stuff

.gitignore

@@ -1,2 +1,2 @@
-/result*
+/result
 .nixos-test-history

.sops.yaml

@@ -0,0 +1,26 @@
+shel_keys: &shel_keys
+  - &pixel-termux age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
+  - &t460s age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
+  - &pixel-nix age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
+  - &compute-deck-user age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
+machine_host_keys:
+  - &trip age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
+  - &compute-deck-host age1hcqem868xhjdj3lzsvgf0duylwrdp9nqs06a9d0043cpsuhms4as7cqnv4
+  - &liam age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
+the_test_key: &test_key age1eqv5759uknu7d46rqyyzsmgt43qumsge33yp2xygapprnt8zu3sqx6kt8w
+creation_rules:
+  - path_regex: secrets/[^/]+$
+    key_groups:
+    - age: *shel_keys
+  - path_regex: ^secrets/liam/
+    key_groups:
+    - age:
+      - *pixel-termux
+      - *t460s
+      - *pixel-nix
+      - *compute-deck-user
+      - *liam
+  - path_regex: ^tests/test_secrets/
+    key_groups:
+    - age:
+      - *test_key

README.md

@@ -1,31 +1,13 @@
 more just notes for now
 
----
-
 deploy:
 
 ```sh
 nixos-rebuild switch --flake .#triple-dezert --target-host trip.shelvacu.com --use-remote-sudo
 ```
 
----
-
 build flake on remote machine, including eval:
 
 ```sh
 git add . && ssh trip nix flake check $(nix flake archive --to ssh://trip --json | jq .path -r)
-```
-
----
-
-search for string in closure
-
-```sh
-rg search_str $(nix path-info --recursive ./result)
-```
-
-or
-
-```sh
-rg search_str $(nix path-info --recursive .#qb.trip)
-```
+```

common/acmeDependencies.nix

@@ -1,31 +0,0 @@
-{
-  config,
-  lib,
-  utils,
-  vacuModuleType,
-  ...
-}:
-let
-  for-systemd-services = lib.concatMapAttrs (cert: units: {
-    "acme-selfsigned-${cert}" = {
-      wantedBy = units;
-      before = units;
-    };
-  }) config.vacu.acmeCertDependencies;
-  for-security-acme-certs = lib.concatMapAttrs (cert: units: {
-    ${cert}.reloadServices = units;
-  }) config.vacu.acmeCertDependencies;
-in
-lib.optionalAttrs (vacuModuleType == "nixos") {
-  options.vacu.acmeCertDependencies = lib.mkOption {
-    default = { };
-    example = ''
-      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
-    '';
-    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
-  };
-  config = {
-    systemd.services = for-systemd-services;
-    security.acme.certs = for-security-acme-certs;
-  };
-}

common/assertions.nix

@@ -1,48 +0,0 @@
-{
-  lib,
-  vacuModuleType,
-  config,
-  ...
-}:
-let
-  inherit (lib) mkOption types filter;
-  fatalAssertions = map (x: x.message) (filter (x: !x.assertion && x.fatal) config.vacu.assertions);
-  triggeredWarnings = map (x: x.message) (
-    filter (x: !x.assertion && !x.fatal) config.vacu.assertions
-  );
-  withAsserts =
-    x:
-    if fatalAssertions != [ ] then
-      throw "\nFailed assertions:\n${lib.concatStringsSep "\n" (map (x: "- ${x}") fatalAssertions)}"
-    else
-      lib.showWarnings triggeredWarnings x;
-
-  adapter = {
-    config = {
-      assertions = map (x: { inherit (x) assertion message; }) (
-        filter (x: x.fatal) config.vacu.assertions
-      );
-      warnings = map (x: x.message) (filter (x: !x.assertion && !x.fatal) config.vacu.assertions);
-    };
-  };
-in
-{
-  options.vacu.assertions = mkOption {
-    default = [ ];
-    type = types.listOf (
-      types.submodule {
-        options.assertion = mkOption { type = types.bool; };
-        options.message = mkOption { type = types.str; };
-        options.fatal = mkOption {
-          type = types.bool;
-          default = true;
-        };
-      }
-    );
-  };
-  options.vacu.withAsserts = mkOption {
-    readOnly = true;
-    default = withAsserts;
-  };
-}
-// (if vacuModuleType != "plain" then adapter else { })

common/commands.nix

@@ -0,0 +1,29 @@
+{ config, lib, ... }: let
+  inherit (lib) mkOption types;
+in {
+  options = {
+    vacu.commands = mkOption {
+      default = {};
+      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
+        options = {
+          content = mkOption {
+	    type = types.str;
+	    default = "";
+	  };
+	  enable = mkOption {
+            type = types.bool;
+	    default = config.content != "";
+	    defaultText = ''${name}.content != ""'';
+	  };
+	  kind = mkOption {
+	    type = types.enum [ "alias" "function" ];
+	    default = "alias";
+	  };
+	};
+      }));
+    };
+  };
+  config = {
+    #todo
+  };
+}

common/common-but-not.nix

@@ -1,14 +0,0 @@
-# todo: rename this module
-# stuff that does actual configuring (so can't be in ./module.nix) but works in nixos module, home-manager modules, and nix-on-droid modules
-{
-  inputs,
-  vacuModuleType,
-  lib,
-  ...
-}:
-lib.optionalAttrs (vacuModuleType != "plain") {
-  nix.registry.vacu.to = {
-    type = "path";
-    path = inputs.self.outPath;
-  };
-}

common/default.nix

@@ -1,321 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  inputs,
-  vacuModuleType,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-  inherit (inputs) self;
-  expectedModuleTypes = [
-    "nixos"
-    "nix-on-droid"
-    "plain"
-  ];
-in
-if !builtins.elem vacuModuleType expectedModuleTypes then
-  builtins.throw "error: unrecognized vacuModuleType ${builtins.toString vacuModuleType}"
-else
-  {
-    imports = [
-      ./package-set.nix
-      ./shell
-      ./nixvim.nix
-      ./ssh.nix
-      ./nix.nix
-      ./verify-system
-      ./defaultPackages.nix
-      ./lib
-      ./sops.nix
-      ./dns
-      ./assertions.nix
-      ./common-but-not.nix
-      ./nixos.nix
-      ./nix-on-droid.nix
-      ./nixos-rebuild.nix
-      ./minimal-nixos.nix
-      ./acmeDependencies.nix
-      ./nix-on-droid.nix
-      ./remapCapsLock.nix
-      ./sourceTree.nix
-      ./units-impl.nix
-      ./units-config.nix
-      ./lix.nix
-      ./git.nix
-      ./repos-options.nix
-      ./repos-impl.nix
-    ];
-    options = {
-      vacu.rootCAs = mkOption { type = types.listOf types.str; };
-      vacu.versionId = mkOption {
-        type = types.str;
-        readOnly = true;
-      };
-      vacu.versionInfo = mkOption { readOnly = true; };
-      vacu.hostName = mkOption {
-        type = types.nullOr types.str;
-        default = null;
-      };
-      vacu.shortHostName = mkOption {
-        type = types.nullOr types.str;
-        default = config.vacu.hostName;
-      };
-      vacu.nixvimPkg = mkOption { readOnly = true; };
-      vacu.systemKind = mkOption {
-        type = types.enum [
-          "minimal"
-          "desktop" # need a better name for this; should include laptops; everything I intend to get computery-stuff done on.
-          "container"
-          "server"
-        ];
-      };
-      vacu.vnopnCA = mkOption {
-        readOnly = true;
-        type = types.str;
-      };
-    };
-    config = {
-      # vacu.systemKind = lib.mkIf (vacuModuleType == "plain") ("server"); #TODO: should be mkDefault, removed for debugging
-      vacu.versionId = toString (self.shortRev or self.dirtyShortRev);
-      vacu.versionInfo = {
-        id = self.rev or self.dirtyRev;
-        flakePath = self.outPath;
-        inherit inputs;
-        inherit vacuModuleType;
-      } // (if config.nixpkgs ? flake then { nixpkgs = config.nixpkgs.flake.source; } else { });
-
-      vacu.nix.caches.nixcache-shelvacu = {
-        url = "https://nixcache.shelvacu.com/";
-        keys = [ "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM=" ];
-      };
-      vacu.nix.caches.nix-community = {
-        url = "https://nix-community.cachix.org/";
-        keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
-      };
-      vacu.nix.caches.nix-on-droid = {
-        url = "https://nix-on-droid.cachix.org/";
-        keys = [ "nix-on-droid.cachix.org-1:56snoMJTXmDRC1Ei24CmKoUqvHJ9XCp+nidK7qkMQrU=" ];
-      };
-      vacu.nix.caches.nixos = {
-        url = "https://cache.nixos.org/";
-        keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
-      };
-      vacu.git.enable = config.vacu.systemKind == "server" || config.vacu.systemKind == "desktop";
-      vacu.git.config = {
-        init.defaultBranch = "master";
-        pull.rebase = false;
-        user.name = "Shelvacu";
-        user.email = "git@shelvacu.com";
-        author.name = "Shelvacu";
-        author.email = "git@shelvacu.com";
-        committer.name = "Shelvacu on ${config.vacu.hostName}";
-        committer.email = "git@shelvacu.com";
-        user.useConfigOnly = true;
-        checkout.workers = 0;
-        # We *could* use atomic writes, but those are slow! Are you sure????? - git, still living in the 90s
-        # Yes git, I'm sure
-        core.fsync = "all";
-        diff.mnemonicPrefix = true;
-        gc.reflogExpire = "never";
-        gc.reflogExpireUnreachable = "never";
-
-        url."https://github.com/".insteadOf = [ "hgh:" "github-http:" "github-https:" ];
-        url."git@github.com:".insteadOf = [ "sgh:" "gh:" "github-ssh:" ];
-        url."git@github.com:shelvacu/".insteadOf = [ "vgh:" ];
-        url."https://gitlab.com/".insteadOf = [ "hgl:" "gitlab-http:" "gitlab-https:" ];
-        url."git@gitlab.com:".insteadOf = [ "sgl:" "gl:" "gitlab-ssh:" ];
-        url."git@gitlab.com:shelvacu/".insteadOf = [ "vgl:" ];
-        url."https://git.uninsane.org/".insteadOf = [ "hu:" "uninsane-http:" "uninsane-https:" ];
-        url."git@git.uninsane.org:".insteadOf = [ "u:" "su:" "uninsane-ssh" ];
-        url."git@git.uninsane.org:shelvacu/".insteadOf = [ "vu:" ];
-      };
-      vacu.vnopnCA = ''
-        -----BEGIN CERTIFICATE-----
-        MIIBnjCCAUWgAwIBAgIBBTAKBggqhkjOPQQDAjAgMQswCQYDVQQGEwJVUzERMA8G
-        A1UEAxMIdm5vcG4gQ0EwHhcNMjQwODEyMjExNTQwWhcNMzQwODEwMjExNTQwWjAg
-        MQswCQYDVQQGEwJVUzERMA8GA1UEAxMIdm5vcG4gQ0EwWTATBgcqhkjOPQIBBggq
-        hkjOPQMBBwNCAARqRbSeq00FfYUGeCHVkzwrjrydI56T12xy+iut0c4PemSuhyxC
-        AgfdKYtDqMNZmSqMaLihzkBenD0bN5i0ndjho3AwbjAPBgNVHRMBAf8EBTADAQH/
-        MCwGA1UdHgEB/wQiMCCgGDAKhwgKTkwA///8ADAKgggudDJkLmxhbqEEMAKBADAO
-        BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFAjSkbJQCQc1WP6nIP5iLDIKGFrdMAoG
-        CCqGSM49BAMCA0cAMEQCIFtyawkZqFhvzgmqG/mYNNO6DdsQTPQ46x/08yrEiiF4
-        AiA+FwAPqX+CBkaSdIhuhv1kIecmvacnDL5kpyB+9nDodw==
-        -----END CERTIFICATE-----
-      '';
-      vacu.rootCAs = [ config.vacu.vnopnCA ];
-
-      vacu.ssh.authorizedKeys = {
-        # pixel6pro-termux = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86";
-        # t460s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp";
-        # pixel6pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W";
-        compute-deck = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug";
-        triple-dezert = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g";
-        triple-dezert-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8";
-        compute-deck-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I";
-        pro1x-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX";
-        fw-root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m";
-        fw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C";
-        pixel9pro-nod = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINznGot+L8kYoVQqdLV/R17XCd1ILMoDCILOg+I3s5wC";
-        legtop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOre0FnYDm3arsFj9c/l5H2Q8mdmv7kmvq683pL4heru";
-      };
-      vacu.ssh.config = ''
-        Host deckvacu
-          User deck
-
-        Host rsb
-          User user
-          HostName finaltask.xyz
-          Port 2222
-
-        Host awoo
-          HostName 45.142.157.71
-
-        Host trip
-          HostName trip.shelvacu.com
-          Port 6922
-
-        Host liam
-          HostName 178.128.79.152
-
-        Host pluto
-          HostName pluto.somevideogam.es
-
-        Host sdf
-          HostName tty.sdf.org
-
-        Host u
-          User git
-          HostName git.uninsane.org
-
-        Host gl
-          User git
-          HostName gitlab.com
-
-        Host gh
-          User git
-          HostName github.com
-
-        Host *
-          User shelvacu
-          GlobalKnownHostsFile ${pkgs.writeText "known_hosts" config.vacu.ssh.knownHostsText}
-      '';
-
-      vacu.ssh.knownHosts = {
-        #public hosts
-        "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-        "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-        "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
-        "sdf.org" = {
-          extraHostNames = [ "tty.sdf.org" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJk3a190w/1TZkzVKORvz/kwyKmFY144lVeDFm80p17";
-        };
-
-        #colin's stuff
-        "uninsane.org" = {
-          extraHostNames = [ "git.uninsane.org" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-        };
-        "desko" = {
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-        };
-
-        #daymocker's stuff
-        "pluto" = {
-          extraHostNames = [ "74.208.184.137" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
-        };
-
-        #powerhouse hosts
-        "ostiary" = {
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSYyd1DGPXGaV4mD34tUbXvbtIi/Uv2otoMUsCkxRse";
-        };
-        "habitat" = {
-          # previously known as zigbee-hub
-          extraHostNames = [ "10.78.79.114" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN";
-        };
-        "vnopn" = {
-          extraHostNames = [
-            "10.78.79.1"
-            "vnopn.t2d.lan"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMgJE8shlTYF3nxKR/aILd1SzwDwhtCrjz9yHL7lgSZ";
-        };
-
-        #work laptop
-        "tebbs-MBP" = {
-          extraHostNames = [ "10.244.10.3" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKO/ks07zSByDH/qmDrghtBSFwWnze2s62zEmtXwaMJe";
-        };
-
-        #personal hosts
-        trip = {
-          extraHostNames = [
-            "triple-dezert"
-            "trip.shelvacu.com"
-            "[trip.shelvacu.com]:6922"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
-        };
-        servacu = {
-          extraHostNames = [
-            "mail.dis8.net"
-            "servacu.shelvacu.com"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
-        };
-        finaltask = {
-          extraHostNames = [
-            "rsb"
-            "finaltask.xyz"
-            "[finaltask.xyz]:2222"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
-        };
-        compute-deck = {
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
-        };
-        "2esrever" = {
-          extraHostNames = [
-            "10.4.5.218"
-            "10.244.46.71"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
-        };
-        awoo = {
-          extraHostNames = [ "45.142.157.71" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
-        };
-        deckvacu = {
-          publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
-        };
-        liam = {
-          extraHostNames = [
-            "liam.dis8.net"
-            "178.128.79.152"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
-        };
-        fw = {
-          extraHostNames = [ "fw.t2d.lan" ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
-        };
-        legtop = {
-          extraHostNames = [
-            "lt"
-            "legtop.t2d.lan"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvunOGsmHg8igMGo0FpoXaegYI20wZylG8nsMFY4+JL";
-        };
-        mmm = {
-          extraHostNames = [
-            "mmm.t2d.lan"
-            "10.78.79.11"
-          ];
-          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsorkZ3rIZ2lLigwQWfA64xZRlt5lk6QPzypg55eLlD";
-        };
-      };
-    };
-  }

common/defaultPackages.nix

@@ -1,85 +0,0 @@
-{
-  pkgs,
-  config,
-  inputs,
-  lib,
-  ...
-}:
-lib.mkMerge [
-  (lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container") {
-    vacu.packages =
-      (with pkgs; [
-        home-manager
-        nix-index
-        rclone
-        termscp
-        man
-        neovim
-        nmap
-        ruby
-        (p7zip.override { enableUnfree = true; })
-        tcpdump
-        cargo
-      ])
-      ++ [
-        inputs.nix-search-cli.packages.${pkgs.system}.default
-        inputs.nix-inspect.packages.${pkgs.system}.default
-      ];
-  })
-  {
-    vacu.packages = (with pkgs; [
-      nixos-rebuild
-      which
-      nano
-      vim
-      wget
-      screen
-      tmux
-      lsof
-      htop
-      mosh
-      dnsutils
-      iperf3
-      rsync
-      ethtool
-      sshfs
-      ddrescue
-      pciutils
-      ncdu
-      pv
-      unzip
-      file
-      ripgrep
-      jq
-      tree
-      iputils
-      ssh-to-age
-      sops
-      inetutils
-      diffutils
-      findutils
-      util-linux
-      tzdata
-      hostname
-      gnugrep
-      gnused
-      gnutar
-      bzip2
-      gzip
-      xz
-      zip
-      unzip
-      openssh
-      dig
-      bash
-      usbutils
-      psutils
-      killall
-      git
-      curl
-      gnutls
-    ]) ++ [
-      (config.vacu.units.finalPackage)
-    ];
-  }
-]

common/dns/default.nix

@@ -1,15 +0,0 @@
-{
-  dns,
-  lib,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-in
-{
-  imports = [ ./jean-luc.org.nix ];
-  options.vacu.dns = mkOption {
-    default = { };
-    type = types.attrsOf dns.lib.types.zone;
-  };
-}

common/dns/jean-luc.org.nix

@@ -1,27 +0,0 @@
-{
-  dns,
-  ...
-}:
-let
-  inherit (dns.lib.combinators) spf mx;
-in
-{
-  vacu.dns."jean-luc.org" = {
-    SOA = {
-      nameServer = "ns51.cloudns.net";
-      adminEmail = "test@example.com";
-      serial = 123456;
-    };
-    NS = [
-      "ns51.cloudns.net"
-      "ns52.cloudns.net"
-      "ns53.cloudns.net"
-      "ns54.cloudns.net"
-    ];
-    A = [ "1.2.3.4" ];
-    TXT = [
-      (spf.strict [ "1.2.3.4" ])
-    ];
-    subdomains."in".MX = [ (mx.mx 0 "a.b") ];
-  };
-}

common/generic.nix

@@ -0,0 +1,186 @@
+{ config, pkgs, lib, inputs, ... }: let
+  inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
+  inherit (builtins) attrValues;
+  cfg = config.vacu;
+  packageNames = lib.splitString "\n" ''
+    ruby_3_3
+    nixos-rebuild
+    nano
+    vim
+    wget
+    screen
+    tmux
+    lsof
+    htop
+    mosh
+    dnsutils
+    iperf3
+    nmap
+    rsync
+    ethtool
+    sshfs
+    ddrescue
+    pciutils
+    ncdu
+    nix-index
+    git
+    pv
+    unzip
+    file
+    ripgrep
+    jq
+    units
+    tree
+    rclone
+    iputils
+    ssh-to-age
+    sops
+    inetutils
+    neovim
+    diffutils
+    findutils
+    utillinux
+    tzdata
+    hostname
+    man
+    gnugrep
+    gnused
+    gnutar
+    bzip2
+    gzip
+    xz
+    zip
+    unzip
+    openssh
+    dig
+    bash
+    git'';
+  plainPackageOpts = map (name: { name = name; value = { enable = lib.mkDefault true; }; }) packageNames;
+  packageOpts = lib.recursiveUpdate (builtins.listToAttrs plainPackageOpts) {
+    nix-search-cli.package = inputs.nix-search-cli.packages.${pkgs.system}.default;
+    nix-search-cli.enable = lib.mkDefault true;
+    nix-inspect.package = inputs.nix-inspect.packages.${pkgs.system}.default;
+    nix-inspect.enable = lib.mkDefault true;
+  };
+in {
+  imports = [ ./package-set.nix ./ssh.nix ./commands.nix ];
+  options = {
+    vacu.nix.extraSubstituters = mkOption { type = types.listOf types.str; };
+    vacu.nix.extraTrustedKeys = mkOption { type = types.listOf types.str; };
+  };
+  config = {
+    vacu.packages = packageOpts;
+    vacu.nix.extraSubstituters = [
+      "https://nixcache.shelvacu.com/"
+      "https://nix-community.cachix.org/"
+    ];
+    vacu.nix.extraTrustedKeys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "nixcache.shelvacu.com:73u5ZGBpPRoVZfgNJQKYYBt9K9Io/jPwgUfuOLsJbsM="
+    ];
+    vacu.ssh.authorizedKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4LYvUe9dsQb9OaTDFI4QKPtMmOHOGLwWsXsEmcJW86" # Termux on pixel6pro
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcYwYy9/0Gu/GsqS72Nkz6OkId+zevqXA/aTIcvqflp" # t460s windows
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsErA6M9LSHj2hPlLuHD8Lpei7WjMup1JxI1vxA6B8W" # pixel6pro nix-on-droid
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoy1TrmfhBGWtVedgOM1FB1oD2UdodN3LkBnnLx6Tug" # compute-deck
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVeSzDkGTueZijB0xUa08e06ovAEwwZK/D+Cc7bo91g" # triple-dezert
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtwtao/TXbiuQOYJbousRPVesVcb/2nP0PCFUec0Nv8" # triple-dezert (root)
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxAFFxQMXAgi+0cmGaNE/eAkVfEl91wafUqFIuAkI5I" # compute-deck (root)
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcRDekd8ZOYfQS5X95/yNof3wFYIbHqWeq4jY0+ywQX" # pro1x nix-on-droid
+	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExSObd1lZprdqAFLqFhtxDEckV0q/vZZIYqrYFKfkoC" # devver
+	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHLPOxRd68+DJ/bYmqn0wsgwwIcMSMyuU1Ya16hCb/m" # fw (root)
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ2c0GzlVMjV06CS7bWbCaAbzG2+7g5FCg/vClJPe0C" # fw
+    ];
+    vacu.ssh.config = ''
+      Host deckvacu
+        User deck
+      
+      Host rsb
+        User user
+        HostName finaltask.xyz
+        Port 2222
+      
+      Host awoo
+        HostName 45.142.157.71
+
+      Host trip
+        HostName trip.shelvacu.com
+        Port 6922
+      
+      Host liam
+        HostName 178.128.79.152
+
+      Host pluto
+        HostName pluto.somevideogam.es
+
+      Host *
+        User shelvacu
+        GlobalKnownHostsFile ${pkgs.writeText "known_hosts" knownHostsText}
+    '';
+
+    vacu.ssh.knownHosts = {
+      #public hosts
+      "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+      "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+
+      #colin's stuff
+      "uninsane.org" = {
+        extraHostNames = [ "git.uninsane.org" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+      };
+      "desko" = {
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+      };
+
+      #daymocker's stuff
+      "pluto" = {
+        extraHostNames = [ "74.208.184.137" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpHY4fLZ1hNuB2oRQM7R3b4eQyIHbFB45ZYp3XCELLg";
+      };
+
+      #personal hosts
+      "zigbee-hub" = {
+        extraHostNames = [ "10.78.79.114" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJxwUYddOxgViJDOiokfaQ6CsCx/Sw+b3IisdJv8zFN root@zigbee-hub";
+      };
+      trip = {
+        extraHostNames = [ "triple-dezert" "trip.shelvacu.com" "[trip.shelvacu.com]:6922" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUQux9V0mSF5IauoO1z311NXR7ymEbwRMzT+OaaNQr+";
+      };
+      servacu = {
+        extraHostNames = [ "mail.dis8.net" "servacu.shelvacu.com" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+E6na7np0HnBV2X7owno+Fg+bNNRSHLxO6n1JzdUTV";
+      };
+      finaltask = {
+        extraHostNames = [ "rsb" "finaltask.xyz" "[finaltask.xyz]:2222" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTx8WBNNKBVRV98HgDChpd59SHbreJ87SXU+zOKan6y";
+      };
+      compute-deck = {
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGt43GmXCxkl5QjgPQ/QimW11lKfXmV4GFWvlxQSf4TQ";
+      };
+      "2esrever" = {
+        extraHostNames = [ "10.4.5.218" "10.244.46.71" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0LnPrJxAdffZ//uRe3NBiIfFCBNMLqKVylkyU0llvT";
+      };
+      awoo = {
+        extraHostNames = [ "45.142.157.71" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQaDjjfSK8jnk9aFIiYH9LZO4nLY/oeAc7BKIPUXMh1";
+      };
+      deckvacu = {
+        publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEa8qpFkIlLLJkH8rmEAn6/MZ9ilCGmEQWC3CeFae7r1kOqfwRk0nq0oyOGJ50uIh+PpwEh3rbgq6mLfpRfsFmM=";
+      };
+      liam = {
+        extraHostNames = [ "liam.dis8.net" "178.128.79.152" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOqJYVHOIFmEA5uRbbirIupWvyBLAFwic/8EZQRdN/c";
+      };
+      devver = {
+        extraHostNames = [ "devver.t2d.lan" "10.78.79.10" ];
+	publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeFaH2tzWIiCPdKNmxl3NqCnPTdmVIOBinauUAEl+UU";
+      };
+      fw = {
+        extraHostNames = [ "fw.t2d.lan" ];
+        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6lX25mCy35tf1NpcHMAdeRgvT7l0Dw0FWBH3eX4TE2";
+      };
+    };
+  };
+}

common/git.nix

@@ -1,77 +0,0 @@
-{ 
-  lib,
-  config,
-  pkgs,
-  vacuModuleType,
-  ...
-}:
-let
-  inherit (lib) types;
-  cfg = config.vacu.git;
-in
-{ imports = [
-{
-  # https://github.com/NixOS/nixpkgs/blob/e8c38b73aeb218e27163376a2d617e61a2ad9b59/nixos/modules/programs/git.nix#L16
-  options.vacu.git = {
-    package = lib.mkPackageOption pkgs "git" {};
-    enable = lib.mkEnableOption "git";
-    config = lib.mkOption {
-      type =
-        let
-          gitini = types.attrsOf (types.attrsOf types.anything);
-        in
-        types.either gitini (types.listOf gitini) // {
-          merge = loc: defs:
-            let
-              config = builtins.foldl'
-                (acc: { value, ... }@x: acc // (if builtins.isList value then {
-                  ordered = acc.ordered ++ value;
-                } else {
-                  unordered = acc.unordered ++ [ x ];
-                }))
-                {
-                  ordered = [ ];
-                  unordered = [ ];
-                }
-                defs;
-            in
-            [ (gitini.merge loc config.unordered) ] ++ config.ordered;
-        };
-      default = [];
-    };
-    lfs.enable = lib.mkEnableOption "git lfs";
-    lfs.package = lib.mkPackageOption pkgs "git-lfs" {};
-    configText = lib.mkOption {
-      readOnly = true;
-      type = types.str;
-    };
-  };
-
-  config.vacu.git.configText = lib.concatMapStringsSep "\n" lib.generators.toGitINI cfg.config;
-}
-(lib.mkIf cfg.enable { vacu.packages.git = { enable = true; package = cfg.package; }; })
-(lib.mkIf (cfg.enable && cfg.lfs.enable) {
-  vacu.packages.git-lfs = { enable = true; package = cfg.lfs.package; };
-  vacu.git.config = let bin = lib.getExe cfg.lfs.package; in {
-    filter.lfs = {
-      clean = "${bin} clean -- %f";
-      smudge = "${bin} smudge -- %f";
-      process = "${bin} filter-process";
-      required = true;
-    };
-  };
-})
-(lib.optionalAttrs (vacuModuleType == "nixos") {
-  vacu.assertions = [
-    {
-      assertion = !(cfg.enable && config.programs.git.enable);
-      message = "vacu.git and programs.git should not both be enabled";
-    }
-  ];
-})
-(lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
-  environment = lib.mkIf (cfg.enable && cfg.config != []) {
-    etc.gitconfig.text = cfg.configText;
-  };
-})
-]; }

common/home.nix

@@ -1,7 +0,0 @@
-{ ... }:
-let
-
-in
-{
-  imports = [ ./common-but-not.nix ];
-}

common/lib/default.nix

@@ -1,40 +0,0 @@
-{ lib, config, ... }:
-let
-  inherit (builtins) isList;
-  mkOutOption =
-    val:
-    lib.mkOption {
-      readOnly = true;
-      default = val;
-    }
-  ;
-  listToIndexAttrs = list:
-    let
-      thing = lib.foldl (acc: val:
-        { 
-          index = acc.index + 1;
-          result = acc.result // { ${toString acc.index} = val; };
-        }
-      ) { result = {}; index = 0; } list;
-    in
-    assert isList list;
-    thing.result
-  ;
-in
-{
-  imports = [
-    ./makeWrapper.nix
-    ./duplicates.nix
-  ];
-
-  options.vacu.vaculib = lib.mkOption {
-    type = lib.types.anything;
-  };
-
-  config._module.args.vaculib = config.vacu.vaculib;
-
-  config.vacu.vaculib = {
-    inherit mkOutOption;
-    inherit listToIndexAttrs;
-  };
-}

common/lib/duplicates.nix

@@ -1,85 +0,0 @@
-{
-  lib,
-  config,
-  vaculib,
-  ...
-}:
-let
-  inherit (builtins) isString isList isFunction isAttrs;
-  pathFromStr = str:
-    assert isString str;
-    if str == "" then [] else
-    lib.splitString "." str
-  ;
-  /**
-    For each value, make a list of each attr name that has that value.
-
-    Values must be `toString`able, and are deduped based on the output of `toString`.
-
-    # Type
-    ```
-    findDuplicates :: { a :: b } -> { String :: [ a ] }
-    ```
-
-    # Examples
-    :::{.example}
-    ## `vaculib.findDuplicates` usage example
-
-    ```nix
-    findDuplicates { a = 1; b = 2; c = 3; x = 1; y = 2; }
-    => { "1" = [ "a" "x" ]; "2" = [ "b" "y" ]; }
-    ```
-
-    :::
-  */
-  findDuplicates = attrs:
-    let
-      occurances = lib.foldl (acc: name: value:
-        let
-          key = toString value;
-        in
-        acc // { ${key} = (acc.${key} or []) ++ [ name ]; }
-      ) {} attrs;
-    in
-    assert isAttrs attrs;
-    lib.filterAttrs (_: names: (builtins.length names) > 1) occurances
-  ;
-
-  # returns a list of attrSets suitable for vacu.assertions
-  assertNoDuplicatesModule = among: attr:
-    let
-      list_or_attrs = lib.getAttrFromPath (pathFromStr among) config;
-      attrs =
-        if isAttrs list_or_attrs
-        then list_or_attrs
-        else vaculib.listToIndexAttrs list_or_attrs
-      ;
-      innerPath = pathFromStr attr;
-      valueMap = (v: lib.getAttrFromPath innerPath v);
-      duplicates = findDuplicates (lib.mapAttrs (_: valueMap) attrs);
-      valueName = if attr == "" then "value" else "`${attr}`";
-      messages = lib.mapAttrsToList (duplicate: names:
-        let
-          pretty = name: "`${name}`";
-          prettyNames = map pretty names;
-        in
-        "Duplicate found in ${among}: ${lib.concatStringsSep ", " prettyNames} all have the same ${valueName}: ${duplicate}"
-      ) duplicates;
-    in
-    assert isString among;
-    assert isString attr;
-    assert (isList list_or_attrs) || (isAttrs list_or_attrs);
-    {
-      config.vacu.assertions = map (message: {
-        assertion = false;
-        inherit message;
-      }) messages;
-    }
-  ;
-in
-{
-  config.vacu.vaculib = {
-    inherit findDuplicates;
-    inherit assertNoDuplicatesModule;
-  };
-}

common/lib/makeWrapper.nix

@@ -1,97 +0,0 @@
-{
-  pkgs,
-  lib,
-  ...
