temporarily disable chromium, since it doesnt build

```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/c252e7bd9122704f0e0303c638f8b8412c2521c2' (2023-02-26)
  → 'github:nixos/mobile-nixos/9a0c317a027d1c085c641fe6df1f51b71880b720' (2023-03-03)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/ac1f5b72a9e95873d1de0233fddcb56f99884b37' (2023-02-16)
  → 'github:nixos/nixpkgs/3c5319ad3aa51551182ac82ea17ab1c6b0f0df89' (2023-03-04)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/83fe25c8019db8216f5c6ffc65b394707784b4f3' (2023-02-26)
  → 'github:Mic92/sops-nix/7cff56b43952edc5a2c212076d5fc922f764240f' (2023-03-05)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/ea736343e4d4a052e023d54b23334cf685de479c' (2023-02-25)
  → 'github:NixOS/nixpkgs/d51554151a91cd4543a7620843cc378e3cbc767e' (2023-03-04)
```

flake.lock

@@ -18,11 +18,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1674880620,
-        "narHash": "sha256-JMALuC7xcoH/T66sKTVLuItHfOJBCWsNKpE49Qrvs80=",
+        "lastModified": 1677879564,
+        "narHash": "sha256-luJTRYY1zEoN5fSGwbZxq66IE1kdrqOq0/iBWzw7gOI=",
         "owner": "nixos",
         "repo": "mobile-nixos",
-        "rev": "7478a9ffad737486951186b66f6c5535dc5802e2",
+        "rev": "9a0c317a027d1c085c641fe6df1f51b71880b720",
         "type": "github"
       },
       "original": {
@@ -31,30 +31,46 @@
         "type": "github"
       }
     },
+    "nix-serve": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1675958846,
+        "narHash": "sha256-/nf09eM2vey9GrAXoqagccJrBo/fGyVKP7oNSxPqwdo=",
+        "owner": "edolstra",
+        "repo": "nix-serve",
+        "rev": "7089565e260267c9c234a81292c841958737cef6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "nix-serve",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unpatched"
-        ]
-      },
       "locked": {
-        "lastModified": 1,
-        "narHash": "sha256-FTUAvxSeQToawyfVP9/S2143D5EgCbk88qI2PePLQQ8=",
-        "path": "/nix/store/s9v0l913m4drrddglbjqa384nxxwhxca-source/nixpatches",
-        "type": "path"
+        "lastModified": 1606086654,
+        "narHash": "sha256-VFl+3eGIMqNp7cyOMJ6TjM/+UcsLKtodKoYexrlTJMI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "19db3e5ea2777daa874563b5986288151f502e27",
+        "type": "github"
       },
       "original": {
-        "path": "/nix/store/s9v0l913m4drrddglbjqa384nxxwhxca-source/nixpatches",
-        "type": "path"
+        "id": "nixpkgs",
+        "ref": "nixos-20.09",
+        "type": "indirect"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1675556398,
-        "narHash": "sha256-5Gf5KlmFXfIGVQb2hmiiE7FQHoLd4UtEhIolLQvNB/A=",
+        "lastModified": 1677948530,
+        "narHash": "sha256-BkQjq8AGHD55RJe4PUnrWRZZ8jS64p/k0bGDck5wKwY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e32c33811815ca4a535a16faf1c83eeb4493145b",
+        "rev": "d51554151a91cd4543a7620843cc378e3cbc767e",
         "type": "github"
       },
       "original": {
@@ -66,11 +82,11 @@
     },
     "nixpkgs-unpatched": {
       "locked": {
-        "lastModified": 1675942811,
-        "narHash": "sha256-/v4Z9mJmADTpXrdIlAjFa1e+gkpIIROR670UVDQFwIw=",
+        "lastModified": 1677932085,
+        "narHash": "sha256-+AB4dYllWig8iO6vAiGGYl0NEgmMgGHpy9gzWJ3322g=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "724bfc0892363087709bd3a5a1666296759154b1",
+        "rev": "3c5319ad3aa51551182ac82ea17ab1c6b0f0df89",
         "type": "github"
       },
       "original": {
@@ -83,7 +99,7 @@
     "root": {
       "inputs": {
         "mobile-nixos": "mobile-nixos",
-        "nixpkgs": "nixpkgs",
+        "nix-serve": "nix-serve",
         "nixpkgs-unpatched": "nixpkgs-unpatched",
         "sops-nix": "sops-nix",
         "uninsane-dot-org": "uninsane-dot-org"
@@ -92,16 +108,16 @@
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unpatched"
         ],
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1675872570,
-        "narHash": "sha256-RPH3CeTv7ixC2WcYiKyhmIgoH/9tur4Kr+3Vg/pleQk=",
+        "lastModified": 1677987270,
+        "narHash": "sha256-NRqhY8jbrmP1C6oiVqv1T0T1r560eo4ZpmEdHoQmKj4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8fec29b009c19538e68d5d814ec74e04f662fbd1",
+        "rev": "7cff56b43952edc5a2c212076d5fc922f764240f",
         "type": "github"
       },
       "original": {
@@ -114,7 +130,7 @@
       "inputs": {
         "flake-utils": "flake-utils",
         "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unpatched"
         ]
       },
       "locked": {

flake.nix

@@ -23,10 +23,12 @@
 
     # <https://github.com/nixos/nixpkgs/tree/nixos-unstable>
     nixpkgs-unpatched.url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    nixpkgs = {
-      url = "./nixpatches";
-      inputs.nixpkgs.follows = "nixpkgs-unpatched";
-    };
+
+    # nixpkgs = {
+    #   url = "./nixpatches";
+    #   inputs.nixpkgs.follows = "nixpkgs-unpatched";
+    # };
+
     mobile-nixos = {
       # <https://github.com/nixos/mobile-nixos>
       url = "github:nixos/mobile-nixos";
@@ -35,24 +37,43 @@
     sops-nix = {
       # <https://github.com/Mic92/sops-nix>
       url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs-unpatched";
     };
     uninsane-dot-org = {
       url = "git+https://git.uninsane.org/colin/uninsane";
-      inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs-unpatched";
+    };
+    nix-serve = {
+      # <https://github.com/edolstra/nix-serve>
+      url = "github:edolstra/nix-serve";
     };
   };
 
   outputs = {
     self,
-    nixpkgs,
     nixpkgs-unpatched,
     mobile-nixos,
     sops-nix,
     uninsane-dot-org,
+    nix-serve,
     ...
   }@inputs:
     let
+      inherit (builtins) attrNames listToAttrs map mapAttrs;
+      mapAttrs' = f: set:
+        listToAttrs (map (attr: f attr set.${attr}) (attrNames set));
+      # mapAttrs but without the `name` argument
+      mapAttrValues = f: mapAttrs (_: f);
+      # rather than apply our nixpkgs patches as a flake input, do that here instead.
+      # this (temporarily?) resolves the bad UX wherein a subflake residing in the same git
+      # repo as the main flake causes the main flake to have an unstable hash.
+      nixpkgs = (import ./nixpatches/flake.nix).outputs {
+        self = nixpkgs;
+        nixpkgs = nixpkgs-unpatched;
+      };
+
       nixpkgsCompiledBy = local: nixpkgs.legacyPackages."${local}";
 
       evalHost = { name, local, target }:
@@ -65,9 +86,6 @@
           nixosSystem = import ((nixpkgsCompiledBy target).path + "/nixos/lib/eval-config.nix");
         in
           (nixosSystem {
-            # we use pkgs built for and *by* the target, i.e. emulation, by default.
-            # cross compilation only happens on explicit access to `pkgs.cross`
-            system = target;
             modules = [
               (import ./hosts/instantiate.nix { localSystem = local; hostName = name; })
               self.nixosModules.default
@@ -77,23 +95,48 @@
                   self.overlays.default
                   self.overlays.passthru
                   self.overlays.pins
+                  # self.overlays.optimizations
                 ];
+                nixpkgs.hostPlatform = target;
+                # nixpkgs.buildPlatform = local;  # set by instantiate.nix instead
+                # nixpkgs.config.replaceStdenv = { pkgs }: pkgs.ccacheStdenv;
               }
             ];
           });
     in {
-      nixosConfigurations = {
-        servo = evalHost { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        desko = evalHost { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        lappy = evalHost { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-        moby = evalHost { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
-        # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
-        # note that these *do* produce different store paths, because the closure for the tools used to cross compile
-        # v.s. emulate differ.
-        # so deploying foo-cross and then foo incurs some rebuilding.
-        moby-cross = evalHost { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
-        rescue = evalHost { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
-      };
+      nixosConfigurations =
+        let
+          hosts = {
+            servo =  { name = "servo"; local = "x86_64-linux"; target = "x86_64-linux"; };
+            desko =  { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
+            lappy =  { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
+            moby  =  { name = "moby";  local = "x86_64-linux"; target = "aarch64-linux"; };
+            rescue = { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
+          };
+          # cross-compiled builds: instead of emulating the host, build using a cross-compiler.
+          # - these are faster to *build* than the emulated variants (useful when tweaking packages),
+          # - but fewer of their packages can be found in upstream caches.
+          cross = mapAttrValues evalHost hosts;
+          emulated = mapAttrValues
+            ({name, local, target}: evalHost {
+              inherit name target;
+              local = null;
+            })
+            hosts;
+          prefixAttrs = prefix: attrs: mapAttrs'
+            (name: value: {
+              name = prefix + name;
+              inherit value;
+            })
+            attrs;
+        in
+          (prefixAttrs "cross-" cross) //
+          (prefixAttrs "emulated-" emulated) // {
+            # prefer native builds for these machines:
+            inherit (emulated) servo desko lappy rescue;
+            # prefer cross-compiled builds for these machines:
+            inherit (cross) moby;
+          };
 
       # unofficial output
       # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
@@ -109,14 +152,16 @@
       #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
       #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
       #   - `nixos-rebuild --flake './#<host>' switch`
-      imgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.img) self.nixosConfigurations;
+      imgs = mapAttrValues (host: host.config.system.build.img) self.nixosConfigurations;
 
-      host-pkgs = builtins.mapAttrs (_: host-dfn: host-dfn.config.system.build.pkgs) self.nixosConfigurations;
+      # unofficial output
+      host-pkgs = mapAttrValues (host: host.config.system.build.pkgs) self.nixosConfigurations;
 
       overlays = rec {
         default = pkgs;
         pkgs = import ./overlays/pkgs.nix;
         pins = import ./overlays/pins.nix;  # TODO: move to `nixpatches/` input
+        optimizations = import ./overlays/optimizations.nix;
         passthru =
           let
             stable =
@@ -127,9 +172,20 @@
               ) else (next: prev: {});
             mobile = (import "${mobile-nixos}/overlay/overlay.nix");
             uninsane = uninsane-dot-org.overlay;
+            # nix-serve' = nix-serve.overlay;
+            nix-serve' = next: prev: {
+              # XXX(2023/03/02): upstream isn't compatible with modern `nix`. probably the perl bindings.
+              # - we use the package built against `nixpkgs` specified in its flake rather than use its overlay,
+              #   to get around this.
+              inherit (nix-serve.packages."${next.system}") nix-serve;
+            };
           in
             next: prev:
-              (stable next prev) // (mobile next prev) // (uninsane next prev);
+              (stable next prev)
+              // (mobile next prev)
+              // (uninsane next prev)
+              // (nix-serve' next prev)
+            ;
       };
 
       nixosModules = rec {
@@ -154,13 +210,18 @@
         };
 
       # extract only our own packages from the full set
-      packages = builtins.mapAttrs
-        (_: full: full.sane // { inherit (full) sane uninsane-dot-org; })
+      packages = mapAttrValues
+        (full: full.sane // { inherit (full) sane uninsane-dot-org; })
         self.legacyPackages;
 
       apps."x86_64-linux" =
         let
           pkgs = self.legacyPackages."x86_64-linux";
+          deployScript = action: pkgs.writeShellScript "deploy-moby" ''
+            nixos-rebuild --flake '.#cross-moby' build
+            sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)
+            nixos-rebuild --flake '.#cross-moby' ${action} --target-host colin@moby --use-remote-sudo
+          '';
         in {
           update-feeds = {
             type = "app";
@@ -172,6 +233,17 @@
             type = "app";
             program = "${pkgs.feeds.passthru.initFeedScript}";
           };
+
+          deploy-moby-test = {
+            # `nix run '.#deploy-moby-test'`
+            type = "app";
+            program = ''${deployScript "test"}'';
+          };
+          deploy-moby-switch = {
+            # `nix run '.#deploy-moby-switch'`
+            type = "app";
+            program = ''${deployScript "switch"}'';
+          };
         };
 
       templates = {

hosts/by-name/desko/default.nix

@@ -4,15 +4,18 @@
     ./fs.nix
   ];
 
+  sane.roles.build-machine = true;
   sane.roles.client = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
   sane.services.duplicity.enable = true;
-  sane.services.nixserve.enable = true;
   sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
   sane.persist.enable = true;
 
   sane.gui.sway.enable = true;
+  sane.programs.iphoneUtils.enableFor.user.colin = true;
+
+  sane.programs.guiApps.suggestedPrograms = [ "desktopGuiApps" ];
 
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

hosts/by-name/lappy/default.nix

@@ -11,10 +11,14 @@
   # sane.guest.enable = true;
   sane.gui.sway.enable = true;
   sane.persist.enable = true;
-  sane.nixcache.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
+  sane.programs.guiApps.suggestedPrograms = [
+    "desktopGuiApps"
+    "stepmania"
+  ];
+
   sops.secrets.colin-passwd = {
     sopsFile = ../../../secrets/lappy.yaml;
     neededForUsers = true;

hosts/by-name/moby/default.nix

@@ -10,13 +10,6 @@
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
 
-  # cross-compiled documentation is *slow*.
-  # no obvious way to natively compile docs (2022/09/29).
-  # entrypoint is nixos/modules/misc/documentation.nix
-  # doc building happens in nixos/doc/manual/default.nix
-  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
-  documentation.nixos.enable = false;
-
   # XXX colin: phosh doesn't work well with passwordless login,
   # so set this more reliable default password should anything go wrong
   users.users.colin.initialPassword = "147147";
@@ -41,9 +34,11 @@
     ".config/pulse"  # persist pulseaudio volume
   ];
 
-  sane.nixcache.enable = true;
   sane.persist.enable = true;
   sane.gui.phosh.enable = true;
+  # sane.programs.consoleUtils.enableFor.user.colin = false;
+  # sane.programs.guiApps.enableFor.user.colin = false;
+  sane.programs.sequoia.enableFor.user.colin = false;
 
   boot.loader.efi.canTouchEfiVariables = false;
   # /boot space is at a premium. default was 20.

hosts/by-name/moby/kernel.nix

@@ -114,7 +114,7 @@ in
   # - phone rotation sensor is off by 90 degrees
   # - ambient light sensor causes screen brightness to be shakey
   # - phosh greeter may not appear after wake from sleep
-  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;
+  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux-megous;
 
   boot.kernelPatches = [
     (patchDefconfig (kernelConfig //

hosts/by-name/rescue/default.nix

@@ -7,6 +7,7 @@
   boot.loader.generic-extlinux-compatible.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+  sane.nixcache.enable = false;  # don't want to be calling out to dead machines that we're *trying* to rescue
 
   # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
   system.stateVersion = "21.05";

hosts/by-name/servo/default.nix

@@ -15,6 +15,7 @@
     signaldctl.enableFor.user.colin = true;
   };
 
+  sane.roles.build-machine = true;
   sane.persist.enable = true;
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;

hosts/by-name/servo/services/ejabberd.nix

@@ -38,11 +38,11 @@
   ];
   networking.firewall.allowedTCPPortRanges = [{
     from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
   }];
   networking.firewall.allowedUDPPortRanges = [{
     from = 49152;  # TURN
-    to = 65535;
+    to = 49408;
   }];
 
   # provide access to certs

hosts/by-name/servo/services/trust-dns.nix

@@ -6,7 +6,7 @@
   sane.services.trust-dns.listenAddrsIPv4 = [
     # specify each address explicitly, instead of using "*".
     # this ensures responses are sent from the address at which the request was received.
-    "192.168.0.5"
+    config.sane.hosts.by-name."servo".lan-ip
     "10.0.1.5"
   ];
   sane.services.trust-dns.quiet = true;

hosts/common/cross.nix

@@ -1,22 +0,0 @@
-{ config, ... }:
-
-let
-  mkCrossFrom = localSystem: pkgs: import pkgs.path {
-    inherit localSystem;
-    crossSystem = pkgs.stdenv.hostPlatform.system;
-    inherit (config.nixpkgs) config overlays;
-  };
-in
-{
-  # the configuration of which specific package set `pkgs.cross` refers to happens elsewhere;
-  # here we just define them all.
-  nixpkgs.overlays = [
-    (next: prev: {
-      # non-emulated packages build *from* local *for* target.
-      # for large packages like the linux kernel which are expensive to build under emulation,
-      # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
-      crossFrom."x86_64-linux" = mkCrossFrom "x86_64-linux" next;
-      crossFrom."aarch64-linux" = mkCrossFrom "aarch64-linux" next;
-    })
-  ];
-}

hosts/common/cross/kitty-no-docs.patch

@@ -0,0 +1,22 @@
+diff --git a/setup.py b/setup.py
+index 2b9d240e..770bc5e7 100755
+--- a/setup.py
++++ b/setup.py
+@@ -1092,11 +1092,12 @@ def c(base_path: str, **kw: object) -> None:
+ 
+ 
+ def create_linux_bundle_gunk(ddir: str, libdir_name: str) -> None:
+-    if not os.path.exists('docs/_build/html'):
+-        make = 'gmake' if is_freebsd else 'make'
+-        run_tool([make, 'docs'])
+-    copy_man_pages(ddir)
+-    copy_html_docs(ddir)
++    if not os.getenv('KITTY_NO_DOCS'):
++        if not os.path.exists('docs/_build/html'):
++            make = 'gmake' if is_freebsd else 'make'
++            run_tool([make, 'docs'])
++        copy_man_pages(ddir)
++        copy_html_docs(ddir)
+     for (icdir, ext) in {'256x256': 'png', 'scalable': 'svg'}.items():
+         icdir = os.path.join(ddir, 'share', 'icons', 'hicolor', icdir, 'apps')
+         safe_makedirs(icdir)

hosts/common/default.nix

@@ -1,7 +1,7 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
   imports = [
-    ./cross.nix
+    ./cross
     ./feeds.nix
     ./fs.nix
     ./hardware.nix
@@ -19,8 +19,9 @@
   ];
 
   sane.nixcache.enable-trusted-keys = true;
-  sane.programs.sysadminUtils.enableFor.system = true;
-  sane.programs.consoleUtils.enableFor.user.colin = true;
+  sane.nixcache.enable = lib.mkDefault true;
+  sane.programs.sysadminUtils.enableFor.system = lib.mkDefault true;
+  sane.programs.consoleUtils.enableFor.user.colin = lib.mkDefault true;
 
   # some services which use private directories error if the parent (/var/lib/private) isn't 700.
   sane.fs."/var/lib/private".dir.acl.mode = "0700";
@@ -42,16 +43,29 @@
 
   fonts = {
     enableDefaultFonts = true;
-    fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
+    fonts = with pkgs; [ font-awesome noto-fonts-emoji hack-font ];
     fontconfig.enable = true;
     fontconfig.defaultFonts = {
-      emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
+      emoji = [ "Font Awesome 6 Free" "Noto Color Emoji" ];
       monospace = [ "Hack" ];
       serif = [ "DejaVu Serif" ];
       sansSerif = [ "DejaVu Sans" ];
     };
   };
 
+  # XXX: twitter-color-emoji doesn't cross-compile; but not-fonts-emoji does
+  # fonts = {
+  #   enableDefaultFonts = true;
+  #   fonts = with pkgs; [ font-awesome twitter-color-emoji hack-font ];
+  #   fontconfig.enable = true;
+  #   fontconfig.defaultFonts = {
+  #     emoji = [ "Font Awesome 6 Free" "Twitter Color Emoji" ];
+  #     monospace = [ "Hack" ];
+  #     serif = [ "DejaVu Serif" ];
+  #     sansSerif = [ "DejaVu Sans" ];
+  #   };
+  # };
+
   # disable non-required packages like nano, perl, rsync, strace
   environment.defaultPackages = [];
 

hosts/common/feeds.nix

@@ -1,3 +1,9 @@
+# candidates:
+# - The Nonlinear Library (podcast): <https://forum.effectivealtruism.org/posts/JTZTBienqWEAjGDRv/listen-to-more-ea-content-with-the-nonlinear-library>
+#   - has ~10 posts per day, text-to-speech; i would need better tagging before adding this
+# - <https://www.metaculus.com/questions/11102/introducing-the-metaculus-journal-podcast/>
+#   - dead since 2022/10 - 2023/03
+
 { lib, sane-data, ... }:
 let
   hourly = { freq = "hourly"; };
@@ -50,16 +56,23 @@ let
     (fromDb "lexfridman.com/podcast" // rat)
     ## Astral Codex Ten
     (fromDb "sscpodcast.libsyn.com" // rat)
+    ## Less Wrong Curated
+    (fromDb "feeds.libsyn.com/421877" // rat)
     ## Econ Talk
     (fromDb "feeds.simplecast.com/wgl4xEgL" // rat)
     ## Cory Doctorow -- both podcast & text entries
     (fromDb "craphound.com" // pol)
     (fromDb "congressionaldish.libsyn.com" // pol)
+    (mkPod "https://podcasts.la.utexas.edu/this-is-democracy/feed/podcast/" // pol // weekly)
     ## Civboot -- https://anchor.fm/civboot
     (fromDb "anchor.fm/s/34c7232c/podcast/rss" // tech)
     ## Emerge: making sense of what's next -- <https://www.whatisemerging.com/emergepodcast>
     (mkPod "https://anchor.fm/s/21bc734/podcast/rss" // pol // infrequent)
     (fromDb "feeds.feedburner.com/80000HoursPodcast" // rat)
+    ## Daniel Huberman on sleep
+    (fromDb "feeds.megaphone.fm/hubermanlab" // uncat)
+    ## Multidisciplinary Association for Psychedelic Studies
+    (fromDb "mapspodcast.libsyn.com" // uncat)
     (fromDb "allinchamathjason.libsyn.com" // pol)
     (fromDb "acquired.libsyn.com" // tech)
     # The Intercept - Deconstructed; also available: <rss.acast.com/deconstructed>
@@ -112,6 +125,7 @@ let
 
     # DEVELOPERS
     (fromDb "uninsane.org" // tech)
+    (fromDb "ascii.textfiles.com" // tech)  # Jason Scott
     (fromDb "mg.lol" // tech)
     (fromDb "drewdevault.com" // tech)
     ## Ken Shirriff

hosts/common/home/default.nix

@@ -13,6 +13,8 @@
     ./mpv.nix
     ./neovim.nix
     ./newsflash.nix
+    ./offlineimap.nix
+    ./ripgrep.nix
     ./splatmoji.nix
     ./ssh.nix
     ./sublime-music.nix

hosts/common/home/firefox.nix

@@ -132,7 +132,7 @@ in
         sidebery.package = addon "sidebery" "{3c078156-979c-498b-8990-85f7987dd929}" "sha256-YONfK/rIjlsrTgRHIt3km07Q7KnpIW89Z9r92ZSCc6w=";
         sponsorblock.package = addon "sponsorblock" "sponsorBlocker@ajay.app" "sha256-hRsvLaAsVm3dALsTrJqHTNgRFAQcU7XSaGhr5G6+mFs=";
         ublacklist.package = addon "ublacklist" "@ublacklist" "sha256-RqY5iHzbL2qizth7aguyOKWPyINXmrwOlf/OsfqAS48=";
-        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-a/ivUmY1P6teq9x0dt4CbgHt+3kBsEMMXlOfZ5Hx7cg=";
+        ublock-origin.package = addon "ublock-origin" "uBlock0@raymondhill.net" "sha256-52lYqMjrS3GVTaybDrH1p6VF90YVkifguCGxobI/fNQ=";
 
         browserpass-extension.enable = lib.mkDefault true;
         # bypass-paywalls-clean.enable = lib.mkDefault true;

hosts/common/home/offlineimap.nix

@@ -0,0 +1,17 @@
+# mail archiving/synchronization tool.
+#
+# manually download all emails for an account with
+# - `offlineimap -a <accountname>`
+#
+# view account names inside the secrets file, listed below.
+{ config, sane-lib, ... }:
+
+{
+  sops.secrets."offlineimaprc" = {
+    owner = config.users.users.colin.name;
+    sopsFile = ../../../secrets/universal/offlineimaprc.bin;
+    format = "binary";
+  };
+  sane.user.fs.".config/offlineimap/config" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.offlineimaprc.path;
+}
+

hosts/common/home/ripgrep.nix

@@ -0,0 +1,9 @@
+{ sane-lib, ... }:
+{
+  # .ignore file is read by ripgrep (rg), silver searcher (ag), maybe others.
+  # ignore translation files by default when searching, as they tend to have
+  # a LOT of duplicate text.
+  sane.user.fs.".ignore" = sane-lib.fs.wantedText ''
+    po/
+  '';
+}

hosts/common/home/zsh/default.nix

@@ -74,7 +74,7 @@ in
       # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
       autoload -Uz zmv
 
-      HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *)'
+      HISTORY_IGNORE='(sane-shutdown *|sane-reboot *|rm *|nixos-rebuild.* switch)'
 
       # extra aliases
       # TODO: move to `shellAliases` config?
@@ -83,6 +83,8 @@ in
         pushd "$1";
       }
 
+      ${pkgs.sane-scripts}/bin/sane-deadlines
+
       # auto-cd into any of these dirs by typing them and pressing 'enter':
       hash -d 3rd="/home/colin/dev/3rd"
       hash -d dev="/home/colin/dev"

hosts/common/ids.nix

@@ -1,4 +1,6 @@
 # TODO: migrate to nixpkgs `config.ids.uids`
+# - note that nixpkgs' `config.ids.uids` is strictly a database: it doesn't set anything by default
+#   whereas our impl sets the gid/uid of the user/group specified if they exist.
 { ... }:
 
 {
@@ -36,7 +38,7 @@
   sane.ids.sshd.uid = 2001;  # 997
   sane.ids.sshd.gid = 2001;  # 997
   sane.ids.polkituser.gid = 2002;  # 998
-  # sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12: upstream now specifies this as 151
+  sane.ids.systemd-coredump.gid = 2003;  # 996  # 2023/02/12-2023/02/28: upstream temporarily specified this as 151
   sane.ids.nscd.uid = 2004;
   sane.ids.nscd.gid = 2004;
   sane.ids.systemd-oom.uid = 2005;

hosts/common/programs.nix

@@ -4,11 +4,23 @@ let
   inherit (builtins) attrNames concatLists;
   inherit (lib) mapAttrs mapAttrsToList mkDefault mkMerge optional;
 
+  flattenedPkgs = pkgs // (with pkgs; {
+    # XXX can't `inherit` a nested attr, so we move them to the toplevel
+    "cacert.unbundled" = pkgs.cacert.unbundled;
+    "gnome.cheese" = gnome.cheese;
+    "gnome.dconf-editor" = gnome.dconf-editor;
+    "gnome.file-roller" = gnome.file-roller;
+    "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
+    "gnome.gnome-maps" = gnome.gnome-maps;
+    "gnome.nautilus" = gnome.nautilus;
+    "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
+    "gnome.gnome-terminal" = gnome.gnome-terminal;
+    "gnome.gnome-weather" = gnome.gnome-weather;
+    "libsForQt5.plasmatube" = libsForQt5.plasmatube;
+  });
+
   sysadminPkgs = {
-    inherit (pkgs // {
-      # XXX can't `inherit` a nested attr, so we move them to the toplevel
-      "cacert.unbundled" = pkgs.cacert.unbundled;
-    })
+    inherit (flattenedPkgs)
       btrfs-progs
       "cacert.unbundled"  # some services require unbundled /etc/ssl/certs
       cryptsetup
@@ -43,19 +55,45 @@ let
       smartmontools
       socat
       strace
+      subversion
       tcpdump
       tree
       usbutils
       wget
     ;
   };
-
-  consolePkgs = {
+  sysadminExtraPkgs = {
+    # application-specific packages
     inherit (pkgs)
       backblaze-b2
+      duplicity
+      sqlite  # to debug sqlite3 databases
+    ;
+  };
+
+  iphonePkgs = {
+    inherit (pkgs)
+      ifuse
+      ipfs
+      libimobiledevice
+    ;
+  };
+
+  tuiPkgs = {
+    inherit (pkgs)
+      aerc  # email client
+      offlineimap  # email mailox sync
+      visidata  # TUI spreadsheet viewer/editor
+      w3m
+    ;
+  };
+
+  # TODO: split these into smaller groups.
+  # - transcoders (ffmpeg, imagemagick) only wanted on desko/lappy ("powerutils"?)
+  consolePkgs = {
+    inherit (pkgs)
       cdrtools
       dmidecode
-      duplicity
       efivar
       flashrom
       fwupd
@@ -64,17 +102,14 @@ let
       gocryptfs
       gopass
       gopass-jsonapi
-      ifuse
       imagemagick
-      ipfs
       kitty  # TODO: move to GUI, but `ssh servo` from kitty sets `TERM=xterm-kitty` in the remove and breaks things
-      libimobiledevice
       libsecret  # for managing user keyrings
       lm_sensors  # for sensors-detect
       lshw
       ffmpeg
       memtester
-      networkmanager
+      # networkmanager
       nixpkgs-review
       # nixos-generators
       # nettools
@@ -91,49 +126,27 @@ let
       sops
       sox
       speedtest-cli
-      sqlite  # to debug sqlite3 databases
       ssh-to-age
       sudo
       # tageditor  # music tagging
       unar
-      visidata
-      w3m
       wireguard-tools
+      xdg-utils  # for xdg-open
       # youtube-dl
       yt-dlp
     ;
   };
 
   guiPkgs = {
-    inherit (pkgs // (with pkgs; {
-      # XXX can't `inherit` a nested attr, so we move them to the toplevel
-      # TODO: could use some "flatten attrs" helper instead
-      "gnome.cheese" = gnome.cheese;
-      "gnome.dconf-editor" = gnome.dconf-editor;
-      "gnome.file-roller" = gnome.file-roller;
-      "gnome.gnome-disk-utility" = gnome.gnome-disk-utility;
-      "gnome.gnome-maps" = gnome.gnome-maps;
-      "gnome.nautilus" = gnome.nautilus;
-      "gnome.gnome-system-monitor" = gnome.gnome-system-monitor;
-      "gnome.gnome-terminal" = gnome.gnome-terminal;
-      "gnome.gnome-weather" = gnome.gnome-weather;
-      "libsForQt5.plasmatube" = libsForQt5.plasmatube;
-    }))
-      aerc  # email client
-      audacity
+    inherit (flattenedPkgs)
       celluloid  # mpv frontend
-      chromium
       clinfo
-      dino
-      electrum
-      element-desktop
       emote
       evince  # works on phosh
 
       # { pkg = fluffychat-moby; dir = [ ".local/share/chat.fluffy.fluffychat" ]; }  # TODO: ship normal fluffychat on non-moby?
 
