lib: River IP update

devshell: Add git config safe.directory for build-n-switch
nixos/common: Disable channels
2025-01-01 19:14:04 +00:00 · 2024-12-23 10:32:13 +00:00 · 2024-12-12 12:38:01 +00:00 · 2024-12-11 17:17:33 +00:00 · 2024-11-30 19:31:58 +00:00 · 2024-11-30 19:31:43 +00:00
150 changed files with 4671 additions and 1795 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -6,11 +6,11 @@ on:
 jobs:
  check:
-    name: Check, build and cache Nix flake
+    name: Check, build and cache nixfiles
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@v23
+      - uses: cachix/install-nix-action@v27
        with:
          # Gitea will supply a token in GITHUB_TOKEN, which this action will
          # try to pass to Nix when downloading from GitHub
@@ -18,22 +18,30 @@ jobs:
          extra_nix_config: |
            # Make sure we're using sandbox
            sandbox-fallback = false
            # Big C++ projects fill up memory...
            cores = 6
-            extra-substituters = https://nix-cache.nul.ie/main
+            extra-substituters = https://nix-cache.nul.ie
-            extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8=
+            extra-trusted-public-keys = nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4=
      - name: Set up attic
        run: |
          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
            login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}"
      - name: Check flake
-        run: nix flake check
+        run: nix flake check --no-build
-      - name: Build the world
+
      - name: Build (and cache) the world
        id: build
        env:
          HARMONIA_SSH_KEY: ${{ secrets.HARMONIA_SSH_KEY }}
        run: |
-          path=$(nix build --no-link .#ci.x86_64-linux --json | jq -r .[0].outputs.out)
+          nix eval --json --apply "builtins.attrNames" .#ci.x86_64-linux | jq -cr '.[]' | while read job; do
-          echo "path=$path" >> "$GITHUB_OUTPUT"
+            echo "::group::Build $job"
-      - name: Push to cache
+            nix build --no-link .#ci.x86_64-linux."$job"
-        run: |
+            echo "::endgroup::"
-          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
+
-            push main ${{ steps.build.outputs.path }}
+            echo "::group::Cache $job"
            ci/push-to-cache.sh "$(nix eval --raw .#ci.x86_64-linux."$job")"
            echo "::endgroup::"
          done
          echo "Building and caching CI derivation"
          nix build --no-link .#ciDrv.x86_64-linux
          UPDATE_PROFILE=1 ci/push-to-cache.sh "$(nix eval --raw .#ciDrv.x86_64-linux)"
--- a/.gitea/workflows/installer.yaml
+++ b/.gitea/workflows/installer.yaml
@@ -14,22 +14,20 @@ jobs:
        uses: https://github.com/actions/setup-go@v4
        with:
          go-version: '>=1.20.1'
-      - uses: cachix/install-nix-action@v23
+      - uses: cachix/install-nix-action@v27
        with:
          github_access_token: ${{ secrets.GH_PULL_TOKEN }}
          extra_nix_config: |
            # Make sure we're using sandbox
            sandbox-fallback = false
-            extra-substituters = https://nix-cache.nul.ie/main
+            extra-substituters = https://nix-cache.nul.ie
-            extra-trusted-public-keys = main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8=
+            extra-trusted-public-keys = nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4=
-      - name: Set up attic
+
      - name: Set up vars
        id: setup
        run: |
          nix run .#nixpkgs.mine.x86_64-linux.attic-client -- \
            login --set-default colony https://nix-cache.nul.ie "${{ secrets.NIX_CACHE_TOKEN }}"
          echo "short_rev=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
      - name: Build installer ISO
        run: |
          nix build .#nixfiles.config.nixos.systems.installer.configuration.config.my.buildAs.iso
@@ -39,12 +37,13 @@ jobs:
        run: |
          nix build .#nixfiles.config.nixos.systems.installer.configuration.config.my.buildAs.netbootArchive
          ln -s "$(readlink result)" \
-            jackos-installer-netboot-${{ steps.setup.outputs.short_rev }}.tar
+            jackos-installer-netboot-${{ steps.setup.outputs.short_rev }}.tar.zst
      - name: Create release
        uses: https://gitea.com/actions/release-action@main
        with:
          title: Latest installer
          api_key: '${{ secrets.RELEASE_TOKEN }}'
          files: |
            jackos-installer-${{ steps.setup.outputs.short_rev }}.iso
-            jackos-installer-netboot-${{ steps.setup.outputs.short_rev }}.tar
+            jackos-installer-netboot-${{ steps.setup.outputs.short_rev }}.tar.zst
--- a/.keys/harmonia.pub
+++ b/.keys/harmonia.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXRXkYnBf2opIjN+bXE7HmhUpa4hyXJUGmBT+MRccT4 harmonia
--- a/ci/known_hosts
+++ b/ci/known_hosts
@@ -0,0 +1 @@
 object-ctr.ams1.int.nul.ie ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8
--- a/ci/push-to-cache.sh
+++ b/ci/push-to-cache.sh
@@ -0,0 +1,31 @@
 #!/bin/sh
 set -e
 REMOTE_STORE=/var/lib/harmonia
 SSH_HOST="harmonia@object-ctr.ams1.int.nul.ie"
 SSH_KEY=/tmp/harmonia.key
 STORE_URI="ssh-ng://$SSH_HOST?ssh-key=$SSH_KEY&remote-store=$REMOTE_STORE"
 remote_cmd() {
  ssh -i "$SSH_KEY" "$SSH_HOST" env HOME=/run/harmonia NIX_REMOTE="$REMOTE_STORE" "$@"
 }
 umask_old=$(umask)
 umask 0066
 echo "$HARMONIA_SSH_KEY" | base64 -d > "$SSH_KEY"
 umask $umask_old
 mkdir -p ~/.ssh
 cp ci/known_hosts ~/.ssh/
 path="$1"
 echo "Pushing $path to cache..."
 nix copy --no-check-sigs --to "$STORE_URI" "$path"
 if [ -n "$UPDATE_PROFILE" ]; then
  echo "Updating profile..."
  remote_cmd nix-env -p "$REMOTE_STORE"/nix/var/nix/profiles/nixfiles --set "$path"
  echo "Collecting garbage..."
  remote_cmd nix-collect-garbage --delete-older-than 60d
 fi
--- a/devshell/commands.nix
+++ b/devshell/commands.nix
@@ -20,7 +20,7 @@ in
          [ -e "${homeFlake}" ] && echo "${homeFlake} already exists" && exit 1
          mkdir -p "$(dirname "${homeFlake}")"
-          ln -s "$(pwd)/flake.nix" "${homeFlake}"
+          ln -sf "$(pwd)/flake.nix" "${homeFlake}"
          echo "Installed link to $(pwd)/flake.nix at ${homeFlake}"
        '';
    }
@@ -52,7 +52,7 @@ in
      name = "json2nix";
      category = "utilities";
      help = "Convert JSON to formatted Nix";
-      command = "nix eval --impure --expr 'builtins.fromJSON (builtins.readFile /dev/stdin)' | ${pkgs.nixfmt}/bin/nixfmt";
+      command = "nix eval --impure --expr 'builtins.fromJSON (builtins.readFile /dev/stdin)' | ${pkgs.nixfmt-rfc-style}/bin/nixfmt";
    }
    {
@@ -77,7 +77,12 @@ in
      name = "build-n-switch";
      category = "tasks";
      help = "Shortcut to nixos-rebuild for this flake";
-      command = ''doas nixos-rebuild --flake . "$@"'';
+      command = ''
        # HACK: Upstream changes in Git + Nix makes this necessary
        # https://github.com/NixOS/nix/issues/10202
        doas git config --global --add safe.directory "$PWD"
        doas nixos-rebuild --flake . "$@"
      '';
    }
    {
      name = "run-vm";
@@ -106,8 +111,8 @@ in
    {
      name = "build-netboot";
      category = "tasks";
-      help = "Build NixOS configuration as netboot archive";
+      help = "Build NixOS configuration as netboot tree";
-      command = ''nix build "''${@:2}" ".#nixfiles.config.nixos.systems.\"$1\".configuration.config.my.buildAs.netbootArchive"'';
+      command = ''nix build "''${@:2}" ".#nixfiles.config.nixos.systems.\"$1\".configuration.config.my.buildAs.netbootTree"'';
    }
    {
      name = "build-home";
@@ -115,29 +120,17 @@ in
      help = "Build home-manager configuration";
      command = ''nix build "''${@:2}" ".#homeConfigurations.\"$1\".activationPackage"'';
    }
    {
      name = "update-inputs";
      category = "tasks";
      help = "Update flake inputs";
      command = ''
        args=()
        for f in "$@"; do
          args+=(--update-input "$f")
        done
        nix flake lock "''${args[@]}"
      '';
    }
    {
      name = "update-nixpkgs";
      category = "tasks";
      help = "Update nixpkgs flake inputs";
-      command = ''update-inputs nixpkgs-{unstable,stable,mine,mine-stable}'';
+      command = ''nix flake update nixpkgs-{unstable,stable,mine,mine-stable}'';
    }
    {
      name = "update-home-manager";
      category = "tasks";
      help = "Update home-manager flake inputs";
-      command = ''update-inputs home-manager-{unstable,stable}'';
+      command = ''nix flake update home-manager-{unstable,stable}'';
    }
    {
      name = "update-installer";
@@ -145,5 +138,15 @@ in
      help = "Update installer tag (to trigger new release)";
      command = ''git tag -f installer && git push -f origin installer'';
    }
    {
      name = "deploy-multi";
      category = "tasks";
      help = "Deploy multiple flakes at once";
      command = ''
        for f in $@; do
          deploy "$O" $f
        done
      '';
    }
  ];
 }
--- a/devshell/default.nix
+++ b/devshell/default.nix
@@ -11,7 +11,7 @@ in
    NIX_USER_CONF_FILES = toString (pkgs.writeText "nix.conf"
      ''
-        experimental-features = nix-command flakes ca-derivations repl-flake
+        experimental-features = nix-command flakes ca-derivations
        connect-timeout = 5
        fallback = true
        ${lib.my.c.nix.cache.conf}
@@ -24,10 +24,10 @@ in
    coreutils
    nixVersions.stable
    rage
    wireguard-tools
    (pkgs.writeShellScriptBin "deploy" ''
      exec ${deploy-rs.deploy-rs}/bin/deploy --skip-checks "$@"
    '')
    home-manager
    attic-client
  ];
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@@ -7,24 +7,25 @@
    devshell.inputs.nixpkgs.follows = "nixpkgs-unstable";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "nixpkgs/nixos-23.11";
+    nixpkgs-stable.url = "nixpkgs/nixos-24.11";
    nixpkgs-mine.url = "github:devplayer0/nixpkgs/devplayer0";
    nixpkgs-mine-stable.url = "github:devplayer0/nixpkgs/devplayer0-stable";
    home-manager-unstable.url = "home-manager";
    home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
-    home-manager-stable.url = "home-manager/release-23.11";
+    home-manager-stable.url = "home-manager/release-24.11";
    home-manager-stable.inputs.nixpkgs.follows = "nixpkgs-stable";
    # Stuff used by the flake for build / deployment
-    ragenix.url = "github:yaxitech/ragenix";
+    # ragenix.url = "github:yaxitech/ragenix";
    ragenix.url = "github:devplayer0/ragenix/add-rekey-one-flag";
    ragenix.inputs.nixpkgs.follows = "nixpkgs-unstable";
    deploy-rs.url = "github:serokell/deploy-rs";
    deploy-rs.inputs.nixpkgs.follows = "nixpkgs-unstable";
    # Stuff used by systems
    impermanence.url = "github:nix-community/impermanence";
-    boardie.url = "github:devplayer0/boardie";
+    boardie.url = "git+https://git.nul.ie/dev/boardie";
    boardie.inputs.nixpkgs.follows = "nixpkgs-unstable";
    nixGL.url = "github:nix-community/nixGL";
    nixGL.inputs.nixpkgs.follows = "nixpkgs-unstable";
@@ -34,9 +35,6 @@
    sharry.inputs.nixpkgs.follows = "nixpkgs-unstable";
    borgthin.url = "github:devplayer0/borg";
    borgthin.inputs.nixpkgs.follows = "nixpkgs-mine";
    attic.url = "github:zhaofengli/attic";
    attic.inputs.nixpkgs.follows = "nixpkgs-unstable";
    attic.inputs.nixpkgs-stable.follows = "nixpkgs-stable";
  };
  outputs =
@@ -51,7 +49,7 @@
      ...
    }:
    let
-      inherit (builtins) mapAttrs replaceStrings;
+      inherit (builtins) mapAttrs replaceStrings elem;
      inherit (lib) mapAttrs' filterAttrs nameValuePair recurseIntoAttrs evalModules;
      inherit (lib.flake) flattenTree eachDefaultSystem;
      inherit (lib.my) mkDefaultSystemsPkgs flakePackageOverlay;
@@ -95,7 +93,6 @@
            inputs.ragenix.overlays.default
            inputs.deploy-rs.overlay
            (flakePackageOverlay inputs.home-manager-unstable system)
            inputs.attic.overlays.default
          ];
        }))
        pkgsFlakes;
@@ -107,6 +104,16 @@
            pkgsLibOverlay
            myPkgsOverlay
          ];
          config = {
            # RMS forgive me...
            # Normally this is set modularly, but sometimes we need to use other pkgs
            allowUnfreePredicate = p: elem (lib.getName p) [
              "widevine-cdm"
              "chromium-unwrapped"
              "chromium"
            ];
          };
        }))
        pkgsFlakes;
@@ -115,9 +122,9 @@
        nixos/installer.nix
        nixos/boxes/colony
        nixos/boxes/tower
        nixos/boxes/castle
        nixos/boxes/home/stream.nix
        nixos/boxes/home/palace
        nixos/boxes/home/castle
        nixos/boxes/britway
        nixos/boxes/kelder
@@ -197,8 +204,9 @@
        systems' = mapAttrs' (n: v: nameValuePair "system-${n}" v) systems;
        packages' = mapAttrs' (n: v: nameValuePair "package-${n}" v) packages;
      in
-        pkgs.linkFarm "ci" (homes' // systems' // packages' // {
+        homes' // systems' // packages' // {
          inherit shell;
-        });
+        };
      ciDrv = pkgs.linkFarm "ci" ci;
    }));
 }
--- a/home-manager/modules/common.nix
+++ b/home-manager/modules/common.nix
@@ -199,17 +199,20 @@ in
          file
          tree
          pwgen
          minicom
          iperf3
          mosh
          wget
          hyx
          whois
          ldns
          minicom
          mtr
          hyx
          ncdu
          jq
          yq-go
          nix-tree
        ];
        sessionVariables = {
--- a/home-manager/modules/gui/alacritty-xterm.toml
+++ b/home-manager/modules/gui/alacritty-xterm.toml
@@ -0,0 +1,28 @@
 # XTerm's default colors
 # Default colors
 [colors.primary]
 background = '#000000'
 foreground = '#ffffff'
 # Normal colors
 [colors.normal]
 black   = '#000000'
 red     = '#cd0000'
 green   = '#00cd00'
 yellow  = '#cdcd00'
 blue    = '#0000ee'
 magenta = '#cd00cd'
 cyan    = '#00cdcd'
 white   = '#e5e5e5'
 # Bright colors
 [colors.bright]
 black   = '#7f7f7f'
 red     = '#ff0000'
 green   = '#00ff00'
 yellow  = '#ffff00'
 blue    = '#5c5cff'
 magenta = '#ff00ff'
 cyan    = '#00ffff'
 white   = '#ffffff'
--- a/home-manager/modules/gui/default.nix
+++ b/home-manager/modules/gui/default.nix
@@ -1,6 +1,6 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs', pkgs, config, ... }:
 let
-  inherit (lib) genAttrs mkIf mkMerge mkForce;
+  inherit (lib) genAttrs mkIf mkMerge mkForce mapAttrs mkOptionDefault;
  inherit (lib.my) mkBoolOpt';
  cfg = config.my.gui;
@@ -10,6 +10,23 @@ let
    name = "Monocraft";
    size = 10;
  };
  doomWad = pkgs.fetchurl {
    url = "https://distro.ibiblio.org/slitaz/sources/packages/d/doom1.wad";
    hash = "sha256-HX1DvlAeZ9kn5BXguPPinDvzMHXoWXIYFvZSpSbKx3E=";
  };
  doomsaver = pkgs.runCommand "doomsaver" {
    inherit (pkgs) windowtolayer;
    chocoDoom = pkgs.chocolate-doom2xx;
    python = pkgs.python3.withPackages (ps: [ ps.filelock ]);
    inherit doomWad;
    enojy = ./enojy.jpg;
  } ''
    mkdir -p "$out"/bin
    substituteAll ${./screensaver.py} "$out"/bin/doomsaver
    chmod +x "$out"/bin/doomsaver
  '';
 in
 {
  options.my.gui = {
@@ -22,21 +39,32 @@ in
      {
        home = {
          packages = with pkgs; [
            xdg-utils
            font.package
-            (nerdfonts.override {
+            nerd-fonts.sauce-code-pro
-              fonts = [ "DroidSansMono" "SourceCodePro" ];
+            nerd-fonts.droid-sans-mono
            })
            noto-fonts-emoji
            grim
            slurp
            swappy
-            python310Packages.python-lsp-server
+            python3Packages.python-lsp-server
            nil # nix language server
            zls # zig language server
            rust-analyzer
            cowsay
            fortune
            jp2a
            terminaltexteffects
            screenfetch
            neofetch
            cmatrix
            doomsaver
            xournalpp
          ];
        };
@@ -51,7 +79,15 @@ in
          alacritty = {
            enable = true;
            settings = {
-              font.normal.family = font.name;
+              general.import = [ ./alacritty-xterm.toml ];
              font = {
                size = font.size;
                normal = {
                  family = font.name;
                  style = "Regular";
                };
              };
            };
          };
@@ -59,9 +95,29 @@ in
            enable = true;
            inherit font;
            settings = {
-              background_opacity = "0.8";
+              background_opacity = "0.65";
              tab_bar_edge = "top";
              shell_integration = "no-sudo";
              font_features = "${font.name} -liga";
            };
          };
          termite = {
            enable = true;
            font = "${font.name} ${toString font.size}";
            backgroundColor = "rgba(0, 0, 0, 0.8)";
          };
          foot = {
            enable = true;
            settings = {
              main = {
                font = "${font.name}:size=${toString font.size}";
              };
              colors = {
                alpha = 0.8;
                background = "000000";
              };
            };
          };
@@ -108,6 +164,19 @@ in
              };
              Install.RequiredBy = [ "sway-session.target" ];
            };
            activate-linux = {
              Unit = {
                Description = "Linux activation watermark";
                After = "graphical-session.target";
                PartOf = "graphical-session.target";
              };
              Service = {
                Type = "simple";
                ExecStart = "${pkgs.activate-linux}/bin/activate-linux";
              };
              Install.RequiredBy = [ "graphical-session.target" ];
            };
          };
        };
@@ -117,6 +186,7 @@ in
            wl-clipboard
            wev
            wdisplays
            swaysome
            pavucontrol
            libsecret
@@ -126,10 +196,11 @@ in
          ];
          pointerCursor = {
-            package = pkgs.vanilla-dmz;
+            package = pkgs.posy-cursors;
-            name = "Vanilla-DMZ";
+            name = "Posy_Cursor";
-            size = 16;
+            size = 32;
            gtk.enable = true;
            x11.enable = true;
          };
        };
@@ -138,9 +209,36 @@ in
        xsession.preferStatusNotifierItems = true;
        wayland = {
          windowManager = {
-            sway = {
+            sway =
            let
              cfg = config.wayland.windowManager.sway.config;
              mod = cfg.modifier;
              renameWs = pkgs.writeShellScript "sway-rename-ws" ''
                focused_ws="$(swaymsg -t get_workspaces | jq ".[] | select(.focused)")"
                focused_num="$(jq -r ".num" <<< "$focused_ws")"
                focused_name="$(jq -r ".name" <<< "$focused_ws")"
                placeholder="$(sed -E 's/[0-9]+: //' <<< "$focused_name")"
                name="$(rofi -dmenu -p "rename ws $focused_num" -theme+entry+placeholder "\"$placeholder\"")"
                if [ -n "$name" ]; then
                  swaymsg rename workspace "$focused_name" to "$focused_num: $name"
                fi
              '';
              clearWsName = pkgs.writeShellScript "sway-clear-ws-name" ''
                focused_ws="$(swaymsg -t get_workspaces | jq ".[] | select(.focused)")"
                focused_num="$(jq -r ".num" <<< "$focused_ws")"
                focused_name="$(jq -r ".name" <<< "$focused_ws")"
                swaymsg rename workspace "$focused_name" to "$focused_num"
              '';
            in
            {
              enable = true;
              xwayland = true;
              extraConfigEarly = ''
                set $mod ${mod}
              '';
              config = {
                input = {
                  "type:touchpad" = {
@@ -155,31 +253,95 @@ in
                modifier = "Mod4";
                terminal = "kitty";
-                keybindings =
+                keybindings = mapAttrs (k: mkOptionDefault) {
-                  let
+                  "${mod}+Left" = "focus left";
-                    cfg = config.wayland.windowManager.sway.config;
+                  "${mod}+Down" = "focus down";
-                    mod = cfg.modifier;
+                  "${mod}+Up" = "focus up";
-                  in
+                  "${mod}+Right" = "focus right";
                  lib.mkOptionDefault {
                    "${mod}+d" = null;
                    "${mod}+l" = "exec swaylock -i ${./lock.png} -s stretch";
                    "${mod}+x" = "exec ${cfg.menu}";
                    "${mod}+Shift+x" = "exec rofi -show drun";
                    "${mod}+q" = "kill";
                    "${mod}+Shift+q" = "exec swaynag -t warning -m 'bruh you really wanna kill sway?' -b 'ye' 'systemctl --user stop graphical-session.target && swaymsg exit'";
                    "${mod}+Shift+d" = ''exec grim - | swappy -f -'';
                    "${mod}+Shift+s" = ''exec grim -g "$(slurp)" - | swappy -f -'';
                    "${mod}+Shift+e" = "exec rofi -show emoji";
                    # Config for this doesn't seem to work :/
                    "${mod}+c" = ''exec rofi -show calc -calc-command "echo -n '{result}' | ${pkgs.wl-clipboard}/bin/wl-copy"'';
-                    "XF86AudioRaiseVolume" = "exec ${pkgs.pamixer}/bin/pamixer -i 5";
+                  "${mod}+Shift+Left" = "move left";
-                    "XF86AudioLowerVolume" = "exec ${pkgs.pamixer}/bin/pamixer -d 5";
+                  "${mod}+Shift+Down" = "move down";
-                    "XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play";
+                  "${mod}+Shift+Up" = "move up";
-                    "XF86AudioPause" = "exec ${pkgs.playerctl}/bin/playerctl pause";
+                  "${mod}+Shift+Right" = "move right";
-                    "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
+
-                    "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
+                  "${mod}+b" = "splith";
-                  };
+                  "${mod}+v" = "splitv";
                  "${mod}+f" = "fullscreen toggle";
                  "${mod}+a" = "focus parent";
                  "${mod}+s" = "layout stacking";
                  "${mod}+w" = "layout tabbed";
                  "${mod}+e" = "layout toggle split";
                  "${mod}+Shift+space" = "floating toggle";
                  "${mod}+space" = "focus mode_toggle";
                  "${mod}+1" = "workspace number 1";
                  "${mod}+2" = "workspace number 2";
                  "${mod}+3" = "workspace number 3";
                  "${mod}+4" = "workspace number 4";
                  "${mod}+5" = "workspace number 5";
                  "${mod}+6" = "workspace number 6";
                  "${mod}+7" = "workspace number 7";
                  "${mod}+8" = "workspace number 8";
                  "${mod}+9" = "workspace number 9";
                  "${mod}+0" = "workspace number 10";
                  "${mod}+Shift+1" =
                    "move container to workspace number 1";
                  "${mod}+Shift+2" =
                    "move container to workspace number 2";
                  "${mod}+Shift+3" =
                    "move container to workspace number 3";
                  "${mod}+Shift+4" =
                    "move container to workspace number 4";
                  "${mod}+Shift+5" =
                    "move container to workspace number 5";
                  "${mod}+Shift+6" =
                    "move container to workspace number 6";
                  "${mod}+Shift+7" =
                    "move container to workspace number 7";
                  "${mod}+Shift+8" =
                    "move container to workspace number 8";
                  "${mod}+Shift+9" =
                    "move container to workspace number 9";
                  "${mod}+Shift+0" =
                    "move container to workspace number 10";
                  "${mod}+Shift+minus" = "move scratchpad";
                  "${mod}+minus" = "scratchpad show";
                  "${mod}+Return" = "exec ${cfg.terminal}";
                  "${mod}+r" = "mode resize";
                  "${mod}+d" = null;
                  "${mod}+l" = "exec ${doomsaver}/bin/doomsaver";
                  "${mod}+q" = "kill";
                  "${mod}+Shift+c" = "reload";
                  "${mod}+Shift+q" = "exec swaynag -t warning -m 'bruh you really wanna kill sway?' -b 'ye' 'systemctl --user stop graphical-session.target && swaymsg exit'";
                  # rofi
                  "${mod}+x" = "exec ${cfg.menu}";
                  "${mod}+Shift+x" = "exec rofi -show drun";
                  "${mod}+Shift+e" = "exec rofi -show emoji";
                  # Config for this doesn't seem to work :/
                  "${mod}+c" = ''exec rofi -show calc -calc-command "echo -n '{result}' | ${pkgs.wl-clipboard}/bin/wl-copy"'';
                  "${mod}+Shift+r" = "exec ${renameWs}";
                  "${mod}+Shift+n" = "exec ${clearWsName}";
                  # Screenshots
                  "${mod}+Shift+d" = ''exec grim - | swappy -f -'';
                  "${mod}+Shift+s" = ''exec grim -g "$(slurp)" - | swappy -f -'';
                  "XF86MonBrightnessDown" = "exec ${pkgs.brightnessctl}/bin/brightnessctl set 5%-";
                  "XF86MonBrightnessUp" = "exec ${pkgs.brightnessctl}/bin/brightnessctl set +5%";
                  "XF86AudioRaiseVolume" = "exec ${pkgs.pamixer}/bin/pamixer -i 5";
                  "XF86AudioLowerVolume" = "exec ${pkgs.pamixer}/bin/pamixer -d 5";
                  "XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play";
                  "XF86AudioPause" = "exec ${pkgs.playerctl}/bin/playerctl pause";
                  "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
                  "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
                };
                keycodebindings = {
                  # keycode for XF86AudioPlayPause (no sym for some reason)
                  "172" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
@@ -188,6 +350,9 @@ in
                menu = "rofi -show run";
                bars = mkForce [ ];
              };
              extraConfig = ''
                include ${./swaysome.conf}
              '';
              swaynag = {
                enable = true;
@@ -210,17 +375,10 @@ in
        };
        qt = {
          enable = true;
-          platformTheme = "gtk";
+          platformTheme.name = "gtk";
        };
        services = {
          swaync = {
            enable = true;
            settings = {
              widgets = [ "title" "dnd" "mpris" "notifications" ];
            };
          };
          playerctld.enable = true;
          spotifyd = {
            enable = false;
@@ -245,6 +403,7 @@ in
            diff-so-fancy.enable = true;
            userEmail = "jackos1998@gmail.com";
            userName = "Jack O'Sullivan";
            lfs.enable = true;
            extraConfig = {
              pull.rebase = true;
            };
@@ -252,11 +411,13 @@ in
          waybar = import ./waybar.nix { inherit lib pkgs config font; };
          rofi = {
            package = pkgs.rofi-wayland;
            enable = true;
            font = "${font.name} ${toString font.size}";
-            plugins = with pkgs; [
+            plugins = with pkgs; (map (p: p.override { rofi-unwrapped = rofi-wayland-unwrapped; }) [
              rofi-calc
-              rofi-emoji
+            ]) ++ [
              rofi-emoji-wayland
            ];
            extraConfig = {
              modes = "window,run,ssh,filebrowser,calc,emoji";
@@ -271,7 +432,7 @@ in
          chromium = {
            enable = true;
-            package = (pkgs.chromium.override { enableWideVine = true; }).overrideAttrs (old: {
+            package = (pkgs'.unstable.chromium.override { enableWideVine = true; }).overrideAttrs (old: {
              buildCommand = ''
                ${old.buildCommand}
@@ -297,6 +458,15 @@ in
            ] (_: "chromium-browser.desktop");
          };
        };
        my = {
          swaync = {
            enable = true;
            settings = {
              widgets = [ "title" "dnd" "mpris" "notifications" ];
            };
          };
        };
      })
      (mkIf (cfg.standalone && !pkgs.stdenv.isDarwin) {
--- a/home-manager/modules/gui/enojy.jpg
+++ b/home-manager/modules/gui/enojy.jpg
--- a/home-manager/modules/gui/screensaver.py
+++ b/home-manager/modules/gui/screensaver.py
@@ -0,0 +1,209 @@
 #!@python@/bin/python
 import argparse
 import json
 import os
 import random
 import signal
 import subprocess
 import sys
 import filelock
 class Screensaver:
    def __init__(self, cmd, env=None, weight=1):
        self.cmd = cmd
        self.weight = weight
        if env is not None:
            self.env = os.environ.copy()
            for k, v in env.items():
                self.env[k] = v
        else:
            self.env = None
        self.proc = None
    def start(self):
        assert self.proc is None
        self.proc = subprocess.Popen(self.cmd, env=self.env)
    def wait(self):
        assert self.proc is not None
        self.proc.wait()
    def stop(self, kill=False):
        assert self.proc is not None
        if kill:
            self.proc.kill()
        else:
            self.proc.terminate()
 class DoomSaver(Screensaver):
    wad = '@doomWad@'
    def __init__(self, demo_index, weight=1.5):
        super().__init__(
            ['@chocoDoom@/bin/chocolate-doom',
             '-iwad', self.wad,
             '-demoloopi', str(demo_index)],
            env={
                'SDL_AUDIODRIVER': 'null',
                'SDL_VIDEODRIVER': 'caca',
                'CACA_DRIVER': 'ncurses',
            },
            weight=weight,
        )
    def stop(self):
        super().stop(kill=True)
 class TTESaver(Screensaver):
    effects = (
        'beams,binarypath,blackhole,bouncyballs,bubbles,burn,colorshift,crumble,'
        'decrypt,errorcorrect,expand,fireworks,middleout,orbittingvolley,overflow,'
        'pour,print,rain,randomsequence,rings,scattered,slice,slide,spotlights,'
        'spray,swarm,synthgrid,unstable,vhstape,waves,wipe'
    ).split(',')
    def __init__(self, cmd, env=None, weight=1):
        super().__init__(cmd, env=env, weight=weight)
        self.running = False
    def start(self):
        self.running = True
    def wait(self):
        while self.running:
            effect_cmd = ['tte', random.choice(self.effects)]
            print(f"$ {self.cmd} | {' '.join(effect_cmd)}")
            content = subprocess.check_output(self.cmd, shell=True, env=self.env, stderr=subprocess.DEVNULL)
            self.proc = subprocess.Popen(effect_cmd, stdin=subprocess.PIPE)
            self.proc.stdin.write(content)
            self.proc.stdin.close()
            self.proc.wait()
    def stop(self):
        self.running = False
        self.proc.terminate()
 class MultiSaver:
    savers = [
        DoomSaver(0),
        DoomSaver(1),
        DoomSaver(2),
        Screensaver(['cmatrix']),
        TTESaver('screenfetch -N'),
        TTESaver('fortune | cowsay'),
        TTESaver('top -bn1 | head -n50'),
        TTESaver('ss -nltu'),
        TTESaver('ss -ntu'),
        TTESaver('jp2a --width=100 @enojy@'),
    ]
    state_filename = 'screensaver.json'
    def __init__(self, select=None):
        self.state_path = os.path.join(f'/run/user/{os.geteuid()}', self.state_filename)
        self.lock = filelock.FileLock(f'{self.state_path}.lock')
        if select is not None:
            assert select >= 0 and select < len(self.savers), 'Invalid screensaver index'
            self.selected = self.savers[select]
        else:
            self.selected = None
        self.cleaned_up = False
    def select(self):
        with self.lock:
            if not os.path.exists(self.state_path):
                state = {'instances': []}
            else:
                with open(self.state_path) as f:
                    state = json.load(f)
            if self.selected is None:
                available = set(range(len(self.savers)))
                new_instances = []
                for instance in state['instances']:
                    if not os.path.exists(f"/proc/{instance['pid']}"):
                        continue
                    new_instances.append(instance)
                    i = instance['saver']
                    assert i in available
                    available.remove(i)
                assert available, 'No screensavers left'
                available = list(available)
                weights = []
                for i in available:
                    weights.append(self.savers[i].weight)
                selected_i = random.choices(available, weights=weights)[0]
                new_instances.append({'pid': os.getpid(), 'saver': selected_i})
                state['instances'] = new_instances
                # print(f'Selected saver {selected_i}')
                self.selected = self.savers[selected_i]
            with open(self.state_path, 'w') as f:
                json.dump(state, f)
    def cleanup(self):
        if self.cleaned_up:
            return
        self.cleaned_up = True
        with self.lock:
            with open(self.state_path) as f:
                state = json.load(f)
            for i, instance in enumerate(state['instances']):
                if instance['pid'] == os.getpid():
                    del state['instances'][i]
            with open(self.state_path, 'w') as f:
                json.dump(state, f)
    def run(self):
        assert self.selected is not None
        self.selected.start()
        signal.signal(signal.SIGINT, self._sighandler)
        signal.signal(signal.SIGTERM, self._sighandler)
        signal.signal(signal.SIGHUP, self._sighandler)
        self.selected.wait()
        self.cleanup()
    def stop(self):
        assert self.selected is not None
        print('Shutting down')
        self.selected.stop()
        self.cleanup()
    def _sighandler(self, signum, frame):
        self.stop()
 def main():
    parser = argparse.ArgumentParser(description='Wayland terminal-based lock screen')
    parser.add_argument('-l', '--locker-cmd', default='swaylock-plugin', help='swaylock-plugin command to use')
    parser.add_argument('-t', '--terminal', default='alacritty', help='Terminal emulator to use')
    parser.add_argument('-i', '--instance', action='store_true', help='Run as instance')
    parser.add_argument('-s', '--screensaver', type=int, help='Force use of specific screensaver')
    args = parser.parse_args()
    if not args.instance:
        cmd = [
            args.locker_cmd, '--command-each',
            f'@windowtolayer@/bin/windowtolayer -- {args.terminal} -e {sys.argv[0]} --instance']
        if args.screensaver is not None:
            cmd[-1] += f' --screensaver {args.screensaver}'
        subprocess.check_call(cmd)
        return
    ms = MultiSaver(select=args.screensaver)
    ms.select()
    ms.run()
 if __name__ == '__main__':
    main()