-}:
-let
-  inherit (lib)
-    optionals
-    optional
-    mapAttrsToList
-    concatMap
-    escapeShellArg
-    escapeShellArgs
-    ;
-in
-{
-  config.vacu.vaculib.makeWrapper =
-    {
-      original,
-      new,
-      argv0 ? null,
-      inherit_argv0 ? false,
-      resolve_argv0 ? false,
-      set ? { },
-      set_default ? { },
-      unset ? [ ],
-      chdir ? null,
-      run ? [ ],
-      prepend_flags ? [ ],
-      add_flags ? [ ],
-      append_flags ? [ ],
-      runtimeHook ? null,
-    }@args:
-    let
-      prependFlags = prepend_flags ++ add_flags;
-      escapeFlags = escapeShellArgs;
-      # escapeFlags = flags: builtins.concatStringsSep " " (map escapeShellArg flags);
-      originalBin = if lib.isDerivation original then lib.getExe original else original;
-      makeWrapperFlags =
-        (optionals (argv0 != null) [
-          "--argv0"
-          argv0
-        ])
-        ++ (optional inherit_argv0 "--inherit-argv0")
-        ++ (optional resolve_argv0 "--resolve-argv0")
-        ++ (mapAttrsToList (k: v: [
-          "--set"
-          k
-          v
-        ]) set)
-        ++ (mapAttrsToList (k: v: [
-          "--set-default"
-          k
-          v
-        ]) set_default)
-        ++ (concatMap (k: [
-          "--unset"
-          k
-        ]) unset)
-        ++ (optionals (chdir != null) [
-          "--chdir"
-          chdir
-        ])
-        ++ (concatMap (k: [
-          "--run"
-          k
-        ]) run)
-        ++ (optionals (prependFlags != [ ]) [
-          "--add-flags"
-          (escapeFlags prependFlags)
-        ])
-        ++ (optionals (append_flags != [ ]) [
-          "--append-flags"
-          (escapeFlags append_flags)
-        ]);
-    in
-    pkgs.stdenvNoCC.mkDerivation {
-      name = new;
-
-      nativeBuildInputs = [ pkgs.makeWrapper ];
-
-      phases = [ "installPhase" ];
-
-      installPhase = ''
-        runHook preInstall
-
-        mkdir -p $out/bin
-        makeWrapper ${escapeShellArg originalBin} $out/bin/${escapeShellArg new} ${escapeShellArgs makeWrapperFlags}
-
-        runHook postInstall
-      '';
-
-      inherit runtimeHook;
-
-      meta.mainProgram = new;
-    };
-}

common/lix.nix

@@ -1,7 +0,0 @@
-{
-  inputs,
-  vacuModuleType,
-  ...
-}: if vacuModuleType == "nixos" then {
-  imports = [ inputs.lix-module.nixosModules.default ];
-} else {}

common/minimal-nixos.nix

@@ -1,47 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  vacuModuleType,
-  ...
-}:
-let
-  inherit (lib) mkIf mkDefault;
-in
-lib.optionalAttrs (vacuModuleType == "nixos") {
-  config = mkIf (config.vacu.systemKind == "minimal") {
-    programs.git.lfs.enable = false;
-    programs.git.package = pkgs.gitMinimal;
-    # mostly copied from nixos's /profiles/minimal.nix
-    environment.noXlibs = mkDefault true;
-
-    documentation.enable = mkDefault false;
-
-    documentation.doc.enable = mkDefault false;
-
-    documentation.info.enable = mkDefault false;
-
-    documentation.man.enable = mkDefault false;
-
-    documentation.nixos.enable = mkDefault false;
-
-    # Perl is a default package.
-    environment.defaultPackages = mkDefault [ ];
-
-    environment.stub-ld.enable = false;
-
-    # The lessopen package pulls in Perl.
-    programs.less.lessopen = mkDefault null;
-
-    programs.command-not-found.enable = mkDefault false;
-
-    services.logrotate.enable = mkDefault false;
-
-    services.udisks2.enable = mkDefault false;
-
-    xdg.autostart.enable = mkDefault false;
-    xdg.icons.enable = mkDefault false;
-    xdg.mime.enable = mkDefault false;
-    xdg.sounds.enable = mkDefault false;
-  };
-}

common/nix-on-droid.nix

@@ -1,22 +0,0 @@
-{
-  config,
-  lib,
-  vacuModuleType,
-  ...
-}:
-let
-  inherit (lib) mkDefault;
-in
-lib.optionalAttrs (vacuModuleType == "nix-on-droid") {
-  environment.packages = config.vacu.packageList;
-  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
-  nix.substituters = lib.mkForce config.vacu.nix.substituterUrls;
-  nix.trustedPublicKeys = lib.mkForce config.vacu.nix.trustedKeys;
-  vacu.shell.functionsDir = "${config.user.home}/.nix-profile/share/vacufuncs";
-  environment.etc.bashrc.text = config.vacu.shell.interactiveLines;
-  environment.etc.profile.text = config.vacu.shell.interactiveLines;
-  environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
-
-  vacu.hostName = mkDefault "nix-on-droid";
-  vacu.shortHostName = mkDefault "nod";
-}

common/nix.nix

@@ -1,36 +0,0 @@
-{ lib, config, ... }:
-let
-  inherit (lib) mkOption types;
-  caches = builtins.attrValues config.vacu.nix.caches;
-  enabledCaches = builtins.filter (c: c.enable) caches;
-in
-{
-  options = {
-    vacu.nix.caches = mkOption {
-      type = types.attrsOf (
-        types.submodule (
-          { name, ... }:
-          {
-            options = {
-              url = mkOption { type = types.str; };
-              keys = mkOption {
-                type = types.listOf types.str;
-                default = [ ];
-              };
-              enable = mkOption {
-                default = true;
-                type = types.bool;
-              };
-            };
-          }
-        )
-      );
-    };
-    vacu.nix.substituterUrls = mkOption { readOnly = true; };
-    vacu.nix.trustedKeys = mkOption { readOnly = true; };
-    vacu.nix.plainOptions = mkOption { };
-  };
-  config.vacu.nix.substituterUrls = map (c: c.url) enabledCaches;
-  config.vacu.nix.trustedKeys = builtins.concatMap (c: c.keys) enabledCaches;
-  config.vacu.nix.plainOptions.allowUnfree = true;
-}

common/nixos-rebuild.nix

@@ -1,34 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  vacuModuleType,
-  ...
-}:
-let
-  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; };
-in
-lib.optionalAttrs (vacuModuleType == "nixos") {
-  options.vacu.alwaysUseRemoteSudo =
-    (lib.mkEnableOption "always deploy to this machine with --use-remote-sudo")
-    // {
-      default = true;
-    };
-  config = lib.mkIf config.vacu.alwaysUseRemoteSudo {
-    system.build.nixos-rebuild = lib.mkForce (
-      pkgs.runCommandLocal "nixos-rebuild-wrapped"
-        {
-          nativeBuildInputs = [ pkgs.makeShellWrapper ];
-          meta.mainProgram = "nixos-rebuild";
-        }
-        ''
-          runHook preInstall
-
-          mkdir -p $out/bin
-          makeShellWrapper ${lib.getExe nixos-rebuild} $out/bin/nixos-rebuild --add-flags "--use-remote-sudo"
-
-          runHook postInstall
-        ''
-    );
-  };
-}

common/nixos.nix

@@ -1,55 +1,51 @@
+{ lib, pkgs, config, inputs, utils, ... }:
 {
-  lib,
-  pkgs,
-  config,
-  vacuModuleType,
-  ...
-}:
-lib.optionalAttrs (vacuModuleType == "nixos") {
-  options.vacu.underTest = lib.mkOption {
-    default = false;
-    type = lib.types.bool;
+  imports = [ ./generic.nix ];
+  options.vacu.acmeCertDependencies = lib.mkOption {
+    default = {};
+    example = ''
+      vacu.acmeCertDependencies."mail.example.com" = [ "postfix.service" ];
+    '';
+    type = lib.types.attrsOf (lib.types.listOf utils.systemdUtils.lib.unitNameType);
   };
-  config = {
-    # the security warning might as well have said "its insecure maybe but there's nothing you can do about it"
-    # presumably needed by nheko
-    nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
-    # nixpkgs.overlays = [ inputs.self.overlays.default ];
-
+  config = let
+    for-systemd-services = lib.concatMapAttrs
+      (cert: units:
+        {
+          "acme-selfsigned-${cert}" = {
+            wantedBy = units;
+            before = units;
+          };
+        }
+      )
+      config.vacu.acmeCertDependencies;
+    for-security-acme-certs = lib.concatMapAttrs
+      (cert: units:
+        {
+          ${cert}.reloadServices = units;
+        }
+      )
+      config.vacu.acmeCertDependencies;
+  in {
     console = {
       keyMap = lib.mkDefault "us";
     };
-    networking = if config.vacu.hostName == null then { } else { hostName = config.vacu.hostName; };
     vacu.packages."xorg-xev" = {
       enable = config.services.xserver.enable;
       package = pkgs.xorg.xev;
     };
     environment.systemPackages = config.vacu.packageList;
-    programs.nix-ld.enable = true;
-    system.nixos.tags = [
-      "vacu${config.vacu.versionId}"
-      config.vacu.hostName
-    ];
-    environment.etc."vacu/info.json".text = builtins.toJSON config.vacu.versionInfo;
-    environment.etc."chromium" = lib.mkIf (config.vacu.systemKind == "desktop") {
-      source = "/run/current-system/sw/etc/chromium";
-    };
 
     i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
     time.timeZone = "America/Los_Angeles";
 
-    users.users.shelvacu = lib.mkIf (config.vacu.systemKind != "container") {
-      openssh.authorizedKeys.keys = lib.attrValues config.vacu.ssh.authorizedKeys;
+    users.users.shelvacu = {
+      openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
       isNormalUser = true;
       extraGroups = [ "wheel" ];
     };
-    # # safety user: if something is super fucked up with my shell stuff, I can ssh in as shelvac2
-    # users.users.shelvac2 = {
-    #   openssh.authorizedKeys.keys = config.vacu.ssh.authorizedKeys;
-    #   isNormalUser = true;
-    #   extraGroups = [ "wheel" ];
-    #   shell = pkgs.bash;
-    # };
+    systemd.services = for-systemd-services;
+    security.acme.certs = for-security-acme-certs;
     services.openssh = {
       # require public key authentication for better security
       settings.PasswordAuthentication = false;
@@ -57,48 +53,29 @@ lib.optionalAttrs (vacuModuleType == "nixos") {
       settings.PermitRootLogin = "prohibit-password";
     };
 
-    nix.settings.trusted-users = lib.mkIf (config.vacu.systemKind != "container") [ "shelvacu" ];
+    nix.settings.trusted-users = [ "shelvacu" ];
     security.sudo.wheelNeedsPassword = lib.mkDefault false;
 
     programs.screen = {
-      enable = true;
       screenrc = ''
         defscrollback 10000
         termcapinfo xterm* ti@:te@
-        maptimeout 5
       '';
-    };
+    } // (if config.system.nixos.release == "23.11" then {} else { enable = true; });
 
-    programs.tmux = lib.mkIf (config.vacu.systemKind != "container") {
-      enable = true;
-      extraConfig = "setw mouse";
-      clock24 = true;
-    };
+    programs.tmux.enable = true;
+    programs.tmux.extraConfig = "setw mouse";
+    programs.tmux.clock24 = true;
 
     nix.settings = {
-      experimental-features = [
-        "nix-command"
-        "flakes"
-      ];
-      substituters = lib.mkForce config.vacu.nix.substituterUrls;
-      extra-substituters = lib.mkForce [ ];
-      trusted-public-keys = lib.mkForce config.vacu.nix.trustedKeys;
-      extra-trusted-public-keys = lib.mkForce [ ];
+      experimental-features = [ "nix-command" "flakes" ];
+      substituters = config.vacu.nix.extraSubstituters;
+      trusted-public-keys = config.vacu.nix.extraTrustedKeys;
     };
     nixpkgs.config.allowUnfree = lib.mkDefault true;
 
-    programs.mosh.enable = lib.mkIf (config.vacu.systemKind != "container") (lib.mkDefault true);
+    programs.mosh.enable = lib.mkDefault true;
 
     programs.ssh.extraConfig = config.vacu.ssh.config;
-
-    security.pki.certificates = config.vacu.rootCAs;
-
-    # commands.nix
-    environment.pathsToLink = [
-      "/share/vacufuncs"
-      "/etc/chromium"
-    ];
-    programs.bash.interactiveShellInit = config.vacu.shell.interactiveLines;
-    programs.bash.promptInit = lib.mkForce "";
   };
 }

common/nixvim.nix

@@ -1,17 +0,0 @@
-{
-  pkgs,
-  config,
-  inputs,
-  lib,
-  ...
-}:
-{
-  vacu.nixvimPkg = inputs.self.packages.${pkgs.system}.nixvim;
-  vacu.shell.functions =
-    lib.mkIf (config.vacu.systemKind != "minimal" && config.vacu.systemKind != "container")
-      {
-        nvim-plain = ''${pkgs.neovim}/bin/nvim "$@"'';
-        nvim-nixvim = ''${config.vacu.nixvimPkg}/bin/nvim "$@"'';
-        nvim = ''nvim-nixvim "$@"'';
-      };
-}

common/package-set.nix

@@ -1,65 +1,26 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
+{ config, pkgs, lib, ... }: let
   inherit (lib) mkOption types;
   pkgOptions = builtins.attrValues config.vacu.packages;
   enabledOptions = builtins.filter (o: o.enable) pkgOptions;
   enabledPkgs = builtins.map (o: o.package) enabledOptions;
-  packagesSetType = types.attrsOf (
-    types.submodule (
-      { name, ... }:
-      {
-        options = {
-          enable = mkOption {
-            type = types.bool;
-            description = "Will this package be installed (included in environment.systemPackages)";
-          };
-          package = mkOption {
-            type = types.package;
-            default = pkgs.${name};
-            defaultText = "pkgs.${name}";
-          };
-        };
-      }
-    )
-  );
-  packageListToSet = (
-    from:
-    let
-      keyvals = map (
-        val:
-        if builtins.isString val then
-          {
-            name = val;
-            value = {
-              package = pkgs."${val}";
-              enable = lib.mkDefault true;
-            };
-          }
-        else
-          {
-            name = val.pname or val.name;
-            value = {
-              package = lib.mkDefault val;
-              enable = lib.mkDefault true;
-            };
-          }
-      ) from;
-    in
-    builtins.listToAttrs keyvals
-  );
-in
-{
+in {
   options = {
     vacu.packages = mkOption {
-      default = { };
-      type = types.coercedTo (types.listOf (
-        types.either types.str types.package
-      )) packageListToSet packagesSetType;
+      default = {};
+      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
+        options = {
+	  enable = mkOption {
+	    type = types.bool;
+	    default = true;
+	    description = "Will this package be installed (included in environment.systemPackages)";
+	  };
+	  package = mkOption {
+	    type = types.package;
+	    default = pkgs.${name};
+	    defaultText = "pkgs.${name}";
+	  };
+	};
+      }));
     };
     vacu.packageList = mkOption {
       type = types.listOf types.package;

common/remapCapsLock.nix

@@ -1,35 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  vacuModuleType,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-in
-lib.optionalAttrs (vacuModuleType == "nixos") {
-  options.vacu.enableCapsLockRemap = mkOption {
-    type = types.bool;
-    default = config.vacu.systemKind == "desktop";
-  };
-  config = lib.mkIf config.vacu.enableCapsLockRemap {
-    # https://discourse.nixos.org/t/best-way-to-remap-caps-lock-to-esc-with-wayland/39707/6
-    services.interception-tools =
-      let
-        itools = pkgs.interception-tools;
-        itools-caps = pkgs.interception-tools-plugins.caps2esc;
-      in
-      {
-        enable = true;
-        plugins = [ itools-caps ];
-        # requires explicit paths: https://github.com/NixOS/nixpkgs/issues/126681
-        udevmonConfig = pkgs.lib.mkDefault ''
-          - JOB: "${itools}/bin/intercept -g $DEVNODE | ${itools-caps}/bin/caps2esc -m 1 | ${itools}/bin/uinput -d $DEVNODE"
-            DEVICE:
-              EVENTS:
-                EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
-        '';
-      };
-  };
-}

common/repos-impl.nix

@@ -1,55 +0,0 @@
-{
-  config,
-  lib,
-  vacuModuleType,
-  ...
-}:
-{
-  imports = [
-    (lib.optionalAttrs (vacuModuleType == "nixos") {
-      config.vacu.repos.path = lib.mkIf (config.users.users ? shelvacu) (lib.mkDefault "${config.users.users.shelvacu.home}/dev");
-    })
-    (lib.optionalAttrs (vacuModuleType == "nix-on-droid") {
-      config.vacu.repos.path = lib.mkDefault "${config.user.home}";
-    })
-  ];
-
-  vacu.repos = {
-    enable = lib.mkDefault true;
-    forges.uninsane.baseUrl = "git@git.uninsane.org:";
-    forges.github.baseUrl = "git@github.com";
-    forges.gitlab.basrUrl = "git@gitlab.com";
-    defaultOrigin = "uninsane";
-    repos.colin-nix-files = {
-      owner = "colin";
-      repoName = "nix-files";
-      origin = "uninsane";
-    };
-    # gh:Isaac0-dev/coopnet
-    repos.coopnet = {
-      owner = "Isaac0-dev";
-      origin = "github";
-    };
-    repos.metadl = {};
-    repos.nixos-apple-silicon = {
-      origin = "github";
-      owner = "tpwrules";
-    };
-    repos.nixpkgs = {
-      origin = "github";
-      owner = "nixos";
-      remotes = [
-        {
-          forge = "uninsane";
-          owner = "colin";
-        }
-      ];
-    };
-    repos.nix-stuff = {};
-    repos.numberlink-solver = {};
-    repos.sm64coopdx = {
-      origin = "github";
-      owner = "coop-deluxe";
-    };
-  };
-}

common/repos-options.nix

@@ -1,132 +0,0 @@
-{
-  lib,
-  config,
-  vaculib,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-  cfg = config.vacu.repos;
-  forgeModule = {
-    name,
-    config,
-    ...
-  }: {
-    options = {
-      name = mkOption {
-        type = types.str;
-        default = name;
-      };
-
-      remoteName = mkOption {
-        type = types.str;
-        default = config.name;
-      };
-
-      url = mkOption {
-        type = types.str;
-      };
-    };
-  };
-  remoteModule = {
-    name,
-    config,
-    ...
-  }: {
-    options = {
-      name = mkOption { type = types.str; default = name; };
-      baseUrl = mkOption { type = types.str; };
-      path = mkOption { type = types.str; };
-      url = mkOption { type = types.str; default = config.baseUrl + config.path; };
-    };
-  };
-  repoModule = let outercfg = cfg; in {
-    name,
-    config,
-    ...
-  }: 
-  let
-    remoteType = (
-      types.coercedTo
-        types.str
-        (from: { name = from; baseUrl = config.vacu.repos.forges.${from}.url; }) 
-        (types.subModuleWith {
-          modules = [
-            remoteModule
-            {
-              config.path = lib.mkDefault config.remotePath;
-            }
-          ];
-        })
-    );
-  in
-  {
-    options = {
-      name = mkOption {
-        type = types.str;
-        default = name;
-      };
-
-      localDir = mkOption {
-        type = types.strMatching "[^/]+";
-        default = config.name;
-      };
-
-      localPath = mkOption {
-        type = types.path;
-        default = "${outercfg.path}/${config.localDir}";
-      };
-
-      owner = mkOption {
-        type = types.str;
-        default = "shelvacu";
-      };
-
-      remoteName = mkOption {
-        type = types.str;
-        default = config.name;
-      };
-
-      remotePath = mkOption {
-        type = types.str;
-        default = "${config.owner}/${config.remoteName}";
-      };
-
-      origin = mkOption {
-        type = remoteType;
-      };
-
-      remotes = mkOption {
-        type = types.listOf remoteType;
-        default = [];
-      };
-    };
-  };
-in
-{
-  imports = [
-    # (vaculib.assertNoDuplicatesModule "vacu.repos" "name")
-    # (vaculib.assertNoDuplicatesModule "vacu.repos" "localPath")
-  ];
-
-  options.vacu.repos = {
-    enable = lib.mkEnableOption "manage repos";
-    path = mkOption {
-      type = types.path;
-    };
-    defaultOrigin = mkOption { type = types.str; };
-    forges = mkOption {
-      default = {};
-      type = types.attrsOf (types.submoduleWith {
-        modules = [ forgeModule ];
-      });
-    };
-    repos = mkOption {
-      type = types.attrsOf (types.submoduleWith { modules = [
-        repoModule
-        { config.origin = cfg.defaultOrigin; }
-      ]; });
-      default = {};
-    };
-  };
-}

common/shell/default.nix

@@ -1,193 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  vaculib,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-  cfg = config.vacu.shell;
-  writeShellFunction =
-    name: text:
-    pkgs.writeTextFile {
-      inherit name;
-      executable = false;
-      destination = "/share/vacufuncs/${name}";
-      text = ''
-        ${text}
-      '';
-      checkPhase = ''
-        ${pkgs.stdenv.shellDryRun} "$target"
-      '';
-    };
-  functionPackages = lib.mapAttrsToList writeShellFunction cfg.functions;
-  vacuInitFile = pkgs.writeText "vacu.shell.interactiveLines.sh" cfg.interactiveLines;
-  wrappedBashPkg = vaculib.makeWrapper {
-    original = pkgs.bash;
-    new = "vacuinit-bash";
-    prepend_flags = [
-      "--init-file"
-      vacuInitFile
-    ];
-  };
-  wrappedBash = lib.getExe wrappedBashPkg;
-in
-{
-  imports = [
-    ./not-aliases.nix
-    ./ps1.nix
-  ];
-  options = {
-    vacu.shell.functionsDir = mkOption {
-      type = types.path;
-      default = "/run/current-system/sw/share/vacufuncs";
-    };
-    vacu.shell.interactiveLines = mkOption {
-      type = types.lines;
-      readOnly = true;
-    };
-    vacu.shell.wrappedBash = mkOption {
-      readOnly = true;
-    };
-    vacu.shell.idempotentShellLines = mkOption {
-      type = types.lines;
-      default = "";
-    };
-    vacu.shell.color = mkOption {
-      type = types.enum (builtins.attrNames vaculib.shellColors);
-      default = "white";
-    };
-    vacu.shell.functions = mkOption {
-      type = types.attrsOf types.str;
-    };
-  };
-  config.vacu = {
-    vaculib = {
-      # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
-      shellColors = {
-        black = 30;
-        red = 31;
-        green = 32;
-        yellow = 33;
-        blue = 34;
-        magenta = 35;
-        cyan = 36;
-        white = 37;
-      };
-    };
-    shell.interactiveLines = ''
-      if [[ $- == *i* ]] && [[ -f ${cfg.functionsDir}/vacureload ]]; then
-        function __vacushell_load() { eval "$(cat ${cfg.functionsDir}/vacureload)"; }
-        __vacushell_load
-        unset __vacushell_load
-      fi
-    '';
-    shell.wrappedBash = wrappedBash;
-    shell.functions = {
-      "vacureload" = ''
-        declare -gA vacuShellFunctionsLoaded
-        if ! [[ -f ${cfg.functionsDir}/vacureload ]]; then
-          echo "vacureload: I think that's my cue to leave (${cfg.functionsDir}/vacureload not found, assuming vacureload-less config has been loaded and unloading myself)" 1>&2
-          for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
-            unset -f $funcname
-          done
-          return
-        fi
-        for funcname in "''${!vacuShellFunctionsLoaded[@]}"; do
-          if ! [[ -f ${cfg.functionsDir}/$funcname ]]; then
-            unset -f $funcname
-          fi
-        done
-        for fullPath in ${cfg.functionsDir}/*; do
-          local funcname="$(basename "$fullPath")"
-          local followedPath="$(readlink -f "$fullPath")"
-          if [[ "''${vacuShellFunctionsLoaded[$funcname]}" != "$followedPath" ]]; then
-            unset -f $funcname
-            eval "function ''${funcname}() { if [[ -f '$fullPath' ]]; then eval "'"$'"(cat '$fullPath')"'"'"; else echo '$funcname is no longer there, kindly removing myself.' 1>&2; unset $funcname; return 1; fi }"
-            vacuShellFunctionsLoaded[$funcname]=$followedPath
-          fi
-          unset followedPath
-          unset funcname
-        done
-        __set_idempotents
-      '';
-      "__set_idempotents" = cfg.idempotentShellLines;
-      vhich = ''
-        if [[ $# != 1 ]]; then
-          echo "expected exactly one arg" 1>&2
-          return 1
-        fi
-        query="$1"
-        quote='`'"$query'"
-        kind="$(type -t "$query")"
-        if [[ "$kind" == "" ]]; then
-          echo "could not find any command $quote" 1>&2
-          return 1
-        fi
-        echo "$quote is a $kind"
-        case "$kind" in
-          "alias")
-            alias "$query"
-            return 0
-            ;;
-          "keyword")
-            echo "See https://www.gnu.org/software/bash/manual/html_node/Reserved-Word-Index.html"
-            return 0
-            ;;
-          "function")
-            if [[ -v vacuShellFunctionsLoaded["$query"] ]]; then
-              echo "$quote is a vacufunc"
-              path="''${vacuShellFunctionsLoaded[$query]}"
-              # continue to below
-            else
-              declare -f "$query"
-              return 0
-            fi
-            ;;
-          "builtin")
-            echo "Docs: https://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html#index-$query"
-            return 0
-            ;;
-          "file")
-            path="$(which "$query")"
-            # continue to below
-            ;;
-          *)
-            echo 'ERR: unexpected return from `type -t`: '"$kind" 1>&2
-            return 1
-        esac
-        echo "path:"
-        while [[ -L "$path" ]]; do
-          dest="$(readlink "$path")"
-          echo "  $path is a symlink to $dest"
-          if [[ "$dest" != /* ]]; then
-            dest="$(dirname "$path")/$dest"
-          fi
-          path="$dest"
-        done
-        echo "  $path"
-        if ! [[ -e "$path" ]]; then
-          echo "$path does not exist!"
-          return 1
-        fi
-        canon="$(readlink -f "$path")"
-        if [[ "$path" != "$canon" ]]; then
-          echo "  $path canonicalizes to $canon"
-          path="$canon"
-        fi
-        magic_parse="$(file --brief --mime "$path")"
-        echo "magic: $magic_parse"
-        case "$magic_parse" in
-          'text/x-shellscript;'* | 'text/plain;'*)
-            echo "initial contents:"
-            echo
-            cat "$path" | head --lines=10 | head --bytes=2000
-            echo "..."
-            ;;
-        esac
-      '';
-    };
-    packages = functionPackages;
-  };
-}

common/shell/not-aliases.nix

@@ -1,101 +0,0 @@
-# These are the things that might in a simpler time go in ~/.bashrc as aliases. But they're not aliases, cuz aliases are bad
-{ pkgs, lib, ... }:
-let
-  inherit (pkgs) writeScriptBin;
-  ms_text = with_sudo: ''
-    set -eo pipefail
-    if [[ $# -gt 3 ]] || [[ $# == 0 ]]; then
-      echo "wrong number of args" 1>&2
-      exit 1
-    fi
-    host="$1"
-    session_name="''${2:-main}"
-    set -x
-    mosh -- "$host" ${lib.optionalString with_sudo "sudo"} screen -RdS "$session_name"
-  '';
-  msl_text = ''
-    set -eo pipefail
-    if [[ $# != 1 ]]; then
-      echo "wrong number of args" 1>&2
-      exit 1
-    fi
-    host="$1"
-    echo 'echo "user:"; screen -ls; echo; echo "root:"; sudo screen -ls' | ssh -T "$host"
-  '';
-in
-{
-  vacu.packages = [
-    (writeScriptBin "ms" (ms_text false))
-    (writeScriptBin "mss" (ms_text true))
-    (writeScriptBin "msl" msl_text)
-    (writeScriptBin "rmln" ''
-      set -eo pipefail
-      for arg in "$@"; do
-        if [[ "$arg" != "-*" ]] && [[ ! -L "$arg" ]]; then
-          echo "$0: $arg is not a symlink" 1>&2
-          exit 1
-        fi
-      done
-      rm "$@"
-    '')
-    (writeScriptBin "nr" ''
-      # nix run nixpkgs#<thing> -- <args>
-      set -eo pipefail
-      if [[ $# == 0 ]]; then
-        echo "need at least one arg" 1>&2
-        exit 1
-      fi
-      installable="$1"
-      shift
-      if [[ "$installable" != *'#'* ]]; then
-        installable="nixpkgs#$installable"
-      fi
-      nix run "$installable" -- "$@"
-    '')
-    (writeScriptBin "nb" ''
-      # nix build nixpkgs#<thing> <args>
-      set -eo pipefail
-      if [[ $# == 0 ]]; then
-        echo "need at least one arg" 1>&2
-        exit 1
-      fi
-      installable="$1"
-      shift
-      if [[ "$installable" != *'#'* ]]; then
-        installable="nixpkgs#$installable"
-      fi
-      nix build "$installable" "$@"
-    '')
-    (writeScriptBin "ns" ''
-      # nix shell nixpkgs#<thing>
-      set -eo pipefail
-      new_args=( )
-      for arg in "$@"; do
-        if [[ "$arg" != *'#'* ]] && [[ "$arg" != -* ]]; then
-          arg="nixpkgs#$arg"
-        fi
-        new_args+=("$arg")
-      done
-      nix shell "''${new_args[@]}"
-    '')
-  ];
-  vacu.shell.functions = {
-    nd = ''
-      declare -a args
-      args=("$@")
-      lastarg="''${args[-1]}"
-      if [[ "$lastarg" == "-*" ]]; then
-        echo "$0: last argument must be the directory" 1>&2
-        return 1
-      fi
-      for arg in "''${args[@]::''${#args[@]}-1}}"; do
-        if [[ "$arg" != "-*" ]]; then
-          echo "$0: last argument must be the directory" 1>&2
-          return 1
-        fi
-      done
-      mkdir "''${args[@]}" && cd "''${args[-1]}"
-    '';
-    nt = ''pushd $(mktemp -d "$@")'';
-  };
-}

common/shell/ps1.nix

@@ -1,77 +0,0 @@
-{
-  config,
-  lib,
-  vaculib,
-  vacuModuleType,
-  ...
-}:
-let
-  cfg = config.vacu.shell;
-  # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
-  colors = vaculib.shellColors;
-
-  # TODO: reset_without_clear doesn't fully work
-  # thanks colin https://git.uninsane.org/colin/nix-files/src/commit/7f5b2628016c8ca1beec417766157c7676a9c5e5/hosts/common/programs/zsh/starship.nix#L24
-  set = opt: ''\e[?${opt}h'';
-  clear = opt: ''\e[?${opt}l'';
-  reset_without_clear = builtins.concatStringsSep "" [
-    # reset terminal mode (in case the previous command screwed with it)
-    # 'l' = turn option of, 'h' = turn option on.
-    #
-    # options are enumerated in Alacritty's VTE library's `PrivateMode` type:
-    # - <https://github.com/alacritty/vte/blob/ebc4a4d7259678a8626f5c269ea9348dfc3e79b2/src/ansi.rs#L845>
-    # see also the reset code path (does a bit too much, like clearing the screen):
-    # - <https://github.com/alacritty/alacritty/blob/6067787763e663bd308e5b724a5efafc2c54a3d1/alacritty_terminal/src/term/mod.rs#L1802>
-    # and the crucial TermMode::default: <https://github.com/alacritty/alacritty/blob/master/alacritty_terminal/src/term/mod.rs#L113>
-    #
-    # query the state of any mode bit `<n>` with `printf '\033[?<n>$p'`
-    # e.g. `printf '\033[?7$p'` returns `^[[?7;1$y` with the `1` indicating it's **set**,
-    #      `printf '\033[?1000$p'` returns `^[[?1000;2$y` with the `2` indicating it's **unset**.
