meta: add AI agent rules and skills

Create a modular, context-aware style guide for AI code assistants. - Add nixos-architecture skill for .nix file generation and networking patterns - Add dns-management rule to enforce Bind9 SOA serial increments - Add cicd-networking rule for direct-IP runner authentication - Add git-workflow rule to enforce conventional and atomic commits
2026-03-17 22:52:15 +01:00
27 changed files with 162 additions and 253 deletions
--- a/.agent/rules/ci-cd-networking-constraints.md
+++ b/.agent/rules/ci-cd-networking-constraints.md
@ -0,0 +1,13 @@
 ---
 name: cicd-networking
 description: Networking constraints for CI/CD workflow files (Gitea/GitHub Actions).
 globs: [".github/workflows/.yml", ".github/workflows/.yaml", ".gitea/workflows/.yml", ".gitea/workflows/.yaml"]
 ---
 # Bos55 CI/CD Networking Constraints
 When generating or modifying CI/CD workflows, strictly follow these networking practices:
 1. **IP-Based Login for Reliability**
   - When CI runners (like Gitea Actions) need to interact with internal services for authentication or deployment, always use direct IP addresses (e.g., `192.168.0.25`) for machine-to-machine login steps.
   - **Why?** This bypasses potential DNS resolution issues or delays within the isolated runner environment, ensuring maximum robustness during automated CI/CD runs.
--- a/.agent/rules/dns-management.md
+++ b/.agent/rules/dns-management.md
@ -0,0 +1,14 @@
 ---
 name: dns-management
 description: Hard constraints for modifying Bind9 DNS zone files.
 globs: ["db.", ".zone"]
 ---
 # Bos55 DNS Management Constraints
 When modifying or generating Bind9 zone files, you MUST strictly adhere to the following rules:
 1. **Serial Increment (CRITICAL)**
   - Every single time you modify a Bind9 zone file (e.g., `db.depeuter.dev`), you MUST increment the Serial number in the SOA record. Failure to do so will cause DNS propagation to fail.
 2. **Domain Name Specificity**
   - Prefer a single, well-defined explicit domain (e.g., `nix-cache.depeuter.dev`) instead of creating multiple aliases or using magic values. Keep records clean and explicit.
--- a/.agent/rules/git-workflow.md
+++ b/.agent/rules/git-workflow.md
@ -0,0 +1,21 @@
 ---
 name: git-workflow
 description: Rules for generating Git commit messages and managing branch workflows.
 globs: ["COMMIT_EDITMSG", ".git/*"]
 ---
 # Git Workflow Constraints
 When generating commit messages, reviewing code for a commit, or planning a branch workflow, strictly follow these standards:
 1. **Commit Formatting**
   - **Conventional Commits**: You MUST format all commit messages using conventional prefixes: `feat:`, `fix:`, `docs:`, `refactor:`, `ci:`, `meta:`.
   - **Clarity**: Ensure the message clearly explains *what* changed and *why*.
 2. **Atomic Commits**
   - Group changes by a single logical concern.
   - NEVER mix documentation updates, core infrastructure code, and style guide changes in the same commit.
   - Ensure that the generated commit is easily revertible without breaking unrelated features.
 3. **Branching Workflow**
   - Always assume changes will be pushed to a feature branch to create a Pull Request.
   - Do not suggest or generate commands that push directly to the main branch.
--- a/.agent/skills/nixos-architecture/SKILL.md
+++ b/.agent/skills/nixos-architecture/SKILL.md
@ -0,0 +1,47 @@
 ---
 name: bos55-nix-architecture
 description: Implementation patterns for NixOS configurations, networking, and service modules.
 globs: [".nix", "hosts/**/", "modules//*", "secrets//*"]
 ---
 # NixOS Architecture Skill
 When generating or modifying NixOS configuration files for the Bos55 project, strictly adhere to the following architectural patterns:
 ## 1. Minimal Hardcoding & Dynamic Discovery
 - **Local IP Ownership**: Define IPv4/IPv6 addresses **only** within their respective host configuration files (e.g., `hosts/<HostName>/default.nix`). Do not use global IP mapping modules.
 - **Inter-Host Discovery**: Resolve a host's IP or port by evaluating its configuration at build time. Never hardcode another host's IP.
  **Pattern Example**:
  ```
  let
    bcConfig = inputs.self.nixosConfigurations.BinaryCache.config;
    bcIp = (pkgs.lib.head bcConfig.networking.interfaces.ens18.ipv4.addresses).address;
  in "http://${bcIp}:8080"
  ```
 - **Unified Variables**: Use local variables (e.g., `let dbName = "attic"; in ...`) for shared values between host services and containers to ensure consistency.
 ## 2. Modular Service Encapsulation
 - **Self-Contained Modules**: Service modules (`modules/services/<service>/default.nix`) must manage their own configurations. Prefer `lib.mkOption` over hardcoded strings for domains, ports, and credentials.
 - **Firewall Responsibility**: Open ports (e.g., TCP 8080, SSH 22) directly within the service module based on its own options. Do not open service ports manually in host files.
 - **Remote Builders**: Define `nix.settings.trusted-users`, `builder` user, and SSH rules directly within the service module if it supports remote building (e.g., Attic).
 ## 3. Networking & Connectivity
 - **Container-to-Host**: Host services must connect to companion containers using the container name, not the bridge IP or `localhost`.
 - **Host Resolution**: Map the container name to `127.0.0.1` using `networking.extraHosts` in the host service module to route traffic seamlessly.
 - **Domain Deferral**: Client modules must defer their default domain settings to the server module's defined domain option.
 ## 4. Secrets Management
 - **Sops-Nix Exclusivity**: Manage all secrets via `sops-nix`.
 - **Centralized Config**: Rely on `modules/common/default.nix` for fleet-wide settings like `defaultSopsFile` and `age.keyFile`.
 - **References**: Always reference credentials dynamically using `config.sops.secrets."path/to/secret".path`.
 ## 5. Security & Documentation
 - **Supply Chain Protection**: Always verify and lock Nix flake inputs. Use fixed-output derivations for external resource downloads.
 - **Assumptions Documentation**: Clearly document environment assumptions (e.g., Proxmox virtualization, Tailscale networking, and specific IP ranges) in host or service READMEs.
 - **Project Structure**: Maintain the strict separation of `hosts/`, `modules/`, `users/`, and `secrets/` to ensure clear ownership and security boundaries.
--- a/README.md
+++ b/README.md
@ -1,64 +0,0 @@
 # Bos55 NixOS Config
 Automated CI/CD deployment for NixOS homelab using `deploy-rs`.
 ## Repository Structure
 - `hosts/`: Host-specific configurations.
 - `modules/`: Shared NixOS modules.
 - `users/`: User definitions (including the `deploy` user).
 - `secrets/`: Encrypted secrets via `sops-nix`.
 ## Deployment Workflow
 ### Prerequisites
 - SSH access to the `deploy` user on target hosts.
 - `deploy-rs` installed locally (`nix profile install github:serokell/deploy-rs`).
 ### Deployment Modes
 1.  **Production Deployment (main branch):**
    Triggered on push to `main`. Automatically builds and switches all hosts. bootloader is updated.
    Manual: `deploy .`
 2.  **Test Deployment (test-<hostname> branch):**
    Triggered on push to `test-<hostname>`. Builds and activates the configuration on the specific host **without** updating the bootloader. Reboots will revert to the previous generation.
    Manual: `deploy .#<hostname>.test`
 3.  **Kernel Upgrades / Maintenance:**
    Use `deploy .#<hostname>.system --boot` to update the bootloader without immediate activation, followed by a manual reboot.
 ## Local Development
 ### 1. Developer Shell
 This repository includes a standardized development environment containing all necessary tools (`deploy-rs`, `sops`, `age`, etc.).
 ```bash
 nix develop
 # or if using direnv
 direnv allow
 ```
 ### 2. Build a host VM
 You can build a QEMU VM for any host configuration to test changes locally:
 ```bash
 nix build .#nixosConfigurations.<hostname>.config.system.build.vm
 ./result/bin/run-<hostname>-vm
 ```
 > [!WARNING]
 > **Network Conflict**: Default VMs use user-mode networking (NAT) which is safe. However, if you configure the VM to use bridge networking, it will attempt to use the static IP defined in `hostIp`. Ensure you do not have a physical host with that IP active on the same bridge to avoid network interference.
 ### 3. Run Integration Tests
 Run the automated test suite:
 ```bash
 nix-build test/vm-test.nix
 ```
 ### 3. Test CI Workflows Locally
 Use `act` to test the GitHub Actions workflows:
 ```bash
 act -W .github/workflows/check.yml
 ```
 ## Security
 See [SECURITY.md](SECURITY.md) for details on the trust model and secret management.
--- a/flake.nix
+++ b/flake.nix
@ -13,85 +13,52 @@
      url = "github:gytis-ivaskevicius/flake-utils-plus";
      inputs.flake-utils.follows = "flake-utils";
    };
    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = inputs@{
    self, nixpkgs,
-    flake-utils, sops-nix, utils, deploy-rs,
+    flake-utils, sops-nix, utils,
    ...
  }:
  let
    system = utils.lib.system.x86_64-linux;
    lib = nixpkgs.lib;
  in
-    utils.lib.mkFlake {
+  utils.lib.mkFlake {
-      inherit self inputs;
+    inherit self inputs;
-      hostDefaults.modules = [
+    hostDefaults = {
      inherit system;
      modules = [
        ./modules
        ./users
        sops-nix.nixosModules.sops
        ({ self, ... }: {
          sops.defaultSopsFile = "${self}/secrets/secrets.yaml";
          sops.age.keyFile = "/var/lib/sops-nix/key.txt";
        })
        ({ self, ... }: {
          sops.defaultSopsFile = "${self}/secrets/secrets.yaml";
          sops.age.keyFile = "/var/lib/sops-nix/key.txt";
        })
      ];
      hosts = {
        # Infrastructure
        Niko.modules        = [ ./hosts/Niko        ];
        Ingress.modules     = [ ./hosts/Ingress     ];
        Gitea.modules       = [ ./hosts/Gitea       ];
        Vaultwarden.modules = [ ./hosts/Vaultwarden ];
        # Production
        Binnenpost.modules    = [ ./hosts/Binnenpost    ];
        Production.modules    = [ ./hosts/Production    ];
        ProductionGPU.modules = [ ./hosts/ProductionGPU ];
        ProductionArr.modules = [ ./hosts/ProductionArr ];
        ACE.modules           = [ ./hosts/ACE           ];
        # Lab
        Template.modules    = [ ./hosts/Template    ];
        Development.modules = [ ./hosts/Development ];
        Testing.modules     = [ ./hosts/Testing     ];
      };
      deploy.nodes = let
        pkg = deploy-rs.lib.${system};
        isDeployable = nixos: (nixos.config.homelab.users.deploy.enable or false) && (nixos.config.homelab.networking.hostIp != null);
      in
      builtins.mapAttrs (_: nixos: {
        hostname = nixos.config.homelab.networking.hostIp;
        sshUser  = "deploy";
        user     = "root";
        profiles.system.path = pkg.activate.nixos nixos;
        profiles.test.path   = pkg.activate.custom nixos.config.system.build.toplevel ''
          $PROFILE/bin/switch-to-configuration test
        '';
      }) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);
      checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
      outputsBuilder = channels: {
        formatter = channels.nixpkgs.alejandra;
        devShells.default = channels.nixpkgs.mkShell {
          name = "homelab-dev";
          buildInputs = [
            deploy-rs.packages.${system}.deploy-rs
            channels.nixpkgs.sops
            channels.nixpkgs.age
          ];
          shellHook = "echo '🛡️ Homelab Development Shell Loaded'";
        };
      };
    };
    hosts = {
      # Physical hosts
      Niko.modules          = [ ./hosts/Niko          ];
      # Virtual machines
      # Single-service
      Ingress.modules       = [ ./hosts/Ingress       ];
      Gitea.modules         = [ ./hosts/Gitea         ];
      Vaultwarden.modules   = [ ./hosts/Vaultwarden   ];
      # Production multi-service
      Binnenpost.modules    = [ ./hosts/Binnenpost    ];
      Production.modules    = [ ./hosts/Production    ];
      ProductionGPU.modules = [ ./hosts/ProductionGPU ];
      ProductionArr.modules = [ ./hosts/ProductionArr ];
      ACE.modules           = [ ./hosts/ACE           ];
      # Others
      Template.modules      = [ ./hosts/Template      ];
      Development.modules   = [ ./hosts/Development   ];
      Testing.modules       = [ ./hosts/Testing       ];
    };
  };
 }
--- a/hosts/ACE/default.nix
+++ b/hosts/ACE/default.nix