--- a/home-manager/modules/gui/stop-nixos.png
+++ b/home-manager/modules/gui/stop-nixos.png
--- a/home-manager/modules/gui/swaysome.conf
+++ b/home-manager/modules/gui/swaysome.conf
@@ -0,0 +1,66 @@
 # Use (un)bindcode or (un)bindsym, depending on what you used in your main sway config file.
 # The `--no-warn` setting is only added to shortcuts that exist in the default config. You may want to add or remove
 # that flag on some bindings depending on your config.
 # Change focus between workspaces
 bindsym $mod+Alt+1 exec "swaysome focus 1"
 bindsym $mod+Alt+2 exec "swaysome focus 2"
 bindsym $mod+Alt+3 exec "swaysome focus 3"
 bindsym $mod+Alt+4 exec "swaysome focus 4"
 bindsym $mod+Alt+5 exec "swaysome focus 5"
 bindsym $mod+Alt+6 exec "swaysome focus 6"
 bindsym $mod+Alt+7 exec "swaysome focus 7"
 bindsym $mod+Alt+8 exec "swaysome focus 8"
 bindsym $mod+Alt+9 exec "swaysome focus 9"
 bindsym $mod+Alt+0 exec "swaysome focus 0"
 # Focus workspace groups
 bindsym --no-warn $mod+1 exec "swaysome focus-group 1"
 bindsym --no-warn $mod+2 exec "swaysome focus-group 2"
 bindsym --no-warn $mod+3 exec "swaysome focus-group 3"
 bindsym --no-warn $mod+4 exec "swaysome focus-group 4"
 bindsym --no-warn $mod+5 exec "swaysome focus-group 5"
 bindsym --no-warn $mod+6 exec "swaysome focus-group 6"
 bindsym --no-warn $mod+7 exec "swaysome focus-group 7"
 bindsym --no-warn $mod+8 exec "swaysome focus-group 8"
 bindsym --no-warn $mod+9 exec "swaysome focus-group 9"
 bindsym --no-warn $mod+0 exec "swaysome focus-group 0"
 # Move containers between workspaces
 bindsym $mod+Alt+Shift+1 exec "swaysome move 1"
 bindsym $mod+Alt+Shift+2 exec "swaysome move 2"
 bindsym $mod+Alt+Shift+3 exec "swaysome move 3"
 bindsym $mod+Alt+Shift+4 exec "swaysome move 4"
 bindsym $mod+Alt+Shift+5 exec "swaysome move 5"
 bindsym $mod+Alt+Shift+6 exec "swaysome move 6"
 bindsym $mod+Alt+Shift+7 exec "swaysome move 7"
 bindsym $mod+Alt+Shift+8 exec "swaysome move 8"
 bindsym $mod+Alt+Shift+9 exec "swaysome move 9"
 bindsym $mod+Alt+Shift+0 exec "swaysome move 0"
 # Move containers to other workspace groups
 bindsym --no-warn $mod+Shift+1 exec "swaysome move-to-group 1"
 bindsym --no-warn $mod+Shift+2 exec "swaysome move-to-group 2"
 bindsym --no-warn $mod+Shift+3 exec "swaysome move-to-group 3"
 bindsym --no-warn $mod+Shift+4 exec "swaysome move-to-group 4"
 bindsym --no-warn $mod+Shift+5 exec "swaysome move-to-group 5"
 bindsym --no-warn $mod+Shift+6 exec "swaysome move-to-group 6"
 bindsym --no-warn $mod+Shift+7 exec "swaysome move-to-group 7"
 bindsym --no-warn $mod+Shift+8 exec "swaysome move-to-group 8"
 bindsym --no-warn $mod+Shift+9 exec "swaysome move-to-group 9"
 bindsym --no-warn $mod+Shift+0 exec "swaysome move-to-group 0"
 # Move focused container to next output
 bindsym $mod+Alt+Right exec "swaysome next-output"
 # Move focused container to previous output
 bindsym $mod+Alt+Left exec "swaysome prev-output"
 # Move focused workspace group to next output
 bindsym $mod+Shift+Alt+Right exec "swaysome workspace-group-next-output"
 # Move focused workspace group to previous output
 bindsym $mod+Shift+Alt+Left exec "swaysome workspace-group-prev-output"
 # Init workspaces for every screen
 exec "swaysome init 1"
--- a/home-manager/modules/gui/waybar.nix
+++ b/home-manager/modules/gui/waybar.nix
@@ -146,9 +146,9 @@ in
          dnd-none = "";
        };
        return-type = "json";
-        exec = "${config.services.swaync.package}/bin/swaync-client -swb";
+        exec = "${config.my.swaync.package}/bin/swaync-client -swb";
-        on-click = "${config.services.swaync.package}/bin/swaync-client -t -sw";
+        on-click = "${config.my.swaync.package}/bin/swaync-client -t -sw";
-        on-click-right = "${config.services.swaync.package}/bin/swaync-client -d -sw";
+        on-click-right = "${config.my.swaync.package}/bin/swaync-client -d -sw";
        escape = true;
      };
    };
--- a/home-manager/modules/swaync.nix
+++ b/home-manager/modules/swaync.nix
@@ -19,10 +19,10 @@ let
    };
  };
-  cfg = config.services.swaync;
+  cfg = config.my.swaync;
 in
 {
-  options.services.swaync = with lib.types; {
+  options.my.swaync = with lib.types; {
    enable = mkEnableOption "Sway Notification Center";
    package = mkOption {
      type = package;
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -11,6 +11,8 @@ rec {
      jellyseerr = 402;
      atticd = 403;
      kea = 404;
      keepalived_script = 405;
      photoprism = 406;
    };
    gids = {
      matrix-syncv3 = 400;
@@ -18,12 +20,14 @@ rec {
      jellyseerr = 402;
      atticd = 403;
      kea = 404;
      keepalived_script = 405;
      photoprism = 406;
    };
  };
  kernel = {
-    lts = pkgs: pkgs.linuxKernel.packages.linux_6_1;
+    lts = pkgs: pkgs.linuxKernel.packages.linux_6_6;
-    latest = pkgs: pkgs.linuxKernel.packages.linux_6_6;
+    latest = pkgs: pkgs.linuxKernel.packages.linux_6_12;
  };
  nginx = rec {
@@ -94,10 +98,10 @@ rec {
  nix = {
    cache = rec {
      substituters = [
-        "https://nix-cache.${pubDomain}/main"
+        "https://nix-cache.${pubDomain}"
      ];
      keys = [
-        "main:mMChkG8LwXrFirVfudqjSHasK1jV31OVElYD3eImYl8="
+        "nix-cache.nul.ie-1:BzH5yMfF4HbzY1C977XzOxoPhEc9Zbu39ftPkUbH+m4="
      ];
      conf = ''
        extra-substituters = ${concatStringsSep " " substituters}
@@ -107,7 +111,7 @@ rec {
  };
  pubDomain = "nul.ie";
-  colony = {
+  colony = rec {
    domain = "ams1.int.${pubDomain}";
    pubV4 = "94.142.240.44";
    prefixes = with lib.my.net.cidr; rec {
@@ -131,6 +135,9 @@ rec {
        v4 = subnet 8 3 all.v4;
        v6 = subnet 4 3 all.v6;
      };
      qclk = {
        v4 = subnet 8 4 all.v4;
      };
      cust = {
        v4 = subnet 8 100 all.v4; # single ip for routing only
@@ -144,6 +151,10 @@ rec {
        v4 = "94.142.242.255/32";
        v6 = subnet 8 1 cust.v6;
      };
      jam = {
        v4 = subnet 8 4 cust.v4;
        v6 = subnet 8 2 cust.v6;
      };
      vip1 = "94.142.241.224/30";
      vip2 = "94.142.242.254/31";
@@ -156,6 +167,16 @@ rec {
      home.v6 = "2a0e:97c0:4d0::/48";
    };
    custRouting = with lib.my.net.cidr; {
      mail-vm = host 1 prefixes.cust.v4;
      darts-vm = host 2 prefixes.cust.v4;
      jam-ctr = host 3 prefixes.cust.v4;
    };
    qclk = {
      wgPort = 51821;
    };
    firewallForwards = aa: [
      {
        port = "http";
@@ -169,6 +190,7 @@ rec {
        port = 8448;
        dst = aa.middleman.internal.ipv4.address;
      }
      {
        port = 25565;
        dst = aa.simpcraft-oci.internal.ipv4.address;
@@ -177,6 +199,7 @@ rec {
        port = 25566;
        dst = aa.simpcraft-staging-oci.internal.ipv4.address;
      }
      {
        port = 25575;
        dst = aa.simpcraft-oci.internal.ipv4.address;
@@ -204,6 +227,23 @@ rec {
        dst = aa.simpcraft-oci.internal.ipv4.address;
        proto = "udp";
      }
      {
        port = 15636;
        dst = aa.enshrouded-oci.internal.ipv4.address;
        proto = "udp";
      }
      {
        port = 15637;
        dst = aa.enshrouded-oci.internal.ipv4.address;
        proto = "udp";
      }
      {
        port = qclk.wgPort;
        dst = aa.qclk.internal.ipv4.address;
        proto = "udp";
      }
    ];
    fstrimConfig = {
@@ -227,7 +267,7 @@ rec {
      "stream"
    ];
    routersPubV4 = [
-      "109.255.1.246"
+      "109.255.31.155"
      "109.255.252.63"
    ];
@@ -277,6 +317,8 @@ rec {
        v6 = host ((1*65536*65536*65536) + 65535) prefixes.as211024.v6;
      };
    };
    roceBootModules = [ "ib_core" "ib_uverbs" "mlx5_core" "mlx5_ib" ];
  };
  britway = {
@@ -327,6 +369,7 @@ rec {
    };
    domain = "hentai.engineer";
    ipv4MTU = 1460;
    vpn = {
      port = 51820;
    };
@@ -340,6 +383,7 @@ rec {
    deploy = ../.keys/deploy.pub;
    rsyncNet = ../.keys/zh2855.rsync.net.pub;
    mailcowAcme = ../.keys/mailcow-acme.pub;
    harmonia = ../.keys/harmonia.pub;
  };
  sshHostKeys = {
    mail-vm = ../.keys/mail-vm-host.pub;
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -5,7 +5,7 @@ let
    genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types
    mkOption mkOverride mkForce mkIf mergeEqualOption optional
    showWarnings concatStringsSep flatten unique optionalAttrs
-    mkBefore;
+    mkBefore toLower;
  inherit (lib.flake) defaultSystems;
 in
 rec {
@@ -248,10 +248,37 @@ rec {
  in
  {
    trivial = prev.trivial // {
-      release = "23.12:u-${prev.trivial.release}";
+      release = "24.12:u-${prev.trivial.release}";
-      codeName = "Amogus";
+      codeName = "Epic";
      revisionWithDefault = default: self.rev or default;
      versionSuffix = ".${date}.${revCode self}:u-${revCode pkgsFlake}";
    };
  };
  netbootKeaClientClasses = { tftpIP, hostname, systems }:
  let
    testIPXE = "substring(option[user-class].hex, 0, 4) == 'iPXE'";
  in
    (mapAttrsToList (name: mac: {
      name = "nixos-${name}";
      test = "(${testIPXE}) and (hexstring(pkt4.mac, ':') == '${toLower mac}')";
      next-server = tftpIP;
      server-hostname = hostname;
      boot-file-name = "http://${hostname}/systems/${name}/menu.ipxe";
    }) systems) ++ [
    {
      name = "ipxe";
      test = testIPXE;
      next-server = tftpIP;
      server-hostname = hostname;
      boot-file-name = "http://${hostname}/boot.ipxe";
    }
    {
      name = "efi-x86_64";
      test = "option[client-system].hex == 0x0007";
      next-server = tftpIP;
      server-hostname = hostname;
      boot-file-name = "ipxe-x86_64.efi";
    }
  ];
 }
--- a/nixos/boxes/britway/default.nix
+++ b/nixos/boxes/britway/default.nix
@@ -106,7 +106,7 @@ in
                  {
                    matchConfig.Name = "as211024";
                    networkConfig.IPv6AcceptRA = mkForce false;
-                    routes = map (r: { routeConfig = r; }) [
+                    routes = [
                      {
                        Destination = lib.my.c.colony.prefixes.all.v4;
                        Gateway = allAssignments.estuary.as211024.ipv4.address;
@@ -123,7 +123,7 @@ in
                        Table = "ts-extra";
                      }
                    ];
-                    routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
+                    routingPolicyRules = [
                      {
                        IncomingInterface = "tailscale0";
                        To = lib.my.c.colony.prefixes.all.v6;
--- a/nixos/boxes/britway/nginx.nix
+++ b/nixos/boxes/britway/nginx.nix
@@ -80,7 +80,7 @@ in
              };
            };
-            "ts.${pubDomain}" = {
+            "hs.${pubDomain}" = {
              locations."/" = {
                proxyPass = "http://localhost:${toString config.services.headscale.port}";
                proxyWebsockets = true;
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -5,18 +5,20 @@ let
  inherit (lib.my.c.britway) prefixes domain;
  # Can't use overrideAttrs because we need to override `vendorHash` within `buildGoModule`
-  headscale = pkgs.headscale.override {
+  headscale' = (pkgs.headscale.override {
    buildGoModule = args: pkgs.buildGoModule (args // rec {
-      version = "0.23.0-alpha2";
+      version = "0.23.0-alpha12";
      src = pkgs.fetchFromGitHub {
        owner = "juanfont";
        repo = "headscale";
        rev = "v${version}";
-        hash = "sha256-sz+uQyyq/5YYDe5I44x5x2nvd48swAhNlInB8KZYvDo=";
+        hash = "sha256-kZZK0cXnFARxblSMz01TDcBbTorkHGAwGpR+a4/mYfU=";
      };
-      vendorHash = "sha256-u9AmJguQ5dnJpfhOeLN43apvMHuraOrJhvlEIp9RoIc=";
+      patches = [];
      vendorHash = "sha256-EorT2AVwA3usly/LcNor6r5UIhLCdj3L4O4ilgTIC2o=";
      doCheck = false;
    });
-  };
+  });
  advRoutes = concatStringsSep "," [
    lib.my.c.home.prefixes.all.v4
@@ -39,19 +41,20 @@ in
    services = {
      headscale = {
        enable = true;
        package = headscale;
        settings = {
          disable_check_updates = true;
          unix_socket_permission = "0770";
-          server_url = "https://ts.${pubDomain}";
+          server_url = "https://hs.${pubDomain}";
-          db_type = "sqlite3";
+          database = {
-          db_path = "/var/lib/headscale/db.sqlite3";
+            type = "sqlite3";
            sqlite.path = "/var/lib/headscale/db.sqlite3";
          };
          noise.private_key_path = "/var/lib/headscale/noise_private.key";
-          ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
+          prefixes = with lib.my.c.tailscale.prefix; { inherit v4 v6; };
-          dns_config = {
+          dns = {
            # Use IPs that will route inside the VPN to prevent interception
            # (e.g. DNS rebinding filtering)
-            restricted_nameservers = {
+            nameservers.split = {
              "${domain}" = pubNameservers;
              "${lib.my.c.colony.domain}" = with allAssignments.estuary.base; [
                ipv4.address ipv6.address
@@ -65,7 +68,6 @@ in
            };
            magic_dns = true;
            base_domain = "ts.${pubDomain}";
            override_local_dns = false;
          };
          oidc = {
            only_start_if_oidc_is_available = true;
@@ -85,7 +87,7 @@ in
        interfaceName = "tailscale0";
        extraUpFlags = [
          "--operator=${config.my.user.config.name}"
-          "--login-server=https://ts.nul.ie"
+          "--login-server=https://hs.nul.ie"
          "--netfilter-mode=off"
          "--advertise-exit-node"
          "--advertise-routes=${advRoutes}"
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -1,7 +1,7 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
-  inherit (lib.my.c.colony) domain prefixes firewallForwards;
+  inherit (lib.my.c.colony) domain prefixes custRouting firewallForwards;
 in
 {
  imports = [ ./vms ];
@@ -60,8 +60,8 @@ in
          kernelPackages = (lib.my.c.kernel.lts pkgs).extend (self: super: {
            kernel = super.kernel.override {
              structuredExtraConfig = with lib.kernel; {
-                #SOME_OPT = yes;
+                ACPI_APEI_PCIEAER = yes;
-                #A_MOD = module;
+                PCIEAER = yes;
              };
            };
          });
@@ -150,12 +150,12 @@ in
            "serial-getty@ttyS1".enable = true;
            lvm-activate-main = {
              description = "Activate remaining LVs";
-              before = [ "local-fs-pre.target" ];
+              unitConfig.DefaultDependencies = false;
              serviceConfig = {
                Type = "oneshot";
                ExecStart = "${pkgs.lvm2.bin}/bin/vgchange -aay main";
              };
-              wantedBy = [ "sysinit.target" ];
+              wantedBy = [ "local-fs-pre.target" ];
            };
            rsync-lvm-meta = {
@@ -252,10 +252,10 @@ in
                  };
                  ipv6Prefixes = [
                    {
-                      ipv6PrefixConfig.Prefix = prefixes.vms.v6;
+                      Prefix = prefixes.vms.v6;
                    }
                  ];
-                  routes = map (r: { routeConfig = r; }) [
+                  routes = [
                    {
                      Destination = prefixes.ctrs.v4;
                      Gateway = allAssignments.shill.routing.ipv4.address;
@@ -264,10 +264,12 @@ in
                      Destination = prefixes.ctrs.v6;
                      Gateway = allAssignments.shill.internal.ipv6.address;
                    }
                    {
                      Destination = allAssignments.shill.internal.ipv4.address;
                      Gateway = allAssignments.shill.routing.ipv4.address;
                    }
                    {
                      Destination = lib.my.c.tailscale.prefix.v4;
                      Gateway = allAssignments.shill.routing.ipv4.address;
@@ -276,6 +278,15 @@ in
                      Destination = lib.my.c.tailscale.prefix.v6;
                      Gateway = allAssignments.shill.internal.ipv6.address;
                    }
                    {
                      Destination = prefixes.qclk.v4;
                      Gateway = allAssignments.shill.routing.ipv4.address;
                    }
                    {
                      Destination = prefixes.jam.v6;
                      Gateway = allAssignments.shill.internal.ipv6.address;
                    }
                    {
                      Destination = prefixes.oci.v4;
@@ -307,7 +318,7 @@ in
              "90-vm-mail" = {
                matchConfig.Name = "vm-mail";
                address = [
-                  (net.cidr.subnet 8 1 prefixes.cust.v4)
+                  "${custRouting.mail-vm}/32"
                  prefixes.mail.v6
                ];
                networkConfig = {
@@ -316,10 +327,10 @@ in
                };
                ipv6Prefixes = [
                  {
-                    ipv6PrefixConfig.Prefix = prefixes.mail.v6;
+                    Prefix = prefixes.mail.v6;
                  }
                ];
-                routes = map (r: { routeConfig = r; }) [
+                routes = [
                  {
                    Destination = prefixes.mail.v4;
                    Scope = "link";
@@ -330,7 +341,7 @@ in
              "90-vm-darts" = {
                matchConfig.Name = "vm-darts";
                address = [
-                  (net.cidr.subnet 8 2 prefixes.cust.v4)
+                  "${custRouting.darts-vm}/32"
                  prefixes.darts.v6
                ];
                networkConfig = {
@@ -339,10 +350,10 @@ in
                };
                ipv6Prefixes = [
                  {
-                    ipv6PrefixConfig.Prefix = prefixes.darts.v6;
+                    Prefix = prefixes.darts.v6;
                  }
                ];
-                routes = map (r: { routeConfig = r; }) [
+                routes = [
                  {
                    Destination = prefixes.darts.v4;
                    Scope = "link";
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@@ -29,6 +29,9 @@
    };
  in
  {
    # Kernel Same-Page Merging to attempt memory usage reduction
    hardware.ksm.enable = false;
    systemd = {
      network = {
        links = {
@@ -130,7 +133,8 @@
              (vm.lvmDisk "media")
              (vm.lvmDisk "minio")
-              (vm.lvmDisk "nix-atticd")
+              (vm.lvmDisk "nix-cache")
              (vm.lvmDisk "jam")
            ]);
          };
@@ -209,6 +213,7 @@
            drives = [
              (mkMerge [ (vm.disk "darts" "root") { frontendOpts.bootindex = 0; } ])
              (vm.lvmDisk' "media" "darts-media")
              (vm.lvmDisk' "ext" "darts-ext")
            ];
          };
        };
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -9,6 +9,7 @@ in
    vpns = {
      l2 = {
        as211024 = {
          udpEncapsulation = true;
          vni = 211024;
          security.enable = true;
          peers = {
@@ -163,11 +164,9 @@ in
                    };
                    wireguardPeers = [
                      {
-                        wireguardPeerConfig = {
+                        PublicKey = "7N9YdQaCMWWIwAnW37vrthm9ZpbnG4Lx3gheHeRYz2E=";
-                          PublicKey = "7N9YdQaCMWWIwAnW37vrthm9ZpbnG4Lx3gheHeRYz2E=";
+                        AllowedIPs = [ allAssignments.kelder.estuary.ipv4.address ];
-                          AllowedIPs = [ allAssignments.kelder.estuary.ipv4.address ];
+                        PersistentKeepalive = 25;
                          PersistentKeepalive = 25;
                        };
                      }
                    ];
                  };
@@ -277,47 +276,51 @@ in
                    };
                    ipv6Prefixes = [
                      {
-                        ipv6PrefixConfig.Prefix = prefixes.base.v6;
+                        Prefix = prefixes.base.v6;
                      }
                    ];
-                    routes = map (r: { routeConfig = r; }) (flatten
+                    routes = flatten ([
-                      ([
+                      {
-                        {
+                        Destination = prefixes.vip1;
-                          Destination = prefixes.vip1;
+                        Gateway = allAssignments.colony.routing.ipv4.address;
-                          Gateway = allAssignments.colony.routing.ipv4.address;
+                      }
-                        }
+                      {
-                        {
+                        Destination = prefixes.vip3;
-                          Destination = prefixes.vip3;
+                        Gateway = allAssignments.colony.routing.ipv4.address;
-                          Gateway = allAssignments.colony.routing.ipv4.address;
+                      }
-                        }
+                      {
-                        {
+                        Destination = prefixes.darts.v4;
-                          Destination = prefixes.darts.v4;
+                        Gateway = allAssignments.colony.routing.ipv4.address;
-                          Gateway = allAssignments.colony.routing.ipv4.address;
+                      }
-                        }
+                      {
-                        {
+                        Destination = prefixes.cust.v6;
-                          Destination = prefixes.cust.v6;
+                        Gateway = allAssignments.colony.internal.ipv6.address;
-                          Gateway = allAssignments.colony.internal.ipv6.address;
+                      }
                        }
-                        {
+                      {
-                          Destination = lib.my.c.tailscale.prefix.v4;
+                        Destination = lib.my.c.tailscale.prefix.v4;
-                          Gateway = allAssignments.colony.routing.ipv4.address;
+                        Gateway = allAssignments.colony.routing.ipv4.address;
-                        }
+                      }
-                        {
+                      {
-                          Destination = lib.my.c.tailscale.prefix.v6;
+                        Destination = lib.my.c.tailscale.prefix.v6;
-                          Gateway = allAssignments.colony.internal.ipv6.address;
+                        Gateway = allAssignments.colony.internal.ipv6.address;
-                        }
+                      }
-                      ] ++
+
-                      (map (pName: [
+                      {
-                        {
+                        Destination = prefixes.qclk.v4;
-                          Gateway = allAssignments.colony.routing.ipv4.address;
+                        Gateway = allAssignments.colony.routing.ipv4.address;
-                          Destination = prefixes."${pName}".v4;
+                      }
-                        }
+                    ] ++
-                        {
+                    (map (pName: [
-                          Destination = prefixes."${pName}".v6;
+                      {
-                          Gateway = allAssignments.colony.internal.ipv6.address;
+                        Gateway = allAssignments.colony.routing.ipv4.address;
-                        }
+                        Destination = prefixes."${pName}".v4;
-                      ]) [ "vms" "ctrs" "oci" ])));
+                      }
                      {
                        Destination = prefixes."${pName}".v6;
                        Gateway = allAssignments.colony.internal.ipv6.address;
                      }
                    ]) [ "vms" "ctrs" "oci" ]));
                  }
                ];
@@ -326,7 +329,7 @@ in
                  {
                    matchConfig.Name = "as211024";
                    networkConfig.IPv6AcceptRA = mkForce false;
-                    routes = map (r: { routeConfig = r; }) [
+                    routes = [
                      {
                        Destination = lib.my.c.home.prefixes.all.v4;
                        Gateway = lib.my.c.home.vips.as211024.v4;
@@ -338,10 +341,8 @@ in
                  matchConfig.Name = "kelder";
                  routes = [
                    {
-                      routeConfig = {
+                      Destination = allAssignments.kelder.estuary.ipv4.address;
-                        Destination = allAssignments.kelder.estuary.ipv4.address;
+                      Scope = "link";
                        Scope = "link";
                      };
                    }
                  ];
                };
@@ -393,6 +394,9 @@ in
                      # Safe enough to allow all SSH
                      tcp dport ssh accept
                      # jam-ctr forwards
                      ip daddr ${aa.shill.internal.ipv4.address} tcp dport 60022 accept
                      ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept
                      ${matchInet "tcp dport { http, https } accept" "git"}
                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport { 25565, 25575 } accept
@@ -403,6 +407,7 @@ in
                      ip6 daddr ${aa.valheim-oci.internal.ipv6.address} udp dport { 2456-2457 } accept
                      ip6 daddr ${aa.waffletail.internal.ipv6.address} udp dport 41641 accept
                      ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} udp dport 25565 accept
                      ip6 daddr ${aa.enshrouded-oci.internal.ipv6.address} udp dport { 15636-15637 } accept
                      return
                    }
                    chain filter-routing {
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -2,7 +2,7 @@
 let
  inherit (builtins) attrNames;
  inherit (lib.my) net;
-  inherit (lib.my.c.colony) prefixes;
+  inherit (lib.my.c.colony) prefixes custRouting;
  authZones = attrNames config.my.pdns.auth.bind.zones;
 in
@@ -153,6 +153,7 @@ in
            simpcraft IN AAAA ${allAssignments.simpcraft-oci.internal.ipv6.address}
            simpcraft-staging IN A ${assignments.internal.ipv4.address}
            simpcraft-staging IN AAAA ${allAssignments.simpcraft-staging-oci.internal.ipv6.address}
            enshrouded IN A ${assignments.internal.ipv4.address}
            mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
            mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
@@ -162,6 +163,10 @@ in
            andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}
            jam-cust IN A ${net.cidr.host 0 prefixes.jam.v4}
            jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
            jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}
            $TTL 3
            _acme-challenge IN LUA TXT @@FILE@@
--- a/nixos/boxes/colony/vms/git/gitea-actions.nix
+++ b/nixos/boxes/colony/vms/git/gitea-actions.nix
@@ -35,6 +35,11 @@ in
          ];
          url = "https://git.${pubDomain}";
          tokenFile = config.age.secrets."gitea/actions-runner.env".path;
          settings = {
            runner = {
              timeout = "8h";
            };
          };
        };
      };
    };
--- a/nixos/boxes/colony/vms/shill/containers-ext.nix
+++ b/nixos/boxes/colony/vms/shill/containers-ext.nix
@@ -0,0 +1,105 @@
 { lib, pkgs, assignments, ... }:
 let
  inherit (lib.my) net;
  inherit (lib.my.c.colony) prefixes custRouting;
 in
 {
  fileSystems = {
    "/mnt/jam" = {
      device = "/dev/disk/by-label/jam";
      fsType = "ext4";
    };
    "/var/lib/machines/jam" = {
      device = "/mnt/jam";
      options = [ "bind" ];
    };
  };
  systemd = {
    nspawn = {
      jam = {
        enable = true;
        execConfig = {
          Boot = true;
          PrivateUsers = "pick";
          LinkJournal = false;
        };
        networkConfig = {
          Private = true;
          VirtualEthernet = true;
        };
      };
    };
    network.networks = {
      "50-ve-jam" = {
        matchConfig = {
          Kind = "veth";
          Name = "ve-jam";
        };
        address = [
          custRouting.jam-ctr
          prefixes.jam.v6
        ];
        networkConfig = {
          IPv6AcceptRA = false;
          IPv6SendRA = true;
        };
        ipv6Prefixes = [
          {
            Prefix = prefixes.jam.v6;
          }
        ];
        routes = [
          {
            Destination = prefixes.jam.v4;
            Scope = "link";
          }
        ];
      };
    };
    services = {
      "systemd-nspawn@jam" = {
        overrideStrategy = "asDropin";
        serviceConfig = {
          CPUQuota = "400%";
          MemoryHigh = "infinity";
          MemoryMax = "4G";
        };
        wantedBy = [ "machines.target" ];
      };
    };
  };
  my = {
    firewall =
    let
      jamIP = net.cidr.host 0 prefixes.jam.v4;
    in
    {
      nat.forwardPorts."${assignments.internal.ipv4.address}" = [
        {
          port = 60022;
          dst = jamIP;
          dstPort = "ssh";
        }
      ];
      extraRules = ''
        table inet filter {
          chain forward {
            iifname { ve-jam } oifname vms accept
            iifname vms oifname { ve-jam } accept
          }
        }
        table inet nat {
          chain postrouting {
            ip saddr ${jamIP} snat to ${assignments.internal.ipv4.address}
          }
        }
      '';
    };
  };
 }
--- a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
+++ b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
@@ -24,7 +24,7 @@ in
    configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
    let
-      inherit (lib) mkMerge mkIf mkForce;
+      inherit (lib) genAttrs mkMerge mkIf mkForce;
      inherit (lib.my) networkdAssignment;
    in
    {
@@ -45,9 +45,22 @@ in
                  owner = "matrix-synapse";
                  group = "matrix-synapse";
                };
-                "chatterbox/syncv3.env" = {
+                "chatterbox/doublepuppet.yaml" = {
-                  owner = "matrix-syncv3";
+                  owner = "matrix-synapse";
-                  group = "matrix-syncv3";
+                  group = "matrix-synapse";
                };
                "chatterbox/mautrix-whatsapp.env" = {
                  owner = "mautrix-whatsapp";
                  group = "mautrix-whatsapp";
                };
                "chatterbox/mautrix-messenger.env" = {
                  owner = "mautrix-meta-messenger";
                  group = "mautrix-meta";
                };
                "chatterbox/mautrix-instagram.env" = {
                  owner = "mautrix-meta-instagram";
                  group = "mautrix-meta";
                };
              };
            };
@@ -59,29 +72,24 @@ in
          users = with lib.my.c.ids; {
            users = {
-              matrix-syncv3 = {
+              matrix-synapse.extraGroups = [
-                isSystemUser = true;
+                "mautrix-whatsapp"
-                uid = uids.matrix-syncv3;
+              ];
                group = "matrix-syncv3";
              };
            };
            groups = {
              matrix-syncv3.gid = gids.matrix-syncv3;
            };
            groups = { };
          };
          systemd = {
            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
-            services = {
+            services = { } // (genAttrs [ "mautrix-whatsapp" "mautrix-meta-messenger" "mautrix-meta-instagram" ] (_: {
-              matrix-sliding-sync.serviceConfig = {
+              # ffmpeg needed to convert GIFs to video
-                # Needs to be able to read its secrets
+              path = with pkgs; [ ffmpeg ];
-                DynamicUser = mkForce false;
+            }));
                User = "matrix-syncv3";
                Group = "matrix-syncv3";
              };
            };
          };
          # TODO/FIXME: https://github.com/NixOS/nixpkgs/issues/336052
          nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
          services = {
            netdata.enable = true;
            matrix-synapse = {
@@ -168,18 +176,10 @@ in
                app_service_config_files = [
                  "/var/lib/heisenbridge/registration.yml"
                  config.age.secrets."chatterbox/doublepuppet.yaml".path
                ];
              };
              sliding-sync = {
                enable = true;
                createDatabase = false;
                environmentFile = config.age.secrets."chatterbox/syncv3.env".path;
                settings = {
                  SYNCV3_BINDADDR = "[::]:8009";
                  SYNCV3_SERVER = "http://localhost:8008";
                };
              };
            };
            heisenbridge = {
@@ -195,6 +195,144 @@ in
                ];
              };
            };
            mautrix-whatsapp = {
              enable = true;
              environmentFile = config.age.secrets."chatterbox/mautrix-whatsapp.env".path;
