fix: change click and load package name

- Migrate logind.extraConfig to logind.settings.Login
- Update dovecot alert for service rename (dovecot2 → dovecot)
- Fix sa-core buildGoModule env attribute for CGO_ENABLED

.mcp.json

@@ -0,0 +1,8 @@
+{
+  "mcpServers": {
+    "nixos": {
+      "command": "uvx",
+      "args": ["mcp-nixos"]
+    }
+  }
+}

.sops.yaml

@@ -16,6 +16,7 @@ keys:
   - &gpd-win4 age1ceg548u5ma6rgu3xgvd254y5xefqrdqfqhcjsjp3255q976fgd2qaua53d
   - &nb age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
   - &amzebs-01 age1xcgc6u7fmc2trgxtdtf5nhrd7axzweuxlg0ya9jre3sdrg6c6easecue9w
+  - &nas age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
 
 creation_rules:
   - path_regex: ^[^/]+\.yaml$
@@ -80,6 +81,14 @@ creation_rules:
       - *dominik2
       - *nb
       - *amzebs-01
+  - path_regex: hosts/nas/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *bitwarden
+      - *dominik
+      - *dominik2
+      - *nb
+      - *nas
   - path_regex: hosts/mail/[^/]+\.yaml$
     key_groups:
     - age:
@@ -129,6 +138,7 @@ creation_rules:
       - *netboot
       - *fw
       - *fw-new
+      - *nas
       - *amzebs-01
   - path_regex: utils/modules/victoriametrics/[^/]+\.yaml$
     key_groups:
@@ -142,4 +152,5 @@ creation_rules:
       - *netboot
       - *fw
       - *fw-new
+      - *nas
       - *amzebs-01

CLAUDE.md

@@ -0,0 +1,100 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Repository Overview
+
+This is a NixOS infrastructure repository managing multiple hosts (servers and personal machines) using a modular Nix configuration approach with SOPS for secrets management and Bento for deployment.
+
+## Build and Test Commands
+
+```bash
+# Enter development shell (sets up MCP configs)
+nix-shell
+
+# Test configuration before deployment (required before PRs)
+./scripts/test-configuration <hostname>
+./scripts/test-configuration -v <hostname>  # with --show-trace
+
+# Edit encrypted secrets
+nix-shell -p sops --run 'sops hosts/<hostname>/secrets.yaml'
+
+# Update secrets keys after adding new age keys
+./scripts/update-secrets-keys
+
+# Format Nix files
+nix run nixpkgs#nixpkgs-fmt .
+
+# Compute hash for new packages
+nix hash to-sri --type sha256 $(nix-prefetch-url https://example.com/file.tar.gz)
+```
+
+## Architecture
+
+### Host Structure
+Each host in `hosts/<hostname>/` contains:
+- `configuration.nix` - Main entry point importing modules
+- `hardware-configuration.nix` - Machine-specific hardware config
+- `secrets.yaml` - SOPS-encrypted secrets
+- `modules/` - Host-specific service configurations
+- `fleet.nix` → symlink to root `fleet.nix` (SFTP user provisioning)
+- `utils/` → symlink to root `utils/` (shared modules)
+
+Current hosts: `fw` (firewall/router), `nb` (notebook), `web-arm`, `mail`, `amzebs-01`, `nas`
+
+### Shared Components (`utils/`)
+- `modules/` - Reusable NixOS modules (nginx, sops, borgbackup, lego, promtail, etc.)
+- `overlays/` - Nixpkgs overlays
+- `pkgs/` - Custom package derivations
+- `bento.nix` - Deployment helper module
+
+### Secrets Management
+- SOPS with age encryption; keys defined in `.sops.yaml`
+- Each host has its own age key derived from SSH host key
+- Host secrets in `hosts/<hostname>/secrets.yaml`
+- Shared module secrets in `utils/modules/<module>/secrets.yaml`
+
+**IMPORTANT: Never modify secrets files directly.** Instead, tell the user which secrets need to be added and where, so they can edit the encrypted files themselves using:
+```bash
+nix-shell -p sops --run 'sops hosts/<hostname>/secrets.yaml'
+```
+
+### Deployment
+The Git runner handles deployment automatically when changes merge to main. A successful `./scripts/test-configuration <host>` dry-build is the gate before pushing.
+
+## Custom Packages
+
+When creating a new package in `utils/pkgs/`, always include an `update.sh` script to automate version updates. See `utils/pkgs/claude-code/update.sh` for the pattern:
+
+1. Fetch latest version from upstream (npm, GitHub, etc.)
+2. Update version string in `default.nix`
+3. Update source hash using `nix-prefetch-url`
+4. Update dependency hashes (e.g., `npmDepsHash`) by triggering a build with a fake hash
+5. Verify the final build succeeds
+
+Example structure:
+```
+utils/pkgs/<package-name>/
+├── default.nix
+├── update.sh          # Always include this
+└── (other files like patches, lock files)
+```
+
+**IMPORTANT: When modifying a custom package** (patches, version updates, etc.), always test by building the package directly, not just running `test-configuration`. The configuration test only checks that the Nix expression evaluates, but doesn't verify the package actually builds:
+
+```bash
+# Build a custom package directly to verify it works
+nix-build -E 'with import <nixpkgs> { overlays = [ (import ./utils/overlays/packages.nix) ]; config.allowUnfree = true; }; <package-name>'
+```
+
+## Workflow
+
+**IMPORTANT: Always run `./scripts/test-configuration <hostname>` after making any changes** to verify the NixOS configuration builds successfully. This is required before committing.
+
+## Conventions
+
+- Nix files: two-space indentation, lower kebab-case naming
+- Commits: Conventional Commits format (`fix:`, `feat:`, `chore:`), scope by host when relevant (`fix(mail):`). Do not add "Generated with Claude Code" or "Co-Authored-By: Claude" footers.
+- Modules import via explicit paths, not wildcards
+- Comments explain non-obvious decisions (open ports, unusual service options)
+- **Never update `system.stateVersion`** - it should remain at the original installation version. To upgrade NixOS, update the `channel` file instead.

README.md

@@ -39,7 +39,7 @@ cat ~/.ssh/id_rsa.pub | ssh -p23 u149513-subx@u149513-subx.your-backup.de instal
 
 # 4. Add new Host
 ```console
-sftp host.cloonar.com@git.cloonar.com:/config/bootstrap.sh ./
+sftp host@git.cloonar.com:/config/bootstrap.sh ./
 ```
 
 # 5. Yubikey

fleet.nix

@@ -47,6 +47,11 @@
       username = "gpd-win4";
       key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILjfS2DtS8PQgkf86dU+EVu5t+r/QlCWmY7+RPYprQrO";
     }
+    {
+      username = "nas";
+      key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICS6b97LPUpr7/kWvOcI40s5e+gfbfz0I2/hAPL6zTmU";
+    }
+
     {
       username = "amzebs-01";
       key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkFZ60SPl8pzEtGrFq1+n6ZkDuNe3xJaccJMjr3y/q";

hosts/amzebs-01/channel

@@ -0,0 +1 @@
+https://channels.nixos.org/nixos-25.11

hosts/amzebs-01/configuration.nix

@@ -3,10 +3,12 @@
     ./utils/bento.nix
     ./utils/modules/sops.nix
     ./utils/modules/nginx.nix
+    ./utils/modules/set-nix-channel.nix
 
     ./modules/mysql.nix
     ./modules/web/stack.nix
     ./modules/laravel-storage.nix
+    ./modules/laravel-scheduler.nix
     ./modules/blackbox-exporter.nix
     ./modules/postfix.nix
     ./modules/rspamd.nix
@@ -67,7 +69,7 @@
 
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 22 80 443 ];
+    allowedTCPPorts = [ 22 80 443 3306 ];
 
     # Allow MariaDB access only from specific IP
     extraCommands = ''
@@ -75,5 +77,5 @@
     '';
   };
 
-  system.stateVersion = "23.11";
+  system.stateVersion = "25.11";
 }

hosts/amzebs-01/modules/laravel-scheduler.nix

@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+
+# Daily scheduled Laravel artisan jobs
+# Runs artisan finish:reports at 01:00 for production and staging APIs
+
+let
+  php = pkgs.php82;
+
+  sites = [
+    {
+      domain = "api.ebs.amz.at";
+      user = "api_ebs_amz_at";
+    }
+    {
+      domain = "api.stage.ebs.amz.at";
+      user = "api_stage_ebs_amz_at";
+    }
+  ];
+
+  mkArtisanService = site: {
+    name = "artisan-finish-reports-${site.domain}";
+    value = {
+      description = "Laravel artisan finish:reports for ${site.domain}";
+      after = [ "network.target" "mysql.service" "phpfpm-${site.domain}.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = site.user;
+        Group = "nginx";
+        WorkingDirectory = "/var/www/${site.domain}";
+        ExecStart = "${php}/bin/php artisan finish:reports";
+      };
+    };
+  };
+
+  mkArtisanTimer = site: {
+    name = "artisan-finish-reports-${site.domain}";
+    value = {
+      description = "Daily timer for artisan finish:reports on ${site.domain}";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*-*-* 01:00:00";
+        Persistent = true;
+      };
+    };
+  };
+
+in
+{
+  systemd.services = builtins.listToAttrs (map mkArtisanService sites);
+  systemd.timers = builtins.listToAttrs (map mkArtisanTimer sites);
+}

hosts/amzebs-01/modules/postfix.nix

@@ -3,15 +3,16 @@
 , config
 , ...
 }:
-{
+let
-  # Header checks file for validating email headers
+  headerChecksFile = pkgs.writeText "header_checks" ''
-  environment.etc."postfix/header_checks".text = ''
     # Warn about missing critical headers (but don't reject from localhost)
     # These help identify misconfigured applications
     /^$/  WARN Missing headers detected
   '';
-
+in
+{
   services.postfix = {
+    mapFiles."header_checks" = headerChecksFile;
     enable = true;
     hostname = "amzebs-01.amz.at";
     domain = "amz.at";
@@ -34,20 +35,20 @@
       compatibility_level = "2";
 
       # Only accept mail from localhost
-      mynetworks = "127.0.0.0/8 [::1]/128";
+      mynetworks = [ "127.0.0.0/8" "[::1]/128" ];
 
       # Larger message size limits for attachments
-      mailbox_size_limit = "202400000"; # ~200MB
+      mailbox_size_limit = 202400000; # ~200MB
-      message_size_limit = "51200000";  # ~50MB
+      message_size_limit = 51200000;  # ~50MB
 
       # Ensure proper header handling
       # Reject mail that's missing critical headers
-      header_checks = "regexp:/etc/postfix/header_checks";
+      header_checks = "regexp:/var/lib/postfix/conf/header_checks";
 
       # Rate limiting to prevent spam-like behavior
       # Allow reasonable sending rates for applications
-      smtpd_client_message_rate_limit = "100";
+      smtpd_client_message_rate_limit = 100;
-      smtpd_client_recipient_rate_limit = "200";
+      smtpd_client_recipient_rate_limit = 200;
 
       # Milter configuration is handled automatically by rspamd.postfix.enable
     };

hosts/fw/channel

@@ -1 +1 @@
-https://channels.nixos.org/nixos-25.05
+https://channels.nixos.org/nixos-25.11

hosts/fw/configuration.nix

@@ -7,8 +7,10 @@
     ./utils/modules/nginx.nix
 
     ./utils/modules/autoupgrade.nix
+    ./utils/modules/victoriametrics
     ./utils/modules/promtail
     ./utils/modules/borgbackup.nix
+    ./utils/modules/set-nix-channel.nix
 
     # fw
     ./modules/network-prefix.nix
@@ -25,7 +27,6 @@
     ./modules/podman.nix
     ./modules/omada.nix
     ./modules/ddclient.nix
-    ./utils/modules/victoriametrics
     # ./modules/wol.nix
 
 
@@ -49,7 +50,7 @@
 
     ./modules/firefox-sync.nix
     ./modules/fivefilters.nix
-    ./modules/pyload.nix
+    # ./modules/pyload
 
     # home assistant
     ./modules/home-assistant
@@ -103,7 +104,7 @@
 
   time.timeZone = "Europe/Vienna";
 
-  services.logind.extraConfig = "RuntimeDirectorySize=2G";
+  services.logind.settings.Login.RuntimeDirectorySize = "2G";
 
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.defaultSopsFile = ./secrets.yaml;

hosts/fw/modules/ai-mailer.nix

@@ -104,6 +104,8 @@
 
     restartTriggers = [
       "/etc/ai-mailer/config.yaml"
+      config.sops.secrets.ai-mailer-imap-password.path
+      config.sops.secrets.ai-mailer-openrouter-key.path
     ];
   };
 }

hosts/fw/modules/dnsmasq.nix

@@ -73,6 +73,7 @@
         "02:00:00:00:00:04,${config.networkPrefix}.97.6,matrix"
         "ea:db:d4:c1:18:ba,${config.networkPrefix}.97.50,git"
         "c2:4f:64:dd:13:0c,${config.networkPrefix}.97.20,home-assistant"
+        "6c:1f:f7:8e:a9:86,${config.networkPrefix}.97.11,nas"
         "1a:c4:04:6e:29:02,${config.networkPrefix}.101.25,deconz"
 
         "c4:a7:2b:c7:ea:30,${config.networkPrefix}.99.10,metz"

hosts/fw/modules/home-assistant/light.nix

@@ -396,7 +396,13 @@
         all = true;
         entities = [
           "light.livingroom_switch"
-          "light.living_room"
+          "light.living_bulb_1"
+          "light.living_bulb_2"
+          "light.living_bulb_3"
+          "light.living_bulb_4"
+          "light.living_bulb_5"
+          "light.living_bulb_6"
+          # "light.living_room"
         ];
       }
       {
@@ -410,6 +416,7 @@
         all = true;
         entities = [
           "light.kitchen_switch"
+          "light.kitchen_bulb_1"
           "light.kitchen"
         ];
       }

hosts/fw/modules/pyload.nix

@@ -1,300 +0,0 @@
-{ config, pkgs, ... }:
-let
-  cids = import ./staticids.nix;
-  networkPrefix = config.networkPrefix;
-
-  # FileBot post-processing script
-  filebotScript = pkgs.writeShellScript "filebot-process.sh" ''
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    # FileBot AMC script for automated media organization
-    # Arguments: $1 = download directory (passed by pyload)
-
-    DOWNLOAD_DIR="''${1:-/downloads}"
-    OUTPUT_DIR="/multimedia"
-    LOG_FILE="/var/lib/filebot/amc.log"
-    EXCLUDE_LIST="/var/lib/filebot/amc-exclude-list.txt"
-
-    # Ensure log directory exists
-    mkdir -p "$(dirname "$LOG_FILE")"
-    touch "$EXCLUDE_LIST"
-
-    echo "$(date): Starting FileBot processing for: $DOWNLOAD_DIR" >> "$LOG_FILE"
-
-    # Run FileBot AMC script
-    ${pkgs.filebot}/bin/filebot \
-      -script fn:amc \
-      --output "$OUTPUT_DIR" \
-      --action move \
-      --conflict auto \
-      -non-strict \
-      --log-file "$LOG_FILE" \
-      --def \
-        excludeList="$EXCLUDE_LIST" \
-        movieFormat="$OUTPUT_DIR/movies/{n} ({y})/{n} ({y}) - {vf}" \
-        seriesFormat="$OUTPUT_DIR/tv-shows/{n}/Season {s.pad(2)}/{n} - {s00e00} - {t}" \
-        ut_dir="$DOWNLOAD_DIR" \
-        ut_kind=multi \
-        clean=y \
-        skipExtract=y
-
-    # Clean up empty directories
-    find "$DOWNLOAD_DIR" -type d -empty -delete 2>/dev/null || true
-
-    echo "$(date): FileBot processing completed" >> "$LOG_FILE"
-  '';
-
-  pyloadUser = {
-    isSystemUser = true;
-    uid = cids.uids.pyload;
-    group = "pyload";
-    home = "/var/lib/pyload";
-    createHome = true;
-  };
-  pyloadGroup = {
-    gid = cids.gids.pyload;
-  };
-
-  jellyfinUser = {
-    isSystemUser = true;
-    uid = cids.uids.jellyfin;
-    group = "jellyfin";
-    home = "/var/lib/jellyfin";
-    createHome = true;
-    extraGroups = [ "render" "video" ];
-  };
-  jellyfinGroup = {
-    gid = cids.gids.jellyfin;
-  };
-
-  filebotUser = {
-    isSystemUser = true;
-    uid = cids.uids.filebot;
-    group = "filebot";
-    home = "/var/lib/filebot";
-    createHome = true;
-    extraGroups = [ "pyload" "jellyfin" ];  # Access to both download and media directories
-  };
-  filebotGroup = {
-    gid = cids.gids.filebot;
-  };
-in
-{
-  users.users.pyload = pyloadUser;
-  users.groups.pyload = pyloadGroup;
-  users.users.jellyfin = jellyfinUser;
-  users.groups.jellyfin = jellyfinGroup;
-  users.users.filebot = filebotUser;
-  users.groups.filebot = filebotGroup;
-
-  # Create the directory structure on the host
-  systemd.tmpfiles.rules = [
-    "d /var/lib/downloads 0755 pyload pyload - -"
-    "d /var/lib/multimedia 0775 root jellyfin - -"
-    "d /var/lib/multimedia/movies 0775 jellyfin jellyfin - -"
-    "d /var/lib/multimedia/tv-shows 0775 jellyfin jellyfin - -"
-    "d /var/lib/multimedia/music 0755 jellyfin jellyfin - -"
-    "d /var/lib/jellyfin 0755 jellyfin jellyfin - -"
-    "d /var/lib/filebot 0755 filebot filebot - -"
-  ];
-
-  # FileBot license secret
-  sops.secrets.filebot-license = {
-    mode = "0440";
-    owner = config.users.users.root.name;
-    group = config.users.groups.root.name;
-  };
-
-  containers.pyload = {
-    autoStart = true;
-    ephemeral = false;
-    privateNetwork = true;
-    hostBridge = "server";
-    hostAddress = "${networkPrefix}.97.1";
-    localAddress = "${networkPrefix}.97.11/24";
-
-    # GPU device passthrough for hardware transcoding
-    allowedDevices = [
-      {
-        modifier = "rwm";
-        node = "/dev/dri/card0";
-      }
-      {
-        modifier = "rwm";
-        node = "/dev/dri/renderD128";
-      }
-    ];
-
-    bindMounts = {
-      "/dev/dri" = {
-        hostPath = "/dev/dri";
-        isReadOnly = false;
-      };
-      "/run/opengl-driver" = {
-        hostPath = "/run/opengl-driver";
-        isReadOnly = true;
-      };
-      "/nix/store" = {
-        hostPath = "/nix/store";
-        isReadOnly = true;
-      };
-      "/var/lib/pyload" = {
-        hostPath = "/var/lib/pyload";
-        isReadOnly = false;
-      };
-      "/var/lib/jellyfin" = {
-        hostPath = "/var/lib/jellyfin";
-        isReadOnly = false;
-      };
-      "/downloads" = {
-        hostPath = "/var/lib/downloads";
-        isReadOnly = false;
-      };
-      "/multimedia" = {
-        hostPath = "/var/lib/multimedia";
-        isReadOnly = false;
-      };
-      "/var/lib/filebot" = {
-        hostPath = "/var/lib/filebot";
-        isReadOnly = false;
-      };
-      "/var/lib/filebot/license.psm" = {
-        hostPath = config.sops.secrets.filebot-license.path;
-        isReadOnly = true;
-      };
-    };
-
-    config = { lib, config, pkgs, ... }: {
-      nixpkgs.overlays = [
-        (import ../utils/overlays/packages.nix)
-      ];
-
-
-      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
-        "unrar"
-        "filebot"
-      ];
-
-      environment.systemPackages = with pkgs; [
-        unrar    # Required for RAR archive extraction
-        filebot  # Automated media file organization
-      ];
-
-      # Intel graphics support for hardware transcoding
-      hardware.graphics = {
-        enable = true;
-        extraPackages = with pkgs; [
-          intel-media-driver
-          vpl-gpu-rt
-          intel-compute-runtime
-        ];
-      };
-
-      # Set VA-API driver to iHD (modern Intel driver for N100)
-      environment.sessionVariables = {
-        LIBVA_DRIVER_NAME = "iHD";
-      };
-
-      networking = {
-        hostName = "pyload";
-        useHostResolvConf = false;
-        defaultGateway = {
-          address = "${networkPrefix}.97.1";
-          interface = "eth0";
-        };
-        nameservers = [ "${networkPrefix}.97.1" ];
-        firewall.enable = false;
-      };
-
-      services.pyload = {
-        enable = true;
-        downloadDirectory = "/downloads";
-        listenAddress = "0.0.0.0";
-        port = 8000;
-      };
-
-      services.jellyfin = {
-        enable = true;
-        openFirewall = true;
-      };
-
-      # Override systemd hardening for GPU access
-      systemd.services.jellyfin = {
-        serviceConfig = {
-          PrivateUsers = lib.mkForce false;  # Disable user namespacing - breaks GPU device access
-          DeviceAllow = [
-            "/dev/dri/card0 rw"
-            "/dev/dri/renderD128 rw"
-          ];
-          SupplementaryGroups = [ "render" "video" ];  # Critical: Explicit group membership for GPU access
-        };
-        environment = {
-          LIBVA_DRIVER_NAME = "iHD";  # Ensure service sees this variable
-        };
-      };
-
-      # Disable SSL certificate verification
-      systemd.services.pyload = {
-        environment = {
-          PYLOAD__GENERAL__SSL_VERIFY = "0";
-
-          # Enable ExtractArchive plugin
-          PYLOAD__EXTRACTARCHIVE__ENABLED = "1";
-          PYLOAD__EXTRACTARCHIVE__DELETE = "1";
-          PYLOAD__EXTRACTARCHIVE__DELTOTRASH = "0";
-          PYLOAD__EXTRACTARCHIVE__REPAIR = "1";
-          PYLOAD__EXTRACTARCHIVE__RECURSIVE = "1";
-          PYLOAD__EXTRACTARCHIVE__FULLPATH = "1";
-        };
-
-        # Bind-mount DNS configuration files and system tools into the chroot
-        serviceConfig = {
-          BindReadOnlyPaths = [
-            "/etc/resolv.conf"
-            "/etc/nsswitch.conf"
-            "/etc/hosts"
-            "/etc/ssl"
-            "/etc/static/ssl"
-            # Make all system packages (including unrar and filebot) accessible
-            "/run/current-system/sw/bin"
-          ];
-        };
-      };
-
-      # FileBot processing service
-      systemd.services.filebot-process = {
-        description = "FileBot media file processing";
-        serviceConfig = {
-          Type = "oneshot";
-          User = "filebot";
-          Group = "filebot";
-          ExecStart = "${filebotScript}";
-        };
-      };
-
-      # Watch for completed downloads and trigger FileBot
-      systemd.paths.filebot-watch = {
-        description = "Watch for completed downloads";
-        wantedBy = [ "multi-user.target" ];
-        pathConfig = {
-          PathModified = "/downloads";
-          Unit = "filebot-process.service";
-        };
-      };
-
-      # Ensure render/video groups exist with consistent GIDs for GPU access
-      users.groups.render = { gid = 303; };
-      users.groups.video = { gid = 26; };
-
-      users.users.pyload = pyloadUser;
-      users.groups.pyload = pyloadGroup;
-      users.users.jellyfin = jellyfinUser;
-      users.groups.jellyfin = jellyfinGroup;
-      users.users.filebot = filebotUser;
-      users.groups.filebot = filebotGroup;
-
-      system.stateVersion = "24.05";
-    };
-  };
-}

hosts/fw/modules/pyload/default.nix

@@ -0,0 +1,153 @@
+{ config, pkgs, ... }:
+let
+  cids = import ../staticids.nix;
+  networkPrefix = config.networkPrefix;
+  filebotScript = pkgs.callPackage ./filebot-process.nix {};
+
+  pyloadUser = {
+    isSystemUser = true;
+    uid = cids.uids.pyload;
+    group = "pyload";
+    home = "/var/lib/pyload";
+    createHome = true;
+    extraGroups = [ "jellyfin" ];  # Access to multimedia directories
+  };
+  pyloadGroup = {
+    gid = cids.gids.pyload;
+  };
+
+  jellyfinUser = {
+    isSystemUser = true;
+    uid = cids.uids.jellyfin;
+    group = "jellyfin";
+    home = "/var/lib/jellyfin";
+    createHome = true;
+    extraGroups = [ "render" "video" ];
+  };
+  jellyfinGroup = {
+    gid = cids.gids.jellyfin;
+  };
+in
+{
+  users.users.pyload = pyloadUser;
+  users.groups.pyload = pyloadGroup;
+  users.users.jellyfin = jellyfinUser;
+  users.groups.jellyfin = jellyfinGroup;
+
+  # Create the directory structure on the host
+  systemd.tmpfiles.rules = [
+    "d /var/lib/downloads 0755 pyload pyload - -"
+    "d /var/lib/multimedia 0775 root jellyfin - -"
+    "d /var/lib/multimedia/movies 0775 jellyfin jellyfin - -"
+    "d /var/lib/multimedia/tv-shows 0775 jellyfin jellyfin - -"
+    "d /var/lib/multimedia/music 0755 jellyfin jellyfin - -"
+    "d /var/lib/jellyfin 0755 jellyfin jellyfin - -"
+
+    # PyLoad hook scripts directory
+    "d /var/lib/pyload/config 0755 pyload pyload - -"
+    "d /var/lib/pyload/config/scripts 0755 pyload pyload - -"
+    "d /var/lib/pyload/config/scripts/package_extracted 0755 pyload pyload - -"
+    "L+ /var/lib/pyload/config/scripts/package_extracted/filebot-process.sh - - - - ${filebotScript}/bin/filebot-process"
+  ];
+
+  # FileBot license secret
+  sops.secrets.filebot-license = {
+    mode = "0440";
+    owner = "pyload";
+    group = "pyload";
+  };
+
+  containers.pyload = {
+    autoStart = true;
+    ephemeral = false;
+    privateNetwork = true;
+    hostBridge = "server";
+    hostAddress = "${networkPrefix}.97.1";
+    localAddress = "${networkPrefix}.97.11/24";
+
+    # GPU device passthrough for hardware transcoding
+    allowedDevices = [
+      {
+        modifier = "rwm";
+        node = "/dev/dri/card0";
+      }
+      {
+        modifier = "rwm";
+        node = "/dev/dri/renderD128";
+      }
+    ];
+
+    bindMounts = {
+      "/dev/dri" = {
+        hostPath = "/dev/dri";
+        isReadOnly = false;
+      };
+      "/run/opengl-driver" = {
+        hostPath = "/run/opengl-driver";
+        isReadOnly = true;
+      };
+      "/nix/store" = {
+        hostPath = "/nix/store";
+        isReadOnly = true;
+      };
+      "/var/lib/pyload" = {
+        hostPath = "/var/lib/pyload";
+        isReadOnly = false;
+      };
+      "/var/lib/jellyfin" = {
+        hostPath = "/var/lib/jellyfin";
+        isReadOnly = false;
+      };
+      "/downloads" = {
+        hostPath = "/var/lib/downloads";
+        isReadOnly = false;
+      };
+      "/multimedia" = {
+        hostPath = "/var/lib/multimedia";
+        isReadOnly = false;
+      };
+      "/var/lib/pyload/filebot-license.psm" = {
+        hostPath = config.sops.secrets.filebot-license.path;
+        isReadOnly = true;
+      };
+    };
+
+    config = { lib, config, pkgs, ... }: {
+      nixpkgs.overlays = [
+        (import ../../utils/overlays/packages.nix)
+      ];
+
+      imports = [
+        ./pyload.nix
+        ./jellyfin.nix
+      ];
+
+      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+        "unrar"
+        "filebot"
+      ];
+
+      networking = {
+        hostName = "pyload";
+        useHostResolvConf = false;
+        defaultGateway = {
+          address = "${networkPrefix}.97.1";
+          interface = "eth0";
+        };
+        nameservers = [ "${networkPrefix}.97.1" ];
+        firewall.enable = false;
+      };
+
+      # Ensure render/video groups exist with consistent GIDs for GPU access
+      users.groups.render = { gid = 303; };
+      users.groups.video = { gid = 26; };
+
+      users.users.pyload = pyloadUser;
+      users.groups.pyload = pyloadGroup;
+      users.users.jellyfin = jellyfinUser;
+      users.groups.jellyfin = jellyfinGroup;
+
+      system.stateVersion = "24.05";
+    };
+  };
+}

hosts/fw/modules/pyload/filebot-process.nix

@@ -0,0 +1,89 @@
+{ pkgs }:
+
+pkgs.writeShellScriptBin "filebot-process" ''
+  #!/usr/bin/env bash
+  set -euo pipefail
+
+  # FileBot AMC script for automated media organization
+  # Called by PyLoad's package_extracted hook with parameters:
+  # $1 = package_id
+  # $2 = package_name
+  # $3 = download_folder (actual path to extracted files)
+  # $4 = password (optional)
+
+  PACKAGE_ID="''${1:-}"
+  PACKAGE_NAME="''${2:-unknown}"
+  DOWNLOAD_DIR="''${3:-/downloads}"
+  PASSWORD="''${4:-}"
+
+  OUTPUT_DIR="/multimedia"
+  LOG_FILE="/var/lib/pyload/filebot-amc.log"
+  EXCLUDE_LIST="/var/lib/pyload/filebot-exclude-list.txt"
+
+  # Ensure FileBot data directory exists
+  mkdir -p /var/lib/pyload/.local/share/filebot/data
+  mkdir -p "$(dirname "$LOG_FILE")"
+  touch "$EXCLUDE_LIST"
+
+  # Install FileBot license if not already installed
+  if [ ! -f /var/lib/pyload/.local/share/filebot/data/.license ]; then
+    echo "$(date): Installing FileBot license..." >> "$LOG_FILE"
+    ${pkgs.filebot}/bin/filebot --license /var/lib/pyload/filebot-license.psm || true
+  fi
+
+  echo "===========================================" >> "$LOG_FILE"
+  echo "$(date): PyLoad package extracted hook triggered" >> "$LOG_FILE"
+  echo "Package ID: $PACKAGE_ID" >> "$LOG_FILE"
+  echo "Package Name: $PACKAGE_NAME" >> "$LOG_FILE"
+  echo "Download Directory: $DOWNLOAD_DIR" >> "$LOG_FILE"
+  echo "===========================================" >> "$LOG_FILE"
+
+  # Check if download directory exists and has media files
+  if [ ! -d "$DOWNLOAD_DIR" ]; then
+    echo "$(date): Download directory does not exist: $DOWNLOAD_DIR" >> "$LOG_FILE"
+    exit 0
+  fi
+
+  # Check if there are any video/media files to process
+  if ! find "$DOWNLOAD_DIR" -type f \( -iname "*.mkv" -o -iname "*.mp4" -o -iname "*.avi" -o -iname "*.m4v" -o -iname "*.mov" \) -print -quit | grep -q .; then
+    echo "$(date): No media files found in: $DOWNLOAD_DIR" >> "$LOG_FILE"
+    echo "$(date): Skipping FileBot processing" >> "$LOG_FILE"
+    exit 0
+  fi
+
+  echo "$(date): Starting FileBot processing" >> "$LOG_FILE"
+
+  # Run FileBot AMC script
+  set +e  # Temporarily disable exit on error to capture exit code
+  ${pkgs.filebot}/bin/filebot \
+    -script fn:amc \
+    --output "$OUTPUT_DIR" \
+    --action move \
+    --conflict auto \
+    -non-strict \
+    --log-file "$LOG_FILE" \
+    --def \
+      excludeList="$EXCLUDE_LIST" \
+      movieFormat="$OUTPUT_DIR/movies/{n} ({y})/{n} ({y}) - {vf}" \
+      seriesFormat="$OUTPUT_DIR/tv-shows/{n}/Season {s.pad(2)}/{n} - {s00e00} - {t}" \
+      ut_dir="$DOWNLOAD_DIR" \
+      ut_kind=multi \
+      clean=y \
+      skipExtract=y
+
+  FILEBOT_EXIT_CODE=$?
+  set -e  # Re-enable exit on error
+
+  if [ $FILEBOT_EXIT_CODE -ne 0 ]; then
+    echo "$(date): FileBot processing failed with exit code $FILEBOT_EXIT_CODE" >> "$LOG_FILE"
+    exit 0  # Don't fail the hook even if FileBot fails
+  fi
+
+  echo "$(date): FileBot processing completed successfully" >> "$LOG_FILE"
+
+  # Clean up any remaining empty directories
+  find "$DOWNLOAD_DIR" -type d -empty -delete 2>/dev/null || true
+
+  echo "$(date): All processing completed" >> "$LOG_FILE"
+  exit 0
+''

hosts/fw/modules/pyload/jellyfin.nix

@@ -0,0 +1,36 @@
+{ lib, pkgs, ... }: {
+  # Intel graphics support for hardware transcoding
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      vpl-gpu-rt
+      intel-compute-runtime
+    ];
+  };
+
+  # Set VA-API driver to iHD (modern Intel driver for N100)
+  environment.sessionVariables = {
+    LIBVA_DRIVER_NAME = "iHD";
+  };
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  # Override systemd hardening for GPU access
+  systemd.services.jellyfin = {
+    serviceConfig = {
+      PrivateUsers = lib.mkForce false;  # Disable user namespacing - breaks GPU device access
+      DeviceAllow = [
+        "/dev/dri/card0 rw"
+        "/dev/dri/renderD128 rw"
+      ];
+      SupplementaryGroups = [ "render" "video" ];  # Critical: Explicit group membership for GPU access
+    };
+    environment = {
+      LIBVA_DRIVER_NAME = "iHD";  # Ensure service sees this variable
+    };
+  };
+}

hosts/fw/modules/pyload/pyload.nix

@@ -0,0 +1,69 @@
+{ pkgs, lib, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    unrar    # Required for RAR archive extraction
+    p7zip    # Required for 7z and other archive formats
+  ];
+
+  services.pyload = {
+    enable = true;
+    downloadDirectory = "/downloads";
+    listenAddress = "0.0.0.0";
+    port = 8000;
+  };
+
+  # Configure pyload service
+  systemd.services.pyload = {
+    # Add extraction tools to service PATH
+    path = with pkgs; [
+      unrar    # For RAR extraction
+      p7zip    # For 7z extraction
+    ];
+
+    environment = {
+      # Disable SSL certificate verification
+      PYLOAD__GENERAL__SSL_VERIFY = "0";
+
+      # Download speed limiting (150 Mbit/s = 19200 KiB/s)
+      PYLOAD__DOWNLOAD__LIMIT_SPEED = "1";
+      PYLOAD__DOWNLOAD__MAX_SPEED = "19200";
+
+      # Enable ExtractArchive plugin
+      PYLOAD__EXTRACTARCHIVE__ENABLED = "1";
+      PYLOAD__EXTRACTARCHIVE__DELETE = "1";
+      PYLOAD__EXTRACTARCHIVE__DELTOTRASH = "0";
+      PYLOAD__EXTRACTARCHIVE__REPAIR = "1";
+      PYLOAD__EXTRACTARCHIVE__RECURSIVE = "1";
+      PYLOAD__EXTRACTARCHIVE__FULLPATH = "1";
+
+      # Enable ExternalScripts plugin for hooks
+      PYLOAD__EXTERNALSCRIPTS__ENABLED = "1";
+      PYLOAD__EXTERNALSCRIPTS__UNLOCK = "1";  # Run hooks asynchronously
+    };
+
+    # Bind-mount DNS configuration files into the chroot
+    serviceConfig = {
+      BindReadOnlyPaths = [
+        "/etc/resolv.conf"
+        "/etc/nsswitch.conf"
+        "/etc/hosts"
+        "/etc/ssl"
+        "/etc/static/ssl"
+      ];
+      # Bind mount multimedia directory as writable for FileBot hook scripts
+      BindPaths = [ "/multimedia" ];
+
+      # Override SystemCallFilter to allow @resources syscalls
+      # FileBot (Java) needs resource management syscalls like setpriority
+      # during cleanup operations. Still block privileged syscalls for security.
+      # Use mkForce to completely replace the NixOS module's default filter.
+      SystemCallFilter = lib.mkForce [
+        "@system-service"
+        "@resources"       # Explicitly allow resource management syscalls
+        "~@privileged"     # Still block privileged operations
+        "fchown"           # Re-allow fchown for FileBot file operations
+        "fchown32"         # 32-bit compatibility
+      ];
+    };
+  };
+}

hosts/fw/modules/web/n8n.nix

@@ -19,21 +19,19 @@
   };
 
   # n8n service configuration
-  services.n8n = {
+  services.n8n.enable = true;
-    enable = true;
-    settings = {
-      database.type = "postgresdb";
-      database.postgresdb.host = "/run/postgresql";
-      database.postgresdb.database = "n8n";
-      database.postgresdb.user = "n8n";
-      executions.pruneData = true;
-      executions.pruneDataMaxAge = 168; # 7 days
-    };
-  };
 
-  # Configure git integration via environment variables
+  # Configure n8n via environment variables
   systemd.services.n8n = {
     environment = lib.mkForce {
+      # Database configuration (migrated from services.n8n.settings)
+      DB_TYPE = "postgresdb";
+      DB_POSTGRESDB_HOST = "/run/postgresql";
+      DB_POSTGRESDB_DATABASE = "n8n";
+      DB_POSTGRESDB_USER = "n8n";
+      EXECUTIONS_DATA_PRUNE = "true";
+      EXECUTIONS_DATA_MAX_AGE = "168"; # 7 days
+      # Other settings
       N8N_ENCRYPTION_KEY = ""; # Will be set via environmentFile
       N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
       N8N_DIAGNOSTICS_ENABLED = "false";

hosts/fw/modules/web/proxies.nix

@@ -41,6 +41,7 @@
     # Restrict to internal LAN only
     extraConfig = ''
       allow ${config.networkPrefix}.96.0/24;
+      allow ${config.networkPrefix}.97.0/24;
       allow ${config.networkPrefix}.98.0/24;
       deny all;
     '';
@@ -59,6 +60,7 @@
     # Restrict to internal LAN only
     extraConfig = ''
       allow ${config.networkPrefix}.96.0/24;
+      allow ${config.networkPrefix}.97.0/24;
       allow ${config.networkPrefix}.98.0/24;
       allow ${config.networkPrefix}.99.0/24;
       deny all;

