Unfinished attempt at packaging pia client

Flake lock file updates:

• Updated input 'nix-locate':
    'github:googlebot42/nix-index/a28bb3175d370c6cb9569e6d4b5570e9ca016a3e' (2022-05-17)
  → 'github:bennofs/nix-index/5f98881b1ed27ab6656e6d71b534f88430f6823a' (2023-01-17)
• Updated input 'nix-locate/flake-compat':
    'github:edolstra/flake-compat/b7547d3eed6f32d06102ead8991ec52ab0a4f1a7' (2022-01-03)
  → 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08)
  → 'github:NixOS/nixpkgs/32f914af34f126f54b45e482fb2da4ae78f3095f' (2023-02-08)

.gitignore

@@ -0,0 +1 @@
+result

README.md

@@ -0,0 +1,12 @@
+# My NixOS configurations
+
+### Source Layout
+- `/common` - common configuration imported into all `/machines`
+    - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
+    - `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA
+    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
+    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
+    - `/ssh.nix` - all ssh public host and user keys for all `/machines`
+- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
+    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
+- `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys

TODO.md

@@ -0,0 +1,85 @@
+# A place for brain dump ideas maybe to be taken off of the shelve one day
+
+### NixOS webtools
+- Better options search https://mynixos.com/options/services 
+
+### Interesting ideas for restructuring nixos config
+- https://github.com/gytis-ivaskevicius/flake-utils-plus
+- https://github.com/divnix/digga/tree/main/examples/devos
+- https://digga.divnix.com/
+- https://nixos.wiki/wiki/Comparison_of_NixOS_setups
+
+### Housekeeping
+- Format everything here using nixfmt
+- Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
+- CI https://gvolpe.com/blog/nixos-binary-cache-ci/
+- remove `options.currentSystem`
+- allow `hostname` option for webservices to be null to disable configuring nginx
+
+### NAS
+- helios64 extra led lights
+- safely turn off NAS on power disconnect
+- hardware de/encoding for rk3399 helios64 https://forum.pine64.org/showthread.php?tid=14018
+- tor unlock
+
+### bcachefs
+- bcachefs health alerts via email
+- bcachefs periodic snapshotting
+- use mount.bcachefs command for mounting
+- bcachefs native encryption
+    - just need a kernel module? https://github.com/firestack/bcachefs-tools-flake/blob/kf/dev/mvp/nixos/module/bcachefs.nix#L40
+
+### Shell Comands
+- tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
+
+### Services
+- setup archivebox
+- radio https://tildegit.org/tilderadio/site
+- music
+    - mopidy
+        - use the jellyfin plugin?
+    - navidrome
+        - spotify secrets for navidrome
+    - picard for music tagging
+    - alternative music software
+        - https://www.smarthomebeginner.com/best-music-server-software-options/
+        - https://funkwhale.audio/
+        - https://github.com/epoupon/lms
+        - https://github.com/benkaiser/stretto
+        - https://github.com/blackcandy-org/black_candy
+        - https://github.com/koel/koel
+        - https://airsonic.github.io/
+        - https://ampache.org/
+- replace nextcloud with seafile
+
+### VPN container
+- use wireguard for vpn
+    - https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
+    - https://github.com/pia-foss/manual-connections
+    - port forwarding for vpn
+        - transmission using forwarded port
+    - https://www.wireguard.com/netns/
+    - one way firewall for vpn container
+
+### Networking
+- tailscale for p2p connections
+    - remove all use of zerotier
+
+### Archive
+- https://www.backblaze.com/b2/cloud-storage.html
+- email
+    - https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
+    - http://kb.unixservertech.com/software/dovecot/archiveserver
+
+### Paranoia
+- https://christine.website/blog/paranoid-nixos-2021-07-18
+- https://nixos.wiki/wiki/Impermanence
+
+### Misc
+- https://github.com/pop-os/system76-scheduler
+- improve email a little bit https://helloinbox.email
+- remap razer keys https://github.com/sezanzeb/input-remapper
+
+### Future Interests (upon merge into nixpkgs)
+- nixos/thelounge: add users option https://github.com/NixOS/nixpkgs/pull/157477
+- glorytun: init at 0.3.4 https://github.com/NixOS/nixpkgs/pull/153356

common/default.nix

@@ -1,14 +1,11 @@
 { config, pkgs, ... }:
 
-let
+{
-  nix-locate = config.inputs.nix-locate.defaultPackage.${config.currentSystem};
-in {
   imports = [
     ./flakes.nix
-    ./pia.nix
-    ./zerotier.nix
     ./auto-update.nix
-    ./hosts.nix
+    ./shell.nix
+    ./network
     ./boot
     ./server
     ./pc
@@ -45,7 +42,6 @@ in {
     micro
     helix
     lm_sensors
-    nix-locate
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -66,25 +62,6 @@ in {
 
   nix.gc.automatic = true;
 
-  programs.command-not-found.enable = false;
+  security.acme.acceptTerms = true;
-
+  security.acme.defaults.email = "zuckerberg@neet.dev";
-  programs.fish = {
-    enable = true;
-
-    shellInit = let
-      wrapper = pkgs.writeScript "command-not-found" ''
-        #!${pkgs.bash}/bin/bash
-        source ${nix-locate}/etc/profile.d/command-not-found.sh
-        command_not_found_handle "$@"
-      '';
-    in ''
-      # use nix-locate for command-not-found functionality
-      function __fish_command_not_found_handler --on-event fish_command_not_found
-          ${wrapper} $argv
-      end
-
-      # disable annoying fish shell greeting
-      set fish_greeting
-    '';
-  };
 }

common/network/default.nix

@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.networking;
+in
+{
+  imports = [
+    ./hosts.nix
+    ./pia-openvpn.nix
+    ./tailscale.nix
+    ./vpn.nix
+    ./zerotier.nix
+  ];
+
+  options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
+
+  config = mkIf cfg.ip_forward {
+    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+  };
+}

common/network/hosts.nix

@@ -1,7 +1,7 @@
 { config, lib, ... }:
 
 let
-  system = (import ./ssh.nix).system;
+  system = (import ../ssh.nix).system;
 in {
   networking.hosts = {
     # some DNS providers filter local ip results from DNS request

common/network/pia-openvpn.nix

@@ -0,0 +1,113 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.pia;
+  vpnfailsafe = pkgs.stdenv.mkDerivation {
+    pname = "vpnfailsafe";
+    version = "0.0.1";
+    src = ./.;
+    installPhase = ''
+      mkdir -p $out
+      cp vpnfailsafe.sh $out/vpnfailsafe.sh
+      sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
+    '';
+  };
+in
+{
+  options.pia = {
+    enable = lib.mkEnableOption "Enable private internet access";
+    server = lib.mkOption {
+      type = lib.types.str;
+      default = "us-washingtondc.privacy.network";
+      example = "swiss.privacy.network";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.openvpn = {
+      servers = {
+        pia = {
+          config = ''
+            client
+            dev tun
+            proto udp
+            remote ${cfg.server} 1198
+            resolv-retry infinite
+            nobind
+            persist-key
+            persist-tun
+            cipher aes-128-cbc
+            auth sha1
+            tls-client
+            remote-cert-tls server
+
+            auth-user-pass
+            compress
+            verb 1
+            reneg-sec 0
+            <crl-verify>
+            -----BEGIN X509 CRL-----
+            MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
+            EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
+            cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
+            HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
+            ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
+            aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
+            MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
+            9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
+            jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
+            B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
+            ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
+            5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
+            MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
+            -----END X509 CRL-----
+            </crl-verify>
+
+            <ca>
+            -----BEGIN CERTIFICATE-----
+            MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
+            VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
+            BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
+            dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
+            IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
+            FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
+            MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
+            EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
+            QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
+            AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
+            ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
+            bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
+            L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
+            lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
+            cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
+            8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
+            /5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
+            OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
+            y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
+            sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
+            b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
+            A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
+            SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
+            czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
+            b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
+            a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
+            ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
+            7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
+            GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
+            1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
+            YDQ8z9v+DMO6iwyIDRiU
+            -----END CERTIFICATE-----
+            </ca>
+
+            disable-occ
+            auth-user-pass /run/agenix/pia-login.conf
+          '';
+          autoStart = true;
+          up = "${vpnfailsafe}/vpnfailsafe.sh";
+          down = "${vpnfailsafe}/vpnfailsafe.sh";
+        };
+      };
+    };
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+  };
+}

common/network/tailscale.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.tailscale;
+in
+{
+  options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
+
+  config.services.tailscale.enable = !config.boot.isContainer;
+
+  # exit node
+  config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
+  config.networking.ip_forward = mkIf cfg.exitNode true;
+}

common/network/vpn.nix

@@ -0,0 +1,97 @@
+{ config, pkgs, lib, allModules, ... }:
+
+with lib;
+
+let
+  cfg = config.vpn-container;
+in
+{
+  options.vpn-container = {
+    enable = mkEnableOption "Enable VPN container";
+
+    containerName = mkOption {
+      type = types.str;
+      default = "vpn";
+      description = ''
+        Name of the VPN container.
+      '';
+    };
+
+    mounts = mkOption {
+      type = types.listOf types.str;
+      default = [ "/var/lib" ];
+      example = "/home/example";
+      description = ''
+        List of mounts on the host to bind to the vpn container.
+      '';
+    };
+
+    config = mkOption {
+      type = types.anything;
+      default = {};
+      example = ''
+        {
+          services.nginx.enable = true;
+        }
+      '';
+      description = ''
+        NixOS config for the vpn container.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    containers.${cfg.containerName} = {
+      ephemeral = true;
+      autoStart = true;
+
+      bindMounts = mkMerge ([{
+        "/run/agenix" = {
+          hostPath = "/run/agenix";
+          isReadOnly = true;
+        };
+      }] ++ (lists.forEach cfg.mounts (mount:
+        {
+          "${mount}" = {
+            hostPath = mount;
+            isReadOnly = false;
+          };
+        }
+      )));
+
+      enableTun = true;
+      privateNetwork = true;
+      hostAddress = "172.16.100.1";
+      localAddress = "172.16.100.2";
+
+      config = {
+        imports = allModules ++ [cfg.config];
+
+        nixpkgs.pkgs = pkgs;
+
+        networking.firewall.enable = mkForce false;
+
+        pia.enable = true;
+        pia.server = "swiss.privacy.network"; # swiss vpn
+
+        # run it's own DNS resolver
+        networking.useHostResolvConf = false;
+        services.resolved.enable = true;
+      };
+    };
+
+    # load secrets the container needs
+    age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
+
+    # forwarding for vpn container
+    networking.nat.enable = true;
+    networking.nat.internalInterfaces = [
+      "ve-${cfg.containerName}"
+    ];
+    networking.ip_forward = true;
+
+    # assumes only one potential interface
+    networking.usePredictableInterfaceNames = false;
+    networking.nat.externalInterface = "eth0";
+  };
+}

common/pc/chromium.nix

@@ -60,7 +60,6 @@ in {
         "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
         "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
         "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
-        "fihnjjcciajhdojfnbdddfaoknhalnja" # I don't care about cookies
         "mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
         "dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
         # "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
@@ -80,7 +79,6 @@ in {
     nixpkgs.config.packageOverrides = pkgs: {
       vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
       chromium = pkgs.chromium.override {
-        gnomeKeyringSupport = true;
         enableWideVine = true;
         # ungoogled = true;
         # --enable-native-gpu-memory-buffers # fails on AMD APU

common/pc/default.nix

@@ -49,6 +49,7 @@ in {
       spotify-qt
       arduino
       yt-dlp
+      jellyfin-media-player
     ];
 
     # Networking

common/pc/pia/default.nix

@@ -0,0 +1,76 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.pia;
+in {
+  imports = [
+    ./pia.nix
+  ];
+
+  options.services.pia = {
+    enable = lib.mkEnableOption "Enable PIA Client";
+
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/pia";
+      description = ''
+        Path to the pia data directory
+      '';
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "root";
+      description = ''
+        The user pia should run as
+      '';
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "piagrp";
+      description = ''
+        The group pia should run as
+      '';
+    };
+
+    users = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = ''
+        Usernames to be added to the "spotifyd" group, so that they
+        can start and interact with the userspace daemon.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    # users.users.${cfg.user} =
+    # if cfg.user == "pia" then {
+    #   isSystemUser = true;
+    #   group = cfg.group;
+    #   home = cfg.dataDir;
+    #   createHome = true;
+    # }
+    # else {};
+    users.groups.${cfg.group}.members = cfg.users;
+
+    systemd.services.pia-daemon = {
+      enable = true;
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.ExecStart = "${pkgs.pia-daemon}/bin/pia-daemon";
+      serviceConfig.PrivateTmp="yes";
+      serviceConfig.User = cfg.user;
+      serviceConfig.Group = cfg.group;
+      preStart = ''
+        mkdir -p ${cfg.dataDir}
+        chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
+      '';
+    };
+
+  };
+}

common/pc/pia/fix-pia.patch

@@ -0,0 +1,147 @@
+diff --git a/Rakefile b/Rakefile
+index fa6d771..bcd6fb1 100644
+--- a/Rakefile
++++ b/Rakefile
+@@ -151,41 +151,6 @@ end
+ # Install LICENSE.txt
+ stage.install('LICENSE.txt', :res)
+ 
+-# Download server lists to ship preloaded copies with the app.  These tasks
+-# depend on version.txt so they're refreshed periodically (whenver a new commit
+-# is made), but not for every build.
+-#
+-# SERVER_DATA_DIR can be set to use existing files instead of downloading them;
+-# this is primarily intended for reproducing a build.
+-#
+-# Create a probe for SERVER_DATA_DIR so these are updated if it changes.
+-serverDataProbe = Probe.new('serverdata')
+-serverDataProbe.file('serverdata.txt', "#{ENV['SERVER_DATA_DIR']}")
+-# JSON resource build directory
+-jsonFetched = Build.new('json-fetched')
+-# These are the assets we need to fetch and the URIs we get them from
+-{
+-    'modern_shadowsocks.json': 'https://serverlist.piaservers.net/shadow_socks',
+-    'modern_servers.json': 'https://serverlist.piaservers.net/vpninfo/servers/v6',
+-    'modern_region_meta.json': 'https://serverlist.piaservers.net/vpninfo/regions/v2'
+-}.each do |k, v|
+-    fetchedFile = jsonFetched.artifact(k.to_s)
+-    serverDataDir = ENV['SERVER_DATA_DIR']
+-    file fetchedFile => [version.artifact('version.txt'),
+-                         serverDataProbe.artifact('serverdata.txt'),
+-                         jsonFetched.componentDir] do |t|
+-        if(serverDataDir)
+-            # Use the copy provided instead of fetching (for reproducing a build)
+-            File.copy(File.join(serverDataDir, k), fetchedFile)
+-        else
+-            # Fetch from the web API (write with "binary" mode so LF is not
+-            # converted to CRLF on Windows)
+-            File.binwrite(t.name, Net::HTTP.get(URI(v)))
+-        end
+-    end
+-    stage.install(fetchedFile, :res)
+-end
+-
+ # Install version/brand/arch info in case an upgrade needs to know what is
+ # currently installed
+ stage.install(version.artifact('version.txt'), :res)
+diff --git a/common/src/posix/unixsignalhandler.cpp b/common/src/posix/unixsignalhandler.cpp
+index f820a6d..e1b6c33 100644
+--- a/common/src/posix/unixsignalhandler.cpp
++++ b/common/src/posix/unixsignalhandler.cpp
+@@ -132,7 +132,7 @@ void UnixSignalHandler::_signalHandler(int, siginfo_t *info, void *)
+     // we checked it, we can't even log because the logger is not reentrant.
+     auto pThis = instance();
+     if(pThis)
+-        ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
++        auto _ = ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
+ }
+ template<int Signal>
+ void UnixSignalHandler::setAbortAction()
+diff --git a/daemon/src/linux/linux_nl.cpp b/daemon/src/linux/linux_nl.cpp
+index fd3aced..2367a5e 100644
+--- a/daemon/src/linux/linux_nl.cpp
++++ b/daemon/src/linux/linux_nl.cpp
+@@ -642,6 +642,6 @@ LinuxNl::~LinuxNl()
+     unsigned char term = 0;
+     PosixFd killSocket = _workerKillSocket.get();
+     if(killSocket)
+-        ::write(killSocket.get(), &term, sizeof(term));
++        auto _ = ::write(killSocket.get(), &term, sizeof(term));
+     _workerThread.join();
+ }
+diff --git a/extras/support-tool/launcher/linux-launcher.cpp b/extras/support-tool/launcher/linux-launcher.cpp
+index 3f63ac2..420d54d 100644
+--- a/extras/support-tool/launcher/linux-launcher.cpp
++++ b/extras/support-tool/launcher/linux-launcher.cpp
+@@ -48,7 +48,7 @@ int fork_execv(gid_t gid, char *filename, char *const argv[])
+     if(forkResult == 0)
+     {
+         // Apply gid as both real and effective
+-        setregid(gid, gid);
++        auto _ = setregid(gid, gid);
+ 
+         int execErr = execv(filename, argv);
+         std::cerr << "exec err: " << execErr << " / " << errno << " - "
+diff --git a/rake/model/qt.rb b/rake/model/qt.rb
+index c8cd362..a6abe59 100644
+--- a/rake/model/qt.rb
++++ b/rake/model/qt.rb
+@@ -171,12 +171,7 @@ class Qt
+     end
+ 
+     def getQtRoot(qtVersion, arch)
+-        qtToolchainPtns = getQtToolchainPatterns(arch)
+-        qtRoots = FileList[*Util.joinPaths([[qtVersion], qtToolchainPtns])]
+-        # Explicitly filter for existing paths - if the pattern has wildcards
+-        # we only get existing directories, but if the patterns are just
+-        # alternates with no wildcards, we can get directories that don't exist
+-        qtRoots.find_all { |r| File.exist?(r) }.max
++        ENV['QTROOT']
+     end
+ 
+     def getQtVersionScore(minor, patch)
+@@ -192,12 +187,7 @@ class Qt
+     end
+ 
+     def getQtPathVersion(path)
+-        verMatch = path.match('^.*/Qt[^/]*/5\.(\d+)\.?(\d*)$')
+-        if(verMatch == nil)
+-            nil
+-        else
+-            [verMatch[1].to_i, verMatch[2].to_i]
+-        end
++        [ENV['QT_MAJOR'].to_i, ENV['QT_MINOR'].to_i]
+     end
+ 
+     # Build a component definition with the defaults.  The "Core" component will
+diff --git a/rake/product/linux.rb b/rake/product/linux.rb
+index f43fb3e..83505af 100644
+--- a/rake/product/linux.rb
++++ b/rake/product/linux.rb
+@@ -18,8 +18,7 @@ module PiaLinux
+     QT_BINARIES = %w(pia-client pia-daemon piactl pia-support-tool)
+ 
+     # Version of libicu (needed to determine lib*.so.## file names in deployment)
+-    ICU_VERSION = FileList[File.join(Executable::Qt.targetQtRoot, 'lib', 'libicudata.so.*')]
+-        .first.match(/libicudata\.so\.(\d+)(\..*|)/)[1]
++    ICU_VERSION = ENV['ICU_MAJOR'].to_i;
+ 
+     # Copy a directory recursively, excluding *.debug files (debugging symbols)
+     def self.copyWithoutDebug(sourceDir, destDir)
+@@ -220,16 +219,5 @@ module PiaLinux
+     # Since these are just development workflow tools, they can be skipped if
+     # specific dependencies are not available.
+     def self.defineTools(toolsStage)
+-        # Test if we have libthai-dev, for the Thai word breaking utility
+-        if(Executable::Tc.sysHeaderAvailable?('thai/thwbrk.h'))
+-            Executable.new('thaibreak')
+-                .source('tools/thaibreak')
+-                .lib('thai')
+-                .install(toolsStage, :bin)
+-            toolsStage.install('tools/thaibreak/thai_ts.sh', :bin)
+-            toolsStage.install('tools/onesky_import/import_translations.sh', :bin)
+-        else
+-            puts "skipping thaibreak utility, install libthai-dev to build thaibreak"
+-        end
+     end
+ end