              settings = {
                homeserver = {
                  address = "http://localhost:8008";
                  domain = "nul.ie";
                };
                appservice = {
                  database = {
                    type = "postgres";
                    uri = "$MAU_WAPP_PSQL_URI";
                  };
                  id = "whatsapp2";
                  bot = {
                    username = "whatsapp2";
                    displayname = "WhatsApp Bridge Bot";
                  };
                };
                bridge = {
                  username_template = "wapp2_{{.}}";
                  displayname_template = "{{or .BusinessName .PushName .JID}} (WA)";
                  personal_filtering_spaces = true;
                  delivery_receipts = true;
                  allow_user_invite = true;
                  url_previews = true;
                  command_prefix = "!wa";
                  login_shared_secret_map."nul.ie" = "$MAU_WAPP_DOUBLE_PUPPET_TOKEN";
                  encryption = {
                    allow = true;
                    default = true;
                    require = true;
                  };
                  permissions = {
                    "@dev:nul.ie" = "admin";
                  };
                };
              };
            };
            mautrix-meta.instances = {
              messenger = {
                enable = true;
                registerToSynapse = true;
                dataDir = "mautrix-messenger";
                environmentFile = config.age.secrets."chatterbox/mautrix-messenger.env".path;
                settings = {
                  homeserver = {
                    address = "http://localhost:8008";
                    domain = "nul.ie";
                  };
                  appservice = {
                    database = {
                      type = "postgres";
                      uri = "$MAU_FBM_PSQL_URI";
                    };
                    id = "fbm2";
                    bot = {
                      username = "messenger2";
                      displayname = "Messenger Bridge Bot";
                      avatar = "mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak";
                    };
                  };
                  network = {
                    mode = "messenger";
                    displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (FBM)'';
                  };
                  bridge = {
                    username_template = "fbm2_{{.}}";
                    personal_filtering_spaces = true;
                    delivery_receipts = true;
                    management_room_text.welcome = "Hello, I'm a Messenger bridge bot.";
                    command_prefix = "!fbm";
                    login_shared_secret_map."nul.ie" = "$MAU_FBM_DOUBLE_PUPPET_TOKEN";
                    backfill = {
                      history_fetch_pages = 5;
                    };
                    encryption = {
                      allow = true;
                      default = true;
                      require = true;
                    };
                    permissions = {
                      "@dev:nul.ie" = "admin";
                    };
                  };
                };
              };
              instagram = {
                enable = true;
                registerToSynapse = true;
                dataDir = "mautrix-instagram";
                environmentFile = config.age.secrets."chatterbox/mautrix-instagram.env".path;
                settings = {
                  homeserver = {
                    address = "http://localhost:8008";
                    domain = "nul.ie";
                  };
                  appservice = {
                    database = {
                      type = "postgres";
                      uri = "$MAU_IG_PSQL_URI";
                    };
                    id = "instagram";
                    bot = {
                      username = "instagram";
                      displayname = "Instagram Bridge Bot";
                      avatar = "mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv";
                    };
                  };
                  network = {
                    mode = "instagram";
                    displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (IG)'';
                  };
                  bridge = {
                    username_template = "ig_{{.}}";
                    personal_filtering_spaces = true;
                    delivery_receipts = true;
                    management_room_text.welcome = "Hello, I'm an Instagram bridge bot.";
                    command_prefix = "!ig";
                    login_shared_secret_map."nul.ie" = "$MAU_IG_DOUBLE_PUPPET_TOKEN";
                    backfill = {
                      history_fetch_pages = 5;
                    };
                    encryption = {
                      allow = true;
                      default = true;
                      require = true;
                    };
                    permissions = {
                      "@dev:nul.ie" = "admin";
                    };
                  };
                };
              };
            };
          };
        }
        (mkIf config.my.build.isDevVM {
--- a/nixos/boxes/colony/vms/shill/containers/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/default.nix
@@ -8,5 +8,6 @@
    ./object.nix
    ./toot.nix
    ./waffletail.nix
    ./qclk
  ];
 }
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
@@ -1,6 +1,8 @@
 { lib, ... }:
 let
  inherit (lib) concatStringsSep;
  inherit (lib.my) net;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.colony) domain prefixes;
 in
 {
@@ -35,6 +37,9 @@ in
          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUv1ntVrZv5ripsKpcOAnyDQX2PHjowzyhqWK10Ml53";
            files = {
              "jackflix/photoprism-pass.txt" = {};
            };
          };
        };
@@ -50,10 +55,16 @@ in
              uid = uids.jellyseerr;
              group = "jellyseerr";
            };
            photoprism = {
              isSystemUser = true;
              uid = uids.photoprism;
              group = "photoprism";
            };
          };
          groups = {
            media.gid = 2000;
            jellyseerr.gid = gids.jellyseerr;
            photoprism.gid = gids.photoprism;
          };
        };
@@ -76,9 +87,21 @@ in
              RootDirectoryStartOnly = lib.mkForce false;
              RootDirectory = lib.mkForce "";
            };
            photoprism.serviceConfig = {
              # Needs to be able to access its data
              DynamicUser = mkForce false;
            };
          };
        };
        nixpkgs.config.permittedInsecurePackages = [
          # FIXME: This is needed for Sonarr
          "aspnetcore-runtime-wrapped-6.0.36"
          "aspnetcore-runtime-6.0.36"
          "dotnet-sdk-wrapped-6.0.428"
          "dotnet-sdk-6.0.428"
        ];
        services = {
          netdata.enable = true;
@@ -117,6 +140,24 @@ in
          };
          jellyfin.enable = true;
          photoprism = {
            enable = true;
            address = "[::]";
            port = 2342;
            originalsPath = "/mnt/media/photoprism/originals";
            importPath = "/mnt/media/photoprism/import";
            passwordFile = config.age.secrets."jackflix/photoprism-pass.txt".path;
            settings = {
              PHOTOPRISM_AUTH_MODE = "password";
              PHOTOPRISM_ADMIN_USER = "dev";
              PHOTOPRISM_APP_NAME = "/dev/player0 Photos";
              PHOTOPRISM_SITE_URL = "https://photos.${pubDomain}/";
              PHOTOPRISM_SITE_TITLE = "/dev/player0 Photos";
              PHOTOPRISM_TRUSTED_PROXY = concatStringsSep "," (with prefixes.ctrs; [ v4 v6 ]);
              PHOTOPRISM_DATABASE_DRIVER = "sqlite";
            };
          };
        };
      };
    };
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
@@ -37,7 +37,7 @@ in
                tcp dport ${toString transmissionPeerPort} accept
                iifname vpn return
-                tcp dport { 19999, 9091, 9117, 7878, 8989, 8096 } accept
+                tcp dport { 19999, 9091, 9117, 7878, 8989, 8096, 2342 } accept
                return
              }
              chain input {
@@ -71,14 +71,12 @@ in
              RouteTable = routeTable;
            };
            wireguardPeers = [
              # AirVPN NL
              {
-                # AirVPN NL
+                Endpoint = "2a00:1678:1337:2329:e5f:35d4:4404:ef9f:1637";
-                wireguardPeerConfig = {
+                PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
-                  Endpoint = "2a00:1678:1337:2329:e5f:35d4:4404:ef9f:1637";
+                PresharedKeyFile = config.age.secrets."${pskFile}".path;
-                  PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+                AllowedIPs = [ "0.0.0.0/0" "::/0" ];
                  PresharedKeyFile = config.age.secrets."${pskFile}".path;
                  AllowedIPs = [ "0.0.0.0/0" "::/0" ];
                };
              }
            ];
          };
@@ -94,7 +92,7 @@ in
              matchConfig.Name = "vpn";
              address = [ "10.182.97.37/32" "fd7d:76ee:e68f:a993:735d:ef5e:6907:b122/128" ];
              dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
-              routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
+              routingPolicyRules = [
                {
                  Family = "both";
                  SuppressPrefixLength = 0;
--- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
@@ -239,6 +239,9 @@ in
              ];
              recommendedTlsSettings = true;
              recommendedBrotliSettings = true;
              # Uh so nginx is hanging with zstd enabled... maybe let's not for now
              # recommendedZstdSettings = true;
              clientMaxBodySize = "0";
              serverTokens = true;
              resolver = {
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -2,7 +2,7 @@
 let
  inherit (builtins) mapAttrs toJSON;
  inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;
-  inherit (lib.my.c) pubDomain;
+  inherit (lib.my.c) pubDomain home;
  inherit (lib.my.c.nginx) proxyHeaders;
  inherit (config.networking) domain;
@@ -35,7 +35,6 @@ let
      # For clients
      (mkWellKnown "matrix/client" (toJSON {
        "m.homeserver".base_url = "https://matrix.nul.ie";
        "org.matrix.msc3575.proxy".url = "https://matrix-syncv3.nul.ie";
      }))
    ];
  };
@@ -145,7 +144,7 @@ in
      "pass.${pubDomain}" =
      let
-        upstream = "http://vaultwarden-ctr.${domain}";
+        upstream = "http://vaultwarden-ctr.${domain}:8080";
      in
      {
        locations = {
@@ -182,10 +181,6 @@ in
        ];
        useACMEHost = pubDomain;
      };
      "matrix-syncv3.${pubDomain}" = {
        locations."/".proxyPass = "http://chatterbox-ctr.${domain}:8009";
        useACMEHost = pubDomain;
      };
      "element.${pubDomain}" =
      let
@@ -206,7 +201,8 @@ in
          # Currently it seems like single quotes aren't escaped like they should be...
          conf = {
            brand = "/dev/player0 Matrix";
-            showLabsSettings = true;
+            show_labs_settings = true;
            default_country_code = "IE";
            disable_guests = true;
            default_server_config = {
              "m.homeserver" = {
@@ -214,9 +210,8 @@ in
                server_name = "nul.ie";
              };
            };
-            roomDirectory.servers = [
+            room_directory.servers = [
              "nul.ie"
              "netsoc.ie"
              "matrix.org"
            ];
          };
@@ -364,7 +359,7 @@ in
        useACMEHost = pubDomain;
      };
      "mc-rail.${pubDomain}" = {
-        locations."/".proxyPass = "http://simpcraft-staging-oci.${domain}:3876";
+        locations."/".proxyPass = "http://simpcraft-oci.${domain}:3876";
        useACMEHost = pubDomain;
      };
@@ -384,6 +379,40 @@ in
        };
        useACMEHost = pubDomain;
      };
      "pb.${pubDomain}" = {
        locations."/".proxyPass = "http://object-ctr.${domain}:8088";
        useACMEHost = pubDomain;
      };
      "photos.${pubDomain}" = {
        locations."/" = {
          proxyPass = "http://jackflix-ctr.${domain}:2342";
          proxyWebsockets = true;
          extraConfig = proxyHeaders;
        };
        useACMEHost = pubDomain;
      };
      "pront.${pubDomain}" = mkMerge [
        {
          locations."/" = mkMerge [
            {
              proxyPass = "http://stream-hi.${home.domain}:5000";
              proxyWebsockets = true;
              extraConfig = proxyHeaders;
            }
            (ssoLoc "generic")
          ];
          locations."~* ^/webcam/(.*)" = mkMerge [
            {
              proxyPass = "http://stream-hi.${home.domain}:5050/$1$is_args$args";
              extraConfig = proxyHeaders;
            }
            (ssoLoc "generic")
          ];
          useACMEHost = pubDomain;
        }
        (ssoServer "generic")
      ];
    };
    minio =
@@ -395,10 +424,13 @@ in
        ignore_invalid_headers off;
      '';
-      nixCacheableRegex = ''^\/(\S+\.narinfo|nar\/\S+\.nar\.\S+)$'';
+      nixCacheableRegex = ''^\/(\S+\.narinfo|nar\/\S+\.nar.*|serve\/.+)$'';
      nixCacheHeaders = ''
        add_header Cache-Control $nix_cache_control;
        add_header Expires $nix_expires;
        brotli on;
        brotli_types application/x-nix-archive;
      '';
    in
    {
@@ -440,9 +472,11 @@ in
      "nix-cache.${pubDomain}" = {
        locations = {
-          "/".proxyPass = "http://${host}:8069";
+          "/" = {
            proxyPass = "http://${host}:5000";
          };
          "~ ${nixCacheableRegex}" = {
-            proxyPass = "http://${host}:8069";
+            proxyPass = "http://${host}:5000";
            extraConfig = nixCacheHeaders;
          };
        };
--- a/nixos/boxes/colony/vms/shill/containers/object.nix
+++ b/nixos/boxes/colony/vms/shill/containers/object.nix
@@ -31,6 +31,13 @@ in
    {
      config = mkMerge [
        {
          fileSystems = {
            "/var/lib/harmonia" = {
              device = "/mnt/nix-cache";
              options = [ "bind" ];
            };
          };
          my = {
            deploy.enable = false;
            server.enable = true;
@@ -48,7 +55,9 @@ in
                  group = config.my.user.config.group;
                };
                "object/atticd.env" = {};
                "nix-cache.key" = {};
                "object/hedgedoc.env" = {};
                "object/wastebin.env" = {};
              };
            };
@@ -57,7 +66,9 @@ in
                9000 9001
                config.services.sharry.config.bind.port
                8069
                5000
                config.services.hedgedoc.settings.port
                8088
              ];
            };
@@ -66,14 +77,26 @@ in
            };
          };
-          users = with lib.my.c.ids; let inherit (config.services.atticd) user group; in {
+          users = with lib.my.c.ids; mkMerge [
-            users."${user}" = {
+            (let inherit (config.services.atticd) user group; in {
-              isSystemUser = true;
+              users."${user}" = {
-              uid = uids.atticd;
+                isSystemUser = true;
-              group = group;
+                uid = uids.atticd;
-            };
+                group = group;
-            groups."${user}".gid = gids.atticd;
+              };
-          };
+              groups."${user}".gid = gids.atticd;
            })
            {
              users = {
                harmonia = {
                  shell = pkgs.bashInteractive;
                  openssh.authorizedKeys.keyFiles = [
                    lib.my.c.sshKeyFiles.harmonia
                  ];
                };
              };
            }
          ];
          systemd = {
            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
@@ -91,7 +114,9 @@ in
                  MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie";
                };
              };
              sharry = awaitPostgres;
              atticd = mkMerge [
                awaitPostgres
                {
@@ -102,6 +127,15 @@ in
                  };
                }
              ];
              harmonia = {
                environment.NIX_REMOTE = "/var/lib/harmonia";
                preStart = ''
                  ${config.nix.package}/bin/nix store ping
                '';
                serviceConfig = {
                  StateDirectory = "harmonia";
                };
              };
            };
          };
@@ -181,8 +215,8 @@ in
            };
            atticd = {
-              enable = true;
+              enable = false;
-              credentialsFile = config.age.secrets."object/atticd.env".path;
+              environmentFile = config.age.secrets."object/atticd.env".path;
              settings = {
                listen = "[::]:8069";
                allowed-hosts = [ "nix-cache.${pubDomain}" ];
@@ -201,6 +235,14 @@ in
              };
            };
            harmonia = {
              enable = true;
              signKeyPaths = [ config.age.secrets."nix-cache.key".path ];
              settings = {
                priority = 30;
              };
            };
            hedgedoc = {
              enable = true;
              environmentFile = config.age.secrets."object/hedgedoc.env".path;
@@ -220,6 +262,15 @@ in
                allowEmailRegister = false;
              };
            };
            wastebin = {
              enable = true;
              settings = {
                WASTEBIN_MAX_BODY_SIZE = 67108864; # 16 MiB
                WASTEBIN_PASSWORD_SALT = "TeGhaemeer0Siez3";
              };
              secretFile = config.age.secrets."object/wastebin.env".path;
            };
          };
        }
        (mkIf config.my.build.isDevVM {
--- a/nixos/boxes/colony/vms/shill/containers/qclk/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/qclk/default.nix
@@ -0,0 +1,115 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
  inherit (lib.my.c.colony) domain prefixes qclk;
 in
 {
  nixos.systems.qclk = { config, ... }: {
    system = "x86_64-linux";
    nixpkgs = "mine";
    rendered = config.configuration.config.my.asContainer;
    assignments = {
      internal = {
        name = "qclk-ctr";
        inherit domain;
        ipv4.address = net.cidr.host 10 prefixes.ctrs.v4;
        ipv6 = {
          iid = "::a";
          address = net.cidr.host 10 prefixes.ctrs.v6;
        };
      };
      qclk = {
        ipv4 = {
          address = net.cidr.host 1 prefixes.qclk.v4;
          gateway = null;
        };
      };
    };
    configuration = { lib, pkgs, config, assignments, ... }:
    let
      inherit (lib) concatStringsSep mkMerge mkIf mkForce;
      inherit (lib.my) networkdAssignment;
      apiPort = 8080;
      instances = [
        {
          host = 2;
          wgKey = "D7z1FhcdxpnrGCE0wBW5PZb5BKuhCu6tcZ/5ZaYxdwQ=";
        }
      ];
      ipFor = i: net.cidr.host i.host prefixes.qclk.v4;
    in
    {
      config = {
        environment = {
          systemPackages = with pkgs; [
            wireguard-tools
          ];
        };
        my = {
          deploy.enable = false;
          server.enable = true;
          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1kcfvahYmSk8IJKaUIcGkhxf/8Yse2XnU7Qqgcglyq";
            files = {
              "qclk/wg.key" = {
                group = "systemd-network";
                mode = "440";
              };
            };
          };
          firewall = {
            udp.allowed = [ qclk.wgPort ];
            extraRules = ''
              table inet filter {
                chain input {
                  iifname management tcp dport ${toString apiPort} accept
                }
                chain forward {
                  iifname host0 oifname management ip saddr { ${concatStringsSep ", " lib.my.c.as211024.trusted.v4} } accept
                }
              }
              table inet nat {
                chain postrouting {
                  iifname host0 oifname management snat ip to ${assignments.qclk.ipv4.address}
                }
              }
            '';
          };
        };
        systemd = {
          network = {
            netdevs."30-management" = {
              netdevConfig = {
                Name = "management";
                Kind = "wireguard";
              };
              wireguardConfig = {
                PrivateKeyFile = config.age.secrets."qclk/wg.key".path;
                ListenPort = qclk.wgPort;
              };
              wireguardPeers = map (i: {
                PublicKey = i.wgKey;
                AllowedIPs = [ (ipFor i) ];
              }) instances;
            };
            networks = {
              "30-container-host0" = networkdAssignment "host0" assignments.internal;
              "30-management" = networkdAssignment "management" assignments.qclk;
            };
          };
        };
        services = { };
      };
    };
  };
 }
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -83,7 +83,7 @@ in
                DOMAIN = "https://pass.${lib.my.c.pubDomain}";
                ROCKET_ADDRESS = "::";
-                ROCKET_PORT = 80;
+                ROCKET_PORT = 8080;
                SMTP_HOST = "mail.nul.ie";
                SMTP_FROM = "pass@nul.ie";
@@ -99,6 +99,8 @@ in
            };
            borgbackup.jobs.vaultwarden = {
              readWritePaths = [ "/var/lib/borgbackup" "/var/cache/borgbackup" ];
              paths = [ vwData ];
              repo = "zh2855@zh2855.rsync.net:borg/vaultwarden2";
              doInit = true;
--- a/nixos/boxes/colony/vms/shill/containers/waffletail.nix
+++ b/nixos/boxes/colony/vms/shill/containers/waffletail.nix
@@ -86,7 +86,7 @@ in
            interfaceName = "tailscale0";
            extraUpFlags = [
              "--operator=${config.my.user.config.name}"
-              "--login-server=https://ts.nul.ie"
+              "--login-server=https://hs.nul.ie"
              "--netfilter-mode=off"
              "--advertise-exit-node"
              "--advertise-routes=${advRoutes}"
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -49,7 +49,11 @@ in
        inherit (lib.my) networkdAssignment;
      in
      {
-        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+        imports = [
          "${modulesPath}/profiles/qemu-guest.nix"
          ./containers-ext.nix
        ];
        config = mkMerge [
          {
@@ -90,8 +94,8 @@ in
                device = "/dev/disk/by-label/minio";
                fsType = "xfs";
              };
-              "/mnt/atticd" = {
+              "/mnt/nix-cache" = {
-                device = "/dev/disk/by-label/atticd";
+                device = "/dev/disk/by-label/nix-cache";
                fsType = "ext4";
              };
            };
@@ -136,10 +140,10 @@ in
                    };
                    ipv6Prefixes = [
                      {
-                        ipv6PrefixConfig.Prefix = prefixes.ctrs.v6;
+                        Prefix = prefixes.ctrs.v6;
                      }
                    ];
-                    routes = map (r: { routeConfig = r; }) [
+                    routes = [
                      {
                        Destination = lib.my.c.tailscale.prefix.v4;
                        Gateway = allAssignments.waffletail.internal.ipv4.address;
@@ -148,6 +152,11 @@ in
                        Destination = lib.my.c.tailscale.prefix.v6;
                        Gateway = allAssignments.waffletail.internal.ipv6.address;
                      }
                      {
                        Destination = prefixes.qclk.v4;
                        Gateway = allAssignments.qclk.internal.ipv4.address;
                      }
                    ];
                  }
                ];
@@ -202,11 +211,12 @@ in
                  object = {
                    bindMounts = {
                      "/mnt/minio".readOnly = false;
-                      "/mnt/atticd".readOnly = false;
+                      "/mnt/nix-cache".readOnly = false;
                    };
                  };
                  toot = {};
                  waffletail = {};
                  qclk = {};
                };
              in
              mkMerge [
--- a/nixos/boxes/colony/vms/whale2/default.nix
+++ b/nixos/boxes/colony/vms/whale2/default.nix
@@ -52,6 +52,7 @@ in
      valheim-oci = 2;
      simpcraft-oci = 3;
      simpcraft-staging-oci = 4;
      enshrouded-oci = 5;
    };
    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@@ -66,6 +67,7 @@ in
          ./valheim.nix
          ./minecraft
          # ./enshrouded.nix
        ];
        config = mkMerge [
@@ -108,45 +110,30 @@ in
              oci-containers = {
                backend = "podman";
              };
-              # NixOS has switched to using netavark, which is native to podman. It's currently missing an option to
+              containers.containersConf.settings.network = {
-              # disable iptables rules generation, which is very annoying.
+                network_backend = "netavark";
-              containers.containersConf.settings.network.network_backend = mkForce "cni";
+                firewall_driver = "none";
              };
            };
            environment = {
              etc = {
-                "cni/net.d/90-colony.conflist".text = toJSON {
+                "containers/networks/colony.json".text = toJSON {
                  cniVersion = "0.4.0";
                  name = "colony";
-                  plugins = [
+                  id = "0000000000000000000000000000000000000000000000000000000000000001";
                  driver = "bridge";
                  network_interface = "oci";
                  ipv6_enabled = true;
                  internal = false;
                  dns_enabled = false;
                  subnets = [
                    {
-                      type = "bridge";
+                      subnet = prefixes.oci.v4;
-                      bridge = "oci";
+                      gateway = net.cidr.host 1 prefixes.oci.v4;
-                      isGateway = true;
+                    }
-                      ipMasq = false;
+                    {
-                      hairpinMode = true;
+                      subnet = prefixes.oci.v6;
-                      ipam = {
+                      gateway = net.cidr.host 1 prefixes.oci.v6;
                        type = "host-local";
                        routes = [
                          { dst = "0.0.0.0/0"; }
                          { dst = "::/0"; }
                        ];
                        ranges = [
                          [
                            {
                              subnet = prefixes.oci.v4;
                              gateway = net.cidr.host 1 prefixes.oci.v4;
                            }
                          ]
                          [
                            {
                              subnet = prefixes.oci.v6;
                              gateway = net.cidr.host 1 prefixes.oci.v6;
                            }
                          ]
                        ];
                      };
                      capabilities.ips = true;
                    }
                  ];
                };
--- a/nixos/boxes/colony/vms/whale2/enshrouded.nix
+++ b/nixos/boxes/colony/vms/whale2/enshrouded.nix
@@ -0,0 +1,35 @@
 { lib, config, allAssignments, ... }:
 let
  inherit (lib) concatStringsSep;
  inherit (lib.my) dockerNetAssignment;
 in
 {
  config = {
    virtualisation.oci-containers.containers = {
      enshrouded = {
        image = "sknnr/enshrouded-dedicated-server@sha256:f163e8ba9caa2115d8a0a7b16c3696968242fb6fba82706d9a77a882df083497";
        environment = {
          SERVER_NAME = "UWUshrouded";
          # SERVER_IP = "::"; # no IPv6?? :(
          TZ = "Europe/Dublin";
        };
        environmentFiles = [ config.age.secrets."whale2/enshrouded.env".path ];
        volumes = [
          "enshrouded:/home/steam/enshrouded/savegame"
        ];
        extraOptions = [
          ''--network=colony:${dockerNetAssignment allAssignments "enshrouded-oci"}''
        ];
      };
    };
    my = {
      secrets.files = {
        "whale2/enshrouded.env" = {};
      };
    };
  };
 }
--- a/nixos/boxes/colony/vms/whale2/minecraft/default.nix
+++ b/nixos/boxes/colony/vms/whale2/minecraft/default.nix
@@ -1,4 +1,4 @@
-{ lib, config, allAssignments, ... }:
+{ lib, pkgs, config, allAssignments, ... }:
 let
  inherit (lib) concatStringsSep;
  inherit (lib.my) dockerNetAssignment;
@@ -18,18 +18,27 @@ let
    "d6ec4c91-5da2-44eb-b89d-71dc8fe017a0" # Eefah98
    "096a7348-fabe-4b2d-93fc-fd1fd5608fb0" # ToTheMoonStar
  ];
  fastback = {
    gitConfig = pkgs.writeText "git-config" ''
      [user]
      	email = "simpcraft@nul.ie"
      	name = "Simpcraft bot"
    '';
  };
 in
 {
  config = {
    virtualisation.oci-containers.containers = {
      simpcraft = {
-        image = "ghcr.io/itzg/minecraft-server:2023.12.2-java17-alpine";
+        image = "git.nul.ie/dev/craftblock:2024.1.0-java17-alpine";
        environment = {
          TYPE = "MODRINTH";
          EULA = "true";
          ENABLE_QUERY = "true";
          ENABLE_RCON = "true";
          MOTD = "§4§k----- §9S§ai§bm§cp§dc§er§fa§6f§5t §4§k-----";
          ICON = "/ext/icon.png";
@@ -41,15 +50,17 @@ in
          SPAWN_PROTECTION = "0";
          VIEW_DISTANCE = "20";
-          MAX_MEMORY = "6G";
+          MAX_MEMORY = "8G";
-          MODRINTH_MODPACK = "https://cdn.modrinth.com/data/CIYf3Hk8/versions/cdj2bSKg/Simpcraft-0.1.2.mrpack";
+          MODRINTH_MODPACK = "https://cdn.modrinth.com/data/CIYf3Hk8/versions/NGutsQSd/Simpcraft-0.2.1.mrpack";
          TZ = "Europe/Dublin";
        };
        environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
        volumes = [
          "minecraft_data:/data"
          "${./icon.png}:/ext/icon.png:ro"
          "${fastback.gitConfig}:/data/.config/git/config:ro"
        ];
        extraOptions = [
@@ -57,41 +68,72 @@ in
        ];
      };
-      simpcraft-staging = {
+      # simpcraft-staging = {
-        image = "git.nul.ie/dev/craftblock:2024.1.0-java17-alpine";
+      #   image = "git.nul.ie/dev/craftblock:2024.1.0-java17-alpine";
-        environment = {
+      #   environment = {
-          TYPE = "MODRINTH";
+      #     TYPE = "MODRINTH";
-          EULA = "true";
+      #     EULA = "true";
-          ENABLE_QUERY = "true";
+      #     ENABLE_QUERY = "true";
-          ENABLE_RCON = "true";
+      #     ENABLE_RCON = "true";
-          MOTD = "§4§k----- §9S§ai§bm§cp§dc§er§fa§6f§5t [staging] §4§k-----";
+      #     MOTD = "§4§k----- §9S§ai§bm§cp§dc§er§fa§6f§5t [staging] §4§k-----";
-          ICON = "/ext/icon.png";
+      #     ICON = "/ext/icon.png";
-          EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
+      #     EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
-          WHITELIST = whitelist;
+      #     WHITELIST = whitelist;
-          EXISTING_OPS_FILE = "SYNCHRONIZE";
+      #     EXISTING_OPS_FILE = "SYNCHRONIZE";
-          OPS = op;
+      #     OPS = op;
-          DIFFICULTY = "normal";
+      #     DIFFICULTY = "normal";
-          SPAWN_PROTECTION = "0";
+      #     SPAWN_PROTECTION = "0";
-          VIEW_DISTANCE = "20";
+      #     VIEW_DISTANCE = "20";
-          MAX_MEMORY = "4G";
+      #     MAX_MEMORY = "4G";
-          MODRINTH_MODPACK = "https://cdn.modrinth.com/data/CIYf3Hk8/versions/Ym3sIi6H/Simpcraft-0.2.0.mrpack";
+      #     MODRINTH_MODPACK = "https://cdn.modrinth.com/data/CIYf3Hk8/versions/Ym3sIi6H/Simpcraft-0.2.0.mrpack";
-          TZ = "Europe/Dublin";
+      #     TZ = "Europe/Dublin";
      #   };
      #   environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
      #   volumes = [
      #     "minecraft_staging_data:/data"
      #     "${./icon.png}:/ext/icon.png:ro"
      #   ];
      #   extraOptions = [
      #     ''--network=colony:${dockerNetAssignment allAssignments "simpcraft-staging-oci"}''
      #   ];
      # };
    };
    services = {
      borgbackup.jobs.simpcraft =
      let
        rconCommand = cmd: ''${pkgs.mcrcon}/bin/mcrcon -H simpcraft-oci -p "$RCON_PASSWORD" "${cmd}"'';
      in
      {
        paths = [ "/var/lib/containers/storage/volumes/minecraft_data/_data/world" ];
        repo = "/var/lib/containers/backup/simpcraft";
        doInit = true;
        encryption.mode = "none";
        compression = "zstd,10";
        # every ~15 minutes offset from 5 minute intervals (Minecraft seems to save at precise times?)
        startAt = "*:03,17,33,47";
        prune.keep = {
          within = "12H";
          hourly = 48;
        };
-        environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
+        readWritePaths = [ "/var/lib/borgbackup" "/var/cache/borgbackup" ];
-        volumes = [
+        # Avoid Minecraft poking the files while we back up
-          "minecraft_staging_data:/data"
+        preHook = rconCommand "save-off";
-          "${./icon.png}:/ext/icon.png:ro"
+        postHook = rconCommand "save-on";
-        ];
+      };
    };
-        extraOptions = [
+    systemd = {
-          ''--network=colony:${dockerNetAssignment allAssignments "simpcraft-staging-oci"}''
+      services = {
-        ];
+        borgbackup-job-simpcraft.serviceConfig.EnvironmentFile = [ config.age.secrets."whale2/simpcraft.env".path ];
      };
    };
--- a/nixos/boxes/home/castle/0001-drm-amd-display-fix-flickering-caused-by-S-G-mode.patch
+++ b/nixos/boxes/home/castle/0001-drm-amd-display-fix-flickering-caused-by-S-G-mode.patch
--- a/nixos/boxes/home/castle/default.nix
+++ b/nixos/boxes/home/castle/default.nix
@@ -1,7 +1,8 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
-  inherit (lib.my.c.home) domain vlans prefixes;
+  inherit (lib.my.c) networkd;
  inherit (lib.my.c.home) domain vlans prefixes vips roceBootModules;
 in
 {
  nixos.systems.castle = {
@@ -15,7 +16,7 @@ in
        ipv4 = {
          address = net.cidr.host 40 prefixes.hi.v4;
          mask = 22;
-          gateway = null;
+          gateway = vips.hi.v4;
        };
        ipv6 = {
          iid = "::3:1";
@@ -35,7 +36,7 @@ in
          cpu = {
            amd.updateMicrocode = true;
          };
-          opengl.extraPackages = with pkgs; [
+          graphics.extraPackages = with pkgs; [
            intel-media-driver
          ];
          bluetooth.enable = true;
@@ -47,7 +48,7 @@ in
            timeout = 10;
          };
          kernelPackages = lib.my.c.kernel.latest pkgs;
-          kernelModules = [ "kvm-amd" ];
+          kernelModules = [ "kvm-amd" "dm-snapshot" ];
          kernelParams = [ "amd_iommu=on" "amd_pstate=passive" ];
          kernelPatches = [
            # {
@@ -57,27 +58,40 @@ in
            # }
          ];
          initrd = {
-            availableKernelModules = [ "thunderbolt" "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+            availableKernelModules = [
              "thunderbolt" "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod"
              "8021q"
            ] ++ roceBootModules;
            systemd.network = {
              netdevs = mkVLAN "lan-hi" vlans.hi;
              networks = {
                "10-et100g" = {
                  matchConfig.Name = "et100g";
                  vlan = [ "lan-hi" ];
                  linkConfig.RequiredForOnline = "no";
                  networkConfig = networkd.noL3;
                };
                "20-lan-hi" = networkdAssignment "lan-hi" assignments.hi;
              };
            };
          };
          binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
        };
        fileSystems = {
          "/boot" = {
            device = "/dev/disk/by-partuuid/8ce4248a-3ee4-f44f-801f-064a628b4d6e";
            fsType = "vfat";
          };
          "/nix" = {
-            device = "/dev/disk/by-partuuid/2da23a1d-2daf-d943-b91e-fc175f3dad07";
+            device = "/dev/nvmeof/nix";
            fsType = "ext4";
          };
          "/persist" = {
-            device = "/dev/disk/by-partuuid/f4c80d4f-a022-e941-b5d1-fe2e65e444b9";
+            device = "/dev/nvmeof/persist";
            fsType = "ext4";
            neededForBoot = true;
          };
          "/home" = {
-            device = "/dev/disk/by-partuuid/992a93cf-6c9c-324b-b0ce-f8eb2d1ce10d";
+            device = "/dev/nvmeof/home";
            fsType = "ext4";
          };
        };
@@ -101,6 +115,12 @@ in
            dnssec = "false";
          };
          pipewire.extraConfig.pipewire = {
            "10-buffer"."context.properties" = {
              "default.clock.quantum" = 128;
              "default.clock.max-quantum" = 128;
            };
          };
          blueman.enable = true;
        };
@@ -114,7 +134,7 @@ in
        virtualisation.libvirtd.enable = true;
        networking = {
-          domain = "h.${lib.my.c.pubDomain}";
+          inherit domain;
          firewall.enable = false;
        };
@@ -131,22 +151,17 @@ in
          qperf
          ethtool
        ];
        environment.etc = {
          "pipewire/pipewire.conf.d/sample-size.conf".text = ''
            context.properties = {
              default.clock.quantum = 128
              default.clock.max-quantum = 128
            }
          '';
        };
        nix = {
          gc.automatic = false;
          settings = {
            experimental-features = [ "recursive-nix" ];
            system-features = [ "nixos-test" "benchmark" "big-parallel" "kvm" "recursive-nix" ];
          };
        };
        systemd = {
          network = {
            wait-online.enable = false;
            netdevs = mkMerge [
              (mkVLAN "lan-hi" vlans.hi)
            ];
@@ -163,29 +178,20 @@ in
                matchConfig.PermanentMACAddress = "24:8a:07:a8:fe:3a";
                linkConfig = {
                  Name = "et100g";
-                  MTUBytes = "9000";
+                  MTUBytes = toString lib.my.c.home.hiMTU;
                };
              };
            };
            networks = {
-              "50-lan" = {
+              "30-et100g" = {
                matchConfig.Name = "et2.5g";
                DHCP = "no";
                address = [ "10.16.7.1/16" ];
              };
              "50-et100g" = {
                matchConfig.Name = "et100g";
                vlan = [ "lan-hi" ];
                networkConfig.IPv6AcceptRA = false;
              };
-              "60-lan-hi" = mkMerge [
+              "40-lan-hi" = mkMerge [
                (networkdAssignment "lan-hi" assignments.hi)
-                {
+                # So we don't drop the IP we use to connect to NVMe-oF!
-                  DHCP = "yes";
+                { networkConfig.KeepConfiguration = "static"; }
                  matchConfig.Name = "lan-hi";
                  linkConfig.MTUBytes = "9000";
                }
              ];
            };
          };
@@ -205,10 +211,7 @@ in
                packages = with pkgs; [
                  jacktrip
                  qpwgraph
-                  # TODO: seems to be borked (infinite recursion???)
+                  boardie
                  # (writeShellScriptBin "boardie" ''
                  #   exec pw-jack ${boardie}/bin/boardie "$@"
                  # '')
                ];
              };
@@ -222,6 +225,7 @@ in
                    HDMI-A-1 = {
                      transform = "270";
                      position = "0 0";
                      bg = "${./his-team-player.jpg} fill";
                    };
                    DP-1 = {
                      mode = "2560x1440@170Hz";
@@ -243,11 +247,19 @@ in
          };
          #deploy.generate.system.mode = "boot";
          deploy.node.hostname = "castle.box.${config.networking.domain}";
          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlVuTzKObeaUuPocCF41IO/8X+443lzUJLuCIclt2vr";
          };
-          nvme.uuid = "2230b066-a674-4f45-a1dc-f7727b3a9e7b";
+          netboot.client = {
            enable = true;
          };
          nvme = {
            uuid = "2230b066-a674-4f45-a1dc-f7727b3a9e7b";
            boot = {
              nqn = "nqn.2016-06.io.spdk:castle";
              address = "192.168.68.80";
            };
          };
          firewall = {
            enable = false;
--- a/nixos/boxes/home/castle/his-team-player.jpg
+++ b/nixos/boxes/home/castle/his-team-player.jpg
--- a/nixos/boxes/home/palace/default.nix
+++ b/nixos/boxes/home/palace/default.nix
@@ -94,7 +94,7 @@ in
            extraOptions = [ "-A /var/log/smartd/" "--interval=600" ];
          };
          udev.extraRules = ''
-            ACTION=="add", SUBSYSTEM=="net", ENV{ID_NET_DRIVER}=="mlx5_core", ENV{ID_PATH}=="pci-0000:44:00.0", ATTR{device/sriov_numvfs}="3"
+            ACTION=="add", SUBSYSTEM=="net", ENV{ID_NET_DRIVER}=="mlx5_core", ENV{ID_PATH}=="pci-0000:44:00.0", ATTR{device/sriov_numvfs}="4"
          '';
        };
@@ -188,6 +188,13 @@ in
                  VLANId=${toString vlans.hi}
                  LinkState=yes
                  MACAddress=52:54:00:ac:15:a9
                  # sfh bridge
                  [SR-IOV]
                  VirtualFunction=3
                  VLANId=${toString vlans.hi}
                  LinkState=yes
                  MACAddress=52:54:00:90:34:95
                '';
              };
              "60-lan-hi" = networkdAssignment "lan-hi" assignments.hi;
--- a/nixos/boxes/home/palace/vms/cellar/default.nix
+++ b/nixos/boxes/home/palace/vms/cellar/default.nix
@@ -66,6 +66,7 @@ in
            ];
            services = {
              fstrim.enable = true;
              netdata.enable = true;
            };
--- a/nixos/boxes/home/palace/vms/cellar/spdk.nix
+++ b/nixos/boxes/home/palace/vms/cellar/spdk.nix
@@ -129,6 +129,12 @@ in
            hostnqn =
              "nqn.2014-08.org.nvmexpress:uuid:2230b066-a674-4f45-a1dc-f7727b3a9e7b";
            serial = "SPDK00000000000002";
          }) ++ (nvmfBdev {
            bdev = "NVMeRaidp3";
            nqn = "nqn.2016-06.io.spdk:sfh";
            hostnqn =
              "nqn.2014-08.org.nvmexpress:uuid:85d7df36-0de0-431b-b06e-51f7c0a455b4";
            serial = "SPDK00000000000003";
          });
        };
      };
--- a/nixos/boxes/home/palace/vms/default.nix
+++ b/nixos/boxes/home/palace/vms/default.nix
@@ -2,6 +2,7 @@
  imports = [
    ./cellar
    ./river.nix
    ./sfh
  ];
  nixos.systems.palace.configuration = { lib, pkgs, config, systems, allAssignments, ... }:
@@ -57,11 +58,11 @@
    systemd.services =
    let
-      awaitCellar = {
+      awaitVM = system: {
-        after = [ "vm@cellar.service" ];
+        after = [ "vm@${system}.service" ];
-        bindsTo = [ "vm@cellar.service" ];
+        bindsTo = [ "vm@${system}.service" ];
        preStart = ''
-          until ${pkgs.netcat}/bin/nc -w1 -z ${allAssignments.cellar.hi.ipv4.address} 22; do
+          until ${pkgs.netcat}/bin/nc -w1 -z ${allAssignments.${system}.hi.ipv4.address} 22; do
            sleep 1
          done
        '';
@@ -81,13 +82,13 @@
        vtapUnit = "sys-subsystem-net-devices-vm\\x2det1g0.device";
      in
      mkMerge [
-        awaitCellar
+        (awaitVM "cellar")
        {
          requires = [ vtapUnit ];
          after = [ vtapUnit ];
        }
      ];
-      "vm@sfh" = awaitCellar;
+      "vm@sfh" = (awaitVM "river");
    };
    my = {
@@ -182,6 +183,10 @@
                index = 0;
                hostBDF = "44:00.3";
              };
              et100g0vf3 = {
                index = 1;
                hostBDF = "44:00.4";
              };
            };
          };
        };
--- a/nixos/boxes/home/palace/vms/river.nix
+++ b/nixos/boxes/home/palace/vms/river.nix
@@ -10,18 +10,7 @@
    let
      inherit (lib.my) networkdAssignment mkVLAN;
      inherit (lib.my.c) networkd;
-      inherit (lib.my.c.home) vlans;
+      inherit (lib.my.c.home) vlans domain prefixes roceBootModules;
      lanLink = {
        matchConfig = {
          Driver = "mlx5_core";
          PermanentMACAddress = "52:54:00:8a:8a:f2";
        };
        linkConfig = {
          Name = "lan";
          MTUBytes = toString lib.my.c.home.hiMTU;
        };
      };
    in
    {
      imports = [
@@ -30,29 +19,17 @@
      config = {
        boot = {
-          kernelModules = [ "kvm-intel" ];
+          kernelModules = [ "kvm-amd" ];
          kernelParams = [ "console=ttyS0,115200n8" ];
          initrd = {
            availableKernelModules = [
              "virtio_pci" "ahci" "sr_mod" "virtio_blk"
-              "ib_core" "ib_uverbs" "mlx5_core" "mlx5_ib" "8021q"
+              "8021q"
-              "rdma_cm" "iw_cm" "ib_cm" "nvme_core" "nvme_rdma"
+            ] ++ roceBootModules;
-            ];
+            kernelModules = [ "dm-snapshot" ];
            kernelModules = [ "dm-snapshot" "nvme-fabrics" ];
            systemd = {
              extraBin = with pkgs; {
                dmesg = "${util-linux}/bin/dmesg";
                ip = "${iproute2}/bin/ip";
              };
              extraConfig = ''
                DefaultTimeoutStartSec=50
                DefaultDeviceTimeoutSec=50
              '';
              network = {
-                enable = true;
+                # Don't need to put the link config here, they're copied from main config
                wait-online.enable = true;
                links."10-lan" = lanLink;
                netdevs = mkVLAN "lan-hi" vlans.hi;
                networks = {
                  "20-lan" = {
@@ -70,9 +47,6 @@
        hardware = {
          enableRedistributableFirmware = true;
          cpu = {
            intel.updateMicrocode = true;
          };
        };
        fileSystems = {
@@ -96,6 +70,7 @@
            boot.thin.enable = true;
            dmeventd.enable = true;
          };
          fstrim.enable = true;
        };
        systemd.network = {
@@ -114,7 +89,16 @@
              };
            };
-            "10-lan" = lanLink;
+            "10-lan" = {
              matchConfig = {
                Driver = "mlx5_core";
                PermanentMACAddress = "52:54:00:8a:8a:f2";
              };
              linkConfig = {
                Name = "lan";
                MTUBytes = toString lib.my.c.home.hiMTU;
              };
            };
          };
          # So we don't drop the IP we use to connect to NVMe-oF!
@@ -134,6 +118,14 @@
            };
          };
          netboot.server = {
            enable = true;
            ip = assignments.lo.ipv4.address;
            host = "boot.${domain}";
            allowedPrefixes = with prefixes; [ hi.v4 hi.v6 lo.v4 lo.v6 ];
            instances = [ "sfh" "castle" ];
          };
          deploy.node.hostname = "192.168.68.1";
        };
      };
--- a/nixos/boxes/home/palace/vms/sfh/containers/default.nix
+++ b/nixos/boxes/home/palace/vms/sfh/containers/default.nix
@@ -0,0 +1,5 @@
 {
  imports = [
    ./unifi.nix
  ];
 }
--- a/nixos/boxes/home/palace/vms/sfh/containers/unifi.nix
+++ b/nixos/boxes/home/palace/vms/sfh/containers/unifi.nix
@@ -0,0 +1,65 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
  inherit (lib.my.c.home) domain prefixes vips hiMTU;
 in
 {
  nixos.systems.unifi = { config, ... }: {
    system = "x86_64-linux";
    nixpkgs = "mine";
    rendered = config.configuration.config.my.asContainer;
    assignments = {
      hi = {
        name = "unifi-ctr";
        inherit domain;
        mtu = hiMTU;
        ipv4 = {
          address = net.cidr.host 100 prefixes.hi.v4;
          mask = 22;
          gateway = vips.hi.v4;
        };
        ipv6 = {
          iid = "::5:1";
          address = net.cidr.host (65536*5+1) prefixes.hi.v6;
        };
      };
    };
    configuration = { lib, config, pkgs, assignments, ... }:
    let
      inherit (lib) mkMerge mkIf mkForce;
      inherit (lib.my) networkdAssignment;
    in
    {
      config = {
        my = {
          deploy.enable = false;
          server.enable = true;
          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdgcziQki/RH7E+NH2bYnzSVKaJ27905Yo5TcOjSh/U";
            files = { };
          };
          firewall = {
            tcp.allowed = [ 8443 ];
          };
        };
        systemd = {
          network.networks."80-container-host0" = networkdAssignment "host0" assignments.hi;
        };
        services = {
          unifi = {
            enable = true;
            openFirewall = true;
            unifiPackage = pkgs.unifi8;
            mongodbPackage = pkgs.mongodb-6_0;
          };
        };
      };
    };
  };
 }
--- a/nixos/boxes/home/palace/vms/sfh/default.nix
+++ b/nixos/boxes/home/palace/vms/sfh/default.nix
@@ -0,0 +1,157 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
  inherit (lib.my.c.home) domain prefixes vips hiMTU roceBootModules;
 in
 {
  imports = [ ./containers ];
  config.nixos.systems.sfh = {
    system = "x86_64-linux";
    nixpkgs = "mine";
    home-manager = "mine";
    assignments = {
      hi = {
        inherit domain;
        mtu = hiMTU;
        ipv4 = {
          address = net.cidr.host 81 prefixes.hi.v4;
          mask = 22;
          gateway = vips.hi.v4;
        };
        ipv6 = {
          iid = "::4:2";
          address = net.cidr.host (65536*4+2) prefixes.hi.v6;
        };
      };
    };
    configuration = { lib, modulesPath, pkgs, config, assignments, allAssignments, ... }:
    let
      inherit (lib) mapAttrs mkMerge;
      inherit (lib.my) networkdAssignment;
      inherit (lib.my.c) networkd;
      inherit (lib.my.c.home) domain;
    in
    {
      imports = [
        "${modulesPath}/profiles/qemu-guest.nix"
      ];
      config = {
        boot = {
          kernelModules = [ "kvm-amd" ];
          kernelParams = [ "console=ttyS0,115200n8" ];
          initrd = {
            availableKernelModules = [
              "virtio_pci" "ahci" "sr_mod" "virtio_blk"
            ] ++ roceBootModules;
            kernelModules = [ "dm-snapshot" ];
            systemd = {
              network = {
                networks = {
                  "20-lan-hi" = networkdAssignment "lan-hi" assignments.hi;
                };
              };
            };
          };
        };
        hardware = {
          enableRedistributableFirmware = true;
        };
        fileSystems = {
          "/nix" = {
            device = "/dev/main/nix";
            fsType = "ext4";
          };
          "/persist" = {
            device = "/dev/main/persist";
            fsType = "ext4";
            neededForBoot = true;
          };
        };
        networking = { inherit domain; };
        services = {
          lvm = {
            boot.thin.enable = true;
            dmeventd.enable = true;
          };
        };
        systemd.network = {
          links = {
            "10-lan-hi" = {
              matchConfig = {
                Driver = "mlx5_core";
                PermanentMACAddress = "52:54:00:ac:15:a9";
              };
              linkConfig = {
                Name = "lan-hi";
                MTUBytes = toString lib.my.c.home.hiMTU;
              };
            };
            "10-lan-hi-ctrs" = {
              matchConfig = {
                Driver = "mlx5_core";
                PermanentMACAddress = "52:54:00:90:34:95";
              };
              linkConfig = {
                Name = "lan-hi-ctrs";
                MTUBytes = toString lib.my.c.home.hiMTU;
              };
            };
          };
          networks = {
            "30-lan-hi" = mkMerge [
              (networkdAssignment "lan-hi" assignments.hi)
              # So we don't drop the IP we use to connect to NVMe-oF!
              { networkConfig.KeepConfiguration = "static"; }
            ];
            "30-lan-hi-ctrs" = {
              matchConfig.Name = "lan-hi-ctrs";
              linkConfig.RequiredForOnline = "no";
              networkConfig = networkd.noL3;
            };
          };
        };
        my = {
          secrets = {
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAaav5Se1E/AbqEXmADryVszYfNDscyP6jrWioN57R7";
          };
          server.enable = true;
          netboot.client = {
            enable = true;
          };
          nvme = {
            uuid = "85d7df36-0de0-431b-b06e-51f7c0a455b4";
            boot = {
              nqn = "nqn.2016-06.io.spdk:sfh";
              address = "192.168.68.80";
            };
          };
          containers.instances =
          let
            instances = {
              unifi = {};
            };
          in
          mkMerge [
            instances
            (mapAttrs (n: i: {
              networking.macVLAN = "lan-hi-ctrs";
            }) instances)
          ];
        };
      };
    };
  };
 }
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -148,19 +148,33 @@ in
                };
              };
            };
            nginx.enable = true;
          };
-          networking.domain = "h.${pubDomain}";
+          networking = { inherit domain; };
-          systemd.services = {
+          systemd.services =
-            ipsec =
+          let
-            let
+            waitOnline = "systemd-networkd-wait-online@wan.service";
-              waitOnline = "systemd-networkd-wait-online@wan.service";
+          in
-            in
+          {
-            {
+            ipsec = {
              after = [ waitOnline ];
              requires = [ waitOnline ];
            };
            ipv6-clear-default-route = {
              description = "Clear IPv6 RA default route";
              after = [ waitOnline ];
              requires = [ waitOnline ];
              script = ''
                # Seems like we can sometimes pick up a default route somehow...
                ${pkgs.iproute2}/bin/ip -6 route del default via fe80::1 || true
              '';
              serviceConfig.Type = "oneshot";
              wantedBy = [ "multi-user.target" ];
            };
          };
          systemd.network = {
@@ -213,8 +227,8 @@ in
                  networkConfig = networkd.noL3;
                  extraConfig = ''
                    [CAKE]
-                    Bandwidth=235M
+                    Bandwidth=490M
-                    RTTSec=10ms
+                    RTTSec=50ms
                    PriorityQueueingPreset=besteffort
                    # DOCSIS preset
                    OverheadBytes=18
@@ -237,8 +251,8 @@ in
                    extraConfig = ''
                      [CAKE]
                      Parent=root
-                      Bandwidth=24M
+                      Bandwidth=48M
-                      RTTSec=1ms
+                      RTTSec=50ms
                    '';
                  }
                ];
@@ -262,7 +276,7 @@ in
                  {
                    matchConfig.Name = "as211024";
                    networkConfig.IPv6AcceptRA = mkForce false;
-                    routes = map (r: { routeConfig = r; }) [
+                    routes = [
                      {
                        Destination = lib.my.c.colony.prefixes.all.v4;
                        Gateway = allAssignments.estuary.as211024.ipv4.address;
@@ -287,7 +301,7 @@ in
              {
                "60-lan-hi" = {
-                  routes = map (r: { routeConfig = r; }) [
+                  routes = [
                    {
                      Destination = elemAt routersPubV4 otherIndex;
                      Gateway = net.cidr.host (otherIndex + 1) prefixes.hi.v4;
@@ -358,6 +372,16 @@ in
                    return
                  }
                  chain forward-early {
                    type filter hook forward priority -1; policy accept;
                    # MSS clamping to workaround IPv6 PMTUD being broken...
                    tcp flags syn tcp option maxseg size set rt mtu counter
                    # More Disney+ discrimination...
                    # TODO: This prefix could change (random AWS block)
                    ip6 daddr 2600:9000:2245::/48 drop
                  }
                  chain forward {
                    ${lib.my.c.as211024.nftTrust}
                    iifname lan-untrusted jump filter-untrusted
--- a/nixos/boxes/home/routing-common/dns.nix
+++ b/nixos/boxes/home/routing-common/dns.nix
@@ -61,6 +61,19 @@ in
          webserver = true;
          webserver-address = "::";
          webserver-allow-from = [ "127.0.0.1" "::1" ];
          lua-dns-script = pkgs.writeText "pdns-script.lua" ''
            -- Disney+ doesn't like our IP space...
            function preresolve(dq)
              local name = dq.qname:toString()
              if dq.qtype == pdns.AAAA and (string.find(name, "disneyplus") or string.find(name, "disney-plus") or string.find(name , "disney.api")) then
                dq.rcode = 0
                return true
              end
              return false
            end
          '';
        };
      };
    };
@@ -157,8 +170,9 @@ in
              hostname = "${otherName}.${config.networking.domain}";
              server = net.cidr.host (otherIndex + 1) prefixes.hi.v4;
            }}
-            ${elemAt routers 0} IN AAAA ${net.cidr.host 1 prefixes.hi.v6}
+            ${elemAt routers 0} IN AAAA ${allAssignments."${elemAt routers 0}".as211024.ipv6.address}
-            ${elemAt routers 1} IN AAAA ${net.cidr.host 2 prefixes.hi.v6}
+            ${elemAt routers 1} IN AAAA ${allAssignments."${elemAt routers 1}".as211024.ipv6.address}
            boot IN CNAME river-hi.${config.networking.domain}.
            @ IN NS ns1
            @ IN NS ns2
@@ -182,8 +196,10 @@ in
            dave-lo IN A ${net.cidr.host 11 prefixes.lo.v4}
            dave-lo IN AAAA ${net.cidr.host (65536+2) prefixes.lo.v6}
-            ;ap0 IN A ${net.cidr.host 12 prefixes.hi.v4}
+            shytzel IN A ${net.cidr.host 12 prefixes.core.v4}
-            ;ap0 IN AAAA ${net.cidr.host (65536+3) prefixes.hi.v6}
+
            wave IN A ${net.cidr.host 12 prefixes.hi.v4}
            ; wave IN AAAA ${net.cidr.host (65536+3) prefixes.hi.v6}
            vibe IN A ${net.cidr.host 13 prefixes.hi.v4}
            vibe IN AAAA ${net.cidr.host (65536+4) prefixes.hi.v6}
--- a/nixos/boxes/home/routing-common/kea.nix
+++ b/nixos/boxes/home/routing-common/kea.nix
@@ -1,7 +1,7 @@
-index: { lib, pkgs, assignments, ... }:
+index: { lib, pkgs, config, assignments, allAssignments, ... }:
 let
  inherit (lib) mkForce;
-  inherit (lib.my) net;
+  inherit (lib.my) net netbootKeaClientClasses;
  inherit (lib.my.c.home) domain prefixes vips hiMTU;
  dns-servers = [
@@ -26,7 +26,11 @@ in
  };
  systemd.services = {
-    kea-dhcp4-server.serviceConfig.DynamicUser = mkForce false;
+    kea-dhcp4-server.serviceConfig = {
      # Sometimes interfaces might not be ready in time and Kea doesn't like that
      Restart = "on-failure";
      DynamicUser = mkForce false;
    };
    kea-dhcp-ddns-server.serviceConfig.DynamicUser = mkForce false;
  };
@@ -59,6 +63,14 @@ in
              always-send = true;
            }
          ];
          client-classes = netbootKeaClientClasses {
            tftpIP = allAssignments.river.lo.ipv4.address;
            hostname = "boot.${domain}";
            systems = {
              sfh = "52:54:00:a5:7e:93";
              castle = "c8:7f:54:6e:17:0f";
            };
          };
          subnet4 = [
            {
              id = 1;
--- a/nixos/boxes/home/routing-common/keepalived.nix
+++ b/nixos/boxes/home/routing-common/keepalived.nix
@@ -1,52 +1,83 @@
 index: { lib, pkgs, config, ... }:
 let
-  inherit (builtins) attrNames concatMap;
+  inherit (builtins) attrNames concatMap length;
-  inherit (lib) optional;
+  inherit (lib) optional concatMapStringsSep;
  inherit (lib.my) net;
  inherit (lib.my.c.home) prefixes vips;
  pingScriptFor = name: ips:
  let
    script' = pkgs.writeShellScript
      "keepalived-ping-${name}"
      (concatMapStringsSep " || " (ip: "${pkgs.iputils}/bin/ping -qnc 1 -W 1 ${ip}") ips);
  in
  {
    script = toString script';
    interval = 1;
    timeout = (length ips) + 1;
    rise = 3;
    fall = 3;
  };
  vlanIface = vlan: if vlan == "as211024" then vlan else "lan-${vlan}";
-  vrrpIPs = family: concatMap (vlan: [
+  vrrpIPs = family: concatMap (vlan: (optional (family == "v6") {
      addr = "fe80::1/64";
      dev = vlanIface vlan;
    }) ++ [
    {
      addr = "${vips.${vlan}.${family}}/${toString (net.cidr.length prefixes.${vlan}.${family})}";
      dev = vlanIface vlan;
    }
-  ] ++ (optional (family == "v6") {
+  ]) (attrNames vips);
    addr = "fe80::1/64";
    dev = vlanIface vlan;
  })) (attrNames vips);
  mkVRRP = family: routerId: {
    state = if index == 0 then "MASTER" else "BACKUP";
    interface = "lan-core";
    priority = 255 - index;
    virtualRouterId = routerId;
    virtualIps = vrrpIPs family;
-    extraConfig = ''
+    trackScripts = [ "${family}Alive" ];
      notify_master "${config.systemd.package}/bin/systemctl start radvd.service"
      notify_backup "${config.systemd.package}/bin/systemctl stop radvd.service"
    '';
  };
 in
 {
  users = with lib.my.c.ids; {
    users.keepalived_script = {
      uid = uids.keepalived_script;
      isSystemUser = true;
      group = "keepalived_script";
    };
    groups.keepalived_script.gid = gids.keepalived_script;
  };
  services = {
    keepalived = {
      enable = true;
      enableScriptSecurity = true;
      extraGlobalDefs = ''
        vrrp_version 3
        nftables keepalived
      '';
      vrrpScripts = {
        v4Alive = pingScriptFor "v4" [ "1.1.1.1" "8.8.8.8" "216.218.236.2" ];
        v6Alive = pingScriptFor "v6" [ "2606:4700:4700::1111" "2001:4860:4860::8888" "2600::" ];
      };
      vrrpInstances = {
        v4 = mkVRRP "v4" 51;
-        v6 = mkVRRP "v6" 52;
+        v6 = (mkVRRP "v6" 52) // {
          extraConfig = ''
            notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root
            notify_backup "${config.systemd.package}/bin/systemctl stop radvd.service" root
          '';
        };
      };
-      extraConfig = ''
+      # Actually disable this for now, don't want to fault IPv4 just because IPv6 is broken...
