meta: add AI agent rules and skills

Create a modular, context-aware style guide for AI code assistants. - Add nixos-architecture skill for .nix file generation and networking patterns - Add dns-management rule to enforce Bind9 SOA serial increments - Add cicd-networking rule for direct-IP runner authentication - Add git-workflow rule to enforce conventional and atomic commits
2026-03-17 22:52:15 +01:00
27 changed files with 162 additions and 253 deletions
--- a/.agent/rules/ci-cd-networking-constraints.md
+++ b/.agent/rules/ci-cd-networking-constraints.md
@ -0,0 +1,13 @@
+---
+name: cicd-networking
+description: Networking constraints for CI/CD workflow files (Gitea/GitHub Actions).
+globs: [".github/workflows/.yml", ".github/workflows/.yaml", ".gitea/workflows/.yml", ".gitea/workflows/.yaml"]
+---
+
+# Bos55 CI/CD Networking Constraints
+
+When generating or modifying CI/CD workflows, strictly follow these networking practices:
+
+1. **IP-Based Login for Reliability**
+   - When CI runners (like Gitea Actions) need to interact with internal services for authentication or deployment, always use direct IP addresses (e.g., `192.168.0.25`) for machine-to-machine login steps.
+   - **Why?** This bypasses potential DNS resolution issues or delays within the isolated runner environment, ensuring maximum robustness during automated CI/CD runs.
--- a/.agent/rules/dns-management.md
+++ b/.agent/rules/dns-management.md
@ -0,0 +1,14 @@
+---
+name: dns-management
+description: Hard constraints for modifying Bind9 DNS zone files.
+globs: ["db.", ".zone"]
+---
+
+# Bos55 DNS Management Constraints
+
+When modifying or generating Bind9 zone files, you MUST strictly adhere to the following rules:
+
+1. **Serial Increment (CRITICAL)**
+   - Every single time you modify a Bind9 zone file (e.g., `db.depeuter.dev`), you MUST increment the Serial number in the SOA record. Failure to do so will cause DNS propagation to fail.
+2. **Domain Name Specificity**
+   - Prefer a single, well-defined explicit domain (e.g., `nix-cache.depeuter.dev`) instead of creating multiple aliases or using magic values. Keep records clean and explicit.
--- a/.agent/rules/git-workflow.md
+++ b/.agent/rules/git-workflow.md
@ -0,0 +1,21 @@
+---
+name: git-workflow
+description: Rules for generating Git commit messages and managing branch workflows.
+globs: ["COMMIT_EDITMSG", ".git/*"]
+---
+
+# Git Workflow Constraints
+
+When generating commit messages, reviewing code for a commit, or planning a branch workflow, strictly follow these standards:
+
+1. **Commit Formatting**
+   - **Conventional Commits**: You MUST format all commit messages using conventional prefixes: `feat:`, `fix:`, `docs:`, `refactor:`, `ci:`, `meta:`.
+   - **Clarity**: Ensure the message clearly explains *what* changed and *why*.
+2. **Atomic Commits**
+   - Group changes by a single logical concern.
+   - NEVER mix documentation updates, core infrastructure code, and style guide changes in the same commit.
+   - Ensure that the generated commit is easily revertible without breaking unrelated features.
+3. **Branching Workflow**
+   - Always assume changes will be pushed to a feature branch to create a Pull Request.
+   - Do not suggest or generate commands that push directly to the main branch.
+
--- a/.agent/skills/nixos-architecture/SKILL.md
+++ b/.agent/skills/nixos-architecture/SKILL.md
@ -0,0 +1,47 @@
+---
+name: bos55-nix-architecture
+description: Implementation patterns for NixOS configurations, networking, and service modules.
+globs: [".nix", "hosts/**/", "modules//*", "secrets//*"]
+---
+
+# NixOS Architecture Skill
+
+When generating or modifying NixOS configuration files for the Bos55 project, strictly adhere to the following architectural patterns:
+
+## 1. Minimal Hardcoding & Dynamic Discovery
+
+- **Local IP Ownership**: Define IPv4/IPv6 addresses **only** within their respective host configuration files (e.g., `hosts/<HostName>/default.nix`). Do not use global IP mapping modules.
+- **Inter-Host Discovery**: Resolve a host's IP or port by evaluating its configuration at build time. Never hardcode another host's IP.
+  **Pattern Example**:
+  ```
+  let
+    bcConfig = inputs.self.nixosConfigurations.BinaryCache.config;
+    bcIp = (pkgs.lib.head bcConfig.networking.interfaces.ens18.ipv4.addresses).address;
+  in "http://${bcIp}:8080"
+  ```
+- **Unified Variables**: Use local variables (e.g., `let dbName = "attic"; in ...`) for shared values between host services and containers to ensure consistency.
