feat[client,server]: add remote builds, confLib

feat[server]: network management
2025-12-06 17:17:22 +01:00 · 2025-12-02 00:57:35 +01:00 · 2025-11-28 13:27:11 +01:00
139 changed files with 4425 additions and 3318 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -7,6 +7,9 @@ keys:
    - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
  - &hosts
    - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
    - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
    - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
    - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
    - &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
    - &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
    - &hintbooth age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x
@ -14,7 +17,6 @@ keys:
    - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
    - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
    - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
    - &milkywell age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
    - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
 creation_rules:
  - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
@ -23,6 +25,9 @@ creation_rules:
      - *swarsel
      age:
      - *winters
      - *twothreetunnel
      - *liliputsteps
      - *stoicclub
      - *belchsfactory
      - *eagleland
      - *hintbooth
@ -30,7 +35,6 @@ creation_rules:
      - *toto
      - *surface
      - *nbl
      - *milkywell
      - *moonside
  - path_regex: secrets/repo/[^/]+$
    key_groups:
@ -38,6 +42,9 @@ creation_rules:
      - *swarsel
      age:
      - *winters
      - *twothreetunnel
      - *liliputsteps
      - *stoicclub
      - *belchsfactory
      - *eagleland
      - *hintbooth
@ -45,7 +52,6 @@ creation_rules:
      - *toto
      - *surface
      - *nbl
      - *milkywell
      - *moonside
  - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$
    key_groups:
@ -53,6 +59,9 @@ creation_rules:
      - *swarsel
      age:
      - *nbl
      - *twothreetunnel
      - *liliputsteps
      - *stoicclub
      - *belchsfactory
      - *eagleland
      - *hintbooth
@ -149,18 +158,44 @@ creation_rules:
-  - path_regex: secrets/milkywell/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/stoicclub/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - pgp:
      - *swarsel
      age:
-      - *milkywell
+      - *stoicclub
-  - path_regex: hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc
+  - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc
    key_groups:
    - pgp:
      - *swarsel
      age:
-      - *milkywell
+      - *stoicclub
  - path_regex: secrets/liliputsteps/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - pgp:
      - *swarsel
      age:
      - *liliputsteps
  - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
    key_groups:
    - pgp:
      - *swarsel
      age:
      - *liliputsteps
  - path_regex: secrets/twothreetunnel/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - pgp:
      - *swarsel
      age:
      - *twothreetunnel
  - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
    key_groups:
    - pgp:
      - *swarsel
      age:
      - *twothreetunnel
  - path_regex: hosts/nixos/x86_64-linux/summers/secrets/
    key_groups:
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
--- a/files/emacs/init.el
+++ b/files/emacs/init.el
@ -1201,9 +1201,13 @@ create a new one."
 (setq elfeed-protocol-enabled-protocols '(fever))
 (setq elfeed-protocol-fever-update-unread-only t)
 (setq elfeed-protocol-fever-fetch-category-as-tag t)
-(setq elfeed-protocol-feeds '(("fever+https://Swarsel@signpost.swarsel.win"
+
-                               :api-url "https://signpost.swarsel.win/api/fever.php"
+(let ((domain (getenv "SWARSEL_RSS_DOMAIN")))
-                               :password-file "~/.emacs.d/.fever")))
+  (setq elfeed-protocol-feeds
        `((,(concat "fever+https://Swarsel@" domain)
           :api-url ,(concat "https://" domain "/api/fever.php")
           :password-file "~/.emacs.d/.fever"))))
 (define-key elfeed-show-mode-map (kbd ";") 'visual-fill-column-mode)
 (define-key elfeed-show-mode-map (kbd "j") 'elfeed-goodies/split-show-next)
@ -1711,7 +1715,7 @@ create a new one."
  :init
  ;; set org-caldav-sync-initalization
  (setq swarsel-caldav-synced 0)
-  ;; (setq org-caldav-url "https://schedule.swarsel.win/swarsel/calendar")
+  ;; (setq org-caldav-url "https://cal.example.org/swarsel/calendar")
  ;; (setq org-caldav-calendars
  ;;       '((:calendar-id "personal"
  ;;                       :inbox "~/Calendars/leon_cal.org")))
@ -1774,6 +1778,13 @@ create a new one."
  :config
  (dashboard-setup-startup-hook)
  ;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*")))
  (let ((files-domain (getenv "SWARSEL_FILES_DOMAIN"))
        (music-domain (getenv "SWARSEL_MUSIC_DOMAIN"))
        (insta-domain (getenv "SWARSEL_INSTA_DOMAIN"))
        (sport-domain (getenv "SWARSEL_SPORT_DOMAIN"))
        (swarsel-domain (getenv "SWARSEL_DOMAIN"))
        )
    (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal
          dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package
          dashboard-set-file-icons t
@ -1801,32 +1812,32 @@ create a new one."
            ((,""
              "SwarselSocial"
              "Browse Swarsele"
-            (lambda (&rest _) (browse-url "instagram.com/Swarsele")))
+              (lambda (&rest _) (browse-url ,insta-domain)))
             (,""
              "SwarselSound"
              "Browse SwarselSound"
-            (lambda (&rest _) (browse-url "sound.swarsel.win")) )
+              (lambda (&rest _) (browse-url ,(concat "https://" music-domain))) )
             (,""
              "SwarselSwarsel"
              "Browse Swarsel"
-            (lambda (&rest _) (browse-url "github.com/Swarsel")) )
+              (lambda (&rest _) (browse-url "https://github.com/Swarsel")) )
             (,""
              "SwarselStash"
              "Browse SwarselStash"
-            (lambda (&rest _) (browse-url "stash.swarsel.win")) )
+              (lambda (&rest _) (browse-url ,(concat "https://" files-domain))) )
             (,"󰫑"
              "SwarselSport"
              "Browse SwarselSports"
-            (lambda (&rest _) (browse-url "social.parkour.wien/@Lenno")))
+              (lambda (&rest _) (browse-url ,sport-domain)))
             )
            (
             (,"󱄅"
-            "swarsel.win"
+              ,swarsel-domain
-            "Browse swarsel.win"
+              ,(concat "Browse " main-domain)
-            (lambda (&rest _) (browse-url "swarsel.win")))
+              (lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain))))
             )
-          )))
+            ))))
 (use-package vterm
  :ensure t)
--- a/files/scripts/swarsel-bootstrap.sh
+++ b/files/scripts/swarsel-bootstrap.sh
@ -329,8 +329,8 @@ $ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519
 if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
    green "Adding ssh host fingerprints for git{lab,hub}"
-    $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts"
+    $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts"
-    $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts"
+    $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts"
 fi
 # --------------------------
--- a/hosts/nixos/aarch64-linux/belchsfactory/default.nix
+++ b/hosts/nixos/aarch64-linux/belchsfactory/default.nix
@ -1,8 +1,10 @@
-{ lib, config, minimal, ... }:
+{ self, lib, minimal, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
  ];
  node.lockFromBootstrapping = lib.mkForce false;
@ -24,9 +26,7 @@
    isNixos = true;
    isLinux = true;
    isCloud = true;
    proxyHost = "belchsfactory";
    server = {
      inherit (config.repo.secrets.local.networking) localNetwork;
      garage = {
        data_dir = {
          capacity = "150G";
@ -49,6 +49,7 @@
  };
  swarselmodules.server = {
    ssh-builder = lib.mkDefault true;
    postgresql = lib.mkDefault true;
    attic = lib.mkDefault true;
    garage = lib.mkDefault true;
--- a/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
+++ b/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:asdaPhz9nquyhCH8NuvAMdgEXW/RxPCEpqwFbyCYxfjMeWjvEe8yzWJDjVlTjP+73ql/CGSRajcahRNhOd1rgGoyMm71HJGxSWA2rbn7oNmll9lOquUJkDwXLHk5ApgIrTbvUX1C5rha/L/JSli5Hiy59WU/FB4WWDizhcN3XFSVdNYIKoA992JT0GjJ1dzHvzi+rw/8Mw+BJzm592t1CxhpS8qXRTpuyPSh09IWACNSJYBuEoEwA7aB9EVwG6SskUJKvU3bwyaI9nuc0iXHGbL5VLVJ95e2fcn7K3w2OEq1oigu4q5bpNUazX+mhLv7S8HN3c6/JJn69LaCkQeXhnNmrfy8J5+6i6fnXCdvXxHy00DI2p7fIeEM/MqaymhqoxoGxQs+vBcb2iY1OmvI6zrPRPKEghAo2zvzKHQF7ykRTi3ed6V6aVMSpu1rO1Z0UwwVbvEzSHtVnEU/gp4=,iv:lSRKdYmGE/XeGcalDIM0yuU+GaXMrxJrjqfVhHd7lIY=,tag:dD9LkrzuHLsoa2UcGfXHWA==,type:str]",
+	"data": "ENC[AES256_GCM,data:8qaX0CjyxK8qoAyVyxwfXlejWyGSY579EVmmUCi9PPyB5LyPjfDvXxlRFCOlC6eYbSJ1AWLqqZ6yYgZaimUHkOTh7dL+D4wSkmGeRnxZoQhq9n9sYZPJUfqEhMwEGxlrAvchXJuruZG+Tp9+Ev0if9f9J9qdU1y+yLGQxc2vnibMg2uxdpfYjHaDWa9bybRQZxINkD//um8uxkRs0xvWgZu63ReQZMPjx9K3vNtdJTZsW5+ZUB368QA2mnry2Zf60PWJT/+NsNKIwyzjhUNJ/eTFxjNJ4zPj/AnXFezfGvpVu6XFYsLk5uPb3XfpUlCj4mTVvmVlA40lf4rOhyoRRAW8d28puJArBf3nPzIkWQUfmFwO5EE3qPDkjMlaRa/RdRx0dvrbLDv7Ujt1XaK8bl3Vkz77oumCYFPV7J4mAeu3/LFBAoWKik6Wj8WQE+QwUWo=,iv:ZQaOO2Blpqn+Xnzt4fcPu+rNAvEdluwJEYRxPVItLcU=,tag:rKJ5g27ZK1wCpcyCVfffpA==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-24T23:34:04Z",
+		"lastmodified": "2025-11-28T14:15:06Z",
-		"mac": "ENC[AES256_GCM,data:O7COFKQkK6aGkX8fp/ihHBxRVV8UM3khi549O6RWMFGDxgwMTh1qr3hNIJa3B4sTfhFuvOxpfxLjR4Yw02JH6wuwuuzANFzQ9uiVsVv5UDVDD0msYneTXVbSBo92gLFr4ZXcAoTtf9AKitkjwWjLK2sTJcZ608NjQSpOo+rSJ3o=,iv:s5wB+8B+igS7PhDTHL6XS17QBdhvobXFgCzHxHu52q4=,tag:ulySxIPinWRRRY8XbE8pWg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:TxnVPtRHzUEr9StM3RlOgqD11036yM74HL1Q8ZkNSU89geAaUoDj8LJD1QKglDT5UNzfKeaZD4DT6bqill+H5FUuonOgLPxNoFKMyWhppQkMWM5F/bw8JUulacmE28b2Rd5zRVOYe3TkE11kMAbxRD+CvqEFBrLsZAndr9QdfUc=,iv:uzjzk1FUN52oAE0cuw7OLLmMRxE/VLQ+tUExxYQjwTQ=,tag:+BOG6wRb0h/jhyy7l8ZA/A==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-11-25T18:32:49Z",
--- a/hosts/nixos/aarch64-linux/liliputsteps/default.nix
+++ b/hosts/nixos/aarch64-linux/liliputsteps/default.nix
@ -0,0 +1,41 @@
 { self, lib, minimal, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
  ];
  topology.self = {
    icon = "devices.cloud-server";
  };
  swarselsystems = {
    flakePath = "/root/.dotfiles";
    info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
    isImpermanence = true;
    isSecureBoot = false;
    isCrypted = true;
    isSwap = false;
    rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885";
    isBtrfs = true;
    isNixos = true;
    isLinux = true;
    isCloud = true;
    mainUser = "jump";
  };
 } // lib.optionalAttrs (!minimal) {
  swarselprofiles = {
    server = true;
  };
  swarselmodules.server = {
    nginx = false;
    bastion = true;
    # ssh = false;
  };
  # users.users.swarsel.enable = lib.mkForce false;
  # home-manager.users.swarsel.enable = lib.mkForce false
 }
