17 changed files with 47 additions and 254 deletions
--- a/flake.lock
+++ b/flake.lock
@ -141,11 +141,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756733629,
-        "narHash": "sha256-dwWGlDhcO5SMIvMSTB4mjQ5Pvo2vtxvpIknhVnSz2I8=",
+        "lastModified": 1754971456,
+        "narHash": "sha256-p04ZnIBGzerSyiY2dNGmookCldhldWAu03y0s3P8CB0=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "a5c4f2ab72e3d1ab43e3e65aa421c6f2bd2e12a1",
+        "rev": "8246829f2e675a46919718f9a64b71afe3bfb22d",
        "type": "github"
      },
      "original": {
@ -162,11 +162,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1756872219,
-        "narHash": "sha256-KsX15cRMZzJlwkwgTf7JwnFqEaU80SekgHLu/3xcX10=",
+        "lastModified": 1755002386,
+        "narHash": "sha256-5Q7o8nv1EQi7oYD1k1F8/d+3WUiNDg9JOH8KWgP/6WQ=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "5512d414aa6ccd07d5c7145a85ca9bd4608f845e",
+        "rev": "170f218715e93fc36a9077a926eb8516d789138b",
        "type": "gitlab"
      },
      "original": {
@ -263,11 +263,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756770412,
-        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+        "lastModified": 1754487366,
+        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "4524271976b625a4a605beefd893f270620fd751",
+        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
        "type": "github"
      },
      "original": {
@ -513,11 +513,11 @@
    },
    "hardware": {
      "locked": {
-        "lastModified": 1756925795,
-        "narHash": "sha256-kUb5hehaikfUvoJDEc7ngiieX88TwWX/bBRX9Ar6Tac=",
+        "lastModified": 1754564048,
+        "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "ba6fab29768007e9f2657014a6e134637100c57d",
+        "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113",
        "type": "github"
      },
      "original": {
@ -577,11 +577,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756903364,
-        "narHash": "sha256-vZh/YH2D7oDFek10r0TbGn3qJrqGv69sSP+oF8PFDqQ=",
+        "lastModified": 1755121891,
+        "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6159629d05a0e92bb7fb7211e74106ae1d552401",
+        "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426",
        "type": "github"
      },
      "original": {
@ -656,11 +656,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756692364,
-        "narHash": "sha256-EOJPoJfw8E+EVdGcKyVYntHnUovu6f/LhZNYWoaSdd0=",
+        "lastModified": 1755136941,
+        "narHash": "sha256-tb7d+oBwD6ZBPzAhV/eXQs42YaZuzoNczRSPD3ubuoE=",
        "owner": "fufexan",
        "repo": "nix-gaming",
-        "rev": "23deedafada335ffa29d4adccebbb491cf55e3f0",
+        "rev": "09708adbb33a6dbdb9c270131280284ad9e3be9c",
        "type": "github"
      },
      "original": {
@ -676,11 +676,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756612744,
-        "narHash": "sha256-/glV6VAq8Va3ghIbmhET3S1dzkbZqicsk5h+FtvwiPE=",
+        "lastModified": 1754800038,
+        "narHash": "sha256-UbLO8/0pVBXLJuyRizYOJigtzQAj8Z2bTnbKSec/wN0=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "3fe768e1f058961095b4a0d7a2ba15dc9736bdc6",
+        "rev": "b65f8d80656f9fcbd1fecc4b7f0730f468333142",
