revert toaster

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &cirrus age1qm70jkg7us4ft4x3nh7kwxlul022kteescjj83ywvjhysj6nsq5sw7l6p8
   - &dishwasher age18t2dc53m7a53996fwcmuanwjtxxvvgkntpmdvd3q42pnkch6rajqnm4up8
   - &nextcloud age1ds7zgenz9a664jqx5308m6q5mgtavzmelg239xsj8mdh64pmqa9qtkffmk
+  - &toaster age1qyj95tsntreefqeetawqy5pf26456s9c0v3tzz8yzs706c0jsg6qv56jzk
   - &music age1aj7mgq8jxv0n5rnpqtgu4l56ymqyq86qacn3jp7ve2emk0eheuaqgm4rtt
   - &news age1dwem3slsm04jpmje2ru5n7fujkmz2kvhdat5htx2xnc2yqtyefeqchwx7f
 creation_rules:
@@ -24,6 +25,12 @@ creation_rules:
         - *admin_oxa
         age:
         - *nextcloud
+  - path_regex: secrets/toaster/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *admin_oxa
+        age:
+        - *toaster
   - path_regex: secrets/music/[^/]+\.yaml$
     key_groups:
       - pgp:

flake.nix

@@ -32,7 +32,22 @@
     , ...
     }:
 
+    flake-utils.lib.eachDefaultSystem
+      (system:
+      let
+        pkgs = nixpkgs.legacyPackages.${system};
+      in
       {
+        packages.slick = pkgs.callPackage "${self}/pkgs/slick.nix" { };
+        # packages.imhex = pkgs.libsForQt5.callPackage "${self}/pkgs/imhex.nix" { };
+      })
+    //
+    {
+      overlays.default = _final: prev: {
+        inherit (self.packages.${prev.system})
+          slick;
+      };
+
       nixosConfigurations = {
         cirrus = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";

hosts/toaster/amd-new-pstate.nix

@@ -0,0 +1,5 @@
+{ ... }:
+{
+  # use new amd pstate driver
+  boot.kernelParams = [ "amd_pstate=active" ];
+}

hosts/toaster/amd.nix

@@ -0,0 +1,16 @@
+{ pkgs, config, ... }: {
+  boot.initrd.kernelModules = [ "amdgpu" ];
+
+  hardware.opengl = {
+    driSupport = true;
+    driSupport32Bit = true;
+    extraPackages = with pkgs; [
+      rocm-opencl-icd
+      rocm-opencl-runtime
+      amdvlk
+    ];
+    extraPackages32 = with pkgs; [
+      driversi686Linux.amdvlk
+    ];
+  };
+}

hosts/toaster/default.nix

@@ -0,0 +1,63 @@
+{ pkgs, ... }: {
+  imports = [
+    ./amd.nix
+    ./amd-new-pstate.nix
+    ./hardware-configuration.nix
+    ./irc.nix
+    ./stateful-network.nix
+    ./secrets.nix
+    ./secure-boot.nix
+    ./zfs.nix
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  hardware.enableAllFirmware = true;
+
+  # update the firmware
+  services.fwupd.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+
+  # Select internationalisation properties.
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    supportedLocales = [ "all" ];
+  };
+
+  users.users.grue = {
+    extraGroups = [
+      "wheel"
+      "video"
+      "plugdev"
+      "dialout"
+      "bluetooth"
+      "libvirtd"
+    ];
+    group = "users";
+    home = "/home/grue";
+    isNormalUser = true;
+    uid = 1000;
+  };
+
+  programs.steam.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    factorio
+  ];
+
+  services.emacs.defaultEditor = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}

hosts/toaster/hardware-configuration.nix

@@ -0,0 +1,94 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "toasterpool/nixos/root";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/nix" =
+    {
+      device = "toasterpool/nixos/nix";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/var" =
+    {
+      device = "toasterpool/userdata/var";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/var/lib" =
+    {
+      device = "toasterpool/userdata/var/lib";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/var/log" =
+    {
+      device = "toasterpool/userdata/var/log";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/home" =
+    {
+      device = "toasterpool/userdata/home";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/home/grue" =
+    {
+      device = "toasterpool/userdata/home/grue";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/7663-6239";
+      fsType = "vfat";
+      options = [ "X-mount.mkdir" ];
+    };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-id/nvme-eui.ace42e002621ff2b2ee4ac0000000001-part2";
+      randomEncryption = true;
+    }
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+
+  networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
+  #networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+  networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  # services.fprintd.enable = true;
+}

hosts/toaster/irc.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }: {
+  environment.systemPackages = [ pkgs.senpai ];
+
+  sops.secrets = {
+    "irc/senpai" = {
+      owner = config.users.users.grue.name;
+    };
+  };
+}

