moby: patch alsa instead of special-casing PinePhone config

unfortunately, this forces us to recompile *everything* above alsa, without leveraging the nixos.org cache. several hours, and probably necessary after any nixpkgs update, so not super practical.
moby: switch to manjaro alsa UCM files
2022-09-26 03:47:35 -07:00 · 2022-09-26 01:42:31 -07:00 · 2022-09-26 01:27:09 -07:00 · 2022-09-26 00:46:38 -07:00 · 2022-09-25 22:41:56 -07:00 · 2022-09-25 20:20:31 -07:00
100 changed files with 2963 additions and 794 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,11 +2,11 @@ keys:
  - &user_desko_colin age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
  - &user_lappy_colin age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
  - &user_servo_colin age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
-  - &user_moby_colin age1lt739n2tq7dmpglvntjr9j2r7426md7rat7x9w930gagtx4jyvnqwts2al
+  - &user_moby_colin age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
  - &host_desko age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
  - &host_lappy age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
  - &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
-  - &host_moby age1t957gf0z865gya0khgc9x59wy76hzps3sgejjqtwcngn2xl273msxsmpe6
+  - &host_moby age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
 creation_rules:
  - path_regex: secrets/universal*
    key_groups:
--- a/TODO.md
+++ b/TODO.md
@@ -1,13 +1,16 @@
 # features/tweaks
 - set firefox default search engine
 - iron out video drivers
 - emoji picker application
 - find a Masto/Pleroma app which works on mobile
 - remove hardcoded uid/gids outside of allocations.nix (used in impermanence code -- replace with username/groupname)
 # speed up cross compiling
-   https://nixos.wiki/wiki/Cross_Compiling
+- <https://nixos.wiki/wiki/Cross_Compiling>
-   https://nixos.wiki/wiki/NixOS_on_ARM
+- <https://nixos.wiki/wiki/NixOS_on_ARM>
 ```nix
   overlays = [{ ... }: {
     nixpkgs.crossSystem.system = "aarch64-linux";
   }];
 ```
 - <https://github.com/nix-community/aarch64-build-box>
 	- apply for access to the community arm build box
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1646131459,
+        "lastModified": 1661933071,
-        "narHash": "sha256-GPmgxvUFvQ1GmsGfWHy9+rcxWrczeDhS9XnAIPHi9XQ=",
+        "narHash": "sha256-RFgfzldpbCvS+H2qwH+EvNejvqs+NhPVD5j1I7HQQPY=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "2f39baeb7d039fda5fc8225111bb79474138e6f4",
+        "rev": "def994adbdfc28974e87b0e4c949e776207d5557",
        "type": "github"
      },
      "original": {
@@ -39,11 +39,11 @@
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1656299939,
+        "lastModified": 1661716773,
-        "narHash": "sha256-gODt71CCv0gnMNeU4GYdSBJkxsfmBy0uNv8owQC1oPs=",
+        "narHash": "sha256-uxf0aC+kx8av3/IT8/UecxSMElC9i4UQvH25RHFwna4=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "de9a88a70f0ae5fc0839ff94bf29e8a30af399f8",
+        "rev": "09e388c42298fa777caa7738cd8d8d2b6d1ac8db",
        "type": "github"
      },
      "original": {
@@ -54,42 +54,26 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1656265786,
+        "lastModified": 1664017330,
-        "narHash": "sha256-A9RkoGrxzsmMm0vily18p92Rasb+MbdDMaSnzmywXKw=",
+        "narHash": "sha256-919WZKBTxFdTkzIK6uJXE7hwSPQb7e/ekybxxWaotR4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cd90e773eae83ba7733d2377b6cdf84d45558780",
+        "rev": "fde244a8c7655bc28616864e2290ad9c95409c2c",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-22.05",
+        "ref": "nixos-unstable",
        "type": "indirect"
      }
    },
    "nixpkgs-21_11": {
      "locked": {
        "lastModified": 1656198488,
        "narHash": "sha256-xe81o3Kin6a0jXA3mTxcR+jeA1jLKw3TCar5LUo/B5c=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "46af3303651699dc58cfc251d9b18c0f59d857da",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-21.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-22_05": {
      "locked": {
-        "lastModified": 1656199498,
+        "lastModified": 1664063819,
-        "narHash": "sha256-/BCpM7j7y1G4het6Z3idlnv9A87/s0O1glVmH7fnWvk=",
+        "narHash": "sha256-5wXa+9uboo7UizMDeUTMoANv3pm0g9ze1NdTleY3rCE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "72a1f167077060a1a7b6e0104863245d0483fa7f",
+        "rev": "aee4db5b9eaccd3fb7f16c742685fef9dc355077",
        "type": "github"
      },
      "original": {
@@ -101,11 +85,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1656130826,
+        "lastModified": 1664028844,
-        "narHash": "sha256-g5Wo75ddDQmWnL70rJCMm+JJlvHbzPFUePUpuMNn5qk=",
+        "narHash": "sha256-wwGqnvROHW54ma0h4q6GL5toKxTVVKvAypv0CcJkraU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "72d1b0d0fac131df1ea254b65413c85609bdd2ee",
+        "rev": "72bdd03f0d5696412b25a93218acaad530570d30",
        "type": "github"
      },
      "original": {
@@ -115,43 +99,26 @@
        "type": "github"
      }
    },
    "nurpkgs": {
      "locked": {
        "lastModified": 1656313781,
        "narHash": "sha256-T3acwGi/9SnIV/giHCvN+3BqcIDo4GBBW+TBX15EaSg=",
        "owner": "nix-community",
        "repo": "NUR",
        "rev": "b3b8539bbfd02b4543d6723c547cae6edaece8b7",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "NUR",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "impermanence": "impermanence",
        "mobile-nixos": "mobile-nixos",
        "nixpkgs": "nixpkgs",
        "nurpkgs": "nurpkgs",
        "sops-nix": "sops-nix"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-21_11": "nixpkgs-21_11",
        "nixpkgs-22_05": "nixpkgs-22_05"
      },
      "locked": {
-        "lastModified": 1656215886,
+        "lastModified": 1664080128,
-        "narHash": "sha256-67fkBb4GUbuMZTHs08mNycg0hBzboy+5boMD76wLpj4=",
+        "narHash": "sha256-obau1+3+QiTtNGfoTcbSYB5Z4Gvf4o0Or85yLttSYt8=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "aff5d8542c9eb566a000302b22fcc10715bc2feb",
+        "rev": "17f009daf09992d2342657f9bd7b44d877cd00e1",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -1,11 +1,11 @@
 # docs:
-#   https://nixos.wiki/wiki/Flakes
+# - <https://nixos.wiki/wiki/Flakes>
-#   https://serokell.io/blog/practical-nix-flakes
+# - <https://serokell.io/blog/practical-nix-flakes>
 {
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-22.05";
+    # nixpkgs.url = "nixpkgs/nixos-22.05";
-    # pkgs-telegram.url = "nixpkgs/33775ec9a2173a08e46edf9f46c9febadbf743e8";# 2022/04/18; telegram 3.7.3. fails: nix log /nix/store/y5kv47hnv55qknb6cnmpcyraicay79fx-telegram-desktop-3.7.3.drv: g++: fatal error: cannot execute '/nix/store/njk5sbd21305bhr7gwibxbbvgbx5lxvn-gcc-9.3.0/libexec/gcc/aarch64-unknown-linux-gnu/9.3.0/cc1plus': execv: No such file or directory
+    nixpkgs.url = "nixpkgs/nixos-unstable";
    mobile-nixos = {
      url = "github:nixos/mobile-nixos";
      flake = false;
@@ -14,12 +14,11 @@
      url = "github:nix-community/home-manager/release-22.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nurpkgs.url = "github:nix-community/NUR";
    sops-nix.url = "github:Mic92/sops-nix";
    impermanence.url = "github:nix-community/impermanence";
  };
-  outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs, sops-nix, impermanence }:
+  outputs = { self, nixpkgs, mobile-nixos, home-manager, sops-nix, impermanence }:
  let
    patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
      name = "nixpkgs-patched-uninsane";
@@ -27,57 +26,72 @@
      patches = import ./nixpatches/list.nix nixpkgs.legacyPackages.${system}.fetchpatch;
    };
    # return something which behaves like `pkgs`, for the provided system
-    nixpkgsFor = system: import (patchedPkgs system) { inherit system; };
+    # `local` = architecture of builder. `target` = architecture of the system beying deployed to
    nixpkgsFor = local: target: import (patchedPkgs target) { crossSystem = target; localSystem = local; };
    # evaluate ONLY our overlay, for the provided system
-    customPackagesFor = system: import ./pkgs/overlay.nix (nixpkgsFor system) (nixpkgsFor system);
+    customPackagesFor = local: target: import ./pkgs/overlay.nix (nixpkgsFor local target) (nixpkgsFor local target);
-    decl-machine = { name, system }:
+    decl-machine = { name, local, target }:
    let
-      nixosSystem = import ((patchedPkgs system) + "/nixos/lib/eval-config.nix");
+      nixosSystem = import ((patchedPkgs target) + "/nixos/lib/eval-config.nix");
    in (nixosSystem {
-      inherit system;
+      # by default the local system is the same as the target, employing emulation when they differ
-      specialArgs = { inherit nixpkgs mobile-nixos home-manager nurpkgs impermanence; };
+      system = target;
      specialArgs = { inherit mobile-nixos home-manager impermanence; };
      modules = [
        ./modules
        ./machines/${name}
        (import ./helpers/set-hostname.nix name)
        home-manager.nixosModule
        impermanence.nixosModule
        sops-nix.nixosModules.sops
        {
          nixpkgs.config.allowUnfree = true;
          nixpkgs.overlays = [
            nurpkgs.overlay
            (import "${mobile-nixos}/overlay/overlay.nix")
            (import ./pkgs/overlay.nix)
            (next: prev: {
              # non-emulated packages build *from* local *for* target.
              # for large packages like the linux kernel which are expensive to build under emulation,
              # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
              cross = (nixpkgsFor local target) // (customPackagesFor local target);
            })
          ];
        }
      ];
    });
-    decl-bootable-machine = { name, system }: rec {
+    decl-bootable-machine = { name, local, target }: rec {
-      nixosConfiguration = decl-machine { inherit name system; };
+      nixosConfiguration = decl-machine { inherit name local target; };
      # this produces a EFI-bootable .img file (GPT with a /boot partition and a system (/ or /nix) partition).
      # after building this:
      #   - flash it to a bootable medium (SD card, flash drive, HDD)
      #   - resize the root partition (use cfdisk)
      #   - mount the part
-      #     chown root:nixblkd <part>/nix/store
+      #      - chown root:nixbld <part>/nix/store
-      #     chmod 775 <part>/nix/store
+      #      - chown root:root -R <part>/nix/store/*
-      #     chown root:root -R <part>/nix/store/*
+      #      - chown root:root -R <part>/persist  # if using impermanence
-      #     populate any important things (persist/, home/colin/.ssh, etc)
+      #      - populate any important things (persist/, home/colin/.ssh, etc)
      #   - boot
      #   - if fs wasn't resized automatically, then `sudo btrfs filesystem resize max /`
      #   - checkout this flake into /etc/nixos AND UPDATE THE FS UUIDS.
      #   - `nixos-rebuild --flake './#<machine>' switch`
      img = nixosConfiguration.config.system.build.img;
    };
-    machines.servo = decl-bootable-machine { name = "servo"; system = "aarch64-linux"; };
+    machines.servo = decl-bootable-machine { name = "servo"; local = "aarch64-linux"; target = "aarch64-linux"; };
-    machines.desko = decl-bootable-machine { name = "desko"; system = "x86_64-linux"; };
+    machines.desko = decl-bootable-machine { name = "desko"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    machines.lappy = decl-bootable-machine { name = "lappy"; system = "x86_64-linux"; };
+    machines.lappy = decl-bootable-machine { name = "lappy"; local = "x86_64-linux"; target = "x86_64-linux"; };
-    machines.moby = decl-bootable-machine { name = "moby"; system = "aarch64-linux"; };
+    machines.moby = decl-bootable-machine { name = "moby"; local = "aarch64-linux"; target = "aarch64-linux"; };
    # special cross-compiled variant, to speed up deploys from an x86 box to the arm target
    # note that these *do* produce different store paths, because the closure for the tools used to cross compile
    # v.s. emulate differ.
    # so deploying moby-cross and then moby incurs some rebuilding.
    machines.moby-cross = decl-bootable-machine { name = "moby"; local = "x86_64-linux"; target = "aarch64-linux"; };
    machines.rescue = decl-bootable-machine { name = "rescue"; local = "x86_64-linux"; target = "x86_64-linux"; };
  in {
    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
    imgs = builtins.mapAttrs (name: value: value.img) machines;
-    packages.x86_64-linux = customPackagesFor "x86_64-linux";
+    packages.x86_64-linux = customPackagesFor "x86_64-linux" "x86_64-linux";
-    packages.aarch64-linux = customPackagesFor "aarch64-linux";
+    packages.aarch64-linux = customPackagesFor "aarch64-linux" "aarch64-linux";
  };
 }
--- a/machines/desko/default.nix
+++ b/machines/desko/default.nix
@@ -1,22 +1,22 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
  imports = [
    ./fs.nix
  ];
-  colinsane.home-manager.extraPackages = [
+  sane.gui.sway.enable = true;
-    pkgs.electron
+  sane.services.duplicity.enable = true;
-  ];
+  sane.services.nixserve.enable = true;
-  colinsane.gui.sway.enable = true;
+  sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
-  colinsane.services.duplicity.enable = true;
+  sane.impermanence.enable = true;
  colinsane.impermanence.enable = true;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
-  colinsane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  # needed to use libimobiledevice/ifuse, for iphone sync
  services.usbmuxd.enable = true;
  users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
  users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
@@ -36,6 +36,17 @@
    sopsFile = ../../secrets/desko.yaml;
  };
  programs.steam = {
    enable = true;
    # not sure if needed: stole this whole snippet from the wiki
    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
  };
  sane.impermanence.home-dirs = [
    ".steam"
    ".local/share/Steam"
  ];
  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
  system.stateVersion = "21.05";
 }
--- a/machines/desko/fs.nix
+++ b/machines/desko/fs.nix
@@ -11,12 +11,14 @@
      "defaults"
    ];
  };
-  # we need a /tmp of default size (half RAM) for building large nix things
+  # we need a /tmp for building large nix things.
  # a cross-compiled kernel, particularly, will easily use 30+GB of tmp
  fileSystems."/tmp" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      "mode=777"
      "size=64G"
      "defaults"
    ];
  };
--- a/machines/lappy/default.nix
+++ b/machines/lappy/default.nix
@@ -4,11 +4,12 @@
    ./fs.nix
  ];
-  colinsane.gui.sway.enable = true;
+  # sane.users.guest.enable = true;
-  colinsane.impermanence.enable = true;
+  sane.gui.sway.enable = true;
-  boot.loader.generic-extlinux-compatible.enable = true;
+  sane.impermanence.enable = true;
  sane.nixcache.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
-  colinsane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
--- a/machines/moby/default.nix
+++ b/machines/moby/default.nix
@@ -1,50 +1,67 @@
-{ pkgs, mobile-nixos, ... }:
+{ config, pkgs, lib, mobile-nixos, ... }:
 {
  imports = [
-    (import "${mobile-nixos}/lib/configuration.nix" {
+    # (import "${mobile-nixos}/lib/configuration.nix" {
-      device = "pine64-pinephone";
+    #   device = "pine64-pinephone";
-    })
+    # })
    ./firmware.nix
    ./fs.nix
    ./kernel.nix
  ];
  # XXX colin: phosh doesn't work well with passwordless login
  users.users.colin.initialPassword = "147147";
  services.getty.autologinUser = "root";  # allows for emergency maintenance?
-  colinsane.home-manager.extraPackages = [
+  # usability compromises
-    # for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
+  sane.impermanence.home-dirs = [
-    pkgs.angelfish  # plasma mobile web browser; broken on phosh (poor wayland support)
+    ".librewolf"
    # pkgs.plasma5Packages.index  # file browser
    pkgs.plasma5Packages.konsole  # terminal
    # pkgs.plasma5Packages.pix  # picture viewer
    pkgs.plasma5Packages.kalk  # calculator; broken on phosh
    # pkgs.plasma5Packages.buho  # (plasma mobile?) note application
    pkgs.plasma5Packages.kasts  #  podcast app; works on phosh after setting QT envar
    pkgs.plasma5Packages.koko  # image gallery; broken on phosh
    pkgs.plasma5Packages.kwave  # media player.
    # pkgs.plasma5Packages.neochat  #  matrix client. needs qcoro => no aarch64 support
    # pkgs.plasma5Packages.plasma-dialer  # phone dialer
    # pkgs.plasma5Packages.plasma-mobile  # the whole shebang?
    # pkgs.plasma5Packages.plasma-settings
    pkgs.plasma5Packages.bomber  # arcade game; broken on phosh
    pkgs.plasma5Packages.kapman  # pacman
    pkgs.w3m  # text-based web browser; works!
    pkgs.st  # suckless terminal; broken on phosh
    # pkgs.alacritty  # terminal; crashes phosh
  ];
-  colinsane.nixcache.enable = true;
+  # sane.home-manager.extraPackages = [
-  colinsane.gui.phosh.enable = true;
+  #   # for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
-  boot.loader.grub.enable = false;
+  #   pkgs.angelfish  # plasma mobile web browser; broken on phosh (poor wayland support)
-  mobile.bootloader.enable = false;
+  #   # pkgs.plasma5Packages.index  # file browser
-  boot.loader.generic-extlinux-compatible.enable = true;
+  #   pkgs.plasma5Packages.konsole  # terminal
  #   # pkgs.plasma5Packages.pix  # picture viewer
  #   pkgs.plasma5Packages.kalk  # calculator; broken on phosh
  #   # pkgs.plasma5Packages.buho  # (plasma mobile?) note application
  #   pkgs.plasma5Packages.kasts  #  podcast app; works on phosh after setting QT envar
  #   pkgs.plasma5Packages.koko  # image gallery; broken on phosh
  #   pkgs.plasma5Packages.kwave  # media player.
  #   # pkgs.plasma5Packages.neochat  #  matrix client. needs qcoro => no aarch64 support
  #   # pkgs.plasma5Packages.plasma-dialer  # phone dialer
  #   # pkgs.plasma5Packages.plasma-mobile  # the whole shebang?
  #   # pkgs.plasma5Packages.plasma-settings
  #   pkgs.plasma5Packages.bomber  # arcade game; broken on phosh
  #   pkgs.plasma5Packages.kapman  # pacman
  #   pkgs.st  # suckless terminal; broken on phosh
  #   # pkgs.alacritty  # terminal; crashes phosh
  # ];
  # sane.home-packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
  sane.home-manager.extraPackages = [
    pkgs.plasma5Packages.konsole  # terminal
  ];
-  # This value determines the NixOS release from which the default
+  sane.nixcache.enable = true;
-  # settings for stateful data, like file locations and database versions
+  sane.impermanence.enable = true;
-  # on your system were taken. It‘s perfectly fine and recommended to leave
+  sane.gui.phosh.enable = true;
-  # this value at the release version of the first install of this system.
+
-  # Before changing this value read the documentation for this option
+  boot.loader.efi.canTouchEfiVariables = false;
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  # /boot space is at a premium. default was 20.
-  system.stateVersion = "21.11"; # Did you read the comment?
+  boot.loader.generic-extlinux-compatible.configurationLimit = 10;
  # mobile.bootloader.enable = false;
  # mobile.boot.stage-1.enable = false;
  # boot.initrd.systemd.enable = false;
  # boot.initrd.services.swraid.enable = false;  # attempt to fix dm_mod stuff
  # mobile-nixos' /lib/firmware includes:
  #   rtl_bt          (bluetooth)
  #   anx7688-fw.bin  (USB-C -> HDMI bridge)
  #   ov5640_af.bin   (camera module)
  # hardware.firmware = [ config.mobile.device.firmware ];
  hardware.firmware = [ pkgs.rtl8723cs-firmware ];
  system.stateVersion = "21.11";
  # defined: https://www.freedesktop.org/software/systemd/man/machine-info.html
  # XXX colin: not sure which, if any, software makes use of this
@@ -54,4 +71,6 @@
  # enable rotation sensor
  hardware.sensor.iio.enable = true;
  users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
 }
--- a/machines/moby/firmware.nix
+++ b/machines/moby/firmware.nix
@@ -2,8 +2,8 @@
 {
  # we need space in the GPT header to place tow-boot.
  # only actually need 1 MB, but better to over-allocate than under-allocate
-  colinsane.image.extraGPTPadding = 16 * 1024 * 1024;
+  sane.image.extraGPTPadding = 16 * 1024 * 1024;
-  colinsane.image.firstPartGap = 0;
+  sane.image.firstPartGap = 0;
  system.build.img = pkgs.runCommandNoCC "nixos_full-disk-image.img" {} ''
    cp -v ${config.system.build.img-without-firmware}/nixos.img $out
    chmod +w $out
--- a/machines/moby/fs.nix
+++ b/machines/moby/fs.nix
@@ -1,7 +1,18 @@
 { ... }:
 {
  # root is a tmpfs so that we have an ephemeral system ("impermanence" handles the state)
  fileSystems."/" = {
    device = "none";
    fsType = "tmpfs";
    options = [
      "mode=755"
      "size=1G"
      "defaults"
    ];
  };
  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/1f1271f8-53ce-4081-8a29-60a4a6b5d6f9";
    fsType = "btrfs";
    options = [
--- a/machines/moby/kernel.nix
+++ b/machines/moby/kernel.nix
@@ -0,0 +1,143 @@
 { lib, pkgs, ... }:
 let
  # use the last commit on the 5.18 branch (5.18.14)
  # manjaro's changes between kernel patch versions tend to be minimal if any.
  manjaroBase = "https://gitlab.manjaro.org/manjaro-arm/packages/core/linux/-/raw/25bd828cd47b1c6e09fcbcf394a649b89d2876dd";
  manjaroPatch = name: sha256: {
    inherit name;
    patch = pkgs.fetchpatch {
      inherit name;
      url = "${manjaroBase}/${name}?inline=false";
      inherit sha256;
    };
  };
  # the idea for patching off Manjaro's kernel comes from jakewaksbaum:
  # - https://git.sr.ht/~jakewaksbaum/pi/tree/af20aae5653545d6e67a459b59ee3e1ca8a680b0/item/kernel/default.nix
  # - he later abandoned this, i think because he's using the Pinephone Pro which received mainline support.
  manjaroPatches = [
    (manjaroPatch
      "1001-arm64-dts-allwinner-add-hdmi-sound-to-pine-devices.patch"
      "sha256-DApd791A+AxB28Ven/MVAyuyVphdo8KQDx8O7oxVPnc="
    )
    # these patches below are critical to enable wifi (RTL8723CS)
    # - the alternative is a wholly forked kernel by megi/megous:
    #   - https://xnux.eu/howtos/build-pinephone-kernel.html#toc-how-to-build-megi-s-pinehpone-kernel
    # - i don't know if these patches are based on megi's or original
    (manjaroPatch
      "2001-Bluetooth-Add-new-quirk-for-broken-local-ext-features.patch"
      "sha256-CExhJuUWivegxPdnzKINEsKrMFx/m/1kOZFmlZ2SEOc="
    )
    (manjaroPatch
      "2002-Bluetooth-btrtl-add-support-for-the-RTL8723CS.patch"
      "sha256-dDdvOphTcP/Aog93HyH+L9m55laTgtjndPSE4/rnzUA="
    )
    (manjaroPatch
      "2004-arm64-dts-allwinner-enable-bluetooth-pinetab-pinepho.patch"
      "sha256-o43P3WzXyHK1PF+Kdter4asuyGAEKO6wf5ixcco2kCQ="
    )
    # XXX: this one has a Makefile, which hardcodes /sbin/depmod:
    # - drivers/staging/rtl8723cs/Makefile
    # - not sure if this is problematic?
    (manjaroPatch
      "2005-staging-add-rtl8723cs-driver.patch"
      "sha256-6ywm3dQQ5JYl60CLKarxlSUukwi4QzqctCj3tVgzFbo="
    )
  ];
  # pinephone uses the linux dtb at arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi
  # - this includes sun50i-a64.dtsi
  # - and sun50i-a64-cpu-opp.dtsi
  # - no need to touch the allwinner-h6 stuff: that's the SBC pine product
  # - i think it's safe to ignore sun9i stuff, but i don't know what it is
  kernelConfig = with lib.kernel; {
    # NB: nix adds the CONFIG_ prefix to each of these.
    # if you add the prefix yourself nix will IGNORE YOUR CONFIG.
    RTL8723CS = module;
    BT_HCIUART_3WIRE = yes;
    BT_HCIUART_RTL = yes;
    RTL8XXXU_UNTESTED = yes;
    BT_BNEP_MC_FILTER = yes;
    BT_BNEP_PROTO_FILTER = yes;
    BT_HS = yes;
    BT_LE = yes;
    # relevant configs inherited from nixos defaults (or above additions):
    # CONFIG_BT=m
    # CONFIG_BT_BREDR=y
    # CONFIG_BT_RFCOMM=m
    # CONFIG_BT_RFCOMM_TTY=y
    # CONFIG_BT_BNEP=m
    # CONFIG_BT_HIDP=m
    # CONFIG_BT_RTL=m
    # CONFIG_BT_HCIBTUSB=m
    # CONFIG_BT_HCIBTUSB_BCM=y
    # CONFIG_BT_HCIBTUSB_RTL=y
    # CONFIG_BT_HCIUART=m
    # CONFIG_BT_HCIUART_SERDEV=y
    # CONFIG_BT_HCIUART_H4=y
    # CONFIG_BT_HCIUART_LL=y
    # CONFIG_RTL_CARDS=m
    # CONFIG_RTLWIFI=m
    # CONFIG_RTLWIFI_PCI=m
    # CONFIG_RTLWIFI_USB=m
    # CONFIG_RTLWIFI_DEBUG=y
    # CONFIG_RTL8723_COMMON=m
    # CONFIG_RTLBTCOEXIST=m
    # CONFIG_RTL8XXXU=m
    # CONFIG_RTLLIB=m
    # consider adding (from mobile-nixos):
    # maybe: CONFIG_BT_HCIUART_3WIRE=y
    # maybe: CONFIG_BT_HCIUART_RTL=y
    # maybe: CONFIG_RTL8XXXU_UNTESTED=y
    # consider adding (from manjaro):
    # CONFIG_BT_6LOWPAN=m  (not listed as option in nixos kernel)
    # these are referenced in the rtl8723 source, but not known to config (and not in mobile-nixos config
    # maybe: CONFIG_RTL_ODM_WLAN_DRIVER
    # maybe: CONFIG_RTL_TRIBAND_SUPPORT
    # maybe: CONFIG_SDIO_HCI
    # maybe: CONFIG_USB_HCI
  };
  # create a kernelPatch which overrides nixos' defconfig with extra options
  patchDefconfig = config: {
    # defconfig options. this method comes from here:
    # - https://discourse.nixos.org/t/the-correct-way-to-override-the-latest-kernel-config/533/9
    name = "sane-moby-defconfig";
    patch = null;
    extraStructuredConfig = config;
  };
 in
 {
  # use Megi's kernel:
  # even with the Manjaro patches, stock 5.18 has a few issues on Pinephone:
  # - no battery charging
  # - phone rotation sensor is off by 90 degrees
  # - ambient light sensor causes screen brightness to be shakey
  # - phosh greeter may not appear after wake from sleep
  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.cross.linux-megous;
  boot.kernelPatches = [
    (patchDefconfig (kernelConfig //
      (with lib.kernel; {
        # disabling the sun5i_eink driver avoids this compilation error:
        # CC [M]  drivers/video/fbdev/sun5i-eink-neon.o
        # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfloat-abi=softfp'
        # aarch64-unknown-linux-gnu-gcc: error: unrecognized command line option '-mfpu=neon'
        # make[3]: *** [../scripts/Makefile.build:289: drivers/video/fbdev/sun5i-eink-neon.o] Error 1
        FB_SUN5I_EINK = no;
      })
    ))
  ];
  # alternatively, use nixos' kernel and add the stuff we want:
  # # cross-compilation optimization:
  # boot.kernelPackages =
  #   let p = (import nixpkgs { localSystem = "x86_64-linux"; });
  #   in p.pkgsCross.aarch64-multiplatform.linuxPackages_5_18;
  # # non-cross:
  # # boot.kernelPackages = pkgs.linuxPackages_5_18;
  # boot.kernelPatches = manjaroPatches ++ [
  #   (patchDefconfig kernelConfig)
  # ];
 }
--- a/machines/rescue/default.nix
+++ b/machines/rescue/default.nix
@@ -0,0 +1,16 @@
 { config, pkgs, ... }:
 {
  imports = [
    ./fs.nix
  ];
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  users.users.dhcpcd.uid = config.sane.allocations.dhcpcd-uid;
  users.groups.dhcpcd.gid = config.sane.allocations.dhcpcd-gid;
  # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
  system.stateVersion = "21.05";
 }
--- a/machines/rescue/fs.nix
+++ b/machines/rescue/fs.nix
@@ -0,0 +1,12 @@
 { ... }:
 {
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/44445555-6666-7777-8888-999900001111";
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/2222-3333";
    fsType = "vfat";
  };
 }
--- a/machines/servo/default.nix
+++ b/machines/servo/default.nix
@@ -11,27 +11,29 @@
    ./services/ipfs.nix
    ./services/jackett.nix
    ./services/jellyfin.nix
-    ./services/matrix.nix
+    ./services/matrix
    ./services/navidrome.nix
    ./services/nginx.nix
    ./services/nix-serve.nix
    ./services/pleroma.nix
    ./services/postfix.nix
    ./services/postgres.nix
    ./services/transmission.nix
  ];
-  colinsane.home-manager.enable = true;
+  sane.home-manager.enable = true;
-  colinsane.home-manager.extraPackages = [
+  sane.home-manager.extraPackages = [
    # for administering matrix
    pkgs.matrix-synapse
  ];
-  colinsane.impermanence.enable = true;
+  sane.impermanence.enable = true;
-  colinsane.services.duplicity.enable = true;
+  sane.services.duplicity.enable = true;
  sane.services.nixserve.enable = true;
-  # TODO: validate this
+  # TODO: look into the EFI stuff
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
-  colinsane.image.extraBootFiles = [ pkgs.bootpart-u-boot-rpi-aarch64 ];
+  sane.image.extraBootFiles = [ pkgs.bootpart-u-boot-rpi-aarch64 ];
  sops.secrets.duplicity_passphrase = {
    sopsFile = ../../secrets/servo.yaml;
--- a/machines/servo/fs.nix
+++ b/machines/servo/fs.nix
@@ -16,7 +16,7 @@
    device = "none";
    fsType = "tmpfs";
    options = [
-      "size=16G"
+      "size=40G"
      "mode=777"
      "defaults"
    ];
@@ -38,16 +38,6 @@
  #   options = [ "bind" ];
  # };
  # TODO: does transmission handle symlinks?
  fileSystems."/var/lib/transmission/Downloads" = {
    device = "/var/lib/uninsane/media";
    options = [ "bind" ];
  };
  fileSystems."/var/lib/transmission/.incomplete" = {
    device = "/var/lib/uninsane/media/incomplete";
    options = [ "bind" ];
  };
  # in-memory compressed RAM (seems to be dynamically sized)
  zramSwap = {
    enable = true;
--- a/machines/servo/hardware.nix
+++ b/machines/servo/hardware.nix
@@ -3,9 +3,6 @@
 { pkgs, ... }:
 {
  # enables non-free firmware
  hardware.enableRedistributableFirmware = true;