-    #
-    # TODO: unset Line mode and Insert mode?
-    (clear "1") # Cursor Keys
-    # (clear "3") # Column Mode (i.e. clear screen/history)
-    (clear "6") # Origin
-    (set "7") # Line Wrap
-    (clear "12") # Blinking Cursor
-    (set "25") # Show Cursor
-    (clear "1000") # Report Mouse Clicks
-    (clear "1002") # Report Cell Mouse Motion
-    (clear "1003") # Report All Mouse Motion
-    (clear "1004") # Report Focus In/Out
-    (clear "1005") # UTF8 Mouse
-    (clear "1006") # Sgr Mouse
-    (set "1007") # Alternate Scroll
-    (set "1042") # Urgency Hints
-    # (clear "1049") # Swap Screen And Set Restore Cursor
-    (clear "2004") # Bracketed Paste
-    (clear "2026") # Sync Update
-  ];
-  # https://man.archlinux.org/man/bash.1#PROMPTING
-  # \[ and \] begins and ends "a sequence of non-printing characters"
-  set_color = colornum: ''\[\e[1;${toString colornum}m\]'';
-  set_inverted_color = colornum: ''\[\e[1;37;${toString (colornum + 10)}m\]'';
-  reset_color = ''\[\e[0m\]'';
-  colornum = colors.${cfg.color};
-  root_text = root: lib.optionalString root "ROOT@";
-  final = root: if root then (set_inverted_color colors.red) + "!!" else "$";
-  hostName = if vacuModuleType == "plain" then ''\h'' else config.vacu.shortHostName;
-  default_ps1 =
-    root:
-    ''\n''
-    # + ''\[${reset_without_clear}\]''
-    + (set_color colornum)
-    + ''${root_text root}${hostName}:\w''
-    + (final root)
-    + reset_color
-    + " ";
-in
-{
-  vacu.shell.idempotentShellLines = ''
-    if [ $UID = 0 ]; then
-      export PS1=${lib.escapeShellArg (default_ps1 true)}
-    else
-      export PS1=${lib.escapeShellArg (default_ps1 false)}
-    fi
-  '';
-}

common/sops.nix

@@ -1,54 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  vaculib,
-  ...
-}:
-let
-  userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
-  liamKey = config.vacu.ssh.knownHosts.liam.publicKey;
-  ssh-to-age = lib.getExe pkgs.ssh-to-age;
-  sopsConfig =
-    pkgs.runCommand "sops.yaml" { env.sshUserKeys = lib.concatStringsSep "\n" userKeys; }
-      ''
-        set -e
-        liamKey="$(echo "${liamKey}" | ${ssh-to-age})"
-        declare -a userKeys
-        mapfile -t userKeys < <(echo "$sshUserKeys" | ${ssh-to-age})
-        declare -p userKeys
-        cat <<END >> $out
-        creation_rules:
-          - path_regex: secrets/misc/[^/]+$
-            key_groups:
-              - age: [$(printf '"%s", ' "''${userKeys[@]}")]
-          - path_regex: secrets/liam/[^/]+$
-            key_groups:
-              - age: ["$liamKey",$(printf '"%s", ' "''${userKeys[@]}")]
-          - path_regex: /tests/test_secrets/
-            key_groups:
-              - age: ["age1eqv5759uknu7d46rqyyzsmgt43qumsge3makeWrapp3yp2xygapprnt8zu3sqx6kt8w"]
-        END
-      '';
-  testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
-  wrappedSops = vaculib.makeWrapper {
-    original = lib.getExe pkgs.sops;
-    new = "vacu-nix-stuff-sops";
-    add_flags = [
-      "--config"
-      sopsConfig
-    ];
-    run = lib.singleton ''
-      set -e
-      age_keys=("${testAgeSecret}" "$(cat $HOME/.ssh/id_ed25519 | ${lib.getExe pkgs.ssh-to-age} -private-key)")
-
-      export SOPS_AGE_KEY
-      printf -v SOPS_AGE_KEY "%s\n" "''${age_keys[@]}"
-      # declare -p SOPS_AGE_KEY
-    '';
-  };
-in
-{
-  options.vacu.sopsConfig = vaculib.mkOutOption sopsConfig;
-  options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
-}

common/sourceTree.nix

@@ -1,51 +0,0 @@
-{
-  inputs,
-  pkgs,
-  lib,
-  config,
-  vacuModuleType,
-  ...
-}:
-let
-  inherit (builtins) isString isAttrs;
-  inherit (lib) mkOption types;
-  traverseInputs =
-    linkDir: unfilteredInputs:
-    assert isString linkDir;
-    assert isAttrs unfilteredInputs;
-    let
-      inputs = removeAttrs unfilteredInputs [ "self" ];
-    in
-    lib.concatStringsSep "\n" (
-      lib.mapAttrsToList (
-        inputName: inputAttrs:
-        let
-          thisDir = linkDir + "/" + inputName;
-        in
-        assert isAttrs inputAttrs;
-        assert isAttrs (inputAttrs.inputs or { });
-        ''
-          mkdir -p ${thisDir}
-          ln -s ${inputAttrs} ${thisDir}/self
-          ${traverseInputs thisDir (inputAttrs.inputs or { })}
-        ''
-      ) inputs
-    );
-in
-{
-  options.vacu.sourceTree = mkOption {
-    readOnly = true;
-    type = types.package;
-  };
-  config =
-    {
-      vacu.sourceTree = pkgs.runCommand "inputs-tree" { } ''
-        mkdir -p $out
-        ln -s ${inputs.self} $out/self
-        ${traverseInputs "$out" inputs}
-      '';
-    }
-    // (lib.optionalAttrs (vacuModuleType == "nixos" || vacuModuleType == "nix-on-droid") {
-      environment.etc."vacu/sources".source = "${config.vacu.sourceTree}";
-    });
-}

common/ssh.nix

@@ -1,120 +1,85 @@
-{
-  lib,
-  config,
-  ...
-}:
-let
-  inherit (lib)
-    mkOption
-    types
-    flip
-    concatMapStringsSep
-    optionalString
-    concatStringsSep
-    readFile
-    literalExpression
-    ;
+{ config, pkgs, lib, inputs, ... }: let
+  inherit (lib) mkOption types flip concatMapStringsSep optionalString concatStringsSep readFile mapAttrsToList literalExpression;
   inherit (builtins) attrValues;
   cfg = config.vacu;
   knownHosts = attrValues cfg.ssh.knownHosts;
-  knownHostsText =
-    (flip (concatMapStringsSep "\n") knownHosts (
-      h:
-      assert h.hostNames != [ ];
-      optionalString h.certAuthority "@cert-authority "
-      + concatStringsSep "," h.hostNames
-      + " "
-      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-    ))
-    + "\n";
-in
-{
+  knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
+  (h: assert h.hostNames != [];
+    optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
+    + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+  )) + "\n";
+in {
   options = {
-    vacu.ssh.knownHostsText = mkOption {
-      type = types.str;
-      readOnly = true;
-      default = knownHostsText;
-    };
-    #vacu.ssh.authorizedKeys = mkOption { type = types.listOf types.str; };
     vacu.ssh.authorizedKeys = mkOption {
-      type = types.attrsOf types.str;
-      default = { };
+      type = types.listOf types.str;
+    };
+    vacu.ssh.config = mkOption {
+      type = types.lines;
     };
-    vacu.ssh.config = mkOption { type = types.lines; };
     # Straight copied from nixpkgs 
     # https://github.com/NixOS/nixpkgs/blob/46397778ef1f73414b03ed553a3368f0e7e33c2f/nixos/modules/programs/ssh.nix
     vacu.ssh.knownHosts = mkOption {
-      default = { };
-      type = types.attrsOf (
-        types.submodule (
-          {
-            name,
-            config,
-            options,
-            ...
-          }:
-          {
-            options = {
-              certAuthority = mkOption {
-                type = types.bool;
-                default = false;
-                description = ''
-                  This public key is an SSH certificate authority, rather than an
-                  individual host's key.
-                '';
-              };
-              hostNames = mkOption {
-                type = types.listOf types.str;
-                default = [ name ] ++ config.extraHostNames;
-                defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
-                description = ''
-                  A list of host names and/or IP numbers used for accessing
-                  the host's ssh service. This list includes the name of the
-                  containing `knownHosts` attribute by default
-                  for convenience. If you wish to configure multiple host keys
-                  for the same host use multiple `knownHosts`
-                  entries with different attribute names and the same
-                  `hostNames` list.
-                '';
-              };
-              extraHostNames = mkOption {
-                type = types.listOf types.str;
-                default = [ ];
-                description = ''
-                  A list of additional host names and/or IP numbers used for
-                  accessing the host's ssh service. This list is ignored if
-                  `hostNames` is set explicitly.
-                '';
-              };
-              publicKey = mkOption {
-                default = null;
-                type = types.nullOr types.str;
-                example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-                description = ''
-                  The public key data for the host. You can fetch a public key
-                  from a running SSH server with the {command}`ssh-keyscan`
-                  command. The public key should not include any host names, only
-                  the key type and the key itself.
-                '';
-              };
-              publicKeyFile = mkOption {
-                default = null;
-                type = types.nullOr types.path;
-                description = ''
-                  The path to the public key file for the host. The public
-                  key file is read at build time and saved in the Nix store.
-                  You can fetch a public key file from a running SSH server
-                  with the {command}`ssh-keyscan` command. The content
-                  of the file should follow the same format as described for
-                  the `publicKey` option. Only a single key
-                  is supported. If a host has multiple keys, use
-                  {option}`programs.ssh.knownHostsFiles` instead.
-                '';
-              };
-            };
-          }
-        )
-      );
+      default = {};
+      type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
+        options = {
+          certAuthority = mkOption {
+            type = types.bool;
+            default = false;
+            description = ''
+              This public key is an SSH certificate authority, rather than an
+              individual host's key.
+            '';
+          };
+          hostNames = mkOption {
+            type = types.listOf types.str;
+            default = [ name ] ++ config.extraHostNames;
+            defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
+            description = ''
+              A list of host names and/or IP numbers used for accessing
+              the host's ssh service. This list includes the name of the
+              containing `knownHosts` attribute by default
+              for convenience. If you wish to configure multiple host keys
+              for the same host use multiple `knownHosts`
+              entries with different attribute names and the same
+              `hostNames` list.
+            '';
+          };
+          extraHostNames = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            description = ''
+              A list of additional host names and/or IP numbers used for
+              accessing the host's ssh service. This list is ignored if
+              `hostNames` is set explicitly.
+            '';
+          };
+          publicKey = mkOption {
+            default = null;
+            type = types.nullOr types.str;
+            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
+            description = ''
+              The public key data for the host. You can fetch a public key
+              from a running SSH server with the {command}`ssh-keyscan`
+              command. The public key should not include any host names, only
+              the key type and the key itself.
+            '';
+          };
+          publicKeyFile = mkOption {
+            default = null;
+            type = types.nullOr types.path;
+            description = ''
+              The path to the public key file for the host. The public
+              key file is read at build time and saved in the Nix store.
+              You can fetch a public key file from a running SSH server
+              with the {command}`ssh-keyscan` command. The content
+              of the file should follow the same format as described for
+              the `publicKey` option. Only a single key
+              is supported. If a host has multiple keys, use
+              {option}`programs.ssh.knownHostsFiles` instead.
+            '';
+          };
+        };
+      }));
       description = ''
         The set of system-wide known SSH hosts. To make simple setups more
         convenient the name of an attribute in this set is used as a host name
@@ -138,12 +103,11 @@ in
       '';
     };
   };
-  config.vacu.assertions = lib.flip lib.mapAttrsToList config.vacu.ssh.knownHosts (
-    name: data: {
-      assertion =
-        (data.publicKey == null && data.publicKeyFile != null)
-        || (data.publicKey != null && data.publicKeyFile == null);
+  config = {
+    assertions = flip mapAttrsToList cfg.ssh.knownHosts (name: data: {
+      assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+                  (data.publicKey != null && data.publicKeyFile == null);
       message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-    }
-  );
-}
+    });
+  };
+};

common/units-config.nix

@@ -1,34 +0,0 @@
-{
-  vacu.units.extraUnits = {
-    b = "bit";
-    B = "byte";
-    kibi- = "1024";
-    Ki- = "kibi";
-    mebi- = "1024 kibi";
-    Mi- = "mebi";
-    gibi- = "1024 mebi";
-    Gi- = "gibi";
-    tebi- = "1024 gibi";
-    Ti- = "tebi";
-    pebi- = "1024 tebi";
-    Pi- = "pebi";
-    baud = "bit/s";
-    kbps = "kilobit/s";
-    kibps = "kibibit/s";
-    mbps = "megabit/s";
-    mibps = "mebibit/s";
-    gbps = "gigabit/s";
-    gibps = "gibibit/s";
-    tbps = "terabit/s";
-    tibps = "tebibit/s";
-    pbps = "petabit/s";
-    pibps = "pebibit/s";
-
-    month = "year/12";
-    mo = "month";
-    usd = "USD";
-    dollar = "USD";
-    cent = "0.01 USD";
-    "$" = "USD";
-  };
-}

common/units-impl.nix

@@ -1,117 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  vaculib,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-  unitNameRegex = let
-    # Unit  names cannot begin or end with an underscore (‘_’), a comma (‘,’) or a decimal point (‘.’).  Names must not contain any of the operator characters ‘+’, ‘-’, ‘*’, ‘/’, ‘|’, ‘^’, ‘;’, ‘~’, the comment character ‘#’, or parentheses.  To facilitate copying and pasting from documents, several typographical characters are converted to operators: the figure dash (U+2012), minus (‘-’; U+2212), and en dash (‘–’; U+2013) are converted to the operator ‘-’; the multiplication sign (‘×’; U+00D7), N-ary times operator (U+2A09), dot operator (‘⋅’; U+22C5), and middle dot (‘·’; U+00B7) are converted to the operator ‘*’; the division sign (‘÷’; U+00F7) is converted to the operator ‘/’; and the fraction slash (U+2044) is converted to the operator ‘|’; accordingly, none of these characters can appear in unit names.
-    disallowedAnywhere = "+*/|^;~#()" + (builtins.fromJSON ''"\u2012\u2212\u2013\u00d7\u2a09\u22c5\u00b7\u00f7\u2044"'');
-    disallowedMiddle = "-" + disallowedAnywhere;
-    disallowedAtEnd = "23456789_,." + disallowedAnywhere;
-    disallowedAtBegin = "-01" + disallowedAtEnd;
-    anyExcept = chars: ''[^${lib.escapeRegex chars}]'';
-    singleChar = anyExcept disallowedAtBegin;
-    multiChar = ''${anyExcept disallowedAtBegin}${anyExcept disallowedMiddle}*${anyExcept disallowedAtEnd}'';
-    numberSuffix = regex: ''${regex}_[0-9\.,]+'';
-    fullRegex = ''${singleChar}|${multiChar}|${numberSuffix singleChar}|${numberSuffix multiChar}'';
-  in fullRegex;
-  unitsAttrsType = types.addCheck (types.attrsOf types.str) (attrs:
-    builtins.all (name: (builtins.match unitNameRegex name) != null) (builtins.attrNames attrs)
-  );
-  unitsDir = pkgs.stdenvNoCC.mkDerivation {
-    name = "vacu-units-files";
-
-    src = pkgs.units.src;
-
-    phases = [ "unpackPhase" "installPhase" ];
-
-    installPhase = ''
-      mkdir -p $out
-      cp {definitions,elements}.units $out
-      ln -s ${../units/currency.units} $out/currency.units
-      ln -s ${../units/cpi.units} $out/cpi.units
-      echo ${lib.escapeShellArg config.vacu.units.lines} > $out/vacu.units
-    '';
-  };
-in
-{
-  options.vacu.units = {
-    originalPackage = mkOption {
-      type = types.package;
-      default = pkgs.units;
-    };
-    finalPackage = mkOption {
-      type = types.package;
-      readOnly = true;
-    };
-    check = mkOption {
-      type = types.package;
-      readOnly = true;
-    };
-    generatedConfigDir = mkOption {
-      readOnly = true;
-      type = types.package;
-    };
-    generatedConfigFile = mkOption {
-      readOnly = true;
-      type = types.pathInStore;
-    };
-    lines = mkOption {
-      default = "";
-      type = types.lines;
-    };
-    extraUnits = mkOption {
-      type = unitsAttrsType;
-      default = {};
-    };
-  };
-  config = lib.mkMerge [
-    {
-      vacu.units = {
-        finalPackage = vaculib.makeWrapper {
-          original = config.vacu.units.originalPackage;
-          new = "units";
-          prepend_flags = [
-            "--file" config.vacu.units.generatedConfigFile
-          ];
-        };
-        check = pkgs.runCommand "check-units" { } ''
-          # `units --check` returns success (exit code 0) regardless of success >:(
-          # example output:
-          
-          # $ result/bin/units --check
-          # Currency exchange rates from exchangerate-api.com (USD base) on 2024-11-14 
-          # Consumer price index data from US BLS, 2024-02-18 
-          # 7247 units, 125 prefixes, 134 nonlinear units
-          #
-
-          output="$(${lib.getExe config.vacu.units.finalPackage} --check)"
-          echo "$output"
-          filteredLines="$(echo "$output" \
-            | grep -v '^\s*$' \
-            | grep -v 'Currency exchange rates from' \
-            | grep -v 'Consumer price index data from' \
-            | grep -vE '[0-9]+ units, [0-9]+ prefixes, [0-9]+ nonlinear units' || true
-          )"
-          if [[ -n "$filteredLines" ]]; then
-            exit 1
-          fi
-          touch $out
-        '';
-        generatedConfigDir = unitsDir;
-        generatedConfigFile = "${unitsDir}/vacu.units";
-        lines = lib.mkOrder 750 ''
-          # default units file, includes elements.units, currency.units, cpi.units
-          !include definitions.units
-        '';
-      };
-    }
-    {
-      vacu.units.lines = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "+${name}\t${value}") config.vacu.units.extraUnits);
-    }
-  ];
-}

common/verify-system/default.nix

@@ -1,63 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-let
-  inherit (lib) mkOption mkEnableOption types;
-  cfg = config.vacu.verifySystem;
-in
-{
-  imports = [
-    ./nixos.nix
-  ];
-  options.vacu.verifySystem = {
-    enable = (mkEnableOption "verify system is what is expected") // {
-      default = true;
-    };
-    verifiers = mkOption {
-      default = { };
-      type = types.attrsOf (
-        types.submodule (
-          { name, config, ... }:
-          {
-            options = {
-              enable = mkEnableOption "Enable system ident check ${name}";
-              name = mkOption {
-                type = types.str;
-                default = name;
-              };
-              script = mkOption {
-                type = types.lines;
-                default = "## system ident check ${config.name}";
-              };
-            };
-          }
-        )
-      );
-    };
-
-    verifyAllScript =
-      let
-        verifiers = (builtins.attrValues cfg.verifiers);
-        enabled = builtins.filter (s: s.enable) verifiers;
-        files = map (s: pkgs.writeText "vacu-verify-system-${s.name}.sh" s.script) enabled;
-        script = ''
-                  ## vacu verify-system
-          	for f in ${lib.concatStringsSep " " files}; do
-          	  echo "verifying system with $f"
-          	  if ! source $f; then
-          	    echo "ERR: $f failed" >&2
-          	    return 1
-          	  fi
-          	done
-        '';
-        scriptFile = pkgs.writeText "vacu-verify-system-all.sh" script;
-      in
-      mkOption {
-        readOnly = true;
-        default = scriptFile;
-      };
-  };
-}

common/verify-system/nixos.nix

@@ -1,66 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  vacuModuleType,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-in
-lib.optionalAttrs (vacuModuleType == "nixos") {
-  options.vacu.verifySystem.expectedMac = mkOption {
-    type = types.nullOr (types.strMatching "[A-Fa-f0-9]{2}(:[A-Fa-f0-9]{2}){5}");
-    default = null;
-  };
-  config = lib.mkIf config.vacu.verifySystem.enable {
-    # system.activationScripts."00-verify-system" = {
-    #   text = "if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit $?; fi";
-    #   supportsDryActivation = true;
-    # };
-
-    system.extraSystemBuilderCmds = ''
-      mv $out/bin/switch-to-configuration $out/bin/.switch-to-configuration-unverified
-      cat <<EOF > $out/bin/switch-to-configuration
-      #!${pkgs.bash}/bin/bash
-      oldpath="$PATH"
-      export PATH="${pkgs.coreutils}/bin"
-      if ! source ${config.vacu.verifySystem.verifyAllScript}; then exit \$?; fi
-      export PATH="$oldpath"
-      exec $out/bin/.switch-to-configuration-unverified "\$@"
-      EOF
-
-      ${pkgs.coreutils}/bin/chmod a+x $out/bin/switch-to-configuration
-    '';
-
-    vacu.verifySystem.verifiers = {
-      hostname = {
-        enable = lib.mkDefault config.vacu.verifySystem.expectedMac == null;
-        script = ''
-          expected=${config.networking.hostName}
-          actual=$(cat /proc/sys/kernel/hostname)
-          if [[ "$expected" != "$actual" ]]; then
-            echo "ERR: unexpected hostname; Trying to deploy to $expected but this is $actual" >&2
-            return 1
-          fi
-        '';
-      };
-      expectedMac = {
-        enable = config.vacu.verifySystem.expectedMac != null;
-        script = ''
-          	   expected=${lib.toUpper config.vacu.verifySystem.expectedMac}
-          	   declare -a actual=($(${pkgs.iproute2}/bin/ip -j link | ${pkgs.jq}/bin/jq 'map([.permaddr, .address] | map(strings | ascii_upcase)) | flatten | join("\n")' -r))
-          	   for ifMac in "''${actual[@]}"; do
-                       if [[ "$ifMac" == "$expected" ]]; then
-          	       # all is well
-          	       return 0
-          	      fi
-          	   done
-          	   echo "ERR: Interface MAC address $expected not present, this may not be the system you intend to deploy to." >&2
-          	   echo "     Found MAC addresses: ''${actual[*]}" >&2
-          	   return 1
-          	 '';
-      };
-    };
-  };
-}

compute-deck/bluetooth.nix

@@ -1,7 +1,6 @@
-{ ... }:
-{
-  hardware.bluetooth.enable = true;
-  hardware.bluetooth.powerOnBoot = true;
+{ ... }: {
+hardware.bluetooth.enable = true;
+hardware.bluetooth.powerOnBoot = true;
 
-  services.blueman.enable = true;
+services.blueman.enable = true;
 }

compute-deck/default.nix

@@ -1,20 +1,18 @@
-{
-  pkgs,
-  inputs,
-  ...