hosts/fw/secrets.yaml

@@ -1,69 +1,69 @@
-ai-mailer-imap-password: ENC[AES256_GCM,data:mZrq13pJLpscWxNRAm5B/nU60w==,iv:Y6DV+5upNLg5csxqCWKPV8dHXhl+eGJNBI5tar7OV3o=,tag:enTXX8Y2ZM30UmGA6h+8rA==,type:str]
+ai-mailer-imap-password: ENC[AES256_GCM,data:q9eJ9Tom+X6KxQJhWQTUB61k5A==,iv:FH+IUWi2yZBBgMiL/kNW470GEVHEG3fImf0bel9og/c=,tag:RSlcpXwmNyLB8Oc/K2Epvw==,type:str]
-ai-mailer-openrouter-key: ENC[AES256_GCM,data:6zeI8NlawmLppsaGY9V1tY8ExfAXNMRHDcthKpSSyaKcaGGh6Mrb2ZxB4IWNnyzziI1VPLE7MAW/rrszIi2y6bFayENZXMlJoA==,iv:bVNQGwN7c7KxuH3D70ScB9SR+82iFxAZyUPD6qCDjkE=,tag:gO0Vbb7Ac79DiGdjeNPFQw==,type:str]
+ai-mailer-openrouter-key: ENC[AES256_GCM,data:EvI0BuCBA1uYOderjAVcB8RSk7un7tiKmgsSe70KQcmfu3CxmQerP/2kQsRTJ0/6pWf4QqNpaes691O3nf+UG1qgG2CUcIaYRQ==,iv:OYEy0xMs+vkGa0qMtY4UP/iol5JPQ0eFVyPpPXLAmUE=,tag:5PeXZcI8TRSUOyuKs0STWg==,type:str]
-borg-passphrase: ENC[AES256_GCM,data:M3dTj9TYbpB89gJSAGy0Q2mfb6OijFGN/lQsSsws4Ggy1AzLlMyP/l1YTADOS/j7enBYyoatQ2x/Bxm7inM5OK7LCO8=,iv:CMKjg7Oa9GlpeqSg1WsYfB26Fy2C2n8FOzpx3ryfn+A=,tag:OdENe09TTLOdMXbw0tzU+Q==,type:str]
+borg-passphrase: ENC[AES256_GCM,data:GGmf09zX5wQ8Fih1EyP1p3up9ckFjVKsktU6ZFwvuZnG/O2OyOod66qXc/IXx8GQordubZ3TgisOeMLNnSowp2qylh8=,iv:fFgw/x8Ww9cInkNlPIoE3stUfISbfk46PBj7aimuXNA=,tag:hnNYrkLgt1qJc+gN5s9L2Q==,type:str]
-borg-ssh-key: ENC[AES256_GCM,data:TtaSmHzEaTPV+U4EwMupHh9pjUWDoNPoxSjmLLP0KvUEHMrkLLlF1WRi3M5+uM8eLZAtjiezuNOa0yndevG5WisuBZd3dgOkojEoyoIrjbmW+ZYe4/z0TLmdmG8NofnV8Tl9Ygu2bTwLdGGQYhXxz0dmeaiilzM6l6uA6gjdQ43aqQGY87BMIDRgMoHLraebF6NL9k+LcFv2S9UPah3ovK2zx6aoaFxul5nvZjZ1Kj8bTrGuTWsK35McTjJAiXHYtTG5rTMSISOc/AZSmleDcfVZ28bT15I11pnB5ZUEo9ugNqGiRcwFhnqsoAqck4ke0H72ieecnZUVSot5Jk1ebA1fAgRvkCdruFzfw0TSgPJ4bjj3FILNKDazYIjTbIo5ApKbo04ZjrUCILeUFDEFtLlt2cLLYrk/aAqHdh1wmu5YBcRGvALWClymG0GDPxYiqSd+rNCwBJgbgS2O+fbmH1NpbhiGzVnLTSmw/RhHizoK7LXwPHaJ/EGaFHv+AoHLbB9XyOPWqxJKLCo/7Zc7VzahvKNIJZIXjuz3pSVHAcCJngTqeZ5Giwxm84wqgf3ewLthG2PH1WRM/L+u1fuM+e1xo+QSndBjXc+54Hvd+e8Bh9g93PgCK9gGChaFQRgnwySx3WA0IyjoRvUsAfSZ2Ev0CwX6BPQHsf3HZxzCyGUD/z0ndpl5YGz36c3huMQ0tvz9okOg7ZBAeN/VL4kypWr8auaXH2vDlJoSmid3EbwLXBJ6i3//gF8b13zJSEzCdqOfdHdYgyhSAVl4UF4yptcZmX0Q8BhFuw6RXb/HU/ZPN9cxrYBhUFszzjazA1ZLP/uhSni2AkOBpeki2uBbmdJecTStEBFK6RmtIShhF1hVWcE2pbXMkQM4xj9yG0wvlPK8Qy60W89gK5gXhyMPY+WrOFiBx5O0YboO1SLMrxRAOIrGulNQKGhF8cAmR1O7Qhr8lA6o9K+KpN8QGxYayOVnxML+DZuqxa/eqp92Gequi4KOH8WHtGthEom9fmozS6DvIEf1m/sL2f41WhzClDTDrb7SvAxmuk1Cr2afzWpODCrx1GRtF2OdsPee4B2Kt2L6gInMzUrsGHW/ve+1SOJ1gJ8PN7MTk64wu/6Jw4BpUtICAwQuchKYFkP8Dg+vqa3C7c7QNB0HdEuaQI18wY2oxe83wfckVPf8ZH2yBdxHVlksW8pOnwGTqZIRWZzejmCQoZaQsjnXm0MxN4eXfcgQ1rxPP8D5Dsdn/xQbj0ydCK6dBJY4sj2eTTSWoW06kHYZVwNoPrk3mLEc0jQJ1WsEzD8GHMcaxYVkFZ4WHC88Kt3WurYGhNCBNSP8B+trcUi0HrSf+m/9mgjwfbv5NLByON49uNNyJZfc8sxOlvXzqTpn6gLh5gvkX/ABBBjdNElh9MwmiOiyi7V3+aypYfg/VPTUWipSY6VVYNuFVVklHirS8ZSUQc2U0IpyIUTrYeCKX9+kjTpT+jFm+KW63AhioFah9ndNGrGmyng8qJB69rwTxxbS5XCFmx5jbu+wD8AB6hZmaUv4rxOWM8ztUK6ZMnQhe61dojd8YFZif3G2+dtJ3wdr3YuHCRObuGCwrcnLImgdCnkIKDdMpwpKSi4qIiyk/w2kKzJyZvCYdVyLl3XLfYuvdNtCkM7L+EXklWPpdYIda7+wp2QUB6txdU6/6PNrwZNr4jQZ6oGpLd/rz1wdFJQIyf9QLXxzNwmDMrCTkeYV/nVw8PQUo0gH6qthYufdPFckzomUcCLXyHexPlRWzU2/sEUqDfE3lhghC6kzUrBfnRVglOkDi4xct0FdDx3i1VXJ9YmvhWgt45aLRr7aeOWXF98XMKuFDuP3ooIhOybAVK9JJxKo0oWStc8Llxy7hK5lb3c9l+UT7cC2sv5rJZ94fNPcCQ5ylCyT9qPvWgOgagA4oxqsZLlLNm2xk+8Zn1gS7yCEXB5nfGbFGZ8O8rm17C1JUgpNEFmtlZqNasbfh+DrSGIK494M/GJnenL7Ufhor4eBYd7oi+Zg4jvvOsxSB/P3jRPkISrtsdRr5ccLxQOaLTQRcROaJF8zTqiBA0axo/cnKgziuuJ3FmzbAG4pao0ftEWw+awim290F3KfNOPEWbtcCXDoU0GSdcsGdM1MNcmDfFyPrtrLBIsszTLt9PVDlOxIVFLhyj93tq6ZMull4U9+fjYvMmSqwdyk3u/DFQSYWUoEILJU4bFkS+QvNYwh0WuPRmvubAaEH/+DaEeFPi68yBr8VgmkmMH14CHGVrB2K1C6Fqy5PzA109BVakn4egT6gTWsnySTTqjF6vlHgk3CDikQeiA6A0sbk8Bq8SIj/RskAEiVXy3SRU9Q2CDoK+uYEIKOt2+NsBFyCwoMRNcwV1HojIK85xwq6Nf5Up0qKhLbTD+cw4Dd2Zto4M2W3lnmQiM2wF/JCHx4hDvVMVh1CCfbUG28d1Mn8LTtXaLxYi7rl57itttPxnVwnGSGNtL3WFoI12pfzkbAl6Qjjs+m4dP1j9cQFStzzGPJ2gWivH6CLftKROGph3dmH+bgXwgMM16XOMPzj5/+DQrcdPh9yApdasCoYCeg2GALWExgWjFFQYDK7RL3SKMWvDg7jrUpVKkzrdz8DEPcBS8qHgWaZFieJkbNJFv6URxiOBMka658LYLyXrneHgQiC1R55xV6j0SnvGZ4iRnvTUcr8sxQApeL9XOn45ce5ccWu6bokgxdPIe/NjkzhGNC+4C051uw+DCNPnIE4OqTr0gjVWWhim+rcDneP5L9Xc4DtyYMh84oplacwRiTTM4hduhQu5nZBZeHrYFU141R7CW4nHGJSkJMCKfiXSPkid4sxfGY4VS3Jc6mMT5PBb5dazbDrPwVQl6S0Yg+e3mQZ/N1KKWEPNSzgBnbb6S0u4pyJVM9F3ZwQsUNb4+dP/I399nPVKjqz06FpdkewcNG8wnrgH82GktJRi6A657vMcq1xP2lWPFE1IB4KyAzSmXfDircX29ItoIyvTFm3T9wUqHsc59/YKk8ztOiieQkul+83boe31R/Henb20q3SQ7x0cZ7kS1wZpaxE3+LedlGj16o96nd77gda98/rRUpFoc825aV9ttt2kW7MxGeVwJ1fuNrA0mdWVgSGSI2HL2r4chU3H8dTFOagzetnYlf7ho8W8ytThvumIYqiP4LEFHiGeZbxhPl+LnAlTw+w+ANKzlYEV1Q4ZkGoboY9AnKsudR2ePIKSeApRv/lo8X2PZpBDasLCHz4UOo1iq8eRhZTBnXH/GeL2S94Zxm1iagjnTnNdoMFG6MR1dwHh4cZgky5BUjVnZqgjkpZfXEQijf4T4i/O7UILa3EmeWdioRKES+gevof5hvOkWNg9YMINcZv9sRL6VL46KfhvFrqOVDfL2f7gE1c2ILuJOgAWSQxvCKdJ7z/G8vFxYbFVjerFprQsTD19rLN+q1c+tTwsXCJ94How==,iv:j9VYSEdwLNYw2vWFOvCldUQPxyoDP4LmTd6hh1gvOKs=,tag:ITNYqqAqVRIjd/tK3PBquw==,type:str]
+borg-ssh-key: ENC[AES256_GCM,data:I7hErgUwWDIxKLdw2FPKuTx9aOcqF/EhOIyU3pfd5QA9sQZkZT/c+IU3b0rNdi6OL6KYDQ8+pMhFuDB7Tcna17etB5HQYnWR6L/QDv5rZTHAHbhTNUEk8w+4zIsvffKJlfObM6qnKZhZbCZT4CvbbvFqmg1KxkFqhpMZSOfR4hpvsNVqEmagygYxuPUSamWgb0y8+CFBxgR8FVEz36tJW8bH7110ZupfkF3P/DNgw9Mci5tYHdrzu6CU5YhbpW+hx88U62rvenWc4T0r7gVcEZYjkVExPJRKs994UVCZO22e8Kx8cy9OZo0S4FBgFfT8Kx8HkYX5viBnwxZrWRsw1ober2LIa48Yc9Sh1cuf1HqD3HSwEc90LuXP0EFKwJLm8MJ3Y26fLLz+NMQhVtug6lAt2cUZj1qapgMiSznw1RJv7nEJNKRx4rKGDdzf4gJ1Nn1DcuS1gPe+WMd2K1WoGB+QiBRIvCvv8f6YrnanNS5YDt5W11vrh2YK6u4JVjehbScoG32ikv2YAYD6HxkNmIyPAwKXM1hIdk91d55bk/feXDLSGsnlBcSdQ7AgBDKEy4UDLEvUPKwNgxur2t9PgEa+AHXZSjhQOpYVEHQI7qzALgSR5v9lEpPLvz4Oa26VwglMwyKcCxB6vYhz5CXnRXXuypBi0TAEtnWsQaUQrcYNduEkNTi5BwtGYJSwD0nVxOFQhqxwbCvQSbW4iT1QBHbvfEGhKtsDIetZrx2DL96aQ0maj9B08O5ODsiQsZzyc68vyS80Ctn6dd/7BIeJka1ciCbXrZiWXHa4Ibrfp4pdjTfLVXhvqocNolLQupwqxXdCMI7pmZYrcQEY6VmyYmuePWOQr76/ed4QG3mhmAJN16SZw3SlDo02LxF7qiQV1oCojpeqxdWnr0jh+tG8z2hzK4cODvwnNx1XCq8O1P8A2vcuk7mzCnB3tTMtLdIGh6kF0V8I6l4zidJkDPRhqB/LonbK6Gj1OixqgL9aJ3Od0ahF3rOq/SnMQWg+MJkJUv0CV9KJCJZ5FoHv9JfChzTG76PsrXtAFGoXwHMsrjJi/1E1UxSFV7TuD48FB1fRleWrt1Zhbefaq6aDfYPCiRLbpNbQlepnX8mRzMfXleq/ESZqXHKaG2dza9R7hiaJFOd5OTXrqoaf3spIRCdhSAhvd6ChpD+NtFssqUWaAXmZuVQhg/udVOGGW+mOgd6pRKoFjOXkD5bnVf27KY+w1EHTOUNoKWtZlLWmmsbJBF8MGc3E5XIGM+Mlq0E5mNSWB/XwnionuUTGg1+gUUCcCbcmOm7P6J3k4l3ZLhuu4ilw+wV31pjednAnw/IIw9r4lMGL0RN+zJL7leE6FT+fFqdjRx3ZCdCFGxjrmJgugtfZECjgR6nHQWk2zLv81fi6OD38wBFeeMe7Bm7fV0A7+oHYrTXyvxuo5aXfv3pOacAGnUulbhWUIcsN/GTFzcGio5iBlIOI7yI6EeW6VcLbXm+ISw2YHv/zhMFCDrOeXn5jYCI5zwi31+T+XTIuku0DOr+k7WnS8WKWQhdlhuLUp8XpNdUVwegfrZoU3xWo46WbUWrtOcpBoQguvjGvVYelb/FHWx6k8mQy/9Ke7juaPXgrhKclAA1pyKuOvFjO8UuUI/KBMZGTWtnAxrS+cOTdf8CBhw5smJ782wyvYkxQJfddfcUU42TWGLSpLUJUYc0kAjbbAEfKkWQw73tCPH68VPSq4/3nWH6lS95bMayn5yj9B8pnl5Ml1Fv7q1SAj/F5FrC5uLB7QBUP8alKQoLvpCCkXwRQn6FHPzTPoKMmkmRCuqrVmG0blyyY1PtZq+hzfYw2oM7kPwElXKUMo+Pd7bJKerRcTRir0odIMyKXNXCu+OC2/WhcLLfwuiW9PH5clbCt3gjjM4XSMsz/vxxwasuN+WnzFHuTlL2DN21rSFNKjPR7b9FfifQObQQCfEE+GBAeid8OsLU+7Uk+0PvjWq072HOMU+fkbgdISLp1wmafOjjt68hsnxx/dtsqTxaE+mBCTnLlBdSJOHi9JvcAC8QZD/fHUVGd0EpItUQJCePaWSVjkg3Sd5wYR5zko7WHAW0iuGXqZUQkNJpMm93w8cygkAiNJMffM4FkCM3yXpSwBqpjN6+OHNtcHzDIjwwUCMigyqHKvCkalcsgSLus0451Z7m6FsUnOvlkIZxWovQEQVqVDwa42g7EqPyaVghaUmIsUo23Dlz/eNPM/HmgqtdQN6+vJTgK4kdkX2HBqEpPvNn7Faa1hW/gfLIVl2cknNUNDNnkmqkvJLPSUS8Fi9lNhM5HDt0hCr4JmmGJrvgo2TlxnMpBGUPi4UkfxEuFIgxmzvpNhSpyDJNF+nFp0UD0ztcCdtAta1lpoGQ0zZEiTr6Mwwc0fozxerGtxFLPm2pTSgjXKI65JyRGJjNHAHG2XeOC/7dWnwo4GthFCZBKPB8/W5EsaOeuSsWfDAP8n3GW0AIVwIh8Pmf3tdml7dKU1J7ciVnLqoHE9NcXfmnRW6liJ05Ca1UUgcrtQasQKETbSEIBBM/hvZAMd8aaazyIBRJwNc67TIEkKBpvC6dRxpUYEJ5ZwVvWGrJIkh4WekDEV+fFZDyH6V8sngTmnT6Z3GCyRContJLg8Gx+CE6fLnZ69OUXVZ0FU6C0K7GUqueB8l60ccJa5AniiEqhRk/5WQAJBrcpYAYrYU/WTEKkyt7EtBnxeWPCyb7CpnF/11i2JOk33WAcYeXUK0IIfVaPmW5cBQFDVZ9JX5W/kfEMwufizXqjWSMXIKnON3ICD74iOJRmnMevaT9/ruVtMlXx/7M4iQVMeIl8+0He5S5+U/1kUZVvx4OmvQBdfgIQrjso6fTDeGMziM5jeQeCUUWJg/cBV9VGrMsGlELiZiCWvVI3Ysa/H2LkutKa1dIRHtvhZNBan4y1GYq7hcDpkmBJ6e0WHV2gQxhgbwgWpOrf0nww+KUivUJySz2uTdRunrujkwCMDIt7zDXHrItuI0xAfrENYWXvp+KyOMeWUbjUrOUc0IdeAD4DIBywKVgZD/2j5xtew53d0wv8LmcBe89dKSyMHWm09ZPjbwm5FL+qafFLFZZYSlfr/7f+MFg0kK1Fd51rh1pmO9vpgha15MrzgK1KQ7FBsShG5UZ/7l57CPGV7+TS8B6ujDbFvX3vvmwJ9LMhPsOkeh2f8yQGjZppaOjx7WorqCnjP7K4HP5gfbz+GC90jZ8xEabm5p95t3tnOw0NBG8peE0bObUosd5phJN3PuahcCYGNF9WBtCAsDR9WzC4vJgwpSRl1qVZydm/F5c5N29cszRViM2yG1vIqzbUo3uGkN4+Dvr82YB5rRhn25pdV7Z79xroJMnx9mDGAM5ShQPDloEZeG32i/rGB3PKruyfCYNaWUT48qrvt8S9FTrt0etZVJrxFp1v9M7Ct4ojw+OQPW+bh+bTIWd1UqY4TGhAeg==,iv:f7rBK8aNqX8dGyzjoeRX6yl20XsnLU8b4gitaw9+O+0=,tag:WvfUw1JgFBAtS3vsVIvM6Q==,type:str]
-ddclient: ENC[AES256_GCM,data:FlO5vdUYS4AZPxnoebpjd5SqfDA35DPPc7+idiFFhTQ=,iv:WqoNjfQ6OPJ4GVYI3/o0LoYjZIW5kqbf2rVGQyBtxxQ=,tag:yvKAakq2+a4Wl6H1ZT/qhA==,type:str]
+ddclient: ENC[AES256_GCM,data:dS6TVVNb6R7EE1JVMDfSnRYCZyHHqEPvwaYpkTSj+VA=,iv:9uMo+9X7dFdVW4wuSgrqIAaQelXuA4cek2oif0GRHow=,tag:ncQq4UeUzWtjPNxEUOlqNA==,type:str]
-filebot-license: ENC[AES256_GCM,data:sV2yaCnSja67UqHVFQJlUHXDvxqv2FeJzXvslinr8ucFvUsoxI07gtFjlk+R0cw2BMtlKaqNK5XKuCtCF/MdGIPHymhpZGgxF3OUfv0f9OXPhIOxuI5o5WBSbgY+WngrLz3E3gMcJ4CKhwkg4CpAgdSRcQqTbYEWCA8/MDbsA5fbOuZJvzZnWNgaq0qNLUntOUzRB3Ae2C/nMaxL0PEMw5NriuauHohvqeKcZ/XMZXgEewHhKlSFSXWRVXnqCcd/kOrYVKfD85N6XL67SAkijlyIoFDRUnb1bBiUlAnVEAVO/hoeKg2IANdcnRtuyP1BY4/fCsdOVMCQcO8SaqbkJke/fiEXu9vr52dqzeJYwrHDIs7G7aRkKmoq7wF4dhg8NPoWEh/UULbGhhArXpgJOON+9xSQm0aMbtj/7pAPoT6Na1gFK1zO0yg6mG32mkogy//hCqtdCZL47JrbvIhWzlDz6z3hW1mHDJ74uf12buvv9bAdhjwFFjSNr5QCI6fhpA//mwD8JIfdQfylwcMmH0t0fCWOyG1vGvhFCscC/MFMzuH6EyZx8nJfzPGutdbuaMmzGBD57u9G25VDpu/G91AWGsXTXFUG/CdZg+k1JsCDKpoE7CeQoGTsJidcg+WmLRfmQz+v5oG5fslOTHMWYj9sSAE9m4d4dYxscLvpUGwsyL+p9MQWqc5p18iMW7TtJFJZa3dPYswmBkumYgAxFQaCBEAjsr5llFMnt+2NBcz+u7lidh2AergETf5jSrZ4DDI+UhVrgBEF/kmsiVV3i2Yiz+DZ/CqqrKUPKSSmfVJ1lAteUPUhSZJuqJdRPA06Z9aTx7J4JFEPGg+tgB0NQCUoz6iHemeTYsHEw22g7ObGsg/kiFGzxopJtw9eoJM=,iv:tTaw+Hy0HPuOSf7Gl2S+fR/YrQtUrQo8hAhc9S1bOL8=,tag:jG8skiISKFNenuut8aCFkw==,type:str]
+filebot-license: ENC[AES256_GCM,data:jY7E29fFJ/h9NIgIjuX++WBhnLk6Mm4iRfMh4P0pUDdqH231gXDsTZ6pJ1rpFXdEHSuNN4LfznDTKgZ2azKid4WprDUzGkN0uJD6CfSR8gTIx5Rq0M8vkRah51LC36bop4hTMzECYQd1YA47hOBV/gfyg3RIw95coWamV9FebnQjIBgWYxE+wTvO5iRvWpiCHd6VZQfkiiR0KF1DrkYkuxlX0piGEKmIgyYCiKMFZ4nrrIe58x5lEQA9uPVjE7vmq3c3ge6tJzjVVaaNocbJhxhA18GLMqTSHfnBsOLRlA8qSQ3xX/VRzKQmaYQHIM77Ylb9ZQsvFt6EDlzQMl5NqT7OJZUW/0jwNaEXHURjeTOC3Hr1HugiDGm+uLXEraaJ6Na2AbFDn28o+3J22p9xNg6vWL0FElzKuaz5TFDzdZLZsD9HOPQm95/ZM8JymDjN4qxkkd2o9rEKY6to1MVDarj+lDxIHhf4pL23YhZsn3esNlEbFswzHQiH7nMsu9Jg6a0rPu7IYylDnH/soBjxSKmf2dhH1LLsDm8It9K/7NnXwmvncFXaqNBqm/e7JzCDBCCyVUf/BXbBc3xwLwZf5MiirZ/iYiYnRtUssveh7BV7ICigRj5Ewtr+n97+IGI+FyonkvOgM0bn8nHf79ZzJCKMuntcw3FlGd1nIkmcehkC79PlKIS95oV/wypl1OmU0CVel+D8hsMuONmF9NPHgFk/ztp4GF+XXRO4ExNotX1XrUlvLOccoHDsl1TedUOISzgAK71edxfI8y110shIe9OfsCEUAbmWMmjGVWH2fKu/IrYYQTry6pYFOjG2bIEUXMaiIP0lALbq/QNgleqMNPY8wGzFbP+/jaYzTbw9KXH4bwYQCl1hSI8THfV7lLE=,iv:4ik/aQqi/hIqH8ix3ejgUiXGY7ycw0ymdVrV+CEQe1o=,tag:7ymc4QZEezJVPlYTlU4H/g==,type:str]
-gitea-mailer-password: ENC[AES256_GCM,data:We58w80t0CfxdGXe2eGjLop/Eg/46u5jNAtBvnJznTJ9CB4U9+0A+KvsimNowqrhKzCEaLsXzy9wMtEmfj79tZTR,iv:f1QE2i6NrCWs1qcmbO2j5WjuH4p8324DsPR206nK8cE=,tag:ccX/W5bsfsi0CHa4lPUuxQ==,type:str]
+gitea-mailer-password: ENC[AES256_GCM,data:lEv5euTCHG6pyNqrVtKK7oE8wLvk+q8ABXOzFSizQ2TVFi35lyGPzOTel/dCCC0Je5GAHE1KQQ4Y4/iHghZgb5Ft,iv:gt/mCzLbDrHFNqW+Lkd2dy9nRIBKO+rqsVuXM45zJ8k=,tag:gCxTSzY7GZ+jQP9SCsdUtw==,type:str]
-gitea-runner: ENC[AES256_GCM,data:9v3IWNyf8JxX4GbXPSCKHInhnaBqjbs0CpIHtu97+TtKTCZQ/1tU6SmX3KzNLtc8LtQnOiHo5Zq8M9yI32b32/yrL9460CwRmUVfhSiFb+JoLFWpSIlsDfHjSY6ciPWyBvuf41Iy3BuvJpV/r/8YdrqkcO5ceevk3qfRhgbWI05ODS4+786OlGFXZnDJ7i2u4eilmb4S5uye5fgHMGS2yTZgNWWThz8K2W9XSwWggdvQ2g/pgKPqEndLrPMmKtmCa6wXqECArKhkvM2MTH/AHz8=,iv:TMEL9bD/Uir8B2k+ASyWPaDwlCi1CvN3hCkvTzh+eNE=,tag:6pjHIYTUEVffAVR9yBXufQ==,type:str]
+gitea-runner: ENC[AES256_GCM,data:HLjSETmu2C2ROf6kqUuIzQl/t4Fe5EOVkMqdTeLNnb6AJ95l6M/WUk//dnPMrWVvEq7rV07awUiyvyJcYQzMgPNddCrfcn2Xr0dYK4XFenz/sdhknVex9uS/RhK8fOqdYJ6djpynikMKddZMQr9AOVfpF5mea//87+Az9rOrlzLdgNtf5HyBEAFKaOFbkZboAsP+jlxyyYurGHPr8LxxikewDVxnpB+XzMc6RAnesrZPOTDQlkMiPZ2t2o0klhD/4VomgiHEklULxCCmIAHaqDo=,iv:1FwTespqVTnKFbyf9Unbbod08D36MKsVbDhIBNGBkHg=,tag:rgVvyxUCwzYB2CqWm2fwgg==,type:str]
-gitea-runner-token: ENC[AES256_GCM,data:tC9YVqv2lBvPdem2j++HvNtqYYaFLWgy+nNgrjNvrubbenRjcB77EXT2g2k6CvI=,iv:8bhDPdsF72QAiacS3MuZBTv75mMWtxTAxTiENFxHo9M=,tag:meY+r5AMpdotR06l9IMIBA==,type:str]
+gitea-runner-token: ENC[AES256_GCM,data:pzJp7j1Ktz+27oU+qtESk7D32w7+BSEUkPSX4xuFml0i10z12Gzu0QHXL9s3734=,iv:U77b5515H1URfz5BCdzuY03zVkhSRsL9d+HdHUJFx9U=,tag:QvooaT4TS/X5R5KGdaVpVQ==,type:str]
-home-assistant-ldap: ENC[AES256_GCM,data:X5rz/mJG9A9wfaHkZy7cDoNRD9eR3mRX5+ROCdWJrA8ka81+gdofn9oSha2IjwdPoxikAAhYR73n5hZIEdZKbQ==,iv:Ol31hI+XKRjbZVS4GPiMyzdKvJVe9aQDjnWYQl7uJrw=,tag:IMt5ZCZnDdBz9kcG8Khi7A==,type:str]
+home-assistant-ldap: ENC[AES256_GCM,data:4kofJzPbiLXILxjuAZWiTb9hu2Gver/IHBCXDnrmrKuCSII6SJ9FrSi67nl7SHdoA6xe22GSMfmPrKzy5sGiow==,iv:F8mIHhWHpaI6kzRV9du6uW/Fj07PbEIU1goSDmeSD5E=,tag:6NIC6sN8OclinribZhrLLw==,type:str]
-home-assistant-secrets.yaml: ENC[AES256_GCM,data:AQ8gs3glsTWw/UyiBu2eNzP7dFy/SHPP7T0e1gyevx5JQTYbKwbOMjTqv55hM50Qoiy1RKoYyyvTkc9B9BcRpX82S+joEZx8K3eV7yrXpVAk4/JbFk++mDT8Ty38sb+/dszi+D9Tv0p7m6HfrtZCup7ojCOaF6TwMIdYjG9MJ7IyT+4m0lTZv2/1Sr24gaIYRyZ+vrlJ8mSpe1ZWWtKeGZys1aE6OwzR0TrCqg0wEf0m9VUNeVr9uZYZseWQtE/RiDOpN112vv5c1A==,iv:sJjWPZUFvFxAgTmKsOclW1x3tvef9SfTUrDvqgYh/hE=,tag:1prKFB8iNgoBhr4C7gFAwA==,type:str]
+home-assistant-secrets.yaml: ENC[AES256_GCM,data:rns9heAmVMxB6WWlGMXvF/ianFUnja3FObiLTEKJmodePNsJ8ah3OhuCAX5jON+/7NZ+3JN/hIJjXsORC5WYhr01DvO9meykf0aMpbmAnYI+cmPEPvcunF4NNInl96rpcI519nMiHDSh5J7pD74CxHZcXSV4c9ZR5UBymchrwmHyZMF6dVrD9Jbr9yph1r7iq6S5wlI2ZImWRjaoGDZ1x+ZU8XnsUmYcP4pa1Yt8JBxSnyUw5gxgBkVCh4eSZBsUCt0cd9P0i7qWVg==,iv:YXQsawXZsQb9ZUt1/lkpfTa4tfKIQrLkkyShFtBRaIQ=,tag:/vSnipGiMntdMqHLePSEQw==,type:str]
-piped-db-password: ENC[AES256_GCM,data:rF9jfxZtfyEPG1W2k6SgcS58Z7Z/wEhZtPnjpmB/ngbYVynUXuYmL5bOVMc=,iv:mF6tCzyMEj4ZOIuODi9v+Z8aUICfWxZYRzdD5lVbx04=,tag:FDlMlXvhvfmXa3t6jMqX2A==,type:str]
+piped-db-password: ENC[AES256_GCM,data:5atQccdHYDEf638bpiON9VO14jqNDtzZ8nnXVW0/cqtWkZJc8RYn9N7QhAw=,iv:Gwyf1R+mpmX+TFuoYLPHjXwSDwzJhSEpnj5ZsJgmrtk=,tag:zm4zNkzbqbCyTN6o3lQQfg==,type:str]
-pushover-api-token: ENC[AES256_GCM,data:nni7mP/oQ3qvyBfbQF141/FkOZispnon/iaw9LU2,iv:FXpPAPv0hms0dfusil2Plk2BJYslqv0OwmJltkUUDY0=,tag:GYMw2k6Mz93cBoWGkZOVHw==,type:str]
+pushover-api-token: ENC[AES256_GCM,data:cMBDdySEBQ7vS7FUC2DsCcSvEMpapWvMFmnuCsY6,iv:SVDrrDm2pcAfwUVAC5j47YwF4s/FWNARlZdIZ1Wgwgw=,tag:w7ZeNMPXWc9j+zVaSxq1cQ==,type:str]
-pushover-user-key: ENC[AES256_GCM,data:q/Cr+Y104tZADBgoTSnocaiRaNPox2Z4zMgQwpYE,iv:MmoX3zCs60Uwc2Sijv/weny6bBVVUFTpphXzWtMo4ww=,tag:bG2BdC+CQXa9slLEcFQ6hw==,type:str]
+pushover-user-key: ENC[AES256_GCM,data:fjoA2YQxmeWEbSKWWE5iyi+CUh1vtW9usVCm5EGk,iv:p4YwYIhpgn/bY9t61//CDrDmZrsj9B/naZit62lCpwo=,tag:pqEw3pDlX7i87tE0Nsy0/Q==,type:str]
-wrwks_vpn_key: ENC[AES256_GCM,data:oiRzOI1qXesCVG9X4c+sNVpCdfa9rTahJVQaLsi7+bsfc2Kc50tioBJ4YJrggGYI2KSjBe7Q4Sy1zhUKvuTmbA==,iv:KVa3tJJ0NeR4MM+LcL0IwysH/NvH8HvlbVoLOUdkp3w=,tag:lMHRTA9wsMbpfAJdJaBc+g==,type:str]
+wrwks_vpn_key: ENC[AES256_GCM,data:VEHqnr/bDtmyLzs0wnmZ0jCWS0BGJWu6Wjq0ZHJuEz8PH3j/E54S9NUe6WRIo+BJCsh1PlRqw/PD9xSqlW5uPg==,iv:OMP0s8Lc2CmFgwRuwB3UWJVuQFqvpy+BiyhnIKbVIb8=,tag:x1LvSf6i8khd8jKgv/284g==,type:str]
-wg_cloonar_key: ENC[AES256_GCM,data:tg+dVsUfK/XodSs0rcUGjg+J/uNmhdWcTFImFKsPDprkCy6JldVF4opsYb0=,iv:kWXpVp3xn80S2JaRnbW/qp75tTI47Mvrn5fHYkjuNEE=,tag:8748Qu8hG4/dmdFC1pvlYA==,type:str]
+wg_cloonar_key: ENC[AES256_GCM,data:1OfHD8yX+pgCXqqxn7cddnnCA9HBjGra4eht7uLxdcbdG9vDvxUoE1x6aWg=,iv:/NBEbmA3wP/zwrqCeBKDzaoSMqz3f4ZeMlWbu81R5Pg=,tag:Apt8x/j0qiJAKR4UEVSkrA==,type:str]
-wg_epicenter_works_key: ENC[AES256_GCM,data:izKZBqbLUrziALVK88LOkDDU2oVfClpCc7t8kJmQHaq+gKmUJzep1Eqic4M=,iv:KBQcHarvWLONLgyEm7O/4uiShNYAKWFx0Z41G1zMyXk=,tag:Mg4QgntbapqdDOYagoXjTw==,type:str]
+wg_epicenter_works_key: ENC[AES256_GCM,data:CTZkVGEVRlCdt6W0BGPmX0SZbuBBH5IIlUsi44SGXi7gdmrZNwv2zDv6zjA=,iv:4ZDDKqR6pBq8cjX763tBxOvWFaS2IiGaBxJu6L2JYig=,tag:H8p63BvXSx1SKPFw5gnptw==,type:str]
-wg_epicenter_works_psk: ENC[AES256_GCM,data:kVXJk/lPHV8RM72BSmursA2HDLc2DsSzutDBy/LIY9AXwa8hqFUdY1/h6aE=,iv:9fwIGtOefdAUFpvARLhhmycbwd5wf0SeynLZtFhNm+A=,tag:vuHXT7HPnZqNI0FQxDAf3A==,type:str]
+wg_epicenter_works_psk: ENC[AES256_GCM,data:K0SDlDWfUk9vIGP5U1j8p6TJ9GsydJTuKPb4kMgde1CILOia0S9/+4AkMWY=,iv:ITwLoWZXR6NxRFF3eBvOogiWHLmXnf7S1e2FW0ofr/M=,tag:2OVi3OBFYT0nlCx8gf2AdA==,type:str]
-wg_ghetto_at_key: ENC[AES256_GCM,data:KKYAWcW0xcBLvZedJdQlifE0lSkachW2H5dwEQmpsDF9ViBayYOkkgL36jc=,iv:6NgbeaHoptvsLTA81IyF9THPvu0BwFrTOzhhRI4/PRo=,tag:BvjfBVgxdfG1f13jgghC3w==,type:str]
+wg_ghetto_at_key: ENC[AES256_GCM,data:+bonpVjV1hxwaqtR7ywshmoDxCnFPD11q0OiNLzxUJIaYrDeS1srpyo6rlE=,iv:Djn16kuXTWqJZy/AT77GpH8RcNtUMZ6zcIdKIMHv+PM=,tag:LP2JCaPKpzeOKvBc2bMr4w==,type:str]
-matrix-shared-secret: ENC[AES256_GCM,data:FK0PAhskPL7fjwTrjHTjnr/lpIS4bxETRMrtM0SeVEcw6CRtLCAiSgXvZqdn58CoFZvpd9iRvpFAe4FZdA==,iv:I793hCj1FkluSy/EYISde5h+b3Tsm7FJL9SIXjBxLkM=,tag:2J1vAEjuUIIG74gh/916ng==,type:str]
+matrix-shared-secret: ENC[AES256_GCM,data:nVSHwPa8xYUaDCxL+5neFtzc11DDNzJtoDCSHYXZ+bZXVAAbp6/Pjx6UkTdAA8B2GOM09nFAsBuLnQfJ3w==,iv:WU3hnRlWVwx7Qin3ejw7V4VhAmYLf6oXzVk6xQgZPgA=,tag:O2hJ2q8XDxYF+rHPNgATgA==,type:str]
-phpldapadmin: ENC[AES256_GCM,data:IpZCNla1mejWKF5o1bomeh92Pji6HBc7OJSoVS7vZFn/GVreJmLzFceML1cMGHCT3veFdI+epJ/R4dtY/R4Efyb3zkpNnEeLnwOBnOq3KC9oYB7btyTQAs+zIwZXo9Kot2rVe84OtwkccdwaeA51/LZqvM4MnCTP76SeBhqk7Z4bHahbqTznJ7hkcBg3608RJmI7n3TcXJhrwDO7AiaQrm18LKMLhmpycyljyD2lvlF6FnB9kdXI2DRt/uYHHO02/XlgFt9e3fDT7mj8N9Cu5YO1Y3rjq0+oc0W2VLsYS5eNS786p2JM1JgNLae9WmulVRpT5enwg39JzL/S9bWqVvkuzLyliMNA,iv:vjtMwMRu9xODXJmiVnq7/Zj0kD8m7p6wJxjfpLTWRFc=,tag:RED3fQqc2jRMqYDIU9fJ8w==,type:str]
+phpldapadmin: ENC[AES256_GCM,data:94jCcgGJ89Er5ENLqhFZ1qY44Qp709SuUhBUuED6v/a7mPPjrJGDmi0Gm3r1Hb4CDPGkWf+x4NStY7LSQ2bHEzjyMPMS23wvSLTmC5b2TVca1UI8vZRTD1R7OvdWo8d1oNweSpYEnAXGv3USYF0NZo8DrPLM5G8lG5Tk/rKS/mxU5ZRhPyA60rbmIiy3Mk4yNcs1tvTEckxU/zMVl7zUPAsOOlmYGuwJrHmmh9p7YIWHGIgZNiLs3U0BvSKzN7WktmlwqjfWpeLn4dusqgov4SSQ2otAkxLHIH8mGhyotd1wgXJDZc6tilMe+WPHQDz9db7FT0VdeKggQ94FD+8rP0OsIjR4AdjZ,iv:C8X10wtA9jPgS41pxasaZJTO/XFcRymOyTDZCWJlhmg=,tag:xkMJsGubny+Di+GucAqypQ==,type:str]
-palworld: ENC[AES256_GCM,data:J+HADBl7JmGxWiDf5HjYHt+mFrimm8yNxFG1AGol+R7FFimwqJYfq4ObxUUPDdaJacqwjalQVDylz/NDuxQrFtkeeQOZ0gExpKkkgPVFQjnKPFIBc8yafC1F4SNCegDpMQOdDSaQLWWS2Q0UNMl0W8+Zj1ofuKAsZrpIbojeSWKAfFrdu1vGV+uJm7ftf23BK/moKBl+AUQhDEGVJiynXUAlA2i1YxqBoxeweKu1f6hMJc6nu4iXEDPpHF9cHPPPPkfIJypwbWR3aIqSJAvfhKy3QyJBeHdtuMKrAxZxC/N6T0H/SijEIvkUSt5JzAU6V5gTPRWMjs4BdaMI+EcdYMQzTc++pNjYwvDG0hOl5Fbny8klHDXTTMuWzMoCgI4Rg8QbvlhATd3ueCc4e8JtIC+4ANL93UHh7uBhc/Ya0QbRVCGL17Vt/mZCuuelwSAh3dkm58aafIvQrRJz4sA4FVNeoC5JGPUzL3e82AbIrZFELvWRQqmcnk9ehqHcLCICXsIukAYU5dlO9oogobsLXR/Dft2uVJeq9NLpu2H5ZGUNg0EegxwchS4xhNjCWQga5DBDmhpvrJYSeaH/py+5+er+s+tPzZcm6qA8AgpduqJVDJcbNDE5maFanncU0p2ELphVTaIkcp9ED9qeLL4Agi9K+oMndtPZzqzAlPluZFr/5Ni+t2rcryvNiXpXnmDT+ChxXAO9Qv0dnF35VQ==,iv:cYXRFxXGjXKLbmokEn8MhkoyT52wI/mpW/FgpLjyu34=,tag:O53Q8pnAtv/2EC2ubuXgfw==,type:str]
+palworld: ENC[AES256_GCM,data:iR9nceVotLKrFHnPIVskCYVLev9OzGLLlmfCGQq5hqB1HveXjhjkfm/NMmqnSi9o776+Ezy7l3kkS0R+0cFJ2B9kaWGsdJtdYDwQevmf6Nq5eaBYmvu8kTnaatqZ5e/1BQzcF3to6MA061XL54YGqsAV5FpnDVLhyyzIvaR3gMvMqJ748NL7K+hbBqMFuWcSH3hKXwxtDK7SLtcgx93W5ZgXkZMMumtlH9hSSlZL4yxuQDAQUwHrEBL+rdphA0m27dyS87DA3Av5ZL1MZ+Vlm4uAHM68T+rtVYXTakNImDTc0WrhIP8FZD/UKTAhVYAbA9oz6cbeC574vchuEY1z19SY9+2HshZZBOiPDMqdvrqyszMQCo5I9dUzAJCemQQTlYG8ekREQ0wxARnBYi3iy5PbmgDQWdM3+ff4yhMmGiHtiMQLHzrquKy8nvS9lDp9uT7njkaI0QAt3eNWa2DAQRqXQAtmuRVob5+GS2Nt6XMTWRkbeEb1phwbTqZD5mH4p2TiyMKCn6KOXsgQTxqGr35Izbe+bfptCmUeyscTKq01IZg77w/dvg3AX4iHAcMNgJ9LIHDLibGHQzu9fGN6alpeyy788GDwRY4glYyKxPhCasKkBSj/uhcDAtdg+c63vDTBhqRjNr6+v1NeRW6lVBzrgq+f9QvO5RVKrvdsVHnTA3CMGQzUPAaluNZMpzV5KqxqIrpAAPXnN0ktig==,iv:kkcm/alLHwC84IKK//OJpa36ec9ddOARTIM+KJlOHHs=,tag:jV1DjfNzRgNaCGgJTKIy5g==,type:str]
-ark: ENC[AES256_GCM,data:MIoUBI3iImXLozkgcVszqfjlofNAWp7BRnLmQvM+gXAyJ/OUaQiQETeMH48FVL9Y2AzPcILQ1ocIeXUClXU1XxYo5ItqRMQY8XWTApF4MKedyen+eVPtB7L14zlCZR3HwhA8Mb8AWhg+vhpDyD3ANTP4bETVjcxFlxqQ5n3YaCL6jGWSWAkwiuzQU2uQsFQzrJia8ybx/wrKGUhX4+SKDbupSzvkRzLkOsa7PT6chL8/REO7WYlFbwj0Wex6BdtoVAYb7NMTCQR8VqrU,iv:h/qId8ZHbpT0Bkql871Sv9yZfw5DKbsp94vAh0HMxQ0=,tag:sZYfTi9kiFATGT7trNreDQ==,type:str]
+ark: ENC[AES256_GCM,data:TRTwxqkeUGbtgrWuj1YEFr73+nxCXmt/fR5vVnYR+k4FpNBB2FoY/gXl0kqeFKPDcajwn8nYBs8YE9vmYtAX/Qs4g5OyU9qC/pkmSV7/gbGfqLLqcbIlbWrZzeM8gRW0fp6h1TMPsGO8/iYdF4bmInfuZW+fKr0i7ZRgrtOpPiRCOI/ztPGkFaduuwGIy+yVoS64b9r7ZLRnOZT7ghVv80GKorJuuOQIipNAJMzEqtSA2IqaxWeb13v8wdQoKuMNcD6dCYVJnvgwf4R+,iv:+F9+yJUZBzPSSIt4uLHxjjXAjzRojLxKAyrd8grMXkk=,tag:VrIr4FFbIGTq9RBJMz8/Ig==,type:str]
-firefox-sync: ENC[AES256_GCM,data:8zD3QcZmex4F2EBSyUc7Lw0teWpz0o/R6mK8utuvgVjWKW6JkdsbtI5+IvH5TQtJHmwwq1Mh2Q2VZk5HsVA38dST4XM/XVlA15tIveQCprTaQrOxw8jHqJ/DLxw2xGz+2OlFagof46eu9lcsrYg4uLdfmLVcuhjhTHM5z72GxFiE/QIcoZLllhdTb7/1dqs=,iv:KBHX4iSlMASmEKjJNdH7gX6QBTvMmHUtubNErK2PsVY=,tag:G1CJkdLe3a9mnSG4PFByGA==,type:str]
+firefox-sync: ENC[AES256_GCM,data:guNgEVi9n8uJuLkkX2Z3tMY/NVqzQ2tdIutZAqleah9qBri0/3dzVHF2xvztLeAgm/59tN7TtAlAH2SMK6gcfAZDasAWOJ/rGEASxLi6VRjqCe25glDMp2YrA0/mcqZVYMCg+QZ5OPA56b55WDqPHPoBJkPDuTm9axwm6AOxdNi5BkDzMw12fVBxlJL/Rm8=,iv:yD+MkZK5vvZ85vYGd9X2Dv6KkSvMUsMGLrwlJ1pRqlk=,tag:YA379QupHh7aJZKcQxB7bA==,type:str]
-knot-tsig-key: ENC[AES256_GCM,data:MXA1qLfUJ9O3Fvd0WGi2wInuVjgYkfH2cVRLogLQ+B0TRG1YbnVqVEp7P+s=,iv:zxBCr/hSHH1zqxBGzQ53nArcUfBcq/LIpqgWllTi6ks=,tag:6G5eL4i9Cjrw0CF5JJotCg==,type:str]
+knot-tsig-key: ENC[AES256_GCM,data:CBFaRKPr+HRVM01fA9/OLWeD1O33axQKEKJuqDRfcGmuDeP3oXf+ccEJhQE=,iv:2O5y24YenpiMc9txPx8kz8x0aO37LpLjIcwlNywPEak=,tag:J4bVZ7RNSR9fiOBQ2HKpnQ==,type:str]
-mopidy-spotify: ENC[AES256_GCM,data:ow7WgSwgbGqxRFWkDXsgKBvxMx2uF7lH2DHUDXhGVz1kLORGqp7wQl04SiYxnYpWJoFl+Suxia7hZ0riQF0bgMDi3SqQQrDimQZI6U2m04QAGJyBoaxratnwyFNe246GWiYgXxvtjPi10N6skPQBym6sJquBF/gE,iv:70hs89+g2dr/dmI3YPyIL+3B49ol7ltByk3kKCz3ASg=,tag:jy9Sn9dAYfs6wk3KoX3ylg==,type:str]
+mopidy-spotify: ENC[AES256_GCM,data:irBeIh2FieNkdf6Hls/Oj+qYxj1U7R7/Ffq6dx+JCS0PdOiFWIHXtccY+PXPKP7RhhaQOgZtIcgPyqTiML52P0c8AwN6UHMl7kgUcKnk60AI0IUZNWorCBZluHhEpf2e2OISlFzDGjSHk+zAzh2eDS1lJ9lCRYEC,iv:r6aZmlVHdRsA9DxkelcIVVpwwm32jaOgP429h61NL/U=,tag:FvPIr0HX/V7+G9kal4nO8w==,type:str]
-lms-spotify: ENC[AES256_GCM,data:RcoVtWO6kt1Lx6sK15tLsr8GOL1j304UmLE4CCzNMTLFyN29dKvpC/Sn5CsxWf9TCclYlNJsuz9kZ/ZiL2qVCGYWyoH9vIs+o1iINkYJzhZT8wwsNpN7Y41OuB2tm+mCjm3hKuDnciI+bX9W8TC/szJ+W9pbgYdK1ggIPOyl99NiLKeDNz4ELpc8eCqtBjung1hPbM7OkJcDMwC9txEBIXL+dDjuoi5MMZoQp8NnbM6BaKgalMzrxUpkUBf/1+G05C1NWzIBXA==,iv:sIgS6I0Vto1v564wbJU6HFoSo4/aoRxmJjfJ7w/ZZQ8=,tag:BFGn+eGm6Gc9cEua+auUjw==,type:str]
+lms-spotify: ENC[AES256_GCM,data:E53aUSNxE30SSrG6Y6SWKVzmsv0lu8aZvjk1RBgSj3q4m65dPLwGM9HcagN3BPoVTc0tKJaccrjoL2k5FOMnwcTXIz3qgiZGbnB6hVCoOhMrrkoFRN2JzSIA5WxKOT8VuMoC4/a6WaWbY8SWAdhgRQb9uq1hUxdkMCoNRLNJnPqR/0w07lCDVHvkj8XuBV4rGl93VVT3rCzjVTL+Vigv38WZ2il2aANkCz3joNeN8Uod3K/HA5uXLw3cLFmD7eI7LBDSTHpMEg==,iv:iRKrij3TRaufB5BXy7Xhiu3asClZ6hpkbMV14aod7jk=,tag:hpUwP/OHygqfgI6j6q2sKQ==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkT0thSi85UWJlREkyNVVC
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTDFvM2l3Tm5lU0paWXpF
-            NWtzSU9DWXRqbWhYSW82aUtyb29LZGswV1ZVCjFPZXIvcDBIVXFzOSt2UUxiM2kv
+            cjVBSFhENW5mNG9DSFM1NXh3UHdaKzlKMGlZCnRmNFBFVWY4N0FqLzF1bUMyUDdL
-            MXFoY2NWSE9lVnRzYlNsYndLYVZnOFkKLS0tIFlLMExqYkt5ZlpUK1lJOCtQZW9t
+            U091VENiVFhYeEJ5K0xodXlHVkhHKzgKLS0tIGxta3A2TjJiMUtiR2RzcU02Rys5
-            MVZSV0JwUW9GWVIzekV3a1RibGF1bEkKBoNNseldjYfL8QPSFnOa3f5IlQ+0Tntm
+            U1c0SjRKK2UwbTVIQUMrT1pOOVFmOVkKY3UyGNIPZJLE8GG124y0pLgqGub9SMCq
-            kOTf0oH380WM5856TQchND26wX0rHAMllx40yWBzjlkJMX5wvXBYWg==
+            plK5H+kASOB1X6pK+3PBFuDYT1AbsRxXvWgAEMvVI7eBcxQlSrrB4Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYW9NeGo1a09oVjVBTGFr
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaXBqMGl1UytNL3BkZEhQ
-            V3JWc3NHRDcvYXVDMFVMNUl1Q0h5ZXJ5dzFnClZGbGhyME1Id0RETEdtMkN3RWZt
+            S3RFL3lZRVZKTGVRTGFMNlFlWFRCNDNvRTM4CnpWZWovSDZaclQvN2Vwa0dWZGgz
-            VVFVOEphZEpJQ29YRjd2WGltWkdmYUkKLS0tIFBOOVdhM2RMSTdWM1lKT2hGTHYz
+            Q1ZLM0sveXBxOVpvNHkycWJWWXdmVE0KLS0tIHl2bFk3RE03N01IdDJPWk5HT1Np
-            c1FGaE1KZkhxbmRmVEFCRGUzR3gyZXcKMvtkOvb35ocdQHfq/cN0wuu59d8e6GM2
+            Qm82Sit3Q0haaDdnbzFjendMUm04Wk0KYp09dxXjzvC4IlH6Ilip8YjTz0mFeu/0
-            9AqDummh/D0NQ69X2Hoojgmt9tl5TKnhYwvfWU6gwAd5RKYIAcRghQ==
+            5IDMYjT1BuW5YiKgIJVd+UgOd6ysZLFFwk+Us2AcV7z110xk/askqQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRTJvZkNoYjVMaCtkZEN2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Wkd0YnBQRnExeVdUTGFu
-            OEpMRUZ3TE9SSHplZjRMaFhESXJNZjk4MUM4CmVBVWNrakxvdEtGVFZmMiszVjBz
+            N3o3MnF2aTY2NlBmdDJYT01zRytWZ2w1dFg0ClAzcnJ0NFYrVWlBM2JQU1B0SEJi
-            aTNJK1pHNXVpcnZNbjg2QWYwcXFZQlUKLS0tIDdIK01VVDRSZlB4ZFB4WHpaZG1N
+            MGE5aVh6KzNmaEoxaHFOTW90K0VmMGsKLS0tIDNkOGZyVmMzME80TlBWMzI5UVR2
-            Z1ZGVUROeXZGMm0xclF4N1A0S3BIeTgKVYwnDmneB4dljyvmxgXxTu/ftk0b1Z9I
+            djB3Y2FIRDFKWlEwTnRBUnRIT3M2OXcK+SIt/7DRdQi6H1AZooJN2Pt2g1EwVTZe
-            ENyOiKIgN0YPOq1a1GOr9OCUOoNM5onTB0fkrUFzkChSB/3xDpUHlA==
+            Q14cEt0sLyVYzLJugfz2JWRHDZX6wPueYcTSEs7w3wAPVwvJWju8bg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRVlHQ1h3eDlKd3FuN2Q4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQXhNSFBnNUtMdkpwR0th
-            Q2RuUVpKeHJqYldWRlNlWDFPQ2U2TzQ4MG5ZClFLVlBwYy9xU1lzbGMvNE9kdVI3
+            M1NmOVorcUdlZTFDM3dVRHZlYWpJcDZiakVnCit6eTFOeW92SzhPYzJxR0VTem9r
-            VHpxeEtwOHgvS3NhZWdKaVp3RHh6aUUKLS0tIHUrOWRibGhJckFycVJwalJsSFA3
+            MSs4cWxRbzVBQmlWaHIwMjB5RUlJMXcKLS0tIHNSVTloOEVVVndDWkVrWmQrYXlD
-            UXEzSHMxVVc4b0FOU0NycElaV3VMOWMKpq9KFfdu0kEWhlT7Of5aOrAhM8FmOuzo
+            NTd1WGFJWHVLTnFNT3hYbDdtSnMzTTAKBmJOayZLbjmBejwVzVtUSYPki+qPkYwG
-            1RRxsDAtpfjw3dYbvS8ISrFP+nEr84qi4Hdrr1Y35ye5fR30gvQycw==
+            xdO3L7n0Z8Cv/kVYZpkuG5GqOUL+nCJuYDjF0g4PaLb6WWd0W8ZGFA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-25T19:16:56Z"
+    lastmodified: "2025-12-01T11:01:54Z"
-    mac: ENC[AES256_GCM,data:kaeDCxG+z6NqzcaZTBsEkPhlXts47iEhQp7MGsRrYMP9X4vYsLBkzKgeHugcN2VnaZI+Uw27Tn1Fgt4Eaqty7j07iZKa33B/SOnFu3fKacP3Ae3vGAgzda/5HyOPsPxEgiHUEbJqTnhahh9sYckwdaMPg/PdSEAJyJN1b2WYy+0=,iv:E65Baxjw2mV6Tm59Ka4l1Q640PoS7IDLggNLmO9ij0k=,tag:+5Rx9nUEWsLIsLfEg/TcfA==,type:str]
+    mac: ENC[AES256_GCM,data:taGX5HHZCL7Zo4taS2Jz/5WxhvpBNNKZ13ZCtS3x/P17tC1Nrk2UDcxbOZ1pPVbVvvaAHJtDb3owFvBOM4nr2Eve0M9zT4HbXh3hke7AviQ6U7CT1ru6LjY7W8lBjbQ6uCt+Ldxd1PRPPGiyKdK5GAUPKg6avFjpJbhEikh8Gww=,iv:NNs5usVJ5izYvHKnNm1IgjSt4dg0QFQ7cClJ6zh+3wM=,tag:sYYbEWIUgOWthEItdy5PFg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

hosts/mail/channel

@@ -1 +1 @@
-https://channels.nixos.org/nixos-25.05
+https://channels.nixos.org/nixos-25.11

hosts/mail/modules/dovecot.nix

@@ -240,11 +240,11 @@ in
 
   sops.secrets.dovecot-ldap-password = { };
 
-  systemd.services.dovecot2.preStart = ''
+  systemd.services.dovecot.preStart = ''
     sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf
   '';
 
-  systemd.services.dovecot2 = {
+  systemd.services.dovecot = {
     wants = [ "acme-imap.${domain}.service" ];
     after = [ "acme-imap.${domain}.service" ];
   };
@@ -257,7 +257,7 @@ in
       "imap-test.${domain}"
       "imap-02.${domain}"
     ];
-    postRun = "systemctl --no-block restart dovecot2.service";
+    postRun = "systemctl --no-block restart dovecot.service";
   };
 
   networking.firewall.allowedTCPPorts = [

hosts/mail/modules/openldap.nix

@@ -17,10 +17,10 @@ in {
       olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem";
       olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem";
       olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem";
-      olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+      olcTLSCipherSuite = "HIGH:!aNULL:!MD5:!3DES:!RC4";
       olcTLSCRLCheck = "none";
       olcTLSVerifyClient = "never";
-      olcTLSProtocolMin = "3.1";
+      olcTLSProtocolMin = "3.3";
       olcSecurity = "tls=1";
     };
 

hosts/mail/modules/postfix.nix

@@ -128,16 +128,16 @@ in
       compatibility_level = "2";
 
       # bigger attachement size
-      mailbox_size_limit = "202400000";
+      mailbox_size_limit = 202400000;
-      message_size_limit = "51200000";
+      message_size_limit = 51200000;
       smtpd_helo_required = "yes";
       smtpd_delay_reject = "yes";
       strict_rfc821_envelopes = "yes";
 
       # send Limit
       smtpd_error_sleep_time = "1s";
-      smtpd_soft_error_limit = "10";
+      smtpd_soft_error_limit = 10;
-      smtpd_hard_error_limit = "20";
+      smtpd_hard_error_limit = 20;
 
       smtpd_use_tls = "yes";
       smtp_tls_note_starttls_offer = "yes";
@@ -151,14 +151,13 @@ in
       smtpd_tls_key_file = "/var/lib/acme/mail.cloonar.com/key.pem";
       smtpd_tls_CAfile = "/var/lib/acme/mail.cloonar.com/fullchain.pem";
 
-      smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix512.path;
       smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix2048.path;
 
       smtpd_tls_session_cache_database = ''btree:''${data_directory}/smtpd_scache'';
       smtpd_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
       smtpd_tls_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
       smtpd_tls_mandatory_ciphers = "medium";
-      tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
+      tls_medium_cipherlist = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20";
 