-      foliate  # e-book reader
-      font-manager
+      # foliate  # e-book reader
 
       # XXX by default fractal stores its state in ~/.local/share/<UUID>.
       # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
@@ -141,14 +154,11 @@ let
       # { pkg = fractal-latest; private = [ ".local/share/fractal" ]; }
       # { pkg = fractal-next; private = [ ".local/share/fractal" ]; }
 
-      gajim  # XMPP client
-      gimp  # broken on phosh
-      "gnome.cheese"
+      # "gnome.cheese"
       "gnome.dconf-editor"
       gnome-feeds  # RSS reader (with claimed mobile support)
       "gnome.file-roller"
-      "gnome.gnome-disk-utility"
-      "gnome.gnome-maps"  # works on phosh
+      # "gnome.gnome-maps"  # works on phosh
       "gnome.nautilus"
       # gnome-podcasts
       "gnome.gnome-system-monitor"
@@ -156,21 +166,15 @@ let
       "gnome.gnome-weather"
       gpodder-configured
       gthumb
-      inkscape
-      kdenlive
-      kid3  # audio tagging
-      krita
-      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
-      lollypop
+      # lollypop
       mpv
       networkmanagerapplet
-      newsflash
+      # newsflash
       nheko
-      obsidian
       pavucontrol
       # picard  # music tagging
       playerctl
-      "libsForQt5.plasmatube"  # Youtube player
+      # "libsForQt5.plasmatube"  # Youtube player
       soundconverter
       # sublime music persists any downloaded albums here.
       # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
@@ -178,15 +182,35 @@ let
       #   possible to pass config as a CLI arg (sublime-music -c config.json)
       # { pkg = sublime-music; dir = [ ".local/share/sublime-music" ]; }
       sublime-music-mobile
-      tdesktop  # broken on phosh
-      tokodon
+      # tdesktop  # broken on phosh
+      # tokodon
       vlc
       # pleroma client (Electron). input is broken on phosh. TODO(2023/02/02): fix electron19 input (insecure)
       # whalebird
-      xdg-utils  # for xdg-open
       xterm  # broken on phosh
     ;
   };
+  desktopGuiPkgs = {
+    inherit (flattenedPkgs)
+      audacity
+      brave  # for the integrated wallet -- as a backup
+      chromium
+      dino
+      electrum
+      element-desktop
+      font-manager
+      gajim  # XMPP client
+      gimp  # broken on phosh
+      "gnome.gnome-disk-utility"
+      handbrake
+      inkscape
+      kdenlive
+      kid3  # audio tagging
+      krita
+      libreoffice-fresh  # XXX colin: maybe don't want this on mobile
+      obsidian
+    ;
+  };
   x86GuiPkgs = {
     inherit (pkgs)
       discord
@@ -195,9 +219,6 @@ let
       # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
       # gpt2tc  # XXX: unreliable mirror
 
-      # TODO(unpin): handbrake is broken on aarch64-linux 2023/01/29
-      handbrake
-
       logseq
       losslesscut-bin
       makemkv
@@ -209,6 +230,13 @@ let
     ;
   };
 
+  # packages not part of any package set
+  otherPkgs = {
+    inherit (pkgs)
+      stepmania
+    ;
+  };
+
   # define -- but don't enable -- the packages in some attrset.
   # use `mkDefault` for the package here so we can customize some of them further down this file
   declarePkgs = pkgsAsAttrs: mapAttrs (_n: p: {
@@ -218,25 +246,47 @@ in
 {
   config = {
     sane.programs = mkMerge [
-      (declarePkgs sysadminPkgs)
       (declarePkgs consolePkgs)
+      (declarePkgs desktopGuiPkgs)
       (declarePkgs guiPkgs)
+      (declarePkgs iphonePkgs)
+      (declarePkgs sysadminPkgs)
+      (declarePkgs sysadminExtraPkgs)
+      (declarePkgs tuiPkgs)
       (declarePkgs x86GuiPkgs)
+      (declarePkgs otherPkgs)
       {
         # link the various package sets into their own meta packages
-        sysadminUtils = {
-          package = null;
-          suggestedPrograms = attrNames sysadminPkgs;
-        };
         consoleUtils = {
           package = null;
           suggestedPrograms = attrNames consolePkgs;
         };
+        desktopGuiApps = {
+          package = null;
+          suggestedPrograms = attrNames desktopGuiPkgs;
+        };
         guiApps = {
           package = null;
           suggestedPrograms = (attrNames guiPkgs)
+            ++ [ "tuiApps" ]
             ++ optional (pkgs.system == "x86_64-linux") "x86GuiApps";
         };
+        iphoneUtils = {
+          package = null;
+          suggestedPrograms = attrNames iphonePkgs;
+        };
+        sysadminUtils = {
+          package = null;
+          suggestedPrograms = attrNames sysadminPkgs;
+        };
+        sysadminExtraUtils = {
+          package = null;
+          suggestedPrograms = attrNames sysadminExtraPkgs;
+        };
+        tuiApps = {
+          package = null;
+          suggestedPrograms = attrNames tuiPkgs;
+        };
         x86GuiApps = {
           package = null;
           suggestedPrograms = attrNames x86GuiPkgs;

hosts/common/secrets.nix

@@ -99,18 +99,26 @@
     sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
     format = "binary";
   };
-  sops.secrets."iwd/home-bedroom.psk" = {
-    sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
-    format = "binary";
-  };
-  sops.secrets."iwd/home-shared-24G.psk" = {
-    sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
-    format = "binary";
-  };
   sops.secrets."iwd/home-shared.psk" = {
     sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
     format = "binary";
   };
+  sops.secrets."iwd/makespace-south.psk" = {
+    sopsFile = ../../secrets/universal/net/makespace-south.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/archive-2023-02-home-bedroom.psk" = {
+    sopsFile = ../../secrets/universal/net/archive/2023-02-home-bedroom.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/archive-2023-02-home-shared-24G.psk" = {
+    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared-24G.psk.bin;
+    format = "binary";
+  };
+  sops.secrets."iwd/archive-2023-02-home-shared.psk" = {
+    sopsFile = ../../secrets/universal/net/archive/2023-02-home-shared.psk.bin;
+    format = "binary";
+  };
   sops.secrets."iwd/iphone" = {
     sopsFile = ../../secrets/universal/net/iphone.psk.bin;
     format = "binary";

hosts/instantiate.nix

@@ -4,7 +4,7 @@
 { hostName, localSystem }:
 
 # module args
-{ config, ... }:
+{ config, lib, ... }:
 
 {
   imports = [
@@ -14,14 +14,16 @@
   ];
 
   networking.hostName = hostName;
+  nixpkgs.buildPlatform = lib.mkIf (localSystem != null) localSystem;
+  sane.cross.enablePatches = localSystem != null;
 
-  nixpkgs.overlays = [
-    (next: prev: {
-      # for local != target we by default just emulate the target while building.
-      # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
-      # to explicitly opt into non-emulated cross compilation for any specific package.
-      # this is most beneficial for large packages with few pre-requisites -- like Linux.
-      cross = prev.crossFrom."${localSystem}";
-    })
-  ];
+  # nixpkgs.overlays = [
+  #   (next: prev: {
+  #     # for local != target we by default just emulate the target while building.
+  #     # provide a `pkgs.cross.<pkg>` alias that consumers can use instead of `pkgs.<foo>`
+  #     # to explicitly opt into non-emulated cross compilation for any specific package.
+  #     # this is most beneficial for large packages with few pre-requisites -- like Linux.
+  #     cross = prev.crossFrom."${localSystem}";
+  #   })
+  # ];
 }

hosts/modules/gui/phosh.nix

@@ -29,7 +29,7 @@ in
           # TODO: see about removing gnome-bluetooth if the in-built gnome-settings bluetooth manager can work
           "gnome.gnome-bluetooth"
           "phosh-mobile-settings"
-          "plasma5Packages.konsole"  # more reliable terminal
+          # "plasma5Packages.konsole"  # more reliable terminal
         ];
       };
     }
@@ -49,6 +49,12 @@ in
     (mkIf cfg.enable {
       sane.programs.phoshApps.enableFor.user.colin = true;
 
+      # TODO(2023/02/28): remove this qt.style = "gtk2" override.
+      # gnome by default tells qt to stylize its apps similar to gnome.
+      # but the package needed for that doesn't cross-compile, hence i disable that here.
+      # qt.platformTheme = "gtk2";
+      # qt.style = "gtk2";
+
       # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
       services.xserver.desktopManager.phosh = {
         enable = true;
@@ -63,6 +69,26 @@ in
         };
       };
 
+      # phosh enables `services.gnome.{core-os-services, core-shell}`
+      # and this in turn enables some default apps we don't really care about.
+      # see <nixos/modules/services/x11/desktop-managers/gnome.nix>
+      environment.gnome.excludePackages = with pkgs; [
+        # gnome.gnome-menus  # unused outside gnome classic, but probably harmless
+        gnome-tour
+      ];
+      services.dleyna-renderer.enable = false;
+      services.dleyna-server.enable = false;
+      services.gnome.gnome-browser-connector.enable = false;
+      services.gnome.gnome-initial-setup.enable = false;
+      services.gnome.gnome-online-accounts.enable = false;
+      services.gnome.gnome-remote-desktop.enable = false;
+      services.gnome.gnome-user-share.enable = false;
+      services.gnome.rygel.enable = false;
+
+      # gnome doesn't use mkDefault for these -- unclear why not
+      services.gnome.evolution-data-server.enable = mkForce false;
+      services.gnome.gnome-online-miners.enable = mkForce false;
+
       # XXX: phosh enables networkmanager by default; can probably disable these lines
       networking.useDHCP = false;
       networking.networkmanager.enable = true;
@@ -85,6 +111,7 @@ in
       };
 
       programs.dconf.packages = [
+        # org.kde.konsole.desktop
         (pkgs.writeTextFile {
           name = "dconf-phosh-settings";
           destination = "/etc/dconf/db/site.d/00_phosh_settings";
@@ -97,7 +124,7 @@ in
             sleep-inactive-battery-timeout=5400
 
             [sm/puri/phosh]
-            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.kde.konsole.desktop']
+            favorites=['gpodder.desktop', 'nheko.desktop', 'sublime-music.desktop', 'firefox.desktop', 'org.gnome.Terminal.desktop']
           '';
         })
       ];

hosts/modules/gui/sway.nix

@@ -133,6 +133,7 @@ in
           # # "pavucontrol"
           "gnome.gnome-bluetooth"
           "gnome.gnome-control-center"
+          "sway-contrib.grimshot"
         ];
       };
     }
@@ -141,6 +142,7 @@ in
         inherit (pkgs // {
           "gnome.gnome-bluetooth" = pkgs.gnome.gnome-bluetooth;
           "gnome.gnome-control-center" = pkgs.gnome.gnome-control-center;
+          "sway-contrib.grimshot" = pkgs.sway-contrib.grimshot;
         })
           swaylock
           swayidle
@@ -148,6 +150,7 @@ in
           mako
           "gnome.gnome-bluetooth"
           "gnome.gnome-control-center"
+          "sway-contrib.grimshot"
         ;
       };
     }

hosts/modules/hardware/x86_64.nix

@@ -9,11 +9,6 @@
       # efi_pstore evivars
     ];
 
-    # enable cross compilation
-    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-    # nixpkgs.config.allowUnsupportedSystem = true;
-    # nixpkgs.crossSystem.system = "aarch64-linux";
-
     powerManagement.cpuFreqGovernor = "powersave";
     hardware.cpu.amd.updateMicrocode = true;    # desktop
     hardware.cpu.intel.updateMicrocode = true;  # laptop

hosts/modules/hosts.nix

@@ -69,7 +69,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
       wg-home.pubkey = "17PMZssYi0D4t2d0vbmhjBKe1sGsE8kT8/dod0Q2CXc=";
       wg-home.ip = "10.0.10.22";
-      lan-ip = "192.168.0.22";
+      lan-ip = "192.168.15.16";
     };
 
     sane.hosts.by-name."lappy" = {
@@ -77,7 +77,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
       wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
       wg-home.ip = "10.0.10.20";
-      lan-ip = "192.168.0.20";
+      lan-ip = "192.168.15.11";
     };
 
     sane.hosts.by-name."moby" = {
@@ -85,7 +85,7 @@ in
       ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
       wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
       wg-home.ip = "10.0.10.48";
-      lan-ip = "192.168.0.48";
+      lan-ip = "192.168.15.17";
     };
 
     sane.hosts.by-name."servo" = {
@@ -94,7 +94,7 @@ in
       wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
       wg-home.ip = "10.0.10.5";
       wg-home.endpoint = "uninsane.org:51820";
-      lan-ip = "192.168.0.5";
+      lan-ip = "192.168.15.28";
     };
   };
 }

hosts/modules/nixcache.nix

@@ -13,6 +13,7 @@
 with lib;
 let
   cfg = config.sane.nixcache;
+  hostName = config.networking.hostName;
 in
 {
   options = {
@@ -24,6 +25,16 @@ in
       default = config.sane.nixcache.enable;
       type = types.bool;
     };
+    sane.nixcache.substituters = mkOption {
+      type = types.listOf types.string;
+      default =
+        (lib.optional (hostName != "servo") "https://nixcache.uninsane.org")
+        ++ (lib.optional (hostName != "desko") "http://desko:5000")
+        ++ [
+          "https://nix-community.cachix.org"
+          "https://cache.nixos.org/"
+        ];
+    };
   };
 
   config = {
@@ -31,12 +42,7 @@ in
     # to explicitly build from a specific cache (in case others are down):
     # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
     # - `nix build ... --substituters http://desko:5000`
-    nix.settings.substituters = mkIf cfg.enable [
-      "https://nixcache.uninsane.org"
-      "http://desko:5000"
-      "https://nix-community.cachix.org"
-      "https://cache.nixos.org/"
-    ];
+    nix.settings.substituters = mkIf cfg.enable cfg.substituters;
     # always trust our keys (so one can explicitly use a substituter even if it's not the default
     nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
       "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="

