUNC3YIqaFHUDS2QbooAeSJq8TT/s/zM/tjXXLsA7EsFTcduDKDGXhBFt7AlicruhymgtuGv2IwQLeprytRpwz2wcWFGLeiOKp/Zdqwf/3yhGeYlOEv+yhCXI2oZxS+8q4Vu0ejDkTtSeGzm5EtTrxzmS4X2psq2In+9Jb70TrkutAA6F50VyKJV6WQX7Q9yFU6Z6URHlxpwOUzwpto4Z3gxOn9Hm9VyrhTSJZ7sjd9sYf0WO4CJpUYrTu5/ZRcdy8i6Wu2GA/ylt+XXsG1yicgPxDvUcWSg6VfD5/tSTEHtUUVD/sAf7xl/sPcd76Z1DFfgkfA/s4BbbyZKzaZpAz1WYTuhambFpKWDY8YKCoLZdSCahP0jupm3OcnNw7ZCYu43k2JHp4X1mW0gb4TPvIGOcpC+pJvLsa2Q4AUAt4eUmlMCogJ7R89LPLy3fTYDeQV9ly6Z54N70kfsJVCuzrqOjFS4WxqJPZZ4HcRth4JmFE0mcCDsWQVOGJdJmShFxr7kijEoAyfrrZeRG29PgU+2CCcm2dvswJ8DdEtI4E8i/tOwQlHpUmWAM5dFFvKWZjxd89tofYyB/mrAQwXhD7+9Yu4KJM1C3v2IbrvkOgaSMVL7Ekn5YqU+g2BfGYQbkCYMM3DLpllTMGjiMFeOLgvHPAhA3ozR0KxJUaUVZe5B5XscA1xaKedl3hDxR6A9r/g1EQvv7F0n1rWpJvMVSZ3oo8YmzO2DKDwsfKglkR3TrmvQyPvwO/F5wnKMb2+GWh0EmeQLcxHldB6j5CpAj6O1AqfOZjZNcFc8/RfAdLS+OMXgNaWvahVjlPKqI17zLTSJCaCF8KP/T9Chj90l5XqgPsV0t6bPDueOrBOrieQD8UKOjQHR/fgSunjZQrVfYgDBTilb3UyGJ3sqlL9zcTjTgLkNSkNd41EmnCm6SdB3RpQb1fcXfzuCp4bD5Ty01PU380YWXXkAinXDP8961uexWryckhsCqkfbdDnjti3CPfEOBWc6u1R9cI6oLZRw34NpY/4z/fuLAnxgjEgwLAQLG0am/tT1ySH/Cmfy,iv:aa5FNi/z0WnPHFsLUk3odDnghUq7YyA9U6nI71ug4fI=,tag:kd3TDY3mWiEEXsB9RopnUg==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-27T14:12:09Z",
+		"lastmodified": "2025-12-04T23:10:31Z",
-		"mac": "ENC[AES256_GCM,data:6CqpegjS90H6fAllBsvz3d/y4MpNyMUo+v1sby4hHHw36GlQvnULHuv8dhXrlYaE+L21aoz1RITl7IEtNl/R8zjGh8b0dGIc2iUa2M5dNvHNPMTuucAEQPuEEvTiwI72winpEkdB86fHFFHvBwHwmlNVFJYx5b9bNlpjCofewQI=,iv:qOv8s8j5jOtcoKzgN/HkXvIsS/sk/DFZ4lcEKBLsrKA=,tag:ifXbcFGzpJ+DSJPkvaX0pw==,type:str]",
+		"mac": "ENC[AES256_GCM,data:gNsVWFrs92csjnRvhtXcKLuZUiHo9dxpFRLwjWz7VQSLeOBL4iv+Hq3SNyx4F69AC2nr9HL1QTLzX+444EhDYot0jLqOH6xz/FaQPf6OXKHg+Nr05MUe8X2QsLjodOW81Vv7HqIMypU5dyt0FBr74++9oEz6072AuFl5JAUWIvo=,iv:tGX+wUKvWYOnxVCTqhra7tg+r+TT8tyAr1tlRP2FkWA=,tag:WI5D0FTguiCJcrQh47qJow==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-13T20:12:55Z",

hosts/nixos/aarch64-linux/stoicclub/default.nix

@@ -1,17 +1,16 @@
-{ self, lib, minimal, ... }:
+{ self, config, lib, minimal, ... }:
 {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   topology.self = {
     icon = "devices.cloud-server";
   };
-  swarselmodules.server.nginx = false;
-
 
   swarselsystems = {
     flakePath = "/root/.dotfiles";
@@ -27,6 +26,8 @@
     isCloud = true;
     isBastionTarget = true;
   };
+
+  globals.general.dnsServer = config.node.name;
 } // lib.optionalAttrs (!minimal) {
   swarselprofiles = {
     server = true;
@@ -34,6 +35,7 @@
 
   swarselmodules.server = {
     nsd = true;
-    nginx = false;
   };
+
+  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
 }

hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc

@@ -3,16 +3,16 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h",
+				"recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZzY0QVQ4ZUxxZkdhQ2Zn\nOHpmTnRaR0R3cXh2Z2JFM1RDVDB2QnE3M3prCm43NjQyOS93UTZKaUlUUmhVcTdG\nUWp1YU1kVmZPc0tBN2FMY2FFVkI1a0UKLS0tIFovZi9FQlhMaXpvcnRYN2FiSm16\nTzJESjNyZ1NzajJRNDR6ZTd2TitoQTgKe2hC6OpYIzgqzhmeJuHWe0yXNE+/Ek26\nGt7s1B6OKnrj+S3es84ePOjAbLHr/ez282b/h0y55ws4R7jMemUIrQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzclI3dlQ1dUY3WGVYL29E\nSGhZV3VMcm5zYmRsTHVlM2wvNFVyMy9CRlh3CkQrZEIvMyt2TVdXQUJJT21mY0lF\nZU1oakIzOWduU3pNeWVvcFMzNDBFTTgKLS0tIDF6YTROOHBjUnBkVklPQjFRQ3pX\nQWtlYi9iOFFjNUFrSUNMZGJqT1pTVEEKFesEHZQjpenLp3oBQwxDcMv1pEAReXQs\njT8ydzfTuvIP6bXu6lcJe0J90NVZ36qBZ2fTs/RqvZbvM0oufb5/VA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-12-01T12:12:55Z",
 		"mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-11-20T01:03:05Z",
+				"created_at": "2025-12-02T14:57:22Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//eTxMD8ZbwJUqVsi1IKK2qdprLTjE0rqdDue+OvP0V+Ns\n1uTnw+b2UBykbIofXcG4P61OxAFdEs8whiIdffQtkDTkOgzV9IQCBOSGxZGEJXMe\nrl5BZLlF98JZ5R15v8V8vMwWwtC90GZ7gZLDV+yZz40Zqm3mTrFz/3PERukwu4Gb\nLTJDOsGmpooyI8KnrIsBhfEwo7/ouAayuKQfvt2i2Tngk9Em73R91BlpcxsOEmqr\n5KWA4GCsjUOmZZKLj2vyENPgQh8t8bP5fGJ3Rf4J1MCWAB89omcE0aRWId/l5sdA\n/Nxinh3xQsiXHPzPLZQ+UjHs+MjNdUoZapoDBP84j2tHsSxh0RMRhlHpESDWq3Mm\n1acWrChyyds6Lz5ZqkioqvAZ3lslS0kPdQqfsLzYWBhA9kLOIJKYfat+vxsAPwAa\n6kceXtxSzUpThtDUPDibjomn7Mrj7ZoHhiJZup/M27glf/V4P3zk+ctpXMSIE7Ia\nQ/jgRDzpcs+u05RsP32jFbCAfi//WxRo77MoxGMJxDhYibBp+aRkFAgVYiElhxbt\n/NedcIAHSJZFyDPm0wn411+DPnUTPn9D9LCkmSG68ZeGDGZJl7Sz3bJ3obWWecTG\nBjqxMZVwRuU2gdg1IwempP9u1dP0Q+g8B3veui/gczGx3J5kvNv8hnUBTeUl2EyF\nAgwDC9FRLmchgYQBD/oCciOvXMrH9/hWIIYb1sKiuCmgdVfs7H0q92XdVNgkbPRz\nXAakX7dl5cZt748u/eCHlGUGr4q7yA1tDx9Vm/J+O2HljN3lBVCbm7HP+YcI+5g0\nvvxr0cIPtr5CXlZz6hJjTgzE4HfEKagGdjgllbHYBB+0rtq/2pZTa20fG0w4coeI\nB/D0iVFwyuM3Wxt/7gXpPtI+m/3qt8QoFIGsZkck7X5hdJwGF4DD5jKxYB28s5Hc\n4ZBG19jezjMIVJUGE58TTVDTvZvJ5Vaw2RizV8DRkFS3q0UIOapOESpZiRnoOqA1\nDQpAU26RSEj8wlYsgNrVWUpdwlYs5e3EWYNkGROTRSB/dGcCSVF31A76W7af+6uv\nwZdMCrAGlD4GBj/yojdnqstfB2Jxu99VubcImWKfaJEXYx5xoREGmK9+t896GJi+\nE8mjiMOMRZFV2n2nwTxAFMaiDJ+VpKpKGVKCOSDwqsePhY/A4kb+N1nnhutmSl/v\n1SCDDvC9+jYNLUC1IaJfFOrNClA43IdJELOAavRx2t1RdyfyOx3D8rrWhF4+NB9Z\nlAc2e7hOoP/OEtf4YjZWq3dQtWSdwePWBxD9xyvF/kEmd2NcezqdfggH3g84qBxy\nUxBDD3ojMMAXlkPU3hRiDeLd1mHxDizVxqYkIYDSeAKtuv2ECH8y7/mv3sKrFtJe\nAQvSMW7gOmIdtQaIpsXHMxzXf+Nv0l3dZeWYD/TnVvoeVOaRQ9dHrtl3J0U9UN3j\nBOJdFaptlS4SIRkva6v6srrM7dXKvjR6IabdzaWl098VW9RFD+YGJ6ZhuQ+zOA==\n=l0k2\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RNM47rdREvCOPQ83++DSlGWeoGlVeFvM4a1og2Nkzoq9\nLKsZh6bQP2SC01UOD4UDKBcT7PoQU86xePjV1ze6nejo+L0twrhQNT76jAw5OhFh\n1DkOVnUpcjZE3aBxDa6g79qVKfp31i6xfvgjipF4SMGpSlZuMLKL+nTL1357HXU+\nzQKPwSLymDq7EdxnCUwTGx8rVI59j4hyEwinxZhbQYiiHQpTQ3AHDu3oBO64daPh\n7WEmMShU4I9PIdvie7sRK3txZTcjM759m9B3Fm+KEWZXO/bQXjy9/Kab5WlEWwFK\nP7aHLin53wc6HMZjset3o61i/FPeQdm6IVoUujjuSI6076OqsWv7fQp9NApftCko\ns0yNY0RMgRpOQNho5Navr71eH6X8QujrEkCGzVqHm16issJUJkw95tlj9q4qghSn\na4RCUmgfToQYvL9ahNTfqP2S1xqI4hbP0elBXbrMUJ7iYOWOLwEPCgmuoTyw+RXD\nA5P/HDEvgnkVxB4vdzfcQjgVtR01nG5rAcclec9gXZg8Q3K0b+MoKOhdvTucRNek\n8+t3XEzTBBjPdaIhW8038qbCueuetsWNjb7B3Km/muQ0CnTzQ45GWozKdDC2qB69\nS9z1KIn9FrmGxCd5hrL9fbwJpisdtOD0foQKoD6X2B+h9KqORWbSGLXfxRo2uBOF\nAgwDC9FRLmchgYQBD/0Y8owdtA5dgxv6W5lej/sT7+PSc2fvIQVQvvYTrT2wJxc5\nrTX49HtIFxPwGdwBHH6Z3oLZjojpX7u8bm9+ewD7sOsvC3PLsKfrvx3naUnEZrww\nzKC762LWiYS3qlFR1QAbPWDjJSi7rDqFkQhGMP59MDOifYOLCbSQQpdTCMYC550I\nmljenkA5nm6sdYnHa54hkyiWzGSO+pAv531X5GMaTvHB3+Fy8QA5o3/+ZpNtVieG\n8RAbvqeH8PyTZsc2GW2D6WfudB4jrhvYBio4T8+5/3Fg6pWIq4pmi4o0F8I8BaAi\nuL90IEtSeFQSytg/EL0JtFxMBy8ImlE/SAfM4Y6UZAbiWBykmrD9TM5IPMUbMTT6\nxwfhcsQ97m9sRT2TWSrxp2Q+k/BQxVK+AbOaxEtWqqOUnWG4sskw8DQ+qAU5v0yC\nGH46gbklEYDmvYMY/kLXSK4iYJ0UmXNhB+DuM0WihQJ22PUPZy6YGWjwPgxjoYXZ\nbfoRjzb5N6etY/W3QjGbzhy7H+JLKXZbq+DLtH5A3Wya09ilpf2cy6FWD+o857op\nKdfybFtXZIBTZWjRQSeLOL+a157M5c6MFC/xr7E18qqL6xl6v3jgF05SZ72bcGVG\n2zvTWnAV1Y+oH8NhRb0i2uyZCEWvv8MRrHJFypcUqImAJylGnYu8lwicGXA9C9Je\nAZ6JqTMkc6Ji6AOzY75gP1lPQNv0HrIbE6RzZyAX41WDB+0okERps2IZF7HSb5/7\nVAXUR2QRmqagMf/qV3iNDQS/kuwGiv/2WTXAtm4446/mpdkaKf+gN7dgcJf84A==\n=eXQe\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/aarch64-linux/twothreetunnel/default.nix

@@ -1,16 +1,22 @@
-{ self, lib, minimal, ... }:
+{ self, config, lib, minimal, ... }:
 {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   topology.self = {
     icon = "devices.cloud-server";
   };
 
+  globals.general = {
+    webProxy = config.node.name;
+    oauthServer = config.node.name;
+  };
+
   swarselsystems = {
     flakePath = "/root/.dotfiles";
     info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
@@ -23,6 +29,20 @@
     isNixos = true;
     isLinux = true;
     isCloud = true;
+    server = {
+      wireguard.interfaces = {
+        wgProxy = {
+          isServer = true;
+          peers = [
+            "moonside"
+            "winters"
+            "belchsfactory"
+            "eagleland"
+            "hintbooth-adguardhome"
+          ];
+        };
+      };
+    };
   };
 } // lib.optionalAttrs (!minimal) {
   swarselprofiles = {
@@ -30,7 +50,18 @@
   };
 
   swarselmodules.server = {
-    nginx = false;
+    nginx = true;
+    oauth2-proxy = true;
+    wireguard = true;
+    firezone = true;
+  };
+
+  networking.nftables = {
+    firewall.zones.untrusted.interfaces = [ "lan" ];
+    chains.forward.dnat = {
+      after = [ "conntrack" ];
+      rules = [ "ct status dnat accept" ];
+    };
   };
 
 }

hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:G3Q+Hn7QkvBZeXzNR+0Bax+Va5sK5E0K3hNTkdsNJx4C6pIwrBEBOt3IKv/c00QhpAnPqo9gbKqWU9gv7I56nEOwVtVH3lrMlbxNl9LIiSv9SvSxVkTOow2msSJV/U+1KpjNQ/LnOo2Fxebfz1yiRtgi7hSazzqzIazZAFBldlKkjLR5SFCG8t5s/nccqZU+cLmS7hJDS5LtgW1XeunqUY7jnKuh7gT2I6fPsu15Vy+YeKLmYIt0a20bWGePBIlyiGRtpnMgtIt5gk5+OpSndO8P/GMgUzRwRZEL1b8U57jbhkPLdnwwy/iV6rEFCD9i6qB0ufVW/euc+y5mN0dx8op9FwJVzkJhUIIy9Qbbc8WOjjjWlwbKJNkWfYX7pTtx+xfBKuPF+IwaoMS9j+C3etkoYe5QCr9YGYM5Xer/HL0otYNacQU5S0VqPBzDnLu7NxzB4i22,iv:aFPDBmZasoqEFCbhrRtA2QMB27khuT3rdfCGAafjov0=,tag:GQGuHL5aYPc98tzc6Bb5mA==,type:str]",
+	"data": "ENC[AES256_GCM,data:mQPfK2Dh2ACae0a+1GRHY/CV0JpHH8JO+td+RR17UXyq5v/OF6YDfS7loIpQvImEAs6AvIzIdyq0848Fh/34kh/K2ZAq4AknW9jQx5YyP4nbk8/q1/dk+95c0u98WnN6mw3BFHHesKYCfGy82GMnu00Ffxu7WSYzTKxq6yvROS7ugefRjsoMsuJcEeHmoIBgEIjXntGT4DxJjw4RhWPm+unSmce9SXfqbAuuizHm/S5URYvicIzalSITlfFBrpKWNxNe9fC2etDb/fB+uMpG28rmB98ov1W0X/W3JOUhASXVhB+YCau8XdIRPopEnkR4Wm1HD+exJ3CToJMgrdmv5Cj9rJoFI0jvApRpjBix5qDrTsbn3iWbv/QYuCnL8ulXY7nYtkmFjFCG3fLZ5G+6EVE+bZnh2V8KYAVM9moehNJ9Or4kGST5JWnIizFvAeeYef0xZtBMwv36Yc1JNAh3zlHP26lcXew+Ulxxcv07RmmV52jZMfWweyg4nXNumrbmy/GwingIhqN8wHrOD3Tu0HlvqmX5C5YRZg5iVU4lnAjKJc6XRn7B1GQzKeyE9HKagkrULQKGmqDlqEvEAp/9eW+rTR2Yho1QStK7J2RXFnWwpE4PH3cIfHWtwIv67yw+QWqj+lXMztHaX3RIRXGLyqnWtaLjMG+IIYytzaBt,iv:djDts0mzoVU6Cvf8KJb01CkHO+OrnIJyMhTfgJ8lZEE=,tag:JiZ2t5cBfSAKG0b1wAZCZA==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-01T22:45:54Z",
+		"lastmodified": "2025-12-30T14:45:29Z",
-		"mac": "ENC[AES256_GCM,data:b2sWPq+S5qqSM6lON+9A//LehgR7Wy7x8EfqeiFOFo9RT3niwaKjfp/Jnf6nKbXF43XM4dsn+dIX52fgxyd0KVLnJTqinhz97sSSs7hYFdXa2FGRhI+VwmuGVvr2ylAJODQgTn+MD7I+s/3DTfh6h0V47IZvxrUpYgg7tJrxzBc=,iv:g4XVN24+COVtRQPzTiI4iki1crjBUVc7vpnJ/vucd2A=,tag:gcnfSvPWvLqG2wTZELRMsg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:/hfp7IopUWZSMequVWcpMup9lM/e5G3Qda+8zz8ecPMdMrbUqpzi43QAbiTvMC1Wa2DKWFOsZPilClJQfG0MMEYD4GWehd2C5psK5HOxS3h9pjE/AjctaCwu8RB71paK940W6NY8sCjOi+zm+Az4KDwkOl0R3ApaUMofV4hsg6M=,iv:d5Zy4HXtoSfRN4E0FHjT2vIWMY8k3G422ygVAZ7gXrc=,tag:a6UZVjb9kTj+8FZG1FIyrg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-01T23:06:36Z",

hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml

@@ -0,0 +1,65 @@
+#ENC[AES256_GCM,data:Zj552Ho=,iv:uOiDvsLPsT3D6A1SLgDl8jbAyz5bK8s1h7mIc6WT10k=,tag:rTD510uyO65F/qcD/UTUpw==,type:comment]
+#ENC[AES256_GCM,data:a8v9FPS8GcZOyREs74GhUpnAZlYF9Q9lRU3ZdsYERajtDiGncywKPLE61PlnH8o/h+QkkWjpsjy+,iv:Ck+7CaYym5fT4uy44b8yLw+b1FDvvjxrxql3ed+B2as=,tag:sb7vA0tVe1G+TDcJLhQ66g==,type:comment]
+acme-dns-token: ENC[AES256_GCM,data:9AvuFB/nYm2H6JK+pKY0wD658dHGZyV9w8B/+PeTKb5PkFJGlqdz0A==,iv:DeH3sRv9hCzhy38jnXVeGlAbUeXWOwf2avdINWuhJb8=,tag:jXjmtG+uoTonlXSSKLkY3g==,type:str]
+acme-creds: ENC[AES256_GCM,data:X8qOlnbaQo2RE8MyMnI/1EsyyHl5t7TemUTRYqhuHGtFP4mK5+obd/S+VzscfVJqPkCY/faGAQXtbI7x9ST3AmxiCZEbuuV85OvrM+lz5muV16YNjovPxG5BsjI/ZzYZ2V7H9CiUQLvoZ9D652mvwA10wPnKrIpZ0Z8TFeC6vFx8vyin07IOQmNnfanUVMf46/axAR9KM9ksB0uJfsEo8WFmt5q0sfXRRe+qBtdgPgvn9ebeU++Tv8JpHTPSIoagh1PslabrsgNEcM8H4kzIsOly9uYmYCZ7X732vTKLRvimJ64+MLWw3+DCy2eX5sgrSRZw8r5F19P6a+gGBTy3TsW+Ql1dI468fayltXg1hiy8bD/WEXaEalaB2w==,iv:DkX6988ls3nc5aoLP8sQOXR2alXKuogRAXCtrj8/pVs=,tag:LTwZhUWgXfbLg3YxQGlZZQ==,type:str]
+#ENC[AES256_GCM,data:/+idD/eetpnX,iv:NNXMyIt6uUfT3JVU9g39xjUL71cw5UVmESKVIf54tqc=,tag:pz+D3tUk0gWTfAirJGhlkw==,type:comment]
+wireguard-private-key: ENC[AES256_GCM,data:m8fL4Y5TusV4imzcVqTmJZB0rlb+ndoH/Bl7KvbP/7awfR0FyDTmt81+3aM=,iv:qKT+61HLz8q/0T0nKvnV+wap/cvjss8THXupPNlotAE=,tag:cKrRuJjhVYdEWfrFEhUKZQ==,type:str]
+#ENC[AES256_GCM,data:IpoTYZX4KGjPA+hZ,iv:Hd1V9//M1f/10HQ7ZEEA9ZtuO8EBtY1kn3n28krYxpg=,tag:We6WirbRgSH1qOjC4g7spg==,type:comment]
+oauth2-cookie-secret: ENC[AES256_GCM,data:ZN44Kdai0hUgx0GduynlyMHDnZpdnp1SPAGEaNaNFHGMhM9Q5HPzotiNXQM=,iv:vsYhWriY5G4KLiJ12MLm26B7aBzCL5GAr+S15klH4Bc=,tag:t+MsS0Wgo5papvoeK1nk+g==,type:str]
+kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7GA==,iv:a/R6xlwGdrwJNc7qBoo0Zmlh7GkZ1+uU+RzOxRE+okc=,tag:3WpAVThFLXZFsCIl5xM0IQ==,type:str]
+#ENC[AES256_GCM,data:vm48D/CiRtw=,iv:7Vs8SfqqGEEU64ZqF3uvFIG7DnUfOT3kGqodiIbCwjQ=,tag:hdNZZUMTLIrAGydGSFfP5Q==,type:comment]
+kanidm-firezone-client: ENC[AES256_GCM,data:YD1lkGkg+HxqHrGsbIz2GRq/VMIJqOD+VQ==,iv:AJa/sVAC0s4hdfvQYf+/NaYTJaxO0fdwzNmmD7S+kc8=,tag:JSU6aX8kYbr70+YYwRV56Q==,type:str]
+#ENC[AES256_GCM,data:XS4Kqba//4tVSj8AzyLY19Milwl0w7UkTM48t8m/wyB/P8TgDerxJwOGJvz3uLZJX/EO0/4rKminMYSoMybRnNn4TVv9pa9uV3JEkUsGkFk2abMfBriAQjQgziwLbDZQJmnJs46YD5s+sYELN4MJtwFNg6NzEDATDMWuE4+loyxoqgF/lzG3OFGkDl1R2JkCIOU6NGRqTn8a4XpX+p8U5QrY2V4iBCXajGXrcqLfINYW508feq1TAUZazaNdA+RC2SMvq6Diy8mysP1p/5mGUpIATjmoDqN74Yc5uZAwaenI6jIsfcE4JP5lFy7dHWOfTQS/9MCsEsRN2LWuP0ivaKOgF79ykd4Tb19EACdhpkip8XV0hKHJMuyEr6zJ23dUNtBE,iv:lpA1sk5y4tSk6iXAjArtF4piJW5af3+tIwMos1BpPEU=,tag:479ZIsnwkSSFq+C2a0jHzQ==,type:comment]
+firezone-relay-token: ENC[AES256_GCM,data:QLQ444ocvL1yjXXslo6YzdPUasdt58Qztf6yv4UHh0AZtMVuOcDmUUXdI9Qz0i0J34zGbtcPw/Ac9CzxnF5sRj9v1D6RkfHf642vo2JxcnG+LExHzUFNEhTAXqgLvfdQhi89hQTjSfc/+ryDyf16tTJklX40VitqYLtTEW9CHSHhKrVr7Gx9u5qw1+j0voQbJEs/ojBwsnzNQ4Z7FJgWLBw9FMOQg9sap28m6fBFJNnUGaK2vIUQ1qPXQWyX1YTh6xd0nq/jyB9ctqQczYftgd+wkaEiyMjQJkNk22W/6P1M3biV4L52H7WVVhptB8yWa7TZUXD6GFi3cMTXhn0NhM5FsCJhXeGcnzNmBs8=,iv:RdVXYof5cSMM0WTAoh8SO3jTWyR+XTNmK0U4ezHu76g=,tag:nSw7ykFPYuHq/klTwlNpSQ==,type:str]
+firezone-smtp-password: ENC[AES256_GCM,data:WLj+kcidIMQIP6gPuuIrujA+fHypUpGUFg==,iv:kg96vVaGund6HcXoJltIma9ecv6tK9AxZJf8n62+9aE=,tag:g54wHPhD4qnHlKZQd+MPZw==,type:str]
+#ENC[AES256_GCM,data:aBNmUs9ZW+h5fDMVKdW3WQebJ8zmbHuYmNK9slZx5tZONTfnfnFRYjbzyqFTBKfC0bYjzLYL8AxXiEiPmBo2yLgbXtsOrVMoML3hD9Oi9T/7++BUBpbBQ31cC/EtnALumpes7+hO3DULm5tzWYc9qIz3yB9/gQzuKCqFOB6TCt/PwAKrVKNbcOihx/5xh04s6WyqfSUjWOOcHSY/ng2G7NeYRInLe6TgM6gGQGe2DjXCmNvgxJV2Mh78IWs3yA3aJ9VtrgF5R0PGoqHHZ8GfRZfYn7MBSW2dHztb0oLWux6bnO61Wnm8iDdR7xguQkNXPO0XXIIIO6AOL9duThXYjwQmieqYEEu1BmrvaQ4/tslLHX77axQCm1miwmZP9DoKor3yAziCBMa/pbU5JFlft4QZ2QGY7EreDfBVoDcPjCgA+gXuvq1VozPTiRH+y1hiulGlbGL0TmA=,iv:nsXYOxnWGceyB0aiv0Db7H+oD4hagzwQi96h4mGWD+o=,tag:n4p5Aoh7lYvCRDWRcc9tbQ==,type:comment]
+firezone-adapter-config: ENC[AES256_GCM,data:CPY6DPFJ0OZRJqY0u05rAoc9gfCvHY8fFXkSyKvC+VdjNkC4LwjSJkaBU7aBAyIVsLrLz7cS52fcFfwdnAp/6V7BUDE2qpRdpwuN0ZuTMrnFnmLIi0jy4JXcU5niiClSfulgRfY9Dw9f8oHdYiu+uziVhDdjThx61tNyW+OVMNsKv2avWKqotM/fhBf59hJDS0NwaFi10X4X9Z0Oljd9mHQw+LDJkSTX0dk=,iv:IRn5awskI2mZCzQka6VFvCaNnYATvj6yMH9UWs4vJus=,tag:3gbxkbfwS2mNLkVK9KmTUw==,type:str]
+#ENC[AES256_GCM,data:xZvu7VeZ8IVeiR94gfJR1BB34V1z8ou+YKRrIxlK+qJ8idgzEKXRiWCcdwC345UNIEuVShI8CT7+Bno9c2bllkkKwW4RhSEnMOYo3g+iouKB3p2iwRBX+OEZuWbpoZGDr1KpHLP+ypiTekNOAZgx4EmxQWFL78bBMswoPn/Tv5ahN1Gha75A9iO7nNQgjRIn62s4l+U1cMXDBBKUCIwcfg==,iv:V7G6wGFjSoKNGNuwW4i2U8+zKI8AQm+ATbSLls7688s=,tag:jQqxbMGaJ96fHvPj5Y0CTw==,type:comment]
+#ENC[AES256_GCM,data:td0zw1WORHtMvBO7IK06Of1PoG1QTMiDeJ8KSa4LpLrIgOPTdIg9TkU7UYPNxFD1bVGpU708Rs8Skmyz0v4y9S9H6PM9+4fVij5GN6uaLH/pfMXzaArD8SHbppYQGgpVqsq4kJ+sk02yAjvEM4BBfTpOEPgnu1CSmwlyjw0ysrCwq5YLOYqAQa9rT9uiVCL3FYWuuUzh7SPuRaZouGX2m/MdtQ==,iv:uetwzIK53P3ja94Jw/QDnrel61ducf907mZwB1yy6cQ=,tag:89IjmIvEQs7ayBmuvw3RFQ==,type:comment]
+sops:
+    age:
+        - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcDZzcEJTNE94amhZSEZk
+            Wlhkc0dXY0d5Y2Myd21YYURORlRnMDRlYTBzCkZ1UEhzSzdTZjJENzAvOHJBVFRH
+            MDBMb3VmTGhnUXhRRnpYS3p5NE5HYnMKLS0tIHpROEhpeDZQYUNJMkExTDBsNUh3
+            NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS
+            ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-31T22:00:22Z"
+    mac: ENC[AES256_GCM,data:wGGou+Jx0BV3fMI8gF3HL6VW05lz4CSBvjQF8WSbIHoykor4uthR0TN4ndanU3ZPjhU+NRNxIxTs2cFGJOH4YMIG6bGH0WIoFIfw3xkSIT/zAmfK33P7AUV8/vA45TZli5VHf6S/4CUqXfN91qezrMUiUVr+AEeqa/hbOMBO3j8=,iv:TRc4ci8KRF3ZHuqtafqP0AaRMHMlqnhB1psGbuL4zms=,tag:aTFxdF5qpkGEYvwwj7Q4SQ==,type:str]
+    pgp:
+        - created_at: "2025-12-01T23:06:35Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTAQ/+O2d2BMDS3DVPfUHLD69K6VsdewczQkPoskMrS5JeQn0R
+            gDhR318J311UMClomIIrgDlbleoKS9tdC1rM3DoCaGFq4MyydK4MLy0+6wme1n3a
+            ZyOsQ1jSpdgkWUfbalbxL9/cWtQBwfahXve39L+ocqb34KT8jeLcRNZWORWAst7X
+            a6fHFp4gZrTnOjn26TJc7dJxYGWQIWk3WBYpzC8kpqkMaIemIy0FHaObNYy3DvM0
+            Z++AYqmwEYiz+tG1bVRUZ1ck/z8kR+Zv1Wg0uVM5Jmg6rArrz75xSS297euPZhO3
+            bQwEdJ2rcrdaz5LHC6zgsDrVz5LsfoTxilOwIgsqSGqOBIGAN6XttZXjjul6MVyE
+            XBlHqqrCVlLl+OCumWC0U6vr/bcGV6CaMJPE80Rh//wThtvyKVFRQey8EmJH7IGx
+            vHtfOaOScJc0sCCyXOx4HBeeGAYq0ogSRTlgK6Z+kXx/MkYRHiw6Vdrw0anmFF08
+            7lYB4SPafnEB4m2IPz1390ZSDXWGT5QmrhpnajuILIIcWwe0mNPfDbLQWF6CZALB
+            UJs0XvM/gfXhnqVnkayTXc9IrIHkLoKwyMh1g+st+d0fAYaUD2Wd9BI+zi22m4iR
+            J7Mw0bMBciO4MRIZEEFsCvuv4UzFjQ4mO9ib6LXI7y51sIJuYPkq3lllkntFdCuF
+            AgwDC9FRLmchgYQBD/9F+tb1K7aKNq73pk2YTmzH+WR2Dr3+MxNgnQlnIJMxdoTi
+            QE3C9U9UaO5ngdHbnG3ruBQKjGhLI8meFMTJatPwuOFcHPN+I3lEO+PkHGH0VkGQ
+            A1xkeFizc5l0tfTD9JpatOwaKKr1b4cERZP5hSTZ3MJsRJsykySKmLLpfmC1pZ7L
+            OWLdJ740YEPXXw76seRgZ66tKou1lADRBXAfHxmlj7yrt/MB2xg0FfPw6/i1HTlV
+            kwyobNlNO6whpgHjX16Qfcuj5YMRSDmyb+Ol5dheiA+DvoowhkijCGv04Mye10RI
+            bvjcmhVA+2lNP3tzF2duyIQi4nPDhQLcBs8djH8flKWDZOuz9Jt1QDTb4h6iJzfK
+            RkfU9j7/GjDiiksOdC0/yYgn90dGdPBI/iR890Uyuav/nwzF9Kz9aHQGPhCbwfRZ
+            gN7f3zyt9XPw7Qdyf5+zvaarg5xf8i3q6vhYZSGpOGC/ZrRdJcNfo5Sw4gVzrTOD
+            M9IGoeoyWkCHrjKPjYf8fVW8dDgMsddaT/ub8jh9OcM5YA6mrbeAGyf135mOurLd
+            PCsu/tNAA1GLImgc/MYplkPsOfC0+7fJ9gCSirXyRgT6Eir1VJLL7wE0zrPYfqdX
+            NOXYKdHQxfhtk33XlnxNJ73cJVGtBXy3B2kkM2DBHxY2Zj8ysO48zSri280RVdJc
+            ARILzsczZMXmJVYuR/r103j+doR/kMVEeH+gwhTSyj3yOgP06Ychawx4m8QrjF93
+            FfpVVia8JmpXAymJ93fO1HCzpQgZwX+BuhjfGcUoa3kr+lJjzU4571CCI84=
+            =lNG0
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/nixos/x86_64-linux/bakery/default.nix

@@ -16,6 +16,11 @@ in
 
   ];
 
+  topology.self.interfaces = {
+    eth1.network = lib.mkForce "home";
+    wifi = { };
+  };
+
   swarselsystems = {
     isLaptop = true;
     isNixos = true;

hosts/nixos/x86_64-linux/eagleland/default.nix

@@ -5,6 +5,7 @@
     ./disk-config.nix
 
     "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
   topology.self = {
@@ -25,14 +26,29 @@
     isBtrfs = true;
     isNixos = true;
     isLinux = true;
-    proxyHost = "eagleland";
+    proxyHost = "twothreetunnel"; # mail shall not be proxied through twothreetunnel
+    server = {
+      wireguard.interfaces = {
+        wgProxy = {
+          isClient = true;
+          serverName = "twothreetunnel";
+        };
+      };
+    };
   };
 } // lib.optionalAttrs (!minimal) {
 
-  swarselmodules.server.mailserver = true;
+  swarselmodules.server = {
+    mailserver = true;
+    postgresql = true;
+    nginx = true;
+    wireguard = true;
+  };
 
   swarselprofiles = {
     server = true;
   };
 
+  networking.nftables.firewall.zones.untrusted.interfaces = [ "wan" ];
+
 }

hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:nIgv3b+6o5Ce9X9xZtBK62f6dgsAGLPqq7aVFCw2qjD9UiHCrAY9vTn5NSW2O2pbLAfx6h7falS3/0yU+AkJ2H3zhxBy7ZxQ0m9dLoQGrYY/E9Z45xZmdFRxtzexCaxr2DxbP8haJKomQ22cHk07HGsrEZ/CFGkyjRxUr3Y4rewgZPBXahVtM75mWbNpVGApc8cs/W4JbjuXw3qlCQcACz8sZVPHKCjbEypypo6nTmU7NO7worrAJ2QgU75oGJ9g96wp9paFMEDofVp2Y25IVYReGg8T1Qi/kTcZzfzGfSpEwnQBB/ZCW6gNYhMK3shfB8DxKy6+romVXm1K+/0yUmwsCM8xC5zJX0GsO8Uu63YFrW/Y2E6aYZfBHdIgfy4lYOFKC2o0ixirw9EO8HyfsDt47QYB970vLPjYZfKNAZBgltbV3KPsOHxmgiZbTbAl0cb9zRc+jV2voH9T5VhFiUWdfaLBY1HUAVAjU7h62uZoCsi1HWyAroEROKS96npTD+3/vHehYuEGBf1IxYnLwHnKeqsr/Bqoukf3OecOH2EkMTTFQ7E0k9s0keRypoHmeYIh2a3dRcaXXbNEgiAMfabhgUh1NNcYKSZhcIekN8WN8azXjbVIrfEakJ8S+PUf5fJdspN/3Ppm06fDLv7yLHnLc8Eae2COOR8vYKIo3Onu4doxNjisfpHujLXYaCGhWpINEGWF7fkeC1B7,iv:v9MxvhcHg+P00UnOWujSgVlMNcOnDm/gK8kNcN54E2E=,tag:XnPMzsDeGJMt9yv6GnFzqg==,type:str]",
+	"data": "ENC[AES256_GCM,data:sfFILq+nY2tqP2aHjJZqUZMdk+qQXSsL72ubGsu/U5G8ULqXcq73d69Op1M8ARfLgOrzoBfzyjcxFMUZiVxoSHevEtqoRBq0Yol6S+3m8vXbW6k/4tj7vRTCsnuxEbGgX2MCbpfb8GChkX2xy5ZKdOWTyXNGWIIAOkHj9NAfnKz2ppY8tFPcQseOtfbI7o/MiFtaMzI6HTpbgBqhifJHLvJyIjsFH1ZecyYjYtL6682isMGZwywUdzaE7dH4m8+sFztHiliJaCM/gID+Kl4GsWlIqZuJmCi3Ac6czCCnLf2fXk53YLXawjwkQmNWjSkOVYI5yybonySSzmyjCfB15487E/ScNlG/Cc0GesoaxkJQpgys3rjuyIUwBKhfHa0qsEd5XkUFKemlB3uQTNfst6CQ1WzZYagIGwTM4zB8HjsjG2hRX6Jck7kS+5eQAoxToe5Z/bDGworUYWRhm5To7bbWn6w2AZ0FjWsb/h2lGy3rgCpjtaaKLAcG7kzbXyUW3crjLg0NR7REKYQf/ZLDGs7a0zYiDfGHyh9+krNiZ7c4dAlCh0lwUJuWSLP3VBPlcLqvSoOg8rRvoJwmIwh9rCCuKxhhGHwwL4SiE10Gw+5rajHNfj+ZnjvVXmFdpZRQW73FF8ThVexKu0qtCmzGik8R7wIhI5AW3Pj1wBURftl+jd3vRZkU9isCE3CZit0L536ZJwawoAZ0eU5tYkRjI/7iHXAbyLEILspSdrHDneRiVLh/IYXv6BEtlZFXwQMtPRPAwx9F8JG0zG9iX4Yy,iv:js4R7cAoIFGCgURc2WyiqRwfqLLBKNWCEEAlsRYdUeA=,tag:NZD44GRRgt7B7U2oDBDjyg==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1ZPZFUxRTh0QjB6UDJ4\nOFd2c2lFejhHck5UdUxVbmFFbVRYNEJaSzJZCkNxbndVVThObDkxUmx2WW9ESzhh\na2o0LzFCbWdJVlRIV00rTVUwTktoek0KLS0tIC9qalVvZmpGQXZsV3RIYWRPbmRY\nam80NkRkT2l0ak8wV3pTSW9kSC9nZ3cKCH8eEMmku6WMliEDdAiW2Lk1jAGH9SoP\nWQ5Y6e90jEnp8XbGE7KYiG+jy5fHSc6Y5/YyMmi/b9bF9AhmRT6rdw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-28T10:50:22Z",
+		"lastmodified": "2025-12-25T00:58:02Z",
-		"mac": "ENC[AES256_GCM,data:lwkkp8YSzX8NM7E65kmPpF/q9Vn+FnCTeePLswDH6AVgndo/7QOy0GtJeXmiwt2YsA4AhRqxexWl2R8tjEysP35pyfQJ4vEkVi+V2tEnoLgftriNJzpoeVuRNXLxTPhPezOZgAcTDDL4yyqJXpcFj0PE1DPHKxazT28BoilaBYE=,iv:3dcAqkw/y6rAPL8wb5iewz37S4xszYFGHxvQiQ98sLk=,tag:SEmbptei6GrTXXyb7zwrIg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:AVZqvJDOcRyUKkxxN3QkxFDiPgB7R/yI5cSGrsgZS/T+rcyi9db9fYhS60c7egLpYmO1ieBk59wwykCAP5TdTQoPXm/+O24MCXquEYuY9CR4YjYno/dBnbCWtKvIB7vs/yIyVfKBW4VQYSbnH/LpBSB6RJ0ivLU9S8hrmrgTkDw=,iv:pSbmaXMW7hqxxTNS7n9vDlVlO7zE3rqHnDAP0XaC5xw=,tag:jH1qSjGWX8bwKSk/MFmDQw==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-11-23T15:25:41Z",

hosts/nixos/x86_64-linux/eagleland/secrets/secrets.yaml

@@ -1,9 +1,11 @@
+wireguard-private-key: ENC[AES256_GCM,data:grHYayd0/og7SZhnkemUE9NySA8M2Pev5C/GgXH/UMnRXJLDQiJameGMZuQ=,iv:FyJJeDpGu3OqV0YihVUnBNcgHVH4yFOR4KkVxM0qQzU=,tag:MTGgQ+RT5boa85gHNkWBwg==,type:str]
 #ENC[AES256_GCM,data:TeJxdPs=,iv:M76JVBlBfgjjm1SuT/0tG/98FXpkIPpGng4u4F5p07I=,tag:RXAqa2R0HmEOjW0dD1treA==,type:comment]
 #ENC[AES256_GCM,data:YczkPHAlYVsdVPPGyuByxK9wvRVbAuR6rR9rSFjMvMGxg0QUdIa/yo8o0ppe8I2ywwlLSROp3WLJ,iv:ltLRGMLZsOte9jQEi/VW4Diu/Od8kHPbzsmvPqVgLCE=,tag:YbtxLcYhvPZrC+QFfxtMrA==,type:comment]
 acme-dns-token: ENC[AES256_GCM,data:5U/74jeGpQH39kyjuVwLU3WBYk5MrCMZSFouRFRVbB5FhOkiJtqYBA==,iv:f1TgdiVVbAB+580AtQAe8mCXU0WuS9JX7AWukKbDYj4=,tag:Ut0tbtiNcV/NxfStyZA9XA==,type:str]
 #ENC[AES256_GCM,data:dZiEtGPKsbsd9g==,iv:lNgXQHx/w7pm3EUTBwyFnqv2j0T7zQ59nFLom8F0hQ8=,tag:1cF89QMfjipYZgfl08qSOA==,type:comment]
 user1-hashed-pw: ENC[AES256_GCM,data:uPyDpGOVIqE6cCyvhXIM6v8sTqEx9dV96oqMYS7fRMLiR0kYlCmgNBEeDFmTNRskqwW/WGXrOBn555ZH,iv:KbHW2mOGzOw4t9aOrKLOIobkUNLWj69dk7fFuy1x3aQ=,tag:51+qAavIiM6K256MkhBaZw==,type:str]
-user2-hashed-pw: ENC[AES256_GCM,data:+BES2HwH+Jj6wl7MVzsdmPGxp6AuiPLx+XuOpJClksm9SlbAyqATAHeNokAHmj7yLS79rJF5C3YBBtT4,iv:bSX0PLcriKal3eir24DTyePfropgVhh83U0JdR6/2Cs=,tag:TiSKjApnJg3di+77vV9l6Q==,type:str]
+#ENC[AES256_GCM,data:brmNZZpgXixukd/wVGB+aedAR69Lw97B/vJIJndX6gSZXmv85ioXOE+INhdXFzCjUA2FDZlWOVmBLbtWSsgF9bqV/4WTBOwk8Cy4fInU,iv:x1aYveoBXS48OodS+4MtW74oUdCS9EFdaFZBgpmmfSU=,tag:FlGm89rFi5ZLoRq8Uxnpbg==,type:comment]
+user2-hashed-pw: ENC[AES256_GCM,data:B2gK16sr8GqnngSyhG3vdGb9x8M3j0A/KDF6Vak+ZHO8hOsFAriKHnHEyvcJCE9p6oi+9cqPzcbL6VT7gYQf3KJrid+Ejzl4EQ==,iv:PVG04/i7xAokvcjcedXOEYuTwfdt0Jofev0Eit9kD+8=,tag:zCV4JPQHRArqW48lkhCzfw==,type:str]
 user3-hashed-pw: ENC[AES256_GCM,data:sr7jv7PppT5Ub8VsvipXdZZWTZ31GFscmZ/CcHzYE4vsfIYYHpFElHGMjlbcTSLjyqfVOcXAKNvabcoO,iv:C22sZLrUUc3G80yyYr1snuwqtAa8USZd8FRtua5hllw=,tag:lu0hPo24CXNI2kE7C8g3Eg==,type:str]
 sops:
     age:
@@ -16,8 +18,8 @@ sops:
             SmZrb2xuVW5VVjM0b244U0lkVmlkVGcKin/6A8ONfW72fbQmvJWiNCzAZfGUtxCI
             WV0DaPvO7sO5y7q37QxVUOxgJgF0WpKiNel4Y9E06xbl3TK6jXk2MA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-28T17:45:38Z"
+    lastmodified: "2025-12-25T01:03:31Z"
-    mac: ENC[AES256_GCM,data:dQYfZvGJukraN3/rPbu4JxItMxrsEIY2mkLf3ZWmC+wNZ1qLaI+EuqmLRDicNJqQ9cGljystJvrZouUhJXQNwsg4WNck5+WAfFZ4MRevxbZre+LqFfsFi4of6b65iwRTGIahtiLApNoSI6SfcjCt28i1CIofjuQIEk8LBrBlEys=,iv:fKeo9Ot8sG6qYOBE3gt06VqoYKM1/aXMs/jj9dNNFhs=,tag:sOuhoIO4SBUITo8WfCmwaw==,type:str]
+    mac: ENC[AES256_GCM,data:phjkITBZVZ9Mk0y1FL2dZNgrxyIPbLIXmoTYSlRdHslHg0+hBViLnXAvS0QN/HvsvAldzH8THyACQrXDZQSFBHljIy2wqZr5bu7ByIlRc8FhwNePXNOUs7HH7bQISvFuDWrXl2KQn8OirfJjpIpwQIi5d44pa4Fs1+tpWAg+OiI=,iv:k7brMvP64XV5eNYdm1OJqpjEJ3xEhhfOqErBIG7xMNs=,tag:EhXT3gZrZg2QkYzVCUQKlw==,type:str]
     pgp:
         - created_at: "2025-11-24T12:05:01Z"
           enc: |-

hosts/nixos/x86_64-linux/hintbooth/default.nix

@@ -1,16 +1,33 @@
-{ lib, minimal, ... }:
+{ self, config, lib, minimal, confLib, globals, ... }:
 {
 