-}:
+{ config, pkgs, lib, jovian, inputs, ... }:
 
 {
   imports = [
     inputs.jovian.nixosModules.jovian
-    # inputs.disko.nixosModules.default
-    inputs.home-manager.nixosModules.default
+    inputs.disko.nixosModules.default
+    inputs.homeManager.nixosModules.default
     ./hardware.nix
+    ./partitioning.nix
     ./home.nix
     ./bluetooth.nix
-    ./partitioning.nix
     ./padtype.nix
+    ../common-nixos-config.nix
   ];
+  system.nixos.tags = [ "host-${config.networking.hostName}" ];
 
   boot.loader.systemd-boot.enable = false;
   boot.loader.efi.efiSysMountPoint = "/boot/EFI";
@@ -25,10 +23,7 @@
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
-  vacu.hostName = "compute-deck";
-  vacu.shortHostName = "cd";
-  vacu.shell.color = "blue";
-  vacu.systemKind = "desktop";
+  networking.hostName = "compute-deck";
   networking.hostId = "e595d9b0";
 
   boot.supportedFilesystems = [ "zfs" ];
@@ -60,22 +55,22 @@
     rustup
   ];
 
-  # boot.kernelPatches = [
-  #   {
-  #     name = "gadget";
-  #     patch = null;
-  #     extraStructuredConfig = with lib.kernel; {
-  #       USB_ETH=module;
-  #       USB_GADGET=yes;
-  #       USB_LIBCOMPOSITE=yes;
-  #       USB_CONFIGFS=yes;
-  #       USB_DWC3=module;
-  #       USB_DWC3_PCI=module;
-  #       USB_DWC3_DUAL_ROLE=yes;
-  #       USB_DWC3_HOST=no;
-  #       USB_DWC3_GADGET=no;
-  #       USB_ROLE_SWITCH=yes;
-  #     };
-  #   }
-  # ];
+  boot.kernelPatches = [
+    {
+      name = "gadget";
+      patch = null;
+      extraStructuredConfig = with lib.kernel; {
+        USB_ETH=module;
+        USB_GADGET=yes;
+        USB_LIBCOMPOSITE=yes;
+        USB_CONFIGFS=yes;
+        USB_DWC3=module;
+        USB_DWC3_PCI=module;
+        USB_DWC3_DUAL_ROLE=yes;
+        USB_DWC3_HOST=no;
+        USB_DWC3_GADGET=no;
+        USB_ROLE_SWITCH=yes;
+      };
+    }
+  ];
 }

compute-deck/hardware.nix

@@ -1,60 +1,51 @@
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
 
-  boot.initrd.availableKernelModules = [
-    "nvme"
-    "xhci_pci"
-    "usbhid"
-    "sdhci_pci"
-    "dwc3_pci"
-  ];
+  boot.initrd.availableKernelModules = [ "nvme" "usbhid" "sdhci_pci" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  /*
-    fileSystems."/" =
-      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-        fsType = "btrfs";
-        options = [ "subvol=root" ];
-      };
+/*
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
 
-    fileSystems."/home" =
-      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-        fsType = "btrfs";
-        options = [ "subvol=home" ];
-      };
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
 
-    fileSystems."/nix" =
-      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-        fsType = "btrfs";
-        options = [ "subvol=nix" ];
-      };
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
 
-    fileSystems."/boot" =
-      { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
-        fsType = "btrfs";
-        options = [ "subvol=boot" ];
-      };
-  */
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/63f25199-ee0b-4991-8861-c3ba3b464ef2";
+      fsType = "btrfs";
+      options = [ "subvol=boot" ];
+    };
+*/
 
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
-    fsType = "ext4";
-  };
 
-  fileSystems."/boot/EFI" = {
-    device = "/dev/disk/by-uuid/C268-79C8";
-    fsType = "vfat";
-  };
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2aad8cab-7b97-47de-8608-fe9f12e211a4";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot/EFI" =
+    { device = "/dev/disk/by-uuid/C268-79C8";
+      fsType = "vfat";
+    };
 
   swapDevices = [ ];
 

compute-deck/home.nix

@@ -2,7 +2,9 @@
 {
   home-manager.users.shelvacu = {
     # these make vscode-remote work
-    imports = [ inputs.vscode-server.homeModules.default ];
+    imports = [
+      inputs.vscode-server.homeModules.default
+    ];
     services.vscode-server.enable = true;
 
     home.stateVersion = "23.11";

compute-deck/padtype.nix

@@ -1,10 +1,8 @@
-{ inputs, ... }:
-let
+{ inputs, ... }: let
   padtype-pkg = inputs.padtype.packages."x86_64-linux".default;
-in
-{
+in {
   environment.systemPackages = [ padtype-pkg ];
-
+  
   systemd.services."padtype" = {
     wantedBy = [ "multi-user.target" ];
     script = "${padtype-pkg}/bin/padtype";

compute-deck/partitioning.nix

@@ -1,6 +1,5 @@
-{ inputs, ... }:
+{ ... }:
 {
-  imports = [ inputs.disko.nixosModules.default ];
   disko.devices.disk.blarg = {
     device = "/dev/disk/by-id/nvme-Micron_2400_MTFDKBK2T0QFM_230341951668_1-part11";
     content = {
@@ -14,29 +13,20 @@
         subvolumes = {
           "/root" = {
             mountpoint = "/";
-            mountOptions = [
-              "compress=zstd"
-              "noatime"
-            ];
+            mountOptions = [ "compress=zstd" "noatime" ];
           };
           "/home" = {
             mountpoint = "/home";
-            mountOptions = [
-              "compress=zstd"
-              "noatime"
-            ];
+            mountOptions = [ "compress=zstd" "noatime" ];
           };
           "/nix" = {
             mountpoint = "/nix";
-            mountOptions = [
-              "compress=zstd"
-              "noatime"
-            ];
+            mountOptions = [ "compress=zstd" "noatime" ];
           };
-          #           "/swap" = {
-          #             mountpoint = "/.swapvol";
-          #             swap.swapfile.size = "20M";
-          #           };
+#           "/swap" = {
+#             mountpoint = "/.swapvol";
+#             swap.swapfile.size = "20M";
+#           };
         };
       };
     };

coopdx.nix

@@ -1,104 +0,0 @@
-{
-  callPackage,
-  fetchFromGitHub,
-  autoPatchelfHook,
-  zlib,
-  curl,
-  libcxx,
-  stdenvNoCC,
-  nixpkgs ? <nixpkgs>,
-  writeTextFile,
-  lib,
-  bash,
-
-  enableTextureFix ? true,
-  enableDiscord ? false,
-}:
-let
-  libc_hack = writeTextFile {
-    name = "libc-hack";
-    # https://stackoverflow.com/questions/21768542/libc-h-no-such-file-or-directory-when-compiling-nanomsg-pipeline-sample
-    text = ''
-      #include <unistd.h>
-      #include <string.h>
-      #include <pthread.h>
-    '';
-    destination = "/include/libc.h";
-  };
-  target = stdenvNoCC.targetPlatform;
-  bits =
-    if target.is64bit then
-      "64"
-    else if target.is32bit then
-      "32"
-    else
-      throw "unspported bits";
-  pname = "sm64coopdx";
-  version = "1.0.3";
-  region = "us"; # dx removed support for other regions
-in
-(callPackage "${nixpkgs}/pkgs/games/sm64ex/generic.nix" {
-  inherit pname version region;
-
-  src = fetchFromGitHub {
-    owner = "coop-deluxe";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-cIH3escLFMcHgtFxeSKIo5nZXvaknti+EVt72uB4XXc=";
-  };
-
-  extraNativeBuildInputs = [ autoPatchelfHook ];
-
-  extraBuildInputs = [
-    zlib
-    curl
-    libcxx
-    libc_hack
-  ];
-
-  # Normally there's no need to set TARGET_ARCH, but if we don't it adds -march=native which is impure
-  compileFlags = [
-    "BREW_PREFIX=/not-exist"
-    "TARGET_ARCH=generic"
-    "TARGET_BITS=${bits}"
-    "DISCORD_SDK=${if enableDiscord then "1" else "0"}"
-    "TEXTURE_FIX=${if enableTextureFix then "1" else "0"}"
-  ];
-
-  extraMeta = {
-    mainProgram = pname;
-    homepage = "https://sm64coopdx.com/";
-    description = "Super Mario 64 online co-op mod, forked from sm64ex";
-  };
-}).overrideAttrs
-  {
-    installPhase =
-      let
-        sharedLib = target.extensions.sharedLibrary;
-      in
-      ''
-              runHook preInstall
-
-              local built=$PWD/build/${region}_pc
-
-              share=$out/share/${pname}
-              mkdir -p $share
-              cp $built/${pname} $share/${pname}-unwrapped
-              cp -r $built/{dynos,lang,mods,palettes} $share
-              cp ./baserom.*.z64 $share
-
-              ${lib.optionalString enableDiscord ''
-                cp $built/libdiscord_game_sdk${sharedLib} $share
-              ''}
-
-              mkdir -p $out/bin
-              (
-                echo '#!${bash}/bin/bash'
-        	echo "cd $out/share/${pname}"
-        	echo 'exec ./${pname}-unwrapped "$@"'
-              ) > $out/bin/${pname}
-              chmod a+x $out/bin/${pname}
-
-              runHook postInstall
-      '';
-  }

coopdx2.nix

@@ -1,106 +0,0 @@
-{
-  # callPackage,
-  fetchFromGitHub,
-  autoPatchelfHook,
-  zlib,
-  curl,
-  SDL2,
-  hexdump,
-  stdenv,
-  writeTextFile,
-  lib,
-  bash,
-  python3,
-  sm64baserom,
-
-  enableTextureFix ? true,
-  enableDiscord ? false,
-  enableCoopNet ? true,
-}:
-let
-  libc_hack = writeTextFile {
-    name = "libc-hack";
-    # https://stackoverflow.com/questions/21768542/libc-h-no-such-file-or-directory-when-compiling-nanomsg-pipeline-sample
-    text = ''
-      #include <unistd.h>
-      #include <string.h>
-      #include <pthread.h>
-    '';
-    destination = "/include/libc.h";
-  };
-  target = stdenv.targetPlatform;
-  bits =
-    if target.is64bit then
-      "64"
-    else if target.is32bit then
-      "32"
-    else
-      throw "unspported bits";
-  pname = "sm64coopdx";
-  version = "1.0.3";
-in
-stdenv.mkDerivation {
-  inherit pname version;
-
-  src = fetchFromGitHub {
-    owner = "coop-deluxe";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-cIH3escLFMcHgtFxeSKIo5nZXvaknti+EVt72uB4XXc=";
-  };
-
-  buildInputs = [
-    python3
-    zlib
-    curl
-    libc_hack
-    SDL2
-    hexdump
-  ];
-
-  enableParallelBuilding = true;
-
-  # Normally there's no need to set TARGET_ARCH, but if we don't it adds -march=native which is impure
-  makeFlags = [
-    "BREW_PREFIX=/not-exist"
-    "DISCORD_SDK=${if enableDiscord then "1" else "0"}"
-    "TEXTURE_FIX=${if enableTextureFix then "1" else "0"}"
-    "COOPNET=${if enableCoopNet then "1" else "0"}"
-  ];
-
-  preBuild = ''
-    ln -s ${sm64baserom} baserom.us.z64
-    substituteInPlace Makefile \
-      --replace-fail ' -march=$(TARGET_ARCH) ' ' '
-    # workaround a bug in the build
-    # see https://github.com/coop-deluxe/sm64coopdx/issues/186#issuecomment-2216163935
-    # this can likely be removed when the next version releases
-    make build/us_pc/sound/sequences.bin
-  '';
-
-  installPhase = ''
-    runHook preInstall
-
-    local built=$PWD/build/us_pc
-
-    share=$out/share/${pname}
-    mkdir -p $share
-    cp $built/${pname} $share/${pname}-unwrapped
-    cp -r $built/{dynos,lang,mods,palettes} $share
-    ln -s ${sm64baserom} $share/baserom.us.z64
-
-    ${lib.optionalString enableDiscord ''
-      cp $built/libdiscord_game_sdk* $share
-    ''}
-
-    mkdir -p $out/bin
-    (
-      echo '#!${bash}/bin/bash'
-      echo "cd $out/share/${pname}"
-      echo 'exec ./${pname}-unwrapped "$@"'
-    ) > $out/bin/${pname}
-    chmod a+x $out/bin/${pname}
-
-    runHook postInstall
-  '';
-}

dcd

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo "$@"
+git add . && nixos-rebuild --flake .#compute-deck --build-host trip --target-host shelvacu@compute-deck --use-remote-sudo $@

deterministic-certs.nix

@@ -1,93 +0,0 @@
-{
-  nixpkgs ? import <nixpkgs>,
-}:
-let
-  pkgs = nixpkgs;
-  lib = nixpkgs.lib;
-  defaultCertTemplate = {
-    serial = 1;
-    activation_date = "1970-01-01 00:00:00 UTC";
-    expiration_date = "2500-01-01 00:00:00 UTC";
-  };
-  keyValToConfigLines = (
-    key: value:
-    if (builtins.isString value) || (builtins.isPath value) then
-      "${key} = \"${value}\""
-    else if builtins.isInt value then
-      "${key} = ${builtins.toString value}"
-    else if builtins.isList value then
-      map (innerValue: keyValToConfigLines key innerValue)
-    else if builtins.isBool value then
-      (if value then "${key}" else "# no ${key}")
-    else
-      throw "don't know how to handle ${builtins.typeOf value}"
-  );
-  mkTemplateConfig =
-    config:
-    lib.concatStringsSep "\n" (
-      lib.lists.flatten (lib.attrsets.mapAttrsToList keyValToConfigLines config)
-    );
-  certCfg = pkgs.writeText "deterministic-cert.cfg" ''
-    serial = 1
-    activation_date = "1970-01-01 00:00:00 UTC"
-    expiration_date = "2500-01-01 00:00:00 UTC"
-  '';
-  privKeyFile =
-    name:
-    let
-      keySizeBits = 256;
-      keySizeHex = builtins.toString (keySizeBits / 4);
-    in
-    pkgs.runCommand "deterministic-privkey-${name}.pem" { } ''
-      seed=$(echo ${lib.escapeShellArg (builtins.toJSON name)} | ${pkgs.ruby_3_2}/bin/ruby -rjson -e 'name = JSON.parse(STDIN.gets); print name.unpack("H*")[0].ljust(${keySizeHex}, "0")')
-      ${pkgs.gnutls}/bin/certtool --generate-privkey --outfile=$out --key-type=rsa --sec-param=high --seed=$seed
-    '';
-  generateCert =
-    {
-      name,
-      config,
-      args,
-      preCommands ? "",
-    }:
-    let
-      deriv = pkgs.runCommand "deterministic-cert-${name}" { } ''
-        mkdir -p $out
-        cd $out
-        ln -s ${privKeyFile name} privkey.pem
-        ln -s ${
-          pkgs.writeText "${name}-template.cfg" (mkTemplateConfig (defaultCertTemplate // config))
-        } template.cfg
-        ${preCommands}
-        ${pkgs.gnutls}/bin/certtool ${lib.escapeShellArgs args} --load-privkey=privkey.pem --outfile=cert.pem --template=template.cfg
-      '';
-    in
-    deriv
-    // {
-      privateKeyPath = "${deriv}/privkey.pem";
-      certificatePath = "${deriv}/cert.pem";
-    };
-
-in
-{
-  inherit privKeyFile;
-  selfSigned =
-    name: config:
-    generateCert {
-      inherit name config;
-      args = [ "--generate-self-signed" ];
-    };
-  caSigned =
-    name: ca: config:
-    generateCert {
-      inherit name config;
-      preCommands = ''
-        ln -s ${ca.privateKeyPath} ca-privkey.pem
-        ln -s ${ca.certificatePath} ca-cert.pem
-      '';
-      args = [
-        "--generate-certificate"
-        "--load-ca-certificate=ca-cert.pem"
-        "--load-ca-privkey=ca-privkey.pem"
-      ];
-    };
-}

devver/default.nix

@@ -0,0 +1,57 @@
+{ config, pkgs, lib, inputs, modulesPath, ... }:
+
+{
+  imports = [
+    inputs.homeManager.nixosModules.default
+    ../common-nixos-config.nix
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+
+  boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" "virtio_blk" "9pnet_virtio" "9p" "autofs4" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" "9pnet_virtio" "9p" "autofs4" ];
+  boot.extraModulePackages = [ ];
+
+  system.nixos.tags = [ "host-${config.networking.hostName}" ];
+  networking.hostName = "devver";
+  boot.loader.external.enable = true;
+  boot.loader.external.installHook = pkgs.writeShellScript "vacuDirectBootInstaller" ''
+    PATH="$PATH:${pkgs.coreutils}/bin:${pkgs.gnused}/bin"
+    set -xev
+    mkdir -p /boot
+    cp $1/kernel /boot/kernel
+    cp $1/initrd /boot/initrd
+    cp $1/kernel-params /boot/kernel-params
+    sed -i "1 s|$| init=$1/sw/bin/init|" /boot/kernel-params
+  '';
+
+  users.users.root.shell = pkgs.bashInteractive;
+
+  fileSystems."/boot" = {
+    fsType = "9p";
+    device = "boot";
+    options = [
+      "trans=virtio"
+      "access=any"
+      "version=9p2000.L"
+      "posixacl"
+      "cache=mmap"
+      "nofail"
+      "noauto"
+    ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a373835d-b942-4232-85fe-922cb1880af3";
+    fsType = "ext4";
+  };
+
+  #boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  services.openssh.enable = true;
+
+  vacu.packages.nix-inspect.enable = false; #its broken for some reason I don't understand
+
+  system.stateVersion = "23.11";
+}

dliam

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo "$@"
+git add . && nixos-rebuild --flake .#liam --build-host trip --target-host shelvacu@liam --use-remote-sudo $@

dmmm

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-git add . && nixos-rebuild --flake .#mmm --build-host trip --target-host mmm --use-remote-sudo "$@"

dtrip

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo "$@"
+git add . && nixos-rebuild --flake .#triple-dezert --build-host trip --target-host trip --use-remote-sudo $@

flake.nix

@@ -2,446 +2,140 @@
   description = "Config for triple-dezert server";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05-small";
-    # nixpkgs.url = "github:nixos/nixpkgs/be0ec1a45fe1a6f6534c451b935724ab48405f26";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
-
-    flake-utils.url = "github:numtide/flake-utils";
-    nixvim = {
-      url = "github:nix-community/nixvim/nixos-24.05";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
-    };
-    nixvim-unstable = {
-      url = "github:nix-community/nixvim";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.home-manager.follows = "home-manager-unstable";
-    };
+    nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; #todo: put this back to -small once jovian-nixos is fixed
+    nixpkgs.url = "nixpkgs/nixos-23.11-small";
+    nixpkgs2405.url = "nixpkgs/nixos-24.05-small";
     nix-inspect = {
       url = "github:bluskript/nix-inspect";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    nix-inspect-unstable = {
-      url = "github:bluskript/nix-inspect";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-    vscode-server-unstable = {
-      url = "github:nix-community/nixos-vscode-server";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.flake-utils.follows = "flake-utils";
+      #inputs.nixpkgs.follows = "nixpkgs";
     };
     vscode-server = {
       url = "github:nix-community/nixos-vscode-server";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
     };
     nix-on-droid = {
-      url = "github:nix-community/nix-on-droid";
+      url = "github:nix-community/nix-on-droid/release-23.05";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
     };
-    jovian-unstable = {
-      # there is no stable jovian :cry:
+    jovian = {
       url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    disko-unstable = {
+    disko = {
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    home-manager-unstable = {
-      url = "github:nix-community/home-manager";
+    homeManager = {
+      url = "github:nix-community/home-manager/master";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
-    nix-search-cli-unstable = {
-      url = "github:peterldowns/nix-search-cli";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-      inputs.flake-utils.follows = "flake-utils";
-    };
     nix-search-cli = {
       url = "github:peterldowns/nix-search-cli";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
     };
-    padtype-unstable = {
+    padtype = {
       url = "gitlab:shelvacu/padtype";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nixos-hardware.url = "github:nixos/nixos-hardware";
-    most-winningest = {
-      url = "github:captain-jean-luc/most-winningest";
+    microvm = {
+      url = "github:astro/microvm.nix";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    nixos-apple-silicon-unstable = {
-      url = "github:tpwrules/nixos-apple-silicon";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
-    sm64baserom.url = "git+https://git.uninsane.org/shelvacu/sm64baserom.git";
-    dns = {
-      url = "github:nix-community/dns.nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
-    };
-    lix-module = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    lix-module-unstable = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
   };
 
-  outputs =
-    {
-      self,
-      nixpkgs,
-      nix-on-droid,
-      ...
-    }@inputs:
-    let
-      x86 = "x86_64-linux";
-      arm = "aarch64-linux";
-      lib = import "${nixpkgs}/lib";
-      mkPlain = pkgs: lib.evalModules {
-        modules = [
-          ./common
-          { vacu.systemKind = "server"; }
-        ];
-        specialArgs = {
-          inherit pkgs;
-          inherit lib;
-          inherit (inputs) dns;
-          vacuModuleType = "plain";
-          inherit inputs;
-        };
-      };
-      mkPkgs =
-        arg:
-        let
-          argAttr = if builtins.isString arg then { system = arg; } else arg;
-          config = {
-            allowUnfree = true;
-          } // (argAttr.config or { });
-        in
-        import nixpkgs (argAttr // { inherit config; });
-      pkgs = mkPkgs x86;
-      defaultInputs = [
-          "nix-search-cli"
-          "nix-inspect"
-          "nixvim"
-          "lix-module"
-      ];
-      mkNixosConfig =
-        {
-          unstable ? false,
-          module,
-          system ? "x86_64-linux",
-          inp ? [ ],
-        }@args:
-        let
-          suffix = if unstable then "-unstable" else "";
-          nixpkgs = inputs.${"nixpkgs" + suffix};
-          inp' = inp ++ defaultInputs;
-          thisInputs = builtins.listToAttrs (map (name: lib.nameValuePair name inputs.${name + suffix}) inp');
-        in
-        nixpkgs.lib.nixosSystem {
-          specialArgs = {
-            inputs = thisInputs // {
-              inherit (inputs) self;
-            };
-            inherit (inputs) dns;
-            vacuModuleType = "nixos";
-          };
-          inherit system;
-          modules = [
-            ./common
-            module
-          ];
-        };
-    in
-    {
-      debug.isoDeriv = (
-        import "${inputs.nixpkgs}/nixos/release-small.nix" {
-          nixpkgs = ({ revCount = 0; } // inputs.nixpkgs);
-        }
-      );
-      # overlays.requireFileSub = (
-      #   curr: prev: { requireFile = { ... }@args: (prev args).overrideAttrs { allowSubstitutes = true; }; }
-      # );
-      # overlays.default = self.overlays.requireFileSub;
-      nixosConfigurations = {
-        triple-dezert = mkNixosConfig {
-          module = ./triple-dezert;
-          inp = [ "most-winningest" ];
-        };
-        compute-deck = mkNixosConfig {
-          module = ./compute-deck;
-          inp = [
-            "jovian"
-            "home-manager"
-            "vscode-server"
-            "disko"
-            "padtype"
-          ];
-          unstable = true;
-        };
-        liam = mkNixosConfig {
-          module = ./liam;
-          inp = [ "sops-nix" ];
-        };
-        lp0 = mkNixosConfig { module = ./lp0; };
-        shel-installer = mkNixosConfig { module = ./installer.nix; };
-        fw = mkNixosConfig {
-          module = ./fw;
-          inp = [ "nixos-hardware" ];
-        };
-        legtop = mkNixosConfig {
-          module = ./legtop;
-          inp = [ "nixos-hardware" ];
-        };
-        mmm = mkNixosConfig {
-          module = ./mmm;
-          inp = [ "nixos-apple-silicon" ];
-          system = "aarch64-linux";
-          unstable = true;
-        };
-      };
+  outputs = { self, nixpkgs, nix-on-droid, ... }@inputs: {
+    debug.isoDeriv = (import "${inputs.nixpkgs}/nixos/release-small.nix" { nixpkgs = ({ revCount = 0; } // inputs.nixpkgs); });
+    nixosConfigurations.triple-dezert = nixpkgs.lib.nixosSystem {
+      system =  "x86_64-linux";
+      modules = [ ./triple-dezert ];
+      specialArgs = { inherit inputs; };
+    };
 
-      nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
-        modules = [
-          ./common
-          ./nix-on-droid
-        ];
-        extraSpecialArgs = {
-          inputs = {
-            inherit (inputs)
-              nixpkgs
-              self
-              nixvim
-              nix-search-cli
-              nix-inspect
-              ;
-          };
-          inherit (inputs) dns;
-          vacuModuleType = "nix-on-droid";
-        };
-        pkgs = mkPkgs {
-          system = arm;
-          overlays = [ inputs.lix-module.overlays.default ];
-        };
-      };
+    nixosConfigurations.compute-deck = inputs.nixpkgs-unstable.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./compute-deck ];
+      specialArgs = { inherit inputs; };
+    };
 
-      checks = nixpkgs.lib.genAttrs [ x86 ] (
-        system:
-        let
-          pkgs = mkPkgs system;
-          plain = mkPlain pkgs;
-          config = {
-            node.pkgs = pkgs;
-            node.pkgsReadOnly = false;
-            node.specialArgs.selfPackages = self.packages.${system};
-            node.specialArgs.vacuModuleType = "nixos";
-          };
-        in
-        {
-          units = plain.config.vacu.units.check;
-          liam = nixpkgs.lib.nixos.runTest {
-            hostPkgs = pkgs;
-            imports = [
-              config
-              ./tests/liam.nix
-              { node.specialArgs.inputs = self.nixosConfigurations.liam._module.specialArgs.inputs; }
-            ];
-          };
-          trip = nixpkgs.lib.nixos.runTest {
-            hostPkgs = pkgs;
-            imports = [
-              config
-              ./tests/triple-dezert.nix
-              { node.specialArgs.inputs = self.nixosConfigurations.triple-dezert._module.specialArgs.inputs; }
-            ];
-          };
-        }
-      );
+    nixosConfigurations.liam = nixpkgs.lib.nixosSystem {
+      system =  "x86_64-linux";
+      modules = [ ./liam ];
+      specialArgs = { inherit inputs; };
+    };
 
-      qb = # qb is "quick build"
-        let
-          toplevelOf = name: self.nixosConfigurations.${name}.config.system.build.toplevel;
-          deterministicCerts = import ./deterministic-certs.nix { nixpkgs = mkPkgs x86; };
-          renamedAarchPackages = lib.mapAttrs' (
-            name: value: lib.nameValuePair (name + "-aarch64") value
-          ) self.packages.aarch64-linux;
-          packages = self.packages.x86_64-linux // renamedAarchPackages;
-        in
-        rec {
-          fw = toplevelOf "fw";
-          triple-dezert = toplevelOf "triple-dezert";
-          trip = triple-dezert;
-          compute-deck = toplevelOf "compute-deck";
-          cd = compute-deck;
-          liam = toplevelOf "liam";
-          lp0 = toplevelOf "lp0";
-          legtop = toplevelOf "legtop";
-          lt = legtop;
-          mmm = toplevelOf "mmm";
-          shel-installer = toplevelOf "shel-installer";
-          iso = self.nixosConfigurations.shel-installer.config.system.build.isoImage;
-          check-triple-dezert = self.checks.x86_64-linux.trip.driver;
-          check-trip = check-triple-dezert;
-          check-liam = self.checks.x86_64-linux.liam.driver;
+    nixosConfigurations.lp0 = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./lp0 ];
+      specialArgs = { inherit inputs; };
+    };
+    
+    nixosConfigurations.shel-installer = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./installer.nix ];
+      specialArgs = { inherit inputs; };
+    };
 
-          nix-on-droid = self.nixOnDroidConfigurations.default.activationPackage;
-          nod = nix-on-droid;
+    nixosConfigurations.devver = nixpkgs.lib.nixosSystem {
+      system =  "x86_64-linux";
+      modules = [ ./devver ];
+      specialArgs = { inherit inputs; };
+    };
 
-          nod-bootstrap-x86_64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-x86_64;
-          nod-bootstrap-aarch64 = inputs.nix-on-droid.packages.x86_64-linux.bootstrapZip-aarch64;
+    nixosConfigurations.fw = inputs.nixpkgs2405.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [ ./fw ];
+      specialArgs = { inherit inputs; };
+    };
 
-          dc-priv = deterministicCerts.privKeyFile "test";
-          dc-cert = deterministicCerts.selfSigned "test" { };
+    nixOnDroidConfigurations.default = nix-on-droid.lib.nixOnDroidConfiguration {
+      modules = [ ./nix-on-droid.nix ];
+      extraSpecialArgs = { inherit inputs; };
+    };
 
-          sm64 = packages.sm64coopdx;
-          ak = packages.authorizedKeys;
-          my-sops = packages.wrappedSops;
+    diskoConfigurations.compute-deck = import ./compute-deck/partitioning.nix;
 
-          inherit (inputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
-            m1n1
-            uboot-asahi
-            installer-bootstrap
-            ;
-          installer-bootstrap-cross =
-            inputs.nixos-apple-silicon-unstable.packages.x86_64-linux.installer-bootstrap;
-        }
-        // packages;
-
-      brokenBuilds = [
-        "sm64coopdx-aarch64"
-        "installer-bootstrap"
-      ];
-
-      all =
-        let
-          linksNoContext = removeAttrs self.qb self.brokenBuilds;
-          links = builtins.mapAttrs (
-            name: val: builtins.addErrorContext "while evaluating link ${name}" val
-          ) linksNoContext;
-        in
-        pkgs.runCommand "nix-stuff-all"
-          {
-            __structuredAttrs = true;
-            inherit links;
-          }
-          ''
-            mkdir $out
-            cd $out
-            eval "$(${pkgs.jq}/bin/jq '.links | to_entries | map("ln -s "+.value+" "+.key) | join("\n")' /build/.attrs.json -r)"
-          '';
-
-      allPure = self.all.overrideAttrs (prev: {
-        links = removeAttrs prev.links [
-          "nix-on-droid"
-          "nod"
-          "nod-bootstrap-x86_64"
-          "nod-bootstrap-aarch64"
-        ];
-      });
-
-      archive =
-        let
-          # We don't want iso/img derivations here because they de-dupe terribly. Any change anywhere requires generating a new iso/img file.
-          allButImgs = self.all.overrideAttrs (prev: {
-            links = removeAttrs prev.links [ "iso" ];
-          });
-          isoContents = lib.concatStringsSep "\n" (
-            map (
-              c: "${c.source} => ${c.target}"
-            ) self.nixosConfigurations.shel-installer.config.isoImage.contents
-          );
-          isoContentsPkg = pkgs.writeText "iso-contents" isoContents;
-          info = pkgs.closureInfo { rootPaths = [ allButImgs.drvPath ]; };
-        in
-        allButImgs.overrideAttrs (prev: {
-          links = prev.links // {
-            iso-contents = isoContentsPkg;
-            build-deps = info;
-          };
-        });
-    }
-    // (inputs.flake-utils.lib.eachDefaultSystem (
-      system:
+    checks = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
       let
-        pkgs = import inputs.nixpkgs-unstable {
-          inherit system;
-          config.allowUnfree = true;
-          overlays = [ inputs.sm64baserom.overlays.default ];
+        pkgs = nixpkgs.legacyPackages.${system};
+        config = {
+          node.pkgs = pkgs;
+          node.pkgsReadOnly = false;
+          node.specialArgs.selfPackages = self.packages.${system};
+          node.specialArgs.inputs = inputs;
         };
-        _plain = mkPlain pkgs;
-        inherit (_plain.config.vacu) withAsserts;
-        plain = _plain.config.vacu.withAsserts _plain;
-        # dnsModule = lib.evalModules {
-        #   modules = [
-        #     {
-        #       config._module.check = false;
-        #       options.vacu.dns = lib.mkOption {
-        #         default = { };
-        #         type = lib.types.attrsOf inputs.dns.lib.types.zone;
-        #       };
-        #     }
-        #   ];
-        # };
       in
       {
-        formatter = pkgs.nixfmt-rfc-style;
-        apps.sops = {
-          type = "app";
-          program = lib.getExe self.packages.${system}.wrappedSops;
+        liam = nixpkgs.lib.nixos.runTest {
+          hostPkgs = pkgs;
+          imports = [ config ./tests/liam.nix ];
         };
-        vacuconfig = plain.config;
-        packages = rec {
-          nix-inspect = inputs.nix-inspect.packages.${system}.default;
-          nix-search-cli = inputs.nix-search-cli.packages.${system}.default;
-          units = plain.config.vacu.units.finalPackage;
-          sourceTree = plain.config.vacu.sourceTree;
-          z3 = pkgs.callPackage ./packages/z3 { };
-          bandcamp-collection-downloader = pkgs.callPackage ./packages/bcd { };
-          bcd = bandcamp-collection-downloader;
-          sm64coopdx = pkgs.callPackage ./coopdx2.nix { };
-          # snmpb = pkgs.libsForQt5.callPackage ./packages/snmpb/package.nix { };
-          # snmp-mibs-downloader = pkgs.callPackage ./packages/snmp-mibs-downloader.nix { };
-          authorizedKeys = pkgs.writeText "authorizedKeys" (
-            lib.concatStringsSep "\n" (
-              lib.mapAttrsToList (k: v: "${v} ${k}") (withAsserts plain.config.vacu.ssh.authorizedKeys)
-            )
-          );
-          update-git-keys = withAsserts pkgs.callPackage ./scripts/update-git-keys.nix {
-            inherit (plain) config;
-          };
-          sopsConfig = withAsserts plain.config.vacu.sopsConfig;
-          wrappedSops = withAsserts plain.config.vacu.wrappedSops;
-          dns = withAsserts import ./scripts/dns {
-            inherit pkgs lib inputs;
-            inherit (plain) config;
-          };
-          # dnsOptions = (pkgs.nixosOptionsDoc { options = dnsModule.options; }).optionsCommonMark;
-          vnopnCA = pkgs.writeText "vnopnCA.cert" plain.config.vacu.vnopnCA;
-          nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule {
-            extraSpecialArgs = {
-              inputs = { };
-            };
-            module = {
-              imports = [ ./nixvim ];
-            };
-          };
+        trip = nixpkgs.lib.nixos.runTest {
+          hostPkgs = pkgs;
+          imports = [ config ./tests/triple-dezert.nix ];
         };
+        # trip_haproxy_config = let
+        #   hacfg = self.nixosConfigurations.triple-dezert.config.containers.frontproxy.config.services.haproxy;
+        # in pkgs.stdenvNoCC.mkDerivation {
+        #   name = "trip-haproxy-config-check";
+        #   script = ''
+        #     mkdir -p certs/shelvacu.com/
+        #     touch certs/shelvacu.com/full.pem
+        #     ${hacfg.package}/bin/haproxy \
+        #       -f ${pkgs.writeText "haproxy-config" hacfg.config} \
+        #       -c \
+        #       -dW \
+        #       -dD \
+        #       -C $PWD
+        #   '';
+        # };
       }
-    ));
+    );
+
+    nixosModules.common = import ./common-config.nix;
+    packages.x86_64-linux.digitalOceanImage = import ./generic-digitalocean-nixos.nix { inherit inputs; };
+  };
 }

fw/android.nix

@@ -1,5 +0,0 @@
-{ pkgs, ... }:
-{
-  vacu.packages = pkgs.androidStudioPackages.stable.all;
-  users.users.shelvacu.extraGroups = [ "kvm" ];
-}

fw/apex.nix

@@ -1,69 +0,0 @@
-# everything to interact with my apex flex, pcsc stuff, fido2 stuff, etc
-{ pkgs, config, ... }:
-let
-  # to match package used in config.services.pcscd, unfortunately not exposed like usual
-  pcsclite-pkg = if config.security.polkit.enable then pkgs.pcscliteWithPolkit else pkgs.pcsclite;
-in
-{
-  # apparently this is already enabled??
-  # nixpkgs.overlays = [ ( final: prev: {
-  #   libfido2 = prev.libfido2.override { withPcsclite = true; };
-  # } ) ];
-  vacu.packages =
-    (with pkgs; [
-      libfido2
-      pcsc-tools
-      scmccid
-      opensc
-    ])
-    ++ [ pcsclite-pkg ];
-
-  services.pcscd.enable = true;
-  # conflicts with pcscd, see https://stackoverflow.com/questions/55144458/unable-to-claim-usb-interface-device-or-resource-busy-stuck
-  boot.blacklistedKernelModules = [
-    "pn533_usb"
-    "pn533"
-    "nfc"
-  ];
-
-  # bunch of stuff from https://wiki.nixos.org/wiki/Web_eID
-
-  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
-  # (PIN1 for authentication/decryption, PIN2 for signing).
-  # environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
-  #   module: ${pkgs.opensc}/lib/opensc-pkcs11.so
-  # '';
-
-  # environment.etc."opensc.conf".text = ''
-  #   app default {
-  #     reader_driver pcsc {
-  #       enable_pinpad = false;
-  #     }
-  #   }
-  # '';
-
-  environment.systemPackages = [
-    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
-    # security devices, so they can be used for TLS client auth.
-    # Each user needs to run this themselves, it does not work on a system level
-    # due to a bug in Chromium:
-    #
-    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
-    (pkgs.writeShellScriptBin "setup-browser-eid" ''
-      NSSDB="''${HOME}/.pki/nssdb"
-      mkdir -p ''${NSSDB}
-
-      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
-        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
-    '')
-  ];
-
-  programs.firefox.enable = true;
-  #programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
-
-  # trying CTAP-bridge
-  services.udev.extraRules = ''
-    KERNEL=="hidg[0-9]", SUBSYSTEM=="hidg", SYMLINK+="ctaphid", MODE+="0666", TAG+="uaccess"
-    KERNEL=="ccidg[0-9]", SUBSYSTEM=="ccidg", SYMLINK+="ccidsc", MODE+="0666", TAG+="uaccess"
-  '';
-}

fw/default.nix

@@ -1,77 +1,24 @@
-{
-  inputs,
-  pkgs,
-  ...
-}:
-{
-  imports = [
-    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
-    ./apex.nix
-    ./android.nix
-    ./thunderbolt.nix
-    ./fwupd.nix
-    ./zfs.nix
-    ./virtualbox.nix
+{ config, inputs, pkgs, lib, ... }: {
+  imports = [ 
+    ../common-nixos-config.nix
   ];
-
-  vacu.hostName = "fw";
-  vacu.shell.color = "magenta";
-  vacu.verifySystem.expectedMac = "e8:65:38:52:5c:59";
-  vacu.systemKind = "desktop";
-
+  system.nixos.tags = [ "host-${config.networking.hostName}" ];
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
   networking.networkmanager.enable = true;
-  # boot.kernelParams = [ "nvme.noacpi=1" ]; # DONT DO IT: breaks shit even more
 
-  services.fprintd.enable = false; # kinda broken
-
-  users.users.shelvacu.extraGroups = [ "dialout" ];
-
-  vacu.packages =
-    (with pkgs; [
-      bitwarden-desktop
-      nheko
-      librewolf
-      brave
-      thunderbird
-      wl-clipboard
-      nextcloud-client
-      signal-desktop
-      fw-ectool
-      framework-tool
-      iio-sensor-proxy
-      power-profiles-daemon
-      acpi
-      jellyfin-media-player
-      vlc
-      dmidecode
-      prismlauncher
-      ffmpeg_7-full
-      wireshark
-      obsidian
-      dino
-      aircrack-ng
-      libreoffice-qt6-fresh
-      gimp
-      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
-      (inkscape-with-extensions.override { inkscapeExtensions = null; })
-      libsmi
-      net-snmp
-      android-tools
-      ghidra
-      wineWowPackages.stableFull
-      wineWowPackages.fonts
-      winetricks
-      tremotesf
-      smartmontools
-      nvme-cli
-      arduino-ide
-      headsetcontrol
-      OSCAR
-    ])
-    ++ [ inputs.self.packages.${pkgs.system}.sm64coopdx ];
-
-  networking.firewall.enable = false;
+  vacu.packages.bitwarden-desktop.enable = true;
+  vacu.packages.nheko.enable = true;
+  vacu.packages.librewolf.enable = true;
+  vacu.packages.brave.enable = true;
+  vacu.packages.thunderbird.enable = true;
+  vacu.packages.wl-clipboard.enable = true;
+  vacu.packages.nextcloud-client.enable = true;
+  vacu.packages.signal-desktop.enable = true;
+  vacu.packages.fw-ectool.enable = true;
+  vacu.packages.framework-tool.enable = true;
+  vacu.packages.iio-sensor-proxy.enable = true;
+  vacu.packages.power-profiles-daemon.enable = true;
+  vacu.packages.acpi.enable = true;
 
   services.xserver.enable = true;
   services.displayManager.sddm.enable = true;
@@ -93,54 +40,41 @@
     }
   ];
 
+  networking.hostName = "fw"; # Define your hostname.
   networking.hostId = "c6e309d5";
+  boot.zfs.extraPools = [ "fw" ];
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  systemd.services.zfs-mount.enable = false;
 
   services.openssh.enable = true;
   system.stateVersion = "23.11"; # Did you read the comment?