--- a/hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix
+++ b/hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix
--- a/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix
+++ b/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix
@ -0,0 +1,15 @@
 { lib, modulesPath, ... }:
 {
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot = {
    initrd = {
      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
      kernelModules = [ ];
    };
    kernelModules = [ ];
    extraModulePackages = [ ];
  };
  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
 }
--- a/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
+++ b/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
@ -0,0 +1,22 @@
 {
 	"data": "ENC[AES256_GCM,data:GntHmFTkr7OKUlAVPP1aPeGJEoM1/W9xoZzdXG/udBrKB8eadaOsdsT9/I4Q4zydLnAUZAb+k+/pu3inqiGPClNWU0LUMj7wTwPuVe57EyLaO2oaN4z2nvWhJnwfatvdLrFICz3MN7XLnpEe3D+3ovN2hmys1pd6cAJtEKDtmLJ3RNAhEXrMwOZ0MSzylApoi9yXULH8PqNBX7jPOZYYZ0jlnIbZB267Ln19ES0bZcK7L0608NdB+Q3xb3TQ+oSfnvsdxKyPkPqjxAto40feG97UYVW6AgYV1KlRp9etjEhIRZgn1qDvigGM/Y4HLgLxPM83h79LIVHDj1OySMyYR4bfwAR1U+Ij2nX0Wv6Q/nKx0Nmghen40AqLYp762ACLVRd30DALthhtMxhsiYIT6za3dNFRNnL1Lfss1+IwDm+XHBehBQsjXbs06nZcQURfszW03Y9KH1h5ePIS93gmkdUyH5Ya1JT609s8faukz4fcNmnXlZcnCW4fUawW3YS1zpWPGDNm54GFI06vii5JuVORrf6m2HJEIyYSzeYASC+rZOfEF8gXGjyaeh/B9nAzSq2Q/Nfm+fsceXfOkhD+ZD/nYg+whYPPfA38B5oWvwnSNRNipJLYVvdLLd6M9pTV2FHuEsFKpXwumuwMAhl287jpDVb5B6gYPnWm4zOXYX3KXd68KVFNOGCC1XrrlqVBwQqraozD+1e77eCK4OEyF8R2Wt+mCFDwrMp5hKiiFCHEX67RYqWwmZVx2hS1bovBfacoXknUaSQnfpUd5GYIVYqonyqo6cdn6LKR/0d+7wR+JuL+PO83XcEQvegfHXAXmxIEzPdsL2PqVWGL2B/qyyAZGb3hoY7hmrpEeCCefYhSkxewVDCuvL7xLBCFjq0PsPJw0CqYE0KDIgXxcGLQ5f+pn6O07YDfN+7PVPrPAaN/UTwd+2Xa9UfVELdKKhAWiywsiDCUVO9vkpvgSoYYSrtB8Ceg3RXWohbO8VrjF6UhUxnslAw8TBnBx4FtaSuI73UiJnkg9V1es47NmOA7,iv:JYRzdtAYu24aWIL/hfWLbkS8xpcPw3ylZROuuUMVmIY=,tag:Ot7G/QiTLhmnlYe7Z9aOTQ==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVU5HTGhyL0ZBRXkzZ3hq\ndzBMd1JZTktZbWNFMGRzcXhFK3RHb090cFdBCmpMa0FNMWFCenBjYk9FaDIrTkFS\nSnN6S210ejN5SVVhd2FWRG1SUHB4WWcKLS0tIDV2K0h1QWxwUXkwVnZlYnR6eEtl\nUVR0UGJOR1hadUtNcjYyWE9wblAwWFUKVM+J/pqtZFADYTQHfWCdvPzlhtgR6zAy\nu0EWk77+K2J0GeBuDr1W5yblUCknht6WZCJZcO6fW7AuWSQK3e/EVA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-12-01T16:51:40Z",
 		"mac": "ENC[AES256_GCM,data:SWLGPgFcdiGSvN5BTmE8Nq7+pBiNJM05H1hhqJY6wJqYZehKhQrQRj6/DSlYWPvYE/DdWo5Tiuc3RNY3NANwhki+7kl0OBxHoaHqBgOTa96rdPwe6V3s55v++jtm0xg/qLHEPCqrKqw/aiBAQLJkDOh/IykeEXBMW3S6EM+aQ0U=,iv:2wn4jQHdWWhIzOyGhZxow8WG6W0VgA2gwhb5X+k9ja0=,tag:8g4wQb0u7vbIPkVX8Ey0eA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-01T15:59:42Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cl6I+s/JLwwTCX7WKdzeOIkrsK9DpY3pXBuzoZRSRSJE\nwFJO99Uc7/uH1DSsEB/25CWI6eWx7k6l7YDbcbXQgi5ZNoAt7BePeCu2LK/3coZB\nJe4SManP0sPqxrSd92Tnm6Zl9EL4cJ/5D2C2RBTWOaOtZHR8gyxx5+rzCotCoTXA\nJseGE4B8r/M0O7PAS9+oD14AwCndhuvkmFOq0Y1/wXldV6yCdgc//0oJBSTCBJUZ\nYMSQLovEYGvF9bFfpWYU8J53WqlGn7QKVccDN0/gfi8IVGVZGccUA58VaVqkzR41\ndYlRZ/sjtd+VXmOg8Fx79bOlzTn+RBCp9y+q5yKnzUKGe0/Lrnt6+j7+ieIowi76\npBd0bEaoh6wqdCJ7GSjsj5kdSXRop3Ae0ff+J0pBQNctehpcWj5/TpeA1zyslwEC\nD1B/KVN+Gh0XBCg636dUkt2E4NPNDckSRuvTLy+8IkTm7aQqTjqDu3WUOSPzZiZK\nBUGZWwXAS+xPPMH26X6gPTfZj+7Gdv6yxTVIwkphDbWfihxIP//WNbKX1QN4VSHf\nCmoPOrriIdgZ7d2olZEJxPgEVzavkRkiMSFQbQgzjx5Af3ccdav3mxlubjXldmpe\n689Joj8cgBPg1Yfk/yl7tVK9TFJgYXTqKfsXwscrSlsV+dRAN0pHuq1uo9cTE/SF\nAgwDC9FRLmchgYQBEADCJ5IVMNp+PgUDOiajCfpNq3/HsntzIWG0tIjCb5L9TFWQ\nMA2LQWhcU5CRBh7Sakf8IFi/U40SD+dILUh8JR/7g2i9mCS+1e0pkUwSIYxzAI+z\nQeycuyOrdQJFrk+nFbTdZVAerElxew/wQUiC2uoI8tA5+XyNeNfipaptPh9FpFuz\nXhFbkZDJ4kapGzsAn4FgUdmdqAgZ5n2W46WAmDmVKM0W1F0zZdkBEdkEKkv1gRpZ\nRntb/mVEiGAdXv6yAzvHrxgIBkxazzstRmCMXa252RUIakXqvkP1vw7B6ChSFQR+\nq9WNo9x0EYXivd/+ROjHT7WNhEToWems/3CQpQd1LEFXajLdpAWd875acqhBJqtY\nkpKqUG5F4JmTZ7hMuGI0g30nOofMtmFhDX/gCpJ97lEudHyNrHe0KWaQAwtRknz+\nrcPrZQmGRRcf4xcBVe/EDUNlkp9fPWEhFAwKMsVkkvCAADZbvdhLR6URJMmUj5KG\nOuwglHnSOMxCovAQUd3vCtNkkAnRPNOW/WMThr+qfjq8oKdDIaYBxjzjSz1FIsho\nKiz4W3flRzUcALjKTXadQl/jJEhpP3C6Ivh0d29SiKyrWG+Y4KlDIRctub9UjH46\nb2wqbnBzSrC8u9xJINIB4yryXsZiQyP5b39guSKIPjURebus7LBxq+0I7Z1OptJe\nAYk5htmFDe9Sgc+Do1L0kdxjblaoWOc0OiwYshQ9cMv+/IsU0U6T7w2A+8QkzPFc\nGVEmrW1Jyz2O3eMpq/Nl2IsmPDYTEPqhkRtAshBuYsoZJUz73/EovcSxyJ2moA==\n=o5Pw\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.11.0"
 	}
 }
--- a/hosts/nixos/aarch64-linux/moonside/default.nix
+++ b/hosts/nixos/aarch64-linux/moonside/default.nix
@ -137,9 +137,7 @@ in
    isBtrfs = true;
    isNixos = true;
    isLinux = true;
    proxyHost = "moonside";
    server = {
      inherit (config.repo.secrets.local.networking) localNetwork;
      restic = {
        bucketName = "SwarselMoonside";
        paths = [
--- a/hosts/nixos/aarch64-linux/stoicclub/default.nix
+++ b/hosts/nixos/aarch64-linux/stoicclub/default.nix
@ -0,0 +1,39 @@
 { self, lib, minimal, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
  ];
  topology.self = {
    icon = "devices.cloud-server";
  };
  swarselmodules.server.nginx = false;
  swarselsystems = {
    flakePath = "/root/.dotfiles";
    info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
    isImpermanence = true;
    isSecureBoot = false;
    isCrypted = true;
    isSwap = false;
    rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3";
    isBtrfs = true;
    isNixos = true;
    isLinux = true;
    isCloud = true;
    isBastionTarget = true;
  };
 } // lib.optionalAttrs (!minimal) {
  swarselprofiles = {
    server = true;
  };
  swarselmodules.server = {
    nsd = true;
    nginx = false;
  };
 }
--- a/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix
+++ b/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix
@ -0,0 +1,121 @@
 { lib, pkgs, config, ... }:
 let
  type = "btrfs";
  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
  subvolumes = {
    "/root" = {
      mountpoint = "/";
      mountOptions = [
        "subvol=root"
        "compress=zstd"
        "noatime"
      ];
    };
    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
      mountpoint = "/home";
      mountOptions = [
        "subvol=home"
        "compress=zstd"
        "noatime"
      ];
    };
    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
      mountpoint = "/persist";
      mountOptions = [
        "subvol=persist"
        "compress=zstd"
        "noatime"
      ];
    };
    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
      mountpoint = "/var/log";
      mountOptions = [
        "subvol=log"
        "compress=zstd"
        "noatime"
      ];
    };
    "/nix" = {
      mountpoint = "/nix";
      mountOptions = [
        "subvol=nix"
        "compress=zstd"
        "noatime"
      ];
    };
    "/swap" = lib.mkIf config.swarselsystems.isSwap {
      mountpoint = "/.swapvol";
      swap.swapfile.size = config.swarselsystems.swapSize;
    };
  };
 in
 {
  disko = {
    imageBuilder.extraDependencies = [ pkgs.kmod ];
    devices = {
      disk = {
        disk0 = {
          type = "disk";
          device = config.swarselsystems.rootDisk;
          content = {
            type = "gpt";
            partitions = {
              ESP = {
                priority = 1;
                name = "ESP";
                size = "512M";
                type = "EF00";
                content = {
                  type = "filesystem";
                  format = "vfat";
                  mountpoint = "/boot";
                  mountOptions = [ "defaults" ];
                };
              };
              root = lib.mkIf (!config.swarselsystems.isCrypted) {
                size = "100%";
                content = {
                  inherit type subvolumes extraArgs;
                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
                    MNTPOINT=$(mktemp -d)
                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
                  '';
                };
              };
              luks = lib.mkIf config.swarselsystems.isCrypted {
                size = "100%";
                content = {
                  type = "luks";
                  name = "cryptroot";
                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
                  settings = {
                    allowDiscards = true;
                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
                    crypttabExtraOpts = [
                      "fido2-device=auto"
                      "token-timeout=10"
                    ];
                  };
                  content = {
                    inherit type subvolumes extraArgs;
                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
                      MNTPOINT=$(mktemp -d)
                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
                    '';
                  };
                };
              };
            };
          };
        };
      };
    };
  };
  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
 }
--- a/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix
+++ b/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix
@ -0,0 +1,15 @@
 { lib, modulesPath, ... }:
 {
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot = {
    initrd = {
      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
      kernelModules = [ ];
    };
    kernelModules = [ ];
    extraModulePackages = [ ];
  };
  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
 }
--- a/hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc
+++ b/hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:pikVONWg81bulGRM+enUyBGxFw4C51177O3WrhRzvCiWpulc9RHVH12AfVh4uAkoOANrPyLZuEUGdu8hvFgcTWBzJXPSPZ2sMfAjx593RhSsW+VM58IS0Oa+N9XxwpYnKiUBHrvAxgJD3vhVgCIrL+1LSylZG/RF4Wj6fw4dkttlCqioRkyNPufBtpMEN+MTw9IFsAKaCV5LTFnetIzm6wUPepExaPOpdFhf61JYyzsHkKZslA4FKs1cWgK5ggJkfQS1aA3KCh8pU8vU6uXRgl4ixyUzn/l1HnGZRhFxjcc0x4RqrJYFW9Qyj7oehHU6AxuzD2bf0vuVxZn7nQy8MrDfsvYL5yU34MSdokwrvg3IBXvPogbmjWoBLl6+0WSlV5s6o8GbTkhFi0kWv5H9AKcywY54ltyzoxAQ/9hsZa9IIGCNMFjVfcrKPQKAfrdLbYQxdioq62lHX0LbXKWU9WPRhiG9eRsETudIPan8VRMvHx/6qS6bXSaEjYkKsVSmUOhcVYp7bp58wl9JKu4qYUOLyE2T00IdmbUWrQ+MP14lj6XKNyLN6//8qFyTyhDBLPBJ5DxOMt6qn1qe/lqD4R8Iqvvj63IFq3/psdDXHu+WNmq2/LQH3Y8GTxIoEQ+uPK/I7Tqdh2DXQgKYK162ybczcqsQwGwQWe+DWtno8fauypNrFp6Wgd7c62pxY+8nJzTU9gYSyAIHWEHmRW1LV231X+7kB+JwB2AxfDFXRChuNtJkOK9pdwo4SSS/tGDS5RLmsO4VpE2mPmhxA78IuU88c0LF/e4fC8N5hteecXjMMsSswbC1VUO/3B0JfN8nI0/BnE5Hhau8McSZ1Z06/GsxC+6ArX+zIXthcLIr95nAnLDgJUOKOU7XvLQ9Y22u4lmYWedSTg+vjdljjUG3aBNyp5ZI2xXQmOOgL21aE9aQgBN27GQGqgzECrNEbK0osBefjw14sxv/aZlWU9hHlVROLVbpyWl3edN9ZEMYSJDCpMPwFkEOshlkZ78IfQw7fWRKoBW3W9uHyRPEFeldy8KQ2Lux8A5KwokgFFrp4JI92gjUSubfFsCZp/NHrV5k5UltfMz50QdaKw==,iv:5tRqYZwfz4AeC/HSetPfDaysniUoAgklLl7mEiWBqiM=,tag:7TnVeBMtP8Q81eqeRu02gg==,type:str]",