  # i changed this becuse linux 5.10 didn't have rpi-400 device tree blob.
  # nixos-22.05 linux 5.15 DOES have these now.
  # it should be possible to remove this if desired, but i'm not sure how the rpi-specific kernel differs.
@@ -38,16 +35,6 @@
    "xhci_pci_renesas"
  ];
  # boot.initrd.compressor = "gzip";  # defaults to zstd
  # hack in the `boot.shell_on_fail` arg since it doesn't seem to work otherwise
  boot.initrd.preFailCommands = "allowShell=1";
  # default: 4 (warn). 7 is debug
  boot.consoleLogLevel = 7;
  # boot.kernelParams = [
  #   "boot.shell_on_fail"
  #   # "boot.trace"
  #   # "systemd.log_level=debug"
  #   # "systemd.log_target=console"
  # ];
  # ondemand power scaling keeps the cpu at low frequency when idle, and sets to max frequency
  # when load is detected. (v.s. the "performance" default, which always uses the max frequency)
--- a/machines/servo/services/gitea.nix
+++ b/machines/servo/services/gitea.nix
@@ -1,6 +1,11 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? could be more granular
    { user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
  ];
  users.groups.gitea.gid = config.sane.allocations.gitea-gid;
  services.gitea.enable = true;
  services.gitea.user = "git";  # default is 'gitea'
  services.gitea.database.type = "postgres";
@@ -8,7 +13,7 @@
  services.gitea.appName = "Perfectly Sane Git";
  services.gitea.domain = "git.uninsane.org";
  services.gitea.rootUrl = "https://git.uninsane.org/";
-  services.gitea.cookieSecure = true;
+  services.gitea.settings.session.COOKIE_SECURE = true;
  # services.gitea.disableRegistration = true;
  services.gitea.settings = {
@@ -55,7 +60,7 @@
    };
  };
  # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
-  services.gitea.log.level = "Info";
+  services.gitea.settings.log.LEVEL = "Warn";
  systemd.services.gitea.serviceConfig = {
    # nix default is AF_UNIX AF_INET AF_INET6.
--- a/machines/servo/services/ipfs.nix
+++ b/machines/servo/services/ipfs.nix
@@ -1,17 +1,29 @@
 # admin:
 # - view stats:
 #   - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ stats bw
 #   - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ stats dht
 #   - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ bitswap stat
 # - number of open peer connections:
 #   - sudo -u ipfs -g ipfs ipfs -c /var/lib/ipfs/ swarm peers | wc -l
 { ... }:
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? could be more granular
    { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
  ];
  services.ipfs.enable = true;
  services.ipfs.localDiscovery = true;
  services.ipfs.swarmAddress = [
-    "/dns4/ipfs.uninsane.org/tcp/4001"
+    # "/dns4/ipfs.uninsane.org/tcp/4001"
-    "/ip4/0.0.0.0/tcp/4001"
+    # "/ip4/0.0.0.0/tcp/4001"
    "/dns4/ipfs.uninsane.org/udp/4001/quic"
    "/ip4/0.0.0.0/udp/4001/quic"
  ];
  services.ipfs.extraConfig = {
    Addresses = {
      Announce = [
-        "/dns4/ipfs.uninsane.org/tcp/4001"
+        # "/dns4/ipfs.uninsane.org/tcp/4001"
        "/dns4/ipfs.uninsane.org/udp/4001/quic"
      ];
    };
@@ -19,5 +31,39 @@
      # the gateway can only be used to serve content already replicated on this host
      NoFetch = true;
    };
    Swarm = {
      ConnMgr = {
        # maintain between LowWater and HighWater peer connections
        # taken from: https://github.com/ipfs/ipfs-desktop/pull/2055
        # defaults are 600-900: https://github.com/ipfs/kubo/blob/master/docs/config.md#swarmconnmgr
        LowWater = 20;
        HighWater = 40;
        # default is 20s. i guess more grace period = less churn
        GracePeriod = "1m";
      };
      ResourceMgr = {
        # docs: https://github.com/libp2p/go-libp2p-resource-manager#resource-scopes
        Enabled = true;
        Limits = {
          System = {
            Conns = 196;
            ConnsInbound = 128;
            ConnsOutbound = 128;
            FD = 512;
            Memory = 1073741824;  # 1GiB
            Streams = 1536;
            StreamsInbound = 1024;
            StreamsOutbound = 1024;
          };
        };
      };
      Transports = {
        Network = {
          # disable TCP, force QUIC, for lighter resources
          TCP = false;
          QUIC = true;
        };
      };
    };
  };
 }
--- a/machines/servo/services/jackett.nix
+++ b/machines/servo/services/jackett.nix
@@ -1,6 +1,10 @@
 { ... }:
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
    { user = "root"; group = "root"; directory = "/var/lib/jackett"; }
  ];
  services.jackett.enable = true;
  systemd.services.jackett.after = ["wg0veth.service"];
--- a/machines/servo/services/jellyfin.nix
+++ b/machines/servo/services/jellyfin.nix
@@ -1,5 +1,14 @@
-{ ... }:
+{ config, ... }:
 {
-  services.jellyfin.enable = true;
+  sane.impermanence.service-dirs = [
    # TODO: mode? could be more granular
    { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
  ];
  # users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
  # users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
  # TODO: re-enable after migrating media dir to /var/lib/uninsane/media
  # else it's too spammy
  # services.jellyfin.enable = true;
 }
--- a/machines/servo/services/matrix/default.nix
+++ b/machines/servo/services/matrix/default.nix
@@ -3,7 +3,14 @@
 { config, ... }:
 {
  sane.impermanence.service-dirs = [
    # TODO: mode?
    # user and group are both "matrix-appservice-irc"
    { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
    { user = "224"; group = "224"; directory = "/var/lib/matrix-synapse"; }
  ];
  services.matrix-synapse.enable = true;
  services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
  services.matrix-synapse.settings.server_name = "uninsane.org";
  # services.matrix-synapse.enable_registration_captcha = true;
@@ -157,7 +164,7 @@
  };
  sops.secrets.matrix_synapse_secrets = {
-    sopsFile = ../../../secrets/servo.yaml;
+    sopsFile = ../../../../secrets/servo.yaml;
    owner = config.users.users.matrix-synapse.name;
  };
 }
--- a/machines/servo/services/matrix/synapse-log_level.yaml
+++ b/machines/servo/services/matrix/synapse-log_level.yaml
@@ -0,0 +1,27 @@
 version: 1
 # In systemd's journal, loglevel is implicitly stored, so let's omit it
 # from the message text.
 formatters:
    journal_fmt:
        format: '%(name)s: [%(request)s] %(message)s'
 filters:
    context:
        (): synapse.util.logcontext.LoggingContextFilter
        request: ""
 handlers:
    journal:
        class: systemd.journal.JournalHandler
        formatter: journal_fmt
        filters: [context]
        SYSLOG_IDENTIFIER: synapse
 # default log level: INFO
 root:
    level: WARN
    handlers: [journal]
 disable_existing_loggers: False
--- a/machines/servo/services/navidrome.nix
+++ b/machines/servo/services/navidrome.nix
@@ -0,0 +1,17 @@
 { ... }:
 {
  sane.impermanence.service-dirs = [
    { user = "navidrome"; group = "navidrome"; directory = "/var/lib/private/navidrome"; }
  ];
  services.navidrome.enable = true;
  services.navidrome.settings = {
    # docs: https://www.navidrome.org/docs/usage/configuration-options/
    Address = "127.0.0.1";
    Port = 4533;
    MusicFolder = "/var/lib/uninsane/media/Music";
    CovertArtPriority = "*.jpg, *.JPG, *.png, *.PNG, embedded";
    AutoImportPlaylists = false;
    ScanSchedule = "@every 1h";
  };
 }
--- a/machines/servo/services/nginx.nix
+++ b/machines/servo/services/nginx.nix
@@ -213,6 +213,12 @@
    };
  };
  services.nginx.virtualHosts."music.uninsane.org" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://127.0.0.1:4533";
  };
  services.nginx.virtualHosts."ipfs.uninsane.org" = {
    # don't default to ssl upgrades, since this may be dnslink'd from a different domain.
    # ideally we'd disable ssl entirely, but some places assume it?
@@ -254,4 +260,12 @@
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin.acme@uninsane.org";
  users.users.acme.uid = config.sane.allocations.acme-uid;
  users.groups.acme.gid = config.sane.allocations.acme-gid;
  sane.impermanence.service-dirs = [
    # TODO: mode?
    { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
    { user = "colin"; group = "users"; directory = "/var/lib/uninsane"; }
  ];
 }
--- a/machines/servo/services/nix-serve.nix
+++ b/machines/servo/services/nix-serve.nix
@@ -1,15 +0,0 @@
 # docs: https://nixos.wiki/wiki/Binary_Cache
 # to copy something to this machine's nix cache, do:
 #   nix copy --to ssh://nixcache.uninsane.org PACKAGE
 { config, ... }:
 {
  services.nix-serve = {
    enable = true;
    secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
  };
  sops.secrets.nix_serve_privkey = {
    sopsFile = ../../../secrets/servo.yaml;
  };
 }
--- a/machines/servo/services/pleroma.nix
+++ b/machines/servo/services/pleroma.nix
@@ -4,18 +4,24 @@
 { config, pkgs, ... }:
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? could be more granular
    { user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
  ];
  users.users.pleroma.uid = config.sane.allocations.pleroma-uid;
  users.groups.pleroma.gid = config.sane.allocations.pleroma-gid;
  services.pleroma.enable = true;
  services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
  services.pleroma.configs = [
    ''
    import Config
-    
+
    config :pleroma, Pleroma.Web.Endpoint,
      url: [host: "fed.uninsane.org", scheme: "https", port: 443],
      http: [ip: {127, 0, 0, 1}, port: 4000]
    #   secret_key_base: "{secrets.pleroma.secret_key_base}",
    #   signing_salt: "{secrets.pleroma.signing_salt}"
-    
+
    config :pleroma, :instance,
      name: "Perfectly Sane",
      description: "Single-user Pleroma instance",
@@ -41,7 +47,7 @@
      enabled: false,
      redirect_on_failure: true
      #base_url: "https://cache.pleroma.social"
-    
+
    config :pleroma, Pleroma.Repo,
      adapter: Ecto.Adapters.Postgres,
      username: "pleroma",
@@ -61,7 +67,7 @@
    #   private_key: "{secrets.pleroma.vapid_private_key}"
    # config :joken, default_signer: "{secrets.pleroma.joken_default_signer}"
-    
+
    config :pleroma, :database, rum_enabled: false
    config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static"
    config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
@@ -80,14 +86,14 @@
    # Enable Strict-Transport-Security once SSL is working:
    config :pleroma, :http_security,
      sts: true
-    
+
    # docs: https://docs.pleroma.social/backend/configuration/cheatsheet/#logger
    config :logger,
      backends: [{ExSyslogger, :ex_syslogger}]
-    
+
    config :logger, :ex_syslogger,
-      level: :warn
+      level: :debug
-    #  level: :debug
+    #  level: :warn
    # XXX colin: not sure if this actually _does_ anything
    config :pleroma, :emoji,
--- a/machines/servo/services/postfix.nix
+++ b/machines/servo/services/postfix.nix
@@ -16,6 +16,11 @@ let
  };
 in
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? could be more granular
    { user = "221"; group = "221"; directory = "/var/lib/opendkim"; }
    { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
  ];
  services.postfix.enable = true;
  services.postfix.hostname = "mx.uninsane.org";
  services.postfix.origin = "uninsane.org";
--- a/machines/servo/services/postgres.nix
+++ b/machines/servo/services/postgres.nix
@@ -1,6 +1,10 @@
 { ... }:
 {
  sane.impermanence.service-dirs = [
    # TODO: mode?
    { user = "71"; group = "71"; directory = "/var/lib/postgresql"; }
  ];
  services.postgresql.enable = true;
  # services.postgresql.dataDir = "/opt/postgresql/13";
  # XXX colin: for a proper deploy, we'd want to include something for Pleroma here too.
--- a/machines/servo/services/transmission.nix
+++ b/machines/servo/services/transmission.nix
@@ -1,6 +1,10 @@
 { ... }:
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? we need this specifically for the stats tracking in .config/
    { user = "70"; group = "70"; directory = "/var/lib/transmission"; }
  ];
  services.transmission.enable = true;
  services.transmission.settings = {
    rpc-bind-address = "0.0.0.0";
@@ -29,6 +33,9 @@
    # see: https://git.zknt.org/mirror/transmission/commit/cfce6e2e3a9b9d31a9dafedd0bdc8bf2cdb6e876?lang=bg-BG
    anti-brute-force-enabled = false;
    download-dir = "/var/lib/uninsane/media";
    incomplete-dir = "/var/lib/uninsane/media/incomplete";
  };
  # transmission will by default not allow the world to read its files.
  services.transmission.downloadDirPermissions = "775";
@@ -37,6 +44,7 @@
  systemd.services.transmission.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
    LogLevelMax = "warning";
  };
 }
--- a/machines/servo/users.nix
+++ b/machines/servo/users.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 {
@@ -12,6 +12,7 @@
    home = "/var/lib/gitea";
    useDefaultShell = true;
    group = "gitea";
    uid = config.sane.allocations.git-uid;
    isSystemUser = true;
    # sendmail access (not 100% sure if this is necessary)
    extraGroups = [ "postdrop" ];
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,8 +6,9 @@
    ./hardware
    ./image.nix
    ./impermanence.nix
-    ./nix.nix
+    ./nixcache.nix
    ./services/duplicity.nix
    ./services/nixserve.nix
    ./universal
  ];
 }
--- a/modules/gui/default.nix
+++ b/modules/gui/default.nix
@@ -2,7 +2,7 @@
 with lib;
 let
-  cfg = config.colinsane.gui;
+  cfg = config.sane.gui;
 in
 {
  imports = [
@@ -14,13 +14,16 @@ in
  options = {
    # doesn't directly create outputs. consumed by e.g. home-manager.nix module
-    colinsane.gui.enable = mkOption {
+    sane.gui.enable = mkOption {
      default = false;
      type = types.bool;
    };
  };
  config = lib.mkIf cfg.enable {
-    colinsane.home-manager.enable = true;
+    sane.home-packages.enableGuiPkgs = lib.mkDefault true;
    sane.home-manager.enable = lib.mkDefault true;
    # all GUIs use network manager?
    users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
  };
 }
--- a/modules/gui/gnome.nix
+++ b/modules/gui/gnome.nix
@@ -2,18 +2,18 @@
 with lib;
 let
-  cfg = config.colinsane.gui.gnome;
+  cfg = config.sane.gui.gnome;
 in
 {
  options = {
-    colinsane.gui.gnome.enable = mkOption {
+    sane.gui.gnome.enable = mkOption {
      default = false;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
-    colinsane.gui.enable = true;
+    sane.gui.enable = true;
    # start gnome/gdm on boot
    services.xserver.enable = true;
    services.xserver.desktopManager.gnome.enable = true;
--- a/modules/gui/phosh.nix
+++ b/modules/gui/phosh.nix
@@ -1,19 +1,29 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, ... }:
 with lib;
 let
-  cfg = config.colinsane.gui.phosh;
+  cfg = config.sane.gui.phosh;
 in
 {
  options = {
-    colinsane.gui.phosh.enable = mkOption {
+    sane.gui.phosh.enable = mkOption {
      default = false;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
-    colinsane.gui.enable = true;
+    sane.gui.enable = true;
    users.users.avahi.uid = config.sane.allocations.avahi-uid;
    users.users.colord.uid = config.sane.allocations.colord-uid;
    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
    users.groups.colord.gid = config.sane.allocations.colord-gid;
    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
    # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
    services.xserver.desktopManager.phosh = {
      enable = true;
@@ -28,6 +38,15 @@ in
      };
    };
    # XXX: phosh enables networkmanager by default; can probably disable these lines
    networking.useDHCP = false;
    networking.networkmanager.enable = true;
    networking.wireless.enable = lib.mkForce false;
    # XXX: not clear if these are actually needed?
    hardware.bluetooth.enable = true;
    services.blueman.enable = true;
    hardware.opengl.enable = true;
    hardware.opengl.driSupport = true;
@@ -39,5 +58,10 @@ in
      # phocConfig.xwayland should be disabled if you do this
      NIXOS_OZONE_WL = "1";
    };
    sane.home-manager.extraPackages = with pkgs; [
      # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
      gnome.gnome-bluetooth
    ];
  };
 }
--- a/modules/gui/plasma-mobile.nix
+++ b/modules/gui/plasma-mobile.nix
@@ -2,18 +2,18 @@
 with lib;
 let
-  cfg = config.colinsane.gui.plasma-mobile;
+  cfg = config.sane.gui.plasma-mobile;
 in
 {
  options = {
-    colinsane.gui.plasma-mobile.enable = mkOption {
+    sane.gui.plasma-mobile.enable = mkOption {
      default = false;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
-    colinsane.gui.enable = true;
+    sane.gui.enable = true;
    # start plasma-mobile on boot
    services.xserver.enable = true;
    services.xserver.desktopManager.plasma5.mobile.enable = true;
--- a/modules/gui/sway.nix
+++ b/modules/gui/sway.nix
@@ -3,17 +3,19 @@
 # docs: https://nixos.wiki/wiki/Sway
 with lib;
 let
-  cfg = config.colinsane.gui.sway;
+  cfg = config.sane.gui.sway;
 in
 {
  options = {
-    colinsane.gui.sway.enable = mkOption {
+    sane.gui.sway.enable = mkOption {
      default = false;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
-    colinsane.gui.enable = true;
+    sane.gui.enable = true;
    users.users.greeter.uid = config.sane.allocations.greeter-uid;
    users.groups.greeter.gid = config.sane.allocations.greeter-gid;
    programs.sway = {
      # we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
      enable = true;
@@ -47,12 +49,26 @@ in
    networking.networkmanager.enable = true;
    networking.wireless.enable = lib.mkForce false;
-    colinsane.home-manager.windowManager.sway = {
+    sane.home-manager.windowManager.sway = {
      enable = true;
      wrapperFeatures.gtk = true;
      config = rec {
        terminal = "${pkgs.kitty}/bin/kitty";
-        window.border = 3;  # pixel boundary between windows
+        window = {
          border = 3; # pixel boundary between windows
          hideEdgeBorders = "smart"; # don't show border if only window on workspace
        };
        output = {
          ### DESKTOP
          "Samsung Electric Company S22C300 0x00007F35" = { pos = "0,0"; res = "1920x1080"; };
          "Goldstar Company Ltd LG ULTRAWIDE 0x00004E94" = { pos = "1920,0"; res = "3440x1440"; };
          ### LAPTOP
          # shen TV
          "Pioneer Electronic Corporation VSX-524 0x00000101" = { pos = "0,0"; res = "1920x1080"; };
          # internal display
          "Unknown 0x0637 0x00000000" = { pos = "1920,0"; res = "1920x1080"; };
        };
        # defaults; required for keybindings decl.
        modifier = "Mod1";
@@ -64,6 +80,7 @@ in
        down = "j";
        up = "k";
        right = "l";
        # XKB key names: https://wiki.linuxquestions.org/wiki/List_of_Keysyms_Recognised_by_Xmodmap
        keybindings = {
          "${modifier}+Return" = "exec ${terminal}";
          "${modifier}+Shift+q" = "kill";
@@ -147,6 +164,9 @@ in
          XF86AudioLowerVolume = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
          XF86AudioMute = "exec '${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute'";
          "${modifier}+Page_Up" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5'";
          "${modifier}+Page_Down" = "exec '${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5'";
          "${modifier}+Print" = "exec '${pkgs.sway-contrib.grimshot}/bin/grimshot copy area'";
        };
@@ -163,7 +183,8 @@ in
            # names = [ "monospace" "Noto Color Emoji" ];
            # size = 8.0;
            # names = [ "Font Awesome 6 Free" "DejaVu Sans" "Hack" ];
-            names = with config.fonts.fontconfig.defaultFonts; (emoji ++ monospace ++ serif ++ sansSerif);
+            # names = with config.fonts.fontconfig.defaultFonts; (emoji ++ monospace ++ serif ++ sansSerif);
            names = with config.fonts.fontconfig.defaultFonts; (monospace ++ emoji);
            size = 24.0;
          };
          trayOutput = "primary";
@@ -201,9 +222,10 @@ in
      };
    };
-    colinsane.home-manager.programs.waybar = {
+    sane.home-manager.programs.waybar = {
      enable = true;
      # docs: https://github.com/Alexays/Waybar/wiki/Configuration
      # format specifiers: https://fmt.dev/latest/syntax.html#syntax
      settings = {
        mainBar = {
          layer = "top";
@@ -232,11 +254,20 @@ in
            on-scroll-down = "${pkgs.playerctl}/bin/playerctl previous";
          };
          network = {
-            interval = 1;
+            # docs: https://github.com/Alexays/Waybar/blob/master/man/waybar-network.5.scd
-            format-ethernet = "{ifname}: {ipaddr}/{cidr}   up: {bandwidthUpBits} down: {bandwidthDownBits}";
+            interval = 2;
            max-length = 40;
            # custom :> format specifier explained here: https://github.com/Alexays/Waybar/pull/472
            format-ethernet = "  {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
            tooltip-format-ethernet = "{ifname} {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
            format-wifi = "{ifname} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
            tooltip-format-wifi = "{essid} ({signalStrength}%) {bandwidthUpBits:>}▲ {bandwidthDownBits:>}▼";
            format-disconnected = "";
          };
          cpu = {
-            format = "{usage}% ";
+            format = " {usage:2}%";
            tooltip = false;
          };
          battery = {
@@ -259,6 +290,262 @@ in
          };
        };
      };
      # style docs: https://github.com/Alexays/Waybar/wiki/Styling
      style = ''
        * {
          font-family: monospace;
        }
        /* defaults below: https://github.com/Alexays/Waybar/blob/master/resources/style.css */
        window#waybar {
          background-color: rgba(43, 48, 59, 0.5);
          border-bottom: 3px solid rgba(100, 114, 125, 0.5);
          color: #ffffff;
          transition-property: background-color;
          transition-duration: .5s;
        }
        window#waybar.hidden {
          opacity: 0.2;
        }
        /*
        window#waybar.empty {
          background-color: transparent;
        }
        window#waybar.solo {
          background-color: #FFFFFF;
        }
        */
        window#waybar.termite {
          background-color: #3F3F3F;
        }
        window#waybar.chromium {
          background-color: #000000;
          border: none;
        }
        #workspaces button {
          padding: 0 5px;
          background-color: transparent;
          color: #ffffff;
          /* Use box-shadow instead of border so the text isn't offset */
          box-shadow: inset 0 -3px transparent;
          /* Avoid rounded borders under each workspace name */
          border: none;
          border-radius: 0;
        }
        /* https://github.com/Alexays/Waybar/wiki/FAQ#the-workspace-buttons-have-a-strange-hover-effect */
        #workspaces button:hover {
          background: rgba(0, 0, 0, 0.2);
          box-shadow: inset 0 -3px #ffffff;
        }
        #workspaces button.focused {
          background-color: #64727D;
          box-shadow: inset 0 -3px #ffffff;
        }
        #workspaces button.urgent {
          background-color: #eb4d4b;
        }
        #mode {
          background-color: #64727D;
          border-bottom: 3px solid #ffffff;
        }
        #clock,
        #battery,
        #cpu,
        #memory,
        #disk,
        #temperature,
        #backlight,
        #network,
        #pulseaudio,
        #custom-media,
        #tray,
        #mode,
        #idle_inhibitor,
        #mpd {
          padding: 0 10px;
          color: #ffffff;
        }
        #window,
        #workspaces {
          margin: 0 4px;
        }
        /* If workspaces is the leftmost module, omit left margin */
        .modules-left > widget:first-child > #workspaces {
          margin-left: 0;
        }
        /* If workspaces is the rightmost module, omit right margin */
        .modules-right > widget:last-child > #workspaces {
          margin-right: 0;
        }
        #clock {
          background-color: #64727D;
        }
        #battery {
          background-color: #ffffff;
          color: #000000;
        }
        #battery.charging, #battery.plugged {
          color: #ffffff;
          background-color: #26A65B;
        }
        @keyframes blink {
          to {
            background-color: #ffffff;
            color: #000000;
          }
        }
        #battery.critical:not(.charging) {
          background-color: #f53c3c;
          color: #ffffff;
          animation-name: blink;
          animation-duration: 0.5s;
          animation-timing-function: linear;
          animation-iteration-count: infinite;
          animation-direction: alternate;
        }
        label:focus {
          background-color: #000000;
        }
        #cpu {
          background-color: #2ecc71;
          color: #000000;
        }
        #memory {
          background-color: #9b59b6;
        }
        #disk {
          background-color: #964B00;
        }
        #backlight {
          background-color: #90b1b1;
        }
        #network {
          background-color: #2980b9;
        }
        #network.disconnected {
          background-color: #f53c3c;
        }
        #pulseaudio {
          background-color: #f1c40f;
          color: #000000;
        }
        #pulseaudio.muted {
          background-color: #90b1b1;
          color: #2a5c45;
        }
        #custom-media {
          background-color: #66cc99;
          color: #2a5c45;
          min-width: 100px;
        }
        #custom-media.custom-spotify {
          background-color: #66cc99;
        }
        #custom-media.custom-vlc {
          background-color: #ffa000;
        }
        #temperature {
          background-color: #f0932b;
        }
        #temperature.critical {
          background-color: #eb4d4b;
        }
        #tray {
          background-color: #2980b9;
        }
        #tray > .passive {
          -gtk-icon-effect: dim;
        }
        #tray > .needs-attention {
          -gtk-icon-effect: highlight;
          background-color: #eb4d4b;
        }
        #idle_inhibitor {
          background-color: #2d3436;
        }
        #idle_inhibitor.activated {
          background-color: #ecf0f1;
          color: #2d3436;
        }
        #mpd {
          background-color: #66cc99;
          color: #2a5c45;
        }
        #mpd.disconnected {
          background-color: #f53c3c;
        }
        #mpd.stopped {
          background-color: #90b1b1;
        }
        #mpd.paused {
          background-color: #51a37a;
        }
        #language {
          background: #00b093;
          color: #740864;
          padding: 0 5px;
          margin: 0 5px;
          min-width: 16px;
        }
        #keyboard-state {
          background: #97e1ad;
          color: #000000;
          padding: 0 0px;
          margin: 0 5px;
          min-width: 16px;
        }
        #keyboard-state > label {
          padding: 0 5px;
        }
        #keyboard-state > label.locked {
          background: rgba(0, 0, 0, 0.2);
        }
      '';
      # style = ''
      #   * {
      #     border: none;
@@ -280,7 +567,7 @@ in
      #   }
      # '';
    };
-    colinsane.home-manager.extraPackages = with pkgs; [
+    sane.home-manager.extraPackages = with pkgs; [
      swaylock
      swayidle
      wl-clipboard
@@ -290,6 +577,7 @@ in
      # pavucontrol
      sway-contrib.grimshot
      gnome.gnome-bluetooth
      gnome.gnome-control-center
    ];
  };
 }
--- a/modules/hardware/all.nix
+++ b/modules/hardware/all.nix
@@ -0,0 +1,40 @@
 { lib, pkgs, ... }:
 {
  boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
  # useful emergency utils
  boot.initrd.extraUtilsCommands = ''
    copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
  '';
  boot.kernelParams = [ "boot.shell_on_fail" ];