-  boot.initrd.availableKernelModules = [
-    "nvme"
-    "xhci_pci"
-    "thunderbolt"
-    "usb_storage"
-    "usbhid"
-    "sd_mod"
-  ];
-  #boot.initrd.kernelModules = [ ];
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
-  #boot.extraModulePackages = [ ];
+  boot.extraModulePackages = [ ];
 
-  fileSystems."/" = {
-    device = "fw/root";
-    fsType = "zfs";
-  };
+  fileSystems."/" =
+    { device = "fw/root";
+      fsType = "zfs";
+    };
 
-  fileSystems."/boot0" = {
-    device = "/dev/disk/by-label/BOOT0";
-    fsType = "vfat";
-    options = [
-      "fmask=0022"
-      "dmask=0022"
-    ];
-  };
+  fileSystems."/boot0" =
+    { device = "/dev/disk/by-label/BOOT0";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
 
-  fileSystems."/boot1" = {
-    device = "/dev/disk/by-label/BOOT1";
-    fsType = "vfat";
-    options = [
-      "fmask=0022"
-      "dmask=0022"
-    ];
-  };
+  fileSystems."/boot1" =
+    { device = "/dev/disk/by-label/BOOT1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
 
   hardware.cpu.amd.updateMicrocode = true;
   hardware.enableAllFirmware = true;
   hardware.opengl = {
     driSupport = true;
     driSupport32Bit = true;
-    extraPackages = [
-      pkgs.rocmPackages.clr.icd
-      pkgs.amdvlk
-    ];
   };
   programs.nix-ld.enable = true;
   programs.steam = {
@@ -157,8 +91,4 @@
   hardware.bluetooth.enable = true;
   hardware.bluetooth.powerOnBoot = true;
   services.blueman.enable = true;
-
-  services.postgresql.enable = true; # for development
-
-  virtualisation.waydroid.enable = true;
 }

fw/experiment.nix

@@ -1,43 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-let
-  version = "6.10.4";
-  hash = "sha256:1y2m2pqrvsgr9ng72nnh4yvsprkvkznhnmn4p8g78350bzyrvip2";
-  customKernel = pkgs.linux_6_10.override {
-    inherit version;
-    src = pkgs.fetchurl {
-      url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
-      inherit hash;
-    };
-    modDirVersion = lib.versions.pad 3 version;
-  };
-  customKernelPackages = pkgs.linuxPackagesFor customKernel;
-in
-{
-  system.nixos.tags = [
-    "EXPERIMENT"
-    "kernel-${config.boot.kernelPackages.kernel.version}"
-  ];
-
-  boot.kernelPackages = lib.mkForce customKernelPackages;
-  # boot.zfs.extraPools = lib.mkForce [];
-  # fileSystems."/".fsType = lib.mkForce "ext4";
-
-  vacu.packages.sm64coopdx.enable = false;
-  vacu.verifySystem.expectedMac = lib.mkForce null;
-}
-
-# good: 
-#  Linux fw 6.6.50 #1-NixOS SMP PREEMPT_DYNAMIC Sun Sep  8 05:54:49 UTC 2024 x86_64 GNU/Linux
-#  Linux fw 6.8.12 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:49:53 UTC 2024 x86_64 GNU/Linux
-#  linux-6.9.12
-#  6.10.4 (maybe?? sus)
-# Linux fw 6.10.10 #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 12 09:13:13 UTC 2024 x86_64 GNU/Linux (but this was supposed to be 6.10.4....)
-
-# bad:
-# Linux fw 6.10.10-gnu #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan  1 00:00:00 UTC 1980 x86_64 GNU/Linux
-#  linux linux-6.10.10

fw/fwupd.nix

@@ -1,8 +0,0 @@
-{ config, lib, ... }:
-{
-  vacu.packages = [ config.services.fwupd.package ];
-  services.fwupd.enable = true;
-  #fwupd gets confused by the multiple EFI partitions, I think I just have to pick one
-  #update: it didn't work, I dunno why. Leaving this here anyways
-  services.fwupd.daemonSettings.EspLocation = lib.mkForce "/boot0";
-}

fw/thunderbolt.nix

@@ -1,10 +0,0 @@
-{ pkgs, config, ... }:
-{
-  services.hardware.bolt.enable = true;
-
-  vacu.packages = [
-    pkgs.thunderbolt
-    config.services.hardware.bolt.package
-    pkgs.kdePackages.plasma-thunderbolt
-  ];
-}

fw/virtualbox.nix

@@ -1,8 +0,0 @@
-{ ... }:
-{
-  virtualisation.virtualbox.host = {
-    enable = true;
-    enableExtensionPack = true;
-  };
-  users.extraGroups.vboxusers.members = [ "shelvacu" ];
-}

fw/zfs.nix

@@ -1,12 +0,0 @@
-{
-  pkgs,
-  ...
-}:
-{
-  boot.zfs.extraPools = [ "fw" ];
-  # config.boot.zfs.package.latestCompatibleLinuxPackages is fucked, if there are multiple compatible linuxes of the same version, it picks effectively an arbitrary one
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_6;
-  systemd.services.zfs-mount.enable = false;
-
-  # see also fileSystems."/"
-}

generic-digitalocean-nixos.nix

@@ -0,0 +1,10 @@
+{ inputs, system ? "x86_64-linux" }:
+let
+pkgs = inputs.nixpkgs.legacyPackages.${system};
+config = { config, ... }: {
+  imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix" ];
+
+  system.stateVersion = config.system.nixos.release;
+};
+in
+(pkgs.nixos config).digitalOceanImage

home/nix-on-droid.nix

@@ -1,7 +0,0 @@
-{ ... }:
-{
-  imports = [ ../common/home.nix ];
-  home.stateVersion = "24.05";
-  home.homeDirectory = "/data/data/com.termux.nix/files/home";
-  home.username = "nix-on-droid";
-}

installer.nix

@@ -1,18 +1,18 @@
-{
-  config,
-  modulesPath,
-  lib,
-  ...
-}:
-{
+{ config, inputs, modulesPath, lib, ... }: {
   imports = [
     "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+    ./common-nixos-config.nix
   ];
   # this is an installer image, created anew every time. There's no state we need to worry about messing up
-  system.stateVersion = config.system.nixos.version;
+  system.stateVersion = config.system.nixos.version; 
   isoImage.isoBaseName = "nixos-shel-installer";
   services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
-  vacu.hostName = "vacuInstaller";
-  vacu.shell.color = "red";
-  vacu.systemKind = "server";
+  # boot.kernelPatches = [{
+  #   name = "foo";
+  #   patch = null;
+  #   extraStructuredConfig = {
+  #     VIRTIO = lib.kernel.yes;
+  #     VIRTIO_BLK = lib.kernel.yes;
+  #   };
+  # }];
 }

legtop/bluetooth.nix

@@ -1,7 +0,0 @@
-{ ... }:
-{
-  hardware.bluetooth.enable = true;
-  hardware.bluetooth.powerOnBoot = true;
-
-  services.blueman.enable = true;
-}

legtop/default.nix

@@ -1,80 +0,0 @@
-{ pkgs, inputs, ... }:
-{
-  imports = [
-    ../common/nixos.nix
-    inputs.nixos-hardware.nixosModules.gpd-micropc
-    ./hardware.nix
-    ./bluetooth.nix
-  ];
-
-  vacu.hostName = "legtop";
-  vacu.shortHostName = "lt";
-  vacu.shell.color = "blue";
-  vacu.verifySystem.expectedMac = "30:9e:90:33:01:07";
-  vacu.systemKind = "desktop";
-
-  system.stateVersion = "24.05";
-
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-  networking.networkmanager.enable = true;
-  vacu.packages =
-    (with pkgs; [
-      bitwarden-desktop
-      nheko
-      librewolf
-      brave
-      thunderbird
-      wl-clipboard
-      nextcloud-client
-      signal-desktop
-      iio-sensor-proxy
-      power-profiles-daemon
-      acpi
-      jellyfin-media-player
-      vlc
-      dmidecode
-      prismlauncher
-      ffmpeg_7-full
-      wireshark
-      obsidian
-      dino
-      aircrack-ng
-      libreoffice-qt6-fresh
-      gimp
-      # null actually means everything https://github.com/NixOS/nixpkgs/commit/5efd65b2d94b0ac0cf155e013b6747fa22bc04c3
-      (inkscape-with-extensions.override { inkscapeExtensions = null; })
-      libsmi
-      net-snmp
-      android-tools
-      ghidra
-      wineWowPackages.stableFull
-      wineWowPackages.fonts
-      winetricks
-      lutris
-    ])
-    ++ [ inputs.self.packages.${pkgs.system}.sm64coopdx ];
-
-  services.openssh.enable = true;
-
-  services.xserver.enable = true;
-  services.displayManager.sddm.enable = true;
-  services.desktopManager.plasma6.enable = true;
-
-  boot.loader.grub.enable = true;
-  boot.loader.grub.efiSupport = true;
-  boot.loader.grub.device = "nodev";
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  hardware.cpu.intel.updateMicrocode = true;
-  hardware.enableAllFirmware = true;
-
-  services.fwupd.enable = true;
-
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-  };
-  programs.steam.enable = true;
-}

legtop/hardware.nix

@@ -1,32 +0,0 @@
-{ ... }:
-{
-  boot.initrd.availableKernelModules = [
-    "ahci"
-    "xhci_pci"
-    "usbhid"
-    "usb_storage"
-    "sd_mod"
-    "sdhci_pci"
-  ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/e3aebf24-be76-4064-a9f5-3930c8cd1382";
-    fsType = "ext4";
-  };
-
-  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/7fd2ca2d-7faf-4d40-8cde-ce531fa679b5";
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/4C47-D9A3";
-    fsType = "vfat";
-    options = [
-      "fmask=0022"
-      "dmask=0022"
-    ];
-  };
-  nixpkgs.hostPlatform = "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = true;
-}

liam/default.nix

@@ -1,73 +1,57 @@
-{
-  modulesPath,
-  config,
-  lib,
-  ...
-}:
-{
+{ modulesPath, config, lib, ... }: {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
     (modulesPath + "/virtualisation/digital-ocean-config.nix")
+    ../common-nixos-config.nix
     ./nginx.nix
     ./sops.nix
     ./dovecot.nix
     ./mail.nix
     ./dkim.nix
     ./sieve.nix
-    ./network.nix
   ];
 
-  options =
-    let
-      mkReadOnly =
-        val:
-        lib.options.mkOption {
-          default = val;
-          readOnly = true;
-        };
-    in
-    {
-      vacu.liam = {
-        shel_domains = mkReadOnly [
-          "shelvacu.com"
-          "dis8.net"
-          "mail.dis8.net"
-          "jean-luc.org"
-          "in.jean-luc.org"
-          "vacu.store"
-        ];
-        julie_domains = mkReadOnly [
-          "violingifts.com"
-          "theviolincase.com"
-          "shop.theviolincase.com"
-        ];
-        domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
-        relayhost = lib.options.mkOption {
-          type = lib.types.str;
-          # mailhop is duocircle
-          default = "[outbound.mailhop.org]:587 [relay.dynu.com]:587";
-        };
-        reservedIpLocal = mkReadOnly "10.46.0.7";
-      };
+  options = let
+    mkReadOnly = val: lib.options.mkOption { default = val; readOnly = true; };
+  in {
+    vacu.liam = {
+      shel_domains = mkReadOnly [
+        "shelvacu.com"
+        "dis8.net"
+        "mail.dis8.net"
+        "jean-luc.org"
+        "in.jean-luc.org"
+        "vacu.store"
+      ];
+      julie_domains = mkReadOnly [
+        "violingifts.com"
+        "theviolincase.com"
+        "shop.theviolincase.com"
+      ];
+      domains = mkReadOnly (config.vacu.liam.shel_domains ++ config.vacu.liam.julie_domains);
+      reservedIpLocal = mkReadOnly "10.46.0.7";
     };
+  };
 
   config = {
-    vacu.hostName = "liam";
-    vacu.shell.color = "cyan";
+    system.nixos.tags = [ "host-${config.networking.hostName}" ];
+    networking.hostName = "liam";
     networking.domain = "dis8.net";
-    vacu.systemKind = "minimal";
-
-    hardware.enableAllFirmware = false;
-    hardware.enableRedistributableFirmware = false;
 
     # networking.interfaces."ens3".useDHCP = false;
+    # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
+    # {
+    #   "ip_address": "10.46.0.7",
+    #   "netmask": "255.255.0.0",
+    #   "gateway": "10.46.0.1"
+    # }
+
     services.openssh.enable = true;
 
     virtualisation.digitalOcean.setSshKeys = false;
 
-    users.users.root.openssh.authorizedKeys.keys =
-      config.users.users.shelvacu.openssh.authorizedKeys.keys;
+    users.users.root.openssh.authorizedKeys.keys = config.users.users.shelvacu.openssh.authorizedKeys.keys;
 
     system.stateVersion = "23.11";
   };
-}
+}

liam/dkim.nix

@@ -1,13 +1,7 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
+{ config, pkgs, lib, ... }: 
 let
-  inherit (config.vacu.liam) domains;
-in
-{
+inherit (config.vacu.liam) domains;
+in {
   services.opendkim = {
     enable = true;
     keyPath = "/run/secrets/dkimkeys";
@@ -21,4 +15,4 @@ in
   systemd.services.postfix.after = [ "opendkim.service" ];
 }
 # 2024-03-liam._domainkey
-# v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==
+# v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==

liam/dovecot.nix

@@ -1,9 +1,4 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
+{ config, pkgs, lib, ... }:
 {
   networking.firewall.allowedTCPPorts = [ 993 ];
   systemd.tmpfiles.settings.whatever."/var/lib/mail".d = {
@@ -22,11 +17,7 @@
     sslServerKey = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
     sslServerCert = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
     enablePAM = false;
-    protocols = lib.mkForce [
-      "imap"
-      "lmtp"
-      "sieve"
-    ];
+    protocols = lib.mkForce [ "imap" "lmtp" "sieve" ];
     modules = [ pkgs.dovecot_pigeonhole ];
     mailUser = "vmail";
     mailGroup = "vmail";
@@ -84,13 +75,13 @@
 
       userdb {
         driver = passwd-file
-        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
+        args = username_format=%n /run/secrets/dovecot-passwd
         override_fields = uid=${config.services.dovecot2.mailUser} gid=${config.services.dovecot2.mailGroup} user=%n
       }
 
       passdb {
         driver = passwd-file
-        args = username_format=%n ${config.sops.secrets."dovecot-passwd".path}
+        args = username_format=%n /run/secrets/dovecot-passwd
         override_fields = user=%n
       }
 
@@ -102,4 +93,4 @@
       # mail_debug = yes
     '';
   };
-}
+}

liam/mail.nix

@@ -1,36 +1,10 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
+{ config, lib, pkgs, ... }:
 let
-  inherit (config.vacu.liam)
-    shel_domains
-    julie_domains
-    domains
-    relayhost
-    ;
-  debug = false;
-  fqdn = config.networking.fqdn;
-  dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
-  reject_spam_sources = [
-    "reject-spam-test@example.com"
-    "buyerservice@made-in-china.com"
-    "upgrade-plans@asuswebstorage.com"
-    "info@rfidlabel.com"
-  ];
-  banned_ips = [
-    "210.242.134.20/26"
-  ];
-  # must be bigger than gmail's 25MB "attachment limit" which after base64 encoding (x 1.33) is ~33MB
-  mailSizeLimit = 35 * 1024 * 1024;
-in
-{
-  networking.firewall.allowedTCPPorts = [
-    25
-    465
-  ];
+inherit (config.vacu.liam) shel_domains julie_domains domains;
+fqdn = config.networking.fqdn;
+dovecot_transport = "lmtp:unix:private/dovecot-lmtp";
+in {
+  networking.firewall.allowedTCPPorts = [ 25 465 ];
 
   vacu.acmeCertDependencies."liam.dis8.net" = [ "postfix.service" ];
   services.postfix = {
@@ -39,15 +13,12 @@ in
 
     # this goes into virtual_alias_maps
     # "Note: for historical reasons, virtual_alias_maps apply to recipients in all domain classes, not only the virtual alias domain class."
-    virtual =
-      ''
-        julie@shelvacu.com julie
-        mom@shelvacu.com julie
-        psv@shelvacu.com psv
-      ''
-      + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains)
-      + "\n"
-      + (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
+    virtual = ''
+      julie@shelvacu.com julie
+      mom@shelvacu.com julie
+      psv@shelvacu.com psv
+    '' + (lib.concatMapStringsSep "\n" (d: "@${d} shelvacu") shel_domains) + "\n"
+    + (lib.concatMapStringsSep "\n" (d: "@${d} julie") julie_domains);
 
     transport = ''
       shelvacu@${fqdn} ${dovecot_transport}
@@ -62,40 +33,19 @@ in
     rootAlias = "shelvacu";
     enableSubmission = false;
     enableSubmissions = true;
-    mapFiles.header_checks = pkgs.writeText "header-checks" (
-      "/./ INFO checker headers\n"
-      + (lib.concatMapStringsSep "\n" (
-        d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT"
-      ) domains)
-    );
-    mapFiles.sender_access = pkgs.writeText "sender-access" (
-      lib.concatMapStringsSep "\n" (pattern: "${pattern} REJECT spam") (domains ++ reject_spam_sources)
-    );
-    mapFiles.banned_ips = pkgs.writeText "banned-ips" (
-      lib.concatMapStringsSep "\n" (ip: "${ip} REJECT spam") banned_ips
-    );
+    mapFiles.header_checks = pkgs.writeText "header-checks" ("/./ INFO checker headers\n" + (lib.concatMapStringsSep "\n" (d: "/^(from|x-original-from|return-path|mail-?from):.*@${lib.escape [ "." ] d}\\s*>?\\s*$/ REJECT") domains));
+    mapFiles.sender_access = pkgs.writeText "sender-access" (lib.concatMapStringsSep "\n" (d: "${d} REJECT") domains);
     # hack to get postfix to add a X-Original-To header
     mapFiles.add_envelope_to = pkgs.writeText "addenvelopeto" "/(.+)/ PREPEND X-Envelope-To: $1";
-    mapFiles.sender_transport = pkgs.writeText "sender-transport" "@shelvacu.com relayservice";
-    mapFiles.sender_relay = pkgs.writeText "sender-relay" "@shelvacu.com ${relayhost}";
 
     # verbatim appended to main.cf
     extraConfig = ''
-      smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
-      inet_protocols = ipv4
       virtual_alias_domains =
         ${lib.concatStringsSep ",\n  " domains}
 
-      message_size_limit = ${toString mailSizeLimit}
-
-      sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
-      sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
-
       header_checks = pcre:/etc/postfix/header_checks
-      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access permit
-      smtpd_client_restrictions = check_client_access cidr:/etc/postfix/banned_ips permit
-      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to permit
-      recipient_delimiter = +
+      smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
+      smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/add_envelope_to
 
       #we should never use these transport methods unless thru transport map
       # RFC3463:
@@ -103,8 +53,8 @@ in
       # X.3.X = mail system failure
       # X.3.5 = System incorrectly configured
       # I would've never thought there'd be a standard way to specifically say "you found an error in my config"
-      local_transport   = error:5.3.5 how did this even happen?? (e-local)
-      virtual_transport = error:5.3.5 how did this even happen?? (e-virtual)
+      local_transport   = error:5.3.5 how did this even hapenn??
+      virtual_transport = error:5.3.5 how did this even happenn??
       # X.7.1 = Delivery not authorized, message refused
       relay_transport = error:5.7.1 relay is so very disabled
 
@@ -116,38 +66,13 @@ in
       smtpd_tls_dh1024_param_file = ${lib.optionalString config.services.dovecot2.enableDHE config.security.dhparams.params.dovecot2.path}
 
       # smtp_bind_address = 10.46.0.7
-      # inet_interfaces = all
-      # inet_protocols = ipv4
-      ${lib.optionalString config.services.opendkim.enable (
-        assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock");
-        ''
-          smtpd_milters = unix:/run/opendkim/opendkim.sock
-          non_smtpd_milters = unix:/run/opendkim/opendkim.sock
-        ''
-      )}
+
+      ${lib.optionalString config.services.opendkim.enable (assert (config.services.opendkim.socket == "local:/run/opendkim/opendkim.sock"); ''
+        smtpd_milters = unix:/run/opendkim/opendkim.sock
+        non_smtpd_milters = unix:/run/opendkim/opendkim.sock
+      '')}
     '';
 
-    masterConfig."relayservice" = {
-      command = "smtp";
-      type = "unix";
-      args = [
-        "-o"
-        "smtp_sasl_auth_enable=yes"
-        "-o"
-        "smtp_sasl_security_options=noanonymous"
-        "-o"
-        "smtp_tls_security_level=secure"
-        "-o"
-        "smtp_sasl_password_maps=texthash:${config.sops.secrets.relay_creds.path}"
-        "-o"
-        "smtp_tls_wrappermode=no"
-        #"-o" "relayhost=${relayhost}"
-      ] ++ (if debug then [ "-v" ] else [ ]);
-    };
-
-    masterConfig.qmgr = lib.mkIf debug { args = [ "-v" ]; };
-    masterConfig.cleanup = lib.mkIf debug { args = [ "-v" ]; };
-    masterConfig.smtpd = lib.mkIf debug { args = [ "-v" ]; };
     submissionsOptions = {
       smtpd_tls_key_file = config.security.acme.certs."liam.dis8.net".directory + "/key.pem";
       smtpd_tls_cert_file = config.security.acme.certs."liam.dis8.net".directory + "/full.pem";
@@ -174,5 +99,6 @@ in
       tls_preempt_cipherlist = "no";
     };
 
+
   };
-}
+}

liam/network.nix

@@ -1,32 +0,0 @@
-{ lib, config, ... }:
-let
-  # from `curl -fsSL http://169.254.169.254/metadata/v1.json | jq '.interfaces.public[0].anchor_ipv4'`
-  # {
-  #   "ip_address": "10.46.0.7",
-  #   "netmask": "255.255.0.0",
-  #   "gateway": "10.46.0.1"
-  # }
-  interface_conf = {
-    useDHCP = true;
-    ipv4.addresses = [
-      {
-        address = "10.46.0.7";
-        prefixLength = 24;
-      }
-    ];
-    ipv4.routes = [
-      {
-        address = "0.0.0.0";
-        prefixLength = 0;
-        via = "10.46.0.1";
-        options.scope = "global";
-        options.src = "10.46.0.7";
-        options.metric = "1200";
-      }
-    ];
-  };
-in
-{
-  networking.interfaces."ens3" = lib.mkIf (!config.vacu.underTest) interface_conf;
-  networking.interfaces."eth0" = lib.mkIf (config.vacu.underTest) interface_conf;
-}

liam/nginx.nix

@@ -1,19 +1,16 @@
 { config, ... }:
 let
-  domains = [
-    "smtp.shelvacu.com"
-    "imap.shelvacu.com"
-    "mail.shelvacu.com"
-    "autoconfig.shelvacu.com"
-    "mail.dis8.net"
-    "liam.dis8.net"
-  ];
+domains = [
+  "smtp.shelvacu.com"
+  "imap.shelvacu.com"
+  "mail.shelvacu.com"
+  "autoconfig.shelvacu.com"
+  "mail.dis8.net"
+  "liam.dis8.net"
+];
 in
 {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
   security.acme.acceptTerms = true;
   security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
   security.acme.defaults.email = "shelvacu@gmail.com";
@@ -34,4 +31,4 @@ in
       default = true;
     };
   };
-}
+}

liam/sieve.nix

@@ -1,17 +1,4 @@
-{
-  pkgs,
-  lib,
-  ...
-}:
-let
-  inherit (lib.strings)
-    concatStringsSep
-    splitString
-    match
-    replaceStrings
-    concatStrings
-    ;
-  inherit (lib.lists) reverseList length elemAt;
+{ config, pkgs, lib, ... }: with lib.strings; with lib.lists; let
   email_folders = [
     "24nm-domain@shelvacu.com"
     "agora@shelvacu.com"
@@ -20,7 +7,6 @@ let
     "paxful@shelvacu.com"
     "postgres-lists@shelvacu.com"
     "cpapsupplies@shelvacu.com"
-    "jork@shelvacu.com"
 
     "bob@dis8.net"
     "fresh.avocado@dis8.net"
@@ -32,7 +18,7 @@ let
     "jean-luc@jean-luc.org"
     "mariceayukawa@jean-luc.org"
     "snow@jean-luc.org"
-
+  
     "capt@in.jean-luc.org"
   ];
   domain_folders = [
@@ -46,70 +32,42 @@ let
     "xn--tulp-yoa.info"
   ];
   valid_ish_domain = domain: match "[a-z0-9][a-z0-9-]*(\\.[a-z0-9][a-z0-9-]*)+" domain != null;
-  mk_domain_folder_name =
-    domain:
-    assert valid_ish_domain domain;
-    concatStringsSep "." (reverseList (splitString "." domain));
-  mk_email_folder_name =
-    email:
-    let
-      parts = splitString "@" email;
-      domain_part =
-        assert (length parts) == 2;
-        elemAt parts 1;
-      user_part =
-        assert (length parts) == 2;
-        elemAt parts 0;
-      domain_folder = mk_domain_folder_name domain_part;
-      folder_name = domain_folder + ".@" + user_part;
-    in
-    folder_name;
+  mk_domain_folder_name = domain: assert valid_ish_domain domain; concatStringsSep "." (reverseList (splitString "." domain));
+  mk_email_folder_name = email: let
+    parts = splitString "@" email;
+    domain_part = assert (length parts) == 2; elemAt parts 1;
+    user_part = assert (length parts) == 2; elemAt parts 0;
+    domain_folder = mk_domain_folder_name domain_part;
+    folder_name = domain_folder + ".@" + user_part;
+  in folder_name;
   is_quoteable = s: match "[ -~]*" s != null;
-  sieve_quote_string =
-    s:
-    assert is_quoteable s;
-    "\""
-    + (replaceStrings
-      [
-        "\""
-        "\\"
-      ]
-      [
-        "\\\""
-        "\\\\"
-      ]
-      s
-    )
-    + "\"";
-  email_filters = map (e: ''
-    elsif header :is "X-Envelope-To" ${sieve_quote_string e} {
-      fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
-    }
-  '') email_folders;
-  domain_filters = map (d: ''
-    elsif header :matches "X-Envelope-To" ${sieve_quote_string ("*@" + d)} {
-      fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
-    }
-  '') domain_folders;
+  sieve_quote_string = s: assert is_quoteable s; "\"" + (replaceStrings ["\"" "\\"] ["\\\"" "\\\\"] s) + "\"";
+  email_filters = map (e: 
+    ''
+      elsif header :is "X-Envelope-To" ${sieve_quote_string e} {
+        fileinto :create ${sieve_quote_string (mk_email_folder_name e)};
+      }
+    ''
+  ) email_folders;
+  domain_filters = map (d:
+    ''
+      elsif header :matches "X-Envelope-To" ${sieve_quote_string ("*@" + d)} {
+        fileinto :create ${sieve_quote_string (mk_domain_folder_name d)};
+      }
+    ''
+  ) domain_folders;
   sieve_text = ''
     require ["fileinto", "mailbox"];
 
-    if header :is "Delivered-To" "shelvacu@liam.dis8.net" {
-      if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
-        discard;
-      }
-      elsif header :is "X-Envelope-To" "gmailfwd-fc2e10bec8b2@shelvacu.com" {
-        fileinto :create "gmail";
-      }
-      ${concatStrings email_filters}
-      ${concatStrings domain_filters}
+    if header :is "X-Envelope-To" "brandcrowd@shelvacu.com" {
+      discard;
     }
+    elsif header :is "X-Envelope-To" "gmailfwd-fc2e10bec8b2@shelvacu.com" {
+      fileinto :create "gmail";
+    }
+    ${concatStrings email_filters}
+    ${concatStrings domain_filters}
   '';
-in
-{
-  services.dovecot2.sieve.extensions = [
-    "fileinto"
-    "mailbox"
-  ];
-  services.dovecot2.sieve.scripts.before = pkgs.writeText "blargsieve" sieve_text;
-}
+in {
+  services.dovecot2.sieveScripts.before = pkgs.writeText "blargsieve" sieve_text;
+}

liam/sops.nix

@@ -1,11 +1,8 @@
+{ inputs, lib, config, ... }:
 {
-  inputs,
-  lib,
-  config,
-  ...
-}:
-{
-  imports = [ inputs.sops-nix.nixosModules.sops ];
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
 
   options.vacu.secretsFolder = lib.mkOption {
     type = lib.types.path;
@@ -23,9 +20,5 @@
       restartUnits = [ "opendkim.service" ];
       owner = config.services.opendkim.user;
     };
-    sops.secrets.relay_creds = {
-      restartUnits = [ "postfix.service" ];
-      owner = config.services.postfix.user;
-    };
   };
-}
+}

lp0/default.nix

@@ -1,6 +1,7 @@
 { config, pkgs, ... }:
 {
   imports = [
+    ../common-nixos-config.nix
     ./hardware-config.nix
   ];
 
@@ -8,10 +9,7 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  vacu.hostName = "lp0onfire"; # Define your hostname.
-  vacu.shortHostName = "lp0";
-  vacu.shell.color = "green";
-  vacu.systemKind = "server";
+  networking.hostName = "lp0onfire"; # Define your hostname.
 
   # Set your time zone.
   time.timeZone = "America/Los_Angeles";
@@ -55,7 +53,7 @@
   # system.autoUpgrade.enable = true;
   # system.autoUpgrade.allowReboot = true;
   # system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05-small;
-
+  
   nixpkgs.config.allowUnfree = true;
   services.zerotierone = {
     enable = true;
@@ -75,3 +73,4 @@
   #   internalInterfaces = [ "ztrf26rjvk" ];
   # };
 }
+

lp0/hardware-config.nix

@@ -1,37 +1,27 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
 
-  boot.initrd.availableKernelModules = [
-    "xhci_pci"
-    "ahci"
-    "usb_storage"
-    "usbhid"
-    "sd_mod"
-  ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
-    fsType = "ext4";
-  };
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/51a9c6de-3231-469f-a292-ada7d2531d63";
+      fsType = "ext4";
+    };
 
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/36B4-78A2";
-    fsType = "vfat";
-  };
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/36B4-78A2";
+      fsType = "vfat";
+    };
 
   swapDevices = [ ];
 

mmm/default.nix

@@ -1,23 +0,0 @@
-{ inputs, ... }:
-{
-  imports = [
-    ../common/nixos.nix
-    inputs.nixos-apple-silicon.nixosModules.default
-    ./hardware.nix
-  ];
-
-  vacu.hostName = "mmm";
-  vacu.shell.color = "red";
-  vacu.verifySystem.enable = false;
-  vacu.verifySystem.expectedMac = "14:98:77:3f:b8:2e";
-  vacu.systemKind = "server";
-
-  # asahi recommends systemd-boot
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = false;
-  hardware.asahi.peripheralFirmwareDirectory = ./firmware;
-
-  services.openssh.enable = true;
-
-  system.stateVersion = "24.05";
-}

mmm/hardware.nix

@@ -1,68 +0,0 @@
-{ lib, ... }:
-let
-  btrfsopts = [
-    "noatime"
-    "compress=zstd"
-  ];
-in
-{
-  boot.initrd.availableKernelModules = [
-    "xhci_pci"
-    "usbhid"
-    "usb_storage"
-    "xhci_hcd"
-    "uas"
-  ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
-    fsType = "btrfs";
-    options = [ "subvol=root" ] ++ btrfsopts;
-  };
-
-  boot.initrd.luks.devices."cryptroot" = {
-    device = "/dev/disk/by-uuid/4e75b9ed-ac4f-48a2-b38c-c5026723171f";
-    # note: creation requires --new-key-file-size not --key-file-size
-    keyFileSize = 2048;
-    keyFile = "/dev/disk/by-partuuid/9d171b52-329e-4e21-9399-dcc66ff572cd";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/4407-1EF3";
-    fsType = "vfat";
-    options = [
-      "fmask=0022"
-      "dmask=0022"
-    ];
-  };
-
-  fileSystems."/nix/store" = {
-    device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
-    fsType = "btrfs";
-    options = [ "subvol=nix-store" ] ++ btrfsopts;
-  };
-
-  fileSystems."/btrfs-root" = {
-    device = "/dev/disk/by-uuid/2f8b5094-94ab-4634-b11b-d4bcd2dc3f24";
-    fsType = "btrfs";
-    options = [
-      "subvol=/"
-      "noauto"
-    ] ++ btrfsopts;
-  };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}

nix-on-droid.nix

@@ -1,24 +1,19 @@
-{
-  lib,
-  ...