       # authentication
       smtpd_sasl_auth_enable = "yes";
@@ -225,8 +224,7 @@ in
 
   security.dhparams = {
     enable = true;
-    params.postfix512.bits = 512;
+    params.postfix2048.bits = 2048;
-    params.postfix2048.bits = 1024;
   };
 
   security.acme.certs."mail.${domain}" = {

hosts/mail/modules/rspamd.nix

@@ -119,7 +119,7 @@ in
 
   # systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "redis-rspamd" ];
 
-  systemd.services.dovecot2.preStart = ''
+  systemd.services.dovecot.preStart = ''
     mkdir -p /var/lib/dovecot/sieve/
     for i in ${sieve-spam-filter}/share/sieve-rspamd-filter/*.sieve; do
       dest="/var/lib/dovecot/sieve/$(basename $i)"

hosts/nas/STORAGE.md

@@ -0,0 +1,60 @@
+# NAS Storage Notes
+
+## Current Issue: XFS Metadata Overhead
+
+The XFS filesystem on `/var/lib/multimedia` uses ~100GB more than the actual file data due to metadata overhead.
+
+### Root Cause
+
+The filesystem was created with advanced features enabled:
+
+```
+rmapbt=1    # Reverse mapping btree - tracks block ownership
+reflink=1   # Copy-on-write support
+```
+
+These features add metadata that scales with **filesystem size**, not file count. On a 5TB filesystem with 700GB of data, this results in ~100GB (~2%) overhead.
+
+### Diagnostic Commands
+
+```bash
+# Compare file data vs filesystem usage
+du -sh /var/lib/multimedia           # Actual file data
+df -h /var/lib/multimedia            # Filesystem reports
+
+# Check XFS features
+xfs_info /var/lib/multimedia
+
+# Verify block allocation
+xfs_db -r -c "freesp -s" /dev/mapper/vg--data-lv--multimedia
+```
+
+## Recommendation: LVM + ext4
+
+For media storage (write-once, read-many), ext4 with minimal reserved space offers the lowest overhead:
+
+```bash
+# Create filesystem with 0% reserved blocks
+mkfs.ext4 -m 0 /dev/vg/lv
+
+# Or adjust existing ext4
+tune2fs -m 0 /dev/vg/lv
+```
+
+### Why ext4 over XFS for this use case
+
+| Consideration | ext4 | XFS (current) |
+|---------------|------|---------------|
+| Reserved space | 0% with `-m 0` | N/A |
+| Metadata overhead | ~0.5% | ~2% (with rmapbt) |
+| Shrink support | Yes | No |
+| Performance for 4K stream | Identical | Identical |
+
+A single 4K remux stream requires ~12 MB/s. Any filesystem handles this trivially.
+
+## Migration Path
+
+1. Backup data from XFS volumes
+2. Recreate LVs with ext4 (`mkfs.ext4 -m 0`)
+3. Restore data
+4. Update `/etc/fstab` or NixOS `fileSystems` config

hosts/nas/channel

@@ -0,0 +1 @@
+https://channels.nixos.org/nixos-25.11

hosts/nas/configuration.nix

@@ -0,0 +1,100 @@
+# NAS host configuration
+{ config, lib, pkgs, ... }:
+let
+  impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in {
+  nixpkgs.config.allowUnfree = true;
+
+  imports = [
+    "${impermanence}/nixos.nix"
+    ./utils/bento.nix
+    ./utils/modules/sops.nix
+    ./utils/modules/set-nix-channel.nix
+    ./utils/modules/victoriametrics
+    ./utils/modules/promtail
+
+    # ./modules/cyberghost.nix
+    ./modules/pyload.nix
+    ./modules/jellyfin.nix
+    ./modules/power-management.nix
+    ./modules/disk-monitoring.nix
+    ./modules/ugreen-leds.nix
+
+    ./hardware-configuration.nix
+  ];
+
+  nixpkgs.overlays = [
+    (import ./utils/overlays/packages.nix)
+  ];
+
+  # Hostname
+  networking.hostName = "nas";
+
+  # Timezone
+  time.timeZone = "Europe/Vienna";
+  console.keyMap = "de";
+
+  # SSH server
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
+  ];
+
+  # Firewall
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
+  # SOPS configuration
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.defaultSopsFile = ./secrets.yaml;
+
+  # Btrfs maintenance
+  services.btrfs.autoScrub = {
+    enable = true;
+    interval = "monthly";
+    fileSystems = [ "/nix" ];
+  };
+
+  # Impermanence - persist important directories
+  # Note: /var/lib/downloads and /var/lib/multimedia are mounted from LVM on RAID
+  environment.persistence."/nix/persist/system" = {
+    hideMounts = true;
+    directories = [
+      "/var/lib/pyload"
+      "/var/lib/jellyfin"
+      "/var/log"
+      "/var/lib/nixos"
+      "/var/bento"
+      "/root/.ssh"
+    ];
+    files = [
+      "/etc/machine-id"
+      { file = "/etc/ssh/ssh_host_ed25519_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      { file = "/etc/ssh/ssh_host_ed25519_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      { file = "/etc/ssh/ssh_host_rsa_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+      { file = "/etc/ssh/ssh_host_rsa_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+    ];
+  };
+
+  # System packages
+  environment.systemPackages = with pkgs; [
+    vim
+    screen
+  ];
+
+  # Nix settings
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = [ "nix-command" "flakes" ];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 14d";
+    };
+  };
+
+  system.stateVersion = "24.05";
+}

hosts/nas/fleet.nix

@@ -0,0 +1 @@
+../../fleet.nix

hosts/nas/hardware-configuration.nix

@@ -0,0 +1,103 @@
+# Hardware configuration for NAS
+# TODO: Update disk labels/UUIDs after installation
+{ config, lib, pkgs, modulesPath, ... }:
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 5;
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Power management kernel parameters
+  boot.kernelParams = [
+    "intel_pstate=passive"    # Better with powersave governor
+    "i915.enable_rc6=1"       # GPU deep sleep states
+    "i915.enable_dc=2"        # Display C-states (deepest)
+    "i915.enable_fbc=1"       # Frame buffer compression
+  ];
+
+  # RAID 1 arrays for data storage
+  boot.swraid = {
+    enable = true;
+    mdadmConf = ''
+      DEVICE /dev/disk/by-id/nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1MAZ0E7-part1
+      DEVICE /dev/disk/by-id/nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1M9Z0E7-part1
+      DEVICE /dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_8582A01SF4MJ-part1
+      DEVICE /dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_75V2A0H3F4MJ-part1
+    '';
+  };
+
+  # Tmpfs root filesystem (ephemeral - resets on reboot)
+  fileSystems."/" = {
+    device = "none";
+    fsType = "tmpfs";
+    options = [ "size=8G" "mode=755" ];
+  };
+
+  # Boot partition - EFI
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-partlabel/BOOT";
+    fsType = "vfat";
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-partlabel/NIXOS";
+    fsType = "btrfs";
+    neededForBoot = true;
+    options = [
+      "subvol=@"
+      "compress=zstd:1"
+      "noatime"
+      "commit=120"
+    ];
+  };
+
+  fileSystems."/nix/store" = {
+    device = "/dev/disk/by-partlabel/NIXOS";
+    fsType = "btrfs";
+    neededForBoot = true;
+    options = [
+      "subvol=@nix-store"
+      "compress=zstd:1"
+      "noatime"
+      "commit=120"
+    ];
+  };
+
+  fileSystems."/nix/persist" = {
+    device = "/dev/disk/by-partlabel/NIXOS";
+    fsType = "btrfs";
+    neededForBoot = true;
+    options = [
+      "subvol=@nix-persist"
+      "compress=zstd:1"
+      "noatime"
+      "commit=120"
+    ];
+  };
+
+  # LVM volumes on RAID array
+  fileSystems."/var/lib/downloads" = {
+    device = "/dev/vg-data-fast/downloads";
+    fsType = "ext4";
+  };
+
+  fileSystems."/var/lib/multimedia" = {
+    device = "/dev/vg-data-slow/multimedia";
+    fsType = "ext4";
+    options = [ "noatime" ];
+  };
+
+  # DHCP networking
+  networking.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/nas/modules/cyberghost.nix

@@ -0,0 +1,103 @@
+{ config, pkgs, ... }:
+let
+  localNetwork = "10.42.96.0/20";
+in
+{
+  # SOPS secrets for CyberGhost credentials
+  sops.secrets.cyberghost-auth = {
+    mode = "0400";
+    owner = "root";
+  };
+  sops.secrets.cyberghost-ca = {
+    mode = "0400";
+    owner = "root";
+  };
+  sops.secrets.cyberghost-cert = {
+    mode = "0400";
+    owner = "root";
+  };
+  sops.secrets.cyberghost-key = {
+    mode = "0400";
+    owner = "root";
+  };
+
+  environment.systemPackages = [ pkgs.openvpn ];
+
+  # OpenVPN client service
+  services.openvpn.servers.cyberghost = {
+    autoStart = true;
+    updateResolvConf = true;
+    config = ''
+      client
+      dev tun
+      proto udp
+      remote 87-1-hu.cg-dialup.net 443
+      resolv-retry infinite
+      nobind
+      persist-key
+      persist-tun
+
+      # Authentication
+      auth-user-pass ${config.sops.secrets.cyberghost-auth.path}
+      ca ${config.sops.secrets.cyberghost-ca.path}
+      cert ${config.sops.secrets.cyberghost-cert.path}
+      key ${config.sops.secrets.cyberghost-key.path}
+
+      # Security
+      data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
+      data-ciphers-fallback AES-256-CBC
+      auth SHA256
+      remote-cert-tls server
+      script-security 2
+
+      # Connection
+      ping 5
+      explicit-exit-notify 2
+      route-delay 5
+
+      # Split tunnel: Don't pull routes from server, we'll set our own
+      route-nopull
+
+      # Route all traffic through VPN except local network
+      route 0.0.0.0 128.0.0.0 vpn_gateway
+      route 128.0.0.0 128.0.0.0 vpn_gateway
+
+      # Keep local network route direct
+      route ${localNetwork} net_gateway
+
+      verb 4
+    '';
+  };
+
+  # Kill switch: Block outgoing traffic if VPN is down
+  networking.firewall = {
+    extraCommands = ''
+      # Allow traffic to local network
+      iptables -A OUTPUT -d ${localNetwork} -j ACCEPT
+
+      # Allow traffic through VPN tunnel
+      iptables -A OUTPUT -o tun+ -j ACCEPT
+
+      # Allow loopback
+      iptables -A OUTPUT -o lo -j ACCEPT
+
+      # Allow established connections (for responses)
+      iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+      # Allow OpenVPN to establish connection (UDP 443)
+      iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
+
+      # Drop all other outgoing internet traffic (kill switch)
+      iptables -A OUTPUT ! -d ${localNetwork} -j DROP
+    '';
+
+    extraStopCommands = ''
+      iptables -D OUTPUT -d ${localNetwork} -j ACCEPT 2>/dev/null || true
+      iptables -D OUTPUT -o tun+ -j ACCEPT 2>/dev/null || true
+      iptables -D OUTPUT -o lo -j ACCEPT 2>/dev/null || true
+      iptables -D OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
+      iptables -D OUTPUT -p udp --dport 443 -j ACCEPT 2>/dev/null || true
+      iptables -D OUTPUT ! -d ${localNetwork} -j DROP 2>/dev/null || true
+    '';
+  };
+}

hosts/nas/modules/disk-monitoring.nix

@@ -0,0 +1,199 @@
+# Disk monitoring for NAS
+# - S.M.A.R.T. metrics collection (respects disk spindown)
+# - mdadm RAID array status
+# - Exports metrics via node_exporter textfile collector
+{ config, lib, pkgs, ... }:
+
+let
+  # Disk identifiers from hardware-configuration.nix
+  disks = [
+    "/dev/disk/by-id/ata-ST18000NM000J-2TV103_ZR52TBSB"
+    "/dev/disk/by-id/ata-ST18000NM000J-2TV103_ZR52V9QX"
+    "/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_8582A01SF4MJ"
+    "/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_75V2A0H3F4MJ"
+    "/dev/disk/by-id/nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1MAZ0E7"
+    "/dev/disk/by-id/nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1M9Z0E7"
+  ];
+
+  textfileDir = "/var/lib/prometheus-node-exporter";
+
+  # Script to collect S.M.A.R.T. and mdadm metrics
+  collectMetricsScript = pkgs.writeShellScript "collect-disk-metrics" ''
+    set -euo pipefail
+
+    TEXTFILE_DIR="${textfileDir}"
+    METRICS_FILE="$TEXTFILE_DIR/disk_health.prom"
+    TEMP_FILE="$TEXTFILE_DIR/disk_health.prom.tmp"
+
+    mkdir -p "$TEXTFILE_DIR"
+    : > "$TEMP_FILE"
+
+    # Timestamp of collection
+    echo "# HELP disk_metrics_last_update Unix timestamp of last metrics collection" >> "$TEMP_FILE"
+    echo "# TYPE disk_metrics_last_update gauge" >> "$TEMP_FILE"
+    echo "disk_metrics_last_update $(date +%s)" >> "$TEMP_FILE"
+
+    echo "" >> "$TEMP_FILE"
+    echo "# HELP smart_device_active Whether the disk was active (1) or sleeping (0) when checked" >> "$TEMP_FILE"
+    echo "# TYPE smart_device_active gauge" >> "$TEMP_FILE"
+
+    # S.M.A.R.T. metrics for each disk
+    for disk in ${lib.concatStringsSep " " disks}; do
+      if [[ ! -e "$disk" ]]; then
+        echo "Warning: Disk $disk not found, skipping" >&2
+        continue
+      fi
+
+      # Resolve symlink to get actual device (needed for hdparm/smartctl)
+      device=$(readlink -f "$disk")
+
+      # Extract model+serial from disk-by-id path for stable labeling
+      # ata-ST18000NM000J-2TV103_ZR52TBSB → ST18000NM000J-2TV103-ZR52TBSB
+      # nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1MAZ0E7 → KIOXIA-EXCERIA_PLUS_G3_SSD-7FJKS1MAZ0E7
+      disk_id=$(basename "$disk")
+      serial=$(echo "$disk_id" | sed 's/.*_//')
+      model=$(echo "$disk_id" | sed 's/^[^-]*-//; s/_[^_]*$//')
+      short_name="$model-$serial"
+
+      # Check power state without waking disk
+      power_state=$(${pkgs.hdparm}/bin/hdparm -C "$device" 2>/dev/null | grep -oP '(standby|active/idle|active|idle)' | head -1 || echo "unknown")
+
+      if [[ "$power_state" == "standby" ]]; then
+        # Disk is sleeping - don't wake it, report inactive
+        echo "smart_device_active{device=\"$short_name\",serial=\"$serial\"} 0" >> "$TEMP_FILE"
+        echo "Disk $short_name is in standby, skipping S.M.A.R.T. collection" >&2
+        continue
+      fi
+
+      # Disk is active - collect S.M.A.R.T. data
+      echo "smart_device_active{device=\"$short_name\",serial=\"$serial\"} 1" >> "$TEMP_FILE"
+
+      # Get S.M.A.R.T. health status
+      if ${pkgs.smartmontools}/bin/smartctl -H "$device" 2>/dev/null | grep -q "PASSED"; then
+        health=1
+      else
+        health=0
+      fi
+
+      # Get S.M.A.R.T. attributes
+      smartctl_output=$(${pkgs.smartmontools}/bin/smartctl -A "$device" 2>/dev/null || true)
+
+      # Parse key attributes
+      # Format: ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
+
+      get_raw_value() {
+        local attr_id="$1"
+        echo "$smartctl_output" | awk -v id="$attr_id" '$1 == id { print $10 }' | head -1
+      }
+
+      reallocated=$(get_raw_value "5")
+      power_on_hours=$(get_raw_value "9")
+      temperature=$(get_raw_value "194")
+      reallocated_event=$(get_raw_value "196")
+      pending_sector=$(get_raw_value "197")
+      offline_uncorrectable=$(get_raw_value "198")
+      udma_crc_error=$(get_raw_value "199")
+
+      # Output metrics
+      cat >> "$TEMP_FILE" << EOF
+
+# S.M.A.R.T. metrics for $short_name
+smart_health_passed{device="$short_name",serial="$serial"} $health
+EOF
+
+      [[ -n "$reallocated" ]] && echo "smart_reallocated_sector_ct{device=\"$short_name\",serial=\"$serial\"} $reallocated" >> "$TEMP_FILE"
+      [[ -n "$power_on_hours" ]] && echo "smart_power_on_hours{device=\"$short_name\",serial=\"$serial\"} $power_on_hours" >> "$TEMP_FILE"
+      [[ -n "$temperature" ]] && echo "smart_temperature_celsius{device=\"$short_name\",serial=\"$serial\"} $temperature" >> "$TEMP_FILE"
+      [[ -n "$reallocated_event" ]] && echo "smart_reallocated_event_count{device=\"$short_name\",serial=\"$serial\"} $reallocated_event" >> "$TEMP_FILE"
+      [[ -n "$pending_sector" ]] && echo "smart_current_pending_sector{device=\"$short_name\",serial=\"$serial\"} $pending_sector" >> "$TEMP_FILE"
+      [[ -n "$offline_uncorrectable" ]] && echo "smart_offline_uncorrectable{device=\"$short_name\",serial=\"$serial\"} $offline_uncorrectable" >> "$TEMP_FILE"
+      [[ -n "$udma_crc_error" ]] && echo "smart_udma_crc_error_count{device=\"$short_name\",serial=\"$serial\"} $udma_crc_error" >> "$TEMP_FILE"
+    done
+
+    # mdadm RAID array status (doesn't access disks)
+    echo "" >> "$TEMP_FILE"
+    echo "# HELP mdadm_array_state RAID array state (1=clean/active/resyncing, 0=degraded/other)" >> "$TEMP_FILE"
+    echo "# TYPE mdadm_array_state gauge" >> "$TEMP_FILE"
+    echo "# HELP mdadm_array_devices_total Total devices in RAID array" >> "$TEMP_FILE"
+    echo "# TYPE mdadm_array_devices_total gauge" >> "$TEMP_FILE"
+    echo "# HELP mdadm_array_devices_active Active devices in RAID array" >> "$TEMP_FILE"
+    echo "# TYPE mdadm_array_devices_active gauge" >> "$TEMP_FILE"
+
+    # Find RAID arrays
+    for md_device in /dev/md/*; do
+      [[ -e "$md_device" ]] || continue
+
+      array_name=$(basename "$md_device")
+
+      # Get array details
+      mdadm_output=$(${pkgs.mdadm}/bin/mdadm --detail "$md_device" 2>/dev/null || continue)
+
+      # Parse state
+      state=$(echo "$mdadm_output" | grep "State :" | sed 's/.*State : //' | tr -d ' ')
+      if [[ "$state" == *clean* ]] || [[ "$state" == *active* ]]; then
+        state_value=1
+      else
+        state_value=0
+      fi
+
+      # Parse device counts
+      total_devices=$(echo "$mdadm_output" | grep "Raid Devices" | awk '{print $4}')
+      active_devices=$(echo "$mdadm_output" | grep "Active Devices" | awk '{print $4}')
+
+      echo "mdadm_array_state{array=\"$array_name\",state=\"$state\"} $state_value" >> "$TEMP_FILE"
+      [[ -n "$total_devices" ]] && echo "mdadm_array_devices_total{array=\"$array_name\"} $total_devices" >> "$TEMP_FILE"
+      [[ -n "$active_devices" ]] && echo "mdadm_array_devices_active{array=\"$array_name\"} $active_devices" >> "$TEMP_FILE"
+    done
+
+    # Atomically replace the metrics file
+    mv "$TEMP_FILE" "$METRICS_FILE"
+
+    echo "Disk metrics collection complete"
+  '';
+in
+{
+  # Required packages
+  environment.systemPackages = with pkgs; [
+    smartmontools
+    hdparm
+    mdadm
+  ];
+
+  # Node exporter with textfile collector
+  services.prometheus.exporters.node = {
+    enable = true;
+    enabledCollectors = [
+      "textfile"
+    ];
+    extraFlags = [
+      "--collector.textfile.directory=${textfileDir}"
+    ];
+  };
+
+  # Systemd service to collect metrics
+  systemd.services.disk-metrics = {
+    description = "Collect S.M.A.R.T. and RAID metrics";
+    path = with pkgs; [ coreutils gawk gnugrep gnused ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${collectMetricsScript}";
+      # Run as root to access disk devices
+      User = "root";
+    };
+  };
+
+  # Timer to run every 20 minutes (5min buffer for 15min spindown)
+  systemd.timers.disk-metrics = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "*:0/20";  # Every 20 minutes
+      RandomizedDelaySec = "1min";
+      Persistent = true;
+    };
+  };
+
+  # Ensure textfile directory exists and is persisted
+  systemd.tmpfiles.rules = [
+    "d ${textfileDir} 0755 root root -"
+  ];
+}

hosts/nas/modules/filebot-process.nix

@@ -0,0 +1,186 @@
+{ pkgs }:
+
+pkgs.writeShellScriptBin "filebot-process" ''
+  #!/usr/bin/env bash
+  set -euo pipefail
+
+  # FileBot AMC script for automated media organization
+  # Called by PyLoad's package_extracted hook with parameters:
+  # $1 = package_id
+  # $2 = package_name
+  # $3 = download_folder (actual path to extracted files)
+  # $4 = password (optional)
+
+  PACKAGE_ID="''${1:-}"
+  PACKAGE_NAME="''${2:-unknown}"
+  DOWNLOAD_DIR="''${3:-/var/lib/downloads}"
+  PASSWORD="''${4:-}"
+
+  OUTPUT_DIR="/var/lib/multimedia"
+  LOG_FILE="/var/lib/pyload/filebot-amc.log"
+  EXCLUDE_LIST="/var/lib/pyload/filebot-exclude-list.txt"
+  PASSWORD_FILE="/var/lib/pyload/extraction-passwords.txt"
+
+  # Ensure FileBot data directory exists
+  mkdir -p /var/lib/pyload/.local/share/filebot/data
+  mkdir -p "$(dirname "$LOG_FILE")"
+  touch "$EXCLUDE_LIST"
+
+  # Install FileBot license if not already installed
+  if [ ! -f /var/lib/pyload/.local/share/filebot/data/.license ]; then
+    echo "$(date): Installing FileBot license..." >> "$LOG_FILE"
+    ${pkgs.filebot}/bin/filebot --license /var/lib/pyload/filebot-license.psm || true
+  fi
+
+  echo "===========================================" >> "$LOG_FILE"
+  echo "$(date): PyLoad package hook triggered" >> "$LOG_FILE"
+  echo "Package ID: $PACKAGE_ID" >> "$LOG_FILE"
+  echo "Package Name: $PACKAGE_NAME" >> "$LOG_FILE"
+  echo "Download Directory: $DOWNLOAD_DIR" >> "$LOG_FILE"
+  echo "===========================================" >> "$LOG_FILE"
+
+  # Check if download directory exists
+  if [ ! -d "$DOWNLOAD_DIR" ]; then
+    echo "$(date): Download directory does not exist: $DOWNLOAD_DIR" >> "$LOG_FILE"
+    exit 0
+  fi
+
+  # --- Archive Extraction ---
+
+  # Try extraction with passwords, then without
+  try_extract() {
+    local archive="$1"
+    local outdir
+    outdir="$(dirname "$archive")"
+
+    # Try each password from file
+    if [ -f "$PASSWORD_FILE" ]; then
+      while IFS= read -r pass || [ -n "$pass" ]; do
+        [ -z "$pass" ] && continue
+        case "$archive" in
+          *.rar) ${pkgs.unrar}/bin/unrar x -p"$pass" -o+ "$archive" "$outdir/" >/dev/null 2>&1 && return 0 ;;
+          *.7z)  ${pkgs.p7zip}/bin/7z x -p"$pass" -aoa -o"$outdir" "$archive" >/dev/null 2>&1 && return 0 ;;
+          *.zip) ${pkgs.p7zip}/bin/7z x -p"$pass" -aoa -o"$outdir" "$archive" >/dev/null 2>&1 && return 0 ;;
+        esac
+      done < "$PASSWORD_FILE"
+    fi
+
+    # Try without password
+    case "$archive" in
+      *.rar) ${pkgs.unrar}/bin/unrar x -o+ "$archive" "$outdir/" >/dev/null 2>&1 && return 0 ;;
+      *.7z)  ${pkgs.p7zip}/bin/7z x -aoa -o"$outdir" "$archive" >/dev/null 2>&1 && return 0 ;;
+      *.zip) ${pkgs.p7zip}/bin/7z x -aoa -o"$outdir" "$archive" >/dev/null 2>&1 && return 0 ;;
+    esac
+    return 1
+  }
+
+  # Delete all parts of a split RAR archive
+  delete_rar_parts() {
+    local first_part="$1"
+    local base dir
+
+    dir="$(dirname "$first_part")"
+    # Extract base name: "foo.part1.rar" -> "foo", "foo.part01.rar" -> "foo"
+    base="$(basename "$first_part" | ${pkgs.gnused}/bin/sed -E 's/\.part[0-9]+\.rar$//')"
+
+    # Delete all parts matching the pattern
+    find "$dir" -maxdepth 1 -type f -iname "''${base}.part*.rar" -delete
+    echo "$(date): Deleted all parts: ''${base}.part*.rar" >> "$LOG_FILE"
+  }
+
+  # Extract archives in directory
+  extract_archives() {
+    local dir="$1"
+    local extracted=0
+
+    # 1. Handle split RAR archives (*.part1.rar or *.part01.rar - first part only)
+    while IFS= read -r -d "" archive; do
+      echo "$(date): Extracting split RAR: $archive" >> "$LOG_FILE"
+      if try_extract "$archive"; then
+        echo "$(date): Extraction successful" >> "$LOG_FILE"
+        delete_rar_parts "$archive"
+        extracted=1
+      else
+        echo "$(date): Extraction FAILED: $archive" >> "$LOG_FILE"
+      fi
+    done < <(find "$dir" -type f \( -iname "*.part1.rar" -o -iname "*.part01.rar" \) -print0 2>/dev/null)
+
+    # 2. Handle single RAR files (not part of split archive)
+    while IFS= read -r -d "" archive; do
+      echo "$(date): Extracting RAR: $archive" >> "$LOG_FILE"
+      if try_extract "$archive"; then
+        echo "$(date): Extraction successful, deleting: $archive" >> "$LOG_FILE"
+        rm -f "$archive"
+        extracted=1
+      else
+        echo "$(date): Extraction FAILED: $archive" >> "$LOG_FILE"
+      fi
+    done < <(find "$dir" -type f -iname "*.rar" ! -iname "*.part*.rar" -print0 2>/dev/null)
+
+    # 3. Handle 7z and zip archives
+    while IFS= read -r -d "" archive; do
+      echo "$(date): Extracting: $archive" >> "$LOG_FILE"
+      if try_extract "$archive"; then
+        echo "$(date): Extraction successful, deleting: $archive" >> "$LOG_FILE"
+        rm -f "$archive"
+        extracted=1
+      else
+        echo "$(date): Extraction FAILED: $archive" >> "$LOG_FILE"
+      fi
+    done < <(find "$dir" -type f \( -iname "*.7z" -o -iname "*.zip" \) -print0 2>/dev/null)
+
+    [ "$extracted" -eq 1 ] && return 0 || return 1
+  }
+
+  # Run extraction (loop to handle nested archives)
+  echo "$(date): Starting archive extraction..." >> "$LOG_FILE"
+  for i in 1 2 3; do
+    extract_archives "$DOWNLOAD_DIR" || break
+  done
+  echo "$(date): Archive extraction complete" >> "$LOG_FILE"
+
+  # --- Media Processing ---
+
+  # Check if there are any video/media files to process
+  if ! find "$DOWNLOAD_DIR" -type f \( -iname "*.mkv" -o -iname "*.mp4" -o -iname "*.avi" -o -iname "*.m4v" -o -iname "*.mov" \) -print -quit | grep -q .; then
+    echo "$(date): No media files found in: $DOWNLOAD_DIR" >> "$LOG_FILE"
+    echo "$(date): Skipping FileBot processing" >> "$LOG_FILE"
+    exit 0
+  fi
+
+  echo "$(date): Starting FileBot processing" >> "$LOG_FILE"
+
+  # Run FileBot AMC script
+  set +e  # Temporarily disable exit on error to capture exit code
+  ${pkgs.filebot}/bin/filebot \
+    -script fn:amc \
+    --output "$OUTPUT_DIR" \
+    --action move \
+    --conflict auto \
+    -non-strict \
+    --log-file "$LOG_FILE" \
+    --def \
+      excludeList="$EXCLUDE_LIST" \
+      movieFormat="$OUTPUT_DIR/movies/{n} ({y})/{n} ({y}) - {vf}" \
+      seriesFormat="$OUTPUT_DIR/tv-shows/{n}/Season {s.pad(2)}/{n} - {s00e00} - {t}" \
+      ut_dir="$DOWNLOAD_DIR" \
+      ut_kind=multi \
+      clean=y \
+      skipExtract=y
+
+  FILEBOT_EXIT_CODE=$?
+  set -e  # Re-enable exit on error
+
+  if [ $FILEBOT_EXIT_CODE -ne 0 ]; then
+    echo "$(date): FileBot processing failed with exit code $FILEBOT_EXIT_CODE" >> "$LOG_FILE"
+    exit 0  # Don't fail the hook even if FileBot fails
+  fi
+
+  echo "$(date): FileBot processing completed successfully" >> "$LOG_FILE"
+
+  # Clean up any remaining empty directories
+  find "$DOWNLOAD_DIR" -type d -empty -delete 2>/dev/null || true
+
+  echo "$(date): All processing completed" >> "$LOG_FILE"
+  exit 0
+''

hosts/nas/modules/jellyfin.nix

@@ -0,0 +1,51 @@
+{ lib, pkgs, ... }: {
+  # Intel graphics support for hardware transcoding
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      vpl-gpu-rt
+      intel-compute-runtime
+    ];
+  };
+
+  # Set VA-API driver to iHD (modern Intel driver)
+  environment.sessionVariables = {
+    LIBVA_DRIVER_NAME = "iHD";
+  };
+
+  # Jellyfin user with render/video groups for GPU access
+  users.users.jellyfin = {
+    isSystemUser = true;
+    group = "jellyfin";
+    home = "/var/lib/jellyfin";
+    createHome = true;
+    extraGroups = [ "render" "video" ];
+  };
+  users.groups.jellyfin = {};
+
+  # Create jellyfin directory
+  systemd.tmpfiles.rules = [
+    "d /var/lib/jellyfin 0755 jellyfin jellyfin - -"
+  ];
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  # Override systemd hardening for GPU access
+  systemd.services.jellyfin = {
+    serviceConfig = {
+      PrivateUsers = lib.mkForce false;  # Disable user namespacing - breaks GPU device access
+      DeviceAllow = [
+        "/dev/dri/card0 rw"
+        "/dev/dri/renderD128 rw"
+      ];
+      SupplementaryGroups = [ "render" "video" ];  # Critical: Explicit group membership for GPU access
+    };
+    environment = {
+      LIBVA_DRIVER_NAME = "iHD";  # Ensure service sees this variable
+    };
+  };
+}

hosts/nas/modules/power-management.nix

@@ -0,0 +1,24 @@
+# Power management for NAS
+# - CPU powersave governor (scales up on demand for transcoding)
+# - Disk spindown after 15 minutes idle
+{ config, lib, pkgs, ... }:
+
+{
+  # CPU Power Management - powersave scales up on demand for transcoding
+  powerManagement.cpuFreqGovernor = "powersave";
+
+  # Disk spindown - hdparm for Seagate 18TB drives
+  environment.systemPackages = [ pkgs.hdparm ];
+
+  services.udev.extraRules = ''
+    # Seagate 18TB NAS drives - APM 127 allows spindown, -S 180 = 15 min
+    ACTION=="add", KERNEL=="sd[a-z]", SUBSYSTEM=="block", \
+      ATTRS{model}=="ST18000NM000J*", \
+      RUN+="${pkgs.hdparm}/bin/hdparm -B 127 -S 180 /dev/%k"
+
+    # Toshiba 20TB NAS drives - same settings
+    ACTION=="add", KERNEL=="sd[a-z]", SUBSYSTEM=="block", \
+      ATTRS{model}=="TOSHIBA MG10ACA2*", \
+      RUN+="${pkgs.hdparm}/bin/hdparm -B 127 -S 180 /dev/%k"
+  '';
+}

hosts/nas/modules/pyload.nix

@@ -0,0 +1,120 @@
+{ config, pkgs, lib, ... }:
+let
+  filebotScript = pkgs.callPackage ./filebot-process.nix {};
+in
+{
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "unrar"
+    "filebot"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    unrar    # Required for RAR archive extraction
+    p7zip    # Required for 7z and other archive formats
+  ];
+
+  # Create directory structure
+  systemd.tmpfiles.rules = [
+    "d /var/lib/downloads 0755 pyload pyload - -"
+    "d /var/lib/multimedia 0775 root jellyfin - -"
+    "d /var/lib/multimedia/movies 0775 jellyfin jellyfin - -"
+    "d /var/lib/multimedia/tv-shows 0775 jellyfin jellyfin - -"
+    "d /var/lib/multimedia/music 0755 jellyfin jellyfin - -"
+    "d /var/lib/multimedia/audiobooks 0775 jellyfin jellyfin - -"
+
+    # PyLoad hook scripts directory (package_finished triggers after download completes)
+    "d /var/lib/pyload/config 0755 pyload pyload - -"
+    "d /var/lib/pyload/config/scripts 0755 pyload pyload - -"
+    "d /var/lib/pyload/config/scripts/package_finished 0755 pyload pyload - -"
+    "L+ /var/lib/pyload/config/scripts/package_finished/filebot-process.sh - - - - ${filebotScript}/bin/filebot-process"
+  ];
+
+  # FileBot license secret (only if secrets.yaml exists)
+  sops.secrets.filebot-license = {
+    mode = "0440";
+    owner = "pyload";
+    group = "pyload";
+    path = "/var/lib/pyload/filebot-license.psm";
+  };
+
+  # Extraction passwords for filebot-process script (one password per line)
+  sops.secrets.pyload-extraction-passwords = {
+    mode = "0440";
+    owner = "pyload";
+    group = "pyload";
+    path = "/var/lib/pyload/extraction-passwords.txt";
+  };
+
+  # PyLoad user with jellyfin group membership for multimedia access
+  users.users.pyload = {
+    isSystemUser = true;
+    group = "pyload";
+    home = "/var/lib/pyload";
+    createHome = true;
+    extraGroups = [ "jellyfin" ];
+  };
+  users.groups.pyload = {};
+
+  services.pyload = {
+    enable = true;
+    downloadDirectory = "/var/lib/downloads";
+    listenAddress = "0.0.0.0";
+    port = 8000;
+  };
+
+  # Configure pyload service
+  systemd.services.pyload = {
+    # Add extraction tools to service PATH
+    path = with pkgs; [
+      unrar    # For RAR extraction
+      p7zip    # For 7z extraction
+    ];
+
+    environment = {
+      # Disable SSL certificate verification
+      PYLOAD__GENERAL__SSL_VERIFY = "0";
+
+      # Download speed limiting (150 Mbit/s = 19200 KiB/s)
+      PYLOAD__DOWNLOAD__LIMIT_SPEED = "1";
+      PYLOAD__DOWNLOAD__MAX_SPEED = "19200";
+
+      # Disable ExtractArchive plugin (extraction handled by filebot-process script)
+      PYLOAD__EXTRACTARCHIVE__ENABLED = "0";
+
+      # Enable ExternalScripts plugin for hooks
+      PYLOAD__EXTERNALSCRIPTS__ENABLED = "1";
+      PYLOAD__EXTERNALSCRIPTS__UNLOCK = "1";  # Run hooks asynchronously
+
+      # DdownloadCom plugin: don't fall back to free if premium fails
+      PYLOAD__DDOWNLOADCOM__FALLBACK = "0";
+    };
+
+    serviceConfig = {
+      # Bind-mount DNS configuration files into the sandboxed service
+      BindReadOnlyPaths = [
+        "/etc/resolv.conf"
+        "/etc/nsswitch.conf"
+        "/etc/hosts"
+        "/etc/ssl"
+        "/etc/static/ssl"
+        "/run/secrets"  # SOPS secrets access for FileBot license
+      ];
+      # Bind mount multimedia directory as writable for FileBot hook scripts
+      BindPaths = [ "/var/lib/multimedia" ];
+
+      # Override SystemCallFilter to allow @resources syscalls
+      # FileBot (Java) needs resource management syscalls like setpriority
+      # during cleanup operations. Still block privileged syscalls for security.
+      SystemCallFilter = lib.mkForce [
+        "@system-service"
+        "@resources"       # Explicitly allow resource management syscalls
+        "~@privileged"     # Still block privileged operations
+        "fchown"           # Re-allow fchown for FileBot file operations
+        "fchown32"         # 32-bit compatibility
+      ];
+    };
+  };
+
+  # Open firewall for PyLoad web interface
+  networking.firewall.allowedTCPPorts = [ 8000 ];
+}

hosts/nas/modules/ugreen-leds.nix

@@ -0,0 +1,285 @@
+# UGREEN DXP4800 LED control
+# Based on https://github.com/miskcoo/ugreen_leds_controller
+{ config, lib, pkgs, ... }:
+
+let
+  # Disk mapping: ata port -> LED name
+  # DXP4800 has bays 1-4, all populated
+  diskMapping = {
+    "1" = "disk1";
+    "2" = "disk2";
+    "3" = "disk3";
+    "4" = "disk4";
+  };
+
+  # LED colors (R G B)
+  colors = {
+    healthy = "0 255 0";      # Green
+    activity = "0 255 0";     # Green blink
+    standby = "0 0 255";      # Dim blue when sleeping
+    fail = "255 0 0";         # Red
+    network = "0 255 0";      # Green
+    power = "255 255 255";    # White
+  };
+
+  brightness = 255;
+  standbyBrightness = 30;     # Dim when in standby
+  refreshInterval = "0.1";    # Seconds between activity checks
+  powerCheckInterval = 30;    # Seconds between power state checks
+
+  # Script to initialize LEDs on boot
+  initLedsScript = pkgs.writeShellScript "ugreen-leds-init" ''
+    set -euo pipefail
+    PATH="${lib.makeBinPath [ pkgs.ugreen-leds-cli ]}:$PATH"
+
+    # Wait for i2c device to be available
+    for i in $(seq 1 30); do
+      if [ -e /dev/i2c-0 ]; then
+        break
+      fi
+      sleep 1
+    done
+
+    # Initialize power LED - solid white
+    ugreen_leds_cli power -on -color ${colors.power} -brightness ${toString brightness} || true
+
+    # Initialize network LED - will be controlled by netdevmon
+    ugreen_leds_cli netdev -off || true
+
+    # Initialize disk LEDs based on mapping
+    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (ata: led: ''
+      ugreen_leds_cli ${led} -off || true
+    '') diskMapping)}
+
+    echo "UGREEN LEDs initialized"
+  '';
+
+  # Disk activity monitoring script
+  diskMonitorScript = pkgs.writeShellScript "ugreen-diskiomon" ''
+    set -euo pipefail
+    PATH="${lib.makeBinPath [ pkgs.ugreen-leds-cli pkgs.coreutils pkgs.gnugrep pkgs.gawk pkgs.smartmontools pkgs.hdparm ]}:$PATH"
+
+    # Build device -> LED mapping by checking ata ports
+    declare -A devices
+    declare -A diskio_data
+    declare -A disk_healthy
+    declare -A disk_standby
+
+    # Discover disks based on ata port mapping
+    for path in /dev/disk/by-path/pci-*-ata-*; do
+      [ -e "$path" ] || continue
+      # Skip partitions
+      [[ "$path" == *-part* ]] && continue
+
+      # Extract ata port number (e.g., ata-2 -> 2)
+      ata_port=$(echo "$path" | grep -oP 'ata-\K[0-9]+' | head -1)
+
+      case "$ata_port" in
+        ${lib.concatStringsSep "\n        " (lib.mapAttrsToList (ata: led: ''
+          ${ata})
+            device=$(readlink -f "$path")
+            short_name=$(basename "$device")
+            devices["${led}"]="$short_name"
+            echo "Mapped $short_name (ata-${ata}) -> ${led}"
+            ;;'') diskMapping)}
+      esac
+    done
+
+    if [ ''${#devices[@]} -eq 0 ]; then
+      echo "No disks found matching ATA ports, exiting"
+      exit 1
+    fi
+
+    # Set initial LED state for discovered disks
+    for led in "''${!devices[@]}"; do
+      device="''${devices[$led]}"
+
+      # Check SMART health (this will wake the disk at boot, which is acceptable)
+      if smartctl -H "/dev/$device" 2>/dev/null | grep -q "PASSED"; then
+        disk_healthy["$led"]=1
+        ugreen_leds_cli "$led" -on -color ${colors.healthy} -brightness ${toString brightness} || true
+      else
+        disk_healthy["$led"]=0
+        ugreen_leds_cli "$led" -on -color ${colors.fail} -brightness ${toString brightness} || true
+      fi
+
+      # Initialize tracking
+      diskio_data["$led"]=""
+      disk_standby["$led"]=0
+    done
+
+    echo "Starting disk activity monitoring for ''${#devices[@]} disk(s)"
+
+    # Function to update LED based on current state
+    update_led() {
+      local led="$1"
+      local device="''${devices[$led]}"
+
+      # Check power state without waking disk
+      local power_state
+      power_state=$(hdparm -C "/dev/$device" 2>/dev/null | grep -oP '(standby|active/idle|active|idle)' | head -1 || echo "unknown")
+
+      if [[ "$power_state" == "standby" ]]; then
+        if [[ "''${disk_standby[$led]}" != "1" ]]; then
+          # Disk just went to standby - dim the LED
+          disk_standby["$led"]=1
+          ugreen_leds_cli "$led" -on -color ${colors.standby} -brightness ${toString standbyBrightness} || true
+          echo "Disk $device entered standby, dimming LED"
+        fi
+      else
+        if [[ "''${disk_standby[$led]}" == "1" ]]; then
+          # Disk woke up - restore health-based color
+          disk_standby["$led"]=0
+          if [[ "''${disk_healthy[$led]}" == "1" ]]; then
+            ugreen_leds_cli "$led" -on -color ${colors.healthy} -brightness ${toString brightness} || true
+          else
+            ugreen_leds_cli "$led" -on -color ${colors.fail} -brightness ${toString brightness} || true
+          fi
+          echo "Disk $device woke up, restoring LED"
+        fi
+      fi
+    }
+
+    # Background power state checker
+    check_power_states() {
+      while true; do
+        sleep ${toString powerCheckInterval}
+        for led in "''${!devices[@]}"; do
+          update_led "$led"
+        done
+      done
+    }
+
+    # Start power state checker in background
+    check_power_states &
+    POWER_CHECK_PID=$!
+    trap "kill $POWER_CHECK_PID 2>/dev/null || true" EXIT
+
+    # Main activity monitoring loop
+    while true; do
+      for led in "''${!devices[@]}"; do
+        device="''${devices[$led]}"
+        stat_file="/sys/block/$device/stat"
+
+        if [ -f "$stat_file" ]; then
+          new_stat=$(cat "$stat_file" 2>/dev/null || echo "")
+
+          if [ -n "$new_stat" ] && [ "''${diskio_data[$led]}" != "$new_stat" ]; then
+            # Activity detected - disk must be awake now
+            if [[ "''${disk_standby[$led]}" == "1" ]]; then
+              disk_standby["$led"]=0
+              if [[ "''${disk_healthy[$led]}" == "1" ]]; then
+                ugreen_leds_cli "$led" -on -color ${colors.healthy} -brightness ${toString brightness} || true
+              else
+                ugreen_leds_cli "$led" -on -color ${colors.fail} -brightness ${toString brightness} || true
+              fi
+            fi
+
+            # Trigger LED blink for activity
+            if [ -e "/sys/class/leds/$led/shot" ]; then
+              echo 1 > "/sys/class/leds/$led/shot" 2>/dev/null || true
+            else
+              ugreen_leds_cli "$led" -blink 100 100 2>/dev/null || true
+              sleep 0.05
+              ugreen_leds_cli "$led" -on 2>/dev/null || true
+            fi
+          fi
+
+          diskio_data["$led"]="$new_stat"
+        fi
+      done
+
+      sleep ${refreshInterval}
+    done
+  '';
+
+  # Network activity monitoring script
+  netMonitorScript = pkgs.writeShellScript "ugreen-netdevmon" ''
+    set -euo pipefail
+    PATH="${lib.makeBinPath [ pkgs.ugreen-leds-cli pkgs.coreutils pkgs.iproute2 ]}:$PATH"
+
+    INTERFACE="$1"
+    CHECK_INTERVAL=60
+
+    echo "Starting network monitoring on $INTERFACE"
+
+    # Configure LED to trigger on network activity
+    led_path="/sys/class/leds/netdev"
+
+    while true; do
+      # Check if interface is up
+      if ip link show "$INTERFACE" 2>/dev/null | grep -q "state UP"; then
+        # Link is up - set green
+        ugreen_leds_cli netdev -on -color ${colors.network} -brightness ${toString brightness} || true
+
+        # Try to enable hardware trigger for activity indication
+        if [ -e "$led_path/device_name" ]; then
+          echo "$INTERFACE" > "$led_path/device_name" 2>/dev/null || true
+        fi
+        if [ -e "$led_path/rx" ]; then
+          echo 1 > "$led_path/rx" 2>/dev/null || true
+        fi
+        if [ -e "$led_path/tx" ]; then
+          echo 1 > "$led_path/tx" 2>/dev/null || true
+        fi
+      else
+        # Link is down - turn off
+        ugreen_leds_cli netdev -off || true
+      fi
+
+      sleep $CHECK_INTERVAL
+    done
+  '';
+
+in
+{
+  # Load i2c-dev kernel module for LED controller communication
+  boot.kernelModules = [ "i2c-dev" ];
+
+  # Install CLI tool
+  environment.systemPackages = [ pkgs.ugreen-leds-cli ];
+
+  # LED initialization service - runs once at boot
+  systemd.services.ugreen-leds-init = {
+    description = "Initialize UGREEN NAS LEDs";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "local-fs.target" "systemd-modules-load.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${initLedsScript}";
+    };
+  };
+
+  # Disk activity monitoring service
+  systemd.services.ugreen-diskiomon = {
+    description = "UGREEN disk activity LED monitor";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "ugreen-leds-init.service" "local-fs.target" ];
+    requires = [ "ugreen-leds-init.service" ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${diskMonitorScript}";
+      Restart = "always";
+      RestartSec = "5s";
+    };
+  };
+
+  # Network activity monitoring service (template for interface)
+  systemd.services."ugreen-netdevmon@" = {
+    description = "UGREEN network LED monitor for %i";
+    after = [ "ugreen-leds-init.service" "network-online.target" ];
+    requires = [ "ugreen-leds-init.service" ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${netMonitorScript} %i";
+      Restart = "always";
+      RestartSec = "10s";
+    };
+  };
+
+  # Enable network monitoring for primary interface
+  systemd.services."ugreen-netdevmon@enp2s0" = {
+    wantedBy = [ "multi-user.target" ];
+  };
+}

