chore: bump and reconfigure treefmt-nix, include just fmt

2025-02-14 16:46:28 +01:00 · 2025-02-14 16:46:28 +01:00 · c0daa9e6e9
commit c0daa9e6e9
parent e658e27576
13 changed files with 419 additions and 407 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -11,11 +11,10 @@
        "ignored": ["unused_binding", "unused_with"]
      },
      "formatting": {
-        "command": ["treefmt-nix", "--stdin", ".nil.nix"]
+        "command": ["treefmt", "--stdin", ".nil.nix"]
      }
    }
  },
-  "[nix]": {
+  "treefmt.command": "treefmt",
-    "editor.defaultFormatter": "jnoortheen.nix-ide"
+  "treefmt.config": ""
  }
 }
--- a/432
+++ b/432
@ -2,316 +2,316 @@
 # 	echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"
 _usage:
-	just -l
+    just -l
 # Re-render the default versions
 update-default-versions:
-	nix flake update
+    nix flake update
 _get_nix_path versionsPath:
-	echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath  {{versionsPath}})
+    echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath  {{ versionsPath }})
 _device recipe dir +moreargs="":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -ex
+    set -ex
-	unset NIX_PATH
+    unset NIX_PATH
-	source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix)
+    source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix)
-	$(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}})
+    $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }})
 _render_templates:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -ex
+    set -ex
-	if ! ip route get 1.1.1.1; then
+    if ! ip route get 1.1.1.1; then
-		echo No route to WAN. Skipping template rendering...
+    	echo No route to WAN. Skipping template rendering...
-	else
+    else
-		source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
+    	source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)
-		# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
+    	# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
-	fi
+    fi
 rebuild-remote-device device +rebuildargs="dry-activate":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -ex
+    set -ex
-	nix run .#colmena -- apply --impure --on {{device}} {{rebuildargs}}
+    nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }}
 # Rebuild this device's NixOS
 rebuild-this-device +rebuildargs="dry-activate":
-	nix run .#colmena -- apply-local --impure --sudo {{rebuildargs}}
+    nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }}
 # Re-render the versions of a remote device and rebuild its environment
 update-remote-device devicename +rebuildargs='build':
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	(
+    (
-		set -xe
+    	set -xe
-		cd nix/os/devices/{{devicename}}
+    	cd nix/os/devices/{{ devicename }}
-		nix flake update
+    	nix flake update
-	)
+    )
-	just -v rebuild-remote-device {{devicename}} {{rebuildargs}}
+    just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }}
-	git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions"
+    git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions"
 # Re-render the versions of the current device and rebuild its environment
 update-this-device rebuild-mode='switch' +moreargs='':
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	(
+    (
-		set -xe
+    	set -xe
-		cd nix/os/devices/$(hostname -s)
+    	cd nix/os/devices/$(hostname -s)
-		nix flake update
+    	nix flake update
-	)
+    )
-	just -v rebuild-this-device {{rebuild-mode}} {{moreargs}}
+    just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }}
-	git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"
+    git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"
 # Rebuild an offline system
 rebuild-disk device:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -xe
+    set -xe
-	just -v disk-mount {{device}}
+    just -v disk-mount {{ device }}
-	trap "set +e; just -v disk-umount {{device}}" EXIT
+    trap "set +e; just -v disk-umount {{ device }}" EXIT
-	just -v disk-install {{device}}
+    just -v disk-install {{ device }}
 # Re-render the versions of the given offline system and reinstall it in offline-mode
 update-disk dir:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -exuo pipefail
+    set -exuo pipefail
-	dir={{dir}}
+    dir={{ dir }}
-	template={{dir}}/versions.tmpl.nix
+    template={{ dir }}/versions.tmpl.nix
-	outfile={{dir}}/versions.nix
+    outfile={{ dir }}/versions.nix
-	if ! test -e ${template}; then
+    if ! test -e ${template}; then
-		template="$(just _DEFAULT_VERSION_TMPL)"
+    	template="$(just _DEFAULT_VERSION_TMPL)"
-	fi
+    fi
-	esh -o ${outfile} ${template}
+    esh -o ${outfile} ${template}
-	if ! test "$(git diff ${outfile})"; then
+    if ! test "$(git diff ${outfile})"; then
-		echo Already on latest versions
+    	echo Already on latest versions
-		exit 0
+    	exit 0
-	fi
+    fi
-	export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log
+    export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log
-	just -v rebuild-disk {{dir}} || {
+    just -v rebuild-disk {{ dir }} || {
-		echo ERROR: Update of {{dir}} failed, reverting ${outfile}...
+    	echo ERROR: Update of {{ dir }} failed, reverting ${outfile}...
-		exit 1
+    	exit 1
-	}
+    }
-	git commit -v ${outfile} -m "${dir}: bump versions"
+    git commit -v ${outfile} -m "${dir}: bump versions"
 # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)
 hm-iterate-qtile:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -xe
+    set -xe
-	home-manager switch || just -v rebuild-this-device switch
+    home-manager switch || just -v rebuild-this-device switch
-	Xephyr -ac -br -resizeable :1 &
+    Xephyr -ac -br -resizeable :1 &
-	XEPHYR_PID=$!
+    XEPHYR_PID=$!
-	echo ${XEPHYR_PID}
+    echo ${XEPHYR_PID}
-	DISPLAY=:1 $(grep qtile ~/.xsession) &
+    DISPLAY=:1 $(grep qtile ~/.xsession) &
-	echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
+    echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
-	wait $!
+    wait $!