  # other kernelParams:
  #   "boot.trace"
  #   "systemd.log_level=debug"
  #   "systemd.log_target=console"
  # hack in the `boot.shell_on_fail` arg since that doesn't always seem to work.
  boot.initrd.preFailCommands = "allowShell=1";
  # default: 4 (warn). 7 is debug
  boot.consoleLogLevel = 7;
  boot.loader.grub.enable = lib.mkDefault false;
  boot.loader.generic-extlinux-compatible.enable = lib.mkDefault true;
  # non-free firmware
  hardware.enableRedistributableFirmware = true;
  services.fwupd.enable = true;
  # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
  powerManagement.powertop.enable = false;
  # services.snapper.configs = {
  #   root = {
  #     subvolume = "/";
  #     extraConfig = {
  #       ALLOW_USERS = "colin";
  #     };
  #   };
  # };
  # services.snapper.snapshotInterval = "daily";
 }
--- a/modules/hardware/default.nix
+++ b/modules/hardware/default.nix
@@ -2,6 +2,7 @@
 {
  imports = [
    ./all.nix
    ./x86_64.nix
  ];
 }
--- a/modules/hardware/x86_64.nix
+++ b/modules/hardware/x86_64.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, ... }:
 with lib;
 {
@@ -9,62 +9,18 @@ with lib;
      "nvme"  # to boot from nvme devices
      # efi_pstore evivars
    ];
    boot.initrd.kernelModules = [ ];
    boot.initrd.supportedFilesystems = [ "ext4" "btrfs" "ext2" "ext3" "vfat" ];
    # useful emergency utils
    boot.initrd.extraUtilsCommands = ''
      copy_bin_and_libs ${pkgs.btrfs-progs}/bin/btrfstune
    '';
    boot.kernelModules = [
      "coretemp"
      "kvm-intel"
      "kvm-amd"  # desktop
      "amdgpu"   # desktop
    ];
    boot.extraModulePackages = [ ];
    boot.kernelParams = [ "boot.shell_on_fail" ];
    boot.consoleLogLevel = 7;
    boot.loader.grub.enable = false;
    # boot.loader.generic-extlinux-compatible.enable = true;
    # enable cross compilation
    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    # nixpkgs.config.allowUnsupportedSystem = true;
    # nixpkgs.crossSystem.system = "aarch64-linux";
    powerManagement.cpuFreqGovernor = "powersave";
    hardware.enableRedistributableFirmware = true;
    hardware.cpu.amd.updateMicrocode = true;    # desktop
    hardware.cpu.intel.updateMicrocode = true;  # laptop
    services.fwupd.enable = true;
    # powertop will default to putting USB devices -- including HID -- to sleep after TWO SECONDS
    powerManagement.powertop.enable = false;
    hardware.opengl.extraPackages = [
      # laptop
      pkgs.intel-compute-runtime
      pkgs.intel-media-driver  # new
      pkgs.libvdpau-va-gl      # new
      pkgs.vaapiIntel
      # desktop
      pkgs.rocm-opencl-icd
      pkgs.rocm-opencl-runtime
    ];
    hardware.opengl.driSupport = true;
    # For 32 bit applications
    hardware.opengl.driSupport32Bit = true;
    # TODO colin: does this *do* anything?
    swapDevices = [ ];
    # services.snapper.configs = {
    #   root = {
    #     subvolume = "/";
    #     extraConfig = {
    #       ALLOW_USERS = "colin";
    #     };
    #   };
    # };
    # services.snapper.snapshotInterval = "daily";
  };
 }
--- a/modules/image.nix
+++ b/modules/image.nix
@@ -2,15 +2,29 @@
 with lib;
 let
-  cfg = config.colinsane.image;
+  cfg = config.sane.image;
 in
 {
  options = {
-    colinsane.image.extraBootFiles = mkOption {
+    # packages whose contents should be copied directly into the /boot partition.
    # e.g. EFI loaders, u-boot bootloader, etc.
    sane.image.extraBootFiles = mkOption {
      default = [];
      type = types.listOf types.package;
    };
-    colinsane.image.extraGPTPadding = mkOption {
+    # extra (empty) directories to create in the rootfs.
    # for example, /var/log might be required by the boot process, so ensure it exists.
    sane.image.extraDirectories = mkOption {
      default = [];
      type = types.listOf types.str;
    };
    # the GPT header is fixed to Logical Block Address 1,
    # but we can actually put the partition entries anywhere.
    # this option reserves so many bytes after LBA 1 but *before* the partition entries.
    # this is not universally supported, but is an easy hack to claim space near the start
    # of the disk for other purposes (e.g. firmware blobs)
    sane.image.extraGPTPadding = mkOption {
      default = 0;
      # NB: rpi doesn't like non-zero values for this.
      # at the same time, spinning disks REALLY need partitions to be aligned to 4KiB boundaries.
@@ -18,7 +32,8 @@ in
      # default = 2014 * 512;  # standard is to start part0 at sector 2048  (versus 34 if no padding)
      type = types.int;
    };
-    colinsane.image.firstPartGap = mkOption {
+    # optional space (in bytes) to leave unallocated after the GPT structure and before the first partition.
    sane.image.firstPartGap = mkOption {
      # align the first part to 16 MiB.
      # do this by inserting a gap of 16 MiB - gptHeaderSize
      # and then multiply by 1MiB and subtract 1 because mobile-nixos
@@ -26,7 +41,7 @@ in
      default = (16 * 1024 * 1024 - 34 * 512) * 1024 * 1024 - 1;
      type = types.nullOr types.int;
    };
-    colinsane.image.bootPartSize = mkOption {
+    sane.image.bootPartSize = mkOption {
      default = 512 * 1024 * 1024;
      type = types.int;
    };
@@ -37,6 +52,7 @@ in
      (builtins.substring 0 (builtins.stringLength sub) super) == sub
    );
    # return the (string) path to get from `stem` to `path`
    # or errors if not a sub-path
    relPath = stem: path: (
      builtins.head (builtins.match "^${stem}(.+)" path)
    );
@@ -47,14 +63,6 @@ in
    # resolves to e.g. "nix/store", "/store" or ""
    storeRelPath = relPath nixFs.mountPoint "/nix/store";
    # return a list of all the `device` values -- one for each fileSystems."$x"
    devices = builtins.attrValues (builtins.mapAttrs (mount: entry: entry.device) fileSystems);
    # filter the devices to just those which sit under nixFs
    subNixMounts = builtins.filter (a: startsWith (builtins.toString a) nixFs.mountPoint) devices;
    # e.g. ["/nix/persist/var"] -> ["/persist/var"] if nixFs sits at /nix
    subNixRelMounts = builtins.map (m: relPath nixFs.mountPoint m) subNixMounts;
    makeSubNixMounts = builtins.toString (builtins.map (m: "mkdir -p ./${m};") subNixRelMounts);
    uuidFromFs = fs: builtins.head (builtins.match "/dev/disk/by-uuid/(.+)" fs.device);
    vfatUuidFromFs = fs: builtins.replaceStrings ["-"] [""] (uuidFromFs fs);
@@ -104,11 +112,10 @@ in
          populateCommands =
          let
            closureInfo = buildPackages.closureInfo { rootPaths = config.system.build.toplevel; };
            extraRelPaths = builtins.toString (builtins.map (p: "./" + builtins.toString(relPath nixFs.mountPoint p)) cfg.extraDirectories);
          in
          ''
-            mkdir -p ./${storeRelPath}
+            mkdir -p ./${storeRelPath} ${extraRelPaths}
            # TODO: we should create the dirs required for boot (/var/log?). the rest are populated automatically.
            # $(makeSubNixMounts)
            echo "Copying system closure..."
            while IFS= read -r path; do
              echo "  Copying $path"
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -6,63 +6,71 @@
 with lib;
 let
-  cfg = config.colinsane.impermanence;
+  cfg = config.sane.impermanence;
 in
 {
  imports = [
    # TODO: move to flake.nix?
    impermanence.nixosModule
  ];
  options = {
-    colinsane.impermanence.enable = mkOption {
+    sane.impermanence.enable = mkOption {
      default = false;
      type = types.bool;
    };
    sane.impermanence.home-dirs = mkOption {
      default = [];
      type = types.listOf (types.either types.str (types.attrsOf types.str));
    };
    sane.impermanence.service-dirs = mkOption {
      default = [];
      type = types.listOf (types.either types.str (types.attrsOf types.str));
    };
  };
-  config = mkIf cfg.enable {
+  config = let
-    environment.persistence."/nix/persist" = {
+    map-dir = defaults: dir: if isString dir then
-      directories = [
+        map-dir defaults { directory = "${defaults.directory}${dir}"; }
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/archive"; }
+      else
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/dev"; }
+        defaults // dir
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/ref"; }
+      ;
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/tmp"; }
+    map-dirs = defaults: dirs: builtins.map (map-dir defaults) dirs;
        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/use"; }
        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/Music"; }
        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/Pictures"; }
        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/Videos"; }
    map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
    map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
    map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
  in mkIf cfg.enable {
    sane.image.extraDirectories = [ "/nix/persist/var/log" ];
    environment.persistence."/nix/persist" = {
      directories = (map-home-dirs ([
        # cache is probably too big to fit on the tmpfs
        # TODO: we could bind-mount it to something which gets cleared per boot, though.
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.cache"; }
+        ".cache"
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.ssh"; }
+        ".cargo"
        ".rustup"
        ".ssh"
        # intentionally omitted:
-        # "/home/colin/.config"  # managed by home-manager
+        # ".config"  # managed by home-manager
-        # "/home/colin/.local"   # nothing useful in here
+        # ".local"   # nothing useful in here
-        # "/home/colin/.mozilla" # managed by home-manager
+      ] ++ cfg.home-dirs)) ++ (map-sys-dirs [
-        # creds. TODO: can i manage this with home-manager?
+        # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
-        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.config/spotify"; }
+        # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
        # creds, but also 200 MB of node modules, etc
        { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/.config/discord"; }
        { user = "root"; group = "root"; mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
        # "/etc/nixos"
-        { user = "root"; group = "root"; mode = "0755"; directory = "/etc/ssh"; }
+        # "/etc/ssh"  # persist only the specific files we want, instead
        "/var/log"
        "/var/backup"  # for e.g. postgres dumps
      ]) ++ (map-service-dirs ([
        # "/var/lib/AccountsService"   # not sure what this is, but it's empty
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/alsa"; }                # preserve output levels, default devices
+        "/var/lib/alsa"                # preserve output levels, default devices
        # "/var/lib/blueman"           # files aren't human readable
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/bluetooth"; }           # preserve bluetooth handshakes
+        "/var/lib/bluetooth"           # preserve bluetooth handshakes
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/colord"; }              # preserve color calibrations (?)
+        "/var/lib/colord"              # preserve color calibrations (?)
        # "/var/lib/dhclient"          # empty on lappy; dunno about desko
        # "/var/lib/fwupd"             # not sure why this would need persistent state
        # "/var/lib/geoclue"           # empty on lappy
        # "/var/lib/lockdown"          # empty on desko; might store secrets after iOS handshake?
        # "/var/lib/logrotate.status"  # seems redundant with what's in /var/log?
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/machines"; }            # maybe not needed, but would be painful to add a VM and forget.
+        "/var/lib/machines"            # maybe not needed, but would be painful to add a VM and forget.
        # "/var/lib/misc"              # empty on lappy
        # "/var/lib/NetworkManager"    # looks to be mostly impermanent state?
        # "/var/lib/NetworkManager-fortisslvpn" # empty on lappy
-        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/nixos"; }               # has some uid/gid maps; not sure what happens if we lose this.
+        # "/var/lib/nixos"             # has some uid/gid maps, but we enforce these to be deterministic.
        # "/var/lib/PackageKit"        # wtf is this?
        # "/var/lib/power-profiles-daemon"  # redundant with nixos declarations
        # "/var/lib/private"           # empty on lappy
@@ -71,37 +79,30 @@ in
        # "/var/lib/upower"            # historic charge data. unnecessary, but maybe used somewhere?
        #
        # servo additions:
        { user = "998"; group = "996"; mode = "0755"; directory = "/var/lib/acme"; }  # TODO: mode?
        # "/var/lib/dhparams"          # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
        # "/var/lib/dovecot"
        # "/var/lib/duplicity"
-        { user = "994"; group = "993"; mode = "0755"; directory = "/var/lib/gitea"; } # TODO: mode? could be more granular
+      ] ++ cfg.service-dirs));
        { user = "261"; group = "261"; mode = "0755"; directory = "/var/lib/ipfs"; }  # TODO: mode? could be more granular
        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/jackett"; } # TODO: mode? we only need this to save Indexer creds ==> migrate to config?
        { user = "996"; group = "994"; mode = "0755"; directory = "/var/lib/jellyfin"; } # TODO: mode? could be more granular
        { user = "993"; group = "992"; mode = "0755"; directory = "/var/lib/matrix-appservice-irc"; } # TODO: mode?
        { user = "224"; group = "224"; mode = "0755"; directory = "/var/lib/matrix-synapse"; } # TODO: mode?
        { user = "221"; group = "221"; mode = "0755"; directory = "/var/lib/opendkim"; } # TODO: mode? move this to the nix config (SOPS)
        { user = "997"; group = "995"; mode = "0755"; directory = "/var/lib/pleroma"; } # TODO: mode? could be more granular
        { user = "71"; group = "71"; mode = "0755"; directory = "/var/lib/postgresql"; } # TODO: mode?
        { user = "root"; group = "root"; mode = "0755"; directory = "/var/lib/postfix"; } # TODO: mode? could be more granular
        { user = "70"; group = "70"; mode = "0755"; directory = "/var/lib/transmission"; } # TODO: mode? we need this specifically for the stats tracking in .config/
        { user = "colin"; group = "users"; mode = "0755"; directory = "/var/lib/uninsane"; }
        { user = "root"; group = "root"; mode = "0755"; directory = "/var/log"; }
        # TODO: what even GOES in /srv?
        { user = "root"; group = "root"; mode = "0755"; directory = "/srv"; }
      ];
      files = [
        "/etc/machine-id"
-        # "/home/colin/knowledge"
+        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        "/home/colin/.zsh_history"
        # # XXX these only need persistence because i have mutableUsers = true, i think
        # "/etc/group"
        # "/etc/passwd"
        # "/etc/shadow"
        # { file = "/home/test2"; persistentStoragePath = "/nix/persist"; }
      ];
    };
    systemd.services.sane-sops = {
      description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
      script = config.system.activationScripts.setupSecrets.text;
      after = [ "fs-local.target" ];
      wantedBy = [ "multi-user.target" ];
    };
  };
 }
--- a/modules/nixcache.nix
+++ b/modules/nixcache.nix
@@ -2,33 +2,30 @@
 with lib;
 let
-  cfg = config.colinsane.nixcache;
+  cfg = config.sane.nixcache;
 in
 {
  options = {
-    colinsane.nixcache.enable = mkOption {
+    sane.nixcache.enable = mkOption {
      default = false;
      type = types.bool;
    };
  };
-  config = {
+  config = mkIf cfg.enable {
    # use our own binary cache
-    nix.settings = mkIf cfg.enable {
+    nix.settings = {
      substituters = [
        "https://nixcache.uninsane.org"
        "http://desko:5000"
        "https://nix-community.cachix.org"
        "https://cache.nixos.org/"
      ];
      trusted-public-keys = [
        "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
        "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
    };
    # allow `nix flake ...` command
    nix.extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };
 }
--- a/modules/services/duplicity.nix
+++ b/modules/services/duplicity.nix
@@ -3,17 +3,20 @@
 with lib;
 let
-  cfg = config.colinsane.services.duplicity;
+  cfg = config.sane.services.duplicity;
 in
 {
  options = {
-    colinsane.services.duplicity.enable = mkOption {
+    sane.services.duplicity.enable = mkOption {
      default = false;
      type = types.bool;
    };
  };
  config = mkIf cfg.enable {
    # we need this mostly because of the size of duplicity's cache
    sane.impermanence.service-dirs = [ "/var/lib/duplicity" ];
    services.duplicity.enable = true;
    services.duplicity.targetUrl = ''"$DUPLICITY_URL"'';
    services.duplicity.escapeUrl = false;
@@ -29,6 +32,7 @@ in
    services.duplicity.secretFile = config.sops.secrets.duplicity_passphrase.path;
    # NB: manually trigger with `systemctl start duplicity`
    services.duplicity.frequency = "daily";
    # TODO: this needs updating to handle impermanence changes
    services.duplicity.exclude = [
      # impermanent/inconsequential data:
      "/dev"
--- a/modules/services/nixserve.nix
+++ b/modules/services/nixserve.nix
@@ -0,0 +1,33 @@
 # docs: https://nixos.wiki/wiki/Binary_Cache
 # to copy something to this machine's nix cache, do:
 #   nix copy --to ssh://nixcache.uninsane.org PACKAGE
 { config, lib, ... }:
 with lib;
 let
  cfg = config.sane.services.nixserve;
 in
 {
  options = {
    sane.services.nixserve.enable = mkOption {
      default = false;
      type = types.bool;
    };
    sane.services.nixserve.sopsFile = mkOption {
      default = ../../secrets/servo.yaml;
      type = types.path;
    };
  };
  config = mkIf cfg.enable {
    services.nix-serve = {
      enable = true;
      secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
      openFirewall = true;  # not needed for servo; only desko
    };
    sops.secrets.nix_serve_privkey = {
      sopsFile = cfg.sopsFile;
    };
  };
 }
--- a/modules/universal/allocations.nix
+++ b/modules/universal/allocations.nix
@@ -0,0 +1,56 @@
 { lib, ... }:
 with lib;
 let
  mkId = id: mkOption {
    default = id;
    type = types.int;
  };
 in
 {
  options = {
    # legacy servo users, some are inconvenient to migrate
    sane.allocations.dhcpcd-gid = mkId 991;
    sane.allocations.dhcpcd-uid = mkId 992;
    sane.allocations.gitea-gid = mkId 993;
    sane.allocations.git-uid = mkId 994;
    sane.allocations.jellyfin-gid = mkId 994;
    sane.allocations.pleroma-gid = mkId 995;
    sane.allocations.jellyfin-uid = mkId 996;
    sane.allocations.acme-gid = mkId 996;
    sane.allocations.pleroma-uid = mkId 997;
    sane.allocations.acme-uid = mkId 998;
    sane.allocations.greeter-uid = mkId 999;
    sane.allocations.greeter-gid = mkId 999;
    sane.allocations.colin-uid = mkId 1000;
    sane.allocations.guest-uid = mkId 1100;
    # found on all machines
    sane.allocations.sshd-uid = mkId 2001;  # 997
    sane.allocations.sshd-gid = mkId 2001;  # 997
    sane.allocations.polkituser-gid = mkId 2002;  # 998
    sane.allocations.systemd-coredump-gid = mkId 2003;  # 996
    sane.allocations.nscd-uid = mkId 2004;
    sane.allocations.nscd-gid = mkId 2004;
    # found on graphical machines
    sane.allocations.nm-iodine-uid = mkId 2101;  # desko/moby/lappy
    # found on desko machine
    sane.allocations.usbmux-uid = mkId 2204;
    sane.allocations.usbmux-gid = mkId 2204;
    # originally found on moby machine
    sane.allocations.avahi-uid = mkId 2304;
    sane.allocations.avahi-gid = mkId 2304;
    sane.allocations.colord-uid = mkId 2305;
    sane.allocations.colord-gid = mkId 2305;
    sane.allocations.geoclue-uid = mkId 2306;
    sane.allocations.geoclue-gid = mkId 2306;
    sane.allocations.rtkit-uid = mkId 2307;
    sane.allocations.rtkit-gid = mkId 2307;
    sane.allocations.feedbackd-gid = mkId 2308;
  };
 }
--- a/modules/universal/default.nix
+++ b/modules/universal/default.nix
@@ -2,8 +2,10 @@
 {
  imports = [
    ./allocations.nix
    ./env
    ./fs.nix
-    ./home-manager.nix
+    ./net.nix
    ./secrets.nix
    ./users.nix
    ./vpn.nix
@@ -23,11 +25,9 @@
    };
  };
-  # programs.vim.defaultEditor = true;
+  # allow `nix flake ...` command
-  environment.variables = {
+  nix.extraOptions = ''
-    EDITOR = "vim";
+    experimental-features = nix-command flakes
-    # git claims it should use EDITOR, but it doesn't!
+  '';
    GIT_EDITOR = "vim";
  };
 }
--- a/modules/universal/env/default.nix
+++ b/modules/universal/env/default.nix
@@ -0,0 +1,22 @@
 { ... }:
 {
  imports = [
    ./feeds.nix
    ./home-manager.nix
    ./home-packages.nix
    ./system-packages.nix
  ];
  # programs.vim.defaultEditor = true;
  environment.variables = {
    EDITOR = "vim";
    # git claims it should use EDITOR, but it doesn't!
    GIT_EDITOR = "vim";
    # Electron apps should use native wayland backend:
    #   https://nixos.wiki/wiki/Slack#Wayland
    # Discord under sway crashes with this.
    # NIXOS_OZONE_WL = "1";
  };
 }
--- a/modules/universal/env/feeds.nix
+++ b/modules/universal/env/feeds.nix
@@ -0,0 +1,35 @@
 { lib, ... }:
 with lib;
 {
  options = {
    sane.feeds.podcastUrls = mkOption {
      type = types.listOf types.str;
      default = [
        "https://lexfridman.com/feed/podcast/"
        ## Astral Codex Ten
        "http://feeds.libsyn.com/108018/rss"
        ## Econ Talk
        "https://feeds.simplecast.com/wgl4xEgL"
        ## Cory Doctorow
        "https://feeds.feedburner.com/doctorow_podcast"
        "https://congressionaldish.libsyn.com/rss"
        ## Civboot
        "https://anchor.fm/s/34c7232c/podcast/rss"
        "https://feeds.feedburner.com/80000HoursPodcast"
        "https://allinchamathjason.libsyn.com/rss"
        ## Eric Weinstein
        "https://rss.art19.com/the-portal"
        "https://feeds.megaphone.fm/darknetdiaries"
        "http://feeds.wnyc.org/radiolab"
        "https://wakingup.libsyn.com/rss"
        ## 99% Invisible
        "https://feeds.simplecast.com/BqbsxVfO"
        "https://rss.acast.com/ft-tech-tonic"
        "https://feeds.feedburner.com/dancarlin/history?format=xml"
        ## 60 minutes (NB: this features more than *just* audio?)
        "https://www.cbsnews.com/latest/rss/60-minutes"
      ];
    };
  };
 }
--- a/modules/universal/env/home-manager.nix
+++ b/modules/universal/env/home-manager.nix
@@ -0,0 +1,522 @@
 # docs:
 #   https://rycee.gitlab.io/home-manager/
 #   https://rycee.gitlab.io/home-manager/options.html
 #   man home-configuration.nix
 #
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.sane.home-manager;
  vim-swap-dir = ".cache/vim-swap";
  # extract package from `extraPackages`
  pkglist = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
  # extract `dir` from `extraPackages`
  dirlist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
 in
 {
  options = {
    sane.home-manager.enable = mkOption {
      default = false;
      type = types.bool;
    };
    # packages to deploy to the user's home
    sane.home-manager.extraPackages = mkOption {
      default = [ ];
      # each entry can be either a package, or attrs:
      #   { pkg = package; dir = optional string;
      type = types.listOf (types.either types.package types.attrs);
    };
    # attributes to copy directly to home-manager's `wayland.windowManager` option
    sane.home-manager.windowManager = mkOption {
      default = {};
      type = types.attrs;
    };
    # extra attributes to include in home-manager's `programs` option
    sane.home-manager.programs = mkOption {
      default = {};
      type = types.attrs;
    };
  };
  config = lib.mkIf cfg.enable {
    sops.secrets."aerc_accounts" = {
      owner = config.users.users.colin.name;
      sopsFile = ../../../secrets/universal/aerc_accounts.conf;
      format = "binary";
    };
    sops.secrets."sublime_music_config" = {
      owner = config.users.users.colin.name;
      sopsFile = ../../../secrets/universal/sublime_music_config.json.bin;
      format = "binary";
    };
    sane.impermanence.home-dirs = [
      "archive"
      "dev"
      "records"
      "ref"
      "tmp"
      "use"
      "Music"
      "Pictures"
      "Videos"
      vim-swap-dir
    ] ++ (dirlist cfg.extraPackages);
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
      home.packages = pkglist cfg.extraPackages;
      wayland.windowManager = cfg.windowManager;
      home.stateVersion = "21.11";
      home.username = "colin";
      home.homeDirectory = "/home/colin";
      # XDG defines things like ~/Desktop, ~/Downloads, etc.
      # these clutter the home, so i mostly don't use them.
      xdg.userDirs = {
        enable = true;
        createDirectories = false;  # on headless systems, most xdg dirs are noise
        desktop = "$HOME/.xdg/Desktop";
        documents = "$HOME/dev";
        download = "$HOME/tmp";
        music = "$HOME/Music";
        pictures = "$HOME/Pictures";
        publicShare = "$HOME/.xdg/Public";
        templates = "$HOME/.xdg/Templates";
        videos = "$HOME/Videos";
      };
      xdg.mimeApps.enable = true;
      xdg.mimeApps.defaultApplications = {
        "text/html" = [ "librewolf.desktop" ];
        "x-scheme-handler/http" = [ "librewolf.desktop" ];
        "x-scheme-handler/https" = [ "librewolf.desktop" ];
        "x-scheme-handler/about" = [ "librewolf.desktop" ];
        "x-scheme-handler/unknown" = [ "librewolf.desktop" ];
        "image/png" = [ "org.gnome.gThumb.desktop" ];
      };
      # convenience
      home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
      home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
      # nb markdown/personal knowledge manager
      home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
      home.file.".nb/.current".text = "knowledge";
      home.file.".nbrc".text = ''
        # manage with `nb settings`
        export NB_AUTO_SYNC=0
      '';
      # uBlock filter list configuration.
      # specifically, enable the GDPR cookie prompt blocker.
      # data.toOverwrite.filterLists is additive (i.e. it supplements the default filters)
      # this configuration method is documented here:
      # - <https://github.com/gorhill/uBlock/issues/2986#issuecomment-364035002>
      # the specific attribute path is found via scraping ublock code here:
      # - <https://github.com/gorhill/uBlock/blob/master/src/js/storage.js>
      # - <https://github.com/gorhill/uBlock/blob/master/assets/assets.json>
      home.file.".librewolf/managed-storage/uBlock0@raymondhill.net.json".text = ''
        {
         "name": "uBlock0@raymondhill.net",
         "description": "ignored",
         "type": "storage",
         "data": {
            "toOverwrite": "{\"filterLists\": [\"fanboy-cookiemonster\"]}"
         }
        }
      '';
      # aerc TUI mail client
      xdg.configFile."aerc/accounts.conf".source =
        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
      # make Discord usable even when client is "outdated"
      xdg.configFile."discord/settings.json".text = ''
      {
        "SKIP_HOST_UPDATE": true
      }
      '';
      # sublime music player
      xdg.configFile."sublime-music/config.json".source =
        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.sublime_music_config.path;
      xdg.configFile."vlc/vlcrc".text =
      let
        podcastUrls = lib.strings.concatStringsSep "|" sysconfig.sane.feeds.podcastUrls;
      in ''
      [podcast]
      podcast-urls=${podcastUrls}
      [core]
      metadata-network-access=0
      [qt]
      qt-privacy-ask=0
      '';
      xdg.configFile."gpodderFeeds.opml".text =
      let
        entries = builtins.toString (builtins.map
          (url: ''\n    <outline xmlUrl="${url}" type="rss"/>'')
          sysconfig.sane.feeds.podcastUrls
        );
      in ''
        <?xml version="1.0" encoding="utf-8"?>
        <opml version="2.0">
          <body>${entries}
          </body>
        </opml>
      '';
      # gnome feeds RSS viewer
      xdg.configFile."org.gabmus.gfeeds.json".text = builtins.toJSON {
        feeds = {
          # AGGREGATORS (> 1 post/day)
          "https://www.lesswrong.com/feed.xml" = { tags = [ "hourly" "rat" ]; };
          "http://www.econlib.org/index.xml" = { tags = [ "hourly" "pol" ]; };
          # AGGREGATORS (< 1 post/day)
          "https://palladiummag.com/feed" = { tags = [ "weekly" "uncat" ]; };
          "https://profectusmag.com/feed" = { tags = [ "weekly" "uncat" ]; };
          "https://semiaccurate.com/feed" = { tags = [ "weekly" "tech" ]; };
          "https://linuxphoneapps.org/blog/atom.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://spectrum.ieee.org/rss" = { tags = [ "weekly" "tech" ]; };
          ## No Moods, Ads or Cutesy Fucking Icons
          "https://www.rifters.com/crawl/?feed=rss2" = { tags = [ "weekly" "uncat" ]; };
          # DEVELOPERS
          "https://mg.lol/blog/rss/" = { tags = [ "infrequent" "tech" ]; };
          ## Ken Shirriff
          "https://www.righto.com/feeds/posts/default" = { tags = [ "infrequent" "tech" ]; };
          ## Vitalik Buterin
          "https://vitalik.ca/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          ## ian (Sanctuary)
          "https://sagacioussuricata.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          ## Bunnie Juang
          "https://www.bunniestudios.com/blog/?feed=rss2" = { tags = [ "infrequent" "tech" ]; };
          "https://blog.danieljanus.pl/atom.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://ianthehenry.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://bitbashing.io/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://idiomdrottning.org/feed.xml" = { tags = [ "daily" "uncat" ]; };
          # (TECH; POL) COMMENTATORS
          "http://benjaminrosshoffman.com/feed" = { tags = [ "weekly" "pol" ]; };
          ## Ben Thompson
          "https://www.stratechery.com/rss" = { tags = [ "weekly" "pol" ]; };
          ## Balaji
          "https://balajis.com/rss" = { tags = [ "weekly" "pol" ]; };
          "https://www.ben-evans.com/benedictevans/rss.xml" = { tags = [ "weekly" "pol" ]; };
          "https://www.lynalden.com/feed" = { tags = [ "infrequent" "pol" ]; };
          "https://austinvernon.site/rss.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://oversharing.substack.com/feed" = { tags = [ "daily" "pol" ]; };
          ## David Rosenthal
          "https://blog.dshr.org/rss.xml" = { tags = [ "weekly" "pol" ]; };
          ## Matt Levine
          "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" = { tags = [ "weekly" "pol" ]; };
          # RATIONALITY/PHILOSOPHY/ETC
          "https://samkriss.substack.com/feed" = { tags = [ "infrequent" "uncat" ]; };  # ... satire? phil?