common/pc/pia/pia.nix

@@ -0,0 +1,139 @@
+{ pkgs, lib, config, ... }:
+
+{
+  nixpkgs.overlays = [
+    (self: super:
+
+    with self;
+
+    let
+      # arch = builtins.elemAt (lib.strings.splitString "-" builtins.currentSystem) 0;
+      arch = "x86_64";
+
+      pia-desktop = clangStdenv.mkDerivation rec {
+        pname = "pia-desktop";
+        version = "3.3.0";
+
+        src = fetchgit {
+          url = "https://github.com/pia-foss/desktop";
+          rev = version;
+          fetchLFS = true;
+          sha256 = "D9txL5MUWyRYTnsnhlQdYT4dGVpj8PFsVa5hkrb36cw=";
+        };
+
+        patches = [
+          ./fix-pia.patch
+        ];
+
+        nativeBuildInputs = [
+          cmake
+          rake
+        ];
+
+        prePatch = ''
+          sed -i 's|/usr/include/libnl3|${libnl.dev}/include/libnl3|' Rakefile
+        '';
+
+        installPhase = ''
+          mkdir -p $out/bin $out/lib $out/share
+          cp -r ../out/pia_release_${arch}/stage/bin $out
+          cp -r ../out/pia_release_${arch}/stage/lib $out
+          cp -r ../out/pia_release_${arch}/stage/share $out
+        '';
+
+        cmakeFlags = [
+          "-DCMAKE_BUILD_TYPE=Release"
+        ];
+
+        QTROOT = "${qt5.full}";
+        QT_MAJOR = lib.versions.minor (lib.strings.parseDrvName qt5.full.name).version;
+        QT_MINOR = lib.versions.patch (lib.strings.parseDrvName qt5.full.name).version;
+        ICU_MAJOR = lib.versions.major (lib.strings.parseDrvName icu.name).version;
+
+        buildInputs = [
+          mesa
+          libsForQt5.qt5.qtquickcontrols
+          libsForQt5.qt5.qtquickcontrols2
+          icu
+          libnl
+        ];
+        
+        dontWrapQtApps = true;
+      };
+    in rec {
+      openvpn-updown = buildFHSUserEnv {
+        name = "openvpn-updown";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "openvpn-updown.sh";
+      };
+
+      pia-client = buildFHSUserEnv {
+        name = "pia-client";
+        targetPkgs = pkgs: (with pkgs; [
+          pia-desktop
+          xorg.libXau
+          xorg.libXdmcp
+        ]);
+        runScript = "pia-client";
+      };
+
+      piactl = buildFHSUserEnv {
+        name = "piactl";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "piactl";
+      };
+
+      pia-daemon = buildFHSUserEnv {
+        name = "pia-daemon";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-daemon";
+      };
+
+      pia-hnsd = buildFHSUserEnv {
+        name = "pia-hnsd";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-hnsd";
+      };
+
+      pia-openvpn = buildFHSUserEnv {
+        name = "pia-openvpn";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-openvpn";
+      };
+
+      pia-ss-local = buildFHSUserEnv {
+        name = "pia-ss-local";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-ss-local";
+      };
+
+      pia-support-tool = buildFHSUserEnv {
+        name = "pia-support-tool";
+        targetPkgs = pkgs: (with pkgs; [
+          pia-desktop
+          xorg.libXau
+          xorg.libXdmcp
+        ]);
+        runScript = "pia-support-tool";
+      };
+
+      pia-unbound = buildFHSUserEnv {
+        name = "pia-unbound";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-unbound";
+      };
+
+      pia-wireguard-go = buildFHSUserEnv {
+        name = "pia-wireguard-go";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "pia-wireguard-go";
+      };
+
+      support-tool-launcher = buildFHSUserEnv {
+        name = "support-tool-launcher";
+        targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
+        runScript = "support-tool-launcher";
+      };
+    })
+  ];
+}

common/pia.nix

@@ -1,108 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  cfg = config.pia;
-  vpnfailsafe = pkgs.stdenv.mkDerivation {
-    pname = "vpnfailsafe";
-    version = "0.0.1";
-    src = ./.;
-    installPhase = ''
-      mkdir -p $out
-      cp vpnfailsafe.sh $out/vpnfailsafe.sh
-      sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
-    '';
-  };
-in
-{
-  options.pia = {
-    enable = lib.mkEnableOption "Enable private internet access";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.openvpn = {
-      servers = {
-        pia = {
-          config = ''
-client
-dev tun
-proto udp
-remote us-washingtondc.privacy.network 1198
-resolv-retry infinite
-nobind
-persist-key
-persist-tun
-cipher aes-128-cbc
-auth sha1
-tls-client
-remote-cert-tls server
-
-auth-user-pass
-compress
-verb 1
-reneg-sec 0
-<crl-verify>
------BEGIN X509 CRL-----
-MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
-EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
-cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
-HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
-ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
-aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
-MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
-9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
-jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
-B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
-ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
-5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
-MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
------END X509 CRL-----
-</crl-verify>
-
-<ca>
------BEGIN CERTIFICATE-----
-MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
-VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
-BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
-dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
-IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
-FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
-MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
-EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
-QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
-AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
-ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
-bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
-L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
-lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
-cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
-8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
-/5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
-OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
-y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
-sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
-b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
-A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
-SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
-czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
-b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
-a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
-ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
-7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
-GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
-1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
-YDQ8z9v+DMO6iwyIDRiU
------END CERTIFICATE-----
-</ca>
-
-disable-occ
-auth-user-pass /run/agenix/pia-login.conf
-          '';
-          autoStart = true;
-          up = "${vpnfailsafe}/vpnfailsafe.sh";
-          down = "${vpnfailsafe}/vpnfailsafe.sh";
-        };
-      };
-    };
-    age.secrets."pia-login.conf".file = ../secrets/pia-login.conf;
-  };
-}

common/server/cloudflared.nix

@@ -1,58 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.cloudflared;
-  settingsFormat = pkgs.formats.yaml { };
-in
-{
-  meta.maintainers = with maintainers; [ pmc ];
-
-  options = {
-    services.cloudflared = {
-      enable = mkEnableOption "cloudflared";
-      package = mkOption {
-        type = types.package;
-        default = pkgs.cloudflared;
-        description = "The cloudflared package to use";
-        example = literalExpression ''pkgs.cloudflared'';
-      };
-      config = mkOption {
-        type = settingsFormat.type;
-        description = "Contents of the config.yaml as an attrset; see https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file for documentation on the contents";
-        example = literalExpression ''
-          {
-            url = "http://localhost:3000";
-            tunnel = "505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf";
-            credentials-file = "/var/lib/cloudflared/505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf.json";
-          }
-        '';
-      };
-
-      configFile = mkOption {
-        type = types.path;
-        description = "Path to cloudflared config.yaml.";
-        example = literalExpression ''"/etc/cloudflared/config.yaml"'';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable ({
-    # Prefer the config file over settings if both are set.
-    services.cloudflared.configFile = mkDefault (settingsFormat.generate "cloudflared.yaml" cfg.config);
-
-    systemd.services.cloudflared = {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      description = "Cloudflare Argo Tunnel";
-      serviceConfig = {
-        TimeoutStartSec = 0;
-        Type = "notify";
-        ExecStart = "${cfg.package}/bin/cloudflared --config ${cfg.configFile} --no-autoupdate tunnel run";
-        Restart = "on-failure";
-        RestartSec = "5s";
-      };
-    };
-  });
-}

common/server/default.nix

@@ -13,6 +13,6 @@
     ./privatebin/privatebin.nix
     ./radio.nix
     ./samba.nix
-    ./cloudflared.nix
+    ./owncast.nix
   ];
 }

common/server/matrix.nix

@@ -59,10 +59,11 @@ in {
   config = lib.mkIf cfg.enable {
     services.matrix-synapse = {
       enable = true;
+      settings = {
         server_name = cfg.host;
         enable_registration = cfg.enable_registration;
         listeners = [ {
-        bind_address = "127.0.0.1";
+          bind_addresses = ["127.0.0.1"];
           port = cfg.port;
           tls = false;
           resources = [ {
@@ -77,6 +78,7 @@ in {
         turn_shared_secret = cfg.turn.secret;
         turn_user_lifetime = "1h";
       };
+    };
 
     services.coturn = {
       enable = true;

common/server/owncast.nix

@@ -0,0 +1,31 @@
+{ lib, config, ... }:
+
+with lib;
+
+let
+  cfg = config.services.owncast;
+in {
+  options.services.owncast = {
+    hostname = lib.mkOption {
+      type = types.str;
+      example = "example.com";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.owncast.listen = "127.0.0.1";
+    services.owncast.port = 62419; # random port
+
+    networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ];
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts.${cfg.hostname} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString cfg.port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

common/server/thelounge.nix

@@ -23,7 +23,7 @@ in {
 
   config = lib.mkIf cfg.enable {
     services.thelounge = {
-      private = true;
+      public = false;
       extraConfig = {
         reverseProxy = true;
         maxHistory = -1;

common/shell.nix

@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+
+# Improvements to the default shell
+# - use nix-locate for command-not-found
+# - disable fish's annoying greeting message
+# - add some handy shell commands
+
+let
+  nix-locate = config.inputs.nix-locate.packages.${config.currentSystem}.default;
+in {
+  programs.command-not-found.enable = false;
+
+  environment.systemPackages = [
+    nix-locate
+  ];
+
+  programs.fish = {
+    enable = true;
+
+    shellInit = let
+      wrapper = pkgs.writeScript "command-not-found" ''
+        #!${pkgs.bash}/bin/bash
+        source ${nix-locate}/etc/profile.d/command-not-found.sh
+        command_not_found_handle "$@"
+      '';
+    in ''
+      # use nix-locate for command-not-found functionality
+      function __fish_command_not_found_handler --on-event fish_command_not_found
+          ${wrapper} $argv
+      end
+
+      # disable annoying fish shell greeting
+      set fish_greeting
+    '';
+  };
+
+  environment.shellAliases = {
+    myip = "dig +short myip.opendns.com @resolver1.opendns.com";
+
+    # https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
+    io_seq_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_seq_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_rand_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
+    io_rand_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+  };
+}

common/ssh.nix

@@ -11,7 +11,7 @@ rec {
     ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
     ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
     ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
-    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkTQNPzrIhsKk3OpTHq8b7slIp9LktB49r1w/DKb/5b";
+    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
     n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
     n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
     n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";

flake.lock

@@ -2,16 +2,17 @@
   "nodes": {
     "agenix": {
       "inputs": {
+        "darwin": "darwin",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1648942457,
+        "lastModified": 1675176355,
-        "narHash": "sha256-i29Z1t3sVfCNfpp+KAfeExvpqHQSbLO1KWylTtfradU=",
+        "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "0d5e59ed645e4c7b60174bc6f6aac6a203dc0b01",
+        "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
         "type": "github"
       },
       "original": {
@@ -32,7 +33,7 @@
       "locked": {
         "lastModified": 1648612759,
         "narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
-        "ref": "master",
+        "ref": "refs/heads/master",
         "rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
         "revCount": 2,
         "type": "git",
@@ -71,7 +72,7 @@
       "locked": {
         "lastModified": 1651719222,
         "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
-        "ref": "master",
+        "ref": "refs/heads/master",
         "rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
         "revCount": 19,
         "type": "git",
@@ -82,14 +83,36 @@
         "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1641205782,
+        "lastModified": 1668681692,
-        "narHash": "sha256-4jY7RCWUoZ9cKD8co0/4tFARpWB+57+r1bLLvXNJliY=",
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "b7547d3eed6f32d06102ead8991ec52ab0a4f1a7",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
         "type": "github"
       },
       "original": {
@@ -100,11 +123,11 @@
     },
     "flake-utils": {
       "locked": {
-        "lastModified": 1648297722,
+        "lastModified": 1667395993,
-        "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
         "type": "github"
       },
       "original": {
@@ -121,11 +144,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1647808006,
+        "lastModified": 1673969751,
-        "narHash": "sha256-aBlJcylH7/MDiu0RVEiUwV1XufGfVk4OvsFutImCszY=",
+        "narHash": "sha256-U6aYz3lqZ4NVEGEWiti1i0FyqEo4bUjnTAnA73DPnNU=",
         "owner": "bennofs",
         "repo": "nix-index",
-        "rev": "e7c66ba52fcfba6bfe51adb5400c29a9622664a2",
+        "rev": "5f98881b1ed27ab6656e6d71b534f88430f6823a",
         "type": "github"
       },
       "original": {
@@ -136,47 +159,47 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1649117019,
+        "lastModified": 1672580127,
-        "narHash": "sha256-ID7nw/8MDgqj/cbJ0wy6AtQ9wp58hSnE6+weZwuHnso=",
+        "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ccb90fb9e11459aeaf83cc28d5f8910816d90dd0",
+        "rev": "0874168639713f547c05947c76124f78441ea46c",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-21.11",
+        "ref": "nixos-22.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "nixpkgs-21_05": {
+    "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1625692408,
+        "lastModified": 1654936503,
-        "narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=",
+        "narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c06613c25df3fe1dd26243847a3c105cf6770627",
+        "rev": "dab6df51387c3878cdea09f43589a15729cae9f4",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-21.05",
+        "ref": "nixos-22.05",
         "type": "indirect"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1649408932,
+        "lastModified": 1675835843,
-        "narHash": "sha256-JhTW1OtS5fACcRXLqcTTQyYO5vLkO+bceCqeRms13SY=",
+        "narHash": "sha256-y1dSCQPcof4CWzRYRqDj4qZzbBl+raVPAko5Prdil28=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "42948b300670223ca8286aaf916bc381f66a5313",
+        "rev": "32f914af34f126f54b45e482fb2da4ae78f3095f",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "master",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -211,7 +234,7 @@
       "locked": {
         "lastModified": 1652121792,
         "narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
-        "ref": "master",
+        "ref": "refs/heads/master",
         "rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
         "revCount": 5,
         "type": "git",
@@ -242,23 +265,20 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "nixpkgs-21_05": "nixpkgs-21_05",
+        "nixpkgs-22_05": "nixpkgs-22_05",
-        "nixpkgs-21_11": [
-          "nixpkgs"
-        ],
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1638911354,
+        "lastModified": 1655930346,
-        "narHash": "sha256-hNhzLOp+dApEY15vwLAQZu+sjEQbJcOXCaSfAT6lpsQ=",
+        "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "6e3a7b2ea6f0d68b82027b988aa25d3423787303",
+        "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
         "type": "gitlab"
       },
       "original": {
         "owner": "simple-nixos-mailserver",
-        "ref": "nixos-21.11",
+        "ref": "nixos-22.05",
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }

flake.nix

@@ -1,7 +1,7 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
 
     flake-utils.url = "github:numtide/flake-utils";
 