hosts/nas/secrets.yaml

@@ -0,0 +1,48 @@
+pyload-extraction-passwords: ENC[AES256_GCM,data:zOvPYcnvcg2OwJaCZovYQz87ZN9DdpKX1Re1/v24daw0WGBG3sGeJn1q+LDfjPIMy487CdY=,iv:loWfUcIw30kVXchmXwAts10FNUGxSsTY2UVRKs0RTJ8=,tag:WlTYugSv2ApR496Uc1KPEg==,type:str]
+cyberghost-auth: ENC[AES256_GCM,data:v8PlO2qi06p2FZR1iFbHAVPr0k+X/A==,iv:oEzIIZ7KiVJ5EpMT2YMgvMZSJZwtIsnTWwkMXxl/R4w=,tag:+NOMggSKloW0SOYxopHrYA==,type:str]
+cyberghost-ca: ENC[AES256_GCM,data:BAYpZ2xQgD05MNn4ZNmIGPByF0ERMLaIIC+iY6MDFC1rbfy50zqDKvzx8fdSYJp0hmUd7M+QnJUDDtq9dJkNcY90A1jiXhWK43gxBSeklcEhj5+l8tzmXuYGe7XtALu7D+Kee2NIUBEY7NHZOYP0Tj9BVFVzmyAKhgu6vs7UEwNt518LeIlH33eDO/809/vXVW2VhX3HoMytit9kkhczDRh/oCnMzmC7SKsKwouCQAcOSLLaNyAHy3jOFi78CPqBPuuv3i6wsAgKByvdQ3QpMGO7xx9MbEZsRZJiDJRRhP5BOy4DX/H6PwsR89E4QqqL0fU9P82p+3FlmVyHED8MJO905T0SC4PPVKAUlbtCbOvoAZOSXTouKhLNLY7WMiwXEEVhrBlu/Ml40yCwUJ7QCiU7DQBEBvOvo8l8pBU1nx1JzbzGopDsOVE9csF6H5g6Dxf24YqAsDeB6cmeDXNuDXJcr+6AeDtMyw8d+SiTLKmPa58eTqM6JEYY2yn/1DNkRyyyc5bFykdRUacWOUuqXKnzT/oSxfrEZHMN2YMRJU4Vo/K5WQ0ymiSv5miFSnZnm60Ha7G+S54swjFaUUmcMh15Rva3LUw4N0uM9QuXiLko1VqJlPtzv+eveCBCM7UiET9d45PAOjbk4FCjmzONSCNdjQhI0B6OwuZ6G0aP9rrGV+vOCijfBBqy6Y/wLKV166OZ4GYXkdBuQJ8VnSjoxA0vbtLOXA/L8PdvVMbRbZ7kYTFbtLQJsO+gCpEJOKB3VxnEVXcnLqyCpwEOtYVf8e9haTOVr09WvYJ1xLx0kjDKlp5g3X3s1CLAJiBnm97bLH8T/j6FCqijSLZwVjZtF6HEM+gn9G6nT78QastOOIfGE9YTWTPEl4t4dQRwK/Sv0OoaLokYN18gXEtAHxGLhHjzjeCeTZz8o1dE2ILA0t/xk56nzPWb8KzJFvjyWfUpyZuWNvEftxWhtV9c4i+Na3uyt8JAAySljpEcefWDYn10lr9RrixDgpU094Z34PMZCoLvViIn8Winxe1WIjQlchUlgTyBKse0A/q0Xr52jyOuMms2GUS2ssDnBIocER3RT6EetJzLvTjFh5EeQbRr6EgdXsvWzrN46n10WfqyN85DzBZneKLPT/XWlYSZPE4aJj2KGPT9Gic8Yoouf5y22exXnQkfRZsCM32THg5ug075Qzkf77aQLPx7gFzGEWrJo/hjRb178yJW/Hhc8IYPPK9HdA6iRZm0LKfrEWi3gUFzkQO76fj9/wbYe57bHuYJW8B1516fyjvWPaz0fqdA//xLIfEgV6QS/iE122TYAqPk4OCraR7RbQ4stVutrI6o+ZJDSkCc4FI8McECtReVe7TN+pEzeVGlOa5s49L0QxEhP4ne5Y0gfJy5vBsD5HKSrLpZxww0P73UTUZdDCjKAnAhCFfYBmk8+VOFybazZS6Rv4zF2fvNPQ11Hacx1V2NGHA1uxrRpr+nUdeCIMPR6dtX67WTv4juIbr0oQBuJMsutzX265JQ+Rt2aC12FFpfN9TCBprFgkgRdgBUJWRcFfRwjD6jjzyQZGQ+nGuibogi7TIn3QPpVMNuwbe8a2Ks9BC5XjVhmym0mhS01DUmITLD1DPyVh3wGodB+4OQ5miJOwJeA11HBq1B44sTjC7vTSom4Dk/AOH91WnJrW1bG7Yw+j/DH/bc5efXlho3cHOQoQSWC7EQdLMzV5TXqY06idTwOQ+wo9l61qPCh9gqJLPlnNUrUqyEfc0zkwWvIt7gu26qykjET2Mt4cyXoFyHORqNywff37e3WSroo+meAVtO+xDPIJ5fI0AOsfwXRKiT+B/nmtE3VGL7duZt7yIbav7WnKn3zU+dEGdeQSt6cYNVGUtaVvsTO7RKermIIkA/8g/q+OVihf7MvCG5WTYBspu51swP9tN0NRcmmoRyI0bs6DEv8qHplpiC5eUUmyZU3wbhrXXLcyCDpNfwjq4vrotM1BG8maR2BLtVuTzpfKO0NMHA99pT0tateSLNC8YARCIjY/9njmHlVti/XHnjWm977syI3SGf06FUcTK52Vrxaoyp3x96VzGhdPLye8dDQ4MD9B8+B5qdzHF+m6rOeDZpbJmDMea6L4W+LiJLNSq6QolmM+aya3sQvQyCcSve2d+i7QLtIPKPmJkPPnwrbjCn6PHzE8KCAa7jmmd4pfUOAayp2NEWn5AS5qSGMZ4etUMde7BdHWWR3i632XCzrllMzOdOsLu9WF8SlcC4Nt6WQxDLXqhkl8pIeBe6rmy+AXc5wgkj/q60qYK96M12EHaB3dDfwYx/Ijx3Q1qqmMRFR8LGrmsryUsQm2sxQZUeE6I3EJqHD1vbQSZdt7TjLUaITOiRka/BNxQ4frThhiyUvm9zWaZKcoF/mdNdinxYxDE243535Yv/cquQFgKwoZ2/mU83CWyd3D9/8gYOJqrw6acNn1zlFXc4JSWnDaSqn1mSGZyw5PMPPKL1Pv2M9acV0t3d1asB5agohfVVpHgGp6/fQ7xbF/q5/07MaN/XRgbJHwo39q25Q1uec7PP/0qT0XlS0fPYEnDr9m9odfisw7Ku1MSJgic+eaNHXtkIRy3K5tLM9AM793Usn5PJeyS3+imOkit59gSAUlZzv2+IyJeZJIpgptPxVvvLzMpZ3+2PLvFNkmwlsJi+Nn7Fk7+BdzggNkIQMyBApWrZARbMhHxrtVLj3k1XoRciiEwNz11xFDwlyeXnxkikkt8pMQQIW/OMZJoenjbHlMdm4FM+gQ27cHbOu2OVFqeGAlgxIQJK66MglG52M4tHhSgvbdEReHY79AWXjGyy3nXpJx2CSB+Rvlvhsfgb21MjyGxChygxh1wTuKtHVz3F/ya60NLWRAHKQskZB5S6VgsZlgslan4v0mJzBemlh8AUp6g/P8skhLzeNh4JV4vshwIq9+mzTjUli1gzhKA8JP4WbNq+45DMwmURiB1sMalmT91uq9REage2Jx+pQ1PjC5DweFe8y6Bd4G4=,iv:mWBG6fP3do+VzwyBlCVXsWiywRNiyMiWNaxlYFTkms0=,tag:94YPWZtVy1viq0KbclF6LA==,type:str]
+cyberghost-cert: ENC[AES256_GCM,data:U2QtxwqqPpuTvawmbUmaFjM4muDJptsdAp1GJrxiFsEtQJJYWJWf2zSNL857asH8/yzTkkaHNAHn8fHpN5GgDqXsHn7A9L1gWQ40OVDYoY8C3KevgyPlqQQgmgpk+F/ogWC6ZSBZIk2ayTe8E1qtOI/KpVjzPoteiXB6akD6OBBsysXAEr56MvdU1c9OnqxauHsFZr1BskYM9fqFXm6b7KzMpzA2BPfxtpuGrnTDzMwciRuQXqJM95h2tDs4KoHMGwhgQjyIrti2eZrXb5GK1N54Hi+fmTCRvEDYrYiOE058uROdYV0oCmXJmZ9LFu+ti7zTZzoIq3jqshLh6QAEBxxi1eWqQ8Qq/zkjZDdOOQIacURBK6UGYRzZTqEQB34m/5+NCuyTq+bhFORNXuEDPf+JYWlvnqDGQ6FAnM+Wg4LmSFALnDL7UHPIHWas+VU/EZ2QwVQQ46AZ8tnyWwsp/0VSZepZuPXOyle/tp7jHOT1aTVFAD5AdUIgB5g5CjTo0Aw4tBVAGfnQEcjClZU/ccpTHeS3agDNte+fvpodIC548hm1tHDHJL98ZsxcE6C4zzc5Kq7nIl4Pqc6bDurHtmk+/O9stDqZGTpb4NERTsFBLaQYgWd1bbQEXXx4YFnoSKQZZVNxVqG0mVHwYuYSLZiGIwj/msKsIqZW7RRZfnfNfc9Er5/KC4SJbQLKcwbJY00gGKHCr+WQZ4wtxFoEefyefabyJkFjQonvVcAN1yjJGq9fN9ZaVrQ92vxFQy3rNHuTyvWvTDhZLedu0ukK3jC/Fc1yuzEcvv308gvoJROS5O8Jk/nfVtfPDZeSkIY52sYKpTQP4gAyn4+56RO2HROBnFvmvIFq/4jb4AZR/GUWV6v2u1zvHw/gX84uI7WyqG6TvC5tPuQKQ5se+xg+bbt3xL+8h+ieBB/a26asFk8M5CnweHB1rg4NkcqrSa4vU9wf7Kd20HH8Odrb4Q9xc876s4HhSqPAE22ZAvTDhGUO4R+pAU86YZzKt2TuPXlR1S7l3v1gzyMgMq95G/VzxOVkV2zY63KjGc72U/u6ia4oIida8QMASckchB7+V+Uas8YUJj22VVvxYq38Nm2e/wUDSLFUoPk/k05D1hGvkoejcfbwmnVoBWDC+sifjuImOLwZ0V2EV1S3Qgxf5OnAbjPKe+gfqnmrVvF+67jJUyRpNmxhq1TBnn28X3QMVu3/cW6kxpaYPXT1OgPdTZ0OeKonnXGAh314XSWH9kTrTgIB2f6xBOD95Xquu1UDMTaMZopljjplX6y63xoRIugeOIXS5wxL+jQz7fTH6l6DCHN9yPp+YM+lKqyLx4KerpjDwB43QOaiqFdk3wEj6u0N+UvHWDaKjhHi5K5FQP+VekuHbBgbj/kG1u6HPZNyeiJ11h4LDvV3ZCdZetUOzTcn4g2S+ai5SryOKKXh9+lVb467swTCtCrE+3+7dplE82HYbTaF7A4k0jwOXvWYLS3EW93pIZsYwsanxNRWInQk85GO+9hSkJSD3InTDUaFWs4m6Y8wbZCr6kQ9XMsjCJlGcJ89k5ump8m+IWhDjEWlKv8+8Fves/ktF2TS2Nij+eL/GUaUSLm8EkRj7vKTsKOfFk8uyn9z6dxjDQ04jhJDPLZ/h4UtiQhQntGAjCuTX9psRiNTHr+b3uge3UszH43+F0SUuqMS6+ytGNeQvC5jSE6CAi1I4DP9bQXUIKm0UC6gPuStgUnWnszy/wf785Ryt6X6Wbj+v65iPfb365AifDozhD99NKabiIvzRfqAP7sVLUh1e9dMa2NjagnC092oNrgkoIJuLlpjaxu9KszRRP38b4KwMbz8A99Y/Rom/BUIU6n0jzzvbAEAw6/mdng7E1GTUXMUQF1lrm4ZBuhanX72akG6fx4mFzaTZuN2a+psuwJYtbl9ewBkWYu8pif3K9mBe/eJ2eoxA6jR1wmjfmDXYTINd/HDjZK2n90j0ZgdxySa1bgqoBWf2VftxWhm+jkVQDXJixZTj4FKfGBmvl2lvkQBMyo1l/tifqAkpzQa6BJFfPBy167B1OuhhEFpQlXgW+e7Hs70htjp3izTRg8/0msDfMTcB/f3kBODpRxnUbZdfNu3adYjzo2DMdBLfJ+DSR08aMVueSXij9sNShXqEWEkX+XKL0lQYKeErqQlwpoy13CjjxpDzmI2M0OaQ9Ow9aIs4H60CTPM2vg9KsyJR+RrgpP2kFFaDnd6+pY4rdE8/yUcTs94tQ6QEouF3/Pvvz0t66+unQT23i1zMEUENiJXUaznhtLRpfj+NJyCh/2CAHRTu95oBg89wqxDfG3B23SuiWwzXqAFnj/GMgXo0O27H2GplYW8rgXnzYwMeEDlbK4V+BtzOUN2sEOZOq1Gu4GY5Dw60V5vL2P0RUsUOyDEeSnAFoEioLU2quswjZMl1/3NCXF5dYV1jUTn3WDEZhE1VF7LRNT/dCG+8+QUf9KiFrkTG+DfY6X3qOSIWXtGWtDMk1Cmj321+NyWdtV78eEg0E3BYDz8B0DndRm/oxBA6UOU+wAcdVRS+zKKOQykdS89NhofqFyAAA8nQY2TwdwrETQOYIjjJAEnIB9C77IkwDvMwK0RO0X5r4RlNlFPaFgFF5yu8NdYTUKmr/kcR0aM5x9rPllRFaYWGCN2EHYTrqin3dflgBooFkNbTEo8J3Mo8agTFfonR3o4YBaCxbxTS0AMo7QoKj6Jm8t4fFl48YKFgtAJX/x2QRm5sTQ6KKsz/rz6beLia7iP8ookdoNkkTkDAmNZJTZMOTeLmGGh4AvGbZz0H8GjGBnhRajl37eed81m5lEVRJUowv9lK2cp/e5rWKheUOpFSULIvj5xnmhTcS+77jLXoUcdMZLwJlceeDaF+HanqaKKgvrKFa6g6xpe4WyuK1+0gE7x9HAmdn+aoUqCDChzCBXgBo9jkuBYviYJTGfLgDx7ZCptdl5xEX4wLbGChjaVCeXsOEqRdewnV3TnQRBAnd/IMlSSgrtWljSQCp667wuSvl40SHQ5zgb0hjcsep5av5u+Cx+L4J8VeKQjSmk383c/2drqC9V+SZaR3rK4p8Hb0qFnDreS4KOT3VQqtshJOrwUfa1EYPqeLXqZ6Ar9YcUpZTFAgcWf3oDLXQ==,iv:kavsBNAUcK7vHOJnj9nyX4D9dHzgP3aBwCLQb9umBJo=,tag:aeTpc2vpO72R45cjBR+cFw==,type:str]
+cyberghost-key: ENC[AES256_GCM,data:135n9JkLyNluYlINp4j8/R1gMn8dGX9YPpdpvq8y/KYT7x1Yr/MzD9ogfXFDWTcrfkcRIu+sSeSLFLSifgRQ0oje33VNLUGIBXAN68sLvA1UybBrZzKdOywVHiCl0DDjQ20Mjk0fA9rTAV6+zm3KfutNtjjpBojNmrujosZC8YBbb3O189aiy7Ppq4DF8Q3gF5iaOiDDtgdjH9ASW7yAz5ufcTy9vX9qtbEItShE6spvjbQJ47wUyhDQ2M9eSK85EGSX7VjoMSGgxtKs+XVORXHSoSErtlhXSt8wNJoY7Nl6uB5iz7BdlfVKqsx4ab4aVnenZ1v1boTsUNQ3+ABXNFlgG2FEpGiu3Vnx0yqfc224ogxIOa3hf+IaMdysI1xCkdCOv1Ix7kf6osJ2kspU/DsZNobDZvRsGJQjjHDD45WIVxnI7efnJORVOcWlU67/XmpH16KhN1RKCG6vgXSPwvcjq4SDFhgUNktqD7DaZlRdkEvat/7nMjRT/ReysyBLzsu0HXesewjYw1WskOtdza+nctv47GtBwWwk+PrbmylDe31Iv8k1w0FcyxkhpOTANneeLW1u1EGOo7+sTK2Oei83xmIFHK1ODsP6WflRaELoLE09PrXERk/ohfDzTb515oKAJKd4Wso6vXFYK87CZCnIou+/bAUlk6tl0fXPNTPDUH82KuoEnUEgkyjvthBOq+st7vUbJG4eVoELG95vh9iCjJg5U4ldCd37s3YSH3osJRtNziW5/ZityMRCuePZs35fWGGviRZnhqOM4obz1hz3a5no9UXBWfgOO08nYbpQsVEAPg2qKo7ljRnBhtiQJcxP6/+Kcr0ZXEfVjfmENxhRWUO9IscUJ+ZCk09J4JnvAcgALy6qmIAjgBAvVAIEeJ89KM/972XuFPj7ebTfBmCInYq41hahs8AaPanQAywQTx5Av4ir0G5KpaDt5k8eda5BKANuTPAjZRDxGq+dCXczLjVIk0TTfwHnHlFt7twyxKnQlUCOI+v3dnVVbzjNWdVhp5Gdw7Jij/woEep/zLLHLONmD9qznEczr6sIl/wECJXNcLAMrsNqo70rZ529e0S0+ym3x2TI30jwMhhk/7br+1voku8CBdAEZign+3+GxPGCxQHQOWnHkPslQgm0Uyxu736e8/OKJWNDlC3U/UygPtv6fEnrbb/1BjV9NG1+SErR84Aau44YbCMnBofI7LhJsDXle/XD6FCHlURWPtJi2Tl5tm00sVQhap0LnYb6JunDECbJDwOprOfjqc+fmd2Ja9nj7s5c7ywrHeV4SXbml+FQMCXwh5PAQ/QGM21OShUh9wDkrt37K23d2zginG7ua2c5tPhu2ZOQS7XBBzGDPLUQUb0acPQhd6mFl5DLCt3P6p/o7uiQB48b4OfQRlgSlxoaTCrD3M58zNQYoJ+aa+dY9OxQBL49/bIhf8i9j2uA4mtwzLHE3cBN9A0s+t4VoXeeNz/telVebNlCNpWVM8oFpMAsK8qRtRxGMpsgH1usp9yzL3tzpSkFChXMjL/uKDK8N6VJauBPpnKNcWVPATMI77/apAYV9bttMj+LmR2tzjsetYELqES5MVcxOKENvRtSdX7Xdm71uQH1pIoG0bPVMF/BpysTGoOSBNjG0Sm47B5XzUSsEFavgHFo26a4vi2tRV5RcjEQOC4NxC3uMNc7IkFg0s94EIy5uDEn9r6AXpONG+/kGV0LCPgh4W5a3PTHeHd9Zczq6ZwoAANSVsCH9VHlUUH4Gaz1/HVotsJJWarM/8zVbVTUpSesW3L2DRh8948LP51scIgi05jBLOJq4pmXK3bQNjjFtVU2sVYMUicSGi19hpCsimqm467RKh0ynfATknyruudD9/98Ug8EnXy9scPWNaVeNHPkKidD0vFmoh2I9JpfTrH4Q4z/UCAPyBLG8IWLZnWHysu3w1TW+ro/pkYqCC9HkVXxDbPsfHhKwZsonV6cuZ7JEfjzKWwOZqs5CbtEamOegVtFOUgW4FMwyUYgIQdkKdtidnIINQk0JhfGtnK1MR/oxAB6jsuA4i3XL+cdnCqdncH9HqfEkSA3NhczmEQbY0Nm814gaItORFlXXUgp2TzccOETJETBegCVIwNp1mQ70FKgLu2xAxNrOQwloizJh5aiLLJJ2E8/OFjDUpLLxGDwJfrhzV/kY8b+e6U2BFY4qM8DIXjy4Ris7NBkwgwrgN9Xp3FtP2IGxP4jWvRP6JdW0vP9OnN+nxoE928eQj0Pmh2ZTPwC2ZOJPcKVr8YWXn0BW7SeAcS/vCl3J8KjDLXofFchg94K41J3l17STVlvPTXzLVcED9zzcNIZalDj5KYI7vDC3L9C3gdqtOzT4vO1BEf5GaCSz3xDVYAmS4LoRmXprsNZ4VqEYSQQsuLwFBRwyP1JyNVKa4XGSJDqhhEUYkNB1hQ5llDdLANXz1vsD1DYP57snJxJjgFRIw8paTZdSqA1kOeY8iMtetA62+jKvazyoFmYm6r+TCcVY67qujHODr5eNf9yjqvcV0FX6CcxIcnKsU08k2CWl3E3AqqK8C9Pkw3amVXsHXCgo00ubrZXcNpVxYruuDbrHSr6irLBcXMik9QZuiYj8afaD2sxGjRFsWwMGS0X2f/DJLR8qXLaqh0wrZvf4P75UtBp2mBZJoZGu3Y5AThJyLW2lsdGU5Ij0YLsbEQN17W0oGMgR17+5blOiiWLG7WvRW858odxCPmUcamsQxWdIAIVxfbqpyaxnIX5/Cqnm2ZvU54ULq2SgIPh30yJ/xm1TfDGmHrcawx+wMULcx4GL63OQ5SIp6/UEY4WNtCAHyHB1Ft9qgmuH+S83PkqFR+7cZ7eAxBNhdMwYPPfB4N8F7zB21/f6oMbb8H13fpxtpCRfItf9NLqvEULy1stacaI93ClrpAzS2T7er8Vgr1WS8O3kWRdQH1Bhxxil/xfTTXqXuXYm3BdGr2qOK6AkX+16aaQcTmaGt+LSAFHsezKUKrfBK6xAElR6+7qIeyfJQeZyi08G6kuTj54HpEHJXgOV7Rm2i2Z2cXaBPPLwFrASeCKqGTYXOzP2uI0LC+rl0zyzD7rbwtoqssc9HldMaUDHNrs8ijZ8QrTgwYj4b/QOQU3s549pP16PeGy1GR7catxWJiAACv7VyEq99mMzVMvf2r6QJCIO01DwCRdZswqhRZO1h6Q8S2W3HGdy0rzAWnPoCAQzPKHtKqX9TvgF3NcSL3hfUfDX/vLeLQE35G+xI6IrMT00KYUt5tyK6NKIJ/F29zgF9hZRxWirIf4tsIVxDWRLFAsrB5Kk1Rf4cWCygQ7vJHZBTP7tcWZim1AqXXIJsgdyJcBZ+5FKclIokG45e9La3kbviuevsIuDXsGXvUSuUN5QO9liSe2ZAHcQdEgg9XqMiiJ9xnIi9I+RyE5r7sFSSBGGdsv+OhXDuG7XbOGALfsaGxs3CGAC3JTgDBXxW1xCcSkcFT0pGa1a/FDSH/BVklOt70g4hbp4m36oPa2JCq1dcLqcFqLP1A5aXow7nlRCag64ssG7qAtnTA7/Q7WUj3XXmYFMtNWdIfO0PkcDWcx0BOrmaCbSgp0O6wX8PT9II4tZ/E0KokVqvFEwRCG+IfQzzPW8Il8+52RNFePjPFXnFss+mu/nzDhb+tRi6nviArXMmmSK9fj81JqbnIAS+3qZvow18fbU1uNc2smmmT2tAHyLqefokafqehwIaTXuAI+aeJs/gwG5JlIqcAcrU5lFhYfy2pyUld1nRd3N5ejDInNgdqbpdMTIehgU2MDQBsa87ian8ZDUsoiBu5zKzHn3opoG+tHQYyzifZEF0nSTXfchAJwiTMusy4JeEgIsquQOB6MJJgaPueHiwwuOCfOAuSL8tC+EJI7GyhfXesSO+sfpVfBPnZDeWty14rQarT/3gxB75IaXnkubJuOOXZ2oeq81iqNXl9G8nLenhXFg9GQjl695YsF6DgqMsYwsB9I0Z5wM2RLP28d245tJ8Fw4pMxPf4jfUgFcpuqGKXJZyS5/X1eUiVhz3JU5aUahZvolmPPASGMZL2HJdyyb7/4KdBZVESSE2dM9rXcJITgB7UbNccF8EamFUr053hBCYiwN/W80H+4pKhIRUjwTPgXs0S0spakIngHGcCnvr5tpV7gru51ghyJnnD68JzUxvjZoihJUIzqkyYqRC/YVpV6Q9WMIbWefIcDIadqU+deOX05p5pVNkJEHeRQMIywrkW8mjdpHP0yDQdN2rPNQrmCQZwPKFt0ye1HaRVte9BGfCjsIdKWS+KoF++dXYVzGDjJr0/hjQWQYSZmPloX9Q5M+fUPKFzW0LWcKVfeUdsXXOcCqfRRX24=,iv:DmcNUOhsi9doTYta+s65BFpuIgiK7QAjAorfVq/VGLA=,tag:c/mZS7ZnasX5XX4HIx80AA==,type:str]
+filebot-license: ENC[AES256_GCM,data:Ib+NXsb0dJfBqm5GYvXxGMOQk3zL28oeS3VXsk4pFIGV5XsakqZRZb307X1oJnafMVXva/eQppraI8CqjwBDzy3AZSnwpFgj96/zvPWZi12IWemnqhFUDFZGaMG4Scg6Ugcq8hwJqU39Mf5JehSbJ/PoULg/Ovekj8R0nG7WlmQsqxpZWXWeAdfYZHw1/4MQTX/IGZG82SdsdFc4J9jTedks0yvW5MLkS3azZSFDqY2WXAMVa5J9jXEcie58k6p0QqAUpWGltoXz1tdN/mTnVV7PA35wReS/Ejm11KS5AsjkTIZRLeJ14BL0vALUh3z6JSdr8kPG1S31MMYxarzGBqjI78LfFmFynGonAlqj/jPoxA7AXOew5xRfoEqnxf8lSUf2F2n7PF+B1SgY/hwFvwUeoaA4ep8uFugT7pCvg3N+FmfsV4TAP6tfU75WjwZ07UKQ0t63C/aDI1lZZjfKDzXDFqliD6omhFPUVxhGIo9gBkvOZj6ujdn7ErWohxAc7JSVsDJ8nBKqVGXMMgecWHyqU5LB9+3CKkE32vMy6fbGVlHhgRI4EofVCiuCn2Opg8txCz7Rh8eU297xotIjfCzhPjaY0CmD0dm/8SVLT9Tt3qQMDzlzolcWg+9o3e4bbjSOzliR+4c4fCGBPxZvBPd4kZ87eo22m6WqtS18tMTD1tq+8nVjpHFyrsyyMZtfv9/QXug0SFhJpUz6izCcl+iiNiQIb+DBi4Oifhr88Ji+Y4iQrj7mPUGzNr/T1x/uSBabv83HPsZUa5+OBrlbvp/Ya2ktIagiyv+JrHmcFMkVGYvFK4idLsREcvteduP7XeWaOXuJZJ5GOPZPDM+8DSxv3eOULH1B25J1/838vaVKZM3ukQkiybYTJWVV2co=,iv:G6bhfqx0go6vbJ2zwXkSbHLt5WdDRwu2o4BsCXw5Rlw=,tag:msCGdlefM3M8lbQWJPcOgA==,type:str]
+sops:
+    age:
+        - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvemExcjFLT2tjTlhtMlFl
+            UFlCQWhtUDc5YmFHU21SdDBoMXNCV2dlbXl3CnJzVmpMcXUwbWx1a1VLUVRhSnFu
+            MmtmYjVESVJpdFh1UmtwSWl5WE5WZFkKLS0tIE5wZzQ0MENna2EwMzVDUU9QcDlk
+            bitkdVVwM0l4ajJVYldWM2JqV05tUzgKsJem/g4ckwrmiTJgwtHc98zALWlwmVgH
+            +O0nH3kcU54SjDQYVRKUWdaCNbsXHEN9wqICS9q0Ill7pD2K0ElZLg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEb1dtSlJMKzFreWtmclBE
+            YUgvYXBQb1FtaFhZRjlqTWk1aUZkcjhCbjBFCi9rSUMzdWFkL3I3c3E0bUxERkVN
+            TDFaUCtHWE5xNEN4NzNXTlBWWnpYR2sKLS0tIDQ5dTM3S0JQdGJvaE0rTkZYWXNN
+            aTJQNUZuMW5kZVNJQ0lObkZRdzVyZ3MKwfD8PgUM1kHCa1aaDAp0Iv3zaSGsOWS8
+            f3W8gUMV2Qv1FC4hBccbYH2bHuq5ENVhkleIyE51GT+Ckwt5oR14vw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dE5zaEpBSEYvVE5QTjVF
+            dldFY2t3YThTalowbkMrckhUWjhGdXFVNG1BCldqV2lOS280Z0xjQXo4THlPenQ2
+            WVRiWDAxSFgzQUkvSjVZUEpBNzZkR0kKLS0tIC9rOHAvSUZadCs5OXhheFpERzlx
+            QmRCYldBUW9zeTF3cmtUOXVuV2pOMEEKDJC7lyekw9TQmuwfPRb9UsUgqdbAVaxy
+            tZYmhSYhUFBOUyJ7xwiIfMgOu5A4D2p/q+T2MPCmeOSLUDyycE8Zuw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdkUramxKVFVZQVJVMU9E
+            a1pYck8yOEhpZWZGcktxYkR0U290dll6VmdnCnZWZU9uWXFWZ2ZrVnp0cDBteGdr
+            azVGVHg5Y0VuZi82UUtkWUtLeDA3UWcKLS0tIDNJZGJQNmpHdFpQUVdiMHh3djhP
+            WURRbGNNWWJvKzZabGxyd3NXN3lKZ2cKryVInc722ZsjoiYel0YYAQZUsgXDx0by
+            Ds65yQDcI0ttbmMyFN8oYqD7pnOaD1aZYg6cxqzUVPen9iqCkclMwg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-08T12:02:01Z"
+    mac: ENC[AES256_GCM,data:K1kelYSO6R1kU3hLQVmlPI3vn9p4uEHDQnb7eVgn5PH/HFlqJrRj9HfagD/yKT0hBIehC3R8rxv73SeXacBcCaBx+A1Ty1fj/K18oQdEpFlOWxYhIvRX23NHaaqudFdVRiVg23spOoTgP48+mSzJdE4dk3jQcm94yxiUQy9kBSw=,iv:iSL9knAzk0SLXDJ1m6xy+Vkv6RqtUP2lzcluQTdKG5g=,tag:Z8I+UY/taf/uq4sQ7qIUEg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/nas/utils

@@ -0,0 +1 @@
+../../utils

hosts/nb/channel

@@ -1 +1 @@
-https://channels.nixos.org/nixos-25.05
+https://channels.nixos.org/nixos-25.11

hosts/nb/configuration.nix

@@ -35,6 +35,8 @@ in {
       ./cachix.nix
       ./users
 
+      ./modules/epicenter.nix
+
       # ./modules/steam.nix
       ./modules/fingerprint.nix
       ./modules/set-nix-channel.nix
@@ -305,7 +307,7 @@ in {
     '';
   };
 
-  services.xserver.desktopManager.gnome.extraGSettingsOverrides = ''
+  services.desktopManager.gnome.extraGSettingsOverrides = ''
     [org.gnome.desktop.interface]
     cursor-size=24
   '';

hosts/nb/hardware-configuration.nix

@@ -115,7 +115,7 @@
   hardware.graphics = {
     enable = true;
     extraPackages = with pkgs; [
-      vaapiVdpau
+      libva-vdpau-driver
       libvdpau-va-gl
       libva
       libva-utils

hosts/nb/modules/desktop/bitwarden.nix

@@ -26,14 +26,13 @@ in
     description = "Bitwarden Desktop";
     after = [ "graphical-session.target" "network-online.target" ];
     wantedBy = [ "graphical-session.target" ];
-    serviceConfig.ExecStart = "${pkgs.bitwarden}/bin/bitwarden";
+    serviceConfig.ExecStart = "${pkgs.bitwarden-desktop}/bin/bitwarden-desktop";
     serviceConfig.Restart = "on-abort";
   };
 
   #### Handy tools #############################################################
   environment.systemPackages = with pkgs; [
-    goldwarden
+    bitwarden-desktop
-    bitwarden
     bitwarden-cli
     fprintd
     lxqt.lxqt-policykit

hosts/nb/modules/desktop/default.nix

@@ -9,7 +9,6 @@ in {
     ./thunderbird.nix
     ./bitwarden.nix
     ./rustdesk.nix
-    ./rustdesk-epicenter.nix
     ./flatpak-packages.nix
   ];
 
@@ -58,10 +57,10 @@ in {
     netflix
     networkmanagerapplet
     nextcloud-client
-    onlyoffice-bin
+    onlyoffice-desktopeditors
     obs-studio
     pavucontrol
-    pinentry
+    pinentry-gnome3
     rbw
     rofi-rbw
     swayimg
@@ -104,7 +103,7 @@ in {
   fonts.packages = with pkgs; [
     noto-fonts
     noto-fonts-cjk-sans
-    noto-fonts-emoji
+    noto-fonts-color-emoji
     nerd-fonts._0xproto
     nerd-fonts.droid-sans-mono
     open-sans

hosts/nb/modules/desktop/rustdesk-epicenter.nix

@@ -1,38 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  wrapperScript = pkgs.writeShellScriptBin "rustdesk-wrapper" ''
-    CONFIG_FILE="$HOME/.config/rustdesk/RustDesk2.toml"
-    CONFIG_DIR="$(dirname "$CONFIG_FILE")"
-
-    if [ ! -f "$CONFIG_FILE" ]; then
-        ${pkgs.rustdesk-flutter}/bin/rustdesk &
-        RUSTDESK_PID=$!
-        sleep 3
-        kill $RUSTDESK_PID 2>/dev/null || true
-        sleep 1
-    fi
-
-    if [ -f "$CONFIG_FILE" ]; then
-        sed -i "s|^rendezvous_server = .*|rendezvous_server = 'tools.epicenter.works:21116'|" "$CONFIG_FILE"
-        sed -i "s|^custom-rendezvous-server = .*|custom-rendezvous-server = 'tools.epicenter.works'|" "$CONFIG_FILE"
-        sed -i "/^key\s*=.*/d" "$CONFIG_FILE"
-    fi
-
-    # Launch RustDesk
-    exec ${pkgs.rustdesk-flutter}/bin/rustdesk "$@"
-  '';
-
-  rustdeskEpicenterDesktopItem = pkgs.makeDesktopItem {
-    name = "rustdesk-epicenter";
-    desktopName = "RustDesk Epicenter";
-    exec = "${wrapperScript}/bin/rustdesk-wrapper";
-    icon = "rustdesk";  # Using the standard rustdesk icon
-    categories = [ "Network" "RemoteAccess" ];
-    comment = "Remote desktop software configured for Epicenter";
-  };
-in {
-  environment.systemPackages = [
-    rustdeskEpicenterDesktopItem
-  ];
-}

hosts/nb/modules/development/claude-code.nix

@@ -20,14 +20,24 @@ in {
       fi
     '';
 
-    home.activation.addChromeDevtoolsMCP = lib.hm.dag.entryAfter [ "installClaudeCli" ] ''
+    # Disabled: chrome-devtools MCP spawns headless Chromium for every Claude session.
-      # Add via STDIO transport: Claude spawns `npx -y chrome-devtools-mcp ...`
+    # For frontend projects, enable per-project with:
-      # Browser must be running with remote debugging on 127.0.0.1:9222.
+    #   claude mcp add --scope project chrome-devtools \
-      if ${config.home.homeDirectory}/.nix-profile/bin/claude mcp add --help >/dev/null 2>&1; then
+    #     -- npx -y chrome-devtools-mcp \
-        ${config.home.homeDirectory}/.nix-profile/bin/claude mcp add --scope user chrome-devtools \
+    #     --executablePath=${pkgs.ungoogled-chromium}/bin/chromium \
-          -- npx -y chrome-devtools-mcp --executablePath=${pkgs.ungoogled-chromium}/bin/chromium --isolated=true --headless=true --chromeArg=--ozone-platform=wayland --chromeArg=--enable-features=UseOzonePlatform --chromeArg=--force-device-scale-factor=1 || true
+    #     --isolated=true --headless=true \
-      fi
+    #     --chromeArg=--ozone-platform=wayland \
-    '';
+    #     --chromeArg=--enable-features=UseOzonePlatform \
+    #     --chromeArg=--force-device-scale-factor=1
+    #
+    # home.activation.addChromeDevtoolsMCP = lib.hm.dag.entryAfter [ "installClaudeCli" ] ''
+    #   # Add via STDIO transport: Claude spawns `npx -y chrome-devtools-mcp ...`
+    #   # Browser must be running with remote debugging on 127.0.0.1:9222.
+    #   if ${config.home.homeDirectory}/.nix-profile/bin/claude mcp add --help >/dev/null 2>&1; then
+    #     ${config.home.homeDirectory}/.nix-profile/bin/claude mcp add --scope user chrome-devtools \
+    #       -- npx -y chrome-devtools-mcp --executablePath=${pkgs.ungoogled-chromium}/bin/chromium --isolated=true --headless=true --chromeArg=--ozone-platform=wayland --chromeArg=--enable-features=UseOzonePlatform --chromeArg=--force-device-scale-factor=1 || true
+    #   fi
+    # '';
   };
 
 }

hosts/nb/modules/development/coding.nix

@@ -5,7 +5,7 @@ let
   };
 in {
   environment.systemPackages = with pkgs; [
-    unstable.claude-code
+    claude-code  # Using custom overlay with version 2.0.55
     unstable.code-cursor
     unstable.vscode
     # android-studio-full
@@ -20,7 +20,7 @@ in {
   nixpkgs.config.android_sdk.accept_license = true;
 
   programs.adb.enable = true;                     # sets up udev + adb group
-  services.udev.packages = [ pkgs.android-udev-rules ];
+  # android-udev-rules removed in 25.11 - superseded by built-in systemd uaccess rules
 
   users.users.dominik.extraGroups = [ "adbusers" ];
 }

hosts/nb/modules/development/default.nix

@@ -38,6 +38,7 @@ in {
     rbw
     sops
     unzip
+    uv
     vim
     wget
     wireguard-tools
@@ -52,11 +53,6 @@ in {
     # Socket activation - only start when needed to save battery
     onBoot = "ignore";
     onShutdown = "shutdown";
-    qemu = {
+    # qemu.swtpm.enable = true;        # enable if you need TPM emulation, etc.
-      ovmf = {
-        enable   = true;               # Enable OVMF firmware support
-      };
-      # swtpm.enable = true;           # enable if you need TPM emulation, etc.
-    };
   };
 }

hosts/nb/modules/development/nvim/config/init.lua

@@ -1,3 +1,6 @@
+-- Set leader key before any other mappings
+vim.g.mapleader = " "
+
 -- vim.opt.expandtab = true
 -- vim.opt.hidden = true
 -- vim.opt.incsearch = true

hosts/nb/modules/development/nvim/config/lspconfig.lua

@@ -1,54 +1,31 @@
-local status, lspc = pcall(require, 'lspconfig')
+-- LSP Capabilities (for nvim-cmp integration)
-if (not status) then return end
-
-lspc.clangd.setup{}
-
-local buf_map = function(bufnr, mode, lhs, rhs, opts)
-    vim.api.nvim_buf_set_keymap(bufnr, mode, lhs, rhs, opts or {
-        silent = true,
-    })
-end
-
-local protocol = require('vim.lsp.protocol')
-
-local on_attach = function(client, buffnr)
-  if client.server.capabilities.documentFormattingProvider then
-    vim.api.nvim_create_autocmd("BufWritePre", {
-      group = vim.api.nvim_create_augroup("format", { clear = true }),
-      buffer = buffnr,
-      callback = function() vim.lsp.buf.formatting_seq_sync() end
-    })
-  end
-end
-
 local capabilities = vim.lsp.protocol.make_client_capabilities()
 capabilities.textDocument.completion.completionItem.snippetSupport = true
 capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)
 
-local servers = { 'ts_ls', 'lua_ls', 'cssls', 'yamlls', 'intelephense', 'gopls' }
+-- Global LSP configuration
-for _, lsp in pairs(servers) do
+vim.lsp.config('*', {
-  require('lspconfig')[lsp].setup {
+  capabilities = capabilities,
-    -- on_attach = on_attach,
+})
-    capabilities = capabilities,
-  }
-end
 
-lspc.yamlls.setup({
+-- Server-specific configurations
+vim.lsp.config('clangd', {})
+
+vim.lsp.config('yamlls', {
   settings = {
     yaml = {
       keyOrdering = false,
     },
   },
-});
-
--- autoformat json files with jq
-vim.api.nvim_create_autocmd("FileType", {
-    pattern = "json",
-    callback = function(ev)
-        vim.bo[ev.buf].formatprg = "jq"
-        print("It's a json file")
-    end,
 })
 
+-- Enable all LSP servers
+vim.lsp.enable({ 'clangd', 'ts_ls', 'lua_ls', 'cssls', 'yamlls', 'intelephense', 'gopls' })
 
--- lspc.intelephense.setup()
+-- JSON file formatting with jq
+vim.api.nvim_create_autocmd("FileType", {
+  pattern = "json",
+  callback = function(ev)
+    vim.bo[ev.buf].formatprg = "jq"
+  end,
+})

hosts/nb/modules/development/nvim/config/project.lua

@@ -1,41 +1,13 @@
-config = {
+local status_ok, project = pcall(require, "project")
-  ---@usage set to false to disable project.nvim.
-  --- This is on by default since it's currently the expected behavior.
-  active = true,
-
-  on_config_done = nil,
-
-  ---@usage set to true to disable setting the current-woriking directory
-  --- Manual mode doesn't automatically change your root directory, so you have
-  --- the option to manually do so using `:ProjectRoot` command.
-  manual_mode = false,
-
-  ---@usage Methods of detecting the root directory
-  --- Allowed values: **"lsp"** uses the native neovim lsp
-  --- **"pattern"** uses vim-rooter like glob pattern matching. Here
-  --- order matters: if one is not detected, the other is used as fallback. You
-  --- can also delete or rearangne the detection methods.
-  -- detection_methods = { "lsp", "pattern" }, -- NOTE: lsp detection will get annoying with multiple langs in one project
-  detection_methods = { "pattern" },
-
-  ---@usage patterns used to detect root dir, when **"pattern"** is in detection_methods
-  patterns = { ".git", "_darcs", ".hg", ".bzr", ".svn", "Makefile", "package.json", "pom.xml" },
-
-  ---@ Show hidden files in telescope when searching for files in a project
-  show_hidden = false,
-
-  ---@usage When set to false, you will get a message when project.nvim changes your directory.
-  -- When set to false, you will get a message when project.nvim changes your directory.
-  silent_chdir = true,
-
-  ---@usage list of lsp client names to ignore when using **lsp** detection. eg: { "efm", ... }
-  ignore_lsp = {},
-}
-
-local status_ok, project = pcall(require, "project_nvim")
 if not status_ok then
   return
 end
 
-project.setup(config)
+project.setup({
-
+  use_lsp = false,  -- Use pattern matching only (equivalent to old detection_methods = { "pattern" })
+  manual_mode = false,
+  patterns = { ".git", "_darcs", ".hg", ".bzr", ".svn", "Makefile", "package.json", "pom.xml" },
+  show_hidden = false,
+  silent_chdir = true,
+  ignore_lsp = {},
+})

hosts/nb/modules/development/nvim/config/sops.lua

@@ -44,7 +44,7 @@ vim.api.nvim_create_autocmd("BufReadPre", {
   pattern = secrets_patterns,
   callback = function(args)
     -- Set filetype to yaml before the file is read so syntax highlighting works
-    vim.bo.filetype = "yaml"
+    vim.bo[args.buf].filetype = "yaml"
   end,
 })
 
@@ -53,7 +53,7 @@ vim.api.nvim_create_autocmd("BufReadPost", {
   group = sops_group,
   pattern = secrets_patterns,
   callback = function(args)
-    local filepath = vim.fn.expand("%:p")
+    local filepath = vim.api.nvim_buf_get_name(args.buf)
 
     -- Only decrypt if file exists and has content
     if vim.fn.filereadable(filepath) == 1 and vim.fn.getfsize(filepath) > 0 then
@@ -98,26 +98,27 @@ vim.api.nvim_create_autocmd("BufReadPost", {
           return
         end
 
+        -- Detach LSP clients BEFORE replacing buffer to prevent sync errors
+        detach_lsp_clients(args.buf)
+
         -- Replace buffer content with decrypted content
-        vim.api.nvim_buf_set_lines(0, 0, -1, false, vim.split(result, "\n"))
+        -- Strip trailing newline to avoid adding extra empty line
+        vim.api.nvim_buf_set_lines(args.buf, 0, -1, false, vim.split(result:gsub("\n$", ""), "\n"))
 
         -- Mark buffer as not modified (since we just loaded it)
-        vim.bo.modified = false
+        vim.bo[args.buf].modified = false
 
         -- Restore cursor position
         pcall(vim.api.nvim_win_set_cursor, 0, cursor_pos)
 
         -- Disable swap, backup, and undo files for security
-        vim.bo.swapfile = false
+        vim.bo[args.buf].swapfile = false
-        vim.bo.backup = false
+        vim.bo[args.buf].backup = false
-        vim.bo.writebackup = false
+        vim.bo[args.buf].writebackup = false
-        vim.bo.undofile = false
+        vim.bo[args.buf].undofile = false
 
         -- Ensure filetype is set to yaml for syntax highlighting
-        vim.bo.filetype = "yaml"
+        vim.bo[args.buf].filetype = "yaml"
-
-        -- Detach LSP clients to prevent sync errors when buffer content is replaced
-        detach_lsp_clients(0)
 
         vim.notify("SOPS: File decrypted successfully", vim.log.levels.INFO)
       else
@@ -132,17 +133,22 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
   group = sops_group,
   pattern = secrets_patterns,
   callback = function(args)
-    local filepath = vim.fn.expand("%:p")
+    local filepath = vim.api.nvim_buf_get_name(args.buf)
 
-    if is_secrets_file(filepath) then
+    if not is_secrets_file(filepath) then
-      -- Guard against double-execution
+      return
-      if currently_saving[filepath] then
+    end
-        return
-      end
-      currently_saving[filepath] = true
 
+    -- Guard against double-execution
+    if currently_saving[filepath] then
+      return
+    end
+    currently_saving[filepath] = true
+
+    -- Use pcall to ensure guard is always cleared, even on unexpected errors
+    local ok, err = pcall(function()
       -- Get current buffer content
-      local lines = vim.api.nvim_buf_get_lines(0, 0, -1, false)
+      local lines = vim.api.nvim_buf_get_lines(args.buf, 0, -1, false)
       local content = table.concat(lines, "\n")
 
       -- Check buffer content size before encrypting
@@ -153,8 +159,6 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
           string.format("SOPS: Buffer content too large (%sMB > %sMB limit). Cannot encrypt.", size_mb, limit_mb),
           vim.log.levels.ERROR
         )
-        -- Don't write anything, leave buffer marked as modified
-        currently_saving[filepath] = nil
         return
       end
 
@@ -162,22 +166,21 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
       -- This avoids /dev/stdin issues while keeping secrets secure (not in /tmp)
       local dir = vim.fn.fnamemodify(filepath, ":h")
       local filename = vim.fn.fnamemodify(filepath, ":t")
-      local temp_file = string.format("%s/.%s.sops_tmp_%d", dir, filename, os.time())
+      local temp_file = string.format("%s/.%s.sops_tmp_%d_%d", dir, filename, os.time(), vim.loop.hrtime() % 1000000)
 
       -- Write plaintext content to temp file
       local temp_f, temp_err = io.open(temp_file, "w")
       if not temp_f then
         vim.notify("SOPS: Failed to create temp file: " .. (temp_err or "unknown error"), vim.log.levels.ERROR)
-        -- Don't write anything, leave buffer marked as modified
-        currently_saving[filepath] = nil
         return
       end
-      temp_f:write(content)
+      temp_f:write(content .. "\n")
       temp_f:close()
 
       -- Encrypt temp file with filename override so SOPS matches .sops.yaml rules
       -- Uses real filepath for rule matching, temp file for content
-      local cmd = string.format("sops --encrypt --filename-override %s %s",
+      local cmd = string.format("timeout %d sops --encrypt --filename-override %s %s",
+        SOPS_TIMEOUT,
         vim.fn.shellescape(filepath),
         vim.fn.shellescape(temp_file))
       local encrypted = vim.fn.system(cmd)
@@ -186,16 +189,25 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
       -- Always clean up temp file, even on error
       os.remove(temp_file)
 
+      -- Check for timeout (exit code 124 from timeout command)
+      if sops_exit_code == 124 then
+        vim.notify(
+          string.format("SOPS: Encryption timed out after %d seconds.", SOPS_TIMEOUT),
+          vim.log.levels.ERROR
+        )
+        return
+      end
+
       if sops_exit_code == 0 then
         -- Write encrypted content directly to file
-        local file, err = io.open(filepath, "w")
+        local file, file_err = io.open(filepath, "w")
         if file then
           local success, write_err = file:write(encrypted)
           file:close()
 
           if success then
             -- Mark buffer as saved
-            vim.bo.modified = false
+            vim.bo[args.buf].modified = false
             vim.notify("SOPS: File encrypted and saved successfully", vim.log.levels.INFO)
 
             -- Re-decrypt to show plaintext in buffer
@@ -207,37 +219,38 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
               -- Save cursor position
               local cursor_pos = vim.api.nvim_win_get_cursor(0)
 
+              -- Detach LSP clients BEFORE replacing buffer to prevent sync errors
+              detach_lsp_clients(args.buf)
+
               -- Replace buffer with decrypted content
-              vim.api.nvim_buf_set_lines(0, 0, -1, false, vim.split(decrypted, "\n"))
+              -- Strip trailing newline to avoid adding extra empty line
+              vim.api.nvim_buf_set_lines(args.buf, 0, -1, false, vim.split(decrypted:gsub("\n$", ""), "\n"))
 
               -- Mark as not modified since we just saved
-              vim.bo.modified = false
+              vim.bo[args.buf].modified = false
 
               -- Restore cursor position
               pcall(vim.api.nvim_win_set_cursor, 0, cursor_pos)
-
-              -- Detach LSP clients to prevent sync errors when buffer content is replaced
-              detach_lsp_clients(0)
             else
               vim.notify("SOPS: Could not re-decrypt after save. Buffer may show encrypted content.", vim.log.levels.WARN)
             end
-            -- Clear guard after successful save
-            currently_saving[filepath] = nil
           else
             vim.notify("SOPS: Failed to write encrypted content: " .. (write_err or "unknown error"), vim.log.levels.ERROR)
-            -- Don't mark as saved, keep buffer marked as modified
-            currently_saving[filepath] = nil
           end
         else
-          vim.notify("SOPS: Failed to open file for writing: " .. (err or "unknown error"), vim.log.levels.ERROR)
+          vim.notify("SOPS: Failed to open file for writing: " .. (file_err or "unknown error"), vim.log.levels.ERROR)
-          -- Don't mark as saved, keep buffer marked as modified
-          currently_saving[filepath] = nil
         end
       else
         vim.notify("SOPS: Failed to encrypt file - NOT SAVED! Error: " .. encrypted, vim.log.levels.ERROR)
-        -- Don't write anything, leave buffer marked as modified
-        currently_saving[filepath] = nil
       end
+    end)
+
+    -- Always clear guard, even if pcall caught an error
+    currently_saving[filepath] = nil
+
+    -- Re-throw unexpected errors so they're visible
+    if not ok then
+      vim.notify("SOPS: Unexpected error during save: " .. tostring(err), vim.log.levels.ERROR)
     end
   end,
 })
@@ -247,7 +260,7 @@ vim.api.nvim_create_autocmd("BufLeave", {
   group = sops_group,
   pattern = secrets_patterns,
   callback = function(args)
-    if vim.bo.modified then
+    if vim.bo[args.buf].modified then
       vim.notify("Warning: Unsaved changes in secrets file!", vim.log.levels.WARN)
     end
   end,

hosts/nb/modules/development/nvim/config/utils.lua

@@ -1,7 +1,7 @@
--- none-ls
+-- none-ls (module is still named "null-ls" for backward compatibility)
-local status_ok_nls, none_ls_module = pcall(require, "none-ls")
+local status_ok_nls, none_ls_module = pcall(require, "null-ls")
 if not status_ok_nls then
-  vim.notify("none-ls plugin not found or failed to load. Check Nix config and plugin paths.", vim.log.levels.WARN)
+  vim.notify("null-ls plugin not found or failed to load. Check Nix config and plugin paths.", vim.log.levels.WARN)
 else
   local nb = none_ls_module.builtins
   none_ls_module.setup({

hosts/nb/modules/development/nvim/config/which-key.lua

@@ -1,5 +1,3 @@
-vim.g.mapleader = " "
-
 local function smart_quit()
   local bufnr = vim.api.nvim_get_current_buf()
   local modified = vim.api.nvim_buf_get_option(bufnr, "modified")
@@ -27,122 +25,77 @@ end
 
 local wk = require("which-key")
 