          "https://unintendedconsequenc.es/feed" = { tags = [ "infrequent" "rat" ]; };
          "https://applieddivinitystudies.com/atom.xml" = { tags = [ "weekly" "rat" ]; };
          "https://slimemoldtimemold.com/feed.xml" = { tags = [ "weekly" "rat" ]; };
          "https://www.richardcarrier.info/feed" = { tags = [ "weekly" "rat" ]; };
          "https://www.gwern.net/feed.xml" = { tags = [ "infrequent" "uncat" ]; };
          ## Jason Crawford
          "https://rootsofprogress.org/feed.xml" = { tags = [ "weekly" "rat" ]; };
          ## Robin Hanson
          "https://www.overcomingbias.com/feed" = { tags = [ "daily" "rat" ]; };
          ## Scott Alexander
          "https://astralcodexten.substack.com/feed.xml" = { tags = [ "daily" "rat" ]; };
          ## Paul Christiano
          "https://sideways-view.com/feed" = { tags = [ "infrequent" "rat" ]; };
          ## Sean Carroll
          "https://www.preposterousuniverse.com/rss" = { tags = [ "infrequent" "rat" ]; };
          # COMICS
          "https://www.smbc-comics.com/comic/rss" = { tags = [ "daily" "visual" ]; };
          "https://xkcd.com/atom.xml" = { tags = [ "daily" "visual" ]; };
          "http://dilbert.com/feed" = { tags = ["daily" "visual" ]; };
          # ART
          "https://miniature-calendar.com/feed" = { tags = [ "daily" "visual" ]; };
        };
        dark_reader = false;
        new_first = true;
        # windowsize = {
        #   width = 350;
        #   height = 650;
        # };
        max_article_age_days = 90;
        enable_js = false;
        max_refresh_threads = 3;
        # saved_items = {};
        # read_items = [];
        show_read_items = true;
        full_article_title = true;
        # views: "webview", "reader", "rsscont"
        default_view = "rsscont";
        open_links_externally = true;
        full_feed_name = false;
        refresh_on_startup = true;
        tags = [
          # hourly => aggregator
          # daily => prolifiq writer
          # weekly => i can keep up with most -- but maybe not all -- of their content
          # infrequent => i can read everything in this category
          "hourly" "daily" "weekly" "infrequent"
          # rat[ionality] gets used interchangably with philosophy, here.
          # pol[itical] gets used for social commentary and economics as well.
          # visual gets used for comics/art
          "uncat" "rat" "tech" "pol" "visual"
        ];
        open_youtube_externally = false;
        media_player = "vlc";  # default: mpv
      };
      programs = {
        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
        zsh = {
          enable = true;
          enableSyntaxHighlighting = true;
          enableVteIntegration = true;
          dotDir = ".config/zsh";
          initExtraBeforeCompInit = ''
            # p10k instant prompt
            # run p10k configure to configure, but it can't write out its file :-(
            POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
          '';
          # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
          # see: https://github.com/sorin-ionescu/prezto
          prezto = {
            enable = true;
            pmodules = [
              "environment"
              "terminal"
              "editor"
              "history"
              "directory"
              "spectrum"
              "utility"
              "completion"
              "prompt"
              "git"
            ];
            prompt = {
              theme = "powerlevel10k";
            };
          };
        };
        kitty = {
          enable = true;
          # docs: https://sw.kovidgoyal.net/kitty/conf/
          settings = {
            # disable terminal bell (when e.g. you backspace too many times)
            enable_audio_bell = false;
          };
          keybindings = {
            "ctrl+n" = "new_os_window_with_cwd";
          };
          # docs: https://github.com/kovidgoyal/kitty-themes
          # theme = "1984 Light";  # dislike: awful, harsh blues/teals
          # theme = "Adventure Time";  # dislike: harsh (dark)
          # theme = "Atom One Light";  # GOOD: light theme. all color combos readable. not a huge fan of the blue.
          # theme = "Belafonte Day";  # dislike: too low contrast for text colors
          # theme = "Belafonte Night";  # better: dark theme that's easy on the eyes. all combos readable. low contrast.
          # theme = "Catppuccin";  # dislike: a bit pale/low-contrast (dark)
          # theme = "Desert";  # mediocre: colors are harsh
          # theme = "Earthsong";  # BEST: dark theme. readable, good contrast. unique, but decent colors.
          # theme = "Espresso Libre";  # better: dark theme. readable, but meh colors
          # theme = "Forest Night";  # decent: very pastel. it's workable, but unconventional and muted/flat.
          # theme = "Gruvbox Material Light Hard";  # mediocre light theme.
          # theme = "kanagawabones";  # better: dark theme. colors are too background-y
          # theme = "Kaolin Dark";  # dislike: too dark
          # theme = "Kaolin Breeze";  # mediocre: not-too-harsh light theme, but some parts are poor contrast
          # theme = "Later This Evening";  # mediocre: not-too-harsh dark theme, but cursor is poor contrast
          # theme = "Material"; # decent: light theme, few colors.
          # theme = "Mayukai";  # decent: not-too-harsh dark theme. the teal is a bit straining
          # theme = "Nord";  # mediocre: pale background, low contrast
          # theme = "One Half Light";  # better: not-too-harsh light theme. contrast could be better
          theme = "PaperColor Dark";  # BEST: dark theme, very readable still the colors are background-y
          # theme = "Parasio Dark";  # dislike: too low contrast
          # theme = "Pencil Light";  # better: not-too-harsh light theme. decent contrast.
          # theme = "Pnevma";  # dislike: too low contrast
          # theme = "Piatto Light";  # better: readable light theme. pleasing colors. powerline prompt is hard to read.
          # theme = "Rosé Pine Dawn";  # GOOD: light theme. all color combinations are readable. it is very mild -- may need to manually tweak contrast. tasteful colors
          # theme = "Rosé Pine Moon";  # GOOD: dark theme. tasteful colors. but background is a bit intense
          # theme = "Sea Shells";  # mediocre. not all color combos are readable
          # theme = "Solarized Light";  # mediocre: not-too-harsh light theme; GREAT background; but some colors are low contrast
          # theme = "Solarized Dark Higher Contrast";  # better: dark theme, decent colors
          # theme = "Sourcerer";  # mediocre: ugly colors
          # theme = "Space Gray";  # mediocre: too muted
          # theme = "Space Gray Eighties";  # better: all readable, decent colors
          # theme = "Spacemacs";  # mediocre: too muted
          # theme = "Spring";  # mediocre: readable light theme, but the teal is ugly.
          # theme = "Srcery";  # better: highly readable. colors are ehhh
          # theme = "Substrata";  # decent: nice colors, but a bit flat.
          # theme = "Sundried";  # mediocre: the solar text makes me squint
          # theme = "Symfonic";  # mediocre: the dark purple has low contrast to the black bg.
          # theme = "Tango Light";  # dislike: teal is too grating
          # theme = "Tokyo Night Day";  # medicore: too muted
          # theme = "Tokyo Night";  # better: tasteful. a bit flat
          # theme = "Tomorrow";  # GOOD: all color combinations are readable. contrast is slightly better than Rose. on the blander side
          # theme = "Treehouse";  # dislike: the orange is harsh on my eyes.
          # theme = "Urple";  # dislike: weird palette
          # theme = "Warm Neon";  # decent: not-too-harsh dark theme. the green is a bit unattractive
          # theme = "Wild Cherry";  # GOOD: dark theme: nice colors. a bit flat
          # theme = "Xcodedark";  # dislike: bad palette
          # theme = "citylights";  # decent: dark theme. some parts have just a bit low contrast
          # theme = "neobones_light"; # better light theme. the background is maybe too muted
          # theme = "vimbones";
          # theme = "zenbones_dark";  # mediocre: readable, but meh colors
          # theme = "zenbones_light";  # decent: light theme. all colors are readable. contrast is passable but not excellent. highlight color is BAD
          # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
          # extraConfig = "";
        };
        git = {
          enable = true;
          userName = "colin";
          userEmail = "colin@uninsane.org";
        };
        neovim = {
          # neovim: https://github.com/neovim/neovim
          enable = true;
          viAlias = true;
          vimAlias = true;
          plugins = with pkgs.vimPlugins; [
            # docs: surround-nvim: https://github.com/ur4ltz/surround.nvim/
            # docs: vim-surround: https://github.com/tpope/vim-surround
            vim-surround
            # docs: fzf-vim (fuzzy finder): https://github.com/junegunn/fzf.vim
            fzf-vim
            # docs: https://github.com/KeitaNakamura/tex-conceal.vim/
            ({
              plugin = tex-conceal-vim;
              type = "viml";
              config = ''
                " present prettier fractions
                let g:tex_conceal_frac=1
              '';
            })
            ({
              plugin = vim-SyntaxRange;
              type = "viml";
              config = ''
                " enable markdown-style codeblock highlighting for tex code
                autocmd BufEnter * call SyntaxRange#Include('```tex', '```', 'tex', 'NonText')
                " autocmd Syntax tex set conceallevel=2
              '';
            })
            # nabla renders inline math in any document, but it's buggy.
            #   https://github.com/jbyuki/nabla.nvim
            # ({
            #   plugin = pkgs.nabla;
            #   type = "lua";
            #   config = ''
            #     require'nabla'.enable_virt()
            #   '';
            # })
            # treesitter syntax highlighting: https://nixos.wiki/wiki/Tree_sitters
            # docs: https://github.com/nvim-treesitter/nvim-treesitter
            # config taken from: https://github.com/i077/system/blob/master/modules/home/neovim/default.nix
            # this is required for tree-sitter to even highlight
            ({
              plugin = (nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars));
              type = "lua";
              config = ''
                require'nvim-treesitter.configs'.setup {
                  highlight = {
                    enable = true,
                    -- disable treesitter on Rust so that we can use SyntaxRange
                    -- and leverage TeX rendering in rust projects
                    disable = { "rust", "tex", "latex" },
                    -- disable = { "tex", "latex" },
                    -- true to also use builtin vim syntax highlighting when treesitter fails
                    additional_vim_regex_highlighting = false
                  },
                  incremental_selection = {
                    enable = true,
                    keymaps = {
                      init_selection = "gnn",
                      node_incremental = "grn",
                      mcope_incremental = "grc",
                      node_decremental = "grm"
                    }
                  },
                  indent = {
                    enable = true,
                    disable = {}
                  }
                }
                vim.o.foldmethod = 'expr'
                vim.o.foldexpr = 'nvim_treesitter#foldexpr()'
              '';
            })
          ];
          extraConfig = ''
            " copy/paste to system clipboard
            set clipboard=unnamedplus
            " screw tabs; always expand them into spaces
            set expandtab
            " at least don't open files with sections folded by default
            set nofoldenable
            " allow text substitutions for certain glyphs.
            " higher number = more aggressive substitution (0, 1, 2, 3)
            " i only make use of this for tex, but it's unclear how to
            " apply that *just* to tex and retain the SyntaxRange stuff.
            set conceallevel=2
            " horizontal rule under the active line
            " set cursorline
            " highlight trailing space & related syntax errors (doesn't seem to work??)
            " let c_space_errors=1
            " let python_space_errors=1
            " enable highlighting of leading/trailing spaces,
            " and especially tabs
            " source: https://www.reddit.com/r/neovim/comments/chlmfk/highlight_trailing_whitespaces_in_neovim/
            set list
            set listchars=tab:▷\·,trail:·,extends:◣,precedes:◢,nbsp:○
          '';
        };
        # XXX: although home-manager calls this option `firefox`, we can use other browsers and it still mostly works.
        firefox = lib.mkIf (sysconfig.sane.gui.enable) {
          enable = true;
          package = import ./web-browser.nix pkgs;
        };
        # "command not found" will cause the command to be searched in nixpkgs
        nix-index.enable = true;
      } // cfg.programs;
      home.shellAliases = {
        ":q" = "exit";
        # common typos
        "cd.." = "cd ..";
        "cd../" = "cd ../";
      };
    };
  };
 }
--- a/modules/universal/env/home-packages.nix
+++ b/modules/universal/env/home-packages.nix
@@ -0,0 +1,153 @@
 { config, lib, pkgs, ... }:
 with lib;
 with pkgs;
 let
  cfg = config.sane.home-packages;
  universalPkgs = [
    backblaze-b2
    duplicity
    gnupg
    ifuse
    ipfs
    libimobiledevice
    lm_sensors  # for sensors-detect
    lshw
    ffmpeg
    nb
    networkmanager
    nixpkgs-review
    # nixos-generators
    # nettools
    nmon
    oathToolkit  # for oathtool
    # ponymix
    pulsemixer
    python3
    rmlint
    sane-scripts
    sequoia
    snapper
    sops
    speedtest-cli
    ssh-to-age
    sudo
    unar
    visidata
    w3m
    wireguard-tools
    # youtube-dl
    yt-dlp
  ];
  guiPkgs = [
    # GUI only
    aerc  # email client
    audacity
    chromium
    clinfo
    electrum
    # creds/session keys, etc
    { pkg = element-desktop; dir = ".config/Element"; }
    emote  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
    evince  # works on phosh
    { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
    foliate
    font-manager
    gimp  # broken on phosh
    gnome.cheese
    gnome.dconf-editor
    gnome-feeds  # RSS reader (with claimed mobile support)
    gnome.file-roller
    gnome.gnome-disk-utility
    gnome.gnome-maps  # works on phosh
    gnome.nautilus
    gnome-podcasts
    gnome.gnome-system-monitor
    gnome.gnome-terminal  # works on phosh
    gpodder-configured
    gthumb
    inkscape
    krita
    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
    lollypop
    mesa-demos
    networkmanagerapplet
    # settings (electron app). TODO: can i manage these settings with home-manager?
    { pkg = obsidian; dir = ".config/obsidian"; }
    pavucontrol
    playerctl
    soundconverter
    # sublime music persists any downloaded albums here.
    # it doesn't obey a conventional ~/Music/{Artist}/{Album}/{Track} notation, so no symlinking
    # config (e.g. server connection details) is persisted in ~/.config/sublime-music/config.json
    #   possible to pass config as a CLI arg (sublime-music -c config.json)
    { pkg = sublime-music; dir = ".local/share/sublime-music"; }
    tdesktop  # broken on phosh
    vlc  # works on phosh
    whalebird # pleroma client. input is broken on phosh
    xdg-utils  # for xdg-open
    xterm  # broken on phosh
  ]
  ++ (if pkgs.system == "x86_64-linux" then
  [
    # x86_64 only
    # creds, but also 200 MB of node modules, etc
    (let discord = (pkgs.discord.override {
      # XXX 2022-07-31: fix to allow links to open in default web-browser:
      #   https://github.com/NixOS/nixpkgs/issues/78961
      nss = pkgs.nss_latest;
    }); in { pkg = discord; dir = ".config/discord"; })
    # kaiteki  # Pleroma client
    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
    logseq
    losslesscut-bin
    makemkv
    # actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
    { pkg = monero-gui; dir = ".bitmonero"; }
    # creds, media
    { pkg = signal-desktop; dir = ".config/Signal"; }
    # creds. TODO: can i manage this with home-manager?
    { pkg = spotify; dir = ".config/spotify"; }
    # hardenedMalloc solves a crash at startup
    (tor-browser-bundle-bin.override { useHardenedMalloc = false; })
    # zcash coins. safe to delete, just slow to regenerate (10-60 minutes)
    { pkg = zecwallet-lite; dir = ".zcash"; }
  ] else []);
  # useful devtools:
  # bison
  # dtc
  # flex
  # gcc
  # gcc-arm-embedded
  # gcc_multi
  # gnumake
  # mix2nix
  # rustup
  # swig
 in
 {
  options = {
    sane.home-packages.enableGuiPkgs = mkOption {
      default = false;
      type = types.bool;
    };
  };
  config = {
    sane.home-manager.extraPackages = universalPkgs
      ++ (if cfg.enableGuiPkgs then guiPkgs else []);
  };
 }
--- a/modules/universal/env/system-packages.nix
+++ b/modules/universal/env/system-packages.nix
@@ -0,0 +1,38 @@
 { pkgs, ... }:
 {
  # general-purpose utilities that we want any user to be able to access
  #   (specifically: root, in case of rescue)
  environment.systemPackages = with pkgs; [
    btrfs-progs
    cryptsetup
    dig
    efibootmgr
    fatresize
    fd
    file
    gptfdisk
    hdparm
    htop
    iftop
    inetutils  # for telnet
    iotop
    iptables
    jq
    killall
    lsof
    netcat
    nethogs
    nmap
    openssl
    parted
    pciutils
    powertop
    ripgrep
    screen
    smartmontools
    socat
    usbutils
    wget
  ];
 }
--- a/modules/universal/env/web-browser.nix
+++ b/modules/universal/env/web-browser.nix
@@ -0,0 +1,55 @@
 pkgs:
 # common settings to toggle (at runtime, in about:config):
 #   > security.ssl.require_safe_negotiation
 # librewolf is a forked firefox which patches firefox to allow more things
 # (like default search engines) to be configurable at runtime.
 # many of the settings below won't have effect without those patches.
 # see: https://gitlab.com/librewolf-community/settings/-/blob/master/distribution/policies.json
 pkgs.wrapFirefox pkgs.librewolf-unwrapped {
  # inherit the default librewolf.cfg
  # it can be further customized via ~/.librewolf/librewolf.overrides.cfg
  inherit (pkgs.librewolf-unwrapped) extraPrefsFiles;
  libName = "librewolf";
  extraPolicies = {
    NoDefaultBookmarks = true;
    SearchEngines = {
      Default = "DuckDuckGo";
    };
    AppUpdateURL = "https://localhost";
    DisableAppUpdate = true;
    OverrideFirstRunPage = "";
    OverridePostUpdatePage = "";
    DisableSystemAddonUpdate = true;
    DisableFirefoxStudies = true;
    DisableTelemetry = true;
    DisableFeedbackCommands = true;
    DisablePocket = true;
    DisableSetDesktopBackground = false;
    Extensions = {
      Install = [
        "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/sponsorblock/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/bypass-paywalls-clean/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"
        "https://addons.mozilla.org/firefox/downloads/latest/ether-metamask/latest.xpi"
      ];
      # remove many default search providers
      Uninstall = [
        "google@search.mozilla.org"
        "bing@search.mozilla.org"
        "amazondotcom@search.mozilla.org"
        "ebay@search.mozilla.org"
        "twitter@search.mozilla.org"
      ];
    };
    # XXX doesn't seem to have any effect...
    # docs: https://github.com/mozilla/policy-templates#homepage
    # Homepage = {
    #   HomepageURL = "https://uninsane.org/";
    #   StartPage = "homepage";
    # };
    # NewTabPage = true;
  };
 }
--- a/modules/universal/fs.nix
+++ b/modules/universal/fs.nix
@@ -1,33 +1,58 @@
 { pkgs, ... }:
-let sshOpts = {
+let sshOpts = rec {
  fsType = "fuse.sshfs";
-  options = [
+  optionsBase = [
    "x-systemd.automount"
    "_netdev"
    "user"
    "idmap=user"
    "transform_symlinks"
    "identityfile=/home/colin/.ssh/id_ed25519"
    "allow_other"
    "default_permissions"
  ];
  optionsColin = optionsBase ++ [
    "transform_symlinks"
    "idmap=user"
    "uid=1000"
    "gid=100"
  ];
  optionsRoot = optionsBase ++ [
    # we don't transform_symlinks because that breaks the validity of remote /nix stores
    "sftp_server=/run/wrappers/bin/sudo\\040${pkgs.openssh}/libexec/sftp-server"
  ];
 };
 in
 {
  fileSystems."/mnt/servo-media-wan" = {
    device = "colin@uninsane.org:/var/lib/uninsane/media";
-    inherit (sshOpts) fsType options;
+    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
  };
  fileSystems."/mnt/servo-media-lan" = {
    device = "colin@servo:/var/lib/uninsane/media";
-    inherit (sshOpts) fsType options;
+    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
  };
  fileSystems."/mnt/servo-root-wan" = {
    device = "colin@uninsane.org:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
  };
  fileSystems."/mnt/servo-root-lan" = {
    device = "colin@servo:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
  };
  fileSystems."/mnt/desko-home" = {
    device = "colin@desko:/home/colin";
-    inherit (sshOpts) fsType options;
+    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
  };
  fileSystems."/mnt/desko-root" = {
    device = "colin@desko:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
  };
  environment.systemPackages = [
--- a/modules/universal/home-manager.nix
+++ b/modules/universal/home-manager.nix
@@ -1,295 +0,0 @@
 # docs:
 #   https://rycee.gitlab.io/home-manager/
 #   https://rycee.gitlab.io/home-manager/options.html
 #   man home-configuration.nix
 #
 { home-manager, lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.colinsane.home-manager;
 in
 {
  imports = [
    home-manager.nixosModule
  ];
  options = {
    colinsane.home-manager.enable = mkOption {
      default = false;
      type = types.bool;
    };
    colinsane.home-manager.extraPackages = mkOption {
      default = [ ];
      type = types.listOf types.package;
    };
    colinsane.home-manager.windowManager = mkOption {
      default = {};
      type = types.attrs;
    };
    colinsane.home-manager.programs = mkOption {
      default = {};
      type = types.attrs;
    };
  };
  config = lib.mkIf cfg.enable {
    sops.secrets."aerc_accounts" = {
      owner = config.users.users.colin.name;
      sopsFile = ../../secrets/universal/aerc_accounts.conf;
      format = "binary";
    };
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
      home.stateVersion = "21.11";
      home.username = "colin";
      home.homeDirectory = "/home/colin";
      # XDG defines things like ~/Desktop, ~/Downloads, etc.
      # these clutter the home, so i mostly don't use them.
      xdg.userDirs = {
        enable = true;
        createDirectories = false;  # on headless systems, most xdg dirs are noise
        desktop = "$HOME/.xdg/Desktop";
        documents = "$HOME/dev";
        download = "$HOME/tmp";
        music = "$HOME/Music";
        pictures = "$HOME/Pictures";
        publicShare = "$HOME/.xdg/Public";
        templates = "$HOME/.xdg/Templates";
        videos = "$HOME/Videos";
      };
      # convenience
      home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
      home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
      xdg.configFile."aerc/accounts.conf".source =
        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
      programs = {
        home-manager.enable = true;  # this lets home-manager manage dot-files in user dirs, i think
        zsh = {
          enable = true;
          enableSyntaxHighlighting = true;
          enableVteIntegration = true;
          dotDir = ".config/zsh";
          initExtraBeforeCompInit = ''
            # p10k instant prompt
            # run p10k configure to configure, but it can't write out its file :-(
            POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
          '';
          # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
          # see: https://github.com/sorin-ionescu/prezto
          prezto = {
            enable = true;
            pmodules = [
              "environment"
              "terminal"
              "editor"
              "history"
              "directory"
              "spectrum"
              "utility"
              "completion"
              "prompt"
              "git"
            ];
            prompt = {
              theme = "powerlevel10k";
            };
          };
        };
        kitty.enable = true;
        git = {
          enable = true;
          userName = "colin";
          userEmail = "colin@uninsane.org";
        };
        vim = {
          enable = true;
          extraConfig = ''
            " wtf vim project: NOBODY LIKES MOUSE FOR VISUAL MODE
            set mouse-=a
            " copy/paste to system clipboard
            set clipboard=unnamedplus
            " <tab> completion menu settings
            set wildmenu
            set wildmode=longest,list,full
            " highlight all matching searches (using / and ?)
            set hlsearch
            " allow backspace to delete empty lines in insert mode
            set backspace=indent,eol,start
            " built-in syntax highlighting
            syntax enable
            " show line/col number in bottom right
            set ruler
            " highlight trailing space & related syntax errors (does this work?)