hosts/toaster/network-vpns.nix

@@ -0,0 +1,210 @@
+{ config, ... }: {
+
+  systemd.network = {
+    # Wireguard
+    # Dump-dvb
+    netdevs."30-wg-dumpdvb" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg-dumpdvb";
+        Description = "dvb.solutions enterprise network";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = config.sops.secrets."wg/dvb".path;
+      };
+      wireguardPeers = [
+        {
+          wireguardPeerConfig = {
+            PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
+            Endpoint = "academicstrokes.com:51820";
+            AllowedIPs = [ "10.13.37.0/24" ];
+            PersistentKeepalive = 25;
+          };
+        }
+      ];
+    };
+    networks."30-wg-dumpdvb" = {
+      matchConfig.Name = "wg-dumpdvb";
+      networkConfig = {
+        Address = "10.13.37.3/24";
+        IPv6AcceptRA = true;
+      };
+      routes = [
+        { routeConfig = { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }; }
+      ];
+    };
+
+    # oxalab
+    netdevs."10-wg-oxalab" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg-oxalab";
+        Description = "lab of oxa";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = config.sops.secrets."wg/oxalab".path;
+      };
+      wireguardPeers = [
+        {
+          wireguardPeerConfig = {
+            PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
+            Endpoint = "95.216.166.21:51820";
+            AllowedIPs = [ "10.66.66.0/24" ];
+            PersistentKeepalive = 25;
+          };
+        }
+      ];
+    };
+    networks."10-wg-oxalab" = {
+      matchConfig.Name = "wg-oxalab";
+      networkConfig = {
+        Address = "10.66.66.10/24";
+        IPv6AcceptRA = true;
+      };
+      routes = [
+        { routeConfig = { Gateway = "10.66.66.1"; Destination = "10.66.66.1/24"; }; }
+      ];
+    };
+
+
+    # zentralwerk
+    netdevs."10-wg-zentralwerk" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg-zentralwerk";
+        Description = "Tunnel to the best basement in Dresden";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = config.sops.secrets."wg/zw".path;
+        RouteTable = "off";
+      };
+      wireguardPeers = [
+        {
+          wireguardPeerConfig = {
+            PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
+            Endpoint = "81.201.149.152:1337";
+            AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
+            PersistentKeepalive = 25;
+          };
+        }
+      ];
+    };
+    networks."10-wg-zentralwerk" = {
+      matchConfig.Name = "wg-zentralwerk";
+      networkConfig = {
+        Address = "172.20.76.226/21";
+        IPv6AcceptRA = true;
+        DNS = "172.20.73.8";
+        Domains = [
+          "~hq.c3d2.de"
+          "~serv.zentralwerk.org"
+          "~hq.zentralwerk.org"
+          "~cluster.zentralwerk.org"
+        ];
+      };
+      routes = [
+        {
+          routeConfig = {
+            Gateway = "172.20.76.225";
+            Destination = "172.20.72.0/21";
+            Metric = 1023;
+          };
+        }
+        {
+          routeConfig = {
+            Gateway = "172.20.76.225";
+            Destination = "172.20.90.0/24";
+            Metric = 1023;
+          };
+        }
+        {
+          routeConfig = {
+            Gateway = "172.20.76.225";
+            Destination = "172.22.99.0/24";
+            Metric = 1023;
+          };
+        }
+
+      ];
+    };
+
+    # VPN
+    netdevs."10-wg-mullvad" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg-mullvad";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = config.sops.secrets."wg/mullvad".path;
+        FirewallMark = 34952; # 0x8888
+        RouteTable = "off";
+      };
+      wireguardPeers = [
+        {
+          wireguardPeerConfig = {
+            PublicKey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
+            Endpoint = "169.150.196.15:51820";
+            AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
+          };
+        }
+      ];
+    };
+    networks."10-wg-mullvad" = {
+      matchConfig.Name = "wg-mullvad";
+      address = [ "10.66.157.228/32" "fc00:bbbb:bbbb:bb01::3:9de3/128" ];
+      networkConfig = {
+        DNS = "10.64.0.1";
+        DNSDefaultRoute = true;
+        Domains = [ "~." ];
+      };
+      routes = map
+        (gate: {
+          routeConfig = {
+            Gateway = gate;
+            Table = 1000;
+          };
+        }) [
+        "0.0.0.0"
+        "::"
+      ];
+
+      routingPolicyRules = [
+        {
+          routingPolicyRuleConfig = {
+            Family = "both";
+            FirewallMark = 34952; # 0x8888
+            InvertRule = true;
+            Table = "1000";
+            Priority = 100;
+          };
+        }
+        {
+          routingPolicyRuleConfig = {
+            Family = "both";
+            SuppressPrefixLength = 0;
+            Table = "main";
+            Priority = 90;
+          };
+        }
+      ] ++ map
+        (net: {
+          # only route global addresses over VPN
+          routingPolicyRuleConfig = {
+            Priority = 80;
+            To = net;
+          };
+        }) [
+        # Mullvad endpoint
+        "169.150.196.15/32"
+        # "10.0.0.0/8"
+        "10.13.37.0/24"
+        "10.66.66.0/24"
+        # "172.16.0.0/12"
+        "172.16.0.0/12"
+        # "182.168.0.0/16"
+        "182.168.0.0/16"
+        # "fc00::/7"
+      ];
+    };
+  };
+}

hosts/toaster/network.nix

@@ -0,0 +1,57 @@
+{ config, pkgs, ... }: {
+  environment.systemPackages = with pkgs; [ iwgtk ];
+
+  networking = {
+    hostName = "toaster";
+    firewall.enable = true;
+    networkmanager.enable = false;
+    useNetworkd = true;
+    wireguard.enable = true;
+    wireless.iwd.enable = true;
+  };
+
+  services.resolved = {
+    enable = true;
+    dnssec = "allow-downgrade";
+    fallbackDns = [
+      "9.9.9.9"
+      "2620:fe::fe"
+      "149.112.112.112"
+      "2620:fe::9"
+    ];
+  };
+
+  # workaround for networkd waiting for shit
+  systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
+    "" # clear old command
+    "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
+  ];
+
+  systemd.network = {
+    enable = true;
+
+    networks."10-ether" = {
+      matchConfig.MACAddress = "e8:80:88:2f:c6:70";
+      networkConfig = {
+        DHCP = "yes";
+        IPv6AcceptRA = true;
+      };
+    };
+    networks."10-dock" = {
+      matchConfig.Name = "enp5s0f4u1u1";
+      networkConfig = {
+        DHCP = "yes";
+        IPv6AcceptRA = true;
+      };
+      dhcpV4Config = { RouteMetric = 666; };
+    };
+    networks."10-wlan" = {
+      # matchConfig.MACAddress = "04:7b:cb:2a:aa:8c";
+      matchConfig.Name = "wlan0";
+      networkConfig = {
+        DHCP = "yes";
+        IPv6AcceptRA = true;
+      };
+    };
+  };
+}