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server-home.nix"
+    "${self}/modules/nixos/optional/microvm-host.nix"
   ];
 
+  topology.self = {
+    interfaces = {
+      lan2.physicalConnections = [{ node = "summers"; interface = "eth1"; }];
+      lan3.physicalConnections = [{ node = "summers"; interface = "eth2"; }];
+      lan4.physicalConnections = [{ node = "switch-bedroom"; interface = "eth1"; }];
+      lan5.physicalConnections = [{ node = "switch-livingroom"; interface = "eth1"; }];
+    };
+  };
+
+  globals.general = {
+    homeProxy = config.node.name;
+    routerServer = config.node.name;
+  };
+
   swarselsystems = {
     info = "HUNSN RM02, 8GB RAM";
     flakePath = "/root/.dotfiles";
     isImpermanence = true;
-    isSecureBoot = true;
+    isSecureBoot = false;
     isCrypted = true;
     isBtrfs = true;
     isLinux = true;
@@ -18,19 +35,40 @@
     rootDisk = "/dev/sda";
     swapSize = "8G";
     networkKernelModules = [ "igb" ];
+    withMicroVMs = true;
+    localVLANs = map (name: "${name}") (builtins.attrNames globals.networks.home-lan.vlans);
+    initrdVLAN = "home";
+    server = {
+      wireguard.interfaces = {
+        wgHome = {
+          isServer = true;
+          peers = [
+            "winters"
+            "hintbooth-adguardhome"
+            "hintbooth-nginx"
+          ];
+        };
+      };
+    };
   };
 
 } // lib.optionalAttrs (!minimal) {
 
   swarselprofiles = {
     server = true;
-    router = false;
+    router = true;
   };
 
   swarselmodules = {
     server = {
-      nginx = lib.mkForce false; # we get this from the server profile
+      wireguard = true;
     };
   };
 
+  guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs) (
+    { }
+    // confLib.mkMicrovm "adguardhome"
+    // confLib.mkMicrovm "nginx"
+  );
+
 }

hosts/nixos/x86_64-linux/hintbooth/guests/adguardhome/default.nix

@@ -0,0 +1,43 @@
+{ self, config, lib, minimal, ... }:
+{
+  imports = [
+    "${self}/profiles/nixos/microvm"
+    "${self}/modules/nixos"
+  ];
+
+  swarselsystems = {
+    isMicroVM = true;
+    isImpermanence = true;
+    proxyHost = "twothreetunnel";
+    server = {
+      wireguard.interfaces = {
+        wgHome = {
+          isClient = true;
+          serverName = "hintbooth";
+        };
+        wgProxy = {
+          isClient = true;
+          serverName = "twothreetunnel";
+        };
+      };
+    };
+  };
+
+  globals.general.homeDnsServer = config.node.name;
+
+} // lib.optionalAttrs (!minimal) {
+
+  microvm = {
+    mem = 1024 * 1;
+    vcpu = 1;
+  };
+
+  swarselprofiles = {
+    microvm = true;
+  };
+
+  swarselmodules.server = {
+    adguardhome = true;
+  };
+
+}

hosts/nixos/x86_64-linux/hintbooth/guests/nginx/default.nix

@@ -0,0 +1,60 @@
+{ self, config, lib, minimal, globals, confLib, ... }:
+let
+  inherit (confLib.static) nginxAccessRules;
+in
+{
+  imports = [
+    "${self}/profiles/nixos/microvm"
+    "${self}/modules/nixos"
+  ];
+
+  swarselsystems = {
+    isMicroVM = true;
+    isImpermanence = true;
+    proxyHost = config.node.name;
+    server = {
+      wireguard.interfaces = {
+        wgHome = {
+          isClient = true;
+          serverName = "hintbooth";
+        };
+      };
+    };
+  };
+
+  globals.general.homeWebProxy = config.node.name;
+
+} // lib.optionalAttrs (!minimal) {
+
+  microvm = {
+    mem = 3072 * 1;
+    vcpu = 1;
+  };
+
+  swarselprofiles = {
+    microvm = true;
+  };
+
+  swarselmodules.server = {
+    nginx = true;
+  };
+
+  services.nginx = {
+    upstreams.fritzbox = {
+      servers.${globals.networks.home-lan.hosts.fritzbox.ipv4} = { };
+    };
+    virtualHosts.${globals.services.fritzbox.domain} = {
+      useACMEHost = globals.domains.main;
+      forceSSL = true;
+      acmeRoot = null;
+      locations."/" = {
+        proxyPass = "http://fritzbox";
+        proxyWebsockets = true;
+      };
+      extraConfig = ''
+        proxy_ssl_verify off;
+      '' + nginxAccessRules;
+    };
+  };
+
+}

hosts/nixos/x86_64-linux/hintbooth/secrets/adguardhome/secrets.yaml

@@ -0,0 +1,57 @@
+wireguard-private-key: ENC[AES256_GCM,data:5RdR6CvGBwaklSgiP0kmz/ShroIa1By7ZqgxKrnSGjHRyrzaeWGTuJmqKJM=,iv:D5UmcQkbRs8WVQUA8XpFCwLy8+O4+RoJLWOkHj0H7ss=,tag:feSuK9jW+wLeygqhKHycDw==,type:str]
+sops:
+    age:
+        - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMEM4alliWlBCT3VsbVA5
+            OGt5bmQvZW1TaUNkbWtFdzVGNDNpY0hBOVhzCm84TldYNHBrU01HMlBkbGNwZFAw
+            WVk0T3FycVRHUUNtM1pTYkQ4Qmw3RTgKLS0tIE9LUlNEVjJHOGVIK1RSMmRXUDF6
+            QlRKY1hRVzNTVXhESUd3OElXL2pBZXcKDWYoOzi2b4qeIbCVCfTj0lTW+OfbnsXB
+            8MugCHu7+b+ju0v/lUP66jDW9/2AH4PzHtCNHjsafyzr2qnW8HlOzA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRWJXR2tYdEd4cTZsSi9l
+            Tm1pSC9pek5BakpEMlkwVTcrMlBuVzlXWUVrCmlnV0xJc25nL0twK3VCZ3FRK2x2
+            RW52Q1NxWUhTUGY0NnQ0WEhLMWxIcFUKLS0tIG83eVM0KzdLQ004aDRKNTYvdmVZ
+            d3ZOSStBMFpSU2ZjNWhFRkREQWlUdmcKggVvLy1mLYGf8084RQtlipS4+z4dfPsN
+            HZfid0srwYnezlQ5qOY8/HrDLWHEyuZ4xFZVi4n0k49qBpNwJdmvyQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-02T04:14:03Z"
+    mac: ENC[AES256_GCM,data:aA+oIq31QBla9hOpApaMeP7MFl/hI0kDjC1QyPkmexXuMB2pQJ6bBEmazreX2m2TPtHv1rtVUak7F6TbA+97IFb9EQFuAREi1Ca0xjz2eGVFQKu94qkS/FNemXTAkEZxC9LQ1TRqNXXNITehKUeIN65epuNbWqo+iOW0OHEXm/w=,iv:1NKL2PZBUDyHEIiB2ZpvTdCh9ZO+r8bPyJo+EO1PBmQ=,tag:5W9owm1Z+7O1CGVmH1afUw==,type:str]
+    pgp:
+        - created_at: "2026-01-02T21:12:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTARAAmvkQ9V14f0BT/bNdFVZtTlY4yVon37CX32SZPUcHV7o8
+            Dya0sZd9tuVATSv79TnybscuNx95fkoZJwujBfAadexn2zY8zl1oEWEHx7p+8/mE
+            W8JbQAjbcbX9sNQYXc8kYJylBThmgNN/HXK7CGtgDFr9xnGzDBnDm/M31P1HwYBm
+            IdIQgFGErEt1K3xvw28Lk3tPuZLK3Y+H2Yna7RRF6K1blGJUvEnL6yFdA10/eFW7
+            8066mO26F2l5xFuktK0nNeniLHKa5VVYp8iM+JMhX38l0wiIi8pGyxo3uAjNpa0w
+            IfpCneEBe/yyaUPcWMjXmUG5LJe3kWUup8cSzvu01Z3W159/QsflxIMkIsklqhim
+            B2zuPdAlYsjjS/05DIHInN2IIB/rjADkQvXji1XYLhWJj4jxDeck/UIc6Q22TED+
+            autlbl8d/5sqyO5ghPpShF/s0vMTqUfpXZrDrbuyDFqCfwi0ahP03bUsv20ZEz6u
+            zG3K5HuXHh7ATSppwuMbcv7vcjF1tkbo6XhWZDv0rY0DFWqiYhnxWwlFlGLxf4zX
+            g6r7Ca/E/YXG/eOET6M9DxwHjj0D7u/ryAkCktqPL9w8oNGarZQ/xMx0+ocI3byc
+            Zvzlmd63BtgaGNSxH3stK29KN3ED8cDkG/JzAxCATWiUBBkqW/ga4sGZqtLlSO+F
+            AgwDC9FRLmchgYQBD/9JbFZie25PO2CyELlUWm5SmJcugT9SK/mIA2fe1PlA+Gnf
+            5z9iXraMSQchz4R1IoiixDhubwKeKp/auqhlOPvo58Lsi6iDR/WaLWabD+hcyAb1
+            ck/f/PUzTLhlLcfu18VPfXVzfnky3dX8P5aS0WMLAQblj2RaaiHxnPqf49kXSn3q
+            VSJ0pr0nEsPuWtoCkHUAwAJ8X5GPXN2OD4YbHsNaA9h2vrJAxNd5+HNsvg8JtI88
+            X/uMM7cWcaXcmNZOz166HUIPcJ5cabJ48Sv8sDfMPOcTiJkMiESBnRYTwdUcp08m
+            nGipSrUeW3pVOC1bGyukZb6sF84pTtCpqS+kOSfKFlxFFdAEcpzFIPuOMeo2dbKj
+            GSGPDemZFC2yFq883yk9/mZbgjOUsqrj0ZP3rCD5ZHpfUM5IxGQ+mKaOucTXYmif
+            lrTPMYnAc7pHxKZ87BgiKBYrfRAZvorLYKv8zG8YagAUw8iCtc68YUUdvLW9haQf
+            rwWCU1z+sszYSac7I57gfqICQhMUbs1n9S2Cn0C0xo4q2Lu36ysip4rEVGg6TmUu
+            znXYu+3orodw2TwC0tGxXHYKwmlr7EGnBCbdVKpDoCbV6cYkDYoPUFg0alqIPd5r
+            KCkee9MaCLLX7IdBrbLf1lkHGwSAs81GfZRMLBauM7/hn+hMUeIJnMbtJnVIB9Je
+            AdT2nSH06+POnjvxa2t0dUasnG/6ISBRSk6FgBBZ+pdVlrvaB4javgWGpiAWCUu6
+            b2CMZF3HullmLj+wwAKlsZsIOXGICN5GeQxLHYF8Kx7Doj68Owu/zGM5MS+7XQ==
+            =wYdb
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml

@@ -0,0 +1,57 @@
+wireguard-private-key: ENC[AES256_GCM,data:3T0ZoPAs/OIkhdZlH171d9d2Ycxtp4WfI92pTBI3vRw7BVvEgQZKu5DCvbA=,iv:gsczaGwcI3JocOazMIEsgHFruEKDPxOTUQzx+rdCaio=,tag:/Sw7QsZ4fV+BMWdfcUevBA==,type:str]
+sops:
+    age:
+        - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySStkZDlPL3JYTFlYVXVD
+            VGx0U2xxeDNXcTdwaFZsRWZoblk5eEttZWtNCmJQa3NvUHNwYmFZUG8wMlNxWE8z
+            bkcvNTNhWnozV2Y4Wk1lZmhmMDdEZm8KLS0tIHBkalp0M0NuU3JQQ1FMRmJNQlJX
+            Zlo4akUyVW0yM3FLNG9jQnBHY1BQN2cK48vxR3pPY3LJlTIEx+dy3ZZRfwFyvQGe
+            EuUI7TuLa0ib8JnO287Ay4gp3GH38jtkGcux4yP5Q8eY/M9GNlEK8A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHTmFTbmNBWldmY2FGSThG
+            K1E5b1RTZE5NTll6WkZvbDhxaUk4d2N5bjNBCm04YkxSTE1FdFNFMGNFREtRbFVE
+            MHFuT1VONzUxcVdoK2kvUFRkc2xXbFkKLS0tIERlWE95MXVnVWk2Tk0xdG1EZUIy
+            cEdOaXNUQmt3KzUvZmRJWkpTdVpHdW8Kv64ZWzQbpmINagumpuHXscRf9stxO4Of
+            DSkGxFyLgq7yDg1iaiWy/mwxQZVw5i4ieR2+VDgi6Web2y6t81jayw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-03T05:23:18Z"
+    mac: ENC[AES256_GCM,data:u9N7GzLPDW7cHT4mkUAC9Diq1RdV5iSwcz/fqzXQKRmic09eVydAgyk2g6NbJ+4tBbAjIfeUch8Bhf5eG0sGzeDkb1qWAMEnP8EPmQ64OdRyN2SxJgxkc8KFGxkrGz9slS2ozWth6q/tKBSsOYbo8WDlCqXhmYp+zBxvYFR30Mg=,iv:HC1e2i0E7dV9/au+A0kHd+UXDhw3xf7RbTpwJI+hjpY=,tag:dPCDh9qalNtbHIhs//cBpg==,type:str]
+    pgp:
+        - created_at: "2026-01-04T23:02:15Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTAQ/+OHyevGNQqVV8RMOgLxV7CSBCdzCgRiEyDt8/A2twNG1x
+            8lM5boYrVJowPbqd1EV2hfZ8gl3vvWhGMQdR96J+Mt1PWG/lok/Opf8Sdjl5hzpq
+            5AjNWz8p0NQ0e2UAGDuRXy+tjeMWKox86KVhxA/L3Td4S+jV5W+3zRSkRB7g1eIH
+            NJiyFe+jl29mSSABKk5TclzoB/GoojAkO+8iXsjMZYd3upHyQdriipQKkJJGEaxH
+            8fWBYcFB3H+3nMmwi6bz8xhUpOCpKzRbvwmqWYcendqINvDU/sQxQmxcqgMiluzQ
+            ocHNba+K//ptmtJHeL/8o69ljqk49A9mZ3ukRZZ9htWewv5n5T71majA/lJseGv7
+            tsAuKYTHlSkhOVzXuBnIaGrBgF3mB0ag+9/VIlBXCZpEMdjp3C9GJBUQuxoRSwbX
+            3oREyM97O/rtOo9JaqzqX63S59aHPwt83WH6dp2n2hcXF0tpYff3Esw9Vg3Uq+Fp
+            GCSjb4jFQTu25ZbpiiUaaFib+03Y6gGrnzU7W6460cxd4iZNEPGqE1refsQGYUPC
+            6L7R/mkT0SBtC/8lyOvuIpzYHiAkCqdLbrVTmBHUG+a4fIP16IilIFBh8haVKqY0
+            pgBDyLZDVwLzslp3AK+7pusU8STqCazFISe5GPQswwjwo+J3URmQKbCNHXVRyb2F
+            AgwDC9FRLmchgYQBD/94rHN8+Rqod5qxDxa0JR2ZYKSUBdzkkEqYnjp0efn/dY8x
+            m0WUQZEy+L4ZeAmFFL/mQ/Mxk7EW2Vghwy8j8tGTogJtVS7e0GYirKAHr6fgxxpa
+            5BoaUSK75xybQTzWe/CETfpRlDEFmYt/hwMldfCHXwnqZxXNVHj1MN2kVNFbPfwo
+            Ml8RYG8ZllyOVAVgXGsV6kiJp7jKblpuKCDQPkdbE1hFBed0SKW7olUtuBE4ho7Y
+            J1g1gXOAqAWud+crA21bA7Uow7ZYaC0/WzTY2PrgAuS6kpVx52uUj0xqMfK+/Cco
+            r+KFHleJL4b8pIsImsExJv6rDKFohC7E5n5XxLLorTXB6YYie8FkpvmbWK03j+hj
+            Q7xwFLKWYLlPGtdhe+YpL9yiwHWaQbGUjarVH0UAZgSwJCt1cZoiL6++dp1USb3N
+            aV9HS0Milhbseas9YjiSoVvBXrDYEnjShJ7uWOu3Rbh4hx7jvJijLPrPcd7cym+A
+            tjaxFFeD0mTEj1JcjVMk3fEN0wj++oY/l+piVvYvZWvMscq83Sb6CxxDprVw8xt0
+            sECqmgT0yVZrbDNpANwyWMXaHs5SZm5LaW7uDIcr0egkVA6Abn6twaR12660ptjm
+            mcv5K+ubzRomwxgzr/5NcwSg/k8qZ3WMfV/yuNsKIkHK2UI0y49SuBuCGGa1wtJe
+            AenE+Zn4xyF6cpEFXNKNXFDCy2fgHQrdiQ7XawrFAPJupn1JbGXg1gBN7yQI4YW+
+            BuVCb07GtuU/faiT7cIxUQ1nhc1alSE/edfqAPAPqxA/MXhoC7xT9vFmvUPAuw==
+            =moK4
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc

@@ -1,18 +1,18 @@
 {
-	"data": "ENC[AES256_GCM,data:trvZ+abrf69YhdmIQ1ekgDW82PtPnJkC5bfvh6lABb1BBkPWZk8Ds7Ug4CtulspitB/Spwd0ksGHSuEpk7Xg9V+5O9nm4/8JWWh7EF4qKWeRiwqj/dpfHTtTQPOzywHQFwLg6EWS3wSwUu60dZqJ8f36rvr+KAZc71jZayZmm3TIpeDaMsCAyO+TrfzeKM8AYN4uUVr30raquNjd2XzGgufE3FFCQdo4yhvzVGHGq0+wrZGr,iv:Yx4RkCBSkB4gK1dnMGudPwPP6moR4/7ovDZ77f1WL9o=,tag:9tTUU6ax2K2CqKjxHn2ZaQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:jaTRcoqOd3SNxwmzAcsqWyuvhYO0YipQPH2K2SM5OxhWWlUHTWQXqXmuAy0+efNnZlC8xqUWIoU//XXzUq/b7Lhi9bv9WyP7aHLOQNLFZ50Rt3b7yidFA/mxcRo2ZuGUR9mGoP8e1VtiQVVuzZQbJWqTCKtxb8s1f35aZx6NjaqeBFogfhHPwsVPL0lWdaxW2aYj/iwWb65xaxhcXa5mWpYgzfvuTXCkABFhrPxYG+NZpCyG7lt8MWpJ3yYWE0OEr/1Fe0TNfBjp7cih1wvMGIBj9uZRoJWkVwn6T+nldf52WpHCRZCdLhsjXCzM5T0g6Jj1HHatiISYZY3KLVAYKj63nSS3GkHk+BfoiAnJROcE2Aak0w7Op2csbNrNz807kU0x1A3ccbc50PKOGPFAh3JaJJUc0K+pGaIZ+FJhpIT8UyfQ7/YA7CDIvQObI9X7idsWPeuU3YN8VifgsGPznLWHyIgaUW7QmUtH1+KJdO0lo68C13FFnzEoMUroxMoUdS9Bvo1ncC9cITOr3Iuvb9nWQyg+wemyTJ5AOIx7dBh81PxMBYJ3JOTmxiO8LZapyqSbNhcbpo/3Q3s8J2DhIzgR2Ty7EI2tFxoGbzvpzBpWf/c7/rWWO67YDCfmB618w31Phes0/TTK2gxjviH917Q=,iv:M+S2woApVJAglQmvr0X1ZNvezNNl/nvxKjADWWXLiGY=,tag:CT4zP0qyJtbWCBJqqS7F5w==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x",
+				"recipient": "age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VHAxaWdiV1VlWEY2UktF\ncE96UHJnWGNpY0ZFUmZVSi9xSXpBMmI2S1VFCjB6cWtDTTJrNFhZRC9yUHRYdUpS\naytwOUJ4NTRxTmJmc0R0Wmh5dFVKbzQKLS0tIHQ2NUtqRjh6MVF6VHJFSHVFTFFD\nNWh0MDVjekFDUWZvTUZNK0Z4M0lJbVEKGZk1BvZsNTkIor5rTcpi2UE4W/BqNMWU\nIAe3irNN6p1si2zebrCEyiaJYuaVn7uYVwXcscJlNTfkr9szm8TjSA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXc3VHa0p2MVdIdHRrbEVi\ndUwxMXA3cFpDODA0Z0MyUC9aemF4U2RXeUhrCmZjSDBLZ0twRk5rZG16blorQVVZ\nRE5SNE51bGlhYTVqcThFUVIvTWxwOW8KLS0tIEVHZ3Z6VVZHK2FUQWZQNVlOTkpL\nYUpNUSsyQllQL0lUa0FaODZiSjBDSk0KSJHdYoiOuma7YFjLpssAgw8BfBo5tl+o\nRvNt9rsXUlXEwMlcmYpkgUlsSAJnus+uE9AdBSvTyFRb9Wo696YFRg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-23T18:19:50Z",
+		"lastmodified": "2025-12-23T09:27:50Z",
-		"mac": "ENC[AES256_GCM,data:IA71SHchjrqqU5tRlJ4Ozgx2rRxhKE42CsC7ygBLdAZcyZs+7iMpskYejIue8+JXto7zJxe38UbolnLOaTkHzSVGJkKMYQQQ/sXoDtaWlsYTN648ug4zAbgN1neifNnG+756abcg9NEuJRXBhXDzqmAecHkzv6U0HW9LHPO9W1s=,iv:dEiu6FnSqALXDOtpCZ3FiQ8D6GU0FjQAFA12SPaSIAY=,tag:/SXghsNzu8ceOQk/2w8e7w==,type:str]",
+		"mac": "ENC[AES256_GCM,data:fuYSElvGFbFIdkQaTwNuXqaXxMuOmpT8moN9m/Yl+6u3e0sU9AMJLK95Azl0xffjScc79PAPXitILrK7gUwUdo4PvTpQo14IoSCzIQ4lcJFlrWXgn9dPFrc97iooMtBMk4hWmTzYL1mHkT/ab7NP3aE7j81N4HJcYwZqzVkdXaI=,iv:hpkTsdwJ+N/NVHEM5LdXC1iwZXT77OwZ+fM9mu3l3Bc=,tag:dxv4T9x9q8g8m5Imcurnag==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-11-11T17:51:27Z",
+				"created_at": "2025-12-15T22:09:23Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cwoYXkjChyIyDP0dmqquRMAv7AsLz2IVVKcdGzqKWR/z\nx7owbhfGFaNCU/x8TWs3mUFBNnLIUQmuSWUuI30VMmFVjXQ9sybCZUCk5oFLD53+\nVPPb/KsAO06it8T0NxAlsXqe7n9fz1P16mFpMx8N1yb5s+GYG/C3UGATwJTJQn8+\nwob0NHfN/6qsZP5PzMgKlUiqc3YF+eB71KTHNDmT3l5sGsoNi0erZwNZc4VA0zn8\nPsFYodW9Mya1XUanJvrYKo9eRfrlpaUKGzn6GVlMJsZU0gNpKZepMubbev3+B1GR\nn6V+ViYWd8U9UTatuHy+aRcwEZfpXq7uKTTTdihECjNkHYSfXmUF9mjq6u5U0Lck\nykhElFADx+YEBJuavQabvYGu8fJx9DfJseNVwIv0M6hqLdg2CNMUQ1l1Q9weizeZ\nxLjme1LTlCUinJGN07CE0J9qP8syWRJYD9seP9Qc/b1IY2D8dGdgOTzO8Fx8vI+M\nOV+Q3T0Chn/f0lw2Xzu40MphB3eamt5cq0JeLQuwQHjUml0rGpi7bIj8PxeAgMkX\nXFzSokYTHGRJz2UblLnITfMaVYcu9HYHXxXIsZliaRBs2AlscyCCSQFjnEAEywlo\n9kvh49sjWztb0yGqHRAxdmJ+Sm5fCqP0huaTMXkC3zy4h0oeJte36Us0VxKk1HqF\nAgwDC9FRLmchgYQBD/oCYXtBTr276kjOMWs3WqDYMLUDbWM8d6b86HYgYvtwQy0z\nXgASNtWQsMMyIEiReSqv2H9jtTTqbUK93ALW2X7GmEvUIvmW64g1AfHKhmPw//Li\nKMxtK6sFVS/WSEYoaZarkZDwOpNx3+BnriQEHiMi21vWxCqluZFSDdls0ca2oXvF\nK9GpBUD8v5+l2EWhq5+4nxHKrDx0g+mjtZPJPRsJ1u0tisdkhRXauOvRHEymZ3mX\nRTee3FNR1t6YpXY811lX9yemXkdsSB4pzKWNQgk6U7WDkGcVaGNw0R8pS7F3YnRE\nFSJhKnhb9Bd6CX/zEV+IwEgY1yPfiEMX0bvIrcEJYgUg618YQbQPushxVk10+c66\nZJ+99g06tdyt+u8E9GpoujnoRjRWsEqElkZntd66fPuDm99qx+RHlF/1Likp/nPL\n4oIknDJu8wwoIBCtoQcWyaiNCa0Fo/HR6txyOt6tTqpwhnDGJP9UfYlKWt07CFar\nQLgZfJbHhetjXoRHMAs+WargN8KV7QGMGbQdPE+VwlZI4bKRSipH+rdDn+v50FQG\ndvFd7WRnWmTaG2W3cOLFH4pWc2MPnnxj0IHDI3U9olcCyuWAF12yC1HYuFuWeG+K\nokxmS1T1E0jIP9u8NTJBmLdjC+6U5y1ZvSZlIWB12OzBEpP7jl8uOVbD/AR4GtJe\nAf4EdsxTBocS50aRxxAOq5t3kaoTu36n1dbGDfb8k10bsBiQb6zJ+xtNQgWxNEeO\nb6YGIyglD06Wmm6C5LOyQ46KIzuFXB8irMJexApopLwIZ+jCnn0Nb1mO6DXHUw==\n=kTmR\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAqmY5oZvXtdqhGl8COqgT8PIzArT5A8HbFwrG8Sz269wi\n7naQrwQnn3jugsUsaCQUHNBICe0xR0RO49e7YnuRN4WWaC7gdn4K9PDmTc5HLJQy\nzlVhvmrZhTHI94C1mLF0032idDgw+bvAb8a05pEuG6czghz1a7e+EMkskScRTlaI\nWKVhZ13vuXfo7dv4zL2SmP2crdrCk1gMJg3UYBBhcz3ql7qDVqV2B8MLgPtsTQIV\nDSktLAuuQTPwGke0wb7ajbea88CkGGTdDSB0NdXG6O/cskSULRxw6TtmCgL42Vqp\nnBbKfnK28y5ZXl9vLPZsLDM+T/E0qdR1nYloxL0kV0D/ESwX4dSyyRYglt9yZmAS\n2N4+7rpL0UwcmiWi/iQbOzZARVEREUlnTnX/5URFks4sQayL5Mk8gHMt/aCBvlPJ\nLWdp6owZVf8XM9e72TXOu+1NvXz0UxIC/sYObMReRQmkNf05r1nt8J71TOmtyEv7\noIURLjgeShNK7PbUoIIDe23xWiNuyEATXmw/MARbc/HSu3bHlUZO+Lx7LrQaQ8aI\n8yZC00WZDgsuOKIyPMNMWhvQOjP5bdLSdbLdtAqz2+d0hUw0PlIHXk4dOqOrkiai\nGjjgGG4OKrenkMDEPFKPW9zKvZbklglGI8mjZTFYwXIi7oILqI4AXcuHXHrFZSeF\nAgwDC9FRLmchgYQBD/wISMziWFXVsP3SRpgOO7WZY9extkRQZJd8veeHzhKPShfR\niIdON6j0SvGaKLb2zhyIIsxvb0HVrExysLyqLWyUvDMobS935jCNmHb5yo+FKMNz\nrZCxzt6vurRR9Cd3K9Z0RJkPrBQ/FyJQHQR2WMTlqXg/kXobR8ob3ix9pSh3/9L3\n3HVBvrOA8eXbajwGg/8FYmimO8zuckO5BYHdVTsHb4MpdcEINpxhBgO/STyUoKfC\nAg+IW1wW0YxQl1rlmuMkcYRFAOUE1zTrxSsA4UuhdyQ8UYF5LozM6qzNFXZYbH/W\nelKZUIUe96Ap+fXwsu4hgYoVUMzVyTO0C3ZqSqzrZmFHC5CR1EcnRowU1IAUNsGT\nmpUD4SKu9aqenr1kTxsDi0kd6i5XXHEXSQdKRgZd25ov/Q++MlDrkEp+/qK4S1wl\nZvXprBBx0aHhnIMtSV2hLgh1CVaMnaWQYn0rSjR7P4p0dd5pSfR8j4aJfn+ErN2q\nRlOpy9/r2n3yLs3lQ+GML3f2KMAlVaxY0UEu2muZQI5cjKvs/MjGVmcDeo8B50oo\nlF6SBdIMssR57D2J99aivmS3VDvyTg5ha9pvpQRDWA+LQYcDvkvRITVF4kOMeQ3t\noUF1C0ndRcr9k9fRJ95QicjpVHBj9soceYd3OgtgZJ+AX/0B3gkmejYyF/jAwdJc\nAWgbKZlvBzB2Hx+c0U30K91HjI+tpVH1ivEAAh+ogbLH3Ox2doUVis7syE4AMfoe\nCCC2K+2ODEYHdJxo4g5DtcTpZL3Xla0sdlSxn8OeIuJkuvMl3oxRI0Jr4rw=\n=2r0D\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml

@@ -0,0 +1,51 @@
+wireguard-private-key: ENC[AES256_GCM,data:DBCK92h8mGxDshB5OIEbyUENc6a4jmvzKPvljUn50AM1I5vBm/bSTDRStIM=,iv:K/OiPnAlXNt3RqBiBiiZqIY8vqsIw0kmKE+aeeVhr+Q=,tag:eloCJ7yjI2tpHMxwNxZDDw==,type:str]
+#ENC[AES256_GCM,data:3lP1BqtvBwyeOvq4K5HTaQ==,iv:j1xenUUIkyJDaeLlX7LGhjFdhNlfTXF6r6v2+XbJlOU=,tag:TsGKu6VfF6D8I2p4kb63/A==,type:comment]
+#ENC[AES256_GCM,data:LItVBIEQVz0x8ZARRlMVRPa0vdEe1Kv0CZaEnauUWw3P+NZv6WZkXw0SjuW+k9oqlDOTPR6gQ0Aa4GoX51NRFFmtlCVU0YL/RmdfrC6nkSea2S5btXCG4pptSusmQx42Rn+RfttcLDIXBAOIDSA/kKiBYvDhsZe0XOHAzj7jTAshSeGlccEOUIs8SctS8b13OAiSs4ceuMRPz6J45f6RVKG6COgiUEav5U6RFa1ZOLv8A/EFsqOsEZ45aYqngLM0/7gZ5Wqwpft8a+7dLRmakUjTOxH+wtVn6CV7wItUJAoz6BjLR/jtDr9EUm/QesZSHhuxs3eu0iXPXzaQgUt5Qz2knxSvzsEKYUx5bPsNBSb4uWgG3b/vKzPUKKYP5CrOwvPxsqI=,iv:z1YrJmuMaiiQpAc8ajoa7A1GH5Z2D2holm3lBCiBqOU=,tag:ghl+1BN9Tyxpwr9KXre5jw==,type:comment]
+firezone-gateway-token: ENC[AES256_GCM,data:3vFtknbuAKk4syzNMDBWZegqyjDQWWPYXVJOs40cnEgAYnOWF2svt4mg3ueRH6b3j5E0Mrkv1PJIch5yxu9FYjfcx+jlsrqneJQrHGX3LDcW5JFOwP6H4nb2Oo8Q8BtpbpOdxAdUeFoLjRSFYy3DGzDatLG9CN3AinhIuxrTGM9Dfxvfn5ahkZ/LPLNRsKj6822C6dxSISW5QSGz+I2woyKzVd9hYoyeHzj5PB2WeaP4ty6bdQRwtA22i15ODpjMDt+AwPL9Wv+tzcv8StDpawbLrJ+0vAh8uRrIjka/W731WkAIWsgMr4mDt0dw99VgJ3mixbXEOdQRidVCeDTXwb9N17RQr5Z5pcjWqGU=,iv:+zbkWWlR0FAFIFB73TXuUwhyuhiVzaEhPeYBkJXfbmY=,tag:8NZbeFLv0FiRDVZJtmLmgQ==,type:str]
+sops:
+    age:
+        - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTzZxNUdxbWUzbkp5eDE4
+            a3NGaWwrRXZxaXRvTmJjQUZHZU5wY3FpTTNrCmNxN21hU0dBd2piZUNCNndNaUNo
+            K252RGYyWVpXanZiVGMveXRnc0ViOFEKLS0tIFQ1T0dXUjlYdUNOcXJYZzA2YmtN
+            YWlkK0xrclpXYTkxUXFiNGMxU1NnMGcKCZzLfTPjeeGxyD43dOGDYsQVsw24cyHI
+            jz0B9VV07p33OP448eLyLgwpVFaNG0q+hXPH+0fb3V3foBT2QSeuPA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-31T22:06:39Z"
+    mac: ENC[AES256_GCM,data:BXX6xL5AJ9Ar4le429W86bkCRQkPWiYbJxd+xvp3xfy/T0MptAMsOB7K7dJrtokdXBKK3iPxapgPZCVCSBT49Sj9X2e7wWCJq+olcNTmojMZBtgsDjHgg2rbl8jY7mKeAlGRiImc5iIengJP0cwxF2zplUkZeQmJzXE0+4P8R6c=,iv:63xUQfIl2gpDONSJUrADsRxeSFtBs3h8e8LQs8eQxEE=,tag:vQgKvv8AuW+oEh7dimPhPg==,type:str]
+    pgp:
+        - created_at: "2025-12-22T08:56:58Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTAQ/9E8KBoKOUyeIflZzmSriaoQ2/I0EnqKd9cLLFyqFFd4Gp
+            ZyOfaTqQE9/NWOG3KkG3iuHyCEdHjP14QolJDPPfuqjVnIkc0hKJ/TqwWb5OXurZ
+            hbkFZEYtuGWXGNugL0T/BnSUqXhd5sFBJueZD0LU7xBsmaDqMFlY//iheNEgq0RA
+            a3HeQL9gH4d1eUPje9XfcJ+onj9yYgejQ905ZIOAyrYTLVjnSc9HKJ3kz+rpin1J
+            2JHULBZEzigNiFXE2XmAatIM6PNBVJ21VL7CEPTt/qauRVHLsrz4PKcR/VMTzwJ/
+            A0hdMrYbYRKOL0rHDYyjpoeuKsUDNV0Gi//WQDXN9DGMREG5P4PH7+yPBcc+vgLK
+            E7B6RJcUFyuRh/n/KPGzKk1KX3KOQMjIKUaUGy7Ru91K8rG+/EH1ker6csDpe2aY
+            bYjtPnjiIvd/dR++JLALQJfCuFC6pUhGAC71Bchr4U2Rg+s9pRZBOYco7pJMJubd
+            rkt61MYFNpcZkyQ9mYAVCd13JcmoTsAtwmUkdU098tfCVA8sMRgFF1f2DK8iyRrq
+            jfh6pX1/UqFtOug8hElBJHMQkl9eAKla6COQeGtZC3LkxkKhkNLTcMLf4I5Tzf8o
+            ftxFw1eW4174Psg9vo+/T1zcOYQTVIUfnlPuK/oiCJIAWZ2U92HnCa9pwQe8nkSF
+            AgwDC9FRLmchgYQBD/4lFaFk9tlyBnTWY5yWJmpcV1gPSwLyeMnax/89/Nnixu1/
+            205CvMGEReFEQ4CDTp+WXwp7DA3PKqhg/hEq/x9cmH0kAkQg1n9QoJcd2UzDadfp
+            89ABsW5fBZJSLdHn3P06VIihe516GnsDA/KL88PdkYXpElgfqWXC8g2URKW6QeO5
+            j/XzOXDiMdO2+K37NcbwSQsMd0pc2BAJ4mmjvjm0aZe6ddF1917WYFkOZi09clNh
+            iYW8Vk4hmOkGqEO3zNjQkzZ6Ra9Cm4qr1BG7k+n4sxuwoae2T14/DlCSYh/llSTw
+            N25tWEeXeaAtQgVwoWYLrmSdCKYtxyACPrt6uEYaGE7wbXgBgCX91HuznlHiUvnG
+            uagiFMxr0x4G2Q+C8OuptKBneBcR6a21q3HaGdl/99F3fM7C2bvzv2y+ZScBP6fH
+            LvZjF/r3qrLONCqtaQ4Kw9LPzow8wMkCkshC7K0KNRq10ww7s9kbY8io4+QVLv3p
+            ZHbN+U+9BheVOAF8uX8V+OQfeFdp0VTbPZa7v1mLdbjshPNi7SEhlCjrtB8yqRtd
+            cl2tinqfWAosYt0xdUmH9uoY7bz9+BKIZ6FVl1huP2DEa5JAjnVItyLG+n2GpIqN
+            1SBaC/OCbJFawPmZgaWou+kxpLr7hu6kmPdCcdtHa4TYuanLkOTk0r0mztzhjNJe
+            Af5UVQLJJ7tduvLAB+vh/z91qgv0ftVDq4Kkr7Ma37OYAx4VzuHwEXNLKu2C6CwE
+            M7sp4ZglesyABMbOEhwxqg/kCYGS76kThwkrJfrgf82FgnMdUyYCMhhgy6iFow==
+            =izPI
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/nixos/x86_64-linux/hotel/default.nix

@@ -16,6 +16,8 @@ in
     WLR_RENDERER_ALLOW_SOFTWARE = 1;
   };
 
+  topology.self.interfaces."demo host" = { };
+
   services.qemuGuest.enable = true;
 
   boot = {

hosts/nixos/x86_64-linux/pyramid/default.nix

@@ -21,6 +21,14 @@ in
 
   ];
 
+  topology.self = {
+    interfaces = {
+      eth1.network = lib.mkForce "home";
+      wifi = { };
+      fritz-wg.network = "fritz-wg";
+    };
+  };
+
   swarselsystems = {
     lowResolution = "1280x800";
     highResolution = "2560x1600";
@@ -56,7 +64,7 @@ in
         main = {
           # name = "BOE 0x0BC9 Unknown";
           name = "BOE 0x0BC9";
-          mode = "2560x1600"; # TEMPLATE
+          mode = "2560x1600";
           scale = "1";
           position = "2560,0";
           workspace = "15:L";
@@ -69,4 +77,9 @@ in
   swarselprofiles = {
     personal = true;
   };
+
+  # networking.nftables = {
+  #   enable = lib.mkForce false;
+  #   firewall.enable = lib.mkForce false;
+  # };
 }

hosts/nixos/x86_64-linux/pyramid/disk-config.nix

@@ -75,6 +75,7 @@
   fileSystems = {
     "/persist".neededForBoot = true;
     "/home".neededForBoot = true;
+    "/".neededForBoot = true; # this is ok because this is not a impermanence host
     "/var/log".neededForBoot = true;
   };
 }

hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc

@@ -3,20 +3,16 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy",
+				"recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjb21CZ0tQZlNKZkxKMGEz\nUlpMV3lSa1h5TXFNaEpvbWp3ZzZsMUFLd2hnCm9xQlo5Q3RsdW1tSFMxZjVKbjhM\nLzBaS3E1Z0lSQ2lQZEhtclBocE9CcXMKLS0tIHpaYjFIVVRWc2QyQ3hDWmNPODJR\nOFpPQlcwOERMYzhWV3J4ZmpIVUFXcGMKq/CmiIaBFfcx9Muj5LaTQ//ELHmC6WSG\ncJWyfZfrKcPDlXrz7+o9qufLogw3VIkCsTghqsbK6HOKGC5/FbnGSg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTXhHajBUQnY4MzJuTW5u\nME4vWHJrRCtQMWhWQ1pvU3h1UWVielFQSFFRCkl2RmpTRDh5Z3Q5UWcwS3RCVHds\nM05GNi8vNnpwS3FZcDBGWVdlZEdyVEUKLS0tIEM1SWdtZGV4QjhpaktRNkw0NDl1\neWlYN0tDMUhsWG1OSm9xWlM2VWJKcXcKa9aySsFOXPdwkmrmFc6X+WZT67vcuJf0\ndd1soIklu7xRuNpGKMuZbNKKgyRZnGrcUZUwwGIlJ2KRDag2risOXw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z2tONmQxTUhZUW12Z2Jm\nUnoxSnpYcnZDNGNzSko1ckl2RDh3NG1VS2dFCmIwUXhmSk1OUk02S0JPVDR5UWJ4\na0gwWlg0V005ZWxYa29PZ0laS2VqM0kKLS0tIHN5SU9pQ090eHljeXJGWm5hRFQ4\nZ001Nzkyb29RYkNUMDNDNlo4YnVQeTQK34bNIBgxId2+DHKQNVV3Iro3KGkE03Sp\niB1+dADT6nRvGvoyPqnLq/NYfw7eQ6XqYt55zkdCta8v6L1UNUkw8g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-10-21T19:32:24Z",
 		"mac": "ENC[AES256_GCM,data:wM862FQH/qX/abuD+krJOazli9Ci5GrpLtdcnzFgKCeNdjA2cfZ8M3DyzsBwMXjp6HxBHLyO7QXGcQkx3kIKGnRhEBuQzVOtrZhqcDi2Ho8iBV8Dh4xkhcpBYufw7xP8hGWg6ZVZ4JyM3P4NfAdxbfWTdc1VMStAafJ2SZ3pAYI=,iv:tDAKNe8LV40hRCqKzN6j6B71IV81SnrBgerxGPzU4Zk=,tag:7ZsST8pl9TjMog0dNKcUcA==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-06-14T22:31:01Z",
+				"created_at": "2025-12-02T14:58:23Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAA3TBZeXf6RLph9szeqCtmoXyXDMS1l7NRjhmM85YyxcRo\nTuJQrXA8gmIAen7iVjO/FnndAqd86ddCirpBr/aEKtB9v7Poxx6A/kubV2/EurY7\ngbjWsvY/x6Cqv8IMCTkVdolZNOIYlw4bK3RqERoeWXnvCEXVK2c8fqxmcVoNv6yR\n5leIyApzs7dihbdhK+8nTunIMFJSfP+HQY/wgyowgp3cFVjPe+eTUk8T1xkrir7+\ngfddOHNKnbQWpZRBVj2NE/0dwcKX/rxPHU1sCxOg1TW05jTxavsf8x1+2ST5VLI8\nvttzB8H58OMpDZ1xgoMN7SGSWdTN7BgNcLG4rsGb/GW4+2bxJQ3hS+4aTa59ugXG\nGpqY4ooUopRyOh/hE9xqZ4CXy7IEAGbiBKnwJH+CFlXNygPSURoz9wCH5sgqQ1eA\nGfHrXcGNe2flx9gHZ3g2FUKeORs45CFQLxn2HDSuzVqn9nZfWUFddk9v7G4jSsRg\ntVrSevOXTSFzaSQr5GTQocQILG8HHkg67gKXWMNnk5CiUMVojTljcCej1F5s4Lwg\nljTfTWJMUXfD3Djc2Ap/L+PfxO/Zr0Z5glAndSFQB7aijFaQOR+TVQznRNv90UOk\nwQdF6XANcFMiK3yKQ3xZ6d7lXNTCPlLi5ngakpXhMM1lP0/xFuMWB15IL4yA1FmF\nAgwDC9FRLmchgYQBEADAz9QQ92i1rObvnk3utRhxqizU1SIKhZHEzkdJ+M/9AUQl\nDqj4ge191QMWlEh9jo5ln1abxfVMEjDbomtniPsM5kxPw9qK20M2873ibkps0yNZ\nTdqI2hhB8qBtdEOD/gKq3M27/0c3O7rpsIv8kxxdnmZ9GlRjG9c+SmVqdmZ+PLcP\nOrC+Fq8kQKhINaYdpPoT6x85FW0YLvNiR72grHOKDofqBrFChxapf4HKK6T44TX4\nPKw9G2o/XtN9Z1sfh/R44XsNwTjG8EHrwQLsFYoH3+L7UoNkkNtcwleAl0tkjyVZ\nkq4g0nJKO0KbB1HAM0opamYKOsCUaXQ1MLbXKAmIKy1wuKJR9ibH7E+2Ne41fHJv\n0v243FBnebJP5wlrDY6aBNBX5lPeJBF2q9njp2OnkHWktQD47EyhPhI0hUxN3vzL\n0dSE9/LFgWtvzXqVWIYBWMHToBBiqJRgspw3Jf4Fg0l7Q9p7u2/rwgqbIWMLIDt+\n4tn0ySuiV9jV9dVG3Ho/X7owgr57PPetTvUcU6Ph8Yiv6riLZ+qBy636iGmQd9Zz\n/8nG0BRAnU0YOdWUtvOvBvI+JC5DIs2Trj7Th0AJvlAVLiiR1+0dKk+BdNo/LGE5\nRNNgJIwGHMOZXJonuYfYe15Qy+Qcx3J/NI9VOOfSmzl7A4s8NqtuAt8FNm1cDNJc\nAZp7gi3i3PxxsEXefNMtbFDLe+5yQ4lHro47BxnNAyvnYwKC/VAiwatow9kZGNWn\nc9J/PZinOYPfalwqOl0Zn+pem0hIestNplin7v6ynxa23Cg4g1xUou0ve14=\n=UG0o\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQILAwDh3VI7VctTAQ/3W4JR3l6Aiw+cfwFMgYLr/7AwJSwC1k4w2G1VCwXMBN3g\nmC6YPp67WDR1lOTb6zpviUqVTKAEy20BMJxU7JulAQPInd/zL8woaAHc1tp+cbFE\nr2mIHPKFGgA7tc2xuGxw9+WeWHzjrdjW42vWfvmjoL1crubSzWzr20onKgT/dMwJ\nbFMGEyD7gfDY8Z3TAlMGoRTNyGVzFrsKHkvL01kW4T6K+69ECSUDXyMimA4njPt0\nj+ukDmjojtyUjxHKEvyDtjfTZh8hT6f80w8o7cG+YSJF0h4lXEdvKay3WZ0RbwZg\n6ZUI9Ng9SkFEhcIDzePg3urdne+oJQQxDuFYfioh1Lm0aX1kt0GzU9r4p5pwjNoz\nAwoHuAPaVnwU553qYm6XtghzwsHGMIa4r4JFF4+/txlC21XN9u0sslIUc/CC2fyu\n1rNRgg/4TvipAFHfp0GRWMraf3FchDhFzRqPs4Ei6Vv1ffEKQGun8iykLnN7gC3f\nclCjiorc7pmh/ZVylyKuSvR+TTih3Ysttm9jCNMB3rIkCIdz4XaNYbCPUtb8sMub\niBxcqgTIDNCc5r7CnfDyalmHLZ8s+Q31H0Ci71I3EhHf+7c6KlfCLWuLHUpN4abX\nr5xv/q6kXJJHFOAirrUH8Sik1ydE9g6gLNr3udJzdDehkSflkHAd5mka+v/+n4UC\nDAML0VEuZyGBhAEP/jGuSsy8X3dCKtdbvnN+6SCspC/reKhptMGhyxLoItcyqku+\nXCjAe5yxfHEFjPzA+zMmOF2pmsc0FlZu5+eR2+karAuK+f0fzbv2krhEE06X9mpi\n3vJDoG+Vd03Wz+C/Y69xSIbGXY97msQo9XkUuuBcVjUcsFaf7je6NNLAFmj0Mmk5\nzKmXgCL0yjwFmGSGUnFIjrXlKil1gBrYHYWH+vkeFnNHbkbh1Ul7LYPkDrT81Occ\ne7D+yMp/URxTY5IjX7yVDSANCBhK3reGSSJ5M7a7K1LolGGKUtgMLKfWs9uSVqtJ\nA619Xvo19QYladZxmvhLNS4ZbZkR5mH7pcUmX9ltB6K6/kNpSdujaYALFFLnIgmv\nwBaUjZ9jmx4zkW5B0MFshh8SNrSfbPrmEJyBF/tOLGj1YGzj3TIq9Yf0OnDtmycW\narqmFyh0CWhMVfI/ekCjSCUI+LQTi22/itmfv1IFlrVXLWtWjVNN3y+MHz/9v+Cr\n5t8mWcTy01upfwNxSEcjsAFsjyAfvjdA/TZMBJWZ5ltnEQF3tZFV5WChmh++FNY+\n1GPqtEJdinTVxfv99N9CZIwZUap4+WSYVbXEmygVMUP41BVxNLjAPo4Z6PrDfnSB\nz27BqzIDnNwVz6Si+UreJDUhogGDH7lZua09Mjb+plUyBhAJEvT50Nj2XQyV0lwB\nky4gz5OsMQivfD+bWKOx0E29KnVWWSR2HW82uPaDfWI7uPxaON7YPIvI6Xd9pOUd\n7EdEmSiVVAfbqeplRRdClabiBL8Tm6QLiAnkQiImg38jGU02IeCNbXfzbA==\n=jGFv\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/pyramid/secrets/secrets.yaml

@@ -0,0 +1,48 @@
+home-wireguard-client-private-key: ENC[AES256_GCM,data:YL/nP4DGGjVc0wRrbJ0x+iyJfdqhE90Ws92QBl/lr3RnJzA+stcz0ey/Rk4=,iv:Ek/RVzDpcT7fqVh7OnNc9QXD3Tk/2bm6vSQDA38j+DI=,tag:G2dSpA3KZmbKAfIN+2d45w==,type:str]
+sops:
+    age:
+        - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcVdIU1MwTlQrVlRMbDkw
+            WXZlclBlYmp4elMrTkFPZHRpMGlGZXBDNWc4CkliYkNuTnNuZzRieGlvSHV3SCs1
+            S1Nmb0VJaVd4MFQzTU5XVVBuQldIVzQKLS0tIFpGUjNaSy93MDVQVEFvbXZzQnJp
+            Z1AzcVZpVlQ0WU9pNDNoTXoyR1RGUEEK0dfAegOiBXCnLakgBtWCYb7+hDqWFYUK
+            rXlXTBtICLgSzLWTtPbSVzrrZgT0SAM6vnLO/iNfAIXZlxjeOZrP8w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-05T10:37:12Z"
+    mac: ENC[AES256_GCM,data:RcvRagYaFGwMwrV63tffmYcA/m1GRjXpefR8Ab65jaldcWjfERiCWLFha9aQ1QlWUgSvCWbgC9/zFJkBBca1qVIvLOK1+nkI/ZjQ5rdUOJaP7mukLC3tcm+5f0Fe+GjTCDHGIZd/dUgkF+xVhN2XnFW1ExzRRt6q4a4pKvL6Ml0=,iv:EISJGqa2hQfjpu0X5wMJNZXzv0Loejj0Eb6kosXjU64=,tag:S81dIphr1rqQSO8jAZCABQ==,type:str]
+    pgp:
+        - created_at: "2025-12-02T14:59:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTARAAlcSjeRYoj2Hhff3PbKtUdIisAyRHtX84+m5BYeRmcx5k
+            gwMmitFaYQO9IL8EJHXfwIlx+7gubTCHKVDEIJPT6+jwNjWPvdvRSdmelY+xIhPE
+            rISqzUlbpKdkhRco0vKNX1bqfLWPqcWPREyHLg0WsnPJjAmNHNz3GKDnqFJG4tip
+            CDMTp16dJWAnGF9uCPDZ6CcpuP7U4CHDBH5KcGnZFJoZg0VvQhqW1uTwmqI99j5G
+            pB54n/nhCuNbL2vktBZQp+vrwiykb4+1rZw+CcK2awcD2Ugk0d/7KieRSxRIKEbW
+            COIkJRxXkc3JbLjdVIZBQGUSNTtjG3Q6pUaPuECUhb+5SyUDIpiUmpR+/3iIitjo
+            OY+1nDWji5Q2d0BSkoRFiH9KeZn65vduQyEQRX6B0yrElBNk7etkvPdJ3bGoJ2WX
+            Qwlkx0YP+a2dwEtvlKav2D6aJ+uCH2MTAVVL6wEK5a6s2QYkc39qpGhzRv83nbsU
+            Bp0QnJ6ZSjf/C5fAealZldXO1ZDIDpbH5xObaanrYgZ5ufnUl2Q1sKUXNljTYigB
+            tN5z28AiDeV/INr7e1tPV+C6RtHDYi5Rxo9lfoehvdAWkbfdl/iucV2LkwWTKFLO
+            istGzbaxnPtJmlx6FXq+fk6g3GQcPvuv64ZqnIv76VclWcPZDYUK/EU87LAO8NiF
+            AgwDC9FRLmchgYQBD/4maY4LhehaKtNMt6r331YjlsnZxcv/4L5zJRc43XLeJJjf
+            3xjU+TZ9RvjwsTaJ4bTeoVxu8OkFgugvRVhp9sQuu/tGfWbCpn3hWIxebivarQdI
+            7L0SkuHg1Die2g3YqdbpDIzvnLueSvuNDJNmyUgekR8TdWJ0A/pwl/poAu8nZgtw
+            hiIXBdLt5xEUOihXVJwYIoHu8yjL6aZttDyZfHuDDTcCwXdqYqMHyTYmcNdGakrl
+            DG+x2TgsJMtipvYHT4WqcVtOYlVAH4VfgxfmcWvEIXT5u1ZpizntFqGAgsTwQwCS
+            vs8vbZ5WFqQTYZL2t1U0cX7ExWWdY7LZ+ap3uZ5/2R2VkT+FdplRz12DsobWMP9z
+            mjveWhiZx1TPa1rf5pigcvtFSQLllrLhS79Per37EoGUArS9iM6Iyhd9avHAqNTp
+            ywZnJ5JpQKVDeRsMZfpoKdN/C/wqSAl6O6NQX06aY3EIYvxKF8h6qK7u/4WdlVd5
+            Ml4Yn18HyeTkbz616TlMLlGQMNuloDc+XVORVutVphvxI50faIwi4I4q06+7+yuX
+            A87uJatXS8K20mDkzygP/j+T3eSzEMB69mPLo+cbhOfcmk29x7Sg5pf/JYAOuYMS
+            XGlIpa/VmqHOVcbD32sm2/M3AOgZBz3D2Tr2tI2JyK4ZqW/7AIFYNhnv7siTXNJe
+            AXNBE4bU/FRXGOH4vOqoVFvBwYOd7Jlr8QnMpFQuBDMz/408lkIojd5njvLsu/4n
+            qE0HKP9Sq3XY8dP4012GbkN9U/m/ca2oqVUy7rrEhGc1gLddlISHMMjNa7GsBw==
+            =fGF1
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

hosts/nixos/x86_64-linux/summers/default.nix

@@ -8,21 +8,33 @@
     "${self}/modules/nixos/optional/microvm-host.nix"
   ];
 
+  topology.self = {
+    interfaces = {
+      "eth1" = { };
+      "eth2" = { };
+    };
+  };
+
   boot = {
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
   };
 
+  node.lockFromBootstrapping = lib.mkForce false;
+
   swarselsystems = {
     info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
     flakePath = "/root/.dotfiles";
     isImpermanence = true;
-    isSecureBoot = true;
+    isSecureBoot = false;
     isCrypted = true;
     isBtrfs = true;
     isLinux = true;
     isNixos = true;
+    isSwap = false;
+    rootDisk = "/dev/disk/by-id/ata-TS128GMTS430S_H537280456";
     withMicroVMs = false;
+    server.localNetwork = "lan";
   };
 
 } // lib.optionalAttrs (!minimal) {
@@ -31,41 +43,6 @@
     server = true;
   };
 
-  swarselmodules = {
-    server = {
-      diskEncryption = lib.mkForce false; # TODO: disable
-      nfs = false;
-      nginx = false;
-      kavita = false;
-      restic = false;
-      jellyfin = false;
-      navidrome = false;
-      spotifyd = false;
-      mpd = false;
-      postgresql = false;
-      matrix = false;
-      nextcloud = false;
-      immich = false;
-      paperless = false;
-      transmission = false;
-      syncthing = false;
-      grafana = false;
-      emacs = false;
-      freshrss = false;
-      jenkins = false;
-      kanidm = false;
-      firefly-iii = false;
-      koillection = false;
-      radicale = false;
-      atuin = false;
-      forgejo = false;
-      ankisync = false;
-      homebox = false;
-      opkssh = false;
-      garage = false;
-    };
-  };
-
   microvm.vms =
     let
       mkMicrovm = guestName: {

hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc

@@ -1,22 +1,18 @@
 {
-	"data": "ENC[AES256_GCM,data:umKGtD7jTa+ex3ADPs1zR2o9YU2j3y3zCEupCGOsdJyicM7u0efXDI0g755RdPeNJiB/z1DPy+mAkePPq/m93CCppTq0BYyt0JJw53/j3ghCMJj7N3wUVstMUB01jewDSUc7SLay0lkhMCWbrTKsR1pwnfFRAG8C3rWXQB2EkU9FViCo8VaOfEF6Cq9ev/r+SEepT85wvoMxxIg=,iv:bgJXEoj7nRUsi4fA+bYVYvJYavS+BoDuQt2SCrX/2W8=,tag:lmOjPU0J0Qf/vcnO0owTZg==,type:str]",
+	"data": "ENC[AES256_GCM,data:xPgUMSYz77DhqS8Vvv5FawLGZOaoI+yVqyK6NIqqF5Z+eVN1FyYjg6tPRB56rq4/yPtI69fKpQyEvnrtOZRFp1L6R+blweXobmeG762a/FxoWmh2CaF1QutFKtS94xfJmci7De5h67miKRy7rGWOeMs8gvjspvLtGrmDJQj+NQCwTvUDcibMKL59GttYTUhTxeGyN2R3utEQeIkI0Sf0mJmQUWXXMsjiMrQGhGx1iS9KJHlU2izl4pZMDsGr01d/seV7O2xspfhf5saJk9yiTwxyKLAW0ueSAnstfQJU+CD4zDXxbxcl94dzLFkJm+WTYV1X+IZJtMODLYf2XgVsz4Ihf7CuzYXHGw==,iv:3eohgv4d8CUuGPb8ODmEeAGeBsfwZsmFG2ZuxWkbKRk=,tag:31eaWzlcCslHMTeq3kEvJg==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
+				"recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBET1RmRTM5OUxJMGNyWUZK\nMXFqUWF2ZHhOZ1pxa0RDbkNzWnVzVFFCbTJrCm1oU25haDl5eFg5T1VzOXByai84\ndTR6TGREVnBHNlV4S254dzh2Z1lvK2sKLS0tIGFLaWJFQ2VwaWtxaURqNDU2ekRQ\na09Hbm4vNnVQaEV1aGtqTTVOUWN2b28KQaoPc/UKaeQ72GdlbtWFdALywHcUkewf\nK5pEz41pzDKOjatypm9X8ZEIEarjOHIZgMpazVM4i1PRUUefSE0phw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RjVhWERrSGtvYUhYOFpo\naDZ2UGZ3RlQwYVJaR1cxbVRRYVBVellBWXpnCjcyYjFYdG9YNk5mNWdIYnN3d1M0\nWTVLM0RyWmtyejg4T0YxNFdsTElLTGMKLS0tIGR3d21SS0Y1MHBsQjdJaEpzUUNk\nVmhjRHJ3RDhDSEdTWlpoNDlWaHJxM1kK3KsLvzB4QGCqKS1pq5jQjXU0tkS6CDat\nL8emFbAPLKPEafb/dZP+AXupztod9R0feSaDxTre5m8ljplEnE5Lew==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-10T01:10:33Z",
+		"lastmodified": "2025-12-17T22:56:04Z",
-		"mac": "ENC[AES256_GCM,data:4vPX9TdAGGBwzEc3W6pQj+BVKjp2kSAMB/L3QVXZbDHfvyKFWUOqwG8u8P7XDcuIrrpx65YuJp6zwexpJjg5zkU4favJt+uHD1wWC3TZcCpda6v3hGW3RduQAwVy+18JJ+PdSxHzrC4jmj+t/HIKp6Bt7qB0Z1ynrt/CdGIVxh0=,iv:zQQrl19jK823UynE3EXLgazehpWW5ltRCWKdnElVh5k=,tag:zIIgbyXSw6f6xW2CaVW88g==,type:str]",
+		"mac": "ENC[AES256_GCM,data:+UeKJoKrYLGMU0LMOVvBTYCrwS5gs4dWIIi4ceUnnbs3Q2vqtyn52Ht8ECH6EAHnEtk9G5IBj72NmLgu8Hr24mDc0SFpJKqFuemvJHef9t6eB3ZGYFNwbEJ6HOjmmp6+Xrt25b/C1q7mw/ysnb0g1Fs1I0GzsyQAjDeYWYTh6Y4=,iv:ndTm8UuVgt/O44vlKafu7F9knSNNO2+RoH/GoEhTCqA=,tag:PQMhJlANkxAgngIdzuGEdQ==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-08-24T23:36:17Z",
+				"created_at": "2025-12-17T23:34:30Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAwf7TLx0TR1HBhh57CyIQLw8ztc9oblKAW/V7bSlQM/wR\nIwQTcTi3azdI9yewDRO30rIr++FEapdGVdpXoqQ8zcl49VjwDux6wzF3bsmR5Goc\nlTkDd0bmz8RBfsK+6efXiRqo3C0yP2ZTOh3PSOvsXKbYS6wY3TvNBdGnAYrfOvEw\nmBFRhn6uakw3zjVUngB1di07DH3y0wEb/r6+Mzoswzg4DqT1SAdDkfS9dpn9h3MW\n3NBesYlOukLrNA5Toi6x/fmE2lrPHt5QxPdvfvKe5ye4myZ/gBn1mdejB6U9nOsk\nRCJFMosjBH7jIpwokTjUT6Vs+zs8yrF+gbP82H4RVfZymMfdZoU/pTfYe1Mwg6Yi\ntlHyiRBgSPBY8Doa2hM8/yvmfHVMqSQf8uXltz2VC7JUGD6P0QbDLpqY3URmHg/q\nwN3zYJLlSIkU6Z7oivTjfg0dR32Z80lCdZDQf+OQsRtCUi169Fgxr7+HhdxJyj49\nFIb6CR0DHW4vsEj1GPAa0Q4uMfCxLiSZfesY8myoCtlVo7oeqx787KicJB5PryHr\nyZweKd7tXO9g8LNJtECTZ81y2/sCfSZPBia6M4oz56pIFK4jhYCY3iPnWIS77axu\n5MmqZNOP06obp87nt1ea51BmXkaYxmSPoQ5R29CeYU+m9q+kKvizncgsCl/O7U6F\nAgwDC9FRLmchgYQBEADJo2kPzrxLHptsr6aoIxfYNrQ7JJM3FAZ7do5YvAbQsl5t\ny45qZ4+qWIEMRXwji2TvgSg8/ylnZfN2+rTHdtNJkDdJ2sX+RDr8pm7L3VS2Zhjf\nIp1SdPd5cm/3QupegzUR+kcPa+gPM4asGSytIkAnnpev/DCnLsrqiejdosTDj9dn\nFtPKJKSUBzJSNRxBSpM9L+cTU1qyMT024D5Qvq6vBOjFI1YV3LSfVXQe7OZxxxVX\naChkGR1v3UjndQ4Yv9hamJJ81lRLeIcVEOpOPxLHJX76AJUqP3fR/+m2Poah8bFF\n+yIdSp2jyWOoU60We72fvlEwxsTLl8Zani+xX2ckkUCe+wsiGJLch4Df1pepxpef\nb95wZ9L0msRdHY8vRQYapde/ju8CUHgywVX7+YH3EF1bJSnUOBmyOA76v9ir09am\n49g+VomkWUuzPJ2VYQXXH6d/qn/sm9Z9yxy7e1eh5m+9cd42b4sMdW6ZCTMAtGJF\nPX0SiOMR6S0hjKVBcfcyNoT/wo7wqEl4mYDpoCy10K0nYRn+ggJnIZEJzBWibMYH\nDWUDyuQIYLjOBAchFatXyMtbc8qDorYelLX7amPRDSiDhhj6Y5nYMJtUSwfTLwkN\nrI0Q4bjE+fgNACCqPoq/BDFZotcr1b664ZUJqgnTBPKZ5OnmW/iFkOfzu4fF9tJe\nAcekEPwsFbugu2bZ0Hs5Rl/Dh9p4L9gceuMiwJ3oYGA5cwXFCeVZLNqSDLy4upVX\nnXRaMzBNGgWo4geDq5JL10Mh7/1d4GGVxdts8RGdI8zUFTPV3GOaPEHeNyIO+g==\n=2UMI\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAA2WAZd8mTmgXn8X+MmMTgSXZX0TJSV7gI1U98+F6ewg7Q\nDB0Q36UVEtbpYaQi+vdP0g7lzPo9ubEaO4U38LYiumxlYZASmn3faYLvgikSpDM5\nnE9Huhff5Z9gP7tY0Kq37xEOVLNx5hI019ULk9r/7T1g2bOh4fWyBVvCseQ+8r3i\nR1IN2QPCWP39evzL/FUHtiFH2XD/dFtHRLqV2Zd7JXJ57FOdwROc5omKh1bN2Q92\n9BCJ5vE32gpPcBxmAz5VY4lgF2SYps3Er9ObgTv5ux7hmqspQZayIvpYeERXTeUp\nePAqzmbbcG/MabpjuUboy5KoWsbEi4SsohzJC5r/oCnRCbu0PCz2Ip8f7CyMUyhB\neOjAJ7zrY8XW/ee6X0BYIZwUZhZw8Z/Qf2x+GSamamkhEA9AhbQcyW+c2D99vM0P\ntAqVqaPNqNeMVpmUJtgprZP5VjbckIkLsgtRRqopKjM7FkzHykwhI7hNJWJmUnC6\nrI/y+xGTQ16kge0NMbgwRuGyxFQbB9FKB5VP4vsJ227XjrEZ5HaOd+XOgj7Us29q\nkIl9ZGKbEUn3I5sxI/0ijTG/pPN+H3ROvXs9cRBkBa/T3uL4Gdvideet7IxIAOU7\neamskzNS5OosEyafAibD3ctB4wI/E19HS0JKoRNsA7CUqzVXhx5ipeLXec5tHMmF\nAgwDC9FRLmchgYQBD/9V20QCxpY8lFdhbiN5n3dnlsGAIQtYTYKXWqTWb/iq6Mhu\nUU+/2Czu1fpjOEmPcvKk3XxM2wclzpTG+7NWvtHuDLe9HCai6eujY+1Jrek95AqL\nDzm83PDONp61nGj0mCHDgyEcnDK6ViCglofjjAN5HmfZxw6NI71GIk+c3qLx1pem\nUR7ETjjBbBW3gv9BXAqe+NYRbFx173lf6er4ogqYWRFCRlN7IQGlMLhAbbYfiwIz\nsnyyCj9UEekFcsVkQHoIHFeuP8xmsOjL7AAtKAMXVL1UdHfgJjK7bI669tzmcJJV\nakECPeKDwk1/C6CwHtKrnAHoUHPLw99WEPThQ4yselDBkf7yFibnHc6dNd77xIEG\n7lVyZFFq/a+gOOWdN/6mxqumD6LgQexoatY+8shQEJ7tfcNKs3ptJZX6zLiA1A1e\nzLxpVqtAmU7H399M8Q7Q5wiJh7wlF2ssADnAMws9ybCzKqBAsbBDhlwrXvZW5lic\nQTMZoeYBgZp6l59hHppcaUXTFOCR0fW10VNyyKJa0/fRegptxGAmvVQzSLLJODw+\nXHxabaeuF8IcU00GqIC/7OuUY3yN2IHYjxkB90F+rOHYj6nF6zFxBVRplqvgbzbq\nSpx9/JEuzVqv7cwmix0osmru2NrY/xvmtJq+8VZooU6JcXk+wY5MtD7sIG/yFNJc\nARwQJ1fSiUBvXVBM46O+XQIPk4aP10cxhz0NF0LTCXttJJnHqgjjI3SAGvpAq2mH\nCGPu49vKjzW5l3Y8SfHGPe1vU11l0KZeXfPSijhupM6V45N+YBkwDLNj0Qs=\n=zt+q\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/toto/default.nix