        "type": "github"
      },
      "original": {
@ -698,11 +698,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756864213,
-        "narHash": "sha256-eHgsQ9eoJZGnZLJtrYnCynEb5nYhysvMtFrPiTwjHA0=",
+        "lastModified": 1755137329,
+        "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "da421c0fb247d3b1956b0cc68e73a27bcdcf77b5",
+        "rev": "d9330bc35048238597880e89fb173799de9db5e9",
        "type": "github"
      },
      "original": {
@ -717,11 +717,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1755261305,
-        "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=",
+        "lastModified": 1755128472,
+        "narHash": "sha256-BVjUDSHplAJKNdSVYrucM6XVYdBepv5LsuFuWcRyil8=",
        "owner": "nix-community",
        "repo": "nixos-wsl",
-        "rev": "203a7b463f307c60026136dd1191d9001c43457f",
+        "rev": "8f9cb0d5cc32c364be4348d7bf497c51361ba5bb",
        "type": "github"
      },
      "original": {
@ -778,11 +778,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1756787288,
-        "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
+        "lastModified": 1755027561,
+        "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
+        "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3",
        "type": "github"
      },
      "original": {
@ -825,11 +825,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756402801,
-        "narHash": "sha256-ihvTx44rW0MXeLk/dQN6FIf42yy6Uo5droF1EyCKQJE=",
+        "lastModified": 1754696412,
+        "narHash": "sha256-NphnpnnD5/hHiKRuSDeHnPSxaKf8SJjMaOL2xzXJqcs=",
        "owner": "xunuwu",
        "repo": "nvim-config",
-        "rev": "d55ac018351581ee93d89ea8859b8742628886ca",
+        "rev": "8c608d5359757b5b13a98a8fd41e7f65f4a0c080",
        "type": "github"
      },
      "original": {
@ -913,11 +913,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1757239136,
-        "narHash": "sha256-3LPKuZ26NK+UrOnB/d34iM651D9lASep71i/uDWx8fs=",
+        "lastModified": 1750164640,
+        "narHash": "sha256-50JV0gzn64VaJJoXfl6qC9BXEst5PoVf3zxQD+hOAro=",
        "owner": "xunuwu",
        "repo": "sobercookie",
-        "rev": "d6dcc68b71584725bbd074ca1d3f37000a6eb985",
+        "rev": "cb6cbee3faf89190788c60f936aac71e7490a3f1",
        "type": "github"
      },
      "original": {
@ -967,11 +967,11 @@
        "tinted-zed": "tinted-zed"
      },
      "locked": {
-        "lastModified": 1756811338,
-        "narHash": "sha256-fwgklhY9kJSTDMGuwHJUVBCuJDVvxxljjGOLhxC84ko=",
+        "lastModified": 1755027820,
+        "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=",
        "owner": "nix-community",
        "repo": "stylix",
-        "rev": "989312ab49e6eb1d076f9d194d43f9f9c513087e",
+        "rev": "c592717e9f713bbae5f718c784013d541346363d",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -55,7 +55,6 @@
            just
            home-manager
            sops
-            nebula
          ];
        };

--- a/hosts/hopper/default.nix
+++ b/hosts/hopper/default.nix
@ -50,7 +50,6 @@
      network.tailscale
      network.avahi
      network.networkd
-      network.nebula
    ]);

  nixpkgs.config = {
--- a/hosts/hopper/profiles/lab/vaultwarden.nix