hosts/toaster/secrets.nix

@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+  sops.defaultSopsFile = ../../secrets/toaster/secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/zw" = {
+      owner = config.users.users.systemd-network.name;
+    };
+    "wg/dvb" = {
+      owner = config.users.users.systemd-network.name;
+    };
+    "wg/mullvad" = {
+      owner = config.users.users.systemd-network.name;
+    };
+    "wg/oxalab" = {
+      owner = config.users.users.systemd-network.name;
+    };
+  };
+}

hosts/toaster/secure-boot.nix

@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }: {
+  boot = {
+    bootspec.enable = true;
+    loader.systemd-boot.enable = lib.mkForce false;
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/etc/secureboot";
+    };
+  };
+
+  environment.systemPackages = [ pkgs.sbctl ];
+}

hosts/toaster/stateful-network.nix

@@ -0,0 +1,39 @@
+{ pkgs, ... }: {
+  users.users.grue.extraGroups = [ "networkmanager" ];
+
+  networking = {
+    hostName = "toaster";
+    firewall.enable = true;
+    wireguard.enable = true;
+  };
+
+  services.resolved = {
+    enable = true;
+    dnssec = "allow-downgrade";
+    fallbackDns = [
+      "9.9.9.9"
+      "2620:fe::fe"
+      "149.112.112.112"
+      "2620:fe::9"
+    ];
+  };
+
+  # fixup the rpfilter fucking up the networkmanager wireguard
+  networking.firewall = {
+    # if packets are still dropped, they will show up in dmesg
+    logReversePathDrops = true;
+    # wireguard trips rpfilter up
+    extraCommands = ''
+      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN
+      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN
+    '';
+    extraStopCommands = ''
+      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN || true
+      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN || true
+    '';
+  };
+}

hosts/toaster/zfs.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }: {
+  services.fstrim.enable = true;
+  services.zfs = {
+    autoSnapshot.enable = true;
+    trim.enable = true;
+    autoScrub = {
+      enable = true;
+      pools = [ "toasterpool" ];
+    };
+  };
+  networking.hostId = "dca22577";
+  boot = {
+    kernelPackages = pkgs.zfs.latestCompatibleLinuxPackages;
+    supportedFilesystems = [ "zfs" ];
+    kernelParams = [ "nohibernate" ];
+    plymouth.enable = false;
+    tmp.useTmpfs = true;
+  };
+}

modules/chromium.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    chromium
+  ];
+
+  nixpkgs.config.chromium.commandLineArgs = "--enable-features=UseOzonePlatform --ozone-platform=wayland  --force-dark-mode --ignore-gpu-blocklist --enable-gpu-rasterization --enable-zero-copy --enable-native-gpu-memory-buffers --enable-features=VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,WebUIDarkMode";
+
+  programs.chromium = {
+    enable = true;
+    extensions = [
+      "pkehgijcmpdhfbdbbnkijodmdjhbjlgp" # privacy badger
+      "ekhagklcjbdpajgpjgmbionohlpdbjgc" # zotero connector
+      "nngceckbapebfimnlniiiahkandclblb" # bitwarden
+      "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
+    ];
+    extraOpts = {
+      "BrowserSignin" = 0;
+      "SyncDisabled" = true;
+      "PasswordManagerEnabled" = false;
+      "TranslateEnabled" = false;
+      "AutofillAddressEnabled" = false;
+      "AutofillCreditCardEnabled" = false;
+      "AutoplayAllowed" = false;
+      "DefaultNotificationSetting" = 2;
+      "BackgroundModeEnabled" = false;
+      # "DefaultSearchProviderEnabled" = true;
+      # "DefaultSearchProviderSearchURL" = "https://google.com/search?q={searchTerms}";
+      # "DefaultSearchProviderSearchURL" = "https://duckduckgo.com/?q={searchTerms}";
+      "SearchSuggestEnable" = false;
+    };
+  };
+}

modules/desktop-software.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    blender
+    dino
+    ffmpeg-full
+    firefox-wayland
+    fluffychat
+    gimp
+    inkscape
+    kicad
+    signal-desktop
+    tdesktop
+    tor-browser-bundle-bin
+    wl-clipboard
+    yt-dlp
+    libreoffice
+  ];
+}

modules/dvb-dump-nfs-automount.nix

@@ -0,0 +1,26 @@
+{ pkgs, lib, ... }:
+{
+
+  environment.systemPackages = with pkgs; [ nfs-utils ];
+  services.rpcbind.enable = true;
+
+  systemd.mounts = [{
+    type = "nfs";
+    mountConfig = {
+      Options = "noatime";
+    };
+    what = "10.13.37.5:/";
+    where = "/mnt/dvb";
+  }];
+
+  systemd.automounts = [{
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "wg-quick-wg-dvb.service" ];
+    automountConfig = {
+      TimeoutIdleSec = "600";
+    };
+    where = "/mnt/dvb";
+  }];
+}
+
+

