add ps ports

remove d-lines
mediawiki: enable interwiki
2023-07-10 19:55:52 +01:00 · 2023-07-10 19:55:52 +01:00 · 2023-07-10 17:34:37 +02:00 · 2023-07-10 17:33:13 +02:00 · 2023-07-10 16:13:49 +02:00 · 2023-07-08 15:46:50 +02:00
84 changed files with 1589 additions and 1192 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -48,6 +48,7 @@ keys:
  - &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
  - &matrix age1s2ww76ll6nclz74gny27tk42xfsepl23z2k0849a8jv8xpnmpe3shgunxr
  - &mediawiki age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
+  - &mobilizon age182ms3ygypflk7mtpemp4k4ks9rz4gwhvzc9jlk95u4py5q68ppxstzu2e3
  - &mucbot age1cqeh03zq0hvz5l78r678q93ey5mlw49lqy4whvgqxgenudth7g6skee6kh
  - &nfsroot age18yxgwpakrkzq8ca2enayf79py25se3d8dsed2q523869re30jcaqx6rjln
  - &nncp age15853dr2kd6r2329tkcanwnruh6zd2xvsu5twc7gnxeyu3h7t6q5scckaq8
@ -74,7 +75,9 @@ creation_rules:
    key_groups:
    - pgp: *admins
      age:
+      - *blogs
      - *buzzrelay
+      - *drone
      - *gitea
      - *hedgedoc
      - *hydra
@ -83,6 +86,7 @@ creation_rules:
      - *matemat
      - *matrix
      - *mediawiki
+      - *mobilizon
      - *ticker
      - *polygon-snowflake
  - path_regex: modules/cluster/[^/]+\.yaml$
@ -278,6 +282,12 @@ creation_rules:
      age:
      - *mediawiki
      - *polygon-snowflake
+  - path_regex: hosts/mobilizon/[^/]+\.yaml$
+    key_groups:
+    - pgp: *admins
+      age:
+      - *mobilizon
+      - *polygon-snowflake
  - path_regex: hosts/oparl/secrets\.yaml$
    key_groups:
    - pgp: *admins
@ -338,3 +348,9 @@ creation_rules:
      age:
      - *prometheus
      - *polygon-snowflake
+  - path_regex: hosts/stream/[^/]+\.yaml$
+    key_groups:
+    - pgp: *admins
+      age:
+      - *stream
+      - *polygon-snowflake
--- a/config/default.nix
+++ b/config/default.nix
@ -13,16 +13,13 @@
      assertion = lib.versions.major pkgs.ceph.version != 16;
      message = "Please pin ceph to major version 16!";
    }
-    {
-      assertion = lib.versions.majorMinor pkgs.mediawiki.version != 1.39;
-      # https://www.mediawiki.org/wiki/Version_lifecycle
-      message = "Please keep mediawiki on LTS versions which is required by the LDAP extension";
-    }
  ];

  boot = {
-    cleanTmpDir = true;
+    tmp.cleanOnBoot = true;
    kernel.sysctl = {
+      # reset 60 seconds after a kernel panic
+      "kernel.panic" = 60;
      "net.ipv4.tcp_congestion_control" = "bbr";
    };
    # recommend to turn off, only on by default for backwards compatibility
@ -30,7 +27,8 @@
  };

  c3d2 = {
-    addBinaryCache = true;
+    # NOTE: this must be off, otherwise our nix binary cache creates a loop with itself
+    addBinaryCache = lib.mkForce false;
    addKnownHosts = true;
    sshKeys = ssh-public-keys;
  };
@ -53,7 +51,7 @@
      totem
      yelp # less webkitgtk's
    ];
-    noXlibs = !lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ];
+    noXlibs = !config.services.xserver.enable;
    systemPackages = with pkgs; [
      bmon
      curl
@ -84,6 +82,12 @@
    ];
  };

+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
+    # proxy protocol used by public-access-proxy
+    8080
+    8443
+  ];
+
  nix = {
    deleteChannels = true;
    deleteUserProfiles = true;
@ -152,12 +156,30 @@
  security.ldap.domainComponent = [ "c3d2" "de" ];

  services = {
+    gitea.ldap = {
+      adminGroup = "gitea-admins";
+      userGroup = "gitea-users";
+    };
+
    gnome = {
      # less webkitgtk's
      evolution-data-server.enable = lib.mkForce false;
      gnome-initial-setup.enable = false;
    };

+    hedgedoc.ldap.userGroup = "hedgedoc-users";
+
+    hydra.ldap = {
+      roleMappings = [
+        { hydra-admins = "admin"; }
+      ];
+      userGroup = "hydra-users";
+    };
+
+    mastodon.ldap.userGroup = "mastodon-users";
+
+    matrix-synapse.ldap.userGroup = "matrix-users";
+
    nginx = {
      appendHttpConfig = ''
        log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
@ -181,8 +203,11 @@
    openssh = {
      # Required for deployment and sops
      enable = true;
-      passwordAuthentication = lib.mkIf (!config.c3d2.k-ot.enable) false;
-      permitRootLogin = lib.mkOverride 900 "prohibit-password";
+      settings = {
+        LoginGraceTime = 30; # throw out unauthenticated connections earlier than the 120 default
+        PasswordAuthentication = lib.mkIf (!config.c3d2.k-ot.enable) false;
+        PermitRootLogin = lib.mkOverride 900 "prohibit-password";
+      };
    };

    portunus = with zentralwerk.lib.config.site.net.serv; {
@ -190,6 +215,20 @@
      internalIp4 = hosts4.auth;
      internalIp6 = hosts6.up4.auth;
      ldapPreset = true;
+      seedSettings.groups = [
+        {
+          long_name = "Grafana Administrators";
+          name = "grafana-admins";
+          manage_members = false;
+          permissions = {};
+        }
+        {
+          long_name = "Home-Assistant Users";
+          name = "home-assistant-users";
+          manage_members = false;
+          permissions = {};
+        }
+      ];
    };

    postgresql.upgrade = {
@ -217,7 +256,14 @@
  '';

  systemd = {
-    services.nix-daemon.serviceConfig.KillMode = "control-group";
+    network.wait-online.anyInterface = true;
+
+    services.nix-daemon.serviceConfig = {
+      # kill all worker thread when restarting
+      KillMode = "control-group";
+      # restart if killed eg oom killed
+      Restart = "on-failure";
+    };

    # Reboot on hang
    watchdog = lib.mkIf (!config.boot.isContainer) {
--- a/flake.lock
+++ b/flake.lock
@ -36,11 +36,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1672603271,
-        "narHash": "sha256-vEIqx9Wltokb5Ye7dLkQ8khmU1TYeQ4Mt7Abaia5obk=",
+        "lastModified": 1685997764,
+        "narHash": "sha256-SMIfPyGgNq7+8uChNnhIAma4QbKRTpZJnBtmggaAhiM=",
        "ref": "refs/heads/main",
-        "rev": "8722c0085c2ea1bad3a150c22c0a20637258cfd4",
-        "revCount": 20,
+        "rev": "0aaae8587303499c40b9c9ea726dbb1277a3e1c7",
+        "revCount": 23,
        "type": "git",
        "url": "https://gitea.c3d2.de/astro/alert2muc"
      },
@ -116,11 +116,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684106318,
-        "narHash": "sha256-3f0niAAVAkraRp4BDaYFF18b/Dh/qwvuttiNKq3YhLU=",
+        "lastModified": 1687654280,
+        "narHash": "sha256-55MNOIvNnwleS4VbvEruw3oBORUsXoqsIver8QT5Yug=",
        "owner": "astro",
        "repo": "buzzrelay",
-        "rev": "56b174bd58269f2d0a1c8061c21d9c86c8513dc3",
+        "rev": "89938a7c53a3ab03c3bb0006052e106c2e699bf1",
        "type": "github"
      },
      "original": {
@ -139,11 +139,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1683754009,
-        "narHash": "sha256-O+zkiMCGHqCbB2STWvEHqSs32V79O43bgvZIfTJdbbA=",
+        "lastModified": 1688413216,
+        "narHash": "sha256-Ms0xDDb6lD9oRgkfDB7gAUldkMEwS2t3InFyRbp0ejk=",
        "ref": "refs/heads/master",
-        "rev": "9c66645cc97b9328cee86a394294339c791c5cce",
-        "revCount": 27,
+        "rev": "1209819da4566cca6abc0ca4be0347d421f3886f",
+        "revCount": 37,
        "type": "git",
        "url": "https://gitea.c3d2.de/c3d2/nix-user-module.git"
      },
@ -168,11 +168,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1683306816,
-        "narHash": "sha256-O4fQ+RWCtgfkYDgEVK6KMwNftEOtWuKEgz/xCi1mC5I=",
+        "lastModified": 1686445068,
+        "narHash": "sha256-xYf1N4u8l6rGKtui2FRlVFmGr7Q0S50Js4W8lDUYrF8=",
        "ref": "main",
-        "rev": "7b5c871647bb8a6274416986b146da7e9591cc21",
-        "revCount": 247,
+        "rev": "bedb749acc1259fecdfe6cd0490cf724c0a57847",
+        "revCount": 251,
        "type": "git",
        "url": "https://gitea.c3d2.de/astro/caveman.git"
      },
@ -231,11 +231,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1682038649,
-        "narHash": "sha256-HwGwWLMKdIT24xhDf+mRoCehA8yUlLmuJgS9JeMt4IM=",
+        "lastModified": 1688484237,
+        "narHash": "sha256-qFUn2taHGe203wm7Oio4UGFz1sAiq+kitRexY3sQ1CA=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "37b3a6dad6d6060bd305eb7d3628d3b476c87bb6",
+        "rev": "626a9e0a84010728b335f14d3982e11b99af7dc6",
        "type": "github"
      },
      "original": {
@ -250,11 +250,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "lastModified": 1687709756,
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
        "type": "github"
      },
      "original": {
@ -302,11 +302,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684315870,
-        "narHash": "sha256-Km9p3lJ97s8JGWF+t3GoL3cCdCyFxPuqCkbE6zo/VS8=",
+        "lastModified": 1688933605,
+        "narHash": "sha256-eux5CjKmO+6GFoovtckoVo0es1FZ2mzupehDyHuCaCk=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "59008a1eda995fbd844a756412f7d685086c15a2",
+        "rev": "018691bf86a70b7e5d24eb37d6aad05ce1c1b12e",
        "type": "github"
      },
      "original": {
@ -322,11 +322,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1679567394,
-        "narHash": "sha256-ZvLuzPeARDLiQUt6zSZFGOs+HZmE+3g4QURc8mkBsfM=",
+        "lastModified": 1688534083,
+        "narHash": "sha256-/bI5vsioXscQTsx+Hk9X5HfweeNZz/6kVKsbdqfwW7g=",
        "owner": "nix-community",
        "repo": "naersk",
-        "rev": "88cd22380154a2c36799fe8098888f0f59861a15",
+        "rev": "abca1fb7a6cfdd355231fc220c3d0302dbb4369a",
        "type": "github"
      },
      "original": {
@ -348,11 +348,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1677107143,
-        "narHash": "sha256-7JCxZgGFeHdOTkIOsV8vsOi3FMXHO5Yn8HnzunIeM/A=",
+        "lastModified": 1686178371,
+        "narHash": "sha256-RwyZ3ZNlkTE6O7A5Lj5JcHHNCij3ZqfmZ5Pq+PB9Sq0=",
        "owner": "astro",
        "repo": "nix-cache-cut",
-        "rev": "a69adffc2a0f5216465e5fb718b8e4ca1fc54dde",
+        "rev": "9133ed18136e6acfd591e76fe06e4c095a66c39f",
        "type": "github"
      },
      "original": {
@ -363,27 +363,11 @@
    },
    "nixos": {
      "locked": {
-        "lastModified": 1684533630,
-        "narHash": "sha256-akvMq9xjy/EuDrsP8D9zUuktKoRg/UzIUMFATA6JQPw=",
+        "lastModified": 1688998315,
+        "narHash": "sha256-4aaOQRsvbTja2to/UoNdUQJ7lFyhC7ORuWTDJi3+aQ8=",
        "owner": "SuperSandro2000",
        "repo": "nixpkgs",
-        "rev": "ce8783d28a1bc79007c9fa5616fd88bca4667300",
-        "type": "github"
-      },
-      "original": {
-        "owner": "SuperSandro2000",
-        "ref": "nixos-22.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixos-23-05": {
-      "locked": {
-        "lastModified": 1684796928,
-        "narHash": "sha256-GxF+TX2UsuiIj0rdLkovBBWnMdAccWmw/T9p6S00etU=",
-        "owner": "SuperSandro2000",
-        "repo": "nixpkgs",
-        "rev": "7582acc515fa86fb0c5797970ea987f3872a8ad6",
+        "rev": "16c5018dc2650fbad8e2625aaa08ae91092f737f",
        "type": "github"
      },
      "original": {
@ -395,11 +379,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1684169666,
-        "narHash": "sha256-N5jrykeSxLVgvm3Dd3hZ38/XwM/jU+dltqlXgrGlYxk=",
+        "lastModified": 1688966833,
+        "narHash": "sha256-9ilzbSwArZmDjT/g1XYD+KYOFfmoS0WOYXSQBvZDIv4=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "71ce85372a614d418d5e303dd5702a79d1545c04",
+        "rev": "f0984a5a303659bc9b73895c82a85fdfae40b87a",
        "type": "github"
      },
      "original": {
@ -415,11 +399,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684273519,
-        "narHash": "sha256-TGpB+DV3WJdn4OnS0F9C8DxfFzp74GQK5DfRLy0H94Q=",
+        "lastModified": 1688823980,
+        "narHash": "sha256-KjbiwNLWsmhSRz1mP4DEVII+3eGVRprTwdEZzVFwItk=",
        "owner": "SuperSandro2000",
        "repo": "nixos-modules",
-        "rev": "75c307d7e1f7fadf644e41cf173a8cacc68205da",
+        "rev": "0000000c066529e293dc26eae24c95703b92fe54",
        "type": "github"
      },
      "original": {
@ -448,11 +432,11 @@
    "openwrt": {
      "flake": false,
      "locked": {
-        "lastModified": 1683803702,
-        "narHash": "sha256-73Sojfjmmbooo/rt6GrFeb6rrg/XxKR3ZOSeA+mTmDk=",
+        "lastModified": 1686823292,
+        "narHash": "sha256-6p65M45Hrvg/vfLZERc4Z8mbrN+3Z5melpascgHvJP0=",
        "ref": "openwrt-21.02",
-        "rev": "491b784141da22d01819196e748e955cf07fd56a",
-        "revCount": 51311,
+        "rev": "eb8cae5391ceee679140a3d8d9abbdc47d0d6461",
+        "revCount": 51313,
        "type": "git",
        "url": "https://git.openwrt.org/openwrt/openwrt.git"
      },
@ -469,11 +453,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684494012,
-        "narHash": "sha256-Q+8j1rMAi/AXl3FIM+OALJ8gIEqVS1NHZk4cenCE/6o=",
+        "lastModified": 1688984955,
+        "narHash": "sha256-TaYPe5rzzxWmqdt+0RreA9UC9btFnPUfrcBsqfuMH34=",
        "owner": "astro",
        "repo": "nix-openwrt-imagebuilder",
-        "rev": "06d684e91397a5c14adb9b38e41869c67136276f",
+        "rev": "66d574d771e2b0c6b875ab267d1a248245e2e780",
        "type": "github"
      },
      "original": {
@ -500,7 +484,6 @@
        "naersk": "naersk",
        "nix-cache-cut": "nix-cache-cut",
        "nixos": "nixos",
-        "nixos-23-05": "nixos-23-05",
        "nixos-hardware": "nixos-hardware",
        "nixos-modules": "nixos-modules",
        "oparl-scraper": "oparl-scraper",
@ -523,11 +506,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1680267680,
-        "narHash": "sha256-atC3zkM5nBXdBFE1+Xoxpm/Ye42j/Rq12IR0qi5+/ao=",
+        "lastModified": 1688410727,
+        "narHash": "sha256-TqKZO9D64UDBCMY2sUP2ebAKP0oY7S9enrHfZaDiqBQ=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "853fb44a24b8d3341f52747caa949013121b24b4",
+        "rev": "45272efec5fcb8bc46e303d6ced8bd2ba095a667",
        "type": "github"
      },
      "original": {
@ -547,11 +530,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682024276,
-        "narHash": "sha256-k8qmH9WG3C742OzqQfGmDqKqkqawIT7MwnAabk/OiZo=",
+        "lastModified": 1687314899,
+        "narHash": "sha256-zglbWHHXnqPUnG+oSQ0xKXR4a8hgGEwbEdGr/1Jgfm0=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "21afe9cb01cd2bb38335b09f0d0efe9cb6b0f82d",
+        "rev": "417dc5995703ea9edcce098ad59bb4511271cb73",
        "type": "github"
      },
      "original": {
@ -579,11 +562,11 @@
    },
    "secrets": {
      "locked": {
-        "lastModified": 1672104460,
-        "narHash": "sha256-y0xXyFWqiED1Nd5M+iGqHkSuhGgveDLn8qGiSdbWBH8=",
+        "lastModified": 1687907247,
+        "narHash": "sha256-5gYT9+zwgOVjtx7RwBjMbLpFQTlw6jwOuRHq0k4BJyo=",
        "ref": "refs/heads/master",
-        "rev": "38c8c4f4d128c62b63d948115801750d795ec5a6",
-        "revCount": 161,
+        "rev": "000005a0a8830c8b530ce2fd01429ce55c6a05ad",
+        "revCount": 162,
        "type": "git",
        "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
      },
@ -605,11 +588,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684708973,
-        "narHash": "sha256-043T2U3frUkTUeTMVEKIa90Vowij4v3xsugR30Z4vOc=",
+        "lastModified": 1688934039,
+        "narHash": "sha256-Yqt4fxMVIvoY9sC2AZ6ycaAqqImkITVKjjgXASyKjWo=",
        "owner": "astro",
        "repo": "skyflake",
-        "rev": "418cd805973a8d15bdd6b0f4204b6ad2fc436326",
+        "rev": "1024f5c04024cd9af5f8b89e5c09532fed339c6a",
        "type": "github"
      },
      "original": {
@ -628,11 +611,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684032930,
-        "narHash": "sha256-ueeSYDii2e5bkKrsSdP12JhkW9sqgYrUghLC8aDfYGQ=",
+        "lastModified": 1688873469,
+        "narHash": "sha256-9TMSXvXmrr7bDYi+WeskWe/yho9UP01dGbV9vW5bRVc=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "a376127bb5277cd2c337a9458744f370aaf2e08d",
+        "rev": "b2047c8fc963407916ad3834165309007dc5a1f7",
        "type": "github"
      },
      "original": {
@ -644,11 +627,11 @@
    "spacemsg": {
      "flake": false,
      "locked": {
-        "lastModified": 1654295718,
-        "narHash": "sha256-lO/mvXrFiJTWX5roRooHg3m6cozvWqJTOxgl5jZ5mGI=",
+        "lastModified": 1688251777,
+        "narHash": "sha256-8sM2GdQ2nJ3YCCF5+ZW0vBNTKL3/ulY1/fmyw++5UQQ=",
        "owner": "astro",
        "repo": "spacemsg",
-        "rev": "64c714df0e64de23f77aeb05d74fecf5a7469f11",
+        "rev": "a825a738544e62c285f4497c151a73d417326da2",
        "type": "github"
      },
      "original": {
@ -734,11 +717,11 @@
    "tigger": {
      "flake": false,
      "locked": {
-        "lastModified": 1682693055,
-        "narHash": "sha256-HYvV0YrQ3r04MrfUaot73xn5V+JaFVX39lADpBaXoYs=",
+        "lastModified": 1688587276,
+        "narHash": "sha256-WsLVsnBYqZxH9QXYJ0Uutqd/g2KNARVNMjd847XLP88=",
        "owner": "astro",
        "repo": "tigger",
-        "rev": "5a702c118d413ddb748c7d7225bc3e57a1ad7606",
+        "rev": "0f6a4776eabb0469ef199b65b8955b56b4b3df52",
        "type": "github"
      },
      "original": {
@ -806,11 +789,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1684513748,
-        "narHash": "sha256-7UUtvwukw/Mx3wlgfPk9k2sR1J/r3kTgCwSfD5mGezc=",
+        "lastModified": 1688592462,
+        "narHash": "sha256-Uck4ytMTwS3MdBM2NcHFDPUPfnJw25LrDVfXKnfP34Q=",
        "ref": "refs/heads/master",
-        "rev": "05a140696815d0c85c0b01196946f08a1d170735",
-        "revCount": 1771,
+        "rev": "aa19bcb24f2661fb79d538e2114aafbe65994a2f",
+        "revCount": 1800,
        "type": "git",
        "url": "https://gitea.c3d2.de/zentralwerk/network.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -8,8 +8,7 @@

  inputs = {
    # use sandro's fork full with cherry-picked fixes
-    nixos.url = "github:SuperSandro2000/nixpkgs/nixos-22.11";
-    nixos-23-05.url = "github:SuperSandro2000/nixpkgs/nixos-23.05";
+    nixos.url = "github:SuperSandro2000/nixpkgs/nixos-23.05";
    nixos-hardware.url = "github:nixos/nixos-hardware";

    affection-src = {
@ -213,14 +212,14 @@
    };
  };

-  outputs = inputs@{ self, alert2muc, c3d2-user-module, deployment, disko, fenix, heliwatch, microvm, naersk, nixos, nixos-23-05, nixos-hardware, nixos-modules, buzzrelay, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
+  outputs = inputs@{ self, alert2muc, c3d2-user-module, deployment, disko, fenix, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-modules, buzzrelay, caveman, oparl-scraper, scrapers, secrets, skyflake, sshlogd, sops-nix, spacemsg, ticker, tigger, yammat, zentralwerk, ... }:
    let
      inherit (nixos) lib;

      inherit (import ./lib/network.nix { inherit lib zentralwerk; }) hostRegistry;

      libC = {
-        inherit (import ./lib/nginx.nix {}) defaultListen;
+        inherit (import ./lib/nginx.nix {}) defaultListen hqNetworkOnly;
      };

      overlayList = [
@ -240,9 +239,12 @@
        inherit system;

        modules = [
-          (_: {
+          ({ pkgs, ... }: {
            _module.args = {
              inherit hostRegistry libC nixos ssh-public-keys zentralwerk;
+
+              # TODO: drop!
+              is2305 = (lib.versions.majorMinor pkgs.lib.version) == "23.05";
            };

            nixpkgs.overlays = overlayList;
@ -352,7 +354,7 @@
            {
              # TODO: migrate to sops
              nixpkgs.overlays = with secrets.overlays; [
-                freifunk ospf
+                freifunk
              ];
            }
          ];
@ -461,7 +463,6 @@
            self.nixosModules.microvm
            ./hosts/mailtngbert
          ];
-          system = "x86_64-linux";
        };

        matrix = nixosSystem' {
@ -493,15 +494,12 @@
          ];
        };

-        mobilizon = nixosSystem' {
-          # TODO: pending https://github.com/NixOS/nixpkgs/pull/119132
-          # cherry-picked by sandro into his 22.11 fork
-          # nixpkgs = inputs.nixos-mobilizon;
-          modules = [
-            self.nixosModules.microvm
-            ./hosts/mobilizon
-          ];
-        };
+        # mobilizon = nixosSystem' {
+        #   modules = [
+        #     self.nixosModules.microvm
+        #     ./hosts/mobilizon
+        #   ];
+        # };

        mucbot = nixosSystem' {
          modules = [
@ -561,13 +559,6 @@
          ];
        };

-        oxigraph = nixosSystem' {
-          modules = [
-            self.nixosModules.cluster-options
-            ./hosts/oxigraph
-          ];
-        };
-
        pipebert = nixosSystem' {
          modules = [
            ./hosts/pipebert
@ -752,13 +743,6 @@
            ./hosts/ticker
          ];
        };
-
-        tmppleroma = nixosSystem' {
-          modules = [
-            self.nixosModules.cluster-options
-            ./hosts/tmppleroma
-          ];
-        };
      };

      nixosModules = {
@ -786,7 +770,6 @@
        cluster-network = ./modules/cluster/network.nix;
        cluster-options.imports = [
          deployment.nixosModules.deployment-options
-          microvm.nixosModules.microvm
          ./modules/microvm-defaults.nix
        ];
        microvm.imports = [
@ -832,19 +815,19 @@
          in
          lib.mapAttrs getBuildEntryPoint self.nixosConfigurations
          # NOTE: left here to have the code as reference if we need something like in the future, eg. on a stable update
-          // lib.mapAttrs' (hostname: nixosSystem: let
-            hostname' = hostname + "-23-05";
-          in lib.nameValuePair
-            hostname' # job display name
-            (getBuildEntryPoint hostname' (nixosSystem' (nixosSystem.args // (with nixosSystem.args; {
-              modules = modules ++ [
-              #   {
-              #     simd.enable = lib.mkForce true;
-              #   }
-              ];
-              nixos = nixos-23-05;
-            }))))
-          ) self.nixosConfigurations
+          # // lib.mapAttrs' (hostname: nixosSystem: let
+          #   hostname' = hostname + "-23-05";
+          # in lib.nameValuePair
+          #   hostname' # job display name
+          #   (getBuildEntryPoint hostname' (nixosSystem' (nixosSystem.args // (with nixosSystem.args; {
+          #     modules = modules ++ [
+          #     #   {
+          #     #     simd.enable = lib.mkForce true;
+          #     #   }
+          #     ];
+          #     nixos = inputs.nixos-23-05;
+          #   }))))
+          # ) self.nixosConfigurations
          // nixos.lib.filterAttrs (name: attr:
            (builtins.match ".+-tftproot" name != null && lib.isDerivation attr)
          ) self.packages.aarch64-linux
--- a/hosts/auth/default.nix
+++ b/hosts/auth/default.nix
@ -23,7 +23,7 @@
        enableACME = true;
        locations = {
          "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
-          "/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
+          "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
        };
      };
    };
@ -32,25 +32,59 @@
      enable = true;
      dex = {
        enable = true;
-        oidcClients = [ {
+        oidcClients = [{
          callbackURL = "https://grafana.hq.c3d2.de/login/generic_oauth";
          id = "grafana";
-        } ];
+        }];
      };
      ldap = {
        searchUserName = "search";
        suffix = "dc=c3d2,dc=de";
        tls = true;
      };
-      seedPath = ./seed.json;
+      removeAddGroup = true;
+      seedGroups = true;
+      seedSettings = {
+        groups = [
+          {
+            long_name = "Portunus Administrators";
+            name = "admins";
+            manage_members = false;
+            permissions.portunus.is_admin = true;
+          }
+          {
+            long_name = "Search";
+            name = "search";
+            manage_members = false;
+            permissions.ldap.can_read = true;
+          }
+        ];
+        users = [
+          {
+            family_name = "Administrator";
+            given_name = "Initial";
+            login_name = "admin";
+            password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/admin-password" ];
+          }
+          {
+            email = "search@c3d2.de";
+            family_name = "-";
+            given_name = "Search";
+            login_name = "search";
+            password.from_command = [ "/usr/bin/env" "cat" "/run/secrets/portunus/users/search-password" ];
+          }
+        ];
+      };
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
-    secrets."dex/environment" = libS.sops.permissionForUser "dex";
-    secrets."portunus/users/admin-password" = libS.sops.permissionForUser "portunus";
-    secrets."portunus/users/search-password" = libS.sops.permissionForUser "portunus";
+    secrets = {
+      "dex/environment".owner = "dex";
+      "portunus/users/admin-password".owner = "portunus";
+      "portunus/users/search-password".owner = "portunus";
+    };
  };

  systemd.services.dex.serviceConfig = {
--- a/hosts/auth/seed.json
+++ b/hosts/auth/seed.json
@ -1,56 +0,0 @@
-{
-  "groups": [
-    {
-      "long_name": "Portunus Administrators",
-      "name": "admins",
-      "permissions": {
-        "portunus": {
-          "is_admin": true
-        }
-      }
-    },
-    {
-      "long_name": "Search",
-      "name": "search",
-      "permissions": {
-        "ldap": {
-          "can_read": true
-        }
-      }
-    },
-    {
-      "long_name": "Gitea Administrators",
-      "name": "gitea-admins",
-      "permissions": {}
-    },
-    {
-      "long_name": "Grafana Administrators",
-      "name": "grafana-admins",
-      "permissions": {}
-    },
-    {
-      "long_name": "Hydra Administrators",
-      "name": "hydra-admins",
-      "permissions": {}
-    }
-  ],
-  "users": [
-    {
-      "family_name": "Administrator",
-      "given_name": "Initial",
-      "login_name": "admin",
-      "password": {
-        "from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/admin-password" ]
-      }
-    },
-    {
-      "email": "search@c3d2.de",
-      "family_name": "-",
-      "given_name": "Search",
-      "login_name": "search",
-      "password": {
-        "from_command": [ "/usr/bin/env", "cat", "/run/secrets/portunus/users/search-password" ]
-      }
-    }
-  ]
-}
--- a/hosts/bind/default.nix
+++ b/hosts/bind/default.nix
@ -9,6 +9,7 @@ let
      ${bind}/sbin/rndc -k /etc/bind/rndc.key $@
    }

+    chmod a+rwx /var/lib/c3d2-dns/zones
    rndc freeze
    rndc reload
    rndc thaw
@ -79,12 +80,10 @@ in
    secrets = {
     "ssh-keys/c3d2-dns/private" = {
        owner = "c3d2-dns";
-        mode = "400";
        path = "/var/lib/c3d2-dns/.ssh/id_ed25519";
      };
      "ssh-keys/c3d2-dns/public" = {
        owner = "c3d2-dns";
-        mode = "440";
        path = "/var/lib/c3d2-dns/.ssh/id_ed25519.pub";
      };
    };
--- a/hosts/blogs/default.nix
+++ b/hosts/blogs/default.nix
@ -6,10 +6,20 @@

  networking.hostName = "blogs";

-  # See secrets/hosts/blogs for the .env file with all settings
-  services.plume = {
-    enable = true;
-    envFile = config.sops.secrets."plume/env".path;
+  services = {
+    nginx = {
+      enable = true;
+      virtualHosts."blogs.c3d2.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/".proxyPass = "http://localhost:7878";
+      };
+    };
+    plume = {
+      enable = true;
+      # See secrets/hosts/blogs for the .env file with all settings
+      envFile = config.sops.secrets."plume/env".path;
+    };
  };

  sops = {
@ -17,15 +27,8 @@
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      "plume/env".owner = config.systemd.services.plume.serviceConfig.User;
-    };
-  };
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."blogs.c3d2.de" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/".proxyPass = "http://localhost:7878";
+      "restic/password".owner = "root";
+      "restic/repository/server8".owner = "root";
    };
  };

--- a/hosts/blogs/secrets.yaml
+++ b/hosts/blogs/secrets.yaml
@ -1,5 +1,9 @@
 plume:
    env: ENC[AES256_GCM,data:V7pEExE5jGT7JSCejzo1m0QlMgpKuaF5CnHvR7LCvTJSgoCeeNW9ImtVk8MtqtoRngH45jgseuC5wZNzXSMG/ltQ4c3ThDcxKP5ngLmEZ3tOqSlIdV/A3S4ww4f/UAx8YpNY4c/LlL9NuCcfpHyC4zwRFrD6odCSk7BUT0BU+zxOBDpQDAHscBz+YYTbb3cJ7iGYg1fXS6wLJHutf0eXYF5VNcc80SISEfbR+bs9t2f7Dg==,iv:3n+EDT9TO5VxCS6rXZiNKpxtCWeCDi6YT3dQsrECNmU=,tag:ysWwxhR1JNJ7WUM28TIQig==,type:str]
+restic:
+    password: ENC[AES256_GCM,data:5SUmmFclsGFskWM1E0qOQN0TDB7sllEBnDFslUHTqZs=,iv:WoWtaR4byoRjnZaakBhZYHfzBFKrJ1g3ylWj6Vkom2Y=,tag:0M+MXU8Xe3Ig50rmaqwzjA==,type:str]
+    repository:
+        server8: ENC[AES256_GCM,data:rhZ8jaqrsZ8caom64m32D8O8qgr4KXJwzm8q8+UlcpXdMfcXVlzNkTW+Lq5D/nXJ6KUoBV4zeYNwzLgbjPd2xTJYAlUbGC039Fd8ZI19v+PZsypMAtbf4PpYQPwy1LtJ,iv:QkX5Iy7iB9yRj9YI6I1YHNXmdhF0FaUYJTOAXgJc8II=,tag:EanCBxAJQ0jH17tMkCo1kA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -24,8 +28,8 @@ sops:
            andNczl4SzJaeDNpQ1dhNm1PcUc0eTQKR/hEIrWWsixnW5HGb4D0Hg6RTA22NBqq
            2QeYsLP2QALu/+y+ljewr9K2nYOb70NOrx5FKD3cAgtq8871Lf59fQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2021-12-25T00:52:22Z"
-    mac: ENC[AES256_GCM,data:g6rMFoNx35MN495v1jKB13isssJ3GbKqyI7PdA796leFuRVgAlj6aUBI99vX+SpA1LpBYkUOu6OeV1EOHtpKlchbS4/FnO5oM0AOpoNux9yjQbeC3CM6soUzHn2+cJrnGMlgPC0sX0kcHVTFKF1aJsa+uLlkKD+F1SSJboz+P7c=,iv:i5I8FDU+j7l5UxgurA3Me2b/4zE7W1Ck3ckmQPqKWrM=,tag:gZCL8bo1YVoLZlxjyTupzw==,type:str]
+    lastmodified: "2023-06-05T19:00:16Z"
+    mac: ENC[AES256_GCM,data:irZqZZ3wz8N1JUcX7GSM2FTdLlek49fvF2Uh6SJiwkMTizsKBhBF3RzD8nN2eh0fFkMuK5kjc24S1GRQwfPY/mBOEXfKXUn+3RRAE99UgUfgPFc+IEMH70AOl8mrsfOUXzVmkW2gDmxL900eyMIJIjWTgKd1B/jsUDiEwSeSpU4=,iv:eziRYdbRlwD809J22CmHU462es9MD/O1z6rFBB2wNrI=,tag:3+D4ngcpbZcL50Mfq7S8qA==,type:str]
    pgp:
        - created_at: "2022-12-26T19:09:33Z"
          enc: |
@ -200,4 +204,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
    unencrypted_suffix: _unencrypted
-    version: 3.7.1
+    version: 3.7.3
--- a/hosts/buzzrelay/default.nix
+++ b/hosts/buzzrelay/default.nix
@ -6,7 +6,7 @@
  };

  microvm = {
-    mem = 1024;
+    mem = 512;
    vcpu = 8;
  };