+
+## 2. Modular Service Encapsulation
+
+- **Self-Contained Modules**: Service modules (`modules/services/<service>/default.nix`) must manage their own configurations. Prefer `lib.mkOption` over hardcoded strings for domains, ports, and credentials.
+- **Firewall Responsibility**: Open ports (e.g., TCP 8080, SSH 22) directly within the service module based on its own options. Do not open service ports manually in host files.
+- **Remote Builders**: Define `nix.settings.trusted-users`, `builder` user, and SSH rules directly within the service module if it supports remote building (e.g., Attic).
+
+## 3. Networking & Connectivity
+
+- **Container-to-Host**: Host services must connect to companion containers using the container name, not the bridge IP or `localhost`.
+- **Host Resolution**: Map the container name to `127.0.0.1` using `networking.extraHosts` in the host service module to route traffic seamlessly.
+- **Domain Deferral**: Client modules must defer their default domain settings to the server module's defined domain option.
+
+## 4. Secrets Management
+
+- **Sops-Nix Exclusivity**: Manage all secrets via `sops-nix`.
+- **Centralized Config**: Rely on `modules/common/default.nix` for fleet-wide settings like `defaultSopsFile` and `age.keyFile`.
+- **References**: Always reference credentials dynamically using `config.sops.secrets."path/to/secret".path`.
+
+## 5. Security & Documentation
+
+- **Supply Chain Protection**: Always verify and lock Nix flake inputs. Use fixed-output derivations for external resource downloads.
+- **Assumptions Documentation**: Clearly document environment assumptions (e.g., Proxmox virtualization, Tailscale networking, and specific IP ranges) in host or service READMEs.
+- **Project Structure**: Maintain the strict separation of `hosts/`, `modules/`, `users/`, and `secrets/` to ensure clear ownership and security boundaries.
+
--- a/README.md
+++ b/README.md
@ -1,64 +0,0 @@
-# Bos55 NixOS Config
-
-Automated CI/CD deployment for NixOS homelab using `deploy-rs`.
-
-## Repository Structure
-
- `hosts/`: Host-specific configurations.
- `modules/`: Shared NixOS modules.
- `users/`: User definitions (including the `deploy` user).
- `secrets/`: Encrypted secrets via `sops-nix`.
-
-## Deployment Workflow
-
-### Prerequisites
- SSH access to the `deploy` user on target hosts.
- `deploy-rs` installed locally (`nix profile install github:serokell/deploy-rs`).
-
-### Deployment Modes
-
-1.  **Production Deployment (main branch):**
-    Triggered on push to `main`. Automatically builds and switches all hosts. bootloader is updated.
-    Manual: `deploy .`
-
-2.  **Test Deployment (test-<hostname> branch):**
-    Triggered on push to `test-<hostname>`. Builds and activates the configuration on the specific host **without** updating the bootloader. Reboots will revert to the previous generation.
-    Manual: `deploy .#<hostname>.test`
-
-3.  **Kernel Upgrades / Maintenance:**
-    Use `deploy .#<hostname>.system --boot` to update the bootloader without immediate activation, followed by a manual reboot.
-
-## Local Development
-
-### 1. Developer Shell
-This repository includes a standardized development environment containing all necessary tools (`deploy-rs`, `sops`, `age`, etc.).
-```bash
-nix develop
-# or if using direnv
-direnv allow
-```
-
-### 2. Build a host VM
-You can build a QEMU VM for any host configuration to test changes locally:
-```bash
-nix build .#nixosConfigurations.<hostname>.config.system.build.vm
-./result/bin/run-<hostname>-vm
-```
-
-> [!WARNING]
-> **Network Conflict**: Default VMs use user-mode networking (NAT) which is safe. However, if you configure the VM to use bridge networking, it will attempt to use the static IP defined in `hostIp`. Ensure you do not have a physical host with that IP active on the same bridge to avoid network interference.
-
-### 3. Run Integration Tests
-Run the automated test suite:
-```bash
-nix-build test/vm-test.nix
-```
-
-### 3. Test CI Workflows Locally
-Use `act` to test the GitHub Actions workflows:
-```bash
-act -W .github/workflows/check.yml
-```
-
-## Security
-See [SECURITY.md](SECURITY.md) for details on the trust model and secret management.
--- a/flake.nix
+++ b/flake.nix
@ -13,85 +13,52 @@
      url = "github:gytis-ivaskevicius/flake-utils-plus";
      inputs.flake-utils.follows = "flake-utils";
    };
-    deploy-rs = {
-      url = "github:serokell/deploy-rs";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
  };