modules/emacs.nix

@@ -0,0 +1,29 @@
+{ pkgs, inputs, lib, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    direnv
+  ];
+
+  nixpkgs.overlays = [
+    inputs.emacs-overlay.overlay
+  ];
+
+  services.emacs = {
+    install = true;
+    enable = false;
+    package = with pkgs; ((emacsPackagesFor (emacs-pgtk.overrideAttrs (old: {
+      passthru = old.passthru // {
+        treeSitter = true;
+      };
+    }))).emacsWithPackages (epkgs: with epkgs; [
+      # treesitter bits
+      treesit-grammars.with-all-grammars
+
+      vterm
+      pdf-tools
+    ]));
+    defaultEditor = lib.mkDefault true;
+  };
+
+}

modules/gnome.nix

@@ -0,0 +1,116 @@
+{ config, pkgs, ... }: {
+
+  imports = [
+    ./desktop-software.nix
+  ];
+  environment.systemPackages = with pkgs; [
+    amberol
+    celluloid
+    gnome-console
+    gnome-obfuscate
+    gnome.gnome-boxes
+    gnome.gnome-tweaks
+    nextcloud-client
+    qbittorrent
+    spotify
+  ];
+
+  environment.gnome.excludePackages = with pkgs; [
+    gnome.totem
+    gnome.geary
+    gnome.gnome-music
+    gnome-console
+  ];
+
+
+  services.gnome = {
+    evolution-data-server.enable = true;
+    gnome-keyring.enable = true;
+    gnome-online-accounts.enable = true;
+  };
+
+  programs = {
+    seahorse.enable = true;
+    gnupg.agent.pinentryFlavor = "gnome3";
+    evolution = {
+      enable = true;
+      plugins = [ pkgs.evolution-ews ];
+    };
+  };
+
+  qt = {
+    enable = true;
+    platformTheme = "gnome";
+    style = "adwaita-dark";
+  };
+
+  services.xserver = {
+    enable = true;
+    desktopManager.gnome.enable = true;
+    displayManager.gdm = {
+      enable = true;
+      wayland = true;
+    };
+  };
+
+  # Enable sound.
+  security.rtkit.enable = true;
+  hardware.pulseaudio = {
+    enable = false;
+    zeroconf.discovery.enable = true;
+    extraClientConf = ''
+      autospawn=yes
+    '';
+  };
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    pulse.enable = true;
+  };
+
+  programs.zsh.vteIntegration = true;
+  programs.bash.vteIntegration = true;
+
+  fonts.fonts = with pkgs; [
+    (nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
+    monoid
+    font-awesome
+    dejavu_fonts
+    julia-mono
+    uw-ttyp0
+    gohufont
+    spleen
+    terminus_font
+    creep
+    corefonts
+    dina-font
+    fira
+    fira-mono
+    hack-font
+    liberation_ttf
+    noto-fonts
+    noto-fonts-cjk
+    noto-fonts-emoji
+    noto-fonts-extra
+    proggyfonts
+    symbola
+    open-sans
+    twemoji-color-font
+    twitter-color-emoji
+    iosevka-bin
+  ];
+
+  fonts.enableDefaultFonts = true;
+  fonts.fontconfig = {
+    enable = true;
+    allowBitmaps = true;
+    useEmbeddedBitmaps = true;
+    defaultFonts.emoji = [
+      "Twitter Color Emoji"
+      "Noto Color Emoji"
+    ];
+  };
+
+  hardware.bluetooth.enable = true;
+
+}

modules/gnupg.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    gnupg
+    opensc
+
+    yubikey-personalization-gui
+  ];
+
+  # smartcard support
+  services.pcscd.enable = false;
+  hardware.gpgSmartcards.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+}

modules/hw-accel-intel.nix

@@ -0,0 +1,21 @@
+# overrides to enable [sometimes] wonky intel acceleration
+{ config, pkgs, ... }:
+
+{
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+
+  hardware.opengl = {
+    enable = true;
+    extraPackages = with pkgs; [
+      vaapiVdpau
+      vaapiIntel
+      libvdpau-va-gl
+      intel-media-driver
+    ];
+  };
+
+  boot.initrd.kernelModules = [ "i915" ];
+
+}