+	"data": "ENC[AES256_GCM,data:4C3fdXBKI/x/7B56b2n6OshGRaGgwYc4HQv4CRgXi+Y83hQj6wfbcqA55Xm9cXOfGAm2NNGIcUrVyuGHKlur7lUkvoNYe+a5A4GEkXVxiAoJKGcHa2nqfmR+GQJRAE6gNm9wgUL24CfKonEb09NgFBFfL7srXtkU8R1TMduUiYvzH7eNy45jQnWdQ3xgNYkb65iIZ3KCkcbjKrlOtN1Qu8+PuQmMl175gUVJcaLmpMgsz5IPetyHUWIkmqjgwhim4CyTZGwOaQW376Xq2mZUf9IOhdqLyR8GcKFLsY/GLDzp1eGfx9xUpAu3NMmjblHDdIyRcv0EjS+Cj/EUQwTrw3R2szXAb1m33sIVyloGT8RyVsu1J+RSIQOEKpVLaTxsCoulIfyBj5h9vajMVFdMmyqAFPJTVF8fNmy57VuBiDR1WYY5WT2QkBwe4A5ZZLpRmudeZAqEjD+R8Itcin4Ce8K4LtkpfLZeCUpnoaWk1u0CH5QuFCyd+s2+S2DBnFqfBmhTVzEtwXyd6zEeLo+LGCh2Eu2XwYi+DV5Xfdp4leTwEXQ+63MB2ZtOQkoxT6pi/w1rSlEcVknJJIc0HRhrRSx685i29qmcWGfjw765ECxCM2RKJKdwtYHwyLQGyTkGgzNlWr/EzskD7wwtanR0K0NUBS3MGbBaSmeI+bJ+B1ld2n7Efp1eg8AdMz/VHywvFQpS6HY5ItPCWNcDB9DMerUQINO1EtP1Dd57vafzQGGcduUKW+ywuwUdOU/XTXPaVP7VWdX9EFIlv/RMK4UX/l3Yy/Vf6iciT45zouIgoFECRe59Uz0185BHTn9xeE9oYGiLfKzlnxhNpXNaNmYGVRxKxKwfMNrA+hRtuoGrD0uE/Ev6F5ytMYMZGsQ5D6TJOHXPfAVWo5MzPA1Q2dgoCF9zZvYgCaOcSZTntoJY9X1MiwMkYIbtOtTQ4jJOI9DfXX+kOp/fejHrQEyAasCvh2zxCW2FjMckREdqtYxPEDsHGc8+0BDGgj+00a5wC19U60jolvdLsUwy41inmirgxBMaQhuavMXEpFXT0hEecZfJn8eJqPVPDVLC8LvlB+C593ByHeoR3VOIfFVv3bgCP+cQudAR+U/b8YO4gSpuVV4WF7JXLCwRCi0Flw7EzAuhuR9JYd8GKUEDctGmAYiPy1YiQCLFnAWmZvHQ2q6TeVDTQ5LPmjqM1b4iqoqn3AHhMu9HWswy4LFNujZblSo0hSHRZ+2P/+Xjrgfz2d3QF66ngEjW1tanw7hxGmiZJXXyPN+2bdB04B8ZnL/gBzQ2661fGYGYCBU=,iv:mU4ydooaOySi7MTe+b/DGfs1fzpDXbkASUo1cDsh4O8=,tag:Jh18+kJPLJFlGx5HymywOw==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZzY0QVQ4ZUxxZkdhQ2Zn\nOHpmTnRaR0R3cXh2Z2JFM1RDVDB2QnE3M3prCm43NjQyOS93UTZKaUlUUmhVcTdG\nUWp1YU1kVmZPc0tBN2FMY2FFVkI1a0UKLS0tIFovZi9FQlhMaXpvcnRYN2FiSm16\nTzJESjNyZ1NzajJRNDR6ZTd2TitoQTgKe2hC6OpYIzgqzhmeJuHWe0yXNE+/Ek26\nGt7s1B6OKnrj+S3es84ePOjAbLHr/ez282b/h0y55ws4R7jMemUIrQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-25T15:37:26Z",
+		"lastmodified": "2025-12-01T12:12:55Z",
-		"mac": "ENC[AES256_GCM,data:nZoyO4iZKAgecFiQ0tBdTEogMIDhe+Tg28L73DLVGCDTaG4QTR4ulvh77R3+Guun6eV5CsH86hTgENgDvybEVJV9bZmJWVbVQ0a+QYsZKIVDcH+o1ZK5EiOoaUb+Tfze1CGey2aw8zBgz3hl7ZeVjb5XNsKOhQz00Oc8xQ7z2CQ=,iv:x7oSgep++DVe2JQ1PPORcqfgBpCRbjO+MNPpDVSlzeI=,tag:JlibH3nTCf64bqxpnCxJAg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-11-20T01:03:05Z",
--- a/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
@ -0,0 +1,36 @@
 { self, lib, minimal, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
  ];
  topology.self = {
    icon = "devices.cloud-server";
  };
  swarselsystems = {
    flakePath = "/root/.dotfiles";
    info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
    isImpermanence = true;
    isSecureBoot = false;
    isCrypted = true;
    isSwap = false;
    rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d";
    isBtrfs = true;
    isNixos = true;
    isLinux = true;
    isCloud = true;
  };
 } // lib.optionalAttrs (!minimal) {
  swarselprofiles = {
    server = true;
  };
  swarselmodules.server = {
    nginx = false;
  };
 }
--- a/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix
@ -0,0 +1,121 @@
 { lib, pkgs, config, ... }:
 let
  type = "btrfs";
  extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
  subvolumes = {
    "/root" = {
      mountpoint = "/";
      mountOptions = [
        "subvol=root"
        "compress=zstd"
        "noatime"
      ];
    };
    "/home" = lib.mkIf config.swarselsystems.isImpermanence {
      mountpoint = "/home";
      mountOptions = [
        "subvol=home"
        "compress=zstd"
        "noatime"
      ];
    };
    "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
      mountpoint = "/persist";
      mountOptions = [
        "subvol=persist"
        "compress=zstd"
        "noatime"
      ];
    };
    "/log" = lib.mkIf config.swarselsystems.isImpermanence {
      mountpoint = "/var/log";
      mountOptions = [
        "subvol=log"
        "compress=zstd"
        "noatime"
      ];
    };
    "/nix" = {
      mountpoint = "/nix";
      mountOptions = [
        "subvol=nix"
        "compress=zstd"
        "noatime"
      ];
    };
    "/swap" = lib.mkIf config.swarselsystems.isSwap {
      mountpoint = "/.swapvol";
      swap.swapfile.size = config.swarselsystems.swapSize;
    };
  };
 in
 {
  disko = {
    imageBuilder.extraDependencies = [ pkgs.kmod ];
    devices = {
      disk = {
        disk0 = {
          type = "disk";
          device = config.swarselsystems.rootDisk;
          content = {
            type = "gpt";
            partitions = {
              ESP = {
                priority = 1;
                name = "ESP";
                size = "512M";
                type = "EF00";
                content = {
                  type = "filesystem";
                  format = "vfat";
                  mountpoint = "/boot";
                  mountOptions = [ "defaults" ];
                };
              };
              root = lib.mkIf (!config.swarselsystems.isCrypted) {
                size = "100%";
                content = {
                  inherit type subvolumes extraArgs;
                  postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
                    MNTPOINT=$(mktemp -d)
                    mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
                    trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
                    btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
                  '';
                };
              };
              luks = lib.mkIf config.swarselsystems.isCrypted {
                size = "100%";
                content = {
                  type = "luks";
                  name = "cryptroot";
                  passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
                  settings = {
                    allowDiscards = true;
                    # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
                    crypttabExtraOpts = [
                      "fido2-device=auto"
                      "token-timeout=10"
                    ];
                  };
                  content = {
                    inherit type subvolumes extraArgs;
                    postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
                      MNTPOINT=$(mktemp -d)
                      mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
                      trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
                      btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
                    '';
                  };
                };
              };
            };
          };
        };
      };
    };
  };
  fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
  fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
 }
--- a/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix
@ -0,0 +1,15 @@
 { lib, modulesPath, ... }:
 {
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot = {
    initrd = {
      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
      kernelModules = [ ];
    };
    kernelModules = [ ];
    extraModulePackages = [ ];
  };
  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
 }
--- a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
@ -0,0 +1,22 @@
 {
 	"data": "ENC[AES256_GCM,data:G3Q+Hn7QkvBZeXzNR+0Bax+Va5sK5E0K3hNTkdsNJx4C6pIwrBEBOt3IKv/c00QhpAnPqo9gbKqWU9gv7I56nEOwVtVH3lrMlbxNl9LIiSv9SvSxVkTOow2msSJV/U+1KpjNQ/LnOo2Fxebfz1yiRtgi7hSazzqzIazZAFBldlKkjLR5SFCG8t5s/nccqZU+cLmS7hJDS5LtgW1XeunqUY7jnKuh7gT2I6fPsu15Vy+YeKLmYIt0a20bWGePBIlyiGRtpnMgtIt5gk5+OpSndO8P/GMgUzRwRZEL1b8U57jbhkPLdnwwy/iV6rEFCD9i6qB0ufVW/euc+y5mN0dx8op9FwJVzkJhUIIy9Qbbc8WOjjjWlwbKJNkWfYX7pTtx+xfBKuPF+IwaoMS9j+C3etkoYe5QCr9YGYM5Xer/HL0otYNacQU5S0VqPBzDnLu7NxzB4i22,iv:aFPDBmZasoqEFCbhrRtA2QMB27khuT3rdfCGAafjov0=,tag:GQGuHL5aYPc98tzc6Bb5mA==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-12-01T22:45:54Z",
 		"mac": "ENC[AES256_GCM,data:b2sWPq+S5qqSM6lON+9A//LehgR7Wy7x8EfqeiFOFo9RT3niwaKjfp/Jnf6nKbXF43XM4dsn+dIX52fgxyd0KVLnJTqinhz97sSSs7hYFdXa2FGRhI+VwmuGVvr2ylAJODQgTn+MD7I+s/3DTfh6h0V47IZvxrUpYgg7tJrxzBc=,iv:g4XVN24+COVtRQPzTiI4iki1crjBUVc7vpnJ/vucd2A=,tag:gcnfSvPWvLqG2wTZELRMsg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-01T23:06:36Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RhpX1uVa49yA8FIfj/y/2C92Z7iBl+l1TGjaYMnuLAp5\nYybqAHwi1gzbnhKvpqO3ndm7qHNwbPBuYBDhu1ZDkQnzyzIthx3JA2G+je4Jem+N\nF8XWUglO+lEUpHD62s9JdOSS2dNRHSd/mcu/GV+k0/DzkXDn3TzzOciKBLn1u03+\n6T3mipG5cm00EEstR+iX46FSzOPX3M2+hYY+HY9rQa1RKUrUUsBBdCEYWgMsQOA9\nDGyweibxkcyxIGZIc882gxa06QxM07ON7NuZjW7vvUz3k7CI3bf5IBfaCvDywaDL\n0AKeTAVGVLnzdapZoP9lZmu6T639wu8BKMxSHiGeUenOrhs/Gl+CA2iCU5XimZCw\nbwPvKRbOGLu2eiBL/BHEMg1XpRw6bh24o3vNIchGRqDKbXICgkKr2gXhvli3qPrH\nCXokXF48e51bERfr9YWi0ryW5tgVEMwyubRi85cYnslwqfT78xzKMNRwF8wJ6PxG\ngwT6bEJ/f7QzXkw9VPY2HbaBBhe7XUBRDhLnV5sPBiZW2JDOt9rXH1LqWQLo7Ot6\nLWvOicAtmY5vnRIm9x1pPFKipmTWj7NzRCLEq5yt0borQsPO5RTC6fvhL/1Lpe1B\nzjAIjJBfQptEn4xjA0unZk6x45UDp9KpJz5zdKF43DSvGOkEF8NuTdEXNpeYHzCF\nAgwDC9FRLmchgYQBEADA36phB2C1d2DvEzi7AB7lK5gGExmaYSCzMJkSfjNQ4SO5\nwMhvRZZyIf5PT9wdJ6hCtOSqqhh0cubmZadrFnz/qjXLVSv9aTD4PFshF5lYgT0x\n2GkiIOkrVZ6vuP6/iIW/p+CqztDymVRR6DAhNNX6gx2NARdhii2K/hitW0QejoJk\nWY07qUIb2z0fPVp5TfAf3Nr87u3faYr0usW8GGABFA7IzJwCK1VA1284UZm4zj6Z\naHm+0wK/1g7Ck2sjzbhqzK3HlZVKd6lBIhmwdzcG1y0Ua5L7PIauLR6ArZkFD3WO\naHyyZ5hyNmoyOMjuTvPCIhiZ3T+aQK2f8pzyOApEWX4piCNhIvcSSy9AQ/f5hvVd\nWLG68dIMnmOWYxHX68jdNttSCcc9oJKNboOPKDdmEblZxGx5HZpYYL7X+Q0JKoMO\nqCXVc7GlIVLX0GghAvgC9Xww8XMQTWgJJJAVOa0tlTDJ4ybvCiyy850+ZPTevlHV\nfvlKSSCGHtjVIuZ5b+jMtBqg0aPDY0OqNFSvJ6x6wk0uICMesv2LNAKF7tUkMvHF\ncHljW96IOLocW96bwVR+nQG7U/ZY7/P6+2Nva8AgbrCd0erEZ/2lIvRV4IEzCk2g\nVzuzg+7pjkh1iHYUX+VX6CbyIPyx2Ic+VNaMrbqtC1YiPK6Bx+SF3eYHw9DYJ9Jc\nASJeqALtG3vg/TOKZwOfTp1GNvSExTUKqhEHpcCCty1UxIpNCPByvvsUqY0Q63DA\nyJ4TVO1QLCLwKz8nK8NWSRGrZ29jNJfAjcNDV/FrPiFqSPHVAErd4Vnbeu8=\n=Yn71\n-----END PGP MESSAGE-----",
 				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.11.0"
 	}
 }
--- a/hosts/nixos/x86_64-linux/bakery/default.nix
+++ b/hosts/nixos/x86_64-linux/bakery/default.nix
@ -10,6 +10,10 @@ in
    ./disk-config.nix
    ./hardware-configuration.nix
    "${self}/modules/nixos/optional/gaming.nix"
    "${self}/modules/nixos/optional/nswitch-rcm.nix"
    "${self}/modules/nixos/optional/virtualbox.nix"
  ];
  swarselsystems = {
@ -31,7 +35,6 @@ in
    isSwap = true;
    rootDisk = "/dev/nvme0n1";
    swapSize = "4G";
    hostName = config.node.name;
  };
  home-manager.users."${primaryUser}" = {
--- a/hosts/nixos/x86_64-linux/eagleland/default.nix
+++ b/hosts/nixos/x86_64-linux/eagleland/default.nix
@ -1,60 +1,16 @@
-{ lib, config, minimal, ... }:
+{ self, lib, minimal, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    "${self}/modules/nixos/optional/systemd-networkd-server.nix"
  ];
  topology.self = {
    icon = "devices.cloud-server";
  };
  networking = {
    useDHCP = lib.mkForce false;
    useNetworkd = true;
    dhcpcd.enable = false;
    renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
      config.repo.secrets.local.networking.networks or { }
    );
  };
  boot.initrd.systemd.network = {
    enable = true;
    networks = {
      inherit (config.systemd.network.networks) "10-wan";
    };
  };
  systemd = {
    network = {
      enable = true;
      wait-online.enable = false;
      networks =
        let
          netConfig = config.repo.secrets.local.networking;
        in
        {
          "10-wan" = {
            address = [
              "${netConfig.wanAddress4}/32"
              "${netConfig.wanAddress6}/64"