  outputs = inputs@{
    self, nixpkgs,
-    flake-utils, sops-nix, utils, deploy-rs,
+    flake-utils, sops-nix, utils,
    ...
  }:
  let
    system = utils.lib.system.x86_64-linux;
-    lib = nixpkgs.lib;
  in
-    utils.lib.mkFlake {
-      inherit self inputs;
+  utils.lib.mkFlake {
+    inherit self inputs;

-      hostDefaults.modules = [
+    hostDefaults = {
+      inherit system;
+
+      modules = [
        ./modules
        ./users
+
        sops-nix.nixosModules.sops
-        ({ self, ... }: {
-          sops.defaultSopsFile = "${self}/secrets/secrets.yaml";
-          sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-        })
-        ({ self, ... }: {
-          sops.defaultSopsFile = "${self}/secrets/secrets.yaml";
-          sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-        })
      ];
-
-      hosts = {
-        # Infrastructure
-        Niko.modules        = [ ./hosts/Niko        ];
-        Ingress.modules     = [ ./hosts/Ingress     ];
-        Gitea.modules       = [ ./hosts/Gitea       ];
-        Vaultwarden.modules = [ ./hosts/Vaultwarden ];
-
-        # Production
-        Binnenpost.modules    = [ ./hosts/Binnenpost    ];
-        Production.modules    = [ ./hosts/Production    ];
-        ProductionGPU.modules = [ ./hosts/ProductionGPU ];
-        ProductionArr.modules = [ ./hosts/ProductionArr ];
-        ACE.modules           = [ ./hosts/ACE           ];
-
-        # Lab
-        Template.modules    = [ ./hosts/Template    ];
-        Development.modules = [ ./hosts/Development ];
-        Testing.modules     = [ ./hosts/Testing     ];
-      };
-
-      deploy.nodes = let
-        pkg = deploy-rs.lib.${system};
-        isDeployable = nixos: (nixos.config.homelab.users.deploy.enable or false) && (nixos.config.homelab.networking.hostIp != null);
-      in
-      builtins.mapAttrs (_: nixos: {
-        hostname = nixos.config.homelab.networking.hostIp;
-        sshUser  = "deploy";
-        user     = "root";
-        profiles.system.path = pkg.activate.nixos nixos;
-        profiles.test.path   = pkg.activate.custom nixos.config.system.build.toplevel ''
-          $PROFILE/bin/switch-to-configuration test
-        '';
-      }) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);
-
-      checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
-
-      outputsBuilder = channels: {
-        formatter = channels.nixpkgs.alejandra;
-        devShells.default = channels.nixpkgs.mkShell {
-          name = "homelab-dev";
-          buildInputs = [
-            deploy-rs.packages.${system}.deploy-rs
-            channels.nixpkgs.sops
-            channels.nixpkgs.age
-          ];
-          shellHook = "echo '🛡️ Homelab Development Shell Loaded'";
-        };
-      };
    };
+
+    hosts = {
+      # Physical hosts
+      Niko.modules          = [ ./hosts/Niko          ];
+
+      # Virtual machines
+
+      # Single-service
+      Ingress.modules       = [ ./hosts/Ingress       ];
+      Gitea.modules         = [ ./hosts/Gitea         ];
+      Vaultwarden.modules   = [ ./hosts/Vaultwarden   ];
+
+      # Production multi-service
+      Binnenpost.modules    = [ ./hosts/Binnenpost    ];
+      Production.modules    = [ ./hosts/Production    ];
+      ProductionGPU.modules = [ ./hosts/ProductionGPU ];
+      ProductionArr.modules = [ ./hosts/ProductionArr ];
+      ACE.modules           = [ ./hosts/ACE           ];
+
+      # Others
+      Template.modules      = [ ./hosts/Template      ];
+      Development.modules   = [ ./hosts/Development   ];
+      Testing.modules       = [ ./hosts/Testing       ];
+    };
+  };
 }
--- a/hosts/ACE/default.nix
+++ b/hosts/ACE/default.nix
@ -1,12 +1,10 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:

 {
  config = {
    homelab = {
-      networking.hostIp = "192.168.0.41";
      services.actions.enable = true;
      virtualisation.guest.enable = true;
-      users.deploy.enable = true;
    };

    networking = {
@ -26,7 +24,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.41";
            prefixLength = 24;
          }
        ];
--- a/hosts/Binnenpost/default.nix
+++ b/hosts/Binnenpost/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:

 {
  config = {
@ -13,14 +13,12 @@
    };

    homelab = {
-      networking.hostIp = "192.168.0.89";
      apps = {
        speedtest.enable = true;
        technitiumDNS.enable = true;
        traefik.enable = true;
      };
      virtualisation.guest.enable = true;
-      users.deploy.enable = true;
    };

    networking = {
@ -45,7 +43,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.89";
            prefixLength = 24;
          }
        ];
--- a/hosts/Development/default.nix
+++ b/hosts/Development/default.nix
@ -3,7 +3,6 @@
 {
  config = {
    homelab = {
-      networking.hostIp = "192.168.0.91";
      apps = {
        bind9.enable = true;
        homepage = {
@ -14,7 +13,6 @@
        plex.enable = true;
      };
      virtualisation.guest.enable = true;
-      users.deploy.enable = true;
    };

    networking = {
@ -38,7 +36,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.91";
            prefixLength = 24;
          }
        ];
@ -61,8 +59,7 @@
        environment = {
          # NOTE Required
          # The email address used when setting up the initial administrator account to login to pgAdmin.
-          # TODO Hugo: Populate 'pgadmin_email' in sops.
-          PGADMIN_DEFAULT_EMAIL = config.sops.placeholder.pgadmin_email or "pgadmin-admin@example.com";
+          PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com";
          # NOTE Required
          # The password used when setting up the initial administrator account to login to pgAdmin.
          PGADMIN_DEFAULT_PASSWORD = "ChangeMe";
--- a/hosts/Gitea/default.nix
+++ b/hosts/Gitea/default.nix
@ -3,12 +3,9 @@
 {
  config = {
    homelab = {
-      networking.hostIp = "192.168.0.24";
      apps.gitea.enable = true;
      virtualisation.guest.enable = true;

-      users.deploy.enable = true;
-
      users.admin = {
        enable = true;
        authorizedKeys = [
@ -31,7 +28,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.24";
            prefixLength = 24;
          }
        ];
--- a/hosts/Ingress/default.nix
+++ b/hosts/Ingress/default.nix
@ -2,11 +2,7 @@

 {
  config = {
-    homelab = {
-      networking.hostIp = "192.168.0.10";
-      virtualisation.guest.enable = true;
-      users.deploy.enable = true;
-    };
+    homelab.virtualisation.guest.enable = true;

    networking = {
      hostName = "Ingress";
@ -23,8 +19,8 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
-            prefixLength = 24;
+            address = "192.168.0.10";
+prefixLength = 24;
          }
        ];
      };
@ -43,7 +39,6 @@
      };
    };

-
    security.acme = {
      acceptTerms = true;
      defaults = {
@ -51,7 +46,7 @@
        dnsPropagationCheck = true;
        dnsProvider = "cloudflare";
        dnsResolver = "1.1.1.1:53";
-        email = config.sops.placeholder.acme_email or "acme-email@example.com";
+        email = "tibo.depeuter@telenet.be";
        credentialFiles = {
          CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token";
        };
--- a/hosts/Isabel/default.nix
+++ b/hosts/Isabel/default.nix
@ -165,7 +165,7 @@ providers:
            # Certificates
            "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
            "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-            "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
+            "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
            "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"