-	kill ${XEPHYR_PID}
+    kill ${XEPHYR_PID}
 # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device.
 disk-prepare dir:
-	just -v _device diskPrepare {{dir}}
+    just -v _device diskPrepare {{ dir }}
 disk-relabel dir previous:
-	just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}}
+    just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }}
 # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
 disk-mount dir:
-	just -v _device diskMount {{dir}}
+    just -v _device diskMount {{ dir }}
 # Unmount target disk, specified by device configuration directory
 disk-umount dir:
-	just -v _device diskUmount {{dir}}
+    just -v _device diskUmount {{ dir }}
 # Perform an offline installation on the mounted target disk, specified by device configuration directory
 disk-install dir: _render_templates
-	just -v _device diskInstall {{dir}}
+    just -v _device diskInstall {{ dir }}
 verify-n-unlock sshserver attempts="10":
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	env \
+    env \
-	  GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \
+      GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \
-	  SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} SSHOPTS)" \
+      SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \
-	  VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \
+      VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \
-	  VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}}  VNCPW)" \
+      VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }}  VNCPW)" \
-	  \
+      \
-	  just _verify-n-unlock {{sshserver}} {{attempts}}
+      just _verify-n-unlock {{ sshserver }} {{ attempts }}
 _verify-n-unlock sshserver attempts:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e
+    set -e
-	: ${VNCSOCK:?VNCSOCK must be set}
+    : ${VNCSOCK:?VNCSOCK must be set}
-	: ${VNCPW:?VNCPW must be set}
+    : ${VNCPW:?VNCPW must be set}
-	export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
+    export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
-	export TESS_ARGS="-c debug_file=/dev/null --psm 4"
+    export TESS_ARGS="-c debug_file=/dev/null --psm 4"
-	function send() {
+    function send() {
-		local what="${1:?need something to send}"
+    	local what="${1:?need something to send}"
-		ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null
+    	ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null
-	}
+    }
-	function expect() {
+    function expect() {
-		local what="${1:?need something to expect}"
+    	local what="${1:?need something to expect}"
-		vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
+    	vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
-		convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
+    	convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
-		tesseract ${TESS_ARGS} screenshot.tiff screenshot
+    	tesseract ${TESS_ARGS} screenshot.tiff screenshot
-		grep --quiet "${what}" screenshot.txt
+    	grep --quiet "${what}" screenshot.txt
-	}
+    }
-	function send_and_expect() {
+    function send_and_expect() {
-		local send="${1:?need something to send}"
+    	local send="${1:?need something to send}"
-		local expect="${2:?need something to expect}"
+    	local expect="${2:?need something to expect}"
-		if ! send "${send}"; then
+    	if ! send "${send}"; then
-			echo warning: cannot send > /dev/stderr
+    		echo warning: cannot send > /dev/stderr
-			return -1
+    		return -1
-		fi
+    	fi
-		expect "${expect}"
+    	expect "${expect}"
-	}
+    }
-	trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT
+    trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT
-	for i in `seq 1 {{attempts}}`; do
+    for i in `seq 1 {{ attempts }}`; do
-		echo Attempt $i...
+    	echo Attempt $i...
-		expect="$(pwgen -0 12)"
+    	expect="$(pwgen -0 12)"
-		send="'\0033\0143'${expect}"
+    	send="'\0033\0143'${expect}"
-		if send_and_expect "${send}" "${expect}"; then
+    	if send_and_expect "${send}" "${expect}"; then
-			pipe=$(mktemp -u)
+    		pipe=$(mktemp -u)
-			mkfifo ${pipe}
+    		mkfifo ${pipe}
-			exec 3<>${pipe}
+    		exec 3<>${pipe}
-			rm ${pipe}
+    		rm ${pipe}
-			echo Verification succeeded at attempt $i. Unlocking remote drive...
+    		echo Verification succeeded at attempt $i. Unlocking remote drive...
-			ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null &
+    		ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null &
-			eval ${GETPW} | head -n1 >&3
+    		eval ${GETPW} | head -n1 >&3
-			for j in `seq 1 120`; do
+    		for j in `seq 1 120`; do
-				sleep 0.5
+    			sleep 0.5
-				if expect '— success'; then
+    			if expect '— success'; then
-					echo Unlock successful.
+    				echo Unlock successful.
-					exit 0
+    				exit 0
-				fi
+    			fi
-			done
+    		done
-			echo Unlock failed...
+    		echo Unlock failed...
-			exit 1
+    		exit 1
-		fi
+    	fi
-	done
+    done
-	echo Verification failed {{attempts}} times. Giving up...
+    echo Verification failed {{ attempts }} times. Giving up...
-	exit 1
+    exit 1
 _get_pass_entry path key:
-	pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g'
+    pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g'
 run-with-channels +cmds:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
+    source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)
-	{{cmds}}
+    {{ cmds }}
 install-config config root:
-	sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd
+    sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd
 # Switch between gpg-card capable devices which have a copy of the same key
 switch-gpg-card:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	#
+    #
-	# Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
+    # Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
-	#
+    #
-	# Connect the new device and then run this script to make it known to gnupg.
+    # Connect the new device and then run this script to make it known to gnupg.
-	#
+    #
-	set -xe
+    set -xe
-	KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
+    KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
-	# export pubkey and ownertrust
+    # export pubkey and ownertrust
-	gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
+    gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
-	# if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
+    # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
-	gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust
+    gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust
-	# delete the key
+    # delete the key
-	gpg --yes --delete-secret-and-public-keys "${KEY_ID}"
+    gpg --yes --delete-secret-and-public-keys "${KEY_ID}"
-	# import pubkey and ownertrust back and cleanup
+    # import pubkey and ownertrust back and cleanup
-	gpg2 --import "${KEY_ID}".pubkey
+    gpg2 --import "${KEY_ID}".pubkey
-	gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
+    gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
-	rm "${KEY_ID}".{pubkey,ownertrust}
+    rm "${KEY_ID}".{pubkey,ownertrust}
-	# refresh the gpg agent
+    # refresh the gpg agent
-	gpg-connect-agent "scd serialno" "learn --force" /bye
+    gpg-connect-agent "scd serialno" "learn --force" /bye
-	gpg --card-status
+    gpg --card-status
 # Connect to `remote` UUID, and turn it into a short name
 uuid-to-device-name remote:
-	#!/usr/bin/env bash
+    #!/usr/bin/env bash
-	set -e -o pipefail
+    set -e -o pipefail
-	ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}'
+    ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}'
 test-connection:
-	#! /usr/bin/env nix-shell
+    #! /usr/bin/env nix-shell
-	#! nix-shell -p curl zsh
+    #! nix-shell -p curl zsh
-	#! nix-shell -i zsh
+    #! nix-shell -i zsh
-	#! nix-shell --pure
+    #! nix-shell --pure
-	while true; do
+    while true; do
-	  FAILURE="false"
+      FAILURE="false"
-	  output=$(
+      output=$(
-		echo "$(date)\n---"
+    	echo "$(date)\n---"
-		for url in \
+    	for url in \
-			"https://172.16.0.1:65443/0.7/gui/#/login/" \
+    		"https://172.16.0.1:65443/0.7/gui/#/login/" \
-			"https://192.168.0.1" \
+    		"https://192.168.0.1" \
-			"http://172.172.171.9" \
+    		"http://172.172.171.9" \
-			"https://172.172.171.10:65443" \
+    		"https://172.172.171.10:65443" \
-			"https://172.172.171.11:65443" \
+    		"https://172.172.171.11:65443" \
-			"https://172.172.171.13:443" \
+    		"https://172.172.171.13:443" \
-			"https://172.172.171.14:443" \
+    		"https://172.172.171.14:443" \
-			"http://172.172.171.15:22" \
+    		"http://172.172.171.15:22" \
-			"http://172.172.171.16:22" \
+    		"http://172.172.171.16:22" \
-			"https://crates.io" \
+    		"https://crates.io" \
-			"https://holo.host" \
+    		"https://holo.host" \
-			; \
+    		; \
-		do
+    	do
-		  print "trying ${url}": $(
+    	  print "trying ${url}": $(
-			curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1)
+    		curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1)
-			# if [ $? -ne 0 ]; then
+    		# if [ $? -ne 0 ]; then
-			if [[ "$curl_output" == *timeout* ]]; then
+    		if [[ "$curl_output" == *timeout* ]]; then
-			  echo failure: $(echo ${curl_output} | tail -n1)
+    		  echo failure: $(echo ${curl_output} | tail -n1)
-			  # BUG: outer FAILURE is not set by this
+    		  # BUG: outer FAILURE is not set by this
-			  FAILURE="true"
+    		  FAILURE="true"
-			else
+    		else
-			  echo success
+    		  echo success
-			fi
+    		fi
-		  )
+    	  )
-		done
+    	done
-	  )
+      )
-	  clear
+      clear
-	  echo ${output}
+      echo ${output}
-	  if [[ ${FAILURE} == "true" ]]; then
+      if [[ ${FAILURE} == "true" ]]; then
-		echo something failed
+    	echo something failed
-		tracepath -m5 -n1 172.16.0.1
+    	tracepath -m5 -n1 172.16.0.1
-		tracepath -m5 -n1 192.168.0.1
+    	tracepath -m5 -n1 192.168.0.1
-	  fi
+      fi
-	  sleep 5
+      sleep 5
-	done
+    done
 cachix-use name:
-	nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/
+    nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/
 update-sops-keys:
-	for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done
+    for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done
 deploy-router0-dmz0:
-	NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1
+    NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1
 ttyusb:
-	screen -fa /dev/ttyUSB0 115200
+    screen -fa /dev/ttyUSB0 115200
--- a/flake.nix
+++ b/flake.nix
@ -278,7 +278,6 @@
                    };
                  };
                local-xwayland = pkgs.writeShellScriptBin "local-xwayland" ''
                  set -x
                  ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
@ -287,7 +286,7 @@
                    --x-display=0 \
                    # --x-unscale=3 \
                    --verbose
-                  '';
+                '';
              in
              {
                dcpj4110dwDriver = dcpj4110dw.driver;
@ -355,6 +354,13 @@
                    shellcheck.enable = true;
                    prettier.enable = true;
                    just = {
                      enable = true;
                      includes = [
                        "*/Justfile"
                        "Justfile"
                      ];
                    };
                  } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; };
                  settings = {
@ -410,7 +416,10 @@
                    ;
                };
              in
-              all // { default = all.develop; };
+              all
              // {
                default = all.develop;
              };
          };
      }
    );
--- a/nix/devShells.nix
+++ b/nix/devShells.nix
@ -93,11 +93,11 @@
      self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
    shellHook = builtins.concatStringsSep "\n" [
-      (self.inputs.nixago.lib.${pkgs.system}.make {
+      # (self.inputs.nixago.lib.${pkgs.system}.make {
-        data = self'.formatter.settings;
+      #   data = self'.formatter.settings;
-        output = "treefmt.toml";
+      #   output = "treefmt.toml";
-        format = "toml";
+      #   format = "toml";
-      }).shellHook
+      # }).shellHook
    ];
  };
 }
--- a/nix/home-manager/programs/firefox.nix
+++ b/nix/home-manager/programs/firefox.nix
@ -162,7 +162,10 @@ let
        "devtools.debugger.remote-enabled" = true;
        # disable translations for some languages
-        "browser.translations.neverTranslateLanguages" = ["en" "de"];
+        "browser.translations.neverTranslateLanguages" = [
          "en"
          "de"
        ];
        "browser.translations.automaticallyPopup" = false;
        # enable pipewire (and libcamera) sources
@ -300,12 +303,14 @@ let
 in
 {
  nixpkgs.overlays = [
-      repoFlake.inputs.nur.overlay
+    repoFlake.inputs.nur.overlay
  ];
-  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+  nixpkgs.config.allowUnfreePredicate =
-    "youtube-recommended-videos"
+    pkg:
-  ];
+    builtins.elem (lib.getName pkg) [
      "youtube-recommended-videos"
    ];
  programs.librewolf = {
    enable = false;
--- a/nix/os/devices/router0-dmz0/flake.nix
+++ b/nix/os/devices/router0-dmz0/flake.nix
@ -13,12 +13,11 @@
    srvos.url = "github:numtide/srvos";
    srvos.inputs.nixpkgs.follows = "nixpkgs";
-    nixos-sbc.url =
+    nixos-sbc.url = "github:nakato/nixos-sbc"
-      "github:nakato/nixos-sbc"
+    # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12"
-      # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12"
+    # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13"
-      # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13"
+    # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile"
-      # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile"
+    # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile"
      # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile"
    # "git+file:///home/steveej/src/others/nakato_nixos-sbc/"
    ;
    nixos-sbc.inputs.nixpkgs.follows = "nixpkgs";
--- a/nix/os/devices/steveej-x13s/configuration.nix
+++ b/nix/os/devices/steveej-x13s/configuration.nix
@ -6,7 +6,6 @@
  config,
  nodeName,
  system,
  packages',
  ...
 }:
 {
--- a/nix/os/devices/steveej-x13s/flake.nix
+++ b/nix/os/devices/steveej-x13s/flake.nix
@ -15,8 +15,7 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nixos-x13s.url =
+    nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump"
    "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump"
    # 6.13-rc2
    # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump&rev=c95058f8aa1b361df3874429c5dc0f694f9cba78"
    # 6.11.0
@ -89,8 +88,10 @@
        inherit mkNixosConfiguration;
      };
-      overlays.default = _final: _previous: {
+      overlays.default =
-      };
+        _final: _previous:
        {
        };
      nixosConfigurations = {
        native = mkNixosConfiguration { system = nativeSystem; };
--- a/nix/os/profiles/install-medium/iso/Justfile
+++ b/nix/os/profiles/install-medium/iso/Justfile
@ -1,2 +1,2 @@
 build:
-  nix-build '<nixpkgs/nixos>' -A config.system.build.isoImage -I nixos-config=iso.nix
+    nix-build '<nixpkgs/nixos>' -A config.system.build.isoImage -I nixos-config=iso.nix
--- a/secrets/router0-dmz0/secrets.yaml
+++ b/secrets/router0-dmz0/secrets.yaml
@ -17,37 +17,37 @@ wg1-privatekey: ENC[AES256_GCM,data:Q3zb6oLhBqW+D063S37O2vZD3PSn3yIYWWkOtZwvpmMm
 wg1-publickey: ENC[AES256_GCM,data:7svFjRVdWBmrUt2qzHSmgBo4HPwJR6I6p3rZg2U+h1uVhQwCnUCH6JATVZs=,iv:xWUKpjmmrf/U8T8XmdL4Ox+aqkftnh8oeORCkhtJoBU=,tag:+k+E13X+EbZxfiq0MoGIEg==,type:str]
 wg1-peer0-psk: ENC[AES256_GCM,data:egtyccOYD4NAUTunpvVXTJwjtSdJJT8v5O9Wl7NoCKy2eDzrQvrEEK8Zzts=,iv:D7EQkj2Oz2JJIF6slTLq3A4esKN6VfkOA+odHvjSeUE=,tag:z/blOUXX1JOyqtXgMldnlg==,type:str]
 sops:
-    kms: []
+  kms: []
-    gcp_kms: []
+  gcp_kms: []
-    azure_kv: []
+  azure_kv: []
-    hc_vault: []
+  hc_vault: []
-    age:
+  age:
-        - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
+    - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNE9VK05aYlRKcXRBak1h
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNE9VK05aYlRKcXRBak1h
-            Sk5GS08zUE93U2VSL2FYTTllS3Fjb2I5R1ZZCjFtL1RZUWVvbzdlcnBCN1NJbE5S
+        Sk5GS08zUE93U2VSL2FYTTllS3Fjb2I5R1ZZCjFtL1RZUWVvbzdlcnBCN1NJbE5S
-            QW9paVFDaldhSVh2eitoaStpZU94T2MKLS0tIHV4ajZFdEl0TjFNNXhhTlFBaGMz
+        QW9paVFDaldhSVh2eitoaStpZU94T2MKLS0tIHV4ajZFdEl0TjFNNXhhTlFBaGMz
-            S0Y0WjA5eXovc2pUUzdUY0ZEZVN1dkUKNuvEcQ5lmVUNan4fj0tfwXc3JUfV8opV
+        S0Y0WjA5eXovc2pUUzdUY0ZEZVN1dkUKNuvEcQ5lmVUNan4fj0tfwXc3JUfV8opV
-            KCBiiPEIBRwryWg7CLo7qgFU9nRTnA7Wjjo2vnh9nLLnIjNSmc/ECQ==
+        KCBiiPEIBRwryWg7CLo7qgFU9nRTnA7Wjjo2vnh9nLLnIjNSmc/ECQ==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-05T09:44:59Z"
+  lastmodified: "2025-02-05T09:44:59Z"
-    mac: ENC[AES256_GCM,data:P2bEHq4ZBg2Y8RPmUSuIOxWxJdYTUpTD5nXv3vqAHOU0t5ZlyOjFUPYejGBLdvd++v+plwo4lYG4/JJ3/LFIM/n2f1kFOOPSIt6yox6oYHHzJRly2kBfyIpUz4q+1c/xhMjpcQdAlWEdIQLm80BMUpny9y2KhVYot9TvTNTSkxM=,iv:uso8kcW8gildOD7FF1Xvage2dccQ8GkMI6nDCaUw2qc=,tag:urKtsRoGqwoZzk7DuMCINw==,type:str]
+  mac: ENC[AES256_GCM,data:P2bEHq4ZBg2Y8RPmUSuIOxWxJdYTUpTD5nXv3vqAHOU0t5ZlyOjFUPYejGBLdvd++v+plwo4lYG4/JJ3/LFIM/n2f1kFOOPSIt6yox6oYHHzJRly2kBfyIpUz4q+1c/xhMjpcQdAlWEdIQLm80BMUpny9y2KhVYot9TvTNTSkxM=,iv:uso8kcW8gildOD7FF1Xvage2dccQ8GkMI6nDCaUw2qc=,tag:urKtsRoGqwoZzk7DuMCINw==,type:str]
-    pgp:
+  pgp:
-        - created_at: "2024-12-24T19:36:20Z"
+    - created_at: "2024-12-24T19:36:20Z"
-          enc: |-
+      enc: |-
-            -----BEGIN PGP MESSAGE-----
+        -----BEGIN PGP MESSAGE-----
-            hQEMA0SHG/zF3227AQf/RIzNBL+pVy3msNL8iuGdPXywQhS4JPgP9QqiYu8hqTsw
+        hQEMA0SHG/zF3227AQf/RIzNBL+pVy3msNL8iuGdPXywQhS4JPgP9QqiYu8hqTsw
-            ja/jx8ShJmLjC5i7D8nwwbUyY1DJTSdHcRblcsROgo4DgthdtuprJlSQIPZhaW5Q