            ];
            gateway = [ "fe80::1" ];
            routes = [
              { Destination = netConfig.defaultGateway4; }
              {
                Gateway = netConfig.defaultGateway4;
                GatewayOnLink = true;
              }
            ];
            matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac;
            networkConfig.IPv6PrivacyExtensions = "yes";
            linkConfig.RequiredForOnline = "routable";
          };
        };
    };
  };
  swarselmodules.server.mailserver = true;
  swarselsystems = {
    flakePath = "/root/.dotfiles";
@ -70,11 +26,11 @@
    isNixos = true;
    isLinux = true;
    proxyHost = "eagleland";
    server = {
      inherit (config.repo.secrets.local.networking) localNetwork;
    };
  };
 } // lib.optionalAttrs (!minimal) {
  swarselmodules.server.mailserver = true;
  swarselprofiles = {
    server = true;
  };
--- a/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc
+++ b/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:vLTAWtyZJVHtXifwicSRYRYj1PjoEiumhE3bcsMuhj5P0PjyT9f2wzse7GDtusUFXDNWQXNWMNwk1V0auQmWayJa0zvpfRGtnGJrwdl/dImK+UN7ddJ6x6tNU6kjNZ05UplaUsJAJ9tm4eg050muY7KLBuEw1E4Ki9clDDxhxULXv4bdv5QpXaYSiK33ZORnD2EWcYvqUJayU/d8zSRTHV456ePHDIJPfXo22XQSLY7//q1v44ZMKDptOwlktxVQr9/asvE4eLDjdDTA5DXHTfsAGBDZCHqPI33CxZbHENM9UOHw7S0qYpKW2f232Huwv4J7llmsOIT8Axppz6fC8neBKOFPH+n4bZQTaZUL/xSLCQrF/T8k8k84lKJ3eBJdfyTpU8oInu8VAe/w+s2lC+n/zAjGoSGIF412xQ5VS0fsG1Wi/veRDr50KybYUuYQNjwtIXle3fUibUaMGFwd4Y9uSlxrWwWQxJhFpoZhoPPfeNMrT+7BSpVax27HvM7p9+VKkLfWtHiwuSZNSI3HKRmrsxHJVUxuJdXO87TCbabQAvPWoqR6qKMwixN/gvN1JNZ6Ml59HPSe6SKBAh5SI95kzXaBMZ9d7Yy7bUy/xkbbFHNYLwXR62H89XyK3yW6CMr+M7JLSC0WErAVHkUEuIEkWILBIiTeqU3Q,iv:KoTbJUnhbZp7jX/jPmX8gBobDJDoLPAvhBU9j9RYr/g=,tag:qhd6OAHNkbn0xN7wJhF1Fw==,type:str]",
+	"data": "ENC[AES256_GCM,data:nIgv3b+6o5Ce9X9xZtBK62f6dgsAGLPqq7aVFCw2qjD9UiHCrAY9vTn5NSW2O2pbLAfx6h7falS3/0yU+AkJ2H3zhxBy7ZxQ0m9dLoQGrYY/E9Z45xZmdFRxtzexCaxr2DxbP8haJKomQ22cHk07HGsrEZ/CFGkyjRxUr3Y4rewgZPBXahVtM75mWbNpVGApc8cs/W4JbjuXw3qlCQcACz8sZVPHKCjbEypypo6nTmU7NO7worrAJ2QgU75oGJ9g96wp9paFMEDofVp2Y25IVYReGg8T1Qi/kTcZzfzGfSpEwnQBB/ZCW6gNYhMK3shfB8DxKy6+romVXm1K+/0yUmwsCM8xC5zJX0GsO8Uu63YFrW/Y2E6aYZfBHdIgfy4lYOFKC2o0ixirw9EO8HyfsDt47QYB970vLPjYZfKNAZBgltbV3KPsOHxmgiZbTbAl0cb9zRc+jV2voH9T5VhFiUWdfaLBY1HUAVAjU7h62uZoCsi1HWyAroEROKS96npTD+3/vHehYuEGBf1IxYnLwHnKeqsr/Bqoukf3OecOH2EkMTTFQ7E0k9s0keRypoHmeYIh2a3dRcaXXbNEgiAMfabhgUh1NNcYKSZhcIekN8WN8azXjbVIrfEakJ8S+PUf5fJdspN/3Ppm06fDLv7yLHnLc8Eae2COOR8vYKIo3Onu4doxNjisfpHujLXYaCGhWpINEGWF7fkeC1B7,iv:v9MxvhcHg+P00UnOWujSgVlMNcOnDm/gK8kNcN54E2E=,tag:XnPMzsDeGJMt9yv6GnFzqg==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -7,8 +7,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1ZPZFUxRTh0QjB6UDJ4\nOFd2c2lFejhHck5UdUxVbmFFbVRYNEJaSzJZCkNxbndVVThObDkxUmx2WW9ESzhh\na2o0LzFCbWdJVlRIV00rTVUwTktoek0KLS0tIC9qalVvZmpGQXZsV3RIYWRPbmRY\nam80NkRkT2l0ak8wV3pTSW9kSC9nZ3cKCH8eEMmku6WMliEDdAiW2Lk1jAGH9SoP\nWQ5Y6e90jEnp8XbGE7KYiG+jy5fHSc6Y5/YyMmi/b9bF9AhmRT6rdw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-11-25T15:44:12Z",
+		"lastmodified": "2025-11-28T10:50:22Z",
-		"mac": "ENC[AES256_GCM,data:EqEvcd75Si3I0Tgxm0ffeVRKrKNqaFNI+NqZcB02mKPYPWTR6fX4VT2oVhLIxvn+5MQY2BBR/VzSxblcX6K149REpk/22aGuHfk45giq8q1xBnZeNzEQDuhoY8XZd8dzqxk1pHmQFS+jL/zl42a2Qib/jVmlnPof0bcwa/HlZDU=,iv:5V2zSQOCG/XkRF7zgFe1oDuzrP3dx6pWZpsvdVT8hz8=,tag:DYHQIFEedflw43aCTT/ACA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:lwkkp8YSzX8NM7E65kmPpF/q9Vn+FnCTeePLswDH6AVgndo/7QOy0GtJeXmiwt2YsA4AhRqxexWl2R8tjEysP35pyfQJ4vEkVi+V2tEnoLgftriNJzpoeVuRNXLxTPhPezOZgAcTDDL4yyqJXpcFj0PE1DPHKxazT28BoilaBYE=,iv:3dcAqkw/y6rAPL8wb5iewz37S4xszYFGHxvQiQ98sLk=,tag:SEmbptei6GrTXXyb7zwrIg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-11-23T15:25:41Z",
--- a/hosts/nixos/x86_64-linux/hintbooth/default.nix
+++ b/hosts/nixos/x86_64-linux/hintbooth/default.nix
@ -1,4 +1,4 @@
-{ lib, config, minimal, ... }:
+{ lib, minimal, ... }:
 {
  imports = [
@ -18,9 +18,6 @@
    rootDisk = "/dev/sda";
    swapSize = "8G";
    networkKernelModules = [ "igb" ];
    server = {
      inherit (config.repo.secrets.local.networking) localNetwork;
    };
  };
 } // lib.optionalAttrs (!minimal) {
--- a/hosts/nixos/x86_64-linux/milkywell/default.nix
+++ b/hosts/nixos/x86_64-linux/milkywell/default.nix
@ -1,46 +0,0 @@
 { lib, config, minimal, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
  ];
  node.lockFromBootstrapping = false;
  sops = {
    age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
  topology.self = {
    icon = "devices.cloud-server";
  };
  networking = {
    domain = "subnet03112148.vcn03112148.oraclevcn.com";
    firewall = {
      allowedTCPPorts = [ 53 ];
    };
  };
  system.stateVersion = "23.11";
  swarselsystems = {
    flakePath = "/root/.dotfiles";
    info = "VM.Standard.E2.1.Micro";
    isImpermanence = true;
    isSecureBoot = false;
    isCrypted = false;
    isSwap = true;
    swapSize = "8G";
    rootDisk = "/dev/sda";
    isBtrfs = true;
    isNixos = true;
    isLinux = true;
    server = {
      inherit (config.repo.secrets.local.networking) localNetwork;
    };
  };
 } // lib.optionalAttrs (!minimal) {
  swarselprofiles = {
    server = true;
  };
 }
--- a/hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix
+++ b/hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix
@ -1,26 +0,0 @@
 { lib, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot = {
    initrd = {
      availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
      kernelModules = [ "dm-snapshot" ];
    };
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/nixos/x86_64-linux/pyramid/default.nix
+++ b/hosts/nixos/x86_64-linux/pyramid/default.nix
@ -10,15 +10,16 @@ in
    ./disk-config.nix
    ./hardware-configuration.nix
-  ];
+    "${self}/modules/nixos/optional/amdcpu.nix"
    "${self}/modules/nixos/optional/amdgpu.nix"
    "${self}/modules/nixos/optional/framework.nix"
    "${self}/modules/nixos/optional/gaming.nix"
    "${self}/modules/nixos/optional/hibernation.nix"
    "${self}/modules/nixos/optional/nswitch-rcm.nix"
    "${self}/modules/nixos/optional/virtualbox.nix"
    "${self}/modules/nixos/optional/work.nix"
-  swarselmodules = {
+  ];
    optional = {
      amdcpu = true;
      amdgpu = true;
      hibernation = true;
    };
  };
  swarselsystems = {
    lowResolution = "1280x800";
@ -67,9 +68,5 @@ in
 } // lib.optionalAttrs (!minimal) {
  swarselprofiles = {
    personal = true;
    optionals = true;
    work = true;
    uni = true;
    framework = true;
  };
 }
--- a/hosts/nixos/x86_64-linux/summers/default.nix
+++ b/hosts/nixos/x86_64-linux/summers/default.nix
@ -1,9 +1,11 @@
-{ inputs, lib, config, minimal, nodes, globals, ... }:
+{ self, inputs, lib, config, minimal, nodes, globals, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    "${self}/modules/nixos/optional/microvm-host.nix"
  ];
  boot = {
@ -30,9 +32,6 @@
  };
  swarselmodules = {
    optional = {
      microvmHost = true;
    };
    server = {
      diskEncryption = lib.mkForce false; # TODO: disable
      nfs = false;
--- a/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix
+++ b/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix
@ -1,5 +1,8 @@
-{ lib, minimal, ... }:
+{ self, lib, minimal, ... }:
 {
  imports = [
    "${self}/modules/nixos/optional/microvm-guest.nix"
  ];
  swarselsystems = {
    info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
@ -11,12 +14,6 @@
    server = false;
  };
  swarselmodules = {
    optional = {
      microvmGuest = false;
    };
  };
  microvm = {
    mem = 1024 * 4;
    vcpu = 2;
--- a/hosts/nixos/x86_64-linux/winters/default.nix
+++ b/hosts/nixos/x86_64-linux/winters/default.nix
@ -1,4 +1,4 @@
-{ lib, config, minimal, ... }:
+{ lib, minimal, ... }:
 {
  imports = [
@ -27,7 +27,6 @@
    isNixos = true;
    proxyHost = "moonside";
    server = {
      inherit (config.repo.secrets.local.networking) localNetwork;
      restic = {
        bucketName = "SwarselWinters";
        paths = [
--- a/modules/home/common/anki.nix
+++ b/modules/home/common/anki.nix
@ -1,4 +1,4 @@
-{ lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }:
+{ lib, config, pkgs, globals, inputs, confLib, ... }:
 let
  moduleName = "anki";
  inherit (config.swarselsystems) isPublic isNixos;
@ -23,11 +23,11 @@ in
          syncMedia = true;
          autoSyncMediaMinutes = 5;
          url = "https://${globals.services.ankisync.domain}";
-          usernameFile = nixosConfig.sops.secrets.anki-user.path;
+          usernameFile = confLib.getConfig.sops.secrets.anki-user.path;
          # this is not the password but the syncKey
          # get it by logging in or out, saving preferences and then
          # show details on the "settings wont be saved" dialog
-          keyFile = nixosConfig.sops.secrets.anki-pw.path;
+          keyFile = confLib.getConfig.sops.secrets.anki-pw.path;
        };
        addons =
          let
--- a/modules/home/common/element.nix
+++ b/modules/home/common/element.nix
@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, globals, ... }:
 let
  moduleName = "element-desktop";
 in
@ -10,7 +10,7 @@ in
      settings = {
        default_server_config = {
          "m.homeserver" = {
-            base_url = "https://swatrix.swarsel.win/";
+            base_url = "https://${globals.services.matrix.domain}/";
          };
        };
        UIFeature = {
--- a/modules/home/common/env.nix
+++ b/modules/home/common/env.nix
@ -1,8 +1,8 @@
-{ lib, config, nixosConfig ? config, ... }:
+{ lib, config, confLib, globals, ... }:
 let
-  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
+  inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
-  inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name;
+  inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name;
-  inherit (nixosConfig.repo.secrets.common) fullName openrouterApi;
+  inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain;
  inherit (config.swarselsystems) isPublic homeDir;
  DISPLAY = ":0";
@ -18,6 +18,12 @@ in
      DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private";
      FLAKE = "${config.home.homeDirectory}/.dotfiles";
    } // lib.optionalAttrs (!isPublic) {
      SWARSEL_DOMAIN = globals.domains.main;
      SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain;
      SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain;
      SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain;
      SWARSEL_INSTA_DOMAIN = instaDomain;
      SWARSEL_SPORT_DOMAIN = sportDomain;
      SWARSEL_MAIL1 = address1;
      SWARSEL_MAIL2 = address2;
      SWARSEL_MAIL3 = address3;
@ -30,7 +36,7 @@ in
      SWARSEL_CAL3NAME = source3-name;
      SWARSEL_FULLNAME = fullName;
      SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses;
-      GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path;
+      GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path;
      OPENROUTER_API_KEY = openrouterApi;
    };
  };
--- a/modules/home/common/gammastep.nix
+++ b/modules/home/common/gammastep.nix