            # Additional routes
@ -176,8 +176,8 @@ providers:
            # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
          ];
          environment = {
-            # TODO Hugo: Populate 'cloudflare_dns_token' in sops.
-            "CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER";
+            # TODO Hide this!
+            "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
          };
          environmentFiles = [
          ];
--- a/hosts/Niko/default.nix
+++ b/hosts/Niko/default.nix
@ -7,7 +7,6 @@
  ];

  homelab = {
-    networking.hostIp = "192.168.0.11";
    apps = {
      technitiumDNS.enable = true;
      traefik.enable = true;
--- a/hosts/Production/default.nix
+++ b/hosts/Production/default.nix
@ -3,13 +3,11 @@
 {
  config = {
    homelab = {
-      networking.hostIp = "192.168.0.31";
      apps = {
        calibre.enable = true;
        traefik.enable = true;
      };
      virtualisation.guest.enable = true;
-      users.deploy.enable = true;
    };

    networking = {
@ -33,7 +31,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.31";
            prefixLength = 24;
          }
        ];
--- a/hosts/ProductionArr/default.nix
+++ b/hosts/ProductionArr/default.nix
@ -3,13 +3,11 @@
 {
  config = {
    homelab = {
-      networking.hostIp = "192.168.0.33";
      apps = {
        arr.enable = true;
        traefik.enable = true;
      };
      virtualisation.guest.enable = true;
-      users.deploy.enable = true;
    };

    networking = {
@ -33,7 +31,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.33";
            prefixLength = 24;
          }
        ];
--- a/hosts/ProductionGPU/default.nix
+++ b/hosts/ProductionGPU/default.nix
@ -3,10 +3,8 @@
 {
  config = {
    homelab = {
-      networking.hostIp = "192.168.0.94";
      apps.jellyfin.enable = true;
      virtualisation.guest.enable = true;
-      users.deploy.enable = true;
    };

    networking = {
@ -30,7 +28,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.94";
            prefixLength = 24;
          }
        ];
--- a/hosts/Testing/default.nix
+++ b/hosts/Testing/default.nix
@ -3,13 +3,11 @@
 {
  config = {
    homelab = {
-      networking.hostIp = "192.168.0.92";
      apps = {
        freshrss.enable = true;
        traefik.enable = true;
      };
      virtualisation.guest.enable = true;
-      users.deploy.enable = true;
    };

    networking = {
@ -34,7 +32,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.92";
            prefixLength = 24;
          }
        ];
--- a/hosts/Vaultwarden/default.nix
+++ b/hosts/Vaultwarden/default.nix
@ -3,7 +3,6 @@
 {
  config = {
    homelab = {
-      networking.hostIp = "192.168.0.22";
      apps.vaultwarden = {
        enable = true;
        domain = "https://vault.depeuter.dev";
@ -11,15 +10,11 @@
      };
      virtualisation.guest.enable = true;

-      users = {
-        deploy.enable = true;
-
-        admin = {
-          enable = true;
-          authorizedKeys = [
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
-          ];
-        };
+      users.admin = {
+        enable = true;
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
+        ];
      };
    };

@ -37,7 +32,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.22";
            prefixLength = 24;
          }
        ];
--- a/modules/apps/gitea/default.nix
+++ b/modules/apps/gitea/default.nix
@ -496,8 +496,7 @@ in {
          #FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
          # Mail from address, RFC 5322. This can be just an email address, or the
          # `"Name" <email@example.com>` format.
-          # TODO Hugo: Populate 'gitea_mailer_from' in sops.
-          FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com";
+          FORGEJO__mailer__FROM = ''"${title}" <git@depeuter.dev>'';
          # Sometimes it is helpful to use a different address on the envelope. Set this to use
          # ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
          #FORGEJO__mailer__ENVELOPE_FROM = "";
--- a/modules/apps/traefik/default.nix
+++ b/modules/apps/traefik/default.nix
@ -72,7 +72,7 @@ in {
        # Certificates
        "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
        "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-        "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
+        "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
        "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      ];
      volumes = [
--- a/modules/apps/vaultwarden/default.nix
+++ b/modules/apps/vaultwarden/default.nix
@ -344,7 +344,6 @@ in {
          # ORG_CREATION_USERS=none
          ## A comma-separated list means only those users can create orgs:
          # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
-          # TODO Hugo: Redact org creation users if needed.
          