            let c_space_errors=1
            let python_space_errors=1
          '';
        };
        firefox = lib.mkIf (sysconfig.colinsane.gui.enable) {
          enable = true;
          profiles.default = {
            bookmarks = {
              fed_uninsane.url = "https://fed.uninsane.org/";
              delightful.url = "https://delightful.club/";
              crowdsupply.url = "https://www.crowdsupply.com/";
              linux_phone_apps.url = "https://linuxphoneapps.org/mobile-compatibility/5/";
              mempool.url = "https://jochen-hoenicke.de/queue";
            };
          };
          # firefox profile support seems to be broken :shrug:
          # profiles.other = {
          #   id = 2;
          # };
          # NB: these must be manually enabled in the Firefox settings on first start
          # extensions can be found here: https://gitlab.com/rycee/nur-expressions/-/blob/master/pkgs/firefox-addons/addons.json
          extensions = let
            addons = pkgs.nur.repos.rycee.firefox-addons;
          in [
            addons.bypass-paywalls-clean
            addons.metamask
            addons.i-dont-care-about-cookies
            addons.sidebery
            addons.sponsorblock
            addons.ublock-origin
          ];
        };
        # "command not found" will cause the command to be searched in nixpkgs
        nix-index.enable = true;
      } // cfg.programs;
      home.shellAliases = {
        ":q" = "exit";
        # common typos
        "cd.." = "cd ..";
        "cd../" = "cd ../";
      };
      wayland.windowManager = cfg.windowManager;
      # devtools:
      # bison
      # dtc
      # flex
      # gcc-arm-embedded
      # gcc_multi
      # swig
      home.packages = with pkgs; [
        backblaze-b2
        btrfs-progs
        cryptsetup
        dig
        duplicity
        efibootmgr
        fatresize
        fd
        file
        gnumake
        gptfdisk
        hdparm
        htop
        iftop
        ifuse
        inetutils  # for telnet
        iotop
        ipfs
        iptables
        jq
        killall
        libimobiledevice
        lm_sensors  # for sensors-detect
        lsof
        mix2nix
        netcat
        nethogs
        networkmanager
        nixpkgs-review
        # nixos-generators
        # nettools
        nmap
        oathToolkit  # for oathtool
        obsidian
        openssl
        parted
        pciutils
        # ponymix
        powertop
        pulsemixer
        python3
        ripgrep
        rmlint
        sane-scripts
        smartmontools
        snapper
        socat
        sops
        ssh-to-age
        sudo
        usbutils
        wget
        wireguard-tools
        youtube-dl
        zola
      ]
      ++ (if sysconfig.colinsane.gui.enable then
      with pkgs;
      [
        # GUI only
        aerc  # email client
        audacity
        chromium
        clinfo
        element-desktop  # broken on phosh
        evince  # works on phosh
        font-manager
        gimp  # broken on phosh
        gnome.dconf-editor
        gnome-feeds  # RSS reader (with claimed mobile support)
        gnome.file-roller
        gnome.gnome-maps  # works on phosh
        gnome.nautilus
        gnome-podcasts
        gnome.gnome-terminal  # works on phosh
        inkscape
        libreoffice-fresh  # XXX colin: maybe don't want this on mobile
        mesa-demos
        networkmanagerapplet
        playerctl
        tdesktop  # broken on phosh
        vlc  # works on phosh
        whalebird # pleroma client. input is broken on phosh
        xterm  # broken on phosh
      ] else [])
      ++ (if sysconfig.colinsane.gui.enable && pkgs.system == "x86_64-linux" then
      with pkgs;
      [
        # x86_64 only
        discord
        kaiteki  # Pleroma client
        gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
        signal-desktop
        spotify
      ] else [])
      ++ cfg.extraPackages;
    };
  };
 }
--- a/modules/universal/net.nix
+++ b/modules/universal/net.nix
@@ -0,0 +1,47 @@
 { config, ... }:
 {
  # if using router's DNS, these mappings will already exist.
  # if using a different DNS provider (which servo does), then we need to explicity provide them.
  # ugly hack. would be better to get servo to somehow use the router's DNS
  networking.hosts = {
    "192.168.0.5" = [ "servo" ];
    "192.168.0.20" = [ "lappy" ];
    "192.168.0.22" = [ "desko" ];
    "192.168.0.48" = [ "moby" ];
  };
  sops.secrets."nm-community-university" = {
    sopsFile = ../../secrets/universal/net/community-university.nmconnection.bin;
    format = "binary";
  };
  sops.secrets."nm-friend-libertarian-dod" = {
    sopsFile = ../../secrets/universal/net/friend-libertarian-dod.nmconnection.bin;
    format = "binary";
  };
  sops.secrets."nm-friend-rationalist-empathist" = {
    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.nmconnection.bin;
    format = "binary";
  };
  sops.secrets."nm-home-bedroom" = {
    sopsFile = ../../secrets/universal/net/home-bedroom.nmconnection.bin;
    format = "binary";
  };
  sops.secrets."nm-home-shared-24G" = {
    sopsFile = ../../secrets/universal/net/home-shared-24G.nmconnection.bin;
    format = "binary";
  };
  sops.secrets."nm-home-shared" = {
    sopsFile = ../../secrets/universal/net/home-shared.nmconnection.bin;
    format = "binary";
  };
  environment.etc = {
    "NetworkManager/system-connections/nm-community-university".source = config.sops.secrets.nm-community-university.path;
    "NetworkManager/system-connections/nm-friend-libertarian-dod".source = config.sops.secrets.nm-friend-libertarian-dod.path;
    "NetworkManager/system-connections/nm-friend-rationalist-empathist".source = config.sops.secrets.nm-friend-rationalist-empathist.path;
    "NetworkManager/system-connections/nm-home-bedroom".source = config.sops.secrets.nm-home-bedroom.path;
    "NetworkManager/system-connections/nm-home-shared-24G".source = config.sops.secrets.nm-home-shared-24G.path;
    "NetworkManager/system-connections/nm-home-shared".source = config.sops.secrets.nm-home-shared.path;
  };
 }
--- a/modules/universal/secrets.nix
+++ b/modules/universal/secrets.nix
@@ -29,7 +29,7 @@
  #   $ cat /run/secrets/example_key
  # sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
-  # This will add secrets.yml to the nix store
+  # This will add secrets.yaml to the nix store
  # You can avoid this by adding a string to the full path instead, i.e.
  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
  sops.defaultSopsFile = ./../../secrets/universal.yaml;
--- a/modules/universal/users.nix
+++ b/modules/universal/users.nix
@@ -1,52 +1,120 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 with lib;
 let
  cfg = config.sane.users;
  # see nixpkgs/nixos/modules/services/networking/dhcpcd.nix
  hasDHCP = config.networking.dhcpcd.enable &&
    (config.networking.useDHCP || any (i: i.useDHCP == true) (attrValues config.networking.interfaces));
 in
 {
-  # Users are exactly these specified here;
+  options = {
-  # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
+    sane.users.guest.enable = mkOption {
-  users.mutableUsers = false;
+      default = false;
-
+      type = types.bool;
-  # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
+    };
  users.users.colin = {
    # sets group to "users" (?)
    isNormalUser = true;
    home = "/home/colin";
    uid = 1000;
    # XXX colin: this is what the installer has, but is it necessary?
    # group = "users";
    extraGroups = [
      "wheel"
      "nixbuild"
      "networkmanager"
      # phosh/mobile. XXX colin: unsure if necessary
      "video"
      "feedbackd"
      "dialout" # required for modem access
    ];
    initialPassword = lib.mkDefault "";
    shell = pkgs.zsh;
    # shell = pkgs.bashInteractive;
    # XXX colin: create ssh key for THIS user by logging in and running:
    #   ssh-keygen -t ed25519
    openssh.authorizedKeys.keys = [
      # TODO: is this key dead?
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGSDe/y0e9PSeUwYlMPjzhW0UhNsGAGsW3lCG3apxrD5 colin@colin.desktop"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
      # TODO: should probably only let this authenticate to my server
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCLCA9KbjXaXNNMJJvqbPO5KQQ64JCdG8sg88AfdKzi colin@moby"
    ];
  };
-  security.sudo = {
+  config = {
-    enable = true;
+    # Users are exactly these specified here;
-    wheelNeedsPassword = false;
+    # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
-  };
+    users.mutableUsers = false;
-  services.openssh = {
+    # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
-    enable = true;
+    users.users.colin = {
-    permitRootLogin = "no";
+      # sets group to "users" (?)
-    passwordAuthentication = false;
+      isNormalUser = true;
      home = "/home/colin";
      uid = config.sane.allocations.colin-uid;
      # i don't get exactly what this is, but nixos defaults to this non-deterministically
      # in /var/lib/nixos/auto-subuid-map and i don't want that.
      subUidRanges = [
        { startUid=100000; count=1; }
      ];
      group = "users";
      extraGroups = [
        "wheel"
        "nixbuild"
        "networkmanager"
        # phosh/mobile. XXX colin: unsure if necessary
        "video"
        "feedbackd"
        "dialout" # required for modem access
      ];
      initialPassword = lib.mkDefault "";
      shell = pkgs.zsh;
      # shell = pkgs.bashInteractive;
      # XXX colin: create ssh key for THIS user by logging in and running:
      #   ssh-keygen -t ed25519
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
        # moby doesn't need to login to any other devices yet
        # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
      ];
    };
    sane.impermanence.service-dirs = mkIf cfg.guest.enable [
      { user = "guest"; group = "users"; directory = "/home/guest"; }
    ];
    users.users.guest = mkIf cfg.guest.enable {
      isNormalUser = true;
      home = "/home/guest";
      uid = config.sane.allocations.guest-uid;
      subUidRanges = [
        { startUid=200000; count=1; }
      ];
      group = "users";
      initialPassword = lib.mkDefault "";
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [
        # TODO: insert pubkeys that should be allowed in
      ];
    };
    users.users.dhcpcd = mkIf hasDHCP {
      uid = config.sane.allocations.dhcpcd-uid;
    };
    users.groups.dhcpcd = mkIf hasDHCP {
      gid = config.sane.allocations.dhcpcd-gid;
    };
    security.sudo = {
      enable = true;
      wheelNeedsPassword = false;
    };
    services.openssh = {
      enable = true;
      permitRootLogin = "no";
      passwordAuthentication = false;
    };
    # affix some UIDs which were historically auto-generated
    users.users.sshd.uid = config.sane.allocations.sshd-uid;
    users.groups.polkituser.gid = config.sane.allocations.polkituser-gid;
    users.groups.sshd.gid = config.sane.allocations.sshd-gid;
    users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
    users.users.nscd.uid = config.sane.allocations.nscd-uid;
    users.groups.nscd.gid = config.sane.allocations.nscd-gid;
    # guarantee determinism in uid/gid generation for users:
    assertions = let
      uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
        assertion = user.uid != null;
        message = "non-deterministic uid detected for: ${name}";
      }) config.users.users);
      gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
        assertion = group.gid != null;
        message = "non-deterministic gid detected for: ${name}";
      }) config.users.groups);
      autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
        assertion = !user.autoSubUidGidRange;
        message = "non-deterministic subUids/Guids detected for: ${name}";
      }) config.users.users);
    in uidAssertions ++ gidAssertions ++ autoSubAssertions;
  };
 }
--- a/modules/universal/vpn.nix
+++ b/modules/universal/vpn.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 {
-  networking.wg-quick.interfaces.ovpnd = {
+  networking.wg-quick.interfaces.ovpnd-us = {
    address = [
      "172.27.237.218/32"
      "fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
@@ -20,12 +20,39 @@
        publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
      }
    ];
-    privateKeyFile = config.sops.secrets.wg_ovpnd_privkey.path;
+    privateKeyFile = config.sops.secrets.wg_ovpnd_us_privkey.path;
-    # to start: `systemctl start wg-quick-ovpnd`
+    # to start: `systemctl start wg-quick-ovpnd-us`
    autostart = false;
  };
-  sops.secrets."wg_ovpnd_privkey" = {
+  networking.wg-quick.interfaces.ovpnd-ukr = {
    address = [
      "172.18.180.159/32"
      "fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
    ];
    dns = [
      "46.227.67.134"
      "192.165.9.158"
    ];
    peers = [
      {
        allowedIPs = [
          "0.0.0.0/0"
          "::/0"
        ];
        endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
        publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
      }
    ];
    privateKeyFile = config.sops.secrets.wg_ovpnd_ukr_privkey.path;
    # to start: `systemctl start wg-quick-ovpnd-ukr`
    autostart = false;
  };
  sops.secrets."wg_ovpnd_us_privkey" = {
    sopsFile = ../../secrets/universal.yaml;
  };
  sops.secrets."wg_ovpnd_ukr_privkey" = {
    sopsFile = ../../secrets/universal.yaml;
  };
 }
--- a/nixpatches/10-flutter-arm64.patch
+++ b/nixpatches/10-flutter-arm64.patch
@@ -0,0 +1,40 @@
 diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
 index 565c44f72e9..f20a3d4e9be 100644
 --- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
 +++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
@@ -4,13 +4,19 @@
 , olm
 , imagemagick
 , makeDesktopItem
 +, stdenv
 }:
 +let vendorHashes = {
 +  x86_64-linux = "sha256-PSZK5frmQGeiTuEJNZ6Fh8NXSLIrLnoOzQk1Xa4jqHw=";
 +  aarch64-linux = "sha256-tU83EeFwakTNkEaLo90ZJV55CnmN+NcicHgBJ0u/RKM=";
 +};
 +in
 flutter.mkFlutterApp rec {
   pname = "fluffychat";
   version = "1.6.1";
 -  vendorHash = "sha256-SelMRETFYZgTStV90gRoKhazu1NPbcSMO9mYebSQskQ=";
 +  vendorHash = vendorHashes."${stdenv.hostPlatform.system}" or (throw "unsupported system: ${stdenv.hostPlatform.system}");
   src = fetchFromGitLab {
     owner = "famedly";
 diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
 index 9eba6773448..e9d352169b2 100644
 --- a/pkgs/development/compilers/flutter/default.nix
 +++ b/pkgs/development/compilers/flutter/default.nix
@@ -19,6 +19,10 @@ let
         url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
         sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
       };
 +      "${dartVersion}-aarch64-linux" = fetchurl {
 +        url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-arm64-release.zip";
 +        sha256 = "sha256-BIK6kUx+m+/GfR/wBXv8rjVNbP6w1HFvH/RGIwiaJog=";
 +      };
     };
   };
 in {
--- a/nixpatches/list.nix
+++ b/nixpatches/list.nix
@@ -1,19 +1,29 @@
 fetchpatch: [
  # phosh: allow fractional scaling
  (fetchpatch {
    url = "https://github.com/NixOS/nixpkgs/pull/175872.diff";
    sha256 = "sha256-mEmqhe8DqlyCxkFWQKQZu+2duz69nOkTANh9TcjEOdY=";
  })
  # for raspberry pi: allow building u-boot for rpi 4{,00}
  # TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
  #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
  ./02-rpi4-uboot.patch
-  # alternative to https://github.com/NixOS/nixpkgs/pull/173200
+
  ./04-dart-2.7.0.patch
  # whalebird: suuport aarch64
  (fetchpatch {
-    url = "https://github.com/NixOS/nixpkgs/pull/176476.diff";
+    url = "https://github.com/NixOS/nixpkgs/pull/186839.diff";
-    sha256 = "sha256-126DljM06hqPZ3fjLZ3LBZR64nFbeTfzSazEu72d4y8=";
+    sha256 = "sha256-NdIfie+eTy4V1vgqiiRPtWdnxZ5ZHsvCMfkEDUv9SC8=";
  })
  # # # Flutter: 3.0.4->3.3.2, flutter.dart: 2.17.5->2.18.1
  # # (fetchpatch {
  # #   url = "https://github.com/NixOS/nixpkgs/pull/189338.diff";
  # #   sha256 = "sha256-MppSk1D3qQT8Z4lzEZ93UexoidT8yqM7ASPec4VvxCI=";
  # # })
  # enable aarch64 support for flutter's dart package
  ./10-flutter-arm64.patch
  # TODO: upstream
  ./07-duplicity-rich-url.patch
  # navidrome: adhoc hack to fix the build
  (fetchpatch {
    url = "https://github.com/NixOS/nixpkgs/pull/191467.diff";
    sha256 = "sha256-Np0J06RER/0GGUhL/PDuVjpYYIPzB9A3EPWwTWpS/D4=";
  })
 ]
--- a/pkgs/alsa-ucm-conf/default.nix
+++ b/pkgs/alsa-ucm-conf/default.nix
@@ -0,0 +1,13 @@
 { pkgs }:
 (pkgs.alsa-ucm-conf.overrideAttrs (upstream: {
  patches = (upstream.patches or []) ++ [
    (pkgs.fetchpatch {
      # "Add UCM for PinePhone"
      # we need this for audio to work on the Pinephone
      url = "https://github.com/alsa-project/alsa-ucm-conf/pull/134.diff";
      sha256 = "sha256-hFpp8jQo8fQRqKrSnBEi5eh1Zf/x+1o+p40ML5iuWJM=";
    })
  ];
 }))
--- a/pkgs/firefox-unwrapped/allow-searchengines-non-esr.patch
+++ b/pkgs/firefox-unwrapped/allow-searchengines-non-esr.patch
@@ -0,0 +1,13 @@
 diff --git a/browser/components/enterprisepolicies/schemas/policies-schema.json b/browser/components/enterprisepolicies/schemas/policies-schema.json
 index d436cf1ca1..ecd6e53b9e 100644
 --- a/browser/components/enterprisepolicies/schemas/policies-schema.json
 +++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
@@ -1074,7 +1074,7 @@
     },
     "SearchEngines": {
 -      "enterprise_only": true,
 +      "enterprise_only": false,
       "type": "object",
       "properties": {
--- a/pkgs/firefox-unwrapped/default.nix
+++ b/pkgs/firefox-unwrapped/default.nix
@@ -0,0 +1,10 @@
 { pkgs }:
 (pkgs.firefox-unwrapped.overrideAttrs (upstream: {
  # NB: firefox takes about 1hr to build on my 24-thread ryzen desktop
  patches = (upstream.patches or []) ++ [
    # see https://gitlab.com/librewolf-community/browser/source/-/blob/main/patches/sed-patches/allow-searchengines-non-esr.patch
    ./allow-searchengines-non-esr.patch
  ];
 }))
--- a/pkgs/fluffychat-moby/default.nix
+++ b/pkgs/fluffychat-moby/default.nix
@@ -0,0 +1,20 @@
 { pkgs }:
 (pkgs.symlinkJoin {
  name = "fluffychat-moby";
  paths = [ pkgs.fluffychat ];
  buildInputs = [ pkgs.makeWrapper ];
  # ordinary fluffychat on moby displays blank window;
  # > Failed to start Flutter renderer: Unable to create a GL context
  # this is temporarily solved by using software renderer
  # - see https://github.com/flutter/flutter/issues/106941
  postBuild = ''
    wrapProgram $out/bin/fluffychat \
      --set LIBGL_ALWAYS_SOFTWARE 1
    # fix up the .desktop file to invoke our wrapped fluffychat
    orig_desktop=$(readlink $out/share/applications/Fluffychat.desktop)
    unlink $out/share/applications/Fluffychat.desktop
    sed "s:Exec=.*:Exec=$out/bin/fluffychat:" $orig_desktop > $out/share/applications/Fluffychat.desktop
  '';
 })
--- a/pkgs/gpodder-configured/default.nix
+++ b/pkgs/gpodder-configured/default.nix
@@ -0,0 +1,24 @@
 { pkgs
 , writeShellScript
 , config
 }:
 (pkgs.symlinkJoin {
  name = "gpodder-configured";
  paths = [ pkgs.gpodder ];
  buildInputs = [ pkgs.makeWrapper ];
  # gpodder keeps all its feeds in a sqlite3 database.
  # we can configure the feeds externally by wrapping gpodder and just instructing it to import
  # a feedlist every time we run it.
  # repeat imports are deduplicated -- assuming network access (not sure how it behaves when disconnected).
  postBuild = ''
    makeWrapper $out/bin/gpodder $out/bin/gpodder-configured \
      --run "$out/bin/gpo import ~/.config/gpodderFeeds.opml"
    # fix up the .desktop file to invoke our wrapped application
    orig_desktop=$(readlink $out/share/applications/gpodder.desktop)
    unlink $out/share/applications/gpodder.desktop
    sed "s:Exec=.*:Exec=$out/bin/gpodder-configured:" $orig_desktop > $out/share/applications/gpodder.desktop
  '';
 })
--- a/pkgs/jackett/default.nix
+++ b/pkgs/jackett/default.nix
@@ -1,6 +1,8 @@
 { pkgs }:
 (pkgs.jackett.overrideAttrs (upstream: {
  # 2022-07-29: check phase segfaults on arm (with or without my patches)
  doCheck = false;
  patches = (upstream.patches or []) ++ [
    # bind to an IP address which is usable behind a netns
    ./01-fix-bind-host.patch
--- a/pkgs/linux-megous/default.nix
+++ b/pkgs/linux-megous/default.nix
@@ -0,0 +1,21 @@
 { lib, buildPackages, fetchFromGitHub, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 with lib;
 buildLinux (args // rec {
  version = "6.0.0-rc4";
  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) + "-rc4" else modDirVersionArg;
  # branchVersion needs to be x.y
  extraMeta.branch = versions.majorMinor version;
  src = fetchFromGitHub {
    owner = "megous";
    repo = "linux";
    # branch: orange-pi-6.0
    rev = "6ada3caab0b37968f1257b3ea75e5b0466a77162";
    sha256 = "sha256-jIhOE0ZMuoJm7NqAEJ4OTNLHN/h8i4cOphcw3le7RSw=";
  };
 } // (args.argsOverride or { }))
--- a/pkgs/nabla/default.nix
+++ b/pkgs/nabla/default.nix
@@ -0,0 +1,14 @@
 { pkgs, fetchFromGitHub, ... }:
 # buildVimPluginFrom2Nix {
 pkgs.vimUtils.buildVimPlugin {
  pname = "nabla";
  version = "2022-08-17";
  src = fetchFromGitHub {
    owner = "jbyuki";
    repo = "nabla.nvim";
    rev = "5379635d71b9877eaa4df822e8a2a5c575d808b0";
    sha256 = "sha256-1VabgTnOSsfdhmHnfXl/h9djgNV3Gqro5VOr8ZbUlWw=";
  };
  meta.homepage = "https://github.com/jbyuki/nabla.nvim/";
 }
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -12,12 +12,24 @@
    # not sure why i can't just do pkgs = next here
    pkgs = prev // { inherit ubootRaspberryPi4_64bit; };
  };
  rtl8723cs-firmware = prev.callPackage ./rtl8723cs-firmware { };
  linux-megous = prev.callPackage ./linux-megous {
    kernelPatches = [
      prev.kernelPatches.bridge_stp_helper
      prev.kernelPatches.request_key_helper
    ];
  };
  #### customized packages
  alsa-ucm-conf = prev.callPackage ./alsa-ucm-conf { pkgs = prev; };
  fluffychat-moby = prev.callPackage ./fluffychat-moby { pkgs = prev; };
  gpodder-configured = prev.callPackage ./gpodder-configured { pkgs = prev; };
  # nixos-unstable pleroma is too far out-of-date for our db
  pleroma = prev.callPackage ./pleroma { };
  # jackett doesn't allow customization of the bind address: this will probably always be here.
  jackett = prev.callPackage ./jackett { pkgs = prev; };
  # mozilla keeps nerfing itself and removing configuration options
  firefox-unwrapped = prev.callPackage ./firefox-unwrapped { pkgs = prev; };
  # fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
  # systemd = import ./pkgs/systemd { pkgs = prev; };
@@ -26,5 +38,6 @@
  #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
  kaiteki = prev.callPackage ./kaiteki { };
  nabla = prev.callPackage ./nabla { };
 })
--- a/pkgs/pleroma/default.nix
+++ b/pkgs/pleroma/default.nix
@@ -49,6 +49,8 @@ beamPackages.mixRelease rec {
    done
  '' else "";
  stripDebug = false;
  mixNixDeps = import ./mix.nix {
    inherit beamPackages lib;
    overrides = (final: prev: {
--- a/pkgs/rtl8723cs-firmware/default.nix
+++ b/pkgs/rtl8723cs-firmware/default.nix
@@ -0,0 +1,36 @@
 { lib, stdenv, fetchFromGitHub }:
 with lib;
 stdenv.mkDerivation {
  pname = "rtl8723cs-firmware";
  version = "2020-07-05";
  src = fetchFromGitHub {
    owner = "anarsoul";
    repo = "rtl8723bt-firmware";
    rev = "8840b1052b4ee426f348cb35e4994c5cafc5fbbd";
    sha256 = "sha256-z6OZNDvGbU1g+U9aL/Pq6fB3l7Fxwq6EHSeHgrkqt78=";
  };
  dontBuild = true;
  installPhase = ''
    mkdir -p "$out/lib/firmware"
    cp -R rtl_bt "$out/lib/firmware"
  '';
  meta = with lib; {
    description = "Firmware for rtl8723bs and rtl8723cs";
    # there are many sources for this, none of them authoritative.
    # the original binaries likely come from some Realtek SDK, hardcoded into a C array
    # if consistent with other drivers, but Realtek does not list this model in their
    # downloads page.
    # other sources:
    # - <https://megous.com/git/linux-firmware>
    # - <https://github.com/armbian/firmware>
    homepage = "https://github.com/anarsoul/rtl8723bt-firmware";
    license = licenses.unfreeRedistributableFirmware;
    maintainers = with maintainers; [ colinsane ];
    platforms = with platforms; linux;
  };
 }
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -1,19 +1,73 @@
 { lib
 , pkgs
-, stdenv
+, resholve
 }:
-stdenv.mkDerivation {
+# resholve documentation:
-  name = "sane-scripts";
+# - nix: https://github.com/nixos/nixpkgs/blob/master/pkgs/development/misc/resholve/README.md
 # - generic: https://github.com/abathur/resholve
 resholve.mkDerivation {
  pname = "sane-scripts";
  version = "0.1.0";
  src = ./src;
-  # See: https://nixos.org/nixpkgs/manual/#ssec-stdenv-dependencies
+  solutions = {
-  buildInputs = [ pkgs.rsync ];
+    default = {
      # note: `scripts` refers to the store path here
      scripts = [ "bin/*" ];
      interpreter = "${pkgs.bash}/bin/bash";
      inputs = with pkgs; [
        coreutils
        curl
        file
        findutils
        gnugrep
        ifuse
        inotifyTools
        ncurses
        oath-toolkit
        openssh
        rmlint
        rsync
        ssh-to-age
        sops
        sudo
        which
      ];
      keep = {
        # we write here: keep it
        "/tmp/rmlint.sh" = true;
        # intentionally escapes (into user code)
        "$external_cmd" = true;
      };
      fake = {
        external = [
          # https://github.com/abathur/resholve/issues/29
          "umount"
          "sudo"
          # this is actually internal; probably a better fix
          "sane-mount-servo"
        ];
      };
      # list of programs which *can* or *cannot* exec their arguments
      execer = [
        "cannot:${pkgs.ifuse}/bin/ifuse"
        "cannot:${pkgs.oath-toolkit}/bin/oathtool"
        "cannot:${pkgs.openssh}/bin/ssh-keygen"
        "cannot:${pkgs.rmlint}/bin/rmlint"
        "cannot:${pkgs.rsync}/bin/rsync"
        "cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
        "cannot:${pkgs.sops}/bin/sops"
      ];
    };
  };
  installPhase = ''
-    mkdir -p "$out"
+    mkdir -p "$out/bin"
-    cp -R * "$out"/
+    cp -R * "$out"/bin/
  '';
  meta = {
--- a/pkgs/sane-scripts/src/bin/sane-vpn-down
+++ b/pkgs/sane-scripts/src/bin/sane-vpn-down
@@ -1,4 +0,0 @@
 #!/usr/bin/env bash
 echo vpn: $(curl https://ipinfo.io/ip)
 sudo systemctl stop wg-quick-ovpnd
 echo plain:   $(curl https://ipinfo.io/ip)
--- a/pkgs/sane-scripts/src/bin/sane-vpn-up
+++ b/pkgs/sane-scripts/src/bin/sane-vpn-up
@@ -1,4 +0,0 @@
 #!/usr/bin/env bash
 echo plain: $(curl https://ipinfo.io/ip)
 sudo systemctl start wg-quick-ovpnd
 echo vpn:   $(curl https://ipinfo.io/ip)
--- a/pkgs/sane-scripts/src/sane-dev-cargo-loop
+++ b/pkgs/sane-scripts/src/sane-dev-cargo-loop
@@ -0,0 +1,30 @@
 #!/usr/bin/env bash
 # watches PWD for any changes underneath it and re-runs `cargo build --a>
 # optionally, provide your own build command as the first argument
 external_cmd="cargo build --all"
 if [ "x$1" != "x" ]
 then
        external_cmd=$1
 fi
 # run this once before starting the inotify
 $external_cmd
 # other interesting commands to monitor:
 # - -e move
 # - -e create
 # - -e delete
 # - -e close_write
 # but most (except close_write) seem to cause multiple events per vim :w
 # TODO: consider using watchman: https://facebook.github.io/watchman/
 # - watchman waits for the root to settle before invoking my command
 #   so, fewer runs
 inotifywait --monitor --recursive \
  --timefmt '%d/%m/%y %H:%M' --format '%T %w %f' \
  -e modify ./ |
 while read -r date time dir file
 do
        tput reset
        $external_cmd
 done
--- a/pkgs/sane-scripts/src/bin/sane-mount-servo
+++ b/pkgs/sane-scripts/src/bin/sane-mount-servo
--- a/pkgs/sane-scripts/src/sane-mount-servo-root
+++ b/pkgs/sane-scripts/src/sane-mount-servo-root
@@ -0,0 +1,18 @@
 #!/usr/bin/env bash
 set -ex
 mnt=/mnt/servo-root-wan
 # if lan not mounted, then try to mount it
 if ! (test -d /mnt/servo-root-lan/nix)
 then
  sudo mount /mnt/servo-root-lan && mnt=/mnt/servo-root-lan
 fi
 # if the needed mount isn't mounted, mount it
 if ! (test -d $mnt/nix)
 then
  sudo mount $mnt
 fi
 # symlink the fastest mount point into place
 sudo ln -sf $mnt /mnt/servo-root
--- a/pkgs/sane-scripts/src/bin/sane-reclaim-disk-space
+++ b/pkgs/sane-scripts/src/bin/sane-reclaim-disk-space
@@ -3,12 +3,13 @@ set -ex
 # script to reclaim some hard drive space
 sudo nix-collect-garbage
 # identify duplicate files in the nix store
-rmlint --types="duplicates" --config=sh:handler=clone --output=sh:/tmp/rmlint.sh --progress /nix/store
+rmlint --types="duplicates" --config=sh:handler=clone --output=sh:/tmp/rmlint.sh --output=json:/dev/null --progress /nix/store
 # link the dupes together (uses ioctl_fideduperange)
 #   see: https://btrfs.wiki.kernel.org/index.php/Deduplication
 #   see: https://rmlint.readthedocs.io/en/latest/tutorial.html
 sudo mount -o remount,rw /nix/store
-/tmp/rmlint.sh -d || true  # on failure, we still want to remount ro
+# XXX: does rmlint really need to be invoked as root?