-}:
+{ config, lib, pkgs, inputs, ... }:
 
 {
-  imports = [
-    ./flake-registry.nix
-  ];
-
-  vacu.shell.color = "white";
-  vacu.systemKind = "server";
+  imports = [ ./common-config.nix ];
+  environment.packages = config.vacu.packageList;
 
   environment.etc."resolv.conf".text = lib.mkForce ''
-    # nameserver 10.78.79.1
+    nameserver 10.78.79.1
     nameserver 9.9.9.10
     nameserver 149.112.112.10
 
     options timeout:1 attempts:5
   '';
 
+  environment.etc."ssh/ssh_config".text = config.vacu.ssh.config;
+
   # Backup etc files instead of failing to activate generation if a file already exists in /etc
   environment.etcBackupExtension = ".bak";
 
@@ -29,12 +24,14 @@
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
+  nix.substituters = config.vacu.nix.extraSubstituters;
+  nix.trustedPublicKeys = config.vacu.nix.extraTrustedKeys;
+
+  environment.sessionVariables."PS1" = "\\w $ ";
 
   # Set your time zone
   time.timeZone = "America/Los_Angeles";
 
-  vacu.packages.yt-dlp.enable = true;
-
   #specific to the particular install; avoids impurity
   #user.gid = 10287;
   #user.uid = 10287;

nix-on-droid/flake-registry.nix

@@ -1,9 +0,0 @@
-# To make `nix run nixpkgs#hello` and such use the same nixpkgs used to build this, so that it doesn't take forever
-{ inputs, ... }:
-{
-  nix.registry.nixpkgs.to = {
-    type = "path";
-    path = inputs.nixpkgs.outPath;
-  };
-  nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
-}

nixvim/default.nix

@@ -1,35 +0,0 @@
-{ ... }:
-let
-in
-{
-  opts = {
-    smartindent = true;
-    expandtab = true;
-    shiftwidth = 2;
-    softtabstop = -1;
-  };
-  plugins.comment.enable = true;
-  plugins.surround.enable = true;
-  plugins.lsp = {
-    enable = true;
-    onAttach = builtins.readFile ./nixd-init.lua;
-    servers = {
-      bashls.enable = true;
-      jsonls.enable = true;
-      # nil-ls.enable = true;
-      nixd = {
-        enable = true;
-      };
-      pyright.enable = true;
-      tsserver.enable = true;
-      lua-ls.enable = true;
-      rust-analyzer = {
-        enable = true;
-        installCargo = false;
-        installRustc = false;
-      };
-      html.enable = true;
-      yamlls.enable = true;
-    };
-  };
-}

nixvim/nixd-init.lua

@@ -1,22 +0,0 @@
---@param client vim.lsp.Client
-local function init_per_dir_nixd(client)
-  if client.workspace_folders == nil then
-    return
-  end
-  local path = client.workspace_folders[1].name
-  local command = client.config.cmd[1]
-  local name = string.gsub(command, "(.*/)(.*)", "%2")
-  local is_nixd = name == "nixd"
-  local is_nix_stuff = (path == '/home/shelvacu/dev/nix-stuff' or path == '/home/shelvacu/nix-stuff' or path == '/data/data/com.termux.nix/files/home/nix-stuff')
-  if is_nixd and is_nix_stuff then
-    local get_flake = "(builtins.getFlake \"" .. path .. "\")"
-    client.config.settings["nixd"].options = {
-      nixos = { expr = get_flake .. ".nixosConfigurations.fw.options", },
-      ["home-manager"] = { expr = get_flake .. ".homeConfigurations.\"nix-on-droid\".options", },
-      ["nix-on-droid"] = { expr = get_flake .. ".nixOnDroidConfigurations.default.options", },
-    }
-    client.notify("workspace/didChangeConfiguration", { settings = client.config.settings, })
-  end
-end
-
-init_per_dir_nixd(client)

packages/bcd/default.nix

@@ -1,52 +0,0 @@
-{
-  lib,
-  jdk,
-  gradle_7,
-
-  makeWrapper,
-  stdenv,
-  fetchFromGitLab,
-}:
-let
-  gradle = gradle_7;
-  self = stdenv.mkDerivation rec {
-    pname = "bandcamp-collection-downloader";
-    version = "v2021-12-05";
-
-    nativeBuildInputs = [
-      gradle
-      makeWrapper
-    ];
-
-    src = fetchFromGitLab {
-      domain = "framagit.org";
-      owner = "Ezwen";
-      repo = "bandcamp-collection-downloader";
-      rev = version;
-      hash = "sha256-uvfpTFt92mp4msm06Y/1Ynwx6+DiE+bR8O2dntTzj9I=";
-    };
-
-    mitmCache = gradle.fetchDeps {
-      pkg = self;
-      data = ./deps.json;
-    };
-
-    # tests want to talk to bandcamp
-    doCheck = false;
-
-    gradleBuildTask = "fatjar";
-
-    installPhase = ''
-      runHook preInstall
-
-      mkdir -p $out/{bin,share/java/bandcamp-collection-downloader}
-      cp build/libs/bandcamp-collection-downloader.jar $out/share/java/bandcamp-collection-downloader/bandcamp-collection-downloader.jar
-
-      makeWrapper ${lib.getExe jdk} $out/bin/bandcamp-collection-downloader \
-        --add-flags "-jar $out/share/java/bandcamp-collection-downloader/bandcamp-collection-downloader.jar"
-
-      runHook postInstall
-    '';
-  };
-in
-self

packages/bcd/deps.json

@@ -1,338 +0,0 @@
-{
- "!comment": "This is a nixpkgs Gradle dependency lockfile. For more details, refer to the Gradle section in the nixpkgs manual.",
- "!version": 1,
- "https://plugins.gradle.org/m2": {
-  "com/github/gundy#semver4j/0.16.4": {
-   "pom": "sha256-MgAdskQ7M53SH1t5/ynRreci0boIDCFL3oGfD3LRYE0="
-  },
-  "com/github/gundy#semver4j/0.16.4/nodeps": {
-   "jar": "sha256-P1nspRY3TM1P01UWJb9Q+KSxkfcAUI985IZkYKYSivA="
-  },
-  "com/google/code/findbugs#jsr305/3.0.2": {
-   "jar": "sha256-dmrSoHg/JoeWLIrXTO7MOKKLn3Ki0IXuQ4t4E+ko0Mc=",
-   "pom": "sha256-GYidvfGyVLJgGl7mRbgUepdGRIgil2hMeYr+XWPXjf4="
-  },
-  "com/google/code/gson#gson-parent/2.8.6": {
-   "pom": "sha256-NzZGOFnsGSZyleiUlAroKo9oRBMDESL+Nc58/34wp3Q="
-  },
-  "com/google/code/gson#gson/2.8.6": {
-   "jar": "sha256-yPtIOQVNKAswM/gA0fWpfeLwKOuLoutFitKH5Tbz8l8=",
-   "pom": "sha256-IXRBWmRzMtMP2gS9HPxwij7MhOr3UX9ZYYjYJE4QORE="
-  },
-  "com/google/errorprone#error_prone_annotations/2.3.4": {
-   "jar": "sha256-uvfW6pfOYGxT4RtoVLpfLOfvXCTd3wr6GNEmC9JbACw=",
-   "pom": "sha256-EyZziktPfMrPYHuGahH7hRk+9g9qWUYRh85yZfm+W+0="
-  },
-  "com/google/errorprone#error_prone_parent/2.3.4": {
-   "pom": "sha256-QElbQ3pg0jmPD9/AVLidnDlKgjR6J0oHIcLpUKQwIYY="
-  },
-  "com/google/guava#failureaccess/1.0.1": {
-   "jar": "sha256-oXHuTHNN0tqDfksWvp30Zhr6typBra8x64Tf2vk2yiY=",
-   "pom": "sha256-6WBCznj+y6DaK+lkUilHyHtAopG1/TzWcqQ0kkEDxLk="
-  },
-  "com/google/guava#guava-parent/26.0-android": {
-   "pom": "sha256-+GmKtGypls6InBr8jKTyXrisawNNyJjUWDdCNgAWzAQ="
-  },
-  "com/google/guava#guava-parent/29.0-jre": {
-   "pom": "sha256-alf54C9436L0vaNBYGWmRCauG2beIoz24Zbi4ZElU78="
-  },
-  "com/google/guava#guava/29.0-jre": {
-   "jar": "sha256-sixftm1h57lSJTHQSy+RW1FY6AqgtA7nKCyL+wew2iU=",
-   "pom": "sha256-kCfpNAmJA9KH8bphyLZfAdHR4dp6b7zAS/PeBUQBRCY="
-  },
-  "com/google/guava#listenablefuture/9999.0-empty-to-avoid-conflict-with-guava": {
-   "jar": "sha256-s3KgN9QjCqV/vv/e8w/WEj+cDC24XQrO0AyRuXTzP5k=",
-   "pom": "sha256-GNSx2yYVPU5VB5zh92ux/gXNuGLvmVSojLzE/zi4Z5s="
-  },
-  "com/google/j2objc#j2objc-annotations/1.3": {
-   "jar": "sha256-Ia8wySJnvWEiwOC00gzMtmQaN+r5VsZUDsRx1YTmSns=",
-   "pom": "sha256-X6yoJLoRW+5FhzAzff2y/OpGui/XdNQwTtvzD6aj8FU="
-  },
-  "de/undercouch#gradle-download-task/4.1.1": {
-   "jar": "sha256-6wi1cOQI1GRnBecKlJYU1DnqKxFFXxZSqwMw3olU2rk=",
-   "pom": "sha256-EQnx9xpUJU1ZAzfYudRD+d/AhyjJwdgzVlXMHcyIwLk="
-  },
-  "org/checkerframework#checker-qual/2.11.1": {
-   "jar": "sha256-AVIkpLHcbebaBTJz1Np9Oc/qIOYwOBafxFrA0dycWTg=",
-   "pom": "sha256-zy4MkNj3V0VfSiWOpglzkFNmO9XaannZvVP5NaR955w="
-  },
-  "org/jetbrains/intellij/deps#trove4j/1.0.20181211": {
-   "jar": "sha256-r/t8haPIe9z2n/HbuE3hH2PckxKTk0vAjNerGN4INgE=",
-   "pom": "sha256-MQpqotkFNMMrj0bx/JjNDtrpXc38oj4oR+Xvqa4MAZo="
-  },
-  "org/jetbrains/kotlin#kotlin-android-extensions/1.5.31": {
-   "jar": "sha256-aO1mp5A4wtK1Tu7KFpXUuXCV4jW5DT0/WKHE3hme0lU=",
-   "pom": "sha256-LgIHPvU+pggMAM+KqkdItBkXpNpsSdKNaDLWoSmnzEY="
-  },
-  "org/jetbrains/kotlin#kotlin-annotation-processing-gradle/1.5.31": {
-   "jar": "sha256-4nC48GUtl5pjrKTUohJwmGqvBjeOLrg48Azgk5D1q0w=",
-   "pom": "sha256-bBvZhwcdN3Qu809UrUQ5nmuQiR4/uLDCz0qMN3Y7jVA="
-  },
-  "org/jetbrains/kotlin#kotlin-build-common/1.5.31": {
-   "jar": "sha256-N4s/SEMiUQ1ozWlPksWuASxrssatmVhShVOWkptVOEk=",
-   "pom": "sha256-ta6dsXnXsWsa9u3FHwX5rA1u+fYUm8CNiVhIphLSCY4="
-  },
-  "org/jetbrains/kotlin#kotlin-compiler-embeddable/1.5.31": {
-   "jar": "sha256-45gRqeTBAud5xlnu/pCwQcZs6HV4wb/awHz1BNFVF0U=",
-   "pom": "sha256-1Ess6vKEuuky15hYHkIrtr0sjln084u9H+Kh2lo8dTQ="
-  },
-  "org/jetbrains/kotlin#kotlin-compiler-runner/1.5.31": {
-   "jar": "sha256-/UvVYjtsKVsHYhlumb5xVPHvCtM4zXm7r6T7wvHACwg=",
-   "pom": "sha256-N16wYQP23mQGWw9CwtZtEHFZs+kvXqLhzrJRfia6yCw="
-  },
-  "org/jetbrains/kotlin#kotlin-daemon-client/1.5.31": {
-   "jar": "sha256-6oITtcl0wSVzoYu7dZV5hztt8XgAvbjYsFL8NS4R+cA=",
-   "pom": "sha256-cA50WnFGgWov+xJmkZymNq2dAioH4doKVlibE5R+ST8="
-  },
-  "org/jetbrains/kotlin#kotlin-daemon-embeddable/1.5.31": {
-   "jar": "sha256-9h6vieXjhIYxZQslzftm/oyuAoGgVNnZhnFgAKFbqNY=",
-   "pom": "sha256-alUadKuKIMrt+a281OvpYzPqq13+NV+RuwFRbMMct3Y="
-  },
-  "org/jetbrains/kotlin#kotlin-gradle-plugin-api/1.5.31": {
-   "jar": "sha256-j9I46omSPn3xs3X5GHEApxTH4lP3hskqrJH/BGfu8tQ=",
-   "pom": "sha256-QBBV9PNHv/N03+YeO9et0gvB5+YhW0RZDZRtDEfOXog="
-  },
-  "org/jetbrains/kotlin#kotlin-gradle-plugin-model/1.5.31": {
-   "jar": "sha256-Tl42xb32B1GAXBveqDQRBmeOYj8KrLbaKz0gTN9BBmE=",
-   "pom": "sha256-x/F3wK/XKh+7yWtS1V/QzsgfCMm2Sln09FFaV9+Sy7s="
-  },
-  "org/jetbrains/kotlin#kotlin-gradle-plugin/1.5.31": {
-   "jar": "sha256-EsFFQSMeiBzbBKw0lgV1X/D3hY0VsZ9TbAELGxPDbAw=",
-   "pom": "sha256-YGdxue42D9zlv4aOrVLhRcUwy0tly7VrWwImbWxsU/w="
-  },
-  "org/jetbrains/kotlin#kotlin-klib-commonizer-api/1.5.31": {
-   "jar": "sha256-EDlqWVu4xeJUkDAxDTDNUWd8WIBCFqUoI6SAaBnLD9c=",
-   "pom": "sha256-6g+LFK3jOqvoJEhLpnA3UV5OuId0zVfneQqFQbWHQpk="
-  },
-  "org/jetbrains/kotlin#kotlin-native-utils/1.5.31": {
-   "jar": "sha256-cSfgacEGNt54QsP4TC7G4/W3dk+m3f3rE5XLvxrlUcQ=",
-   "pom": "sha256-aFn8z6JTCGmRPaiac3gOpgCqaXFfFHRZdvL7BbLj3oc="
-  },
-  "org/jetbrains/kotlin#kotlin-project-model/1.5.31": {
-   "jar": "sha256-rcqYHKsdnQUtjiNnMAJ2bUp5TMeOtfb+skEstpy8HNE=",
-   "pom": "sha256-3wmxdZNSUpS80PdsR4eGcuAKLhsYH3B0lrHUE5C8Ruk="
-  },
-  "org/jetbrains/kotlin#kotlin-scripting-common/1.5.31": {
-   "jar": "sha256-IZ7fAK7YKIxx2AAvFZhS1TXsmveuv7B9+DboR5qDR+8=",
-   "pom": "sha256-LSB1cya+WOSOs2EE1i0LyL/Z3Ogm2M3QXLThlgnFlTI="
-  },
-  "org/jetbrains/kotlin#kotlin-scripting-compiler-embeddable/1.5.31": {
-   "jar": "sha256-yGIfrjb42bhJFqpMBH0pgWX6Mv09ID0W0mUd5JGoRT0=",
-   "pom": "sha256-CYeCsKIsAhdU0NKXANquyn/HYEIIL+HZDcY8lfJiYlE="
-  },
-  "org/jetbrains/kotlin#kotlin-scripting-compiler-impl-embeddable/1.5.31": {
-   "jar": "sha256-elvIU0hD4LAcY1+Ys8WLLQMDx/GocxW39EImuTry5nM=",
-   "pom": "sha256-GMfKFcag0wZNkA5sxntadv3pMNA5PdNCzOTUN76wc/c="
-  },
-  "org/jetbrains/kotlin#kotlin-scripting-jvm/1.5.31": {
-   "jar": "sha256-b65w7F2DcwrUfQEt3iMNbdSXXD2MDomt7Jq9Q/pv5t4=",
-   "pom": "sha256-HPr0zKwkDc2NC2xhM7vGVAgc28CDJx+Pn8lxH4BctPA="
-  },
-  "org/jetbrains/kotlin#kotlin-tooling-metadata/1.5.31": {
-   "jar": "sha256-DdebRc2fJw+N9e68t8jWriNOmCdNGhm+aiSu4SpOOr4=",
-   "pom": "sha256-n8mlg2Mc6fd9bWFK35erK4IM/X71Xa5LFRqDlre6bps="
-  },
-  "org/jetbrains/kotlin#kotlin-util-io/1.5.31": {
-   "jar": "sha256-LCbUBlmFc+qr1XUCnw/+G807aZvwJScJNYSo0nbPUmo=",
-   "pom": "sha256-+pgbeSjlucTwdec+CBgsXj236IWpEPNl+2Ku+I5aNVo="
-  },
-  "org/jetbrains/kotlin#kotlin-util-klib/1.5.31": {
-   "jar": "sha256-+RcvLoQZS9Wp1Al8f/3Pf/wLwiMi0OH+FwG2KsM613A=",
-   "pom": "sha256-O5q77lvcFo+l8EOXgLdIBWm6DRjbNPdJHoqsX/1odjM="
-  },
-  "org/jetbrains/kotlin/jvm#org.jetbrains.kotlin.jvm.gradle.plugin/1.5.31": {
-   "pom": "sha256-TwiJBgIxZmuJn35gfMdxmxvrMMxt7Opn00q97RO2lBM="
-  },
-  "org/jetbrains/kotlinx#kotlinx-coroutines-core-jvm/1.5.0": {
-   "jar": "sha256-eNbMcTX4TWkv83Uvz9H6G74JQNffcGUuTx6u7Ax4r7s=",
-   "module": "sha256-yIXdAoEHbFhDgm3jF+PLzcPYhZ2+71OuHPrNG5xg+W4=",
-   "pom": "sha256-U2IuA3eN+EQPwBIgGjW7S9/kAWTv7GErvvze7LL/wqs="
-  },
-  "org/jetbrains/kotlinx#kotlinx-coroutines-core/1.5.0": {
-   "module": "sha256-2KJqiW2jL7H4w/E/5By3mKYSocHd86VV2C7h/xbvE9M=",
-   "pom": "sha256-/8k2P3ybw40mHJOM23+kXO5WiU1xq7Kd+/23CzVY1FI="
-  },
-  "org/sonatype/oss#oss-parent/7": {
-   "pom": "sha256-tR+IZ8kranIkmVV/w6H96ne9+e9XRyL+kM5DailVlFQ="
-  },
-  "org/sonatype/oss#oss-parent/9": {
-   "pom": "sha256-+0AmX5glSCEv+C42LllzKyGH7G8NgBgohcFO8fmCgno="
-  }
- },
- "https://repo.maven.apache.org/maven2": {
-  "com/google/code/gson#gson-parent/2.8.8": {
-   "pom": "sha256-IRPa1JelW3F03dXKUG9C4RKZHP7Mdt9icd8RWOPwmm8="
-  },
-  "com/google/code/gson#gson/2.8.8": {
-   "jar": "sha256-xvMVKww5wbfr4mfplgSnUOnVWFsvPy4Z1vvX7JCA0Ps=",
-   "pom": "sha256-NmyNW7OsBqHbLU7189l5bjCBuz+fDzmMxX+a+82cWDM="
-  },
-  "com/sun/mail#all/1.6.2": {
-   "pom": "sha256-S36Dqpt31l4AfpfLUPm4nNt1T6rxZBHl/ZTR49q3brM="
-  },
-  "com/sun/mail#javax.mail/1.6.2": {
-   "jar": "sha256-RbUV5xBJRMCeRbnHuxzl3/ZASGN0hS3SsugMw3Ut+hE=",
-   "pom": "sha256-xCKcBbWDbwAlITY9NDXz0HJmJ0RUi/F+fnreyv5ouf0="
-  },
-  "info/picocli#picocli/4.6.1": {
-   "jar": "sha256-Km4DMQ2xSfihHrBYqnjndcIp74FjM8loc3l2LSKDOtY=",
-   "pom": "sha256-sQOC7VBz9mKP84EayWFEkbHv8wLDz55Cmo81P2w75M8="
-  },
-  "javax/activation#activation/1.1": {
-   "jar": "sha256-KIHHnJ1u8BxY5ivuoT6dGsi4uqFvL8GYrW5ndt79zdM=",
-   "pom": "sha256-1JDlQKEVBLnXFxixyF/vez3mgCNhKQgkU5sHbVj6qKA="
-  },
-  "net/java#jvnet-parent/1": {
-   "pom": "sha256-KBRAgRJo5l2eJms8yJgpfiFOBPCXQNA4bO60qJI9Y78="
-  },
-  "org/apiguardian#apiguardian-api/1.1.2": {
-   "jar": "sha256-tQlEisUG1gcxnxglN/CzXXEAdYLsdBgyofER5bW3Czg=",
-   "module": "sha256-4IAoExN1s1fR0oc06aT7QhbahLJAZByz7358fWKCI/w=",
-   "pom": "sha256-MjVQgdEJCVw9XTdNWkO09MG3XVSemD71ByPidy5TAqA="
-  },
-  "org/ini4j#ini4j/0.5.4": {
-   "jar": "sha256-qtYGNe7lZyVO0p8Y+xjA+eTE2s9RyCKRKCAxg7s14t0=",
-   "pom": "sha256-XMYUkRJoPvybUbn9k3h307NQPfboBdMHHOTbOb41mY8="
-  },
-  "org/jetbrains#annotations/13.0": {
-   "jar": "sha256-rOKhDcji1f00kl7KwD5JiLLA+FFlDJS4zvSbob0RFHg=",
-   "pom": "sha256-llrrK+3/NpgZvd4b96CzuJuCR91pyIuGN112Fju4w5c="
-  },
-  "org/jetbrains/intellij/deps#trove4j/1.0.20181211": {
-   "jar": "sha256-r/t8haPIe9z2n/HbuE3hH2PckxKTk0vAjNerGN4INgE=",
-   "pom": "sha256-MQpqotkFNMMrj0bx/JjNDtrpXc38oj4oR+Xvqa4MAZo="
-  },
-  "org/jetbrains/kotlin#kotlin-compiler-embeddable/1.5.31": {
-   "jar": "sha256-45gRqeTBAud5xlnu/pCwQcZs6HV4wb/awHz1BNFVF0U=",
-   "pom": "sha256-1Ess6vKEuuky15hYHkIrtr0sjln084u9H+Kh2lo8dTQ="
-  },
-  "org/jetbrains/kotlin#kotlin-daemon-embeddable/1.5.31": {
-   "jar": "sha256-9h6vieXjhIYxZQslzftm/oyuAoGgVNnZhnFgAKFbqNY=",
-   "pom": "sha256-alUadKuKIMrt+a281OvpYzPqq13+NV+RuwFRbMMct3Y="
-  },
-  "org/jetbrains/kotlin#kotlin-klib-commonizer-embeddable/1.5.31": {
-   "jar": "sha256-hQ3nvEsAp4jnRUPZRAlrcHkLvL6XaNQtAQRbMhBXbnE=",
-   "pom": "sha256-EtXpQVih6CA4YFUeyuUiiiM75NrhtRmvJLDEUui7wsc="
-  },
-  "org/jetbrains/kotlin#kotlin-reflect/1.5.31": {
-   "jar": "sha256-bg9UkOa5ZJ3dJnBTTk06A70oPDNYuO710TBP1filpPs=",
-   "pom": "sha256-VitLqu6sfHJYlKEF/FHNPWfgolnnEUDVVUJsMycLMBQ="
-  },
-  "org/jetbrains/kotlin#kotlin-script-runtime/1.5.31": {
-   "jar": "sha256-JORQ/udkXtNZCYHd3M85fA2eu3JYFclMT1Vcw9svn5Y=",
-   "pom": "sha256-+MNYzwUXT+VmQWKGI7oxfJ3DcODp3oBbCLnRGMPFhbc="
-  },
-  "org/jetbrains/kotlin#kotlin-scripting-common/1.5.31": {
-   "jar": "sha256-IZ7fAK7YKIxx2AAvFZhS1TXsmveuv7B9+DboR5qDR+8=",
-   "pom": "sha256-LSB1cya+WOSOs2EE1i0LyL/Z3Ogm2M3QXLThlgnFlTI="
-  },
-  "org/jetbrains/kotlin#kotlin-scripting-compiler-embeddable/1.5.31": {
-   "jar": "sha256-yGIfrjb42bhJFqpMBH0pgWX6Mv09ID0W0mUd5JGoRT0=",
-   "pom": "sha256-CYeCsKIsAhdU0NKXANquyn/HYEIIL+HZDcY8lfJiYlE="
-  },
-  "org/jetbrains/kotlin#kotlin-scripting-compiler-impl-embeddable/1.5.31": {
-   "jar": "sha256-elvIU0hD4LAcY1+Ys8WLLQMDx/GocxW39EImuTry5nM=",
-   "pom": "sha256-GMfKFcag0wZNkA5sxntadv3pMNA5PdNCzOTUN76wc/c="
-  },
-  "org/jetbrains/kotlin#kotlin-scripting-jvm/1.5.31": {
-   "jar": "sha256-b65w7F2DcwrUfQEt3iMNbdSXXD2MDomt7Jq9Q/pv5t4=",
-   "pom": "sha256-HPr0zKwkDc2NC2xhM7vGVAgc28CDJx+Pn8lxH4BctPA="
-  },
-  "org/jetbrains/kotlin#kotlin-stdlib-common/1.5.31": {
-   "jar": "sha256-36KhjiawKDiO4ZaNGZv28Wb3N6twScJaXi2mFEBOIq0=",
-   "pom": "sha256-thXpRrjD0r6pllLs2pfVfs+Dv180xl0oZ5CvI+USg8I="
-  },
-  "org/jetbrains/kotlin#kotlin-stdlib-jdk7/1.5.0": {
-   "jar": "sha256-rBLwkvErV1wfngq1AlseYQsP6VZj4mNxwWwyiJVxG64=",
-   "pom": "sha256-7T5s00w9Onc9oOAHuxLhZFSHJUZOWtthZEqY+yklStE="
-  },
-  "org/jetbrains/kotlin#kotlin-stdlib-jdk7/1.5.31": {
-   "jar": "sha256-olv0c1POiZ2EPL3e5RbWIac0c+f7qX+NAwHntK7XwV8=",
-   "pom": "sha256-IxOEie4pOmgZcGiHd0X3AL+hGvmJGHvtPDB0zYwHl3g="
-  },
-  "org/jetbrains/kotlin#kotlin-stdlib-jdk8/1.5.0": {
-   "jar": "sha256-FebIG56EXu/ljVGgRnC7kEGARvRYJk7A5h7pvbwb+uc=",
-   "pom": "sha256-0Ls+nTxj4e2bB3lPhWtyIEJwVxffMFEOTM4RPuLKWU0="
-  },
-  "org/jetbrains/kotlin#kotlin-stdlib-jdk8/1.5.31": {
-   "jar": "sha256-tUj3dnqs8CnSQX5HRAdCvW0+vt4ZtgOG4jVUzlxMX9w=",
-   "pom": "sha256-RREKqwB0eSuBWAewKy2vGNKzfodHrAaSqteg0C2ok98="
-  },
-  "org/jetbrains/kotlin#kotlin-stdlib/1.5.31": {
-   "jar": "sha256-SADOrLLsC7mVmghxVLjjUxjq0epOujLUuxuXNCIqfmg=",
-   "pom": "sha256-j3Z2AQSsTocwCcnwM90brXW507j5Uh1j2xJk2ESFLmw="
-  },
-  "org/jetbrains/kotlinx#kotlinx-coroutines-core-jvm/1.5.0": {
-   "jar": "sha256-eNbMcTX4TWkv83Uvz9H6G74JQNffcGUuTx6u7Ax4r7s=",
-   "module": "sha256-yIXdAoEHbFhDgm3jF+PLzcPYhZ2+71OuHPrNG5xg+W4=",
-   "pom": "sha256-U2IuA3eN+EQPwBIgGjW7S9/kAWTv7GErvvze7LL/wqs="
-  },
-  "org/jetbrains/kotlinx#kotlinx-coroutines-core/1.5.0": {
-   "module": "sha256-2KJqiW2jL7H4w/E/5By3mKYSocHd86VV2C7h/xbvE9M=",
-   "pom": "sha256-/8k2P3ybw40mHJOM23+kXO5WiU1xq7Kd+/23CzVY1FI="
-  },
-  "org/jsoup#jsoup/1.14.3": {
-   "jar": "sha256-kq8Z7FfMd2N9tEkPD1AR8ERNNTIJzjYIO6xCj5uBo5w=",
-   "pom": "sha256-UsW86oFXCKOWqs6xQZm5Z5j8MhmtBSNvAaKttMhekGE="
-  },
-  "org/junit#junit-bom/5.8.1": {
-   "module": "sha256-a4LLpSoTSxPBmC8M+WIsbUhTcdQLmJJG8xJOOwpbGFQ=",
-   "pom": "sha256-733Ef45KFoZPR3lyjofteFOYGeT7iSdoqdprjvkD+GM="
-  },
-  "org/junit/jupiter#junit-jupiter-api/5.8.1": {
-   "jar": "sha256-zjN0p++6YF4tK2mj/vkBNAMrqz7MPthXmkhxscLEcpw=",
-   "module": "sha256-DWnbwja33Kq0ynNpqlYOmwqbvvf5WIgv+0hTPLunwJ0=",
-   "pom": "sha256-d61+1KYwutH8h0agpuZ1wj+2lAsnq2LMyzTk/Pz+Ob8="
-  },
-  "org/junit/jupiter#junit-jupiter-engine/5.8.1": {
-   "jar": "sha256-Rom8kCJVoZ/pgndoO6MjHAlNEHxUyNNfK2+cl9ImQY4=",
-   "module": "sha256-aHkP7DP5ew7IQM9HrEDuDHLgVvEiyg88ZkZ0M0mTdpk=",
-   "pom": "sha256-qjIKMYpyceMyYsSA/POZZbmobap2Zm63dTQrgOnN1F4="
-  },
-  "org/junit/platform#junit-platform-commons/1.8.1": {
-   "jar": "sha256-+k+mjIvVTdDLScP8vpsuQvTaa+2+fnzPKgXxoeYJtZM=",
-   "module": "sha256-aY/QVBrLfv/GZZhI/Qx91QEKSfFfDBy6Q+U1gH+Q9ms=",
-   "pom": "sha256-4ZcoLlLnANEriJie3FSJh0aTUC5KqJB6zwgpgBq6bUQ="
-  },
-  "org/junit/platform#junit-platform-engine/1.8.1": {
-   "jar": "sha256-cCho7X6GubRnLt4PHhhekFusqa+rV3RqfGUL48e8oEc=",
-   "module": "sha256-2fQgpkU5o+32D4DfDG/XIrdQcldEx5ykD30lrlbKS6Q=",
-   "pom": "sha256-hqrU5ld1TkOgDfIm3VTIrsHsarZTP1ASGQfkZi3i5fI="
-  },
-  "org/opentest4j#opentest4j/1.2.0": {
-   "jar": "sha256-WIEt5giY2Xb7ge87YtoFxmBMGP1KJJ9QRCgkefwoavI=",
-   "pom": "sha256-qW5nGBbB/4gDvex0ySQfAlvfsnfaXStO4CJmQFk2+ZQ="
