fix: added example of usage, fixed formatting

2025-08-25 13:39:58 -04:00
72 changed files with 647 additions and 9193 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,9 +12,6 @@ members = [
  "harmony_cli",
  "k3d",
  "harmony_composer",
-  "harmony_inventory_agent",
-  "harmony_secret_derive",
-  "harmony_secret",
 ]

 [workspace.package]
@@ -23,7 +20,7 @@ readme = "README.md"
 license = "GNU AGPL v3"

 [workspace.dependencies]
-log = { version = "0.4", features = ["kv"] }
+log = "0.4"
 env_logger = "0.11"
 derive-new = "0.7"
 async-trait = "0.1"
@@ -56,12 +53,6 @@ chrono = "0.4"
 similar = "2"
 uuid = { version = "1.11", features = ["v4", "fast-rng", "macro-diagnostics"] }
 pretty_assertions = "1.4.1"
-tempfile = "3.20.0"
 bollard = "0.19.1"
 base64 = "0.22.1"
 tar = "0.4.44"
-lazy_static = "1.5.0"
-directories = "6.0.0"
-thiserror = "2.0.14"
-serde = { version = "1.0.209", features = ["derive", "rc"] }
-serde_json = "1.0.127"
--- a/data/pxe/okd/README.md
+++ b/data/pxe/okd/README.md
@@ -1,3 +0,0 @@
-Here lies all the data files required for an OKD cluster PXE boot setup.
-
-This inclues ISO files, binary boot files, ipxe, etc.
--- a/data/pxe/okd/tftpboot/ipxe.efi
+++ b/data/pxe/okd/tftpboot/ipxe.efi
--- a/data/pxe/okd/tftpboot/undionly.kpxe
+++ b/data/pxe/okd/tftpboot/undionly.kpxe
--- a/docs/pxe_test/README.md
+++ b/docs/pxe_test/README.md
@@ -1,108 +0,0 @@
-# OPNsense PXE Lab Environment
-
-This project contains a script to automatically set up a virtual lab environment for testing PXE boot services managed by an OPNsense firewall.
-
-## Overview
-
-The `pxe_vm_lab_setup.sh` script will create the following resources using libvirt/KVM:
-
-1.  **A Virtual Network**: An isolated network named `harmonylan` (`virbr1`) for the lab.
-2.  **Two Virtual Machines**:
-    *   `opnsense-pxe`: A firewall VM that will act as the gateway and PXE server.
-    *   `pxe-node-1`: A client VM configured to boot from the network.
-
-## Prerequisites
-
-Ensure you have the following software installed on your Arch Linux host:
-
-*   `libvirt`
-*   `qemu`
-*   `virt-install` (from the `virt-install` package)
-*   `curl`
-*   `bzip2`
-
-## Usage
-
-### 1. Create the Environment
-
-Run the `up` command to download the necessary images and create the network and VMs.
-
-```bash
-sudo ./pxe_vm_lab_setup.sh up
-```
-
-### 2. Install and Configure OPNsense
-
-The OPNsense VM is created but the OS needs to be installed manually via the console.
-
-1.  **Connect to the VM console**:
-    ```bash
-    sudo virsh console opnsense-pxe
-    ```
-
-2.  **Log in as the installer**:
-    *   Username: `installer`
-    *   Password: `opnsense`
-
-3.  **Follow the on-screen installation wizard**. When prompted to assign network interfaces (`WAN` and `LAN`):
-    *   Find the MAC address for the `harmonylan` interface by running this command in another terminal:
-        ```bash
-        virsh domiflist opnsense-pxe
-        # Example output:
-        # Interface   Type      Source       Model    MAC
-        # ---------------------------------------------------------
-        # vnet18      network   default      virtio   52:54:00:b5:c4:6d
-        # vnet19      network   harmonylan   virtio   52:54:00:21:f9:ba
-        ```
-    *   Assign the interface connected to `harmonylan` (e.g., `vtnet1` with MAC `52:54:00:21:f9:ba`) as your **LAN**.
-    *   Assign the other interface as your **WAN**.
-
-4.  After the installation is complete, **shut down** the VM from the console menu.
-
-5.  **Detach the installation media** by editing the VM's configuration:
-    ```bash
-    sudo virsh edit opnsense-pxe
-    ```
-    Find and **delete** the entire `<disk>` block corresponding to the `.img` file (the one with `<target ... bus='usb'/>`).
-
-6.  **Start the VM** to boot into the newly installed system:
-    ```bash
-    sudo virsh start opnsense-pxe
-    ```
-
-### 3. Connect to OPNsense from Your Host
-
-To configure OPNsense, you need to connect your host to the `harmonylan` network.
-
-1.  By default, OPNsense configures its LAN interface with the IP `192.168.1.1`.
-2.  Assign a compatible IP address to your host's `virbr1` bridge interface:
-    ```bash
-    sudo ip addr add 192.168.1.5/24 dev virbr1
-    ```
-3.  You can now access the OPNsense VM from your host:
-    *   **SSH**: `ssh root@192.168.1.1` (password: `opnsense`)
-    *   **Web UI**: `https://192.168.1.1`
-
-### 4. Configure PXE Services with Harmony
-
-With connectivity established, you can now use Harmony to configure the OPNsense firewall for PXE booting. Point your Harmony OPNsense scores to the firewall using these details:
-
-*   **Hostname/IP**: `192.168.1.1`
-*   **Credentials**: `root` / `opnsense`
-
-### 5. Boot the PXE Client
-
-Once your Harmony configuration has been applied and OPNsense is serving DHCP/TFTP, start the client VM. It will automatically attempt to boot from the network.
-
-```bash
-sudo virsh start pxe-node-1
-sudo virsh console pxe-node-1
-```
-
-## Cleanup
-
-To destroy all VMs and networks created by the script, run the `clean` command:
-
-```bash
-sudo ./pxe_vm_lab_setup.sh clean
-```
--- a/docs/pxe_test/pxe_vm_lab_setup.sh
+++ b/docs/pxe_test/pxe_vm_lab_setup.sh
@@ -1,191 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# --- Configuration ---
-LAB_DIR="/var/lib/harmony_pxe_test"
-IMG_DIR="${LAB_DIR}/images"
-STATE_DIR="${LAB_DIR}/state"
-VM_OPN="opnsense-pxe"
-VM_PXE="pxe-node-1"
-NET_HARMONYLAN="harmonylan"
-
-# Network settings for the isolated LAN
-VLAN_CIDR="192.168.150.0/24"
-VLAN_GW="192.168.150.1"
-VLAN_MASK="255.255.255.0"
-
-# VM Specifications
-RAM_OPN="2048"
-VCPUS_OPN="2"
-DISK_OPN_GB="10"
-OS_VARIANT_OPN="freebsd14.0" # Updated to a more recent FreeBSD variant
-
-RAM_PXE="4096"
-VCPUS_PXE="2"
-DISK_PXE_GB="40"
-OS_VARIANT_LINUX="centos-stream9"
-
-OPN_IMG_URL="https://mirror.ams1.nl.leaseweb.net/opnsense/releases/25.7/OPNsense-25.7-serial-amd64.img.bz2"
-OPN_IMG_PATH="${IMG_DIR}/OPNsense-25.7-serial-amd64.img"
-CENTOS_ISO_URL="https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/boot.iso"
-CENTOS_ISO_PATH="${IMG_DIR}/CentOS-Stream-9-latest-boot.iso"
-
-CONNECT_URI="qemu:///system"
-
-download_if_missing() {
-  local url="$1"
-  local dest="$2"
-  if [[ ! -f "$dest" ]]; then
-    echo "Downloading $url to $dest"
-    mkdir -p "$(dirname "$dest")"
-    local tmp
-    tmp="$(mktemp)"
-    curl -L --progress-bar "$url" -o "$tmp"
-    case "$url" in
-      *.bz2) bunzip2 -c "$tmp" > "$dest" && rm -f "$tmp" ;;
-      *) mv "$tmp" "$dest" ;;
-    esac
-  else
-    echo "Already present: $dest"
-  fi
-}
-
-# Ensures a libvirt network is defined and active
-ensure_network() {
-  local net_name="$1"
-  local net_xml_path="$2"
-  if virsh --connect "${CONNECT_URI}" net-info "${net_name}" >/dev/null 2>&1; then
-    echo "Network ${net_name} already exists."
-  else
-    echo "Defining network ${net_name} from ${net_xml_path}"
-    virsh --connect "${CONNECT_URI}" net-define "${net_xml_path}"
-  fi
-
-  if ! virsh --connect "${CONNECT_URI}" net-info "${net_name}" | grep "Active: *yes"; then
-    echo "Starting network ${net_name}..."
-    virsh --connect "${CONNECT_URI}" net-start "${net_name}"
-    virsh --connect "${CONNECT_URI}" net-autostart "${net_name}"
-  fi
-}
-
-# Destroys a VM completely
-destroy_vm() {
-  local vm_name="$1"
-  if virsh --connect "${CONNECT_URI}" dominfo "$vm_name" >/dev/null 2>&1; then
-    echo "Destroying and undefining VM: ${vm_name}"
-    virsh --connect "${CONNECT_URI}" destroy "$vm_name" || true
-    virsh --connect "${CONNECT_URI}" undefine "$vm_name" --nvram
-  fi
-}
-
-# Destroys a libvirt network
-destroy_network() {
-  local net_name="$1"
-  if virsh --connect "${CONNECT_URI}" net-info "$net_name" >/dev/null 2>&1; then
-    echo "Destroying and undefining network: ${net_name}"
-    virsh --connect "${CONNECT_URI}" net-destroy "$net_name" || true
-    virsh --connect "${CONNECT_URI}" net-undefine "$net_name"
-  fi
-}
-
-# --- Main Logic ---
-create_lab_environment() {
-  # Create network definition files
-  cat > "${STATE_DIR}/default.xml" <<EOF
-<network>
-  <name>default</name>
-  <forward mode='nat'/>
-  <bridge name='virbr0' stp='on' delay='0'/>
-  <ip address='192.168.122.1' netmask='255.255.255.0'>
-    <dhcp>
-      <range start='192.168.122.100' end='192.168.122.200'/>
-    </dhcp>
-  </ip>
-</network>
-EOF
-
-  cat > "${STATE_DIR}/${NET_HARMONYLAN}.xml" <<EOF
-<network>
-  <name>${NET_HARMONYLAN}</name>
-  <bridge name='virbr1' stp='on' delay='0'/>
-</network>
-EOF
-
-  # Ensure both networks exist and are active
-  ensure_network "default" "${STATE_DIR}/default.xml"
-  ensure_network "${NET_HARMONYLAN}" "${STATE_DIR}/${NET_HARMONYLAN}.xml"
-
-  # --- Create OPNsense VM (MODIFIED SECTION) ---
-  local disk_opn="${IMG_DIR}/${VM_OPN}.qcow2"
-  if [[ ! -f "$disk_opn" ]]; then
-    qemu-img create -f qcow2 "$disk_opn" "${DISK_OPN_GB}G"
-  fi
-
-  echo "Creating OPNsense VM using serial image..."
-  virt-install \
-    --connect "${CONNECT_URI}" \
-    --name "${VM_OPN}" \
-    --ram "${RAM_OPN}" \
-    --vcpus "${VCPUS_OPN}" \
-    --cpu host-passthrough \
-    --os-variant "${OS_VARIANT_OPN}" \
-    --graphics none \
-    --noautoconsole \
-    --disk path="${disk_opn}",device=disk,bus=virtio,boot.order=1 \
-    --disk path="${OPN_IMG_PATH}",device=disk,bus=usb,readonly=on,boot.order=2 \
-    --network network=default,model=virtio \
-    --network network="${NET_HARMONYLAN}",model=virtio \
-    --boot uefi,menu=on
-
-  echo "OPNsense VM created. Connect with: sudo virsh console ${VM_OPN}"
-  echo "The VM will boot from the serial installation image."
-  echo "Login with user 'installer' and password 'opnsense' to start the installation."
-  echo "Install onto the VirtIO disk (vtbd0)."
-  echo "After installation, shutdown the VM, then run 'sudo virsh edit ${VM_OPN}' and remove the USB disk block to boot from the installed system."
-
-  # --- Create PXE Client VM ---
-  local disk_pxe="${IMG_DIR}/${VM_PXE}.qcow2"
-  if [[ ! -f "$disk_pxe" ]]; then
-    qemu-img create -f qcow2 "$disk_pxe" "${DISK_PXE_GB}G"
-  fi
-
-  echo "Creating PXE client VM..."
-  virt-install \
-    --connect "${CONNECT_URI}" \
-    --name "${VM_PXE}" \
-    --ram "${RAM_PXE}" \
-    --vcpus "${VCPUS_PXE}" \
-    --cpu host-passthrough \
-    --os-variant "${OS_VARIANT_LINUX}" \
-    --graphics none \
-    --noautoconsole \
-    --disk path="${disk_pxe}",format=qcow2,bus=virtio \
-    --network network="${NET_HARMONYLAN}",model=virtio \
-    --pxe \
-    --boot uefi,menu=on
-
-  echo "PXE VM created. It will attempt to netboot on ${NET_HARMONYLAN}."
-}
-
-# --- Script Entrypoint ---
-case "${1:-}" in
-  up)
-    mkdir -p "${IMG_DIR}" "${STATE_DIR}"
-    download_if_missing "$OPN_IMG_URL" "$OPN_IMG_PATH"
-    download_if_missing "$CENTOS_ISO_URL" "$CENTOS_ISO_PATH"
-    create_lab_environment
-    echo "Lab setup complete. Use 'sudo virsh list --all' to see VMs."
-    ;;
-  clean)
-    destroy_vm "${VM_PXE}"
-    destroy_vm "${VM_OPN}"
-    destroy_network "${NET_HARMONYLAN}"
-    # Optionally destroy the default network if you want a full reset
-    # destroy_network "default"
-    echo "Cleanup complete."
-    ;;
-  *)
-    echo "Usage: sudo $0 {up|clean}"
-    exit 1
-    ;;
-esac
--- a/examples/application_monitoring_with_tenant/harmony
+++ b/examples/application_monitoring_with_tenant/harmony
--- a/examples/nanodc/src/main.rs
+++ b/examples/nanodc/src/main.rs
@@ -8,6 +8,7 @@ use harmony::{
    hardware::{FirewallGroup, HostCategory, Location, PhysicalHost, SwitchGroup},
    infra::opnsense::OPNSenseManagementInterface,
    inventory::Inventory,
+    maestro::Maestro,
    modules::{
        http::StaticFilesHttpScore,
        ipxe::IpxeScore,
@@ -125,26 +126,20 @@ async fn main() {
        harmony::modules::okd::load_balancer::OKDLoadBalancerScore::new(&topology);

    let tftp_score = TftpScore::new(Url::LocalFolder("./data/watchguard/tftpboot".to_string()));
-    let http_score = StaticFilesHttpScore {
-        folder_to_serve: Some(Url::LocalFolder("./data/watchguard/pxe-http-files".to_string())),
-        files: vec![],
-    };
+    let http_score = StaticFilesHttpScore::new(Url::LocalFolder(
+        "./data/watchguard/pxe-http-files".to_string(),
+    ));
    let ipxe_score = IpxeScore::new();
-
-    harmony_tui::run(
-        inventory,
-        topology,
-        vec![
-            Box::new(dns_score),
-            Box::new(bootstrap_dhcp_score),
-            Box::new(bootstrap_load_balancer_score),
-            Box::new(load_balancer_score),
-            Box::new(tftp_score),
-            Box::new(http_score),
-            Box::new(ipxe_score),
-            Box::new(dhcp_score),
-        ],
-    )
-    .await
-    .unwrap();
+    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
+    maestro.register_all(vec![
+        Box::new(dns_score),
+        Box::new(bootstrap_dhcp_score),
+        Box::new(bootstrap_load_balancer_score),
+        Box::new(load_balancer_score),
+        Box::new(tftp_score),
+        Box::new(http_score),
+        Box::new(ipxe_score),
+        Box::new(dhcp_score),
+    ]);
+    harmony_tui::init(maestro).await.unwrap();
 }
--- a/examples/okd_pxe/Cargo.toml
+++ b/examples/okd_pxe/Cargo.toml
@@ -1,18 +0,0 @@
-[package]
-name = "example-pxe"
-edition = "2024"
-version.workspace = true
-readme.workspace = true
-license.workspace = true
-publish = false
-
-[dependencies]
-harmony = { path = "../../harmony" }
-harmony_cli = { path = "../../harmony_cli" }
-harmony_types = { path = "../../harmony_types" }
-cidr = { workspace = true }
-tokio = { workspace = true }
-harmony_macros = { path = "../../harmony_macros" }
-log = { workspace = true }
-env_logger = { workspace = true }
-url = { workspace = true }
--- a/examples/okd_pxe/src/main.rs
+++ b/examples/okd_pxe/src/main.rs
@@ -1,50 +0,0 @@
-mod topology;
-
-use harmony::{
-    data::{FileContent, FilePath},
-    modules::{dhcp::DhcpScore, http::StaticFilesHttpScore, tftp::TftpScore},
-    score::Score,
-    topology::{HAClusterTopology, Url},
-};
-
-use crate::topology::{get_inventory, get_topology};
-
-#[tokio::main]
-async fn main() {
-    let inventory = get_inventory();
-    let topology = get_topology().await;
-    let gateway_ip = topology.router.get_gateway();
-
-    // TODO this should be a single IPXEScore instead of having the user do this step by step
-    let scores: Vec<Box<dyn Score<HAClusterTopology>>> = vec![
-        Box::new(DhcpScore {
-            host_binding: vec![],
-            next_server: Some(topology.router.get_gateway()),
-            boot_filename: None,
-            filename: Some("undionly.kpxe".to_string()),
-            filename64: Some("ipxe.efi".to_string()),
-            filenameipxe: Some(format!("http://{gateway_ip}:8080/boot.ipxe").to_string()),
-        }),
-        Box::new(TftpScore {
-            files_to_serve: Url::LocalFolder("./data/pxe/okd/tftpboot/".to_string()),
-        }),
-        Box::new(StaticFilesHttpScore {
-            folder_to_serve: None,
-            files: vec![FileContent {
-                path: FilePath::Relative("boot.ipxe".to_string()),
-                content: format!(
-                    "#!ipxe
-
-set base-url http://{gateway_ip}:8080
-set hostfile ${{base-url}}/byMAC/01-${{mac:hexhyp}}.ipxe
-
-chain ${{hostfile}} || chain ${{base-url}}/default.ipxe"
-                ),
-            }],
-        }),
-    ];
-
-    harmony_cli::run(inventory, topology, scores, None)
-        .await
-        .unwrap();
-}
--- a/examples/okd_pxe/src/topology.rs
+++ b/examples/okd_pxe/src/topology.rs
@@ -1,65 +0,0 @@
-use std::{
-    net::{IpAddr, Ipv4Addr},
-    sync::Arc,
-};
-
-use cidr::Ipv4Cidr;
-use harmony::{
-    hardware::{FirewallGroup, HostCategory, Location, PhysicalHost, SwitchGroup},
-    infra::opnsense::OPNSenseManagementInterface,
-    inventory::Inventory,
-    topology::{HAClusterTopology, LogicalHost, UnmanagedRouter},
-};
-use harmony_macros::{ip, ipv4};
-
-pub async fn get_topology() -> HAClusterTopology {
-    let firewall = harmony::topology::LogicalHost {
-        ip: ip!("192.168.1.1"),
-        name: String::from("opnsense-1"),
-    };
-
-    let opnsense = Arc::new(
-        harmony::infra::opnsense::OPNSenseFirewall::new(firewall, None, "root", "opnsense").await,
-    );
-    let lan_subnet = ipv4!("192.168.1.0");
-    let gateway_ipv4 = ipv4!("192.168.1.1");
-    let gateway_ip = IpAddr::V4(gateway_ipv4);
-    harmony::topology::HAClusterTopology {
-        domain_name: "demo.harmony.mcd".to_string(),
-        router: Arc::new(UnmanagedRouter::new(
-            gateway_ip,
-            Ipv4Cidr::new(lan_subnet, 24).unwrap(),
-        )),
-        load_balancer: opnsense.clone(),
-        firewall: opnsense.clone(),
-        tftp_server: opnsense.clone(),
-        http_server: opnsense.clone(),
-        dhcp_server: opnsense.clone(),
-        dns_server: opnsense.clone(),
-        control_plane: vec![LogicalHost {
-            ip: ip!("10.100.8.20"),
-            name: "cp0".to_string(),
-        }],
-        bootstrap_host: LogicalHost {
-            ip: ip!("10.100.8.20"),
-            name: "cp0".to_string(),
-        },
-        workers: vec![],
-        switch: vec![],
-    }
-}
-
-pub fn get_inventory() -> Inventory {
-    Inventory {
-        location: Location::new(
-            "Some virtual machine or maybe a physical machine if you're cool".to_string(),
-            "testopnsense".to_string(),
-        ),
-        switch: SwitchGroup::from([]),
-        firewall: FirewallGroup::from([PhysicalHost::empty(HostCategory::Firewall)
-            .management(Arc::new(OPNSenseManagementInterface::new()))]),
-        storage_host: vec![],
-        worker_host: vec![],
-        control_plane_host: vec![],
-    }
-}
--- a/examples/opnsense/src/main.rs
+++ b/examples/opnsense/src/main.rs
@@ -8,6 +8,7 @@ use harmony::{
    hardware::{FirewallGroup, HostCategory, Location, PhysicalHost, SwitchGroup},
    infra::opnsense::OPNSenseManagementInterface,
    inventory::Inventory,
+    maestro::Maestro,
    modules::{
        dummy::{ErrorScore, PanicScore, SuccessScore},
        http::StaticFilesHttpScore,
@@ -80,31 +81,23 @@ async fn main() {
    let load_balancer_score = OKDLoadBalancerScore::new(&topology);

    let tftp_score = TftpScore::new(Url::LocalFolder("./data/watchguard/tftpboot".to_string()));
-    let http_score = StaticFilesHttpScore {
-        folder_to_serve: Some(Url::LocalFolder(
-            "./data/watchguard/pxe-http-files".to_string(),
-        )),
-        files: vec![],
-    };
-
-    harmony_tui::run(
-        inventory,
-        topology,
-        vec![
-            Box::new(dns_score),
-            Box::new(dhcp_score),
-            Box::new(load_balancer_score),
-            Box::new(tftp_score),
-            Box::new(http_score),
-            Box::new(OPNsenseShellCommandScore {
-                opnsense: opnsense.get_opnsense_config(),
-                command: "touch /tmp/helloharmonytouching".to_string(),
-            }),
-            Box::new(SuccessScore {}),
-            Box::new(ErrorScore {}),
-            Box::new(PanicScore {}),
-        ],
-    )
-    .await
-    .unwrap();
+    let http_score = StaticFilesHttpScore::new(Url::LocalFolder(
+        "./data/watchguard/pxe-http-files".to_string(),
+    ));
+    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
+    maestro.register_all(vec![
+        Box::new(dns_score),
+        Box::new(dhcp_score),
+        Box::new(load_balancer_score),
+        Box::new(tftp_score),
+        Box::new(http_score),
+        Box::new(OPNsenseShellCommandScore {
+            opnsense: opnsense.get_opnsense_config(),
+            command: "touch /tmp/helloharmonytouching".to_string(),
+        }),
+        Box::new(SuccessScore {}),
+        Box::new(ErrorScore {}),
+        Box::new(PanicScore {}),
+    ]);
+    harmony_tui::init(maestro).await.unwrap();
 }
--- a/examples/remove_rook_osd/Cargo.toml
+++ b/examples/remove_rook_osd/Cargo.toml
@@ -0,0 +1,12 @@
+[package]
+name = "example_remove_rook_osd"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { version = "0.1.0", path = "../../harmony" }
+harmony_cli = { version = "0.1.0", path = "../../harmony_cli" }
+harmony_tui = { version = "0.1.0", path = "../../harmony_tui" }
+tokio.workspace = true
--- a/examples/remove_rook_osd/src/main.rs
+++ b/examples/remove_rook_osd/src/main.rs
@@ -0,0 +1,18 @@
+use harmony::{
+    inventory::Inventory, modules::storage::ceph::ceph_remove_osd_score::CephRemoveOsd,
+    topology::K8sAnywhereTopology,
+};
+
+#[tokio::main]
+async fn main() {
+    let ceph_score = CephRemoveOsd {
+        osd_deployment_name: "rook-ceph-osd-2".to_string(),
+        rook_ceph_namespace: "rook-ceph".to_string(),
+    };
+
+    let topology = K8sAnywhereTopology::from_env();
+    let inventory = Inventory::autoload();
+    harmony_cli::run(inventory, topology, vec![Box::new(ceph_score)], None)
+        .await
+        .unwrap();
+}
--- a/examples/tui/src/main.rs
+++ b/examples/tui/src/main.rs
@@ -2,6 +2,7 @@ use std::net::{SocketAddr, SocketAddrV4};

 use harmony::{
    inventory::Inventory,
+    maestro::Maestro,
    modules::{
        dns::DnsScore,
        dummy::{ErrorScore, PanicScore, SuccessScore},
@@ -15,19 +16,18 @@ use harmony_macros::ipv4;

 #[tokio::main]
 async fn main() {
-    harmony_tui::run(
-        Inventory::autoload(),
-        DummyInfra {},
-        vec![
-            Box::new(SuccessScore {}),
-            Box::new(ErrorScore {}),
-            Box::new(PanicScore {}),
-            Box::new(DnsScore::new(vec![], None)),
-            Box::new(build_large_score()),
-        ],
-    )
-    .await
-    .unwrap();
+    let inventory = Inventory::autoload();
+    let topology = DummyInfra {};
+    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
+
+    maestro.register_all(vec![
+        Box::new(SuccessScore {}),
+        Box::new(ErrorScore {}),
+        Box::new(PanicScore {}),
+        Box::new(DnsScore::new(vec![], None)),
+        Box::new(build_large_score()),
+    ]);
+    harmony_tui::init(maestro).await.unwrap();
 }

 fn build_large_score() -> LoadBalancerScore {
--- a/harmony/Cargo.toml
+++ b/harmony/Cargo.toml
@@ -16,8 +16,8 @@ reqwest = { version = "0.11", features = ["blocking", "json"] }
 russh = "0.45.0"
 rust-ipmi = "0.1.1"
 semver = "1.0.23"
-serde.workspace = true
-serde_json.workspace = true
+serde = { version = "1.0.209", features = ["derive", "rc"] }
+serde_json = "1.0.127"
 tokio.workspace = true
 derive-new.workspace = true
 log.workspace = true
@@ -38,8 +38,8 @@ serde-value.workspace = true
 helm-wrapper-rs = "0.4.0"
 non-blank-string-rs = "1.0.4"
 k3d-rs = { path = "../k3d" }
-directories.workspace = true
-lazy_static.workspace = true
+directories = "6.0.0"
+lazy_static = "1.5.0"
 dockerfile_builder = "0.1.5"
 temp-file = "0.1.9"
 convert_case.workspace = true
@@ -59,7 +59,7 @@ similar.workspace = true
 futures-util = "0.3.31"
 tokio-util = "0.7.15"
 strum = { version = "0.27.1", features = ["derive"] }
-tempfile.workspace = true
+tempfile = "3.20.0"
 serde_with = "3.14.0"
 schemars = "0.8.22"
 kube-derive = "1.1.0"
@@ -67,7 +67,6 @@ bollard.workspace = true
 tar.workspace = true
 base64.workspace = true
 once_cell = "1.21.3"
-harmony-secret-derive = { version = "0.1.0", path = "../harmony_secret_derive" }

 [dev-dependencies]
 pretty_assertions.workspace = true
--- a/harmony/harmony.rlib
+++ b/harmony/harmony.rlib
--- a/harmony/src/domain/data/file.rs
+++ b/harmony/src/domain/data/file.rs
@@ -1,22 +0,0 @@
-use serde::{Deserialize, Serialize};
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct FileContent {
-    pub path: FilePath,
-    pub content: String,
-}
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub enum FilePath {
-    Relative(String),
-    Absolute(String),
-}
-
-impl std::fmt::Display for FilePath {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            FilePath::Relative(path) => f.write_fmt(format_args!("./{path}")),
-            FilePath::Absolute(path) => f.write_fmt(format_args!("/{path}")),
-        }
-    }
-}
--- a/harmony/src/domain/data/mod.rs
+++ b/harmony/src/domain/data/mod.rs
@@ -1,6 +1,4 @@
 mod id;
 mod version;
-mod file;
 pub use id::*;
 pub use version::*;
-pub use file::*;
--- a/harmony/src/domain/topology/ha_cluster.rs
+++ b/harmony/src/domain/topology/ha_cluster.rs
@@ -1,12 +1,9 @@
 use async_trait::async_trait;
 use harmony_macros::ip;
 use harmony_types::net::MacAddress;
-use log::debug;
 use log::info;

-use crate::data::FileContent;
 use crate::executors::ExecutorError;
-use crate::topology::PxeOptions;

 use super::DHCPStaticEntry;
 use super::DhcpServer;
@@ -52,10 +49,9 @@ impl Topology for HAClusterTopology {
        "HAClusterTopology"
    }
    async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
-        debug!(
+        todo!(
            "ensure_ready, not entirely sure what it should do here, probably something like verify that the hosts are reachable and all services are up and ready."
-        );
-        Ok(PreparationOutcome::Noop)
+        )
    }
 }

@@ -157,10 +153,12 @@ impl DhcpServer for HAClusterTopology {
    async fn list_static_mappings(&self) -> Vec<(MacAddress, IpAddress)> {
        self.dhcp_server.list_static_mappings().await
    }
-    async fn set_pxe_options(&self, options: PxeOptions) -> Result<(), ExecutorError> {
-        self.dhcp_server.set_pxe_options(options).await
+    async fn set_next_server(&self, ip: IpAddress) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_next_server(ip).await
+    }
+    async fn set_boot_filename(&self, boot_filename: &str) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_boot_filename(boot_filename).await
    }
-
    fn get_ip(&self) -> IpAddress {
        self.dhcp_server.get_ip()
    }
@@ -170,6 +168,16 @@ impl DhcpServer for HAClusterTopology {
    async fn commit_config(&self) -> Result<(), ExecutorError> {
        self.dhcp_server.commit_config().await
    }
+
+    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_filename(filename).await
+    }
+    async fn set_filename64(&self, filename64: &str) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_filename64(filename64).await
+    }
+    async fn set_filenameipxe(&self, filenameipxe: &str) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_filenameipxe(filenameipxe).await
+    }
 }

 #[async_trait]
@@ -213,21 +221,17 @@ impl HttpServer for HAClusterTopology {
        self.http_server.serve_files(url).await
    }

-    async fn serve_file_content(&self, file: &FileContent) -> Result<(), ExecutorError> {
-        self.http_server.serve_file_content(file).await
-    }
-
    fn get_ip(&self) -> IpAddress {
-        self.http_server.get_ip()
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
    }
    async fn ensure_initialized(&self) -> Result<(), ExecutorError> {
-        self.http_server.ensure_initialized().await
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
    }
    async fn commit_config(&self) -> Result<(), ExecutorError> {
-        self.http_server.commit_config().await
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
    }
    async fn reload_restart(&self) -> Result<(), ExecutorError> {
-        self.http_server.reload_restart().await
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
    }
 }

@@ -237,7 +241,7 @@ pub struct DummyInfra;
 #[async_trait]
 impl Topology for DummyInfra {
    fn name(&self) -> &str {
-        "DummyInfra"
+        todo!()
    }

    async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
@@ -295,7 +299,19 @@ impl DhcpServer for DummyInfra {
    async fn list_static_mappings(&self) -> Vec<(MacAddress, IpAddress)> {
        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
    }
-    async fn set_pxe_options(&self, _options: PxeOptions) -> Result<(), ExecutorError> {
+    async fn set_next_server(&self, _ip: IpAddress) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+    async fn set_boot_filename(&self, _boot_filename: &str) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+    async fn set_filename(&self, _filename: &str) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+    async fn set_filename64(&self, _filename: &str) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+    async fn set_filenameipxe(&self, _filenameipxe: &str) -> Result<(), ExecutorError> {
        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
    }
    fn get_ip(&self) -> IpAddress {
@@ -365,9 +381,6 @@ impl HttpServer for DummyInfra {
    async fn serve_files(&self, _url: &Url) -> Result<(), ExecutorError> {
        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
    }
-    async fn serve_file_content(&self, _file: &FileContent) -> Result<(), ExecutorError> {
-        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
-    }
    fn get_ip(&self) -> IpAddress {
        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
    }
--- a/harmony/src/domain/topology/http.rs
+++ b/harmony/src/domain/topology/http.rs
@@ -1,4 +1,4 @@
-use crate::{data::FileContent, executors::ExecutorError};
+use crate::executors::ExecutorError;
 use async_trait::async_trait;

 use super::{IpAddress, Url};
@@ -6,7 +6,6 @@ use super::{IpAddress, Url};
 #[async_trait]
 pub trait HttpServer: Send + Sync {
    async fn serve_files(&self, url: &Url) -> Result<(), ExecutorError>;
-    async fn serve_file_content(&self, file: &FileContent) -> Result<(), ExecutorError>;
    fn get_ip(&self) -> IpAddress;

    // async fn set_ip(&self, ip: IpAddress) -> Result<(), ExecutorError>;
--- a/harmony/src/domain/topology/network.rs
+++ b/harmony/src/domain/topology/network.rs
@@ -46,19 +46,16 @@ pub trait K8sclient: Send + Sync {
    async fn k8s_client(&self) -> Result<Arc<K8sClient>, String>;
 }

-pub struct PxeOptions {
-    pub ipxe_filename: String,
-    pub bios_filename: String,
-    pub efi_filename: String,
-    pub tftp_ip: Option<IpAddress>,
-}
-
 #[async_trait]
 pub trait DhcpServer: Send + Sync + std::fmt::Debug {
    async fn add_static_mapping(&self, entry: &DHCPStaticEntry) -> Result<(), ExecutorError>;
    async fn remove_static_mapping(&self, mac: &MacAddress) -> Result<(), ExecutorError>;
    async fn list_static_mappings(&self) -> Vec<(MacAddress, IpAddress)>;
-    async fn set_pxe_options(&self, pxe_options: PxeOptions) -> Result<(), ExecutorError>;
+    async fn set_next_server(&self, ip: IpAddress) -> Result<(), ExecutorError>;
+    async fn set_boot_filename(&self, boot_filename: &str) -> Result<(), ExecutorError>;
+    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError>;
+    async fn set_filename64(&self, filename64: &str) -> Result<(), ExecutorError>;
+    async fn set_filenameipxe(&self, filenameipxe: &str) -> Result<(), ExecutorError>;
    fn get_ip(&self) -> IpAddress;
    fn get_host(&self) -> LogicalHost;
    async fn commit_config(&self) -> Result<(), ExecutorError>;
--- a/harmony/src/infra/opnsense/dhcp.rs
+++ b/harmony/src/infra/opnsense/dhcp.rs
@@ -1,10 +1,10 @@
 use async_trait::async_trait;
 use harmony_types::net::MacAddress;
-use log::{debug, info};
+use log::debug;

 use crate::{
    executors::ExecutorError,
-    topology::{DHCPStaticEntry, DhcpServer, IpAddress, LogicalHost, PxeOptions},
+    topology::{DHCPStaticEntry, DhcpServer, IpAddress, LogicalHost},
 };

 use super::OPNSenseFirewall;
@@ -26,7 +26,7 @@ impl DhcpServer for OPNSenseFirewall {
                .unwrap();
        }

-        info!("Registered {:?}", entry);
+        debug!("Registered {:?}", entry);
        Ok(())
    }

@@ -46,25 +46,57 @@ impl DhcpServer for OPNSenseFirewall {
        self.host.clone()
    }

-    async fn set_pxe_options(&self, options: PxeOptions) -> Result<(), ExecutorError> {
-        let mut writable_opnsense = self.opnsense_config.write().await;
-        let PxeOptions {
-            ipxe_filename,
-            bios_filename,
-            efi_filename,
-            tftp_ip,
-        } = options;
-        writable_opnsense
-            .dhcp()
-            .set_pxe_options(
-                tftp_ip.map(|i| i.to_string()),
-                bios_filename,
-                efi_filename,
-                ipxe_filename,
-            )
-            .await
-            .map_err(|dhcp_error| {
-                ExecutorError::UnexpectedError(format!("Failed to set_pxe_options : {dhcp_error}"))
-            })
+    async fn set_next_server(&self, ip: IpAddress) -> Result<(), ExecutorError> {
+        let ipv4 = match ip {
+            std::net::IpAddr::V4(ipv4_addr) => ipv4_addr,
+            std::net::IpAddr::V6(_) => todo!("ipv6 not supported yet"),
+        };
+        {
+            let mut writable_opnsense = self.opnsense_config.write().await;
+            writable_opnsense.dhcp().set_next_server(ipv4);
+            debug!("OPNsense dhcp server set next server {ipv4}");
+        }
+
+        Ok(())
+    }
+
+    async fn set_boot_filename(&self, boot_filename: &str) -> Result<(), ExecutorError> {
+        {
+            let mut writable_opnsense = self.opnsense_config.write().await;
+            writable_opnsense.dhcp().set_boot_filename(boot_filename);
+            debug!("OPNsense dhcp server set boot filename {boot_filename}");
+        }
+
+        Ok(())
+    }
+
+    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError> {
+        {
+            let mut writable_opnsense = self.opnsense_config.write().await;
+            writable_opnsense.dhcp().set_filename(filename);
+            debug!("OPNsense dhcp server set filename {filename}");
+        }
+
+        Ok(())
+    }
+
+    async fn set_filename64(&self, filename: &str) -> Result<(), ExecutorError> {
+        {
+            let mut writable_opnsense = self.opnsense_config.write().await;
+            writable_opnsense.dhcp().set_filename64(filename);
+            debug!("OPNsense dhcp server set filename {filename}");
+        }
+
+        Ok(())
+    }
+
+    async fn set_filenameipxe(&self, filenameipxe: &str) -> Result<(), ExecutorError> {
+        {
+            let mut writable_opnsense = self.opnsense_config.write().await;
+            writable_opnsense.dhcp().set_filenameipxe(filenameipxe);
+            debug!("OPNsense dhcp server set filenameipxe {filenameipxe}");
+        }
+
+        Ok(())
    }
 }
--- a/harmony/src/infra/opnsense/http.rs
+++ b/harmony/src/infra/opnsense/http.rs
@@ -2,23 +2,23 @@ use async_trait::async_trait;
 use log::info;

 use crate::{
-    data::FileContent,
    executors::ExecutorError,
    topology::{HttpServer, IpAddress, Url},
 };

 use super::OPNSenseFirewall;
-const OPNSENSE_HTTP_ROOT_PATH: &str = "/usr/local/http";