@@ -9,9 +9,8 @@
     nix-locate.inputs.nixpkgs.follows = "nixpkgs";
 
     # mail server
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.11";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
     simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
-    simple-nixos-mailserver.inputs.nixpkgs-21_11.follows = "nixpkgs";
 
     # agenix
     agenix.url = "github:ryantm/agenix";
@@ -42,12 +41,12 @@
       modules = system: [
         ./common
         inputs.simple-nixos-mailserver.nixosModule
-        inputs.agenix.nixosModule
+        inputs.agenix.nixosModules.default
         inputs.dailybuild_modules.nixosModule
         inputs.archivebox.nixosModule
         ({ lib, ... }: {
           config.environment.systemPackages = [
-            inputs.agenix.defaultPackage.${system}
+            inputs.agenix.packages.${system}.agenix
           ];
 
           # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
@@ -56,59 +55,21 @@
         })
       ];
 
-      mkVpnContainer = system: pkgs: mount: config: {
-        ephemeral = true;
-        autoStart = true;
-        bindMounts = {
-          "/var/lib" = {
-            hostPath = "/var/lib/";
-            isReadOnly = false;
-          };
-          "/run/agenix" = {
-            hostPath = "/run/agenix";
-            isReadOnly = true;
-          };
-          "/dev/fuse" = {
-            hostPath = "/dev/fuse";
-            isReadOnly = false;
-          };
-          "${mount}" = {
-            hostPath = mount;
-            isReadOnly = false;
-          };
-        };
-        enableTun = true;
-        privateNetwork = true;
-        hostAddress = "172.16.100.1";
-        localAddress = "172.16.100.2";
-
-        config = { lib, ... }: {
-          imports = (modules system) ++ [config];
-
-          nixpkgs.pkgs = pkgs;
-
-          networking.firewall.enable = lib.mkForce false;
-          pia.enable = true;
-
-          # run it's own DNS resolver
-          networking.useHostResolvConf = false;
-          services.resolved.enable = true;
-        };
-      };
-
       mkSystem = system: nixpkgs: path:
-        nixpkgs.lib.nixosSystem {
+        let
+          allModules = modules system;
+        in nixpkgs.lib.nixosSystem {
           inherit system;
-          modules = (modules system) ++ [path];
+          modules = allModules ++ [path];
 
           specialArgs = {
-            mkVpnContainer = (mkVpnContainer system);
+            inherit allModules;
           };
         };
     in
     {
       "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
-      "ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
+      "ray" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/ray/configuration.nix;
       "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
       "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
       "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
@@ -126,11 +87,18 @@
       mkKexec = system:
         (nixpkgs.lib.nixosSystem {
           inherit system;
-          modules = [ ./machines/kexec.nix ];
+          modules = [ ./machines/ephemeral/kexec.nix ];
         }).config.system.build.kexec_tarball;
+      mkIso = system:
+        (nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [ ./machines/ephemeral/iso.nix ];
+        }).config.system.build.isoImage;
     in {
       "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
+      "x86_64-linux"."iso" = mkIso "x86_64-linux";
       "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
+      "aarch64-linux"."iso" = mkIso "aarch64-linux";
     };
   };
 }

machines/ephemeral/iso.nix

@@ -0,0 +1,12 @@
+{ modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    ./minimal.nix
+  ];
+
+  isoImage.makeUsbBootable = true;
+
+  networking.hostName = "iso";
+}

machines/ephemeral/kexec.nix

@@ -6,8 +6,11 @@
   imports = [
     (modulesPath + "/installer/netboot/netboot.nix")
     (modulesPath + "/profiles/qemu-guest.nix")
+    ./minimal.nix
   ];
 
+  networking.hostName = "kexec";
+
   # stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
   system.build = rec {
     image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
@@ -42,31 +45,4 @@
       contents = [ ];
     };
   };
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
-  boot.kernelParams = [
-    "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
-    "console=ttyS0" # enable serial console
-    "console=tty1"
-  ];
-  boot.kernel.sysctl."vm.overcommit_memory" = "1";
-
-  environment.systemPackages = with pkgs; [
-    cryptsetup
-    btrfs-progs
-  ];
-  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
-
-  networking.useDHCP = true;
-
-  networking.hostName = "kexec";
-
-  services.openssh = {
-    enable = true;
-    challengeResponseAuthentication = false;
-    passwordAuthentication = false;
-  };
-
-  services.getty.autologinUser = "root";
-  users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
 }

machines/ephemeral/minimal.nix

@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+
+{
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
+  boot.kernelParams = [
+    "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+    "console=ttyS0" # enable serial console
+    "console=tty1"
+  ];
+  boot.kernel.sysctl."vm.overcommit_memory" = "1";
+
+  environment.systemPackages = with pkgs; [
+    cryptsetup
+    btrfs-progs
+  ];
+  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
+
+  networking.useDHCP = true;
+
+  services.openssh = {
+    enable = true;
+    challengeResponseAuthentication = false;
+    passwordAuthentication = false;
+  };
+
+  services.getty.autologinUser = "root";
+  users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
+}

machines/liza/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports =[
@@ -107,7 +107,4 @@
     enableACME = true;
     forceSSL = true;
   };
-
-  security.acme.acceptTerms = true;
-  security.acme.email = "zuckerberg@neet.dev";
 }

machines/ponyo/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports =[
@@ -55,14 +55,16 @@
   };
 
   # wrap radio in a VPN
-  containers.vpn = mkVpnContainer pkgs "/dev/null" {
+  vpn-container.enable = true;
+  vpn-container.config = {
     services.radio = {
       enable = true;
       host = "radio.runyan.org";
     };
   };
-  # containers cannot unlock their own secrets right now. unlock it here
+
-  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+  # tailscale
+  services.tailscale.exitNode = true;
 
   # icecast endpoint + website
   services.nginx.virtualHosts."radio.runyan.org" = {
@@ -131,20 +133,16 @@
   age.secrets.iodine.file = ../../secrets/iodine.age;
   networking.firewall.allowedUDPPorts = [ 53 ];
 
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  networking.nat.enable = true;
   networking.nat.internalInterfaces = [
     "dns0" # iodine
-    "ve-vpn" # vpn container
   ];
-  networking.nat.externalInterface = "ens3";
 
   services.nginx.enable = true;
   services.nginx.virtualHosts."jellyfin.neet.cloud" = {
     enableACME = true;
     forceSSL = true;
     locations."/" = {
-      proxyPass = "http://s0.zt.neet.dev:8096";
+      proxyPass = "http://s0.zt.neet.dev";
       proxyWebsockets = true;
     };
   };
@@ -169,6 +167,6 @@
     '';
   };
 
-  security.acme.acceptTerms = true;
+  services.owncast.enable = true;
-  security.acme.email = "zuckerberg@neet.dev";
+  services.owncast.hostname = "live.neet.dev";
 }

machines/ponyo/hardware-configuration.nix

@@ -31,7 +31,7 @@
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
   networking.useDHCP = lib.mkDefault false;
-  networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
 
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

machines/ray/ca.rsa.4096.crt

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
+BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
+dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
+IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
+FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
+MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
+EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
+QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
+AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
+ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
+bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
+hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
+De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
+V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
+25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
+fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
+p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
+Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
+tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
+jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
+meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
+1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
+HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
+yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
+EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
+cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
+HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
+ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
+aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
+hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
+pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
+Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
+tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
+LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
+6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
+5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
+JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
+iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
+8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
++no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
+-----END CERTIFICATE-----

machines/ray/configuration.nix

@@ -1,12 +1,8 @@
 { config, pkgs, lib, ... }:
 
 {
-  disabledModules = [
-    "hardware/video/nvidia.nix"
-  ];
   imports = [
     ./hardware-configuration.nix
-    ./nvidia.nix
   ];
 
   firmware.x86_64.enable = true;
@@ -23,29 +19,94 @@
 
   hardware.enableAllFirmware = true;
 
-  # newer kernel for wifi
+  # depthai
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
+  '';
 
   # gpu
   services.xserver.videoDrivers = [ "nvidia" ];
-  services.xserver.logFile = "/var/log/Xorg.0.log";
   hardware.nvidia = {
     modesetting.enable = true; # for nvidia-vaapi-driver
     prime = {
-      #reverse_sync.enable = true;
+      reverseSync.enable = true;
-      offload.enable = true;
       offload.enableOffloadCmd = true;
-      #sync.enable = true;
       nvidiaBusId = "PCI:1:0:0";
       amdgpuBusId = "PCI:4:0:0";
     };
-    powerManagement = {
-#      enable = true;
-#      finegrained = true;
-      coarsegrained = true;
-    };
   };
 
+  # virt-manager
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+  virtualisation.spiceUSBRedirection.enable = true;
+  environment.systemPackages = with pkgs; [ virt-manager ];
+  users.users.googlebot.extraGroups = [ "libvirtd" ];
+
+  # vpn-container.enable = true;
+  # containers.vpn.interfaces = [ "piaw" ];
+
+  # allow traffic for wireguard interface to pass
+  # networking.firewall = {
+  #   # wireguard trips rpfilter up
+  #   extraCommands = ''
+  #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+  #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+  #   '';
+  #   extraStopCommands = ''
+  #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+  #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+  #   '';
+  # };
+
+  # systemd.services.pia-vpn-wireguard = {
+  #   enable = true;
+  #   description = "PIA VPN WireGuard Tunnel";
+  #   requires = [ "network-online.target" ];
+  #   after = [ "network.target" "network-online.target" ];
+  #   wantedBy = [ "multi-user.target" ];
+  #   environment.DEVICE = "piaw";
+  #   path = with pkgs; [ kmod wireguard-tools jq curl ];
+
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     RemainAfterExit = true;
+  #   };
+
+  #   script = ''
+  #     WG_HOSTNAME=zurich406
+  #     WG_SERVER_IP=156.146.62.153
+
+  #     PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
+  #     PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
+  #     PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
+  #     privKey=$(wg genkey)
+  #     pubKey=$(echo "$privKey" | wg pubkey)
+  #     wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
+
+  #     echo "               
+  #     [Interface]
+  #     Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
+  #     PrivateKey = $privKey
+  #     ListenPort = 51820
+  #     [Peer]
+  #     PersistentKeepalive = 25
+  #     PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
+  #     AllowedIPs = 0.0.0.0/0
+  #     Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
+  #     " > /tmp/piaw.conf
+
+  #     # TODO make /tmp/piaw.conf ro to root
+
+  #     ${lib.optionalString (!config.boot.isContainer) "modprobe wireguard"}
+  #     wg-quick up /tmp/piaw.conf
+  #   '';
+
+  #   preStop = ''
+  #     wg-quick down /tmp/piaw.conf
+  #   '';
+  # };
+  # age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
 
   virtualisation.docker.enable = true;
 