+++ b/hosts/hopper/profiles/lab/vaultwarden.nix
@ -6,7 +6,7 @@
  services.vaultwarden = {
    enable = true;
    config = {
-      DOMAIN = "https://vw.xunuwu.xyz";
+      DOMAIN = "https://${config.services.caddy.virtualHosts.vaultwarden.hostName}";
      ROCKET_ADDRESS = "0.0.0.0";
      ROCKET_PORT = 35381;
      ROCKET_LOG = "critical";
--- a/hosts/nixdesk/default.nix
+++ b/hosts/nixdesk/default.nix
@ -57,7 +57,6 @@
      network.localsend
      network.tailscale
      network.goldberg
-      network.nebula

      desktop.sway

@ -93,8 +92,6 @@
      programs.reverse-engineering
    ]);

-  services.lact.enable = true; # gpu control thing
-
  services.locate.prunePaths = lib.mkOptionDefault ["/home/xun/backup"];

  # for running waydroid as root, needed for cage-xtmapper
--- a/hosts/nixdesk/home.nix
+++ b/hosts/nixdesk/home.nix
@ -48,7 +48,7 @@
    develop.langs.zig
    develop.langs.lua
    develop.langs.c
-    # develop.langs.csharp
+    develop.langs.csharp
    develop.langs.gleam

    # programs
--- a/hosts/rackserv/default.nix
+++ b/hosts/rackserv/default.nix
@ -14,7 +14,6 @@
      ./profiles/backups.nix
      ./profiles/caddy.nix
      ./profiles/forgejo.nix
-      ./profiles/nebula.nix
      ./profiles/prometheus.nix
    ]
    ++ (with systemProfiles; [
--- a/hosts/rackserv/profiles/nebula.nix
+++ b/hosts/rackserv/profiles/nebula.nix
@ -1,27 +0,0 @@
-{config, ...}: {
-  networking.firewall.allowedTCPPorts = [3131];
-  services.nebula.networks.xunmesh = {
-    enable = true;
-    isLighthouse = true;
-    cert = config.sops.secrets.nebula-cert.path;
-    key = config.sops.secrets.nebula-key.path;
-    ca = config.sops.secrets.nebula-ca-cert.path;
-    listen.port = 3131;
-    firewall = {
-      inbound = [
-        {
-          host = "any";
-          port = "any";
-          proto = "any";
-        }
-      ];
-      outbound = [
-        {
-          host = "any";
-          port = "any";
-          proto = "any";
-        }
-      ];
-    };
-  };
-}
--- a/secrets/hopper/default.nix
+++ b/secrets/hopper/default.nix
@ -1,13 +1,6 @@
 ## TODO use defaultSopsFile mayb
 {config, ...}: {
-  sops.secrets = let
-    loadYamlKey = key: sopsFile: overrides:
-      {
-        inherit sopsFile key;
-        format = "yaml";
-      }
-      // overrides;
-  in {
+  sops.secrets = {
    wireguard = {
      format = "binary";
      sopsFile = ./wireguard;
@ -58,17 +51,5 @@
      sopsFile = ./samba-pass;
      mode = "0600";
    };
-    nebula-cert = loadYamlKey "nebula-cert" ./nebula.yaml {
-      group = "nebula-xunmesh";
-      mode = "0644";
-    };
-    nebula-key = loadYamlKey "nebula-key" ./nebula.yaml {
-      group = "nebula-xunmesh";
-      mode = "0644";
-    };
-    nebula-ca-cert = loadYamlKey "nebula-ca-cert" ./nebula.yaml {
-      group = "nebula-xunmesh";
-      mode = "0644";
-    };
  };
 }
--- a/secrets/hopper/nebula.yaml
+++ b/secrets/hopper/nebula.yaml
@ -1,27 +0,0 @@
-nebula-cert: ENC[AES256_GCM,data:iRKflLzmwH3girMrr77ye240UFFHCnwHRHU4D+/uAym3S6KEROL1e8IFMiZ6BHzKATdgbv29HpzjJu6SvgQBuN3YzTrD7plpCKWnC00s67XJb/ZG4seUXKo0oMxEaH3yEabG9srYjrVVjqlrwuSeo5P1CrHN32OfqfQeT379QwGe1I2dzbCWLFVx3yn6EoVtp0L6Yt3VhXrMugnPgBFTNFkynniBYuzq9mSJk/3THtVW+8xaD2VY2lbLbP2x/p4aHnrebh8g3h+02sEJDAO7W6dc4q8tFoN9/qrOcn03PEsiHlCIJn5TeTmN8JES0LliSoa541uVyK3KpRi3kPnbPT7JNl0o45oE/hLmtV54kGft5ODUE1pG3Hw/Hw53+6ETlCWpH1cujco=,iv:Jkc3KKLo2yXlwBhkgdmwSY+aEBFn22fIbgHA+aH/u/Y=,tag:U5k6UCbpcy0nPRL15PsQ3w==,type:str]