 sudo /tmp/rmlint.sh -d || true  # on failure, we still want to remount ro
 # XXX this doesn't work: 'mount point is busy.'
 sudo mount -o remount,ro /nix/store
--- a/pkgs/sane-scripts/src/bin/sane-secrets-dump
+++ b/pkgs/sane-scripts/src/bin/sane-secrets-dump
--- a/pkgs/sane-scripts/src/bin/sane-secrets-unlock
+++ b/pkgs/sane-scripts/src/bin/sane-secrets-unlock
--- a/pkgs/sane-scripts/src/bin/sane-secrets-update-keys
+++ b/pkgs/sane-scripts/src/bin/sane-secrets-update-keys
--- a/pkgs/sane-scripts/src/bin/sane-stop-all-servo
+++ b/pkgs/sane-scripts/src/bin/sane-stop-all-servo
--- a/pkgs/sane-scripts/src/bin/sane-sync-from-iphone
+++ b/pkgs/sane-scripts/src/bin/sane-sync-from-iphone
--- a/pkgs/sane-scripts/src/bin/sane-sync-from-servo
+++ b/pkgs/sane-scripts/src/bin/sane-sync-from-servo
--- a/pkgs/sane-scripts/src/bin/sane-test
+++ b/pkgs/sane-scripts/src/bin/sane-test
--- a/pkgs/sane-scripts/src/sane-vpn-down
+++ b/pkgs/sane-scripts/src/sane-vpn-down
@@ -0,0 +1,16 @@
 #!/usr/bin/env bash
 # first arg should be the region, e.g. `us` or `ukr`
 case $1 in
 ukr)
  iface=wg-quick-ovpnd-ukr;;
 us)
  iface=wg-quick-ovpnd-us;;
 *)
  echo "invalid vpn name '$1'"; exit 1;;
 esac
 echo vpn: $(curl https://ipinfo.io/ip)
 sudo systemctl stop $iface
 echo plain:   $(curl https://ipinfo.io/ip)
--- a/pkgs/sane-scripts/src/sane-vpn-up
+++ b/pkgs/sane-scripts/src/sane-vpn-up
@@ -0,0 +1,16 @@
 #!/usr/bin/env bash
 # first arg should be the region, e.g. `us` or `ukr`
 case $1 in
 ukr)
  iface=wg-quick-ovpnd-ukr;;
 us)
  iface=wg-quick-ovpnd-us;;
 *)
  echo "invalid vpn name '$1'"; exit 1;;
 esac
 echo plain: $(curl https://ipinfo.io/ip)
 sudo systemctl start $iface
 echo vpn:   $(curl https://ipinfo.io/ip)
--- a/pkgs/sane-scripts/src/sane-which
+++ b/pkgs/sane-scripts/src/sane-which
@@ -0,0 +1,24 @@
 #!/usr/bin/env bash
 # traces a PATH lookup by printing the source, resolution, and any symlinks traversed
 # finally, prints the content of the file
 echo $1
 v=$(which $1)
 # this probably doesn't handle paths with spaces
 while [ "$(readlink $v || echo $v)" != "$v" ]
 do
  # TODO: this doesn't handle relative symlinks
  echo '->' "$v"
  v=$(readlink "$v")
 done
 echo '->' "$v"
 echo ''
 case $(file --brief --mime "$v") in
  (*text*)
    cat "$v"
    ;;
  (*)
    echo $(file "$v")
    ;;
 esac
--- a/pkgs/zecwallet-lite/default.nix
+++ b/pkgs/zecwallet-lite/default.nix
@@ -0,0 +1,30 @@
 { lib, fetchurl, appimageTools }:
 appimageTools.wrapType2 rec {
  pname = "zecwallet-lite";
  version = "1.7.13";
  src = fetchurl {
    url = "https://github.com/adityapk00/zecwallet-lite/releases/download/v${version}/Zecwallet.Lite-${version}.AppImage";
    hash = "sha256-uBiLGHBgm0vurfvOJjJ+RqVoGnVccEHTFO2T7LDqUzU=";
  };
  extraInstallCommands =
    let contents = appimageTools.extract { inherit pname version src; };
    in ''
      mv $out/bin/${pname}-${version} $out/bin/${pname}
      install -m 444 -D ${contents}/${pname}.desktop -t $out/share/applications
      substituteInPlace $out/share/applications/${pname}.desktop \
        --replace 'Exec=AppRun' 'Exec=${pname}'
      cp -r ${contents}/usr/share/icons $out/share
    '';
  meta = with lib; {
    description = "A fully featured shielded wallet for Zcash";
    homepage = "https://www.zecwallet.co/";
    license = licenses.mit;
    maintainers = with maintainers; [ colinsane ];
    platforms = [ "x86_64-linux" ];
  };
 }
--- a/readme.md
+++ b/readme.md
@@ -9,7 +9,7 @@ nix flake show
 ```
-# secrets
+## secrets
 i use [sops](https://github.com/Mic92/sops-nix) for secrets.
 see `modules/universal/secrets.nix` for some tips.
@@ -24,3 +24,10 @@ this can then be `dd`'d onto a disk and directly booted from a EFI system.
 there's some post-processing to do before running a rebuild on the deployed system (deploying ssh keys, optionally changing fs UUIDs, etc).
 refer to flake.nix for more details.
 ## building packages
 to build one of the custom sane packages, just name it:
 ```
 nix build ./#fluffychat-moby
 ```
--- a/secrets/desko.yaml
+++ b/secrets/desko.yaml
@@ -1,4 +1,6 @@
 duplicity_passphrase: ENC[AES256_GCM,data:rzUfcxe5YPloOrqgVwdCjsccexWc5RvmFf1i3Xs459iVTfWHlVJeT/IqReY6ZqdAkPJteTtrUZzak2GXyRUkE13+W0kE8isnDjPX/YDQwoK2sa+dwc4xGTekboc0gf6HH3vQpF1aiJDBfb3GtGyDVLH9MVIRPJGXSztZBduUDezA2wAx2wI=,iv:EHJg8kE/07v+ySSFDtW4FA4y1y/+fcGxfNCWoainwBI=,tag:S3ecM4DbDl8jqXLRKipZmQ==,type:str]
 #ENC[AES256_GCM,data:yU9cr6MXjS4m69BeIUjUw477wt4c1djYof3Qlfr4Dytv8hWqCuqThDwQTMY5jfHdv5ipS0aEjf7GWu2M2t9W88fYdxnTN2m8IfYZp76YcjxO4fup5BXiLGIjnm+qI0g=,iv:nPo8FyGiyLRQozE4kZ6Rei6CObvbVynOs3jdMvdkpZw=,tag:+4esxPiewSsjwao6ZhAMxA==,type:comment]
 nix_serve_privkey: ENC[AES256_GCM,data:/Ph9J00cV7PcfpJw/NWcBpkQR+a0SQyHv1jmF4CkH+Uj8l+cRcXWynAc2APenMSfHdighXMqjsXuwRbGo0S57YuMXQjFbI8jhbXEhhAWlmET1q7uRaaZRSgq34qABw==,iv:LLYgLauPsD+3mx1GTjEUkiXgdWsnqixCJl4UfSdS5Ac=,tag:S7V6GKezS/JsbZVfq9DjjA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -32,8 +34,8 @@ sops:
            Si9kT0ZMUnJJWlhUZ3FFakZFaDlPdEEKXtWfh6wdGPin1h/UUs21cdspddpW1YDq
            rCKS2DI2KWdgciih9FnmWGAwGUhB3uhimUr6hgho4z+dZfLrpoP1PA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-10T08:41:13Z"
+    lastmodified: "2022-09-14T21:34:55Z"
-    mac: ENC[AES256_GCM,data:51N4a+P+eXVAdPFAI3h4TFKsR6IOGBnyusW4k7ZrMOleH1l4C3khYaUmCoE1nnLlmD2q+kmtdGdU6FWyB7BYiSytjqvQa0WumEhf5PpOtj5k+55c1sljvtK58BxQd7N5Th+R4VmlqZ7LXviwzIb8OkoiCf0yC+jxZRi/2MQiKC4=,iv:Jjrrnp7isbmEP9vAYZ+lVRit2RNbrq2unXzuZD8C/2Q=,tag:HvKUFKdhE3O75o8hX+hIsA==,type:str]
+    mac: ENC[AES256_GCM,data:Zex69KG2a2Rxyodyci40azr9qGbA5XwH4Qhip0BDbrJymHjZzqCeRDKjdHjAWXPdPyglvUY0kADfm7xxlE1zU84oOahI9FldADtQrGUWS0elU+a3F93LVNGlhlKc+g8JGzUyBvPr6Toi52L2hI18K5bmWFPesczWedL07r85s9M=,iv:W+SMAX0HY5GbAqqgXWbSxm4wbzXZt5PEsLhwWcxkRWY=,tag:VPnw2X+6i0EyiFB3rkon8Q==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/universal.yaml
+++ b/secrets/universal.yaml
@@ -1,4 +1,5 @@
-wg_ovpnd_privkey: ENC[AES256_GCM,data:qmyCOcD5TA7SKqSDCTZOTahkfYVZMJUGuyselmQbqj1uer3e4cBRSMuIiRI=,iv:jnHvGgVu/8HWT8MkI2wtGqlCs6wTu0C8huHpkdDmBYk=,tag:a0r0f/6LTBUuhvLGu+SFug==,type:str]
+wg_ovpnd_us_privkey: ENC[AES256_GCM,data:5YkQ4r7HNWiRr/5pa1XfexxtJAz6kDjX+hNiZcheUWCXVIuK0/AuyzcdQ/0=,iv:vr1UHSlsWFnTwEfZj3pBLxvaibQxhSum3SL0Uaqtceo=,tag:dN2U+TkQAgJejgDDYIWdOA==,type:str]
 wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLMly/l7MlJe6MEmd5Lv+JT8=,iv:Mov9eUP8WfvzfZ6NljgLolJ49GSqR7eSV+k0dgE1+1I=,tag:O9UtGX2qt+qEvabcsA0vIA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -8,77 +9,77 @@ sops:
        - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMUNtRnRkSXhlK0tOM0x2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUWc2dnNnWDVVZCtlNUJ6
-            Qlc4cFdFc3FvVERDWXF2ajkzZlhOcGlMclhvCndWL0FYY0plMFllcVJkeHh0UXpa
+            d3JCYU9CZ0prMEVUM3piWENIdVl6WEIzQVJZCjZaeUNoU2ZiZGR4YWpQMlQ3am5W
-            eGtYZ0VLK0ZRVHZhWFNqSmVTdnpScW8KLS0tIHZkOGIwSEVVQStrSmowM3JlSzdo
+            OFdBVjZiaUpjeG43ZGRoUjBHOFlRNDQKLS0tIHVaMXVnZ3VodHBpb1M0V0wxeXRD
-            WElESWFBZ3U2UEFSdGVpSzZFcFJIZjQKXsem6B+/so57tcfM8itjmisnaMeWI39w
+            TklUbXp3RE50ZnlEQ08wVVlHWHJGc0kKMEG/wxRp4WoQfRqUQFu0vQzKkVObWk6s
-            kL53mQMod2eu01XnDdMtLqNTTJM1dw6Sn0ggEUoTYXyUDvEkLjaTzA==
+            UuJzzD53Hvi2rtLY8oquYLL66dDqS02+DnSxwsiYRGxo6jXHmomTgQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSUXdGcC8vb3hiWm0rTFVF
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaFBMbTg0dUVVc0NLcjVN
-            cTR3QlRMZEhoV3FkYy83eDY3WldZQmJyMUNBCjJvTHpqL1loWUdrQUd6TDlUQmZU
+            R1o5T3NQQXNXNVZ3ZGhEZjVnSWlWbTNocUJZCll6UkcxRjVSSkVuSjNMd0lSUlFO
-            MmhlUmE0WjUzK1ZaNzJzUE5DK3FVZlEKLS0tIHRFQ0RIWmovSVdWRWF1cEQxQXkx
+            WGcvaHhRenNwVzN6MmtxWXJGR1g3dDAKLS0tIEZ0b2wzRW50ZGJiVUdXT2xnMTJt
-            TVBoZXhVV2IxVVNRNDY4S1cwNjZlU3cK783VjOQA2vOHDLMa9gfgKBv9rXr28XEA
+            dW1OK3ZoR3NjM1NObmZieGpCdnVvWGMKFOSOMKler0bl30njGwuInTYWwaTL7iW1
-            +0uIeCZMkxpBWsRCt+enFKOHzuqYwYR/bpaaUH85okCTmrPRjPJmyQ==
+            U0KYCklGRCG+rLiBFbzjnde4iOvtwnJQQymnzv68W7OzXN6VxZN0SA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UGR4Zi9ydlEwS2I1TjFt
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOFMwa0lpVlRXMzMwcDBP
-            d2I1cURUemxZTGJ3VE9ZemMyT2RwbVliSWhFCk1XVXp3V1REMTlNWW45ZUg3c2N6
+            MG1YQnF1TXZTaTRYTW5nZUJ5YmlzZHBMK0ZRCm9GMmNRRmF0OWVBbTRwQ2VLQ1o5
-            WDkrczZsb3ZGMW5XeW8zWHdtNnl4ajQKLS0tIE8zdm05RXNmWGJsZGVxRXl2bmI3
+            T2QvMUlNQkx4V1lPY3VGekhKQWNyd2sKLS0tIDdxcHk3NUhPck14aGEzTGJJNzdw
-            OEZxTTh0UE9QRXhwYTAyejZWNlFiVG8KYVwqMlwGkOaKh/6ISi+FOz9Tn5eeZR0t
+            TjJtRXVQdUlHb1IwaHUzYmR1MndkY1kKSDpEwnjNwLA8EU1jB1lC6Fe4/sK7+Dj4
-            XGU5OoYuJg7OEgxLYkuXxro0eGYrgAQQVIGPP4W8eOHeQDLiUnXoqg==
+            DMCj/RIyhaNgMhdo0MRv8iFxGy1kl+sOOMuaCiTgNq00bmem1ulz9g==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1lt739n2tq7dmpglvntjr9j2r7426md7rat7x9w930gagtx4jyvnqwts2al
+        - recipient: age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Zk4vYyswbzNFdDRyaUdS
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZE1vMlBPSk5qVWkzTXF4
-            ckt2eGd4ckhLS0tsOWluOEo3WnN0Y3pWekZNCitDYktFbm1Rd1RnWFZnNnYvbU1Y
+            L1huNEUyVHRLQk5lWEhuNFdUR3U5ZnBtdmpvCitSZEZQbzR5NkhDMzNJMFpVQXlh
-            ZTh2SFI3MGI1ZDBmTEt4cENHd3JNOEkKLS0tIHozY1dlZFpHam9ERHkzZFZtUndV
+            MXNnTU9wVUpQZmJGdDBsVGREODNDUVEKLS0tIExkSU9rNTZEcloxUVY2OFJ6UkpP
-            aHFFdDF0YXpxczZsQy9KcUx4bjZubzQKVn+jFIqSgUl6unVNdey7l358Sq5v0XyD
+            eWhKUDN5SVFBdWg0VG9oRVFzSGxWaHcKdU0Z6MRA8660aH350a5fNBSeuqCCIvcA
-            OIY2ICPC6Y/jQ6GttvA5eJveCUq5OGmZ3csFSXH6Vk5RUS/p9Qc3Jw==
+            y94690xSN5jMHJsk+mAta8kW8mXxM8sjjFtGRDB40lAUqD0AapcTNg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNkhPKzU4Q0pmWUl0YUNP
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWVZ0bDlMbnN1eDVUN2du
-            WHowVGtHZUdHU0dnNTE5K25pRnh6NXZkLzA4CmV3MTdrNWlINmxaN0RwbDNsaXla
+            cnRDWFdPN1Z0VXI3QkpPUElGU2lCTEdSSW1jCmRFbVFvaDZXcHZ0V1kxWSt3cCsv
-            ZzJ0NUpRVVVpNnE4bE84eXp4UHM1aWsKLS0tIGxWVVdGSTdycGVXeTJhZEgwOTZs
+            TEd1VWd1N0RqM0djd0d4U3RJOU8yQWcKLS0tIDlQUTR2aHl1NTdVYTRjR0tQNzY2
-            cEU3dzZ5c2JLblg0QW5JN0owT0ZISmMK63ZpM6CfYAIo7syEnhOzbRaQ6mBx4D9f
+            VUIxaVRMd2FaM3VVNDZyWGJmaXMwY00Kjlk53H34uejwIWcVpSlZsg62LTglUz2i
-            RaGl7KhnSCSHPMWPzlKSrvk76nEUdZUWvgEwE4aGLrqL4hcpoW7fsg==
+            Emqwl9X+71lsa7GOplp1AWpoJKaGOaR6ntrDhUnx0z0TdDTbjFCSvw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQllDVUh1NHJ6Slcrcjlo
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZUzk1SExjbEFKaFlqVjRJ
-            WWVlTWxMa09TTysydmY5aVdRelEvYlBUWFhNCkNlbmNKUHZodHRsZVdXZGhkanEr
+            RExoNVVKOGVjZFVaT29BRElLaVMxcVpsN1I4CkVuTURZNXhHU2w0RFNrMjJyQllM
-            bzhyNEUzWk0xT0xsbHVtUDdEY2Z3V2sKLS0tIHE0dmZUNXQ1YjNIL1FXTDNxbW41
+            VzBhbFZ0Nk8yMDlaWnF4MzVwbUFFOVUKLS0tIG91NXJnRHI3eFlHNVU5QXcvYnpZ
-            bWQrMzBXV3l3UVJWVVU2V2RQK3VwZUUKdJob/7tk8vPwIlfVU66fIW9ft2Y+7JCr
+            enJHQmV3c3hZWWNHakNTTEMxYk1iL28KeKadqZ3dflo4hCv75OgvYvFQzKnyka4T
-            L9f+AFgy0XD8e+DfQlJGNDeEm5Yu6cW0vWlbJtrRWes4gIF52bq9YA==
+            WDI9j31vyiGgmzzb4uE+2B6MxHJcs3isnmeeFFxNGbWScTdteKE03A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTOU5sL29KTVQ0VS92QzN2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUaHNCSTgvdXV1S1dRTVBp
-            K2liNmxMdGN4TDdaQWp0ZHlyWjBwQStXQjMwCmNuMUZJMmZncFlRVE9GUFlkV1NT
+            Yng3OVgyQWhSUEF4bkxaUlBOZEd6bUVhV2pFCjNwRDNDNjV3ZVFQUG0vcXlEQy9Y
-            cHEvcUgyY2F4bG9ITks0OVZZVkFOUGMKLS0tIG5yeS85T0FqeGZrUEg1WlJnMUUz
+            aFNiYzhESjFNdHAzSE83RWtYdi9sbU0KLS0tIFMwRFRVWnNGWkp1YzJFdHVBdGtO
-            d1poZjE0TkFqbVNFZDl0cm5sWmJmMzAK/S7ePeCRqeZLJvk49CoatP5J6la4yfEN
+            OTBvNm1QS3pXN00xOHlMVFZlTHBwM00KY0hXHQ81uc+XunH2cQvBMzJeq+ERqTLr
-            C81ivlh7SVDfyW8nJPLw+DIX4SU6e66zva/T+RQO3QnNJSDuw+gHAA==
+            RVTInNt42xAto/DE0wbUDBi0MdFie9LgrP8CkLPN8CDjv5BUC+Lk0Q==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1t957gf0z865gya0khgc9x59wy76hzps3sgejjqtwcngn2xl273msxsmpe6
+        - recipient: age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZ25CaGtiY0tDVnIyWkIz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYVdrcXp1N2FtTDBLTnhz
-            QzFlQXhHMkhUMDlIemxzdUhrVTJtSzhkRTNvCmhDdUdqdml0VWd0TmluSGF5QStG
+            UU5XaXNFMzJ4dmxTamNrdG42RFArT3pJSmxJCnhCdmpOc3hZdUx6WWEweTVaSnZn
-            Rk1leW1ac09LMGZhaHpva2NMS2Z2a00KLS0tIFBwNTRwQm15UFNEdkJNTmh3eTJh
+            OVlEVHptb0NEOFFvNzRGdEt3UWpYazAKLS0tIEFNU21XYlNnd3o4SXhjUlM5N2Vh
-            T1ZLaWRwWFJkNE82NC80QTdjZ1l1Zm8K7QhAMCO/65Z0N4coN+sc7WYNVI+BvV01
+            YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
-            q5DXWTtePrPRQ8ZCqT7gWdSQc8iS410HEZ2Nya5IA+ktGxMO9h1EXA==
+            wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-21T09:01:02Z"
+    lastmodified: "2022-07-09T07:48:24Z"
-    mac: ENC[AES256_GCM,data:G6crbY/fKKHjiCI7m+uOIRHrW2CJFM6DPD598h/vqRwYI0laIkasr7vUMuV72RyqAW52F90kIYyLY5qhu4uTOBqHK5aJHAxNo55knHrpXYQemMMt5UGC3AwgswLWkqze43EhIj7NrA6LTFF4MX+rD3yhFC+IAQOgZ1HiIk9h0sY=,iv:kDDHyNlaCCq9AVSr5qaF1OYZxNAGgxSGL5bxYL3Q79w=,tag:5FNaXMHjTyjyPScOXgep6Q==,type:str]
+    mac: ENC[AES256_GCM,data:j5Rvh2EcWyi42lWhiKF5/t6isowgPZPqwHQIW+H6T7eb1YCRUusqnK69KSIBUvk/19ZXQXxcYqFSxilAEiuinKglXqmK5Tq2hSF+vJjqW9cunuPgeQl58GeA9PyjxrRo+HNjsXqGND9/fcZf+cqvZEQnhQdPE7mCzZaJ3kAXMKY=,iv:BsDIVtzO8nSStlKYYoFktZs2sRwVk5EgQ3GBkCk+1UE=,tag:pxQyFn6Y8bbDF9hQMJqTvA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/universal/aerc_accounts.conf
+++ b/secrets/universal/aerc_accounts.conf
@@ -8,35 +8,35 @@
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQXFUV0NVb0I3UjF6d2lx\nQXlCZURBai9qSERxWlYyQ3k2VGNhVnhPWGxRCk01aVZPbE96NDZ3WVUyRkp1UzFm\ndWNGb1JPNFBWS2hzTEVnTzFsOFRPWFEKLS0tIHVVT2Q0bDkvcmZOYzZqQVZJclVO\nWEpHRS9jUFpuVHZrS2paWHNuRzN4ZzAKOioqqTsqyD4Wa+amWaRNgb/6ZspWDI1K\nKvrIZ8uqunnUjjjNSJJlM8dl1OfyJlrRWEi8QOkqD21FcBTQiljVgg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdDR3YitDWkxvVFpOWTFS\nQXNrbHZHSzZzanpnR1Z0bE82aFpiUmNMR3djCitYT0J4K0daZmlXTzhJbWR3K0tY\nZFA0QS9rdXV5bVVXRXVuUStVd3RMeUEKLS0tIExicUdTcEFMZHZEOEFmdkV1T0tE\nc01seHdzS3RyMjc4dXF0ME1seEUzUFUKvctFuHiqCIBYGqIKQhMO7imfylxlKXBY\nezzfi0MMlfoSMmz8XqkCYT1kdgYVM1cCOwtBBmTzE2muhWK7o0zPCQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtT2gwSnJENUgrcUZQS21K\nL05BOW15ajJDVkhGajNzZE1pQTc5WVlwM3hVCjJMVFJDT1laOTlUNk9qM2ppMDZn\ndEdNOXBmMmw4Z1hMMFhIcjlsbFAzNFkKLS0tIFdIS0xzZm5vOGg0S0x5SzJXL1Bt\nWHcyeTVBRkdwS0FzTWU1eTJ6dGhiNkUK6YycEWUOh8M9iYF+2SSnU6cTcxtsFctD\nPcOfrTp+OBX18yXjRraWNLq2+jNj+IQtoRVFBUv2VsZAFFjz7d2oyQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWnhldzk0UFdIcU03UUtE\nZ0VRVzBBRHp2cFA5Q2RjbU9kT3V4eHR1SFE0CkJRSndMZ3JOVjFRVytXSXBIbEk1\nKzBUR2pZWTVXTTRhQ2J5VlR0ejRpa00KLS0tIDZveWl3dUJZL0tIVUhKTDJPalBF\nVFVWcDBDdUt4ZlBZejQ4MGNJTGNzSGcKM9jHMEkRCmil2GO4DRVJMdPd4wikyNyP\nbI86+Z7llsMSWZdl+M/ZcTuJSq9Lh69hVNzKObuuW2GgApwoju9Lsg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZGZBN1FSQno0bmcrdmJs\nZFBFb3RRUitZVGFDQkh6S05xSUxGS3l2Z1dFCmNSL3VxZjY1MFNnMlpZbW1MQmUx\nS0FCbnNCREZlSzJiTE1WUDN2U2RQS1UKLS0tICtjeHhzY01XSE4ydFJsLzYrZlND\nOUFURnA4WHhySVBnc0I1cUNwWVlETlkKmvoUt+hvm9QknH12NTEKvilnBUaN8uhx\nYhPEbZkOr1QC8Eakn+b4G8A//COsxzm6cQW10FAiEBOrUybQGopW0g==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5NUJpc2hpY0Vwb09GbHUv\nRWRjbjRHS2xxWWNhN3BlbHlOcUgranYxZG5jCnhQOWdBM1dKdGNTL2ZuamxjSlNS\nU2VCYTZQZVJTOE1sWEYvV0cyZUlNMmcKLS0tIHk0WXNyZHIxaHJ1Wm1xVk5ZZ1lj\nL1JnTjZrK3JjK25FdEFEdzlvTURrV0UKL0HMaRQBg4KJTW+pb8RWe6iZVMJhtwrI\naH83tABhElaf1JKx8YiCG9+RHkis35nzxqSoJDN0bN5jRgVVG6C1iw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