@ -1,6 +1,6 @@
-{ lib, config, nixosConfig ? config, ... }:
+{ lib, config, confLib, ... }:
 let
-  inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
+  inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude;
 in
 {
  options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings";
--- a/modules/home/common/git.nix
+++ b/modules/home/common/git.nix
@ -1,7 +1,7 @@
-{ lib, config, globals, minimal, nixosConfig ? config, ... }:
+{ lib, config, globals, minimal, confLib, ... }:
 let
-  inherit (nixosConfig.repo.secrets.common.mail) address1;
+  inherit (confLib.getConfig.repo.secrets.common.mail) address1;
-  inherit (nixosConfig.repo.secrets.common) fullName;
+  inherit (confLib.getConfig.repo.secrets.common) fullName;
  gitUser = globals.user.name;
 in
--- a/modules/home/common/hexchat.nix
+++ b/modules/home/common/hexchat.nix
@ -1,7 +1,7 @@
-{ lib, config, nixosConfig ? config, ... }:
+{ lib, config, confLib, ... }:
 let
  moduleName = "hexchat";
-  inherit (nixosConfig.repo.secrets.common.irc) irc_nick1;
+  inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1;
 in
 {
  options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
--- a/modules/home/common/mail.nix
+++ b/modules/home/common/mail.nix
@ -1,7 +1,7 @@
-{ lib, config, inputs, globals, nixosConfig ? config, ... }:
+{ lib, config, inputs, globals, confLib, ... }:
 let
-  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
+  inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
-  inherit (nixosConfig.repo.secrets.common) fullName;
+  inherit (confLib.getConfig.repo.secrets.common) fullName;
  inherit (config.swarselsystems) xdgDir;
 in
 {
@ -140,7 +140,7 @@ in
                address = address4;
                userName = address4;
                realName = fullName;
-                passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}";
+                passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}";
                mu.enable = true;
                msmtp = {
                  enable = true;
@ -169,7 +169,7 @@ in
                  address = address1;
                  userName = address1;
                  realName = fullName;
-                  passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}";
+                  passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}";
                  gpg = {
                    key = "0x76FD3810215AE097";
                    signByDefault = true;
@ -183,7 +183,7 @@ in
                  address = address2;
                  userName = address2;
                  realName = address2-name;
-                  passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}";
+                  passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}";
                }
                defaultSettings;
@ -193,7 +193,7 @@ in
                  address = address3;
                  userName = address3;
                  realName = address3-name;
-                  passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}";
+                  passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}";
                }
                defaultSettings;
--- a/modules/home/common/obsidian.nix
+++ b/modules/home/common/obsidian.nix
@ -1,7 +1,7 @@
-{ lib, config, pkgs, nixosConfig ? config, ... }:
+{ lib, config, pkgs, confLib, ... }:
 let
  moduleName = "obsidian";
-  inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters;
+  inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters;
  name = "Main";
 in
 {
--- a/modules/home/common/opkssh.nix
+++ b/modules/home/common/opkssh.nix
@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, globals, ... }:
 let
  moduleName = "opkssh";
 in
@ -13,7 +13,7 @@ in
        providers = [
          {
            alias = "kanidm";
-            issuer = "https://sso.swarsel.win/oauth2/openid/opkssh";
+            issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh";
            client_id = "opkssh";
            scopes = "openid email profile";
            redirect_uris = [
--- a/modules/home/common/settings.nix
+++ b/modules/home/common/settings.nix
@ -40,7 +40,11 @@ in
          trusted-public-keys = [
            atticPublicKey
          ];
-          trusted-users = [ "@wheel" "${mainUser}" ];
+          trusted-users = [
            "@wheel"
            "${mainUser}"
            (lib.mkIf config.swarselmodules.server.ssh-builder "builder")
          ];
          connect-timeout = 5;
          bash-prompt-prefix = "[33m$SHLVL:\\w [0m";
          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"[31m\"; else printf \"[32m\"; fi)λ [0m";
--- a/modules/home/common/ssh.nix
+++ b/modules/home/common/ssh.nix
@ -1,7 +1,7 @@
-{ lib, config, nixosConfig ? config, ... }:
+{ inputs, lib, config, confLib, ... }:
 {
  options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
-  config = lib.mkIf config.swarselmodules.ssh {
+  config = lib.mkIf config.swarselmodules.ssh ({
    programs.ssh = {
      enable = true;
      enableDefaultConfig = false;
@ -18,11 +18,15 @@
          serverAliveCountMax = 3;
          hashKnownHosts = false;
          userKnownHostsFile = "~/.ssh/known_hosts";
-          controlMaster = "no";
+          controlMaster = "auto";
          controlPath = "~/.ssh/master-%r@%n:%p";
-          controlPersist = "no";
+          controlPersist = "5m";
        };
-      } // nixosConfig.repo.secrets.common.ssh.hosts;
+      } // confLib.getConfig.repo.secrets.common.ssh.hosts;
    };
  } // lib.optionalAttrs (inputs ? sops) {
    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
      builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
    };
  });
 }
--- a/modules/home/common/sway.nix
+++ b/modules/home/common/sway.nix
@ -1,4 +1,4 @@
-{ config, lib, vars, nixosConfig ? config, ... }:
+{ config, lib, vars, confLib, ... }:
 let
  eachOutput = _: monitor: {
    inherit (monitor) name;
@ -381,7 +381,7 @@ in
        export XDG_CURRENT_DESKTOP=sway;
        export XDG_SESSION_DESKTOP=sway;
        export _JAVA_AWT_WM_NONREPARENTING=1;
-        export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path};
+        export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path};
      '' + vars.waylandExports;
      # extraConfigEarly = "
      # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK
--- a/modules/home/common/yubikey.nix
+++ b/modules/home/common/yubikey.nix
@ -1,4 +1,4 @@
-{ lib, config, inputs, nixosConfig ? config, ... }:
+{ lib, config, inputs, confLib, ... }:
 let
  inherit (config.swarselsystems) homeDir;
 in
@ -9,8 +9,8 @@ in
    pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
      ids = [
-        nixosConfig.repo.secrets.common.yubikeys.dev1
+        confLib.getConfig.repo.secrets.common.yubikeys.dev1
-        nixosConfig.repo.secrets.common.yubikeys.dev2
+        confLib.getConfig.secrets.common.yubikeys.dev2
      ];
    };
  } // lib.optionalAttrs (inputs ? sops) {
--- a/modules/home/common/zsh.nix
+++ b/modules/home/common/zsh.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }:
+{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }:
 let
  inherit (config.swarselsystems) flakePath isNixos;
  crocDomain = globals.services.croc.domain;
@ -127,8 +127,8 @@ in
        '';
        sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) {
          CROC_RELAY = crocDomain;
-          CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})";
+          CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})";
-          GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
+          GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
          QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
          # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
        };
--- a/modules/home/optional/framework.nix
+++ b/modules/home/optional/framework.nix
@ -1,7 +1,6 @@
-{ lib, config, ... }:
+_:
 {
-  options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings";
+  config = {
  config = lib.mkIf config.swarselmodules.optional.framework {
    swarselsystems = {
      inputs = {
        "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = {
--- a/modules/home/optional/gaming.nix
+++ b/modules/home/optional/gaming.nix
@ -1,10 +1,9 @@
-{ lib, config, pkgs, nixosConfig ? config, ... }:
+{ config, pkgs, confLib, ... }:
 let
  inherit (config.swarselsystems) isNixos;
 in
 {
-  options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings";
+  config = {
  config = lib.mkIf config.swarselmodules.optional.gaming {
    # specialisation = {
    #   gaming.configuration = {
    home.packages = with pkgs; [
@ -44,7 +43,7 @@ in
        gamescope
        umu-launcher
      ];
-      steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam;
+      steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam;
      winePackages = with pkgs; [
        wineWow64Packages.waylandFull
      ];
--- a/modules/home/optional/niri.nix
+++ b/modules/home/optional/niri.nix
@ -1,5 +1,8 @@
-{ config, pkgs, lib, vars, ... }:
+{ inputs, config, pkgs, lib, vars, ... }:
 {
  imports = [
    inputs.niri-flake.homeModules.niri
  ];
  options.swarselmodules.niri = lib.mkEnableOption "niri settings";
  config = lib.mkIf config.swarselmodules.niri
    {
--- a/modules/home/optional/uni.nix
+++ b/modules/home/optional/uni.nix
@ -1,8 +1,6 @@
-{ config, lib, nixosConfig ? config, ... }:
+{ confLib, ... }:
 {
-  options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings";
+  config = {
  config = lib.mkIf config.swarselmodules.optional.uni
    {
    services.pizauth = {
      enable = true;
      accounts = {
@ -16,7 +14,7 @@
            "https://outlook.office365.com/SMTP.Send"
            "offline_access"
          ];
-            loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}";
+          loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}";
        };
      };
    };
--- a/modules/home/optional/work.nix
+++ b/modules/home/optional/work.nix
@ -1,15 +1,14 @@
-{ self, inputs, config, pkgs, lib, vars, nixosConfig ? config, ... }:
+{ self, inputs, config, pkgs, lib, vars, confLib, ... }:
 let
  inherit (config.swarselsystems) homeDir mainUser;
-  inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses;
+  inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
-  inherit (nixosConfig.repo.secrets.local.work) mailAddress;
+  inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
  certsSopsFile = self + /secrets/certs/secrets.yaml;
 in
 {
-  options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
+  options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption;
-  config = lib.mkIf config.swarselmodules.optional.work
+  config = {
    ({
    home = {
      packages = with pkgs; [
        stable.teams-for-linux
@ -29,7 +28,7 @@ in
        rustdesk-vbc
      ];
      sessionVariables = {
-          AWS_CA_BUNDLE = nixosConfig.sops.secrets.harica-root-ca.path;
+        AWS_CA_BUNDLE = confLib.getConfig.sops.secrets.harica-root-ca.path;
      };
    };
    systemd.user.sessionVariables = {