-  },
-  "org/slf4j#slf4j-api/1.6.6": {
-   "pom": "sha256-cxmZMiteIokinNntRiTJQexXG3xh0qJ9alB+9zuXyho="
-  },
-  "org/slf4j#slf4j-api/1.7.32": {
-   "jar": "sha256-NiT4R0wa9G11+YvAl9eGSjI8gbOAiqQ2iabhxgHAJ74=",
-   "pom": "sha256-ABzeWzxrqRBwQlz+ny5pXkrri8KQotTNllMRJ6skT+U="
-  },
-  "org/slf4j#slf4j-parent/1.6.6": {
-   "pom": "sha256-QrjCR2CP2OENW2Zs98gKW1nSseEoRQ97bZ0sIM+2sxs="
-  },
-  "org/slf4j#slf4j-parent/1.7.32": {
-   "pom": "sha256-WrNJ0PTHvAjtDvH02ThssZQKL01vFSFQ4W277MC4PHA="
-  },
-  "org/slf4j#slf4j-simple/1.7.32": {
-   "jar": "sha256-0v3XtzyiAZogYtFFoNhheaWPmMjD41ynxzWieztWIcM=",
-   "pom": "sha256-VVTmGS0A/7oRfST9+HBIj50DkABH6Lq1XgDugzgvQdg="
-  },
-  "org/sonatype/oss#oss-parent/7": {
-   "pom": "sha256-tR+IZ8kranIkmVV/w6H96ne9+e9XRyL+kM5DailVlFQ="
-  },
-  "org/sonatype/oss#oss-parent/9": {
-   "pom": "sha256-+0AmX5glSCEv+C42LllzKyGH7G8NgBgohcFO8fmCgno="
-  },
-  "org/xerial#sqlite-jdbc/3.36.0.2": {
-   "jar": "sha256-D++S/Lco+7Tw88ua2+cIgjuGB0zef46jkd/AZiwz7Lo=",
-   "pom": "sha256-IQG6KV0YmqEcASDMVuEs4WoyC5EE9gBer03ud4gXAkk="
-  },
-  "org/zeroturnaround#zt-zip/1.14": {
-   "jar": "sha256-lkDsuPjrnDFVsVbtu0BJyT3uXaKz31U6UdlGmK+3aNk=",
-   "pom": "sha256-esRAYySqeauHFiEV/lpCdp4yB8eCFbvCMZ2ZNeNV5hg="
-  }
- }
-}

packages/snmp-mibs-downloader.nix

@@ -1,124 +0,0 @@
-{
-  bash,
-  coreutils,
-  gzip,
-  gnutar,
-  unzip,
-  wget,
-  gnupatch,
-
-  fetchFromGitLab,
-  fetchurl,
-  #libsmi,
-  #resholve,
-  stdenv,
-  writeText,
-  lib,
-}@args:
-stdenv.mkDerivation (
-  self:
-  let
-    # this script depends on an old version of libsmi's smistrip
-    libsmi = stdenv.mkDerivation rec {
-      pname = "libsmi";
-      version = "0.4.8";
-
-      src = fetchurl {
-        url = "https://www.ibr.cs.tu-bs.de/projects/libsmi/download/${pname}-${version}.tar.gz";
-        hash = "sha256-8EilJw9BvIiww7Co/nDKTXFqRrUxoOyqqHxGL0nXSEk=";
-      };
-
-      env.NIX_CFLAGS_COMPILE = "-std=gnu90";
-      #env.CFLAGS="-Wno-error";
-      #env.NIX_DEBUG="7";
-
-      hardeningDisable = [ "format" ];
-
-      meta = with lib; {
-        description = "A Library to Access SMI MIB Information";
-        homepage = "https://www.ibr.cs.tu-bs.de/projects/libsmi/index.html";
-        license = licenses.free;
-        platforms = lib.platforms.linux ++ lib.platforms.darwin;
-      };
-    };
-  in
-  rec {
-    pname = "snmp-mibs-downloader";
-    version = "1.6";
-
-    src = fetchFromGitLab {
-      domain = "salsa.debian.org";
-      owner = "debian";
-      repo = "${pname}";
-      rev = "debian/${version}";
-      hash = "sha256-W2VW3EJWmHwlqMoL12dFcfkYmAADLOtUWCydcL5qUKc=";
-    };
-
-    # installPhase = ''
-    #   install -Dm755 download-mibs $out/bin
-    #   install -Dm644 *.conf *list $out/etc/snmp-mips-downloader
-    #   cp mibrfcs/* $out/share/snmp/mibs-downloader/mibrfcs
-    #   cp mibiana/* $out/share/snmp/mibs-downloader/mibiana
-    #   gzip -9 $out/share/snmp/mibs-downloader/*/*
-
-    # '';
-    postPatch = ''
-      substituteInPlace download-mibs \
-        --replace-fail SMISTRIP=/usr/bin/smistrip "" \
-        --replace-fail CONFDIR=/etc/snmp-mibs-downloader "BASEDIR=/var/lib/mibs; AUTOLOAD='rfc ianarfc iana'" \
-        --replace-fail '. $CONFDIR/snmp-mibs-downloader.conf' ""
-    '';
-    preInstall = ''
-      mkdir -p $out/usr/bin $out/etc/snmp-mibs-downloader $out/usr/share/snmp/mibs-downloader/mib{rfcs,iana} $out/usr/share/snmp/mibs
-    '';
-    installFlags = [
-      "INSTALL=install"
-      "DESTDIR=$(out)"
-    ];
-    postInstall = ''
-      mv $out/usr/* $out
-      rmdir $out/usr
-      substituteInPlace $out/etc/snmp-mibs-downloader/* \
-        --replace-quiet 'DIR=/usr/share/snmp/mibs-downloader' 'DIR='$out'/share/snmp/mibs-downloader'
-      mv $out/bin/download-mibs $out/bin/.download-mibs-unwrapped
-      cat <<EOF > $out/bin/download-mibs
-        #!${bash}/bin/bash
-        PATH=${
-          lib.escapeShellArg (
-            lib.concatStringsSep ":" (
-              lib.flip map [
-                coreutils
-                gzip
-                gnutar
-                unzip
-                wget
-                gnupatch
-              ] (p: "${p}/bin")
-            )
-          )
-        }
-        SMISTRIP=${libsmi}/bin/smistrip
-        CONFDIR=$out/etc/snmp-mibs-downloader
-        source $out/bin/.download-mibs-unwrapped
-      EOF
-      chmod u+x $out/bin/download-mibs
-    '';
-
-    env.NIX_DEBUG = "7";
-    # solutions.default = {
-    #   scripts = [ "bin/download-mibs" ];
-    #   interpreter = "${bash}/bin/bash";
-    #   inputs = [ coreutils gzip gnutar unzip wget gnupatch ]; 
-    #   keep = {
-    #     "$archive_fetcher" = true;
-    #     source = [ "$CONFDIR/$i.conf" ];
-    #     "${wget}/bin/wget" = true;
-    #   };
-    #   fix = { "$SMISTRIP" = [ "${libsmi}/bin/smistrip" ]; };
-    # };
-
-    meta = {
-      mainProgram = "download-mibs";
-    };
-  }
-)

packages/snmpb/package.nix

@@ -1,133 +0,0 @@
-{
-  fetchgit,
-  lib,
-  libsmi,
-  libtomcrypt,
-  qmake,
-  qtbase,
-  qwt,
-  stdenv,
-  wrapQtAppsHook,
-
-  breakpointHook,
-}@args:
-
-stdenv.mkDerivation (
-  finalAttrs:
-  let
-    # ./configure --disable-shared --disable-yang --with-pathseparator=';' --with-dirseparator='/' --with-smipath=${INSTALL_PREFIX}'/${SHARE}/snmpb/mibs;'${INSTALL_PREFIX}'/${SHARE}/snmpb/pibs'
-    libsmi = finalAttrs.passthru.libsmi;
-    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/iana/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
-    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
-    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/mibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/mibs
-    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/ietf/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
-    # $(INSTALL) -m 444 ${ROOT_OWNER} libsmi/pibs/tubs/* ${INSTALL_PREFIX}/${SHARE}/snmpb/pibs
-
-  in
-  {
-    pname = "snmpb";
-    version = "0.9pre1";
-
-    # __structuredAttrs = true;
-
-    passthru = {
-      proFile = "${finalAttrs.pname}.pro";
-      makeFile = "makefile.${finalAttrs.pname}";
-      smipath = "${finalAttrs.passthru.libsmi-data}/share/snmpb/mibs;${finalAttrs.passthru.libsmi-data}/share/snmpb/pibs";
-      libsmi = args.libsmi.overrideAttrs (
-        final: prev: {
-          #preConfigure = (prev.preConfigure or "") + "\n" + ''
-          #  appendToVar configureFlags --prefix=$out/ --disable-yang --with-pathseparator=';' --with-dirseparator='/'
-          #'';
-          configureFlags = (prev.configureFlags or [ ]) ++ [
-            "--with-pathseparator=;"
-            "--with-smipath=${finalAttrs.passthru.smipath}"
-          ];
-          env.NIX_DEBUG = "2";
-          pname = prev.pname + "-for-snmpb";
-        }
-      );
-      libsmi-data = stdenv.mkDerivation {
-        name = "libsmi-snmpb-data";
-        phases = "unpackPhase installPhase";
-        src = libsmi.src;
-        installPhase = ''
-                  mkdir -p $out/share/snmpb/{mibs,pibs}
-          	shopt -s globstar
-          	for foo in mibs pibs; do
-          	  for node in $foo/**/*; do
-          	    [[ -f $node ]] && install -m444 $node $out/share/snmpb/$foo/
-          	  done
-          	done
-          	rm $out/share/snmpb/*/Makefile*
-        '';
-      };
-    };
-
-    src = fetchgit {
-      url = "https://git.code.sf.net/p/snmpb/code";
-      rev = "a092855bfd201778f87be578b91aeb062726e329";
-      hash = "sha256-nlS1pqv2ERZGkk0SJ8ByXqBHHho1GTSq/oxrXL2tytM=";
-    };
-
-    patches = [ ./unvendor.patch ];
-
-    buildInputs = [
-      qwt
-      qtbase
-      libtomcrypt
-      libsmi
-    ];
-
-    nativeBuildInputs = [
-      wrapQtAppsHook
-      qmake
-      breakpointHook
-    ];
-
-    #setSourceRoot = "sourceRoot=$(echo */app)";
-
-    #NIX_DEBUG="7";
-    #installFlags = "INSTALL_PREFIX=$(out) NO_ROOT=1";
-    installPhase = ''
-      popd
-      install -Dm 555 -s app/snmpb $out/bin/snmpb
-      #mkdir -p $out/share/snmpb/{mibs,pibs}
-      #for foo in mibs pibs; do
-      #  for file in ${libsmi}/share/$foo/*; do
-      #    ln -s $file $out/share/snmpb/$foo/
-      #  done
-      #done
-      install -Dm 444 app/snmpb.desktop $out/share/applications
-      install -Dm 444 app/snmpb.xml $out/share/mime/packages
-      install -Dm 444 app/images/snmpb.png $out/share/icons/hicolor/128x128/apps
-      install -Dm 444 app/images/snmpb.png $out/share/pixmaps
-      install -Dm 444 app/images/snmpb.svg $out/share/icons/hicolor/scalable/apps
-    '';
-    postPatch = ''
-      rm -rf libsmi libtomcrypt qwt #ensures un-vendoring worked correctly
-      #smipath_parts=(${libsmi}/share/{mibs,pibs}/*)
-      #smipath=$(IFS=";" ; echo "''${smipath_parts[*]}")
-      substituteInPlace app/preferences.cpp --subst-var smipath
-      substituteInPlace app/*.pro \
-        --subst-var libs \
-        --subst-var include
-      pushd app
-    '';
-    env = {
-      include = "${qwt.dev}/include ${libsmi}/include ${libtomcrypt}/include";
-      libs = "${qwt}/lib/libqwt.so ${libsmi}/lib/libsmi.so ${libtomcrypt}/lib/libtomcrypt.so -lqwt -lsmi -ltomcrypt";
-      inherit (finalAttrs.passthru) smipath;
-    };
-
-    preConfigure = ''
-      qmakeFlags+=( "${finalAttrs.passthru.proFile}" "-o" "${finalAttrs.passthru.makeFile}" )
-    '';
-    makefile = finalAttrs.passthru.makeFile;
-
-    meta = {
-      description = "GUI SNMP browser and MIB editor wrtten with Qt";
-
-    };
-  }
-)

packages/snmpb/unvendor.patch

@@ -1,61 +0,0 @@
-diff --git a/app/preferences.cpp b/app/preferences.cpp
-index 29fa8c8..98e842f 100644
---- a/app/preferences.cpp
-+++ b/app/preferences.cpp
-@@ -22,13 +22,6 @@
- #include <qfileinfo.h>
- #include <qtextstream.h>
- 
--// For DEFAULT_SMIPATH
--#ifdef WIN32
--#include "../libsmi/win/config.h"
--#else
--#include "../libsmi/config.h"
--#endif
--
- #include "mibmodule.h"
- #include "preferences.h"
- 
-@@ -288,7 +281,7 @@ void Preferences::MibPathRefresh()
- void Preferences::MibPathReset()
- {
-     // "Reset to default" for MIB paths
--    QStringList defaultpaths = QString(DEFAULT_SMIPATH).split(SMI_PATH_SEPARATOR);
-+    QStringList defaultpaths = QString("@smipath@").split(SMI_PATH_SEPARATOR);
- 
-     QSettings settings;
-     settings.beginWriteArray("mibpaths");
-diff --git a/app/snmpb.h b/app/snmpb.h
-index 63f0d6e..c1da1b8 100644
---- a/app/snmpb.h
-+++ b/app/snmpb.h
-@@ -20,6 +20,7 @@
- #ifndef SNMPB_H
- #define SNMPB_H
- 
-+#include <qwt_text.h>
- #include "ui_mainw.h"
- 
- #define SNMPB_VERSION_STRING "1.0"
-diff --git a/app/snmpb.pro b/app/snmpb.pro
-index b6ee631..a5ff14a 100644
---- a/app/snmpb.pro
-+++ b/app/snmpb.pro
-@@ -83,14 +83,9 @@ FORMS += \
- INCLUDEPATH += \
- 	../snmp++/include \
- 	../snmp++/ \
--	../libtomcrypt/src/headers \
--	../libsmi/lib \
--	../qwt/src
--LIBS	+= \
--	-L../libtomcrypt \
--	-L../libsmi/lib/.libs \
--	-L../qwt/lib \
--	-lsmi -ltomcrypt -lqwt
-+        @include@
-+
-+LIBS	+= @libs@
- 
- RESOURCES	= snmpb.qrc
- 

packages/z3/default.nix

@@ -1,27 +0,0 @@
-{
-  stdenv,
-  cmake,
-  gnumake,
-  python3,
-  fetchFromGitHub,
-}:
-stdenv.mkDerivation rec {
-  pname = "z3";
-  version = "4.13.2";
-  nativeBuildInputs = [
-    cmake
-    gnumake
-    python3
-  ];
-
-  patches = [ ./pkg-config-fix.patch ];
-
-  src = fetchFromGitHub {
-    owner = "Z3Prover";
-    repo = "z3";
-    rev = "z3-${version}";
-    hash = "sha256-9OpiMhO+75aHo3Nf7qcjC0QBXxxcvT8t7Mqc8bnjZoM=";
-  };
-
-  # CMAKE_ARGS = [ "-DCMAKE_BUILD_TYPE=Release" ];
-}

packages/z3/pkg-config-fix.patch

@@ -1,22 +0,0 @@
-diff --git a/z3.pc.cmake.in b/z3.pc.cmake.in
-index 436dd6208..4aa515b4a 100644
---- a/z3.pc.cmake.in
-+++ b/z3.pc.cmake.in
-@@ -1,13 +1,12 @@
- prefix=@CMAKE_INSTALL_PREFIX@
- exec_prefix=@CMAKE_INSTALL_PREFIX@
--libdir=${exec_prefix}/@CMAKE_INSTALL_LIBDIR@
--sharedlibdir=${exec_prefix}/@CMAKE_INSTALL_LIBDIR@
--includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
-+libdir=@CMAKE_INSTALL_FULL_LIBDIR@
-+includedir=@CMAKE_INSTALL_FULL_INCLUDEDIR@
- 
- Name: z3
- Description: The Z3 Theorem Prover
- Version: @Z3_VERSION@
- 
- Requires:
--Libs: -L${libdir} -L${sharedlibdir} -lz3
-+Libs: -L${libdir} -lz3
- Cflags: -I${includedir}
-

scripts/dns/default.nix

@@ -1,41 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-let
-  pythEscape =
-    x:
-    builtins.replaceStrings
-      [
-        ''"''
-        "\n"
-        ''\''
-      ]
-      [
-        ''\"''
-        ''\n''
-        ''\\''
-      ]
-      x;
-  pythonScript =
-    builtins.replaceStrings
-      [
-        "@sops@"
-        "@dns_secrets_file@"
-        "@data@"
-      ]
-      (map pythEscape [
-        (lib.getExe config.vacu.wrappedSops)
-        (builtins.toString ../../secrets/misc/cloudns.json)
-        (builtins.toJSON config.vacu.dns)
-      ])
-      (builtins.readFile ./script.py);
-in
-pkgs.writers.writePython3Bin "dns-update" {
-  libraries = with pkgs.python3Packages; [
-    httpx
-    dnspython
-  ];
-} pythonScript

scripts/dns/script.py

@@ -1,44 +0,0 @@
-# flake8: noqa
-import os
-import subprocess
-import json
-from pprint import pp
-import httpx
-import dns.zone
-
-# todo: dnspython to read builtins.toString vacuconfig.x86_64-linux.vacu.dns."jean-luc.org"
-
-SOPS_BIN = "@sops@"
-DNS_SECRETS_FILE = "@dns_secrets_file@"
-data_str = "@data@"
-DATA = json.loads(data_str)
-
-secrets_json = subprocess.check_output([SOPS_BIN, "-d", DNS_SECRETS_FILE])
-secrets = json.loads(secrets_json)
-
-AUTH_ID = secrets["auth_id"]
-AUTH_PASSWORD = secrets["auth_password"]
-
-BASE_URL = "https://api.cloudns.net"
-
-def req(path, **kwargs):
-    auth_params = {
-      "auth-id": AUTH_ID,
-      "auth-password": AUTH_PASSWORD,
-    }
-
-    params = { k.replace("_","-"): v for k, v in kwargs.items() }
-
-    return httpx.get(BASE_URL + path, params={**auth_params, **params}).json()
-
-for name, zone_str in DATA.items():
-    zone = dns.zone.from_text(zone_str, origin=name)
-    pp(zone)
-    for name in zone:
-        node = zone.find_node(name)
-        pp(node)
-        for smth in node:
-            pp(smth)
-# res = req("/dns/records.json", domain_name = "jean-luc.org", rows_per_page = 100)
-#records = [x for x in res.values()]
-# pp(res.get("status"))

scripts/update-git-keys.nix

@@ -1,60 +0,0 @@
-{
-  config,
-  writers,
-  curl,
-  lib,
-  ...
-}:
-writers.writeBashBin "update-git-keys" ''
-  set -xev
-  domain="$1"
-  api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["'$domain'"]' -d ${../secrets/misc/git-keys.json})"
-  if [ $domain = github.com ]; then
-    url_base="https://api.github.com"
-  elif [ $domain = gitlab.com ]; then
-    url_base="https://$domain/api/v4"
-  else
-    url_base="https://$domain/api/v1"
-  fi
-  url_keys="$url_base/user/keys"
-  if [ $domain = "git.uninsane.org" ]; then
-    authorization_name="token"
-  else
-    authorization_name="Bearer"
-  fi
-  curl_common=( \
-    ${lib.getExe curl} \
-    --fail \
-    --header "Authorization: $authorization_name $api_key" \
-    --header "Content-Type: application/json" \
-  )
-  if [ $domain = "github.com" ]; then
-    curl_common+=(\
-      --header "Accept: application/vnd.github+json" \
-      --header "X-GitHub-Api-Version: 2022-11-28" \
-    )
-  fi
-  # declare -p curl_common
-  echo GET "$url_keys"
-  resp="$("''${curl_common[@]}" "$url_keys")"
-  for url in $(echo "$resp" | jq .[].url -r); do
-    echo DELETE "$url"
-    "''${curl_common[@]}" "$url" -X DELETE
-  done
-
-  new_keys=(${
-    lib.escapeShellArgs (
-      lib.mapAttrsToList (
-        label: sshKey:
-        builtins.toJSON {
-          key = sshKey;
-          title = label;
-        }
-      ) config.vacu.ssh.authorizedKeys
-    )
-  })
-  for keydata in "''${new_keys[@]}"; do
-    echo POST "$api_keys"
-    "''${curl_common[@]}" "$url_keys" -X POST --data "$keydata"
-  done
-''

secrets/liam/main.yaml

@@ -1,105 +1,59 @@
-dovecot-passwd: ENC[AES256_GCM,data:pcj7T1AKqZfMBGiHiihW0WxVKzAiy6xsGGlOhOV4IeHPEn+SXNoQjTQQVhZoNxYsENptH54SgWwlMETCcQrQzq6prrktlT3iZCnwlwvzaNRXrMe1mk/WT+OiTpaQ0PWGfrhVkQXj4bxWKCRc2i3NJxm1AtYfE0nNL/1dUk9rzwYTH6zjiQFYmZHbwzjtxiE3YbZCwYnpNR3Ql08S4kNf5TtsecFtTY1VOPFRycjEfIIIUbVLUM06DZ5savKVNRdgaVMUuXyPoOxy65YbkwZ9vkoBleRShY0v6FOgG1YLmQmr7f8QtiHlFbA0NJ0vUkg8bgSTsw27jC/JQU0qTSNVrMHgzfApw6GUQgGTYZK24tFCVNBJ3sxvTbuVOcShy01yJA==,iv:5gTo8ySgq//ZaY88F7AcAa2CEe2hXR415EqqSsYIbF8=,tag:DOf4yEXW5kzYAL89KQOAdQ==,type:str]
+dovecot-passwd: ENC[AES256_GCM,data:cZt43pgPNbORpqX6KyXvzVt1Q8tNz1cMF9YVUyL7saZyFqA5XA+uywU5yVerjdsTXfx4QeoYbA+bDE7qwdjTQBpEoEMm99WBb77rac652VGXXCas4nrbwMmZbUY2Z57PKd4GPN/i57VAD6eHiTV8HCd5OwiX7AlpmHXImgL9jr4P9skyTPIEnLF3NUVxktmAjn+X7IwmBH1mtn5Gesc5Q+6hoTQMwLn7ilYWfcOvaf5UOsHS6zvuTlGPuISaLPEvx2CLBccu7I38kKafCLTc1FOhdrFRu2n9/6gD1yIxUnbCkDWpcIV1e/3FlU5aQM7c7duQFVuIW9KpY2U0R2Y5Miv0ciU2D1GaJWMud7S/HCxPrQo=,iv:Arppozvg9+bjNCIJl7kRwbwGm2fuf7CjBfEfDT45+MQ=,tag:+PeAznYRW9S0Ok5uEn/qpQ==,type:str]
 dkim_key: ENC[AES256_GCM,data:CZC/1U1cJUIyNhXAWp+YFJd0pZZKvZClJxOh3uZ3YyfEQBiK9nEQryAJHirpFXAmZTcGhsuotkAuJvVQtoh/pM9YGkrncCKlw+P96hiafHGoSOnqd77DazcVERwGEGYBPK7fIZfhpAaYiIvjwq6FbMzkkZ4vLcYRNRj+LCtrXu4K5cy5ZJaRFkLCiaIVHhrOfjyhDFCkFBd3pZ/oCGH57teisjFl+LWFqGOQFyGs3Vkv0bY1fUTUtFvpYcTdrRe6A7yI3OGveX3Q9JnDKD+PBqHhd/a/OjBF0Xme6BeipRnv6/Md2F5LNDfUWugOtDy0xigtWAp/mbVel8GYgTXEQYv+sxVu0kFM7bX8fa/A/BHNx98HFoScwLCt8VmCc26asfGvGFfADrJMBIk2IbmqjQ2NV7/ejB6Zym7tjLLpYI24LBAyZDH/Rtw7CqGPmpHXCQ9xILFxLMdqMSmgPPJtF/75qFICCQH2p3CHj7b/TmTpu8RLIVu2pxG48u4VnUgJE1zPBeaY5EY1uS7L5sF37CI+vMy1mY/3m5ZsWeOu9YigZouYy/Y6OrdtOzaEVaipQ2cYirD00MOYqO57izmjuUdw47OJ5zK7XInR4MHoLX0PfdJiw5Oq8OVir6KJf9UWPSXBbSZlj6PMkqbvQ+7VWJmDT0jKTbRg2M1eZCbcRrJAnE/YenMqYFXiVY1dOGjcrrxUn0zcnJ51UJmfDU2+UQc7urBVtqm7jfegudQ+Em735ynclMfYRWvRXQGQUm2YCUFXTwd6RhY4hHb32j6x00hi6iLjt1gjlMx8pHAcVbqcOdHFoLvNe1DlBsl/7jmL7otyY5m1VF3+H0tksDTSYfil5oudMEECTPypsZfp8iLU4xgjuh/+fXjZf4hQJMiA6OaGMw7R2cwvfiuSaHL/iz57ZtlHFW6TMWK77UBU2xZACVfylnqEaaIgzhYX0/wAsVQI+gqt03EsUx/AqlCFOCrOSwjov06k2bTDzSDcITayLkf9UjwOo/lmRz+7fCfvCaw26wZCEsEtRBfLrZc+Ibwq9uvNDsrV1hthi0qh1ngZonQOA1Y2NURDom3VMKkfu++nFIV+CGrAI5n0CVlVLkJn4RbPCDcmNGd9Kr8pYv7rU4MnMmD2n2M1OzAJbScrbb+f4Z8hEOIUk0dMVxOr/clrg+7F3vqceZC8VTzBbBAH4QuBAf67VwmZTpDB5bobFv/UwEC8pJ4HWmKcBN+s1QihtD7x+WYz+8pSNucr+oN56fiY8xAyvFFyTE7/zNWlXVi94E0is30q3/ZB/Gog5eOQT21tOI4Ak0N4y+ElfNIXSqtEUGhck2DIjfegygpvwiuu8ktEZwje9Q4SAYK8/0THT8ANyzDunwSocMdztL1zF6/ZhDub8hmOuaRJWotXzmL/zCXSGR0nEPXVSmyXKwHt/4MMGkasXOXetrENKIwDqYdm1eZBMCl8EGnyAbAo21LAfVTI0GLrNoFWNTPkpBIo3dKoBofmdRei/jHtQmBtvaILUv6UsIAyjJ+x2cpARW+yMIrv/0g8MnDMj4cCiIFk+AIXI279BvMrkVP1cOA7ESJkLe1hsL6+b7lmrhAWK1cpDnIWTXJG+v9aKlc0jz9D47gr7kD/ePC8sMaI95aQBbA93ftzYhKzsU9hINsU/IKGmT0rXS4j/BPZ0o8uC1HRaMjdE5Z0KHsebS9tn8lXfHFgX5wTDMaES9h+usUJrjc6F1lj2zYP5oTOjM8YmN6YQedo3wmi/PnA/8YMXz0tRFAZvg8VAYYtsfdV/2GLtjfD2YRK3iHsg5+GSEwqFafmWGgr+uhsl4JmKiASWJvx0Ron8RwdEzK2MC6WD1JERLU4UojOfx2xy5v15eveNnEufb7o1MJSAbjuRbVYiABqNFjIwe9hquIyTYVsiqiXi6fLeIV4fsTtiI5LLKx/6dOw31nFg/WfFWzvzLiLJ6b0NZowECP+Rsvzl3U0Qo/LbePyY/o8UYOo7u1zLpzxIOPyTqdKh64WqGYnqXmWy1ga57vnyl9mWhzr9ZlEuhM+0U8bVelIXmLTZp1Nredrs8E5ERdVnKmThbrLr8GvJAl4B7g5BIrGhSBB841wMm9h/SheKdq8SN9gUDRNgW0QNFkflBhX5ZsAHlPiJxddePbbAxfChv+ClG0oDuFDoSwSElCRR9GRayLRiws6CCDhviU8ub5JApSPTI9p/UjSJePSj+GqyqljTge0J/wgxRL2pAHk1HDQyOnv4kFZ5UhMFjU6GvbuPl2W2lqICJOcK9UuKdvivGsYkSSrOfke3mZMh52/f+03ciZ4xlwjDGV91kGONq5GME8dFEPD093xg0KbScfWanRWSoV3fOxitPWpcJ+xuNnDDOHjzLOYgt07u1QQs62rg/6BII+1XKBowLwG9Z5aWexZ3yCzrOR70pLRWPbOJNCAggEIaTkIa0ukOlaPbGzSZ6LuIyup7ex0Uabd2cOuvmAdMqGwnIB7fhtkdR7G4iDbnUqu7hbFurJn/3IZalJvbyZUuvC5X4oGU/CTWzDtdSgv5jQQ9qnr9ehCNCWjdg9T05v65XsW/OwHnRUN8A+1vxBIZ884lvFoOhJYeKXMufdAg4bCzUE/kdctRPwAVt3OjLnykXYcJV/3Ch+YIwv2vNA4pXqsMw8wgxX7DCvrCrVpkZAC1JIE32aKCXrN4tRUMrc0mnqUXa9M1rc6HCGa/vFCMj5ZW8xP9mOG+HEJFiJaV6ydxvhI7NMyXW2YDSxVh5RMMjXHUBq/bKMHPrLN57qmzvtcKUNcmS+VTvjS64wZlUsA1PEVwaJ/EQVAaY6ZeZi0CJ2A3YpklXYJpNqYhv8ICtFK2Uf6STfNYGaLTW2bgfZpWhic1y/V4wAWKa5A/XALXec+ioFr0foQR2ADiUycQYhMLZPSKPnWhcmwUPY+KPrjP11raVSM4ehtKdDlrbL3vmw6SlwowveyC3aqiceYzISWAw9o+ccvLs/bedEBeC2af2V53/vIuN4XYWjtZArRyqpzeeqlnTOb7vhpI84plXJdGHlmw0bml0yV3r3ucgB50wbAMRvQtJQ6ePPfOLOYLpDYFLPZJci8Vc3vRInskPOF39m9tSTT1noUSRZ3IxGi4LiUT76nAgI8BeTp3bqNuA6Of6I4yYS4Jmmby5C5eel0Ozl3gkMk1xuM5UTwcE7EDkr9rnzxs6rbx3CpQB3y6QB3tAe00zPpMm5YKJq1AKqvSzPco58g1vVu06e3l+tcGyt85t5wQTco3OX2kgBBxsiA629yAWcSIqKFZ+o7nTpA+zZmQrjVganWflbOhVNkvRSkLpThkYVlnkqBU9ixzQa79xVOF3WmNYBhdWfnO9VxFwE4MqgpOyL7sz0PsV5/ZsOy8m7DadM3GCS2mFtWZiM1RnGCayZvyY2KFNj3I8qM1HGMMfeF+3KXjyCBSyBkD25in85M0QaPlMzBxFZupSoleJLLwqd4BfsLk+POiZjLQQseSDVSqrjqWyE6d+baiy+m6d+z6sx4ojRf+q9wlMjZ2oRa+wsLnhbCrdHsZi6Q9eZawU6Vlsy3/KjarJABnapJsMbHYTlwPHlPYU6Du9T3lO2aJuTewOzA42Aoqm2Tlm4xh0GRV6Rx7najkMjc3cex1DAu0PNaFzWVBD7yPuv9FS+DzdEneEj9Tx81v245I9U8Oc6yacu72Ry2CG03ONld70oEU2BHrIgswoyMNg72hnhot9jfDutjJrB10b65pP5WZOAUGtwDh2a2KrdnYG/TGId+ehnkkwS2Sd87/CM4aaSYlsVneId6bXYpUcxSLroXUAHsigA3rjMpNpvR8XRiQZUfLWRQ+d8gyL5PVLp1H7R6LEDO4sZP8IuDJfxDzlP0Rh6GOQgu+dlkcxWGVHQxcexBThMURJYVMhTDoYopEfUqo3j+q7Fla4Q3HdypKg17VyVfEA/J7Nie+eDZvTEuvX0jWQmGAFdC9GbkVuT7hlzYx4kZ6/B81kVyQi8e3L3ZBAYHQXbHeK4GhSWQDwHG6ZBU16KrD6dhjIvn4HlXaGYaPMvv0Rp+yjeiur/n0NOWyvx0R1RrksbsyeaLIEDhOS19wXP4kiDrTR2qJN4LHcWu3m/hYuB4Fj72qyr2K7osXvbC/up2bSpY0IOcei8Nc/hIhqoe7uM4Jg3cpXt0hTpcDZ74HNIsd/6f592BqpoXIy5Cr1ZOxmnpkHdgZIyJ3KqwZEhYa7pSkOIIEAY9EnTPm3ViBHQdqjUpghYNzntO8EomNNw0sXUFFrwlGAY+ntLYUty0kREWt4l8Iot+XblCc8FX1gKYSqhnJOGjHHjOHO22Cr6NPJdcHfgkIBCknwwFWWMRPwZOomE=,iv:7LF3l52m6YRKGd/8rxDady3AbSEcXuVRsIaLlgNfKOs=,tag:UCjMRgFZFHQyXY5NfbZRcg==,type:str]
 dkim_pub: ENC[AES256_GCM,data:XLYRTAviK+r6DnRU4+lc58elI3FJ+FPsB1A5sQOk+pb+fNu7zFCiZdz/MwTVkE9izDP1Onv+VhV8sRgmxacTv4nW5GcukCrm3FmCp2jm6QF1/40/WRv6Lkbek0tV1bMOQPy9Zj8wdO9M05XCXUVXk4x17rj+lw8ApwJS2pJMoultMFx34tx2pNEnmO3MFtuBOxzeU2yP+NhF2sJNA62to78AiH5EblkoF0a6sUYk553U+sv3Ob0lo1nSv6c8zwl7y1WSNQnLK+/3WxSVGfePHVsVM8Zze1KFTVLQQggIzWTdcr7AgcTGbk3kaYCeucfQ60pVlqOyPnkJoUJ8HR1RSajFk6Ylzw0xBpY85qAXNT2YIRiq0HTUc1s5lD0luXLQEP+g+XUwZfzFRZgt1nWBlPmpbj2Ylj1FfrA7EXsIK9nyo+rf0qRn/4HusJATr9ddYmZdxwazl1FXkOKLHPyu1NlzwoTNSQQgMHlzxzUvrrv7+mI2nQvXRx82TSRytqrMvoBTF1NFX+pRjhNg9fcq0oPJ2ORqOVQsxzhLhB+tw7Cg+UHGWlnKnkqaKH1JDmOFyJDB96aPUnSQT2J8qkyb+hMBXz9mme8rZopkHrA4WyDXv3zpEi0P5Sj0DDwdRxKMdDdZ4hw79YQIrd63cIorN8XG6Icevb25LfekLEq/C2FS8+kADagyOM0uzCw2p/qacNz37ZNGqPK6gYkjnyoAfSm14zbgoLX/5dnf7eCuMatevTm4AcE53RawQfzz0YNJuEv5uqD/WUy+UIKHIwxPYY9FWBBPmH+8eaPC1mMPh54I444b39FwpnPU8GwxEPsjRg8TSnohawNmmhEWEpmlawEKw+C+BE6A2DmVJzyeBvVRwe/W6CPgyYxgSGWUuvfZFm1GrzwZDjCOEMRn7qMwMBxh1nr2BOAiNxA38UtsymaZO5ZOknClWlKIkIFl8NJdVITNNsI48KMuSY20o1puzkxMaAUH3OrGEhtoHrEOeIq+KCFzH2gZo6L5hbv9CHM7QgCYsbtVIMwL+cRZZaSNubS3K48OmWJnHNuqkcrSI4lqfjLhz1DbnQ==,iv:/cNMmlpq9LSOk0MwVq8NaWvp47q68lKWTx4s5nkwF5c=,tag:ZNX+yZsSxdhFsavDpX380g==,type:str]
-relay_creds: ENC[AES256_GCM,data:yWG53NaiA2s5aUudZWecDS1+fOURTHd0D0rNxZ9Tud9TsTO2F/6+5i3vRz/4qP4FoBexEVoW5Xhkqo8o8OaGOpZHh/Nla7TJTnaSCgJw9QPfFoRNiE9f46LytXYThiCGBdy3Z3gtNmSX5BQk1zNI1TiHBFG4IYfauq7e6jJ4Bp/9z3LRknDITdlLjzAPjIO5kUG95IrQQCl3SeAjS+LwxPFRuV1+zWNdOXJLmSeWv1JcAcyhkwutMhQYRGMaS09bbXp29N8DX3lsAK9pYZLr5F3gXwOrZN7nG4+K0KOqfMI4UcLpIOlCPdj9XjgAYcWC+LL5bA0W53e7je3IDVebevDheKPowKK/A6le2TfqXKfhOVi4qXaEsjOBIJzLylOqXoAb1ZCM3nTHCC3M/r3/il+6RnFgISOCHezTiEYM,iv:0kAJzoV/HEIRuEAxzWAaQqwlzWlBSwklipWquF9WeoY=,tag:SCQOQCXm6kmLSYhkT6dubQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
+        - recipient: age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNDFQQ3lMbGtBVjdBR0t2
-            MjJvcmpjQmtYR1VkSVYzTzJFZDZibmFKc1dNCkZpWUsvcEM2MnA2OWdOdXVsZzJi
-            VjFDOVNjdkVIZDgwWE5pQmpKWkxSb3MKLS0tIDlSbXZFY1R0dkl3NHdvSTlWYTZ6
-            bDV6UGVHd2RVKzVycHJUWllTMk1HU2MKkDag+K62PydC3jcvLaIxy0vOuANbA65P
-            hzaTNzv8iotafjFDYLWim7PLnxv+IeywKoL+Pnn4o3+e0617omx1mA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3S0FqZWxDYmxHYU5FZVQz
+            V2FZMFFSVXJubVRaNDZORDJPSXhHMnludmpRCjJrendscEdqU0p6K1R6eE9FUGtj
+            RVB4Z3dlNHlBSHRhZ0ZMODdDRkN6ZFEKLS0tIFlzUStVWmhlYWExV1JscHE0KzhG
+            Vm1uUmhQRzAvL1YzTWVVbllRUlE2Z0EKwg6SBat+CG8E7/j7K0sakqGSyJYNzXqt
+            b0DMsGq9GnHE1Ph6gGVVWO+pos/FGuunSDyL0lcXk9xJE02FErnw+w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNVl3ZTNGWGdMT280MnhQ
+            R2RHTGRWVFpjMWltMDVIWk1YSUc2eEhjbWwwCnNiTjA4dUZuOU1tNTZtd240VXpU
+            c0FKY3VoR1dYUVo1MDZjMEJ5MmhjeEEKLS0tIGhuT3k2VlFpTWpJdFJYM0JhZWtS
+            dzNFb0FDcERGTFVUOTgxN3czTmRUME0KihoqiXkph3sNWTwn6tFi29z9jnht6JRT
+            zOMNiaWjMHQ7GiR+Yv1JMWrEvKRrEjNaFXt89z0Ebx4llTtyH8W2fw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWE91QUFmTzdEUjJ3TTFX
+            Y2o0Yy9BZjdkc2VVcis4a3FlcDVScDF5eGwwCkZocDFIN3B5dHdNTDNaVXI2WHBF
+            dDVXMDdvOXVBM3V1NW01YngzclJ1RXMKLS0tIDV5M2JURHkvWWFlbGtUNEhxZ2ZE
+            RVlDMDgvNVFOamlFR1BZMUtrMzJ4N1UK6r7QbX3nEBu+S8e7oqCk3ys6hqXHkyW4
+            z4hWz1rr/23JpGR2ENRS+DpHRCRo4KKRhUx2hLc6C2XijNgD4YsUCA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbWUrNTN0Y2lzSjR1ckc1
-            cW03WXZFVzBSUzdpUzVLMWJzRjhqaWRFODFBClJGSno0QUpQaGpVSzJ0Y3h5eXFj
-            aGpoNGIycG80NkxhWEFGeU9IMk1tWFEKLS0tIDI3Q3lHNGI1VWJBcFZDRDBqNGpD
-            RDFNajdSSWQ1ZWNNcXl0T3lLcm1YUWMKm7w5OXFeuk7Sby68ODrk9EC8SbvCTxoO
-            oQueOepqeeh4wip3SQpHACvtUp4s85M6ZXE96uYioRlzy3zg39tIpQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqelVSdDFFcVZxODBiVkEv
+            QUhYUzM5SDZLVWQ4YlB2UGorZWlidUhIa1N3Ck96TXFGTXBtSVFLdFY1b3BKK3g5
+            ejZFTkZOTDdqdHFsWmRKNEcyaUZZWW8KLS0tIDJtL2JaRE5XaHNvYW9HMFYrbTFP
+            NUFlUTVvQVdiTlBZOVZqSjA1ODNhUHcK8hnqUuHjUgjF8nbZgY4BTkk58BbRCYWV
+            NOPw/jUdEZBRoTJqoEdOLAtW/x1h7Xo+mpVuDW0K7h07LiaU7FL8xQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
+        - recipient: age1hkve3khk7fthyrwxjqdf4r37lrqpmnkz6mke7psuphvu2ykynqaq9g6ja5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMUVLVWpHaksvZkJIb0U4
-            RnVTZ0k0L0VlMjFNNFg4RVZjTmk1OHEwbGpnCkIxTXN5aWMwTlZEWERYRXV5dHEx
-            UVFVVEczRFhWRDJPN3g0QVh2NXlZUjAKLS0tIGNRbkk3R1RYVCs2Y2x4UmZhTXdx
-            UVUrQStXTU9yUWJ0SnlIbDBIRUdSb00K9oPKVn1RzK0DVtaeXnfURea9k1lNzpor
-            3ex6hSyrfzNazFlInCuptIFIpf5o1eeiiV2PL85w9wvpMh4MEG7peg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UDNVSG9Fb01YSWJTdXRD
+            UFB1dWhpRUFhWmMwTzdHeTNRdlg2YXd1ZnlnCndBRXBpMTJWdFRsMVNYeDBBY2g2
+            ZEZKTEw4dHpHSlFNT1BsSXQvaCs4MDQKLS0tIDg3YUlJYU1nUjRTTGtIeTJBVEhR
+            SjZLWG4xNmxoSmtaTFZweEd3TDJ2QUkKcI4MdgglGFJT58ugHebiE6YQUehEomnH
+            qPZdH0SZAtJxBPqt78wJqvndR5INt5HBmLtXMDLLEk8o43lqfIkK5Q==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MHUxcU9tR3JKSjk5TGRm
-            c2I3S0lrV1RJZHFkN1JyNHlqc2hXbGtPVlVzCk9pMmVRdC92bld6SW0rNFVyRmJs
-            QmVOMXRrb3FvVUNUYnVuczg5MklEL1kKLS0tIEE2YkRmeWFONVpDTk02S3kwSWNI
-            Ty9PdGYxUnRNSUIxN21RWWJUQnVqWjAKp1KybOk5/5xHHggBwE7zyuOw17GwxPCw
-            UR2R5wuc0d1Uyb/z/QvRI4lbpjAhjb749JgLE2IYTYLfPsJv59K8BA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2c2cyOWh3bEtBMUF6a3hx
-            UjVIYkN5cE1ZcWNZM1V3Y3lhR05JYUt4Q3djCk9XNWF1dnhveVlLNWxJSVcxcVRK
-            V2d2aWx5ZXdrYUw0TFN3VGVZTE5RTTAKLS0tIDNnWm5nbDZUbmh3QTBCWXp6aUE0
-            ZFhoeXRTOEhDT2NpOXM2L3NCdVNEQmMKBp4e23mcqrJdlcqbf6mUjitYq7MxkeoX
-            jX8LQTucw9dhLu/SCxymRxg9/Q2+PfhUvDR2L51tdlbr77dRhic3/A==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vla9w33lsp03s46p9p6gc2mvr844vthdqhc2hzau2ph6h60gmyqqh9sf57
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeWltSkV6aGJ1WkJOVTBp
-            Q24wMEFuWlVQYXMrKzRrSHN2THB3TWtYQ0VvCldHUmlpUGdNTlp4QkluZjRzK0J3
-            U0ZGYWM2eFZyZHhuT2dWSnBJdzA0dmMKLS0tIHg0citENmY1QkpXNURzY2x4QkZM
-            bG9DUTFkd2t3YXFXVElKK3JsK216Rm8KGvXixYViOUwrVarBMZeUI5HlCBtoL5bp
-            7uZ9JFKQMh9EtiUk+Pr2xr4r9Mah0Gk3AmmVKWvaQaC/bkEIhe30Eg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1jy8mxcndkw6zd6q99tjgz3gsynn78x2lwtrff85u6ud9g9y9z5mspvhufl
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYmhVb0FsdUc5RjdPWnA5
-            ZmpaMi9Rek5WM1AvSVl3Nk1maG1YanJaS0RzCjM3VEJKM3dVclZxK2FSMENKTUUz
-            d0dleUU2Rk5namdUdFl4ZjNSM05xdnMKLS0tIHRzYldRM0I4MytMcGFMUnZ3QXA0
-            MGtKcDMyejNFNktCL2I4RUI3Qkk1TWMKsxjqBw5J91f3T9TDHNAKFI2cTT4i7zJw
-            N33KbrskOaOXjCsoENnqdRl9Y7v/JbOh5YQ2/oPwZEfuwgHG9lcXqw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdWRCdnNybjdzSFpacjNj
-            eFNJNjBzYmpsRkw4czN2aWJzSnBDeFYweDM4CmZCcnZCTEJQTGtoSlo3VW45T0ZJ
-            bmpUMHhFMy9mSUxaTWVCcFBnQlAramsKLS0tIGV3eHcxRlJZc3BxQUU3TUhsRVAr
-            VXdheGpVRFF2UFBKQTF0OFMrVzdYcjQKaEs1irVwO0OoXbBhYd1AgCCPPF3sFH3a
-            go3jAHOCnwkYQMVRd24FGZx28XuEgeXQALk7JqEEy5eCS6nKDEVqcg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcWZxa3NHR0Z4TmlNNHVU
-            aFNvN2tycVd2THhFMGtMckhGOXBuZXNMSkFFCm1VR1ZwUHdabFdBWmUxUXVxTVR5
-            eFVvakFDZUV2WHByU2pRU3hrWXVaMGcKLS0tIHRjbElYOU8xaW1lVFlrL0YwMDlQ
-            MEwvd1RQd1hlNVNZL3VveUkydVNjVE0KFsyjr38WdXu4R0038Dum0VeVw+LNcI6q
-            4R0ft0KsfLLmPgoNIdK5Dq5hUxyGVe8Ej/9KaN0UrqIRsLHCHimYyQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QW9yVk9zN2RrZkpTWXZU
-            U080M1pDdzV1bDFSR2UrY0o2dnoyYlpNZXc0CmJCSE84L1ZRdUVZc21GbWc3cG9t
-            NHRGQUFVS3U1TjFVYWl1Q1FyODY3UjgKLS0tIGhrY1dMa251R1hCc0F5eDhtWnc2
-            bXpqNkVobzgwMHJIdHBFZ0xDZ2RzcmcK0m4awMUrdwYvXO14L1hvhcaGgLOW3FCq
-            UU1Vc/vX32Lsu1BN4aXlTZ1jHD6R6CnV5TbUTcM/jxFRKoRzDwdJig==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-10T20:44:49Z"
-    mac: ENC[AES256_GCM,data:tSTKCP7HUUCSCrbeiLutPghjfbL9TsxuCmbARUqwQBH8pyeOsyFHyPCqmqjCDSu2ha0QTldNGM9baiIQa/05DV5KNmFfVuoWy6dd4/3L5yNd3FPkzR2SvBua1g09YZpC1G2IaGrOcqBEOY9baILeBGgXfxRtcpMVAR2C3bOqJyQ=,iv:4phBdZ/4u5DAbUn4Z7pdrJym+iG9oxZSsIPZqoDEqco=,tag:RJn0416yl+0FV9bTu5tA5w==,type:str]
+    lastmodified: "2024-03-21T22:00:22Z"
+    mac: ENC[AES256_GCM,data:wnRif4PVGh1P29ZXv1XPF4GdFFhrsRkYmdlun4WsLDFs0Y3xIjPQRScAbDzPnhY6vaiGKZfx0+RZHHMMFyVCz4bmo85MzGuF9H2QECBfWBNgCNCKXqz7pLQHA4c0u9jiatuc9PVc42RokJ+rITn1cWV9tLGot98ealpYkJbN91w=,iv:EL2Y5WZtWB6IRwnrGmWV5QO3XiPOB8IJkATbZTY1/oY=,tag:/z3ULuFshOw/ed+G3W8OmQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

secrets/misc/cloudns.json

@@ -1,53 +0,0 @@
-{
-	"auth_password": "ENC[AES256_GCM,data:UD8l+CrofmN9g439uTOtCyP5378VX+f856dxuFDTzfCa8B+7,iv:6hgG+py3EC4cMLkhG72O5HJfbQF5Q+APq6wBsMQVRjw=,tag:KA4AupZKFdHEBzEBnd3/1A==,type:str]",
-	"auth_id": "ENC[AES256_GCM,data:4cBXpVc=,iv:WPh6+xp02CMBohmxWu6UdNA3KMRSghbSQYuU0lZyUMo=,tag:+zU0EBEwLgqYC0NmW31Qtw==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YW9haUtvVVRkZWVqa1Zv\nOERucllIenc3VFJkMzAvM1paTWxNaVA4MlhRCmZVNGpvdmhrUnJDYTMyWExNVVNW\nQWw2MDBPUnozTWpzTERiaExYVkJUd0kKLS0tIEFPRUhjZVdBTXZQdFFUQ0NnYU5P\nYlkvaUgzQjVORTNvTDFKYXJJYW1pTGMKW2rUNzNWsvQ9vzf+jwSBOC8OjVL30HDZ\nK8QC30Z4PUtKTk5HA7KcFfGVT8UbJc6Z4IRm6dIV6lczmctZiuAXLQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdGxOMkNFcnRWd2EzaGVV\nNGdxTDUzM1FnY21tUUtJOEhaM0RFU2ZZbXc0CkIzVXBNY0Z4dmlVRnpHZGt6dzY4\ncW80b0lCdCtJMnQ2aXJyclpiT1BlWG8KLS0tIE4vV2gwZjBVSmc0Y3ExZUdXQnJL\nMU9EOWNNRDJualAvUjNOWlZCMjdHSU0K33nP6rM7k9er+8gC2cozXF3M7WNAPb3y\ny5ecWeGnIJe1Q3BwpqXUmxWswE95VYq6g4RCJ2TbHIJWgK6HLJoamg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzM0kyMHZ2UEpaYzMzMFRo\nV3IvYVI0RTVUM29pSnhYUFBpUlVnM3BUcEZBClpCL1c1cmFaRzZDU2tQY2hJQzNx\nb2ZvdTRBMVNTS01XdTJiYnljMzhiUFkKLS0tIGFuR05CYTZhbVdZMERCVUcrRTFO\nQWREQW9DU3pmOFRJczVBdTA0VFdwZ0UKuhijkZjfHrOrQ28WF0lsrh1YYcDjohJF\nHimoJrsMFf21bsWMPGsRXvvQWouMhhzDtp3ZzaR/jhwzqnNp6I2gWw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcHlmTVJ1d3ZRc09WMU5p\nbmd4TzZNVisyWm1PZFBmMXpBcmd6N3ZmL0JBCnBqZzZCNVFObHpZZzd3cXBuaEVR\nZjJCdTRLalhBTnpEN21NYzRQUnFrbjgKLS0tIDJIVDlFZzJuK1pnYklaZnRWOEgz\nNkxLNSsxbzR4cUo0TVVsajNLeXZvZEkKCqo8Hw+CoO+lpKXxI1+3Pkw6iNcaJlzU\n7HE78dhMH2C01Phn9BOFY3FATxo68wYxzLWUt90iGwtnxT1K509GGg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1vla9w33lsp03s46p9p6gc2mvr844vthdqhc2hzau2ph6h60gmyqqh9sf57",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWnlkYUI3ZFIxR1dBZzNi\nNDRGT2xIZFhyWCs3SHk5Q0toWmZUc3F3RTFVCnZtZUFzNDdOMnlQWVlYVjJnYlJN\nV2xXM3F4N3RVTzVFZE5Zb1BkcjI1cUUKLS0tIHdiQTJTQlpJQlNycElCamN5MGth\nWnNKMnlEQTExbis3dktsWDliaU9IelUK/fxqRPnRbD+KCvYMI4m5K17cLI2/xEbL\nbsGdj8E0TAtzqRL4iBOQfb6xJC5AqcmHEhvFnnxEouNUXMsw5/1Ggg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1jy8mxcndkw6zd6q99tjgz3gsynn78x2lwtrff85u6ud9g9y9z5mspvhufl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Zi80ZHU0WnVjMlpycVov\nWE9UNldKRmdMR2xkNVNuQ0NPWHNzTUg4cEU0CmhjdGhEdG5GWkxKUUdRUzMzN0RL\nRHo1QkdSaDNxTy9RVDd5TGtpZUpaRmMKLS0tIG1TTFdrNC9MREd2K0NIdmNscjB5\nQlpGMVdmK2wvQnVxMXJkeTdYbXJtZ0EK12lVIHRp/GxD4F0oMsiOmy4RC5iJEkle\ngvTGPFJkiJJJe36vMx34WdKq++6fwma624E75S4P5qmiVIeadDihGw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYm5Ca0NId3AyRUwxRU1q\nR0NvSUk3YmJvOVRvbTVkVjZ0ZzVxaEFtcGpFCjg3V2ZhUk9RM09ZNVRGVEhUZHZ0\nekNid3NtUVZyTTlZSFU1QkQ0amtEcUkKLS0tIDlTdTBpdDE3VHkyVHhHekZDUEdP\nRUNpdm9ENHhCWCsxbk9aOVFmeFBwUzQKJzTxCMPaYYsmjoGyEbuimDWpq5Oq8oMx\n2LXkQHYdmBi090o4ocfkHiR1SS3w6XNI8IBcQK1flobXYejI9E5yKA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvR21LYis4SXFxcE1PeXQ3\nelpxRTJ3Y2svRnc1ZTkvVk9lTUhFSmVneWc4CnJMT05ZQnBySDBuZ2lqcnc3eHlv\neWdKUi81aWlhY3pySzhoSjdwUlhMN0kKLS0tIDRWWFR5Q0oyZ09GdlF1a0JmeVdl\nOTV4TUhWdVBVRFhxQlB0ajFSS1FnNHcKMq1FSE3OecwHopvkShKQYSFQihzFkMrG\nFRpPqWcUzaXpib8f4YQrYmLJiihGCpfovv5+NHEQB8BMEu7UNY/emw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YnJVMmpSNDlicUh6UEJR\nL1JUZVlxeUhmTGpUeXNtUmc2NmZGc3NObldVCitHOUgyOXFibnR3WUZRdjc3TExZ\nK0lxRUJCY3ozZExlNzRack5jTTR4aFkKLS0tIGVoOTRCNW5Yb2NVd09ZU0kzSlNV\nVWxuYjVCM3lvZHhQeU05R09WNWQwU2MKNM9VU6KE/0AUzww/qdMQoXMpZ9MT5rIK\nOvltRcVvQR1lZqiox4W1zYfw3JTlficQ31C+wSMHy4aBSlnik7hzxw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-10-24T06:58:19Z",
-		"mac": "ENC[AES256_GCM,data:P5ipojcOVW0V/4J7Txj9v4RONAzqIIG71guYkqHZ/yJNrFIjVn+db3qLNbNmeKz73rbPdXYpZGM5dIwXiF9pzLAW+t3pYABGvnBT/l1cN1tYS4BCs+e6n0KqKho/Aust/QTDIuYkoAyRwD7HD/OXW8V5SJtiuaqAlX9gzDLILs8=,iv:oUxrQbPTgL/RfdGvw9rnx/mU4RklD2uet/3XRQH0pq4=,tag:wj3ehRASFcW1g6Yf8XxSKQ==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.1"
-	}
-}

secrets/misc/git-keys.json

@@ -1,54 +0,0 @@
-{
-	"git.uninsane.org": "ENC[AES256_GCM,data:g1oZA7s16sl6tBsUy+aAUChYBomgxht08dzghBakmJ/13YrM/Pf7WQ==,iv:v3CXUaLwIdEtg6ZWiCqqZ1JSkWOlnWnGSOzNVAx5gvs=,tag:jkQGgxRMBggokRNUdW2jLQ==,type:str]",
-	"gitlab.com": "ENC[AES256_GCM,data:A2+dsAgvVJsqgGOHcPsw7F5bSTg8H3icd+g=,iv:v9QVy7vP/XEHw0lHBjedvWFrsGvyDlAEF+yFL1voiQc=,tag:0kqgQOIn90MBjiNRHjiRrg==,type:str]",
-	"github.com": "ENC[AES256_GCM,data:fpY8KxwIYGvIWAHKH7cmwCO4j7fPx+625Buvhu4OdJIpcDXJrpjTsQ==,iv:4W2YvZ01XjzJUX3yXx9H+kxtylYRma4wA/YWL2W6kPc=,tag:WswVoBWgzjrpz9nPQfVV3w==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VzNHZnJwVmdKNnN6Qjc4\na21FT0hTR29PSE9PR05uZjRuTHR2TWZVK1Q4CmQ0c3lXcW90eVhtVlk0Q1NheWRm\nUnBLS3p4RXVUZ0dneXM1dFNRLzVlUGcKLS0tIG5uWE1NdSswU0ZodW8rdEg5ZDZw\nQ3J4T3ZHcjc4YmpsYmVnS2w1VzRKOGsKE3QwbGADwS/pbnQrtmaZ7w2oVEBB4pPk\n+ZMYWwEF80FF9iCRnvb9qotKRPDE4bE64xgv+eAP/fuKSvENb0Umjw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TlhYc2VieVZrdXQ5M01j\nYjNwMFJKSVQ3bkdxQTVYRmU1dHN2QUd0dDFNCjg2NnRLNVFYK3B0b1F0b0huLzMw\najFvL0E5S2ZuWWwydmxNZ2xmZFUxU2cKLS0tIEp2YzlqQmFwRysrb1N2WjVPbXRJ\nTkMvMkFRMlBMWjd4WjhKZy8vclFNRUUK62LABvyUbhlOrWP88CbCG9gTBrGPUNiZ\nz+/fheIYKQdvgZOWJsa/TsciaBPPdm+XF4Y+zc6Rzrd0qlZNZVSsXg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSUzFCaHMvUy9Wb0xDRU0z\nMzNXOGdPSmxjT0VBSFY1NzZoUGpJUHE1YVZrCk02cDRyd0FGOHlXZE9Md2J5djlE\nVE9PeHMyL25YSktlT0w1dk1mT1c5UWMKLS0tIHoyc2c5cEtOaWU2VFhtK2dUTW43\nelFYNG5XeFJscnlINFhLRWUrazcyRkkKql2yUeNuqA1yOAA7BsqSDTXw7tSc2Wt6\nD0ajblyUP+HxzvJILs0LiTruaiVw8LGYHV9a+oUuMV6UJGthf7w25Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOVE3VUR4aUd4QWtTck5S\nR1lmTlJRck5ncFNZcjJ3RkNPL1JWTWVyMW5NCnQ1dmIvUXV4U1ZaN3lLa01uYUdr\nU3d4dEg4QkNqTFYrdXlKRk1XdWtReWMKLS0tIEpuTUZVUnVGOGdobTdaNGJhaFpC\nWWRPYXBFYzYvakc0NnI1ODl6QzZ2K0EKlX4Xa2DyeasnuDVTQ0MjcnQ8suQZaAuw\nvu29LJOCtOx+EdjFiMXtNMR6jw1HWFeUvhoR6/EkPMHX52Ai9rBLwA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1vla9w33lsp03s46p9p6gc2mvr844vthdqhc2hzau2ph6h60gmyqqh9sf57",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCV1prUUxCeWlLMm0rTHI5\neW40U1ZoRll5d0JCUm9LSnVBWmZWRnc0NGlZCjlqYUc4bXZ1OWYxQnNFWFl6MEM2\nZ20rKzEySTVMUlo0VUtBYUdqd2hETU0KLS0tIFpBN3BZTW9mc3lRbHBPUEN3SzVo\nRFRUOUtseGl6YWpFOVZ0Tk9tVGNwNzAKNKdHEE1XwW4aqc4Vdj8qc/yqtB6JUJcB\nB5mD80Nff6QJzVWCSSZAxe6c6UET5eFFfZW7h9lJeFn2NOSmuM2adA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1jy8mxcndkw6zd6q99tjgz3gsynn78x2lwtrff85u6ud9g9y9z5mspvhufl",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3VDlVZXZvSHlWcDF5cDFQ\nUlF4TnAwV3BsbGkrNmgrdzdQTk93TE5mYWtvCkd2YzdaU2tQSk41SmN5N0dPRjlI\nNXVLWDNlQkkzb1Z4Y3AwZ3Q4Q3RzVjgKLS0tIDkzZEZIWDRKTlUvSXBkaUtHc3hp\nVUo4NitVSStOeE5vamJFTjNMdStFMzQKZKckoNsPO85FznhBAuH/9GGVzWyJjq/5\nF1WU+5PrqdvQ6cQWZ/AVGxhuxD0L7Uy7Rt1iheQ971ML+3L/iquD0w==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWejk3Wk56dWFKNnFqYk9m\nSTJEcHZxRkh5ZVZFMk5HcEo0YzRCYk5JYUJZCkEzRkJEZDBQOU5aeG55UDhuc0w0\nNFRlZXp3TnI5cVM4U3FiQitJREF6aTAKLS0tIGVucTNxRk9OQmd1cjdlZHBUa2ZV\najdXdEIzQWlWQmZkbnQzMzVPb0hCaGsKQvAUO3k8QFBWAki96WJum6jO1Yu2Uua4\nvJbDDCth5FhSIXdu5Gw1m0iiuSqcj+9huSC9zuX9w9vbqLxISmesFg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3NndrQnZRbnAvUEhua2No\nRm5KL0NRRUhwbUd2ZXptL2dsK0xIK0xEQ0dvCklpWmEyWXptYmVnNksyY0NuSFR4\nWG1kbjlVTDJ3SzhCaEFad0pWeDVCS28KLS0tIHVDdmhiS0ZmMDYzTlhTb3BVcXR0\nS1ZVTGc3OHFZS3lZbXAzYTVCejFnRFEKITQHLZqOvAmoKjkQt8KOYWhTUE+DGy9r\nFdtHmTfv/4UKDpqv/WqkTIvi5AUWApWJ+5YCm2Fv0Y2sFXhBK3kF4Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPek9CVk5pQW1EUUhabW5E\nTWFjdFdlVVFnZlcvQWlOTk5YZTVTRWdMMmtRCkJwWjlWREdjRUhEL2R4bFRBQ3Aw\nZjdJMCtVZDErZE5wcnloR2lvVnJHSDgKLS0tIDAwajE2YTA4UFo1SmJEVUtpN2hX\nMkkzYjZOVDYvSlRGT3RJTzdySlJleXMKor4NR2gIkfvDi25eKrzLki+biWf3dVZS\niCSBxy+tpbtiO9fK8LPrz9jJp1tBism7VTIF6WBuj97GjMGHIOz43Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2024-10-24T05:55:24Z",
-		"mac": "ENC[AES256_GCM,data:ntQuFNOlw0CqRQO6hLOwocSyNs04KzlPlpr4k+Vxw5BOoRhDeLAvyrcrfduDw2vh9OUhHaNyc15j5J8s5akAVsf1DSfnK5HUbBB6Qp4W8YkCCAP+S8d6/iBniqlWsJeioVAX/mNXwUaFe7zZ2WDp1s/LebO2hSld1MHkW+uZGXQ=,iv:7pgK+ZqWEgWY01ugIzR5EuK4TljdFkrRvayN5AOh0Qs=,tag:zt1EaL86geu0ucHZR6WHIQ==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.1"
-	}
-}

sops

@@ -1,2 +0,0 @@
-#!/bin/sh
-nix run "$(dirname "$0")#sops" -- "$@"