@ -1,12 +1,10 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
  config = {
    homelab = {
      networking.hostIp = "192.168.0.41";
      services.actions.enable = true;
      virtualisation.guest.enable = true;
      users.deploy.enable = true;
    };
    networking = {
@ -26,7 +24,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.41";
            prefixLength = 24;
          }
        ];
--- a/hosts/Binnenpost/default.nix
+++ b/hosts/Binnenpost/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
  config = {
@ -13,14 +13,12 @@
    };
    homelab = {
      networking.hostIp = "192.168.0.89";
      apps = {
        speedtest.enable = true;
        technitiumDNS.enable = true;
        traefik.enable = true;
      };
      virtualisation.guest.enable = true;
      users.deploy.enable = true;
    };
    networking = {
@ -45,7 +43,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.89";
            prefixLength = 24;
          }
        ];
--- a/hosts/Development/default.nix
+++ b/hosts/Development/default.nix
@ -3,7 +3,6 @@
 {
  config = {
    homelab = {
      networking.hostIp = "192.168.0.91";
      apps = {
        bind9.enable = true;
        homepage = {
@ -14,7 +13,6 @@
        plex.enable = true;
      };
      virtualisation.guest.enable = true;
      users.deploy.enable = true;
    };
    networking = {
@ -38,7 +36,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.91";
            prefixLength = 24;
          }
        ];
@ -61,8 +59,7 @@
        environment = {
          # NOTE Required
          # The email address used when setting up the initial administrator account to login to pgAdmin.
-          # TODO Hugo: Populate 'pgadmin_email' in sops.
+          PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com";
          PGADMIN_DEFAULT_EMAIL = config.sops.placeholder.pgadmin_email or "pgadmin-admin@example.com";
          # NOTE Required
          # The password used when setting up the initial administrator account to login to pgAdmin.
          PGADMIN_DEFAULT_PASSWORD = "ChangeMe";
--- a/hosts/Gitea/default.nix
+++ b/hosts/Gitea/default.nix
@ -3,12 +3,9 @@
 {
  config = {
    homelab = {
      networking.hostIp = "192.168.0.24";
      apps.gitea.enable = true;
      virtualisation.guest.enable = true;
      users.deploy.enable = true;
      users.admin = {
        enable = true;
        authorizedKeys = [
@ -31,7 +28,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.24";
            prefixLength = 24;
          }
        ];
--- a/hosts/Ingress/default.nix
+++ b/hosts/Ingress/default.nix
@ -2,11 +2,7 @@
 {
  config = {
-    homelab = {
+    homelab.virtualisation.guest.enable = true;
      networking.hostIp = "192.168.0.10";
      virtualisation.guest.enable = true;
      users.deploy.enable = true;
    };
    networking = {
      hostName = "Ingress";
@ -23,8 +19,8 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.10";
-            prefixLength = 24;
+prefixLength = 24;
          }
        ];
      };
@ -43,7 +39,6 @@
      };
    };
    security.acme = {
      acceptTerms = true;
      defaults = {
@ -51,7 +46,7 @@
        dnsPropagationCheck = true;
        dnsProvider = "cloudflare";
        dnsResolver = "1.1.1.1:53";
-        email = config.sops.placeholder.acme_email or "acme-email@example.com";
+        email = "tibo.depeuter@telenet.be";
        credentialFiles = {
          CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token";
        };
--- a/hosts/Isabel/default.nix
+++ b/hosts/Isabel/default.nix
@ -165,7 +165,7 @@ providers:
            # Certificates
            "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
            "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-            "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
+            "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
            "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
            # Additional routes
@ -176,8 +176,8 @@ providers:
            # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
          ];
          environment = {
-            # TODO Hugo: Populate 'cloudflare_dns_token' in sops.
+            # TODO Hide this!
-            "CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER";
+            "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
          };
          environmentFiles = [
          ];
--- a/hosts/Niko/default.nix
+++ b/hosts/Niko/default.nix
@ -7,7 +7,6 @@
  ];
  homelab = {
    networking.hostIp = "192.168.0.11";
    apps = {
      technitiumDNS.enable = true;
      traefik.enable = true;
--- a/hosts/Production/default.nix
+++ b/hosts/Production/default.nix
@ -3,13 +3,11 @@
 {
  config = {
    homelab = {
      networking.hostIp = "192.168.0.31";
      apps = {
        calibre.enable = true;
        traefik.enable = true;
      };
      virtualisation.guest.enable = true;
      users.deploy.enable = true;
    };
    networking = {
@ -33,7 +31,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.31";
            prefixLength = 24;
          }
        ];
--- a/hosts/ProductionArr/default.nix
+++ b/hosts/ProductionArr/default.nix
@ -3,13 +3,11 @@
 {
  config = {
    homelab = {
      networking.hostIp = "192.168.0.33";
      apps = {
        arr.enable = true;
        traefik.enable = true;
      };
      virtualisation.guest.enable = true;
      users.deploy.enable = true;
    };
    networking = {
@ -33,7 +31,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.33";
            prefixLength = 24;
          }
        ];
--- a/hosts/ProductionGPU/default.nix
+++ b/hosts/ProductionGPU/default.nix
@ -3,10 +3,8 @@
 {
  config = {
    homelab = {
      networking.hostIp = "192.168.0.94";
      apps.jellyfin.enable = true;
      virtualisation.guest.enable = true;
      users.deploy.enable = true;
    };
    networking = {
@ -30,7 +28,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.94";
            prefixLength = 24;
          }
        ];
--- a/hosts/Testing/default.nix
+++ b/hosts/Testing/default.nix
@ -3,13 +3,11 @@
 {
  config = {
    homelab = {
      networking.hostIp = "192.168.0.92";
      apps = {
        freshrss.enable = true;
        traefik.enable = true;
      };
      virtualisation.guest.enable = true;
      users.deploy.enable = true;
    };
    networking = {
@ -34,7 +32,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.92";
            prefixLength = 24;
          }
        ];
--- a/hosts/Vaultwarden/default.nix
+++ b/hosts/Vaultwarden/default.nix
@ -3,7 +3,6 @@
 {
  config = {
    homelab = {
      networking.hostIp = "192.168.0.22";
      apps.vaultwarden = {
        enable = true;
        domain = "https://vault.depeuter.dev";
@ -11,15 +10,11 @@
      };
      virtualisation.guest.enable = true;
-      users = {
+      users.admin = {
-        deploy.enable = true;
+        enable = true;
-
+        authorizedKeys = [
-        admin = {
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
-          enable = true;
+        ];
          authorizedKeys = [
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
          ];
        };
      };
    };
@ -37,7 +32,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = config.homelab.networking.hostIp;
+            address = "192.168.0.22";
            prefixLength = 24;
          }
        ];
--- a/modules/apps/gitea/default.nix
+++ b/modules/apps/gitea/default.nix
@ -496,8 +496,7 @@ in {
          #FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
          # Mail from address, RFC 5322. This can be just an email address, or the
          # `"Name" <email@example.com>` format.
-          # TODO Hugo: Populate 'gitea_mailer_from' in sops.