--- a/hosts/c3d2-web/default.nix
+++ b/hosts/c3d2-web/default.nix
@ -4,8 +4,8 @@ let
 in
 {
  microvm = {
-    vcpu = 8;
-    mem = 1024;
+    vcpu = 4;
+    mem = 2 * 1024; # drone-ssh-runner clones the git repo which requires some RAM
  };
  c3d2.deployment = {
    # /tmp is to small for drone to clone the repo even with depth
@ -130,42 +130,46 @@ in
    language = "de";
  };

-  systemd.services = {
-    # lets agate access the tls certs
-    agate = {
-      requires = [ "agate-keys.service" ];
-      after = [ "agate-keys.service" ];
-      serviceConfig = {
-        Group = "keys";
+  systemd = {
+    packages = with pkgs; [ telme10 ];
+    services = {
+      # lets agate access the tls certs
+      agate = {
+        requires = [ "agate-keys.service" ];
+        after = [ "agate-keys.service" ];
+        serviceConfig = {
+          Group = "keys";
+        };
+      };
+      agate-keys = {
+        path = with pkgs; [ openssl ];
+        script =
+          let
+            stateDir = "/var/lib/agate/certificates";
+          in
+          ''
+            mkdir -p ${stateDir}
+            openssl x509 \
+                -in /var/lib/acme/www.c3d2.de/cert.pem \
+                -out ${stateDir}/cert.der \
+                -outform DER
+            openssl rsa \
+                -in /var/lib/acme/www.c3d2.de/key.pem \
+                -out ${stateDir}/key.der \
+                -outform DER
+            chown root:keys ${stateDir}/*
+            chmod 0640 ${stateDir}/*
+          '';
+        serviceConfig = {
+          Type = "oneshot";
+        };
+      };
+      telme10 = {
+        serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      };
    };
-    agate-keys = {
-      path = with pkgs; [ openssl ];
-      script =
-        let
-          stateDir = "/var/lib/agate/certificates";
-        in
-        ''
-          mkdir -p ${stateDir}
-          openssl x509 \
-              -in /var/lib/acme/www.c3d2.de/cert.pem \
-              -out ${stateDir}/cert.der \
-              -outform DER
-          openssl rsa \
-              -in /var/lib/acme/www.c3d2.de/key.pem \
-              -out ${stateDir}/key.der \
-              -outform DER
-          chown root:keys ${stateDir}/*
-          chmod 0640 ${stateDir}/*
-        '';
-      serviceConfig = {
-        Type = "oneshot";
-      };
-    };
-    telm10 = {
-      path = with pkgs; [ telme10 ];
-      serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-    };
+
+    sockets.telme10.wantedBy = [ "sockets.target" ];
  };

  users = {
--- a/hosts/dacbert/default.nix
+++ b/hosts/dacbert/default.nix
@ -90,8 +90,10 @@ in
      "compat_uts_machine=armv6l"
    ];

-    tmpOnTmpfs = true;
-    tmpOnTmpfsSize = "80%";
+    tmp = {
+      useTmpfs = true;
+      tmpfsSize = "80%";
+    };
  };
  # hardware.raspberry-pi."4" = {
  #   fkms-3d.enable = true;
@ -107,7 +109,6 @@ in
    hostName = "dacbert"; # Define your hostname.
    useDHCP = false;
    interfaces.eth0.useDHCP = true;
-    firewall.enable = false;
  };

  nix = {
--- a/hosts/drone/default.nix
+++ b/hosts/drone/default.nix
@ -6,7 +6,7 @@ in
 {
  c3d2.deployment.server = "server10";

-  microvm.mem = 4 * 1024;
+  microvm.mem = 2 * 1024;

  networking.hostName = "drone";

@ -91,6 +91,8 @@ in
    secrets = {
      "drone/runner/environmentFile".owner = "drone";
      "drone/server/environmentFile".owner = "drone";
+      "restic/password".owner = "root";
+      "restic/repository/server8".owner = "root";
    };
  };

--- a/hosts/drone/secrets.yaml
+++ b/hosts/drone/secrets.yaml
@ -5,6 +5,10 @@ drone:
        environmentFile: ENC[AES256_GCM,data:XpLbXxOpCmwUGo5t6QnYCcOYko9telMXil9pbyFTkX/1MV5SE41s8+Ap0qmn5/ZvzK7BOZ+yFgi3dPJ323mFwW9v36OWD+ZwHjp0kLHHwfx+UFqinC8mbzm5SZq34JQ31IzOfOCdzhg6WG9SBD8Rf5RYnKCPQdwTDwISgGRWZZQi629KncXAU1evQ1ur98ClwBaGQ7ndasf/D5quvd/lUvks88HrCzbKTtASQDg2SjMko+gZ5YUEmeZsiEAJ3kwGi4gSsaDXvSRqmdxZhEITGNaCPcvP0hUSaVupIxPGs1hnzpXJ4NHxirP4CDKUOFXc4fKBRw1TRdYt9YE4qSaKqWaifGgLFYHKpFLtpDL2yMjIzLJIBvbyH/qV7/ygwzhH8j2oVkh7Yjll58xea3wEFpBzlbUGH4CNfFa4MGqB26hdxfXbDnjDqwbXYZo=,iv:09r5M6rfW7wXyGxRBv7MDpzrhHfdl5LK7fWljHd3nok=,tag:WgoNwv/2SdmUSux7lcPenQ==,type:str]
    #ENC[AES256_GCM,data:Afc9MGFPONPTPzLJChaf1vX5B9yPXvrV+80/MViHSaw+M7qzt7ZDjzxTd80z/HHPYO0fw8HR4HJIrIfv3a0gGA==,iv:NFNtzIOXa9Mm8iKbEpiwYEBpr9JAT2nzITlCL/Z31S8=,tag:jB9JU2UoVUH+2+aJMzGO7A==,type:comment]
    ssh-keys: ENC[AES256_GCM,data:ZIqzARLWjqCmIDDZoXkLPoxL6PIewry6ys5TeZuqrrxzmmUA57GrVQP1tJW0cfAvgW+56u/JI9ssFSFvGOFrB78Q6G3uX8nQ54gDFalzbYPbSXGWyowAbA+fZ+/b3wwrCHcFuoN/6Ej5bP7EYLOwRwqwxrwxt9AQNGvCyYNExblMT32y3Lo0gYk2wdLulwaZ+5RB47Qi9RqtQXB4dGKzTEo/UKMghO4FoHwY5wxvmmGAdPjYyIhALve6WNgULX/+JabuSlnZfxySyfXaPpaBqdHGvqrM59nTYHvX2HL90sxoyQihro0QDPVXRzvyiF35v3MfZZAPMgmlyo7Q1C2/Hs+MoB3rzPxwRNOS+MS0bbh2SfM/dM75i02QjA2B5dI6pZZThCaeg8eFs1AIxRvuXSPoRXrle8zr/Gb++GUDLZqdHlq8m4roMQtuXzJEYts59z8JOjoguXQ4jydAzPViWRAHN52IXzluaXHEvMgrtZBMG3/FazVvSSJW5x3KDUFedcsafNjeFNoVpkxdBxNCnDrWDczCHqf4Nt29z/VG7urmJrImkSMcGdTgloDI2VAFaCxAiVvGRfM4QNnGoRMPW5z2mir38yutfq7PV498K7ns1SkhaEKFu4Gx8HBhvYsV0GXSCup+xIhCPz1E,iv:a4IDvnBlgcSLlA7v5TZW6ZzlUe0UA8yU3Mp5Bzk3BHQ=,tag:ioEokhnx9jBLlL/fKDoVzg==,type:str]
+restic:
+    password: ENC[AES256_GCM,data:rBbfglIE6DAlL8SAdhGIquR7oj+qusjV1xPGWfrAADw=,iv:7mYmLy7+ymf/qsKefedx854s2/+aglrU796Bgdyi/+A=,tag:Kd2RDXOGdcKSsDhPDEbHLQ==,type:str]
+    repository:
+        server8: ENC[AES256_GCM,data:vOLtJmuwAwE/Gena0HuG0J4LtPqp41UAi1Fgy0xWLzVBkTiiR5m2Ab99w3nZKGxlK/OuWp34c/fYIn7SLjgRxJB2nzjkFIjAy4lAwcKbTVg9riXLiRZChjcLf5D5XnVL,iv:wdfE3ZeXOZa0YcvBeErGh/JpKAuvMHG7M9VsSNH2e8s=,tag:PRitZnspqA10dTGqkUmBpw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -29,8 +33,8 @@ sops:
            QUVobWZTWU1zMlhFRVVZVmZnbmRFQjAKsdNmKUyH8ThvrkFt2m2dseAhhxx9/Nr1
            PWtyKJx49hWqdq8QB/UlhdCRP4fWV/ENOLxkxx3R3YipY/439DNWLg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-23T00:35:14Z"
-    mac: ENC[AES256_GCM,data:l7MKr4ccaWDyjLuJz//tDP5cjnXlzhWazfhQ2lJmwiMj/Xw6xKnlIbkNisXyGRXdbRUTDU3IPkrsxOJi72ujWzjxLmzsYRMxwkn9X9vfkIadOTlQPQNqdUJEWD1rq/e1vDpX5kMOlgq5m5Qnx6V0lSIi2YDlWrhaxXdfwGWJSlc=,iv:QPgaRw3cOe58ZstztoVUpPZUwuFqojSu+7zrADpDyWc=,tag:cIacOsetiA/tZYHcmQnIAw==,type:str]
+    lastmodified: "2023-05-23T18:29:18Z"
+    mac: ENC[AES256_GCM,data:SVKmp7PQHyHZgF2Fud9ubI4Nn5j28AC8U8CxBAlJ09a6PaTT/yjTSz8Dn8rD8LEXLgf4hO95veO7WjBL6U9aNG2Wvu9ARLutE8e/CvWEzSshZJCaWX2mtkMm7IT/kC/LNW9sMsU+8Gi2WwAxFLVc2jMb6eMTfUEIABYi12dDk64=,iv:0kW6F5OL6IQV8zL5b138EjorHgi3ZFvO/54+9yNtAOQ=,tag:EOlHr8u2Toirqkwrmm9byA==,type:str]
    pgp:
        - created_at: "2023-01-29T20:31:40Z"
          enc: |
--- a/hosts/freifunk/default.nix
+++ b/hosts/freifunk/default.nix
@ -55,13 +55,15 @@ in {
    "${modulesPath}/profiles/minimal.nix"
  ];

-  boot.tmpOnTmpfs = true;
-  boot.postBootCommands = ''
-    if [ ! -c /dev/net/tun ]; then
-      mkdir -p /dev/net
-      mknod -m 666 /dev/net/tun c 10 200
-    fi
-  '';
+  boot = {
+    postBootCommands = ''
+      if [ ! -c /dev/net/tun ]; then
+        mkdir -p /dev/net
+        mknod -m 666 /dev/net/tun c 10 200
+      fi
+    '';
+    tmp.useTmpfs = true;
+  };
  c3d2 = {
    hq.statistics.enable = true;
    deployment = {
@ -123,6 +125,9 @@ in {
      group = "systemd-network";
      mode = "0440";
    };
+    secrets."bird/ospf/auth" = {
+      owner = "bird2";
+    };
  };

  # unbreak wg-vpn6 ingress path
@ -316,6 +321,7 @@ in {
  systemd.services.sysinfo-json = {
    script = ''
      ${sysinfo-json}/bin/bmxddump.sh
+      mkdir -p /run/nginx
      ${sysinfo-json}/bin/sysinfo-json.cgi > /run/nginx/sysinfo.json
    '';
  };
@ -328,6 +334,8 @@ in {
  # Advertise Freifunk routes to ZW core
  services.bird2 = {
    enable = true;
+    # nix-build cannot access /run/secrets/
+    checkConfig = false;
    config = ''
      protocol kernel K4 {
        ipv4 {
@ -385,8 +393,7 @@ in {
          interface "core" {
            hello 10;
            wait 20;
-            authentication cryptographic;
-            password "${pkgs.zentralwerk-ospf-message-digest-key}";
+            include "${config.sops.secrets."bird/ospf/auth".path}";
          };
        };
      }
@ -399,8 +406,7 @@ in {
          interface "core" instance ${toString zentralwerk.lib.config.site.hosts.freifunk.ospf.upstreamInstance} {
            hello 10;
            wait 20;
-            authentication cryptographic;
-            password "${pkgs.zentralwerk-ospf-message-digest-key}";
+            include "${config.sops.secrets."bird/ospf/auth".path}";
          };
        };
      }
@ -413,8 +419,7 @@ in {
          interface "core" {
            hello 10;
            wait 20;
-            authentication cryptographic;
-            password "${pkgs.zentralwerk-ospf-message-digest-key}";
+            include "${config.sops.secrets."bird/ospf/auth".path}";
          };
        };
      }
@ -433,8 +438,7 @@ in {
            interface "core" instance ${toString zentralwerk.lib.config.site.hosts.${upstream}.ospf.upstreamInstance} {
              hello 10;
              wait 20;
-              authentication cryptographic;
-              password "${pkgs.zentralwerk-ospf-message-digest-key}";
+              include "${config.sops.secrets."bird/ospf/auth".path}";
            };
          };
        };
@ -453,8 +457,7 @@ in {
            interface "core" instance ${toString zentralwerk.lib.config.site.hosts.${upstream}.ospf.upstreamInstance} {
              hello 10;
              wait 20;
-              authentication cryptographic;
-              password "${pkgs.zentralwerk-ospf-message-digest-key}";
+              include "${config.sops.secrets."bird/ospf/auth".path}";
            };
          };
        };
@ -479,7 +482,7 @@ in {
          sysinfo-json = {
            alias = "/run/nginx/sysinfo.json";
            extraConfig = ''
-              add_header Content-Type "application/json;charset=UTF-8";
+              default_type application/json;charset=UTF-8;
            '';
          };
        in {
--- a/hosts/freifunk/secrets.yaml
+++ b/hosts/freifunk/secrets.yaml
@ -1,6 +1,9 @@
 wireguard:
    vpn6:
        privateKey: ENC[AES256_GCM,data:5xvDSbVz2r1D8MZVMgKxIeXD5oRTfXD1RfBukHaOxBz6QaDiUjK7IfZRFlw=,iv:jXZSguJofezFvOplCrRokH9vUGP67fQPkb3fea9uKYU=,tag:JXCD+ngAtAFRmf7NhP0wCQ==,type:str]
+bird:
+    ospf:
+        auth: ENC[AES256_GCM,data:a3lfAIOZhm8oD2bcOsb3vfIh47EqRVsyuPp8EbVYqzCbTLDADj2R0D7C9E0a/vxIXa0ibrBHdFliLG8=,iv:91lsSop8QBT/rlmxE11gcU/voKkV8HJ9ESZEco5i2DU=,tag:ytzqbP75vzt0JiHW1mvD6w==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -25,8 +28,8 @@ sops:
            YklwNTFsUVZCU1RwZXlPeUJ6VW5iZ00KQqK0K0sizbBsKoZdfjo2QL3+syc5DQJq
            lL77+ChtwzssaX6d0zCwsoES28n1bNDN65n39K3gBmjTiSFSouvmtA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-13T19:00:35Z"
-    mac: ENC[AES256_GCM,data:RhGB+CNoIAGr6W1WxDpquG76FLZ0REF5OZwvD3DyfNxNai8XzqqDEsY6XneQ0Ac992kAcXdxleYDYC6keokvkOgnNmr+Buc4+rnASAReyRN19lIUWNjAB6oZWjqwEY2lrwklJc/yi+2LOuaigVsOLxOiMtpTs+QVtofRlmNpbGU=,iv:IqZGKWXKYTGP6m+9wb6j7sSVrSJZ++F/CcL/r2LaSYQ=,tag:6MLFHzcEayEGKtIxWZoljg==,type:str]
+    lastmodified: "2023-06-26T23:30:17Z"
+    mac: ENC[AES256_GCM,data:XmY5EdBpYIcg917fhafs4PyNQZU8qxAiSIf8oe8KUXl4//ZEuS8O4hUd21XExRlBa9hQEP2W6J7FFRkfNZLHF6xtYWVWo0qWWe+twwZ/tt/LEygZspYu5G+AH/uoPRmL5XWXzKhO4p80BUxIZzLT9hvgwSMNIYFnliBecP9R7i4=,iv:5uRHki4OpT+BmxtdOzpbvdBwYDLEB7sX0yvi/R9W0dY=,tag:taeVkVqSoy13dNDSduKbIQ==,type:str]
    pgp:
        - created_at: "2022-12-26T19:09:40Z"
          enc: |
--- a/hosts/gitea/default.nix
+++ b/hosts/gitea/default.nix
@ -42,7 +42,6 @@

      ldap = {
        enable = true;
-        adminGroup = "gitea-admins";
        bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
      };

@ -146,7 +145,7 @@
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
-      "gitea/ldapSearchUserPassword" = libS.sops.permissionForUser "gitea";
+      "gitea/ldapSearchUserPassword".owner = "gitea";
      "restic/password".owner = "root";
      "restic/repository/server8".owner = "root";
    };
--- a/hosts/glotzbert/default.nix
+++ b/hosts/glotzbert/default.nix
@ -136,5 +136,5 @@
    extraGroups = [ "networkmanager" ];
  };

-  system.stateVersion = "22.11"; # Did you read the comment?
+  system.stateVersion = "22.11";
 }
--- a/hosts/gnunet/default.nix
+++ b/hosts/gnunet/default.nix
@ -8,10 +8,7 @@
    mem = 1024;
  };

-  networking = {
-    hostName = "gnunet";
-    firewall.enable = false;
-  };
+  networking.hostName = "gnunet";

  services.gnunet = {
    enable = true;
--- a/hosts/grafana/default.nix
+++ b/hosts/grafana/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 {
  microvm.mem = 4096;
@ -71,6 +71,7 @@
        users.allow_sign_up = false;
      };
    };
+
    influxdb =
      let
        collectdTypes = pkgs.runCommand "collectd-types" { } ''
@ -92,6 +93,7 @@
          }];
        };
      };
+
    nginx = {
      enable = true;
      virtualHosts = {
--- a/hosts/hedgedoc/default.nix
+++ b/hosts/hedgedoc/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 {
  c3d2.deployment.server = "server10";
@ -12,6 +12,7 @@

    hedgedoc = {
      enable = true;
+      ldap.enable = true;
      settings = {
        allowAnonymousEdits = true;
        allowFreeURL = true;
@ -27,16 +28,6 @@
        };
        defaultPermission = "freely";
        domain = "hedgedoc.c3d2.de";
-        # TODO: move to nixos-modules
-        ldap = {
-          url = "ldaps://auth.c3d2.de";
-          bindDn = "uid=search,ou=users,dc=c3d2,dc=de";
-          bindCredentials = "$bindCredentials";
-          searchBase = "ou=users,dc=c3d2,dc=de";
-          searchFilter = "(&(objectclass=person)(uid={{username}}))";
-          tlsca = "/etc/ssl/certs/ca-certificates.crt";
-          useridField = "uid";
-        };
        loglevel = "warn";
        protocolUseSSL = true;
        sessionSecret = "$sessionSecret";
--- a/hosts/home-assistant/default.nix
+++ b/hosts/home-assistant/default.nix
@ -1,8 +1,7 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 let
  c3d2MacAddress = "00:0b:ad:00:1d:ea";
-
 in
 {
  c3d2.deployment.server = "server10";
@ -93,7 +92,7 @@ in
                    ATTRS="${ldap.userField}"
                    CLIENT="ldapsearch"
                    DEBUG=0
-                    FILTER="${ldap.groupFilter "home-assistant"}"
+                    FILTER="${ldap.groupFilter "home-assistant-users"}"
                    NAME_ATTR="${ldap.userField}"
                    SCOPE="base"
                    SERVER="ldaps://${ldap.domainName}"
@ -175,9 +174,7 @@ in
    portunus.addToHosts = true;
  };

-  sops = {
-    defaultSopsFile = ./secrets.yaml;
-  };
+  sops.defaultSopsFile = ./secrets.yaml;

  system.stateVersion = "22.11";
 }
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@ -16,8 +16,10 @@ in
  };

  boot = {
-    tmpOnTmpfs = true;
-    tmpOnTmpfsSize = "80%";
+    tmp = {
+      useTmpfs = true;
+      tmpfsSize = "80%";
+    };
    kernelModules = [ "kvm-intel" ];
    kernelParams = [ "mitigations=off" "preempt=none" ];
    loader = {
@ -29,15 +31,48 @@ in
  };

  nix = {
-    buildMachines = [{
-      hostName = "client@dacbert.hq.c3d2.de";
-      system = lib.concatStringsSep "," [
-        # "aarch64-linux" # very slow compared to gallium
-        "armv6l-linux" "armv7l-linux"
-      ];
-      supportedFeatures = [ "kvm" "nixos-test" ];
-      maxJobs = 1;
-    }];
+    buildMachines = let
+      localPlatforms = feature: !(builtins.elem feature [ "x86_64-linux" "i686-linux" ]);
+      # strips features that don't make sense on qemu-user
+      extraPlatforms = builtins.filter localPlatforms config.nix.settings.extra-platforms;
+    in [
+      {
+        hostName = "localhost";
+        maxJobs = config.nix.settings.max-jobs;
+        protocol = null;
+        speedFactor = 10;
+        supportedFeatures = config.nix.settings.system-features;
+        systems = [ "x86_64-linux" "i686-linux" ];
+      }
+      # # local container to have an extra nix daemon for binfmt
+      # # NOTE: currently very, very slow and usually builds do not finish in any amount of time
+      # {
+      #   hostName = "root@192.168.100.3";
+      #   maxJobs = 4;
+      #   speedFactors = 20;
+      #   supportedFeatures = [ "big-parallel" "nixos-test" "benchmark" ];
+      #   systems = lib.concatStringsSep "," extraPlatforms;
+      # }
+      {
+        hostName = "client@dacbert.hq.c3d2.de";
+        system = lib.concatStringsSep "," [
+          # "aarch64-linux" # very slow compared to gallium
+          "armv6l-linux" "armv7l-linux"
+        ];
+        speedFactor = 1;
+        supportedFeatures = [ "kvm" "nixos-test" ];
+        maxJobs = 1;
+      }
+      {
+        hostName = "gallium.supersandro.de";
+        maxJobs = 4;
+        speedFactor = 10;
+        sshUser = config.nix.remoteBuilder.name;
+        # kvm is not supported because /dev/kvm does not exist
+        supportedFeatures = [ "big-parallel" "nixos-test" "benchmark" ];
+        system = "aarch64-linux";
+      }
+    ];
    daemonCPUSchedPolicy = "idle";
    daemonIOSchedClass = "idle";
    daemonIOSchedPriority = 7;
@ -145,7 +180,6 @@ in
  networking = {
    hostId = "3f0c4ec4";
    hostName = "hydra";
-    firewall.enable = false;
    nameservers = [ "172.20.73.8" "9.9.9.9" ];
    # nat = {
    #   enable = true;
@ -167,12 +201,7 @@ in
        "/var/lib/hydra/machines"
      ];
      hydraURL = "https://hydra.hq.c3d2.de";
-      ldap = {
-        enable = true;
-        roleMappings = [
-          { hydra-admins = "admin"; }
-        ];
-      };
+      ldap.enable = true;
      logo = ./c3d2.svg;
      minimumDiskFree = 50;
      minimumDiskFreeEvaluator = 50;
@ -254,7 +283,6 @@ in
      "ldap/search-user-pw" = {
        mode = "440";
        owner = config.users.users.hydra-queue-runner.name;
-        inherit (config.users.users.hydra-queue-runner) group;
        path = "/var/lib/hydra/ldap-password.conf";
      };
      "machine-id" = {
@ -267,13 +295,11 @@ in
      "nix/signing-key/secretKey" = {
        mode = "440";
        owner = config.users.users.hydra-queue-runner.name;
-        inherit (config.users.users.hydra-queue-runner) group;
      };
      "restic/password".owner = "root";
      "restic/repository/server8".owner = "root";
      "ssh-keys/hydra/private" = {
        owner = "hydra";
-        mode = "400";
        path = "/var/lib/hydra/.ssh/id_ed25519";
      };
      "ssh-keys/hydra/public" = {
@ -283,7 +309,6 @@ in
      };
      "ssh-keys/root/private" = {
        owner = "hydra-queue-runner";
-        mode = "400";
        path = "/var/lib/hydra/queue-runner/.ssh/id_ed25519";
      };
      "ssh-keys/root/public" = {
@ -293,7 +318,6 @@ in
      };
      "ssh-keys/updater/private" = {
        owner = "updater";
-        mode = "400";
        path = "/var/lib/updater/.ssh/id_ed25519";
      };
      "ssh-keys/updater/public" = {
@ -314,24 +338,6 @@ in
      MemorySwapMax = "64G";
    };

-    hydra-init.preStart = let
-      localPlatforms = feature: !(builtins.elem feature [ "x86_64-linux" "i686-linux" ]);
-      # strips features that don't make sense on qemu-user
-      extraPlatforms = builtins.filter localPlatforms config.nix.settings.extra-platforms;
-    in
-    # both entries cannot have localhost alone because then hydra would merge them together but we want explictily two to not allow benchmarkts for binfmt emulated arches
-    # multiple container max-jobs by X because binfmt is very slow especially in configure scripts
-    ''
-      cat << EOF > ~/machines
-      localhost x86_64-linux,i686-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} -
-      # local container to have an extra nix daemon for binfmt
-      # NOTE: currently very, very slow and usually builds do not finish in any amount of time
-      # root@192.168.100.3 ${lib.concatStringsSep "," extraPlatforms} - ${toString (config.nix.settings.max-jobs * 3)} 10 big-parallel,nixos-test -
-      # sandro's native aarch64 builder
-      ${config.nix.remoteBuilder.name}@gallium.supersandro.de aarch64-linux - 4 20 big-parallel,nixos-test,benchmark -
-      EOF
-    '';
-
    nix-daemon.serviceConfig = {
      CPUWeight = 5;
      MemoryHigh = "64G";
--- a/hosts/jabber/default.nix
+++ b/hosts/jabber/default.nix
@ -15,25 +15,27 @@ in

  networking = {
    hostName = "jabber";
-    firewall.allowedTCPPorts = [
-      # Prosody
-      5222
-      5223
-      5269
-      80
-      5280
-      443
-      5281
-      # Coturn
-      3478
-      3479
-    ];
-    firewall.allowedUDPPorts = [
-      # Coturn
-      3478
-      3479
-    ];
+    firewall = {
+      allowedTCPPorts = [
+        # Prosody
+        5222
+        5223
+        5269
+        80
+        5280
+        443
+        5281
+        # Coturn
+        3478
+        3479
+      ];
+      allowedUDPPorts = [
+        # Coturn
+        3478
+        3479
+      ];
    # TODO: allowedSCTPPorts
+    };
  };

  security.acme.certs."${domain}" = {
@ -44,6 +46,7 @@ in
    # DynDNS method
    dnsProvider = "rfc2136";
    credentialsFile = config.sops.secrets."acme/credentials-file".path;
+    reloadServices = [ "prosody" ];
    # Make keys accessible by putting them in prosody's group
    inherit (config.services.prosody) group;
  };
@ -154,7 +157,7 @@ in
      extraConfig =
        let
          prosodyFirewall = pkgs.writeText "antispam.pfw" ''
-            %ZONE spam: creep.im, default.rs, sj.ms, anonym.im, xmpp.jp, safetyjabber.com, im.hot-chilli.net, jabb3r.org, draugr.de, laba.im, xmpp.sh, jabber.bitactive.com, 404.city, jabber.cd, jabber.jc-otto.de, jabster.pl, jabber.no, anoxinon.me, ubuntu-jabber.net, anonarchy.im, jabber.freenet.de, exploit.im, 616.pub, omemo.im, rsocks.net, chatwith.xyz, jabber.cz, jabbim.cz, blabber.im, jabber.root.cz, jabb.im, jabber.infos.ru, jabbim.pl, jabbim.com, linuxlovers.at, jabbim.ru, jabber.sk, njs.netlab.cz, jabba.biz, chatterboxtown.us, crime.io, 0nl1ne.at, verdammung.org, im.apinc.org, 0day.la, 0day.im, xabber.de, conversations.im, jabber.de, chinwag.im, jabber.ccc.de, thesecure.biz, shad0w.ru, yourdata.forsale, linux.monster, xmpp.international, paranoid.network, og.im, 4ept.net, darknet.im, ubuntu-jabber.de, deshalbfrei.org, nixnet.services, marxist.club, dw.live, 01337.io, yax.im, sqli.io, breached.im, pwned.life, jabber.fr, chatterboxtown.us, xmpp.xxx, ybgood.de, ejabber.co, jabbers.one
+            %ZONE spam: creep.im, default.rs, sj.ms, anonym.im, xmpp.jp, safetyjabber.com, im.hot-chilli.net, jabb3r.org, draugr.de, laba.im, xmpp.sh, jabber.bitactive.com, 404.city, jabber.cd, jabber.jc-otto.de, jabster.pl, jabber.no, anoxinon.me, ubuntu-jabber.net, anonarchy.im, jabber.freenet.de, exploit.im, 616.pub, omemo.im, rsocks.net, chatwith.xyz, jabber.cz, jabbim.cz, blabber.im, jabber.root.cz, jabb.im, jabber.infos.ru, jabbim.pl, jabbim.com, linuxlovers.at, jabbim.ru, jabber.sk, njs.netlab.cz, jabba.biz, chatterboxtown.us, crime.io, 0nl1ne.at, verdammung.org, im.apinc.org, 0day.la, 0day.im, xabber.de, conversations.im, jabber.de, chinwag.im, jabber.ccc.de, thesecure.biz, shad0w.ru, yourdata.forsale, linux.monster, xmpp.international, paranoid.network, og.im, 4ept.net, darknet.im, ubuntu-jabber.de, deshalbfrei.org, nixnet.services, marxist.club, dw.live, 01337.io, sqli.io, breached.im, pwned.life, jabber.fr, chatterboxtown.us, xmpp.xxx, ybgood.de, ejabber.co, jabbers.one

            IN ROSTER?
            PASS.
--- a/hosts/leon/default.nix
+++ b/hosts/leon/default.nix
@ -60,11 +60,14 @@
    isNormalUser = true;
    extraGroups = [ "wheel" "docker" ];
    createHome = true;
-    openssh.authorizedKeys.keys = ssh-public-keys.leon;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPZoT83l0ogbJpviBs4VmO+NdF4NPtYAnyf8RRSoXsv leon@leon"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"
+    ];
  };
  networking.nameservers = ["172.20.73.8" "9.9.9.9"];
 	networking.firewall = {
-    allowedTCPPorts = [ 5000 22 53 80 443 8080 12000 ];
+    allowedTCPPorts = [ 5000 22 53 80 443 8080 12000 465 993 3478 3479 3480 5223 ];
    allowedUDPPorts = [ 53 80 8080 18900 19900 ];  
  };
 #_______________________________Begin-VPN1-Server____________________________________
@ -165,33 +168,6 @@
 	  ];
  };
 };
- #-----------------------------END-VPN---------------------------------
-
-#__________________________Begin-VPN2-Server_____________________
- 
-networking.wireguard.interfaces = {
-    #Interface. Untrusted VPN
-	vpn2 = {
-      #IP address && Subnet.
-      ips = [ "10.10.100.1/24" ];
-
-      #VPN Port.
-      listenPort = 19900;
-
-	  # Path to the private key file.
-      #
-      privateKeyFile = "/etc/wireguard/privatekey";
-
-      peers = [
-        # -----------------leon-Mac-------------------------.
-        { 
-          publicKey = "6GRIp7SjHyu5sgqudtgZdN9CKbV3GYtMnwgo06F4ylo=";
-          allowedIPs = [ "10.10.100.0/24" ];
-        }
-	  ];
-    };
-  };
-  
 #-----------------------------END-VPN---------------------------------