modules/mail/default.nix

@@ -0,0 +1,133 @@
+{ config, pkgs, ... }:
+let
+  mbsyncConf = ./mbsyncrc;
+in
+{
+  environment.systemPackages = with pkgs; [
+    isync
+    msmtp
+    neomutt
+    notmuch
+    alot
+    w3m
+    links2
+  ];
+
+  environment.shellAliases = {
+    mutt = "neomutt";
+  };
+
+  sops.secrets = {
+    "mail/oxapentane.com" = {
+      owner = config.users.users.grue.name;
+    };
+    "mail/shipunov.xyz" = {
+      owner = config.users.users.grue.name;
+    };
+    "mail/dvb.solutions" = {
+      owner = config.users.users.grue.name;
+    };
+    "mail/tlm.solutions" = {
+      owner = config.users.users.grue.name;
+    };
+  };
+
+  programs.msmtp = {
+    enable = true;
+    setSendmail = true;
+    extraConfig = ''
+      account mail@oxapentane.com
+      host smtp.migadu.com
+      port 587
+      from *@oxapentane.com
+      user mail@oxapentane.com
+      passwordeval cat ${config.sops.secrets."mail/oxapentane.com".path}
+      auth on
+      tls on
+      tls_trust_file	/etc/ssl/certs/ca-certificates.crt
+      logfile ~/.msmtp.log
+
+      account grigory@shipunov.xyz
+      host smtp.migadu.com
+      port 587
+      from *@shipunov.xyz
+      user grigory@shipunov.xyz
+      passwordeval cat ${config.sops.secrets."mail/shipunov.xyz".path}
+      auth on
+      tls on
+      tls_trust_file	/etc/ssl/certs/ca-certificates.crt
+      logfile ~/.msmtp.log
+
+      account dump@dvb.solutions
+      host smtp.migadu.com
+      port 587
+      from dump@dvb.solutions
+      user dump@dvb.solutions
+      passwordeval cat ${config.sops.secrets."mail/dvb.solutions".path}
+      auth on
+      tls on
+      tls_trust_file	/etc/ssl/certs/ca-certificates.crt
+      logfile ~/.msmtp.log
+
+      account grigory@tlm.solutions
+      host smtp.migadu.com
+      port 587
+      from grigory@tlm.solutions
+      user grigory@tlm.solutions
+      passwordeval cat ${config.sops.secrets."mail/tlm.solutions".path}
+      auth on
+      tls on
+      tls_trust_file	/etc/ssl/certs/ca-certificates.crt
+      logfile ~/.msmtp.log
+    '';
+  };
+
+
+  systemd.user = {
+
+    # Service and timer to sync imap to local maildir
+    services.mbsync = {
+      enable = true;
+      after = [ "graphical.target" "network-online.target" ];
+      script = ''
+        ${pkgs.isync}/bin/mbsync -q -a --config=${mbsyncConf}
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+      };
+    };
+
+    timers.mbsync = {
+      enable = true;
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "mbsync.service";
+        OnBootSec = "5m";
+        OnUnitInactiveSec = "11m";
+      };
+    };
+
+    # service and timer to flush the msmtp queue
+    services.flush-msmtpq = {
+      enable = true;
+      after = [ "graphical.target" "network-online.target" ];
+      script = ''
+        ${pkgs.msmtp}/bin/msmtp-queue -r
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+      };
+    };
+
+    timers.flush-msmtpq = {
+      enable = true;
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Unit = "flush-msmtpq.service";
+        OnBootSec = "11m";
+        OnUnitInactiveSec = "13m";
+      };
+    };
+
+  };
+}

modules/mail/mbsyncrc

@@ -0,0 +1,97 @@
+IMAPStore mail@oxapentane.com-remote
+Host imap.migadu.com
+Port 993
+User mail@oxapentane.com
+PassCmd "cat /run/secrets/mail/oxapentane.com"
+AuthMechs LOGIN
+SSLType IMAPS
+
+MaildirStore mail@oxapentane.com-local
+Subfolders Verbatim
+Path /home/grue/mail/mail@oxapentane.com/
+Inbox /home/grue/mail/mail@oxapentane.com/INBOX
+
+Channel mail@oxapentane.com
+Expunge Both
+Master :mail@oxapentane.com-remote:
+Slave :mail@oxapentane.com-local:
+Create Both
+SyncState *
+Patterns *
+MaxMessages 0
+ExpireUnread no
+# End profile
+
+
+IMAPStore grigory@shipunov.xyz-remote
+Host imap.migadu.com
+Port 993
+User grigory@shipunov.xyz
+PassCmd "cat /run/secrets/mail/shipunov.xyz"
+AuthMechs LOGIN
+SSLType IMAPS
+
+MaildirStore grigory@shipunov.xyz-local
+Subfolders Verbatim
+Path /home/grue/mail/grigory@shipunov.xyz/
+Inbox /home/grue/mail/grigory@shipunov.xyz/INBOX
+
+Channel grigory@shipunov.xyz
+Expunge Both
+Master :grigory@shipunov.xyz-remote:
+Slave :grigory@shipunov.xyz-local:
+Create Both
+SyncState *
+Patterns *
+MaxMessages 0
+ExpireUnread no
+# End profile
+
+
+IMAPStore dump@dvb.solutions-remote
+Host imap.migadu.com
+Port 993
+User dump@dvb.solutions
+PassCmd "cat /run/secrets/mail/dvb.solutions"
+AuthMechs LOGIN
+SSLType IMAPS
+
+MaildirStore dump@dvb.solutions-local
+Subfolders Verbatim
+Path /home/grue/mail/dump@dvb.solutions/
+Inbox /home/grue/mail/dump@dvb.solutions/INBOX
+
+Channel dump@dvb.solutions
+Expunge Both
+Master :dump@dvb.solutions-remote:
+Slave :dump@dvb.solutions-local:
+Create Both
+SyncState *
+Patterns *
+MaxMessages 0
+ExpireUnread no
+# End profile
+
+IMAPStore grigory@tlm.solutions-remote
+Host imap.migadu.com
+Port 993
+User grigory@tlm.solutions
+PassCmd "cat /run/secrets/mail/tlm.solutions"
+AuthMechs LOGIN
+SSLType IMAPS
+
+MaildirStore grigory@tlm.solutions-local
+Subfolders Verbatim
+Path /home/grue/mail/grigory@tlm.solutions/
+Inbox /home/grue/mail/grigory@tlm.solutions/INBOX
+
+Channel grigory@tlm.solutions
+Expunge Both
+Master :grigory@tlm.solutions-remote:
+Slave :grigory@tlm.solutions-local:
+Create Both
+SyncState *
+Patterns *
+MaxMessages 0
+ExpireUnread no
+# End profile

