From 12d499bcc72b6e4bc76599508da8497469962382 Mon Sep 17 00:00:00 2001 From: Xe Date: Sun, 1 Jan 2023 16:51:47 -0500 Subject: [PATCH] first attempt 
Signed-off-by: Xe --- common/default.nix | 2 +- common/services/backup.nix | 57 ++++++++ common/services/default.nix | 11 ++ common/services/graphviz.nix | 41 ++++++ common/services/lewa.nix | 38 +++++ common/services/mi/default.nix | 104 ++++++++++++++ common/services/mi/source.json | 7 + common/services/tron/default.nix | 52 +++++++ common/services/tron/source.json | 9 ++ common/services/tulpanomicon/default.nix | 27 ++++ common/services/tulpanomicon/source.json | 9 ++ common/services/withinbot/default.nix | 91 ++++++++++++ common/services/withinbot/source.json | 7 + flake.lock | 160 ++++++++------------- flake.nix | 63 ++++++--- hosts/lufta/.gitignore | 1 + hosts/lufta/acme.nix | 114 +++++++++++++++ hosts/lufta/akua.nix | 9 ++ hosts/lufta/bootstrap.nix | 28 ++++ hosts/lufta/certs.akua.nix | 5 + hosts/lufta/default.nix | 171 ++++++++++++++++++++++ hosts/lufta/docker.nix | 20 +++ hosts/lufta/gitea.nix | 78 ++++++++++ hosts/lufta/hardware-configuration.nix | 72 ++++++++++ hosts/lufta/monitoring.nix | 54 +++++++ hosts/lufta/weechat.nix | 30 ++++ hosts/lufta/when-then-zen.nix | 167 ++++++++++++++++++++++ hosts/lufta/within.nix | 173 +++++++++++++++++++++++ hosts/lufta/zrepl.nix | 54 +++++++ hosts/toxapex/default.nix | 111 --------------- hosts/toxapex/hardware-configuration.nix | 41 ------ secret/aerial.env.age | 30 ++++ secret/aura.env.age | Bin 0 -> 1927 bytes secret/borg_ssh_key.pub | 1 + secret/borgbackup_passphrase | 31 ++++ secret/borgbackup_ssh_key | Bin 0 -> 1941 bytes secret/cetacean.club.crt.age | Bin 0 -> 1998 bytes secret/cetacean.club.key.age | Bin 0 -> 1718 bytes secret/lufta.aws.env.age | Bin 0 -> 1583 bytes secret/mi-token.age | 31 ++++ secret/mi.toml.age | Bin 0 -> 3105 bytes secret/tron.env.age | 30 ++++ secret/withinbot.env.age | 30 ++++ secret/xesite.env.age | 30 ++++ secret/xn--sz8hf6d.ws.crt.age | Bin 0 -> 2055 bytes secret/xn--sz8hf6d.ws.key.age | 30 ++++ secrets.nix | 23 ++- 47 files changed, 1769 insertions(+), 273 deletions(-) create mode 
100644 common/services/backup.nix create mode 100644 common/services/default.nix create mode 100644 common/services/graphviz.nix create mode 100644 common/services/lewa.nix create mode 100644 common/services/mi/default.nix create mode 100644 common/services/mi/source.json create mode 100644 common/services/tron/default.nix create mode 100644 common/services/tron/source.json create mode 100644 common/services/tulpanomicon/default.nix create mode 100644 common/services/tulpanomicon/source.json create mode 100644 common/services/withinbot/default.nix create mode 100644 common/services/withinbot/source.json create mode 100644 hosts/lufta/.gitignore create mode 100644 hosts/lufta/acme.nix create mode 100644 hosts/lufta/akua.nix create mode 100644 hosts/lufta/bootstrap.nix create mode 100644 hosts/lufta/certs.akua.nix create mode 100644 hosts/lufta/default.nix create mode 100644 hosts/lufta/docker.nix create mode 100644 hosts/lufta/gitea.nix create mode 100644 hosts/lufta/hardware-configuration.nix create mode 100644 hosts/lufta/monitoring.nix create mode 100644 hosts/lufta/weechat.nix create mode 100644 hosts/lufta/when-then-zen.nix create mode 100644 hosts/lufta/within.nix create mode 100644 hosts/lufta/zrepl.nix delete mode 100644 hosts/toxapex/default.nix delete mode 100644 hosts/toxapex/hardware-configuration.nix create mode 100644 secret/aerial.env.age create mode 100644 secret/aura.env.age create mode 100644 secret/borg_ssh_key.pub create mode 100644 secret/borgbackup_passphrase create mode 100644 secret/borgbackup_ssh_key create mode 100644 secret/cetacean.club.crt.age create mode 100644 secret/cetacean.club.key.age create mode 100644 secret/lufta.aws.env.age create mode 100644 secret/mi-token.age create mode 100644 secret/mi.toml.age create mode 100644 secret/tron.env.age create mode 100644 secret/withinbot.env.age create mode 100644 secret/xesite.env.age create mode 100644 secret/xn--sz8hf6d.ws.crt.age create mode 100644 secret/xn--sz8hf6d.ws.key.age 
diff --git a/common/default.nix b/common/default.nix index 70458a0..a4ec350 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: { - imports = [ ./users ./microcode.nix ]; + imports = [ ./services ./users ./microcode.nix ]; boot.cleanTmpDir = true; boot.kernelModules = [ "wireguard" ]; diff --git a/common/services/backup.nix b/common/services/backup.nix new file mode 100644 index 0000000..c9814ab --- /dev/null +++ b/common/services/backup.nix @@ -0,0 +1,57 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.within.backups; +in with lib; { + options.within.backups = { + enable = mkEnableOption "Enables per-host backups to rsync.net"; + paths = mkOption { + type = with types; listOf str; + default = [ "/home" "/srv" "/var/lib" "/root" ]; + description = "paths to backup to rsync.net"; + }; + exclude = mkOption { + type = with types; listOf str; + default = [ + "/var/lib/docker" + "/var/lib/systemd" + "/var/lib/libvirt" + "'**/.cache'" + "'**/.nix-profile'" + "'**/.elm'" + "'**/.emacs.d'" + ]; + description = "paths to NOT backup to rsync.net"; + }; + repo = mkOption { + type = types.str; + description = "Repo to submit backups to"; + }; + }; + + config = mkIf config.within.backups.enable { + services.borgbackup.jobs."borgbase" = { + paths = cfg.paths; + exclude = cfg.exclude; + repo = cfg.repo; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat /root/borgbackup_passphrase"; + }; + environment.BORG_RSH = "ssh -i /root/borgbackup_ssh_key"; + compression = "auto,lzma"; + startAt = "daily"; + extraArgs = "--remote-path=borg1"; + }; + + age.secrets = { + borgbackup-passphrase = { + file = ../../secret/borgbackup_passphrase; + path = "/root/borgbackup_passphrase"; + }; + borgbackup-ssh-key = { + file = ../../secret/borgbackup_ssh_key; + path = "/root/borgbackup_ssh_key"; + }; + }; + }; +} diff --git a/common/services/default.nix b/common/services/default.nix new file mode 100644 index 0000000..2f24450 
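Review bot: The borg job hardcodes `/root/borgbackup_passphrase` in `passCommand` and `/root/borgbackup_ssh_key` in `BORG_RSH` while the same two paths are declared again under `age.secrets`; referencing `passCommand = "cat ${config.age.secrets.borgbackup-passphrase.path}";` and `environment.BORG_RSH = "ssh -i ${config.age.secrets.borgbackup-ssh-key.path}";` keeps the two from drifting apart. The default `exclude` entries such as `"'**/.cache'"` carry literal single quotes inside the Nix string; unless the borgbackup module strips them, the quotes become part of the pattern and those exclusions silently never match, so `"**/.cache"` is probably what is meant. These are also the only two secret files in the patch without an `.age` suffix (`secret/borgbackup_passphrase`, `secret/borgbackup_ssh_key`), which is worth aligning with the rest of `secret/` so the encryption status is obvious from the name.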
--- /dev/null +++ b/common/services/default.nix @@ -0,0 +1,11 @@ +{ ... }: { + imports = [ + ./backup.nix + ./graphviz.nix + ./lewa.nix + ./mi + ./tron + ./tulpanomicon + ./withinbot + ]; +} diff --git a/common/services/graphviz.nix b/common/services/graphviz.nix new file mode 100644 index 0000000..12609d3 --- /dev/null +++ b/common/services/graphviz.nix @@ -0,0 +1,41 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.within.services.graphviz; + graphviz = pkgs.stdenv.mkDerivation { + name = "GraphvizOnline"; + src = pkgs.fetchFromGitHub { + owner = "Xe"; + repo = "GraphvizOnline"; + rev = "98ab98e6dbabba984e49be2c8b46c470aca829fe"; + sha256 = "l3BEmY20pfC1rWyQLz6j4pDPdZcv1FYKeIpBZUmosXc="; + fetchSubmodules = false; + }; + + phases = "installPhase"; + + installPhase = '' + mkdir -p $out + cp -vrf $src/* $out + ''; + }; +in { + options.within.services.graphviz.enable = + mkEnableOption "Activates the graphviz site"; + + config = mkIf cfg.enable { + services.nginx.virtualHosts."graphviz" = { + serverName = "graphviz.christine.website"; + locations."/".root = graphviz; + forceSSL = true; + useACMEHost = "christine.website"; + extraConfig = '' + access_log /var/log/nginx/graphviz.access.log; + ''; + }; + + services.cfdyndns.records = [ "graphviz.christine.website" ]; + }; +} diff --git a/common/services/lewa.nix b/common/services/lewa.nix new file mode 100644 index 0000000..e52d895 --- /dev/null +++ b/common/services/lewa.nix 
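Review bot: `phases = "installPhase";` replaces the whole stdenv phase list, which nixpkgs discourages in favour of `dontUnpack = true;` together with the explicit `installPhase`. Since the derivation only copies `$src` into `$out`, the `fetchFromGitHub` result could also be used directly as `locations."/".root`, barring any dotfiles the `cp $src/*` glob would skip. `services.cfdyndns.records` is set unconditionally here whereas `lewa.nix` and `mi/default.nix` gate theirs on `useACME`; a comment saying why this site always registers a record would help.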
@@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.within.services.lewa; + l'ewa = pkgs.fetchzip { + url = "https://xena.greedo.xeserv.us/files/lewa-book.tar.gz"; + sha256 = "0n86fq25cnqwgfp7hfzh8l1h57a1sgvafq7lyd477amgvq0drk4c"; + }; +in { + options.within.services.lewa = { + enable = mkEnableOption "Activates the eBook for l'ewa"; + useACME = mkEnableOption "enables ACME for cert stuff"; + + domain = mkOption { + type = types.str; + default = "lewa.akua"; + example = "lewa.cetacean.club"; + description = + "The domain name that nginx should check against for HTTP hostnames"; + }; + }; + + config = mkIf cfg.enable { + services.nginx.virtualHosts."lewa" = { + serverName = "${cfg.domain}"; + locations."/".root = "${l'ewa}/book"; + forceSSL = cfg.useACME; + useACMEHost = "within.website"; + extraConfig = '' + access_log /var/log/nginx/lewa.access.log; + ''; + }; + + services.cfdyndns = mkIf cfg.useACME { records = [ "${cfg.domain}" ]; }; + }; +} diff --git a/common/services/mi/default.nix b/common/services/mi/default.nix new file mode 100644 index 0000000..9970c51 --- /dev/null +++ b/common/services/mi/default.nix 
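Review bot: `useACMEHost = "within.website"` is fixed while `domain` defaults to `lewa.akua` and the option's own example is `lewa.cetacean.club`; with `useACME = true` and a domain outside the within.website certificate, nginx would present a certificate whose names do not cover `cfg.domain`. Either expose the ACME host as an option next to `domain` or state on the `domain` option's description that it must be under within.website when `useACME` is enabled. `serverName = "${cfg.domain}";` and `records = [ "${cfg.domain}" ];` interpolate a string into a string and can simply be `serverName = cfg.domain;` and `records = [ cfg.domain ];`.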
@@ -0,0 +1,104 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.within.services.mi; + mi = with pkgs; + import + (fetchFromGitHub (builtins.fromJSON (builtins.readFile ./source.json))) { }; +in { + options.within.services.mi = { + enable = mkEnableOption "Activates mi (a personal API)"; + useACME = mkEnableOption "Enables ACME for cert stuff"; + + port = mkOption { + type = types.int; + default = 38288; + example = 9001; + description = "The port number mi should listen on for HTTP traffic"; + }; + + domain = mkOption { + type = types.str; + default = "mi.within.website"; + example = "mi.within.website"; + description = + "The domain name that nginx should check against for HTTP hostnames"; + }; + }; + + config = mkIf cfg.enable { + users.users.mi = { + createHome = true; + description = "github.com/Xe/mi"; + isSystemUser = true; + group = "within"; + home = "/srv/within/mi"; + extraGroups = [ "keys" ]; + }; + + age.secrets.mi = { + file = ../../secret/mi.toml.age; + path = "/srv/within/mi/Rocket.toml"; + owner = "mi"; + group = "within"; + mode = "0400"; + }; + + systemd.services.mi = { + wantedBy = [ "multi-user.target" ]; + after = [ "mi-key.service" "systemd-resolved.service" ]; + wants = [ "mi-key.service" "systemd-resolved.service" ]; + + serviceConfig = { + User = "mi"; + Group = "within"; + Restart = "on-failure"; + WorkingDirectory = "/srv/within/mi"; + RestartSec = "30s"; + Type = "notify"; + }; + + script = '' + export ROCKET_PORT=${toString cfg.port} + exec ${mi}/bin/mi-backend + ''; + }; + + systemd.services.mi-package-updater = { + wantedBy = [ "multi-user.target" ]; + after = [ "mi-key.service" ]; + wants = [ "mi-key.service" ]; + + serviceConfig = { + User = "mi"; + Group = "within"; + WorkingDirectory = "/srv/within/mi"; + Type = "oneshot"; + }; + + script = '' + export DATABASE_URL=./mi.db + exec ${mi}/bin/package_track + ''; + + startAt = "*-*-* 00:00:00"; # daily + }; + + services.nginx.virtualHosts."mi" = { + serverName = 
"${cfg.domain}"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + proxyWebsockets = true; + }; + forceSSL = cfg.useACME; + useACMEHost = "within.website"; + extraConfig = '' + access_log /var/log/nginx/mi.access.log; + ''; + }; + + services.cfdyndns = mkIf cfg.useACME { records = [ "${cfg.domain}" ]; }; + }; +} diff --git a/common/services/mi/source.json b/common/services/mi/source.json new file mode 100644 index 0000000..0d54d50 --- /dev/null +++ b/common/services/mi/source.json @@ -0,0 +1,7 @@ +{ + "owner": "Xe", + "repo": "mi", + "rev": "220a123b586445da1f99b59226f7ccbe5b4a566a", + "sha256": "wbvA3++JFv7PjVl0RyRSbhdmSouJ4k3NWgh5J4jYyGk=", + "fetchSubmodules": false +} diff --git a/common/services/tron/default.nix b/common/services/tron/default.nix new file mode 100644 index 0000000..0258b81 --- /dev/null +++ b/common/services/tron/default.nix 
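Review bot: `age.secrets.mi.file = ../../secret/mi.toml.age;` is resolved relative to `common/services/mi/`, i.e. it names `common/secret/mi.toml.age`, which this patch does not add; the sibling modules `tron` and `withinbot` use `../../../secret/` to reach the repository-level directory and the diffstat lists `secret/mi.toml.age`, so this should read `file = ../../../secret/mi.toml.age;`. Both units also order themselves after `mi-key.service`, which nothing in this patch defines; if that unit belonged to an earlier secrets mechanism the `after`/`wants` entries are now dead and can be dropped, since agenix installs secrets during activation rather than through a service. `serverName = "${cfg.domain}";` can be `serverName = cfg.domain;` as the interpolation adds nothing.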
@@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +let + tron = with pkgs; + callPackage (fetchgit (builtins.fromJSON (builtins.readFile ./source.json))) + { }; + +in with lib; { + options.within.services.tron.enable = + mkEnableOption "Activates Tron (a furbooru moderation tool)"; + + config = mkIf config.within.services.tron.enable { + # User account + users.users.tron = { + createHome = true; + description = "tulpa.dev/cadey/tron"; + isSystemUser = true; + group = "within"; + home = "/srv/within/tron"; + extraGroups = [ "keys" ]; + }; + + # Secret config + age.secrets.tron = { + file = ../../../secret/tron.env.age; + path = "/srv/within/tron/.env"; + owner = "tron"; + group = "within"; + mode = "0640"; + }; + + # Service + systemd.services.tron = { + wantedBy = [ "multi-user.target" ]; + after = [ "tron-key.service" ]; + wants = [ "tron-key.service" ]; + + serviceConfig = { + User = "tron"; + Group = "within"; + Restart = "on-failure"; + RestartSec = "30s"; + }; + + script = '' + export $(cat /srv/within/tron/.env | xargs) + export REGEXES=${tron}/regexes.dhall + exec ${tron}/bin/tron + ''; + }; + }; +} diff --git a/common/services/tron/source.json b/common/services/tron/source.json new file mode 100644 index 0000000..60e99f3 --- /dev/null +++ b/common/services/tron/source.json @@ -0,0 +1,9 @@ +{ + "url": "https://tulpa.dev/cadey/tron.git", + "rev": "20e69676d9899013b5c9630ad9ea01e73b8d2b06", + "sha256": "1qpkis92a837c4j1f17ic57l9qpzvnbxg61vccqhcjxfx5vbyc7k", + "fetchLFS": false, + "fetchSubmodules": false, + "deepClone": false, + "leaveDotGit": false +} diff --git a/common/services/tulpanomicon/default.nix b/common/services/tulpanomicon/default.nix new file mode 100644 index 0000000..b997187 --- /dev/null +++ b/common/services/tulpanomicon/default.nix 
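Review bot: The `.env` secret is installed with `mode = "0640"` and `group = "within"` while `mi` and `withinbot` in this same patch use `0400`; every service user here shares the `within` group, so the wider mode lets those other services read tron's credentials, and `mode = "0400";` is the consistent least-privilege choice unless another group member needs it. `export $(cat /srv/within/tron/.env | xargs)` word-splits the file and misbehaves on values containing spaces or `#`; `EnvironmentFile = config.age.secrets.tron.path;` in `serviceConfig` loads the same file without the shell round-trip. The unit also carries none of the sandboxing directives applied to `withinbot`, which may be intentional but deserves a comment either way.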
@@ -0,0 +1,27 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.within.services.tulpanomicon; + book = with pkgs; + callPackage (fetchgit (builtins.fromJSON (builtins.readFile ./source.json))) + { }; +in { + options.within.services.tulpanomicon.enable = + mkEnableOption "Activates tulpa --force"; + + config = mkIf cfg.enable { + services.nginx.virtualHosts."tulpanomicon" = { + serverName = "tulpanomicon.guide"; + locations."/".root = "${book}"; + forceSSL = true; + useACMEHost = "tulpanomicon.guide"; + extraConfig = '' + access_log /var/log/nginx/tulpanomicon.access.log; + ''; + }; + + services.cfdyndns.records = [ "tulpanomicon.guide" ]; + }; +} diff --git a/common/services/tulpanomicon/source.json b/common/services/tulpanomicon/source.json new file mode 100644 index 0000000..6cabc57 --- /dev/null +++ b/common/services/tulpanomicon/source.json @@ -0,0 +1,9 @@ +{ + "url": "https://tulpa.dev/tulpa-ebooks/tulpanomicon.git", + "rev": "5a2cce637ec680ce6aea1e9e35cdbb73d5570221", + "sha256": "0r7imilh9p84wdb15qwmk05yab2y5qndpqka4nwqv8mk4l9jdpga", + "fetchLFS": false, + "fetchSubmodules": false, + "deepClone": false, + "leaveDotGit": false +} diff --git a/common/services/withinbot/default.nix b/common/services/withinbot/default.nix new file mode 100644 index 0000000..b88d26a --- /dev/null +++ b/common/services/withinbot/default.nix 
@@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: +let + bot = with pkgs; + import + (fetchFromGitHub (builtins.fromJSON (builtins.readFile ./source.json))) { }; +in with lib; { + options.within.services.withinbot.enable = + mkEnableOption "Activates Withinbot (the furryhole chatbot)"; + + config = mkIf config.within.services.withinbot.enable { + users.users.withinbot = { + createHome = true; + description = "github.com/Xe/withinbot"; + isSystemUser = true; + group = "within"; + home = "/srv/within/withinbot"; + extraGroups = [ "keys" ]; + }; + + age.secrets.withinbot = { + file = ../../../secret/withinbot.env; + path = "/srv/within/withinbot/.env"; + owner = "withinbot"; + group = "within"; + mode = "0400"; + }; + + systemd.services.withinbot = { + wantedBy = [ "multi-user.target" ]; + after = [ "withinbot-key.service" ]; + wants = [ "withinbot-key.service" ]; + + serviceConfig = { + User = "withinbot"; + Group = "within"; + Restart = "on-failure"; + WorkingDirectory = "/srv/within/withinbot"; + RestartSec = "30s"; + + # security settings + CapabilityBoundingSet = ""; + DeviceAllow = [ ]; + NoNewPrivileges = "true"; + ProtectControlGroups = "true"; + ProtectClock = "true"; + PrivateDevices = "true"; + PrivateUsers = "true"; + ProtectHome = "true"; + ProtectHostname = "true"; + ProtectKernelLogs = "true"; + ProtectKernelModules = "true"; + ProtectKernelTunables = "true"; + ProtectSystem = "true"; + ProtectProc = "invisible"; + RemoveIPC = "true"; + RestrictAddressFamilies = [ "~AF_UNIX" "~AF_NETLINK" ]; + RestrictNamespaces = [ + "CLONE_NEWCGROUP" + "CLONE_NEWIPC" + "CLONE_NEWNET" + "CLONE_NEWNS" + "CLONE_NEWPID" + "CLONE_NEWUTS" + "CLONE_NEWUSER" + ]; + RestrictSUIDSGID = "true"; + RestrictRealtime = "true"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "~@reboot" + "~@module" + "~@mount" + "~@swap" + "~@resources" + "~@cpu-emulation" + "~@obsolete" + "~@debug" + "~@privileged" + ]; + UMask = "077"; + }; + + script = let withinbot = bot; + in '' + 
export CAMPAIGN_FOLDER=${withinbot}/campaigns + export RUST_LOG=error,serenity::client::bridge::gateway::shard_runner=error,serenity::gateway::shard=error + exec ${withinbot}/bin/withinbot + ''; + }; + }; +} diff --git a/common/services/withinbot/source.json b/common/services/withinbot/source.json new file mode 100644 index 0000000..925e8bf --- /dev/null +++ b/common/services/withinbot/source.json @@ -0,0 +1,7 @@ +{ + "owner": "Xe", + "repo": "withinbot", + "rev": "b819aec3add88298a65277fbf4e13de4fe254bc0", + "sha256": "wIZ9znXL98yNlHUxhQXH/fJihukyK6XfUCyjiJ5fgzY=", + "fetchSubmodules": false +} diff --git a/flake.lock b/flake.lock index ea2fa41..dcd83f9 100644 --- a/flake.lock +++ b/flake.lock @@ -2,7 +2,9 @@ "nodes": { "agenix": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1665870395, @@ -18,6 +20,29 @@ "type": "github" } }, + "aura": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "utils": [ + "utils" + ] + }, + "locked": { + "lastModified": 1672605913, + "narHash": "sha256-TRHzwtCZC2IMPTq3UsFDJno3Y1k58HONotnA4B9dT+8=", + "owner": "PonyvilleFM", + "repo": "aura", + "rev": "ffc55b4177cdc1a3c6323397d077e26476843e65", + "type": "github" + }, + "original": { + "owner": "PonyvilleFM", + "repo": "aura", + "type": "github" + } + }, "deno2nix": { "inputs": { "devshell": "devshell", @@ -48,8 +73,12 @@ "deploy-rs": { "inputs": { "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_2", - "utils": "utils" + "nixpkgs": [ + "nixpkgs" + ], + "utils": [ + "utils" + ] }, "locked": { "lastModified": 1672327199, @@ -219,8 +248,12 @@ }, "home-manager": { "inputs": { - "nixpkgs": "nixpkgs_3", - "utils": "utils_2" + "nixpkgs": [ + "nixpkgs" + ], + "utils": [ + "utils" + ] }, "locked": { "lastModified": 1672349765, @@ -285,7 +318,7 @@ }, "naersk_2": { "inputs": { - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1650265945, 
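Review bot: `file = ../../../secret/withinbot.env;` names a file this patch does not add; the diffstat and file list show `secret/withinbot.env.age`, so evaluation will fail until this reads `file = ../../../secret/withinbot.env.age;`. The `script` binds `withinbot = bot` only to use it as before, so `bot` can be referenced directly. `RestrictAddressFamilies = [ "~AF_UNIX" "~AF_NETLINK" ]` is a deny-list; the usual shape is an allow-list such as `[ "AF_INET" "AF_INET6" ]`, which also documents what the bot is expected to talk to, and like `tron` the unit orders after a `withinbot-key.service` that nothing in the patch defines.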
@@ -345,54 +378,6 @@ } }, "nixpkgs": { - "locked": { - "lastModified": 1665732960, - "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1671417167, - "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1671983799, - "narHash": "sha256-Z2Ro6hFPZHkBqkVXY5/aBUzxi5xizQGvuHQ9+T5B/ks=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "fad51abd42ca17a60fc1d4cb9382e2d79ae31836", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { "locked": { "lastModified": 1672350804, "narHash": "sha256-jo6zkiCabUBn3ObuKXHGqqORUMH27gYDIFFfLq5P4wg=", @@ -408,7 +393,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_2": { "locked": { "lastModified": 1650555608, "narHash": "sha256-e34oMPWPwRWhF1K6NZnF0mNle7qDADJzjWujp8UupGo=", @@ -422,7 +407,7 @@ "type": "indirect" } }, - "nixpkgs_6": { + "nixpkgs_3": { "locked": { "lastModified": 1650161686, "narHash": "sha256-70ZWAlOQ9nAZ08OU6WY7n4Ij2kOO199dLfNlvO/+pf8=", @@ -437,7 +422,7 @@ "type": "indirect" } }, - "nixpkgs_7": { + "nixpkgs_4": { "locked": { "lastModified": 1640319671, "narHash": "sha256-ZkKmakwaOaLiZOpIZWbeJZwap5CzJ30s4UJTfydYIYc=", @@ -455,7 +440,7 @@ }, "portable-svc": { "inputs": { - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1650586426, 
@@ -506,11 +491,11 @@ ] }, "locked": { - "lastModified": 1667491896, - "narHash": "sha256-v2iUBQ0kwUz5a/MZGJvhlpDj+H8PLMJFRvvgYb1knZg=", + "lastModified": 1672602248, + "narHash": "sha256-VH7/DqYZfQ5N+38gYm3xHEwMVG3iGaPmjfvVAU9ifk4=", "owner": "Xe", "repo": "rhea", - "rev": "30a0900b9409b9c9044c83deaaaa9f708b402eb3", + "rev": "a47a471a202e3335569e4254ad35254fb483f416", "type": "github" }, "original": { @@ -522,14 +507,15 @@ "root": { "inputs": { "agenix": "agenix", + "aura": "aura", "deploy-rs": "deploy-rs", "emacs-overlay": "emacs-overlay", "home-manager": "home-manager", "mara": "mara", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs", "printerfacts": "printerfacts", "rhea": "rhea", - "utils": "utils_4", + "utils": "utils_2", "waifud": "waifud", "wsl": "wsl", "x": "x", @@ -562,36 +548,6 @@ } }, "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_2": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_3": { "locked": { "lastModified": 1638122382, "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", @@ -606,7 +562,7 @@ "type": "github" } }, - "utils_4": { + "utils_2": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", 
@@ -682,11 +638,11 @@ ] }, "locked": { - "lastModified": 1672596703, - "narHash": "sha256-jq2PwMWQE8Dt3v4WRBa2qj77apR37L0l/Dwm+es2qcQ=", + "lastModified": 1672604621, + "narHash": "sha256-V5VtmCB6htNBkYWy7zc8TD/lI+oFqUVMGxuE5IsKnXk=", "owner": "Xe", "repo": "x", - "rev": "88ab7e70b442a45a67e4a9f4f1ee79b0aa622273", + "rev": "1a031713e7a4813b40694ffb902b73de4e3d36da", "type": "github" }, "original": { @@ -708,11 +664,11 @@ ] }, "locked": { - "lastModified": 1672519133, - "narHash": "sha256-KkwWlxbX1HSBDtyKX1/4L+z+ocGkptQMGe3VnsowXZg=", + "lastModified": 1672607480, + "narHash": "sha256-iDQRK6YjXz8iCfTjhZ9LI48YzLP7xE1IaGT6a1vrxMk=", "owner": "Xe", "repo": "site", - "rev": "3890085b77db7637ca9b48cb7809cf898a26ec1c", + "rev": "9ab1724f06c38001afa87c38398f021d9cc64298", "type": "github" }, "original": { @@ -723,8 +679,8 @@ }, "xess": { "inputs": { - "nixpkgs": "nixpkgs_7", - "utils": "utils_3" + "nixpkgs": "nixpkgs_4", + "utils": "utils" }, "locked": { "lastModified": 1640540322, diff --git a/flake.nix b/flake.nix index 220a33e..2c00d02 100644 --- a/flake.nix +++ b/flake.nix @@ -2,17 +2,32 @@ description = "My deploy-rs config for logos"; inputs = { - agenix.url = "github:ryantm/agenix"; - deploy-rs.url = "github:serokell/deploy-rs"; - home-manager.url = "github:nix-community/home-manager"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; utils.url = "github:numtide/flake-utils"; + # external dependencies + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + deploy-rs = { + url = "github:serokell/deploy-rs"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.utils.follows = "utils"; + }; + emacs-overlay = { url = "github:nix-community/emacs-overlay"; inputs.nixpkgs.follows = "nixpkgs"; }; + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.utils.follows = "utils"; + }; + wsl = { url = "github:nix-community/NixOS-WSL"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -20,41 +35,57 @@ }; # my apps + aura = { + url = "github:PonyvilleFM/aura"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.utils.follows = "utils"; + }; + printerfacts = { url = "git+https://tulpa.dev/cadey/printerfacts.git?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "utils"; }; + mara = { url = "git+https://tulpa.dev/Xe/mara.git?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; inputs.utils.follows = "utils"; }; + rhea = { url = "github:Xe/rhea"; inputs.nixpkgs.follows = "nixpkgs"; }; + waifud = { url = "github:Xe/waifud"; inputs.nixpkgs.follows = "nixpkgs"; inputs.utils.follows = "utils"; }; + x = { url = "github:Xe/x"; inputs.nixpkgs.follows = "nixpkgs"; inputs.utils.follows = "utils"; }; + xesite = { url = "github:Xe/site"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "utils"; }; + + # legacy apps }; outputs = { self, nixpkgs, deploy-rs, home-manager, agenix, printerfacts, mara - , rhea, waifud, emacs-overlay, wsl, x, xesite, ... }: + , rhea, waifud, emacs-overlay, wsl, x, xesite, aura, ... }: let - pkgs = nixpkgs.legacyPackages."x86_64-linux"; + pkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = [ x.overlays.x86_64-linux.default ]; + }; mkSystem = extraModules: nixpkgs.lib.nixosSystem rec { @@ -64,15 +95,13 @@ home-manager.nixosModules.home-manager ({ config, ... }: { - system.configurationRevision = self.sourceInfo.rev; - services.getty.greetingLine = - "<<< Welcome to NixOS ${config.system.nixos.label} @ ${self.sourceInfo.rev} - \\l >>>"; + # system.configurationRevision = self.sourceInfo.rev; + # services.getty.greetingLine = + # "<<< Welcome to NixOS ${config.system.nixos.label} @ ${self.sourceInfo.rev} - \\l >>>"; home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; - nixpkgs.overlays = [ - emacs-overlay.overlay - ]; + nixpkgs.overlays = [ emacs-overlay.overlay ]; }) ./common 
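Review bot: Commenting out `system.configurationRevision` and the getty greeting removes the deployed-revision record from every host, which is the main way to tell afterwards which commit a machine is running; if the motivation is that `self.sourceInfo.rev` is absent for a dirty tree, `system.configurationRevision = self.rev or "dirty";` keeps the provenance and still evaluates. Commented-out configuration should otherwise be deleted rather than kept in the module. The enclosing `mkSystem` definition starts and ends outside this hunk.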
@@ -80,8 +109,9 @@ mara.nixosModules.${system}.bot rhea.nixosModule.${system} x.nixosModules.default - #xesite.nixosModules.default - + xesite.nixosModules.default + aura.nixosModules.aerial + aura.nixosModules.aura ] ++ extraModules; }; in { @@ -328,12 +358,11 @@ ]; # cloud - akko = mkSystem [ - ./hosts/akko - ./hardware/location/YYZ - ]; + akko = mkSystem [ ./hosts/akko ./hardware/location/YYZ ]; firgu = mkSystem [ ./hosts/firgu ./hardware/location/YYZ ]; + + lufta = mkSystem [ ./hosts/lufta ]; }; deploy.nodes.akko = { diff --git a/hosts/lufta/.gitignore b/hosts/lufta/.gitignore new file mode 100644 index 0000000..d97c5ea --- /dev/null +++ b/hosts/lufta/.gitignore @@ -0,0 +1 @@ +secret diff --git a/hosts/lufta/acme.nix b/hosts/lufta/acme.nix new file mode 100644 index 0000000..daf4505 --- /dev/null +++ b/hosts/lufta/acme.nix 
@@ -0,0 +1,114 @@ +{ pkgs, ... }: + +let + aws = "/var/lib/acme/.env"; + + extraLegoFlags = [ "--dns.resolvers=8.8.8.8:53" ]; + +in { + age.secrets.aws = { + file = ../../secret/lufta.aws.env.age; + path = "/var/lib/acme/.env"; + mode = "600"; + owner = "acme"; + group = "nginx"; + }; + + security.acme.defaults.email = "me@christine.website"; + security.acme.acceptTerms = true; + + security.acme.certs."xeiaso.net" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.xeiaso.net" "xelaso.net" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."tulpa.dev" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.tulpa.dev" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."christine.website" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.christine.website" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."cetacean.club" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = + [ "*.cetacean.club" "*.kahless.cetacean.club" "*.lufta.cetacean.club" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."pvfmsets.cf" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + inherit extraLegoFlags; + }; + + security.acme.certs."tulpanomicon.guide" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.tulpanomicon.guide" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."tulpaforce.xyz" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.tulpaforce.xyz" ]; + inherit 
extraLegoFlags; + }; + + security.acme.certs."within.website" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.within.website" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."xeserv.us" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ + "*.xeserv.us" + "*.greedo.xeserv.us" + "*.apps.xeserv.us" + "*.minipaas.xeserv.us" + ]; + inherit extraLegoFlags; + }; + + security.acme.certs."xn--u7hz981o.ws" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.xn--u7hz981o.ws" ]; + inherit extraLegoFlags; + }; +} diff --git a/hosts/lufta/akua.nix b/hosts/lufta/akua.nix new file mode 100644 index 0000000..ad77597 --- /dev/null +++ b/hosts/lufta/akua.nix @@ -0,0 +1,9 @@ +{ pkgs, config, ... }: + +let metadata = pkgs.callPackage ../../ops/metadata/peers.nix { }; +in { + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + }; +} diff --git a/hosts/lufta/bootstrap.nix b/hosts/lufta/bootstrap.nix new file mode 100644 index 0000000..06d7f69 --- /dev/null +++ b/hosts/lufta/bootstrap.nix 
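Review bot: Every `security.acme.certs.*` entry repeats `group`, `email`, `dnsProvider`, `credentialsFile` and `extraLegoFlags`; the file already sets `security.acme.defaults.email`, and those other four are accepted under `security.acme.defaults` too, so each cert can shrink to its `extraDomainNames`. `aws` duplicates the `path` set under `age.secrets.aws`; `credentialsFile = config.age.secrets.aws.path;` avoids the pair drifting apart (the module would need `config` in its argument set). The same Route53 credential performs DNS-01 for every zone listed here, so a short comment recording which IAM permissions it is scoped to would help whoever rotates it. The function body starts outside this hunk's first visible line.
```nix
security.acme.defaults = {
  email = "me@christine.website";
  group = "nginx";
  dnsProvider = "route53";
  credentialsFile = aws;
  inherit extraLegoFlags;
};

security.acme.certs."xeiaso.net".extraDomainNames = [ "*.xeiaso.net" "xelaso.net" ];
# … unchanged: remaining cert entries, each reduced to its extraDomainNames …
```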
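Review bot: `metadata` is bound from `../../ops/metadata/peers.nix` but never used, and `config` is accepted as an argument without being referenced; the unused `callPackage` still forces that path to exist at evaluation time, so either drop the `let` binding or wire it in. Enabling `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` turns the host into a router, and a one-line comment naming what depends on it (presumably the `akua` interface listed under `trustedInterfaces` in `hosts/lufta/default.nix`) would make the intent reviewable.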
@@ -0,0 +1,28 @@ +{ pkgs, ... }: + +{ + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9 cadey@shachi" + ]; + + networking.usePredictableInterfaceNames = false; + systemd.network = { + enable = true; + networks."eth0".extraConfig = '' + [Match] + Name = eth0 + [Network] + # Add your own assigned ipv6 subnet here here! + Address = 2a01:4f9:3a:1a1c::/64 + Gateway = fe80::1 + # optionally you can do the same for ipv4 and disable DHCP (networking.dhcpcd.enable = false;) + Address = 135.181.162.99/26 + Gateway = 135.181.162.65 + ''; + }; + + boot.supportedFilesystems = [ "zfs" ]; + + environment.systemPackages = with pkgs; [ wget vim zfs ]; +} diff --git a/hosts/lufta/certs.akua.nix b/hosts/lufta/certs.akua.nix new file mode 100644 index 0000000..06a38ec --- /dev/null +++ b/hosts/lufta/certs.akua.nix @@ -0,0 +1,5 @@ +{ ... }: + +{ + services.nginx.virtualHosts."certs.akua" = { }; +} diff --git a/hosts/lufta/default.nix b/hosts/lufta/default.nix new file mode 100644 index 0000000..9501448 --- /dev/null +++ b/hosts/lufta/default.nix 
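Review bot: The `[Network]` block still carries the template's placeholder comments (`# Add your own assigned ipv6 subnet here here!` and `# optionally you can do the same for ipv4 ...`) even though the addresses are filled in; replace them with one line stating what the block is, e.g. `# static addressing for eth0 (name pinned via usePredictableInterfaceNames = false)`. The root `authorizedKeys` entry and the whole `systemd.network` block are repeated verbatim in `hosts/lufta/default.nix`, which does not import this file; factoring the shared part into one module imported by both would keep the bootstrap image and the real configuration from drifting. A header comment saying this file is the install-time bootstrap and not part of the normal host imports would help the next reader.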
@@ -0,0 +1,171 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ./acme.nix + ./akua.nix + ./docker.nix + ./gitea.nix + ./hardware-configuration.nix + ./monitoring.nix + ./weechat.nix + ./within.nix + ./when-then-zen.nix + ./zrepl.nix + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only + boot.kernelParams = [ "zfs.zfs_arc_max=1073741824" ]; + boot.zfs.devNodes = "/dev/disk/by-partuuid"; + + networking.hostName = "lufta"; # Define your hostname. + networking.hostId = "2487cd1f"; + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = false; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9 cadey@shachi" + ]; + + security.polkit.enable = true; + + networking.usePredictableInterfaceNames = false; + systemd.network = { + enable = true; + networks."eth0".extraConfig = '' + [Match] + Name = eth0 + [Network] + # Add your own assigned ipv6 subnet here here! + Address = 2a01:4f9:3a:1a1c::/64 + Gateway = fe80::1 + # optionally you can do the same for ipv4 and disable DHCP (networking.dhcpcd.enable = false;) + Address = 135.181.162.99/26 + Gateway = 135.181.162.65 + ''; + }; + + services.tor.enable = true; + services.tor.client.enable = true; + services.tor.settings.SOCKSPort = [ 9051 ]; + + boot.supportedFilesystems = [ "zfs" ]; + + environment.systemPackages = with pkgs; [ wget vim zfs weechat tailscale ]; + + networking.firewall = { + enable = false; + allowedTCPPorts = [ 22 80 443 1965 6667 6697 ]; + allowedUDPPorts = [ 41641 51822 51820 ]; + + allowedUDPPortRanges = [{ + from = 32768; + to = 65535; + }]; + + trustedInterfaces = [ "akua" "tailscale0" ]; + }; + + system.stateVersion = "20.09"; # Did you read the comment? 
+ + within.microcode = { + enable = true; + vendor = "amd"; + }; + + virtualisation.docker.enable = true; + virtualisation.docker.storageDriver = "zfs"; + virtualisation.libvirtd.enable = true; + + systemd.services.nginx.serviceConfig.SupplementaryGroups = "within"; + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + statusPage = true; + enableReload = true; + commonHttpConfig = '' + set_real_ip_from 103.21.244.0/22; + set_real_ip_from 103.22.200.0/22; + set_real_ip_from 103.31.4.0/22; + set_real_ip_from 104.16.0.0/13; + set_real_ip_from 104.24.0.0/14; + set_real_ip_from 108.162.192.0/18; + set_real_ip_from 131.0.72.0/22; + set_real_ip_from 141.101.64.0/18; + set_real_ip_from 162.158.0.0/15; + set_real_ip_from 172.64.0.0/13; + set_real_ip_from 173.245.48.0/20; + set_real_ip_from 188.114.96.0/20; + set_real_ip_from 190.93.240.0/20; + set_real_ip_from 197.234.240.0/22; + set_real_ip_from 198.41.128.0/17; + set_real_ip_from 2400:cb00::/32; + set_real_ip_from 2606:4700::/32; + set_real_ip_from 2803:f800::/32; + set_real_ip_from 2405:b500::/32; + set_real_ip_from 2405:8100::/32; + set_real_ip_from 2c0f:f248::/32; + set_real_ip_from 2a06:98c0::/29; + real_ip_header CF-Connecting-IP; + ''; + + virtualHosts."withinwebsite" = { + locations = { + "/.well-known/matrix/server".extraConfig = let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { "m.server" = "matrix.within.website:443"; }; + in '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + + "/.well-known/matrix/client".extraConfig = let + client = { + "m.homeserver" = { "base_url" = "https://matrix.within.website"; }; + }; + # ACAO required to allow riot-web on any URL to request this json file + in '' + add_header Content-Type application/json; + add_header 
Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client}';
+ '';
+ };
+ };
+ };
+
+ services.tailscale.enable = true;
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ settings.mysqld.bind-address = "127.0.0.1";
+ };
+
+ services.zfs.autoScrub.enable = true;
+ services.zfs.autoSnapshot = {
+ enable = true;
+ monthly = 1;
+ };
+
+ services.yggdrasil = {
+ enable = true;
+ persistentKeys = true;
+ openMulticastPort = true;
+ config = {
+ IfName = "yggdrasil0";
+ Peers = [
+ "tls://94.103.82.150:8080"
+ "tcp://ams1.y.sota.sh:8080"
+ "tls://45.147.198.155:6010"
+ "tls://ygg-nl.incognet.io:8884"
+ ];
+ };
+ };
+}
diff --git a/hosts/lufta/docker.nix b/hosts/lufta/docker.nix
new file mode 100644
index 0000000..658d6e2
--- /dev/null
+++ b/hosts/lufta/docker.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+
+{
+ virtualisation.oci-containers.containers = {
+ olin = {
+ image = "xena/olin:latest";
+ ports = [ "127.0.0.1:25723:5000" ];
+ environment.PORT = "5000";
+ };
+ };
+
+ services.nginx.virtualHosts."olin.within.website" = {
+ locations."/".proxyPass = "http://127.0.0.1:25723";
+ forceSSL = true;
+ useACMEHost = "within.website";
+ extraConfig = ''
+ access_log /var/log/nginx/olin.access.log;
+ '';
+ };
+}
diff --git a/hosts/lufta/gitea.nix b/hosts/lufta/gitea.nix
new file mode 100644
index 0000000..e61a082
--- /dev/null
+++ b/hosts/lufta/gitea.nix
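Review bot: `networking.firewall.enable = false` turns the `allowedTCPPorts`, `allowedUDPPorts`, `allowedUDPPortRanges` and `trustedInterfaces` lines directly beneath it into dead configuration, so the block reads as if 22/80/443/1965/6667/6697 were the exposed surface when in fact every listening socket on the host (the Prometheus exporters, the Caddy port and the yggdrasil peer port among them) is reachable. Either set `enable = true;` — the lists already cover ssh, http(s), gemini, irc, tailscale and the WireGuard-style UDP ports — or keep a comment with the reason it is off, because akua.nix in this commit also enables IPv4/IPv6 forwarding and docker/libvirt add their own bridges. The `virtualHosts."withinwebsite"` entry has no `serverName`, so nginx matches it on the literal name `withinwebsite`; unless the `xeserv.services.within-website` module enabled in within.nix supplies one, set `serverName = "within.website";` or key the attribute by the FQDN. `boot.loader.grub.version = 2;` is the module default and can be dropped.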
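Review bot: `image = "xena/olin:latest"` floats on a mutable tag, so every pull can silently change what is served behind olin.within.website and there is no way to tell from this file which build is running; pin a release tag or, better, a digest, `image = "xena/olin@sha256:<digest>";` (placeholder). Publishing the port as `127.0.0.1:25723:5000` so that only nginx can reach it is the right call. A one-line comment on the container saying where the image is built and how it is updated would let the next reader decide between a re-pin and a rebuild.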
@@ -0,0 +1,78 @@ +{ config, pkgs, lib, ... }: + +let cfg = config.services.gitea; +in { + users.users.git = { + description = "Gitea Service"; + home = cfg.stateDir; + useDefaultShell = true; + group = "git"; + isSystemUser = true; + }; + users.groups.git = { }; + + services.gitea = { + enable = true; + user = "git"; + domain = "tulpa.dev"; + appName = "${cfg.domain}: git in plurality"; + rootUrl = "https://${cfg.domain}/"; + httpAddress = "127.0.0.1"; + httpPort = 49381; + log.level = "Error"; + settings = { + i18n = { + LANGS = "en-US"; + NAMES = "glico"; + }; + metrics = { + ENABLED = true; + ENABLED_ISSUE_BY_LABEL = true; + ENABLED_ISSUE_BY_REPOSITORY = true; + }; + other.SHOW_FOOTER_VERSION = false; + security.INSTALL_LOCK = true; + service = { + DISABLE_REGISTRATION = lib.mkForce true; + REGISTER_MANUAL_CONFIRM = true; + REQUIRE_SIGNIN_VIEW = false; + REGISTER_EMAIL_CONFIRM = false; + ENABLE_NOTIFY_MAIL = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = false; + ENABLE_CAPTCHA = false; + DEFAULT_KEEP_EMAIL_PRIVATE = true; + DEFAULT_ALLOW_CREATE_ORGANIZATION = true; + DEFAULT_ENABLE_TIMETRACKING = true; + }; + server.SSH_DOMAIN = "ssh.tulpa.dev"; + }; + dump.enable = false; + database.user = "git"; + }; + + services.cfdyndns.records = [ "lufta.tulpa.dev" "tulpa.dev" ]; + + services.nginx.virtualHosts."lufta.tulpa.dev" = { + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.httpPort}"; + proxyWebsockets = true; + }; + forceSSL = true; + useACMEHost = "tulpa.dev"; + extraConfig = '' + access_log /var/log/nginx/gitea.access.log; + ''; + }; + + services.nginx.virtualHosts."tulpa.dev" = { + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.httpPort}"; + proxyWebsockets = true; + }; + forceSSL = true; + useACMEHost = "tulpa.dev"; + extraConfig = '' + access_log /var/log/nginx/gitea.access.log; + ''; + }; +} diff --git a/hosts/lufta/hardware-configuration.nix b/hosts/lufta/hardware-configuration.nix new file mode 100644 index 0000000..9179f9e 
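Review bot: `metrics.ENABLED = true` exposes Gitea's `/metrics` endpoint, and both `tulpa.dev` and `lufta.tulpa.dev` proxy `locations."/"` straight to it, so per-repository and per-label issue counts are published to anyone who asks; add `metrics.TOKEN` (Gitea then requires it as a bearer token) or, since `settings` ends up in the world-readable store, add an nginx `locations."/metrics"` that only admits the scraper's address. The two virtualHosts are identical apart from the name — `serverAliases = [ "lufta.tulpa.dev" ];` on `tulpa.dev` expresses that with one block and keeps the `access_log` paths from diverging. `database.user = "git"` has no effect while `database.type` is left at the module default (sqlite3), so either set the type explicitly (mariadb is enabled in default.nix) or drop the line.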
--- /dev/null +++ b/hosts/lufta/hardware-configuration.nix @@ -0,0 +1,72 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = + [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "rpool/safe/root"; + fsType = "zfs"; + }; + + fileSystems."/nix" = { + device = "rpool/local/nix"; + fsType = "zfs"; + }; + + fileSystems."/home" = { + device = "rpool/safe/home"; + fsType = "zfs"; + }; + + fileSystems."/srv/within" = { + device = "rpool/safe/srv/within"; + fsType = "zfs"; + }; + + fileSystems."/srv/within/aura" = { + device = "rpool/safe/srv/aura"; + fsType = "zfs"; + }; + + fileSystems."/srv/http/xena.greedo.xeserv.us" = { + device = "rpool/safe/srv/xena-greedo-xeserv-us"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/8e7e8aed-d92c-4bbd-8d8e-318c8920740a"; + fsType = "ext4"; + }; + + fileSystems."/var/lib/libvirt/images/pool" = { + device = "rpool/safe/vm-images"; + fsType = "zfs"; + }; + + fileSystems."/srv/backup" = { + device = "rpool/safe/srv/backup"; + fsType = "zfs"; + }; + + fileSystems."/srv/certs" = { + device = "rpool/safe/srv/certs"; + fsType = "zfs"; + }; + + fileSystems."/srv/http" = { + device = "rpool/safe/srv/http"; + fsType = "zfs"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/23cb316c-06d8-4a74-86d2-0d2f7474ade2"; }]; +} diff --git a/hosts/lufta/monitoring.nix b/hosts/lufta/monitoring.nix new file mode 100644 index 0000000..773b991 --- /dev/null +++ b/hosts/lufta/monitoring.nix 
@@ -0,0 +1,54 @@ +{ config, pkgs, ... }: + +{ + services.prometheus = { + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + }; + wireguard = { enable = true; }; + nginx = { enable = true; }; + nginxlog = { + enable = true; + settings = { + namespaces = let + format = '' + $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"''; + mkApp = name: { + metrics_override.prefix = "nginx"; + inherit name format; + source.files = [ "/var/log/nginx/${name}.access.log" ]; + namespace_label = "vhost"; + }; + in [ + { + name = "filelogger"; + inherit format; + source.files = [ "/var/log/nginx/access.log" ]; + } + (mkApp "gitea") + (mkApp "goproxy") + (mkApp "graphviz") + (mkApp "idp") + (mkApp "johaus") + (mkApp "lewa") + (mkApp "maison") + (mkApp "mi") + (mkApp "olin") + (mkApp "printerfacts") + (mkApp "todayinmarch2020") + (mkApp "tulpaforce") + (mkApp "tulpanomicon") + (mkApp "when-then-zen") + (mkApp "withinwebsite") + (mkApp "xenafiles") + (mkApp "xesite") + ]; + }; + group = "nginx"; + user = "nginx"; + }; + }; + }; +} diff --git a/hosts/lufta/weechat.nix b/hosts/lufta/weechat.nix new file mode 100644 index 0000000..c0c837d --- /dev/null +++ b/hosts/lufta/weechat.nix @@ -0,0 +1,30 @@ +{ config, pkgs, ... }: + +let + domain = name: "irc-${name}.lufta.cetacean.club"; + vhost = { domain, port, ... }: { + forceSSL = true; + locations."^~ /weechat" = { + proxyPass = "http://127.0.0.1:${toString port}"; + proxyWebsockets = true; + }; + locations."/" = { root = pkgs.glowing-bear; }; + useACMEHost = "cetacean.club"; + }; + cadey = domain "cadey"; + mai = domain "mai"; +in { + services.cfdyndns.records = [ cadey mai ]; + + services.nginx.virtualHosts = { + "${cadey}" = vhost { + domain = cadey; + port = 28945; + }; + + "${mai}" = vhost { + domain = mai; + port = 28946; + }; + }; +} 
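Review bot: the `node`, `wireguard`, `nginx` and `nginxlog` exporters are enabled without a `listenAddress`, so they bind the module default of `0.0.0.0`, and with `networking.firewall.enable = false` in hosts/lufta/default.nix that publishes host, WireGuard peer and per-vhost access-log metrics to the whole internet. Set `listenAddress = "127.0.0.1";` (or the Tailscale address the scraper uses) on each exporter, e.g. `node = { enable = true; listenAddress = "127.0.0.1"; enabledCollectors = [ "systemd" ]; };`. The `format` string only works because default.nix leaves nginx's log format at the combined default and rewrites `$remote_addr` via `set_real_ip_from`; a comment pointing at that coupling would save the next reader a hunt when a format change silently stops the exporter parsing.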
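Review bot: `vhost = { domain, port, ... }: { … }` declares a `domain` argument that the body never reads (the virtualHost name already comes from the attribute key), so either drop it from the pattern and both call sites or use it, for example for a per-vhost `access_log /var/log/nginx/${domain}.access.log;` like the other vhosts in this commit. `locations."/" = { root = pkgs.glowing-bear; }` hands the web client to anyone, which is fine because authentication happens against the weechat relay, but that makes the relays on `127.0.0.1:28945`/`28946` the security boundary; with the host firewall disabled, confirm the relays themselves bind to loopback rather than relying on the proxy path.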
diff --git a/hosts/lufta/when-then-zen.nix b/hosts/lufta/when-then-zen.nix new file mode 100644 index 0000000..45ce647 --- /dev/null +++ b/hosts/lufta/when-then-zen.nix 
@@ -0,0 +1,167 @@ +{ pkgs, ... }: + +let + port = 38471; + config = pkgs.writeTextFile { + name = "Caddyfile"; + text = '' + when-then-zen.christine.website:${toString port} { + tls off + errors syslog + + root /srv/http/when-then-zen.christine.website + + internal /README.md + internal /templates + internal /LICENSE + internal /Caddyfile + + ext .md + + browse /bonus + browse /meditation /srv/http/when-then-zen.christine.website/templates/index.html + browse /skills /srv/http/when-then-zen.christine.website/templates/index.html + + markdown / { + template templates/page.html + } + } + + xena.greedo.xeserv.us:${toString port} { + tls off + errors syslog + + header / X-Clacks-Overhead "GNU Ashlynn" + + root /srv/http/xena.greedo.xeserv.us + markdown / { + template blog templates/blog.html + template index templates/index.html + } + + browse + } + + xn--u7hz981o.ws:${toString port} { + tls off + errors syslog + + header / X-Clacks-Overhead "GNU Ashlynn" + + internal /templates + + root /srv/http/xn--u7hz981o.ws + markdown / { + template index templates/index.html + template page templates/page.html + } + } + ''; + }; + caddyPkg = pkgs.stdenv.mkDerivation { + pname = "caddy"; + version = "1.0.4"; + src = builtins.fetchurl { + url = + "https://github.com/caddyserver/caddy/releases/download/v1.0.4/caddy_v1.0.4_linux_amd64.tar.gz"; + sha256 = "0cmlwkp3cjx5yw3947y91wymsr398knq92q3iwc57bdzdi33fzwy"; + }; + + phases = "unpackPhase installPhase"; + + installPhase = '' + tar zxf $src + mkdir -p $out/bin + cp ./caddy $out/bin/caddy + ''; + }; +in { + age.secrets.mi-token = { + file = ../../secret/lufta.aws.env.age; + path = "/var/lib/nginx/mi-token"; + mode = "600"; + owner = "nginx"; + group = "nginx"; + }; + + services.fcgiwrap.enable = true; + services.nginx.virtualHosts = { + "home.cetacean.club" = { + locations."/front".extraConfig = '' + root /tmp; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE 
$content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; + fastcgi_param REQUEST_URI $request_uri; + fastcgi_param DOCUMENT_URI $document_uri; + fastcgi_param DOCUMENT_ROOT /srv/http/home.cetacean.club; + fastcgi_param SERVER_PROTOCOL $server_protocol; + + fastcgi_param GATEWAY_INTERFACE CGI/1.1; + fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + + fastcgi_param REMOTE_ADDR $remote_addr; + fastcgi_param REMOTE_PORT $remote_port; + fastcgi_param SERVER_ADDR $server_addr; + fastcgi_param SERVER_PORT $server_port; + fastcgi_param SERVER_NAME $server_name; + + fastcgi_param HTTPS $https; + + # PHP only, required if PHP was built with --enable-force-cgi-redirect + fastcgi_param REDIRECT_STATUS 200; + fastcgi_param MI_TOKEN_PATH /var/lib/nginx/mi-token; + fastcgi_param SCRIPT_FILENAME ${pkgs.xeserv.whoisfront}; + fastcgi_pass unix:/run/fcgiwrap.sock; + ''; + forceSSL = true; + useACMEHost = "cetacean.club"; + extraConfig = '' + access_log /var/log/nginx/home.cetacean.club.access.log; + ''; + }; + + "when-then-zen.christine.website" = { + locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; }; + forceSSL = true; + useACMEHost = "christine.website"; + extraConfig = '' + access_log /var/log/nginx/when-then-zen.access.log; + ''; + }; + + "xena.greedo.xeserv.us" = { + locations."/".proxyPass = "http://127.0.0.1:${toString port}"; + forceSSL = true; + useACMEHost = "xeserv.us"; + extraConfig = '' + access_log /var/log/nginx/xenafiles.access.log; + ''; + }; + + "xn--u7hz981o.ws" = { + locations."/".proxyPass = "http://127.0.0.1:${toString port}"; + forceSSL = true; + useACMEHost = "xn--u7hz981o.ws"; + }; + }; + + systemd.services.caddy = { + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "nginx"; + Group = "within"; + Restart = "on-failure"; + RestartSec = "30s"; + }; + + script = '' + exec ${caddyPkg}/bin/caddy -conf 
${config} -port ${toString port} -agree + ''; + }; +} diff --git a/hosts/lufta/within.nix b/hosts/lufta/within.nix new file mode 100644 index 0000000..58d417b --- /dev/null +++ b/hosts/lufta/within.nix 
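Review bot: `age.secrets.mi-token` decrypts `../../secret/lufta.aws.env.age` to `/var/lib/nginx/mi-token`, which `fastcgi_param MI_TOKEN_PATH` then hands to the whoisfront CGI running under fcgiwrap; the file name says AWS credentials, the secret name says Mi token, and if the file name is the truthful one this puts the Route53/ACME credentials within reach of a CGI script as the nginx user — confirm which file is intended and point `file = ../../secret/<mi-token-secret>.age;` (placeholder) at the one that actually holds the token. `caddyPkg` pins Caddy 1.0.4, an end-of-life release line, by tarball hash and runs it as `User = "nginx"` (so it can read that token as well) with `tls off` on `${toString port}`; with the host firewall disabled port 38471 is reachable directly, bypassing nginx's TLS and access logs, so add `bind 127.0.0.1` to each site block in the Caddyfile or confirm Caddy binds loopback only, and plan the move off v1. `xn--u7hz981o.ws` is the one vhost here without an `access_log`, so it will be missing from the nginxlog exporter while its siblings are present.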
@@ -0,0 +1,173 @@ +{ config, ... }: + +let + paths = [ + "/srv" + "/home/cadey/.weechat" + "/home/mai/.weechat" + "/home/cadey/life" + "/home/cadey/org" + "/var/lib/acme" + "/var/lib/gitea" + "/var/lib/mysql" + "/var/lib/tor/onion" + "/srv/http/xena.greedo.xeserv.us/articles" + "/srv/http/xena.greedo.xeserv.us/books" + "/srv/http/xena.greedo.xeserv.us/css" + "/srv/http/xena.greedo.xeserv.us/fics" + "/srv/http/xena.greedo.xeserv.us/pkg" + "/srv/http/xena.greedo.xeserv.us/repo" + "/srv/http/xena.greedo.xeserv.us/templates" + "/srv/http/xena.greedo.xeserv.us/tumblr" + "/srv/gemini" + "/home/cadey/prefix/flightjournal" + "/run/keys" + "/home/cadey/backup/ponychat" + "/home/cadey/backup/shadowh511" + "/home/cadey/go/src" + "/home/cadey/code" + "/home/cadey/prefix" + "/home/cadey/backup/construct" + "/home/cadey/backup/greedo" + "/home/cadey/backup/luna" + "/home/cadey/backup/tulpa" + ]; + exclude = [ + # temporary files created by cargo + "**/target" + "/home/cadey/prefix/aura" + "/srv/http/xena.greedo.xeserv.us" + "/srv/backup" + + "/var/lib/docker" + "/var/lib/systemd" + "/var/lib/libvirt" + "'**/.cache'" + "'**/.nix-profile'" + "'**/.elm'" + "'**/.emacs.d'" + ]; +in { + # services.borgbackup.jobs."hetzner" = { + # inherit paths exclude; + # repo = "ssh://u252481@u252481.your-storagebox.de:23/./lufta"; + # encryption = { + # mode = "repokey-blake2"; + # passCommand = "cat /root/borgbackup_passphrase"; + # }; + # environment.BORG_RSH = "ssh -i /root/.ssh/id_rsa"; + # compression = "auto,lzma"; + # startAt = "daily"; + # }; + + within = { + backups = { + inherit exclude paths; + enable = true; + repo = "57196@usw-s007.rsync.net:lufta"; + }; + + services = { + # webapps + aura = { + enable = true; + domain = "pvfmsets.cf"; + }; + + mi = { + enable = false; + useACME = true; + domain = "mi.within.website"; + port = 38184; + }; + + printerfacts = { + enable = true; + useACME = true; + domain = "printerfacts.cetacean.club"; + }; + + xesite = { + enable = true; + useACME = 
true; + domain = "christine.website"; + }; + + # gemini server + rhea = { + enable = true; + sites = [rec { + domain = "cetacean.club"; + certPath = "/run/${domain}.crt"; + keyPath = "/run/${domain}.key"; + files = { + root = "/srv/gemini/${domain}"; + autoIndex = true; + userPaths = false; + }; + }]; + }; + + # bots + aerial.enable = true; + tron.enable = true; + withinbot.enable = false; + + # static sites + lewa = { + enable = true; + useACME = true; + domain = "lewa.within.website"; + }; + + tulpanomicon.enable = true; + graphviz.enable = true; + }; + }; + + xeserv.services = { + aegis = { + enable = true; + hostport = "[::]:43705"; + sockdir = "/srv/within/run"; + }; + + todayinmarch2020.enable = true; + within-website.enable = true; + }; + + age.secrets = { + "cetacean-club-cert" = { + file = ../../secret/cetacean.club.crt.age; + path = "/run/cetacean.club.crt"; + }; + "cetacean-club-key" = { + file = ../../secret/cetacean.club.key.age; + path = "/run/cetacean.club.key"; + }; + + aerial-env = { + file = ../../secret/aerial.env.age; + path = "/srv/within/aerial/.env"; + owner = "aerial"; + group = "within"; + mode = "600"; + }; + + aura-env = { + file = ../../secret/aura.env.age; + path = "/srv/within/aura/.env"; + owner = "aura"; + group = "within"; + mode = "600"; + }; + + xesite = { + file = ../../secrets/xesite.env.age; + path = "/srv/within/xesite/.env"; + owner = "xesite"; + group = "within"; + mode = "0400"; + }; + }; +} diff --git a/hosts/lufta/zrepl.nix b/hosts/lufta/zrepl.nix new file mode 100644 index 0000000..e1f7b1e --- /dev/null +++ b/hosts/lufta/zrepl.nix 
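Review bot: `xesite.file = ../../secrets/xesite.env.age` uses `secrets/` while every other entry in this block (`aerial-env`, `aura-env`, `cetacean-club-cert`, `cetacean-club-key`) uses `../../secret/`, so the path almost certainly does not exist and agenix will fail when it copies the file — change it to `file = ../../secret/xesite.env.age;`. The `exclude` entries `"'**/.cache'"`, `"'**/.nix-profile'"`, `"'**/.elm'"` and `"'**/.emacs.d'"` carry literal single quotes inside the Nix strings; unless `within.backups` passes them through an unquoting shell, the quotes become part of the pattern and those directories are not excluded (the `"**/target"` entry above shows the form that works). The commented-out `services.borgbackup.jobs."hetzner"` block is dead configuration that names the previous repo and passphrase location; delete it rather than keep it as a comment. `cetacean-club-cert`/`cetacean-club-key` are left at agenix's defaults (presumably root-owned, mode 0400), so confirm the rhea service can actually open `/run/cetacean.club.key`, or give the key an `owner`/`group` like the `.env` secrets have.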
@@ -0,0 +1,54 @@
+{ config, pkgs, lib, ... }:
+
+{
+ services.zrepl = {
+ enable = false;
+ settings = {
+ global = {
+ logging = [{
+ type = "syslog";
+ level = "info";
+ format = "human";
+ }];
+ };
+
+ jobs = [{
+ name = "backups";
+ type = "push";
+ connect = {
+ type = "tcp";
+ address = "[fda2:d982:1da2:180d:ce10:49d:742d:aab7]:29491";
+ };
+ filesystems = {
+ "rpool/safe/vm<" = true;
+ "rpool/safe/vm-images" = true;
+ "rpool/safe/srv<" = true;
+ "rpool/mkvm-test/buddy" = true;
+ "rpool/safe/home" = true;
+ "rpool/safe/root" = true;
+ };
+ send.compressed = true;
+ snapshotting = {
+ type = "periodic";
+ prefix = "zrepl_";
+ interval = "10m";
+ };
+ pruning = {
+ keep_sender = [
+ { type = "not_replicated"; }
+ {
+ type = "last_n";
+ count = 10;
+ }
+ ];
+ keep_receiver = [{
+ type = "grid";
+ regex = "^zrepl_";
+ grid =
+ lib.concatStringsSep " | " [ "1x1h(keep=all)" "24x1h" "365x1d" ];
+ }];
+ };
+ }];
+ };
+ };
+}
diff --git a/hosts/toxapex/default.nix b/hosts/toxapex/default.nix
deleted file mode 100644
index fca1e9d..0000000
--- a/hosts/toxapex/default.nix
+++ /dev/null
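Review bot: `connect.type = "tcp"` pushes raw ZFS send streams of `rpool/safe/home`, `rpool/safe/root` and the `srv` datasets to `[fda2:…]:29491` without authentication or encryption; zrepl's plain `tcp` transport is meant for trusted links only, so either record in a comment that this ULA address is reachable solely over the VPN/overlay, or move to the `tls` or `ssh+stdinserver` transport. The job is `enable = false` today, so nothing is exposed yet, which makes this the cheap moment to fix the transport. `"rpool/mkvm-test/buddy" = true` reads like a throwaway test dataset sitting among the backup targets — confirm it is meant to be replicated and pruned on the same schedule.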
@@ -1,111 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ../../hardware/macos-rosetta - ]; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - # networking.hostName = "nixos"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # Set your time zone. - # time.timeZone = "Europe/Amsterdam"; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkbOptions in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - - - - # Configure keymap in X11 - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = { - # "eurosign:e"; - # "caps:escape" # map caps to escape. - # }; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. - # users.users.alice = { - # isNormalUser = true; - # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. 
- # packages = with pkgs; [ - # firefox - # thunderbird - # ]; - # }; - - # List packages installed in system profile. To search, run: - # $ nix search wget - # environment.systemPackages = with pkgs; [ - # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - # wget - # ]; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - # services.openssh.enable = true; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? - -} - diff --git a/hosts/toxapex/hardware-configuration.nix b/hosts/toxapex/hardware-configuration.nix deleted file mode 100644 index 40e9782..0000000 --- a/hosts/toxapex/hardware-configuration.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = [ ]; - - boot.initrd.availableKernelModules = [ "virtio_pci" "xhci_pci" "usb_storage" "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/402c8c24-de0b-4392-9a28-37517b15d0cf"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/CF82-94A5"; - fsType = "vfat"; - }; - - fileSystems."/host" = - { device = "share"; - fsType = "virtiofs"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/3fb88e75-9469-4b50-8ec0-c4fdd4dea9d0"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s1.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} diff --git a/secret/aerial.env.age b/secret/aerial.env.age new file mode 100644 index 0000000..b127dcb --- /dev/null +++ b/secret/aerial.env.age 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ sX8QXT0aNypOPGyo6VVCcsPu1bqKo0kr1Kd+KRZMdGI +bwzaVLVoiKk5HMI7WMxlA4kTwMpuWlD6nSAfMoK9CHY +-> ssh-ed25519 txQL9A pDxZPtIHKEldOyPsCKLFi6qW05ASwhdG1UHL2zE0jwI +3kpzZZ/BghlLsOMtBb1+IPHVR9aKMLT0fPPcXW1V/0w +-> ssh-ed25519 YcYwVA E07VHnKdJ0ndOeF9CnP5rpaZlWA6Ik0EQz3KrrZbpyE +1gOR1mZYEK5BjkwZP98vuQ1KY6HQ57M87ay+K90TZJM +-> ssh-ed25519 rIaBGw pX28F96rAo9uV+eY8z/CpymFvEst7T9hX5zwr6A6QEY +2cXfDbyPHavifi9IKmCDYJ99GuaNJA0JdeVpWzCxdXk +-> ssh-ed25519 H5HtPA 3hJ4CUQ23w7SHKqpdMgMw4i5Ka/CU7EsA1uiUfpaxx4 +NvOVzLd0QNkyySxRh7l2glJP8bMZc20EXj85VGtf4SM +-> ssh-ed25519 Yy06mw 4ybL32VLmuUdE2iXu3b0dY1FCweOH0pJfyBii3+exgc +0gEcM4MWuQzJIeiEsbabIC8IdIbLQYyrBhpcTR3hazE +-> ssh-ed25519 6Sqpww qV//WNxYiqbFzdSrd4YEQ/ji7wDSo+b7zHJqpj9wv3w +VHDq5APsm+BkZFXwGbVZkiLWzwLONw4TsyLweokrtGU +-> ssh-ed25519 Cb6l4g jd1R/g3pOX9mtuaZR0kUqTdUU4U83QXi6OI8SYCLayU +8WDPeDK6bKQYZX5LE4bTmcODkwWFXcAcYNuEyOgXDSk +-> ssh-ed25519 x40ZwA Ix0DVuYIb+6beM0dWdYnIWUOw+xdggofhi8671RoExM +1uI1L9L1r5NBTaCwOhvwPtIstP9hPRNwiOB62rAc1fY +-> ssh-ed25519 ZvILxA X2kLLYS+c/cMBEUrV++LF5vImgcfpWCX2YoKAusRA1c +UgoAYHE4kqa+8Jl9mqFQxNpeUhaazqA2TigD1VZ6ywo +-> ssh-ed25519 0rx8bA yrAvfxjl3mqeKrCSCvimj/IFHP4OzPtbmO0tbryc/gk +DoMOm0Kgv75sxWS9qkMsSDRse3+XymWf2m+MQLyUc8M +-> ssh-ed25519 extxyg vWN8YTDceSAAJvLtRZap11YkSKBRQdXktgRjJm6oMWo +KZeby3vB80nBTWIYiHpbhCl13eOyksvu9TX+KhON5GE +-> /x-grease +zIM +--- atvkZYi9jdu47B/KnBbmWqf0pJOgl+vXT0n94s6d2qE +RK gݩ$L +/ʰSRO:"6D >{po>bll^7*O:_# xHu(򅣦`M_n \ No newline at end of file 
diff --git a/secret/aura.env.age b/secret/aura.env.age new file mode 100644 index 0000000000000000000000000000000000000000..89aede3d5989bb023e8435907c539397c214c8f7 GIT binary patch literal 1927 zcmZY8{g2y(9R_fi_NI*fQs|IYCQ|7pZB4Is96K*uRnB(e*s-0&N&MO#!m(q=@k?Uo z#V>sUv|d-Pn$~SaR4~?|PV11ErqQ+QIH?G2mDo-b+Qe<$ieLk=3Md^2Mq#SPs{MHU z1s^@%=liH;Z@%YgK|GpRLvQCWFo9V%HNQJO9{1;aI)otEQhLyU*cq3u0%AiAv$=u> zP9>3-!x=Bb62Qr3b6VAHV#d^zb{VXrRXf$4ad>?^1#o&mb8ddbs6-tM@KDn;0O3)z zVepf15U31JZPX?a$CS`?tqC{=Y4v-k30Scm3jF}AwiUlNiKJ{sfxJ8<**@CR>|sh0 zDne4N7PJ}Ij1d`0MB5!<1*zM%jr<5^Gzll#a?Rq|@kUM7CS_jte-9NxC9hO1Ml;>xZc^AD1Dt+lmzfmMadJK%7jAwX7;*LyeU&Sw&?w z7LdZIvQY~t6|08n9!j=wD?;Q#c3`#{5-&mgEQk<;0AaeC6!1>Jgee7MLddB$t16h$ zC^7?1hnN{avT8WVgcdmniQX7&cOt`wNwjGa_C}3F$Vn4TlYPGClrtV?6D*mXH~??D zelCg{g{)2%V9K=1vuwW))^A>t>FP2f#h@?ioX25GSIFazLG^T9q-~Re{A!XZiR8Ef zp&K#1He-K+=6x@RiHTY!fChw_)->C0@TjLm%8bgpx`Ns`9~M&}0^)A7?o@FI zb(um)wM!lihYh3N=nAFLh>6X~NU_*<=2Kd}?T^ARJ#8uB7<81PAt^>k!HQ<~lCCyj zT@=a%N~s{}Fey6zs1K(^nlkvVN;SuDu^#y#HzaMf;*y-%GNFWt6u}gHu`jzyxG@{v z%{#D}CIpk=14Hu1G^aM;B;QF0wA?P*RoJ4DLQ}KIVx7)rAjnQlhk!zr#KcuFq1T^~ zIiU|3ysnAJB+FDuCEHh;QL*080eGVp!JrbNX;BwjO?6hzl<4}{2otHT1bq(4+e5jR zYa4n??eeV_sfT4dg^>w69gEdTi5$6=N!A|@T40SMx|vuRH(45OQ&uafL9)ed)NWS7 zL})rjrHrp&3ZmE5E-ovP%wRQEESYjnM9Z9PG`vouFvw*vImH5uIO<~wn1w4qkhln? 
z&XNvU@)fbc$v#o$d&sCo@>KMxb%Q}v?A}~A&+-}|Qf^s+b9z^3i6t!F*Zp_w;CQ)pr z9b66@zHYY2e1&DBPC+wqzsWE**%hKVmn%kG(6lR3KeSUl0`c%pBPn+(9%^+pF{))V z{VLs3w3uz;?=z81UPR-1`bR(HumJ4oRIB$G(1yb|#^J$7ss*YMjO^h|# zj0^en$Op@a$5U?Is8Jv^@X#C&S3rtQy@J2?+$ZQ z{LWn6wH!T)*Nc089E^hN{{ps!k1h}&zj>FppI*A(`0&hwTaN@UzjNnp)5~+P)zV8@*c>hV~EcTs8)_!m)UisUr z@72CnxTc?9`u5g4FH0{j=ieWzTX<(}@fo;#_>QBm|2=*C^a_9GgU_FIw=S-1TP=U( z&@t!Ps~-~EKDzeg?I#vO@*tL8e#!VNws-CD-03ejeqY{{O|EwUYD-{OG_rP+TEE(%Yb-#15}dTRS2<|=um z{NC5E|518~-$Y#7a&`Az2OpTexLQ5+>W**C+0S203XA66Ka79l0P|mX`&i}DXTNmv p=bOKKOJVhCR`o9DH?4f;& ssh-ed25519 jO2MvQ tcy9nhpJ+UPN75OkSmbysFYVJzGb+AlbmXObhnON5BQ +yQmNFxNqKQGY8HbW0ihuVnBzBp4/uxtjZYFYRSn6tNc +-> ssh-ed25519 txQL9A HtGBgibnD1j0S5PPKZaiR3q8fAU8U2kwHIlI1cNIsXM +Po5AEklI7tLGfYEqP4wQ3EVrEKvpP2rszTQAH84OJ2g +-> ssh-ed25519 YcYwVA bcXifq9JiaALth6WEJW/vo/R/2ZfhzjjvmLC4PLy7XI +d5XAJCeDmTuKZSuYpK6NLJgmL/dXMa+tY+pb0g+QnDs +-> ssh-ed25519 rIaBGw Ed5MYSq54gzHibDdwGDFl4YrOWapeoKdjOAus91UxGY +L/FGN/v7c4rPpH5MvrsJlY7z2HuS4VdCOxRyrw3I3FA +-> ssh-ed25519 H5HtPA k5YIiz/4ys7UMTTBeXNAwBNf9OQxHXl5296T9ohdcTg +gJubCP/bIYU4oe4AIMgaAEcy2Mv+WY0Lk9rsJhd9LvI +-> ssh-ed25519 Yy06mw 5GyyzJn8OduTQkThFaN2BHouEmLAT7bA9/JL9z24gBA +buY52j20/qUtOrxpY7inEpWcRAmMY9KAMj3uCsqrRJA +-> ssh-ed25519 6Sqpww pLp0l+R5n+O/YsMZOQ1sMdE6428LX8HemN4mYa0OaQU +9xCpVbzTbWWfydcCakBKNXww4aADfRXGHRX7ekvedPk +-> ssh-ed25519 Cb6l4g T9pAZAUZh05W233esyWksKcH1EmjXEF/B+X6P8b1NW0 +PvT+RJYkVWg/lKl7DiYU9gTuVq6pi5xaI3rFa1mUsYM +-> ssh-ed25519 x40ZwA n9H9PP4MnWpI6KK/OwDLajbw4XC/2y+xfEUpEnJVMg0 +3AZZT+YCRuJswxVyDWQIqaow34goNhLif6x5Xo445gM +-> ssh-ed25519 ZvILxA 2e3rs7856mAhe6Ak/emu3bqyOCkmwwAGZKq+glJpGwI +RtW50MXUf4OnX6kOEcMIzdBPlsjYxHhOCv0Ba4XHASM +-> ssh-ed25519 0rx8bA r6R57M+kOsN84QUHru71E7wBQRqfU43Z0ON95Up0Xnk +F6kr7g6MOfhrFSsdEjz3AfBzzGNBtRkOZtlu3YJVIC4 +-> ssh-ed25519 extxyg cKtLG7W85XXDy7MRS6+Z/gTEEsxoO7w+GwstY+V84SU +4cQB1BMsIFc2tvYK4LbD7b6B5MDpzMurBj+w9EwYnT4 +-> Q?-grease +8wPImyj0LyPiATdO14ObjpwPi/viYFMmPTjpfr8FLuGj3SriUUI2wRqhfHwkfKxX 
+EuhnMufWCr/b/jLnyS65mVOOPw +--- 9BOzJF8aanp+LJE/40BiLjoFnmausvs8Qd0BGLSgGBY +OCBq2aUMg9D΍˚.hXп+k{n ܇I$3Aز>!B`]LrS(=5"Ծu+ެp`_q +٧M# 3)MK[Uc`+KN \ No newline at end of file 
diff --git a/secret/borgbackup_ssh_key b/secret/borgbackup_ssh_key new file mode 100644 index 0000000000000000000000000000000000000000..9d343c88b64c3f547aa32e3a811258ef632f5465 GIT binary patch literal 1941 zcmZY9{qNia0mpF@=LQ#1%m|Ah?lg+q%6Hf6wbvftr0qTQ+Phxwp?AHTO!|E7U7w#% z<}@&aAb!~rLPi)c1d{o~0*g$9!S@Fl$YcU;Odb@)A4D@j78ApqM(3~J{ROYQlTSXP zt}dyz>}PIhIQCY@*9&nmx3n!E1k)u|fe@rv$(tRh9e4Ac3?7sL4ZxhHIsy?gLUm^r z5zeAKY6#?_OiUBmp2l{qE9V%t=$l|lnvBfV3QdSC`Ra&JxMtEqrVH3_2~-QLO%*sV(J(Nw_lcFMHUY8|&-V8PpLt(!|7qvA^gM6s2E z1hz{YTj4vVLPsH;v?p}S0X4KX#SI;~NE^%JWQga*#e7yuU6NekN;_gCLr5RB67jv%Gf>*cs zO_69Mc@bi>**tTDqGQ@=CifOhF9jw_=AX(LHl z@9QQ_`16t?bEZ|)<~EF@@)!@&V6{deRLJ4^iC5<>z1xToHXB>4AveXW3Xcp(nOROm z@;I3es~S$1k|ZajCsaDii1TUFxg_xuhzyHShg;- z1uiHz`b5JBRl7&b$l8JcVwV*Hh?t2qi&dGV)AL7yUdwp{y3q=!bG|!d{4A*|_1<`L zK?*VusnrG=t59M!l0^u)NGta}H%TsR5`s%v;tE8a(T&2yYXc)hs*5ovf+mgH9k|z- z@;!_-lH8~MYWhojFvQLYe*Qt^L1Y}ro9F4?b7nM+XbsH&_=dhj+{W8>4 zQ3Q=JiBxR^?*>&uavN01E|`^cJ{_Bl603@6Ey$^1rYeaqwQ*OdkhW0>XBkz787ox8 zVVkWnhJ$yi%>=P8+GGlYlLXIG>KJbL<%EMeEC7?CC{5Tlg}AEFH?>lQbTSDbnoTX_ zom?$#w7@baB`!E*rdUJjm#T5S*ppl|l5m|Fpwob{+0aPGtJ@}Vvz6lcItF{mlql5w zbPR@djrIk87D}Q3K-8!)5&%*TXMhlpR*>`S9tcoSyV$oaDFCVQWYkL_t7=#-Q@0m7 zHU(#eC^W$fi(2(1pr2wAo(GeDnDntmt1ferWZSe$s|#krOQ}^#;8u4w*U+|%3RD-* znL(^*BfGp1{BFsTu&77^vTankYyq@-C17AWev3#-(-F2>Q`0cb^t>AhjE9F!eButI zh_MU0>h(%-q!i+g!AZD0sRfSG#Czt2=aS-19U*)}=>Y|>(l6H86gBuJG1eQH*smE% zS|B33WpnNSYy2cw(tTA7)I7VhY@%=;j?=BVbZYvEGIB7!!qkGY;kJXmBjcJE$rd+^ zdwxmmxid$hvzX|{p#cF?kEtL6H^7=z-y7t*klZU;Rwj3QZU!~yHIFa%lp#!3n0an# zX(1PhzHshQX*S2NJ$T8}%@=WYZT#PdPXG19 z?YDjYhQp^%X+J*Heh_?U+qJWGU)#$3>^`>p%#L6G{gETgvELl{#&Iw#=bk#Xa_j!D z?%lItt9kkTzg?dFaR2w$zxR@L{Bw`l&!3e3@`pS3Z@J3~J^9&3JJr{Y{bS#kPw%zg ze&s9g{O6iG-fP$gPVkTad(UM*FTMQny$|oJ{pm_=Gez(G)~?I#cYpc8+OtRXM-DnG zUpEKO&F}c|mZj@%L0?|E`}R%C=l`6$`PBywU+;hFkBh4}F(h`#eB0GGz7=oUu)J$> zxK`iy@#Ofa^+*2p-0pjhZF^thj($`pL;BKK<~)Z(nuvidQ%PbIlv4M<0A~S$}$n-Wc&O6t_J86#eFF u*xBXFe&C{udv>4r>;~_u?MFA|8XYDJ;);$ZX9NDg)v;GGd_PPH6 literal 0 HcmV?d00001 
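Review bot: `secret/borgbackup_ssh_key` lands in the repository as a binary blob without the `.age` suffix every other file under `secret/` carries; the neighbouring `secret/borgbackup_passphrase` hunk shows age recipient stanzas, so this is presumably age-encrypted too, but nothing in the name says so and neither a reader nor a secret scanner can distinguish it from a plaintext private key. Rename it to `secret/borgbackup_ssh_key.age` (updating whatever references it) so the encryption is evident from the filename, and confirm before merging that the blob really is ciphertext.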
diff --git a/secret/cetacean.club.crt.age b/secret/cetacean.club.crt.age new file mode 100644 index 0000000000000000000000000000000000000000..70bfee81737ac8db1e777cf1a738888c8edcbbfa GIT binary patch literal 1998 zcmZY7`O_1H0mkunXrUUWlnT?qX{Tm}!Ko}EyPI=4Ub{IqyUAvgO*YwNmD=4+vPY8L zWOtK2%FBS#DfNKysHKWnJm?e!Ulsa_()zZJ?+oL-6BVY@&!iyrYQ%S4LA~k5WiZ0^F!LNMZzhyK?-fkZLnaa zl#S%Ogj#e2h-lTqoe)8wHd_;rJZk$IAfBa5nFOIID1+p9zO0f(sUAsqRJ(waA;)GZ zVwfothB#BR9GXN>f8Xl9W{`PRoX<2H%c& zqE(47D%=tQltIB1p#TZI08#@e>|+s%Z4~K9OxFpMr~f?zQtFMv>!i zuz@j^nVLcHiHz;<7A&j~&yaBdL{o6I=~lC3VnAk4ImYslzR0E(2L})V!s=Os(#M(XQ=R;4G%cfpXjkdhrgx^SGUfF@q`j} zD>)V%3I+2$y{$4{(X+x(EmA{$xK@Nbqh(rO^gEPe)m|1)<*SgRGk{DLYFUp>HDyXy z3RrxmmK36$u;d?PoFUc}qcJK737pzx9neYjx@bHpVn#pehC`_`P3(Cxp=SJjuSe`_Z0wlQ5UVEu~0svWStsAMw3Q32@Wv9 zaD*>a!VL-1LH$Gt&sU-uKFBz#5)zegFjk^X1lAac)cbTA=u=<;VZ;<$@pS|TV3e3s z2S7JU4YM8-mEl&nB(l1e6lkp^A+~Mi5sLfLHqdb50_xABfXk-DN}0zTSB>P!cGeI| ztZG@TjCSNgu-~jBIGpaWai7VVi8QWKQV$_wwRB^cVyU+7w#{NJ*s2x;sZzzmSJ_mHE$VF6w5v5l!QzIkV6hNUO0;2K{iCHnuGFbXOG$!PLs(^qyF&goE;oTv=QH8jZ=2n77R&Y>+xh zf8Y4Ia6h^2QsgG)H{tttTVq%L0bIR4IXjuSi@)@V9pvt~w$AymqETPDx%V%6bb+@1 z#GgZ+`CfeW=(^9QA4_qEFMjIYkbWVx=$+QpH9neKgM_ca7p9&j8lM9{2%MUKYw!Ae z@5~*g3rEhjxRtMw^Y|;PPaGUO2`+vuu=wny#IZYlUwyhfcW&X#_^h`-dw;|6Ia@X$ zUFM|sskX28;?)yBnf%~C>+RC>9{{)PF8_GHI(OgYEibK0FTDHJz_ajQ@40Pkdd1|3 z<;~jqvxZAo_>V5 z@!jp;+`Q^Lqq|1N=TMjSyv}Z!H8nnct#Nbn<#Wqku_k`>;r`kGJm`Px6X%e5<)@36 z?0R<2L!5leAemmU?#UyHyq`IC>y8JFoudCx=pOvRmHN~Qq6q99d*I|k*#7#;eRs!h zYOLDGUm@1)x?$70NpAb2n|8nLMZfnF@f2}!(UH?zmYmWiH*Hv6JAd}|=P!ca{{G9W z*Y}?x2KQ;#R|ZGkKeOm}N6(xsjqkef#?-GizBlo$clI3WubqDMtyiq*AO85Ysiz)V zJAV53L?^uMfcE#Xd9%-1$FRNIPj1~tZUlcVzHmPGjk`8aXx{bH_XVBD`6FfNJpH+ahadRmfye&`;=k$U literal 0 HcmV?d00001 
diff --git a/secret/cetacean.club.key.age b/secret/cetacean.club.key.age new file mode 100644 index 0000000000000000000000000000000000000000..928a890973e0cb27a17adeb77fa9760aefc463aa GIT binary patch literal 1718 zcmZY6{p;KY0mpH_gCQPOOY59J-Wcs@P4r23t^oYuSx9 zaqTLww_9Z<304V0BU;C>Vjs0JmGhuAMDZ*_88(Tm+qJ`a_!{OJ44oJpt+9l-uNAc> zQFIp?5IZS}(SAF}12rxLfHSg4NO_a@wwhZ9V_7Jd?8axsj;8c@k77p?D&dE4wS+wx z-5{o#aN9%|l%icw41`M~2;lcM$8#!+?k4pLQ!Pi`2{{SR?T|deV7#4yrZta;Q zP%xcDY-qWYESgd;jmWluHez@MDEZ(adq* z=*13;Na(-{Fo!4-eJG}y4NTiGK!Bw_6bPKs<<2SqeXs(}QbSb^pJJGg%!xj+IjSoJ z<@7RTtk4$IDk;rbV1*oF4 z8QDi{SU43eYy{EEhppU(%zV8l!71G#b!*{@TX7{7fMI*1TH!#4RAMQb``U(&0b(hy zupAgg!G0S)Nt3GTN-^#7;j94*JzMvE1rr?sm&UUNBDO2;+$v$e}WsZ&p8rd3zy$R_{*mrEpvD}1(CFrsGUd>Z!0ZT+6#W~C_AbXR7}kTCPo(FSG(XVDxTuoX?r6kwQz z;I;u*sizd11lGw86J_{dFtn2lDJNSaaF}7+^Voh%k&A@wYdoZ{heqPA7xaD`l-1;% z?(!>iveJQZvf5-6*l7H4=XtxWHG}ghgw1#q4re79R0ZO78qvxJn2j?>@`5t!L6G1h zQL*!>IZ==j^(Wy{mpGDDN6^0J*G1g~T`XZKLRFn1X;6eb0uzW9GJO=QBWo}qeVPM% zb2r!ytdQ)as78G zBL~6YF*}l5ZJw5lLS-2>{Jo|y`*PnhT z{ro+DZ$5h3x$?o+{`$LY_RH`7UTI!^=1tZ=YLyl5AN;W_>cR!WpEL`@7&dI-goWbGXC!5>|-yV zzfqpL_SB_+eC3m`2xkvZaF5;iEPMQn-8uKh?YDn%{p8)){h!)!SKq$*!biUIjWd7# z)B4Nu>kohR!oTkgPd}AE{>basslVL*`Ke1Ed*_GWYwr(U`%&*Ve|!Aa&%SW8`|OXO UIQ_@;S99v*$Is~};U8T2FDO1nC;$Ke literal 0 HcmV?d00001 
diff --git a/secret/lufta.aws.env.age b/secret/lufta.aws.env.age new file mode 100644 index 0000000000000000000000000000000000000000..8c525e3bb437fb834a72f89aff2b02821e53c834 GIT binary patch literal 1583 zcmZA1&+Fv$83*uM=)n=BP?a8JH?74(hcUl13EL`}WHR|VnM{7oL{KuBOp=-W&Sxgc z*kc!wMZJi6T9B2N-g;>%s|O3EJ(SiJp)Gps-t-`df`Z}~kMkG2-aOCqe*7pLg?Ui- zB}j_=siKbH6FL|@4K+G=%f6EKVTtoN1+tzT$|OAT~}%CJ!5 zyOE+7lib-_aTdE|BjAWe<$#^~;xG<|z>*yjE8(0Tu!#kT3>WQ`*jfoENPAw%tIaN+ zGk9c|2zSD*B5;S4B3)|hVBI<_)E7Nm<-#hT1z6f_9b!9C5A8yZmBd0(!wnV~*m+r& zo6mxNiW6db^8wK{eB9b}r`omCWr!_HeJZ91o!sX-jn0FCKc3VWMQ zlg8o1tpRbViKGY?EaWb+V$Tb+BCyOw!mNc&i!3w+EL(+d4p!Z6+IHbF0lzc`hTwZ+ z-S@$awA0@2^>w}h!9-|-)?ykAoR8J9O3r9xt}nH9k5E|)0r?O|;~}CUa)z063e{U~ zzsYPfYRCodq6Zq;ZOcM(aBWb8GxfYLN;sB@u;lPPzV&Ml6f=T8P#J=FXEVlDV~mWV zON}zCvTdP6Qs5X;+LTaNlME#;h1)7)(Xb+U)HDf`FhIKM z5E8Iv587s2M1>${@bpsiPLkTO&}5!Sq}&Ly#LM)Fg9}a^@4MXT5oOcR2munivi82R znnZ)D=f~9C7gtC)(RS29#wb?u^zHH>v`(a zC9G1@9dkDc>%^UBpee-&XR*@K<%y^Z#z3ACqS2(nk-GW=8>R6bpzPhY(VDqZ#C%Bg zZA_F$JL`f=E$l$oM^IX`V@BKtD`|apk!cTGN|8IE9g9;!9V#TgW2WvnsaB#f$PShz z7J06F7&a%tu7E=v?Xh*psYTw+Cncjz(IFQj)c1RfM$~UcQ62hC2#x&_`Si2w5bB1% zhKgSVP`&-tjbfm1d^qfC-K>E(Ce)mr7MsCnG=gO8j3=tI$N7D>ux4Rt8M|sq;ckA$ znZ3>>AhoBVaK@Wp@C5ke#`1^ve(>+#dLQpT{pt0)pZ)*!_kRDp@$Taf{qJutk{@)R zKlt&@|6F@U{0LJ1<=H=uzWVEZ^p$V(52HUn{v`d#{cnVuKQG^W>$z8dck8uBzkc}I zgW>Hj|8Q?`{qOXxKmO^B(?5b2W-9zo@t1e5w~yU@=f7XkKl$X#mwxv4oiFbF=-$h> O-+zCOJ#h2xU%mtXDGuWR literal 0 HcmV?d00001 diff --git a/secret/mi-token.age b/secret/mi-token.age new file mode 100644 index 0000000..20dfb06 --- /dev/null +++ b/secret/mi-token.age 
@@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ FgUB+cUmDdeoXYKPM57kBZdTTqmXIv1JwfYq9PWfAWI +gBRG1mv2R4k3q2J6Q2gLIrizLvr8D+mX4EMGEEyxdlo +-> ssh-ed25519 txQL9A cTP+Kff1oAigqllVHyb7gcoOeYUjrAHtGIDjG0/yKD0 +i1OiWrm8jnKUuQQDVyhElhT5Irv2Rd+DhoKbbuoINPo +-> ssh-ed25519 YcYwVA cdeO/P4hX78OlQSZ8EF+sVvodpf00SWZYl0ZpJwLbF4 +WIv2kkMakaNM9XmhGY3CM9H9qA8YiaqFDVTOomb0WlA +-> ssh-ed25519 rIaBGw nv+YH10pIzm2aA0aSdM5sMKy+NS7ztatMwqQ5OswqHo +f+JYkuPza0cggSdXpR3ygmaE4nWaaxhFZy6UbBoXQWQ +-> ssh-ed25519 H5HtPA 1+ZauOpNaBFSWlwpX5MLD7RcSmEMmpTVCB0fnSH2LVg +2/C2EjUY6C5aBpShLN5vdtnQa5LEKHJEL8AtQH9pOAM +-> ssh-ed25519 Yy06mw jpnvL/OtH5+RqT4yVdogNrBtsno2UgiR53FXGwzIoiY +jzrP/abR/KdCWFUnJ435Cx0PJ07Zc63SJsTRrZAq0Os +-> ssh-ed25519 6Sqpww d7n4/2JusHBvxFn27L9g5Ke5pSp7tjtX5oOvJbhosEQ +TKhIBUusBhM+D3WpXPeRxOwIU8bdBtD8uKtor2WMv0w +-> ssh-ed25519 Cb6l4g xK4SFl2hT+P9tEjZ7qkiRMomK+/lFFtj+9VA1mvVbAU +8aYpeNT/gwdvmaQ6QREA/6w5qijnTUkG9DbOw5K+29s +-> ssh-ed25519 x40ZwA GDrRgIdNjxOnIwve+lXonInZMwGvbrmekIaKuvZfaUY +IZFOEjBbsklqcwHaBl+R75c1MhIfYvwnb6nIvNkZFDo +-> ssh-ed25519 ZvILxA hMi50mp2fID8yXl6hGD7eSdVZIKL3MCwgASmRb49zX0 +9Iw7VguynWY3TNyWA4cZBoHiAqYGDf0LdAgkynbfky8 +-> ssh-ed25519 0rx8bA HARyXEVwjdvFGmHS4Ira8W97onUHTgGih+mKG4exnAs +Rq5igLlDK2BMGMy/zy/dq6yhg8Z3nqToDjWNV/lVyLI +-> ssh-ed25519 extxyg 09iNDxRuPlkTgECbeDK6ERbPhZaCWw9Jwlr7RFFuhBQ +QTBd86g+0Hy8gHnmYTsaq5kT9MfyakByqu8E+MV8Hs0 +-> |T?6xR-grease +y7ddROPArLKhAq6nHbv08HCr1rWZaSrz3enXHo+N49KqVfDqiC+Zhp3MbbdPrSoc +FYCVSeUTsu9D +--- HThg4VKfAxrrBEaeutTM2umVl8Me0wRkjt1fNec1vOM + FcЪtf #RpɡDA s?: *{BK'Z1@M@!lCHcShgIBsp&@/yxlt a6 av _)3E cX}л^+* +v鸍ޏqv]pɮl/dOYHXY j|Gʚ`p`+fN'@5l@ybLl 0wNt_2lܭ|}? &X y~܁<3 \ No newline at end of file 
diff --git a/secret/mi.toml.age b/secret/mi.toml.age new file mode 100644 index 0000000000000000000000000000000000000000..8befb3ad9b8d7957b2493c2d0ecd1132656b52c8 GIT binary patch literal 3105 zcmZY8_g_5v;pv z-CFu^fki=EtO6<`qSU&IK*fsHitoK&^)L8-&gYz?x0^0Kk^BwLzki6w*sc1}ihH(9ykeDHZ3W+nq9kiej=zRAi<@;(T8VM&u$I9nGeQ z`BrkK$DyM71zxAi;Ai`#0u>1e=y@Q4FAcI~7_C9ACjw#=1``sfNer8Y3j{<_rCS{K zc}b8Y7?g&!c8ksHsoE$)BC@=AJP!$yEPAJ1D580sM2wxnx5iXHm73>}i!<5bSQr(vs?{7P zS*tMeq)|HwZ^MhDVxBEbF>$DXR)Mz@Y$BDw?+`OT$i^e{f-*W9((@n@R~B+$I1-9e z%pj6PL>Ur=ZMIB0>{IytGPz$yXA_y6Fp8Ne=b5A$oz{#a%QJCAT@Vm>>{2JoDA8IJ zTD6=>z*%?_kOc+a&jv;DpgW9~ArQh4hCzXlW7kUr2wfM$V?u~1Y<642P!yx$Py;N8 zh8OVUD6^I7cPZs8CJxjaJUj{q7C4;ZfQhFT*`-tnq+(#MgDNoFq|o~ssPy~7VRWX4 zB91Z)3XE6p5*NEmGLbwJV7Zi#@1e67T{Xfsf*cxe_uX zl4&tHojkMM6A3$UK8%j4Gy{M}CIVFmLnpzg=osV!O^5JBk^em)Or!*ZUL_J@2S^yB z$KvJ*$$Apb$&~n_0jh?Ggbh@_Jp{+ZD6bk1NJ(-g&7+nuqg=Vg1Q~633DZI|$z^zf z1S6DkT~Q%U9sA$`csN2e(9v8E7;wXU3R{sG6}f#Jz{zI=3(R04_0E11S3%^8jQx| zfGXzZdO^FBuHv(TM3AGi1O#R=CursiokR)TCf(2w|u)x+W$I3N&7ING)Q-$O6~_^E4C+S3-n?C)UtlZf)c$%=xd7>f^Tx*Z=O?I@uP#b_Vy(yv>ixBG0|`OM2QXCtUA+v%sFxT)yh|rqRjI zbK!^Fc=CVB)})L)nu1+CqPJk_vQ>>0BQ>M@4|l)&Jk%}QKkXFp-;3^i^Sd?qL-VO^ zQ+nd#x;d(aZwRpD*wx=CV0J<>JFj;;RDUx5tHl13<{K(mdD5eth8*iraU!fxaQ4j2o00li#sGb) zi~cmSh9O?^P1*`JX8y22PXu$x5evDRkItQz_D(V%s!4X>sG>_y)ePDWO~yjiPMrLRPgne5+#>yeUc zQ~Jt;Ifb9_lWMnb_Ow(|3O0d>Z&Af*7coz($#ph8?eezDs&HGnZ6}_-rE;Nr`QkNA z$=WOCNo}DA%IgyEtv4qVR^#{PrnXPXel(L&xvQz>^u?An#lJpVJaOvHomh^x>73SE zKW)Zd)P)Vb2lC2`N#r*}zj~B0ddqA6$3+>O#y9!hWA1DsQWhqz-CLj2N*_D@m%i54 z_&-h>#^G5@-@Q!jyuUcp`uD(F&%xQy?N#v8qese$muLGAPkc75hqJ7Ly&3y<_wYl9 z+ww-ahf!f-u;#$W$Ev!f_k6ahG(TzK8;x}A&5ZSk1yUJVF!&Yz4`0C-Xk3~`fZ1grhU}8w~_rJxu^GSK6Ll5ZB)hr;fc|t zvqLL3r?0$_`o}BLq3YS+ZMwE`(vG^G8sq8l z?Io+K2YJ0KcPtuHVt+G!X(7imYkaqWQKu|`~9gY&0$Jd|Oa7^ntVB@{eeKbCaT=FTT+FJUBhEM`is~=0>fzR;gLCeso?o*2@@xF`HryA>mt=Kf z-2*_Gt9`KS$;FhzUEgdto_PL5LRRM`WXQCW^@^YRUnNXvid^$F{X0STuKIoy(^PaI z{cY(^SKZ(pmxYCt=-F86Ob~OaXT|wK&CX%DjKR>-s?7RyRsScm59X|+@sn2kxwfq1 
zLEOgQOUY+ADS#fu?e*c$`_lu_P+lTAp8rS}` z^E&xT%{QGa@WncP7-d@bi>J5tr>Y_Bg@ewHz4=mEc6D_KJsPK*YY@Iz|7{3$?o#+1 tWYi6xHKd~Hc>j)!j=VE@bXj{*CwTHqiMMyxUTgOA^eq?l6 ssh-ed25519 jO2MvQ mDZCMTQsUZUAJ+8UknZJnRRev4MX/A1PBP6qRSolekA +2Dj7wO070kEkH0RMbrqQvymI4ItFNyQNA3EzdY84D7s +-> ssh-ed25519 txQL9A YDunYGniXh7RVWEKSeCwI703g9oiBKKDRVJj/ZGFXB0 +W4GoPvWYPYZp8gy6X5LOwbhbwRl2waMqOHXZfFanrfw +-> ssh-ed25519 YcYwVA 1rLnVW4M49GscZCPu8S5/s2I8Zf12PPYAr85X685pHA +R1DCWV6rymwWjPBouEawPfLfIISvChYBMDwUw9rskXE +-> ssh-ed25519 rIaBGw 9lZXrVgN+2pE7cZGTWvY6s+paAxYcqH+sRa3sKFhT1Q +L9cDIMNK6NEwlcMe/A14+kK9i6ZcJ3ft/Mft/5HOuBE +-> ssh-ed25519 H5HtPA LsXMHQsp3+qapm05iw1PQ3BTm10Um5wpFwwvwXLKpWY +r80F1ibwCcT8sd7q2yKpMoTrDlJF2ooxdGuwWfjFsrg +-> ssh-ed25519 Yy06mw KDXc4HHC7wBr411HA8YikQtnlVQeHlPK2sAjSyhlwVo +380kd7mGLFcvKwVf1hbuJ+pwk6AP2h5HkuwGwrbyOwo +-> ssh-ed25519 6Sqpww UL7ktmcNpvQbYmnIi/ZAedmzw+V/f7Os9ojRPnGcOlo +yDnXQ+IpuHdpf3dHHyThsHIXiWRje2u+84w/aDUbfKg +-> ssh-ed25519 Cb6l4g 2+ZGxy6UAAuFPbw0xZZhNxRyszLjDYrTKmizkYIgFl8 +Dg12lcrf3uCnjnpXmm6zkJAZAM4nRoP6dzbxNgdmkWk +-> ssh-ed25519 x40ZwA V3+q6OxOiJJBP6RctIPv3z0CBhp+EHl0vQ+Q3x0QgAM +RViINU3HmPYpvPE1Yl0j0ha2JBD7NrRu982lc6fHSoU +-> ssh-ed25519 ZvILxA Hyh4CU07bOP+rmFhde2LjwDOhR8fgTsdF3Ds9JPZSkw +BJv1bU/uvcI1xLYY8R9LY31gtGH2xIqiwoZNRxlqKsQ +-> ssh-ed25519 0rx8bA xMqZLnnXZxqCyZdmj2xOQNlNRUlIN9rGRmvt2FD8omI +YCx5pt85/ie5WaaPiHfjSj5gM197CF9XkZ8XNiUQJQk +-> ssh-ed25519 extxyg ix+lckxf5kMdfS7O0F41x6fpmrT3RBOAv5N6Axzk3RU +XfYTFcbkyAcSW1JN3FUxKlx9RY1/HYVmhooYU4ymWos +-> ^-grease AtJ2D(w %6#@ +X +09Q88UAZ958OPbSivI9BN8nZlSL6PELmwBRbN8LVVQEy0R33henNTOBnaoWG +--- B+U3Sp+GEBqpwkN2CetGC4KJxuQyR3O3c3K/O8X5h5k + +үS :J[DE'_|"r(ihVv)ow E<(O|Z \ No newline at end of file diff --git a/secret/withinbot.env.age b/secret/withinbot.env.age new file mode 100644 index 0000000..5e73d89 --- /dev/null +++ b/secret/withinbot.env.age 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ Uqja6onXASxq/OgzpL7cB9qK0jAYnGqDyG0U6sJLklI +r2XL6JW4E4xlYLezbyeV4G7SDBKOAebczM9jKCaeV/4 +-> ssh-ed25519 txQL9A 41VU+wHlNsjhwek53oYLIXYCD5mARh6AS7laNmes6Ro +NO85NXuhHbzlAPUycs98U/uRRgkypOWH8J39NlA48Nc +-> ssh-ed25519 YcYwVA i95rlp2R6+P8KmrgX9/zSmIrTVELL/VDIShGo93OWiM +oI8tBddvzBX9v3cHUetUEarq5thpCMaqjPLm5gxQpWk +-> ssh-ed25519 rIaBGw iD8mwEvyCBpRZ9yQu5EgTsVLHS590GZ5Kbhz8TDff0c +lVnDL5voPEa0q7AkSUmw6/j66uwR9R6vrYf53zm+VZg +-> ssh-ed25519 H5HtPA p6dMYLz2snmRGdexOUSSEW7JmLPInQnvpxsRoNxLJSw +mqcHZnRYnApdwl05t0MmZPYbOfvn6F86Dr1Bbg6gLD0 +-> ssh-ed25519 Yy06mw DohydHTDA5W4LySkd684err2MAytcivGt+ZJiK7cTiY +nt/ASg+TIcOKrePS2LWoaSaRjHxdOdt5pBUfw/7klfo +-> ssh-ed25519 6Sqpww r4u0HdIMxDAUw1LEpBb4WJ0v9lA6L9mfalzPIua+Rkc +CxwaeandCpsV+T1nV+RJTl9tyaVS7oIdqavQByMxmjo +-> ssh-ed25519 Cb6l4g soPlS7R3EOgcWBwaqqWPNiqk4PMT9LiYs/5b3hmtWEQ +uLwwU9KsZLWZ4+4SZpXFP/OIlfgQF1U+wy8lav5KWbg +-> ssh-ed25519 x40ZwA zC5vV+0CjXayFhyImI05Exw2gfG/FZ6wDT4Jz0BBjxE +0bk5S68ztbskuKeZg+3NRF0HaXDJzdsCkqMFt6mECRk +-> ssh-ed25519 ZvILxA FN7midnLj+m/8EfFyRZuAg/xjpLPQjt9f1Xo/89YMHw +uqRJT9kyS4P7Kxs1voQLP/RPlbRhZRKvTeFC6Mxo2eY +-> ssh-ed25519 0rx8bA 4rsg7DfsFoKNOOCVKMI4ulNE308QO8GSCqTGxVC2NV8 +YYtbPih/hWnVoRZlOjSpInDuTk/YKPedNrH3778SWV4 +-> ssh-ed25519 extxyg 9JMMEZIafrZNNN7H11IY92Jqt8BEPa2V/dGZMk8A1kE +wCslVYjUb9LboUybhYbi3klAqX3MTzPyIXxl7wQccVc +-> ,Deat~W-grease Nbch}6{- 0_F]3MI D-J +DWDGbJzdtUl0aEHnz0MDQVV2UqYD5QL+OUp8p0PkNM0Ilhg7BmjXSrX74HUHX4DU +JZ2Vvcjc8vFvAg +--- 8+Jz48tU6YdydL2ku2YxWSs4TCSVVKiwJzc5QursTWg +lbr ,ٺ?Mla0vYs^̍S3r-Y2Nl̊<]b xwYrQ|TG$ `T@0R8 \ No newline at end of file diff --git a/secret/xesite.env.age b/secret/xesite.env.age new file mode 100644 index 0000000..4441e37 --- /dev/null +++ b/secret/xesite.env.age 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ TjUmCJ3Bw0/Swc7GLe0IpCqZvRDC9yevhXmAOhgqYAQ +jgWPK6sNIFLcAWSeIvV3Um8CJkThfLLGHAkVKpT74oA +-> ssh-ed25519 txQL9A N+5p2jxwM/VY9kUYgTwJmeZm0XRMWX5bVHJmJzeUC1c +6leDM4rQLTSuUWy4xLctHS+u9tvmOeJfHL0HVzTnJS4 +-> ssh-ed25519 YcYwVA kiUBJ7+Q6WOMIRZWJB9zusXdX2+qIeg75citJjuCAzY +PbyclvAWL4tsgOwJoNoZZ38fw5f+kcVBGPTKO6RejWY +-> ssh-ed25519 rIaBGw TBwyoDlUqNCC4/wUEmEIdRFxkV+4eEIXKhiJBl+OCAU +ocIuXQLOxr5xQN7Eh+e/g8Yk1w9K7QTiDoPT24hCfvc +-> ssh-ed25519 H5HtPA cbr71ypHuKc2oxlDolQBd/Htz/1IJ+lSgt431PzrKgE +rQmpI1uX9PKvef1+0DymkpcegoIErKIEl1krRwK7JaY +-> ssh-ed25519 Yy06mw lIV0rxlf7FwDici0VRqaTgTSWadJZOKzJ2LqK3Qv5jA +0kMrJb3nzeaSlMtZle5tv5Jo2urC/uvhEEPuL8m0zww +-> ssh-ed25519 6Sqpww eVRoSIdrN0CBRABKjQLNtfHU0kEYsyOE9imF5B1sMxg +XHVf/cvXOuERIBjYAnaDGXjUAy9exImImLPRvt90IDo +-> ssh-ed25519 Cb6l4g U5npiwIynsMAtfjGCO9tD3xt23yZEn4xbS7HuBJktF8 ++Vaq6PLqcopZn8iP9tgFvIag4onr8qs3JS2B4z/jJ6A +-> ssh-ed25519 x40ZwA iVYMar5SvPQdZBTOMdH/x6TYBwgU2VZbvY+sQnIlYh8 +H/lpnxsCCVHRSD70Srrwv3VCc80FGHDpsSODzMi49rg +-> ssh-ed25519 ZvILxA RQ+3LBulXOuq+vDjFTYQq9egZsP2iXN0MWEOl3EXfns +rCGsLoYn8VUVM4ptp+IIAgXuZetxalSoKIO3tbJEUBg +-> ssh-ed25519 0rx8bA bvj4/eT1Fz+1XuxG4yQjwadYgPPIxOyiQfs3q0NDQGY +KWU5ffP74jxZ8wvohWDkzJ13wxvGb9b4ANL2G3YCrQI +-> ssh-ed25519 extxyg BIkVxRIC9pPQENcjDjSLmTEoO6RHGXY0oVSiP6dCSAE +yCZfCpEdxI7VaX1UfHEBniht9jkC80Dsm1tS72NYIZM +-> ht-grease Ekx [Y_)&: O+o>A o +jLirD/Pjc46GwjoBqEHIcKGxLROLSSFSkb/OsLzVzT41ex1FBRqQ50wT0Bg +--- 4sBE3L2C6hGzI81Aheg4NSMUmgLdwzky+270B7k+oGU +??)yeSHSPGbGRVLÄ?ѵr蘮PX!8~'kR|qy^0;eTƁA1"'hX:c50J(_:G^ŭ$ɥK\xs%TC,>S?-@9.N)W2Tp\C3ۯ=G1#|Ɋx+,g#WUl>mfK@Yݍgzk+}KTr&d>[>5 Il •mO5'ooO(OO 4kf3W>aȐ^bBҜE|z[(GaS4<)_.0xO2 +Ocbpl>fvTtjTHM+E \ No newline at end of file 
diff --git a/secret/xn--sz8hf6d.ws.crt.age b/secret/xn--sz8hf6d.ws.crt.age new file mode 100644 index 0000000000000000000000000000000000000000..385247ac27f84f6ef029cff4d4d23c3b7db5e6d3 GIT binary patch literal 2055 zcmZY8{gV?10mgB9SbIhWDcFLwmUP;qBOzpW^IoL5$!<3Lmh5hlO*VRP+1+Hb*<_RK zCi{|UwG^$waCT~omFh6`2c}2|E7MVDD$s%REH6^TLeEmMAYuiM-V99Pe4*O$$LnA4 zneWW=RFtZ}s!N93>8Wjfb=yz^7U=Om<~7Z_zbZrFFc|kXvJh>t-e|m*iYv0w43_}8 zD8+eLCdgvHfi?mP$~O?YTMWVdszKBhPavimq7n{Oi(%47$y&e20|OC|T?p&8U_2xx zQwGm~XQKvwl3Lc+_rQ$-D6;HG8=Qcz9=t>^=c*C z$ut$Ed|E~W{dSW`>{td`PefHq_|igGC2j8*F#fL1ipDdU|+ z2L%hrU{JB=YJv+yTDG@DHRS@=P8h6i2C7!6T*4KNj`m}&Mj$FnNf9WSm!&YqYaUJs zk*>yb5tZ#>J`jhExP^xFmQ$${bh;cDS~3E)ik%t-&($KiZpXI0hGmn*25V+q#w7GI zS|gEkAB}+)PV4PdA!^By0p_+DA1Zic(bp8Rq|;V%bwu#>@;SL~a9A83 zaw>17^I9^>V~I9RMg*}an~LiOKw9Z5O}Qy2=vuZ6%+;I_P_|*OCPuo|!)OiVi>@_D=h2`eg_L-vgrGDgc{)fl z0NA}OhXH9{p{i4c%_->ws?!pcAx+*arQ4Vsu@Qux+Xfg;OoY9GmTiT7AV(uKX}c6- z*hHn5Z8wT_N~}XDBX{w^0Em-t+Vtpk3!-A3rdE%Oya@KyfLLsY^Gqd`-WI9ipumb zpj7KPw4so7HPvb|V7pgJq2+WDBV_(+OY_#pHb9xDD_+$#wF_>^*BeW3AK!3RT>VU7$$M+Q9MaZZnYER7w(P#{>{<1XKW^f-yl6lB(*>V- zamC1=9~@mXKEBDn_wlQ5pM7mgI)yiWo*G&5wUw7<559i)$EzM4KYY)dhvU{ZYW~pI z(dn0#U|Z2C#hH9z!Kux3;?{ZO;~W2-xBspM7hgZWb;q6GJ@l}-h&x+;XwmL(-@G~X z(YnLgRcofylfSyK{=k*djZ7nn#C~nDPcWnR+zzSZ-#_w`oktg%ORlfHx-q@y)Umg( zJ-+VN)H2|R4ex&GDSPwG%>3t)N0sS!MR?Dvr}2ef8k)Ym@z&`2_&JvR!@YHC=>sE&udn%`@YwM2)$7;&_91BW zz#4`f3Os*nnSYo$dU3d=-hG21PrWkl<~Jsw`Cs&8_i0z8Elx@2J1N&0%C2eO z=H?r}f4};hrxuTGG|s)e-8i!rT{!Q;iG33@n?{1m4~-5@@BAkH;mw)azoXyUf35#W k ssh-ed25519 jO2MvQ GvwQEupjkNthH7Rme8NgSP9L788ftHSFG6jPDB+efXY +XCOQ6x8zcXjnsLavUDBVJKXc5zWlLZsQUXe48oGKK88 +-> ssh-ed25519 txQL9A IepeTe/QqjZGzlDXUkzYaaajDOI9kWFIyJexqZZYOxo +21dwm6HCaKCrySRzgjEuoSqEcaKkgOgiRkhh7G4fnVI +-> ssh-ed25519 YcYwVA gpsJpz1TOlPQwIF9L0y1hPdwIB5LyUpRcWI+7uxaRjY +eujCfAZNsy1vY85UuhoHbvLv0s578N8V1KjfrvNzrlY +-> ssh-ed25519 rIaBGw nvzFLfXF7gYWs/qjm7zZdZKi1EoTeLhtuQm9DFF6rjk +ucl1p4Lfdm5cX+amaPg4AGaOgx/8gAFGo338DDx8ISA +-> ssh-ed25519 H5HtPA 
vMEBfV7Kq7LXEwPTHunG7MLocmE9mVk+wt4nN+5y/kg +rrGGvqNSAVgWHAo+O20eDPwmwZql8Bv3Ka6oHR1dsgw +-> ssh-ed25519 Yy06mw iCjTX6uZ4P7RC1dPz26hAzmyv6agefQXXo7tLXadcRo +uQTS59ehxTqWuCTwevrHJ3HOehYsLh1uRzL+/rR0WzY +-> ssh-ed25519 6Sqpww ALV9B4PuGdizQTk/GBKUUjKxuthziVxdc0rGIcUnBjc +0jB5nl23QuEz1bHsui5cPHNYNUluxKZcBkbq+xJxuaY +-> ssh-ed25519 Cb6l4g x58bPssYWy2Rz9M5C1FJlHz7uCOK/g80daUyrY3ieTs +k0effIcWAe6oFBuS7dknsTBjazFindVdVGieue7F8jA +-> ssh-ed25519 x40ZwA mE1GF+8IlAC/N6+lBfvo88WTbYZ9SI/uC7LdrfmGvAI +O++6THxVg2aej5xGbeZo5Icv2OH8ZzfvURA/AAQpWOI +-> ssh-ed25519 ZvILxA KuvWA10QyzriOwQT0M9wlvx9rCKQNlEYMfmBGefWJz4 +ACglU4mnTNQZeW/wRAeCBPiEOtC7U86xUCGd+iJlWpY +-> ssh-ed25519 0rx8bA MSV57AL6ZCJtB0IMD43ZIPILPFGyV6Vd7YHXG+aYMUA +R+uNOkDBjrXbv5EP+TWEoGEUGF9HtSI5RFME5LsxOoI +-> ssh-ed25519 extxyg 0b371PzvXf89GSHtvlzxGIze2XhRu9mKYvPH8tQFUUg +cc1EHeYEp90gGMzOqxW2+V/qBDrk06GokS3iMBg06Pk +-> r=򝨌v22>"}]%&֠KV&u@uvj(-egb[tIXoF$zMȋ \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 2a3d778..c0aa158 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -40,8 +40,29 @@ in { "hosts/firgu/secret/cf.env.age".publicKeys = publicKeys; "hosts/firgu/secret/snoo2nebby.age".publicKeys = publicKeys; - "secret/aws-within.website.age".publicKeys = publicKeys; + # backup + "secret/borgbackup_passphrase".publicKeys = publicKeys; + "secret/borgbackup_ssh_key".publicKeys = publicKeys; + + # robocadey "secret/robocadey.age".publicKeys = publicKeys; + + # akkoma + "secret/aws-within.website.age".publicKeys = publicKeys; "secret/akko-keyid.age".publicKeys = publicKeys; "secret/akko-applicationkey.age".publicKeys = publicKeys; + + # lufta + "secret/cetacean.club.crt.age".publicKeys = publicKeys; + "secret/cetacean.club.key.age".publicKeys = publicKeys; + "secret/xn--sz8hf6d.ws.crt.age".publicKeys = publicKeys; + "secret/xn--sz8hf6d.ws.key.age".publicKeys = publicKeys; + "secret/lufta.aws.env.age".publicKeys = publicKeys; + "secret/mi-token.age".publicKeys = publicKeys; + "secret/mi.toml.age".publicKeys = publicKeys; + "secret/aerial.env.age".publicKeys = publicKeys; + "secret/aura.env.age".publicKeys = publicKeys; + "secret/tron.env.age".publicKeys = publicKeys; + "secret/withinbot.env.age".publicKeys = publicKeys; + "secret/xesite.env.age".publicKeys = publicKeys; }
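Review bot: Every entry added in this hunk, including the `# lufta`-only TLS private keys `secret/cetacean.club.key.age` and `secret/xn--sz8hf6d.ws.key.age`, is encrypted to the same shared `publicKeys` list (the matching ciphertexts earlier in this patch each carry thirteen `ssh-ed25519` recipient stanzas), so any host whose key is in that list can decrypt secrets it never needs. agenix accepts a per-secret recipient list, so the lufta group could be narrowed to lufta's host key plus the admin keys, e.g. `"secret/cetacean.club.key.age".publicKeys = luftaKeys;` with `luftaKeys` (a constructed name) defined next to `publicKeys`, whose definition sits above this hunk and is not visible here. Separately, `secret/borgbackup_passphrase` and `secret/borgbackup_ssh_key` are the only entries without the `.age` suffix; `secret/borgbackup_ssh_key` is added earlier in the patch as an opaque binary blob like the other `.age` files, so these appear to be ciphertexts, but the bare names read as plaintext key material to anyone scanning the tree or grepping for `.age`. Renaming them to `secret/borgbackup_passphrase.age` and `secret/borgbackup_ssh_key.age` and updating the two entries here (and the module that consumes them, which is outside this hunk) would keep the file's naming convention consistent.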