 #-----------------------------ngin-X--------------------------------
@ -230,16 +206,7 @@ networking.wireguard.interfaces = {
        proxyWebsockets = true;
      };
 	};
-	virtualHosts."hospital-gly.c3d2.de" = {
-      forceSSL = true;
-      enableACME = true;
-	locations."/" = {
-        proxyPass = "http://10.10.11.21";
-        proxyWebsockets = true;
-      };
-	};
-
-
+	
 };
 #-----------------------------ngin-X--------------------------------

--- a/hosts/leoncloud/default.nix
+++ b/hosts/leoncloud/default.nix
@ -38,7 +38,10 @@
    isNormalUser = true;
    extraGroups = [ "wheel" "docker" ];
    createHome = true;
-    openssh.authorizedKeys.keys = ssh-public-keys.leon;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPZoT83l0ogbJpviBs4VmO+NdF4NPtYAnyf8RRSoXsv leon@leon"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"
+    ];
 };


@ -76,9 +79,11 @@
 #<-----------------wireguard client---------------
 #>-----------------nextcloud----------------------

-services.nextcloud = {
+  services.nextcloud = {
    enable = true;
+    enableBrokenCiphersForSSE = false; # avoid dependency on openssl1.1
    hostName = "cloud";
+    package = pkgs.nextcloud25;
    config = {
      dbtype = "pgsql";
      dbuser = "nextcloud";
@ -87,7 +92,7 @@ services.nextcloud = {
      adminpassFile = "/etc/nixos/next-cloud/pass";
      adminuser = "root";
      extraTrustedDomains = ["10.10.11.4" "10.10.11.1" "45.158.40.165" "bicospacetech.cloud.c3d2.de"]; 
-   };
+    };
  };

  services.backup.enable = false;
--- a/hosts/mastodon/default.nix
+++ b/hosts/mastodon/default.nix
@ -113,6 +113,7 @@

    mastodon = {
      enable = true;
+      enableBirdUITheme = true;
      configureNginx = true;
      elasticsearch.host = "127.0.0.1";
      ldap.enable = true;
--- a/hosts/matemat/default.nix
+++ b/hosts/matemat/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, libC, pkgs, ... }:

 {
  c3d2.deployment.server = "server10";
@ -16,18 +16,9 @@
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:3000";
-          # ip ranges duplicated with prometheus node exporter
-          extraConfig = ''
-            satisfy any;
+          extraConfig = libC.hqNetworkOnly + ''
            auth_basic secured;
            auth_basic_user_file ${config.sops.secrets."nginx/basic-auth".path};
-            allow 2a00:8180:2c00:200::/56;
-            allow 2a0f:5382:acab:1400::/56;
-            allow fd23:42:c3d2:500::/56;
-            allow 30c:c3d2:b946:76d0::/64;
-            allow 172.22.99.0/24;
-            allow 172.20.72.0/21;
-            deny all;
          '';
        };
      };
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@ -9,6 +9,17 @@

  networking.hostName = "matrix";

+  #
+  nixpkgs.overlays = [
+    (final: prev: {
+      # NOTE: using config.services.matrix-synapse.package does not work because it does not override the matrix-synapse used in matrix-synapse.plugins.matrix-synapse-ldap3
+      matrix-synapse = prev.matrix-synapse.overridePythonAttrs (_: {
+        # fail and take a good amount of time
+        doCheck = false;
+      });
+    })
+  ];
+
  services = {
    backup.paths = [ "/var/lib/matrix-synapse/" ];

@ -24,7 +35,6 @@
      ldap = {
        enable = true;
        bindPasswordFile = config.sops.secrets."matrix-synapse/ldapSearchUserPassword".path;
-        userFilter = config.security.ldap.groupFilter "matrix";
      };
      settings = {
        admin_contact = "mailto:mail@c3d2.de";
@ -103,10 +113,10 @@

  sops = {
    defaultSopsFile = ./secrets.yaml;
-    secrets = with libS.sops; {
-      "matterbridge/config" = permissionForUser "matterbridge";
-      "matrix-synapse/config" = permissionForUser "matrix-synapse";
-      "matrix-synapse/ldapSearchUserPassword" = permissionForUser "matrix-synapse";
+    secrets = {
+      "matterbridge/config".owner = "matterbridge";
+      "matrix-synapse/config".owner = "matrix-synapse";
+      "matrix-synapse/ldapSearchUserPassword".owner = "matrix-synapse";
      "restic/password".owner = "root";
      "restic/repository/server8".owner = "root";
    };
--- a/hosts/mediawiki/default.nix
+++ b/hosts/mediawiki/default.nix
@ -4,6 +4,13 @@ let
  cfg = config.services.mediawiki;
 in
 {
+  assertions = [
+    {
+      assertion = lib.versions.majorMinor pkgs.mediawiki.version != 1.40;
+      # https://www.mediawiki.org/wiki/Version_lifecycle
+      message = "Please keep mediawiki on LTS versions which is required by the LDAP extension";
+    }
+  ];
  c3d2.deployment.server = "server10";

  microvm.mem = 1024;
@ -20,7 +27,7 @@ in

    mediawiki = {
      enable = true;
-      virtualHost = {
+      httpd.virtualHost = {
        adminAddr = "no-reply@c3d2.de";
        enableACME = true;
        forceSSL = true;
@ -40,21 +47,20 @@ in
      #};
      name = "C3D2";

-      extraConfig = ''
+      extraConfig = /* php */ ''
        $wgArticlePath = '/$1';

        $wgShowExceptionDetails = true;
        $wgDBserver = "${config.services.mediawiki.database.socket}";
-        $wgDBmwschema       = "mediawiki";
+        $wgDBmwschema = "mediawiki";

-        $wgLogo =  "https://www.c3d2.de/images/ck.png";
+        $wgLogo = "https://www.c3d2.de/images/ck.png";
        $wgEmergencyContact = "wiki@c3d2.de";
        $wgPasswordSender   = "wiki@c3d2.de";
        $wgLanguageCode = "de";

        $wgGroupPermissions['*']['edit'] = false;
        $wgGroupPermissions['user']['edit'] = true;
-        $wgGroupPermissions['sysop']['interwiki'] = true;
        $wgGroupPermissions['sysop']['userrights'] = true;

        define("NS_INTERN", 100);
@ -63,20 +69,20 @@ in
        $wgExtraNamespaces[NS_INTERN] = "Intern";
        $wgExtraNamespaces[NS_INTERN_TALK] = "Intern_Diskussion";

-        $wgGroupPermissions['intern']['move']             = true;
+        $wgGroupPermissions['intern']['move'] = true;
        $wgGroupPermissions['intern']['move-subpages']    = true;
        $wgGroupPermissions['intern']['move-rootuserpages'] = true; // can move root userpages
-        $wgGroupPermissions['intern']['read']             = true;
-        $wgGroupPermissions['intern']['edit']             = true;
-        $wgGroupPermissions['intern']['createpage']       = true;
-        $wgGroupPermissions['intern']['createtalk']       = true;
-        $wgGroupPermissions['intern']['writeapi']         = true;
-        $wgGroupPermissions['intern']['upload']           = true;
-        $wgGroupPermissions['intern']['reupload']         = true;
-        $wgGroupPermissions['intern']['reupload-shared']  = true;
-        $wgGroupPermissions['intern']['minoredit']        = true;
-        $wgGroupPermissions['intern']['purge']            = true; // can use ?action=purge without clicking "ok"
-        $wgGroupPermissions['intern']['sendemail']        = true;
+        $wgGroupPermissions['intern']['read'] = true;
+        $wgGroupPermissions['intern']['edit'] = true;
+        $wgGroupPermissions['intern']['createpage'] = true;
+        $wgGroupPermissions['intern']['createtalk'] = true;
+        $wgGroupPermissions['intern']['writeapi'] = true;
+        $wgGroupPermissions['intern']['upload'] = true;
+        $wgGroupPermissions['intern']['reupload'] = true;
+        $wgGroupPermissions['intern']['reupload-shared'] = true;
+        $wgGroupPermissions['intern']['minoredit'] = true;
+        $wgGroupPermissions['intern']['purge'] = true; // can use ?action=purge without clicking "ok"
+        $wgGroupPermissions['intern']['sendemail'] = true;

        $wgNamespacePermissionLockdown[NS_INTERN]['*'] = array('intern');
        $wgNamespacePermissionLockdown[NS_INTERN_TALK]['*'] = array('intern');
@ -109,13 +115,29 @@ in
        $wgCaptchaClass = 'QuestyCaptcha';
        $wgCaptchaQuestions[] = array( 'question' => 'How is C3D2 logo in ascii?', 'answer' => '<<</>>' );

+        # we are using the feature of the default extension interwiki for linking to other articles of the same domain
+        # https://www.mediawiki.org/wiki/Extension:Interwiki
+        # without loading this extension there is no page Spezial:Interwikitablle (aka Special:Interwiki) to manage the table of entries for interwiki links
+        wfLoadExtension( 'Interwiki' );
+        # all members of the sysop group should be able to manage entries for interwiki links
+        $wgGroupPermissions['sysop']['interwiki'] = true;
+
        $wgEnableAPI = true;
        $wgAllowUserCss = true;
        $wgUseAjax = true;
        $wgEnableMWSuggest = true;

-        //TODO what about $wgUpgradeKey ?
+        wfLoadExtension('Cite');
+        wfLoadExtension('CiteThisPage');
+        wfLoadExtension('ConfirmEdit');
+        wfLoadExtension('ParserFunctions');
+        wfLoadExtension('WikiEditor');

+        // TODO: what about $wgUpgradeKey ?
+
+        // TODO: does this even work?
+        // https://www.mediawiki.org/wiki/Extension:Scribunto#Requirements mentions quite some extra steps which we didn't do
+        wfLoadExtension('Scribunto');
        $wgScribuntoDefaultEngine = 'luastandalone';

        # LDAP
@ -125,58 +147,34 @@ in
      # see https://extdist.wmflabs.org/dist/extensions/ for list of extensions
      # save them on https://web.archive.org/save and copy the final URL below
      extensions = {
-        Cite = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516204128/https://extdist.wmflabs.org/dist/extensions/Cite-REL1_39-2540df4.tar.gz";
-          sha256 = "sha256-fXE+W1nRPvMK7fOJa7q0fY3CpT0TrxDUv5R4WKPXxPc=";
-        };
-        CiteThisPage = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516204058/https://extdist.wmflabs.org/dist/extensions/CiteThisPage-REL1_39-1c86120.tar.gz";
-          sha256 = "sha256-GU3L8rqU9RI7VDK4kcCBLDoBD26Sqk1Bu6hANhlByeQ=";
-        };
-        ConfirmEdit = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516203822/https://extdist.wmflabs.org/dist/extensions/ConfirmEdit-REL1_39-09a7ebc.tar.gz";
-          sha256 = "sha256-G+ZYmPEva8C9arcpmvREX5yvA12PE3/zjpDpzW6dP9o=";
-        };
        Lockdown = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516203722/https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_39-12dd618.tar.gz";
-          sha256 = "sha256-V4Tdo04YtH6g15QgAW9RPqlVOwMOAyrGGIPbs9jH45A=";
+          url = "https://web.archive.org/web/20230710141042/https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_40-7d900ed.tar.gz";
+          sha256 = "sha256-TgoL9IcwY4EBNUsoVBqpUehVO7TEDT22FoH7Ep4dMxw=";
        };
+        # TODO: replace with https://www.mediawiki.org/wiki/Extension:DynamicPageList3
        intersection = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516203704/https://extdist.wmflabs.org/dist/extensions/intersection-REL1_39-dbb8cfd.tar.gz";
-          sha256 = "sha256-E6n+i7+SRHvmSLEIAiUR/LyGFcSkkrwTXl9INa/a4yw=";
+          url = "https://web.archive.org/web/20230710142223/https://extdist.wmflabs.org/dist/extensions/intersection-REL1_40-f3c1559.tar.gz";
+          sha256 = "sha256-DYq5CCm//rc6Mei9K6S2Ue+hzz6PYHnwpbJouFS5j+o=";
        };
        # requires PluggableAuth
        LDAPAuthentication2 = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516203001/https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_39-35908c0.tar.gz";
+          url = "https://web.archive.org/web/20230710142325/https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_40-2864ae9.tar.gz";
          sha256 = "sha256-LWXpmgzUpgEaPe/4cwF2cmJxPkW8ywT7gRAlB58mDfY=";
        };
        LDAPProvider = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516202850/https://extdist.wmflabs.org/dist/extensions/LDAPProvider-REL1_39-1b79e16.tar.gz";
-          sha256 = "sha256-rJGdS1mbmSdHUIgbNeRMJ56vTVihEgXzOvR6k1guDU8=";
-        };
-        ParserFunctions = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516202737/https://extdist.wmflabs.org/dist/extensions/ParserFunctions-REL1_39-3eb1eb9.tar.gz";
-          sha256 = "sha256-wAoMVNerfa7FUP+NH51cYZf+QKQl+pdSBoKsbAS6LBE=";
+          url = "https://web.archive.org/web/20230710141035/https://extdist.wmflabs.org/dist/extensions/LDAPProvider-REL1_40-99edc23.tar.gz";
+          sha256 = "sha256-DYq5CCm//rc6Mei9K6S2Ue+hzz6PYHnwpbJouFS5j+o=";
        };
        PluggableAuth = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516202627/https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-1210fc3.tar.gz";
-          sha256 = "sha256-F6bTMCzkK3kZwZGIsNE87WlZWqXXmTMhEjApO99YKR0=";
-        };
-        Scribunto = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516202513/https://extdist.wmflabs.org/dist/extensions/Scribunto-REL1_39-ebb91f2.tar.gz";
-          sha256 = "sha256-WHgVyY2JpUp8lFpvtKYS3wNe7UzzYLtwsRqtIdZBhek=";
-        };
-        WikiEditor = pkgs.fetchzip {
-          url = "https://web.archive.org/web/20230516202249/https://extdist.wmflabs.org/dist/extensions/WikiEditor-REL1_39-ed89fa9.tar.gz";
-          sha256 = "sha256-Aypjzv0cjoJvPuqSqlvMrlvd8n5EtE4TC8eyxFGwmLQ=";
+          url = "https://web.archive.org/web/20230710142618/https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-519c6d2.tar.gz";
+          sha256 = "sha256-N1+OV1UdzvU4iXhaS/+fuEoAXqrkVyyEPDirk0vrT8A=";
        };
      };
+      # initial admin user password
      passwordFile = config.sops.secrets."mediawiki/adminPassword".path;
      database = {
        type = "postgres";
        socket = "/run/postgresql";
-        user = "mediawiki";
-        name = "mediawiki";
      };
      uploadsDir = "/var/lib/mediawiki/uploads";
    };
@ -187,14 +185,14 @@ in

    postgresql = {
      enable = true;
-      authentication = lib.mkForce ''
-        # TYPE  DATABASE        USER            ADDRESS                 METHOD
-        local   all             all                                     trust
-        host    all             all             127.0.0.1/32            trust
-        host    all             all             10.233.2.1/32           trust
-        host    all             all             ::1/128                 trust
-      '';
-      enableTCPIP = true;
+      # authentication = lib.mkForce ''
+      #   # TYPE  DATABASE        USER            ADDRESS                 METHOD
+      #   local   all             all                                     trust
+      #   host    all             all             127.0.0.1/32            trust
+      #   host    all             all             10.233.2.1/32           trust
+      #   host    all             all             ::1/128                 trust
+      # '';
+      # enableTCPIP = true;
      ensureDatabases = [ cfg.database.name ];
      ensureUsers = [{
        name = cfg.database.user;
@ -216,8 +214,8 @@ in
        path = "/var/lib/mediawiki/secret.key";
      };
      "mediawiki/upgradeKey".owner = config.systemd.services.mediawiki-init.serviceConfig.User;
-      "restic/password".owner = "root";
-      "restic/repository/server8".owner = "root";
+      "restic/password" = { };
+      "restic/repository/server8" = { };
    };
  };

--- a/hosts/mobilizon/default.nix
+++ b/hosts/mobilizon/default.nix
@ -1,50 +1,61 @@
 { config, pkgs, ... }:
 {
-  c3d2.deployment.server = "server10";
+  # FIXME: mobilizon just crashes constantly and eats resources away
+  # c3d2.deployment.server = "server10";

  microvm.mem = 2048;

  networking.hostName = "mobilizon";

-  services.mobilizon = {
-    enable = true;
-    settings.":mobilizon".":instance" = {
-      name = "C3D2 Mobilizon";
-      hostname = "mobilizon.c3d2.de";
-      registrations_open = true;
-      default_language = "de";
+  services = {
+    mobilizon = {
+      enable = true;
+      settings.":mobilizon".":instance" = {
+        name = "C3D2 Mobilizon";
+        hostname = "mobilizon.c3d2.de";
+        registrations_open = true;
+        default_language = "de";
+      };
+      settings.":mobilizon"."Mobilizon.Web.Email.Mailer" = {
+        adapter = { value = "Bamboo.SMTPAdapter"; _elixirType = "raw"; };
+        server = "mail.c3d2.de";
+        hostname = config.networking.hostName;
+        auth = false;
+        port = 587;
+        ssl = false;
+        tls = { value = ":if_available"; _elixirType = "atom"; };
+        allowed_tls_versions = { value = ''[:tlsv1, :"tlsv1.1", :"tlsv1.2"]''; _elixirType = "raw"; };
+        retries = 1;
+        no_mx_lookups = true;
+      };
+      settings.":mobilizon".":logger" = {
+        level = { value = ":all"; _elixirType = "atom"; };
+      };
    };
-    settings.":mobilizon"."Mobilizon.Web.Email.Mailer" = {
-      adapter = { value = "Bamboo.SMTPAdapter"; _elixirType = "raw"; };
-      server = "mail.c3d2.de";
-      hostname = config.networking.hostName;
-      auth = false;
-      port = 587;
-      ssl = false;
-      tls = { value = ":if_available"; _elixirType = "atom"; };
-      allowed_tls_versions = { value = ''[:tlsv1, :"tlsv1.1", :"tlsv1.2"]''; _elixirType = "raw"; };
-      retries = 1;
-      no_mx_lookups = true;
+
+    nginx = {
+      enable = true;
+      virtualHosts."mobilizon.c3d2.de" = {
+        default = true;
+        forceSSL = true;
+        enableACME = true;
+      };
    };
-    settings.":mobilizon".":logger" = {
-      level = { value = ":all"; _elixirType = "atom"; };
+
+    postgresql = {
+      extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
+      package = pkgs.postgresql_15;
+      upgrade.stopServices = [ "mobilizon" ];
    };
  };

-  services.nginx = {
-    enable = true;
-    virtualHosts."mobilizon.c3d2.de" = {
-      default = true;
-      forceSSL = true;
-      enableACME = true;
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      "restic/password".owner = "root";
+      "restic/repository/server8".owner = "root";
    };
  };

-  services.postgresql = {
-    extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
-    package = pkgs.postgresql_15;
-    upgrade.stopServices = [ "mobilizon" ];
-  };
-
  system.stateVersion = "22.05";
 }
--- a/hosts/mobilizon/secrets.yaml
+++ b/hosts/mobilizon/secrets.yaml
@ -0,0 +1,205 @@
+restic:
+    password: ENC[AES256_GCM,data:VzlrvaX6A/TIPZHrFqQokAIB6nMWTJ1fvlANg+RkNjs=,iv:xcczjX3rDpJAmnOjQ4jvcmuAYAfoR4qRhhOVNZBn8qE=,tag:sI3hpyWOqjKi92oscWBTaw==,type:str]
+    repository:
+        server8: ENC[AES256_GCM,data:es9pjz9tIaoxxrjF3aGr+gqNQRKg2kgTATBcMcRzSvnnU7CTlOI7jZ5ij2ViGGW4FxPGOIM7Yakn5rUJipjqu3Bc5keDKDsgdsQ284v9URXMWw1t+dKKbUq3Pe73mB4v+HFH1gjqJtk=,iv:6b+HLJYa9uPpKYdDJtpqOxfjcbGVMX+jt5BU3qXJ2iQ=,tag:l2jen4ynpN9U4YMW4RWlJg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age182ms3ygypflk7mtpemp4k4ks9rz4gwhvzc9jlk95u4py5q68ppxstzu2e3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZjJDK2dLTlFBQWFaNE1G
+            VEM3NlF4OW55c3RuYlkvdHppUlNBY0U3dFh3CjhkZDVCeVFXSkxJbm1JbjZhT1hG
+            OWJlV2I2L1JYWGZRaUZCdGQycngxS3MKLS0tIFFNK05rT3RybkFzZncxN3pVUnd1
+            czZrQXJBOTd3TjM0WGlsS2lnYWQ1SXcKxOubvoavH0isoFu6Ov5CutSkR3XuzjKp
+            2QmjyMoBBiZWlJNxhDGjKc87Kh6/lgRHTWaQs3zMJNIk1T4VfCqUag==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5bW5GQ2Y4VG1rYXIrRmZa
+            eHhmUjFGRmtQcUY1LzBXYkpNQm9kOXhWb1NJCmR3RSt2U2FFVXFHWnBIQ29kMWpN
+            akRVYnhKTVRsNDlncEN2aDg3TnhRWlEKLS0tIG55VVBmbnN3aDY1T1RZUXJTdkdr
+            bnFuRXlycEE1cXlmNERDWjZROG16TzgKnbKHCu8FRFCej1YCtd9zueUM/n8K3F39
+            tU/NFH/sJwqZ7jem/Ljs5Bcp5939zyGmN0RF5MsBre6YrS740YopSg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-06-05T18:26:48Z"
+    mac: ENC[AES256_GCM,data:SO7Q8L7PvEcB9YHeLEUOHARnKOpP6fISMhEU0cFaPICDu3HyaNga+UzUz/5qnQa9qPxtny7NpzAFw3q/McrpShUaNkD6b8sMr7QqeGomKiGE2UVOEwdO0yZSF7dCpwTdONUlDCMDz3Ze68XlYXGsKwE3x9dpToFNBVey3avzqM4=,iv:sLjS1+5vC/E7RqGiDMLNGNlwKTyZN0P5h0biGNWWSyk=,tag:VtxzO4NANM6iRAaw/Lqe8w==,type:str]
+    pgp:
+        - created_at: "2023-06-05T19:07:55Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6j84+xkv3y7ARAA5BAoiF2l4pnglaW4WiedezZUhqxyMi+JMsIyw2b9PDTW
+            gP9OpJoRypZQMOvAyALi7VHnHlo88gKGD4rgfwIcGwYENyjgQapWatqlVp+oqOX0
+            rANNZR4Q86kpFfvDIhooEK4YZpjX4CcJznEePuFGr9/hTwPfgf1jo2sbOGxGWoRJ
+            LYegbWosxrEHZTielLBslVZp9Ml+845lkTcZmSNEZLsdkBx7VuaVaKbhkniENb09
+            t393RuUEw8vH+anKIabXVSl5xvRj9s7VCWsI9GIhD0NMkfDFZZzpAClKvlDEHvob
+            0wFe0DplRReYRc1QkqtJW5LOG0clttg5GPpDGoAp7KIYHjLj/srrWzaSB7tGx6d6
+            kze+Mkz1JCNAb7KKCLf9FLKO9XffRCH0+uweoFd00HiNpwH0wph4WHFL7EoKkx1O
+            0naRIrZJDG2/xNvKRzB/TbpiY1+pQP5+hXGpAnzumDhHNSNOqpvaADLzFOh+zPiM
+            RQZqkGo623+gcsjG3FQ482QESO/a0QH+grrRH2zpKEPa/3AvjIBMz3QHdcWb/0lE
+            aIV1Pdwg8CuF2bOY5lcfciSOG12B82F++XGR44D5RCWR4saxpXjzvQGKXmOZxQg6
+            uR/Uj++BDt1D30sw2X7469FhPIjONLGaJmNNdfB2p5bvF7B+247G3htnk58ATpbS
+            XgFAGebWJOowmPDARVpUKjKPX0Z6mtr+7Di4/L5AQpHNAbUntRMmyzho/Xn4/H7g
+            lU+aoT4nJDVuhYYHCCX1uXZegPe7QJeiAAoqyrqBCtLuoTdtPTnmETCbaW3jqyM=
+            =ff3q
+            -----END PGP MESSAGE-----
+          fp: A5EE826D645DBE35F9B0993358512AE87A69900F
+        - created_at: "2023-06-05T19:07:55Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA8zMZ+ak7y/zAQ/+OFGIlR31q2h+nEm1hw0nduYIAcmqMuwtV8QSajj5vqBN
+            7cxQvqnypmm1MwZJIIN/DoW1QoXgvJSt4kCu+SS8GOzlOiKhC583lnijDLTWA5Yo
+            wziT7bymTOOH7lQW9XVQeOHZ0EAnOn+oYqRDf1olMnu7ZX0Lm7oRRjeqK9mLBFfn
+            M+2jGaF83lhdQp1ezRI//Wn405AvLyZIzQyHOiYDj/aDFLbHJjo8X8RO0MtD47nP
+            3kE4UT9SJLPUbRB6aKRSwHgC2sntXi0v3H6Qw9CWAR+guoPsAIwtLjQ9+0FUn6pw
+            j2LY4S40Gk5FRNS97PTXzTA8k/Vc4WllNKk+SsvgWhvsP+eiieCR11hkoFKxXzJW
+            bxjWtDF6pkHPT/Xk97QPbNaV7EsIRt7WJs82VDGWIJ3cGImCWQNQ8HIDMYYth4VF
+            Iq7ITeyVqosT2l6CKYq3RdjYgapRfDP8LweeLrBD9+erehO1fL+9yPuabTBNEfFi
+            oh7GeB5WxCKhC5jOnH3qjnAcTsvh+OyxuHqS2+7cw5rp+Mg1DaIvShB48HmhAsph
+            e8P/AYQfWY5qWsGjWcEPm/vXzYkSzEFMzOFpFwLzB416X1N5y5WCsUpGKoSMJ5tx
+            0y6gNutU5Nb7q40+ssv4hi1rwyQONb0OSr4sM4QKQiycwASspZ1KpffZYGy50dDS
+            XgEvTN4s0gBZEU3NlPkVVYrzN9FvDjvFgVAnRFy5E9rDGvKIdJESoRXEEqmKU/hM
+            7ij2L7RrFBJSnJ1i1EJyoKOPA1fEd1VHqMIm/oGRWzgzxjubBR+MVhdUibt99Kg=
+            =popK
+            -----END PGP MESSAGE-----
+          fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
+        - created_at: "2023-06-05T19:07:55Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA45bZkLXmBFpAQf/XcXIDOyhfczmp51I2Ij8RtDJxhBJ+B65yHKz48s8Me2k
+            f5ausZzOFlsydmm0doIahy87cOHa3ABaVjK8J3Lsl9iP53uLpAGToqPJGcmPgA31
+            D0Hpo/aXCmM37WLjmn8kfyxExrl1vVHsDIXpgifDlZrAL7yQrWl40Xz90DgkgZgz
+            wmObdzPA/ye/sA0nByQgcjpiYizTRxuZV3ExfcmbyTvqnDhH9B/aoLJeBAzR4+oc
+            1y+cEuMWNJF4m23FtE2rq7Z/8TPDgpYnwBWghUPKd9yCHbgse3hkUZZpQoYWuqa5
+            ws2i6sZLsOT5gYm3QfcLaR1ntyWqOVgZ2cqG9ZVzXdJeAbmdjTn9wuM1hbKEnq3y
+            RXB494vGK8eib6668Z9rQjHis/oE5a5mtZj49fEaVhnq8SqF9UBGzGuCD9FOTfWv
+            ha1roV1gjt6cdk3S8ThifLm5l4dJaTRXIGfDMt4Q/w==
+            =uaBx
+            -----END PGP MESSAGE-----
+          fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
+        - created_at: "2023-06-05T19:07:55Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwMCBBrc/JA6ARAAr7CVjMAGpWq8n7wyUNFQdD1IKKAmELa5TgloNFLPFjtP
+            ReHitI7rjg+j5kDa/T2drkfvcYqYtZk6qtCRzoUTkpoGF6qB4ZaCmRzupOhclPnF
+            KbtQlIMTBr9PcnzHUoxd3BKgCmRBPLknPBIsnHfsv8kJ6yWsoNIw6EdKRkx1AsXt
+            tyKg6lcpZcLH2OvSGMZAeMLfzIMepJ/+YrzatC90nhjxcriG1/RCPk6UvvijU3CL
+            Y+L+bllIsKqZCIWYh3ekrz+IwwTQgXa8oR0O7DcKp3s1zEQv4ynZX8Wo1r6wOoXi
+            YnAnbtn1SeJ3/10ZOPq6GcewUney/BgcMnZTeo4wscfNJkYBUkguTUE94IYroM4P
+            Z0CEjxBqt+Xfqwp5gvnxEZbDwt2oraPhUdmq7Iph+dQWghwyqRH7Nx63DXXpjNB1
+            jtB8bbMdZDRdLZVuNbMmGJ2ApdZG84DgeRzGKOgLqk6QhDry5upcLddgfvFsUFIU
+            Y9v5hlUlIqtJ2NtE0ftntg0qgwbqEcfqaOTs74IVttzpoSN2JMaUG/S++pDN4B1s
+            zI4V8tYnFNW9ib4oN2PlkSTuAKjd0+8QLKVV4kSgFzmD3Jkuq6k9EC13wvl6OpAD
+            mKxA5Q+dKB4np5YsZNz5VNVftNPf87rvz6i7BEHIV6CoktvvqRTA116Tpd6i7AHS
+            lAEiN4gfqphOVax/HTmOwgUEHcHk2NbYCTijPHgq0eLHPaaayt49TFWVZulD+uPF
+            wXg67qFPiivmtsb191tfDMjCOxH+RsJQ7s7l5MMoGKOn43pE3HBLx6xhQNSeSZyl
+            H3WRcH+IU+mp6SBel9f3tVU/The1QEzaOJKPkmDuhX+x8RpAzuOpltqWx4Be/FHi
+            Dsp4Bco=
+            =aY2m
+            -----END PGP MESSAGE-----
+          fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
+        - created_at: "2023-06-05T19:07:55Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA9XEenRNYVGHAQ/9Gsmfr1QkwkbvASwfXG7uPHcYKyGSkRxULSTL7vQv9GKs
+            fVjjRrbiFTiiKYX/tSqgIknNowMaiyTwrOLpYZSwzyYqCV9TL8gAcTVfhLvfnWI0
+            9qVS76I1mybIRNKJw0Pght7DpwlrNfweGSPxKfS//U6D0pXj8kLtaMRnCk4osqwe
+            LmJ8ql8OHOIoXjcri9aq/0Vbu3Us5CE8X+ox7+I6k/0UsEORJ4tilFn4HF2cIEjH
+            pizR/UteTznXxomaglzOYweSxepDeyqwI898vJgS5SbWGOVOS/ovvle0xPmi1ByB
+            O1Ukc3vUF+a92bMKAsO/WoNheGiJZDa0Olk7eLeoFPkfAyL9zYJP/S/1ipQrDpME
+            ClW1ZWnU/UpSV+YJYzemxMY8+4Fe3r8N2A0AomyOYcB0y7bClp/Yoty4SZBTTA8j
+            +RsU9rNbl8YHIjHE2XJLgmNqVq2WTXiTqzG37Z9Seh2WH+5djMX/zL2QcqVFG9Z7
+            k+tYRw84HEzEpvEbCZv9woJXr7yrjc/jTDZVKkFtPSUDUZ0NK5NTw29FW0nNYeAH
+            dvXYFBi3hS7+8EzqqSHyV38gYjcZkOt7ou3MRDtm97gaaSJfKNLjwY4JPdPGdUqe
+            mdhN/xlb4yVIISojx6z5u6GdVyl2wVUEZWDB3DseO3i2bKcTLvS9mYOSA1uJA9TS
+            XgHrzWGL/wPCDrfbHJfgGo29vtyBGdkx0wtTHVpokwOzOP1xCWJkwNTW8BXqvttJ
+            Kknrz734huuDuVfnvj4HwosjRzZlHD6eWfpaMZSb0AqgcQPtgueMmy71L8I5Czg=
+            =0RHc
+            -----END PGP MESSAGE-----
+          fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
+        - created_at: "2023-06-05T19:07:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA/Z87ylQaotQAQf+MIXZYLPhLLZ6PXgLkA5ADPRzAWyxCOXzGHuOthuyjTJ/
+            7tn88URcLY4YYRdAjD4kMpf3xAWhS4nucS3vBw8dvjezxChxrPeHRfEOC2CkF0yJ
+            SzDIAT71YXqXLyoFuDZvqZaCCPow/y3zhf2w67H0EQOw4VoOXERnSIhLDIiRenFR
+            Q1STNDYUmQP3J/WauDXpcM9npva8UlHVednxfFgvyzO5SeEUiyF6nCFtmwE98gJo
+            Xh0WCjMKBjN1UVtzu11SHCNhsAtIBSovEM13/x6jLmWtf92MiS9yDA2HNimq6Tbz
+            sHp6ayTyc4Zaa7Rx6HD16GC9hgzyTjaQFYg4GHIvddJRASZW2cmZkf653hCWqEQu
+            jlPb5a6AdCVIcEzXKTnTF7VKm+cGDpYPH4SjxR6CDZVfWEjppKCuImeU+YzbWMYq
+            GqpwTMBO2uniVD795gJGQJFu
+            =XguT
+            -----END PGP MESSAGE-----
+          fp: 9EA68B7F21204979645182E4287B083353C3241C
+        - created_at: "2023-06-05T19:07:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA9qJIVK2WMV7AQ/7BDJoOnR3DX/WyptS60gb4y1Ln37ZpQGO/kGH+XY2GqRU
+            0ueVs6lC5GMMubrCGImZdTH1kt6oZUTurQKaiuJkaRTsDcttGqSfns16VSBdWT3d
+            3ElPbBYbwH+cLqT2IryzjwIj3Gj7OTrgw5N8NH94jNbBaWsMEM6+FNtbTPlx3xf7
+            UVPifzmMDd+OFGtZAULPDce/ROSKm/goaJdgEfaf6LPtIeoL15MH5Ls4JQD1j8TB
+            NvPKjamPY01iVaHi33I38Zl9VvBF0TQEiIu11vCjb7JhGUslns20q+WpAkICZvmn
+            K+Is0EaAQMEFVEmFUeh6uPUTXepHgBUCE6qzQveR68KsKM19HvOtRLokLsYuBXOk
+            8QT5HI9657wjZpU4k9YUHZ2aTiVr70O8IC6uo2fP3W32V4BKBCToj6HOHrmtvGx9
+            6xnK/Q6pAo/e6zhh5NF5gd1Ue72HBLKNkSIagU0BVIFYVcWOXjQq+Ap07KApplbs
+            2lyYhgliSLW//75v01hFqzBexFBfurcCe2GF/TC+36CFLiQztPmGjFjecavQ8k22
+            6aN15ejUAY4JYdNAzkgdWACFFyy3gTY7vpzvrJIVDMneN04XHXJDJOtA9dR1WsaW
+            ddY0xyyhbdJVCMggWZ0DqMJ0HzLhd69OZhvPuabFGdvrVu5Rkhm2fw4tjGE31ZTS
+            UQGhwB+y6ZdMx56uPhPvhW6Qn6n9Otyp0fwf7uA2y6Fbykp4M+q47C1thRVBAD64
+            by/rl/mUn0jxC99qG0zIDNOe1kyea+xBX/TwqKXcgXTWDw==
+            =ZIm2
+            -----END PGP MESSAGE-----
+          fp: 53B26AEDC08246715E15504B236B6291555E8401
+        - created_at: "2023-06-05T19:07:55Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA/YLzOYaRIJJAQ/8DN8XmixXlZPwU3MsuF7Ti6SM0nagoXVnzVOzkSKcF2zX
+            wY82QFCOzeM40BCOFkcFYt8Ego0pGfE4Y6trIZ74DQ+hzgs8k61Y3b53mgTx/FPX
+            BRJPyc5Pm1fjcViBGK5MYEM+WtYAzDUQkUIu/rF71pcI0+wZWTDnlQwkoA2R0YxR
+            U9g8Njt4kV8BM4qrV6RDBz+v4xoJmopK3vhPInLNBz47XpMjo+9HBN4zUOagH5zw
+            13+v3dIg5KiO6It8xm+j8KLjy8eZmtVP+A80LnjUUOOMcwGNDk/iNE/AW3h8W99N
+            a8VebXzQYYa2oQZXUUNNAXy0auvFJjo8luczXRolITSI+j1YBVD45j4FsOjLD8i9
+            YupiSU9DxCOFYao/GVDXPUlr7MLlKyhoxcZNiPqldUlZBhBy3UEUVeFn6CbKw1mX
+            nXuqvyvHe1KkCLzjeJum6jeQftgfF6kZ1kSEGBgaHkyS+p837DVF0YqOkRE79FTR
+            2JZPczAmkE2sLXfNHRecXzP2qjD3oiRpMkYbLvvuzgM19lCUIxavuoRDOm5+JYJx
+            SxTXcRMpaZRX5a9dlccxKnwfNpt7qcx1deKHn7sjbz2xuJV5t27srnDKWXILPFeA
+            Di0Rv/i71uuvvpzCARHlRqb75tIMuQS2qKL1wHl+8t83BztwVB9JCyd4OOvHgO3S
+            XgHRt/r5xT7eKPzGRENFGw44AeB1bmVJ4p3Blsd1L+cxAV03i7UVnWdpzWwOtlQ3
+            Qi04Yi1vCWyL1JF5eAT+GQrHJmQYFXbFDYMuGn1E0X5LlfItb3WB1yb92vEhSzI=
+            =bwYC
+            -----END PGP MESSAGE-----
+          fp: 91EBE87016391323642A6803B966009D57E69CC6
+        - created_at: "2023-06-05T19:07:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7zUOKwzpAE7AQ//Zr7w6D+KQkUbE/Zn9r++iNkcMhrnVcV51QA1SejlkrtT
+            9k2NXFxnciuNkkUiqqp2mkSpHYixrMiZVa6bnaVydTcDTx9nzZuhYGPR3GL8k7WS
+            1+KrNMUPr2fdRF6KJeHduHRruUAjZJJBQdKDaXVRBPCx0TgjI9vfyE7A5WA0tPDc
+            WJG6+lQc1akh22wwGDtkKQdHsPIoRCYu5kgpproqpsB7xzGkN+WeGNSYd4czyhId
+            9FH5MvAEeVY04t5QSK19G8SM8Bty5INMN2rLZOxUaFvWOPnRiMOxgjz7CD2ELuZZ
+            RsnkVsXb/vZyyGhVqLWAsf2zC7CWmCkWZzv3u+ASKW1iQSBLNah+ncwC7pY2zkEn
+            67EajsWkJVzvpRguyQcmEBS0eQPNOeFtCCyXFNiv2HDnO7iGHZYxof2s5xFbCaIP
+            +FddIlCqmUUMQQ+4I4Kurlrm2Sicn01BEDsNbORtHPKp4XIAoGnmX7GY8Xk8crLI
+            oonYB10/4YdEyBnsoy7vfYVNMcCyYx/ACrS56aydF6TwJsUYfEaC8+i8XTPFws9A
+            1csWkp0ELni7VaHsyHy2awyjgRlMhC+6mdub5E6OkwX6NXCSYhnxNJgh+wM/PK99
+            c2WPKadUIN3NEXPKgUVMJb7Yf4iiOg8RFO8ZOj9y87lJZP83DZrAmdnJxbUZnjHS
+            UQFxayY+jt1mxe6AJiO39VsdhBdRQmjjwkU2xSJMTjbKUE58PJcm0qBAzjRpbdKh
+            5FXB2lK2whkwPUEHWdgUhaAjrTHC8PUdQ+DKnqSekN9Trg==
+            =aTKf
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/hosts/nfsroot/default.nix
+++ b/hosts/nfsroot/default.nix
@ -17,7 +17,7 @@ in {