@@ -6,6 +6,8 @@
     ./hardware-configuration.nix
   ];
 
+  topology.self.interfaces."bootstrapper" = { };
+
   networking = {
     hostName = "toto";
     firewall.enable = false;

hosts/nixos/x86_64-linux/winters/default.nix

@@ -1,20 +1,24 @@
-{ lib, minimal, ... }:
+{ self, lib, minimal, globals, ... }:
 {
 
   imports = [
     ./hardware-configuration.nix
+
+    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+    "${self}/modules/nixos/optional/nix-topology-self.nix"
   ];
 
+  topology.self.interfaces."eth1" = { };
+
   boot = {
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
   };
 
-  # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4;
+  networking.hosts = {
-  # globals.networks.home.hosts.${config.node.name} = {
+    ${globals.networks.home-lan.hosts.hintbooth.ipv4} = [ "server.hintbooth.${globals.domains.main}" ];
-  #   ipv4 = config.repo.secrets.local.home-ipv4;
+    ${globals.networks.home-lan.hosts.hintbooth.ipv6} = [ "server.hintbooth.${globals.domains.main}" ];
-  #   mac = config.repo.secrets.local.home-mac;
+  };
-  # };
 
   swarselsystems = {
     info = "ASRock J4105-ITX, 32GB RAM";
@@ -25,8 +29,18 @@
     isBtrfs = false;
     isLinux = true;
     isNixos = true;
-    proxyHost = "moonside";
+    proxyHost = "twothreetunnel";
     server = {
+      wireguard.interfaces = {
+        wgProxy = {
+          isClient = true;
+          serverName = "twothreetunnel";
+        };
+        wgHome = {
+          isClient = true;
+          serverName = "hintbooth";
+        };
+      };
       restic = {
         bucketName = "SwarselWinters";
         paths = [
@@ -58,36 +72,37 @@
 
   swarselmodules.server = {
     diskEncryption = lib.mkForce false;
-    nfs = lib.mkDefault true;
+    nginx = true; # for php stuff
-    nginx = lib.mkDefault true;
+    acme = false; # cert handled by proxy
-    kavita = lib.mkDefault true;
+    wireguard = true;
-    restic = lib.mkDefault true;
+
-    jellyfin = lib.mkDefault true;
+    nfs = true;
-    navidrome = lib.mkDefault true;
+    kavita = true;
-    spotifyd = lib.mkDefault true;
+    restic = true;
-    mpd = lib.mkDefault true;
+    jellyfin = true;
-    postgresql = lib.mkDefault true;
+    navidrome = true;
-    matrix = lib.mkDefault true;
+    spotifyd = true;
-    nextcloud = lib.mkDefault true;
+    mpd = true;
-    immich = lib.mkDefault true;
+    postgresql = true;
-    paperless = lib.mkDefault true;
+    matrix = true;
-    transmission = lib.mkDefault true;
+    nextcloud = true;
-    syncthing = lib.mkDefault true;
+    immich = true;
-    grafana = lib.mkDefault true;
+    paperless = true;
-    emacs = lib.mkDefault true;
+    transmission = true;
-    freshrss = lib.mkDefault true;
+    syncthing = true;
-    jenkins = lib.mkDefault false;
+    grafana = true;
-    kanidm = lib.mkDefault true;
+    freshrss = true;
-    firefly-iii = lib.mkDefault true;
+    kanidm = true;
-    koillection = lib.mkDefault true;
+    firefly-iii = true;
-    radicale = lib.mkDefault true;
+    koillection = true;
-    atuin = lib.mkDefault true;
+    radicale = true;
-    forgejo = lib.mkDefault true;
+    atuin = true;
-    ankisync = lib.mkDefault true;
+    forgejo = true;
-    # snipeit = lib.mkDefault false;
+    ankisync = true;
-    homebox = lib.mkDefault true;
+    homebox = true;
-    opkssh = lib.mkDefault true;
+    opkssh = true;
-    garage = lib.mkDefault false;
   };
 
+  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "enp3s0" ];
+
 }

hosts/nixos/x86_64-linux/winters/secrets/acme.json

@@ -0,0 +1,28 @@
+{
+	"swarsel.win": {
+		"fulldomain": "ENC[AES256_GCM,data:CVasUSMRn/KWzVRlcYfTO/RL+W5Cz2JpDj0JLAKITXrDZrl+Wsg46X8zv4hX6NLj/wAyvXQ=,iv:N3DL4JPX8vWTbllFWcpNulwtDJ57xpHrAwoUxWhTzxs=,tag:CYWoK9uT121rFXQ5h69CZA==,type:str]",
+		"subdomain": "ENC[AES256_GCM,data:uM457vEJa10IV4SovBDUzLLlW+mPwh1SiWr8thQisFoe6zAk,iv:Tdbd5a20Gv/thkPfsvNiAbI86JjcDs70MAfk4yCZLgs=,tag:MulJiRWPs215x0bc+1jBiA==,type:str]",
+		"username": "ENC[AES256_GCM,data:ePE2BEKL5uaXqzGngW9ArhwP3qwDzwULtfwUfb5Q56VGGURp,iv:/GZRbyXHorcq1PIYlhfOmUVwCg0I/N4ZraEzSrc8qmA=,tag:wM5B1U0BsRsBAJg3qNOXpA==,type:str]",
+		"password": "ENC[AES256_GCM,data:RGzdi8IMqm+rtiuU4RtWGQ4N/7FYBbp5Pir8/k2V1QEdM8z7SIn0FQ==,iv:ThFbY9eZuEZoyzcWV5DwtSi8ugNwM49JfRof560Qx/Y=,tag:sgMaLrPB8WgpXWPzaCwOBQ==,type:str]",
+		"server_url": "ENC[AES256_GCM,data:zJdXoO7ED7qeskYJ9Wu0Rdprbvj/uP+Z,iv:ce+QXocqCjNKCsZRyVt6koUyc2lsTwPNMcfQyqbktN0=,tag:bQSE4/6va+V0TORWANLdUA==,type:str]"
+	},
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZ2Fhcnd4RnNIbExibGlr\nMGNoLzltYStyQjNDSG5jbCs2WkpqR0VINHhnClF0eW91OUVvSzhackNPS2JaUitJ\nSW9VSnEyWjRHM29hT0xHUUIwTkFQamMKLS0tIDJqRERxQ0l2NElxeUhScUQ4R2hS\nT1dhQnRTVWM0Y3dUMUxLTGRhZ1h0NkkKJI58M5YOldaj0gy67WywMK1vTNqBLz+T\nK+/0PuEooKZkcdd92+UUoMMU9JcfvnvzKmC8Ot9xwiaLaupb2Fb7Lw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-12-04T19:04:02Z",
+		"mac": "ENC[AES256_GCM,data:nWV/knCo/MeWTBrfq1VlV6SPEQ2i2P+le82S2So0BIxPfz8tqan0MdaIaKLFlapsT9VRJOv8ZCCXSLWeGcbEvfmEz4MP1E4iHcU/4YaO+n895D1JrjeyP1cgGisnXqe01xMXCsDY178sqxHcnDDlXp9foCem+mGjIlKGPYGu5Oo=,iv:qbavbW3MF4fx+E3aybBYaz/T/Hb63ggWml4Oe9WFz+I=,tag:05vBbBGDGRNaXJWoZn1bVw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-12-04T21:07:49Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Owp3VI6TVHSb6hxNioVb4P/e80pnf2LZQxhLUOb4QAfd\nkXGJLcdC3rIDF7b0qfJJrH+hCHSZBqrE6in43wDXe3Cj2CzOWaU8kABqMWKoRhG8\nd5Lbrn5uMN9sOWQugjFwtDPQo/g38wkHjJRwtpp57K3W7t7A1Np1Hma9APLwf6NV\n4t/A5vkib6n3Ilyc8e4eNlZu2yV+9fkygcSQYd9QxCRdqAbH9yCgtQ/iYpW4wNXW\nB18ENwOi9KiyWO8zMtGdj8Modaw3yLo9qku2u5BkBnbvE/SDD2QzxVEy8dc2P2/9\nkT3GLI14WaoTc0uCHQfGG6FOKbyD8P7VMdk6K7LuBrAANEaqwb77NlsIulekCuff\nRHjWYzzLv14wumO8+3dXvSWwdG3or0/caH4oKfifTbwSOwSTVru6WAWBGx0reqwO\n4+CQ1WmqHM68aFzlQY40dcT6i0jCZpvL+kMncbOn40oZt2+7T6h6zfa/YyWN9n1Z\nc3LhbHTYjA/gyjc+hD88SKCyn1tFK076209KeOpAJnu37Vb/O0BB9T8cxe9KVkMa\nz7SBXE7BEq+vc1BKpHN51zVmCP9REbQ//2RS2JwfxuKxj5ti7xQNBfliCVn/04bj\nEYnortuIFKjXGhZBBrgWKddS7zaU4Ux+1Nj8NAou4u+Cpi+EwFfpVvp11136H5OF\nAgwDC9FRLmchgYQBD/9fuQYiGbtsS6dm4kQzS6Ptmx4+Yi1QYywY0aU/S0wz+LBc\nn3ECc3AypbLEemNU7OeoveOtPj7TyJ9Wth2AqeWSEizgA/xCttiX311+emK5LqjM\n4KtlxJe8P0Hun9vxbcGRVXIN9IKDk07MWPBVQ0nUPnPlNTzZtlu/ahW+Rsyxm8wY\nq035Wtyr97Ak+gtB72EU3sEJ7INpNbIsbfa+AAbda1drrhvtde5kgnVKsSdC3oBy\nTo6rgSjRT91MZoiY+L3oR1lwmxtu6snajhnCWHe/u4iuMMK8a3b3WAUNBxG/tbQd\ni9qOLYyjtdfuqRsNvSK6WsgpAqabfUmvBCYsvKlNUGx4LDMmKsMwLC5DfPSGk8FS\n1haVyfmMNoCkcG2RuT+mwDm4I6aX1VbeKbIFrCYBEAYuWh8Hdobw3TYNrjGvHScq\nVE47Q7bCsUeiMybmtHTcHH6WNI+LWx9EHVZCaccqT19FV1PAUDvU3Z9HO48kcrjs\nX2UM3HtmU84p+zgQQzk7I1ociHqFBnKQmVd5KVs52V3Sj0a4EhRMDrWOjoucgUqD\nqMPk9HpO8A8gL/Xoaxbs3EdaQJsy30aVKaeDUyTcTqTLvEAocUQApi1QQCKgoc5K\nT9Y2EqfC/ArWSJOtylcQk0sJfKSo317lBb50+h1XcFXC3gNcXgipxURTwUSqb9Jc\nATpFH2B+AS7/fG22KpHsop4b3Mwm4nNZKTnJ+5IY2iu1hg/96AYe+njp+7BtbrbH\nTxOiYyszqQ+E8WykRO7QwPxgGtlGkgW2fXRFmAxvCHMbnNVvf2YSQLefUPg=\n=MyHr\n-----END PGP MESSAGE-----",
+				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}

hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc

@@ -1,22 +1,18 @@
 {
-	"data": "ENC[AES256_GCM,data:vevuVfscWMiD3Lzc/bAS+jAqpzgkfBfcFAB7ChacGaj/PJfoi5AzpmlkDhm11GBcvUXcveMnbLbQexaF3dgPVwvbD9xr6e+mcMJjIry5c5a5wOcZkyGxXgPuPg415An9AQrO56XeTTSaUL+ScQB3kv6eIyzCtxZag7pRLnOgwFuGYqfwcDIcX8QHCc0ijf3XLPaM6dEgiFYDeOMFhOF4+Z8/d9eHoEQ3tOkWTmkoVqZFz80ZicEraliWnWMvCBhRLKo3gb7KFRce/AAEZQaS3CZOJz7v7var4Ds1+PZnU282aSU/xsY5Dq1vOrsZuoYqXA5WrdC9HaXAYLGaGFCzLwRTAfJvigV4PNwOePskCSa/qRlOGpyO1t1B01Y4pghdERNlS+1ltEz8nKVfIi4DR6dKy8NIhLl3huJQy6KHsLrjDHnmxeypo2sJ+NeyuNTKqwJo9x3krcIBt8SaUoFIDkBgshcDCp2eBcKvRIOFIa8r3rsxQ7gwG3YV7hS+NR0nwsUXodGXVzrdehDNddr+mI4GEMl8TTP9sdVSaPhKpN+QB3GGGoYwX2HJYXdY9CKIIlYcgFiDfPz9x4HqGnGfSpeB6QgTK40pmRmG6jQyIFZiW+hQBS4XHtKQ8CJx4zUNpiUArYzustw6riPkfYDex21SzsUIjpRYxB8uGHFvJlJVgr4FkQQg6frebKf2EjIhjc9Mjdw+g7cGb5+WavUfy+fIXztYwRI0l8aftosfCMdGsSChntKCymz0kpGREx00HF5blA6oyifHaVxRYoqraxCwbe+p1RTFlGonaYtb0gBWpdrQU+24HVQU1rMhc8HFHPjcWofE/ymEPkhRzkxIXMmNQFi/18KvZWoy2qOVtPmsEc4mOVRtC6w9AZZpcxI9CXhhuyDZlJ/k4bJzkZFrcNW8I7OjEXTNmsYkzJDSVzD3Od/1zhubU8LYZBBXuejzeH0TXNsXbS6tQXCJ2D7Gzrcx8LpXL/a1IjAUmIXguVtPT9nGallXO9jHV9g7GGjF7weTaEMb/eNSuLgQOpq8vziN1XLWhVo0WEQ8zU97KSVJS5moaTEPAEUlHC4PfM3AQHpWMW4EL7FZu5r1yw+EDOUA4k9u9HIVbn5XVZbWb18aVVkYZoulLIVU7I74LJlYE/BSYhGzp6Ff1k6qzPNTbVgXEtiNuLQKa//8gHoQUCsu019MEVAU4LhZ+nt4genG4qFUTuBujTriO4Vhdel9Qsoq95FLXDzdwRInUzfUhbLli/rKv+LDW7wIdh/peWslq5XkWBeMqJC97OSGzM/MaWIzzMY68FjCJfYX6I2nskFD1xZiECKukn0LV/wqQhrkmUuyG6RsZGAZuOoStWJMs8v+x+ZIMHzg1jItXO2ozt8P73EvdgOExJi5/aSf8sQwX7H5lesDtnGYU5+xV9k6R8icsIqG/TLuFAiqK1hmFQv7H/9pFkRq1LUXFmJXoKDfDByG6xUjMeyYOwT6yLShhH3MMWvh3yjflwzGo7uTU1BTpNbKT0LEh3Q9C1txZ0uKROhWKu70iH+kHRFVlhUbyYpZovu3BPB3WDhLiLuXIOss5+dVv5RBSYUtxpzp7Oq7mbMRIGCY1hOVCiCcUEvcXXiQ8JBCklWUEEJ15BAIewetgDiVci4USgZZYrALplmSFkKTZbFjYEIrf3ghKFXfVTkMixRmzTHoxKpYXzvB3TZnkmAXVhvJbGEiHsAaHpcfycAXygQAWsIFYzYSDrqYXmRhwEy/A5cqy8dYx+UA3bBAi4v0QPMoro3UtdI2ipM=,iv:+QSRj/TyZl6xbwLDbuwb83RkBiLUi85VYcpss8Jn8fk=,tag:uPqu0GaUGmChLweOGN10yQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:xI9xiEWeszsdkCyGaaFxO3neMHj3f8kjiKyDJwVjQIVyBD+X+13vj5HoE1WsOOxNAOI8iXsE/Wpb08hIBLPxJjaip6Ordntl/kmv61uxEErQ4i8Kj9U+k7mTpPi/MOv5qlBBY3qhca4pW37UwRMUMl/BbM4YzCqUMGQfbkxuevNoIoeQPEQnbHtQDdVkFG8Ql4xv5tQ71IPAx9ktH5iVKqKumrPEL8/d3i4jmHg74Y9A2xHtX1D7/5FiNUGpo5nCEKVLB9RmY0QqKiC8V20VONld1q3b2K52A6cS6IYvFpWR7/IaBpitAKTbMldxK4cl1Llpy8CNeLNGlolFqEnv3As2bx/gdWagjLZ3/TWZIBq5xu/Am/5hrLnSlhvEGx6ZSJujIZS7htuADK9KjGn1NFFLxAWxRB0TUQmbN8jKsHxtk1QuwyWeRSV7WN8ybvE5uj/dnL61A9/dHvmqT6YY43TAIX70ahlEqCsHNLaPqEsFioBlP5Vl3+dRatFp2GMytL0MZsITwpq1Qx+sJilAJZESCZpwFBcEFzHrpjLm7WkyFXiLvdGPUlVDhpTA/R89xQzaNcLOte5A7OdyeV87X5awCdXJhk/csRXHTuZzaa00mTv5tEZnKJk9lvn6h6Pcy4wObSbRRFlsQQBmrm9TkG/E/i73C0o8FbB3AXth8dHdQVBoO6GlH9eQKh4y9j1zrTvjMh6YVRqt+i28NabYjBS8HehbcuWpZfhSqmgiVaaG4oXIe+40kEDrhyhxSHnRymy2lNtD2IXzE3T5ixEgvv52HxglUDATc2ydL9r7Vdyfypv6RK8EVUtcFWoxUKFs2W+Eev8cMHspfuwNee91sf4exRCA4Xdl17cQUYsy2l/tz+biI2nrQKLzq49J/guN++n1xWOnZyzyNjcrID1/Cbab1k07hCspxzgenlykaUeYCLvyB3K+AKGtKcf2/sv3Zq9TVumLzYgK4y2VNDV/fpqeAzFXagPXnBmEW8BEA2kJGcFLxEeMQnYVZI/pViwpFBZXXSwnHGBr1GbLG9D3D/OwrFJgCr0baE3hmQFm6EjK24hWTDvxKWzGUeetxNIt2hBWiaFuOcc+RNnItuTREYaKq7BW6I8h9FQR3igl3K6iN/y/ZGzjVq/15Jop1ZSj2h6jagRdq2u2uObmoMmrmkHKutR9nKqjQDRZp4K8TAq51xpXnNXI+avNFjMJqL4/zmaPVzibW4sJ0YUCf832cWmIt4pSZW+z2Q6UdbJXAjzlZ4GicIQAzgh5jQpYlpW8yVgUVJKyb8HEUQJ2KIep0PhRZDqhclyBGXoOdGk/IrRaw0sqNsMWx+uLh/wWO+fn6/3CrQd1WpJldHCFQIT1OF6sZ0DylYmIPAJb/pbiImes3df5VCIO2PrBILGJUDA1XTW53L7LovhQB+Pydeu4qjNVueUwHr6DEkBSvKdTBC7vJqSm2hAXdEG1/OYTliY2VdoqK4DfsmwapelLKzkQJ1k4neUt0N6A0wc+/Hpfg53u1gC4RFqvnYSXM1eW0BlvdxIwWbq48G3jqvrkLaxVsqeclGSE5I4pisxrMivj4iFjWG/z0vkAMQSoJTyveSUXxyA9f7uWArV79Usj0B7+2F/rK1Ej1KJEcKusji6Wl3QR2ZXBMZKlCrOPL6o0p2w2iZ/ovkJAHg2CYD6njg+OkigKYFj1rb6FhPhFSSuzxKsmEq7eJ7ABrs3NHE/MA7F/C6uZTnJNxiK3nxc+JLPb3CLoEgULT4DFvomDpbM+J6+frnblzCYirgq6bdpU5eTMhrd/pwVC0HOCJFsG4xDv2JwdYTKiOnoNr//4wyHF0xfyRb4g40Hit5dB5F5m3krTu7fIIGw7RuczSbV/LFd1vobomMwe1/GbWMAHLpiABAwYRz4e/6nNZtRrPfNMWTQ8ixNEZNAI8LW7VY2RwLF46feJIxuc4UfBRlg4EdxO2FdXjDSp47m1HgdtmXBmgyneGnIyeiWvgSYsSEClG0F7/6PWDMwiWsVO+KinaJ67nWG3OmO3bXu5JjxZi76vyAe5YdQx2O85vptUzs9EExile6s1+F1gTtUFytg183dpAkBc+ml9iEHv+5nGl/MOUMiu4CPFjyWlhp1Eo6Lm94ycAfI1ItqkOZg3v7sMTc12YBfX35ql62+C3DcqpCJiBreNytZnnF1l2lEPIAUVJ8pjsrblz38=,iv:kkH/Hy/0PNzkVdTfYTgKBAN6nYslP0OFIndsmORZVEg=,tag:j/fMiT9DCog0CHnM74MNMw==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
+				"recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBET1RmRTM5OUxJMGNyWUZK\nMXFqUWF2ZHhOZ1pxa0RDbkNzWnVzVFFCbTJrCm1oU25haDl5eFg5T1VzOXByai84\ndTR6TGREVnBHNlV4S254dzh2Z1lvK2sKLS0tIGFLaWJFQ2VwaWtxaURqNDU2ekRQ\na09Hbm4vNnVQaEV1aGtqTTVOUWN2b28KQaoPc/UKaeQ72GdlbtWFdALywHcUkewf\nK5pEz41pzDKOjatypm9X8ZEIEarjOHIZgMpazVM4i1PRUUefSE0phw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UFZTaXFNdjF2UmRFd3VL\nY2pZZ3ZaRkhZSjdVUjIraHV5ZlNaNGtwM3k0CkZ4OVRFcmR3MFBDcmdsbWFId3Iy\nVzQyUGI1eG44d3JFL2NvZEg4NnduT2cKLS0tIEdhOEZETk9nRTlVbmJ5UW9GalVx\nS00yaUpJZVFVNThFei8yRzJYejRkYk0Kf6Z8WnG8phRtFIUWIPys3PW0OImhAcF+\nUFLuL4Qr7zWaeItCRieYCs1yBn7KbUJHZNkJcvnkYW50NYvlEa8wBw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-23T18:03:21Z",
+		"lastmodified": "2026-01-02T22:52:45Z",
-		"mac": "ENC[AES256_GCM,data:8KSKQH7qF2vLnR17a3XhYGAqYq4YNgf7XEkpeNVHD39Aj8MzdlsGPr9vI2o/N1yTpQyJrPW1ntKVvI9rHwcJhm5nyaQiHVwKHWcxcn7li6AeztV4HUqwKxQwf3MHfZ4fhWJrI7NYAuMAbmK6epa/ROGsIGnT6vQh3SImcn+Kkcg=,iv:dT8dBuSsYRxGe93/9ie/6/X4Ru5NDycz2pgMVI83wbc=,tag:r1mPjG/JOQsRDzCktIlisQ==,type:str]",
+		"mac": "ENC[AES256_GCM,data:p/m76sd+5HhD+tz7oSnoSzVRCnB1czTUTF90LSyLQuL6aVyTpVZp+p6/CnYc/fG+L/8wBUsLrwwajl22S2+MZAqvQFoYQwY/AiFb10wZNK2fzPEURW3P+QYzaf62nb4G3GlckjAcGxGyeGcU4TnL1qZEDgp/KcdZpsUwvVQvV/U=,iv:k7m4dOr13gczZTGlz7uHIQB/uFPEQJX19uHuLB1fupg=,tag:mzpbLMV5aun7IOvPIJv0ng==,type:str]",
 		"pgp": [
 			{
-				"created_at": "2025-08-24T23:36:17Z",
+				"created_at": "2025-12-02T14:59:33Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAwf7TLx0TR1HBhh57CyIQLw8ztc9oblKAW/V7bSlQM/wR\nIwQTcTi3azdI9yewDRO30rIr++FEapdGVdpXoqQ8zcl49VjwDux6wzF3bsmR5Goc\nlTkDd0bmz8RBfsK+6efXiRqo3C0yP2ZTOh3PSOvsXKbYS6wY3TvNBdGnAYrfOvEw\nmBFRhn6uakw3zjVUngB1di07DH3y0wEb/r6+Mzoswzg4DqT1SAdDkfS9dpn9h3MW\n3NBesYlOukLrNA5Toi6x/fmE2lrPHt5QxPdvfvKe5ye4myZ/gBn1mdejB6U9nOsk\nRCJFMosjBH7jIpwokTjUT6Vs+zs8yrF+gbP82H4RVfZymMfdZoU/pTfYe1Mwg6Yi\ntlHyiRBgSPBY8Doa2hM8/yvmfHVMqSQf8uXltz2VC7JUGD6P0QbDLpqY3URmHg/q\nwN3zYJLlSIkU6Z7oivTjfg0dR32Z80lCdZDQf+OQsRtCUi169Fgxr7+HhdxJyj49\nFIb6CR0DHW4vsEj1GPAa0Q4uMfCxLiSZfesY8myoCtlVo7oeqx787KicJB5PryHr\nyZweKd7tXO9g8LNJtECTZ81y2/sCfSZPBia6M4oz56pIFK4jhYCY3iPnWIS77axu\n5MmqZNOP06obp87nt1ea51BmXkaYxmSPoQ5R29CeYU+m9q+kKvizncgsCl/O7U6F\nAgwDC9FRLmchgYQBEADJo2kPzrxLHptsr6aoIxfYNrQ7JJM3FAZ7do5YvAbQsl5t\ny45qZ4+qWIEMRXwji2TvgSg8/ylnZfN2+rTHdtNJkDdJ2sX+RDr8pm7L3VS2Zhjf\nIp1SdPd5cm/3QupegzUR+kcPa+gPM4asGSytIkAnnpev/DCnLsrqiejdosTDj9dn\nFtPKJKSUBzJSNRxBSpM9L+cTU1qyMT024D5Qvq6vBOjFI1YV3LSfVXQe7OZxxxVX\naChkGR1v3UjndQ4Yv9hamJJ81lRLeIcVEOpOPxLHJX76AJUqP3fR/+m2Poah8bFF\n+yIdSp2jyWOoU60We72fvlEwxsTLl8Zani+xX2ckkUCe+wsiGJLch4Df1pepxpef\nb95wZ9L0msRdHY8vRQYapde/ju8CUHgywVX7+YH3EF1bJSnUOBmyOA76v9ir09am\n49g+VomkWUuzPJ2VYQXXH6d/qn/sm9Z9yxy7e1eh5m+9cd42b4sMdW6ZCTMAtGJF\nPX0SiOMR6S0hjKVBcfcyNoT/wo7wqEl4mYDpoCy10K0nYRn+ggJnIZEJzBWibMYH\nDWUDyuQIYLjOBAchFatXyMtbc8qDorYelLX7amPRDSiDhhj6Y5nYMJtUSwfTLwkN\nrI0Q4bjE+fgNACCqPoq/BDFZotcr1b664ZUJqgnTBPKZ5OnmW/iFkOfzu4fF9tJe\nAcekEPwsFbugu2bZ0Hs5Rl/Dh9p4L9gceuMiwJ3oYGA5cwXFCeVZLNqSDLy4upVX\nnXRaMzBNGgWo4geDq5JL10Mh7/1d4GGVxdts8RGdI8zUFTPV3GOaPEHeNyIO+g==\n=2UMI\n-----END PGP MESSAGE-----",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//Qx2BW0k3Q/pAvbKZScmhoIoFpV5nb+ZB72J6+f2HQLSv\nVQP72XDoYyIfW7ERsY09gkNIJejZ5n/fgB5KkyEqsBRP4fYDXl+XfAvPTu3YuQOo\n9mA2baJ0HkBnsrikycaUQAIXMMCAUBS6Ooi1blQeYA9khqr5Kc361IwB4bv8WcIz\nGcBPSWBc3B86qK/v8l0Kle1mcUu9RFxNZkitjxKdf9GDn6gKo3yBWt+/8NJLDUTq\nHjrBH4WpqB8mVDupg/p6OUASc8y0pnNmbU0GK3is4IO/bk9QqPX/t2y4CUhlE3Bh\nnxYGYauohXGs/IbCGXtkd/wRcMwsXtgkZYT/wfu44/O2VW7V7MpBGVlTXmOWK5yI\n2dkqpAt2T5tFVDDX8bqDfZ2xbGgSLsY/XWwNzl60WSvcAnFoZSf4mu2RJFLAK5QZ\nGDz+N8shR8BgkzIWIjMwzBbUB+3snYkJVA7wm/idhernkB0E83JAOOHk+UGuHFWA\nkrrWPHRWf4Gy5ZEmkzVACfhzH9AbPP8yHbTh5y33I7Yv4E+4qjoVEwTNA1LSYy17\nlaMI410x7htrzxv8M06LlE47HrJPLu3+YHUPKQC/LzV831LB9IYymskYL3rYUHzn\n7BS+9Njfg+7cdHXjRABZk2yz2+XZlSLIyCC82Kbmybd3F+s8u/pP0N0TcBDTPrSF\nAgwDC9FRLmchgYQBEACaz79q7F+YshiA4MSiKoiwgVnq0HWruMtQ+exE9Ky/hTfT\nCnNn43KSE/s4KytcB8KPkXPpZ/BHSv+oxY/XGh1dNWnKQocyCHqEOax/QruAu7VS\n/CbxyUFYQS4sJIbfmQLkx/FEnaHenSOTjOBatlnVFQ3qn6MjXyq1LThyfGaMlH84\ntAUYnNG3MQsz/U7Pj2nkScfDZ0XGIu2rvB2ddVdkjr1H3acQVplAlw88yGD+lDOA\nqnafNS8FgUtXoXCPVe6SRdpqfWPGmn1jhvjCiCUtzZG3RPew2AV50RAlxP2AEXY0\n6cMeL+NJdqIGaP3Ttyn9oVbroW4N7p3rb/AGj4ZRy4QOXPkWI088qmhYgIpjJZM5\nI3g80gnkBfFrOaVM1RVfn1smT9KlCR/8noKTE3ajBaTZZJrzBclzATdkGi7rIaqS\nvAWH9LnEGFs30W/mj9avis8aJwiPYsO+1ah5sVMnNKMo8KND2MMy+EI6AvgwJKz1\nNQoIP7jHB3h8sw91Z9YhB0RTQ8yCG+IrpXnWGAVAcswtTtJbBQlXxc/h0jpT4Yw0\nV+J6xX5/PI/ZQbIbj/i5hgh+8lsvG3gRRh0zH8nSNf7yMTYQe6iAe9xHRH/kSHX/\nOwObvvrCzZcsX8b6gTXn9AzXYGST3j3wBa8sQH0NRkcZFsCh30FhEDApItQA8tJe\nAbaLVOZ9WKJCCVkTJCOBCus1zInXbFr1ZQjTciJ4WjnqedH6SVvPC9HmI9vDCXw4\nzonohAH+mjtmoRfwMGdiJO74IfX81p5MwOX94TwYB2gAp6ycyCHjZgUtpAFPKw==\n=wNQ4\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],