@ -41,7 +40,7 @@ in
    accounts.email.accounts.work =
      let
-          inherit (nixosConfig.repo.secrets.local.work) mailName;
+        inherit (confLib.getConfig.repo.secrets.local.work) mailName;
      in
      {
        primary = false;
@ -116,7 +115,7 @@ in
    wayland.windowManager.sway =
      let
-          inherit (nixosConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress;
+        inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress;
      in
      {
        config = {
@ -134,7 +133,7 @@ in
    stylix = {
      targets.firefox.profileNames =
        let
-            inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
+          inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3;
        in
        [
          "${user1}"
@ -146,7 +145,7 @@ in
    programs =
      let
-          inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds;
+        inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds;
      in
      {
        openstackclient = {
@ -187,16 +186,16 @@ in
          };
          sessionVariables = {
-              VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})";
+            VSPHERE_USER = "$(cat ${confLib.getConfig.sops.secrets.vcuser.path})";
-              VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})";
+            VSPHERE_PW = "$(cat ${confLib.getConfig.sops.secrets.vcpw.path})";
-              GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})";
+            GOVC_USERNAME = "$(cat ${confLib.getConfig.sops.secrets.govcuser.path})";
-              GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})";
+            GOVC_PASSWORD = "$(cat ${confLib.getConfig.sops.secrets.govcpw.path})";
-              GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})";
+            GOVC_URL = "$(cat ${confLib.getConfig.sops.secrets.govcurl.path})";
-              GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})";
+            GOVC_DATACENTER = "$(cat ${confLib.getConfig.sops.secrets.govcdc.path})";
-              GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})";
+            GOVC_DATASTORE = "$(cat ${confLib.getConfig.sops.secrets.govcds.path})";
-              GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})";
+            GOVC_HOST = "$(cat ${confLib.getConfig.sops.secrets.govchost.path})";
-              GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})";
+            GOVC_RESOURCE_POOL = "$(cat ${confLib.getConfig.sops.secrets.govcpool.path})";
-              GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})";
+            GOVC_NETWORK = "$(cat ${confLib.getConfig.sops.secrets.govcnetwork.path})";
          };
        };
@ -508,7 +507,7 @@ in
            "https://outlook.office365.com/SMTP.Send"
            "offline_access"
          ];
-            loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}";
+          loginHint = "${confLib.getConfig.repo.secrets.local.work.mailAddress}";
        };
      };
@ -516,7 +515,7 @@ in
    xdg =
      let
-          inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
+        inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3;
      in
      {
        mimeApps = {
@ -662,6 +661,6 @@ in
      };
    };
-    });
+  };
 }
--- a/modules/nixos/client/remotebuild.nix
+++ b/modules/nixos/client/remotebuild.nix
@ -0,0 +1,85 @@
 { lib, config, globals, ... }:
 let
  inherit (config.swarselsystems) homeDir mainUser isClient;
 in
 {
  options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine";
  config = lib.mkIf config.swarselmodules.remotebuild {
    sops.secrets = {
      builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; };
      nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; };
    };
    nix = {
      settings.builders-use-substitutes = true;
      distributedBuilds = true;
      buildMachines = [
        (lib.mkIf isClient {
          hostName = config.repo.secrets.common.builder1-ip;
          system = "aarch64-linux";
          maxJobs = 20;
          speedFactor = 10;
        })
        (lib.mkIf isClient {
          hostName = globals.hosts.belchsfactory.wanAddress4;
          system = "aarch64-linux";
          maxJobs = 4;
          speedFactor = 2;
          protocol = "ssh-ng";
        })
        {
          hostName = "eu.nixbuild.net";
          system = "x86_64-linux";
          maxJobs = 100;
          speedFactor = 2;
          supportedFeatures = [ "big-parallel" ];
        }
      ];
    };
    programs.ssh = {
      knownHosts = {
        nixbuild = {
          hostNames = [ "eu.nixbuild.net" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
        };
        builder1 = lib.mkIf isClient {
          hostNames = [ config.repo.secrets.common.builder1-ip ];
          publicKey = config.repo.secrets.common.builder1-pubHostKey;
        };
        jump = lib.mkIf isClient {
          hostNames = [ globals.hosts.liliputsteps.wanAddress4 ];
          publicKey = config.repo.secrets.common.jump-pubHostKey;
        };
        builder2 = lib.mkIf isClient {
          hostNames = [ globals.hosts.belchsfactory.wanAddress4 ];
          publicKey = config.repo.secrets.common.builder2-pubHostKey;
        };
      };
      extraConfig = ''
        Host eu.nixbuild.net
          ConnectTimeout 1
          PubkeyAcceptedKeyTypes ssh-ed25519
          ServerAliveInterval 60
          IPQoS throughput
          IdentityFile ${config.sops.secrets.nixbuild-net-key.path}
      '' + lib.optionalString isClient ''
        Host ${config.repo.secrets.common.builder1-ip}
          ConnectTimeout 1
          User ${mainUser}
          IdentityFile ${config.sops.secrets.builder-key.path}
        Host ${globals.hosts.belchsfactory.wanAddress4}
          ConnectTimeout 5
          ProxyJump ${globals.hosts.liliputsteps.wanAddress4}
          User builder
          IdentityFile ${config.sops.secrets.builder-key.path}
        Host ${globals.hosts.liliputsteps.wanAddress4}
          ConnectTimeout 1
          User jump
          IdentityFile ${config.sops.secrets.builder-key.path}
      '';
    };
  };
 }
--- a/modules/nixos/client/uwsm.nix
+++ b/modules/nixos/client/uwsm.nix
@ -13,7 +13,7 @@ in
          comment = "Sway compositor managed by UWSM";
          binPath = "/run/current-system/sw/bin/sway";
        };
-        niri = {
+        niri = lib.mkIf (config.swarselmodules ? niri) {
          prettyName = "Niri";
          comment = "Niri compositor managed by UWSM";
          binPath = "/run/current-system/sw/bin/niri-session";
--- a/modules/nixos/common/globals.nix
+++ b/modules/nixos/common/globals.nix
@ -82,7 +82,8 @@ let
                if netSubmod.config.cidrv6 == null then
                  null
                else
-                  lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6;
+                # if we use the /32 wan address as local address directly, do not use the network address in ipv6
                  lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6;
            };
          };
        })
@ -196,6 +197,10 @@ in
            main = mkOption {
              type = types.str;
            };
            externalDns = mkOption {
              type = types.listOf types.str;
              description = "List of external dns nameservers";
            };
          };
        };
      };
--- a/modules/nixos/common/home-manager-secrets.nix
+++ b/modules/nixos/common/home-manager-secrets.nix
@ -25,7 +25,7 @@ in
      }) // (lib.optionalAttrs modules.emacs {
        emacs-radicale-pw = { owner = mainUser; };
        github-forge-token = { owner = mainUser; };
-      }) // (lib.optionalAttrs modules.optional.work {
+      }) // (lib.optionalAttrs (modules ? optional-work) {
        harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
      }) // (lib.optionalAttrs modules.anki {
        anki-user = { owner = mainUser; };
--- a/modules/nixos/common/nodes.nix
+++ b/modules/nixos/common/nodes.nix
@ -34,6 +34,11 @@ let
      "nginx"
      "virtualHosts"
    ]
    [
      "swarselsystems"
      "server"
      "dns"
    ]
  ];
  attrsForEachOption =
--- a/modules/nixos/common/settings.nix
+++ b/modules/nixos/common/settings.nix
@ -59,8 +59,8 @@ in
  config = lib.mkIf config.swarselmodules.general
    (lib.recursiveUpdate
      {
-        sops.secrets.github-api-token = lib.mkIf (!minimal) {
+        sops.secrets = lib.mkIf (!minimal) {
-          owner = mainUser;
+          github-api-token = { owner = mainUser; };
        };
        nix =
@ -83,7 +83,11 @@ in
              trusted-public-keys = [
                atticPublicKey
              ];
-              trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
+              trusted-users = [
                "@wheel"
                "${config.swarselsystems.mainUser}"
                (lib.mkIf config.swarselmodules.server.ssh-builder "builder")
              ];
            };
            # extraOptions = ''
            #   plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins
--- a/modules/nixos/optional/amdcpu.nix
+++ b/modules/nixos/optional/amdcpu.nix
@ -1,7 +1,6 @@
-{ lib, config, ... }:
+_:
 {
-  options.swarselmodules.optional.amdcpu = lib.mkEnableOption "optional amd cpu settings";
+  config = {
  config = lib.mkIf config.swarselmodules.optional.amdcpu {
    hardware = {
      cpu.amd.updateMicrocode = true;
    };
--- a/modules/nixos/optional/amdgpu.nix
+++ b/modules/nixos/optional/amdgpu.nix
@ -1,7 +1,6 @@
-{ lib, config, ... }:
+_:
 {
-  options.swarselmodules.optional.amdgpu = lib.mkEnableOption "optional amd gpu settings";
+  config = {
  config = lib.mkIf config.swarselmodules.optional.amdgpu {
    hardware = {
      amdgpu = {
        opencl.enable = true;
--- a/modules/nixos/optional/framework.nix
+++ b/modules/nixos/optional/framework.nix
@ -1,7 +1,13 @@
-{ lib, config, ... }:
+{ self, config, ... }:
 {
-  options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings";
+  config = {
-  config = lib.mkIf config.swarselmodules.optional.framework {
+
    home-manager.users."${config.swarselsystems.mainUser}" = {
      imports = [
        "${self}/modules/home/optional/framework.nix"
      ];
    };
    services = {
      fwupd = {
        enable = true;
--- a/modules/nixos/optional/gaming.nix
+++ b/modules/nixos/optional/gaming.nix
@ -1,7 +1,13 @@
-{ pkgs, lib, config, ... }:
+{ self, pkgs, config, ... }:
 {
-  options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings";
+  config = {
-  config = lib.mkIf config.swarselmodules.optional.gaming {
+
    home-manager.users."${config.swarselsystems.mainUser}" = {
      imports = [
        "${self}/modules/home/optional/gaming.nix"
      ];
    };
    programs.steam = {
      enable = true;
      package = pkgs.steam;
--- a/modules/nixos/optional/hibernation.nix
+++ b/modules/nixos/optional/hibernation.nix
@ -1,6 +1,5 @@
 { lib, config, ... }:
 {
  options.swarselmodules.optional.hibernation = lib.mkEnableOption "optional amd gpu settings";
  options.swarselsystems = {
    hibernation = {
      offset = lib.mkOption {
@ -13,7 +12,7 @@