-				"recipient": "age1lt739n2tq7dmpglvntjr9j2r7426md7rat7x9w930gagtx4jyvnqwts2al",
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYm5qaVhqb2t6c2ZFUVBr\nYUlSb3FsS3FyTWhOL3prblBSK08zMmRmckdFCmxmK2NabGVmMWZiQnRUNHRDdUhK\nejlwbnZvbm1ndmIvdzIxR0k4U3M5TFkKLS0tIFYyRFhJQXhkdEN5TDN2d1M3Rytq\nc2tZNjQxVGNnUnFvayttbzBPN2dYRjgK2vKIWq3BMn2v+FgZ+F13703FPGMsEGsr\nHYtrnbDnd2fnPz4PTFUwvKldBTOtEymnRd5nfxqAAz9OdZBsahzRxA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbGt3d0k1SlZCemd2V01z\nd2R2NVAxZVlJdWpkVVh3bXBUcTZ0T05kTmtFCkQzWFVqd2pQelAzNGE5MnFSeVQr\nbjRjaUJKVVN6aGlQSWdTUGdHRjR1QWcKLS0tIGdrTTF6eUl6UHFlaTlQMENiMzFP\nQlJJWlZwMjdvNUdhVnBiRlRKL3hzcXMKNF9IEoY0seK15jiJqxWrOtMSPmBUU0jS\ndSY9KXeYLQNHuCzSC2T01UHmq5FDxDszRH3O8JQ+rBSLxNx3dLpetg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZlBQR0txRVh2YUFmdjBJ\naG50NU5FVjY2S20rM3I4ZlVrOTVrdHRTZ1NnCklUVGYxUDdza1hmbW5Gc2sxUmw4\nb0hDS3MxbENqclU2QWxic2d4RC9KZVUKLS0tIFhwaURkelNUdlFMWWJlTUN0dUJo\nWWhQaEVmTTJlNE5qS2wvcmtuK2pNSEEKuKeGKXPLLTA9RWoOSacIVEZ2l3/uW96s\nM91c2ezYFOTV6Md23jYAmAnje7dTivTCmFPnPuWdbEGXYbHLzz/O9Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMEdCbHhFNWNuODRSNDU2\na0FzK09MME8rUWw0QnhpNG9NK0twNVp5RWcwCnBxZXJrZCtMRkFSR0lnRzl0TC9s\nUkpoQjFiU2t4djJNamt4NzQweUdOR1UKLS0tIFNoQTB4ODM1RTkrdGJxaCtSOG1D\nbFNUWktMRWZueWpDc2dkL2I0OTA3V0kKhWPOoRDueGpQntCeofze8yKgMtXH7Hn9\n04tlU0BFAWML7Rv2n9OeHAFcPe+n1DBoIZDF6U7ChItomIVmsYQZcg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUVN4WEpEcnpjdkFucXlE\nVTRjRlZHM0k2SVVXTkh1V0hLTXl0TVpZSG5rCnl0N2JuR2NsV1BUeXRPZStqRnJl\nR0wzb3l3Ymc2NytlZkw4ZmpoN09kcDAKLS0tIDRVTll5VmdFOWpPV1UwTithNElp\nWnVzU0s2YXR2Y25HcmZ4VUpleFM4TGcKFxi53+wTYdoaIMGvgcy0C6yTPDDPgZps\naWZcXfkberil26xNhRsRV6KwBje61Qd6vwU8hEa7P+hDcbBEavXwhw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cFRvc3BVOVFwb3QyaFBs\ndURLUlFWRGhqV2lpRkRrdDA3dFQ5c2V3aEhvCno2QmFDWEt1SGVRTGtkWnhHRUJn\nWTNmVlh4Tm8wZUpYSG11czBxS0hIRmMKLS0tIGZmd2NHWlhmTTVhSVVmS25XL1dp\naFVsQmJPdTF4K1g2WnBCKzJ4aDg4R3cK27ztxAUVvTFhaKvO4RorZaHNFtJ3LPv4\nFzpsko2dXTaksBHukBLsESCF89NlvxIJosgOMSqJzHwhODUeBPYwIQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYjZWaXJpdVoyZHpVbkhW\nbEErbUNQa0M4Ty9iakkwblE4TDVBY2ozVFZvCnpiNlRPRTFxbTBQR1E0cGxYdmN2\nUUhSQVFWZ3VyV2VVR2lPNWhpY28rWTQKLS0tIDhLQlFGTncrKzErNnVCTDZZb0NW\nTFZxR2RFR3pBQkY0aVl5bWw2ZDlwOGMKakhqNNF7R4pgXEsXSaO7F5LGCw3yE53d\nItWXIoyCa0c78xk+YdMUNUOlzn39y8itXXpZAH2ZAC1sUrvq0elRew==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SXZDNFgzL1VBMFRlWlhx\nY21SYyt6aVdSdW41a0RYU3dIOXM4OThPMXlVCjllbk1VbVNpRmc0QkZwMGtmZERR\nMitjWjI0bkQ3ZlVLcWhjaE95Y3lFdnMKLS0tIGxYTnlEclhkc3dub2kvalVyUHZC\nak5IVTdaTjI5NHU2VHVWSWw3K004OG8KK2E91q5yKGXCqtjC49f7snkvZtfSRQhM\nh7d7ZcudW4OzrFaPFzmoj9OdD1kBMHR5QQQHu/aCV+ObFrp+by0utw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
-				"recipient": "age1t957gf0z865gya0khgc9x59wy76hzps3sgejjqtwcngn2xl273msxsmpe6",
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdHpmNks0Q3FLV3NiRThx\ncTVTODdYTStiUmdpM0gyaGZCdzNLRUlqalZnClNXbVI2dU9XMGNXTlh1U2trTnFi\ncEkvZllmM09WZDBBKzFTNDVuUjBpTE0KLS0tIDc5ZGJPTHJ6b2ZOaVdWUWl0Tng5\ndm1jRTRrZnltVm5sbW1uVjhTNnRyZGsKq9o7VkxWsf8k9wGi7ICC1M782MMdvQrY\nDDVlH7ITiDpJ1GGRDWAbfxB4izyb3MWoRqkhvcvcHt0WXR51FNa5NA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWU0xDUFRJZXVocGwreEVo\nSVFqRWpLSktBaFpoTXYvMTNYMHEzZjRraTI0CmoyN2pHL003TnBUdnFpSE1NdnJZ\nd0k3Q1ZvaXk3aWZtNEo2dWpTU1N5Y1EKLS0tIHdRNklxOWI4YytWcC9NSVVxTkhn\nTnZ5SzZaMnV5Rms5Q2NrZFkrSGRtT1UK/yBKQzkC+HQveQJtAJ+qulDCxjEhwJ1/\nSqEojNY/OV8q7YSR+PNJBsllQYS64z72hCyPpkQ67v5C2Xk5LCd+PQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-06-21T07:13:52Z",
--- a/secrets/universal/net/community-university.nmconnection.bin
+++ b/secrets/universal/net/community-university.nmconnection.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:Ei6XDLQznlR+FZjdpc/4Ff1yk386tvUw+v8eYyEVhlYWMbf3Im4uqdD2aylcthkLr/ypzTUBW/o6XVV/e2VtWLA/QBTM1uQKbuGKrlCxkW0uFt/L+ZzAGm6mc0EHBbRmiOLLbbZzQF3kxRlHsAUFwmuixjzjftv4ejo5jTKyK7r1DBt7Y4M8jb9paiBHGDxWmuc8wIkiTcLAlvKX7qySfl7zRO8EURI2h5YzQdcXqGLaZEpy22ktH5j8prAi2RYLGbCikKYqk3UmM/3c6Q4zI+BpF0eTpieUuUkzgv68lg/ek4PEeLa6cpPJrD/zuVlFKjVTzoo6779TFg==,iv:/8FfgfH173YrEDk9zGPUCfPjGvjEww1Q21/E1bL+YeI=,tag:0wGtRM5gGREWTefq2SGv8A==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU0VtNFBIVlNxMCtLVXBJ\nZ0lTaXY5NnJvOElGV0dHWkUyK2V1blBOR0ZFCnJxWkhkVmRnR1FYVnMybUVHb3E1\nZHhGazFTaXFRRmh5Y3dDczJnWEZ6SEkKLS0tIGY0R2FiZlV2OHpSclA3RUdPa2tM\na1pPbUh2cGFibmFidUtQdFpMSGVrcEUKG81db/ZBzHNGV49Rgwc5hfeWc6uNbbLi\nZpPjZS6y14ZVMFoyE7XPD1+D7OL3BEP+rOwICrFXLAGKpyLEvBngBA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2MzlvUTdzK096ZkswUEJv\nRlF1c3ltKzBDQmVCcUgySVRhK0xMZFlhVGxvCnFIalFJb0lxMGlIdE51WXAvMVB6\nTkNjT0hKeTB5TDl3d1hnMXNoN1p2djAKLS0tIGNmcTUzZnIrVXl6aUhVYkpPUVRi\neFV1UWtwdHZvTlNEeDg0NG10bXV3dmsK4y9+g2cxRQvePeKhKjWvtO4/KZ7dG2Kn\nXGFLEUJAI9BG4PiJoIPjvXvugHndfahqmFtdbXA8mdso99QxbW4Few==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTFQrMkdGc3ZBTFgwNVRO\nM1FOTHZ1VnVsWXlXMFBKR2NQajhmRnM0RXpzCmZ2QStTUllSelRIN3g3VnJQRG1Y\nalRKa1BaYzRPUXlwa2p5ZkxxVVBLNkEKLS0tIGd6TFNRZkVTRHA2NHNybWt3eDY3\nd2tkeXFMeVl5NDkxK3hOQkRJTXNiUlUKMrXMYYy+pGVmVW/ebmcKsAf2Xxjh0mJ4\nrWSUDmAb9sm2N9yCkkl5oQ9GRHHr3/HmS6Xek5Y8aJNdvuFJzkz8Og==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeW5neXUxdDVjaGFKL0VX\nUDFCOFhta3Zpek1qVG9yQkYwdmlhU2N2T0VnCnJuai9qOFhIdGxzUlJjSkNaNFdI\nY0dOa1FaRTRGNU84YlNIWmg0dS9XNzAKLS0tIHdiYjlhWmNWUkhNY09nK2pPSEFV\nN1V4ZlZNU3JlQWdEVWZXTXh6UmNkWjQKD87Fm/TZGY33wqBedwHgkIhziUrKpSdw\nc8mRAUqjNdp4avomtoSAyhThPdilpKO0ES0NJiu9q8mqqK/aRwungg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTjRjSXdVUDk2eTI5cm1X\ncDlhWUJVcWdEWk1jMVdUVEd1bytYY2tCSlNRClBsTVEwQmZ6cDZlbWpSd0NZMkt5\nMzhEVU93WVdkbGZDWEdoN1FvejJwZzQKLS0tIHVJKytaUStRaDV3Q01ZL29Eellv\ndGVMU25GWFdiT0FPVW9oYXdZbGJqNXMK0vdn85DKuobJo0baVLy+0hFvTonPJzoS\nD29tcM29rea+haH/EDRLXTKEXeOgQm99SBDaumgaUAraIiwlpDB9SQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYUp2Zjdkbi9HTUh4RUZN\nemx0VUV0QUNFTitlNVV5YUFQUDErcTI5UFNnCmYySjFRcU5jMTJQOGNwdWtWU3lC\nWmxnVmxmWEhpbjZsZlRkdnNUQ0hTaEEKLS0tIGNCY05PSUhtTEZQejhDL01wbHY0\nSkNnNFVRTGpDbEJnMGUvdDlBQmV0L3cKBswixkjiGmJZP2sZ3kT+eJus4fxzORy3\nbM+6dRYu6O+1886gWVGjqcPNBnA9YPii0ClX8vhPWS/dPN0/k421tA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRU00OG82bTZvbVBBNFdG\neTNOK3h6QWZEWWtlOUJEU2w0T28wcGVlakJZClZxR2VzajFpTmJLVWFQa1VUckdU\nOVhaeGcrYlZjY0c1RC9NWWY3cVhuVk0KLS0tIEY2SW5EY0I1N3RnM1h3VGxYMTNh\naUFXaWJoc3drMnFQNS9NTzYyK3VMbTgKGjnfsWmn8YfE9VqA4zMiALxfV1XW5FEr\nHsG3mTRnShcxiOO8XvH1cUO2tDZ3ekTz++DbA4xRvrd9aD87t56gww==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpL1ZpUGNJSkNBRUdkSEIz\nSXM1cnRwa1ovVG5NVE5URDlNeGkrSy9WOTBBCjIrTzhHZ29veGtMV1ZRUU9Xd2xF\nU2o2ckdSL3JjeEJuc0JEMjlGVXRuZ2MKLS0tIDFjVjVyMnFVVytNQVh2ZGJJUjhv\nMU1IZzNjaXJDa1lPWnUxTEtlRUYwODgKKWr698/3WsEmCrHSHFEG8LCsuQ/KyWmm\nDOMwUW6YBdF29X8tzA8845MTaOaWrPiK5f/i7RZRhZTekv1CiOZAWw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-26T01:01:07Z",
 		"mac": "ENC[AES256_GCM,data:RUWSeeRnF7sI5Rn748V5h1NYPrk488gMwf7lTJRjzJTGQJBuu+hxAeJsoeG7gWPxGYJp9C362dFyHzUYWyFmJqk+JK0p2wh6mFIDerfZS8lTxAEP9qtDcA1ZMFRJVm9X3IYq8CyOb/DHdQ1+ih7Oxbo5XDOyXMuDGvCCWD71N9o=,iv:Myy4VHpuWgS8mOJVFNkcbN3QyRIDl/h5V/YeOtPQ0kU=,tag:HaRPPUG4o2HRN0v70He0pw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/friend-libertarian-dod.nmconnection.bin
+++ b/secrets/universal/net/friend-libertarian-dod.nmconnection.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:gHFfxCihZwMfkgoTjRL4kKduzV6IbNIlIFPqjFHOFYBSOER0Olr/nxOahL3yNCcvKtriGa5zfBkAUQYpsGuknkUta6FfOLNNmyb1b5qajlLClaDWTR7q4ZAUacrdbFOjPtv1ljawADD7BWIgYPPtqwhHq354r5LpziF6bnmPkBU4PQYftSYrBzsOu3Ko1OyRogRWB3VzmMbEKyvBk84A9enNHOSHZDLv297AN3XC7n01oyr6l5kdu8TSwqIW+5lkLcQAujl4iq0n17LSdsZthYKOmkmlxLtJXNzlpBLROejr7PstQNuEhM1fgvPswIl72qiCsu00I5QOTW7sxkIjK2XnVVeMpIJS/ciy6Hrf7n+n8yVUHOq3gEC9YLwBvSZD,iv:fPze55Cmr7Pm3YEsU+dnwloEwjRPSx4DNSF969K+ijA=,tag:FmZFMbE8Sx1ix44kYoOVSw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RzBlN2VsUHV5RkZJdStF\ncFpiREpWeWlWMzV5Qk9Lay93U25TS3FMQ1hjCld1aWFjRGc2bXV4NHVFTVhYVDBR\nZDRIVFFRN05aQ0dVVkdxZHY3b0Z2TEUKLS0tIDF6NTFUM1ViSHFrSHlxS2FaR2tE\ncko3L3d0QTdYc1Y4V25ZdEVReWZkOTQKR7UzugT3eRyymjY8nT62OhLjScOv1BYj\ntmWjrK3y/DJcngFw/w+/xHGRJnMK73r90pgyukXXTJsbOJQmD/+G/A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDV2FUemlkKzJTUGpmVmJw\nNlJ5RGRGTlptY3VhQUtPdTRpRVNsU1lHaGxrCncwbnVtNlQvbE1pYkNvaHQvZisw\nZGNTMGpHcUhuRXMwRFRZY21NeEtTTEkKLS0tIGVORGpUVHpuZS9KMWFNVDZ6bktU\ndERnWm0yK0ZtN1hDUmZxOG11ZzJkc2cKgGiR1ZMbRTRvNBSwTNxemOepggOgaSn+\nnNf/2E+YY4i9dO1H5E2daqZQ9V6ohCpXC9v5NGMdPOzTkfXqOGwngQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveGlKbUd0bENaSThaWE9C\nTXE1U29aazV1N0JsKzNiTG1KYS9Jd3I2NGdzClV3Y3FLK1JVcnlUWkJlUnErZnc5\namRMRm0xYTI0cnM5UzY0NnBteXFnM1EKLS0tIGZLdVRacHhoZkZnSUMvNndMQzdy\nUEtVL3NVb1B0ZnkvZjZYSGJvYk5zTmcK1niMCVoVFlBnkXn8zPDUNAuLBwxKpBAS\nP34gwYWst5Eo6lfPbC/R/3DIVWMgPnPmKxzwO1QQcRPS8wu2iw++EA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUkZ6WldkS1NwMmc5ZVBI\nSWlVSmp0eFFVbVl5SDJGb1NSUTFlTU1NVDBBCm5jSi9HSTJTSFhvQVJmS2lDY1ZD\nSjdyNWlMZi82Y0FBWmEweVYyU3dBdmsKLS0tIDNNUWw2UWNPZXR2QjZGMWFpdXVK\nczF0RXNBR01QY0xwV2MzUzc0SkQ2SU0K9ZT4/l89s9kB0SrK+1STUnlMUgnGVtH1\noV6Xu4berh8t09paiqzKwjsCMUYAIhm12K67YJpiJfZiua9CK9fQcg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYVZMR0RCM3hmWEdmcVBy\nYVJzcjBwZUZlUTNscUlWbDJQWk5RSnIwdENFCnBYRHQ5SDVFcGRBTjhRMTgwUjBk\nQzFEYVFxMTNHc29xSTJuS3o4Q1ZFdFkKLS0tIC9UZjc0MWJKa2VKMGRvdkhFbHo4\nd094RFlyL0psU3ZqMmpqK2NVLzZuSHcKwmaO5Z+qlZGZumjg8IBlr7cQZYsSzVoD\nYW1sohyOabz04Wto6IwL2XFJIG2rJMrynY6JY4Np++w2hjgwbVXkEw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdy9vNmtsM3hjOTRkS014\nTWtORmxmQ0NIUHRScXh1aS9sZGNTQUF1MkJjCnBBODZUWlVFUDFCUmJQZCtsdy84\nUHZ6SDVqMmRrZlRFcWwyRHYxbCtraHMKLS0tIEU3Z1hjQ0VQeGZNYmhSK1RFU2xv\nWUNiVjFhLzRrMHFvdFJYUU40bzlmclUKI+Jjl5h+GANpSEoldLlxs1tggxAqtatF\ndpvt8Boa7mSDgEMrzI43XTVmMoz6Co2NJzaryie+jlnEsmxlxZiC6A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVk0wSXJPRi9UYWd1a3FG\nTGpTN0tOejRMVUhzRDRvZzRnTDN4eG04TjE4CnNsRXZ0UC9ucWFWZ0tPVjFXNERn\nRFRWOTF5RGNEdFhGbXI2eFBrcEZLN0kKLS0tIGVNazZ4N2FFNFYxWEtqMFJucXlS\nRnNaQWNFMVIwaDlWUnhnOElxOVg5Y3MKgLbtex6wdbgjDhT+/wFs6KrZjMsR3gpo\nhqtt4zhTJnxjdaqMyn92ESQ8t1Fs4a74zpdzABYqEdDgYd2ORQim0A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZlJQMXFBcEFDWDBhWTFa\nSUVId0V3RzV5VExhOEdLTTlUd2Uyd3M1d3dFClkwWWhJSWpoUmJzMW4yN1p1cDV2\nUDRTNUprdGlacWRiVUJGSXQ2R29YZ0EKLS0tIGthOU9TTTY4SjEyYVlCYzdzbm9X\nMkhSTGx4TjdrUDBRNVIxbm5meWVxRVUKdGNdKElkDW/kmyoJ/QM522A15XFqmUlA\nRkbszSXVAqWRJ9GsLYnvH+9D8Vt68dV/F2tN+IqRSn2ri7+fmf2ayQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-26T01:01:37Z",
 		"mac": "ENC[AES256_GCM,data:Y0OiO9/jbF1q2IAUxXZ+Ku6i+quG3pQwVc6h0P0xM8M8m3E3aDqrxloJgcuC0GxXhDresLERWSzlNLQOUsNjDmztSezTGqlYUjuezO3YXtpmAkdVMqQOIoC4lg9SnociVSn71WpxNOYNaPpwwuYuuieuvAq6k+Ny847dlkARPts=,iv:f3R7QxsjfgI94g1PwZ+R4+wC4P9wb23kp8U79e0Z2+E=,tag:pB+glpdh3/kcxw7cJbUPeA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/friend-rationalist-empathist.nmconnection.bin
+++ b/secrets/universal/net/friend-rationalist-empathist.nmconnection.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:0EjWtJmTwjKtNX4fV4SMWgeTFwvDbUBmiEdkVLhd62EU5Tk8hkKLlFLeZtkS7bvCxUDZnowRtIYuWz29Gv/beydtHmcLZjDHgB5Rew2VSo7uVTkOJtfeHuVs/qj3soYN6DrIY0qJbI+biL8WfkExxvodgzN55oGcQRx0+PLrpn6mCoDdxdVXHgUxhWKedOVxSiK8YaYSO7uspRMhe0ukJrIysUgIPZue2KCh0Lr01jryYCEe2JgTkz6wv/vGMB6vN8P7MZ5N3DqYwKaz7wGCmcQogXJJzSFxRCIwusWs5pmHzZ3pkloK+xR26JGR8/4nlPIi0wulP2wuFNQMam2okSvv60TqEodBBgoP5xk=,iv:ahlaBYrX8lR61f3qlAY7TDS8k+qxpIXjrHUUaTDsWFo=,tag:mO78yMIWUXBkM+P6UIiJxQ==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUTEvZFhXaUdaaUVNMW1v\nYUxLMHF3RmRuWXpzT3lRSlltcHJDV0N6aUY0ClFzMVkzNy9YM200aUhqaCtlNG9q\nYS9zalcrOTJodXN2UkxFZXltYXZSancKLS0tIEFrdzFsNnVGUFlmMjJYZjh2Rmpj\ndHR0aFpUQmR6M3RsL3RxcHBzeldoWVUKdrg1fyXCXaKsadvyLni/sb9nQHHEXyMb\n0CS8SSxc3XE8qtOr+KDG81NnEKagz8CwfJThuNom6uPShFeuIrXr4w==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVDNiM1lOdUF1Qk5SMzVa\nQ3ArL1hxdHREY0UxanF6amsrWWpBbDlVMTBrCnd2dHhXMnJHWmFuSUNsYTJ5Vy85\nZitZOEhxY095U3pJSG9ZVU5mSk9NTmcKLS0tIHEwclJSZm9MMzlQVHNtUTJHaGox\nazlxODNjcnFnYmd6SzNlMjhncHRWYVEKdaHIg9/POjzVu5PDVGsL3hbFV5vG+kCA\nNpEKnOYD7qNvGFVffVXmWKbid7Djl+hllVA1p60qcMD6mKujObBbyA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOL0t2LzBONmpOOEh2N0pM\naHBKRzkvUmJMdURrRlNhUHJDMVlNdTBTOVRjCmN6aUhLc3VyZjkvMHh6RWs0cWl3\naStabGxieEJKeHZiaWQ2YmJIREpKencKLS0tIGFSMmVrMjBnbEdnVzAzMk9FWm1T\nV09qazRMMEVrb1ZsWTQ0NEQycW9YSTAKF2AfmSY0AyK2IBcs8KLY9qPem0fMqafn\nQP/ZYnZ8HxUdTFn8O8WAo9tPGd8FPIwa7h4cjHSCgeIE2vsp44Ggqw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZWhhUEd6aUFGUmhMcHNM\nZ282WFJHZlM0UmI5SWkzbmRHY1FtRmFyVXlnCkJNRU51ZnFRVkFWNUt5OHZ3ZlZh\nQW9sVGZPQUQvUytVYzBMdm1KdnQ3UU0KLS0tIGtOSUpXNngvUEswWVNxSjdqZ3NK\nUzR0ZUZWN0VILzdnbTcrWkxRVThGczQKHY+9t84/DHfL9A8xuH4ywJOft86E9IMw\nTzuXWaNuveew7lm6ftyLCIDyPKuPAbHML6GGZ/eTntYvihm/HtQOPQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM1VDYjQwTTA5R3FBTzZs\ndXN6M2ZjSXRiMXNzUVJadFJNUU9xWmVjTFdZCitLTlVZOW1YMERXaURFN2JXRUhv\neHFIRUFwTFVteW5BTzdHZnJEczQybFkKLS0tIFhiQk8raHZsRTRmTWRRNUpLcG15\nRGVzRVJIdEl2VzdOVmt1RlJHSFpKbXMKATMXl7FxIZjxHB8CDywi9w7oObw6KJNm\nc/3/z8Sd44jVuJF4caihhz5s2zqRCkZX97g78aGRJJkDUSuVpukk8Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArazV1bFpvL2NhQ2M1OUk3\ndE9pbjhzRHJtSEtvLy9IQ05GdlFBamVUTFI0CjNpbUN4YnlDS0R3b2lEb29SRmJu\nczN4SXBueUoxNmV4MjlwR3FIdHNET2MKLS0tIEQzUUxVRCtvTW9vNTNHenYyRnd1\nTUU5THN2TnBuYTNLZkc5ZzVYaGVaNm8KjJv+na2x8y9W0zrCnImInLIPwQz3sAAV\nRSW+9FCsQg6XoVtzZNHKKWMgtwLUnwLKxD4MbnWOJl+gJVYtArKryw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTEFpTW5UWDBpOWlOS29C\nN2ZFOWd5OHpxdzB2UDY4WVRjVWhUdFdGdkZzCkdtejVzREo1dkkxVHNiaUZ4Z0FV\nOEZRbUlvQ0l3WE11L0NCVXA4NUUyVE0KLS0tIGgvc3FIMFI5UjFBa3lidUgvVTZl\nMnRIN1Z0YjZUQ2dMdFlxRmRmdlkwSjAKTFYzmzEAD+WoZ90BRYBgXNGaAypL7aao\nKHMB0cdIEg7ynxB8cEeA1VynYQ/H8SKau7s9CKjGJEN2kqQ3R16l0w==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZmtmUm5adzBUT1NHZTJw\nNmFZZ3pHNG5vRFgyQkFRWVNnTU9jNExKZkhrClk1OFFBdDlyalFNMzQwemt3UjRD\nRkRqUlI3eE1RVUhkdjBYOStKNm1qYzQKLS0tIGRtTHA0YlFCMjNLNllBZUp5NFRk\nNGl4VmdxRmg0K2JJc2ZQY1FSZXhOVE0Kfz3g/XU5NloEqn+rpvYBNRXk7bF5D1Mh\n6PqvdxzDBWODLSpC4gDenwHAukCANdR5khZRuP2TQXXHof0ckYegmw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-26T01:02:04Z",
 		"mac": "ENC[AES256_GCM,data:/EkX5suKDBUSs2SqJDh7+juCdzDh57qmfUMNVFjLW8ASOt3ltRuUyYykNTiDrN3BNlzepFZi/1Fu8C7GZGjB4j/6YweT8oAz3cBQlcNcal4AWG1Q5JG3izoEPs7b7+ouBHrRR523FacPTKYftAiASOK2z5/Bbf3LZUN2zwBQy1U=,iv:2HNBbJiXBNbhHZbcTYEuV3SZP4f71hiNYWes4Tbhj2k=,tag:fgMjYlHaFBfujuJuu9iu6w==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/home-bedroom.nmconnection.bin