          ## Invitations org admins to invite users, even when signups are disabled
          # INVITATIONS_ALLOWED=true
@ -591,7 +590,7 @@ in {
          ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
          ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
          SMTP_HOST = "smtp.gmail.com";
-          SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
+          SMTP_FROM = "vault@depeuter.dev";
          SMTP_FROM_NAME = cfg.name;
          # SMTP_USERNAME=username
          # SMTP_PASSWORD=password
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@ -1,9 +1,4 @@
 {
-  imports = [
-    ./networking.nix
-    ./secrets.nix
-  ];
-
  config = {
    homelab = {
      services.openssh.enable = true;
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@ -1,19 +0,0 @@
-{ config, lib, ... }:
-
-{
-  options.homelab.networking = {
-    hostIp = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-      description = ''
-        The primary IP address of the host. 
-        Used for automated deployment and internal service discovery.
-      '';
-    };
-  };
-
-  config = lib.mkIf (config.homelab.networking.hostIp != null) {
-    # If a hostIp is provided, we can potentially use it to configure 
-    # networking interfaces or firewall rules automatically here in the future.
-  };
-}
--- a/modules/common/secrets.nix
+++ b/modules/common/secrets.nix
@ -1,18 +0,0 @@
-{ config, lib, ... }:
-
-{
-  sops.secrets = {
-    # -- User Public Keys (Anti-Fingerprinting) --
-    "user_keys_admin" = { neededForUsers = true; };
-    "user_keys_deploy" = { neededForUsers = true; };
-    "user_keys_backup" = { neededForUsers = true; };
-
-    # -- Infrastructure Metadata --
-    # Hugo TODO: Populate these in your .sops.yaml / secrets file
-    "acme_email" = {};
-    "cloudflare_dns_token" = {};
-    "pgadmin_email" = {};
-    "gitea_mailer_from" = {};
-    "vaultwarden_smtp_from" = {};
-  };
-}
--- a/users/admin/default.nix
+++ b/users/admin/default.nix
@ -26,9 +26,7 @@ in {
        config.users.groups.wheel.name # Enable 'sudo' for the user.
      ];
      initialPassword = "ChangeMe";
-      openssh.authorizedKeys.keyFiles = [
-        config.sops.secrets.user_keys_admin.path
-      ];
+      openssh.authorizedKeys.keys = cfg.authorizedKeys;
      packages = with pkgs; [
        curl
        git
--- a/users/backup/default.nix
+++ b/users/backup/default.nix
@ -12,8 +12,9 @@ in {
      extraGroups = [
        "docker" # Allow access to the docker socket.
      ];
-      openssh.authorizedKeys.keyFiles = [
-        config.sops.secrets.user_keys_backup.path
+      openssh.authorizedKeys.keys = [
+        # Hugo
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh"
      ];
    };
  };
--- a/users/deploy/default.nix
+++ b/users/deploy/default.nix
@ -3,19 +3,7 @@
 let
  cfg = config.homelab.users.deploy;
 in {
-  options.homelab.users.deploy = {
-    enable = lib.mkEnableOption "user Deploy";
-
-    authorizedKeys = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [];
-      description = ''
-        Additional SSH public keys authorized for the deploy user.
-        The CI runner key should be provided as a base key; personal
-        workstation keys can be appended here per host or globally.
-      '';
-    };
-  };
+  options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";

  config = lib.mkIf cfg.enable {
    users = {
@ -27,15 +15,12 @@ in {
        isSystemUser = true;
        home = "/var/empty";
        shell = pkgs.bashInteractive;
-        openssh.authorizedKeys.keyFiles = [
-          config.sops.secrets.user_keys_deploy.path
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
        ];
      };
    };

-    # Allow the deploy user to push closures to the nix store
-    nix.settings.trusted-users = [ "deploy" ];
-
    security.sudo.extraRules = [
      {
        groups = [