-wk.setup({})
+wk.setup({
-
+  preset = "classic",
-wk.register({
+  delay = 0,
-  ["<leader>"] = {
+  triggers = {
-
+    { "<auto>", mode = "nxso" },
-    [";"] = { "<cmd>Alpha<CR>", "Dashboard" },
+    { " ", mode = "n" },  -- literal space character
-    ["w"] = { "<cmd>w!<CR>", "Save" },
+  },
-    ["q"] = { "<cmd>smart_quit()<CR>", "Quit" },
-    ["/"] = { "<Plug>(comment_toggle_linewise_current)", "Comment toggle current line" },
-    ["c"] = { "<cmd>BufferKill<CR>", "Close Buffer" },
-    ["f"] = { find_project_files, "Find File" },
-    ["h"] = { "<cmd>nohlsearch<CR>", "No Highlight" },
-    ["t"] = { "<cmd>TodoTelescope keywords=TODO,FIX<CR>", "Find TODO,FIX" },
-    b = {
-      name = "Buffers",
-      j = { "<cmd>BufferLinePick<cr>", "Jump" },
-      f = { "<cmd>Telescope buffers<cr>", "Find" },
-      b = { "<cmd>BufferLineCyclePrev<cr>", "Previous" },
-      n = { "<cmd>BufferLineCycleNext<cr>", "Next" },
-      -- w = { "<cmd>BufferWipeout<cr>", "Wipeout" }, -- TODO: implement this for bufferline
-      e = {
-        "<cmd>BufferLinePickClose<cr>",
-        "Pick which buffer to close",
-      },
-      h = { "<cmd>BufferLineCloseLeft<cr>", "Close all to the left" },
-      l = {
-        "<cmd>BufferLineCloseRight<cr>",
-        "Close all to the right",
-      },
-      D = {
-        "<cmd>BufferLineSortByDirectory<cr>",
-        "Sort by directory",
-      },
-      L = {
-        "<cmd>BufferLineSortByExtension<cr>",
-        "Sort by language",
-      },
-    },
-    -- " Available Debug Adapters:
-    -- "   https://microsoft.github.io/debug-adapter-protocol/implementors/adapters/
-    -- " Adapter configuration and installation instructions:
-    -- "   https://github.com/mfussenegger/nvim-dap/wiki/Debug-Adapter-installation
-    -- " Debug Adapter protocol:
-    -- "   https://microsoft.github.io/debug-adapter-protocol/
-    -- " Debugging
-    g = {
-      name = "Git",
-      g = { Lazygit_toggle, "Lazygit" },
-      j = { "<cmd>lua require 'gitsigns'.next_hunk({navigation_message = false})<cr>", "Next Hunk" },
-      k = { "<cmd>lua require 'gitsigns'.prev_hunk({navigation_message = false})<cr>", "Prev Hunk" },
-      l = { "<cmd>lua require 'gitsigns'.blame_line()<cr>", "Blame" },
-      p = { "<cmd>lua require 'gitsigns'.preview_hunk()<cr>", "Preview Hunk" },
-      r = { "<cmd>lua require 'gitsigns'.reset_hunk()<cr>", "Reset Hunk" },
-      R = { "<cmd>lua require 'gitsigns'.reset_buffer()<cr>", "Reset Buffer" },
-      s = { "<cmd>lua require 'gitsigns'.stage_hunk()<cr>", "Stage Hunk" },
-      u = {
-        "<cmd>lua require 'gitsigns'.undo_stage_hunk()<cr>",
-        "Undo Stage Hunk",
-      },
-      o = { "<cmd>Telescope git_status<cr>", "Open changed file" },
-      b = { "<cmd>Telescope git_branches<cr>", "Checkout branch" },
-      c = { "<cmd>Telescope git_commits<cr>", "Checkout commit" },
-      C = {
-        "<cmd>Telescope git_bcommits<cr>",
-        "Checkout commit(for current file)",
-      },
-      d = {
-        "<cmd>Gitsigns diffthis HEAD<cr>",
-        "Git Diff",
-      },
-    },
-    l = {
-      name = "LSP",
-      a = { "<cmd>lua vim.lsp.buf.code_action()<cr>", "Code Action" },
-      d = { "<cmd>Telescope diagnostics bufnr=0 theme=get_ivy<cr>", "Buffer Diagnostics" },
-      w = { "<cmd>Telescope diagnostics<cr>", "Diagnostics" },
-      -- f = { require("lvim.lsp.utils").format, "Format" },
-      i = { "<cmd>LspInfo<cr>", "Info" },
-      I = { "<cmd>Mason<cr>", "Mason Info" },
-      j = {
-        vim.diagnostic.goto_next,
-        "Next Diagnostic",
-      },
-      k = {
-        vim.diagnostic.goto_prev,
-        "Prev Diagnostic",
-      },
-      l = { vim.lsp.codelens.run, "CodeLens Action" },
-      q = { vim.diagnostic.setloclist, "Quickfix" },
-      r = { vim.lsp.buf.rename, "Rename" },
-      s = { "<cmd>Telescope lsp_document_symbols<cr>", "Document Symbols" },
-      S = {
-        "<cmd>Telescope lsp_dynamic_workspace_symbols<cr>",
-        "Workspace Symbols",
-      },
-      e = { "<cmd>Telescope quickfix<cr>", "Telescope Quickfix" },
-    },
-
-
-    a = { "<cmd>lua require('telescope.builtin').lsp_code_actions()<cr>", "Code Actions" },
-    d = { "<cmd>lua require('telescope.builtin').lsp_document_diagnostics()<cr>", "LSP Diagnostics" },
-    k = { "<cmd>lua vim.lsp.buf.signature_help()<cr>", "Signature Help" },
-    P = { "<cmd>lua require'telescope'.extensions.projects.projects{}<cr>", "Signature Help" },
-  }
 })
 
-wk.register(
+wk.add({
-  {
+  -- Single key mappings
-    ["/"] = { "<Plug>(comment_toggle_linewise_visual)", "Comment toggle linewise (visual)" },
+  { "<leader>;", "<cmd>Alpha<CR>", desc = "Dashboard" },
-  },
+  { "<leader>w", "<cmd>w!<CR>", desc = "Save" },
-  {
+  { "<leader>q", smart_quit, desc = "Quit" },
-    mode = "v", -- VISUAL mode
+  { "<leader>/", "<Plug>(comment_toggle_linewise_current)", desc = "Comment toggle current line" },
-    prefix = "<leader>",
+  { "<leader>c", "<cmd>BufferKill<CR>", desc = "Close Buffer" },
-    buffer = nil, -- Global mappings. Specify a buffer number for buffer local mappings
+  { "<leader>f", find_project_files, desc = "Find File" },
-    silent = true, -- use `silent` when creating keymaps
+  { "<leader>h", "<cmd>nohlsearch<CR>", desc = "No Highlight" },
-    noremap = true, -- use `noremap` when creating keymaps
+  { "<leader>t", "<cmd>TodoTelescope keywords=TODO,FIX<CR>", desc = "Find TODO,FIX" },
-    nowait = true, -- use `nowait` when creating keymaps
+
-  }
+  -- Buffers group
-)
+  { "<leader>b", group = "Buffers" },
+  { "<leader>bj", "<cmd>BufferLinePick<cr>", desc = "Jump" },
+  { "<leader>bf", "<cmd>Telescope buffers<cr>", desc = "Find" },
+  { "<leader>bb", "<cmd>BufferLineCyclePrev<cr>", desc = "Previous" },
+  { "<leader>bn", "<cmd>BufferLineCycleNext<cr>", desc = "Next" },
+  { "<leader>be", "<cmd>BufferLinePickClose<cr>", desc = "Pick which buffer to close" },
+  { "<leader>bh", "<cmd>BufferLineCloseLeft<cr>", desc = "Close all to the left" },
+  { "<leader>bl", "<cmd>BufferLineCloseRight<cr>", desc = "Close all to the right" },
+  { "<leader>bD", "<cmd>BufferLineSortByDirectory<cr>", desc = "Sort by directory" },
+  { "<leader>bL", "<cmd>BufferLineSortByExtension<cr>", desc = "Sort by language" },
+
+  -- Git group
+  { "<leader>g", group = "Git" },
+  { "<leader>gg", Lazygit_toggle, desc = "Lazygit" },
+  { "<leader>gj", "<cmd>lua require 'gitsigns'.next_hunk({navigation_message = false})<cr>", desc = "Next Hunk" },
+  { "<leader>gk", "<cmd>lua require 'gitsigns'.prev_hunk({navigation_message = false})<cr>", desc = "Prev Hunk" },
+  { "<leader>gl", "<cmd>lua require 'gitsigns'.blame_line()<cr>", desc = "Blame" },
+  { "<leader>gp", "<cmd>lua require 'gitsigns'.preview_hunk()<cr>", desc = "Preview Hunk" },
+  { "<leader>gr", "<cmd>lua require 'gitsigns'.reset_hunk()<cr>", desc = "Reset Hunk" },
+  { "<leader>gR", "<cmd>lua require 'gitsigns'.reset_buffer()<cr>", desc = "Reset Buffer" },
+  { "<leader>gs", "<cmd>lua require 'gitsigns'.stage_hunk()<cr>", desc = "Stage Hunk" },
+  { "<leader>gu", "<cmd>lua require 'gitsigns'.undo_stage_hunk()<cr>", desc = "Undo Stage Hunk" },
+  { "<leader>go", "<cmd>Telescope git_status<cr>", desc = "Open changed file" },
+  { "<leader>gb", "<cmd>Telescope git_branches<cr>", desc = "Checkout branch" },
+  { "<leader>gc", "<cmd>Telescope git_commits<cr>", desc = "Checkout commit" },
+  { "<leader>gC", "<cmd>Telescope git_bcommits<cr>", desc = "Checkout commit(for current file)" },
+  { "<leader>gd", "<cmd>Gitsigns diffthis HEAD<cr>", desc = "Git Diff" },
+
+  -- LSP group
+  { "<leader>l", group = "LSP" },
+  { "<leader>la", "<cmd>lua vim.lsp.buf.code_action()<cr>", desc = "Code Action" },
+  { "<leader>ld", "<cmd>Telescope diagnostics bufnr=0 theme=get_ivy<cr>", desc = "Buffer Diagnostics" },
+  { "<leader>lw", "<cmd>Telescope diagnostics<cr>", desc = "Diagnostics" },
+  { "<leader>li", "<cmd>LspInfo<cr>", desc = "Info" },
+  { "<leader>lI", "<cmd>Mason<cr>", desc = "Mason Info" },
+  { "<leader>lj", vim.diagnostic.goto_next, desc = "Next Diagnostic" },
+  { "<leader>lk", vim.diagnostic.goto_prev, desc = "Prev Diagnostic" },
+  { "<leader>ll", vim.lsp.codelens.run, desc = "CodeLens Action" },
+  { "<leader>lq", vim.diagnostic.setloclist, desc = "Quickfix" },
+  { "<leader>lr", vim.lsp.buf.rename, desc = "Rename" },
+  { "<leader>ls", "<cmd>Telescope lsp_document_symbols<cr>", desc = "Document Symbols" },
+  { "<leader>lS", "<cmd>Telescope lsp_dynamic_workspace_symbols<cr>", desc = "Workspace Symbols" },
+  { "<leader>le", "<cmd>Telescope quickfix<cr>", desc = "Telescope Quickfix" },
+
+  -- Direct LSP shortcuts
+  { "<leader>a", "<cmd>lua require('telescope.builtin').lsp_code_actions()<cr>", desc = "Code Actions" },
+  { "<leader>d", "<cmd>lua require('telescope.builtin').lsp_document_diagnostics()<cr>", desc = "LSP Diagnostics" },
+  { "<leader>k", "<cmd>lua vim.lsp.buf.signature_help()<cr>", desc = "Signature Help" },
+  { "<leader>P", "<cmd>lua require'telescope'.extensions.projects.projects{}<cr>", desc = "Projects" },
+
+  -- Visual mode mappings
+  { "<leader>/", "<Plug>(comment_toggle_linewise_visual)", desc = "Comment toggle linewise (visual)", mode = "v" },
+})

hosts/nb/modules/development/nvim/default.nix

@@ -13,7 +13,7 @@ in
 
   environment.systemPackages = with pkgs; [
     nodePackages.typescript-language-server
-    sumneko-lua-language-server
+    lua-language-server
     nest
     nodePackages.intelephense
     nodePackages.vscode-langservers-extracted
@@ -105,9 +105,9 @@ in
             "sops"
           ]);
         in ''
-          lua << EOF
+lua << EOF
-          ${luaConfig}
+${luaConfig}
-          EOF
+EOF
         '';
       };
       extraLuaPackages = luaPackages: [ luaPackages.lyaml ];

hosts/nb/modules/epicenter.nix

@@ -0,0 +1,78 @@
+{ lib, pkgs, ... }: 
+let
+  wrapperScript = pkgs.writeShellScriptBin "rustdesk-epicenter-wrapper" ''
+    # Grant epicenter user access to the Wayland socket
+    ${pkgs.acl}/bin/setfacl -m u:epicenter:x "$XDG_RUNTIME_DIR"
+    ${pkgs.acl}/bin/setfacl -m u:epicenter:rwx "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
+
+    # Run rustdesk as epicenter user with absolute path to Wayland socket
+    exec /run/wrappers/bin/sudo -u epicenter \
+      WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" \
+      XDG_RUNTIME_DIR=/run/user/1001 \
+      ${pkgs.rustdesk-flutter}/bin/rustdesk "$@"
+  '';
+
+  rustdeskEpicenterDesktopItem = pkgs.makeDesktopItem {
+    name = "rustdesk-epicenter";
+    desktopName = "RustDesk Epicenter";
+    exec = "${wrapperScript}/bin/rustdesk-epicenter-wrapper";
+    icon = "rustdesk";
+    categories = [ "Network" "RemoteAccess" ];
+    comment = "Remote desktop software for office user (Epicenter)";
+  };
+in {
+  environment.systemPackages = [
+    rustdeskEpicenterDesktopItem
+  ];
+
+  users.users.epicenter = {
+    isNormalUser = true;
+    extraGroups = [ ];  # Minimal groups
+  };
+
+  users.groups.epicenter = {};
+
+  # Allow dominik to run rustdesk as epicenter user without password
+  security.sudo.extraRules = [
+    {
+      users = [ "dominik" ];
+      runAs = "epicenter";
+      commands = [
+        {
+          command = "${pkgs.rustdesk-flutter}/bin/rustdesk";
+          options = [ "NOPASSWD" "SETENV" ];
+        }
+      ];
+    }
+  ];
+
+  home-manager.users.epicenter = {
+    home.stateVersion = "24.05";
+    home.username = "epicenter";
+    home.homeDirectory = "/home/epicenter";
+
+    # Add rustdesk to the epicenter user's packages
+    home.packages = with pkgs; [
+      rustdesk-flutter
+    ];
+
+    # Declaratively configure RustDesk for Epicenter server
+    home.file.".config/rustdesk/RustDesk2.toml" = {
+      force = true;
+      text = ''
+rendezvous_server = 'rustdesk.helsinki.tools:21116'
+nat_type = 1
+serial = 0
+unlock_pin = '''
+trusted_devices = '''
+
+[options]
+av1-test = 'N'
+key = '8jkD3HoWK+flkWcAMIqRnyn0jr4r9VPb+JYIbBtb+7k='
+api-server = 'https://rustdesk.helsinki.tools'
+custom-rendezvous-server = 'rustdesk.helsinki.tools'
+      '';
+    };
+  };
+
+}