modules/radio.nix

@@ -0,0 +1,39 @@
+{ lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    gnuradio
+    gqrx
+    cubicsdr
+    sdrangel
+    multimon-ng
+    sox
+
+    libusb1
+    rtl-sdr
+    hackrf
+    soapyhackrf
+
+    sigdigger
+    suscan
+    sigutils
+  ];
+
+  hardware = {
+    rtl-sdr.enable = true;
+    hackrf.enable = true;
+  };
+
+  services.udev.extraRules = ''
+    # MCH2022 Badge
+    SUBSYSTEM=="usb", ATTR{idVendor}=="16d0", ATTR{idProduct}=="0f9a", MODE="0666"
+
+    #Flipper Zero serial port
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="5740", ATTRS{manufacturer}=="Flipper Devices Inc.", TAG+="uaccess"
+    #Flipper Zero DFU
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", ATTRS{manufacturer}=="STMicroelectronics", TAG+="uaccess"
+    #Flipper ESP32s2 BlackMagic
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="303a", ATTRS{idProduct}=="40??", ATTRS{manufacturer}=="Flipper Devices Inc.", TAG+="uaccess"
+  '';
+
+}

modules/science.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    (rWrapper.override {
+      packages = with rPackages; [
+        ggplot2
+        swirl
+        dplyr
+        data_table
+      ];
+    })
+    gnuplot
+    zotero
+    python3Full
+    paraview
+  ];
+}

modules/sway.nix

@@ -0,0 +1,166 @@
+# General Desktop-related config
+{ pkgs, ... }:
+{
+  imports = [
+    ./desktop-software.nix
+  ];
+  environment.systemPackages = with pkgs; [
+    screen-message
+    qbittorrent
+    gajim
+    imv
+    swayimg
+    mpv
+    evince
+    brightnessctl
+    pulsemixer
+    cmus
+    termusic
+    gsettings-desktop-schemas
+    xdg-utils
+    nextcloud-client
+    foot
+    qt5.qtwayland
+    bashmount
+    gnome.nautilus
+    audacity
+  ];
+
+  #on the desktop, we need nice fonts ^^
+  fonts.fonts = with pkgs; [
+    monoid
+    font-awesome
+    dejavu_fonts
+    julia-mono
+    uw-ttyp0
+    gohufont
+    spleen
+    terminus_font
+    creep
+    corefonts
+    dina-font
+    fira
+    fira-mono
+    hack-font
+    liberation_ttf
+    noto-fonts
+    noto-fonts-cjk
+    noto-fonts-emoji
+    noto-fonts-extra
+    proggyfonts
+    symbola
+    open-sans
+    twemoji-color-font
+    twitter-color-emoji
+    iosevka
+  ];
+
+  fonts.enableDefaultFonts = true;
+  fonts.fontconfig = {
+    enable = true;
+    allowBitmaps = true;
+    useEmbeddedBitmaps = true;
+    defaultFonts.emoji = [
+      "Noto Color Emoji"
+      "Twitter Color Emoji"
+    ];
+  };
+
+  # Enable sound.
+  security.rtkit.enable = true;
+
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+  };
+
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    pulse.enable = true;
+  };
+  hardware.pulseaudio.zeroconf.discovery.enable = true;
+
+  hardware.bluetooth = {
+    enable = true;
+    package = pkgs.bluez;
+  };
+
+  programs.zsh.vteIntegration = true;
+  programs.bash.vteIntegration = true;
+  services.upower.enable = true;
+
+  services.acpid.enable = true;
+  programs.light.enable = true;
+
+  services.blueman.enable = true;
+
+  programs.xwayland.enable = true;
+  programs.sway = {
+    enable = true;
+    wrapperFeatures.gtk = true;
+    extraSessionCommands = ''
+      export SDL_VIDEODRIVER=wayland
+      export QT_QPA_PLATFORM=wayland-egl
+      export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+      export QT_QPA_PLATFORMTHEME="gnome"
+      export QT_STYLE_OVERRIDE="adwaita-dark"
+    '';
+    extraPackages = with pkgs; [
+      alacritty
+      pamixer
+      swaylock
+      graphicsmagick
+      swayidle
+      wl-clipboard
+      mako
+      foot
+      rofi-wayland
+      grim
+      slurp
+      gnome.adwaita-icon-theme
+      i3status-rust
+      kanshi
+      wl-mirror
+      gammastep
+    ];
+  };
+  environment.sessionVariables = { GTK_THEME = "Adwaita:dark"; };
+  xdg.portal = {
+    enable = true;
+    wlr.enable = true;
+    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+  };
+
+  services.udisks2.enable = true;
+  environment.shellAliases = {
+    # mounting shit
+    mnt = "udisksctl mount -b";
+    umnt = "udisksctl unmount -b";
+    unlock = "udisksctl unlock -b";
+    lock = "udisksctl lock -b";
+    # easier navigation
+    pwc = "pwd|wl-copy";
+    cdp = "cd $(wl-paste)";
+  };
+
+  qt = {
+    enable = true;
+    platformTheme = "gnome";
+    style = "adwaita-dark";
+  };
+
+  services.gnome.gnome-keyring.enable = true;
+  security.pam.services.greetd.enableGnomeKeyring = true;
+
+  services.greetd = {
+    enable = true;
+    settings = {
+      default_session = {
+        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --greeting \"$(${pkgs.fortune}/bin/fortune -s)\" --cmd ${pkgs.sway}/bin/sway";
+      };
+    };
+  };
+
+  programs.gnupg.agent.pinentryFlavor = "curses";
+}

modules/tlp.nix

@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+
+{
+  powerManagement.cpuFreqGovernor = null;
+  services.power-profiles-daemon.enable = false;
+  services.tlp = {
+    enable = true;
+    settings = {
+      USB_BLACKLIST = "1d50:604b 1d50:6089 1d50:cc15 1fc9:000c";
+      CPU_SCALING_GOVERNOR_ON_AC = "performance";
+      CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+    };
+  };
+}