    # shares break nfs
    shares = lib.mkForce [];
-    bootDiskType = "erofs";
+    storeDiskType = "erofs";

    volumes = map (export: {
      mountPoint = "/${export}";
@ -32,11 +32,7 @@ in {
    "/${export}".options = [ "relatime" "discard" ];
  }) {} nfsExports;

-  networking = {
-    hostName = "nfsroot";
-
-    firewall.enable = false;
-  };
+  networking.hostName = "nfsroot";

  system.stateVersion = "22.05";
 }
--- a/hosts/nfsroot/nfs.nix
+++ b/hosts/nfsroot/nfs.nix
@ -45,4 +45,10 @@
        }
    '';
  };
+
+  systemd.services.nfs-mountd.requires = [
+    "var-lib-nfsroot-riscbert.mount"
+    "var-lib-nfsroot-dacbert.mount"
+    ''var-lib-dump\x2ddvb-whoopsie.mount''
+  ];
 }
--- a/hosts/nfsroot/tftp.nix
+++ b/hosts/nfsroot/tftp.nix
@ -1,8 +1,6 @@
 { tftproots, pkgs, ... }:

 {
-  networking.firewall.enable = false;
-
  # raspberrypi boot
  services.atftpd = {
    enable = true;
--- a/hosts/nncp/default.nix
+++ b/hosts/nncp/default.nix
@ -20,10 +20,7 @@

  system.stateVersion = "22.05";

-  networking = {
-    hostName = "nncp";
-    firewall.enable = false;
-  };
+  networking.hostName = "nncp";

  programs.nncp = {
    enable = true;
--- a/hosts/owncast/default.nix
+++ b/hosts/owncast/default.nix
@ -9,10 +9,6 @@
    vcpu = 8;
    mem = 2048;
    persistedShares = [ "/etc" "/home" "/var" ];
-    extraShares = [ {
-      source = "/storage/cephfs/microvms/c3d2/config/owncast/archive";
-      mountPoint = config.services.owncast-archiver.targetDir;
-    } ];
  };
  c3d2.hq.statistics.enable = true;

--- a/hosts/owncast/owncast-archiver.nix
+++ b/hosts/owncast/owncast-archiver.nix
@ -30,7 +30,7 @@ in

    targetDir = mkOption {
      type = types.str;
-      default = "/mnt/archive";
+      default = "/archive";
    };

    pollInterval = mkOption {
--- a/hosts/oxigraph/default.nix
+++ b/hosts/oxigraph/default.nix
@ -1,34 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  networking.hostName = "oxigraph";
-  system.stateVersion = "22.11";
-  c3d2.hq.statistics.enable = true;
-  deployment = {
-    vcpu = 16;
-    mem = 8192;
-    needForSpeed = true;
-  };
-
-  users = {
-    groups.oxigraph = {};
-    users.oxigraph = {
-      isSystemUser = true;
-      group = "oxigraph";
-      home = "/var/lib/oxigraph";
-      createHome = true;
-    };
-  };
-
-  systemd.services.oxigraph = {
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-    serviceConfig = {
-      User = "oxigraph";
-      Group = "oxigraph";
-      ExecStart = "${pkgs.oxigraph}/bin/oxigraph_server serve -l ${config.users.users.oxigraph.home}/data";
-    };
-  };
-
-  # curl https://dumps.wikimedia.org/wikidatawiki/entities/latest-all.nt.bz2 |bzip2 -cd - | parallel -j`nproc` --pipe -L 100000 --joblog /tmp/split_log.txt --resume-failed 'F=$(mktemp /tmp/wikidata-XXXXXX); cat > $F && time curl -X POST -H 'Content-Type:application/n-triples' -T $F "http://localhost:7878/store?graph=https://wikidata.org/"; rm $F'
-}
--- a/hosts/pipebert/default.nix
+++ b/hosts/pipebert/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, libC, pkgs, ... }:

 {
  imports = [
@ -25,6 +25,7 @@
        },
      },
      apply_properties = {
+        -- TODO: better name?
        ["node.description"] = "Pipebert Audio Streaming",
      },
    }
@ -81,7 +82,7 @@
              proxy_set_header X-Scheme $scheme;
              proxy_set_header Accept-Encoding identity;
              client_max_body_size 200M;
-            '';
+            '' + libC.hqNetworkOnly;
          };
          # locations."/cam/stream" = {
          #   proxyPass = "http://localhost:3020/?action=stream";
@ -103,6 +104,7 @@
          locations."/" = {
            proxyPass = "http://127.0.0.1:8888/";
            proxyWebsockets = true;
+            extraConfig = libC.hqNetworkOnly;
          };
        };
        "mopidy.hq.c3d2.de" = {
@ -111,6 +113,7 @@
          locations."/" = {
            proxyPass = "http://127.0.0.1:6680";
            proxyWebsockets = true;
+            extraConfig = libC.hqNetworkOnly;
          };
        };
        "pipebert.hq.c3d2.de" = {
--- a/hosts/prometheus/secrets.yaml
+++ b/hosts/prometheus/secrets.yaml
@ -3,7 +3,7 @@ alertmanager:
 alert2muc:
    config: ENC[AES256_GCM,data:1JKSMT5yz9xzHQrx9BOZupoYhSDmYQKPO85GVZiQbiN03LkPNMhilSKteU6Mr5vTau+aWBYqKr14t9iTc9xwnClfT5YiK4CbRbDELZ7OcmENmeGnf881t8O6pLkvkkPIK0rtr78U6JRdIJ6dxp8Veg8eTEcJtGdK2/FiiW0Z384NEIDFjYv7FAhBCE14QYCgC1r/xa11mmJYW9BgmloI,iv:fkvsTnbllRVqaE4CHKV07zOKjbKPmR/M4qpp2dWAkmM=,tag:s543Eralf/eWwAIKugbZKw==,type:str]
 nginx:
-    httpAuth: ENC[AES256_GCM,data:PS7icDVNB4g7XBMP7mMSbalkvQ==,iv:0GOfGl97k1AjkRxm2x2f4LpeQOuJcFqAHgdRrbceW6U=,tag:GX5L0wI5zwHwuls7ZOPlOQ==,type:str]
+    httpAuth: ENC[AES256_GCM,data:37Q4IXXfC0XlEXArHefpYfBs43p7iET+vwB4z5JkLHvbI3Wj+McFf1z6pMhEat00D9aAj4Xv9s3KK/4u0/KkNp4f,iv:ODtFBPkewYGXu7UI5nvdXhWz0r4dCyv+ZZ0A0nrcy4E=,tag:Wqy8b9cGrRCp/cCZZdb2qQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -28,8 +28,8 @@ sops:
            VURvRkJmaUYzMHlmdDJnT2N0WjhmYUUKx9lhKZAxIOx/R4oVAz3DKhcb0sHR6i7t
            XuXT538o2VgWUEnREbmIP7Tn/iPaqtpmtlRdIRjOc1LqZiRGTP8nlw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-16T19:39:57Z"
-    mac: ENC[AES256_GCM,data:7TI6W1heh8em+GwIv6d0RJsJqA/kfBWUkNgRKPtMxkLFfeOC8Xw6APntKaEXpG4pK/eed1FOClnTlwr2watHPDO6ssXYCZgLYXgJctjmE3FduAf6sfd6vmdrnVtP1z9KPAmXpYsJYIloQbnSldyl/oijfTLWtUotj0umpwWfFA0=,iv:0cEEVINd3Mt+n1Ci/pp41fzuDKISgVAB3DjuxcIdODw=,tag:C/ktisdUV1sI1do7K53tzQ==,type:str]
+    lastmodified: "2023-06-07T23:21:00Z"
+    mac: ENC[AES256_GCM,data:eUXv2R8IF4cfrO/5t5BxIkm0Ha0VUJ5zy5ZEY6tBCESreEUBqq6Tsz25amb6z04MlTIpG12rwQDlMTo6KGS/EsL5qv3ZgqOsVNo2k4RHvL5kQ6N0hFwAx1am2z05qu9y/pHN/8UKtCI9hfwgcmm/jNvSwpDjoV+O8UFgMX6ypAY=,iv:Tzuz5DJNBBo/7IlDbSsx4cAZHX+DB1y87QV6ez1EwBU=,tag:PFZv2kH/dGb2o7j686BAHg==,type:str]
    pgp:
        - created_at: "2022-12-26T19:10:09Z"
          enc: |
--- a/hosts/public-access-proxy/default.nix
+++ b/hosts/public-access-proxy/default.nix
@ -138,12 +138,6 @@
    } {
      hostNames = [ "relay.fedi.buzz" ];
      proxyTo.host = zentralwerk.lib.config.site.net.serv.hosts4.buzzrelay;
-    } {
-      hostNames = [ "tmppleroma.hq.c3d2.de" ];
-      proxyTo.host = zentralwerk.lib.config.site.net.serv.hosts4.tmppleroma;
-    } {
-      hostNames = [ "oxigraph.hq.c3d2.de" ];
-      proxyTo.host = zentralwerk.lib.config.site.net.serv.hosts4.oxigraph;
    } {
      hostNames = [ "drone.hq.c3d2.de" ];
      proxyTo.host = hostRegistry.drone.ip4;
--- a/hosts/pulsebert/default.nix
+++ b/hosts/pulsebert/default.nix
@ -17,7 +17,7 @@
    loader.grub.enable = false;
    loader.efi.canTouchEfiVariables = true;
    supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];
-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
  };

  hardware = {
--- a/hosts/radiobert/readsb.nix
+++ b/hosts/radiobert/readsb.nix
@ -7,7 +7,7 @@ let

  makeMlatClientService = args: {
    wantedBy = [ "multi-user.target" ];
-    requires = [ "readsb.service" ];
+    requires = [ "dump1090.service" ];
    serviceConfig = {
      User = "mlat-client";
      Group = "adsb";
@ -26,8 +26,17 @@ in {
    "dvb_usb_rtl28xxu"
  ];

+  networking.firewall.allowedTCPPorts = [
+    # dump1090
+    30001
+    30002
+    30003
+    30004
+    30005
+  ];
+
  environment.systemPackages = with pkgs; [
-    readsb
+    dump1090
  ];

  sops.secrets = {
@ -45,7 +54,7 @@ in {
        isSystemUser = true;
        group = "adsb";
      };
-      readsb = {
+      dump1090 = {
        isSystemUser = true;
        group = "adsb";
      };
@ -59,7 +68,7 @@ in {
  systemd.services = {
    dump1090-influxdb = {
      wantedBy = [ "multi-user.target" ];
-      requires = [ "readsb.service" ];
+      requires = [ "dump1090.service" ];
      serviceConfig = {
        ExecStart = "${pkgs.dump1090-influxdb}/bin/dump1090-influxdb";
        User = "dump1090-influxdb";
@ -109,11 +118,11 @@ in {
    # Feeds https://adsb.chaos-consulting.de/map/
    mlat-client-chaos-consulting = makeMlatClientService "--server ${config.services.stunnel.clients.mlat-client-chaos-consulting.accept} --user \"$(cat ${config.sops.secrets."chaos-consulting/user".path})\"";

-    readsb = {
+    dump1090 = {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
-        ExecStart = "${pkgs.readsb}/bin/readsb --modeac --aggressive --fix --stats-range --dcfilter --quiet --gain=-10 --lon=${lon} --lat=${lat} --net --net-ro-port=30002 --net-sbs-port=30003 --net-bo-port=30005 --net-vrs-port=30006 --net-beast-reduce-interval 1 --net-connector feed.adsbexchange.com,30005,beast_reduce_out";
-        User = "readsb";
+        ExecStart = "${pkgs.dump1090}/bin/dump1090 --modeac --forward-mlat --quiet --lon ${lon} --lat ${lat} --net --net-ro-port 30002 --net-sbs-port 30003 --net-bo-port 30005";
+        User = "dump1090";
        Group = "adsb";
        ProtectSystem = "full";
        ProtectHome = true;
@ -122,10 +131,10 @@ in {
      };
    };

-    # SHIM because readsb has no web server like dump1090
+    # SHIM because dump1090 has no web server like dump1090
    sbs2json = {
      wantedBy = [ "multi-user.target" ];
-      requires = [ "readsb.service" ];
+      requires = [ "dump1090.service" ];
      serviceConfig = {
        ExecStart = "${pkgs.heliwatch.http-json}/bin/http-json";
        User = "sbs2json";
--- a/hosts/radiobert/default.nix
+++ b/hosts/radiobert/default.nix
@ -3,7 +3,7 @@
 {
  imports = [
    ./soapysdr.nix
-    ./readsb.nix
+    ./adsb.nix
  ];

  c3d2 = {
@ -47,7 +47,7 @@
    # No ZFS on latest kernel:
    supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];

-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
    extraModulePackages = [ ];
    initrd = {
      availableKernelModules = [ "usbhid" ];
@ -98,7 +98,6 @@
      prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len;
    }];
    defaultGateway = "172.20.73.1";
-    firewall.enable = false;
    nameservers = [ "172.20.73.8" "9.9.9.9" ];
  };

@ -127,7 +126,7 @@
  '';
  systemd.services = {
    soapysdr-server.serviceConfig.CPUAffinity = "2-2";
-    readsdb.serviceConfig.CPUAffinity = "3-3";
+    dump1090.serviceConfig.CPUAffinity = "3-3";
  };

  system.stateVersion = "21.05"; # Did you read the comment?
--- a/hosts/radiobert/soapysdr.nix
+++ b/hosts/radiobert/soapysdr.nix
@ -1,6 +1,10 @@
 { pkgs, ... }:

 {
+  networking.firewall.allowedTCPPorts = [
+    55132
+  ];
+
  environment.systemPackages = with pkgs; [
    soapysdr-with-plugins
    hackrf
--- a/hosts/riscbert/default.nix
+++ b/hosts/riscbert/default.nix
@ -26,7 +26,7 @@
      ];
    };

-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
  };

  fileSystems."/mnt/sd" = {
--- a/hosts/rpi-netboot/default.nix
+++ b/hosts/rpi-netboot/default.nix
@ -27,7 +27,6 @@
    hostName = "rpi-netboot";
    useDHCP = false;
    interfaces.eth0.useDHCP = true;
-    firewall.enable = false;
  };

  fileSystems = {
--- a/hosts/schalter/default.nix
+++ b/hosts/schalter/default.nix
@ -3,7 +3,6 @@
 {
  networking.hostName = "schalter";
  hardware.enableRedistributableFirmware = true;
-  #networking.wireless.enable = true;
  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";

  boot = {
@ -19,7 +18,7 @@
    # no zfs required
    supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];

-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
  };

  nixpkgs.config.packageOverrides = pkgs: {
@ -34,5 +33,8 @@
    firmwareSize = 512;
  };

+  # can't find zstd library on armv6
+  services.nginx.recommendedZstdSettings = false;
+
  nixpkgs.crossSystem = lib.systems.examples.raspberryPi;
 }
--- a/hosts/sdrweb/adsb.html
+++ b/hosts/sdrweb/adsb.html
@ -38,7 +38,7 @@
             color:#333;
         }
        </style>
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
+        <script src="jquery-3.7.0.min.js"></script>
        <script src="https://unpkg.com/leaflet@1.6.0/dist/leaflet.js" integrity="sha512-gZwIG9x3wUXg2hdXF6+rVkLF/0Vi9U8D2Ntg4Ga5I5BZpVkVxlJWbSQtXPSiUTtC0TjtGOmxa1AJPuV0CPthew==" crossorigin=""></script>
        <script type="text/javascript">
         Map=null;
--- a/hosts/sdrweb/default.nix
+++ b/hosts/sdrweb/default.nix
@ -28,6 +28,7 @@
      root = pkgs.runCommand "adsb-map" {} ''
        mkdir $out
        cp ${./adsb.html} $out/index.html
+        cp ${./jquery-3.7.0.min.js} $out/jquery-3.7.0.min.js
        cp ${./airplane.svg} $out/airplane.svg
      '';
      extraConfig = ''
--- a/hosts/sdrweb/jquery-3.7.0.min.js
+++ b/hosts/sdrweb/jquery-3.7.0.min.js
--- a/hosts/server10/default.nix
+++ b/hosts/server10/default.nix
@ -1,10 +1,9 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:

 {
  imports = [
    ./hardware-configuration.nix
    ./microvm-staging.nix
-    ./znapzend.nix
  ];

  c3d2 = {
@ -16,7 +15,6 @@
  boot = {
    loader.grub = {
      enable = true;
-      version = 2;
      device = "/dev/sda";
    };
    kernelParams = [
@ -24,25 +22,33 @@
      # No server/router runs any untrusted user code
      "mitigations=off"
    ];
-    tmpOnTmpfs = true;
-    tmpOnTmpfsSize = "80%";
+    tmp = {
+      useTmpfs = true;
+      tmpfsSize = "80%";
+    };
  };

  networking = {
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [ 22 ];
-    };
    hostName = "server10";
    # TODO: change that to something more random
    hostId = "10101010";
  };

-  # reserve resources for legacy MicroVMs
-  services.nomad.settings.client.reserved = {
-    cpu = 4200;
-    # see /sys/fs/cgroup/system.slice/system-microvm.slice/memory.current
-    memory = 28 * 1024;
+  services = {
+    ceph = {
+      mds.package = pkgs.ceph_17_2;
+      mgr.package = pkgs.ceph_17_2;
+      mon.package = pkgs.ceph_17_2;
+      osd.package = pkgs.ceph_17_2;
+      rgw.package = pkgs.ceph_17_2;
+    };
+
+    # reserve resources for legacy MicroVMs
+    nomad.settings.client.reserved = {
+      cpu = 4200;
+      # see /sys/fs/cgroup/system.slice/system-microvm.slice/memory.current
+      memory = 28 * 1024;
+    };
  };

  simd.arch = "ivybridge";
@ -62,6 +68,7 @@
    "staging-data-hoarder"
    "borken-data-hoarder"
    "tram-borzoi"
+    "uranus"
  ];
  skyflake.nomad.client.meta."c3d2.cpuSpeed" = "4";
  skyflake.storage.ceph.osds = [ {
@ -71,6 +78,8 @@
    keyfile = config.sops.secrets."ceph/osd.4/keyfile".path;
    deviceClass = "ssd";
  } ];
+  # TODO: remove
+  skyflake.storage.ceph.package = lib.mkForce pkgs.ceph_17_2;

  system.stateVersion = "21.11"; # Did you read the comment?
 }
--- a/hosts/server10/znapzend.nix
+++ b/hosts/server10/znapzend.nix
@ -1,27 +0,0 @@
-# Quick full backups of all service MicroVM datasets.
-# server10 runs services, server8+9 have the storage.
-{
-  services.znapzend = {
-    enable = true;
-    logLevel = "info";
-    autoCreation = true;
-    # override preexisting zetups
-    pure = true;
-    zetup = {
-      "server10/vm" = {
-        recursive = true;
-        # keep a day of hourly snapshots locally on server10
-        plan = "24h => 1h";
-        destinations = {
-          server8 = rec {
-            dataset = "server8_hdd/backups/server10/vm";
-            host = "server8.cluster.zentralwerk.org";
-            plan = "2h => 1h, 7d => 24h";
-            # just always work
-            presend = "ssh-keygen -F ${host} >/dev/null || ssh-keyscan ${host} >> .ssh/known_hosts";
-          };
-        };
-      };
-    };
-  };
-}
--- a/hosts/server6/default.nix
+++ b/hosts/server6/default.nix
@ -21,8 +21,10 @@ _:
      # No server/router runs any untrusted user code
      "mitigations=off"
    ];
-    tmpOnTmpfs = true;
-    tmpOnTmpfsSize = "80%";
+    tmp = {
+      useTmpfs = true;
+      tmpfsSize = "80%";
+    };
  };

  disko.disks = [ {
--- a/hosts/server7/default.nix
+++ b/hosts/server7/default.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:

 {
  imports = [
@ -12,14 +12,20 @@
  };

  boot = {
+    initrd = {
+      availableKernelModules = [ "igb" ];
+      network.ssh.enable = true;
+    };
    loader.systemd-boot.enable = true;
    kernelParams = [
      "preempt=none"
      # No server/router runs any untrusted user code
      "mitigations=off"
    ];
-    tmpOnTmpfs = true;
-    tmpOnTmpfsSize = "80%";
+    tmp = {
+      useTmpfs = true;
+      tmpfsSize = "80%";
+    };
  };

  networking = {
@ -27,6 +33,14 @@
    hostId = "07070707";
  };

+  services.ceph = {
+    mds.package = pkgs.ceph_17_2;
+    mgr.package = pkgs.ceph_17_2;
+    mon.package = pkgs.ceph_17_2;
+    osd.package = pkgs.ceph_17_2;
+    rgw.package = pkgs.ceph_17_2;
+  };
+
  simd.arch = "ivybridge"; # E5-2690 v2

  sops = {
@ -45,7 +59,7 @@
    fsid = "036260b7-6bff-4e90-a635-a18640223fe0";
    path = "/dev/server7_nvme0/ceph";
    keyfile = config.sops.secrets."ceph/osd.5/keyfile".path;
-    deviceClass = "nvme";
+    deviceClass = "ssd";
  } {
    id = 6;
    fsid = "e4dbb8be-da42-4a85-85c9-da207b17386c";
--- a/hosts/server8/default.nix
+++ b/hosts/server8/default.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:

 {
  imports = [
@ -14,7 +14,6 @@
  boot = {
    loader.grub = {
      enable = true;
-      version = 2;
      # Define on which hard drive you want to install Grub.
      device = "/dev/disk/by-id/scsi-3600300570140a6102b0acad9825149f2"; # or "nodev" for efi only
    };
@ -23,8 +22,10 @@
      # No server/router runs any untrusted user code
      "mitigations=off"
    ];
-    tmpOnTmpfs = true;
-    tmpOnTmpfsSize = "80%";
+    tmp = {
+      useTmpfs = true;
+      tmpfsSize = "80%";
+    };
  };

  networking = {
@ -33,6 +34,14 @@
  };

  services = {
+    ceph = {
+      mds.package = pkgs.ceph_17_2;
+      mgr.package = pkgs.ceph_17_2;
+      mon.package = pkgs.ceph_17_2;
+      osd.package = pkgs.ceph_17_2;
+      rgw.package = pkgs.ceph_17_2;
+    };
+
    nginx = {
      enable = true;
      virtualHosts."server8.cluster.zentralwerk.org" = {
@ -68,8 +77,6 @@
        path = "/etc/machine-id";
      };
      "restic/htpasswd" = {
-        group = config.systemd.services.restic-rest-server.serviceConfig.Group;
-        mode = "400";
        owner = config.systemd.services.restic-rest-server.serviceConfig.User;
        path = "/var/lib/restic/.htpasswd";
      };
@ -90,6 +97,8 @@
    keyfile = config.sops.secrets."ceph/osd.2/keyfile".path;
    deviceClass = "hdd";
  } ];
+  # TODO: remove
+  skyflake.storage.ceph.package = lib.mkForce pkgs.ceph_17_2;

  system.stateVersion = "22.11";
 }
--- a/hosts/server8/secrets.yaml
+++ b/hosts/server8/secrets.yaml
@ -5,9 +5,9 @@ ceph:
    osd.2:
        keyfile: ENC[AES256_GCM,data:PwOm1GNXLUYVhjoTQB1Ne/X0J1OUeUBk3ucGJv2qgbgpJUH6sXR/Ng==,iv:q7JUhvn2jeyT55/DTepQTa4ocXl1zN9SdzKz1CO/XEE=,tag:lPsfERwCcfyjvaCWEd4e7w==,type:str]
 restic:
-    password: ENC[AES256_GCM,data:srAGp/9yMg+MUFSJHcTGm1Vo/9a1iIQ8gLHKfLIcJIi9j3ruHYlgPcLmRzGN48C9MCZePTYfljLiFRv0/TEvxoiIwLF3N8So+dPza/3PalzXZKn6Z48fg2k6+JfxcmLKt1WgFabUb3fcA0ZqoU+IWJ9IkvtNuFuSOytr9V4R1SpnJi/4+X/G9LQokXgZapxD2bjqldAOl4XnJqnYUfWzHNIdBziVt/sw1wGOJCoTd3ijiadjnNmcxstDGc3iD69bBX5m87wG4OxzVJT8H1IvJLL+U6J3ffIJzOvtUIJ1BdZQh0mVBBCyf3UAP+M9XvmaSoJvh9E24g7ywi+BFYYfuP1GXYy9W3PhTKoZzGAzrzRdWMI4Yjf6pitDk5eXWfDKszVlWKBGnegi3KtIgYfE1FtZ1/Xl0gAk/t9b4TUewN8kPbsOgdVDDGU5nA+rMkq0DXZBh7G45MZ9rQEcd40XA60P8PCo38Cttb/t36cWHqofHsVOkDEHwG+VXqhkz2r6Ic0N8D7TSqXP1+3yTQ12ommZOVVygouF7Q==,iv:U4SQFSUJxQ2aD91zFxalhphrKRp4lWDEESh3JVLED20=,tag:U3fhdw34+fkVOLvAgCrEmA==,type:str]
+    password: ENC[AES256_GCM,data:U2cJwi/wB3U7Fx7KnDjHo59dz21KYgvTGWqTOVWD9fiF4DKyCit6V7hmWzRKfYiKHxwtZafcjbrTbCcQRVOLzOjNzycMu+XjBOV8zflUZpURDJTnVLKTphd5sRod66NWcqg7BzB0aYYsTmsjh5bJk+/zzSa6Ara/AlqZJcpq522XfVGbMkguH1rrEhIFkXXmgc57Wo9HH1D/5whveNv2gf1yS+76wv42epNbaRSPXwa9NeWFjQQQOydUVCESNteg64yI6jXf4YID7H8uSQB48AHdB/oUd+nexkH6+LEoXSkBCWxW6G/saipoi6LTzDlZIBo7XTSiONQfulcV52Rwb3UhPy69akwcROKdOeJ4IYyjH2eafCBv5mBnoCmCAcR+369cR6Ga1XxCvbiIMRagEv6J1nHR7GyrHS2h0xu9n1eGRfx3xztPMhPqTqIUeafr+Wwx87CpSKsH7JaQkQgBaI1qAXvqUjbkGOEvL8+oH3o8COddIxMshnUm5gIomTfvGx/v23Sqj1wD4PLyY/spGEbYTrru2XaROwbVxDaH8hz0ujp3S0eKP91lZf+1MxOPrjdtn3Nkl8h15c4/9EV4EkkH65wMbFoacAzW3vCj0pxW6kGgnWOL53gQkosU+JRGiUXjRVSsiaDK71BYn9SAgO0Dr/PFHBsgPBKv3idv109e6baIgIYYTsEj/wxTMyWCh+M=,iv:/V9sw67SswAY2DGQX71gtqpg6AceUqheCJ46fiZ9RDA=,tag:mWDbBm/XYx3/0FxF+xeT6Q==,type:str]
    #ENC[AES256_GCM,data:wKIykk+mVh3I2Hyo2TZVftZxuPZzlAmPEIX41WO7eLka/03P01cTZQl6bmElMRprwWFY,iv:B1ujyiHpdDeNLFjntmRKaAEFknLVNzsxv52kTMx9hVw=,tag:hzyRxamPe7nSUoKFaUKJKw==,type:comment]
-    htpasswd: ENC[AES256_GCM,data:LcIDGqfVsBrfP2xJQP2nPsSkH7gfQV37IWHK4HjiW0AlPftsIndpYfJLtPeYp3sO8j8pLKkHYRCaC6dCLC6XSx4oenwiOSPLip7exUBRYi1MGw1p82IIUoa8JEgDZ5EEpfSHHxALGtKM8andIW9aMHZC41KVYBgBkdnYtrSTjmT2MZC1NgWE3A6Nu30IrzLLJIU9ubxpqg/xeHcyfwwwm2BsSEJ3cu4IoaDSHCOpEQm5ZabxtgeY9wGj7RYo0vbcKPa0h21CQ8pex2fUE8FGXEma9gkQexN58g9WogXttCdMN4+1KBRh4yYX4cjIN3doP5ZoilZaqJ/qpI6Yp/6qRwDxcFrbKhJVokJV5auxZcNxa4CNwdiV/erugVtL/vc2RjjeSHeMYK0ZimBEwM9yZ78MY2vTENsmSdq1vkoyCU+wiPziRo6XfGJAMdgYcWfFlh//OESYtqfNCYG5E8rcjytojjf9ui4eSrfrB51kCeRol/t0k21+hU/pko5/z0j2YKyLyGmv9TW3cMpWWh7DHUPwWa/MdJCj95KmxVUGes/RtVxNn4ltH4r214hWgvCnNj+YD0SqmdVAk0YPHJGRMks9HQTVneGCorp+xpmalEEKGN15RjtQoN23/ENVt2R/1f1d6egsJxCQAuJl0XOyIzjDIzHFvv/OYRIFxPY4AhYOFddn1urcG1m4UGxFX2TGWY1N7ccNhWqK+TkldRIgGEhfyu7y8SdxRNfjfqeyd7iMOZ3/hlb3b7wl6vt38dxHB5cWUtuTo0OBhpHJXFqsV6UGFeXG8HEEkqwwZfg8yw4qxQnf+Lv7N4pSa+1gebzZRPmK1CKV+Qaza3spqzsGZo7HAw6aKht9EYRKYXSnaCJ1rEPAdeqrGh0UDAhe6mKNULqBvBqLpvNA590PusmtqhI=,iv:AvbeDZlkQ+/N0QlOTjcDSQzUjQ0BQRsFN8DnzQZJ0So=,tag:1b2Km5nt1p4DMxUcjeIr7A==,type:str]
+    htpasswd: ENC[AES256_GCM,data:jPz5LNyFtaYLe3pGg0heC7en2nM3sOJ8XYtChhCzpuJsuZBuGrbVKo4nT/tu5UhuQy6PA+nMAtTQ6a9EETOajTb6yDxm7NeXHIll2Gv9EnepAFKNAMbuwGMLJs3fiP3vUF5ioWJBCstKq+uzFnb7BtkMivQIVv1a7iDA/Y1VpcN5/b69fO9bxpRc9UenvYC1QYXZ2T7p5gU6BUraEBAZAFdTSC5JY3l8dFsFzMYZbfT3I7d1a0oAjsgnW4CNsuDRYEvqbb9EITxQpDTwoMOZEGRynWa0vGX4QXP0RO0rI4HtQaZd/EaxkdTTzUuJgbixPFe5qPn/prWwH+E5B5Obn9blsmlM5QHNWw1ne+Pmp9oAU6l+7+SLfWP7XJcbrZbkwAoO4tUi9jwRkRXw2aTYyya0WwFPFaoBLsxfXQ/igJqzdfX7PcwCdCLoDh+nG75ePpCuaXn1fGrUzayGooQ6FtuwFiaZ2Z4nNtWS0N3ptrzi/382hLBfKTelIp9wpOrJPuh6DK+4Zp9XhjZGch8slvZnwXIihF6/vXZhKun/4o1vHYDrUCB6spVC/scJkO2vkgp8lQYVW2WOUBUq0OZDZ9ettfXEtri0iJleaZ44k57LIJTWwB07YMRoqZmaB7FBOw3cCQJ43PgTdsBaKzz+Pl4tLfikW9jbVk31u3qO+shi0NeIcL2hpJ/sEj3gQtXDYgv44JYNISjBuSQ/Ko1TjCerRrzRZr9D5jpseggB6FbsaQqrM+bMWjSwUxakq6FD0Yf4yG+WNrqm/cs4/AloZsFSOMTfXjYuK8KXR68ybVRh4AIYcH3/pm2gw2sMMXwHuap9IJhppft9zjehGgwdOwdX59yY3J/4NXfyc7tifQYqAkygWdOb5XeeWqdifmL90JSJV6xggiP45KgUJ5FIJdbfdgBTtKFthu6tM42P6ghu5apdA/CFGvSB1C4M4jWv6WYFPE48UeM61CHJf2qGM6gRv3Y5NYIfshUQ1EbbEjvUiSJHN1VBltAAXLT5oSOFgcyNi4jnUs81Jo2OOkKbcJJdmSJTIlm3SQspBPqjHevc5dIirO9kXOk49ZL55k/+3NFOpcdVgckv9hpJ40EOzVx9IxxdJVn977D0liclmtDPI1kIznNe+PpjRZWpNOqqr3jKSk4GGac2fhO7x2AFyza+/Ru7/Wjf9ACdnBf/,iv:eHSNpur/NEtslT68boyKBzOTiipY6mzuL7yOaenOUr0=,tag:gucpMWQ6nektYqq9YMF8OA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -32,8 +32,8 @@ sops:
            bWl4MTZUak1Bb0JWRXhRQkR4ZUFnNHMKvKQnoxb3IC7jW0P/zewbR68yJI8Uzz7U
            iPaL8MoOlmXPu5dHBSTwn39CpFR6bPxIDMHUn+y9gtCUrbIIJQAaQQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-21T22:45:59Z"
-    mac: ENC[AES256_GCM,data:z0tocX88YIcvmITRXmcMA6QuGY8pBHcsvZMgXOr6ESt0EdjHc2PlnE75dL9wZBkM85JkxxhU5hmJZYm5ofecx07q68v3hNgVl/0vjtrqLjh1kiEfhQyYt9hIZRfCzGfhUrzyChsEMA4HCrAuHHVzuws5P9vjDHYrk94xU8drVRY=,iv:22N+fo/fR/vkrMbc+SzHwwUnCRi6D7XEAf9e57F4g6Y=,tag:ycPxZZExtTYu0n0IC1XOVQ==,type:str]
+    lastmodified: "2023-06-05T18:59:40Z"
+    mac: ENC[AES256_GCM,data:SqKqTPndq3ZA8G+imEuOMp0YjMDjkyndRBhxQi6wgJRVswVzjVd+u4XW9voGryiHDaalBCoCLbOYdXfxpFC6H1Cc1hYHnu9jHA80Mk9sgiJ354P8GSF1pmufiPudXiGxhnZt2oWSSeXy/cvIr6FMePdqQCVaBHWBdoxq/mQq8og=,iv:IUbi910TuLamO+qzfd+n+m2cnP7bozwhyI0tjH6+nIA=,tag:lMoXpILp9DV5iGkb61yCnA==,type:str]
    pgp:
        - created_at: "2022-12-27T23:54:07Z"
          enc: |
--- a/hosts/server9/default.nix
+++ b/hosts/server9/default.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:

 {
  imports = [
@ -14,7 +14,6 @@
  boot = {
    loader.grub = {
      enable = true;
-      version = 2;
      device = "/dev/sdc";
    };
    kernelParams = [
@ -22,8 +21,10 @@
      # No server/router runs any untrusted user code
      "mitigations=off"
    ];
-    tmpOnTmpfs = true;
-    tmpOnTmpfsSize = "80%";
+    tmp = {
+      useTmpfs = true;
+      tmpfsSize = "80%";
+    };
  };

  networking = {
@ -34,10 +35,20 @@
  # required by libvirtd
  security.polkit.enable = true;

-  # reserve resources for libvirt VMs
-  services.nomad.settings.client.reserved = {
-    cpu = 2300;
-    memory = 16 * 1024;
+  services = {
+    ceph = {
+      mds.package = pkgs.ceph_17_2;
+      mgr.package = pkgs.ceph_17_2;
+      mon.package = pkgs.ceph_17_2;
+      osd.package = pkgs.ceph_17_2;
+      rgw.package = pkgs.ceph_17_2;
+    };
+
+    # reserve resources for libvirt VMs
+    nomad.settings.client.reserved = {
+      cpu = 2300;
+      memory = 16 * 1024;
+    };
  };

  simd.arch = "westmere";
@ -49,6 +60,7 @@
      path = "/etc/machine-id";
    };
    secrets."ceph/osd.3/keyfile" = {};
+    secrets."ceph/osd.7/keyfile" = {};
  };

  skyflake.nomad.client.meta."c3d2.cpuSpeed" = "3";
@ -58,7 +70,15 @@
    path = "/dev/zvol/tank/ceph-osd.3";
    keyfile = config.sops.secrets."ceph/osd.3/keyfile".path;
    deviceClass = "hdd";
+  } {
+    id = 7;
+    fsid = "a5450c3b-2e20-450b-a17a-d7938ee9d262";
+    path = "/dev/disk/by-id/wwn-0x600300570140a0c02c39f0863bd3c53e";
+    keyfile = config.sops.secrets."ceph/osd.7/keyfile".path;
+    deviceClass = "ssd";
  } ];
+  # TODO: remove
+  skyflake.storage.ceph.package = lib.mkForce pkgs.ceph_17_2;

  system.stateVersion = "21.11";

--- a/hosts/server9/secrets.yaml
+++ b/hosts/server9/secrets.yaml
@ -2,6 +2,8 @@ machine-id: ENC[AES256_GCM,data:YIOQJ21rswp+TE6sEKdNu0gP4iJ7K9ohrdXJRi5POoc=,iv:
 ceph:
    osd.3:
        keyfile: ENC[AES256_GCM,data:jz+zGf9sRCjxxHHa+5FVOjIS3S2xXvLr4CoOdnLDQIrQypT8p9rbcQ==,iv:QoCCR8EhcYZqGgT512ou8CyPXR8qGUvfmTqaoAXLLpc=,tag:LcFl3qc3W0BSlXMClfQvyQ==,type:str]
+    osd.7:
+        keyfile: ENC[AES256_GCM,data:yUDQ8bwnK7a++XFAVRJscbIxuBsLgef9ueGG6qujWNUyrmAZGvCMdg==,iv:MuLAqz5vcM92IuHEC/OeexSmXMdVYiwZgoxunlM0GHs=,tag:pR/JXDJSF1px7dzelpySeg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -26,8 +28,8 @@ sops:
            dU1TaURPUWFOVW11bVNtd2J4OFhDMVUK6YIU1s2aPhY3HL9EFrzcuRoFObiLjc/t
            HOFh/iFJd6fFPia7HYLYyJ1bv6Blcz9K6I5i9Ptb1AM8RUrBWC7BGw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-07T00:23:15Z"
-    mac: ENC[AES256_GCM,data:SaOmnwmKjGmHZbcSBaDM2QK0+s68+2PmRe1mkLBNjAANTRIK9djxxXpBf2cpk7FAof+BNRJUa3Mcmy3r1b+LPBrzxK0aGLwRunN+Vc8xGMYQhJObVHbcwQkJg490dHW+jZ6vROxunwghq0/sAeKUbRgCf64TpbBgFt2DRMz1mIM=,iv:kKCEWzQvgXPr7YVtjCwp4ld2mTFD29kQov2gotH400c=,tag:cByRU1D529KZCFuc3pXOHQ==,type:str]
+    lastmodified: "2023-07-06T21:59:36Z"
+    mac: ENC[AES256_GCM,data:B1Z4Raxaax1O6Es/TsD7gn+uZ5HyvVxngxTOBpRFEn3OtJFHZSNMap/4J9XxlXZg4DzYe7peLb8PJ8cMoADmQ3rucuC6PGa1zgokfU3HCpFm+I9wookeW/pPUCRaupz2DU+Av3qy0zI2QP6yOfgJy57vHq+nsLvCXWRF/sRos+I=,iv:mhaiqSsDBp4EQSRndMfJO419zDtl9WrEZwUm3gzDVv8=,tag:TGF7Ps1vUeHL3j0/Rh5Gzg==,type:str]
    pgp:
        - created_at: "2022-12-27T22:59:15Z"
          enc: |
--- a/hosts/spaceapi/default.nix
+++ b/hosts/spaceapi/default.nix
@ -4,14 +4,13 @@ _:
  c3d2.deployment.server = "server10";

  networking = {
-    firewall.enable = false;
+    firewall.allowedTCPPorts = [
+      3000 # spaceapi
+    ];
    hostName = "spaceapi";
  };

  services.spaceapi.enable = true;

-  # HACK for ‘ekg-json-0.1.0.6’ nixos-22.05
-  # nixpkgs.config.allowBroken = true;
-
  system.stateVersion = "19.03";
 }
--- a/hosts/stream/default.nix
+++ b/hosts/stream/default.nix
@ -1,7 +1,4 @@
 { zentralwerk, config, hostRegistry, lib, pkgs, ... }:
-let
-  authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
-in
 {
  networking.hostName = "stream";
  c3d2.hq.statistics.enable = true;
@ -48,6 +45,11 @@ in
  };
  services.jackett.enable = true;

+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets."nginx/httpAuth".owner = config.systemd.services.nginx.serviceConfig.User;
+  };
+
  services.nginx = {
    enable = true;
    virtualHosts."stream.hq.c3d2.de" = {
@ -59,7 +61,7 @@ in
        proxyWebsockets = true;
        extraConfig = ''
          auth_basic "Stream";
-          auth_basic_user_file ${authFile};
+          auth_basic_user_file ${config.sops.secrets."nginx/httpAuth".path};
        '';
      };
    };
@ -70,7 +72,7 @@ in
        proxyPass = "http://127.0.0.1:9117";
        extraConfig = ''
          auth_basic "Torrents";
-          auth_basic_user_file ${authFile};
+          auth_basic_user_file ${config.sops.secrets."nginx/httpAuth".path};
        '';
      };
    };
--- a/hosts/stream/secrets.yaml
+++ b/hosts/stream/secrets.yaml
@ -0,0 +1,201 @@
+nginx:
+    httpAuth: ENC[AES256_GCM,data:Om2ow5xTUahuAfZWgWtHgBU=,iv:yVLc94lT4Anlbw5Qd/xJ/2kEQcZxiikGMF1173gIMR4=,tag:StKZYTytyZYxBwxadklMKQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1j5csp5v5s2g8am47dd85kcke8986e0qc88f0vfgd3kmvwu8azg3smslk92
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WXJ5MWJSTVpDWmdYMTdY
+            aXA5RXN0UEdJYmdzUEFtdUlFNWtKcnhkRDNRCnRrOTJHOS9vNE83QWk4SEd5Qktx
+            SDZJY1JnU1FBOHZERDhCY3JmK1h1dlUKLS0tIE9tSDlNQllSNFFUV3kxL1ZLMy81
+            NnBmVVVjRzZCNmhtOC83bnJaTDhRcFUKwDE+ok9bsHy378KffumjqX7bx+o8iX2R
+            pG/33VRkUAB8pD0wvBZtz5v8Qcz95GR1w4XcJMS/fox6mnLyNBC8aQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxc05ieHVlYmxudlF0Y3Bn
+            Ri9UZVI3TEVkMm9MMENZU3F3WmkyTG5aOEhBCmJrdFBIbW4yc0xBcXBCaFdZckJt
+            QW1lTjJCVkE3WnlkdkRHVVMrMzVTY00KLS0tIDkzY25uR0tVaXFpbnBzcTJFaVVF
+            UWtqU0hBYzVFbkVlMzJMYXJBZFQvcTQKrsbWfrNUCfl3ycHdDKBg6sQrNZ56bKrV
+            u7BgTUjlryB35jwdrI+as3QzxqTdyjdXTfBMeEQQEkfqsNVu+j7vmQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-06-07T23:27:53Z"
+    mac: ENC[AES256_GCM,data:+C6FOuncSKwj13MjV4I8Zk/wZ6vRPfHMLkOJnfoCjzKRY9/xmuXuDmeHzxp1de7qJKI/lKMQ799assfcX8wJNiFjHM+XV3TYeH6FBYABjR7xAgr14dfTgryp59bVp59vDYhGaFsIYYKwtqqxsPeIkxxioqE6WI0iEUGQVBWgij8=,iv:Z5LZe/biKdYpBr8qIo/fx0OQHI5kh0Zkpggpl5qC35c=,tag:/crmeTUW/8ie/Ed23cC+eQ==,type:str]
+    pgp:
+        - created_at: "2023-06-07T23:27:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA6j84+xkv3y7ARAAk6nuflGhk3S8qdgS3pxdExTZ+bxMeWwuvOVnI6tZdRoB
+            ow1ULUvfKCBp0zJoC3vKhtrAQc51sh2Dqsst3Bo+HGTqLEWHQUjQ+QXOwXadcpo+
+            YyoBpcl5lXD1eEchHRFdpOu6ZGzf7ETpePH+bQQYBtw7YWPKmY0DpHv1+3vYLtXT
+            xczBg9k+uQMc6tvaoLdT6PTiAov9IvT3mvVbnmKoa96nTF/tZqcW4hDrrDOy9iQ2
+            zibhMK4lyoybMd4Wl8IL0wkaRxhgeCCVv0ygQ4JtdvNx4C5ifJR2dO5p2VtACAe9
+            8XAOdItx8Wh4h/OeO78BO5Sf68lG7NHU9utvrIrv3n2+iPlejhqL7VZ6kI7TtdeR
+            tjS14dUhhau2KEPPKgx3i434hSVyptAV2n1wMe5WSUiZlBKLPVI6yC1GV6X24+eQ
+            3bq+A7h+sIZxFlylaN2CamVwu7X10jQdNrpjSMoXJ2hccYQutdNATDolISHISfq0
+            2i1al/npdQXhntWFleCqgfLnkp+J60kgwTsgUkFGwQKkSPoYGfZn1W1ttAi4vQ7N
+            ADhn5HuEbxB/54ud87iy6EqFm4qDF8Cq7hH2jGJEJGl79J+XANS+L0t6H1SWaDZQ
+            nrOIMsnMjnvGhQCkGUhFgmibRvNLJPq660IrbyblLNDsv8RpVtUKjVBFJ/LQv3fS
+            UQGv3xKTRzWK716mkxdbXAF0ZEgp8PM5RgsTk1ZzqoVPySRqVOu1JxE9C8YtPISv
+            4xfj58IFn/KX/l8+ePIo/HdUurUsGecfRP4w+Oqe0bp6iQ==
+            =us88
+            -----END PGP MESSAGE-----
+          fp: A5EE826D645DBE35F9B0993358512AE87A69900F
+        - created_at: "2023-06-07T23:27:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA8zMZ+ak7y/zAQ/8CF0XQrlmThc/OU0wZ78k9/Q5M/pBRDf5JAaHu+sqtlSh
+            2y9/bofbuz43sZqKsekCHT/kS0lMHPtbb1DM6l3Rs3VRjz2sggcLEorNN+vg6+2R
+            q3Aq07U6IkwP3mvTb5KO5U/+oTYi5B5yoTVtOWSx+RxctqHnWbxYj9IAV+73Ydj6
+            i7hRfd5lv00rTX/xLDCLsyq1MO451O9ccrVOVRE/heTf7AxQYMG+oYUfEpSII5RI
+            udl3bUUO7GYg3B5fZxMQSmtqAFZxVzmDDfxRZlIHQVbF4pke9rvIQYk9APLaCiZL
+            1/BLzZC8fS8Tn9sowvw0hRjftYI/Wi243xwgdIsHWYxlZ/YlefopW5uLbk2Hl+bP
+            kLw5/U5Q9tAKciiNxtFd5K8wyyEH0HUcoio5OzckbCuHAs/I8VZ1Rpoo5Lckxju9
+            GwZOhIbAXqOQQfRzcrhkZiBMhvZQl3DybUMZvJBJUY1RzRZcSMpWXIptuDd1wHmo
+            zxtqLPSHUVDvWUEWLD0YN8h+NIgFmOOKkH3as/rk6orzcuV+jSL+6x9sWjqM0XD+
+            QDd9jZ39Jh9PUAixL/bOHFoJz4NQdLlMGlluIekp+iMgaxkdOjyyjQbW21YDiB4C
+            Ne+vZApHhhnPSib7jyXBB6oSuNpidsVo5geAwFxZXbbU/pco+kv9k7L1E6ECvgrS
+            UQHeUZO5GVhCgNTeAn6RFUIwKUhBRVTRF4EBZ1FzSKJ9QRh/IV6cU7x//VSiNNcp
+            4x5IoueqsSDrGGIL7UuC6LH6CAbrX7u5aaJ5MNrRi0bGqQ==
+            =Q64C
+            -----END PGP MESSAGE-----
+          fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
+        - created_at: "2023-06-07T23:27:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA45bZkLXmBFpAQf/WKeXAV7Frbt3+WW9U9kAXpEK7jvgLEbjyVLNAza4dEYd
+            y4x4iUiDxZw6l6pJFELHM9ngSgqsdLU/MCFzZymgmgLSYww7mfZXTv39GnhmLsjY
+            L7srNOqFsyhWPfC/epWXNsdmJdyM4S7j6YXr0oL9t83Mqpu9WoHPT8hFUfLhlnGk
+            EvzuATPbg3b77qrBJVI9hK3qRXPKNUhVsAB/CqiycaC3eIBMe9GtAyafFXc1oTAC
+            /flMdYFP+whHfTcMi9d7ZbqmPChuujUI2QdKg6dML9TT6gqUvY6lEWJI12KfliD3
+            +8yyme+kCDev4QJCOfzIyyT4WELTw5ELe51z2LL1+NJRAX95uUAEuGYRjFveoYKw
+            7XCazAU3T510WuuJKsR9kgT2k47IHO5V904zawh11etOijgoPs8jIUlm12pkwX4Z
+            RRGhz0ttPyqu2HsyY3CmV1F2
+            =Kfi1
+            -----END PGP MESSAGE-----
+          fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
+        - created_at: "2023-06-07T23:27:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMAwMCBBrc/JA6AQ//fEfEcVozIxrNDB6qaj/F2SC9qHvaptcZbSgr/7xUOFvE
+            ByRwIMITycaxVhPt9Ph8VyyhZzHfDueKFb0uVmPGlx0aP8X/hpiA+ZMtDfGfR+pY
+            w68vCyLue7x/A6Wb5NSP/STvcgPDyT8cZRITNRLQEtwqAUHO3lSC+f7FEH47ehZX
+            SWpSx3sCRFNJBFiA3GsPZTRXZmHrRIuFnCDm5I8p4qW1SfC+HV8BfQY8Qgo3ysuO
+            m0asnFJPB2o7chZ7bxTVgOd4Vd9lJd6H8LQqNwSJBXQKNffqs7toU/RdVJJw4EEY
+            0lzrfCDa0yPM4aIm3LSYBdn8JQe2SaS3WtdBphZvKc13r4ZlJ7RVJz+RiNGl4P2P
+            OA1xgvqzd9OlqKD6Ulq3X8VgKSsskHyxfqbmH2SgLLebTg4Z1J6onkh+SdRCkgRk
+            OJRacZiJdGPbJhQeR7soqop/DDasUXchCcd86dL94kCLLjkMGtjPt50EHJ2LqaMe
+            jgfh6IjmMmXEWPkjKqQaBZ8G8acfpArRZZzNznunyUsQZ7MSzScYn4CmR5rIgsRw
+            /KRRInpY9cDSUJbqk73r5cjGIhXhjnKTCflN8/IE2QJILBK+uaAd6p01ks1kw1A2
+            thSvRzcmiSEH/RvETeOIXY4z5PfxxGaQi/+o4RRY3NydTnvqYsMhi6gQqLBKiyXS
+            UQH+UjVTas+BdcpJ+Lqn548/BgCRf72YFMEQgsyTfXsaCYF1iW0AmUyPjlsSXvzc
+            CT5iSAqT6CIxIKW3BU10mEBSFOMrVhwxhtsLzJLZLWpWAg==
+            =euNq
+            -----END PGP MESSAGE-----
+          fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
+        - created_at: "2023-06-07T23:27:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA9XEenRNYVGHAQ//bSh0jHk5UiwadJNFpZTuEOMCgeMZQTmcGi93YZbQCOtV
+            WcJF/qNjo4lZHeNqAAOxolU6tA2c4Kv1UO/XVNpOu3O+DNizEXG8gq9jBOPNxl2O
+            1OTxLwg3BIdQjS7OvlP1q/3ZSD+8NinrWiHxICdgTVmC/JWmo4coTrqAyPgKgaJV
+            yqzwhoQUfS6dMtHMdCSqFOjP64ZGcTKqJ2UbtBP/vFpGiSciyg1OYe6Wbyjjx2Kt
+            WVB3MHhZSL5IKVwU/nYIP2ZZ1uugPRBLNKtmZjZWvl5heImAKhVf5WbVXwAExYLl
+            m0Xeb8sYqHXNTOUvYK8CuyYwnBLz1BEBSeEMlLxzSZ+KAh7jkM9DTy8BN0aOempC
+            Qtxt5X5bwITV2UBuCvFAog2+kguO8lX2l3nH3KqLsWGAD9adrJhGJVstI2N50bcV
+            WLyAMNx6Wyb7p+JPS5qyJKfdvJWJJQp1DQmBaW49d6h/wVw2PinHgt4pi0ujum/0
+            NCC3N1n7vTFP2SXHRGCgiZ0c7DQP3SHkKUh7QfOiB79lyuA7iapBhlXcuqhcUcVj
+            gSXQTkCwD7WH/jzietSZD581hEe0NbUFlcnX6KjXg++HXXOV6ECZM4COQSbyqs/3
+            LrBWku207kUypcXYoQR8cJFM83094cb84dJM1UuJ71fnrdeQWtvialmDcWCB82fS
+            UQFOvgXY0jQTnc0GLSm9bvcoTu8AsJ5rGY/G/l5INtPa5+J6tlPWCcRArb3Ppt5V
+            DcEKnT6QdA/4p5PooRmGQB7Wwrs9pQEnjmafEf7oJJy7HQ==
+            =NMVb
+            -----END PGP MESSAGE-----
+          fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
+        - created_at: "2023-06-07T23:27:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA/Z87ylQaotQAQgAhIjff77caU9YPiV89NaEtqYbRSLwNLTopbI6Mkzfisss
+            0KoFI9Iu1GKov7lmGyjyfoQzUQG8qn5pueCPDVyeFLWPtbtfZopIIsBoqTbQDxSt
+            PfDqB42zCdf1XQWeKvNO74cGIkhYPDyvWE2z/JBloeVOhLL039t0RNgxRU1AFksP
+            Xn10cfrxwsROPAzw4jMd3EOwxmKRuR1/SBav1B3HBfiYeyBAS7OLhL6Ah1XGWNC6
+            l7HsdRmnrzeFRbENXRXlrKFAyTtxGgghNfANhYf2+ErbfGHUNvpvw1Xr06gExQRb
+            UnyE9c70XKAgWseS6ilHpn25ojwp5Ta3m3KNUb2fxtJRAVGk8qcGkBDKdIbeYqZV
+            pfbJyDNo5BAXAGzeEcPAxAHFBW6jrFpNDefkaMIZsm3gBsYL70i7HOPOm6Z2bbL4
+            hjHEcr+rzDANAc1cuIgtHzWm
+            =Ooxv
+            -----END PGP MESSAGE-----
+          fp: 9EA68B7F21204979645182E4287B083353C3241C
+        - created_at: "2023-06-07T23:27:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA9qJIVK2WMV7AQ/9HujZNSHp8HSGVqLvg3niuR+x9cYsvkSE0jEq/f2PM1VA
+            z+qzcXV2ysBk9WZ8ubwLP5MNw6cGukdOT7wepXztMU2UWmBCDdZ7yjQgH3JhIcGq
+            jKcqxzMRs91WqkvJNWrdwKnyGeOSd/ZYrXX0poqhZy9wjIjlKxdYfFwXYORwXzCA
+            9m6dAqycqkehmNBJOs93QC2JAtrLP4WOVy0Llys+uoS8pWaqG4pDPpxM7WFFe70p
+            /eXL9pRev9X74WCUdvWSUUDTy2orOgetsHWjzeP6swCEhllhtDnuQAdyH3y9O+PE
+            Lx+I1n0Etlo4yBeBMp+kyxnlEy6e12PvknDy4+eFi4vBTkHMQIw0z7J+iZ/B1ACg
+            XGeZTIAFHd0qJHABAVbb5vbTv9a3wdMxbfiIpzDgxAooka4zaXH4phMvAowx/L2Q
+            k0eOrPCUHO7xYAkqj0/6SckWB82QCoGyyw6gOUdJgK1aqI6NBqok1u+Hg489R3Q2
+            /m0Q5v2fD8Wejr8KjUc7eJwoR0NLlNlxKBmacAN1SZdu9wHVw4sAIlNALz/hZqvV
+            BXK4TxmVJcSXjvTj5hOSKtcsHa4qDgTZuuUlHdsJ9Q8RyRaQZR2izoCecQHM5MtH
+            9Lu81AYnYhR30e4GxxxhVsz6VAsojwTajBoNa3dB0y/Tgye7G3y8JZF7SSpXm7TS
+            UQF+YNwXAZtHktefn4ugfoFD6d39uaSyWKDnHuhmc+39mD/I3ekIVQ0fnLcg2Qfp
+            u72FaELVQU6yib216Yade7/DW1uuD3ppDa0as8EBQQYsGw==
+            =W4Dg
+            -----END PGP MESSAGE-----
+          fp: 53B26AEDC08246715E15504B236B6291555E8401
+        - created_at: "2023-06-07T23:27:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA/YLzOYaRIJJAQ//YaO5qqVj9SypZx8bkilfggoZYNosv8wN8B0V5jNrAA9T
+            TVu021ELVXAGGnZ/nqnf1TEuYebFye4Jc6NRh1r0GS1kjtBmqlSmuZ2IlrFdwz/K
+            Cryi6JYel7Sh6ZBX8fqRJoac6KE1vTthr1GvxoJF89VWUxKJwNsqN90yTq3f0aLP
+            3eu8YjF72fPoSzPifB6ze89BjxxOBpDhWBqGc/WbsCHFRK3rWsadWI0MIaJ1Lume
+            f0or8HQfDSjxh6DTb6DHpV/QLxPfmgWQO1CuopB2MJVz5C9WBWkFNWPO1o5KM/uR
+            hUxaj9Ak5N+ACtWUL8S8rT/T9XGY7NQMMS/WXCiAstyaXwhv0Lt8OefRaF5/RpG5
+            2w+ZDGPFM1RTaHcwNY1slXy1MJAB58qM2UlID8jIOCpyctRlu8uuOY2niHI81L3K
+            C5tYxVPRmvoFnYG5eiF6+YqUpPxZiTc4B8Rx8/gmRIzuaMjvZIQ9LWICpnB7tkxJ
+            coumUVq2R8t0oY0b0hGpT9DEjEAvOlLlYS11YjN6cBF6X9BYdOH68NId/EebghH9
+            dBrbRQ1nBOGRtK08vx689H+k7RM3D5h7DPSvYzku+1GPzaABCKxzGOGdBqtBF2Qh
+            YIHK9NE9qL6YDQiQguWmVcyVEAua4cSd5JWcVbIk5i7jj93N65Xu6AvmG3TsMuXS
+            UQE+ayMj/+frB4IkUp8FjD9A0fEzT3FcaDACTMJJup4zDOzsdgVK6fDxkRTpK71Y
+            HmIDiMpGWBNUa5M93vWzk2iWmj5u3PKgHSTmWN7oynujMw==
+            =f0sW
+            -----END PGP MESSAGE-----
+          fp: 91EBE87016391323642A6803B966009D57E69CC6
+        - created_at: "2023-06-07T23:27:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7zUOKwzpAE7AQ/+JVSJGoklxiQ8Mjc61znOy4mx7Ufr8Z8MDWZaEGZU2RF5
+            GQC2JNLfnCckW7Yhpzi7r+BgxUcUOjZK8SSEgxCwNdmtQii4AkoMC54ObLB2Zubf
+            guMuByUR0zHEy9/fW7yaZ7rvIyUh87n/YwYYgJwBk5+o/S9xhN9GDdLmOLZXlp4P
+            5ryLe3dHfVqQLtc3mQJN2WbbmZJRRYrC+/MAsZ82KQL/8jbxINaw9lM+g9g8KJsg
+            UbldUd1PULPLttVwip9E8c9SMmW4xMYvSim6kV2mGDpyYybhna+4Y5xsF9gzKYQP
+            Haf1evA/50m/vtZJVa/fwDM0vStDplBioxX9wpLPx6tHOUjpJ52UYlYlVFdoxTTK
+            A6mTVe98JFZ9Xb2tkTiljzGITlZVhq+2rHarpX9DqXrl+y1UjLYyg6/RsYDDT6Xc
+            Vf64TUVF66r33+HvYtojD9kG/EejfcbvXwGv5Shfyca0BeUjtnx7wsE0rWVZ5g8i
+            f+uKQEffAycS2zQIDhz8EPdARMF4DbaKtAejV/Q65WUGKwNIpdYHClRN6HyH89hy
+            0+pRu2ANSOznnzyWJsjer1anThE0trUU5L4T9recgCC6xWlQoumMVeLcbO0KIOAB
+            H9ILe1LozGPqN+YZAD9l+OhIv6X5rckfH3oOGcMe0P7XreI+Z/ihQ0JH++or973S
+            UQE98jCRWp6pfgV6kHgIbqDOf3gXslEeMYG0De56w2eI2wDxGtQVNxBVPEa7U5CJ
+            xU/9WgISfvK9LlW+311hW3flDYGqADJsfl/CNJcaDDaNlA==
+            =h1xD
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/hosts/ticker/default.nix
+++ b/hosts/ticker/default.nix
@ -53,10 +53,10 @@
          url = "https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics";
          color = "#A700A7";
        };
-        # palaissommer = {
-        #   url = "https://palaissommer.de/programm/?event=all";
-        #   color = "#7F003F";
-        # };
+        palaissommer = {
+          url = "https://palaissommer.de/programm/?event=all";
+          color = "#7F003F";
+        };
        kreta = {
          url = "https://www.kreta-dresden.org/kreta.ics";
          color = "#BF3F7F";
--- a/hosts/tmppleroma/default.nix
+++ b/hosts/tmppleroma/default.nix
@ -1,108 +0,0 @@
-{ pkgs, ... }:
-{
-  deployment.mem = 2048;
-
-  networking = {
-    hostName = "tmppleroma";
-    firewall.allowedTCPPorts = [
-      80 443
-    ];
-  };
-
-  environment.systemPackages = with pkgs; [ pleroma-otp ];
-
-  services.postgresql = {
-    enable = true;
-    package = pkgs.postgresql_15;
-  };
-
-  services.pleroma = {
-    enable = true;
-    secretConfigFile = "/var/lib/pleroma/secrets.exs";
-    configs = [
-      ''
-        import Config
-
-        config :pleroma, Pleroma.Web.Endpoint,
-           url: [host: "tmppleroma.hq.c3d2.de", scheme: "https", port: 443],
-           http: [ip: {127, 0, 0, 1}, port: 4000],
-           secret_key_base: "lcOBbHZPbGMkpfifPgn5UwUNy0twrSnZplGYceWQ6JZtG7vaUu0QpKy/vGkBVi2o",
-           signing_salt: "Li+Voq8h"
-
-        config :pleroma, :instance,
-          name: "Temporary Pleroma Instance",
-          email: "astro@c3d2.de",
-          notify_email: "astro@c3d2.de",
-          limit: 5000,
-          registrations_open: true
-
-        config :pleroma, :media_proxy,
-          enabled: false,
-          redirect_on_failure: true
-          #base_url: "https://cache.pleroma.social"
-
-        config :pleroma, Pleroma.Repo,
-          adapter: Ecto.Adapters.Postgres,
-          username: "pleroma",
-          password: "ZSfzzg93MGLmEBrkKY3H//k2nhWTJZq4IBi/mDaIU9HcGE2gXdLLfSnak+Y5mpyj",
-          database: "pleroma",
-          hostname: "localhost"
-
-        # Configure web push notifications
-        config :web_push_encryption, :vapid_details,
-          subject: "mailto:astro@c3d2.de",
-          public_key: "BIRoExJLLKr8qu5CjOcbEvv55DsxvcQrVhCmWKtKoYVi6uZRp6dL7V4_9zdyouolg60wKERt1wFaLr8v3BuZckE",
-          private_key: "hch8xAe2KkkpvXKTC6ybwxGJqhfFUPMFNU1ags5dgWU"
-
-        config :pleroma, :database, rum_enabled: false
-        config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
-        config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
-
-        # Enable Strict-Transport-Security once SSL is working:
-        # config :pleroma, :http_security,
-        #   sts: true
-
-        # Configure S3 support if desired.
-        # The public S3 endpoint (base_url) is different depending on region and provider,
-        # consult your S3 provider's documentation for details on what to use.
-        #
-        # config :pleroma, Pleroma.Upload,
-        #  uploader: Pleroma.Uploaders.S3,
-        #  base_url: "https://s3.amazonaws.com"
-        #
-        # config :pleroma, Pleroma.Uploaders.S3,
-        #   bucket: "some-bucket",
-        #   bucket_namespace: "my-namespace",
-        #   truncated_namespace: nil,
-        #   streaming_enabled: true
-        #
-        # Configure S3 credentials:
-        # config :ex_aws, :s3,
-        #   access_key_id: "xxxxxxxxxxxxx",
-        #   secret_access_key: "yyyyyyyyyyyy",
-        #   region: "us-east-1",
-        #   scheme: "https://"
-        #
-        # For using third-party S3 clones like wasabi, also do:
-        # config :ex_aws, :s3,
-        #   host: "s3.wasabisys.com"
-
-        config :joken, default_signer: "u3DwPUxgU1n2v5DQT6lBt1p1hzq1E1YfIFUoADArzY2ZGRMt1trctw5tfAa9HmNn"
-
-        config :pleroma, configurable_from_database: true
-      ''
-    ];
-  };
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."tmppleroma.hq.c3d2.de" = {
-      default = true;
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:4000";
-      };
-    };
-  };
-}
--- a/lib/nginx.nix
+++ b/lib/nginx.nix
@ -26,4 +26,17 @@ _:
    ];
  in
  map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
+
+  hqNetworkOnly = ''
+    satisfy any;
+    allow 2a00:8180:2c00:200::/56;
+    allow 2a0f:5382:acab:1400::/56;
+    allow fd23:42:c3d2:500::/56;
+    allow 30c:c3d2:b946:76d0::/64;
+    allow ::1/128;
+    allow 172.22.99.0/24;
+    allow 172.20.72.0/21;
+    allow 127.0.0.0/8;
+    deny all;
+  '';
 }
--- a/modules/audio-server.nix
+++ b/modules/audio-server.nix
@ -1,5 +1,46 @@
-{ config, lib, pkgs, ... }:
+{ config, is2305, lib, pkgs, ... }:

+let
+  #    _____ _______ ____  _____
+  #   / ____|__   __/ __ \|  __ \
+  #  | (___    | | | |  | | |__) |
+  #   \___ \   | | | |  | |  ___/
+  #   ____) |  | | | |__| | |
+  #  |_____/   |_|  \____/|_|
+  #
+  # errors such as:
+  # mod.zeroconf-publish: error id:47 seq:349 res:-2 (No such file or directory): enum params id:16 (Spa:Enum:ParamId:ProcessLatency) failed
+  # are harmless and can be ignored. You most likely want to restart your local avahi-daemon: sudo systemctl restart avahi-daemon
+  pipewireCfg = contextExec: let
+    pactl = "${pkgs.pulseaudio}/bin/pactl";
+  in {
+    "context.exec" = contextExec ++ [
+      # should be loaded by "server.address" but that is either to late or razy on 23.05
+      {
+        "path" = pactl;
+        "args" = "load-module module-native-protocol-tcp";
+      } {
+        "path" = pactl;
+        "args" = "load-module module-zeroconf-publish";
+      }
+    ];
+    "pulse.properties" = {
+      "auth-ip-acl" = [
+        "127.0.0.0/8"
+        "::1/128"
+        "fd23:42:c3d2:500::/56"
+        "172.22.99.0/24"
+        "172.20.72.0/21"
+        "2a00:8180:2c00:200::/56"
+        "2a0f:5382:acab:1400::/56"
+      ];
+      "server.address" = [
+        "unix:native"
+        "tcp:4713"
+      ];
+    };
+  };
+in
 {
  options.c3d2.audioServer = {
    enable = lib.mkEnableOption "Enable PulseAudio and Bluetooth sinks";
@ -8,14 +49,19 @@
  config = lib.mkIf config.c3d2.audioServer.enable {
    boot.kernelPackages = lib.mkOverride 900 pkgs.linuxPackages-rt_latest;

-    environment.systemPackages = with pkgs; [
-      mpd
-      mpv
-      ncmpcpp
-      ncpamixer
-      pulseaudio # required for pactl
-      somafm-cli
-    ];
+    environment = {
+      etc = lib.optionalAttrs is2305 {
+        "pipewire/pipewire.conf.d/audio-server.conf".text = builtins.toJSON (pipewireCfg [ ]);
+      };
+      systemPackages = with pkgs; [
+        mpd
+        mpv
+        ncmpcpp
+        ncpamixer
+        pulseaudio # required for pactl
+        somafm-cli
+      ];
+    };

    hardware = {
      bluetooth.settings = {
@ -62,13 +108,24 @@

    nixpkgs.overlays = [
      (final: prev: {
+        ledfx = prev.ledfx.overrideAttrs ({ postPatch ? "", ... }: {
+          postPatch = postPatch + ''
+            substituteInPlace setup.py \
+              --replace '"pystray>=0.17",' ""
+          '';
+        });
+
        python3 = prev.python3.override {
-          packageOverrides = python-final: python-prev: {
+          packageOverrides = python-final: python-prev:
+          (lib.optionalAttrs config.environment.noXlibs {
+            # remove x11 dependencies from pkgs.ledfx
+            pystray = null;
+          } // {
            # avoid dependency on x11 libraries
            samplerate = python-prev.samplerate.overrideAttrs (_: {
              dontUseSetuptoolsCheck = true;
            });
-          };
+          });
        };
        python3Packages = final.python3.pkgs;
      })
@ -76,13 +133,22 @@

    security = {
      polkit.extraConfig = /* javascript */ ''
-        # https://www.reddit.com/r/voidlinux/comments/o74i76/comment/h2z9u11/?utm_source=reddit&utm_medium=web2x&context=3
+        // https://www.reddit.com/r/voidlinux/comments/o74i76/comment/h2z9u11/?utm_source=reddit&utm_medium=web2x&context=3
        polkit.addRule(function(action, subject) {
          if (action.id == "org.freedesktop.RealtimeKit1.acquire-high-priority"
            || action.id == "org.freedesktop.RealtimeKit1.acquire-real-time") {
            return polkit.Result.YES;
          }
        });
+
+        // broader alternative if the above ever breaks
+        // polkit.addRule(function(action, subject) {
+        //   if (subject.isInGroup("rtkit")) {
+        //     if (action.id.indexOf("org.freedesktop.RealtimeKit1.") == 0) {
+        //       return polkit.Result.YES;
+        //     }
+        //   }
+        // });
      '';
      rtkit.enable = true;
    };
@ -90,43 +156,13 @@
    services.pipewire = {
      enable = true;
      alsa.enable = true; # required for ledfx
-      config.pipewire-pulse =
-        let
-          default-pipewire-pulse = lib.importJSON (pkgs.path + "/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json");
-        in
-        #      _____ _______ ____  _____
-          #   / ____|__   __/ __ \|  __ \
-          #  | (___    | | | |  | | |__) |
-          #   \___ \   | | | |  | |  ___/
-          #   ____) |  | | | |__| | |
-          #  |_____/   |_|  \____/|_|
-          #
-          # errors such as:
-          # mod.zeroconf-publish: error id:47 seq:349 res:-2 (No such file or directory): enum params id:16 (Spa:Enum:ParamId:ProcessLatency) failed
-          # are harmless and can be ignored. You most likely want to restart your local avahi-daemon: sudo systemctl restart avahi-daemon
-        default-pipewire-pulse // {
-          "context.exec" = default-pipewire-pulse."context.exec" ++ [
-            {
-              "path" = "pactl";
-              "args" = "load-module module-zeroconf-publish";
-            }
-          ];
-          "pulse.properties" = {
-            "auth-ip-acl" = [
-              "127.0.0.0/8"
-              "::1/128"
-              "fd23:42:c3d2:500::/56"
-              "172.22.99.0/24"
-              "172.20.72.0/21"
-              "2a00:8180:2c00:200::/56"
-              "2a0f:5382:acab:1400::/56"
-            ];
-            "server.address" = [
-              "unix:native"
-              "tcp:4713"
-            ];
-          };
-        };
+      config = lib.mkIf (!is2305) {
+        pipewire-pulse =
+          let
+            default-pipewire-pulse = lib.importJSON (pkgs.path + "/nixos/modules/services/desktops/pipewire/daemon/pipewire-pulse.conf.json");
+          in
+          default-pipewire-pulse // (pipewireCfg default-pipewire-pulse."context.exec");
+      };
      pulse.enable = true;
    };

--- a/modules/backup.nix
+++ b/modules/backup.nix
@ -81,19 +81,16 @@ in

    sops.secrets = lib.mkIf cfg.enable {
      "restic/offsite/private" = {
-        mode = "400";
        owner = "root";
        path = "/root/.ssh/id_offsite-backup";
        sopsFile = ./backup.yaml;
      };
      "restic/offsite/public" = {
-        mode = "400";
        owner = "root";
        path = "/root/.ssh/id_offsite-backup.pub";
        sopsFile = ./backup.yaml;
      };
      "restic/offsite/ssh-config" = {
-        mode = "400";
        owner = "root";
        path = "/root/.ssh/config";
        sopsFile = ./backup.yaml;
--- a/modules/backup.yaml
+++ b/modules/backup.yaml
@ -9,278 +9,305 @@ sops:
    azure_kv: []
    hc_vault: []
    age:
+        - recipient: age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VCtTS0c0bmhiV25xekdk
+            cXBNRnh2cW1kV0QvTU5CWWZoQm5PMjRXN3dJCk5NSlBpZk1ETUlzNlBRS1lwcXlL
+            SVcyVlMzT3RScVhFU0FYZUpKWFFLYk0KLS0tIE1VeWdtUUdBMHgvQ0x0YkY3ZExy
+            eWNJQXNxdmwxSE9XZTJKbXNoa2ltKzgKSId95HNIOgMEYNN10zn27SmqPXnk8SDJ
+            gcgYh4e9g2UxMGHfn3MHbwJDjh2l8O5jPeyNI3K++FoVkvR2hcfgNw==
+            -----END AGE ENCRYPTED FILE-----
        - recipient: age1j2euh5qt4a7cvx0t93uj4n9t8y8tkv9h3nefszc6g2q7t7gvngxswhrve0
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZGxzdzZPbGRXcmViNUt4
-            S1Vqa3ZwdGp0WDBNWXJERW1ha2lSRUtuRVhZCkZwQ3dDVWlaVmJVd2dHdEV1M0U2
-            K3BESXdWajhDdys4b2lrSGN2U3ptdkkKLS0tIFN2V2x5TFUrdTJ1bmRTMEJMUEZI
-            K1Izek9WZU9CZ3pIVzF3YWtkOHlvWmMKoKrudQIj2OzvEUuJv0++qzAzPiwbC+mN
-            HbnbJ/YGOyjz/0IC0EIILg1+rb9RUyAzOOF6akRySiH6FNuzPnObVg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBd2svV1ovdFU2SUVHMTdo
+            SWg0U2Q4blVVNFBkbmxKY1Q0dlNqK2ZCcFJrCmV2YUpEOUFPeVlFVklHRmZuUng4
+            SSswc2JnLzNKbnBzWUU2NnRsNWFodU0KLS0tIEU0c0tpV2Q1SUJ2RjN3RVVmYUt1
+            bzBQUzNoWElMTi9sY0RMRnhvallnQlUK5xi2oEC0O+EWwfdQmZln4MlTZaiTNvwM
+            GjJwL6Cn6oafQ97PUwoqtUDacsHVQS2wTW+7LTNOhkSd8PULvUridA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1w6u8zjfya63q9rjfll98eegnfdsvyaspnwn802t2mxh47gt8p30q0kn898
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDSXozb3NqbDlXZmk1VVFw
+            S2Q1L2phU2F2dDlyelRmZjRYNW83T3FGaWdFCnZEWXVscVNESDRyYU1DYUh2T2g3
+            cEpVSGU5STNFSmxIb1JqN0I4QXNuOFkKLS0tIGlhK2ZiR3JMMGY1MU9iMlNmWEk3
+            eU5YZW51QzJGS2pSSW55VzdtRmRrS0kK31Et8rSwDP+ruzbyNUa1U/jjAS9Y0PtA
+            Yh6qB+j5JMHR7ByTb8qG+VcshH/oFGZwdVxQ8zRAArS9i1iHJuKNQQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12n5k6c4rxp4mjnexw9uw83yp34sallt44kldupfmxr2xkppj8a8sdsmv8h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVlnRllWMVArdFhSaXVB
-            b3pNajRhQTlWdXZmRFpYWHJzeVlWSDNIbkJnCitKVmwrblp5UmVLVkF4OC85TDZY
-            RW4raFMzRVpqNlh0MFlGdGE1cXEyWWcKLS0tIE5aQktKb0JvWDFNd3hNVnpveHAy
-            SjJJMmlFRVd4OU1vV2Q4eDVxTXVpL0UKm6UDRROD/GBqVWiaWCNNso5W2VE6TTfP
-            uGjs8dvQupeBdTSNXTSf7hr7g9o2tFukl5+WIz1+Za4p4jKsJadNAw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTzlITlU3L24zcC9BbHlt
+            OHVMaUUyZUhmUzdwbThYSytTR2VjRmNEM0FNCnhlTzNGMWkreGJHWDZFU0ovUFFr
+            blE4Zis4YTVxOThuajZDZHFZZEhZSU0KLS0tIFk5Mlk5MzFPdXZtNXNDODFCcTRJ
+            OWVZeE4waVIrTXplUHVSN2dkeTlzNlkK+5UYiogeJr10xKi8lFLawtqKJRbnV3U7
+            zEuTa+tc7yBbQZTZHNhPTyYpuR+coSLnI9X0yya4KgnbNW6JSHVteA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SklNV3grWjVBUDNZMGo1
-            Qm1makRqVUxnazhyNzVCVUlTVkg1bWx5MkFFCmxiQzRacWJvTWRCaDV6ZW5IbHln
-            N1h6U0hIQm9uTmNhdWtwb2VNK2ltMncKLS0tIG5Oc2lHMXJaeFB1cTVBTHpaTVd0
-            blNpR3pQNGlQVGpHcVplQTlCNE1NRjAKmckhn1HQAmj+FuMB4l2Qpb2Ovw7v3hWA
-            e+QZlM8FSpMcs0obwJALFwGh6zFbv1Kikhh1x7vSGkVe8XpA755ELQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZTdYaTBKa2tMRU0zaHdy
+            K0RYUG1MblBrVE5lMXlLSmh4L1ZROFNnRzNFClNQSjMwZ3BaLzV5WGdnOGYreCtS
+            VDF6VCtzZzFLNThveXlQNlQrbFVZR2sKLS0tIC9uc2RLNnozYm5PTjdRNHlQemZu
+            a1JSYnA3d25pc0dOUjk1ZGpnT1JoUTQKCHHljS2QlngSnKcnCQshu/A26csvbk9p
+            1bWzw1m1/WdWi9TwRY8SHt1189YOkgyE8q5aidx88/VgM0LL8UKjzg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeXJkbFBOK2dHNXlMREpw
-            Q0x4a21Ia1B2Y2d4dmR0TUROTW5RRjZkYVNrCnkraTBCNTR0QmdvRE5rUThMck55
-            Z0o1L2k3WlVSeHhVZm4rTjFSa2g3MjAKLS0tIEs0MXo2YnNNa2JkcXY2VHc3WFVi
-            TkpFMk5IOVNIVUFJM2M2MzZsV1RINHMKvJBZC+2fYgJ/uwVKQMW7cRLDJXTKgI+l
-            FP8YM1+CfejkNvqepIF52nK1YMVSy5K3wqYWYv73oLo531IevnRmhw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSGJteU8yUXg0WWdZM1dP
+            SUtyWVdQUWM1aDF4cFNkYXNjS1hXK0pFeUdzCmVDOHNBVzNiR3E3cytKMTRUY0JM
+            dVZxOWFIV2lvclRIWnN2MUR3eGNPOWsKLS0tIGlTa0M5bmlBQjBPWnphZkd6TnMz
+            OVNzbEg0a3ErdG1kK29hTVRUM0tpY3MKqHiGzV0j4Dk9xq9o2xkyqursuPkeuEHE
+            D+ifnRCOKuoGMYBeIiNgNetYGxcCcj+aMFD6GMbNEaynjTaQPTAzKQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SUpGdHRWQ3Jody9NVSsx
-            cDN5dUxHUGZJNXFaL0Q2aWowdHlRS0RZd2lzCmRhbjNYOVVpT2hEUGdma1ZNVUM0
-            dVhib3JYVnhmOEV0M0xZOGZnNC93aVUKLS0tIExJNWlsWERlQVB0NE9zOGJYK2h0
-            ZDRGR3RQc3cya0YvNHVMcEcxRUZPYzAKcqMyNl6lRaTJPX7U9QpBE+rNIB9KK5XK
-            W8G9JH6ggZ12leYeyt1Vv2JVDW28es/T+tKN646NVPo26OMadvBR4g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEN1BoMFdISHptSENZSnp3
+            OWVpb2FhTExVN1hDVHBjNjk1aVpxcFhKd0JNCk1zVjJmNFRoK1UrbFZOSkxiWGRx
+            MXVqZ1VRU04vYnpMQ3ZqYndYK0lkM2MKLS0tIFYyNUJ1YUtyUWx2dlFDRkFhOFU1
+            bkVkVUpJOWUwdnA5SHd3b0RHWWlzbXcKXqNG3XGkioIJqkGED0tgjaplQgBSFvNl
+            kg53DN36cchMKr++ajC1cIAY6dlkwyP7NEkIOk6pikUezgrQ6OTd2Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERlNVWU5UVVlTNlpCMUo1
-            Nnc0VlhDL2kydWRTQ1V4NVBWcHRXWmJUbDFZCkp4SmgvcTEvZzhXY3RFSkYxa2VN
-            eHhzWVBvWExGM3djSHgxUTBQYkQ2cTAKLS0tIGtJWUxlT09WZ21UVmJ2QnBwTjF5
-            Ri9WbXpSalNraEw3OHlYb1F5ZmNIaEEKh+FlWOJoKVoAj7dIqzsOIDku9NogKpiS
-            9dPKAZF4+CV1lIgl8WtqW9m6KefkzMzU+xXf61O0vydBDORSb0si4A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNWFTWG5mVWY4d0d0YzIz
+            dGRDS3AzbS9ocnJrcDRJMENWbG84UWhOWFZNCnJzSVdTMlBFdmJvaFhZM1ArR241
+            ZVY5NHBFTWVLd2FXb0RxQUhqWWU5UzgKLS0tIGNoVXdqVWc0NmpPd24yWmtnVnZ6
+            RU84R2lrVnE5bjFFME50UnpRdzY5Nk0K+yjkIxnh0HYU5raiydjZZqXOCzPqJ+h3
+            j1MQZMD2R6nYi/on1aLRmqBCtYf87eqWv//kE0zSHzpVsOqcTApjLw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZnloK0o0cG1abG04eVJo
-            dkVvM2doVFpoc2pWMTl0RmxEU3lPVWhWRTJBCk9qWm04cVFNWHMyL1BLK05Qa2hX
-            THByc0lDMHlDNWdqRnhFeWtSZTBmWU0KLS0tIHpTMi9hVEQwMG8wWFpvbHVPWmpT
-            aDZnOU1ubzZRU3habzhaVUNaNnl1VDAKGUIlFZL5/Mw6YbIXOYp4HQelNjMYXgbS
-            byDkDHdgMCgXAxTGgB/iP+0WFJJQRQ5O5UxvGM7mHWnViFk91IH/gQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQ0xFRWU0N1c2c0czV1hT
+            QmtiQS9YbzJjVVlsSzl3dDlsMXh1NzRXZWl3Ckd3YjczaGI0VFVlcWY0NENPTHZm
+            bnB4K1UvWE96VTZuMmkzemRmZFdudmcKLS0tIEg1dElDOW1CRGt1THRvZ3RQTWFV
+            WGZrRkREVlptekMrL0VTbFFQYjhDMU0KmmVUcueqcpVqeuHO1wg2bK3uKHAFB56v
+            2IA5SXgklVEbyFslXXbqkv3VZDjZjzidUB6ZLpzDdGvDdtdKRmo6pg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1s2ww76ll6nclz74gny27tk42xfsepl23z2k0849a8jv8xpnmpe3shgunxr
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLb1NyMTlobWU0TDZXZER6
-            VHgrUmpLeTl1WmVoYzRHc1JocWs3WXZUWENVCmMxRFVwZkZLZDdQb1FPRWM2TXpH
-            V3FXZXk1VXJ3V1dFRWRrUW1aY3JXV0EKLS0tIGw1Y3JyblpJbUNLWkZobUNqYitj
-            OHloTkpXdlRpWlJxOGxMNW5taUlqUDQK5wtfrKArGJYupIxgAGw+KkS7ELHxfpfI
-            CwuO5IIEXast85CF+33uzIEzPPPu6n3CuQAo/Vd20695OIh30+/eOQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUG5XMmlXNFg3SDcwQit1
+            ZW4wcU1JUjlUd09TV29aakgwQ2dsbE1Pa0VnCmNCTmx0dE44RklERXduRTZTRWQw
+            elNFSWhGZHZYTDVuQ1JqcTRGVjZaZ28KLS0tIFNqa2N1Qk9kOTR5dGREd2xpdmhm
+            LzlmTCt4R0J0QlZ1cHRrb3JTa0IzMVkKhAiGbtSIpnyJmHN8ukxOCBst0dUGhT8B
+            tWtxjUJ4CM4TvaVkdHaPiNqGEB08DHQ79ZBNKbHAfUZYQxaSK7phhg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1xjvep7hsnfefgxvuwall8nq0486qu8yknhzwhf0cskw5xlpm8qws9txc56
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWjljNDhuY2pDdDNsdzR6
-            S1U2amQwbURldFZINDg0RXJ5TGNTTlBtc2lVCkxPbFZjemFUMjhNamIzc3hhVFUr
-            NnZwTy9NOU5QOHp5akhhY00xcTViVUEKLS0tIFNpenRIdk50NDFUdDIvUzdHN2x5
-            VGx1WE43Q2hWRXpid044aFgzMk9zVXcK3offsI3vSqnFQer+MjCtdHnyCN5ygNAy
-            Jj+sXCht9LoiCUTN2BOa7MB8JxXNtnGaFjuYRzy95biyq9mukqd+cA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMkhSMDNiS3RNbHI4c3ZH
+            bzNGQTBEN3Zadnl2NlMvK0dGRUN6M1p5REFzCm1RanpLMjRMUnFiNVpGeXk0Mjhu
+            dWNGQldHeGdCQWtRUVZhYjdZRDYySmcKLS0tIHArWnY3K2xPN1pKQm0yMUs5NFoy
+            Yk5vbEdPN1VHYWVkYWJZU2ZWdjZnN0kK76Z0VEtiNfxxluRflxGVxovO9J3LUn5w
+            oFoctgpjME/Yj355feeU0qbgPo99OyXtIXkCxEPrNnGjZlNawgjpOQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age182ms3ygypflk7mtpemp4k4ks9rz4gwhvzc9jlk95u4py5q68ppxstzu2e3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTloxdnY4QlBaNmZ4anly
+            eTRPR2R2aWJwU1ZUWDdvNk5GM2lWYjRsaGo0Ck5tVFljbkxnYUZGalJIS21Fci9G
+            NzM1eTZSQ05SMkdHZ05mZXppcmNRT2sKLS0tIExZU2pGL2VzSU5qajRxSEFFQXVz
+            Z0R0dVdDZUVxeDNVOEFPVDkrS3Q3SXMK3Z5EiJSK/1/JLJg7glX3pBjPBL0OLi6p
+            qGHOZaiizrgZ+/yX9XA0ZRK2NkfOldy8zCWb4yBqQ2uyEFVKUVJGUw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvd1RlMUdVU0FBTTJ0RURl
-            TXVjbExZNWZvcElyZ2JzR0RTMGdhVG9mV3dRClZ5bVNTWCtRejNtbXhmK2lXcGsv
-            NzR4RzFsUkcrSlpFODNaazlaamU5L3cKLS0tIHB2S2YwWjJMbWF3QXQvcDJNNFdr
-            YUxRK3VxRXRWc1VVbTFDUFlITURZWFUKmVIlwGIZnV83gLehh/Bm/zGH5Usd3GCL
-            toa4Ru7Sni12kZli34qWZQ8lEgWDlvm0v3g2r36qN7sQnWp82/+C1g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRzNBNU9CWElzakk2cTAx
+            OWJzUHZmM3BLUkRieEQwOThOUDM2ZWdzdEg0Cmd1RU5IdUIycGNHRDJXdEl5dEI0
+            TDdBcGJpWjdQS0RmNUhvSlVFcXBOVlkKLS0tIFpoNFlRamF2ME1oUkEvQTVUejU5
+            Sk9yVHBPVFpMcHVmMUlXNXlNaHk0MHcKorriZmZWjlbYB8wmyQL0mOpHhK7IUuxJ
+            BagH0+vETZcFutnmGrkctCp5JxiMEr4TUkG8zdU2coaq1dU0l4Y2uw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12aukzah0pt2rck52hwn08kezyxueqz2f49ld7hpyuzmu847vavdqkunn5c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTTYwY1d6ZnNSWXMyQW9k
-            N210aUIwSjlESmlFVEhOVFFJMDdERHdialRzCllveVIweTBkZlZDSElFd0pqb2pu
-            cDlXaXlldGhtN3FtMm1IUy94WHpJZzQKLS0tIEdTWmpmMDc3T0kxRjdYdXA5SVA3
-            UjBTdVhaWDVtOGNUSGVJTDlzQXhVemsKgFP8fb6PKJGj+C4/zABlEy3hXSd37U6j
-            2zAezxZyFCch2vHeIHgyteV+4hRtOgAwMT3wpetEV4Q5O5YX4BqaRw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMEFjRERaS0NtcC9Tb1Zk
+            YWhGSjZRNittaVhkWkNEWWxUMDFCZ0RHeEQ4CithV3dubUg0cWxpdjZ4ZGh5aS8v
+            b1NKRGRsQzVRSjA1S3E2Q2p6TWljNVUKLS0tIHFzenVLdGpLcmx4RXdCNTdaVDlv
+            Uyt2STgycHdKNW5rcERjNWlyaUU2L0kKszUfYxFXeLppZ8BJdmhrZuxJvZkRq+w5
+            u8wKHdcSQfb8hzCJ696fsw/CMcGDRjqnIRiabRe3dUetRzl6tkMDiA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-05-16T23:43:55Z"
    mac: ENC[AES256_GCM,data:OAFdTBgFBtobgRR8WTQR+hfByJBeTM1t4gBxjBmcm9rClz2XgDuFQ/rDYRYEoAEKXoztCZhRqa82DSFsEZkaseaMOX6NeGlcsnXGKHzAmjRJrtEdYawpbH6i0o4r9kTBeMbjzCkP6NhxfjY6kvwMAgmUjzj7sQiSUgOLpeZt9tw=,iv:NTQuU4lN2LvvPKT/IpUQlycTaQayqgHEqFHUCWw4dME=,tag:VFfeht6E9xTL1+s7pt+hAQ==,type:str]
    pgp:
-        - created_at: "2023-05-21T22:51:07Z"
+        - created_at: "2023-06-05T19:07:50Z"
          enc: |
            -----BEGIN PGP MESSAGE-----