+          FORGEJO__mailer__FROM = ''"${title}" <git@depeuter.dev>'';
          FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com";
          # Sometimes it is helpful to use a different address on the envelope. Set this to use
          # ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
          #FORGEJO__mailer__ENVELOPE_FROM = "";
--- a/modules/apps/traefik/default.nix
+++ b/modules/apps/traefik/default.nix
@ -72,7 +72,7 @@ in {
        # Certificates
        "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
        "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-        "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
+        "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
        "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      ];
      volumes = [
--- a/modules/apps/vaultwarden/default.nix
+++ b/modules/apps/vaultwarden/default.nix
@ -344,7 +344,6 @@ in {
          # ORG_CREATION_USERS=none
          ## A comma-separated list means only those users can create orgs:
          # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
          # TODO Hugo: Redact org creation users if needed.
          ## Invitations org admins to invite users, even when signups are disabled
          # INVITATIONS_ALLOWED=true
@ -591,7 +590,7 @@ in {
          ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
          ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
          SMTP_HOST = "smtp.gmail.com";
-          SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
+          SMTP_FROM = "vault@depeuter.dev";
          SMTP_FROM_NAME = cfg.name;
          # SMTP_USERNAME=username
          # SMTP_PASSWORD=password
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@ -1,9 +1,4 @@
 {
  imports = [
    ./networking.nix
    ./secrets.nix
  ];
  config = {
    homelab = {
      services.openssh.enable = true;
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@ -1,19 +0,0 @@
 { config, lib, ... }:
 {
  options.homelab.networking = {
    hostIp = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        The primary IP address of the host. 
        Used for automated deployment and internal service discovery.
      '';
    };
  };
  config = lib.mkIf (config.homelab.networking.hostIp != null) {
    # If a hostIp is provided, we can potentially use it to configure 
    # networking interfaces or firewall rules automatically here in the future.
  };
 }
--- a/modules/common/secrets.nix
+++ b/modules/common/secrets.nix
@ -1,18 +0,0 @@
 { config, lib, ... }:
 {
  sops.secrets = {
    # -- User Public Keys (Anti-Fingerprinting) --
    "user_keys_admin" = { neededForUsers = true; };
    "user_keys_deploy" = { neededForUsers = true; };
    "user_keys_backup" = { neededForUsers = true; };
    # -- Infrastructure Metadata --
    # Hugo TODO: Populate these in your .sops.yaml / secrets file
    "acme_email" = {};
    "cloudflare_dns_token" = {};
    "pgadmin_email" = {};
    "gitea_mailer_from" = {};
    "vaultwarden_smtp_from" = {};
  };
 }
--- a/users/admin/default.nix
+++ b/users/admin/default.nix
@ -26,9 +26,7 @@ in {
        config.users.groups.wheel.name # Enable 'sudo' for the user.
      ];
      initialPassword = "ChangeMe";
-      openssh.authorizedKeys.keyFiles = [
+      openssh.authorizedKeys.keys = cfg.authorizedKeys;
        config.sops.secrets.user_keys_admin.path
      ];
      packages = with pkgs; [
        curl
        git
--- a/users/backup/default.nix
+++ b/users/backup/default.nix
@ -12,8 +12,9 @@ in {
      extraGroups = [
        "docker" # Allow access to the docker socket.
      ];
-      openssh.authorizedKeys.keyFiles = [
+      openssh.authorizedKeys.keys = [
-        config.sops.secrets.user_keys_backup.path
+        # Hugo
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh"
      ];
    };
  };
--- a/users/deploy/default.nix
+++ b/users/deploy/default.nix
@ -3,19 +3,7 @@
 let
  cfg = config.homelab.users.deploy;
 in {
-  options.homelab.users.deploy = {
+  options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";
    enable = lib.mkEnableOption "user Deploy";
    authorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
      description = ''
        Additional SSH public keys authorized for the deploy user.
        The CI runner key should be provided as a base key; personal
        workstation keys can be appended here per host or globally.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    users = {
@ -27,15 +15,12 @@ in {
        isSystemUser = true;
        home = "/var/empty";
        shell = pkgs.bashInteractive;
-        openssh.authorizedKeys.keyFiles = [
+        openssh.authorizedKeys.keys = [
-          config.sops.secrets.user_keys_deploy.path
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
        ];
      };
    };
    # Allow the deploy user to push closures to the nix store
    nix.settings.trusted-users = [ "deploy" ];
    security.sudo.extraRules = [
      {
        groups = [