modules/vscode.nix

@@ -0,0 +1,22 @@
+{ pkgs, ... }: {
+environment.systemPackages = with pkgs; [
+  (vscode-with-extensions.override {
+    vscodeExtensions = with vscode-extensions; [
+      bbenoist.nix
+      ms-python.python
+      ms-vscode-remote.remote-ssh
+      rust-lang.rust-analyzer
+      vscodevim.vim
+      james-yu.latex-workshop
+      ms-toolsai.jupyter
+    ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
+      {
+        name = "remote-ssh-edit";
+        publisher = "ms-vscode-remote";
+        version = "0.86.0";
+        sha256 = "sha256-JsbaoIekUo2nKCu+fNbGlh5d1Tt/QJGUuXUGP04TsDI=";
+      }
+    ];
+  })
+];
+}

pkgs/imhex.nix

@@ -0,0 +1,75 @@
+{ gcc12Stdenv
+, lib
+, cmake
+, ccache
+, glfw
+, glm
+, magic-vlsi
+, mbedtls
+, freetype
+, dbus
+, capstone
+, openssl
+, pkg-config
+, lld
+, libGL
+, wrapQtAppsHook
+, fetchFromGitHub
+}:
+gcc12Stdenv.mkDerivation rec {
+  pname = "imhex";
+  version = "1.26.2";
+
+  src = fetchFromGitHub {
+    owner = "WerWolv";
+    repo = "ImHex";
+    rev = "v${version}";
+    fetchSubmodules = true;
+    sha256 = "sha256-H2bnRByCUAltngmVWgPW4vW8k5AWecOAzwtBKsjbpTw=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    lld
+  ];
+
+  cmakeFlags = [
+    "-DCMAKE_BUILD_TYPE=Release"
+    # "-DCMAKE_INSTALL_PREFIX="/usr""
+    "-DCMAKE_C_COMPILER_LAUNCHER=ccache"
+    "-DCMAKE_CXX_COMPILER_LAUNCHER=ccache"
+    "-DCMAKE_C_FLAGS=-fuse-ld=lld"
+    "-DCMAKE_CXX_FLAGS=-fuse-ld=lld"
+    "-DCMAKE_OBJC_COMPILER_LAUNCHER=ccache"
+    "-DCMAKE_OBJCXX_COMPILER_LAUNCHER=ccache"
+
+    # looks like the cmake here tries to be "helpful"...
+    "-DFREETYPE_LIBRARY=${freetype.dev}"
+    "-DFREETYPE_INCLUDE_DIRS=${freetype.dev}"
+    "-DOPENGL_opengl_LIBRARY=${libGL.dev}"
+    "-DOPENGL_glx_LIBRARY=${libGL.dev}"
+    "-DOPENGL_INCLUDE_DIR=${libGL.dev}"
+    "-DMBEDTLS_LIBRARY=${mbedtls}"
+    "-DMBEDTLS_INCLUDE_DIRS=${mbedtls}"
+    "-DMBEDX509_LIBRARY=${mbedtls}"
+    "-DMBEDCRYPTO_LIBRARY=${mbedtls}"
+
+    "-DCMAKE_PREFIX_PATH=${glfw}"
+    "-DCMAKE_LIBRARY_PATH=${magic-vlsi}"
+    "-DCMAKE_PREFIX_PATH=${dbus.dev}"
+  ];
+
+  BuildInputs = [
+    ccache
+    glfw
+    glm
+    magic-vlsi
+    mbedtls
+    freetype
+    dbus
+    openssl
+    capstone
+    libGL
+  ];
+}

pkgs/slick.nix

@@ -0,0 +1,24 @@
+{ stdenv, lib, openssl, pkgconfig, fetchFromGitHub, rustPlatform }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "slick";
+  version = "0.10.0";
+
+  src = fetchFromGitHub {
+    owner = "nbari";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-GM9OHnySc3RVkfaK7yMf1LqpGdz3emq2H/3tSAph4jw=";
+  };
+
+  buildInputs = [ openssl pkgconfig ];
+  nativeBuildInputs = [ pkgconfig ];
+
+  cargoSha256 = "sha256-2WxFprq+AcXGXDMjMQvqKTkeWQEWM/z2Fz6qYPtSFGw=";
+
+  meta = with lib; {
+    description = "Async ZSH prompt";
+    homepage = "https://github.com/nbari/slick";
+    license = licenses.bsd3;
+  };
+}