      };
    };
  };
-  config = lib.mkIf config.swarselmodules.optional.hibernation {
+  config = {
    boot = {
      kernelParams = [
        "resume_offset=${builtins.toString config.swarselsystems.hibernation.offset}"
--- a/modules/nixos/optional/microvm-guest.nix
+++ b/modules/nixos/optional/microvm-guest.nix
@ -1,11 +1,9 @@
-{ lib, config, ... }:
+_:
 {
  options.swarselmodules.optional.microvmGuest = lib.mkEnableOption "optional microvmGuest settings";
  # imports = [
  #   inputs.microvm.nixosModules.microvm
  #   "${self}/profiles/nixos"
  #   "${self}/modules/nixos"
  # ];
-  config = lib.mkIf config.swarselmodules.optional.microvmGuest
+
  config =
    { };
 }
--- a/modules/nixos/optional/microvm-host.nix
+++ b/modules/nixos/optional/microvm-host.nix
@ -1,8 +1,5 @@
-{ lib, config, ... }:
+{ config, lib, ... }:
 {
  options = {
    swarselmodules.optional.microvmHost = lib.mkEnableOption "optional microvmHost settings";
  };
  # imports = [
  # inputs.microvm.nixosModules.host
  # ];
--- a/modules/nixos/optional/niri.nix
+++ b/modules/nixos/optional/niri.nix
@ -1,8 +1,11 @@
-{ lib, config, pkgs, ... }:
+{ inputs, lib, config, pkgs, ... }:
 let
  moduleName = "niri";
 in
 {
  imports = [
    inputs.niri-flake.nixosModules.niri
  ];
  options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
  config = lib.mkIf config.swarselmodules.${moduleName}
    {
--- a/modules/nixos/optional/nswitch-rcm.nix
+++ b/modules/nixos/optional/nswitch-rcm.nix
@ -1,7 +1,6 @@
-{ lib, config, pkgs, ... }:
+{ pkgs, ... }:
 {
-  options.swarselmodules.optional.nswitch-rcm = lib.mkEnableOption "optional nswitch-rcm settings";
+  config = {
  config = lib.mkIf config.swarselmodules.optional.nswitch-rcm {
    services.nswitch-rcm = {
      enable = true;
      package = pkgs.fetchurl {
--- a/modules/nixos/optional/systemd-networkd-server.nix
+++ b/modules/nixos/optional/systemd-networkd-server.nix
@ -0,0 +1,50 @@
 { lib, config, globals, ... }:
 {
  networking = {
    useDHCP = lib.mkForce false;
    useNetworkd = true;
    dhcpcd.enable = false;
    renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
      config.repo.secrets.local.networking.networks or { }
    );
  };
  boot.initrd.systemd.network = {
    enable = true;
    networks."10-${config.swarselsystems.server.localNetwork}" = config.systemd.network.networks."10-${config.swarselsystems.server.localNetwork}";
  };
  systemd = {
    network = {
      enable = true;
      wait-online.enable = false;
      networks =
        let
          netConfig = config.repo.secrets.local.networking;
        in
        {
          "10-${config.swarselsystems.server.localNetwork}" = {
            address = [
              "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv4}"
              "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv6}"
            ];
            routes = [
              {
                Gateway = netConfig.defaultGateway6;
                GatewayOnLink = true;
              }
              {
                Gateway = netConfig.defaultGateway4;
                GatewayOnLink = true;
              }
            ];
            networkConfig = {
              IPv6PrivacyExtensions = true;
              IPv6AcceptRA = false;
            };
            matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac;
            linkConfig.RequiredForOnline = "routable";
          };
        };
    };
  };
 }
--- a/modules/nixos/optional/uni.nix
+++ b/modules/nixos/optional/uni.nix
@ -0,0 +1,11 @@
 { self, config, ... }:
 {
  config = {
    home-manager.users."${config.swarselsystems.mainUser}" = {
      imports = [
        "${self}/modules/home/optional/work.nix"
      ];
    };
  };
 }
--- a/modules/nixos/optional/virtualbox.nix
+++ b/modules/nixos/optional/virtualbox.nix
@ -1,7 +1,6 @@
 { lib, config, pkgs, ... }:
 {
-  options.swarselmodules.optional.virtualbox = lib.mkEnableOption "optional VBox settings";
+  config = {
  config = lib.mkIf config.swarselmodules.optional.virtualbox {
    # specialisation = {
    #   VBox.configuration = {
    virtualisation.virtualbox = {
--- a/modules/nixos/optional/vmware.nix
+++ b/modules/nixos/optional/vmware.nix
@ -1,8 +1,7 @@
-{ lib, config, ... }:
+_:
 {
-  options.swarselmodules.optional.vmware = lib.mkEnableOption "optional vmware settings";
+  config = {
  config = lib.mkIf config.swarselmodules.optional.vmware {
    virtualisation.vmware.host.enable = true;
    virtualisation.vmware.guest.enable = true;
  };
--- a/modules/nixos/optional/work.nix
+++ b/modules/nixos/optional/work.nix
@ -1,4 +1,4 @@
-{ self, lib, pkgs, config, configName, ... }:
+{ self, lib, pkgs, config, ... }:
 let
  inherit (config.swarselsystems) mainUser homeDir;
  iwd = config.networking.networkmanager.wifi.backend == "iwd";
@ -6,18 +6,24 @@ let
  sopsFile = self + /secrets/work/secrets.yaml;
 in
 {
  options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
  options.swarselsystems = {
    hostName = lib.mkOption {
      type = lib.types.str;
-      default = configName;
+      default = config.node.name;
    };
    fqdn = lib.mkOption {
      type = lib.types.str;
      default = "";
    };
  };
-  config = lib.mkIf config.swarselmodules.optional.work {
+  config = {
    home-manager.users."${config.swarselsystems.mainUser}" = {
      imports = [
        "${self}/modules/home/optional/work.nix"
      ];
    };
    sops =
      let
        secretNames = [
--- a/modules/nixos/server/ankisync.nix
+++ b/modules/nixos/server/ankisync.nix
@ -9,7 +9,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/attic.nix
+++ b/modules/nixos/server/attic.nix
@ -10,7 +10,7 @@ in
  };
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/atuin.nix
+++ b/modules/nixos/server/atuin.nix
@ -6,7 +6,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/bastion.nix
+++ b/modules/nixos/server/bastion.nix
@ -0,0 +1,67 @@
 { self, lib, config, ... }:
 {
  options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server";
  config = lib.mkIf config.swarselmodules.server.bastion {
    users = {
      groups = {
        jump = { };
      };
      users = {
        "jump" = {
          isNormalUser = true;
          useDefaultShell = true;
          group = lib.mkForce "jump";
          createHome = lib.mkForce true;
          openssh.authorizedKeys.keyFiles = [
            (self + /secrets/keys/ssh/yubikey.pub)
            (self + /secrets/keys/ssh/magicant.pub)
            (self + /secrets/keys/ssh/builder.pub)
          ];
        };
      };
    };
    services.openssh = {
      enable = true;
      startWhenNeeded = lib.mkForce false;
      authorizedKeysInHomedir = false;
      extraConfig = ''
        Match User jump
          PermitTTY no
          X11Forwarding no
          PermitTunnel no
          GatewayPorts no
          AllowAgentForwarding no
      '';
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = lib.mkDefault "no";
        AllowUsers = [
          "jump"
        ];
      };
      hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [
        {
          path = "/etc/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];
    };
    home-manager.users.jump.config = {
      home.stateVersion = lib.mkDefault "23.05";
      programs.ssh = {
        enable = true;
        enableDefaultConfig = false;
        matchBlocks = {
          "*" = {
            forwardAgent = false;
          };
        } // config.repo.secrets.local.ssh.hosts;
      };
    };
  };
 }
--- a/modules/nixos/optional/btrfs.nix
+++ b/modules/nixos/optional/btrfs.nix
--- a/modules/nixos/server/croc.nix
+++ b/modules/nixos/server/croc.nix
@ -17,7 +17,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/disk-encrypt.nix
+++ b/modules/nixos/server/disk-encrypt.nix
@ -1,7 +1,7 @@
 { self, pkgs, lib, config, globals, minimal, ... }:
 let
-  localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
+  localIp = globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4;
-  subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4;
+  subnetMask = globals.networks.${config.swarselsystems.server.netConfigName}.subnetMask4;
  gatewayIp = globals.hosts.${config.node.name}.defaultGateway4;
  hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key";
@ -36,7 +36,7 @@ in
      files = [ hostKeyPathBase ];
    };
-    boot = lib.mkIf (!config.swarselsystems.isLaptop) {
+    boot = lib.mkIf (!config.swarselsystems.isClient) {
      kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [
        "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
      ];
--- a/modules/nixos/server/firefly-iii.nix
+++ b/modules/nixos/server/firefly-iii.nix
@ -11,7 +11,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/forgejo.nix
+++ b/modules/nixos/server/forgejo.nix
@ -9,7 +9,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/freshrss.nix
+++ b/modules/nixos/server/freshrss.nix
@ -8,7 +8,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/garage.nix
+++ b/modules/nixos/server/garage.nix
@ -54,11 +54,11 @@ in
    assertions = [
      {
        assertion = config.swarselsystems.server.${serviceName}.buckets != [ ];
-        message = "If Garage is enabled, at least one bucket must be specified in atro.garage.buckets";
+        message = "If Garage is enabled, at least one bucket must be specified in swarselsystems.server.${serviceName}.buckets";
      }
      {
        assertion = builtins.length (lib.attrsToList config.swarselsystems.server.${serviceName}.keys) > 0;
-        message = "If Garage is enabled, at least one key must be specified in atro.garage.keys";
+        message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys";
      }
      {
        assertion =
@ -71,7 +71,7 @@ in
      }
    ];
-    swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
      "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
      "${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
      "${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
@ -121,7 +121,7 @@ in
        rpc_bind_addr = "[::]:${builtins.toString garageRpcPort}";
        # we are not joining our nodes, just use the private ipv4
-        rpc_public_addr = "${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}";
+        rpc_public_addr = "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}";
        rpc_secret_file = config.sops.secrets.garage-rpc-secret.path;
--- a/modules/nixos/server/homebox.nix
+++ b/modules/nixos/server/homebox.nix
@ -6,7 +6,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/immich.nix
+++ b/modules/nixos/server/immich.nix
@ -6,7 +6,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/jellyfin.nix
+++ b/modules/nixos/server/jellyfin.nix
@ -6,7 +6,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/jenkins.nix
+++ b/modules/nixos/server/jenkins.nix
@ -6,7 +6,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@ -31,7 +31,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/kavita.nix
+++ b/modules/nixos/server/kavita.nix
@ -11,7 +11,7 @@ in
      calibre
    ];
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/koillection.nix