 #[async_trait]
 impl HttpServer for OPNSenseFirewall {
    async fn serve_files(&self, url: &Url) -> Result<(), ExecutorError> {
+        let http_root_path = "/usr/local/http";
+
        let config = self.opnsense_config.read().await;
-        info!("Uploading files from url {url} to {OPNSENSE_HTTP_ROOT_PATH}");
+        info!("Uploading files from url {url} to {http_root_path}");
        match url {
            Url::LocalFolder(path) => {
                config
-                    .upload_files(path, OPNSENSE_HTTP_ROOT_PATH)
+                    .upload_files(path, http_root_path)
                    .await
                    .map_err(|e| ExecutorError::UnexpectedError(e.to_string()))?;
            }
@@ -27,29 +27,8 @@ impl HttpServer for OPNSenseFirewall {
        Ok(())
    }

-    async fn serve_file_content(&self, file: &FileContent) -> Result<(), ExecutorError> {
-        let path = match &file.path {
-            crate::data::FilePath::Relative(path) => {
-                format!("{OPNSENSE_HTTP_ROOT_PATH}/{}", path.to_string())
-            }
-            crate::data::FilePath::Absolute(path) => {
-                return Err(ExecutorError::ConfigurationError(format!(
-                    "Cannot serve file from http server with absolute path : {path}"
-                )));
-            }
-        };
-
-        let config = self.opnsense_config.read().await;
-        info!("Uploading file content to {}", path);
-        config
-            .upload_file_content(&path, &file.content)
-            .await
-            .map_err(|e| ExecutorError::UnexpectedError(e.to_string()))?;
-        Ok(())
-    }
-
    fn get_ip(&self) -> IpAddress {
-        OPNSenseFirewall::get_ip(self)
+        todo!();
    }

    async fn commit_config(&self) -> Result<(), ExecutorError> {
--- a/harmony/src/infra/opnsense/tftp.rs
+++ b/harmony/src/infra/opnsense/tftp.rs
@@ -28,7 +28,7 @@ impl TftpServer for OPNSenseFirewall {
    }

    fn get_ip(&self) -> IpAddress {
-        OPNSenseFirewall::get_ip(self)
+        todo!()
    }

    async fn set_ip(&self, ip: IpAddress) -> Result<(), ExecutorError> {
--- a/harmony/src/modules/dhcp.rs
+++ b/harmony/src/modules/dhcp.rs
@@ -7,7 +7,7 @@ use crate::{
    domain::{data::Version, interpret::InterpretStatus},
    interpret::{Interpret, InterpretError, InterpretName, Outcome},
    inventory::Inventory,
-    topology::{DHCPStaticEntry, DhcpServer, HostBinding, IpAddress, PxeOptions, Topology},
+    topology::{DHCPStaticEntry, DhcpServer, HostBinding, IpAddress, Topology},
 };

 use crate::domain::score::Score;
@@ -98,14 +98,69 @@ impl DhcpInterpret {
        _inventory: &Inventory,
        dhcp_server: &D,
    ) -> Result<Outcome, InterpretError> {
-        let pxe_options = PxeOptions {
-            ipxe_filename: self.score.filenameipxe.clone().unwrap_or_default(),
-            bios_filename: self.score.filename.clone().unwrap_or_default(),
-            efi_filename: self.score.filename64.clone().unwrap_or_default(),
-            tftp_ip: self.score.next_server,
+        let next_server_outcome = match self.score.next_server {
+            Some(next_server) => {
+                dhcp_server.set_next_server(next_server).await?;
+                Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!("Dhcp Interpret Set next boot to {next_server}"),
+                )
+            }
+            None => Outcome::noop(),
        };

-        dhcp_server.set_pxe_options(pxe_options).await?;
+        let boot_filename_outcome = match &self.score.boot_filename {
+            Some(boot_filename) => {
+                dhcp_server.set_boot_filename(boot_filename).await?;
+                Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!("Dhcp Interpret Set boot filename to {boot_filename}"),
+                )
+            }
+            None => Outcome::noop(),
+        };
+
+        let filename_outcome = match &self.score.filename {
+            Some(filename) => {
+                dhcp_server.set_filename(filename).await?;
+                Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!("Dhcp Interpret Set filename to {filename}"),
+                )
+            }
+            None => Outcome::noop(),
+        };
+
+        let filename64_outcome = match &self.score.filename64 {
+            Some(filename64) => {
+                dhcp_server.set_filename64(filename64).await?;
+                Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!("Dhcp Interpret Set filename64 to {filename64}"),
+                )
+            }
+            None => Outcome::noop(),
+        };
+
+        let filenameipxe_outcome = match &self.score.filenameipxe {
+            Some(filenameipxe) => {
+                dhcp_server.set_filenameipxe(filenameipxe).await?;
+                Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!("Dhcp Interpret Set filenameipxe to {filenameipxe}"),
+                )
+            }
+            None => Outcome::noop(),
+        };
+
+        if next_server_outcome.status == InterpretStatus::NOOP
+            && boot_filename_outcome.status == InterpretStatus::NOOP
+            && filename_outcome.status == InterpretStatus::NOOP
+            && filename64_outcome.status == InterpretStatus::NOOP
+            && filenameipxe_outcome.status == InterpretStatus::NOOP
+        {
+            return Ok(Outcome::noop());
+        }

        Ok(Outcome::new(
            InterpretStatus::SUCCESS,
--- a/harmony/src/modules/http.rs
+++ b/harmony/src/modules/http.rs
@@ -3,7 +3,7 @@ use derive_new::new;
 use serde::Serialize;

 use crate::{
-    data::{FileContent, Id, Version},
+    data::{Id, Version},
    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
    inventory::Inventory,
    score::Score,
@@ -23,8 +23,7 @@ use crate::{
 /// ```
 #[derive(Debug, new, Clone, Serialize)]
 pub struct StaticFilesHttpScore {
-    pub folder_to_serve: Option<Url>,
-    pub files: Vec<FileContent>,
+    files_to_serve: Url,
 }

 impl<T: Topology + HttpServer> Score<T> for StaticFilesHttpScore {
@@ -51,20 +50,12 @@ impl<T: Topology + HttpServer> Interpret<T> for StaticFilesHttpInterpret {
    ) -> Result<Outcome, InterpretError> {
        http_server.ensure_initialized().await?;
        // http_server.set_ip(topology.router.get_gateway()).await?;
-        if let Some(folder) = self.score.folder_to_serve.as_ref() {
-            http_server.serve_files(folder).await?;
-        }
-
-        for f in self.score.files.iter() {
-            http_server.serve_file_content(&f).await?
-        }
-
+        http_server.serve_files(&self.score.files_to_serve).await?;
        http_server.commit_config().await?;
        http_server.reload_restart().await?;
        Ok(Outcome::success(format!(
-            "Http Server running and serving files from folder {:?} and content for {}",
-            self.score.folder_to_serve,
-            self.score.files.iter().map(|f| f.path.to_string()).collect::<Vec<String>>().join(",")
+            "Http Server running and serving files from {}",
+            self.score.files_to_serve
        )))
    }

--- a/harmony/src/modules/storage/ceph/ceph_osd_replacement_score.rs
+++ b/harmony/src/modules/storage/ceph/ceph_osd_replacement_score.rs
@@ -19,8 +19,8 @@ use crate::{

 #[derive(Debug, Clone, Serialize)]
 pub struct CephRemoveOsd {
-    osd_deployment_name: String,
-    rook_ceph_namespace: String,
+    pub osd_deployment_name: String,
+    pub rook_ceph_namespace: String,
 }

 impl<T: Topology + K8sclient> Score<T> for CephRemoveOsd {
--- a/harmony/src/modules/storage/ceph/mod.rs
+++ b/harmony/src/modules/storage/ceph/mod.rs
@@ -1 +1 @@
-pub mod ceph_osd_replacement_score;
+pub mod ceph_remove_osd_score;
--- a/harmony/src/modules/tftp.rs
+++ b/harmony/src/modules/tftp.rs
@@ -12,7 +12,7 @@ use crate::{

 #[derive(Debug, new, Clone, Serialize)]
 pub struct TftpScore {
-    pub files_to_serve: Url,
+    files_to_serve: Url,
 }

 impl<T: Topology + TftpServer + Router> Score<T> for TftpScore {
--- a/harmony_cli/Cargo.toml
+++ b/harmony_cli/Cargo.toml
@@ -22,7 +22,6 @@ indicatif = "0.18.0"
 lazy_static = "1.5.0"
 log.workspace = true
 indicatif-log-bridge = "0.2.3"
-chrono.workspace = true

 [dev-dependencies]
 harmony = { path = "../harmony", features = ["testing"] }
--- a/harmony_cli/src/cli_logger.rs
+++ b/harmony_cli/src/cli_logger.rs
@@ -1,17 +1,22 @@
-use chrono::Local;
-use console::style;
 use harmony::{
    instrumentation::{self, HarmonyEvent},
    modules::application::ApplicationFeatureStatus,
    topology::TopologyStatus,
 };
-use log::{error, info, log_enabled};
-use std::io::Write;
-use std::sync::{Arc, Mutex};
+use indicatif::MultiProgress;
+use indicatif_log_bridge::LogWrapper;
+use log::error;
+use std::{
+    sync::{Arc, Mutex},
+    thread,
+    time::Duration,
+};
+
+use crate::progress::{IndicatifProgressTracker, ProgressTracker};

 pub fn init() -> tokio::task::JoinHandle<()> {
-    configure_logger();
-    let handle = tokio::spawn(handle_events());
+    let base_progress = configure_logger();
+    let handle = tokio::spawn(handle_events(base_progress));

    loop {
        if instrumentation::instrument(HarmonyEvent::HarmonyStarted).is_ok() {
@@ -22,76 +27,28 @@ pub fn init() -> tokio::task::JoinHandle<()> {
    handle
 }

-fn configure_logger() {
-    env_logger::Builder::from_env(env_logger::Env::default().default_filter_or("info"))
-        .format(|buf, record| {
-            let debug_mode = log_enabled!(log::Level::Debug);
-            let timestamp = Local::now().format("%Y-%m-%d %H:%M:%S");
+fn configure_logger() -> MultiProgress {
+    let logger =
+        env_logger::Builder::from_env(env_logger::Env::default().default_filter_or("info")).build();
+    let level = logger.filter();
+    let progress = MultiProgress::new();

-            let level = match record.level() {
-                log::Level::Error => style("ERROR").red(),
-                log::Level::Warn => style("WARN").yellow(),
-                log::Level::Info => style("INFO").green(),
-                log::Level::Debug => style("DEBUG").blue(),
-                log::Level::Trace => style("TRACE").magenta(),
-            };
-            if let Some(status) = record.key_values().get(log::kv::Key::from("status")) {
-                let status = status.to_borrowed_str().unwrap();
-                let emoji = match status {
-                    "finished" => style(crate::theme::EMOJI_SUCCESS.to_string()).green(),
-                    "skipped" => style(crate::theme::EMOJI_SKIP.to_string()).yellow(),
-                    "failed" => style(crate::theme::EMOJI_ERROR.to_string()).red(),
-                    _ => style("".into()),
-                };
-                if debug_mode {
-                    writeln!(
-                        buf,
-                        "[{} {:<5} {}] {} {}",
-                        timestamp,
-                        level,
-                        record.target(),
-                        emoji,
-                        record.args()
-                    )
-                } else {
-                    writeln!(buf, "[{:<5}] {} {}", level, emoji, record.args())
-                }
-            } else if let Some(emoji) = record.key_values().get(log::kv::Key::from("emoji")) {
-                if debug_mode {
-                    writeln!(
-                        buf,
-                        "[{} {:<5} {}] {} {}",
-                        timestamp,
-                        level,
-                        record.target(),
-                        emoji,
-                        record.args()
-                    )
-                } else {
-                    writeln!(buf, "[{:<5}] {} {}", level, emoji, record.args())
-                }
-            } else if debug_mode {
-                writeln!(
-                    buf,
-                    "[{} {:<5} {}] {}",
-                    timestamp,
-                    level,
-                    record.target(),
-                    record.args()
-                )
-            } else {
-                writeln!(buf, "[{:<5}] {}", level, record.args())
-            }
-        })
-        .init();
+    LogWrapper::new(progress.clone(), logger)
+        .try_init()
+        .unwrap();
+    log::set_max_level(level);
+
+    progress
 }

-async fn handle_events() {
+async fn handle_events(base_progress: MultiProgress) {
+    let progress_tracker = Arc::new(IndicatifProgressTracker::new(base_progress.clone()));
    let preparing_topology = Arc::new(Mutex::new(false));
    let current_score: Arc<Mutex<Option<String>>> = Arc::new(Mutex::new(None));

    instrumentation::subscribe("Harmony CLI Logger", {
        move |event| {
+            let progress_tracker = Arc::clone(&progress_tracker);
            let preparing_topology = Arc::clone(&preparing_topology);
            let current_score = Arc::clone(&current_score);

@@ -102,57 +59,90 @@ async fn handle_events() {
                match event {
                    HarmonyEvent::HarmonyStarted => {}
                    HarmonyEvent::HarmonyFinished => {
-                        let emoji = crate::theme::EMOJI_HARMONY.to_string();
-                        info!(emoji = emoji.as_str(); "Harmony completed");
+                        progress_tracker.add_section(
+                            "harmony-summary",
+                            &format!("\n{} Harmony completed\n\n", crate::theme::EMOJI_HARMONY),
+                        );
+                        progress_tracker.add_section("harmony-finished", "\n\n");
+                        thread::sleep(Duration::from_millis(200));
                        return false;
                    }
                    HarmonyEvent::TopologyStateChanged {
                        topology,
                        status,
                        message,
-                    } => match status {
-                        TopologyStatus::Queued => {}
-                        TopologyStatus::Preparing => {
-                            let emoji = format!("{}", style(crate::theme::EMOJI_TOPOLOGY.to_string()).yellow());
-                            info!(emoji = emoji.as_str(); "Preparing environment: {topology}...");
-                            (*preparing_topology) = true;
-                        }
-                        TopologyStatus::Success => {
-                            (*preparing_topology) = false;
-                            if let Some(message) = message {
-                                info!(status = "finished"; "{message}");
+                    } => {
+                        let section_key = topology_key(&topology);
+
+                        match status {
+                            TopologyStatus::Queued => {}
+                            TopologyStatus::Preparing => {
+                                progress_tracker.add_section(
+                                    &section_key,
+                                    &format!(
+                                        "\n{} Preparing environment: {topology}...",
+                                        crate::theme::EMOJI_TOPOLOGY
+                                    ),
+                                );
+                                (*preparing_topology) = true;
+                            }
+                            TopologyStatus::Success => {
+                                (*preparing_topology) = false;
+                                progress_tracker.add_task(&section_key, "topology-success", "");
+                                progress_tracker
+                                    .finish_task("topology-success", &message.unwrap_or("".into()));
+                            }
+                            TopologyStatus::Noop => {
+                                (*preparing_topology) = false;
+                                progress_tracker.add_task(&section_key, "topology-skip", "");
+                                progress_tracker
+                                    .skip_task("topology-skip", &message.unwrap_or("".into()));
+                            }
+                            TopologyStatus::Error => {
+                                progress_tracker.add_task(&section_key, "topology-error", "");
+                                (*preparing_topology) = false;
+                                progress_tracker
+                                    .fail_task("topology-error", &message.unwrap_or("".into()));
                            }
                        }
-                        TopologyStatus::Noop => {
-                            (*preparing_topology) = false;
-                            if let Some(message) = message {
-                                info!(status = "skipped"; "{message}");
-                            }
-                        }
-                        TopologyStatus::Error => {
-                            (*preparing_topology) = false;
-                            if let Some(message) = message {
-                                error!(status = "failed"; "{message}");
-                            }
-                        }
-                    },
+                    }
                    HarmonyEvent::InterpretExecutionStarted {
-                        execution_id: _,
-                        topology: _,
+                        execution_id: task_key,
+                        topology,
                        interpret: _,
                        score,
                        message,
                    } => {
-                        if *preparing_topology || current_score.is_some() {
-                            info!("{message}");
+                        let is_key_topology = (*preparing_topology)
+                            && progress_tracker.contains_section(&topology_key(&topology));
+                        let is_key_current_score = current_score.is_some()
+                            && progress_tracker
+                                .contains_section(&score_key(&current_score.clone().unwrap()));
+                        let is_key_score = progress_tracker.contains_section(&score_key(&score));
+
+                        let section_key = if is_key_topology {
+                            topology_key(&topology)
+                        } else if is_key_current_score {
+                            score_key(&current_score.clone().unwrap())
+                        } else if is_key_score {
+                            score_key(&score)
                        } else {
                            (*current_score) = Some(score.clone());
-                            let emoji = format!("{}", style(crate::theme::EMOJI_SCORE).blue());
-                            info!(emoji = emoji.as_str(); "Interpreting score: {score}...");
-                        }
+                            let key = score_key(&score);
+                            progress_tracker.add_section(
+                                &key,
+                                &format!(
+                                    "{} Interpreting score: {score}...",
+                                    crate::theme::EMOJI_SCORE
+                                ),
+                            );
+                            key
+                        };
+
+                        progress_tracker.add_task(&section_key, &task_key, &message);
                    }
                    HarmonyEvent::InterpretExecutionFinished {
-                        execution_id: _,
+                        execution_id: task_key,
                        topology: _,
                        interpret: _,
                        score,
@@ -165,17 +155,16 @@ async fn handle_events() {
                        match outcome {
                            Ok(outcome) => match outcome.status {
                                harmony::interpret::InterpretStatus::SUCCESS => {
-                                    info!(status = "finished"; "{}", outcome.message);
+                                    progress_tracker.finish_task(&task_key, &outcome.message);
                                }
                                harmony::interpret::InterpretStatus::NOOP => {
-                                    info!(status = "skipped"; "{}", outcome.message);
-                                }
-                                _ => {
-                                    error!(status = "failed"; "{}", outcome.message);
+                                    progress_tracker.skip_task(&task_key, &outcome.message);
                                }
+                                _ => progress_tracker.fail_task(&task_key, &outcome.message),
                            },
                            Err(err) => {
-                                error!(status = "failed"; "{}", err);
+                                error!("Interpret error: {err}");
+                                progress_tracker.fail_task(&task_key, &err.to_string());
                            }
                        }
                    }
@@ -184,17 +173,30 @@ async fn handle_events() {
                        application,
                        feature,
                        status,
-                    } => match status {
-                        ApplicationFeatureStatus::Installing => {
-                            info!("Installing feature '{}' for '{}'...", feature, application);
+                    } => {
+                        if let Some(score) = &(*current_score) {
+                            let section_key = score_key(score);
+                            let task_key = app_feature_key(&application, &feature);
+
+                            match status {
+                                ApplicationFeatureStatus::Installing => {
+                                    let message = format!("Feature '{}' installing...", feature);
+                                    progress_tracker.add_task(&section_key, &task_key, &message);
+                                }
+                                ApplicationFeatureStatus::Installed => {
+                                    let message = format!("Feature '{}' installed", feature);
+                                    progress_tracker.finish_task(&task_key, &message);
+                                }
+                                ApplicationFeatureStatus::Failed { details } => {
+                                    let message = format!(
+                                        "Feature '{}' installation failed: {}",
+                                        feature, details
+                                    );
+                                    progress_tracker.fail_task(&task_key, &message);
+                                }
+                            }
                        }
-                        ApplicationFeatureStatus::Installed => {
-                            info!(status = "finished"; "Feature '{}' installed", feature);
-                        }
-                        ApplicationFeatureStatus::Failed { details } => {
-                            error!(status = "failed"; "Feature '{}' installation failed: {}", feature, details);
-                        }
-                    },
+                    }
                }
                true
            }
@@ -202,3 +204,15 @@ async fn handle_events() {
    })
    .await;
 }
+
+fn topology_key(topology: &str) -> String {
+    format!("topology-{topology}")
+}
+
+fn score_key(score: &str) -> String {
+    format!("score-{score}")
+}
+
+fn app_feature_key(application: &str, feature: &str) -> String {
+    format!("app-{application}-{feature}")
+}
--- a/harmony_cli/src/lib.rs
+++ b/harmony_cli/src/lib.rs
@@ -90,37 +90,13 @@ pub async fn run<T: Topology + Send + Sync + 'static>(
    topology: T,
    scores: Vec<Box<dyn Score<T>>>,
    args_struct: Option<Args>,
-) -> Result<(), Box<dyn std::error::Error>> {
-    let args = match args_struct {
-        Some(args) => args,
-        None => Args::parse(),
-    };
-
-    #[cfg(not(feature = "tui"))]
-    if args.interactive {
-        return Err("Not compiled with interactive support".into());
-    }
-
-    #[cfg(feature = "tui")]
-    if args.interactive {
-        return harmony_tui::run(inventory, topology, scores).await;
-    }
-
-    run_cli(inventory, topology, scores, args).await
-}
-
-pub async fn run_cli<T: Topology + Send + Sync + 'static>(
-    inventory: Inventory,
-    topology: T,
-    scores: Vec<Box<dyn Score<T>>>,
-    args: Args,
 ) -> Result<(), Box<dyn std::error::Error>> {
    let cli_logger_handle = cli_logger::init();

    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
    maestro.register_all(scores);

-    let result = init(maestro, args).await;
+    let result = init(maestro, args_struct).await;

    instrumentation::instrument(instrumentation::HarmonyEvent::HarmonyFinished).unwrap();
    let _ = tokio::try_join!(cli_logger_handle);
@@ -129,8 +105,23 @@ pub async fn run_cli<T: Topology + Send + Sync + 'static>(

 async fn init<T: Topology + Send + Sync + 'static>(
    maestro: harmony::maestro::Maestro<T>,
-    args: Args,
+    args_struct: Option<Args>,
 ) -> Result<(), Box<dyn std::error::Error>> {
+    let args = match args_struct {
+        Some(args) => args,
+        None => Args::parse(),
+    };
+
+    #[cfg(feature = "tui")]
+    if args.interactive {
+        return harmony_tui::init(maestro).await;
+    }
+
+    #[cfg(not(feature = "tui"))]
+    if args.interactive {
+        return Err("Not compiled with interactive support".into());
+    }
+
    let _ = env_logger::builder().try_init();

    let scores_vec = maestro_scores_filter(&maestro, args.all, args.filter, args.number);
@@ -202,14 +193,14 @@ mod tests {
        let maestro = init_test_maestro();
        let res = crate::init(
            maestro,
-            crate::Args {
+            Some(crate::Args {
                yes: true,
                filter: Some("SuccessScore".to_owned()),
                interactive: false,
                all: true,
                number: 0,
                list: false,
-            },
+            }),
        )
        .await;

@@ -222,14 +213,14 @@ mod tests {

        let res = crate::init(
            maestro,
-            crate::Args {
+            Some(crate::Args {
                yes: true,
                filter: Some("ErrorScore".to_owned()),
                interactive: false,
                all: true,
                number: 0,
                list: false,
-            },
+            }),
        )
        .await;

@@ -242,14 +233,14 @@ mod tests {

        let res = crate::init(
            maestro,
-            crate::Args {
+            Some(crate::Args {
                yes: true,
                filter: None,
                interactive: false,
                all: false,
                number: 0,
                list: false,
-            },
+            }),
        )
        .await;