hosts/modules/roles/build-machine.nix

@@ -0,0 +1,59 @@
+{ config, lib, sane-lib, ... }:
+
+let
+  inherit (lib) mkIf mkMerge mkOption types;
+  inherit (config.programs.ccache) cacheDir;
+in
+{
+  options.sane.roles.build-machine = mkOption {
+    type = types.bool;
+    default = false;
+  };
+
+  config = mkMerge [
+    {
+      # programs.ccache.cacheDir = "/var/cache/ccache";  # nixos default
+      # programs.ccache.cacheDir = "/homeless-shelter/.ccache";  # ccache default (~/.ccache)
+
+      # if the cache doesn't reside at ~/.ccache, then CCACHE_DIR has to be set.
+      # we can do that manually as commented out below, or let nixos do it for us by telling it to use ccache on a dummy package:
+      programs.ccache.packageNames = [ "dummy-pkg-to-force-ccache-config" ];
+      # nixpkgs.overlays = [
+      #   (self: super: {
+      #     # XXX: if the cache resides not at ~/.ccache (i.e. /homeless-shelter/.ccache)
+      #     # then we need to explicitly tell ccache where that is.
+      #     ccacheWrapper = super.ccacheWrapper.override {
+      #       extraConfig = ''
+      #         export CCACHE_DIR="${cacheDir}"
+      #       '';
+      #     };
+      #   })
+      # ];
+    }
+    (mkIf config.sane.roles.build-machine {
+      # serve packages to other machines that ask for them
+      sane.services.nixserve.enable = true;
+
+      # enable cross compilation
+      boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+      # nixpkgs.config.allowUnsupportedSystem = true;
+
+      # granular compilation cache
+      # docs: <https://nixos.wiki/wiki/CCache>
+      # investigate the cache with:
+      # - `nix-ccache --show-stats`
+      # - `build '.#ccache'
+      #   - `sudo CCACHE_DIR=/var/cache/ccache ./result/bin/ccache --show-stats -v`
+      # TODO: whitelist `--verbose` in <nixpkgs:nixos/modules/programs/ccache.nix>
+      # TODO: configure without compression (leverage fs-level compression), and enable file-clone (i.e. hardlinks)
+      programs.ccache.enable = true;
+      nix.settings.extra-sandbox-paths = [ cacheDir ];
+      sane.persist.sys.plaintext = [
+        { group = "nixbld"; mode = "0775"; directory = config.programs.ccache.cacheDir; }
+      ];
+      sane.fs."${cacheDir}/ccache.conf" = sane-lib.fs.wantedText ''
+        max_size = 50G
+      '';
+    })
+  ];
+}

hosts/modules/roles/default.nix

@@ -1,6 +1,7 @@
 { ... }:
 {
   imports = [
+    ./build-machine.nix
     ./client
   ];
 }

modules/data/feeds/sources/feeds.libsyn.com/421877/default.json

@@ -0,0 +1,23 @@
+{
+  "bozo": 0,
+  "content_length": 272569,
+  "content_type": "text/xml; charset=utf-8",
+  "description": "Audio version of the posts shared in the LessWrong Curated newsletter.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [
+    "https://pubsubhubbub.appspot.com/"
+  ],
+  "is_podcast": true,
+  "is_push": true,
+  "item_count": 56,
+  "last_updated": "2023-03-08T08:00:00+00:00",
+  "score": 32,
+  "self_url": "https://feeds.buzzsprout.com/2037297.rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "LessWrong Curated Podcast",
+  "url": "https://feeds.buzzsprout.com/2037297.rss",
+  "velocity": 0.192,
+  "version": "rss20"
+}

modules/data/feeds/sources/feeds.megaphone.fm/hubermanlab/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 1377252,
+  "content_type": "application/xml; charset=utf-8",
+  "description": "Andrew Huberman, Ph.D.",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 129,
+  "last_updated": "2023-03-06T09:00:00+00:00",
+  "score": 14,
+  "self_url": "https://feeds.megaphone.fm/hubermanlab",
+  "site_name": "",
+  "site_url": "",
+  "title": "Huberman Lab",
+  "url": "https://feeds.megaphone.fm/hubermanlab",
+  "velocity": 0.159,
+  "version": "rss20"
+}

modules/data/feeds/sources/mapspodcast.libsyn.com/default.json

@@ -0,0 +1,21 @@
+{
+  "bozo": 0,
+  "content_length": 256360,
+  "content_type": "application/rss+xml; charset=utf-8",
+  "description": "Hosted by Zach Leary, the intent of the podcast is to bring you the listener an easily accessible resource for a variety of topics all related to psychedelic research. There is a lot to learn about new research into the therapeutic potential of psychedelics and marijuana. Over the years, the Multidisciplinary Association for Psychedelic Studies (MAPS) has amassed an incredible treasure trove of audio archives sourced from the amazing talks, presentations and panels that have taken place at past Psychedelic Science conferences and other unique events. By selecting some of that content and then bringing it to you in a podcast we hope to create a centralized location for the greater MAPS community. If you're a researcher, scientist, medical professional or just a curiosity seeker we hope that you'll find this content a valuable resource tool.\n\nPlease visit the MAPS website at https://maps.org",
+  "favicon": "",
+  "favicon_data_uri": "",
+  "hubs": [],
+  "is_podcast": true,
+  "is_push": false,
+  "item_count": 62,
+  "last_updated": "2023-03-06T20:20:00+00:00",
+  "score": 0,
+  "self_url": "https://feeds.libsyn.com/95610/rss",
+  "site_name": "",
+  "site_url": "",
+  "title": "MAPS Podcast",
+  "url": "https://feeds.libsyn.com/95610/rss",
+  "velocity": 0.028,
+  "version": "rss20"
+}

modules/services/dyn-dns.nix

@@ -3,6 +3,11 @@
 with lib;
 let
   cfg = config.sane.services.dyn-dns;
+  getIp = pkgs.writeShellScript "dyn-dns-query-wan" ''
+    # preferred method and fallback
+    ${pkgs.sane-scripts}/bin/sane-ip-check-router-wan || \
+      ${pkgs.sane-scripts}/bin/sane-ip-check
+  '';
 in
 {
   options = {
@@ -19,7 +24,7 @@ in
       };
 
       ipCmd = mkOption {
-        default = "${pkgs.sane-scripts}/bin/sane-ip-check-router-wan";
+        default = "${getIp}";
         type = types.path;
         description = "command to run to query the current WAN IP";
       };

nixpatches/2023-01-25-signald-update.patch

@@ -1,78 +0,0 @@
-diff --git a/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch b/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
-index 1d9ca8d838d..d2cf9dd4315 100644
---- a/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
-+++ b/pkgs/applications/networking/instant-messengers/signald/0001-Fetch-buildconfig-during-gradle-build-inside-Nix-FOD.patch
-@@ -11,25 +11,15 @@ diff --git a/build.gradle b/build.gradle
- index 799e782..caceaac 100644
- --- a/build.gradle
- +++ b/build.gradle
--@@ -83,6 +83,9 @@ static String getVersion() {
-- 
-- repositories {
--     maven {url "https://gitlab.com/api/v4/groups/6853927/-/packages/maven"} // https://gitlab.com/groups/signald/-/packages
--+    maven {
--+      url "https://plugins.gradle.org/m2/"
--+    }
--     mavenCentral()
-- }
-- 
--@@ -104,6 +107,8 @@ dependencies {
--     implementation 'io.prometheus:simpleclient_httpserver:0.16.0'
--     implementation 'com.squareup.okhttp3:logging-interceptor:4.9.3'
--     implementation 'io.sentry:sentry:6.4.0'
--+    implementation 'com.github.gmazzo.buildconfig:com.github.gmazzo.buildconfig.gradle.plugin:3.1.0'
--+    implementation 'org.jetbrains.kotlin:kotlin-scripting-jvm:1.7.10'
--     testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
-+@@ -87,7 +86,7 @@ repositories {
-  }
-  
-+ dependencies {
-+-    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_1'
-++    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_2'
-+     implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
-+     implementation 'com.kohlschutter.junixsocket:junixsocket-common:2.6.1'
-+     implementation 'com.kohlschutter.junixsocket:junixsocket-native-common:2.6.1'
- @@ -171,4 +176,4 @@ allprojects {
-  runtime {
-      options = ['--strip-java-debug-attributes', '--compress', '2', '--no-header-files', '--no-man-pages']
-diff --git a/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch b/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
-index 96a7d6d2ef3..2f0f6e73159 100644
---- a/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
-+++ b/pkgs/applications/networking/instant-messengers/signald/0002-buildconfig-local-deps-fixes.patch
-@@ -47,15 +47,15 @@ index 799e782..6ecef3e 100644
-  }
-  
-  dependencies {
--@@ -104,6 +117,8 @@ dependencies {
--     implementation 'io.prometheus:simpleclient_httpserver:0.16.0'
--     implementation 'com.squareup.okhttp3:logging-interceptor:4.9.3'
--     implementation 'io.sentry:sentry:6.4.0'
--+    implementation 'com.github.gmazzo.buildconfig:com.github.gmazzo.buildconfig.gradle.plugin:3.1.0'
--+    implementation 'org.jetbrains.kotlin:kotlin-scripting-jvm:1.7.10'
--     testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
-+@@ -87,7 +86,7 @@ repositories {
-  }
-  
-+ dependencies {
-+-    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_1'
-++    implementation 'org.signald:signal-service-java-' + getTarget() + ':2.15.3_unofficial_50_signald_2'
-+     implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
-+     implementation 'com.kohlschutter.junixsocket:junixsocket-common:2.6.1'
-+     implementation 'com.kohlschutter.junixsocket:junixsocket-native-common:2.6.1'
- @@ -167,8 +182,3 @@ allprojects {
-          }
-      }
-diff --git a/pkgs/applications/networking/instant-messengers/signald/default.nix b/pkgs/applications/networking/instant-messengers/signald/default.nix
-index a9e023cdf63..8847707e137 100644
---- a/pkgs/applications/networking/instant-messengers/signald/default.nix
-+++ b/pkgs/applications/networking/instant-messengers/signald/default.nix
-@@ -54,8 +54,8 @@ let
-     outputHashMode = "recursive";
-     # Downloaded jars differ by platform
-     outputHash = {
--      x86_64-linux = "sha256-ANiNDdTuCuDEH5zUPsrVF6Uegdq3zVsMv+uMtYRX0jE=";
--      aarch64-linux = "sha256-V9zn4v/ZeLELAwFJ5y7OVAeJwZp4DmHm4KWxE6KpwGs=";
-+      x86_64-linux = "sha256-B2T8bM8xdob5507oS1CVO+sszEg9VWL8QKUEanIlXvk=";
-+      aarch64-linux = "sha256-I314eLUQP8HPbwc+10ZDKzcn9WsqLGuBtfoiCEYZRck=";
-     }.${stdenv.system} or (throw "Unsupported platform");
-   };

nixpatches/2023-01-30-mesa-cma-leak.patch

@@ -0,0 +1,22 @@
+diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
+index 56fa74e5c0c..3573bb0af49 100644
+--- a/pkgs/development/libraries/mesa/default.nix
++++ b/pkgs/development/libraries/mesa/default.nix
+@@ -88,7 +88,7 @@
+ let
+   # Release calendar: https://www.mesa3d.org/release-calendar.html
+   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
+-  version = "22.3.4";
++  version = "22.3.2";
+   branch  = lib.versions.major version;
+ 
+   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
+@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
+       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
+       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
+     ];
+-    sha256 = "37a1ddaf03f41919ee3c89c97cff41e87de96e00e9d3247959cc8279d8294593";
++    sha256 = "c15df758a8795f53e57f2a228eb4593c22b16dffd9b38f83901f76cd9533140b";
+   };
+ 
+   # TODO:

nixpatches/2023-02-28-mesa-22.3.6.patch

@@ -0,0 +1,23 @@
+diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
+index 52633a6d21649..20d839b74c2ea 100644
+--- a/pkgs/development/libraries/mesa/default.nix
++++ b/pkgs/development/libraries/mesa/default.nix
+@@ -88,7 +88,7 @@
+ let
+   # Release calendar: https://www.mesa3d.org/release-calendar.html
+   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
+-  version = "22.3.5";
++  version = "22.3.6";
+   branch  = lib.versions.major version;
+ 
+   withLibdrm = lib.meta.availableOn stdenv.hostPlatform libdrm;
+@@ -120,7 +120,7 @@ self = stdenv.mkDerivation {
+       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
+       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
+     ];
+-    sha256 = "3eed2ecae2bc674494566faab9fcc9beb21cd804c7ba2b59a1694f3d7236e6a9";
++    hash = "sha256-TsjsZdvbHulETbpylwiQEooZVDpYzwWTG9b1TxJOEX8=";
+   };
+ 
+   # TODO:
+

nixpatches/2023-03-03-qtbase-cross-compile.patch

@@ -0,0 +1,34 @@
+diff --git a/pkgs/development/libraries/qt-6/modules/qtbase.nix b/pkgs/development/libraries/qt-6/modules/qtbase.nix
+index e71b0a7613d..72779ac57a5 100644
+--- a/pkgs/development/libraries/qt-6/modules/qtbase.nix
++++ b/pkgs/development/libraries/qt-6/modules/qtbase.nix
+@@ -5,6 +5,7 @@
+ , version
+ , coreutils
+ , bison
++, buildPackages
+ , flex
+ , gdb
+ , gperf
+@@ -224,6 +225,8 @@ stdenv.mkDerivation rec {
+   ] ++ lib.optionals stdenv.isDarwin [
+     # error: 'path' is unavailable: introduced in macOS 10.15
+     "-DQT_FEATURE_cxx17_filesystem=OFF"
++  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
++    "-DQT_HOST_PATH=${buildPackages.qt6.full}"
+   ];
+ 
+   NIX_LDFLAGS = toString (lib.optionals stdenv.isDarwin [
+diff --git a/pkgs/development/libraries/qt-6/qtModule.nix b/pkgs/development/libraries/qt-6/qtModule.nix
+index 28180d3b0ca..f14c73b10ee 100644
+--- a/pkgs/development/libraries/qt-6/qtModule.nix
++++ b/pkgs/development/libraries/qt-6/qtModule.nix
+@@ -61,7 +61,7 @@ stdenv.mkDerivation (args // {
+       if [[ -z "$dontSyncQt" && -f sync.profile ]]; then
+         # FIXME: this probably breaks crosscompiling as it's not from nativeBuildInputs
+         # I don't know how to get /libexec from nativeBuildInputs to work, it's not under /bin
+-        ${lib.getDev self.qtbase}/libexec/syncqt.pl -version "''${version%%-*}"
++        perl ${lib.getDev self.qtbase}/libexec/syncqt.pl -version "''${version%%-*}"
+       fi
+     '';
+ 