+++ b/modules/nixos/server/koillection.nix
@ -14,7 +14,7 @@ in
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
    sops.secrets = {
--- a/modules/nixos/server/mailserver.nix
+++ b/modules/nixos/server/mailserver.nix
@ -11,7 +11,7 @@ in
  };
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/matrix.nix
+++ b/modules/nixos/server/matrix.nix
@ -20,7 +20,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/microbin.nix
+++ b/modules/nixos/server/microbin.nix
@ -10,7 +10,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/minecraft/default.nix
+++ b/modules/nixos/server/minecraft/default.nix
@ -8,7 +8,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/monitoring.nix
+++ b/modules/nixos/server/monitoring.nix
@ -16,7 +16,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/navidrome.nix
+++ b/modules/nixos/server/navidrome.nix
@ -6,7 +6,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/network.nix
+++ b/modules/nixos/server/network.nix
@ -1,28 +1,40 @@
 { lib, config, ... }:
 let
-  inherit (config.swarselsystems.server) localNetwork;
+  netConfig = config.repo.secrets.local.networking;
  netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}";
 in
 {
-  options.swarselmodules.server.network = lib.mkEnableOption "enable server network config";
+  options = {
-  options.swarselsystems.server.localNetwork = lib.mkOption {
+    swarselmodules.server.network = lib.mkEnableOption "enable server network config";
    swarselsystems.server = {
      localNetwork = lib.mkOption {
        type = lib.types.str;
-    default = "home";
+        default = "";
      };
      netConfigName = lib.mkOption {
        type = lib.types.str;
        default = netName;
        readOnly = true;
      };
    };
  };
  config = lib.mkIf config.swarselmodules.server.network {
-    globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = {
+    swarselsystems.server.localNetwork = netConfig.localNetwork or "";
-      inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id;
+
-      mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null;
+    globals.networks.${netName}.hosts.${config.node.name} = {
      inherit (netConfig.networks.${netConfig.localNetwork}) id;
      mac = netConfig.networks.${netConfig.localNetwork}.mac or null;
    };
    globals.hosts.${config.node.name} = {
      inherit (config.repo.secrets.local.networking) defaultGateway4;
-      wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null;
+      wanAddress4 = netConfig.wanAddress4 or null;
-      wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null;
+      wanAddress6 = netConfig.wanAddress6 or null;
    };
    networking = {
-      inherit (config.repo.secrets.local.networking) hostId;
+      inherit (netConfig) hostId;
      hostName = config.node.name;
      nftables.enable = lib.mkDefault false;
      enableIPv6 = lib.mkDefault true;
--- a/modules/nixos/server/nextcloud.nix
+++ b/modules/nixos/server/nextcloud.nix
@ -10,7 +10,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
@ -1,6 +1,6 @@
 { pkgs, lib, config, ... }:
 let
-  inherit (config.repo.secrets.common) dnsProvider;
+  inherit (config.repo.secrets.common) dnsProvider dnsBase;
  inherit (config.repo.secrets.common.mail) address3;
  serviceUser = "nginx";
@ -63,9 +63,12 @@ in
    ];
    sops = {
-      secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
+      secrets = {
        acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
      };
      templates."certs.secret".content = ''
-        CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token}
+        ACME_DNS_API_BASE=${dnsBase}
        ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token}
      '';
    };
--- a/modules/nixos/server/nsd/default.nix
+++ b/modules/nixos/server/nsd/default.nix
@ -1,10 +1,7 @@
-{ inputs, lib, config, globals, dns, confLib, ... }:
+{ lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName;
+  inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName servicePort proxyAddress4 proxyAddress6;
-  # servicePort = 53;
+  inherit (config.swarselsystems) sopsFile;
  # serviceDomain = config.repo.secrets.common.services.domains."${serviceName}";
  # serviceAddress = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
 in
 {
  options = {
@ -14,7 +11,7 @@ in
        lib.types.submodule {
          options = {
            subdomainRecords = lib.mkOption {
-              type = lib.types.attrsOf inputs.dns.subzone;
+              type = lib.types.attrsOf dns.lib.types.subzone;
              default = { };
            };
          };
@ -23,13 +20,68 @@ in
    };
  };
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
    sops.secrets = {
      tsig-key = { inherit sopsFile; };
    };
    # services.resolved.enable = false;
    networking = {
      # nameservers = [ "1.1.1.1" "8.8.8.8" ];
      firewall = {
        allowedUDPPorts = [ servicePort ];
        allowedTCPPorts = [ servicePort ];
      };
    };
    services.nsd = {
      enable = true;
-      zones = {
+      keys = {
        "${globals.domains.main}.${proxyAddress4}" = {
          algorithm = "hmac-sha256";
          keyFile = config.sops.secrets.tsig-key.path;
        };
        "${globals.domains.main}.${proxyAddress6}" = {
          algorithm = "hmac-sha256";
          keyFile = config.sops.secrets.tsig-key.path;
        };
        "${globals.domains.main}" = {
-          # provideXFR = [ ... ];
+          algorithm = "hmac-sha256";
-          # notify = [ ... ];
+          keyFile = config.sops.secrets.tsig-key.path;
-          data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns; });
+        };
      };
      interfaces = [
        "10.1.2.157"
        "2603:c020:801f:a0cc::9d"
      ];
      zones = {
        "${globals.domains.main}" =
          let
            keyName4 = "${globals.domains.main}.${proxyAddress4}";
            keyName6 = "${globals.domains.main}.${proxyAddress6}";
            keyName = "${globals.domains.main}";
            transferList = [
              "213.239.242.238 ${keyName4}"
              "2a01:4f8:0:a101::a:1 ${keyName6}"
              "213.133.100.103 ${keyName4}"
              "2a01:4f8:0:1::5ddc:2 ${keyName6}"
              "193.47.99.3 ${keyName4}"
              "2001:67c:192c::add:a3 ${keyName6}"
            ];
          in
          {
            outgoingInterface = "2603:c020:801f:a0cc::9d";
            notify = transferList ++ [
              "216.218.130.2 ${keyName}"
            ];
            provideXFR = transferList ++ [
              "216.218.133.2 ${keyName}"
              "2001:470:600::2 ${keyName}"
            ];
            # dnssec = true;
            data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns proxyAddress4 proxyAddress6; });
          };
      };
    };
--- a/modules/nixos/server/nsd/site1.nix
+++ b/modules/nixos/server/nsd/site1.nix
@ -1,40 +1,35 @@
-{ config, globals, dns, ... }:
+{ config, globals, dns, proxyAddress4, proxyAddress6, ... }:
 with dns.lib.combinators; {
  SOA = {
    nameServer = "soa";
-    adminEmail = "admin@${globals.domains.main}";
+    adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
-    serial = 2025112101;
+    serial = 2025120201; # update this on changes for secondary dns
  };
  useOrigin = false;
  NS = [
-    "soa.${globals.domains.name}."
+    "soa"
-    "ns1.he.net"
+    "srv"
-    "ns2.he.net"
+  ] ++ globals.domains.externalDns;
    "ns3.he.net"
    "ns4.he.net"
    "ns5.he.net"
    "oxygen.ns.hetzner.com"
    "pola.ns.cloudflare.com"
  ];
-  A = [ "75.2.60.5" ];
+
  A = [ config.repo.secrets.local.dns.homepage-ip ];
  SRV = [
    {
      service = "_matrix";
      proto = "_tcp";
      port = 443;
-      target = "${globals.services.matrix.baseDomain}.${globals.domains.main}";
+      target = "${globals.services.matrix.subDomain}";
      priority = 10;
-      wweight = 5;
+      weight = 5;
    }
    {
      service = "_submissions";
      proto = "_tcp";
      port = 465;
-      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      target = "${globals.services.mailserver.subDomain}";
      priority = 5;
      weight = 0;
      ttl = 3600;
@ -43,7 +38,7 @@ with dns.lib.combinators; {
      service = "_submission";
      proto = "_tcp";
      port = 587;
-      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      target = "${globals.services.mailserver.subDomain}";
      priority = 5;
      weight = 0;
      ttl = 3600;
@ -52,7 +47,7 @@ with dns.lib.combinators; {
      service = "_imap";
      proto = "_tcp";
      port = 143;
-      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      target = "${globals.services.mailserver.subDomain}";
      priority = 5;
      weight = 0;
      ttl = 3600;
@ -61,7 +56,7 @@ with dns.lib.combinators; {
      service = "_imaps";
      proto = "_tcp";
      port = 993;
-      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      target = "${globals.services.mailserver.subDomain}";
      priority = 5;
      weight = 0;
      ttl = 3600;
@ -71,13 +66,7 @@ with dns.lib.combinators; {
  MX = [
    {
      preference = 10;
-      exchange = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      exchange = "${globals.services.mailserver.subDomain}";
    }
  ];
  CNAME = [
    {
      cname = "www.${glovals.domains.main}";
    }
  ];
@ -90,28 +79,22 @@ with dns.lib.combinators; {
    }
  ];
  DMARC = [
    {
      p = "none";
      ttl = 10800;
    }
  ];
  TXT = [
-    (with spf; strict [ "a:${globals.services.mailserver.baseDomain}.${globals.domains.main}" ])
+    (with spf; strict [ "a:${globals.services.mailserver.subDomain}.${globals.domains.main}" ])
    "google-site-verification=${config.repo.secrets.local.dns.google-site-verification}"
  ];
  DMARC = [
    {
      selector = "mail";
      k = "rsa";
      p = "none";
      ttl = 10800;
    }
  ];
-  subdomains = config.swarselsystems.server.dns.${globals.domain.main}.subdomainRecords // {
+  subdomains = config.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords // {
-    "minecraft" = host "130.61.119.12" null;
+    "www".CNAME = [ "${globals.domains.main}." ];
    "_acme-challenge".CNAME = [ "${config.repo.secrets.local.dns.acme-challenge-domain}." ];
    "soa" = host proxyAddress4 proxyAddress6;
    "srv" = host proxyAddress4 proxyAddress6;
  };
 }
--- a/modules/nixos/server/oauth2-proxy.nix
+++ b/modules/nixos/server/oauth2-proxy.nix
@ -119,7 +119,7 @@ in
  };
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/paperless.nix
+++ b/modules/nixos/server/paperless.nix
@ -11,7 +11,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/modules/nixos/server/radicale.nix
+++ b/modules/nixos/server/radicale.nix
@ -9,7 +9,7 @@ in
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+    nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
    };
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Leon Schwarzäugl	f2674bee48	feat[client,server]: add remote builds, confLib	2025-12-02 00:57:35 +01:00
Leon Schwarzäugl	626d990b4a	feat[server]: network management	2025-11-28 13:27:11 +01:00