hosts/nb/secrets.yaml

@@ -1,46 +1,47 @@
-epicenter_vpn_ca: ENC[AES256_GCM,data:DUvpuL92zpQkK0auXGdHDw+f5gzjMARMroBknmgR+eq1LV5aISdA0XOCw7d3VFpMtHY+tPM4pDEWlnGJDoHDJBSFAUdmbLkDq2DvoDR1RBbsidmlXpvu7UnL4OyCgrN9G3I65HQmCh64/453T0Y5MZKUiFZXn9SZJgOU3h0qOnAiIKTQADXmUo6imhLuUdPxjwiLkNp8zHNystbfUuZkF15J+TXV9yndy/E8E4sFs4uysK9E+VM84v0q75zTf48cheE+cBGI9xOP5QMvSND6MloyGYUTPZOiQyz8M9AmJObvQFryysKf5Q1W1GBiTz9FVuSsr1IM7meljdBYwfxQaA5MurdsXVFYfdRgL6NyL5x7WOd367pgtBBwuVyT+cygg5ITIBc6YTuT8thp/q0BsJkq1OdVQrLa4PK12Tg2IOUg2Za/tLJxxiNWqs1gAmTWEIGAeJWmNgCZAjJIISwTGcdbpdWqhjAEgaaLf9ZD0hUXQ5MmSO+KXzP7lIGgqCXoMEc7W7rn3R2VkIrvaVgCBK3psTg6+CxoPQwnYbUKgPLG7ys54eECJyRfc8YPH1957Q67pYkVD166ZP/sDJfplOGH19QyFnaaSLRLoXCAfWuO72NwO/fSljN4+pmB6Ev1cRCe4mXicz7TTqGG740VOam/JW4OJCrnHVs67cs9/MsVSNZOsI+x44TKJjaFph4onaodDh5P7e52IkfRnHnjK6FjEvYPasUr9YDqUR3ucHxhD9UqvINDwhp3L/zyFb2HRuO1KzEQLzmG96xiJpJxBVl8GOTeNrK2owOf6cCuh6o3iPaAFjFok26gI1ujX/mPbBigOxB6S0cLOLoA7oA+E6L22nsoYdIwjU4b6Y/DQvndgsZFnycLsSA4TRYHUH1Q51fGU3S/zAlB66rYchsw3JqODD51axxEdo5uu/2a6K9c8BSDo+stHBPmGvty6IorhM+17IGwSVrnxBFbSICja/Mi9eHmkUuUQWaXe5iWiNGYOIe0Xsbu4PQANhDE0f4U1LboVdI46uVhBV36zLSRJ5hUYARdmaz+aUSfNSE20xwCQiqd4U1cb2W6ZRER5WOfNFa8LCjk1YyhDY1yKCbo5tZrYZtmo4T47EuH/2uyW9vPtDlAhpZWmJJ0LEbZMhl9hIEAgGYmhnxPIVItJWHgq4O+YavYWvu1qgbdBC/FZJ8xx0uSy48oKCbuTUbIBUHQ37/6wp+IC+FAoYc2CDgCKzYvYjGrjMr+l/bhWE6KqI2DE/8yG4sOZIyrKNOYRq/aqDRkaeu96bLSYZECoLpohEKRNLTFQ+J8btjGX+xak0HRNEX9bxx8Zs3ml8mDKfh11uy05zPMVU4jaLrc5VtvmNdCg1EffbtEIRhi88aP5K2flRLxvSsYODd8iisqJ3CEqa8/C/FoHhWqgs7vk9UeRs46CJjGQ2Nx7UeQhAK8ey8FwqqSPQ6hp6jFnAv5ha583GZm3G8CsapajioHOpNcyYRhUW/ekdQ1E7DafOLRRO0hdWws8fsP/96uuWJ1Ir1ec2pepmh8s9zCZl/CKSU6+PUjX03Y9buZDnAYao5nDFsF5hgi2nLCTRbHnCh/S5C4NL/Lss2gi/9HdQUWr3KNONgoGbdRNS4MHtK/t9MtxQT8FOS54fM76XLygYZhQEQuDHUr3vaihOPKXncPNx+M4IGd+tsOoGADfpZk7W4OLd5jl8OiCulKvmRXzGCrmyofifh6XBE/EDa97j4eXt/fZPhUh+kv7i39mLKiccPUqpq9WYA/pqlMc84PAsewRerk3Z7jygFb2oX8LwYX2vDer565q+74n/y+oqz/CQ7jypoGBC8f9a16h2e2ZuvjQZ2sUdBB0xKwmLHC5mXLRkJYZ8Myt0Bzp0iVnC8P,iv:0GfL3sG36nsg/4BPw32kKMB78TmbN+mLq/mqEFp0yas=,tag:x+kxJsS+Fn7VO3MlOmqgwQ==,type:str]
+clicknload-proxy-config: ENC[AES256_GCM,data:lGoX0iItw21nFT6n5qZRddiz9O0KGjaktXzHamSBmpE7nZv0INhIic1etwrluOnv4n4+0pn6qGeqLcEYsN3S9zDDshdYgrxmPl1xwpVUkvCIA8MGMSg1rdLByYjMOA==,iv:F0sBov54Rk8te34n70s4pPitQXjCfrKQT1+SgQO4ZZk=,tag:x50kpNEr5hYipdIknRQ99A==,type:str]
-epicenter_vpn_cert: ENC[AES256_GCM,data:y94SNCZISKCGbG3dtMZKPntzHvmvAK9fr0+TASNUPp+RG0o7sWRZHrAk+zs4x6tTJpRMCN3VJUzH0bkSHrsKHsYLwVOT5Sb3l7y0CUjjT463NWj1ZipaMU94NRbtDC6Q4sMkFQPaLEefaOhjQu2a2qMx0FkQ9OA3T4f4u5GVN72/PTftHw3SybhptlF5L1e3Q69J3H0uVGRuXmmrws6HcLb2th9sAYPAi82yEimdzPa154DKIRcBY78QVkRz4X7VVyLFY3X34TMvGTmKP7MsW5lApVd/qoML0MkqvrWdEClMWG7i4jMRjSUSRIVr33DE8ds4aBx565tKQ9rVZT7KPZU7IbFqgKP6TQN8w7g5mY3aImPlRMB/xb7V8a+qBScOgBiwCgdAnz+PKGaCwcaBba80q0m/gONkxgVy+QKLLdALjb3iUpKiGvWFLwsKr/hQ1O0h7MBFDTGqWniiXZbyb39HABZNVtKAC/4qouG/G+hP6fpk/+TMtjRNSh6wWtyiYvTeFOtCWfi6YEC7IZFautr3vcu24soA+Q4vFwYr6lIEPnQYlpBCr/TLVzEvxWEjsR8G2RaBSWGm2E0tre8qVSFkJwz+niL8FQgaQTjnsYmJGHFS8sxseGuAakuSH+gzopc75H6y2pEnZrpQMOMyDq0GMkIW8xGk7x5Ewq1DZ8ji13Y8xtnbLqiJkhPc19JDoXdpls/40K4Ymrz6dOO8zxzvW8SHF47gOYvp+a5d3vqwXFZH2qDUvdScV5eATmK8ltfGod9PbZWgFzhp336dkba5aAspXlyzAlRRqrVhvpff+V8cyHTIz9qA8fhXv+v2pN0E/Es1NTJhtQo09OGnZn82lfVyR93hLtr6AgbDggwhvAOlJr/pAt0YZ5FhehhhnH0+ekUJC0YemUMj0QVbpxIWc4rt5n7nqewSHC8feo6Zfc4NHfE8sWemGGm2sUOdf6C2F9k0h+Snwfyu95XIWccMAC/Ii14ciu/nj0L67bbj8XAECjWCIlhhCJcMXlpxfU3lZX7zEy4WH+IqV1399KmtvUssuObBb9uAMwHjZl0l2GVQPo3clDea2ZP5HDO9B3kWRqpvIrjawh4IM73O43jbIDgjNXMijnH0GJu8FH8igS+7JOhRHrOBQiNc0unx6EgAfXHo3v6o8ktzbtRcUwU8k+wldU1cu9ugpVpG9j8O+zvPYkaH+0xfdAdxDKXz+4e8462O5zr3IVRp63CBBNtnTn6fcwnxgD9ouhgyyLBylzrwCmRAODHyukJovkNARWmhcYCAnYhrYf9KqaCoeRLmFq8sLMeiYGDTJ/+PTyheZMHboaoZbUbnRtrvuXQiCHqDKxSan0OACW+oXgCBgZSshj8lb58A+zjpMVy4Wis8s6K9HFpiPSP4tmHxXvOod2+qL/eZBV4LhLoahO0gg3+DUPTeJVO+4I7YZYLVXBhf0OC7z8jMGf8Q4SjO8p6Vufx2KXIEpcITto0IJFsIAv9UVfsKVyvVeuGaGGi8VQWhexdQxjDtoURRts91EFNpJ86o9HPbQCAWXBx9hlnBH2zZntqPd5eVA57s67i1dWpuudD/oBzGn3fBv3Fck9tpArMNSrOtbtl3sBc6Calo/5+HWSY4tz1Hnrlv0/IxD2EcgzH5dFu6klTn3gaMdgd288/kRPDzfdcVGqlvV8rQJjTD1XN48FK/Zp2ydCede+SKLidqrqz1ISXOwsya0ivfc4Vdk3hhnnkTnqZT3qR88Z69X+9QkYCVNaoojTiBoRCekqNDI3Ev8MKp1eX0E3rXT3AG3E7xEFGulhe2C9RdMwQg0QG/Ws7n/CtTeVwpv+JG73TlDnBzoVHN6fqKBVchbGPtcObM90N2itJ/wf3jXefhrrsQudLch+Mwp72YcvCKqOMsrO3egvNxIiLKrrVOI8buo0NJrPoQE3/+rZQFzx2r0AHkrwEUHGUvr2oHDJyXwSY2/7zCYbewN44Zjo7n5ofOhSUsaGJNySHgC6V74gyU0UCUEBnF8fZK/Y6QgdtT9gApHVtJwXRvLig2P11bIlyWZjISRaAVAUAMKdS8ir8l+P3NL8kBZstfpH2eeYFHIWeZ7VrVTs4CaHDzkyMizui0EBfvf5irWeJvIekCWnetfo047QKJvrKr+6239QxH5ni7wlzWxiZNcewaOfCK2SqOvYz6NIRp+/blZuxL2pXhTInB/XxbP2zHH64dC8AVvViU8bI2DR/HhzbbpEylzD4ttvil7hLt6AMpugFrmAgWd6JU5yM9lXoTSprmXZ7awYTLcQlCQu9cUNXF0JdtELA/oQipEEUz+2lRt3B+0abYGVWb,iv:MVId1jgmyhY/iUxnjca5IpYwlzUAsa6Nwchg52AKgRc=,tag:1RASj3dFAYVNphJ4zjXxtA==,type:str]
+epicenter_vpn_ca: ENC[AES256_GCM,data:qWq8Y2JRQIdEzVOKki8YmSMhpxFmFougQSJtGTaSgak2uP4MRzgrwpKGqDqhkPfqXeD1GSHRJNPe4plIv6//en0IEjV4vvupUrJuSp5cwmjhvbJLWWpUSQOhhDM/sN/ODDPLy+JucUoQRIt3bgrOoWRWro3cPuorGcFJfOedOy2tc7oTrpQBYNyx32kDfh3IHzuaasSFtCAnE2y5TVEXsLcMzkzvBIpTGzHUOG+9tn/nR5Ro7EodQKXfs11pL3mvr/iMlRX4QTSGYfl3pJE4O+Jssn1+/zDd0bNrSU1kKunDsuKDlv9Nkp0hIjpCzc55v74Jrda+UATB3f0muLLgULbsFA3JfaqqufLP/rgYjkFZ14qidjby55Z2+IkoH6U6et2jL1O6BcUaxYo7dbsE8kbNPdk4XPoV+5WYSOKOQrx0xXiW33fQnWq0R1x3k6YJ1oVO1CoxMLadbaAkjhoZeAP+VFviKHoX/GqMGlkox5KgdO4dUz4UcJon6F69wG/LzXf+gb1VBacqx1MltrdN+nUFNTowFor0AofUofWMM6xpn4Xy+gLy3AFQi2+3hkBmPbtgcWEWnTuekhixuPUrO8h7CwXMRgpiBBqeJTQVVoQ1puY/1Rw+K1KXY4QdRwd5laynkU4owvJtgHk1jogUIBpfAOtIq18gOznS1HhgH8s0Af0eU7lSAAPDfRoe5awydb9Wejpjed2LypMwtYE0qEC+tR0cq+NTYnINg9bcAwDz5iRSpKtGPmy8Xj320LAlH5eDyhcxQjF4ZHCtJ9/3QcpbBJoIwWlS2+R0fk4qOLq1/q4RqnP2aDc0CLd0MKx+tJs9yBZyMU8dLJtqTnd7z28odhrZ9E7PmJ/Ky2t7WsLNZF9lOWWbJ2og2Mxsu85HCmntQxjX8Jk17Eyl6jOl5NFnFEWMTPfSsaf3J5HcwffGV3RjdM/XAleHCoNP+ydM/hPra+HsFqoyMYqT/HuZPv6ZMLY1KogBy/17OdgO6Pava7kB717v6t9/eO2FH0LGKYrPUJBha8Yq7vUJFhpABO29vTJSdG6gfrRpPafgKjZig5z8BXNU+R03DiGrL9LdraFUFnu+HSF4YVXd0EGrVfQF7mw7KrH/TsAOc1KOtlHaXFkP/SgZ+etwyC48xCy1sgQi/7t2kozPtM+RcAQJMhF0DHGFQUWwj1HesHsKaOl/HdM+eU7DcMwN01is2lD1HUp63HC5OBItET374DcdqfVUBBjiOt3srd1OWuE+FkrqKpCaxLihu2dHP8SR3DYMlSIrGwy8U09Q3iIe1hD863HVOCcn3uQZHj+g1GOXpUytouUhE9EEC0THEaPNwygNQvSu9AmG+YnFaXn6ZWVokbvf4xfttSc9KUD50qK54gd7Aa32fvzsPH9O6gMtQ18wPmeCzTzVEMBFUO33BI38UKpmKB4/r5k6F53L5YOOvVsD6R5H/0ABoIjXPF8gFW2f8RkGuAH+8dOS3VdOWFvk7ZUQxa8QjMrg09n+khjZ4kPPz42W9uaRVQeXAWLhcNOBeT7U/pT23Z0M3Qfs+NK6JRXhIOj1Os77uSkLYVKuf8yfhbI+1J1/Y7WVe7/W3BkHi7SN7Unyt30QntY+FrAfbFb59aqNptkSlmDX0TbVTWxAeD7NGi/nBnZSJyE40iJ86YzqDjv2E/oS3BWRV023tfp8iljRKKD3lLinheKwaFoZE5s+h2MY1tGkO/LeZlRhxsBznouCinQoqxdxinNxCiSpP8tTxcZ1VW5W9/JxWwoRhTR/WyDVa38vVHaVMVmhCruMDCHlckHMU5qo1+5xNkDNM2kirADqIJ5CygRI+qc5CLVWqmmve/ICG5cGff3JvMTENnptNhkWIzHDemMukJpaPCF5pmH9mP6b,iv:HiTBKc+JD2NETPL4JYOfYCHjNmagZXscpWV0o1QXyfE=,tag:SM+tAq6NfBG5xDnrfqN96A==,type:str]
-epicenter_vpn_key: ENC[AES256_GCM,data:Kt33OLiauTrkzSwib2px/rZoQO6tlCzsy2exxIrZb91ukUDo716+JaZ2dB6FEjx/z0jaUEiU8u3lZbq4gkhwXe/hwUnr7pIW+V1InJhuGOAENfnusDkSu6P5pVpE5FNBKYF6u77/h5pdWwI/bHo7Hfi7f1xVtPkAeSqDScprUOVIoEYeJ0AXo0L9xCQVPSIAsdrh2jZQPe1S4iCLqQTTYK5CvP4/1wjwA2C4PheXEK5Z74Xkxd3pRI0cogpt711+ujMbh01siQNs9tk5+pk8vbXV6M5duzQlJar6iF47GsaomFkLNsk4QvTVZ7kKIMWEfOzwgwniI8YGtDgjxCvd13H1agaeDjsboFxR3i5aI0ZKC4sP7aTASDQbWwTQxoFdMlHjbkMvVWAT1CxUw/phUfwA8L5xLBxzauvHgE0B/R2rW5FU+qaDZfyUts9RyIJzaF+bESz6YKV27i1ZQNp00YPH9jy05uYDjPldLo2PLzgLQHMsSwZ60KKlHU68gGtVI7qtH9fpy34h0/6IsCRAJF1mRHEHHzC8Ny4Q7dtN3GenMPVT07dwgEYczONjbtrpyKoLDHnAf5JguUydLIKvcxDwNmfXlaAcOzX9seEO0L+Wy2sjG5SCKjPA0wTwIvpWuthTpTaptde0KDBauzJZZvkx3FnABF5Ho2VHCY9MkQxnc61488rQXv15FNM2WaTKcI97b/kc+PXK0XbvKD1OKJ/fyNloaLPAJKB7Q+Nu9sSK91nyM5WOALhkp/5PiKQhSO75X1qsd2S35mWY6upES887He2rdmNjt0YPVzETVXhDk48OHwNNcqKTG0qs354/bF00lQJ7asQaHZ9vnomZTy3F+vWdadmUntu3r0lz/74ZEA1rWe+CIyINkuGcT0q48FMwlzms6XXYe4qnVjG1Yu/PknI6XfIpEAHN3aR/dVkpvwSDKzJD9mUr18IoXf7mcbRmhc0yAz7dmoT+Z5x+/z4G5u5xmMa9lvtHOnaXn0RhbMQP/Gziy9hB7GySGyztnBxOLghO6pnY17Etxcd+RDGkHb+PAZY2tJi3ObTry10dT3Zcx4aHNp69EcOjTQ1+629jFatFB2dhgIt2JdWbpgwppE2QB0g5cFY3e8s3rdriHfXsZNFt1xF7aaBYBUb/Z29EeC3EGUyV1fjhG0ZMDuZAw/7UEOObWS1Mx+z707OWWwGXy+5BYdSC/sYzUF9aMfGXjfttsqr36Cza9aSia6Qin5vMmJtpLYl1WGA3TjcgnglVhgKmg9DvEijm/pa1gy5hMX9SQgV0SuHtWfGIo+uleBr3n38CGJ8BOVJbZ4pHR4JQWrAjxE5MHIzZRF1UmbxWUoqL73IyTGZQovPrLO+z6rl+Djd7bGcQgpsBd8nJaOG5qoSH3Y40+onrlAz4WmKWPaSAclSgSPdHE4OEHIPzzrzLOaJWrI9B04LG9qMfhtpMNse/O4XT76QBfgaeDtKHO4Pv7T9PjIHYC4dPljkvrthEPQeJwo1zywDw2uu+I+WyxWuEGuR9JByJ8s7vaSLcDSP1BRkAq+i+YDDB4/a9iWmF4db/mKjVn6c+NRJjmugoCPeVbzyAfkxBm0nXVjQpOAsYGvGneAN53xHJmZ4kO91wrx+i+lXfRsnU3pgYYfHOePEhCUZoFXSVCFy0ksZKSHQSZb+v4x6CsvtpomUP6u0LIukZgZEgNsrpHXn4oQ0uzrts9LwKECAjGpgRINdJ6XCD8uxcIE+uuS5wyOWg/m1TmC5MThTwe4UfpxD0erMiqgGSSJ+xWuwmnjSS62XmLHnfe+VWEiLOk/7vWQxLy3bdHSfSXCee76isRcFpRKY+x59/Tj02I3F5onVuqAehtLkL4zUgdavmLmKI/81uKRTcMtXdFnYuCR+4xBZYauVtL3t7yhozhZwSZe/02mBahe61dwhZIIbAbAqivbrw210H5cKi9R9i+dR85ISJTrGFlXwT1EX/kD8BWdWPZrg9s5JD2jzrl56dKu+oeNPCZNuD6qlCaFBytJOixj/WkggyMGtOcy2do7MZZfuswbLLdD8ClzUx2D+nrRfae7Mze0s7KhyArmtjRyAfh8xqD+vTR7/yh8mgp2k5XOBw2bdCqH79ctq50drdBnpLuILKuruO/A1isS6YkjD0vxXQZh3yt5D3iqlAAOHdIzaWf8q0zUQsHp0aOgZG0WSlVPg44oHEG40O+laDu62fgcI4JisL6KwdJIPidw==,iv:pB/cNgmHi14ugi6kd+J6poWXX79LMHiiakNa03ibZ0Q=,tag:nLfjOesXDm5/QtwHznJROw==,type:str]
+epicenter_vpn_cert: ENC[AES256_GCM,data:rjeAhg3/0eVfxryVw5ToSAo7IAlV2CPprM4uPPZxyy96fH2YyXLdcz4Pajn6XHRS69bfFJY3Vq0zJwI7t+RJR3lpCdg46fis5lcjlWx20WVPzbkmwhvGIf4JqZsoTKkAT8PKwMsjS2BGjIo5uq3Fw9u17szBkBdijDwgFXJ3lcQhXstF8lvbPLD6lgJPULwX82MoqTMh+WwVBYEihPpP0HOJJpDyZ0Tk/YasrNM0Dvdc7sQBaTTir4OefJeLMpM1U/dEyvKpiP0PjEa1tos7rPWuxfDb80oMTBQGrZE9Nh+Mg7moXurAktqImcbQNFLjsIjTd12zzXdFq1x7oKrNMNCMIi4J8rt47TxGth2vY/Cn1rclI68rcd97s1MCAYGUJ43zsjDpUQLsbcDTAGevsvvXyehT2hRhX+rvWKDsXgz15n8EWbv49yDyCPGAl/KRu/gfZpF4Xbfmg4rTCYFgMO20XLqGjZybdmpexsrni4s+1DsCzp5xi/j3PNWHQEmL873tWd7iapbHcJtjE8UzazdT4Q9/Zog/10iS7NFhCCEWodO0/qZtKWLDDipDstRAoGh6CAPV7hv4ECCI8X9BuMA3H3OOGRKCNTo9a0ipJEY6h8UhqXV+ZtJiqp3UjYU9QH6Ve52oOLQhuBDfTrhsgDGkchZ+AZpsjxQl8bxa8RmOXt/0sFSnR/u4aYNzJupeVk7abvHGnVRdWUrpqdPXVmLjk/yk1qgwxavW6mDWUh36h8xd70cGXqTxUXGb4gQeK/GGxr94XscB5yy/F2wtxc/9T14xQ/mOTG17S+oDCxtTAJNEoDwbmhlzwUKrCUm4Mi7fd/WFJeodBU9mvwomRCvI2mq1sp/1dkV5X1+5c+f00o5Bn+Yrx+QmZosby/wiV5i0c/4OqrueO571c8+FsenD/xVSoEY4q395A6yfwEbblRRA0y1KSF9DmFxLqW2Rokt47XLfKjV5Q3lrmiUJrkzBNrdd5cppLwH1YEoE0rPUCWEJHM3G6+62hcT/XRdN5Ky1BVSH5QplbxrGb0ojUf1MwsO8KepvQNwfXNdJx5k72eUOhLa24LD/Mh3IWHuwJB0fM/BulLxZWjaKFNWrhunH2wBHycTHrp9YuBuX7A3KLhuWS6aZuEHWxwcTO//MmGx0bfVwkd12Xoi9HCFWfVsBqJ4hhdS1i4IXBOqg4HhvAOr984/S7eOfkpqN8Qh2z/5ZyxZPkIWZT2/R7Zb+WdHCpS73P/GJwMXPO0ptBj6dJgHhlkM+GGePvY56zkj6u6e1FtUHZjVgwZmCNSoY9QExgCLnhS5A6duKFWDO3jUR0NVEyexQZ+WKpG8wHaKCqzaP5+IJ5ptLvH0eQ41uUHKovVsK5GkhRFiu6aYfvgpMb9VaB2npv+0UgDgFQYg8ryinfFMr8ZpzOQi4YlS0H6wXf2ty1ysuEwV73amhpX9sqdNtVvagixqmLGm6KicDQLcW65x0UB0Ea926SMG1FTH/6Hh1AbPyHRQCVqebK8gM7LmbzK+oR+Xc+TF/HrMEu4a6CJm9cc+Sq3GiWXUpxp+NkaXg6MmI6ES3xC8jonibg6BtPAgBq23Wb1v1peLtbmgXB5a1YCHqvpapbp/tLcGqp1NNt7DMj9kqMMnO+1asQLryK5Hux1F0rniRz1ZqfERj4FP2gPtMZnvEknePvdpMqHnkWDFtdYNoJnxvyehN7kbFKugQuI4MXyzjymM+U5kVfGanX1is5WUmTtablF/cPxI3u4xHGq/hs+UHHwwlYK3MkEWI1WESkMOgvBxMqypDDQtmOHvffuQqAfjr30CdUDz40IHhvosvg84W/ciV/CNheMY31XDlcvrM3u7+i/5jNSup5vFL8c2tWwh7MVgAwrtoSr3YmKiTOrD74RVTwyHUaz/GPAHXCKGlGsyyhj0sxLV/yaZabJE7CPdIT/iCqX8K5/q51XAhlZ2zC4BhDM9KwBlasI8RRez6Sb2e/B4LxuwK12b2c49fqz/O/dAKWG4GVEDr2xGIUNC/MQI7Yw8UwIXweAMDbpZ8o8mLaxoGsBkaZlC5NDnwctUHehARasST+r99zRNNMIi+F5XykpazmK6VFxkB38zBWdwCqFJqlJ7/Q0dKig5o0kNom7p1SI/ewKmyIX+ojGt0pLW3VkEpGg+C2bZvyGI6gLSCZ6BjLAVIEaHFbBgQyu4uMDPeboa08+JPTUPKj5r3GHLeMSI3N60puG2t1Fl60L6AihwJM+XyAmKlbAht7GFlNlvbcI+Rpy+3zVAk8qLziuftSMVBq1Fm34wyPd/0cTni4CFuKXydZwajjFMf2gl48j+bUc9Z,iv:jUlERMQxELOGGZBu9ZZ5Z3pIaNdpiV38BnSCfvkS5wg=,tag:k7I+eceH9Kuk45yHjV9EHA==,type:str]
-wg_private_key: ENC[AES256_GCM,data:A80vGf9aMxowC2xME4FIVTmKpSRLNB2tWiUQeP1v8vCRk6Gt8BKYOuXYt04=,iv:vr7qvfr78syrI5pIytjLouPwZcw4xvBTvEUzzv7ibnQ=,tag:qjALlFkd8JocLJqMKFERaw==,type:str]
+epicenter_vpn_key: ENC[AES256_GCM,data:7soGqQhQgGN53fCb9CmF3+NlXoI6fcihnNPFNBYlNPpdg8Ww8mCZmAmKMR50HZ0/dxeveyi0YMuUPYqFYBBJxZHIEHvYe1Jzwq6/IZs5Glh1TcWHU/Uz7I5mY21GG6eH1ob1sxSF+QHDmTa5/+FiLqf2EsOW6fOkTiVO6fCWlCp81j+Xc7VWuBy0eSYaIohab0IeUDOJyY9Vj4xgwSULgVh/hywbSUcucGUFPDAoNFJ/B00eQgfjpPv7QLrv2F6CPBjj6rJSo/WVii0qhQJC2B0NZ9ZNbcvZbsMAkRIf3F2uXi2L9w7lAtIFsA+oKe+hr+Uft8kpB2qO+YY1n2enh75lCM62lZJKb2FRV5Pl1VuSfPP+Tjymv0kLJmFTCM6TCyArNQVSSFf3fAqo70dzAHVvIrHhP2DdW0E5tzHgTlD+M7R77T78reHjui1wiwL3brOx42tMzLYqIlwLNnh7JJIvyC7b2BuLOi0mjG1bvBg6f5sUiRl9jV+wdepdmHTwwgQxRp1swatzRP5/5qd+fJ0ldg4a6lG8R95LERvnyc90GyJzAcubNEI261n+g2J3DnnWI9ryfOuBSO7aoPU1yHK6fWpC4l9bZc1zYl6xdoWjJGw9awCipujK03V9iNLGwCk1u6O0ZBmDuPQGTVhVVK7rfSdi0fDpml+2pLTfzLg6FG7Ribx7F/B3UQ1X+h3JNpuqwvla1a0D8eEbi8f0p6LPVN3RfTmAngGQIGtqX5FrC6zceN30yy2qHOPLNzbB9nSvE78zCiyNLLFlywM+hTq9m1GpIqqtofDdZ/iOSQJYhI3D/sCFX+BUDOujAJfe7rTKZLo3ZfGc8OjnNLOqBzMZOCpONMgcWZnYxQIlIx7C26XrZxdYf9dprfquF2A4aaQNTqBP/K+p124piimxLaFx+aERxnjVOFC5DnL1tduvKEDagky4og3wls0Q27P/KY0qo7ILyOYKzaUGIjYH2lwHH+7CGHXNJO8PA44RKw1t9VEnHNBfFijEcOct6hHCQo3F83MLA4qFq2HWb3sEtWTyq8uJf5iNuMUy/kEHtm+IQ4NjMkXLZJ3Us2VvPYosZrK04BpXHftHknHoQhSVm80llRdxOb6KbFqFRZYxbxp+ODXam5/GLFS+W3MTC4cTgAP6Njz6N5WClPZqEoTiun1tVWEiwHNC6hPZfqYVtIkqCv0SQ9QO0iBR0Ss1DQTSJJrA6sT/+Mh5PPwaZeh871aQWg7uzczmZXjfL3HPVgcerEPrKEfES0lJ6NVXSW5rNjUOkyF7lZqbOQ7uVutZ7pOUYzj3VflZApCUj1rIUejORJ09FO+A6XhENztL548PKerHk0Y+t30rOHtrQkRo2BXDL6wm9AegPJge8b7sVeMdfoLP8DNn5eM+1ID2WeQKxwfGp4izxwFehe28xjGKR4p49ruzkG4kwmaKT9ZeO3qszLMVSNbduO7OEnU/EuFfaoaQL6L9LOV3p57cqOx80VKAlMwJd9hztXJAHWDlDLfBRFJsW4nNkOxETBLMucCanX+y4ByoEKanXaq2pdLssUW1nc4HMrHCXTi+Oo2d3HxKRedx/pbjeKJJVY0NP+BoWWrLDZa75efPuspc2fKWMzmiBjMALCq5EqsN8JzWrwZF1Kf6AxTRSSlXhp7TL20nnN5uZLtexOpjJH1p3F97qVF94bPaU0gZcxbIEKXcg9MULn89NknVVIINV1gvpj27sLCX6BLKugItgP68TGLJvUyKnuynx6ucDjLgC3RnQ73LFniHFktBSQipDQm8x97td+xc6++qiNDhidzfWweTl9Sz/O9cERmvbhfyTMXMk+jwB0pp3pmbpnGCg/Echll2/gQEiE4ugq1BnbGCq08C7jYnZVNzWEkaiBNRW6vTcBcNRkcJ047Xcj+zDNioph/zrNq7wshgh/aKmEsxN84LKSluyLzYkqYTXUy3FQUDvVhF28wzB9Hz2hd/FyVOC/COnbbFQdqA0/ynGJ4L60PlFekAN2LCVXc2BCR4HTpjIIPDDfJ/O/jKs+EV+oe7GOFPJ5WgmXoOCfBTfoXJzMWOxE1GNnYPsdLAuyH/5iSQnAFUtC86WLktny2KXXwW/CrLkpYDb5ZKDEHHhLCiwoqpe23ebi1AzADFr6U285MLSzbgfKdRmDr19b5w7AwncAbgXH/D7ySO08d0zLu1jtkFMXwADJxunvc4SSBtnpouvbsDmVmZuRKP7mj+DQ==,iv:IAxV9RV1hqq1Fn6e78a1Iv353mVZ1Qb/yFpzkeFtvjQ=,tag:deb0M9hJPqzsL0shaDJ1Pg==,type:str]
-wg_preshared_key: ENC[AES256_GCM,data:bhXoD95ahDRawoHd5Z35FY0G6Xv0PHwWJf300fHQ5jNsGN1TQKHsIswx8YI=,iv:fBsIWkVZUt8pahuO9daaRBIEEIWsSnFW5Velj9uP2ZY=,tag:RvbCYhnRv0OrjTxjsNFW6g==,type:str]
+wg_private_key: ENC[AES256_GCM,data:XJ2dZINMd+gKlqdQtI9XZw7nQ5UIx0IWbYdj+HWIa4x/zERGPZy35EWcK4c=,iv:6YWnWwuHHw69S1gq4xrS3p0DXpF6lJt1lmZZ7NJ4uGU=,tag:gpgMkD/e2p7XOy7uacv1WA==,type:str]
-wg-cloonar-key: ENC[AES256_GCM,data:ZMEeIZApOD0ij3nPMZeQRwJ4MwVx0sHu08F+m/u6IMHBGid5YwMgxZ7qbLk=,iv:OfIZ9TqBLjToIQi7zRUBATrynBtu0bzXeGVI/EAUPhQ=,tag:mJICT/ak5U76JE/IxJsCKw==,type:str]
+wg_preshared_key: ENC[AES256_GCM,data:k7NdIMYTes35HKKCpDcPCCoGo3SdO5KlwB8C2EvSAJmRM7VFOfum6TYNae8=,iv:gbYR7OTOsIaFQtchYxblHcoj7dc9D5qz+N8F4+Ru9os=,tag:FfxMVal5j1593s/HHprlYg==,type:str]
-cyberghost_user_pass: ENC[AES256_GCM,data:Eaz8iEV9vNZh/bJePmacQ06zU8FfIA==,iv:GcnU10VLVJsoeIU6t6eVjopLsBamvk12DpMbM9BsBv0=,tag:rLYoghkD8O9JepnopJfiuw==,type:str]
+wg-cloonar-key: ENC[AES256_GCM,data:lHJdTGPA+XexVKA3JCckUkGXQm+ev2p5VhPnHpsYfRiao+rr5+N3byoBw3I=,iv:q2djx79niGelafKNl03OBPfMAcIAyPhEqsiN0UUum3k=,tag:96CU7iCd+Dd1iAKmHWcEkw==,type:str]
-cyberghost_ca: ENC[AES256_GCM,data:9PHq2qHLsCvAmJR3S4J2ccNk6ec/LDauR6KoIpvvHX2v7w87m9aoADw9nSbQtuBwJWjSGi/hqUAz4fa/pT6y1TjLiJxUDBmr7axjsc7b9IQMmQCO6zmCK4XR7TkVFWorwdQxJ0HVdXBFAkbzet1EZ4zv9QtwXuXK8MkH50dzI0HVLgX7EtHljnrANJ/EtJ6TsxBvMr7HMhNITUy7iHbiUQvFKanZ3FmwLgCO/K443szXa3+qKQmr4YxKOUqF41QnmpikjksgMw5rfJOhuxe2YTdswt3urWTOtVfRACUjkcivqjWZIz7PCULvJHTwqDDLR+mc1bxxgkyIfElx7Tv7+tjbZxCsWarekPmjg/lETRFxTkg30yyBsgXqFjYbxwBFTjZkkozpnBJbxZDq7VkgEIi3hl1ts1gUsj5Y9v4CDffKwAST18iDgq/Rb831878kujdiMH1qeMOgHVpFtrfjleK2MPjDYcTkXY0sOdOCzkFgFE92/dp2q50er3FTaIq69c8dYR3DkSt/KPVb5Og7j1hKRtGaBpgfEYVqKzB1aMm45ORfmUR9ZPzTZvGzk8jecFL5wxFK69QmP5/cMr29SASdm8repcE002hUJYKp6RALcRpo/e+Cvc5yetvwdFUwnghLgvmyW6CTzn87OsJQJPgl2X/b/iDJrlzaa56QCrH4rmulDf54RS4tQZol2tRAgnSrxhvKOlqSeuVRwczxqOeGNi2Mfel/HIHoc26GONUtHtF0dqCm1ZJvKPr5JOKRguEXcLo4ZSqcMCNg9PcfPBVV7C69K6kmA7+vqRr0I8Qv9Ls8ZDoywZ3L5CsaXYMFaOcTeDaKdmZiQnLPr+NjPuFmHn04EgjgWuk2VHCENB7w7m8nh35xDQaPaZbU0RdNahGJrVdUHKBs43dgCor+SNhnnV0UjjLLpD5off5xdgpxNNXEeNfxq3Y//XoNM4TQzk91em+KScuPW108Rylk0IYavOxIgNettmr7tTEb59UTK92ogEnQKNZOv0S1lEGwzQnD8R6tNUoESWIpyMc2FDlEd7UAuPNXGIebQnleMTNdp0FkJHSKXjhcKXf0WOD36RGw6D6KiX6A/tkO4EvBt0hn3pJ1nfqcZdhrRUivx9quyEWYbiosLduT1jj1q5jy/1nq+sA7bkNrx2af2Hp0h1+8nteWV/4kWCwpX7aEfv7oraoFQM52luF707caKX5hRr3sRK/Kw8ad589EZxDn+R9L9tx+T5ItPBNItNS+1T/dFxDeEEhiIPB5qeubVrwSTo6e+lJ7QErMOfsyIbG8vuIhj3J0nc6Iy6lvdPkCQi3J4/w0WRqLU9X2h0RiQhiwDdogE1bE1oPFUje07uk5FEwyzmfKQxx/4s1hBvFklKtV5LHcXAo+QkirwZYOpyIrNalmIK1CeQ/GGW57AcBNaCLd5W0MXzpai8h2wWtltezqzCz1izGV1SZpgXBqGhi+s7aVgIW4aNiBVhnf2JoIvIuLyZvbAo+45wk2Hh0WXgAxHaZ/mReRyT8BWbjWtIqQKCw4UTbl0kS+xsl2mblRD0nhv7K6d7xuuq+5BnBPhn07aOowwW8qcqzsvcJPMesErpzQy0umg4ODX3J7GEfjjMIoUosRP8gAE+4ReT9y9ApoB3krb5W9WTAfKt1nnMJxiycM0QU2DVaad57N+RNF4MhjyPXDvOM57xDbfzFmoRun+TqGNzmBsblnPkRXqvunRrTW7U+fn8fRBxZAVgrD5LQoUbp9hA1aY0xsM+D8l8xpFH7PRTDqItTkIP7J1IXbVSlc9hkLHVnz9MbdiE+ihjTVXjzkMCVwbMgFza+fSZw0bnnOLNsX5zXl8H5Z6jbkDmoFcaABEQdABY5kgTtE3Hizzzz8rUt9mxku3/Way3mDF5t96qi3rR+CByOz9JIRiAAEXJci2JG9tIgnFM31OA/zmshFVlBO0IYeRvSIF+QYd9ACH2ZUfeUPdQ/Js7fwLFqa9N0yyWIuj/8X8sSLO8b7kk7/2aotdK9RolMRj5pj0+lrr1Gdxk+EdcviHfL8Uig5snIR/tegZIZJLYT9HOIdrFYkTHds7/dQs92EqJNvKZmsA3H8CJoOIST1JyB5AAPn7Ad/qN9f33T6++RUKJTnMDnV/HfEkpIrkjAwQ4mLT+Mc6R1JBaLVPJ1qaH5rzkaZNyI/DX7g0DaMC2FOyAGPLYb2PieOPWXpoRSTvA18UidYu8msk77u/M/S4S4EqAT1dZgmkg9DvetgQ9GGRGQ4t/F2Evr6lGHdZQKC5aAF9GDPAHXbjv9zLllb+dlZR5TLmzrspgBcCzdKhpjKTCEpxLOyFhPzfzzDzOdHI2iQlKkFRmmPC22fKk+OqNFM58dA6qiPEMDcIcKWZ0kCyH0rV4Fpzx8WlBPLD1SoU2HADmz/1CePRK0jywWCd529wvjdEjFYaiWOmqAywxJQG7bvkx+68P4AosqUVvv6mso7L0maQVVFsSPiuR91b7al4luq/QZulZcOG/I8fLDJ3YvQIXHW11NlljHCCKiTh9Q80bJrx/pJxjKz1Ct6AffZshUq5l3TZrC0XWZNg8erO4QnKjSZ3yYivg/77BGj3WQTS6lkhHFNsQe29+seIwbV1zZQNc7l4WNkuiYBDAgXiN4xAthHZZmETWFU/Wqd2gAosTiOstxvN+GMXSjotRxnAMn+Pew5Jly4uh7EvOnGa1k1oq+CzVcTnh1bV6U1br3I55P1saN0QkyC1ua8ATlcEP8tB89IK+SeXOeXk/koSnjoAAuuTFFwsxdBjq+D2SGQ/YXoUkohG4ULvMyPq8CfCKOWWKAS7xAXiVgGrBDIZZ32I9sC+2vJkglKkCX+fr+j9eh8lokqTsfmUB07kTEsl2GmBEEpLwikeEVhM2ZFWzPcBEZS8+pfSe6dm1n6nfUqo1lOi23/FL6AlrfbbjX3iAqBE6vt77RFMqi58RnH8GmR7Zyg3CXfGSPQwqgCiBdymXZaSdi/ybLKhsQ642bb37XceVjtlu4=,iv:8uQbG4ObsDSS0DeKx24lt1vpfeSms2v7KGRQrKoWwds=,tag:2RoiW5VWLXfMgXA4cbnKBg==,type:str]
+cyberghost_user_pass: ENC[AES256_GCM,data:ogaoPZDUosjpoCVmiIrvSnVEcCYSUg==,iv:QS8HQbcv4t/Utv3RwVi2xS2mSvnr44z0YwaqKGHGXPk=,tag:bwh91qZDkE4N0So2dbd8iQ==,type:str]
-cyberghost_cert: ENC[AES256_GCM,data:hXplfGZvyQDf6m0YFWgtdHCLy0178BZNbDFxoAvj6J/R2Dv27YZQ+kn7au6Z11xFNA1A0K3pQCfzuSeuNtLm6OqHU/QAsXcYF3DQnfrotod1i8FTT+UqLvFTXGp5smUQzpKzzJQHxfMOsXXMMyHwLiytCbpWHapyVJuG2EDdai4MScHqtepqaWsHAj0TYaED3QJFfn6vC3VqHlfe3WMY/fpy7brpAyccjbTYEdYiUOzYzzgjk00Jw1zByLNld5CeuXsiYto+Ce66CK/i7aN9OlDF7F/hibosk1AAPwqAvboGGcervEO1qtNVoKkprzvyHAQyf4HRpSNbsaEFPrzog3YW4vvu6dQlXujQuYF1ZRqCejgUGYSihC/NaZW2O8F3eJKkXVnRQkcbr2GzLRpawQZ6E5i0X5PgSHaFQsGJ5UsANbWY2tJJomQdtmQEsjJDbwG1RTBW9VvMLAdTj2daasixA13inqxbUK2o23tp9HRscSbho2de0lOH+JT+j0j+Mi4VOoCQMWc0Ln1YDFvjZMfUNtlR7Qd1Q2MySAUcGRf4w8Wf3waIb6x+BhBYghdJGsAiV1jyq+Pp8bOLuoTXYhdDI1H4gemtCSemsojPuvXgKQky75uZBRvuGSwHTCFu3WA42xU/bMNaRg8mRZSxQLMqWkWHVLBBFyiHAHjCXicTfsKhU9YQMEm9sA2Ecc3osM38guXU3/jqh0AbEGt4QOy6WMhV/xDy+eLU63vtR7YSD/DY0Nij7OnTG3GbQuyMu22j0zFW1UbX26m/pxESkPv9zQ8ilz6lNj2yxfIJz71pIjWLRrC/797Bdah+bRTeyfAQXsT3AoBuogNARNamcrdPkKQHQGEMY5UjNn/4VoFClXzeZGGeABjxLIk2hvWU10n2OiDmnj30YTrPQvRIXJQGtBNrrlPKwR1FPt8QCkeoFXwxbHQTf+rBllbAgAlfic3yUoT/foqy4c+lbXByaC0aJmwmgA1mJ9j8sFkX2znNtnbkKxesNRXWqeorUUhEafIF3lJ/tg+lwaUNtmy0Ig9NAS59iNklbNASyKjXzMzflI6H7SRsKkFeO48LMWtGH6Jo4QMvZ5sWvZSVaqWOlh1QAMZMxVzpz1eXv5TAsTpfc4anv+MgrpeHsXs3vQv2ytkale2YdukuGBuqlIQcZrw8yC8u+TvAPqDFZUAiyh8uOAwETOvQvNuttRF2qbjiIA8ZVp2Utf+ggaIPf+vE1mtWit4/rrqBSCT0XuR75duWSIS109B4iZer3rhINqIk1XTAzqO0fmyCZriw1c8T/87N4y9Z2MqIXNaLLk+UbYFd4NWuvuHUGSbsQZ8EtkWzaUPPHx/wzIVWu3ajmjUv6QFgSY9PS4eY8xKqqHxt2i98ePwfivhM6G1eBedAutLWF1m1Omjw9k72z30coa/UcfzF0fo2kQVcw8z1kJBuH1WYfk13D77soxcWLFWZ2ropRzFI52XfvXwxiyyd/sVByWt7ZyNDuUyyuyDeU7Tpzbf4N0ek2qfwBlllfTLCePqWcGAJ3zn1vYajyXFYm35YzWZh3oj0CEN1p1udyxUQ3YIvtUHHk4FPSYjuHSu3Hn8vft2gR3CYa4RvkvcxHbmH4WiSBlAlt6Lcv6TYkZ98K0/Z2bX2FMhItFE8bQoy7C+hUXek55aAwB/UQ4Fjf+2xTsckrCig+eSvM0ZJDnon4K+eUbOF6hSGbRzcX1VfqPStyHhtCUxOckccVLbWFv6sYyzuDZyvo/Nmljx3M0CjDZ5u16aVBxk3ycnlSM7WcSl5h7bjbZkZv8W0sWke/bXakBuelcvfpnzkcT0NmRT0awusSxQk+WH2iiiAT8NTijbQC3F6OPB43M9tad14WXg9cyroEcPgsm4hDwl6wsrZeWlQZ4dDwtLPF8mB5Q3cWsttUJHLrTmZJ1HyXThD8Vp9JO4jF10pE+MsDbu6vqSNOFa/X2tho24NkXElZqUXG4wZYrU964wr+pgxEvFsRx0hqeZ4OUThosJJdFGEW50RBP6UPEw7mWelpi3Q/kbVL4ulZ3And2U5N1faQIFbvWk2Kx4RP3Don78I/LLzqI9q6WAQ8HES6ulieDNu81DBd0u9128j3ZVhEBmnKpRHdGqCjA704zidAl8/+wrpgt7GdOW9AD42jU1F0aDuQujsPRszpFagmdlR6psFDOOBA4e1vTqovIrmWxbFtTr1d9oi6Bv5vDmg9d/RzS6Cu6DoSped+9uCATwRBlqP+QCO5Lz2cBuzVcqf8jAkdUlHBJxcz21xPzOJJOnR/Mx70E9h+BVfwWC9S+8REi+lFNq9nvWaAcOcDL3Pnj/GpYbO+quIGtE1RuJqW2uFd4wXiwbrk4qcVbxds0gH5DDQjOtsF9zRgV/Vmno07jJ8dZmpNq/it3Ou5eErZ/Y9BHerRCUBpWQn2r1XhgLV7Uslhunde387/ohQQeT9GlNLm6wyLLa9thhqLFxlvzRWRg+7HkutPlA2N9c/xvixs45SCfWWWKC7QTCVZR2OIxQFB0prfcmRC80nCxBi3ZdX1Oselgi1iEi3+FnqP7DNCjkXJWIasFhiRNcOw91IGKs5yaiFvCIe7kprf8Ew1xun+39H1W0AWdjaBWFSQU7kelyql4qsxh+skLuT4nss5wXh5InrYALZbvJBpBGmUAPNHGPkvcCSCaMeayqpiKoUUW7Wy8EPWY9kI1we+rpN3KhueQHqtus8nLEABduXpi1w6AGfDsslm6nRysllADNB76p/v0j2q5i/lQxM/Ks7pIA/hJGp6RKKmUZg3VlZ/GI/TXz89Ha6XHI4IOGzx15UhHPq5xuCDk2THIy0ryeHIBteVuU8uj+uoZVYMCfjqUxSe4Kvzk1QBrxntAWFb4ObVt+Mdw84YR9p33EQXPiX5JfsUULdsc2VlR7ccvL57c45GFPNGFjUJfR968GJLw3DGx65jtQWHQgUElB7Oy/UJVhdTSReZTULoh0qD0Ol473SmVx6EOcXQSVjfmBGjVkaurs8TY+OFwUQaBBCBN2T/jT+V+Y+qWf18uwaE/w+Nwe+E0QqK6uMYXvBP86QM/pSvjNJKHZZNJfnUOCx0EFml4bRUQROvucJzQLolui/DR4PP2MBRKi6rjhwMTYYCGLGjgSDsQ==,iv:vYJer+NYyRo/jcpGb66askFA42T+TmSfWTm3DKOIIt4=,tag:RlvqzLfvtJN0HloJZTJb1Q==,type:str]
+cyberghost_ca: ENC[AES256_GCM,data:hLsCa+H7RYQio6J5O+6TqWE/Ug1URHBXrgl+WNqrBYJJDNFr1ibDE57+LAdPfSWDVISjkuadfvleIzkDIe1RSlfMVN5oFoIoSDhzm3t/CZlMUjoAOU6QsutrzM6/Obfh/B70SideuBbG3IPm//6bgQ0eiiKvYmR1vyYGGyK8tFm26t3WVLdMKUde2SGRUA/Iexmcejmy1lXm+320vA9YD1BfMeOqtRJMAnrvyNPMKkWNV2hK6E+BXxiWCQK12k1RBw1Y7Y2uLfdImAWHzM4S9XZpy/Jqdi3EcSjKIA7IRXjtQQ/aaeU7JkMlbfHCOs+NElcJWlwtvsgfloMCvvljFtzALPSPbqRkpD6VqiknDvS1bWBW/8Tzz16Z+DP0UPnlSJOiiqEbuhmC8a0v5DilH/MZroKHqIzySwtG80JvHDiAFsN+OborWITefaHCl/oaOjDwM6jT6O61GbqJbwUgiCVKRcCv0gKuDrl1n05XEejCAyTE8z6y5Oo6ULd3unBvr3tn7GO6nVzFWzGSb7WY5Hw8pY1/1uJP9xufkkhY/YdYvoi1xdE2P2x1CEF6c7jgEFB0K/T2I4BfxPGLve9Rn6O7jZQEALHxj0B+JR8EBf7frK4WweyBOLz2pXLctA0OM9kpdutzfzS5tODgsC66/FZsHVyuY8VWnv368V6vXPhJOFZDMeLawXrv2BjMRHiHxI9Q4fWPutoF/4l6LVLBV/Ci8QU+gJvVZuzAcBSYSJXL40GcKQnRG7U2WWgF5ChAUSdSDUMd/NXQU0YhqHoxOmXTwM//tHVv2fo8xy+x++zKW+91H3VxVWa8nBVdI1c7d/uifHhjf0fTUyTXdbVmEo+EM7P13Pt6vnr9RmnWA1ZPo7KBe3m0+OUslwL+TK2wrCP3TaxhRy6xcpZdNZUnLeByIn+ck6PJOVfl3bObOIcmrzx+KbX0D6IYAlMF4P90B+miYe2cw2XFDmtaLDzc2U9JyxtmsfW+TzQqSFgrQyGiIEUZ78l0DrIcCIhaZv374ItMpW4vExpYsZbjk6+Ard0ZhkKuV4bOWwh0kpa3cZ+1sKi/6fd1ChkrbjNryLCRDU+ByrxRq3RaKhffG/tiJ8d6XESkMHODy6CwFTEDsxCbVfguwKiu91cWm/2P8fc5d1PjrKcljboSGgs9CX8c7MzWsGiNzCMJSFUMqB+kdH8W3Wz8lZzmvxSQ9n/5SIbvEz8gmEBxcwCW7imLegigwySVyEKO/NVi6HwETKXSAG5rZQgLtzRkiLLJWAL6PluoDXOlH2y/TLrmYINncYe2+36z1mFxnNqNVMLLIvkPihP+fA2P2CU7BFMzZ+GP36B4QuoDvW/o9YKLHQvQqOeVWbEBXSmp3ve5iisWS2CxiCICIXTrRgeg8jjMpVppuHIdIFgar6S3/T/0Lz2BlVacA78n/NG9dy4IDtlfKFYw3MOH5J0p5xd9bOx0TcZlzrPEcIwnw3lDms3DWiFLdeX6eOrXTM7F3UTYqIDUVjKTfI/YCZPupTOXkmPcuMcPiyrsAg58IsREN6KEsbhXuUD49J5oJWhrr2UPkxLwb87jiELIvWr2XIWBvsdwTfs/J5jh1hYJ8Pis52inxcJdmyxsoBH8W16xMj6EfG24HUpGc42H4puAkCVkKsrF/k4RAZXsSwWT+zkOnoNyIgnwAURICZl6LlR9Bfw5veXqSztQLzc/GsJnQEQYap3cxNxO39oGUunYWYZYqUI9tIotNr7VLr8Y02cu77xRGk9e8EzSX6IS3KF/9p4PRao2Jr/ZPHPl/pCtb1yy6g72kV8ymLTtWlHV4pvZSl6W4AMPo/c6V3s1Rh83+04H5qjFX8mSV6ePTdrojfq/QUjaUAbrhYzKWVW9a8TfA/BakoywEnNaUzItfs+X0RWrTIqoGeHaDO7kst1DDi/0fTZSCwIEPOMGSaPI668/0mgCZ1Dp4joAM9TZPDJVeFLySaD606PXTR2NHO0FoAwN6+dNo7L8ZSuyPVfbQi4DfHNQt5rFlHsTP9Iotw40632XmrHnz2xmTH5gqFm+FeV2s0ZDVvDigz7b7OXGtJ1m85qBP1vfTaEoF2jrpA6OJbBWxa/oEET5uC7al2gSFkTHqcUlP1UMzC0WlqddH1Bm8Jsk6rIlVyrx6SQgZ86lOoS65U65oZJbaLB3LtJFsIlHEBCokqwUugvvNYcw22II85cql6A4n1U7nfdmNwy0+iAreKg7ZuPJcSLhLT5uc1VRm2pyLN2WF0RPSeg3T0kPKyGuVE6/9+EKFOLzCJ/ECI828saUJslcOInOUSBUG7PFvqpEkChcajPTtllIgtUVode7dezTXkuyhv2SdfImwV7SXI2Q5j35ApXYg6dmS1ny4u1Z667qoeWuecTH0cTSun74zCa/GrT27JB4MhPHXk6CCmZpiupTcHLyylfwtP09f8MRwpE7k67+6pBQpKCRwDFJAtgSQlP4nklqNUGSQxMqwSQUg3EzwiVqk246vGimlYELBn+riO2pzFj/I/49thuHtmAe/1mXq3rjUYEg/NFKZrcJWIlwd9rP/XYr0FbAX5V7GeYoYk3pOKQWusUiWWmtkRaE0YKYemwOyMCu0L2Omi6mFNF9bQoTrfQ3WID8PDHMyzPlWYViUnq/iB1scox9fMRZLmnu8O3318YOMR9O4/ipDYkgrClX1T0qu4m8u2ETQ7OSh2G2OeYOpUby47MG0VTHSXNYV0ey3rJVa42Crs0ixRWHdBJxHk3JxJ8mlR4voOECPl6Ydge9cXfaP9S5m9CXslSPdRt5azXihhAJGHnCYaHNVutecbVVe7EoI4+zi+blr1KxTrAHX84a9Jz9jpDL6OJJorwEgSYqzJP+EG/Vx9EU0787JSr/axF5NQVcaR+rMZqlh+S+cwt6waaYf9k5trdSrsHh0N5uTOzUjHOIDloDTGqgzwbHIx2XYw0tmHsNq+qUTRCnHmxaLhURyrTbFd7ygj7VWiFNpbDhKJOP1PJ8zxrBSdKfzE2AElc=,iv:n1d++hy58nH4kZHEyXrELMCdQ3botkc3tHUA/Czm6iw=,tag:Fcd9qGgOwqQ5uZGbbObhLg==,type:str]
-cyberghost_key: ENC[AES256_GCM,data:qfPwy1DSooR6eo9O7j6h43wILh4PzxE2X0pdbzh3gw1D98rR8GWEj8sukK/L0TzfGYqYWDPy15OeymaGdm6p1WtevBOlkZtQcXmo7jg3+k0TFUnUctNDm2cOjuKck7CGDFtwbMsOHtCxwhwYouCmes9sQ6KSfolVkutVcvEfI1qhjOvJabsZt4O0P5wB4dQUMQfcPwXYKLuW3xlP2MvIn+Q6XZzfLOqoHnAwQhyxfGsOeMkPV2GXzMsqcCuDhfItU7d1GHzMCOLQsWspwNr1jJd0a56YhY+oPHs+yRSEvzFeL08ZyQjPr7YX/p5w84aJrY7THDlBcAK3d35EQOPvAEghrbmas/aKSxDXPL2W3GKKhok9ztpX6QDywkgwUbetXs+oVUF3sHK+UlyiW4RLPsKoQQPtHYBvgIwtT9ym21PJvgFy4dOJF+XW3CfpZcAOONB2L2mxrhB04CV0is3i+SnQE4tVIqGfQBVrDeuGB/+7Pjy2cW0zkEOAHrwGbdlqG0kgdHFOdbDp2fJl5zTRd9hBhYeXT9mbFtlJ+50KyGOAkJZf9a3O0BwgYRR0sdaEWfOLDMsz5L1DlvzidrChGBwFbHAyuFkjE/hkhddAH+1xiCfRCb+mGqs03rDhIpJbEMZLRZFsLWu+hlXKZ4AXamkuOvkk9KvrYL8KVjkVk1GIIeQqVFE1tiSCtlGeODYblA/5HPTCH1wPrLBNCRS6xkxEwHs/qZx6J0qN6j94lWDWa/Q83g7L3OKL8JTlsyr+D9100veMUVhvo8RiJy85Z7tTqXXEckEWKgnC53dZ1ruILNzupytUYa9rYjNcQ1KXy0dwYbMDQ4kvLCpJtO47pXo1i9V9bDFrYCLipCtyg+s2RUzYOnW4GXpn+de9MDEJ5oOp0pMZ25HG3fpnZDvaIyPyytpyj7apx3VDf62Eq5Rodd49uKuDjlbWDezaaU6MjRqhmpv8dbs7c/7pogZmaztxKTbs+EZ/6l66cek24GS7GjQj0e+N32vY1ACcQUCjg9smCGvhKs0H5kL1YOJkopN9ZWVV9p32p0IsbQHsRebSOHablHT8q6tyYfP6ctHH6BNfoUlfZjHtR52VEiY0OstmnjsJxE2hYPX+l4tpUGNGv18nQ4C2ez3baMWHNXzRTXo+g4zjVkW0Ggi0ecd7I5vR5vUNNA74Hv5Mrd+oAYkf/65XGlTJu5VIM0f7IvlSintmmM0pLB1rmCgnZenlhhbY+0862xS2j1YcZIapox8JT/W2IRUYKnJ7j7B3bc/57JWDzaBM/AukhZvERqdm12fhh9jNrNDjK25HmNwdh4Bsf7IyVqXh/nSsH5MtTCASonn/DG+6pGLwOCxKiQdNmlYD8yiZ2RkSfFs14glr0frUYcgCEOFb18IeF/e6srzKSocRVJqKAoCQhnu4qNMy7YDXpmucnzhWuwcFeKC6gaTKBPj6pxM8OSXM7uqe27So4flZIbNU8yvDp0Ub0LYco/EJGUEL9lwitMydSV0F3gjc8zvEbYMs7qlYg9dD1jxJd5vaPkx59DHCpEMOHn1CjVxazZNvexJLG7j4FBkM6PhF131/C7C4cly8ASLQd5E6nZb54GZdKqDp6MVgipeKJ1Z8A/onBC/Glal1bl6ASeAO2Mkfq7PBJ54CKXaxiQ+TFpCfy7DrOArQzaBJ9s/Gy14EoGfb/o0VuXhj4vwChig16x7vu5MnEFdItPjkfRa638KkILeS4OXm0ae+KKxBUchCwXdRyGK+wn7Kz9E9xOjcKMI/kiDnAB/mTkLC+IA5wRuXgtVyFk3BuvrJaYIHsJVZofP5lYz0JLmXXtPyytI3r/IwSL3B0jupo/KHUZx6MBwjBYG/fKJgTQvvbGDePNFHfk5y/At96P7QZIVO+QlmQg1em0pRpYbO30GVhcDko9LvNG5rLPB7a6SNB/pllOgBjbEKWoNPVwFVe17ILzA2Hl/egkW+wxiJM39bG7Ll1bMN5Q32yNZlUAzWBHDSd4DhM14ock9irRGtLqrhHH0QyMr1WlVoMRXTGT7aMLUBc4IEY7kXnx4Sw/RILqOFZsML6Kz5EEroTR/gzDpr1xYxcIRrRmaBS2YMc6wgfIRstsspMT2kUUT5n3MBJlur2CpyNEpqh5o0oRpACQyqdc9P35BVc5NYdAIg6zYKHtiTpl3I/Py+XDSDT/wC1OrKRJjuw0ES/wgDoygbPxieqdUGCqDkEjuM/UZqmIILAHBBvqniMVB5QLO53NO4lhrTbhmBWDXzw9dpJ77O6In8DmQ6cmuBsOAC1JqlGhFHpp1YMKtlQlOpwsORZSdwc/sfMkai/dXjhoh9Ptpk1fUKH+3AHzd+Ulb6Y7daInVgutnO/XFj832l8WwHzyZPLBTpbRbHeeSQevIHM/x/jLDZlUGVktrN04Dj4CJJstyeETIegzILTrXUhIq/W9cEd9vEdlSRRwTn5Z/E8zfET5fxLWSrMRTTQWOh1jIh7FI+P9d3x0K0fk0CR+vclyvVm506zAgF8KCBPjljDZYgeXyPMJ/icU9QhA72++IGo/XoT81fpB34Zt513PQk4WGmUGhAgiQP1EObnQ/YNaTcdUU8fhvq7YcyUlRA+vfaKMS1S18a8RKfYs0yWxCG4CuCb9pWhRK2ALjNeqYS70dFeeiAHI7UKjV+I5CbtLdIt0/oGDFKokH5xRVl6JkLq8iVPCaCyCOc0FCfBVyPBF3Qaisvh3GyIpCPbx0mp8fDRsiXLJShyqaqC6hpD88PnTDE2mvMyB/bH8Quzh5OrLp2CTDeOvWtg1GxYowiL0CC77ogUQhfM1ut8g+tvjgsmuiXU1uEzpHCsIXnSnUvwJW6tV37S0YUePoVAi6hVJTr60M2s4+0J2IxDnb9h2GVZqmusyQU74cKXJrEOC6r5apkhH2GG2jdVQGn2ETY/b/cbFtI38EtT4IbOa/OQDLf9F0UJPuYi5Ne0mII4asEmWdfco9P5oU4Ssr39WmTfmrBLvEQ0IhPSwKmtZlA1x85FSv5+wKauBYw3GTZa/tsp7E2MHhkyRWG1eMMziceCOrTD7NgRRLQIgN+ejm43i+OdMzi9vjzf1vg+barXOOd34yjY6zqpX9hEAJuxYgT2s8fGj59ljZsqp/qSICBIiImOyjxgKou1nh+AJY0Qs4fIGVTstf7aG540IiOGNTy41sVWdtKBeeahez9FB2lxMZ+A/83IRtmlnMcqXKhIgS7c3ajaRrgjesO/fbHnE557Ocz2A6SdoOn9rqVXD6VGvM2fkbj8no0ooCnvNtQ8JEMu6hyVipSqgRxcZlnW05NGOTtWxV3xRI3RK5tNguYgqqLIQvSARDDgm/HtJoJgom8lqSkLXswGjbxpJ1GP9lWpyov+muy9viwLQZQgEma7w2M0gIB84s3FOuYMIz7pKEDntUO7jRUl5+T8gJoJ9ex32InELTLWgksB8mb4ZuSCOmoISEEaBsPYtSG9wo5bWg5uz0/ToudFf+WRA9JT/MesSzVhehqFx1eMGAKHoRd02oMOtwIzQuc0Xp0DuYBTWOk/aHyRDxfluaFSIyAR/KBkO7fc9jKTu1JJifPCXZWInRXvPogmafCyYicC3gc2ITNumezK+oD8fjbWHW0gDIvk9qQjxhQJz99N0XYiRLTl1SssGMKADMzauPWSMDwn1VQ8t9Yc+NvT9i+9TB5YL7E3XhD3aqqwLbLOlIjvlaEhWeMjoaGlaVaz7u2n6g4zAGcVG5/uocZ2QI7byppVE/8rpjBAs1zQr3A/ajvcgCQ3+3g+sy+3w6C1KmYJj3kyF14FhTDLWekAyX1VlEQCB1BUeB7lc3CuPftTDSRKLU/vOygvIdzLMJdsQu/98qjOawsKwEVSXtSrrLXTcyhHRKvkRhUOOD6z1WRl0UTmSrqnzGraEV737vDQrMzMyq06r3mlV6xnho19F4aH2pHgI0uJcFB7efPz7nxOKtlhoc1BiAb88+sDksRJd7/+4+32hSkFQ/2MfC+wwlryo9NXtgSbUnMBYZqQIW0PfoArFTY6La9mrhPpAZ5HLmj3H6xRGhSyLJGBoW+jDltI6pic6G7oBODfUOmUei+CeQ2JKYGfjMcXmndU1qmR2Wj8ytS7yK/J2SxWRGAgmUiGI0gv5nnoe+aHa20yOL54k9XZLSMin5sghcXzTxtLcNz5sfBUIF3sQzhwYUGR9UfNYx3OkeL0HOXQlcICC6cUFan/zIc+8GXHhxLd6NabTiZiTXdYRuAoJeIt1qNUeK0xvLNm08fHiT3eGXbS7NVjtPTw/nYUx6Ca8LaM9eZBfgNowfn47LvoAuliQP2vLAjuatyjlcC/hFfu9Surfcb9LUM/ZsyMFM=,iv:EgSXZvyWmcBxBkAe6asJ2B12FKaLQPy4tRAtCvkys3M=,tag:B0lyX7IRNHX1CqlvBZaSpg==,type:str]
+cyberghost_cert: ENC[AES256_GCM,data:s9vDBZHY4Qq/i+er92w5q426t1xqoV/hXUNV/6JSEuT1yE7Welv2BIAmvRNriWESCgYO/IzHGARekwL8sflEumLBylkIsMV8ijk5VGkN+ppzOMPH33NYTxQa1r2H2cXLpePZTEpkIZ4cbaJe3LlIcpndFEgU3BF2pgAa8gF2whLwNNOYTy4BhK+ztMJKF8G7JCNOSiSQXPyvX7ybrjaf68u+q0mZYq6CHDhTjAmhpUvOkRw4ldZLhmG6Dut79MXkx5T/SoDtPVEwA0FC1wd6DuM3GiIvi9mtLJP09zY5sBvv9YW+YMcQLzCb7lg+EH7CddaLBjYrQPlkL+0T00lpYzXyrnJQuXxYRA5iPpmxpWQ+4SF+95Bfm9NUQ/i+UUkkjWxrJ8L4QlgJcwv7EQM+aR0kCyexjrbiv2JSI1OBtQP59ugCrOCPSb5BkbVTZu9mEg6PT1jCqp+3hPO709dNkugUni/xybdGY3syH51EjfIRanrBublCBEQnYJVBnF0U8lzTehNfcEvkiYV+x+RivE+OE3v3dEIPQ4LjuzWGUA+8KmK+MqQaP9buFth5eP/XtvbWIFxvvT4y6jhz1TlI2LGjLNUANr0Y5vVa9LdbEq3ao79iiNowPgPx02VNy68gUhcLcyjnCxFnDxtFp/03aHrsUYUP8rmqNRbtvfTSqP/CWLl1C9W7vpZPTUk7YrfUVH6DBtFjw2EyGnB+qAflbBDkLS4zWZNk1RYSssF/P1TUxys6lSlRU5CXw/2RxJN8c4mRTv1QP+rkoEGibFwlLr2aGCZqdU7aDBHBbMO8HZpMkeo9rne/VkbqNbiMjuUnizsdPxSSv/btJ7DLobD0ujehr/B+5MH6x5j4u8t3PICp6Wnu+DS6yDa0K5o5MGfymoc2KqZiWAeV5kvO3JeUqqBuQnO2ufuY2bpmpXjDa8HT6TZLxWAHbFMvV0F/g3lk/jdiY8xj/G5/x0O+LZYnGQm/JJnIV1/lAhK14leKs0kphOrZuTK8afSE/ybE+1B7B+YxLKA6ACnYf3WrJOOQT7Ghr+iinl1flcD3AaY0OkoVXaKwSRbup4pxJ6IvZweYPvLHE/oTh9kp56G4X6rc3OCqBPQB068exc+M3awrtAI3CBZy94c1u2Wu8Qv1ebUmMRtDO1o2N3g6Pa/6Yr5Aa/pbrOKZAA+WRr8Tad9Pr+PUszhPO9u9D1QVRJkY0LmDN/UG8gH8idaHBP+/SH16YDMYHYR1lYjGMAUY3437sAyJdRWtLiyyE7TAEwiEsjUH76hXgAAbovLHrwNqVfTu5ZmoaJbnWz1sn4U1gu0nfouNNypgXV+CbeQmpD59PHLGdBGcDbusVsM/sbfFiMJM1mK835t2mV/wHsKi9itXKiBaYNXk3qhFTovl0cr3PwygNy07w8N+RadwsneHJwxHWOpkV6bfE6fFPuzadkc925mu+kbr67ozEguSTcNfvttn3aVCbheYUHVPGjBhn295vV38EPmCkV2F4nDzWzabsxXIB/P+quDtkAIVBBj43GD7GtnhqKAEAXw8oJvvQhqd4yYFmHC0yQnhCv/cYoshO9StTdE+bo9TfAQ8c2HBJkloXNs98B5kb62d7eKjw8tJtD4dnsq3HPuQEOImhGlsL6arT8U9LtBBAqjkYy1YE7H2ySQihchqqdNLe57On4S1x0HuGfx3LybUkhY8oYcBU0sWmF/d0k6/wSnQfE72j87Oe+CG5kCI8jPKIczo1tx3uWhBlCw48tJ+CI7fCEpMwECOPxl1AjhE5wEQocdr3xVU2f2Ufh3O4QS+Vve1axHSuVwG7sPDrRydqaiwXNYO2RpYwsW0AYhuySDi/ezBFHrrl6tvGfixSWscn4uk7xECDb6IBW/9BZs27M9w/VdDD0HqS5jm8rlr80Gtlq1yziFezWElDJ8ZaMPmzSzuJ5uUK4/6uao/3bBJ71JLrTaJZsicZdTDDJxQc9mA1RQZBgYo/lYvFN7UrnS+RQHtOvCuwMGWv6IwkYJBfllbJIEZ54eZmruzjtt5xyhOtQbrp8lnhHm4ft6p7TjUigfPuuKerAQMDwsZnkl/KNdyqdZmN7FjsTiNwBf5wr7NEWHobaW8+pUD97j8unqifHC5HHee0ZdX7R3IP3qP3j1TmHeCoyHX2B38on7s4T0Yg/ZTT159UyC/bXJh4nAeNq4TgfDURZ+lxR1wv6BIszLkt7gpQa965rjlZguFxguMbDqjCDRX1DgoY8kgMoS7OcCjwrfwdrbpyARS6IBuCD8WJTXqhCHNcgSmvrK6fB60WE3BHdP69uIdrhAVXXW6uJwC4MwOXsGllq/Pzl9zPuGDLSDEjn/aqDWs+RPK5eCuczMBS0SMuz7X18cuJ7+c4XDXDiNaZkjFLiajfd/Y5ODXxkIKlMWohnl4eGeHhxbrJZJWp0SOmQ9pl59HwFqIK4sgwZPx1md/iGE8T5eqr0H+gdTYwBMuqvu8R38O/t10KotLYgF9MgD8aXhWuGNYHEiIfKSIIZaoOOmcS4SWmKrI+fk31o2YBPt97W9oCalEeikMFt+iCOeNm/tmvg3bORNo5GNPCCk+uPhXvVems8fe2xekUkrH5Z8+auxMQE4QyzR5KoiJgHRMK3Xa4XGo6X1NyJp2rNL0cQotJHQHmKThpAZ0q62evO0nhRJW658NefW91Pc/oBi/p/HOjVOrJWdCvid9pQeTc6GJqyuR3M/twccfZK8YawJ7i25KByX8jeQxdXl3qoYhySJI2SIi3y79qmnLeJ1u+PKIHRc8CkUSgWumFtrOFsTjznsIqPUs5kTRImTP964go5HBP87bRbfnBJ07MD4pqtV7SZc/5Sr6MmdMTwkGyTbG5/kg6Zook9pCrSww9YQodrWhTOtk5xZnFtxB0zucF1SpWOk5UjaqB/C3JjobEUrFCmeQRIQoeNwnDD47N/HTEhufngp9bspwswjuBH3fm9rK/o9PBLvz9PDKNGO6MbV/8pGL/SXOZhndRsMMeGdxkblhgWjClhm7BBqZOXvJHVxsRa67v2GdGXztAHm6ngDk/YlioDgh5+VQdIwm57Sn2GALKUspAeAaidQJWEPpSzSO0BXPgrxHbp3zIMRJ9NhM0Ynx7DIkv36L6Mgmky8Enh5H1mUUAA==,iv:YokQRmSP1F43BhS51wOry5iiQa3f78Rvs50STxeyphY=,tag:k+ZxxVSmurIr2PiJJIoFjQ==,type:str]
-openai_api_key: ENC[AES256_GCM,data:lH5Jf/xvtRRwuGYPM3g39J5DTQJowSKVqLtObgXRo+GOfpY/BKb46/R25rkWrOUv5pYK8PXmSm7obEkVBfoaYG0WufR6SzGH+R7hjrNgCzBA6g5pxmlE7CWPlPy6C6XqVgblL8aP2vD9qxJmIw8FYCLRgFHt5hK4d+Gd23BeBnkmPWIH23xyRFhCcb891CoiEEdXL5p1LNAOAW5ePmAyavc/Dlk=,iv:lWXy8/LlWeRVSect87/qsG2nOkmL5W7jpw/DVSnAbEs=,tag:n3pWUJ5uEMXtgt/kHG8J8w==,type:str]
+cyberghost_key: ENC[AES256_GCM,data:756vFyRjKUgh2mZYadTUaxGA5KwAe7NriRYGS59e5a0uWxPLe5VNeYV01V4z6nHgWVolsEmTDglsLwRZnMwkHhfBbRM4D3JU5py6t0ANznwclOdTy/5vpFML5uujSv3MsloqUXmpR0Bmt0QZRSfa0GNKzXI+q3HZoiQrlDW11oInBVH5wg3Pi5eemAb5f/+wJ7m1i6Je7AaHAwOwPDIumUQc8OzgxJB/R1CFEXg4UgQ7Kkd0fqiVyzxNm/G40+07LV8hqenA/qE6KgdGjR4hE3Jj5BCeSnYJsQ4dIjpDE0s5etxWAg/apZMQUvnvp626ZXhGhzbzOyOYVUaLML3hrCnIYYz6ipdpQCXEtK+Elx/fXz4R+fkmqTuASqRVenEwDwQBl8zGBeyURYP29DqFJtIhDrmLRJLlU6hI3v4PpZaInQbVy10LQmvMX2M1zeW7hL84z9UBW4Gr8i4SzDc6B2xypLCGdUdmThW9jDeQEEkNIbAF3W0LNDZFghxsDeTnIh7fiyrUPWvCJtY92kr+L2v/4bkuJbyC6Ag4dEVnpfdg58qJTW/z7EgqaG/gaB1tWPG8bwXNJeD7IJWLSrTDPG0XJkbQbFH5Ihar8kw+bIUa+0SH/IYVOGzcYkVsvmXEHp5x4akH0bekd3bA+MsRvQc858KAaUcaStQQLYYeWH8azQrGtWdfqlYhT8uqYQk35G2Uti38hTXeiUmm/KkEGUTmoDrdvYRF0C3E6pkxBwcZa0CTvF1oeXptUz8Uk+xrLC+svp8C9fLNb3eWJQ0fgwKiM5t37mJwDw4uH6qhA9ujshrZhATdkSHGT3ZfDYrgBnM1yEAtf591OzKzMsMXTKZmEx4HaVhpTFBk1gi7WF5lFm5NYYFcTN5btDt7CUZDvYZKGYyxWJukg797sR5SLdcjNTNFNdKFJHWfRgTfojOE5KIXZ5GN5TekAL1fE8890zGRsb2lVJF6Nr8aCuluMhZvghPu5Qn554mxaeAx8TVLjSikjgFDAMjca1bhv+5d2CemHx1K4zBrEPBtdttCl4wnJjwLBePIHj5qxzQXsXdSvCxeP7y3KwV3pweGcuNzXZrHgynIAx7NVw9abrtyftIEaUzQvBl9UFQYJDHEsYO5VHISlLtpbN+1TJpOGP3fJwtMfCHAtfvFxzg4O6B8esIl2VSYeA/bNbaYBL2RsA3XPmCwPf3VBfyI/At2DXbHUFIzcgmsKTs7q5fkZUQgCGHvf+eobiaWGRuFDrUulpeQfAE/KpCkkO/dBgUDfWaeoJE46KK9Yo901eIWycPwpTCNtuA+7esjnZpjmV/hyOaF2bi9XTbHKeM+mQRZ96LepyCr1cUhAblDP+F6tI+TdUyRv7iV7sPcikV7p9EOHS9nw6miPTDGNBUKCVXHnWH/SHkMnUMikDbu/FvzTJwnULucaEbHHpFt31xOqWM3T4KdyZiKIQnHUvNQEQCTQwr1u1uj6GPqW/xTKKjIKsd4Gxzws4GsEvr6hE23fy6eHwqab/RvGLBMZkUpvIAqwN1otkL1H3WbkiaYTeaIucuB/QxQu1xigmSrmfW0sv5qFmhRy1Ry+mIvjXs6IG3TYWb31kcLy5xmJRssdhgHSPCnPqHLzetNxMyZ7pd+X/4otlypzyLjuY8BZWp3wst2HXHzq9eqmeclecsCXlVvKOEmIW8Vdd31bJbGeczBgU433ZPmlAmcGO0okFzHsMnBBopHr5cU/18xitGwKGcC6rM0fpnGGQ8+4QUYjlUOl1kms0B7hqlrTOkv7gKEMazChuuB9Mpgw6xmD2cFS7ZW68QbtxUvsXGAOkRMIOpzKviV1aERabCIIccuFyNAdNwgsHopblkdvg5EIE2MH3tRTS2uaJsixrZ1xTDjLql7J2n0FqM1D1iTRK8moi8NFrFWt/ahiCZgj9sQ7HNFU1EdmA11G1F4AFkFHiOQHzHu2k5SiOmN2uY4TO5dlooJefud9aiuGGqk/uX2YiexrYi2XukLAFg9cToG48WOS8HJMKziyxBG5c+bn3uWrgFOC0bqJ7+be7rZGINdxMQXz9xJj3cPayRZFkhS6EP4kBLnJ6OhTR3xBeDNUC3F4QZIqnkEEAT0wHQ6TbgkZpkKgGP2Scs37zb1Q8/ubqniwdg9RdQbCvNOQiyDsX14yTXSAUpJUhF1GGPlTXVuO0gXO0tLxu/SBj0SdZciNyKRP8tDTZYB7/mU35t0v1ZgU47j6HKKrNXR10Ioewmf+ggrKTXzyKbgsBgZpYX8VZVb63rMsOFBQWIsaypiEGmNd9o5wF36/R5IBb8yfHmSdsTbQ9PbY9Bf6BHa2oc8oUW9QzQoUdpCLmnfmX0NIzykhyxFSnL+t1vR6cezPdqEqu3FfIqGJlCkhROKnNTXhQEz0j7BjHoDJjNIBk5kUohR5EsTB1CPUVriHdVtXbpfrLDDgbl/NNOCyEcu4cUHDt1BX2gtZSWd//EzrrYzNgD7jHUlM7VpfhiX1TWnexEGe6VMdGzxVNYyNOHaK7mpL0E5y0tBcJPym1MuYHM3nx7D2RmF6wd4P11qaVHp7qhQvYzcAikjQmk1QeHdxV2Bzva8ZM59N+DTuMQG+G76LH1XkYwHTl7S6ipZeKWaSzCKwkzCUvwHFUBGQqe8xT66ILoqhBO6ECooxbSg2DHP8lPO+yCmuFaVT2yS3j6BVGKiKKKhhKXJqmBAq3SJpKNCag+jBEyB0xjpNNi0NKTN6n1TNhYnsyGIMwK141/8T+D95lKt82smF6KgizrYB/HjQmc8gDJolf1+robTOFV0oqg0vNuLA8iVw1I5b1wkbGwkh5P9//Mxdpi4dVT5zXJwmAzgHNylsNU9IGD7AbQdc50PptILxbdQIRxcVK5+B14iysYMOsnOIOEysp+f24eGx806HTWUBtHjNZFo5iOKMmNgbwy0u3HGL2019bdmwc4gOtRMXLNMKSWHuNeHPbjd82xGoBkgFwnYQPdd12JKOrZTF4sgFfcSRkabd1L0cK+Qac+L0m9pGSCQiIP/uqZPOZtYS49zXiRdIj/TL29dMSm05tsPi+q8qAj9eqg6Tpodnpp4v9lY6RscY7Oj+qYvzxo9ZX0a0YhljE2G2hduip+Fmy5WWqYI8c4l08eecQgBgl7qr/BfCQdkWuM+XQEn+cUuOqGMiCPUnGGO3t/Cs5BjH2jvsIA7p7U+wI/1WkIEH0c3pEfNp32kvL9gIrK7uriERh29Qt+pYFX8m8lsMn8F5VOl4KKhvG3JSzsa/HvyE9PzCQ9Hui5vVqPIQnc66Fw+ra66KQ7GhiRYHfl2cqSR7PSacG1SDdUToFsBpY7LxFBkmJtV5Y6BzTKMKKGMwJ88QKv+2OQe+1vgMhKejUztbLCYUG5lhDmGVPadpQTfwjwImSh/3HAV8zWxI+nqlTCo23ojjGJcqrvK6+7IxMHL/xNYkYwmODg5+q4Fq00/qKomq4U0xUJyoThN3E+pgKoEyWJE0WeJod3EVHw6gl6/XaA/JaDCtzJ+DTG9RityVuEk8DP2u0I4zEg5KpFEOz1h485Gk5xcqAARR3oWs3KpG6mQ3j2zZEckFqpkXvZNFlzjV9tCVyOd8VDx6kypJnm70U1bSEjjBnHw8FREtusT4R1FCRKmuNMyYFHwz08tY8E9kQl3loUuXXxnLS7N8cpeibcRLAPGMIO6MBzYZb6ra3Ttkgqzk1bSY5Er/1rrKq+0HRSBYUkiCsbRKyYPOJ2mBTunu1ah8T5Pc34+x9IKhKPfl2wuaUDHEyY05JXkIs+9eacr+iCZIp2VObkM62KRPA7UZq+57mhJ8KzNu0mXTIMGD8qS1ozBk9JC4nP+AGFoYAVJ10cOfWXbt9lIiAB9oTVQ9IKiw3rehedOirLitmBYKaMIYfG01LDu+4mL6IdTa4SsVkxfSxuHFUylfHixbAQT/m3qZtb/qqX+GvIH+awhGvWG5Y63U9lZvvCl4405vRuxmnQ++fMpv0DHgGj8sQnzIJJ6u0qscxG7MkvKND4F0Pdk+aeiJQaE8Ak7BPdUStTXoqhE3znFbTw+CR1d79rzkAk0OPMbnN3KDd0ZuercIemCkpstE7apIaayUYPkgDgPp2nKEqlnKCp1tz8NRDvf6oU1V43LLE1atMkXmHsG7lzH6oLVdKvlGtl2Hf4kJaxVuJtqdFHiAhZF0roKW+S/W2yXjRgr3zQmEiowNT4VCljwm30OC8GpwsvsCX0RoSrTFKeVq8eOIs6mIMul66zLb4CRJtR9/XHaKMTqf6aMhnsVqhuIkriHdsOC0Bn6+pYVTwy9ck1DidN46VwZ+avybsxXjxZrxCpkwiirso1yjicLoMjiLe0J5gjElOw=,iv:LPskqYo7V7SMKD8HdEXDNwxyiLFLaLr5AdrU5x53R4Q=,tag:zhEYACY4xhl0ba+dBUBT1A==,type:str]
-mcp-brave-env: ENC[AES256_GCM,data:FND006AIjGjSkJqx12RVd8NnyDIhqdUBgZxucaAOFlnt7ZRYAHj4xQqgSJuFxg==,iv:Fn/663cGELKYQWg+Ok1uCtNCeIP7zZBJgxhhcsR/Q8M=,tag:v8K6JQ15CYwcLj7vSjyN6g==,type:str]
+openai_api_key: ENC[AES256_GCM,data:Z5AiYIRQoFSmjErwgJ7mxkxmp5BVOgVy72xwag+PJeRiQAddgNMeeqOh1ka0nP/HLPnbbWgSBgzdXxD+Kx4m6dX3W2AtzO0QE68XDyuM+PKts2pUSDYDmFSWZ7FFlQSQrpuHgnit1xjorpQqRjgVkHXgNObYGvs1wUZwhfUg4zPd9UdTU7daXcUdJ1c9t5G6FuJLMNF3gmqr6j7hMYXPcCGrx18=,iv:SMy/19Jw1CX9OYEQ3VABisZ61fYyVVbGzgeIwlqdtRs=,tag:oakwiviNCiu5jWIwuAQP6Q==,type:str]
-rustdesk-cloonar-key: ENC[AES256_GCM,data:nn1PKpOvhs3E1Lqtbx+W3oWon8+j74CrB4KuB+BqjfaHAaKdj+KMstYAv+0=,iv:UGjTZ9LauAALRMvJnqKkHYqGH6rjZMTZPQs0O7/aDd0=,tag:g6IZMCsE1dqZh3QYRuitzw==,type:str]
+mcp-brave-env: ENC[AES256_GCM,data:JAMYqb9rOYDLM8y8HABGQIvEGZUUKWt/iRJXwLZ/UftHd5iMPLDAHDcRva1MpQ==,iv:wFWJr74H6nX2nOaCUWHdeQkjBDYTEltxE84BTQfqy7I=,tag:cAj9Cjjo9WBVot2rklRWZQ==,type:str]
+rustdesk-cloonar-key: ENC[AES256_GCM,data:genBO0paccI1pcH8//X8q+88yBeBFfgEd8jKmglEHbvnf2f9DDxfWVrHlX8=,iv:FEHkJ2wPBAKZFhoRRBbLzjkv28DRDJ4npBkTGVEK6l4=,tag:hx9FPzlyDf96BuMhrEXLEQ==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYWRBbk1wckFYbkZxQllS
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeDBlZ00wSDkxaVc1K3Qr
-            T09LUEljM0VKbUw2cW5hLys1OUZZdFBBSXlnClRvc3YyRFpaQW9GOTVjR1dpdU1Q
+            aGt2YXlHdXJ5UXNhM3R4dnRQT2ZiNGdvcmtNCmxmdDZYQWt6NktVdGNwQjlUOEZG
-            TWVsYmwyZ3Nxb29HZVdTSXhmV3F2MWMKLS0tIGNZM0cyWmRiMUNFUkhVUkJhUjRR
+            My9mUHFBT3lWOFc0N0JNcWh2dm00a0kKLS0tIFhud215VVA1SWVFdVZDZHZjY3ZK
-            SHpCTVR6VW9pdzFTMDBtWkxxY2VIWmMKrReAwG9+6W/R1AoUr8JFw2QQ9WZ+e+Pn
+            ektUZVQ0aTVKRUFnQWUyUUtzYUs5QkUKkLJ2e2+a3VYcVepB2QIrD4Dsv/Vw0WiV
-            wuTlcKayDrNHuM1ldW6BEYQAV+8Z4Nhbj1ygo+2tqOsXm2YL6uzlBA==
+            ZXqudx8UqY4xbsYaWehEVrIBIaQ/cLqVP+0YKaS6CFvIWHhP+lu/2Q==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCYk9zVTZUUUl3YWJobFNu
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4R1I0RjBxUWdrelAwY1Nt
-            bndaSGJyTWdoOWxUZHZYVDNMTjdkQVdyaFY4ClFEUjZuaTJRdVdlcEU5UFIzbmlC
+            Qjk2UXRqVS91MHhDY0xFaVR4THFLVXM2MGhJCmNaeHhwQ0I4bGNsMi9ySi9YMkg1
-            OE44MFhLOGh4ZkJmeFl1QlNCM05kYVkKLS0tIFNCWnJhMFJ3MG1hKzZVRXlpODl5
+            NWVrb0pKN0FaZ3QxUkJSSDd0VWQ4M2MKLS0tIHIwYnEvYVhONDhGazZ2ekJ3TnVx
-            R1dpWnZKNHR4RERSdm5OclI1SncvYkUKBDZKeh6xlTn3tRnZOCD6oe2uFP1NeQe9
+            WE44dU43QmxPTncycHVGNHNlTG83MU0KQPJWz3YF8RXwxp8SUFRuo39NN/2tSzw2
-            b7JuigPRPnhah0rWZ6jPjnk38Jp6z/I1Oqh5UJ94H4KNi/h3HKqMSw==
+            bMuv5JWSI8i3TNiWmOELF/Lt34Z4p5yZZ7OA8mfx1bbTsZOJ35I0LA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTkdSM3hoTWdlcE9McDFt
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcUFXVi8yOTBWWVhLbjZ4
-            engvOU5hZUtKaVZjUEFnT0huNWpMWnBjUFZnClZxZ1JrMThrT2kyejFkUnlUVUhU
+            VU9YazRzWW8zTmNzalArcVNtQXpLdVJ0U2kwCnY0ci9nSE5qZTZpSk93MlNpR2pp
-            bVhTNUovM0ZRZVRRemRsNml2RXcrNk0KLS0tIDZWYWJUTHlXWUFMcE82YlZBby9E
+            WGVENTdWbHUrdTN0K1ZHaTZEUkdpemcKLS0tIFhseFdlL3BpZHFQbE0rNlo3c1dO
-            clM4RXI2V1pIRVZNeWdaM24xZlFJSjQKY1+Nw3X0FynI6BhhLE5caUpDENqa6S6d
+            SmtzUnk3V0pCakpXcmhvZWVTWURKK3MKuB/3RDvEZh1o7WHmJHFh5njBdjICO34G
-            HMRhiL7SIZQrmkdIeCSikjRCkvqBFIgn7sff3S+7neYxgGkFp1nzGg==
+            o8KdfkLcAwTnSbOy0mEVLhQjLayhRq/ifMWwJfN4/MUZo1cSBwO+iQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-05T16:28:03Z"
+    lastmodified: "2025-12-07T23:35:10Z"
-    mac: ENC[AES256_GCM,data:NNYwveO78Q4cWOPPt3Pyqh6AtbfRj/ax6D4t2KlVXWSLzKTUZKKaULXGY5PBp/jI2pyhPp5yEMhEyjRPWC8Xhvxjv+NLb6KltgaMfzIBS/jfSNk3dcYx6i8Y2oSG1efLJrRMc2Q/uACeztyivtjV9A7JCrEtb84Wb9HzkI4nZVs=,iv:Q8cTw+/RMJ3WHrkB9lyaAyI2K3O1ZhDnAMUYMJ4JMRk=,tag:JvrLiaKKYXiOmud4oZZZ1w==,type:str]
+    mac: ENC[AES256_GCM,data:5tRkzTUeiKf3WQBFJZBBCa3vnPGVLspbCF/bf+rQEGuQ0ehA5uZXLlc3nBlC3fBqQh3JQUyVw1xcqYJc8Ziu1a5pcG28Mdls6IWr8JOzh+h2fAgqWbn9UGqEU9fNJE0aSzHSptpKA5fqgJYqmb3voz8tFn3jMNrPsGenHFn20C0=,iv:s6lOchFabWnyW2gkoYaXBhOkJyhhXyh2ZbnFTwj83bs=,tag:HosULSsgllcEzoBifQLYSA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