-            hQIMA6j84+xkv3y7ARAAj22jz23fuNTyPpxLR0a/Q410BBNQL39O0cboQWLuxbQU
-            /4sm27NjSEzsmJRycQYUuR2n1jE3i0Mozprj9sQVPpQKMtw7iKouN77rFbu+x0Cb
-            0uQ4Fel69POUQ/NPALhDgTU7TOkG/i8iJY33dHuoM52ttJJJit8R7vaI4GptZktx
-            6izdOPJc+m6KVWUTeuAXKe0EpbaY4x57qfvh7UqvWqnVvR1vztbKSL7GRxuq+DCf
-            cNMVYh3rV6YBRsxE54OcYpgNjDeeVt4uqWDvTM+pFxgg9eeqse1Y0c1hFwEw/1FH
-            uJyKYqQCl1KJuHmYS+L7wewsbmZtLsi+5wjEoFXcSMM9VpUTmYdpyTy1HhAxSNnK
-            Q1GutTPDV+J3EMY9rnJFZmebjq1kdyurblmXHRLB0rMufJuyPoVL4t3FWZdR1zMn
-            2Y6KeoweP0m/kyqcBcmDatqfzvBnaPwvNzZbnkMIwjqZ95ZfatOy3P4V8+YgxYLP
-            Z9ws/BcVeCSSo/SW7WiQWpZOgQ8PRu3r/NaEfsZzOz612P33DKVLXJYjb9tD7e2s
-            soMPC3phtk3LFVkKGMQmkusUNcrfVs3XS/4Uj4YtsEc+FESeh9mYFOMyMz40NgKl
-            SMp/Mimty3zpqZflQc7hMpNSOFj4lFjhJZBUhOp4dIzQjbTKapFTmYYAp8YyiH3S
-            XgFkEzLSPGQjZdE/GwUbvbhwqb8v7IJ/5cA0+z6ZLiVxwziC6xBy7t766NaF4/HA
-            nqiU0YePsdOW73R/bsafytm8Ve+HLmJjX4RyBY0o1i6+reHpIHIZrOr+d4IyB5s=
-            =Auu+
+            hQIMA6j84+xkv3y7AQ/9FNmPwjvjeySYpGxvb562JGaeMC0zHjFRJXvU8rlqGsSV
+            A3aIczVzF71EnCZ7hBcwq54l2JMv9ZNCMRAl8+7rQkQYAhx7QQprfvofOOnbn1/X
+            K8J4Oeg8p09zA2xiah1HExCV9MWVbeJqqHJMlvfhTcaCNvEpYVNmQnP87Ucfx/n2
+            xWH430WFx2o9/7BPj7HGAIDWRO5o9Nsqxhq3lEl3BvEm1PTu3pXoMe6if0odoo5O
+            yvpIXHkiHimfUnmStsvIwscCMkkZ8Ay3FArW6XpioZq4hNOLqEKRMTPtE/DDJ7MY
+            aT6Rib0bUIAHGUi1r2k2mAuV+a7x3MYPIW4U4NrKZmD15FxgwY1ZjItVAvzPck+e
+            SOcBhxZYkw/KFwbJyG5CveuWdq6vQq/V4fcQyHaKchkI38p0zFe3me8KCg4tFaYn
+            /KsWm8fRjGEY0dIq1kkHzsRs7UKNBFP9wd6ZAsNbl1J52i9IGti5wO1sYKCCcdf9
+            gLiTQ4tN4E3vCGuXN66Ns9kwkJKn63utEW3BuvOKXm1CytofaplNbtIqp1o11+Js
+            buLi6qtwrmsFi02taJILVqdvcJYZQ2F2h7IvioTWVxUOA2P8myDbtuUS10uDl06j
+            KQhFr4HV/idQqvfRLGHa5+rXHpfYw663kATJ8H2svBl5zBDxgj+yC+EpkxgtJyrS
+            XgHMO/ueuOMkiOHjMxKbPRoBUtmIG8Ow26sU5s5mrD//o5c/ymeRYu/VAWiILMny
+            gtdiQlJNNvZ4qED3hQ7rhAySRlht9bD+rH25qXu0UAb5lqPU0kvR18TiIZmITwc=
+            =4zuW
            -----END PGP MESSAGE-----
          fp: A5EE826D645DBE35F9B0993358512AE87A69900F
-        - created_at: "2023-05-21T22:51:07Z"
+        - created_at: "2023-06-05T19:07:50Z"
          enc: |
            -----BEGIN PGP MESSAGE-----

-            hQIMA8zMZ+ak7y/zAQ/9F5Hn9iWehGjv+B1Kyjaalo9SLwlH2MC3siVXD0onaUFu
-            o4NijY0jPFlwKNJ28CLcGgiH1ECodYGjLfn4tGfciE0WB7VBaJVF3T+8GXtawwFP
-            XwGl8BVrK4ykDJMyeVD8pXBdvukls4CXgFKwyh27lwqwQMRA6YyZf6/V+eNXGZqi
-            0nAnjW/hLCroiM2DEuo57yAl3jVL/v4V0nGK417RxEsG/f6+naKTsuvNcfcK7YLy
-            fjB4zM0Prky5aWdluClcHaLGq7JEQheJPrknjgj7uQDJ7XZzKDV+7AuCVqsVbADO
-            v1Of+JZv7aquWj6ZUvE8qrVXuokW82pj5ClFJARNzm8N0I2N3U0opEp26JL9wv2F
-            wH9Ip3gi8h/tpvO4PeTS56uTvlu8nFzUsK8rzApZjpZVsb644wVa4oFB6casQxD1
-            0BDBDrqO4Wb7XWPBzAxf4xAAV72aE4InpXU3IkJtV4pU1EJ0xbxGwPcAKt4yta6r
-            XzjC9861RQjt9vTNVVXXFF7vyjYf0a30pE2bYYnDZDVWUFVOXGofVmvlkTYc9nm7
-            Q3WbbRRH7lzajGwJGsgkLBPH/llweAoOg+DhL4tlw7vhFsAk2/38ZJXxTkwym2Hi
-            KHllON1sUSVefJ3mGDm3Mu3o101+cWDx5NHdeSV1tOSBQDPTqyqsTwiiXIEN8MHS
-            XgH1WQO6sq4+njkFyIRIW2rVN9vGuphGIMFpWlXcgmdq7COZslPs0QuYrAIXsw4V
-            s3UhFWkCNeAjuoUR9ZDCxdeAXOcUVVcTe2RIOgUNu5iKcgntMhPAaVqjxQuw5Po=
-            =NQGe
+            hQIMA8zMZ+ak7y/zARAAsqlV023cUfNfK5+T6HtGX6HU1lXUARvp8Gw8FAVAc54J
+            l0Ly1jmYkZamJt2dA1jScmH+jom9h9LyTABOorxQjvplXosPu1sf0uQJu6SL+ZIG
+            rbPJ93TZ/c1MBoQuI51PQk4RltBTXCHYsPA/y7kSJP2qv25IwPPTf9DaGeJxPRbA
+            CLmHEqmCxErY+3Lq0PjNMtiXDVndmXWoxHMSM0NCxBfK4UKnK1ne54u2YxhV7rlb
+            f7u+eevIf1SAVP9pjJ4jie+LrfjcnrT5SEDxT5G06KgSv4yozumNevbR5V1uPFVK
+            HuppNRB9MEqFlsNawUuEQ0GWLwa6IcdCrpBdq2e23f94ScWS6RAywNcv3U447WU8
+            zZVgDG/2MBV/eNvTwOODmqyk5q0LHRcWRuq4a4TUc90dYtlWYZl1R8ke2TCCF8DQ
+            oKbtFZGxsVrA+Kddh9qI9AuzEhY5YgIU4Ln/8g6OkCB13/UqJk4AQnqdawE0DY/7
+            6w2dm+gUhZXmInAE5FRz2mW27tr/Xr3+0HV2ZLzyxjcRJ7GMVOlw6uuj2TORBmEM
+            3ioTfPTIF5XATp8LjD3/OaveayX3ck0cqrp7FAqXz/YyFMvJHTf4nLvnbr78wBLM
+            lHwZ/llqjXcJMJN6AcWyHHR4xCKPFnDClRKWZPlvH+iviFGDW5vc8qdkRqjO2lbS
+            XgHkXe4OgpLeUYwQWuOvjBckvw8Nxw2q+3v0spuFd3Cs8ZSrD78wynciy9RRF6dx
+            QGWAsO0JoL87xPJ4q+65KHz7LhznzO3m5v1m80gjPVo67HHi50ZaqgFm5JaqgAU=
+            =xKNT
            -----END PGP MESSAGE-----
          fp: D4E89C6A0A58EE803EF708EFA9B23715F7AA3F1A
-        - created_at: "2023-05-21T22:51:07Z"
+        - created_at: "2023-06-05T19:07:50Z"
          enc: |
            -----BEGIN PGP MESSAGE-----

-            hQEMA45bZkLXmBFpAQf/QQ6b4K2zLh2hj/3Zk34lB4qzMAq1UxlDWSz0TMbbbzrd
-            nes3jJPKpQgIkUx0Nmmtu4ueipi8eDU6GJI/dLDio6rtZEToYHOFOAAbD7cZUDrh
-            IgDW3bqFm28hOR5yQXg3F05dUpC61MmdjJi8LUoKP6pNcuWkkxHxfcZrZdJnntPg
-            PSGqy+YFAXhO2untnS6+PdAgPWJO/9Fgrk2jsLOU3eeR+1oB+IrUxlxqSFp2Gj9x
-            4aeeiJG+kaCBTMi3SNEO5Wqe8JybHg5us/dTU3GqPYxPNYKDxpCzH92CIjT6eVj9
-            AVraeuCN/1eoE6Q9JyXxKqscTx/3bEgmIBKZ8FJ2AdJeAV8rYyAjQZuv6N+qM15Z
-            6iMor98bpPJ4+BzKIHdUKGga7jP02y4cT7mJRIayx4P2xG8wqMKQbGAYbQz31UTU
-            bs7IxC6zFx2UBe71fSOftR4gxgmR0an6Tm9CJbsxtw==
-            =QJ0A
+            hQEMA45bZkLXmBFpAQgAlLyUxz2Ty9KSF9epRqInIDSwQs0i8AzGW+F3lC7DBdR9
+            0fnfcwKlxKcU4aMn9waP3q450p2iq51j9RL0h2WJceBTJMLArhGHWqy7SNOgDivP
+            djwmu56b4ANVi5fBkAfS7uL7wgXspc3SfA3FkmlnH7HolUGFXYNFEwMD5nvYXRSm
+            fLTjyRcEcrQ8fh1hXkvqI30vKGV2hD/M68Lnk7jEjE9LpBLpALNe16v8i/dmONdL
+            gVkTjogfuQfTqkbBZNEWN2wyPW3Gh1hKypo8r41cDrFZVeJqefLALcv4zY1cZYxW
+            Guu3XSrPa3E0Yn1jvVtTJ6KW840u9L89ULyRHa4WxNJeAb1x0ceQF3ZOSoAPzZLX
+            LsNi1s1IsHENPqnbFwdhFhzNfPcrvWGRQEIatijZpkt+CyjyrjAHJpM6zJYbr1Xu
+            8q+fMn0hrNI3SxCCzM3rykmuNiwIjF/DK0Glstl7XQ==
+            =dUKt
            -----END PGP MESSAGE-----
          fp: A4B0F5A80C2E2448A97BEC25BB829C4DECA6CCB9
-        - created_at: "2023-05-21T22:51:07Z"
+        - created_at: "2023-06-05T19:07:50Z"
          enc: |
            -----BEGIN PGP MESSAGE-----

-            hQIMAwMCBBrc/JA6AQ//ec4F75cSeN51D93IA/AYA4xC6luLG56j2+VWhzIK/9bT
-            2vhmJ4aoWjJq5uokLhERlk+SnAous1Jw4P3vDlVcSD8EJMIx+8ZnCe3/nPd+yIiD
-            eqGIdyzpAfNzNYI0Ce1Ts2X8RQtMof49LjX3IulvJJ2IbYJPIulK3LQSOHm1uHfK
-            LOZTKMyHTHP1EhDUdNOCFSIbSVpaArk+9Od9AtE+bwgVM88GbGdovRPw7pm+L1P5
-            4ZeMd9O4GaVBFohi6DfN9vlllT9GDA4RbnmhbvpQ4GqUm6Vn5nrjkVpzJqmQngPb
-            20dssId7fuHBAiV+j4UrPBK+M3sTBuU9yBmaKUvRnficqmazgsFQIoODAVjD/Klb
-            /MamuBGY/syc/sFJSKgMZCduJ2uN5aqKIpjfqnKwSUiaogxVKa5QP1LJlWAizKyk
-            Lk2yl2XT83ERxdWd8IEKt8Vm/oAng2ADRiX4V0uIGZU+Wx4Tu/RAWKgdzfz1vAcE
-            rySfIBjmhyuz+BBQXdOdLhfnQ1k7AYZGH+zn9X/nvMA3S7Q6QiciTumdxXqyOg7S
-            PHO9uyUU8kJaXOoGbwYo2DgGAcGAYICgJAerBibwZAYiqTFdU90HQh6A8rK0JXLL
-            E/ujPUgFu+XvbIIAj/qr0KQgUqOGR/k9KMw8LvFy2TWYMaCHDuKpwgM0/02OurXS
-            lwGV73VKrbcj5dTpLUZh0F4d2AXK+9gWnmCjuwCA5GuY9R8I0tLGhwzD8YSlXdvr
-            pVug8wticmP/1sGZEHWtfVuHLRslCRsNH7jY+KDlOIHs+uM+LjGt9osOz9rtP5cG
-            2XQz7vOwpmTaV/Gtps8rQT3/3PuKfkCspf5DvgxNfiQQwIhFA1bUfDtFjCXezwSH
-            wCo7o91/zn8=
-            =fbns
+            hQIMAwMCBBrc/JA6ARAAiGs3PZMAiMYqO4TuZSf6lBSs/9FZ8kYaPf67BIHqnmlp
+            LqtvEbSC1OI53CX4gzOLH8E8vtE+NuND9XPSbzWS4L9n4X0qZhDes5BwzVCR7X8l
+            a6wuas+AvtfIrq/Sd4bt2r/a8kJtHGoylJJaMn1Z8oTwRzUoB8KlGMmzukucOkkh
+            CSBH8gqnoPAUgCTT7VfaDxwCZFphmY+fYz4BOiCY37UKAXb4yAuHizM06QbnZq5k
+            n3U4z5ucBwtWcr6Wv+X1Y2eu7Tlg//XuWAYyoMkKv/uiB5MNTp0+9DD+qZi3tqit
+            szMk0LyxecnWeohKAy4Y/k3tyfQQFy/BCj5srCWScBtxByDQiXTWNWaN9XNis5Dk
+            HBSpbxpPC0GTHCpbn0rJJRdrNLBcK920n6e27QBDUxCOE4RtQMZ4n9ggtGHMBU+s
+            q8mN93oSflZAZ0XL45Yw7TX0k+aFIfX9iHg2hQPOioDT5PbOgLTHK43/PsIlVuDx
+            2GTV86xR34piQK+V7nP4Y2e4Rc+5Yy5H4g1gdM27wiBzqCbLjjNkJ1cePL3d3Gko
+            eH0g5CG7vNkpfi0AtEpE0uYZeIjSRP9qZlpemtdOqz2sTX+x5pfFS/7mQVpd+Qz9
+            4mJQ//Todf8BxiXOqnSiRQKFt8uo9QLTFFDmNNWK4v6VvM90gGMWF7TThjw5D5HS
+            mAGI6oyJZygfiLh5vSs2opoTFP/4Xxd3An1M8h17HYVtYym9m7Kbm9By7EDFgjmP
+            dREhtf9ut0aEW4YJ6jx7lJY+LkOIW0tWi9CP5NH0pvGd300bgVCLjuAaXBkOPaa5
+            fz79s1YMQ2+DLHe+ODgP7hnVCt8f08bQ+a1LfmXaIOtaiNBFxuZ5cVu2LBC3hfOZ
+            h/4RnCm1ybl+
+            =TmpY
            -----END PGP MESSAGE-----
          fp: 4F9F44A64CC2E438979329E1F122F05437696FCE
-        - created_at: "2023-05-21T22:51:07Z"
+        - created_at: "2023-06-05T19:07:50Z"
          enc: |
            -----BEGIN PGP MESSAGE-----

-            hQIMA9XEenRNYVGHARAAzA6akuP1mkn6l1Ap0xe+5hIPNNm5BfRAraZTVErZS6wg
-            QlQxkM0ZAcwUrPH0Cj5a7J5LnX//bzTzzmHLtC4APL9wSYRG7KPx1X8i6urOVPDb
-            C1DFgjRW4O3Knbw6k7yVgKzPLlf+Ysh/uzyILizupT1vDah7pGR8nUx2erjqedzy
-            0iUL0v9P2vJh8zXv0C46NOyUy31o/A2opddHLGqlBLa9ak+AjO22RVCSdI3FKk8g
-            3moEEeyxUrrKz661lPOyf+Qj4NFyQuG8hrsVwPlMmUFleDHeJ+qbvesTKHWvHsYC
-            a2xeSTgzX7i/SLukcBBi11aPjYyQb+XZOfM6EAyVRmkLsApkb3640/BWyOw3FsYV
-            +0W79xs2BJK4ZyvtB4OvdWp41p+utAbushfJGrMLfD4wjcv26RXAiald8FxgrwUo
-            GhdA32P0VFJcTW5juVFW3p9DV+nSbtTUXyuvooegvT0jzTKBSlEz1twP6y0TdZ3+
-            a8eacy3124mPMUM50hy3/elzAFTORWrMvYqC2KywosngNBIKhhFUidxqssUajNT6
-            nO9Kc/bvRPsDY2avyD4RRuen6yIs9bHdGx3lxudSZom8L8LsxF+jk4wOpIhFAEHk
-            Kubc8C33eWIUOBN/xrM9lipR159B4dxaVhjugeiXRFgTf/uENWDfB1DZ3Y7TZlTS
-            XgGLRMoCxOcIavIn9YxXLl1qmv2PO4ukEIOi2VgvoqgyGeAAZdUW5fAPefs5LZdi
-            F3Yt4307oD8MoFK12QJUZID6esQjx686WWiiqEOCRiWJj5UsLTC6/4T2I47+Uwc=
-            =gNXa
+            hQIMA9XEenRNYVGHAQ//bT3i8RoQzWDN0jLRdzAD9HQ1/evOiSosTYlETDqkolCF
+            PjwmooqlgaXwFfLTJ6h4jsYA29LcGQggzwSLaA/mGf9HeEgkMEFNT5bI0SQtsAJ5
+            9/uLnlN2aW6g/dJyIDVdUFtihUKNBVefF3varK2XwLscIjyZj4YLo/j/eH8SL4iL
+            vf1zhQ/D/OlU5jS3R8FYKvoMFeIxwQdj242q+PGvxgZF6T4opubfDQc4tjQMdx8H
+            6IMtDAG4WfR+T3HSZx2gz11z5Rr0oKgTzn1D9c3BEIwTaX2h88wTzvziMGjbRxlo
+            Tz3Ldbyn9cavigz+wASi+BmILVmm7M7e8rzyZUOJxvJd0zvYT5UeZRq0xGmMjH/C
+            smbLCDZRyjG4u0s/ggz0ItXkusXSjt7s7y/1oy0/W1H1VxsiYJ60/0wceFR8yMLu
+            ZOmJGTmkE8Dpd4fPdRqZlEtBUJ4f9UTRT12I7rR4XEovPEUMKeck+jkx7A2kXn/J
+            bBmADR1zlXNnzOjtYLqEoJMynDBNrQwKuCdNm0ixdx/9uo4p0MmXe+MMxK97jgpe
+            SMIfO5jhXFoPqxqsc+2ilzzaCNKRndQXRSTRs2PRVeqTKKPp3rPEjCVo0h4F/FQu
+            Tpqf8mXWdimwuFelaVsmQ5iQSDE1GhHYr3fbS9Ki7iCS5IUdi5ptf6i6EKJOUBrS
+            XgGV7wmVfsEVg5b6bfGSEbAaB6rNMTs40ZIOj3xoR/4FnhvKhkklve43KWVad243
+            7M22JVEEudpBl9Lc8iSTCgAMQdJKOKgU5XZJQ0tbhJ1/6TtOVBHD5L/GlZimPHU=
+            =K5Yj
            -----END PGP MESSAGE-----
          fp: 4B12EFA69166CA8C23FC47E49CD3A46248B660CA
-        - created_at: "2023-05-21T22:51:07Z"
+        - created_at: "2023-06-05T19:07:50Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            wcBMA/Z87ylQaotQAQgAorrdBEubsaIC37kx+bo79Rv7zAOadlyIErthzjWJgCra
-            cw1r3WiCEFXRg/d21GwMFeiPtMCbAemF4Q+/sJByw88VjRazGnA2cCpc8FUXZsez
-            WhGfARQD140TytyBzQGt6x2dblLsrUyi5cUaSZ63LCQYAyBh2g2m+rt6Nc0n+72U
-            pKOa4GF0I9HrWnXGKmlQBVfwoBDPNw/MUcP64dXWorar482p1fCwazimvww5/QlB
-            J5ggG/TRZM//5FSkO+W+PSOdkNLBWjY24jmUWDB1YGeU86awM7bHr+db7hiooOlI
-            JAXhMd5NrEGlTk5veeRAcnbdUXfqs1g799JWMbVfwNJRAWoFNJ54nB3jJ4rN2KHk
-            GVS0ed7+D+xF5e+K9Eq1zb9p4LTCJQGPt5zAZe7VSRhUvT0GGz0n2QhTr7oiG1E3
-            HAK8Hq73YmByhNI332CCTqmQ
-            =vX+P
+            wcBMA/Z87ylQaotQAQgAiCrJv1b2bMgEOq+L6bznzuBa1fgCcxzBdscWqYTzENpP
+            F7hHtHuO54mfiNsNKyvo72VYS6VMNgmoiZYvmwvTaEMp5awocUYm62ie9Dl7pbkK
+            GabxbDqV+vCJOE10xzf0jnWR0GhZSbZVSXj1JYbQRTDCgpEA3ddLBD47TaaotDXB
+            qnyhV6UnqOPTSpp8bUY4IauTueoHgoAfvUclOMXAFFBHVj5sNA4ydD2fMwbqfLLc
+            cCcZ7c5SRY0ZbzSoeMp8pHQ62hi7IswPBUEkJNb1le2RbQbBXqfwlG+TGpDlHZA+
+            SDDoH7iByD2MYLKGL4G3Iz54rWYHIepR4aTQ2XoIOdJRAXk6mQd46c5JqA1ONYEt
+            2vHCowb2ykcdrOxmuoHl1kmplI/Ue2GeBX8GaOd9UaxxK1RjjZSyIRQGmVqlGHQN
+            cNeep13UQJnVUjpBHSDO/Ol+
+            =bvaj
            -----END PGP MESSAGE-----
          fp: 9EA68B7F21204979645182E4287B083353C3241C
-        - created_at: "2023-05-21T22:51:07Z"
+        - created_at: "2023-06-05T19:07:50Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            wcFMA9qJIVK2WMV7AQ/6AroDkAJe25B4EpfNflslL29Erv616LddHF7GAXYMD0oU
-            zi/c/PDM9Kfu2PohFVksWTioFshaC4EAPRzS2xM4ozQej2rGl0WkHwjQEkuXCYFm
-            lCk3AcYEx2K/xGqvZSVCuwgeRSa9+DtkvTw0UXe3jz/vQ6FyqAXMWrSelGeneAlu
-            8altkU3xRct6XumIqV2YeSlcv9CpbXleqXndggCi1x9kitxwWkE+y05Vn+m26Rjd
-            uY81tcRgbuuNsfHSBZoq9+pPpJ/4bRR4wktHII+wjwCqryFzpteoaDQ9dAWPwO3E
-            n78eZbKMZxE21WXQ26XMdRiSdexXvLZeX4Tznuqg7F8LQ77vnaW1vQfAcnhxrlDc
-            jGAlD0pb9Oh9vGMeWOookoRGM7WMImCFvxkFakEcyUtSAAfX0pf++hksFZMJrEYj
-            WOfvYmmEELQtWC8CEdDKOb/7DhwMlHImMJF1w7UYyzcbnOlDBY4JXrIfOcpY5ztY
-            bBT5D2Ihz2UvOgIk4IozhJDfba+eCbqzo//2lMDJrS8qcocK06IIenuhTsjZi2Os
-            q+/xhwSQZR0yu3VoEJQZKVS/ejMXsEt3pcCM32UDYq9kq6UAin1/gZ37NPl0w2MM
-            vw/P5J3aqevS1aX+HUk1ANQOaopZxeqPgDowAtq9I3r0T9LpjwaM91f18JsnW6zS
-            UQFJwMmvBNbOVN7xXv1mUb5OYGxRldLb6CRSs54k1RJW2WLgy54wo23dAN7VLBR1
-            fju2hOCYOSWRiX3o6ekBWHuIkGPo3gFsiWflL3T1KGoYHQ==
-            =B+Io
+            wcFLA9qJIVK2WMV7AQ/4zIJz5IgPCCY9Pll/jLH6nTqif9ZRV3Yd26wZBiv7JNUh
+            4JznoA42rkcNFfcwfIxkIDHFgxU1Xv2jaZ4aL4PubSyjYUGS/n+9IOshiWA2VV+s
+            HALjZKIKt3RMUXPMNiUS5jNGNyclhQKHzkR/FLRpTFtsWXxh/Pu7fsviHsyP0VxY
+            tSIzUnqw4FdPIYj7v8eIat/zryzAH6Ogc+hSTJ3uKoqFWs7AjauycrEaDYakBCOs
+            bq5X2pAE2oODm4BUMgan38GJQi4JNcpd7MHNvZfdCVD/Ksn0urZSPZIJz8HegATB
+            8X7BuFFRjYQjwEBDlm14MZ8uq2VeIggb5j+wJdybhOfcHaqgSZIXqEwpQ3jr7j1+
+            eKvfBepe4D74gqH2lKZ4Z/r0pQR8YqW+23xHxGaxfdrGLSs06cBkWdE39v4eizxH
+            g2rDLIdrjTDu+puY6iS0jUpd2SQXh5wqblBg3HHamTWCRF0aDpbZKhNiD92lZtVt
+            b5USsmtWLdX2cFH/R5/vkD9rbVCbUHo1aeQ8QggxBDHj2WqSHf0HO5FIfrknJzH3
+            yyL5WGNhq8XVCxqarrjtjrgtgs3GXJFjB8NQeYQh3olIHn2lTKiqyij+U3I7qLW0
+            1xrPo23nslNYouK3ZI8T2ipLr2nLZMCQxU/cdnYhf5IDlLcY5LrW9ASN1RfhtdJR
+            Aew2nBFoqOaOzLc9rdM700LXEs/19Ao16J46XUM3YyUuwxB3LNJxfDkqaf/nK8Jl
+            w2BUq1iT1FDWJ0p+7w3QgsMkxaZYEke4Q5GaTM/VZ1q3
+            =TlcY
            -----END PGP MESSAGE-----
          fp: 53B26AEDC08246715E15504B236B6291555E8401
-        - created_at: "2023-05-21T22:51:07Z"
+        - created_at: "2023-06-05T19:07:50Z"
          enc: |
            -----BEGIN PGP MESSAGE-----

-            hQIMA/YLzOYaRIJJAQ//UCtVD+TiabB9yvCv0HvyY2OaGIGtZOTr+izGb6KJfGPs
-            M7vz0bppDTBJo3YiXj37+wRvIwK7bESQHvbWiFdqEadqJBHMI7NXSOdWvbVLFuAN
-            +fXPEVsupaGcUTZpCLQS+mZrVFYgLE4yMs4JSu5roL6tu7y04+1PtGiYoF0QNRuf
-            auLE6ItdZ96iJWe/OFK9VRKFtX4mbjOi/Z9+1nBasJAaAXb2AtVr2EBbqfx8NYgR
-            NTdMvE9zbcaHxiw4eGWWAeJSVcSloP7BvN+eQe8oE7ivg55+DgmFE8o+/O4TheMp
-            LUMa2vykQN/JWo6K0AYv0y37S5N+YLztdF9jw3EUZ015BhlzbQvy2Rc/pIoOFj6p
-            t16Kjaa752RpK4mDTmkiha2yoSL6aHZUnpGzpeV2jiTUVIktYHo+7ISp/jauDFAu
-            1ONtXJji2CLW6eM2VrIIkcazzYmCbnkkTekg08r4W/btzKSeQNZ96Teqz12Ag1eA
-            F2HchbHGYARwo491UlkMXKbtqso4OIuVIyks5HApbdS065NReozQWPNQtGq8ISVe
-            bAXoHDrmX+0FS+jdj8+zeWzb0CfNq8fX3Jjk1eyjUv9Q5ClEHOvh9fbmfzUJTLkm
-            lxpoK5s1CxKsEbP+vwlfd4lRSM6BRARZRHUy4msScfpHhyJ5UwCIkBfmFyzw+FHS
-            XgFfZL2BJdtXXTReiVJd+HR/KA3HIBXJcqYZ8vt4+hzYOnwwScaoLT8dVxtwNksC
-            Tdtk1lO2lK/C3OEtexhrkmUCYCxQceauYtkwYX4Q/va8t4o2eyAdnvoHejxQTwk=
-            =/Y5m
+            hQIMA/YLzOYaRIJJAQ/9F0Y0q7ZWuHF1Ck11iNMDIuuiaMwbWTgq6mmCp2VHTuKP
+            LBkjihQfQxnJbkqllY6v2Q4Bo2g2HnPzUDDFkxJUzYaoIGcNNL6lnY02Tb0+asVv
+            gJGBbTuYNGaHNNo3MQOVi3GHp+YjAQFWFi3vXDX0HP/+eJsxVShYcStRU9giyaM5
+            4DZ9P1ti6I+Y2344QdyUm6ERIQROkFdBd94FeLLSaElXKpljgAemXT6hFx1Ol09p
+            FUgfDQJZrTI2zjrPP0twvnX3W2DS663JVnmW6EgZNA3Zd+wS8F6D7OLlTQsy7hpb
+            KETG6BKMpB7jCagXV08ylL+Ova0JnGvBPudAnW+Tg2afmZWXq5eTRw5xbwqxxPOH
+            aZMCwnq9fqJvPIoR3vOlZsjj5uPv0L6iwntp5l446qEzbpBhuctY27ij6d0KYrA2
+            SwEFqPMKnTyi12pfwM1xv8cw0L0FoCTStRMaTofmlDBfvBh0N+FHUsVLGyXsqXiH
+            7O3i53Ijaj+ybt/v+OfKl1MvIzUU2aVw9VFrZWht8F6Hell80bilobL9lkQnuTjs
+            ohfc/nHMtttsx1F9f6NWlWQ4QknxbjkaXeLGjfviykDmQH9VSNcSjttzTXdp2JG+
+            qNJGBGqNyHUuU7QbBV0b60WiVh0UXjFY5I1KW+82PLby0QRq0hue0ugoFlgZA3zS
+            XgEBGeIMv+XJXWIZ3JBecJiOGoZ+a97uTM5tbSURlKJTmNMz5DkR/hHtzohCoeyt
+            tF3cB/+Rn+M5J/iOAZLGdp/cjznLBmMyBIQzRBCw5SFYkZO6Ist+Fl4ZtpfYmUA=
+            =zkFg
            -----END PGP MESSAGE-----
          fp: 91EBE87016391323642A6803B966009D57E69CC6
-        - created_at: "2023-05-21T22:51:07Z"
+        - created_at: "2023-06-05T19:07:50Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            wcFMA7zUOKwzpAE7AQ//c1rrZEnkBY/zxsR8nR75Rd8f+h7emqjnwkQkEsrI/ZvB
-            CHXhy0nWEeBS0sSxnI0B4yGRmeUoYmoC3GFcyxvuv9VbVTjOn7zGLix5eTT69i1v
-            G2kclTY9N9q+IqcBLFGotOmEYtdbo+pnuFWZhMKyl2522O827FkAsbh9TtvUthfQ
-            I5BE/f4wR4Mb2zsIVSvq8iWrCx9+KWlgjZo3+X/FlHu1QWdaoXWBgq6Bv6XnLZRa
-            OmtH2xKnQEXMVaVE0I/CWqh66UWRPFbNEfxX0qkMmorgmvd54dkk5XI39a1qF5Y/
-            TLIm0x4Qs+auwxawM57NCPK1Z2PixX8mR5rE0xckKAMbzcosOFIWnob7y5188k3U
-            f1G65DySPf9FBekAxqYNBBrA5v+w+W8n7lfHXz2EzcSHwwLuz67W5bkD8bBBDWfR
-            1dBUXtiYa87gA/ZTgwpd2P14dMTZKzjWhmvjpVfFXE4lyz+ZilF5Cw61kA08J0Gr
-            219Dmi2TB4mRm97Z58aR8ro55BnVU6yE0e7uCxR7HOuFq9nYQ+l7ilie3bq7266n
-            dFg6riLcrmtHNX4X1HV2L/E9P02ve/ybz8BzhWRT74OedD1Uasyg3fcQapllw/ek
-            YtJyNElxOH+egxoDuxRUhfruYuv3gengl76cAzz3vQCooI8asgCSuEdvQ+WaLa3S
-            UQHer1vyowr4o5lqP2T5JE5h1vcYcoTb1mq2bHV41OUuqnMBfTysor98pS0WP07R
-            9IeV2eirnOmfRYmneIXnKT/u+6gF4mjg2GQoGGDBdEU0rA==
-            =qWRQ
+            wcFMA7zUOKwzpAE7AQ//UAenuwR/veLq3VWQThJH77EpgdbKTqV2xPOXBO4iR+wj
+            RHA28/rueyNDqVv7ep4rYcQ+qN+Vt2dkR4Zn28h28ndyGCxtXKF3V1qhDdYp8z+X
+            acodjt9vboCvHajkR5YCMoQkv8sb4MJvXP+VwvkbjmiXkzpY2DHRjNAVr76M+5yK
+            I0xU8deh6bRKj9r+F1U+oKiVRwSdwHei/IWVY76LAaT/VYmWf87GnfnKmmmHHxxE
+            74NtndW3NBWX8A+of53KAEJ/E8Ls74ky4I5TwfPXLKFiLJjE7AN4GX0AW83O1Qvw
+            UoMvgLXIA21UJUQx3m7/qWPLMBxMngxS00IL2MEzUzgfl+OmGBP0tk50otVlHJDS
+            fvR6DCWJiS7G9i+OtN1CmHNqRvzAgZ9dwcd6NhzFrYWi3pzbo+F0KRW5V5Fmqvij
+            QAVm/uCMojUtrrYNCAGA9UxaYvZiHG5nc3cAmfqYCDgZjUlMVZ5C+LxK/cAXUQQC
+            VLxc1PbJkRE6npam/XpewY6irEpcFXW0gsAmTdexUN4beel3B5pcCEWXGtaGDwDr
+            ffsxXhgk/A51EqJvZJzn4eKqH5J2qoGNJvpqn8quwGF5gDpQNH0P117HHpwG6Ipt
+            kUcfPOwy7gb3i4jGnlVCMzlcnJ3tRePhnXSAGdV8rjfWxOhfJ3lOwbDeSaxzUpfS
+            UQGbQWO7K1Bd5TUMH8xXladHum+pYtTvIBUQjdVj9XXVXiinfBXUS6L8FMfd8OkA
+            MC854+d3CCkoJPk8jnxKNan34Q+xsMK4WX1RsUotwVH+4w==
+            =tCRU
            -----END PGP MESSAGE-----
          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
    unencrypted_suffix: _unencrypted
--- a/modules/baremetal.nix
+++ b/modules/baremetal.nix
@ -40,6 +40,7 @@
    };

    environment.systemPackages = with pkgs; [
+      freeipmi
      lshw
      pciutils # lscpi
      smartmontools # for smartctl
@ -49,18 +50,28 @@
      "kvm" "big-parallel" "nixos-test" "benchmark"
    ];

+    powerManagement.cpuFreqGovernor = "schedutil";
+
    services = {
      # just assume there are ssd's everywhere
      fstrim.enable = true;
      smartd.enable = true;
    };

-    system.activationScripts.generateInitrdOpensshHostKeys = lib.mkIf config.boot.initrd.network.ssh.enable ''
+    system.activationScripts.generateInitrdOpensshHostKeys = let
+      sshKeygen = "${config.programs.ssh.package}/bin/ssh-keygen";
+    in lib.mkIf config.boot.initrd.network.ssh.enable ''
      if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
        echo "Generating initrd OpenSSH hostkeys..."
        mkdir -m700 -p /etc/ssh/initrd/
-        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${initrdEd2219Key}
-        ${pkgs.openssh}/bin/ssh-keygen -t rsa -N "" -f ${initrdRsaKey}
+        ${sshKeygen} -t ed25519 -N "" -f ${initrdEd2219Key}
+        ${sshKeygen} -t rsa -b 4096 -N "" -f ${initrdRsaKey}
+      fi
+
+      if [[ -e ${initrdRsaKey} && $(${sshKeygen} -l -f ${initrdRsaKey} | ${pkgs.gawk}/bin/awk '{print $1}') == 3072 ]]; then
+        echo "Upgrading RSA initrd OpenSSH hostkey with only 3072 bit..."
+        rm -f ${initrdRsaKey} ${initrdRsaKey}.pub
+        ${sshKeygen} -t rsa -b 4096 -N "" -f ${initrdRsaKey}
      fi
    '';
  };
--- a/modules/cluster/default.nix
+++ b/modules/cluster/default.nix
@ -1,4 +1,4 @@
-{ config, hostRegistry, lib, pkgs, ssh-public-keys, zentralwerk, ... }:
+{ config, hostRegistry, is2305, lib, pkgs, ssh-public-keys, zentralwerk, ... }:

 let
  inherit (config.networking) hostName;
@ -67,7 +67,10 @@ in {
      # Deployment user for leon who also uses this flake
      leon = {
        uid = 1002;
-        sshKeys = with ssh-public-keys; leon ++ astro;
+        sshKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPZoT83l0ogbJpviBs4VmO+NdF4NPtYAnyf8RRSoXsv leon@leon"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"
+        ] ++ ssh-public-keys.astro;
        home = "${skyflakeHome}/leon";
      };
      # Deployment user for neighbour Andreas Lippmann <andreaslippmann@web.de>
@ -89,7 +92,8 @@ in {
    deploy.customizationModule = ./customization;

    # Ceph storage cluster configuration
-    storage.ceph = assert lib.versions.majorMinor pkgs.ceph.version == "16.2"; rec {
+    storage.ceph = rec {
+      package = pkgs.ceph_17_2;
      fsid = "a06b1061-ef09-46d6-a15f-2f8ce4d7d1bf";
      mons = [ "server7" "server8" "server9" "server10" ];
      mgrs = mons;
@ -97,6 +101,9 @@ in {
      rbdPools.microvms = {
        params = { size = 2; class = "ssd"; };
      };
+      rbdPools.microvms-hdd = {
+        params = { size = 2; class = "hdd"; };
+      };
      cephfs.home.mountPoint = skyflakeHome;
      # Legacy: migration to rbd
      cephfs.skyflake.mountPoint = "/storage/cephfs";
--- a/modules/microvm-defaults.nix
+++ b/modules/microvm-defaults.nix
@ -9,11 +9,19 @@

  boot = {
    loader.grub.enable = false;
-    kernel.sysctl = lib.optionalAttrs (config.microvm.mem <= 1024) {
-      # table overflow causing packets from nginx to the service to drop
-      # nf_conntrack: nf_conntrack: table full, dropping packet
-      "net.netfilter.nf_conntrack_max" = "65536";
-    };
+    kernel.sysctl =
+      let
+        mem = if (config?microvm) then config.microvm.mem else config.deployment.mem;
+      in
+      lib.optionalAttrs (mem <= 2*1024) {
+        # table overflow causing packets from nginx to the service to drop
+        # nf_conntrack: nf_conntrack: table full, dropping packet
+        "net.netfilter.nf_conntrack_max" = "65536";
+      };
+    kernelModules = [
+      # required for net.netfilter.nf_conntrack_max appearing in sysfs early at boot
+      "nf_conntrack"
+    ];
    kernelParams = [
      "preempt=none"
      # No server/router runs any untrusted user code
@ -27,11 +35,11 @@

  hardware.enableRedistributableFirmware = false;

-  # required that sysctl contains net.netfilter.nf_conntrack_max on boot
-  networking.firewall.autoLoadConntrackHelpers = true;
-
  # nix store is mounted read only
-  nix.gc.automatic = false;
+  nix = {
+    enable = false;
+    gc.automatic = false;
+  };

  systemd.tmpfiles.rules = [
    "d /home/root 0700 root root -" # createHome does not create it
--- a/modules/microvm-host.nix
+++ b/modules/microvm-host.nix
@ -8,11 +8,20 @@
  };

  config = {
-    # just all the microvms from this flake that are supposed to run on the server
-    microvm.autostart =
-      builtins.filter (name:
-        (self.nixosConfigurations.${name}.config.c3d2.deployment.server or null) == config.networking.hostName
-      ) (builtins.attrNames self.nixosConfigurations);
+    assertions = [
+      {
+        assertion = config.skyflake.storage.ceph.package != 17;
+        message = "Please pin ceph to major version 17!";
+      }
+    ];
+
+    microvm = {
+      # just all the microvms from this flake that are supposed to run on the server
+      autostart =
+        builtins.filter (name:
+          (self.nixosConfigurations.${name}.config.c3d2.deployment.server or null) == config.networking.hostName
+        ) (builtins.attrNames self.nixosConfigurations);
+    };

    systemd.services = {
      "microvm-virtiofsd@" = {
--- a/modules/plume.nix
+++ b/modules/plume.nix
@ -44,6 +44,7 @@ in
        CREATE DATABASE plume;
        GRANT ALL PRIVILEGES ON DATABASE plume TO plume;
      '';
+      # TODO: update to postgresql 15
    };

    systemd.services.plume = {
--- a/modules/rpi-netboot.nix
+++ b/modules/rpi-netboot.nix
@ -36,7 +36,7 @@
      ];
    };

-    tmpOnTmpfs = true;
+    tmp.useTmpfs = true;
  };

  hardware.deviceTree.enable = true;
--- a/modules/stats.nix
+++ b/modules/stats.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, libC, pkgs, ... }:

 let
  cfg = config.c3d2.hq.statistics;
@ -7,6 +7,7 @@ let
    !config.boot.isContainer &&
    !(config ? microvm);

+  nginxStatusPort = 9100;
 in
 {
  options.c3d2.hq.statistics = {
@ -14,50 +15,50 @@ in
  };

  config = {
-    services = lib.mkMerge [
-      (let
-        nginxStatusPort = 9100;
-      in {
-        collectd = lib.mkIf cfg.enable {
-          enable = true;
-          extraConfig = ''
-            FQDNLookup false
-            Interval 10
-          '';
-          buildMinimalPackage = true;
-          plugins = {
-            logfile = ''
-              LogLevel info
-              File STDOUT
-            '';
-            network = ''
-              Server "grafana.serv.zentralwerk.org" "25826"
-            '';
-            memory = "";
-            processes = "";
-            disk = "";
-            df = "";
-            cpu = "";
-            entropy = "";
-            load = "";
-            swap = "";
-            cgroups = "";
-            vmem = "";
-            interface = "";
-          } // lib.optionalAttrs isMetal {
-            sensors = "";
-            cpufreq = "";
-            irq = "";
-            ipmi = "";
-            thermal = "";
-          } // lib.optionalAttrs config.services.nginx.enable {
-            nginx = ''
-              URL "http://localhost:${toString nginxStatusPort}/nginx_status"
-            '';
-          };
-        };
+    networking.firewall.allowedTCPPorts = [ 9100 ];

-        nginx = lib.mkIf config.services.nginx.enable {
+    services = {
+      collectd = lib.mkIf cfg.enable {
+        enable = true;
+        extraConfig = ''
+          FQDNLookup false
+          Interval 10
+        '';
+        buildMinimalPackage = true;
+        plugins = {
+          logfile = ''
+            LogLevel info
+            File STDOUT
+          '';
+          network = ''
+            Server "grafana.serv.zentralwerk.org" "25826"
+          '';
+          memory = "";
+          processes = "";
+          disk = "";
+          df = "";
+          cpu = "";
+          entropy = "";
+          load = "";
+          swap = "";
+          cgroups = "";
+          vmem = "";
+          interface = "";
+        } // lib.optionalAttrs isMetal {
+          sensors = "";
+          cpufreq = "";
+          irq = "";
+          ipmi = "";
+          thermal = "";
+        } // lib.optionalAttrs config.services.nginx.enable {
+          nginx = ''
+            URL "http://localhost:${toString nginxStatusPort}/nginx_status"
+          '';
+        };
+      };
+
+      nginx = lib.mkMerge [
+        (lib.mkIf config.services.nginx.enable {
          virtualHosts.localhost = {
            listen = [
              { addr = "127.0.0.1"; port = nginxStatusPort; }
@ -72,48 +73,30 @@ in
              deny all;
            '';
          };
-        };
-      })
+        })

-      (lib.mkIf (pkgs.system != "riscv64-linux") {
-        nginx = {
+        (lib.mkIf (pkgs.system != "riscv64-linux") {
          enable = true;
          virtualHosts."_" = {
-            listen =
-              let
-                port = 9100;
-              in
-              [
-                { addr = "0.0.0.0"; inherit port; }
-                { addr = "[::]"; inherit port; }
-              ];
+            listen = let port = 9100; in [
+              { addr = "0.0.0.0"; inherit port; }
+              { addr = "[::]"; inherit port; }
+            ];
            locations."/metrics" = {
              proxyPass = "http://127.0.0.1:${toString config.services.prometheus.exporters.node.port}/metrics";
-              # ip ranges duplicated with matemat
-              extraConfig = ''
-                satisfy any;
-                allow 2a00:8180:2c00:200::/56;
-                allow 2a0f:5382:acab:1400::/56;
-                allow fd23:42:c3d2:500::/56;
-                allow 30c:c3d2:b946:76d0::/64;
-                allow ::1/128;
-                allow 172.22.99.0/24;
-                allow 172.20.72.0/21;
-                allow 127.0.0.0/8;
-                deny all;
-              '';
+              extraConfig = libC.hqNetworkOnly;
            };
          };
-        };
+        })
+      ];

-        prometheus.exporters.node = {
-          enable = true;
-          enabledCollectors = [ "ethtool" "systemd" ];
-          listenAddress = "127.0.0.1";
-          openFirewall = true;
-          port = 9101;
-        };
-      })
-    ];
+      prometheus.exporters.node = lib.mkIf (pkgs.system != "riscv64-linux") {
+        enable = true;
+        enabledCollectors = [ "ethtool" "systemd" ];
+        listenAddress = "127.0.0.1";
+        openFirewall = true;
+        port = 9101;
+      };
+    };
  };
 }
--- a/overlays/0000-fix-SPDK-build-env.patch
+++ b/overlays/0000-fix-SPDK-build-env.patch
@ -0,0 +1,11 @@
+--- a/cmake/modules/BuildSPDK.cmake
+++ b/cmake/modules/BuildSPDK.cmake
+@@ -35,7 +35,7 @@ macro(build_spdk)
+     # unset $CFLAGS, otherwise it will interfere with how SPDK sets
+     # its include directory.
+     # unset $LDFLAGS, otherwise SPDK will fail to mock some functions.
+-    BUILD_COMMAND env -i PATH=$ENV{PATH} CC=${CMAKE_C_COMPILER} ${make_cmd} EXTRA_CFLAGS="${spdk_CFLAGS}"
+    BUILD_COMMAND env -i PATH=$ENV{PATH} CC=${CMAKE_C_COMPILER} ${make_cmd} EXTRA_CFLAGS="${spdk_CFLAGS}" C_OPT="-mssse3"
+     BUILD_IN_SOURCE 1
+     INSTALL_COMMAND "true")
+   unset(make_cmd)
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -13,17 +13,27 @@ with final; {

  bmxd = callPackage ./bmxd.nix { };

-  dex-oidc = prev.dex-oidc.override {
-    buildGoModule = args: buildGoModule (args // {
-      patches = args.patches or [ ] ++ [
-        # remember session
-        (fetchpatch {
-          url = "https://github.com/dexidp/dex/commit/dd0fb05386ce89c74381ce49e903cc10b987459e.patch";
-          sha256 = "sha256-71py0pysgS3jDkKeqD/K4KJ821bolz/4PTjt2rDdUy8=";
-        })
-      ];
+  ceph_17_2 = assert (lib.versions.majorMinor ceph.version) == "17.2"; prev.ceph;

+  dex-oidc = prev.dex-oidc.override {
+    buildGoModule = let
+      ver = lib.versions.majorMinor prev.dex-oidc.version;
+    in args: buildGoModule (args // {
+      patches = args.patches or [ ]
+        # remember session
+        # TODO: remove 2.35 when 23.05 is stable
+        ++ lib.optional (ver == "2.35") (fetchpatch {
+          url = "https://github.com/dexidp/dex/commit/dd0fb05386ce89c74381ce49e903cc10b987459e.patch";
+          hash = "sha256-71py0pysgS3jDkKeqD/K4KJ821bolz/4PTjt2rDdUy8=";
+        })
+        ++ lib.optional (ver == "2.36") (fetchpatch {
+          url = "https://github.com/dexidp/dex/commit/000004b13b876e04a6f75ec0394f7cabe84fb15e.patch";
+          hash = "sha256-u85RnwfhcQt7RK11Ed/fDLUbHOuD+TKJU8UHQslZowM=";
+        });
+    } // lib.optionalAttrs (ver == "2.35") {
      vendorSha256 = "sha256-BxFiRHOGIJf3jTVtrw/QbnvG5gyfwAKQGd3IiWw5iVc=";
+    } // lib.optionalAttrs (ver == "2.36") {
+      vendorHash = "sha256-hxq7JPz8uD5WQIPO2anSf9+kzyoQy/BQ0OVTblA8qts=";
    });
  };

@ -100,14 +110,14 @@ with final; {
    doCheck = false;
  });

-  oxigraph = callPackage ./oxigraph.nix { };
-
  pi-sensors = callPackage ./pi-sensors { };

  plume = callPackage ./plume { };

  readsb = callPackage ./readsb.nix { };

+  schalterd = callPackage ./schalterd.nix { };
+
  telme10 = callPackage ./telme10.nix { };

  tracer-game =
--- a/overlays/mlat-client.nix
+++ b/overlays/mlat-client.nix
@ -2,12 +2,12 @@

 buildPythonApplication rec {
  pname = "mlat-client";
-  version = "0.3.9";
+  version = "0.4.2";

  src = fetchFromGitHub {
    owner = "adsbxchange";
    repo = "mlat-client";
    rev = "v${version}";
-    sha256 = "0zqm9g6sg3mzq8x809x9kicc9mqpkh1ndb0xfapb3hkz5d5dnm6z";
+    hash = "sha256-V//LpYmBXtT8haX1aZ4XldzzyUY2YN7x3lTpQ2csTmw=";
  };
 }
--- a/overlays/oxigraph.nix
+++ b/overlays/oxigraph.nix
@ -1,35 +0,0 @@
-{ lib
-, rustPlatform
-, fetchFromGitHub
-, pkg-config
-, llvmPackages
-}:
-
-rustPlatform.buildRustPackage rec {
-  pname = "oxigraph";
-  version = "0.3.11";
-
-  src = fetchFromGitHub {
-    owner = pname;
-    repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-7KbDZKKJPk3QTp4siIbdB6xKbslw73Lhc7NoeOuA0Og=";
-    fetchSubmodules = true;
-  };
-
-  cargoSha256 = "sha256-Yqn6hwejg6LzcqW0MiUN3tqrOql6cpu/5plaOz+2/ns=";
-
-  nativeBuildInputs = [
-    pkg-config llvmPackages.clang
-  ];
-  LIBCLANG_PATH = "${llvmPackages.libclang.lib}/lib";
-
-  preConfigure = ''
-    cd server
-  '';
-  postBuild = ''
-    cd ..
-  '';
-
-  doCheck = false;
-}
--- a/overlays/schalterd.nix
+++ b/overlays/schalterd.nix
@ -0,0 +1,15 @@
+{ lib, pkgsStatic, fetchFromGitHub }:
+
+pkgsStatic.pkgsCross.armv7l-hf-multiplatform.rustPlatform.buildRustPackage {
+  name = "schalterd";
+
+  src = "${fetchFromGitHub {
+    owner = "astro";
+    repo = "spacemsg";
+    # master of 2023-07-02
+    rev = "a825a738544e62c285f4497c151a73d417326da2";
+    sha256 = "sha256-8sM2GdQ2nJ3YCCF5+ZW0vBNTKL3/ulY1/fmyw++5UQQ=";
+  }}/schalterd";
+
+  cargoSha256 = "sha256-OdNztl4XQML2UqK/4BLzKed3pBJNd9rIwHEXaIzLQ4U=";
+}
--- a/overlays/trainbot.nix
+++ b/overlays/trainbot.nix
@ -7,17 +7,17 @@

 buildGoModule {
  pname = "trainbot";
-  version = "unstable-2023-05-07";
+  version = "unstable-2023-05-25";

  src = fetchFromGitHub {
    owner = "jo-m";
    repo = "trainbot";
-    rev = "82444a14cba5f611c620f752e79d8bf5e3c5b416";
-    sha256 = "sha256-4f5TtTxsJyfT/N9wElnAYxUTuPmx90zQN9afA0UylCU=";
+    rev = "3a03711c99ff157a793dddc20a59116eb7cd1664";
+    sha256 = "sha256-JdilVe/jysTVBg2Q/IrLIzODVz+PG+1HGo+5AF+X6D4=";
  };

  checkInputs = [ ffmpeg ];
  doCheck = false;

-  vendorHash = "sha256-DphXCfPW4w0aGI1e3aKQ9pDAMJ8wioPCDqRUR5gJ+Q4=";
+  vendorHash = "sha256-IsYUvVmZdlwEaOoD76m9KABsldBado9yQiOa8Q8Pkp0=";
 }
--- a/packages.nix
+++ b/packages.nix
@ -121,8 +121,7 @@ lib.attrsets.mapAttrs
          nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths}

          # use nixos-rebuild from target config
-          nixosRebuild=$(nix build ${self}#nixosConfigurations.${name}.config.system.build.nixos-rebuild ${overrideInputsArgs} --no-link --json | ${pkgs.jq}/bin/jq -r '.[0].outputs.out')
-          nix copy --no-check-sigs --to ssh-ng://${target} $nixosRebuild
+          nixosRebuild=$(ssh ${target} nix build ${self}#nixosConfigurations.${name}.config.system.build.nixos-rebuild ${overrideInputsArgs} --no-link --json | ${pkgs.jq}/bin/jq -r '.[0].outputs.out')
          ssh ${target} $nixosRebuild/bin/nixos-rebuild ${rebuildArg} "$@"
        '';

--- a/ssh-public-keys.nix
+++ b/ssh-public-keys.nix
@ -23,28 +23,30 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhcrBEpbCOM4KTVqjvuEOAcKOPScQ7U4TsNJzzrQW/k laalsaas"
  ];
  marenz = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDixJ6x0QnSk/ebIJ9zlsRM5olZbqrxDaIt0QQmZOuAbbz441SVW+/0/7ks80GMIMxzUy5YpNvrkY+6q/dZVvNybZLm/csdoFB2soOI/F1NUOppM+r2f33db/5ae3iaun/xBOW/D5lQTbm6IfrYjN9z3gW6tTYFPauZyctizZz5P1egwtCrAnMti8aBE3G+lGXVIVbjsjYruqgSN86WM0YM9HH9XB8Kd/TDCI/j9prXFkoj9EuzOQtIDNRA4Asmi08ZmoVKqadbuZAXoYEngPe2nigiiBoV/5fyyWIJSliWPZ8YDXk8X6pRJaOgZyc6mmot0/BLJo+DkhoUDA7wp3wr cardno:000609614306"
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6edpEvI6/0IBBolm3fX67U7UhA42hBVXPcN2hrTe9DiaRTMC1EnsgHSLYAuV1Ltu9gkDxHZ4aTpa69La7C7I0WPAhzXWAE1BNl2/93CETAcZoum2IYl9CZNGFG5D2Uxd8lnyZH9WtgN5WYLaKm/xFSVclYwbnYtTjI2T9mYmrrDf4bwvvjg6p6KBQUgaotwC+qyADGTJjfSiIsYU8cJhA4XROudmiKa6LAlw0VrkgQoITRYoWvmrdHMgzeCJa5UvKGxyGRqGcPB7wVFQpv2uxJVtCjb5Uhk8ZHzbc/rANBXwCgMr9tmyKDsO9imtcucQXZT7O06mkD5OYCVSdtVsx cardno:000610670724"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDixJ6x0QnSk/ebIJ9zlsRM5olZbqrxDaIt0QQmZOuAbbz441SVW+/0/7ks80GMIMxzUy5YpNvrkY+6q/dZVvNybZLm/csdoFB2soOI/F1NUOppM+r2f33db/5ae3iaun/xBOW/D5lQTbm6IfrYjN9z3gW6tTYFPauZyctizZz5P1egwtCrAnMti8aBE3G+lGXVIVbjsjYruqgSN86WM0YM9HH9XB8Kd/TDCI/j9prXFkoj9EuzOQtIDNRA4Asmi08ZmoVKqadbuZAXoYEngPe2nigiiBoV/5fyyWIJSliWPZ8YDXk8X6pRJaOgZyc6mmot0/BLJo+DkhoUDA7wp3wr cardno:000609614306 - marenz"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6edpEvI6/0IBBolm3fX67U7UhA42hBVXPcN2hrTe9DiaRTMC1EnsgHSLYAuV1Ltu9gkDxHZ4aTpa69La7C7I0WPAhzXWAE1BNl2/93CETAcZoum2IYl9CZNGFG5D2Uxd8lnyZH9WtgN5WYLaKm/xFSVclYwbnYtTjI2T9mYmrrDf4bwvvjg6p6KBQUgaotwC+qyADGTJjfSiIsYU8cJhA4XROudmiKa6LAlw0VrkgQoITRYoWvmrdHMgzeCJa5UvKGxyGRqGcPB7wVFQpv2uxJVtCjb5Uhk8ZHzbc/rANBXwCgMr9tmyKDsO9imtcucQXZT7O06mkD5OYCVSdtVsx cardno:000610670724 - marenz"
  ];
  nek0 = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpLQaRn6wzdyU5f1MZKYgL3A9t0H/ELyZHEMK0e2I+k nek0@madness"
  ];
  oxa = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCou/7YU2kbeWbZv/F3kjWJLyLeZ5SGGMNr03rWjqZcliJCqEZGO4gz7jdizg/h+j7YWTV3Gn+03LY+tlfhuI7Okxe1YLphuPb4qb38QUprpdg9QTdREGUUpKeaXUOXASoC5EHAkx5GYcQ9uZAx70ZHdggwNvQOVcOfbSIv+MPTaEq4MTwf/Y5MhFvCUrQecTvaoukAPS3PEOWptz5hDDH7jjiJmDwHeICMhHK9YvesFjIsc/iQHScCDWBg+WbQAeLYSbJkmnzFz/7jbdF34Wmz/7FlUiOqqzkZ5Ykr78ae4NgbSz09QjkZ/W0wVIH+UAVHn3OQ+7aRukkve9w48lEb1XJvMo3Y1sGRY6AUOHw0B4xa9ZgXQiuAH4ExjaDSArNkUWjQrKkUvyl30j7t6HRA2Y+W5BzodYKO/JBGqaGneTvlXV2e7lFP2kmnf17dnkJmwTi2p0CQJrpsnifuj5gNDA/qZkXPK5DOPe+asW2Vc2panSbXosZG9Gk20JeahZ54gVn2UvRVk41GhQdCAuVWeuXF9+rtSyjtx2NSrQLIyi/59n6STL/hS1135wrEifP+xTCoI+8yxTB8BSd5JSQ9GeUGkevZp9asmwKOA/WkTzsESECbCrbgOstTCSsKPfQITLu45zIrLHn9cLjrwby06mNhp2B28GlAmvcDBC95NQ== mail@oxapentane.com"
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP6xE2ey0C8XXfvniiiHiqXsCC277jKI9RXEA+s2LQLUI5zl7v350i3Oa8H3NCcPj39lfMreqE6ncxcOhqYyzahPrrMkOqgbPAoRvq8H3ophLK+56O3xdHoKwLBwRD1yoGACjqG4UTiTrmnN2ateENgYcnTEY1e4vDw1qMj1drUXCsZ/6mkBBmHJiFfCaR4yCMt1r4gGi/dAC7ifnBP3oSyV/lJEwPxYYkGlbOBIvX/7Ar98pJS6xYPB3jHs9gwyNNON63d0fNYrwBojXPPCnGGaRZNOkBTzex3zZYp12ThINQ2xl8tRp9D8qpZ7vrLjhTD6AXkOBRzmDj+NsCeEaeTuWajqUM93iKncYUI+JxR1t7q8gA2pBMFzLesMXnx7R+5Kw7QDtSJM7a4GMIfsocPwf64BH6rzxEz68rXFE3P+J77PPM9CuaYw90JXHo3z220zYw2nMQ/1qjATVZw/hiVrLmQMVfmFJIufnGjTBs2sy3IoNyzvYm/oDeNNg1cdSV9gyyRKZhK08fxjXN5GSf9vZkfZa9tHtqaZ99HI40GQBHUVx1K2/NQJY8TVTSA+v16SFnJK8BIbmp/WFCuvDcMkgLIbqiYtDASe7P2mKIib86uOENT+P820egeLiTQ06kFw/gfUa8t69d5qEcjiQZ+lxCeYIs/E9KrEXHvRUWew== cardno:16 811 339"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP6xE2ey0C8XXfvniiiHiqXsCC277jKI9RXEA+s2LQLUI5zl7v350i3Oa8H3NCcPj39lfMreqE6ncxcOhqYyzahPrrMkOqgbPAoRvq8H3ophLK+56O3xdHoKwLBwRD1yoGACjqG4UTiTrmnN2ateENgYcnTEY1e4vDw1qMj1drUXCsZ/6mkBBmHJiFfCaR4yCMt1r4gGi/dAC7ifnBP3oSyV/lJEwPxYYkGlbOBIvX/7Ar98pJS6xYPB3jHs9gwyNNON63d0fNYrwBojXPPCnGGaRZNOkBTzex3zZYp12ThINQ2xl8tRp9D8qpZ7vrLjhTD6AXkOBRzmDj+NsCeEaeTuWajqUM93iKncYUI+JxR1t7q8gA2pBMFzLesMXnx7R+5Kw7QDtSJM7a4GMIfsocPwf64BH6rzxEz68rXFE3P+J77PPM9CuaYw90JXHo3z220zYw2nMQ/1qjATVZw/hiVrLmQMVfmFJIufnGjTBs2sy3IoNyzvYm/oDeNNg1cdSV9gyyRKZhK08fxjXN5GSf9vZkfZa9tHtqaZ99HI40GQBHUVx1K2/NQJY8TVTSA+v16SFnJK8BIbmp/WFCuvDcMkgLIbqiYtDASe7P2mKIib86uOENT+P820egeLiTQ06kFw/gfUa8t69d5qEcjiQZ+lxCeYIs/E9KrEXHvRUWew== cardno:16 811 339 - oxapentane"
  ];
  poelzi = [
    # TODO: use a RSA4096 or ed25519 key
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org"
  ];
  polygon = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGEKrCGXyHqD0jdTYVHnnScL9mhDU2PR9VyH7fu528J jan@nixbrett"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGEKrCGXyHqD0jdTYVHnnScL9mhDU2PR9VyH7fu528J jan@nixbrett - polygon"
  ];
  revol-xut = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6NLB8EHnUgl2GO2uaojdf3p3YpsHH6px6CZleif8klhLN+ro5KeFK2OXC2SO3Vo4qgF/NySdsoInV9JEsssELZ2ttVbeKxI6f76V5dZgGI7qoSf4E0TXIgpS9n9K2AEmRKr65uC2jgkSJuo/T1mF+4/Nzyo706FT/GGVoiBktgq9umbYX0vIQkTMFAcw921NwFCWFQcMYRruaH01tLu6HIAdJ9FVG8MAt84hCr4D4PobD6b029bHXTzcixsguRtl+q4fQAl3WK3HAxT+txN91CDoP2eENo3gbmdTBprD2RcB/hz5iI6IaY3p1+8fTX2ehvI3loRA8Qjr/xzkzMUlpA/8NLKbJD4YxNGgFbauEmEnlC8Evq2vMrxdDr2SjnBAUwzZ63Nq+pUoBNYG/c+h+eO/s7bjnJVe0m2/2ZqPj1jWQp4hGoNzzU1cQmy6TdEWJcg2c8ints5068HN3o0gQKkp1EseNrdB8SuG+me/c/uIOX8dPASgo3Yjv9IGLhhx8GOGQxHEQN9QFC4QyZt/rrAyGmlX342PBNYmmStgVWHiYCcMVUWGlsG0XvG6bvGgmMeHNVsDf6WdMQuLj9luvxJzrd4FlKX6O0X/sIaqMVSkhIbD2+vvKNqrii7JdUTntUPs89L5h9DoDqQWkL13Plg1iQt4/VYeKTbUhYYz1lw== revo-xut@plank"
  ];
  sandro = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFidD6Snqgd8J7avxHvdDd81rdi0zNZWSilBe3eaTIlv sandro@magnesium"
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAUDvmdH7DwqMXLg/fAXtwme44P5L6ye9dFcVIdL+wk5AAAABHNzaDo= sandro@geode"
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDZVEPkbVT3+g5PEngQ4HSmXWBppmoAYuDIrZrPYMeXrAAAABHNzaDo= sandro@prism"
  ];
  tboston = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIINkmizml/XsSRzp3mNIumb3ZEPQoZhi/TtDU7rOUiKA tboston"
@ -58,8 +60,4 @@
  wolf = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJa4Xl4izrsirkBPxRruPSyByWj31Tya1h+jDQ94ZuU3 vv01f@debitch"
  ];
-  leon = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPZoT83l0ogbJpviBs4VmO+NdF4NPtYAnyf8RRSoXsv leon@leon"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANupx+diz5N8sGZOc7ZXopyPh9HaML8M7Qh70aVVIaJ leon@leons-Air"
-  ];
 }