machines/ray/nvidia.nix

@@ -1,485 +0,0 @@
-# This module provides the proprietary NVIDIA X11 / OpenGL drivers.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  nvidia_x11 = let
-    drivers = config.services.xserver.videoDrivers;
-    isDeprecated = str: (hasPrefix "nvidia" str) && (str != "nvidia");
-    hasDeprecated = drivers: any isDeprecated drivers;
-  in if (hasDeprecated drivers) then
-    throw ''
-      Selecting an nvidia driver has been modified for NixOS 19.03. The version is now set using `hardware.nvidia.package`.
-    ''
-  else if (elem "nvidia" drivers) then cfg.package else null;
-
-  enabled = nvidia_x11 != null;
-  cfg = config.hardware.nvidia;
-
-  pCfg = cfg.prime;
-  syncCfg = pCfg.sync;
-  offloadCfg = pCfg.offload;
-  reverseSyncCfg = pCfg.reverse_sync;
-  primeEnabled = syncCfg.enable || reverseSyncCfg.enable || offloadCfg.enable;
-  nvidiaPersistencedEnabled =  cfg.nvidiaPersistenced;
-  nvidiaSettings = cfg.nvidiaSettings;
-in
-
-{
-  imports =
-    [
-      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "enable" ] [ "hardware" "nvidia" "prime" "sync" "enable" ])
-      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
-      (mkRenamedOptionModule [ "hardware" "nvidia" "prime" "sync" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
-      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "nvidiaBusId" ] [ "hardware" "nvidia" "prime" "nvidiaBusId" ])
-      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "intelBusId" ] [ "hardware" "nvidia" "prime" "intelBusId" ])
-    ];
-
-  options = {
-    hardware.nvidia.powerManagement.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Experimental power management through systemd. For more information, see
-        the NVIDIA docs, on Chapter 21. Configuring Power Management Support.
-      '';
-    };
-
-    hardware.nvidia.powerManagement.finegrained = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Experimental power management of PRIME offload. For more information, see
-        the NVIDIA docs, chapter 22. PCI-Express runtime power management.
-      '';
-    };
-
-    hardware.nvidia.powerManagement.coarsegrained = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Experimental power management of PRIME offload. For more information, see
-        the NVIDIA docs, chapter 22. PCI-Express runtime power management.
-      '';
-    };
-
-    hardware.nvidia.modesetting.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Enable kernel modesetting when using the NVIDIA proprietary driver.
-
-        Enabling this fixes screen tearing when using Optimus via PRIME (see
-        <option>hardware.nvidia.prime.sync.enable</option>. This is not enabled
-        by default because it is not officially supported by NVIDIA and would not
-        work with SLI.
-      '';
-    };
-
-    hardware.nvidia.prime.nvidiaBusId = mkOption {
-      type = types.str;
-      default = "";
-      example = "PCI:1:0:0";
-      description = ''
-        Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci
-        shows the NVIDIA GPU at "01:00.0", set this option to "PCI:1:0:0".
-      '';
-    };
-
-    hardware.nvidia.prime.intelBusId = mkOption {
-      type = types.str;
-      default = "";
-      example = "PCI:0:2:0";
-      description = ''
-        Bus ID of the Intel GPU. You can find it using lspci; for example if lspci
-        shows the Intel GPU at "00:02.0", set this option to "PCI:0:2:0".
-      '';
-    };
-
-    hardware.nvidia.prime.amdgpuBusId = mkOption {
-      type = types.str;
-      default = "";
-      example = "PCI:4:0:0";
-      description = ''
-        Bus ID of the AMD APU. You can find it using lspci; for example if lspci
-        shows the AMD APU at "04:00.0", set this option to "PCI:4:0:0".
-      '';
-    };
-
-    hardware.nvidia.prime.sync.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME.
-        If enabled, the NVIDIA GPU will be always on and used for all rendering,
-        while enabling output to displays attached only to the integrated Intel/AMD
-        GPU without a multiplexer.
-
-        Note that this option only has any effect if the "nvidia" driver is specified
-        in <option>services.xserver.videoDrivers</option>, and it should preferably
-        be the only driver there.
-
-        If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
-        be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
-        <option>hardware.nvidia.prime.intelBusId</option> or 
-        <option>hardware.nvidia.prime.amdgpuBusId</option>).
-
-        If you enable this, you may want to also enable kernel modesetting for the
-        NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
-        to prevent tearing.
-
-        Note that this configuration will only be successful when a display manager
-        for which the <option>services.xserver.displayManager.setupCommands</option>
-        option is supported is used.
-      '';
-    };
-
-    hardware.nvidia.prime.allowExternalGpu = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Configure X to allow external NVIDIA GPUs when using Prime [Reverse] Sync.
-      '';
-    };
-
-    hardware.nvidia.prime.offload.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Enable render offload support using the NVIDIA proprietary driver via PRIME.
-
-        If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
-        be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
-        <option>hardware.nvidia.prime.intelBusId</option> or 
-        <option>hardware.nvidia.prime.amdgpuBusId</option>).
-      '';
-    };
-
-    hardware.nvidia.prime.offload.enableOffloadCmd = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Adds a `nvidia-offload` convenience script to <option>environment.systemPackages</option>
-        for offloading programs to an nvidia device. To work, should have also enabled
-        <option>hardware.nvidia.prime.offload.enable</option> or <option>hardware.nvidia.prime.reverse_sync.enable</option>
-
-        Example usage `nvidia-offload sauerbraten_client`
-      '';
-    };
-
-    hardware.nvidia.prime.reverse_sync.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Warning: This feature is relatively new, depending on your system this might
-        work poorly. AMD support, especially so.
-        See: https://forums.developer.nvidia.com/t/the-all-new-outputsink-feature-aka-reverse-prime/129828
-
-        Enable NVIDIA Optimus support using the NVIDIA proprietary driver via reverse
-        PRIME. If enabled, the Intel/AMD GPU will be used for all rendering, while
-        enabling output to displays attached only to the NVIDIA GPU without a
-        multiplexer.
-
-        Note that this option only has any effect if the "nvidia" driver is specified
-        in <option>services.xserver.videoDrivers</option>, and it should preferably
-        be the only driver there.
-
-        If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
-        be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
-        <option>hardware.nvidia.prime.intelBusId</option> or 
-        <option>hardware.nvidia.prime.amdgpuBusId</option>).
-
-        If you enable this, you may want to also enable kernel modesetting for the
-        NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
-        to prevent tearing.
-
-        Note that this configuration will only be successful when a display manager
-        for which the <option>services.xserver.displayManager.setupCommands</option>
-        option is supported is used.
-      '';
-    };
-
-    hardware.nvidia.nvidiaSettings = mkOption {
-      default = true;
-      type = types.bool;
-      description = ''
-        Whether to add nvidia-settings, NVIDIA's GUI configuration tool, to
-        systemPackages.
-      '';
-    };
-
-    hardware.nvidia.nvidiaPersistenced = mkOption {
-      default = false;
-      type = types.bool;
-      description = ''
-        Update for NVIDA GPU headless mode, i.e. nvidia-persistenced. It ensures all
-        GPUs stay awake even during headless mode.
-      '';
-    };
-
-    hardware.nvidia.package = lib.mkOption {
-      type = lib.types.package;
-      default = config.boot.kernelPackages.nvidiaPackages.stable;
-      defaultText = literalExpression "config.boot.kernelPackages.nvidiaPackages.stable";
-      description = ''
-        The NVIDIA X11 derivation to use.
-      '';
-      example = literalExpression "config.boot.kernelPackages.nvidiaPackages.legacy_340";
-    };
-  };
-
-  config = let
-      igpuDriver = if pCfg.intelBusId != "" then "modesetting" else "amdgpu";
-      igpuBusId = if pCfg.intelBusId != "" then pCfg.intelBusId else pCfg.amdgpuBusId;
-  in mkIf enabled {
-    assertions = [
-      {
-        assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
-        message = ''
-          You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor.
-        '';
-      }
-
-      {
-        assertion = offloadCfg.enableOffloadCmd -> offloadCfg.enable || reverseSyncCfg.enable;
-        message = ''
-          Offload command requires offloading or reverse prime sync to be enabled.
-        '';
-      }
-
-      {
-        assertion = primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != "");
-        message = ''
-          When NVIDIA PRIME is enabled, the GPU bus IDs must configured.
-        '';
-      }
-
-      {
-        assertion = offloadCfg.enable -> versionAtLeast nvidia_x11.version "435.21";
-        message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
-      }
-
-      {
-        assertion = (reverseSyncCfg.enable && pCfg.amdgpuBusId != "") -> versionAtLeast nvidia_x11.version "470.0";
-        message = "NVIDIA PRIME render offload for AMD APUs is currently only supported on versions >= 470 beta.";
-      }
-
-      {
-        assertion = !(syncCfg.enable && offloadCfg.enable);
-        message = "PRIME Sync and Offload cannot be both enabled";
-      }
-
-      {
-        assertion = !(syncCfg.enable && reverseSyncCfg.enable);
-        message = "PRIME Sync and PRIME Reverse Sync cannot be both enabled";
-      }
-
-      {
-        assertion = !(syncCfg.enable && cfg.powerManagement.finegrained && cfg.powerManagement.coarsegrained);
-        message = "Sync precludes powering down the NVIDIA GPU.";
-      }
-
-      {
-        assertion = cfg.powerManagement.finegrained -> offloadCfg.enable;
-        message = "Fine-grained power management requires offload to be enabled.";
-      }
-
-      {
-        assertion = cfg.powerManagement.coarsegrained -> offloadCfg.enable;
-        message = "Coarse-grained power management requires offload to be enabled.";
-      }
-
-      {
-        assertion = cfg.powerManagement.enable -> (
-          builtins.pathExists (cfg.package.out + "/bin/nvidia-sleep.sh") &&
-          builtins.pathExists (cfg.package.out + "/lib/systemd/system-sleep/nvidia")
-        );
-        message = "Required files for driver based power management don't exist.";
-      }
-    ];
-
-    # If Optimus/PRIME is enabled, we:
-    # - Specify the configured NVIDIA GPU bus ID in the Device section for the
-    #   "nvidia" driver.
-    # - Add the AllowEmptyInitialConfiguration option to the Screen section for the
-    #   "nvidia" driver, in order to allow the X server to start without any outputs.
-    # - Add a separate Device section for the Intel GPU, using the "modesetting"
-    #   driver and with the configured BusID.
-    # - OR add a separate Device section for the AMD APU, using the "amdgpu"
-    #   driver and with the configures BusID.
-    # - Reference that Device section from the ServerLayout section as an inactive
-    #   device.
-    # - Configure the display manager to run specific `xrandr` commands which will
-    #   configure/enable displays connected to the Intel iGPU / AMD APU.
-
-    services.xserver.useGlamor = mkDefault offloadCfg.enable;
-
-    # reverse sync implies offloading
-    hardware.nvidia.prime.offload.enable = mkDefault reverseSyncCfg.enable;
-
-    services.xserver.drivers = optional primeEnabled {
-      name = igpuDriver;
-      display = !syncCfg.enable;
-      modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
-      deviceSection = ''
-        BusID "${igpuBusId}"
-        ${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''}
-      '';
-    } ++ singleton {
-      name = "nvidia";
-      modules = [ nvidia_x11.bin ];
-      display = syncCfg.enable;
-      deviceSection = optionalString primeEnabled ''
-        BusID "${pCfg.nvidiaBusId}"
-        ${optionalString pCfg.allowExternalGpu "Option \"AllowExternalGpus\""}
-      '';
-    };
-
-    services.xserver.serverLayoutSection = optionalString syncCfg.enable ''
-      Inactive "Device-${igpuDriver}[0]"
-    '' + optionalString reverseSyncCfg.enable ''
-      Inactive "Device-nvidia[0]"
-    '' + optionalString offloadCfg.enable ''
-      Option "AllowNVIDIAGPUScreens"
-    '';
-
-    services.xserver.displayManager.setupCommands = let
-      gpuProviderName = if igpuDriver == "amdgpu" then
-        # find the name of the provider if amdgpu
-        "`${pkgs.xorg.xrandr}/bin/xrandr --listproviders | ${pkgs.gnugrep}/bin/grep -i AMD | ${pkgs.gnused}/bin/sed -n 's/^.*name://p'`"
-      else
-        igpuDriver;
-      providerCmdParams = if syncCfg.enable then "\"${gpuProviderName}\" NVIDIA-0" else "NVIDIA-G0 \"${gpuProviderName}\"";
-    in optionalString (syncCfg.enable || reverseSyncCfg.enable) ''
-      # Added by nvidia configuration module for Optimus/PRIME.
-      ${pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource ${providerCmdParams}
-      ${pkgs.xorg.xrandr}/bin/xrandr --auto
-    '';
-
-    environment.etc."nvidia/nvidia-application-profiles-rc" = mkIf nvidia_x11.useProfiles {
-      source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
-    };
-
-    # 'nvidia_x11' installs it's files to /run/opengl-driver/...
-    environment.etc."egl/egl_external_platform.d".source =
-      "/run/opengl-driver/share/egl/egl_external_platform.d/";
-
-    hardware.opengl.extraPackages = [
-      nvidia_x11.out
-      # pkgs.nvidia-vaapi-driver
-    ];
-    hardware.opengl.extraPackages32 = [
-      nvidia_x11.lib32
-      # pkgs.pkgsi686Linux.nvidia-vaapi-driver
-    ];
-
-    environment.systemPackages = [ nvidia_x11.bin ]
-      ++ optionals cfg.nvidiaSettings [ nvidia_x11.settings ]
-      ++ optionals nvidiaPersistencedEnabled [ nvidia_x11.persistenced ]
-      ++ optionals offloadCfg.enableOffloadCmd [ 
-        (pkgs.writeShellScriptBin "nvidia-offload" ''
-          export __NV_PRIME_RENDER_OFFLOAD=1
-          export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
-          export __GLX_VENDOR_LIBRARY_NAME=nvidia
-          export __VK_LAYER_NV_optimus=NVIDIA_only
-          exec -a "$0" "$@"
-        '') 
-      ];
-
-    systemd.packages = optional cfg.powerManagement.enable nvidia_x11.out;
-
-    systemd.services = let
-      baseNvidiaService = state: {
-        description = "NVIDIA system ${state} actions";
-
-        path = with pkgs; [ kbd ];
-        serviceConfig = {
-          Type = "oneshot";
-          ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
-        };
-      };
-
-      nvidiaService = sleepState: (baseNvidiaService sleepState) // {
-        before = [ "systemd-${sleepState}.service" ];
-        requiredBy = [ "systemd-${sleepState}.service" ];
-      };
-
-      services = (builtins.listToAttrs (map (t: nameValuePair "nvidia-${t}" (nvidiaService t)) ["hibernate" "suspend"]))
-        // {
-          nvidia-resume = (baseNvidiaService "resume") // {
-            after = [ "systemd-suspend.service" "systemd-hibernate.service" ];
-            requiredBy = [ "systemd-suspend.service" "systemd-hibernate.service" ];
-          };
-        };
-    in optionalAttrs cfg.powerManagement.enable services
-      // optionalAttrs nvidiaPersistencedEnabled {
-        "nvidia-persistenced" = mkIf nvidiaPersistencedEnabled {
-          description = "NVIDIA Persistence Daemon";
-          wantedBy = [ "multi-user.target" ];
-          serviceConfig = {
-            Type = "forking";
-            Restart = "always";
-            PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
-            ExecStart = "${nvidia_x11.persistenced}/bin/nvidia-persistenced --verbose";
-            ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
-          };
-        };
-      };
-
-    systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
-        "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
-      ++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
-        "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
-
-    boot.extraModulePackages = [ nvidia_x11.bin ];
-
-    # nvidia-uvm is required by CUDA applications.
-    boot.kernelModules = [ "nvidia-uvm" ] ++
-      optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
-
-    # If requested enable modesetting via kernel parameter.
-    boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
-      ++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1";
-
-    services.udev.extraRules =
-      ''
-        # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
-        KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \  -f 1) 255'"
-        KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \  -f 1) 254'"
-        KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $$(grep nvidia-frontend /proc/devices | cut -d \  -f 1) %n'"
-        KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 0'"
-        KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 0'"
-      '' + optionalString (cfg.powerManagement.finegrained || cfg.powerManagement.coarsegrained) ''
-        # Remove NVIDIA USB xHCI Host Controller devices, if present
-        ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
-
-        # Remove NVIDIA USB Type-C UCSI devices, if present
-        ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"
-
-        # Remove NVIDIA Audio devices, if present
-        ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
-
-        # Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
-        ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
-        ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
-
-        # Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
-        ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
-        ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
-      '';
-
-    boot.extraModprobeConfig = optionalString cfg.powerManagement.finegrained ''
-      options nvidia "NVreg_DynamicPowerManagement=0x02"
-    '' + optionalString cfg.powerManagement.coarsegrained ''
-      options nvidia "NVreg_DynamicPowerManagement=0x01"
-    '';
-
-    boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ];
-
-    services.acpid.enable = true;
-
-  };
-
-}

machines/storage/s0/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   imports =[
@@ -29,11 +29,6 @@
 
   services.samba.enable = true;
 
-  services.jellyfin = {
-    enable = true;
-    openFirewall = true;
-  };
-
   services.navidrome = {
     enable = true;
     settings = {
@@ -44,11 +39,16 @@
   };
   networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ];
 
-  users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
   users.users.googlebot.extraGroups = [ "transmission" ];
   users.groups.transmission.gid = config.ids.gids.transmission;
 
-  containers.vpn = mkVpnContainer pkgs "/data/samba/Public/Plex" {
+  vpn-container.enable = true;
+  vpn-container.mounts = [
+    "/var/lib"
+    "/data/samba/Public/Plex"
+  ];
+  vpn-container.config = {
+    # servarr services
     services.prowlarr.enable = true;
     services.sonarr.enable = true;
     services.sonarr.user = "public_data";
@@ -62,6 +62,10 @@
     services.lidarr.enable = true;
     services.lidarr.user = "public_data";
     services.lidarr.group = "public_data";
+
+    services.jellyfin.enable = true;
+    users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
+
     services.transmission = {
       enable = true;
       performanceNetParameters = true;
@@ -103,7 +107,7 @@
         # "speed-limit-up-enabled" = true;
 
         /* seeding limit */
-        "ratio-limit" = 10;
+        "ratio-limit" = 2;
         "ratio-limit-enabled" = true;
 
         "download-queue-enabled" = true;
@@ -117,15 +121,6 @@
       uid = 994;
     };
   };
-  # containers cannot unlock their own secrets right now. unlock it here
-  age.secrets."pia-login.conf".file = ../../../secrets/pia-login.conf;
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  # forwarding for vpn container
-  networking.nat.enable = true;
-  networking.nat.internalInterfaces = [
-    "ve-vpn" # vpn container
-  ];
-  networking.nat.externalInterface = "eth0";
 
   # unpackerr
   # flaresolverr
@@ -138,7 +133,11 @@
   services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696";
   services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533";
   services.nginx.virtualHosts."jellyfin.s0".locations."/" = {
-    proxyPass = "http://localhost:8096";
+    proxyPass = "http://vpn.containers:8096";
+    proxyWebsockets = true;
+  };
+  services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
+    proxyPass = "http://vpn.containers:8096";
     proxyWebsockets = true;
   };
   services.nginx.virtualHosts."transmission.s0".locations."/" = {
@@ -146,6 +145,9 @@
     proxyWebsockets = true;
   };
 
+  # tailscale
+  services.tailscale.exitNode = true;
+
   nixpkgs.overlays = [
     (final: prev: {
       radarr = prev.radarr.overrideAttrs (old: rec {

secrets/iodine.age

@@ -1,38 +1,39 @@
 age-encryption.org/v1
--> ssh-ed25519 xoAm7w Hfe9WoVDvMWc8P60BreiUS9+F1PmpZwUQ/Rf1tRxIRY
+-> ssh-ed25519 xoAm7w NvgGcHYNA6WmPn3sCmMzPCib+6P7s5R/G6lSJFpih2E
-oFunT3z6xg8BRAqzcaHVxafBUJbXJSCrsge1/nEI8x4
+gLugCNcPJtAl9+2fa80OD7D7XaBkpb2bzKJclOdjGfw
--> ssh-ed25519 mbw8xA xR/jq0KjCpwusJJ60mHqt6TGBdsSjUxWHChO8dGYhzA
+-> ssh-ed25519 mbw8xA dBYbSV7QcUTOp9a5hUAZeMlL828KrRp6tB3zMIopPDA
-kFEYLlnF7g6e7Tvud8JsblOtsj2v3QrAdkjJwV0b9ng
+i4QRHxTVaN60elfiuYXuESwbphxPN4tsQ7scH0ZJjoA
--> ssh-ed25519 N240Tg DoXupPWk4YsgqpQ4yPfpz9a13Qu+ZcxavLbKjStf40E
+-> ssh-ed25519 N240Tg Xg5q74f1ylRZGLpPggkTy1QU+LWEcHpqCV6wQ2OhQlk
-+mCkreDEjo8G5Ew9TNaRp221VL6l20jG/6QVa8Cbwa4
+RubXACwdS4+xNt8nt0C0wk8XU2YIWOSRwIXUg47sNA0
--> ssh-ed25519 2a2Yhw t0BY1ZmbeSORtHRvy5c3XeIe29QSRd5wSgibjZgcmAE
+-> ssh-ed25519 2a2Yhw p5w1WsmcVHImVtolvrULgSsYXlm06g2za8zSiDf9uR8
-5+EWlrZoeg3SZ6MCaj+YN4ovWxrTbfVz5IV9gA7bcwg
+qVuj2L8jvRmINprQbYg91yoJU0XZmO7TprQv2UsvpmY
--> ssh-ed25519 dMQYog gaJXyfz3aN5CnbKGao5nxnKc6ZGyXuLI9s5DQ7zcfDA
+-> ssh-ed25519 dMQYog EFYjggjACyNwvNCG75XsceqnUrrrsX4cv7e+Mu2Z2zI
-6BdUMh7erbIXstvEPnc0jE38rL9+0QU8PYtcQp5PUNA
+Q7VPIP7iNqHxGGtRG2Q122f60ZztSRsRHRbziGAinNY
--> ssh-ed25519 G2eSCQ boj8/IRM5HG4LEHWMYzDr37Z/fVyI+ZAGbFaUzGtOS8
+-> ssh-ed25519 G2eSCQ 5Y6Tazqz2Wjl2/lrlQMUWgEnSBJpmzwXAUGEK56upgE
-tzZLK/jzjron85vLrxFALKUgGVi8ZdPnM/zcVpfp6Ps
+eVxcvshe+uecw4ORKdS/2W8p+jcrro8cDcDdmeY7Olg
--> ssh-ed25519 6AT2/g A8NtCXr6AksNJCnOLsErYIqKy2SqMza0GsUURr1YASo
+-> ssh-ed25519 6AT2/g h6E5M1uJRhqfR1bm82rXrJvmr+nkeUPbygD8S+zbAmY
-lMnDpcWZxXIIRqBtLYG6Pkd6L+/dPVGRCgyYPzRLnII
+r5yR6W2uCcR4cEnbk/1tXwhAanT2EqTsH1mIDbrVGVM
--> ssh-ed25519 yHDAQw NOqmfI7ZuSMTmEErJjHkbjGtNwJhpHTWeS/6zPsTVC4
+-> ssh-ed25519 yHDAQw lWomhFF/IyKtOUlBori7wNjrtsbqvKXXhAwF4a1y8js
-5tZLg+GbfpnCi2CbSP7lZLssYm7hR/B7PZCZZ5X3ahs
+baOAc0tKMbh6Sw0bWyynI3OMrsOPA3W1fCCIn26azeQ
--> ssh-ed25519 2+FxVg SA3lD4YzgKQWnztnaKZkkWZvooAnH3uv3o4lKn59rAI
+-> ssh-ed25519 hPp1nw ZGwi0yK0Nu+Y/uXIxnQH6Pwmw1SWBE0yQ9FOuBNKp1U
-vXkGl4IUstTQ6BZsT3c5PmPKU3lJxosX5LRUuAGVSVY
+tN8kk/0AxUIiFbEOSeIlGiBIy0d96wTG8VrGPnEHTg4
--> ssh-ed25519 CRfjsA uIa4dBktv7pMMv4U8hwlUJz+Ewh7ZjQ+j5ln7ZqxlAw
+-> ssh-ed25519 CRfjsA ntYznFouB2JWY2LZ6aycDogIFbLHOhqcx50QbJIB+RY
-WadTmmOeOlaNlejglQ3NgOk86zS/yyKKkVabIPajeCQ
+slo38Rvg+2GV2fKRlt4Yns644kd55DrDz7ivi6RTyXg
--> ssh-ed25519 vwVIvQ pg5Yv6YQh2tYXmv9PP5etAMxNN85dwQ28jXZRkQI9RY
+-> ssh-ed25519 vwVIvQ UF+Bo3Rl5OPPqqddi0bqleRJV9XTuykrl2dkPPSyRAE
-zE81eln0hmbRchzNNYXaMxI8aF/xwGXy2wm6GlKnzg8
+znn5KNsXZPHN2/E652cPhOx8RF5+uuFUyGhrI+kCou0
--> ssh-ed25519 fBrw3g gtUFDnC6CowNoKxwgLCOsSQ8rK21y327K8B94zlMHQE
+-> ssh-ed25519 fBrw3g w8EkEo1db0Po5ZhDzz/5nshsSmjy9wMSKp+XFDEuUQA
-+WepWvCmTZj+ht7U8aMD4kJ+zDSH7+c5lNSDw2JKrzA
+q50eyTDTxQULpogMbVXI2zSfu+ZZP9DOXjM+Y2/rMNI
--> ssh-ed25519 S5xQfg vsDTXbJTOjL7wVx1rA5ny0Ix/f6QFlZxxB1z6X2YcGk
+-> ssh-ed25519 S5xQfg 651xn3mNSl/3+KT5d4XD2pkMNcxi6BScqX3teoKbgio
-im/TCt3Rszp0tP8hx1CV1xqaxh/PEUmC6ZoARVJXUzo
+EOfzB+woFBWBaVKuv4t4E0Gx3vf7Lg40WXSovXs8N6s
--> ssh-ed25519 XPxfUQ OQf+JUauisYKuYtya1HlpnZKteLLJonnd8JZiVwfAQA
+-> ssh-ed25519 XPxfUQ FL+FYVsRNJBv7xEpwf0fXgJt3G/FiARQ7+aWK/sxryE
-wDSRsGMxQ2rXtej/iBX8n7KRfdLIB5q12Z6zu2I4wNw
+xneOKh3muAhjkLC2upsRrc4B0mggwm7IOMFsg+25gT8
--> ssh-ed25519 SpD5mg UlMJvnqDtRj3BTE4wAYa11D1mM5Q4vIkKIPmtODKYSc
+-> ssh-ed25519 SpD5mg f140sUr/7itxtllfcbBaNV9xhRaV/IULGVn6AaP7zkw
-RW1Brw2kCbUlBZK+UdusWAKEW5ZC5VHt49qUsyeUr+s
+FnostzjoSC/bdOu2UF+rT+0mZ0aUM8rAAoQltUXn534
--> ssh-ed25519 Kk8sng 1TYOMJBzUZrgcRE02YtFllJgV4bxsCFRrRgnoasWyVA
+-> ssh-ed25519 Kk8sng 9JnybgIcROZf+l0C9YGNb4xWkZLtdfUPm2V0WJsGPUI
-FXSNZ6U60lRRgS3EvqKZwWdwA3vIW9xe5+NcmuYorug
+fs4wBEIdK6kU1CIhI8zz/yqa4Fb6Q2u+MO6SsudQlCM
--> x'-grease dT
+-> C89-grease >Fa(j6s UN5!{
-viYi3YkLyuugYlo01uxExjHQVbq6hMoAGI64lXiE6fE0I0AV5Wr8yHiylwAH8ax2
+nb+ymnliEEKJf3IGloFQMNl/SyFjvFUqekC2YEY2qJblAUaft3Tf6hMYf7uDSjew
-4ylwQQVAA66xCEF+2QoIapO+V7oaWrjeiEVEAn1D
+5SRhESY0VucHhAK6OybwPWYRlXXv2gM/wxUicB8
---- q9OmQIHexmW/2u7d1XKjUgwp+QYHbiiPgC9ZurBY5l8
+--- t6Q6ULdQzW4/xDtZDVI/lfP5i8Cq8lnURqQSyKWHvyI
-¥qÌr
.¹s
;ñïÑïMdYŠuÜ~°#i¸ï-øÁVBCÞrå·>üADéÝÉþ83<38>ú:"î¶o+
+h,:ìüæ
+H)'’ЊÂ/²)žÒ¾ìpˆ¡Rç›2QU