hosts/nb/users/default.nix

@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 let
-  home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-24.11.tar.gz";
+  home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz";
 
     
 in

hosts/nb/users/dominik.nix

@@ -7,6 +7,8 @@ let
     config = { allowUnfree = true; };
   };
 
+  clicknload-proxy = pkgs.callPackage ../utils/pkgs/clicknload-proxy {};
+
   thunderbirdSettings = {
     "extensions.activeThemeID" = "thunderbird-compact-dark@mozilla.org";
     "browser.theme.content-theme" = 0;
@@ -135,11 +137,11 @@ let
             { name = "q"; value = "{searchTerms}"; }
           ];
         }];
-        iconUpdateURL = "https://perplexity.ai/favicon.ico";
+        icon = "https://perplexity.ai/favicon.ico";
         definedAliases = [ "@perplexity" ];
       };
-      "Google".metaData.hidden = true;
+      "google".metaData.hidden = true;
-      "Bing".metaData.hidden = true;
+      "bing".metaData.hidden = true;
     };
   };
 
@@ -160,6 +162,9 @@ in
   sops.secrets.openai_api_key = {
     owner = "dominik";
   };
+  sops.secrets.clicknload-proxy-config = {
+    owner = "dominik";
+  };
   programs.fuse.userAllowOther = true;
 
   programs.zsh = {
@@ -172,7 +177,7 @@ in
   home-manager.users.dominik = { lib, pkgs, ... }: {
     # imports = [ "${impermanence}/home-manager.nix" ];
     /* The home.stateVersion option does not have a default and must be set */
-    home.stateVersion = "24.05";
+    home.stateVersion = "25.05";
     home.enableNixpkgsReleaseCheck = false;
     home.sessionVariables = {
       MOZ_ENABLE_WAYLAND = "1";
@@ -228,9 +233,9 @@ in
           Restart = "always";
         };
       };
-      pyload-tunnel = {
+      clicknload-proxy = {
         Unit = {
-          Description = "SSH tunnel for pyLoad Click'n'Load";
+          Description = "Click'n'Load proxy for pyLoad";
           After = [ "graphical-session-pre.target" ];
           PartOf = [ "graphical-session.target" ];
         };
@@ -238,7 +243,7 @@ in
           WantedBy = [ "graphical-session.target" ];
         };
         Service = {
-          ExecStart = "${pkgs.openssh}/bin/ssh -N -L 9666:10.42.97.11:9666 -o ServerAliveInterval=60 -o ServerAliveCountMax=3 root@fw.cloonar.com";
+          ExecStart = "${clicknload-proxy}/bin/clicknload-proxy --config ${config.sops.secrets.clicknload-proxy-config.path}";
           Restart = "always";
           RestartSec = "10s";
         };
@@ -301,26 +306,23 @@ in
     programs.git = {
       enable = true;
       lfs.enable = true;
-      package = pkgs.gitAndTools.gitFull;
+      package = pkgs.gitFull;
-      userName  = "Dominik Polakovics";
-      userEmail = "dominik.polakovics@cloonar.com";
       # signing = {
       #   key = "dominik.polakovics@cloonar.com";
       #   signByDefault = false;
       # };
-      iniContent = {
+      settings = {
+        user.name = "Dominik Polakovics";
+        user.email = "dominik.polakovics@cloonar.com";
         # Branch with most recent change comes first
         branch.sort = "-committerdate";
         # Remember and auto-resolve merge conflicts
         # https://git-scm.com/book/en/v2/Git-Tools-Rerere
         rerere.enabled = true;
-      };
+        "url \"gitea@git.cloonar.com:\"" = {
-      extraConfig = {
-        "url.gitea@git.cloonar.com:" = {
           insteadOf = "https://git.cloonar.com/";
         };
       };
-
     };
 
     programs.thunderbird = {
@@ -525,7 +527,7 @@ in
           settings = firefoxSettings;
           # userChrome = firefoxUserChrome;
           search = firefoxSearchSettings;
-          extensions = firefoxExtensions;
+          extensions.packages = firefoxExtensions;
         };
         social = {
           id = 1;
@@ -560,7 +562,7 @@ in
               id = 3;
             };
           };
-          extensions = firefoxExtensions;
+          extensions.packages = firefoxExtensions;
         };
       };
     };

hosts/web-arm/channel

@@ -1 +1 @@
-https://channels.nixos.org/nixos-25.05
+https://channels.nixos.org/nixos-25.11

hosts/web-arm/configuration.nix

@@ -63,7 +63,7 @@
 
   time.timeZone = "Europe/Vienna";
 
-  services.logind.extraConfig = "RuntimeDirectorySize=2G";
+  services.logind.settings.Login.RuntimeDirectorySize = "2G";
 
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.defaultSopsFile = ./secrets.yaml;

hosts/web-arm/modules/grafana/alerting/service/dovecot_down.nix

@@ -15,7 +15,7 @@
           datasourceUid = "vm-datasource-uid";
           model = {
             editorMode = "code";
-            expr = "node_systemd_unit_state{state=\"active\", name=\"dovecot2.service\"} OR on() vector(0)";
+            expr = "node_systemd_unit_state{state=\"active\", name=\"dovecot.service\"} OR on() vector(0)";
             hide = false;
             intervalMs = 1000;
             legendFormat = "__auto";

hosts/web-arm/modules/grafana/alerting/storage/default.nix

@@ -0,0 +1,17 @@
+{ lib, pkgs, config, ... }:
+let
+  smartAlertRules = (import ./smart_alerts.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
+  raidAlertRules = (import ./raid_alerts.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
+
+  allStorageRules = smartAlertRules ++ raidAlertRules;
+in
+{
+  services.grafana.provision.alerting.rules.settings.groups = [
+    {
+      name = "Storage Alerts";
+      folder = "Storage Alerts";
+      interval = "5m";  # Check every 5 minutes (metrics collected every 20 min)
+      rules = allStorageRules;
+    }
+  ];
+}

hosts/web-arm/modules/grafana/alerting/storage/raid_alerts.nix

@@ -0,0 +1,102 @@
+{ lib, pkgs, config, ... }:
+{
+  grafanaAlertRuleDefinitions = [
+    # RAID array degraded - critical
+    {
+      uid = "raid-array-degraded-uid";
+      title = "RaidArrayDegraded";
+      condition = "D";
+      data = [
+        {
+          refId = "A";
+          datasourceUid = "vm-datasource-uid";
+          relativeTimeRange = { from = 300; to = 0; };
+          model = {
+            expr = ''mdadm_array_state == 0'';
+            instant = false;
+          };
+        }
+        {
+          refId = "C";
+          datasourceUid = "__expr__";
+          model = {
+            type = "reduce";
+            expression = "A";
+            reducer = "last";
+          };
+        }
+        {
+          refId = "D";
+          datasourceUid = "__expr__";
+          model = {
+            type = "math";
+            expression = "$C == 0";
+          };
+        }
+      ];
+      for = "0s";
+      noDataState = "NoData";
+      execErrState = "Error";
+      annotations = {
+        summary = "RAID array {{ $labels.array }} is degraded";
+        description = ''
+          RAID array {{ $labels.array }} on {{ $labels.instance }} is in state "{{ $labels.state }}".
+          The array is not in a healthy state. Check for failed disks immediately!
+        '';
+      };
+      labels = {
+        severity = "critical";
+        category = "storage";
+      };
+    }
+
+    # RAID missing devices - critical
+    {
+      uid = "raid-missing-devices-uid";
+      title = "RaidMissingDevices";
+      condition = "D";
+      data = [
+        {
+          refId = "A";
+          datasourceUid = "vm-datasource-uid";
+          relativeTimeRange = { from = 300; to = 0; };
+          model = {
+            expr = ''mdadm_array_devices_active < mdadm_array_devices_total'';
+            instant = false;
+          };
+        }
+        {
+          refId = "C";
+          datasourceUid = "__expr__";
+          model = {
+            type = "reduce";
+            expression = "A";
+            reducer = "last";
+          };
+        }
+        {
+          refId = "D";
+          datasourceUid = "__expr__";
+          model = {
+            type = "math";
+            expression = "$C > 0";
+          };
+        }
+      ];
+      for = "0s";
+      noDataState = "NoData";
+      execErrState = "Error";
+      annotations = {
+        summary = "RAID array {{ $labels.array }} has missing devices";
+        description = ''
+          RAID array {{ $labels.array }} on {{ $labels.instance }} has fewer active devices than expected.
+          A disk may have failed or been removed. Check array status immediately!
+        '';
+      };
+      labels = {
+        severity = "critical";
+        category = "storage";
+      };
+    }
+  ];
+}

hosts/web-arm/modules/grafana/alerting/storage/smart_alerts.nix

@@ -0,0 +1,298 @@
+{ lib, pkgs, config, ... }:
+{
+  grafanaAlertRuleDefinitions = [
+    # S.M.A.R.T. overall health failed - critical
+    {
+      uid = "smart-health-failed-uid";
+      title = "DiskSmartHealthFailed";
+      condition = "D";
+      data = [
+        {
+          refId = "A";
+          datasourceUid = "vm-datasource-uid";
+          relativeTimeRange = { from = 300; to = 0; };
+          model = {
+            expr = ''smart_health_passed == 0'';
+            instant = false;
+          };
+        }
+        {
+          refId = "C";
+          datasourceUid = "__expr__";
+          model = {
+            type = "reduce";
+            expression = "A";
+            reducer = "last";
+          };
+        }
+        {
+          refId = "D";
+          datasourceUid = "__expr__";
+          model = {
+            type = "math";
+            expression = "$C == 0";
+          };
+        }
+      ];
+      for = "0s";
+      noDataState = "NoData";
+      execErrState = "Error";
+      annotations = {
+        summary = "S.M.A.R.T. health check FAILED on {{ $labels.device }}";
+        description = ''
+          Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has failed its S.M.A.R.T. health check.
+          This indicates imminent disk failure. Replace the disk immediately!
+        '';
+      };
+      labels = {
+        severity = "critical";
+        category = "storage";
+      };
+    }
+
+    # Reallocated sectors - warning (any count > 0 is concerning)
+    {
+      uid = "smart-reallocated-sectors-uid";
+      title = "DiskReallocatedSectors";
+      condition = "D";
+      data = [
+        {
+          refId = "A";
+          datasourceUid = "vm-datasource-uid";
+          relativeTimeRange = { from = 300; to = 0; };
+          model = {
+            expr = ''smart_reallocated_sector_ct > 0'';
+            instant = false;
+          };
+        }
+        {
+          refId = "C";
+          datasourceUid = "__expr__";
+          model = {
+            type = "reduce";
+            expression = "A";
+            reducer = "last";
+          };
+        }
+        {
+          refId = "D";
+          datasourceUid = "__expr__";
+          model = {
+            type = "math";
+            expression = "$C > 0";
+          };
+        }
+      ];
+      for = "0s";
+      noDataState = "NoData";
+      execErrState = "Error";
+      annotations = {
+        summary = "Reallocated sectors detected on {{ $labels.device }}";
+        description = ''
+          Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has reallocated sectors.
+          This indicates disk surface damage. Monitor closely and plan replacement.
+        '';
+      };
+      labels = {
+        severity = "warning";
+        category = "storage";
+      };
+    }
+
+    # Current pending sectors
+    {
+      uid = "smart-pending-sectors-uid";
+      title = "DiskPendingSectors";
+      condition = "D";
+      data = [
+        {
+          refId = "A";
+          datasourceUid = "vm-datasource-uid";
+          relativeTimeRange = { from = 300; to = 0; };
+          model = {
+            expr = ''smart_current_pending_sector > 0'';
+            instant = false;
+          };
+        }
+        {
+          refId = "C";
+          datasourceUid = "__expr__";
+          model = {
+            type = "reduce";
+            expression = "A";
+            reducer = "last";
+          };
+        }
+        {
+          refId = "D";
+          datasourceUid = "__expr__";
+          model = {
+            type = "math";
+            expression = "$C > 0";
+          };
+        }
+      ];
+      for = "0s";
+      noDataState = "NoData";
+      execErrState = "Error";
+      annotations = {
+        summary = "Pending sectors detected on {{ $labels.device }}";
+        description = ''
+          Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has pending sectors.
+          These sectors could not be read and may be reallocated. Monitor for increase.
+        '';
+      };
+      labels = {
+        severity = "warning";
+        category = "storage";
+      };
+    }
+
+    # Offline uncorrectable errors
+    {
+      uid = "smart-offline-uncorrectable-uid";
+      title = "DiskOfflineUncorrectable";
+      condition = "D";
+      data = [
+        {
+          refId = "A";
+          datasourceUid = "vm-datasource-uid";
+          relativeTimeRange = { from = 300; to = 0; };
+          model = {
+            expr = ''smart_offline_uncorrectable > 0'';
+            instant = false;
+          };
+        }
+        {
+          refId = "C";
+          datasourceUid = "__expr__";
+          model = {
+            type = "reduce";
+            expression = "A";
+            reducer = "last";
+          };
+        }
+        {
+          refId = "D";
+          datasourceUid = "__expr__";
+          model = {
+            type = "math";
+            expression = "$C > 0";
+          };
+        }
+      ];
+      for = "0s";
+      noDataState = "NoData";
+      execErrState = "Error";
+      annotations = {
+        summary = "Offline uncorrectable errors on {{ $labels.device }}";
+        description = ''
+          Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has offline uncorrectable errors.
+          This indicates data integrity issues. Consider replacement.
+        '';
+      };
+      labels = {
+        severity = "warning";
+        category = "storage";
+      };
+    }
+
+    # High temperature (Seagate enterprise: warning at 50C)
+    {
+      uid = "smart-high-temperature-uid";
+      title = "DiskHighTemperature";
+      condition = "D";
+      data = [
+        {
+          refId = "A";
+          datasourceUid = "vm-datasource-uid";
+          relativeTimeRange = { from = 600; to = 0; };
+          model = {
+            expr = ''smart_temperature_celsius > 50'';
+            instant = false;
+          };
+        }
+        {
+          refId = "C";
+          datasourceUid = "__expr__";
+          model = {
+            type = "reduce";
+            expression = "A";
+            reducer = "last";
+          };
+        }
+        {
+          refId = "D";
+          datasourceUid = "__expr__";
+          model = {
+            type = "math";
+            expression = "$C > 0";
+          };
+        }
+      ];
+      for = "10m";
+      noDataState = "NoData";
+      execErrState = "Error";
+      annotations = {
+        summary = "High temperature on {{ $labels.device }}";
+        description = ''
+          Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} temperature exceeds 50°C.
+          Check cooling and ventilation.
+        '';
+      };
+      labels = {
+        severity = "warning";
+        category = "storage";
+      };
+    }
+
+    # UDMA CRC errors (cable/connection issues)
+    {
+      uid = "smart-udma-crc-errors-uid";
+      title = "DiskUDMACRCErrors";
+      condition = "D";
+      data = [
+        {
+          refId = "A";
+          datasourceUid = "vm-datasource-uid";
+          relativeTimeRange = { from = 86400; to = 0; };
+          model = {
+            expr = ''increase(smart_udma_crc_error_count[24h]) > 0'';
+            instant = false;
+          };
+        }
+        {
+          refId = "C";
+          datasourceUid = "__expr__";
+          model = {
+            type = "reduce";
+            expression = "A";
+            reducer = "last";
+          };
+        }
+        {
+          refId = "D";
+          datasourceUid = "__expr__";
+          model = {
+            type = "math";
+            expression = "$C > 0";
+          };
+        }
+      ];
+      for = "0s";
+      noDataState = "NoData";
+      execErrState = "Error";
+      annotations = {
+        summary = "UDMA CRC errors on {{ $labels.device }}";
+        description = ''
+          Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has new CRC errors.
+          This typically indicates SATA cable or connection issues. Check cables.
+        '';
+      };
+      labels = {
+        severity = "warning";
+        category = "storage";
+      };
+    }
+  ];
+}

hosts/web-arm/modules/grafana/dashboards/default.nix

@@ -0,0 +1,17 @@
+{ lib, pkgs, ... }:
+let
+  smartDashboard = import ./smart-dashboard.nix { inherit lib pkgs; };
+  dashboardDir = pkgs.linkFarm "grafana-dashboards" [
+    { name = "smart.json"; path = smartDashboard; }
+  ];
+in
+{
+  services.grafana.provision.dashboards.settings = {
+    apiVersion = 1;
+    providers = [{
+      name = "nix-dashboards";
+      type = "file";
+      options.path = dashboardDir;
+    }];
+  };
+}

hosts/web-arm/modules/grafana/dashboards/smart-dashboard.nix

@@ -0,0 +1,463 @@
+{ lib, pkgs }:
+let
+  datasourceUid = "vm-datasource-uid";
+
+  # Helper to create a panel with common defaults
+  mkPanel = { id, title, type, gridPos, targets, options ? { }, fieldConfig ? { }, ... }@args:
+    {
+      inherit id title type gridPos targets;
+      datasource = { uid = datasourceUid; type = "prometheus"; };
+      options = options;
+      fieldConfig = {
+        defaults = fieldConfig.defaults or { };
+        overrides = fieldConfig.overrides or [ ];
+      };
+    } // (builtins.removeAttrs args [ "id" "title" "type" "gridPos" "targets" "options" "fieldConfig" ]);
+
+  # Dashboard definition
+  dashboard = {
+    uid = "smart-disk-health";
+    title = "S.M.A.R.T Disk Health";
+    description = "S.M.A.R.T metrics and RAID array status";
+    tags = [ "disk" "smart" "storage" "nas" ];
+    timezone = "browser";
+    editable = false;
+    refresh = "5m";
+    schemaVersion = 39;
+    version = 1;
+
+    # Variables
+    templating.list = [
+      {
+        name = "host";
+        label = "Host";
+        type = "query";
+        datasource = { uid = datasourceUid; type = "prometheus"; };
+        query = "label_values(smart_health_passed, instance)";
+        regex = "";
+        sort = 1;
+        refresh = 1;
+        includeAll = true;
+        multi = false;
+        current = { selected = true; text = "All"; value = "$__all"; };
+      }
+    ];
+
+    # Panels
+    panels = [
+      # === OVERVIEW ROW ===
+      {
+        id = 1;
+        type = "row";
+        title = "Overview";
+        collapsed = false;
+        gridPos = { x = 0; y = 0; w = 24; h = 1; };
+        panels = [ ];
+      }
+
+      # Alert Status - Shows firing disk alerts
+      {
+        id = 5;
+        title = "Alert Status";
+        type = "alertlist";
+        gridPos = { x = 0; y = 1; w = 6; h = 5; };
+        options = {
+          alertInstanceLabelFilter = "";
+          alertName = "Disk";
+          dashboardAlerts = false;
+          groupBy = [ ];
+          groupMode = "default";
+          maxItems = 20;
+          sortOrder = 1;
+          stateFilter = {
+            "error" = true;
+            firing = true;
+            noData = false;
+            normal = false;
+            pending = false;
+          };
+          viewMode = "list";
+        };
+      }
+
+      # Health Status - Stat panel
+      (mkPanel {
+        id = 2;
+        title = "Disk Health Status";
+        type = "stat";
+        gridPos = { x = 6; y = 1; w = 6; h = 5; };
+        targets = [{
+          expr = ''smart_health_passed{instance=~"$host"}'';
+          legendFormat = "{{device}}";
+          refId = "A";
+        }];
+        options = {
+          reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
+          orientation = "horizontal";
+          textMode = "auto";
+          colorMode = "background";
+          graphMode = "none";
+        };
+        fieldConfig = {
+          defaults = {
+            mappings = [
+              { type = "value"; options."1" = { text = "PASSED"; color = "green"; index = 0; }; }
+              { type = "value"; options."0" = { text = "FAILED"; color = "red"; index = 1; }; }
+            ];
+            thresholds = {
+              mode = "absolute";
+              steps = [
+                { color = "red"; value = null; }
+                { color = "green"; value = 1; }
+              ];
+            };
+          };
+        };
+      })
+
+      # Temperature Gauge
+      (mkPanel {
+        id = 3;
+        title = "Disk Temperatures";
+        type = "gauge";
+        gridPos = { x = 12; y = 1; w = 6; h = 8; };
+        targets = [{
+          expr = ''smart_temperature_celsius{instance=~"$host"}'';
+          legendFormat = "{{device}}";
+          refId = "A";
+        }];
+        options = {
+          reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
+          orientation = "auto";
+          showThresholdLabels = false;
+          showThresholdMarkers = true;
+        };
+        fieldConfig = {
+          defaults = {
+            unit = "celsius";
+            min = 0;
+            max = 70;
+            thresholds = {
+              mode = "absolute";
+              steps = [
+                { color = "green"; value = null; }
+                { color = "yellow"; value = 45; }
+                { color = "red"; value = 55; }
+              ];
+            };
+          };
+        };
+      })
+
+      # RAID Status - Stat panel
+      (mkPanel {
+        id = 4;
+        title = "RAID Array Status";
+        type = "stat";
+        gridPos = { x = 18; y = 1; w = 6; h = 8; };
+        targets = [{
+          expr = ''mdadm_array_state{instance=~"$host"}'';
+          legendFormat = "{{array}}";
+          refId = "A";
+        }];
+        options = {
+          reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
+          orientation = "horizontal";
+          textMode = "auto";
+          colorMode = "background";
+          graphMode = "none";
+        };
+        fieldConfig = {
+          defaults = {
+            mappings = [
+              { type = "value"; options."1" = { text = "Healthy"; color = "green"; index = 0; }; }
+              { type = "value"; options."0" = { text = "Degraded"; color = "red"; index = 1; }; }
+            ];
+            thresholds = {
+              mode = "absolute";
+              steps = [
+                { color = "red"; value = null; }
+                { color = "green"; value = 1; }
+              ];
+            };
+          };
+        };
+      })
+
+      # Sector Health Table - Promoted to overview for visibility
+      (mkPanel {
+        id = 13;
+        title = "Sector Health";
+        type = "table";
+        gridPos = { x = 0; y = 6; w = 12; h = 4; };
+        targets = [
+          {
+            expr = ''smart_reallocated_sector_ct{instance=~"$host"}'';
+            legendFormat = "{{device}}";
+            refId = "A";
+            format = "table";
+            instant = true;
+          }
+          {
+            expr = ''smart_current_pending_sector{instance=~"$host"}'';
+            legendFormat = "{{device}}";
+            refId = "B";
+            format = "table";
+            instant = true;
+          }
+          {
+            expr = ''smart_offline_uncorrectable{instance=~"$host"}'';
+            legendFormat = "{{device}}";
+            refId = "C";
+            format = "table";
+            instant = true;
+          }
+        ];
+        options = {
+          showHeader = true;
+          cellHeight = "sm";
+        };
+        transformations = [
+          { id = "merge"; options = { }; }
+          {
+            id = "organize";
+            options = {
+              excludeByName = { Time = true; __name__ = true; instance = true; job = true; serial = true; };
+              renameByName = {
+                device = "Device";
+                "Value #A" = "Reallocated Sectors";
+                "Value #B" = "Pending Sectors";
+                "Value #C" = "Offline Uncorrectable";
+              };
+            };
+          }
+        ];
+        fieldConfig = {
+          defaults = {
+            thresholds = {
+              mode = "absolute";
+              steps = [
+                { color = "green"; value = null; }
+                { color = "yellow"; value = 1; }
+                { color = "red"; value = 10; }
+              ];
+            };
+            custom = { displayMode = "color-background-solid"; };
+          };
+        };
+      })
+
+      # === DETAILED METRICS ROW ===
+      {
+        id = 10;
+        type = "row";
+        title = "Detailed Metrics";
+        collapsed = false;
+        gridPos = { x = 0; y = 10; w = 24; h = 1; };
+        panels = [ ];
+      }
+
+      # Temperature Time Series
+      (mkPanel {
+        id = 11;
+        title = "Temperature Over Time";
+        type = "timeseries";
+        gridPos = { x = 0; y = 11; w = 12; h = 8; };
+        targets = [{
+          expr = ''smart_temperature_celsius{instance=~"$host"}'';
+          legendFormat = "{{device}}";
+          refId = "A";
+        }];
+        options = {
+          legend = { displayMode = "list"; placement = "bottom"; showLegend = true; };
+          tooltip = { mode = "multi"; sort = "desc"; };
+        };
+        fieldConfig = {
+          defaults = {
+            unit = "celsius";
+            custom = {
+              drawStyle = "line";
+              lineInterpolation = "smooth";
+              fillOpacity = 10;
+              pointSize = 5;
+              showPoints = "auto";
+            };
+            thresholds = {
+              mode = "absolute";
+              steps = [
+                { color = "green"; value = null; }
+                { color = "yellow"; value = 45; }
+                { color = "red"; value = 55; }
+              ];
+            };
+          };
+        };
+      })
+
+      # Power On Hours
+      (mkPanel {
+        id = 12;
+        title = "Power On Hours";
+        type = "stat";
+        gridPos = { x = 12; y = 11; w = 12; h = 8; };
+        targets = [{
+          expr = ''smart_power_on_hours{instance=~"$host"}'';
+          legendFormat = "{{device}}";
+          refId = "A";
+        }];
+        options = {
+          reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
+          orientation = "horizontal";
+          textMode = "value_and_name";
+          colorMode = "none";
+          graphMode = "none";
+        };
+        fieldConfig = {
+          defaults = {
+            unit = "h";
+          };
+        };
+      })
+
+      # === RAID DETAILS ROW ===
+      {
+        id = 20;
+        type = "row";
+        title = "RAID Details";
+        collapsed = false;
+        gridPos = { x = 0; y = 19; w = 24; h = 1; };
+        panels = [ ];
+      }
+
+      # RAID Devices
+      (mkPanel {
+        id = 21;
+        title = "RAID Array Devices";
+        type = "stat";
+        gridPos = { x = 0; y = 20; w = 12; h = 4; };
+        targets = [
+          {
+            expr = ''mdadm_array_devices_active{instance=~"$host"}'';
+            legendFormat = "{{array}} Active";
+            refId = "A";
+          }
+          {
+            expr = ''mdadm_array_devices_total{instance=~"$host"}'';
+            legendFormat = "{{array}} Total";
+            refId = "B";
+          }
+        ];
+        options = {
+          reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
+          orientation = "horizontal";
+          textMode = "value_and_name";
+          colorMode = "value";
+          graphMode = "none";
+        };
+        fieldConfig = {
+          defaults = {
+            unit = "short";
+          };
+        };
+      })
+
+      # UDMA CRC Errors
+      (mkPanel {
+        id = 22;
+        title = "UDMA CRC Errors";
+        type = "timeseries";
+        gridPos = { x = 12; y = 20; w = 12; h = 4; };
+        targets = [{
+          expr = ''smart_udma_crc_error_count{instance=~"$host"}'';
+          legendFormat = "{{device}}";
+          refId = "A";
+        }];
+        options = {
+          legend = { displayMode = "list"; placement = "bottom"; showLegend = true; };
+          tooltip = { mode = "multi"; sort = "desc"; };
+        };
+        fieldConfig = {
+          defaults = {
+            unit = "short";
+            custom = {
+              drawStyle = "line";
+              lineInterpolation = "stepAfter";
+              fillOpacity = 0;
+              pointSize = 5;
+              showPoints = "auto";
+            };
+          };
+        };
+      })
+
+      # Last Update Timestamp
+      (mkPanel {
+        id = 30;
+        title = "Last Metrics Update";
+        type = "stat";
+        gridPos = { x = 0; y = 24; w = 6; h = 5; };
+        targets = [{
+          expr = ''time() - disk_metrics_last_update{instance=~"$host"}'';
+          legendFormat = "Age";
+          refId = "A";
+        }];
+        options = {
+          reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
+          orientation = "horizontal";
+          textMode = "value";
+          colorMode = "value";
+          graphMode = "none";
+        };
+        fieldConfig = {
+          defaults = {
+            unit = "s";
+            thresholds = {
+              mode = "absolute";
+              steps = [
+                { color = "green"; value = null; }
+                { color = "yellow"; value = 1800; }
+                { color = "red"; value = 3600; }
+              ];
+            };
+          };
+        };
+      })
+
+      # Device Activity Status
+      (mkPanel {
+        id = 31;
+        title = "Device Activity";
+        type = "stat";
+        gridPos = { x = 6; y = 24; w = 18; h = 5; };
+        targets = [{
+          expr = ''smart_device_active{instance=~"$host"}'';
+          legendFormat = "{{device}}";
+          refId = "A";
+        }];
+        options = {
+          reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
+          orientation = "horizontal";
+          textMode = "auto";
+          colorMode = "background";
+          graphMode = "none";
+        };
+        fieldConfig = {
+          defaults = {
+            mappings = [
+              { type = "value"; options."1" = { text = "Active"; color = "green"; index = 0; }; }
+              { type = "value"; options."0" = { text = "Standby"; color = "blue"; index = 1; }; }
+            ];
+            thresholds = {
+              mode = "absolute";
+              steps = [
+                { color = "blue"; value = null; }
+                { color = "green"; value = 1; }
+              ];
+            };
+          };
+        };
+      })
+    ];
+  };
+in
+pkgs.writeText "smart-dashboard.json" (builtins.toJSON dashboard)

hosts/web-arm/modules/grafana/default.nix

@@ -31,10 +31,13 @@ in
     ./alerting/system/default.nix
     ./alerting/service/default.nix
     ./alerting/websites/default.nix
+    ./alerting/storage/default.nix
 
     ./datasources/victoriametrics.nix
     ./datasources/loki.nix
 
+    ./dashboards/default.nix
+
     ./alert-cleanup.nix
   ];
 
@@ -102,27 +105,44 @@ in
         contactPoints = {
           settings = {
             apiVersion = 1;
-            contactPoints = [{
+            contactPoints = [
-              orgId = 1;
+              {
-              name = "cp_dominik";
+                orgId = 1;
-              receivers = [{
+                name = "cp_dominik_emergency";
-                uid = "dominik_pushover_cp_receiver";
+                receivers = [{
-                type = "pushover";
+                  uid = "dominik_pushover_emergency";
-                settings = {
+                  type = "pushover";
-                  apiToken = "\${PUSHOVER_API_TOKEN}";
+                  settings = {
-                  userKey = "\${PUSHOVER_USER_KEY}";
+                    apiToken = "\${PUSHOVER_API_TOKEN}";
-                  device = "iphone";
+                    userKey = "\${PUSHOVER_USER_KEY}";
-                  priority = 2;
+                    device = "iphone";
-                  retry = "30s";
+                    priority = 2;
-                  expire = "2m";
+                    retry = "30s";
-                  sound = "siren";
+                    expire = "2m";
-                  okSound = "magic";
+                    sound = "siren";
-                  message = ''
+                    okSound = "magic";
-                    {{ template "default.message" . }}
+                    message = ''{{ template "default.message" . }}'';
-                  '';
+                  };
-                };
+                }];
-              }];
+              }
-            }];
+              {
+                orgId = 1;
+                name = "cp_dominik_normal";
+                receivers = [{
+                  uid = "dominik_pushover_normal";
+                  type = "pushover";
+                  settings = {
+                    apiToken = "\${PUSHOVER_API_TOKEN}";
+                    userKey = "\${PUSHOVER_USER_KEY}";
+                    device = "iphone";
+                    priority = 1;
+                    sound = "siren";
+                    okSound = "magic";
+                    message = ''{{ template "default.message" . }}'';
+                  };
+                }];
+              }
+            ];
           };
         };
 
@@ -130,7 +150,15 @@ in
           settings = {
             apiVersion = 1;
             policies = [{
-              receiver = "cp_dominik";
+              receiver = "cp_dominik_normal";
+              repeat_interval = "999d";
+              routes = [
+                {
+                  receiver = "cp_dominik_emergency";
+                  matchers = [ "alertname = HostDown" ];
+                  repeat_interval = "999d";
+                }
+              ];
             }];
           };
         };

hosts/web-arm/pkgs/sa-core.nix

@@ -17,7 +17,7 @@ buildGoModule rec {
   subPackages = [ "." ];
 
   # Optional tuning
-  CGO_ENABLED = 0;
+  env.CGO_ENABLED = "0";
   ldflags = [ "-s" "-w" ];
   doCheck = false;
 

scripts/test-configuration

@@ -19,9 +19,9 @@ fi
 
 HOSTNAME="$1"
 
-# Check if 'nixos-rebuild' command is available
+# Check if 'nix-instantiate' command is available
-if ! command -v nixos-rebuild > /dev/null; then
+if ! command -v nix-instantiate > /dev/null; then
-  echo "ERROR: 'nixos-rebuild' command not found. Please ensure it is installed and in your PATH." >&2
+  echo "ERROR: 'nix-instantiate' command not found. Please ensure Nix is installed and in your PATH." >&2
   exit 1
 fi
 
@@ -38,27 +38,42 @@ if [ ! -f "$CONFIG_PATH" ]; then
   exit 1
 fi
 
+# Check for host-specific channel file
+CHANNEL_PATH="$SCRIPT_DIR/../hosts/$HOSTNAME/channel"
+CHANNEL_OPT=""
+
+if [ -f "$CHANNEL_PATH" ]; then
+  CHANNEL_URL=$(cat "$CHANNEL_PATH")
+  # Append /nixexprs.tar.xz to get the actual tarball URL
+  TARBALL_URL="${CHANNEL_URL}/nixexprs.tar.xz"
+  echo "INFO: Using channel '$TARBALL_URL' from '$CHANNEL_PATH'."
+  CHANNEL_OPT="-I nixpkgs=$TARBALL_URL"
+else
+  echo "WARNING: No channel file found at '$CHANNEL_PATH'. Using system default." >&2
+fi
+
 echo "INFO: Attempting dry-build for host '$HOSTNAME' using configuration '$CONFIG_PATH'..."
 if [ "$VERBOSE" = true ]; then
   echo "INFO: Verbose mode enabled, --show-trace will be used."
 fi
 
-# Execute nixos-rebuild dry-build
+# Execute nix-instantiate to evaluate the configuration
-# Store the output and error streams, and the exit code
+# nix-instantiate fetches fresh tarballs and catches all evaluation errors
-NIX_OUTPUT_ERR=$(nixos-rebuild dry-build $SHOW_TRACE_OPT -I nixos-config="$CONFIG_PATH" --show-trace 2>&1)
+# unlike nixos-rebuild which may use cached results
+NIX_OUTPUT_ERR=$(nix-instantiate $SHOW_TRACE_OPT $CHANNEL_OPT -I nixos-config="$CONFIG_PATH" '<nixpkgs/nixos>' -A system 2>&1)
 NIX_EXIT_STATUS=$?
 
 # Check the exit status
 if [ "$NIX_EXIT_STATUS" -eq 0 ]; then
   echo "INFO: Dry-build for host '$HOSTNAME' completed successfully."
   if [ "$VERBOSE" = true ]; then
-    echo "Output from nixos-rebuild:"
+    echo "Output from nix-instantiate:"
     echo "$NIX_OUTPUT_ERR"
   fi
   exit 0
 else
-  echo "ERROR: Dry-build for host '$HOSTNAME' failed. 'nixos-rebuild' exited with status $NIX_EXIT_STATUS." >&2
+  echo "ERROR: Dry-build for host '$HOSTNAME' failed. 'nix-instantiate' exited with status $NIX_EXIT_STATUS." >&2
-  echo "Output from nixos-rebuild:" >&2
+  echo "Output from nix-instantiate:" >&2
   echo "$NIX_OUTPUT_ERR" >&2
   exit "$NIX_EXIT_STATUS"
 fi