-nebula-key: ENC[AES256_GCM,data:8GzlBCNmAgW+H2wOwMDa4ILUoi0QMj0Dc7abIwjSUIWREKTbP9Sz26/5YoUQc4R5R2CKGJFUxrRayo3daMEah49/Jh9MdHbZqzI1e+LY8aIwVWHCDH5JOSPVNLH1Z4xxjM8p2qdb98YVhkE2fftOhBj+79cxrGAt/0Q6iJyx8Q==,iv:K5p6n9UI34NRRla+YNNWEnqwS8dnrsEx+g8WYjukT2Q=,tag:RXeANw3P1hdDzbiwEOZTNg==,type:str]
-nebula-ca-cert: ENC[AES256_GCM,data:kRtfpo0nmLsemw0ZEkoqh78wmaSSR+yTrJ6BgAWlwrjbMlDl4pz65SarXmudjkKmQKNOmpLqdAnbXFU7UJTYe+LbOgxlc0DRZyiqBvSU/Ss5emQ9i89kcgV5iTKyu6v6DQLqP+/qCzbMUk6sMwtqsrzOKtsxT4NF6/LC/pz6trEUXopd6LdeeqbQWJ25vWVKVscc7MFAOPxCc6qi1E157vOE33OWCbyiymd/9frQPoCxo3eYjb+yh9SmGsDQdtRVDwbHXmuhOjZEK8E7RXAhifeKmUWRct0SvTaYvxayTMHu+OaXYdvUNBl4zt4uHmA=,iv:20CxDFTMRm5rCg8bWYLWpFzJ1hlRVklX34mzGO3ibZ8=,tag:wsByCgFXa8KxGKkj/6zXmg==,type:str]
-sops:
-    age:
-        - recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMTZoRk5vdmhMNzl2RmVF
-            QWVxZXRxaFZ1cGxmOXpjdzlCR3pvM0M1WGhzCm1yL3VyMm5idXNyVFJDa3VMbHN3
-            eXNJaGpOYXFKUHg1VHpPd3cxMEM4K2sKLS0tIHdXcm1IdXJ0SEZjTldxSERIU0pp
-            RFFVWGhJRkpPQkN4bFlMc053TUg5YjgKQlaXoWcEjHLjEsTbwF+/24E2LCB+n5rw
-            v82sPKpcH/bZCReWLb/wFN2pasGx/TNU2/AGWTl1Hntpy63bLh6D1Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1e9nhfwfcg9krc03re4fwh0wu0cwf6jq4js5vfn26hcdqc2apgdes98fea7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVTVJkU3hmTy9zcmdZNW91
-            d3l0eGM1Sm92T2tPaWRDTzhabVpoNzlnRDFvCjB1SndhU05ISnRkWlczQ0xIdXg4
-            b0JLU3JpaWVwZDJUcHpqWDNxTUNnb1kKLS0tIDJhSXpadTd5VkxtRDFxeGlhSTNM
-            UkJYM3llMU1rejM3RGU3cDZ0OVA0a0EKX6x5YUOngDmm7sibWO7dUYYgqLrit5k7
-            H2FZVmGnecLbLXtEvU5L23BeP4L/3jUYWWRbVs6UcMSD396EZSPIMw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-27T21:01:41Z"
-    mac: ENC[AES256_GCM,data:5QGBsBjU/N7giJkvbsJ49jLSTEkGphPgMTPcBcJdw42ckBWeDUaIXWjipbHLxCa2obfFg7wFw7poEXzWNoZDXckVR8GKFODcBYhVcjCf3Vphc4pOKZ+nFxFcL7wS6bwGt1r03E5rHfgZx3eqb8mVa4AI+9DlJujXdgHYVXcKK7E=,iv:J4obkkGlI5LpxojSShQV2xcXEzLsV6I+zvOhmbtO+DA=,tag:+hOkmYO+ys+wm30KRvqDMw==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
--- a/secrets/hopper/roblox-playtime
+++ b/secrets/hopper/roblox-playtime
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:/Ze9keyUU/3GHtBWKB6a4BHB6YScxDpO9BsLJnITGmOKHawOhq2Te/Ha+ZM2fUQmwJnh5upJUjdk6Wt6+177rbJnBWRJVCZKXaOriCGrAmUjFbMae/RhF2RUTzONZBEiCl7C4Emo+LWb3sOVUo1NgjYe0iPi0RUJRlzkb225RkHOzQBlYk4zRD99G+VHpQ4u7E7zUNM2KlmfP9maYADAp00/zfleEhPeZ6FIWBJc1fZWkppYaoRq3iEnP7iZjfS2ZYojRUi0wEYYvhSEpfIWZ6A5DB7xp3aY2zJ7Z1Pd2WADKuUlPeapmpe+C4axjTw+DD4sfRmPV0CK2v719LWtG5S3BRXlAozrzOhfw6XIeyWtwgfYABfSS/ivBnyGv9xgliPN/sA1fl+GpOa4MsLV7B8hTxvBaoO3p3SKxkqG4GjFKLAgZVIFzUYg973vBYjK8/g8GDGCmh2rjaJYcC9/N0zx56oZm6/bBfCE4RNqjbSHQauD7EkGHpRtRCKffppo87//MBgbSXlkS4uX49CSfut1wtoNE0QbtK1g7UPFw6JOpibQqYt43RTeOiU3HRNPc28AGMOOFQKljwJqb8ZqcC1xF0kkPCoNrdfqBlMal5rFiQfNkeClRFBsyOenvsHYNIgmwIlhYwW6QGlqlfNoqGRLIuP3jSJ54LTCQsth7K5GFIL/uM362kMZpif2HQ2RBgAnD+qN0zaZLdtHKnyip5jRJNciGjgj4OnAdhwW9V9GCSCXPKT3SAnmg1yvR0X8gqKvf6zTQdtKm6UqfOyd8oM9PD1Wyz28jrmX56ciARrn4F2cLA9XLypFChHxwy+//i5ZOy2QxsrzIaiGwe3+