+++ b/secrets/universal/net/home-bedroom.nmconnection.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:CxIMcl3XWttHWj+itIiQLg10SCZnODo9ORLxfRpkktoMMk7/Uk72ndjOM4TQX+vSnNkjm5Pb7i3dIsmX6jJCtUXjEEJMZou3DjDLcQh4TkXJ/yoEJkZhcucNmI8Q9lhtEtlVarM8B9l2DU6Ltl1feTDv4CqELw+ai38dBoZsw6DHFQfUuavNR/yc4rQjlh9ZzJrhGtMD3Pv0DLPrrD2O/IiGHgFxUmRktiNZGmH2QS9hUq6zYdiT3VY8ApIKnyCWGoxBxT/JIwggvLBuYOT1R+50WCpATR4H6i5QSiHAzdVYihtpZBOydpiI2BpP5yXUH6kIOKQ+NYihiAAQ+jgF8hCx2cVU8879zRrywFrKlaYEAxcifjwrx1TQBY9hGRdthkeTDVe+/71Rl0DEhKJ5s65nmMtRx26gKp2UMBNMRJ4kuslfjTk=,iv:t5vjs2uKDETv8xrQrlz6J8YQKnVmpiIxcAHLcmTASW0=,tag:wjiIsqT53lwNEmo1NThJVw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVWo5QmZ6ZzJpMG1oLytJ\nZDVsQzU0VnN6Y052QmduRHBMM21wWXdmaEM0CllhZzZxVkhBMFNBZDUxSnhJaUtL\nRndYd1NPaENJUGxFWUN0Q2c2OGlJcGcKLS0tIGF3Q011SXRWTCt0MUljMk5KZnlS\nS2ZQcGVobGJ2cWZjVDFNNU4yZUFRQlUKYsIGUx7V6pwKBzI507ibtc2UfehwaYkJ\naiGoTk0awOF1Dh+QJ9iIix0yvlFVR1b58gzV8L/IzoP862x3nV5Ixw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYSs3WThMNVVSV04wczZt\nVVFJOXR6M0lvSXNTREcxeTlnTDFFUTQ0Y0RjCkVzMEEyWUl1eEg2Um83bXFGSENU\nT0xpUTRPUzNBbUxDc1FJd0RoZTFZTVkKLS0tIC9JNk52bGVUa3pIZ3lSb1hYd2dz\nMUN1aTVKMldGUXFQVGVkWXRORzFGeU0KMXI0kKQ+LUjpfnijok5IFeU4eGJy3EgE\nWzyHN1e5BgyqsXHgayTKcM+PPghKje7W1MFQm4CFJlDfdkAOpY2TYQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbWpVMVNpNEtXbUswdnV5\nOTl0VDUyamhmUGxNenRNRmZXTjVseCt6RndnCnBVWjBDOFJZNTZMeE5tWXF5TVBj\ndHV1N0EwUHhzNmpCSWF2RVd3NFFvdUkKLS0tIFgxVW5sWFBFZm5tdzVMejBwWEE1\nalc5aEErcmZYMVkzKzY4QzdIbXNUZUEKzjNtuYud4Nzeut9eDU0qXF+Gvcn4sOlu\npDL1ptq7/roDblMeM1YmBU3MDyxqdy0MKrsCUymRwOxndmBhV3hDnQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S1hmQ2E5YTB0dE8ySit5\ncDRlLzhDV2FIMHcyVGhvQjNiUFZ0WFlyUUdBClpMMXhlQ0ZISitMV3VnS2JBVldD\nT1RPSXRlcXhoZVdRVFdiWm4vQ2duRFkKLS0tIHFhRTg2Z0UzWld3dXFvSFVaYkdS\nVC9MeVFUdW04U2h0UE1VV1p6VkpHYmsK60UwN8gc1Beo/y7SwTmP9A/d8fDzWC+z\nEy5etxod2CBfJ8RfDJutsQH0otyEbWYqz6FfLqaLWn8KG1m0x8rnUQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYSU5WTHZLUHJYVmg1UkpL\ncjJscFJ6NnNkclFrT1FJSjNtdUxLVmFvWnc0ClRZZzRCVmxpWktyaGNVdkk0WUpm\neEpLdDRLNG5iK0o2c3A1R2xPTndwMncKLS0tIEY1R09FenZOcTFFYm5ucHFGSWxB\nbmloZVlZc2RERHJxOTNVNzZkVWN5ZHMKXfZq2ko7IiazDukSRvRn4floHMa82utc\nco/sx/saIf11UaKrsEnEzsAMCRatR+YHb9GNlVof7ZFEDUsQ3tToOA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWR1VjaE1CSjJkdkpYVE1G\nSTMxRENkSzg3bWZjNXBkS0FaYWYxRklnRWg4Cjhua0xZR1gzVGxBZjdTc1JvN2sv\nZkhhbUlzNXg0QTQ4ak9ETHNNb1ZPUE0KLS0tIGh5SHh4YXNMUndnN042eHliU013\nTGpKNzc3b09CUWQzRHBjK2RVTmJ6c1UKNu8SdhNZoNsbisjKvg9KbkluMAjblkaL\nnR0SJ8QlNvBa6wc/mj9y5pSaCgj9zROvjpDd9zQgy71WdMXVhHN7Hg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzY3M1dnZUcVg5eDRUTTFZ\nQWM5TXloUGhCNk9jeFZWcDhqSlNWVGFrVHlFCnNiVW1XekxnNlVqb0phVzgzb2pv\nR292NmNBMjIyY2YvSTBMY2IrOFNLNXcKLS0tICtKdWVzbzNrWENLQTUwUTVNRXV2\nckFBeHFady8xYmFBR0VjbS9Xdk1IaVUKJfC8jx/iCkgHa4nPW8uv2H1F9W/RhYGt\n0y2rDSklVYx574Oh1mMSpps0GOjEXiOgbGPyfz5eqgycpU6q5PprDQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Y2s0Z0NHL3VxMVpWSTZ5\nSzByWDAvSzNDOU9OQzBaMmR3OVJWWGdsR1Q0CkdmN1RITUc0b095SVBiRDhKSUNP\ndmhRWVFaRklVL0o1V0szcGFtUEROczgKLS0tIGtDeEVLcGlKVktqME9idUovcXVU\nVEQxWUV3Wmt4Rkphb05YSGJ1bWlCeEEKdAuxFMMYSnzt5vSwst7ZfxZcc8O241u2\nJJt+b2uU8iaHcLoW7FkaEUh+42+yit++uCzTlYh+m2Mt9H0UHXg1SQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-26T00:37:28Z",
 		"mac": "ENC[AES256_GCM,data:u1Dox97kcWqhqLPtXGF6lbkn7oSMVkX1Ls4CRNebKNO6gO84WpO+Bqcvx2Zy+OYrh+o3iJ2W3IM6Sot5LiTgamiCAoiZmYxgNSI6IJPy3b0+F+0RtlaZG9mUrV7r1NEeq84iMKqxjglafTlZbFAsrl4C/sOac1KK8/OigxNHl6k=,iv:Y9JYeRNFcwxWR6qhTTMwDc0hh5Y6eX66djABynaBMEM=,tag:pJDUProGl+flqA4sVpR+4A==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/home-shared-24G.nmconnection.bin
+++ b/secrets/universal/net/home-shared-24G.nmconnection.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:xk7sFZVtyR9hg5Rm4gidqH7JfvPa1xCKOE2lAm51oPRVq/A2EKrLrnLyJTJ9dwF9D5yqkxv9QA9SbCHV6QKH/HDdLr6+f3CSsCbgt3SIR5ol3CBPfiMMNQs14dE46ZH9sqo8BWCjzQxS2UU9KdpVz579fvMCSk+uDUE4H5JHiCnyi7f56BTOGhV5sPdsMjX0ktKzNPeQPYe1RtNtzVljlZWTM7L9AYCFhY4nnhJ7abqBZM8u0Do14pkdKj08HofzYZONAyb7U+4JPcNOYwsAWuXNPbTD6UMduw9mVF9rqjb42IGvB1v3mH3a/hhTfJfymaXI4NhJQLkpIahwCfxzZdK2yH03eYcw44kAAcwji7VW5tTurl4I1A9EnwouJ6HEBM2RUqfhlaVN5nu0AlHPuK8/0Vd6wuesUfntszl037yPCbB9ItrC5xVK/+BZRJujm14fYCUmMXHmtyMdZIFL,iv:v9xkoM9ed0nVkXj1Nw3MrF0b5qDktrA6tuEaHNDaJbo=,tag:knNHMNx5pJC6E+wFyh9qsQ==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZTAzUFZnWkM2YUpJSXV3\nVlFZdDBvN3hxK29GYUZYWnlMQVQ3Rm1JaG04CkhsL28rM2p5RGdNNW9CVkdWS0k1\nT2NsZ0M0bXE3U1dIaUdaMm45V3JISUkKLS0tIG9kT0kxbi9BVUFRRDRNZjNhbTlQ\neVo5dTJLVFlkWEhmZTgzMEtoR3dvRzgKvdrs0hNdQWMpwmeq3D4SU9PIHeUVymj3\nqK/vewO9NR0EDTDxjJvDY9CE1Hqs5KjbTWNBJt6e7r78OCGfeNpUAQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUlFXUXJnOHdmTnJDSkll\nb20zeERzRitXRHhpTzA2OGlYTVRvZGpDV2swCkZmcWJJODZZcitrTnBxK0k3SXB3\nc0NJUVRwUkp3cVJjenkwMFNKZGhnMVkKLS0tIDRmNGVXRFduRG43Qm9IempCSlRk\nN0xSSG53czZJazJKaFBRZHBJdjZDa0kKGbgdNG2ErBrMRZpojH8PMoLAt3m25Q6p\nuEzWTiksKCU/FS6DnAn7tvB+mOBzpbhjcb+m6c+E3eggCdFKgqW+YA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRm45SFd3cDIyNUpwSGdP\nNVg2cnZiTzBIQ3dpem9VQjJLNU1BQnFLU1I4CkR6NnZOSENrdzhlUUc1T2s3c3Bj\nYWhXYWtCNkVrY0hHell3RUg1YjI0dTgKLS0tIE1rS1FkSnNpRHdPNGtra0lKbmRt\nV1hRNDVzeVZGZmlhMElsdFkvWkZ0WnMKqsZ5UKR3eoz3392OB9485y4/TjNM3D5M\nm67Abn6pQPjLiZsham8G5eoiGwKgJAeXIiUBxg5ihahKKGy5L9No8w==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOellsejZiT3crbFhNM0J0\nQld4RUxFbVdWa0VsL1V5djhlbE94bFFoT1dBCjBFSFhnK1hwR1RxQzlmY0ZIblEx\nd2lWZ1c2UENqVDU2KzlwR2VTeE4rcUEKLS0tIHdwWDRHRHBvZ0FxNnJyMUQrdE1V\nVDlpSGVrU3JyRTR3dy9UaVU1cExBbjAKqGFpzoOJcWDpRQiXhpPV4FTkq97VWxHr\nlIUefxXABGKXnA5p24/bN1jYVeP5s3WO2w2laO/JQmD/bTknjUVj3A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBac2xBRkhJUllSemhGVU1E\nRjJHSFBwbEVRYUVPZndSQjZvK1l1ZVFicTA4Ckt1a0wvdVAyV0s0WmZUeWxxZ1FL\nU2RyVnpCMVVBb29oYmxuMTl2VERhejAKLS0tIGtNK3k3dkJKSk15YmRhZXVPblRa\nWjhCWDFtakhpY2ZJYk9zQ0NYM0RjMzQKAa8NF7fsNnYLDLS8exAZd6GttvLOV2hL\ni1sCoCr+MD3Y2XJvD2yoWaPwMtlbJD1QxnjZ/Ac0gDDSNdPA425yBQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQkVJSWNlaWZxRnlJKzdQ\nTFVvWVhyNURlYlRTWFRsbVU3dllFWkxtdFE4CjQ4WDQ1T2k2Tk5yZk4xNnJmRmMr\nUjE5VlNDb3dLOGZwRnR4SDZFRXBqa28KLS0tIDVqWXphcGpmVTdxOVpFaWhaZEZw\nMnprWVZna05wVzh4T1JMRnNGS254dWMKXRFXOQkDhnZbansO8zBIpoTLx0dk1gKw\nylEJR7uaC7QWBG8Flb5Jfyy2SDMYNZqujTWm3eaZy0CkgTp2Z3bJvw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdEFQenp3OGJWS1FnZ09n\nZUZKVVZQeEp3ZFFYYXBZcVM3MXdEYkZ0TmpJCjZncHdTOTUzbnNOYVNGUzBPSW03\nc2NSbjhRSG8wK1J1d3V2SVdSU3BHUkkKLS0tIGZsalBtdEtWSktEVGdYSnFTVHZq\nYkFlc3FDdFBtNThKdzJwTlF0Nk9Wc3cKn5nRJPjhKLNmq4DSl8CGN6BhmTrelN5r\noran8wSzaDPpELSFdhnvF8ljW1ETafZavck8y9I429W31n/xq21n8g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcE5lTExBaWNkdzVwcU9x\nSmtxTUJjbUZkb0p1NDMzTyswTGdMOUNlVEI0CkVEZU1PMk44UExqdk45VEppKzZq\nQUtaYUQxQlY5cWVTaUdMWlhKODdhdUkKLS0tIEQvd0hFcTJmT3RkWEh6RTIwWFlx\ndGZHQmIrZkJuaEozVnFOK0ZXRXBiRzAK53/YP1rQ9VVuLzRYCGmmo9HqLpZmgOAj\nImFr+OpzdNpXDMN0JRorJfZ0p4CRob62zDIt1FDZb6jxmHa4PwLfhQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-26T01:02:32Z",
 		"mac": "ENC[AES256_GCM,data:y/9UiwCrOwC0BzcBj8pdeLTKrbsivyY2X3y7CbB+loRvFINql6VVgJ3n5Bu+kIwwErdfzCeouhD0RBv8pf1ygzG3tj7H8nhzeqFXrnUGuKCYb0Co0HJD5ZdprHyIq5jUxi/btRNKuvRkno+GSitE3uu1IPGUeu3viLl42SCCBKM=,iv:TfofNHw5MnhsJ+l8ZWVCz6gTGvhupsnfaRZKYTPY29M=,tag:IwN8TuJA4SPJgyEraU+8Bg==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/home-shared.nmconnection.bin
+++ b/secrets/universal/net/home-shared.nmconnection.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:dAvCfwoUc5h+WXdRKjSQWWLwhQmEzH4qEcSpmmlVY/Bec2fMSmO9R8i0S1XiYs2e9kk/DXP2BiDTDQbhpYBsFa0+nTv3jJ372XoNyInQoAvbiQpIZqWN2hpBcK0RnfpYXrsXw1vnCgB4EYDXBmrXc0uJ4db3WuFfab7zTaKBegpGJstY9KthBTKMacbLvDTXvmm9ozvSrrHnWV14a7z2+Qz0MF5vYkJm463vocTpw8chak1N7eWTBY+sqJ8AMAGCIh3+rUxJN87D77/jCDiefYIB73nLLdsuo4fz8eNlA7Xi29tujDEcjVnE9iYhu4YNB3EPRSdTCiEj5p2oh7bqL/rOkWzkrPaGSJ+kp/XnmmKoUhf7owSlAzHC9qxpxOZltK3rvgVWYCyczI2khtAmhX+lgsZJ1LEYM+dOP/Msfa9SvN94aFDq3chmr6Hd2ookAVSqN10ECV7zHLeeGPZhLhI=,iv:8pNdSXfPeRvH/W3+qkQXySkpz29/yqIqGwMOl42XYbk=,tag:2d1ImDpxL8gikl3q6H7HLw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkeGs1RHhHQkxLZVNDbVhV\nRG1oMVJRdkpnZlptakNkL0ZpT1FIUFdoNzBRClFqUXZDVyt2M0RkVFVXVE0wQVY2\nWUJ1Q0l3OGwrOWRKK2VOQ2pMSjZUdjgKLS0tIE5INjNkUWFiS215YzEzcFpPQ28z\nVzE3cEJBTGY5M2JtdHBScWVqZGc2NkUKoVw4Tz7keycFG4OWkz3QKOKwyLbnjooj\nxiLKkFhebTypzNhBdd0zPHZBHbbkbkugGHJRUM3vf2IT8DEAEdNQ4w==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZDZkTmxDQ0crOTRxR3dY\nVDlEK21UUGx1Q1pTVGdPSkl2MVJOaTJoQlVRCnd1aUhQeUxYZmhpSmRVYkNHUXNW\nYlI1QitlSkhxNjZHektDTzdNTjlYUk0KLS0tIFBDNGFKUkhRWTVZb0ZOcithUGZh\nakFETjdTb0JDblRjcWlJeHROeURpVU0KCkSsGQCIIKcdeKKUFcTDW+05kTAl3YR+\nEgXnCFI8TlADKlCGu3UmlpAJ0IVSsBbHviLlCn41W/0yOSyRTZi3zw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNndPNks2REdPaytZQXVF\nRzFBWm9OYzJSRzRnNS95TXlFbVVjaEJ6emh3CjNQSytLNWVUOW4zak9aeHpqb09r\nbXYyY3NNUGI1ZnJyd0Nzbm5xOUk4eU0KLS0tIDhRRnVzRnk2OXRNSlBPQS9CZUhz\nUE5MMzdVNFpoTmtXQVZzdkVUUzRhbVkKRrDRkSqwbslLhNgHU4qyInL+LZvIc5RA\n0PC61EK7qIhgueZfxW8AMp5Zxs7id9jdfkKJw43cbxqGQbhdCUNSGQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBd09oRFlxVDdXT1V0N0sv\naEhxUlFFcVF6VXh6d2hEWUtQRGN4VnpCSWlvCiswbHdQMFkxNmZJbUFyNm51YXVt\nVndKSTErdXUvV0kxcGtrWm43VUo3WWMKLS0tIEcwOWFpeC9ROFMreGV5ckUwSm9R\naUpRTnBNcjRYaFhJRnpkQ3RKMUhOWjAKUTEsTX2H0pAii7O9Ftcy8uVazM12wiEN\nhB4Lt4uAeYOYr3wZ85IevVkamdPQC8N/Q8F+MtUHOklx4jWFti4jbw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVnZGd2o5VDZaMFpQZUZn\nKzdhR3A5ZkxjM3M5SE5DSjFDMXRrOG91Z2lNCmFqYUJTZHlCUzcyVkFlTy9HUXo4\nM1JrL1BLRENpRFNCeEdCeVBzaXlQS3MKLS0tIEp4blVxcFludEZRSUNSRFhjZE9I\neDFpQ3NubzZTZVVJbTNHY0ptVVcrQmcKDBmc98NY0UczeMlJm8nrTVbUmcsWjcwn\nK+oSVmPXJzaGylVsjfgaxopfshnQnGoJ3Uh6LLCA7NYZFsrwmqKFqA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRitVYTIrY1k1S0ZUT0c0\neTJzRHBnNnFGMHN0QjhRU3UzU2NnZGVaZVRjCmphT3l0T2JrVmVDSXB6T0YvaE1D\nTmVLREJ4RmxlK1hwNG03ZWh6amVWSWsKLS0tIDMrekdmZCt0c0Ewbzk5MzdMckJx\nSG9vWFh5NDluKzlQTnh3cjlUOW5RYXMKfOUdWQoAyFMFltYIt2lwjyUQLsr7BEyV\ny35DGau+yZiZPhxmGXPU09y+zmlyjXj3njIgsUkDTOnTJVvPmm4iJw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZE4vdWdIZnZ1OGVhK3Zo\nQ29jcThwSnkrZzhoWU9kR1l1Uzc1MC9CMGg0Ci9PQ21ndVpQNGwyRDVuZFpWcnRx\neDVTMWZCV0FOWjh3K1l0MC9sdkxkKzAKLS0tIHRoOE53NWdnQXNBWEFDTFp4U0pP\nU1djU3NoMUVhM3cvT05kbVVPSHNHNTAKZ5MR2SGFvr0lU2FvxsqveX3PPk8B3aXJ\nQgNIg8chqVpycYTU4tLMBUUHFinX1e5WueBWOnd8OrBowMmb1UZtbQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuL2lOMmt4OVNkTEwwbmtI\nY3ZOb3A1andqNTRKcytoVjQ4OEY5M1lJL0NnCkR5RC9DYVM2c0hSaGpEbHVZWjNQ\nZ2hjaHk3WmhZSXhjNzE0VVJheVNTS2sKLS0tIGU2V1FqTjZ5YUFqL0pSd3U4bHNy\nUW9tRFc5Ym9wam4yNDFLdDN6V0w3ZnMKc5RCncbzmEKdAjaYFDq5UALIYkkszrwu\nBKlaUqpJf78muazrIcDZkaFtlZGWRjwE3d78e97ZJLYigi81Q8xRRw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-26T01:02:52Z",
 		"mac": "ENC[AES256_GCM,data:Rq50r2L4ABsmblGfeWI/9/nN6wvsX1Nz+GaAN3ph/8ScrzMhy/l8sMZhthaNGn1ENC+UMhuakgwwgwKic0Ut8Y+cS5ZazUWH5M9pqINEtdFYT+wZrw9dGaeEISdROxa+/oknAXeaRb8LNQKpOTja7/Lj0NidnrpOoqzv22ZVWGE=,iv:9tR8K89thHaJd5LFEmBtCAb8FjSYwbsETJjeNSAbUnM=,tag:tLBDl4+LGQY0MvDgTv88vQ==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/sublime_music_config.json.bin
+++ b/secrets/universal/sublime_music_config.json.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:ZoBVQMh7lhApeM3jmGARDienH0WjooHQ0EDuYTKWcZMHcQK8EFu80rvN4sRofAeAA5hx95nuTn3PtdlTFOlJJFOqJFOq4hhQVnDjLwJUMPE5tltDiZzsDJwUr3REvOffwrtFjw/OBjGDdKFUHmPKLWZh9tT6Fl6fxm58HL7cYirqAaHEhtt51KjR32afr5RtW5oPAdd4xtDHlI9GSKv82rlHnckiYBQ/rpKb8Vz+rVdGXkZtFzahgL612hyeRj6nd7FfSsb5SWUdSIcDqlHn1EWV5gqvz6OS8mmuRI8q40EUAlE+R2576BbqW13dIbV68BB84wxWZtZ7flkAo3VfaJFBeZ8WLr27bfL+RzEeuJsBn2ajmMHfsYcJmOA6+N7NQre6SFxV1ZKGWJybfpkVuVKfHCQM1g8uqCat92ObEbwPNan5JtUshtmvilxAuQI1sxsGi6BJjNcSZ+0pLSFqajYSqo/3dgkLesk2kVu81l2ytoRQXwERU0zm8b4dtfAvWLbEcJYntjC+a9MnOtdfRW7yTgbsbdG0vy3CmQpLNrTkV7Mdq+k3zUz/kAZ8yJ11tGFNjWmNCZ97CLZPWwkZBKuuhwmitYBACqBkYzZovtGW+VkhjgBdi4M58jDo8ry4c6n5aJXJ5y17t9XyZcvl2PNNNDwse4Oz0QEq+b2DTimVsczHB6q91Ht/gkcsELrAYVUaGcG8e9pk3/o7GYfBdATNmcEZpx00U3HNF205HdN2ieCGqFIxRNI1iNAKlUWxUTRTCrbYYwdsa+NHuyFbCGtWBhWoqpUA6Th3u8Fk2g1G3gyk2OYTauseZvb1p4rioSHCwiYMYrTIrHGwY5x/xQ4w4ma/WLLABsnNA/ECj57cKq2Ecjt1FhkymCPs5qIFOEg1kcrVV7DWapWOZ+QKQVoZKz1N0uVkIHZCGe+hBykp1Wr7nXNvdnuFvbD3NTHDuUQoYcuriHP8UVu6aCcchYqt+/Gg47QIKzqBJ98iKQ56XNxxCuH097U/nilyvC6Epgo5JEkdnyUTODT3htVyFjl6GxwTgIFsxIh7ORAdx6Z2Y+DQ+y90HGpV/qx2EXnCIA7XEXZpEgXiUyCZh+Ve6gzRgaZ4x7cN+IJYWh33vb4LlUpe8oJsSJ3fwMWJQ1o4aB5n96f7ZGY94ycsnWkfFVlUPmv2iwGQUPUEcPI8etzlFQScXJLWHjLDqIlhyakiVweQdJYtWT7S+CFilp1wod+ySXXxlPw6FVJsGPebPTUk8W/VuQ9ZwABHeyD99KOqpHBNisG+1z5+efHOY8225vWpIxmSMtLN2ja49d1QhE2m9tLlMtLOTvd/SYKuySXj0AW9eMrJ7HBFtUQzMn/zz2jnvBv6WGbKWtp/f0vZ/8+zJJzchTcOV6rcSACcwUCfBb/Wgboxxj0E3Qc6KybhiRWSGPeQPJBk4njLSe1mF441qBRVH1QNqO9K2f+4bPj+eBawopp07lqxUEx4nPqtPNgB8HlHG6e4bNC5xJ5+y05YNBes29jMr8PtKHCzbkbVKUkPDqw92mM85b7DdoUHmJo0erDbEgZ+4QztCIH1t2ngcqEIERScdPAYZRkoXhQbcAZuf+Qrrhvm6UaUy2QilP68dVOQezPOFPnikeXPeLX0G8vObtC28bKqlaK9j/eu7Me6JbR45qOu3oFofvDy2NHqMiu2RSqCPUYbBWb0ppB5WgA=,iv:hyiFjL6HhFgw2gFbUlZo5GuMCmIg0PTfMa//c0lxxII=,tag:HBvxO8dl+hRrr4/wm+XKyA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYmxWMDZoQXR4ZjN2aDV0\nN1pZaXpJTGJyOTdnY0ZjN2tPclJrTnlGRFY4CmNZazlOVDNYY0pSWm1LcFdXcUhk\nZjgzSndHdFFBNXlhZTRhRlhiLzZwc2sKLS0tIEN0SWRJMUJyWnRPZnhvZVkvUDN1\nMXBVWUVFMExaVFdEUFZxa0RvZjRQdlEKqpUPDwN9fqB66LZuDd51ANl6o+OXoIe1\nSYb8n/hOUC1QOTLb1i1k+Myzbdu+SVs2Wn25sBi4z66nhnOBcCF39Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWDZSZi9paGxVbnpML2xq\nSDRaS1ZMQVhSYkJNbGJlK2dGNkozRlNCOXdNClBidFN6WlYyaktmWHNMemJFY1I5\nSW5adU13aDNpa2lyVkNFR2hzV1RnV1EKLS0tIHYzdVdGWHY1MW5mbXUxbzh3OFZL\nV1FUbzlDb3ZRMWNXQkZzdW53TDdrVEUKVzyl9Rsado15s4Qe8rPQ0lXKP0ENS5C8\nBHu260eP+AhH+iR76Lfs41cvEV4VfnLUUi8u+9wtd8QvJBPfpUS0fA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Q0l3RDlvdGVkVjVBU2FB\nUDc5cXo0WlJpZHZ6SDdrQWMzaVR0Wm5wVzBjClVSNWV0UGFvWTBPMzFUU3ZpbDBr\nTFdPOVhtMnUyZTJvYi84dURhVllFTjgKLS0tIDZnNlZGbWY1QUdqL1ZUaDJpTzA4\nb05FMExLT3Y0M2xNeGh3Qng1bjFLOXcKdimvuj6pfppDHmPVZFxDsn/J2uBifgRk\nk7KxjgM/xyjnMa+rnFBWymONwJhuoXmKROrwcS7XGlx7IyrXERG0vg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbFJ4VkhQSXNZenpDbHVI\nVk9ZblNhTnZIMXNidTVYT0pMTnJqV093YlZzCk1JcXJJeVZTUHdrZlZaQ1MzamtJ\nWGVJS1lIZlMxVFlHMHhhNzRIcERWZHMKLS0tIFJRR2NLOFZUTTVtdE9VSFRSMmpl\nZ1JZWDFKSEtpTVBXMXRqd1ZPakVXVUUKd3EwiIlwtHTNvjqtZdP3h6k0h61l5hlO\n+/631VWCccAxWwDHNRVVJZFmZUuPCEhrJEduZVdr5woxtLB852ZiEg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByc0IvUE1DSWIzM21XU3JW\nVHpHYTJyM3diUWErOEY4YWE3a3RhMVUwcjNvCmpFdU1vNnpHZ3R1Z0hkQVpRSC9N\nRXVRYTJKQmE5aHF6TEdBOURMRkYzYjgKLS0tIHhoNmk5Q2NJNkN3bDYxWmFvWi82\neVErNDZuWDRwYVJzYUFROElDYzRXUHcKiYg+LkqEtzqLvMtGjCkNbcbqy0F3anKR\nhF81aQfbEoQhARy5sPG9L8xccbp1E0GHnmNSUt21VVVz3gk8tui21A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeFpHMmJDYUpTMmpzYUlV\nMVRxd3JJRGE3ajdHMFB1UFI1a1BlaGd0bnlzClpNL29HNm1XYVhvNHV6N05NMEQx\nenZuM2pMS2krN2hLNTV4bEtiM1VHQUEKLS0tIGgxcHNPT2hoaGFRa1lpU0tBbmRm\nTDJyellYNm5objR4TnVLSEFjQ1EwTTQKsByLYLgw1g7ILxai9eKGkMKiV/gdsZXT\nzLwTAfOTMOzbSyOHnAr+CJMhc6V+sFUYf0XLE5y1DceGKEL2JzqdpQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUzJmRWxlTTBqT3NZcFhZ\nNmhETmNaMWJPdkVGMWhqWFZjK2EvZlRqbFM4CnRabVJ4QTdRSzVRc0RiQ3ZzSkFr\nUzdDL3NNMkZtTEtabFhHRjZLTlo1NHcKLS0tIGxDaEtTcEwxMnBPdFVuRzUzTGth\nMWk3emZYNkt2ck80THloQkpsbG02UlkKBIG/UVQPa68k5S0PduqWa6mc2WNQOFtQ\nj9sSBcK0lWMwIuW+rs7aZJ1ZZ6i6F0KwTaRXSJTUZAFgF0jlWN0oPw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqczE0RnlXb2NnUVJEQVZD\nQmw3ZU5kYnd4Q29yTU91dzJaOVlTTTFFNmswCi9aYlM1ZjFXa1VmUXNOZjczeC9U\nRWFjR2Fzd1NlL1NEeHNob3NRTVNNeGsKLS0tIG5qcFJxTWpEQ0JVVFc5MW9IZCtq\nZHQrRkdvWWpWVWRLZ2tlS1NCVDRYL1kKx2ZuKMdvtQkN/x7TLg+deDxPFqXjPYNc\nUVrryXoei8/4LCJXIvouugnUe0Fz7SQekiymgd7aP35lgXn1yVSCsg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-08-10T06:12:46Z",
 		"mac": "ENC[AES256_GCM,data:OYtBbqUPCvFfraXhOLNOAHPMJQhRN+9PZQrpl84fB5lLuhTRtwcnjKwEytia8JkwZTJy79UzvhK0ePHFMx+ompSIOFCvEN8+Bra4BEKtyYU1JebxDor2k9eQJR4Y2pY6GQe/sCnNbeXVtgPj2Dvac/Id3XmOaNC6ZT7J7Rlp9so=,iv:7RiXcuYeafNL3MQjD6mFJSoqF8KNhu0M6bZBOYJqS20=,tag:he0Y4SavRVKdi4XxI3XvJA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }