servo: add munin for monitoring/metrics

env: add gdb to enableDevPkgs
this is especially useful for `coredumpctl`. maybe useful enough that it should be in `environment.systemPackages`...
2022-10-21 02:15:07 -07:00 · 2022-10-20 23:55:50 -07:00 · 2022-10-20 23:55:24 -07:00 · 2022-10-20 23:41:52 -07:00 · 2022-10-20 23:20:19 -07:00 · 2022-10-20 21:16:38 -07:00
68 changed files with 1999 additions and 755 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -19,7 +19,7 @@ creation_rules:
      - *host_lappy
      - *host_servo
      - *host_moby
-  - path_regex: secrets/servo.yaml$
+  - path_regex: secrets/servo*
    key_groups:
    - age:
      - *user_desko_colin
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,20 @@
 {
  "nodes": {
    "flake-utils": {
      "locked": {
        "lastModified": 1659877975,
        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -7,11 +22,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1656169755,
+        "lastModified": 1665475263,
-        "narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
+        "narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
+        "rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3",
        "type": "github"
      },
      "original": {
@@ -39,11 +54,11 @@
    "mobile-nixos": {
      "flake": false,
      "locked": {
-        "lastModified": 1661716773,
+        "lastModified": 1665711470,
-        "narHash": "sha256-uxf0aC+kx8av3/IT8/UecxSMElC9i4UQvH25RHFwna4=",
+        "narHash": "sha256-9cjKbTkxyWjswVExtIpglpvlR+iDY9/DWmXpZyzk5cY=",
        "owner": "nixos",
        "repo": "mobile-nixos",
-        "rev": "09e388c42298fa777caa7738cd8d8d2b6d1ac8db",
+        "rev": "e4b6f680b2a4f29f087a7c1299c11499d1a367b6",
        "type": "github"
      },
      "original": {
@@ -54,11 +69,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1663494472,
+        "lastModified": 1665732960,
-        "narHash": "sha256-fSowlaoXXWcAM8m9wA6u+eTJJtvruYHMA+Lb/tFi/qM=",
+        "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "f677051b8dc0b5e2a9348941c99eea8c4b0ff28f",
+        "rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
        "type": "github"
      },
      "original": {
@@ -69,11 +84,11 @@
    },
    "nixpkgs-22_05": {
      "locked": {
-        "lastModified": 1663433994,
+        "lastModified": 1665279158,
-        "narHash": "sha256-Bpthhv1PdZRrIFct8KbHACNvOu9bsYAMEaqoH83cvqM=",
+        "narHash": "sha256-TpbWNzoJ5RaZ302dzvjY2o//WxtOJuYT3CnDj5N69Hs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "17989edb05615c4f61803b9c427d80b84c289c6b",
+        "rev": "b3783bcfb8ec54e0de26feccfc6cc36b8e202ed5",
        "type": "github"
      },
      "original": {
@@ -83,20 +98,19 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1663419078,
+        "lastModified": 1665613119,
-        "narHash": "sha256-cxEeMnaTGMTeDAvXnZmqcF50qoyJOsQENhYxSnW9ZMs=",
+        "narHash": "sha256-VTutbv5YKeBGWou6ladtgfx11h6et+Wlkdyh4jPJ3p0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0cfb3c002b61807ca0bab3efe514476bdf2e5478",
+        "rev": "e06bd4b64bbfda91d74f13cb5eca89485d47528f",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "id": "nixpkgs",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-22.05",
-        "repo": "nixpkgs",
+        "type": "indirect"
        "type": "github"
      }
    },
    "root": {
@@ -105,20 +119,24 @@
        "impermanence": "impermanence",
        "mobile-nixos": "mobile-nixos",
        "nixpkgs": "nixpkgs",
-        "sops-nix": "sops-nix"
+        "nixpkgs-stable": "nixpkgs-stable",
        "sops-nix": "sops-nix",
        "uninsane": "uninsane"
      }
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-22_05": "nixpkgs-22_05"
      },
      "locked": {
-        "lastModified": 1663475375,
+        "lastModified": 1665289655,
-        "narHash": "sha256-uIhMyLFkU8Tp0uxLd7tKn++G/yHsB9r7YRvsBdoGvsk=",
+        "narHash": "sha256-j1Q9mNBhbzeJykhObiXwEGres9qvP4vH7gxdJ+ihkLI=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "bae718a9d1e31ec478ddfcb75149f66e9625a825",
+        "rev": "0ce0449e6404c4ff9d1b7bd657794ae5ca54deb3",
        "type": "github"
      },
      "original": {
@@ -126,6 +144,27 @@
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "uninsane": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1665758541,
        "narHash": "sha256-ibR8bPwHlDjavri5cNVnoo5FmFk1IfNMmQXxat5biqs=",
        "ref": "refs/heads/master",
        "rev": "4ad1801f6cecd678bbeae5dfe5933448dd7b3360",
        "revCount": 163,
        "type": "git",
        "url": "https://git.uninsane.org/colin/uninsane"
      },
      "original": {
        "type": "git",
        "url": "https://git.uninsane.org/colin/uninsane"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,7 @@
 {
  inputs = {
-    # nixpkgs.url = "nixpkgs/nixos-22.05";
+    nixpkgs-stable.url = "nixpkgs/nixos-22.05";
    nixpkgs.url = "nixpkgs/nixos-unstable";
    mobile-nixos = {
      url = "github:nixos/mobile-nixos";
@@ -14,11 +14,18 @@
      url = "github:nix-community/home-manager/release-22.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    impermanence.url = "github:nix-community/impermanence";
    uninsane = {
      url = "git+https://git.uninsane.org/colin/uninsane";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
-  outputs = { self, nixpkgs, mobile-nixos, home-manager, sops-nix, impermanence }:
+  outputs = { self, nixpkgs, nixpkgs-stable, mobile-nixos, home-manager, sops-nix, impermanence, uninsane }:
  let
    patchedPkgs = system: nixpkgs.legacyPackages.${system}.applyPatches {
      name = "nixpkgs-patched-uninsane";
@@ -48,12 +55,17 @@
          nixpkgs.config.allowUnfree = true;
          nixpkgs.overlays = [
            (import "${mobile-nixos}/overlay/overlay.nix")
            uninsane.overlay
            (import ./pkgs/overlay.nix)
-            (next: prev: {
+            (next: prev: rec {
              # non-emulated packages build *from* local *for* target.
              # for large packages like the linux kernel which are expensive to build under emulation,
              # the config can explicitly pull such packages from `pkgs.cross` to do more efficient cross-compilation.
              cross = (nixpkgsFor local target) // (customPackagesFor local target);
              stable = import nixpkgs-stable { system = target; };
              # pinned packages:
              electrum = stable.electrum;  # 2022-10-10: build break
              sequoia = stable.sequoia;    # 2022-10-13: build break
            })
          ];
        }
@@ -90,8 +102,21 @@
  in {
    nixosConfigurations = builtins.mapAttrs (name: value: value.nixosConfiguration) machines;
    imgs = builtins.mapAttrs (name: value: value.img) machines;
-    packages.x86_64-linux = customPackagesFor "x86_64-linux" "x86_64-linux";
+    packages = let
-    packages.aarch64-linux = customPackagesFor "aarch64-linux" "aarch64-linux";
+      custom-x86_64 = customPackagesFor "x86_64-linux" "x86_64-linux";
      custom-aarch64 = customPackagesFor "aarch64-linux" "aarch64-linux";
      nixpkgs-x86_64 = nixpkgsFor "x86_64-linux" "x86_64-linux";
      nixpkgs-aarch64 = nixpkgsFor "aarch64-linux" "aarch64-linux";
    in {
      x86_64-linux = custom-x86_64 // {
        nixpkgs = nixpkgs-x86_64;
        uninsane = uninsane.packages.x86_64-linux;
      };
      aarch64-linux = custom-aarch64 // {
        nixpkgs = nixpkgs-aarch64;
        uninsane = uninsane.packages.aarch64-linux;
      };
    };
  };
 }
--- a/machines/lappy/default.nix
+++ b/machines/lappy/default.nix
@@ -11,6 +11,8 @@
  boot.loader.efi.canTouchEfiVariables = false;
  sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
  users.users.colin.initialPassword = "147147";
  # default config: https://man.archlinux.org/man/snapper-configs.5
  # defaults to something like:
  #   - hourly snapshots
--- a/machines/moby/default.nix
+++ b/machines/moby/default.nix
@@ -1,13 +1,18 @@
 { config, pkgs, lib, mobile-nixos, ... }:
 {
  imports = [
    # (import "${mobile-nixos}/lib/configuration.nix" {
    #   device = "pine64-pinephone";
    # })
    ./firmware.nix
    ./fs.nix
    ./kernel.nix
  ];
  # cross-compiled documentation is *slow*.
  # no obvious way to natively compile docs (2022/09/29).
  # entrypoint is nixos/modules/misc/documentation.nix
  # doc building happens in nixos/doc/manual/default.nix
  # TODO: we could *maybe* inject pkgs.buildPackages.xyz = cross.buildPackages.xyz?
  documentation.nixos.enable = false;
  # XXX colin: phosh doesn't work well with passwordless login
  users.users.colin.initialPassword = "147147";
  services.getty.autologinUser = "root";  # allows for emergency maintenance?
@@ -17,26 +22,6 @@
    ".librewolf"
  ];
  # sane.home-manager.extraPackages = [
  #   # for web browsers see: https://forum.pine64.org/showthread.php?tid=13669
  #   pkgs.angelfish  # plasma mobile web browser; broken on phosh (poor wayland support)
  #   # pkgs.plasma5Packages.index  # file browser
  #   pkgs.plasma5Packages.konsole  # terminal
  #   # pkgs.plasma5Packages.pix  # picture viewer
  #   pkgs.plasma5Packages.kalk  # calculator; broken on phosh
  #   # pkgs.plasma5Packages.buho  # (plasma mobile?) note application
  #   pkgs.plasma5Packages.kasts  #  podcast app; works on phosh after setting QT envar
  #   pkgs.plasma5Packages.koko  # image gallery; broken on phosh
  #   pkgs.plasma5Packages.kwave  # media player.
  #   # pkgs.plasma5Packages.neochat  #  matrix client. needs qcoro => no aarch64 support
  #   # pkgs.plasma5Packages.plasma-dialer  # phone dialer
  #   # pkgs.plasma5Packages.plasma-mobile  # the whole shebang?
  #   # pkgs.plasma5Packages.plasma-settings
  #   pkgs.plasma5Packages.bomber  # arcade game; broken on phosh
  #   pkgs.plasma5Packages.kapman  # pacman
  #   pkgs.st  # suckless terminal; broken on phosh
  #   # pkgs.alacritty  # terminal; crashes phosh
  # ];
  # sane.home-packages.enableGuiPkgs = false;  # XXX faster builds/imaging for debugging
  sane.home-manager.extraPackages = [
    pkgs.plasma5Packages.konsole  # terminal
@@ -47,10 +32,21 @@
  sane.gui.phosh.enable = true;
  boot.loader.efi.canTouchEfiVariables = false;
  # /boot space is at a premium. default was 20.
  boot.loader.generic-extlinux-compatible.configurationLimit = 10;
  # mobile.bootloader.enable = false;
  # mobile.boot.stage-1.enable = false;
  # boot.initrd.systemd.enable = false;
  # boot.initrd.services.swraid.enable = false;  # attempt to fix dm_mod stuff
  # disable proximity sensor.
  # the filtering/calibration is bad that it causes the screen to go fully dark at times.
  boot.blacklistedKernelModules = [ "stk3310" ];
  # without this some GUI apps fail: `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory`
  # this is because they can't allocate enough video ram.
  # the default CMA seems to be 32M. we could probably get by with as little as 64M, and safely with 128M.
  # `cat /proc/meminfo` to see CmaTotal/CmaFree if interested in tuning this.
  boot.kernelParams = [ "cma=256M" ];
  # mobile-nixos' /lib/firmware includes:
  #   rtl_bt          (bluetooth)
@@ -70,5 +66,14 @@
  # enable rotation sensor
  hardware.sensor.iio.enable = true;
-  users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
+  # from https://gitlab.manjaro.org/manjaro-arm/packages/community/phosh/alsa-ucm-pinephone
  # mobile-nixos does this same thing, with *slightly different settings*.
  # i trust manjaro more because the guy maintaining that is actively trying to upstream into alsa-ucm-conf.
  # an alternative may be to build a custom alsa with the PinePhone config patch applied:
  # - <https://github.com/alsa-project/alsa-ucm-conf/pull/134>
  # that would make this be not device-specific
  environment.variables.ALSA_CONFIG_UCM2 = "${./ucm2}";
  systemd.services.pulseaudio.environment.ALSA_CONFIG_UCM2 = "${./ucm2}";
  hardware.opengl.driSupport = true;
 }
--- a/machines/moby/firmware.nix
+++ b/machines/moby/firmware.nix
@@ -4,7 +4,7 @@
  # only actually need 1 MB, but better to over-allocate than under-allocate
  sane.image.extraGPTPadding = 16 * 1024 * 1024;
  sane.image.firstPartGap = 0;
-  system.build.img = pkgs.runCommandNoCC "nixos_full-disk-image.img" {} ''
+  system.build.img = pkgs.runCommand "nixos_full-disk-image.img" {} ''
    cp -v ${config.system.build.img-without-firmware}/nixos.img $out
    chmod +w $out
    dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
--- a/machines/moby/kernel.nix
+++ b/machines/moby/kernel.nix
@@ -114,7 +114,7 @@ in
  # - phone rotation sensor is off by 90 degrees
  # - ambient light sensor causes screen brightness to be shakey
  # - phosh greeter may not appear after wake from sleep
-  boot.kernelPackages = pkgs.linuxPackagesFor pkgs.cross.linux-megous;
+  boot.kernelPackages = pkgs.cross.linuxPackagesFor pkgs.cross.linux-megous;
  boot.kernelPatches = [
    (patchDefconfig (kernelConfig //
--- a/machines/moby/ucm2/PinePhone/HiFi.conf
+++ b/machines/moby/ucm2/PinePhone/HiFi.conf
@@ -0,0 +1,148 @@
 SectionVerb {
 	EnableSequence [
 		cset "name='Headphone Playback Switch' off"
 		cset "name='Headphone Source Playback Route' DAC"
 		cset "name='Line In Playback Switch' off"
 		cset "name='Line Out Playback Switch' off"
 		cset "name='Line Out Source Playback Route' Mono Differential"
 		cset "name='Mic1 Playback Switch' off"
 		cset "name='Mic2 Playback Switch' off"
 		cset "name='AIF1 DA0 Playback Volume' 160"
 		cset "name='AIF3 ADC Source Capture Route' None"
 		cset "name='AIF2 DAC Source Playback Route' AIF2"
 		cset "name='DAC Playback Switch' on"
 		cset "name='DAC Playback Volume' 160"
 		cset "name='ADC Digital DAC Playback Switch' off"
 		cset "name='AIF1 Slot 0 Digital DAC Playback Switch' on"
 		cset "name='AIF2 Digital DAC Playback Switch' off"
 		cset "name='DAC Reversed Playback Switch' off"
 		cset "name='Earpiece Playback Switch' off"
 		cset "name='Earpiece Source Playback Route' DACL"
 		cset "name='Line In Capture Switch' off"
 		cset "name='Mic1 Capture Switch' off"
 		cset "name='Mic1 Boost Volume' 7"
 		cset "name='Mic2 Capture Switch' off"
 		cset "name='Mic2 Boost Volume' 7"
 		cset "name='Mixer Capture Switch' off"
 		cset "name='Mixer Reversed Capture Switch' off"
 		cset "name='ADC Capture Volume' 160"
 		cset "name='ADC Gain Capture Volume' 7"
 		cset "name='AIF1 AD0 Capture Volume' 160"
 		cset "name='AIF1 Data Digital ADC Capture Switch' on"
 		cset "name='AIF2 ADC Mixer ADC Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF2 DAC Rev Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 	]
        DisableSequence [
        ]
 	Value {
 	}
 }
 SectionDevice."Speaker" {
 	Comment "Internal speaker"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
 		cset "name='Line Out Playback Switch' on"
 		cset "name='Line Out Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Line Out Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Line Out Playback Volume"
 		PlaybackSwitch "Line Out Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 300
 		PlaybackPCM "hw:${CardId},0"
 	}
 }
 SectionDevice."Earpiece" {
 	Comment "Internal Earpiece"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
 		cset "name='Earpiece Playback Switch' on"
 		cset "name='Earpiece Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Earpiece Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Earpiece Playback Volume"
 		PlaybackSwitch "Earpiece Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 200
 		PlaybackPCM "hw:${CardId},0"
 	}
 }
 SectionDevice."Mic" {
 	Comment "Internal Microphone"
 	ConflictingDevice [
 		"Headset"
 	]
 	EnableSequence [
 		cset "name='Mic1 Capture Switch' on"
 	]
 	DisableSequence [
 		cset "name='Mic1 Capture Switch' off"
 	]
 	Value {
 		CapturePriority 100
 		CapturePCM "hw:${CardId},0"
 		CaptureChannels 2
 		CaptureMixerElem "ADC"
 		CaptureVolume "ADC Capture Volume"
 		CaptureSwitch "Mic1 Capture Switch"
 	}
 }
 SectionDevice."Headset" {
 	Comment "Headset Microphone"
 	ConflictingDevice [
 		"Mic"
 	]
 	EnableSequence [
 		cset "name='Mic2 Capture Switch' on"
 	]
 	DisableSequence [
 		cset "name='Mic2 Capture Switch' off"
 	]
 	Value {
 		CapturePriority 500
 		CapturePCM "hw:${CardId},0"
 		CaptureChannels 2
 		CaptureMixerElem "ADC"
 		CaptureVolume "ADC Capture Volume"
 		CaptureSwitch "Mic2 Capture Switch"
 		JackControl "Headset Microphone Jack"
 	}
 }
 SectionDevice."Headphones" {
 	Comment "Headphones"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Stereo"
 		cset "name='Headphone Playback Switch' on"
 		cset "name='Headphone Playback Volume' 70%"
 	]
 	DisableSequence [
 		cset "name='Headphone Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Headphone Playback Volume"
 		PlaybackSwitch "Headphone Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 500
 		PlaybackPCM "hw:${CardId},0"
 		JackControl "Headphone Jack"
 	}
 }
--- a/machines/moby/ucm2/PinePhone/PinePhone.conf
+++ b/machines/moby/ucm2/PinePhone/PinePhone.conf
@@ -0,0 +1,11 @@
 Syntax 2
 SectionUseCase."HiFi" {
 	File "HiFi.conf"
 	Comment "Default"
 }
 SectionUseCase."Voice Call" {
 	File "VoiceCall.conf"
 	Comment "Phone call"
 }
--- a/machines/moby/ucm2/PinePhone/VoiceCall.conf
+++ b/machines/moby/ucm2/PinePhone/VoiceCall.conf
@@ -0,0 +1,153 @@
 SectionVerb {
 	EnableSequence [
 		cset "name='Headphone Playback Switch' off"
 		cset "name='Headphone Source Playback Route' DAC"
 		cset "name='Line In Playback Switch' off"
 		cset "name='Line Out Playback Switch' off"
 		cset "name='Line Out Source Playback Route' Mono Differential"
 		cset "name='Mic1 Playback Switch' off"
 		cset "name='Mic2 Playback Switch' off"
 		cset "name='AIF1 DA0 Playback Volume' 160"
 		cset "name='AIF2 DAC Playback Volume' 160"
 		cset "name='AIF3 ADC Source Capture Route' None"
 		cset "name='AIF2 DAC Source Playback Route' AIF2"
 		cset "name='DAC Playback Switch' on"
 		cset "name='DAC Playback Volume' 160"
 		cset "name='ADC Digital DAC Playback Switch' off"
 		cset "name='AIF1 Slot 0 Digital DAC Playback Switch' on"
 		cset "name='AIF2 Digital DAC Playback Switch' on"
 		cset "name='DAC Reversed Playback Switch' off"
 		cset "name='Earpiece Playback Switch' off"
 		cset "name='Earpiece Source Playback Route' DACL"
 		cset "name='Line In Capture Switch' off"
 		cset "name='Mic1 Capture Switch' off"
 		cset "name='Mic1 Boost Volume' 0"
 		cset "name='Mic1 Playback Volume' 7"
 		cset "name='Mic2 Capture Switch' off"
 		cset "name='Mic2 Boost Volume' 0"
 		cset "name='Mic2 Playback Volume' 7"
 		cset "name='Mixer Capture Switch' off"
 		cset "name='Mixer Reversed Capture Switch' off"
 		cset "name='ADC Capture Volume' 160"
 		cset "name='ADC Gain Capture Volume' 7"
 		cset "name='AIF1 AD0 Capture Volume' 160"
 		cset "name='AIF1 Data Digital ADC Capture Switch' on"
 		cset "name='AIF2 ADC Capture Volume' 160"
 		cset "name='AIF2 ADC Mixer ADC Capture Switch' on"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF2 DAC Rev Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 		cset "name='AIF2 ADC Mixer AIF1 DA0 Capture Switch' off"
 	]
        DisableSequence [
        ]
 	Value {
 		PlaybackRate 8000
 	}
 }
 SectionDevice."Speaker" {
 	Comment "Internal speaker"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
 		cset "name='Line Out Playback Switch' on"
 		cset "name='Line Out Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Line Out Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Line Out Playback Volume"
 		PlaybackSwitch "Line Out Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 300
 		PlaybackPCM "hw:${CardId},0"
 	}
 }
 SectionDevice."Earpiece" {
 	Comment "Internal Earpiece"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Mix Mono"
 		cset "name='Earpiece Playback Switch' on"
 		cset "name='Earpiece Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Earpiece Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Earpiece Playback Volume"
 		PlaybackSwitch "Earpiece Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 500
 		PlaybackPCM "hw:${CardId},0"
 	}
 }
 SectionDevice."Mic" {
 	Comment "Internal Microphone"
 	ConflictingDevice [
 		"Headset"
 	]
 	EnableSequence [
 		cset "name='Mic1 Capture Switch' on"
 	]
 	DisableSequence [
 		cset "name='Mic1 Capture Switch' off"
 	]
 	Value {
 		CapturePriority 200
 		CapturePCM "hw:${CardId},0"
 		CaptureMixerElem "ADC"
 		CaptureVolume "ADC Capture Volume"
 		CaptureSwitch "Mic1 Capture Switch"
 		CaptureChannels 2
 	}
 }
 SectionDevice."Headset" {
 	Comment "Headset Microphone"
 	ConflictingDevice [
 		"Mic"
 	]
 	EnableSequence [
 		cset "name='Mic2 Capture Switch' on"
 	]
 	DisableSequence [
 		cset "name='Mic2 Capture Switch' off"
 	]
 	Value {
 		CapturePriority 500
 		CapturePCM "hw:${CardId},0"
 		CaptureChannels 2
 		CaptureMixerElem "ADC"
 		CaptureVolume "ADC Capture Volume"
 		CaptureSwitch "Mic2 Capture Switch"
 		JackControl "Headset Microphone Jack"
 	}
 }
 SectionDevice."Headphones" {
 	Comment "Headphones"
 	EnableSequence [
 		cset "name='AIF1 DA0 Stereo Playback Route' Stereo"
 		cset "name='Headphone Playback Switch' on"
 		cset "name='Headphone Playback Volume' 100%"
 	]
 	DisableSequence [
 		cset "name='Headphone Playback Switch' off"
 	]
 	Value {
 		PlaybackVolume "Headphone Playback Volume"
 		PlaybackSwitch "Headphone Playback Switch"
 		PlaybackChannels 2
 		PlaybackPriority 500
 		PlaybackPCM "hw:${CardId},0"
 		JackControl "Headphone Jack"
 	}
 }
--- a/machines/moby/ucm2/ucm.conf
+++ b/machines/moby/ucm2/ucm.conf
@@ -0,0 +1,8 @@
 Syntax 3
 UseCasePath {
 	legacy {
 		Directory "PinePhone"
 		File "PinePhone.conf"
 	}
 }
--- a/machines/servo/default.nix
+++ b/machines/servo/default.nix
@@ -6,24 +6,14 @@
    ./hardware.nix
    ./net.nix
    ./users.nix
-    ./services/ddns-he.nix
+    ./services
    ./services/gitea.nix
    ./services/ipfs.nix
    ./services/jackett.nix
    ./services/jellyfin.nix
    ./services/matrix.nix
    ./services/navidrome.nix
    ./services/nginx.nix
    ./services/pleroma.nix
    ./services/postfix.nix
    ./services/postgres.nix
    ./services/transmission.nix
  ];
  sane.home-manager.enable = true;
  sane.home-manager.extraPackages = [
-    # for administering matrix
+    # for administering services
    pkgs.matrix-synapse
    pkgs.freshrss
  ];
  sane.impermanence.enable = true;
  sane.services.duplicity.enable = true;
--- a/machines/servo/services/default.nix
+++ b/machines/servo/services/default.nix
@@ -0,0 +1,19 @@
 { ... }:
 {
  imports = [
    ./ddns-he.nix
    ./freshrss.nix
    ./gitea.nix
    ./ipfs.nix
    ./jackett.nix
    ./jellyfin.nix
    ./matrix
    ./munin.nix
    ./navidrome.nix
    ./nginx.nix
    ./pleroma.nix
    ./postfix.nix
    ./postgres.nix
    ./transmission.nix
  ];
 }
--- a/machines/servo/services/freshrss.nix
+++ b/machines/servo/services/freshrss.nix
@@ -0,0 +1,48 @@
 # import feeds with e.g.
 # ```console
 # $ nix build '.#nixpkgs.freshrss'
 # $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/import-for-user.php --user admin --filename /home/colin/.config/newsflashFeeds.opml
 # ```
 #
 # export feeds with
 # ```console
 # $ sudo -u freshrss -g freshrss FRESHRSS_DATA_PATH=/var/lib/freshrss ./result/cli/export-opml-for-user.php --user admin
 # ```
 { config, lib, pkgs, ... }:
 {
  sops.secrets.freshrss_passwd = {
    sopsFile = ../../../secrets/servo.yaml;
    owner = config.users.users.freshrss.name;
    mode = "400";
  };
  sane.impermanence.service-dirs = [
    { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
  ];
  users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
  users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
  services.freshrss.enable = true;
  services.freshrss.baseUrl = "https://rss.uninsane.org";
  services.freshrss.virtualHost = "rss.uninsane.org";
  services.freshrss.passwordFile = config.sops.secrets.freshrss_passwd.path;
  systemd.services.freshrss-import-feeds =
  let
    fresh = config.systemd.services.freshrss-config;
    feeds = import ../../../modules/universal/env/feeds.nix { inherit lib; };
    opml = pkgs.writeText "sane-freshrss.opml" (feeds.feedsToOpml feeds.all);
  in {
    inherit (fresh) wantedBy environment;
    serviceConfig = {
      inherit (fresh.serviceConfig) Type User Group StateDirectory WorkingDirectory
        # hardening options
        CapabilityBoundingSet DeviceAllow LockPersonality NoNewPrivileges PrivateDevices PrivateTmp PrivateUsers ProcSubset ProtectClock ProtectControlGroups ProtectHome ProtectHostname ProtectKernelLogs ProtectKernelModules ProtectKernelTunables ProtectProc ProtectSystem RemoveIPC RestrictNamespaces RestrictRealtime RestrictSUIDSGID SystemCallArchitectures SystemCallFilter UMask;
    };
    description = "import sane RSS feed list";
    after = [ "freshrss-config.service" ];
    script = ''
      ${pkgs.freshrss}/cli/import-for-user.php --user admin --filename ${opml}
    '';
  };
 }
--- a/machines/servo/services/gitea.nix
+++ b/machines/servo/services/gitea.nix
@@ -13,7 +13,7 @@
  services.gitea.appName = "Perfectly Sane Git";
  services.gitea.domain = "git.uninsane.org";
  services.gitea.rootUrl = "https://git.uninsane.org/";
-  services.gitea.cookieSecure = true;
+  services.gitea.settings.session.COOKIE_SECURE = true;
  # services.gitea.disableRegistration = true;
  services.gitea.settings = {
@@ -60,7 +60,7 @@
    };
  };
  # options: "Trace", "Debug", "Info", "Warn", "Error", "Critical"
-  services.gitea.log.level = "Info";
+  services.gitea.settings.log.LEVEL = "Warn";
  systemd.services.gitea.serviceConfig = {
    # nix default is AF_UNIX AF_INET AF_INET6.
--- a/machines/servo/services/ipfs.nix
+++ b/machines/servo/services/ipfs.nix
@@ -12,15 +12,15 @@
    # TODO: mode? could be more granular
    { user = "261"; group = "261"; directory = "/var/lib/ipfs"; }
  ];
-  services.ipfs.enable = true;
+  # services.ipfs.enable = true;
-  services.ipfs.localDiscovery = true;
+  services.kubo.localDiscovery = true;
-  services.ipfs.swarmAddress = [
+  services.kubo.swarmAddress = [
    # "/dns4/ipfs.uninsane.org/tcp/4001"
    # "/ip4/0.0.0.0/tcp/4001"
    "/dns4/ipfs.uninsane.org/udp/4001/quic"
    "/ip4/0.0.0.0/udp/4001/quic"
  ];
-  services.ipfs.extraConfig = {
+  services.kubo.extraConfig = {
    Addresses = {
      Announce = [
        # "/dns4/ipfs.uninsane.org/tcp/4001"
--- a/machines/servo/services/jellyfin.nix
+++ b/machines/servo/services/jellyfin.nix
@@ -5,7 +5,10 @@
    # TODO: mode? could be more granular
    { user = "jellyfin"; group = "jellyfin"; directory = "/var/lib/jellyfin"; }
  ];
-  users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
+
-  users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
+  # users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
-  services.jellyfin.enable = true;
+  # users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
  # TODO: re-enable after migrating media dir to /var/lib/uninsane/media
  # else it's too spammy
  # services.jellyfin.enable = true;
 }
--- a/machines/servo/services/matrix/default.nix
+++ b/machines/servo/services/matrix/default.nix
@@ -0,0 +1,85 @@
 # docs: https://nixos.wiki/wiki/Matrix
 # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
 { config, lib, ... }:
 {
  imports = [
    ./discord-puppet.nix
    # ./irc.nix
  ];
  sane.impermanence.service-dirs = [
    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/matrix-synapse"; }
  ];
  services.matrix-synapse.enable = true;
  services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
  services.matrix-synapse.settings.server_name = "uninsane.org";
  # services.matrix-synapse.enable_registration_captcha = true;
  # services.matrix-synapse.enable_registration_without_verification = true;
  services.matrix-synapse.settings.enable_registration = true;
  # services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
  # default for listeners is port = 8448, tls = true, x_forwarded = false.
  # we change this because the server is situated behind nginx.
  services.matrix-synapse.settings.listeners = [
    {
      port = 8008;
      bind_addresses = [ "127.0.0.1" ];
      type = "http";
      tls = false;
      x_forwarded = true;
      resources = [
        {
          names = [ "client" "federation" ];
          compress = false;
        }
      ];
    }
  ];
  services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
  services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
  services.matrix-synapse.extraConfigFiles = [
    config.sops.secrets.matrix_synapse_secrets.path
  ];
  # services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
  #   admin_contact: "admin.matrix@uninsane.org"
  #   registrations_require_3pid:
  #     - email
  #   email:
  #     smtp_host: "mx.uninsane.org"
  #     smtp_port: 587
  #     smtp_user: "matrix-synapse"
  #     smtp_pass: "${secrets.matrix-synapse.smtp_pass}"
  #     require_transport_security: true
  #     enable_tls: true
  #     notif_from: "%(app)s <notify.matrix@uninsane.org>"
  #     app_name: "Uninsane Matrix"
  #     enable_notifs: true
  #     validation_token_lifetime: 96h
  #     invite_client_location: "https://web.matrix.uninsane.org"
  #     subjects:
  #       email_validation: "[%(server_name)s] Validate your email"
  # ''];
  # new users may be registered on the CLI:
  #   register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
  #
  # or provide an registration token then can use to register through the client.
  #   docs: https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/admin_api/registration_tokens.md
  # first, grab your own user's access token (Help & About section in Element). then:
  #   curl --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens
  # create a token with unlimited uses:
  #   curl -d '{}' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
  # create a token with limited uses:
  #   curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
  sops.secrets.matrix_synapse_secrets = {
    sopsFile = ../../../../secrets/servo.yaml;
    owner = config.users.users.matrix-synapse.name;
  };
 }
--- a/machines/servo/services/matrix/discord-puppet.nix
+++ b/machines/servo/services/matrix/discord-puppet.nix
@@ -0,0 +1,52 @@
 { lib, ... }:
 {
  sane.impermanence.service-dirs = [
    { user = "matrix-synapse"; group = "matrix-synapse"; directory = "/var/lib/mx-puppet-discord"; }
  ];
  services.matrix-synapse.settings.app_service_config_files = [
    # auto-created by mx-puppet-discord service
    "/var/lib/mx-puppet-discord/discord-registration.yaml"
  ];
  services.mx-puppet-discord.enable = true;
  # schema/example: <https://gitlab.com/mx-puppet/discord/mx-puppet-discord/-/blob/main/sample.config.yaml>
  services.mx-puppet-discord.settings = {
    bridge = {
      # port = 8434
      bindAddress = "127.0.0.1";
      domain = "uninsane.org";
      homeserverUrl = "http://127.0.0.1:8008";
      # displayName = "mx-discord-puppet";  # matrix name for the bot
      # matrix "groups" were an earlier version of spaces.
      # maybe the puppet understands this, maybe not?
      enableGroupSync = false;
    };
    presence = {
      enabled = false;
      interval = 30000;
    };
    provisioning = {
      # allow these users to control the puppet
      whitelist = [ "@colin:uninsane\\.org" ];
    };
    relay = {
      whitelist = [ "@colin:uninsane\\.org" ];
    };
    selfService = {
      # who's allowed to use plumbed rooms (idk what that means)
      whitelist = [ "@colin:uninsane\\.org" ];
    };
    logging = {
      # silly, debug, verbose, info, warn, error
      console = "debug";
    };
  };
  systemd.services.mx-puppet-discord.serviceConfig = {
    # fix up to not use /var/lib/private, but just /var/lib
    DynamicUser = lib.mkForce false;
    User = "matrix-synapse";
    Group = "matrix-synapse";
  };
 }
--- a/machines/servo/services/matrix/irc.nix
+++ b/machines/servo/services/matrix/irc.nix
@@ -1,86 +1,19 @@
-# docs: https://nixos.wiki/wiki/Matrix
+{ config, lib, ... }:
 # docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
 { config, ... }:
 {
  sane.impermanence.service-dirs = [
    # TODO: mode?
    # user and group are both "matrix-appservice-irc"
    { user = "993"; group = "992"; directory = "/var/lib/matrix-appservice-irc"; }
    { user = "224"; group = "224"; directory = "/var/lib/matrix-synapse"; }
  ];
  services.matrix-synapse.enable = true;
  services.matrix-synapse.settings.server_name = "uninsane.org";
  # services.matrix-synapse.enable_registration_captcha = true;
  # services.matrix-synapse.enable_registration_without_verification = true;
  services.matrix-synapse.settings.enable_registration = true;
  # services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
  # default for listeners is port = 8448, tls = true, x_forwarded = false.
  # we change this because the server is situated behind nginx.
  services.matrix-synapse.settings.listeners = [
    {
      port = 8008;
      bind_addresses = [ "127.0.0.1" ];
      type = "http";
      tls = false;
      x_forwarded = true;
      resources = [
        {
          names = [ "client" "federation" ];
          compress = false;
        }
      ];
    }
  ];
  services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
  services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
  services.matrix-synapse.extraConfigFiles = [
    config.sops.secrets.matrix_synapse_secrets.path
  ];
  # services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
  #   admin_contact: "admin.matrix@uninsane.org"
  #   registrations_require_3pid:
  #     - email
  #   email:
  #     smtp_host: "mx.uninsane.org"
  #     smtp_port: 587
  #     smtp_user: "matrix-synapse"
  #     smtp_pass: "${secrets.matrix-synapse.smtp_pass}"
  #     require_transport_security: true
  #     enable_tls: true
  #     notif_from: "%(app)s <notify.matrix@uninsane.org>"
  #     app_name: "Uninsane Matrix"
  #     enable_notifs: true
  #     validation_token_lifetime: 96h
  #     invite_client_location: "https://web.matrix.uninsane.org"
  #     subjects:
  #       email_validation: "[%(server_name)s] Validate your email"
  # ''];
  services.matrix-synapse.settings.app_service_config_files = [
    "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice
  ];
  # new users may be registered on the CLI:
  #   register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
  #
  # or provide an registration token then can use to register through the client.
  #   docs: https://github.com/matrix-org/synapse/blob/develop/docs/usage/administration/admin_api/registration_tokens.md
  # first, grab your own user's access token (Help & About section in Element). then:
  #   curl --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens
  # create a token with unlimited uses:
  #   curl -d '{}' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
  # create a token with limited uses:
  #   curl -d '{ "uses_allowed": 1 }' --header "Authorization: Bearer <my_token>" localhost:8008/_synapse/admin/v1/registration_tokens/new
  # IRC bridging
  # note: Rizon allows only FOUR simultaneous IRC connections per IP: https://wiki.rizon.net/index.php?title=Connection/Session_Limit_Exemptions
  # Rizon supports CertFP for auth: https://wiki.rizon.net/index.php?title=CertFP
-  # services.matrix-appservice-irc.enable = true;
+  services.matrix-appservice-irc.enable = true;
  services.matrix-appservice-irc.registrationUrl = "http://127.0.0.1:8009";
  # settings documented here: https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml
  services.matrix-appservice-irc.settings = {
@@ -161,9 +94,4 @@
      };
    };
  };
  sops.secrets.matrix_synapse_secrets = {
    sopsFile = ../../../secrets/servo.yaml;
    owner = config.users.users.matrix-synapse.name;
  };
 }
--- a/machines/servo/services/matrix/synapse-log_level.yaml
+++ b/machines/servo/services/matrix/synapse-log_level.yaml
@@ -0,0 +1,27 @@
 version: 1
 # In systemd's journal, loglevel is implicitly stored, so let's omit it
 # from the message text.
 formatters:
    journal_fmt:
        format: '%(name)s: [%(request)s] %(message)s'
 filters:
    context:
        (): synapse.util.logcontext.LoggingContextFilter
        request: ""
 handlers:
    journal:
        class: systemd.journal.JournalHandler
        formatter: journal_fmt
        filters: [context]
        SYSLOG_IDENTIFIER: synapse
 # default log level: INFO
 root:
    level: WARN
    handlers: [journal]
 disable_existing_loggers: False
--- a/machines/servo/services/munin.nix
+++ b/machines/servo/services/munin.nix
@@ -0,0 +1,12 @@
 { config, ... }:
 {
  services.munin-node.enable = true;
  services.munin-cron = {
    enable = true;
    # collect data from the localhost
    hosts = ''
      [${config.networking.hostName}]
      address localhost
    '';
  };
 }
--- a/machines/servo/services/nginx.nix
+++ b/machines/servo/services/nginx.nix
@@ -6,13 +6,17 @@
  # web blog/personal site
  services.nginx.virtualHosts."uninsane.org" = {
-    root = "/var/lib/uninsane/root";
+    root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
    # a lot of places hardcode https://uninsane.org,
    # and then when we mix http + non-https, we get CORS violations
    # and things don't look right. so force SSL.
    forceSSL = true;
    enableACME = true;
    # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
    # yes, nginx does not strip the prefix when evaluating against the root.
    locations."/share".root = "/var/lib/uninsane/root";
    # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
    locations."= /.well-known/matrix/server".extraConfig =
      let
@@ -53,6 +57,13 @@
    # };
  };
  # server statistics
  services.nginx.virtualHosts."sink.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    root = "/var/www/munin";
  };
  # Pleroma server and web interface
  services.nginx.virtualHosts."fed.uninsane.org" = {
    addSSL = true;
@@ -219,6 +230,12 @@
    locations."/".proxyPass = "http://127.0.0.1:4533";
  };
  services.nginx.virtualHosts."rss.uninsane.org" = {
    addSSL = true;
    enableACME = true;
    # the routing is handled by freshrss.nix
  };
  services.nginx.virtualHosts."ipfs.uninsane.org" = {
    # don't default to ssl upgrades, since this may be dnslink'd from a different domain.
    # ideally we'd disable ssl entirely, but some places assume it?
--- a/machines/servo/services/pleroma.nix
+++ b/machines/servo/services/pleroma.nix
@@ -15,13 +15,13 @@
  services.pleroma.configs = [
    ''
    import Config
-    
+
    config :pleroma, Pleroma.Web.Endpoint,
      url: [host: "fed.uninsane.org", scheme: "https", port: 443],
      http: [ip: {127, 0, 0, 1}, port: 4000]
    #   secret_key_base: "{secrets.pleroma.secret_key_base}",
    #   signing_salt: "{secrets.pleroma.signing_salt}"
-    
+
    config :pleroma, :instance,
      name: "Perfectly Sane",
      description: "Single-user Pleroma instance",
@@ -47,7 +47,7 @@
      enabled: false,
      redirect_on_failure: true
      #base_url: "https://cache.pleroma.social"
-    
+
    config :pleroma, Pleroma.Repo,
      adapter: Ecto.Adapters.Postgres,
      username: "pleroma",
@@ -67,7 +67,7 @@
    #   private_key: "{secrets.pleroma.vapid_private_key}"
    # config :joken, default_signer: "{secrets.pleroma.joken_default_signer}"
-    
+
    config :pleroma, :database, rum_enabled: false
    config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static"
    config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
@@ -86,11 +86,11 @@
    # Enable Strict-Transport-Security once SSL is working:
    config :pleroma, :http_security,
      sts: true
-    
+
    # docs: https://docs.pleroma.social/backend/configuration/cheatsheet/#logger
    config :logger,
      backends: [{ExSyslogger, :ex_syslogger}]
-    
+
    config :logger, :ex_syslogger,
      level: :warn
    #  level: :debug
--- a/machines/servo/services/postfix.nix
+++ b/machines/servo/services/postfix.nix
@@ -18,7 +18,7 @@ in
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? could be more granular
-    { user = "221"; group = "221"; directory = "/var/lib/opendkim"; }
+    { user = "opendkim"; group = "opendkim"; directory = "/var/lib/opendkim"; }
    { user = "root"; group = "root"; directory = "/var/lib/postfix"; }
  ];
  services.postfix.enable = true;
--- a/machines/servo/services/postgres.nix
+++ b/machines/servo/services/postgres.nix
@@ -3,7 +3,7 @@
 {
  sane.impermanence.service-dirs = [
    # TODO: mode?
-    { user = "71"; group = "71"; directory = "/var/lib/postgresql"; }
+    { user = "postgres"; group = "postgres"; directory = "/var/lib/postgresql"; }
  ];
  services.postgresql.enable = true;
  # services.postgresql.dataDir = "/opt/postgresql/13";
--- a/machines/servo/services/transmission.nix
+++ b/machines/servo/services/transmission.nix
@@ -3,7 +3,7 @@
 {
  sane.impermanence.service-dirs = [
    # TODO: mode? we need this specifically for the stats tracking in .config/
-    { user = "70"; group = "70"; directory = "/var/lib/transmission"; }
+    { user = "transmission"; group = "transmission"; directory = "/var/lib/transmission"; }
  ];
  services.transmission.enable = true;
  services.transmission.settings = {
@@ -44,6 +44,7 @@
  systemd.services.transmission.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
    LogLevelMax = "warning";
  };
 }
--- a/modules/gui/gnome.nix
+++ b/modules/gui/gnome.nix
@@ -14,6 +14,16 @@ in
  config = mkIf cfg.enable {
    sane.gui.enable = true;
    users.users.avahi.uid = config.sane.allocations.avahi-uid;
    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
    users.users.colord.uid = config.sane.allocations.colord-uid;
    users.groups.colord.gid = config.sane.allocations.colord-gid;
    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
    # start gnome/gdm on boot
    services.xserver.enable = true;
    services.xserver.desktopManager.gnome.enable = true;
--- a/modules/gui/phosh.nix
+++ b/modules/gui/phosh.nix
@@ -10,58 +10,100 @@ in
      default = false;
      type = types.bool;
    };
    sane.gui.phosh.useGreeter = mkOption {
      description = ''
        launch phosh via a greeter (like lightdm-mobile-greeter).
        phosh is usable without a greeter, but skipping the greeter means no PAM session.
      '';
      default = true;
      type = types.bool;
    };
  };
-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (mkMerge [
-    sane.gui.enable = true;
+    {
      sane.gui.enable = true;
-    users.users.avahi.uid = config.sane.allocations.avahi-uid;
+      users.users.avahi.uid = config.sane.allocations.avahi-uid;
-    users.users.colord.uid = config.sane.allocations.colord-uid;
+      users.users.colord.uid = config.sane.allocations.colord-uid;
-    users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
+      users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
-    users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
+      users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
-    users.groups.avahi.gid = config.sane.allocations.avahi-gid;
+      users.groups.avahi.gid = config.sane.allocations.avahi-gid;
-    users.groups.colord.gid = config.sane.allocations.colord-gid;
+      users.groups.colord.gid = config.sane.allocations.colord-gid;
-    users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
+      users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
-    users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
+      users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
      users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
-    # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
+      # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
-    services.xserver.desktopManager.phosh = {
+      services.xserver.desktopManager.phosh = {
-      enable = true;
+        enable = true;
-      user = "colin";
+        user = "colin";
-      group = "users";
+        group = "users";
-      phocConfig = {
+        phocConfig = {
-        # xwayland = "true";
+          # xwayland = "true";
-        # find default outputs by catting /etc/phosh/phoc.ini
+          # find default outputs by catting /etc/phosh/phoc.ini
-        outputs.DSI-1 = {
+          outputs.DSI-1 = {
-          scale = 1.5;
+            scale = 1.5;
          };
        };
      };
    };
-    # XXX: phosh enables networkmanager by default; can probably disable these lines
+      # XXX: phosh enables networkmanager by default; can probably disable these lines
-    networking.useDHCP = false;
+      networking.useDHCP = false;
-    networking.networkmanager.enable = true;
+      networking.networkmanager.enable = true;
-    networking.wireless.enable = lib.mkForce false;
+      networking.wireless.enable = lib.mkForce false;
-    # XXX: not clear if these are actually needed?
+      # XXX: not clear if these are actually needed?
-    hardware.bluetooth.enable = true;
+      hardware.bluetooth.enable = true;
-    services.blueman.enable = true;
+      services.blueman.enable = true;
-    hardware.opengl.enable = true;
+      hardware.opengl.enable = true;
-    hardware.opengl.driSupport = true;
+      hardware.opengl.driSupport = true;
-    environment.variables = {
+      environment.variables = {
-      # Qt apps won't always start unless this env var is set
+        # Qt apps won't always start unless this env var is set
-      QT_QPA_PLATFORM = "wayland";
+        QT_QPA_PLATFORM = "wayland";
-      # electron apps (e.g. Element) should use the wayland backend
+        # electron apps (e.g. Element) should use the wayland backend
-      # toggle this to have electron apps (e.g. Element) use the wayland backend.
+        # toggle this to have electron apps (e.g. Element) use the wayland backend.
-      # phocConfig.xwayland should be disabled if you do this
+        # phocConfig.xwayland should be disabled if you do this
-      NIXOS_OZONE_WL = "1";
+        NIXOS_OZONE_WL = "1";
-    };
+      };
-    sane.home-manager.extraPackages = with pkgs; [
+      sane.home-manager.extraPackages = with pkgs; [
-      # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
+        phosh-mobile-settings
-      gnome.gnome-bluetooth
+
-    ];
+        # TODO: see about removing this if the in-built gnome-settings bluetooth manager can work
-  };
+        gnome.gnome-bluetooth
      ];
    }
    (mkIf cfg.useGreeter {
      services.xserver.enable = true;
      # NB: setting defaultSession has the critical side-effect that it lets org.freedesktop.AccountsService
      # know that our user exists. this ensures lightdm succeeds when calling /org/freedesktop/AccountsServices ListCachedUsers
      # lightdm greeters get the login users from lightdm which gets it from org.freedesktop.Accounts.ListCachedUsers.
      # this requires the user we want to login as to be cached.
      services.xserver.displayManager.job.preStart = ''
        ${pkgs.systemd}/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s colin
      '';
      # services.xserver.displayManager.defaultSession = "sm.puri.Phosh";  # XXX: not sure why this doesn't propagate correctly.
      services.xserver.displayManager.lightdm.extraSeatDefaults = ''
        user-session = phosh
      '';
      services.xserver.displayManager.lightdm.greeters.gtk.enable = false;  # gtk greeter overrides our own?
      services.xserver.displayManager.lightdm.greeter = {
        enable = true;
        package = pkgs.lightdm-mobile-greeter.xgreeters;
        name = "lightdm-mobile-greeter";
      };
      # services.xserver.displayManager.lightdm.enable = true;
      # # services.xserver.displayManager.lightdm.greeters.enso.enable = true;  # tried (with reboot); got a mouse then died. next time was black
      # # services.xserver.displayManager.lightdm.greeters.gtk.enable = true;  # tried (with reboot); unusable without OSK
      # # services.xserver.displayManager.lightdm.greeters.mini.enable = true;  # tried (with reboot); unusable without OSK
      # # services.xserver.displayManager.lightdm.greeters.pantheon.enable = true; # tried (no reboot); unusable without OSK
      # services.xserver.displayManager.lightdm.greeters.slick.enable = true;  # tried; unusable without OSK (a11y -> OSK doesn't work)
      # # services.xserver.displayManager.lightdm.greeters.tiny.enable = true;  # tried; block screen
      systemd.services.phosh.wantedBy = lib.mkForce [];  # disable auto-start
    })
  ]);
 }
--- a/modules/gui/sway.nix
+++ b/modules/gui/sway.nix
@@ -21,18 +21,30 @@ in
      enable = true;
    };
-    # TODO: should be able to use SDDM to get interactive login
+    # alternatively, could use SDDM
-    services.greetd = {
+    services.greetd = let
      swayConfig = pkgs.writeText "greetd-sway-config" ''
        # `-l` activates layer-shell mode.
        exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l -c sway"
      '';
    in {
      # greetd source/docs:
      # - <https://git.sr.ht/~kennylevinsen/greetd>
      enable = true;
-      settings = rec {
+      settings = {
-        initial_session = {
+        default_session = {
-          command = "${pkgs.sway}/bin/sway";
+          command = "${pkgs.sway}/bin/sway --config ${swayConfig}";
-          user = "colin";
+          # alternatives:
          # - TTY: `command = "${pkgs.greetd.greetd}/bin/agreety --cmd ${pkgs.sway}/bin/sway";`
          # - autologin: `command = "${pkgs.sway}/bin/sway"; user = "colin";`
          # - Dumb Login (doesn't work)": `command = "${pkgs.greetd.dlm}/bin/dlm";`
        };
        default_session = initial_session;
      };
    };
    # some programs (e.g. fractal) **require** a "Secret Service Provider"
    services.gnome.gnome-keyring.enable = true;
    # unlike other DEs, sway configures no audio stack
    # administer with pw-cli, pw-mon, pw-top commands
    services.pipewire = {
@@ -85,21 +97,22 @@ in
          "${modifier}+Return" = "exec ${terminal}";
          "${modifier}+Shift+q" = "kill";
          "${modifier}+d" = "exec ${menu}";
          "${modifier}+l" = "exec ${pkgs.swaylock}/bin/swaylock --indicator-idle-visible --indicator-radius 100 --indicator-thickness 30";
-          "${modifier}+${left}" = "focus left";
+          # "${modifier}+${left}" = "focus left";
-          "${modifier}+${down}" = "focus down";
+          # "${modifier}+${down}" = "focus down";
-          "${modifier}+${up}" = "focus up";
+          # "${modifier}+${up}" = "focus up";
-          "${modifier}+${right}" = "focus right";
+          # "${modifier}+${right}" = "focus right";
          "${modifier}+Left" = "focus left";
          "${modifier}+Down" = "focus down";
          "${modifier}+Up" = "focus up";
          "${modifier}+Right" = "focus right";
-          "${modifier}+Shift+${left}" = "move left";
+          # "${modifier}+Shift+${left}" = "move left";
-          "${modifier}+Shift+${down}" = "move down";
+          # "${modifier}+Shift+${down}" = "move down";
-          "${modifier}+Shift+${up}" = "move up";
+          # "${modifier}+Shift+${up}" = "move up";
-          "${modifier}+Shift+${right}" = "move right";
+          # "${modifier}+Shift+${right}" = "move right";
          "${modifier}+Shift+Left" = "move left";
          "${modifier}+Shift+Down" = "move down";
@@ -569,7 +582,7 @@ in
    };
    sane.home-manager.extraPackages = with pkgs; [
      swaylock
-      swayidle
+      swayidle  # (unused)
      wl-clipboard
      mako # notification daemon
      xdg-utils  # for xdg-open
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -14,6 +14,10 @@ in
      default = false;
      type = types.bool;
    };
    sane.impermanence.home-files = mkOption {
      default = [];
      type = types.listOf types.str;
    };
    sane.impermanence.home-dirs = mkOption {
      default = [];
      type = types.listOf (types.either types.str (types.attrsOf types.str));
@@ -35,6 +39,15 @@ in
    map-home-dirs = map-dirs { user = "colin"; group = "users"; mode = "0755"; directory = "/home/colin/"; };
    map-sys-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
    map-service-dirs = map-dirs { user = "root"; group = "root"; mode = "0755"; directory = ""; };
    map-home-files = files: builtins.map (f: {
      parentDirectory = {
        user = "colin";
        group = "users";
        mode = "0755";
      };
      file = "/home/colin/${f}";
    }) files;
  in mkIf cfg.enable {
    sane.image.extraDirectories = [ "/nix/persist/var/log" ];
    environment.persistence."/nix/persist" = {
@@ -45,12 +58,13 @@ in
        ".cargo"
        ".rustup"
        ".ssh"
        ".local/share/keyrings"
        # intentionally omitted:
        # ".config"  # managed by home-manager
        # ".local"   # nothing useful in here
      ] ++ cfg.home-dirs)) ++ (map-sys-dirs [
        # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
-        { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
+        # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
        # "/etc/nixos"
        # "/etc/ssh"  # persist only the specific files we want, instead
        "/var/log"
@@ -94,12 +108,19 @@ in
        # "/etc/group"
        # "/etc/passwd"
        # "/etc/shadow"
-      ];
+      ] ++ map-home-files cfg.home-files;
    };
    systemd.services.sane-sops = {
      # TODO: it would be better if we could inject the right dependency into setupSecrets instead of patching like this.
      # /run/current-system/activate contains the precise ordering logic.
      # it's largely unaware of systemd.
      # maybe we could insert some activation script which simply waits for /etc/ssh to appear?
      description = "sops relies on /etc/ssh being available, so re-run its activation AFTER fs-local";
-      script = config.system.activationScripts.setupSecrets.text;
+      script = ''
      ${config.system.activationScripts.setupSecrets.text}
      ${config.system.activationScripts.linkIwdKeys.text}
      '';
      after = [ "fs-local.target" ];
      wantedBy = [ "multi-user.target" ];
    };
--- a/modules/universal/allocations.nix
+++ b/modules/universal/allocations.nix
@@ -23,6 +23,9 @@ in
    sane.allocations.greeter-uid = mkId 999;
    sane.allocations.greeter-gid = mkId 999;
    sane.allocations.freshrss-uid = mkId 2401;
    sane.allocations.freshrss-gid = mkId 2401;
    sane.allocations.colin-uid = mkId 1000;
    sane.allocations.guest-uid = mkId 1100;
@@ -33,6 +36,8 @@ in
    sane.allocations.systemd-coredump-gid = mkId 2003;  # 996
    sane.allocations.nscd-uid = mkId 2004;
    sane.allocations.nscd-gid = mkId 2004;
    sane.allocations.systemd-oom-uid = mkId 2005;
    sane.allocations.systemd-oom-gid = mkId 2005;
    # found on graphical machines
    sane.allocations.nm-iodine-uid = mkId 2101;  # desko/moby/lappy
--- a/modules/universal/env/default.nix
+++ b/modules/universal/env/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
  imports = [
@@ -12,10 +12,25 @@
    EDITOR = "vim";
    # git claims it should use EDITOR, but it doesn't!
    GIT_EDITOR = "vim";
    # TODO: these should be moved to `home.sessionVariables` (home-manager)
    # Electron apps should use native wayland backend:
    #   https://nixos.wiki/wiki/Slack#Wayland
    # Discord under sway crashes with this.
    # NIXOS_OZONE_WL = "1";
    # LIBGL_ALWAYS_SOFTWARE = "1";
  };
  # enable zsh completions
  environment.pathsToLink = [ "/share/zsh" ];
  environment.systemPackages = with pkgs; [
    # required for pam_mount
    gocryptfs
  ];
  security.pam.mount.enable = true;
  # security.pam.mount.debugLevel = 1;
  # security.pam.enableSSHAgentAuth = true; # ??
  # needed for `allow_other` in e.g. gocryptfs mounts
  # or i guess going through mount.fuse sets suid so that's not necessary?
  # programs.fuse.userAllowOther = true;
 }
--- a/modules/universal/env/feeds.nix
+++ b/modules/universal/env/feeds.nix
@@ -0,0 +1,175 @@
 { lib }:
 let
  hourly = { freq = "hourly"; };
  daily = { freq = "daily"; };
  weekly = { freq = "weekly"; };
  infrequent = { freq = "infrequent"; };
  art = { cat = "art"; };
  humor = { cat = "humor"; };
  pol = { cat = "pol"; };  # or maybe just "social"
  rat = { cat = "rat"; };
  tech = { cat = "tech"; };
  uncat = { cat = "uncat"; };
  text = { format = "text"; };
  image = { format = "image"; };
  podcast = { format = "podcast"; };
  mkRss = format: url: { inherit url format; } // uncat // infrequent;
  mkText = mkRss text;
  mkImg = mkRss image;
  mkPod = mkRss podcast;
  # merge the attrs `new` into each value of the attrs `addTo`
  addAttrs = new: addTo: builtins.mapAttrs (k: v: v // new) addTo;
  # for each value in `attrs`, add a value to the child attrs which holds its key within the parent attrs.
  withInverseMapping = key: attrs: builtins.mapAttrs (k: v: v // { "${key}" = k; }) attrs;
 in rec {
  podcasts = [
    (mkPod "https://lexfridman.com/feed/podcast/" // rat // weekly)
    ## Astral Codex Ten
    (mkPod "http://feeds.libsyn.com/108018/rss" // rat // daily)
    ## Econ Talk
    (mkPod "https://feeds.simplecast.com/wgl4xEgL" // rat // daily)
    ## Cory Doctorow
    (mkPod "https://feeds.feedburner.com/doctorow_podcast" // pol // infrequent)
    (mkPod "https://congressionaldish.libsyn.com/rss" // pol // infrequent)
    ## Civboot
    (mkPod "https://anchor.fm/s/34c7232c/podcast/rss" // tech // infrequent)
    (mkPod "https://feeds.feedburner.com/80000HoursPodcast" // rat // weekly)
    (mkPod "https://allinchamathjason.libsyn.com/rss" // pol // weekly)
    (mkPod "https://acquired.libsyn.com/rss" // tech // infrequent)
    (mkPod "https://rss.acast.com/deconstructed" // pol // infrequent)
    ## The Daily
    (mkPod "https://feeds.simplecast.com/54nAGcIl" // pol // daily)
    (mkPod "https://rss.acast.com/intercepted-with-jeremy-scahill" // pol // weekly)
    (mkPod "https://podcast.posttv.com/itunes/post-reports.xml" // pol // weekly)
    ## Eric Weinstein
    (mkPod "https://rss.art19.com/the-portal" // rat // infrequent)
    (mkPod "https://feeds.megaphone.fm/darknetdiaries" // tech // infrequent)
    (mkPod "http://feeds.wnyc.org/radiolab" // pol // infrequent)
    (mkPod "https://wakingup.libsyn.com/rss" // pol // infrequent)
    ## 99% Invisible
    (mkPod "https://feeds.simplecast.com/BqbsxVfO" // pol // infrequent)
    (mkPod "https://rss.acast.com/ft-tech-tonic" // tech // infrequent)
    (mkPod "https://feeds.feedburner.com/dancarlin/history?format=xml" // rat // infrequent)
    ## 60 minutes (NB: this features more than *just* audio?)
    (mkPod "https://www.cbsnews.com/latest/rss/60-minutes" // pol // infrequent)
  ];
  texts = [
    # AGGREGATORS (> 1 post/day)
    (mkText "https://www.lesswrong.com/feed.xml" // rat // hourly)
    (mkText "http://www.econlib.org/index.xml" // pol // hourly)
    # AGGREGATORS (< 1 post/day)
    (mkText "https://palladiummag.com/feed" // uncat // weekly)
    (mkText "https://profectusmag.com/feed" // uncat // weekly)
    (mkText "https://semiaccurate.com/feed" // tech // weekly)
    (mkText "https://linuxphoneapps.org/blog/atom.xml" // tech // infrequent)
    (mkText "https://spectrum.ieee.org/rss" // tech // weekly)
    ## No Moods, Ads or Cutesy Fucking Icons
    (mkText "https://www.rifters.com/crawl/?feed=rss2" // uncat // weekly)
    # DEVELOPERS
    (mkText "https://mg.lol/blog/rss/" // infrequent // tech)
    ## Ken Shirriff
    (mkText "https://www.righto.com/feeds/posts/default" // tech // infrequent)
    ## Vitalik Buterin
    (mkText "https://vitalik.ca/feed.xml" // tech // infrequent)
    ## ian (Sanctuary)
    (mkText "https://sagacioussuricata.com/feed.xml" // tech // infrequent)
    ## Bunnie Juang
    (mkText "https://www.bunniestudios.com/blog/?feed=rss2" // tech // infrequent)
    (mkText "https://blog.danieljanus.pl/atom.xml" // tech // infrequent)
    (mkText "https://ianthehenry.com/feed.xml" // tech // infrequent)
    (mkText "https://bitbashing.io/feed.xml" // tech // infrequent)
    (mkText "https://idiomdrottning.org/feed.xml" // uncat // daily)
    # (TECH; POL) COMMENTATORS
    (mkText "http://benjaminrosshoffman.com/feed" // pol // weekly)
    ## Ben Thompson
    (mkText "https://www.stratechery.com/rss" // pol // weekly)
    ## Balaji
    (mkText "https://balajis.com/rss" // pol // weekly)
    (mkText "https://www.ben-evans.com/benedictevans/rss.xml" // pol // weekly)
    (mkText "https://www.lynalden.com/feed" // pol // infrequent)
    (mkText "https://austinvernon.site/rss.xml" // tech // infrequent)
    (mkText "https://oversharing.substack.com/feed" // pol // daily)
    (mkText "https://doomberg.substack.com/feed" // tech // weekly)
    ## David Rosenthal
    (mkText "https://blog.dshr.org/rss.xml" // pol // weekly)
    ## Matt Levine
    (mkText "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" // pol // weekly)
    # RATIONALITY/PHILOSOPHY/ETC
    (mkText "https://samkriss.substack.com/feed" // humor // infrequent)
    (mkText "https://unintendedconsequenc.es/feed" // rat // infrequent)
    (mkText "https://applieddivinitystudies.com/atom.xml" // rat // weekly)
    (mkText "https://slimemoldtimemold.com/feed.xml" // rat // weekly)
    (mkText "https://www.richardcarrier.info/feed" // rat // weekly)
    (mkText "https://www.gwern.net/feed.xml" // uncat // infrequent)
    ## Jason Crawford
    (mkText "https://rootsofprogress.org/feed.xml" // rat // weekly)
    ## Robin Hanson
    (mkText "https://www.overcomingbias.com/feed" // rat // daily)
    ## Scott Alexander
    (mkText "https://astralcodexten.substack.com/feed.xml" // rat // daily)
    ## Paul Christiano
    (mkText "https://sideways-view.com/feed" // rat // infrequent)
    ## Sean Carroll
    (mkText "https://www.preposterousuniverse.com/rss" // rat // infrequent)
    # CODE
    (mkText "https://github.com/Kaiteki-Fedi/Kaiteki/commits/master.atom" // tech // infrequent)
  ];
  images = [
    (mkImg "https://www.smbc-comics.com/comic/rss" // humor // daily)
    (mkImg "https://xkcd.com/atom.xml" // humor // daily)
    (mkImg "http://dilbert.com/feed" // humor // daily)
    # ART
    (mkImg "https://miniature-calendar.com/feed" // art // daily)
  ];
  all = texts ++ images ++ podcasts;
  # return only the feed items which match this category (e.g. "tech")
  filterCat = cat: feeds: builtins.filter (item: item.cat == cat) feeds;
  # return only the feed items which match this format (e.g. "podcast")
  filterFormat = format: feeds: builtins.filter (item: item.format == format) feeds;
  # transform a list of feeds into an attrs mapping cat => [ feed0 feed1 ... ]
  partitionByCat = feeds: builtins.groupBy (f: f.cat) feeds;
  # represents a single RSS feed.
  opmlTerminal = feed: ''<outline xmlUrl="${feed.url}" type="rss"/>'';
  # a list of RSS feeds.
  opmlTerminals = feeds: lib.strings.concatStringsSep "\n" (builtins.map opmlTerminal feeds);
  # one node which packages some flat grouping of terminals.
  opmlGroup = title: feeds: ''
    <outline text="${title}" title="${title}">
      ${opmlTerminals feeds}
    </outline>
  '';
  # a list of groups (`groupMap` is an attrs mapping groupName => [ feed0 feed1 ... ]).
  opmlGroups = groupMap: lib.strings.concatStringsSep "\n" (
    builtins.attrValues (builtins.mapAttrs opmlGroup groupMap)
  );
  # top-level OPML file which could be consumed by something else.
  opmlTopLevel = body: ''
    <?xml version="1.0" encoding="utf-8"?>
    <opml version="2.0">
      <body>
        ${body}
      </body>
    </opml>
  '';
  # **primary API**: generate a OPML file from the provided feeds
  feedsToOpml = feeds: opmlTopLevel (opmlGroups (partitionByCat feeds));
 }
--- a/modules/universal/env/home-manager.nix
+++ b/modules/universal/env/home-manager.nix
@@ -14,6 +14,10 @@ let
  pkglist = pkgspec: builtins.map (e: e.pkg or e) pkgspec;
  # extract `dir` from `extraPackages`
  dirlist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "dir" then [ e.dir ] else []) pkgspec);
  # extract `persist-files` from `extraPackages`
  persistfileslist = pkgspec: builtins.concatLists (builtins.map (e: if e ? "persist-files" then e.persist-files else []) pkgspec);
  # TODO: dirlist and persistfileslist should be folded
  feeds = import ./feeds.nix { inherit lib; };
 in
 {
  options = {
@@ -67,6 +71,7 @@ in
      "Videos"
      vim-swap-dir
    ] ++ (dirlist cfg.extraPackages);
    sane.impermanence.home-files = persistfileslist cfg.extraPackages;
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
@@ -75,6 +80,10 @@ in
    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
      # run `home-manager-help` to access manpages
      # or `man home-configuration.nix`
      manual.html.enable = true;
      home.packages = pkglist cfg.extraPackages;
      wayland.windowManager = cfg.windowManager;
@@ -82,6 +91,14 @@ in
      home.username = "colin";
      home.homeDirectory = "/home/colin";
      home.activation = {
        initKeyring = {
          after = ["writeBoundary"];
          before = [];
          data = "${../../../scripts/init-keyring}";
        };
      };
      # XDG defines things like ~/Desktop, ~/Downloads, etc.
      # these clutter the home, so i mostly don't use them.
      xdg.userDirs = {
@@ -96,19 +113,48 @@ in
        templates = "$HOME/.xdg/Templates";
        videos = "$HOME/Videos";
      };
      # the xdg mime type for a file can be found with:
      # - `xdg-mime query filetype path/to/thing.ext`
      xdg.mimeApps.enable = true;
-      xdg.mimeApps.defaultApplications = {
+      xdg.mimeApps.defaultApplications = let
-        "text/html" = [ "librewolf.desktop" ];
+        www = "librewolf.desktop";
-        "x-scheme-handler/http" = [ "librewolf.desktop" ];
+        pdf = "org.gnome.Evince.desktop";
-        "x-scheme-handler/https" = [ "librewolf.desktop" ];
+        md = "obsidian.desktop";
-        "x-scheme-handler/about" = [ "librewolf.desktop" ];
+        thumb = "org.gnome.gThumb.desktop";
-        "x-scheme-handler/unknown" = [ "librewolf.desktop" ];
+        video = "vlc.desktop";
-        "image/png" = [ "org.gnome.gThumb.desktop" ];
+        # audio = "mpv.desktop";
        audio = "vlc.desktop";
      in {
        # HTML
        "text/html" = [ www ];
        "x-scheme-handler/http" = [ www ];
        "x-scheme-handler/https" = [ www ];
        "x-scheme-handler/about" = [ www ];
        "x-scheme-handler/unknown" = [ www ];
        # RICH-TEXT DOCUMENTS
        "application/pdf" = [ pdf ];
        "text/markdown" = [ md ];
        # IMAGES
        "image/heif" = [ thumb ];  # apple codec
        "image/png" = [ thumb ];
        "image/jpeg" = [ thumb ];
        # VIDEO
        "video/mp4" = [ video ];
        "video/quicktime" = [ video ];
        "video/x-matroska" = [ video ];
        # AUDIO
        "audio/flac" = [ audio ];
        "audio/mpeg" = [ audio ];
        "audio/x-vorbis+ogg" = [ audio ];
      };
      # convenience
      home.file."knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
      home.file."nixos".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/nixos";
      home.file."Videos/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Videos";
      home.file."Videos/servo-incomplete".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/incomplete";
      home.file."Music/servo".source = config.lib.file.mkOutOfStoreSymlink "/mnt/servo-media/Music";
      # nb markdown/personal knowledge manager
      home.file.".nb/knowledge".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/dev/knowledge";
@@ -136,6 +182,12 @@ in
         }
        }
      '';
      home.file.".librewolf/librewolf.overrides.cfg".text = ''
        // if we can't query the revocation status of a SSL cert because the issuer is offline,
        // treat it as unrevoked.
        // see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
        defaultPref("security.OCSP.require", false);
      '';
      # aerc TUI mail client
      xdg.configFile."aerc/accounts.conf".source =
@@ -154,114 +206,35 @@ in
      xdg.configFile."vlc/vlcrc".text =
      let
-        podcast_urls = lib.strings.concatStringsSep "|" [
+        podcastUrls = lib.strings.concatStringsSep "|" (
-          "https://lexfridman.com/feed/podcast/"
+          builtins.map (feed: feed.url) feeds.podcasts
-          ## Astral Codex Ten
+        );
          "http://feeds.libsyn.com/108018/rss"
          ## Econ Talk
          "https://feeds.simplecast.com/wgl4xEgL"
          ## Cory Doctorow
          "https://feeds.feedburner.com/doctorow_podcast"
          "https://congressionaldish.libsyn.com/rss"
          ## Civboot
          "https://anchor.fm/s/34c7232c/podcast/rss"
          "https://feeds.feedburner.com/80000HoursPodcast"
          "https://allinchamathjason.libsyn.com/rss"
          ## Eric Weinstein
          "https://rss.art19.com/the-portal"
          "https://feeds.megaphone.fm/darknetdiaries"
          "http://feeds.wnyc.org/radiolab"
          "https://wakingup.libsyn.com/rss"
          ## 99% Invisible
          "https://feeds.simplecast.com/BqbsxVfO"
          "https://rss.acast.com/ft-tech-tonic"
          "https://feeds.feedburner.com/dancarlin/history?format=xml"
          ## 60 minutes (NB: this features more than *just* audio?)
          "https://www.cbsnews.com/latest/rss/60-minutes"
        ];
      in ''
-      [podcast]
+        [podcast]
-      podcast-urls=${podcast_urls}
+        podcast-urls=${podcastUrls}
-      [core]
+        [core]
-      metadata-network-access=0
+        metadata-network-access=0
-      [qt]
+        [qt]
-      qt-privacy-ask=0
+        qt-privacy-ask=0
      '';
      xdg.configFile."gpodderFeeds.opml".text = with feeds;
        feedsToOpml feeds.podcasts;
      # news-flash RSS viewer
      xdg.configFile."newsflashFeeds.opml".text = with feeds;
        feedsToOpml (feeds.texts ++ feeds.images);
      # gnome feeds RSS viewer
-      xdg.configFile."org.gabmus.gfeeds.json".text = builtins.toJSON {
+      xdg.configFile."org.gabmus.gfeeds.json".text =
-        feeds = {
+      let
-          # AGGREGATORS (> 1 post/day)
+        myFeeds = feeds.texts ++ feeds.images;
-          "https://www.lesswrong.com/feed.xml" = { tags = [ "hourly" "rat" ]; };
+      in builtins.toJSON {
-          "http://www.econlib.org/index.xml" = { tags = [ "hourly" "pol" ]; };
+        # feed format is a map from URL to a dict,
-          # AGGREGATORS (< 1 post/day)
+        #   with dict["tags"] a list of string tags.
-          "https://palladiummag.com/feed" = { tags = [ "weekly" "uncat" ]; };
+        feeds = builtins.foldl' (acc: feed: acc // {
-          "https://profectusmag.com/feed" = { tags = [ "weekly" "uncat" ]; };
+          "${feed.url}".tags = [ feed.cat feed.freq ];
-
+        }) {} myFeeds;
          "https://semiaccurate.com/feed" = { tags = [ "weekly" "tech" ]; };
          "https://linuxphoneapps.org/blog/atom.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://spectrum.ieee.org/rss" = { tags = [ "weekly" "tech" ]; };
          ## No Moods, Ads or Cutesy Fucking Icons
          "https://www.rifters.com/crawl/?feed=rss2" = { tags = [ "weekly" "uncat" ]; };
          # DEVELOPERS
          "https://mg.lol/blog/rss/" = { tags = [ "infrequent" "tech" ]; };
          ## Ken Shirriff
          "https://www.righto.com/feeds/posts/default" = { tags = [ "infrequent" "tech" ]; };
          ## Vitalik Buterin
          "https://vitalik.ca/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          ## ian (Sanctuary)
          "https://sagacioussuricata.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          ## Bunnie Juang
          "https://www.bunniestudios.com/blog/?feed=rss2" = { tags = [ "infrequent" "tech" ]; };
          "https://blog.danieljanus.pl/atom.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://ianthehenry.com/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://bitbashing.io/feed.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://idiomdrottning.org/feed.xml" = { tags = [ "daily" "uncat" ]; };
          # (TECH; POL) COMMENTATORS
          "http://benjaminrosshoffman.com/feed" = { tags = [ "weekly" "pol" ]; };
          ## Ben Thompson
          "https://www.stratechery.com/rss" = { tags = [ "weekly" "pol" ]; };
          ## Balaji
          "https://balajis.com/rss" = { tags = [ "weekly" "pol" ]; };
          "https://www.ben-evans.com/benedictevans/rss.xml" = { tags = [ "weekly" "pol" ]; };
          "https://www.lynalden.com/feed" = { tags = [ "infrequent" "pol" ]; };
          "https://austinvernon.site/rss.xml" = { tags = [ "infrequent" "tech" ]; };
          "https://oversharing.substack.com/feed" = { tags = [ "daily" "pol" ]; };
          ## David Rosenthal
          "https://blog.dshr.org/rss.xml" = { tags = [ "weekly" "pol" ]; };
          ## Matt Levine
          "https://www.bloomberg.com/opinion/authors/ARbTQlRLRjE/matthew-s-levine.rss" = { tags = [ "weekly" "pol" ]; };
          # RATIONALITY/PHILOSOPHY/ETC
          "https://unintendedconsequenc.es/feed" = { tags = [ "infrequent" "rat" ]; };
          "https://applieddivinitystudies.com/atom.xml" = { tags = [ "weekly" "rat" ]; };
          "https://slimemoldtimemold.com/feed.xml" = { tags = [ "weekly" "rat" ]; };
          "https://www.richardcarrier.info/feed" = { tags = [ "weekly" "rat" ]; };
          "https://www.gwern.net/feed.xml" = { tags = [ "infrequent" "uncat" ]; };
          ## Jason Crawford
          "https://rootsofprogress.org/feed.xml" = { tags = [ "weekly" "rat" ]; };
          ## Robin Hanson
          "https://www.overcomingbias.com/feed" = { tags = [ "daily" "rat" ]; };
          ## Scott Alexander
          "https://astralcodexten.substack.com/feed.xml" = { tags = [ "daily" "rat" ]; };
          ## Paul Christiano
          "https://sideways-view.com/feed" = { tags = [ "infrequent" "rat" ]; };
          ## Sean Carroll
          "https://www.preposterousuniverse.com/rss" = { tags = [ "infrequent" "rat" ]; };
          # COMICS
          "https://www.smbc-comics.com/comic/rss" = { tags = [ "daily" "visual" ]; };
          "https://xkcd.com/atom.xml" = { tags = [ "daily" "visual" ]; };
          # ART
          "https://miniature-calendar.com/feed" = { tags = [ "daily" "visual" ]; };
        };
        dark_reader = false;
        new_first = true;
        # windowsize = {
@@ -280,17 +253,9 @@ in
        open_links_externally = true;
        full_feed_name = false;
        refresh_on_startup = true;
-        tags = [
+        tags = lib.lists.unique (
-          # hourly => aggregator
+          (builtins.catAttrs "cat" myFeeds) ++ (builtins.catAttrs "freq" myFeeds)
-          # daily => prolifiq writer
+        );
          # weekly => i can keep up with most -- but maybe not all -- of their content
          # infrequent => i can read everything in this category
          "hourly" "daily" "weekly" "infrequent"
          # rat[ionality] gets used interchangably with philosophy, here.
          # pol[itical] gets used for social commentary and economics as well.
          # visual gets used for comics/art
          "uncat" "rat" "tech" "pol" "visual"
        ];
        open_youtube_externally = false;
        media_player = "vlc";  # default: mpv
      };
@@ -302,6 +267,8 @@ in
          enable = true;
          enableSyntaxHighlighting = true;
          enableVteIntegration = true;
          history.ignorePatterns = [ "rm *" ];
          # history.path = TODO
          dotDir = ".config/zsh";
          initExtraBeforeCompInit = ''
@@ -309,6 +276,11 @@ in
            # run p10k configure to configure, but it can't write out its file :-(
            POWERLEVEL9K_DISABLE_CONFIGURATION_WIZARD=true
          '';
          initExtra = ''
            # zmv is a way to do rich moves/renames, with pattern matching/substitution.
            # see for an example: <https://filipe.kiss.ink/zmv-zsh-rename/>
            autoload -Uz zmv
          '';
          # prezto = oh-my-zsh fork; controls prompt, auto-completion, etc.
          # see: https://github.com/sorin-ionescu/prezto
@@ -331,6 +303,7 @@ in
            };
          };
        };
        kitty = {
          enable = true;
          # docs: https://sw.kovidgoyal.net/kitty/conf/
@@ -397,10 +370,21 @@ in
          # theme = "zenwritten_dark";  # mediocre: looks same as zenbones_dark
          # extraConfig = "";
        };
        git = {
          enable = true;
          userName = "colin";
          userEmail = "colin@uninsane.org";
          aliases = { co = "checkout"; };
          extraConfig = {
            # difftastic docs:
            # - <https://difftastic.wilfred.me.uk/git.html>
            diff.tool = "difftastic";
            difftool.prompt = false;
            "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
            # now run `git difftool` to use difftastic git
          };
        };
        neovim = {
@@ -480,6 +464,10 @@ in
            })
          ];
          extraConfig = ''
            " let the terminal handle mouse events, that way i get OS-level ctrl+shift+c/etc
            " this used to be default, until <https://github.com/neovim/neovim/pull/19290>
            set mouse=
            " copy/paste to system clipboard
            set clipboard=unnamedplus
@@ -516,6 +504,14 @@ in
          package = import ./web-browser.nix pkgs;
        };
        mpv = {
          enable = true;
          config = {
            save-position-on-quit = true;
            keep-open = "yes";
          };
        };
        # "command not found" will cause the command to be searched in nixpkgs
        nix-index.enable = true;
      } // cfg.programs;
--- a/modules/universal/env/home-packages.nix
+++ b/modules/universal/env/home-packages.nix
@@ -6,11 +6,14 @@ let
  cfg = config.sane.home-packages;
  universalPkgs = [
    backblaze-b2
    cdrtools
    duplicity
    gnupg
    gocryptfs
    ifuse
    ipfs
    libimobiledevice
    libsecret  # for managing user keyrings
    lm_sensors  # for sensors-detect
    lshw
    ffmpeg
@@ -24,14 +27,16 @@ let
    # ponymix
    pulsemixer
    python3
-    rmlint
+    # python3Packages.eyeD3  # music tagging
    sane-scripts
    sequoia
    snapper
    sops
    speedtest-cli
    sqlite  # to debug sqlite3 databases
    ssh-to-age
    sudo
    # tageditor  # music tagging
    unar
    visidata
    w3m
@@ -53,9 +58,17 @@ let
    emote  # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
    evince  # works on phosh
-    fluffychat
+
    # { pkg = fluffychat-moby; dir = ".local/share/chat.fluffy.fluffychat"; }  # TODO: ship normal fluffychat on non-moby?
    foliate
    font-manager
    # XXX by default fractal stores its state in ~/.local/share/<UUID>.
    # after logging in, manually change ~/.local/share/keyrings/... to point it to some predictable subdir.
    # then reboot (so that libsecret daemon re-loads the keyring...?)
    { pkg = fractal-next; dir = ".local/share/fractal"; }
    gimp  # broken on phosh
    gnome.cheese
    gnome.dconf-editor
@@ -64,22 +77,34 @@ let
    gnome.gnome-disk-utility
    gnome.gnome-maps  # works on phosh
    gnome.nautilus
-    gnome-podcasts
+    # gnome-podcasts
    gnome.gnome-system-monitor
    gnome.gnome-terminal  # works on phosh
-    gpodder
+    gnome.gnome-weather
    { pkg = gpodder-configured; dir = "gPodder/Downloads"; }
    gthumb
    inkscape
    kid3  # audio tagging
    krita
    libreoffice-fresh  # XXX colin: maybe don't want this on mobile
    lollypop
    mesa-demos
    { pkg = mpv; dir = ".config/mpv/watch_later"; }
    networkmanagerapplet
    # not strictly necessary, but allows caching articles; offline use, etc.
    { pkg = newsflash; dir = ".local/share/news-flash"; }
    # settings (electron app). TODO: can i manage these settings with home-manager?
    { pkg = obsidian; dir = ".config/obsidian"; }
    pavucontrol
    picard  # music tagging
    playerctl
    soundconverter
    # sublime music persists any downloaded albums here.
@@ -88,8 +113,12 @@ let
    #   possible to pass config as a CLI arg (sublime-music -c config.json)
    { pkg = sublime-music; dir = ".local/share/sublime-music"; }
    tdesktop  # broken on phosh
-    vlc  # works on phosh
+
    # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
    { pkg = vlc; persist-files = [ ".config/vlc/vlc-qt-interface.conf" ]; }
    whalebird # pleroma client. input is broken on phosh
    xdg-utils  # for xdg-open
    xterm  # broken on phosh
  ]
  ++ (if pkgs.system == "x86_64-linux" then
@@ -103,8 +132,8 @@ let
      nss = pkgs.nss_latest;
    }); in { pkg = discord; dir = ".config/discord"; })
-    # kaiteki  # Pleroma client
+    kaiteki  # Pleroma client
-    # gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
+    gnome.zenity # for kaiteki (it will use qarma, kdialog, or zenity)
    logseq
    losslesscut-bin
@@ -127,16 +156,19 @@ let
  ] else []);
  # useful devtools:
-  # bison
+  devPkgs = [
-  # dtc
+    bison
-  # flex
+    dtc
-  # gcc
+    flex
-  # gcc-arm-embedded
+    gcc
-  # gcc_multi
+    gdb
-  # gnumake
+    # gcc-arm-embedded
-  # mix2nix
+    # gcc_multi
-  # rustup
+    gnumake
-  # swig
+    mix2nix
    rustup
    swig
  ];
 in
 {
  options = {
@@ -144,9 +176,18 @@ in
      default = false;
      type = types.bool;
    };
    sane.home-packages.enableDevPkgs = mkOption {
      description = ''
        enable packages that are useful for building other software by hand.
        you should prefer to keep this disabled except when prototyping, e.g. packaging new software.
      '';
      default = false;
      type = types.bool;
    };
  };
  config = {
    sane.home-manager.extraPackages = universalPkgs
-      ++ (if cfg.enableGuiPkgs then guiPkgs else []);
+      ++ (if cfg.enableGuiPkgs then guiPkgs else [])
      ++ (if cfg.enableDevPkgs then devPkgs else []);
  };
 }
--- a/modules/universal/fs.nix
+++ b/modules/universal/fs.nix
@@ -28,31 +28,37 @@ in
    device = "colin@uninsane.org:/var/lib/uninsane/media";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
    noCheck = true;
  };
  fileSystems."/mnt/servo-media-lan" = {
    device = "colin@servo:/var/lib/uninsane/media";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
    noCheck = true;
  };
  fileSystems."/mnt/servo-root-wan" = {
    device = "colin@uninsane.org:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
    noCheck = true;
  };
  fileSystems."/mnt/servo-root-lan" = {
    device = "colin@servo:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
    noCheck = true;
  };
  fileSystems."/mnt/desko-home" = {
    device = "colin@desko:/home/colin";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsColin;
    noCheck = true;
  };
  fileSystems."/mnt/desko-root" = {
    device = "colin@desko:/";
    inherit (sshOpts) fsType;
    options = sshOpts.optionsRoot;
    noCheck = true;
  };
  environment.systemPackages = [
--- a/modules/universal/net.nix
+++ b/modules/universal/net.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:
 {
  # if using router's DNS, these mappings will already exist.
@@ -8,5 +8,62 @@
    "192.168.0.5" = [ "servo" ];
    "192.168.0.20" = [ "lappy" ];
    "192.168.0.22" = [ "desko" ];
    "192.168.0.48" = [ "moby" ];
  };
  # the default backend is "wpa_supplicant".
  # wpa_supplicant reliably picks weak APs to connect to.
  # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>
  # iwd is an alternative that shouldn't have this problem
  # docs:
  # - <https://nixos.wiki/wiki/Iwd>
  # - <https://iwd.wiki.kernel.org/networkmanager>
  # use `iwctl` to control
  networking.wireless.iwd.enable = true;
  networking.networkmanager.wifi.backend = "iwd";
  system.activationScripts.linkIwdKeys = let
    unwrapped = ../../scripts/install-iwd;
    install-iwd = pkgs.writeShellApplication {
      name = "install-iwd";
      runtimeInputs = with pkgs; [ coreutils gnused ];
      text = ''${unwrapped} "$@"'';
    };
  in (lib.stringAfter
    [ "setupSecrets" ]
    ''
    mkdir -p /var/lib/iwd
    ${install-iwd}/bin/install-iwd /run/secrets/iwd /var/lib/iwd
    ''
  );
  # TODO: use a glob, or a list, or something?
  sops.secrets."iwd/community-university.psk" = {
    sopsFile = ../../secrets/universal/net/community-university.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/friend-libertarian-dod.psk" = {
    sopsFile = ../../secrets/universal/net/friend-libertarian-dod.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/friend-rationalist-empathist.psk" = {
    sopsFile = ../../secrets/universal/net/friend-rationalist-empathist.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-bedroom.psk" = {
    sopsFile = ../../secrets/universal/net/home-bedroom.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared-24G.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared-24G.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/home-shared.psk" = {
    sopsFile = ../../secrets/universal/net/home-shared.psk.bin;
    format = "binary";
  };
  sops.secrets."iwd/iphone" = {
    sopsFile = ../../secrets/universal/net/iphone.psk.bin;
    format = "binary";
  };
 }
--- a/modules/universal/secrets.nix
+++ b/modules/universal/secrets.nix
@@ -29,7 +29,7 @@
  #   $ cat /run/secrets/example_key
  # sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
-  # This will add secrets.yml to the nix store
+  # This will add secrets.yaml to the nix store
  # You can avoid this by adding a string to the full path instead, i.e.
  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
  sops.defaultSopsFile = ./../../secrets/universal.yaml;
--- a/modules/universal/users.nix
+++ b/modules/universal/users.nix
@@ -52,9 +52,19 @@ in
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
-        # moby doesn't need to login to any other devices yet
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
        # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
      ];
      pamMount = {
        # mount encrypted stuff at login
        # requires that login password == fs encryption password
        # fstype = "fuse";
        # path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
        fstype = "fuse.gocryptfs";
        path = "/nix/persist/home/colin/private";
        mountpoint = "/home/colin/private";
        options="nodev,nosuid,quiet,allow_other";
      };
    };
    sane.impermanence.service-dirs = mkIf cfg.guest.enable [
@@ -100,6 +110,8 @@ in
    users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
    users.users.nscd.uid = config.sane.allocations.nscd-uid;
    users.groups.nscd.gid = config.sane.allocations.nscd-gid;
    users.users.systemd-oom.uid = config.sane.allocations.systemd-oom-uid;
    users.groups.systemd-oom.gid = config.sane.allocations.systemd-oom-gid;
    # guarantee determinism in uid/gid generation for users:
    assertions = let
--- a/nixpatches/04-dart-2.7.0.patch
+++ b/nixpatches/04-dart-2.7.0.patch
@@ -1,302 +0,0 @@
 diff --git a/pkgs/development/compilers/flutter/default.nix b/pkgs/development/compilers/flutter/default.nix
 index 9eba6773448..f51aeb8b624 100644
 --- a/pkgs/development/compilers/flutter/default.nix
 +++ b/pkgs/development/compilers/flutter/default.nix
@@ -4,20 +4,20 @@ let
   getPatches = dir:
     let files = builtins.attrNames (builtins.readDir dir);
     in map (f: dir + ("/" + f)) files;
 -  version = "2.10.1";
 +  version = "3.0.0";
   channel = "stable";
   filename = "flutter_linux_${version}-${channel}.tar.xz";
   # Decouples flutter derivation from dart derivation,
   # use specific dart version to not need to bump dart derivation when bumping flutter.
 -  dartVersion = "2.16.1";
 +  dartVersion = "2.17.0";
   dartSourceBase = "https://storage.googleapis.com/dart-archive/channels";
   dartForFlutter = dart.override {
     version = dartVersion;
     sources = {
       "${dartVersion}-x86_64-linux" = fetchurl {
         url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-x64-release.zip";
 -        sha256 = "sha256-PMY6DCFQC8XrlnFzOEPcwgBAs5/cAvNd78969Z+I1Fk=";
 +        sha256 = "57b8fd964e47c81d467aeb95b099a670ab7e8f54a1cd74d45bcd1fdc77913d86";
       };
     };
   };
@@ -29,7 +29,7 @@ in {
     pname = "flutter";
     src = fetchurl {
       url = "https://storage.googleapis.com/flutter_infra_release/releases/${channel}/linux/${filename}";
 -      sha256 = "sha256-rSfwcglDV2rvJl10j7FByAWmghd2FYxrlkgYnvRO54Y=";
 +      sha256 = "e96d75ec8e7dc2a46bc8dad5a9e01c391ab9310ad01c4e3940c963dd263788a0";
     };
     patches = getPatches ./patches;
   };
 diff --git a/pkgs/development/compilers/flutter/flutter.nix b/pkgs/development/compilers/flutter/flutter.nix
 index 43538ede339..ece25c14b55 100644
 --- a/pkgs/development/compilers/flutter/flutter.nix
 +++ b/pkgs/development/compilers/flutter/flutter.nix
@@ -56,12 +56,15 @@ let
       export STAMP_PATH="$FLUTTER_ROOT/bin/cache/flutter_tools.stamp"
       export DART_SDK_PATH="${dart}"
 +      export DART="${dart}/bin/dart"
       HOME=../.. # required for pub upgrade --offline, ~/.pub-cache
                  # path is relative otherwise it's replaced by /build/flutter
 +      # mkdir -p "$HOME/.cache"
 +      # ln -sf "$FLUTTER_ROOT" "$HOME/.cache/flutter"
       pushd "$FLUTTER_TOOLS_DIR"
 -      ${dart}/bin/pub get --offline
 +      ${dart}/bin/dart pub get --offline
       popd
       local revision="$(cd "$FLUTTER_ROOT"; git rev-parse HEAD)"
 diff --git a/pkgs/development/compilers/flutter/patches/git-dir.patch b/pkgs/development/compilers/flutter/patches/git-dir.patch
 new file mode 100644
 index 00000000000..0c736f945ea
 --- /dev/null
 +++ b/pkgs/development/compilers/flutter/patches/git-dir.patch
@@ -0,0 +1,102 @@
 +diff --git a/dev/bots/prepare_package.dart b/dev/bots/prepare_package.dart
 +index 468a91a954..5def6897ce 100644
 +--- a/dev/bots/prepare_package.dart
 ++++ b/dev/bots/prepare_package.dart
 +@@ -525,7 +525,7 @@ class ArchiveCreator {
 + 
 +   Future<String> _runGit(List<String> args, {Directory? workingDirectory}) {
 +     return _processRunner.runProcess(
 +-      <String>['git', ...args],
 ++      <String>['git', '--git-dir', '.git', ...args],
 +       workingDirectory: workingDirectory ?? flutterRoot,
 +     );
 +   }
 +diff --git a/packages/flutter_tools/lib/src/commands/downgrade.dart b/packages/flutter_tools/lib/src/commands/downgrade.dart
 +index bb0eb428a9..4a2a48bb5e 100644
 +--- a/packages/flutter_tools/lib/src/commands/downgrade.dart
 ++++ b/packages/flutter_tools/lib/src/commands/downgrade.dart
 +@@ -118,7 +118,7 @@ class DowngradeCommand extends FlutterCommand {
 +     // Detect unknown versions.
 +     final ProcessUtils processUtils = _processUtils!;
 +     final RunResult parseResult = await processUtils.run(<String>[
 +-      'git', 'describe', '--tags', lastFlutterVersion,
 ++      'git', '--git-dir', '.git', 'describe', '--tags', lastFlutterVersion,
 +     ], workingDirectory: workingDirectory);
 +     if (parseResult.exitCode != 0) {
 +       throwToolExit('Failed to parse version for downgrade:\n${parseResult.stderr}');
 +@@ -191,7 +191,7 @@ class DowngradeCommand extends FlutterCommand {
 +         continue;
 +       }
 +       final RunResult parseResult = await _processUtils!.run(<String>[
 +-        'git', 'describe', '--tags', sha,
 ++        'git', '--git-dir', '.git', 'describe', '--tags', sha,
 +       ], workingDirectory: workingDirectory);
 +       if (parseResult.exitCode == 0) {
 +         buffer.writeln('Channel "${getNameForChannel(channel)}" was previously on: ${parseResult.stdout}.');
 +diff --git a/packages/flutter_tools/lib/src/version.dart b/packages/flutter_tools/lib/src/version.dart
 +index f2068a6ca2..99b161689e 100644
 +--- a/packages/flutter_tools/lib/src/version.dart
 ++++ b/packages/flutter_tools/lib/src/version.dart
 +@@ -106,7 +106,7 @@ class FlutterVersion {
 +     String? channel = _channel;
 +     if (channel == null) {
 +       final String gitChannel = _runGit(
 +-        'git rev-parse --abbrev-ref --symbolic @{u}',
 ++        'git --git-dir .git rev-parse --abbrev-ref --symbolic @{u}',
 +         globals.processUtils,
 +         _workingDirectory,
 +       );
 +@@ -114,7 +114,7 @@ class FlutterVersion {
 +       if (slash != -1) {
 +         final String remote = gitChannel.substring(0, slash);
 +         _repositoryUrl = _runGit(
 +-          'git ls-remote --get-url $remote',
 ++          'git --git-dir .git ls-remote --get-url $remote',
 +           globals.processUtils,
 +           _workingDirectory,
 +         );
 +@@ -326,7 +326,7 @@ class FlutterVersion {
 +   /// the branch name will be returned as `'[user-branch]'`.
 +   String getBranchName({ bool redactUnknownBranches = false }) {
 +     _branch ??= () {
 +-      final String branch = _runGit('git rev-parse --abbrev-ref HEAD', globals.processUtils);
 ++      final String branch = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', globals.processUtils);
 +       return branch == 'HEAD' ? channel : branch;
 +     }();
 +     if (redactUnknownBranches || _branch!.isEmpty) {
 +@@ -359,7 +359,7 @@ class FlutterVersion {
 +   /// wrapper that does that.
 +   @visibleForTesting
 +   static List<String> gitLog(List<String> args) {
 +-    return <String>['git', '-c', 'log.showSignature=false', 'log'] + args;
 ++    return <String>['git', '-c', 'log.showSignature=false', '--git-dir', '.git', 'log'] + args;
 +   }
 + 
 +   /// Gets the release date of the latest available Flutter version.
 +@@ -730,7 +730,7 @@ class GitTagVersion {
 + 
 +   static GitTagVersion determine(ProcessUtils processUtils, {String? workingDirectory, bool fetchTags = false, String gitRef = 'HEAD'}) {
 +     if (fetchTags) {
 +-      final String channel = _runGit('git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
 ++      final String channel = _runGit('git --git-dir .git rev-parse --abbrev-ref HEAD', processUtils, workingDirectory);
 +       if (channel == 'dev' || channel == 'beta' || channel == 'stable') {
 +         globals.printTrace('Skipping request to fetchTags - on well known channel $channel.');
 +       } else {
 +@@ -739,7 +739,7 @@ class GitTagVersion {
 +     }
 +     // find all tags attached to the given [gitRef]
 +     final List<String> tags = _runGit(
 +-      'git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
 ++      'git --git-dir .git tag --points-at $gitRef', processUtils, workingDirectory).trim().split('\n');
 + 
 +     // Check first for a stable tag
 +     final RegExp stableTagPattern = RegExp(r'^\d+\.\d+\.\d+$');
 +@@ -760,7 +760,7 @@ class GitTagVersion {
 +     // recent tag and number of commits past.
 +     return parse(
 +       _runGit(
 +-        'git describe --match *.*.* --long --tags $gitRef',
 ++        'git --git-dir .git describe --match *.*.* --long --tags $gitRef',
 +         processUtils,
 +         workingDirectory,
 +       )
 diff --git a/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
 new file mode 100644
 index 00000000000..f68029eb7a1
 --- /dev/null
 +++ b/pkgs/development/compilers/flutter/patches/revert-frontend_server_cache.patch
@@ -0,0 +1,130 @@
 +diff --git a/packages/flutter_tools/lib/src/artifacts.dart b/packages/flutter_tools/lib/src/artifacts.dart
 +index 2aac9686e8..32c4b98b88 100644
 +--- a/packages/flutter_tools/lib/src/artifacts.dart
 ++++ b/packages/flutter_tools/lib/src/artifacts.dart
 +@@ -346,10 +346,10 @@ class CachedArtifacts implements Artifacts {
 +   ) {
 +     switch (artifact) {
 +       case HostArtifact.engineDartSdkPath:
 +-        final String path = _dartSdkPath(_cache);
 ++        final String path = _dartSdkPath(_fileSystem);
 +         return _fileSystem.directory(path);
 +       case HostArtifact.engineDartBinary:
 +-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
 ++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', _hostArtifactToFileName(artifact, _platform.isWindows));
 +         return _fileSystem.file(path);
 +       case HostArtifact.flutterWebSdk:
 +         final String path = _getFlutterWebSdkPath();
 +@@ -398,7 +398,7 @@ class CachedArtifacts implements Artifacts {
 +       case HostArtifact.dart2jsSnapshot:
 +       case HostArtifact.dartdevcSnapshot:
 +       case HostArtifact.kernelWorkerSnapshot:
 +-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 ++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 +         return _fileSystem.file(path);
 +       case HostArtifact.iosDeploy:
 +         final String artifactFileName = _hostArtifactToFileName(artifact, _platform.isWindows);
 +@@ -461,11 +461,13 @@ class CachedArtifacts implements Artifacts {
 +   String _getAndroidArtifactPath(Artifact artifact, TargetPlatform platform, BuildMode mode) {
 +     final String engineDir = _getEngineArtifactsPath(platform, mode)!;
 +     switch (artifact) {
 ++      case Artifact.frontendServerSnapshotForEngineDartSdk:
 ++        assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
 ++        return _fileSystem.path.join(engineDir, _artifactToFileName(artifact));
 +       case Artifact.genSnapshot:
 +         assert(mode != BuildMode.debug, 'Artifact $artifact only available in non-debug mode.');
 +         final String hostPlatform = getNameForHostPlatform(getCurrentHostPlatform());
 +         return _fileSystem.path.join(engineDir, hostPlatform, _artifactToFileName(artifact));
 +-      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +       case Artifact.constFinder:
 +       case Artifact.flutterFramework:
 +       case Artifact.flutterMacOSFramework:
 +@@ -497,13 +499,13 @@ class CachedArtifacts implements Artifacts {
 +     switch (artifact) {
 +       case Artifact.genSnapshot:
 +       case Artifact.flutterXcframework:
 ++      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +         final String artifactFileName = _artifactToFileName(artifact)!;
 +         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
 +         return _fileSystem.path.join(engineDir, artifactFileName);
 +       case Artifact.flutterFramework:
 +         final String engineDir = _getEngineArtifactsPath(platform, mode)!;
 +         return _getIosEngineArtifactPath(engineDir, environmentType, _fileSystem);
 +-      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +       case Artifact.constFinder:
 +       case Artifact.flutterMacOSFramework:
 +       case Artifact.flutterMacOSPodspec:
 +@@ -594,14 +596,10 @@ class CachedArtifacts implements Artifacts {
 +         // For script snapshots any gen_snapshot binary will do. Returning gen_snapshot for
 +         // android_arm in profile mode because it is available on all supported host platforms.
 +         return _getAndroidArtifactPath(artifact, TargetPlatform.android_arm, BuildMode.profile);
 +-      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +-        return _fileSystem.path.join(
 +-          _dartSdkPath(_cache), 'bin', 'snapshots',
 +-          _artifactToFileName(artifact),
 +-        );
 +       case Artifact.flutterTester:
 +       case Artifact.vmSnapshotData:
 +       case Artifact.isolateSnapshotData:
 ++      case Artifact.frontendServerSnapshotForEngineDartSdk:
 +       case Artifact.icuData:
 +         final String engineArtifactsPath = _cache.getArtifactDirectory('engine').path;
 +         final String platformDirName = _enginePlatformDirectoryName(platform);
 +@@ -797,7 +795,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
 +         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 +         return _fileSystem.file(path);
 +       case HostArtifact.dartdevcSnapshot:
 +-        final String path = _fileSystem.path.join(_dartSdkPath(_cache), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 ++        final String path = _fileSystem.path.join(_dartSdkPath(_fileSystem), 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 +         return _fileSystem.file(path);
 +       case HostArtifact.kernelWorkerSnapshot:
 +         final String path = _fileSystem.path.join(_hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', _hostArtifactToFileName(artifact, _platform.isWindows));
 +@@ -922,9 +920,7 @@ class CachedLocalEngineArtifacts implements LocalEngineArtifacts {
 +       case Artifact.windowsUwpCppClientWrapper:
 +         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
 +       case Artifact.frontendServerSnapshotForEngineDartSdk:
 +-        return _fileSystem.path.join(
 +-          _hostEngineOutPath, 'dart-sdk', 'bin', 'snapshots', artifactFileName,
 +-        );
 ++        return _fileSystem.path.join(_hostEngineOutPath, 'gen', artifactFileName);
 +       case Artifact.uwptool:
 +         return _fileSystem.path.join(_hostEngineOutPath, artifactFileName);
 +     }
 +@@ -1034,8 +1030,8 @@ class OverrideArtifacts implements Artifacts {
 + }
 + 
 + /// Locate the Dart SDK.
 +-String _dartSdkPath(Cache cache) {
 +-  return cache.getRoot().childDirectory('dart-sdk').path;
 ++String _dartSdkPath(FileSystem fileSystem) {
 ++  return fileSystem.path.join(Cache.flutterRoot!, 'bin', 'cache', 'dart-sdk');
 + }
 + 
 + class _TestArtifacts implements Artifacts {
 +diff --git a/packages/flutter_tools/test/general.shard/artifacts_test.dart b/packages/flutter_tools/test/general.shard/artifacts_test.dart
 +index d906511a15..adfdd4bb42 100644
 +--- a/packages/flutter_tools/test/general.shard/artifacts_test.dart
 ++++ b/packages/flutter_tools/test/general.shard/artifacts_test.dart
 +@@ -153,10 +153,6 @@ void main() {
 +         artifacts.getArtifactPath(Artifact.windowsUwpDesktopPath, platform: TargetPlatform.windows_uwp_x64, mode: BuildMode.release),
 +         fileSystem.path.join('root', 'bin', 'cache', 'artifacts', 'engine', 'windows-uwp-x64-release'),
 +       );
 +-      expect(
 +-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
 +-        fileSystem.path.join('root', 'bin', 'cache', 'dart-sdk', 'bin', 'snapshots', 'frontend_server.dart.snapshot')
 +-      );
 +     });
 + 
 +     testWithoutContext('precompiled web artifact paths are correct', () {
 +@@ -322,11 +318,6 @@ void main() {
 +         artifacts.getHostArtifact(HostArtifact.engineDartSdkPath).path,
 +         fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk'),
 +       );
 +-      expect(
 +-        artifacts.getArtifactPath(Artifact.frontendServerSnapshotForEngineDartSdk),
 +-        fileSystem.path.join('/out', 'host_debug_unopt', 'dart-sdk', 'bin',
 +-          'snapshots', 'frontend_server.dart.snapshot')
 +-      );
 +     });
 + 
 +     testWithoutContext('getEngineType', () {
--- a/nixpatches/10-flutter-arm64.patch
+++ b/nixpatches/10-flutter-arm64.patch
@@ -10,8 +10,8 @@ index 565c44f72e9..f20a3d4e9be 100644
 }:
 +let vendorHashes = {
-+  x86_64-linux = "sha256-PSZK5frmQGeiTuEJNZ6Fh8NXSLIrLnoOzQk1Xa4jqHw=";
+  x86_64-linux = "sha256-p5EJP2zSvWyRV1uyTHw0EpFsEwAGtX5B9WVjpLmnVew=";
-+  aarch64-linux = "sha256-gPz/j7oHO2f3DVNNy7DpY/8XTjWt2Kcf3XjFmH81HDs=";
+  aarch64-linux = "sha256-Ps0HmDI6BFxHrLRq3KWNk4hw0qneq5hqB/Mp99f+hO4=";
 +};
 +in
 flutter.mkFlutterApp rec {
@@ -33,7 +33,7 @@ index 9eba6773448..e9d352169b2 100644
       };
 +      "${dartVersion}-aarch64-linux" = fetchurl {
 +        url = "${dartSourceBase}/stable/release/${dartVersion}/sdk/dartsdk-linux-arm64-release.zip";
-+        sha256 = "sha256-3p0cUoNn+Du9GSvVZa9bfZ1I9295uqTA5M9kcj4/uL4=";
+        sha256 = "sha256-BIK6kUx+m+/GfR/wBXv8rjVNbP6w1HFvH/RGIwiaJog=";
 +      };
     };
   };
--- a/nixpatches/list.nix
+++ b/nixpatches/list.nix
@@ -1,24 +1,54 @@
 fetchpatch: [
  # phosh-mobile-settings: init at 0.21.1
  (fetchpatch {
    url = "http://git.uninsane.org/colin/nixpkgs/commit/0c1a7e8504291eb0076bbee3f8ebf693f4641112.diff";
    # url = "https://github.com/NixOS/nixpkgs/pull/193845.diff";
    sha256 = "sha256-OczjlQcG7sTM/V9Y9VL/qdwaWPKfjAJsh3czqqhRQig=";
  })
  # # kaiteki: init at 2022-09-03
  # vendorHash changes too frequently (might not be reproducible).
  # using local package defn until stabilized
  # (fetchpatch {
  #   url = "https://git.uninsane.org/colin/nixpkgs/commit/e2c7f5f4870fcb0e5405e9001b39a64c516852d4.diff";
  #   # url = "https://github.com/NixOS/nixpkgs/pull/193169.diff";
  #   sha256 = "sha256-UWnfS+stVpUZ3Sfaym9XtVBlwvHWJVMaW7cYIcf3M5Q=";
  # })
  # freshrss: patchShebangs instead of specifying interpreter in the service
  (fetchpatch {
    # url = "https://git.uninsane.org/colin/nixpkgs/commit/9443d83e6fee728c1926a783647b45011bd3b514.diff";
    url = "https://github.com/NixOS/nixpkgs/pull/196140.diff";
    sha256 = "sha256-Lngle5YTE7ymQyUarKbebMjiaTlY5cJBoaeZk7AgbXE=";
  })
  # nautilus: look for the gtk4 FileChooser settings instead of the gtk4 one
  (fetchpatch {
    # original version (include the patch in nixpkgs)
    # url = "https://git.uninsane.org/colin/nixpkgs/commit/4636a04c1c4982a0e71ae77d3aa6f52d1a3170f1.diff";
    # sha256 = "sha256-XKfXStdcveYuk58rlORVJOv0a9Q5aRj1bYT5k79rL0g=";
    # v2 (fetchpatch from upstream PR)
    # url = "https://git.uninsane.org/colin/nixpkgs/commit/730a802808c549220144e4e62aa419bb07c5ae29.diff";
    url = "https://github.com/NixOS/nixpkgs/pull/195985.diff";
    sha256 = "sha256-zd7WGOTm3ygh0Wk3uiA+1S+RqD9yWDSXvo7veHs0K00=";
  })
  # Fix mk flutter app
  # closed (not merged). updates fluffychat 1.2.0 -> 1.6.1, but unstable hashing
  # (fetchpatch {
  #   url = "https://github.com/NixOS/nixpkgs/pull/186839.diff";
  #   sha256 = "sha256-NdIfie+eTy4V1vgqiiRPtWdnxZ5ZHsvCMfkEDUv9SC8=";
  # })
  # for raspberry pi: allow building u-boot for rpi 4{,00}
  # TODO: remove after upstreamed: https://github.com/NixOS/nixpkgs/pull/176018
  #   (it's a dupe of https://github.com/NixOS/nixpkgs/pull/112677 )
  ./02-rpi4-uboot.patch
  (fetchpatch {
    url = "https://github.com/NixOS/nixpkgs/pull/186839.diff";
    sha256 = "sha256-NdIfie+eTy4V1vgqiiRPtWdnxZ5ZHsvCMfkEDUv9SC8=";
  })
  # # # Flutter: 3.0.4->3.3.2, flutter.dart: 2.17.5->2.18.1
  # # (fetchpatch {
  # #   url = "https://github.com/NixOS/nixpkgs/pull/189338.diff";
  # #   sha256 = "sha256-MppSk1D3qQT8Z4lzEZ93UexoidT8yqM7ASPec4VvxCI=";
  # # })
  # enable aarch64 support for flutter's dart package
  ./10-flutter-arm64.patch
  # TODO: upstream
  ./07-duplicity-rich-url.patch
  # enable aarch64 support for flutter's dart package
  # ./10-flutter-arm64.patch
 ]
--- a/pkgs/fluffychat-moby/default.nix
+++ b/pkgs/fluffychat-moby/default.nix
@@ -0,0 +1,20 @@
 { pkgs }:
 (pkgs.symlinkJoin {
  name = "fluffychat-moby";
  paths = [ pkgs.fluffychat ];
  buildInputs = [ pkgs.makeWrapper ];
  # ordinary fluffychat on moby displays blank window;
  # > Failed to start Flutter renderer: Unable to create a GL context
  # this is temporarily solved by using software renderer
  # - see https://github.com/flutter/flutter/issues/106941
  postBuild = ''
    wrapProgram $out/bin/fluffychat \
      --set LIBGL_ALWAYS_SOFTWARE 1
    # fix up the .desktop file to invoke our wrapped fluffychat
    orig_desktop=$(readlink $out/share/applications/Fluffychat.desktop)
    unlink $out/share/applications/Fluffychat.desktop
    sed "s:Exec=.*:Exec=$out/bin/fluffychat:" $orig_desktop > $out/share/applications/Fluffychat.desktop
  '';
 })
--- a/pkgs/gocryptfs/default.nix
+++ b/pkgs/gocryptfs/default.nix
@@ -0,0 +1,15 @@
 { pkgs, lib, ... }:
 (pkgs.gocryptfs.overrideAttrs (upstream: {
  # XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
  # unless `logger` (util-linux) is accessible from gocryptfs.
  # this is surprising: the code LOOKS like it's meant to handle logging failures.
  # propagating util-linux through either `environment.systemPackages` or `security.pam.mount.additionalSearchPaths` DOES NOT WORK.
  #
  # TODO: see about upstreaming this
  postInstall = ''
    wrapProgram $out/bin/gocryptfs \
      --suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
    ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
  '';
 }))
--- a/pkgs/gpodder-configured/default.nix
+++ b/pkgs/gpodder-configured/default.nix
@@ -0,0 +1,24 @@
 { pkgs
 , writeShellScript
 , config
 }:
 (pkgs.symlinkJoin {
  name = "gpodder-configured";
  paths = [ pkgs.gpodder ];
  buildInputs = [ pkgs.makeWrapper ];
  # gpodder keeps all its feeds in a sqlite3 database.
  # we can configure the feeds externally by wrapping gpodder and just instructing it to import
  # a feedlist every time we run it.
  # repeat imports are deduplicated -- assuming network access (not sure how it behaves when disconnected).
  postBuild = ''
    makeWrapper $out/bin/gpodder $out/bin/gpodder-configured \
      --run "$out/bin/gpo import ~/.config/gpodderFeeds.opml"
    # fix up the .desktop file to invoke our wrapped application
    orig_desktop=$(readlink $out/share/applications/gpodder.desktop)
    unlink $out/share/applications/gpodder.desktop
    sed "s:Exec=.*:Exec=$out/bin/gpodder-configured:" $orig_desktop > $out/share/applications/gpodder.desktop
  '';
 })
--- a/pkgs/kaiteki/default.nix
+++ b/pkgs/kaiteki/default.nix
@@ -2,39 +2,63 @@
 , fetchFromGitHub
 , flutter
 , makeDesktopItem
 , imagemagick
 , xdg-user-dirs
 }:
 flutter.mkFlutterApp rec {
  pname = "kaiteki";
-  version = "unstable-2022-06-03";
+  version = "unstable-2022-09-03";
-  # this hash seems unstable -- depends on other nixpkgs, perhaps?
+  vendorHash = "sha256-CXEaQeXEY5PYpcoqmPcRfcyaFsEDZ8bq1pgApmjyp0c=";
  vendorHash = "sha256-IC3FAPFASuMcNOpUuaB+MDcm9nqGCtq/6A2dCxIXHEg=";
  src = fetchFromGitHub {
    owner = "Kaiteki-Fedi";
    repo = "Kaiteki";
-    rev = "0a322313071e4391949d23d9b006d74de65f58d9";
+    rev = "fd1e26c98f37ad6a98ed549da879c91721f997d0";
-    hash = "sha256-ggDIbVwueS162m15TFaC6Tcg+0lpcVGi4x/O691sxR8";
+    hash = "sha256-N7n6o/B9s0DCYf9HFMZSCPShpE65wKl9FaQ5dbFnr1E=";
    fetchSubmodules = true;
  };
-  desktopItems = [ (makeDesktopItem {
+  nativeBuildInputs = [ imagemagick ];
  desktopItem = makeDesktopItem {
    name = "Kaiteki";
-    exec = "kaiteki";
+    exec = "@out@/bin/kaiteki";
    icon = "kaiteki";
    desktopName = "Kaiteki";
    genericName = "Micro-blogging client";
    comment = meta.description;
    categories = [ "Network" "InstantMessaging" "GTK" ];
-  }) ];
+  };
  sourceRoot = "source/src/kaiteki";
  postInstall = ''
    wrapProgram $out/bin/kaiteki \
      --prefix PATH : "${xdg-user-dirs}/bin"
    FAV=$out/app/data/flutter_assets/assets/icon.png
    ICO=$out/share/icons
    install -D $FAV $ICO/kaiteki.png
    for s in 24 32 42 64 128 256 512; do
      D=$ICO/hicolor/''${s}x''${s}/apps
      mkdir -p $D
      convert $FAV -resize ''${s}x''${s} $D/kaiteki.png
    done
    mkdir $out/share/applications
    cp $desktopItem/share/applications/*.desktop $out/share/applications
    substituteInPlace $out/share/applications/*.desktop \
      --subst-var out
  '';
  meta = with lib; {
    description = "The comfy Fediverse client";
    homepage = "https://craftplacer.moe/projects/kaiteki/";
    license = licenses.agpl3Plus;
-    # maintainers = with maintainers; [ colinsane ];
+    maintainers = with maintainers; [ colinsane ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/lightdm-mobile-greeter/default.nix
+++ b/pkgs/lightdm-mobile-greeter/default.nix
@@ -0,0 +1,53 @@
 { lib
 , fetchFromGitea
 , gtk3
 , libhandy_0
 , lightdm
 , pkgs
 , linkFarm
 , pkg-config
 , rustPlatform
 }:
 rustPlatform.buildRustPackage rec {
  pname = "lightdm-mobile-greeter";
  version = "0.1.2";
  src = fetchFromGitea {
    domain = "git.uninsane.org";
    owner = "colin";
    repo = "lightdm-mobile-greeter";
    rev = "v${version}";
    hash = "sha256-x7tpaHYDg6BPIc3k3zzPvZma0RYuGAMQ/z6vAP0wbWs=";
  };
  cargoHash = "sha256-5WJGnLdZd4acKPEkkTS71n4gfxhlujHWnwiMsomTYck=";
  buildInputs = [
    gtk3
    libhandy_0
    lightdm
  ];
  nativeBuildInputs = [
    pkg-config
  ];
  postInstall = ''
    mkdir -p $out/share/applications
    substitute lightdm-mobile-greeter.desktop \
      $out/share/applications/lightdm-mobile-greeter.desktop \
      --replace lightdm-mobile-greeter $out/bin/lightdm-mobile-greeter
  '';
  passthru.xgreeters = linkFarm "lightdm-mobile-greeter-xgreeters" [{
    path = "${pkgs.lightdm-mobile-greeter}/share/applications/lightdm-mobile-greeter.desktop";
    name = "lightdm-mobile-greeter.desktop";
  }];
  meta = with lib; {
    description = "A simple log in screen for use on touch screens.";
    homepage = "https://git.uninsane.org/colin/lightdm-mobile-greeter";
    maintainers = with maintainers; [ colinsane ];
    platforms = platforms.linux;
    license = licenses.mit;
  };
 }
--- a/pkgs/linux-megous/default.nix
+++ b/pkgs/linux-megous/default.nix
@@ -3,7 +3,7 @@
 with lib;
 buildLinux (args // rec {
-  version = "5.18.14";
+  version = "6.0.0";
  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -14,8 +14,8 @@ buildLinux (args // rec {
  src = fetchFromGitHub {
    owner = "megous";
    repo = "linux";
-    # branch: orange-pi-5.18
+    # branch: orange-pi-6.0
-    rev = "3ef835b665191e4833ae1363245be48e96013df6";
+    rev = "b16232c6156de17e1dfdb63fdaea8e317baa07a7";
-    sha256 = "sha256-nQsBXeGLZhpem1p7Vnc8z7XB354AO1mn7VTj/hH5twY=";
+    sha256 = "sha256-Tb05IQKFdX/T7elGNnXTLVmgGLvXoeBFBq/8Q7jQhX0=";
  };
 } // (args.argsOverride or { }))
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -21,6 +21,8 @@
  };
  #### customized packages
  fluffychat-moby = prev.callPackage ./fluffychat-moby { pkgs = prev; };
  gpodder-configured = prev.callPackage ./gpodder-configured { pkgs = prev; };
  # nixos-unstable pleroma is too far out-of-date for our db
  pleroma = prev.callPackage ./pleroma { };
  # jackett doesn't allow customization of the bind address: this will probably always be here.
@@ -33,8 +35,13 @@
  # patch rpi uboot with something that fixes USB HDD boot
  ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
  gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
  #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
  kaiteki = prev.callPackage ./kaiteki { };
  lightdm-mobile-greeter = prev.callPackage ./lightdm-mobile-greeter { pkgs = next; };
  # kaiteki = prev.kaiteki;
  # TODO: upstream, or delete nabla
  nabla = prev.callPackage ./nabla { };
 })
--- a/pkgs/pleroma/default.nix
+++ b/pkgs/pleroma/default.nix
@@ -49,6 +49,8 @@ beamPackages.mixRelease rec {
    done
  '' else "";
  stripDebug = false;
  mixNixDeps = import ./mix.nix {
    inherit beamPackages lib;
    overrides = (final: prev: {
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -23,8 +23,9 @@ resholve.mkDerivation {
        file
        findutils
        gnugrep
        gocryptfs
        ifuse
-        inotifyTools
+        inotify-tools
        ncurses
        oath-toolkit
        openssh
@@ -33,6 +34,7 @@ resholve.mkDerivation {
        ssh-to-age
        sops
        sudo
        util-linux
        which
      ];
      keep = {
@@ -53,14 +55,15 @@ resholve.mkDerivation {
      };
      # list of programs which *can* or *cannot* exec their arguments
-      execer = [
+      execer = with pkgs; [
-        "cannot:${pkgs.ifuse}/bin/ifuse"
+        "cannot:${gocryptfs}/bin/gocryptfs"
-        "cannot:${pkgs.oath-toolkit}/bin/oathtool"
+        "cannot:${ifuse}/bin/ifuse"
-        "cannot:${pkgs.openssh}/bin/ssh-keygen"
+        "cannot:${oath-toolkit}/bin/oathtool"
-        "cannot:${pkgs.rmlint}/bin/rmlint"
+        "cannot:${openssh}/bin/ssh-keygen"
-        "cannot:${pkgs.rsync}/bin/rsync"
+        "cannot:${rmlint}/bin/rmlint"
-        "cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
+        "cannot:${rsync}/bin/rsync"
-        "cannot:${pkgs.sops}/bin/sops"
+        "cannot:${sops}/bin/sops"
        "cannot:${ssh-to-age}/bin/ssh-to-age"
      ];
    };
  };
--- a/pkgs/sane-scripts/src/sane-mount-servo
+++ b/pkgs/sane-scripts/src/sane-mount-servo
@@ -15,4 +15,5 @@ then
 fi
 # symlink the fastest mount point into place
 # uncomment if i see the bug again: sudo unlink /mnt/servo-media  # XXX ln gets confused if the destination is a symlink to a stale mount
 sudo ln -sf $mnt /mnt/servo-media
--- a/pkgs/sane-scripts/src/sane-mount-servo-root
+++ b/pkgs/sane-scripts/src/sane-mount-servo-root
@@ -15,4 +15,5 @@ then
 fi
 # symlink the fastest mount point into place
 # uncomment if i see the bug again: sudo unlink /mnt/servo-root  # XXX ln gets confused if the destination is a symlink to a stale mount
 sudo ln -sf $mnt /mnt/servo-root
--- a/pkgs/sane-scripts/src/sane-private-init
+++ b/pkgs/sane-scripts/src/sane-private-init
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 set -ex
 # configure persistent, encrypted storage that is auto-mounted on login.
 # this is a one-time setup and user should log out/back in after running it.
 p=/nix/persist/home/colin/private
 mkdir -p $p
 gocryptfs -init $p
--- a/pkgs/sane-scripts/src/sane-reclaim-disk-space
+++ b/pkgs/sane-scripts/src/sane-reclaim-disk-space
@@ -1,17 +1,41 @@
 #!/usr/bin/env bash
 set -ex
 # script to reclaim some hard drive space
 set -e
 options=$(getopt -l "fast" -o "f" -- "$@")
 do_rmlint=true
 for arg in $options; do
  case $arg in
    -f|--fast)
      do_rmlint=false
      ;;
    --)
      ;;
  esac
 done
 set -x
 # always claim nix garbage
 sudo nix-collect-garbage
-# identify duplicate files in the nix store
+
-rmlint --types="duplicates" --config=sh:handler=clone --output=sh:/tmp/rmlint.sh --output=json:/dev/null --progress /nix/store
+if [ $do_rmlint = true ]
-# link the dupes together (uses ioctl_fideduperange)
+then
-#   see: https://btrfs.wiki.kernel.org/index.php/Deduplication
+  # identify duplicate files in the nix store
-#   see: https://rmlint.readthedocs.io/en/latest/tutorial.html
+  rmlint --types="duplicates" --config=sh:handler=clone --output=sh:/tmp/rmlint.sh --output=json:/dev/null --progress /nix/store
-sudo mount -o remount,rw /nix/store
+  # link the dupes together (uses ioctl_fideduperange)
-# XXX: does rmlint really need to be invoked as root?
+  #   see: https://btrfs.wiki.kernel.org/index.php/Deduplication
-sudo /tmp/rmlint.sh -d || true  # on failure, we still want to remount ro
+  #   see: https://rmlint.readthedocs.io/en/latest/tutorial.html
-# XXX this doesn't work: 'mount point is busy.'
+fi
-sudo mount -o remount,ro /nix/store
+
 if [ $do_rmlint = true ]
 then
  sudo mount -o remount,rw /nix/store
  # XXX: does rmlint really need to be invoked as root?
  sudo /tmp/rmlint.sh -d || true  # on failure, we still want to remount ro
  # XXX this doesn't work: 'mount point is busy.'
  sudo mount -o remount,ro /nix/store
 fi
 # TODO: instead of using rmlint, could use dduper: https://github.com/Lakshmipathi/dduper
 #   better perf for btrfs (checksum tests)
--- a/pkgs/zecwallet-lite/default.nix
+++ b/pkgs/zecwallet-lite/default.nix
@@ -1,30 +0,0 @@
 { lib, fetchurl, appimageTools }:
 appimageTools.wrapType2 rec {
  pname = "zecwallet-lite";
  version = "1.7.13";
  src = fetchurl {
    url = "https://github.com/adityapk00/zecwallet-lite/releases/download/v${version}/Zecwallet.Lite-${version}.AppImage";
    hash = "sha256-uBiLGHBgm0vurfvOJjJ+RqVoGnVccEHTFO2T7LDqUzU=";
  };
  extraInstallCommands =
    let contents = appimageTools.extract { inherit pname version src; };
    in ''
      mv $out/bin/${pname}-${version} $out/bin/${pname}
      install -m 444 -D ${contents}/${pname}.desktop -t $out/share/applications
      substituteInPlace $out/share/applications/${pname}.desktop \
        --replace 'Exec=AppRun' 'Exec=${pname}'
      cp -r ${contents}/usr/share/icons $out/share
    '';
  meta = with lib; {
    description = "A fully featured shielded wallet for Zcash";
    homepage = "https://www.zecwallet.co/";
    license = licenses.mit;
    maintainers = with maintainers; [ colinsane ];
    platforms = [ "x86_64-linux" ];
  };
 }
--- a/readme.md
+++ b/readme.md
@@ -1,9 +1,11 @@
 to deploy:
 ```sh
 nixos-rebuild --flake "./#servo" {build,switch}
 ```
 more options (like building packages defined in this repo):
 ```sh
 nix flake show
 ```
@@ -24,3 +26,22 @@ this can then be `dd`'d onto a disk and directly booted from a EFI system.
 there's some post-processing to do before running a rebuild on the deployed system (deploying ssh keys, optionally changing fs UUIDs, etc).
 refer to flake.nix for more details.
 ## building packages
 to build one of the custom sane packages, just name it:
 ```sh
 nix build ./#fluffychat-moby
 ```
 to build a nixpkg:
 ```sh
 nix build ./#nixpkgs.curl
 ```
 to build a package for another platform:
 ```sh
 nix build ./#packages.aarch64-linux.nixpkgs.ubootRaspberryPi4_64bit
 ```
--- a/scripts/init-keyring
+++ b/scripts/init-keyring
@@ -0,0 +1,18 @@
 #!/bin/sh
 # initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
 # this initializes it to be plaintext/unencrypted.
 if [ -f ~/.local/share/keyrings/default ]
 then
        echo 'keyring already initialized: not doing anything'
        exit 0
 fi
 keyring=~/.local/share/keyrings/Default_keyring.keyring
 echo 'initializing default user keyring:' "$keyring"
 echo '[keyring]' > "$keyring"
 echo 'display-name=Default keyring' >> "$keyring"
 echo 'lock-on-idle=false' >> "$keyring"
 echo 'lock-after=false' >> "$keyring"
 echo -n "Default_keyring" > ~/.local/share/keyrings/default
--- a/scripts/install-iwd
+++ b/scripts/install-iwd
@@ -0,0 +1,20 @@
 #!/bin/sh
 # usage: install-iwd.sh <source_dir> <dest_dir>
 # source_dir contains plain-text .psk files of any filename.
 # for each file, this extracts the SSID and creates a symlink in dest_dir which
 # points to the original file, using the SSID name as filename.
 #
 # this is because iwd extracts the SSID from the filename, but users might
 # prefer the SSID be kept separate from the filename.
 src_dir="$1"
 dest_dir="$2"
 for f in $(ls "$src_dir")
 do
        ssid=$(sed -rn 's/# SSID=(.*)/\1/p' "$src_dir/$f")
        # not sure that iwd can deal with un-writeable symlinks
        # ln -sf "$src_dir/$f" "$dest_dir/$ssid.psk"
        cp "$src_dir/$f" "$dest_dir/$ssid.psk"
        # not strictly necessary, but iwd does default to rw
        chmod 600 "$dest_dir/$ssid.psk"
 done
--- a/secrets/servo.yaml
+++ b/secrets/servo.yaml
@@ -7,6 +7,7 @@ wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2H
 #ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
 #ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
 dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
 freshrss_passwd: ENC[AES256_GCM,data:MilteAOk+MZjta+E7Zhxq80y,iv:VigZk0nNHvQNlm36jVN5YXY7bhxmx2CFBizbVFCA8O0=,tag:DKsxGsv53SsJsp3J7UIsgg==,type:str]
 #ENC[AES256_GCM,data:1zQ8X9W4ZGquYEjEsN8YNLhwBt6kaRCKYMjM8GiZbKzsaqwt/cFk+4cC85+QKWF0FNlX38Uba7bI2FvC8fTIO8eoZ5VymJ9Du3NcExE1976FSIze44FhtkSKQkm/vQw5cb2sPNKBGFLSNV/IpdPu,iv:xwv2+Fns0k2STkS760v9p1XZ5s2HAz3wLb8xyIOGTGA=,tag:OGtHxQgyWxGKtg5I9nJAag==,type:comment]
 nix_serve_privkey: ENC[AES256_GCM,data:JlLuslwyjKARo3Mo36SeRz6ctVuV+jzDMXACekaGs/UjP+Jm8PoxZsWjMcN+qq0tJB9xGMfi7TKHDi+XnK2k60h+7+yDyeqJQfjID6axMYmgxYUivq4CugutFVB27FmDPljUs2M7CRqe1IHrdjc=,iv:1iQVr9rP80hHCRSVD95KW7bpOWj3oZReJAvqa9TllJ8=,tag:6DDGtHF4suOyy2kcnqSDsQ==,type:str]
 #ENC[AES256_GCM,data:cyptbs4VfXY4P4+W5e2LRZOHkpqvWzn2JEpV80w8cIaQ0lTZa/Hg7IwDNQcsYobmBFO2yLrKawHDKlDos2fMy0KgIhUrw4f8WksxdC06oMqS0mDtgA==,iv:StB34bvA8GWR+7nwOOpsiJ3yqGgeSg5frAgRMhff8nw=,tag:b1LYFzII2Ik1nmGXxgMZuw==,type:comment]
@@ -46,8 +47,8 @@ sops:
            U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
            xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-10T08:38:03Z"
+    lastmodified: "2022-10-14T00:37:52Z"
-    mac: ENC[AES256_GCM,data:DroE9KGyV6hba0aPVYmwxpL8yXDa+AFsjyF5ttImW5bKzE9EM2I76APoGOyvOnnnbBRrOditWXA2HQzhf4M/7hq0CmLLph1J3I8xgEsaiJiExaKZQpQTBS/ZAHeygR/fvRcMmAY9VZRubv1iQ94rDkZ3C3UJ+8SMuwpdmdlaPYc=,iv:KkY0Kmd02QYx0Ds0LUY9tXz+AayKj6Y5p/rUO8sLYCc=,tag:gZDe+GOw2ULJ1yHONlt7bw==,type:str]
+    mac: ENC[AES256_GCM,data:qKr1aKWxuJWwjUYX+JWAdwHFAwApHm9hOYBgZxAIXbXHhOo04K1MFBDTsAvtvN1a11QtCJYDNuVNpuRu3bf/5Ji5ROTaKfQCgPk+ZScJuWpLsxchYV+TnlREwQI+qgvogyMKMlPInozgd7RNnsePdg7DtYFfGMAvUtX9OidxAXI=,iv:EAkNQkIqoXtRy+uSb7ccl9T5b6hiyRll/m76nhir9AI=,tag:kCDEBJDW34VgLQPd4V+uYA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/universal/net/community-university.psk.bin
+++ b/secrets/universal/net/community-university.psk.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:JJk6bnHkxhfMNecslbm/iA2hdnC/C1DdeiesZrkUpJru8DMBs9ExhcHcYSRfxwzcZ1FDPLv3a9Mnickgb9uIz9UWbNZBfPUg2xEIHIs=,iv:dWqSRR+tCSXch0OebLQPzaBtNJieMHLFUeR7yXe4NTA=,tag:C/kAerUFRhugyf91puhKYg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQnVZQ3NvWUhMSy8wQzJM\nWkZnc09UaldLc3M4RjlKZjN4ZWY3NC8ybWk0CnRwTUtmZ0NMU2tCMmM5SzRnUHht\nSUg5MWpGV010b3N3WWU5UkljV0VBWU0KLS0tIHRjUER0RkhwbmVKOXBYR0RnbCtC\nd0hUd0VuZm1wQjNhclpTL0RLZnBybE0KA1ZTaq3D3UgV4g/mhwgss4uBE0LPuPNC\niFs7ixvRBF591VWvraVWUpTqOZW5dMybMBu5EjGHYtHl7f9dbhY5aA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdCtBd0tjWmtyVGZmbHNJ\ncTZwa2xzd3VoN3RFcjZ6TUtLcUdhMm01Tm1nCnVvaDBnNG9jOVd5SFNiTjJzZnV1\nZkltV0RtYS8zays1ZVdKcENGV2J3N1kKLS0tIDF4V2gxdEoySDR2azR6THVGY3BQ\nTFE1ZE9rZ0JFZWd2TDd0Z0pQc0VZWmsKgFEfMB2W76AVPOTkGszqDLiw8aTGJ3Ym\n1Tv+OXtdaqcgD+MY67Fa396oJiD/K2zY5CfQvH2YV+VYNeAfZsRM+g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbGErdE5idTNnZzVtcXJy\neUJIbDBncytYVlcwandMUU9nRXB6TE1IUVEwCjFrZEU3VVltbVlkNW1MTk1LQkZB\nTGZ1Z3hJSFBsNEtQZVZFemZBKzZGUmsKLS0tIERpY29zZWkzcnJsRU00SDhhWXYw\nSE9tK1JJSlZpTTJ0ZUtoV0RlQ2xkOE0KCBuW93P3rgeaFewybt27fmA6BE9HY08f\n+0kix/idWFkdxtzS/v+WFHnaac2lhIl+X3EQQoU6PJGVrlV4q/qqAw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNGZZQlowTXhtZkRMNGx0\nQ0xUL1hkaWtUTkY3Ti9BMHhKS2NtTEd6MmlZCjg1WFJVZkFwOE1yQzhQbWs1bThP\nQlU4dFZWZnJOWjM5aTZZLytiMnNEdTgKLS0tIGFuRFkrakZWMmNPSmVycEdYUnVs\nTk96RWdOYmlLUmYwNGJIZ1IxVk92R2sKARCSlcel/yqCPKDXSNNDV+ej8jU3CiPI\nMktemcTe9FjEpQzRDEQQJ1izlHIqpSwlOSx0UZsUgQOFFP+fwQGUaA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZnorZkFYTkJ3d1pXMWor\ndnpjSGJYYlhCMWJaSnJJUXRLMlIzNjZhOW53CjZQdWVPdTN3eldFN3FvWW9VNmdk\nYnp1QkpoaW56bFdnL2Z3RjJERWZlK2cKLS0tIG9vUFJzNTNZVklob2hnWnMxaDNF\nWW9tV2ZJcVEyS0QvbGZaK0d4MzBIVXMKMtIMAwa+HJwAHhbM4NhLiPYgXbIZUzD8\nGwjFTyRi6K1vOw2/c+w0BYb1ZIvaChrsl9ISfU4+e3gjvSX1MP0Cyw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQenF0YnRscjJSQUFTbHNI\nSGNTS21LNklxaW9uTGlxT2pDTE5SZmJMUkRNCnBwYXRDUHJ2TDh5QXMvWjVYRWFs\nL1FjRFJyQ0hkVkpRWjNnQlVNczZjb0UKLS0tIGk0U1RFVVRMcHBLU1VtaHdxeXRj\nblRlekhIQmRYZnczcGNqNFQ0RG9UcDAKAbFvm1CGCqbd8FBbubfJNCjEFTO4LdfX\ncUBaV9xFvFD5Gy/576KBNUO4NjIEnd14JL93TC/okakJAsxnHMG/iA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQmh1dE1LZGI4SlUza2Zq\nVTc4K2NWeHFxNXVmUzgvNUNDanlQOTZXOVd3CkthcWZRby9ZbzFlang0RytsZEI1\nczVodG52MFV6RklhVGNBcUxjQXZJWVUKLS0tIFExRjM2N3N1MUtHRWpGN3I0bjEy\nWHlJN2phSW9FMUVhQ05iSDM0dUkxdkEKoNIaw3OW2JfoPL6viItBWRwm78x5j12v\nlV0/Ui3MBKoKwxbzti25mxwGRshw7dwStuGpkCVRbp1Gx3JQbggrLw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWU9YcEs3Zzk3L0RNZTFJ\ndDJleXZlOHFKNk5KUlp1REllNTFaZTlSYUY0CmdaYzU2aE40cnZUYm4xajdzK3NO\ncXlnalFZVHZ5bnlSc0RpQjBEMHBEV0kKLS0tIHNYSks5QUI0WkxJc3VBVjFmbGhP\nR1RIaDk0RnN3VXBBcmY2L1JBamx0RUUKnTymF1GRV1Zz7q0XNGLz61xkMXGuhoRs\nPpE3hFbQNrap+vf8NhpElJJ7dTnrndfZNftBco+YsocOxlVXWw52Fg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-29T11:34:03Z",
 		"mac": "ENC[AES256_GCM,data:ozFWkM2SFgTicicB1l2pMCfKVvVxoUV7k93VyR9OWtVhUqH7DYgrKWFzFCwGbR6xBSMSIZU7haeVJP8r7n3S9wwQNu7FsS/PfqVcsTfpT+g5Q83vfdVFcFnV4VsalsZ8HvTQ3OiVbNVLn3J8M94KL+5ya8mf1oNHwq8xbAYcM6U=,iv:AtHuh1VIAdUqmazPbesmmYq6gXEBE241Ejos73AFkUQ=,tag:bM9Z//NV43U5buXJ7VMSlw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/friend-libertarian-dod.psk.bin
+++ b/secrets/universal/net/friend-libertarian-dod.psk.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:iRxcs8VpOA6dFng9B3wHwxpEx0hhLpKUb+Eu09CFzPiZKPfQ00pecfbpQeXJpT4uvVxmkl5zuGkksSzBEJDBIA==,iv:Ii65q3V8dGz1TfhQNxKa7gSM3w8T9mnP3C8vUJpBbrg=,tag:ge94QompXmUtdl9o7306sg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQURjcVlTRDNRM0IwbDdB\nRXJOM3BkTWNhSXBYRkRicWlFbkR2QWJtVUFNCmZMeEs2SmpuN0RDK0JFQ1VUOHdk\nSnNxSkxPR2R2cHNZZ0c0SGtNWXVTZGsKLS0tIG93T3JCU0dTUEFRNzg1L3NlTEpr\nWlpHcHhKcTRKM0tZd1dXdGxlMTlyVEEKt8dheToHMyd/kGnQoUoerdIaexgY1jb6\ndOYZfwizrTE5mhYFzcApkChnjSHWfPTlWE0EzG4pBkTGkmoAx8LU0w==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraUp0eHVGYnBZOUtMOVdu\nMTI5ZjBraEY1aFk1ajVLcmdqcGhhRzZ4UzBvCjVXWGtBaytkdWVnMDBEb1R3VWh2\nZnNYVzljMWRGYjVzZng5c0p4aVFXTzgKLS0tIDlVTzdrZENZaXFLWEtZWXUzQWFR\nTTFLYnR0WUgzcFhMU0V0VzcwQzQyV2MKdPvZdrfidA+k+PO9q7ruNlAbLkj3Hcvm\nvDcsTlYUA1ZG5SBsEhsztzNa7dSDX4EYrf5j1WSPu0/a0UYXkrR20g==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNzZUc0hVWVhsKzVFcng5\nQ0VnbWZyL2RwT0FIMDhtR1FBNmxEZzR3OFhzCmRTTnpxcCsvZ1dvaE10NHppVW14\nVk95bUlRck5jUU5kWUZ1ZDVFUkdVdDAKLS0tIDduSWMydy9Gc0hmQWU4ZkI3VktN\nd0xUeUdYbExYREcvazlZZk9uSjJtZzAKkTW5axKqwBuo75Z6bGI3+4wXf5ilAXaO\nQOhyWWTLTdnCq0TOPt5eZlFgMleOsJD66wHTQR5Eb+Cw0+9w+XZmag==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWlBSald4czhxRGNoR1Np\nOElFNGJsT1M1NWRpbXF1bmJ3eE54UGVNbUFRCnV4K2pQMzR6ZXdqVU9yWXNqMTQ3\nQ2NzUkpNdkcrSldqNks3YXlyS20wTW8KLS0tIGVaVzIydEtHeWZiVXRZbnNiNEJR\ndXp4WmxmRVppYWNDaTNoUTVZZ2N2LzQKPRFZQD6TJXBewxurVsHlazTE0HsygOVD\nRuTjEj+F9DRVc4scne8GhHkQYUJSe1iVsb31WK9/JNpXBpOaSNvZUQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZlEyMEJOay93blhnUGZ0\neEhreE14b01Wdk1CTW9TVHVTV0pmZ1crNVFzCitiaVd5TjNiZWIwaVcyL3FaSmtl\nSzBJZVVGSi9tU0lUMk54UTZIZm9YMjgKLS0tIHpoK0ZVVUY3enZoNDhXSlVoUi9p\nUmxtU0ZBU05iVjdpSDVYc0tuamdHcDgKUzf5zX9oN63tHY2fYFAUKShS+rJIg6/2\nMX/QUGUDT44TBSw6forKS5qrlyuMkxr3PpgB1+P2isZNR9UK+dOcmw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeStqei9pSmcvYU9FMDlQ\nQ2lNWXhjaFBTK3p3WjdoMmhKcFptYXA2eHdFCnFHSnZ1ckRNUUFDa2l5L0tJM2pD\naC9LZjY3N053Y3g0RFNKYnhIdUsveUEKLS0tIGFHZDJrdXRReElxcTRXY3JNK0dH\nSG9TNHFFUmtidWpDV29ZZlcvNERRdW8KUqP2zeYjBv1JhAjZMIY2LByZahRwhAzo\nLsCb2/kp1uWF/2jYllFmP3mtxJE3cijeHuN/1cwaMkJfFr5pyR1feA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMcEVzZWhoZzYvbVBCd0lD\nQzJPMmlvN2F4dlJUN1pQMTNKQ3lkb01XaWdZCmhHMHh5Q25aeVpZN0pNWVAvUmpr\nMGg0cXNyNFRuTVUySG5pUEJuTXJLYU0KLS0tIEk4NXNGV1RWYTdvZWU3QllnSXNN\nZ2JPNkZHMFpxRHE1Q09KN3kxbEFaQmMKAgmnPBq25Be+v4UJcYZXG6Cg4RNUI1yu\nw3HK1X1TcI1M4f7PuChbPzhp9+LVgWNkftDoSTjq0WFKsBlW95alRw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSTFlZ2s3dGlxNi9pV081\nSjI3Q2U2Z0pxR0RhUFJ6cmZWTFVnNFFUdURJCjJkRkRody9KZ1EvMTRNOG4yaXNa\nTHliSmE1Y3dKRTIrNjFzMnpuSmdYVkkKLS0tIGxaYW8rUHk4clo3aGt0VTJlcGZ4\nZTdVTkxrNFRYS01Wb0ZYUTRoU1JocVUKX6VXkWHWma+3D8Vd6OC72mIelgXWMbrj\nwRIO2fHsy9M+TBQzHHxhdCdKefAYMu/hfXEFL47/Wn5yBJmSWjYEeg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-29T11:27:51Z",
 		"mac": "ENC[AES256_GCM,data:dgJ/bcxkcCrTSAPKDa4T1djvZVTnWofmb1nTx+V3X0C0g0xCYrffpcieSPusKoQC+AzaZSy4H/RyLlW9We8+t41hrWdjdPkGcLd7n2u2e5o/AIgdSv/ODdFnX2E13ZTKMnfI7kUHsSaNLUF7TvitdXCO/hICGkGoJwRFwbV8bxU=,iv:WeQByrD8To8wqOwfbZYonci2gTm42Mv94zKKKNufq2k=,tag:avhJCmvNdZhkd3mTtx7cRQ==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/friend-rationalist-empathist.psk.bin
+++ b/secrets/universal/net/friend-rationalist-empathist.psk.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:zhMmmsRibiS5Akobs2hEZnyFZRitEyXguYolhUmXNSMdhybLWealGNPF5D0v5MzEV0dhncmvXs8oz3k=,iv:xtQtYnbXfndMyB/I1ruL/F4k0omQeShDP8QuaK2SVkU=,tag:MfxdSbk3OR6mBVggsw2I6w==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1T29tc1Y3RElhY1hCR3JO\nMDMrV0VGdUVLNVBsV1VWenlXRCtucDhZbHdZCjdnU0ZjOGN5Vit5OGxqL1RMaUJo\nT0ttZDFLaTAzd3g1Nk5VMVgrMEt3c1EKLS0tIFJEakR1cTNETGpVdGxqTE5xVVU3\nWGlDZkY4dGZPVFIxRGJmdXF0WFoxS3MK7xGioj8OTPTL+WGYRjJbXEHbgU20qoA4\n/usblY/fawOBNbAGttpSEWyHb1qlQTWwVl00XNb/LqUd/Qa6O1uoiA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySmQxSTJOVmtVVFhTMmxN\nWUFpekVqZzVZSXQrRW1ZYWk4bWpSbUJvV2dRCjlBLzR3YmxlWGQxYXI4MzdQVkZW\nSlU5QVhNUTNrMFM0VVV0dkRnLzhHVDAKLS0tIE0va3hhNlJCR0VzVVVNQlk2bTFV\nZXpNS0JvS290TlA3MXYxWWVueE5TNU0K9cq49fk1ip9CBAoPkifyZfY8NqFo5zgo\n2UsL9qla2F/DzA8Kl2l2DXaU9PaRngrj8AoFdvtUtO67r0NwmQ3zaQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNGVmWGJmUzZweXVCUzlK\neEI4VUl0V2t0WFFoRDAxZjZvd1dJRnZ2VmdBClVXZVZpd2lhMEdTUFlpMUZjVmNi\nV2xKaktRbmRtVzA2UlhJVmZtcnErYlEKLS0tIHlyME1OdHIrWG5uODQzbmt1Q0Zp\nRXJLTithVXBnditUc0tPd0dJYXZjMlEKWOL7CXR0wn8TkQtuBssx6cErNZQdonxr\nzcDUJeAQ6SPFsnyCZ6BH972z0izmRkHYaqVRj5Pl2Ogrr+UHIxSqeQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1T2VFTlZHSDdvWWFaS3pO\nVHg2aEdZNDd1ZnFwbGpQWE5MYkdPZ1lkRWswCjRuQU5zN1cyTXRwa0ZaWEs2Qkg4\nMHZGWDBqSE5kNHVCVzRqb2JEb0lrSFEKLS0tIFJ4Vm9RUm1WZXdXcHVqYjNBMU1W\nT2srSGZNUUFZSlpaM2RyREk1aHJab1UKBpY37flWrKKeRgjs2BzWof/6E3k3DZp9\n1b/Ctvyebvxx0C9jxBzajqgbVahN/167JGwHrz87vTqp8907sFEbkQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDN2IzVExDUXNwTlBDVndz\nZERnUmxTK0Jqeng3d2xWMVgvS3h4M1dYbm44Cmh0YnZ3UmltaFlxTXY1VFN5dTNT\nSzY4cjBkVldESXZSZndrMUdMZDJNQmsKLS0tIGlUOHZoMXBjNFFXbno1WWxsVEJm\nakUvSzBST0t1a2o0RG9zVXpOWlU2NWsKRJ80nHXMzEwPS0BZIAT4KKTDYtxufC3s\nFlcLzDQVVN+JLAdu9viayUrLrKfAaKvPKGY0YUFgIV3YyA4/vBLIpg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUmxSS0U5bE8xdHVmQkpz\nZ1JrdlVHMFF2VFJiMFVMejJGNU1xbStJWXh3CllRYWxyT0dORHlSWFVMeGcyMXI2\nRy9lM0N4L0w5VDRMK0dueVV6OUE5WlEKLS0tICsrQ21FU3d2Q1hoNGZuSGdzUkxD\nalhRTkNZNCtoQ0xmRzBYMzlvRnlNNEEKzL4v1ZRwfJ9aYHYZZNwrsHzXeZdQzk/R\nw5BdRWOqrTpk8DLwCxYO/bwxieidocaBhUufDZFPqooxSz/s6HaawQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVTg0MzMrcEZobzFFaVVv\ndytJeVFjRnVuR21vTlJIUk9rUHVBbFFiREFNCmxxMHQ5bjRqQ2x6Mm1yeFN3Q0Yr\nY056bXZmSWVuQUxWaitIN0Q1RE91SjAKLS0tIGZCZm9yTE1tcHZoblBrekcvQndn\nZWgrN0FyQklCUHBFSWpheS82M3ZKR1UKD5UpmL6mPXVDyOP++o7+MTRq85omDmbg\nINDnSX/CiPfLb09GukRLMymcaVvBJqKTmySalgHSC+EKTo5uXBHehA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NU94L3BTczBuekoxQkxZ\nMnQ2T0ZYcTdrYWZqYSt0RFB1Z0ZRODBHUnlFCjVob3JuVHJ0UXFBQmVaT0ZJRHVq\nZ09ScWpxaXl0Y2ZJZnpkVk9HSE1FKzAKLS0tIHA4YWJ2Um1QeUNlaFhuQksxQ25I\nM0VSbmlLVktWYW9aWmcyS3U2WnRiTWsKqa31gg1zZ6qTkwTsgmqM/Rbd0PSk44fA\nxVN8wL4dQNM/JvSYLggxV1vPvUW9Y6f+Ch+moFrtcKdOy8NDipNHKQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-29T11:28:38Z",
 		"mac": "ENC[AES256_GCM,data:SvIBnGuNXzR4ZWlsIJ8e1J5UoYciQ+howQmFFqEDcu/lZupvv3Ns+YZ/J5nm3Zpl0j0YGoAXUBBvENfi4TS38AMqkA0ZxX7fqfd7I9+RgCMaKyo/JGLwO7Ef6+7wvwiNVV4y3OpPkZC8AB7157d4QEczb32X1aQtRdisWQnaBBs=,iv:huJ6Rr8dWW2GiYv06DU133iFUHpxzpzI50QRlFbaeb0=,tag:of3scYamp2AFXN6h/cY1bg==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/home-bedroom.psk.bin
+++ b/secrets/universal/net/home-bedroom.psk.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:X5RxPa26vyMk6+z0HB6xwXqTmPeR0MJ6nR5oA4GSEL+s/7SrCn8wWbdaM8iGE2U4ljyC1LJgyd4lZc4r1V/u3Gg5Ynmr3tIRhQ==,iv:rlguW/Aev3Q64lda2bxES7RbZjngVGo8l8CX50nuESQ=,tag:6kqdDV3f7QHiIEif16EEUw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZzg4QXpkSExIYUptNkRC\nMGFuNHEzN3drcEZTbEl0alBpS2FDM2ljV0hnClZJMkc5Yko5TTI3Q0twQi9UNE02\nemV5RTNNL3N2S1pOcXVqNGVKWWp5c1kKLS0tIEYrMElhM09zSFdCMnV0SnRBMkQr\nWitjSktQSHJDV2lhajhlaHVXdkYxTkEKPK7SY2zesUHKmLHrt62vFwm8mOZ8n2DY\nb2hZFcA8r2Ozc6+BY62k+rr4PTkE1sTeeTPY4nvL7+k5lvFPqwZ34Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArb2cvN2VaTnMzRW5IWGpU\nRm9KZWVpcXNTZVhGWXpMNmZGNFdCc3dJTDJjClVhcVlhQmpLRmZSRWJEQVJWMVk5\neUdOWEtUZGs2UWRXZXhZTlFPY0swd2MKLS0tIENKKzlEaFB5b1VGbEIrT2RjUzNU\ncHFvbEJ1a2JnZDBmd2llOHptUXBERGsKMzgbI0h4ewsb3dmgXEjqKHLxr0ZzQGiH\nX85GwYTDh/UU8mol5xMHEj//uJnKumCaPdNZeM8uoHOCOnMZcOBj2w==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZmlYY1p0UE9Oa3BZYldk\nUmpWbVZHWVdtRG1NK2U1eXdjdHYybTdFM0J3CklFdWZBM01BTUY0ZzU0eG9KZjBE\nd3lucWw1aFlhYUJzT3JQK0FOS1o4OWsKLS0tIHV0dVJMdFlVL1BXTkJUWnlDaFlN\nc3QyOC90NmVTTDlEOFZxMUNSWTR4QTAKQ2I2cYMJOzGHaou84UQ8jsEBlcZK+4nS\nVEBkcArZpfxDlYSajr1ZJ9Io5rdFFOs5gEjHh43ScLf88+Qs/QW9TA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTHRtb1R4QThKd1c3cnZx\nbDFVbzM2azRabEdzZFVQbzlpcGV1U292RlhrCllBWWN3UXc4U3loQUg0M0RUVDlp\nalNFcVg0eUF3Rmc3NVF3UkNRUUF6NnMKLS0tIHV0bzFsUzAyY2Q1WWRIWWhDSnFU\nMGtxT0JmWmUvQnVQOEw5V3ovNGpsUDgKbYso2M273aaZhvlRQuRcGHq/9g3IK1Od\nqBXpSmEzPI033gVo5x0r3ShloXzG5/7j0Oy/JdWQifQZuzhUTYsA5A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdmFndHY5Y1NnWk9zMys4\ndGw3eXM4UFRNVUZQTkNCdndWSHFxYjFjZnlZClI1ZlBlTlpkREhKOTRXTmJJSHht\ncFhSOEs4aDloVWZ1R241NTJVNnRhV0kKLS0tIGFIbGtSMFVZKzc0MUlIajIyRHI1\ndUs2YUN0Q3pnN0Z0N0ZTcTZidzVobVkKUvE9wpyUnG59isJfoAzrKP+wqIO871XQ\njV27WpKOqwtCq6Jv3Fv43soGITpb6Tylv1pYCBvL83knlGNMzvvZnA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VG1CeU9WQURrZDIwdXlD\nb05iOGIxNzZTVmZlTGxyZ0pFd1ZhdGU5ZTMwCml5Z2s1aWp5NGJNdFcycmVGR1pK\nN1dwOCtkNHlWbmNGQW80ek9LR2R3YlEKLS0tIDlZRElhMktiUzhKUEQ5Tk0vVU9F\nRGJrZ2IyaGxmOVlEKytSOFlDaThZU3cK9zUGyA+0FDXnh1MhO6oM91DODp0Fpb1M\nGhO0uCxk9k23IumgWvRfE9bwM+bQ0QToBSIxfbdFq1QVdqgz3Z44IQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVS3BiVUdFSTg3UW5nSWQ0\nRWFZQXZMZ1lxN1hPeU1kWng4QU9EVkNhMFNRCkRuSXJBdFo1N1NPdmNCM2VjcHRk\nOEdzTWdDZ1F2clRmTHFqRTRNb3MreHcKLS0tIDJZZDlQdWNSNVJ3SEdWbkVPSnM2\nM2lqMTFmN0VBRHQ3bUNGdDJMSmlBNTgKqVXysfSFxrdMUDVv66JZRPape/M6Im6S\nj1f9VN/ZNrwnRU0ZzPtFWeMyYWIc6c726cweP9xB7ZGoGw2Qfiy8EQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRk5qdktjQnFJNTgrcUR4\nL0VhcHZCT2VjMDNZeWRSUlZoMXRiY1FEYlVJCjVSK0J4WGFOcUErTE9GWFAzNFNY\ndkIyRXZYVUlHTmJ0L0t5TnIzbS9sYnMKLS0tIFY3NDZBY0IwU2kxSmhvZEJ3Uk5N\ncDdDTVZTWi9pTmR3dkdMVTR3cWRzZ2sKfsRBXdxnjflGnfMexej0rJDRVfnKsPYO\nVGHcl26QJ+7aF3eVhiNmReuQn0i8mqbrcNMKSp+XXLiFyfu89IfoIA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-09-29T11:29:10Z",
 		"mac": "ENC[AES256_GCM,data:DPQZVQfAh002aE2X/qgVTuQoWD3AkcbxNU8NAuVY5sgPFhoLtjbm0vNtN0ql2h1HUVENS+BpNsHpLQej7musTL+mJ9KSlHtoUfK0sY56Gx/B0OxMzHF8EHQyYmM/IOtWLuzzMYpFVM2gCeQWgHYZo0W7zNDwZaBVLTAyWN1lAhI=,iv:bTdE+Hma+IIzwy3vMhYW8Rc3sfDkQamW1QQK+bBzELE=,tag:Zd56FoS15pmuoNhCvjckwQ==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/home-shared-24G.psk.bin
+++ b/secrets/universal/net/home-shared-24G.psk.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:eB7lM7gzQVRrs31/vb4D19N0xvmau5mp77scLaj6h9HHI/6sJ9LTu+gfSGQIOID7xJA4m1T77aYLC6wC9tXBOAVwcdFcXrFsoYuVU2COtRPWTjeMWiK3t5eQ6TLrgru6OUcC0bpeCtZhQbXYkBTBViMNOfXdah0t9NxGPrSn0pNwMs22Ndcc1zRJFPqvjcaVWCxRsfWWBZfDx+AK0PWwxCbHaDMx9Vw5vJltmF1NVc37dTqIVRY/n4xNbqA1pEs4Ese8rjojU9VZFObpJb0k,iv:JAJIuOzPM3/jw/3APWPCCwuhXaFlKABFqch8GUDFX9E=,tag:S7Tk3T+/8H7pIWMKkrfGSg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d1JLZkNZeHBFNGVTalk4\nNkRDYytGUXFYQVNSNWlOV0ttYTgzZ0lQZ1VBClZKaTVadjFlVnJPRWZXWm5hdjJh\nTGgyNG9sd2hha242dzZ3dkRPYklVQU0KLS0tIDZzNGpTMFZKMzJYeUpnV0NqSjI1\nRm4rY2ZVZ29UdFhXZEZUWENVNkFCYVEKbmeZAn5yA6N8WrftBqpnfdtA1UHFyT4s\nTjQ4uDBGBNAYZzG3X1Dj/W9BBOqT/ErOVKcgeP/oSTsno4kjCnW4kw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWTRwazVzRTVuUkFRQmdy\nNmpMeHdxQk9WeEg1SHJxMncxT3l0SnBqUzJZClpoN1RLdlVBRmNWMTRSOUNOY1E1\nOEJEYWdta285czhCRTJ5cCsvY2NrT00KLS0tIEVIMFE3aEFWb2VHc3pXNjQzSE14\nQUhjTTBURVBGYW5PSGh0QUdnd3R6SXMKqyBEOod76LFDheCl5FHlj8eqBEW6b5AT\nDkc83TH9DRm9g7Y3sgVBJAm1mPOhTlnAQuYvd70P3t2Joj33yO4AyQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRFF5WTk1blRQWHdjbnRt\ncVFLZGlyWkdTSzNrb1k5ZTdWRm5xN3ExdUJJCng4ejdIZytsSzBaZmxsRUlwNEZW\nVnJoZlMySnVFUWFsZnRTWDF2V3pSREEKLS0tIFRuM28raTJkaENneDJFQVpxNGNx\nY0tiY0NpS05XTXpVdzJJMHJaRHg4UzQK/YPArPdC8KwdAz4lui6zhhjbJJNWgp3X\n/CfdVr405/xuNJxnshVr81a/wEog5HmuosAGEy60d/mFh4gs2BTmjg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJNGp4NDlaR2E5WXFJWTJ4\nN2cwS3Q1cjJSaU1aQ2k1VGpFTlRxN09YNkNJCjdGL2dGcHZzS0lxMzF3UXBMbXg3\nVjVrS295ekExb056cHZ1UVVvZThjd1UKLS0tIGZsRkR0TXlEaHpST1dMZHE3UWNX\nZGpGOEE0WnB3MlZISzdWVGMxclZkdDAKSo5iN8AuUYGgmCIMx89ou9muZkW71FRb\noX4Zkht/v9RtxKp0TGjujQeXnjC1iT97wFdR0iNTWjxLyUl9TtkIXg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaTNhdmhSSXFrcWhUMkQv\nSlByVkh1akw2RU1rSEkzdjJ4bUp5Wnpjd0VFCkJIZmJZZEdXNEtkaWw1OWM5OXdn\nWHV5NE9JNnc3QXpyay9mOVN3QXNrcU0KLS0tIDRMOFpTL0JuNWlUWUNwTDNjNEVy\nNnZQVUVlQmRyaE11eU5KZUw4azlTRXcK50EEoR+iOQmgMNNI79bVd02UkOr8hEDL\n1KTy4s3MErfv8kGH8du12iNvCPRNYOulyk/CQEkYaUksP59g6k7mgQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZ3VNcmJ2T2dzaUNGU2FY\nZGcvUHI2OHdrNTNad2Zoc1ZtUk5HNzV4ckY4Cm5YSzdRWDdXRUdFOXBqZGE2YkZE\nS0ROVDJFL3ZOWEZBM3FUME1tdm45U0UKLS0tIC9xNDRTdTJFcURPT3RvQ1J0MDZ1\nRnllMVdiNmU4ZDRLclZVL1lubGp1aXMKskqFVf8FPrBOaW9GPfm2gLnE5Zyq7Dq2\ntBGN6U4wXivLdC10e6BO4MrGjyCIeiuOJyE5f3XpkQ6RqkGl4P/P0A==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrdU82c0EwSUR2aFJYMVhS\nZ2c0WkJOUzJjb1Q2N1BZakdZZnhyQWdERVdvClJmMkREQlROZi9TdVhGR1lndUhi\na1FOSFdjWmdybHRVaDFFTDlIN21GTzgKLS0tIHFKK2VUUjIyRExwUDFGUjkreVhh\nSjdGcGpUU1NFRXRHcFNXSEJuS0gyMmcK6oMgKmwsstDNCyoVuhXU9z257+a5Hs4e\n9NsiKSd6BJVtfUBrBOAgRlkij9/x/zC5BvTd3tCNqNL0HUWxhdXPyw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVTQyV0o3eWtQTEsxTXNZ\ndGJjcjQwWjA2QXFubmJSdGwyRHliRmtQSW1VCmh1K2l0NnVmNUlMUjdmd09IeG5a\nTVgvOWh1RWZZZnB1RkNHMjVSMG1pVG8KLS0tIElNbk53dnJxRE90WHZSbFVYRVAr\nNjcraVhhWVdpTDZJOG9uaUVmWFF2T00KGyNISTg/g7v1+VFlCg0MjDTjbcahdSQk\nQpxdjvqQ3qtcfOS/+OO5CZYEJIVp6YybXyHJ4SSbaED22YtTJGmRNw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-10-10T06:28:09Z",
 		"mac": "ENC[AES256_GCM,data:GnYn/2ZxpiaNiS/nXITkyETliL8HLnhP7iIlagna7xEnng5ttWTRvrzvF2P2ehUcCb7t7c0M7DPhA4rqLZlqvNNP+qi9UKkZ+Skn9e7d67hPmIrp6bOPpY+UGFmIA71xWjGUehtT7AfbHqYo26VjaYzP/OPrVT3uuAMkw8xsRo8=,iv:ISQUmG3speflSfQoU9eefYmfPw3Sq0cJPzIirk7W9rA=,tag:LkSnOJfBca/8KQggXmvYdA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/home-shared.psk.bin
+++ b/secrets/universal/net/home-shared.psk.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:ou55VGY+beKMouNj4qQaBOAZK/5UKu6A521lNW2i0KlSmgJ8qQ501lesy0bEmDkZqqhluP8XE5FZLwEXvqqMh/TBuN1OkCsQis53/M1s0g==,iv:Ir5uD1P8OlHlcjGCHVkUHr0AjoXzd7kOcAeajo66hUE=,tag:m+rReK9o/8TG4LBkNN1ZZQ==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNzNHZWcvTmVVaGFabUU3\ndnZwVFdVcFBXZkoxTFA5WEZMMnRvUDBsS1NrCnRKUTNDZExFL1drSjBTakw1VmZW\nYWJzTUtVN0lrWXdiRk9QaVNmZmRqSjAKLS0tIGtHTzNUUnlnU2duNDF6UUlzUUJa\nSXhxQmRXZEZKK2htenF6N1kzV1VvancKP8jZotJe9188kId6cwVzITNwtELegpzi\nOKrWPWuIveSdMGmMsRDAcQbL0xVN0qd+Y4qsZ9l6e+cVAT3cHb1vDg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLemhLZUwzSVJLNUhYQXQ3\nY3ExU1BJUzY4a24vUjRmazhtc1RIcVpyem1jCmFEVzlIZkxjSUc0RTdqQWRLTGNS\nL3FaRFhjdnZqNFk0WDFSY0xOTENxMkEKLS0tIDVzK1lPM1FlWmZLZFA0ZDlPKzla\naXRqTk90aVNTRHlNZ2FmcVY3b1JKbEkKTu8tiEKyab1bOsgdsRlEWeG9wzdg/d/s\nPfh7rnvf7Ex8Jl6qSq6xMPkv+19EbSpfSq0FRtCue/Wcce3cUmGToA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZUY4OW5UNXFjOXQrUklu\nK3poU3RNVnBtc251TmRtMGJ6Z0ordDFhUGhjCms2a1o1Z1plNlpwSlYrUEEzRDZm\naHdEVVIzRnExNVhzci8vN0ZIODh3QzgKLS0tIGUxZ2gvbGM3YnMwVXU1RnNOSlBO\nVE94UFdKaDkwbmV5YjlBWm9ZZkk4Q0UK6CaPAtRrXKUzR29ZfXV8MvqszTu8LkT2\nQPlNJ4ckgTyivyseukR8X5fPKrrXIVtE+C6Xk5mJ6nGKD+oLprhpag==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUk1yL3dLUnBpNWNxMzQw\ncDdVa0szNjBVNnNXdmZwNVNEK1RwUzJTMlhZCm9oV3NaZ3k0SERKMEZCQTRtRUI2\nVmdzWndQT1c4UUh2MzQyMEErdm96NG8KLS0tIG1aUElzK2VjUTNYOGRpbkpZTDVz\ncG9jR0VzNi9jYmdCTU1qMmJtNFNUaU0KkrIx2BKjj7l+52Kk/L8rNZYAsa87z9UH\nDtxhLTnQu8DPtm5o2sbGdEZgt9qKPJiylLNKVne3EyscMaehdB17RA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSUtONWlzZ0JQbDB0L1FU\nWlhCL0p4d3lpamg3YWdIUVhDc1hVRWR1MVhFCkdZbEhnUG0vYTJVZnphdTZNSXBW\nVGdpemc5Q3hSenN4V09ZbTFOK3kzK0UKLS0tIG9ZWkdSMHhzTGJleFF5L2RsdUxK\nSEdtSlB0L2d4TTVWcDJWaE13NjFiTkkKWgfem58/ZKqVaXiL0UGVTjA7AhSkD8Fq\ne/i5HKN1Pvgv8TVPnZ9mtGP2gwwkoFYgxM8/0jBjJUm4QDbTkocVJw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNR05jQnJZZDNndmZnOVNO\nRFhVU3pLUzBxeC9rQlRoVWFCN1Y0bjhBM25VCmJKSzhkMjF1L3pGRjZmOURNeUZE\nTU8vN2pYVmZzdWdpaVdqcXloNGhTSlUKLS0tIGovSG84amhyTFZHZ2FNdTl3SzJj\nN1dObkd6K2J0Y2Q5bG5DR0VaUk1uSlUKxShDW7BD6sENlFjqp7/wFbV4g4gD7u5d\npidF9F+vXhpoBIwLlhruzvwyNXG4hQcKfWCnliXhVvNYbgaooDDhRw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MkJ1RkVBeHJnR1FGeDVi\nN0htdHZ3cVNCcTJabnlkSUQ4aHUxRndvbVhZClk2d2ZRTlJIVTg1T3dkKzdMRXJt\nNXh5OWtud3gvNWNkRWI1UE1kSytYOUUKLS0tIHhhQVpmRWtTYVFjSUN5aEVYWDJx\nS3hDMlFkVGQyM2U5QjlJMko4OGRWdkEKG98s0QVSs1o4MQ9937okXDS4WH41S1Aq\nUSL8idmlPUJzgdHshuLv2Ic2RXVjJu8V508trO8bTymrqkNAQ0miMA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraXJQOHR6ZzE5TjNQYmpB\nSStEQS9mcUpMSXlFQ05DcllFSjNOT1pWdVJZCmtSL3FkZ2Q1cU1Fc1dZbG13eXJC\nTXJkN0NzWTlDOEFMRGNQUG5HQUNUVDgKLS0tIGRwcmVxS0lNQ09GdmxKY2pkQ2Yz\nSkpZam1ZQUN1L1FZZ010ZlhUV1N4VlkKqsFAE+xZ24IMzIFjbsgANdjiGwVZk5rq\n66y00bjw+uj6WOwQuE1I9WcYDhCXEUQB9u4Q+hzejaFzCJ90N/WF4w==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-10-08T03:39:12Z",
 		"mac": "ENC[AES256_GCM,data:4Rr2iqmzLtE9i45Hn10wuf8unKt+YNAYTF3RWwEW1AjN+pF7ZvwMbrUutRCb6uMxCQUyNl+adfFRu8Xae0/SqFBfdAPxzeQZGrBjb384seLrNS0XyUacfdoSCczrRUF8+F3mIHetaJCd2jOpoh5HotoSN3fx+nZNhD+56XmJBr0=,iv:YlDMimhG+a9Wzq0ZN0tnZ1gH69e7olyHGWhIV2/4K64=,tag:GjVzbNa/NdzVmdPyE5etXw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/universal/net/iphone.psk.bin
+++ b/secrets/universal/net/iphone.psk.bin
@@ -0,0 +1,48 @@
 {
 	"data": "ENC[AES256_GCM,data:fFb8QudY/dQNjrEtPMs7fnJxywLrSN1A4mgpZRw0Bicz5kFlr70qSSAd3jOg1YJm/x7nRLWLcEAv9Nn99bLywkLiiWaVhWmVGp6jTI3Mj0SX5lET7Xt0slcrJm6qUt6rTkH2dGueOm37m0rU7iR44bs/rWStNBbmuQRurRGo3zaxRSC0djyQ1wwbALJ1zhHQhf4=,iv:58ZLkQra5PJ6u4Xc1aztZ1ywlAmbudRSrk23MEbNv64=,tag:Nr4SNsqUytUMlM3i/nf0LA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWUdWVkN2UGNBUzBqV0hK\nb0hnc1YxZWoyYkNIOVhreHlzOUJKVEdjdVJJCnRVSXYzWkl5ZktHdnJqTjIyUE9O\nQ2Jya0NuLzlDWDVoR3JTQVB3STJYSk0KLS0tIHllNisyMmJSNTBsZU85U0FuRWpU\ncnEvdGVhZlBXMjIzVUV3YTdQOXJjcE0Km66SgSPKbEC5bkCZI7l00QuPvgAH8kuD\no0A9w/lRBgcP787lqyUwULA+gu4YwvNIupvuABXm9KaFHtVqYDVJJw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMXJYUytzRFVMYjNyZ0ZM\nb3dsVjV6blJ0K0JmcU1QYjNVY1JvSXQzTFQ0ClI5SG1tOTFYOWxuMWF3bFNxaWxL\nRDBiR2FZMVdOOVhoc1Via2xRd0t6SlkKLS0tIGUrRGZCZmxwOVl5dnVqVzJSdDNU\nUWE1VnkzSjJJZU9aOVdETklRa3VyeDgKqQpyc7UR7ValJuTD+NKIUSjKHNNAkPsS\nEgqI8DxjCvaSERKOYH/6pMSdRGklzS0ECuW5TNm0d4BvlbaFEiozlg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWVRINUFUa1lqZHZybHR5\nWmRuYmQyUTB5Z1RPaXJNc3VMUkFQZmhGMGhrCklaa3ZaNVYxYlAzaWsxRXN3c2E4\nNnB5S3VXa01ZdExzazRFcnRmdmNaQncKLS0tIEFpTksxUkVrMldSbDdPcXFMbnhB\nUGJyOVB5TFI3TU5hRXdKK25ORzIrUlUKjDGNOoLb7N+UKCEOwMXWklyQt0xapeMr\nKDFMcuxTX7WouiCF+GCXegQYfsXLsrETbbz+L6BOsV6O4uNNtYMZNA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dnFSRVlvc293MWJlTC9k\nMGtLVmNlbWlXZVczdDlnQVhXTDJjZHE1U2tzClFucGhya1M1SFpheFVEM3JmWDlG\nSzZCd1JwalNYVVZqQWdKVWNhRDUwbE0KLS0tIGtpd3huNUtld0V0SzBJK0FXMkxC\nT3VJckV3aHFMc3c0K1V6S1d0NitNaVEKe73p65j2fb4Hd7TLJqiX6NUyKbv7K2te\nNzPxOZQCBrSogqbnT2qDt5Yptr2nk5qK4CkoELw1/Iha8xLg96qcRA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSmJGNTNpTS9QKzc0dUNt\ndGxxbnY3eTYzc1lPcXRrdjBJdlZwNm50R0hNCjE0OWdDdEdvb0ZMNlA3SkZERWhs\ndk5FMTdQc3VUTUgwQ0t5NTVZZWEzc1UKLS0tIEJNNjVrN0h2Qjl5UVh3KzRVNzBR\ndS9nL2U3T2l4MG5XNndjYkg3WnQ3cHMKUcW4kwhoqw/2VRO+qD65Hy789fppwpLg\n7PZ2YZTa/OWufYweYQnSDCtRC1dCdtOUE3mhjtBsGaqKp0pOzOmNwg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SElrMkprWXk3OUExaGEz\nQXBOM0Z1cHQzUUd3Q2ZWWC92bVJ0dmtSNGtnCk04d2E1NDkyUDhFNW5tSUtGMFQy\nMkMxR3p0QVNCUSs5UkE2Rjg1cStmc1kKLS0tIEhTS3hUcTNlT0lxRmdlK0VRSzNP\nUllGcHJ1TkpHTGVyaXFEUmhoZURVVlUKidC2z1cN6iwswN5+FKYEXSpif82MW5oC\nR1axSWsIJc7P2hPf4ua5BVoDqEn/Vei92NOcbQNfYUtEdkCGFbkYzw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNjN1cHhtYUlOQngzYjhH\nUEZzbTVwT3dSalJBQlc1b2ZBRmwwSHoyZURNCjd4WllKSTE0OElFSGd3K1dzR2oz\ncWprejcrOUJuOVZWdDBkMXNVejJsaFkKLS0tIHkvNHZ0SVdnOUlTTnBvdVZLcUFp\nNTlXSlU0UGh6NFZUYUIraEpSRTJVaGsKb85V2N1dgP65R/xdjq7vEKO+b9NdJ9D+\nh7pVfx9ghSKdmcADWxyRhpmjc7Yyfx5wzpWbuV0mAibPLS9RdLry5Q==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYlJWZ2t6WDlRdUJqU2pG\nYkE3T005bUhCcUJ0TEw0MEdDY1JFUzJjcVMwCkhCckRzcldLWTJPSEVjbHk3VE1p\nY21rRWR3cUVscmNiL29NL3M1QjZsYlUKLS0tIDJ4M3JtdGFRbUhFR2FtSGVuZk9n\nL1VjS1hnbzZwT1lQalJBbFU0SjFOWkUKUkGyPmpilSZdupNlR+cD4+HUOwyNm8WF\nu3vS7Ec4FJcjnx2t185yXEStZSVGptw/wKTxJiJ5P9by75XkAJZFmg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2022-10-10T11:53:54Z",
 		"mac": "ENC[AES256_GCM,data:CnF1ePN5hPJU37H0Qx7R1K9qvLDJuTv0hppv+sIjYyetVUjxVduS6e8szGPmZz4uBgglmtSIEOSc+j2MCrQ2AIkJmS9LoGH2FX1lzId4h8KdBs+aJZmngNPiO6apcVsNDKBmcQnw1gweJefpTKgJnhVbo9cw/bwRqs9hJMrQDDU=,iv:G5Hwonp9AB12xOxPFFVK1+xo5JSYOGacSbAZ2RFy5wo=,tag:p5zHaSzjZcVaIgTsBb0Ohw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }