2023-07-10 13:21:11 +00:00
73 changed files with 1477 additions and 607 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,43 @@
 # This example uses YAML anchors which allows reuse of multiple keys 
 # without having to repeat yourself.
 # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
 # for a more complex example.
 keys:
  - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
  - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
  - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
  - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
  - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
 creation_rules:
  - path_regex: ^(.+/|)secrets/[^/]+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-t14
      - *sj-vps-htz0
      - *srv0-dmz0
      - *elias-e525
      - *justyna-p300
  - path_regex: ^secrets/steveej-t14/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *steveej-t14
  - path_regex: ^secrets/servers/.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-vps-htz0
  - path_regex: ^nix/os/containers/.+_secrets.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-vps-htz0
--- a/35
+++ b/35
@ -28,44 +28,29 @@ _render_templates:
 		# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
 	fi
-rebuild-remote-device device target rebuildarg="dry-activate" :
+rebuild-remote-device device +rebuildargs="dry-activate":
 	#!/usr/bin/env bash
 	set -ex
-	just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'"
+	nix run .#colmena -- apply --on {{device}} {{rebuildargs}}
 # Rebuild this device's NixOS
 rebuild-this-device +rebuildargs="dry-activate":
 	nix run .#colmena -- apply-local --sudo {{rebuildargs}}
 # Re-render the versions of a remote device and rebuild its environment
-update-remote-device devicename target rebuildmode='switch':
+update-remote-device devicename +rebuildargs='build':
 	#!/usr/bin/env bash
 	set -e
-	template=nix/os/devices/{{ devicename }}/versions.tmpl.nix
+	(
-	outfile=nix/os/devices/{{ devicename }}/versions.nix
+		set -xe
-	
+		cd nix/os/devices/{{devicename}}
-	if ! test -e ${template}; then
+		nix flake update
-		template="$(just _DEFAULT_VERSION_TMPL)"
+	)
 	fi
-	esh -o ${outfile} ${template}
+	just -v rebuild-remote-device {{devicename}} {{rebuildargs}}
 	if ! test "$(git diff ${outfile})"; then
 		echo Already on latest versions
 		exit 0
 	fi
-	just -v rebuild-remote-device {{ devicename }} {{target}} dry-activate || {
+	git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions"
 		echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile}
 		exit 1
 	}
 	just -v rebuild-remote-device {{ devicename }} {{ target }} {{ rebuildmode }} || {
 		echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile}
 		exit 1
 	}
 	git commit -v ${outfile} -m "nix/os/devices/{{ devicename }}: bump versions"
 # Re-render the versions of the current device and rebuild its environment
 update-this-device rebuild-mode='switch':
--- a/flake.lock
+++ b/flake.lock
@ -27,11 +27,11 @@
        "stable": "stable"
      },
      "locked": {
-        "lastModified": 1684127527,
+        "lastModified": 1688224393,
-        "narHash": "sha256-tAzgb2jgmRaX9HETry38h2OvBf9YkHEH1fFvIJQV9A0=",
+        "narHash": "sha256-rsAvFNhRFzTF7qyb6WprLFghJnRxMFjvD2e5/dqMp4I=",
        "owner": "zhaofengli",
        "repo": "colmena",
-        "rev": "caf33af7d854c8d9b88a8f3dae7adb1c24c1407b",
+        "rev": "19384f3ee2058c56021e4465a3ec57e84a47d8dd",
        "type": "github"
      },
      "original": {
@ -50,11 +50,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1684468982,
+        "lastModified": 1688690832,
-        "narHash": "sha256-EoC1N5sFdmjuAP3UOkyQujSOT6EdcXTnRw8hPjJkEgc=",
+        "narHash": "sha256-RJIYuOn9FaQWVzj6ytaKsHyur0KsYO9tOgaMz1XHtpQ=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "99de890b6ef4b4aab031582125b6056b792a4a30",
+        "rev": "bfc1c3dca576e2f9e02eb0176e4058305192afe3",
        "type": "github"
      },
      "original": {
@ -71,11 +71,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684003056,
+        "lastModified": 1687747614,
-        "narHash": "sha256-zl11zyRNKzAW7YLvTkxmFjSBqxZbEvfwZqNCT91ELfU=",
+        "narHash": "sha256-KXspKgtdO2YRL12Jv0sUgkwOwHrAFwdIG/90pDx8Ydg=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "8f95856432e091e5ac56fea2df81e905ddd02d27",
+        "rev": "fef67a1ddc293b595d62a660f57deabbcb70ff95",
        "type": "github"
      },
      "original": {
@ -93,11 +93,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1684650006,
+        "lastModified": 1688624761,
-        "narHash": "sha256-cIWPr9nCddVu3DITyHBNWy9tBbfc86u+BxPEnRWslMM=",
+        "narHash": "sha256-VMvhdWPCLUFhyssTSZXCxFkA9bZ05VgXZVsuYlJcZBg=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "fb17fb7db07709d2aca1efc1000fb1cf60b00b4e",
+        "rev": "a2ea120926a1234ec804c090f90312e0ec2d4541",
        "type": "github"
      },
      "original": {
@ -140,11 +140,11 @@
    },
    "flake-compat_3": {
      "locked": {
-        "lastModified": 1680531544,
+        "lastModified": 1688025799,
-        "narHash": "sha256-8qbiDTYb1kGaDADRXTItpcMKQ1TeQVkuof6oEwHUvVA=",
+        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
        "owner": "nix-community",
        "repo": "flake-compat",
-        "rev": "95e78dc12268c5e4878621845c511077f3798729",
+        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
        "type": "github"
      },
      "original": {
@ -158,11 +158,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1683560683,
+        "lastModified": 1688466019,
-        "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
+        "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "006c75898cf814ef9497252b022e91c946ba8e17",
+        "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
        "type": "github"
      },
      "original": {
@ -179,11 +179,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1683560683,
+        "lastModified": 1687762428,
-        "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
+        "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "006c75898cf814ef9497252b022e91c946ba8e17",
+        "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836",
        "type": "github"
      },
      "original": {
@ -201,11 +201,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1680392223,
+        "lastModified": 1688466019,
-        "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
+        "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
+        "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
        "type": "github"
      },
      "original": {
@ -234,11 +234,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1681202837,
+        "lastModified": 1687709756,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
        "type": "github"
      },
      "original": {
@ -252,11 +252,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1681202837,
+        "lastModified": 1687709756,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
        "type": "github"
      },
      "original": {
@ -317,11 +317,11 @@
        "nixpkgs-lib": "nixpkgs-lib_2"
      },
      "locked": {
-        "lastModified": 1681214977,
+        "lastModified": 1688299754,
-        "narHash": "sha256-pBaG4iKzF/YJQA06f87IZokB15Z13DYd6zsT/wlbWfI=",
+        "narHash": "sha256-ElNJ28wfORNv8JaCOFb/mniLiQe0cpuaj2DdD/dqdKw=",
        "owner": "nix-community",
        "repo": "lib-aggregate",
-        "rev": "19d70ca7a81956bd01a768297b84798f301e150f",
+        "rev": "6107c923522c233458760d0c7f31ad71bf1d2146",
        "type": "github"
      },
      "original": {
@ -330,14 +330,26 @@
        "type": "github"
      }
    },
    "logseqNightly": {
      "flake": false,
      "locked": {
        "narHash": "sha256-nVE7Ke2sNYK7dOZCkzABm7OFQQ3V1vcj/y5QJteacTI=",
        "type": "file",
        "url": "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230706.AppImage"
      },
      "original": {
        "type": "file",
        "url": "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230706.AppImage"
      }
    },
    "magmawm": {
      "flake": false,
      "locked": {
-        "lastModified": 1684662176,
+        "lastModified": 1687543996,
-        "narHash": "sha256-jgTAHe4JYAHjm6araJlPJZoLlnz6q/Y21bKrx/kBetk=",
+        "narHash": "sha256-S8vRKXCHF7OHestoGNe6fqqxJIc8slhaOFjvGS3oflc=",
        "owner": "MagmaWM",
        "repo": "MagmaWM",
-        "rev": "e228ed1ff6b6c6181a8b05e1c4e0d74f2634e14b",
+        "rev": "c16fa624b2c86328081a1647f483273e131df29d",
        "type": "github"
      },
      "original": {
@ -349,14 +361,14 @@
    "nix-eval-jobs": {
      "inputs": {
        "flake-parts": "flake-parts_3",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1682480188,
+        "lastModified": 1688608231,
-        "narHash": "sha256-4LG8Vl/fLWsJg+QAb5/PvZTdLtPFsYFxuGDfEAR5szA=",
+        "narHash": "sha256-RQeR/tirHIa5jhZYLCK7KnQiYTG/kq/vWdgDFLi+4+g=",
        "owner": "nix-community",
        "repo": "nix-eval-jobs",
-        "rev": "73ee1712faeb5db609fc9f991e2dc1de265acff5",
+        "rev": "477d7196a493dd011f05704fc7b42cbe95f5b30d",
        "type": "github"
      },
      "original": {
@ -365,18 +377,18 @@
        "type": "github"
      }
    },
-    "nixos-2211": {
+    "nixos-2305": {
      "locked": {
-        "lastModified": 1684141842,
+        "lastModified": 1687938137,
-        "narHash": "sha256-sbdzOwBDcyzz/Dr1ztdF+tElMyM/cgx+4XxVgz+NLRM=",
+        "narHash": "sha256-Z00c0Pk3aE1aw9x44lVcqHmvx+oX7dxCXCvKcUuE150=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2eb0795720849ae19c068e39b17362d3ebcd585c",
+        "rev": "ba2ded3227a2992f2040fad4ba6f218a701884a5",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -385,7 +397,7 @@
      "inputs": {
        "disko": "disko",
        "flake-parts": "flake-parts_2",
-        "nixos-2211": "nixos-2211",
+        "nixos-2305": "nixos-2305",
        "nixos-images": "nixos-images",
        "nixpkgs": [
          "nixpkgs"
@ -393,11 +405,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1684473129,
+        "lastModified": 1687941964,
-        "narHash": "sha256-Nmqas06HVswtASU0kwY4tD/dOtKgMIo7OlJaIGrHYwA=",
+        "narHash": "sha256-/Gr4tOq+tMBbE46njUt1aJGbsB9lpwnK99/oeC9uTXE=",
        "owner": "numtide",
        "repo": "nixos-anywhere",
-        "rev": "0586b4da4f58f0d02d94fceb06fa7e15d8d03fff",
+        "rev": "22a2964bef34f92fe1c093ae54a8ab52eefdd5df",
        "type": "github"
      },
      "original": {
@ -409,9 +421,9 @@
    },
    "nixos-images": {
      "inputs": {
-        "nixos-2211": [
+        "nixos-2305": [
          "nixos-anywhere",
-          "nixos-2211"
+          "nixos-2305"
        ],
        "nixos-unstable": [
          "nixos-anywhere",
@ -419,11 +431,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684151031,
+        "lastModified": 1686819168,
-        "narHash": "sha256-6bBOxHIRCn4WQBsjsnaLL7bwcHuCLQj1Xd3gnmbZ9LQ=",
+        "narHash": "sha256-IbRVStbKoMC2fUX6TxNO82KgpVfI8LL4Cq0bTgdYhnY=",
        "owner": "nix-community",
        "repo": "nixos-images",
-        "rev": "3758c6481cd8ad9571c0401fc634eda05a86489b",
+        "rev": "ccc1a2c08ce2fc38bcece85d2a6e7bf17bac9e37",
        "type": "github"
      },
      "original": {
@ -434,11 +446,27 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1684580438,
+        "lastModified": 1688607075,
-        "narHash": "sha256-LUPswmDn6fXP3lEBJFA2Id8PkcYDgzUilevWackYVvQ=",
+        "narHash": "sha256-KDWpwZ4xl4au5R+A+Ka+uVbyiwMDVczjwRTSqBOyqWM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "ff81c24d1dd4dc3698aeb27d2cc3991124e627e6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-2211": {
      "locked": {
        "lastModified": 1688392541,
        "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "7dc71aef32e8faf065cb171700792cf8a65c152d",
+        "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b",
        "type": "github"
      },
      "original": {
@ -448,14 +476,30 @@
        "type": "github"
      }
    },
    "nixpkgs-2305": {
      "locked": {
        "lastModified": 1688594934,
        "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "e11142026e2cef35ea52c9205703823df225c947",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
        "dir": "lib",
-        "lastModified": 1682879489,
+        "lastModified": 1688049487,
-        "narHash": "sha256-sASwo8gBt7JDnOOstnps90K1wxmVfyhsTPPNTGBPjjg=",
+        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "da45bf6ec7bbcc5d1e14d3795c025199f28e0de0",
+        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
        "type": "github"
      },
      "original": {
@ -468,11 +512,11 @@
    },
    "nixpkgs-lib_2": {
      "locked": {
-        "lastModified": 1681001314,
+        "lastModified": 1688259758,
-        "narHash": "sha256-5sDnCLdrKZqxLPK4KA8+f4A3YKO/u6ElpMILvX0g72c=",
+        "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "367c0e1086a4eb4502b24d872cea2c7acdd557f4",
+        "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6",
        "type": "github"
      },
      "original": {
@ -481,19 +525,35 @@
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1688256355,
        "narHash": "sha256-/E+OSabu4ii5+ccWff2k4vxDsXYhpc4hwnm0s6JOz7Y=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "f553c016a31277246f8d3724d3b1eee5e8c0842c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-wayland": {
      "inputs": {
        "flake-compat": "flake-compat_3",
        "lib-aggregate": "lib-aggregate",
        "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1684595659,
+        "lastModified": 1688653033,
-        "narHash": "sha256-B1NtPXWF3Xax1FDeMRYyUDr2e30blTiXLKaUSpegq0E=",
+        "narHash": "sha256-iRtkfin+7PLWd0ce/pQ8bDSo1v6N+nfgjFDFCFEKUCA=",
        "owner": "nix-community",
        "repo": "nixpkgs-wayland",
-        "rev": "031ace86d48def582fb8f7e098dc9a94fc25c3f7",
+        "rev": "bc84572c913933dbb49df2746dc8669f562da454",
        "type": "github"
      },
      "original": {
@ -504,27 +564,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1681347147,
+        "lastModified": 1688590700,
-        "narHash": "sha256-B+hTioRc3Jdf4SJyeCiO0fW5ShIznJk2OTiW2vOV+mc=",
+        "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "1a9d9175ecc48ecd033062fa09b1834d13ae9c69",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1684570954,
        "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
+        "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b",
        "type": "github"
      },
      "original": {
@ -537,11 +581,11 @@
    "ofi-pass": {
      "flake": false,
      "locked": {
-        "lastModified": 1627767117,
+        "lastModified": 1687009458,
-        "narHash": "sha256-JUXW1M4sYWL1Mahy4AXgNzIUM+3T0nshnoKPwBzAkis=",
+        "narHash": "sha256-SgndtGEd3zDztqLJYSdun6IbOqgXsvw0Q8flicPHonY=",
        "owner": "sereinity",
        "repo": "ofi-pass",
-        "rev": "6dc6938b0d45f05e307539c6c5a4609427a2747c",
+        "rev": "e99b15857438bbb6013f7f65513c13ea3f5ebdfa",
        "type": "github"
      },
      "original": {
@ -555,27 +599,38 @@
        "aphorme_launcher": "aphorme_launcher",
        "colmena": "colmena",
        "crane": "crane",
        "disko": [
          "nixos-anywhere",
          "disko"
        ],
        "fenix": "fenix",
        "flake-parts": "flake-parts",
        "get-flake": "get-flake",
        "jay": "jay",
        "logseqNightly": "logseqNightly",
        "magmawm": "magmawm",
        "nixos-anywhere": "nixos-anywhere",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": [
          "nixpkgs-2305"
        ],
        "nixpkgs-2211": "nixpkgs-2211",
        "nixpkgs-2305": "nixpkgs-2305",
        "nixpkgs-wayland": "nixpkgs-wayland",
        "ofi-pass": "ofi-pass",
        "salut": "salut",
        "sops-nix": "sops-nix",
        "srvos": "srvos",
        "yofi": "yofi"
      }
    },
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1684616122,
+        "lastModified": 1688576197,
-        "narHash": "sha256-PLQN+e93BC1Yiqt4QNCj3cJ4mHtsO7Xlgn0VprgxiX4=",
+        "narHash": "sha256-flxGk5OXBfXqlS/ZWNyT23slfPjTCkza3CV/EIfvdSU=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "a04d8456be1d289c814846178cc1ff63b4fc297b",
+        "rev": "aa91eda9028758839487ad0f0eb120944a549ff3",
        "type": "github"
      },
      "original": {
@ -597,11 +652,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1683080331,
+        "lastModified": 1688351637,
-        "narHash": "sha256-nGDvJ1DAxZIwdn6ww8IFwzoHb2rqBP4wv/65Wt5vflk=",
+        "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "d59c3fa0cba8336e115b376c2d9e91053aa59e56",
+        "rev": "f9b92316727af9e6c7fee4a761242f7f46880329",
        "type": "github"
      },
      "original": {
@ -626,6 +681,47 @@
        "type": "gitlab"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1688268466,
        "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "srvos": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1688619474,
        "narHash": "sha256-mPPR4iZxOoq3LB2EZTgo72UunV4UWdtaBTiTc3x+iPI=",
        "owner": "numtide",
        "repo": "srvos",
        "rev": "bf8ce44e0d1a380565c51bd6a707a75ac21c1a9a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "srvos",
        "type": "github"
      }
    },
    "stable": {
      "locked": {
        "lastModified": 1669735802,
@ -680,11 +776,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684070360,
+        "lastModified": 1687940979,
-        "narHash": "sha256-WaXr9ayqjp0R2+j9MrE1Ufdujw0vEA0o1G/0CrTt4Ns=",
+        "narHash": "sha256-D4ZFkgIG2s9Fyi78T3fVG9mqMD+/UnFDB62jS4gjZKY=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "27107cf3dfdc3c809d2477954d92fc2cc68b4401",
+        "rev": "0a4f06c27610a99080b69433873885df82003aae",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -2,11 +2,17 @@
 {
  inputs = {
    # flake and infra basics
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+    nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
    nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05";
    nixpkgs.follows = "nixpkgs-2305";
    flake-parts.url = "github:hercules-ci/flake-parts";
    get-flake.url = "github:ursi/get-flake";
    srvos.url = "github:numtide/srvos";
    srvos.inputs.nixpkgs.follows = "nixpkgs";
    nixos-anywhere.url = github:numtide/nixos-anywhere/main;
    nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs";
    disko.follows = "nixos-anywhere/disko";
    nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
@ -25,6 +31,9 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    # applications
    aphorme_launcher = {
      url = "github:Iaphetes/aphorme_launcher/main";
@ -56,6 +65,12 @@
      url = "gitlab:snakedye/salut";
      flake = false;
    };
    logseqNightly = {
      # url = "file:///dev/null";
      url = "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230706.AppImage";
      flake = false;
    };
  };
  outputs = inputs @ {
@ -71,7 +86,8 @@
      "aarch64-linux"
    ];
  in
-    flake-parts.lib.mkFlake {inherit inputs;} {
+    flake-parts.lib.mkFlake {inherit inputs;}
    ({withSystem, ...}: {
      flake.colmena =
        lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
        {
@ -83,12 +99,15 @@
        # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
        (builtins.map (nodeName:
          import ./nix/os/devices/${nodeName} {
            inherit nodeName;
            repoFlake = self;
            repoFlakeWithSystem = withSystem;
            nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
          }) [
          "sj-vps-htz0"
          "steveej-t14"
          "srv0-dmz0"
          "elias-e525"
          "vmd102066.contaboserver.net"
          "sj-vps-htz0.infra.stefanjunker.de"
          "justyna-p300"
        ]);
@ -128,24 +147,25 @@
          dcpj4110dwDriver = dcpj4110dw.driver;
          dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
-          aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;};
+          # broken as of 2023-04-27 because it doesn't load without a config
-          yofi = inputs'.yofi.packages.default;
+          # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;};
-          ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;};
+          # yofi = inputs'.yofi.packages.default;
          # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;};
          inherit (inputs'.colmena.packages) colmena;
-          jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) {
+          # jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) {
-            src = inputs.jay;
+          #   src = inputs.jay;
-            rustPlatform = pkgs.makeRustPlatform {
+          #   rustPlatform = pkgs.makeRustPlatform {
-              cargo = inputs'.fenix.packages.stable.toolchain;
+          #     cargo = inputs'.fenix.packages.stable.toolchain;
-              rustc = inputs'.fenix.packages.stable.toolchain;
+          #     rustc = inputs'.fenix.packages.stable.toolchain;
-            };
+          #   };
-          };
+          # };
-          magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) {
+          # magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) {
-            inherit craneLib;
+          #   inherit craneLib;
-            src = inputs.magmawm;
+          #   src = inputs.magmawm;
-          };
+          # };
          salut = craneLib.buildPackage {
            src = inputs.salut;
@ -165,5 +185,5 @@
          packages' = packages;
        };
      };
-    };
+    });
 }
--- a/nix/devShells.nix
+++ b/nix/devShells.nix
@ -20,6 +20,7 @@ pkgs.stdenv.mkDerivation {
      nixos-install-tools
      dconf2nix
      inputs'.nixos-anywhere.packages.nixos-anywhere
      nurl
      just
      git-crypt
@ -32,10 +33,12 @@ pkgs.stdenv.mkDerivation {
      prs
      fuzzel
      wofi
-      # broken as of 2023-04-27 because it doesn't load without a config
+      age
-      # packages'.aphorme_launcher
+      age-plugin-yubikey
-      packages'.yofi
+      ssh-to-age
-      # packages'.ofi-pass
+      yubico-piv-tool
      inputs'.sops-nix.packages.default
      sops
      apacheHttpd
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@ -4,10 +4,14 @@
  # these come in via home-manager.extraSpecialArgs and are specific to each node
  nodeFlake,
  packages',
  repoFlake,
  # repoFlakeInputs',
  ...
 }: let
-  pkgsMaster = nodeFlake.inputs.nixpkgs-master.${pkgs.system};
+  pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system};
  pkgsUnstableSmall = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system};
  pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
  # pkgs2211 = repoFlakeInputs'.nixpkgs-2211.legacyPackages;
 in {
  imports = [
    ../profiles/common.nix
@ -22,6 +26,7 @@ in {
    ../programs/redshift.nix
    ../programs/gpg-agent.nix
    # ../programs/espanso.nix
    ../programs/firefox.nix
    ../programs/chromium.nix
@ -31,18 +36,16 @@ in {
    ../programs/pass.nix
    ../programs/vscode
-    # TODO: broken since nixos-23.05
+    # TODO: bump these to 23.05 and make it work
-    # ../programs/radicale.nix
+    (args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;}))
-    # ../programs/espanso.nix
+    # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;}))
  ];
  home.sessionVariables.HM_CONFIG = "graphical-fullblown";
  home.sessionVariables.GOPATH = "$HOME/src/go";
  home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
  # required by logseq as of 2023-05-24
  nixpkgs.config.permittedInsecurePackages = [
    "electron-20.3.11"
  ];
  home.packages =
@ -89,8 +92,9 @@ in {
      yubikey-personalization
      yubikey-personalization-gui
-      # gnome.gnome-keyring 
+      # gnome.gnome-keyring
-      gcr gnome.seahorse
+      gcr
      gnome.seahorse
      # Language Support
      hunspellDicts.en-us
@ -110,6 +114,59 @@ in {
      # FIXME: depends on insecure openssl 1.1.1t
      # kotatogram-desktop
      tdesktop
      (let
        version = "6.20.0-beta.1";
      in
        pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: {
          inherit version;
          src = builtins.fetchurl {
            url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb";
            sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a";
          };
          preFixup =
            old.preFixup
            + ''
              gappsWrapperArgs+=(
                --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
                --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
              )
            '';
        }))
      # --add-flags "--enable-features=UseOzonePlatform"
      # --add-flags "--ozone-platform=wayland"
      (pkgsUnstableSmall.session-desktop.overrideAttrs (old: {
        nativeBuildInputs =
          old.nativeBuildInputs
          ++ [
            pkgs.wrapGAppsHook
          ];
        preFixup =
          (old.preFixup or "")
          + ''
            gappsWrapperArgs+=(
              --add-flags "--enable-features=UseOzonePlatform"
              --add-flags "--ozone-platform=wayland"
              # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
              # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}"
              # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
            )
          '';
      }))
      #(pkgsUnstableSmall.session-desktop.overrideAttrs(old: {
      #    nativeBuildInputs = old.nativeBuildInputs ++ [
      #      pkgs.wrapGAppsHook
      #    ];
      #
      #    preFixup = (old.preFixup or "") + ''
      #      gappsWrapperArgs+=(
      #        --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}"
      #        --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
      #      )
      #    '';
      #  }))
      thunderbird
      # gnome.cheese
@ -129,7 +186,8 @@ in {
      vlc
      audacity
      spotify
-      # youtube-dl-light
+      yt-dlp
      (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
      libwebcam
      # Network Tools
@ -177,12 +235,22 @@ in {
      cdrtools
      # Document Processing and Management
-      mendeley
+      gnome.nautilus
      xfce.thunar
      pcmanfm
      # mendeley
      evince
-      (logseq.override (_: {electron = pkgs.electron_20;}))
+      ((pkgsMaster.logseq.overrideAttrs (finalAttrs: previousAttrs: {
          version = "nightly";
          src = repoFlake.inputs.logseqNightly;
        }))
        .override (_: {
          electron = pkgs.electron_24;
        }))
      # File Synchronzation
-      dropbox
+      maestral
      maestral-gui
      rsync
      # Filesystem Tools
@ -236,4 +304,32 @@ in {
  systemd.user.startServices = true;
  services.syncthing.enable = true;
  services.udiskie = {
    enable = true;
    automount = true;
    notify = true;
  };
  # FIXME: doesn't work as the service can't seem to control its started PID
  services.dropbox = {
    enable = false;
    path = "${config.home.homeDirectory}/Dropbox-Hm";
  };
  # TODO: uncomment this when it's in stable home-manger
  # programs.joshuto = {
  #   enable = true;
  # };
  # systemd.user.services.maestral = {
  #   Unit.Description = "Maestral daemon";
  #   Install.WantedBy = ["default.target"];
  #   Service = {
  #     ExecStart = "${pkgs.maestral}/bin/maestral start -f";
  #     ExecStop = "${pkgs.maestral}/bin/maestral stop";
  #     Restart = "on-failure";
  #     Nice = 10;
  #   };
  # };
 }
--- a/nix/home-manager/profiles/sway-desktop.nix
+++ b/nix/home-manager/profiles/sway-desktop.nix
@ -11,12 +11,11 @@
  displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
  displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
  swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
 in {
  imports = [
-      ../profiles/wayland-desktop.nix
+    ../profiles/wayland-desktop.nix
-      ../programs/waybar.nix
+    ../programs/waybar.nix
-      ../programs/salut.nix
+    ../programs/salut.nix
  ];
  # TODO: autostart
@ -44,7 +43,7 @@ in {
    pkgs.gnome-icon-theme
    ## fonts
-    pkgs.dejavu_fonts   # just a basic good fond
+    pkgs.dejavu_fonts # just a basic good fond
    pkgs.font-awesome_5 # needed by i3status-rust
    pkgs.nerdfonts
    pkgs.font-awesome
@ -73,16 +72,16 @@ in {
    pkgs.iosevka-comfy.comfy-fixed
    # experimental stuff
    packages'.yofi
    pkgs.fuzzel
  ];
  wayland.windowManager.sway = {
    enable = true;
    systemdIntegration = true;
    # systemd.enable = true;
    xwayland = false;
-    config = let 
+    config = let
      modifier = "Mod4";
      inherit (config.wayland.windowManager.sway.config) left right up down;
    in {
@ -90,12 +89,14 @@ in {
      bars = [];
      input = {
-        "type:keyboard" = {
+        "type:keyboard" =
-          xkb_layout = config.home.keyboard.layout;
+          {
-          xkb_variant = config.home.keyboard.variant;
+            xkb_layout = config.home.keyboard.layout;
-        } // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
+            xkb_variant = config.home.keyboard.variant;
-          xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
+          }
-        };
+          // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
            xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
          };
        "type:touchpad" = {
          natural_scroll = "enabled";
@ -105,8 +106,8 @@ in {
      keybindings = lib.mkOptionDefault {
        # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
        # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
-        "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel";
+        "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
-      
+
        # only 1-9 exist on the default config
        "${modifier}+0" = "workspace number 0";
        "${modifier}+Shift+0" = "move container to workspace number 0";
@ -118,15 +119,15 @@ in {
        # move workspace to output
        "${modifier}+Control+Shift+${left}" = "move workspace to output left";
        "${modifier}+Control+Shift+${right}" = "move workspace to output right";
-        "${modifier}+Control+Shift+${up}" =  "move workspace to output up";
+        "${modifier}+Control+Shift+${up}" = "move workspace to output up";
        "${modifier}+Control+Shift+${down}" = "move workspace to output down";
        # move workspace to output with arrow keys
-        "${modifier}+Control+Shift+Left" =  "move workspace to output left";
+        "${modifier}+Control+Shift+Left" = "move workspace to output left";
        "${modifier}+Control+Shift+Right" = "move workspace to output right";
-        "${modifier}+Control+Shift+Up" =    "move workspace to output up";
+        "${modifier}+Control+Shift+Up" = "move workspace to output up";
-        "${modifier}+Control+Shift+Down" =  "move workspace to output down";
+        "${modifier}+Control+Shift+Down" = "move workspace to output down";
-        "${modifier}+Shift+e" =  "exec ${pkgs.sway}/bin/swaymsg exit";
+        "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
        "${modifier}+q" = "kill";
        "${modifier}+x" = "exec ${swapOutputWorkspaces}";
@ -140,20 +141,31 @@ in {
        "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
        "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
-        # TODO: screenshot util, flameshot doesn't work in the packaged version
+        "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
        "Print" = "exec ${pkgs.flameshot}/bin/flameshot gui";
      };
      terminal = "alacritty";
-      startup = [
+      startup =
-        {command = builtins.toString(pkgs.writeShellScript "ensure-graphical-session" ''
+        [
-            (
+          {
-              ${pkgs.coreutils}/bin/sleep 0.2
+            command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
-              ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
+              (
-            ) &
+                ${pkgs.coreutils}/bin/sleep 0.2
-          ''); 
+                ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
-        }
+              ) &
-      ];
+            '');
          }
        ]
        ++ lib.optionals config.services.swayidle.enable [
          {
            command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
              (
                ${pkgs.coreutils}/bin/sleep 0.2
                ${pkgs.systemd}/bin/systemctl --user restart swayidle
              ) &
            '');
          }
        ];
      colors.focused = lib.mkOptionDefault {
        childBorder = lib.mkForce "#ffa500";
@ -166,19 +178,37 @@ in {
  services.swayidle = {
    enable = true;
    timeouts = [
-      { timeout = 10; command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi"; resumeCommand = displayOnCmd; }
+      {
-      { timeout = 60 * 5; command = lockCmd; }
+        timeout = 10;
-      { timeout = 60 * 6; command = displayOffCmd; resumeCommand = displayOnCmd; }
+        command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi";
        resumeCommand = displayOnCmd;
      }
      {
        timeout = 60 * 5;
        command = lockCmd;
      }
      {
        timeout = 60 * 6;
        command = displayOffCmd;
        resumeCommand = displayOnCmd;
      }
    ];
    events = [
-      { event = "before-sleep"; 
+      {
        event = "before-sleep";
        command = builtins.concatStringsSep "; " [
          lockCmd
          "${pkgs.playerctl}/bin/playerctl pause"
-        ]; 
+        ];
      }
      {
        event = "after-resume";
        command = displayOnCmd;
      }
      {
        event = "lock";
        command = lockCmd;
      }
      { event = "after-resume"; command = displayOnCmd; }
      { event = "lock"; command = lockCmd; }
    ];
  };
 }
--- a/nix/home-manager/profiles/wayland-desktop.nix
+++ b/nix/home-manager/profiles/wayland-desktop.nix
@ -54,37 +54,13 @@ in {
    pavucontrol
    playerctl
    pasystray
-    qt5.qtwayland
+    # qt5.qtwayland
-    qt6.qtwayland
+    # qt6.qtwayland
    # probably required by flameshot
    # xdg-desktop-portal xdg-desktop-portal-wlr 
    # grim
    (nixpkgs-unstable-small.signal-desktop.overrideAttrs (old: {
      preFixup = old.preFixup + ''
        gappsWrapperArgs+=(
          --add-flags "--enable-features=UseOzonePlatform"
          --add-flags "--ozone-platform=wayland"
        )
      '';
    }))
    ((nixpkgs-unstable-small.session-desktop.override (old: {
        inherit (nixpkgs-2211) appimageTools;
      }))
        .overrideAttrs(old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [
          pkgs.wrapGAppsHook
        ];
        preFixup = (old.preFixup or "") + ''
          gappsWrapperArgs+=(
            --add-flags "--enable-features=UseOzonePlatform"
            --add-flags "--ozone-platform=wayland"
          )
        '';
      }))
  ];
  home.sessionVariables = {
--- a/nix/home-manager/programs/espanso.nix
+++ b/nix/home-manager/programs/espanso.nix
@ -2,10 +2,11 @@
  pkgs,
  config,
  ...
-}: let
+}: {
  passwords = import ../../variables/passwords.crypt.nix;
 in {
  services.espanso = {
    # package = pkgs.espanso.overrideAttrs(_: {
    #   # src =
    # })
    enable = true;
    settings = {
      matches = let
--- a/nix/home-manager/programs/firefox.nix
+++ b/nix/home-manager/programs/firefox.nix
@ -1,4 +1,5 @@
 {pkgs, ...}: {
  programs.librewolf = {enable = true;};
  programs.firefox = {enable = true;};
  programs.browserpass = {
--- a/nix/home-manager/programs/radicale.nix
+++ b/nix/home-manager/programs/radicale.nix
@ -1,11 +1,10 @@
 {
  config,
  pkgs,
  lib,
  pkgs,
  osConfig,
  ...
 }: let
  passwords = import ../../variables/passwords.crypt.nix;
  libdecsync = pkgs.python3Packages.buildPythonPackage rec {
    pname = "libdecsync";
    version = "2.2.1";
@ -16,9 +15,8 @@
    };
    propagatedBuildInputs = [
-      pkgs.libxcrypt-legacy
+      # pkgs.libxcrypt-legacy
    ];
  };
  radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec {
    pname = "radicale_storage_decsync";
@ -31,13 +29,13 @@
    buildInputs = [
      pkgs.radicale
-      pkgs.libxcrypt-legacy
+      # pkgs.libxcrypt-legacy
-      pkgs.libxcrypt
+      # pkgs.libxcrypt
    ];
    nativeCheckInputs = [
-      pkgs.libxcrypt-legacy
+      # pkgs.libxcrypt-legacy
-      pkgs.libxcrypt
+      # pkgs.libxcrypt
    ];
    propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
@ -48,18 +46,17 @@
      ++ [radicale-storage-decsync];
  });
-  mkRadicaleService = { suffix, port }: let
+  mkRadicaleService = {
    suffix,
    port,
  }: let
    radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
      [server]
-      hosts = localhost:${builtins.toString(port)}
+      hosts = localhost:${builtins.toString port}
      [auth]
      type = htpasswd
-      htpasswd_filename = ${
+      htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}
        pkgs.writeText "radicale" ''
          radicale:${passwords.users.radicale}
        ''
      }
      htpasswd_encryption = bcrypt
      [storage]
@ -77,7 +74,14 @@
      Install.WantedBy = ["default.target"];
    };
  };
-in builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
+in
-  {suffix = "personal"; port = 5232;}
+  builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
-  {suffix = "family"; port = 5233;}
+    {
-]
+      suffix = "personal";
      port = 5232;
    }
    {
      suffix = "family";
      port = 5233;
    }
  ]
--- a/nix/home-manager/programs/waybar.nix
+++ b/nix/home-manager/programs/waybar.nix
@ -1,6 +1,9 @@
 { pkgs, config, repoFlake, ... }:
 {
  pkgs,
  config,
  repoFlake,
  ...
 }: {
  home.packages = [
    # required by any bar that has a tray plugin
    pkgs.libappindicator-gtk3
@ -10,8 +13,9 @@
  programs.waybar = {
    enable = true;
    package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
-    style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+    style =
-          + pkgs.lib.readFile ./waybar.css;
+      pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
      + pkgs.lib.readFile ./waybar.css;
    systemd.enable = true;
    settings = {
      mainBar = {
@ -35,12 +39,12 @@
          all-outputs = false;
        };
-        modules-center = [ 
+        modules-center = [
          "sway/window"
          # "custom/hello-from-waybar"
        ];
-        modules-right = [ 
+        modules-right = [
          "tray"
          "cpu"
@ -55,22 +59,22 @@
        tray.spacing = 10;
-        cpu.format = "  {}%";
+        cpu.format = "  {usage}%";
        memory.format = "  {}%";
-        "temperature" =  {
+        "temperature" = {
          hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input";
          format = " {temperatureC} °C";
        };
        "custom/cputemp" = {
-            format = " {}";
+          format = " {}";
-            exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'";
+          exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'";
-            interval = 2;
+          interval = 2;
        };
        "custom/fan" = {
-            format = "   {} rpm  ";
+          format = "   {} rpm  ";
-            exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'";
+          exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'";
-            interval = 2;
+          interval = 2;
        };
        battery.format = "🔋 {}%";
        pulseaudio = {
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@ -1,16 +1,41 @@
 {
  repoFlake,
  hostAddress,
  localAddress,
  imapsPort ? 993,
  sievePort ? 4190,
  autoStart ? false,
-}: let
+}: {
-  passwords = import ../../variables/passwords.crypt.nix;
+  config = {
-in {
+    pkgs,
-  config = {pkgs, ...}: {
+    config,
    ...
  }: {
    system.stateVersion = "21.11"; # Did you read the comment?
-    imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix];
+    imports = [
      ../profiles/containers/configuration.nix
      repoFlake.inputs.sops-nix.nixosModules.sops
      ../profiles/common/user.nix
    ];
    # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
    # sops.defaultSopsFile = ./mailserver_secrets.yaml;
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    sops.secrets.email_mailStefanjunkerDe = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.steveej.name;
    };
    sops.secrets.email_schtifATwebDe = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.steveej.name;
    };
    sops.secrets.email_dovecot_steveej = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.dovecot2.name;
    };
    networking.firewall.enable = false;
@ -19,6 +44,15 @@ in {
      domain = "mailserver.svc.stefanjunker.de";
    };
    # TODO: switch to a let's encrypt certificate
    sops.secrets.dovecotSslServerCert = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.dovecot2.name;
    };
    sops.secrets.dovecotSslServerKey = {
      sopsFile = ./mailserver_secrets.yaml;
      owner = config.users.users.dovecot2.name;
    };
    services.dovecot2 = {
      enable = true;
@ -30,8 +64,8 @@ in {
      enablePAM = true;
      showPAMFailure = true;
      mailLocation = "maildir:~/.maildir";
-      sslServerCert = "/etc/secrets/server.pem";
+      sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
-      sslServerKey = "/etc/secrets/server.key";
+      sslServerKey = config.sops.secrets.dovecotSslServerKey.path;
      #configFile = "/etc/dovecot/dovecot2_manual.conf";
      extraConfig = ''
@ -54,9 +88,7 @@ in {
      '';
    };
-    environment.etc."dovecot/users".text = ''
+    environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
      steveej:${passwords.email.steveej}
    '';
    systemd.services.steveej-getmail-stefanjunker = {
      enable = true;
@ -79,7 +111,7 @@ in {
          server = ssl0.ovh.net
          port = 993
          username = mail@stefanjunker.de
-          password = ${passwords.email.mailStefanjunkerDe}
+          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
          mailboxes = ('INBOX',)
          [destination]
@ -112,7 +144,7 @@ in {
          server = imap.web.de
          port = 993
          username = schtif
-          password = ${passwords.email.schtifATwebDe}
+          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
          mailboxes = ('INBOX',)
          [destination]
@ -128,10 +160,9 @@ in {
  inherit autoStart;
  bindMounts = {
-    "/etc/secrets/" = {
+    # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
-      hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
+    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
-      isReadOnly = false;
+    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
    };
    "/home" = {
      hostPath = "/var/lib/container-volumes/mailserver/home";
--- a/nix/os/containers/mailserver_secrets.yaml
+++ b/nix/os/containers/mailserver_secrets.yaml
@ -0,0 +1,40 @@
 email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str]
 email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str]
 email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str]
 dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2rwHhuSoirnADu+k6pYrH4UUTB9BQsDpCzuU4vb4Rz2pQuB0PJ9iZ3XI2fTxft+UxZI4wwAkvHXeJWxLnEvySQW3mnk2uJBaeAxhkXZ55SrKA0h1u/luiXlCoLD197yqJsaR7ldlTImfiIwZPoSRJvo33/UsEIfxlmNMrJk6kgWp9Ay1pT+K3ymWTzBaxzMypUM+Wb4BulgR62qCBxoVjXPP4tVsBwRN6LREeKpP6zIZSjNNU5SWkf2GVDuRl6AMfh8UUq5aRQqNrorRm0p9FR5CXvJZH6gOxh1jSaXGFRbyfEwlaBrzU3NYqXA4tVTh6jKeRy6tmkw3KHhV3kOeJhJ5YQy4IM4Tv03zp5M/rCCIDoZLZsmNKYpLHYKfKORBYt/XlOfnXFVW/dp+q7lMiy2vPPNaVzH6aFrlzIEUyQBfawbHPBnIN09rmW9cIzZC5n3owzq8jj8aWDILqgun7RFOnBWBaG2JE9imXoS66cKAvzGf1wpjN2pELQOpSI1dVuENxMC+K8dTu/2RN2Xe0t6x6FlHK7PHB+JNGsGOHjrga+Z2rWTqcOtY30XZpBSqoZ4XxhcFtp+gxwBuW6zjzS4hEBz1/BJTYLD0dolTp3Vzo93bsezAr+iUfNrfzESTfg8fRH89tdPCeSPv4lfi+Bo4un41x6+x14Kf66Sz5AR7dBQzypNC3ChGCKtp29ZBBee+5oQWvrYBVybbOdD+uaS6pRC/Uydubx+cDGyU1vn50Iq4XTkmiy0m8joHa7gwgOggSeDoZK8lSnwCEwssWZaxzWfO8/8gxEDJD74ki+0GzkGCSIW7EIDiEEBSuL971bqgmKOgKmzqeHYxMpO3DbrFSQVIBUzlcPMoL9GuMHnF9UWT8u3Oo4eIh8rgwJQ4tbIdIbOop1LKLSKjtt/ny4+fGjrF1gzYWHu6RDMHkl9h/AplsHH6r8x3L3rM40O8mOG/SVgqA2GTN+0pviLAPzvQ+Xb0xRQH3vfXXMkufpQtb2o0xlh4pgJw+6a4QrjSq6ZJ3saA8TeC3F6BzIEr6nAwljBMSY4v8wBQivquENBCbqo4St5h+eleKpqbpyLJQYgCyvrUST8kNa014eZjNMLnJ1XBmPO9vpUk/2FJkSpaPAPQ7thqhRBEhe+GsnkScqqrq7gLpNIX4o/HR2b70T/8/4G7uZ3KPScW25TX9D9cI7LFON3Sfprn5LK6hm2nxTmjhaD0rWNnDCkfqDfzRJeQV9kW5Hfn0rBOIsmUoQEcgeCqNKenr/lalRRiifsHDdTUwzSJLgHm09RJI4CVZ+ovPHENRW02VPP9YBupemrZazN3ttj3pin8QRRcOM0w7jeGjfSyih0E4JfiC8NzLWhBpFtBSSxi79QD2vkz17ububf37p5XMg0KfClubQgnNKxlbQ/Me7xxp1X0JlmyxpwIhaaLoz9f+268/9n4RKBGDjAY9D0jZ2zcNm+MpkoG1IIWzPBtBiGTfs+HZPH3GKiEcnkEVcUbDZis9zERamYKDMMPqfAm3KsQLXxUVyuy3cuikGxg7ab+41b1s4MtyoeoUIeRruc60Gg+rSv+d0Jl/YP9Lb5/WBGwNKzm/1R70hJnbTWRt/kKZRKsVY2rcb+FH6vXBjFAHgiszFns5oXS0Q3jhVHH4i3IUn+M6HsbqDIaJ4t4Jvtcx+ESNC2NHKCSxKe4UePng8xJ+91jB04DxdJFlTrZ7RBgjmmiMR8DPF6XiYi+awZtUaTKjZev8SPl4vSobu5aqnct0F5O6aPGB/T8nHlXevdkuQ//7BXc0RwN1ZBZzGqzc8+NzIBa9aB96XnlXPDek1C5Cc9/yVWelM9dWwTzUECBWanTRFt1uz7hpoeemGI0X7IV4DXe26yZot2PlRLFBGL/5lnoSZcjfjym1yyjd5guLdRSHOihPoDDV0JR88BDzDSS/Fx4tRCxKCuaQos+QiMlZ+yJnY9v/K88NtX9X+cRr1ZFS9Li1+uBhbJamWgtWpSJireAGZkLFSEu5GpmfcofuzDsuSYsG6wDLMpJGgRvGJeDuZ4pJTMz1dhjjWUw3blpoJW99zHVDwuSMUNEOFnFgu9BNsoq2caoDcNcm7yA0dsNl1sS3ECsBAg18KsMHA5bL6gXhAkCGOzUVBzW0NRUm8SvHloB73LvfBiFHkpqkqS8KsQZkGts+vBcVAjfDYHYy+TvcaiO0I7xEOUZMdkjuZFOkh2Q0x7pQzCarYs=,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str]
 dovecotSslServerKey: ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40ycoJAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn
            R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2
            dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj
            bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
            T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-07-09T17:29:20Z"
    mac: ENC[AES256_GCM,data:EUW7B78IB2vRGOwPM4bRoz7kYO9xHGMepF0aCOUVBFL0JCmzZyP9/bWWHYVR2SrQ29P8YgvpF32gWPEdidPReW59QRU1IXpMxnZ20Xoa+8y8H2Pj5w9cs+km6jXtphTcxDdZhQVJfXVyQH6qNb9Ypc9myhVypA2Dp/GLQ8SokoY=,iv:PDhP1TGvSS73RhkjsM2Zc0cGT8o06QVsxwO6tPKFzuQ=,tag:cy6fi3BHIN0c/c2sLVVmhg==,type:str]
    pgp:
        - created_at: "2023-07-02T20:30:30Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds
            0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf
            SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb
            5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc
            Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc
            RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx
            44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5
            uGcEfsNiUXPngkNrh/Nvhh9w
            =yHDZ
            -----END PGP MESSAGE-----
          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -1,12 +1,11 @@
 {
  repoFlake,
  hostAddress,
  localAddress,
  httpPort ? 80,
  httpsPort ? 443,
  autoStart ? false,
-}: let
+}: {
  passwords = import ../../variables/passwords.crypt.nix;
 in {
  config = {
    config,
    pkgs,
@ -15,7 +14,11 @@ in {
  }: {
    system.stateVersion = "22.05"; # Did you read the comment?
-    imports = [../profiles/containers/configuration.nix];
+    imports = [
      ../profiles/containers/configuration.nix
      repoFlake.inputs.sops-nix.nixosModules.sops
    ];
    networking.firewall.enable = false;
@ -33,6 +36,12 @@ in {
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    sops.secrets.hedgedoc_environment_file = {
      sopsFile = ./webserver_secrets.yaml;
      owner = config.users.users.hedgedoc.name;
    };
    services.nginx.enable = true;
    services.nginx.recommendedProxySettings = true;
    services.nginx.virtualHosts."www.stefanjunker.de" = {
@ -81,21 +90,26 @@ in {
        defaultPermission = "private";
        allowEmailRegister = false;
-        # oauth2 provider config
+        # these are set via the `environmentFile`
-        inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
+        dropbox = {
          appKey = "$DROPBOX_APPKEY";
          clientID = "$DROPBOX_CLIENTID";
          clientSecret = "$DROPBOX_CLIENTSECRET";
        };
        uploadsPath = "/var/lib/hedgedoc/uploads";
      };
      environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
    };
  };
  inherit autoStart;
  bindMounts = {
-    "/etc/secrets/" = {
+    # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
-      hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
+    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
-      isReadOnly = true;
+    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
    };
    "/var/www" = {
      hostPath = "/var/lib/container-volumes/webserver/var-www";
--- a/nix/os/containers/webserver_secrets.yaml
+++ b/nix/os/containers/webserver_secrets.yaml
@ -0,0 +1,36 @@
 hedgedoc_environment_file: ENC[AES256_GCM,data:yPR7lnSssSTc3lvN4fSI5UXIfZHL8bMS0lcHC61aBz2ozjkSOTVUgYOD5XJbijfMCW9UWKLvItboo/nd8iLb3S+/DX4XZfAq8Bt+ootKsneIj9rJgw7bH3HYQnzmtWoFjoXSmLM=,iv:CVbXTlAafaXpo5G6F5CtJiq2LDa/48972kRnGOmhDJI=,tag:FaoL/8SdspZWXbATXPOazg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh
            U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh
            YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP
            eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
            KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-07-09T17:55:21Z"
    mac: ENC[AES256_GCM,data:RIJuExrlGxcMMY2oofqyC9tZxqi/Tnt548cfrVe6UZ7HthlkaU/XkzGH/tw7kk28iiV5fbDRycg3xuOsh30BuHwVzguEdOH5RU8GivAOxRbEr1vxdCUs6x5Zs7PcQktRXXIv6rjJ70uVIO34f15oVE8Ag5nlUHc3lZLabCWs7Ag=,iv:lVD903ph9Mx/wbwsPIcqJi9yfgmX97XNgGB7F6N7xOE=,tag:IhdYpIgV4UzVRtwUs4wf+Q==,type:str]
    pgp:
        - created_at: "2023-07-09T17:51:27Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD
            gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO
            8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+
            XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w
            YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku
            bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI
            F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i
            g+ZF+9NNqOTKsBzEnuGsZRnI
            =iXfo
            -----END PGP MESSAGE-----
          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/nix/os/devices/default.nix
+++ b/nix/os/devices/default.nix
@ -1,7 +1,7 @@
 {
  dir,
  pkgs ? import <channels-nixos-stable> {},
-  ownLib ? import ../lib/default.nix {},
+  ownLib ? import ../lib/default.nix {inherit (pkgs) lib;},
  gitRoot ? "$(git rev-parse --show-toplevel)",
  # FIXME: why do these need explicit mentioning?
  moreargs ? "",
--- a/nix/os/devices/elias-e525/default.nix
+++ b/nix/os/devices/elias-e525/default.nix
@ -1,11 +1,13 @@
-{repoFlake}: let
+{
-  nodeName = "elias-e525";
+  nodeName,
  repoFlake,
  nodeFlake,
  ...
 }: let
  system = "x86_64-linux";
  nodeFlake = repoFlake.inputs.get-flake ./.;
 in {
  meta.nodeSpecialArgs.${nodeName} = {
-    inherit nodeName nodeFlake;
+    inherit repoFlake nodeName nodeFlake;
    packages' = repoFlake.packages.${system};
  };
@ -13,17 +15,15 @@ in {
    inherit system;
  };
  # TODO: build a module with "meta" and "freeformtype" for all the others
  ${nodeName} = {
-    deployment.targetHost = nodeName;
+    deployment.targetHost = "192.168.15.198";
    deployment.replaceUnknownProfiles = false;
    # deployment.allowLocalDeployment = true;
    imports = [
      (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
      nodeFlake.inputs.home-manager.nixosModules.home-manager
      ./configuration.nix
    ];
  };
 }
--- a/nix/os/devices/elias-e525/flake.lock
+++ b/nix/os/devices/elias-e525/flake.lock
@ -4,36 +4,35 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1681092193,
+        "lastModified": 1687871164,
-        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
+        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
+        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1681696129,
+        "lastModified": 1688868408,
-        "narHash": "sha256-Ba2y1lmsWmmAOAoTD5G9UnTS/UqV0ZFyzysgdfu7qag=",
+        "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "de66115c552acc4e0c0f92c5a5efb32e37dfa216",
+        "rev": "510d721ce097150ae3b80f84b04b13b039186571",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -43,21 +42,6 @@
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/nix/os/devices/elias-e525/flake.nix
+++ b/nix/os/devices/elias-e525/flake.nix
@ -1,8 +1,8 @@
 {
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
  inputs.home-manager = {
-    url = "github:nix-community/home-manager/release-22.11";
+    url = "github:nix-community/home-manager/release-23.05";
    inputs.nixpkgs.follows = "nixpkgs";
  };
--- a/nix/os/devices/elias-e525/pkg.nix
+++ b/nix/os/devices/elias-e525/pkg.nix
@ -17,15 +17,9 @@
    home.keyboard = keyboard;
    home.packages = with pkgs; [
      rhythmbox
      lollypop
      dia
      rustdesk
      kotatogram-desktop
      jitsi-meet-electron
      signal-desktop
    ];
  };
 in {
--- a/nix/os/devices/elias-e525/system.nix
+++ b/nix/os/devices/elias-e525/system.nix
@ -43,4 +43,6 @@ in {
  services.xserver.videoDrivers = ["modesetting"];
  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
  nix.gc = {automatic = true;};
 }
--- a/nix/os/devices/elias-e525/user.nix
+++ b/nix/os/devices/elias-e525/user.nix
@ -1,21 +1,33 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
 in {
  sops.secrets.sharedUsers-elias = {
    sopsFile = ../../../../secrets/shared-users.yaml;
    neededForUsers = true;
    format = "yaml";
  };
  sops.secrets.sharedUsers-justyna = {
    sopsFile = ../../../../secrets/shared-users.yaml;
    neededForUsers = true;
    format = "yaml";
  };
  users.extraUsers.elias = mkUser {
    uid = 1001;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-    hashedPassword = passwords.users.elias;
+    passwordFile = config.sops.secrets.sharedUsers-elias.path;
  };
  users.extraUsers.justyna = mkUser {
    uid = 1002;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-    hashedPassword = passwords.users.justyna;
+    passwordFile = config.sops.secrets.sharedUsers-justyna.path;
  };
 }
--- a/nix/os/devices/fwhost2/user.nix
+++ b/nix/os/devices/fwhost2/user.nix
@ -5,7 +5,7 @@
 }: let
  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
  # users.extraUsers.steveej2 = mkUser {
  #   uid = 1001;
--- a/nix/os/devices/justyna-p300/default.nix
+++ b/nix/os/devices/justyna-p300/default.nix
@ -1,12 +1,13 @@
-{repoFlake}: let
+{
-  nodeName = "justyna-p300";
+  nodeName,
-  # system = "i686-linux";
+  repoFlake,
  nodeFlake,
  ...
 }: let
  system = "x86_64-linux";
  nodeFlake = repoFlake.inputs.get-flake ./.;
 in {
  meta.nodeSpecialArgs.${nodeName} = {
-    inherit nodeName nodeFlake;
+    inherit repoFlake nodeName nodeFlake;
    packages' = repoFlake.packages.${system};
  };
@ -14,17 +15,15 @@ in {
    inherit system;
  };
  # TODO: build a module with "meta" and "freeformtype" for all the others
  ${nodeName} = {
    deployment.targetHost = nodeName;
    deployment.replaceUnknownProfiles = false;
    # deployment.allowLocalDeployment = true;
    imports = [
      (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
      nodeFlake.inputs.home-manager.nixosModules.home-manager
      ./configuration.nix
    ];
  };
 }
--- a/nix/os/devices/justyna-p300/flake.lock
+++ b/nix/os/devices/justyna-p300/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682299489,
+        "lastModified": 1688544596,
-        "narHash": "sha256-bqHo0/82KB+IyBMyjBd6QdyZWJl/YZeGggjBsAgRFlY=",
+        "narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "8ab9e5609929379ab15f03fd3bdc1f85419e5a3a",
+        "rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692",
        "type": "github"
      },
      "original": {
@ -24,36 +24,35 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1681092193,
+        "lastModified": 1687871164,
-        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
+        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
+        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1682303062,
+        "lastModified": 1688939073,
-        "narHash": "sha256-x+KAADp27lbxeoPXLUMxKcRsUUHDlg+qVjt5PjgBw9A=",
+        "narHash": "sha256-jYhYjeK5s6k8QS3i+ovq9VZqBJaWbxm7awTKNhHL9d0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "f5364316e314436f6b9c8fd50592b18920ab18f9",
+        "rev": "8df7a67abaf8aefc8a2839e0b48f92fdcf69a38b",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -64,21 +63,6 @@
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/nix/os/devices/justyna-p300/flake.nix
+++ b/nix/os/devices/justyna-p300/flake.nix
@ -1,8 +1,8 @@
 {
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
  inputs.home-manager = {
-    url = "github:nix-community/home-manager/release-22.11";
+    url = "github:nix-community/home-manager/release-23.05";
    inputs.nixpkgs.follows = "nixpkgs";
  };
--- a/nix/os/devices/justyna-p300/pkg.nix
+++ b/nix/os/devices/justyna-p300/pkg.nix
@ -18,15 +18,9 @@
    home.keyboard = keyboard;
    home.packages = with pkgs; [
      rhythmbox
      lollypop
      dia
      rustdesk
      kotatogram-desktop
      jitsi-meet-electron
      signal-desktop
    ];
  };
 in {
@ -55,11 +49,15 @@ in {
    variant = "";
  };
-  home-manager.users.justyna = homeEnv {
+  home-manager.users.justyna =
-    layout = "de";
+    lib.attrsets.recursiveUpdate (homeEnv {
-    options = [];
+      layout = "de";
-    variant = "";
+      options = [];
-  };
+      variant = "";
    }) {
      services.syncthing.enable = true;
      services.syncthing.tray = true;
    };
  system.stateVersion = "21.11";
 }
--- a/nix/os/devices/justyna-p300/system.nix
+++ b/nix/os/devices/justyna-p300/system.nix
@ -41,4 +41,6 @@ in {
  services.xserver.videoDrivers = ["modesetting"];
  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
  nix.gc = {automatic = true;};
 }
--- a/nix/os/devices/justyna-p300/user.nix
+++ b/nix/os/devices/justyna-p300/user.nix
@ -3,19 +3,30 @@
  pkgs,
  ...
 }: let
  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
 in {
  sops.secrets.sharedUsers-elias = {
    sopsFile = ../../../../secrets/shared-users.yaml;
    neededForUsers = true;
    format = "yaml";
  };
  sops.secrets.sharedUsers-justyna = {
    sopsFile = ../../../../secrets/shared-users.yaml;
    neededForUsers = true;
    format = "yaml";
  };
  users.extraUsers.elias = mkUser {
    uid = 1001;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-    hashedPassword = passwords.users.elias;
+    passwordFile = config.sops.secrets.sharedUsers-elias.path;
  };
  users.extraUsers.justyna = mkUser {
    uid = 1002;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-    hashedPassword = passwords.users.justyna;
+    passwordFile = config.sops.secrets.sharedUsers-justyna.path;
  };
 }
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.nix
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.nix
@ -1,36 +0,0 @@
 let
  nixpkgs = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-22.11";
    rev = ''
      a7cc81913bb3cd1ef05ed0ece048b773e1839e51'';
  };
 in {
  inherit nixpkgs;
  nixos = nixpkgs // {suffix = "/nixos";};
  "channels-nixos-stable" = nixpkgs;
  "channels-nixos-unstable" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-unstable";
    rev = ''
      c707238dc262923da5a53a5a11914117caac07a2'';
  };
  "channels-nixos-unstable-small" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-unstable-small";
    rev = ''
      09c509a5075931382582dee69f3e44bf1535c092'';
  };
  "nixpkgs-master" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "master";
    rev = ''
      3d57138bd9abe31bae25704cebaab7527010cc5e'';
  };
  "home-manager-module" = {
    url = "https://github.com/nix-community/home-manager";
    ref = "release-22.11";
    rev = ''
      b0be47978de5cfd729a79c3f57ace4c86364ff45'';
  };
 }
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.tmpl.nix
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.tmpl.nix
@ -1,41 +0,0 @@
 let
  nixpkgs = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-22.11";
    rev = ''
      <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d '
      ' -%>'';
  };
 in {
  inherit nixpkgs;
  nixos = nixpkgs // {suffix = "/nixos";};
  "channels-nixos-stable" = nixpkgs;
  "channels-nixos-unstable" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-unstable";
    rev = ''
      <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '
      ' -%>'';
  };
  "channels-nixos-unstable-small" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "nixos-unstable-small";
    rev = ''
      <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable-small | awk '{ print $1 }' | tr -d '
      ' -%>'';
  };
  "nixpkgs-master" = {
    url = "https://github.com/NixOS/nixpkgs/";
    ref = "master";
    rev = ''
      <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '
      ' -%>'';
  };
  "home-manager-module" = {
    url = "https://github.com/nix-community/home-manager";
    ref = "release-22.11";
    rev = ''
      <% git ls-remote https://github.com/nix-community/home-manager.git release-22.11 | awk '{ print $1 }' | tr -d '
      ' -%>'';
  };
 }
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/README.md
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/README.md
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/boot.nix
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/boot.nix
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/configuration.nix
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/configuration.nix
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/default.nix
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/default.nix
@ -1,11 +1,13 @@
-{repoFlake}: let
+{
-  nodeName = "sj-vps-htz0.infra.stefanjunker.de";
+  nodeName,
  repoFlake,
  nodeFlake,
  ...
 }: let
  system = "x86_64-linux";
  nodeFlake = repoFlake.inputs.get-flake ./.;
 in {
  meta.nodeSpecialArgs.${nodeName} = {
-    inherit nodeName nodeFlake;
+    inherit repoFlake nodeName nodeFlake;
    packages' = repoFlake.packages.${system};
  };
@ -14,13 +16,13 @@ in {
  };
  ${nodeName} = {
-    deployment.targetHost = nodeName;
+    deployment.targetHost = "${nodeName}.infra.stefanjunker.de";
-    deployment.replaceUnknownProfiles = true;
+    deployment.replaceUnknownProfiles = false;
    imports = [
      (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
      nodeFlake.inputs.home-manager.nixosModules.home-manager
      ./configuration.nix
    ];
  };
 }
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.lock
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.lock
@ -4,47 +4,46 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1681092193,
+        "lastModified": 1687871164,
-        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
+        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
+        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1681759395,
+        "lastModified": 1688868408,
-        "narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=",
+        "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50",
+        "rev": "510d721ce097150ae3b80f84b04b13b039186571",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1681895322,
+        "lastModified": 1688925019,
-        "narHash": "sha256-dtduardGFljEIh0Whlnhzda7Au0s1WnnSdzh2ZhCu9c=",
+        "narHash": "sha256-281HjmJycKt8rZ0/vpYTtJuZrQl6mpGNlUFf8cebmeA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "57aad37a2eab85fb5522cbc8568fe27872071a1c",
+        "rev": "2b356dae6208d422236c4cdc48f3bed749f9daea",
        "type": "github"
      },
      "original": {
@ -56,11 +55,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1681770396,
+        "lastModified": 1688891216,
-        "narHash": "sha256-tq+GZOkRA3uF3I/jIzuBGfnTRQFT4QnnRCWJ8DKSaMg=",
+        "narHash": "sha256-ZUQs8C5N6aw/QeBhUFGcX89OoYoP9jbdmbR6aSbvaHg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4df48038a44e9f3a3da8e9b42ca182726b743de4",
+        "rev": "e4a12fdac2a313b18e7f66a097108412b07c5f00",
        "type": "github"
      },
      "original": {
@ -77,21 +76,6 @@
        "nixpkgs-master": "nixpkgs-master",
        "nixpkgs-unstable": "nixpkgs-unstable"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.nix
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.nix
@ -1,10 +1,10 @@
 {
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
  inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
  inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
  inputs.home-manager = {
-    url = "github:nix-community/home-manager/release-22.11";
+    url = "github:nix-community/home-manager/release-23.05";
    inputs.nixpkgs.follows = "nixpkgs";
  };
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/hw.nix
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/hw.nix
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/pkg.nix
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/pkg.nix
--- a/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/system.nix
+++ b/nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/system.nix
@ -2,10 +2,9 @@
  pkgs,
  lib,
  config,
  repoFlake,
  ...
-}: let
+}: {
  keys = import ../../../variables/keys.nix;
 in {
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [
    # iperf3
@ -58,12 +57,10 @@ in {
  nix.gc = {automatic = true;};
  # networking.useHostResolvConf = true;
  services.openssh.forwardX11 = true;
  containers = {
    mailserver = import ../../containers/mailserver.nix {
      inherit repoFlake;
      autoStart = true;
      hostAddress = "192.168.100.10";
@ -76,6 +73,8 @@ in {
    webserver =
      import ../../containers/webserver.nix
      {
        inherit repoFlake;
        autoStart = true;
        hostAddress = "192.168.100.12";
--- a/nix/os/devices/srv0-dmz0/README.md
+++ b/nix/os/devices/srv0-dmz0/README.md
@ -0,0 +1,7 @@
 ## bootstrapping
 ```
 # TODO: generate an SSH host-key and deploy it via --extra-files 
 nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life
 ```
--- a/nix/os/devices/srv0-dmz0/configuration.nix
+++ b/nix/os/devices/srv0-dmz0/configuration.nix
@ -0,0 +1,133 @@
 {
  modulesPath,
  repoFlake,
  pkgs,
  config,
  ...
 }: let
  disk = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002051";
 in {
  disabledModules = [];
  imports = [
    repoFlake.inputs.disko.nixosModules.disko
    repoFlake.inputs.srvos.nixosModules.server
    (modulesPath + "/profiles/all-hardware.nix")
    repoFlake.inputs.srvos.nixosModules.mixins-terminfo
    repoFlake.inputs.srvos.nixosModules.mixins-systemd-boot
    repoFlake.inputs.sops-nix.nixosModules.sops
    ../../profiles/common/user.nix
  ];
  ## bare-metal machines
  srvos.boot.consoles = ["tty0"];
  boot.loader.grub.enable = false;
  boot.loader.efi.canTouchEfiVariables = false;
  disko.devices.disk.main = {
    device = disk;
    type = "disk";
    content = {
      type = "table";
      format = "gpt";
      partitions = [
        {
          name = "boot";
          start = "0";
          end = "1M";
          part-type = "primary";
          flags = ["bios_grub"];
        }
        {
          name = "ESP";
          start = "1M";
          end = "512M";
          bootable = true;
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
          };
        }
        {
          name = "root";
          start = "512M";
          end = "100%";
          part-type = "primary";
          bootable = true;
          content = {
            type = "btrfs";
            extraArgs = ["-f"]; # Override existing partition
            subvolumes = {
              # Subvolume name is different from mountpoint
              "/rootfs" = {
                mountpoint = "/";
              };
              "/nix" = {
                mountOptions = ["noatime"];
              };
            };
          };
        }
      ];
    };
  };
  hardware.enableAllFirmware = true;
  nixpkgs.config.allowUnfree = true;
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.intel.updateMicrocode = true;
  services.openssh.enable = true;
  systemd.network.enable = true;
  systemd.network.networks."10-lan" = {
    matchConfig.Name = "eth*";
    networkConfig = {
      # enable DHCP for IPv4 *and* IPv6
      DHCP = "yes";
      # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
      IPv6AcceptRA = true;
    };
  };
  networking.dhcpcd.enable = false;
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [
    22
    # iperf3
    5201
  ];
  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;
  networking.nat = {
    enable = true;
    internalInterfaces = ["ve-+"];
    externalInterface = "eth0";
  };
  # Kubernetes
  # services.kubernetes.roles = ["master" "node"];
  # virtualization
  # virtualisation = {docker.enable = true;};
  nix.gc = {automatic = true;};
  containers = {
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/nix/os/devices/srv0-dmz0/default.nix
+++ b/nix/os/devices/srv0-dmz0/default.nix
@ -0,0 +1,30 @@
 {
  nodeName,
  repoFlake,
  nodeFlake,
  ...
 }: let
  system = "x86_64-linux";
 in {
  meta.nodeSpecialArgs.${nodeName} = {
    inherit repoFlake nodeName nodeFlake;
    packages' = repoFlake.packages.${system};
  };
  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
    inherit system;
  };
  ${nodeName} = {
    deployment.targetHost = "srv0.dmz0.noosphere.life";
    deployment.replaceUnknownProfiles = false;
    imports = [
      nodeFlake.inputs.home-manager.nixosModules.home-manager
      ./configuration.nix
    ];
    networking.hostName = nodeName;
  };
 }
--- a/nix/os/devices/srv0-dmz0/flake.lock
+++ b/nix/os/devices/srv0-dmz0/flake.lock
@ -0,0 +1,83 @@
 {
  "nodes": {
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1687871164,
        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-23.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1688594934,
        "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "e11142026e2cef35ea52c9205703823df225c947",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-master": {
      "locked": {
        "lastModified": 1688668881,
        "narHash": "sha256-q5QIxsX5UR+P2uq8RyaJA/GI5z3yZiKl3Q35gVyr9UM=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "0ffe9cc640d092e6abd8c0adec483acfd2ed7cda",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1688640665,
        "narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "88faf206ce0d5cfda760539a367daf6cde5b3712",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "nixpkgs-master": "nixpkgs-master",
        "nixpkgs-unstable": "nixpkgs-unstable"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/nix/os/devices/srv0-dmz0/flake.nix
+++ b/nix/os/devices/srv0-dmz0/flake.nix
@ -0,0 +1,12 @@
 {
  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
  inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
  inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
  inputs.home-manager = {
    url = "github:nix-community/home-manager/release-23.05";
    inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = _: {};
 }
--- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
@ -5,7 +5,7 @@
 }: let
  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
  users.extraUsers.sjunker = mkUser {
    uid = 1001;
--- a/nix/os/devices/steveej-pa600/user.nix
+++ b/nix/os/devices/steveej-pa600/user.nix
@ -5,7 +5,7 @@
 }: let
  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
  users.extraUsers.steveej2 = mkUser {
    uid = 1001;
--- a/nix/os/devices/steveej-t14/boot.nix
+++ b/nix/os/devices/steveej-t14/boot.nix
@ -8,7 +8,8 @@
  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
  # boot.tmpOnTmpfs = lib.mkForce false;
-  boot.tmpOnTmpfsSize = "100%";
+  boot.tmp.tmpfsSize = "100%";
  # TODO: make this work
  # systemd.tmpfiles.rules = lib.mkForce [ "d /tmp 1777 root root 1d" ];
 }
--- a/nix/os/devices/steveej-t14/configuration.nix
+++ b/nix/os/devices/steveej-t14/configuration.nix
@ -10,5 +10,6 @@
    ./pkg.nix
    ./user.nix
    ./boot.nix
    ./secrets.nix
  ];
 }
--- a/nix/os/devices/steveej-t14/default.nix
+++ b/nix/os/devices/steveej-t14/default.nix
@ -1,12 +1,15 @@
-{repoFlake}: let
+{
-  nodeName = "steveej-t14";
+  nodeName,
  repoFlake,
  repoFlakeWithSystem,
  nodeFlake,
 }: let
  system = "x86_64-linux";
  nodeFlake = repoFlake.inputs.get-flake ./.;
 in {
  meta.nodeSpecialArgs.${nodeName} = {
    inherit repoFlake nodeName nodeFlake;
    packages' = repoFlake.packages.${system};
    repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
  };
  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
--- a/nix/os/devices/steveej-t14/flake.lock
+++ b/nix/os/devices/steveej-t14/flake.lock
@ -23,11 +23,11 @@
    },
    "nixpkgs-2211": {
      "locked": {
-        "lastModified": 1688043300,
+        "lastModified": 1688392541,
-        "narHash": "sha256-UmpvFT0v4U4jxXhrfr+x1NuaOFULkIyCfS/WT6N6T7s=",
+        "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c6643a93d25abf3cf5d40a4e05bcf904b9f0e586",
+        "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b",
        "type": "github"
      },
      "original": {
@ -39,11 +39,11 @@
    },
    "nixpkgs-2305": {
      "locked": {
-        "lastModified": 1688109178,
+        "lastModified": 1688868408,
-        "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=",
+        "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422",
+        "rev": "510d721ce097150ae3b80f84b04b13b039186571",
        "type": "github"
      },
      "original": {
@ -55,11 +55,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1688203387,
+        "lastModified": 1688969282,
-        "narHash": "sha256-2xQBKKoSTdGPubp7M000aP9ccO+Z3DMcpq2ZX5Hj6XQ=",
+        "narHash": "sha256-Ti0dejGXXvhEDATY5nJB0GdKM6AdVwJNTp6LWx8pHyw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "cbb87f134682b20dc218b529fe95030468d67a0d",
+        "rev": "9d6e454b857fb472fa35fc8b098fa5ac307a0d7d",
        "type": "github"
      },
      "original": {
@ -71,11 +71,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1688049487,
+        "lastModified": 1688918189,
-        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
+        "narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
+        "rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484",
        "type": "github"
      },
      "original": {
@ -87,11 +87,11 @@
    },
    "nixpkgs-unstable-small": {
      "locked": {
-        "lastModified": 1688180391,
+        "lastModified": 1688951312,
-        "narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=",
+        "narHash": "sha256-0oG4uv60m5+oOMqgYYQ3ao3OK3YP3n3t7nWFtuyR/uQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd",
+        "rev": "2a5f6cac357616d2596167d0631b4ca729e9a3ea",
        "type": "github"
      },
      "original": {
--- a/nix/os/devices/steveej-t14/hw.nix
+++ b/nix/os/devices/steveej-t14/hw.nix
@ -20,48 +20,47 @@ in {
  services.tlp = {
    enable = true;
    settings = {
-      CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
+      # CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
      CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
-      CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
+      # CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
      CPU_ENERGY_PERF_POLICY_ON_BAT="power";
-      SCHED_POWERSAVE_ON_AC="1";
+      # SCHED_POWERSAVE_ON_AC="1";
      SCHED_POWERSAVE_ON_BAT="1";
      CPU_BOOST_ON_AC="0";
      CPU_BOOST_ON_BAT="0";
-
+      # RADEON_DPM_PERF_LEVEL_ON_AC="auto";
      RADEON_DPM_PERF_LEVEL_ON_AC="auto";
      RADEON_DPM_PERF_LEVEL_ON_BAT="low";
-      RADEON_DPM_STATE_ON_AC="balanced";
+      # RADEON_DPM_STATE_ON_AC="balanced";
      RADEON_DPM_STATE_ON_BAT="battery";
-      SOUND_POWER_SAVE_ON_AC="1";
+      # SOUND_POWER_SAVE_ON_AC="1";
      SOUND_POWER_SAVE_ON_BAT="1";
-      # PLATFORM_PROFILE_ON_AC="low-power";
+      # # PLATFORM_PROFILE_ON_AC="low-power";
-      # PLATFORM_PROFILE_ON_BAT="low-power";
+      # # PLATFORM_PROFILE_ON_BAT="low-power";
-      PLATFORM_PROFILE_ON_AC="balanced";
+      # PLATFORM_PROFILE_ON_AC="balanced";
      PLATFORM_PROFILE_ON_BAT="low-power";
-      RUNTIME_PM_ON_AC = "auto";
+      # RUNTIME_PM_ON_AC = "auto";
      RUNTIME_PM_ON_BAT = "auto";
-      PCIE_ASPM_ON_AC="default";
+      # PCIE_ASPM_ON_AC="default";
      PCIE_ASPM_ON_BAT="powersave";
      START_CHARGE_THRESH_BAT0 = "75";
      STOP_CHARGE_THRESH_BAT0 = "80";
      WOL_DISABLE="Y";
-      WIFI_PWR_ON_AC="on";
+      # WIFI_PWR_ON_AC="on";
      WIFI_PWR_ON_BAT="on";
      DEVICES_TO_DISABLE_ON_STARTUP="wwan";
-      #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
+      # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
-      #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
+      # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
-      #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
+      # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
    };
  };
@ -71,12 +70,13 @@ in {
      [0    0      55]
      [1    55     65]
      [1    65     75]
-      [3    75     78]
+      [2    75     78]
-      [4    78     80]
+      [3    78     80]
-      [5    80     82]
+      [4    80     82]
-      [6    82     84]
+      [5    82     84]
-      [7    84     86]
+      [6    84     86]
-      ["level full-speed"    86     999]
+      [7    86     88]
      ["level full-speed"    88     999]
    ];
  };
--- a/nix/os/devices/steveej-t14/pkg.nix
+++ b/nix/os/devices/steveej-t14/pkg.nix
@ -9,6 +9,9 @@
        ];
      })
    ];
    home.sessionVariables = {
    };
  };
  # TODO: fix the following errors with regreet
--- a/nix/os/devices/steveej-t14/secrets.nix
+++ b/nix/os/devices/steveej-t14/secrets.nix
@ -0,0 +1,7 @@
 {config, ...}: {
  sops.secrets.radicale_htpasswd = {
    sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd;
    format = "binary";
    owner = config.users.users.steveej.name;
  };
 }
--- a/nix/os/devices/steveej-t14/system.nix
+++ b/nix/os/devices/steveej-t14/system.nix
@ -3,6 +3,7 @@
  lib,
  config,
  nodeName,
  repoFlake,
  ...
 }: let
  passwords = import ../../../variables/passwords.crypt.nix;
@ -10,18 +11,21 @@ in {
  nix.settings = {
    substituters = [
      "https://holochain-ci.cachix.org"
-      # "https://cache.holo.host/"
+      "https://cache.holo.host/"
    ];
    trusted-public-keys = [
      "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
-      # "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
+      "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
-      # "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
+      "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
    ];
    extra-experimental-features = ["impure-derivations"];
    system-features = ["recursive-nix" "big-parallel"];
  };
  networking.extraHosts = ''
  '';
  networking.bridges."virbr1".interfaces = [];
  networking.interfaces."virbr1".ipv4.addresses = [
    {
@ -35,7 +39,7 @@ in {
  # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
  networking.firewall.interfaces."eth+".allowedTCPPorts = [
-    22 
+    22
    # syncthing
    22000
@ -43,9 +47,10 @@ in {
    # iperf3
    5201
  ];
-  networking.firewall.interfaces."eth+".allowedUDPPorts = [ 
+  networking.firewall.interfaces."eth+".allowedUDPPorts = [
    # syncthing
-    22000 21027
+    22000
    21027
  ];
  networking.firewall.logRefusedConnections = false;
@ -96,8 +101,50 @@ in {
  services.zerotierone = {
    enable = true;
    joinNetworks = [
-      "93afae5963c547f1"
+      # moved to the service below as it's now secret
      passwords.zerotier.dweb2023.networkId
    ];
  };
  systemd.services.zerotieroneSecretNetworks = {
    enable = true;
    requiredBy = ["zerotierone.service"];
    partOf = ["zerotierone.service"];
    serviceConfig.Type = "oneshot";
    serviceConfig.RemainAfterExit = true;
    script = let
      secret = config.sops.secrets.zerotieroneNetworks;
    in ''
      # include the secret's hash to trigger a restart on change
      # ${builtins.hashString "sha256" (builtins.toJSON secret)}
      ${config.systemd.services.zerotierone.preStart}
      rm -rf /var/lib/zerotier-one/networks.d/*.conf
      for network in `grep -v '#' ${secret.path}`; do
        touch /var/lib/zerotier-one/networks.d/''${network}.conf
      done
    '';
  };
  sops.secrets.zerotieroneNetworks = {
    sopsFile = ../../../../secrets/zerotierone.txt;
    format = "binary";
  };
  sops.secrets.nomad-holochain-agent-ca = {
    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.steveej.name;
  };
  sops.secrets.nomad-holochain-cli-cert = {
    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.steveej.name;
  };
  sops.secrets.nomad-holochain-cli-key = {
    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.steveej.name;
  };
 }
--- a/nix/os/devices/steveej-t14/user.nix
+++ b/nix/os/devices/steveej-t14/user.nix
@ -1,16 +1,20 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
 in {
  users.extraUsers.steveej2 = mkUser {
    uid = 1001;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
    passwordFile = config.sops.secrets.sharedUsers-steveej.path;
  };
  nix.settings.trusted-users = ["steveej"];
  security.pam.u2f.enable = true;
  security.pam.services.steveej.u2fAuth = true;
 }
--- a/nix/os/devices/steveej-utilitepro/configuration.nix
+++ b/nix/os/devices/steveej-utilitepro/configuration.nix
@ -269,6 +269,7 @@ in {
  users.mutableUsers = false;
  users.extraUsers.root = {
    # FIXME: this is deprecated but so is this device probably
    hashedPassword = passwords.users.root;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"
@ -279,6 +280,7 @@ in {
    isNormalUser = true;
    home = "/home/steveej";
    extraGroups = ["wheel" "libvirtd"];
    # FIXME: this is deprecated but so is this device probably
    hashedPassword = passwords.users.steveej;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"
--- a/nix/os/devices/vmd102066.contaboserver.net/default.nix
+++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix
@ -1,4 +1,4 @@
-{repoFlake}: let
+{repoFlake, ...}: let
  nodeName = "vmd102066.contaboserver.net";
  system = "x86_64-linux";
--- a/nix/os/lib/default.nix
+++ b/nix/os/lib/default.nix
@ -1,21 +1,11 @@
 {
-  keys ? import ../../variables/keys.nix,
+  lib,
-  passwords ? import ../../variables/passwords.crypt.nix,
+  config,
-}: {
+}: let
-  mkRoot = {} @ args:
+  keys = import ../../variables/keys.nix;
-    {
+in {
-      hashedPassword = passwords.users.root;
+  mkUser = args: (
-      openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+    lib.attrsets.recursiveUpdate {
    }
    // args;
  mkUser = {
    uid,
    hashedPassword ? passwords.users.steveej,
    ...
  } @ args:
    {
      inherit uid hashedPassword;
      isNormalUser = true;
      extraGroups = [
        "docker"
@ -31,8 +21,14 @@
        "adbusers"
      ];
      openssh.authorizedKeys.keys = keys.users.steveej.openssh;
      # TODO: investigate why this secret cannot be found
      # openssh.authorizedKeys.keyFiles = [
      #   config.sops.secrets.sharedSshKeys-steveej.path
      # ];
    }
-    // args;
+    args
  );
  disk = rec {
    # TODO: verify the GPT PARTLABEL cap at 36 chars
--- a/nix/os/modules/ddclient-ovh.nix
+++ b/nix/os/modules/ddclient-ovh.nix
@ -4,8 +4,6 @@
  ...
 }: let
  cfg = config.services.ddclientovh;
  passwords = import ../../variables/passwords.crypt.nix;
 in {
  options.services.ddclientovh = with lib; {
    enable = mkEnableOption "Enable ddclient-ovh";
@ -20,10 +18,6 @@ in {
      ssl = true;
      domains = [cfg.domain];
      use = "web";
      inherit (passwords.dyndns.${cfg.domain}) username;
      passwordFile =
        builtins.toFile passwords.dyndns._filename
        passwords.dyndns.${cfg.domain}.password;
    };
  };
 }
--- a/nix/os/modules/opinionatedDisk.nix
+++ b/nix/os/modules/opinionatedDisk.nix
@ -1,11 +1,12 @@
 {
  lib,
  config,
  pkgs,
  ...
 }:
 with lib; let
  cfg = config.hardware.opinionatedDisk;
-  ownLib = import ../lib/default.nix {};
+  ownLib = pkgs.callPackage ../lib/default.nix {};
 in {
  options.hardware.opinionatedDisk = {
    enable = mkEnableOption "Enable opinionated filesystem layout";
--- a/nix/os/profiles/common/boot.nix
+++ b/nix/os/profiles/common/boot.nix
@ -4,12 +4,11 @@
    enable = true;
    efiSupport = true;
    efiInstallAsRemovable = false;
    version = 2;
  };
  boot.loader.systemd-boot.enable = false;
  boot.loader.efi.canTouchEfiVariables = true;
-  boot.tmpOnTmpfs = true;
+  boot.tmp.useTmpfs = true;
  # Workaround for nm-pptp to enforce module load
  boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"];
--- a/nix/os/profiles/common/configuration.nix
+++ b/nix/os/profiles/common/configuration.nix
@ -1,3 +1,17 @@
-{...}: {
+{
-  imports = [./boot.nix ./pkg.nix ./user.nix ./system.nix ./hw.nix];
+  config,
  pkgs,
  repoFlake,
  ...
 }: {
  imports = [
    ./boot.nix
    ./pkg.nix
    ./system.nix
    ./hw.nix
    ./user.nix
    repoFlake.inputs.sops-nix.nixosModules.sops
  ];
 }
--- a/nix/os/profiles/common/pkg.nix
+++ b/nix/os/profiles/common/pkg.nix
@ -1,7 +1,9 @@
 {
  config,
  pkgs,
  # these come in via nodeSpecialArgs and are expected to be defined for every node
  repoFlake,
  repoFlakeInputs',
  nodeFlake,
  packages',
  ...
@ -20,9 +22,12 @@
  home-manager.extraSpecialArgs = {
    inherit
      repoFlake
      repoFlakeInputs'
      packages'
      nodeFlake
      ;
    osConfig = config;
  };
  nixpkgs.config = {
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
@ -3,14 +3,47 @@
  pkgs,
  ...
 }: let
-  passwords = import ../../../variables/passwords.crypt.nix;
+  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser mkRoot;
+  inherit
    (import ../../lib/default.nix {
      inherit (pkgs) lib;
      inherit config;
    })
    mkUser
    ;
 in {
  sops.secrets.sharedUsers-root = {
    sopsFile = ../../../../secrets/shared-users.yaml;
    neededForUsers = true;
    format = "yaml";
  };
  sops.secrets.sharedUsers-steveej = {
    sopsFile = ../../../../secrets/shared-users.yaml;
    neededForUsers = true;
    format = "yaml";
  };
  sops.secrets.sharedSshKeys-steveej = {
    sopsFile = ../../../../secrets/shared-users.yaml;
    # neededForUsers = true;
    format = "yaml";
  };
  users.mutableUsers = false;
-  users.extraUsers.root = mkRoot {};
+  users.extraUsers.root = {
-  users.extraUsers.steveej = mkUser {uid = 1000;};
+    passwordFile = config.sops.secrets.sharedUsers-root.path;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-  security.pam.u2f.enable = true;
+    # TODO: investigate why this secret cannot be found
-  security.pam.services.steveej.u2fAuth = true;
+    # openssh.authorizedKeys.keyFiles = [
    #   config.sops.secrets.sharedSshKeys-steveej.path
    # ];
  };
  users.extraUsers.steveej = mkUser {
    uid = 1000;
    passwordFile = config.sops.secrets.sharedUsers-steveej.path;
  };
 }
--- a/nix/os/profiles/graphical/system.nix
+++ b/nix/os/profiles/graphical/system.nix
@ -21,7 +21,7 @@
  # hardware related services
  services.illum.enable = true;
-  services.pcscd.enable = false;
+  services.pcscd.enable = true;
  hardware.opengl.enable = true;
  hardware.bluetooth.enable = true;
  # required for running blueman-applet in user sessions
--- a/nix/variables/passwords.crypt.nix
+++ b/nix/variables/passwords.crypt.nix
--- a/secrets/holochain-infra/nomad.yaml
+++ b/secrets/holochain-infra/nomad.yaml
@ -0,0 +1,38 @@
 nomad-holochain-agent-ca: ENC[AES256_GCM,data:1nJmWFCt+HflrX3W+8mpxprH9XjaC8194z8QX0PCPeh+CbmF3oOvXNInGpoI4FQx6tFY7vFVkDoDQv7ap5f3y/6o1j7LKEKbUeWixzIiOEi7+Gop3lewjoF7UrHPl8ulRVnZSXZvEQXmaE0upwqXmmEBBocunIl0D43Umkf7g6GZ2mYQ6lPIVVcQ6lOccshjuLHZ+RjvrlMSqmpkLey1lICfTci2+S/rJp9QHclkKyU53JnCoDLchEZE4gVlDE2BJ8RUe5VWZoQoBJbw08KoUtk1zr0MdHwe0RWCoYLCaJ6+U7JUVBiT5QIT2tK8vLFY8v4p517KFb8b651Tmy/W1Zt2nEKoQUyFv101xyAp6ctlWuxvXj/2ilWgm1RtEwW5Iy54/Lkolk9NzKW3niS5zxH9PaX6Qu8bUT7HYrbTGgYPIgP7CVnjAWtCCNIy30dzAW5KUqGLvuDaQq4mfps/Mp5K8rwAJ9vg/Tof08kurc2kqyjFFaJgaOlDq5/neNjuwKsitx6drdN6pzuufclojPbULqkTiWEXeEAyaGs61Ht2/SLfMC/l9E+4kvKXYg2RMo/PAk5j/KS3D87L6xCLU1s+1JSZ/FeYAFpaBaenCQtnPiYHgmZu7PeY9If/KAjI7lFsA2SP7g2dftr9utIOzRL5YtAYvBU6LEnhi97jq7Gpq6pXxDV4On0s//ZxlVV1IuuFpu+guFexrWyfebHYxMpnmo4TyB0ZCGZbIY1z2ECaMWAtZjN9ov4lpgMmTm/Gdhovf2+0uYuedCqyqfu+3rxGoxuiyZ7W5IOWpK48KkgZZ0hPifFWXPmb9Q5JLPZdkIIRkOL/GMTsFOrrc75jDavbM1mBM0ta7kVBSYIlk4ER/ntY2HETDT86eMiHz7vmmzas5s5gfL8d5BJ+/49zPC5H8C05QCPlPdqE+UTtNGJnZ+n8lgepxpoTR2x2kKTaaeWUsWhiUQe98YAI3itWe1ZcmEqSZlMp6st2Mvu3O/p89DT+CaCKkZKNZVgr/XCoHJL23CHoPzLpBmKAtpHXJdAiY6cHYA4EQLNGx7E2IgOH8WzZ24MulcOs1yqW0+NxKB0JYbmVu4O1oyBTkcOUZLl/QfUW7B8bFgVLT//KFLUBjyOfNU7bT0Mbdsh++ipBwWs61+78dqk5ITaF92kXXE+ZcPLFe7wpQAPm80UNMRuAmabWcAiT708cs4t+h894txyr07s6JrSRUQnDhI0LvhqEvKEJH6TsbwcwFXZaqup8vHifF52FR4bXM/Xeo2Jk2731Nnhicj/VajVWQ/UKpJBiPD0H6b3c5E5s8k/du8jnwI9yh/RdaCs1mkoTL+67pL/BXzDcTlvSfZFD/bn/Mp5fziCqJrjL74TskxhVCW9077SH/hVGWupLRxek4xCUn3Zqc64ENEOSt1aogc/4uDxj,iv:QgOfg6sSs1zYtqHFCKy+94qx6edQ3iEt/JtCIoUEqGI=,tag:vSzK1bNTRZA0ytKLITXF9Q==,type:str]
 nomad-holochain-cli-cert: ENC[AES256_GCM,data:+SMQfO1zyJ6EW44IIe3uouLJ4lkwlX5y1PFpNMFLXVySsAQpwlLLXCRvTlt8r53xXJglQ4vI+CpNyaE++0A+a7/cXa0rOmxweJjN+LNI9kRR+DdAtR0tGPDiSge+tc7/penx1LJd81SIahoMjZj8Q0Ua3YO8VKKLZKq+jCfTYsWWkGYFVmrUjBZMc6X6l49mo8efmKUbOVvhZ350qfTKDuXjRewcI5vJdW1tm7Gcb5nMA+31lgXgWPOURJIOHnicuHLEYLUEEspRYy3IRuonQHrCeydrKTjRW7YTDr8GgjVBz/HwuoFdCSZ3iqf4YkxSloYfxAzG1y9/FEf2xNF2xOp3w3Pygkb8YtN6ZBX3UJOcisouyYmLc7s7FXfnrDyOlozQmb0IYBUUfrtFWTE/uvWKsRiyaWBkqgfPkf1BH/zFuhwm0nPFH5meC7ILaD71mCXG7cESo2en52AGe3i1fec+kLmtpeGAad6iET9nZxXE13bHI3WycfgpAnBjyyWVwQ6zblZMz6f0U3PgJ/l0HydgFuWE275ClE5M4o/IN+HJNk9/ehM7V/aII7v3eKVhFljNI1elF2OsDag995CyyipZ8gw2PU10XVVBBW4UZuwRpJDkKyoQI9+IR8iC4JHJ7dZpV+Wsv08KY1HHWqtW63bVrrgh7fruMZJ2OX1bgAWwTyeYkCljjm+h3A+xvhoG8Hu4FjBAb0k6FD2emwR5YkjZA9hw1gYZjvDt71X0N2Zz9n/LHZdgNvK6iVN9XRgF7h4w5oRTCVX9wjCASuTE/K01HNMOFBZZA2PdE+dCRgg4ybvtCwvmOQWE/GEzOZ1PRVdxmc3YEru/rUNDRqeTaje/buQCk7RM3mg/s+y6Gl0nrQ05UnUNKPn802bR2fyRi6SohES39O7Xp8IERFOqhzZMqliKvmamAbk4oQ0sfWnp61gGOOpd79hI9Cecxcr+AMlCeIF9RJeywgMbONGrt6uONsd92aMKr9zCaltiWa8A9dH2D3c5rNB5l/qvQVU5RVSDAwo6sCulbpmy6tn+6EAWLjxrTjciK3li/GT6bfO1HVlx+V32YgZ3pPdkH3VQzpDOaCEqpX0gkgbXWIRWQoFBNp6jgLHcB7+DBgV9DFrmThqQsqQzB3PY1s+Kyeejo8xTRmKf6YwjfbP3z3ZhUfkbP1Au7xw5/baSPf7+2u49aUNSa6j46DPzahIym9wT,iv:Spx29A5n1kLZqE6EHw+3N3Om7V1kgnM2PVk7d7wJzqM=,tag:LCvfCpldN29iRPhxzbsU0Q==,type:str]
 nomad-holochain-cli-key: ENC[AES256_GCM,data:G633C4SWwAoM9NyBEX7+xGzEondw/FY5XXqbRZxPtO8if+pWHnLRSkc9/fIs4mmCJxB89C2RAxb4tvuwCXJUZyWVQ1xEMwYXCDvJ56ggtrcDyw48iRnF/kNTIIkkHO3mWbpf6OALekcSNRZlznCUcq5K6gSgYECGuVeqcTA/NVH7q8mmBxEicUEyeO6bHopge4bz0o5Bnbpy86Ux2aw2HzSS1qreMpzEVcXIPgo4vlhaeaHj37rUHos2gKGD+GR/wD1n/D12qMsxRXlSz9N0vC50BI2QkqKtlVsv0PNib/MqjiA=,iv:SrPwR1EGCYh846luAX3RMJq+vG88NO3g/IqcjKcFi+o=,tag:ytA4ZwZ2wXz9K2trL6MU+Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVTlaZTA2WVZWWXIwMkFu
            d0lMN0tEaUVMeHY1SnBwTVVFbnVPRlFEalVRClliR05oclI5eDVnclBrY2tKK3JS
            NjhTOG11Nkh0UWF5Z2g5SzdFT2NpaUUKLS0tIENPU3RHSEVVdzhKV2lQYkR3RnM1
            c2tjQjk0TG1IeTRYdjlPeER2ZlNHMlEKMlWrDV9aNY9AbLp3BsIUZ8W1b94ue4dh
            uBPpeMLHB0T2q3C1MxnfBa8h9lZyePd3L4zYFUAX+I8CGECZNx9C3A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-07-05T08:26:42Z"
    mac: ENC[AES256_GCM,data:g3wOkP8M9eLwhccPLV2WbpsnNUyYxILstOqkmyPQ5JPaOQJpGLr0AesN8E+wVPb2cVuUJ38+/xVdWubuFXx0ptZtLoEItnXEwmTxfvRk1veyknxMvX9f4XGfeSunoOFCMNnD+C5tZncJuIeHPcSz4bObHBRbCflMblmz0cthF78=,iv:oxEeAiHqZHEkvs7OxGwO+quxj+yD8nAH2pTGSs/eNes=,tag:VFgDVJOt9qYd4k6j1t0GdA==,type:str]
    pgp:
        - created_at: "2023-07-05T08:19:26Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            wcBMA0SHG/zF3227AQf+M3metU+UqXIGIVmdw5qLqw6H1h4JPk0DFWzJRZqtt5U7
            BBdvoGr6COYFjYx3CRzXVkC/0ldNTsCnM1D2QZTbnqivP5P7L5Bp/y6jHxacBtq/
            erv3doofU54weKBFvm0xh564P7uL5+IRxbSidJhYAKAwYzvptuhEA3R1Y6szzlKY
            l6kYgROiRnOfWk8iOKBYCbcxZ8VrmRoohuky6PKaCewESNRiOR3vzkumDE8mbnLH
            /QuufFhZbg2wA8ZkG54tSBIRz8gjanQDNhh9sYtPp+PWnuDiyyZhSJef6ruT9v1f
            IUP1ybuVsMyRmMKAL0NAbW3UleoIY/GcH9nVaeT+TNJRAXS5BVX/guduIFWqqbwQ
            3fbN7k5JS/VwKCIf8kI6DOVee78F0o/C7rA02CZU9PqeX0hc47wEFvlgNn/TepON
            eFWOScb0W7O0Ug+3lRnVdLHO
            =8m42
            -----END PGP MESSAGE-----
          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/servers/dyndns.yaml
+++ b/secrets/servers/dyndns.yaml
@ -0,0 +1,47 @@
 dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str]
 dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str]
 dyndns_container-backup.svc.stefanjunker.de: ENC[AES256_GCM,data:eVRz5btXqtFwLfud,iv:D7QmO003/xgDytsU4a3dBuY2zalIHq/4+CwMkLwLVRA=,tag:fd4NZ/fOkBW1keMgqXkroA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhT0t1U2hOR2RpVU5HWVU2
            aWpSNklwak9HYUYwSEltaWlUNyt1OENLdTNRCkxyTGZZQ0ZncmZnYTdTMC90RnpT
            dlRpWGVtNWhtUS9IeEJsb0VpU3greEUKLS0tIHNBQlh4NEFsZC9NQ3hRSTBTdC9W
            TjVwOWJVQkZIc2RuWEU3QkxyVnc0UXcKIQm61AimM7hch3tT/KownHqZT7NyLNv+
            H69zogFe63Oj27a5OK5cdcy9W6u4ew7b35ybkpeooMBuy2WbUld5LQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SWZSRHF6L1d6dVd1dTVB
            elBvaGR4V1ZySW03S2Z4SWliZDVscjZQM1JJCjNscTJRM29HUXVxOWhUU0tZZllm
            dHRKUlpqTDdjd3paWjViYlIrL2g5RUEKLS0tIEJLdDJVbkVYTDVRd0toZGZVOGxu
            Vm8rS25SbE56c2RiRFFtM29pRm1ZR1kK4yKaQ5VP+X+WnIPNpVWniCX+NisVBhaO
            DM4Tz7OJuDSSWZ19kVIN+eXrLftQbKCj8+9QgbzzjgoIpER+N2Z28A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-07-01T21:10:42Z"
    mac: ENC[AES256_GCM,data:8peJxGulSe3XROk0uwjUeRJA3bY7LoR1xQB+D+NUCVFOjIqy8ROu9ZC+IAVxgDL0Y6jpO8Ob06qQ3yvGA1lgnLnDBQ9NeKLKI5KDBcY4mNChS3C5DsB7WlPZMrlp4u9dp+wbVnba6CFiSqCEvp1+D1gi6Da/QVdN/EY55Vv8l0s=,iv:GNxJf/cfA9NrhbEwzHTm/UH+jIMWBSSDF58eQjm4xd8=,tag:+WhthtHSUNzan+p9RNBD2Q==,type:str]
    pgp:
        - created_at: "2023-07-01T21:42:42Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            wcBMA0SHG/zF3227AQf/XI/S30xYCkzBweU75bCZBYDwR7hprSygW4xCI5qc8xax
            dpT5RpIrfPOelxrtjuDvkWCMa5Xfu/A6eQAF0EABZVMNiy1PpMTuarU1Np1Zfgoo
            vhYJDCe329/kQBlMFT8/6wyxQRi7bEjK19wsYrsFbKA9wSXIpz2Drx6DG5Zck4bU
            5RvAdeWgZUcnuPAlc0SYZOfl/8EBqKG83U7NW8VdoJpphifYHK2HMJpOD0mxzZ8V
            sR93tVdRA856O8ZhxdC1l1HkSSnR+0B+Dku8t4Bmy+4H6Y4KqmMhbKUIMFY+0pW9
            MDIPJ8zVGkU4PyCjDwCqoYu/XgoJvTCAYgZFpyCyPdJRAftjWvzD59u31zjJKwiG
            eyU7I73Q+jDIJDYPIrt8K7+CpEmDBpIZBQxsfmP5xFznNt4LPB07HFgC/yPDmjiC
            Vu3cIGSwFgRRdXUYnLTQCQM/
            =g1+E
            -----END PGP MESSAGE-----
          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/shared-users.yaml
+++ b/secrets/shared-users.yaml
@ -0,0 +1,80 @@
 #ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment]
 sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str]
 sharedUsers-steveej: ENC[AES256_GCM,data:vuvklQJFb0kziB/qr7LNiTB30T/1UmZUV3YE3fFpKLZSlxqwYR7e8pnj94hFMhCtPquw3qdtB8vFAIQSb2LxXUgsfNo1bmkGJU86vz3Vy9Js7oua7KlLyZjoFNpMBgbD7swyXns=,iv:nsymZS1wQ7QSL5ZqoVx/ygaP4UR/e0cYIXHg+UyhbYs=,tag:+/N1QRESOUUK/XJXgiyFfg==,type:str]
 sharedSshKeys-steveej: ENC[AES256_GCM,data:Cj8aoHYN95kOuFwMIr+gYTtvE2MNMT6WhHg+r5cEvfgLbI6EJQdMBU30nhJZ8S7uRwJwyVEnqw9qgaZYVorXrIh4oZoQBT6g0UGQ5b5lhtfj86omP7w/NukvpjUPBJEUL+JgvaNGsAbAmExPb1yQY9f/kn2QuyY31pTywcV6qeSHHlK8I2cpei5RxtuG2IX+EjvDXZ3CtQwLY7YrhLvv0K+N8XlEusnytNkXLfjRgd0dJqNLQdkuzrjFPQnuzkxoBBmwfheO8CaTpmH1C5z/dbmeIP5H9GY2gnBCu5xB2zp8ZerVi2E3teW5EZ+Sh+lz/5DOuVpPn3G8W7l4fTM8iX2IHeakjlpYewx1wmW9SZdV/zxyt5rQUtmMj3F+IVktbOWsOyXwSz0CDUlKkVKJdvzATlWdIjteKTwKEgS8RWjg5H7mGylfxyg6YrHYAHTZjC4J1Qz2CwWmAFxzpFCkHvF6QwAOUg+ST+crfw4DiSamb6SKjIg7LNz6VZTOeji6+71Q59u6g2RcdgNowzgrrQCAw7qHnewbFX/2IOW+pdASCB/q9/7218yM6fzMtcPHPiDpZ2tLHQd+45zxZpbUXXCNdNm5v9OTjjK+uA0ARLOVCw5gtd2FbKsJcwyMhXY/h028tgdRhsXIalLolorrYBPx9hR+UHU0TNihspajoNYJCTuJccMiwo8N9AT1DIdUXcOxrQL80RvWY0S6rBzES3q7a91aC/lGEmS/beO7MDgOKaEV+qwPZOLOZXWAesqsR3sKzpOdPx1gFrLvX6vIhAtzuteH0KvKujIAhCg0sEz3Ct/A1S2uNtohz8CstvEEqP6GiR6/X+sQRgxOcXGPQglz68FFKOErIz5XZJBz5+14u/lady1jxhXnVW0cxZDgmqmAvNbrQ9JjNgBvremaDUvuO5R5V5K4MHAMsNQ5yxE9iScXEfwmEvo+Gj4huJwXvwLDE/1TqIaQWX6LfZKOOZ93ivhj7eEiAz7TsLojdNUeDhnWGOYcWbEkMNzYyPb7obN/HgKzcuSixpYm+IZu4sOzXyoO5Lblzd7OObtG4P9jIj4cdxF+vm/s6MYYxtst7jRwzcv9vMLETDXx40IOSqTo2e8New2e/D003T4jx2sis0+68Iyg9m8ltEYb85v6oGFshIdafIGKBaNHm/zIL4Dw03M8kxxfuVuWZD8S2P3bnfryfA4lbOZttv2DnlPZf/Dfb+Ax5qTe5yn4uzLYDTqq9rIqdoNYUmx1OaxGa69oTIqCpL7FC6xe+9NnTEdojl9svZUhtGfThiphYcK72lryqrTyYVuAOa3WjZtHgUJ5lU8x79eExXyDexmC4RNDszar+qMiwlzMC977qsKczfTGe2audm5PLaLTYhWSOZ1p83d/xhFWhLmqjqHrPF5kYrnG+W4ZuVIqxJOrLHQhseKc4fFZrF/XCusgIcoDEq81M/EmHeEDcuWEYldn1pjbE8yzb2ZgfG8mycNh8z41lKsalKmesyZs0k0IvWmrdCpLXqWl/TgsPSO1q+zbQHyfiNewoZec3GC8k1k64zrG3CNI8bP40L6i4Uo/GFPS/y0OjgQhww+He0bWY7yP9MKqdbahpdYQE9kYU5yoJTUG+ZYRir6h6o/JmTJQy4QIvwmcx2jiiA5XXpj3cYAJ9/3eHDFCeg==,iv:QeYNlLR97tdC9i5N909GnoNyBwNNiuljF/eVbdhvGXg=,tag:lBWDaaZMQRPX/4Ln+oUQPA==,type:str]
 #ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment]
 sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str]
 #ENC[AES256_GCM,data:685Grzm+Qw==,iv:sswI1QEvU3nXgQCJcF/O4n3a1z3r6fAVAOSF7W24PZw=,tag:cH/AroGEBfCnnepyqtjt0Q==,type:comment]
 sharedUsers-elias: ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str]
 sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RUdSYmxFdXI2R25OZ0ov
            TlEwOStVeUxkbE1sbTJWZG5VZFRPNkNOeWlnCm0xMWFCdm4zMjVlcjB1ZXFZVVho
            TCtVYW84WGh2ZmdsWHBlUFJVcm8vZFkKLS0tIGFYaWptakozYVVvQ0ZmbUFjMFR3
            b0VBVTV3R2tlckJLQzlvWFVKK1h6aGsKCekGZ/RZ7nNa5yXHfgXGpSrh3J3C95mh
            7YFgjgd9ey3BGNoMNxm5E++JzxBN0d2tY7sW/G6ub+kOJIt0rAEAkg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYy9FL3pnNmdUa0VEdlV4
            aFVNTkhGWTZJcUo0YTlORmdINGkxMTlVdHkwClVyakJoZTdxVlF6UTVBbm45d1Bo
            RUl2S3BaU0NYYmtsSGhHWGxrWjVuemcKLS0tIHlqbXhXN0RUbm9sL09mbjhaSnBP
            V0hQTUJuUnlOQ1hycDJ4RlY1aCtjOFEKuDt6KRxX7+yYIHxtD0prLdxJSlHwQtxH
            8U/Q8hoE+L3lBFSE3+syMt1/pu5vHrreIOVTXAxSENsDxcE6noxQvA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK080NlJKYkZyREFpc1JM
            ZWxlV2Z5YjZRSnBFMy9CbUs2aHJkcjNVR2dJCjN5SXQzbWtiZlZBK0g0Y1ZPcHJK
            cXRCTStRSG1lamUvOFBxSFViWmFVeW8KLS0tIDFUNlRkS2RLMGdULzhzdSt5Uk02
            TjZZN1lFZ3g3YzVxQUlyQ1Y5S1NWeFEKGjqEPuxaUR/WQc+4OhUzLgtSCatVmtx+
            q4Y/wC1eqUKJHzqIMa3qeWXwrGbf6ScL3s0bNc9sxvPmWQ3NLvjUfg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Uk9zWHJCY2dnamN1S1hU
            ZWhoTkptaVArOGlHZ01Nd0ZkaGpFQ2dUU0hzCnR3WGtCVkJtSzlncVVhVU11K2d1
            SVpHa1RXN1dWMDE4cExiV2ordkhTSTAKLS0tIFBkV3oyS2VVVU92b0hnRG1nQytW
            QU5IR2FaVGswZkhIOWhzWGh4YmUyMk0KVJEFNmm57SSUreilhuzLofZIlnILnO7F
            rWASlGDi4YSGquM3lEfdn5rwqqJ3d77hSeRQEnaGhnClDYSH3nzjZQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldnVDczdmVUd3OS9jTnpB
            dDkrQS9JcUY5b3YxY0lzVFEyUTlPNk5rM1VVCk9qMzJHWitrY0pjU0NCMWI0ODhG
            S29DL0tPNWtkTStPTWRZdzlQWFJsTWcKLS0tIDdWZ1lVejcyVW5mcTgyR3ZMWlJq
            RTdBNkRINWN3MTZOSXdPMXovNDNSQUEKJZhJFN6zmdCtzoCdKiKfYQf4vU8AXRvz
            wHnPO2H8SAMK8XqjdXvIrRK6iXQIjonHO2ilTDxAGNPAFN5BpbGrWQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-07-06T20:14:22Z"
    mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str]
    pgp:
        - created_at: "2023-07-10T08:17:16Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            wcBMA0SHG/zF3227AQf8DDe0qysI5DL1xc6IbIQ+a2oKtiNyL0P4pwrdfsCcudMm
            dfhnap8JHPfVssucbA7Gicpg8iZxy9+M1o5E4es1EUBWun+tf+9utHmRKLkAJb98
            OPm+vvp/fzRU0bAtvwchskCc4REWbsq82UQdQl8uPhGoCweyWDusmAmXjjECBWmP
            sW1pSb0tGvtHM7m0cpLYepWHUZ/VOcNBeuv3fGDuI3M0fv+lCTgYQJOtIrJv+xFf
            q9dB1HGJaePsKLxmQTJW1gFdoWkc3ndfBwytY00iho1xPbrKAPSZojE0Wj227DPx
            YynEy8ruLWIVcFZsjfEm961kRiwb8MwK1xB7ov/d79JRAXrovFTT3EfFZ+2pY2FW
            w8TKQjGol/+vJ2mzlQV0LFtAxjUvgNgoAC/cJgl5c+N4qXz4ChgiT38yZ7JW2e2c
            OUwOtIhmRp4PNBU+402xfgYI
            =X23Q
            -----END PGP MESSAGE-----
          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/secrets/steveej-t14/radicale_htpasswd
+++ b/secrets/steveej-t14/radicale_htpasswd
@ -0,0 +1,26 @@
 {
 	"data": "ENC[AES256_GCM,data:4Oo7a4iL9ry9qFnzd/uwllP8UZ1re+RglnvkEO11XvSqqGhGOCUX0k0kOVD/CYbdLNq7jqVI8h5Fw5grSb6SCDzlknV0bJ70mmBQ9wEhRA82P1M/T50KH6V6XIVR7IlVhjMKkdW6YH0XAyrqaVh3fJUbOk9hJVvrylLvPF4vpc9+aYdzUCvn5jbecpywYY7NRKLI7H7xUmnW,iv:vvyS08x5yXTmlZo1A+Z2zsW9Mj6JrIkNt+CvB7VZJ38=,tag:MrjYVpS+SyYLUAbin85fkw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTVMxdkpjQllIZlRpQjEr\nc0RqNzNnOGplcDR6by9aL0JQY0ZmZjV3OUhrCm1sbHEvQ3hFZVg1YU5wOU5kaGpI\nK25zckJNaXhWd21kUHIyTm8yVW0reWsKLS0tIHVvbDhYZjRSbVRjOWZNaWkwcm1z\neVJyTTRNNTJBeVYxdDFCL1ozQjhQUkUK09k0LVNUugbxtZJB1JEXWmB2Q35mK1MW\nY12rpx4QwFUf1uhZDGmHMU0mrmaZRhkiTXTW+MtbHHtiGCxI8JrgLQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2023-07-01T17:49:07Z",
 		"mac": "ENC[AES256_GCM,data:DLKp0oBRgqoC1vm7Gt8IgTXQZBVhFMzRlP2CeWUHCi0PhOFFDCQCbJMJ4GnLeVAMgn1PTQXxDBJsqx1dd99oR3xXOqV6s9RUrg7BNql6G1PRnROnvGavVq+K8Oqyc6K3RDMK95Fwd20Svvyplc7fvvJVYA7XE8oVyPCj7adgIzA=,iv:0T60zdgBXTNEUyzWNH2gRJsH7D/mofiBQKD4XpaTdf4=,tag:9s0g5W0fu7PrKybYNQMfxA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2023-07-01T17:45:58Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/e3rEGHYLdAQ3t5Ye7EY8HGj3zplmEm6yX/OD6atnIH56\n1n+buBEsCnj6OMJ8IPBI1KMlR3agvrTcP1U428VaJKEqMAfAbmTxHvuYv17r4z3c\nuxtvnK4BUC0BIgf3b9FP1uQBvmwSR3bIV1JuD1or88j9iY3dO7KbwbAEF+HMqj9/\nz+NM9ZGi/mpdFHLCKp52FgKi+eiNyGiJS1a8VSda/X8GwcmQYUzSkUxOcjGVTmYr\nBzie319eutOq6zf9+8WGO+Jd8XDlFdmucXyb5kkJkKv0kUeEMKePktpxjh/SUH2E\nVWLDa3rLPEZWvvLtDeOgAWdxNVBsvAhFwyUl7hJ+INJRAbgK7jJpGJuNUmN48P/Y\nKj1/x5hKlBOQpqWyoB751Sq2hAITS/UyvpIEL7cH9ASq369SVa7tI6KL0Ut5wSDb\n1681kueTerz2szUe6DPcAC4U\n=Bu6s\n-----END PGP MESSAGE-----",
 				"fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }
--- a/secrets/zerotierone.txt
+++ b/secrets/zerotierone.txt
@ -0,0 +1,30 @@
 {
 	"data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybUlwMVhVSTlxWjk0aXV1\nRkFKN0d2TWdTNGxFK1o3QitpTG5JN1FUNEVFCmRZdVYrSlJYbVF2NFlkRHBQNFgx\nM2dGOE5yaWl0VnJVU1MzNGJ1VUZYK1kKLS0tIEh4dkI2Vk9yUStHRlNzVUVPeWVB\nVmw0V0MxWWdudE1ONkszRSs5MEtUT28KkIW7Y+9AfxbPu1V0YoL5Brdv+2AaTAn0\nXmJmn8qwOtuyWRR3sJfDfkR2eW85mrMmhJnNa1aHg5lDQUGA/eqinQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGdQN0xOVzYvOFdzbUgy\ncStsYXdxUkY4OEJ5TGhVWitoQnpsSGYxS1VjCkhaYmxOOEh6eS8yeGViZjJZZ3o5\nUVBSYXFOSkJHQnB3aHVTeEk1VWNhblEKLS0tIG9NRTFpZFJlRUVYeHpVN2ljVngv\nRzJNZnZMRlJsL0F0eVIzcnhEbSszSGsKnK0SfJe7hQKyslklwvvFlBX9GjGWf6md\nl7AZLivBP67A0GbD2DztUaiS8NsPtlV899xqIH4/YUIIUGG9M2XHew==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2023-07-01T20:19:12Z",
 		"mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2023-07-01T20:50:27Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf+JijZCf20beuFsUX5Qjt9IVmeA1VG+iRiSncX6Q9NQWqc\nRlxZP3gZz9a/SQDaG3v7S0v5FBmbCScan2xrHSrJne6ljVkxlsiE4SE9Mq1wczF7\n0gdt1pnmjKMjhVVeG2jzNqL3bPGlhIBIIBB+Sv3FHftiXwfBYP5OJh9MTaokwj5/\ntd2x9LxBi6seH+RShrFk33wKJ3gMA2cF9aFEsbvmdXPHs91glwLD1NHN3vp0lGNX\nm4otFLZ0e36aqSVyAiwpoIgLwInZxtx6nnMWVk25s0fj+fKfgnHE3RNh9BntQ19d\nZDpQn7b2DqrKozUnycwpPRojPkmaqpom5XmbuurrA9JRAQYWSmeOuJXUBfZclzLJ\nERYPWDJIN7bmYPFoMkZ2YdV/GCin6lwFfl6u74VAkpU+AMgB+0c51nEHZcO5UaWT\nLRcMPADwjmk35oiltQYOvOpm\n=CGsu\n-----END PGP MESSAGE-----",
 				"fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"
 	}
 }