secrets/nextcloud-pw.age

@@ -1,37 +1,39 @@
 age-encryption.org/v1
--> ssh-ed25519 xoAm7w ftH5Ym/ik0hpKF9/keVodc9lbrbl/tfgI7FNYvY7aCo
+-> ssh-ed25519 xoAm7w 7+DO9mI/zZfTIN/0KBMOIjMNnReyGoH/XVQa0OLdAHY
-2UxiWjJ18muZg1qcomcFEJChlebx5dvdsVfdxdVCnEQ
+qg/UIBJr8GX79d7xrIIN9GUt3pDIormlOM7IdjIytHk
--> ssh-ed25519 mbw8xA CKMJ+LK6HWZybajuHKTNkPUJWTcR/E7Pu7E0LwLljRE
+-> ssh-ed25519 mbw8xA 9KorXegEBX3PYQm+Ljdjs2hkxAIpz2CZrITNCGo0BnM
-aXgVMhoC8GEAm4YqHPAascX4CDX5D4T/uwbfdcfheI8
+QNQWGWqoudiryg/0fV2KZUuJQGp/suZun9KF9c2OTqw
--> ssh-ed25519 N240Tg WjE5EbH6nsSCsZfHBTDebdCYU4lNyEemAfqdSIpYxiU
+-> ssh-ed25519 N240Tg kfl4aaKI28cDfzX3MBisRGraQYChPdUF2WigjOFYx0Y
-Dt6ZVntKzQo65WWHRg9Bp0JJhjwMIDqfV2WMdtELhpQ
+u8dgbgJSmcJBp2Uc8qbWMbpa/cKEmx4V3psQgzqnitA
--> ssh-ed25519 2a2Yhw Nvaz150AMV7M9QuY87wPGfHCfNJ7CH3VSl6tTbNlHig
+-> ssh-ed25519 2a2Yhw MGk791xEYHlC4bYfU5CMS3rY8TVI8KYvEIwUhE7wQ3k
-U7KG+Yl8OnEFjso8s5xgHDsnHSe6IfkImG92uoo8BoQ
+iFT3QUR8PyWw4grqy7/8KfLfYNIDkgDKM2MqSr6cj0U
--> ssh-ed25519 dMQYog EMPtqpONlZ1XJycSBZJMNx2LBQEcPEcPIoJ1LstdJE4
+-> ssh-ed25519 dMQYog IW1ntuHrV85WX60GI295c197NUlQMKuo5gd3sQZl/gA
-IdewH3GF1c5hWGNQYbLYWMYFrhiFfoN811GDdoNEVlE
+gAnx0rMggqZ7Rn8tHFAXJx3z3t9MkZpmjpgI2qAtK4g
--> ssh-ed25519 G2eSCQ unDoBOz26bzNaKAoYfS+Bf6M+bGf/D38aZrGL7pifgs
+-> ssh-ed25519 G2eSCQ 7ZpZQAda0uxjIIdpLnC5JlU6cbLtJWr9LSIIdi7PUQw
-uNcXcIOaS3ZGxwmKXMqRR7kG3ErDW4VW0ZSDVkrDPVY
+PfGFrMVLCmy8SDv2nn6p6M560Xu8lte8DjbCORDM+uc
--> ssh-ed25519 6AT2/g hAm89Sp/tWm7lnSggrK0CCMEXxkBaToQ6wsXSzZifTE
+-> ssh-ed25519 6AT2/g JGE9jVFM2Wu348XIHpubyCEismpfBraxnFGTnEvqqnI
-qhRrlwPCdaAmvW+S6XdbWsKnwoO2eLgWIfSF1XKaP2c
+kDHfyJdBIGIURDJ0Nsce4DqzPzhk5p+LM1QZ44pZ4g8
--> ssh-ed25519 yHDAQw vm25bEwFJg6jY2LIHTxbOnYDE2u+8MuahtBQJpzdW3s
+-> ssh-ed25519 yHDAQw KNzCNjvErLwEJZpWWMIBFUGOC8jURyvoKzCWX0ATrRM
-/tZPXzO363LuyAQ2juZnq5S6tRXaq5RA1VsdQI6I3LU
+EyIJpn48eU8oEB5FbMhCOd16hAVrxTFLyJEoos7WGOY
--> ssh-ed25519 2+FxVg EfDKgl4yXd0MaTMOYVUwWqlujNiDJn8cUensuRHa9WY
+-> ssh-ed25519 hPp1nw kdjLNwgYQV/4NMubVpJw8QCIuKn+u3CT1boZNJEWfCM
-lmq9qcJaGm1IIlC4wZ6rcnywJrZP1XrjXGpQmRrE6WE
+FXNLqmpZB+CtSmCY9zGr+3UebEwNK3JmdP4ifdXiQL4
--> ssh-ed25519 CRfjsA eJXHwGRcgGRy7jziDsuWJlpJZ367DgmPk33vMza+PVM
+-> ssh-ed25519 CRfjsA axLQSlgVkaYmRktIP+fwHnhN2pJ55NCOW0fzTzgjFF4
-kQzmsqhxydPnO8zkQAF6V69inaIur+Jj/Y/UWSlm8bU
+ElO0byzF3PJxN9WgENIN/YfmsOR9rOhEh3xRNIIGIyk
--> ssh-ed25519 vwVIvQ g7Dbz/nR7ltZVJtfnLfNcuTl0EEmwevqx4uzE2yU9Bo
+-> ssh-ed25519 vwVIvQ LtrPXRJ0hztkWFnoKt5c0UzWQpD9CO990k52gjWcQnY
-t0kEKYGDjcjDRCnKcyLoLJigfupgSwFGNKnWZNgcEjk
+nHb1hsXhHQokcA4WoRlbZy0EFQt8Xd0cYUGqblY17Q4
--> ssh-ed25519 fBrw3g 8YAKhKpmrEqyg96QOTPjHv/Ufjzn4ebyf812/u3crB4
+-> ssh-ed25519 fBrw3g dnWs7lWY8QoWOjWHG68FSYqZDzsIaA/qU4AXrndGNTw
-joYiN6sLiz5zlp+w1nezyVLsN4cTMreL7vG2Q1BR8IA
+gh4+t6THL2mtrPUzGlYd/YxDjk3hpHxUmGq+kRcz9BQ
--> ssh-ed25519 S5xQfg PvaGUlWhWUhW8KXg9GK0Tlw4ru1M7vpeG4jdZt6HnmU
+-> ssh-ed25519 S5xQfg kEXs5hXXR4ocYYWoT2xFr4HITe9wIOOLz73zm/9bf0o
-rFb37EZYgmmmrJNxVe4S5CkFEadUNw72FWS67qlOcmM
+WpO+5/zXc+UGYJGkNNQr8UsEz2RyBUtQ4Syep718294
--> ssh-ed25519 XPxfUQ BQkn2MzbRQT32mrGK9jyvpm4e2cnZEmrFig+YVOy0TY
+-> ssh-ed25519 XPxfUQ pL4j/idFPiIPnWI7bIwn0+FuB6az/hXURAh+tvdr7Hc
-vvemmqvcsE+4MZYBltYMZyuosZy5JxDYe+a+EbeDTv8
+WWJPFYanmf3+KnjG84XlnEapI1vh0wRi9XFJRn5JVpo
--> ssh-ed25519 SpD5mg mndEjGwk50wd8+zdFao9dvscApXrQVk5HcdgBzTAzhI
+-> ssh-ed25519 SpD5mg CpGcl7ONt0juh/N2hwcxWiuc9u9wjQ4d+AAF+1BQim0
-1Bl7ixB7xYLsAYvu3HY67u48Dv4ktDwYo5oMAbr4n1k
+7Xs7qYITkCsjloA74CDGn6lZhXNTqFV05omLiCz9efg
--> ssh-ed25519 Kk8sng PR7IpsRjn/4WYchFHfkGPgNayTSJDM9rY2X1CFKN5Fo
+-> ssh-ed25519 Kk8sng DzLM7ewz+4yz5YNQfBDKcOOlqMxScGR34XfVpCUHMEM
-mHPqmcdjP1atZYLaA3phPsjrNAEbAfvpu01mfZ8qK54
+eH2ogYJO2N4cqxRibCOEoL5cXcTdWavHS3uRX7wwHxY
--> ZN_d{1-grease {~-\e[ 8c 0LUi]F)=
+-> h<Vf$Fh-grease :~Z8 qwh*'} 2*OyJh )iMU_m?t
-E+1JKauEcaaXzol/Gg4rqPJmO3+x0EU3V3evmxbZ
+u9QuYuPJEVl7Rt1cEcXZPQ0IfpOzqB59iTMch/SDoByr966PBlBfjDS/7i9U0sEI
---- hl4Pp2I55YOS97jg8WRxXI1+wylN6RvGF3P+kRxL/YE
+GMeVtXePXkKPXVvhmbZ/C9KI
-Ù$²L1ÒuðC,œ,QLÖiõØ&º`ñÍe<C38D><65>0§ÿøÙC§”„ד\7ÈP3Ñݤ,ª}U¢	üî·½î-¹R.¯îb®‰|1ò3 	ùŸ“àÚÒ
+--- 1F0kxs/7SRrpoj9q4t1eCg381LzCgrwA1DYG7zcI3dI
+ö>°cY§ÀeéEò‹ƒ\ã¯<>Ôc¸j‘½	ßÎíÃS­—XpºýG<C3BD>§$½}i¼10
+ϱ™<œ`á Œ<>, öAž¤£
~r>ø$|wˆ¿

secrets/peertube-db-pw.age

@@ -1,38 +1,39 @@
 age-encryption.org/v1
--> ssh-ed25519 xoAm7w 99ufX8x+2IWSFhunUnSeH5Li0bdNZQpnjAeoI7TBZQ4
+-> ssh-ed25519 xoAm7w 6fOw4Kh4O0WAdZG0WPBdl63ap/Xr/w+Rweylt/0mKDU
-AtecBXuKzWfxYO80lRha9uyltLExWqTTpT80HHOsW5s
+M2ZYVPz9vVGjJ6us48pXSFKKH8tK8PhkvBUJAUriimY
--> ssh-ed25519 mbw8xA ZEtocwiOLTy313asl0C9MDGPy8KTk5wo6hZHLSx0WjI
+-> ssh-ed25519 mbw8xA JBYsd9iwH4E2GfGP63DwdwT4Y+gvL31sB3rSY2GKDmQ
-wwxe3HF3P5BFfAMI5nes+dwnzM51HSY3xtia7wVBn8s
+zMHRL3bDxeAkWdKYPPtc/xyrkZlNtzBwzMyt5lb0H4o
--> ssh-ed25519 N240Tg 1tT+WIwhrNAZKiU11+rS6lo4XqII4yjwoC5h/J8GLkQ
+-> ssh-ed25519 N240Tg 9DErfKdTHuvUcw9+5yzo8kMHa+IKxspGlWb6KRvPB0o
-hLWQ7XFlmycr+J1MukhHFebYpsJVUwUz5F2+XNDU5g4
+q1FLalljaHyYxEu6JrmcXGYhYi0L7TAtV0U8UsaQ4cs
--> ssh-ed25519 2a2Yhw 5JwVo1eeVRryxYYaWznfHlIm2IbNcONOKK++ssMj2VY
+-> ssh-ed25519 2a2Yhw eDolYbro00zktVZA8xdhbjvLkcOItFU/lTBPXNYypWI
-o1P5EycNl31HBfQYZyB3KL62ZxBej/t3T30dfo3WYko
+d1MlKnVGRf2T2VFPhDnsSF8fboF+5mAdXEMeJRTjJz8
--> ssh-ed25519 dMQYog Gh9wRFQ5at0IRp7lSUxqx4cmo9khOPMfS4B+QM7JRzU
+-> ssh-ed25519 dMQYog 2y6zkr37iC5VarUPOlrXVj9XyS5pihQq6O/K20gTMnc
-zVhsUzfXDOowR2ICIEqpTfm2TjsiFmK+3k0/cHJ/o/o
+jQxtJYCH1JagBpaupGVizzk0ZCswOQvFTcxT8IeFtRI
--> ssh-ed25519 G2eSCQ iv5pDSg2yIcqCJcBHS4GL2lbCZvzPxjHbkLjZJQEWD8
+-> ssh-ed25519 G2eSCQ 8b0ZqtAxiFRfLEMHnj6LZmq5CQT7nMmfTwc+gpKbQQs
-JFGDm/7tRozdGVSdeA7kd6N8+Sj39OjJ/Aut6A/7w9A
+kl9EvBs9BpZXoomdg30ViCMBV8xEnYlCD9GFY+dNVBM
--> ssh-ed25519 6AT2/g 3aE7p8BUJ0Dt6zATjGBql9Hgv4gzpAR5zqPahLbR/j0
+-> ssh-ed25519 6AT2/g kA3H9/fN5qyPquKIBQqYSGZYhxqDc7Zyj0CrjF0Nqgg
-nfhfhAP2ZLWZPzRr2ZV7oaP2DEOGH/9Ygo0plrkmu4Y
+zXrT+jpTJo6ToVzLuLzDcqblXKdDbjxt4Zr9CvWBZc0
--> ssh-ed25519 yHDAQw KR40v7vC6hRm9QqWtlF9WX8WIzbo7b0Bukvl1dHMiRE
+-> ssh-ed25519 yHDAQw vuMN4IU9wAIAWDFEDCr1yjEPtEMCISxYTx27qh4QS3U
-2F2jAXTK2g+82Y1kSzkRruqAfsCzhYwKEbJWtg2JbMk
+2vrVYYbBlbyEOmd7cpeijKeNk6uEe/1iWQcZO8dSrWI
--> ssh-ed25519 2+FxVg JQxr5S9RIOcVzBK2tNBtIBDnncldTPk9blnuGNxrmyI
+-> ssh-ed25519 hPp1nw TwogaV1PZXUekJoqXepW8sUm+DvPCxTEL+RobecJ3ys
-4vcIXvs9seQZ3GVPIqYr41Bd9xhPA11BlLHa+YNDf9Y
+VKM1QHFM8qDW1ZCpueQEqQtQknoQ470nll7y6WTjlWA
--> ssh-ed25519 CRfjsA HjpZxl25Xu175mNcmhb6gBJkSiN0rZAHGaxChssjkVw
+-> ssh-ed25519 CRfjsA dvkLphHpCButJtI/RMlt7RvaIuMNHLbF9y663tvuvhs
-dX2D42NviiSQGCIPBPK1x4CzLf5v3fkcFM6+tVAi7k0
+VEwK/KDK93e2iwEcwmGM8vvhwqi+tNW8SYrbsehZbWE
--> ssh-ed25519 vwVIvQ a08tDilNeVsKz/SdzmI7/drnMTyh8o45JJgc27yRZG0
+-> ssh-ed25519 vwVIvQ xnd9Vgz9FCeRu6yZbbIZbSBEvSkgPzFifye5eT8kmT0
-5qiAp/6uHLIBNdG9FZQqZsa7q9pbJyzlTe0UQvWikPw
+XOCZBNTP66Wzy5Vdn4qJwzApDx3U2qNnQqEBcwfARHk
--> ssh-ed25519 fBrw3g dDA8Vy5fpfTs7b3+mAVkR1HXvtSRcyq5shCHZtwDRxo
+-> ssh-ed25519 fBrw3g 81Mv0OtBk9J2Tb7kjnT4uCGeytV7HJfOTcA5C4NoLy4
-gIk85ymB3yWjINCmlSJkaFMihCD1vDon8+OLwAh2wRU
+hiMbGjXjtvBa2Puhb8GBas3WXc0fozRD4hg73MvQumw
--> ssh-ed25519 S5xQfg ElRT4mtq4Ksv0imJ5dbvW5M5DIgdStHQdrFqzmXZXho
+-> ssh-ed25519 S5xQfg F2oOMdM1U1aT4K6pIhCnCz5EbxnEb9Q4QZ0MkhSJKnE
-QCK3xZRemQtgXczwgwEbrf9oJZ9NtSHa3a50T+nE6AE
+Pz2cyF+IGLz64466ne8np3xA7g+51S4s4mlaLRohIM4
--> ssh-ed25519 XPxfUQ l8AbR8IsS33Q99i9uC0b3eT83tAX7CFiep0V6+62hRE
+-> ssh-ed25519 XPxfUQ 3rIutnjj8fXIo3mCAL5nfzJep7q70j+AGLE3j/JxOhY
-D2YSywYJ3WzTm3VWMh4YWKBaTARQ/rexq7ked3Di9fA
+v2Xj5PbpFMsf6Tx68u7VHCRqGa3Wrnsk4E6Q08SklUc
--> ssh-ed25519 SpD5mg IQUqhLhcHQn9wfFY1RSZnv/GeQau6y2N9JOl6e8prgo
+-> ssh-ed25519 SpD5mg tmM+zaXpX+W8xsMfBCoWZc+7wPRI6yFt2W/p4O2s4lo
-K11LjHTz0VZyYj90xsbQznUBGvckPDX8jDy8md5o+8Y
+ckNxHza6ruYdIffwxDFOWnYOUgpbWNfwzU5AQJb6ZAA
--> ssh-ed25519 Kk8sng XRNVn/26tWcdLBzO3cb/XVdewgaw+b8sDIn0jDcWIU0
+-> ssh-ed25519 Kk8sng 2ddBuZ+DEVuvRmWS2O8r+xT4Qtrev78Vre+yQ3kNdEA
-r8yDTjK6W9BG18hAU/sN3G6o2jU1dyhn/no9SBNcT8s
+LojDcUOsZtA5kw8kIPC2y+G21T1uKUEUkwkJ3xPiUX4
--> P_O-grease M#%Ei0hU
+-> "JnF1%Gd-grease |=~ P
-rzNzlsj4euy4zrS7S85p
+tzG7OLiEsRVyoTBpLPGwqNBUGkz0
---- T48w5S/LYYKktHmqdc//AxHomtH3Xz7CPxRD8KOhYoA
+--- /AHllIllItlnpPXQAkywTF1UsUb7Wpec2jdYE6kOkO4
-dú6ûJ+B†·r!žøµŠC&Y1G/ÖKm½ BÞè©\ÆñSTü[l„uW
+lß´“ <>§K
-á®fÄŒ
NTõå6éÜ|5c,R"É…ÜqôÍ+;šè|€ªÜ
+^U5{Ôpœ_l9ûá7I#J¯˜Á!ë†å`Cθ^vÚÕˆEòµßŸÁˆuž¥òä×_WPæo2.<èù w}¶Ì
+(!V®

secrets/peertube-init.age

@@ -1,37 +1,41 @@
 age-encryption.org/v1
--> ssh-ed25519 xoAm7w cxa29LYBQrc3YAW5rUvS6nfkEg0j66w5wYu1PZ8Wc0E
+-> ssh-ed25519 xoAm7w N9ZPma02+vK6eoQ6X9/AufI8d9Sq0fAmbCygEAprM30
-NdsMgB5PVVsFrm7wR3xrOcMmIvP5pv6g+KYAhiRvpuI
+qUcK7qCxU/wGxssjMO3BFmiP+ZPCMMA+MPsqTS6Hau8
--> ssh-ed25519 mbw8xA CKUESfDlXNokBZDcbmCkgD16V9han/+r5dFI2rnBcRc
+-> ssh-ed25519 mbw8xA 1uhQY3YHakSRBjgVfqWc3ynGGNT+T6qR74oy7UpbdGM
-uc1sJ/OQ5gclZUSIAJ2c9VY2Xb/ArMNpSnNp+gSTWZA
+7cvBh7xPxDxZqrQURBUUnyk2YjzVY/kzAUf7dy5y/JI
--> ssh-ed25519 N240Tg 8ZUgwgnxZFMnR3F+8VSXDAYooXrJsWK5QpfSxKKSKBg
+-> ssh-ed25519 N240Tg ujiP5iMMSupxkwhY1DpkmRQOQlZSr9WjPGrY7aUKmnQ
-raQOAeM4rpFuGMtjts6AkwcFaVRNoy0byVXBDR5BYYE
+FNeXuINzgDB+gn/u76gQq7J1zYCQC0wbFyUVxvbalI4
--> ssh-ed25519 2a2Yhw ig2GjUHCFT57AldnHOWs5uQAaOoFJeoounbweJTQlwE
+-> ssh-ed25519 2a2Yhw C8/2A7AOzjyrH4Ulre9G+w1y7H1pvVZe6k5PTmGBlCI
-VARizPNxh8KHt/PxPgkagovHAVIiL8ex6XIwUM3xYLg
+9W6w4Ib0riy9sbZEQvSYeJ42LXwPruV8kPvTOP+dMqg
--> ssh-ed25519 dMQYog LQUCsEaZI+6jWrwz3HKWj4CJN1r2SeCJmc35b2/WsHc
+-> ssh-ed25519 dMQYog hIbfS8dz5LGPZ9sU+lHHnL8KB0CceM2nYV5mFV038gY
-5S4K966vu1EdRTENYLgyCdmGBln28O/j9V3uPgjaS7g
+6r14pRwszEZGVzDRZQlymlgjdp1Zd+r/O2IfjqxBZcs
--> ssh-ed25519 G2eSCQ zLkbxZbH3rsgENTIZJKDPo6ByTGjwRScgl3HVZxwu0E
+-> ssh-ed25519 G2eSCQ kvgWxBHowwVcGlm3KiWjxug+Wx3zkcMWl4wbPRrhrl8
-lHvz8F27CTG0pCW/nAJpdISuTcOiqpD2PhLOYyWCC6A
+A5VtHqvDwaa8jONXMTvVQC1ALcnsiqxllM/DrRXWFws
--> ssh-ed25519 6AT2/g 3pshwP5X6PFs8GhQVPQ5s3TSyEt/Z6mEswTvZ5ZLgUc
+-> ssh-ed25519 6AT2/g XUGBtkOcpLRKNDS3hsyXAap1DXAIeaRX9jFOfhUpMw4
-nFSzE4oF+tnXklCyacNQwBJ82s1HdmGC6mWrYqRVd+w
+sq/Ziv4RGRBmrUgS0GWTQs8AViUXBWjUxqf0V/rAN8E
--> ssh-ed25519 yHDAQw wnJ41lJounkHLnZB56fLgjles3dYOzoiFM8vOfEHPEU
+-> ssh-ed25519 yHDAQw GmscTQwu+lHC2VARJusQ606NLf6OlxITZzINjrbxf2o
-33TGDVzGFr5TSVSzK3MHYB5rHR70lBrnvpgyTVBsLl8
+LmuIU71tE+2OlF0HGNS+DdXCLdA5lAeTPXl1S+V5KCA
--> ssh-ed25519 2+FxVg NnL/Wt2gNb/0vkd9FgiZFlkbpCfwweAJUCXi94U1Jms
+-> ssh-ed25519 hPp1nw XQbGxz+YJ8RieN0HxEQz9kJfikbWTtz1hFNGQBHkXzg
-fvkC5RGNBDZ4DLVjZvAQCvnqLeQAuQn0XCS+VFSyb2Y
+1yst2YMs9XelKpIGyl+qxAgrFZ+Hq9odh6wBovbb8sc
--> ssh-ed25519 CRfjsA YC4+VW4epc3UKMDV5r6RXR4Vx8td1qCuTJwnSiHyxV4
+-> ssh-ed25519 CRfjsA 79TlEM5+g11lMOkkW/KvSTmt//ChklK3jlUHLAM/1hQ
-gRLgJqsMuTKD8SObfpR+3zWew5rjwdpEmUluyWco3Ps
+9X1VP6SYST3Q841ahE+fAeg0FhKq+/XcZdysigIOgdc
--> ssh-ed25519 vwVIvQ qr9hH+jPD/2eXesSPE9/sk51EeuNHmPe+Br1XVJpsDo
+-> ssh-ed25519 vwVIvQ 1r0/J5T1fEmOjM7ybKDPOBdE2UIDEUdkIFNWGJBzXGs
-fiRhSdMKVo4K63UAJh4jyTky0aUZZUYFDAE0abWinYs
+gAOX/3koAfQx8er8nt4dlvLbIoYfeVPENjz7wLNoFwg
--> ssh-ed25519 fBrw3g d1YdgbjHQpvTgLjN9z/0eRtEYs3x0Wht506uxogWCm8
+-> ssh-ed25519 fBrw3g 9hdWAt6qEwjAwVmTprCkR2q6GsE4dEOCiCTRfz58fTk
-d5bULkVNiFT4l9uJ/6k59dfcY5jYkv38YHjx7+07YRQ
+f24fPWUrwtt1UN2ebk7tj7gBY8EiAMwvEvztCvaNZRc
--> ssh-ed25519 S5xQfg 9Q0QgN7g9kRGiOvBGZp+3TrVuGU3oyAvK9M64aUmbSA
+-> ssh-ed25519 S5xQfg wyY1lx8QIDJy9pCi9zS3T3lNV0jQGhVC8HvyI60zrD4
-PJQPEpCM4zU5VLrqsMa9Qd2rZvQSq1vYbPc0uCwtWyk
+6+agBFHfxcaTLfZLyEeUMl9zyaFbsM9X2EXPvf6DfeM
--> ssh-ed25519 XPxfUQ qS5Y1YSx2g7ulSINPEbjm1lqL3OvGuLaj04tcPmjTiE
+-> ssh-ed25519 XPxfUQ IabbhU0TM3zImRHyKk1NLnGRUUTuQHHCMLzp9AltDVE
-hSw0TZRL+V4NinnYq37fC64zFM8CdhZFNXmd3ps0f3o
+vf+5OlycHphA0i4nB7c6OtBBahWPJR/8VSWzudM9FEc
--> ssh-ed25519 SpD5mg 6215GJh97SQIklYqTx5WPUlPbNJUMo0vhXTwtr95rGM
+-> ssh-ed25519 SpD5mg VSBErQVSLWPcA7C3p+wuL0/JaP58O5Gvy8z5eJduky0
-jklCiz/2AIAIuCKPFS8u1Bw8SXMf1AOV9X2P5UHXMUU
+jnd3tBVjqhf8oZy9h2soMZVPEa2dvYHxvrNUdKK/UwU
--> ssh-ed25519 Kk8sng F8va5sud1ck2V5MQ8ky14Eolj+YEIzoibGrty0wVQhw
+-> ssh-ed25519 Kk8sng 3gM4o/sdewPR8BZo8owBVEE2GwqnQgUeA1Uxsd8nOlM
-FQIkCvXEtPy+aek5rvU6SO/Cet+f4wzQ/ebqbLSaunU
+VpgZRzc4tN7QX8s41iKoCstfU0KgrGhWolfws8QXYr8
--> 1k-grease wE~W)OD
+-> vWbrVo-grease ,kVQ{
-DXxr4+gUdNeA2+skSQ
+PpMMMc8V/eqh5OBEcK067OIY3UQt9QTjHCVVesZediQxm/E2rRYvKm793NdgsflT
---- n9Ef7xVWYWE0Gu0h2fLzw2gP4qOHKLsCZ/6Yjfxp/xA
+mAA0Lcu8/6EPFWtK05TxkDO+JaVfrvKLKuh/E3k
-Ô…Ñ…(¾= e‘ŠjÿE‚ƒl)h·:¹žiÉ<C383>…ÂÎ(>6ð¶{ÜäêÏ:ÜlŽ,D¨º,I;þ3”˜»ªw¼¾úµ­Þþ)0“غ0ÆøXÖ{fè·—­@þƒÛꀪM­ˆÒ˜Žä!t
+--- eKZw2cOm1WsLYj/Bx14q433kkZ6altIqL0qnBSYXjn8
+>»KÝ’-B<15>vœâŒ×ôÕŽ}4©Q‹åÎ˳x
+ÅîÝÒ{ʱí­
+0U
<01>Ò

+ê¶×Ý

secrets/pia-login.conf

@@ -1,37 +1,38 @@
 age-encryption.org/v1
--> ssh-ed25519 xoAm7w 6YE8Xut+bONuueEoD3aAPn6ly0nlgHKmPhrOYmaZyys
+-> ssh-ed25519 xoAm7w SqYHa6RK3Qc2q7PnzW+2zWIc+A45lcgsGUOcloo5NCY
-OFY0cogxB/TM5ShiYG9OyAlIXJvPWrgmB4QZrdTYTGA
+YK3fq1eFLcrYyeB0jrbpaDlvZI4QXtGDB6gBsNOHRbc
--> ssh-ed25519 mbw8xA mZdtNfY4gLd31NYVhhdFqKhNh+tKTCGayG8n8CY16Xk
+-> ssh-ed25519 mbw8xA td67bdiy9OVhynehUE0t9WNhSm5mibBSouANJsb54DI
-3FVJm0Ky29mtmCo2NaeCPqcurt1oy+1kFaGzBMRFvgY
+k5Q0NYRDLuEVqi6spysZ3wczsl6KeJHnzeQs4AcfOPM
--> ssh-ed25519 N240Tg 8ldjy789NFoPb6FprQEESprs2G+tH4h59uZ1cR9OKmI
+-> ssh-ed25519 N240Tg yQxm7sk3zmluyfrHuXcfcUH4bep9yO2yasWsZL8jlm0
-527JcKENr6ddpZ1xWy+9rWgsFG/0/okHYtyZ8bnIGtU
+0uLbEiU6G+BOFnhdtQ7y1TaZun3L9cayeOJUiKmhK3I
--> ssh-ed25519 2a2Yhw CSpAusLjwTyUMR3TQEX7K6wLkEBQCTwDmDWzqa4BWE8
+-> ssh-ed25519 2a2Yhw rWgv/wgxs/G8JqWRMX4K8OMkbDDEWKXn8tr1EZHXNTg
-ZMWO6kC/xXdzeYzuMtj0PU78rjCB2SxmLW2FkEm3GwA
+//vsUBg5VSyyPOhUppiV4hkEhSVh7TUxlgRhroeMH2Y
--> ssh-ed25519 dMQYog xKjJsFoT+B3+vm+92ywinppmwbMDFqlLHLlQh56d5m0
+-> ssh-ed25519 dMQYog C231LaIgcDukZz+Q0w3BS6QoRNPYBpQnDc0iapNDACY
-c8yhBQL/umJZoAqPXJFYFZVN2CwyftPnXZbL6BEo/XA
+h053cONj1m8SP/V9oFU7MuMRNKq8KNxr9FyWoRShZ2w
--> ssh-ed25519 G2eSCQ PNecZsY2AXDMAZvPw+HMdioRE+4hiqoXViwQDAvCWn0
+-> ssh-ed25519 G2eSCQ oazxEulqB0zTHwBBZxxBvskYLENNm62hy0EMt/6BIi0
-3xemYVepW2NvII/zDuUsFfp5uBFQzU5Iz2zHpnSACfo
+rM8Evty9wq4qC/Tau0bU0LgBqNP1J6Zt+iQeYwhBJ1g
--> ssh-ed25519 6AT2/g fnRDsTvXSqLKzraCy2QUqIqCteAlVuSqrkohHoIQh1A
+-> ssh-ed25519 6AT2/g GWYlWQLxy+JjQUGGG4P2ePuqYkUov/0OV1gyAUfo7xE
-NJaoRKC8IyZcaObclNuvIJV1xtNA2Vnh6+6gylNBRko
+CT4W8xfyQyZ8LgnVWncxL9TMyf2tC1mXhjJ8/OrV/yk
--> ssh-ed25519 yHDAQw vhIaLzY3A5H4xVoWXJDFXdlX/Ddk0OCScSp72Jy+jjA
+-> ssh-ed25519 yHDAQw 5FsOvziKO7oXBvIbJ6ikUHyZsfJcwoXcXYmCCCZlUl4
-r4sj0I/Vs1/klWNa1Ud/alCCmuGGKbZ38K0UAbxOaNg
+5wywGXF9/QbqT0H3f7GY1J79ZwrFaSG6qzHll5G9Xcc
--> ssh-ed25519 2+FxVg UfBGv5v9kilraMWTgPj6reFn1Ipv8elF/Je2L8HJfzE
+-> ssh-ed25519 hPp1nw Aii3iq5LHQPAWIGj7RbK18ChTij7zYnARHqXTAcU+wo
-xeMgBC6Ao2ykXFNRbdok/gC1RXHjH4NPiv7lpFzCWGI
+218UL87Ev75zAsloHSkLlQoSLk3u+XaRgMpqFlHQEIM
--> ssh-ed25519 CRfjsA 7Zz5w+LgThJBhCeTLsT09rZnQiaLnFUuuxxFz0ui7xQ
+-> ssh-ed25519 CRfjsA AafQ3rTlpqLZqz614VPy0h0o+ha4f7gdx3zuoO7h9BI
-XCPZeaiQ9uDS7dachDEFKZXc2VI+2S3EpP8m4fWH714
+jyhVN8DsgSo58YPKb8c/eBWSgunbLgN0tnvqTaaOxTU
--> ssh-ed25519 vwVIvQ 5Bc4/BrCY4VdCabJ+XW+e3UPshgZWYFktE/QBb7+0Tk
+-> ssh-ed25519 vwVIvQ oQHpWgGDhgea9M774iyQ2gP0hvSgFr5ScM4ZdhMHD2g
-0+2IcVoyV7aX4wSBkwD0uuZlzInTXXJpJ582dQiwlME
+9vJjWXwOqpOfegf9ZtKMxAayDsn2ziHGTHGIBlAO71E
--> ssh-ed25519 fBrw3g NcGqfNA75TZK8snDZ1RV7CXDVDHzIo27CzUlisWw8X4
+-> ssh-ed25519 fBrw3g lGSzsEt5Ot/RHwJbL3fNQoR29ZQ7EsFUWv7HjWnU9wg
-s9UR8O4q4w/PbAZPSd3+hubg8GdUBYfhQ0zaRTgTx5o
+cufwuuyT/Vcf3QeJGXEcYFUQqjf0US95po7FaGMYXAE
--> ssh-ed25519 S5xQfg xtYjArK1YYAV4ts55E0jPIovtagFV7UJRb3iv1Om43U
+-> ssh-ed25519 S5xQfg CGj9qzx3vvlNnHh5RUyg4+3gVpIEcgGYbYJr61oTJgI
-SkqJ8UmlKtf+0KntLyjZ8Rgf0MtapEnEoVA+xTFbVSc
+x3TLtdaRpFtMRTC/RdngyBOeXQFEVvQIRdfAsaj8hj4
--> ssh-ed25519 XPxfUQ gy1JvMR1oy1mstVgPAc8m2haExzpEaJj+2POUNc0ZUw
+-> ssh-ed25519 XPxfUQ r1iu+mpoUVuf0AqaDsrumw8SOdiHapODcgrYRrAuSjo
-+HaGMvuuybpJaWs2yCjUyJ29jXKaDLkFBm9l1WLus/M
+1XNRKfEgm2U9DXZmNogFr9B9MqibE72NjyHiy2zZFMk
--> ssh-ed25519 SpD5mg C2BcTINChQTOMgMnn6wjJZ7ADmiqJpE4Z5dYZ3z4wwE
+-> ssh-ed25519 SpD5mg NM2MP1/5yxwQvvpiHnq1aiXQg4yxWpsNH/Isrwcz1Vo
-QgUNdg/PSj67SdNfa08YvupPfV4GWnSkwcRIt7ZgOVY
+IdWPzZg+/mwCr91bIlDMpAiii/HWsnIxTGXnetYjRPA
--> ssh-ed25519 Kk8sng +bkUV2nOzxIrwjFWNErRE3G5itxwzDKs6lG0NlSe/CI
+-> ssh-ed25519 Kk8sng 4NAaCbs1EOQpZz/qm8yW7PkFdsn8seSTgInow1zqBiE
-X8rlOeGQLzZXiIrkVFHJDHPt6ruuBs99jZ1XLZSAgBw
+2MJJNUFyBkxy26adDmoJKNndeQT+MsJGjdYiXMpMS4g
--> N+U,G!$-grease u eB<}B2q $nG@I[&z D..uu,:
+-> A-grease L''*[IU]
-E3PUEP7Z7anp0PcXD2CDpRsv
+5xdl3E2HB0Yz2TKiRucf1X/PV2JS4rc4LG4cKJ9VYIUksE5Aoj26E8h1izCrhEsp
---- FlP6ry9X2YIf++tM8sOD6wqqrmRgGNBED5RmAepRfOk
+Hnr2xC029yD3shPQ1w
-(Z‘4š¾´×Éxt-à<>¡Ø¤N9¥ÌÜÖ<í®Tû‹ÁGß.RW#kÞ'v%øã@êR‰!#Á%Ô|<7C>CùÉP€YÜÀší¹‘ Œt1Ñ¿³ †Ñ3qÑ
`
+--- OjLAmZwep6nKTZYMUuBBaMe+F3FmWqsCM2XCDqoiG/4
+ÍZΛëk²¬¨œoéG´ûCbÇÚ!Zö{ʦƒ\öO˜+PK±¬†’rîЕîA´~zÕô@ö’\Õ‘±M3G¿i’ÚGl‹èçÒ~€!þ§Á*Qõ‡ã

secrets/searx.age

@@ -1,39 +1,40 @@
 age-encryption.org/v1
--> ssh-ed25519 xoAm7w 8/Xbnl2GV2BouMzSyi9SccnOvkr9MhD16hL7mATBok0
+-> ssh-ed25519 xoAm7w CNXq63Qxe5wvwn0dr7QKcJogg9cO5+no3FcNmxkL7Gg
-IIUWe7J0BA2KtKSCV9hGHwwutyV0iDXEp4iBw2ECP1E
+w14UiCOJofq3r8VikRCOjIp29NXvoKJHyRms6tjr3/M
--> ssh-ed25519 mbw8xA ljb+MWwZ9neSLiGcRRiVV77AS887N9LrfJLi6f/XYQk
+-> ssh-ed25519 mbw8xA tzrtBUcTaOZBi2BNhgwN45MqMlQKGZU6FYm8IEQJKH8
-sNYx/g82DJC8boBMYev5HpHrBf/6d3Itr3O3C1M9nUE
+Vpc/0IHNizsxTozoVm0YZdm0qgKwx1sZ/JMIKSjQW3g
--> ssh-ed25519 N240Tg RpJNQFws7kfcXBoEjAHSZSDrxxCK+Wvd+TxAS218iUI
+-> ssh-ed25519 N240Tg F4wZmhSgHx1+tLok5IdJe+CCzWf6LmlkOFNGWqOpxXc
-Ykb4uzw9s3TYcNmV5Bv3Fos2P3L9OkKwPCP/dr5aMJI
+ZF7+t0HDmfaJnyNe3lkz5aVFezD7mAxqRiDCZCwW2sk
--> ssh-ed25519 2a2Yhw kFpleOyyyhKDq41jgohT0BCpVpasAoiIUPs3oB/kEWw
+-> ssh-ed25519 2a2Yhw rC3PH9ftW4UWPuUpP6tThaSe9AkfKUiEgQPPXerJ/SA
-9tHqujFzQ6QI8jQUEevspybHVDtzwyNoWEXUhDitlKo
+UNKobz02TnEN/oqhp7hwS46mU1IA0ehVzLqeIm9QVVk
--> ssh-ed25519 dMQYog ISBfsqV1suikFT1b/0bWj3Lk8VLR/PQrQjviWg4JmCg
+-> ssh-ed25519 dMQYog XowiBliO/PhqZFnmfnXWmw7KVT8I8Rp46RjuFd/amEM
-nDnUy5N987f/TAwanzzOKtdYLJ2ywoikugr2sGuVI7s
+eAhc4PVY/3ZjwiNihO9Yqa/au6ebkXmqbK4Zehf/FxQ
--> ssh-ed25519 G2eSCQ ygV0RkgqXQxvsmXOIjAPfopWldnsMZ8KgwRKletoGCU
+-> ssh-ed25519 G2eSCQ ann2y2LP2fIHtQRLtpLow/g2yTmcEYpUrbc0N69iJxI
-sELGgITcp3DKT1sNoUzE1Nl7tyINq06TfYP7k2yKLYo
+N1VAHkPjzxA5Vf9lKY5o7SWFy1kxlv78LSDcRt/MxaU
--> ssh-ed25519 6AT2/g EtzGUZOzofDnfd5M8wIIxaoTk34hr49PbChEqMmRHHw
+-> ssh-ed25519 6AT2/g uQhLUtHpvNoLBUs0zvdMeGTtXQH8gHzNiRfDq1x/3yA
-DvEzWA9X7OWjHAl5JCVV09R6KTA/JwlBcB/lyFVgbvU
+rhSm2KQw3k/nhrm2UmCWJ1oBcmYwP1S8hAY5xUALY5U
--> ssh-ed25519 yHDAQw +ojBBWCXn0DDBK9kfhDRYwbIQgOVE49vAZJ5skq0Wy0
+-> ssh-ed25519 yHDAQw qO/7smo6DZpW4/dBvkorYBYSGBdemDe7UrdSXDjb8zk
-MbX37CfoHI/Y9KAj39XgRfa83CzgGuTRkZ+tcKT4Icw
+xkRizpKMEbD0X3BsdSfc5DgjYG1IQLKJuQjLLSwPnzU
--> ssh-ed25519 2+FxVg 421B7+BKrkKUv4anVKUtptyCneC9lMuAuqfYtow6j3U
+-> ssh-ed25519 hPp1nw +Y+MeoeD58k8uedCeD2RbRyGlcLYEgNc2PC0Hr7MuTY
-4BDAGe7MmBPX/3c6SXnSIiZB1QzkyIDT+HKiXIB5QdI
+B3wQcio9YW1Vl6reg6APLKDbizQDxWY32CkXbuzyyt4
--> ssh-ed25519 CRfjsA aBrHk8ZZKbSLYKjjySs1Qj//e7kGIjIBVMeT7An9zkk
+-> ssh-ed25519 CRfjsA 6KxnAOe2pmjfwTiQZe8zHaeNJApPYdCCFK1OlFaE61A
-W20VN7h3QwmRJmV5J3VGl7IhqUQatVAlncfufjnPwII
+9psQfGIFCSjSYw0AKpKRFZ5qIYFOvq3FvHFyVRa/zbI
--> ssh-ed25519 vwVIvQ b9wq6xiir/uVFSbs+0pN34Ec+F47CwKAvjEDQEZJylA
+-> ssh-ed25519 vwVIvQ Zghw7uz/yR4dgsFhbeXfPvk1HmSaXV6CcRD6GlHeiGI
-CKiFnDpY0S/iZrMPNNMAT4+aZ55KNviXmCphe89bjCk
+KTM1Xu01FBcsmhJVeB6VGhMqHpnpLNmvWVBxV0+JW5Y
--> ssh-ed25519 fBrw3g F7MkD9bPZ3awfYdd3v4If+XCgtCRRS+rq/uW365mnks
+-> ssh-ed25519 fBrw3g h+wmH368BHkFp5Mu3PnbZFjyMVRBNcwU4hloIaZEaGo
-vGWy9YrSiBESG4MWxgqWZzol1YSRUGgbjY+2Q6FwLWQ
+TKPz2C3yF2wBsiT8/WhbKEg792PLcQ3YN5UWcxJnwtE
--> ssh-ed25519 S5xQfg lZDkCihzUwC7rGSeRFxvN1Yue5Ql/8MveeIMv8nXLRU
+-> ssh-ed25519 S5xQfg YZcNHfVDJ0GRF+IpLVSxOeBOSoDhDhdL7r2npRYcuEg
-5yxTfZhyk00iQnnFIsGvStPGFb4lWhn8bgDsnQvNnsY
+mPfQ+m3SGGnGO32oA917AfosSnXGqHRDdMfIypK+UOw
--> ssh-ed25519 XPxfUQ zlZV5zjm2XkSo+6CQ5nLTaw6gPTaDbu0D7VHsYmKYg0
+-> ssh-ed25519 XPxfUQ jsXVjpItFnuJiaeYIaYKsJFusASry67LiqDW3n5+QSg
-SpdQFAmBAOQVZL+kAKIQcix2+lCwvxqJvOPid6crL+o
+0KzbBSbRrq6JrpWEyTbs41b4gUUiKeZzWI3rBaa/AdM
--> ssh-ed25519 SpD5mg 4z+FHDyqILNWuc1iyqC9bLSZ43MhzdZmsMi0rnMb/wU
+-> ssh-ed25519 SpD5mg 873X6UIo87svyS+jhQGjILcVy+RjtsKwJfDyj6gmF3I
-aBGWQ7GIIkQ8gDyrFYCLBFIzaj+VY88FfTJphzprST0
+KNHCRKZ5NhJbNmrhWehpUXEv6jBGeJkRxCi9+/bgouA
--> ssh-ed25519 Kk8sng p0YQLEF0uEq1aLcaNnnCE+z1FkI0DA5QaCR7VJ3ZaXE
+-> ssh-ed25519 Kk8sng /ItiKGK46Wia6VSKa2AtEPj+PqpDtWxBhea4s3mqOVo
-djFc0xi5DqZpf+on2ytj1GuVy7SVcxey2Wzuvwy8AY4
+OPclxoc2MygKYJtahVbLfE72X4s4yVil4dugeSF/3DU
--> UuD+-grease b 4<Q0g" hgjWJo qiA
+-> U(/M3X-grease Jh[D'
-19psCQoHNTysO3fsEMnVkLahsWJPgshhy5hQKX3dWUUaNUwnVSf+WDKXKnjeupWo
+z6L8qVMUmuElYKbQViqc6tecJic8gho79RaMilbwp7uS+owmgqNMUFxv9+8bbtYY
-OaEPSmp8I5e0lpAggFZZhYwCu9fG2BZCFLeXNm2LFzUli9pgjFdYz/up2hB5C/c4
+wC+YIigf5xAKlwcOipCJ7xv3jlqt8yUFWV8hg3J0GRbkWnhFYdWGXHnPtomPFtE
-
+--- bD5IgVE3GQSnej0FLxh1nGD2q2/fuhqRL2yYw+2KMek
---- jMFadnLfkEPXvTzhx5TKtnK6Yr+r3pgpv4cz2RBok/I
+·)ˆ7&ªð„3¦ Ñ_¾â
%!2aâýÍݱQ
-Èþ
+ÿ6hêlÑ	)Í0ß}*ÌmìO(¿l8^"È‘Ì‘ù<H¡Žqr¶²û³!r<0F>ÌXóÖ˜ºxó:FF£¹áÉó§‚#.Ž™Ú"[Š9çZ„°
+C¾ÜÊ62›¥-'™ÛX$S

secrets/spotifyd.age

@@ -1,37 +1,38 @@
 age-encryption.org/v1
--> ssh-ed25519 xoAm7w oWqlikYvtZPfXQywZ/XuMW0b/w3+5D+KkaAimixxwAQ
+-> ssh-ed25519 xoAm7w F1C6i9iOvzUf6pS7eBfcsRFRn4q2YE7htxCqiLvasw0
-I4kD0+enhgNuQWC4PYaL+9yvitL471K5EiUJ5B8nAw8
+viF83MLadEfum6wQWgbl/h0l65+jAtBszhevVS4jh4k
--> ssh-ed25519 mbw8xA CBJUxWTXE8Ln/3qFqMg0FeLBc9OFsSAl2AHeeygOwEk
+-> ssh-ed25519 mbw8xA Ec2wju2txmmCHuVNDWdLQkfUNY7/okY2koAz6Jur53o
-+abHOk0hrRQDn7grE9frUJh7Wa28hW5Mak2m0mVGWpo
+JLmlpd43QO/LPvS0TW9eKh6f5zZmbVDWjYn44J5ZqMo
--> ssh-ed25519 N240Tg X2+ColuqWnXT1WRmLQ8wr8qea8uwhWteClBYBNKTIFc
+-> ssh-ed25519 N240Tg 1bl9Y+I3XGx7RiY8078wEMdaAishvW84nMrprt8jjVU
-v3YeIjzItehJKMPovIcGxOsAH3lBt7Au5GzcMFyYQME
+4lXtc1rGouF1DoTohQnSEMvNwRZaaenimEFypsfxajM
--> ssh-ed25519 2a2Yhw UJX1qygh1EOG7IR3kRTaUF+CTTmeK64K7WDlSRejoBs
+-> ssh-ed25519 2a2Yhw SDknhtgjNgNy3ktoNNvLie3OdO8bKhWW5P4s73OtLk8
-3dHllueF9JR8pirslK9KnRh5DuIg3yoI+P3xAETWgZc
+Ihl/yNw35f2CgcZX6KHRXUTpAHp6aAQR/7oeU+gq3V4
--> ssh-ed25519 dMQYog el0Oc5Er66UQiJXKbS0K1bKKb1fP3gvlaJE0PxMF60s
+-> ssh-ed25519 dMQYog dME46DZmwFnKBKlmx5AZEoaVipBmpuz66RXPQfFoXSY
-ceoXPA0zjkFcqWA2sBA7F956w0yzIH1EWTZhPAxmEOc
+eAzeaSpIL5KPQADGEeuX/bkQ014L8MeTQF2fapO2N/w
--> ssh-ed25519 G2eSCQ 4Lo9os9HsE/S8RD9hvFmMZCUZndu4u+Y5kiMMDqxEEU
+-> ssh-ed25519 G2eSCQ 8/xTD9nSXyAeZwBEdJgLcOembBwnMOgWX3jR4N2sXC8
-N7Ii/hgJ2YzyykzZYyL42xirKE7czTfhcdg59j5T090
+0BmY7u5TEcIEza2PZIJEamV2dfC0sDeVl0UXECBwDlc
--> ssh-ed25519 6AT2/g vBgK1qHPdccfAhfW+XhMuUwki5j4V34mbC1JStDy8hw
+-> ssh-ed25519 6AT2/g xSdH52Oq0TOg0D76WlDVSY5kJb0hMAWoM3XVyMtAeWk
-6dMibsL7dkzOdNFXq95iIVLZrcw1gvjX//Kv2ggNbeM
+0p2AHJDa9XK6C2g8AM/g7cWdR5DGLk6SoUL3Nah2G1M
--> ssh-ed25519 yHDAQw nu+lave53WZ3gTlQbxIbNZCQWwOgx9oHqcGmBf3YkDM
+-> ssh-ed25519 yHDAQw mQBHUkvKf+Na8pCfl2Vb7+sKLmKth0lbxDFEcTtH/ng
-aqpjYlhHa2osez/hbXlRD4nbNwAPelCWeQo7BjUYuHI
+JDPxV93vE8mKJtDp/MewHA0F78rW/0ZPYUQKkdNUivs
--> ssh-ed25519 2+FxVg W/YJBvKMT8etI3GGFNzQMne+3s3bX96+C01hqpl0QWc
+-> ssh-ed25519 hPp1nw htVxNW9zp7J38WN06jfEX417xtXt50iMTRUtrzLRO2k
-bRDwFFn4R0oVoItxfiBgtg6GIypDxVnsgjQCYDqa1/Q
+iTHjoS5eWNiQxIWtuylkqXlO8E+Dx/2CkENs16lZqhQ
--> ssh-ed25519 CRfjsA v3Mq+ywipRWdk7E0uiGkzVrTLGbKtVRKQCeENsprXFQ
+-> ssh-ed25519 CRfjsA Dqs/SAfRhgszI9pz4yZHyVp0iqPg1ssspX6ZW2QTv10
-pUNkotqQs7AdnOFq6uK+Y1Aw1XPpYOk78MrL7mYNXBs
+tA7NQXpPtJQ4mHjTDr4pTt9jrqDkMJZGMLVazOenMbs
--> ssh-ed25519 vwVIvQ ktAGql+uSv5FlTGRX/dh/i+SeNf/425Ty9EP7LvIyQA
+-> ssh-ed25519 vwVIvQ oNmVe26rEpI7nNGlI5G7Er9fu7blpHNE6NOeGkoR/TM
-uzyYPdpoY+wu8K1XphBaQUQaPUI/eaj+pN4hFQOEb1s
+vAL2gsM9NatGQpnNIh8XpCP+o9KoOnuLVt9e8+Kymcw
--> ssh-ed25519 fBrw3g 89smE2Osv+DQnmjli4erhsBx/tajT4kcUMn9BFANWHk
+-> ssh-ed25519 fBrw3g 7GVBA1eUhgxGfiiKirK/i5JUbehOJVgmc2H/tgQ+A1s
-PFVelVa6VjY/09vFwqTIrRuvEuiOjV66KzFMYrMqksE
+n3i9gtNt4aRT4EOk8C94lGmXNN538HNOqo8uCmxZz6o
--> ssh-ed25519 S5xQfg AneXz8P0Uzq9xlAhUo8NjP+4Lu98LEvVjXuI4T7nGTs
+-> ssh-ed25519 S5xQfg 2KQLClmvqWMuJDOSAkzcpJkRTJgV6ig5Cq22RcCixWA
-8maTe5Ql/BydWva8FpGqFW19yjOEwR9m3WjnHwoaP/Y
+zYULXTJL5o5uZxxi/fOCrocxZooH3KarUj8vUDkfWn8
--> ssh-ed25519 XPxfUQ tCIPHgsUCVjL8J6rel0wriavQPI8X8A+LrralWhX7XM
+-> ssh-ed25519 XPxfUQ z0v4A6O509NqQgbKFzZrY2WL1ATc9SCYckbtqaSOdk0
-tw75vmwvDkfkSsLHm7J/1G1RtXCBmmK+4/x8kszHaDk
+PbDNvSWw4QEGLUzhp8IrX0oMDJzWjeemuEDZ02YlClo
--> ssh-ed25519 SpD5mg +zS3tCZuEDPmyJJAwxd5XwHZ6Oj529ASDJncvkHiWx8
+-> ssh-ed25519 SpD5mg +A6LavFPjRHuTyk0MTZ6zmJf+CIMX69fT/HI6/0RJWI
-s4FlthCezHVAwnAxeEsaaztzmhEvsd9Rfv2BiyyQHcs
+CVgJC3y/H7MHUCMR5s77oPWA56oIEpj+7MZH+Qw/LTU
--> ssh-ed25519 Kk8sng aAfQRcv43KV2/bU4Lu+Do4KEz++WmvqjHBjpK5Frmjo
+-> ssh-ed25519 Kk8sng 4Re6/B65/TMi45/fZh7zl7dAzH4MnCnHqca1Otpaa2o
-I+fuEjPECpvC8hvEX+eDjFWWo3nOSuxApJuMmaq/ROM
+zJAlQ96vODytPwtwPSxEEi8hn052vCGcPUxECyU9Ivo
--> L((Gv+;X-grease
+-> V1&(!o4J-grease I)F/
-FJW/OLKcapzoBETajzdgteof4o4CS0SCge1G
+AQ7tCx9XyVd3QDf9Tadcz8QIOJ3bgj4kDh8YuwATAmF7M9DPAlQiW5qkkvaALloG
---- c4qHoenW7h4CZIBcFhf/jkGQFc1ztJPcC6VqwmQKZdE
+KwwV
-<EFBFBD>[qáAÚÀÛP»øK!É¥eÙAÁ¼Já1¤ãÀ<C3A3>õŽ'Ÿâ¯¢•}\±cù«vñŒJW< c•€µ~ÊÙB¾˜Ö&³?d-~¾¾f^ödæ0{hárJ÷ÝLÑ<4C>‹óB­¬†|ªPêºÈî
+--- VnZ2JJVPKnr8hDMqsZidpehwkLY9W2UmF40/5Khu7rg
+„;»­晣,‘ΧÂ<C2A7>òHµˆ›¿ˆ±‚>ê¬?þL¬Üiv?PËwùìŒímW£›­3„^¯{^ÂÆ«"ýçMÈ[…P¤$­RàüNðú…£ÄŽýÓ6LÍ Ï

secrets/wolframalpha.age

@@ -1,37 +1,38 @@
 age-encryption.org/v1
--> ssh-ed25519 xoAm7w Zhpc9RVEpY8IQHoaV7bXITknEzZvD3vhtlkyS2NiED4
+-> ssh-ed25519 xoAm7w QDzXkxhczV+ZUvEHmN1Uf7xWaEDSugv2dcisOakVPEc
-XF4a0bcetANx/Uc14yI/g4iu1rg6tilwGXS4EZDiC9M
++k9M+R98OqsfIROOedql7ksLCtejx5uzFXigxB1Dhzs
--> ssh-ed25519 mbw8xA 3y/ebluo5ydfc0dvKgfjX9d3h9oMIHB2f4zrTQZ1VRY
+-> ssh-ed25519 mbw8xA ERuMyLhLVrNwmr1wS9h0ssZYayCn0Hc1dhu3zBKzDF0
-J+QzUk3lK6Lts4xbrFB9MsZGaITH2727tZ7wP5vv6II
+pz2rEMX3MtxtVOTuEyO5K9ZE5s0C+2JL7lNE5BdUsRo
--> ssh-ed25519 N240Tg wn8PvBMhca6ZaWwSGC6QT6RU0Evkf+T0pyp0KtL4u38
+-> ssh-ed25519 N240Tg kHC1Wn8T3aUpWd4yK0+GJo+SDBXrVmTSrNz/Z+3kfGs
-7/qQJHlx0KawNp6h6UeNvhXEEZ9c2m+BBHxdYihh/Yo
+sg6A3DgaQev5ZezJeSNAR7+G4MS1rdwHd/6u1H5+0us
--> ssh-ed25519 2a2Yhw HC2B/ovIP9yOY8f1Y9vfdPqGmf2WDZOZ02o0U09CPTI
+-> ssh-ed25519 2a2Yhw 64vHNVi/UCK1aCBFu+BnSyy42DHZIFeiDekfnQeDlHE
-RlEnllYliqBORlAXMHBBJBQD2L8MUmtrCnnO37f1BfI
+19On29XUAiUsTmlqxrY8PQGderv7VzBO4a10jT5aZwY
--> ssh-ed25519 dMQYog 0iDHfwUHCba5Qybli5GDAqCtNPplS5n9j76ukk0ZBDI
+-> ssh-ed25519 dMQYog EHtR1wf5/2aWvGwkD4EBOECctp2zs2RjAUOKcncjUSI
-qCDVF47jdG5NesPRNy0IKLbJqPazoZ636Ow2WCdXTZk
+s7dfQHaLjO6Hor6xXpx8h5hox3OQA4mPRGt8ewr0jQM
--> ssh-ed25519 G2eSCQ 3QltdxVJUixiewBLgdpJDaovHIHErX3Q2mhvTH1XgVg
+-> ssh-ed25519 G2eSCQ 4L9zIv4aApkZgFneUjVm2esXp4DJYVzm94LA2sS0Qkc
-6rbVirj6LznfVZ6FcD+VoeOyj/4sduMVkWAm/pLVVwk
++iDy2G82PX6yuIyn7zITzp/jvBX2P25u26n/NuGdjVM
--> ssh-ed25519 6AT2/g Kyz9q3tPuiX6X5wUU6fyESJetkcTNgPu3KoWFFO/EE8
+-> ssh-ed25519 6AT2/g HyH+8r/SZUXilmITIsFVyr2t6rCJK9scP9TR2/rO+1M
-wQRGnXdTrFVhdUrCRfHYoIRK1Yun4QURxIdd9dBvH8s
+0Hkx2o3wlq7nj6fRSL3QNtrxKFxYlfhg7CwsyQDjIo8
--> ssh-ed25519 yHDAQw lElQZAKDD+AhsNEAIrz/3i1Z5YS0U46bQ+YHjxtX7Fc
+-> ssh-ed25519 yHDAQw vZlwV2QvrzG1Xu4XZt4Yi5aDQ8qmPQnadCJtHdtTSlc
-ez72aO1BiG6J1G4LOVQDMUh8cAhqpxc1kcXJRRkg2Qg
+4NscOK2mu+P+vrZ8FIbIYhQ/97DPo5vgsl0jnlZM0gY
--> ssh-ed25519 2+FxVg gbGEias/yB8ILGsVhhwfCNwGDCtKEa027TY5f8vAfhA
+-> ssh-ed25519 hPp1nw YWRekiOxwuK8eAGehbBfOzW7Rmw95V+A/XD4rmFxS3Y
-LcsSY9f5UI2akH5USLBMd0V9eDwd6vCpxjDPWZcXnpQ
+sd+q4ya9k/KE06GYGFV2O9P3O77aZcJl05tAvY6W1s8
--> ssh-ed25519 CRfjsA Pd2ZMD1asDSzddRD36LZUPvkYjDeHfZyEpOXMnwB8Xc
+-> ssh-ed25519 CRfjsA LfIzQhaql9b4EAotyVrvKBV1AhlMVcRarA49q7+rQXc
-aFqMTiRL7zPKc480CysFu9645UIZ0BmqBAhB3nAxb44
+v4WddjXusd/m/s/T7E+wdKm9tDR3rGj6CNE3AdVrDb8
--> ssh-ed25519 vwVIvQ LEym3BnhIR0eFb1/T3HHh+Ozo64qJ4L0L9gH3OGfLQU
+-> ssh-ed25519 vwVIvQ 53S5tWgmlVnKIHonBAmvxbv+w0j9b65NdyWvwlvgZWg
-54g4goCKamaNHNfx2kNVoMD/RmbcGMgbQ/71zdsuYhg
+xa+z7MYrJHCgILtG/3Yw1OKH1/YKvuVG2jabnv3gSoA
--> ssh-ed25519 fBrw3g rodu0fR9X+20LKQ8+FccwWpiT0LbU0KAA2NHmXbSM2A
+-> ssh-ed25519 fBrw3g GsaGAXiMo4WhEZTQPgr761gAiQHmHPSwdWF0t910+DI
-w0W9cqZ81aJcpl6GT/zCHKMy2qhAKWdVRSVTgmmq7Ec
+dmZGcEghoXi7giaxC/1UVJVAtyY5hcknUBxr0wQ4RBk
--> ssh-ed25519 S5xQfg zi2A//LI7Ot9MX1gohQxS8e6qHRozw3kEpyMU7jnfWc
+-> ssh-ed25519 S5xQfg wgkQBHQi8xY4++/quS4ZJWb9PPpg6b0KZpSwypdS7HY
-72T7ctknEgZ+nnFCgct7B8tDa1/DJqkk6LAiJ5Kqktk
++1yatx5SUanPC04jJMVVILHAwdtg2r9Bd+sj9728BnY
--> ssh-ed25519 XPxfUQ jXrYF/rcG2aJ9he1dCcmkuQtQlTAZQrqQFu4AaTESG8
+-> ssh-ed25519 XPxfUQ Hj2e1U4udGkp04dSdTSsaaJPIQ7gB1bwralXazBzpVM
-i9o+h5NcB+NYgrU+Pei2xHSF2fihw75IDM/rx9ddziw
+LPOMpbX+ndXRkQlR3GKKpwSd5zOT03j5bII8btjY52o
--> ssh-ed25519 SpD5mg 7u3lIXggJjgRZRXCkfgDb7+Sp+q+GtSKJH4gAycaSQs
+-> ssh-ed25519 SpD5mg ++/8/U9XQKg6L3SHej+mvXeZYrvoWhiwmcurC3V0aTU
-jEEdWSJHjXUsx8T4kmmjKUjWNwmLIwQzl9FXKbHhXM0
+qR3nTcugxtBgDhcbZpCe0/NUavbzV6tFJZKv3IopAO4
--> ssh-ed25519 Kk8sng VmT7aS3ggF/M21MsUMCEF6cT8C8QvIN4IQ0le2SlyWg
+-> ssh-ed25519 Kk8sng /bL56jng2lp0INyIDqUAX5L8mFmKxCBeHFWPUW6gE0U
-G8rxkI0WaA2K3T5ETrEZJNfYpmhVESo0n3sDEs5YbVE
+4v+jq2N6RIQAh0VRrBZkMjSQW6L+LYcAfYUBvfTM+Jw
--> T.{#h\gw-grease \R/D bw>~X%FP
+-> ";etw{[s-grease E;mh^R$ c8
-xW/YLhgKe2qTxlZSe836hH7hDCb40FXAQJ1VPjij02iCZEBW
+ossMGyq0gpvz9PjjLBWD+QHRKKhzY6/9Kj4b0M7YdP0OgMdpr5QlA7UIDhiGQQBL
---- KUhBgZXJA+9QxOwdJeJj4qk/rcUmTRXS8LcyaKro4c0
+dbt0YyLxbAdhqG7S3lLeedQmvzv/oIyhmV0jsTB79W1l/27FujvPRWYf
-Ä䡬Vm9ëvcHÊj¹®²ä´¶*†z;±@–óƒÖÏ1õÆKZõ/TNk\nj
+--- pYjss6AEPZn0PG7FmO6bGq1O+k1IFGzoxsitB4qgotY
+ÌÐçJö›Ç<10>>Z`´{ª<0C>
b%RW^óºñ–&<26>·ª’	­-4¥ðè¬ÙÚW…á