nixpatches/2023-03-04-ccache-cross-fix.patch

@@ -0,0 +1,65 @@
+diff --git a/pkgs/development/tools/misc/ccache/default.nix b/pkgs/development/tools/misc/ccache/default.nix
+index cad25a942d6..9130097ab07 100644
+--- a/pkgs/development/tools/misc/ccache/default.nix
++++ b/pkgs/development/tools/misc/ccache/default.nix
+@@ -2,7 +2,7 @@
+ , stdenv
+ , fetchFromGitHub
+ , substituteAll
+-, binutils
++, buildPackages
+ , asciidoctor
+ , cmake
+ , perl
+@@ -33,7 +33,7 @@ let ccache = stdenv.mkDerivation rec {
+     # Darwin.
+     (substituteAll {
+       src = ./force-objdump-on-darwin.patch;
+-      objdump = "${binutils.bintools}/bin/objdump";
++      objdump = "${buildPackages.binutils.bintools}/bin/objdump";
+     })
+   ];
+ 
+@@ -71,11 +71,12 @@ let ccache = stdenv.mkDerivation rec {
+   passthru = {
+     # A derivation that provides gcc and g++ commands, but that
+     # will end up calling ccache for the given cacheDir
+-    links = {unwrappedCC, extraConfig}: stdenv.mkDerivation {
++    links = {unwrappedCC, extraConfig, targetPrefix ? ""}: stdenv.mkDerivation {
+       name = "ccache-links";
+       passthru = {
+         isClang = unwrappedCC.isClang or false;
+         isGNU = unwrappedCC.isGNU or false;
++        cc = unwrappedCC;
+       };
+       inherit (unwrappedCC) lib;
+       nativeBuildInputs = [ makeWrapper ];
+@@ -83,7 +84,7 @@ let ccache = stdenv.mkDerivation rec {
+         mkdir -p $out/bin
+ 
+         wrap() {
+-          local cname="$1"
++          local cname="${targetPrefix}$1"
+           if [ -x "${unwrappedCC}/bin/$cname" ]; then
+             makeWrapper ${ccache}/bin/ccache $out/bin/$cname \
+               --run ${lib.escapeShellArg extraConfig} \
+diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
+index cb6fd2f0c4d..da4aadff3cb 100644
+--- a/pkgs/top-level/all-packages.nix
++++ b/pkgs/top-level/all-packages.nix
+@@ -17383,10 +17383,12 @@ with pkgs;
+   # should be owned by user root, group nixbld with permissions 0770.
+   ccacheWrapper = makeOverridable ({ extraConfig, cc }:
+     cc.override {
+-      cc = ccache.links {
++      cc = ccache.links ({
+         inherit extraConfig;
+         unwrappedCC = cc.cc;
+-      };
++      } // lib.optionalAttrs (cc ? targetPrefix) {
++        inherit (cc) targetPrefix;
++      });
+     }) {
+       extraConfig = "";
+       inherit (stdenv) cc;
+

nixpatches/flake.lock

@@ -2,16 +2,15 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1673163619,
-        "narHash": "sha256-B33PFBL64ZgTWgMnhFL3jgheAN/DjHPsZ1Ih3z0VE5I=",
+        "lastModified": 1675123384,
+        "narHash": "sha256-RpU+kboEWlIYwbRMGIPBIcztH63CvmqWN1B8GpJogd4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8c54d842d9544361aac5f5b212ba04e4089e8efe",
+        "rev": "e0fa1ece2f3929726c9b98c539ad14b63ae8e4fd",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-22.11",
         "type": "indirect"
       }
     },

nixpatches/list.nix

@@ -13,19 +13,29 @@
     hash = "sha256-IvsIcd2wPdz4b/7FMrDrcVlIZjFecCQ9uiL0Umprbx0=";
   })
 
-  # fix handbrake build by: handbrake: 1.5.1 -> 1.6.1
-  # PR opened 2023/01/23
   # (fetchpatch {
-  #   # see alternate fix: <https://github.com/NixOS/nixpkgs/pull/211834>
-  #   url = "https://github.com/NixOS/nixpkgs/pull/212306.diff";
-  #   hash = "sha256-PnPzvJymafa+zjkauQW0LzFsJC7S+7D9JRszTE3in+w=";
+  #   # stdenv: fix cc for pseudo-crosscompilation
+  #   # closed because it breaks pkgsStatic (as of 2023/02/12)
+  #   url = "https://github.com/NixOS/nixpkgs/pull/196497.diff";
+  #   hash = "sha256-eTwEbVULYjmOW7zUFcTUqvBZqUFjHTKFhvmU2m3XQeo=";
   # })
 
   ./2022-12-19-i2p-aarch64.patch
 
-  # fix for <https://gitlab.com/signald/signald/-/issues/345>
-  # allows to actually run signald
-  ./2023-01-25-signald-update.patch
+  # fix for CMA memory leak in mesa: <https://gitlab.freedesktop.org/mesa/mesa/-/issues/8198>
+  # fixed in mesa 22.3.6: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21330/diffs>
+  # only necessary on aarch64.
+  # it's a revert of nixpkgs commit dcf630c172df2a9ecaa47c77f868211e61ae8e52
+  # ./2023-01-30-mesa-cma-leak.patch
+  # upgrade to 22.3.6 instead
+  ./2023-02-28-mesa-22.3.6.patch
+
+  # fix qt6.qtbase and qt6.qtModule to cross-compile.
+  # unfortunately there's some tangle that makes that difficult to do via the normal `override` facilities
+  ./2023-03-03-qtbase-cross-compile.patch
+
+  # let ccache cross-compile
+  ./2023-03-04-ccache-cross-fix.patch
 
   # # kaiteki: init at 2022-09-03
   # vendorHash changes too frequently (might not be reproducible).

overlays/disable-flakey-tests.nix

@@ -0,0 +1,187 @@
+# disable tests for packages which flake.
+# tests will fail for a variety of reasons:
+# - they were coded with timeouts that aren't reliable under heavy load.
+# - they assume a particular architecture (e.g. x86) whereas i compile on multiple archs.
+# - they assume too much about their environment and fail under qemu.
+#
+(next: prev: {
+  ell = prev.ell.overrideAttrs (_upstream: {
+    # 2023/02/11
+    # fixes "TEST FAILED in get_random_return_callback at unit/test-dbus-message-fds.c:278: !l_dbus_message_get_error(message, ((void *)0), ((void *)0))"
+    # unclear *why* this test fails.
+    doCheck = false;
+  });
+  fish = prev.fish.overrideAttrs (_upstream: {
+    # 2023/02/28
+    # The following tests FAILED:
+    #     177 - sigint.fish (Failed)
+    #     241 - torn_escapes.py (Failed)
+    doCheck = false;
+  });
+  gjs = prev.gjs.overrideAttrs (_upstream: {
+    # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
+    doCheck = false;
+  });
+  gssdp = prev.gssdp.overrideAttrs (_upstream: {
+    # 2023/02/11
+    # fixes "ERROR:../tests/test-regression.c:429:test_ggo_7: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-error, 1)"
+    doCheck = false;
+  });
+  gupnp = prev.gupnp.overrideAttrs (_upstream: {
+    # 2023/02/22
+    # fixes "Bail out! ERROR:../tests/test-bugs.c:205:test_bgo_696762: assertion failed (error == NULL): Failed to set multicast interfaceProtocol not available (gssdp-erro>"
+    doCheck = false;
+  });
+  json-glib = prev.json-glib.overrideAttrs (_upstream: {
+    # 2023/02/11
+    # fixes: "15/15 json-glib:docs / doc-check    TIMEOUT        30.52s   killed by signal 15 SIGTERM"
+    doCheck = false;
+  });
+  lapack-reference = prev.lapack-reference.overrideAttrs (_upstream: {
+    # 2023/02/11: test timeouts
+    # > The following tests FAILED:
+    # >       93 - LAPACK-xlintstz_ztest_in (Timeout)
+    # >        98 - LAPACK-xeigtstz_svd_in (Timeout)
+    # >          99 - LAPACK-xeigtstz_zec_in (Timeout)
+    doCheck = false;
+  });
+  libadwaita = prev.libadwaita.overrideAttrs (_upstream: {
+    # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
+    doCheck = false;
+  });
+  libsecret = prev.libsecret.overrideAttrs (_upstream: {
+    # 2023/01/30: one test times out. probably flakey test that only got built because i patched mesa.
+    doCheck = false;
+  });
+  libuv = prev.libuv.overrideAttrs (_upstream: {
+    # 2023/02/11
+    # 2 tests fail:
+    # - not ok 261 - tcp_bind6_error_addrinuse
+    # - not ok 267 - tcp_bind_error_addrinuse_listen
+    doCheck = false;
+  });
+
+  llvmPackages_12 =
+    let
+      tools = prev.llvmPackages_12.tools.extend (self: super: {
+        libllvm = super.libllvm.overrideAttrs (upstream: {
+          # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITTest.return_global (2857 of 42084)"
+          # - nix log /nix/store/6vydavlxh1gvs0vmrkcx9qp67g3h7kcz-llvm-12.0.1.drv
+          # - wanted by sequoia, rav1e, rustc-1.66.1  (is this right?)
+          doCheck = false;
+          # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
+          cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
+        });
+      });
+    in
+      # see <nixpkgs:pkgs/development/compilers/llvm/12/default.nix>
+      # - we copy their strategy / attrset mutilation
+      prev.llvmPackages_12 // { inherit tools; } // tools;
+
+  llvmPackages_14 =
+    let
+      tools = prev.llvmPackages_14.tools.extend (self: super: {
+        libllvm = super.libllvm.overrideAttrs (upstream: {
+          # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/MCJITMultipleModuleTest.two_module_global_variables_case (43769 of 46988)"
+          # - nix log /nix/store/ib2yw6sajnhlmibxkrn7lj7chllbr85h-llvm-14.0.6.drv
+          # - wanted by clang-11-12-LLVMgold-path, compiler-rt-libc-12.0.1, clang-wrapper-12.0.1  (is this right?)
+          doCheck = false;
+          # upstream sets this with `rec`; TODO: have upstream refer to the final overrideAttrs version of the derivation instead of using rec.
+          cmakeFlags = next.lib.remove "-DLLVM_BUILD_TESTS=ON" upstream.cmakeFlags;
+        });
+      });
+    in
+      # see <nixpkgs:pkgs/development/compilers/llvm/14/default.nix>
+      # - we copy their strategy / attrset mutilation
+      prev.llvmPackages_14 // { inherit tools; } // tools;
+
+  llvmPackages_15 =
+    let
+      tools = prev.llvmPackages_15.tools.extend (self: super: {
+        libllvm = super.libllvm.override {
+          # 2023/02/21: fix: "FAIL: LLVM-Unit :: ExecutionEngine/MCJIT/./MCJITTests/..."
+          # llvm15 passes doCheck as a call arg, so we don't need to set cmakeFlags explicitly as in previous versions
+          doCheck = false;
+        };
+      });
+    in
+      prev.llvmPackages_15 // { inherit tools; } // tools;
+
+  modemmanager = prev.modemmanager.overrideAttrs (_upstream: {
+    # 2023/02/25
+    # "ERROR:test-modem-helpers.c:257:test_cmgl_response: assertion failed: (list != NULL)"
+    doCheck = false;
+    doInstallCheck = false;  # tests are run during install check??
+  });
+
+  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
+    (py-next: py-prev: {
+      ipython = py-prev.ipython.overridePythonAttrs (upstream: {
+        # > FAILED IPython/core/tests/test_debugger.py::test_xmode_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+        # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+        # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_disabled - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+        # > FAILED IPython/core/tests/test_debugger.py::test_decorator_skip_with_breakpoint - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+        # > FAILED IPython/core/tests/test_debugger.py::test_where_erase_value - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+        # > FAILED IPython/terminal/tests/test_debug_magic.py::test_debug_magic_passes_through_generators - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+        # > FAILED IPython/terminal/tests/test_embed.py::test_nest_embed - pexpect.exceptions.TIMEOUT: Timeout exceeded.
+        disabledTestPaths = upstream.disabledTestPaths or [] ++ [
+          "IPython/core/tests/test_debugger.py"
+          "IPython/terminal/tests/test_debug_magic.py"
+          "IPython/terminal/tests/test_embed.py"
+        ];
+      });
+      pytest-xdist = py-prev.pytest-xdist.overridePythonAttrs (upstream: {
+        # 2023/02/19
+        # 4 tests fail:
+        # - FAILED: testing/test_remote.py::TestWorkInteractor::* - execnet.gateway_base.TimeoutError: no item after 10.0 seconds
+        # doCheck = false;
+        disabledTestPaths = upstream.disabledTestPaths or [] ++ [
+          "testing/test_remote.py"
+        ];
+        # disabledTests = upstream.disabledTests or [] ++ [
+        #   "test_basic_collect_and_runtests"
+        #   "test_remote_collect_fail"
+        #   "test_remote_collect_skip"
+        #   "test_runtests_all"
+        # ];
+      });
+      twisted = py-prev.twisted.overridePythonAttrs (upstream: {
+        # 2023/02/25
+        # ```
+        # [ERROR]
+        # Traceback (most recent call last):
+        #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/test/test_udp.py", line 645, in test_interface
+        #     self.assertEqual(self.client.transport.getOutgoingInterface(), "0.0.0.0")
+        #   File "/nix/store/dcnsxrn8rsfk1dghah7md5glbbnfysq3-python3.10-twisted-22.10.0/lib/python3.10/site-packages/twisted/internet/udp.py", line 449, in getOutgoingInterface
+        #     i = self.socket.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF)
+        # builtins.OSError: [Errno 92] Protocol not available
+        #
+        # twisted.test.test_udp.MulticastTests.test_interface
+        # ```
+        postPatch = upstream.postPatch + ''
+          echo 'MulticastTests.test_interface.skip = "Protocol not available"'>> src/twisted/test/test_udp.py
+        '';
+      });
+    })
+  ];
+  strp = prev.srtp.overrideAttrs (_upstream: {
+    # 2023/02/11
+    # roc_driver test times out after 30s
+    doCheck = false;
+  });
+  tracker = prev.tracker.overrideAttrs (_upstream: {
+    # 2023/02/22
+    # "27/37 tracker:core / service                          TIMEOUT         60.37s   killed by signal 15 SIGTERM"
+    doCheck = false;
+  });
+  udisks2 = prev.udisks2.overrideAttrs (_upstream: {
+    # 2023/02/25
+    # "udisks-test:ERROR:test.c:61:on_completed_expect_failure: assertion failed (message == expected_message): ("Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11):\nstdout: `OK, deliberately causing a segfault\n'\nstderr: `qemu: uncaught target signal 11 (Segmentation fault) - core dumped\n'" == "Command-line `./udisks-test-helper 4' was signaled with signal SIGSEGV (11): OK, deliberately causing a segfault\n")"
+    doCheck = false;
+  });
+  upower = prev.upower.overrideAttrs (_upstream: {
+    # 2023/02/25
+    # "Tests.test_battery_state_guessing                          TIMEOUT        60.80s   killed by signal 15 SIGTERM"
+    doCheck = false;
+  });
+})

overlays/optimizations.nix

@@ -0,0 +1,32 @@
+(self: super:
+with self;
+let
+  # ccache-able = drv: drv.override { stdenv = builtins.trace "with ccache ${drv.name}" ccacheStdenv; };
+  ccache-able = drv: drv.override { stdenv = builtins.trace "with ccache: ${drv.name}" ccacheStdenv; };
+in {
+  # TODO: if we link /homeless-shelter/.ccache into the nix environment,
+  # then maybe we get better use of upstream caches?
+  # ccacheWrapper = super.ccacheWrapper.override {
+  #   extraConfig = ''
+  #     export CCACHE_DIR="/var/cache/ccache"
+  #   '';
+  # };
+  # ccacheStdenv = super.ccacheStdenv.override {
+  #   extraConfig = ''
+  #     export CCACHE_DIR="/homeless-shelter/.ccache"
+  #   '';
+  # };
+  # firefox-esr = ccache-able super.firefox-esr;
+  # firefox/librewolf distribution is wacky: it grabs the stdenv off of `rustc.llvmPackages`, and really wants those to match.
+  # buildMozillaMach = opts: ccache-able (super.buildMozillaMach opts);
+  # webkitgtk = ccache-able super.webkitgtk;
+  # mesa = ccache-able super.mesa;
+
+  webkitgtk = super.webkitgtk.overrideAttrs (_upstream: {
+    # means we drop debug info when linking.
+    # this is a trade-off to require less memory when linking, since
+    # building `webkitgtk` otherwise requires about 40G+ of RAM.
+    # <https://github.com/NixOS/nixpkgs/issues/153528>
+    separateDebugInfo = false;
+  });
+})

overlays/pins.nix

@@ -4,9 +4,17 @@
 # - if it's broken by that upstream builder, then pin it: somebody will come along and fix the package.
 # - otherwise, search github issues/PRs for knowledge of it before pinning.
 # - if nobody's said anything about it yet, probably want to root cause it or hold off on updating.
+#
+# note that these pins apply to *all* platforms:
+# - natively compiled packages
+# - cross compiled packages
+# - qemu-emulated packages
+
 (next: prev: {
   # XXX: when invoked outside our flake (e.g. via NIX_PATH) there is no `next.stable`,
   # so just forward the unstable packages.
   inherit (next.stable or prev)
   ;
+  # TODO(2023/03/09): chromium 110.0.5481.177 build hangs. next flake update should resolve?
+  chromium = next.emptyDirectory;
 })

pkgs/feeds/default.nix

@@ -26,16 +26,23 @@
       passthru.initFeedScript = pkgs.writeShellScript
         "init-feed"
         ''
+          # this is the `nix run '.#init-feed' <url>` script`
           sources_dir=modules/data/feeds/sources
-          name="$1"
-          url="https://$name"
+          # prettify the URL, by default
+          name=$( \
+            echo "$1" \
+            | sed 's|^https://||' \
+            | sed 's|^http://||' \
+            | sed 's|^www\.||' \
+            | sed 's|/+$||' \
+          )
           json_path="$sources_dir/$name/default.json"
 
           # the name could have slashes in it, so we want to mkdir -p that
           # but in a way where the least could go wrong.
           pushd "$sources_dir"; mkdir -p "$name"; popd
 
-          ${./update.py} "$url" "$json_path"
+          ${./update.py} "$name" "$json_path"
           cat "$json_path"
         '';
     }

pkgs/feeds/update.py

@@ -13,9 +13,13 @@ logging.getLogger().setLevel(logging.DEBUG)
 logging.getLogger().addHandler(logging.StreamHandler(sys.stdout))
 logging.getLogger(__name__).debug("logging enabled")
 
-url = coerce_url(url, default_scheme="https")
-items = search(url, total_timeout=180, request_timeout=90, max_content_length=100*1024*1024)
-items = sort_urls(items)
+def try_scheme(url: str, scheme: str):
+    url = coerce_url(url, default_scheme=scheme)
+    print(f"trying {url}")
+    items = search(url, total_timeout=180, request_timeout=90, max_content_length=100*1024*1024)
+    return sort_urls(items)
+
+items = try_scheme(url, "https") or try_scheme(url, "http")
 
 # print all results
 serialized = [item.serialize() for item in items]

pkgs/gpodder-configured/default.nix

@@ -1,19 +1,35 @@
-{ makeWrapper
+{ stdenv
+, gnome-feeds
 , gpodder
-, linkFarm
+, makeWrapper
+, python3
 , symlinkJoin
 }:
 
 let
-  remove-extra = linkFarm "gpodder-remove-extra" [
-    { name = "bin/gpodder-remove-extra"; path = ./remove_extra.py; }
-  ];
+  pyEnv = python3.withPackages (_ps: [ gnome-feeds.listparser ]);
+  remove-extra = stdenv.mkDerivation {
+    pname = "gpodder-remove-extra";
+    version = "0.1.0";
+
+    src = ./.;
+
+    patchPhase = ''
+      substituteInPlace ./remove_extra.py \
+        --replace "#!/usr/bin/env nix-shell" "#!${pyEnv.interpreter}"
+    '';
+
+    installPhase = ''
+      mkdir -p $out/bin
+      mv remove_extra.py $out/bin/gpodder-remove-extra
+    '';
+  };
 in
 # we use a symlinkJoin so that we can inherit the .desktop and icon files from the original gPodder
 (symlinkJoin {
   name = "gpodder-configured";
   paths = [ gpodder remove-extra ];
-  buildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ makeWrapper ];
 
   # gpodder keeps all its feeds in a sqlite3 database.
   # we can configure the feeds externally by wrapping gpodder and just instructing it to import
@@ -29,4 +45,8 @@ in
     unlink $out/share/applications/gpodder.desktop
     sed "s:Exec=.*:Exec=$out/bin/gpodder-configured:" $orig_desktop > $out/share/applications/gpodder.desktop
   '';
+
+  passthru = {
+    remove-extra = remove-extra;
+  };
 })

pkgs/sane-scripts/src/sane-deadlines

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# processes a tab-separated "deadlines" file and alerts for any upcoming events.
+#
+# deadlines.tsv file format:
+# - <date>\t<reminder-interval>\t<event>
+# - no header
+# - one line per entry
+# - <event> may contain any non-newline and non-tab characters
+# - <notice-interval> is the number of days before the event to start alerting, followed by 'd', e.g. `14d`
+# - <date> should be lexicographically orderable and machine-parsable, e.g. `2023-03-14`
+#
+# example `deadlines.tsv`
+# 2023-03-14	1d	celebrate pi day!
+# 2023-04-18	14d	taxes due
+# 2023-04-01	7d	the other pie day :o
+
+# configurables:
+deadlines=~/knowledge/planner/deadlines.tsv
+
+if ! test -f "$deadlines"; then
+        echo "WARNING: $deadlines sane-deadlines file not found"
+        exit 1
+fi
+
+now=$(date +%s)
+sort "$deadlines" | while read line; do
+        # parse line
+        deadline_field=$(echo "$line" | cut -f 1)
+        threshold_field=$(echo "$line" | cut -f 2)
+        description_field=$(echo "$line" | cut -f 3)
+
+        # normalize dates into seconds since unix epoch
+        deadline=$(date -d "$deadline_field" +%s)
+        threshold=$(echo "$threshold_field" | sed 's/d/day /g')
+        birthtime=$(date -d "$deadline_field - ($threshold)" +%s)
+
+        # show the event iff it's near
+        if test "$now" -ge "$birthtime"; then
+                days_until=$(( ($deadline - $now) / (24*60*60) ))
+                echo "in $days_until day(s): $description_field"
+        fi
+done

pkgs/sane-scripts/src/sane-ip-check

@@ -1,3 +1,4 @@
 #!/usr/bin/env bash
-curl https://ipinfo.io/ip
-echo
+ip=$(curl --silent https://ipinfo.io/ip)
+echo "$ip" | grep -P " *^\d+\.\d+\.\d+\.\d+ *$"
+exit $?

pkgs/sane-scripts/src/sane-ip-check-router-wan

@@ -3,13 +3,16 @@
 # requires creds
 passwd=$(sudo cat /run/secrets/router_passwd)
 cookie=$(mktemp)
+curlflags="curl --silent --insecure --cookie-jar $cookie --connect-timeout 5"
 
 # authenticate
-curl -s --insecure --cookie-jar $cookie \
+curl $curlflags \
   --data "username=admin&password=$passwd" \
   https://192.168.0.1
 # query the WAN IP
-curl -s --insecure --cookie $cookie \
+ip=$(curl $curlflags \
   -H "X-Requested-With: XMLHttpRequest" \
   "https://192.168.0.1/cgi/cgi_action?Action=GetConnectionStatus" \
-  | jq -r .wan_status.ipaddr
+  | jq -r .wan_status.ipaddr)
+echo "$ip" | grep -P " *^\d+\.\d+\.\d+\.\d+ *$"
+exit $?

readme.md

@@ -32,6 +32,13 @@ this can then be `dd`'d onto a disk and directly booted from a EFI system.
 there's some post-processing to do before running a rebuild on the deployed system (deploying ssh keys, optionally changing fs UUIDs, etc).
 refer to flake.nix for more details.
 
+## remote deployment
+
+some of my systems support cross compilation (i.e. building from x86-64 for an aarch64 host without using emulation).
+- `nixos-rebuild --flake '.#cross-moby' build`
+- `sudo nix sign-paths -r -k /run/secrets/nix_serve_privkey $(readlink ./result)`
+- `nixos-rebuild --flake '.#cross-moby' switch --target-host colin@moby --use-remote-sudo`
+
 ## building packages
 
 build anything with
@@ -45,11 +52,15 @@ on the other hand the `packages` output contains only my own packages.
 
 in addition, my packages are placed into both the global scope and a `sane` scope.
 so use the scoped path when you want to be explicit.
-
 ```
 nix build sane.linux-megous
 ```
 
+to build a package precisely how a specific host would see it (in case the host's config customizes it):
+```
+nix build '.#host-pkgs.moby-cross.xdg-utils'
+```
+
 ## using this repo in your own config
 
 this should be a pretty "standard" flake. just reference it, and import either

secrets/universal/net/README.md

@@ -0,0 +1,5 @@
+## to add a new network
+- connect to it (via GUI or `iwctl` TUI)
+- find it under `/var/lib/iwd`
+- `sops ./<NETWORK_NICKNAME>.psk.bin` and paste the contents from `/var/lib/iwd/SSID.psk`
+        - in same file: add `# SSID=UNQUOTED_NETWORK_NAME` to the top

secrets/universal/net/archive/2023-02-home-shared.psk.bin

@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:OaFr+OOaBxi0PaApOYLUjJ0NgD5ABBQOaf6KpR9rheE2d1pQNa0jqnD4/ttqJrq8JjZT2Y6GDSwM5gPM,iv:TuyQPPDXM8cJU/GhJpdvxwB8+v6JavHcA+vmLHA3/74=,tag:V6RTKw6Cot4B4sK1JcRGmA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNzNHZWcvTmVVaGFabUU3\ndnZwVFdVcFBXZkoxTFA5WEZMMnRvUDBsS1NrCnRKUTNDZExFL1drSjBTakw1VmZW\nYWJzTUtVN0lrWXdiRk9QaVNmZmRqSjAKLS0tIGtHTzNUUnlnU2duNDF6UUlzUUJa\nSXhxQmRXZEZKK2htenF6N1kzV1VvancKP8jZotJe9188kId6cwVzITNwtELegpzi\nOKrWPWuIveSdMGmMsRDAcQbL0xVN0qd+Y4qsZ9l6e+cVAT3cHb1vDg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLemhLZUwzSVJLNUhYQXQ3\nY3ExU1BJUzY4a24vUjRmazhtc1RIcVpyem1jCmFEVzlIZkxjSUc0RTdqQWRLTGNS\nL3FaRFhjdnZqNFk0WDFSY0xOTENxMkEKLS0tIDVzK1lPM1FlWmZLZFA0ZDlPKzla\naXRqTk90aVNTRHlNZ2FmcVY3b1JKbEkKTu8tiEKyab1bOsgdsRlEWeG9wzdg/d/s\nPfh7rnvf7Ex8Jl6qSq6xMPkv+19EbSpfSq0FRtCue/Wcce3cUmGToA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUY4OW5UNXFjOXQrUklu\nK3poU3RNVnBtc251TmRtMGJ6Z0ordDFhUGhjCms2a1o1Z1plNlpwSlYrUEEzRDZm\naHdEVVIzRnExNVhzci8vN0ZIODh3QzgKLS0tIGUxZ2gvbGM3YnMwVXU1RnNOSlBO\nVE94UFdKaDkwbmV5YjlBWm9ZZkk4Q0UK6CaPAtRrXKUzR29ZfXV8MvqszTu8LkT2\nQPlNJ4ckgTyivyseukR8X5fPKrrXIVtE+C6Xk5mJ6nGKD+oLprhpag==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUk1yL3dLUnBpNWNxMzQw\ncDdVa0szNjBVNnNXdmZwNVNEK1RwUzJTMlhZCm9oV3NaZ3k0SERKMEZCQTRtRUI2\nVmdzWndQT1c4UUh2MzQyMEErdm96NG8KLS0tIG1aUElzK2VjUTNYOGRpbkpZTDVz\ncG9jR0VzNi9jYmdCTU1qMmJtNFNUaU0KkrIx2BKjj7l+52Kk/L8rNZYAsa87z9UH\nDtxhLTnQu8DPtm5o2sbGdEZgt9qKPJiylLNKVne3EyscMaehdB17RA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSUtONWlzZ0JQbDB0L1FU\nWlhCL0p4d3lpamg3YWdIUVhDc1hVRWR1MVhFCkdZbEhnUG0vYTJVZnphdTZNSXBW\nVGdpemc5Q3hSenN4V09ZbTFOK3kzK0UKLS0tIG9ZWkdSMHhzTGJleFF5L2RsdUxK\nSEdtSlB0L2d4TTVWcDJWaE13NjFiTkkKWgfem58/ZKqVaXiL0UGVTjA7AhSkD8Fq\ne/i5HKN1Pvgv8TVPnZ9mtGP2gwwkoFYgxM8/0jBjJUm4QDbTkocVJw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNR05jQnJZZDNndmZnOVNO\nRFhVU3pLUzBxeC9rQlRoVWFCN1Y0bjhBM25VCmJKSzhkMjF1L3pGRjZmOURNeUZE\nTU8vN2pYVmZzdWdpaVdqcXloNGhTSlUKLS0tIGovSG84amhyTFZHZ2FNdTl3SzJj\nN1dObkd6K2J0Y2Q5bG5DR0VaUk1uSlUKxShDW7BD6sENlFjqp7/wFbV4g4gD7u5d\npidF9F+vXhpoBIwLlhruzvwyNXG4hQcKfWCnliXhVvNYbgaooDDhRw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MkJ1RkVBeHJnR1FGeDVi\nN0htdHZ3cVNCcTJabnlkSUQ4aHUxRndvbVhZClk2d2ZRTlJIVTg1T3dkKzdMRXJt\nNXh5OWtud3gvNWNkRWI1UE1kSytYOUUKLS0tIHhhQVpmRWtTYVFjSUN5aEVYWDJx\nS3hDMlFkVGQyM2U5QjlJMko4OGRWdkEKG98s0QVSs1o4MQ9937okXDS4WH41S1Aq\nUSL8idmlPUJzgdHshuLv2Ic2RXVjJu8V508trO8bTymrqkNAQ0miMA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraXJQOHR6ZzE5TjNQYmpB\nSStEQS9mcUpMSXlFQ05DcllFSjNOT1pWdVJZCmtSL3FkZ2Q1cU1Fc1dZbG13eXJC\nTXJkN0NzWTlDOEFMRGNQUG5HQUNUVDgKLS0tIGRwcmVxS0lNQ09GdmxKY2pkQ2Yz\nSkpZam1ZQUN1L1FZZ010ZlhUV1N4VlkKqsFAE+xZ24IMzIFjbsgANdjiGwVZk5rq\n66y00bjw+uj6WOwQuE1I9WcYDhCXEUQB9u4Q+hzejaFzCJ90N/WF4w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-01-07T03:06:02Z",
+		"mac": "ENC[AES256_GCM,data:L3wY2ZdR1ASbLbKXiipWfBiQ5cumItuiL1+TwTJhU5ZtxLe6SMUyhckvuX8hczlFPUlJQJDCwpgVBs9C6GRAU45jzHYmpcfF30auiRT2dF/2doH9yiYZoF7JtbTas0Kvt1yxlPfuTi5mFuJGAKDOw6+a5ayQHYlK3/RxAUn0yPc=,iv:U/vlmvI1l4u92eUDXRphS0tscLOlWorOdmT7wDwGbAM=,tag:bQayboRgsMKT6akDq+rzQw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

secrets/universal/net/home-shared.psk.bin

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:OaFr+OOaBxi0PaApOYLUjJ0NgD5ABBQOaf6KpR9rheE2d1pQNa0jqnD4/ttqJrq8JjZT2Y6GDSwM5gPM,iv:TuyQPPDXM8cJU/GhJpdvxwB8+v6JavHcA+vmLHA3/74=,tag:V6RTKw6Cot4B4sK1JcRGmA==,type:str]",
+	"data": "ENC[AES256_GCM,data:HB8H4esi1JeRDvcvcAm9WAqr5L3Tre0aWQ/erwKro6q960NYJMNO0xbUSbp/QBd/u5zjuR56a+Jjhw+SWtxdjtMW2Iu2yFScQBoVTggeL4i1p7q4/HO2F4EMW8Q3pSu9AAa5RbXzCkHHvpB+eceQQIAYjVUC+9lFuUvCpBTfcqomNsonqfPmyGCu2iiK4VYV5uH56kwJMhRQCY+KpWXpdCE2pr3u1ikWHmBY/5Gr8r5srPVbpsb0JJG8+puPPiQ98Fplev9+kfw4KJHbgZ7CoQbL8Lg5eFqEJag7cTO2AlBWcA/oMfn1mOAffMhLXSDHxoOei2Ty5NXKe5oooeRCBd2PNxWMCRz+uprdkIlW9CBxppaP4S4c5g0bcotLjm7P9ms9DNEgHi89Qgjlu7yIQVEP7mp15g/srgvodURrjEQSnNvLZhlLNuncO4TzWM/9HgC2M+wzSt2ypJRp8nAkWfw1IuZ9Oz9BO6zOvPhNUJy361EGdOXwC435zUAydZakBTrlNd/Rw5+WFiFfJdTFeOzeQvqyQy+WrNS0jg91tMw8oNDf1p1iJ0j6D0Br3DYSNK0TxfdUXGyDLUpVpQpbVvMBbvwozTinuLkQzmXuqqb74nd0aBon8g4BJJSeVHFl13/eFdNKfbLLvD/ubIdKtg==,iv:OtYRb1AfJLVyZ9rmnUoCkzXHtO6yk7RZFcmnZYvHLek=,tag:I2wMiheAxY/j1jG0Rhying==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -8,39 +8,39 @@
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNzNHZWcvTmVVaGFabUU3\ndnZwVFdVcFBXZkoxTFA5WEZMMnRvUDBsS1NrCnRKUTNDZExFL1drSjBTakw1VmZW\nYWJzTUtVN0lrWXdiRk9QaVNmZmRqSjAKLS0tIGtHTzNUUnlnU2duNDF6UUlzUUJa\nSXhxQmRXZEZKK2htenF6N1kzV1VvancKP8jZotJe9188kId6cwVzITNwtELegpzi\nOKrWPWuIveSdMGmMsRDAcQbL0xVN0qd+Y4qsZ9l6e+cVAT3cHb1vDg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRGdDWXc2eW5VYVkxbXJp\nSWE1VE8wdEZVK2x3MHdmeEk1dWZyU1Q1QUVvCjJCV05ZV3FZdjl5VkNvMGkreWt0\nZTVWY1FwV21mQlIrVFFIWVFjOWw0TkUKLS0tIGRNRWlEaTdMM1l5M3MramVtZ0dh\nelh6RVM5TTh0MENOamsxRng5SnVpU3MKRwrQBe1PSYidsYakba+53yy1DoJb3Ppq\nDBhsYOBrkdQrS/0yG1ojm+VonVdZfBo53lUb+eGhroibhbOLZytdaQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLemhLZUwzSVJLNUhYQXQ3\nY3ExU1BJUzY4a24vUjRmazhtc1RIcVpyem1jCmFEVzlIZkxjSUc0RTdqQWRLTGNS\nL3FaRFhjdnZqNFk0WDFSY0xOTENxMkEKLS0tIDVzK1lPM1FlWmZLZFA0ZDlPKzla\naXRqTk90aVNTRHlNZ2FmcVY3b1JKbEkKTu8tiEKyab1bOsgdsRlEWeG9wzdg/d/s\nPfh7rnvf7Ex8Jl6qSq6xMPkv+19EbSpfSq0FRtCue/Wcce3cUmGToA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSXU2TnQyT2JtUDRKMVhZ\nclNtNHNEWTlXY2JNN2ZVcXY5OVlNcWhHNFNrCjJnTUlpaDVmcHo1NUJpUk5GMldz\nSzQ2QWhHN2VSeGlPSmtMSSt2TG1CN00KLS0tIGY0U3UzN0NwWE96b3kwUU9tbW5U\ncjhETWV0R3lJSHcydXQ1bTVOYnVHN2cKs35cc525DpaAnsNzDa/ooq53QSaquMxW\nvjI/+9I+q4MP+XrRTPNSl0YRyy7ZZyDQaGgj6ljOFEb66irMEotKGw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUY4OW5UNXFjOXQrUklu\nK3poU3RNVnBtc251TmRtMGJ6Z0ordDFhUGhjCms2a1o1Z1plNlpwSlYrUEEzRDZm\naHdEVVIzRnExNVhzci8vN0ZIODh3QzgKLS0tIGUxZ2gvbGM3YnMwVXU1RnNOSlBO\nVE94UFdKaDkwbmV5YjlBWm9ZZkk4Q0UK6CaPAtRrXKUzR29ZfXV8MvqszTu8LkT2\nQPlNJ4ckgTyivyseukR8X5fPKrrXIVtE+C6Xk5mJ6nGKD+oLprhpag==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvVWZMU3RoTDNqc0ZtcDBQ\nUllueVdFRjJhRGQ0MG5oMjNVUmt3SDgxMHhRCk10cCtGMUdEMW8zVFMvckJ5aXF5\nRjB5eHE3K1lIeGNOWFVRQVA1SkRRbVkKLS0tIDZJRDNCOW9iZFBISDg1OWtWcWto\nV3VUSmtzUXdtQ2Zsa2F5eWVXUXFZUG8KsqIQV7vKqbC1LKbDHJzQCbKmBqKLWZrI\nyt/mK0jfpQGS4vucmitMoEMsACrV1vG8hLC1yrt+gHudZX9zvtVLSw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUk1yL3dLUnBpNWNxMzQw\ncDdVa0szNjBVNnNXdmZwNVNEK1RwUzJTMlhZCm9oV3NaZ3k0SERKMEZCQTRtRUI2\nVmdzWndQT1c4UUh2MzQyMEErdm96NG8KLS0tIG1aUElzK2VjUTNYOGRpbkpZTDVz\ncG9jR0VzNi9jYmdCTU1qMmJtNFNUaU0KkrIx2BKjj7l+52Kk/L8rNZYAsa87z9UH\nDtxhLTnQu8DPtm5o2sbGdEZgt9qKPJiylLNKVne3EyscMaehdB17RA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbi9kSnUvdDdlWVBBQXY5\ncy9DYjNBNlMxd2tXMHRDUjl2WFZTd3NySVRZClZJendtditxZVluQUNXM1VlS0tz\nSFBMQ1FHbks1VFgvM0ExQmw5SkYwZE0KLS0tIHUvVGkrV3VmZ2RodDhFMktYcTYv\nRGhxL1hQMDlPZHhXRTdRcnVnZjdxQ1EKFcSljMApXgz3sKoiBTstm9BErhlLL5HR\n7LTocTL1s2s0yLFHedNmbad4kRA3mTAywwNtfAEZ3vWx+WB4NOhS7A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSUtONWlzZ0JQbDB0L1FU\nWlhCL0p4d3lpamg3YWdIUVhDc1hVRWR1MVhFCkdZbEhnUG0vYTJVZnphdTZNSXBW\nVGdpemc5Q3hSenN4V09ZbTFOK3kzK0UKLS0tIG9ZWkdSMHhzTGJleFF5L2RsdUxK\nSEdtSlB0L2d4TTVWcDJWaE13NjFiTkkKWgfem58/ZKqVaXiL0UGVTjA7AhSkD8Fq\ne/i5HKN1Pvgv8TVPnZ9mtGP2gwwkoFYgxM8/0jBjJUm4QDbTkocVJw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUU5VenRYVTBQT0o0dFdz\nRHFjNGpRQ3VkaWF4a3p5ZitrY1JWTnVuckUwClFjZG96VVVDaWZPNnJaK0Q5VG83\nUkpGME5KQk1IL0tQendPSEwwZGptMVEKLS0tIHJDZTg2UFBJNytPL285cy8wcVFL\ncjRYZXVoamUwRVZwK3JnQUxhM3lEOVkK6obmbqk+5PNp1dflUb1l12hfat33JOFD\nFfr7iCU16nGeNYKqQ6VWXkPeRmr7xLi4FKHSgG0q/KFjlpEikBwD/g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNR05jQnJZZDNndmZnOVNO\nRFhVU3pLUzBxeC9rQlRoVWFCN1Y0bjhBM25VCmJKSzhkMjF1L3pGRjZmOURNeUZE\nTU8vN2pYVmZzdWdpaVdqcXloNGhTSlUKLS0tIGovSG84amhyTFZHZ2FNdTl3SzJj\nN1dObkd6K2J0Y2Q5bG5DR0VaUk1uSlUKxShDW7BD6sENlFjqp7/wFbV4g4gD7u5d\npidF9F+vXhpoBIwLlhruzvwyNXG4hQcKfWCnliXhVvNYbgaooDDhRw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaTZOdWtsWFRoVktXSjJF\nRHBQTVd3OXFBbkRJZzZiQXFIRlRrdFh0M2lFCnpmS1pxYzFvSmlZSTIrMTgvangy\nWDhySUdpUXExRnphazNBcjg0cktSN1EKLS0tIG03dTlqQ25EV0dRWHJvUy96TzRU\nRVFOL2ZZMmVLc1g5SGgrc2VHTlNMeGcKqy+ulNsanMLch1oMq/gSlPO0gy/NO6Gn\ndX1hAe4UPo05nxf58rEDd3ejXliU4ZEvk9p999nFcg85vTvyw9/K/A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MkJ1RkVBeHJnR1FGeDVi\nN0htdHZ3cVNCcTJabnlkSUQ4aHUxRndvbVhZClk2d2ZRTlJIVTg1T3dkKzdMRXJt\nNXh5OWtud3gvNWNkRWI1UE1kSytYOUUKLS0tIHhhQVpmRWtTYVFjSUN5aEVYWDJx\nS3hDMlFkVGQyM2U5QjlJMko4OGRWdkEKG98s0QVSs1o4MQ9937okXDS4WH41S1Aq\nUSL8idmlPUJzgdHshuLv2Ic2RXVjJu8V508trO8bTymrqkNAQ0miMA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYXYzVEJyYUs2a0s2aW84\neHZwbWhUSmpTbFg5c3RiV2N0OE05R21IeGhvClRzTDk1M1VPMFZpWlNPcEp3Q0tJ\nUjlWMHVBbUtiRmlwZUpKZWlPdHYxaWMKLS0tIDBVOUNxbW8yM1JJRk81QmdBOWp5\nL0xsL2U2VDdMR1YrWHpEQVNWU3YySG8KceuhQOvfHl3EDlxXbUT9PR0CAxP5+iDs\ngEBnRKpCfhq+Fr84fmlZmIBF9R5fmAn1Aq290U0ak3eHz+GWLlTgjA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraXJQOHR6ZzE5TjNQYmpB\nSStEQS9mcUpMSXlFQ05DcllFSjNOT1pWdVJZCmtSL3FkZ2Q1cU1Fc1dZbG13eXJC\nTXJkN0NzWTlDOEFMRGNQUG5HQUNUVDgKLS0tIGRwcmVxS0lNQ09GdmxKY2pkQ2Yz\nSkpZam1ZQUN1L1FZZ010ZlhUV1N4VlkKqsFAE+xZ24IMzIFjbsgANdjiGwVZk5rq\n66y00bjw+uj6WOwQuE1I9WcYDhCXEUQB9u4Q+hzejaFzCJ90N/WF4w==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTU1tT2cvUEpQWnpOWE1x\nNXlENUgvckd1dzZHU21PbVprOUpnVVA1OHpnCjZjOFJBR3hRbHBlbkMrbUFNa0Fl\nNDVKZ0IxWkgyWUhvckQxaW5wbEIxWmsKLS0tIGxTdUVWcEh2K3g2NFFIb2FmZG5a\nOWkwRUtlMVpRMWFOb25QVWF1bU9QZzgKcjkcHLqSSncBsmaricXdAzSWeaKlgbmb\nMbU1lXSZymzmNiu7J1O4MsgWgZv8N/E1HTFqcRv2+wPz8FVDLPL0Fg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2023-01-07T03:06:02Z",
-		"mac": "ENC[AES256_GCM,data:L3wY2ZdR1ASbLbKXiipWfBiQ5cumItuiL1+TwTJhU5ZtxLe6SMUyhckvuX8hczlFPUlJQJDCwpgVBs9C6GRAU45jzHYmpcfF30auiRT2dF/2doH9yiYZoF7JtbTas0Kvt1yxlPfuTi5mFuJGAKDOw6+a5ayQHYlK3/RxAUn0yPc=,iv:U/vlmvI1l4u92eUDXRphS0tscLOlWorOdmT7wDwGbAM=,tag:bQayboRgsMKT6akDq+rzQw==,type:str]",
+		"lastmodified": "2023-02-15T01:53:52Z",
+		"mac": "ENC[AES256_GCM,data:C0zS4XzJ4HHaOZiZrZnd3fbdoEoMcWTQmJnyu0irYo9UGbXzs58EoHC1PJjoxdauD7zIby5DqW88Y9tzG0j5Wc8AveAHZ97XQs/9vHMBI2PeBrduUDVPZL7UwBxKSimaXcJLBylUvpO5/j1Ceg+/nf4lzD0OJksJP5B2MFWIH0A=,iv:DEiGZyvc0ugiJ9DHDNqkA6+D2r7PvTi5qsCzpvzxXdM=,tag:wFzeFvrrK8FqQ3LapHCB9Q==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"

secrets/universal/net/makespace-south.psk.bin

@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:tNQEuMx+Cp8vRELzeQoWLQail2jy5TEBSqJM1o+tV5mSStTLQFMR+L/cnKQYqEpNWJgZ3kSaqkAUqvY5yG/y7TIUZDWqeLLnOJDrmahku0CFPmC3BC8yjrTaISaDRT0FlLH7Osdk2pbDlmcerPwRaEtptovgHvMeJC9cMrfFUOF6LXdNIh7zslWyYvEzrAPtnxKiyIA7pan8sua2FG6AIfMj10c+p/ck29pqhtxAGJvmMMCjMBB1XNjaYjzRzEddbry84cJjhF2Hyr0j/W4U0SLDdD9cfh8idwmrBAP9zI1/nlHjO1labI+U9WGdyyeoPFY+Phm8qm7WxpFsDZnk4B5IGaN1yB9I7KP4tneSw8VOmz5L7BBJszJRUEOQ95Q7D7gos+ytfbnzIBeHh55eSuRzj5xSqG4dPSp8biBGEC9Y4gShCvxNa7r7tGF82jrI32Xe3MFz5zRsx5HvbpB/xytBS0fguxgtnFm8OJf7j3vyGwQoCCJT4pLpHmhei0JpmicbAIgKCcmz//sSUZKXNMV+rb58ntjvNu/Cy9TgOaNTpmeIpe60Gg5ONXypM8Zdmv+cY3NATg9ukdXpdtjW0+SMTTOC+Ug2z9D0Wy4NUQOsNevVUr/22155v+SGcSImVJtiOZ3xYgjND1n/smoUs7tvOVxb1Qjwty40VLwHi+Od3w==,iv:cBgkFEs/bUBRdQnmxqYiJwqQWMXoJ61lHEnMwkfQ6YQ=,tag:E/Vj1nwF1VrxjSyo55W/Ag==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieFRHNnN3L2FzMGcraHds\ndDFYU2dwUUU1OVh3WnhtWWk5QlZJNmFLd1Q4CkVaNTYreVRGOXdLWitSc2pleDly\nQjRBbERydFFZbkRpekN5T2xCM2x0bkEKLS0tIFhvNnc5M2x0Q2FvUkRXUVNHOXR5\ncThGazRYaHhrdjlCSFE3TWJ6L09jR2cK50dHVdb6XAsgB9WGlfnbIeYluFNFcfSb\n1m+ElNfsE9VOdEzeEI8sNHvfNtleEv0i1CwdRA48mmMc1LetiDgV+g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhOStKYTkvYTFZWkFJZk9F\nbW55RTZLWHJXK1lwSE9OSERrdlRQZWdzbDFzCjcycDdsaVNtVTlPYkh5QVZScExl\nbjNzaVRHaVdlU0dHOTRxS1VvSkRjS1kKLS0tIE1zZkJ2K2FxZFpmeEVxdGVkSXEv\nSklmYmJ0TWx6K0FGc2FqejRQQjNmM1UKwInOj1HG+4zKMkocVI7japkdc1FHNORF\nAMfAlEaB36alown3NmxBVD7zZexEU6Stsvv9eKE6clX/vj7Ny+dKgA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTby9zMm5UTmpGS0JMNlNj\nYVlES0RpVWxsV1ZQZm5NTHZzV0pzdjZFS3o4CkRLWVJGU2g5WjN0eWdDMTIvTzE5\naDJnNjJNNitIaDZaaURxVnhacldtODAKLS0tIDNnRWhlN3ZJNklWUVFkOXdCVjVl\nRkdLcTVsb09oemhxWWZEWENsTlFZM00KQRYOR6rD7pOFSWl9KfNRxbWPVwLnMMXW\nLYRReL1xvK+UdYpae/rKbmExoo94W6IZSxoxeB2BFR9Bna5obbFNjA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQU2k1WkRVZW1paS9id0hw\ncXhucTlCeThjYm5Fb3A1RnNzREN4eFA5OGh3Cmg2Ym9nOEF3Y0FGYVlra0RuTXh3\nZFVKUnVlSEZGaXlMdVJuZno5K3RTL00KLS0tIHNDV3FJOVhybWpGZ1h3TTZDWGtj\nNEhQQ1A0SGFYNnVzQUhFa25tOW82NWcKTX/QwhOVAWL9tgfzopMAdWuBmzCni1mg\nTfI9R6ZP6gdBESUk7+kLc8uiEJIxuiWCivp9gWr7Xletbm00Pnkglg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVjN6Q2gvNVFwQ3hjOElE\ndXVUVDdQQWNCdTB0Y1VuVnlsNjg3UlhyMWdRCmpEQ3pZUyswditHd2s2dUlMRmFa\nY3lFc0FwdzNrZzdyZ2hOYzJXdWVXUUUKLS0tIHV4dWcyb0dnWVJnY1pudUxUK1Y0\nbWVhRzdLMjNpc2xxaWQ5U2x0SVdHck0K2gB1itweNVt0kKZj2gO+ek7hlJoxfkoY\ndMCEH+kWxhtXuXHznCZb+Itrm7vGgqWQdXlqilMEYuhLbPHvs5jXMw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNVhjK3hWSVNnb1Y5SUFy\nRWt6TDByWFphNnhNbThubnpIaHc0RERpTlhFCk5reUIzanIvVUxuSEg3RWhZNTBL\nUlNMc2hvejZSUUtXZFFDQ0M0QzBiTjQKLS0tIHhtUjd6ZUVpM2JXaXdsejU3bmFE\nQklLL0NwNjFzOGpGUHoxd2drNUVyTnMKGOEhPALGhyvDBPpuib1R425JBih3cBzs\nofk+eL5cRTwfLe7a/kOeNudNtamKLR8IEfJKgokjtBEaYBNo1P+Vuw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOVVwZUM5ODNsNFFzOWdo\nS2RiejlsQVVrSmJ2SVFGbklsSUpCckVnSlZ3CjlmSTJZaE9pMlRiamNtUmxyK3Na\nMFljczFnNktCaUs0eC90M0c1akNxdWcKLS0tIDFoRlNyZVo2R243WGNHR3B3cDI5\nRHZYK2lBM1ZLZWFWM3hzdnR2cTM4aTgK67Ik3qwQEuOuL60BRRGmpmVgdIv/Bavi\njeC4BTwBanXxbhZodFfdtHmgxkqE3w2Eu5ojwFje+obUagj8B3PmNA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcndDbG03cW0ycTlNeFBT\nbEhxcWVDb2N0MkwxNlN5Tjk0T2NTaEw3bFdFCmJYZnZXZ2xYblBtTi9MWEN5amVa\neDFEN01sTHgxLzNrcVB5OC9TU0ViYUEKLS0tIG8rQ21kU0xlcUEvZkVObFJhRUdp\nNG1EYXBZNVpKUGUxK2xXdFpieVBNZ3MK+bGQrmaY1bE23iuKu1UPoChOOnuSBl9d\ncQlr+Wh4CoKp8YTnTTkFAVrWoXcM0eAVapR7f89GqO2vgefo6bnFHg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-02-27T01:05:22Z",
+		"mac": "ENC[AES256_GCM,data:QWj5rcyT9xBLdVCkf1mo0lnpeNR3o+HK6MP1n/XWwSWzMM794+byWDWEfjJIq5EuNL3YirbB5ANrGjdWTzL3UU1WsW3kr0pan2dSrBs9wR4d9RNS1TcFXvxhC0WEEVP1n3wwfOb/TKd9irpv8n2M973atQKJXSTecqOFgDxDa0M=,iv:TcjQuwW9SZlMbHtEj2O+76qnvPsvhrJ3mNmsobEA6rU=,tag:GeVf5bPecUNn8TQ1C12aFA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

secrets/universal/offlineimaprc.bin

@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:YQ3g+zqZoOv6+cjsxahFLlzzJsyNmIzOf0UW/V5Q8WJ5BlfJem/u9SJd9HbYfAZuTGkSzRVTvC3woivV0WOCf+EZ1SPSOLwCFtNKh0kgIsSbZRHJqfMQPzZkd93tAARXj7Gtgi2yGGvIhW9MTDvUDDW1umho46fP61f9JRPflAXRu9JwEDpwVIIkAqk4Jdq3G3wnrkjK7fNQkpULAYqDJzH7IeUUNFbt1/tsI8uj1bzpYzjLkZ9r8grgSO7mpt2h4vPdGrd+XVRT0WG/MLZnukN9rXDfHkrqFtn4XBkp+biQj4RFflNr9/FyZUEqb5wvB5pMMatRdv+PUdgtuSQubfKPHdYXic0Bi+Lgm3gA8FlYnel6dP5I8DXgo4Jupyhw/KMTySn3nhHrhFieSmTItZZ1KKtaQxFGNdnYVcCJCUkwKNM6M5nX+LryxD9MkAn+L2o11QYW6q9HhxO+hXi0IWfq9aRRtU/mw2Og7nA9oesoJqmid7zXVsErsRhnFlEHt7Z6qCbnhcC9lyT/KhK4E0+sJpeukyDVmNAb31040zIKEOQMFyMHw1nRFHxth4Kw2AGIRA/UiB1JxR/QW+1tZSB8MPS6GtklXE6GAlphAnssrkIc+5L+bWJTOwSYsw6T6SYCMO5I/0OEgZTys6/dYVLSl6GVmYb5Ck8GEzOx7W1fnFQt7KepZUTGstMQ0CsI1zktmXzJel1C+MBga7IC6+P8mB42GZv1mBRiEGs8fjo3HqaoF3omC/7FUrc6UlQnExMEXqgm7jbENL5mfk04zS1YzbMHR6JZapVSD8ykHMkGSYbpqhzgcam0c6aQLD7mGcMZ4L+2FZtgnSPmmfjKxlZJIQE66NWq586N7e+7SWSi9rqEstXGhAahM1RWIog4EW3npOUmNBbz152QaYZeNNTYE+L/9n+oVeWT0evlHxiCpATxgo+DoR6z66U5QYN5EFXcsR/I1s2UUc8xTwwjgEfXkM/IEZUkEHH/kZNJPdmqtpA=,iv:HYjtUSGs1JgxE8HzZ+xYUZoPYanOC6HAVlIdJR8O77o=,tag:teJOFIMtHLs9yzDQIPV0oA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Wmx4QUZSZVFYM1NjRGxO\nRzhmSGV1RTViTjljM0kyaitsV05Jc1dQcXpNCjdFR1FWTFY0L1NkclVJQ2t2bk1P\nNk1WeDA4TE9Zcjc2MkNTeDltQk5TSW8KLS0tIGIvcmNVdDN6eldMamxrWUJ0ekZF\nWlcyN0haZFpmQVcyWS9vOFBHVmFiamMKwROo4FD5Y6TiSDK8byxAq4T9Rtvy1Dr+\nExZFzLeJxXBukLJgzxV8UpBNbcGejetyOZiH+GPwdwO4QKlMGiCsog==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYzhiZjFVWEZidGJpRkpl\nOSszdUNiWDlIMVVTaGFVdi9oZjFoYVhwOFM0CjFNR0ZadExxZDBnOEU1eEJXaHda\nK0NyWmhHZzdSOHFHbEYrQnhwMTcxdVUKLS0tIGd0WjFOczRCSkpkZFpOSDdlTFhG\nQUFQMlRDa1YwM0F0N2U2ZFdxa3YrMFEKXNdULEzPEh3Wk+PxgRt0fypVNAaa682u\nMZBfQbNnAOVU5xlM66+YGWXY/ENWwr3nEauNKq7pWLZqQOCA9RnvvQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TFcvWll5RGZDeU5RYnpS\nb1hHcG4vbzBxL3RiRjl2eUhGbHFjSTJYZ0hBCkhyQUtacktuR0ZZNkM3cEdyMTd1\nVnpMZlNPL1NzcUZzWnd0VC9veW1jL0UKLS0tIHdQalI4N3ZRVFdsMEtCUllBREZG\nUmdQYVVqUGZ0QXJKODFvblgvYnRnZTgKKMmEswejP1HdEtg9hK10pRlt89Iz2iF8\npcZTBFjMnahLvxI4M8HCF7ESxI46jebyna43ZzELQQLPGLuZG0n3Bg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBScXJpV2NkMFhJaDNGVHRZ\nVlRCZVkzSWFyTFRCUktYNFNYekwrNkpITUMwCkZlZm14Q2dZVGlFd2VZZWpmSFU4\nelhNVmE1b015YWYzcGRRa2VMS1ErMDQKLS0tIHFxaEJ4M3cxSHlNV2ppaFUzcTlk\nZWVuN085TnRES0ZGZko3Ym9vOXRhSEEKU8YZFKtDzokS1OXlqA3vBe2C5N7Em+Oq\nDh5N+2qrvqKUzT/YVg9j/YIPswrn2WMJ2xgMgT5VVK+2kn38fk4n4A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWWFFZGVPTEVlc1hvQ3Qy\nUTNrc1Y0ek9ONlQ0RzlkbTNWangrdnFVZ0hNCkovNCtkaG9JUlpnRFJBMFE0Nmkz\nNXByUjlLRUd6RUV1OU53UjBEZnNjTUUKLS0tIDd4S3VrVDkvanlzZStkYllQT3NN\nYWxyYW1pVmt3djIyWVhtdEZCVlducmMKI94q+UTXpUGa/up0lVbWqmBYcPpuoLZD\neW2KbX2MTzotJVXlJyckYvaylEyyN1pKO37OViPnzik2cJYCyD8QSQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhN2ZkbzB1K0g4V0NPQ21x\nckQ3MFVwZzBwNDMzVk9mb0YvVmJxYm5hTTB3CkgzWTR1dUkrdkFKeDBjNWpCcnl2\nY2lCU0dPcUh1VXdWbExST29nRFFQcHMKLS0tIEFucEpGc2s4VGhGYWlQQW9Kd1pt\nTGY5YURVa1NYUit1UHpPVm4zTHNTVVUKTyKPabMpXBkiV9MSfoJr41DfJjzW6FVP\nHWVfUwoVeKEYVJEPYIcso4kywroBWJ5tBpeOdsbth9en3TOHHlBXCQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvN2dvUDRXUWc2eVVoQ2xK\ndXc2anJZVjhobjJrODVlbXNuZjNhZ2lpNERnCkN6V0Y2QmlGNHVJM3JoQ3hwbHJo\nTncrVVN3R0wvQVAzb293WFpCV29BNUEKLS0tIFdhV3RSbkZQVVBxVWpuYzk4bzZt\nekhxSEFFMHRBZWZaOWxUVnFUbkluUFUK53HBDttykEO7lB/86d/ey4I4AZsLrvLm\n7J/rItqQeNJ1qYp/J3HSilbDZmQBI8jM95SP75tUPsmWndK1i9gHlA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNXB2dkJoMzlJRlJxbGRS\nNTl2YmRUb3YxdEcwRnhuT1RHMTJMNm1MQUZjCkMrNGEzV05sdWc1OUROU2V2UVlJ\nSGl1bGxNSzBZalRZd0YyMElEbGlXZWsKLS0tIFRVQmpqRGNmTW9YaTN2Y0JtNHp6\nbkw0dTlmNVFwQkl6Q1ZIcUNxTGp2TzAKaZawNzF3mYl/m0X/IbfWL8WhLllF6fkT\nl5BQg3uMLC4pTnRcZHmBLrzRHhoOy9qLLkiimkQaseUhI+hAUt9bAQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-03-03T08:41:07Z",
+		"mac": "ENC[AES256_GCM,data:cxu1p3O0CLiIrqD7HrFUiDPrbF7N3puR3C6VKLfmWa0liHIrkwylOHhyP2WYL1GnbXrMdSZEZ9W487yqsFMiVLyVYmvrg6/TB0I936+PdPgb3miBlb1aE+g23FHQNbpTthbdLJow2tbw1n152ZwtjHPZ+swQhoexeZrpNJipBZ4=,iv:/uua9R2uXvJISgETRBaAREFW3+DsAi+dN4DoMMYHKi8=,tag:wUITr1eIhndhK6EVEyOmog==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}