-        vrrp_sync_group main {
+      # extraConfig = ''
-          group {
+      #   vrrp_sync_group main {
-            v4
+      #     group {
-            v6
+      #       v4
-          }
+      #       v6
-        }
+      #     }
-      '';
+      #   }
      # '';
    };
  };
 }
--- a/nixos/boxes/home/stream.nix
+++ b/nixos/boxes/home/stream.nix
@@ -43,6 +43,38 @@
          };
        };
        services = {
          mjpg-streamer = {
            enable = true;
            inputPlugin = "input_uvc.so";
            outputPlugin = "output_http.so -w @www@ -n -p 5050";
          };
          octoprint = {
            enable = true;
            host = "::";
            extraConfig = {
              plugins = {
                classicwebcam = {
                  snapshot = "/webcam/?action=snapshot";
                  stream = "/webcam/?action=stream";
                  streamRatio = "4:3";
                };
              };
              serial = {
                port = "/dev/ttyACM0";
                baudrate = 115200;
              };
              temperature.profiles = [
                {
                  bed = 60;
                  extruder = 215;
                  name = "PLA";
                }
              ];
            };
          };
        };
        systemd.network = {
          netdevs = {
            "25-lan" = {
@@ -123,7 +155,7 @@
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPYTB4zeAqotrEJ8M+AiGm/s9PFsWlAodz3hYSROGuDb";
          };
          server.enable = true;
-          deploy.node.hostname = "192.168.68.2";
+          # deploy.node.hostname = "192.168.68.2";
        };
      };
    };
--- a/nixos/boxes/kelder/containers/acquisition/default.nix
+++ b/nixos/boxes/kelder/containers/acquisition/default.nix
@@ -26,7 +26,7 @@ in
      config = {
        # Hardware acceleration for Jellyfin
-        hardware.opengl = {
+        hardware.graphics = {
          enable = true;
          extraPackages = with pkgs; [
            vaapiIntel
@@ -65,13 +65,27 @@ in
        systemd = {
          services = {
            jackett.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
            transmission.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
            # https://github.com/NixOS/nixpkgs/issues/258793#issuecomment-1748168206
            transmission.serviceConfig = {
              RootDirectoryStartOnly = lib.mkForce false;
              RootDirectory = lib.mkForce "";
            };
            radarr.serviceConfig.UMask = "0002";
            sonarr.serviceConfig.UMask = "0002";
          };
        };
        nixpkgs.config.permittedInsecurePackages = [
          # FIXME: This is needed for Sonarr
          "aspnetcore-runtime-wrapped-6.0.36"
          "aspnetcore-runtime-6.0.36"
          "dotnet-sdk-wrapped-6.0.428"
          "dotnet-sdk-6.0.428"
        ];
        services = {
          transmission = {
            enable = true;
--- a/nixos/boxes/kelder/containers/acquisition/networking.nix
+++ b/nixos/boxes/kelder/containers/acquisition/networking.nix
@@ -2,6 +2,7 @@
 let
  inherit (lib) mkMerge mkIf;
  inherit (lib.my) networkdAssignment;
  inherit (lib.my.c.kelder) ipv4MTU;
  wg = {
    keyFile = "kelder/acquisition/airvpn-privkey";
@@ -72,14 +73,12 @@ in
              RouteTable = routeTable;
            };
            wireguardPeers = [
              # AirVPN IE
              {
-                # AirVPN IE
+                Endpoint = "146.70.94.2:1637";
-                wireguardPeerConfig = {
+                PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
-                  Endpoint = "146.70.94.2:1637";
+                PresharedKeyFile = config.age.secrets."${pskFile}".path;
-                  PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+                AllowedIPs = [ "0.0.0.0/0" "::/0" ];
                  PresharedKeyFile = config.age.secrets."${pskFile}".path;
                  AllowedIPs = [ "0.0.0.0/0" "::/0" ];
                };
              }
            ];
          };
@@ -89,13 +88,14 @@ in
              (networkdAssignment "host0" assignments.internal)
              {
                networkConfig.DNSDefaultRoute = false;
                linkConfig.MTUBytes = toString ipv4MTU;
              }
            ];
            "90-vpn" = with wg; {
              matchConfig.Name = "vpn";
              address = [ "10.161.170.28/32" "fd7d:76ee:e68f:a993:b12d:6d15:c80a:9516/128" ];
              dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
-              routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
+              routingPolicyRules = [
                {
                  Family = "both";
                  SuppressPrefixLength = 0;
--- a/nixos/boxes/kelder/containers/spoder/default.nix
+++ b/nixos/boxes/kelder/containers/spoder/default.nix
@@ -92,17 +92,17 @@ in
          nextcloud = {
            enable = true;
-            package = pkgs.nextcloud28;
+            package = pkgs.nextcloud29;
            datadir = "/mnt/storage/nextcloud";
            hostName = "cloud.${domain}";
            https = true;
            config = {
              extraTrustedDomains = [ "cloud-local.${domain}" ];
              adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
              defaultPhoneRegion = "IE";
            };
-            extraOptions = {
+            settings = {
              updatechecker = false;
              trusted_domains = [ "cloud-local.${domain}" ];
              default_phone_region = "IE";
            };
          };
        };
--- a/nixos/boxes/kelder/containers/spoder/nginx.nix
+++ b/nixos/boxes/kelder/containers/spoder/nginx.nix
@@ -84,6 +84,7 @@ in
            c
          ];
          acquisition = "http://${allAssignments.kelder-acquisition.internal.ipv4.address}";
          # This is kinda borked because Virgin Media filters DNS responses with local IPs...
          localRedirect = to: ''
            rewrite_by_lua_block {
              if ngx.var.remote_addr == pub_ip then
@@ -103,7 +104,7 @@ in
            "monitor.${domain}" = withAuth {
              serverAliases = [ "monitor-local.${domain}" ];
-              extraConfig = localRedirect "monitor-local.${domain}";
+              # extraConfig = localRedirect "monitor-local.${domain}";
              locations = {
                "/" = {
                  proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999";
@@ -136,17 +137,17 @@ in
            };
            "torrents.${domain}" = withAuth {
              serverAliases = [ "torrents-local.${domain}" ];
-              extraConfig = localRedirect "torrents-local.${domain}";
+              # extraConfig = localRedirect "torrents-local.${domain}";
              locations."/".proxyPass = "${acquisition}:9091";
            };
            "jackett.${domain}" = withAuth {
              serverAliases = [ "jackett-local.${domain}" ];
-              extraConfig = localRedirect "jackett-local.${domain}";
+              # extraConfig = localRedirect "jackett-local.${domain}";
              locations."/".proxyPass = "${acquisition}:9117";
            };
            "radarr.${domain}" = withAuth {
              serverAliases = [ "radarr-local.${domain}" ];
-              extraConfig = localRedirect "radarr-local.${domain}";
+              # extraConfig = localRedirect "radarr-local.${domain}";
              locations."/" = {
                proxyPass = "${acquisition}:7878";
                proxyWebsockets = true;
@@ -155,7 +156,7 @@ in
            };
            "sonarr.${domain}" = withAuth {
              serverAliases = [ "sonarr-local.${domain}" ];
-              extraConfig = localRedirect "sonarr-local.${domain}";
+              # extraConfig = localRedirect "sonarr-local.${domain}";
              locations."/" = {
                proxyPass = "${acquisition}:8989";
                proxyWebsockets = true;
--- a/nixos/boxes/kelder/default.nix
+++ b/nixos/boxes/kelder/default.nix
@@ -1,7 +1,7 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
-  inherit (lib.my.c.kelder) domain prefixes;
+  inherit (lib.my.c.kelder) domain prefixes ipv4MTU;
 in
 {
  imports = [ ./containers ];
@@ -121,8 +121,7 @@ in
            samba = {
              enable = true;
-              enableNmbd = true;
+              settings = {
              shares = {
                storage = {
                  path = "/mnt/storage";
                  browseable = "yes";
@@ -131,6 +130,8 @@ in
                  "directory mask" = "0775";
                };
              };
              nmbd.enable = true;
            };
            samba-wsdd.enable = true;
@@ -180,12 +181,10 @@ in
                  };
                  wireguardPeers = [
                    {
-                      wireguardPeerConfig = {
+                      PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
-                        PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
+                      Endpoint = "${allAssignments.estuary.internal.ipv4.address}:${toString lib.my.c.kelder.vpn.port}";
-                        Endpoint = "estuary-vm.${lib.my.c.colony.domain}:${toString lib.my.c.kelder.vpn.port}";
+                      AllowedIPs = [ "0.0.0.0/0" ];
-                        AllowedIPs = [ "0.0.0.0/0" ];
+                      PersistentKeepalive = 25;
                        PersistentKeepalive = 25;
                      };
                    }
                  ];
                };
@@ -200,6 +199,7 @@ in
                "50-lan" = {
                  matchConfig.Name = "et1g0";
                  DHCP = "yes";
                  linkConfig.MTUBytes = toString ipv4MTU;
                };
                "80-ctrs" = mkMerge [
                  (networkdAssignment "ctrs" assignments.ctrs)
@@ -212,7 +212,7 @@ in
                  address = with assignments.estuary; [
                    (with ipv4; "${address}/${toString mask}")
                  ];
-                  routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
+                  routingPolicyRules = [
                    {
                      Family = "both";
                      SuppressPrefixLength = 0;
@@ -272,7 +272,7 @@ in
              config.name = "kontent";
            };
-            #deploy.node.hostname = "10.16.9.21";
+            # deploy.node.hostname = "192.168.0.69";
            secrets = {
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi";
              files = {
--- a/nixos/boxes/tower/default.nix
+++ b/nixos/boxes/tower/default.nix
@@ -14,7 +14,7 @@
          cpu = {
            intel.updateMicrocode = true;
          };
-          opengl.extraPackages = with pkgs; [
+          graphics.extraPackages = with pkgs; [
            intel-media-driver
          ];
          bluetooth.enable = true;
@@ -129,10 +129,9 @@
            wifi = {
              backend = "wpa_supplicant";
            };
-            extraConfig = ''
+            settings = {
-              [main]
+              main.no-auto-default = "*";
-              no-auto-default=*
+            };
            '';
          };
        };
@@ -178,7 +177,7 @@
              programs = {
                fish = {
                  shellAbbrs = {
-                    tsup = "doas tailscale up --login-server=https://ts.nul.ie --accept-routes";
+                    tsup = "doas tailscale up --login-server=https://hs.nul.ie --accept-routes";
                  };
                };
              };
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -35,7 +35,7 @@ let
      system = null;
      # Put the inputs in specialArgs to avoid infinite recursion when modules try to do imports
-      specialArgs = { inherit inputs pkgsFlakes pkgsFlake allAssignments; inherit (cfg) systems; };
+      specialArgs = { inherit self inputs pkgsFlakes pkgsFlake allAssignments; inherit (cfg) systems; };
      # `baseModules` informs the manual which modules to document
      baseModules =
@@ -135,6 +135,7 @@ let
      ipv6 = mkBoolOpt' false "Whether this mesh's underlay operates over IPv6.";
      baseMTU = mkOpt' ints.unsigned 1500 "Base MTU to calculate VXLAN MTU with.";
      l3Overhead = mkOpt' ints.unsigned 40 "Overhead of L3 header (to calculate MTU).";
      udpEncapsulation = mkBoolOpt' false "Whether to encapsulate ESP frames in UDP.";
      firewall = mkBoolOpt' true "Whether to generate firewall rules.";
      vni = mkOpt' ints.unsigned 1 "VXLAN VNI.";
      peers = mkOpt' (attrsOf (submodule l2PeerOpts)) { } "Peers.";
--- a/nixos/installer.nix
+++ b/nixos/installer.nix
@@ -1,7 +1,7 @@
 {
  nixos.systems.installer = { config, ... }: {
    system = "x86_64-linux";
-    nixpkgs = "unstable";
+    nixpkgs = "mine";
    docCustom = false;
    rendered = config.configuration.config.my.asISO;
@@ -52,6 +52,8 @@
            home.shellAliases = {
              show-hw-config = "nixos-generate-config --show-hardware-config --root $INSTALL_ROOT";
            };
            my.gui.enable = false;
          };
          services = {
@@ -59,8 +61,8 @@
          };
          networking = {
-            # Will be set dynamically
+            # Will be set dynamically, but need something to satisfy `/etc/os-release` stuff
-            hostName = "";
+            hostName = "installer";
            useNetworkd = false;
          };
@@ -80,6 +82,8 @@
                ${pkgs.gawk}/bin/awk '{ print $1 }')"
            '';
          boot.supportedFilesystems.nfs = true;
          environment.systemPackages = with pkgs; [
            dhcpcd
            lm_sensors
--- a/nixos/modules/_list.nix
+++ b/nixos/modules/_list.nix
@@ -20,5 +20,6 @@
    nvme = ./nvme;
    spdk = ./spdk.nix;
    librespeed = ./librespeed;
    netboot = ./netboot;
  };
 }
--- a/nixos/modules/build.nix
+++ b/nixos/modules/build.nix
@@ -1,6 +1,6 @@
 { lib, pkgs, extendModules, modulesPath, options, config, ... }:
 let
-  inherit (lib) recursiveUpdate mkOption mkDefault mkIf mkMerge flatten optional;
+  inherit (lib) recursiveUpdate mkOption mkDefault mkIf mkMerge mkForce flatten optional;
  inherit (lib.my) mkBoolOpt' dummyOption;
  cfg = config.my.build;
@@ -43,15 +43,145 @@ let
    modules = flatten [
      "${modulesPath}/installer/netboot/netboot.nix"
      allHardware
    ];
  };
  asNetboot = extendModules {
    modules = flatten [
      allHardware
      ({ pkgs, config, ... }: {
-        system.build.netbootArchive = pkgs.runCommand "netboot-${config.system.name}-archive.tar" { } ''
+        boot = {
-          ${pkgs.gnutar}/bin/tar -rvC "${config.system.build.kernel}" \
+          loader.grub.enable = false;
-            -f "$out" "${config.system.boot.loader.kernelFile}"
+          initrd = {
-          ${pkgs.gnutar}/bin/tar -rvC "${config.system.build.netbootRamdisk}" \
+            kernelModules = [ "nbd" ];
-            -f "$out" initrd
+            availableKernelModules = [ "igb" "igc" ];
-          ${pkgs.gnutar}/bin/tar -rvC "${config.system.build.netbootIpxeScript}" \
+
-            -f "$out" netboot.ipxe
+            systemd = {
-        '';
+              storePaths = with pkgs; [
                gnused
                nbd
                netcat
              ];
              extraBin = with pkgs; {
                dmesg = "${util-linux}/bin/dmesg";
                ip = "${iproute2}/bin/ip";
                nbd-client = "${nbd}/bin/nbd-client";
              };
              extraConfig = ''
                DefaultTimeoutStartSec=20
                DefaultDeviceTimeoutSec=20
              '';
              network = {
                enable = true;
                wait-online.enable = true;
                networks."10-netboot" = {
                  matchConfig.Name = "et-boot";
                  DHCP = "yes";
                };
              };
              services = {
                nbd = {
                  description = "NBD Root FS";
                  script = ''
                    get_cmdline() {
                      ${pkgs.gnused}/bin/sed -rn "s/^.*$1=(\\S+).*\$/\\1/p" < /proc/cmdline
                    }
                    s="$(get_cmdline nbd_server)"
                    until ${pkgs.netcat}/bin/nc -zv "$s" 22; do
                      sleep 0.1
                    done
                    exec ${pkgs.nbd}/bin/nbd-client -systemd-mark -N "$(get_cmdline nbd_export)" "$s" /dev/nbd0
                  '';
                  unitConfig = {
                    IgnoreOnIsolate = "yes";
                    DefaultDependencies = "no";
                  };
                  serviceConfig = {
                    Type = "forking";
                    Restart = "on-failure";
                    RestartSec = 10;
                  };
                  wantedBy = [ "initrd-root-device.target" ];
                };
              };
            };
          };
          postBootCommands = ''
            # After booting, register the contents of the Nix store
            # in the Nix database in the COW root.
            ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration
            # nixos-rebuild also requires a "system" profile and an
            # /etc/NIXOS tag.
            touch /etc/NIXOS
            ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
          '';
        };
        programs.nbd.enable = true;
        fileSystems = {
          "/" = {
            fsType = "ext4";
            device = "/dev/nbd0";
            noCheck = true;
            autoResize = true;
          };
        };
        networking.useNetworkd = mkForce true;
        systemd = {
          network.networks."10-boot" = {
            matchConfig.Name = "et-boot";
            DHCP = "yes";
            networkConfig.KeepConfiguration = "yes";
          };
        };
        system.build = {
          rootImage = pkgs.callPackage "${modulesPath}/../lib/make-ext4-fs.nix" {
            storePaths = [ config.system.build.toplevel ];
            volumeLabel = "netboot-root";
          };
          netbootScript = pkgs.writeText "boot.ipxe" ''
            #!ipxe
            kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ifname=et-boot:''${mac} nbd_server=''${next-server} ${toString config.boot.kernelParams} ''${cmdline}
            initrd initrd
            boot
          '';
          netbootTree = pkgs.linkFarm "netboot-${config.system.name}" [
            {
              name = config.system.boot.loader.kernelFile;
              path = "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}";
            }
            {
              name = "initrd";
              path = "${config.system.build.initialRamdisk}/initrd";
            }
            {
              name = "rootfs.ext4";
              path = config.system.build.rootImage;
            }
            {
              name = "boot.ipxe";
              path = config.system.build.netbootScript;
            }
          ];
          netbootArchive = pkgs.runCommand "netboot-${config.system.name}.tar.zst" { } ''
            export PATH=${pkgs.zstd}/bin:$PATH
            ${pkgs.gnutar}/bin/tar --dereference --zstd -cvC ${config.system.build.netbootTree} -f "$out" .
          '';
        };
      })
    ];
  };
@@ -77,6 +207,7 @@ in
      asISO = mkAsOpt asISO "a bootable .iso image";
      asContainer = mkAsOpt asContainer "a container";
      asKexecTree = mkAsOpt asKexecTree "a kexec-able kernel and initrd";
      asNetboot = mkAsOpt asNetboot "a netboot-able kernel initrd, and iPXE script";
      buildAs = options.system.build;
    };
@@ -110,7 +241,8 @@ in
        iso = config.my.asISO.config.system.build.isoImage;
        container = config.my.asContainer.config.system.build.toplevel;
        kexecTree = config.my.asKexecTree.config.system.build.kexecTree;
-        netbootArchive = config.my.asKexecTree.config.system.build.netbootArchive;
+        netbootTree = config.my.asNetboot.config.system.build.netbootTree;
        netbootArchive = config.my.asNetboot.config.system.build.netbootArchive;
      };
    };
  };
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, pkgs', inputs, config, ... }:
+{ lib, pkgsFlake, pkgs, pkgs', self, inputs, config, ... }:
 let
  inherit (lib) mkIf mkDefault mkMerge;
  inherit (lib.my) mkDefault';
@@ -12,7 +12,6 @@ in
    inputs.impermanence.nixosModule
    inputs.ragenix.nixosModules.age
    inputs.sharry.nixosModules.default
    inputs.attic.nixosModules.atticd
  ];
  config = mkMerge [
@@ -41,6 +40,7 @@ in
      nix = {
        package = pkgs'.mine.nix;
        channel.enable = false;
        settings = with lib.my.c.nix; {
          trusted-users = [ "@wheel" ];
          experimental-features = [ "nix-command" "flakes" "ca-derivations" ];
@@ -53,7 +53,7 @@ in
          pkgs = {
            to = {
              type = "path";
-              path = "${pkgs.path}";
+              path = "${pkgsFlake}";
            };
            exact = true;
          };
@@ -127,6 +127,9 @@ in
        };
      };
      environment.etc = {
        "nixos/flake.nix".source = "/run/nixfiles/flake.nix";
      };
      environment.systemPackages = with pkgs; mkMerge [
        [
          bash-completion
@@ -142,7 +145,10 @@ in
        fish.enable = mkDefault true;
        # TODO: This is expecting to look up the channel for the database...
        command-not-found.enable = mkDefault false;
-        vim.defaultEditor = true;
+        vim = {
          enable = true;
          defaultEditor = true;
        };
      };
      services = {
@@ -209,14 +215,35 @@ in
            # python.d plugin script does #!/usr/bin/env bash
            path = with pkgs; [ bash ];
          };
          nixfiles-mutable = {
            description = "Mutable nixfiles";
            serviceConfig = {
              Type = "oneshot";
              RemainAfterExit = true;
            };
            path = with pkgs; [ util-linux ];
            script = ''
              nixfilesDir="${self}"
              mkdir -p /run/nixfiles{,/.rw,/.work}
              mount -t overlay overlay -o lowerdir="$nixfilesDir",upperdir=/run/nixfiles/.rw,workdir=/run/nixfiles/.work /run/nixfiles
              chmod -R u+w /run/nixfiles
            '';
            preStop = ''
              umount /run/nixfiles
              rm -rf /run/nixfiles
            '';
            wantedBy = [ "multi-user.target" ];
          };
        };
      };
    }
    (mkIf config.services.kmscon.enable {
      fonts.fonts = with pkgs; [
-        (nerdfonts.override {
+        nerd-fonts.sauce-code-pro
          fonts = [ "SourceCodePro" ];
        })
      ];
    })
  ];
--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -1,6 +1,6 @@
 { lib, pkgs, options, config, systems, ... }:
 let
-  inherit (builtins) attrNames attrValues all hashString toJSON;
+  inherit (builtins) attrNames attrValues all hashString toJSON any;
  inherit (lib)
    groupBy' mapAttrsToList optionalString optional concatMapStringsSep filterAttrs mkOption mkDefault mkIf mkMerge;
  inherit (lib.my) mkOpt' mkBoolOpt';
@@ -98,6 +98,7 @@ let
      };
      networking = {
        bridge = mkOpt' (nullOr str) null "Network bridge to connect to.";
        macVLAN = mkOpt' (nullOr str) null "Network interface to make MACVLAN interface from.";
      };
    };
  };
@@ -115,26 +116,19 @@ in
          assertion = config.systemd.network.enable;
          message = "Containers currently require systemd-networkd!";
        }
        {
          assertion = all (i: i.networking.bridge == null || i.networking.macVLAN == null) (attrValues cfg.instances);
          message = "Only bridge OR MACVLAN can be set";
        }
      ];
      # TODO: Better security
      my.firewall.trustedInterfaces =
        mapAttrsToList
          (n: _: "ve-${n}")
-          (filterAttrs (_: c: c.networking.bridge == null) cfg.instances);
+          (filterAttrs (_: c: c.networking.bridge == null && c.networking.macVLAN == null) cfg.instances);
-      systemd = mkMerge ([
+      systemd = mkMerge (mapAttrsToList (n: c: {
        {
          # By symlinking to the original systemd-nspawn@.service for every instance we force the unit generator to
          # create overrides instead of replacing the unit entirely
          packages = [
            (pkgs.linkFarm "systemd-nspawn-containers" (map (n: {
              name = "etc/systemd/system/systemd-nspawn@${n}.service";
              path = "${pkgs.systemd}/example/systemd/system/systemd-nspawn@.service";
            }) (attrNames cfg.instances)))
          ];
        }
      ] ++ (mapAttrsToList (n: c: {
        nspawn."${n}" = {
          execConfig = {
            Boot = true;
@@ -165,6 +159,8 @@ in
          };
          networkConfig = if (c.networking.bridge != null) then {
            Bridge = c.networking.bridge;
          } else if (c.networking.macVLAN != null) then {
            MACVLAN = "${c.networking.macVLAN}:host0";
          } else {
            VirtualEthernet = true;
          };
@@ -182,6 +178,9 @@ in
            c.containerSystem;
        in
        {
          # To prevent creating a whole new unit file
          overrideStrategy = "asDropin";
          environment = {
            # systemd.nspawn units can't set the root directory directly, but /run/machines/${n} is one of the search paths
            root = "/run/machines/${n}";
@@ -247,7 +246,7 @@ in
            Bridge = c.networking.bridge;
          };
        };
-      }) cfg.instances));
+      }) cfg.instances);
    })
    # Inside container
--- a/nixos/modules/gui.nix
+++ b/nixos/modules/gui.nix
@@ -12,7 +12,7 @@ in
  config = mkIf cfg.enable {
    hardware = {
-      opengl.enable = mkDefault true;
+      graphics.enable = mkDefault true;
    };
    systemd = {
@@ -23,13 +23,13 @@ in
    security = {
      polkit.enable = true;
-      pam.services.swaylock = {};
+      pam.services.swaylock-plugin = {};
    };
    environment.systemPackages = with pkgs; [
      # for pw-jack
      pipewire.jack
-      swaylock
+      swaylock-plugin
    ];
    services = {
      pipewire = {
@@ -51,6 +51,10 @@ in
          SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="wheel"
          # Nintendo
          SUBSYSTEM=="usb", ATTR{idVendor}=="057e", MODE="0664", GROUP="wheel"
          # FT
          SUBSYSTEM=="usb", ATTR{idVendor}=="0403", MODE="0664", GROUP="wheel"
          # /dev/player0
          SUBSYSTEM=="usb", ATTR{idVendor}=="6969", MODE="0664", GROUP="wheel"
        '';
      };
    };
--- a/nixos/modules/l2mesh.nix
+++ b/nixos/modules/l2mesh.nix
@@ -36,18 +36,16 @@ let
        espOverhead =
          if (!mesh.security.enable) then 0
          else
-            # SPI + seq + IV + pad / header + ICV
+            # UDP encap + SPI + seq + IV + pad / header + ICV
-            4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
+            (if mesh.udpEncapsulation then 8 else 0) + 4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
        # UDP + VXLAN + Ethernet + L3 (IPv4/IPv6)
        overhead = espOverhead + 8 + 8 + 14 + mesh.l3Overhead;
      in
      toString (mesh.baseMTU - overhead);
      bridgeFDBs = mapAttrsToList (n: peer: {
-        bridgeFDBConfig = {
+        MACAddress = "00:00:00:00:00:00";
-          MACAddress = "00:00:00:00:00:00";
+        Destination = peer.addr;
          Destination = peer.addr;
        };
      }) otherPeers;
    };
  };
@@ -62,7 +60,11 @@ let
      chain l2mesh-${name} {
        ${optionalString mesh.security.enable ''
          udp dport isakmp accept
-          meta l4proto esp accept
+          ${if mesh.udpEncapsulation then ''
            udp dport ipsec-nat-t accept
          '' else ''
            meta l4proto esp accept
          ''}
        ''}
        ${optionalString (!mesh.security.enable) (vxlanAllow mesh.vni)}
        return
@@ -94,6 +96,7 @@ let
          esp=${if mesh.security.encrypt then "aes_gcm256" else "null-sha256"}
          ikev2=yes
          modecfgpull=no
          encapsulation=${if mesh.udpEncapsulation then "yes" else "no"}
        '';
      })
    otherPeers);
--- a/nixos/modules/netboot/default.nix
+++ b/nixos/modules/netboot/default.nix
@@ -0,0 +1,232 @@
 { lib, pkgs, config, ... }:
 let
  inherit (lib) mkMerge mkIf mkForce genAttrs concatMapStringsSep;
  inherit (lib.my) mkOpt' mkBoolOpt';
  cfg = config.my.netboot;
  ipxe = pkgs.ipxe.overrideAttrs (o: rec {
    version = "1.21.1-unstable-2024-06-27";
    src = pkgs.fetchFromGitHub {
      owner = "ipxe";
      repo = "ipxe";
      rev = "b66e27d9b29a172a097c737ab4d378d60fe01b05";
      hash = "sha256-TKZ4WjNV2oZIYNefch7E7m1JpeoC/d7O1kofoNv8G40=";
    };
  });
  tftpRoot = pkgs.linkFarm "tftp-root" [
    {
      name = "ipxe-x86_64.efi";
      path = "${ipxe}/ipxe.efi";
    }
  ];
  menuFile = pkgs.runCommand "menu.ipxe" {
    bootHost = cfg.server.host;
  } ''
    substituteAll ${./menu.ipxe} "$out"
  '';
  bootBuilder = pkgs.substituteAll {
    src = ./netboot-loader-builder.py;
    isExecutable = true;
    inherit (pkgs) python3;
    bootspecTools = pkgs.bootspec;
    nix = config.nix.package.out;
    inherit (config.system.nixos) distroName;
    systemName = config.system.name;
    inherit (cfg.client) configurationLimit;
    checkMountpoints = pkgs.writeShellScript "check-mountpoints" ''
      if ! ${pkgs.util-linuxMinimal}/bin/findmnt /boot > /dev/null; then
        echo "/boot is not a mounted partition. Is the path configured correctly?" >&2
        exit 1
      fi
    '';
  };
 in
 {
  options.my.netboot = with lib.types; {
    client = {
      enable = mkBoolOpt' false "Whether network booting should be enabled.";
      configurationLimit = mkOpt' ints.unsigned 10 "Max generations to show in boot menu.";
    };
    server = {
      enable = mkBoolOpt' false "Whether a netboot server should be enabled.";
      ip = mkOpt' str null "IP clients should connect to via TFTP.";
      host = mkOpt' str config.networking.fqdn "Hostname clients should connect to over HTTP / NFS.";
      allowedPrefixes = mkOpt' (listOf str) null "Prefixes clients should be allowed to connect from (NFS).";
      installer = {
        storeSize = mkOpt' str "16GiB" "Total allowed writable size of store.";
      };
      instances = mkOpt' (listOf str) [ ] "Systems to hold boot files for.";
    };
  };
  config = mkMerge [
    (mkIf cfg.client.enable {
      systemd = {
        services = {
          mount-boot = {
            description = "Mount /boot";
            after = [ "systemd-networkd-wait-online.service" ];
            serviceConfig = {
              Type = "oneshot";
              RemainAfterExit = true;
            };
            path = with pkgs; [ gnused ldns nfs-utils ];
            script = ''
              get_cmdline() {
                sed -rn "s/^.*$1=(\\S+).*\$/\\1/p" < /proc/cmdline
              }
              host="$(get_cmdline boothost)"
              if [ -z "$host" ]; then
                echo "boothost kernel parameter not found!" >&2
                exit 1
              fi
              until [ -n "$(drill -Q $host)" ]; do
                sleep 0.1
              done
              mkdir -p /boot
              mount.nfs $host:/srv/netboot/systems/${config.system.name} /boot
            '';
            wantedBy = [ "remote-fs.target" ];
          };
        };
      };
      boot.supportedFilesystems.nfs = true;
      boot.loader = {
        grub.enable = false;
        systemd-boot.enable = false;
      };
      system = {
        build.installBootLoader = bootBuilder;
        boot.loader.id = "ipxe-netboot";
      };
    })
    (mkIf cfg.server.enable {
      environment = {
        etc = {
          "netboot/menu.ipxe".source = menuFile;
          "netboot/shell.efi".source = "${pkgs.edk2-uefi-shell}/shell.efi";
        };
      };
      systemd = {
        tmpfiles.settings."10-netboot" = genAttrs
          (map (i: "/srv/netboot/systems/${i}") cfg.server.instances)
          (p: {
            d = {
              user = "root";
              group = "root";
              mode = "0777";
            };
          });
        services = {
          netboot-update = {
            description = "Update netboot images";
            after = [ "systemd-networkd-wait-online.service" ];
            serviceConfig.Type = "oneshot";
            path = with pkgs; [
              coreutils curl jq zstd gnutar
            ];
            script = ''
              update_nixos() {
                latestShort="$(curl -s https://git.nul.ie/api/v1/repos/dev/nixfiles/tags/installer \
                             | jq -r .commit.sha | cut -c -7)"
                if [ -f nixos-installer/tag.txt ] && [ "$(< nixos-installer/tag.txt)" = "$latestShort" ]; then
                  echo "NixOS installer is up to date"
                  return
                fi
                echo "Updating NixOS installer to $latestShort"
                mkdir -p nixos-installer
                fname="jackos-installer-netboot-$latestShort.tar.zst"
                downloadUrl="$(curl -s https://git.nul.ie/api/v1/repos/dev/nixfiles/releases/tags/installer | \
                               jq -r ".assets[] | select(.name == \"$fname\").browser_download_url")"
                curl -Lo /tmp/nixos-installer-netboot.tar.zst "$downloadUrl"
                tar -C nixos-installer --zstd -xf /tmp/nixos-installer-netboot.tar.zst
                truncate -s "${cfg.server.installer.storeSize}" nixos-installer/rootfs.ext4
                rm /tmp/nixos-installer-netboot.tar.zst
                echo "$latestShort" > nixos-installer/tag.txt
              }
              mkdir -p /srv/netboot
              cd /srv/netboot
              ln -sf ${menuFile} boot.ipxe
              ln -sf "${pkgs.edk2-uefi-shell}/shell.efi" "efi-shell-${config.nixpkgs.localSystem.linuxArch}.efi"
              update_nixos
            '';
            startAt = "06:00";
            wantedBy = [ "network-online.target" ];
          };
          nbd-server = {
            serviceConfig = {
              PrivateUsers = mkForce false;
              CacheDirectory = "netboot";
            };
          };
        };
      };
      services = {
        atftpd = {
          enable = true;
          root = tftpRoot;
        };
        nginx = {
          virtualHosts."${cfg.server.host}" = {
            locations."/" = {
              root = "/srv/netboot";
              extraConfig = ''
                autoindex on;
              '';
            };
          };
        };
        nbd.server = {
          enable = true;
          extraOptions = {
            allowlist = true;
          };
          exports = {
            nixos-installer = {
              path = "/srv/netboot/nixos-installer/rootfs.ext4";
              extraOptions = {
                copyonwrite = true;
                cowdir = "/var/cache/netboot";
                sparse_cow = true;
              };
            };
          };
        };
        nfs = {
          server = {
            enable = true;
            exports = ''
              /srv/netboot/systems ${concatMapStringsSep " " (p: "${p}(rw,all_squash)") cfg.server.allowedPrefixes}
            '';
          };
        };
      };
      my = {
        tmproot.persistence.config.directories = [
          "/srv/netboot"
          { directory = "/var/cache/netboot"; mode = "0700"; }
        ];
      };
    })
  ];
 }
--- a/nixos/modules/netboot/menu.ipxe
+++ b/nixos/modules/netboot/menu.ipxe
@@ -0,0 +1,68 @@
 #!ipxe
 set server http://@bootHost@
 # Figure out if client is 64-bit capable
 cpuid --ext 29 && set arch x86_64 || set arch i386
 isset ${menu-default} || set menu-default exit
 :start
 menu Welcome to /dev/player0's humble iPXE boot menu
 item --gap --           Operating Systems
 iseq ${arch} x86_64 &&
 item --key n nixos      NixOS installer
 # iseq ${arch} x86_64 &&
 # item --key a archlinux Arch Linux (archiso x86_64)
 # iseq ${arch} x86_64 &&
 # item --key p alpine   Alpine Linux
 item --gap --           Other Options
 item --key e efi_shell  UEFI Shell
 item --key x xyz        netboot.xyz
 item --key c config     iPXE settings
 item --key s shell      Drop to iPXE shell
 item --key r reboot     Reboot
 item --key q exit       Exit (and continue to next boot device)
 choose --timeout 0 --default ${menu-default} selected || goto cancel
 goto ${selected}
 :cancel
 echo You cancelled the menu, dropping you to an iPXE shell
 :shell
 echo Type 'exit' to go back to the menu
 shell
 set menu-default nixos
 goto start
 :failed
 echo Booting failed, dropping to shell
 goto shell
 :reboot
 reboot
 :exit
 exit
 :config
 config
 set menu-default config
 goto start
 :efi_shell
 chain ${server}/efi-shell-${arch}.efi || goto failed
 :xyz
 chain --autofree https://boot.netboot.xyz || goto failed
 :nixos
 set cmdline nbd_export=nixos-installer
 chain ${server}/nixos-installer/boot.ipxe || goto failed
 :archlinux
 # set mirrorurl https://arch.nul.ie/
 chain ${server}/arch.ipxe || goto failed
 :alpine
 chain ${server}/alpine.ipxe || goto failed
--- a/nixos/modules/netboot/netboot-loader-builder.py
+++ b/nixos/modules/netboot/netboot-loader-builder.py
@@ -0,0 +1,280 @@
 #! @python3@/bin/python3 -B
 # Based on `nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py`
 import argparse
 import datetime
 import glob
 import os
 import os.path
 import shutil
 import subprocess
 import sys
 import json
 from typing import NamedTuple, Dict, List
 from dataclasses import dataclass
 BOOT_MOUNT_POINT = '/boot'
 STORE_DIR = 'nix'
 # These values will be replaced with actual values during the package build
 BOOTSPEC_TOOLS = '@bootspecTools@'
 NIX = '@nix@'
 DISTRO_NAME = '@distroName@'
 SYSTEM_NAME = '@systemName@'
 CONFIGURATION_LIMIT = int('@configurationLimit@')
 CHECK_MOUNTPOINTS = "@checkMountpoints@"
@dataclass
 class BootSpec:
  init: str
  initrd: str
  kernel: str
  kernelParams: List[str]
  label: str
  system: str
  toplevel: str
  specialisations: Dict[str, 'BootSpec']
  sortKey: str
  initrdSecrets: str | None = None
 class SystemIdentifier(NamedTuple):
  profile: str | None
  generation: int
  specialisation: str | None
 def copy_if_not_exists(source: str, dest: str) -> None:
  if not os.path.exists(dest):
    shutil.copyfile(source, dest)
 def generation_dir(profile: str | None, generation: int) -> str:
  if profile:
    return f'/nix/var/nix/profiles/system-profiles/{profile}-{generation}-link'
  else:
    return f'/nix/var/nix/profiles/system-{generation}-link'
 def system_dir(i: SystemIdentifier) -> str:
  d = generation_dir(i.profile, i.generation)
  if i.specialisation:
    return os.path.join(d, 'specialisation', i.specialisation)
  else:
    return d
 def entry_key(i: SystemIdentifier) -> str:
  pieces = [
    'nixos',
    i.profile or None,
    'generation',
    str(i.generation),
    f'specialisation-{i.specialisation}' if i.specialisation else None,
  ]
  return '-'.join(p for p in pieces if p)
 def bootspec_from_json(bootspec_json: Dict) -> BootSpec:
  specialisations = bootspec_json['org.nixos.specialisation.v1']
  specialisations = {k: bootspec_from_json(v) for k, v in specialisations.items()}
  systemdBootExtension = bootspec_json.get('org.nixos.systemd-boot', {})
  sortKey = systemdBootExtension.get('sortKey', 'nixos')
  return BootSpec(
    **bootspec_json['org.nixos.bootspec.v1'],
    specialisations=specialisations,
    sortKey=sortKey
  )
 bootspecs = {}
 def get_bootspec(profile: str | None, generation: int) -> BootSpec:
  k = (profile, generation)
  if k in bootspecs:
    return bootspecs[k]
  system_directory = system_dir(SystemIdentifier(profile, generation, None))
  boot_json_path = os.path.realpath(f'{system_directory}/boot.json')
  if os.path.isfile(boot_json_path):
    boot_json_f = open(boot_json_path, 'r')
    bootspec_json = json.load(boot_json_f)
  else:
    boot_json_str = subprocess.check_output([
      f'{BOOTSPEC_TOOLS}/bin/synthesize',
      '--version',
      '1',
      system_directory,
      '/dev/stdout',
    ],
    universal_newlines=True)
    bootspec_json = json.loads(boot_json_str)
  bs = bootspec_from_json(bootspec_json)
  bootspecs[k] = bs
  return bs
 def copy_from_file(file: str, dry_run: bool = False) -> str:
  store_file_path = os.path.realpath(file)
  suffix = os.path.basename(store_file_path)
  store_dir = os.path.basename(os.path.dirname(store_file_path))
  dst_path = f'/{STORE_DIR}/{store_dir}-{suffix}'
  if not dry_run:
    copy_if_not_exists(store_file_path, f'{BOOT_MOUNT_POINT}{dst_path}')
  return dst_path
 MENU_ITEM = 'item {gen_key} {title} Generation {generation} {description}'
 BOOT_ENTRY = ''':{gen_key}
 kernel ${{server}}/systems/{system_name}{kernel} {kernel_params} boothost=${{boothost}}
 initrd ${{server}}/systems/{system_name}{initrd}
 boot
 '''
 def gen_entry(i: SystemIdentifier) -> (str, str):
  bootspec = get_bootspec(i.profile, i.generation)
  if i.specialisation:
    bootspec = bootspec.specialisations[i.specialisation]
  kernel = copy_from_file(bootspec.kernel)
  initrd = copy_from_file(bootspec.initrd)
  gen_key = entry_key(i)
  title = '{name}{profile}{specialisation}'.format(
    name=DISTRO_NAME,
    profile=' [' + i.profile + ']' if i.profile else '',
    specialisation=f' ({i.specialisation})' if i.specialisation else '')
  kernel_params = f'init={bootspec.init} '
  kernel_params = kernel_params + ' '.join(bootspec.kernelParams)
  build_time = int(os.path.getctime(system_dir(i)))
  build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F')
  return MENU_ITEM.format(
    gen_key=gen_key,
    title=title,
    description=f'{bootspec.label}, built on {build_date}',
    generation=i.generation,
  ), BOOT_ENTRY.format(
    gen_key=gen_key,
    generation=i.generation,
    system_name=SYSTEM_NAME,
    kernel=kernel,
    kernel_params=kernel_params,
    initrd=initrd,
  )
 def get_generations(profile: str | None = None) -> list[SystemIdentifier]:
  gen_list = subprocess.check_output([
    f'{NIX}/bin/nix-env',
    '--list-generations',
    '-p',
    '/nix/var/nix/profiles/' + ('system-profiles/' + profile if profile else 'system')],
    universal_newlines=True)
  gen_lines = gen_list.split('\n')
  gen_lines.pop()
  configurationLimit = CONFIGURATION_LIMIT
  configurations = [
    SystemIdentifier(
      profile=profile,
      generation=int(line.split()[0]),
      specialisation=None
    )
    for line in gen_lines
  ]
  return configurations[-configurationLimit:]
 def remove_old_files(gens: list[SystemIdentifier]) -> None:
  known_paths = []
  for gen in gens:
    bootspec = get_bootspec(gen.profile, gen.generation)
    known_paths.append(copy_from_file(bootspec.kernel, True))
    known_paths.append(copy_from_file(bootspec.initrd, True))
  for path in glob.iglob(f'{BOOT_MOUNT_POINT}/{STORE_DIR}/*'):
    if not path in known_paths and not os.path.isdir(path):
      os.unlink(path)
 def get_profiles() -> list[str]:
  if os.path.isdir('/nix/var/nix/profiles/system-profiles/'):
    return [x
      for x in os.listdir('/nix/var/nix/profiles/system-profiles/')
      if not x.endswith('-link')]
  else:
    return []
 MENU = '''#!ipxe
 # Server hostname option
 set boothost ${{66:string}}
 set server http://${{boothost}}
 :start
 menu {distro} boot menu
 item --gap -- Generations
 {generation_items}
 item --gap -- Other
 item --key m main Main netboot menu
 choose --timeout 5000 --default {menu_default} selected || goto cancel
 goto ${{selected}}
 :cancel
 shell
 goto start
 :error
 echo Booting failed, dropping to shell
 shell
 goto start
 :main
 chain ${{server}}/boot.ipxe || goto error
 '''
 def write_menu(gens: list[SystemIdentifier], default: SystemIdentifier) -> None:
  gen_menu_items = []
  gen_cmds = []
  for g in gens:
    bootspec = get_bootspec(g.profile, g.generation)
    specialisations = [
      SystemIdentifier(profile=g.profile, generation=g.generation, specialisation=s) for s in bootspec.specialisations]
    for i in [g] + specialisations:
      mi, cmds = gen_entry(i)
      gen_menu_items.append(mi)
      gen_cmds.append(cmds)
  menu_file = f'{BOOT_MOUNT_POINT}/menu.ipxe'
  with open(f'{menu_file}.tmp', 'w') as f:
    f.write(MENU.format(
      distro=DISTRO_NAME,
      generation_items='\n'.join(gen_menu_items),
      menu_default=entry_key(default),
    ))
    print(file=f)
    print('\n\n'.join(gen_cmds), file=f)
  os.rename(f'{menu_file}.tmp', menu_file)
 def install_bootloader(args: argparse.Namespace) -> None:
  os.makedirs(f'{BOOT_MOUNT_POINT}/{STORE_DIR}', exist_ok=True)
  gens = get_generations()
  for profile in get_profiles():
    gens += get_generations(profile)
  gens = sorted(gens, key=lambda g: entry_key(g), reverse=True)
  remove_old_files(gens)
  for g in gens:
    if os.path.dirname(get_bootspec(g.profile, g.generation).init) == os.path.realpath(args.default_config):
      default = g
      break
  else:
    assert False, 'No default generation found'
  write_menu(gens, default)
 def main() -> None:
  parser = argparse.ArgumentParser(description=f'Update {DISTRO_NAME}-related netboot files')
  parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help=f'The default {DISTRO_NAME} config to boot')
  args = parser.parse_args()
  subprocess.check_call(CHECK_MOUNTPOINTS)
  install_bootloader(args)
 if __name__ == '__main__':
  main()
--- a/nixos/modules/nvme/default.nix
+++ b/nixos/modules/nvme/default.nix
@@ -5,8 +5,16 @@ let
  cfg = config.my.nvme;
  nvme-cli = pkgs.nvme-cli.override {
-    libnvme = pkgs.libnvme.overrideAttrs (o: {
+    libnvme = pkgs.libnvme.overrideAttrs (o: rec {
-      patches = o.patches ++ [ ./libnvme-hostconf.patch ];
+      # TODO: Remove when 1.11.1 releases (see https://github.com/linux-nvme/libnvme/pull/914)
      version = "1.11.1";
      src = pkgs.fetchFromGitHub {
        owner = "linux-nvme";
        repo = "libnvme";
        rev = "v${version}";
        hash = "sha256-CEGr7PDOVRi210XvICH8iLYDKn8S9bGruBO4tycvsT8=";
      };
      patches = (if (o ? patches) then o.patches else [ ]) ++ [ ./libnvme-hostconf.patch ];
    });
  };
@@ -33,24 +41,43 @@ in
      etc = etc "";
    };
-    boot.initrd.systemd = mkIf (cfg.boot.nqn != null) {
+    boot = mkIf (cfg.boot.nqn != null) {
-      contents = etc "/etc/";
+      initrd = {
-      extraBin.nvme = "${nvme-cli}/bin/nvme";
+        availableKernelModules = [ "rdma_cm" "iw_cm" "ib_cm" "nvme_core" "nvme_rdma" ];
        kernelModules = [ "nvme-fabrics" ];
        systemd = {
          contents = etc "/etc/";
          extraBin = with pkgs; {
            dmesg = "${util-linux}/bin/dmesg";
            ip = "${iproute2}/bin/ip";
            nvme = "${nvme-cli}/bin/nvme";
          };
          extraConfig = ''
            DefaultTimeoutStartSec=20
            DefaultDeviceTimeoutSec=20
          '';
-      services.connect-nvme = {
+          network = {
-        description = "Connect NVMe-oF";
+            enable = true;
-        before = [ "initrd-root-device.target" ];
+            wait-online.enable = true;
-        after = [ "systemd-networkd-wait-online.service" ];
+          };
        requires = [ "systemd-networkd-wait-online.service" ];
-        serviceConfig = {
+          services.connect-nvme = {
-          Type = "oneshot";
+            description = "Connect NVMe-oF";
-          ExecStart = "${nvme-cli}/bin/nvme connect -t rdma -a ${cfg.boot.address} -n ${cfg.boot.nqn}";
+            before = [ "initrd-root-device.target" ];
-          Restart = "on-failure";
+            after = [ "systemd-networkd-wait-online.service" ];
-          RestartSec = 10;
+            requires = [ "systemd-networkd-wait-online.service" ];
            serviceConfig = {
              Type = "oneshot";
              ExecStart = "${nvme-cli}/bin/nvme connect -t rdma -a ${cfg.boot.address} -n ${cfg.boot.nqn}";
              Restart = "on-failure";
              RestartSec = 10;
            };
            wantedBy = [ "initrd-root-device.target" ];
          };
        };
        wantedBy = [ "initrd-root-device.target" ];
      };
    };
  };
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -2,7 +2,7 @@
 let
  inherit (lib)
    optionalString concatStringsSep concatMap concatMapStringsSep mkIf mkDefault mkMerge mkForce mkVMOverride
-    mkAliasDefinitions;
+    mkAliasDefinitions mapAttrsToList filterAttrs;
  inherit (lib.my) mkOpt' mkBoolOpt' mkVMOverride';
  cfg = config.my.tmproot;
@@ -147,6 +147,15 @@ in
            "/var/lib/systemd"
            { directory = "/root/.cache/nix"; mode = "0700"; }
            # Including these unconditionally due to infinite recursion problems...
            {
              directory = "/etc/lvm/archive";
              mode = "0700";
            }
            {
              directory = "/etc/lvm/backup";
              mode = "0700";
            }
          ];
          files = [
            "/etc/machine-id"
@@ -260,18 +269,6 @@ in
        my.tmproot.persistence.config.files =
          concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys;
      })
      (mkIf config.services.lvm.enable {
        my.tmproot.persistence.config.directories = [
          {
            directory = "/etc/lvm/archive";
            mode = "0700";
          }
          {
            directory = "/etc/lvm/backup";
            mode = "0700";
          }
        ];
      })
      (mkIf (config.security.acme.certs != { }) {
        my.tmproot.persistence.config.directories = [
          {
@@ -492,6 +489,68 @@ in
          }
        ];
      })
      (mkIf config.services.wastebin.enable {
        my.tmproot.persistence.config.directories = [ "/var/lib/private/wastebin" ];
      })
      (mkIf config.services.photoprism.enable {
        my.tmproot.persistence.config.directories = [
          {
            directory = config.services.photoprism.storagePath;
            mode = "0750";
            user = "photoprism";
            group = "photoprism";
          }
        ];
      })
      (mkIf config.services.mautrix-whatsapp.enable {
        my.tmproot.persistence.config.directories = [
          {
            directory = "/var/lib/mautrix-whatsapp";
            mode = "0750";
            user = "mautrix-whatsapp";
            group = "mautrix-whatsapp";
          }
        ];
      })
      {
        my.tmproot.persistence.config.directories = mapAttrsToList (n: i: {
          directory = "/var/lib/${i.dataDir}";
          mode = "0750";
          user = "mautrix-meta-${n}";
          group = "mautrix-meta";
        }) (filterAttrs (_: i: i.enable) config.services.mautrix-meta.instances);
      }
      (mkIf config.services.unifi.enable {
        my.tmproot.persistence.config.directories = [
          {
            directory = "/var/lib/unifi";
            mode = "0750";
            user = "unifi";
            group = "unifi";
          }
          {
            directory = "/var/cache/unifi";
            mode = "0750";
            user = "unifi";
            group = "unifi";
          }
        ];
      })
      (persistSimpleSvc "octoprint")
      (mkIf (config.services.borgbackup.jobs != { }) {
        my.tmproot.persistence.config.directories = [
          "/var/lib/borgbackup"
          "/var/cache/borgbackup"
        ];
        services.borgbackup.package = pkgs.borgbackup.overrideAttrs (o: {
          makeWrapperArgs = o.makeWrapperArgs ++ [
            "--set-default BORG_BASE_DIR /var/lib/borgbackup"
            "--set-default BORG_CONFIG_DIR /var/lib/borgbackup/config"
            "--set-default BORG_CACHE_DIR /var/cache/borgbackup"
          ];
        });
      })
    ]))
  ]);
--- a/nixos/modules/user.nix
+++ b/nixos/modules/user.nix
@@ -82,6 +82,10 @@ in
      # NOTE: As the "outermost" module is still being evaluated in NixOS land, special params (e.g. pkgs) won't be
      # passed to it
      home-manager.users.${user'.name} = mkAliasDefinitions options.my.user.homeConfig;
      systemd.services.nixfiles-mutable.script = ''
        chown -R ${user'.name} /run/nixfiles
      '';
    }
    (mkIf (cfg.passwordSecret != null) {
      my = {
--- a/pkgs/chocolate-doom2xx/default.nix
+++ b/pkgs/chocolate-doom2xx/default.nix
@@ -0,0 +1,49 @@
 { lib, stdenv, autoreconfHook, pkg-config, SDL, SDL_mixer, SDL_net
 , fetchFromGitHub, fetchpatch, python3 }:
 stdenv.mkDerivation rec {
  pname = "chocolate-doom";
  version = "2.3.0";
  src = fetchFromGitHub {
    owner = "chocolate-doom";
    repo = pname;
    rev = "${pname}-${version}";
    sha256 = "sha256-1uw/1CYKBvDNgT5XxRBY24Evt3f4Y6YQ6bScU+KNHgM=";
  };
  patches = [
    # Pull upstream patch to fix build against gcc-10:
    #   https://github.com/chocolate-doom/chocolate-doom/pull/1257
    (fetchpatch {
      name = "fno-common.patch";
      url = "https://github.com/chocolate-doom/chocolate-doom/commit/a8fd4b1f563d24d4296c3e8225c8404e2724d4c2.patch";
      sha256 = "1dmbygn952sy5n8qqp0asg11pmygwgygl17lrj7i0fxa0nrhixhj";
    })
    ./demoloopi.patch
  ];
  outputs = [ "out" "man" ];
  postPatch = ''
    patchShebangs --build man/{simplecpp,docgen}
  '';
  nativeBuildInputs = [
    autoreconfHook
    pkg-config
    # for documentation
    python3
  ];
  buildInputs = [ (SDL.override { cacaSupport = true; }) SDL_mixer SDL_net ];
  enableParallelBuilding = true;
  meta = {
    homepage = "http://chocolate-doom.org/";
    description = "A Doom source port that accurately reproduces the experience of Doom as it was played in the 1990s";
    license = lib.licenses.gpl2Plus;
    platforms = lib.platforms.unix;
    hydraPlatforms = lib.platforms.linux; # darwin times out
    maintainers = with lib.maintainers; [ ];
  };
 }
--- a/pkgs/chocolate-doom2xx/demoloopi.patch
+++ b/pkgs/chocolate-doom2xx/demoloopi.patch
@@ -0,0 +1,91 @@
 diff --git a/src/doom/d_main.c b/src/doom/d_main.c
 index 65a39a10..3f799b0f 100644
 --- a/src/doom/d_main.c
 +++ b/src/doom/d_main.c
@@ -483,6 +483,8 @@ void D_DoomLoop (void)
 //  DEMO LOOP
 //
 int             demosequence;
 +int             demoloopi;
 +char            demoloopname[9];
 int             pagetic;
 char                    *pagename;
@@ -524,6 +526,8 @@ void D_AdvanceDemo (void)
 //
 void D_DoAdvanceDemo (void)
 {
 +    int havedemo4;
 +
     players[consoleplayer].playerstate = PST_LIVE;  // not reborn
     advancedemo = false;
     usergame = false;               // no save / end game here
@@ -539,10 +543,14 @@ void D_DoAdvanceDemo (void)
     // However! There is an alternate version of Final Doom that
     // includes a fixed executable.
 -    if (gameversion == exe_ultimate || gameversion == exe_final)
 +    havedemo4 = gameversion == exe_ultimate || gameversion == exe_final;
 +    if (havedemo4)
       demosequence = (demosequence+1)%7;
     else
       demosequence = (demosequence+1)%6;
 +
 +    if (demoloopi < 0 || demoloopi > (havedemo4 ? 3 : 2))
 +      I_Error("Invalid demo loop start %d", demoloopi);
     switch (demosequence)
     {
@@ -558,17 +566,11 @@ void D_DoAdvanceDemo (void)
 	else
 	  S_StartMusic (mus_intro);
 	break;
 -      case 1:
 -	G_DeferedPlayDemo(DEH_String("demo1"));
 -	break;
       case 2:
 	pagetic = 200;
 	gamestate = GS_DEMOSCREEN;
 	pagename = DEH_String("CREDIT");
 	break;
 -      case 3:
 -	G_DeferedPlayDemo(DEH_String("demo2"));
 -	break;
       case 4:
 	gamestate = GS_DEMOSCREEN;
 	if ( gamemode == commercial)
@@ -587,12 +589,14 @@ void D_DoAdvanceDemo (void)
 	      pagename = DEH_String("HELP2");
 	}
 	break;
 +      case 1:
 +      case 3:
       case 5:
 -	G_DeferedPlayDemo(DEH_String("demo3"));
 -	break;
         // THE DEFINITIVE DOOM Special Edition demo
       case 6:
 -	G_DeferedPlayDemo(DEH_String("demo4"));
 +	DEH_snprintf(demoloopname, 9, "demo%d", demoloopi + 1);
 +	G_DeferedPlayDemo(demoloopname);
 +	demoloopi = (demoloopi+1) % (havedemo4 ? 4 : 3);
 	break;
     }
@@ -1891,7 +1895,15 @@ void D_DoomMain (void)
 	G_TimeDemo (demolumpname);
 	D_DoomLoop ();  // never returns
     }
 -	
 +
 +    p = M_CheckParmWithArgs("-demoloopi", 1);
 +    if (p)
 +    {
 +        demoloopi = atoi(myargv[p+1]);
 +    } else {
 +        demoloopi = 0;
 +    }
 +
     if (startloadgame >= 0)
     {
         M_StringCopy(file, P_SaveGameFile(startloadgame), sizeof(file));
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -7,5 +7,9 @@ in
  monocraft' = callPackage ./monocraft.nix { };
  vfio-pci-bind = callPackage ./vfio-pci-bind.nix { };
  librespeed-go = callPackage ./librespeed-go.nix { };
-  modrinth-app = callPackage ./modrinth-app { };
+  # modrinth-app = callPackage ./modrinth-app { };
  chocolate-doom2xx = callPackage ./chocolate-doom2xx { };
  windowtolayer = callPackage ./windowtolayer.nix { };
  swaylock-plugin = callPackage ./swaylock-plugin.nix { };
  terminaltexteffects = callPackage ./terminaltexteffects.nix { };
 }
--- a/pkgs/modrinth-app/default.nix
+++ b/pkgs/modrinth-app/default.nix
@@ -81,7 +81,7 @@ rustPlatform.buildRustPackage rec {
    dontFixup = true;
    outputHashMode = "recursive";
-    outputHash = "sha256-9HtTdIotG3sNIlWhd76v7Ia6P69ufp/FFqZfINXSkVc=";
+    outputHash = "sha256-Txttk8qZpDsAuiF8laKbZss/KEoT1Z+oepbj2s4XjE8=";
  };
  preBuild = ''
--- a/pkgs/swaylock-plugin.nix
+++ b/pkgs/swaylock-plugin.nix
@@ -0,0 +1,41 @@
 { lib, stdenv, fetchFromGitHub, fetchpatch
 , meson, ninja, pkg-config, scdoc, wayland-scanner
 , wayland, wayland-protocols, libxkbcommon, cairo, gdk-pixbuf, pam
 }:
 stdenv.mkDerivation rec {
  pname = "swaylock-plugin";
  version = "1dd15b6";
  src = fetchFromGitHub {
    owner = "mstoeckl";
    repo = pname;
    rev = "1dd15b6ecbe91be7a3dc4a0fa9514fb166fb2e07";
    hash = "sha256-xWyDDT8sXAL58HtA9ifzCenKMmOZquzXZaz3ttGGJuY=";
  };
  strictDeps = true;
  depsBuildBuild = [ pkg-config ];
  nativeBuildInputs = [ meson ninja pkg-config scdoc wayland-scanner ];
  buildInputs = [ wayland wayland-protocols libxkbcommon cairo gdk-pixbuf pam ];
  mesonFlags = [
    "-Dpam=enabled" "-Dgdk-pixbuf=enabled" "-Dman-pages=enabled"
  ];
  env.NIX_CFLAGS_COMPILE = "-Wno-maybe-uninitialized";
  meta = with lib; {
    description = "Screen locker for Wayland -- fork with background plugin support";
    longDescription = ''
      Fork of swaylock, a screen locking utility for Wayland compositors.
      With swaylock-plugin, you can for your lockscreen background display
      the animated output from any wallpaper program that implements the
      wlr-layer-shell-unstable-v1 protocol.