utils/modules/promtail/secrets.yaml

@@ -1,88 +1,97 @@
-promtail-password: ENC[AES256_GCM,data:DykxIRTXttQgJ6vv3oBOhX1h2PrPimLz+dEHZwjFvg34UEGWfQu5nODw7h6qAJrKIGR5217LgTGZzg1HedbM4Dsb2OJW9c39bXIga730eVvGCm6RcMbpv8GDHPuVCfO1NwQox9Fba8veDWDNqNisHQuYDRQrNZrg1QEiKsujZdY=,iv:kM5Ec376USXMoXCVF/4g7F1NbJNbWfTMVd7LKsTnTuE=,tag:y8aEF+Q6/Cm16W2LYF+orA==,type:str]
+promtail-password: ENC[AES256_GCM,data:jooCw16EEw9JC+W19bXvoOjnCo/KP0H1Bpc0UqfGN+mCqFLK98TDU80hNu54pYQowcAtgjB5ZM64gWt+stqFKWVWihF0d4A3KuTTfpxmXGdGi6ThRcAXhMmXLH5SYR4N96d4WsvHNsFTRGItnUlp2juQMKHnZ2At9RQWgBQqK6Q=,iv:HFttRHz2fIU9qZzP5r24/AKMHTWwDhhIrgQpxw6Ol/Q=,tag:umq2lzodL2nijayGms7ciw==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQTkrMDlpM3RnZ0pNZVlM
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFT21QaTZ5ditZekVmaitY
-            dkNya243OFlycmRRS1o3c3Z1Vm1UNWxBbkVBCmw4dDUrQkg0NExaTHJaSk1JYnpY
+            b2locXR6M1NNSXhIL0pjK3Y4dzlYcjRXMlFNCnVtelpDdWovc0FiUGQwWm5TRlk1
-            UDNHa09Rd081N1FVbXgyRHVWbUtna1EKLS0tICszQ2Z4aWpNV1U5RVNibllGdGlY
+            b1pka2paQ1NBd2c3WG12U0N3N24vbHMKLS0tIHgrMHdxS3J1WWZNdGdiaVRaWjBm
-            alFRNFZVNDlOUTJRbVQ0T3dRTTlJZUEKx+ftKJc+RMmxXoRxLd6gsvN6Jfnn5Xre
+            cmh0VEx3UDRocFVlckFUN21YblpEb0kKKF7CPzXn6e9o1+BctLSHcLZTWYdYiXQs
-            48TolLwPoBSr6uSmfWfcXIL+2uzo5cTGhMReCEQrlHOWGxhk+XDmfw==
+            dwX8ohGJc/Q5Ewrrdmm77gu3ttg7Ml/70ToG/yTBExH1lwGb1z7Qag==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSjAvWC9haUh3blQ2bHJj
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3R2hwWmtZVjlTSFZTMUd5
-            cnh5YkkvUWhEYXFFV3RNbURwVlROZk1yUmc0CjdMdXExWE52WWNyRGdyVFRzT1o1
+            cXpqbXkwTmQrYS9TT1NYaXZ4azFjRTlOZ0Y0ClBIUGk5R0JGenBrSXhNbExLaWkr
-            Umo4OWhMYTZjTkJvbW9UaHJVaE1YNG8KLS0tIHBSOEdmQjFCZ25jNGlHMmZoalpW
+            eUJLUVBYYzBFbHg3Z2l4N2JINTBSVjAKLS0tIHFTa3JKUTVPNFM2TktUbm9mSkVo
-            c0FZUzBVYXRTMHFZSGYxVDdzS2d5a0kK1a/FQ841bIKuXHjVAjV2YPTpkmI0R7fX
+            Vno4TER6SFR4bDM3L3FYSkw1UHJoeXcK0mR/ysz38ZhEAqhEZZXmuH3rykMUeFk4
-            ohkPSQneoOnwZPXby69PJLSYwX0IcQCckkGXa1z6KLr6iueSpyM6JA==
+            tPvIV3LpRXpU+yiT3zpLJXVi3GDy9vaq/h/uG7rDhE/nPoaIIVBBhg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYUNabzVBcFpIdFhUTW85
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtV2tlLzhqQWlDd2FaZ0lJ
-            ZlVjamVZUERSMGNMUkhlUUVVd2ozUkFLWHlzCnh0c2gweU1ud2cxS2p1eXUxNy9j
+            dEt5Q2YvTWR6Q3pBUHl1elJEN3lJcE01YTBrCm1IWlVVd1poVk1Gazd3NnBCa21L
-            d2tCTVR0YjY5bktQa09tUmFvM0F3aEkKLS0tIFVWMVFUU1RMV1FoaklnS3Z0VzBJ
+            UXByN05KNGdUTW9uckhvNUE4bFVMME0KLS0tIDVSRCtJNnRSdmFzcWVNNHEzV092
-            bitzcStWdzM3TXBMbGJKNGVZQTNVZ0EK0qjI7PKk9lUDG+0ZeCL/9ILI9KRIEU+z
+            NHFYYTFRdUVXNFh5Tlc0U2twYWpuWDQKTqRXFxn/OuYrjVSlGNyHWtCwmaV+4PMr
-            6o4AcdGcd44QkUjYboLTwGvdf4QdKZvyfBk6xliUIzn0tbX0CrEHOA==
+            +wpjkS+3pEWYaMtRhoBKJmPXhbE9e0SSzFV/HEYILswUfIWuQNpNUQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdmhqdXpIblh0QVRuSGdl
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RFl5UHpOcUIrdEVoREFn
-            WmpaV20za2d5MFdYbTNTRTEzR3BUVFJLU2tRCkdHT1JFNmVEZGNkRGJ1S1cwU1Ru
+            ZmloRG5nb2d3eHpScmRWVjVLUXpveW9pZzJrClRVa3h1Y2dIL0RCZFJpM3NvTndu
-            MEp3ck1MN0tYRXBPY2xQR3JIMURpWkEKLS0tIEF2UERsV2J6UzZYUm5sTFdPWGlo
+            VzVMT1dwbWJEOXFKZDNVdEgwV3RHZE0KLS0tIElkTUk1SHRGcFp2d3BpUDgxZWVG
-            NjVGSDdndDRsQkx4V3U3N3FjNldUTTgKY8ohcy0H+fxkmBksfWzVLZsbfqDfWUzA
+            RE5UQktjTEtzd2I1SmVZWE8xWm5SSDAKOfrr3seS8+UqGZXiJfraGh9wTqx7zFnH
-            5FUdmqCHdg47Mct3K8qXHSEbvegn/8Hp4vSgkVQcEA2YFcf4J5GRpw==
+            GMBBlCj2SLAHP56efITiPJ6kFISFoc6QgBj024oUXop2HT3CQh5hJw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbFMrNzVMYmlHWE1yb1hj
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMWhoa1lKWU8yRHZnSUNm
-            eGw2SS9qNTdKTDdSQUlTNjhnS1dZaTd4NFFzCll6SEhzVnY5UnJUbUtlUzJzZS9N
+            cVhycko2MFczWE56UlNDUGlNdndXNnY0blhvCmlIeGRHUjRuODhCNk5lVlVqZmR1
-            cUZMYnV0bU5DRjU0MW8vSFpIN2pNT00KLS0tIFdTTlBPT3J0cmF6Y0lnaGRpQW4r
+            ZEpMTUl6dnpoUkhGbTBsOUNzdDliM0UKLS0tIDRHWjllMEZyaDN1OTY0RXpzWUVZ
-            TjRsa2dlR3hrZkVQTFFWQm1xR1pLQUkK2Kio6ShvcsbJ2n1UG97gxt5AcdqKolMq
+            WklqZW5DT09DclBBOUZ4VmpIMVdCRU0K5c8JtZ5dfzxmtMlnL+3637/6YBWN9qdP
-            3sdoF7b87Crd3QSzDKx2Rm97EjeQskOBOgpasF2W8GoRYCol05Y0bQ==
+            +/l78vhb0KVt1SOI2d6ZnfkKEXSO/PyBpOkz+AOubxdpQMNOyQsgcA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZGZobW1aaThidmkxSEk1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3N1BEMjFsZG03K3gxUVli
-            VXVzdEdIMENnRC9sTGpXQUNwSElPWVlLTVFNClRuQ2pYanFibEJoSllXYVhmSk90
+            b1hEUEY0NDRRc0xDUkErOXExa05uMkdDK1J3Cm1WUFNRNzZGMWdOOU5kb2kyOFNs
-            QVlGUVBjMkN4RG9BempCRDlFZHJPancKLS0tIEc3Q29tUzhzYzViMkpzS1RNczBE
+            Y2I1aC90SEZqSER3TXU0RTlVd3VOTHMKLS0tIGFMdDM0YWpJVTFFVEFYcUl3b1Nl
-            djdYNVdvZHRkOHBWMGk1N3dlb3JLUFEKiruFC9YV3gloPaP9+wY0Sir2xA9NUcPN
+            dlEwNWRmVllHSmtsRWVvb2h3ZGJaZUkKrEzfrlYGgB05NWxc3h6olIzGmdRCYDWj
-            matBs8oPjlB5dlrCoiHi8kl1i5ROnlu4tlNpLB0PcO9fCUMP1ypAQQ==
+            mr5PEAWo0KGcvPK61lxwpHdThp3NGV0pqAHUU5+7Td/PbguHvaEPhA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcFNWb2EvQWF3czQrVVg3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBandodFZnbU05SVN5cVlO
-            Wm1hVm16bEtYS2pnM0R4elhGMUlqRUZXcUdvCnlJN3dxU2VKUk9JTk10SjdubmVO
+            V1BVaWtLNWdJMmRtUWxaMGdITmNKUDdXdHlRCk5HbGdSWlFnKytTVWxOcWtPZ3VJ
-            NlgwU3hqMEp2cmF6R0pmdU9EZllJVTAKLS0tIFNwMC9jdjh0MXJpYzU5cE5mc0Jr
+            bi9EZ2p3VURkeEZuN2xsbEhkcWovUUEKLS0tIGtzTnJFOXFsTittUlZ1eCtjWTVX
-            KzJoVGlKTUNZYXhpV1NMcVVuVXI3SHcK7PIY6HznGsckYauyFGVxmU344FqkPYhm
+            SXdWczV0ZnI2a24zeElIZUsvU0ZSeUEKNX9qLko/2aFcrwW5LaMjvg9IJlNszSKi
-            1x74NydHuGLAkMd3H7AchnxP9tVzSX3sOD9AqYqgg3nRS7yaIet+sw==
+            7nl1d1fTLGCeMUvgwZU1uBIyCm/p0HTikBaDob5L5fJAVlSQNZxiBQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBROTV4Y1dQMkZtM1RUQ1lD
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdDdBTEpMZEI4NFc2aU1F
-            QVdyUXY1TVRxWURBZlRsZWVYTEhnQ0lMYUU4ClFLcVdUZ01YcDc1OUYwMWpJRUpy
+            aGlwcDk3ajd6NjE0UUhXbW5WT1RCSmR0M1hzCk1zVVV5V3UvUmx5REZuRk1RT3pW
-            NHVMM1FrK1B4TEU1QUhsbjdCL3M0dmMKLS0tIFRFSndnZ0V0a2VKV2VXY0N2Qjgz
+            WUVocW9iOXppWFBqRkVlZE1TZzFUbmMKLS0tIDlzLzdnWEhkWWFFQm1seVJlVHBw
-            dFZQbm13d3JOWlZiSXZTcUpkSSsyVTgKI1GJ1uRRcTH/13lkAiUxNhBNmDgf4MFA
+            THlweWtPcFNyT2RCNk9UQVc3Y0lnNFEK/d2fvmsIrRTHc3kBH2sAUBg0MCp4nXNT
-            5nk6z1/nJglnvajYyGXlAlZF7XofbUtUWZeBbtWwbeWImjIa/+KaSw==
+            imm7SINgt6aH390yL7BWHMBKzdgNHO6hn3plLV8EW8upsETwJCbrfA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvc3ZteDRVQ0xsRUpxY24x
+            Wmt4MS9ZL1cybUY4cHdPbC9rQU16WGtESkU4ClhoMnhuY2NrT0xyNzl6Z2hJR3dt
+            VHhLa2hCeUhCcjFPZTkxeUVaazFWa1kKLS0tIEVndkhYaS9GbDJKSzFIb0xQUzQ0
+            V2EzOXNWNnYwaXc5dkg5b0RDdjBpa1EKfIC1OigtPBRWIgXUyb4SSjpbO2Koqaiw
+            TQT+hnR+VkThbcfyWPZ+Zpe4lZzfcdMGfr3m7tdv/xY8epwrThInjA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1xcgc6u7fmc2trgxtdtf5nhrd7axzweuxlg0ya9jre3sdrg6c6easecue9w
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUhiU0RnMTAyV0xycnNL
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WHdpbGJNcmZhK3ExRi9t
-            V2xSWEttejB0SWhJR0FoNTZKL2x6MEJkcUZzCnFjVUVWNGV2SW1NZEpkN24rUVpX
+            K3ZHTld5QmxMYnZXTFZmNFVIbEZtS0pFRDM4CmJPK1BURU83UmFVdVNoam1reG0x
-            dUJ3Wkx5aUlsWDByOTlpaERpNEpIa0UKLS0tIDExTVVJeDFEUStzamw3RGU5cHdE
+            NlpLbDVQY1FNR1RyWm1TWkQrUHcrNUUKLS0tIFpVVGVscFFPclVTMG5IblkvWXlr
-            WlNqQm1jRnpLWXBzRVRZUjc3Z0c4dncKonlHRgH7P4da+RJkGdWHRPiN76oPbH5U
+            ek5lNTFkMVUvSU5McTFDS2tWWmZ1UmsKyhUXdaSGxKFFZnATRlTh7GzDu7eZ/mkq
-            DzNuS7mPsRAuajnCAGeqodzqllsGJatZUOVKFem8Of56Wm3pw3yLhg==
+            V+9pqaob2fshwQ3tNVZtXmWTHv1geyIBxmQCFVSOaHIPVLpiC4Bhow==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-14T11:28:03Z"
+    lastmodified: "2025-11-29T19:44:44Z"
-    mac: ENC[AES256_GCM,data:PBPNSGj6UaGoxH1Jq25bD4q/d42HrnBNhe5KFo1MoQCp/bzsphN8v6+tbHIdGh/VAoU7auRZVWXYALOl/3cGnpL52zvJGDaMlPlDVdzz6wHkl24z1ousWM7FKPwBtvGuAWAknYQW7KpQTtpobbBr8QHy/O4dB/NqxXTj/MSsbxY=,iv:1QOFK1LiKPnAuXeXNBJbeL0d73nsMq+DJCpeVruDumE=,tag:hJH3S3ZurYd0hcoWyWOocw==,type:str]
+    mac: ENC[AES256_GCM,data:pRol7WdkK+Vr3fEc7UaEhoHlLvwwm0KdGOCReS6Rz12gD0Fw2UuNYsPnaj1XTdSLSfJITpEorFTmt455BpC6wMCszICSkqRn+EBgu4WWFZrv5v1m6BjSOTsU8bj1iAggiqsx57WS9opMThCzCOSIJD/EEzQmk5/qva/aBIJni/c=,iv:jorZE1XG0xJDGsXgw8EvuX7AL7yCuSynrqaeveCF4SE=,tag:btZHuaiPdZhdRj/+JU9dSA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

utils/modules/victoriametrics/secrets.yaml

@@ -1,88 +1,97 @@
-victoria-agent-env: ENC[AES256_GCM,data:m+o9GgDSm2qYVk90199H6J+RqE0fZH92G7uFjP0Al1JlvclOFjHnNlFJ7y8YfgBcPUFutIU45HN4+I2X2k0+GFyKlrKxevH3wUKNIWG/l/6VlOmZr7SMRQAlVv88aT0EeBIEh+AOilCcWsD4egQPS/faP5yolsqrm/sXltsdbdI6i7EVXBKUUryBjogE6tv5nroN0ter0hXtyspkV4oBxcZIqTK4/t6staEq1OcY/augdpqz6z1aBFVun3c0q70vS5VBP1KIKd+nKVABWWwt,iv:7mnSPuP3jh06uIFQbWUI2VRFF5wbGFLoTS4rf7PUF7M=,tag:BtVruJm2+9pGNYOzQOV32A==,type:str]
+victoria-agent-env: ENC[AES256_GCM,data:kkbtEi4nVqv7jvL0Y3XCsil0InrVsL1zasBcOSKpA32ix73q0bRIwT8JVXX5hI6G8REYvp1oGNRlMBmSPy7H5YxxUd3RsK/5SbLkPfifTAxl8qz1STKPOmq6dZn016809AIkBiDWuu4FOHvzoSVkaO5EXluzb9wVwGH1HM/5pYBDFzqtkgWbCGbeGRXComgD4bqlFjDg/HRX2CaZf0sBByFQxH+NFvXCwdBeEZ82x5gBmXsaPnsAmh8fJotK7Eyu4+Urnahcp8V/4cTadhvg,iv:eizMQCL7vuTn3F0lY23fQfsvxiE8P3CdHqImth9X4JA=,tag:BMltfLO93YMEKv3sycDF2A==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaFZ6dXVqbHppZ21NeWFi
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSjNMUlh2TFB4L2JBSWU3
-            NU1kV2FOUkVDWlc4RVdUdGNZU21jODdUUXpVCnU4aDdTbXlWNlZ2OUVaOGEwcDkr
+            U2xyQTVoUmlQYUV5R1Y5MWtOa3VSVkkyTURzClN6QVFpZjZDdXdrU2ZUWDUyZDN0
-            aGNrSzVuZTVyU1BMNXArZTBSWnBacG8KLS0tIFVCMUNDeWdTL0VxLzdYNjgyMHY3
+            S2RIY1pjdk9vSjg2cUZyTUpQbE51a28KLS0tIDFxSUNiZTQ3UWMySnNCWVZ0MzNZ
-            QmNCNGdaeFRHOTY4S2Z4RE9LZVB4TG8KQAe6ensRM4QVJKnDgbnFk9ZYoLk4L7iQ
+            NnI1RFhXN3pqdTYyQ0NFZG95UHdvWkUKD23hIRYhZ0BRamLcjfKOpcHIzeatwEFb
-            4V8jODObt9m2WDCqASJdt/8m/l84E7FTw4g9aimr4fBOU4zOqpGe2w==
+            0dvIm8RWcZEYK4w96GY5EQPkJsvcoBNWIyMFrJkgtcRfie3+W6kdag==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCYnhvamdLYjN2SG9DRVl1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5dlY4c1FPU21VbkI2bzMx
-            aEdGSWxQTUwrSTBtQURLS3RiQjl3by8xN1hzCjVLc2hQV1dCbTd1UkRaUC9ZN25V
+            WS9BNDJSU0JyTEVvY1VFQkU4L3J4U0hrd0NZCmlkQWw1N3RxU1MyZVVuNVZpVStk
-            aDJMczFSNGhCZTZFWnpLSW9sSENoWUEKLS0tIG5wRnBvRytKTXo5TXZ3bEdlVkVX
+            UXlyLzlUaFlWTEdDdUZBV2Q5RGpvV28KLS0tIFRHTkwxWTRuMlFJWTV1SVQwU0Ji
-            bDF4UUR5bE1JK0tGejJWanFkVDJCMUUKuIbnEMXPsDkJ2eDriJ6gKmwC4gj4ijfU
+            c3JnQmlPd1JMQU9pcnVoaG9teVlBWWcKMOIDN36cLqOemzP62uRgKe/myhRs4F4g
-            vmuAEsdpjo2UzP2Sjvm6tFSK85LvZi9lDu5NXdVTdwcq13+OYX1TLw==
+            MiNVYUL+d3WR3HQEvhovUU5RowlCD84U6Za8z+ss2sApJ6jdUcSP5A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aHJlbDFBZlAvbjhRNHkr
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMS9CbzFrZENWam5BOW5t
-            angxd01kWkpVckZHcXA3VzJCa0xRSEpuZWlRCjNrUVV5NnM5VWV0YkRmQnE4aU1y
+            K3ExNGplNWZLNTVqMndnQ2ZSOFVIL2YvdHlvClkyS1RvZ3FaQWVkNjlWWExkbDZQ
-            SDc1eXBDM1hsZHh4UkFYREZmTTFLMW8KLS0tIEJZSmhWa1l2SFpqdXVQWHZuWkc2
+            NFVPWmkyNkdoTXdjY0xvS3QrMmFLeXMKLS0tIDhHV2hmMmIzY3dKeTVsUnB5ZGhR
-            ZFNPcDhyc3dIaWx6TlhTMlIrK1NLWmsKhMpNkZEvlaIKWauZsVoLzwYWx0k1sbmk
+            cXpPcklDUDRkcytIcytDY1NYYXNQcTAKvjGjCCrj//KRijPCLOEDAxiexY0CnnqY
-            KO+pNAUz2RMX+N4ykCRgFfeV6SDMxbaOACFm1/6yyDXHgvaI7zrQTQ==
+            80l7bSnQPOOs27HO/9YlJerQlhPBRZo/KJ+cY3T2fAIfad/f7XN04g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1WkQxb3h1aUVDVGJTMUd1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMHUrQWZMNmxtSWtxVllM
-            RWdXMUQvWUk2TDYwbzd3ZW5ZSEVGZFhUOVg0CmxEd0lOV3EvN014NUFQUEdaWjNq
+            U1VsMGxVOGt4UmtJSTE5TUdQaEdXUVRIc1FBCk1vTlU2c0lHUDh4VmYwMlFwZU44
-            ZVE5MGZ4SVpXNTRwRnplMHhrQlBHMm8KLS0tIFpUeWZQZmQvWlBrcG9oNERIVEZt
+            Q1p6N1l5ZWlveGY3VFZJNDNpTFpqNEEKLS0tIHJxdlJtTDkrWHFTcmZXbnVCQ0ti
-            UlBxcFgxVlc2WFRxVkhjWmZCdUdjSEUKPbadYyvWy0Kfbs5EovcpL3Aukj7wiZPJ
+            K2ovOUo4UTN0Y0dubllQM013SW05QmMKQUN03J+ju/JVs6geEMWLnnnlzjPfZOqS
-            VlDkELrTtbvFYp1aAASFZOQb+0NYUyOCtM/OI5qNYigR7TgJBAf/Ig==
+            rn3ldZv1aC7ckAp2JiVoznkpsBHFOV8T0pxE9vnmDipAU263k/4ktg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcnZrUklWYUZBbm11S2RX
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwa1hoalhrQVdsc0NrNzN6
-            b0F6UjNGQVlXQm83NDBCTFoybHhhTWd6NWs4ClM2dXNXT3pPZkpOYnpRR1BwV1k1
+            ZU5JVTdDRjhBWFUzMXhJM2FiaU5HcmlvZzE4CnJ5NDlUYmZmbzZsdC9jYXJBc3Rx
-            NWlXNXpBeFJHalhxaExybTJ5NG5nMlkKLS0tIDdXa09CKzdVeVp6TFdpei9PempS
+            c1RDZDFOdnVHYjZSc2VNc2tOTGF4aTgKLS0tIFhEK1JaRWk3VzhtUE1GYUxoOVJD
-            dVNPL051aXpYN09EVVErZkV6czI2dkEK2UZPimVhLwjgjXjj1m7Qc/w36xYDe7sQ
+            ODRHRUxheVRuaEVoZ01sQkNOZGkzMUEKUBpUd30EjSkRFK2cbCARdycf9hHamoVG
-            D/5gub0EFuycIQj3lw0y59Jds4GoxBImExC0AKIaX9XBGW1BfBFtPQ==
+            XjCfIf1BLGe76+c88zDKaPvp/iAWfGypQkA71tRUoe6pEtrAT8sRgQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKM29sYklYMDUxTGJRZGlw
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a1d1UVVmNDVkaWtiOWlN
-            V2tVQTFaZXhoa0xSb2VNZldpUER5a0hWQVVVCktiVDRORDBPM25xSjVucTFsOUha
+            enA5RS9WSGgyT0ZqNWNvZ0lVbGpkcWxESzNJClFMMlJJRDJDSnRyVVZmRUZIU0JU
-            dHdVMjMxWDcvbVVoTDR5czFrMnVXd00KLS0tIEc2V3RtUVJBbHpKWkhneFRzcCti
+            RFlTUm1nSzBFWVFEOGtROFVWMit1R1UKLS0tIEtRRXZvZFBKa0kxaDRXazJEcW1P
-            NkN5SkZNWlp2dFBmclNjcW1iWXZZY2cK6fqN6xbVFLSTRPfDhvRALVt1yxizvyzI
+            ajdFVHVpSWtjVU1ZSmlmUmxIY2NxMmcKVMc+JpeCxXs9RGjg7RN6c1TC9ndIOvWw
-            C32AxiKQo9XrXGBmD5Zi6dtTy+Kdm4PqZjk7M1vW0LOJCErlVI0AjQ==
+            uFCTBRbTZJHyDC5fYrQQdhMQprm8UT3Fr51i1RWVWjsHz8GZEBwQVg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT1dBY3kycWVINUV1Wm93
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTm8xeUlpbC8xRndpSGQw
-            VEMvNTRSQzV5U2N4ODhiSERHcnVVK3c3Q0hFCmxwWXE3Q1BCRFpIMUlFemRQOTRB
+            S2RDSE93ZG8wcnlHZFBXbjNzMXlpeWRIVjBBCnlVRDMzL2paRmFWL2toZVFBOFRk
-            TERiVzdOZGZDbmxXT2ZYZHdhY0FpOEEKLS0tIHRVVkYvVW9nYnJ3WkFhNEQ4UkVY
+            bi9LRjhWM2ZBcTBFMk9ydTFhaTdrblEKLS0tIFQzUjRpSGR5NzNYcFNVNUNVUks0
-            US96T0JUUlJjVFcxc1ZSUjY1aVg4NmMKc4jD2CtrKc43wArBm566h117ko1vrsHG
+            R3AreG1Cd3d1NDNIWnlkcm94L3h6NGcKurqFEsNJklMgu3G7mDNq449o2vMX/2t1
-            ONq9zOp4z90WPvY9octFOEn9cZ2tJvcGYDhWyBGH3rVRYN5hzTRLdg==
+            aUOLRLzi5GTJoQzmuJbveQA+HIgv/B9aNC762YH6df4N0Yk1GRt7pw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUd241b3c1MFUvUTRRc2R3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUHZ0Yk14c2NBQm9SelNR
-            dFNLREZ0Qi9kcWlVait0bVhJZ05PZ21ScEFjCitab1NaWDlEWkEwZlpzTmFFQ3RV
+            cjY0K0xYUWREUkhWQVNRUVFUczlvZjZ4V1VnClV2b3hhMnlhTUt2U1FLTERlVThv
-            YTVWUmx4VEJ2Q1J1TllZZ2VTaVF0OFUKLS0tIGZxdGNaM1Q0Z1JEbkFpQm0xaW5T
+            K2Nqd0dPVWZLTXI2Y2VhaG9Yano1d1kKLS0tIExRY3NlZ0x2VWtDZWhJc0dyM0ow
-            bHkyeHVtbCtzb2pKOTUvcm91MnBockkKCrwgT0auKuuRYNwajiqBVzpgG13li8KO
+            dlp5SzFqZmNncGQzYzR0THkyeVR6WXcKUb9DJ1u3/VnYKXIgzpTdImSgE2lWdCOD
-            W52Fy9lIc9poyxEnvyIqpPz29gQdL4aqGHX735f2+n2fq/SIgiKHfw==
+            yVOJXwY5IrU6NJgBYbZlbIysIS+ihO9pLodjaYhbZduNCasdrhwu7A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cFJka2xuSDhyaXowSzVw
+            cXJSR1ZUWnhDdWRwbFpmenJDZURmbXhDNVhRCm1GMTZ3VHA1S0o3ekVsR2loS3Bi
+            SmJrOEFBUzJZVUlxazh1TVhkZ0kzVm8KLS0tIDZwajVOUWlIS1FHWHNpZy9jSXhK
+            RHBjNjRBRzVaUlMrL0d5ZGZTdUcvYkUK0hf09zou0OqZSV81G8HMeNRx+uz9Nade
+            dhyQ1CRVWT5Q5HW/4t/abB0hSxFId8+X7ufJIjjVSbywLZ7WHLKCSw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1xcgc6u7fmc2trgxtdtf5nhrd7axzweuxlg0ya9jre3sdrg6c6easecue9w
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNzB5bHVMU2MySmtaOHA4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndjYrRnFRd2RDeTRDQ2Uz
-            K0N3RnZINWpTbkxiTWJnVTZ4Z3d1L1N3T0hjCmxieHdhc1VFWXM1WHExdWNPdW16
+            UXk2WE1ORERTOWtOcXI3eXVHZzJJQ2RMRTMwClBPR2J6cmMzSzR1cXJWaHJJUlJa
-            ZVQwTzdGcFVWamMva1RpZGV6U2hpSUEKLS0tIER1T3ZJYUQ0RE5TVTk2dVdmYXhU
+            ZVd1S3hpWEdFYXpvUXd3ZUs3SVJrZHcKLS0tIGN5MUFET0M3WWZkcHRlV1QyTEQx
-            eUNKWkczb3dwMnB3SS8rVjRHU1VBQkkKOdh1+qrx9WX0NGSVrGdptFNU8C1ZZFNi
+            eTFJUnZpM2haMUZBekh3SjBQRGFsQUUKUI4laym7zGzu1iIlMYnnKjyDHUqblcn6
-            3lJmzNvJRyVMxXNjWqpXUfCDWQONvCKEGuAvt7Zra+z7/2GtcFTNZw==
+            K49AdBT+U8WUnVNwAOc5Irf86GfNvJ0S0qk6+v4CpPDgKFksc3flFg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-14T12:05:25Z"
+    lastmodified: "2025-11-28T22:51:04Z"
-    mac: ENC[AES256_GCM,data:DuD/sqYIwfW2XW+QojfuwLOKI+Y3lXCYOmI5ayCqQlWU9F0W3H1WSnVyfp4YanwY9zjNJukZy9vQNB7wk7DoPGrYTgPihEFmt1GWV10kCFhOxQCMaB9Pt8a7JucF1k8+4jbT4SW282KLAoITDqIAe4qXBPEKKx1+SH34VhKZh3Y=,iv:j5U41i0LHVntwyhTjHExkS65K/gWpBdNy68Cb+bIXmg=,tag:Wu46HI+T+ZzeTb4Rf35vdg==,type:str]
+    mac: ENC[AES256_GCM,data:pXXNkrHSC4mp+K2NfiJ7RucJ299BkVv7wQiWlV2SboLwS7le753CKf2yBGsOYEgxelhLAnIFW3biDR/v+P+7kvUinRUPIYyxeYzMT864Rz8Fb+FBjf4Bd/j/oBdSWk1QM6aOPQRcAiNAol+AcdajhSmy68prUp/lR0gvDPGuczA=,iv:t18AtziHtA58uMoVSsDXsn4PPQUSJCNCG6jg9VBvM0w=,tag:RKQRWjI3NE3Rzb+JdMrOng==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

utils/overlays/packages.nix

@@ -5,16 +5,18 @@ self: super: {
   openaudible = (super.callPackage ../pkgs/openaudible.nix { });
   openmanus = (super.callPackage ../pkgs/openmanus.nix { });
   ai-mailer = self.callPackage ../pkgs/ai-mailer.nix { };
+  claude-code = self.callPackage ../pkgs/claude-code { claude-code = super.claude-code; };
 
   # Python packages
   python3 = super.python3.override {
     packageOverrides = pself: psuper: {
+      aia-chaser = pself.callPackage ../pkgs/aia-chaser { };
       mini-racer = pself.callPackage ../pkgs/mini-racer.nix { };
     };
   };
   python3Packages = self.python3.pkgs;
 
-  pyload-ng = self.callPackage ../pkgs/pyload-ng-updated.nix { pyload-ng = super.pyload-ng; };
+  pyload-ng = self.callPackage ../pkgs/pyload-ng { pyload-ng = super.pyload-ng; };
 
   # vscode-insiders = (super.callPackage ../pkgs/vscode-insiders.nix { });
 }

utils/pkgs/aia-chaser/default.nix

@@ -0,0 +1,32 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, cryptography
+}:
+
+buildPythonPackage rec {
+  pname = "aia-chaser";
+  version = "3.3.0";
+  format = "wheel";
+
+  src = fetchPypi {
+    pname = "aia_chaser";
+    inherit version format;
+    dist = "py3";
+    python = "py3";
+    hash = "sha256-L0aBV3kfAVI1aJH7VgiiEXzGBSP/HU2zAlahkHeT8hk=";
+  };
+
+  dependencies = [
+    cryptography
+  ];
+
+  pythonImportsCheck = [ "aia_chaser" ];
+
+  meta = with lib; {
+    description = "Retrieve missing certificates to complete SSL certificate chains";
+    homepage = "https://github.com/dirkjanm/aia-chaser";
+    license = licenses.mit;
+    maintainers = [ ];
+  };
+}

utils/pkgs/claude-code/default.nix

@@ -0,0 +1,30 @@
+{ lib, pkgs, runCommand, claude-code }:
+
+let
+  version = "2.0.55";
+
+  src = pkgs.fetchzip {
+    url = "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-${version}.tgz";
+    hash = "sha256-wsjOkNxuBLMYprjaZQyUZHiqWl8UG7cZ1njkyKZpRYg=";
+  };
+
+  # Create a modified source with our package-lock.json
+  srcWithLock = runCommand "claude-code-src-${version}" {} ''
+    cp -r ${src} $out
+    chmod -R +w $out
+    cp ${./package-lock.json} $out/package-lock.json
+  '';
+
+in
+(claude-code.override {}).overrideAttrs (oldAttrs: {
+  inherit version;
+  src = srcWithLock;
+
+  npmDeps = pkgs.fetchNpmDeps {
+    src = srcWithLock;
+    hash = "sha256-cFvPoCmh3XpJe/5LPZizfBz6F6xAPYnBNimrK4+VbPw=";
+  };
+
+  # Remove the old postPatch since srcWithLock already includes package-lock.json
+  postPatch = "";
+})

utils/pkgs/claude-code/package-lock.json

@@ -0,0 +1,319 @@
+{
+  "name": "claude-code",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "@anthropic-ai/claude-code": "^2.0.55"
+      }
+    },
+    "node_modules/@anthropic-ai/claude-code": {
+      "version": "2.0.55",
+      "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-2.0.55.tgz",
+      "integrity": "sha512-IVY6J2KgTP5BiCbLmuP3kAl8jbXfd6yGoXtvc0L0eiZwxJUMa+cubUU0U8qHRnVkNmDAis+O4P00KmeuGzSLWg==",
+      "license": "SEE LICENSE IN README.md",
+      "bin": {
+        "claude": "cli.js"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      },
+      "optionalDependencies": {
+        "@img/sharp-darwin-arm64": "^0.33.5",
+        "@img/sharp-darwin-x64": "^0.33.5",
+        "@img/sharp-linux-arm": "^0.33.5",
+        "@img/sharp-linux-arm64": "^0.33.5",
+        "@img/sharp-linux-x64": "^0.33.5",
+        "@img/sharp-linuxmusl-arm64": "^0.33.5",
+        "@img/sharp-linuxmusl-x64": "^0.33.5",
+        "@img/sharp-win32-x64": "^0.33.5"
+      }
+    },
+    "node_modules/@img/sharp-darwin-arm64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.33.5.tgz",
+      "integrity": "sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-darwin-arm64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-darwin-x64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.33.5.tgz",
+      "integrity": "sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-darwin-x64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-libvips-darwin-arm64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.0.4.tgz",
+      "integrity": "sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-darwin-x64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.0.4.tgz",
+      "integrity": "sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-arm": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.0.5.tgz",
+      "integrity": "sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g==",
+      "cpu": [
+        "arm"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-arm64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.0.4.tgz",
+      "integrity": "sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-x64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.0.4.tgz",
+      "integrity": "sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linuxmusl-arm64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.0.4.tgz",
+      "integrity": "sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linuxmusl-x64": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.0.4.tgz",
+      "integrity": "sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-linux-arm": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.33.5.tgz",
+      "integrity": "sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ==",
+      "cpu": [
+        "arm"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-arm": "1.0.5"
+      }
+    },
+    "node_modules/@img/sharp-linux-arm64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.33.5.tgz",
+      "integrity": "sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-arm64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-x64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.33.5.tgz",
+      "integrity": "sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-x64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-linuxmusl-arm64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.33.5.tgz",
+      "integrity": "sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linuxmusl-arm64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-linuxmusl-x64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.33.5.tgz",
+      "integrity": "sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linuxmusl-x64": "1.0.4"
+      }
+    },
+    "node_modules/@img/sharp-win32-x64": {
+      "version": "0.33.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.33.5.tgz",
+      "integrity": "sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    }
+  }
+}

utils/pkgs/claude-code/update.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nodejs nix-prefetch cacert
+
+set -euo pipefail
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+# Get latest version from npm
+version=$(npm view @anthropic-ai/claude-code version)
+echo "Latest version: $version"
+
+# Update version in default.nix
+sed -i "s/version = \".*\";/version = \"$version\";/" default.nix
+
+# Fetch and update source hash
+echo "Fetching source tarball..."
+url="https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-${version}.tgz"
+hash=$(nix-prefetch-url --unpack --type sha256 "$url" 2>/dev/null)
+sri_hash=$(nix-hash --type sha256 --to-sri "$hash")
+# Update only the source hash (in fetchzip block)
+sed -i "/src = pkgs.fetchzip/,/};/ s|hash = \"sha256-.*\";|hash = \"$sri_hash\";|" default.nix
+
+# Generate new package-lock.json
+echo "Generating package-lock.json..."
+npm i --package-lock-only @anthropic-ai/claude-code@"$version"
+rm -f package.json
+
+# Set placeholder for npmDepsHash only (in fetchNpmDeps block)
+sed -i "/npmDeps = pkgs.fetchNpmDeps/,/};/ s|hash = \"sha256-.*\";|hash = \"sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\";|" default.nix
+
+echo ""
+echo "Updated to version $version"
+echo "Source hash: $sri_hash"
+echo ""
+
+# Go to repo root (3 levels up from utils/pkgs/claude-code)
+repo_root="$(cd ../../.. && pwd)"
+cd "$repo_root"
+
+# Build to get the correct npmDepsHash
+echo "Building package to determine npmDepsHash..."
+build_output=$(NIXPKGS_ALLOW_UNFREE=1 nix build --impure --no-link --expr 'with import <nixpkgs> {}; callPackage ./utils/pkgs/claude-code { inherit lib pkgs runCommand claude-code; }' 2>&1 || true)
+
+# Extract the hash from build output
+npm_deps_hash=$(echo "$build_output" | grep -oP "got:\s+sha256-[A-Za-z0-9+/=]+" | tail -1 | awk '{print $2}')
+
+if [ -z "$npm_deps_hash" ]; then
+    echo "Error: Could not determine npmDepsHash from build output"
+    echo "Build output:"
+    echo "$build_output"
+    exit 1
+fi
+
+echo "npmDepsHash: $npm_deps_hash"
+
+# Update npmDepsHash in default.nix
+cd "$repo_root/utils/pkgs/claude-code"
+sed -i "/npmDeps = pkgs.fetchNpmDeps/,/};/ s|hash = \"sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\";|hash = \"$npm_deps_hash\";|" default.nix
+
+# Verify the build works
+echo ""
+echo "Verifying build..."
+cd "$repo_root"
+if NIXPKGS_ALLOW_UNFREE=1 nix build --impure --no-link --expr 'with import <nixpkgs> {}; callPackage ./utils/pkgs/claude-code { inherit lib pkgs runCommand claude-code; }'; then
+    echo ""
+    echo "✓ Successfully updated claude-code to version $version"
+    echo "  Source hash: $sri_hash"
+    echo "  npmDepsHash: $npm_deps_hash"
+else
+    echo ""
+    echo "✗ Build failed after updating hashes"
+    exit 1
+fi

utils/pkgs/clicknload-proxy/clicknload-proxy.py

@@ -0,0 +1,297 @@
+#!/usr/bin/env python3
+"""
+Click'n'Load proxy - receives CNL requests and forwards to pyLoad API.
+
+Implements the Click'n'Load protocol:
+1. GET /jdcheck.js -> responds with jdownloader=true
+2. POST /flash/addcrypted2 -> decrypts links and sends to pyLoad
+"""
+
+import argparse
+import base64
+import html
+import json
+import re
+import sys
+import traceback
+import urllib.request
+import urllib.parse
+from http.server import HTTPServer, BaseHTTPRequestHandler
+from Crypto.Cipher import AES
+
+
+def log(msg):
+    """Log with immediate flush for systemd journal visibility."""
+    print(f"[CNL] {msg}", flush=True)
+
+
+def fetch_package_name(url):
+    """Fetch package name from source page by extracting <h2> tag (like JDownloader)."""
+    if not url or not url.startswith("http"):
+        return None
+
+    try:
+        log(f"Fetching package name from {url}")
+        req = urllib.request.Request(
+            url,
+            headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}
+        )
+        with urllib.request.urlopen(req, timeout=10) as resp:
+            content = resp.read().decode("utf-8", errors="ignore")
+
+        # Extract <h2> content like JDownloader does
+        match = re.search(r'<h2[^>]*>([^<]+)<', content)
+        if match:
+            name = html.unescape(match.group(1)).strip()
+            log(f"Extracted package name: {name}")
+            return name
+
+        log("No <h2> tag found on page")
+        return None
+    except Exception as e:
+        log(f"Failed to fetch package name: {e}")
+        return None
+
+
+def extract_package_name_from_links(links):
+    """Extract package name from common prefix of link filenames."""
+    if not links:
+        return None
+
+    # Extract filenames from URLs
+    filenames = []
+    for link in links:
+        parsed = urllib.parse.urlparse(link)
+        path = urllib.parse.unquote(parsed.path)
+        filename = path.split("/")[-1] if path else ""
+        # Remove extension
+        if "." in filename:
+            filename = filename.rsplit(".", 1)[0]
+        if filename:
+            filenames.append(filename)
+
+    if not filenames:
+        return None
+
+    if len(filenames) == 1:
+        # Single file - use its name
+        name = filenames[0]
+        log(f"Single file, using name: {name}")
+        return name
+
+    # Find common prefix among all filenames
+    prefix = filenames[0]
+    for filename in filenames[1:]:
+        while prefix and not filename.startswith(prefix):
+            # Remove last character or segment
+            if "." in prefix:
+                prefix = prefix.rsplit(".", 1)[0]
+            elif "-" in prefix:
+                prefix = prefix.rsplit("-", 1)[0]
+            elif "_" in prefix:
+                prefix = prefix.rsplit("_", 1)[0]
+            else:
+                prefix = prefix[:-1]
+
+    # Clean up trailing separators
+    prefix = prefix.rstrip(".-_ ")
+
+    if prefix and len(prefix) >= 3:
+        log(f"Common prefix from {len(filenames)} files: {prefix}")
+        return prefix
+
+    # Fallback: use first filename
+    name = filenames[0]
+    log(f"No common prefix, using first filename: {name}")
+    return name
+
+
+class ClickNLoadHandler(BaseHTTPRequestHandler):
+    pyload_url = None
+    pyload_user = None
+    pyload_pass = None
+
+    def log_message(self, format, *args):
+        log(f"{self.command} {self.path}")
+
+    def send_cors_headers(self):
+        """Add CORS headers to allow cross-origin requests."""
+        self.send_header("Access-Control-Allow-Origin", "*")
+        self.send_header("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
+        self.send_header("Access-Control-Allow-Headers", "Content-Type")
+
+    def do_OPTIONS(self):
+        """Handle CORS preflight requests."""
+        self.send_response(200)
+        self.send_cors_headers()
+        self.end_headers()
+
+    def do_GET(self):
+        if self.path == "/jdcheck.js":
+            self.send_response(200)
+            self.send_header("Content-Type", "text/javascript")
+            self.send_cors_headers()
+            self.end_headers()
+            self.wfile.write(b"jdownloader=true;")
+        else:
+            self.send_response(404)
+            self.send_cors_headers()
+            self.end_headers()
+
+    def do_POST(self):
+        if self.path == "/flash/addcrypted2":
+            content_length = int(self.headers.get("Content-Length", 0))
+            post_data = self.rfile.read(content_length).decode("utf-8")
+            params = urllib.parse.parse_qs(post_data)
+
+            jk = params.get("jk", [""])[0]
+            crypted = params.get("crypted", [""])[0]
+            source = params.get("source", ["Click'n'Load"])[0]
+
+            # Get actual page URL from Referer header
+            referer = self.headers.get("Referer", "")
+
+            log(f"Received addcrypted2: source={source}, referer={referer}")
+            log(f"  jk_len={len(jk)}, crypted_len={len(crypted)}")
+
+            try:
+                links = self.decrypt_links(jk, crypted)
+                if links:
+                    # Try to get package name: referer page -> link filenames -> source
+                    package_name = (
+                        fetch_package_name(referer) or
+                        extract_package_name_from_links(links) or
+                        source
+                    )
+                    self.add_to_pyload(links, package_name)
+                    self.send_response(200)
+                    self.send_cors_headers()
+                    self.end_headers()
+                    self.wfile.write(b"success")
+                else:
+                    log("Error: No links found after decryption")
+                    self.send_response(500)
+                    self.send_cors_headers()
+                    self.end_headers()
+                    self.wfile.write(b"No links found")
+            except Exception as e:
+                log(f"Error: {e}")
+                log(traceback.format_exc())
+                self.send_response(500)
+                self.send_cors_headers()
+                self.end_headers()
+                self.wfile.write(str(e).encode())
+        else:
+            self.send_response(404)
+            self.send_cors_headers()
+            self.end_headers()
+
+    def decrypt_links(self, jk, crypted):
+        """Decrypt Click'n'Load encrypted links."""
+        # Extract hex key from JavaScript function
+        # Format: function f(){ return '...hex...'; }
+        match = re.search(r"return\s*['\"]([0-9a-fA-F]+)['\"]", jk)
+        if not match:
+            log(f"Could not extract key from jk: {jk[:100]}...")
+            raise ValueError("Could not extract key from jk")
+
+        key_hex = match.group(1)
+        key = bytes.fromhex(key_hex)
+        log(f"Extracted key: {len(key)} bytes")
+
+        # Decrypt (AES-128-CBC, key is also IV)
+        cipher = AES.new(key, AES.MODE_CBC, iv=key)
+        encrypted = base64.b64decode(crypted)
+        decrypted = cipher.decrypt(encrypted)
+
+        # Remove PKCS7 padding
+        pad_len = decrypted[-1]
+        decrypted = decrypted[:-pad_len]
+
+        # Split into links
+        links = decrypted.decode("utf-8").strip().split("\n")
+        links = [l.strip() for l in links if l.strip()]
+
+        log(f"Decrypted {len(links)} links")
+        return links
+
+    def add_to_pyload(self, links, package_name):
+        """Add links to pyLoad via API using HTTP Basic Auth."""
+        if not self.pyload_url:
+            log("No pyLoad URL configured, printing links:")
+            for link in links:
+                log(f"  {link}")
+            return
+
+        log(f"Adding package to pyLoad at {self.pyload_url}")
+
+        # Build Basic Auth header
+        credentials = f"{self.pyload_user}:{self.pyload_pass}"
+        auth_header = base64.b64encode(credentials.encode()).decode()
+
+        # Add package using new API endpoint with HTTP Basic Auth
+        add_url = f"{self.pyload_url}/api/add_package"
+        add_data = json.dumps({
+            "name": package_name or "Click'n'Load",
+            "links": links
+        }).encode()
+
+        req = urllib.request.Request(
+            add_url,
+            data=add_data,
+            headers={
+                "Content-Type": "application/json",
+                "Authorization": f"Basic {auth_header}"
+            }
+        )
+        try:
+            with urllib.request.urlopen(req, timeout=10) as resp:
+                result = resp.read().decode()
+                log(f"Added package to pyLoad: {result}")
+        except urllib.error.HTTPError as e:
+            body = e.read().decode() if e.fp else ""
+            log(f"Failed to add package: {e.code} {e.reason} - {body}")
+            raise
+        except urllib.error.URLError as e:
+            log(f"Failed to add package: {e}")
+            raise
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Click'n'Load proxy for pyLoad")
+    parser.add_argument("--port", type=int, default=9666, help="Port to listen on")
+    parser.add_argument("--host", default="127.0.0.1", help="Host to bind to")
+    parser.add_argument("--pyload-url", help="pyLoad URL (e.g., https://pyload.example.com)")
+    parser.add_argument("--pyload-user", help="pyLoad username")
+    parser.add_argument("--pyload-pass", help="pyLoad password")
+    parser.add_argument("--config", help="Config file with pyLoad credentials (JSON)")
+    args = parser.parse_args()
+
+    # Load config from file if provided
+    if args.config:
+        with open(args.config) as f:
+            config = json.load(f)
+            args.pyload_url = config.get("pyloadUrl", args.pyload_url)
+            args.pyload_user = config.get("pyloadUser", args.pyload_user)
+            args.pyload_pass = config.get("pyloadPW", args.pyload_pass)
+
+    ClickNLoadHandler.pyload_url = args.pyload_url
+    ClickNLoadHandler.pyload_user = args.pyload_user
+    ClickNLoadHandler.pyload_pass = args.pyload_pass
+
+    server = HTTPServer((args.host, args.port), ClickNLoadHandler)
+    log(f"Click'n'Load proxy listening on {args.host}:{args.port}")
+    if args.pyload_url:
+        log(f"Forwarding to pyLoad at {args.pyload_url}")
+    else:
+        log("No pyLoad URL configured, will print links to stdout")
+
+    try:
+        server.serve_forever()
+    except KeyboardInterrupt:
+        log("Shutting down")
+        server.shutdown()
+
+
+if __name__ == "__main__":
+    main()

utils/pkgs/clicknload-proxy/default.nix

@@ -0,0 +1,34 @@
+{ lib
+, python3
+, makeWrapper
+}:
+
+let
+  python = python3.withPackages (ps: [ ps.pycryptodome ]);
+in
+python3.pkgs.buildPythonApplication {
+  pname = "clicknload-proxy";
+  version = "1.0.0";
+  format = "other";
+
+  src = ./.;
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  propagatedBuildInputs = [ python3.pkgs.pycryptodome ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp clicknload-proxy.py $out/bin/clicknload-proxy
+    chmod +x $out/bin/clicknload-proxy
+
+    wrapProgram $out/bin/clicknload-proxy \
+      --prefix PYTHONPATH : "${python}/${python.sitePackages}"
+  '';
+
+  meta = with lib; {
+    description = "Click'n'Load proxy that forwards links to pyLoad";
+    license = licenses.mit;
+    mainProgram = "clicknload-proxy";
+  };
+}

utils/pkgs/pyload-ng/default.nix

@@ -6,12 +6,17 @@ pyload-ng.overridePythonAttrs (oldAttrs: rec {
   src = fetchFromGitHub {
     owner = "pyload";
     repo = "pyload";
-    rev = "3115740a2210fd57b5d050cd0850a0e61ec493ed"; # [DdownloadCom] fix #4537
+    rev = "71f2700184ee9344dc313d9833ca7a6bb36007db"; # [DdownloadCom] fix #4537
-    hash = "sha256-g1eEeNnr3Axtr+0BJzMcNQomTEX4EsUG1Jxt+huPyoc=";
+    hash = "sha256-XAa+XbC3kko+zvEMZkPXRoaHAmEFGsNBDxysX+X06Jc=";
   };
 
+  patches = [
+    ./patches/declarative-env-config.patch
+  ];
+
   # Add new dependencies required in newer versions
   propagatedBuildInputs = (oldAttrs.propagatedBuildInputs or []) ++ (with python3Packages; [
+    aia-chaser
     mini-racer
     packaging
     pydantic

utils/pkgs/pyload-ng/patches/declarative-env-config.patch

@@ -0,0 +1,38 @@
+--- a/src/pyload/core/__init__.py
++++ b/src/pyload/core/__init__.py
+@@ -130,6 +130,14 @@ class Core:
+         else:
+             self._debug = max(0, int(debug))
+ 
++        # Process core config environment variables (NixOS declarative config)
++        for env, value in os.environ.items():
++            if not env.startswith("PYLOAD__"):
++                continue
++            parts = env.removeprefix("PYLOAD__").lower().split("__", 1)
++            if len(parts) == 2 and parts[0] in self.config.config:
++                self.config.set(parts[0], parts[1], value)
++
+         # If no argument set, read storage dir from config file,
+         # otherwise save setting to config dir
+         if storagedir is None:
+@@ -226,6 +234,20 @@ class Core:
+         self.acm = self.account_manager = AccountManager(self)
+         self.thm = self.thread_manager = ThreadManager(self)
+         self.cpm = self.captcha_manager = CaptchaManager(self)
++
++        # Process plugin config environment variables BEFORE AddonManager (NixOS declarative config)
++        # This must happen before AddonManager reads the enabled flag to decide which addons to start
++        # Build case-insensitive lookup map for plugin names
++        plugin_name_map = {name.lower(): name for name in self.config.plugin.keys()}
++
++        for env, value in os.environ.items():
++            if not env.startswith("PYLOAD__"):
++                continue
++            parts = env.removeprefix("PYLOAD__").lower().split("__", 1)
++            if len(parts) == 2 and parts[0] in plugin_name_map:
++                actual_plugin_name = plugin_name_map[parts[0]]
++                self.config.set_plugin(actual_plugin_name, parts[1], value)
++
+         self.adm = self.addon_manager = AddonManager(self)
+ 
+     def _setup_permissions(self):

utils/pkgs/pyload-ng/update.sh

@@ -7,9 +7,10 @@ GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 
-# Script directory
+# Script and repo directories
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$(dirname "${BASH_SOURCE[0]}")"
-REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+PKG_DIR="$(pwd)"
+REPO_ROOT="$(cd ../../.. && pwd)"
 
 # Check if commit SHA is provided
 if [ $# -ne 1 ]; then
@@ -34,7 +35,7 @@ fi
 echo -e "${GREEN}==> Updating pyload-ng to commit: ${COMMIT_SHA}${NC}"
 
 # File to update
-PKG_FILE="$REPO_ROOT/utils/pkgs/pyload-ng-updated.nix"
+PKG_FILE="$PKG_DIR/default.nix"
 
 if [ ! -f "$PKG_FILE" ]; then
     echo -e "${RED}Error: Package file not found: $PKG_FILE${NC}"
@@ -53,7 +54,8 @@ echo "  ✓ Updated hash in $PKG_FILE"
 
 # Step 3: Build package to discover the correct hash
 echo -e "${YELLOW}Step 3: Building package to discover hash...${NC}"
-BUILD_OUTPUT=$(nix-build --impure -E "with import <nixpkgs> { overlays = [ (import $REPO_ROOT/utils/overlays/packages.nix) ]; }; callPackage $PKG_FILE { }" 2>&1 || true)
+cd "$REPO_ROOT"
+BUILD_OUTPUT=$(nix-build --impure -E "with import <nixpkgs> { overlays = [ (import ./utils/overlays/packages.nix) ]; }; callPackage ./utils/pkgs/pyload-ng { }" 2>&1 || true)
 
 # Extract hash from error message
 HASH=$(echo "$BUILD_OUTPUT" | grep -oP '\s+got:\s+\Ksha256-[A-Za-z0-9+/=]+' | head -1)
@@ -74,7 +76,7 @@ echo "  ✓ Updated hash in $PKG_FILE"
 
 # Step 5: Verify the build succeeds
 echo -e "${YELLOW}Step 5: Verifying build with correct hash...${NC}"
-if nix-build --impure -E "with import <nixpkgs> { overlays = [ (import $REPO_ROOT/utils/overlays/packages.nix) ]; }; callPackage $PKG_FILE { }" > /dev/null 2>&1; then
+if nix-build --impure -E "with import <nixpkgs> { overlays = [ (import ./utils/overlays/packages.nix) ]; }; callPackage ./utils/pkgs/pyload-ng { }" > /dev/null 2>&1; then
     echo "  ✓ Build verification successful"
 else
     echo -e "${RED}Error: Build verification failed${NC}"
@@ -83,7 +85,6 @@ fi
 
 # Step 6: Test configuration for fw host (which uses pyload)
 echo -e "${YELLOW}Step 6: Testing fw configuration...${NC}"
-cd "$REPO_ROOT"
 if ./scripts/test-configuration fw > /dev/null 2>&1; then
     echo "  ✓ Configuration test passed"
 else