hosts/nixos/x86_64-linux/winters/secrets/secrets.yaml

@@ -38,6 +38,7 @@ kanidm-grafana: ENC[AES256_GCM,data:61PEA1fBcaRy8+x0dn9WrH9P0D+NOkbeZw==,iv:kbR3
 kanidm-nextcloud: ENC[AES256_GCM,data:9FjsOzBos18ouHBeuzrzHIpCDowFt0Aktw==,iv:iqUQUsWsO5N+KZqHyqNxMxSija/yPrrrAqvz4b1NG1M=,tag:/WC3wg/eYXV3hLJPRVWLog==,type:str]
 kanidm-oauth2-proxy: ENC[AES256_GCM,data:DQ5tj7N+P1b8vFnF+MGhaUBvbVQoE4sVhQ==,iv:Xy4bdi8fSFuFHsQKgZ3PswFFYsqtiAeqeSRam1k/H0E=,tag:9W4LRPPYtDOrSpxRDK/7sg==,type:str]
 kanidm-freshrss: ENC[AES256_GCM,data:4y0X3sSOfs5pKNCmZGJhxlAKH7GD1UACdw==,iv:LuQQCfOpsTqglwQvohHMFpNGaOjoZ8PKDgG50qBP02k=,tag:Z5mVYP/9nToerQ1qui1eWQ==,type:str]
+kanidm-firezone: ENC[AES256_GCM,data:hQWySw7EZZN2AT7rM4R2go8DAGYHph32tQ==,iv:vASPrP7qM1G5c4tC1aaAbCigglXt4keThMYOJdRYhOg=,tag:f5jevrQtiHAQTbMY07iIrQ==,type:str]
 #ENC[AES256_GCM,data:M9U+Mr1cAhlt7NpW,iv:LY19BZEwDdQD1Nhbmgdt9/9VNJjcTkOGP7SwEDE3Xwk=,tag:TlYrhu5dBj1D+Qd72r7Ofg==,type:comment]
 firefly-iii-app-key: ENC[AES256_GCM,data:hzgl8eRL0irNRP5TO7G1rNtNM7fXCkmbcaX4QoTsM0xA1rgyKwiy6a4lYDjoXZyOMy5p,iv:q5eepIELwIecyQ56A6THUOu+rebK3irKVYb7/gNHlU8=,tag:+M/KTX1JzPzXeK4TRzW42w==,type:str]
 #ENC[AES256_GCM,data:mBlfyJvQyrhTnpkJ,iv:hHnTCsHfzCgKuBO82JjNbjYYjWV8e7+0VRkbTGw+WRE=,tag:7Dp77Q2VjWJM5LydvpbJnQ==,type:comment]
@@ -47,49 +48,60 @@ koillection-db-password: ENC[AES256_GCM,data:5Ue4l8CMZpjRpcryEtzPyR2Zf7M=,iv:Ol/
 anki-pw: ENC[AES256_GCM,data:h4RBhKV6ZzDQk7s=,iv:r21zH3sDKwRxfi8A1DPNEVhKTbb35qWv2mTGaXJxynM=,tag:kT4pVhz6pHxyBZ0iXdGx7w==,type:str]
 #ENC[AES256_GCM,data:5jJoV7vZl1A=,iv:Uc9/nyvdzgH6USVxhDhVs6aDqy/k9D53AJP2AvTj3ZQ=,tag:K4zDz5RoLuHevTeLqxw/XQ==,type:comment]
 kanidm-forgejo-client: ENC[AES256_GCM,data:2iXE/dmOQtY2NEsBgDqkqwD/brF0vJs+Ag==,iv:PBQ03z/E6R+u7Y56fPzJSnsoCa5PUYSiezZFOMLz4eo=,tag:jThgOC6h2hHJUclDju/MtQ==,type:str]
+#ENC[AES256_GCM,data:JwCES+wj/NRGTw==,iv:sKjF9r+7FlHyzY0MTfzvrV4B49T6+50AxBuXXh8PNUc=,tag:WvSqYTR7yDuqbZKaPWfvvw==,type:comment]
+wireguard-private-key: ENC[AES256_GCM,data:TdZwS+qF/sI8WV92N+pe/w8GYs3RmPgc8AABQ9FhpPPAcPTAHoUVo1Y3TkU=,iv:lgJyqYdtsuPzAKRUdnjiw5inHNAL2yMHFJwtUC8WB34=,tag:ub3PQ+xU7EmxohAL8GvuRA==,type:str]
+#ENC[AES256_GCM,data:m0bvaZ5XHR4p,iv:4uMJCmguAIu1533g0g666BS0Hx4otlhzjVQT5Ny8DKU=,tag:jDuowQCXWJBJ3a2/pAxvGg==,type:comment]
+radicale-user: ENC[AES256_GCM,data:UZaQbgYKjZxxBqw=,iv:ekmZvvOITSC37eNzy8WId7zeG9HPgVQ2Q/v8jezHuw0=,tag:YB41QXdZjIbEaFS4l+yuJw==,type:str]
+#ENC[AES256_GCM,data:2IlXs0WZnFsribQ=,iv:KL+5KM8bEFiERA/SA6FwudqFJziax7pdbDdOex7aaFM=,tag:TAOlu5N/B2YyVFnFgJG/oQ==,type:comment]
+prometheus-admin-hash: ENC[AES256_GCM,data:X9nTcdg+W08kT3aDfXQAf9luzPszZdz70ELkoTEoWoUrh5+Dv0D++OA4QKyBi4MMAGK5USdVZECKGa/0,iv:t9PmR6IsuEJuqdj0Zn0vbVCH+Ijz31t5vC7+9MkxB8A=,tag:bH9Zd1E3RpsU3QzwGouoXQ==,type:str]
+snipe-it-appkey: ENC[AES256_GCM,data:3CZRYxbhXfw9VrbZPXuUbxmcy+FxUuOGNTxsdU7RNsx++GAbrqSNxppXCf8=,iv:/bI9mKan6mMlu9Pts976FFCboRD3nnjkePqTAEbvl+E=,tag:XMjs8hkXG1TYRK7UN1lFlA==,type:str]
+snipe-it-db-password: ENC[AES256_GCM,data:ePhz/cE8kP3GVryiCfJwyuIljYc9cOmeg4q2Vi5cyiNWX0M=,iv:SHAG/TNaHx9/4wg5A19/LOnHYHq2Lnlc72b5WooHp1c=,tag:Kw9/PSEG2Bg726R8FCVSFA==,type:str]
+#ENC[AES256_GCM,data:HluZDLxPjQ==,iv:Gjd8lM7gFu8c1EshHXD6nJvCkZJoRhh26IPIOn2fQnQ=,tag:/7wXjcLCGNa8Td8ELeH4pw==,type:comment]
+garage-admin-token: ENC[AES256_GCM,data:RB1KaPCJkWNL6CSN5d2ClWedHCUgEMlTrb8DSLIN2guEJrMLyTIGRjXpwEs=,iv:2u/XszX7avx9m+0Ne7CbQjLpireP2pzKmKhuh/9RZRk=,tag:vf8XxjlTaE5/T0ccK1FTfQ==,type:str]
+garage-rpc-secret: ENC[AES256_GCM,data:GiXPUfNYbmJJovSXO6qgeNQ5+jHJFSOc5392RzRmyseSXjImMxenQ1OPyLDga2b7I2dt3KgIu+f56qr52LKyuA==,iv:6RiK1eTQr1PR1M7TV84kjHSQtNXBiM94uBQffk5c8W8=,tag:KcJh/UQ6i0nSsmD+7dzJUQ==,type:str]
 sops:
     age:
-        - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
+        - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRkpkWUJicWZkVStiWkZm
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVL1FJNlFQeXBJWEoydWEy
-            d2lYR0o2dXFsUDdHUjI3YjJSc2FDM3FDS1dFCnE4TDRCTUg2OUlocGVaL1lNd0dT
+            dDZiNTYvSE9ZWE1Sb2xXZjRWMzhRYWQ1UENJCmkrSFNsZk51aGZtSnJoWlQzbURS
-            cUFBbDQ0c1hHTmlBbnNsR0hjNFdidDQKLS0tIHNWSzUwSkdZZWZiOFpiVVVGNXlh
+            aGJQTVpQMVJFTldwYldzN0l0cnVTeWcKLS0tIDlSb3BwV1ViYU4ySWc1dzdPbTMx
-            MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
+            c0lDa2EvQkUwM1ZIc1ppY1REZnlPKzQKJRXSl8SYQwzgPw+twNAFy3y+S2r7JwS0
-            qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
+            xESNBdFS4Ntg9gXENRBzCaGmoOJfiFtGditBlvWUwbDYwLdn/y3kIQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-28T17:45:19Z"
+    lastmodified: "2025-12-24T13:09:23Z"
-    mac: ENC[AES256_GCM,data:lIdIP+Js+FzjJCoClGxqP1epl5fVkPzfJmOVauFNlXKRxx90/E3478oQHi/KbP7eFgPoy+0hAbMwnBmo/1tOKb2ky80/6IMEkbftiO7YZqy8opbSbCtj6ypOOwwPf5rgtXHn0LV+EtDQZzIBY6GhcERO6IQpFRAXeIkSGcpM3TE=,iv:sphhFBg1xgupLGQzRovea0wvsTolzfW/z+gjj9CyklM=,tag:bdo9FlPPYKdl87lsBsiEsQ==,type:str]
+    mac: ENC[AES256_GCM,data:BNaX6zXAxEzarm0+X5qDIIOOfLoUFIlhhLN7QATzHIYoujZaJCGFWlM/+k9cnnIcGak22b0hwydjCF+opgH2bbau8P4NFPbWGxJHVry1Nu+EyB+Qb4QnVZZDWMcDxEMChR5eZvLAFC/K2f6oLtJeL2kGtedb079jhwpJt9nr87s=,iv:90SerUCkSoBqDYH4J6SV7cRXwGeinW44NxhSnfJ0r2k=,tag:8VnRp2oAuctwp7Nk3U7OWw==,type:str]
     pgp:
-        - created_at: "2024-12-17T16:24:32Z"
+        - created_at: "2025-12-02T14:59:44Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwDh3VI7VctTAQ//XSGUC2tN5WFAcjrJK9uj7gh5l5vrpPxhQZWI+rBGukeG
+            hQIMAwDh3VI7VctTAQ/+N3ZPYAsZ2e/nJZAxuSJd+kmlAk+JHJFrf0K4e/u6Cpct
-            dQZKiLtmdxS3XcLYRfTOEpuBj5ThKwR51Nw+W6HAXWl76Z8BFON7J8dJCmVMvqZy
+            T/UmlYpX4w3LMjkctSzNvBbih/aQgrSTlBfalffxh+B/NBqnWZQn3BfgcRtJYdxq
-            UJN+PpeLWpmtNIP9ZlVEYcvz4kaPV5Z/1WoApNEi5ean6W1nyWEHDsFfrXwtDYes
+            Oov3bCNXuJuvQvvc+J6FAZ3hJUnSOfZX//KAgO6osYQ0UePkE6a5mWjsflO0u7d7
-            vNehJG/HnNCo89MEgp6rpnART5Q/lu1h8kYFMvTMPAcGS2I7C/P2vyT/9zklaNpC
+            H8iPt0T9O427sN7mi6D3Nx4okjeRPLWEAyel1i4Obcr+w4xMTsDQJyTvCT9EnIfA
-            kWDla4QUFutnDkqtIWJtAfX5etJ+sgs+qCU/YhBAW7goOGetORklhlCvpL4Izddl
+            STTUAhIIbNYW9UU9OLhx5du+uar4TrEMzw0x709WXxyX5hZpjEsJ1XefqI62utLb
-            o/7y9S+qK2IEDm2IOCqvOtNgiGRyodvfrE1GeCT5UHoSpwXIfpqY/+zMLQN6LAVi
+            LseYg1XXkBtfnkbUzVGHjCzi2pifGaBYklZOlgYnd2gCIwxqlp8QQrBSsViPhSTw
-            3k/gLBSk1t0linguBElV79mxasymXpoIvm5obuUazz/yTei7PJpy9e37hbxQVSIq
+            p3Iee+FfAVeJLfk6Nn9M25j4v0WymyM5DcWVkHfG3X3Jmh0ZpvKeyN0PMl3OnwFd
-            fCA5q8kulhyNaQjs5TtzzVLtIUcWrXoypgxDbBB/GCr3DaRmoww0RHhxlZEsVjKf
+            Ol8gZGAvfj1d38XzP5RcG/ezDPXSKE2BMju+KpTlWCVSO2o5mJhN9DrDzgv4TaBj
-            I0zMAz/dzfjey85OVommkCGQ48yvF4B1jXfn82ebdo8JzgMbnBZx0z5mLChq3Tfw
+            QVOkA+XmeT3UXoU7qUPFm4pLGxLm2hSPLDDOSjRxSMcG9QmsRs3fK4FaxQ6+NELi
-            8aDvgRc3XwoyoyAxDbcYswWVHvBznXfKcd4141V1ESsJYR0ucDokyG5PeMK3oe0d
+            RtG3xY3ZtdIeMKGsrclaRI2TTDeXsO66IzRbfEh6Kb40IoXcEjMQB+EMGw6qVs1S
-            boyQ8z8oby+4b+HNhwquos/kbVyvIya78UK+OMsJVddR4Wxfzg5MPozmjQCDVzSF
+            1m81oKNquiN+MCyZST7WbGsQAGcW0h815V+1O0oBTzXvgNIvGIFBu2k2WjqsT/KF
-            AgwDC9FRLmchgYQBEAC7UHMJIQveWcvTh0T5gqaYig7R8GToFAe4gXRFbE66pbWJ
+            AgwDC9FRLmchgYQBEADAP8JaZPeXM9n2rkVuiPijTBD8cutEbXQh6orb8susSzqS
-            WrzbnvpWPejHyLLRPz92eO0cFx1kGIx5pU8GRzVv8ZNUPhfrxnZanpt1OM2XhPrO
+            ukflPweamJRFdWUkxzCFLZGbnx/Hxx+wjwyPTeYFJDGTafYj9Qbls+jlVPYycUJ7
-            rXrYI7tjhKV6arkgufr7zoUp1uvPt74PAdtcjxyOzel+YJTnGVxDnw9SE1fZwz4o
+            Mp0XaqTDBDKGJF6n2Qyl2RSrl1j2fB/94Z3eQLMmdR2ojuyAMUcVK3+/NtooV7yH
-            UGujT/5TANf2W2b934PW+jgvLzIBFBK8z1dk1FRsRaYepAE8P3GzFh1MkJTog5Xi
+            WcB89pIhLeRU+D+qvn6Yr64m0lc65FIVo4zYxGEVCf/RRYrC2nGEeAUxjfEAnAJo
-            4QMUtx5603/TAxaR3PoLqZ8URr4mu9Nuzjdufz2VUT5NzHF/tjJ11kL9YV5Cztll
+            OvO+yKPvmzL+Xn9Ecc/OC6axuzuxuDm/X89b0QE+TuvzqEPwm45s9RUkdco8nDJX
-            i7AHdEOWObruayFlFlz7p+cf/MvGWLrBzx0mrjjj9xabOZngjBzlkntfGQF2Z6NA
+            23Ds5BhuX0h++2SjfWXUOAfj4VCgTPTUE+hWor96FDGdneKvpIt3rUVdEg/ggRae
-            ai7/lgylY7UzenmXScDYiHBBKvUhZlo/aRm/P0DXvcPgay4TyG59mwVGw37eRlp6
+            SOpn5f0dXtin0K1QQZENcj38ldr4AremCaQVc0vg3IEl/3Qz0xNSX//YjJxUbHmC
-            050B0shFW0Q0zpyaCDBvLk1MpGzEOk4rwxmGnlgkN+ucdnIEBbaaAWKytUWLqhPL
+            5WvFMXTrIbpnnEoVdk+UavAsaL9mOOhRRU8feyMSawztLV2mJLBDz91hQP7UE520
-            v8y9ACBeKhmTCUbaPx8ZrRYMGSNR++D6CaS/evFOXCKmKk9vVpCHC8oNUYEEmh0u
+            4k3DWf+6KF3D9V0B9WCfapTPWjiJZrHWI2jBZzJ2KAZx8LLoRrNlVDUJ79lYI/y+
-            6brYvlWHDCP+iBrU3kWvVi9tQNw8uA7484a25nPl3nXaIvZMnDqZz9TR5R3Y0iPr
+            Xk3s9O0jq9BrLSLm/CLar5JwUY26ZxUb8buvzXovABqggjtWI+uUPdNR8CGrcFgH
-            RFCnoh+dxz3eFyNApoixi3TeE84HFS+vBJW6ltL9bGcUtTTkPvpZaYpfYk/sj9Je
+            4pcyrzkUc0YqR+SkI/xVAAXuD3LqLA2OkJGCI47duEkv2GyHvLe/ZRh0/K66n9Je
-            ARU3lavfUxnA09R5Rg+JV8VQIN5Alir93aiqir2hN+qk8PDnL/vM5LqL3OW1GM5G
+            AW0Rgbbszs5H51MG5OKM8PYg/fP9wkMlAjEoSvk7I853CFibR5frNhDwYY859Xsf
-            yx+BAO+JfvOdZf+L1EwKtA7RqJPp7pxGtdgvzO+9lpUVdGN1A3wLwekp6obNpA==
+            YEHROhyEE+2nCui16IJ2DkyEXK+yO33cPLyXJ0Z+kRb5toRALr5o3iOgo1x5rA==
-            =O/2K
+            =SXse
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted

install/flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "Minimal installer flake - not to be used manually";
+  description = "Minimal installer flake - automatically generated by SwarselSystems.org";
 
   inputs.swarsel.url = "./..";
 

install/installer-config.nix

@@ -1,6 +1,6 @@
 { self, config, pkgs, lib, ... }:
 let
-  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
+  pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/public/ssh";
   stateVersion = lib.mkDefault "23.05";
   homeFiles = {
     ".bash_history" = {

modules/home/common/anki.nix

@@ -1,4 +1,4 @@
-{ lib, config, pkgs, globals, inputs, confLib, ... }:
+{ lib, config, pkgs, globals, confLib, type, ... }:
 let
   moduleName = "anki";
   inherit (config.swarselsystems) isPublic isNixos;
@@ -54,7 +54,7 @@ in
               })
           ];
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
       sops = lib.mkIf (!isPublic && !isNixos) {
         secrets = {
           anki-user = { };

modules/home/common/attic-store-push.nix

@@ -0,0 +1,24 @@
+{ lib, config, pkgs, ... }:
+{
+  options.swarselmodules.attic-store-push = lib.mkEnableOption "enable automatic attic store push";
+  config = lib.mkIf config.swarselmodules.attic-store-push {
+
+    systemd.user.services.attic-store-push = {
+      Unit = {
+        Description = "Attic store pusher";
+        Requires = [ "graphical-session.target" ];
+        After = [ "graphical-session.target" ];
+        PartOf = [ "graphical-session.target" ];
+      };
+
+      Install = {
+        WantedBy = [ "graphical-session.target" ];
+      };
+
+      Service = {
+        ExecStart = "${lib.getExe pkgs.attic-client} watch-store ${config.swarselsystems.mainUser}:${config.swarselsystems.mainUser}";
+      };
+    };
+  };
+
+}

modules/home/common/custom-packages.nix

@@ -32,6 +32,10 @@
       sshrm
       endme
       git-replace
+      prstatus
+      swarsel-gens
+      swarsel-switch
+      swarsel-sops
     ];
   };
 }

modules/home/common/emacs.nix

@@ -1,4 +1,4 @@
-{ self, lib, config, pkgs, globals, inputs, ... }:
+{ self, lib, config, pkgs, globals, inputs, type, ... }:
 let
   inherit (config.swarselsystems) homeDir mainUser isPublic isNixos;
   inherit (config.repo.secrets.common.emacs) radicaleUser;
@@ -103,7 +103,7 @@ in
       startWithUserSession = "graphical";
     };
 
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
 
     sops = lib.mkIf (!isPublic && !isNixos) {
       secrets = {

modules/home/common/firezone-tray.nix

@@ -0,0 +1,29 @@
+{ lib, config, pkgs, ... }:
+{
+  options.swarselmodules.firezone-tray = lib.mkEnableOption "enable firezone applet for tray";
+  config = lib.mkIf config.swarselmodules.firezone-tray {
+
+    systemd.user.services.firezone-applet = {
+      Unit = {
+        Description = "Firezone applet";
+        Requires = [
+          "tray.target"
+        ];
+        After = [
+          "graphical-session.target"
+          "tray.target"
+        ];
+        PartOf = [ "graphical-session.target" ];
+      };
+
+      Install = {
+        WantedBy = [ "graphical-session.target" ];
+      };
+
+      Service = {
+        ExecStart = "${pkgs.firezone-gui-client}/bin/firezone-client-gui";
+      };
+    };
+  };
+
+}

modules/home/common/gpg-agent.nix

@@ -30,7 +30,7 @@ in
       enable = true;
       publicKeys = [
         {
-          source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc";
+          source = "${self}/secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc";
           trust = 5;
         }
       ];

modules/home/common/mail.nix

@@ -1,4 +1,4 @@
-{ lib, config, inputs, globals, confLib, ... }:
+{ lib, config, globals, confLib, type, ... }:
 let
   inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
   inherit (confLib.getConfig.repo.secrets.common) fullName;
@@ -200,7 +200,7 @@ in
             };
           };
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
       sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
         address1-token = { path = "${xdgDir}/secrets/address1-token"; };
         address2-token = { path = "${xdgDir}/secrets/address2-token"; };

modules/home/common/packages.nix

@@ -61,7 +61,7 @@
       nix-visualize
       nix-init
       nix-inspect
-      nixpkgs-review
+      (nixpkgs-review.override { nix = config.nix.package; })
       manix
 
       # shellscripts
@@ -90,7 +90,7 @@
       # element-desktop
 
       nicotine-plus
-      stable.transmission_3
+      stable25_05.transmission_3
       mktorrent
       hugo
 

modules/home/common/settings.nix

@@ -43,11 +43,11 @@ in
           trusted-users = [
             "@wheel"
             "${mainUser}"
-            (lib.mkIf config.swarselmodules.server.ssh-builder "builder")
+            (lib.mkIf ((config.swarselmodules ? server) ? ssh-builder) "builder")
           ];
           connect-timeout = 5;
-          bash-prompt-prefix = "$SHLVL:\\w ";
+          bash-prompt-prefix = lib.mkIf config.swarselsystems.isClient "$SHLVL:\\w ";
-          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
+          bash-prompt = lib.mkIf config.swarselsystems.isClient "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
           fallback = true;
           min-free = 128000000;
           max-free = 1000000000;

modules/home/common/sops.nix

@@ -1,13 +1,14 @@
-{ config, lib, inputs, ... }:
+{ self, config, lib, type, ... }:
 let
   inherit (config.swarselsystems) homeDir;
 in
 {
   options.swarselmodules.sops = lib.mkEnableOption "sops settings";
-  config = lib.optionalAttrs (inputs ? sops) {
+  config = lib.optionalAttrs (type != "nixos") {
-    sops = {
+    sops = lib.mkIf (!config.swarselsystems.isNixos) {
-      age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ];
-      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml";
+      # defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
+      defaultSopsFile = self + "/secrets/repo/common.yaml";
 
       validateSopsFiles = false;
     };

modules/home/common/ssh.nix

@@ -1,4 +1,4 @@
-{ inputs, lib, config, confLib, ... }:
+{ lib, config, confLib, type, ... }:
 {
   options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
   config = lib.mkIf config.swarselmodules.ssh ({
@@ -18,13 +18,13 @@
           serverAliveCountMax = 3;
           hashKnownHosts = false;
           userKnownHostsFile = "~/.ssh/known_hosts";
-          controlMaster = "auto";
+          controlMaster = "no";
           controlPath = "~/.ssh/master-%r@%n:%p";
-          controlPersist = "5m";
+          controlPersist = "no";
         };
       } // confLib.getConfig.repo.secrets.common.ssh.hosts;
     };
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
       builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
     };

modules/home/common/waybar.nix

@@ -1,4 +1,4 @@
-{ self, config, lib, inputs, pkgs, ... }:
+{ self, config, lib, pkgs, type, ... }:
 let
   inherit (config.swarselsystems) xdgDir;
   generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
@@ -320,7 +320,7 @@ in
       };
       style = builtins.readFile (self + /files/waybar/style.css);
     };
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
       github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
     };

modules/home/common/yubikey.nix

@@ -1,4 +1,4 @@
-{ lib, config, inputs, confLib, ... }:
+{ lib, config, confLib, type, ... }:
 let
   inherit (config.swarselsystems) homeDir;
 in
@@ -13,7 +13,7 @@ in
         confLib.getConfig.secrets.common.yubikeys.dev2
       ];
     };
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
       u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
     };

modules/home/common/zsh.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }:
+{ config, pkgs, lib, minimal, globals, confLib, type, ... }:
 let
   inherit (config.swarselsystems) flakePath isNixos;
   crocDomain = globals.services.croc.domain;
@@ -133,9 +133,9 @@ in
           # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
         };
       };
-    } // lib.optionalAttrs (inputs ? sops) {
+    } // lib.optionalAttrs (type != "nixos") {
 
-      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
+      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
         croc-password = { };
         github-nixpkgs-review-token = { };
       };

modules/home/default.nix

@@ -1,3 +1,4 @@
+# @ future me: dont panic, this file is not read in by readNix
 { lib, ... }:
 let
   importNames = lib.swarselsystems.readNix "modules/home";

modules/home/optional/work.nix

@@ -1,10 +1,10 @@
-{ self, inputs, config, pkgs, lib, vars, confLib, ... }:
+{ self, config, pkgs, lib, vars, confLib, type, ... }:
 let
   inherit (config.swarselsystems) homeDir mainUser;
   inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
   inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
 
-  certsSopsFile = self + /secrets/certs/secrets.yaml;
+  certsSopsFile = self + /secrets/repo/certs.yaml;
 in
 {
   options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption;
@@ -308,20 +308,29 @@ in
             };
           }
           {
-            # work main screen
+            # work side screen
             output = {
               criteria = "HP Inc. HP 732pk CNC4080YL5";
               scale = 1.0;
               mode = "3840x2160";
+              transform = "270";
             };
           }
+          # {
+          #   # work side screen
+          #   output = {
+          #     criteria = "Hewlett Packard HP Z24i CN44250RDT";
+          #     scale = 1.0;
+          #     mode = "1920x1200";
+          #     transform = "270";
+          #   };
+          # }
           {
-            # work side screen
+            # work main screen
             output = {
-              criteria = "Hewlett Packard HP Z24i CN44250RDT";
+              criteria = "HP Inc. HP Z32 CN41212T55";
               scale = 1.0;
-              mode = "1920x1200";
+              mode = "3840x2160";
-              transform = "270";
             };
           }
           {
@@ -329,28 +338,28 @@ in
               name = "lidopen";
               exec = [
                 "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
-                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
               ];
               outputs = [
                 {
                   criteria = config.swarselsystems.sharescreen;
                   status = "enable";
                   scale = 1.5;
-                  position = "1462,0";
+                  position = "2560,0";
                 }
                 {
                   criteria = "HP Inc. HP 732pk CNC4080YL5";
-                  scale = 1.4;
+                  scale = 1.0;
                   mode = "3840x2160";
-                  position = "-1280,0";
+                  position = "-3440,-1050";
+                  transform = "270";
                 }
                 {
-                  criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                  criteria = "HP Inc. HP Z32 CN41212T55";
                   scale = 1.0;
-                  mode = "1920x1200";
+                  mode = "3840x2160";
-                  transform = "90";
+                  position = "-1280,0";
-                  position = "-2480,0";
                 }
               ];
             };
@@ -387,8 +396,8 @@ in
             profile = {
               name = "lidclosed";
               exec = [
-                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55'  --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}"
-                "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
+                "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}"
               ];
               outputs = [
                 {
@@ -397,16 +406,16 @@ in
                 }
                 {
                   criteria = "HP Inc. HP 732pk CNC4080YL5";
-                  scale = 1.4;
+                  scale = 1.0;
                   mode = "3840x2160";
-                  position = "-1280,0";
+                  position = "-3440,-1050";
+                  transform = "270";
                 }
                 {
-                  criteria = "Hewlett Packard HP Z24i CN44250RDT";
+                  criteria = "HP Inc. HP Z32 CN41212T55";
                   scale = 1.0;
-                  mode = "1920x1200";
+                  mode = "3840x2160";
-                  transform = "270";
+                  position = "-1280,0";
-                  position = "-2480,0";
                 }
               ];
             };
@@ -483,7 +492,7 @@ in
         };
 
         Service = {
-          ExecStart = "${pkgs._1password-gui}/bin/1password";
+          ExecStart = "${pkgs._1password-gui-beta}/bin/1password";
         };
       };
 
@@ -591,25 +600,35 @@ in
           # output = "DP-7";
           output = name;
         };
-        work_back_right = rec {
+        work_middle_middle_main = rec {
           name = "HP Inc. HP Z32 CN41212T55";
           mode = "3840x2160";
           scale = "1";
-          position = "5120,0";
+          position = "-1280,0";
           workspace = "1:一";
           # output = "DP-3";
           output = name;
         };
-        work_middle_middle_main = rec {
+        # work_middle_middle_main = rec {
+        #   name = "HP Inc. HP 732pk CNC4080YL5";
+        #   mode = "3840x2160";
+        #   scale = "1";
+        #   position = "-1280,0";
+        #   workspace = "11:M";
+        #   # output = "DP-8";
+        #   output = name;
+        # };
+        work_middle_middle_side = rec {
           name = "HP Inc. HP 732pk CNC4080YL5";
           mode = "3840x2160";
+          transform = "270";
           scale = "1";
-          position = "-1280,0";
+          position = "-3440,-1050";
-          workspace = "11:M";
+          workspace = "12:S";
           # output = "DP-8";
           output = name;
         };
-        work_middle_middle_side = rec {
+        work_middle_middle_old = rec {
           name = "Hewlett Packard HP Z24i CN44250RDT";
           mode = "1920x1200";
           transform = "270";
@@ -652,7 +671,7 @@ in
       };
 
     };
-  } // lib.optionalAttrs (inputs ? sops) {
+  } // lib.optionalAttrs (type != "nixos") {
     sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
       harica-root-ca = {
         sopsFile = certsSopsFile;

modules/nixos/client/firezone-client.nix

@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+let
+  moduleName = "firezone-client";
+  inherit (config.swarselsystems) mainUser;
+in
+{
+  options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
+  config = lib.mkIf config.swarselmodules.${moduleName} {
+    services.firezone.gui-client = {
+      enable = true;
+      inherit (config.node) name;
+      allowedUsers = [ mainUser ];
+    };
+  };
+}

modules/nixos/client/network.nix

@@ -1,7 +1,7 @@
 { self, lib, pkgs, config, globals, ... }:
 let
-  certsSopsFile = self + /secrets/certs/secrets.yaml;
+  certsSopsFile = self + /secrets/repo/certs.yaml;
-  clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
+  clientSopsFile = config.node.secretsDir + "/secrets.yaml";
 
   inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
 
@@ -47,8 +47,10 @@ in
       };
     };
 
+    services.resolved.enable = true;
+
     networking = {
-      inherit (config.swarselsystems) hostName;
+      hostName = config.node.name;
       hosts = {
         "${globals.networks.home-lan.hosts.winters.ipv4}" = [ globals.services.transmission.domain ];
       };
@@ -80,9 +82,11 @@ in
         ];
       };
 
+
       networkmanager = {
         enable = true;
         wifi.backend = "iwd";
+        dns = "systemd-resolved";
         plugins = [
           # list of plugins: https://search.nixos.org/packages?query=networkmanager-
           # docs https://networkmanager.dev/docs/vpn/

modules/nixos/client/polkit.nix

@@ -4,6 +4,9 @@
   config = lib.mkIf config.swarselmodules.security {
 
     security = {
+      # pki.certificateFiles = [
+      #   config.sops.secrets.harica-root-ca.path
+      # ];
       pam.services = lib.mkIf (!minimal) {
         login.u2fAuth = true;
         sudo.u2fAuth = true;

modules/nixos/client/remotebuild.nix

@@ -37,6 +37,7 @@ in
         }
       ];
     };
+
     programs.ssh = {
       knownHosts = {
         nixbuild = {

modules/nixos/client/sops.nix

@@ -1,12 +1,13 @@
-{ config, lib, ... }:
+{ self, config, lib, ... }:
 {
   options.swarselmodules.sops = lib.mkEnableOption "sops config";
   config = lib.mkIf config.swarselmodules.sops {
     sops = {
 
       # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
-      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
-      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+      # defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
+      defaultSopsFile = self + "/secrets/repo/common.yaml";
 
       validateSopsFiles = false;
 

modules/nixos/client/stylix.nix

@@ -1,4 +1,4 @@
-{ self, lib, config, vars, ... }:
+{ self, lib, config, vars, withHomeManager, ... }:
 {
   options.swarselmodules.stylix = lib.mkEnableOption "stylix config";
   config = {
@@ -12,6 +12,7 @@
           image = config.swarselsystems.wallpaper;
         }
         vars.stylix);
+  } // lib.optionalAttrs withHomeManager {
     home-manager.users."${config.swarselsystems.mainUser}" = {
       stylix = {
         targets = vars.stylixHomeTargets;

modules/nixos/client/sway.nix

@@ -1,10 +1,11 @@
-{ lib, config, pkgs, ... }:
+{ lib, config, pkgs, withHomeManager, ... }:
 let
   inherit (config.swarselsystems) mainUser;
 in
 {
   options.swarselmodules.sway = lib.mkEnableOption "sway config";
-  config = lib.mkIf config.swarselmodules.sway {
+  config = lib.mkIf config.swarselmodules.sway
+    {
       programs.sway = {
         enable = true;
         package = pkgs.swayfx;
@@ -12,8 +13,8 @@ in
           base = true;
           gtk = true;
         };
-
+      };
+    } // lib.optionalAttrs withHomeManager {
     inherit (config.home-manager.users.${mainUser}.wayland.windowManager.sway) extraSessionCommands;
   };
-  };
 }

modules/nixos/common/globals.nix

@@ -5,6 +5,29 @@ let
     types
     ;
 
+  firewallOptions = {
+    allowedTCPPorts = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+      description = "Convenience option to open specific TCP ports for traffic from the network.";
+    };
+    allowedUDPPorts = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+      description = "Convenience option to open specific UDP ports for traffic from the network.";
+    };
+    allowedTCPPortRanges = mkOption {
+      type = lib.types.listOf (lib.types.attrsOf lib.types.port);
+      default = [ ];
+      description = "Convenience option to open specific TCP port ranges for traffic from another node.";
+    };
+    allowedUDPPortRanges = mkOption {
+      type = lib.types.listOf (lib.types.attrsOf lib.types.port);
+      default = [ ];
+      description = "Convenience option to open specific UDP port ranges for traffic from another node.";
+    };
+  };
+
   networkOptions = netSubmod: {
     cidrv4 = mkOption {
       type = types.nullOr types.net.cidrv4;
@@ -25,6 +48,20 @@ let
       default = null;
     };
 
+    firewallRuleForAll = mkOption {
+      default = { };
+      description = ''
+        If this is a wireguard network: Allows you to set specific firewall rules for traffic originating from any participant in this
+        wireguard network. A corresponding rule `<network-name>-to-<local-zone-name>` will be created to easily expose
+        services to the network.
+      '';
+      type = types.submodule {
+        options = firewallOptions;
+      };
+    };
+
+
+
     hosts = mkOption {
       default = { };
       type = types.attrsOf (
@@ -85,6 +122,20 @@ let
                 # if we use the /32 wan address as local address directly, do not use the network address in ipv6
                   lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6;
             };
+
+            firewallRuleForNode = mkOption {
+              default = { };
+              description = ''
+                If this is a wireguard network: Allows you to set specific firewall rules just for traffic originating from another network node.
+                A corresponding rule `<network-name>-node-<node-name>-to-<local-zone-name>` will be created to easily expose
+                services to that node.
+              '';
+              type = types.attrsOf (
+                types.submodule {
+                  options = firewallOptions;
+                }
+              );
+            };
           };
         })
       );
@@ -138,6 +189,10 @@ in
                     type = types.nullOr types.str;
                     default = null;
                   };
+                  isHome = mkOption {
+                    type = types.bool;
+                    default = false;
+                  };
                 };
               })
             );
@@ -188,6 +243,9 @@ in
                   wanAddress6 = mkOption {
                     type = types.nullOr types.net.ipv6;
                   };
+                  isHome = mkOption {
+                    type = types.bool;
+                  };
                 };
               }
             );
@@ -202,8 +260,16 @@ in
               description = "List of external dns nameservers";
             };
           };
+
+          general = lib.mkOption {
+            type = types.submodule {
+              freeformType = types.unspecified;
             };
           };
+
+        };
+
+      };
     };
 
     _globalsDefs = mkOption {