RJovWGHrpC4gU6IDufvxIlgXwmi6/p5rwOw2+A3wXazKpw2frWXsBEgK+zd0akKwNe9fv6Un8Lt3PEsXOy+dhSxsVlQ0RAW4o3F7lMNfpNYqwBbdT9Du3HM6aR6tkp0d4RllJ3cJghLyddCq2gGaQbkB3bUVPIUVrj4oZihunnDDtti6jmiY8fGpxD6ePtwHUy9Mf2KxVEzcBFJ5gCe4dgXd3xvb51hHp8sV8e7lrxHnrNI16F99Ojaf0BQz6mkSWrMbcMT2fbdL9ydBWZEiutEYU0yZFmqsmlEpvryh3CGSXd0l3/Fyg/XD4ypxcEPdQkjL/JO+MCSi44TDUqL6tfSNeZ6evzpJ2gxCb8+wPla6ZiIldsTwlKB2QuZ9/aMc/zPXpTAUZliXotLeeAKnijv1nCuu7OhOQ+DRjr/hHP/y7DFvWwE0K3uhxCpk8F5DrcEqwMZznBfzutoRmwliWDXd1uSA2ZupnX1xYF18uPkumQIYSrnpG+8zLiMR9ThISOpHjLObtVLjVJ+mKRsyUoGxy2EImAirpNKuUee7t2smRNrl2Qlq5RZ+P3sPSSU2ZnmAKdlGrUTYcY4Knicsexn48+PDCrhS31swy9zhI31PiDGIRfd2ifkZRTZBTUM8nlkgHhcmbaoKT88hUShBtPDhbxt7Ni52XknZXEPdgRgSnPq5B0lj4xHqLRGzdmu+3hgcatHddOhdbGVKmNAKFD8fa/JGjgTwnRkcklx1WW+L7B+jJmKJHS3fYTv+ExWd59c1+QbHjL4QG+RdKk1fuy5HAmHOXtf2sMOueqExVGxbldCJ+kapC2xgfMRV1yq0hRpZswVsOa2RR3mxIS8nGDgJJupe70ZKlosI6Q56PX6s5OIeifA30c9sNBB2Vr3U46aL+58fvZuOiHMWD5MyUXNCFDZp9thpOvELyOmlVPS5JZ6pwDqTIzbpZevD55dPvHkTwsgYhbgwkmfXMAf6j0qLKT+fhHKR9JHscmSZh7LkHyPIRShKME+B+rkKf7I58R4T8K+gegP9kchpsa1N32GbG5QtAPmQu02Azo+lW96itShqcNQ8I5eREWO1CMthHPpSnWVsITUFkgOLREOwOlin4RluwImLimTnnW+5R4MnzlRlpamM+gVKOsauNpQmIi36Ahzj5AAQRy5jivT75Ao3Oog6yVrXwltwOn0bWooPx7KdKR1dGloO4TljCmomP6CtcxSAWtWdkkEWC1O4cdqGgbBApZjvq1ruKEMqXF+fwJm4nRB1K4V1UQuO4mWniHkl+EnuQ+5sDVNImWCBptdx3SKycBdwBj9K7FqjB86eKZnftwSa9Uu4WgVZ6l+gyi0ArBHfAAfLcWII8gXiEZrq4iFeWHr54kFnu4jwNyZ8Z9kNgu6w2FpCQWZFqdKwSyf2QDv/i7CR55I9+inb9kdbmTEudj06aE0ZcazV1K2vgshCQ457TN9m2xOoufIn7PX0BvcEuf1SPbh3n1bS49wIycOkA7j8lq5AKOHWtUNh2PKLQ3My80IXNlYEqvdNbSsiCTu8K25zKpEMDiHbBEBV1kCdjcmj/gFFbbpR8hoBmqzFWHlCRYmaWsoWY8EJ+HQkXkZ80Thh56hyEWca2e+N4mJHZOqC92X+I8CMXMVFys8gRmiHmTup2P3V4ipd2X5YuLyhAGsI6DSinKKMRVlVlUOq+7SjwE1oCPe2YaUqrH69Dcr6GHhYxzaoOWc5nUX0f3k20iXRzO/oQ+xT95spB3Nip9CkvakmSun67fJI,iv:QEWR68R4y04LIm3/Fp1S98TQUN4gATcfIdQWEWwsOPc=,tag:oPaFSFoX7SWu/o9LcMsNwQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:3brffodX6Loq7rMbjS2Oa6bXm8tljIzL3WBY2BC4H0PHF7/oVTlPqR+0TN3Oflj9htlRSLtwtZx+91mJnSvoZ6lt00QzmoeG61+ViEzv/1j3mXQcrTbSDgG51v3wZ58omeVtVw75ALThHhbTWThJA/mjtQAjzla0i82BUO1avODX5yNcCl8M2XjA2gGRAegO0HU3cxxaTgdTRWANAcghArWB/qj2ALl8KvY/hfoSIAAOLXrPslWVfwhrPVX8GwCqcRj9bwByigguBrNlXv0DbMqAZJN+cpxoW6uDARJuKlhDUl6nf/Mq1Ez3wGc1mGsISKJH7+zzP9lZtqvRO5Bby3G71DPoOQwB2FVYqzR8JOpN5GQ84Hiu0fDTJC936Bc8fQ0GOeiVTf+FrK/3Fzg1KPgV2bxhUFw2Z2CoVLSNSbdZSysoWANsW+7q8G4tVp5AHDkCzqsaN/qmh9WwIPjGA8W7WwCYwqD13q3l6+jCpHnrxUsPKvqjox9z9+ADyEP/lfmf01/+QHrgQgPDg+pj7Qs0hnzXbagjN8CQxemiNGq+IX+JIvXQaxcF32BLGI/duR4Yc5fPwqWTSQLtbv6PPZhvyTe57jUlZmlnLVLWT7zSP+5SfUIYJZwwRhho7MrWhKOQ/Jr3rifnmFJU5w2KdG0OgvfB/ZBZIB7e7T0DdrKaINCus06TN6HygI/2L9ZYlzlHmSTbvjOUEMeILc+kkzDlvZApl/uuyQvIa8Y3dpZii7jrN6swGhPdn9ZsOXcLAmzaR1cx0Io3TMdZ1hEyWTHMnyJgHTJubCfK1ojD9zC+cl1om3/j/v7vOsBvt+4IyX0dwf9PYrth/ZbXjH8d2wl/qna27sP6VtUXWnkueihUqfZ0Sjj2AwZLw70BsvOunvurO4yw5TRtCFMFSPyAPKrQNGfSh1g6SMkZFoECGAed4I1HAbXUtsbryUEskU/WVmcBxWazLSEqaoXPsgOfT73O5aevdeQXZqb1wV8egVOhR7pxv0yC6oHsMI3Nwh/9IsTy2xDID/WeEPJyrqAbXOPI+P4T1Rq7zROupOrRwz1FUhjyhVELqN2vnfiCNDF94QobSpjSvYsx17vjksR/bqufDJ+ZQZortE7HBrygn2fULEfFQ5Okz3DhTU/CUIde2rhker21TNJLG4mX9M6zoBThiy2GFh8Z+eeErHdPNx0AfL/xnA+OEy8c3OOMfH5pdJcOz5g+SwrwYIJJPobo25KzTd4P9ehvFOQ2RdM0IBAg8R9DFy21wMMZkgJmSI2B3vj2FJg83gUETMhaH9yiXeP9KV7D4dYXmYpYODpLcary+rwBdoBHF7FXl5+d7qIUZS3qzZmi4ZGwdUr8CJXztBrdoFyWtAM8djxMClLQjyNN2PCa7JDCIX3VXmab/AgS+HPwpqDv04RsgQBZSccN21n/gi44Or7Ts/kJvDFGs7KfQUD5VSr8/GMcBrS99q6dFgk5gNAOwG4Z9amQRUe5SGGgvzZSrcLxQTpxAs0VpIZ3ofHNwCuVYEDguGnQpsvmrzE4AesOsEoPPwLyG7yoXNvmeL6FE/cF4Y5NZj8Urft7pG30Zb5Cao40Mo8copG6WpYV2Jd5LMNHKRt93k4zY3mOHUNXbbc=,iv:TVQmte0FE5wpYLo1mZ5qBu5VMKP0odagH/nBxQ5wY9k=,tag:Gl7m1zn230fcQw7zqYbNbA==,type:str]",