    '';
    inherit (src.meta) homepage;
    mainProgram = "swaylock";
    license = licenses.mit;
    platforms = platforms.linux;
    maintainers = with maintainers; [ devplayer0 ];
  };
 }
--- a/pkgs/terminaltexteffects.nix
+++ b/pkgs/terminaltexteffects.nix
@@ -0,0 +1,19 @@
 { lib
 , python3Packages
 , fetchPypi
 }:
 python3Packages.buildPythonApplication rec {
  pname = "terminaltexteffects";
  version = "0.10.1";
  pyproject = true;
  src = fetchPypi {
    inherit pname version;
    hash = "sha256-NyWPfdgLeXAxKPJOzB7j4aT+zjrURN59CGcv0Vt99y0=";
  };
  build-system = with python3Packages; [
    poetry-core
  ];
 }
--- a/pkgs/windowtolayer.nix
+++ b/pkgs/windowtolayer.nix
@@ -0,0 +1,18 @@
 { lib
 , fetchFromGitLab
 , rustPlatform
 }:
 rustPlatform.buildRustPackage rec {
  pname = "windowtolayer";
  version = "a5b89c3c";
  src = fetchFromGitLab {
    domain = "gitlab.freedesktop.org";
    owner = "mstoeckl";
    repo = pname;
    rev = "a5b89c3c047297fd574932860a6c89e9ea02ba5d";
    hash = "sha256-rssL2XkbTqUvJqfUFhzULeE4/VBzjeBC5iZWSJ8MJ+M=";
  };
  cargoHash = "sha256-XHmLsx9qdjlBz4xJFFiO24bR9CMw1o5368K+YMpMIBA=";
 }
--- a/secrets/britway/bgp-password-vultr.conf.age
+++ b/secrets/britway/bgp-password-vultr.conf.age
@@ -1,10 +1,10 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBJYzdr
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBrMXND
-b1d2aEtVd3lVb3NBamRwVFpTaTRjZFlCczk4MVIwQUoxWklwN0NrCmFFekpPYUlO
+Zm1ma0FoNE5lWTFNTGlyeUQzdUZxMkxyVlU0cWdrcTJEakhDVXg4ClkyczJDR1FL
-YlgvVlQ2WDR6amZDN0ZSY0Q3WWtTME5pUmhQeks1c3dGOVUKLT4gWDI1NTE5IHVK
+eXE3QWFTM0wyeDNvL1gvcmx6eGE4elNuZW9wRHhJZ3Aya2cKLT4gWDI1NTE5IDhO
-bUZvUVAvL0NmQzFkY3BuYm1wMjcwbFpLRUNpZjJCaW15SEVDUDV0REkKRXFMQ2d1
+S2JWNDhlclpERFFUTktyUG5HbnNxcVQvWmphOGp1cmNpK0NGZWVTejQKN0dybHl5
-NlFBejBvTlJrcUtCYWZxSDBkbmxIdExBNTU0aC8zRW5OVWllVQotPiBDLWdyZWFz
+eHhicFNpUHQ3WFZDQS90NG5VZW5zVm8rcUxCdkZkOFVqdVFzRQotPiBBLWdyZWFz
-ZSBkeC4oTFUgO0FtJG9+RyB2IF1QXGhxVwpJS213MXBRMWY1cXlHZwotLS0gRUF2
+ZSBaIDMiRCBYO1g6IF9EawpJZwotLS0geXhWb1FORm00RVJoMm4zQjhBT0hERyt3
-ZkswNlhvcDhTc2tybCs1dldwa2l6SDZZVmNkNUNjNGlkV1ZVa09pOAp88dxHGxVU
+ekM1YXNzdTgzUTVMeHNsNDUwbwqSjgIVhg9bqtIydYC1FCA4ly2gurTcb1SUCMG8
-vuFQO6JcroY9MF5Te/YV+wMc3hVxksibMnH1TWGh207prwcOWNOEz2iEkZY=
+XA9WAx1jv05xje+U97tRTTongJEW5vw=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/britway/cloudflare-credentials.conf.age
+++ b/secrets/britway/cloudflare-credentials.conf.age
@@ -1,15 +1,17 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBLVlg2
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBjQmZr
-ZUdtUlFUQXBLT3B5YmkycWJnMXJyKzltbyt6K2dJK1RBUm5ydWwwCmRUdjJFSEYz
+VDl4TVlzK0lCc0YwdFM3TEptU3Q3cWZ1d0FJQUI4Q1g1TVNyOENFCkU4NE5lYVhI
-Wnp4cGtzTXZwc0s0SUJQUjRlOUJlQUoyQ3BETXZmY0ppWG8KLT4gWDI1NTE5IGR5
+d3B0amFJT1A1RTRSaUdUSmZ1WmU1SkVhTU9sdFZJR0p6UXcKLT4gWDI1NTE5IG5O
-QUJzeG1DQTRLUmRwNnNSRUJRSFFtUDl5VjB0clVLYUp3R1g4TEVKaTgKb09tVlhF
+RG1SQnZtSUk0SThNYkRpOHFPS29kbjdUenZyYjBBSTJKdXNUaGpYMG8KME8waXJ0
-R0tmcmIxMHVHcG80RGxRTEhBcngvT3MrdnNPbmpCTlRyZW5xQQotPiA6RzEtZ3Jl
+NWR2NHoyUkN1UUJoaVRxYXVMZlNvTHZqRmYvS2h4QjZpZm5NZwotPiBPclJULlkt
-YXNlCldSUlN2ejB0MGpyUHYzNS9OQmJTK3MvcXRDakdBVlhuUEt6SFE4QmhnWVN0
+Z3JlYXNlIEVdKEBXIDUgXTBzIi58TwpweFJEcUFpR0x2WWhiVDlOTFArenhjNXBB
-V1JMOE1oaEp5QQotLS0gYW1OMTcxNWJrUndmR2h0ZmRDWk5CYnJjc29pSERUMnNk
+dVo2d1JQWEJyVHlTRnUzdUlFUE45RWlLU3ZRS0c4UWs5Nm1qVHorCko1RVdqOVdz
-d2VhTGdpOW4yUQrEeH2E9m0YycuW60QrdlRetO1kNU5FaKXRQt46iA9lACIWD4rC
+aVAwY09KOUx4WktIVFBQclFXdFJZMTNVWHNKcTZFbDU5Q0xLaExvNVdlZ0pTczUr
-Cx6WxhCBgz3hvm9x6iuYiiQxZzgJNK7qXcV2MBeQdivazeEbC7blAKVPhwD/dl+b
+SkVDTzhDUysKCi0tLSA2VGJMM2lrNkViaU0wcnArSG9PemJrQ3lrUFNnRDRVeE1p
-PzBDXRXG3c3jMjeZFT69fIBGJfZrrLGKpTALVE4dTVXmQmVVQDTp19IC+jUXHBti
+V3lxeG1iN3I4Ckf36lD/b7agsT0qW8eGDnxsVor8hEmLBSa35/eeAxqMd0xPvQko
-Pj6Dpc7452s8zPkzZyRbasO9b4PYTwq8IHT6X7ITwbzZZm8gexDYe2SzRZ5VcPz3
+REzIxPuEHRQM5dE4s4H/mySTC/AVsiwfcMrnOXInm4o3MNAC9PREcef4NBOP3IMl
-El+yoULZ92WbXPSQIP/Slx4BEZjmsQS+sm0N8AnBRNZkWVbHPF9IZRg3VjDAn2i8
+Mcoifar27EXs21XdXw/lLOVNDX7oDKZh1zXVX4lFTcRW0v8abbwchvuTiayKePMG
-F3un5js=
+DrcyFsj4jiwpJ5MmY/Q+n0lZmoAlAJkeTHRUptJxGMq+pWVEGMa8p1vUdrVwWq7G
 YYO5lPlms01BFJfUsysh07HY1HPkOyFHeEkviZtt4N8hopx0pP4fyAZYYdrBAIdt
 CLpQFQ==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/britway/oidc-secret.txt.age
+++ b/secrets/britway/oidc-secret.txt.age
@@ -1,13 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyAyMWox
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBETE9p
-cEFDWWUrVzJSM1o2azJqei9HV2xFY25oQXV5SzM3akxEaUJiN1J3CjkrQVhjWHY5
+VVVHeThGT3daNW1xZjBDblFwQWozQ2VSUmR3NlJVak12YXdWUDNNCitTWnBHd1Mv
-Uk01eGp5Q0RKNVREVXJVZytndTM0SXNZSGIvUVp1TnRiNXMKLT4gWDI1NTE5IFZn
+L2ViUWJvR0dtckpTQnRNMWZtazZHQ0tON0RhM0Z3cTlYVUUKLT4gWDI1NTE5IGhV
-WjAyR1RMajEyMnFSYnNGT2EyekROVWNoakFJQVZxaFc0YThOMHVyanMKWldrdlAv
+ZEFqcW9CcHUya0s5dmgxc1JqUWRicmpXTllIckxaWjhtYzMrOFp0R2MKNUcxVllk
-cVg0OTFHL2loeGJ3RHA0MnlnckN3czF4RUgyc1NjYXVOSXF5cwotPiBvTFQtZ3Jl
+WWJ2cEkzdXdiVFNDQVN2cUVNRnlMQ1BZWEx0QTI2M0FKSHE1ZwotPiBHaCJASk9u
-YXNlIDRsSDp6eikgT1ojIGEzOFZMIFc3MUZGCkttZ3ZLNGxucnlJc01kRXFZTGpC
+LWdyZWFzZSBsIFxuClVieGM0alFSdmttVjVsNDZIT2hjSTdWc1Z2VXRIUC9BbXNL
-eCsvRzl5WnFUMUIyTWNVWGk4SjQyN3V0bXQ4VzFuM1RjSzVMcDJkaW1JYXMKQkE4
+MXArcHI2eDM4QWwyeXhtMU41cEtLQ2tkVllJdjkKTjMvNENSNXd1UjV2bGQzbnJx
-YWI1Mmg3MkpjdVpVYWJkczJQMnM1SVMvNkZhOXBDVEZPCi0tLSB3SVIyU3M5RHBE
+U3RubVRxQXVSSzJXbG5uQmcKLS0tIFFIeEVhR29qY3FBaUlJd1M4K3FvdDNybHZB
-VFRtMFU4OUFLbkNjbkJmVmhlc2VsYzdsd0pFaFkrUmkwCs+h2KlXoyZ8U++A9wmV
+MmVMZGxyYUYxVDNydjZLbXMKiPpxBn4WtzaH2iTFfjayYgNFPa0Mi6tIH0LOqkAj
-kh4N2YyI/a84yPGDNoFdSlXaU8jxUzolnadImXSXyB4CroqQLvGEbkZZlWqPLVfh
+RyHNF/6vgWlmnivbhP+74dVaqR8IwUdFQN7S8/fx7eW/7qvtlg==
 Iav7Ja8=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/chatterbox/doublepuppet.yaml.age
+++ b/secrets/chatterbox/doublepuppet.yaml.age
@@ -0,0 +1,33 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBSS3E0
 YWsxbHZXQXo1R3BzL1BDdERxN3d2ek5acFZWK3F6andTeGVacVNVCnhPR3I4dXFV
 dFd0N2lsTU5NOCtsM3Z1YUdIaER4YjlrdkNXT1g4dGZXNFkKLT4gWDI1NTE5IDBQ
 cHBYSG04eHA1ZG9KN1Q5bFk0eXk0T0o4c2pLVUdNbEtWaDdwckdJVmcKd3lkZmVY
 cDc3dGdXSWViNGlMVW9jZENUWXd5MVNheStiVU1adG5MNEpnNAotPiBfJWZ0eWtP
 LWdyZWFzZSA/VGRDTT5kSCB4QH05QF96eyAtfUpxQ1ggZU5FQEhZbGMKa2xDUlMw
 Wml2QldxcS96YXVJT0hPVStqelhmUEd4K2R3ZDM4Uk83MXV6VlVoKzRiMWhxVlJx
 Ykg4ZTJ6SSswTQpTdjYzUkhMWjFwblhzRWV4bFZOVnRjRGMveDFaUTJWM3diK3lj
 MUE3dFlhUEVENAotLS0gd2lKQ05PRUF1b1RzZEs0ckY0eFlPaFFBNHRQZ01rZzBV
 SW01L0VzUUpYSQrJxWuL6pjjZs+hCS0f6DTNwW6HSD33bUwdBpyTCLeLMyDT646H
 4pjAhrVjVH1kgBFmuCjTP+SrD2bie/WhkQPSYrG7qygcmXbdNXlJn1tluEedDLzK
 djbOaSuohlgneGw9Z00Zkm8rz//2NSB89+WiWuT5/6Pm/d6763FteRI1LsPOyWx2
 vmTZMIcuclmrGn611T1kKR87R5AkaZ6xyhkOrOvWrb7BktmA69Kd9r5fXyxnLRZD
 W6vPm4EJLo0b1a4DWlnIvFTy5I6e2fFT9h2+rU1qITn5fwQD5aAYdL8W8ELIEJ98
 zYNxpbepHY5fBpHOGvOKM4AAO/R2pjaDaK7DRIFhSx/1RJLJvigXFd7YKl0WWn3w
 PGK/YxXnhtxnZngEPrnwf3JPj+zQ3RwKDx/v12s+KTbfQu6sGvw3MhDwYsFrRn+J
 T/jqlcZ/RodnxDngMnJCzc+YPkCJ/yAiot1DthVdpW0mWFiPsZvzN3co7t+6nopR
 WYnSjp5igjHbO/E3zXQ8qRlOvXSp6zspOIv9AETq49felAxXF7uz28lMnBeCReVq
 4hzBII+wDTR1Y/itKcOGm5mTdyvLF4qKRZFJFiJ3ATGZDEYh2dCrO2juaL4VczCl
 +qwt9gYF+pOgY4ekOtW6BpvOGZ591LHTMWoP52O0MnZADU8GHkh66AvMDemQGumj
 7qI6kI49Rwr5CoDMds5XlUBKlzeLgZLSo46FJghWOOQaiFiXWVQ+jYZpZPkgGjkU
 wDkrnbdglkdPO93bT2drkNbPWziHRkV505lGk1s4zCvsUPMH0D6KYkA6o/hCum4B
 IK8Sj215CmjQv5LYBwzHTNRusksXDu/+Ud5FpKCNw34aKblLIEPJNSk1BWLwyLzM
 oCNTiI490ZBh3vcnXpHZorS1Hxzb536SW03l0Z6q1Izn/vfzhZ7HbFY4qS9Qe+je
 Cvx+upRzt+mIQt8edbhrC1twfo/6whuvpT1HqGQDUr62+4zqVJ3lbccmXRX6uOAq
 sfK9if7qo0wkfWqa4RutO008ocVSKt0JjDOUpGHHP9Z95NRMyKJiOlv7dgVwWEid
 J8YMxexAgkmjByzwt1CBC7XizEHl09ZyjJrzN420NMRzaG3C6PY82cnKdbXNfEM2
 0dlN/xUTaOG1dAjdlgr2oMA5o0jFptr3hTFcoOQ/va1zkkNDHvfgjzri9HSID0bP
 kE0Akj6H9457cyo+xI+gD+2CtJW37TR/A7GLrzc+BDdDNZWtJz8t7oU0STL38h0d
 rfHgC8uFj7Ozh0nvsPbviwHCw6F+Z3lOT2qaFjzWKMuhnB8s3C//vmMFCfY2XglJ
 Tmcz+A==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/chatterbox/mautrix-instagram.env.age
+++ b/secrets/chatterbox/mautrix-instagram.env.age
@@ -0,0 +1,14 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBBTHhU
 TVdvcWhvb0c3NjlTT1JBWlRaRXBYSlFySFJhQVZHRUsxcTFVT1ZzCmVaZW1ucTRG
 MVN0VnZEWndlVS9iclNhRlB2dkZPT241dHRxcjBRc1BpVncKLT4gWDI1NTE5IGh1
 aitYSmVudUZPS0FHbUliUjFCWXJaTWI1RzRlK1Q0ZlpQNmRwN0haemcKaHhQS1JO
 UVYxYUU1OTR0dXJhTm1EMGdER0hYUXVRd2VmNURwTEdVV09tVQotPiAnbHAtZ3Jl
 YXNlIH0gLCJ9IDwhIEB2QW0lfSkKMUJLd21ubDVQdWJOR1VvCi0tLSB3N2dJV2o1
 WGF2TENYNE8vSzI2UzVPZW01RzRtK1VCaUVKemN1RzVhaGlvChPEVtylQsq+EWK4
 X6HxFl3JY+M9clfpicNlSqUjPcB3roEMpD9BmGcG46nVSZVDguVjPzwTltAGE72Q
 Q4RP8/yhssA2rrLEuWz+JKcaASF/yEmu9QBILrWBIWz0rQyHfTRvBC9d83MdHS5f
 DQl1abC7Lv8imVm0pJ9vthvB56mXlGgm16fnsd/UhgMQSWZuVLSitaoDEFCz/LWi
 QAUKYTRVL2UcomgHsQqMx+2g3HT0RYQu1Ud3M5rT9eMSSqPG7IzyjNA3HmH5dw/4
 EdnilIaW7c6k1RAYMFY270E6qlxqdQ==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/chatterbox/mautrix-messenger.env.age
+++ b/secrets/chatterbox/mautrix-messenger.env.age
@@ -0,0 +1,15 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USB1QUhX
 dTlNY3h2SElIMytCTGlmY2syMmlTL1VMeDFnanN2UE9QK3RvRlUwCkVMM3ZKMU52
 ZmIrZ1VxUDNWZm1lU2MrWnpkUzBLcDB5cUFCSXZmQ3RXR0UKLT4gWDI1NTE5IE5W
 cE5uSlpRd3dIRXEyRnpSZ0VHZ253OE1ZVTd1OTJQYkZVd1NRdnh2aE0KNTFTaHJM
 OE9tc0VkMHFHUGN2dFZVSGFBdTh5Tzk0TGU4SWwzYTBOb3FtdwotPiB9WnwtZ3Jl
 YXNlIHZVYHxaIEBSbmZ9XiAhfF52YCNwCld0K0RCTFlQamNLeitWM0kwUnVJdXFV
 QjNFcEYxWFBkVjJ3QlAwTGVvTE1GTkxCTEdDcmlZMC9xbUcrSHp2V3cKdzJLb011
 aEM3a0V4eXBTMjhnCi0tLSBOWHozZTRjRldrOXBmM05BZ1lPRDYwaDFCcHBPNHhQ
 SzlaWGM2RXY1THI4Cj4RzG3G1yGkmDyqxCBciqMNPAQYge4mXOib7mqOuyIbkT+k
 qrJ8fLnW7Jbnb7+Rzr7BAEC5/dpOfjkyY9JPeg0FRutlkKyPIhRMAEhSsNvUFzXg
 uwNbnSBI+9Str6nTKI5c9IWT5eT/8zsKwtK1/pr39mApRY/y6NlA5X7ZRIFeku3K
 6I/bCI5cT0qhIMJbF5D0KiCnMCnMdmRLrwLzM2zcJoisxRAvj4dNfLktsUQOauZ+
 Gta96qQkAewvrdfz8Z4lTYJQmEqeOs1vTA6sAMf4iLp5EhPE0jN0n6D8v7Lq7+2b
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/chatterbox/mautrix-whatsapp.env.age
+++ b/secrets/chatterbox/mautrix-whatsapp.env.age
@@ -0,0 +1,14 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBJbWVs
 bkt4a1RBaU14cjJzRm9KUGhydnZlWGU0NGVYK0NmWXRsclpjVUU0CmNiVDJTODFw
 TnloNW1LMUliVmlnUGt0SFFzWmxVTWxZQ3crNWVHVy9IL0EKLT4gWDI1NTE5IDcw
 TUQva3UxN3o1MXJ5QmVmQWVmeTFLejVwOVdQZks3a0dVQUJTdUdZdzgKajBFK2dX
 R1NNR3l5d010MnJGUktNWldwVjY2cDIwbU1laEMwOWJITEg0NAotPiBeLS1ncmVh
 c2UgJjhQIF0pcSB4Ci90SVhIZzRGVlcrd0hRCi0tLSBKdVgwZ0pidC93aEFscm9w
 Mm5GbEc3RDdZRDRpeTdONHpWN0xHYXkvVU5zCjjFfwumbetHbq8MKrBIx18YXmny
 z+0ifVbksJhYLYk7hViSUDy+F3RRad23dSPvDdd7JCEpj+2PvcezBLkwfUkFdQe7
 uQhUJJ9c62oKSX7PMbQeW1tyX10SVkt/P20z6HPXvBlY715lsXspjZERi+DheZk0
 ZDc3dPYMeyoAIWicf40ZxH8C6rWl5HOLIaTMbCOKwpD+wPjpzeZHat605YWReFxR
 Yd3cKCRqSb2QdAdtZ0XUDSPl7HVwkw0xobCsvtPzmObA3YbLopBq7Dvrvh7XW5ns
 BPlTaI8WnrI03CplGP00
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/chatterbox/nul.ie.signing.key.age
+++ b/secrets/chatterbox/nul.ie.signing.key.age
@@ -1,13 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USB2WFY2
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USAwa1k3
-MzFnVFYvb0wzc3grRDBrUi9teW1tNmx5dVBIRVc5OUdlcjdvTDJFCmpJL2tlYXND
+S3dka3ZjcVdIQ2hSN0xsb0hTNEhneXFYS3BXNWZDVlBNc2toQ25vCldqSlMrT0hB
-bVJKbzd2S3JkSFVMdG40MS84V0lPTVJSNHVBQlNXSkN1eTAKLT4gWDI1NTE5IFBM
+Rkg2aDZUYlY4U1E4Y2djMVdwT1VsbGdpUm12Z3gzditmMncKLT4gWDI1NTE5IG13
-ZGo3L2VlNUZqOEE1UHBuMHdqc1pyYlQ3R29ucE9pajU0bHMzamlXRDAKcG1Qdmw2
+YXF4WWdmNFRPR1JDWkk4OFZkSjdzRS9BbXVzSC9YNG5FRnpqUXJZVk0KV0tOSG9N
-cUlncDFWNXBOWnpIeDNZSFA3d1E1bjNaVVpKU3lMRjRaSHNtMAotPiB2XUh8eF4t
+c2VVWE10WkxUZXpqZjBZZUQyWE14TUFsdStMeWVlcFdJaTRVUQotPiBWaHxWdCYt
-Z3JlYXNlICUrO0cxIH4gaTRoIF81SEpTN0Q5CnpWdEZpb1hZa2t5YkE5RnJFMHVZ
+Z3JlYXNlIDYgdDsgcW97Ii5yIE95Clhqa3RVUmJENngwTDNoR3BCNjlaTkVYc2JR
-WkhkQ2o0eWtyOE9ueDJkeGd2aUhmLzRUUGs1aUc1NURIOTYxczZhOEVmT0EKd2xk
+ZWQwb2FOVy9sc2d5MmtkeUhkajJBOFE3TWJTOWViWVlJSTkxWQotLS0gN01aNGdm
-TXFHN051d25PQmtNUVZkVEFGUVliZjdmZDF3RWFkaEhNTzd3ZVd5N3dlNzQKLS0t
+VjR0ai96VzRqb3QzYU4yRzVCby8ycVhXVlpubVptam5mYldoOAoZnbsXB5we9BQ5
-IGZDR1Mxd24zOW05bitzQnN5WWVOOGtCNEc5aXIraEF4eXFUQm5CZUdCV2MKd44C
+AXQ08mXmMxRMg9iH7qgyCVc1ywR/uo5Fcefhuw23TyluRkYt7tZ9yiuFJIx5Znsr
-/Trgg0OEZ89/jqbj56z/Hia1Ka3ZsEv6bXPI/kcRvFDBFTgtvG3KWCgMBtTUHXzY
+QEqaBioL1UfePVyDLi8LcBvUgnnx5uN05hUvTOt6gqaE
 TKBPoQqrUf7plH7a/mTx3KR+4Y+yF+1i86s7TzYjD8d1xfFH3BsVtg==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/chatterbox/synapse.yaml.age
+++ b/secrets/chatterbox/synapse.yaml.age
@@ -1,30 +1,28 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBuQjBY
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBvdjZT
-K1ZTUzR0SmFoYUZLdzUzNUt2M1B4RFdPZzFkcW8rMWJLUjVHOUN3Cjd3ZHdMSzdp
+WWFyNzdXVENweXlVT1kxNElaUDFUSG1DSGMybTZlN3VKVDNNMGdBCklDRk9oaXdT
-OWswditVWUhYNjZCdjV6M1d6U3pNak5hUlZjTHNqSkZPSk0KLT4gWDI1NTE5IGNG
+MEhrR1VTcGE2NWwzdW9NQklwcGFsd1BWSXBpa1YzREdTUUUKLT4gWDI1NTE5IFN4
-ZytHazJQWTExMjNkZWV2aDUwcnZjUGcwcXRkZWl0M0F2R2JpUVlJekUKWTFlbkEz
+Nlg1OXFNMjVzbDlRME01WW5iMTZvU05hUTExNnB4MFpUQ1QreXFXbmMKb3BzamRT
-YlN6dkgrMmFFcmlZMjQ0b2oySjlEMC85cUF5QlA4NGF3blBKRQotPiA8M1hbWS1n
+OVM0TWZIdkJnYlByRjRQUXNtQWtXS1FXRVlFTkpSNHFVTWV3OAotPiBpQy1ncmVh
-cmVhc2UgOmlZJFYmJgo3UExzUHhSVi9lbVRjNW4xTnVaUTVGSGVDNzRUNlJ2TnVu
+c2UgJT9RYi1YewpadEZzVUpqc3F4U09zUQotLS0gWkg5ZWlxYUJGMUVDd2o0TTJT
-U0wrWU5kd3dyR2phcUNVUHJCYjdzeWhjNVFOV011CmZMOVN0WDk5eUg3ajhwbStQ
+OTk0WlJ2aE96Z3FGNmQrNEx6Z3N5UkRxbwrp1nF8mtgoTEYfQ/aE7KgzFOei1PVt
-aHExT0EwblpreTBXVHh6Zk1HRkhzcmFQNnoyVUlaeStMUkgKLS0tIG1aY3Zadko3
+cLAh3v7wo7C3lxhBOL0v8ToIAVgSoGP6cj9/4k7+9GngpOgot0IOdoXsThVdcg7w
-V3pDMGswSDZCeit4SVhSRCsrZVRVZVkvQkNsQWN1MXFMUGcKcK74YULWqWw9VvkI
+soDjArsSWDYn6Th0yZf+trSXfA24BKIS5qQnAMT2ivQQtO9Kqxko2Zj6+wZO4LEj
-NH38VHfDPW5ueSiyHHKn8MI9YosPr/TmkwgKd/DOIMVB74ahPalo1QUeg+eaBVnq
+DEr7cqRCWVFfvPLJurkfbCRjGlW2rKMlJotnLMYTE+Ot5SlSwVic5Nu3inGx1U/a
-Uncsbx5ecW3JswthkAhiktWHcdHmioGD6hCcgbWtfA3VvbAYc2gtAF2plfDVH6BD
+gKjCPfWw1h0Gus6PKXpSq8wGrGp+ov4ocpDmumbgh/E0D82JtBBPoWojxuGSFzrm
-c8veai3B15ZmDmq3b62sgVA9JUgbFaB1eRqcaPXmNgQJR4c8J+CZWXGQ/TKMqtAg
+UDKrgx7MObGbjwkj5Xd+SDdKytjNqV+9g8GdRYVGhIr3muLn2JJlKKw/eD4Now86
-chCDuczjLX8IxhMPF1gdCggSt5GtMhY47fpZJRbBUw01l8koqjm63KvEeg2ejFGU
+tPB3ms/E1N0HR/LoQ/Y65WeuHKgv55CZMWauC/1ECxVS/jDAXnQ2lAqFlzmU1ItQ
-+tXonI4jm2JUxlDTqmNSrVpmAgtPoEPszHc+GsnyNjAz4IXMm5UrQAZyDPgxtwQW
+4EefV7FRWxgMeMOIVKOCus03Js4yZp+5byjJ7+O3MRrOED9/M60B60zXhvPDtwb3
-ZAn0IdOB8rSL/AnRGUpPrecuauINQjONe8CapijjJPQK7g1AHscfxr+OJD1j2eV3
+D5sFtC0ZBZT1+d4pUnEnLzSjM8DTf9as1uoNSuzh6ASiSiepAhdKMNtS8xzo85bf
-O6TNlz8vKW4t/V7CUf46ykxxExhA0mKJ53ksaXy2+HWoro2+c4nao/bEld5gt08U
+Yw2WxiXQfSyN2xWWjSH/YQUXKZRBNATxB0FRMaa1TOFKo0dDYOAu83bY7wwAwSvZ
-uCpJtjPKB64X6vdzbY21/l87VRDyxbb3poENfrXlawqS0Z7i2gAbHN5EuiMv+35o
+zCZ1QepCCjiWe7ujd9HMPWDgnvd47c8teSYgjX0T4nCEk7EbNpUcrDXcz78ZKAlm
-sBaR0BfcbTn6VagC3i8HEEOO964FrW65pkqmGJcJMgUdcZSl+Y7gHMjWyodqGPOY
+VNuu8C5oi5Lk7972SBLj6yLpj27FDMagSvX30k1sMoHcKGiKnkSkdw56B+yHwLYL
-evT6xj4iyeM49vXynV2vrJRu5rr02hOS/8rPphV9c9q9ju5n8xbhS6IiybAelPwt
+Iic2mxklXggIYLo1gNq0tQskp/I0dFGUzAF1AblLw0b9Gqj/fHwHtkx/Q5n+NE82
-sa+xM+w0n+fxVksiXeFj7qD1LDN4+kwqhYP9SlzbA4fT3AkYYrxthTww4IFAweyQ
+jSVVRTI444cMlXKnyk2sVKKOWR60WXQWs/GdH5Oln42tmFT6yZk8OV7RopLPUXx2
-IJkpVL0/IZEIEfRzpr0lWLprAaoyPc64pecl0z/gBJDgz1kSG6iEh6K4qx7ahGde
+4jwwWvVOrAMhmTwJDbzUwEIm/nfay7wzJinjNod67u0muq79OP9k0pRB6u3mSYZ4
-kBBpS2I2ZsdBkvmQxDSM7tYYBzPxcUNZlSFOIeUy3Xl+OGPlKgtMofbnjV8AFqUf
+ZX3RhRoIYiYHCDrw0e8eWKjlhzaA7tI+diHdC62SR1cUbYbRrLiXrU+ZPjG2qDTI
-tOpgKpLUEkTgXbGUKBxHLj+8pbw7zOFp4sJ00i48ZzLP5D9jom+jS19wGshRc7cH
+eAI8/wUMSHNyXdBejLRZHy7l38LKzAG3SSWBtNuCpAiP/QWCFL4UyEMlQ3Fmmzp/
-dK92CctvrfndQ85yO0vqlyOdMTqjh/z3P2KmhL5SW6P51q5mseTvj7FNM7331DTs
+FDgNLldzhOMDK8eqGAgG+qVRaK+30SJc2/ydjilg2H/KxK8C4F7Q+ul3QV+p66KF
-rq7XWaBLE61eWWQ/dZKnqh5YbkSlU1+08Rl6H/vCU5hTC8fht3KTQSWPofkrP+5f
+D0h1JpWxSRhK5St01FdtFigSsA2QBg4kP87gGFmI/y05jbj/XjG7D3BQtBbRnKVG
-We/Pe62LyhV/MbLRA0nmU7Sf4IAnpHfa4kLtlYeB3xiqKd0McM//qzjuk5NoIgE4
+uQ==
 nL0T8YXdGt8K01w+nt+j5bo5gFoRz5+1/ZZ9BgN2DOo4SClYnJWQ/x80X061yJ33
 0SGv4eAC3vFi6xE=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/chatterbox/syncv3.env.age
+++ b/secrets/chatterbox/syncv3.env.age
@@ -1,16 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USA3MEFh
 YURySHY5RjVQa1c0QmMvTkZtZElNd1BIeDFpR1U1YXZ5dndnclUwClA2M0ZYMk90
 RmlCZHVISkxZQTZXeEhZVUROSVRGRVg4TmZKZytSL05FcTgKLT4gWDI1NTE5IFY2
 V2k3S0VQdGlQZ0hkU2ZoSWdOUG9rQ0p5Ukg3ZHU3MXVvNHlWYVN5VVUKcWtoWDJh
 LzRwcktWUGQ1bnJvRzVBVlpHU3NhdzYwUDBPTmx3MFNrdWNQYwotPiBKQil6Km0t
 Z3JlYXNlIFdlRTlUU2cgVlxLIzUgJlVyQiJ8Cng3NzF2b3d6MnlEdURQWHgrSFJv
 Y1BMUkZyelJSdDJvUUUwY1k5R3ZBMnJaa1R4NWxlUll2azNseW5MQlpvVWUKYUdN
 d1ZscXVxd1dxSGpzMjBYeWhhYyt5ZlNkSjhmV1ZTTDBTCi0tLSBBTG45VUJOSXZv
 N3lYNVlyZldMVkpZdUMvS21NdSswVmU3VThZK2M2eis4CjwfWWJVR9Ty5dBXEr5s
 U+QrifXvyMJJvqOKEfMYYomFLpt/VtbDAUwNlqLnFIk1VZ2xPUBisXPtReiCK3gq
 P+i6bUONSmPYvmF82VgiuKDuz/kmWqVGg2iSBPIXAGLNIEojndQwmhnrsN9ex4Xy
 lBHkvVsN8EamUJwZ+FEZe4+PjA5yEnANWpeTELOt2gA92/jwwnNIsr07eVTlkh8X
 UmQ2owGwktXP7it6//NV3C7sAdazs2bX65WSnog2E8WPNAorKWI8RCYs33CshVFt
 zzclZ4hRmlAmqMHYqFY=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/colony/borg-pass.txt.age
+++ b/secrets/colony/borg-pass.txt.age
@@ -1,11 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGo2N0ZYUSBoYlRq
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGo2N0ZYUSBmSkJo
-ckk2c21uMVZSR05SdlJpck5MT0FZeUpLTmpTRVN2WDkxWWxmVTBvCjlHZWtEQ2Jh
+UzFYMVBiNTRBbnliRHh1OXBpME05dUpyYjg1ZVY4WStxRXg4VTF3CkpGQ0Fia1Ew
-YUdybjJLWkNsZkxabTVIR0JnMno5YlMvVmhodDU1bktrSzgKLT4gWDI1NTE5IFZT
+RnBsLzNJZEZMaER0emt2TFVSWHBGcEo5MnYzVDlvOEFrUVkKLT4gWDI1NTE5IHh3
-Um9lWXhqRFFLTWdNaTR3Sm1acmY4N0l6WE1FSW54ZEtQcEE5RHBRRHcKcE5KYmp1
+UC80K1piWEdneVExSmQydHRqMFdTL1djd24wL2pDNFc3bjNxc3hZekkKTlI3Umh1
-WVdCVk0wMHZ2SCtUR0xKWU10N0xETXlXZmgxcmZZOFBXYWtBawotPiBlRm1gKGxU
+SmdBM0Ziak5GRm12K0pMckZ3UGZXZTNPMm5hZ3lTV0NFVlYwMAotPiBHLWdyZWFz
-LWdyZWFzZSAqXF8gOkU8Tm96IGA4IC1TCjY3NUgKLS0tIDhjaTNrbG1iQ05iTWRS
+ZSBddkFIRWdHIyBjOXwkT3MgJiBOcUkqRwp6VUMva2JWd0J5ZjBpemFFM2djTzNC
-UzIvNzA5TmVGS2ozZmYrYjlBY3J4Z1RRUGRNeWcKUTIEhWqr0fOODu86MDll7k3U
+RW5POHIzOUZFOG1zRElPMkZZZUxmbklpY1V2R3lqNUtOYnFlSUVMZXlrCnB6REdz
-ThgmS9nlcUY3fMgXzZLtpHIJ/4ZSI+miu8RmLMaeC61qv6xNThGdx+MvU4tMBWKA
+ZHFzbmRjMm5mM0RGU3NzeUl2bHBhTEx5MjhXRTJBLzJZRWgyUQotLS0gV1VlUkRD
-Hv3XGi2MYL1jdHh2KYg5PgdqchYuHrFuBPS7c/tQow==
+N1ZTZnMwTWN5SXEvQnJaK1NmcEUzMEJ6UVcvb2ptK3VYZU5zNAqgntLnLkQABERv
 HpNr21t8+KR56PZ8nQS8xALzw/FzdexGvlt4Pzx6o0daBeh4aZx4mgcyG641PsRc
 eDs4tJm8gmznr6y7B+WNC6WGrWPPIC3pHKU4g9PWzyEZcTEpL8Fp
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/colony/rsync.key.age
+++ b/secrets/colony/rsync.key.age
@@ -1,82 +1,80 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGo2N0ZYUSBZVkFh
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGo2N0ZYUSBtVUdX
-RDNNZCtySlNQTTZFbzJvZmF2TEZKVUM5VjFjQWNSeHlNc1JNZ2hNClVac2pEdWdw
+WWlWOU5Pck0zSWFETUhMZVI5bjNUUk9pc0dRVC83TEJIN0V6aHlBCjJvWkxSaGNq
-OVpOTmhWWklVRDA3UzZWWk9QVG1ySUFmTzRSVlFReVdFVFEKLT4gWDI1NTE5IDVD
+WmxJSEhFekRLSE56K0pDTkxNRlJhOGZTWC9RdEZ4ZGJQNkkKLT4gWDI1NTE5IHNy
-eWN2S29aWVNVTTdldXFxZG1vWUNYK2RrajI0OGNGaklzdFByTzlPUkUKTmsvdTE3
+S2lZdjFYM1M0dksvZlZ1NkFENkhLdHFRVm1rM3B2YmJ3REZEa3poUk0KSURPMW9F
-ZFBvalZsdENxR0VnV3FVSnFxTitBRlFWR1BzcjJWd1h0U3hpYwotPiAyOkUlJC1n
+T0pWVHh5MnBjNThRcE9WY0E0Z3JtMko4eDFiS1k4L2RBa2wxNAotPiBgWn4tZ3Jl
-cmVhc2UgIWFOMiogVDc8IFZETk9BSDVTIHEKQ01rc1ZoNXQxUDdtWGRQUlRCV3k1
+YXNlIFdRamBzSyBlP1wKSHpqbmFWZGpJbkhyRENTZlZtdFgKLS0tIENud0RDdjRt
-djNZeEtOaUl6Tkl5TDA1S2ZXWTFQZEFiV2pWMDJpZ2dkYXdBOGhSTVA2ego4UnBz
+bFhpbVhQbkxXZXJRSHpDZWovUEowUWJxaUkwNGN2aVU3ZVUKlXMwhyxmFiFHHHDQ
-ZGhXcklMd0NVWlhsc0Voem1wUzMyREViUllCRAotLS0gMU5GQjdJaVdlUFJGMG82
+FDtswK4HmApIhnW3TORhJyKIG6WBKFE1wDN5cDLppbjLdWAZecQbw0Qe8UQP50CM
-YnZCUm05ak9qcmVyUVJSS0tHaWRRTld3ZkNPMArRgojrBQvlyjMhChn8jgUNDysj
+iSZOYSSpS4J6jo2kFCIQELXjXMi7YhmkIa+Svz7kcr+vVROOikBdTr37ZOXp51Dy
-9Nh3BVqf44fiUNMKARTrFTz3wVMlioo6MmKRzJ/yj0fWkZ2h80X68Nq3rQvy+0UK
+O+Ygl8rPaDkTV1elWCgwX/Y5KM9wvS/OEVBSKyc5vz83i0lsHMTOgb0QxMrqiAUC
-4PNPRbwY5ib0nf7n3itFKjehrYr8HnOjreQps4it52bT5re2TWIC9ogZhNKBLRvB
+cmYk7crzAXmKU8VeKw97dA0ZOrzdEh80M9JVpc6k3ydliXUO1b3seKlocB5cAtnE
-qv14HjcF5bGnia8TgSU/8nUZJuIaLwHvS5sc9GOtmV4lDwiSTEJQEtGh716Jzuvs
+9OcsJV2byI0dOvRp9IZLHv3EsHw3sa5MFlw60KBHYZE1NoN2Uo5EqBc/Iz/4T2Do
-XxQLPEVVufAjZUKLp+jWUhXGkvUEeY5bxE2aOLuB8kLfHPC/5p2rl/n2sW3oEDFn
+zpQ5YwK8d2fK1tMU/FH/RWxkCXOjiShKsJXSiccHkzXskHU4uP1Y7s+KtFYxAttD
-Fw+XcNnCHWBzk3DlzKZFXwIaZL6Ocqrt+p8CBpWoNhbssuKyOtEbWQOmJxX3UPMt
+IusDOGuvKKpRuYMjRQYSm6ZHDAZc9yZsPqlKmhYg7IWlCd9lTk8p4mGoAe5b37f4
-sBFNdKSKFhoBQ4ukqkKDhgcm0i+8wG4eBbNIMIDwzPBxK0QiVriwlPQHl7RS2M/J
+JwACx8asE3lZjNLo+1cwdjhARG535qmOt4i+e0t0x5XoUkenWhbq3Nr2x9fkzt0I
-LgGeS7qrKC3SgmLu57CdUVUlnogJ4oOg7FPh6x+jQBIIv7gtYCzJb040TUZWZWvi
+4S0l5IxnxXXO9Flc7g0E+9HNZXTixG7UvhTcLH0BcK2C9CZq8WQmYdLXcbQBJdq9
-cfKWBBwLqLa+7Y6kEhcosLUgw2c9Et5P4rvNjU598q7qrZq7uK6Mr+PMwD3Pd66O
+yfLKzEBdbzPT0qjMw7hua0ceBwc6SF4gzkRVwhSw2kVERPhto15Flr0ybpDIF+tI
-SQyT4nYhhXBnaIsLXZfima2nRzPocaBmfsuXQwlnLJC8JB6yzqEViK0xYKfl0fIi
+irSwhTwi9BKJn8XpzgErS9K/Y5Zd7GENY3BdZNzHH37VXK/cEyjWXYmW4sAL0QzQ
-jxuYBw/8Y+MWQhIkF1pP8z+Kw51QdK4CIV33mlLBJnGjlizewsjj04EIgpzQ0+3I
+BA/wujUhOjHrdYKb3QdVZJnym6ErOqzrg5EJ6eXI6nFLWer+2xDRouaXJsQplcyy
-ZRyee/SzFmGBBk/pMGN0DizA8LS9yZ9DRGrc13rYVUTN6G5xT5AT1eEtFbQ6DH/n
+5Hr+L/K84/1+s+0ecNqm2XCjgCge/9dFM8Xvb+cBo/yOL5J8Nynv55WfUb3sjVel
-q13Tur4QJ8AqJmwv1cnX+faH61dXahfbinveXWqB5S95/HE3OGnZfAiS5bs1jW4U
+pTXH33APtzX4wdqsZ3KlB+OgjW9fc4vI+rWyT+Ia1ZxfP3Q6sgznspaIM1BHRW3S
-D3BLaBiFMYD+ccPedg5MLXRgEryVaOWlQ5wuXxqmaCG0KS6YLxl8o0bRR3lKXNZP
+ZKTsH1wkSQKmLMZSUCNzpCmKY2bvZMQY4i8VP0GKbEqGjItknCPp4KM15QTOWgap
-B7Ye0Px69aYtOs58dTOq0Peu039Fi5iNC0beocdKOjig4tZ6p41uz0jPGMUoDebZ
+08T3+WX1uBaHITZKIOIbKfAUd3QAoKvHQBRZalhA+0+Rlq3tu/cEcsgyMnKppCuM
-MYHax+a7Qpi5M6ZVGVpF1ieW2hqnm0lfb18cEYHuXjoI/YlgVhFPCGSzHJpuNiDU
+my41LOgtjtGi3IRnKYDsVnvu72KsbWzBBn0d/J2ZejwLoAECJN5OaLpIpWCCwody
-qJSfOuD8HUB2iXFeEgAi+V3EKTsyjlS+R1zWxkr2awqAk7Uf3svLGWZNINHNoJRe
+bHWkCYF8eymXncuTbtF0EcGeu+sl+YaATwkEHmPC0Dy6S49BCCfWMK512JE+7WfV
-CPPANHzTSHlNPSelQ1CyOhl0W/eMCEJuJ9/6kZsmUC3zvzxEMGofG+Ub9RRBW/+/
+pxI2VZ2ncr8te4ki4iZPIncx0uYGTt7Q5WoMoBlave5AemYKr7MgAK9sZx+3VP0V
-TkrVvMrQv7/Va/4dxMPCqrdOQ+3/LkVzGX7qg6tQR76Su0q7aqh38Ki9qWY47bTm
+CXcLzQ9GznWxj30U5cro578/3DbvTRrvgD9kifTQZPDhLliqgc0Eiee+2O3LMVuS
-lq5I2EcQApt/O1cGQJTFowdXVJXx/qQv436p/jL1mymQ8241iQ6XX3DUjbnqdI33
+GBjeyUcIjF2tQ7C6AeZ/qjNZTQK6/zIjd6jwVwO8UDoxLZV4w8rCNEdu7zMUMYYy
-4XcPa/B7naRkgSG1Z55Vv+IIBOzcjzUMzeQVP/WM3SFRNYT79mJnV0SsKvUFtUOM
+nhLbrdAcNgBnDT2XRT+JXXZZ2YJmJFczd7tHPpmP8mAPXiypu+VSc4M+a/A+dGyo
-1OxMGEx+ZxfNIZqdp+qo0+uIU00ciokldh4URo9u8EIHjFVcV3Eyb7EbbCxzDiU9
+K8r2p47L6dNbMnJG/lke9V3NbK+5Cqg07KNkBEbFq9e9i3RyEs4KSq9SqqRGKYKt
-iwoAAaJjwBlyaRQFWYsKhY2J3NEay142WAyAiHmnNBNhZM9TKkCpjton4ehxeRUC
+uQ7wRu0u3O7vMsw8gagpSRXeVaEtxJTq2eA6eJWCj6l6ceZ+/nlNPMXudvbD1JlD
-hoXpzh4J2lMhdcmXXZ675C3MYiLDpajgLS1dwRp+mAUXwjvQG5rmJd7UWdgpbdpJ
+rt397ucz5ih5NpRFzTWG4iT91hXvZO5yhctCxBlmhLgsfoz9TK90fnmkeWMr/i76
-K6wABNkl601XgKv3/nV9touE0KQjHg1fzo9vzmf8zVEViTgXxH3NECZHctObwgoo
+cU+F+v1wYwiZ275occmyR3LxFBT2d8Isz4BbC/yFJ+afTMbAGM+WbUHeYSA/Pq7A
-SlbUOW8vihCi2HU9G3tqH7dwkUsgB2a22JFovgwwW8ePKJQpdvwAV/jyFMLL6jyj
+YgEhFSLULlM3ChmHm1otOMyyv6bbos5SvtegUtHewWZSx54ETN80kW9bsUBZgY9w
-6Tf0Gsc/Iut6Mh5TYiTWJdCzvEBjcybOVnppj2zR32/A/vAXUrJQaq0kwKkCwG+e
+XIOG3vW6dFVjpJpAGwcDG2XJpKs31F4eLnX0zq1PJXdp1UYo0H98U/CdP7OCfdT/
-TL0hAQuA2Su27qTR9Xy2QKpQ5NppRH7V9YxCpjGfcLbcCh7XH7AEZaYfrrX8NoP5
+AY6eKzdhEMTxEaWAfZvTdbX8p9shoVu1K5TEjQNTHTsIKoVnLbpjq5/iAwn30GIQ
-zPalFA+7E1IuDRtT29wFNRVb3lAet9t5q0LUHf3x+Qk23dQ7Mdq2JIf9RIo5xZ6X
+dQVBDsU2wTTsdi3HZKEqwbGW/iwqZEhfeTgIv0P5VgcnUa5uQvApxud0y+qf4M1A
-nsKa9eBQ0O5OAv1VGWVvbrVCMpmyiklYV2rcIT+dbrhrgiTu/BvODSvtmeANIkhC
+t6IOfzM7toUNsUGL/PQD7LcpJLwdKjFKPrQl4GyIplQCB1+bIU6JyE9Rr6hfeOTG
-uF112/+QW1UNPCENioYq9OWPcEwby+s9JkQf5nTub2o/0lTFKJxNgXa1QBcKKVyC
+pbbX1J7dfM/LN4yfdAdod+xTS5VU/4htKOzviZoVfHHoi5s6BuxT57BSseucJbX6
-9aTCRhcxXsfuR7YzbCXRcK2hUW203iS8+UgAfZBVe5GhskOd0ZR0WSkse+jGzPqI
+4wEUBk9wEzTrGRZSrUI9DHkmMTxJ3qORtt2P0ht9GVCFbtAg/Mgg3v1BGlQTTgtw
-tnH5F0yQgLn9emebpL6dNFUVvssjpiMlvkijXFJv1tWSKLb3TxJd2BE/w5Zj7Haz
+y6/iBgWxTO5OqiBW4EXQCFyfh85vPegvutX4o2oXU7Mz5QRITYDaObxMhyL32rBC
-iv7Wz6o5+bY4v2YL2Ev7hGzfSaef+ip7/BYZ9TGuzSoZEHMYa7dNT8kRR18IhfXv
+wkEf0euFCKabLeutQm6bh0W15IAW/a2SO2knXJmWuP9GRxfFqzF76ZmHWE+cswal
-Y3wa2xlOhB+WE3AjtYy1oTi2c6Vmd9UKASZy/Eb++j1MSPtxZQLNaj+svCmqqfvO
+/FXJ9BA/IEkbJr+kX87+RhgH5RgsmsFsDXY/jwgUoW4gZR78yB8bq/uQubIMhhAM
-/gElVfGlgkomYwc2EfJvR1lt9u9YGepxKrafPsgvjR6bYPwLF7eHKkKyEiqGCYnW
+HLDtYIaOT1Hwrf1v6IGDeFR31zrWudt3kHH6uZBAH77Y2O6C+TuN9a0IhHwLec2S
-mcNJz/B0egxhFjoGd0U17tNuZcYRD/Tsj9ugGF+4/q+IaEV2YzZTdGzupI3lW17o
+4AIVTZEm6ZT5o7xQTVzjaxLWAdXtENrW8rArf6TH+JIruznbaeuYT6aeY4KlWlYu
-Q4H+EksxkWYDr0WRlYKn7VT1gTThuggEz77JskjNP4jK29EOIEO9IqGMh39tXsud
+rVH/s1wBTWwhecdt9EHauLftK51Uy3GrZhQ1RTvb/DB/cbXM3yz7MbSsu7uqayiG
-mhL2Z6XMX6sgxSjSkYxLpFnS1mRZ6uQnSptxHTfnG6jYhq//MTjGX7xmYBj5EoTC
+g4+0at+1nk+4sFiM505FVtBVb6qL6HQIr+g65WcAnTUGj+DgYUBAmh38uu3jJbhd
-duHuaCqjRXc3yHWoNm8jepkpbe1PPbwEbL6RDK16G3g0WVREjZopj+66C2xlY8Bq
+TMq/LqoPVyXy1CizKPIcLXTEec7Bh6HwXkn5LMU1HPdrjk9OSwzS4HgcOVR6Blhj
-ZCmHhud22QHs+5r1LLSIynsUlGIOvq30DZ0F2/f9Gm7uayIYbp8gA4z7M7RjmHoZ
+fmoDMwuVkzyD0jJ1vRF+uH2krZu3NbBNA4W90XIpZy2FtyFePaTRJQuiZGXx9eGV
-+XHYSPc4kH4a3T9MucQQGzJMl1k/bifBAWLbu9uPcDUe7Cglfz0wHnPemOu8HZXY
+AlUv8e6SV47vctqRZA2pKSPrmYLOgeHTcB3YehiOghyXnVfC4vBCoaujK6ToQ8aP
-6qS1n6PAHyyGlqX/pNWxR2vQrHJRksdTCvjl4g6256PhaMDop3QAHuQj9meYKIqP
+i4R7Q/9g8xC6oZBtaBMoiVAkL6flDXanYcMQak5x/nPQvyyld+3gSqVVkta0uYg9
-MiZexiuOW3KjPJ30Gx1Q7PnUc+w3SjjsKaZEvRgeWKa37rvj1ICTnBQUPq2HV6y8
+1V54EEiB0TgviF7Gt+7/+UXXEx1dGygRzIV0LdX9dza9VarQmrN5JNhqPePzHiex
-zaGnJcfd0ENAmFnRaCIbdU6TRonnIAAuSfE2gtLni/PJbmUpznuq82W//kxvH1tR
+k5ITcrEWbRc59BTH54s3nYRmqH6V43g4IRmu8VKRZ1QQdl59TWkwZ9gjrw1qZObM
-oPx6LuM2+hRncMoyXUTWSUVO1DAUPXgZA+j7fkkwmosi14d/5xe3wO4U3dGZ6wAY
+5m9mSeHGd4Hs0h4kpzrhiq+p16q78SAifEIK8D/MKPisL+co3A2nkHPBlhKV3M4V
-D+zlzhq4d/4vIvLIL0NoBcp8yM+xWxPTtvj7HUJ7BOVV06ICnilUlv2wjR+dZLZK
+Md23894sXGjMUJUq7lIrfChBdolwLvOqOQmLkWasn+QQ2bSixc1C+AxypTbQNgTD
-DyjWhMoqk8r2TDZbAQr8MNX+sSlp1JxQEgBijpqBvRdF/ulqraF/GFDFRLcEi7D+
+I548k4nDAgvMsd6uyftUR0rjIe85N/xbgD4uEXUx9J/u8C49AprGoMdqe6q4GdTv
-AkHPg4TrmaNB5ixsj72j0xruFJxgQJGj8fwQtemJGu8QcuJbCvJ74TI3vu0Pac/C
+lwyKsZSPwUV989d6g2C0J8ptt0+5lB9f7H15Da/BemKUeccUZGAjVe55J6hXYkJD
-MRov1TAVJB7+iVvVNEgCMlzimJCSCUYh1Zgk5Ci2CDFMFRAEcGoHywIW6v5V8j5o
+xUbYq4yEL+6BcaIo/D7jRSJSXY2xbUgkise/99fH/rdOHZQDamvI+yh2yYXVbsGR
-v30mJKZCVFc4Yibivjj1aGhQVO72vgiog4L++i7CeXHIu6Fe1Jmlve5iuxrQA2aM
+bpd2qtc1OGGA3LRQjz68TS3LBq1iXcQXe+/B3ANus/d/YUGm/pjAb56k3+4z6b9U
-9vjCbFJIi8k5vQTVcKPRcsto7/qbyxvWvahKBBbHl53XnSb0WtLUyTEaXJ+0l5gy
+HsXKdEjZ+XCkjmlvlTuCGl0TL8TLn3kOcxJyrTG9MuJ6p55i+QM44ef1Dc2hrnt+
-Epxfl6ZRNkt+YBYBqCZL9aK6TNpCR+zTC7OhrKcZntqFYCeRB25YEfc1z0lTH4SE
+qVPQLxMQMQ++JOJvW0U4YYoA4eP+HggIx3rZ93Im8tnj07/bCtLkFfNvo0O42Opx
-TPymGSMOeUX8YEIr+XNYG0H/I7ZtEdNGBEXaUrC4YUNrvojpq3PS9bhfLhAf5D11
+Kxf8W3d67NyNkA1l3XL58m9/VdfBPjc44wwdMKBy6A4VhNmxvf7Z6A45sihmUAGy
-wmI2tS9cqxAuS2zkaBr9Qo5xNEVsyGNFd1K0q0JJosiMnVZDzOA4wJTYhOw5gwcW
+nCLO0dG9tIM8njEhaXJBcT3YHQKO2xxaHXWmvR5VssOhP4Ewnup2xJioiP3FweYJ
-T1Kh/LDvK4RE0CV0jRqN81YO8V6Jq+/c2kgtwTLzrx1GCcdHRsY2kPhCEWOTLKb8
+N4Yv3eVGHLYeDH77Yqq4R9q0He1R2iCwAzFlxOahtX03CANh+vUaKhruw7jNY+L2
-Jn5nyyvOOjMIkAEYYqoRRxl05UbNWNS9SuO2g9HF6JpNJmw0cmzT8erIIjVvaUs5
+WbrnNPYkjeiU/hFeVSBVgTeVkSQJPiQFK37E9NUo4T6dibGh9VT/5TEoskeUVmfU
-dd0Bd5EgkkLq3RMPNTiidQCyIy8QtoElmxYfM11mbf+JMgxsB3sDcRGN4lauUhho
+W17FzFwjBGQXaZzvChJFbKPbIE/j6ve7RrjdOBk6IBgi1LTib/rTOcGZbDhOTvIm
-JlayuFUfrQEwtHFwyULiJwUC55faVqOQzyvcQ8C9AJezDXS7//ku1kvEgbzK0nFm
+G+1ze435mQVoBK/1MRgpfE4cpssF2TTEeJqs6PfYbqpx/o7cwZG/At3Jra+nKNhq
-3bCCiuog7pG9XlldSReYvlJtnqTmp6E5+m9YaP+yB2E+swKBORHkbCfBu1CuX6R+
+WZs6TjIvNGvO7NUUZmfj2QPktLBRKADjym3YqJy4kGUQAZey5yeDWonMhEV9llAK
-aryBYIDeLaIiJs5GWJN//37TT0hVUCipY9QISfTiZ5tIy0aNKRu9syjWphcoTJuv
+LUC40BK6XY7ySw5vTmmGR6nnWo1ltT+71XDj3nZtfGF3TTCkNxZKlsX5HBhfXB/E
-YBaRxKNdZs81ppFTa3sXB824+QXwzRJJPjBndXOtyX/a2U68NK3dqau/A5190VAn
+8PNg6Ova5jyH+IO9Lu7JLqYTh6St6NfVflD7i8ENFLf6X1CiJh6rRseb3TmM2ve
-bn7jnJ68rhcL9ewwydQRm72qwyxBbRHFXnEXpkJhzYRw6fosglqbOJMxFiy36HWD
+aj+LypLV8FJ1N7OklFseZy+gqZ7AYCknoOK3z20zL3KMilw7TwTwwfGe41qIhAHu
-RkVluvTInw8Em/DhhWgn+UrxLlQN6JnVdpkT9hwrlFWooiM56UKAPO2a1FM2XKXe
+LLa7dA0EB58T8isNdBp36H2+oQENGHAIi0kxF0HlE1x9NUoFXvoUhyVEGjEj2zcy
-TqsolY07uWnA+ouiljqIpsaFlVDBcz/sGZWqy4aKKPBTcZlreW88PMsS0c9nixVi
+Rqjb5iSCyELMRJ7qiKyD0e8auH2bQQeHoMmJlCk2E7BXTUUY67eJnNXNrD7ZQg/k
-nKnmI00HuzeL85zVHGo0IKYfktVVjuZNPzJ6+w18XpKIi8TxHpxELC9M2kVOCnuy
+Yt7OAinFP24nKn4SY2Bwm35JE60iHZ3USoYnrD4twPBbig62fUSYUqqDoNYc5L2g
-uwuntJlRty+GpXVvx2VLi1wBKyLpXUxhyg1tSi2sZyjIdVt4yEOKfajZYOp73JZx
+AtR5C2SbDOsEG7qbehziw8NLp7zbf/FAashRULc5GLTcFoC2YJHEawhb/lWjo1Az
-IcInD7Cby9olkMsa25YhloljY8YELfW8EWutF13m8tsjGP9c6aOuMIXhrrpwLgYy
+nLqXfTB7jXHVbqgjpghJ5vO7PZ+FGg8ylTdUC4aQ/lUWuSeJnjkHDkHFFIfNC4S5
-E27iFh9tHq0mjCMibwQnHld7Ccd4OqO4AKfPofHDxWoY9+ivArOBAXjsCxhxWWWp
+NYRpQIAYMdDRAP80tdAHeOG5BC1OoA51jBKqBi843tCxu8RUQxDlB5/3AYKB5ndC
-aLqLJz+JH+idcsVDlw8jJzFW6pQFbM3VxXObvCg9ou5+P+Pc5XYyALJzIlmoOrN+
+S3Pp6kYXW8wcFAFRluM+LCFzO9VFnZ8BEh5nDX4=
 ns5Z+U/2XKGyySQASUyFXUNml6csSrTd+ejz1QvEX9POU1nLmvS1+aojgnptgdpn
 sAtksQHMt1Njo1oRug3+/0iC6XWEig==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/dhparams.pem.age
+++ b/secrets/dhparams.pem.age
@@ -1,35 +1,33 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyB3QTU1
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBqaFcw
-TEdvbFNaUmE4U1lCNzI1dlloVDBTNXdURjZ2akRMV0R6dm5ST0FNCk9YclRSakhT
+aURxK3cvaktEVkJIQ2dOOEtqbVVGRDN0SXpXdGI3NzhQV3FmaEJrCmVtclBDY2Zr
-NlV2UVJwak9Fa3dQNTNBK0xKWGlkNXdwZTBEMm4xZzc3azQKLT4gc3NoLWVkMjU1
+cVMvUld4dDNybnJ4bHZOODFpNGpJVXdRaDJKY1ZxMy8yMjQKLT4gc3NoLWVkMjU1
-MTkgakk4UkFnIGNBMHNrdG84cUQxd1lqQmJIczlScU1jNk52Y3BtR2tXeDNWdWRX
+MTkgakk4UkFnIEtDRTNkdi9VdGFnNkQvdE1UdHQyRmJXR1RtR21HTXMwa2hiK2xM
-cEFCR0UKVU5vem5MZUFPbGhoQzJTYnF4OTd3OW9jYTRkazdocVJkZ0pRRGNLek93
+Ym9xa2sKYTFVQmVCNmJId2pPQk4wd3g4N3pOc1lHcjg3YlBEa0FsQlVsb0RKRjYw
-cwotPiBzc2gtZWQyNTUxOSBnU3hQMFEgQ2RUaEUyV1ZGbGRtZnlIUEtTQXk5MUZF
+RQotPiBzc2gtZWQyNTUxOSBnU3hQMFEgOVM3K2NwalE0Vk1rbWdSL2srbXg2bkF2
-djYxZ0hBUThlV2tXTHNvdXpVSQpMdiswMy9QNUtCb1hkbGRqR0Nia3FXTzE1ajZL
+MTduekNpMFA1QkFBNHJidERpYwpCbWQreWk4cTllUnluWHZaMXZWREpqZnlwL1Ex
-UXljSTZqM2YvbzVuWUFzCi0+IHNzaC1lZDI1NTE5IFZGY3c1ZyBYL1NrRjRaRnFn
+R3k0cWhHSGg2SkJPSkNZCi0+IHNzaC1lZDI1NTE5IFZGY3c1ZyBwdS9CeklwWmpt
-RlNLdWJ3cThteDM3WmNaY210d3RmZzhCYmNpVXBwVGlVCjBkM0IzZC9zNjhmTTZV
+TkxWYnhTTjVxNVREOFBqQXhRWHlza3FLY202K0wxM1RNCi93YVFOTGJGNmYzZzhF
-R25ySkVoQWxQQ252WWFlWWZFMlc5dWtUN3VvVTgKLT4gWDI1NTE5IE8yUU1pWGFr
+WkpFMDd6V1JIcjR6ZXcwUys5UkE1ejdFOW91MWMKLT4gWDI1NTE5IEk0aGh0c09n
-NzUvZVpwalB6aklkWmJGWUQzTnJiRjNzdzY2MUp6MkY5M1UKR1VIWDVyTFpxem5F
+T3B0ZkNSc3NTa2doUGs2c0NKTTVMOENPRjJ6KzlodnBxR1EKUnB6azR1V3NHUnRR
-TmRNWE9zZStLanRTdlU5d0NOSEJKdWhDUjBCdy9vOAotPiBTJCd2NyFYey1ncmVh
+WmNrWHArZ2dmMUdEaGovYUdndDVNNlB2UW5VaVdnOAotPiAsLWdyZWFzZSAlUSA1
-c2UgfE4mYSBXfms0TC5FPiBiYmx8IGRFV35mciNoCjVZdHRiVUtMMWxEMlJ4b1F1
+WX0gJwpCMG1tNjBPMVJRMGRlQ25KLzJsblFzZkN2LzNDOGcwWEdSSXlBUjNwCi0t
-TGgxY01XTlZpTEtndkg0T0hRVjlqVUJGMUpSaE5tVlZWR3VGenpkUXY2eXJtbmkK
+LSAyY2hHNFNmWFBQWEsvb2hxTUxVUXdKL2p3ZkZWSHRDdFlkREJyaWJrVDg0Cis5
-ZCtqRVN4dnZENXdoYkpjNHRWYXkvN2laY1p4YjV0WQotLS0gOHlEVTVOSmlNemNQ
+gfdBAb92J5/DuoXUt8OirgM7bXucabAp8/U5Az0nmRkGawpSZidB9ecPYHfcdUGp
-TW5ISk1DeDlEM1RoQ2JtUFlyTXRKQjdnT0hiend2VQqrUFvr+76sKn0ldBmZMlEW
+VIv8roO6P0RbbfYXh3szT1YmEMyOXMHFM0+Yunq3u1ca1EHCZDV6Feb+i+lXIBJU
-U2k85DLo2KU+/+GtbkZwVXxxIZHMLpoJgghHk9ptdalUgLGcl0X15x9jVaw8aeta
+GST4oupwMET+ChVT1/yg7A9o4FY68+FgLjGwE1qeHN8gQr6aMz6/yml/z1WzBEXW
-hbeOHotRHY7bC3z0S74riTk3xDMR1eT0QGhDMWHjfo8SkCftOYBlFfhTftevdep3
+XEv5fVxGj39eBiq08Z/kCgt5zVDod8RxEq3S3kt1KX5JD+mpGYn2z5CMGhn7fclM
-pKMZsuQMwH9JzxgUfcxIcWE975cZzrEJ85nfWMGvdSjcg51KNxP/UUPRxDlcbCEf
+mj37LaVbcKfyVnwRlLPoN19NeqR+ltM3mu6ibjC7cOQ0E1D/zjQMIxtzNzmZRFgB
-9XX5apSzNsTI3ibGD1n6Qwq8bdVYDMHmy5pAhw4l8L+SdoU1tGdw7JOA16sMCJbx
+l/BEOsX25Zv5vJgLZBU9rMfybNVAjDroG5V1cCVDRR76TP6HVJIXSriyOW5xSFCy
-T4bV0ky/PGRonjJuCyDBj8oe9vMe1ZI1O/ITtktekS+wocxBs6QXlY7pIZMlGUn2
+Li/VyhWaUXRboGq0Nt4vXWuOTlU/tenlBnBc+d48x35VCExi9IEFpIHj1fUwM/0V
-6m59ZEEaf7R4/MdnmBDNDkQuyXaKc7SaTc6h5sKWzXdYScGUKvgUQ7U/WJ2ItUTC
+dgOfY2WRH9C2cObUc6W51FIARkp777uPXRbT4ZXRDjV18vb18CmwLQQwYupQYnZk
-N/Xq07GkZZMt5MYBlyEr+/mKWlcy+ylJPGb7EswvQWaHoeM1QF0XLZ1v+W/Xsso0
+c0hZHvoxDwg5QirWxPhuO3bWDqIvHiKy1LYgRrlvr4Wpcb1l0lAYSGX2r1+QVj8z
-seIoz+geSu9a02kwfsa8WvWXdIAT5X2pNGPClVNzjQ23pfQfQuW8ZQrGmIFR4g5A
+tA+zJcUaPkjUSpaqF4LNVWXrTWEN330gQrVk1knWqPl+hFPoyFEHP50PNYr3yxS0
-58T1K+vGLdShqqVGyJFMVrSuOzqX5FVmZalu7/++1IQfiRGUlrHKoPlKWnCfFEOu
+VxbSpg46cXyxi89ghwlXBqI4LRtWlheUoIOuNyLxvXZECwCI2kmt+XBFph5lbG7F
-AYjaPeEFX2ByxcqfMK1YVPvUufdISUQeaQOO7mXGE3FqB0oUqmRIUiWZATwhq3Pw
+UQaH+ve+trb3oYkkG8ZprCljUC7HvSyt31UIRF3l4sLsULQKHqWwVD/2M4B0N5wQ
-p5QdcySTnmMpD/w05hvwski77kCdmYuHlMlLZez/kfhTnIGXris+Vwi/V19bsZ8G
+IzIJkiuWBBE8IX/tI5vUlGx+QWSxmKdHD2mMb/GeMsbo7lOY51cWe8oxe9WcYPhB
-zwaZ/Xr6WNC+df5JqSfTGREnXZPFRDkaTt3ri5/eEm6BqliuYjGbuiKsDECi4+JX
+m4h1xPm4FLo0vHCnWIkXy2o8JYr6fmpjzslC++wYMEbIH3gRBKUVjgUGHywVIXSa
-bHpH6LBBoKQ6ms7jCAn0Ls4cUKF37PcjGAOuWnzCSBU+REht1EDfHzx4C7hNiP8X
+uwzRULUiD8uXFNT3cZ+YDnAvZkuYz528DBKjd5jNen4akah35wQ+oYoGuIhUKkGL
-87NjEqJbwE9lORho0hQJRTn8uriQcidlVoB3se2SYKbMy8UA4NNnxN9PTj0TuQjL
+K59+hTyctWyEGi+fCl1gah2JJ6aF1CXK69ON11YkCEVCI1SK1o1no/0NZj2XtepU
-OD3LtqHBElqNPbGNyyEAAJmMBmmkUvPPXlGQ0D99b1+jIdHzYSRtOLshBFykqWYQ
+MgXln0Pz+pOTZzcjCWhYTO/dNl+Xj6EeeSjjWHqDYg==
 LJD61duhGqcQqcLx4+JdQ+oVcfAI2nG7YINnHB0OmS2DOZvvwqQ7ASScSujUWIjA
 LNQxu3ruMz+bw/G0tYZBBiE=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/estuary/kelder-wg.key.age
+++ b/secrets/estuary/kelder-wg.key.age
@@ -1,11 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBEcDNm
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBvL0hp
-ajc3a0gwYmVSdkowak1aakJ3VWZ1Rk50S1JIS0ExVktVSW9OVWljCjJqbUEySlNK
+WUs1VWxPVlpydU01cjd3Qk9qd3hvWVdvK1VMaUZNT1YzQ1BjdWhvCmJlSDRDSFBj
-a0xyT3NPK1BBMjZzN0RrLzhwVitvS0pzQ25iSnJSc3FmM0EKLT4gWDI1NTE5IHk0
+ZGVmVGV3Vmp5YitGbm50aU56VDZCc1hTdjJmSGhEa2dvZWcKLT4gWDI1NTE5IEsy
-M2pkWHgyMHR1WHc5bE4xWTFDTndKdkhRdTg5bzZIWEU2cm02UDZBQjgKUUY3dS9p
+RHVVT1F5d0kxN2VBMG56NnJWYTlEeFFXaHg2VnNqdlJKTHhoR052akEKZjNObUtk
-U3h1L1ZvTkFPdURLZ2tSYXJXOGNZZ21KVGdIbXdhSUJrd2puYwotPiAoL0RtO0lH
+RCt4Q2l2R055TnJCSDBrY1lWaUZibk5iUDhnMlhvZkxRRkhpOAotPiB2LWdyZWFz
-OS1ncmVhc2UKVGthN0ZSU0ZFTTg5YW9UOXMwa3RnSzFlMjE2VTN3Ci0tLSBwMEMx
+ZSBMdUErIHQpI01mVENmICFrK2dRdjBbIFU5UyI+KjQjCitmdU4ySDhJMDRlbklD
-Q0tQckd3SzBwUUE4SndMV01kUjVrOTdDWmxlcWs2Zy9TZk5yMzhvCrBXyLBZGuSD
+aUcvREFqdVNtb1lFZWwxZWo5VXdNUGZQWGt6SVRKaUI4cTcrWEx3NThWZ3VORkor
-dJodNI13obTM3UvX6hSgQ8Su+J3fOKr5NibkhQ0Auvlr2tUXhhDm2WOUlHjqVTq+
+cy8KbG9EaGV1dGVDQQotLS0gQlFJdWpudnkrcmQvbEhpOUM5Y3RCWWRGMEQ2TUV5
-jWLSyhioDlIEyBgk8Zrl7KGeDzBi
+eTBFSnBkd0xnYjUrUQrxdaCf14h8hqRfdnMorggnbuCDMRHY7nAnGQ1ET4CBlCog
 /Rp52aNZHfLh+BFFZazenI7qrvVvEaaB2ZVKa0Z/F8adsGHSGSwz+saqWw==
 -----END AGE ENCRYPTED FILE-----
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXRXkYnBf2opIjN+bXE7HmhUpa4hyXJUGmBT+MRccT4 harmonia`
		`@@ -0,0 +1 @@`
							`object-ctr.ams1.int.nul.ie ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8`