+        ja/jx8ShJmLjC5i7D8nwwbUyY1DJTSdHcRblcsROgo4DgthdtuprJlSQIPZhaW5Q
-            Rbo52yT1LkzypUcSQFIDY2QFpPw2zL3ZmPyIwg7YCI3seNQckv93nZQzpLx2Ifad
+        Rbo52yT1LkzypUcSQFIDY2QFpPw2zL3ZmPyIwg7YCI3seNQckv93nZQzpLx2Ifad
-            hLU0+C8tU94z+sgqLq0OVryZb6taQP/h41niFKHZtemnykA03JIbCmyl1HZDEtRJ
+        hLU0+C8tU94z+sgqLq0OVryZb6taQP/h41niFKHZtemnykA03JIbCmyl1HZDEtRJ
-            1xSFpAKAtfzdhR5SfrGYtSBj7FysanfSEi4Gxxp7VcfqBVYTHAOsDLFnFCEwr13H
+        1xSFpAKAtfzdhR5SfrGYtSBj7FysanfSEi4Gxxp7VcfqBVYTHAOsDLFnFCEwr13H
-            sopUdgCeZdZTBFgzS+AVb0zcHti/YJ9xUNrIKJXwAdJcAS9w3Y4MqcbEdcFp/CD5
+        sopUdgCeZdZTBFgzS+AVb0zcHti/YJ9xUNrIKJXwAdJcAS9w3Y4MqcbEdcFp/CD5
-            W8w7WZjHm8ly0qm2DgyQmd3040V64mt5cDe7+8YRqu5cZILyKpRGwUx3ES0eJ+g3
+        W8w7WZjHm8ly0qm2DgyQmd3040V64mt5cDe7+8YRqu5cZILyKpRGwUx3ES0eJ+g3
-            g2P8+l5NEvzTX3ldXHObOUVebLouZrxd6UjWvUo=
+        g2P8+l5NEvzTX3ldXHObOUVebLouZrxd6UjWvUo=
-            =mYf/
+        =mYf/
-            -----END PGP MESSAGE-----
+        -----END PGP MESSAGE-----
-          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+      fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
-    unencrypted_suffix: _unencrypted
+  unencrypted_suffix: _unencrypted
-    version: 3.9.1
+  version: 3.9.1
--- a/secrets/shared-users.yaml
+++ b/secrets/shared-users.yaml
@ -10,118 +10,118 @@ sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3x
 sharedUsers-elias: ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str]
 sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str]
 sops:
-    kms: []
+  kms: []
-    gcp_kms: []
+  gcp_kms: []
-    azure_kv: []
+  azure_kv: []
-    hc_vault: []
+  hc_vault: []
-    age:
+  age:
-        - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
+    - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6T2hmV3BOU0M1MTloWktK
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6T2hmV3BOU0M1MTloWktK
-            YTRXS3lTcERncjNpaFlhRlljNWlJQURmdW1FCmQzNEFFZ2VxTmdmZ21idzZEUHVZ
+        YTRXS3lTcERncjNpaFlhRlljNWlJQURmdW1FCmQzNEFFZ2VxTmdmZ21idzZEUHVZ
-            clFMZU1tTG9kWkNFVzdXK0NYQjVMMnMKLS0tIHVwRzlpR2VwcXlCdUxUbTN4YWcy
+        clFMZU1tTG9kWkNFVzdXK0NYQjVMMnMKLS0tIHVwRzlpR2VwcXlCdUxUbTN4YWcy
-            Y3dqOXlTeDZRU3YycUtqTXpKcWt4bk0KT71rTNU/kZci9u3NahgR3/fL6IHHxVdu
+        Y3dqOXlTeDZRU3YycUtqTXpKcWt4bk0KT71rTNU/kZci9u3NahgR3/fL6IHHxVdu
-            unIWav0e6cZVQXKw29Pji966zuB5Rv0vb+5LAYsXzC0E6vtiC7kwzA==
+        unIWav0e6cZVQXKw29Pji966zuB5Rv0vb+5LAYsXzC0E6vtiC7kwzA==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-        - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
+    - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM0NiZ1RIekpsY2pDVEh0
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM0NiZ1RIekpsY2pDVEh0
-            MldzL0Zna045QVY5TnAwYU1rTitQMkxOZ1M4Ck80a2dnTlFxYkZyKzE3emFTa29R
+        MldzL0Zna045QVY5TnAwYU1rTitQMkxOZ1M4Ck80a2dnTlFxYkZyKzE3emFTa29R
-            THNTblJuU1g0Zlg1RlhMV0JsY3ZpR0UKLS0tIGhLWFZOcS9za0Riak9QUVZ1dGhZ
+        THNTblJuU1g0Zlg1RlhMV0JsY3ZpR0UKLS0tIGhLWFZOcS9za0Riak9QUVZ1dGhZ
-            SnVNUTJFWnVHTDZKZzFBME5ZZzFBWE0K6jMchwT9eJOqyBhSiyg0XS69KxWc2Xx1
+        SnVNUTJFWnVHTDZKZzFBME5ZZzFBWE0K6jMchwT9eJOqyBhSiyg0XS69KxWc2Xx1
-            SJS0acLF+Lcrw0xEr856846P/bH+l/SY4Ii7Mv0b38GOb5KPGra3cA==
+        SJS0acLF+Lcrw0xEr856846P/bH+l/SY4Ii7Mv0b38GOb5KPGra3cA==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-        - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
+    - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBENVQ5MHZ3VXBMbUdBTHFN
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBENVQ5MHZ3VXBMbUdBTHFN
-            Z09QTDdyWFpHUG9LWGdqZXhBRm90ZnBsNFhJClJpaTFCaSt6Q0E1UlR0WEljWjVv
+        Z09QTDdyWFpHUG9LWGdqZXhBRm90ZnBsNFhJClJpaTFCaSt6Q0E1UlR0WEljWjVv
-            UE1LUDZ1by9zYmhibGJHRGpKT2RhbzQKLS0tIEhKYTlTcmw2NDBDVGluc1N0Y2Rl
+        UE1LUDZ1by9zYmhibGJHRGpKT2RhbzQKLS0tIEhKYTlTcmw2NDBDVGluc1N0Y2Rl
-            d2dsU0ZnMFVlYnJtai9UWDJROG9JTWcKeCVOvRWUJutoFOhDLni2CpgKUUvxTFUS
+        d2dsU0ZnMFVlYnJtai9UWDJROG9JTWcKeCVOvRWUJutoFOhDLni2CpgKUUvxTFUS
-            NNozeDy27P+ZZFDHxBGPoJhJmAKt7Vs4FpdAYJM1xeZWd4BgakdUZw==
+        NNozeDy27P+ZZFDHxBGPoJhJmAKt7Vs4FpdAYJM1xeZWd4BgakdUZw==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-        - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
+    - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMWxSQ3ovamNoaFovcDRi
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMWxSQ3ovamNoaFovcDRi
-            NGVRRGNZZDJoVWdhMDBhRU9VZHNzMUkzV1RFCjgzQ1FDdSsyMWYrZC9iZXBDa1NJ
+        NGVRRGNZZDJoVWdhMDBhRU9VZHNzMUkzV1RFCjgzQ1FDdSsyMWYrZC9iZXBDa1NJ
-            dThoNms4aW5iQVBzK21URXkrQjFQR3cKLS0tIDFmR2o4OEpxZnJheGJTWHRMNDBV
+        dThoNms4aW5iQVBzK21URXkrQjFQR3cKLS0tIDFmR2o4OEpxZnJheGJTWHRMNDBV
-            djkrN0xTR25zeEVjYnpMbllZRHcySGsKvPzezvh4MF5TvrqEAg5z/nDRw8iviIx0
+        djkrN0xTR25zeEVjYnpMbllZRHcySGsKvPzezvh4MF5TvrqEAg5z/nDRw8iviIx0
-            wcnO7RQZGSZ71Cv0T11dIpAixUE90l5b6xHKdaeS8vtYFTKdw8FjKg==
+        wcnO7RQZGSZ71Cv0T11dIpAixUE90l5b6xHKdaeS8vtYFTKdw8FjKg==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-        - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
+    - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZW9HdjNSTE5xWlVWY01R
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZW9HdjNSTE5xWlVWY01R
-            bXAyWVZhcjlkbFVneXhaVnZOQkQ5amszeDJJCjVWa3lLSWhBUDYyd1N1QlZ3T2Fs
+        bXAyWVZhcjlkbFVneXhaVnZOQkQ5amszeDJJCjVWa3lLSWhBUDYyd1N1QlZ3T2Fs
-            QkN2MDViUGwyV0w4NGJiZHhaQ0VjcW8KLS0tIFNkZnNJbXpFOVZsdjREbWFwQ1RB
+        QkN2MDViUGwyV0w4NGJiZHhaQ0VjcW8KLS0tIFNkZnNJbXpFOVZsdjREbWFwQ1RB
-            RTVML1czWWk1QkYzMlVwOWVXNVRwancKKngA02rNH1ZN2jvJ4QZcN07djYzzqoPo
+        RTVML1czWWk1QkYzMlVwOWVXNVRwancKKngA02rNH1ZN2jvJ4QZcN07djYzzqoPo
-            OFeFoOHOKNz3Obwlxv6eW1bd0AP/MT7VR+cTDdaAxwNf8I1gEC9bjw==
+        OFeFoOHOKNz3Obwlxv6eW1bd0AP/MT7VR+cTDdaAxwNf8I1gEC9bjw==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-        - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
+    - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdG5NWlVURFA0TDhWak5u
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdG5NWlVURFA0TDhWak5u
-            R0tmR3JiMThtNnpqM05yQWZTdVAxZTQ4TEcwCndjSlYvMTg1NlRvSHhmdmNMRzhS
+        R0tmR3JiMThtNnpqM05yQWZTdVAxZTQ4TEcwCndjSlYvMTg1NlRvSHhmdmNMRzhS
-            MjgwMU5ZcnVnWVplY1lOc1JQNFkxMDQKLS0tIHhHenE2SmdFcC95ampNbmdOSDJX
+        MjgwMU5ZcnVnWVplY1lOc1JQNFkxMDQKLS0tIHhHenE2SmdFcC95ampNbmdOSDJX
-            ZnJLR0RKZ3FrOUxRSU11dlh5ZzBidmcK7PsJYwMJpv9YoaYiN+U20HA2opK2IUnF
+        ZnJLR0RKZ3FrOUxRSU11dlh5ZzBidmcK7PsJYwMJpv9YoaYiN+U20HA2opK2IUnF
-            elU57b01ZOZM5nfpnyZBdqZO6VRDAZC2h81z+BCNXUQus4SSNQi0aw==
+        elU57b01ZOZM5nfpnyZBdqZO6VRDAZC2h81z+BCNXUQus4SSNQi0aw==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+    - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bzBRSi9qOEsxR0Z4RTNt
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bzBRSi9qOEsxR0Z4RTNt
-            U0VKT0o3b3I0dXJxSHRSVnFiR3BWOUNTR2ljCmlHWWZnTGJKeWNhTWxKaEVrbWdG
+        U0VKT0o3b3I0dXJxSHRSVnFiR3BWOUNTR2ljCmlHWWZnTGJKeWNhTWxKaEVrbWdG
-            M2twejZqaFU2RU8wemVxWHlpQVJYZWcKLS0tIDA5Y1Q0RWJvbUlGUHpKN1BIMGM2
+        M2twejZqaFU2RU8wemVxWHlpQVJYZWcKLS0tIDA5Y1Q0RWJvbUlGUHpKN1BIMGM2
-            cGU2bXpEaVNRcko4TVlBMG9KdnJibjQK86rJ3S+JQhD8+gCkr748z1oVy55ukOMv
+        cGU2bXpEaVNRcko4TVlBMG9KdnJibjQK86rJ3S+JQhD8+gCkr748z1oVy55ukOMv
-            c408QBFGToOuzvaRbOIb8lhci4ImuSJJE7TZUzgYsADEAaeudDKVtw==
+        c408QBFGToOuzvaRbOIb8lhci4ImuSJJE7TZUzgYsADEAaeudDKVtw==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-        - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
+    - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WHJjQThud1IzSHk2Z0Zn
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WHJjQThud1IzSHk2Z0Zn
-            L2NybEJyMVdoRWszb0lZTlcyN1ppa1BOSmdzCitZa2thNkJyWWxKU0IxdnhrVXNI
+        L2NybEJyMVdoRWszb0lZTlcyN1ppa1BOSmdzCitZa2thNkJyWWxKU0IxdnhrVXNI
-            Q2dXL1BST1hzMy9PZWpVcU1lckcvdVkKLS0tIDd1VXBGRmdkdnV6UHdzbU1UMjVB
+        Q2dXL1BST1hzMy9PZWpVcU1lckcvdVkKLS0tIDd1VXBGRmdkdnV6UHdzbU1UMjVB
-            WjB5akxEeUd2eS95ZnZHSUFXSmNXWncK3VXZqfKo8jat4gbn/5YSL/cV5qILqV5b
+        WjB5akxEeUd2eS95ZnZHSUFXSmNXWncK3VXZqfKo8jat4gbn/5YSL/cV5qILqV5b
-            E/OBRFStWmfhuCZJzCDhU9a0QJocW+UkkI4XRzDDaN66gEmZe+u7mA==
+        E/OBRFStWmfhuCZJzCDhU9a0QJocW+UkkI4XRzDDaN66gEmZe+u7mA==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
+    - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cE5lLy9ZNXdXb0owcnZk
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cE5lLy9ZNXdXb0owcnZk
-            S0JRSkc4Q2p4bGxPSG14VjlKZ3NMMUpEd2drClBGU0FyaGJ1WCtHVHRzYTFqRXpz
+        S0JRSkc4Q2p4bGxPSG14VjlKZ3NMMUpEd2drClBGU0FyaGJ1WCtHVHRzYTFqRXpz
-            VWJvTlBEcXg4TVVLZzV4djE2bUhIRVEKLS0tICtSTCtNS2dON0pIMHNzWmE5Q253
+        VWJvTlBEcXg4TVVLZzV4djE2bUhIRVEKLS0tICtSTCtNS2dON0pIMHNzWmE5Q253
-            c3loYWpFd0h6N3FpdkdpZGdHZjU0aE0K2zsQNBl1jdhLWf1PeGVo+deCc6BwnTo4
+        c3loYWpFd0h6N3FpdkdpZGdHZjU0aE0K2zsQNBl1jdhLWf1PeGVo+deCc6BwnTo4
-            tUg59pWQ5BvwMQx0kjhEoa29S1QUU4Or4erPPoHS5teK4Llv0s2gRQ==
+        tUg59pWQ5BvwMQx0kjhEoa29S1QUU4Or4erPPoHS5teK4Llv0s2gRQ==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-        - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
+    - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
-          enc: |
+      enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
+        -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNHNvaU5sUDEvd3JGWUFa
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNHNvaU5sUDEvd3JGWUFa
-            VjZDbm9VMXpjQWhCYTRxbUlEREErT0tDUXpRCnN4YXhVVW8zTi9ZZmVUYWwwRHhH
+        VjZDbm9VMXpjQWhCYTRxbUlEREErT0tDUXpRCnN4YXhVVW8zTi9ZZmVUYWwwRHhH
-            dXd0dnB5WE9sTDZ2R3d4MlFiWlFZcmsKLS0tIENJSTNvNWV3SlVwRk15RDRpNllQ
+        dXd0dnB5WE9sTDZ2R3d4MlFiWlFZcmsKLS0tIENJSTNvNWV3SlVwRk15RDRpNllQ
-            YmZuei9iVFMvcytqS3podTZZb2g3S0kK+qGQ8LkLO6v8T718dyD5j5CTC+UwBaCn
+        YmZuei9iVFMvcytqS3podTZZb2g3S0kK+qGQ8LkLO6v8T718dyD5j5CTC+UwBaCn
-            9dxkh9MWkKknRL89MHbV9gVG/StiOa+USGqulXEGbapiZ9q1JYCa7A==
+        9dxkh9MWkKknRL89MHbV9gVG/StiOa+USGqulXEGbapiZ9q1JYCa7A==
-            -----END AGE ENCRYPTED FILE-----
+        -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-16T19:17:41Z"
+  lastmodified: "2024-11-16T19:17:41Z"
-    mac: ENC[AES256_GCM,data:WWOWqwrUtpJWY7o7M6Aac7B9O6tw91yNiL74Fg0TKq4OH/0TGHI7YJK4c9swXs95jctFvFL9qQPTNEENgnqhJyZJGuc2qTsSaKERsSReaV4gURNEm2J2R52EQkyZXRbrn0oSoDazORqRXQo1KvULV75fyIPtsE1OcU/1/TPkWHY=,iv:XwyR6rM+0eTmKg4+vpQx26iKgKm0NL6siKxLoF3MufM=,tag:ks777fUl7uUgn7W48zBoMg==,type:str]
+  mac: ENC[AES256_GCM,data:WWOWqwrUtpJWY7o7M6Aac7B9O6tw91yNiL74Fg0TKq4OH/0TGHI7YJK4c9swXs95jctFvFL9qQPTNEENgnqhJyZJGuc2qTsSaKERsSReaV4gURNEm2J2R52EQkyZXRbrn0oSoDazORqRXQo1KvULV75fyIPtsE1OcU/1/TPkWHY=,iv:XwyR6rM+0eTmKg4+vpQx26iKgKm0NL6siKxLoF3MufM=,tag:ks777fUl7uUgn7W48zBoMg==,type:str]
-    pgp:
+  pgp:
-        - created_at: "2024-12-24T19:36:21Z"
+    - created_at: "2024-12-24T19:36:21Z"
-          enc: |-
+      enc: |-
-            -----BEGIN PGP MESSAGE-----
+        -----BEGIN PGP MESSAGE-----
-            hQEMA0SHG/zF3227AQgAqL1QC5kKDaMVQQp9Lboe3krFMW6MxBjilO3BvGYoXHKu
+        hQEMA0SHG/zF3227AQgAqL1QC5kKDaMVQQp9Lboe3krFMW6MxBjilO3BvGYoXHKu
-            kKP4hJomuF8wqkKzwsXZihIoXmc767/lKG7AIIMnMJjShGgIjSU668l0guuxlGdT
+        kKP4hJomuF8wqkKzwsXZihIoXmc767/lKG7AIIMnMJjShGgIjSU668l0guuxlGdT
-            r58W+JvA1Hu6LadQ6iPS5dVJgW0MJj5YGG0+EPljHVjFIXOKJff+09jBv2648kDh
+        r58W+JvA1Hu6LadQ6iPS5dVJgW0MJj5YGG0+EPljHVjFIXOKJff+09jBv2648kDh
-            SuuDVwFueX88qgKLnGNw/JWsmG6TRb8WPpbtK0zd30Y/guTRdx57+W4GcLz6zs98
+        SuuDVwFueX88qgKLnGNw/JWsmG6TRb8WPpbtK0zd30Y/guTRdx57+W4GcLz6zs98
-            kkU/VwAKy8ghkXlDyG/TBWipgj+xPGvOIRYiddZc6FBE14e5Miyuw4vgtLaYIWpS
+        kkU/VwAKy8ghkXlDyG/TBWipgj+xPGvOIRYiddZc6FBE14e5Miyuw4vgtLaYIWpS
-            aDB0BUbjmCaiVyZ3PF8nzJcUj3thAepkGyGIgPAgCNJcAW0hIzLoYdU9Dt5kxmGf
+        aDB0BUbjmCaiVyZ3PF8nzJcUj3thAepkGyGIgPAgCNJcAW0hIzLoYdU9Dt5kxmGf
-            tCH3/l3nOuqFZ2EFe6xlBuYEfkjCDLMnDD6W4gvJTkOjfYDWuF0TldyfXeGken+J
+        tCH3/l3nOuqFZ2EFe6xlBuYEfkjCDLMnDD6W4gvJTkOjfYDWuF0TldyfXeGken+J
-            BYeYA3OGTslhrVlXSPQeY1OqITnbqbPgwLkd7D0=
+        BYeYA3OGTslhrVlXSPQeY1OqITnbqbPgwLkd7D0=
-            =Nc6x
+        =Nc6x
-            -----END PGP MESSAGE-----
+        -----END PGP MESSAGE-----
-          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+      fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
-    unencrypted_suffix: _unencrypted
+  unencrypted_suffix: _unencrypted
-    version: 3.8.1
+  version: 3.8.1
--- a/services/home-ch/router-family.lan/Justfile
+++ b/services/home-ch/router-family.lan/Justfile
@ -1,12 +1,12 @@
 _run_ssh_cmd cmd:
-	ssh root@router-family.lan "{{cmd}}"
+    ssh root@router-family.lan "{{ cmd }}"
 post-setup:
-	just -v _run_ssh_cmd "opkg update"
+    just -v _run_ssh_cmd "opkg update"
-	just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns"
+    just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns"
-	just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server"
+    just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server"
-	just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs"
+    just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs"
-	# multiuser SFTP
+    # multiuser SFTP
-	just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server"
+    just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server"
-	just -v _run_ssh_cmd "opkg install sudo coreutils-readlink"
+    just -v _run_ssh_cmd "opkg install sudo coreutils-readlink"
-	just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
+    just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
--- a/services/home-ch/router-wan.dmz/Justfile
+++ b/services/home-ch/router-wan.dmz/Justfile
@ -1,9 +1,9 @@
 _run_ssh_cmd cmd:
-	ssh root@router-wan.dmz "{{cmd}}"
+    ssh root@router-wan.dmz "{{ cmd }}"
 post-setup:
-	just -v _run_ssh_cmd "opkg update"
+    just -v _run_ssh_cmd "opkg update"
-	just -v _run_ssh_cmd "opkg install luci-ssl"
+    just -v _run_ssh_cmd "opkg install luci-ssl"
-	just -v _run_ssh_cmd "opkg install luci-app-mwan3"
+    just -v _run_ssh_cmd "opkg install luci-app-mwan3"
-	# multiuser SFTP
+    # multiuser SFTP
-	just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
+    just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
`@ -1,2 +1,2 @@`
	`build:`	`build:`
	`nix-build '<nixpkgs/nixos>' -A config.system.build.isoImage -I nixos-config=iso.nix`	`nix-build '<nixpkgs/nixos>' -A config.system.build.isoImage -I nixos-config=iso.nix`