--- a/harmony_inventory_agent/Cargo.toml
+++ b/harmony_inventory_agent/Cargo.toml
@@ -1,12 +0,0 @@
-[package]
-name = "harmony_inventory_agent"
-version = "0.1.0"
-edition = "2024"
-
-[dependencies]
-actix-web = "4.4"
-sysinfo = "0.30"
-serde.workspace = true
-serde_json.workspace = true
-log.workspace = true
-env_logger.workspace = true
--- a/harmony_inventory_agent/README.md
+++ b/harmony_inventory_agent/README.md
@@ -1,22 +0,0 @@
-## Compiling :
-
-```bash
-cargo build -p harmony_inventory_agent --release --target x86_64-unknown-linux-musl
-```
-
-This will create a statically linked binary that can run on pretty much any x86_64 system.
-
-This requires installation of the target
-
-```
-rustup target add x86_64-unknown-linux-musl
-```
-
-And installation of the musl tools too.
-
-On Archlinux, they can be installed with :
-
-```
-pacman -S musl
-```
-
--- a/harmony_inventory_agent/src/hwinfo.rs
+++ b/harmony_inventory_agent/src/hwinfo.rs
@@ -1,825 +0,0 @@
-use log::debug;
-use serde::{Deserialize, Serialize};
-use serde_json::Value;
-use std::fs;
-use std::path::Path;
-use std::process::Command;
-use sysinfo::System;
-
-#[derive(Serialize, Deserialize, Debug)]
-pub struct PhysicalHost {
-    pub storage_drives: Vec<StorageDrive>,
-    pub storage_controller: StorageController,
-    pub memory_modules: Vec<MemoryModule>,
-    pub cpus: Vec<CPU>,
-    pub chipset: Chipset,
-    pub network_interfaces: Vec<NetworkInterface>,
-    pub management_interface: Option<ManagementInterface>,
-    pub host_uuid: String,
-}
-
-#[derive(Serialize, Deserialize, Debug)]
-pub struct StorageDrive {
-    pub name: String,
-    pub model: String,
-    pub serial: String,
-    pub size_bytes: u64,
-    pub logical_block_size: u32,
-    pub physical_block_size: u32,
-    pub rotational: bool,
-    pub wwn: Option<String>,
-    pub interface_type: String,
-    pub smart_status: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug)]
-pub struct StorageController {
-    pub name: String,
-    pub driver: String,
-}
-
-#[derive(Serialize, Deserialize, Debug)]
-pub struct MemoryModule {
-    pub size_bytes: u64,
-    pub speed_mhz: Option<u32>,
-    pub manufacturer: Option<String>,
-    pub part_number: Option<String>,
-    pub serial_number: Option<String>,
-    pub rank: Option<u8>,
-}
-
-#[derive(Serialize, Deserialize, Debug)]
-pub struct CPU {
-    pub model: String,
-    pub vendor: String,
-    pub cores: u32,
-    pub threads: u32,
-    pub frequency_mhz: u64,
-}
-
-#[derive(Serialize, Deserialize, Debug)]
-pub struct Chipset {
-    pub name: String,
-    pub vendor: String,
-}
-
-#[derive(Serialize, Deserialize, Debug)]
-pub struct NetworkInterface {
-    pub name: String,
-    pub mac_address: String,
-    pub speed_mbps: Option<u32>,
-    pub is_up: bool,
-    pub mtu: u32,
-    pub ipv4_addresses: Vec<String>,
-    pub ipv6_addresses: Vec<String>,
-    pub driver: String,
-    pub firmware_version: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug)]
-pub struct ManagementInterface {
-    pub kind: String,
-    pub address: Option<String>,
-    pub firmware: Option<String>,
-}
-
-impl PhysicalHost {
-    pub fn gather() -> Result<Self, String> {
-        let mut sys = System::new_all();
-        sys.refresh_all();
-
-        Self::all_tools_available()?;
-
-        Ok(Self {
-            storage_drives: Self::gather_storage_drives()?,
-            storage_controller: Self::gather_storage_controller()?,
-            memory_modules: Self::gather_memory_modules()?,
-            cpus: Self::gather_cpus(&sys)?,
-            chipset: Self::gather_chipset()?,
-            network_interfaces: Self::gather_network_interfaces()?,
-            management_interface: Self::gather_management_interface()?,
-            host_uuid: Self::get_host_uuid()?,
-        })
-    }
-
-    fn all_tools_available() -> Result<(), String> {
-        let required_tools = [
-            ("lsblk", "--version"),
-            ("lspci", "--version"),
-            ("lsmod", "--version"),
-            ("dmidecode", "--version"),
-            ("smartctl", "--version"),
-            ("ip", "route"), // No version flag available
-        ];
-
-        let mut missing_tools = Vec::new();
-
-        for (tool, tool_arg) in required_tools.iter() {
-            // First check if tool exists in PATH using which(1)
-            let exists = if let Ok(output) = Command::new("which").arg(tool).output() {
-                output.status.success()
-            } else {
-                // Fallback: manual PATH search if which(1) is unavailable
-                if let Ok(path_var) = std::env::var("PATH") {
-                    path_var.split(':').any(|dir| {
-                        let tool_path = std::path::Path::new(dir).join(tool);
-                        tool_path.exists() && Self::is_executable(&tool_path)
-                    })
-                } else {
-                    false
-                }
-            };
-
-            if !exists {
-                missing_tools.push(*tool);
-                continue;
-            }
-
-            // Verify tool is functional by checking version/help output
-            let mut cmd = Command::new(tool);
-            cmd.arg(tool_arg);
-            cmd.stdout(std::process::Stdio::null());
-            cmd.stderr(std::process::Stdio::null());
-
-            if let Ok(status) = cmd.status() {
-                if !status.success() {
-                    missing_tools.push(*tool);
-                }
-            } else {
-                missing_tools.push(*tool);
-            }
-        }
-
-        if !missing_tools.is_empty() {
-            let missing_str = missing_tools
-                .iter()
-                .map(|s| s.to_string())
-                .collect::<Vec<String>>()
-                .join(", ");
-            return Err(format!(
-                "The following required tools are not available: {}. Please install these tools to use PhysicalHost::gather()",
-                missing_str
-            ));
-        }
-
-        Ok(())
-    }
-
-    #[cfg(unix)]
-    fn is_executable(path: &std::path::Path) -> bool {
-        use std::os::unix::fs::PermissionsExt;
-
-        match std::fs::metadata(path) {
-            Ok(meta) => meta.permissions().mode() & 0o111 != 0,
-            Err(_) => false,
-        }
-    }
-
-    #[cfg(not(unix))]
-    fn is_executable(_path: &std::path::Path) -> bool {
-        // On non-Unix systems, we assume existence implies executability
-        true
-    }
-
-    fn gather_storage_drives() -> Result<Vec<StorageDrive>, String> {
-        let mut drives = Vec::new();
-
-        // Use lsblk with JSON output for robust parsing
-        let output = Command::new("lsblk")
-            .args([
-                "-d",
-                "-o",
-                "NAME,MODEL,SERIAL,SIZE,ROTA,WWN",
-                "-n",
-                "-e",
-                "7",
-                "--json",
-            ])
-            .output()
-            .map_err(|e| format!("Failed to execute lsblk: {}", e))?;
-
-        if !output.status.success() {
-            return Err(format!(
-                "lsblk command failed: {}",
-                String::from_utf8_lossy(&output.stderr)
-            ));
-        }
-
-        let json: Value = serde_json::from_slice(&output.stdout)
-            .map_err(|e| format!("Failed to parse lsblk JSON output: {}", e))?;
-
-        let blockdevices = json
-            .get("blockdevices")
-            .and_then(|v| v.as_array())
-            .ok_or("Invalid lsblk JSON: missing 'blockdevices' array")?;
-
-        for device in blockdevices {
-            let name = device
-                .get("name")
-                .and_then(|v| v.as_str())
-                .ok_or("Missing 'name' in lsblk device")?
-                .to_string();
-
-            if name.is_empty() {
-                continue;
-            }
-
-            let model = device
-                .get("model")
-                .and_then(|v| v.as_str())
-                .map(|s| s.trim().to_string())
-                .unwrap_or_default();
-
-            let serial = device
-                .get("serial")
-                .and_then(|v| v.as_str())
-                .map(|s| s.trim().to_string())
-                .unwrap_or_default();
-
-            let size_str = device
-                .get("size")
-                .and_then(|v| v.as_str())
-                .ok_or("Missing 'size' in lsblk device")?;
-            let size_bytes = Self::parse_size(size_str)?;
-
-            let rotational = device
-                .get("rota")
-                .and_then(|v| v.as_bool())
-                .ok_or("Missing 'rota' in lsblk device")?;
-
-            let wwn = device
-                .get("wwn")
-                .and_then(|v| v.as_str())
-                .map(|s| s.trim().to_string())
-                .filter(|s| !s.is_empty() && s != "null");
-
-            let device_path = Path::new("/sys/block").join(&name);
-
-            let logical_block_size = Self::read_sysfs_u32(
-                &device_path.join("queue/logical_block_size"),
-            )
-            .map_err(|e| format!("Failed to read logical block size for {}: {}", name, e))?;
-
-            let physical_block_size = Self::read_sysfs_u32(
-                &device_path.join("queue/physical_block_size"),
-            )
-            .map_err(|e| format!("Failed to read physical block size for {}: {}", name, e))?;
-
-            let interface_type = Self::get_interface_type(&name, &device_path)?;
-            let smart_status = Self::get_smart_status(&name)?;
-
-            let mut drive = StorageDrive {
-                name: name.clone(),
-                model,
-                serial,
-                size_bytes,
-                logical_block_size,
-                physical_block_size,
-                rotational,
-                wwn,
-                interface_type,
-                smart_status,
-            };
-
-            // Enhance with additional sysfs info if available
-            if device_path.exists() {
-                if drive.model.is_empty() {
-                    drive.model = Self::read_sysfs_string(&device_path.join("device/model"))
-                        .map_err(|e| format!("Failed to read model for {}: {}", name, e))?;
-                }
-                if drive.serial.is_empty() {
-                    drive.serial = Self::read_sysfs_string(&device_path.join("device/serial"))
-                        .map_err(|e| format!("Failed to read serial for {}: {}", name, e))?;
-                }
-            }
-
-            drives.push(drive);
-        }
-
-        Ok(drives)
-    }
-
-    fn gather_storage_controller() -> Result<StorageController, String> {
-        let mut controller = StorageController {
-            name: "Unknown".to_string(),
-            driver: "Unknown".to_string(),
-        };
-
-        // Use lspci with JSON output if available
-        let output = Command::new("lspci")
-            .args(["-nn", "-d", "::0100", "-J"]) // Storage controllers class with JSON
-            .output()
-            .map_err(|e| format!("Failed to execute lspci: {}", e))?;
-
-        if output.status.success() {
-            let json: Value = serde_json::from_slice(&output.stdout)
-                .map_err(|e| format!("Failed to parse lspci JSON output: {}", e))?;
-
-            if let Some(devices) = json.as_array() {
-                for device in devices {
-                    if let Some(device_info) = device.as_object()
-                        && let Some(name) = device_info
-                            .get("device")
-                            .and_then(|v| v.as_object())
-                            .and_then(|v| v.get("name"))
-                            .and_then(|v| v.as_str())
-                    {
-                        controller.name = name.to_string();
-                        break;
-                    }
-                }
-            }
-        }
-
-        // Fallback to text output if JSON fails or no device found
-        if controller.name == "Unknown" {
-            let output = Command::new("lspci")
-                .args(["-nn", "-d", "::0100"]) // Storage controllers class
-                .output()
-                .map_err(|e| format!("Failed to execute lspci (fallback): {}", e))?;
-
-            if output.status.success() {
-                let output_str = String::from_utf8_lossy(&output.stdout);
-                if let Some(line) = output_str.lines().next() {
-                    let parts: Vec<&str> = line.split(':').collect();
-                    if parts.len() > 2 {
-                        controller.name = parts[2].trim().to_string();
-                    }
-                }
-            }
-        }
-
-        // Try to get driver info from lsmod
-        let output = Command::new("lsmod")
-            .output()
-            .map_err(|e| format!("Failed to execute lsmod: {}", e))?;
-
-        if output.status.success() {
-            let output_str = String::from_utf8_lossy(&output.stdout);
-            for line in output_str.lines() {
-                if line.contains("ahci")
-                    || line.contains("nvme")
-                    || line.contains("megaraid")
-                    || line.contains("mpt3sas")
-                {
-                    let parts: Vec<&str> = line.split_whitespace().collect();
-                    if !parts.is_empty() {
-                        controller.driver = parts[0].to_string();
-                        break;
-                    }
-                }
-            }
-        }
-
-        Ok(controller)
-    }
-
-    fn gather_memory_modules() -> Result<Vec<MemoryModule>, String> {
-        let mut modules = Vec::new();
-
-        let output = Command::new("dmidecode")
-            .arg("--type")
-            .arg("17")
-            .output()
-            .map_err(|e| format!("Failed to execute dmidecode: {}", e))?;
-
-        if !output.status.success() {
-            return Err(format!(
-                "dmidecode command failed: {}",
-                String::from_utf8_lossy(&output.stderr)
-            ));
-        }
-
-        let output_str = String::from_utf8(output.stdout)
-            .map_err(|e| format!("Failed to parse dmidecode output: {}", e))?;
-
-        let sections: Vec<&str> = output_str.split("Memory Device").collect();
-
-        for section in sections.into_iter().skip(1) {
-            let mut module = MemoryModule {
-                size_bytes: 0,
-                speed_mhz: None,
-                manufacturer: None,
-                part_number: None,
-                serial_number: None,
-                rank: None,
-            };
-
-            for line in section.lines() {
-                let line = line.trim();
-                if let Some(size_str) = line.strip_prefix("Size: ") {
-                    if size_str != "No Module Installed"
-                        && let Some((num, unit)) = size_str.split_once(' ')
-                        && let Ok(num) = num.parse::<u64>()
-                    {
-                        module.size_bytes = match unit {
-                            "MB" => num * 1024 * 1024,
-                            "GB" => num * 1024 * 1024 * 1024,
-                            "KB" => num * 1024,
-                            _ => 0,
-                        };
-                    }
-                } else if let Some(speed_str) = line.strip_prefix("Speed: ") {
-                    if let Some((num, _unit)) = speed_str.split_once(' ') {
-                        module.speed_mhz = num.parse().ok();
-                    }
-                } else if let Some(man) = line.strip_prefix("Manufacturer: ") {
-                    module.manufacturer = Some(man.to_string());
-                } else if let Some(part) = line.strip_prefix("Part Number: ") {
-                    module.part_number = Some(part.to_string());
-                } else if let Some(serial) = line.strip_prefix("Serial Number: ") {
-                    module.serial_number = Some(serial.to_string());
-                } else if let Some(rank) = line.strip_prefix("Rank: ") {
-                    module.rank = rank.parse().ok();
-                }
-            }
-
-            if module.size_bytes > 0 {
-                modules.push(module);
-            }
-        }
-
-        Ok(modules)
-    }
-
-    fn gather_cpus(sys: &System) -> Result<Vec<CPU>, String> {
-        let mut cpus = Vec::new();
-        let global_cpu = sys.global_cpu_info();
-
-        cpus.push(CPU {
-            model: global_cpu.brand().to_string(),
-            vendor: global_cpu.vendor_id().to_string(),
-            cores: sys.physical_core_count().unwrap_or(1) as u32,
-            threads: sys.cpus().len() as u32,
-            frequency_mhz: global_cpu.frequency(),
-        });
-
-        Ok(cpus)
-    }
-
-    fn gather_chipset() -> Result<Chipset, String> {
-        Ok(Chipset {
-            name: Self::read_dmi("baseboard-product-name")?,
-            vendor: Self::read_dmi("baseboard-manufacturer")?,
-        })
-    }
-
-    fn gather_network_interfaces() -> Result<Vec<NetworkInterface>, String> {
-        let mut interfaces = Vec::new();
-        let sys_net_path = Path::new("/sys/class/net");
-
-        let entries = fs::read_dir(sys_net_path)
-            .map_err(|e| format!("Failed to read /sys/class/net: {}", e))?;
-
-        for entry in entries {
-            let entry = entry.map_err(|e| format!("Failed to read directory entry: {}", e))?;
-            let iface_name = entry
-                .file_name()
-                .into_string()
-                .map_err(|_| "Invalid UTF-8 in interface name")?;
-            let iface_path = entry.path();
-
-            // Skip virtual interfaces
-            if iface_name.starts_with("lo")
-                || iface_name.starts_with("docker")
-                || iface_name.starts_with("virbr")
-                || iface_name.starts_with("veth")
-                || iface_name.starts_with("br-")
-                || iface_name.starts_with("tun")
-                || iface_name.starts_with("wg")
-            {
-                continue;
-            }
-
-            // Check if it's a physical interface by looking for device directory
-            if !iface_path.join("device").exists() {
-                continue;
-            }
-
-            let mac_address = Self::read_sysfs_string(&iface_path.join("address"))
-                .map_err(|e| format!("Failed to read MAC address for {}: {}", iface_name, e))?;
-
-            let speed_mbps = if iface_path.join("speed").exists() {
-                match Self::read_sysfs_u32(&iface_path.join("speed")) {
-                    Ok(speed) => Some(speed),
-                    Err(e) => {
-                        debug!(
-                            "Failed to read speed for {}: {} . This is expected to fail on wifi interfaces.",
-                            iface_name, e
-                        );
-                        None
-                    }
-                }
-            } else {
-                None
-            };
-
-            let operstate = Self::read_sysfs_string(&iface_path.join("operstate"))
-                .map_err(|e| format!("Failed to read operstate for {}: {}", iface_name, e))?;
-
-            let mtu = Self::read_sysfs_u32(&iface_path.join("mtu"))
-                .map_err(|e| format!("Failed to read MTU for {}: {}", iface_name, e))?;
-
-            let driver =
-                Self::read_sysfs_symlink_basename(&iface_path.join("device/driver/module"))
-                    .map_err(|e| format!("Failed to read driver for {}: {}", iface_name, e))?;
-
-            let firmware_version = Self::read_sysfs_opt_string(
-                &iface_path.join("device/firmware_version"),
-            )
-            .map_err(|e| format!("Failed to read firmware version for {}: {}", iface_name, e))?;
-
-            // Get IP addresses using ip command with JSON output
-            let (ipv4_addresses, ipv6_addresses) = Self::get_interface_ips_json(&iface_name)
-                .map_err(|e| format!("Failed to get IP addresses for {}: {}", iface_name, e))?;
-
-            interfaces.push(NetworkInterface {
-                name: iface_name,
-                mac_address,
-                speed_mbps,
-                is_up: operstate == "up",
-                mtu,
-                ipv4_addresses,
-                ipv6_addresses,
-                driver,
-                firmware_version,
-            });
-        }
-
-        Ok(interfaces)
-    }
-
-    fn gather_management_interface() -> Result<Option<ManagementInterface>, String> {
-        if Path::new("/dev/ipmi0").exists() {
-            Ok(Some(ManagementInterface {
-                kind: "IPMI".to_string(),
-                address: None,
-                firmware: Some(Self::read_dmi("bios-version")?),
-            }))
-        } else if Path::new("/sys/class/misc/mei").exists() {
-            Ok(Some(ManagementInterface {
-                kind: "Intel ME".to_string(),
-                address: None,
-                firmware: None,
-            }))
-        } else {
-            Ok(None)
-        }
-    }
-
-    fn get_host_uuid() -> Result<String, String> {
-        Self::read_dmi("system-uuid")
-    }
-
-    // Helper methods
-    fn read_sysfs_string(path: &Path) -> Result<String, String> {
-        fs::read_to_string(path)
-            .map(|s| s.trim().to_string())
-            .map_err(|e| format!("Failed to read {}: {}", path.display(), e))
-    }
-
-    fn read_sysfs_opt_string(path: &Path) -> Result<Option<String>, String> {
-        match fs::read_to_string(path) {
-            Ok(s) => {
-                let s = s.trim().to_string();
-                Ok(if s.is_empty() { None } else { Some(s) })
-            }
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => Ok(None),
-            Err(e) => Err(format!("Failed to read {}: {}", path.display(), e)),
-        }
-    }
-
-    fn read_sysfs_u32(path: &Path) -> Result<u32, String> {
-        fs::read_to_string(path)
-            .map_err(|e| format!("Failed to read {}: {}", path.display(), e))?
-            .trim()
-            .parse()
-            .map_err(|e| format!("Failed to parse {}: {}", path.display(), e))
-    }
-
-    fn read_sysfs_symlink_basename(path: &Path) -> Result<String, String> {
-        match fs::read_link(path) {
-            Ok(target_path) => match target_path.file_name() {
-                Some(name_osstr) => match name_osstr.to_str() {
-                    Some(name_str) => Ok(name_str.to_string()),
-                    None => Err(format!(
-                        "Symlink target basename is not valid UTF-8: {}",
-                        target_path.display()
-                    )),
-                },
-                None => Err(format!(
-                    "Symlink target has no basename: {} -> {}",
-                    path.display(),
-                    target_path.display()
-                )),
-            },
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => Err(format!(
-                "Could not resolve symlink for path : {}",
-                path.display()
-            )),
-            Err(e) => Err(format!("Failed to read symlink {}: {}", path.display(), e)),
-        }
-    }
-
-    fn read_dmi(field: &str) -> Result<String, String> {
-        let output = Command::new("dmidecode")
-            .arg("-s")
-            .arg(field)
-            .output()
-            .map_err(|e| format!("Failed to execute dmidecode for field {}: {}", field, e))?;
-
-        if !output.status.success() {
-            return Err(format!(
-                "dmidecode command failed for field {}: {}",
-                field,
-                String::from_utf8_lossy(&output.stderr)
-            ));
-        }
-
-        String::from_utf8(output.stdout)
-            .map(|s| s.trim().to_string())
-            .map_err(|e| {
-                format!(
-                    "Failed to parse dmidecode output for field {}: {}",
-                    field, e
-                )
-            })
-    }
-
-    fn get_interface_type(device_name: &str, device_path: &Path) -> Result<String, String> {
-        if device_name.starts_with("nvme") {
-            Ok("NVMe".to_string())
-        } else if device_name.starts_with("sd") {
-            Ok("SATA".to_string())
-        } else if device_name.starts_with("hd") {
-            Ok("IDE".to_string())
-        } else if device_name.starts_with("vd") {
-            Ok("VirtIO".to_string())
-        } else {
-            // Try to determine from device path
-            let subsystem = Self::read_sysfs_string(&device_path.join("device/subsystem"))?;
-            Ok(subsystem
-                .split('/')
-                .next_back()
-                .unwrap_or("Unknown")
-                .to_string())
-        }
-    }
-
-    fn get_smart_status(device_name: &str) -> Result<Option<String>, String> {
-        let output = Command::new("smartctl")
-            .arg("-H")
-            .arg(format!("/dev/{}", device_name))
-            .output()
-            .map_err(|e| format!("Failed to execute smartctl for {}: {}", device_name, e))?;
-
-        if !output.status.success() {
-            return Ok(None);
-        }
-
-        let stdout = String::from_utf8(output.stdout)
-            .map_err(|e| format!("Failed to parse smartctl output for {}: {}", device_name, e))?;
-
-        for line in stdout.lines() {
-            if line.contains("SMART overall-health self-assessment") {
-                if let Some(status) = line.split(':').nth(1) {
-                    return Ok(Some(status.trim().to_string()));
-                }
-            }
-        }
-
-        Ok(None)
-    }
-
-    fn parse_size(size_str: &str) -> Result<u64, String> {
-        debug!("Parsing size_str '{size_str}'");
-        let size;
-        if size_str.ends_with('T') {
-            size = size_str[..size_str.len() - 1]
-                .parse::<f64>()
-                .map(|t| t * 1024.0 * 1024.0 * 1024.0 * 1024.0)
-                .map_err(|e| format!("Failed to parse T size '{}': {}", size_str, e))
-        } else if size_str.ends_with('G') {
-            size = size_str[..size_str.len() - 1]
-                .parse::<f64>()
-                .map(|g| g * 1024.0 * 1024.0 * 1024.0)
-                .map_err(|e| format!("Failed to parse G size '{}': {}", size_str, e))
-        } else if size_str.ends_with('M') {
-            size = size_str[..size_str.len() - 1]
-                .parse::<f64>()
-                .map(|m| m * 1024.0 * 1024.0)
-                .map_err(|e| format!("Failed to parse M size '{}': {}", size_str, e))
-        } else if size_str.ends_with('K') {
-            size = size_str[..size_str.len() - 1]
-                .parse::<f64>()
-                .map(|k| k * 1024.0)
-                .map_err(|e| format!("Failed to parse K size '{}': {}", size_str, e))
-        } else if size_str.ends_with('B') {
-            size = size_str[..size_str.len() - 1]
-                .parse::<f64>()
-                .map_err(|e| format!("Failed to parse B size '{}': {}", size_str, e))
-        } else {
-            size = size_str
-                .parse::<f64>()
-                .map_err(|e| format!("Failed to parse size '{}': {}", size_str, e))
-        }
-
-        size.map(|s| s as u64)
-    }
-
-    fn get_interface_ips_json(iface_name: &str) -> Result<(Vec<String>, Vec<String>), String> {
-        let mut ipv4 = Vec::new();
-        let mut ipv6 = Vec::new();
-
-        // Get IPv4 addresses using JSON output
-        let output = Command::new("ip")
-            .args(["-j", "-4", "addr", "show", iface_name])
-            .output()
-            .map_err(|e| {
-                format!(
-                    "Failed to execute ip command for IPv4 on {}: {}",
-                    iface_name, e
-                )
-            })?;
-
-        if !output.status.success() {
-            return Err(format!(
-                "ip command for IPv4 on {} failed: {}",
-                iface_name,
-                String::from_utf8_lossy(&output.stderr)
-            ));
-        }
-
-        let json: Value = serde_json::from_slice(&output.stdout).map_err(|e| {
-            format!(
-                "Failed to parse ip JSON output for IPv4 on {}: {}",
-                iface_name, e
-            )
-        })?;
-
-        if let Some(addrs) = json.as_array() {
-            for addr_info in addrs {
-                if let Some(addr_info_obj) = addr_info.as_object()
-                    && let Some(addr_info) =
-                        addr_info_obj.get("addr_info").and_then(|v| v.as_array())
-                {
-                    for addr in addr_info {
-                        if let Some(addr_obj) = addr.as_object()
-                            && let Some(ip) = addr_obj.get("local").and_then(|v| v.as_str())
-                        {
-                            ipv4.push(ip.to_string());
-                        }
-                    }
-                }
-            }
-        }
-
-        // Get IPv6 addresses using JSON output
-        let output = Command::new("ip")
-            .args(["-j", "-6", "addr", "show", iface_name])
-            .output()
-            .map_err(|e| {
-                format!(
-                    "Failed to execute ip command for IPv6 on {}: {}",
-                    iface_name, e
-                )
-            })?;
-
-        if !output.status.success() {
-            return Err(format!(
-                "ip command for IPv6 on {} failed: {}",
-                iface_name,
-                String::from_utf8_lossy(&output.stderr)
-            ));
-        }
-
-        let json: Value = serde_json::from_slice(&output.stdout).map_err(|e| {
-            format!(
-                "Failed to parse ip JSON output for IPv6 on {}: {}",
-                iface_name, e
-            )
-        })?;
-
-        if let Some(addrs) = json.as_array() {
-            for addr_info in addrs {
-                if let Some(addr_info_obj) = addr_info.as_object()
-                    && let Some(addr_info) =
-                        addr_info_obj.get("addr_info").and_then(|v| v.as_array())
-                {
-                    for addr in addr_info {
-                        if let Some(addr_obj) = addr.as_object()
-                            && let Some(ip) = addr_obj.get("local").and_then(|v| v.as_str())
-                        {
-                            // Skip link-local addresses
-                            if !ip.starts_with("fe80::") {
-                                ipv6.push(ip.to_string());
-                            }
-                        }
-                    }
-                }
-            }
-        }
-
-        Ok((ipv4, ipv6))
-    }
-}
--- a/harmony_inventory_agent/src/main.rs
+++ b/harmony_inventory_agent/src/main.rs
@@ -1,37 +0,0 @@
-// src/main.rs
-use actix_web::{App, HttpServer, Responder, get};
-use hwinfo::PhysicalHost;
-use std::env;
-
-mod hwinfo;
-
-#[get("/inventory")]
-async fn inventory() -> impl Responder {
-    log::info!("Received inventory request");
-    let host = PhysicalHost::gather();
-    match host {
-        Ok(host) => {
-            log::info!("Inventory data gathered successfully");
-            actix_web::HttpResponse::Ok().json(host)
-        }
-        Err(error) => {
-            log::error!("Inventory data gathering FAILED");
-            actix_web::HttpResponse::InternalServerError().json(error)
-        }
-    }
-}
-
-#[actix_web::main]
-async fn main() -> std::io::Result<()> {
-    env_logger::init();
-
-    let port = env::var("HARMONY_INVENTORY_AGENT_PORT").unwrap_or_else(|_| "8080".to_string());
-    let bind_addr = format!("0.0.0.0:{}", port);
-
-    log::info!("Starting inventory agent on {}", bind_addr);
-
-    HttpServer::new(|| App::new().service(inventory))
-        .bind(&bind_addr)?
-        .run()
-        .await
-}
--- a/harmony_secret/Cargo.toml
+++ b/harmony_secret/Cargo.toml
@@ -1,23 +0,0 @@
-[package]
-name = "harmony-secret"
-edition = "2024"
-version.workspace = true
-readme.workspace = true
-license.workspace = true
-
-[dependencies]
-harmony-secret-derive = { version = "0.1.0", path = "../harmony_secret_derive" }
-serde = { version = "1.0.209", features = ["derive", "rc"] }
-serde_json = "1.0.127"
-thiserror.workspace = true
-lazy_static.workspace = true
-directories.workspace = true
-log.workspace = true
-infisical = "0.0.2"
-tokio.workspace = true
-async-trait.workspace = true
-http.workspace = true
-
-[dev-dependencies]
-pretty_assertions.workspace = true
-tempfile.workspace = true
--- a/harmony_secret/src/config.rs
+++ b/harmony_secret/src/config.rs
@@ -1,18 +0,0 @@
-use lazy_static::lazy_static;
-
-lazy_static! {
-    pub static ref SECRET_NAMESPACE: String =
-        std::env::var("HARMONY_SECRET_NAMESPACE").expect("HARMONY_SECRET_NAMESPACE environment variable is required, it should contain the name of the project you are working on to access its secrets");
-    pub static ref SECRET_STORE: Option<String> =
-        std::env::var("HARMONY_SECRET_STORE").ok();
-    pub static ref INFISICAL_URL: Option<String> =
-        std::env::var("HARMONY_SECRET_INFISICAL_URL").ok();
-    pub static ref INFISICAL_PROJECT_ID: Option<String> =
-        std::env::var("HARMONY_SECRET_INFISICAL_PROJECT_ID").ok();
-    pub static ref INFISICAL_ENVIRONMENT: Option<String> =
-        std::env::var("HARMONY_SECRET_INFISICAL_ENVIRONMENT").ok();
-    pub static ref INFISICAL_CLIENT_ID: Option<String> =
-        std::env::var("HARMONY_SECRET_INFISICAL_CLIENT_ID").ok();
-    pub static ref INFISICAL_CLIENT_SECRET: Option<String> =
-        std::env::var("HARMONY_SECRET_INFISICAL_CLIENT_SECRET").ok();
-}
--- a/harmony_secret/src/lib.rs
+++ b/harmony_secret/src/lib.rs
@@ -1,166 +0,0 @@
-pub mod config;
-mod store;
-
-use crate::config::SECRET_NAMESPACE;
-use async_trait::async_trait;
-use config::INFISICAL_CLIENT_ID;
-use config::INFISICAL_CLIENT_SECRET;
-use config::INFISICAL_ENVIRONMENT;
-use config::INFISICAL_PROJECT_ID;
-use config::INFISICAL_URL;
-use config::SECRET_STORE;
-use serde::{Serialize, de::DeserializeOwned};
-use std::fmt;
-use store::InfisicalSecretStore;
-use store::LocalFileSecretStore;
-use thiserror::Error;
-use tokio::sync::OnceCell;
-
-pub use harmony_secret_derive::Secret;
-
-// The Secret trait remains the same.
-pub trait Secret: Serialize + DeserializeOwned + Sized {
-    const KEY: &'static str;
-}
-
-// The error enum remains the same.
-#[derive(Debug, Error)]
-pub enum SecretStoreError {
-    #[error("Secret not found for key '{key}' in namespace '{namespace}'")]
-    NotFound { namespace: String, key: String },
-    #[error("Failed to deserialize secret for key '{key}': {source}")]
-    Deserialization {
-        key: String,
-        source: serde_json::Error,
-    },
-    #[error("Failed to serialize secret for key '{key}': {source}")]
-    Serialization {
-        key: String,
-        source: serde_json::Error,
-    },
-    #[error("Underlying storage error: {0}")]
-    Store(#[from] Box<dyn std::error::Error + Send + Sync>),
-}
-
-// The trait is now async!
-#[async_trait]
-pub trait SecretStore: fmt::Debug + Send + Sync {
-    async fn get_raw(&self, namespace: &str, key: &str) -> Result<Vec<u8>, SecretStoreError>;
-    async fn set_raw(
-        &self,
-        namespace: &str,
-        key: &str,
-        value: &[u8],
-    ) -> Result<(), SecretStoreError>;
-}
-
-// Use OnceCell for async-friendly, one-time initialization.
-static SECRET_MANAGER: OnceCell<SecretManager> = OnceCell::const_new();
-
-/// Initializes and returns a reference to the global SecretManager.
-async fn get_secret_manager() -> &'static SecretManager {
-    SECRET_MANAGER.get_or_init(init_secret_manager).await
-}
-
-/// The async initialization function for the SecretManager.
-async fn init_secret_manager() -> SecretManager {
-    let default_secret_score = "infisical".to_string();
-    let store_type = SECRET_STORE.as_ref().unwrap_or(&default_secret_score);
-
-    let store: Box<dyn SecretStore> = match store_type.as_str() {
-        "file" => Box::new(LocalFileSecretStore::default()),
-        "infisical" | _ => {
-            let store = InfisicalSecretStore::new(
-                INFISICAL_URL.clone().expect("Infisical url must be set, see harmony_secret config for ways to provide it. You can try with HARMONY_SECRET_INFISICAL_URL"),
-                INFISICAL_PROJECT_ID.clone().expect("Infisical project id must be set, see harmony_secret config for ways to provide it. You can try with HARMONY_SECRET_INFISICAL_PROJECT_ID"),
-                INFISICAL_ENVIRONMENT.clone().expect("Infisical environment must be set, see harmony_secret config for ways to provide it. You can try with HARMONY_SECRET_INFISICAL_ENVIRONMENT"),
-                INFISICAL_CLIENT_ID.clone().expect("Infisical client id must be set, see harmony_secret config for ways to provide it. You can try with HARMONY_SECRET_INFISICAL_CLIENT_ID"),
-                INFISICAL_CLIENT_SECRET.clone().expect("Infisical client secret must be set, see harmony_secret config for ways to provide it. You can try with HARMONY_SECRET_INFISICAL_CLIENT_SECRET"),
-            )
-            .await
-            .expect("Failed to initialize Infisical secret store");
-            Box::new(store)
-        }
-    };
-
-    SecretManager::new(SECRET_NAMESPACE.clone(), store)
-}
-
-/// Manages the lifecycle of secrets, providing a simple static API.
-#[derive(Debug)]
-pub struct SecretManager {
-    namespace: String,
-    store: Box<dyn SecretStore>,
-}
-
-impl SecretManager {
-    fn new(namespace: String, store: Box<dyn SecretStore>) -> Self {
-        Self { namespace, store }
-    }
-
-    /// Retrieves and deserializes a secret.
-    pub async fn get<T: Secret>() -> Result<T, SecretStoreError> {
-        let manager = get_secret_manager().await;
-        let raw_value = manager.store.get_raw(&manager.namespace, T::KEY).await?;
-        serde_json::from_slice(&raw_value).map_err(|e| SecretStoreError::Deserialization {
-            key: T::KEY.to_string(),
-            source: e,
-        })
-    }
-
-    /// Serializes and stores a secret.
-    pub async fn set<T: Secret>(secret: &T) -> Result<(), SecretStoreError> {
-        let manager = get_secret_manager().await;
-        let raw_value =
-            serde_json::to_vec(secret).map_err(|e| SecretStoreError::Serialization {
-                key: T::KEY.to_string(),
-                source: e,
-            })?;
-        manager
-            .store
-            .set_raw(&manager.namespace, T::KEY, &raw_value)
-            .await
-    }
-}
-
-#[cfg(test)]
-mod test {
-    use super::*;
-    use pretty_assertions::assert_eq;
-    use serde::{Deserialize, Serialize};
-
-    #[derive(Serialize, Deserialize, Debug, PartialEq)]
-    struct TestUserMeta {
-        labels: Vec<String>,
-    }
-
-    #[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
-    struct TestSecret {
-        user: String,
-        password: String,
-        metadata: TestUserMeta,
-    }
-
-    #[cfg(secrete2etest)]
-    #[tokio::test]
-    async fn set_and_retrieve_secret() {
-        let secret = TestSecret {
-            user: String::from("user"),
-            password: String::from("password"),
-            metadata: TestUserMeta {
-                labels: vec![
-                    String::from("label1"),
-                    String::from("label2"),
-                    String::from(
-                        "some longet label with \" special @#%$)(udiojcia[]]] \"'asdij'' characters Nдs はにほへとちり าฟันพัฒนา yağız şoföre ç <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20>  👩‍👩‍👧‍👦  /span>  👩‍👧‍👦 and why not emojis ",
-                    ),
-                ],
-            },
-        };
-
-        SecretManager::set(&secret).await.unwrap();
-        let value = SecretManager::get::<TestSecret>().await.unwrap();
-
-        assert_eq!(value, secret);
-    }
-}
--- a/harmony_secret/src/store/infisical.rs
+++ b/harmony_secret/src/store/infisical.rs
@@ -1,129 +0,0 @@
-use crate::{SecretStore, SecretStoreError};
-use async_trait::async_trait;
-use infisical::{
-    AuthMethod, InfisicalError,
-    client::Client,
-    secrets::{CreateSecretRequest, GetSecretRequest, UpdateSecretRequest},
-};
-use log::{info, warn};
-
-#[derive(Debug)]
-pub struct InfisicalSecretStore {
-    client: Client,
-    project_id: String,
-    environment: String,
-}
-
-impl InfisicalSecretStore {
-    /// Creates a new, authenticated Infisical client.
-    pub async fn new(
-        base_url: String,
-        project_id: String,
-        environment: String,
-        client_id: String,
-        client_secret: String,
-    ) -> Result<Self, InfisicalError> {
-        info!("INFISICAL_STORE: Initializing client for URL: {base_url}");
-
-        // The builder and login logic remains the same.
-        let mut client = Client::builder().base_url(base_url).build().await?;
-        let auth_method = AuthMethod::new_universal_auth(client_id, client_secret);
-        client.login(auth_method).await?;
-
-        info!("INFISICAL_STORE: Client authenticated successfully.");
-        Ok(Self {
-            client,
-            project_id,
-            environment,
-        })
-    }
-}
-
-#[async_trait]
-impl SecretStore for InfisicalSecretStore {
-    async fn get_raw(&self, _environment: &str, key: &str) -> Result<Vec<u8>, SecretStoreError> {
-        let environment = &self.environment;
-        info!("INFISICAL_STORE: Getting key '{key}' from environment '{environment}'");
-
-        let request = GetSecretRequest::builder(key, &self.project_id, environment).build();
-
-        match self.client.secrets().get(request).await {
-            Ok(secret) => Ok(secret.secret_value.into_bytes()),
-            Err(e) => {
-                // Correctly match against the actual InfisicalError enum.
-                match e {
-                    // The specific case for a 404 Not Found error.
-                    InfisicalError::HttpError { status, .. }
-                        if status == http::StatusCode::NOT_FOUND =>
-                    {
-                        Err(SecretStoreError::NotFound {
-                            namespace: environment.to_string(),
-                            key: key.to_string(),
-                        })
-                    }
-                    // For all other errors, wrap them in our generic Store error.
-                    _ => Err(SecretStoreError::Store(Box::new(e))),
-                }
-            }
-        }
-    }
-
-    async fn set_raw(
-        &self,
-        _environment: &str,
-        key: &str,
-        val: &[u8],
-    ) -> Result<(), SecretStoreError> {
-        info!(
-            "INFISICAL_STORE: Setting key '{key}' in environment '{}'",
-            self.environment
-        );
-        let value_str =
-            String::from_utf8(val.to_vec()).map_err(|e| SecretStoreError::Store(Box::new(e)))?;
-
-        // --- Upsert Logic ---
-        // First, attempt to update the secret.
-        let update_req = UpdateSecretRequest::builder(key, &self.project_id, &self.environment)
-            .secret_value(&value_str)
-            .build();
-
-        match self.client.secrets().update(update_req).await {
-            Ok(_) => {
-                info!("INFISICAL_STORE: Successfully updated secret '{key}'.");
-                Ok(())
-            }
-            Err(e) => {
-                // If the update failed, check if it was because the secret doesn't exist.
-                match e {
-                    InfisicalError::HttpError { status, .. }
-                        if status == http::StatusCode::NOT_FOUND =>
-                    {
-                        // The secret was not found, so we create it instead.
-                        warn!(
-                            "INFISICAL_STORE: Secret '{key}' not found for update, attempting to create it."
-                        );
-                        let create_req = CreateSecretRequest::builder(
-                            key,
-                            &value_str,
-                            &self.project_id,
-                            &self.environment,
-                        )
-                        .build();
-
-                        // Handle potential errors during creation.
-                        self.client
-                            .secrets()
-                            .create(create_req)
-                            .await
-                            .map_err(|create_err| SecretStoreError::Store(Box::new(create_err)))?;
-
-                        info!("INFISICAL_STORE: Successfully created secret '{key}'.");
-                        Ok(())
-                    }
-                    // Any other error during update is a genuine failure.
-                    _ => Err(SecretStoreError::Store(Box::new(e))),
-                }
-            }
-        }
-    }
-}
--- a/harmony_secret/src/store/local_file.rs
+++ b/harmony_secret/src/store/local_file.rs
@@ -1,105 +0,0 @@
-use async_trait::async_trait;
-use log::info;
-use std::path::{Path, PathBuf};
-
-use crate::{SecretStore, SecretStoreError};
-
-#[derive(Debug, Default)]
-pub struct LocalFileSecretStore;
-
-impl LocalFileSecretStore {
-    /// Helper to consistently generate the secret file path.
-    fn get_file_path(base_dir: &Path, ns: &str, key: &str) -> PathBuf {
-        base_dir.join(format!("{ns}_{key}.json"))
-    }
-}
-
-#[async_trait]
-impl SecretStore for LocalFileSecretStore {
-    async fn get_raw(&self, ns: &str, key: &str) -> Result<Vec<u8>, SecretStoreError> {
-        let data_dir = directories::BaseDirs::new()
-            .expect("Could not find a valid home directory")
-            .data_dir()
-            .join("harmony")
-            .join("secrets");
-
-        let file_path = Self::get_file_path(&data_dir, ns, key);
-        info!(
-            "LOCAL_STORE: Getting key '{key}' from namespace '{ns}' at {}",
-            file_path.display()
-        );
-
-        tokio::fs::read(&file_path)
-            .await
-            .map_err(|_| SecretStoreError::NotFound {
-                namespace: ns.to_string(),
-                key: key.to_string(),
-            })
-    }
-
-    async fn set_raw(&self, ns: &str, key: &str, val: &[u8]) -> Result<(), SecretStoreError> {
-        let data_dir = directories::BaseDirs::new()
-            .expect("Could not find a valid home directory")
-            .data_dir()
-            .join("harmony")
-            .join("secrets");
-
-        let file_path = Self::get_file_path(&data_dir, ns, key);
-        info!(
-            "LOCAL_STORE: Setting key '{key}' in namespace '{ns}' at {}",
-            file_path.display()
-        );
-
-        if let Some(parent_dir) = file_path.parent() {
-            tokio::fs::create_dir_all(parent_dir)
-                .await
-                .map_err(|e| SecretStoreError::Store(Box::new(e)))?;
-        }
-
-        tokio::fs::write(&file_path, val)
-            .await
-            .map_err(|e| SecretStoreError::Store(Box::new(e)))
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use tempfile::tempdir;
-
-    #[tokio::test]
-    async fn test_set_and_get_raw_successfully() {
-        let dir = tempdir().unwrap();
-        let store = LocalFileSecretStore::default();
-        let ns = "test-ns";
-        let key = "test-key";
-        let value = b"{\"data\":\"test-value\"}";
-
-        // To test the store directly, we override the base directory logic.
-        // For this test, we'll manually construct the path within our temp dir.
-        let file_path = LocalFileSecretStore::get_file_path(dir.path(), ns, key);
-
-        // Manually write to the temp path to simulate the store's behavior
-        tokio::fs::create_dir_all(file_path.parent().unwrap())
-            .await
-            .unwrap();
-        tokio::fs::write(&file_path, value).await.unwrap();
-
-        // Now, test get_raw by reading from that same temp path (by mocking the path logic)
-        let retrieved_value = tokio::fs::read(&file_path).await.unwrap();
-        assert_eq!(retrieved_value, value);
-    }
-
-    #[tokio::test]
-    async fn test_get_raw_not_found() {
-        let dir = tempdir().unwrap();
-        let ns = "test-ns";
-        let key = "non-existent-key";
-
-        // We need to check if reading a non-existent file gives the correct error
-        let file_path = LocalFileSecretStore::get_file_path(dir.path(), ns, key);
-        let result = tokio::fs::read(&file_path).await;
-
-        assert!(matches!(result, Err(_)));
-    }
-}
--- a/harmony_secret/src/store/mod.rs
+++ b/harmony_secret/src/store/mod.rs
@@ -1,4 +0,0 @@
-mod infisical;
-mod local_file;
-pub use infisical::*;
-pub use local_file::*;
--- a/harmony_secret/test_harmony_secret_infisical.sh
+++ b/harmony_secret/test_harmony_secret_infisical.sh
@@ -1,8 +0,0 @@
-export HARMONY_SECRET_NAMESPACE=harmony_test_secrets
-export HARMONY_SECRET_INFISICAL_URL=http://localhost
-export HARMONY_SECRET_INFISICAL_PROJECT_ID=eb4723dc-eede-44d7-98cc-c8e0caf29ccb
-export HARMONY_SECRET_INFISICAL_ENVIRONMENT=dev
-export HARMONY_SECRET_INFISICAL_CLIENT_ID=dd16b07f-0e38-4090-a1d0-922de9f44d91
-export HARMONY_SECRET_INFISICAL_CLIENT_SECRET=bd2ae054e7759b11ca2e908494196337cc800bab138cb1f59e8d9b15ca3f286f
-
-cargo test
--- a/harmony_secret_derive/Cargo.toml
+++ b/harmony_secret_derive/Cargo.toml
@@ -1,13 +0,0 @@
-[package]
-name = "harmony-secret-derive"
-version = "0.1.0"
-edition = "2024"
-
-[lib]
-proc-macro = true
-
-[dependencies]
-quote = "1.0"
-proc-macro2 = "1.0"
-proc-macro-crate = "3.3"
-syn = "2.0"
--- a/harmony_secret_derive/src/lib.rs
+++ b/harmony_secret_derive/src/lib.rs
@@ -1,38 +0,0 @@
-use proc_macro::TokenStream;
-use proc_macro_crate::{FoundCrate, crate_name};
-use quote::quote;
-use syn::{DeriveInput, Ident, parse_macro_input};
-
-#[proc_macro_derive(Secret)]
-pub fn derive_secret(input: TokenStream) -> TokenStream {
-    let input = parse_macro_input!(input as DeriveInput);
-    let struct_ident = &input.ident;
-
-    // The key for the secret will be the stringified name of the struct itself.
-    // e.g., `struct OKDClusterSecret` becomes key `"OKDClusterSecret"`.
-    let key = struct_ident.to_string();
-
-    // Find the path to the `harmony_secret` crate.
-    let secret_crate_path = match crate_name("harmony-secret") {
-        Ok(FoundCrate::Itself) => quote!(crate),
-        Ok(FoundCrate::Name(name)) => {
-            let ident = Ident::new(&name, proc_macro2::Span::call_site());
-            quote!(::#ident)
-        }
-        Err(e) => {
-            return syn::Error::new(proc_macro2::Span::call_site(), e.to_string())
-                .to_compile_error()
-                .into();
-        }
-    };
-
-    // The generated code now implements `Secret` for the struct itself.
-    // The struct must also derive `Serialize` and `Deserialize` for this to be useful.
-    let expanded = quote! {
-        impl #secret_crate_path::Secret for #struct_ident {
-            const KEY: &'static str = #key;
-        }
-    };
-
-    TokenStream::from(expanded)
-}
--- a/harmony_tui/src/lib.rs
+++ b/harmony_tui/src/lib.rs
@@ -9,13 +9,7 @@ use widget::{help::HelpWidget, score::ScoreListWidget};
 use std::{panic, sync::Arc, time::Duration};

 use crossterm::event::{Event, EventStream, KeyCode, KeyEventKind};
-use harmony::{
-    instrumentation::{self, HarmonyEvent},
-    inventory::Inventory,
-    maestro::Maestro,
-    score::Score,
-    topology::Topology,
-};
+use harmony::{maestro::Maestro, score::Score, topology::Topology};
 use ratatui::{
    self, Frame,
    layout::{Constraint, Layout, Position},
@@ -45,62 +39,22 @@ pub mod tui {
 ///
 /// #[tokio::main]
 /// async fn main() {
-///     harmony_tui::run(
-///         Inventory::autoload(),
-///         HAClusterTopology::autoload(),
-///         vec![
-///             Box::new(SuccessScore {}),
-///             Box::new(ErrorScore {}),
-///             Box::new(PanicScore {}),
-///         ]
-///     ).await.unwrap();
+///     let inventory = Inventory::autoload();
+///     let topology = HAClusterTopology::autoload();
+///     let mut maestro = Maestro::new_without_initialization(inventory, topology);
+///
+///     maestro.register_all(vec![
+///         Box::new(SuccessScore {}),
+///         Box::new(ErrorScore {}),
+///         Box::new(PanicScore {}),
+///     ]);
+///     harmony_tui::init(maestro).await.unwrap();
 /// }
 /// ```
-pub async fn run<T: Topology + Send + Sync + 'static>(
-    inventory: Inventory,
-    topology: T,
-    scores: Vec<Box<dyn Score<T>>>,
-) -> Result<(), Box<dyn std::error::Error>> {
-    let handle = init_instrumentation().await;
-
-    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
-    maestro.register_all(scores);
-
-    let result = init(maestro).await;
-
-    let _ = tokio::try_join!(handle);
-    result
-}
-
-async fn init<T: Topology + Send + Sync + 'static>(
+pub async fn init<T: Topology + Send + Sync + 'static>(
    maestro: Maestro<T>,
 ) -> Result<(), Box<dyn std::error::Error>> {
-    let result = HarmonyTUI::new(maestro).init().await;
-
-    instrumentation::instrument(HarmonyEvent::HarmonyFinished).unwrap();
-    result
-}
-
-async fn init_instrumentation() -> tokio::task::JoinHandle<()> {
-    let handle = tokio::spawn(handle_harmony_events());
-
-    loop {
-        if instrumentation::instrument(HarmonyEvent::HarmonyStarted).is_ok() {
-            break;
-        }
-    }
-
-    handle
-}
-
-async fn handle_harmony_events() {
-    instrumentation::subscribe("Harmony TUI Logger", async |event| {
-        if let HarmonyEvent::HarmonyFinished = event {
-            return false;
-        };
-        true
-    })
-    .await;
+    HarmonyTUI::new(maestro).init().await
 }

 pub struct HarmonyTUI<T: Topology> {
--- a/iobench/Cargo.toml
+++ b/iobench/Cargo.toml
@@ -1,17 +0,0 @@
-[package]
-name = "iobench"
-edition = "2024"
-version = "1.0.0"
-license = "AGPL-3.0-or-later"
-description = "A small command line utility to run fio benchmarks on localhost or remote ssh or kubernetes host. Was born out of a need to benchmark various ceph configurations!"
-
-
-[dependencies]
-clap = { version = "4.0", features = ["derive"] }
-chrono = "0.4"
-serde = { version = "1.0", features = ["derive"] }
-serde_json = "1.0"
-csv = "1.1"
-num_cpus = "1.13"
-
-[workspace]
--- a/iobench/dash/README.md
+++ b/iobench/dash/README.md
@@ -1,10 +0,0 @@
-This project was generated mostly by Gemini but it works so... :)
-
-## To run iobench dashboard 
-
-```bash
-virtualenv venv
-source venv/bin/activate
-pip install -r requirements_freeze.txt
-python iobench-dash-v4.py 
-```
--- a/iobench/dash/iobench-dash.py
+++ b/iobench/dash/iobench-dash.py
@@ -1,229 +0,0 @@
-import dash
-from dash import dcc, html, Input, Output, State, clientside_callback, ClientsideFunction
-import plotly.express as px
-import pandas as pd
-import dash_bootstrap_components as dbc
-import io
-
-# --- Data Loading and Preparation ---
-# csv_data = """label,test_name,iops,bandwidth_kibps,latency_mean_ms,latency_stddev_ms
-# Ceph HDD Only,read-4k-sync-test,1474.302,5897,0.673,0.591
-# Ceph HDD Only,write-4k-sync-test,14.126,56,27.074,7.046
-# Ceph HDD Only,randread-4k-sync-test,225.140,900,4.436,6.918
-# Ceph HDD Only,randwrite-4k-sync-test,13.129,52,34.891,10.859
-# Ceph HDD Only,multiread-4k-sync-test,6873.675,27494,0.578,0.764
-# Ceph HDD Only,multiwrite-4k-sync-test,57.135,228,38.660,11.293
-# Ceph HDD Only,multirandread-4k-sync-test,2451.376,9805,1.626,2.515
-# Ceph HDD Only,multirandwrite-4k-sync-test,54.642,218,33.492,13.111
-# Ceph 2 Hosts WAL+DB SSD and 1 Host HDD,read-4k-sync-test,1495.700,5982,0.664,1.701
-# Ceph 2 Hosts WAL+DB SSD and 1 Host HDD,write-4k-sync-test,16.990,67,17.502,9.908
-# Ceph 2 Hosts WAL+DB SSD and 1 Host HDD,randread-4k-sync-test,159.256,637,6.274,9.232
-# Ceph 2 Hosts WAL+DB SSD and 1 Host HDD,randwrite-4k-sync-test,16.693,66,24.094,16.099
-# Ceph 2 Hosts WAL+DB SSD and 1 Host HDD,multiread-4k-sync-test,7305.559,29222,0.544,1.338
-# Ceph 2 Hosts WAL+DB SSD and 1 Host HDD,multiwrite-4k-sync-test,52.260,209,34.891,17.576
-# Ceph 2 Hosts WAL+DB SSD and 1 Host HDD,multirandread-4k-sync-test,700.606,2802,5.700,10.429
-# Ceph 2 Hosts WAL+DB SSD and 1 Host HDD,multirandwrite-4k-sync-test,52.723,210,29.709,25.829
-# Ceph 2 Hosts WAL+DB SSD Only,randwrite-4k-sync-test,90.037,360,3.617,8.321
-# Ceph WAL+DB SSD During Rebuild,randwrite-4k-sync-test,41.008,164,10.138,19.333
-# Ceph WAL+DB SSD OSD HDD,read-4k-sync-test,1520.299,6081,0.654,1.539
-# Ceph WAL+DB SSD OSD HDD,write-4k-sync-test,78.528,314,4.074,9.101
-# Ceph WAL+DB SSD OSD HDD,randread-4k-sync-test,153.303,613,6.518,9.036
-# Ceph WAL+DB SSD OSD HDD,randwrite-4k-sync-test,48.677,194,8.785,20.356
-# Ceph WAL+DB SSD OSD HDD,multiread-4k-sync-test,6804.880,27219,0.584,1.422
-# Ceph WAL+DB SSD OSD HDD,multiwrite-4k-sync-test,311.513,1246,4.978,9.458
-# Ceph WAL+DB SSD OSD HDD,multirandread-4k-sync-test,581.756,2327,6.869,10.204
-# Ceph WAL+DB SSD OSD HDD,multirandwrite-4k-sync-test,120.556,482,13.463,25.440
-# """
-#
-# df = pd.read_csv(io.StringIO(csv_data))
-df = pd.read_csv("iobench.csv")  # Replace with the actual file path
-df['bandwidth_mbps'] = df['bandwidth_kibps'] / 1024
-
-# --- App Initialization and Global Settings ---
-app = dash.Dash(__name__, external_stylesheets=[dbc.themes.FLATLY])
-
-# Create master lists of options for checklists
-unique_labels = sorted(df['label'].unique())
-unique_tests = sorted(df['test_name'].unique())
-
-# Create a consistent color map for each unique label
-color_map = {label: color for label, color in zip(unique_labels, px.colors.qualitative.Plotly)}
-
-# --- App Layout ---
-app.layout = dbc.Container([
-    # Header
-    dbc.Row(dbc.Col(html.H1("Ceph iobench Performance Dashboard", className="text-primary"),), className="my-4 text-center"),
-
-    # Controls and Graphs Row
-    dbc.Row([
-        # Control Panel Column
-        dbc.Col([
-            dbc.Card([
-                dbc.CardBody([
-                    html.H4("Control Panel", className="card-title"),
-                    html.Hr(),
-                    
-                    # Metric Selection
-                    dbc.Label("1. Select Metrics to Display:", html_for="metric-checklist", className="fw-bold"),
-                    dcc.Checklist(
-                        id='metric-checklist',
-                        options=[
-                            {'label': 'IOPS', 'value': 'iops'},
-                            {'label': 'Latency (ms)', 'value': 'latency_mean_ms'},
-                            {'label': 'Bandwidth (MB/s)', 'value': 'bandwidth_mbps'}
-                        ],
-                        value=['iops', 'latency_mean_ms', 'bandwidth_mbps'], # Default selection
-                        labelClassName="d-block"
-                    ),
-                    html.Hr(),
-
-                    # Configuration Selection
-                    dbc.Label("2. Select Configurations:", html_for="config-checklist", className="fw-bold"),
-                    dbc.ButtonGroup([
-                        dbc.Button("All", id="config-select-all", n_clicks=0, color="primary", outline=True, size="sm"),
-                        dbc.Button("None", id="config-select-none", n_clicks=0, color="primary", outline=True, size="sm"),
-                    ], className="mb-2"),
-                    dcc.Checklist(
-                        id='config-checklist',
-                        options=[{'label': label, 'value': label} for label in unique_labels],
-                        value=unique_labels, # Select all by default
-                        labelClassName="d-block"
-                    ),
-                    html.Hr(),
-                    
-                    # Test Name Selection
-                    dbc.Label("3. Select Tests:", html_for="test-checklist", className="fw-bold"),
-                    dbc.ButtonGroup([
-                        dbc.Button("All", id="test-select-all", n_clicks=0, color="primary", outline=True, size="sm"),
-                        dbc.Button("None", id="test-select-none", n_clicks=0, color="primary", outline=True, size="sm"),
-                    ], className="mb-2"),
-                    dcc.Checklist(
-                        id='test-checklist',
-                        options=[{'label': test, 'value': test} for test in unique_tests],
-                        value=unique_tests, # Select all by default
-                        labelClassName="d-block"
-                    ),
-                ])
-            ], className="mb-4")
-        ], width=12, lg=4),
-
-        # Graph Display Column
-        dbc.Col(id='graph-container', width=12, lg=8)
-    ])
-], fluid=True)
-
-
-# --- Callbacks ---
-
-# Callback to handle "Select All" / "Select None" for configurations
-@app.callback(
-    Output('config-checklist', 'value'),
-    Input('config-select-all', 'n_clicks'),
-    Input('config-select-none', 'n_clicks'),
-    prevent_initial_call=True
-)
-def select_all_none_configs(all_clicks, none_clicks):
-    ctx = dash.callback_context
-    if not ctx.triggered:
-        return dash.no_update
-    
-    button_id = ctx.triggered[0]['prop_id'].split('.')[0]
-    if button_id == 'config-select-all':
-        return unique_labels
-    elif button_id == 'config-select-none':
-        return []
-    return dash.no_update
-
-# Callback to handle "Select All" / "Select None" for tests
-@app.callback(
-    Output('test-checklist', 'value'),
-    Input('test-select-all', 'n_clicks'),
-    Input('test-select-none', 'n_clicks'),
-    prevent_initial_call=True
-)
-def select_all_none_tests(all_clicks, none_clicks):
-    ctx = dash.callback_context
-    if not ctx.triggered:
-        return dash.no_update
-    
-    button_id = ctx.triggered[0]['prop_id'].split('.')[0]
-    if button_id == 'test-select-all':
-        return unique_tests
-    elif button_id == 'test-select-none':
-        return []
-    return dash.no_update
-
-
-# Main callback to update graphs based on all selections
-@app.callback(
-    Output('graph-container', 'children'),
-    [Input('metric-checklist', 'value'),
-     Input('config-checklist', 'value'),
-     Input('test-checklist', 'value')]
-)
-def update_graphs(selected_metrics, selected_configs, selected_tests):
-    """
-    This function is triggered when any control's value changes.
-    It generates and returns a list of graphs based on all user selections.
-    """
-    # Handle cases where no selection is made to prevent errors and show a helpful message
-    if not all([selected_metrics, selected_configs, selected_tests]):
-        return dbc.Alert(
-            "Please select at least one item from each category (Metric, Configuration, and Test) to view data.",
-            color="info",
-            className="mt-4"
-        )
-
-    # Filter the DataFrame based on all selected criteria
-    filtered_df = df[df['label'].isin(selected_configs) & df['test_name'].isin(selected_tests)]
-    
-    # If the filtered data is empty after selection, inform the user
-    if filtered_df.empty:
-        return dbc.Alert("No data available for the current selection.", color="warning", className="mt-4")
-
-    graph_list = []
-    metric_titles = {
-        'iops': 'IOPS Comparison (Higher is Better)',
-        'latency_mean_ms': 'Mean Latency (ms) Comparison (Lower is Better)',
-        'bandwidth_mbps': 'Bandwidth (MB/s) Comparison (Higher is Better)'
-    }
-
-    for metric in selected_metrics:
-        sort_order = 'total ascending' if metric == 'latency_mean_ms' else 'total descending'
-        error_y_param = 'latency_stddev_ms' if metric == 'latency_mean_ms' else None
-
-        fig = px.bar(
-            filtered_df,
-            x='test_name',
-            y=metric,
-            color='label',
-            barmode='group',
-            color_discrete_map=color_map,
-            error_y=error_y_param,
-            title=metric_titles.get(metric, metric),
-            labels={
-                "test_name": "Benchmark Test Name",
-                "iops": "IOPS",
-                "latency_mean_ms": "Mean Latency (ms)",
-                "bandwidth_mbps": "Bandwidth (MB/s)",
-                "label": "Cluster Configuration"
-            }
-        )
-
-        fig.update_layout(
-            height=500,
-            xaxis_title=None,
-            legend_title="Configuration",
-            title_x=0.5,
-            xaxis={'categoryorder': sort_order},
-            xaxis_tickangle=-45,
-            margin=dict(b=120) # Add bottom margin to prevent tick labels from being cut off
-        )
-        
-        graph_list.append(dbc.Row(dbc.Col(dcc.Graph(figure=fig)), className="mb-4"))
-
-    return graph_list
-
-# --- Run the App ---
-if __name__ == '__main__':
-    app.run(debug=True)
--- a/iobench/dash/requirements_freeze.txt
+++ b/iobench/dash/requirements_freeze.txt
@@ -1,29 +0,0 @@
-blinker==1.9.0
-certifi==2025.7.14
-charset-normalizer==3.4.2
-click==8.2.1
-dash==3.2.0
-dash-bootstrap-components==2.0.3
-Flask==3.1.1
-idna==3.10
-importlib_metadata==8.7.0
-itsdangerous==2.2.0
-Jinja2==3.1.6
-MarkupSafe==3.0.2
-narwhals==2.0.1
-nest-asyncio==1.6.0
-numpy==2.3.2
-packaging==25.0
-pandas==2.3.1
-plotly==6.2.0
-python-dateutil==2.9.0.post0
-pytz==2025.2
-requests==2.32.4
-retrying==1.4.1
-setuptools==80.9.0
-six==1.17.0
-typing_extensions==4.14.1
-tzdata==2025.2
-urllib3==2.5.0
-Werkzeug==3.1.3
-zipp==3.23.0
--- a/iobench/deployment.yaml
+++ b/iobench/deployment.yaml
@@ -1,41 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: iobench
-  labels:
-    app: iobench
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: iobench
-  template:
-    metadata:
-      labels:
-        app: iobench
-    spec:
-      containers:
-      - name: fio
-        image: juicedata/fio:latest # Replace with your preferred fio image
-        imagePullPolicy: IfNotPresent
-        command: [ "sleep", "infinity" ] # Keeps the container running for kubectl exec
-        volumeMounts:
-        - name: iobench-pvc
-          mountPath: /data # Mount the PVC at /data
-      volumes:
-      - name: iobench-pvc
-        persistentVolumeClaim:
-          claimName: iobench-pvc # Matches your PVC name
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: iobench-pvc
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 5Gi
-  storageClassName: ceph-block
-
--- a/iobench/src/main.rs
+++ b/iobench/src/main.rs
@@ -1,253 +0,0 @@
-use std::fs;
-use std::io::{self, Write};
-use std::process::{Command, Stdio};
-use std::thread;
-use std::time::Duration;
-
-use chrono::Local;
-use clap::Parser;
-use serde::{Deserialize, Serialize};
-
-/// A simple yet powerful I/O benchmarking tool using fio.
-#[derive(Parser, Debug)]
-#[command(author, version, about, long_about = None)]
-struct Args {
-    /// Target for the benchmark.
-    /// Formats:
-    ///   - localhost (default)
-    ///   - ssh/{user}@{host}
-    ///   - ssh/{user}@{host}:{port}
-    ///   - k8s/{namespace}/{pod}
-    #[arg(short, long, default_value = "localhost")]
-    target: String,
-
-    #[arg(short, long, default_value = ".")]
-    benchmark_dir: String,
-
-    /// Comma-separated list of tests to run.
-    /// Available tests: read, write, randread, randwrite,
-    /// multiread, multiwrite, multirandread, multirandwrite.
-    #[arg(long, default_value = "read,write,randread,randwrite,multiread,multiwrite,multirandread,multirandwrite")]
-    tests: String,
-
-    /// Duration of each test in seconds.
-    #[arg(long, default_value_t = 15)]
-    duration: u64,
-
-    /// Output directory for results.
-    /// Defaults to ./iobench-{current_datetime}.
-    #[arg(long)]
-    output_dir: Option<String>,
-
-    /// The size of the test file for fio.
-    #[arg(long, default_value = "1G")]
-    size: String,
-
-    /// The block size for I/O operations.
-    #[arg(long, default_value = "4k")]
-    block_size: String,
-}
-
-#[derive(Debug, Serialize, Deserialize)]
-struct FioOutput {
-    jobs: Vec<FioJobResult>,
-}
-
-#[derive(Debug, Serialize, Deserialize)]
-struct FioJobResult {
-    jobname: String,
-    read: FioMetrics,
-    write: FioMetrics,
-}
-
-#[derive(Debug, Serialize, Deserialize)]
-struct FioMetrics {
-    bw: f64,
-    iops: f64,
-    clat_ns: LatencyMetrics,
-}
-
-#[derive(Debug, Serialize, Deserialize)]
-struct LatencyMetrics {
-    mean: f64,
-    stddev: f64,
-}
-
-#[derive(Debug, Serialize)]
-struct BenchmarkResult {
-    test_name: String,
-    iops: f64,
-    bandwidth_kibps: f64,
-    latency_mean_ms: f64,
-    latency_stddev_ms: f64,
-}
-
-fn main() -> io::Result<()> {
-    let args = Args::parse();
-
-    let output_dir = args.output_dir.unwrap_or_else(|| {
-        format!("./iobench-{}", Local::now().format("%Y-%m-%d-%H%M%S"))
-    });
-    fs::create_dir_all(&output_dir)?;
-
-    let tests_to_run: Vec<&str> = args.tests.split(',').collect();
-    let mut results = Vec::new();
-
-    for test in tests_to_run {
-        println!("--------------------------------------------------");
-        println!("Running test: {}", test);
-
-        let (rw, numjobs) = match test {
-            "read" => ("read", 1),
-            "write" => ("write", 1),
-            "randread" => ("randread", 1),
-            "randwrite" => ("randwrite", 1),
-            "multiread" => ("read", 4),
-            "multiwrite" => ("write", 4),
-            "multirandread" => ("randread", 4),
-            "multirandwrite" => ("randwrite", 4),
-            _ => {
-                eprintln!("Unknown test: {}. Skipping.", test);
-                continue;
-            }
-        };
-
-        let test_name = format!("{}-{}-sync-test", test, args.block_size);
-        let fio_command = format!(
-            "fio --filename={}/iobench_testfile --direct=1 --fsync=1 --rw={} --bs={} --numjobs={} --iodepth=1 --runtime={} --time_based --group_reporting --name={} --size={} --output-format=json",
-            args.benchmark_dir, rw, args.block_size, numjobs, args.duration, test_name, args.size
-        );
-
-        println!("Executing command:\n{}\n", fio_command);
-
-        let output = match run_command(&args.target, &fio_command) {
-            Ok(out) => out,
-            Err(e) => {
-                eprintln!("Failed to execute command for test {}: {}", test, e);
-                continue;
-            }
-        };
-
-
-        let result = parse_fio_output(&output, &test_name, rw);
-        // TODO store raw fio output and print it
-        match result {
-            Ok(res) => {
-                results.push(res);
-            }
-            Err(e) => {
-                eprintln!("Error parsing fio output for test {}: {}", test, e);
-                eprintln!("Raw output:\n{}", output);
-            }
-        }
-
-        println!("{output}");
-        println!("Test {} completed.", test);
-        // A brief pause to let the system settle before the next test.
-        thread::sleep(Duration::from_secs(2));
-    }
-    
-    // Cleanup the test file on the target
-    println!("--------------------------------------------------");
-    println!("Cleaning up test file on target...");
-    let cleanup_command = "rm -f ./iobench_testfile";
-    if let Err(e) = run_command(&args.target, cleanup_command) {
-        eprintln!("Warning: Failed to clean up test file on target: {}", e);
-    } else {
-        println!("Cleanup successful.");
-    }
-
-
-    if results.is_empty() {
-        println!("\nNo benchmark results to display.");
-        return Ok(());
-    }
-
-    // Output results to a CSV file for easy analysis
-    let csv_path = format!("{}/summary.csv", output_dir);
-    let mut wtr = csv::Writer::from_path(&csv_path)?;
-    for result in &results {
-        wtr.serialize(result)?;
-    }
-    wtr.flush()?;
-
-    println!("\nBenchmark summary saved to {}", csv_path);
-    println!("\n--- Benchmark Results Summary ---");
-    println!("{:<25} {:>10} {:>18} {:>20} {:>22}", "Test Name", "IOPS", "Bandwidth (KiB/s)", "Latency Mean (ms)", "Latency StdDev (ms)");
-    println!("{:-<98}", "");
-    for result in results {
-        println!("{:<25} {:>10.2} {:>18.2} {:>20.4} {:>22.4}", result.test_name, result.iops, result.bandwidth_kibps, result.latency_mean_ms, result.latency_stddev_ms);
-    }
-
-    Ok(())
-}
-
-fn run_command(target: &str, command: &str) -> io::Result<String> {
-    let (program, args) = if target == "localhost" {
-        ("sudo", vec!["sh".to_string(), "-c".to_string(), command.to_string()])
-    } else if target.starts_with("ssh/") {
-        let target_str = target.strip_prefix("ssh/").unwrap();
-        let ssh_target;
-        let mut ssh_args = vec!["-o".to_string(), "StrictHostKeyChecking=no".to_string()];
-        let port_parts: Vec<&str> = target_str.split(':').collect();
-        if port_parts.len() == 2 {
-            ssh_target = port_parts[0].to_string();
-            ssh_args.push("-p".to_string());
-            ssh_args.push(port_parts[1].to_string());
-        } else {
-            ssh_target = target_str.to_string();
-        }
-        ssh_args.push(ssh_target);
-        ssh_args.push(format!("sudo sh -c '{}'", command));
-        ("ssh", ssh_args)
-    } else if target.starts_with("k8s/") {
-        let parts: Vec<&str> = target.strip_prefix("k8s/").unwrap().split('/').collect();
-        if parts.len() != 2 {
-            return Err(io::Error::new(io::ErrorKind::InvalidInput, "Invalid k8s target format. Expected k8s/{namespace}/{pod}"));
-        }
-        let namespace = parts[0];
-        let pod = parts[1];
-        ("kubectl", vec!["exec".to_string(), "-n".to_string(), namespace.to_string(), pod.to_string(), "--".to_string(), "sh".to_string(), "-c".to_string(), command.to_string()])
-    } else {
-        return Err(io::Error::new(io::ErrorKind::InvalidInput, "Invalid target format"));
-    };
-
-    let mut cmd = Command::new(program);
-    cmd.args(&args);
-    cmd.stdout(Stdio::piped()).stderr(Stdio::piped());
-
-    let child = cmd.spawn()?;
-    let output = child.wait_with_output()?;
-
-    if !output.status.success() {
-        eprintln!("Command failed with status: {}", output.status);
-        io::stderr().write_all(&output.stderr)?;
-        return Err(io::Error::new(io::ErrorKind::Other, "Command execution failed"));
-    }
-
-    String::from_utf8(output.stdout)
-        .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))
-}
-
-fn parse_fio_output(output: &str, test_name: &str, rw: &str) -> Result<BenchmarkResult, String> {
-    let fio_data: FioOutput = serde_json::from_str(output)
-        .map_err(|e| format!("Failed to deserialize fio JSON: {}", e))?;
-
-    let job_result = fio_data.jobs.iter()
-        .find(|j| j.jobname == test_name)
-        .ok_or_else(|| format!("Could not find job result for '{}' in fio output", test_name))?;
-
-    let metrics = if rw.contains("read") {
-        &job_result.read
-    } else {
-        &job_result.write
-    };
-
-    Ok(BenchmarkResult {
-        test_name: test_name.to_string(),
-        iops: metrics.iops,
-        bandwidth_kibps: metrics.bw,
-        latency_mean_ms: metrics.clat_ns.mean / 1_000_000.0,
-        latency_stddev_ms: metrics.clat_ns.stddev / 1_000_000.0,
-    })
-}
--- a/opnsense-config-xml/Cargo.toml
+++ b/opnsense-config-xml/Cargo.toml
@@ -12,7 +12,7 @@ env_logger = { workspace = true }
 yaserde = { git = "https://github.com/jggc/yaserde.git" }
 yaserde_derive = { git = "https://github.com/jggc/yaserde.git" }
 xml-rs = "0.8"
-thiserror.workspace = true
+thiserror = "1.0"
 async-trait = { workspace = true }
 tokio = { workspace = true }
 uuid = { workspace = true }
--- a/opnsense-config-xml/src/data/caddy.rs
+++ b/opnsense-config-xml/src/data/caddy.rs
@@ -30,15 +30,15 @@ pub struct CaddyGeneral {
    #[yaserde(rename = "TlsDnsApiKey")]
    pub tls_dns_api_key: MaybeString,
    #[yaserde(rename = "TlsDnsSecretApiKey")]
-    pub tls_dns_secret_api_key: Option<MaybeString>,
+    pub tls_dns_secret_api_key: MaybeString,
    #[yaserde(rename = "TlsDnsOptionalField1")]
-    pub tls_dns_optional_field1: Option<MaybeString>,
+    pub tls_dns_optional_field1: MaybeString,
    #[yaserde(rename = "TlsDnsOptionalField2")]
-    pub tls_dns_optional_field2: Option<MaybeString>,
+    pub tls_dns_optional_field2: MaybeString,
    #[yaserde(rename = "TlsDnsOptionalField3")]
-    pub tls_dns_optional_field3: Option<MaybeString>,
+    pub tls_dns_optional_field3: MaybeString,
    #[yaserde(rename = "TlsDnsOptionalField4")]
-    pub tls_dns_optional_field4: Option<MaybeString>,
+    pub tls_dns_optional_field4: MaybeString,
    #[yaserde(rename = "TlsDnsPropagationTimeout")]
    pub tls_dns_propagation_timeout: Option<MaybeString>,
    #[yaserde(rename = "TlsDnsPropagationTimeoutPeriod")]
@@ -47,8 +47,6 @@ pub struct CaddyGeneral {
    pub tls_dns_propagation_delay: Option<MaybeString>,
    #[yaserde(rename = "TlsDnsPropagationResolvers")]
    pub tls_dns_propagation_resolvers: MaybeString,
-    #[yaserde(rename = "TlsDnsEchDomain")]
-    pub tls_dns_ech_domain: MaybeString,
    pub accesslist: MaybeString,
    #[yaserde(rename = "DisableSuperuser")]
    pub disable_superuser: Option<i32>,
@@ -58,10 +56,6 @@ pub struct CaddyGeneral {
    pub http_version: Option<MaybeString>,
    #[yaserde(rename = "HttpVersions")]
    pub http_versions: Option<MaybeString>,
-    pub timeout_read_body: Option<MaybeString>,
-    pub timeout_read_header: Option<MaybeString>,
-    pub timeout_write: Option<MaybeString>,
-    pub timeout_idle: Option<MaybeString>,
    #[yaserde(rename = "LogCredentials")]
    pub log_credentials: MaybeString,
    #[yaserde(rename = "LogAccessPlain")]
--- a/opnsense-config-xml/src/data/dnsmasq.rs
+++ b/opnsense-config-xml/src/data/dnsmasq.rs
@@ -1,113 +0,0 @@
-use yaserde::{MaybeString, RawXml};
-use yaserde_derive::{YaDeserialize, YaSerialize};
-
-// This is the top-level struct that represents the entire <dnsmasq> element.
-#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
-pub struct DnsMasq {
-    #[yaserde(attribute = true)]
-    pub version: String,
-    #[yaserde(attribute = true)]
-    pub persisted_at: Option<String>,
-
-    pub enable: u8,
-    pub regdhcp: u8,
-    pub regdhcpstatic: u8,
-    pub dhcpfirst: u8,
-    pub strict_order: u8,
-    pub domain_needed: u8,
-    pub no_private_reverse: u8,
-    pub no_resolv: Option<u8>,
-    pub log_queries: u8,
-    pub no_hosts: u8,
-    pub strictbind: u8,
-    pub dnssec: u8,
-    pub regdhcpdomain: MaybeString,
-    pub interface: Option<String>,
-    pub port: Option<u32>,
-    pub dns_forward_max: MaybeString,
-    pub cache_size: MaybeString,
-    pub local_ttl: MaybeString,
-    pub add_mac: Option<MaybeString>,
-    pub add_subnet: Option<u8>,
-    pub strip_subnet: Option<u8>,
-    pub no_ident: Option<u8>,
-    pub dhcp: Option<Dhcp>,
-    pub dhcp_ranges: Vec<DhcpRange>,
-    pub dhcp_options: Vec<DhcpOptions>,
-    pub dhcp_boot: Vec<DhcpBoot>,
-    pub dhcp_tags: Vec<RawXml>,
-}
-
-// Represents the <dhcp> element and its nested fields.
-#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
-#[yaserde(rename = "dhcp")]
-pub struct Dhcp {
-    pub no_interface: MaybeString,
-    pub fqdn: u8,
-    pub domain: MaybeString,
-    pub local: Option<MaybeString>,
-    pub lease_max: MaybeString,
-    pub authoritative: u8,
-    pub default_fw_rules: u8,
-    pub reply_delay: MaybeString,
-    pub enable_ra: u8,
-    pub nosync: u8,
-}
-
-// Represents a single <dhcp_ranges> element.
-#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
-#[yaserde(rename = "dhcp_ranges")]
-pub struct DhcpRange {
-    #[yaserde(attribute = true)]
-    pub uuid: String,
-    pub interface: String,
-    pub set_tag: MaybeString,
-    pub start_addr: String,
-    pub end_addr: String,
-    pub subnet_mask: MaybeString,
-    pub constructor: MaybeString,
-    pub mode: MaybeString,
-    pub prefix_len: MaybeString,
-    pub lease_time: MaybeString,
-    pub domain_type: String,
-    pub domain: MaybeString,
-    pub nosync: u8,
-    pub ra_mode: MaybeString,
-    pub ra_priority: MaybeString,
-    pub ra_mtu: MaybeString,
-    pub ra_interval: MaybeString,
-    pub ra_router_lifetime: MaybeString,
-    pub description: MaybeString,
-}
-
-// Represents a single <dhcp_boot> element.
-#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
-#[yaserde(rename = "dhcp_boot")]
-pub struct DhcpBoot {
-    #[yaserde(attribute = true)]
-    pub uuid: String,
-    pub interface: MaybeString,
-    pub tag: MaybeString,
-    pub filename: Option<String>,
-    pub servername: String,
-    pub address: String,
-    pub description: Option<String>,
-}
-
-// Represents a single <dhcp_options> element.
-#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
-#[yaserde(rename = "dhcp_options")]
-pub struct DhcpOptions {
-    #[yaserde(attribute = true)]
-    pub uuid: String,
-    #[yaserde(rename = "type")]
-    pub _type: String,
-    pub option: MaybeString,
-    pub option6: MaybeString,
-    pub interface: MaybeString,
-    pub tag: MaybeString,
-    pub set_tag: MaybeString,
-    pub value: String,
-    pub force: u8,
-    pub description: MaybeString,
-}
--- a/opnsense-config-xml/src/data/interfaces.rs
+++ b/opnsense-config-xml/src/data/interfaces.rs
@@ -8,12 +8,10 @@ pub struct Interface {
    #[yaserde(rename = "if")]
    pub physical_interface_name: String,
    pub descr: Option<MaybeString>,
-    pub mtu: Option<MaybeString>,
    pub enable: MaybeString,
    pub lock: Option<MaybeString>,
    #[yaserde(rename = "spoofmac")]
    pub spoof_mac: Option<MaybeString>,
-    pub mss: Option<MaybeString>,
    pub ipaddr: Option<MaybeString>,
    pub dhcphostname: Option<MaybeString>,
    #[yaserde(rename = "alias-address")]
--- a/opnsense-config-xml/src/data/mod.rs
+++ b/opnsense-config-xml/src/data/mod.rs
@@ -3,7 +3,6 @@ mod dhcpd;
 mod haproxy;
 mod interfaces;
 mod opnsense;
-pub mod dnsmasq;
 pub use caddy::*;
 pub use dhcpd::*;
 pub use haproxy::*;
--- a/opnsense-config-xml/src/data/opnsense.rs
+++ b/opnsense-config-xml/src/data/opnsense.rs
@@ -1,4 +1,3 @@
-use crate::dnsmasq::DnsMasq;
 use crate::HAProxy;
 use crate::{data::dhcpd::DhcpInterface, xml_utils::to_xml_str};
 use log::error;
@@ -23,7 +22,7 @@ pub struct OPNsense {
    pub load_balancer: Option<LoadBalancer>,
    pub rrd: Option<RawXml>,
    pub ntpd: Ntpd,
-    pub widgets: Option<Widgets>,
+    pub widgets: Widgets,
    pub revision: Revision,
    #[yaserde(rename = "OPNsense")]
    pub opnsense: OPNsenseXmlSection,
@@ -46,7 +45,7 @@ pub struct OPNsense {
    #[yaserde(rename = "Pischem")]
    pub pischem: Option<Pischem>,
    pub ifgroups: Ifgroups,
-    pub dnsmasq: Option<DnsMasq>,
+    pub dnsmasq: Option<RawXml>,
 }

 impl From<String> for OPNsense {
@@ -166,9 +165,9 @@ pub struct Sysctl {

 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct SysctlItem {
-    pub descr: Option<MaybeString>,
-    pub tunable: Option<String>,
-    pub value: Option<MaybeString>,
+    pub descr: MaybeString,
+    pub tunable: String,
+    pub value: MaybeString,
 }

 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -183,8 +182,8 @@ pub struct System {
    pub domain: String,
    pub group: Vec<Group>,
    pub user: Vec<User>,
-    pub nextuid: Option<u32>,
-    pub nextgid: Option<u32>,
+    pub nextuid: u32,
+    pub nextgid: u32,
    pub timezone: String,
    pub timeservers: String,
    pub webgui: WebGui,
@@ -243,7 +242,6 @@ pub struct Ssh {
    pub passwordauth: u8,
    pub keysig: MaybeString,
    pub permitrootlogin: u8,
-    pub rekeylimit: Option<MaybeString>,
 }

 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -273,7 +271,6 @@ pub struct Group {
    pub member: Vec<u32>,
    #[yaserde(rename = "priv")]
    pub priv_field: String,
-    pub source_networks: Option<MaybeString>,
 }

 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -1509,7 +1506,7 @@ pub struct Vlans {

 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Bridges {
-    pub bridged: Option<MaybeString>,
+    pub bridged: MaybeString,
 }

 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
--- a/opnsense-config/Cargo.toml
+++ b/opnsense-config/Cargo.toml
@@ -20,7 +20,6 @@ russh-sftp = "2.0.6"
 serde_json = "1.0.133"
 tokio-util = { version = "0.7.13", features = ["codec"] }
 tokio-stream = "0.1.17"
-uuid.workspace = true

 [dev-dependencies]
 pretty_assertions.workspace = true
--- a/opnsense-config/src/config/config.rs
+++ b/opnsense-config/src/config/config.rs
@@ -4,7 +4,8 @@ use crate::{
    config::{SshConfigManager, SshCredentials, SshOPNSenseShell},
    error::Error,
    modules::{
-        caddy::CaddyConfig, dhcp_legacy::DhcpConfigLegacyISC, dns::DnsConfig, dnsmasq::DhcpConfigDnsMasq, load_balancer::LoadBalancerConfig, tftp::TftpConfig
+        caddy::CaddyConfig, dhcp::DhcpConfig, dns::DnsConfig, load_balancer::LoadBalancerConfig,
+        tftp::TftpConfig,
    },
 };
 use log::{debug, info, trace, warn};
@@ -42,12 +43,8 @@ impl Config {
        })
    }

-    pub fn dhcp_legacy_isc(&mut self) -> DhcpConfigLegacyISC {
-        DhcpConfigLegacyISC::new(&mut self.opnsense, self.shell.clone())
-    }
-
-    pub fn dhcp(&mut self) -> DhcpConfigDnsMasq {
-        DhcpConfigDnsMasq::new(&mut self.opnsense, self.shell.clone())
+    pub fn dhcp(&mut self) -> DhcpConfig {
+        DhcpConfig::new(&mut self.opnsense, self.shell.clone())
    }

    pub fn dns(&mut self) -> DnsConfig {
@@ -70,10 +67,6 @@ impl Config {
        self.shell.upload_folder(source, destination).await
    }

-    pub async fn upload_file_content(&self, path: &str, content: &str) -> Result<String, Error> {
-        self.shell.write_content_to_file(content, path).await
-    }
-
    /// Checks in config file if system.firmware.plugins csv field contains the specified package
    /// name.
    ///
@@ -207,7 +200,7 @@ impl Config {
 #[cfg(test)]
 mod tests {
    use crate::config::{DummyOPNSenseShell, LocalFileConfigManager};
-    use crate::modules::dhcp_legacy::DhcpConfigLegacyISC;
+    use crate::modules::dhcp::DhcpConfig;
    use std::fs;
    use std::net::Ipv4Addr;

@@ -222,9 +215,6 @@ mod tests {
            "src/tests/data/config-vm-test.xml",
            "src/tests/data/config-structure.xml",
            "src/tests/data/config-full-1.xml",
-            "src/tests/data/config-full-ncd0.xml",
-            "src/tests/data/config-full-25.7.xml",
-            "src/tests/data/config-full-25.7-dummy-dnsmasq-options.xml",
        ] {
            let mut test_file_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
            test_file_path.push(path);
@@ -267,7 +257,7 @@ mod tests {

        println!("Config {:?}", config);

-        let mut dhcp_config = DhcpConfigLegacyISC::new(&mut config.opnsense, shell);
+        let mut dhcp_config = DhcpConfig::new(&mut config.opnsense, shell);
        dhcp_config
            .add_static_mapping(
                "00:00:00:00:00:00",
--- a/opnsense-config/src/config/shell/mod.rs
+++ b/opnsense-config/src/config/shell/mod.rs
@@ -9,7 +9,6 @@ use crate::Error;
 pub trait OPNsenseShell: std::fmt::Debug + Send + Sync {
    async fn exec(&self, command: &str) -> Result<String, Error>;
    async fn write_content_to_temp_file(&self, content: &str) -> Result<String, Error>;
-    async fn write_content_to_file(&self, content: &str, filename: &str) -> Result<String, Error>;
    async fn upload_folder(&self, source: &str, destination: &str) -> Result<String, Error>;
 }

@@ -26,14 +25,6 @@ impl OPNsenseShell for DummyOPNSenseShell {
    async fn write_content_to_temp_file(&self, _content: &str) -> Result<String, Error> {
        unimplemented!("This is a dummy implementation");
    }
-
-    async fn write_content_to_file(
-        &self,
-        _content: &str,
-        _filename: &str,
-    ) -> Result<String, Error> {
-        unimplemented!("This is a dummy implementation");
-    }
    async fn upload_folder(&self, _source: &str, _destination: &str) -> Result<String, Error> {
        unimplemented!("This is a dummy implementation");
    }
--- a/opnsense-config/src/config/shell/ssh.rs
+++ b/opnsense-config/src/config/shell/ssh.rs
@@ -1,6 +1,5 @@
 use std::{
    net::IpAddr,
-    path::Path,
    sync::Arc,
    time::{SystemTime, UNIX_EPOCH},
 };
@@ -45,10 +44,6 @@ impl OPNsenseShell for SshOPNSenseShell {
                .unwrap()
                .as_millis()
        );
-        self.write_content_to_file(content, &temp_filename).await
-    }
-
-    async fn write_content_to_file(&self, content: &str, filename: &str) -> Result<String, Error> {
        let channel = self.get_ssh_channel().await?;
        channel
            .request_subsystem(true, "sftp")
@@ -58,18 +53,10 @@ impl OPNsenseShell for SshOPNSenseShell {
            .await
            .expect("Should acquire sftp subsystem");

-        if let Some(parent) = Path::new(filename).parent() {
-            if let Some(parent_str) = parent.to_str() {
-                if !parent_str.is_empty() {
-                    self.ensure_remote_dir_exists(&sftp, parent_str).await?;
-                }
-            }
-        }
-
-        let mut file = sftp.create(filename).await.unwrap();
+        let mut file = sftp.create(&temp_filename).await.unwrap();
        file.write_all(content.as_bytes()).await?;

-        Ok(filename.to_string())
+        Ok(temp_filename)
    }

    async fn upload_folder(&self, source: &str, destination: &str) -> Result<String, Error> {
@@ -82,7 +69,10 @@ impl OPNsenseShell for SshOPNSenseShell {
            .await
            .expect("Should acquire sftp subsystem");

-        self.ensure_remote_dir_exists(&sftp, destination).await?;
+        if !sftp.try_exists(destination).await? {
+            info!("Creating remote directory {destination}");
+            sftp.create_dir(destination).await?;
+        }

        info!("Reading local directory {source}");
        let mut entries = read_dir(source).await?;
@@ -159,18 +149,6 @@ impl SshOPNSenseShell {
        wait_for_completion(&mut channel).await
    }

-    async fn ensure_remote_dir_exists(
-        &self,
-        sftp: &SftpSession,
-        path: &str,
-    ) -> Result<(), Error> {
-        if !sftp.try_exists(path).await? {
-            info!("Creating remote directory {path}");
-            sftp.create_dir(path).await?;
-        }
-        Ok(())
-    }
-
    pub fn new(host: (IpAddr, u16), credentials: SshCredentials, ssh_config: Arc<Config>) -> Self {
        info!("Initializing SshOPNSenseShell on host {host:?}");
        Self {
--- a/opnsense-config/src/modules/dhcp.rs
+++ b/opnsense-config/src/modules/dhcp.rs
@@ -1,3 +1,19 @@
+use log::info;
+use opnsense_config_xml::MaybeString;
+use opnsense_config_xml::StaticMap;
+use std::net::Ipv4Addr;
+use std::sync::Arc;
+
+use opnsense_config_xml::OPNsense;
+
+use crate::config::OPNsenseShell;
+use crate::Error;
+
+pub struct DhcpConfig<'a> {
+    opnsense: &'a mut OPNsense,
+    opnsense_shell: Arc<dyn OPNsenseShell>,
+}
+
 #[derive(Debug)]
 pub enum DhcpError {
    InvalidMacAddress(String),
@@ -5,7 +21,6 @@ pub enum DhcpError {
    IpAddressAlreadyMapped(String),
    MacAddressAlreadyMapped(String),
    IpAddressOutOfRange(String),
-    Configuration(String),
 }

 impl std::fmt::Display for DhcpError {
@@ -22,9 +37,158 @@ impl std::fmt::Display for DhcpError {
            DhcpError::IpAddressOutOfRange(ip) => {
                write!(f, "IP address {} is out of interface range", ip)
            }
-            DhcpError::Configuration(msg) => f.write_str(&msg),
        }
    }
 }

 impl std::error::Error for DhcpError {}
+
+impl<'a> DhcpConfig<'a> {
+    pub fn new(opnsense: &'a mut OPNsense, opnsense_shell: Arc<dyn OPNsenseShell>) -> Self {
+        Self {
+            opnsense,
+            opnsense_shell,
+        }
+    }
+
+    pub fn remove_static_mapping(&mut self, mac: &str) {
+        let lan_dhcpd = self.get_lan_dhcpd();
+        lan_dhcpd
+            .staticmaps
+            .retain(|static_entry| static_entry.mac != mac);
+    }
+
+    fn get_lan_dhcpd(&mut self) -> &mut opnsense_config_xml::DhcpInterface {
+        &mut self
+            .opnsense
+            .dhcpd
+            .elements
+            .iter_mut()
+            .find(|(name, _config)| name == "lan")
+            .expect("Interface lan should have dhcpd activated")
+            .1
+    }
+
+    pub fn add_static_mapping(
+        &mut self,
+        mac: &str,
+        ipaddr: Ipv4Addr,
+        hostname: &str,
+    ) -> Result<(), DhcpError> {
+        let mac = mac.to_string();
+        let hostname = hostname.to_string();
+        let lan_dhcpd = self.get_lan_dhcpd();
+        let existing_mappings: &mut Vec<StaticMap> = &mut lan_dhcpd.staticmaps;
+
+        if !Self::is_valid_mac(&mac) {
+            return Err(DhcpError::InvalidMacAddress(mac));
+        }
+
+        // TODO validate that address is in subnet range
+
+        if existing_mappings.iter().any(|m| {
+            m.ipaddr
+                .parse::<Ipv4Addr>()
+                .expect("Mapping contains invalid ipv4")
+                == ipaddr
+                && m.mac == mac
+        }) {
+            info!("Mapping already exists for {} [{}], skipping", ipaddr, mac);
+            return Ok(());
+        }
+
+        if existing_mappings.iter().any(|m| {
+            m.ipaddr
+                .parse::<Ipv4Addr>()
+                .expect("Mapping contains invalid ipv4")
+                == ipaddr
+        }) {
+            return Err(DhcpError::IpAddressAlreadyMapped(ipaddr.to_string()));
+        }
+
+        if existing_mappings.iter().any(|m| m.mac == mac) {
+            return Err(DhcpError::MacAddressAlreadyMapped(mac));
+        }
+
+        let static_map = StaticMap {
+            mac,
+            ipaddr: ipaddr.to_string(),
+            hostname,
+            descr: Default::default(),
+            winsserver: Default::default(),
+            dnsserver: Default::default(),
+            ntpserver: Default::default(),
+        };
+
+        existing_mappings.push(static_map);
+        Ok(())
+    }
+
+    fn is_valid_mac(mac: &str) -> bool {
+        let parts: Vec<&str> = mac.split(':').collect();
+        if parts.len() != 6 {
+            return false;
+        }
+
+        parts
+            .iter()
+            .all(|part| part.len() <= 2 && part.chars().all(|c| c.is_ascii_hexdigit()))
+    }
+
+    pub async fn get_static_mappings(&self) -> Result<Vec<StaticMap>, Error> {
+        let list_static_output = self
+            .opnsense_shell
+            .exec("configctl dhcpd list static")
+            .await?;
+
+        let value: serde_json::Value = serde_json::from_str(&list_static_output)
+            .unwrap_or_else(|_| panic!("Got invalid json from configctl {list_static_output}"));
+        let static_maps = value["dhcpd"]
+            .as_array()
+            .ok_or(Error::Command(format!(
+                "Invalid DHCP data from configctl command, got {list_static_output}"
+            )))?
+            .iter()
+            .map(|entry| StaticMap {
+                mac: entry["mac"].as_str().unwrap_or_default().to_string(),
+                ipaddr: entry["ipaddr"].as_str().unwrap_or_default().to_string(),
+                hostname: entry["hostname"].as_str().unwrap_or_default().to_string(),
+                descr: entry["descr"].as_str().map(MaybeString::from),
+                winsserver: MaybeString::default(),
+                dnsserver: MaybeString::default(),
+                ntpserver: MaybeString::default(),
+            })
+            .collect();
+
+        Ok(static_maps)
+    }
+    pub fn enable_netboot(&mut self) {
+        self.get_lan_dhcpd().netboot = Some(1);
+    }
+
+    pub fn set_next_server(&mut self, ip: Ipv4Addr) {
+        self.enable_netboot();
+        self.get_lan_dhcpd().nextserver = Some(ip.to_string());
+        self.get_lan_dhcpd().tftp = Some(ip.to_string());
+    }
+
+    pub fn set_boot_filename(&mut self, boot_filename: &str) {
+        self.enable_netboot();
+        self.get_lan_dhcpd().bootfilename = Some(boot_filename.to_string());
+    }
+
+    pub fn set_filename(&mut self, filename: &str) {
+        self.enable_netboot();
+        self.get_lan_dhcpd().filename = Some(filename.to_string());
+    }
+
+    pub fn set_filename64(&mut self, filename64: &str) {
+        self.enable_netboot();
+        self.get_lan_dhcpd().filename64 = Some(filename64.to_string());
+    }
+
+    pub fn set_filenameipxe(&mut self, filenameipxe: &str) {
+        self.enable_netboot();
+        self.get_lan_dhcpd().filenameipxe = Some(filenameipxe.to_string());
+    }
+}
--- a/opnsense-config/src/modules/dhcp_legacy.rs
+++ b/opnsense-config/src/modules/dhcp_legacy.rs
@@ -1,166 +0,0 @@
-use crate::modules::dhcp::DhcpError;
-use log::info;
-use opnsense_config_xml::MaybeString;
-use opnsense_config_xml::StaticMap;
-use std::net::Ipv4Addr;
-use std::sync::Arc;
-
-use opnsense_config_xml::OPNsense;
-
-use crate::config::OPNsenseShell;
-use crate::Error;
-
-pub struct DhcpConfigLegacyISC<'a> {
-    opnsense: &'a mut OPNsense,
-    opnsense_shell: Arc<dyn OPNsenseShell>,
-}
-
-impl<'a> DhcpConfigLegacyISC<'a> {
-    pub fn new(opnsense: &'a mut OPNsense, opnsense_shell: Arc<dyn OPNsenseShell>) -> Self {
-        Self {
-            opnsense,
-            opnsense_shell,
-        }
-    }
-
-    pub fn remove_static_mapping(&mut self, mac: &str) {
-        let lan_dhcpd = self.get_lan_dhcpd();
-        lan_dhcpd
-            .staticmaps
-            .retain(|static_entry| static_entry.mac != mac);
-    }
-
-    fn get_lan_dhcpd(&mut self) -> &mut opnsense_config_xml::DhcpInterface {
-        &mut self
-            .opnsense
-            .dhcpd
-            .elements
-            .iter_mut()
-            .find(|(name, _config)| name == "lan")
-            .expect("Interface lan should have dhcpd activated")
-            .1
-    }
-
-    pub fn add_static_mapping(
-        &mut self,
-        mac: &str,
-        ipaddr: Ipv4Addr,
-        hostname: &str,
-    ) -> Result<(), DhcpError> {
-        let mac = mac.to_string();
-        let hostname = hostname.to_string();
-        let lan_dhcpd = self.get_lan_dhcpd();
-        let existing_mappings: &mut Vec<StaticMap> = &mut lan_dhcpd.staticmaps;
-
-        if !Self::is_valid_mac(&mac) {
-            return Err(DhcpError::InvalidMacAddress(mac));
-        }
-
-        // TODO validate that address is in subnet range
-
-        if existing_mappings.iter().any(|m| {
-            m.ipaddr
-                .parse::<Ipv4Addr>()
-                .expect("Mapping contains invalid ipv4")
-                == ipaddr
-                && m.mac == mac
-        }) {
-            info!("Mapping already exists for {} [{}], skipping", ipaddr, mac);
-            return Ok(());
-        }
-
-        if existing_mappings.iter().any(|m| {
-            m.ipaddr
-                .parse::<Ipv4Addr>()
-                .expect("Mapping contains invalid ipv4")
-                == ipaddr
-        }) {
-            return Err(DhcpError::IpAddressAlreadyMapped(ipaddr.to_string()));
-        }
-
-        if existing_mappings.iter().any(|m| m.mac == mac) {
-            return Err(DhcpError::MacAddressAlreadyMapped(mac));
-        }
-
-        let static_map = StaticMap {
-            mac,
-            ipaddr: ipaddr.to_string(),
-            hostname,
-            descr: Default::default(),
-            winsserver: Default::default(),
-            dnsserver: Default::default(),
-            ntpserver: Default::default(),
-        };
-
-        existing_mappings.push(static_map);
-        Ok(())
-    }
-
-    fn is_valid_mac(mac: &str) -> bool {
-        let parts: Vec<&str> = mac.split(':').collect();
-        if parts.len() != 6 {
-            return false;
-        }
-
-        parts
-            .iter()
-            .all(|part| part.len() <= 2 && part.chars().all(|c| c.is_ascii_hexdigit()))
-    }
-
-    pub async fn get_static_mappings(&self) -> Result<Vec<StaticMap>, Error> {
-        let list_static_output = self
-            .opnsense_shell
-            .exec("configctl dhcpd list static")
-            .await?;
-
-        let value: serde_json::Value = serde_json::from_str(&list_static_output)
-            .unwrap_or_else(|_| panic!("Got invalid json from configctl {list_static_output}"));
-        let static_maps = value["dhcpd"]
-            .as_array()
-            .ok_or(Error::Command(format!(
-                "Invalid DHCP data from configctl command, got {list_static_output}"
-            )))?
-            .iter()
-            .map(|entry| StaticMap {
-                mac: entry["mac"].as_str().unwrap_or_default().to_string(),
-                ipaddr: entry["ipaddr"].as_str().unwrap_or_default().to_string(),
-                hostname: entry["hostname"].as_str().unwrap_or_default().to_string(),
-                descr: entry["descr"].as_str().map(MaybeString::from),
-                winsserver: MaybeString::default(),
-                dnsserver: MaybeString::default(),
-                ntpserver: MaybeString::default(),
-            })
-            .collect();
-
-        Ok(static_maps)
-    }
-    pub fn enable_netboot(&mut self) {
-        self.get_lan_dhcpd().netboot = Some(1);
-    }
-
-    pub fn set_next_server(&mut self, ip: Ipv4Addr) {
-        self.enable_netboot();
-        self.get_lan_dhcpd().nextserver = Some(ip.to_string());
-        self.get_lan_dhcpd().tftp = Some(ip.to_string());
-    }
-
-    pub fn set_boot_filename(&mut self, boot_filename: &str) {
-        self.enable_netboot();
-        self.get_lan_dhcpd().bootfilename = Some(boot_filename.to_string());
-    }
-
-    pub fn set_filename(&mut self, filename: &str) {
-        self.enable_netboot();
-        self.get_lan_dhcpd().filename = Some(filename.to_string());
-    }
-
-    pub fn set_filename64(&mut self, filename64: &str) {
-        self.enable_netboot();
-        self.get_lan_dhcpd().filename64 = Some(filename64.to_string());
-    }
-
-    pub fn set_filenameipxe(&mut self, filenameipxe: &str) {
-        self.enable_netboot();
-        self.get_lan_dhcpd().filenameipxe = Some(filenameipxe.to_string());
-    }
-}
--- a/opnsense-config/src/modules/dnsmasq.rs
+++ b/opnsense-config/src/modules/dnsmasq.rs
@@ -1,198 +0,0 @@
-// dnsmasq.rs
-use crate::modules::dhcp::DhcpError;
-use log::{debug, info};
-use opnsense_config_xml::dnsmasq::{DhcpBoot, DhcpOptions, DnsMasq};
-use opnsense_config_xml::{MaybeString, StaticMap};
-use std::net::Ipv4Addr;
-use std::sync::Arc;
-use uuid::Uuid;
-
-use opnsense_config_xml::OPNsense;
-
-use crate::config::OPNsenseShell;
-use crate::Error;
-
-pub struct DhcpConfigDnsMasq<'a> {
-    opnsense: &'a mut OPNsense,
-    opnsense_shell: Arc<dyn OPNsenseShell>,
-}
-
-const DNS_MASQ_PXE_CONFIG_FILE: &str = "/usr/local/etc/dnsmasq.conf.d/pxe.conf";
-
-impl<'a> DhcpConfigDnsMasq<'a> {
-    pub fn new(opnsense: &'a mut OPNsense, opnsense_shell: Arc<dyn OPNsenseShell>) -> Self {
-        Self {
-            opnsense,
-            opnsense_shell,
-        }
-    }
-
-    /// Removes a static mapping by its MAC address.
-    /// Static mappings are stored in the <dhcpd> section of the config, shared with the ISC module.
-    pub fn remove_static_mapping(&mut self, mac: &str) {
-        let lan_dhcpd = self.get_lan_dhcpd();
-        lan_dhcpd
-            .staticmaps
-            .retain(|static_entry| static_entry.mac != mac);
-    }
-
-    /// Retrieves a mutable reference to the LAN interface's DHCP configuration.
-    /// This is located in the shared <dhcpd> section of the config.
-    fn get_lan_dhcpd(&mut self) -> &mut opnsense_config_xml::DhcpInterface {
-        &mut self
-            .opnsense
-            .dhcpd
-            .elements
-            .iter_mut()
-            .find(|(name, _config)| name == "lan")
-            .expect("Interface lan should have dhcpd activated")
-            .1
-    }
-
-    fn dnsmasq(&mut self) -> &mut DnsMasq {
-        self.opnsense
-            .dnsmasq
-            .as_mut()
-            .expect("Dnsmasq config should exist. Maybe it is not installed yet")
-    }
-
-    /// Adds a new static DHCP mapping.
-    /// Validates the MAC address and checks for existing mappings to prevent conflicts.
-    pub fn add_static_mapping(
-        &mut self,
-        mac: &str,
-        ipaddr: Ipv4Addr,
-        hostname: &str,
-    ) -> Result<(), DhcpError> {
-        let mac = mac.to_string();
-        let hostname = hostname.to_string();
-        let lan_dhcpd = self.get_lan_dhcpd();
-        let existing_mappings: &mut Vec<StaticMap> = &mut lan_dhcpd.staticmaps;
-
-        if !Self::is_valid_mac(&mac) {
-            return Err(DhcpError::InvalidMacAddress(mac));
-        }
-
-        // TODO: Validate that the IP address is within a configured DHCP range.
-
-        if existing_mappings
-            .iter()
-            .any(|m| m.ipaddr == ipaddr.to_string() && m.mac == mac)
-        {
-            info!("Mapping already exists for {} [{}], skipping", ipaddr, mac);
-            return Ok(());
-        }
-
-        if existing_mappings
-            .iter()
-            .any(|m| m.ipaddr == ipaddr.to_string())
-        {
-            return Err(DhcpError::IpAddressAlreadyMapped(ipaddr.to_string()));
-        }
-
-        if existing_mappings.iter().any(|m| m.mac == mac) {
-            return Err(DhcpError::MacAddressAlreadyMapped(mac));
-        }
-
-        let static_map = StaticMap {
-            mac,
-            ipaddr: ipaddr.to_string(),
-            hostname: hostname,
-            ..Default::default()
-        };
-
-        existing_mappings.push(static_map);
-        Ok(())
-    }
-
-    /// Helper function to validate a MAC address format.
-    fn is_valid_mac(mac: &str) -> bool {
-        let parts: Vec<&str> = mac.split(':').collect();
-        if parts.len() != 6 {
-            return false;
-        }
-        parts
-            .iter()
-            .all(|part| part.len() <= 2 && part.chars().all(|c| c.is_ascii_hexdigit()))
-    }
-
-    /// Retrieves the list of current static mappings by shelling out to `configctl`.
-    /// This provides the real-time state from the running system.
-    pub async fn get_static_mappings(&self) -> Result<Vec<StaticMap>, Error> {
-        let list_static_output = self
-            .opnsense_shell
-            .exec("configctl dhcpd list static")
-            .await?;
-
-        let value: serde_json::Value = serde_json::from_str(&list_static_output)
-            .unwrap_or_else(|_| panic!("Got invalid json from configctl {list_static_output}"));
-        let static_maps = value["dhcpd"]
-            .as_array()
-            .ok_or(Error::Command(format!(
-                "Invalid DHCP data from configctl command, got {list_static_output}"
-            )))?
-            .iter()
-            .map(|entry| StaticMap {
-                mac: entry["mac"].as_str().unwrap_or_default().to_string(),
-                ipaddr: entry["ipaddr"].as_str().unwrap_or_default().to_string(),
-                hostname: entry["hostname"].as_str().unwrap_or_default().to_string(),
-                descr: entry["descr"].as_str().map(MaybeString::from),
-                ..Default::default()
-            })
-            .collect();
-
-        Ok(static_maps)
-    }
-
-    pub async fn set_pxe_options(
-        &self,
-        tftp_ip: Option<String>,
-        bios_filename: String,
-        efi_filename: String,
-        ipxe_filename: String,
-    ) -> Result<(), DhcpError> {
-        // As of writing this opnsense does not support negative tags, and the dnsmasq config is a
-        // bit complicated anyways. So we are writing directly a dnsmasq config file to
-        // /usr/local/etc/dnsmasq.conf.d
-        let tftp_str = tftp_ip.map_or(String::new(), |i| format!(",{i},{i}"));
-
-        let config = format!(
-            "
-# Add tag ipxe to dhcp requests with user class (77) = iPXE
-dhcp-match=set:ipxe,77,iPXE
-# Add tag bios to dhcp requests with arch (93) = 0
-dhcp-match=set:bios,93,0
-# Add tag efi to dhcp requests with arch (93) = 7
-dhcp-match=set:efi,93,7
-
-# Provide ipxe efi file to uefi but NOT ipxe clients
-dhcp-boot=tag:efi,tag:!ipxe,{efi_filename}{tftp_str}
-
-# Provide ipxe boot script to ipxe clients
-dhcp-boot=tag:ipxe,{ipxe_filename}{tftp_str}
-
-# Provide undionly to legacy bios clients
-dhcp-boot=tag:bios,{bios_filename}{tftp_str}
-"
-        );
-        info!("Writing configuration file to {DNS_MASQ_PXE_CONFIG_FILE}");
-        debug!("Content:\n{config}");
-        self.opnsense_shell
-            .write_content_to_file(&config, DNS_MASQ_PXE_CONFIG_FILE)
-            .await
-            .map_err(|e| {
-                DhcpError::Configuration(format!(
-                    "Could not configure pxe for dhcp because of : {e}"
-                ))
-            })?;
-
-        info!("Restarting dnsmasq to apply changes");
-        self.opnsense_shell.exec("configctl dnsmasq restart").await
-            .map_err(|e| {
-                DhcpError::Configuration(format!(
-                    "Restarting dnsmasq failed : {e}"
-                ))
-            })?;
-        Ok(())
-    }
-}
--- a/opnsense-config/src/modules/mod.rs
+++ b/opnsense-config/src/modules/mod.rs
@@ -1,7 +1,5 @@
 pub mod caddy;
-pub mod dhcp_legacy;
+pub mod dhcp;
 pub mod dns;
 pub mod load_balancer;
 pub mod tftp;
-pub mod dhcp;
-pub mod dnsmasq;
--- a/opnsense-config/src/tests/data/config-full-25.7-dnsmasq-options.xml
+++ b/opnsense-config/src/tests/data/config-full-25.7-dnsmasq-options.xml
@@ -1,896 +0,0 @@
-<?xml version="1.0"?>
-<opnsense>
-  <theme>opnsense</theme>
-  <sysctl>
-    <item/>
-  </sysctl>
-  <system>
-    <serialspeed>115200</serialspeed>
-    <primaryconsole>serial</primaryconsole>
-    <optimization>normal</optimization>
-    <hostname>OPNsense</hostname>
-    <domain>testpxe.harmony.mcd</domain>
-    <group>
-      <name>admins</name>
-      <description>System Administrators</description>
-      <scope>system</scope>
-      <gid>1999</gid>
-      <member>0</member>
-      <priv>page-all</priv>
-      <source_networks/>
-    </group>
-    <user>
-      <name>root</name>
-      <descr>System Administrator</descr>
-      <scope>system</scope>
-      <password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
-      <pwd_changed_at/>
-      <uid>0</uid>
-      <disabled>0</disabled>
-      <landing_page/>
-      <comment/>
-      <email/>
-      <apikeys/>
-      <priv/>
-      <language/>
-      <expires/>
-      <authorizedkeys/>
-      <dashboard/>
-      <otp_seed/>
-      <shell/>
-    </user>
-    <timezone>Etc/UTC</timezone>
-    <timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
-    <webgui>
-      <protocol>https</protocol>
-      <ssl-certref>68a72b6f7f776</ssl-certref>
-      <port/>
-      <ssl-ciphers/>
-      <interfaces/>
-      <compression/>
-    </webgui>
-    <usevirtualterminal>1</usevirtualterminal>
-    <disablenatreflection>yes</disablenatreflection>
-    <disableconsolemenu>1</disableconsolemenu>
-    <disablevlanhwfilter>1</disablevlanhwfilter>
-    <disablechecksumoffloading>1</disablechecksumoffloading>
-    <disablesegmentationoffloading>1</disablesegmentationoffloading>
-    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
-    <ipv6allow>1</ipv6allow>
-    <powerd_ac_mode>hadp</powerd_ac_mode>
-    <powerd_battery_mode>hadp</powerd_battery_mode>
-    <powerd_normal_mode>hadp</powerd_normal_mode>
-    <bogons>
-      <interval>monthly</interval>
-    </bogons>
-    <pf_share_forward>1</pf_share_forward>
-    <lb_use_sticky>1</lb_use_sticky>
-    <ssh>
-      <group>admins</group>
-      <noauto>1</noauto>
-      <interfaces/>
-      <kex/>
-      <ciphers/>
-      <macs/>
-      <keys/>
-      <enabled>enabled</enabled>
-      <passwordauth>1</passwordauth>
-      <keysig/>
-      <permitrootlogin>1</permitrootlogin>
-      <rekeylimit/>
-    </ssh>
-    <rrdbackup>-1</rrdbackup>
-    <netflowbackup>-1</netflowbackup>
-    <firmware version="1.0.1">
-      <mirror/>
-      <flavour/>
-      <plugins>os-tftp</plugins>
-      <type/>
-      <subscription/>
-      <reboot>0</reboot>
-    </firmware>
-    <language>en_US</language>
-    <dnsserver/>
-    <dnsallowoverride>1</dnsallowoverride>
-    <dnsallowoverride_exclude/>
-  </system>
-  <interfaces>
-    <wan>
-      <if>vtnet0</if>
-      <mtu/>
-      <enable>1</enable>
-      <spoofmac/>
-      <mss/>
-      <ipaddr>dhcp</ipaddr>
-      <dhcphostname/>
-      <blockpriv>0</blockpriv>
-      <blockbogons>1</blockbogons>
-      <subnet/>
-      <ipaddrv6>dhcp6</ipaddrv6>
-      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
-      <gateway/>
-      <media/>
-      <mediaopt/>
-    </wan>
-    <lan>
-      <if>vtnet1</if>
-      <enable>1</enable>
-      <ipaddr>192.168.1.1</ipaddr>
-      <subnet>24</subnet>
-      <ipaddrv6>track6</ipaddrv6>
-      <subnetv6>64</subnetv6>
-      <media/>
-      <mediaopt/>
-      <track6-interface>wan</track6-interface>
-      <track6-prefix-id>0</track6-prefix-id>
-    </lan>
-    <lo0>
-      <internal_dynamic>1</internal_dynamic>
-      <if>lo0</if>
-      <descr>Loopback</descr>
-      <enable>1</enable>
-      <ipaddr>127.0.0.1</ipaddr>
-      <type>none</type>
-      <virtual>1</virtual>
-      <subnet>8</subnet>
-      <ipaddrv6>::1</ipaddrv6>
-      <subnetv6>128</subnetv6>
-    </lo0>
-  </interfaces>
-  <dhcpd/>
-  <snmpd>
-    <syslocation/>
-    <syscontact/>
-    <rocommunity>public</rocommunity>
-  </snmpd>
-  <syslog/>
-  <nat>
-    <outbound>
-      <mode>automatic</mode>
-    </outbound>
-  </nat>
-  <filter>
-    <rule>
-      <type>pass</type>
-      <interface>lan</interface>
-      <ipprotocol>inet</ipprotocol>
-      <descr>Default allow LAN to any rule</descr>
-      <source>
-        <network>lan</network>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </rule>
-    <rule>
-      <type>pass</type>
-      <interface>lan</interface>
-      <ipprotocol>inet6</ipprotocol>
-      <descr>Default allow LAN IPv6 to any rule</descr>
-      <source>
-        <network>lan</network>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </rule>
-  </filter>
-  <rrd>
-    <enable/>
-  </rrd>
-  <ntpd>
-    <prefer>0.opnsense.pool.ntp.org</prefer>
-  </ntpd>
-  <revision>
-    <username>root@192.168.1.5</username>
-    <description>/api/dnsmasq/settings/set made changes</description>
-    <time>1755800176.40</time>
-  </revision>
-  <OPNsense>
-    <captiveportal version="1.0.4">
-      <zones/>
-      <templates/>
-    </captiveportal>
-    <cron version="1.0.4">
-      <jobs/>
-    </cron>
-    <Netflow version="1.0.1">
-      <capture>
-        <interfaces/>
-        <egress_only/>
-        <version>v9</version>
-        <targets/>
-      </capture>
-      <collect>
-        <enable>0</enable>
-      </collect>
-      <activeTimeout>1800</activeTimeout>
-      <inactiveTimeout>15</inactiveTimeout>
-    </Netflow>
-    <Firewall>
-      <Lvtemplate version="0.0.1">
-        <templates/>
-      </Lvtemplate>
-      <Category version="1.0.0">
-        <categories/>
-      </Category>
-      <Filter version="1.0.4">
-        <rules/>
-        <snatrules/>
-        <npt/>
-        <onetoone/>
-      </Filter>
-      <Alias version="1.0.1">
-        <geoip>
-          <url/>
-        </geoip>
-        <aliases/>
-      </Alias>
-    </Firewall>
-    <IDS version="1.1.0">
-      <rules/>
-      <policies/>
-      <userDefinedRules/>
-      <files/>
-      <fileTags/>
-      <general>
-        <enabled>0</enabled>
-        <ips>0</ips>
-        <promisc>0</promisc>
-        <interfaces>wan</interfaces>
-        <homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet>
-        <defaultPacketSize/>
-        <UpdateCron/>
-        <AlertLogrotate>W0D23</AlertLogrotate>
-        <AlertSaveLogs>4</AlertSaveLogs>
-        <MPMAlgo/>
-        <detect>
-          <Profile/>
-          <toclient_groups/>
-          <toserver_groups/>
-        </detect>
-        <syslog>0</syslog>
-        <syslog_eve>0</syslog_eve>
-        <LogPayload>0</LogPayload>
-        <verbosity/>
-        <eveLog>
-          <http>
-            <enable>0</enable>
-            <extended>0</extended>
-            <dumpAllHeaders/>
-          </http>
-          <tls>
-            <enable>0</enable>
-            <extended>0</extended>
-            <sessionResumption>0</sessionResumption>
-            <custom/>
-          </tls>
-        </eveLog>
-      </general>
-    </IDS>
-    <IPsec version="1.0.4">
-      <general>
-        <enabled/>
-        <preferred_oldsa>0</preferred_oldsa>
-        <disablevpnrules>0</disablevpnrules>
-        <passthrough_networks/>
-        <user_source/>
-        <local_group/>
-      </general>
-      <keyPairs/>
-      <preSharedKeys/>
-      <charon>
-        <max_ikev1_exchanges/>
-        <threads>16</threads>
-        <ikesa_table_size>32</ikesa_table_size>
-        <ikesa_table_segments>4</ikesa_table_segments>
-        <init_limit_half_open>1000</init_limit_half_open>
-        <ignore_acquire_ts>1</ignore_acquire_ts>
-        <install_routes>0</install_routes>
-        <cisco_unity>0</cisco_unity>
-        <make_before_break>0</make_before_break>
-        <retransmit_tries/>
-        <retransmit_timeout/>
-        <retransmit_base/>
-        <retransmit_jitter/>
-        <retransmit_limit/>
-        <syslog>
-          <daemon>
-            <ike_name>1</ike_name>
-            <log_level>0</log_level>
-            <app>1</app>
-            <asn>1</asn>
-            <cfg>1</cfg>
-            <chd>1</chd>
-            <dmn>1</dmn>
-            <enc>1</enc>
-            <esp>1</esp>
-            <ike>1</ike>
-            <imc>1</imc>
-            <imv>1</imv>
-            <job>1</job>
-            <knl>1</knl>
-            <lib>1</lib>
-            <mgr>1</mgr>
-            <net>1</net>
-            <pts>1</pts>
-            <tls>1</tls>
-            <tnc>1</tnc>
-          </daemon>
-        </syslog>
-        <plugins>
-          <attr>
-            <subnet/>
-            <split-include/>
-            <x_28674/>
-            <x_28675/>
-            <x_28672/>
-            <x_28673>0</x_28673>
-            <x_28679/>
-            <dns/>
-            <nbns/>
-          </attr>
-          <eap-radius>
-            <servers/>
-            <accounting>0</accounting>
-            <class_group>0</class_group>
-          </eap-radius>
-          <xauth-pam>
-            <pam_service>ipsec</pam_service>
-            <session>0</session>
-            <trim_email>1</trim_email>
-          </xauth-pam>
-        </plugins>
-      </charon>
-    </IPsec>
-    <Interfaces>
-      <vxlans version="1.0.2"/>
-      <loopbacks version="1.0.0"/>
-      <neighbors version="1.0.0"/>
-    </Interfaces>
-    <Kea>
-      <dhcp4 version="1.0.4" persisted_at="1755786069.95">
-        <general>
-          <enabled>0</enabled>
-          <manual_config>0</manual_config>
-          <interfaces/>
-          <valid_lifetime>4000</valid_lifetime>
-          <fwrules>1</fwrules>
-          <dhcp_socket_type>raw</dhcp_socket_type>
-        </general>
-        <ha>
-          <enabled>0</enabled>
-          <this_server_name/>
-          <max_unacked_clients>2</max_unacked_clients>
-        </ha>
-        <subnets/>
-        <reservations/>
-        <ha_peers/>
-      </dhcp4>
-      <ctrl_agent version="0.0.1" persisted_at="1755786069.95">
-        <general>
-          <enabled>0</enabled>
-          <http_host>127.0.0.1</http_host>
-          <http_port>8000</http_port>
-        </general>
-      </ctrl_agent>
-      <dhcp6 version="1.0.0" persisted_at="1755786069.95">
-        <general>
-          <enabled>0</enabled>
-          <manual_config>0</manual_config>
-          <interfaces/>
-          <valid_lifetime>4000</valid_lifetime>
-          <fwrules>1</fwrules>
-        </general>
-        <ha>
-          <enabled>0</enabled>
-          <this_server_name/>
-          <max_unacked_clients>2</max_unacked_clients>
-        </ha>
-        <subnets/>
-        <reservations/>
-        <pd_pools/>
-        <ha_peers/>
-      </dhcp6>
-    </Kea>
-    <monit version="1.0.13">
-      <general>
-        <enabled>0</enabled>
-        <interval>120</interval>
-        <startdelay>120</startdelay>
-        <mailserver>127.0.0.1</mailserver>
-        <port>25</port>
-        <username/>
-        <password/>
-        <ssl>0</ssl>
-        <sslversion>auto</sslversion>
-        <sslverify>1</sslverify>
-        <logfile/>
-        <statefile/>
-        <eventqueuePath/>
-        <eventqueueSlots/>
-        <httpdEnabled>0</httpdEnabled>
-        <httpdUsername>root</httpdUsername>
-        <httpdPassword/>
-        <httpdPort>2812</httpdPort>
-        <httpdAllow/>
-        <mmonitUrl/>
-        <mmonitTimeout>5</mmonitTimeout>
-        <mmonitRegisterCredentials>1</mmonitRegisterCredentials>
-      </general>
-      <alert uuid="ce8ca7d9-66ab-41d5-acea-598f4803e8ba">
-        <enabled>0</enabled>
-        <recipient>root@localhost.local</recipient>
-        <noton>0</noton>
-        <events/>
-        <format/>
-        <reminder/>
-        <description/>
-      </alert>
-      <service uuid="dc3b9298-4a56-4c45-bd61-be2fdb103383">
-        <enabled>1</enabled>
-        <name>$HOST</name>
-        <description/>
-        <type>system</type>
-        <pidfile/>
-        <match/>
-        <path/>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>cfed35dc-f74b-417d-9ed9-682c5de96495,f961277a-07f1-49a4-90ee-bb15738d9ebb,30b2cce2-f650-4e44-a3e2-ee53886cda3f,3c86136f-35a4-4126-865b-82732c6542d9</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <service uuid="b4d5bdb4-206d-4afe-8d86-377ffbbdb2ec">
-        <enabled>1</enabled>
-        <name>RootFs</name>
-        <description/>
-        <type>filesystem</type>
-        <pidfile/>
-        <match/>
-        <path>/</path>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>fbb8dfe2-b9ad-4730-a0f3-41d7ecda6289</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <service uuid="f96e3cbb-6c98-4d20-8337-bab717d4ab54">
-        <enabled>0</enabled>
-        <name>carp_status_change</name>
-        <description/>
-        <type>custom</type>
-        <pidfile/>
-        <match/>
-        <path>/usr/local/opnsense/scripts/OPNsense/Monit/carp_status</path>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>11ceca8a-dff8-45e0-9dc5-ed80dc4b3947</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <service uuid="69bbd4d5-3a50-42a7-ab64-050450504038">
-        <enabled>0</enabled>
-        <name>gateway_alert</name>
-        <description/>
-        <type>custom</type>
-        <pidfile/>
-        <match/>
-        <path>/usr/local/opnsense/scripts/OPNsense/Monit/gateway_alert</path>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>fad1f465-4a92-4b93-be66-59d7059b8779</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <test uuid="2bd5d8c0-6a4a-430b-b953-34214a107ccf">
-        <name>Ping</name>
-        <type>NetworkPing</type>
-        <condition>failed ping</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="0f06ffff-9bfa-463d-b75e-f7195cd8dcab">
-        <name>NetworkLink</name>
-        <type>NetworkInterface</type>
-        <condition>failed link</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="79b119ce-10e0-4a6a-bd1a-b0be371d0fd7">
-        <name>NetworkSaturation</name>
-        <type>NetworkInterface</type>
-        <condition>saturation is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="cfed35dc-f74b-417d-9ed9-682c5de96495">
-        <name>MemoryUsage</name>
-        <type>SystemResource</type>
-        <condition>memory usage is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="f961277a-07f1-49a4-90ee-bb15738d9ebb">
-        <name>CPUUsage</name>
-        <type>SystemResource</type>
-        <condition>cpu usage is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="30b2cce2-f650-4e44-a3e2-ee53886cda3f">
-        <name>LoadAvg1</name>
-        <type>SystemResource</type>
-        <condition>loadavg (1min) is greater than 4</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="3c86136f-35a4-4126-865b-82732c6542d9">
-        <name>LoadAvg5</name>
-        <type>SystemResource</type>
-        <condition>loadavg (5min) is greater than 3</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="27e91c6f-3e8e-4570-bb3a-27f46dd301a7">
-        <name>LoadAvg15</name>
-        <type>SystemResource</type>
-        <condition>loadavg (15min) is greater than 2</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="fbb8dfe2-b9ad-4730-a0f3-41d7ecda6289">
-        <name>SpaceUsage</name>
-        <type>SpaceUsage</type>
-        <condition>space usage is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="11ceca8a-dff8-45e0-9dc5-ed80dc4b3947">
-        <name>ChangedStatus</name>
-        <type>ProgramStatus</type>
-        <condition>changed status</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="fad1f465-4a92-4b93-be66-59d7059b8779">
-        <name>NonZeroStatus</name>
-        <type>ProgramStatus</type>
-        <condition>status != 0</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-    </monit>
-    <OpenVPNExport version="0.0.1">
-      <servers/>
-    </OpenVPNExport>
-    <Syslog version="1.0.2">
-      <general>
-        <enabled>1</enabled>
-        <loglocal>1</loglocal>
-        <maxpreserve>31</maxpreserve>
-        <maxfilesize/>
-      </general>
-      <destinations/>
-    </Syslog>
-    <TrafficShaper version="1.0.3" persisted_at="1755786069.77">
-      <pipes/>
-      <queues/>
-      <rules/>
-    </TrafficShaper>
-    <unboundplus version="1.0.12">
-      <general>
-        <enabled>1</enabled>
-        <port>53</port>
-        <stats>0</stats>
-        <active_interface/>
-        <dnssec>0</dnssec>
-        <dns64>0</dns64>
-        <dns64prefix/>
-        <noarecords>0</noarecords>
-        <regdhcp>0</regdhcp>
-        <regdhcpdomain/>
-        <regdhcpstatic>0</regdhcpstatic>
-        <noreglladdr6>0</noreglladdr6>
-        <noregrecords>0</noregrecords>
-        <txtsupport>0</txtsupport>
-        <cacheflush>0</cacheflush>
-        <local_zone_type>transparent</local_zone_type>
-        <outgoing_interface/>
-        <enable_wpad>0</enable_wpad>
-      </general>
-      <advanced>
-        <hideidentity>0</hideidentity>
-        <hideversion>0</hideversion>
-        <prefetch>0</prefetch>
-        <prefetchkey>0</prefetchkey>
-        <dnssecstripped>0</dnssecstripped>
-        <aggressivensec>1</aggressivensec>
-        <serveexpired>0</serveexpired>
-        <serveexpiredreplyttl/>
-        <serveexpiredttl/>
-        <serveexpiredttlreset>0</serveexpiredttlreset>
-        <serveexpiredclienttimeout/>
-        <qnameminstrict>0</qnameminstrict>
-        <extendedstatistics>0</extendedstatistics>
-        <logqueries>0</logqueries>
-        <logreplies>0</logreplies>
-        <logtagqueryreply>0</logtagqueryreply>
-        <logservfail>0</logservfail>
-        <loglocalactions>0</loglocalactions>
-        <logverbosity>1</logverbosity>
-        <valloglevel>0</valloglevel>
-        <privatedomain/>
-        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
-        <insecuredomain/>
-        <msgcachesize/>
-        <rrsetcachesize/>
-        <outgoingnumtcp/>
-        <incomingnumtcp/>
-        <numqueriesperthread/>
-        <outgoingrange/>
-        <jostletimeout/>
-        <discardtimeout/>
-        <cachemaxttl/>
-        <cachemaxnegativettl/>
-        <cacheminttl/>
-        <infrahostttl/>
-        <infrakeepprobing>0</infrakeepprobing>
-        <infracachenumhosts/>
-        <unwantedreplythreshold/>
-      </advanced>
-      <acls>
-        <default_action>allow</default_action>
-      </acls>
-      <dnsbl>
-        <enabled>0</enabled>
-        <safesearch>0</safesearch>
-        <type/>
-        <lists/>
-        <whitelists/>
-        <blocklists/>
-        <wildcards/>
-        <address/>
-        <nxdomain>0</nxdomain>
-      </dnsbl>
-      <forwarding>
-        <enabled>0</enabled>
-      </forwarding>
-      <dots/>
-      <hosts/>
-      <aliases/>
-    </unboundplus>
-    <DHCRelay version="1.0.1" persisted_at="1755786069.97"/>
-    <trust>
-      <general version="1.0.1" persisted_at="1755786070.08">
-        <store_intermediate_certs>0</store_intermediate_certs>
-        <install_crls>0</install_crls>
-        <fetch_crls>0</fetch_crls>
-        <enable_legacy_sect>1</enable_legacy_sect>
-        <enable_config_constraints>0</enable_config_constraints>
-        <CipherString/>
-        <Ciphersuites/>
-        <SignatureAlgorithms/>
-        <groups/>
-        <MinProtocol/>
-        <MinProtocol_DTLS/>
-      </general>
-    </trust>
-    <tftp>
-      <general version="0.0.1">
-        <enabled>1</enabled>
-        <listen>192.168.1.1</listen>
-      </general>
-    </tftp>
-    <wireguard>
-      <general version="0.0.1">
-        <enabled>0</enabled>
-      </general>
-      <server version="1.0.0">
-        <servers/>
-      </server>
-      <client version="1.0.0">
-        <clients/>
-      </client>
-    </wireguard>
-    <Swanctl version="1.0.0">
-      <Connections/>
-      <locals/>
-      <remotes/>
-      <children/>
-      <Pools/>
-      <VTIs/>
-      <SPDs/>
-    </Swanctl>
-    <OpenVPN version="1.0.1">
-      <Overwrites/>
-      <Instances/>
-      <StaticKeys/>
-    </OpenVPN>
-    <Gateways version="1.0.0" persisted_at="1755786217.76"/>
-  </OPNsense>
-  <staticroutes version="1.0.0"/>
-  <ca/>
-  <cert>
-    <refid>68a72b6f7f776</refid>
-    <descr>Web GUI TLS certificate</descr>
-    <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUhFakNDQlBxZ0F3SUJBZ0lVUkZqWUQ0Z1U0bzRNZGdiN2pIc29KNU9GVGFnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZWXhHakFZQmdOVkJBTU1FVTlRVG5ObGJuTmxMbWx1ZEdWeWJtRnNNUXN3Q1FZRFZRUUdFd0pPVERFVgpNQk1HQTFVRUNBd01XblZwWkMxSWIyeHNZVzVrTVJVd0V3WURWUVFIREF4TmFXUmtaV3hvWVhKdWFYTXhMVEFyCkJnTlZCQW9NSkU5UVRuTmxibk5sSUhObGJHWXRjMmxuYm1Wa0lIZGxZaUJqWlhKMGFXWnBZMkYwWlRBZUZ3MHkKTlRBNE1qRXhOREl4TXpaYUZ3MHlOakE1TWpJeE5ESXhNelphTUlHR01Sb3dHQVlEVlFRRERCRlBVRTV6Wlc1egpaUzVwYm5SbGNtNWhiREVMTUFrR0ExVUVCaE1DVGt3eEZUQVRCZ05WQkFnTURGcDFhV1F0U0c5c2JHRnVaREVWCk1CTUdBMVVFQnd3TVRXbGtaR1ZzYUdGeWJtbHpNUzB3S3dZRFZRUUtEQ1JQVUU1elpXNXpaU0J6Wld4bUxYTnAKWjI1bFpDQjNaV0lnWTJWeWRHbG1hV05oZEdVd2dnSWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUNEd0F3Z2dJSwpBb0lDQVFDbENkeFJ3ZWJQQkxvYlVORnYvL2t3TEdKWExweDl6OFFHV2lyWTNpamVDeUxDQ0FwczBLaE1adTNRClhkczMranppbDRnSE96L0hvUEo5Z0xxMy9FYnR4cE9ENWkvQzZwbXc3SGM1M2tTQ3JCK2tlWUFnVWZ1aDU3MzAKZyt3cGc5RDQzaHFBNzF1L3F0ZC95eitnTVJnTWdZMndEK3ZWQWRrdGxVSWlmN2piTmR1RDRGMmdkL0gwbzljWApEUm5zMzNNQVptTkZwajN4QWFwQi9RWnhKV1JMZ1J5K1A5MWcyZEZFNzhNaWY4ZTRNSCtrU29ndzIwVG1JbmpzCitKdEVTc0xQZmx2eUZUa0lkTVdFbURWOG1HUk5hNXVoYXlEbVNEUU9xV0NUTlZHV3ZVWjZTRnJRZ1Q1MDBEdXgKWnRtYlhGdEVqRzlIaGd5SW5QT0dKbWYzTWVzS3dYclVNMW1BenVCRVBFR0lwOTc3UTY2SitpTDYzWTUvTTB3aAphMGVVNGppNTVRQnJOQjlaWjJsa080bGU2TXdmZm50c29JakMrVDh5RW5tbW5nQTlTdWNPRW9CcFFhd3cvRGhOCmtSNGk4TUptR1JNdmpLazlHVzZ3Z2VNVThJVDhKZDRjTmJOVzdFSGpzV08xN1luTVhIMEUxOVZqa2d1R3dIODAKZ3ZROGtzTmV4WVA3WWo0b0VycnRKbWVhWU8wbFVkV0tGektNdS8va0UvNG5HK0h4emlRUnA5QmdyTURNYks4ZgpkM29mY2tqZFZTTW9Vc1FJaWlmdTFMK1I4V1Y3K3hsTzdTWS80dGk3Y28zcjNXRTYyVlE4Vk9QMVphcStWRFpvClNIMVRCa0lTSU5paVJFRzhZSDQvRHJwNWZ2dHBPcERBRGN1TGdDNDJHcExmS1pwVEtRSURBUUFCbzRJQmREQ0MKQVhBd0NRWURWUjBUQkFJd0FEQVJCZ2xnaGtnQmh2aENBUUVFQkFNQ0JrQXdOQVlKWUlaSUFZYjRRZ0VOQkNjVwpKVTlRVG5ObGJuTmxJRWRsYm1WeVlYUmxaQ0JUWlhKMlpYSWdRMlZ5ZEdsbWFXTmhkR1V3SFFZRFZSME9CQllFCkZIdUVQK05yYlorZWdMdWZVSUFKaUo2M1c4SDFNSUd3QmdOVkhTTUVnYWd3Z2FXaGdZeWtnWWt3Z1lZeEdqQVkKQmdOVkJBTU1FVTlRVG5ObGJuTmxMbWx1ZEdWeWJtRnNNUXN3Q1FZRFZRUUdFd0pPVERFVk1CTUdBMVVFQ0F3TQpXblZwWkMxSWIyeHNZVzVrTVJVd0V3WURWUVFIREF4TmFXUmtaV3hvWVhKdWFYTXhMVEFyQmdOVkJBb01KRTlRClRuTmxibk5sSUhObGJHWXRjMmxuYm1Wa0lIZGxZaUJqWlhKMGFXWnBZMkYwWllJVVJGallENGdVNG80TWRnYjcKakhzb0o1T0ZUYWd3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQ0FJQ01Bc0dBMVVkRHdRRQpBd0lGb0RBY0JnTlZIUkVFRlRBVGdoRlBVRTV6Wlc1elpTNXBiblJsY201aGJEQU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBZ0VBV2JzM2MwSXYwcEd3Y0wvUmRlbnBiZVJHQ3FsODY0V1ZITEtMZzJIR3BkKytJdmRFcHJEZkZ3SCsKdHdOd2VrZTlXUEtYa20vUkZDWE5DQmVLNjkxeURVWCtCNUJOMjMvSks5N1lzRVdtMURIV3FvSDE1WmdqelZ0QQp2d2JmbnRQdlhCWU1wV2ZQY0Zua0hjN3pxUjI3RzBEZHFUeGg2TjhFenV1S3JRWXFtaWhJUXFkNU9HRVhteW9ZCmdPVjdoZ0lWSUR6a1Z0QkRiS3dFV3VFN2pKYzViMXR4Mk1FUFRsVklEZGo0Zm5vdURWemdkczA2RER4aFM4eXAKbXJOSXhxb045ekEzYXVtTnRNZ2haSHVZRHdjbm5GSnBNZHlJSEdHZ1dlNnZZNHFtdEFSVDd3a0x6MTZnUG9LMAo5bFhVU0RmV3YwUDJGUXFHZTJjaXQ3VVE2ZGtsUWsrVGVtUEFwNnhEV09HR3oxRkdmUUoxN040b3AvOGtlOUo2Cm96RVp3QTh1aDVYTUl2N3loM2dobjV1d1R6RDUyZ1BBZFdaekEyaHVWV3p5cVM0WVc0N3ZkaGV6TTFTUndabVEKUmYzNDk0UVFydWd0bzdycWdMUlRTSXN4WEtkU21MaHZjT0hsSlhISW1XNTRzeFlXNm9NUStpRExFT29ZVVdpcgp1aUJvT1RsNEJaOG5Xcm9pV0JtWlFLaVRPYlFRczVWTkIwYnVybmRISTJVdmtIRTE3QTM0bFYySjY5Q0dNNzJ2CjQ5aE9TN3B2Tzg4cEVKZm90d01YYlRhdkR2WTBHazZxbERFMVBud1U2Wm8ySEprcFdUTUxOSzh1alZ1RkhlMGkKR2JvZi9va08vZW4rUi9PUXNyd1JYbzFwVTRiWnlyWGVQeUdqSSsrdFYzemhjd0IwWjNJPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==</crt>
-    <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRUUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Nzd2dna25BZ0VBQW9JQ0FRQ2xDZHhSd2ViUEJMb2IKVU5Gdi8va3dMR0pYTHB4OXo4UUdXaXJZM2lqZUN5TENDQXBzMEtoTVp1M1FYZHMzK2p6aWw0Z0hPei9Ib1BKOQpnTHEzL0VidHhwT0Q1aS9DNnBtdzdIYzUza1NDckIra2VZQWdVZnVoNTczMGcrd3BnOUQ0M2hxQTcxdS9xdGQvCnl6K2dNUmdNZ1kyd0QrdlZBZGt0bFVJaWY3amJOZHVENEYyZ2QvSDBvOWNYRFJuczMzTUFabU5GcGozeEFhcEIKL1FaeEpXUkxnUnkrUDkxZzJkRkU3OE1pZjhlNE1IK2tTb2d3MjBUbUluanMrSnRFU3NMUGZsdnlGVGtJZE1XRQptRFY4bUdSTmE1dWhheURtU0RRT3FXQ1ROVkdXdlVaNlNGclFnVDUwMER1eFp0bWJYRnRFakc5SGhneUluUE9HCkptZjNNZXNLd1hyVU0xbUF6dUJFUEVHSXA5NzdRNjZKK2lMNjNZNS9NMHdoYTBlVTRqaTU1UUJyTkI5WloybGsKTzRsZTZNd2ZmbnRzb0lqQytUOHlFbm1tbmdBOVN1Y09Fb0JwUWF3dy9EaE5rUjRpOE1KbUdSTXZqS2s5R1c2dwpnZU1VOElUOEpkNGNOYk5XN0VIanNXTzE3WW5NWEgwRTE5VmprZ3VHd0g4MGd2UThrc05leFlQN1lqNG9FcnJ0CkptZWFZTzBsVWRXS0Z6S011Ly9rRS80bkcrSHh6aVFScDlCZ3JNRE1iSzhmZDNvZmNramRWU01vVXNRSWlpZnUKMUwrUjhXVjcreGxPN1NZLzR0aTdjbzNyM1dFNjJWUThWT1AxWmFxK1ZEWm9TSDFUQmtJU0lOaWlSRUc4WUg0LwpEcnA1ZnZ0cE9wREFEY3VMZ0M0MkdwTGZLWnBUS1FJREFRQUJBb0lDQUFTSHc4Tit4aDR5ckFVcDc4WGFTZlhYCmtnK0FtUTBmRWV0MnVDeGgxTTlia09Xd29OQ2gzYXpUT24zNHhaYkF5TUVUbGNsVkNBZ3IwOXc4RjJRTGljcm4KSTQrQVZ4bExwVkprKzFUY1ZCY2VNSFFzWGFjRmVSblZxYkkzbU5qKzVGS2dqaXV4NWx2WmpiYlZWbmJJUWplOQpxcTBGa3R5ekEwb3NDYmUydDlWVW9pVDVtTGhaOG90Ym9BRGkvQzR6YUEyL3djUGNyMkNaUWhvem51U21PUjJWCmVydUNOMHA4VURGTFA1a0gxdXlvY0NpTFh6ZXdIVEVRQ3krK0YwMEZuRmxqeDVSYW5za3JvMnhqWFR5QlZtZUYKcDYwRHF0Q0hkTjVlS2VlQWxDL0dIRlFvL2swdzd3ejMxbHVsVGgza3FDQzJsaXRwYzVpZ2JsTGxaUDgxSUpXTQp0bkhlczNsTXk1RGNDWUx3L3huZFdmVDZFMTB4WlhFNWI0QTdxYjF4Yjhsd1FoNHFJckhDZ2p1NDVPYXNCMERJClBYZ3E2eWkwL2FKWXV6SU5kcjRTeFRibExGUkp6MXlQaGZTZDVGbjdWQVBYU1JNTDlDbzJrL0M1SDlwdG1HMjYKZHBLQVNib1ZMcStrbXg3anVKYXc0a1JNNHZmYndHZGNMZEhqMXByZ08xNkd1ckpQOVRRQ0x5YzhaR0xOekcvaApIMzBpU2FlclJOUmtDRlhmeTEzWWJJZTZHTE12KzVmODlYSENGNmZrZ1JkZjVrbTA3cEc3SCtMZytmZFdtd2lZCm0waExNSFVZeHJ3WkFma2tvZjhlSllscEVQVmQ3ZytCVjd2eTZhYW0yQituUTdHYk84WUprSnlJME04amlSaDEKeGdjRmFZaGZlT21RZGtVbi9BcUJBb0lCQVFEU1JZbDl0SnJyQk5UOXlZN0twWTJiOGVURFJqdDByU1NQRUJvNgppeWoyVWR5S1ZSbHFFdzRma2IrejV3WWt2bnBpMW1uS3NjNFlLZmoyaDVSdXVDbzVzTUNLbmpDUXBpbll4bWRFCk45Z3l6SWRYMmlzRUh6dXNSZkZiajBVSWU1dHc0TE9pL3cyVzFYWGJUc3liOFdhTmhkbVQ4TGxDNjQ5WkNNUWQKeDZkeTdOWS9uYnVWVVQ0KzM3WmV0VlR1eDg1ekl5OTdnMWp4dFZhaXZrd2hQVWtLcWpXWDYzaUZidjFuY1FVdgpiQURrWkFoOXRWYWV2UGZ2NURDeDZITldiVFlObjVRZWd3OTRyVndoSjhYb1V5ZDRqWFB0VmdXU2VkN0tWd2U5CmNkNW9CZWFBOVhDdnJxdkNIRjI4QXg2OUI2YWQrQlk1S0dVcGU2LythQnlKdlQwUkFvSUJBUURJN2c3c0dMc3AKVWJ4dGhJQm9yRzF5MDRKWWlnaE5VMlF4YjdzSkxocnRTc2NtRkxSZU5DYy8zOTBCV3ZrbVFIazFnZkpxV3hDLwp2R0VMT0Iwd3U5VFBBRWFsS25IZ2RhNkFTMURuM3NTWTltcFBRRjYvbEY2cm00cDlNUU1TTFo1V3ZsL0ZNRklHCjUvaXVSVjJaOVdkeTV4QVFWNG5uZmdMOWJDNzhPa2k3VnFPTDJDZk0vcEJEMHdzRUZmOGZiejFSZXo4dEFRZ2QKVXY4cEpFTWdDTCtQeEdkdG5DYUcxYm5obXhEUUxiWmQ4TTFOQkpKOWZLZFgzVWtLcTlDdmFJVXBIZlduSFBWVAprVWNwMUVTYnEzOFVhTzFSS1NBNUtQd1ZiNkVPVGJBSGtlaEN4ZVhpN2F3YkZwYXlTelpIaWl4Y05QQjk1YUtSCkpJQ0J5ekFwQTVTWkFvSUJBRlZKYXlrWGxqWjVNVUwyKy9ucUNIUVdPeW1SVlJCUUlpSDg4QWFLNTBSeGs3aHcKSit6RWFkZ1lMOTl5ZHlWME5RUGQzKzhkQzNEMXBVdXBWbVZLUWFaQXNQZ0lqYjQrQjM4cmlqczdRMi9uVVlZcQpzWVBzZnpHeTlPQ2tUZVhRN1ExdHRxOElNS1RiVkFCdUI4UEF1RTN5Mm51TkNqZkFmOVluSGhUT0pIY1M1UnZNCmlJZForcHRaOWdpWUdDajUxaDBSU25NWXBYejBobjFnSGxUbEhMazhySnhBSUJSUEhtMVVoRHZsM0w3R2JFTkEKeUM5K2lqbzlIaHNySTQwTW92NEhtZlorUmtvMlZzWUQ4ZHYzem15eFF6SWkwQVBIZHJ3dmJLNUVmMmRGN1dhbApKdDI3UldOb1NnUzJaME5ZMVJZQnlGSEt0cTJLdzZtMjVNeGhlMkVDZ2dFQVhSNFdSRXhoMEpCVXB0eVZOZTFTCis3Z1IzRDU4QW5uM0lRSUt5QUpaOEVhTGJKYUQwSFNUREFNUFJTV0grYlkvZGhDMjY1c3djK3MxZmlHUFJacUcKMFRmcmhYZmFOby9UUXhta2NSRElRNnRQTVZNL2xjR0k3amF6UTdtSEZ0R1ZZOVh1UkZCVWMyYmwxTDNJMXlUbgp3RlJkR1hXNEwxUXl4b2R3YnV3RDhPNEI5VGxEbUxrUTJwM2ZxUkVZbnRUS3NneFFCdWRIZjIrTFdPRzVTZ3RECjI3akZ4Z0pyeUdrY0wvWFJJT2xPYnRLK0VrZGdMRStzcmdlYlpocWlKK2hrYmQyNGpxM1k4OVdNQ1ZLYVNScDkKVmxRYVIxYXIzRkdtSWJrT0JyYnlNVS9wTjZqSEZSZllmdVZGQ1hQWnYrWEZFU1pubmJEaVdpbDBkTEpacTJoQgpZUUtDQVFBOVlTcE1wS3dhVGwrTmhTZlovMXU0NjZiMkpZcmJPYlRJM2VCZUowMnFwNXdQTjZYUHJ5aVZaZ1FXClh5cG04a3M5MEJIblBPNUczNFJnKzhLRFlONU1Ed1hBclJubDdSeTEySG5oV3lSaHNKYmdZOEh1c2d4SEROMU8KMEcwSFBpVWtIbTYydlRNYll6bkhPeE5sS1hFdFhBcTlZM3dQYkFjb01rRXZ0MzEwdEdLSUNtdTdEWkpXRlVvTAp1Y3RVS3Boc0V5VWdHbHIwRjJKekVoQWdMRXplczB0S1JpRWdlaFdnbXdlMEhlTEhCdW5oRFBTMmFJY2lCME1pCjY2SGc3cVZyMDlneXpFeGxrY3RLRzhsSm9WbU8vdlhucWQrWDB5M21YTUVZbkFIWHpIeG1Pd2JCNnF3Y3VWTlEKZytqRXliUWF3d3A2OC9id0JncFREQUhORGxrRQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==</prv>
-  </cert>
-  <dhcpdv6/>
-  <virtualip version="1.0.1">
-    <vip/>
-  </virtualip>
-  <openvpn/>
-  <ppps>
-    <ppp/>
-  </ppps>
-  <vlans version="1.0.0">
-    <vlan/>
-  </vlans>
-  <bridges>
-    <bridged/>
-  </bridges>
-  <gifs version="1.0.0">
-    <gif/>
-  </gifs>
-  <gres version="1.0.0">
-    <gre/>
-  </gres>
-  <laggs version="1.0.0">
-    <lagg/>
-  </laggs>
-  <wireless>
-    <clone/>
-  </wireless>
-  <hasync version="1.0.2">
-    <pfsyncinterface/>
-    <synchronizetoip/>
-    <verifypeer>0</verifypeer>
-    <username/>
-    <password/>
-    <disablepreempt>0</disablepreempt>
-    <disconnectppps>0</disconnectppps>
-    <pfsyncpeerip/>
-    <pfsyncversion>1400</pfsyncversion>
-    <syncitems/>
-  </hasync>
-  <ifgroups version="1.0.0"/>
-  <dnsmasq version="1.0.7" persisted_at="1755800176.40">
-    <enable>1</enable>
-    <regdhcp>0</regdhcp>
-    <regdhcpstatic>0</regdhcpstatic>
-    <dhcpfirst>0</dhcpfirst>
-    <strict_order>0</strict_order>
-    <domain_needed>0</domain_needed>
-    <no_private_reverse>0</no_private_reverse>
-    <no_resolv>0</no_resolv>
-    <log_queries>0</log_queries>
-    <no_hosts>0</no_hosts>
-    <strictbind>0</strictbind>
-    <dnssec>0</dnssec>
-    <regdhcpdomain/>
-    <interface>lan</interface>
-    <port>0</port>
-    <dns_forward_max/>
-    <cache_size/>
-    <local_ttl/>
-    <add_mac/>
-    <add_subnet>0</add_subnet>
-    <strip_subnet>0</strip_subnet>
-    <dhcp>
-      <no_interface/>
-      <fqdn>1</fqdn>
-      <domain/>
-      <lease_max/>
-      <authoritative>0</authoritative>
-      <default_fw_rules>1</default_fw_rules>
-      <reply_delay/>
-      <enable_ra>0</enable_ra>
-      <nosync>0</nosync>
-    </dhcp>
-    <no_ident>1</no_ident>
-    <dhcp_tags uuid="8d190cf3-8d2d-47db-ab9b-fa21016b533e">
-      <tag>ipxe</tag>
-    </dhcp_tags>
-    <dhcp_tags uuid="0b2982da-198c-4ca4-9a3e-95813667047c">
-      <tag>pxeEfi</tag>
-    </dhcp_tags>
-    <dhcp_tags uuid="993e079f-09b9-4a0f-a70f-8898872b9983">
-      <tag>pxeBios</tag>
-    </dhcp_tags>
-    <dhcp_ranges uuid="843574fc-4c3f-4f81-9e86-56be45f4ba49">
-      <interface>lan</interface>
-      <set_tag/>
-      <start_addr>192.168.1.41</start_addr>
-      <end_addr>192.168.1.245</end_addr>
-      <subnet_mask/>
-      <constructor/>
-      <mode/>
-      <prefix_len/>
-      <lease_time/>
-      <domain_type>range</domain_type>
-      <domain/>
-      <nosync>0</nosync>
-      <ra_mode/>
-      <ra_priority/>
-      <ra_mtu/>
-      <ra_interval/>
-      <ra_router_lifetime/>
-      <description/>
-    </dhcp_ranges>
-    <dhcp_options uuid="1e8d6f0f-7c2c-4873-8960-95a5c9447318">
-      <type>match</type>
-      <option>77</option>
-      <option6/>
-      <interface/>
-      <tag/>
-      <set_tag>8d190cf3-8d2d-47db-ab9b-fa21016b533e</set_tag>
-      <value>iPXE</value>
-      <force/>
-      <description/>
-    </dhcp_options>
-    <dhcp_options uuid="9b54181b-aa68-4fd6-9d59-10a77c291fcb">
-      <type>match</type>
-      <option>93</option>
-      <option6/>
-      <interface/>
-      <tag/>
-      <set_tag>993e079f-09b9-4a0f-a70f-8898872b9983</set_tag>
-      <value>0</value>
-      <force/>
-      <description/>
-    </dhcp_options>
-    <dhcp_options uuid="26402b93-91bb-48a9-92da-b567a91ed4d8">
-      <type>match</type>
-      <option>93</option>
-      <option6/>
-      <interface/>
-      <tag/>
-      <set_tag>0b2982da-198c-4ca4-9a3e-95813667047c</set_tag>
-      <value>7</value>
-      <force/>
-      <description/>
-    </dhcp_options>
-    <dhcp_boot uuid="57436655-6f95-4590-bcdc-dfe542347560">
-      <interface/>
-      <tag>0b2982da-198c-4ca4-9a3e-95813667047c</tag>
-      <filename>ipxe.efi</filename>
-      <servername>192.168.1.1</servername>
-      <address>192.168.1.1</address>
-      <description/>
-    </dhcp_boot>
-    <dhcp_boot uuid="dcc00bf2-5148-40ef-9f79-1f17bf572f6c">
-      <interface/>
-      <tag>8d190cf3-8d2d-47db-ab9b-fa21016b533e</tag>
-      <filename>http://192.168.1.1:8080/boot.ipxe</filename>
-      <servername>192.168.1.1</servername>
-      <address>192.168.1.1</address>
-      <description/>
-    </dhcp_boot>
-    <dhcp_boot uuid="8b9263a4-d242-4c41-8ff2-6f1af5001c41">
-      <interface/>
-      <tag>993e079f-09b9-4a0f-a70f-8898872b9983</tag>
-      <filename>undionly.kpxe</filename>
-      <servername>192.168.1.1</servername>
-      <address>192.168.1.1</address>
-      <description/>
-    </dhcp_boot>
-  </dnsmasq>
-</opnsense>
--- a/opnsense-config/src/tests/data/config-full-25.7-dummy-dnsmasq-options.xml
+++ b/opnsense-config/src/tests/data/config-full-25.7-dummy-dnsmasq-options.xml
@@ -1,867 +0,0 @@
-<?xml version="1.0"?>
-<opnsense>
-  <theme>opnsense</theme>
-  <sysctl version="1.0.1" persisted_at="1755708111.39">
-    <item/>
-  </sysctl>
-  <system>
-    <serialspeed>115200</serialspeed>
-    <primaryconsole>serial</primaryconsole>
-    <optimization>normal</optimization>
-    <hostname>OPNsense</hostname>
-    <domain>internal</domain>
-    <dnsallowoverride>1</dnsallowoverride>
-    <dnsallowoverride_exclude/>
-    <group uuid="67305f6f-7f7a-454d-8a4e-65cb8f072d81">
-      <gid>1999</gid>
-      <name>admins</name>
-      <scope>system</scope>
-      <description>System Administrators</description>
-      <priv>page-all</priv>
-      <member>0</member>
-      <source_networks/>
-    </group>
-    <user uuid="1d2ed537-5d1a-4772-9600-37b93f9f798b">
-      <uid>0</uid>
-      <name>root</name>
-      <disabled>0</disabled>
-      <scope>system</scope>
-      <expires/>
-      <authorizedkeys/>
-      <otp_seed/>
-      <shell/>
-      <password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
-      <pwd_changed_at/>
-      <landing_page/>
-      <comment/>
-      <email/>
-      <apikeys/>
-      <priv/>
-      <language/>
-      <descr>System Administrator</descr>
-      <dashboard/>
-    </user>
-    <timezone>Etc/UTC</timezone>
-    <timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
-    <webgui>
-      <protocol>https</protocol>
-      <ssl-certref>68a5faf1685db</ssl-certref>
-      <port/>
-      <ssl-ciphers/>
-      <interfaces/>
-      <compression/>
-    </webgui>
-    <disablenatreflection>yes</disablenatreflection>
-    <usevirtualterminal>1</usevirtualterminal>
-    <disableconsolemenu>1</disableconsolemenu>
-    <disablevlanhwfilter>1</disablevlanhwfilter>
-    <disablechecksumoffloading>1</disablechecksumoffloading>
-    <disablesegmentationoffloading>1</disablesegmentationoffloading>
-    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
-    <ipv6allow>1</ipv6allow>
-    <powerd_ac_mode>hadp</powerd_ac_mode>
-    <powerd_battery_mode>hadp</powerd_battery_mode>
-    <powerd_normal_mode>hadp</powerd_normal_mode>
-    <bogons>
-      <interval>monthly</interval>
-    </bogons>
-    <pf_share_forward>1</pf_share_forward>
-    <lb_use_sticky>1</lb_use_sticky>
-    <ssh>
-      <group>admins</group>
-      <noauto>1</noauto>
-      <interfaces/>
-      <kex/>
-      <ciphers/>
-      <macs/>
-      <keys/>
-      <keysig/>
-      <rekeylimit/>
-      <enabled>enabled</enabled>
-      <passwordauth>1</passwordauth>
-      <permitrootlogin>1</permitrootlogin>
-    </ssh>
-    <rrdbackup>-1</rrdbackup>
-    <netflowbackup>-1</netflowbackup>
-    <firmware version="1.0.1" persisted_at="1755708111.32">
-      <mirror/>
-      <flavour/>
-      <plugins/>
-      <type/>
-      <subscription/>
-      <reboot>0</reboot>
-    </firmware>
-    <dnsserver/>
-    <language>en_US</language>
-  </system>
-  <interfaces>
-    <wan>
-      <enable>1</enable>
-      <if>vtnet0</if>
-      <mtu/>
-      <ipaddr>dhcp</ipaddr>
-      <ipaddrv6>dhcp6</ipaddrv6>
-      <subnet/>
-      <gateway/>
-      <blockpriv>0</blockpriv>
-      <blockbogons>1</blockbogons>
-      <media/>
-      <mediaopt/>
-      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
-      <dhcphostname/>
-      <spoofmac/>
-      <mss/>
-    </wan>
-    <lan>
-      <enable>1</enable>
-      <if>vtnet1</if>
-      <ipaddr>192.168.1.1</ipaddr>
-      <subnet>24</subnet>
-      <ipaddrv6>track6</ipaddrv6>
-      <subnetv6>64</subnetv6>
-      <media/>
-      <mediaopt/>
-      <track6-interface>wan</track6-interface>
-      <track6-prefix-id>0</track6-prefix-id>
-    </lan>
-    <lo0>
-      <internal_dynamic>1</internal_dynamic>
-      <descr>Loopback</descr>
-      <enable>1</enable>
-      <if>lo0</if>
-      <ipaddr>127.0.0.1</ipaddr>
-      <ipaddrv6>::1</ipaddrv6>
-      <subnet>8</subnet>
-      <subnetv6>128</subnetv6>
-      <type>none</type>
-      <virtual>1</virtual>
-    </lo0>
-  </interfaces>
-  <dnsmasq version="1.0.7" persisted_at="1755723263.06">
-    <enable>1</enable>
-    <regdhcp>0</regdhcp>
-    <regdhcpstatic>0</regdhcpstatic>
-    <dhcpfirst>0</dhcpfirst>
-    <strict_order>0</strict_order>
-    <domain_needed>0</domain_needed>
-    <no_private_reverse>0</no_private_reverse>
-    <no_resolv>0</no_resolv>
-    <log_queries>0</log_queries>
-    <no_hosts>0</no_hosts>
-    <strictbind>0</strictbind>
-    <dnssec>0</dnssec>
-    <regdhcpdomain/>
-    <interface>lan</interface>
-    <port>0</port>
-    <dns_forward_max/>
-    <cache_size/>
-    <local_ttl/>
-    <add_mac/>
-    <add_subnet>0</add_subnet>
-    <strip_subnet>0</strip_subnet>
-    <dhcp>
-      <no_interface/>
-      <fqdn>1</fqdn>
-      <domain/>
-      <lease_max/>
-      <authoritative>0</authoritative>
-      <default_fw_rules>1</default_fw_rules>
-      <reply_delay/>
-      <enable_ra>0</enable_ra>
-      <nosync>0</nosync>
-    </dhcp>
-    <no_ident>1</no_ident>
-    <dhcp_ranges uuid="78b5c4a4-565d-4cd7-af10-29050f29e494">
-      <interface>lan</interface>
-      <set_tag/>
-      <start_addr>192.168.1.41</start_addr>
-      <end_addr>192.168.1.245</end_addr>
-      <subnet_mask/>
-      <constructor/>
-      <mode/>
-      <prefix_len/>
-      <lease_time/>
-      <domain_type>range</domain_type>
-      <domain/>
-      <nosync>0</nosync>
-      <ra_mode/>
-      <ra_priority/>
-      <ra_mtu/>
-      <ra_interval/>
-      <ra_router_lifetime/>
-      <description/>
-    </dhcp_ranges>
-    <dhcp_options uuid="b05f2b57-bad8-4072-8f51-d051671832fe">
-      <type>set</type>
-      <option>67</option>
-      <option6/>
-      <interface>lan</interface>
-      <tag/>
-      <set_tag/>
-      <value>test/boot/filename</value>
-      <force>0</force>
-      <description/>
-    </dhcp_options>
-    <dhcp_options uuid="5a5a7854-ec44-4631-95a9-85b4897588d5">
-      <type>set</type>
-      <option>128</option>
-      <option6/>
-      <interface>lan</interface>
-      <tag/>
-      <set_tag/>
-      <value>test some pxe setting vendor specific 128</value>
-      <force>0</force>
-      <description/>
-    </dhcp_options>
-    <dhcp_options uuid="7706861d-1851-420f-9b50-891ad413663e">
-      <type>set</type>
-      <option>208</option>
-      <option6/>
-      <interface/>
-      <tag/>
-      <set_tag/>
-      <value>pxelinux magic what is this (on any interface)</value>
-      <force>0</force>
-      <description/>
-    </dhcp_options>
-    <dhcp_boot uuid="748c0bd2-ef58-4cba-8486-bbf142f53859">
-      <interface/>
-      <tag/>
-      <filename>boot options filename</filename>
-      <servername>boot servername</servername>
-      <address>boot server address</address>
-      <description>boot description</description>
-    </dhcp_boot>
-  </dnsmasq>
-  <snmpd>
-    <syslocation/>
-    <syscontact/>
-    <rocommunity>public</rocommunity>
-  </snmpd>
-  <nat>
-    <outbound>
-      <mode>automatic</mode>
-    </outbound>
-  </nat>
-  <filter>
-    <rule>
-      <type>pass</type>
-      <ipprotocol>inet</ipprotocol>
-      <descr>Default allow LAN to any rule</descr>
-      <interface>lan</interface>
-      <source>
-        <network>lan</network>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </rule>
-    <rule>
-      <type>pass</type>
-      <ipprotocol>inet6</ipprotocol>
-      <descr>Default allow LAN IPv6 to any rule</descr>
-      <interface>lan</interface>
-      <source>
-        <network>lan</network>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </rule>
-  </filter>
-  <rrd>
-    <enable/>
-  </rrd>
-  <ntpd>
-    <prefer>0.opnsense.pool.ntp.org</prefer>
-  </ntpd>
-  <revision>
-    <username>root@192.168.1.5</username>
-    <description>/api/dnsmasq/settings/set made changes</description>
-    <time>1755723263.06</time>
-  </revision>
-  <OPNsense>
-    <wireguard>
-      <client version="1.0.0" persisted_at="1755708111.04">
-        <clients/>
-      </client>
-      <general version="0.0.1" persisted_at="1755708111.05">
-        <enabled>0</enabled>
-      </general>
-      <server version="1.0.0" persisted_at="1755708111.05">
-        <servers/>
-      </server>
-    </wireguard>
-    <IPsec version="1.0.4" persisted_at="1755708111.06">
-      <general>
-        <enabled/>
-        <preferred_oldsa>0</preferred_oldsa>
-        <disablevpnrules>0</disablevpnrules>
-        <passthrough_networks/>
-        <user_source/>
-        <local_group/>
-      </general>
-      <charon>
-        <max_ikev1_exchanges/>
-        <threads>16</threads>
-        <ikesa_table_size>32</ikesa_table_size>
-        <ikesa_table_segments>4</ikesa_table_segments>
-        <init_limit_half_open>1000</init_limit_half_open>
-        <ignore_acquire_ts>1</ignore_acquire_ts>
-        <install_routes>0</install_routes>
-        <cisco_unity>0</cisco_unity>
-        <make_before_break>0</make_before_break>
-        <retransmit_tries/>
-        <retransmit_timeout/>
-        <retransmit_base/>
-        <retransmit_jitter/>
-        <retransmit_limit/>
-        <syslog>
-          <daemon>
-            <ike_name>1</ike_name>
-            <log_level>0</log_level>
-            <app>1</app>
-            <asn>1</asn>
-            <cfg>1</cfg>
-            <chd>1</chd>
-            <dmn>1</dmn>
-            <enc>1</enc>
-            <esp>1</esp>
-            <ike>1</ike>
-            <imc>1</imc>
-            <imv>1</imv>
-            <job>1</job>
-            <knl>1</knl>
-            <lib>1</lib>
-            <mgr>1</mgr>
-            <net>1</net>
-            <pts>1</pts>
-            <tls>1</tls>
-            <tnc>1</tnc>
-          </daemon>
-        </syslog>
-        <plugins>
-          <attr>
-            <subnet/>
-            <split-include/>
-            <x_28674/>
-            <x_28675/>
-            <x_28672/>
-            <x_28673>0</x_28673>
-            <x_28679/>
-            <dns/>
-            <nbns/>
-          </attr>
-          <eap-radius>
-            <servers/>
-            <accounting>0</accounting>
-            <class_group>0</class_group>
-          </eap-radius>
-          <xauth-pam>
-            <pam_service>ipsec</pam_service>
-            <session>0</session>
-            <trim_email>1</trim_email>
-          </xauth-pam>
-        </plugins>
-      </charon>
-      <keyPairs/>
-      <preSharedKeys/>
-    </IPsec>
-    <Swanctl version="1.0.0" persisted_at="1755708111.08">
-      <Connections/>
-      <locals/>
-      <remotes/>
-      <children/>
-      <Pools/>
-      <VTIs/>
-      <SPDs/>
-    </Swanctl>
-    <OpenVPNExport version="0.0.1" persisted_at="1755708111.40">
-      <servers/>
-    </OpenVPNExport>
-    <OpenVPN version="1.0.1" persisted_at="1755708111.40">
-      <Overwrites/>
-      <Instances/>
-      <StaticKeys/>
-    </OpenVPN>
-    <captiveportal version="1.0.4" persisted_at="1755708111.41">
-      <zones/>
-      <templates/>
-    </captiveportal>
-    <cron version="1.0.4" persisted_at="1755708111.43">
-      <jobs/>
-    </cron>
-    <DHCRelay version="1.0.1" persisted_at="1755708111.43"/>
-    <Firewall>
-      <Lvtemplate version="0.0.1" persisted_at="1755708111.45">
-        <templates/>
-      </Lvtemplate>
-      <Alias version="1.0.1" persisted_at="1755708111.65">
-        <geoip>
-          <url/>
-        </geoip>
-        <aliases/>
-      </Alias>
-      <Category version="1.0.0" persisted_at="1755708111.65">
-        <categories/>
-      </Category>
-      <Filter version="1.0.4" persisted_at="1755708111.70">
-        <rules/>
-        <snatrules/>
-        <npt/>
-        <onetoone/>
-      </Filter>
-    </Firewall>
-    <Netflow version="1.0.1" persisted_at="1755708111.45">
-      <capture>
-        <interfaces/>
-        <egress_only/>
-        <version>v9</version>
-        <targets/>
-      </capture>
-      <collect>
-        <enable>0</enable>
-      </collect>
-      <activeTimeout>1800</activeTimeout>
-      <inactiveTimeout>15</inactiveTimeout>
-    </Netflow>
-    <IDS version="1.1.0" persisted_at="1755708111.90">
-      <rules/>
-      <policies/>
-      <userDefinedRules/>
-      <files/>
-      <fileTags/>
-      <general>
-        <enabled>0</enabled>
-        <ips>0</ips>
-        <promisc>0</promisc>
-        <interfaces>wan</interfaces>
-        <homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet>
-        <defaultPacketSize/>
-        <UpdateCron/>
-        <AlertLogrotate>W0D23</AlertLogrotate>
-        <AlertSaveLogs>4</AlertSaveLogs>
-        <MPMAlgo/>
-        <detect>
-          <Profile/>
-          <toclient_groups/>
-          <toserver_groups/>
-        </detect>
-        <syslog>0</syslog>
-        <syslog_eve>0</syslog_eve>
-        <LogPayload>0</LogPayload>
-        <verbosity/>
-        <eveLog>
-          <http>
-            <enable>0</enable>
-            <extended>0</extended>
-            <dumpAllHeaders/>
-          </http>
-          <tls>
-            <enable>0</enable>
-            <extended>0</extended>
-            <sessionResumption>0</sessionResumption>
-            <custom/>
-          </tls>
-        </eveLog>
-      </general>
-    </IDS>
-    <Interfaces>
-      <loopbacks version="1.0.0" persisted_at="1755708111.95"/>
-      <neighbors version="1.0.0" persisted_at="1755708111.96"/>
-      <vxlans version="1.0.2" persisted_at="1755708111.99"/>
-    </Interfaces>
-    <Kea>
-      <ctrl_agent version="0.0.1" persisted_at="1755708111.99">
-        <general>
-          <enabled>0</enabled>
-          <http_host>127.0.0.1</http_host>
-          <http_port>8000</http_port>
-        </general>
-      </ctrl_agent>
-      <dhcp4 version="1.0.4" persisted_at="1755708112.00">
-        <general>
-          <enabled>0</enabled>
-          <manual_config>0</manual_config>
-          <interfaces/>
-          <valid_lifetime>4000</valid_lifetime>
-          <fwrules>1</fwrules>
-          <dhcp_socket_type>raw</dhcp_socket_type>
-        </general>
-        <ha>
-          <enabled>0</enabled>
-          <this_server_name/>
-          <max_unacked_clients>2</max_unacked_clients>
-        </ha>
-        <subnets/>
-        <reservations/>
-        <ha_peers/>
-      </dhcp4>
-      <dhcp6 version="1.0.0" persisted_at="1755708112.00">
-        <general>
-          <enabled>0</enabled>
-          <manual_config>0</manual_config>
-          <interfaces/>
-          <valid_lifetime>4000</valid_lifetime>
-          <fwrules>1</fwrules>
-        </general>
-        <ha>
-          <enabled>0</enabled>
-          <this_server_name/>
-          <max_unacked_clients>2</max_unacked_clients>
-        </ha>
-        <subnets/>
-        <reservations/>
-        <pd_pools/>
-        <ha_peers/>
-      </dhcp6>
-    </Kea>
-    <monit version="1.0.13" persisted_at="1755708112.02">
-      <general>
-        <enabled>0</enabled>
-        <interval>120</interval>
-        <startdelay>120</startdelay>
-        <mailserver>127.0.0.1</mailserver>
-        <port>25</port>
-        <username/>
-        <password/>
-        <ssl>0</ssl>
-        <sslversion>auto</sslversion>
-        <sslverify>1</sslverify>
-        <logfile/>
-        <statefile/>
-        <eventqueuePath/>
-        <eventqueueSlots/>
-        <httpdEnabled>0</httpdEnabled>
-        <httpdUsername>root</httpdUsername>
-        <httpdPassword/>
-        <httpdPort>2812</httpdPort>
-        <httpdAllow/>
-        <mmonitUrl/>
-        <mmonitTimeout>5</mmonitTimeout>
-        <mmonitRegisterCredentials>1</mmonitRegisterCredentials>
-      </general>
-      <alert uuid="76cd5195-a487-4f4f-8ef5-4f9815bf19e5">
-        <enabled>0</enabled>
-        <recipient>root@localhost.local</recipient>
-        <noton>0</noton>
-        <events/>
-        <format/>
-        <reminder/>
-        <description/>
-      </alert>
-      <service uuid="11610907-f700-4f0a-9926-c25a47709493">
-        <enabled>1</enabled>
-        <name>$HOST</name>
-        <description/>
-        <type>system</type>
-        <pidfile/>
-        <match/>
-        <path/>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>02014be3-fc31-4af3-a0d5-061eaa67d28a,ebfd0d97-ae21-45d5-8b42-5220c75ce46f,d37f25f0-89e3-44b6-8ad2-280ac83a8904,37afd0d9-990c-4f03-a817-45691461e3d0</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <service uuid="dcc7e42f-a878-49a3-8b90-67faf21d67bd">
-        <enabled>1</enabled>
-        <name>RootFs</name>
-        <description/>
-        <type>filesystem</type>
-        <pidfile/>
-        <match/>
-        <path>/</path>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>b44b859c-bc72-4c2e-82c9-4f56d84a5497</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <service uuid="5ca544d4-846a-4f61-9d6f-c191eafcd9fb">
-        <enabled>0</enabled>
-        <name>carp_status_change</name>
-        <description/>
-        <type>custom</type>
-        <pidfile/>
-        <match/>
-        <path>/usr/local/opnsense/scripts/OPNsense/Monit/carp_status</path>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>0909801b-cd11-41c8-afeb-369396247308</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <service uuid="6e16e26e-e732-4b9b-ac92-2086b84f3158">
-        <enabled>0</enabled>
-        <name>gateway_alert</name>
-        <description/>
-        <type>custom</type>
-        <pidfile/>
-        <match/>
-        <path>/usr/local/opnsense/scripts/OPNsense/Monit/gateway_alert</path>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>56e67d76-cef6-4167-a51e-2c69a921ebc9</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <test uuid="b7671673-5cf1-4123-a58c-37f57a8e9d59">
-        <name>Ping</name>
-        <type>NetworkPing</type>
-        <condition>failed ping</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="30cf3664-5c6f-4ac5-a52a-36023270c6fb">
-        <name>NetworkLink</name>
-        <type>NetworkInterface</type>
-        <condition>failed link</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="a7c0836a-b102-4f37-a73b-2a50903ffcc8">
-        <name>NetworkSaturation</name>
-        <type>NetworkInterface</type>
-        <condition>saturation is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="02014be3-fc31-4af3-a0d5-061eaa67d28a">
-        <name>MemoryUsage</name>
-        <type>SystemResource</type>
-        <condition>memory usage is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="ebfd0d97-ae21-45d5-8b42-5220c75ce46f">
-        <name>CPUUsage</name>
-        <type>SystemResource</type>
-        <condition>cpu usage is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="d37f25f0-89e3-44b6-8ad2-280ac83a8904">
-        <name>LoadAvg1</name>
-        <type>SystemResource</type>
-        <condition>loadavg (1min) is greater than 4</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="37afd0d9-990c-4f03-a817-45691461e3d0">
-        <name>LoadAvg5</name>
-        <type>SystemResource</type>
-        <condition>loadavg (5min) is greater than 3</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="608d2888-9df5-486d-bbfb-bf17fad75a7e">
-        <name>LoadAvg15</name>
-        <type>SystemResource</type>
-        <condition>loadavg (15min) is greater than 2</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="b44b859c-bc72-4c2e-82c9-4f56d84a5497">
-        <name>SpaceUsage</name>
-        <type>SpaceUsage</type>
-        <condition>space usage is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="0909801b-cd11-41c8-afeb-369396247308">
-        <name>ChangedStatus</name>
-        <type>ProgramStatus</type>
-        <condition>changed status</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="56e67d76-cef6-4167-a51e-2c69a921ebc9">
-        <name>NonZeroStatus</name>
-        <type>ProgramStatus</type>
-        <condition>status != 0</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-    </monit>
-    <Gateways version="1.0.0" persisted_at="1755721633.53"/>
-    <Syslog version="1.0.2" persisted_at="1755708112.05">
-      <general>
-        <enabled>1</enabled>
-        <loglocal>1</loglocal>
-        <maxpreserve>31</maxpreserve>
-        <maxfilesize/>
-      </general>
-      <destinations/>
-    </Syslog>
-    <TrafficShaper version="1.0.3" persisted_at="1755708112.06">
-      <pipes/>
-      <queues/>
-      <rules/>
-    </TrafficShaper>
-    <trust>
-      <general version="1.0.1" persisted_at="1755708112.22">
-        <store_intermediate_certs>0</store_intermediate_certs>
-        <install_crls>0</install_crls>
-        <fetch_crls>0</fetch_crls>
-        <enable_legacy_sect>1</enable_legacy_sect>
-        <enable_config_constraints>0</enable_config_constraints>
-        <CipherString/>
-        <Ciphersuites/>
-        <SignatureAlgorithms/>
-        <groups/>
-        <MinProtocol/>
-        <MinProtocol_DTLS/>
-      </general>
-    </trust>
-    <unboundplus version="1.0.12" persisted_at="1755708112.29">
-      <general>
-        <enabled>1</enabled>
-        <port>53</port>
-        <stats>0</stats>
-        <active_interface/>
-        <dnssec>0</dnssec>
-        <dns64>0</dns64>
-        <dns64prefix/>
-        <noarecords>0</noarecords>
-        <regdhcp>0</regdhcp>
-        <regdhcpdomain/>
-        <regdhcpstatic>0</regdhcpstatic>
-        <noreglladdr6>0</noreglladdr6>
-        <noregrecords>0</noregrecords>
-        <txtsupport>0</txtsupport>
-        <cacheflush>0</cacheflush>
-        <local_zone_type>transparent</local_zone_type>
-        <outgoing_interface/>
-        <enable_wpad>0</enable_wpad>
-      </general>
-      <advanced>
-        <hideidentity>0</hideidentity>
-        <hideversion>0</hideversion>
-        <prefetch>0</prefetch>
-        <prefetchkey>0</prefetchkey>
-        <dnssecstripped>0</dnssecstripped>
-        <aggressivensec>1</aggressivensec>
-        <serveexpired>0</serveexpired>
-        <serveexpiredreplyttl/>
-        <serveexpiredttl/>
-        <serveexpiredttlreset>0</serveexpiredttlreset>
-        <serveexpiredclienttimeout/>
-        <qnameminstrict>0</qnameminstrict>
-        <extendedstatistics>0</extendedstatistics>
-        <logqueries>0</logqueries>
-        <logreplies>0</logreplies>
-        <logtagqueryreply>0</logtagqueryreply>
-        <logservfail>0</logservfail>
-        <loglocalactions>0</loglocalactions>
-        <logverbosity>1</logverbosity>
-        <valloglevel>0</valloglevel>
-        <privatedomain/>
-        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
-        <insecuredomain/>
-        <msgcachesize/>
-        <rrsetcachesize/>
-        <outgoingnumtcp/>
-        <incomingnumtcp/>
-        <numqueriesperthread/>
-        <outgoingrange/>
-        <jostletimeout/>
-        <discardtimeout/>
-        <cachemaxttl/>
-        <cachemaxnegativettl/>
-        <cacheminttl/>
-        <infrahostttl/>
-        <infrakeepprobing>0</infrakeepprobing>
-        <infracachenumhosts/>
-        <unwantedreplythreshold/>
-      </advanced>
-      <acls>
-        <default_action>allow</default_action>
-      </acls>
-      <dnsbl>
-        <enabled>0</enabled>
-        <safesearch>0</safesearch>
-        <type/>
-        <lists/>
-        <whitelists/>
-        <blocklists/>
-        <wildcards/>
-        <address/>
-        <nxdomain>0</nxdomain>
-      </dnsbl>
-      <forwarding>
-        <enabled>0</enabled>
-      </forwarding>
-      <dots/>
-      <hosts/>
-      <aliases/>
-    </unboundplus>
-  </OPNsense>
-  <hasync version="1.0.2" persisted_at="1755708111.35">
-    <disablepreempt>0</disablepreempt>
-    <disconnectppps>0</disconnectppps>
-    <pfsyncinterface/>
-    <pfsyncpeerip/>
-    <pfsyncversion>1400</pfsyncversion>
-    <synchronizetoip/>
-    <verifypeer>0</verifypeer>
-    <username/>
-    <password/>
-    <syncitems/>
-  </hasync>
-  <openvpn/>
-  <ifgroups version="1.0.0" persisted_at="1755708111.71"/>
-  <bridges version="1.0.0" persisted_at="1755708111.91">
-    <bridged/>
-  </bridges>
-  <gifs version="1.0.0" persisted_at="1755708111.92">
-    <gif/>
-  </gifs>
-  <gres version="1.0.0" persisted_at="1755708111.93">
-    <gre/>
-  </gres>
-  <laggs version="1.0.0" persisted_at="1755708111.95">
-    <lagg/>
-  </laggs>
-  <virtualip version="1.0.1" persisted_at="1755708111.96">
-    <vip/>
-  </virtualip>
-  <vlans version="1.0.0" persisted_at="1755708111.98">
-    <vlan/>
-  </vlans>
-  <staticroutes version="1.0.0" persisted_at="1755708112.03"/>
-  <ppps>
-    <ppp/>
-  </ppps>
-  <wireless>
-    <clone/>
-  </wireless>
-  <ca/>
-  <dhcpd/>
-  <dhcpdv6/>
-  <cert uuid="d60972af-642c-411f-abb6-43e0d680fefd">
-    <refid>68a5faf1685db</refid>
-    <descr>Web GUI TLS certificate</descr>
-    <caref/>
-    <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUhFakNDQlBxZ0F3SUJBZ0lVQlpQYjUwMXNaM3hhTTZzSDVUM1ZNRG9mcnlNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZWXhHakFZQmdOVkJBTU1FVTlRVG5ObGJuTmxMbWx1ZEdWeWJtRnNNUXN3Q1FZRFZRUUdFd0pPVERFVgpNQk1HQTFVRUNBd01XblZwWkMxSWIyeHNZVzVrTVJVd0V3WURWUVFIREF4TmFXUmtaV3hvWVhKdWFYTXhMVEFyCkJnTlZCQW9NSkU5UVRuTmxibk5sSUhObGJHWXRjMmxuYm1Wa0lIZGxZaUJqWlhKMGFXWnBZMkYwWlRBZUZ3MHkKTlRBNE1qQXhOalF5TWpaYUZ3MHlOakE1TWpFeE5qUXlNalphTUlHR01Sb3dHQVlEVlFRRERCRlBVRTV6Wlc1egpaUzVwYm5SbGNtNWhiREVMTUFrR0ExVUVCaE1DVGt3eEZUQVRCZ05WQkFnTURGcDFhV1F0U0c5c2JHRnVaREVWCk1CTUdBMVVFQnd3TVRXbGtaR1ZzYUdGeWJtbHpNUzB3S3dZRFZRUUtEQ1JQVUU1elpXNXpaU0J6Wld4bUxYTnAKWjI1bFpDQjNaV0lnWTJWeWRHbG1hV05oZEdVd2dnSWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUNEd0F3Z2dJSwpBb0lDQVFEQVozZk1lakdOckZYVFhZd24vTUp5YXBYMDdVOTVWZ0JERzZmWU1wZkZEU1NXeFRValRLRlNvR3JRCkpDb0ZyQ0NRQ3BsWnlua0ZjVFZvWVAraGszcndWWmxHZVFyL0RyR2ZiM1lPc2RGbEtublo5YzRTOGVrSkc2WTIKYWI0eFJTcnBja0hoTWQ4MHNENUFRdks1Skc2MS9UMEhNRXVMcGlraUF3MFpCempWbjlVUUpSRTJiS29kOW9IdgpEbG5DVGNTV1FUNWYrV3A0Sll0anVBVHBZMUlRVW4wbkxuWDBHUC9JRGtsWjFrdEZOczRPOGcrQmRVWFU0MUdvCjNGTFpCc1hQVm90WFVrRVl2R0ZldjJRMlBwSnNib25aWEpoR255amREUlZkZFZGOGhacGJua0wwU2xJTVFNeFQKSTRXK051ZmUvUTZGRDdmZnFRa0toemZ3SlJ2N0dGM2RTRlEwWldPUGNTZVZXY3lWTlVVMTMvcnBteUpvNXZhWQpYR000THcxb1d2c1FjUWxaUllnSkxhSWMzM0dnMGQySHhvZTIvdytIeFRXOEw4ZldqbzgxK250YWJXTlZhV0IwCnd6TXNFNGRBOWtxR2dmcWZjbm96ckovamJtNEFBTTB6QTlVZFh0SUJtRGdpeFNkVzB4eHNQNlZWRTdMdnlURTgKWnBJTjRoL1FCYURyc2hhRXJ6TXhUd01IZXJ1RlV4bFpxZEdSa3ErQXRJU1VwRE05VXB0YWZZMk5ydzgxVDFhSwoycFduVFlFQktCUnVwdk00TzFHNXN5NU5GZm13NFRTc0pqRUhtMFEvVTZ4ZU45bVg0OFhIYUZFNnhvQTJEZEMrCjJHS2lKWFlrYi9nZm13cmp1Y3NGWGpBS2tDNWF6ZXFqaERXeGxDbmJNS1YwSTQxOWp3SURBUUFCbzRJQmREQ0MKQVhBd0NRWURWUjBUQkFJd0FEQVJCZ2xnaGtnQmh2aENBUUVFQkFNQ0JrQXdOQVlKWUlaSUFZYjRRZ0VOQkNjVwpKVTlRVG5ObGJuTmxJRWRsYm1WeVlYUmxaQ0JUWlhKMlpYSWdRMlZ5ZEdsbWFXTmhkR1V3SFFZRFZSME9CQllFCkZMK2YzU0tCM0tMSi9nWStBUTJIZDBhTzVPRU1NSUd3QmdOVkhTTUVnYWd3Z2FXaGdZeWtnWWt3Z1lZeEdqQVkKQmdOVkJBTU1FVTlRVG5ObGJuTmxMbWx1ZEdWeWJtRnNNUXN3Q1FZRFZRUUdFd0pPVERFVk1CTUdBMVVFQ0F3TQpXblZwWkMxSWIyeHNZVzVrTVJVd0V3WURWUVFIREF4TmFXUmtaV3hvWVhKdWFYTXhMVEFyQmdOVkJBb01KRTlRClRuTmxibk5sSUhObGJHWXRjMmxuYm1Wa0lIZGxZaUJqWlhKMGFXWnBZMkYwWllJVUJaUGI1MDFzWjN4YU02c0gKNVQzVk1Eb2ZyeU13SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQ0FJQ01Bc0dBMVVkRHdRRQpBd0lGb0RBY0JnTlZIUkVFRlRBVGdoRlBVRTV6Wlc1elpTNXBiblJsY201aGJEQU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBZ0VBY3F3VEN0RmVwWDlFOEFMYXRaWEE4dkN2b1YwZkxuaElPM0lWT2tZNEhYMTRRRU9NUGo4KzVXMXoKc3hyUGNscEJQVU5tbXJRb0hWUHBuWTRFM2hFanlYY1JWSzZtTEFrSkpRUDJPOEE2NFFpL3FNSkhCYUlEU0MzKwpqMHdkMGYyODRvcEppQ0F2UnF0SGh1bDd3akd4QzNZUXRxWTFMODNWUHBOWGRjOVVsZExTUGZ6WWluMlBPekMrClFDWU9qN3VQUDlCVGExTURudkdPdkdrOHdQeUJGaFZQWVFBWjYwb1ZaS2psOUI2R1piRzF1SG1ON3p3a3k0eEIKNk1RSlF3cHFscDdXQ09QSHJlZTFiVGZaMkJMZFQrZzJHakVMT0xNRGJMTHAzNUw0blBDUmNGRkJZNEszMHBncQpVWjdncEtNTmhuR3huQ29lR3dHUk54ZHFoZnNlT3FqaURVM0hBVDEya3FReU1vOEZNT1g1bG9EaVpXSGZTS0JrClVRaG5Tc1BTMG0vZ2dSRVgwNVQzYWM2NUxNOVVXMEs2MXppZUs5WFhTcjNXWlQ1TkhNV2JmU0VScUR4SGRtZ0YKeGt3YXkxZWpCZTFoZzdGMGpicTVDMGo1ZXB5ZDNOc1BTVUtDY2FDNi9aWTNkUHVYWVZZL0J2dnFsZHZJSzRBeAo0R1BLQ0xzaStGRjliSXZRWG4zbTV2KzJoQWF2WlpxcmJOTFUzVFQ0aDd2QllBOVRNcXpwd3lEaW5BR3RhaEE3CnhDSW5IU01kZXpQcnNkZDJrTW5TckhPdWtGeGdKb2lNZ3krVlJmdTdvZk9NMjhYQ1FySWF6djBFYmFhTU1ZMTcKRzlXOFd3SXZUb2lYY1ZWNTk3K1NUNHRsSTVIM3lDZFBtSk1kRm5GcDg1K2JzbW42MFQwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==</crt>
-    <csr/>
-    <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRREFaM2ZNZWpHTnJGWFQKWFl3bi9NSnlhcFgwN1U5NVZnQkRHNmZZTXBmRkRTU1d4VFVqVEtGU29HclFKQ29GckNDUUNwbFp5bmtGY1RWbwpZUCtoazNyd1ZabEdlUXIvRHJHZmIzWU9zZEZsS25uWjljNFM4ZWtKRzZZMmFiNHhSU3JwY2tIaE1kODBzRDVBClF2SzVKRzYxL1QwSE1FdUxwaWtpQXcwWkJ6alZuOVVRSlJFMmJLb2Q5b0h2RGxuQ1RjU1dRVDVmK1dwNEpZdGoKdUFUcFkxSVFVbjBuTG5YMEdQL0lEa2xaMWt0Rk5zNE84ZytCZFVYVTQxR28zRkxaQnNYUFZvdFhVa0VZdkdGZQp2MlEyUHBKc2JvblpYSmhHbnlqZERSVmRkVkY4aFpwYm5rTDBTbElNUU14VEk0VytOdWZlL1E2RkQ3ZmZxUWtLCmh6ZndKUnY3R0YzZFNGUTBaV09QY1NlVldjeVZOVVUxMy9ycG15Sm81dmFZWEdNNEx3MW9XdnNRY1FsWlJZZ0oKTGFJYzMzR2cwZDJIeG9lMi93K0h4VFc4TDhmV2pvODErbnRhYldOVmFXQjB3ek1zRTRkQTlrcUdnZnFmY25vegpySi9qYm00QUFNMHpBOVVkWHRJQm1EZ2l4U2RXMHh4c1A2VlZFN0x2eVRFOFpwSU40aC9RQmFEcnNoYUVyek14ClR3TUhlcnVGVXhsWnFkR1JrcStBdElTVXBETTlVcHRhZlkyTnJ3ODFUMWFLMnBXblRZRUJLQlJ1cHZNNE8xRzUKc3k1TkZmbXc0VFNzSmpFSG0wUS9VNnhlTjltWDQ4WEhhRkU2eG9BMkRkQysyR0tpSlhZa2IvZ2Ztd3JqdWNzRgpYakFLa0M1YXplcWpoRFd4bENuYk1LVjBJNDE5andJREFRQUJBb0lDQUNVVkRBTE4zalVXN09leTFPdDBES251Cm52NDRxcU9SRHJYZ1k2WUlnalhKUmE4RlRTdURmbWdsWU5EQzE1S0dUVFJWeHA2R3BuS0ZFaTBPM05Yd1RiWjYKV1BNN0t3SmplNXBsNmhRRTgzMlRCUzhiNzk2NDN4Z1JTeVNibHJ0NlFENEQ5bXlIcHlSSmY0WDFJVURMbzhiUgppdXlTdzB5ajlyT0djUVRNM29oVnFNUFcwUTF6UGdwT1UxYVdwbmdMY3dNZWlmNEhYUnpRNTUrTmZPemFacHVjCnVtQk4xUS81clhxS1BscmhNVnFpcUc0Nit3QVJjU2NKdE5oZHRsMzdyeTQ1Mk5zNGtERkxSVnowZUVUNEpGSmYKcjVQRUE5bEFuYWlVOS9RdVEwbERtcTlqdmpYRkNURXhYKy82SGJHK2RVd0Y2OEY3ZVEzVFQxbkhHK0hkMVJsbgpOWm1JM0p2d0Z1cG9JeU9VdlpJb3VGVmo2ak8ra0JLejkza1BHWmdMbnNmUUw5WDhRbTU3cjh4K3Z1eFNudGI1CjV4WVBxRkdrOWQrbDUwbTlQakdkekxGT3UwYnJ5TmQ4MFVMS2tuUlFtUVpvTngxck5GTUxpSjNlZENWUS9lclUKT1BDQ0Z0WEJMemJGTjR2ZzVWRjZMUkhvZGxqcEgxRzJOSXNoSzJhc1FuWS9RWDFpUUNLSk1tWERSUndMTWVsNQp3MUF4T2FqYVkzbWx2ZlRVd2xqdkE3a0tFUDBvZzRPeXZldDA2WTVRWk1EQXc1V00yT0pZVDVxcmFlYjZDbTdMCjlNckk4bG50TGp3WFVSZG4yU3U2RCtCWXNpcC9KK3BvOFNqYlJBaGJIc0lJbkJ1QWJnbGxqdTB2QXRXZmFkQlQKOTg4YnUwK3VUb1Q2T1Jkbk84Y1JBb0lCQVFEcStWYkVUQWVpSHN6K29jZnFWV3VwVHJrc2FNNm1wUUMwb0tqZApwb1FzWGVuTmNiNThHQ3FhWHkvdTJHWmNKUnR1QXRHamEyUVpEUUFUSjQyVTFmaTFhWm90Y053eXhPdmlud1NjCmVLZyt0ZGcwdW9LeGs2aXJKRFptaDBIK3Ewblg2RFJYK25RNDVmWVNmRkRFK0ZLd1lac0dQMkhYV3dKaVZ6OE0KU2NkL2pETTFRTWV2OXIzZWx1dS9DWFlvZ1N0N00wMklyczVoNjRuNjFmdVZjNHI4YmUwdFkrUTVsUnlwWk9NVwpkQ2VkWGFOV3RaNjF2bEFxamNiWkpkdXFBUjJjNzAyR3NML201TXA4Zmd3YmY2aG51TXJLaVlpQjlZalZxalc2CmYyUW1PclZtMUk0MFJBMC9OaFBTR2NXejBkNXZrdXY0VHUra2JFbERZTCsxaHY1M0FvSUJBUURSbnZaTmJaa1UKTXpmUTRLWEdML3dLUXJEbjNvL0RENWVBR1ZDTGcwTUkyYlAxYWpubHNVTjE4NCs1UWF6cVVOaWlZT3laODczeQpQYkw0cTBOZWFDYXdxby9WbjJMSkVIUFVTTVhUWjB4ckxTa1hPUjFuMDUwT2tDWXhVbFpOUXFvZU1xcHJGNXZLCm1NNlJxalN4NS8ydU9IUlR1SDRVV2RETEpwTDVUN2RpUCtXcFUwSDlSUWhrNDdkQUJaUjZEZjNxaDJEYmVxUWoKdWcxY0hWUVNqaldhUGpVZGlLR2dHemdvdlE2UkdNZDA1UVUzdkRMdzBCSkNPQ25XV2x0VXkvMW1jMUpPUHR2ZQp4UGltV2tRNmlkRHZ4RGZFRGg5U05zY1FPMnBTVjZxNnhCTWlqVGgvTldGN2NsOU1LYUhJWGxzTmt0RFVXWHZyCmNKRlM4eE1TcDhlcEFvSUJBUUNtWktVTjRxMHhIOUNZckdYT1Nta3Yvc0JnYzJPTFhLTXdSZWp1OVFENkRoTUgKMmZsREZUWHVGV1B6SmlqdUxaVE1CWkVBd1lhanVySUgzbVdETlRhbStMNG1XWnFGRlMvWlRqUk12YUNlcjlVSQpHZDk4OG94cGpQNDlBcUU0UDRIT00vQUZNU1ZtT1dwVTB0VzdkZ0hRUjM0cElXOGV1cUxva3RIaDJNaytTRURuCkFCV29SUGxWaTlncmN2N0tWaFk5YXlvSGxZb3VpMFl0YTZSNXc5VnpSa0REZU01Zi9Iak1kOVhieTZ0VjQ3NU0KSTliYzZvVUliVmVYNUJnMnZnMkRXVzZ6NTZ3dFRHMGJWWU1yWWU0V2JTU2w0bGpaZHM5TVJ2ay9OUUR0bFh0cAo4ekUwVDlCMXA4ekhabHE3S08zMFlyMVpIRVRWVVoxYjZrSTN3UDJuQW9JQkFFZ1VGKzlCMjF4RnpGQ0hucGtLClVPa2FTNGcvVUVHcmI5VzlYcVBLUzllVVBEd0wvY0tNZEh6dmRpRW1neFhESE9xZzExcU1wR2pTYkdMelNPUUMKZmlOTFV0QUswVVgvNFVSQ2pidUdqcEZmNHZ3NFNITTJJWkFyWXVhY3dFNHF1U0pQRzZoZFl0V0VPNnQ4MGtmRwpWTVYrWmdtUHE5TEZtM1R2VzZSY2s5czF5M3V3eEVVWllxeUdYTEduK1lrS25KL3pVd3ZGSFFHbjdRWWFrNWtaCnl6YXhZMFEzZ2hQeXFCbmlBRXRHTVBkeDlKeFltMCtRekdaMnQzUWNkOEV0cjRGMTcvdzF3eGJUdGdoRmk2WngKVXlYTzI3b1BmUmVnL0V3SmtpS2tRSEdlRUZKV0t2SWE0ZDAzMDZyMXVjcVRIMDRJaU1RcnpOK0ZRb002VC9tZgpOWmtDZ2dFQUsrRVJNVVdJZTE3V1k3VDIycy9lOEplN0xxSXlUcU9mSGovaWFUUjhHbXhqcU1HNEdod1RpVXJsCkh0Skhud3BMVGFjVmdYUjV3UmtYcEhRT2JqSUFzeVNBUGxwSzBvZUkyK2kvS0cyQjZ2U0cza0V2b1VZY0RlRk4KdzhHd0oxNDNTd21LQXM4eUtWMmd1RjhmRXNNVitEQzNzVHFlZXJmMy82bFprMUVCVFF0QTZqVHdqK0picXgwVgpaalZJUXBwUE8vc1VHdi9LZVE3MW5ockJpT0lXclJ0dDRTUDJ2aWx2em9DUTQxVjFqZ09wS3VwU3E1Y2J3VDRxCmp1bkJIMkx5VnNQaUc4M0Vha1JSUEhDK0craTk1MFJxckxVRUJOeVdHNGlMNTdUdU9xYVJuSmRnN2ZFb2lVLzMKNld4TjlvR2VRWjV0NjZkdTJEL01WSUZ4ZzJ1cXRBPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=</prv>
-  </cert>
-  <syslog/>
-</opnsense>
--- a/opnsense-config/src/tests/data/config-full-25.7.xml
+++ b/opnsense-config/src/tests/data/config-full-25.7.xml
@@ -1,826 +0,0 @@
-<?xml version="1.0"?>
-<opnsense>
-  <theme>opnsense</theme>
-  <sysctl version="1.0.1" persisted_at="1755708111.39">
-    <item/>
-  </sysctl>
-  <system>
-    <serialspeed>115200</serialspeed>
-    <primaryconsole>serial</primaryconsole>
-    <optimization>normal</optimization>
-    <hostname>OPNsense</hostname>
-    <domain>internal</domain>
-    <dnsallowoverride>1</dnsallowoverride>
-    <dnsallowoverride_exclude/>
-    <group uuid="67305f6f-7f7a-454d-8a4e-65cb8f072d81">
-      <gid>1999</gid>
-      <name>admins</name>
-      <scope>system</scope>
-      <description>System Administrators</description>
-      <priv>page-all</priv>
-      <member>0</member>
-      <source_networks/>
-    </group>
-    <user uuid="1d2ed537-5d1a-4772-9600-37b93f9f798b">
-      <uid>0</uid>
-      <name>root</name>
-      <disabled>0</disabled>
-      <scope>system</scope>
-      <expires/>
-      <authorizedkeys/>
-      <otp_seed/>
-      <shell/>
-      <password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
-      <pwd_changed_at/>
-      <landing_page/>
-      <comment/>
-      <email/>
-      <apikeys/>
-      <priv/>
-      <language/>
-      <descr>System Administrator</descr>
-      <dashboard/>
-    </user>
-    <timezone>Etc/UTC</timezone>
-    <timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
-    <webgui>
-      <protocol>https</protocol>
-      <ssl-certref>68a5faf1685db</ssl-certref>
-      <port/>
-      <ssl-ciphers/>
-      <interfaces/>
-      <compression/>
-    </webgui>
-    <disablenatreflection>yes</disablenatreflection>
-    <usevirtualterminal>1</usevirtualterminal>
-    <disableconsolemenu>1</disableconsolemenu>
-    <disablevlanhwfilter>1</disablevlanhwfilter>
-    <disablechecksumoffloading>1</disablechecksumoffloading>
-    <disablesegmentationoffloading>1</disablesegmentationoffloading>
-    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
-    <ipv6allow>1</ipv6allow>
-    <powerd_ac_mode>hadp</powerd_ac_mode>
-    <powerd_battery_mode>hadp</powerd_battery_mode>
-    <powerd_normal_mode>hadp</powerd_normal_mode>
-    <bogons>
-      <interval>monthly</interval>
-    </bogons>
-    <pf_share_forward>1</pf_share_forward>
-    <lb_use_sticky>1</lb_use_sticky>
-    <ssh>
-      <group>admins</group>
-      <noauto>1</noauto>
-      <interfaces/>
-      <kex/>
-      <ciphers/>
-      <macs/>
-      <keys/>
-      <keysig/>
-      <rekeylimit/>
-      <enabled>enabled</enabled>
-      <passwordauth>1</passwordauth>
-      <permitrootlogin>1</permitrootlogin>
-    </ssh>
-    <rrdbackup>-1</rrdbackup>
-    <netflowbackup>-1</netflowbackup>
-    <firmware version="1.0.1" persisted_at="1755708111.32">
-      <mirror/>
-      <flavour/>
-      <plugins/>
-      <type/>
-      <subscription/>
-      <reboot>0</reboot>
-    </firmware>
-    <dnsserver/>
-    <language>en_US</language>
-  </system>
-  <interfaces>
-    <wan>
-      <enable>1</enable>
-      <if>vtnet0</if>
-      <mtu/>
-      <ipaddr>dhcp</ipaddr>
-      <ipaddrv6>dhcp6</ipaddrv6>
-      <subnet/>
-      <gateway/>
-      <blockpriv>0</blockpriv>
-      <blockbogons>1</blockbogons>
-      <media/>
-      <mediaopt/>
-      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
-      <dhcphostname/>
-      <spoofmac/>
-      <mss/>
-    </wan>
-    <lan>
-      <enable>1</enable>
-      <if>vtnet1</if>
-      <ipaddr>192.168.1.1</ipaddr>
-      <subnet>24</subnet>
-      <ipaddrv6>track6</ipaddrv6>
-      <subnetv6>64</subnetv6>
-      <media/>
-      <mediaopt/>
-      <track6-interface>wan</track6-interface>
-      <track6-prefix-id>0</track6-prefix-id>
-    </lan>
-    <lo0>
-      <internal_dynamic>1</internal_dynamic>
-      <descr>Loopback</descr>
-      <enable>1</enable>
-      <if>lo0</if>
-      <ipaddr>127.0.0.1</ipaddr>
-      <ipaddrv6>::1</ipaddrv6>
-      <subnet>8</subnet>
-      <subnetv6>128</subnetv6>
-      <type>none</type>
-      <virtual>1</virtual>
-    </lo0>
-  </interfaces>
-  <dnsmasq version="1.0.7" persisted_at="1755721633.54">
-    <enable>1</enable>
-    <regdhcp>0</regdhcp>
-    <regdhcpstatic>0</regdhcpstatic>
-    <dhcpfirst>0</dhcpfirst>
-    <strict_order>0</strict_order>
-    <domain_needed>0</domain_needed>
-    <no_private_reverse>0</no_private_reverse>
-    <no_resolv>0</no_resolv>
-    <log_queries>0</log_queries>
-    <no_hosts>0</no_hosts>
-    <strictbind>0</strictbind>
-    <dnssec>0</dnssec>
-    <regdhcpdomain/>
-    <interface>lan</interface>
-    <port>0</port>
-    <dns_forward_max/>
-    <cache_size/>
-    <local_ttl/>
-    <add_mac/>
-    <add_subnet>0</add_subnet>
-    <strip_subnet>0</strip_subnet>
-    <dhcp>
-      <no_interface/>
-      <fqdn>1</fqdn>
-      <domain/>
-      <lease_max/>
-      <authoritative>0</authoritative>
-      <default_fw_rules>1</default_fw_rules>
-      <reply_delay/>
-      <enable_ra>0</enable_ra>
-      <nosync>0</nosync>
-    </dhcp>
-    <no_ident>1</no_ident>
-    <dhcp_ranges uuid="78b5c4a4-565d-4cd7-af10-29050f29e494">
-      <interface>lan</interface>
-      <set_tag/>
-      <start_addr>192.168.1.41</start_addr>
-      <end_addr>192.168.1.245</end_addr>
-      <subnet_mask/>
-      <constructor/>
-      <mode/>
-      <prefix_len/>
-      <lease_time/>
-      <domain_type>range</domain_type>
-      <domain/>
-      <nosync>0</nosync>
-      <ra_mode/>
-      <ra_priority/>
-      <ra_mtu/>
-      <ra_interval/>
-      <ra_router_lifetime/>
-      <description/>
-    </dhcp_ranges>
-  </dnsmasq>
-  <snmpd>
-    <syslocation/>
-    <syscontact/>
-    <rocommunity>public</rocommunity>
-  </snmpd>
-  <nat>
-    <outbound>
-      <mode>automatic</mode>
-    </outbound>
-  </nat>
-  <filter>
-    <rule>
-      <type>pass</type>
-      <ipprotocol>inet</ipprotocol>
-      <descr>Default allow LAN to any rule</descr>
-      <interface>lan</interface>
-      <source>
-        <network>lan</network>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </rule>
-    <rule>
-      <type>pass</type>
-      <ipprotocol>inet6</ipprotocol>
-      <descr>Default allow LAN IPv6 to any rule</descr>
-      <interface>lan</interface>
-      <source>
-        <network>lan</network>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </rule>
-  </filter>
-  <rrd>
-    <enable/>
-  </rrd>
-  <ntpd>
-    <prefer>0.opnsense.pool.ntp.org</prefer>
-  </ntpd>
-  <revision>
-    <username>root@192.168.1.5</username>
-    <description>/system_advanced_admin.php made changes</description>
-    <time>1755721653.06</time>
-  </revision>
-  <OPNsense>
-    <wireguard>
-      <client version="1.0.0" persisted_at="1755708111.04">
-        <clients/>
-      </client>
-      <general version="0.0.1" persisted_at="1755708111.05">
-        <enabled>0</enabled>
-      </general>
-      <server version="1.0.0" persisted_at="1755708111.05">
-        <servers/>
-      </server>
-    </wireguard>
-    <IPsec version="1.0.4" persisted_at="1755708111.06">
-      <general>
-        <enabled/>
-        <preferred_oldsa>0</preferred_oldsa>
-        <disablevpnrules>0</disablevpnrules>
-        <passthrough_networks/>
-        <user_source/>
-        <local_group/>
-      </general>
-      <charon>
-        <max_ikev1_exchanges/>
-        <threads>16</threads>
-        <ikesa_table_size>32</ikesa_table_size>
-        <ikesa_table_segments>4</ikesa_table_segments>
-        <init_limit_half_open>1000</init_limit_half_open>
-        <ignore_acquire_ts>1</ignore_acquire_ts>
-        <install_routes>0</install_routes>
-        <cisco_unity>0</cisco_unity>
-        <make_before_break>0</make_before_break>
-        <retransmit_tries/>
-        <retransmit_timeout/>
-        <retransmit_base/>
-        <retransmit_jitter/>
-        <retransmit_limit/>
-        <syslog>
-          <daemon>
-            <ike_name>1</ike_name>
-            <log_level>0</log_level>
-            <app>1</app>
-            <asn>1</asn>
-            <cfg>1</cfg>
-            <chd>1</chd>
-            <dmn>1</dmn>
-            <enc>1</enc>
-            <esp>1</esp>
-            <ike>1</ike>
-            <imc>1</imc>
-            <imv>1</imv>
-            <job>1</job>
-            <knl>1</knl>
-            <lib>1</lib>
-            <mgr>1</mgr>
-            <net>1</net>
-            <pts>1</pts>
-            <tls>1</tls>
-            <tnc>1</tnc>
-          </daemon>
-        </syslog>
-        <plugins>
-          <attr>
-            <subnet/>
-            <split-include/>
-            <x_28674/>
-            <x_28675/>
-            <x_28672/>
-            <x_28673>0</x_28673>
-            <x_28679/>
-            <dns/>
-            <nbns/>
-          </attr>
-          <eap-radius>
-            <servers/>
-            <accounting>0</accounting>
-            <class_group>0</class_group>
-          </eap-radius>
-          <xauth-pam>
-            <pam_service>ipsec</pam_service>
-            <session>0</session>
-            <trim_email>1</trim_email>
-          </xauth-pam>
-        </plugins>
-      </charon>
-      <keyPairs/>
-      <preSharedKeys/>
-    </IPsec>
-    <Swanctl version="1.0.0" persisted_at="1755708111.08">
-      <Connections/>
-      <locals/>
-      <remotes/>
-      <children/>
-      <Pools/>
-      <VTIs/>
-      <SPDs/>
-    </Swanctl>
-    <OpenVPNExport version="0.0.1" persisted_at="1755708111.40">
-      <servers/>
-    </OpenVPNExport>
-    <OpenVPN version="1.0.1" persisted_at="1755708111.40">
-      <Overwrites/>
-      <Instances/>
-      <StaticKeys/>
-    </OpenVPN>
-    <captiveportal version="1.0.4" persisted_at="1755708111.41">
-      <zones/>
-      <templates/>
-    </captiveportal>
-    <cron version="1.0.4" persisted_at="1755708111.43">
-      <jobs/>
-    </cron>
-    <DHCRelay version="1.0.1" persisted_at="1755708111.43"/>
-    <Firewall>
-      <Lvtemplate version="0.0.1" persisted_at="1755708111.45">
-        <templates/>
-      </Lvtemplate>
-      <Alias version="1.0.1" persisted_at="1755708111.65">
-        <geoip>
-          <url/>
-        </geoip>
-        <aliases/>
-      </Alias>
-      <Category version="1.0.0" persisted_at="1755708111.65">
-        <categories/>
-      </Category>
-      <Filter version="1.0.4" persisted_at="1755708111.70">
-        <rules/>
-        <snatrules/>
-        <npt/>
-        <onetoone/>
-      </Filter>
-    </Firewall>
-    <Netflow version="1.0.1" persisted_at="1755708111.45">
-      <capture>
-        <interfaces/>
-        <egress_only/>
-        <version>v9</version>
-        <targets/>
-      </capture>
-      <collect>
-        <enable>0</enable>
-      </collect>
-      <activeTimeout>1800</activeTimeout>
-      <inactiveTimeout>15</inactiveTimeout>
-    </Netflow>
-    <IDS version="1.1.0" persisted_at="1755708111.90">
-      <rules/>
-      <policies/>
-      <userDefinedRules/>
-      <files/>
-      <fileTags/>
-      <general>
-        <enabled>0</enabled>
-        <ips>0</ips>
-        <promisc>0</promisc>
-        <interfaces>wan</interfaces>
-        <homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet>
-        <defaultPacketSize/>
-        <UpdateCron/>
-        <AlertLogrotate>W0D23</AlertLogrotate>
-        <AlertSaveLogs>4</AlertSaveLogs>
-        <MPMAlgo/>
-        <detect>
-          <Profile/>
-          <toclient_groups/>
-          <toserver_groups/>
-        </detect>
-        <syslog>0</syslog>
-        <syslog_eve>0</syslog_eve>
-        <LogPayload>0</LogPayload>
-        <verbosity/>
-        <eveLog>
-          <http>
-            <enable>0</enable>
-            <extended>0</extended>
-            <dumpAllHeaders/>
-          </http>
-          <tls>
-            <enable>0</enable>
-            <extended>0</extended>
-            <sessionResumption>0</sessionResumption>
-            <custom/>
-          </tls>
-        </eveLog>
-      </general>
-    </IDS>
-    <Interfaces>
-      <loopbacks version="1.0.0" persisted_at="1755708111.95"/>
-      <neighbors version="1.0.0" persisted_at="1755708111.96"/>
-      <vxlans version="1.0.2" persisted_at="1755708111.99"/>
-    </Interfaces>
-    <Kea>
-      <ctrl_agent version="0.0.1" persisted_at="1755708111.99">
-        <general>
-          <enabled>0</enabled>
-          <http_host>127.0.0.1</http_host>
-          <http_port>8000</http_port>
-        </general>
-      </ctrl_agent>
-      <dhcp4 version="1.0.4" persisted_at="1755708112.00">
-        <general>
-          <enabled>0</enabled>
-          <manual_config>0</manual_config>
-          <interfaces/>
-          <valid_lifetime>4000</valid_lifetime>
-          <fwrules>1</fwrules>
-          <dhcp_socket_type>raw</dhcp_socket_type>
-        </general>
-        <ha>
-          <enabled>0</enabled>
-          <this_server_name/>
-          <max_unacked_clients>2</max_unacked_clients>
-        </ha>
-        <subnets/>
-        <reservations/>
-        <ha_peers/>
-      </dhcp4>
-      <dhcp6 version="1.0.0" persisted_at="1755708112.00">
-        <general>
-          <enabled>0</enabled>
-          <manual_config>0</manual_config>
-          <interfaces/>
-          <valid_lifetime>4000</valid_lifetime>
-          <fwrules>1</fwrules>
-        </general>
-        <ha>
-          <enabled>0</enabled>
-          <this_server_name/>
-          <max_unacked_clients>2</max_unacked_clients>
-        </ha>
-        <subnets/>
-        <reservations/>
-        <pd_pools/>
-        <ha_peers/>
-      </dhcp6>
-    </Kea>
-    <monit version="1.0.13" persisted_at="1755708112.02">
-      <general>
-        <enabled>0</enabled>
-        <interval>120</interval>
-        <startdelay>120</startdelay>
-        <mailserver>127.0.0.1</mailserver>
-        <port>25</port>
-        <username/>
-        <password/>
-        <ssl>0</ssl>
-        <sslversion>auto</sslversion>
-        <sslverify>1</sslverify>
-        <logfile/>
-        <statefile/>
-        <eventqueuePath/>
-        <eventqueueSlots/>
-        <httpdEnabled>0</httpdEnabled>
-        <httpdUsername>root</httpdUsername>
-        <httpdPassword/>
-        <httpdPort>2812</httpdPort>
-        <httpdAllow/>
-        <mmonitUrl/>
-        <mmonitTimeout>5</mmonitTimeout>
-        <mmonitRegisterCredentials>1</mmonitRegisterCredentials>
-      </general>
-      <alert uuid="76cd5195-a487-4f4f-8ef5-4f9815bf19e5">
-        <enabled>0</enabled>
-        <recipient>root@localhost.local</recipient>
-        <noton>0</noton>
-        <events/>
-        <format/>
-        <reminder/>
-        <description/>
-      </alert>
-      <service uuid="11610907-f700-4f0a-9926-c25a47709493">
-        <enabled>1</enabled>
-        <name>$HOST</name>
-        <description/>
-        <type>system</type>
-        <pidfile/>
-        <match/>
-        <path/>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>02014be3-fc31-4af3-a0d5-061eaa67d28a,ebfd0d97-ae21-45d5-8b42-5220c75ce46f,d37f25f0-89e3-44b6-8ad2-280ac83a8904,37afd0d9-990c-4f03-a817-45691461e3d0</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <service uuid="dcc7e42f-a878-49a3-8b90-67faf21d67bd">
-        <enabled>1</enabled>
-        <name>RootFs</name>
-        <description/>
-        <type>filesystem</type>
-        <pidfile/>
-        <match/>
-        <path>/</path>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>b44b859c-bc72-4c2e-82c9-4f56d84a5497</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <service uuid="5ca544d4-846a-4f61-9d6f-c191eafcd9fb">
-        <enabled>0</enabled>
-        <name>carp_status_change</name>
-        <description/>
-        <type>custom</type>
-        <pidfile/>
-        <match/>
-        <path>/usr/local/opnsense/scripts/OPNsense/Monit/carp_status</path>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>0909801b-cd11-41c8-afeb-369396247308</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <service uuid="6e16e26e-e732-4b9b-ac92-2086b84f3158">
-        <enabled>0</enabled>
-        <name>gateway_alert</name>
-        <description/>
-        <type>custom</type>
-        <pidfile/>
-        <match/>
-        <path>/usr/local/opnsense/scripts/OPNsense/Monit/gateway_alert</path>
-        <timeout>300</timeout>
-        <starttimeout>30</starttimeout>
-        <address/>
-        <interface/>
-        <start/>
-        <stop/>
-        <tests>56e67d76-cef6-4167-a51e-2c69a921ebc9</tests>
-        <depends/>
-        <polltime/>
-      </service>
-      <test uuid="b7671673-5cf1-4123-a58c-37f57a8e9d59">
-        <name>Ping</name>
-        <type>NetworkPing</type>
-        <condition>failed ping</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="30cf3664-5c6f-4ac5-a52a-36023270c6fb">
-        <name>NetworkLink</name>
-        <type>NetworkInterface</type>
-        <condition>failed link</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="a7c0836a-b102-4f37-a73b-2a50903ffcc8">
-        <name>NetworkSaturation</name>
-        <type>NetworkInterface</type>
-        <condition>saturation is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="02014be3-fc31-4af3-a0d5-061eaa67d28a">
-        <name>MemoryUsage</name>
-        <type>SystemResource</type>
-        <condition>memory usage is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="ebfd0d97-ae21-45d5-8b42-5220c75ce46f">
-        <name>CPUUsage</name>
-        <type>SystemResource</type>
-        <condition>cpu usage is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="d37f25f0-89e3-44b6-8ad2-280ac83a8904">
-        <name>LoadAvg1</name>
-        <type>SystemResource</type>
-        <condition>loadavg (1min) is greater than 4</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="37afd0d9-990c-4f03-a817-45691461e3d0">
-        <name>LoadAvg5</name>
-        <type>SystemResource</type>
-        <condition>loadavg (5min) is greater than 3</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="608d2888-9df5-486d-bbfb-bf17fad75a7e">
-        <name>LoadAvg15</name>
-        <type>SystemResource</type>
-        <condition>loadavg (15min) is greater than 2</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="b44b859c-bc72-4c2e-82c9-4f56d84a5497">
-        <name>SpaceUsage</name>
-        <type>SpaceUsage</type>
-        <condition>space usage is greater than 75%</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="0909801b-cd11-41c8-afeb-369396247308">
-        <name>ChangedStatus</name>
-        <type>ProgramStatus</type>
-        <condition>changed status</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-      <test uuid="56e67d76-cef6-4167-a51e-2c69a921ebc9">
-        <name>NonZeroStatus</name>
-        <type>ProgramStatus</type>
-        <condition>status != 0</condition>
-        <action>alert</action>
-        <path/>
-      </test>
-    </monit>
-    <Gateways version="1.0.0" persisted_at="1755721633.53"/>
-    <Syslog version="1.0.2" persisted_at="1755708112.05">
-      <general>
-        <enabled>1</enabled>
-        <loglocal>1</loglocal>
-        <maxpreserve>31</maxpreserve>
-        <maxfilesize/>
-      </general>
-      <destinations/>
-    </Syslog>
-    <TrafficShaper version="1.0.3" persisted_at="1755708112.06">
-      <pipes/>
-      <queues/>
-      <rules/>
-    </TrafficShaper>
-    <trust>
-      <general version="1.0.1" persisted_at="1755708112.22">
-        <store_intermediate_certs>0</store_intermediate_certs>
-        <install_crls>0</install_crls>
-        <fetch_crls>0</fetch_crls>
-        <enable_legacy_sect>1</enable_legacy_sect>
-        <enable_config_constraints>0</enable_config_constraints>
-        <CipherString/>
-        <Ciphersuites/>
-        <SignatureAlgorithms/>
-        <groups/>
-        <MinProtocol/>
-        <MinProtocol_DTLS/>
-      </general>
-    </trust>
-    <unboundplus version="1.0.12" persisted_at="1755708112.29">
-      <general>
-        <enabled>1</enabled>
-        <port>53</port>
-        <stats>0</stats>
-        <active_interface/>
-        <dnssec>0</dnssec>
-        <dns64>0</dns64>
-        <dns64prefix/>
-        <noarecords>0</noarecords>
-        <regdhcp>0</regdhcp>
-        <regdhcpdomain/>
-        <regdhcpstatic>0</regdhcpstatic>
-        <noreglladdr6>0</noreglladdr6>
-        <noregrecords>0</noregrecords>
-        <txtsupport>0</txtsupport>
-        <cacheflush>0</cacheflush>
-        <local_zone_type>transparent</local_zone_type>
-        <outgoing_interface/>
-        <enable_wpad>0</enable_wpad>
-      </general>
-      <advanced>
-        <hideidentity>0</hideidentity>
-        <hideversion>0</hideversion>
-        <prefetch>0</prefetch>
-        <prefetchkey>0</prefetchkey>
-        <dnssecstripped>0</dnssecstripped>
-        <aggressivensec>1</aggressivensec>
-        <serveexpired>0</serveexpired>
-        <serveexpiredreplyttl/>
-        <serveexpiredttl/>
-        <serveexpiredttlreset>0</serveexpiredttlreset>
-        <serveexpiredclienttimeout/>
-        <qnameminstrict>0</qnameminstrict>
-        <extendedstatistics>0</extendedstatistics>
-        <logqueries>0</logqueries>
-        <logreplies>0</logreplies>
-        <logtagqueryreply>0</logtagqueryreply>
-        <logservfail>0</logservfail>
-        <loglocalactions>0</loglocalactions>
-        <logverbosity>1</logverbosity>
-        <valloglevel>0</valloglevel>
-        <privatedomain/>
-        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
-        <insecuredomain/>
-        <msgcachesize/>
-        <rrsetcachesize/>
-        <outgoingnumtcp/>
-        <incomingnumtcp/>
-        <numqueriesperthread/>
-        <outgoingrange/>
-        <jostletimeout/>
-        <discardtimeout/>
-        <cachemaxttl/>
-        <cachemaxnegativettl/>
-        <cacheminttl/>
-        <infrahostttl/>
-        <infrakeepprobing>0</infrakeepprobing>
-        <infracachenumhosts/>
-        <unwantedreplythreshold/>
-      </advanced>
-      <acls>
-        <default_action>allow</default_action>
-      </acls>
-      <dnsbl>
-        <enabled>0</enabled>
-        <safesearch>0</safesearch>
-        <type/>
-        <lists/>
-        <whitelists/>
-        <blocklists/>
-        <wildcards/>
-        <address/>
-        <nxdomain>0</nxdomain>
-      </dnsbl>
-      <forwarding>
-        <enabled>0</enabled>
-      </forwarding>
-      <dots/>
-      <hosts/>
-      <aliases/>
-    </unboundplus>
-  </OPNsense>
-  <hasync version="1.0.2" persisted_at="1755708111.35">
-    <disablepreempt>0</disablepreempt>
-    <disconnectppps>0</disconnectppps>
-    <pfsyncinterface/>
-    <pfsyncpeerip/>
-    <pfsyncversion>1400</pfsyncversion>
-    <synchronizetoip/>
-    <verifypeer>0</verifypeer>
-    <username/>
-    <password/>
-    <syncitems/>
-  </hasync>
-  <openvpn/>
-  <ifgroups version="1.0.0" persisted_at="1755708111.71"/>
-  <bridges version="1.0.0" persisted_at="1755708111.91">
-    <bridged/>
-  </bridges>
-  <gifs version="1.0.0" persisted_at="1755708111.92">
-    <gif/>
-  </gifs>
-  <gres version="1.0.0" persisted_at="1755708111.93">
-    <gre/>
-  </gres>
-  <laggs version="1.0.0" persisted_at="1755708111.95">
-    <lagg/>
-  </laggs>
-  <virtualip version="1.0.1" persisted_at="1755708111.96">
-    <vip/>
-  </virtualip>
-  <vlans version="1.0.0" persisted_at="1755708111.98">
-    <vlan/>
-  </vlans>
-  <staticroutes version="1.0.0" persisted_at="1755708112.03"/>
-  <ppps>
-    <ppp/>
-  </ppps>
-  <wireless>
-    <clone/>
-  </wireless>
-  <ca/>
-  <dhcpd/>
-  <dhcpdv6/>
-  <cert uuid="d60972af-642c-411f-abb6-43e0d680fefd">
-    <refid>68a5faf1685db</refid>
-    <descr>Web GUI TLS certificate</descr>
-    <caref/>
-    <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUhFakNDQlBxZ0F3SUJBZ0lVQlpQYjUwMXNaM3hhTTZzSDVUM1ZNRG9mcnlNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZWXhHakFZQmdOVkJBTU1FVTlRVG5ObGJuTmxMbWx1ZEdWeWJtRnNNUXN3Q1FZRFZRUUdFd0pPVERFVgpNQk1HQTFVRUNBd01XblZwWkMxSWIyeHNZVzVrTVJVd0V3WURWUVFIREF4TmFXUmtaV3hvWVhKdWFYTXhMVEFyCkJnTlZCQW9NSkU5UVRuTmxibk5sSUhObGJHWXRjMmxuYm1Wa0lIZGxZaUJqWlhKMGFXWnBZMkYwWlRBZUZ3MHkKTlRBNE1qQXhOalF5TWpaYUZ3MHlOakE1TWpFeE5qUXlNalphTUlHR01Sb3dHQVlEVlFRRERCRlBVRTV6Wlc1egpaUzVwYm5SbGNtNWhiREVMTUFrR0ExVUVCaE1DVGt3eEZUQVRCZ05WQkFnTURGcDFhV1F0U0c5c2JHRnVaREVWCk1CTUdBMVVFQnd3TVRXbGtaR1ZzYUdGeWJtbHpNUzB3S3dZRFZRUUtEQ1JQVUU1elpXNXpaU0J6Wld4bUxYTnAKWjI1bFpDQjNaV0lnWTJWeWRHbG1hV05oZEdVd2dnSWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUNEd0F3Z2dJSwpBb0lDQVFEQVozZk1lakdOckZYVFhZd24vTUp5YXBYMDdVOTVWZ0JERzZmWU1wZkZEU1NXeFRValRLRlNvR3JRCkpDb0ZyQ0NRQ3BsWnlua0ZjVFZvWVAraGszcndWWmxHZVFyL0RyR2ZiM1lPc2RGbEtublo5YzRTOGVrSkc2WTIKYWI0eFJTcnBja0hoTWQ4MHNENUFRdks1Skc2MS9UMEhNRXVMcGlraUF3MFpCempWbjlVUUpSRTJiS29kOW9IdgpEbG5DVGNTV1FUNWYrV3A0Sll0anVBVHBZMUlRVW4wbkxuWDBHUC9JRGtsWjFrdEZOczRPOGcrQmRVWFU0MUdvCjNGTFpCc1hQVm90WFVrRVl2R0ZldjJRMlBwSnNib25aWEpoR255amREUlZkZFZGOGhacGJua0wwU2xJTVFNeFQKSTRXK051ZmUvUTZGRDdmZnFRa0toemZ3SlJ2N0dGM2RTRlEwWldPUGNTZVZXY3lWTlVVMTMvcnBteUpvNXZhWQpYR000THcxb1d2c1FjUWxaUllnSkxhSWMzM0dnMGQySHhvZTIvdytIeFRXOEw4ZldqbzgxK250YWJXTlZhV0IwCnd6TXNFNGRBOWtxR2dmcWZjbm96ckovamJtNEFBTTB6QTlVZFh0SUJtRGdpeFNkVzB4eHNQNlZWRTdMdnlURTgKWnBJTjRoL1FCYURyc2hhRXJ6TXhUd01IZXJ1RlV4bFpxZEdSa3ErQXRJU1VwRE05VXB0YWZZMk5ydzgxVDFhSwoycFduVFlFQktCUnVwdk00TzFHNXN5NU5GZm13NFRTc0pqRUhtMFEvVTZ4ZU45bVg0OFhIYUZFNnhvQTJEZEMrCjJHS2lKWFlrYi9nZm13cmp1Y3NGWGpBS2tDNWF6ZXFqaERXeGxDbmJNS1YwSTQxOWp3SURBUUFCbzRJQmREQ0MKQVhBd0NRWURWUjBUQkFJd0FEQVJCZ2xnaGtnQmh2aENBUUVFQkFNQ0JrQXdOQVlKWUlaSUFZYjRRZ0VOQkNjVwpKVTlRVG5ObGJuTmxJRWRsYm1WeVlYUmxaQ0JUWlhKMlpYSWdRMlZ5ZEdsbWFXTmhkR1V3SFFZRFZSME9CQllFCkZMK2YzU0tCM0tMSi9nWStBUTJIZDBhTzVPRU1NSUd3QmdOVkhTTUVnYWd3Z2FXaGdZeWtnWWt3Z1lZeEdqQVkKQmdOVkJBTU1FVTlRVG5ObGJuTmxMbWx1ZEdWeWJtRnNNUXN3Q1FZRFZRUUdFd0pPVERFVk1CTUdBMVVFQ0F3TQpXblZwWkMxSWIyeHNZVzVrTVJVd0V3WURWUVFIREF4TmFXUmtaV3hvWVhKdWFYTXhMVEFyQmdOVkJBb01KRTlRClRuTmxibk5sSUhObGJHWXRjMmxuYm1Wa0lIZGxZaUJqWlhKMGFXWnBZMkYwWllJVUJaUGI1MDFzWjN4YU02c0gKNVQzVk1Eb2ZyeU13SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQ0FJQ01Bc0dBMVVkRHdRRQpBd0lGb0RBY0JnTlZIUkVFRlRBVGdoRlBVRTV6Wlc1elpTNXBiblJsY201aGJEQU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBZ0VBY3F3VEN0RmVwWDlFOEFMYXRaWEE4dkN2b1YwZkxuaElPM0lWT2tZNEhYMTRRRU9NUGo4KzVXMXoKc3hyUGNscEJQVU5tbXJRb0hWUHBuWTRFM2hFanlYY1JWSzZtTEFrSkpRUDJPOEE2NFFpL3FNSkhCYUlEU0MzKwpqMHdkMGYyODRvcEppQ0F2UnF0SGh1bDd3akd4QzNZUXRxWTFMODNWUHBOWGRjOVVsZExTUGZ6WWluMlBPekMrClFDWU9qN3VQUDlCVGExTURudkdPdkdrOHdQeUJGaFZQWVFBWjYwb1ZaS2psOUI2R1piRzF1SG1ON3p3a3k0eEIKNk1RSlF3cHFscDdXQ09QSHJlZTFiVGZaMkJMZFQrZzJHakVMT0xNRGJMTHAzNUw0blBDUmNGRkJZNEszMHBncQpVWjdncEtNTmhuR3huQ29lR3dHUk54ZHFoZnNlT3FqaURVM0hBVDEya3FReU1vOEZNT1g1bG9EaVpXSGZTS0JrClVRaG5Tc1BTMG0vZ2dSRVgwNVQzYWM2NUxNOVVXMEs2MXppZUs5WFhTcjNXWlQ1TkhNV2JmU0VScUR4SGRtZ0YKeGt3YXkxZWpCZTFoZzdGMGpicTVDMGo1ZXB5ZDNOc1BTVUtDY2FDNi9aWTNkUHVYWVZZL0J2dnFsZHZJSzRBeAo0R1BLQ0xzaStGRjliSXZRWG4zbTV2KzJoQWF2WlpxcmJOTFUzVFQ0aDd2QllBOVRNcXpwd3lEaW5BR3RhaEE3CnhDSW5IU01kZXpQcnNkZDJrTW5TckhPdWtGeGdKb2lNZ3krVlJmdTdvZk9NMjhYQ1FySWF6djBFYmFhTU1ZMTcKRzlXOFd3SXZUb2lYY1ZWNTk3K1NUNHRsSTVIM3lDZFBtSk1kRm5GcDg1K2JzbW42MFQwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==</crt>
-    <csr/>
-    <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRREFaM2ZNZWpHTnJGWFQKWFl3bi9NSnlhcFgwN1U5NVZnQkRHNmZZTXBmRkRTU1d4VFVqVEtGU29HclFKQ29GckNDUUNwbFp5bmtGY1RWbwpZUCtoazNyd1ZabEdlUXIvRHJHZmIzWU9zZEZsS25uWjljNFM4ZWtKRzZZMmFiNHhSU3JwY2tIaE1kODBzRDVBClF2SzVKRzYxL1QwSE1FdUxwaWtpQXcwWkJ6alZuOVVRSlJFMmJLb2Q5b0h2RGxuQ1RjU1dRVDVmK1dwNEpZdGoKdUFUcFkxSVFVbjBuTG5YMEdQL0lEa2xaMWt0Rk5zNE84ZytCZFVYVTQxR28zRkxaQnNYUFZvdFhVa0VZdkdGZQp2MlEyUHBKc2JvblpYSmhHbnlqZERSVmRkVkY4aFpwYm5rTDBTbElNUU14VEk0VytOdWZlL1E2RkQ3ZmZxUWtLCmh6ZndKUnY3R0YzZFNGUTBaV09QY1NlVldjeVZOVVUxMy9ycG15Sm81dmFZWEdNNEx3MW9XdnNRY1FsWlJZZ0oKTGFJYzMzR2cwZDJIeG9lMi93K0h4VFc4TDhmV2pvODErbnRhYldOVmFXQjB3ek1zRTRkQTlrcUdnZnFmY25vegpySi9qYm00QUFNMHpBOVVkWHRJQm1EZ2l4U2RXMHh4c1A2VlZFN0x2eVRFOFpwSU40aC9RQmFEcnNoYUVyek14ClR3TUhlcnVGVXhsWnFkR1JrcStBdElTVXBETTlVcHRhZlkyTnJ3ODFUMWFLMnBXblRZRUJLQlJ1cHZNNE8xRzUKc3k1TkZmbXc0VFNzSmpFSG0wUS9VNnhlTjltWDQ4WEhhRkU2eG9BMkRkQysyR0tpSlhZa2IvZ2Ztd3JqdWNzRgpYakFLa0M1YXplcWpoRFd4bENuYk1LVjBJNDE5andJREFRQUJBb0lDQUNVVkRBTE4zalVXN09leTFPdDBES251Cm52NDRxcU9SRHJYZ1k2WUlnalhKUmE4RlRTdURmbWdsWU5EQzE1S0dUVFJWeHA2R3BuS0ZFaTBPM05Yd1RiWjYKV1BNN0t3SmplNXBsNmhRRTgzMlRCUzhiNzk2NDN4Z1JTeVNibHJ0NlFENEQ5bXlIcHlSSmY0WDFJVURMbzhiUgppdXlTdzB5ajlyT0djUVRNM29oVnFNUFcwUTF6UGdwT1UxYVdwbmdMY3dNZWlmNEhYUnpRNTUrTmZPemFacHVjCnVtQk4xUS81clhxS1BscmhNVnFpcUc0Nit3QVJjU2NKdE5oZHRsMzdyeTQ1Mk5zNGtERkxSVnowZUVUNEpGSmYKcjVQRUE5bEFuYWlVOS9RdVEwbERtcTlqdmpYRkNURXhYKy82SGJHK2RVd0Y2OEY3ZVEzVFQxbkhHK0hkMVJsbgpOWm1JM0p2d0Z1cG9JeU9VdlpJb3VGVmo2ak8ra0JLejkza1BHWmdMbnNmUUw5WDhRbTU3cjh4K3Z1eFNudGI1CjV4WVBxRkdrOWQrbDUwbTlQakdkekxGT3UwYnJ5TmQ4MFVMS2tuUlFtUVpvTngxck5GTUxpSjNlZENWUS9lclUKT1BDQ0Z0WEJMemJGTjR2ZzVWRjZMUkhvZGxqcEgxRzJOSXNoSzJhc1FuWS9RWDFpUUNLSk1tWERSUndMTWVsNQp3MUF4T2FqYVkzbWx2ZlRVd2xqdkE3a0tFUDBvZzRPeXZldDA2WTVRWk1EQXc1V00yT0pZVDVxcmFlYjZDbTdMCjlNckk4bG50TGp3WFVSZG4yU3U2RCtCWXNpcC9KK3BvOFNqYlJBaGJIc0lJbkJ1QWJnbGxqdTB2QXRXZmFkQlQKOTg4YnUwK3VUb1Q2T1Jkbk84Y1JBb0lCQVFEcStWYkVUQWVpSHN6K29jZnFWV3VwVHJrc2FNNm1wUUMwb0tqZApwb1FzWGVuTmNiNThHQ3FhWHkvdTJHWmNKUnR1QXRHamEyUVpEUUFUSjQyVTFmaTFhWm90Y053eXhPdmlud1NjCmVLZyt0ZGcwdW9LeGs2aXJKRFptaDBIK3Ewblg2RFJYK25RNDVmWVNmRkRFK0ZLd1lac0dQMkhYV3dKaVZ6OE0KU2NkL2pETTFRTWV2OXIzZWx1dS9DWFlvZ1N0N00wMklyczVoNjRuNjFmdVZjNHI4YmUwdFkrUTVsUnlwWk9NVwpkQ2VkWGFOV3RaNjF2bEFxamNiWkpkdXFBUjJjNzAyR3NML201TXA4Zmd3YmY2aG51TXJLaVlpQjlZalZxalc2CmYyUW1PclZtMUk0MFJBMC9OaFBTR2NXejBkNXZrdXY0VHUra2JFbERZTCsxaHY1M0FvSUJBUURSbnZaTmJaa1UKTXpmUTRLWEdML3dLUXJEbjNvL0RENWVBR1ZDTGcwTUkyYlAxYWpubHNVTjE4NCs1UWF6cVVOaWlZT3laODczeQpQYkw0cTBOZWFDYXdxby9WbjJMSkVIUFVTTVhUWjB4ckxTa1hPUjFuMDUwT2tDWXhVbFpOUXFvZU1xcHJGNXZLCm1NNlJxalN4NS8ydU9IUlR1SDRVV2RETEpwTDVUN2RpUCtXcFUwSDlSUWhrNDdkQUJaUjZEZjNxaDJEYmVxUWoKdWcxY0hWUVNqaldhUGpVZGlLR2dHemdvdlE2UkdNZDA1UVUzdkRMdzBCSkNPQ25XV2x0VXkvMW1jMUpPUHR2ZQp4UGltV2tRNmlkRHZ4RGZFRGg5U05zY1FPMnBTVjZxNnhCTWlqVGgvTldGN2NsOU1LYUhJWGxzTmt0RFVXWHZyCmNKRlM4eE1TcDhlcEFvSUJBUUNtWktVTjRxMHhIOUNZckdYT1Nta3Yvc0JnYzJPTFhLTXdSZWp1OVFENkRoTUgKMmZsREZUWHVGV1B6SmlqdUxaVE1CWkVBd1lhanVySUgzbVdETlRhbStMNG1XWnFGRlMvWlRqUk12YUNlcjlVSQpHZDk4OG94cGpQNDlBcUU0UDRIT00vQUZNU1ZtT1dwVTB0VzdkZ0hRUjM0cElXOGV1cUxva3RIaDJNaytTRURuCkFCV29SUGxWaTlncmN2N0tWaFk5YXlvSGxZb3VpMFl0YTZSNXc5VnpSa0REZU01Zi9Iak1kOVhieTZ0VjQ3NU0KSTliYzZvVUliVmVYNUJnMnZnMkRXVzZ6NTZ3dFRHMGJWWU1yWWU0V2JTU2w0bGpaZHM5TVJ2ay9OUUR0bFh0cAo4ekUwVDlCMXA4ekhabHE3S08zMFlyMVpIRVRWVVoxYjZrSTN3UDJuQW9JQkFFZ1VGKzlCMjF4RnpGQ0hucGtLClVPa2FTNGcvVUVHcmI5VzlYcVBLUzllVVBEd0wvY0tNZEh6dmRpRW1neFhESE9xZzExcU1wR2pTYkdMelNPUUMKZmlOTFV0QUswVVgvNFVSQ2pidUdqcEZmNHZ3NFNITTJJWkFyWXVhY3dFNHF1U0pQRzZoZFl0V0VPNnQ4MGtmRwpWTVYrWmdtUHE5TEZtM1R2VzZSY2s5czF5M3V3eEVVWllxeUdYTEduK1lrS25KL3pVd3ZGSFFHbjdRWWFrNWtaCnl6YXhZMFEzZ2hQeXFCbmlBRXRHTVBkeDlKeFltMCtRekdaMnQzUWNkOEV0cjRGMTcvdzF3eGJUdGdoRmk2WngKVXlYTzI3b1BmUmVnL0V3SmtpS2tRSEdlRUZKV0t2SWE0ZDAzMDZyMXVjcVRIMDRJaU1RcnpOK0ZRb002VC9tZgpOWmtDZ2dFQUsrRVJNVVdJZTE3V1k3VDIycy9lOEplN0xxSXlUcU9mSGovaWFUUjhHbXhqcU1HNEdod1RpVXJsCkh0Skhud3BMVGFjVmdYUjV3UmtYcEhRT2JqSUFzeVNBUGxwSzBvZUkyK2kvS0cyQjZ2U0cza0V2b1VZY0RlRk4KdzhHd0oxNDNTd21LQXM4eUtWMmd1RjhmRXNNVitEQzNzVHFlZXJmMy82bFprMUVCVFF0QTZqVHdqK0picXgwVgpaalZJUXBwUE8vc1VHdi9LZVE3MW5ockJpT0lXclJ0dDRTUDJ2aWx2em9DUTQxVjFqZ09wS3VwU3E1Y2J3VDRxCmp1bkJIMkx5VnNQaUc4M0Vha1JSUEhDK0craTk1MFJxckxVRUJOeVdHNGlMNTdUdU9xYVJuSmRnN2ZFb2lVLzMKNld4TjlvR2VRWjV0NjZkdTJEL01WSUZ4ZzJ1cXRBPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=</prv>
-  </cert>
-  <syslog/>
-</opnsense>
--- a/opnsense-config/src/tests/data/config-full-ncd0.xml
+++ b/opnsense-config/src/tests/data/config-full-ncd0.xml