 	"sops": {
 		"age": [
 			{
@ -11,8 +11,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpblhJQlNxb1oxWHgraUVY\nZTRtNVN5QUtSVFhyb1BHc1NEUGN4V3RWT3hVCnpDa3RBU1ozRnJiWnYrbERla1FJ\nMVZiT2JPRnlpb1A4TU0vcERMeDZtRkkKLS0tIE92Q1J1bTlHTG1ldGswTzVlZm5W\ndVhIOTl2cDErVnhuZlowZG9zRzh3ZGMKNL0P1zu07kQ5WaUSK4/AeinmrSk3sTXT\nlA+apVbdSn4wse9PVlFLwqxlwl3mxFVfqbB0xZMFkoe4KfFD0S1tpQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-08-27T21:27:17Z",
-		"mac": "ENC[AES256_GCM,data:ns3CG8PiVRpe9EXgWikJs3luP/0Bcz2mKAOdgLREZb1FbKRjlvh0HowO0CpMLn3AjckXJ5oAZpZyD7dHPd3WfM5uPrEHmLgRP+r+lhyUNcYZjx8Z/k/JUychPbQ/6NOXZraNxLiTok6S8VL8/OqjgBUoGI/PrjRhL0e5oFfqvpo=,iv:tHACeaQ4AGg6CJC3GG2qA05PSMBYGs3gZBGBENcnywk=,tag:mo8c8Lm07BAt1l7DsX1Sww==,type:str]",
+		"lastmodified": "2025-04-27T16:36:16Z",
+		"mac": "ENC[AES256_GCM,data:QN3C9XbgmX3zM6OBe9KMJYn7bazndsj5Ad/2Uw6QmvNFRPATbsDz2P4BB2DVZ2MoEbVJR9gCbhIIvfj34ibT1kSPFH/MIgWf5uGDhJcXy2SnxosCJdjQu/Y3OgfBU/haAidmA9x+UWV/ScSAbhuJpY3jshjIlFUaN6+z2+iJZf0=,iv:4WhEmEbvBtKSkT1fu/YqkMeXn6suYTROXZtwIX09j3A=,tag:55QWtCYsWElrG1eikeyfNg==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
--- a/secrets/nixdesk/default.nix
+++ b/secrets/nixdesk/default.nix
@ -1,12 +1,5 @@
 {
-  sops.secrets = let
-    loadYamlKey = key: sopsFile: overrides:
-      {
-        inherit sopsFile key;
-        format = "yaml";
-      }
-      // overrides;
-  in {
+  sops.secrets = {
    wireguard = {
      format = "binary";
      sopsFile = ./wireguard;
@ -15,17 +8,5 @@
      format = "binary";
      sopsFile = ./samba;
    };
-    nebula-cert = loadYamlKey "nebula-cert" ./nebula.yaml {
-      group = "nebula-xunmesh";
-      mode = "0644";
-    };
-    nebula-key = loadYamlKey "nebula-key" ./nebula.yaml {
-      group = "nebula-xunmesh";
-      mode = "0644";
-    };
-    nebula-ca-cert = loadYamlKey "nebula-ca-cert" ./nebula.yaml {
-      group = "nebula-xunmesh";
-      mode = "0644";
-    };
  };
 }
--- a/secrets/nixdesk/nebula.yaml
+++ b/secrets/nixdesk/nebula.yaml
@ -1,27 +0,0 @@
-nebula-cert: ENC[AES256_GCM,data:gc51WLnmdZ35IHjlfMgoDd+CeuR272OYSBZJESHOMhLForNk6KrhX4FYYbKgx2Wk90aUBa1bhWHHPV/+ZGTp9D6+gp5+Ix38v7fj/bakfA61UHtXrhRDpWIeY4uF7yFlr34+7evPo0D+2C4slTyoza3KJR51ewpLESixD5OTt9STuq8olrq7okj29+VMApLJF76YiMBSuS/faE00XV8eYnMnZ9/vKfjU6dodvO1auN3Ih/LMh+p/N6aIbHEciZinzwGGMUzRD247fPjH2+prGXif2ZUqCJxle7BDXMYvjHvMofzpd9HORRNhutR6gpjewQkckLm2hnVFbg5q6uFK/iA9cSXoJVsr1x0XpJzzoqP9VodGfnnyzQiKgdwOsTxBoVNnEd5aLGNdBDrF,iv:MeCyGh2C9ciDz1RxrDYc2w5y5jxHRhAlOsJVzhGmjP0=,tag:H22ooe4QId7ppvNoJRlUWA==,type:str]
-nebula-key: ENC[AES256_GCM,data:hBiT+8r9Vf1Tlhxi2nRRHTqOAccw0KQRpbj/jcDDw0skA58oi7QekB6X8k3bJygRps0/NIeMhQEnEtYPY1jPT3EHh4//OgNtw434c+OWLoN47/Lm7hhW6vKcRLzJVIRCrcPjVuJjQMdA6zQfanRcwXj7cZtat+8xI8+U9fTj1g==,iv:70yvhNlGTIIvPwdWibOCv7EdidSs/ja560lAPWO7X14=,tag:x6mQoWMcmPShMAL/EM97aA==,type:str]
-nebula-ca-cert: ENC[AES256_GCM,data:7u5SXwVBJYNnG8rKHgCC07mb987zGExB1rySk+kkYzd+myY5k+RjTzJmrJGAj2hzqvrqm9i7Ij0Ubwgjc6mpWZSnjWiLhAVqCeSE51T9iQOL40oHNDcemn7WTzvobWa1N05KOlrsXXOY+q3wcEw2fUPOD6b5veXPx9jMW4vXupqjtVIxQr3K3xbIvZ0mZXmQKLcDYXHz5ODj6OMeUHG0vU47f9tUvN0/Mz/vVyjQu3KeQmpcbuCwQjISa+f0oAcObmIlbb5VuGXkwYU33TW0GaCqq3FR61NgS0aug2hyDfcnLuPit5aTC8G6AuKSx5g=,iv:VYOJdJsMyXGgGnk7C8kOcJvyisyo1EWV+XCfn5s6YP8=,tag:dfP8/TiidaK/uOjDpnCAqA==,type:str]
-sops:
-    age:
-        - recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNGx0VWlZeW44bkJqcndG
-            Qy84REZPcU1YQUQwVFZ0YmtnbG5IcUxGTWhnCld1RXNHeUF3bEhWNStQT0RlQ1dP
-            dHkwcHY3SzRpWW5jUWgrWmpScURGT1UKLS0tIDg3Z0xzcUZGQW9jRWw0SjlwbEJm
-            R1U5ZEVPbTR3SUswNk5zd1ZrNFZDRVUKjsqfv1fQ7RdIzLPhig5xEppFs0pQIGPo
-            FjzOkHqPovGpRX/nak5mJ6NBqugem0qbcC0EU18rwKW1heEI3lwWIQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age155sscpw0x36t6s9usdrz7relpxqrtqnk98mrc7s0qcv2n0v3zd7sfl2xn8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeU5SMVM1emk4K1F6UkRB
-            SW5zcXlaaHB5V3V0TUY3cXdmcm9GejhmRjJjCnhuR2NicGs2UEFGWDZ0RkM3YzE5
-            eEwrZ0xVdXpnTCtGdnVuU2IvZi9zbVUKLS0tIENLQ0JlZFlmaW8xd00rdW54Smdw
-            M3VsTHkxUGw3WU00S0tqQktDbmdzOUkKMXk7HjJS8LayEUTljfpLaYdg9YYoW5AT
-            ODpHY/xOPk4ZTx2g2usB8ABkD2vUATrbLd3sRjdPf6JgLwMyhmqc/w==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-27T18:07:00Z"
-    mac: ENC[AES256_GCM,data:BdzKax73638rb0wDBAB+FL93FgbkTelnxhLfPiU60O9s87lC1cZG1UzW4z2WsqgZY2G6wLsVzTiGGClXgkNZXNzQjUQ/7zML5/gl0ubRKG69oAywxg6ESaSu33jqaaM56+pRivDHJPXlqrICj+TJvBDy1e+Ppe0YUUwYnbCA6QI=,iv:NC3Y6v6hGMW9jZYsqS+S/6BiCFTezBQhzMG5FTotRoc=,tag:oFbguE6yjCINaXoEfVJrPg==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
--- a/secrets/rackserv/default.nix
+++ b/secrets/rackserv/default.nix
@ -1,12 +1,5 @@
 {
-  sops.secrets = let
-    loadYamlKey = key: sopsFile: overrides:
-      {
-        inherit sopsFile key;
-        format = "yaml";
-      }
-      // overrides;
-  in {
+  sops.secrets = {
    wireguard-privatekey = {
      format = "binary";
      sopsFile = ./wireguard-private;
@ -20,17 +13,5 @@
      format = "binary";
      sopsFile = ./cloudflare;
    };
-    nebula-cert = loadYamlKey "nebula-cert" ./nebula.yaml {
-      group = "nebula-xunmesh";
-      mode = "0644";
-    };
-    nebula-key = loadYamlKey "nebula-key" ./nebula.yaml {
-      group = "nebula-xunmesh";
-      mode = "0644";
-    };
-    nebula-ca-cert = loadYamlKey "nebula-ca-cert" ./nebula.yaml {
-      group = "nebula-xunmesh";
-      mode = "0644";
-    };
  };
 }
--- a/secrets/rackserv/nebula.yaml
+++ b/secrets/rackserv/nebula.yaml
@ -1,27 +0,0 @@
-nebula-cert: ENC[AES256_GCM,data:TXrzTe94Ju4xOo/5DfiwbNivl1qvQc0HURA+6F5rY4d3tPz05xk2Hjas2ADyZa4TneGZnweEaoCmjIBemrknSZh2RPkkxAC7CDvRkvTqzFyg1057tQrsdva7/e3Cl7cCm3kEFpkdz51NDW9ZeL+wq+yyk9VWIq4SRMDalODxjdAHj8+dus0AQKSctWfUa+lat+9nORNnu5086uWq81GVOWPJObb1pt410lneToGGtYcCi9OpgLLOOuztcdgDPVy9CJ/e7cg99gzihsP4/t+psPnODZB+wZG5eWeTYyFuWYSnbZ9t/7UVPBYTIQF8tf6YAJm46muIMbtwbOTfrwBE7EqkvWJ5B1uASIc5WtNPypnQ6Cg+BXnl5eUPQf0m+7fjx0XmipPwAfgJVfiW,iv:vOU8qUEdfek5eRpuvHUGbU1irqOkQDyYCo4GZsJ+FG8=,tag:onCjWRAMCmsn4IYtKVdhBQ==,type:str]