secrets/toaster/secrets.yaml

@@ -0,0 +1,52 @@
+wg:
+    mullvad: ENC[AES256_GCM,data:9wgZKgcVGBIkNrfeurwDOCWLE6t2z7bN5KaUAeiRAcGRKO5uAkVCp0kpWZc=,iv:c1XM8GXEeAuDM47pTA5Pa6lPCI0fwau1uZdSaDcBykI=,tag:pSjmhHw7mt7hGTLpXFPsHQ==,type:str]
+    zw: ENC[AES256_GCM,data:CXrLvV+b9DUfmr+CwH8dBTHvDHtgVmiF9g+QpzFqMcc91yQDzQqT1d4AQSk=,iv:Wdj11qlGWGm2XSieFZ4csqdIyR0epzPCkeWyUUmjJbk=,tag:UO07WUwr138B5TtMGujvew==,type:str]
+    oxalab: ENC[AES256_GCM,data:YRN3fSzukqgDK3Bf5O7I8U3QmJAINCsjSseOZfzM/4xGXfGbBNeH3UmD0PI=,iv:U3kXH1HdT4OWcFZ+40a5W+jQ1hdS4UYYXxxyy+SqHEU=,tag:w65VyfylSKnM7c50BRCVgQ==,type:str]
+    dvb: ENC[AES256_GCM,data:1+IM6ORPtlIroeekaJSkOwYArh0fN6ycJNaXo680pE2Xv4DUBrIlh8q3V2A=,iv:btf3IpM4Wntkf3RYPwUdhH+4WUUqZp0zYp0aj2sdGM0=,tag:MDvS4CWYQLdp2YGs3/5Htw==,type:str]
+mail:
+    oxapentane.com: ENC[AES256_GCM,data:HW1xcclr5CiUFVF8As79ZZH1c14sl4T0l18=,iv:leAVYaQkMuJewkCZc3fTUUNzZ9BDjV5CuT84bzvhrrs=,tag:Mm8OB8gLbmUwKSLugTR6GA==,type:str]
+    shipunov.xyz: ENC[AES256_GCM,data:cg+P+FrZ2icjfhwDGKGyUH9DejSZHpNs2bcSBPyz8g==,iv:XZFaSXnGmTL9j2sEyt5Q7+pe6rr+WA/0UGq/2Gl5DTI=,tag:oq+5EuJWJKwK3h0/e6Uozw==,type:str]
+    dvb.solutions: ENC[AES256_GCM,data:GSjPIPA5TGMWfhdRzTsiHPfXFVGLVSpJvJG+I++i,iv:EBlk00wqADCuYTzuVcuX9kSn6TVBfN12UlcXyps6TtE=,tag:G7rKTngN4v2FtuhQEMdUQQ==,type:str]
+    tlm.solutions: ENC[AES256_GCM,data:ncTMh/jw+YmcmcVU/c1I36vV1CwtmtYwfyDUx9w9,iv:vPnmdvDnEJ9FF4rDkSfPnLWebleSgI/yG7qOgJfq5ic=,tag:z4w4LOGf2v0TBSxrHULBsw==,type:str]
+irc:
+    senpai: ENC[AES256_GCM,data:PvvYDSbmjeS2EUV8Jw2YVvFTBu/0fhuHFXXkkTUq,iv:e8toiG9ldrTfJc3ZrMO3qfSxmefiFgrD/o2x3EP3uis=,tag:QVdTuAEVFR6zoebJxeLyTw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1qyj95tsntreefqeetawqy5pf26456s9c0v3tzz8yzs706c0jsg6qv56jzk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVmx5T0ROT1ZPZ2JmUHhn
+            bWZ3UlZvQTR1Y0VOSXJsSy9makswR1VTSDBZCjZmOVZQdkF3b0tkWmo2aGcrOWZs
+            ZDBwRVFSK3BTdVlpWUpNVW5qWWFVZjQKLS0tIFJOdWxOSGR2SXdlWXBDTkMvUDlG
+            T3F6NXpBbEFxemVzM0lxbEdKMlVzYlEK9YPSglPYmsk3fH7qduK/FVFIWnHaQ6O1
+            ZJsgmz/5H7TPbSoy6mfyROQY+b7amJDSAAqhLazKYI22yP3Gnkmmbg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-02-09T19:44:17Z"
+    mac: ENC[AES256_GCM,data:zOB88rp+cjB+RFOrAnvdNEkKxYRKidmQOBwXI+cOwAfl/FBvGt68u08PjLEEABZvfrehLPgHQL9pnmTAuu6k49CezWCW/23F9GkswZlxji1qS40jl9XgeV7WfluWke78a9FW9MuAP2CpB5tZcAIcO6Q6Ngk1NVDBYX2R7D0fAeI=,iv:ETarRq0uwU3Kuoxf8lLgcLWm7MivFQ3W1EKIKFCho/s=,tag:V00p6PknQoV1t1R7UoiZOA==,type:str]
+    pgp:
+        - created_at: "2023-01-09T22:45:17Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7zUOKwzpAE7AQ//SREB1bVNjocJIdu1OsRi/98r/Sq66jvfvv9qN4iarhX6
+            nULcylhQgxMAEaY2af1aWfzH8aVOQFfFWQaFLNCs44TkSa9MCPxPrqRI4qCPl9os
+            V6l9IVOhmv/HIDlHvTOfsFYZjE9LOtA5y3VrQqLBG4zjpTczcQxlrHgeSZyDrS9i
+            eqTiVVwdiZurFUMoety63S82u62YjtEwgHbFYdKnodEPygZvU5LFftmTRdDRNCII
+            i6tJRe70HTg2gNBxQEwh/DTcyQBaUkermhDaok0ABW6BFfrwzaxaUXexqFAqk7XK
+            fpWNGUX4w8ExtZ6XH/6vlu17yhej4VP9EuHzlZTPPjBPRcdPXETo3QShB+tH4hvw
+            aPgOfJaneVM+MpwgVW66qWmQt7NpaHLRo2tjvZnvuVXlg/AnuphaXpfafRja2DEj
+            hMH+FAIiQr5tFLf9ur8VltdeOsjWj7NbfWYEGm9UW0eHC5r/NuEZiQVt7BKWPU70
+            DcZdN9f3Scs9mpNuD/CGhf4Oj4L0tkgt/x2mirkSQcB0lui8s1/joCCV/7cZ30jB
+            /FHATHlo6RW1S8uGVcb1dkfsv4ki+4bvh1ZxZRuQg9rNlPWyHEIG6VJSMmgC7e9Y
+            P1NS/WF35BybvXFR3UVJca9qciRvPzcRo/4sEJtuPbwXpAqHR4OavHJhmb4ZDYfS
+            UQE6svFmutqwRPC2WSk0Knxh5o/bUYrliT6FU01xwkkIo5SgahDe0XJeXS3poQEs
+            htM7FZ7w0PjcRa66cul5j5FjDI4R7ZcFupv6RF84ImP5hw==
+            =3z9H
+            -----END PGP MESSAGE-----
+          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3