From 7c53335966765cd0b8585f4bdf0e1271fd7d65ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zsolt=20Alf=C3=B6ldi?= Date: Thu, 26 Feb 2026 12:40:44 +0100 Subject: [PATCH] save --- build-iso.sh | 76 ++++++++---- scripts/post-install.sh | 132 ++++++++++++--------- scripts/wifi.sh | 13 ++ secrets.sops.yaml | 15 +-- templates/user-data-wifi.tmpl | 28 +++++ user-data.tmpl => templates/user-data.tmpl | 83 ++++++------- 6 files changed, 210 insertions(+), 137 deletions(-) create mode 100755 scripts/wifi.sh create mode 100644 templates/user-data-wifi.tmpl rename user-data.tmpl => templates/user-data.tmpl (62%) diff --git a/build-iso.sh b/build-iso.sh index cf0019b..bbc6eba 100755 --- a/build-iso.sh +++ b/build-iso.sh @@ -14,7 +14,7 @@ # # USAGE: # ./build-iso.sh -# ./build-iso.sh --ubuntu-iso ~/Downloads/ubuntu-24.04-live-server-amd64.iso +# ./build-iso.sh --ubuntu-iso ~/Downloads/ubuntu-24.04.4-live-server-amd64.iso set -euo pipefail @@ -24,10 +24,14 @@ UBUNTU_ISO_URL="https://releases.ubuntu.com/${UBUNTU_VERSION}/ubuntu-${UBUNTU_VE WORK_DIR="$(mktemp -d /tmp/autoinstall-build.XXXXXX)" OUTPUT_ISO="autoinstall-$(date +%Y%m%d-%H%M).iso" SOPS_FILE="secrets.sops.yaml" -TEMPLATE_FILE="user-data.tmpl" -RENDERED_FILE="user-data.yaml" +TEMPLATE_DIR="templates" +# TEMPLATE_FILE="user-data.tmpl" +# RENDERED_FILE="user-data.yaml" POST_INSTALL_SCRIPT="scripts/post-install.sh" +NOCLOUD_DIR="$WORK_DIR/iso/nocloud" +mkdir -p "$NOCLOUD_DIR" + GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' 
@@ -52,42 +56,28 @@ done cleanup() { info "Cleaning up..." rm -rf "$WORK_DIR" - if [[ -f "$RENDERED_FILE" ]]; then - rm -f "$RENDERED_FILE" - info "Deleted plaintext $RENDERED_FILE" - fi } trap cleanup EXIT for cmd in sops envsubst xorriso; do command -v "$cmd" &>/dev/null || error "'$cmd' not found. Install it first." done -[[ -f "$SOPS_FILE" ]] || error "Secrets file '$SOPS_FILE' not found." -[[ -f "$TEMPLATE_FILE" ]] || error "Template '$TEMPLATE_FILE' not found." -[[ -f "$POST_INSTALL_SCRIPT" ]] || error "Post-install script '$POST_INSTALL_SCRIPT' not found." -[[ -f ".sops.yaml" ]] || error ".sops.yaml not found in current directory." export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$HOME/.config/sops/age/keys.txt}" [[ -f "$SOPS_AGE_KEY_FILE" ]] || error "age key not found at $SOPS_AGE_KEY_FILE" # ── Decrypt secrets → render template ───────────────────────────────────────── info "Decrypting secrets and rendering template..." -sops exec-env "$SOPS_FILE" "envsubst < $TEMPLATE_FILE > $RENDERED_FILE" +sops exec-env "$SOPS_FILE" "envsubst < $TEMPLATE_DIR/user-data.tmpl > $NOCLOUD_DIR/user-data" +sops exec-env "$SOPS_FILE" "envsubst '\$WIFI_HOUSE_PASSWORD \$NOKIA_WIFI_KEY_PASSWORD' < $TEMPLATE_DIR/user-data-wifi.tmpl > $NOCLOUD_DIR/user-data-wifi.config" -if grep -qE '\$\{[A-Z_]+\}' "$RENDERED_FILE"; then - warn "Some variables were NOT substituted:" - grep -oE '\$\{[A-Z_]+\}' "$RENDERED_FILE" | sort -u | sed 's/^/ /' - error "Add the missing keys to secrets.yaml and re-encrypt." -fi info "Template rendered." +# ── Get Ubuntu ISO ───────────────────────────────────────────────────────────── if [[ -n "$UBUNTU_ISO" ]]; then - # User provided a path — validate it exists [[ -f "$UBUNTU_ISO" ]] || error "ISO not found: $UBUNTU_ISO" info "Using provided ISO: $UBUNTU_ISO" else - # Auto mode — use default name, download if missing - # UBUNTU_ISO="ubuntu-${UBUNTU_VERSION}-desktop-amd64.iso" UBUNTU_ISO="ubuntu-${UBUNTU_VERSION}-live-server-amd64.iso" if [[ ! 
-f "$UBUNTU_ISO" ]]; then info "Downloading Ubuntu ${UBUNTU_VERSION} server ISO..." 
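Review bot: With the pre-flight `[[ -f ... ]]` checks and the post-render `grep` for leftover `${VAR}` removed, nothing in this hunk verifies that the secrets were present when the templates were rendered. `envsubst` replaces an unset variable with an empty string, so a key missing from `secrets.sops.yaml` would silently render `password: ""` for the LUKS layout in `user-data`. I would assert the required names inside the `sops exec-env` command string (single-quoted so the outer shell does not expand it), for example by prefixing it with `: "${LUKS_PASSPHRASE:?}" "${USER_PASSWORD_HASH:?}";`. The first `envsubst` call also has no variable list, unlike the second, so any other `$NAME` in `user-data.tmpl` is expanded from the build host's environment; passing the explicit list of secret names would make the two calls consistent.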
@@ -101,29 +91,63 @@ else fi fi -# ── Extract ISO + MBR template ──────────────────────────────────────────────── +# ── Extract ISO ──────────────────────────────────────────────────────────────── info "Extracting ISO..." xorriso -osirrox on -indev "$UBUNTU_ISO" -extract / "$WORK_DIR/iso" 2>/dev/null chmod -R u+w "$WORK_DIR/iso" +# Extract MBR template directly from the original ISO (first 432 bytes) +# boot_hybrid.img is NOT present in the extracted filesystem on 24.04 +dd if="$UBUNTU_ISO" bs=1 count=432 of="$WORK_DIR/mbr_template.bin" 2>/dev/null + # ── Inject autoinstall files ─────────────────────────────────────────────────── info "Injecting autoinstall config and post-install script..." -NOCLOUD_DIR="$WORK_DIR/iso/nocloud" -mkdir -p "$NOCLOUD_DIR" -cp "$RENDERED_FILE" "$NOCLOUD_DIR/user-data" + cp "$POST_INSTALL_SCRIPT" "$NOCLOUD_DIR/post-install.sh" +cp "scripts/wifi.sh" "$NOCLOUD_DIR/wifi.sh" touch "$NOCLOUD_DIR/meta-data" # ── Patch GRUB ──────────────────────────────────────────────────────────────── GRUB_CFG="$WORK_DIR/iso/boot/grub/grub.cfg" if [[ -f "$GRUB_CFG" ]]; then info "Patching GRUB for unattended boot..." - sed -i 's|linux\s*/casper/vmlinuz\(.*\)|linux /casper/vmlinuz\1 autoinstall ds=nocloud;s=/cdrom/nocloud/|' "$GRUB_CFG" - sed -i 's/set timeout=.*/set timeout=0/' "$GRUB_CFG" + cat >"$WORK_DIR/grub_prepend.cfg" <<'GRUBENTRY' +set default=0 +set timeout=1 + +menuentry "Autoinstall Ubuntu" { + set gfxpayload=keep + linux /casper/vmlinuz quiet autoinstall ds=nocloud\;s=/cdrom/nocloud/ --- + initrd /casper/initrd +} + +GRUBENTRY + # Prepend our entry, then append the original (so manual install is still reachable) + cat "$WORK_DIR/grub_prepend.cfg" "$GRUB_CFG" >"$WORK_DIR/grub_merged.cfg" + mv "$WORK_DIR/grub_merged.cfg" "$GRUB_CFG" fi # ── Repack ISO ───────────────────────────────────────────────────────────────── info "Repacking ISO → $OUTPUT_ISO ..." 
+xorriso -as mkisofs \ + -r -V "Ubuntu-AutoInstall" -o "$OUTPUT_ISO" \ + -J -joliet-long \ + --grub2-mbr "$WORK_DIR/mbr_template.bin" \ + --protective-msdos-label \ + -partition_offset 16 \ + --mbr-force-bootable \ + -append_partition 2 28732ac11ff8d211ba4b00a0c93ec93b \ + --interval:local_fs:1s-300s::"$UBUNTU_ISO" \ + -appended_part_as_gpt \ + -iso_mbr_part_type a2a0d0ebe5b9334487c068b6b72699c7 \ + -c '/boot.catalog' \ + -b '/boot/grub/i386-pc/eltorito.img' \ + -no-emul-boot -boot-load-size 4 -boot-info-table \ + --grub2-boot-info \ + -eltorito-alt-boot \ + -e '--interval:appended_partition_2:::' \ + -no-emul-boot \ + "$WORK_DIR/iso" info "Done! ✓" echo "" diff --git a/scripts/post-install.sh b/scripts/post-install.sh index 2fb1276..352de06 100755 --- a/scripts/post-install.sh +++ b/scripts/post-install.sh @@ -1,8 +1,4 @@ #!/usr/bin/env bash -# scripts/post-install.sh -# Runs inside the installed system after base Ubuntu install. -# Called by autoinstall late-commands as: curtin in-target -- bash /post-install.sh - set -euo pipefail GREEN='\033[0;32m' 
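Review bot: The appended EFI partition is read from `--interval:local_fs:1s-300s::"$UBUNTU_ISO"`, a fixed block range that looks hard-coded rather than derived from the source image. The EFI partition's offset and size differ between ISO releases, so this range is unlikely to cover it and the repacked image may not boot under UEFI. `xorriso -indev "$UBUNTU_ISO" -report_el_torito as_mkisofs` prints the matching `-append_partition` interval for a given image, and the script could take the value from there. The new `dd ... 2>/dev/null` line also hides read errors on the MBR template; `status=none` would silence the statistics while keeping failures visible.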
@@ -16,71 +12,93 @@ error() { exit 1 } -# ─── DESKTOP ───────────────────────────────────────────────────────────────── -info "Installing GNOME desktop (minimal)..." -DEBIAN_FRONTEND=noninteractive apt-get install -y \ - ubuntu-desktop-minimal \ - gnome-tweaks \ - gnome-terminal \ - firefox \ - nautilus -systemctl set-default graphical.target -info "Desktop installed." +function desktop() { + # ─── DESKTOP ───────────────────────────────────────────────────────────────── + info "Installing GNOME desktop (minimal)..." + DEBIAN_FRONTEND=noninteractive apt-get install -y \ + ubuntu-desktop-minimal \ + gnome-tweaks \ + gnome-terminal \ + firefox \ + nautilus + systemctl set-default graphical.target + info "Desktop installed." +} -# ─── DOCKER ────────────────────────────────────────────────────────────────── -info "Installing Docker..." -install -m 0755 -d /etc/apt/keyrings -curl -fsSL https://download.docker.com/linux/ubuntu/gpg | - gpg --dearmor -o /etc/apt/keyrings/docker.gpg -chmod a+r /etc/apt/keyrings/docker.gpg +function docker() { + # ─── DOCKER ────────────────────────────────────────────────────────────────── + info "Installing Docker..." + install -m 0755 -d /etc/apt/keyrings + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | + gpg --dearmor -o /etc/apt/keyrings/docker.gpg + chmod a+r /etc/apt/keyrings/docker.gpg -echo \ - "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \ + echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \ https://download.docker.com/linux/ubuntu \ $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" \ - >/etc/apt/sources.list.d/docker.list + >/etc/apt/sources.list.d/docker.list -apt-get update -qq -apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin + apt-get update -qq + apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -usermod -aG docker alfoldi -systemctl enable docker -info "Docker installed." + usermod -aG docker alfoldi + systemctl enable docker + info "Docker installed." +} -# ─── HIMMELBLAU (Azure Entra ID) ───────────────────────────────────────────── -info "Installing Himmelblau..." -curl -fsSL https://packages.himmelblau-idm.org/stable/himmelblau.list | - tee /etc/apt/sources.list.d/himmelblau.list -apt-get update -qq -apt-get install -y himmelblau himmelblau-sshd-config -info "Himmelblau installed." +function himmelblau() { + # ─── HIMMELBLAU (Azure Entra ID) ───────────────────────────────────────────── + info "Installing Himmelblau..." + apt install curl && curl -fsSL https://packages.himmelblau-idm.org/himmelblau.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/himmelblau.gpg + add-apt-repository "deb [arch=amd64] https://packages.himmelblau-idm.org/stable/latest/deb/ubuntu24.04/ ./" + apt install -y himmelblau pam-himmelblau nss-himmelblau + info "Himmelblau installed." +} -# ─── NIX + HOME-MANAGER ────────────────────────────────────────────────────── -info "Installing Nix (single-user) for alfoldi..." -sudo -u alfoldi bash -c \ - "curl -L https://nixos.org/nix/install | sh -s -- --no-daemon" +function nix_home_manager() { + # ─── NIX + HOME-MANAGER ────────────────────────────────────────────────────── + info "Installing Nix (multi-user)..." + sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon --yes -info "Adding home-manager channel..." 
-sudo -u alfoldi bash -c " - source /home/alfoldi/.nix-profile/etc/profile.d/nix.sh - nix-channel --add https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz home-manager + info "Sourcing Nix..." + source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh + + info "Adding home-manager channel..." + nix-channel --add https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz home-manager nix-channel --update -" -info "Installing home-manager..." -sudo -u alfoldi bash -c " - source /home/alfoldi/.nix-profile/etc/profile.d/nix.sh + info "Installing home-manager..." nix-shell '' -A install -" -info "Nix + home-manager installed." +} -# ─── SSH ───────────────────────────────────────────────────────────────────── -info "Enabling SSH..." -systemctl enable ssh +function main() { + desktop || true + docker || true + himmelblau || true + nix_home_manager || true -# ─── SUDO (passwordless for alfoldi) ───────────────────────────────────────── -info "Configuring sudoers..." -echo 'alfoldi ALL=(ALL) NOPASSWD:ALL' >/etc/sudoers.d/alfoldi -chmod 440 /etc/sudoers.d/alfoldi + # ─── DARK THEME ────────────────────────────────────────────────────────────── + info "Setting dark theme..." + gsettings set org.gnome.desktop.interface color-scheme prefer-dark + gsettings set org.gnome.desktop.interface gtk-theme Adwaita-dark -info "Post-install complete ✓" + # ─── DASH TO PANEL ─────────────────────────────────────────────────────────── + info "Installing Dash to Panel..." + # gext install dash-to-panel@jderose9.github.com + apt install gnome-shell-extension-dashtopanel + gnome-extensions enable dash-to-panel@jderose9.github.com + + # ─── SSH ───────────────────────────────────────────────────────────────────── + info "Enabling SSH..." + systemctl enable ssh + + # ─── (passwordless for alfoldi) ───────────────────────────────────────── + info "Configuring sudoers..." 
+ echo 'alfoldi ALL=(ALL) NOPASSWD:ALL' >/etc/sudoers.d/alfoldi + chmod 440 /etc/sudoers.d/alfoldi + + info "Post-install complete ✓" +} + +# start main diff --git a/scripts/wifi.sh b/scripts/wifi.sh new file mode 100755 index 0000000..b68f5b6 --- /dev/null +++ b/scripts/wifi.sh @@ -0,0 +1,13 @@ +export wifi_iface=$(ls /sys/class/net 2>/dev/null | grep -E "^(wl|wlan|wlp)" | head -1) + +if [ -z "$wifi_iface" ]; then + echo "No Wi‑Fi interface found – skipping configuration." + exit 0 +fi + +echo "Configuring Wi‑Fi on $wifi_iface" + +envsubst < /cdrom/nocloud/user-data-wifi.config > /target/etc/netplan/99-wifi.yaml +chmod 600 /target/etc/netplan/99-wifi.yaml + +# chroot /target netplan generate diff --git a/secrets.sops.yaml b/secrets.sops.yaml index 62c645e..a12026d 100644 --- a/secrets.sops.yaml +++ b/secrets.sops.yaml 
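Review bot: In `himmelblau()` the repository key is dearmored into `/etc/apt/trusted.gpg.d/himmelblau.gpg`, which makes apt accept that key for every configured source, not only the Himmelblau one. The `docker()` function in the same hunk already uses the scoped pattern, so I would write the key to `/etc/apt/keyrings/himmelblau.gpg` and put `signed-by=/etc/apt/keyrings/himmelblau.gpg` in a source entry under `/etc/apt/sources.list.d/`, as the Docker block does. `apt install curl` and `apt install gnome-shell-extension-dashtopanel` lack `-y`, so an unattended run will stall or abort at the confirmation prompt. Separately, `main` is defined but the file ends at the comment `# start main` without calling it, and every `step || true` switches off `set -e` inside that function, so a failed key download would not stop the later `apt` steps. The `late-commands` hunk in templates/user-data.tmpl now only copies this script, so if running it by hand is intended, a header comment should say so.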
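Review bot: The `envsubst` call in wifi.sh has no variable list, so it expands every `$NAME` in the already-rendered `user-data-wifi.config`, including any `$` that is part of a Wi-Fi password substituted at build time; such a password would be silently truncated or altered. Restricting it to the one install-time variable avoids that: `envsubst '$wifi_iface' < /cdrom/nocloud/user-data-wifi.config > /target/etc/netplan/99-wifi.yaml`. The file is also created with the default mode and only tightened afterwards by `chmod 600`; a `umask 077` before the redirect closes that window. The script has no shebang or `set -eu`, and the interface lookup parses `ls`; a glob over `/sys/class/net/wl*` would be sturdier.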
@@ -1,21 +1,16 @@ -#ENC[AES256_GCM,data:wpGZJQsncrAFH9RzdEfaqpzSEIp34PBACPD2SXusbSJEX8xF/KmeScnmPujYTvJk9GA7318B8PmE,iv:0Rai7ZlsIupE3ea3J8VP2rjI8jifXJWk3fhVnuPJA0w=,tag:t7pZ04slY5jiz2ycN4uw5Q==,type:comment] -# -#ENC[AES256_GCM,data:j+uGqLOQS9YIw55gJoH5NvV0pSpl541Ul4fe1S4lD6HILjmnJWGHMTAi29cTSbZ6Ola7Z18QZsmncKZ2Gp9zv0gYFBo0Vde2,iv:WVuQbjxYz8Oy0Edg9UlJyB1gY/tM6HrtdRmb8o/Yx7Y=,tag:zPMi8ygTRrYjC3reJV/yZA==,type:comment] -#ENC[AES256_GCM,data:aT3Y7cLU+sBVBfXVy4ABW105XYIh9yFgPserCojJ4jNT,iv:V1s9knf0cPHhJpOmMWOb4iH98Am9V0E8U2vo7z/cgNs=,tag:Zf+GbhwcSmnAfjSZxRFDkg==,type:comment] -#ENC[AES256_GCM,data:xz3sGCMZy2pJSd+qp6l9emRNZL8bJ4UlbTabG5FuLy9+tW0J,iv:u96jLWTH7K3AxG1Hj/+IH1SWed/tYmBjEBmIR7FuXbU=,tag:SD4YX5FUQZnhklZTqVzNfg==,type:comment] LUKS_PASSPHRASE: ENC[AES256_GCM,data:hQb2+WHc,iv:WlYVzMqk3TAfnjMkIYaO8KgrxmCAXrCizsdXf4tk2Uc=,tag:rHL6h3/Q1QR7UHHMVXRXAA==,type:str] USER_PASSWORD_HASH: ENC[AES256_GCM,data:QIuXH4DNq1Ze953ujkmN+1NnybSiy3m006fT73DKdnvl4KtZs8Vy03axndGeRI+GiKD8+qGhdEoF82jtEeYGdvmJTwVx6wG7vmnGpY8k5Fq2KVQuOcfDlS2yAMd5juAZ8juMND7NfH09YA==,iv:w11BwtmKVlracTKtRuYxMqul49DPARUdoD6uzuJaC4s=,tag:S2bFI/jSgImkOcV3TyAEsA==,type:str] WIFI_HOUSE_PASSWORD: ENC[AES256_GCM,data:STCwx2Qtim9M,iv:zpuaiGmlJayuYhx+/KTUa43NQVo/qYF2n3B5ql92JR8=,tag:kFfDMclnZE68/YEHM8en4A==,type:str] NOKIA_WIFI_KEY_PASSWORD: ENC[AES256_GCM,data:uYolfxM8L/oH/hBxo40=,iv:gykJUI636NV4UCtdfEhAJC4gIrfNWbT0qF52dMz0bnI=,tag:R77mpur+JSvNPAAbXqlXMQ==,type:str] #ENC[AES256_GCM,data:ITHlpbIkdSU42klskjVftV3If3h5qvQluWOnFA==,iv:4oagtL1I4Rwt8TrIcCvzqb38pMhbvf2ylRs4gYkVwSQ=,tag:yu9mCePDvmkcdFUUT/7MaA==,type:comment] #ENC[AES256_GCM,data:Gc/+EB+EgOtxPnDhDakbofo5pN1nDZf/7+kRMZVJNND/8J7li9uMgBKp,iv:TTbn58MYhx00q2FRrlhIo/tgPAB6SMdMd/FALg6CS38=,tag:KH7/cUE/O5Jz/f/RyUAp3g==,type:comment] -NOKIA_CA_CERT_B64: ENC[AES256_GCM,data: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,iv:A+N+CQo6WmLDWA0LeMJowF5GkxvnwGCf9QtTZXfJ860=,tag:VCMu26hh5WSnQwZ7LK1+qw==,type:str] +NOKIA_CA_CERT_B64: 
ENC[AES256_GCM,data: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,iv:ADNDMoD32ovYQ+OpgxV6z5QPmkzFgj3wc93h2Da7uv8=,tag:IpvrqdLauMs1SOCdwl7bjA==,type:str] #ENC[AES256_GCM,data:sKDJBHUJP28opiofiTlDIhXVw7P9mg==,iv:mdd4H99yy0UYfAm4HL1sbn+3pxjf4WB28iXavSzrPZE=,tag:3uqTCF95wn1qq8WdFfhhGA==,type:comment] #ENC[AES256_GCM,data:RfBjnEL11KpYmS7Go+JqjTjZgemKf2p9jVWsW+7z7P8/gC+mN1Br37VxUyqOdjG5hhF3Ew==,iv:Ytfoen/D/PAyRM6FWEIT/3d+SsFYN6zJX5RtwAzEM1U=,tag:q83JyjD1vJco/W1yqX2A8g==,type:comment] -NOKIA_CLIENT_CERT_B64: ENC[AES256_GCM,data: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,iv:jVyDAGZIkpIXtD73OvbilT/QBRIdkdcYekU1T3OpPFI=,tag:c6pyDkJdkxAS+f1GAWXjAg==,type:str] +NOKIA_CLIENT_CERT_B64: ENC[AES256_GCM,data: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,iv:Hd0mEciTeOs+1yThtOUBVcEhR/aZ8OQvLqx1wF4h3L0=,tag:ICTOULZgjrc62RmZiCv+Ww==,type:str] #ENC[AES256_GCM,data:McHPf6prvStEESTUT3nL1ibvbUAE,iv:7rIvwrfXkyV9quKvp+8E+UJaFFW8CjlsXNyva94swis=,tag:hMy3EWsp95aQ24f97QOLTA==,type:comment] #ENC[AES256_GCM,data:3Xg6LEMpT76VjeoxM1ztSTJLgtC4AWHkTYywJdDVqNim5a9EO8vKgliOVLDYlUaUalifug==,iv:RV2NCmB5KKeZ/rWCF0hQ8/yak2NBstL2sv4TGmKpO3s=,tag:BxPrc00aJh1VwlglBEU8uA==,type:comment] -NOKIA_CLIENT_KEY_B64: ENC[AES256_GCM,data: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,iv:QIEqUwSfXU9vuGEz8M10tgRXXnfwpTFbHfcGphqOFqk=,tag:Q3a8oQ/eZ2L4CKotcvkHKg==,type:str] +NOKIA_CLIENT_KEY_B64: ENC[AES256_GCM,data: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,iv:YI3OuNRl1Aexned0GV41RhLRKfzWLS5Cf+KVOrLFNNc=,tag:MUAhXUe1Bv86xx6OLoJEnw==,type:str] sops: age: - recipient: age17k7e9a8w95eu73uts6nr0fuww94kl5chrwgg0xudgmum03hv45sq9yuf4c 
@@ -27,7 +22,7 @@ sops: WnJIZTZZZnltdXBvUmY2WnNUeUQ4UEEKd6JetWdvpQ9mqmwhHPTkScnGUErvlnY8 qj4x80YNrnUarQnTial0gk3o5YfpS33pmpLkZFMmNtKl80QCT14cpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-25T10:25:54Z" - mac: ENC[AES256_GCM,data:xPcavAwiq2ysHdmfhVxtNWcMol3WPtFYb4cnWRRL5GDTxnkBHf/1EA5mT7mxAY5STU2LNjqhRDtVGVFaExtf+SPR23NrSSh6SnzrJIFKQKK+ltYKBWXPu+baZZHnfA+NoH/Np6AqvdvL5qj3bMvryuildJyJhH4RO7QdqCRsjtc=,iv:TbB8HeKmngf59t7ADXUbomt3vtSe5At5uzWUNhqun+w=,tag:T3Rz4mUG3aLmCV2eNRFXJQ==,type:str] + lastmodified: "2026-02-26T09:50:00Z" + mac: ENC[AES256_GCM,data:+TNnpcRacAEYkM0D1Yk+cq/y4blOWqDOCZ80jkSeFY1Q0u2RFM2QyTMhnJrvufzJnZ6YkGd0IAGjwRJDOysOEjiNF+UwYgP1hMDicYg+Akw5S5VkeyohY+buhxC8ZAafl7kqtM9jCxAe/ReJ2NTagd8l/weKuM3XPb+UOcK7e4Y=,iv:U/8+9yW2aGuyFmYV5sjMHcQcohJmwGllG+3bOmUwi54=,tag:VVFDQmUfIJ12GKUWq3ZLVg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/templates/user-data-wifi.tmpl b/templates/user-data-wifi.tmpl new file mode 100644 index 0000000..3b0f0a2 --- /dev/null +++ b/templates/user-data-wifi.tmpl @@ -0,0 +1,28 @@ +network: + version: 2 + wifis: + $wifi_iface: + dhcp4: true + optional: true + access-points: + "house": + networkmanager: + name: "house" + password: "${WIFI_HOUSE_PASSWORD}" + "house5": + networkmanager: + name: "house5" + password: "${WIFI_HOUSE_PASSWORD}" + "NOKIA": + networkmanager: + name: "NOKIA" + auth: + key-management: eap + method: tls + identity: "host/alfoldi.ipa.nsn-net.net" + ca-certificate: /nokia/vpn/NOKIA_Root_CA.crt + client-certificate: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt + client-key: /nokia/vpn/alfoldi.ipa.nsn-net.net.key + client-key-password: "${NOKIA_WIFI_KEY_PASSWORD}" + +# vim: set filetype=yaml : diff --git a/user-data.tmpl b/templates/user-data.tmpl similarity index 62% rename from user-data.tmpl rename to templates/user-data.tmpl index 00c5520..70be2b0 100644 --- a/user-data.tmpl +++ b/templates/user-data.tmpl 
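Review bot: Nothing in the new templates/user-data-wifi.tmpl says that it is expanded twice: `${WIFI_HOUSE_PASSWORD}` and `${NOKIA_WIFI_KEY_PASSWORD}` are filled in by build-iso.sh, while `$wifi_iface` is left for scripts/wifi.sh at install time. I would add a header comment such as `# build time: WIFI_HOUSE_PASSWORD, NOKIA_WIFI_KEY_PASSWORD; install time: wifi_iface`. The secrets are inserted raw into double-quoted YAML scalars, so a password containing `"` or `\` would change or break the document; that constraint belongs in the same comment. The rendered `user-data-wifi.config` ends up on the ISO in clear text, so the image needs the same handling as the secrets themselves.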
@@ -1,51 +1,16 @@ -# vim: set filetype=yaml : - #cloud-config -# user-data.tmpl — plaintext template, safe to commit to git -# Secrets are injected at build time via envsubst from secrets.sops.yaml autoinstall: version: 1 - # ─── LOCALE & KEYBOARD ───────────────────────────────────────────────────── - locale: en_US.UTF-8 - keyboard: - layout: us - - # ─── NETWORK ─────────────────────────────────────────────────────────────── + # Network configuration – Ethernet + optional Wi‑Fi network: version: 2 ethernets: - any-eth: + all-eth: match: - name: "en*" + name: "en*" # matches common Ethernet interface names dhcp4: true - wifis: - wlp0s20f3: - dhcp4: true - access-points: - "house": - password: "${WIFI_HOUSE_PASSWORD}" - "house5": - password: "${WIFI_HOUSE_PASSWORD}" - "NOKIA": - auth: - key-management: eap - eap-method: tls - identity: "host/alfoldi.ipa.nsn-net.net" - ca-certificate: /nokia/vpn/NOKIA_Root_CA.crt - client-certificate: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt - client-key: /nokia/vpn/alfoldi.ipa.nsn-net.net.key - client-key-password: "${NOKIA_WIFI_KEY_PASSWORD}" - - # ─── DISK LAYOUT: LVM on LUKS ────────────────────────────────────────────── - storage: - layout: - name: lvm - match: - path: /dev/ nvme0n1 - sizing-policy: all - encrypted: true - password: "${LUKS_PASSPHRASE}" + optional: true # not required; if no eth interface exists, ignore # ─── IDENTITY ────────────────────────────────────────────────────────────── identity: 
@@ -60,26 +25,47 @@ autoinstall: authorized-keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgcJfi0dZotMWa8zQvxXduM76GmQfoPvMU5FjIFZCAa alfonzso@gmail.com" + locale: en_US.UTF-8 + + keyboard: + layout: us + + # ─── DISK LAYOUT: LVM on LUKS ────────────────────────────────────────────── + storage: + layout: + name: lvm + # match: + # path: /dev/nvme0n1 + sizing-policy: all + encrypted: true + password: "${LUKS_PASSPHRASE}" + # ─── CERT FILES ──────────────────────────────────────────────────────────── write_files: - path: /nokia/vpn/NOKIA_Root_CA.crt - permissions: '0600' + permissions: "0600" owner: root:root encoding: b64 content: "${NOKIA_CA_CERT_B64}" - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt - permissions: '0600' + permissions: "0600" owner: root:root encoding: b64 content: "${NOKIA_CLIENT_CERT_B64}" - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.key - permissions: '0600' + permissions: "0600" owner: root:root encoding: b64 content: "${NOKIA_CLIENT_KEY_B64}" + - path: /etc/systemd/logind.conf.d/lid.conf + content: | + [Login] + HandleLidSwitch=ignore + LidSwitchIgnoreInhibited=no + # ─── PACKAGES ────────────────────────────────────────────────────────────── packages: - git @@ -94,9 +80,18 @@ autoinstall: - ca-certificates - gnupg - lsb-release + - openssh-server + + early-commands: + - mkdir -p /nokia/vpn + - mkdir -p /target/nokia/vpn late-commands: - - curtin in-target -- bash /post-install.sh + # - cp /etc/resolv.conf /target/etc/resolv.conf + - bash -x /cdrom/nocloud/wifi.sh + - cp /cdrom/nocloud/post-install.sh /target/home/ updates: security - shutdown: reboot + shutdown: poweroff + +# vim: set filetype=yaml :
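Review bot: With `match:` / `path: /dev/nvme0n1` commented out in the `storage.layout` block, the installer picks the target disk itself (Subiquity's default is, as far as I know, the largest disk). The GRUB entry added in build-iso.sh starts the autoinstall after a one-second timeout, so booting this medium on a machine with more than one disk could encrypt and overwrite a disk that was not intended. I would either restore a `match` (by `path`, `serial` or `model`) or add `interactive-sections: [storage]` so the disk is confirmed by hand.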
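Review bot: `mkdir -p /target/nokia/vpn` under `early-commands` most likely has no lasting effect, because early commands run in the live environment before the target filesystem is created and mounted at `/target`; the directory would be hidden by that mount or never reach the installed system. If the directory has to exist for the certificate paths referenced by the netplan file that wifi.sh writes, creating it in `late-commands` ahead of the `bash -x /cdrom/nocloud/wifi.sh` line would place it in the installed system, e.g. `- install -d -m 0700 /target/nokia/vpn`. The restrictive mode matters here because the directory is meant to hold the client private key.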