-nebula-key: ENC[AES256_GCM,data:bsQjSZKDFcOLbRyUZ7CjmaZdRISwq7EPb+nWLmoLTieN9cImwIDMFPAX/nY/xR22IhXoxWQNsNNUEJjAnG8+Ab1UeJhPIcLvlP2zhawpKyuvAeIL4rUpGGe6xPvfcg6RQErlWeFGEAWkeZUQU69jza3nVYaF5DjyvKFuyHx/CQ==,iv:6qdkFrz/3F0/fvh04VWsQNnXDxumh0SetpIErhlJDNY=,tag:6FdOEFsHwyONGUyQAAMuKg==,type:str]
-nebula-ca-cert: ENC[AES256_GCM,data:AnLS3fVL6pZQuhsuM+2axcSnwZZVXbAMXHYxcmd4UY6cDDDY0xIFmlbI0AU5Mnpc6eTm2ayfzDYaUiMaw9eiG+HmeoYWvPR4ZlO9WX6QFB6BWZ3U2nCrgpx8DvGmu/Luxew/iUghBAN+eYNKrBZq5kKJzSRlndkcymGs1y/7smRIzzhfV7DS+OXuD/UbQFV5ILsCwka2Xd5/RqhgwyZaPNc6ZDFjm6MHSSd2PepGrpZd3m8+nN9PahjujKnwd34AwtjEKukE/aknV0juyQhZVidQkxdueWiagGV5O/GIt2RIVzjRr3YbqMtYTC9tCGI=,iv:sJhA5EuIypj+GRbNk0ubu8T/ekdYV4+7/ksQfH7tssg=,tag:3lVxSszGv6vxIX4Ru8z3VQ==,type:str]
-sops:
-    age:
-        - recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TGNJSDBEZ3Z3OW9FWU5G
-            YWZFOER6N2o3emJCQ2I5R0kvTVpvcW90UlQ0Cm5USVhwckNOUE9PT1pwOWlBakJR
-            QzI1U0RjV2N5Uk1Hb3FUY0RuMnRnWTgKLS0tIHh5aWw0b2JSWnRyREFvTzh1Y2M0
-            TnJWcU1mNmlZLzgyYWgrM1NTc0l0d28KGm+JaAUcKvrqaEayHZjv/f1JcJY7x2m6
-            lys3PDLcKhhTk3BRiv4GP6nbzhTcK8hRQKRgnm8JzTWsH0F1TIfuTQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1zutg3s4nth679a6av9xqw4km0ezmfkxlnusu78demf0rzazqn3pqk9exgj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnclVjYWpkTThwd2NPRW8x
-            WDJhVWFyTUp0OFErM0ZaUjVISDJnMHdwbFNJCi9QcXpQZ3M0YTdoTmdoK29vdi91
-            cll5ZG9ZY0ZjU011N2dOaUZtSXVmZ1UKLS0tIHlZbnFQZjd0SVgyaUxWbnNKVUp5
-            QTU4YzRMd3lnN3pXcXJTVWhDazhkeVUK3TOmX/YG2A1m7eM5n61HJEWFxspd2YSN
-            36j6iP3ybCNEKkphksPyXnjW3//jfV6nfU10iJ8wvxdNyKzUS6ZYyg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-27T18:04:52Z"
-    mac: ENC[AES256_GCM,data:MNVAT0YyCCi2j4YtFQAfjBTsA9CR/Y6yoRCpppnEybWjKjubUOaMtDhDEh5mgEz++iu/gLU+SEwF7NbWb7HSH2xLmhToq+NN09wLsdE77QHC6TEVdW4joHi49PP06ritNp32xlbDGJaDOoeiO6ub9IQEAM9TM+jdlNWc555yhM8=,iv:HfA4Li0NlBAXKoT/3FG6xctoJdlJyVtyK8d9N1Q2YmY=,tag:xUSFbvbGP4nZzNAyhwQV7A==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
--- a/sys/profiles/network/nebula.nix
+++ b/sys/profiles/network/nebula.nix
@ -1,35 +0,0 @@
-{config, ...}: {
-  services.nebula.networks.xunmesh = {
-    enable = true;
-    staticHostMap = {
-      "30.0.0.1" = ["172.245.52.19:3131"];
-    };
-    cert = config.sops.secrets.nebula-cert.path;
-    key = config.sops.secrets.nebula-key.path;
-    ca = config.sops.secrets.nebula-ca-cert.path;
-    listen.port = 3131;
-    firewall = {
-      inbound = [
-        {
-          host = "any";
-          port = "any";
-          proto = "any";
-        }
-      ];
-      outbound = [
-        {
-          host = "any";
-          port = "any";
-          proto = "any";
-        }
-      ];
-    };
-    settings = {
-      preferred_ranges = ["192.168.50.0/24"];
-      lighthouse.hosts = ["30.0.0.1"];
-      punchy.punch = true;
-    };
-  };
-
-  networking.firewall.trustedInterfaces = ["nebula.xunmesh"]; # bypass nixos firewall
-}
--- a/sys/profiles/network/tailscale.nix
+++ b/sys/profiles/network/tailscale.nix
@ -3,7 +3,6 @@
    enable = true;
    openFirewall = true;
    useRoutingFeatures = "client";
-    extraSetFlags = ["--advertise-exit-node"];
  };

  environment.persistence."/persist".directories = ["/var/lib/tailscale"];